From Lasse.Holmqvist at uab.ericsson.se Tue Aug 1 03:54:29 2000
From: Lasse.Holmqvist at uab.ericsson.se (Lasse Holmqvist)
Date: Mon, 31 Jul 2000 19:54:29 +0200
Subject: Solaris and a minor PAM *problem*
References: <20000720205304.5560DB47B@fleck.princetonecom.com> <7B73D5F649D0D311B1E30008C7A4D92A020D8E39@cnfqs029.cnf.com> <20000728191350.A1813@rom.oit.gatech.edu>
Message-ID: <3985BD55.664AB089@uab.ericsson.se>

Please, help me !!!

I see a *PAM error* when using OpenSSH - currently 2.1.1p4 on Solaris 7.
Note that everything works - as I see it, but the debug print out says something else...

If I start sshd in debug mode and connect from some other machine also running OpenSSH I get an error print out from sshd/PAM when I disconnect, it looks like this:

    ...
    debug: session_pty_cleanup: session 0 release /dev/pts/2
    debug: xauthfile_cleanup_proc called
    Closing connection to n.n.n.n
    Cannot delete credentials: Permission denied
                               ^^^^^^^^^^^^^^^^^

Why do I get this *Permission denied* ???

The error is generated in auth-pam.c:

    pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED);
    if (pam_retval != PAM_SUCCESS) {
        log("Cannot delete credentials: %.200s",
            PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
    }

i.e. the return value from pam_setcred isn't PAM_SUCCESS.

In my /etc/pam.conf I have added:

    # OpenSSH added by lgh 19991120
    sshd auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
    sshd auth required /usr/lib/security/pam_unix.so.1

Is something faulty in my /etc/pam.conf ??? or is it a *problem* in OpenSSH ?
- And (hum) I have seen it a long time before 2.1.1p4.
Regards
Lasse Holmqvist

From morgan at transmeta.com Tue Aug 1 06:35:39 2000
From: morgan at transmeta.com (Andrew Morgan)
Date: Mon, 31 Jul 2000 13:35:39 -0700
Subject: Solaris and a minor PAM *problem*
References: <20000720205304.5560DB47B@fleck.princetonecom.com> <7B73D5F649D0D311B1E30008C7A4D92A020D8E39@cnfqs029.cnf.com> <20000728191350.A1813@rom.oit.gatech.edu> <3985BD55.664AB089@uab.ericsson.se>
Message-ID: <3985E31B.72FE9505@transmeta.com>

Lasse Holmqvist wrote:
> Closing connection to n.n.n.n
> Cannot delete credentials: Permission denied
>                            ^^^^^^^^^^^^^^^^^
> Why do I get this *Permission denied* ???
>
> The error is generated in auth-pam.c:
> pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED);
> if (pam_retval != PAM_SUCCESS) {
> log("Cannot delete credentials: %.200s",
> PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
> }
> i.e. the return value from pam_setcred isn't PAM_SUCCESS.

This is likely to be a misfeature of the Solaris implementation of the pam_unix.so module. I don't believe it is indicative of anything other than the fact that pam_unix.so does not implement credential deletion. (In other words, if you don't hear differently from someone at Sun - who knows for definite what their pam_unix does? - I don't believe you need to worry about this error.)

Cheers

Andrew

From andrew at pimlott.ne.mediaone.net Tue Aug 1 08:28:26 2000
From: andrew at pimlott.ne.mediaone.net (Andrew Pimlott)
Date: Mon, 31 Jul 2000 18:28:26 -0400
Subject: find canonic host name
Message-ID: <20000731182826.A6522@pimlott.ne.mediaone.net>

I am concerned about the code under the comment

    /* Find canonic host name. */

in ssh.c. This replaces the hostname entered by the user with the canonical name determined by getaddrinfo, causing the new name to be used henceforth. This includes connecting to the host, and finding its public key in a known_hosts file.
getaddrinfo seems (on Debian GNU/Linux 2.2, GNU libc 2.1.3) to look up the IP address of the entered host then reverse look up the IP address to get the canonical name. I think this means that my DNS administrator can control the canonical name. So, if I have both goodhost and badhost in my known_hosts file, and the DNS admin makes badhost the canonical name of goodhost, ssh would successfully connect me to badhost when I ask to connect to goodhost. (I realize this applies only when I enter a host without dots, but that is only a small consolation.) I would expect ssh to connect to badhost, then complain about a key mismatch.

Am I just confused? Does the canonic host code serve any important purpose? All in all, I would much rather that ssh always used the public key for the host I literally type to verify the foreign host.

Andrew

PS. Please Cc: me on replies to the list.

--
Where is the innovation? Microsoft, mostly.
- Rob Pike, "Systems Software Research is Irrelevant"
http://www.cs.bell-labs.com/cm/cs/who/rob/utah2000.ps

From sen_ml at eccosys.com Tue Aug 1 15:04:05 2000
From: sen_ml at eccosys.com (sen_ml at eccosys.com)
Date: Tue, 01 Aug 2000 14:04:05 +0900
Subject: OpenPGP auth
In-Reply-To: <20000726182411.C6904@hyena.skygate.co.uk>
References: <20000725150003.J13003@hyena.skygate.co.uk> <20000726110440W.1001@eccosys.com> <20000726182411.C6904@hyena.skygate.co.uk>
Message-ID: <20000801140405P.1001@eccosys.com>

sorry for the late response.

From: Pete Chown
Subject: OpenPGP auth
Date: Wed, 26 Jul 2000 18:24:11 +0100
Message-ID: <20000726182411.C6904 at hyena.skygate.co.uk>

> sen_ml at eccosys.com wrote:
>
> > so, are you going to write an openpgp packet manipulation library?
>
> At present I am just invoking the gnupg binary. I think the gnupg
> people have a project to create a library, so I would probably be
> duplicating work. (Also it would be a *lot* of work -- much more than
> just doing OpenPGP authentication for OpenSSH.)
iirc, the gnupg people are not working on an openpgp packet manipulation library. you might want to confirm this w/ them. it may be a lot of work, but i was hoping someone could take it up ;-)

> > that'd be very useful for other purposes as well -- for instance, it
> > could be used to write a pam module that will allow a
> > challenge-and-response type of authentication using openpgp keys.
>
> That's an interesting idea... Also you could do a SASL method that
> used OpenPGP.

yes, i suppose that could be done.

> Actually how about a SASL or GSSAPI method that uses ssh? Then if
> you use IMAP forwarded by ssh, you don't have to worry about sending
> a password.

i guess that's true if you don't use password authentication, presumably. i think i prefer the idea of an sasl method that uses openpgp or a pam-based method to trying the sasl/gssapi method that uses ssh.

From wpilorz at bdk.pl Tue Aug 1 19:04:22 2000
From: wpilorz at bdk.pl (Wojtek Pilorz)
Date: Tue, 1 Aug 2000 11:04:22 +0200 (CEST)
Subject: find canonic host name
In-Reply-To: <20000731182826.A6522@pimlott.ne.mediaone.net>
Message-ID:

On Mon, 31 Jul 2000, Andrew Pimlott wrote:

> Date: Mon, 31 Jul 2000 18:28:26 -0400
> From: Andrew Pimlott
> To: openssh-unix-dev at mindrot.org
> Subject: find canonic host name
>
> I am concerned about the code under the comment
>
> /* Find canonic host name. */
>
> in ssh.c. This replaces the hostname entered by the user with the
> canonical name determined by getaddrinfo, causing the new name to
> be used henceforth. This includes connecting to the host, and
> finding its public key in a known_hosts file.
[...]
>
> Am I just confused? Does the canonic host code serve any important
> purpose? All in all, I would much rather that ssh always used the
> public key for the host I literally type to verify the foreign host.

I would also strongly prefer that this canonical host name feature be disabled (or that it could be disabled).
I often use systems with several separate Linux installations on the HD, sometimes even running concurrently (in chrooted environment), installed with different host keys; if this host name->canonical host name translation could be disabled, I would just be able to use different host names in my /etc/hosts to connect to sshd daemons using different host keys on a single TCP/IP address.

>
> Andrew
>
> PS. Please Cc: me on replies to the list.
>

Best regards,
Wojtek

From nitkin at europa.com Tue Aug 1 19:10:30 2000
From: nitkin at europa.com (Nate Itkin)
Date: Tue, 1 Aug 2000 02:10:30 -0700 (PDT)
Subject: [2.1.1p4] utmp patch for SunOS 4.1.x
Message-ID: <200008010910.CAA07102@thetics.europa.com>

Follow-on to Charles Levert's work on utmp_write_direct.

Fixed:

-- At logout, the utmp entry is cleared. Tested on SunOS 4.1.4.
   The code I added to loginrec.c is restricted to SUNOS4 pending
   QA testing on other platforms.

   This patch incorporates the work done by Charles Levert on
   7/25/2000 00:43:22. (Do any of us sleep at night?)

Remaining:

-- Test on NeXT and other operating systems that need utmp_write_direct
   (those without entutent, getutent, getutid, getutline, ...) If
   successful, the SUNOS4 restriction could be removed and the FIXME
   can be eliminated. If not, similar code will need to be added
   to support those operating systems.

-- In the unlikely case that other operating systems have prereqs.
   for ttyent.h, those .h files will need to be added to configure.in,
   includes.h, and config.h.in.

Install: (prereq: GNU autoconf and Larry Wall's patch)

o save attached context diffs to "patchfile"

-- patch < patchfile (apply patch to 2.1.1p4 release)
-- autoconf (generate configure, config.h, etc.)

o follow ssh install docs.
In a nutshell, -- configure -- gmake -- gmake install -- - Nate Itkin - Nate.Itkin at europa.com - "Looking for an off-ramp on the Information Superhighway" --------------------- cut-here --------------------- *** config.h.in.orig Mon Jul 31 10:06:48 2000 --- config.h.in Mon Jul 31 10:10:36 2000 *************** *** 297,302 **** --- 297,305 ---- /* Define if you have the getutxline function. */ #undef HAVE_GETUTXLINE + /* Define if you have the getttyent function. */ + #undef HAVE_GETTTYENT + /* Define if you have the inet_aton function. */ #undef HAVE_INET_ATON *************** *** 482,487 **** --- 485,493 ---- /* Define if you have the header file. */ #undef HAVE_TIME_H + + /* Define if you have the header file. */ + #undef HAVE_TTYENT_H /* Define if you have the header file. */ #undef HAVE_USERSEC_H *** configure.in.orig Fri Jul 14 21:59:14 2000 --- configure.in Mon Jul 31 23:44:12 2000 *************** *** 137,142 **** --- 137,147 ---- *-*-sunos4*) CFLAGS="$CFLAGS -DSUNOS4" AC_CHECK_FUNCS(getpwanam) + conf_utmp_location=/etc/utmp + conf_wtmp_location=/var/adm/wtmp + conf_lastlog_location=/var/adm/lastlog + MANTYPE='$(CATMAN)' + mansubdir=cat ;; *-sni-sysv*) CFLAGS="$CFLAGS -I/usr/local/include" *************** *** 216,225 **** fi # Checks for header files. ! AC_CHECK_HEADERS(bstring.h endian.h floatingpoint.h lastlog.h limits.h login.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h time.h usersec.h util.h utmp.h utmpx.h) # Checks for library functions. ! 
AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage inet_aton innetgr md5_crypt memmove mkdtemp on_exit openpty rresvport_af setenv seteuid setlogin setproctitle setreuid sigaction sigvec snprintf strerror strlcat strlcpy strsep vsnprintf vhangup _getpty __b64_ntop) dnl checks for time functions AC_CHECK_FUNCS(gettimeofday time) dnl checks for libutil functions --- 221,230 ---- fi # Checks for header files. ! AC_CHECK_HEADERS(bstring.h endian.h floatingpoint.h lastlog.h limits.h login.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h time.h ttyent.h usersec.h util.h utmp.h utmpx.h) # Checks for library functions. ! AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage getttyent inet_aton innetgr md5_crypt memmove mkdtemp on_exit openpty rresvport_af setenv seteuid setlogin setproctitle setreuid sigaction sigvec snprintf strerror strlcat strlcpy strsep vsnprintf vhangup _getpty __b64_ntop) dnl checks for time functions AC_CHECK_FUNCS(gettimeofday time) dnl checks for libutil functions *** defines.h.orig Thu Jun 22 15:23:34 2000 --- defines.h Tue Aug 1 00:33:17 2000 *************** *** 329,346 **** #endif /* FIXME: put default paths back in */ ! #if !defined(UTMP_FILE) && defined(_PATH_UTMP) ! # define UTMP_FILE _PATH_UTMP #endif ! #if !defined(WTMP_FILE) && defined(_PATH_WTMP) ! # define WTMP_FILE _PATH_WTMP #endif /* pick up the user's location for lastlog if given */ ! #if !defined(LASTLOG_FILE) && defined(_PATH_LASTLOG) ! # define LASTLOG_FILE _PATH_LASTLOG ! #endif ! #if !defined(LASTLOG_FILE) && defined(CONF_LASTLOG_FILE) ! 
# define LASTLOG_FILE CONF_LASTLOG_FILE #endif --- 329,361 ---- #endif /* FIXME: put default paths back in */ ! #ifndef UTMP_FILE ! # ifdef _PATH_UTMP ! # define UTMP_FILE _PATH_UTMP ! # else ! # ifdef CONF_UTMP_FILE ! # define UTMP_FILE CONF_UTMP_FILE ! # endif ! # endif #endif ! #ifndef WTMP_FILE ! # ifdef _PATH_WTMP ! # define WTMP_FILE _PATH_WTMP ! # else ! # ifdef CONF_WTMP_FILE ! # define WTMP_FILE CONF_WTMP_FILE ! # endif ! # endif #endif /* pick up the user's location for lastlog if given */ ! #ifndef LASTLOG_FILE ! # ifdef _PATH_LASTLOG ! # define LASTLOG_FILE _PATH_LASTLOG ! # else ! # ifdef CONF_LASTLOG_FILE ! # define LASTLOG_FILE CONF_LASTLOG_FILE ! # endif ! # endif #endif *** includes.h.orig Mon Jul 31 10:29:28 2000 --- includes.h Mon Jul 31 10:30:39 2000 *************** *** 70,75 **** --- 70,78 ---- #ifdef HAVE_SYS_BSDTTY_H # include #endif + #ifdef HAVE_TTYENT_H + # include + #endif #ifdef USE_PAM # include #endif *** loginrec.c.orig Mon Jul 10 19:15:54 2000 --- loginrec.c Mon Jul 31 10:37:45 2000 *************** *** 723,730 **** --- 723,751 ---- int tty; /* FIXME: (ATL) ttyslot() needs local implementation */ + + #if defined(SUNOS4) && defined(HAVE_GETTTYENT) + + register struct ttyent *ty; + tty=0; + setttyent(); + while ((struct ttyent *)0 != (ty = getttyent())) { + tty++; + if(0 == strncmp(ty->ty_name,ut->ut_line,sizeof(ut->ut_line))) + break; + } + endttyent(); + if((struct ttyent *)0 == ty) { + log("utmp_write_entry: tty not found"); + return(1); + } + + #else /* FIXME */ + tty = ttyslot(); /* seems only to work for /dev/ttyp? style names */ + #endif /* SUNOS4 && HAVE_GETTTYENT */ + if (tty > 0 && (fd = open(UTMP_FILE, O_RDWR|O_CREAT, 0644)) >= 0) { (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); /* *************** *** 740,746 **** } (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); ! 
if (atomicio(write, fd, ut, sizeof(ut)) != sizeof(ut)) log("utmp_write_direct: error writing %s: %s", UTMP_FILE, strerror(errno)); --- 761,767 ---- } (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); ! if (atomicio(write, fd, ut, sizeof(struct utmp)) != sizeof(struct utmp)) log("utmp_write_direct: error writing %s: %s", UTMP_FILE, strerror(errno));

From pekkas at netcore.fi Tue Aug 1 22:15:52 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Tue, 1 Aug 2000 15:15:52 +0300 (EEST)
Subject: AllowHosts implementation plea.
Message-ID:

Hello all,

I'd like to see sshd_config directive AllowHosts implemented. This is about the only SSH 1.2.27 (etc.) thing not supported by OpenSSH.

The reason for this would be drop-in compatibility. Sure, you can do about the same thing with hosts.allow, but the syntax is a bit different and you'd have to modify sshd_config and you lose the possibility to have multiple security layers here (disregarding firewalls).

As AllowHosts was implemented in the last free SSH by Tatu Ylönen, I'd regard this more as a political than technical decision.

--
Pekka Savola                  "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi     not those you stumble over and fall"

From niemeyer at conectiva.com Wed Aug 2 00:08:51 2000
From: niemeyer at conectiva.com (Gustavo Niemeyer)
Date: Tue, 1 Aug 2000 11:08:51 -0300
Subject: tty problem
Message-ID: <20000801110851.C1868@tux.distro.conectiva>

Hi there!!

I'm getting this strange error with openssh-2.1.1p3 and p4 (p2 works ok).

    [user at computer dir]$ ssh my.computer.com
    Enter passphrase for RSA key 'user at computer':
    -bash: ??9tty1: command not found
    Connection to my.computer.com closed.

If I don't try to allocate a tty, everything works fine:

    [user at computer dir]$ ssh my.computer.com /bin/bash
    Enter passphrase for RSA key 'user at computer':
    rpm -q openssh
    openssh-2.1.1p4-1
    exit
    [user at computer dir]$

I'm running it with '-i'. Any hint!?
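Review bot: in the loginrec.c hunk at lines 723,730 of Nate Itkin's SunOS 4 utmp patch above, the not-found path logs "utmp_write_entry: tty not found" while the write error in the following hunk names utmp_write_direct, so the message points a reader at the wrong function; suggest `log("utmp_write_direct: tty not found");`. The same hunk guards the getttyent() slot search with `#if defined(SUNOS4) && defined(HAVE_GETTTYENT)`, which ties a generic ttyent-based lookup to one platform; once the NeXT test the cover note lists as remaining is done, the SUNOS4 term can go so that the guard reads `#ifdef HAVE_GETTTYENT` and the `#else /* FIXME */` ttyslot() fallback is reached only where no ttyent database exists. The `tty++` before the strncmp makes the first ttytab entry slot 1, which is consistent with the `tty > 0` test just below the hunk, so slot 0 stays reserved as with ttyslot().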
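Review bot: the `sizeof(ut)` to `sizeof(struct utmp)` change in the loginrec.c hunk at lines 740,746 of the same utmp patch is a genuine fix rather than a cleanup: `ut` is a pointer (the previous hunk dereferences `ut->ut_line`), so the old call wrote only a pointer's worth of bytes, 4 on a 32-bit SunOS 4 system, at the slot offset and left the rest of the record untouched; the "utmp entry is cleared" result in the cover note depends on this line. Any read of the existing slot elsewhere in utmp_write_direct is worth checking for the same `sizeof(ut)` mistake.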
-- Gustavo Niemeyer [ 2AAC 7928 0FBF 0299 5EB5 60E2 2253 B29A 6664 3A0C ] From chip at princetonecom.com Wed Aug 2 00:42:14 2000 From: chip at princetonecom.com (Chip Christian) Date: Tue, 01 Aug 2000 10:42:14 -0400 Subject: OpenPGP auth In-Reply-To: Message from sen_ml@eccosys.com of "Tue, 01 Aug 2000 14:04:05 +0900." <20000801140405P.1001@eccosys.com> Message-ID: <20000801144214.27586B47B@fleck.princetonecom.com> Werner Koch is definitely not working on a library. I don't have a direct quote handy, but I recall him saying he wouldn't since he couldn't know what the library's user is doing with memory. I did find this response on the topic: > No. Use the Unix way. The overhead of fork and exec is not that high > compared to the crypto operations. Have a look at your MTA, it is > calling procmail (when used) for each message. The httpd calls a CGI > on every transaction. sen_ml at eccosys.com said: > > so, are you going to write an openpgp packet manipulation library? > > At present I am just invoking the gnupg binary. I think the gnupg > people have a project to create a library, so I would probably be > duplicating work. (Also it would be a *lot* of work -- much more than > just doing OpenPGP authentication for OpenSSH.) > iirc, the gnupg people are not working on an openpgp packet > manipulation library. you might want to confirm this w/ them. > it may be a lot of work, but i was hoping someone could take it up ;-) > From luc at cs.ubc.ca Wed Aug 2 02:08:58 2000 From: luc at cs.ubc.ca (Luc Dierckx) Date: Tue, 1 Aug 2000 09:08:58 -0700 Subject: MAIL on Solaris Message-ID: <20000801090858.A20135@cs.ubc.ca> On Solaris, the environment variable MAIL gets set to /var/mail//user, (with double // before user name),which breaks some MUAs, e.g. emacs' Rmail. 
The problem lies in the fact that /usr/include/maillock.h has:

    #define MAILDIR "/var/mail/"

while session.c adds another /:

    snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name);

This only occurs on systems with maillock.h (i.e. not on linux)

--
Luc Dierckx
Systems Manager
Laboratory for Computational Intelligence
University of British Columbia

From vinschen at cygnus.com Wed Aug 2 02:22:22 2000
From: vinschen at cygnus.com (Corinna Vinschen)
Date: Tue, 01 Aug 2000 18:22:22 +0200
Subject: Port of OpenSSH-2.1.1p4 to Cygwin
Message-ID: <3986F93E.B05B9247@cygnus.com>

Hi,

since the previous port of OpenSSH to Cygwin, a lot has happened with Cygwin. We have worked hard to allow smoother porting of UNIX applications, which results in two major advantages:

- There's no need to use so called `text mode' in open calls anymore.
- With only a few interventions in the application's code, the concept of real and effective uid's is supported as far as it's possible with Windows NT/W2K.

The result is a small, more predictable patch than the previous version.

The patch now contains changes to configure.in and config.h.in, which support *-*-cygwin as target and which define HAVE_CYGWIN similar to the NeXT patch. The patch to `configure' is _not_ included. It's very long and not worth sending since it's easy to rebuild from `configure.in'.

We still have a problem with the sources: One file is called `aux.c' which is a special filename on Windows systems. This results in the need to rename the file since it's impossible to create a file with that name on any Windows system. I have renamed the file to `aux_funcs.c'. Is it possible to convince the author to rename that file permanently?

This patch (attached as gzip'd file) needs the latest Cygwin version 1.1.3 which is accessible via ftp://sources.redhat.com/pub/cygwin/latest

ChangeLog:
==========

- Makefile.in: Changed to support $EXEEXT transparently.
  aux.o renamed to aux_funcs.o in LIBSSH_OBJS.
- acconfig.h: Add HAVE_CYGWIN.
- auth-passwd.c: Support getting NT passwords via Cygwin special functions.
  Disable check for uid = 0 when compiled for Cygwin.
- auth-skey.c: Add O_BINARY to open call.
- auth1.c: Reject changing user context if not authenticated via password under Windows NT.
  Disable check for uid = 0 when compiled for Cygwin.
- authfile.c: Add O_BINARY to open calls.
  Disable check for file modes when compiled for Cygwin.
- bsd-daemon.c: Avoid possible race condition under Cygwin.
- bsd-mktemp.c: Add O_BINARY to open call.
- config.h.in: Add HAVE_CYGWIN.
- configure.in: Add *-*-cygwin as target. Call AC_EXEEXT now.
- entropy.c: Add O_BINARY to open calls.
- includes.h: Use HAVE_CYGWIN to care for include files. Add a define for O_BINARY.
- loginrec.c: Add O_BINARY to open calls.
- pty.c: Don't call I_PUSH ioctl's under Cygwin.
- scp.c: Add O_BINARY to open calls.
  Call tcgetpgrp() instead of ioctl(..., TIOCGPGRP) to get the controlling terminal.
- session.c: Close xauthfiles immediately to avoid implicit file locking on Windows NT systems.
  Changes in environment setting. Disable check for uid 0.
  Don't call xauth with `.../unix' syntax under Cygwin.
- ssh.c: Disable setrlimit call under Cygwin. Take care of `.exe' file extension.

We (the Cygwin team) would be very glad if the Cygwin support became part of the portable OpenSSH.

Have fun,
Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                  mailto:cygwin at sources.redhat.com
Red Hat, Inc.                     mailto:vinschen at cygnus.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-2.1.1p4.p0.gz
Type: application/x-gzip
Size: 7504 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000801/e4747718/attachment.bin

From mouring at pconline.com Wed Aug 2 04:13:54 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Tue, 1 Aug 2000 13:13:54 -0500 (CDT)
Subject: [2.1.1p4] utmp patch for SunOS 4.1.x
In-Reply-To: <200008010910.CAA07102@thetics.europa.com>
Message-ID:

It has the NeXT seal of approval. =) That makes a few annoying warnings and readpass.c ctrl-Z/Ctrl-C fix left on the NeXT side of the house to be a clean port.

My suggestion is to remove the "defined(SUNOS4)" in the loginrec.c and let it just depend on the existence of HAVE_GETTTYENT unless that disrupts other ports.

On Tue, 1 Aug 2000, Nate Itkin wrote:

> Follow-on to Charles Levert's work on
> utmp_write_direct.
>
> Fixed:
>
> -- At logout, the utmp entry is cleared. Tested on SunOS 4.1.4.
> The code I added to loginrec.c is restricted to SUNOS4 pending
> QA testing on other platforms.
>
> This patch incorporates the work done by Charles Levert on
> 7/25/2000 00:43:22. (Do any of us sleep at night?)
>
> Remaining:
>
> -- Test on NeXT and other operating systems that need utmp_write_direct
> (those without entutent, getutent, getutid, getutline, ...) If
> successful, the SUNOS4 restriction could be removed and the FIXME
> can be eliminated. If not, similar code will need to be added
> to support those operating systems.
>
> -- In the unlikely case that other operating systems have prereqs.
> for ttyent.h, those .h files will need to be added to configure.in,
> includes.h, and config.h.in.
>
> Install: (prereq: GNU autoconf and Larry Wall's patch)
>
> o save attached context diffs to "patchfile"
>
> -- patch < patchfile (apply patch to 2.1.1p4 release)
> -- autoconf (generate configure, config.h, etc.)
>
> o follow ssh install docs.
In a nutshell, > > -- configure > -- gmake > -- gmake install > > -- > - Nate Itkin > - Nate.Itkin at europa.com > - "Looking for an off-ramp on the Information Superhighway" > > --------------------- cut-here --------------------- > > *** config.h.in.orig Mon Jul 31 10:06:48 2000 > --- config.h.in Mon Jul 31 10:10:36 2000 > *************** > *** 297,302 **** > --- 297,305 ---- > /* Define if you have the getutxline function. */ > #undef HAVE_GETUTXLINE > > + /* Define if you have the getttyent function. */ > + #undef HAVE_GETTTYENT > + > /* Define if you have the inet_aton function. */ > #undef HAVE_INET_ATON > > *************** > *** 482,487 **** > --- 485,493 ---- > > /* Define if you have the header file. */ > #undef HAVE_TIME_H > + > + /* Define if you have the header file. */ > + #undef HAVE_TTYENT_H > > /* Define if you have the header file. */ > #undef HAVE_USERSEC_H > *** configure.in.orig Fri Jul 14 21:59:14 2000 > --- configure.in Mon Jul 31 23:44:12 2000 > *************** > *** 137,142 **** > --- 137,147 ---- > *-*-sunos4*) > CFLAGS="$CFLAGS -DSUNOS4" > AC_CHECK_FUNCS(getpwanam) > + conf_utmp_location=/etc/utmp > + conf_wtmp_location=/var/adm/wtmp > + conf_lastlog_location=/var/adm/lastlog > + MANTYPE='$(CATMAN)' > + mansubdir=cat > ;; > *-sni-sysv*) > CFLAGS="$CFLAGS -I/usr/local/include" > *************** > *** 216,225 **** > fi > > # Checks for header files. > ! AC_CHECK_HEADERS(bstring.h endian.h floatingpoint.h lastlog.h limits.h login.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h time.h usersec.h util.h utmp.h utmpx.h) > > # Checks for library functions. > ! 
AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage inet_aton innetgr md5_crypt memmove mkdtemp on_exit openpty rresvport_af setenv seteuid setlogin setproctitle setreuid sigaction sigvec snprintf strerror strlcat strlcpy strsep vsnprintf vhangup _getpty __b64_ntop) > dnl checks for time functions > AC_CHECK_FUNCS(gettimeofday time) > dnl checks for libutil functions > --- 221,230 ---- > fi > > # Checks for header files. > ! AC_CHECK_HEADERS(bstring.h endian.h floatingpoint.h lastlog.h limits.h login.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h time.h ttyent.h usersec.h util.h utmp.h utmpx.h) > > # Checks for library functions. > ! AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage getttyent inet_aton innetgr md5_crypt memmove mkdtemp on_exit openpty rresvport_af setenv seteuid setlogin setproctitle setreuid sigaction sigvec snprintf strerror strlcat strlcpy strsep vsnprintf vhangup _getpty __b64_ntop) > dnl checks for time functions > AC_CHECK_FUNCS(gettimeofday time) > dnl checks for libutil functions > *** defines.h.orig Thu Jun 22 15:23:34 2000 > --- defines.h Tue Aug 1 00:33:17 2000 > *************** > *** 329,346 **** > #endif > > /* FIXME: put default paths back in */ > ! #if !defined(UTMP_FILE) && defined(_PATH_UTMP) > ! # define UTMP_FILE _PATH_UTMP > #endif > ! #if !defined(WTMP_FILE) && defined(_PATH_WTMP) > ! # define WTMP_FILE _PATH_WTMP > #endif > /* pick up the user's location for lastlog if given */ > ! #if !defined(LASTLOG_FILE) && defined(_PATH_LASTLOG) > ! # define LASTLOG_FILE _PATH_LASTLOG > ! #endif > ! #if !defined(LASTLOG_FILE) && defined(CONF_LASTLOG_FILE) > ! 
# define LASTLOG_FILE CONF_LASTLOG_FILE > #endif > > > --- 329,361 ---- > #endif > > /* FIXME: put default paths back in */ > ! #ifndef UTMP_FILE > ! # ifdef _PATH_UTMP > ! # define UTMP_FILE _PATH_UTMP > ! # else > ! # ifdef CONF_UTMP_FILE > ! # define UTMP_FILE CONF_UTMP_FILE > ! # endif > ! # endif > #endif > ! #ifndef WTMP_FILE > ! # ifdef _PATH_WTMP > ! # define WTMP_FILE _PATH_WTMP > ! # else > ! # ifdef CONF_WTMP_FILE > ! # define WTMP_FILE CONF_WTMP_FILE > ! # endif > ! # endif > #endif > /* pick up the user's location for lastlog if given */ > ! #ifndef LASTLOG_FILE > ! # ifdef _PATH_LASTLOG > ! # define LASTLOG_FILE _PATH_LASTLOG > ! # else > ! # ifdef CONF_LASTLOG_FILE > ! # define LASTLOG_FILE CONF_LASTLOG_FILE > ! # endif > ! # endif > #endif > > > *** includes.h.orig Mon Jul 31 10:29:28 2000 > --- includes.h Mon Jul 31 10:30:39 2000 > *************** > *** 70,75 **** > --- 70,78 ---- > #ifdef HAVE_SYS_BSDTTY_H > # include > #endif > + #ifdef HAVE_TTYENT_H > + # include > + #endif > #ifdef USE_PAM > # include > #endif > *** loginrec.c.orig Mon Jul 10 19:15:54 2000 > --- loginrec.c Mon Jul 31 10:37:45 2000 > *************** > *** 723,730 **** > --- 723,751 ---- > int tty; > > /* FIXME: (ATL) ttyslot() needs local implementation */ > + > + #if defined(SUNOS4) && defined(HAVE_GETTTYENT) > + > + register struct ttyent *ty; > + tty=0; > + setttyent(); > + while ((struct ttyent *)0 != (ty = getttyent())) { > + tty++; > + if(0 == strncmp(ty->ty_name,ut->ut_line,sizeof(ut->ut_line))) > + break; > + } > + endttyent(); > + if((struct ttyent *)0 == ty) { > + log("utmp_write_entry: tty not found"); > + return(1); > + } > + > + #else /* FIXME */ > + > tty = ttyslot(); /* seems only to work for /dev/ttyp? 
style names */ > > + #endif /* SUNOS4 && HAVE_GETTTYENT */ > + > if (tty > 0 && (fd = open(UTMP_FILE, O_RDWR|O_CREAT, 0644)) >= 0) { > (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); > /* > *************** > *** 740,746 **** > } > > (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); > ! if (atomicio(write, fd, ut, sizeof(ut)) != sizeof(ut)) > log("utmp_write_direct: error writing %s: %s", > UTMP_FILE, strerror(errno)); > > --- 761,767 ---- > } > > (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); > ! if (atomicio(write, fd, ut, sizeof(struct utmp)) != sizeof(struct utmp)) > log("utmp_write_direct: error writing %s: %s", > UTMP_FILE, strerror(errno)); > > > From DerekB at amdocs.com Wed Aug 2 04:35:33 2000 From: DerekB at amdocs.com (Derek Becker) Date: Tue, 1 Aug 2000 13:35:33 -0500 Subject: RSA authentication bypassing /etc/nologin Message-ID: Hello everyone, I noticed recently that when I had /etc/nologin in place on my server I couldn't log in when I authenticated via passwords, but when I used RSA authentication I was able to log in no problem. I looked through the source, and I think I might see where the problem is. I have a Linux system, so sshd was compiled with PAM support. Using normal authentication, the pam_nologin module correctly denies the login attempt (although I don't get the contents of /etc/nologin on my terminal, but that's a different issue). I understand that the RSA authentication can't use PAM for obvious reasons, but the only other check for /etc/nologin is in session.c, line 818. When PAM support is compiled in, the section that checks is essentially commented out inside an #ifndef USE_PAM. As a straightforward fix, I could incorporate the code contained in the #ifndef section into the auth-rsa.c file, but as this is my first post and I haven't dealt with the source too much before, I'm not sure where the most appropriate change would be to correctly implement the nologin mechanism. 
Any suggestions, comments? I tried searching the bug pages but I didn't see anything resembling this problem. I'm using 2.1.1p1. Thanks, Derek Becker Network Engineer Amdocs, Inc. 1390 Timberlake Manor Pkwy Chesterfield, MO 63017-6041 derekb at amdocs.com 314-212-7447 From provos at citi.umich.edu Wed Aug 2 05:03:07 2000 From: provos at citi.umich.edu (Niels Provos) Date: Tue, 01 Aug 2000 15:03:07 -0400 Subject: Port of OpenSSH-2.1.1p4 to Cygwin In-Reply-To: Corinna Vinschen, Tue, 01 Aug 2000 18:22:22 +0200 Message-ID: <20000801190306.EB738207C1@citi.umich.edu> Hi Corinna, In message <3986F93E.B05B9247 at cygnus.com>, Corinna Vinschen writes: >`aux_funcs.c'. Is it possible to convince the author to rename that >file permanently? We renamed it from aux.c to util.c - hope that helps. Niels. From vinschen at cygnus.com Wed Aug 2 05:43:53 2000 From: vinschen at cygnus.com (Corinna Vinschen) Date: Tue, 01 Aug 2000 21:43:53 +0200 Subject: Port of OpenSSH-2.1.1p4 to Cygwin References: <20000801190306.EB738207C1@citi.umich.edu> Message-ID: <39872879.1047BF2@cygnus.com> Niels Provos wrote: > > Hi Corinna, > > In message <3986F93E.B05B9247 at cygnus.com>, Corinna Vinschen writes: > >`aux_funcs.c'. Is it possible to convince the author to rename that > >file permanently? > We renamed it from aux.c to util.c - hope that helps. > > Niels. Thanks, Niels. That helps, indeed. Shall I change that in my patch and resend it or is the patch ok as it is? Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Developer mailto:cygwin at sources.redhat.com Red Hat, Inc. 
mailto:vinschen at cygnus.com

From sen_ml at eccosys.com Wed Aug 2 10:59:57 2000
From: sen_ml at eccosys.com (sen_ml at eccosys.com)
Date: Wed, 02 Aug 2000 09:59:57 +0900
Subject: OpenPGP auth
In-Reply-To: <20000801144214.27586B47B@fleck.princetonecom.com>
References: <20000801140405P.1001@eccosys.com> <20000801144214.27586B47B@fleck.princetonecom.com>
Message-ID: <20000802095957D.1001@eccosys.com>

From: Chip Christian
Subject: Re: OpenPGP auth
Date: Tue, 01 Aug 2000 10:42:14 -0400
Message-ID: <20000801144214.27586B47B at fleck.princetonecom.com>

> Werner Koch is definitely not working on a library. I don't have a direct
> quote handy, but I recall him saying he wouldn't since he couldn't know
> what the library's user is doing with memory. I did find this response on
> the topic:
> 
> > No. Use the Unix way. The overhead of fork and exec is not that high
> > compared to the crypto operations. Have a look at your MTA, it is
> > calling procmail (when used) for each message. The httpd calls a CGI
> > on every transaction.

yes, i remember that post. if i dug enough, i could also find a later post from him saying that it would be really nice to have an openpgp packet manipulation library too ;-)

it'd be nice to have openpgp auth in openssh, but i don't suppose the priority is that high. i suppose not having it forces people to use different authentication tokens/info (if you had openpgp auth, you'd probably be at least tempted to use the same key pairs for mail and for ssh authentication) which might actually be a better thing security-wise (cf. the all-mighty card system discussion at mit a few years back).

From Edwin.Brown at sdrc.com Wed Aug 2 22:46:45 2000
From: Edwin.Brown at sdrc.com (Edwin Brown)
Date: Wed, 02 Aug 2000 14:46:45 +0200
Subject: IRIX 6.5.5m openssh-2.1.1p4 IRIX_AUDIT PROBLEM
Message-ID: <39881835.3F48D8C@sdrc.com>

There is an error when installing ssh as a non-root user on SGI IRIX 6.5.5m. See the error below when negotiating connection:

---BEGIN ERROR LISTING---
ssh -c blowfish -P -v -p 3400 -X -i /usr/people/bozo/.ssh/identity -l bozo 1.2.3.4
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /free/bozo/sgi/etc/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 82409 geteuid 82409 anon 1
debug: Connecting to 1.2.3.4 [1.2.3.4] port 3400.
debug: Connection established.
debug: Setting sat id to 82409
error setting satid: Operation not permitted
debug: Calling cleanup 0x1003ddc0(0x0)
---END ERROR LISTING---

The actual error is generated from lines 89-95 of uidswap.c

---BEGIN UIDSWAP CODE---
 82 /*
 83  * Permanently sets all uids to the given uid.  This cannot be
 84  * called while temporarily_use_uid is effective.
 85  */
 86 void
 87 permanently_set_uid(uid_t uid)
 88 {
 89 #ifdef WITH_IRIX_AUDIT
 90 	if (sysconf(_SC_AUDIT)) {
 91 		debug("Setting sat id to %d", (int) uid);
 92 		if (satsetid(uid))
 93 			fatal("error setting satid: %.100s", strerror(errno));
 94 	}
 95 #endif /* WITH_IRIX_AUDIT */
 96 
 97 	if (setuid(uid) < 0)
 98 		debug("setuid %d: %.100s", (int) uid, strerror(errno));
 99 }
---END UIDSWAP CODE---

Here is a context diff patch for a generated config.h file

---BEGIN PATCH--- *** config.h Wed Aug 2 14:37:08 2000 --- config.h.me Wed Aug 2 14:37:42 2000 *************** *** 41,47 **** #define WITH_IRIX_PROJECT 1 /* Define if you want IRIX audit trails */ ! #define WITH_IRIX_AUDIT 1 /* Location of random number pool */ /* #undef RANDOM_POOL */ --- 41,47 ---- #define WITH_IRIX_PROJECT 1 /* Define if you want IRIX audit trails */ ! /* #undef WITH_IRIX_AUDIT */ /* Location of random number pool */ /* #undef RANDOM_POOL */ ---END PATCH---

Shouldn't there actually be a --enable --disable switch for the IRIX stuff or a --with-root-install switch to see if you are going to install as root?

Anyway. Hope this helps out.
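Review bot: Undefining WITH_IRIX_AUDIT in the generated config.h is lost the next time configure is run, and it switches the audit trail off for root installations too, which is exactly where it is wanted. The listing above shows the real problem: the `fatal()` at line 93 of the uidswap.c excerpt fires whenever satsetid() returns EPERM, i.e. whenever ssh runs as an unprivileged user. Downgrading that to a non-fatal log when geteuid() != 0, or adding the configure switch suggested above, keeps audit support for the case it was written for.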
If I get around to it, I'll fix the configure.in stuff myself and send in the patches. -Edwin -- Ford Werke AG D-NZ/FF-1C3P Voice: (+49) 221 90 19848 Henry-Ford-Str. 1 FAX: (+49) 221 90 19849 50725 Koeln E-mail: Edwin.Brown at sdrc.com Germany PROFS: ebrown16 at ford.com From Pete.Chown at skygate.co.uk Thu Aug 3 00:42:37 2000 From: Pete.Chown at skygate.co.uk (Pete Chown) Date: Wed, 2 Aug 2000 15:42:37 +0100 Subject: OpenPGP auth In-Reply-To: <20000802095957D.1001@eccosys.com>; from sen_ml@eccosys.com on Wed, Aug 02, 2000 at 09:59:57AM +0900 References: <20000801140405P.1001@eccosys.com> <20000801144214.27586B47B@fleck.princetonecom.com> <20000802095957D.1001@eccosys.com> Message-ID: <20000802154237.B13181@hyena.skygate.co.uk> sen_ml at eccosys.com wrote: > if i dug enough, i could also find a later post from [Werner Koch] > saying that it would be really nice to have an openpgp packet > manipulation library too ;-) Yes -- there have been a few posts along these lines on the gnupg lists over the last week or so. I got this wrong; sorry. > it'd be nice to have openpgp auth in openssh, but i don't suppose the > priority is that high. i suppose not having it forces people to use > different authentication tokens/info (if you had openpgp auth, you'd > probably be at least tempted to use the same key pairs for mail and > for ssh authentication) which might actually be a better thing > security-wise (cf. the all-mighty card system discussion at mit a few > years back). My motivation is not really to let people use the same keys for everything, although that might be useful in some circumstances. What I think is neat about OpenPGP auth is that it makes access control more flexible. You could, for example, grant access to systems just by signing a key. If you wanted to withdraw access again you could revoke the signature. I will be fascinated to see how well this works in practice. 
-- Pete From provos at citi.umich.edu Thu Aug 3 02:35:28 2000 From: provos at citi.umich.edu (Niels Provos) Date: Wed, 02 Aug 2000 12:35:28 -0400 Subject: Port of OpenSSH-2.1.1p4 to Cygwin In-Reply-To: Corinna Vinschen, Tue, 01 Aug 2000 21:43:53 +0200 Message-ID: <20000802163528.0BB9A207C1@citi.umich.edu> In message <39872879.1047BF2 at cygnus.com>, Corinna Vinschen writes: >That helps, indeed. Shall I change that in my patch and resend it or >is the patch ok as it is? For further integration of your patch into the portable version of OpenSSH, you need to talk with Damien Miller. For example, there is no O_BINARY in POSIX. If you need to specify O_BINARY, then there is a problem with cygwin. And that's the place where it should be fixed. Niels. From vinschen at cygnus.com Thu Aug 3 03:48:35 2000 From: vinschen at cygnus.com (Corinna Vinschen) Date: Wed, 02 Aug 2000 19:48:35 +0200 Subject: Port of OpenSSH-2.1.1p4 to Cygwin References: <20000802163528.0BB9A207C1@citi.umich.edu> Message-ID: <39885EF3.2B51E24E@cygnus.com> Niels Provos wrote: > > In message <39872879.1047BF2 at cygnus.com>, Corinna Vinschen writes: > >That helps, indeed. Shall I change that in my patch and resend it or > >is the patch ok as it is? > For further integration of your patch into the portable version of > OpenSSH, you need to talk with Damien Miller. > > For example, there is no O_BINARY in POSIX. If you need to specify > O_BINARY, then there is a problem with cygwin. And that's the place > where it should be fixed. You know that this is impossible, do you? The underlying system is using two byte line endings and there has to be a method to disallow CRLF <-> LF translation for reading binary files in contrast to text files. On the other hand I don't understand where the problem is. The O_BINARY usage in the patch is transparent to all other operating systems and many parts of the sources contain special code for different OSes like HPUX, Solaris, NeXT etc. 
Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Developer mailto:cygwin at sources.redhat.com Red Hat, Inc. mailto:vinschen at cygnus.com From loomisg at cist.saic.com Thu Aug 3 05:21:06 2000 From: loomisg at cist.saic.com (Rip Loomis) Date: Wed, 2 Aug 2000 15:21:06 -0400 Subject: [PATCH] Add Solaris 'pkgadd' support scripts in contrib/solaris Message-ID: <003a01bffcb6$cf168430$275346d1@rloomis.cist.saic.com> All-- Attached is a tarball that has undergone some testing here and appears to handle all reasonable cases. The goal is to allow OpenSSH users to easily create installable Solaris packages, which can be installed using the native 'pkgadd' command. Comments requested--it sure has helped things here. As always, I would recommend caution if you're trying to upgrade SSH while logged in remotely by SSH. >From the README: ______________ To use, simply expand this tarball under your main OpenSSH source directory--it will create a contrib/solaris subdirectory. Run configure and make in OpenSSH as before. Then, from either that directory or the main OpenSSH source directory, run the command "build-pkg" (specifying the appropriate path of course.) A subdirectory will be created as contrib/solaris/build-SSH-package, and after the build is done the package will be present in that build-SSH-package directory with a name of the form OPENssh-$SSHversion-$arch-$OSversion[-$installLocation] The build and install scripts should take into account most possible situations (existing SSH installation, differences in Solaris version between build and target systems, changes you have made to the default configuration, etc.) I would appreciate any feedback or comments. ______________ For anyone who hasn't played with packages of this type before (such as the ones on sunfreeware.com), the packages built with these scripts are installed using 'pkgadd -d FILENAME'. --Rip -------------- next part -------------- A non-text attachment was scrubbed... 
Name: openssh-solaris-pkgscripts.tgz
Type: application/x-compressed
Size: 7283 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000802/1d5ef6fc/attachment.bin

From amb at cobite.com Thu Aug 3 08:05:44 2000
From: amb at cobite.com (Adam Bentitou)
Date: Wed, 2 Aug 2000 18:05:44 -0400 (EDT)
Subject: load_private_key hell
Message-ID:

NOTE: If you know how to properly use load_private_key for dsa keys and
NOTE: don't want to read my long post, simply reply with that info and
NOTE: I will really appreciate it. thanks.

I've been playing with the source code and trying to create extra apps. All has been going well except the fact that I can't load a dsa private key. To highlight my problem I stole some code directly from sshconnect2.c (which loads the dsa private key) and put it in a test program, and it still doesn't work. The source will follow this message.

Then I got out my trusty copy of gdb. I ran it on ssh and on my test program, simultaneously. While running I checked that the arguments to load_private_key were identical in ssh and my test program for both times they are called. I continued checking like this for every function call inside load_private_key. The first difference I noticed was in load_private_key_dsa. After it calls:

in = BIO_new(BIO_s_file());

The "in" structure in my test program and ssh are identical except for in->ex_data->dummy which is 0 in ssh and 1886999597 in my program!?! I don't know how that happens, since that function takes no arguments. I'm guessing some sort of global variable? Also with the BIO functions I am now into undocumented openssl code. yay!

Anyway, since everything else was identical I just set in->ex_data->dummy to 0 in gdb and let it run but it still failed. Next I let it go all the way to PEM_read_bio_DSAPrivateKey (more undocumented openssl code) without changing in->ex_data->dummy. Then I single instruction step all the way through PEM_read_bio_DSAPrivateKey and I find something really odd. Deep in the middle of some library with no debugging info I get a big difference between ssh and my test program. In ssh I get:

_IO_fgets (buf=0xbffff0bc "", n=1, fp=0x6) at iofgets.c:34
34 in iofgets.c

which looks ok. But in my program I get:

_IO_fgets (buf=0x5 , n=5, fp=0xa544156) at iofgets.c:34
34 in iofgets.c

Which is obviously broken, and it looks like somehow buf and fp have been mixed up.

Anyway if somebody could give me any idea of how load_private_key for dsa keys is supposed to work, I would really appreciate it.

Adam Bentitou

#include "includes.h"
#include <sys/stat.h>		/* stat(), struct stat */
#include <openssl/evp.h>	/* SSLeay_add_all_algorithms() */
#include "buffer.h"
#include "bufaux.h"
#include "ssh.h"
#include "xmalloc.h"
#include "rsa.h"
#include "ssh2.h"
#include "kex.h"
#include "key.h"
#include "dsa.h"
#include "authfile.h"

int
main(int argc, char *argv[])
{
	Key *k;
	struct stat st;
	char *filename = "/home/sun1/amb/.ssh/id_dsa";

	/*
	 * Register OpenSSL's ciphers and digests before any PEM key is
	 * parsed: decrypting a passphrase-protected key looks the cipher
	 * up by name, which fails if nothing has been registered (this is
	 * the call Damien Miller asks about in his reply).
	 */
	SSLeay_add_all_algorithms();

	if (stat(filename, &st) != 0) {
		debug("key does not exist: %s", filename);
		return 0;
	}
	k = key_new(KEY_DSA);
	/* First try without a passphrase, then prompt for one. */
	if (!load_private_key(filename, "", k, NULL)) {
		int success = 0;
		char *passphrase;
		char prompt[300];

		snprintf(prompt, sizeof prompt,
		    "Enter passphrase for DSA key '%.100s': ", filename);
		passphrase = read_passphrase(prompt, 0);
		success = load_private_key(filename, passphrase, k, NULL);
		memset(passphrase, 0, strlen(passphrase));
		xfree(passphrase);
		if (!success) {
			key_free(k);
			printf("FAILURE\n");
			exit(0);
		}
	}
	/* Reached for both the unencrypted and the passphrase case. */
	printf("SUCCESS!\n");
	key_free(k);
	return 0;
}

From djm at mindrot.org Thu Aug 3 11:31:00 2000
From: djm at mindrot.org (Damien Miller) Date: Thu, 3 Aug 2000 11:31:00 +1000 (EST) Subject: Port of OpenSSH-2.1.1p4 to Cygwin In-Reply-To: <39885EF3.2B51E24E@cygnus.com> Message-ID: On Wed, 2 Aug 2000, Corinna Vinschen wrote: > You know that this is impossible, do you? > > The underlying system is using two byte line endings and there > has to be a method to disallow CRLF <-> LF translation for > reading binary files in contrast to text files. Why should read() and write() do line ending translations anyway? > On the other hand I don't understand where the problem is. > The O_BINARY usage in the patch is transparent to all > other operating systems and many parts of the sources contain > special code for different OSes like HPUX, Solaris, NeXT etc. It makes keeping the portable version in sync with the OpenBSD tree much more difficult (lots more broken diffs) why is why I haven't merged these changes. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Thu Aug 3 11:33:43 2000 From: djm at mindrot.org (Damien Miller) Date: Thu, 3 Aug 2000 11:33:43 +1000 (EST) Subject: OpenPGP auth In-Reply-To: <20000801144214.27586B47B@fleck.princetonecom.com> Message-ID: On Tue, 1 Aug 2000, Chip Christian wrote: > Werner Koch is definitely not working on a library. Add to this the complication that such a library would likely be GPL licensed and thus incompatible with OpenSSH's BSD license. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From sen_ml at eccosys.com Thu Aug 3 13:06:10 2000 
From: sen_ml at eccosys.com (sen_ml at eccosys.com) Date: Thu, 03 Aug 2000 12:06:10 +0900 Subject: perhaps getting off-topic (Re: OpenPGP auth) In-Reply-To: <20000802154237.B13181@hyena.skygate.co.uk> References: <20000801144214.27586B47B@fleck.princetonecom.com> <20000802095957D.1001@eccosys.com> <20000802154237.B13181@hyena.skygate.co.uk> Message-ID: <20000803120610R.1001@eccosys.com> From: Pete Chown Subject: Re: OpenPGP auth Date: Wed, 2 Aug 2000 15:42:37 +0100 Message-ID: <20000802154237.B13181 at hyena.skygate.co.uk> > sen_ml at eccosys.com wrote: > > > if i dug enough, i could also find a later post from [Werner Koch] > > saying that it would be really nice to have an openpgp packet > > manipulation library too ;-) > > Yes -- there have been a few posts along these lines on the gnupg > lists over the last week or so. I got this wrong; sorry. no worries ;-) > My motivation is not really to let people use the same keys for > everything, although that might be useful in some circumstances. i agree that it would be useful under certain circumstances -- in combination w/ some sort of general agent mechanism (which allows selective decryption of keys, for instance), i would be fairly happy. > What I think is neat about OpenPGP auth is that it makes access > control more flexible. You could, for example, grant access to > systems just by signing a key. If you wanted to withdraw access again > you could revoke the signature. I will be fascinated to see how well > this works in practice. for reference, if you have not already done so, i would suggest that you have a look at the "now expired" [1] pgp ticket draft. there's something relevant pointed at by: http://noc.rutgers.edu/~mione/ietf/pgptick/ [1] last i checked it had expired anyway From djm at mindrot.org Thu Aug 3 17:01:42 2000 
From: djm at mindrot.org (Damien Miller) Date: Thu, 3 Aug 2000 17:01:42 +1000 (EST) Subject: load_private_key hell In-Reply-To: Message-ID: On Wed, 2 Aug 2000, Adam Bentitou wrote: > I've been playing with the source code and trying to create extra > apps. All has been going well except the fact that I can't load a dsa > private key. Have you made a SSLeay_add_all_algorithms() call in your app? -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From vinschen at cygnus.com Thu Aug 3 22:18:58 2000 
From: vinschen at cygnus.com (Corinna Vinschen)
Date: Thu, 03 Aug 2000 14:18:58 +0200
Subject: Port of OpenSSH-2.1.1p4 to Cygwin
References:
Message-ID: <39896332.9B1A75C5@cygnus.com>

[Sorry for resending. That mail didn't show up in the mailing list.]

Damien Miller wrote:
> 
> On Wed, 2 Aug 2000, Corinna Vinschen wrote:
> 
> > You know that this is impossible, do you?
> >
> > The underlying system is using two byte line endings and there
> > has to be a method to disallow CRLF <-> LF translation for
> > reading binary files in contrast to text files.
> 
> Why should read() and write() do line ending translations anyway?

There are many applications which are using read/write for text files, for example `ash', while others are using read/write for binary operations like `od'. The current port to Cygwin is using text mode as default so I could drop the fopen(foo, "rt") constructs which some people on this mailing list object to. Now it's the problem with O_BINARY in open calls. Sigh.

> > On the other hand I don't understand where the problem is.
> > The O_BINARY usage in the patch is transparent to all
> > other operating systems and many parts of the sources contain
> > special code for different OSes like HPUX, Solaris, NeXT etc.
> 
> It makes keeping the portable version in sync with the OpenBSD tree
> much more difficult (lots more broken diffs) which is why I haven't
> merged these changes.

I have solved that now as follows: I have created a new file `cygwin_util.c' which contains the function `binary_open' which in turn calls `open' with the O_BINARY flag if and only if HAVE_CYGWIN is defined. In `includes.h' and `bsd-mktemp.c' (because it doesn't include `includes.h') I have added the following lines:

#ifdef HAVE_CYGWIN
#define open binary_open
extern int binary_open();
#endif

This has the result that O_BINARY is only used in the new `cygwin_util.c' file. I hope that this is according to your needs.

I have attached the complete patch to version 2.1.1p4 again as gzip'd file because of its size. It contains two additional modifications which were needed to get sshd running under inetd on NT/W2K and to get sshd working on 9X.

ChangeLog:
==========

- Makefile.in: Changed to support $EXEEXT transparently. Added `cygwin_util.o' to the dependencies of LIBSSH_OBJS.
- acconfig.h: Add HAVE_CYGWIN.
- auth-passwd.c: Support getting NT passwords via Cygwin special functions. Disable check for uid = 0 when compiled for Cygwin.
- auth1.c: Reject changing user context if not authenticated via password under Windows NT. Disable check for uid = 0 when HAVE_CYGWIN is set.
- authfile.c: Disable check for file modes when HAVE_CYGWIN is set.
- bsd-daemon.c: Avoid possible race condition under Cygwin.
- bsd-mktemp.c: Define `open' as `binary_open' when HAVE_CYGWIN is set.
- config.h.in: Add HAVE_CYGWIN.
- configure.in: Add *-*-cygwin as target. Call AC_EXEEXT now.
- cygwin_util.c: New file containing just `binary_open' function.
- includes.h: Use HAVE_CYGWIN to care for include files. Define `open' as `binary_open' when HAVE_CYGWIN is set.
- loginrec.c: Disable check for uid 0 when HAVE_CYGWIN is set.
- pty.c: Disable HAVE_VHANGUP explicitly if HAVE_CYGWIN is set. Don't call I_PUSH ioctl's under Cygwin.
- scp.c: Call tcgetpgrp() instead of ioctl(..., TIOCGPGRP) to get the controlling terminal when HAVE_CYGWIN is set.
- session.c: Close xauthfiles immediately to avoid implicit file lockings on Windows NT systems. Changes in environment setting. Disable check for uid 0 when HAVE_CYGWIN is set. Don't call xauth with `.../unix' syntax under Cygwin.
- ssh.c: Disable setrlimit call under Cygwin. Take care for `.exe' file extension.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin at sources.redhat.com
Red Hat, Inc.
mailto:vinschen at cygnus.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-2.1.1p4.p0.gz
Type: application/x-gzip
Size: 5994 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000803/b368197c/attachment.bin

From janfrode at parallab.uib.no Thu Aug 3 20:49:48 2000
From: janfrode at parallab.uib.no (Jan-Frode Myklebust)
Date: Thu, 3 Aug 2000 12:49:48 +0200
Subject: lastlog_get_entry error on IRIX
Message-ID: <20000803124947.A1461@ii.uib.no>
Precedence: bulk

Hi,

I'm getting the error:

sshd[71835]: lastlog_get_entry: Error reading from /var/adm/lastlog: Error 0

from openssh 2.1.1p4 on IRIX (6.5.8m). Looks like there's some confusion about /var/adm/lastlog being a directory and not a file on IRIX.

./configure says:

checking for lastlog... no
checking if your system defines LASTLOG_FILE... no

but I still get the error in the syslog.

-jf

From vinschen at cygnus.com Thu Aug 3 18:49:55 2000
From mstone at cs.loyola.edu Fri Aug 4 11:55:35 2000
From: mstone at cs.loyola.edu (Michael Stone)
Date: Thu, 3 Aug 2000 21:55:35 -0400
Subject: IRIX 6.5.5m openssh-2.1.1p4 IRIX_AUDIT PROBLEM
In-Reply-To: <39881835.3F48D8C@sdrc.com>; from Edwin Brown on Wed, Aug 02, 2000 at 02:46:45PM +0200
References: <39881835.3F48D8C@sdrc.com>
Message-ID: <20000803215535.D13699@justice.loyola.edu>
Precedence: bulk

On Wed, Aug 02, 2000 at 02:46:45PM +0200, Edwin Brown wrote:
> The actual error is generated from lines 89-95 of uidswap.c
> 
> ---BEGIN UIDSWAP CODE---
> 82 /*
> 83  * Permanently sets all uids to the given uid.  This cannot be
> 84  * called while temporarily_use_uid is effective.
> 85  */
> 86 void
> 87 permanently_set_uid(uid_t uid)
> 88 {
> 89 #ifdef WITH_IRIX_AUDIT
> 90 	if (sysconf(_SC_AUDIT)) {
> 91 		debug("Setting sat id to %d", (int) uid);
> 92 		if (satsetid(uid))
> 93 			fatal("error setting satid: %.100s", strerror(errno));

Make this fatal a debug. In the case where ssh is running as a non-root user, the failure doesn't matter.

-- 
Mike Stone

From pekkas at netcore.fi Fri Aug 4 20:28:56 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Fri, 4 Aug 2000 13:28:56 +0300 (EEST)
Subject: /etc/motd printed twice on Irix 6.5.
Message-ID:
Precedence: bulk

Hello all,

I tested openssh-2.1.1p4 briefly on 64-bit Irix 6.5 system.

I noticed that when I log on, /etc/motd is printed out twice in a row. This does not happen with SSH.COM's ssh. UseLogin is disabled.

Works fine in Linux and FreeBSD.

Anyone else (Irix users?) notice anything like this happening?

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi      not those you stumble over and fall"

From janfrode at parallab.uib.no Fri Aug 4 20:43:06 2000
From: janfrode at parallab.uib.no (Jan-Frode Myklebust) Date: Fri, 4 Aug 2000 12:43:06 +0200 Subject: /etc/motd printed twice on Irix 6.5. In-Reply-To: ; from pekkas@netcore.fi on Fri, Aug 04, 2000 at 01:28:56PM +0300 References: Message-ID: <20000804124306.A3641@ii.uib.no> Precedence: bulk > > I tested openssh-2.1.1p4 briefly on 64-bit Irix 6.5 system. > > I noticed that when I log on, /etc/motd is printed out twice in the > row. This does not happen with SSH.COM's ssh. UseLogin is disabled. > > Works fine in Linux and FreeBSD. > > Anyone else (Irix users?) notice anything like this happening? > Yes, you can fix it by setting 'PrintMotd no' in the sshd_config. -jf From rmy at tigress.co.uk Fri Aug 4 21:03:11 2000 
From: rmy at tigress.co.uk (Ron Yorston) Date: Fri, 4 Aug 2000 12:03:11 +0100 (BST) Subject: Combining RSA host authentication with another method Message-ID: <200008041103.MAA03201@tiffany.tigress.pgs.com.> Precedence: bulk Hi folks, It seemed to me that it would be useful to be able to control access to my server with the /etc/ssh_known_hosts file, using RSA authentication of the remote host. But the protocol only allows RSA host authentication in conjunction with rhosts, while I prefer RSA user authentication. I've made a patch to the server which adds a new configuration option: RSAHostOtherAuthentication. When this option is enabled RSA host authentication is turned on, but without the rhosts check. Also, RSA host authentication on its own is insufficient to authenticate the user. The server also requires one other authentication method to succeed. It doesn't matter which, and the order in which the methods are tried doesn't matter. With this modified server I can enable RSA authentication of both the remote host and the user. This only works if the client is willing to try different authentication methods if the first doesn't succeed. I'm happy with this, but does it make sense? Is there any obvious flaw? Ron diff -c openssh-2.1.1p4.orig/auth-rh-rsa.c openssh-2.1.1p4/auth-rh-rsa.c *** openssh-2.1.1p4.orig/auth-rh-rsa.c Thu Jun 22 12:32:31 2000 --- openssh-2.1.1p4/auth-rh-rsa.c Fri Aug 4 10:25:55 2000 *************** *** 47,53 **** return 0; /* Check if we would accept it using rhosts authentication. */ ! if (!auth_rhosts(pw, client_user)) return 0; canonical_hostname = get_canonical_hostname(); --- 47,54 ---- return 0; /* Check if we would accept it using rhosts authentication. */ ! /* But not if we're doing RSA host/other authentication. */ ! 
if (!options.rsa_host_other_authentication && !auth_rhosts(pw, client_user)) return 0; canonical_hostname = get_canonical_hostname(); diff -c openssh-2.1.1p4.orig/auth1.c openssh-2.1.1p4/auth1.c *** openssh-2.1.1p4.orig/auth1.c Sat Jul 8 01:44:14 2000 --- openssh-2.1.1p4/auth1.c Fri Aug 4 11:04:57 2000 *************** *** 31,36 **** --- 31,40 ---- extern char **saved_argv; #endif /* HAVE_OSF_SIA */ + #define AUTH_RSA_HOST 1 + #define AUTH_OTHER 2 + #define AUTH_BOTH (AUTH_RSA_HOST|AUTH_OTHER) + /* * convert ssh auth msg type into description */ *************** *** 150,155 **** --- 154,160 ---- unsigned int ulen; int type = 0; void (*authlog) (const char *fmt,...) = verbose; + int authenticated_so_far = 0; /* Indicate that authentication is needed. */ packet_start(SSH_SMSG_FAILURE); *************** *** 371,376 **** --- 376,404 ---- break; } + /* + * If we require both RSA host and some other authentication + * check that we've obtained two distinct authentications. + */ + if ( options.rsa_host_other_authentication && authenticated ) { + if ( type == SSH_CMSG_AUTH_RHOSTS_RSA ) { + authenticated_so_far |= AUTH_RSA_HOST ; + } + else { + authenticated_so_far |= AUTH_OTHER ; + } + + if ( authenticated_so_far == AUTH_BOTH ) { + verbose("Both RSA host and other authentication accepted."); + packet_send_debug("Both RSA host and other authentication accepted."); + } + else { + authenticated = 0 ; + verbose("Awaiting further authentication."); + packet_send_debug("Awaiting further authentication."); + } + } + /* * Check if the user is logging in as root and root logins * are disallowed. 
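Review bot: In the auth-rh-rsa.c hunk, the new condition skips auth_rhosts() entirely when rsa_host_other_authentication is set, so client_user is no longer checked against anything in that mode and a success return from auth_rhosts_rsa() then proves only the identity of the client host. That is the stated design, but the surviving comment "Check if we would accept it using rhosts authentication" becomes misleading; reword it to say the rhosts check is deliberately bypassed and that the caller must require a second, user-level method. Also confirm that auth-rh-rsa.c already has `extern ServerOptions options;` in scope, since the hunk adds the use but no declaration.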
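Review bot: In the auth1.c hunk at 371,376, the `authenticated = 0 ;` in the "Awaiting further authentication" branch makes the unchanged code after the hunk treat an accepted first method as a failed attempt: it will be logged as a failure, counted toward whatever failure limit the loop enforces, and answered with the SSH_SMSG_FAILURE that the 150,155 hunk's context shows is used to ask for more. Keep `authenticated` as the per-method result and decide whether to leave the loop from `authenticated_so_far` instead, so a client that correctly completes RSA host authentication is not locked out before it can present its second method and the log distinguishes "partial" from "failed". Separately, because `type` is compared only against SSH_CMSG_AUTH_RHOSTS_RSA, a plain SSH_CMSG_AUTH_RHOSTS success would satisfy AUTH_OTHER; if the intent is RSA host plus a user-level proof, exclude rhosts here or document that it counts.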
diff -c openssh-2.1.1p4.orig/servconf.c openssh-2.1.1p4/servconf.c *** openssh-2.1.1p4.orig/servconf.c Sat Jul 15 05:14:17 2000 --- openssh-2.1.1p4/servconf.c Fri Aug 4 10:49:16 2000 *************** *** 52,57 **** --- 52,58 ---- options->rhosts_authentication = -1; options->rhosts_rsa_authentication = -1; options->rsa_authentication = -1; + options->rsa_host_other_authentication = -1; options->dsa_authentication = -1; #ifdef KRB4 options->kerberos_authentication = -1; *************** *** 130,135 **** --- 131,138 ---- options->rhosts_rsa_authentication = 0; if (options->rsa_authentication == -1) options->rsa_authentication = 1; + if (options->rsa_host_other_authentication == -1) + options->rsa_host_other_authentication = 0; if (options->dsa_authentication == -1) options->dsa_authentication = 1; #ifdef KRB4 *************** *** 170,175 **** --- 173,179 ---- sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, + sRSAHostOtherAuthentication, #ifdef KRB4 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, #endif *************** *** 205,210 **** --- 209,215 ---- { "rhostsauthentication", sRhostsAuthentication }, { "rhostsrsaauthentication", sRhostsRSAAuthentication }, { "rsaauthentication", sRSAAuthentication }, + { "rsahostotherauthentication", sRSAHostOtherAuthentication }, { "dsaauthentication", sDSAAuthentication }, #ifdef KRB4 { "kerberosauthentication", sKerberosAuthentication }, *************** *** 457,462 **** --- 462,471 ---- intptr = &options->rhosts_rsa_authentication; goto parse_flag; + case sRSAHostOtherAuthentication: + intptr = &options->rsa_host_other_authentication; + goto parse_flag; + case sRSAAuthentication: intptr = &options->rsa_authentication; goto parse_flag; diff -c openssh-2.1.1p4.orig/servconf.h openssh-2.1.1p4/servconf.h *** openssh-2.1.1p4.orig/servconf.h Tue Jul 11 08:31:38 2000 --- 
openssh-2.1.1p4/servconf.h Fri Aug 4 10:26:09 2000 *************** *** 61,66 **** --- 61,68 ---- int rhosts_rsa_authentication; /* If true, permit rhosts RSA * authentication. */ int rsa_authentication; /* If true, permit RSA authentication. */ + int rsa_host_other_authentication; /* If true, require RSA host + * authentication and some other. */ int dsa_authentication; /* If true, permit DSA authentication. */ #ifdef KRB4 int kerberos_authentication; /* If true, permit Kerberos diff -c openssh-2.1.1p4.orig/sshd.8 openssh-2.1.1p4/sshd.8 *** openssh-2.1.1p4.orig/sshd.8 Tue Jul 11 08:31:39 2000 --- openssh-2.1.1p4/sshd.8 Fri Aug 4 11:09:06 2000 *************** *** 530,535 **** --- 530,541 ---- The default is .Dq yes . Note that this option applies to protocol version 1 only. + .It Cm RSAHostOtherAuthentication + Specifies whether a combination of RSA host and some other form of + authentication is required. + .Cm RhostsRSAAuthentication + will be enabled automatically if this option is enabled, but the rhost + authentication part will be ignored. .It Cm ServerKeyBits Defines the number of bits in the server key. The minimum value is 512, and the default is 768. diff -c openssh-2.1.1p4.orig/sshd.c openssh-2.1.1p4/sshd.c *** openssh-2.1.1p4.orig/sshd.c Wed Jul 12 00:45:27 2000 --- openssh-2.1.1p4/sshd.c Fri Aug 4 10:52:33 2000 *************** *** 977,982 **** --- 977,985 ---- * programs. Of course, if the intruder has root access on his local * machine, he can connect from any port. So do not use these * authentication methods from machines that you do not trust. + * + * If we're doing RSA host/other authentication we must have rhosts/RSA, + * but this is OK because we won't use rhosts authentication. 
*/ if (remote_port >= IPPORT_RESERVED || remote_port < IPPORT_RESERVED / 2) { *************** *** 983,988 **** --- 986,994 ---- options.rhosts_authentication = 0; options.rhosts_rsa_authentication = 0; } + if ( options.rsa_host_other_authentication ) { + options.rhosts_rsa_authentication = 1; + } #ifdef KRB4 if (!packet_connection_is_ipv4() && options.kerberos_authentication) {

From acox at cv.telegroup.com Fri Aug 4 22:39:29 2000
From: acox at cv.telegroup.com (Aran Cox)
Date: Fri, 04 Aug 2000 14:39:29 +0200
Subject: remote commands: Command terminated on signal 13.
Message-ID: <398AB981.21B661EE@cv.telegroup.com>
Precedence: bulk

Background:
Client: RH6.2, openssh-2.1.1p4, egcs-2.91.66
Server: SCO OS 5.0.5, openssh-2.1.1p4, SCO Dev environment
RSA Authentication via ssh-agent

Any time I attempt to remotely run commands using the -n option from my linux machine to a SCO OS I get this:

[spin at lazarus]$ ssh -n -l root somehost ls
Received disconnect: Command terminated on signal 13.

If I remove the -n option, the command completes normally. If I place the above simple command inside a shell script like this one:

while read host; do
    ssh -l root $host ls
done

it still doesn't work, giving the same error message as above. According to signal(7), 13 is SIGPIPE which means a write to a pipe with no readers. I assume that this problem has something to do with redirecting stdin. Is it not being done properly in 2.1.1p4 under SCO? I tried to duplicate this behaviour with a linux sshd but I couldn't. I also tested X11 apps (using -n) and using ssh as a login mechanism. Both worked fine.

Has anyone else seen this? Any suggestions?

From burnus at gmx.de Sat Aug 5 01:51:54 2000
From: burnus at gmx.de (Tobias Burnus)
Date: Fri, 04 Aug 2000 17:51:54 +0200
Subject: OpenSSH -> SSH; ssh-agent: reasking for passphrase
Message-ID: <398AE69A.75338D50@gmx.de>
Precedence: bulk

Hi,

I try to connect from a SuSE Linux openssh-2.1.1p1-4 system to a FreeBSD system which runs SSH Version 1.2.27 [i386-unknown-freebsd3.2], protocol version 1.5. Standard version. Does not use RSAREF.

Before I switched (at home) to openssh I could use ssh-add, ssh (freebsd), and from there to another server ssh (freebsd2), where (freebsd[2..n]) are n+1 unix systems @university.

Now with openssh I can use the ssh agent to connect to (freebsd[n]), but if I want to connect via ssh to another server @university I'm asked for "Enter passphrase for RSA key `foo at freebsd3': "

A first try with openssh-2.1.1p4 from a solaris system shows the same problems.

Note: The authorized_keys @univ uses user at foo.university.net, but I log in as user at bar.university.net ($HOME is nfs), but it makes no difference if I login at foo or bar first.

Tobias

From burnus at gmx.de Sat Aug 5 02:14:01 2000
From: burnus at gmx.de (Tobias Burnus)
Date: Fri, 04 Aug 2000 18:14:01 +0200
Subject: OpenSSH -> SSH; ssh-agent: reasking for passphrase
References: <398AE69A.75338D50@gmx.de>
Message-ID: <398AEBC9.F068A961@gmx.de>
Precedence: bulk

A quick test shows that this even doesn't work:

foo at bar ~> ssh foo at localhost
Last login: Fri Aug 4 18:08:48 2000 from localhost
foo at bar ~> ssh foo at localhost
Enter passphrase for RSA key 'foo at bar':

compared with ssh 1.2.27:

foo at freebsd1:~> eval `ssh-agent`
Agent pid 3310
foo at freebsd1:~> ssh-add
....
foo at freebsd1:~> ssh freebsd2
[login]
foo at freebsd2:~> ssh freebsd1
[login]
foo at freebsd1:~> ssh freebsd2
[login]
etc.

Tobias

From rafi at ugcs.caltech.edu Sat Aug 5 02:19:13 2000
From: rafi at ugcs.caltech.edu (Rafi Rubin)
Date: Fri, 4 Aug 2000 09:19:13 -0700 (PDT)
Subject: OpenSSH -> SSH; ssh-agent: reasking for passphrase
In-Reply-To: <398AEBC9.F068A961@gmx.de>
Message-ID:
Precedence: bulk

Out of curiosity do you have
ForwardAgent yes
in your /etc/ssh/ssh_config

On Fri, 4 Aug 2000, Tobias Burnus wrote:

> Precedence: bulk
>
> A quick test shows that this even doesn't work:
>
> foo at bar ~> ssh foo at localhost
> Last login: Fri Aug 4 18:08:48 2000 from localhost
> foo at bar ~> ssh foo at localhost
> Enter passphrase for RSA key 'foo at bar':
>
>
> compared with ssh 1.2.27:
> foo at freebsd1:~> eval `ssh-agent`
> Agent pid 3310
> foo at freebsd1:~> ssh-add
> ....
> foo at freebsd1:~> ssh freebsd2
> [login]
> foo at freebsd2:~> ssh freebsd1
> [login]
> foo at freebsd1:~> ssh freebsd2
> [login]
> etc.
>
> Tobias
>

From rafi at ugcs.caltech.edu Sat Aug 5 02:32:11 2000
From: rafi at ugcs.caltech.edu (Rafi Rubin)
Date: Fri, 4 Aug 2000 09:32:11 -0700 (PDT)
Subject: OpenSSH -> SSH; ssh-agent: reasking for passphrase
In-Reply-To:
Message-ID:
Precedence: bulk

Sorry, a little more info.

/etc/ssh/ssh_config may contain
ForwardAgent yes (or no)
and /etc/ssh/sshd_config may contain
no-agent-forwarding

you also might want to check for ssh2 config files as well.

On Fri, 4 Aug 2000, Rafi Rubin wrote:

> Out of curiousity do you have
> ForwardAgent yes
> in your /etc/ssh/ssh_config
>
> On Fri, 4 Aug 2000, Tobias Burnus wrote:
>
> > Precedence: bulk
> >
> > A quick test shows that this even doesn't work:
> >
> > foo at bar ~> ssh foo at localhost
> > Last login: Fri Aug 4 18:08:48 2000 from localhost
> > foo at bar ~> ssh foo at localhost
> > Enter passphrase for RSA key 'foo at bar':
> >
> >
> > compared with ssh 1.2.27:
> > foo at freebsd1:~> eval `ssh-agent`
> > Agent pid 3310
> > foo at freebsd1:~> ssh-add
> > ....
> > foo at freebsd1:~> ssh freebsd2
> > [login]
> > foo at freebsd2:~> ssh freebsd1
> > [login]
> > foo at freebsd1:~> ssh freebsd2
> > [login]
> > etc.
> >
> > Tobias
> >
>

From djm at mindrot.org Sat Aug 5 13:05:36 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 5 Aug 2000 13:05:36 +1000 (EST)
Subject: Testers wanted
Message-ID:

To ensure that future releases of portable OpenSSH are as bug-free as possible, we need to recruit a team of testers.

Each tester would be responsible for a particular OS platform and would be called upon to test snapshots before they are marked as official releases. The release would not go out until it had been given the OK by testers on each supported platform.

A corollary of this is that only platforms for which we have testers will be treated as supported.

Exactly what tests should be performed is a matter for further discussion. They will include at least compilation and basic operation of each of the programs. Hopefully we can automate these tests as much as possible.

If you are interested, please email me the details of what platform(s) you are able to test. Favour will be given to people who have contributed to OpenSSH and those with development experience.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From odin at linuxfreak.com Sat Aug 5 13:42:22 2000
From: odin at linuxfreak.com (Dan Brosemer)
Date: Fri, 4 Aug 2000 23:42:22 -0400
Subject: Testers wanted
In-Reply-To: ; from djm@mindrot.org on Sat, Aug 05, 2000 at 01:05:36PM +1000
References:
Message-ID: <20000804234222.A1205@dmgware.ca>

On Sat, Aug 05, 2000 at 01:05:36PM +1000, Damien Miller wrote:
> To ensure that future releases of portable OpenSSH are as bug-free as
> possible, we need to recruit a team of testers.

I contributed some code early on, but have since developed other commitments so I haven't been able to spend as much (indeed any) time on the project as I would have liked. I'd like to get involved again.

I'm able and willing to test on:

Linux-x86 (who isn't?) (Debian slink/potato/woody)
Linux-arm (maybe a little rarer) (Severely hacked up RedHat).

At times I could do Solaris7 on sun4u, but I'm sure you could find someone with more reliable access to such a machine. If not, feel free to call on me.

-Dan

--
"... the most serious problems in the Internet have been caused by unenvisaged mechanisms triggered by low-probability events; mere human malice would never have taken so devious a course!" - RFC 1122 section 1.2.2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000804/8838d1d9/attachment.bin

From yusufg at outblaze.com Sat Aug 5 14:28:11 2000
From: yusufg at outblaze.com (Yusuf Goolamabbas)
Date: Sat, 5 Aug 2000 12:28:11 +0800
Subject: Making UseLogin yes requires a valid reverse DNS entry
Message-ID: <20000805122811.A6546@outblaze.com>

Hi, I am using openssh 2.1.1pl4 on a Linux 2.2.16 box [RH 6.1 distribution], I was confused as to why when I telnet into that box, I get /usr/local/bin in my PATH but when I ssh into my box, /usr/local/bin is not in my PATH

I modified /etc/ssh/sshd_config to have UseLogin yes and then when I try to ssh into that box, I couldn't. ssh -v showed the following

debug: Requesting shell.
debug: Entering interactive session.
login: No such file or directory
Connection to host closed

This is what I see in /var/log/messages

Aug 5 00:07:56 yusufg sshd[2204]: Could not reverse map address a.b.c.d

Is there something obvious I have missed ?

--
Yusuf Goolamabbas
yusufg at outblaze.com

From mouring at pconline.com Sat Aug 5 16:18:11 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Sat, 5 Aug 2000 01:18:11 -0500 (CDT)
Subject: Testers wanted
In-Reply-To:
Message-ID:

On Sat, 5 Aug 2000, Damien Miller wrote:
[..]
> Exactly what tests should be performed is a matter for further
> discussion. They will include at least compilation and basic operation
> of each of the programs. Hopefully we can automate these tests as much
> as possible.
>

As long as there is a test suite, I'd be more than happy to ensure the NeXTStep 4.2 m68k works as promised (Or up to the current support which should be pretty much gold after the SunOS 4.1.4 folks.. Thanks again). I've invested too much of my time to let it disappear. =)

From pekkas at netcore.fi Sat Aug 5 16:33:37 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Sat, 5 Aug 2000 09:33:37 +0300 (EEST)
Subject: Making UseLogin yes requires a valid reverse DNS entry
In-Reply-To: <20000805122811.A6546@outblaze.com>
Message-ID:

On Sat, 5 Aug 2000, Yusuf Goolamabbas wrote:
> Hi, I am using openssh 2.1.1pl4 on a Linux 2.2.16 box [RH 6.1
> distribution], I was confused as to why when I telnet into that box, I
> get /usr/local/bin in my PATH but when I ssh into my box, /usr/local/bin
> is not in my PATH
>
> I modified /etc/ssh/sshd_config to have UseLogin yes and then when I try
> to ssh into that box, I couldn't. ssh -v showed the following
>
> debug: Requesting shell.
> debug: Entering interactive session.
> login: No such file or directory
> Connection to host closed

'login' in Red Hat is /bin/login, not the hard-coded default /usr/bin/login. This should probably be autoconf'ized.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi   not those you stumble over and fall"

From amb at cobite.com Sat Aug 5 18:15:06 2000
From: amb at cobite.com (Adam Bentitou)
Date: Sat, 5 Aug 2000 04:15:06 -0400 (EDT)
Subject: dsa keys & ssh-agent
Message-ID:

Ok... I just kludged dsa key support into the ssh-agent that comes with openssh-2.1.1p4. It's ugly and conforms to no standard (I could find no significant mention of it in the IETF drafts) but it does seem to work. If anybody's interested in it, I'll clean up the code and post. For now I'm going to sleep.

Oh yeah.. thanks Damien Miller for pointing out that SSL add_all_algorithms bit, without telling me to RTFM which was your right.

Adam Bentitou

From jhuuskon at messi.uku.fi Sat Aug 5 21:05:03 2000
From: jhuuskon at messi.uku.fi (Jarno Huuskonen)
Date: Sat, 5 Aug 2000 14:05:03 +0300
Subject: Protocol 2 and fork
Message-ID: <20000805140503.A19391@laivuri63.uku.fi>

Hello !

Like Edmund EVANS reported, openssh-2.1.1p4 won't fork to background when using protocol 2. I managed to hack a little patch that might work ...

What is the -N command line option supposed to do ? I gather it should work only with protocol2 and without any command to run on the server (and with some port forwardings ??) Anyway in the patch I put some code to check that -N is used with port forwards (and that if -f is used the user doesn't have to enter a command). (If my assumptions about what -N is supposed to do are way off just rip out the unnecessary code from the patch).

Also there seems to be an incompatibility issue with commercial ssh-2.2.0 and openssh when openssh client uses -N. If I press enter on the openssh client then the commercial server sends "Window overflow received channel data." and disconnects. This doesn't happen when both the client and server are openssh.

Cheers,
-Jarno

PS. I haven't done much testing with the patch so it'll probably break something. It works now for 'ssh -f -n -N -L5000:server:110 server' and fetchmail.

Patch:

diff -u -r openssh-2.1.1p4/ssh.c openssh-2.1.1p4-ruined/ssh.c --- openssh-2.1.1p4/ssh.c Sat Jul 15 07:14:17 2000 +++ openssh-2.1.1p4-ruined/ssh.c Fri Aug 4 20:54:10 2000 @@ -460,10 +460,6 @@ } } - /* Cannot fork to background if no command. */ - if (fork_after_authentication_flag && buffer_len(&command) == 0) - fatal("Cannot fork into background without a command to execute."); - /* Allocate a tty by default if no command specified. */ if (buffer_len(&command) == 0) tty_flag = 1;
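Review bot: This hunk deletes the "Cannot fork into background without a command" check outright, and the replacement in the next hunk fires only when options.protocol has SSH_PROTO_1 set and SSH_PROTO_2 clear, so a client configured for both protocols never runs the check even though it may still end up speaking protocol 1, which is exactly the case the original fatal() guarded against. Rather than removing it here, keep the check and exempt only the -N (no_shell_flag) case, or perform it once the protocol in use is known, which is where the later hunk already places its daemon() call after channel_open.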
@@ -511,6 +507,29 @@ /* reinit */ log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 0); + /* -N option only makes sense with protocol 2. It doesn't make sense + without port forwarding ?????? + */ + if ( options.num_local_forwards == 0 && options.num_remote_forwards == 0 && + no_shell_flag ) { + fprintf(stderr, "-N makes sense only with port forwardings\n"); + usage(); + /* NOT REACHED */ + } + if ((options.protocol & SSH_PROTO_2) && no_shell_flag && + buffer_len(&command) > 0) { + fprintf(stderr,"-N option works only with protocol version 2 and w/out a command\n"); + usage(); + /* NOT REACHED */ + } + + /* Cannot fork to background if no command. + Command not needed for protocol 2 & -N + */ + if ((options.protocol & SSH_PROTO_1) && !(options.protocol & SSH_PROTO_2) && + fork_after_authentication_flag && buffer_len(&command) == 0) + fatal("Cannot fork into background without a command to execute."); + /* check if RSA support exists */ if ((options.protocol & SSH_PROTO_1) && rsa_alive() == 0) { @@ -979,6 +998,12 @@ channel_open(id); channel_register_callback(id, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, client_init, (void *)0); + + /* Jarno: hack to get -f working with protocol 2 */ + if (fork_after_authentication_flag) { + if (daemon(1, 1) < 0) + fatal("daemon() failed: %.200s", strerror(errno)); + } return client_loop(tty_flag, tty_flag ? options.escape_char : -1); }

--
Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi
University of Kuopio - Computer Center | Work: +358 17 162822
PL 1627, 70211 Kuopio, Finland         | Mobile: +358 40 5388169

From gert at greenie.muc.de Sun Aug 6 02:11:48 2000
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 5 Aug 2000 18:11:48 +0200
Subject: Testers wanted
In-Reply-To: ; from Damien Miller on Sat, Aug 05, 2000 at 01:05:36PM +1000
References:
Message-ID: <20000805181148.K5093@greenie.muc.de>

hi,

On Sat, Aug 05, 2000 at 01:05:36PM +1000, Damien Miller wrote:
> To ensure that future releases of portable OpenSSH are as bug-free as
> possible, we need to recruit a team of testers.
>
> Each tester would be responsible for a particular OS platform and
> would be called upon to test snapshots before they are marked as
> official releases. The release would not go out until it had been
> given the OK by testers on each supported platform.

I could do AIX 4.2.x and 4.3.x, but the tests would have to be fairly automated. (Actually, I have to admit that I did not test the latest releases for whether they work on AIX at all - no time, I'm still at OpenSSH 1.2.3 plus private patches).

I could also do SCO Unix 3.2v4.2, as soon as a port exists - didn't find time for *that* either.

It would be immensely helpful for automating those tests if someone could set up a public (?) cvs repository, so that we don't have to download whole tarballs all the time.

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de

From corinna at vinschen.de Sun Aug 6 03:08:04 2000
From: corinna at vinschen.de (Corinna Vinschen)
Date: Sat, 05 Aug 2000 19:08:04 +0200
Subject: Testers wanted
References:
Message-ID: <398C49F4.B21C7E07@vinschen.de>

Damien Miller wrote:
>
> To ensure that future releases of portable OpenSSH are as bug-free as
> possible, we need to recruit a team of testers.
>
> Each tester would be responsible for a particular OS platform and
> would be called upon to test snapshots before they are marked as
> official releases. The release would not go out until it had been
> given the OK by testers on each supported platform.

If the Cygwin port would become part of portable OpenSSH I would feel happy to become tester for that platform as well.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                  mailto:cygwin at sources.redhat.com
Red Hat, Inc.                     mailto:vinschen at cygnus.com

From GLeblanc at cu-portland.edu Sun Aug 6 04:25:43 2000
From: GLeblanc at cu-portland.edu (Gregory Leblanc)
Date: Sat, 5 Aug 2000 11:25:43 -0700
Subject: Testers wanted
Message-ID: <025836EFF856D411A6660090272811E61D057A@EMAIL>

Assuming that I've got a couple of weeks to prepare, I can do testing on 32-bit SPARCs, running RH Linux, Solaris7, and maybe Solaris8. I'm hoping to install this on my IP22 Indy running IRIX 6.5 as well, so I may be able to test there, but with that many platforms, if it takes a half hour a test, time could get tight.

Later,
Greg

From gem at rellim.com Sun Aug 6 07:06:39 2000
From: gem at rellim.com (Gary E. Miller)
Date: Sat, 5 Aug 2000 14:06:39 -0700 (PDT)
Subject: Testers wanted
In-Reply-To:
Message-ID:

Yo Damien!

Linux 2.0/libc5/ix86
Linux 2.2/libc6/ix86
Linux 2.4/libc6/ix86
Linux 2.2/libc6/sparc
SCO Unixware 7.1/ ix86 (at least for a few more months)
Solaris 2.7/sparc

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

On Sat, 5 Aug 2000, Damien Miller wrote:

> If you are interested, please email me the details of what platform(s)
> you are able to test. Favour will be given to people who have
> contributed to OpenSSH and those with development experience.

From jmknoble at pint-stowp.cx Sun Aug 6 07:39:53 2000
From: jmknoble at pint-stowp.cx (Jim Knoble)
Date: Sat, 5 Aug 2000 17:39:53 -0400
Subject: Testers wanted
In-Reply-To: ; from gem@rellim.com on Sat, Aug 05, 2000 at 02:06:39PM -0700
References:
Message-ID: <20000805173953.G12046@quipu.half.pint-stowp.cx>

Circa 2000-Aug-05 14:06:39 -0700 dixit Gary E. Miller:

[About serving as a tester for OpenSSH...]

: Linux 2.0/libc5/ix86
: Linux 2.2/libc6/ix86
: Linux 2.4/libc6/ix86
: Linux 2.2/libc6/sparc

Gary, it's probably best if you mention what Linux distribution these systems are. LSB is coming along, but it's not here yet, and, unfortunately, the differences between the distributions are still enough that it's important to distinguish which one you mean, and mention how each differs, if at all, from the stock installation.

Jim's USD0.02.

--
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/

From gem at rellim.com Sun Aug 6 09:53:33 2000
From: gem at rellim.com (Gary E. Miller)
Date: Sat, 5 Aug 2000 16:53:33 -0700 (PDT)
Subject: Testers wanted
In-Reply-To: <20000805173953.G12046@quipu.half.pint-stowp.cx>
Message-ID:

Linux 2.0/libc5/ix86 slackware
Linux 2.2/libc6/ix86 slackware
Linux 2.4/libc6/ix86 slackware
Linux 2.2/libc6/sparc redhat?

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

From chenda at cs.unc.edu Sun Aug 6 10:51:20 2000
From: chenda at cs.unc.edu (Daniel T. Chen)
Date: Sat, 5 Aug 2000 20:51:20 -0400 (EDT)
Subject: Testers wanted
In-Reply-To:
Message-ID:

I can handle Linux 2.2/libc6/x86 SuSE 6.4+ if it's needed separately.

dtc
---
Daniel T. Chen
crimsun at adirondack.masticators.org

On Sat, 5 Aug 2000, Gary E. Miller wrote:

>
> Linux 2.0/libc5/ix86 slackware
> Linux 2.2/libc6/ix86 slackware
> Linux 2.4/libc6/ix86 slackware
> Linux 2.2/libc6/sparc redhat?

From markus at openbsd.org Sun Aug 6 20:12:33 2000
From: markus at openbsd.org (Markus Friedl)
Date: Sun, 6 Aug 2000 12:12:33 +0200
Subject: dsa keys & ssh-agent
In-Reply-To: ; from amb@cobite.com on Sat, Aug 05, 2000 at 04:15:06AM -0400
References:
Message-ID: <20000806121233.A10861@folly.informatik.uni-erlangen.de>

hi,

please send the patches to me, i am working on this, too.

(no need to cleanup...)

On Sat, Aug 05, 2000 at 04:15:06AM -0400, Adam Bentitou wrote:
>
> Ok... I just kludged dsa key support into the ssh-agent that comes with
> openssh-2.1.1p4. Its ugly and conforms to no standard (I could find no
> signifigant mention of it in the IETF drafts) but it does seem to
> work. If anybodys interested in it, I'll clean up the code and post. For
> now I'm going to sleep.
> Oh yeah.. thanks Damien Miller for pointing out that SSL
> add_all_algorithms bit, without telling me to RTFM which was your right.
>
> Adam Bentitou
>
>

From fitzner at informatik.hu-berlin.de Sun Aug 6 23:15:13 2000
From: fitzner at informatik.hu-berlin.de (Andreas Fitzner)
Date: Sun, 6 Aug 2000 15:15:13 +0200
Subject: problems compiling sshd on slackware 7.x
Message-ID: <20000806151513.A19279@jazz.informatik.hu-berlin.de>

Hi,

I tried to compile openssh-2.1.1p4 on a slackware 7.1 (and then on a slackware 7.0). you need to supply -lcrypt because otherwise auth-passwd.c line 135 calls the wrong crypt and sshd will never let you log in. (took a while to figure that out.)

I tried './configure --with-libs crypt' but configure doesn't seem to understand me ;)

checking host system type... Invalid configuration `crypt': machine `crypt' not recognized
...
checking whether snprintf correctly terminates long strings... no
configure: warning: ****** Your snprintf() function is broken, complain to your vendor
checking for OpenSSL directory... (cached) /usr/local/ssl
checking for RSA support... configure: warning: *** No RSA support found ***
...
Compiler flags: -g -O2 -Wall -I/usr/local/ssl/include
Linker flags: -L/usr/local/ssl/lib -L/usr/local/ssl
Libraries: -lnsl -lz yes -lutil -lcrypto -lRSAglue -lrsaref

and strangely complains about snprintf and wants to enable this rsaref thingy.

I also tried --with-ldflags but couldn't specify a '-lcrypt' because configure recognizes this as an option unknown to it. hm.

BTW: ./configure --help | grep ldlags (typo!)

only supplying 'lcrypt' creates the same strange reaction as with '--with-libs crypt'.

At the end I edited the Makefile manually (LIBS=-lcrypt ...) and it finally works.

I like openssh and after it also works on my box even more ;).

best wishes,
Andreas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000806/8edce795/attachment.bin

From jweaver at aens.net Mon Aug 7 04:08:50 2000
From: jweaver at aens.net (jweaver at aens.net)
Date: Sun, 6 Aug 2000 18:08:50 +0000 (GMT)
Subject: Testers wanted
In-Reply-To:
Message-ID:

> Each tester would be responsible for a particular OS platform and
> would be called upon to test snapshots before they are marked as
> official releases. The release would not go out until it had been
> given the OK by testers on each supported platform.

I can do Solaris 7/8 on a variety of Sun boxes in both 32/64 bit trim. I would not say that I'm of 'development quality' in the debugging area. I am more than capable of running scripts.

On a related note, scp didn't want to transfer the 3.2gb tarball. Large file issues on Solaris, I guess. Any ideas?

--
john weaver -- jweaver at aens.net | Systems Administrator

From ard at waikato.ac.nz Mon Aug 7 07:20:29 2000
From: ard at waikato.ac.nz (Andrew Donkin)
Date: 07 Aug 2000 09:20:29 +1200
Subject: problems compiling sshd on slackware 7.x
In-Reply-To: Andreas Fitzner's message of "Sun, 6 Aug 2000 15:15:13 +0200"
References: <20000806151513.A19279@jazz.informatik.hu-berlin.de>
Message-ID:

> I tried to compile openssh-2.1.1p4 on a slackware 7.1 (and then on a
> slackware 7.0). you need to supply -lcrypt because otherwise
> auth-passwd.c line 135 calls the wrong crypt and sshd will never let
> you log in. (took a while to figure that out.)

This works for me, for many versions of openssh, a couple of versions of Slackware, and Debian.

./configure --with-md5-passwords

I also supply "--with-tcp-wrappers" for obvious reasons, "--without-pam" because I have the PAM libraries installed and really really want to avoid using them, and "--prefix=/usr --sysconfdir=/etc" because I don't like the defaults. But "--with-md5-passwords" should fix your problem.

--
_________________________________________________________________________
Andrew Donkin Waikato University, Hamilton, New Zealand

From richard.savage at sytec.co.nz Mon Aug 7 08:01:02 2000
From: richard.savage at sytec.co.nz (Richard Savage)
Date: Mon, 7 Aug 2000 10:01:02 +1200
Subject: openssh-2.1.1p4 + libwrap problem
Message-ID: <61B6688756F7D011B70100805F06BEDC86FF59@palliser.sytec.co.nz>

Hi all,

I've hit a problem with OpenSSH 2.1.1p4 and TCP Wrappers, and have noticed others may also have seen the problem.

When OpenSSH is compiled with wrapper support, access using standard userid/password fails - authentication works ok and a shell is gained and then immediately terminated. Running client in debug mode shows no obvious errors, and debug output from syslog also reveals very little. This made me think that an external influence was involved, so I removed wrapper support and everything works fine.

The environment is:
- Solaris 7 host
- OpenSSH 2.1.1p4
- OpenSSL 0.9.5a
- LibWrap 7.6

Other hosts running OpenSSH-1.2.3 with Wrapper support work just fine.

I can supply more detail if needed, but if anyone has also seen this problem and has a resolution it'd be much appreciated !

Regards
Richard
mailto:richard.savage at sytec.co.nz

PS: Also keen to contribute in the testing area if possible. Solaris Sparc/Intel V6+7 and Redhat Linux 6+ are available for testing.

From ejb at ql.org Mon Aug 7 10:11:05 2000
From: ejb at ql.org (E. Jay Berkenbilt)
Date: Sun, 6 Aug 2000 20:11:05 -0400
Subject: openssh 2.1.1p4-1: port number data in known_hosts: suggestion
Message-ID: <200008070011.UAA16839@soup.ql.org>

Before I went to the trouble of implementing this feature and sending in a patch, I want to see what the general reaction would be...

I allow ssh through my firewall under certain circumstances. My firewall is a Linux box running ipchains, but it could just as easily be any firewall that can forward external ports to internal ports. My internal network uses non-published addresses, so I forward specific ports on my firewall to specific internal hosts when appropriate. For example, port 221 on the firewall forwards to port 22 on one of our internal servers so that I can ssh to the internal server from outside. This means that, from the client's perspective, my firewall may appear to be running multiple instances of ssh on different ports each of which has a different host key. At present, I see no way of dealing with this cleanly with openssh since no port information is stored in the known_hosts file.

My proposal would be to extend the syntax of the known_hosts file in a backward-compatible way so that additional attributes could be stored. For example, if the second word starts with :, then from there up to the next space or tab would be an attribute specification. We could have a port attribute that would cause a match to occur only when connecting to the specified host on the specified port. If the port attribute were not present, the present behavior of ignoring the port would be retained. For example, if I had the following entry in my known_hosts file:

some.host.com,123.321.123.321 :port=221 1024 35 48524.....

then this line would match only when I attempted to connect to some.host.com on port 221. I could then have the firewall forward various ports to various internal hosts with different host keys without a problem.
I think this would be pretty easy to implement since check_host_key in sshconnect.c seems to be a common interface and since this routine already has the sockaddr for the remote connection. Do people think this is an idea worth implementing? Does someone know of some other way to achieve my desired functionality under the existing implementation? I know I could do this using ProxyCommand by having some program that copies stdin <-> host/port, but that unfortunately requires the extra overhead of an external program passing all the data in both directions... In my opinion, you really need a host/port pair to specify the destination, so anything like this should provide a way to specify the port as well as the hostname/IP address.... -- E. Jay Berkenbilt (ejb at ql.org) | http://www.ql.org/q/ From ejb at ql.org Mon Aug 7 11:24:04 2000 
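The `:port=` attribute proposed in the post above, as an added example that is not part of the original post or of OpenSSH: a small Python matcher showing how port-qualified known_hosts entries would coexist with unqualified ones. The host names, the address and all key strings are constructed sample data, and the fail-closed handling of unknown attributes is this example's own choice. (Later OpenSSH releases met the same need with a `[host]:port` form in the host field instead.)

```python
"""Matcher for the proposed known_hosts attribute syntax (added example).

Line format:  host[,host...] [:attr[,attr...]] keytype/fields...
A second word starting with ':' is an attribute specification such as
':port=221'.  Lines without one keep today's behaviour: any port matches.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class KnownHost:
    hosts: List[str]        # comma-separated names/addresses from field 1
    port: Optional[int]     # None: entry applies to every port (old format)
    key: str                # the remaining fields, e.g. "1024 35 48524..."


def parse_line(line: str) -> Optional[KnownHost]:
    """Parse one known_hosts line; returns None for blank/comment lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    hosts = fields[0].split(",")
    port = None
    key_start = 1
    # Proposed extension: a second word beginning with ':' is an attribute
    # specification running up to the next whitespace, e.g. ':port=221'.
    if len(fields) > 1 and fields[1].startswith(":"):
        key_start = 2
        for attr in fields[1][1:].split(","):
            name, _, value = attr.partition("=")
            if name == "port":
                port = int(value)          # ValueError on non-numeric port
                if not 1 <= port <= 65535:
                    raise ValueError(f"bad port in known_hosts: {value}")
            else:
                # Unknown attribute: fail closed rather than match a line
                # whose restriction we cannot evaluate (this example's
                # choice; the proposal leaves it open).
                return None
    if len(fields) <= key_start:
        return None                        # no key material on the line
    return KnownHost(hosts, port, " ".join(fields[key_start:]))


def find_host_key(lines: List[str], host: str, port: int) -> Optional[str]:
    """Return the stored key for (host, port), or None if unknown.

    A port-qualified entry wins over an unqualified one, so a firewall that
    forwards 221 and 222 to two different internal machines gets one line
    per forwarded port and no spurious host-key mismatch.
    """
    fallback = None
    for raw in lines:
        entry = parse_line(raw)
        if entry is None or host not in entry.hosts:
            continue
        if entry.port == port:
            return entry.key
        if entry.port is None and fallback is None:
            fallback = entry.key
    return fallback


def check_host_key(lines: List[str], host: str, port: int,
                   presented_key: str) -> str:
    """Classify a key offered by the server: 'match', 'mismatch', 'unknown'."""
    stored = find_host_key(lines, host, port)
    if stored is None:
        return "unknown"
    return "match" if stored == presented_key else "mismatch"


# Constructed known_hosts content for the scenario in the post: one firewall
# address, two forwarded ports, two different internal host keys.
SAMPLE_KNOWN_HOSTS = """
# firewall forwards 221 -> inside1, 222 -> inside2
some.host.com,123.321.123.321 :port=221 1024 35 1111 inside1-key
some.host.com,123.321.123.321 :port=222 1024 35 2222 inside2-key
# old-style line, no attribute: matches any port
other.example.org 1024 35 3333 other-key
""".splitlines()


if __name__ == "__main__":
    for host, port in [("some.host.com", 221), ("123.321.123.321", 222),
                       ("some.host.com", 22), ("other.example.org", 2222)]:
        print(host, port, "->", find_host_key(SAMPLE_KNOWN_HOSTS, host, port))
```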
From: ejb at ql.org (E. Jay Berkenbilt)
Date: Sun, 6 Aug 2000 21:24:04 -0400
Subject: openssh 2.1.1p4-1: port number data in known_hosts: suggestion
In-Reply-To: <200008070011.UAA16839@soup.ql.org> (ejb@ql.org)
References: <200008070011.UAA16839@soup.ql.org>
Message-ID: <200008070124.VAA17446@soup.ql.org>

> Do people think this is an idea worth implementing? Does someone know
> of some other way to achieve my desired functionality under the
> existing implementation? I know I could do this using ProxyCommand by
> having some program that copies stdin <-> host/port, but that
> unfortunately requires the extra overhead of an external program
> passing all the data in both directions...

To answer my own question, I figured out a way to achieve my goal.... I added (lines like) the following to /etc/ssh/ssh_config or ~/.ssh/config on hosts outside the firewall:

    Host inside1
        HostName name.of.my.firewall
        Port 221
        UserKnownHostsFile ~/.ssh/inside1

    Host inside2
        HostName name.of.my.firewall
        Port 222
        UserKnownHostsFile ~/.ssh/inside2

Then ssh inside1 and ssh inside2 use different known_hosts files and I don't have a problem. I can also not put those lines on the machines inside the firewall so I can use identical configurations everywhere.....

I still think my suggested fix is a reasonable idea, but my incentive to implement it has mostly disappeared. :-)

--
E. Jay Berkenbilt (ejb at ql.org) | http://www.ql.org/q/

From jhuuskon at messi.uku.fi Mon Aug 7 15:28:15 2000
From: jhuuskon at messi.uku.fi (Jarno Huuskonen)
Date: Mon, 7 Aug 2000 08:28:15 +0300
Subject: --with-ipaddr-display patch
Message-ID: <20000807082815.A29055@laivuri63.uku.fi>

Hi !

I think that the configure option --with-ipaddr-display doesn't set the IPADDR_IN_DISPLAY define in config.h. Here's a small patch to configure.in that should enable the feature (after running autoconf again).

-Jarno

--- openssh-2.1.1p4-orig/configure.in Sat Jul 15 07:59:14 2000
+++ openssh-2.1.1p4/configure.in Mon Aug 7 08:18:15 2000
@@ -1026,7 +1026,7 @@ AC_ARG_WITH(ipaddr-display, [ --with-ipaddr-display Use ip address instead of hostname in \$DISPLAY], [ - if test "x$withval" = "xno" ; then + if test "x$withval" != "xno" ; then AC_DEFINE(IPADDR_IN_DISPLAY) DISPLAY_HACK_MSG="yes" fi
--
Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi
University of Kuopio - Computer Center | Work: +358 17 162822
PL 1627, 70211 Kuopio, Finland         | Mobile: +358 40 5388169

From djm at mindrot.org Mon Aug 7 15:32:37 2000
From: djm at mindrot.org (Damien Miller)
Date: Mon, 7 Aug 2000 15:32:37 +1000 (EST)
Subject: UseLogin yes and 'w': IP address used
In-Reply-To:
Message-ID:

On Wed, 19 Jul 2000, Pekka Savola wrote:

> Hello all,
>
> I just noticed that if I enable UseLogin, IP address will be shown in 'w'
> when logging on. If UseLogin is disabled, the hostname will be used.
>
> I tested this on 2.1.1p2 and p4, on home-grown Redhat Linux 6.2.
>
> Anyone else notice this? Is this an issue with OpenSSH or login?

The problem is most likely with login. OpenSSH tries to fill out all fields in utmp, and will store both remote hostname and IP address if your struct utmp supports them (RH does).

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Mon Aug 7 15:39:44 2000
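Review bot: the flipped condition in the configure.in hunk is the right fix: with `= "xno"` the define was emitted only for --with-ipaddr-display=no, which is why the option appeared to do nothing, and with `!= "xno"` a bare --with-ipaddr-display (withval is "yes") enables it while --without-ipaddr-display still disables it. Since DISPLAY_HACK_MSG="yes" is set on the same branch, the configure summary now also agrees with what config.h contains; as the sender notes, configure itself is not part of the patch, so autoconf has to be re-run after applying it.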
From: djm at mindrot.org (Damien Miller)
Date: Mon, 7 Aug 2000 15:39:44 +1000 (EST)
Subject: Minor "make install" problem with 2.1.1p4
In-Reply-To: <20000721165810.A16338@serv01.aet.tu-cottbus.de>
Message-ID:

On Fri, 21 Jul 2000, Lutz Jaenicke wrote:

> Hi!
>
> I am currently switching from ssh-1.2.27 to OpenSSH for production use,
> so some more things pop up :-)
>
> In Makefile.in:127-131 the executables are installed without "-m 755",
> so that they may be unusable when installed after a umask 077 make :-(

Thanks - fixed.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Mon Aug 7 15:50:02 2000
From: djm at mindrot.org (Damien Miller)
Date: Mon, 7 Aug 2000 15:50:02 +1000 (EST)
Subject: Work around Linux kernel bug provoked by nchan.c
In-Reply-To: <20000723100323.F263@wolery.cumb.org>
Message-ID:

On Sun, 23 Jul 2000, Zack Weinberg wrote:

> The Linux implementation of TCP sockets has a bug which causes
> shutdown(sock, SHUT_RD) to fail spuriously (ENOTCONN) if the write
> side of the socket has already been shut down. If you are using SSH
> port forwarding to tunnel HTTP through a firewall, nchan.c will tickle
> this bug once for every HTTP exchange. You will therefore get lots of
> useless, annoying error messages:

[snip]

> I'd appreciate it if the appended patch could be applied. It causes
> ssh to recognize the bug and not emit the error message.

Applied - thanks.

> [I've reported the bug to the kernel developers but they do not seem
> interested in fixing it.]

Can you give me a pointer to some discussion on this?

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Mon Aug 7 15:55:43 2000
From: djm at mindrot.org (Damien Miller)
Date: Mon, 7 Aug 2000 15:55:43 +1000 (EST)
Subject: compiling openssh with skey? Fails on redhat linux
In-Reply-To: <397F369C.A09027F1@rogue.stx.com>
Message-ID:

On Wed, 26 Jul 2000, Steven G. Smith wrote:

> If I configure openssh-2.1.1p4 with the --with-skey option on a Redhat
> Linux 6.2 system which has openssl-0.9.5a and skey (the logdaemon 6.2
> version) installed, the compile fails with the following errors:

You need the OpenBSD skey library. Check the mailing list archive for patches to get it to compile on Linux.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From radtkens at rupert.informatik.uni-stuttgart.de Mon Aug 7 21:15:56 2000
From: radtkens at rupert.informatik.uni-stuttgart.de (Nils Radtke)
Date: Mon, 7 Aug 2000 13:15:56 +0200 (METDST)
Subject: ssh startup fails
Message-ID:

Hello all :)

While trying to bind to 0.0.0.0 having lo0, eth0 and ippp0 up, no matter whether on- or offline, I get this:

    sshd[4518]: error: getnameinfo failed
    sshd[4518]: fatal: Cannot bind any address.

It seems sshd tries to get the ippp0 address reverse-resolved. Is there a configuration fault on my behalf? Did I misunderstand the way sshd works? Shouldn't sshd rather not rely on what nameservers say? I wonder why it asks for an ns query at all.. I'd have expected sshd to bind to any ifaces, whatever ip belongs to the resp. ifaces.. :) (at least with ListenAddress 0.0.0.0 in /etc/sshd_config)

Another Q regarding the --with-ipaddr-display flag to configure: this doesn't work for me even with the patch applied that came through on this list.

Some postings ago I saw a configuration keyword like host and so on; where are these keywords documented?

sincerely,
Nils

Nils Radtke * de.AIESEC.org       * Student @ the        * nils.radtke@    *
            * Nat. Trainer Pool   * University Stuttgart * think-future.de *
            * Brave GNU World.    * icq/lc#:78021407/92045  PGP/GCB: c at hp
:wq

From schmidta at ph.tum.de Tue Aug 8 01:31:49 2000
From: schmidta at ph.tum.de (Michael Schmidt)
Date: Mon, 07 Aug 2000 17:31:49 +0200
Subject: X11-Forwarding OpenSSH 2.1.1p4 problem
Message-ID: <398ED665.5AB5CEC8@ph.tum.de>

Hi,

I have the following problem: I have two computers. On the first RedHat 6.2 (Openssh 2.1.1) is installed. The second is a PC with Windows NT 4.0 (SP 6) with Cygwin and Openssh 2.1.1p4. The X-Server running on the WinNT machine is Hummingbird Exceed 6.1. I have activated X11-Forwarding in the config-files on both machines. I'm sitting in front of the WinNT machine and want to do an XSession on the RedHat machine. Here is a screen dump:

------------------------------------------------------------------
$ ssh -v -l schmidta saturn 2>/dump
schmidta at saturn's password:
saturn $ echo $DISPLAY
saturn:10.0
saturn $ xdvi
X connection to saturn:10.0 broken (explicit kill or server shutdown).
saturn $ exit
logout
$ cat /dump
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x00905100).
debug: Reading configuration data /usr/local/etc/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 500 geteuid 500 anon 1
debug: Connecting to saturn [129.187.154.64] port 22.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.1.1
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-2.0-OpenSSH_2.1.1
debug: Seeding random number generator
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit: diffie-hellman-group1-sha1
debug: got kexinit: ssh-dss
debug: got kexinit: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
debug: got kexinit: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit: zlib,none
debug: got kexinit: zlib,none
debug: got kexinit:
debug: got kexinit:
debug: first kex follow: 0
debug: reserved: 0
debug: done
debug: kex: server->client 3des-cbc hmac-sha1 none
debug: kex: client->server 3des-cbc hmac-sha1 none
debug: Sending SSH2_MSG_KEXDH_INIT.
debug: bits set: 512/1024
debug: Wait SSH2_MSG_KEXDH_REPLY.
debug: Got SSH2_MSG_KEXDH_REPLY.
debug: keytype ssh-dss
debug: keytype ssh-dss
debug: keytype ssh-dss
debug: Host 'saturn' is known and matches the DSA host key.
debug: bits set: 514/1024
debug: len 55 datafellows 0
debug: dsa_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: service_accept: ssh-userauth
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue: publickey,password
debug: key does not exist: /.ssh/id_dsa
debug: ssh-userauth2 successfull
debug: no set_nonblock for tty fd 4
debug: no set_nonblock for tty fd 5
debug: fd 6 setting O_NONBLOCK
debug: channel 0: new [client-session]
debug: send channel open 0
debug: Entering interactive session.
debug: callback start
debug: client_init id 0 arg 0
debug: Requesting X11 forwarding with authentication spoofing.
debug: channel request 0: shell
debug: client_set_session_ident: id 0
debug: callback done
debug: channel 0: open confirm rwindow 0 rmax 32768
debug: channel 0: rcvd adjust 16384
debug: client_input_channel_open: ctype x11 rchan 2 win 4096 max 2048
connect /usr/spool/sockets/X11/0: No such file or directory
debug: failure x11
debug: callback start
debug: client_input_channel_req: rtype exit-status reply 0
debug: callback done
debug: channel 0: rcvd eof
debug: channel 0: output open -> drain
debug: channel 0: rcvd close
debug: channel 0: input open -> closed
debug: channel 0: close_read
debug: channel 0: obuf empty
debug: channel 0: output drain -> closed
debug: channel 0: close_write
debug: channel 0: send close
debug: channel 0: full closed2
debug: channel_free: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)
debug: !channel_still_open.
Connection to saturn closed.
debug: Transferred: stdin 0, stdout 0, stderr 30 bytes in 59.7 seconds
debug: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.5
debug: Exit status 1
------------------------------------------------------------------------

Does anybody know where I've made a mistake? What is wrong?

Thank you :-)

cu Michael

From amb at cobite.com Tue Aug 8 02:30:12 2000
From: amb at cobite.com (Adam Bentitou)
Date: Mon, 7 Aug 2000 12:30:12 -0400 (EDT)
Subject: dsa keys & ssh-agent
In-Reply-To: <20000806121233.A10861@folly.informatik.uni-erlangen.de>
Message-ID:

OK, attached is a cdiff of my source to the standard 2.1.1p4 source. I have had no time to clean it at all, since there is a phone company strike and my phone service and DSL service have mysteriously disappeared. Oh well. This should allow you to add, remove and list dsa keys in the agent with the "-2" options, and allow you to connect to another host using the agent normally.

Adam Bentitou

On Sun, 6 Aug 2000, Markus Friedl wrote:

> hi, please send the patches to me, i am working on this, too.
> (no need to cleanup...)
>
> On Sat, Aug 05, 2000 at 04:15:06AM -0400, Adam Bentitou wrote:
> >
> > Ok... I just kludged dsa key support into the ssh-agent that comes with
> > openssh-2.1.1p4. It's ugly and conforms to no standard (I could find no
> > significant mention of it in the IETF drafts) but it does seem to
> > work. If anybody's interested in it, I'll clean up the code and post. For
> > now I'm going to sleep.
> > Oh yeah.. thanks Damien Miller for pointing out that SSL
> > add_all_algorithms bit, without telling me to RTFM which was your right.
> >
> > Adam Bentitou
> >
>

diff -c openssh-2.1.1p4/authfd.c openssh-dsa/authfd.c *** openssh-2.1.1p4/authfd.c Tue Jul 11 03:31:38 2000 --- openssh-dsa/authfd.c Mon Aug 7 11:45:54 2000 *************** *** 23,28 **** --- 23,29 ---- #include "bufaux.h" #include "xmalloc.h" #include "getput.h" + #include "compat.h" #include *************** *** 128,133 **** --- 129,210 ---- */ int + ssh_get_first_dsa_identity(AuthenticationConnection *auth, + BIGNUM *p, BIGNUM *q, BIGNUM *g, + BIGNUM *pub_key, char **comment) + { + unsigned char msg[8192]; + int len, l; + + /* + * Send a message to the agent requesting for a list of the + * identities it can represent.
+ */ + msg[0] = 0; + msg[1] = 0; + msg[2] = 0; + msg[3] = 1; + msg[4] = SSH_AGENTC_REQUEST_DSA_IDENTITIES; + if (atomicio(write, auth->fd, msg, 5) != 5) { + error("write auth->fd: %.100s", strerror(errno)); + return 0; + } + /* Read the length of the response. XXX implement timeouts here. */ + len = 4; + while (len > 0) { + l = read(auth->fd, msg + 4 - len, len); + if (l <= 0) { + error("read auth->fd: %.100s", strerror(errno)); + return 0; + } + len -= l; + } + + /* + * Extract the length, and check it for sanity. (We cannot trust + * authentication agents). + * Skipping this for now. I just want a working dsa agent. + */ + len = GET_32BIT(msg); + /* if (len < 1 || len > 256 * 1024) + fatal("Authentication reply message too long: %d\n", len); */ + + /* Read the packet itself. */ + buffer_clear(&auth->identities); + while (len > 0) { + l = len; + if (l > sizeof(msg)) + l = sizeof(msg); + l = read(auth->fd, msg, l); + if (l <= 0) + fatal("Incomplete authentication reply."); + buffer_append(&auth->identities, (char *) msg, l); + len -= l; + } + + /* Get message type, and verify that we got a proper answer. */ + buffer_get(&auth->identities, (char *) msg, 1); + if (msg[0] != SSH_AGENT_DSA_IDENTITIES_ANSWER) + fatal("Bad authentication reply message type: %d", msg[0]); + + /* Get the number of entries in the response and check it for sanity. */ + auth->howmany = buffer_get_int(&auth->identities); + if (auth->howmany > 1024) + fatal("Too many identities in authentication reply: %d\n", auth->howmany); + + /* Return the first entry (if any). */ + return ssh_get_next_dsa_identity(auth, p, q, g, pub_key, comment); + } + + + /* + * Returns the first authentication identity held by the agent. + * Returns true if an identity is available, 0 otherwise. + * The caller must initialize the integers before the call, and free the + * comment after a successful call (before calling ssh_get_next_identity). 
+ */ + + int ssh_get_first_identity(AuthenticationConnection *auth, BIGNUM *e, BIGNUM *n, char **comment) { *************** *** 201,206 **** --- 278,322 ---- */ int + ssh_get_next_dsa_identity(AuthenticationConnection *auth, + BIGNUM *p, BIGNUM *q, BIGNUM *g, + BIGNUM *pub_key, char **comment) + { + unsigned int bits; + + /* Return failure if no more entries. */ + if (auth->howmany <= 0) + return 0; + + /* + * Get the next entry from the packet. These will abort with a fatal + * error if the packet is too short or contains corrupt data. + */ + bits = buffer_get_int(&auth->identities); + buffer_get_bignum(&auth->identities, p); + buffer_get_bignum(&auth->identities, q); + buffer_get_bignum(&auth->identities, g); + buffer_get_bignum(&auth->identities, pub_key); + *comment = buffer_get_string(&auth->identities, NULL); + + if (bits != BN_num_bits(p)) + log("Warning: identity keysize mismatch: actual %d, announced %u", + BN_num_bits(p), bits); + + /* Decrement the number of remaining entries. */ + auth->howmany--; + + return 1; + } + + /* + * Returns the next authentication identity for the agent. Other functions + * can be called between this and ssh_get_first_identity or two calls of this + * function. This returns 0 if there are no more identities. The caller + * must free comment after a successful return. 
+ */ + + int ssh_get_next_identity(AuthenticationConnection *auth, BIGNUM *e, BIGNUM *n, char **comment) { *************** *** 229,234 **** --- 345,430 ---- return 1; } + int + ssh2_sign_data(AuthenticationConnection *auth, BIGNUM *p, BIGNUM *q, BIGNUM *g, + BIGNUM *pub_key, char *data, int dlen, char **response, int *rlen, int datafellows) + { + Buffer buffer; + unsigned char buf[8192]; + int len, l; + + buf[0] = SSH_AGENTC_DSA_SIGN; + buffer_init(&buffer); + buffer_append(&buffer, (char *) buf, 1); + buffer_put_int(&buffer, BN_num_bits(p)); + buffer_put_bignum(&buffer, p); + buffer_put_bignum(&buffer, q); + buffer_put_bignum(&buffer, g); + buffer_put_bignum(&buffer, pub_key); + buffer_put_int(&buffer, datafellows); + buffer_put_string(&buffer, data, dlen); + len = buffer_len(&buffer); + PUT_32BIT(buf, len); + + if (atomicio(write, auth->fd, buf, 4) != 4 || + atomicio(write, auth->fd, buffer_ptr(&buffer), + buffer_len(&buffer)) != buffer_len(&buffer)) { + error("Error writing to authentication socket."); + error_cleanup: + buffer_free(&buffer); + return 0; + } + len = 4; + while (len > 0) { + l = read(auth->fd, buf + 4 - len, len); + if (l <= 0) { + error("Error reading response length from authentication socket."); + goto error_cleanup; + } + len -= l; + } + + len = GET_32BIT(buf); + + buffer_clear(&buffer); + while (len > 0) { + l = len; + if (l > sizeof(buf)) + l = sizeof(buf); + l = read(auth->fd, buf, l); + if (l <= 0) { + error("Error reading response from authentication socket."); + goto error_cleanup; + } + buffer_append(&buffer, (char *) buf, l); + len -= l; + } + + /* Get the type of the packet. */ + buffer_get(&buffer, (char *) buf, 1); + + /* Check for agent failure message. */ + if (buf[0] == SSH_AGENT_FAILURE) { + log("Agent admitted failure to authenticate using the key."); + goto error_cleanup; + } + if (buf[0] != SSH_AGENT_DSA_RESPONSE) + fatal("Bad authentication response: %d", buf[0]); + + /* + * Get the response from the packet. 
This will abort with a fatal + * error if the packet is corrupt. + */ + *rlen = buffer_get_int(&buffer); + *response = buffer_get_string(&buffer, rlen); + + /* The buffer containing the packet is no longer needed. */ + buffer_free(&buffer); + + /* Correct answer. */ + return 1; + + } /* * Generates a random challenge, sends it to the agent, and waits for * response from the agent. Returns true (non-zero) if the agent gave the *************** *** 343,366 **** int ssh_add_identity(AuthenticationConnection *auth, ! RSA * key, const char *comment) { Buffer buffer; unsigned char buf[8192]; int len; /* Format a message to the agent. */ buffer_init(&buffer); ! buffer_put_char(&buffer, SSH_AGENTC_ADD_RSA_IDENTITY); ! buffer_put_int(&buffer, BN_num_bits(key->n)); ! buffer_put_bignum(&buffer, key->n); ! buffer_put_bignum(&buffer, key->e); ! buffer_put_bignum(&buffer, key->d); ! /* To keep within the protocol: p < q for ssh. in SSL p > q */ ! buffer_put_bignum(&buffer, key->iqmp); /* ssh key->u */ ! buffer_put_bignum(&buffer, key->q); /* ssh key->p, SSL key->q */ ! buffer_put_bignum(&buffer, key->p); /* ssh key->q, SSL key->p */ ! buffer_put_string(&buffer, comment, strlen(comment)); /* Get the length of the message, and format it in the buffer. */ len = buffer_len(&buffer); --- 539,580 ---- int ssh_add_identity(AuthenticationConnection *auth, ! Key *key, const char *comment) { Buffer buffer; unsigned char buf[8192]; int len; + RSA *rsa; + DSA *dsa; /* Format a message to the agent. */ buffer_init(&buffer); ! if (key->type == KEY_RSA) { ! rsa = key->rsa; ! buffer_put_char(&buffer, SSH_AGENTC_ADD_RSA_IDENTITY); ! buffer_put_int(&buffer, BN_num_bits(rsa->n)); ! buffer_put_bignum(&buffer, rsa->n); ! buffer_put_bignum(&buffer, rsa->e); ! buffer_put_bignum(&buffer, rsa->d); ! /* To keep within the protocol: p < q for ssh. in SSL p > q */ ! buffer_put_bignum(&buffer, rsa->iqmp); /* ssh key->u */ ! buffer_put_bignum(&buffer, rsa->q); /* ssh key->p, SSL key->q */ ! 
buffer_put_bignum(&buffer, rsa->p); /* ssh key->q, SSL key->p */ ! buffer_put_string(&buffer, comment, strlen(comment)); ! } else if (key->type == KEY_DSA) { ! dsa = key->dsa; ! buffer_put_char(&buffer, SSH_AGENTC_ADD_DSA_IDENTITY); ! buffer_put_int(&buffer, BN_num_bits(dsa->p)); ! buffer_put_bignum(&buffer, dsa->p); ! buffer_put_bignum(&buffer, dsa->q); ! buffer_put_bignum(&buffer, dsa->g); ! buffer_put_bignum(&buffer, dsa->pub_key); ! buffer_put_bignum(&buffer, dsa->priv_key); ! buffer_put_string(&buffer, comment, strlen(comment)); ! } else { ! fprintf(stderr, "Bad Key type: %d.\n", key->type); ! exit(1); ! } /* Get the length of the message, and format it in the buffer. */ len = buffer_len(&buffer); *************** *** 373,378 **** --- 587,621 ---- error("Error writing to authentication socket."); buffer_free(&buffer); return 0; + } + buffer_free(&buffer); + return ssh_agent_get_reply(auth); + } + + + int + ssh_remove_dsa_identity(AuthenticationConnection *auth, DSA *key) + { + Buffer buffer; + unsigned char buf[5]; + int len; + + buffer_init(&buffer); + buffer_put_char(&buffer, SSH_AGENTC_REMOVE_DSA_IDENTITY); + buffer_put_int(&buffer, BN_num_bits(key->p)); + buffer_put_bignum(&buffer, key->p); + buffer_put_bignum(&buffer, key->q); + buffer_put_bignum(&buffer, key->g); + buffer_put_bignum(&buffer, key->pub_key); + + len = buffer_len(&buffer); + PUT_32BIT(buf, len); + + if (atomicio(write, auth->fd, buf, 4) != 4 || + atomicio(write, auth->fd, buffer_ptr(&buffer), + buffer_len(&buffer)) != buffer_len(&buffer)) { + error("Error writing to authentication socket."); + return 0; } buffer_free(&buffer); return ssh_agent_get_reply(auth); diff -c openssh-2.1.1p4/authfd.h openssh-dsa/authfd.h *** openssh-2.1.1p4/authfd.h Thu Jun 22 07:32:31 2000 --- openssh-dsa/authfd.h Tue Aug 1 19:48:48 2000 *************** *** 19,25 **** #define AUTHFD_H #include "buffer.h" ! /* Messages for the authentication agent connection. 
*/ #define SSH_AGENTC_REQUEST_RSA_IDENTITIES 1 #define SSH_AGENT_RSA_IDENTITIES_ANSWER 2 --- 19,26 ---- #define AUTHFD_H #include "buffer.h" ! #include ! #include "key.h" /* Messages for the authentication agent connection. */ #define SSH_AGENTC_REQUEST_RSA_IDENTITIES 1 #define SSH_AGENT_RSA_IDENTITIES_ANSWER 2 *************** *** 30,36 **** #define SSH_AGENTC_ADD_RSA_IDENTITY 7 #define SSH_AGENTC_REMOVE_RSA_IDENTITY 8 #define SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES 9 ! typedef struct { int fd; Buffer packet; --- 31,45 ---- #define SSH_AGENTC_ADD_RSA_IDENTITY 7 #define SSH_AGENTC_REMOVE_RSA_IDENTITY 8 #define SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES 9 ! /* dsa related messages */ ! #define SSH_AGENTC_REQUEST_DSA_IDENTITIES 10 ! #define SSH_AGENT_DSA_IDENTITIES_ANSWER 11 ! #define SSH_AGENTC_DSA_SIGN 12 ! #define SSH_AGENT_DSA_RESPONSE 13 ! #define SSH_AGENTC_ADD_DSA_IDENTITY 14 ! #define SSH_AGENTC_REMOVE_DSA_IDENTITY 15 ! #define SSH_AGENTC_REMOVE_ALL_DSA_IDENTITIES 16 ! #define SSH_AGENTC_REMOVE_ALL_IDENTITIES 17 typedef struct { int fd; Buffer packet; *************** *** 71,76 **** --- 80,89 ---- ssh_get_first_identity(AuthenticationConnection * connection, BIGNUM * e, BIGNUM * n, char **comment); + int + ssh_get_first_dsa_identity(AuthenticationConnection * connection, + BIGNUM *p, BIGNUM *q, BIGNUM *g, BIGNUM *pub_key, char **comment); + /* * Returns the next authentication identity for the agent. Other functions * can be called between this and ssh_get_first_identity or two calls of this *************** *** 81,86 **** --- 94,102 ---- ssh_get_next_identity(AuthenticationConnection * connection, BIGNUM * e, BIGNUM * n, char **comment); + int + ssh_get_next_dsa_identity(AuthenticationConnection * connection, + BIGNUM *p, BIGNUM *q, BIGNUM *g, BIGNUM *pub_key, char **comment); /* Requests the agent to decrypt the given challenge. Returns true if the agent claims it was able to decrypt it. */ int *************** *** 96,102 **** * successfully added. */ int ! 
ssh_add_identity(AuthenticationConnection * connection, RSA * key, const char *comment); /* --- 112,118 ---- * successfully added. */ int ! ssh_add_identity(AuthenticationConnection * connection, Key *key, const char *comment); /* diff -c openssh-2.1.1p4/authfile.c openssh-dsa/authfile.c *** openssh-2.1.1p4/authfile.c Thu Jun 22 07:32:31 2000 --- openssh-dsa/authfile.c Fri Aug 4 14:50:05 2000 *************** *** 191,196 **** --- 191,250 ---- return 0; } + int + load_public_key_dsa (const char *filename, DSA *pub, char **comment_return) + { + #define PUB ".pub" + #define MAX_COMMENT_SIZE 1024 + int fd; + char line[8192], file[1024]; + char *l; + Key *k; + + strncpy (file, filename, sizeof(file)); + strncat (file, PUB, sizeof (file) - strlen (PUB)); + + if ((fd = open(file, O_RDONLY)) < 0) + return 0; + + /* What is the minimum public key size? */ + if (read (fd, line, sizeof(line)) < 300) + return 0; + + if (*comment_return != NULL) { + char *cp, *com; + if ((com = malloc(MAX_COMMENT_SIZE)) != NULL) { + + cp = (char *) line; + while (*cp++ != '\n') { + if (*cp == '=' && *(cp + 1) == '=') { + strncpy (com, cp, MAX_COMMENT_SIZE); + break; + } + } + *comment_return = com; + } + } + + k = key_new (KEY_DSA); + l=line; + if (!key_read(k, &l)) { + key_free (k); + return 0; + } + + pub->p = k->dsa->p; + pub->q = k->dsa->q; + pub->g = k->dsa->g; + pub->pub_key = k->dsa->pub_key; + k->dsa = NULL; + key_free(k); + return 1; + } + + + + /* * Loads the public part of the key file. 
Returns 0 if an error was * encountered (the file does not exist or is not readable), and non-zero *************** *** 270,275 **** --- 324,331 ---- return load_public_key_rsa(filename, key->rsa, comment_return); break; case KEY_DSA: + return load_public_key_dsa(filename, key->dsa, comment_return); + break; default: break; } Common subdirectories: openssh-2.1.1p4/contrib and openssh-dsa/contrib diff -c openssh-2.1.1p4/key.c openssh-dsa/key.c *** openssh-2.1.1p4/key.c Thu Jun 22 20:16:38 2000 --- openssh-dsa/key.c Fri Aug 4 13:34:28 2000 *************** *** 274,279 **** --- 274,280 ---- xfree(blob); if (ret->dsa != NULL) DSA_free(ret->dsa); + ret->dsa = k->dsa; k->dsa = NULL; key_free(k); diff -c openssh-2.1.1p4/ssh-add.c openssh-dsa/ssh-add.c *** openssh-2.1.1p4/ssh-add.c Sun Jul 9 08:42:33 2000 --- openssh-dsa/ssh-add.c Thu Aug 3 19:24:20 2000 *************** *** 19,24 **** --- 19,26 ---- #include "fingerprint.h" #include "key.h" #include "authfile.h" + #include + #include #ifdef HAVE___PROGNAME extern char *__progname; *************** *** 27,46 **** #endif /* HAVE___PROGNAME */ void ! delete_file(AuthenticationConnection *ac, const char *filename) { Key *public; char *comment; ! public = key_new(KEY_RSA); if (!load_public_key(filename, public, &comment)) { printf("Bad key file %s: %s\n", filename, strerror(errno)); return; } ! if (ssh_remove_identity(ac, public->rsa)) ! fprintf(stderr, "Identity removed: %s (%s)\n", filename, comment); ! else ! fprintf(stderr, "Could not remove identity: %s\n", filename); key_free(public); xfree(comment); } --- 29,56 ---- #endif /* HAVE___PROGNAME */ void ! delete_file(AuthenticationConnection *ac, const char *filename, int type) { Key *public; char *comment; ! public = key_new(type); if (!load_public_key(filename, public, &comment)) { printf("Bad key file %s: %s\n", filename, strerror(errno)); return; } ! if (type == KEY_RSA) { ! if (ssh_remove_identity(ac, public->rsa)) ! 
fprintf(stderr, "Identity removed: %s (%s)\n", filename, comment); ! else ! fprintf(stderr, "Could not remove identity: %s\n", filename); ! } else if (type == KEY_DSA) { ! if(ssh_remove_dsa_identity(ac, public->dsa)) ! fprintf(stderr, "Identity removed: %s (%s)\n", filename, comment); ! else ! fprintf(stderr, "Could not remove identity: %s\n", filename); ! } ! key_free(public); xfree(comment); } *************** *** 92,100 **** memset(buf, 0, sizeof(buf)); return pass; } ! void ! add_file(AuthenticationConnection *ac, const char *filename) { Key *public; Key *private; --- 102,110 ---- memset(buf, 0, sizeof(buf)); return pass; } ! void ! add_file(AuthenticationConnection *ac, const char *filename, int type) { Key *public; Key *private; *************** *** 102,114 **** char buf[1024], msg[1024]; int success; int interactive = isatty(STDIN_FILENO); ! public = key_new(KEY_RSA); ! if (!load_public_key(filename, public, &saved_comment)) { ! printf("Bad key file %s: %s\n", filename, strerror(errno)); ! return; } ! key_free(public); if (!interactive && getenv("DISPLAY")) { if (getenv(SSH_ASKPASS_ENV)) --- 112,138 ---- char buf[1024], msg[1024]; int success; int interactive = isatty(STDIN_FILENO); + struct stat st; ! if (type == KEY_RSA) { ! public = key_new(type); ! if (!load_public_key(filename, public, &saved_comment)) { ! fprintf(stderr, "Bad key file %s: %s\n", filename, strerror(errno)); ! return; ! } ! key_free(public); ! } else if (type == KEY_DSA) { ! if (stat(filename, &st) != 0) { ! fprintf(stderr, "key does not exist: %s", filename); ! exit(1); ! } ! saved_comment = xmalloc (strlen(filename) + 1); ! snprintf (saved_comment, strlen(filename), "%s", filename); ! } else { ! fprintf (stderr, "Bad key type: %d.\n", type); ! exit (1); } ! if (!interactive && getenv("DISPLAY")) { if (getenv(SSH_ASKPASS_ENV)) *************** *** 118,124 **** } /* At first, try empty passphrase */ ! 
private = key_new(KEY_RSA); success = load_private_key(filename, "", private, &comment); if (!success) { printf("Need passphrase for %.200s\n", filename); --- 142,148 ---- } /* At first, try empty passphrase */ ! private = key_new(type); success = load_private_key(filename, "", private, &comment); if (!success) { printf("Need passphrase for %.200s\n", filename); *************** *** 150,156 **** } xfree(saved_comment); ! if (ssh_add_identity(ac, private->rsa, comment)) fprintf(stderr, "Identity added: %s (%s)\n", filename, comment); else fprintf(stderr, "Could not add identity: %s\n", filename); --- 174,180 ---- } xfree(saved_comment); ! if (ssh_add_identity(ac, private, comment)) fprintf(stderr, "Identity added: %s (%s)\n", filename, comment); else fprintf(stderr, "Could not add identity: %s\n", filename); *************** *** 159,165 **** } void ! list_identities(AuthenticationConnection *ac, int fp) { BIGNUM *e, *n; int status; --- 183,257 ---- } void ! list_identities(AuthenticationConnection *ac, int fp, int type) ! { ! if (type == KEY_RSA) ! list_rsa_identities(ac, fp); ! else if (type == KEY_DSA) ! list_dsa_identities(ac, fp); ! else { ! fprintf (stderr, "Bad Key type: %d.\n", type); ! exit (1); ! } ! } ! /* For now we ignore the fingerprint request... */ ! void ! list_dsa_identities(AuthenticationConnection *ac, int fp) ! { ! BIGNUM *p, *q, *g, *pub_key; ! int status; ! char *comment; ! char *pbuf, *qbuf, *gbuf, *pub_keybuf; ! int had_identities; ! ! p = BN_new(); ! q = BN_new(); ! g = BN_new(); ! pub_key = BN_new(); ! had_identities = 0; ! for (status = ssh_get_first_dsa_identity(ac, p, q, g, pub_key, &comment); ! status; ! status = ssh_get_next_dsa_identity(ac, p, q, g, pub_key, &comment)) { ! unsigned int bits = BN_num_bits(p); ! had_identities = 1; ! /* What follows is beyond ugly */ ! pbuf = BN_bn2dec(p); ! if (pbuf == NULL) { ! error("list_identities: BN_bn2dec(p) failed."); ! } else { ! qbuf = BN_bn2dec(q); ! if (qbuf == NULL) { ! 
error("list_identities: BN_bn2dec(q) failed."); ! } else { ! gbuf = BN_bn2dec(g); ! if (gbuf == NULL) { ! error("list_identities: BN_bn2dec(g) failed."); ! } else { ! pub_keybuf = BN_bn2dec(pub_key); ! if (pub_keybuf == NULL) { ! error("list_identities: BN_bn2dec(pub_key) failed."); ! } else { ! printf("Bits: %d\np: %s\nq:%s\ng:%s\npub_key: %s\n Comment: %s\n", bits, pbuf, qbuf, gbuf, pub_keybuf, comment); ! free(pub_keybuf); ! } ! free(gbuf); ! } ! free(qbuf); ! } ! free(pbuf); ! } ! xfree(comment); ! } ! BN_clear_free(p); ! BN_clear_free(q); ! BN_clear_free(g); ! BN_clear_free(pub_key); ! if (!had_identities) ! printf("The agent has no identities.\n"); ! } ! ! void ! list_rsa_identities(AuthenticationConnection *ac, int fp) { BIGNUM *e, *n; int status; *************** *** 209,223 **** int no_files = 1; int i; int deleting = 0; init_rng(); /* check if RSA support exists */ if (rsa_alive() == 0) { fprintf(stderr, ! "%s: no RSA support in libssl and libcrypto. See ssl(8).\n", __progname); ! exit(1); } /* At first, get a connection to the authentication agent. */ ac = ssh_get_authentication_connection(); --- 301,319 ---- int no_files = 1; int i; int deleting = 0; + /* We assume rsa by default so as not to break peoples scripts */ + int type = KEY_RSA; + + OpenSSL_add_all_algorithms(); init_rng(); /* check if RSA support exists */ if (rsa_alive() == 0) { fprintf(stderr, ! "%s: no RSA support in libssl and libcrypto. Assuming DSA support.\n", __progname); ! type = KEY_DSA; } /* At first, get a connection to the authentication agent. */ ac = ssh_get_authentication_connection(); *************** *** 228,234 **** for (i = 1; i < argc; i++) { if ((strcmp(argv[i], "-l") == 0) || (strcmp(argv[i], "-L") == 0)) { ! list_identities(ac, argv[i][1] == 'l' ? 1 : 0); /* Don't default-add/delete if -l. */ no_files = 0; continue; --- 324,330 ---- for (i = 1; i < argc; i++) { if ((strcmp(argv[i], "-l") == 0) || (strcmp(argv[i], "-L") == 0)) { ! list_identities(ac, argv[i][1] == 'l' ? 
1 : 0, type); /* Don't default-add/delete if -l. */ no_files = 0; continue; *************** *** 242,252 **** no_files = 0; continue; } no_files = 0; if (deleting) ! delete_file(ac, argv[i]); else ! add_file(ac, argv[i]); } if (no_files) { pw = getpwuid(getuid()); --- 338,356 ---- no_files = 0; continue; } + if (strcmp(argv[i], "-2") == 0) { + type = KEY_DSA; + continue; + } + if (strcmp(argv[i], "-1") == 0) { + type = KEY_RSA; + continue; + } no_files = 0; if (deleting) ! delete_file(ac, argv[i], type); else ! add_file(ac, argv[i], type); } if (no_files) { pw = getpwuid(getuid()); *************** *** 255,265 **** ssh_close_authentication_connection(ac); exit(1); } ! snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir, SSH_CLIENT_IDENTITY); if (deleting) ! delete_file(ac, buf); else ! add_file(ac, buf); } ssh_close_authentication_connection(ac); exit(0); --- 359,369 ---- ssh_close_authentication_connection(ac); exit(1); } ! snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir, (type == KEY_RSA) ? SSH_CLIENT_IDENTITY : SSH_CLIENT_ID_DSA); if (deleting) ! delete_file(ac, buf, type); else ! add_file(ac, buf, type); } ssh_close_authentication_connection(ac); exit(0); diff -c openssh-2.1.1p4/ssh-agent.c openssh-dsa/ssh-agent.c *** openssh-2.1.1p4/ssh-agent.c Sun Jul 9 08:42:33 2000 --- openssh-dsa/ssh-agent.c Sat Aug 5 02:57:03 2000 *************** *** 20,26 **** #include "packet.h" #include "getput.h" #include "mpaux.h" ! #include typedef struct { --- 20,29 ---- #include "packet.h" #include "getput.h" #include "mpaux.h" ! #include ! #include "key.h" ! #include "compat.h" ! 
#include "dsa.h" #include typedef struct { *************** *** 43,48 **** --- 46,59 ---- unsigned int num_identities = 0; Identity *identities = NULL; + typedef struct { + DSA *key; + char *comment; + } dsa_Identity; + + unsigned int num_dsa_identities = 0; + dsa_Identity *dsa_identities = NULL; + int max_fd = 0; /* pid of shell == parent of agent */ *************** *** 59,64 **** --- 70,98 ---- #endif /* HAVE___PROGNAME */ void + process_request_dsa_identity(SocketEntry *e) + { + Buffer msg; + int i; + + buffer_init(&msg); + buffer_put_char(&msg, SSH_AGENT_DSA_IDENTITIES_ANSWER); + buffer_put_int(&msg, num_dsa_identities); + for (i = 0; i < num_dsa_identities; i++) { + buffer_put_int(&msg, BN_num_bits(dsa_identities[i].key->p)); + buffer_put_bignum(&msg, dsa_identities[i].key->p); + buffer_put_bignum(&msg, dsa_identities[i].key->q); + buffer_put_bignum(&msg, dsa_identities[i].key->g); + buffer_put_bignum(&msg, dsa_identities[i].key->pub_key); + buffer_put_string(&msg, dsa_identities[i].comment, + strlen(dsa_identities[i].comment)); + } + buffer_put_int(&e->output, buffer_len(&msg)); + buffer_append(&e->output, buffer_ptr(&msg), buffer_len(&msg)); + buffer_free(&msg); + } + + void process_request_identity(SocketEntry *e) { Buffer msg; *************** *** 80,85 **** --- 114,205 ---- } void + process_dsa_sign(SocketEntry *e) + { + Key *k; + BIGNUM *p, *q, *g, *pub_key; + unsigned char *data, *signature; + int datalen, slen, len; + unsigned int i, bits; + Buffer msg; + + k = xmalloc(sizeof(*k)); + k->type = KEY_DSA; + k->rsa = NULL; + + p = BN_new(); + q = BN_new(); + g = BN_new(); + pub_key = BN_new(); + printf ("DSA sign\n"); + bits = buffer_get_int(&e->input); + printf ("Bits: %d\n", bits); + buffer_get_bignum(&e->input, p); + printf ("p: %s\n", BN_bn2dec(p)); + buffer_get_bignum(&e->input, q); + buffer_get_bignum(&e->input, g); + buffer_get_bignum(&e->input, pub_key); + + for (i = 0; i < num_dsa_identities; i++) { + if (BN_cmp(p, dsa_identities[i].key->p) == 0 && 
+ BN_cmp(q, dsa_identities[i].key->q) == 0 && + BN_cmp(g, dsa_identities[i].key->g) == 0 && + BN_cmp(pub_key, dsa_identities[i].key->pub_key) == 0 && + bits == BN_num_bits(dsa_identities[i].key->p)) { + + /* We have the key. */ + printf ("Found the key\n"); + k->dsa = dsa_identities[i].key; + /* UGLY datafellows hack */ + datafellows = buffer_get_int(&e->input); + printf ("Datafellows: %d\n", datafellows); + data = buffer_get_string(&e->input, &datalen); + printf ("Data: %s\n", data); + printf ("Datalen: %d\n", datalen); + printf ("About to sign...\n"); + len = dsa_sign(k, &signature, &slen, data, datalen); + printf ("dsa_sign ret: %d\n", len); + printf ("Signed!: %x %x\n", *signature, *(signature + 1)); + /* Success */ + buffer_init(&msg); + buffer_put_char(&msg, SSH_AGENT_DSA_RESPONSE); + printf ("About to add slen: %d.\n", slen); + buffer_put_int(&msg, slen); + printf ("About to add signature\n"); + buffer_put_string(&msg, signature, slen); + printf ("About to free k\n"); + xfree(k); + printf ("About to free data\n"); + xfree(data); + printf ("About to free signature\n"); + xfree(signature); + printf ("freeing p\n"); + BN_clear_free(p); + printf ("freeing q\n"); + BN_clear_free(q); + printf ("freeing g\n"); + BN_clear_free(g); + printf ("freeing pub_key\n"); + BN_clear_free(pub_key); + buffer_put_int(&e->output, buffer_len(&msg)); + buffer_append(&e->output, buffer_ptr(&msg), buffer_len(&msg)); + printf("About to return"); + return; + } + } + /* We Dont have the key */ + buffer_put_char(&e->output, SSH_AGENT_FAILURE); + xfree(k); + BN_clear_free(p); + BN_clear_free(q); + BN_clear_free(g); + BN_clear_free(pub_key); + } + + + + + void process_authentication_challenge(SocketEntry *e) { int i, pub_bits, len; *************** *** 163,168 **** --- 283,352 ---- } void + process_remove_dsa_identity(SocketEntry *e) + { + unsigned int bits; + unsigned int i; + BIGNUM *p, *q, *g, *pub_key; + + + p = BN_new(); + q = BN_new(); + g = BN_new(); + pub_key = BN_new(); + + /* Get 
the key from the packet. */ + bits = buffer_get_int(&e->input); + buffer_get_bignum(&e->input, p); + buffer_get_bignum(&e->input, q); + buffer_get_bignum(&e->input, g); + buffer_get_bignum(&e->input, pub_key); + + if (bits != BN_num_bits(p)) + log("Warning: identity keysize mismatch: actual %d, announced %d", BN_num_bits(p), bits); + + /* Check if we have the key. */ + for (i = 0; i < num_dsa_identities; i++) + if (BN_cmp(dsa_identities[i].key->pub_key, pub_key) == 0 && + BN_cmp(dsa_identities[i].key->p, p) == 0 && + BN_cmp(dsa_identities[i].key->q, q) == 0 && + BN_cmp(dsa_identities[i].key->g, g) == 0) { + /* + * We have this key. Free the old key. Since we + * don\'t want to leave empty slots in the middle of + * the array, we actually free the key there and copy + * data from the last entry. + */ + DSA_free(dsa_identities[i].key); + xfree(dsa_identities[i].comment); + if (i < num_dsa_identities - 1) + dsa_identities[i] = dsa_identities [num_dsa_identities - 1]; + num_dsa_identities--; + BN_clear_free(q); + BN_clear_free(g); + BN_clear_free(p); + BN_clear_free(pub_key); + + /* Send success. */ + buffer_put_int(&e->output, 1); + buffer_put_char(&e->output, SSH_AGENT_SUCCESS); + return; + } + /* We did not have the key. */ + /* original just cleared. I dont see why we shouldn't free as well */ + BN_clear_free(p); + BN_clear_free(q); + BN_clear_free(g); + BN_clear_free(pub_key); + + /* Send failure. */ + buffer_put_int(&e->output, 1); + buffer_put_char(&e->output, SSH_AGENT_FAILURE); + + } + + + void process_remove_identity(SocketEntry *e) { unsigned int bits; *************** *** 213,222 **** } /* ! * Removes all identities from the agent. */ void ! process_remove_all_identities(SocketEntry *e) { unsigned int i; --- 397,431 ---- } /* ! * Removes all dsa identities from the agent. */ void ! process_remove_all_dsa_identities(SocketEntry *e, int suppress) ! { ! unsigned int i; ! ! /* Loop over all identities and clear the keys. */ ! 
for (i = 0; i < num_dsa_identities; i++) { ! DSA_free(dsa_identities[i].key); ! xfree(identities[i].comment); ! } ! ! /* Mark that there are no dsa identities. */ ! num_dsa_identities = 0; ! ! /* Send success if not suppressed */ ! if (!suppress) { ! buffer_put_int(&e->output, 1); ! buffer_put_char(&e->output, SSH_AGENT_SUCCESS); ! } ! return; ! } ! ! /* ! * Removes all rsa identities from the agent. ! */ ! void ! process_remove_all_rsa_identities(SocketEntry *e) { unsigned int i; *************** *** 226,232 **** xfree(identities[i].comment); } ! /* Mark that there are no identities. */ num_identities = 0; /* Send success. */ --- 435,441 ---- xfree(identities[i].comment); } ! /* Mark that there are no rsa identities. */ num_identities = 0; /* Send success. */ *************** *** 236,242 **** } /* ! * Adds an identity to the agent. */ void process_add_identity(SocketEntry *e) --- 445,517 ---- } /* ! * Removes all rsa and dsa identities from the agent. ! */ ! void ! process_remove_all_identities(SocketEntry *e) ! { ! process_remove_all_dsa_identities(e,1); ! process_remove_all_rsa_identities(e); ! return; ! } ! ! /* ! * Adds a DSA identity to the agent. ! */ ! ! void ! process_add_dsa_identity(SocketEntry *e) ! { ! DSA *k; ! int i; ! ! if (num_dsa_identities == 0) ! dsa_identities = xmalloc(sizeof(dsa_Identity)); ! else ! dsa_identities = xrealloc(dsa_identities, ! (num_dsa_identities +1) * sizeof(dsa_Identity)); ! dsa_identities[num_dsa_identities].key = DSA_new(); ! k = dsa_identities[num_dsa_identities].key; ! ! buffer_get_int(&e->input); /* bits of p, the variable bit dsa param. */ ! k->p = BN_new(); ! buffer_get_bignum(&e->input, k->p); ! k->q = BN_new(); ! buffer_get_bignum(&e->input, k->q); ! k->g = BN_new(); ! buffer_get_bignum(&e->input, k->g); ! k->pub_key = BN_new(); ! buffer_get_bignum(&e->input, k->pub_key); ! k->priv_key = BN_new(); ! buffer_get_bignum(&e->input, k->priv_key); ! 
dsa_identities[num_dsa_identities].comment = buffer_get_string(&e->input, NULL); ! ! /* Check if we already have the key */ ! for (i = 0; i > num_dsa_identities; i++) ! if(BN_cmp(dsa_identities[i].key->priv_key, k->priv_key) == 0) { ! /* ! * We already have this key. Clear and free the new ! * data and return success. ! */ ! DSA_free(k); ! xfree(dsa_identities[num_dsa_identities].comment); ! /* Possible memory leak here? */ ! ! /* Send success. */ ! buffer_put_int(&e->output, 1); ! buffer_put_char(&e->output, SSH_AGENT_SUCCESS); ! return; ! } ! /* Increment the number of identities. */ ! num_dsa_identities++; ! ! /* Send a success message. */ ! buffer_put_int(&e->output, 1); ! buffer_put_char(&e->output, SSH_AGENT_SUCCESS); ! } ! ! /* ! * Adds an RSA identity to the agent. */ void process_add_identity(SocketEntry *e) *************** *** 343,348 **** --- 618,641 ---- process_remove_identity(e); break; case SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES: + process_remove_all_rsa_identities(e); + break; + case SSH_AGENTC_REQUEST_DSA_IDENTITIES: + process_request_dsa_identity(e); + break; + case SSH_AGENTC_DSA_SIGN: + process_dsa_sign(e); + break; + case SSH_AGENTC_ADD_DSA_IDENTITY: + process_add_dsa_identity(e); + break; + case SSH_AGENTC_REMOVE_DSA_IDENTITY: + process_remove_dsa_identity(e); + break; + case SSH_AGENTC_REMOVE_ALL_DSA_IDENTITIES: + process_remove_all_dsa_identities(e, 0); + break; + case SSH_AGENTC_REMOVE_ALL_IDENTITIES: process_remove_all_identities(e); break; default: *************** *** 503,527 **** main(int ac, char **av) { fd_set readset, writeset; ! int sock, c_flag = 0, k_flag = 0, s_flag = 0, ch; struct sockaddr_un sunaddr; pid_t pid; char *shell, *format, *pidstr, pidstrbuf[1 + 3 * sizeof pid]; extern int optind; init_rng(); /* check if RSA support exists */ ! if (rsa_alive() == 0) { fprintf(stderr, "%s: no RSA support in libssl and libcrypto. See ssl(8).\n", __progname); exit(1); ! } #ifdef __GNU_LIBRARY__ ! 
while ((ch = getopt(ac, av, "+cks")) != -1) { #else /* __GNU_LIBRARY__ */ ! while ((ch = getopt(ac, av, "cks")) != -1) { #endif /* __GNU_LIBRARY__ */ switch (ch) { case 'c': --- 796,822 ---- main(int ac, char **av) { fd_set readset, writeset; ! int sock, c_flag = 0, k_flag = 0, s_flag = 0, d_flag = 0, ch; struct sockaddr_un sunaddr; pid_t pid; char *shell, *format, *pidstr, pidstrbuf[1 + 3 * sizeof pid]; extern int optind; + OpenSSL_add_all_algorithms(); + init_rng(); /* check if RSA support exists */ ! /* if (rsa_alive() == 0) { fprintf(stderr, "%s: no RSA support in libssl and libcrypto. See ssl(8).\n", __progname); exit(1); ! }*/ #ifdef __GNU_LIBRARY__ ! while ((ch = getopt(ac, av, "+cdks")) != -1) { #else /* __GNU_LIBRARY__ */ ! while ((ch = getopt(ac, av, "cdks")) != -1) { #endif /* __GNU_LIBRARY__ */ switch (ch) { case 'c': *************** *** 537,542 **** --- 832,840 ---- usage(); s_flag++; break; + case 'd': + d_flag++; + break; default: usage(); } *************** *** 544,553 **** ac -= optind; av += optind; ! if (ac > 0 && (c_flag || k_flag || s_flag)) usage(); ! if (ac == 0 && !c_flag && !k_flag && !s_flag) { shell = getenv("SHELL"); if (shell != NULL && strncmp(shell + strlen(shell) - 3, "csh", 3) == 0) c_flag = 1; --- 842,851 ---- ac -= optind; av += optind; ! if (ac > 0 && (c_flag || k_flag || s_flag || d_flag)) usage(); ! if (ac == 0 && !c_flag && !k_flag && !s_flag && !d_flag) { shell = getenv("SHELL"); if (shell != NULL && strncmp(shell + strlen(shell) - 3, "csh", 3) == 0) c_flag = 1; *************** *** 611,653 **** * Fork, and have the parent execute the command, if any, or present * the socket data. The child continues as the authentication agent. */ ! pid = fork(); ! if (pid == -1) { ! perror("fork"); ! exit(1); ! } ! if (pid != 0) { /* Parent - execute the given command. */ ! close(sock); ! snprintf(pidstrbuf, sizeof pidstrbuf, "%d", pid); ! if (ac == 0) { ! format = c_flag ? "setenv %s %s;\n" : "%s=%s; export %s;\n"; ! 
printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name, ! SSH_AUTHSOCKET_ENV_NAME); ! printf(format, SSH_AGENTPID_ENV_NAME, pidstrbuf, ! SSH_AGENTPID_ENV_NAME); ! printf("echo Agent pid %d;\n", pid); ! exit(0); ! } ! setenv(SSH_AUTHSOCKET_ENV_NAME, socket_name, 1); ! setenv(SSH_AGENTPID_ENV_NAME, pidstrbuf, 1); ! execvp(av[0], av); ! perror(av[0]); ! exit(1); ! } ! close(0); ! close(1); ! close(2); ! ! if (setsid() == -1) { ! perror("setsid"); ! cleanup_exit(1); } if (atexit(cleanup_socket) < 0) { perror("atexit"); cleanup_exit(1); } new_socket(AUTH_SOCKET, sock); ! if (ac > 0) { signal(SIGALRM, check_parent_exists); alarm(10); } --- 909,958 ---- * Fork, and have the parent execute the command, if any, or present * the socket data. The child continues as the authentication agent. */ ! if (!d_flag) { ! pid = fork(); ! if (pid == -1) { ! perror("fork"); ! exit(1); ! } ! if (pid != 0) { /* Parent - execute the given command. */ ! close(sock); ! snprintf(pidstrbuf, sizeof pidstrbuf, "%d", pid); ! if (ac == 0) { ! format = c_flag ? "setenv %s %s;\n" : "%s=%s; export %s;\n"; ! printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name, ! SSH_AUTHSOCKET_ENV_NAME); ! printf(format, SSH_AGENTPID_ENV_NAME, pidstrbuf, ! SSH_AGENTPID_ENV_NAME); ! printf("echo Agent pid %d;\n", pid); ! exit(0); ! } ! setenv(SSH_AUTHSOCKET_ENV_NAME, socket_name, 1); ! setenv(SSH_AGENTPID_ENV_NAME, pidstrbuf, 1); ! execvp(av[0], av); ! perror(av[0]); ! exit(1); ! } ! close(0); ! close(1); ! close(2); ! ! if (setsid() == -1) { ! perror("setsid"); ! cleanup_exit(1); ! } ! } else { ! ! format = c_flag ? "setenv %s %s;\n" : "%s=%s; export %s;\n"; ! printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name, ! SSH_AUTHSOCKET_ENV_NAME); } if (atexit(cleanup_socket) < 0) { perror("atexit"); cleanup_exit(1); } new_socket(AUTH_SOCKET, sock); ! 
if (ac > 0 && !d_flag) { signal(SIGALRM, check_parent_exists); alarm(10); } diff -c openssh-2.1.1p4/sshconnect2.c openssh-dsa/sshconnect2.c *** openssh-2.1.1p4/sshconnect2.c Thu Jun 22 07:32:32 2000 --- openssh-dsa/sshconnect2.c Sat Aug 5 03:53:02 2000 *************** *** 54,59 **** --- 54,60 ---- #include "dsa.h" #include "sshconnect.h" #include "authfile.h" + #include "authfd.h" /* import */ extern char *client_version_string; *************** *** 287,292 **** --- 288,387 ---- } int + ssh2_try_agent(const char *server_user, const char *host, const char *service) + { + AuthenticationConnection *auth; + Buffer b; + Key *k; + unsigned char *blob, *signature; + int bloblen, slen, plen; + int skip = 0; + int status; + BIGNUM *p, *q, *g, *pub_key; + char *comment; + + auth = ssh_get_authentication_connection(); + if(!auth) + return 0; + + p = BN_new(); + q = BN_new(); + g = BN_new(); + pub_key = BN_new(); + + + for (status = ssh_get_first_dsa_identity(auth, p, q, g, pub_key, &comment); status; status = ssh_get_next_dsa_identity(auth, p, q, g, pub_key, &comment)) { + xfree (comment); + k = key_new(KEY_DSA); + k->dsa->p = p; + k->dsa->q = q; + k->dsa->g = g; + k->dsa->pub_key = pub_key; + dsa_make_key_blob(k, &blob, &bloblen); + + /* data to be signed */ + buffer_init(&b); + if (datafellows & SSH_COMPAT_SESSIONID_ENCODING) { + buffer_put_string(&b, session_id2, session_id2_len); + skip = buffer_len(&b); + } else { + buffer_append(&b, session_id2, session_id2_len); + skip = session_id2_len; + } + buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); + buffer_put_cstring(&b, server_user); + buffer_put_cstring(&b, + datafellows & SSH_BUG_PUBKEYAUTH ? 
+ "ssh-userauth" : + service); + buffer_put_cstring(&b, "publickey"); + buffer_put_char(&b, 1); + buffer_put_cstring(&b, KEX_DSS); + buffer_put_string(&b, blob, bloblen); + + /* generate signature */ + ssh2_sign_data(auth, p, q, g, pub_key, buffer_ptr(&b), buffer_len(&b), &signature, &slen, datafellows); + key_free(k); + #ifdef DEBUG_DSS + buffer_dump(&b); + #endif + if (datafellows & SSH_BUG_PUBKEYAUTH) { + buffer_clear(&b); + buffer_append(&b, session_id2, session_id2_len); + buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); + buffer_put_cstring(&b, server_user); + buffer_put_cstring(&b, service); + buffer_put_cstring(&b, "publickey"); + buffer_put_char(&b, 1); + buffer_put_cstring(&b, KEX_DSS); + buffer_put_string(&b, blob, bloblen); + } + xfree(blob); + /* append signature */ + buffer_put_string(&b, signature, slen); + + /* skip session id and packet type */ + if (buffer_len(&b) < skip + 1) + fatal("ssh2_try_pubkey: internal error"); + buffer_consume(&b, skip + 1); + + /* put remaining data from buffer into packet */ + packet_start(SSH2_MSG_USERAUTH_REQUEST); + packet_put_raw(buffer_ptr(&b), buffer_len(&b)); + buffer_free(&b); + + /* send */ + packet_send(); + packet_write_wait(); + + if (SSH2_MSG_USERAUTH_SUCCESS == packet_read(&plen)) + return 1; + + } + return 0; + } + + int ssh2_try_pubkey(char *filename, const char *server_user, const char *host, const char *service) { *************** *** 437,442 **** --- 532,539 ---- debug("partial success"); if (options.dsa_authentication && strstr(auths, "publickey") != NULL) { + if (ssh2_try_agent(server_user, host, service)) + break; while (i < options.num_identity_files2) { sent = ssh2_try_pubkey( options.identity_files2[i++], From vinschen at cygnus.com Tue Aug 8 04:16:40 2000 
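Review bot: In the DSA branch of add_file() (ssh-add.c), `snprintf (saved_comment, strlen(filename), "%s", filename);` passes a size one byte too small, so the comment silently loses the last character of the filename; the buffer was allocated with `strlen(filename) + 1`, so pass that same size (or just xstrdup the name). The same branch calls `exit(1)` when stat() fails where the RSA branch does `return`, so one missing DSA key file aborts the whole ssh-add run instead of skipping that file, and the "key does not exist: %s" message has no trailing newline.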
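Review bot: list_dsa_identities() ignores its `fp` argument (the comment above it admits this), so `ssh-add -l` on a DSA-only agent dumps p, q, g and pub_key in full decimal instead of fingerprints, which is neither readable nor comparable with the RSA listing; either print a fingerprint here or have -l say that DSA fingerprints are not yet supported. The four nested `if (xbuf == NULL)` blocks read much better as one up-front check that all four BN_bn2dec() calls succeeded, and `bits` is declared `unsigned int` but printed with %d.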
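Review bot: The new `-1` and `-2` options in the argv loop of ssh-add's main() are not covered by any usage text in this diff; since `-2` changes which default file is loaded (SSH_CLIENT_ID_DSA instead of SSH_CLIENT_IDENTITY) they need a usage line and a man page entry. Also, when rsa_alive() fails the code now prints "Assuming DSA support." and sets `type = KEY_DSA`, but a later `-1` on the command line switches back to KEY_RSA on a libcrypto that has just been found to lack RSA; reject `-1` in that case instead of proceeding.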
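Review bot: process_dsa_sign() in ssh-agent.c has a protocol framing bug on its failure path: when no identity matches it writes `buffer_put_char(&e->output, SSH_AGENT_FAILURE)` without the `buffer_put_int(&e->output, 1)` length word that process_remove_dsa_identity() and the RSA handlers emit first, and it returns without consuming the datafellows word and the data string still queued in e->input, so the next request on that socket is parsed out of alignment. The `printf()` debug lines must not be merged as they stand: `printf ("Data: %s\n", data)` treats the caller-supplied binary blob as a NUL-terminated string and reads past it, `printf ("p: %s\n", BN_bn2dec(p))` leaks the returned string on every request, and `printf ("Signed!: %x %x\n", *signature, *(signature + 1))` dereferences `signature` before the `dsa_sign()` return value in `len` has been checked. Setting the global `datafellows` from whatever the client sends also deserves a comment explaining why the agent trusts it.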
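Review bot: The loop in process_remove_all_dsa_identities() frees `identities[i].comment` (the RSA array) instead of `dsa_identities[i].comment`: with more DSA than RSA identities loaded it reads past the end of `identities`, and otherwise it frees RSA comments that process_remove_all_rsa_identities() frees again right afterwards in process_remove_all_identities(), a double free reachable by any client that can reach the agent socket. Change it to `xfree(dsa_identities[i].comment);`. The `dsa_identities` array itself is also never freed or reset to NULL, so the next process_add_dsa_identity(), which xmalloc()s a fresh array when the count is 0, leaks it.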
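Review bot: The duplicate check in process_add_dsa_identity() loops with `for (i = 0; i > num_dsa_identities; i++)`, a condition that is never true, so re-adding a key appends another copy every time; it should read `i < num_dsa_identities`. Once it does run, the duplicate branch DSA_free()s `k` and xfree()s the comment but leaves `dsa_identities[num_dsa_identities].key` pointing at the freed DSA and keeps the enlarged array, so the `Possible memory leak here?` comment is right: clear that slot (or realloc the array back down) before returning. Matching on pub_key, as process_remove_dsa_identity() does, would also be more consistent than matching on priv_key.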
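Review bot: In ssh-agent's main() the rsa_alive() check is commented out with `/* ... */` rather than removed or made conditional on the key type; dead code in comments should not be merged, and without any check the RSA request handlers stay reachable on a libcrypto without RSA. The new `-d` option is also not reflected in any usage() hunk here, and its `else` branch prints only SSH_AUTHSOCKET_ENV_NAME while the forking path also exports SSH_AGENTPID_ENV_NAME, so scripts that rely on the pid variable behave differently under `-d`.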
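Review bot: ssh2_try_agent() in sshconnect2.c has a use-after-free in its identity loop: `k->dsa->p = p` (and q, g, pub_key) hands the four BIGNUMs to the Key, `key_free(k)` then frees them along with k->dsa, and the loop's `ssh_get_next_dsa_identity(auth, p, q, g, pub_key, &comment)` writes into the freed objects on the next iteration; either BN_dup() them into k->dsa or allocate fresh p, q, g, pub_key after key_free(). The assignment also overwrites whatever key_new(KEY_DSA) allocated in k->dsa, leaking it. Further: `signature` is never freed after buffer_put_string(); the connection from ssh_get_authentication_connection() is never closed on either return path; any reply other than SSH2_MSG_USERAUTH_SUCCESS is read by packet_read() and discarded, so the caller never sees the server's failure for that attempt; and the fatal() message says `ssh2_try_pubkey` where it should say `ssh2_try_agent`.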
From: vinschen at cygnus.com (Corinna Vinschen)
Date: Mon, 07 Aug 2000 20:16:40 +0200
Subject: X11-Forwarding OpenSSH 2.1.1p4 problem
References: <398ED665.5AB5CEC8@ph.tum.de>
Message-ID: <398EFD08.6C0D0C4E@cygnus.com>

Michael Schmidt wrote:
>
> Hi,
>
> I have the following problem:
>
> I have two computers. On the first RedHat 6.2 (Openssh 2.1.1) is
> installed. The second is a PC with Windows NT 4.0 (SP 6) with Cygwin
> and Openssh 2.1.1p4. The X-Server running on the WinNT machine is
> Hummingbird Exceed 6.1. I have activated X11-Forwarding in the
> config-files on both machines.
> I'm sitting in front of the WinNT machine and want to do an XSession on
> the RedHat machine. Here is a screen dump:
>
> ------------------------------------------------------------------
> $ ssh -v -l schmidta saturn 2>/dump
> [...]
> debug: client_input_channel_open: ctype x11 rchan 2 win 4096 max 2048
> connect /usr/spool/sockets/X11/0: No such file or directory
> [...]
> ------------------------------------------------------------------------
>
> Does anybody know where I've made a mistake? What is wrong?
> Thank you :-)

Weird. No problem here in either direction. I'm using a box with a
Linux 2.2.14 kernel and a Cygwin box with W2K and, uhm, don't know
the name, some NT X Server.

What's that above message? Is it possible that your xdvi script
explicitly tries to open :0, or what's that strange unix socket
named '0'?

Corinna

--
Corinna Vinschen          Please, send mails regarding Cygwin to
Cygwin Developer          mailto:cygwin at sources.redhat.com
Red Hat, Inc.             mailto:vinschen at cygnus.com

From toh at po.ntts.co.jp Tue Aug 8 17:11:06 2000
From: toh at po.ntts.co.jp (Fujio Nobori)
Date: Tue, 8 Aug 2000 16:11:06 +0900
Subject: port forwarding on Windows or WindowsCE
Message-ID: <20000808161106E.toh@po.ntts.co.jp>

Hi,

I am not sure how many people here are using Windows or WindowsCE, but
I made an application out of OpenSSH that enables port forwarding on
the Windows or WindowsCE platform. If you have any interest, please visit:

http://host07.ntts-inl.net/~toh/PortForwarder/

Any comment will be appreciated.
Thank you very much in advance.

-------------------------------------------------------
FUJIO NOBORI (toh at po.ntts.co.jp)
NTT SOFTWARE CO., TOKYO JAPAN
tel: +81 3 5782 7291
fax: +81 3 5782 7222

From vinschen at cygnus.com Tue Aug 8 21:17:14 2000
From: vinschen at cygnus.com (Corinna Vinschen)
Date: Tue, 08 Aug 2000 13:17:14 +0200
Subject: [PATCH] Updated patch to Cygwin port of 2.1.1p4
Message-ID: <398FEC3A.CAFF1E83@cygnus.com>

I had to update the Cygwin port for two reasons:
- scp could fail because of another textmode/binmode problem.
- Privileged ports are not privileged on Windows and there's
  no coherence between privileged user and uid 0.

So I send the complete patch again with the above changes.

ChangeLog:
==========
- Makefile.in: Changed to support $EXEEXT transparently.
  Added `cygwin_util.o' to the dependencies of LIBSSH_OBJS.
- acconfig.h: Add HAVE_CYGWIN.
- auth-passwd.c: Support getting NT passwords via Cygwin special
  functions. Disable check for uid 0 when HAVE_CYGWIN is set.
- auth1.c: Reject changing user context if not authenticated via
  password under Windows NT. Disable check for uid 0 when HAVE_CYGWIN
  is set.
- authfile.c: Disable check for file modes when HAVE_CYGWIN is set.
- bsd-daemon.c: Avoid possible race condition under Cygwin.
- bsd-mktemp.c: Define `open' as `binary_open' when HAVE_CYGWIN is set.
- channels.c: Disable check for uid 0 when HAVE_CYGWIN is set.
- config.h.in: Add HAVE_CYGWIN.
- configure.in: Add *-*-cygwin as target. Call AC_EXEEXT now.
- cygwin_util.c: New file containing `binary_open' and `binary_pipe'
  function.
- includes.h: Use HAVE_CYGWIN to care for include files. Define `open'
  as `binary_open' and `pipe' as `binary_pipe' when HAVE_CYGWIN is set.
- loginrec.c: Disable check for uid 0 when HAVE_CYGWIN is set.
- pty.c: Disable HAVE_VHANGUP explicitly if HAVE_CYGWIN is set. Don't
  call I_PUSH ioctl's under Cygwin.
- readconf.c: Disable check for uid 0 when HAVE_CYGWIN is set.
- scp.c: Call tcgetpgrp() instead of ioctl(..., TIOCGPGRP) to get the
  controlling terminal when HAVE_CYGWIN is set.
- session.c: Close xauthfiles immediately to avoid implicit file lockings
  on Windows NT systems. Changes in environment setting. Disable check
  for uid 0 when HAVE_CYGWIN is set. Don't call xauth with `.../unix'
  syntax under Cygwin.
- ssh.c: Disable setrlimit call under Cygwin. Take care for `.exe' file
  extension. Disable check for uid 0 when HAVE_CYGWIN is set.
- sshd.c: Open pid file explicit binary.

Corinna

--
Corinna Vinschen          Please, send mails regarding Cygwin to
Cygwin Developer          mailto:cygwin at sources.redhat.com
Red Hat, Inc.             mailto:vinschen at cygnus.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-2.1.1p4.p0.gz
Type: application/x-gzip
Size: 6928 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000808/1fdbe3e3/attachment.bin

From aspa at kronodoc.fi Wed Aug 9 00:31:57 2000
From: aspa at kronodoc.fi (Marko Asplund)
Date: Tue, 8 Aug 2000 17:31:57 +0300 (EEST)
Subject: IDEA support
Message-ID:

hello!

one thing i'd like to see in OpenSSH is (optional) IDEA algorithm
support. this would be useful especially in an environment which has a
mix of old ssh v1.2.x and OpenSSH installations. according to Ascom
non-commercial use of IDEA is free (http://www.ascom.com/infosec/idea.html).
also, there are countries (e.g. Finland) where IDEA is not patented.

here's a patch suggestion for IDEA support (autoreconf has to be run
after patching the source).

thanks,

best regards,

-- aspa

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-idea-0808.patch.gz
Type: application/x-gzip
Size: 1568 bytes
Desc:
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000808/bf142e16/attachment.bin

From phma at oltronics.net Wed Aug 9 01:12:10 2000
From: phma at oltronics.net (Pierre Abbat)
Date: Tue, 8 Aug 2000 11:12:10 -0400
Subject: Can't get in without a password
Message-ID: <0008081121470L.14466@neofelis>

I have access to three machines:
A: Mandrake 7.0, OpenSSH 2.1.1.
B: Mandrake 5.3, SSH 1.2.27.
C: Mandrake 6.1, OpenSSH 2.1.1.

I can get from A to B, or B to A, without a password, but I cannot get
from A or B to C without a password. sshd_config is identical on A and
C. My public key is in authorized_keys on C, and all files in .ssh and
.ssh itself have mode 600 and 700 respectively.

C is behind a port-forwarding firewall. Would that make any difference?

phma

From bds at jhb.ucs.co.za Wed Aug 9 01:36:48 2000
From: bds at jhb.ucs.co.za (Berend De Schouwer)
Date: Tue, 8 Aug 2000 17:36:48 +0200
Subject: Can't get in without a password
In-Reply-To: <0008081121470L.14466@neofelis>; from phma@oltronics.net on Tue, Aug 08, 2000 at 17:12:10 +0200
References: <0008081121470L.14466@neofelis>
Message-ID: <20000808173648.P29059@bds.ucs.co.za>

On Tue, 08 Aug 2000 17:12:10 Pierre Abbat wrote:
> I have access to three machines:
> A: Mandrake 7.0, OpenSSH 2.1.1.
> B: Mandrake 5.3, SSH 1.2.27.
> C: Mandrake 6.1, OpenSSH 2.1.1.
>
> I can get from A to B, or B to A, without a password, but I cannot get from A
> or B to C without a password. sshd_config is identical on A and C. My public
> key is in authorized_keys on C, and all files in .ssh and .ssh itself have mode
> 600 and 700 respectively.
>
> C is behind a port-forwarding firewall. Would that make any difference?

Potentially. What does /var/log/messages and /var/log/secure say?
It could match the wrong IP when looking through /etc/hosts.[allow|deny]
or when trying to verify your public key.

I've gotten OpenSSH to work with socks, using RSA authentication, so
that is possible.

> phma

--
Kind regards,
Berend

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Berend De Schouwer, +27-11-712-1435, UCS

From phma at oltronics.net Wed Aug 9 02:20:41 2000
From: phma at oltronics.net (Pierre Abbat)
Date: Tue, 8 Aug 2000 12:20:41 -0400
Subject: Can't get in without a password
In-Reply-To: <20000808173648.P29059@bds.ucs.co.za>
References: <0008081121470L.14466@neofelis> <20000808173648.P29059@bds.ucs.co.za>
Message-ID: <0008081222240Q.14466@neofelis>

>Potentially. What does /var/log/messages and /var/log/secure say?
>It could match the wrong IP when looking through /etc/hosts.[allow|deny]
>or when trying to verify your public key.

I just get "Accepted password" in messages and nothing in secure.

phma

From vinschen at cygnus.com Wed Aug 9 03:32:05 2000
From: vinschen at cygnus.com (Corinna Vinschen)
Date: Tue, 08 Aug 2000 19:32:05 +0200
Subject: [PATCH] Updated patch to Cygwin port of 2.1.1p4
References: <398FEC3A.CAFF1E83@cygnus.com>
Message-ID: <39904415.4A4D2834@cygnus.com>

Corinna Vinschen wrote:
>
> I had to update the Cygwin port for two reasons:
> - scp could fail because of another textmode/binmode problem.
> - Privileged ports are not privileged on Windows and there's
>   no coherence between privileged user and uid 0.
>
> So I send the complete patch again with the above changes.

Sorry folks, I forgot to mention where the binaries and patched
sources are accessible via ftp:

OpenSSH-2.1.1p4:
ftp://ftp.franken.de/pub/win32/develop/gnuwin32/cygwin/porters/Vinschen_Corinna/V1.1.3

files:
openssh-2.1.1p4-2.README        README
openssh-2.1.1p4-2.tar.gz        binary
openssh-2.1.1p4-2-src.tar.gz    patched sources

OpenSSL-0.9.5 (sorry, no `a' version yet):
ftp://ftp.franken.de/pub/win32/develop/gnuwin32/cygwin/porters/Vinschen_Corinna/V1.1.1

files:
openssl-0.9.5.README            README
openssl-0.9.5.tar.gz            binary
openssl-0.9.5-src.tar.gz        original sources
openssl-0.9.5.diff              diffs

Hope that helps,
Corinna

--
Corinna Vinschen          Please, send mails regarding Cygwin to
Cygwin Developer          mailto:cygwin at sources.redhat.com
Red Hat, Inc.             mailto:vinschen at cygnus.com

From pekkas at netcore.fi Wed Aug 9 04:10:52 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Tue, 8 Aug 2000 21:10:52 +0300 (EEST)
Subject: UseLogin yes and 'w': IP address used
In-Reply-To:
Message-ID:

On Mon, 7 Aug 2000, Damien Miller wrote:
> On Wed, 19 Jul 2000, Pekka Savola wrote:
>
> > Hello all,
> >
> > I just noticed that if I enable UseLogin, IP address will be shown in 'w'
> > when logging on. If UseLogin is disabled, the hostname will be used.
> >
> > I tested this on 2.1.1p2 and p4, on home-grown Redhat Linux 6.2.
> >
> > Anyone else notice this? Is this an issue with OpenSSH or login?
>
> The problem is most likely with login. OpenSSH tries to fill out
> all fields in utmp, and will store both remote hostname and IP address
> if your struct utmp supports them (RH does).

The same thing happens with login in FreeBSD-4.1 -STABLE. I doubt it's
login (at least mostly).

There are actually two problems here, I think. 'w' showing the IP
address and logins getting double recorded.

In RHL 6.2 you get:
---
esa      pts/1    x.y.z.159        Thu Jul 20 07:56   still logged in
esa      pts/1    host.domain      Thu Jul 20 07:56 - 07:56  (00:00)
---
(this dummy session doesn't look good in your lastlog :)

In FreeBSD-4.1-STABLE you get:
---
ow       ttypb    x.y.z.1          Tue Aug  8 21:00   still logged in
ow       ttypb    host.domain      Tue Aug  8 21:00   still logged in
---

Also, if you use 'UseLogin yes', lastlog will not be cleaned when you
log out (I was on for 1 minute):
---
ow       ttypb    193.94.160.1     Tue Aug  8 21:00 - 21:01  (00:00)
ow       ttypb    host.domain      Tue Aug  8 21:00   still logged in
---
(but this, lingering session looks even worse)

HTH.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi   not those you stumble over and fall"

From rachit at ensim.com Wed Aug 9 07:21:10 2000
From: rachit at ensim.com (Rachit Siamwalla)
Date: Tue, 08 Aug 2000 14:21:10 -0700
Subject: Can't get in without a password
References: <0008081121470L.14466@neofelis>
Message-ID: <399079C6.88316B62@ensim.com>

I have wrestled with similar problems, and the easiest way to figure it
out is to run the sshd server in debug mode (-d i think) and try it out.

-rchit

Pierre Abbat wrote:
>
> I have access to three machines:
> A: Mandrake 7.0, OpenSSH 2.1.1.
> B: Mandrake 5.3, SSH 1.2.27.
> C: Mandrake 6.1, OpenSSH 2.1.1.
>
> I can get from A to B, or B to A, without a password, but I cannot get from A
> or B to C without a password. sshd_config is identical on A and C. My public
> key is in authorized_keys on C, and all files in .ssh and .ssh itself have mode
> 600 and 700 respectively.
>
> C is behind a port-forwarding firewall. Would that make any difference?
>
> phma

From phma at oltronics.net Wed Aug 9 07:39:21 2000
From: phma at oltronics.net (Pierre Abbat)
Date: Tue, 8 Aug 2000 17:39:21 -0400
Subject: Can't get in without a password
In-Reply-To: <399079C6.88316B62@ensim.com>
References: <0008081121470L.14466@neofelis> <399079C6.88316B62@ensim.com>
Message-ID: <0008081752000U.14466@neofelis>

On Tue, 08 Aug 2000, Rachit Siamwalla wrote:
>I have wrestled with similar problems, and the easiest way to figure it
>out is to run the sshd server in debug mode (-d i think) and try it out.

I get this:

debug: sshd version OpenSSH_2.1.1
debug: Seeding random number generator
debug: read DSA private key done
debug: Seeding random number generator
debug: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
Generating 768 bit RSA key.
debug: Seeding random number generator
debug: Seeding random number generator
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 207.15.133.8 port 61028
debug: Client protocol version 1.5; client software version OpenSSH_2.1.1
debug: Local version string SSH-1.99-OpenSSH_2.1.1
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Starting up PAM with username "phma"
debug: Attempting authentication for phma.
Failed rsa for phma from 207.15.133.8 port 61028
debug: PAM Password authentication accepted for user "phma"
Accepted password for phma from 207.15.133.8 port 61028
debug: PAM setting rhost to "i008-1.clt-nc.oltronics.net"
debug: session_new: init
debug: session_new: session 0
debug: Allocating pty.
debug: Received request for X11 forwarding with auth spoofing.
debug: Socket family 10 not supported [X11 disp create]
debug: fd 8 setting O_NONBLOCK
debug: channel 0: new [X11 inet listener]
debug: PAM setting tty to "/dev/pts/0"
debug: PAM establishing creds
debug: Entering interactive session.
debug: Setting controlling tty using TIOCSCTTY.
debug: no set_nonblock for tty fd 3
debug: no set_nonblock for tty fd 7
debug: server_init_dispatch_13
debug: server_init_dispatch_15
debug: tvp!=NULL kid 0 mili 10

I also tried with the -2 flag and got this, with the rest being the same:

debug: Client protocol version 2.0; client software version OpenSSH_2.1.1
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-1.99-OpenSSH_2.1.1
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit: diffie-hellman-group1-sha1
debug: got kexinit: ssh-dss
debug: got kexinit: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
debug: got kexinit: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit: none
debug: got kexinit: none
debug: got kexinit:
debug: got kexinit:
debug: first kex follow: 0
debug: reserved: 0
debug: done
debug: kex: client->server 3des-cbc hmac-sha1 none
debug: kex: server->client 3des-cbc hmac-sha1 none
debug: Wait SSH2_MSG_KEXDH_INIT.
debug: bits set: 531/1024
debug: bits set: 502/1024
debug: sig size 20 20
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: userauth-request for user phma service ssh-connection method none
debug: Starting up PAM with username "phma"
Failed none for phma from 207.15.133.8 port 61030 ssh2
debug: userauth-request for user phma service ssh-connection method publickey
debug: keytype ssh-dss
Failed publickey for phma from 207.15.133.8 port 61030 ssh2
debug: userauth-request for user phma service ssh-connection method password
debug: PAM Password authentication accepted for user "phma"

I have checked that both keys on the remote host match the ones in my
identity.pub and id_dsa.pub. I also notice that every time I try to ssh in,
a line appears in /var/log/messages: "can't locate module net-pf-10".
I have no idea what a kernel module could have to do with public key ssh
authentication.

phma

From willday at rom.oit.gatech.edu Wed Aug 9 09:00:32 2000
From: willday at rom.oit.gatech.edu (Will Day)
Date: Tue, 8 Aug 2000 19:00:32 -0400
Subject: v2 connection logging vs v1
Message-ID: <20000808190032.A21578@rom.oit.gatech.edu>

When connecting with v1, the server logs a message when I exit my login
shell:

   Closing connection to 130.207.167.32

However, when connecting with v2, it only ever logs:

   Connection closed by remote host.

Tracing through the code, it appears that instead of breaking in
serverloop.c:server_loop2() at:

	if (had_channel && !channel_still_open()) {
		debug("!channel_still_open.");
		break;
	}

and returning to sshd.c:main() and logging the nice message, it continues
to process_input(), gets a len==0 from the read(), and does:

	verbose("Connection closed by remote host.");
	fatal_cleanup();

Comparing the v1 server_loop and the v2 server_loop2, the v1 loop appears
to have significantly more checks for breaking the loop:

	if (((fdout_eof && fderr_eof) ||
	    (child_terminated && child_has_selected)) &&
	    !packet_have_data_to_write() &&
	    (buffer_len(&stdout_buffer) == 0) &&
	    (buffer_len(&stderr_buffer) == 0)) {
		if (!channel_still_open())
			break;

as well as other useful logging information, like:

	debug("End of interactive session; stdin %ld, stdout (read %ld, sent %ld), stderr %ld bytes.",
	    stdin_bytes, fdout_bytes, stdout_bytes, stderr_bytes);

which aren't in the v2 server_loop2.

I'd suggest a patch here, but I don't know enough about the code nor
protocols to know how much these v1 conventions can be applied to v2. It
sure would be nice to have a v2 connection log the same information a v1
connection does, though.

--
Will Day
OIT / O&E / Technical Support
willday at rom.oit.gatech.edu
Georgia Tech, Atlanta 30332-0715
-> Opinions expressed are mine alone and do not reflect OIT policy <-
  Those who would give up essential Liberty, to purchase a little
  temporary Safety, deserve neither Liberty nor Safety.
        Benjamin Franklin, Pennsylvania Assembly, Nov. 11, 1755

From djm at mindrot.org Wed Aug 9 10:12:13 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 9 Aug 2000 10:12:13 +1000 (EST)
Subject: UseLogin yes and 'w': IP address used
In-Reply-To:
Message-ID:

On Tue, 8 Aug 2000, Pekka Savola wrote:

> > The problem is most likely with login. OpenSSH tries to fill out
> > all fields in utmp, and will store both remote hostname and IP address
> > if your struct utmp supports them (RH does).
>
> The same thing happens with login in FreeBSD-4.1-STABLE. I doubt it's
> login (at least mostly).
>
> There are actually two problems here, I think. 'w' showing the IP address
> and logins getting double recorded.

The 'w' issue looks deliberate - OpenSSH passes the IP address to login(1)
presumably because hostnames are less trustworthy than addresses.

The double recording issue is a bug in OpenSSH. Does the below fix help?

Index: session.c
===================================================================
RCS file: /var/cvs/openssh/session.c,v
retrieving revision 1.28
diff -u -r1.28 session.c
--- session.c	2000/07/11 23:45:27	1.28
+++ session.c	2000/08/08 23:25:03
@@ -591,8 +591,9 @@
 		}
 	}
 	/* Record that there was a login on that terminal. */
-	record_login(pid, s->tty, pw->pw_name, pw->pw_uid, hostname,
-	    (struct sockaddr *)&from);
+	if (!options.use_login || command != NULL)
+		record_login(pid, s->tty, pw->pw_name, pw->pw_uid,
+		    hostname, (struct sockaddr *)&from);
 
 	/* Check if .hushlogin exists. */
 	snprintf(line, sizeof line, "%.200s/.hushlogin", pw->pw_dir);

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Wed Aug 9 14:52:13 2000
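Review bot: the new condition `if (!options.use_login || command != NULL)` around record_login() needs a mirror on the logout side; if sshd still records the logout unconditionally for a session whose login entry was written by login(1), the two records will not pair up, and Pekka's report above of a "still logged in" entry lingering with UseLogin yes is worth checking against whichever side is expected to clear it. A one-line comment above the `if`, stating that login(1) writes its own utmp/wtmp entry when it is used, would also make the intent clear to the next reader.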
From: djm at mindrot.org (Damien Miller)
Date: Wed, 9 Aug 2000 14:52:13 +1000 (EST)
Subject: IDEA support
In-Reply-To:
Message-ID:

On Thu, 3 Aug 2000, Marko Asplund wrote:

> hi
>
> first of all i'd like to thank you for your efforts in developing OpenSSH.

Thanks!

> one thing i'd like to see in OpenSSH is (optional) IDEA algorithm support.
> this would be useful especially in an environment which has a mix of old
> ssh v1.2.x and OpenSSH installations. according to Ascom the non
> commercial use of IDEA is free (http://www.ascom.com/infosec/idea.html).
> also, there are countries (e.g. Finland) where IDEA is not patented.
> here's a patch suggestion for IDEA support (autoheader and autoconf have
> to be run after patching the source).

We won't integrate IDEA for a couple of reasons:

1) It is patented in some countries and will be for the foreseeable
future. We want OpenSSH to be free everywhere. (we tolerate the RSA code
because the patent will expire in 42 days)

2) It doesn't need to be there - it is not required to communicate with
commercial SSH servers. Old keys ciphered with IDEA can be migrated as per
the FAQ.

3) It offers no advantages as a cipher - blowfish is fast & free, 3DES is
secure & free. IDEA is vulnerable to the insertion attack and (IIRC) has a
few potential attacks published.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Wed Aug 9 16:37:57 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 9 Aug 2000 16:37:57 +1000 (EST)
Subject: [2.1.1p4] utmp related patches plus unresolved bugs description
In-Reply-To: <200007261945.PAA26373@faucon.comm.polymtl.ca>
Message-ID:

On Wed, 26 Jul 2000, Charles Levert wrote:

> Fixed:
>
> -- On systems such as SunOS4 where the system include files
> are no help in locating the utmp file (et al.), configure
> can define their location in CONF_*, but defines.h never used
> these.
>
> -- Might as well put in the usual location for SunOS4.
>
> -- In loginrec.c (utmp_write_direct), writing to the utmp file
> was not done correctly.

Applied - thanks.

Regards,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Wed Aug 9 16:43:13 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 9 Aug 2000 16:43:13 +1000 (EST)
Subject: bug in lastlog logging?
In-Reply-To: <20000727150802.A31546@lynxhub.att.com>
Message-ID:

On Thu, 27 Jul 2000, Henry E. Thorpe wrote:

> Folks;
>
> I couldn't find anything on my archive of the mailing list on this,
> and it may just be my mis-understanding, but:
>
> When I "ssh machine1 -l user1" as user2 on machine2, if user2 has the
> same uid on machine1, then user2's name ends up in lastlog, instead of
> user1's.

I can't replicate this between RH6.2 & RH6.2, RH6.2 & OpenBSD 2.7 or RH6.2
and Solaris 7.

Can anyone else replicate this?

Regards,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From pekkas at netcore.fi Wed Aug 9 18:30:20 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 9 Aug 2000 11:30:20 +0300 (EEST)
Subject: UseLogin yes and 'w': IP address used
In-Reply-To:
Message-ID:

On Wed, 9 Aug 2000, Damien Miller wrote:
> The 'w' issue looks deliberate - OpenSSH passes the IP address to login(1)
> presumably because hostnames are less trustworthy than addresses.

Hmm.. Perhaps login(1) should do some resolving of its own then in order
to be consistent.

> The double recording issue is a bug in OpenSSH. Does the below fix help?

[fix snipped]

Yes. It'd seem to work just fine with RHL 6.2 and FreeBSD-4.1 with that.

Thanks.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi   not those you stumble over and fall"

From pekkas at netcore.fi Wed Aug 9 20:30:03 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 9 Aug 2000 13:30:03 +0300 (EEST)
Subject: UseLogin yes and 'w': IP address used
In-Reply-To:
Message-ID:

> > There are actually two problems here, I think. 'w' showing the IP address
> > and logins getting double recorded.
>
> The 'w' issue looks deliberate - OpenSSH passes the IP address to login(1)
> presumably because hostnames are less trustworthy than addresses.

The more I think about this, the more I feel this should be configurable.
I'm not sure if it's login(1)'s job to do DNS lookups. Perhaps there should
be a compile-time option to toggle this behaviour on/off, or something in
sshd_config?

It's not as if login(1) does that much using hostname or IP address. Just
log it in [uw]tmp, etc. AFAIK. All the checks have already been done in
OpenSSH.

Almost all systems I have seen print hostnames with w(1). Should OpenSSH
change this behaviour if UseLogin is enabled? This is one of these
usability vs little more security issues I guess.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi   not those you stumble over and fall"

From Rune.Mossige at waii.com Wed Aug 9 23:20:05 2000
From: Rune.Mossige at waii.com (Rune Mossige)
Date: Wed, 9 Aug 2000 15:20:05 +0200
Subject: Problems compiling openssh-2.1.1p2 on FreeBSD 4.0-RELEASE
Message-ID: <200008091320.PAA55548@svnfs01.norway.waii.com>

Hello,
I have just installed a fresh copy of FreeBSD 4.0-RELEASE on a P75, and
want to compile openssh-2.1.1p2, but the compile fails with:

gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c loginrec.c
loginrec.c: In function `construct_utmp':
loginrec.c:619: structure has no member named `ut_user'
loginrec.c:619: structure has no member named `ut_user'
loginrec.c:619: structure has no member named `ut_user'
loginrec.c: In function `syslogin_perform_login':
loginrec.c:1256: warning: implicit declaration of function `login'
loginrec.c: In function `syslogin_perform_logout':
loginrec.c:1269: warning: implicit declaration of function `logout'
loginrec.c:1273: warning: implicit declaration of function `logwtmp'
*** Error code 1

Stop in /usr/local/src/openssh-2.1.1p2.

Is there something I have forgotten to install, or configure? I just ran
the 'configure' script with all details. The FreeBSD box is a fresh
vanilla installation.

From ust at cert.siemens.de Thu Aug 10 00:25:24 2000
From: ust at cert.siemens.de (Udo Schweigert)
Date: Wed, 9 Aug 2000 16:25:24 +0200
Subject: Problems compiling openssh-2.1.1p2 on FreeBSD 4.0-RELEASE
In-Reply-To: <200008091320.PAA55548@svnfs01.norway.waii.com>; from Rune.Mossige@waii.com on Wed, Aug 09, 2000 at 03:20:05PM +0200
References: <200008091320.PAA55548@svnfs01.norway.waii.com>
Message-ID: <20000809162524.A92647@alaska.cert.siemens.de>

On Wed, Aug 09, 2000 at 15:20:05 +0200, Rune Mossige wrote:
> Hello,
> I have just installed a fresh copy of FreeBSD 4.0-RELEASE on a P75,

It is best to install OpenSSH from the FreeBSD ports collection:

% cd /usr/ports/security/openssh
% make install

Regards.
--
Udo Schweigert, Siemens AG   | Voice : +49 89 636 42170
ZT IK 3, Siemens CERT        | Fax   : +49 89 636 41166
D-81730 Muenchen / Germany   | email : ust at cert.siemens.de
PGP-2/5 fingerprint          | D8 A5 DF 34 EC 87 E8 C6 E2 26 C4 D0 EE 80 36 B2

From djm at mindrot.org Thu Aug 10 14:00:03 2000
From: djm at mindrot.org (Damien Miller)
Date: Thu, 10 Aug 2000 14:00:03 +1000 (EST)
Subject: Control-c not work under openssh?
In-Reply-To: <20000718153729.A4089@uscybernetics.com>
Message-ID:

On Tue, 18 Jul 2000, Irving Popovetsky wrote:

> A note on this:
> Is UseLogin safe to use yet? If I set "UseLogin yes" in my
> sshd_config, the Solaris control-c problem goes away.

Yes - this has been fixed for a while now.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From Rune.Mossige at waii.com Thu Aug 10 16:25:15 2000
From: Rune.Mossige at waii.com (Rune Mossige)
Date: Thu, 10 Aug 2000 08:25:15 +0200 (CEST)
Subject: Problems compiling openssh-2.1.1p2 on FreeBSD 4.0-RELEASE
In-Reply-To: <20000809162524.A92647@alaska.cert.siemens.de>
Message-ID:

On Wed, 9 Aug 2000, Udo Schweigert wrote:

> On Wed, Aug 09, 2000 at 15:20:05 +0200, Rune Mossige wrote:
> > Hello,
> > I have just installed a fresh copy of FreeBSD 4.0-RELEASE on a P75,
>
> It is best to install OpenSSH from the FreeBSD ports collection:
>
> % cd /usr/ports/security/openssh
> % make install

I can't do this, as the box does not have the ports installed, and does
not have access to the Internet.

> Regards.

-------------------------------------------------------------------
        (-: Hiroshima 45, Chernobyl 86, Windows 95 :-)
Our ultimate goal is to make overloaded machines appear to be idle.
High performance, High reliability, Low cost -------- Pick any two.
-------------------------------------------------------------------
Rune Mossige, Systems Support, Western Geophysical, Stavanger, Norway
Tel: (+47)51598922   Fax:(+47)51598999   Mobile:(+47)90871024

From darren at horseplay.demon.co.uk Thu Aug 10 22:16:51 2000
From: darren at horseplay.demon.co.uk (Darren Evans)
Date: Thu, 10 Aug 2000 13:16:51 +0100
Subject: Problems compiling openssh-2.1.1p2 on FreeBSD 4.0-RELEASE
In-Reply-To:
References: <20000809162524.A92647@alaska.cert.siemens.de>
Message-ID: <4.3.2.7.0.20000810131602.03334910@pop3.demon.co.uk>

At 08:25 10/08/00 +0200, Rune Mossige wrote:
>On Wed, 9 Aug 2000, Udo Schweigert wrote:
>
>> On Wed, Aug 09, 2000 at 15:20:05 +0200, Rune Mossige wrote:
>> > Hello,
>> > I have just installed a fresh copy of FreeBSD 4.0-RELEASE on a P75,
>>
>> It is best to install OpenSSH from the FreeBSD ports collection:
>>
>> % cd /usr/ports/security/openssh
>> % make install
>
>I can't do this, as the box does not have the ports installed, and does
>not have access to the Internet.

Download 2.1.1p4 onto a floppy and then mount it and copy it off. Split
the file into chunks if necessary.

Darren
---

From irving at uscybernetics.com Fri Aug 11 02:17:23 2000
From: irving at uscybernetics.com (Irving Popovetsky)
Date: Thu, 10 Aug 2000 12:17:23 -0400
Subject: Control-c not work under openssh?
In-Reply-To: ; from djm@mindrot.org on Thu, Aug 10, 2000 at 02:00:03PM +1000
References: <20000718153729.A4089@uscybernetics.com>
Message-ID: <20000810121722.A61885@uscybernetics.com>

This issue has actually cropped up again recently in my testing. When I
do use Solaris login (UseLogin yes), a ton of the important environment
variables (like TERM, etc) don't get passed. Is that normal behavior?

If so, then it's back to not using login, and battling with the issue of
OpenSSH not properly catching SIGINT. (or has this been fixed somewhere in
CVS and I just haven't seen it yet?)

-Irving

On Thu, Aug 10, 2000 at 02:00:03PM +1000, Damien Miller wrote:
> On Tue, 18 Jul 2000, Irving Popovetsky wrote:
>
> > A note on this:
> > Is UseLogin safe to use yet? If I set "UseLogin yes" in my
> > sshd_config, the Solaris control-c problem goes away.
>
> Yes - this has been fixed for a while now.
>
> -d
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
>

From douglas.manton at uk.ibm.com Fri Aug 11 02:32:54 2000
From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com)
Date: Thu, 10 Aug 2000 17:32:54 +0100
Subject: Control-c not work under openssh?
Message-ID: <80256937.005AEBF1.00@d06mta05.portsmouth.uk.ibm.com>

>This issue has actually cropped up again recently in my testing. When I
>do use Solaris login (UseLogin yes), a ton of the important environment
>variables (like TERM, etc) don't get passed. Is that normal behavior?

Looking at the source of session.c it is obvious that when you use login
the environment is not passed:

	execl(LOGIN_PROGRAM, "login", "-h", get_remote_ipaddr(),
	    "-p", "-f", "--", pw->pw_name, NULL);

But when the shell is exec'd directly it is:

	execve(shell, argv, env);

Login can accept a list of environment variables in the format
VARIABLE=VALUE, but it refuses to accept PATH being passed (a good thing)
although this just gives a warning and the logon continues. I did kludge
an earlier version to pass the env list in place of the NULL when using
login but lost it during a disk cleanup :-( . BTW login ignores any env
passed by calling it with an execle.

--------------------------------------------------------
Doug Manton, AT&T EMEA Firewall and Security Solutions
demanton at att.com
--------------------------------------------------------
"If privacy is outlawed, only outlaws will have privacy"

From irving at uscybernetics.com Fri Aug 11 02:46:48 2000
From: irving at uscybernetics.com (Irving Popovetsky)
Date: Thu, 10 Aug 2000 12:46:48 -0400
Subject: Control-c not work under openssh?
In-Reply-To: <80256937.005AEBF1.00@d06mta05.portsmouth.uk.ibm.com>; from douglas.manton@uk.ibm.com on Thu, Aug 10, 2000 at 05:32:54PM +0100
References: <80256937.005AEBF1.00@d06mta05.portsmouth.uk.ibm.com>
Message-ID: <20000810124648.B61885@uscybernetics.com>

On Thu, Aug 10, 2000 at 05:32:54PM +0100, douglas.manton at uk.ibm.com wrote:
> Login can accept a list of environment variables in the format
> VARIABLE=VALUE, but it refuses to accept PATH being passed (a good thing)
> although this just gives a warning and the logon continues. I did kludge
> an earlier version to pass the env list in place of the NULL when using
> login but lost it during a disk cleanup :-( . BTW login ignores any env
> passed by calling it with an execle.

Yes, I started doing this myself also when I got sidetracked. Looking at
Tatu Ylonen's ssh, it does the exact same thing (just a NULL), so I'm
assuming that this is the correct behavior? So I figured (at least for my
environment) it would be better to turn efforts to fixing the control-C
issue instead of kludging something else. But I may be mistaken.

-Irving

From willday at rom.oit.gatech.edu Fri Aug 11 06:56:14 2000
From: willday at rom.oit.gatech.edu (Will Day)
Date: Thu, 10 Aug 2000 16:56:14 -0400
Subject: Solaris and a minor PAM *problem*
In-Reply-To: <3985E31B.72FE9505@transmeta.com>; from morgan@transmeta.com on Mon, Jul 31, 2000 at 01:35:39PM -0700
References: <20000720205304.5560DB47B@fleck.princetonecom.com> <7B73D5F649D0D311B1E30008C7A4D92A020D8E39@cnfqs029.cnf.com> <20000728191350.A1813@rom.oit.gatech.edu> <3985BD55.664AB089@uab.ericsson.se> <3985E31B.72FE9505@transmeta.com>
Message-ID: <20000810165614.A12933@rom.oit.gatech.edu>

A short time ago, at a computer terminal far, far away, Andrew Morgan wrote:
>> Closing connection to n.n.n.n
>> Cannot delete credentials: Permission denied
>>                            ^^^^^^^^^^^^^^^^^
>> Why do I get this *Permission denied* ???
>>
>> The error is generated in auth-pam.c:
>>   pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED);
>>   if (pam_retval != PAM_SUCCESS) {
>>       log("Cannot delete credentials: %.200s",
>>           PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
>>   }
>> i.e. the return value from pam_setcred isn't PAM_SUCCESS.
>
>This is likely to be a misfeature of the Solaris implementation of the
>pam_unix.so module. I don't believe it is indicative of anything other
>than the fact that pam_unix.so does not implement credential deletion.
>(In other words, if you don't hear differently from someone at Sun - who
>knows for definite what their pam_unix does? - I don't believe you need
>to worry about this error.)

I've just been looking through the sourcecode, and it seems the error is
generated by Sun's pam_unix because geteuid()==0, with sshd running as
root. It also hands a three-part error message to the conversation
function:

   removing root credentials would break the rpc services that
   use secure rpc on this host!
   root may use keylogout -f to do this (at your own risk)!

Openssh doesn't ever print this, though, as its conv function handles only
PAM_PROMPT_ECHO_OFF and PAM_TEXT_INFO, and this is PAM_ERROR_MSG.

A few thoughts that come to mind:

- ifdef the PAM_DELETE_CRED out for Solaris? For default sites, this would
  be fine, and would remove the superfluous error messages. For sites
  actually using secureRPC/keylogin, or for sites using pam modules other
  than pam_unix which might need to delete their creds, it could cause
  problems. Personally, I wonder why pam_unix is looking at geteuid rather
  than the actual username/uid for the pam session, but I don't understand
  enough about secure RPC to guess why this might be an issue.

- handle PAM_ERROR_MSG in pamconv()

- output any remaining pam_msg before ending a session (to the user? to
  the syslog?); right now, pam_msg is only ever output at login.

--
Will Day
OIT / O&E / Technical Support
willday at rom.oit.gatech.edu
Georgia Tech, Atlanta 30332-0715
-> Opinions expressed are mine alone and do not reflect OIT policy <-
  Those who would give up essential Liberty, to purchase a little
  temporary Safety, deserve neither Liberty nor Safety.
        Benjamin Franklin, Pennsylvania Assembly, Nov. 11, 1755

From ddulek at fastenal.com Fri Aug 11 08:13:28 2000
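Will Day's second suggestion, handling PAM_ERROR_MSG in the conversation function, as an added example that is neither OpenSSH's code nor Will Day's: a conv callback that keeps PAM_TEXT_INFO and PAM_ERROR_MSG text for the caller to log and answers echo-off prompts, replayed against the three-part message quoted above. The PAM types and constants are stand-ins carrying Linux-PAM's values so the file builds without <security/pam_appl.h>; conv_state, logging_conv and replay_sun_delete_cred are names chosen here, and the message text is reconstructed from the report rather than captured from a Solaris host.

```c
/* Added example, not OpenSSH code: a PAM conversation function that records
 * PAM_ERROR_MSG and PAM_TEXT_INFO text instead of dropping it. The PAM types
 * and constants are stand-ins with Linux-PAM's values so this compiles
 * without <security/pam_appl.h>; a real build includes that header instead. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PAM_SUCCESS          0
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_ERROR_MSG        3
#define PAM_TEXT_INFO        4
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Application state handed to PAM as appdata_ptr (assumed struct). */
struct conv_state {
	const char *password;   /* answer to echo-off prompts; may be NULL */
	char pam_msg[1024];     /* accumulated TEXT_INFO / ERROR_MSG lines */
	int errors;             /* PAM_ERROR_MSG items seen */
};

static char *dup_string(const char *s)
{
	size_t n = strlen(s) + 1;
	char *p = malloc(n);
	return p ? memcpy(p, s, n) : NULL;
}

static void append_msg(struct conv_state *st, const char *prefix, const char *text)
{
	size_t used = strlen(st->pam_msg);
	snprintf(st->pam_msg + used, sizeof(st->pam_msg) - used, "%s%s\n", prefix, text);
}

static void free_replies(struct pam_response *r, int n)
{
	while (n-- > 0)
		free(r[n].resp);
	free(r);
}

/* Conversation callback: echo-off prompts get st->password, informational and
 * error text is kept for the caller to log, any other style is refused. */
int logging_conv(int num_msg, const struct pam_message **msg,
    struct pam_response **resp, void *appdata_ptr)
{
	struct conv_state *st = appdata_ptr;
	struct pam_response *reply;
	int i;

	if (num_msg <= 0 || st == NULL)
		return PAM_CONV_ERR;
	reply = calloc((size_t)num_msg, sizeof(*reply));
	if (reply == NULL)
		return PAM_CONV_ERR;
	for (i = 0; i < num_msg; i++) {
		switch (msg[i]->msg_style) {
		case PAM_PROMPT_ECHO_OFF:
			reply[i].resp = dup_string(st->password ? st->password : "");
			break;
		case PAM_TEXT_INFO:
			append_msg(st, "", msg[i]->msg);
			break;
		case PAM_ERROR_MSG:
			st->errors++;
			append_msg(st, "PAM error: ", msg[i]->msg);
			break;
		default:
			free_replies(reply, num_msg);
			return PAM_CONV_ERR;
		}
	}
	*resp = reply;
	return PAM_SUCCESS;
}

char captured[1024];   /* text recorded by the last replay, for logging */
int captured_mentions(const char *needle) { return strstr(captured, needle) != NULL; }

/* Replays the three-part PAM_ERROR_MSG quoted above (text reconstructed from
 * the report). Returns the error lines recorded, or -1 if the exchange failed. */
int replay_sun_delete_cred(void)
{
	struct pam_message pm[3] = {
		{ PAM_ERROR_MSG, "removing root credentials would break the rpc services that" },
		{ PAM_ERROR_MSG, "use secure rpc on this host!" },
		{ PAM_ERROR_MSG, "root may use keylogout -f to do this (at your own risk)!" } };
	const struct pam_message *pmp[3] = { &pm[0], &pm[1], &pm[2] };
	struct pam_response *resp = NULL;
	struct conv_state st;

	memset(&st, 0, sizeof(st));
	if (logging_conv(3, pmp, &resp, &st) != PAM_SUCCESS)
		return -1;
	free_replies(resp, 3);
	memcpy(captured, st.pam_msg, sizeof(captured));
	return st.errors;
}
```

Returning PAM_SUCCESS for the PAM_ERROR_MSG items is what lets the module carry on; the difference from a conv function that only knows PAM_PROMPT_ECHO_OFF and PAM_TEXT_INFO is that the text now sits in pam_msg, where sshd could syslog it at session close instead of losing it.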
From: ddulek at fastenal.com (David Dulek)
Date: Thu, 10 Aug 2000 17:13:28 -0500
Subject: Testers wanted
In-Reply-To:
References:
Message-ID: <00081017141501.08222@penelope>

I can probably help out a DG/UX intel test. I would need to know what
kind of tests are required though.

On Fri, 04 Aug 2000, Damien Miller wrote:
>To ensure that future releases of portable OpenSSH are as bug-free as
>possible, we need to recruit a team of testers.
>
>Each tester would be responsible for a particular OS platform and
>would be called upon to test snapshots before they are marked as
>official releases. The release would not go out until it had been
>given the OK by testers on each supported platform.
>
>A corollary of this is that only platforms for which we have testers
>will be treated as supported.
>
>Exactly what tests should be performed is a matter for further
>discussion. They will include at least compilation and basic operation
>of each of the programs. Hopefully we can automate these tests as much
>as possible.
>
>If you are interested, please email me the details of what platform(s)
>you are able to test. Favour will be given to people who have
>contributed to OpenSSH and those with development experience.
>
>-d
>
>--
>| "Bombay is 250ms from New York in the new world order" - Alan Cox
>| Damien Miller - http://www.mindrot.org/
>| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

--
Dave Dulek
System Administration
Fastenal Company
E-mail: ddulek at fastenal.com
Phone: (507) 453-8149
Fax: (507) 453-8333

From toh at po.ntts.co.jp Fri Aug 11 10:44:56 2000
From: toh at po.ntts.co.jp (Fujio Nobori)
Date: Fri, 11 Aug 2000 09:44:56 +0900
Subject: port forwarding on Windows or WindowsCE
In-Reply-To: <20000808161106E.toh@po.ntts.co.jp>; from toh@po.ntts.co.jp on Tue, Aug 08, 2000 at 04:11:06PM +0900
References: <20000808161106E.toh@po.ntts.co.jp>
Message-ID: <20000811094456N.toh@po.ntts.co.jp>

Hi, again.

On Tue, Aug 08, 2000 at 04:11:06PM +0900, I wrote:
> I am not sure how many people here are using Windows or
> WindowsCE, but I made an application out of OpenSSH that
> enables port forwarding on Windows or WindowsCE platform.

I also put binaries on my Web page. If you have any interest, please visit:

http://host07.ntts-inl.net/~toh/PortForwarder/

Thank you very much.

-------------------------------------------------------
FUJIO NOBORI (toh at po.ntts.co.jp)          il|li
NTT SOFTWARE CO., TOKYO JAPAN              q|@.@|p
tel: +81 3 5782 7291                      m. ( o ) .m
fax: +81 3 5782 7222                      ~~~~~~~~~~~~~

From eugene at ergonsoftware.com Fri Aug 11 11:18:23 2000
From: eugene at ergonsoftware.com (Eugene Efremov)
Date: Thu, 10 Aug 2000 18:18:23 -0700
Subject: compiling openssh-2.1.1p4 on SPARC Solaris 8
Message-ID: <3a2d58a3.58a33a2d@ergonsoftware.com>

I'm trying to compile openssh-2.1.1p4 on a Sparc machine running Solaris
8. I've got all sorts of patches installed. The compiler is gcc
2.95.2. I was originally trying to get the ssh from www.ssh.com, not
the OpenSSH, to work, but that's another story in and of itself, so I'm
trying this opensource version in hopes of better success.

I'm not exactly sure what a 'cross compiler' is, as opposed to not a
cross compiler, but it seems to me that the problem has something to do
with that. Here's what happens when I run configure:

bash-2.03# configure
loading cache ./config.cache
checking for gcc... gcc
checking whether the C compiler (gcc ) works... yes
checking whether the C compiler (gcc ) is a cross-compiler... yes
checking whether we are using GNU C... yes
checking whether gcc accepts -g... yes
checking host system type... sparc-sun-solaris2.8
checking how to run the C preprocessor... gcc -E
checking for ranlib... ranlib
checking for a BSD compatible install... ./install-sh -c
checking for ar... ar
checking for perl... /bin/perl
checking for ent... no
checking for inline... inline
checking for obsolete utmp and wtmp in solaris2.x... yes
checking for deflate in -lz... yes
checking for login in -lutil... no
checking for yp_match in -lnsl... yes
checking for main in -lsocket... yes
checking for bstring.h... no
checking for endian.h... no
checking for floatingpoint.h... yes
checking for lastlog.h... yes
checking for limits.h... yes
checking for login.h... no
checking for maillock.h... yes
checking for netdb.h... yes
checking for netgroup.h... no
checking for netinet/in_systm.h... yes
checking for paths.h... no
checking for poll.h... yes
checking for pty.h... no
checking for shadow.h... yes
checking for security/pam_appl.h... yes
checking for sys/bitypes.h... no
checking for sys/bsdtty.h... no
checking for sys/cdefs.h... no
checking for sys/poll.h... yes
checking for sys/select.h... yes
checking for sys/stat.h... yes
checking for sys/stropts.h... yes
checking for sys/sysmacros.h... yes
checking for sys/time.h... yes
checking for sys/ttcompat.h... yes
checking for stddef.h... yes
checking for time.h... yes
checking for usersec.h... no
checking for util.h... no
checking for utmp.h... yes
checking for utmpx.h... yes
checking for arc4random... no
checking for atexit... yes
checking for b64_ntop... no
checking for bcopy... yes
checking for bindresvport_af... no
checking for clock... yes
checking for freeaddrinfo... yes
checking for gai_strerror... yes
checking for getaddrinfo... yes
checking for getnameinfo... yes
checking for getrusage... yes
checking for inet_aton... no
checking for innetgr... yes
checking for md5_crypt... no
checking for memmove... yes
checking for mkdtemp... no
checking for on_exit... no
checking for openpty... no
checking for rresvport_af... yes
checking for setenv... no
checking for seteuid... yes
checking for setlogin... no
checking for setproctitle... no
checking for setreuid... yes
checking for sigaction... yes
checking for sigvec... no
checking for snprintf... yes
checking for strerror... yes
checking for strlcat... yes
checking for strlcpy... yes
checking for strsep... no
checking for vsnprintf... yes
checking for vhangup... yes
checking for _getpty... no
checking for __b64_ntop... no
checking for gettimeofday... yes
checking for time... yes
checking for login... no
checking for logout... no
checking for updwtmp... yes
checking for logwtmp... no
checking for entutent... no
checking for getutent... yes
checking for getutid... yes
checking for getutline... yes
checking for pututline... yes
checking for setutent... yes
checking for utmpname... yes
checking for entutxent... no
checking for getutxent... yes
checking for getutxid... yes
checking for getutxline... yes
checking for pututxline... yes
checking for setutxent... yes
checking for utmpxname... yes
checking for getuserattr... no
checking for getuserattr in -ls... no
checking for login... (cached) no
checking for login in -lbsd... no
checking for daemon... no
checking for daemon in -lbsd... no
checking for getpagesize... yes
checking whether snprintf correctly terminates long strings... configure: error: can not run test program while cross compiling

The last bit of config.log is this:

configure:2443: checking for getpagesize
configure:2471: gcc -o conftest -g -O2 -Wall -I/usr/local/include -L/usr/local/lib -R/usr/local/lib -L/usr/ucblib -R/usr/ucblib conftest.c -lsocket -lnsl -lz 1>&5
configure:2541: checking whether snprintf correctly terminates long strings

That's where it ends.

Later.
-------------------------------------------Eugene

From djm at mindrot.org Fri Aug 11 11:37:07 2000
From: djm at mindrot.org (Damien Miller) Date: Fri, 11 Aug 2000 11:37:07 +1000 (EST) Subject: compiling openssh-2.1.1p4 on SPARC Solaris 8 In-Reply-To: <3a2d58a3.58a33a2d@ergonsoftware.com> Message-ID: On Thu, 10 Aug 2000, Eugene Efremov wrote: > I'm trying to compile openssh-2.1.1p4 on a Sparc machine running Solaris > 8. I've got all sorts of patches installed. The compiler is gcc > 2.95.2. I was originally trying to get the ssh from www.ssh.com, not > the OpenSSH, to work, but that's another story in and of itself, so I'm > trying this opensource version in hopes of better success. Are you using a gcc that you built yourself or the one from Sun Freeware? > I'm not exactly sure what a 'cross compiler' is, as opposed to not a > cross compiler, but it seems to me that the problem has something to do > with that. A cross compiler is a compiler which produces object code for a platform different to the one it runs on. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From GLeblanc at cu-portland.edu Fri Aug 11 15:50:17 2000 
From: GLeblanc at cu-portland.edu (Gregory Leblanc) Date: Thu, 10 Aug 2000 22:50:17 -0700 Subject: slow sparc questions Message-ID: <025836EFF856D411A6660090272811E61D05C2@EMAIL> I've got a couple of SPARCstation 2s (about as fast as a fast 486, for most things) that I'm going to be using for some testing. I realize that these machines are a bit slow, but when connecting via OpenSSH, it's MUCH slower than connecting to my 486-DX 50. The point where it waits is just after "debug: Sent encrypted session key.". The pause is for about 10 seconds, while when connecting to the 486 the pause is barely noticeable. All machines are using 3des as the encryption type. So, I've got a few questions. First, why is this machine SO much slower than my 486? Crappy compiler (linux is compiled using egcs 1.1.2 and the OpenSSH box is using ssl-2.6-USA, installed when I did my OpenBSD install)? Second, would I be better off using another encryption algorithm? If so, which one? These machines are just my toys, not commercial in any way. What are the pros and cons? (RTFM links appreciated) Third, what can I do to help "fix" this slowness? Later, and thanks, Greg |---------------------------------------------------| | Windows NT has detected that there were no errors | | for the past 10 minutes. The system will now try | | to restart or crash. Click the OK button to | | continue. | | < Ok > | |---------------------------------------------------| (sigline nicked from Jayan M on comp.os.linux.misc) From douglas.manton at uk.ibm.com Fri Aug 11 17:47:07 2000 
From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com) Date: Fri, 11 Aug 2000 08:47:07 +0100 Subject: Control-c not work under openssh? Message-ID: <80256938.002BD248.00@d06mta05.portsmouth.uk.ibm.com> > Yes, I started doing this myself also when I got sidetracked. > Looking at Tatu Ylonen's ssh, it does the exact same thing (just a NULL), > so I'm assuming that this is the correct behavior? So I figured (at > least for my environment) it would be better to turn efforts to fixing the > control-C issue instead of kludging something else. But I may be > mistaken. Of course the lack of environment means that the DISPLAY variable is left unset -- an annoyance when 20 lusers are trying to forward X11 back from one of our NetView servers and calling me for tech support :-( Doug. -------------------------------------------------------- Doug Manton, AT&T EMEA Firewall and Security Solutions demanton at att.com -------------------------------------------------------- "If privacy is outlawed, only outlaws will have privacy" From J.Horne at plymouth.ac.uk Fri Aug 11 19:08:40 2000 
From: J.Horne at plymouth.ac.uk (John Horne) Date: Fri, 11 Aug 2000 10:08:40 +0100 (BST) Subject: compiling openssh-2.1.1p4 on SPARC Solaris 8 In-Reply-To: Message-ID: On 11-Aug-00 at 01:37:07 Damien Miller wrote: > On Thu, 10 Aug 2000, Eugene Efremov wrote: > >> I'm trying to compile openssh-2.1.1p4 on a Sparc machine running Solaris >> 8. I've got all sorts of patches installed. The compiler is gcc >> 2.95.2. I was originally trying to get the ssh from www.ssh.com, not >> the OpenSSH, to work, but that's another story in and of itself, so I'm >> trying this opensource version in hopes of better success. > > Are you using a gcc that you built yourself or the one from Sun Freeware? > Solaris 8 comes with gcc now :-) It's on the supplementary CD (I think) along with other goodies - bzip, ghostscript, bash etc. We compiled openssh on Solaris 8 (with the Sun supplied gcc) no problem. John. -------------------------------------------------------------------------- John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914 E-mail: jhorne at plymouth.ac.uk PGP key available from public key servers From achanak at my-Deja.com Sat Aug 12 03:52:14 2000 
From: achanak at my-Deja.com (achanak ) Date: Fri, 11 Aug 2000 10:52:14 -0700 Subject: OpenSSH Questions Message-ID: Heya, I'm trying to convince my company to use OpenSSH instead of the commercial SSH version. I need a little help: 1. What features does OpenSSH offer over commercial SSH (besides being free and open source of course)? 2. Our lawyers want details on the licensing / patents stuff. I have the high level details from the OpenSSH page. I need the nitty gritty like RSA patent# and references, license statements for Diffie Hellman, DSA, openSSL, zlib, and any other components, besides the official license statement for OpenSSH. Any pointers would be appreciated. 3. The security folks want me to be able to disable tcp port forwarding and X11 forwarding in the binary. Commercial sshd has the compile time switches --disable-tcp-port-forwarding and --disable-X11-forwarding. How do I do this with openSSH?? (using the /etc/ssh_config directives is not an option - has to be a compile time switch). 4. There's also a requirement that tcp port forwarding attempts be logged to syslog whether the compile time switch has disabled port forwarding or not. Commercial sshd currently offers this as well...can openssh do this too? I know it does regular syslog logging..not sure about port forwarding entries. Thanks --== Sent via Deja.com http://www.deja.com/ ==-- Before you buy. From eugene at ergonsoftware.com Sat Aug 12 04:31:45 2000 
From: eugene at ergonsoftware.com (Eugene A. Efremov) Date: Fri, 11 Aug 2000 11:31:45 -0700 Subject: compiling openssh-2.1.1p4 on SPARC Solaris 8 References: Message-ID: <39944691.33B2B110@ergonsoftware.com> Awesome; it worked. Does anybody know why the gcc from sunfreeware.com thinks it's a cross-compiler? It seems that was the problem. John Horne wrote: > > On 11-Aug-00 at 01:37:07 Damien Miller wrote: > > On Thu, 10 Aug 2000, Eugene Efremov wrote: > > > >> I'm trying to compile openssh-2.1.1p4 on a Sparc machine running Solaris > >> 8. I've got all sorts of patches installed. The compiler is gcc > >> 2.95.2. I was originally trying to get the ssh from www.ssh.com, not > >> the OpenSSH, to work, but that's another story in and of itself, so I'm > >> trying this opensource version in hopes of better success. > > > > Are you using a gcc that you built yourself or the one from Sun Freeware? > > > Solaris 8 comes with gcc now :-) It's on the supplementary CD (I think) > along with other goodies - bzip, ghostscript, bash etc. > > We compiled openssh on Solaris 8 (with the Sun supplied gcc) no problem. > > John. > > -------------------------------------------------------------------------- > John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914 > E-mail: jhorne at plymouth.ac.uk > PGP key available from public key servers -- Later. -------------------------------Eugene From tv at debian.org Sun Aug 13 04:06:45 2000 
From: tv at debian.org (Tommi Virtanen) Date: Sat, 12 Aug 2000 21:06:45 +0300 Subject: [PATCH] scp -S support Message-ID: <20000812210645.A17147@hq.yok.utu.fi> [Please Cc: me, I'm not on the list] fsh (http://www.lysator.liu.se/fsh/) is a program that keeps an ssh tunnel open and multiplexes multiple batch sessions through that single connection, avoiding slower public key crypto for things like cvs. fsh includes a utility called fcp that can multiplex file copies through this single connection. It relies on scp for the actual file copying, and expects to be able to pass scp a -S option to make scp use fsh's own substitute for ssh. However, OpenSSH 2.x does not currently have -S. This simple patch adds it, documentation and all. diff -u openssh-1.2.3/scp.1 openssh-1.2.3.scp/scp.1 --- openssh-1.2.3/scp.1 Thu Jan 20 14:13:36 2000 +++ openssh-1.2.3.scp/scp.1 Fri May 5 09:42:21 2000 @@ -93,6 +93,11 @@ .Fl p is already reserved for preserving the times and modes of the file in .Xr rcp 1 . +.It Fl S +Name of program to use for the encrypted connection. The program must +understand +.Xr ssh 1 +options. .It Fl 4 Forces .Nm diff -u openssh-1.2.3/scp.c openssh-1.2.3.scp/scp.c --- openssh-1.2.3/scp.c Fri May 5 09:43:24 2000 +++ openssh-1.2.3.scp/scp.c Fri May 5 09:39:09 2000 @@ -103,6 +103,9 @@ /* This is the port to use in contacting the remote site (is non-NULL). */ char *port = NULL; +/* This is the program to execute for the secured connection. ("ssh" or -S) */ +char *ssh_program = SSH_PROGRAM; + /* * This function executes the given command as the specified user on the * given host. This returns < 0 if execution fails, and >= 0 otherwise. This @@ -148,7 +151,7 @@ close(pout[1]); i = 0; - args[i++] = SSH_PROGRAM; + args[i++] = ssh_program; args[i++] = "-x"; args[i++] = "-oFallBackToRsh no"; if (IPv4) 
@@ -182,8 +185,8 @@ args[i++] = cmd; args[i++] = NULL; - execvp(SSH_PROGRAM, args); - perror(SSH_PROGRAM); + execvp(ssh_program, args); + perror(ssh_program); exit(1); } /* Parent. Close the other side, and return the local side. */ @@ -247,7 +250,7 @@ extern int optind; fflag = tflag = 0; - while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46")) != EOF) + while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S:")) != EOF) switch (ch) { /* User-visible flags. */ case '4': @@ -265,6 +268,9 @@ case 'r': iamrecursive = 1; break; + case 'S': + ssh_program = optarg; + break; /* Server options. */ case 'd': targetshouldbedirectory = 1; @@ -388,7 +394,7 @@ if (*src == 0) src = "."; host = strchr(argv[i], '@'); - len = strlen(SSH_PROGRAM) + strlen(argv[i]) + + len = strlen(ssh_program) + strlen(argv[i]) + strlen(src) + (tuser ? strlen(tuser) : 0) + strlen(thost) + strlen(targ) + CMDNEEDS + 32; bp = xmalloc(len); @@ -402,7 +408,7 @@ continue; (void) sprintf(bp, "%s%s -x -o'FallBackToRsh no' -n -l %s %s %s %s '%s%s%s:%s'", - SSH_PROGRAM, verbose_mode ? " -v" : "", + ssh_program, verbose_mode ? " -v" : "", suser, host, cmd, src, tuser ? tuser : "", tuser ? "@" : "", thost, targ); @@ -410,7 +416,7 @@ host = cleanhostname(argv[i]); (void) sprintf(bp, "exec %s%s -x -o'FallBackToRsh no' -n %s %s %s '%s%s%s:%s'", - SSH_PROGRAM, verbose_mode ? " -v" : "", + ssh_program, verbose_mode ? " -v" : "", host, cmd, src, tuser ? tuser : "", tuser ? "@" : "", thost, targ); 
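Review bot: in the hunks at @@ -388, @@ -402 and @@ -410 the -S value is no longer just the program exec'd locally via execvp: it is also interpolated, unquoted, into the command string built in bp (`exec %s%s -x -o'FallBackToRsh no' ...`) for the host-to-host copy path, where the `exec` prefix shows it is run on the remote side rather than locally. That means the program named with -S must also exist under that name on the source host, and an optarg containing spaces or shell metacharacters would be split by the remote shell. Worth stating in the scp.1 text for -S (for example "for remote-to-remote copies the program is also run on the source host") or rejecting such values in the `case 'S':` branch.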
@@ -931,7 +937,7 @@ usage() { (void) fprintf(stderr, - "usage: scp [-pqrvC46] [-P port] [-c cipher] [-i identity] f1 f2; or:\n scp [options] f1 ... fn directory\n"); + "usage: scp [-pqrvC46] [-S ssh] [-P port] [-c cipher] [-i identity] f1 f2; or:\n scp [options] f1 ... fn directory\n"); exit(1); } -- tv@{{hq.yok.utu,havoc,gaeshido}.fi,{debian,wanderer}.org,stonesoft.com} unix, linux, debian, networks, security, | Rather than a beep kernel, TCP/IP, C, perl, free software, | Or a rude error message, mail, www, sw devel, unix admin, hacks. | These words: "File not found." From oliva at lsd.ic.unicamp.br Sun Aug 13 08:44:21 2000 From: oliva at lsd.ic.unicamp.br (Alexandre Oliva) Date: 12 Aug 2000 19:44:21 -0300 Subject: OpenSSH 2.1.1p4 won't build on AIX 4.1 (patch) Message-ID: A non-text attachment was scrubbed... Name: openssh-2.1.1p4.patch Type: text/x-patch Size: 1069 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000812/9a7edc96/attachment.bin From chenda at cs.unc.edu Sun Aug 13 09:49:16 2000 
From: chenda at cs.unc.edu (Daniel T. Chen) Date: Sat, 12 Aug 2000 19:49:16 -0400 (EDT) Subject: OpenSSH-2.1.1p4 and SuSE 6.4 Message-ID: Hi folks, I meant to send this in to the devel list a while ago (1 Jul, actually) but school has until recently had a stranglehold on me. The issue is this: the sshd.pam.generic in the openssh-2.1.1p4/contrib directory can be modified to suit standard SuSE 6.4 configurations thus: {crimsun@[dhcp1520]:~} diff -c /etc/pam.d/sshd openssh-2.1.1p4/contrib/sshd.pam.generic *** /etc/pam.d/sshd Sat Jul 1 19:52:23 2000 --- openssh-2.1.1p4/contrib/sshd.pam.generic Tue Mar 14 20:25:06 2000 *************** *** 1,8 **** #%PAM-1.0 ! auth required /lib/security/pam_unix_auth.so shadow nodelay auth required /lib/security/pam_nologin.so ! account required /lib/security/pam_unix_acct.so password required /lib/security/pam_cracklib.so ! password required /lib/security/pam_unix_passwd.so shadow use_authtok ! session required /lib/security/pam_unix_session.so session required /lib/security/pam_limits.so --- 1,8 ---- #%PAM-1.0 ! auth required /lib/security/pam_unix.so shadow nodelay auth required /lib/security/pam_nologin.so ! account required /lib/security/pam_unix.so password required /lib/security/pam_cracklib.so ! password required /lib/security/pam_unix.so shadow nullok use_authtok ! session required /lib/security/pam_unix.so session required /lib/security/pam_limits.so Sorry if the formatting makes things unclear. The sshd.pam.generic included in the 2.1.1p4 tarball is adequately functional on stock SuSE 6.4 systems but does not log to syslog via PRIORITY when an sshd session has been closed. The changes above rectify that. (Note: I've taken the liberty of disallowing null passwords for my machine.) This is a SuSE Linux-specific diff, but I thought I'd let everyone know just in case someone had run across it and was scratching his/her head. :) dtc --- Daniel T. 
Chen crimsun at adirondack.masticators.org From jhuuskon at messi.uku.fi Sun Aug 13 21:31:48 2000 From: jhuuskon at messi.uku.fi (Jarno Huuskonen) Date: Sun, 13 Aug 2000 14:31:48 +0300 Subject: Patches for openssh port forwarding Message-ID: <20000813143148.A21334@laivuri63.uku.fi> Hi ! I hacked together a couple of patches for Openssh 2.1.1p4 port forwarding. It is one patch file that does the following two things: First: If the server is configured not to allow port forwardings it sends SSH_SMSG_FAILURE (protocol 1) while openssh client expects SSH_SMSG_SUCCESS. When the client gets the failure it exits with a protocol error message. This patch will accept both failure and success messages. Second: I added a new configuration option to sshd_config: PortForwarding that can be used to disable port forwarding on the server (It does nothing to the client). This option can be used to mimic the commercial ssh compile time option --disable-server-port-forwarding (or something like that). I think a better solution would be to have tcp_wrappers like access control to port forwarding (like the commercial ssh2) and/or something like allow/deny port forwarding users ? What do you think ... TEST the patch BEFORE using it in production ! -Jarno -- Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi University of Kuopio - Computer Center | Work: +358 17 162822 PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169 -------------- next part -------------- diff -u -r openssh-2.1.1p4/channels.c openssh-2.1.1p4-jhchanges/channels.c --- openssh-2.1.1p4/channels.c Mon Jun 26 03:22:53 2000 +++ openssh-2.1.1p4-jhchanges/channels.c Sun Aug 13 02:22:42 2000 @@ -59,6 +59,9 @@ */ static int channels_alloc = 0; +/* Jarno: Needed to check if port_forwarding is allowed */ +extern ServerOptions options; + /* * Maximum file descriptor value used in any of the channels. This is * updated in channel_allocate. 
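Review bot: the `extern ServerOptions options;` added to channels.c at @@ -59 ties a file shared by the client and the server to the server's option structure; as noted later in the thread, channels.c is linked into ssh as well as sshd, so the client link now needs a definition of `options` of that type too. Prefer keeping the check in server-only files (serverloop.c and session.c, as the later hunks of this patch already do) or passing the flag into channels.c as a function argument, so that channels.c compiles and links unchanged for the client.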
@@ -1506,15 +1509,12 @@ u_short port_to_connect) { int payload_len; + int type; + /* Record locally that connection to this host/port is permitted. */ if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) fatal("channel_request_remote_forwarding: too many forwards"); - permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); - permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; - permitted_opens[num_permitted_opens].listen_port = listen_port; - num_permitted_opens++; - /* Send the forward request to the remote side. */ if (compat20) { const char *address_to_bind = "0.0.0.0"; @@ -1534,7 +1534,28 @@ * Wait for response from the remote side. It will send a disconnect * message on failure, and we will never see it here. */ - packet_read_expect(&payload_len, SSH_SMSG_SUCCESS); + + /* Jarno: Server can send SSH_SMSG_FAILURE if it won't do port + forwardings ! + */ + + type = packet_read(&payload_len); + + switch (type) { + case SSH_SMSG_SUCCESS: + permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); + permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; + permitted_opens[num_permitted_opens].listen_port = listen_port; + num_permitted_opens++; + break; + case SSH_SMSG_FAILURE: + /* OK: Server won't do forwardings */ + log("Warning: Server doesn't do port forwarding."); + break; + default: + /* Unknown packet */ + packet_disconnect("Protocol error for port forward request: received packet type %d.", type); + } } } 
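Review bot: the comment kept at the top of the @@ -1534 hunk ("It will send a disconnect message on failure, and we will never see it here") is now wrong, since the switch below it handles SSH_SMSG_FAILURE explicitly and only disconnects on an unknown type; update it to describe the new behaviour. Taken together with @@ -1506, the permitted_opens entry is now recorded only inside the SSH_SMSG_SUCCESS case after the response is read; check that the `if (compat20) {` branch opened just above still falls through to that switch, otherwise protocol 2 clients lose the entry that the removed lines added unconditionally.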
@@ -1637,6 +1658,17 @@ /* Get remote channel number. */ remote_channel = packet_get_int(); + + /* Jarno */ + if (!options.port_forwarding) { + /* packet_get_all(); */ + debug("Refused port forward request."); + packet_send_debug("Server configuration rejects port forwardings."); + packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); + packet_put_int(remote_channel); + packet_send(); + return; + } /* Get host name to connect to. */ host = packet_get_string(&host_len); diff -u -r openssh-2.1.1p4/servconf.c openssh-2.1.1p4-jhchanges/servconf.c --- openssh-2.1.1p4/servconf.c Sat Jul 15 07:14:17 2000 +++ openssh-2.1.1p4-jhchanges/servconf.c Sun Aug 13 00:06:25 2000 @@ -45,6 +45,7 @@ options->x11_forwarding = -1; options->x11_display_offset = -1; options->xauth_location = NULL; + options->port_forwarding = -1; options->strict_modes = -1; options->keepalives = -1; options->log_facility = (SyslogFacility) - 1; @@ -116,6 +117,8 @@ if (options->xauth_location == NULL) options->xauth_location = XAUTH_PATH; #endif /* XAUTH_PATH */ + if (options->port_forwarding == -1) + options->port_forwarding = 1; /* Allow forwarding */ if (options->strict_modes == -1) options->strict_modes = 1; if (options->keepalives == -1) @@ -180,9 +183,9 @@ sSkeyAuthentication, #endif sPasswordAuthentication, sListenAddress, - sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, - sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, - sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, + sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, + sPortForwarding, sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, + sCheckMail, sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile, sGatewayPorts, sDSAAuthentication, sXAuthLocation, sSubsystem, sMaxStartups } ServerOpCodes; 
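Review bot: the early return added at @@ -1637 sends SSH_MSG_CHANNEL_OPEN_FAILURE before the host, port and originator fields of the request have been read (the commented-out `packet_get_all()` suggests this was noticed); consume those fields first so the remainder of the packet is drained and the refusal can name the requested host:port. Since an earlier post in this thread (OpenSSH Questions, item 4) asks for refused forwarding attempts to reach syslog, log() rather than debug() would be the better level for "Refused port forward request.". This hunk also relies on the `options` extern in channels.c, so it shares the linking concern raised on the first hunk.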
@@ -227,6 +230,7 @@ { "x11forwarding", sX11Forwarding }, { "x11displayoffset", sX11DisplayOffset }, { "xauthlocation", sXAuthLocation }, + { "portforwarding", sPortForwarding }, { "strictmodes", sStrictModes }, { "permitemptypasswords", sEmptyPasswd }, { "uselogin", sUseLogin }, @@ -518,7 +522,11 @@ case sXAuthLocation: charptr = &options->xauth_location; goto parse_filename; - + + case sPortForwarding: + intptr = &options->port_forwarding; + goto parse_flag; + case sStrictModes: intptr = &options->strict_modes; goto parse_flag; diff -u -r openssh-2.1.1p4/servconf.h openssh-2.1.1p4-jhchanges/servconf.h --- openssh-2.1.1p4/servconf.h Tue Jul 11 10:31:38 2000 +++ openssh-2.1.1p4-jhchanges/servconf.h Sat Aug 12 18:25:21 2000 @@ -49,6 +49,7 @@ int x11_display_offset; /* What DISPLAY number to start * searching at */ char *xauth_location; /* Location of xauth program */ + int port_forwarding; /* If true allow port forwarding */ int strict_modes; /* If true, require string home dir modes. */ int keepalives; /* If true, set SO_KEEPALIVE. */ char *ciphers; /* Ciphers in order of preference. */ diff -u -r openssh-2.1.1p4/serverloop.c openssh-2.1.1p4-jhchanges/serverloop.c --- openssh-2.1.1p4/serverloop.c Tue Jul 11 10:31:38 2000 +++ openssh-2.1.1p4-jhchanges/serverloop.c Sun Aug 13 14:06:06 2000 @@ -58,6 +58,9 @@ static volatile int child_has_selected; /* Child has had chance to drain. */ static volatile int child_wait_status; /* Status from wait(). */ +/* Jarno: Needed to check if port_forwarding is allowed */ +extern ServerOptions options; + void server_init_dispatch(void); void 
@@ -722,7 +725,10 @@ originator, originator_port, target, target_port); /* XXX check permission */ - if (no_port_forwarding_flag) { + /* Jarno: */ + if (no_port_forwarding_flag || !options.port_forwarding) { + packet_send_debug("Server configuration rejects port forwardings."); + debug("Port forwarding disabled in server configuration."); xfree(target); xfree(originator); return -1; diff -u -r openssh-2.1.1p4/session.c openssh-2.1.1p4-jhchanges/session.c --- openssh-2.1.1p4/session.c Wed Jul 12 02:45:27 2000 +++ openssh-2.1.1p4-jhchanges/session.c Sun Aug 13 00:51:47 2000 @@ -324,6 +324,13 @@ debug("Port forwarding not permitted for this authentication."); break; } + if (!options.port_forwarding) { + debug("Port forwarding disabled in server configuration."); + packet_send_debug("Port forwarding disabled in server configuration file."); + success = 0; + break; + } + debug("Received TCP/IP port forwarding request."); channel_input_port_forward_request(pw->pw_uid == 0, options.gateway_ports); success = 1; diff -u -r openssh-2.1.1p4/sshd.8 openssh-2.1.1p4-jhchanges/sshd.8 --- openssh-2.1.1p4/sshd.8 Tue Jul 11 10:31:39 2000 +++ openssh-2.1.1p4-jhchanges/sshd.8 Sun Aug 13 13:47:46 2000 @@ -485,6 +485,10 @@ listens on. The default is 22. Multiple options of this type are permitted. +.It Cm PortForwarding +Specifies whether TCP/IP port forwarding is permitted. +The default is +.Dq yes . .It Cm PrintMotd Specifies whether .Nm From jhuuskon at messi.uku.fi Sun Aug 13 21:39:49 2000 
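Review bot: in the serverloop.c hunk at @@ -722 the two causes are merged into one condition, so a client refused because of the per-key no_port_forwarding_flag now receives "Server configuration rejects port forwardings", which is misleading; test the two flags separately so each path logs its own reason. The session.c hunk at @@ -324 already does this in the right order (the authentication check, then the configuration check), so mirroring that structure here would keep the two handlers consistent. Both hunks report refusals with debug() only; consider log() so that refused attempts are visible in syslog without running sshd in debug mode.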
From: jhuuskon at messi.uku.fi (Jarno Huuskonen) Date: Sun, 13 Aug 2000 14:39:49 +0300 Subject: Anybody working on -R support for proto 2 ? Message-ID: <20000813143949.A21366@laivuri63.uku.fi> Hi ! Is anyone working on getting -R (remote port forwarding) working with protocol 2 ? I might be interested in helping but don't want to duplicate any previous work. -Jarno -- Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi University of Kuopio - Computer Center | Work: +358 17 162822 PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169 From markus.friedl at informatik.uni-erlangen.de Sun Aug 13 23:43:53 2000 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sun, 13 Aug 2000 15:43:53 +0200 Subject: Patches for openssh port forwarding In-Reply-To: <20000813143148.A21334@laivuri63.uku.fi>; from jhuuskon@messi.uku.fi on Sun, Aug 13, 2000 at 02:31:48PM +0300 References: <20000813143148.A21334@laivuri63.uku.fi> Message-ID: <20000813154353.A617@folly.informatik.uni-erlangen.de> this is not 'clean' since channels.c is linked to both ssh and sshd. > diff -u -r openssh-2.1.1p4/channels.c openssh-2.1.1p4-jhchanges/channels.c > --- openssh-2.1.1p4/channels.c Mon Jun 26 03:22:53 2000 > +++ openssh-2.1.1p4-jhchanges/channels.c Sun Aug 13 02:22:42 2000 > @@ -59,6 +59,9 @@ > */ > static int channels_alloc = 0; > > +/* Jarno: Needed to check if port_forwarding is allowed */ > +extern ServerOptions options; > + > /* > * Maximum file descriptor value used in any of the channels. This is > * updated in channel_allocate. From markus.friedl at informatik.uni-erlangen.de Sun Aug 13 23:44:48 2000 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sun, 13 Aug 2000 15:44:48 +0200 Subject: Anybody working on -R support for proto 2 ? In-Reply-To: <20000813143949.A21366@laivuri63.uku.fi>; from jhuuskon@messi.uku.fi on Sun, Aug 13, 2000 at 02:39:49PM +0300 References: <20000813143949.A21366@laivuri63.uku.fi> Message-ID: <20000813154448.B617@folly.informatik.uni-erlangen.de> no one is working on this. send patches to me. On Sun, Aug 13, 2000 at 02:39:49PM +0300, Jarno Huuskonen wrote: > Hi ! > > Is anyone working on getting -R (remote port forwarding) working with > protocol 2 ? > > I might be interested in helping but don't want to duplicate any > previous work. > > -Jarno > > -- > Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi > University of Kuopio - Computer Center | Work: +358 17 162822 > PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169 > From smang at cs.jhu.edu Mon Aug 14 07:34:19 2000 From: smang at cs.jhu.edu (Stefan Mangard) Date: Sun, 13 Aug 2000 17:34:19 -0400 (EDT) Subject: combining openSSH and DNSSEC Message-ID: Hi everybody, in a university project I started building DNSSEC features into the current release of openSSH. The openSSH client I modified now authenticates a server through DNSSEC. I wanted to ask if there are already plans in the openSSH community to integrate DNSSEC features. I really enjoyed working with openSSH and would like to continue my work and contribute it. I am about to set up a web page on my project which will contain more details. If anybody thinks that my work could be of future use, please let me know! Stefan From Pete.Chown at skygate.co.uk Tue Aug 15 04:14:58 2000 
From: Pete.Chown at skygate.co.uk (Pete Chown) Date: Mon, 14 Aug 2000 19:14:58 +0100 Subject: combining openSSH and DNSSEC In-Reply-To: ; from smang@cs.jhu.edu on Sun, Aug 13, 2000 at 05:34:19PM -0400 References: Message-ID: <20000814191458.A3134@hyena.skygate.co.uk> Stefan Mangard wrote: > The openSSH client I modified now authenticates a server through DNSSEC. That sounds like an interesting idea, but surely DNSSEC only makes sure that you get the authentic IP address? If the connection is hijacked later on, you are no better off. Personally I am very interested in playing with different ways of doing authentication... -- Pete From djm at mindrot.org Tue Aug 15 10:04:58 2000 From: djm at mindrot.org (Damien Miller) Date: Tue, 15 Aug 2000 10:04:58 +1000 (EST) Subject: RSA authentication bypassing /etc/nologin In-Reply-To: Message-ID: On Tue, 1 Aug 2000, Derek Becker wrote: > Hello everyone, > I noticed recently that when I had /etc/nologin in place on my > server I couldn't log in when I authenticated via passwords, but when I used > RSA authentication I was able to log in no problem. I looked through the You should use the pam_nologin.so module in sshd's PAM configuration file. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Tue Aug 15 10:15:47 2000 
From: djm at mindrot.org (Damien Miller) Date: Tue, 15 Aug 2000 10:15:47 +1000 (EST) Subject: lastlog_get_entry error on IRIX In-Reply-To: <20000803124947.A1461@ii.uib.no> Message-ID: On Thu, 3 Aug 2000, Jan-Frode Myklebust wrote: > Precedence: bulk > > > Hi, > > I'm getting the error: > > sshd[71835]: lastlog_get_entry: Error reading from /var/adm/lastlog: Error 0 > > from openssh 2.1.1p4 on IRIX (6.5.8m). Looks like there's some confusion > about /var/adm/lastlog being a directory and not a file on IRIX. Part of the problem is the error message - it does not reflect the true file that OpenSSH is trying to open (OpenSSH supports directory-based lastlogs). There is a bug in there though, can you try this patch: Index: loginrec.c =================================================================== RCS file: /var/cvs/openssh/loginrec.c,v retrieving revision 1.19 diff -u -r1.19 loginrec.c --- loginrec.c 2000/08/15 00:01:22 1.19 +++ loginrec.c 2000/08/15 00:15:12 @@ -1380,14 +1380,17 @@ return 0; } - /* find this uid's offset in the lastlog file */ - offset = (off_t) ( (long)li->uid * sizeof(struct lastlog)); + if (type == LL_FILE) { + /* find this uid's offset in the lastlog file */ + offset = (off_t) ( (long)li->uid * sizeof(struct lastlog)); - if ( lseek(*fd, offset, SEEK_SET) != offset ) { - log("lastlog_openseek: %s->lseek(): %s", - lastlog_file, strerror(errno)); - return 0; + if ( lseek(*fd, offset, SEEK_SET) != offset ) { + log("lastlog_openseek: %s->lseek(): %s", + lastlog_file, strerror(errno)); + return 0; + } } + return 1; } -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Tue Aug 15 10:20:08 2000 
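Review bot: the @@ -1380 hunk correctly confines the uid-based offset and lseek to the LL_FILE case and returns 1 for the directory layout, but it only fixes the seek; the misleading message described in the reply (lastlog_get_entry naming /var/adm/lastlog rather than the file it actually opened, and "Error 0", i.e. errno was never set, so the call did not actually fail) is left unchanged. Suggest having the read path report the path it opened and check the byte count it got back, so the IRIX report can be confirmed fixed rather than just silenced.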
From: djm at mindrot.org (Damien Miller) Date: Tue, 15 Aug 2000 10:20:08 +1000 (EST) Subject: --with-ipaddr-display patch In-Reply-To: <20000807082815.A29055@laivuri63.uku.fi> Message-ID: On Mon, 7 Aug 2000, Jarno Huuskonen wrote: > Hi ! > > I think that the configure option --with-ipaddr-display doesn't set > the IPADDR_IN_DISPLAY define in config.h > > Here's a small patch to configure.in that should enable the feature (after > running autoconf again). Thanks - applied. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Tue Aug 15 10:20:32 2000 From: djm at mindrot.org (Damien Miller) Date: Tue, 15 Aug 2000 10:20:32 +1000 (EST) Subject: [2.1.1p4] utmp patch for SunOS 4.1.x In-Reply-To: <200008010910.CAA07102@thetics.europa.com> Message-ID: On Tue, 1 Aug 2000, Nate Itkin wrote: > Follow-on to Charles Levert's work on > utmp_write_direct. Thanks - applied. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Tue Aug 15 10:23:45 2000 
From: djm at mindrot.org (Damien Miller) Date: Tue, 15 Aug 2000 10:23:45 +1000 (EST) Subject: openssh-2.1.1p4 + libwrap problem In-Reply-To: <61B6688756F7D011B70100805F06BEDC86FF59@palliser.sytec.co.nz> Message-ID: On Mon, 7 Aug 2000, Richard Savage wrote: > Hi all, > > I've hit a problem with OpenSSH 2.1.1p4 and TCP Wrappers, and have noticed > others may also have seen the problem. When OpenSSH is compiled with wrapper > support, access using standard userid/password fails - authentication works > ok and a shell is gained and then immediately terminated. I haven't seen any reports of this before. Are there explicit entries in hosts.allow permitting ssh access? -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Tue Aug 15 10:28:10 2000 From: djm at mindrot.org (Damien Miller) Date: Tue, 15 Aug 2000 10:28:10 +1000 (EST) Subject: Problems compiling openssh-2.1.1p2 on FreeBSD 4.0-RELEASE In-Reply-To: <200008091320.PAA55548@svnfs01.norway.waii.com> Message-ID: On Wed, 9 Aug 2000, Rune Mossige wrote: > Hello, > I have just installed a fresh copy of FreeBSD 4.0-RELEASE on a P75, > and want to compile openssh-2.1.1p2, but the compile fails with: Have you tried openssh-2.1.1p4? -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Tue Aug 15 10:32:40 2000 
From: djm at mindrot.org (Damien Miller) Date: Tue, 15 Aug 2000 10:32:40 +1000 (EST) Subject: slow sparc questions In-Reply-To: <025836EFF856D411A6660090272811E61D05C2@EMAIL> Message-ID: On Thu, 10 Aug 2000, Gregory Leblanc wrote: > I've got a couple of SPARCstation 2s (about as fast as a fast 486, for most > things) that I'm going to be using for some testing. I realize that these > machines are a bit slow, but when connecting via OpenSSH, it's MUCH slower > than connecting to my 486-DX 50. The point where it waits is just after > "debug: Sent encrypted session key.". The pause is for about 10 seconds, > while when connecting to the 486 the pause is barely noticeable. All > machines are using 3des as the encryption type. So, I've got a few > questions. > First, why is this machine SO much slower than my 486? Crappy compiler > (linux is compiled using egcs 1.1.2 and the OpenSSH box is using > ssl-2.6-USA, installed when I did my OpenBSD install)? This sounds like DNS problems - the server may be trying to resolve the client's hostname from its IP address? If the client does not have an in-addr.arpa address or an entry in the hosts file then this can take a while to timeout. > Second, would I be better off using another encryption algorithm? If so, > which one? These machines are just my toys, not commercial in any way. > What are the pros and cons? (RTFM links appreciated) > Third, what can I do to help "fix" this slowness? 3des is slow and secure (due to many years of review and attacks); blowfish is faster, but not as well examined. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From herrold at owlriver.com Tue Aug 15 10:49:46 2000 
From: herrold at owlriver.com (R P Herrold) Date: Mon, 14 Aug 2000 20:49:46 -0400 (EDT) Subject: slow sparc questions In-Reply-To: Message-ID: On Tue, 15 Aug 2000, Damien Miller wrote: > > "debug: Sent encrypted session key.". The pause is for about 10 seconds, > > First, why is this machine SO much slower than my 486? > > This sounds like DNS problems - the server may be trying to resolve the > client's hostname from its IP address? If the client does not have an > in-addr.arpa address or an entry in the hosts file then this can take > a while to timeout. ... well, no - it's not DNS related ... even with the prior non-OpenSSH, connects with a fully functioning DNS (forward and reverse) can only be described as 'glacier-like' in their startup on a Sparc 2 -- I stripped almost ALL services, spare consoles, turned off the inetd - everything, and _still_ cannot get reasonable throughput. I had assumed that the math processing was not up to par. I have not recently tried an install of openssh/openssl (I thought I filed a private bugreport with Damien, but don't have a copy on the host I am at) -- it died during compile perhaps 6 months ago -- I'll retry and run some time trials. -- Russ From djm at mindrot.org Tue Aug 15 11:07:50 2000 
From: djm at mindrot.org (Damien Miller) Date: Tue, 15 Aug 2000 11:07:50 +1000 (EST) Subject: OpenSSH Questions In-Reply-To: Message-ID: On Fri, 11 Aug 2000, achanak wrote: > Heya, > > I'm trying to convince my company to use OpenSSH instead of the > commercial SSH version. I need a little help: > > 1. What features does OpenSSH offer over commercial SSH (besides > being free and open source of course)? > > 2. Our lawyers want details on the licensing / patents stuff. I > have the high level details from the OpenSSH page. I need the > nitty gritty like RSA patent# and references, license statements > for Diffie Hellman, DSA, openSSL, zlib, and any other components, > besides the official license statement for OpenSSH. Any pointers > would be appreciated. IIRC and IANAL: RSA expires soon 20-sep-2000 DH expired a couple of years back DSA is unpatented or freely licensed (?) zlib (deflate) is unpatented > 3. The security folks want me to be able to disable tcp port > forwarding and X11 forwarding in the binary. Commercial sshd > has the compile time switches --disable-tcp-port-forwarding and > --disable-X11-forwarding. How do I do this with openSSH?? (using > the /etc/ssh_config directives is not an option - has to be a > compile time switch). This may be false security - what is to stop a luser from uploading something that opens a socket and passes data back and forth over ssh? OpenSSH doesn't have any such feature at the moment - though it would be easy to add. There is an untested patch attached to make PortForwarding a config option and a second patch to disable it entirely. > 4. There's also a requirement that tcp port forwarding attempts > be logged to syslog whether the compile time switch has disabled > port forwarding > or not. Commercial sshd currently offers this > as well...can openssh do this too? I know it does regular syslog > logging..not sure about port forwarding entries. Either patch will take care of this requirement. 
-d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -------------- next part -------------- Index: servconf.c =================================================================== RCS file: /var/cvs/openssh/servconf.c,v retrieving revision 1.22 diff -u -r1.22 servconf.c --- servconf.c 2000/07/15 04:14:17 1.22 +++ servconf.c 2000/08/15 00:58:45 @@ -74,6 +74,7 @@ options->num_deny_groups = 0; options->ciphers = NULL; options->protocol = SSH_PROTO_UNKNOWN; + options->port_forwarding = -1; options->gateway_ports = -1; options->num_subsystems = 0; options->max_startups = -1; @@ -158,6 +159,8 @@ options->use_login = 0; if (options->protocol == SSH_PROTO_UNKNOWN) options->protocol = SSH_PROTO_1|SSH_PROTO_2; + if (options->port_forwarding == -1) + options->port_forwarding = 1; if (options->gateway_ports == -1) options->gateway_ports = 0; if (options->max_startups == -1) @@ -184,7 +187,8 @@ sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile, - sGatewayPorts, sDSAAuthentication, sXAuthLocation, sSubsystem, sMaxStartups + sPortForwarding, sGatewayPorts, sDSAAuthentication, sXAuthLocation, + sSubsystem, sMaxStartups } ServerOpCodes; /* Textual representation of the tokens. */ @@ -238,6 +242,7 @@ { "denygroups", sDenyGroups }, { "ciphers", sCiphers }, { "protocol", sProtocol }, + { "portforwarding", sPortForwarding }, { "gatewayports", sGatewayPorts }, { "subsystem", sSubsystem }, { "maxstartups", sMaxStartups }, 
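Review bot: the new "portforwarding" keyword added to the servconf.c keyword table has no matching documentation change; the diff touches servconf.c, servconf.h and session.c but not sshd.8 or the sshd_config template, so a PortForwarding entry (default yes) belongs in the same patch. Defaulting port_forwarding to 1 when it is still -1, as the second hunk does, keeps existing configurations behaving as before, which is the right choice for an option that only tightens things when turned off.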
@@ -537,6 +542,10 @@ case sGatewayPorts: intptr = &options->gateway_ports; + goto parse_flag; + + case sPortForwarding: + intptr = &options->port_forwarding; goto parse_flag; case sLogFacility: Index: servconf.h =================================================================== RCS file: /var/cvs/openssh/servconf.h,v retrieving revision 1.15 diff -u -r1.15 servconf.h --- servconf.h 2000/07/11 07:31:38 1.15 +++ servconf.h 2000/08/15 00:58:45 @@ -53,6 +53,7 @@ int keepalives; /* If true, set SO_KEEPALIVE. */ char *ciphers; /* Ciphers in order of preference. */ int protocol; /* Protocol in order of preference. */ + int port_forwarding; /* If true, permit port forwarding. */ int gateway_ports; /* If true, allow remote connects to forwarded ports. */ SyslogFacility log_facility; /* Facility for system logging. */ LogLevel log_level; /* Level for system logging. */ Index: session.c =================================================================== RCS file: /var/cvs/openssh/session.c,v retrieving revision 1.30 diff -u -r1.30 session.c --- session.c 2000/08/15 00:01:22 1.30 +++ session.c 2000/08/15 00:58:45 @@ -191,7 +191,7 @@ * by the client telling us, so we can equally well trust the client * not to request anything bogus.) */ - if (!no_port_forwarding_flag) + if (!no_port_forwarding_flag && options.port_forwarding) channel_permit_all_opens(); s = session_new(); @@ -330,7 +330,7 @@ break; case SSH_CMSG_PORT_FORWARD_REQUEST: - if (no_port_forwarding_flag) { + if (no_port_forwarding_flag || !options.port_forwarding) { debug("Port forwarding not permitted for this authentication."); break; } -------------- next part -------------- Index: session.c =================================================================== RCS file: /var/cvs/openssh/session.c,v retrieving revision 1.30 diff -u -r1.30 session.c --- session.c 2000/08/15 00:01:22 1.30 +++ session.c 2000/08/15 01:02:23 
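Review bot: the session.c hunks in both variants only gate the protocol 1 paths (the channel_permit_all_opens() call and the SSH_CMSG_PORT_FORWARD_REQUEST case); nothing here touches the protocol 2 channel-open handling, so it is worth checking whether a client using Protocol 2 can still forward with PortForwarding set to no. Also, the rejection is reported with debug("Port forwarding not permitted for this authentication."), which only reaches syslog at LogLevel DEBUG; since the reply claims either patch covers the requirement that forwarding attempts be logged, this should be log(), and the message should say the administrator disabled forwarding rather than blaming the authentication.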
@@ -191,8 +191,10 @@ * by the client telling us, so we can equally well trust the client * not to request anything bogus.) */ +#if 0 if (!no_port_forwarding_flag) channel_permit_all_opens(); +#endif s = session_new(); s->pw = pw; @@ -330,6 +332,9 @@ break; case SSH_CMSG_PORT_FORWARD_REQUEST: + debug("Port forwarding not permitted for this authentication."); + break; +#if 0 if (no_port_forwarding_flag) { debug("Port forwarding not permitted for this authentication."); break; @@ -338,6 +343,7 @@ channel_input_port_forward_request(pw->pw_uid == 0, options.gateway_ports); success = 1; break; +#endif case SSH_CMSG_MAX_PACKET_SIZE: if (packet_set_maxsize(packet_get_int()) > 0) From oneill at cs.sfu.ca Tue Aug 15 12:11:07 2000 From: oneill at cs.sfu.ca (M.E. O'Neill) Date: Mon, 14 Aug 2000 19:11:07 -0700 Subject: crc32() clashes with zlib function of the same name Message-ID: <200008150211.TAA26781@aldrington.clawpaws.net> OpenSSH defines a function crc32(), and so does the zlib library. This is at best confusing (since they are different functions with different prototypes), and at worst a source of crashes. I found this problem getting OpenSSH up and running on Darwin, which turned out to be calling the wrong function. My bandaid was to include ``-Dcrc32=crcsum32'' in CFLAGS. The proper fix would be to either use zlib's crc32 function if it is essentially the same as OpenSSH's or rename OpenSSH's function if it differs. Best regards, M.E.O. From wsanchez at apple.com Tue Aug 15 13:31:22 2000 
From: wsanchez at apple.com (Wilfredo Sánchez) Date: Mon, 14 Aug 2000 20:31:22 -0700 Subject: [PATCH]: Port to Mac OS X/Darwin, misc Message-ID: <200008150331.UAA04306@ns1.abstrata.com> Below I've included a patch which helps build OpenSSH outside of a read-only source tree, find OpenSSL on Mac OS X, and fix a typo. This applies to OpenSSH 2.1.1p4. You should already have gotten a note from Melissa O'Neill about a conflict with the crc32() symbol in zlib, which was causing a crash on Darwin. I've noticed another bug. If ssh is setuid, I get a permission denied error while it tries to open ~/.ssh/prng_seed. I'm guessing this is because ssh is running with euid=0 at that point; since my home dir is exported from an NFS server with maproot=nobody, this fails. Aside from that problem, there may be a larger problem that ssh is running with euid=0 when it doesn't need to be. Thanks, -Fred Summary: Makefile.in: - OpenSSH doesn't build well if you are building outside of the source tree. - mkinstalldirs lives in $(srcdir), not necessarily '.'. - fixprogs lives in $(srcdir), not necessarily '.'. - Separate CFLAGS from CPPFLAGS, so one can override CFLAGS from the command line without whacking include paths. configure.in: - Find OpenSSL install as a framework. (-framework OpenSSL instead of -lcrypto) uidswap.c: - Fix apparent typo. Index: Services/OpenSSH/openssh/Makefile.in diff -u Services/OpenSSH/openssh/Makefile.in:1.1.1.3 Services/OpenSSH/openssh/Makefile.in:1.7 --- Services/OpenSSH/openssh/Makefile.in:1.1.1.3 Wed Jul 12 20:13:08 2000 +++ Services/OpenSSH/openssh/Makefile.in Mon Aug 14 19:36:09 2000 @@ -21,7 +21,8 @@ CC=@CC@ LD=@LD@ PATHS=-DETCDIR=\"$(sysconfdir)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DSSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" -CFLAGS=@CFLAGS@ $(PATHS) @DEFS@ +CFLAGS=@CFLAGS@ +CPPFLAGS=@CPPFLAGS@ $(PATHS) @DEFS@ -I. -I$(srcdir) LIBS=@LIBS@ AR=@AR@ RANLIB=@RANLIB@ 
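Review bot: moving $(PATHS) @DEFS@ -I. -I$(srcdir) out of CFLAGS into a new CPPFLAGS only works if the compile rule actually passes $(CPPFLAGS) to the compiler; this hunk shows no change to the .c.o rule, so either that rule already uses $(CPPFLAGS) or -DETCDIR, -DSSH_PROGRAM, -DSSH_ASKPASS_DEFAULT and the include paths will stop reaching the compiler. Worth confirming (and showing the rule) in the same patch.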
@@ -118,11 +119,11 @@ install: manpages $(TARGETS) install-files host-key install-files: - ./mkinstalldirs $(DESTDIR)$(bindir) - ./mkinstalldirs $(DESTDIR)$(sbindir) - ./mkinstalldirs $(DESTDIR)$(mandir) - ./mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1 - ./mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8 + $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir) + $(srcdir)/mkinstalldirs $(DESTDIR)$(sbindir) + $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir) + $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1 + $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8 $(INSTALL) -m 4755 -s ssh $(DESTDIR)$(bindir)/ssh $(INSTALL) -s scp $(DESTDIR)$(bindir)/scp $(INSTALL) -s ssh-add $(DESTDIR)$(bindir)/ssh-add @@ -140,12 +141,12 @@ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 ln -s ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config -a ! -f $(DESTDIR)$(sysconfdir)/sshd_config ]; then \ - ./mkinstalldirs $(DESTDIR)$(sysconfdir); \ + $(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \ $(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \ $(INSTALL) -m 644 sshd_config.out $(DESTDIR)$(sysconfdir)/sshd_config; \ fi if [ -f ssh_prng_cmds -a ! -z "$(INSTALL_SSH_PRNG_CMDS)" ]; then \ - $(PERL) fixprogs ssh_prng_cmds $(ENT); \ + $(PERL) $(srcdir)/fixprogs ssh_prng_cmds $(ENT); \ $(INSTALL) -m 644 ssh_prng_cmds.out $(DESTDIR)$(sysconfdir)/ssh_prng_cmds; \ fi Index: Services/OpenSSH/openssh/configure.in diff -u Services/OpenSSH/openssh/configure.in:1.1.1.4 Services/OpenSSH/openssh/configure.in:1.5 --- Services/OpenSSH/openssh/configure.in:1.1.1.4 Thu Aug 3 14:29:33 2000 +++ Services/OpenSSH/openssh/configure.in Mon Aug 14 19:38:51 2000 
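Review bot: the install-files hunk leaves "$(INSTALL) -m 4755 -s ssh" as unchanged context, so ssh is still installed setuid root; that is what puts the client at euid 0 when it opens ~/.ssh/prng_seed on the maproot=nobody NFS home described in the cover note. The patch does not address that, which is fine, but the summary should say so; the fix belongs in the PRNG seed code (drop to the user's uid with the uidswap.c helpers before touching files under the home directory), not in the Makefile.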
@@ -323,19 +326,25 @@ tryssldir="$tryssldir $prefix" fi AC_CACHE_CHECK([for OpenSSL directory], ac_cv_openssldir, [ - - for ssldir in "" $tryssldir /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do - if test ! -z "$ssldir" ; then + for ssldir in "" $tryssldir /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl FRAMEWORK ; do + if test "x$ssldir" = "xFRAMEWORK" ; then + LDFLAGS="$saved_LDFLAGS" + CFLAGS="$saved_CFLAGS" + LIBCRYPTO="-framework openssl" + elif test ! -z "$ssldir" ; then LDFLAGS="$saved_LDFLAGS -L$ssldir/lib -L$ssldir" CFLAGS="$saved_CFLAGS -I$ssldir/include" if test ! -z "$need_dash_r" ; then LDFLAGS="$LDFLAGS -R$ssldir/lib -R$ssldir" fi + LIBCRYPTO="-lcrypto" else LDFLAGS="$saved_LDFLAGS" + CFLAGS="$saved_CFLAGS" + LIBCRYPTO="-lcrypto" fi - LIBS="$saved_LIBS -lcrypto" + LIBS="$saved_LIBS $LIBCRYPTO" # Basic test to check for compatible version and correct linking # *does not* test for RSA - that comes later. @@ -372,7 +381,13 @@ ac_cv_openssldir=$ssldir ]) -if (test ! -z "$ac_cv_openssldir" && test "x$ac_cv_openssldir" != "x(system)") ; then +if test "x$ssldir" = "xFRAMEWORK" ; then + AC_DEFINE(HAVE_OPENSSL) + ssldir="(framework)" + LDFLAGS="$saved_LDFLAGS" + CFLAGS="$saved_CFLAGS" + LIBCRYPTO="-framework openssl" +elif test ! -z "$ac_cv_openssldir" && test "x$ac_cv_openssldir" != "x(system)" ; then AC_DEFINE(HAVE_OPENSSL) dnl Need to recover ssldir - test above runs in subshell ssldir=$ac_cv_openssldir @@ -384,8 +399,9 @@ if test ! -z "$blibpath" ; then blibpath="$blibpath:$ssldir:$ssldir/lib" fi + LIBCRYPTO="-lcrypto" fi -LIBS="$saved_LIBS -lcrypto" +LIBS="$saved_LIBS $LIBCRYPTO" # Now test RSA support saved_LIBS="$LIBS" 
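Review bot: the FRAMEWORK branch added after the AC_CACHE_CHECK tests "x$ssldir" = "xFRAMEWORK", but as the existing comment in the same hunk says ("Need to recover ssldir - test above runs in subshell"), $ssldir is not reliable outside the cache check and is not set at all on a cache hit; ac_cv_openssldir is what survives (the loop stores ac_cv_openssldir=$ssldir), so the test should be on "x$ac_cv_openssldir" = "xFRAMEWORK". Also the loop sets LIBCRYPTO="-framework openssl" while the summary says -framework OpenSSL; pick one spelling.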
@@ -432,7 +448,7 @@ else RSA_MSG="yes (using RSAref)" AC_MSG_RESULT(using RSAref) - LIBS="$saved_LIBS -lcrypto -lRSAglue -lrsaref" + LIBS="$saved_LIBS $LIBCRYPTO -lRSAglue -lrsaref" fi fi fi Index: Services/OpenSSH/openssh/uidswap.c diff -u Services/OpenSSH/openssh/uidswap.c:1.1.1.3 Services/OpenSSH/openssh/uidswap.c:1.3 --- Services/OpenSSH/openssh/uidswap.c:1.1.1.3 Wed Jul 12 20:13:17 2000 +++ Services/OpenSSH/openssh/uidswap.c Wed Jul 12 20:27:37 2000 @@ -48,7 +48,7 @@ /* Set the effective uid to the given (unprivileged) uid. */ if (seteuid(uid) == -1) debug("seteuid %d: %.100s", (int) uid, strerror(errno)); -#else /* SAVED_IDS_WORK_WITH_SETUID */ +#else /* SAVED_IDS_WORK_WITH_SETEUID */ /* Propagate the privileged uid to all of our uids. */ if (setuid(geteuid()) < 0) debug("setuid %d: %.100s", (int) geteuid(), strerror(errno)); Wilfredo Sánchez, wsanchez at apple.com Open Source Engineering Lead Apple Computer, Inc., Core Operating System Group 1 Infinite Loop, Cupertino, CA 94086, 408.974-5174 From Rune.Mossige at waii.com Tue Aug 15 16:38:34 2000 
From: Rune.Mossige at waii.com (Rune Mossige) Date: Tue, 15 Aug 2000 08:38:34 +0200 (CEST) Subject: Problems compiling openssh-2.1.1p2 on FreeBSD 4.0-RELEASE In-Reply-To: Message-ID: Yes, I got a hint about that. openssh-2.1.1p4 compiled and installed clean. Thanks for the help. On Tue, 15 Aug 2000, Damien Miller wrote: > On Wed, 9 Aug 2000, Rune Mossige wrote: > > > Hello, > > I have just installed a fresh copy of FreeBSD 4.0-RELEASE on a P75, > > and want to compile openssh-2.1.1p2, but the compile fails with: > > Have you tried openssh-2.1.1p4? > > -d > > ------------------------------------------------------------------- (-: Hiroshima 45, Chernobyl 86, Windows 95 :-) Our ultimate goal is to make overloaded machines appear to be idle. High performance, High reliability, Low cost -------- Pick any two. ------------------------------------------------------------------- Rune Mossige, Systems Support, Western Geophysical, Stavanger, Norway Tel: (+47)51598922 Fax:(+47)51598999 Mobile:(+47)90871024 From jhuuskon at messi.uku.fi Wed Aug 16 02:55:11 2000 
From: jhuuskon at messi.uku.fi (Jarno Huuskonen) Date: Tue, 15 Aug 2000 19:55:11 +0300 Subject: Experimental -R support patch for openssh client Message-ID: <20000815195511.B15157@laivuri63.uku.fi> Hi ! Here's an experimental patch for openssh-2.1.1p4 to add support (to openssh client) for -R (protocol 2). So if you have access to a commercial ssh2 server (that allows port forwardings) could you test this patch. (Note the openssh server doesn't have support for -R with protocol 2 so testing with openssh server won't do much good). To test remember to use -o "Protocol 2". This is my first go at implementing -R support so expect a few glitches. Thanks, -Jarno -- Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi University of Kuopio - Computer Center | Work: +358 17 162822 PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169 -------------- next part -------------- diff -u -r openssh-2.1.1p4/channels.c openssh-2.1.1p4-jhchanges/channels.c --- openssh-2.1.1p4/channels.c Mon Jun 26 03:22:53 2000 +++ openssh-2.1.1p4-jhchanges/channels.c Tue Aug 15 19:10:49 2000 
@@ -1506,38 +1509,139 @@ u_short port_to_connect) { int payload_len; + int type; + int success = 0; + /* Record locally that connection to this host/port is permitted. */ if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) fatal("channel_request_remote_forwarding: too many forwards"); - permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); - permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; - permitted_opens[num_permitted_opens].listen_port = listen_port; - num_permitted_opens++; - /* Send the forward request to the remote side. */ if (compat20) { const char *address_to_bind = "0.0.0.0"; packet_start(SSH2_MSG_GLOBAL_REQUEST); packet_put_cstring("tcpip-forward"); - packet_put_char(0); /* boolean: want reply */ + /* Ask for reply so we know to expect 'forwarded-tcpip' messages */ + packet_put_char(1); /* Boolean 1 asks for reply */ packet_put_cstring(address_to_bind); packet_put_int(listen_port); - } else { + packet_send(); + packet_write_wait(); + + type = packet_read(&payload_len); /* Expect reply from server */ + switch (type) { + case SSH2_MSG_REQUEST_SUCCESS: + success = 1; + break; + case SSH2_MSG_REQUEST_FAILURE: + log("Warning: Server doesn't do port forwarding."); + break; + default: + /* Unknown packet */ + packet_disconnect("Protocol error for port forward request: received packet type %d.", type); + } + + } + else { + /* Protocol 1 */ packet_start(SSH_CMSG_PORT_FORWARD_REQUEST); packet_put_int(listen_port); packet_put_cstring(host_to_connect); packet_put_int(port_to_connect); packet_send(); packet_write_wait(); - /* - * Wait for response from the remote side. It will send a disconnect - * message on failure, and we will never see it here. + + /* Jarno: Server can send SSH_SMSG_FAILURE if it won't do port + * forwardings. Read the server reply. 
*/ - packet_read_expect(&payload_len, SSH_SMSG_SUCCESS); + type = packet_read(&payload_len); /* Expect reply from server */ + switch (type) { + case SSH_SMSG_SUCCESS: + success = 1; + break; + case SSH_SMSG_FAILURE: + log("Warning: Server doesn't do port forwarding."); + break; + default: + /* Unknown packet */ + packet_disconnect("Protocol error for port forward request: received packet type %d.", type); + } + } + + if ( success ) { + debug("Server acknowledged our remote port forward request"); + permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); + permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; + permitted_opens[num_permitted_opens].listen_port = listen_port; + num_permitted_opens++; } } +/* Jarno Huuskonen: + * ssh2 + * This called after client has received SSH2_MSG_GLOBAL_REQUEST/ + * "forwarded-tcpip". + * Checks if creating the channel is ok. And connects to required host. + * returns new channel if OK or NULL for failure. + */ +Channel* +client_forwarded_tcpip_request(const char *request_type, int rchan, + int rwindow, int rmaxpack) +{ + Channel* c = NULL; + int sock; + char *connected_address; /* Remote address that is listening for the + connection */ + int connected_port; /* Remote port connected */ + + char* client_address; /* Client that connected to connected_address */ + int client_port; /* Client port */ + + unsigned int client_len, connected_len; + + int newch; + int i; + + debug("ssh2 server tries to open forwarded-tcpip channel."); + + /* Get rest of the packet */ + connected_address = packet_get_string(&connected_len); + connected_port = packet_get_int(); + client_address = packet_get_string(&client_len); + client_port = packet_get_int(); + packet_done(); + + /* Check if we have requested this remote forwarding */ + for (i = 0; i= num_permitted_opens ) { + log("Received request to open remote forwarded channel (%d) but the request was denied", rchan); + return NULL; + } + + /* TODO: call 
somekind of forward allowed function to check if connection + * is allowed. + */ + /* int allowed = allow_forwarded_tcpip( .... ); */ + + /* Open socket */ + sock = channel_connect_to(permitted_opens[i].host_to_connect, + permitted_opens[i].port_to_connect); + + if ( sock >= 0 ) { + newch = channel_new("forwarded-tcpip", SSH_CHANNEL_OPEN, + sock, sock, -1, 4*1024, 32*1024, 0, + xstrdup(client_address)); + c = channel_lookup( newch ); + } + return c; +} + /* * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates * listening for the port, and sends back a success reply (or disconnect diff -u -r openssh-2.1.1p4/channels.h openssh-2.1.1p4-jhchanges/channels.h --- openssh-2.1.1p4/channels.h Thu Jun 22 14:32:31 2000 +++ openssh-2.1.1p4-jhchanges/channels.h Tue Aug 15 19:03:17 2000 @@ -163,6 +163,12 @@ channel_request_remote_forwarding(u_short port, const char *host, u_short remote_port); +/* Jarno: Copy comment from source + */ +Channel * +client_forwarded_tcpip_request(const char *request_type, int rchan, + int rwindow, int rmaxpack); + /* * Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually * called by the server, because the user could connect to any port anyway, diff -u -r openssh-2.1.1p4/clientloop.c openssh-2.1.1p4-jhchanges/clientloop.c --- openssh-2.1.1p4/clientloop.c Sat Jul 15 07:14:17 2000 +++ openssh-2.1.1p4-jhchanges/clientloop.c Tue Aug 15 19:16:15 2000 @@ -974,6 +974,16 @@ debug("client_input_channel_open: ctype %s rchan %d win %d max %d", ctype, rchan, rwindow, rmaxpack); + /* Jarno: Check if ssh2 server tries to open remote forward channel */ + if (strcmp(ctype, "forwarded-tcpip") == 0) { + c = client_forwarded_tcpip_request( ctype, rchan, rwindow, rmaxpack ); + } + + /* if (strcmp(ctype, "x11") == 0) { + c = client_forwarded_x11_request( ctype, rchan, rwindow, rmaxpack ); + } + */ + if (strcmp(ctype, "x11") == 0) { int sock; char *originator; 
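Review bot: in client_forwarded_tcpip_request the two strings returned by packet_get_string (connected_address and client_address) are never freed on either the deny path or the success path, and the request_type, rwindow and rmaxpack parameters are unused: the channel is created with hard-coded 4*1024 / 32*1024 window and packet sizes instead of the values the server announced. Checking the incoming forwarded-tcpip open against permitted_opens before connecting is the right thing, since it is the only thing stopping a server from making the client open arbitrary connections; the TODO for an allow check should be resolved rather than left commented out. Separately, in channel_request_remote_forwarding the new blocking packet_read() after the tcpip-forward global request calls packet_disconnect() on any packet type other than SSH2_MSG_REQUEST_SUCCESS/FAILURE, so any other message the server sends first (a channel open or a global request of its own) tears down the session; handling the reply from the client loop instead of synchronously would avoid that.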
@@ -1015,7 +1025,7 @@ packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE); packet_put_int(rchan); packet_put_int(SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED); - packet_put_cstring("bla bla"); + packet_put_cstring("bla bla"); /* TODO: Shouldn't we send a reason ?*/ packet_put_cstring(""); packet_send(); } diff -u -r openssh-2.1.1p4/ssh.c openssh-2.1.1p4-jhchanges/ssh.c --- openssh-2.1.1p4/ssh.c Sat Jul 15 07:14:17 2000 +++ openssh-2.1.1p4-jhchanges/ssh.c Mon Aug 14 20:04:53 2000 @@ -891,6 +891,22 @@ } } +/* Jarno: ssh2_session calls this */ +void +init_remote_fwd(void) +{ + int i; + for (i = 0; i < options.num_remote_forwards; i++) { + debug("Connections to remote port %d forwarded to local address %.200s:%d", + options.remote_forwards[i].port, + options.remote_forwards[i].host, + options.remote_forwards[i].host_port); + channel_request_remote_forwarding(options.remote_forwards[i].port, + options.remote_forwards[i].host, + options.remote_forwards[i].host_port); + } +} + extern void client_set_session_ident(int id); void @@ -963,7 +979,9 @@ /* should be pre-session */ init_local_fwd(); - + /* Jarno */ + init_remote_fwd(); + window = 32*1024; if (tty_flag) { packetmax = window/8; From GLeblanc at cu-portland.edu Wed Aug 16 08:47:52 2000 From: GLeblanc at cu-portland.edu (Gregory Leblanc) Date: Tue, 15 Aug 2000 15:47:52 -0700 Subject: slow sparc questions Message-ID: <025836EFF856D411A6660090272811E61D05EC@EMAIL> > -----Original Message----- 
> From: R P Herrold [mailto:herrold at owlriver.com] > Sent: Monday, August 14, 2000 5:50 PM > To: Damien Miller > Cc: Gregory Leblanc; OpenSSH List (E-mail) > Subject: Re: slow sparc questions > > On Tue, 15 Aug 2000, Damien Miller wrote: > > > > "debug: Sent encrypted session key.". The pause is for > about 10 seconds, > > > > First, why is this machine SO much slower than my 486? > > > > This sounds like DNS problems - the server may be trying to > resolve the > > client's hostname from its IP address? If the client does > not have an > > in-addr.arpa address or an entry in the hosts file then > this can take > > a while to timeout. > > ... well, no - it's not DNS related ... even with the > prior non-OpenSSH, connects with a fully functioning DNS > (forward and reverse) can only be described as 'glacier-like' > in their startup on a Sparc 2 -- I stripped almost ALL > services, spare consoles, turned off the inetd - everything, > and _still_ cannot get reasonable throughput. I had assumed > that the math processing was not up to par.

I'll double check things with DNS, but I'm not convinced, yet. :-) [several hours pass] Ok, I got back to check on things, DNS is properly configured, things haven't changed. Which end of the connection were you talking about doing a reverse lookup, the server (SPARCstation2) or the client (some other machine)? My SS2 should have been able to handle lookups fine, I had hosts properly configured. I've added the SS2 to my DNS server, but that hasn't made any difference. Drifting off-topic slightly, here are some SPEC numbers from relative machines.

System        CPU MHz  Bus MHz  Cache Int/Ext  SPECint92  SPECfp92  Info Date
SS2           40       20       64             21.8       22.8      Oct92
Intel 486DX   50       50       8/256          30.1       14.0      Oct92
Intel 486DX2  66       33       8/256          32.4       16.1      Sep92
Pentium       60       60       8/256          70.4       55.1      Mar95

I've got an SS2, and a 486DX 50. Somehow, it doesn't seem that there is that big of a difference.
However, just for reference, I've used the P60 systems, and compared them with similar 486 DX2 66 systems, and the 486's "felt" faster. > I have not recently tried an install of openssh/openssl (I > thought I filed a private bugreport with Damien, but don't > have a copy on the host I am at) -- it died during compile > perhaps 6 months ago -- I'll retry and run some time trials. Hmm, I don't compile things on my SS2, instead I use my dual proc SS20. There is a patch for the RPM that makes it work properly on S/Linux, but I don't know if that was your test platform or not. Thanks, Greg From Peter.Losher at nominum.com Wed Aug 16 11:36:52 2000 From: Peter.Losher at nominum.com (Peter Losher) Date: Tue, 15 Aug 2000 18:36:52 -0700 (PDT) Subject: Krb5 patches for OpenSSH 2.1.1p4 Message-ID: Does anyone have any patches for either MIT or Heimdal Kerberos support (ticket passing, etc)? I have seen some floating around, but they are all for v2.1.x... Any hints? Thanks - Peter -- Peter Losher Systems Admin. - Nominum, Inc. PGP key available on request From janfrode at parallab.uib.no Wed Aug 16 17:19:42 2000 
From: janfrode at parallab.uib.no (Jan-Frode Myklebust) Date: Wed, 16 Aug 2000 09:19:42 +0200 Subject: lastlog_get_entry error on IRIX In-Reply-To: ; from djm@mindrot.org on Tue, Aug 15, 2000 at 10:15:47AM +1000 References: <20000803124947.A1461@ii.uib.no> Message-ID: <20000816091942.A10373@ii.uib.no> On Tue, Aug 15, 2000 at 10:15:47AM +1000, Damien Miller wrote: > > sshd[71835]: lastlog_get_entry: Error reading from /var/adm/lastlog: Error 0 > > > > from openssh 2.1.1p4 on IRIX (6.5.8m). Looks like there's some confusion > > about /var/adm/lastlog being a directory and not a file on IRIX. > > Part of the problem is the error message - it does not reflect the true > file that OpenSSH is trying to open (OpenSSH supports directory-based > lastlogs). > > There is a bug in there though, can you try this patch: > OK, I've applied the patch, but it'll probably take a few days before we know that it's working. I've only gotten the error once the last 3 days, and don't know how to provoke it. -jf From smangard at gmx.net Thu Aug 17 02:50:20 2000 
From: smangard at gmx.net (Stefan Mangard) Date: Wed, 16 Aug 2000 18:50:20 +0200 (MEST) Subject: combining openSSH and DNSSEC References: <20000814191458.A3134@hyena.skygate.co.uk> Message-ID: <4855.966444620@www25.gmx.net> > That sounds like an interesting idea, but surely DNSSEC only makes > sure that you get the authentic IP address? If the connection is > hijacked later on, you are no better off. Actually I am going one step further. I also use the DNS features to distribute the public host keys. The DNS server signs the host keys of all machines in a network. Therefore not only the IP is authenticated, but also the host itself. The DNS server acts as a kind of key distribution server. The advantage compared to the standard system lies in the fact that it is only necessary to have the public key of the DNS server, which is used for signing and not for each host of the network. A page with all details will be online from tomorrow on. There will be a link on the page: http://www.cs.jhu.edu/hisl The project name is LADON. > Personally I am very interested in playing with different ways of > doing authentication... Me too ;-) Stefan -- Sent through GMX FreeMail - http://www.gmx.net From swalton at galileo.csun.edu Thu Aug 17 14:51:35 2000 
From: swalton at galileo.csun.edu (Stephen Walton) Date: Wed, 16 Aug 2000 21:51:35 -0700 (PDT) Subject: OpenSSH and HP-UX Message-ID: My system: HP-UX 10.20, pretty vanilla, most non-HP software from the HP Porting Archive at hpux.cae.wisc.edu. GNU make is /usr/local/bin/gmake, zlib is in /opt/zlib, OpenSSL in /opt/openssl, HP ANSI C compiler. OpenSSH 2.2.1p4. 'configure' on this system warns that rsa is not available. I found source at www.spinnaker.com which builds an rsaref.a library but not an RSAglue one. So I'm stuck with the failed link of ssh. Help? -- Stephen Walton, Professor of Physics and Astronomy, California State University, Northridge stephen.walton at csun.edu From Lutz.Jaenicke at aet.TU-Cottbus.DE Thu Aug 17 20:06:31 2000 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Thu, 17 Aug 2000 12:06:31 +0200
Subject: OpenSSH and HP-UX
In-Reply-To: ; from swalton@galileo.csun.edu on Wed, Aug 16, 2000 at 09:51:35PM -0700
References:
Message-ID: <20000817120631.F15661@ws01.aet.tu-cottbus.de>

On Wed, Aug 16, 2000 at 09:51:35PM -0700, Stephen Walton wrote:
> My system: HP-UX 10.20, pretty vanilla, most non-HP software from the HP
> Porting Archive at hpux.cae.wisc.edu. GNU make is /usr/local/bin/gmake,
> zlib is in /opt/zlib, OpenSSL in /opt/openssl, HP ANSI C compiler.
> OpenSSH 2.2.1p4.

(I run my self-compiled OpenSSL on HP-UX 10.20, so my $0.02 is just from the theoretical point of view.)

I have checked out the contents of the HP Porting Archive and there is no indication that the library was compiled without RSA support. The files are in the source and HPUX.Install does not give any information about having used the no-rsa option. Actually, when using the no-rsa option, the RSAglue library should be generated automatically when configured with the "rsaref" option.

> 'configure' on this system warns that rsa is not available. I found
> source at www.spinnaker.com which builds an rsaref.a library but not an
> RSAglue one. So I'm stuck with the failed link of ssh. Help?

Rebuild OpenSSL from source with the "rsaref" option enabled... Something like

    ./Configure -D_REENTRANT rsaref --prefix=/opt/openssl hpux-parisc-cc

Best regards,
Lutz

--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
From: garrick at james.net (Garrick James)
Date: Thu, 17 Aug 2000 09:39:59 -0700 (PDT)
Subject: OpenSSH and HP-UX
In-Reply-To:
Message-ID:

I don't use HP-UX, but I have noticed on both Solaris and Linux that I have to rename rsaref.a to librsaref.a (or at least make an appropriate link).

Regards,
Garrick

On Wed, 16 Aug 2000, Stephen Walton wrote:

> My system: HP-UX 10.20, pretty vanilla, most non-HP software from the HP
> Porting Archive at hpux.cae.wisc.edu. GNU make is /usr/local/bin/gmake,
> zlib is in /opt/zlib, OpenSSL in /opt/openssl, HP ANSI C compiler.
> OpenSSH 2.2.1p4.
>
> 'configure' on this system warns that rsa is not available. I found
> source at www.spinnaker.com which builds an rsaref.a library but not an
> RSAglue one. So I'm stuck with the failed link of ssh. Help?
>
> --
> Stephen Walton, Professor of Physics and Astronomy,
> California State University, Northridge
> stephen.walton at csun.edu
>
From: joe at plaguesplace.dyndns.org (me)
Date: Fri, 18 Aug 2000 01:31:14 -0400
Subject: scp and the use of fortune in /etc/profile
Message-ID: <20000818013114.D13836@plaguesplace.dyndns.org>

I tracked down a problem related to running fortune at the start of every shell instance and scp. I imagine the problem would be the same with any utility automatically started upon login that prints to the screen. I am not sure if this is intentional, a bug or just an annoyance that one should not run such utilities at login. Maybe one for the FAQ, eh, so no one re-spends the time I just did tracking it down.

openssh-2.1.1p3-3mdk

joe

--
When asked if Lars and the other Metallica members ever violated another's intellectual property and copyright:
"Yeah, I mean I think we answered that before. Of course we have, ok? And of course it's a valid point."
From: djm at mindrot.org (Damien Miller)
Date: Fri, 18 Aug 2000 16:06:57 +1000 (EST)
Subject: scp and the use of fortune in /etc/profile
In-Reply-To: <20000818013114.D13836@plaguesplace.dyndns.org>
Message-ID:

On Fri, 18 Aug 2000, me wrote:

> I tracked down a problem related to running fortune at the start of
> every shell instance and scp. I imagine the problem would be the same
> with any utility automatically started upon login that prints to the
> screen. I am not sure if this intentional, a bug or just an annoyance
> that one should not run such utilities at login. Maybe one for the faq
> eh, so no one respends the time I just did tracking it down.
>
> openssh-2.1.1p3-3mdk

Such programs should only be run for interactive shells.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From: chip at valinux.com (Chip Salzenberg)
Date: Fri, 18 Aug 2000 04:37:06 -0700
Subject: [PATCH] Support symlinks in scp of openssh 2
Message-ID: <20000818043706.A15230@perlsupport.com>

I'm fond of the "-a" (archive) option of cp, and I'm a heavy user of scp, so I guess it's inevitable that I would eventually add support for "-a" to scp. :-) Actually, it's a "-L" flag for preserving symlinks, and a "-a" flag that is shorthand for "-Lpr".

Please let me know if I'm not doing this right.... I made a great effort to limit the number of code lines changed, so as to minimize the difficulty of understanding and accepting this patch.

Index: scp.1 --- scp.1.prev +++ scp.1 Fri Aug 18 04:24:46 2000 @@ -20,5 +20,5 @@ .Sh SYNOPSIS .Nm scp -.Op Fl pqrvC46 +.Op Fl aLpqrvC46 .Op Fl P Ar port .Op Fl c Ar cipher
@@ -69,4 +69,9 @@ .It Fl o Ar ssh_options specify options to be passed to ssh. For example: "-o UsePriviledgePort=no" +.It Fl a +Archival copy. Shorthand for "-Lpr". +.It Fl L +Preserves symbolic links as such, instead of following them and +copying their targets. .It Fl p Preserves modification times, access times, and modes from the Index: scp.c --- scp.c.prev +++ scp.c Fri Aug 18 04:14:40 2000 @@ -253,5 +253,5 @@ struct passwd *pwd; uid_t userid; int errs, remin, remout; -int pflag, iamremote, iamrecursive, targetshouldbedirectory; +int linkflag, pflag, iamremote, iamrecursive, targetshouldbedirectory; #define CMDNEEDS 64 @@ -280,5 +280,5 @@ main(argc, argv) memset(sshoptions,0,sizeof(sshoptions)); sshoptionsend = sshoptions; - while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:o:S:q46")) != EOF) + while ((ch = getopt(argc, argv, "adfLprtvBCc:i:P:o:S:q46")) != EOF) switch (ch) { /* User-visible flags. */ @@ -289,4 +289,12 @@ main(argc, argv) IPv6 = 1; break; + case 'a': + linkflag = 1; + pflag = 1; + iamrecursive = 1; + break; + case 'L': + linkflag = 1; + break; case 'p': pflag = 1; @@ -549,12 +557,24 @@ source(argc, argv) name = argv[indx]; statbytes = 0; - if ((fd = open(name, O_RDONLY, 0)) < 0) - goto syserr; - if (fstat(fd, &stb) < 0) { + if (linkflag) { + fd = -1; + result = lstat(name, &stb); + } + else { + if ((fd = open(name, O_RDONLY, 0)) < 0) + goto syserr; + result = fstat(fd, &stb); + } + if (result < 0) { syserr: run_err("%s: %s", name, strerror(errno)); goto next; } switch (stb.st_mode & S_IFMT) { + case S_IFLNK: + /* readlink later */ + break; case S_IFREG: + if (fd < 0 && (fd = open(name, O_RDONLY, 0)) < 0) + goto syserr; break; case S_IFDIR: 
@@ -586,6 +606,7 @@ syserr: run_err("%s: %s", name, strerr } #define FILEMODEMASK (S_ISUID|S_ISGID|S_IRWXU|S_IRWXG|S_IRWXO) - (void) sprintf(buf, "C%04o %lu %s\n", - (unsigned int) (stb.st_mode & FILEMODEMASK), + (void) sprintf(buf, "%c%04o %lu %s\n", + ((stb.st_mode & S_IFMT) == S_IFLNK) ? 'L' : 'C', + (unsigned int) (stb.st_mode & FILEMODEMASK), (unsigned long) stb.st_size, last); @@ -609,5 +630,8 @@ next: (void) close(fd); amt = stb.st_size - i; if (!haderr) { - result = atomicio(read, fd, bp, amt); + if ((stb.st_mode & S_IFMT) == S_IFLNK) + result = readlink(name, bp, amt); + else + result = atomicio(read, fd, bp, amt); if (result != amt) haderr = result >= 0 ? EIO : errno; @@ -625,5 +649,5 @@ next: (void) close(fd); progressmeter(1); - if (close(fd) < 0 && !haderr) + if (fd >= 0 && close(fd) < 0 && !haderr) haderr = errno; if (!haderr) @@ -775,5 +799,5 @@ sink(argc, argv) continue; } - if (*cp != 'C' && *cp != 'D') { + if (*cp != 'C' && *cp != 'D' && *cp != 'L') { /* * Check for the case "rcp remote:foo\* local:bar". @@ -816,5 +840,5 @@ sink(argc, argv) np = targ; curfile = cp; - exists = stat(np, &stb) == 0; + exists = (buf[0] == 'L' ? lstat : stat)(np, &stb) == 0; if (buf[0] == 'D') { int mod_flag = pflag; @@ -845,9 +869,14 @@ sink(argc, argv) continue; } - omode = mode; - mode |= S_IWRITE; - if ((ofd = open(np, O_WRONLY | O_CREAT | O_TRUNC, mode)) < 0) { -bad: run_err("%s: %s", np, strerror(errno)); - continue; + if (buf[0] == 'L') + ofd = omode = -1; + else { + omode = mode; + mode |= S_IWRITE; + if ((ofd = open(np, O_WRONLY | O_CREAT | O_TRUNC, + mode)) < 0) { +bad: run_err("%s: %s", np, strerror(errno)); + continue; + } } (void) atomicio(write, remout, "", 1); 
@@ -891,4 +920,12 @@ bad: run_err("%s: %s", np, strerror(er if (showprogress) progressmeter(1); + if (buf[0] == 'L') { + if (size >= PIPE_BUF) + SCREWUP("symlink bigger than PIPE_BUF"); + bp[size] = '\0'; + wrerr = (symlink(bp, np) < 0) ? YES : NO; + wrerrno = errno; + goto done; + } if (count != 0 && wrerr == NO && (j = atomicio(write, ofd, bp, count)) != count) { @@ -917,5 +954,4 @@ bad: run_err("%s: %s", np, strerror(er wrerrno = errno; } - (void) response(); if (setimes && wrerr == NO) { setimes = 0; @@ -926,4 +962,5 @@ bad: run_err("%s: %s", np, strerror(er } } +done: (void) response(); switch (wrerr) { case YES: -- Chip Salzenberg - a.k.a. - "I wanted to play hopscotch with the impenetrable mystery of existence, but he stepped in a wormhole and had to go in early." // MST3K From roman at buildpoint.com Sat Aug 19 09:07:24 2000 
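Review bot: in the sink() hunk that widens the record test to `*cp != 'C' && *cp != 'D' && *cp != 'L'`, an 'L' record is accepted without consulting `linkflag`, so a sender can create symlinks on the receiving host during an ordinary `scp -r` that never asked for -L; gate the new record type on `linkflag` (reject or report it otherwise), since a symlink planted early in a transfer redirects where later 'C' and 'D' records of the same session are written.

Review bot: the symlink-creation hunk in sink() bounds `size` against PIPE_BUF, which has nothing to do with how large `bp` is; `bp[size] = '\0'` writes one byte past `size`, so the check has to be against the buffer's allocated length (or the target has to be copied into a `size + 1` allocation). Nothing in the hunk removes an existing `np` before `symlink(bp, np)`, so re-running the same copy fails with EEXIST for every link; either unlink first when the `lstat` in the `exists` hunk found a link, or document that links are never replaced.

Review bot: in the source() read-loop hunk, `readlink(name, bp, amt)` is issued with `amt = stb.st_size - i`, but readlink() always returns the target from its beginning, so for a target longer than one buffer the loop would send the start of the target again and the `result != amt` test would report EIO for a perfectly good link; read the target once with `stb.st_size` (the lstat() size of a symlink is its target length) and bail out if that exceeds the buffer. The mismatch path is still the right answer for a link replaced between the lstat() and the readlink().

Review bot: the getopt() hunk teaches the local scp about `a` and `L`, but none of the hunks shown adds ` -L` to the command string handed to the remote scp for the -f/-t side; unless that is done elsewhere, `scp -L host:dir .` still follows links on the sending host and no 'L' records are ever produced.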
From: roman at buildpoint.com (Roman Gollent)
Date: Fri, 18 Aug 2000 16:07:24 -0700 (PDT)
Subject: Patch/Request for remsh
Message-ID:

Hi folks,

First of all, I wanted to thank you for your most excellent port of ssh! I have a small request, however. Could you please incorporate the below-mentioned patch so that OpenSSH recognises remsh as a valid argv[0] again? There are certain third party products (netbackup being one of them) that insist on using remsh as a transport mechanism, so we cheated and created a link from remsh to ssh to improve security. This unfortunately broke when we migrated to OpenSSH2 (as several argv[0] instances were removed from the checklist).

Thanks again!

Best Regards,
Roman

*** ssh.c.orig Fri Aug 18 12:05:26 2000 --- ssh.c Fri Aug 18 12:44:13 2000 *************** *** 254,260 **** else cp = av0; if (strcmp(cp, "rsh") != 0 && strcmp(cp, "ssh") != 0 && ! strcmp(cp, "rlogin") != 0 && strcmp(cp, "slogin") != 0) host = cp; for (optind = 1; optind < ac; optind++) { --- 254,261 ---- else cp = av0; if (strcmp(cp, "rsh") != 0 && strcmp(cp, "ssh") != 0 && ! strcmp(cp, "rlogin") != 0 && strcmp(cp, "slogin") != 0 && ! strcmp(cp, "remsh") != 0) host = cp; for (optind = 1; optind < ac; optind++) {A

From: itoi at eecs.umich.edu (Naomaru Itoi)
Date: Fri, 18 Aug 2000 23:37:18 -0400
Subject: smartcard integration - clean or portable?
Message-ID: <200008190337.e7J3bI103187@soso.eecs.umich.edu>

Hello,

Theo, Niels, Jim Rees and I have discussed integration of smartcards into OpenSSH. Later I found that OpenSSH has two versions - clean and portable. Now I am wondering which version we should start from. Any suggestions?

Thanks.

--
Concentration .. Naomaru Itoi
From: mouring at pconline.com (Ben Lindstrom)
Date: Fri, 18 Aug 2000 23:34:45 -0500 (CDT)
Subject: smartcard integration - clean or portable?
In-Reply-To: <200008190337.e7J3bI103187@soso.eecs.umich.edu>
Message-ID:

My vote would be to integrate it first into the clean version, and let Damien bring the changes into the portable version. Then each platform manager/tester can verify it compiles on their platform (in other words, make it an --enable-smartcard option). This would make the most sense to me. Then for any platforms that can not support the feature (I assume NeXT would be one of them) a notification can be entered on attempting to "enable" support, stating it's "broken" or "unsupported" on that platform.

On Fri, 18 Aug 2000, Naomaru Itoi wrote:

> Hello,
>
> Theo, Niels, Jim Rees and I have discussed about integration of
> smartcard to OpenSSH. Later I have found that OpenSSH has two
> versions - clean and portable. Now I am wondering which version we
> should start from. Any suggestions?
>
> Thanks.
>
> --
> Concentration .. Naomaru Itoi
>
From: djm at mindrot.org (Damien Miller)
Date: Sat, 19 Aug 2000 21:48:20 +1000 (EST)
Subject: smartcard integration - clean or portable?
In-Reply-To: <200008190337.e7J3bI103187@soso.eecs.umich.edu>
Message-ID:

On Fri, 18 Aug 2000, Naomaru Itoi wrote:

> Hello,
>
> Theo, Niels, Jim Rees and I have discussed about integration of
> smartcard to OpenSSH. Later I have found that OpenSSH has two
> versions - clean and portable. Now I am wondering which version we
> should start from. Any suggestions?

Work from the 'clean' version if at all possible - it will be easier to integrate into that standard version and I will pick up the changes anyway.

What are you planning?

Thanks,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sat, 19 Aug 2000 21:09:20 +0200
Subject: ssh-agent support of ssh2
In-Reply-To: <802568F9.0036E112.00@d06mta05.portsmouth.uk.ibm.com>; from douglas.manton@uk.ibm.com on Fri, Jun 09, 2000 at 10:59:54AM +0100
References: <3943E25A.B17677A6@cyte.com> <802568F9.0036E112.00@d06mta05.portsmouth.uk.ibm.com>
Message-ID: <20000819210920.A17262@folly.informatik.uni-erlangen.de>

the next release will contain agent support for dsa keys

On Fri, Jun 09, 2000 at 10:59:54AM +0100, douglas.manton at uk.ibm.com wrote:
> Any idea of when ssh2 support will be available within ssh-agent and
> ssh-add?

On Sun, Jun 11, 2000 at 12:02:50PM -0700, Jeff Wiegley wrote:
> Any news about other peoples attempts/progress to get ssh-agent2
> implemented?

On Sat, Aug 05, 2000 at 04:15:06AM -0400, Adam Bentitou wrote:
> Ok... I just kludged dsa key support into the ssh-agent that comes with
> openssh-2.1.1p4. It's ugly and conforms to no standard (I could find no
> significant mention of it in the IETF drafts) but it does seem to
> work. If anybody's interested in it, I'll clean up the code and post. For
> now I'm going to sleep.
From: itoi at eecs.umich.edu (Naomaru Itoi)
Date: Sat, 19 Aug 2000 20:19:27 -0400
Subject: smartcard integration - clean or portable?
In-Reply-To: Your message of "Sat, 19 Aug 2000 21:48:20 +1000."
Message-ID: <200008200019.e7K0JR117559@soso.eecs.umich.edu>

> > Hello,
> >
> > Theo, Niels, Jim Rees and I have discussed about integration of
> > smartcard to OpenSSH. Later I have found that OpenSSH has two
> > versions - clean and portable. Now I am wondering which version we
> > should start from. Any suggestions?
>
> Work from the 'clean' version if at all possible - it will be easier to
> integrate into that standard version and I will pick up the changes
> anyway.

Thanks. I will start from 'clean'.

> What are you planning?

Store user private key in a smartcard, and modify SSH agent to do the crypto operation for authentication in the card.

--
Concentration .. Naomaru Itoi

From: zack at wolery.cumb.org (Zack Weinberg)
Date: Sat, 19 Aug 2000 17:55:24 -0700
Subject: Work around Linux kernel bug provoked by nchan.c
In-Reply-To: ; from djm@mindrot.org on Mon, Aug 07, 2000 at 03:50:02PM +1000
References: <20000723100323.F263@wolery.cumb.org>
Message-ID: <20000819175524.G25518@wolery.cumb.org>

On Mon, Aug 07, 2000 at 03:50:02PM +1000, Damien Miller wrote:
> On Sun, 23 Jul 2000, Zack Weinberg wrote:
>
> > The Linux implementation of TCP sockets has a bug which causes
> > shutdown(sock, SHUT_RD) to fail spuriously (ENOTCONN) if the write
> > side of the socket has already been shut down.
> ...
> > [I've reported the bug to the kernel developers but they do not seem
> > interested in fixing it.]
>
> Can you give me a pointer to some discussion on this?

Unfortunately, there was no discussion. I posted to linux-kernel, it was ignored.

zw
From: i.palsenberg at jdimedia.nl (Igmar Palsenberg)
Date: Sun, 20 Aug 2000 18:34:32 +0200 (CEST)
Subject: [ANNOUNCE] OpenSSH CryptoCard support.
Message-ID:

Hi,

I just finished integrating CryptoCard support in OpenSSH.

- Native X9.9 support. Should work with CryptoCard and Secure Computing tokens. This basically gives support for Challenge / Response
- Licensed under BSD license

I'll put the patch on http://www.jdimedia.nl/igmar/pam, but that will shortly change to projects.jdimedia.nl. If desired I could also put it on the mail.

Let me know if you're interested in incorporating it in the OpenSSH release.

Regards,

Igmar Palsenberg

--
Igmar Palsenberg
JDI Media Solutions
Jansplaats 11
6811 GB Arnhem
The Netherlands
mailto: i.palsenberg at jdimedia.nl

From: martynas at inet.lt (Martynas)
Date: Mon, 21 Aug 2000 14:39:16 +0200
Subject: chroot
Message-ID: <006d01c00b6c$d26ff520$0940dcc1@inet.lt>

Hi,

Are you planning to add "chroot" feature like in ssh 2.2.0 from www.ssh.com? It would be good feature.

Waiting for reply..

Martynas Bieliauskas

From: pekkas at netcore.fi (Pekka Savola)
Date: Mon, 21 Aug 2000 16:42:25 +0300 (EEST)
Subject: chroot
In-Reply-To: <006d01c00b6c$d26ff520$0940dcc1@inet.lt>
Message-ID:

> Are you planning to add "chroot" feature like in ssh 2.2.0 from www.ssh.com
> ? It would be good feature.

There's a patch for it in contrib/ directory.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi    not those you stumble over and fall"
From: rmcc at novis.pt (Ricardo Cerqueira)
Date: Mon, 21 Aug 2000 14:57:55 +0100
Subject: chroot
In-Reply-To: ; from pekkas@netcore.fi on Mon, Aug 21, 2000 at 04:42:25PM +0300
References: <006d01c00b6c$d26ff520$0940dcc1@inet.lt>
Message-ID: <20000821145755.A14995@isp.novis.pt>

On Mon, Aug 21, 2000 at 04:42:25PM +0300, Pekka Savola wrote:
> > Are you planning to add "chroot" feature like in ssh 2.2.0 from www.ssh.com
> > ? It would be good feature.
>
> There's a patch for it in contrib/ directory.
>

If it's still my patch, I think it doesn't work in the latest versions of OpenSSH. If nobody else does it, and if I manage to get a few unoccupied minutes, I'll try to port it sometime this week.

RC

--
+-------------------
| Ricardo Cerqueira
| PGP Key fingerprint - B7 05 13 CE 48 0A BF 1E 87 21 83 DB 28 DE 03 42
| Novis - Engenharia ISP / Rede Técnica
| Pç. Duque Saldanha, 1, 7º E / 1050-094 Lisboa / Portugal
| Tel: +351 21 3166700 (24h/dia) - Fax: +351 21 3166701
From: support at securenetterm.com (Kenneth R. Robinette)
Date: Tue, 22 Aug 2000 05:50:35 -0500
Subject: OpenSSH Authentication
Message-ID: <39A214AB.27066.6A0E08A@localhost>

The current version of OpenSSH seems to be using a version of Kerberos that is quite old. Is there any way to isolate the Kerberos code in a single module for both client and server which can be customized by each site, if necessary? Are there any plans to support the Kerberos 5 release that supports both Kerberos 4 and Kerberos 5?

Ken

_____________________________________________
Kenneth R. Robinette
President
InterSoft International, Inc.
Voice:888-823-1541 or 281-398-7060
Fax:888-823-1542 or 281-560-9170
http://www.securenetterm.com
_____________________________________________

From: i.palsenberg at jdimedia.nl (Igmar Palsenberg)
Date: Tue, 22 Aug 2000 15:37:23 +0200 (CEST)
Subject: OpenSSH PAM bug (fwd)
Message-ID:

Hi,

OpenSSH doesn't comply with the PAM spec, and always assumes that a password is asked. This prevents for example pam-cryptocard from operating.

I'll post a patch this week to make things work.... (and will also change the pam-cryptocard name. It's too confusing :)

Regards,

Igmar

--
Igmar Palsenberg
JDI Media Solutions
Jansplaats 11
6811 GB Arnhem
The Netherlands
mailto: i.palsenberg at jdimedia.nl

From: i.palsenberg at jdimedia.nl (Igmar Palsenberg)
Date: Tue, 22 Aug 2000 18:41:19 +0200 (CEST)
Subject: Work around Linux kernel bug provoked by nchan.c (fwd)
Message-ID:

I always forget those CC's :((

---------- Forwarded message ----------
Date: Tue, 22 Aug 2000 18:39:14 +0200 (CEST)
From: Igmar Palsenberg
To: zack at wolery.cumb.org
Subject: Re: Work around Linux kernel bug provoked by nchan.c

Hi,

Regarding this bug: the man page states:

    On success, zero is returned. On error, -1 is returned and errno is
    set appropriately.

    Errors:
    ENOTCONN  The specified socket is not connected.

If the other side had closed down the socket, it is not connected, and this error is returned. I won't call this a bug. I'll post it to the linux list, but I don't think they call it a bug.

Regards,

Igmar

--
Igmar Palsenberg
JDI Media Solutions
Jansplaats 11
6811 GB Arnhem
The Netherlands
mailto: i.palsenberg at jdimedia.nl
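The reading Igmar gives above (ENOTCONN after the peer has already closed is a legitimate answer, not a failure) is exactly what a tolerant channel-teardown path has to encode. The following is an added example, not OpenSSH code: a wrapper that treats ENOTCONN from shutdown() as "already disconnected" while still reporting every other errno, plus a self-check that provokes the ENOTCONN on a TCP socket that was never connected. Function names are this example's own.

```c
/* Added example (not OpenSSH code): tolerate ENOTCONN from shutdown()
 * on the close path, as Igmar's reading of the man page suggests. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Shut down one direction of a socket during teardown.
 * Returns 0 on success or when the kernel reports ENOTCONN (the socket is
 * already disconnected, so there is nothing left to shut down); returns -1
 * with errno preserved for anything else (EBADF, ENOTSOCK, ...), which the
 * caller should still log.
 */
int shutdown_tolerant(int fd, int how)
{
    if (shutdown(fd, how) == 0)
        return 0;
    if (errno == ENOTCONN)
        return 0;
    return -1;
}

/* errno that a raw shutdown(SHUT_RD) yields on a never-connected TCP
 * socket (constructed case; ENOTCONN on Linux and the BSDs). */
int raw_shutdown_errno(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    int saved;

    if (fd < 0)
        return errno;
    if (shutdown(fd, SHUT_RD) == 0)
        saved = 0;            /* would be surprising: no error at all */
    else
        saved = errno;
    close(fd);
    return saved;
}

/* Self-check: returns 0 when the raw call fails with ENOTCONN and the
 * wrapper suppresses it, -1 otherwise. */
int demo_unconnected_socket(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    int raw, raw_errno, tolerant;

    if (fd < 0)
        return -1;
    raw = shutdown(fd, SHUT_RD);
    raw_errno = errno;
    tolerant = shutdown_tolerant(fd, SHUT_RD);
    close(fd);
    return (raw == -1 && raw_errno == ENOTCONN && tolerant == 0) ? 0 : -1;
}

int main(void)
{
    int e = raw_shutdown_errno();
    printf("raw shutdown on unconnected socket: %s; wrapper %s\n",
           strerror(e),
           demo_unconnected_socket() == 0 ? "suppressed it" : "did not");
    return demo_unconnected_socket() == 0 ? 0 : 1;
}
```

Only the teardown path should go through the wrapper: an ENOTCONN from a socket the program believes to be live is still worth a log line, and a bad descriptor (EBADF) is still an error, which is why the wrapper only swallows that one errno.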
From: djm at mindrot.org (Damien Miller)
Date: Wed, 23 Aug 2000 11:54:40 +1000 (EST)
Subject: Test snapshot
Message-ID:

I have just tarred up a snapshot and uploaded it to:

http://www.mindrot.org/misc/openssh/openssh-SNAP-20000823.tar.gz

The snapshot incorporates the last month's fixes and enhancements from the openssh-unix-dev mailing list and from the OpenBSD developers. In particular:

- ssh-agent and ssh-add now handle DSA keys. NB. this does not interop with ssh.com's ssh-agent. (Markus Friedl)
- Fix crashes when sshd is run out of inetd
- More fixes for SunOS4 and NeXT (Nate Itkin and Charles Levert)
- Add Solaris package support in contrib/solaris/ (Rip Loomis)
- Random Early Drop connection rate limiting for sshd (Markus Friedl)
- Fix duplicate lastlog logging (Markus & me)
- Add -u option to sshd to make wtmp logging more like login's (Markus)
- Use pipes instead of socketpairs to avoid scp not exiting problem on SunOS4 and HPUX 10. (Klaus Engelhardt, Tamito KAJIYAMA & Lutz Jaenicke)
- Lots of other fixes (see changelog below)

Please give the snapshot a good run and report problems back to the mailing list.

If you have received this email twice, it is because you are on the list of testers. I will be setting up a separate email list over the weekend.

Regards,
Damien Miller

Changelog:

20000823
 - (djm) Define USE_PIPES to avoid socketpair problems on HPUX 10 and SunOS 4
   Avoids "scp never exits" problem. Reports from Lutz Jaenicke and
   Tamito KAJIYAMA
 - (djm) Pick up LOGIN_PROGRAM from environment or PATH if not set by headers
 - (djm) Add local version to version.h
 - (djm) OpenBSD CVS updates:
   - deraadt at cvs.openbsd.org 2000/08/18 20:07:23
     [ssh.c]
     accept remsh as a valid name as well; roman at buildpoint.com
   - deraadt at cvs.openbsd.org 2000/08/18 20:17:13
     [deattack.c crc32.c packet.c]
     rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
     libz crc32 function yet, because it has ugly "long"'s in it;
     oneill at cs.sfu.ca
   - deraadt at cvs.openbsd.org 2000/08/18 20:26:08
     [scp.1 scp.c]
     -S prog support; tv at debian.org
   - deraadt at cvs.openbsd.org 2000/08/18 20:50:07
     [scp.c]
     knf
   - deraadt at cvs.openbsd.org 2000/08/18 20:57:33
     [log-client.c]
     shorten
   - markus at cvs.openbsd.org 2000/08/19 12:48:11
     [channels.c channels.h clientloop.c ssh.c ssh.h]
     support for ~. in ssh2
   - deraadt at cvs.openbsd.org 2000/08/19 15:29:40
     [crc32.h]
     proper prototype
   - markus at cvs.openbsd.org 2000/08/19 15:34:44
     [authfd.c authfd.h key.c key.h ssh-add.1 ssh-add.c ssh-agent.1]
     [ssh-agent.c ssh-keygen.c sshconnect1.c sshconnect2.c Makefile]
     [fingerprint.c fingerprint.h]
     add SSH2/DSA support to the agent and some other DSA related cleanups.
     (note that we cannot talk to ssh.com's ssh2 agents)
   - markus at cvs.openbsd.org 2000/08/19 15:55:52
     [channels.c channels.h clientloop.c]
     more ~ support for ssh2
   - markus at cvs.openbsd.org 2000/08/19 16:21:19
     [clientloop.c]
     oops
   - millert at cvs.openbsd.org 2000/08/20 12:25:53
     [session.c]
     We have to stash the result of get_remote_name_or_ip() before we
     close our socket or getpeername() will get EBADF and the process
     will exit. Only a problem for "UseLogin yes".
   - millert at cvs.openbsd.org 2000/08/20 12:30:59
     [session.c]
     Only check /etc/nologin if "UseLogin no" since login(1) may have
     its own policy on determining who is allowed to login when
     /etc/nologin is present. Also use the _PATH_NOLOGIN define.
   - millert at cvs.openbsd.org 2000/08/20 12:42:43
     [auth1.c auth2.c session.c ssh.c]
     Add calls to setusercontext() and login_get*(). We basically call
     setusercontext() in most places where previously we did a
     setlogin(). Add default login.conf file and put root in the
     "daemon" login class.
   - millert at cvs.openbsd.org 2000/08/21 10:23:31
     [session.c]
     Fix incorrect PATH setting; noted by Markus.

20000818
 - (djm) OpenBSD CVS changes:
   - markus at cvs.openbsd.org 2000/07/22 03:14:37
     [servconf.c servconf.h sshd.8 sshd.c sshd_config]
     random early drop; ok theo, niels
   - deraadt at cvs.openbsd.org 2000/07/26 11:46:51
     [ssh.1]
     typo
   - deraadt at cvs.openbsd.org 2000/08/01 11:46:11
     [sshd.8]
     many fixes from pepper at mail.reppep.com
   - provos at cvs.openbsd.org 2000/08/01 13:01:42
     [Makefile.in util.c aux.c]
     rename aux.c to util.c to help with cygwin port
   - deraadt at cvs.openbsd.org 2000/08/02 00:23:31
     [authfd.c]
     correct sun_len; Alexander at Leidinger.net
   - provos at cvs.openbsd.org 2000/08/02 10:27:17
     [readconf.c sshd.8]
     disable kerberos authentication by default
   - provos at cvs.openbsd.org 2000/08/02 11:27:05
     [sshd.8 readconf.c auth-krb4.c]
     disallow kerberos authentication if we can't verify the TGT;
     from dugsong@ kerberos authentication is on by default only if
     you have a srvtab.
   - markus at cvs.openbsd.org 2000/08/04 14:30:07
     [auth.c]
     unused
   - markus at cvs.openbsd.org 2000/08/04 14:30:35
     [sshd_config]
     MaxStartups
   - markus at cvs.openbsd.org 2000/08/15 13:20:46
     [authfd.c]
     cleanup; ok niels@
   - markus at cvs.openbsd.org 2000/08/17 14:05:10
     [session.c]
     cleanup login(1)-like jobs, no duplicate utmp entries
   - markus at cvs.openbsd.org 2000/08/17 14:06:34
     [session.c sshd.8 sshd.c]
     sshd -u len, similar to telnetd
 - (djm) Lastlog was not getting closed after writing login entry
 - (djm) Add Solaris package support from Rip Loomis

20000816
 - (djm) Replacement for inet_ntoa for Irix (which breaks on gcc)
 - (djm) Fix strerror replacement for old SunOS. Based on patch from
   Charles Levert
 - (djm) Separate arc4random into separate file and use OpenSSL's RC4
   implementation.
 - (djm) SUN_LEN macro for systems which lack it

20000815
 - (djm) More SunOS 4.1.x fixes from Nate Itkin
 - (djm) Avoid failures on Irix when ssh is not setuid. Fix from Michael Stone
 - (djm) Don't seek in directory based lastlogs
 - (djm) Fix --with-ipaddr-display configure option test. Patch from
   Jarno Huuskonen
 - (djm) Fix AIX limits from Alexandre Oliva

20000813
 - (djm) Add $(srcdir) to includes when compiling (for VPATH). Report from
   Fabrice bacchella

20000809
 - (djm) Define AIX hard limits if headers don't. Report from Bill Painter
 - (djm) utmp direct write & SunOS 4 patch from Charles Levert

20000808
 - (djm) Cleanup Redhat RPMs. Generate keys at runtime rather than install
   time, spec file cleanup.

20000807
 - (djm) Set 0755 on binaries during install. Report from Lutz Jaenicke
 - (djm) Suppress error messages on channel close shutdown() failures;
   works around Linux bug. Patch from Zack Weinberg
 - (djm) Add some more entropy collection commands from Lutz Jaenicke

20000725
 - (djm) Fix autoconf typo: HAVE_BINRESVPORT_AF -> HAVE_BINDRESVPORT_AF

20000721
 - (djm) OpenBSD CVS updates:
   - markus at cvs.openbsd.org 2000/07/16 02:27:22
     [authfd.c authfd.h channels.c clientloop.c ssh-add.c ssh-agent.c ssh.c]
     [sshconnect1.c sshconnect2.c]
     make ssh-add accept dsa keys (the agent does not)
   - djm at cvs.openbsd.org 2000/07/17 19:25:02
     [sshd.c]
     Another closing of stdin; ok deraadt
   - markus at cvs.openbsd.org 2000/07/19 18:33:12
     [dsa.c]
     missing free, reorder
   - markus at cvs.openbsd.org 2000/07/20 16:23:14
     [ssh-keygen.1]
     document input and output files

20000720
 - (djm) Spec file fix from Petr Novotny

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
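The "Random Early Drop connection rate limiting" item in the snapshot announcement above is the MaxStartups option, whose value has the form begin:rate:full. As an added example, not sshd's own code, the following reimplements that policy so the ramp can be inspected and unit-tested: below `begin` nothing is refused; once `begin` unauthenticated connections are pending, a new one is refused with probability `rate` percent; the probability rises linearly to 100 percent at `full`. A bare number N is treated as a hard limit (begin = full = N). The struct and function names are this example's own.

```c
/* Added example, not sshd code: the MaxStartups begin:rate:full policy. */
#include <stdio.h>
#include <stdlib.h>

struct max_startups {
    int begin;  /* start refusing once this many pre-auth connections exist */
    int rate;   /* percent refused at exactly `begin` */
    int full;   /* refuse everything at or above this count */
};

/*
 * Parse "begin:rate:full" or a single number N (begin = full = N, a hard
 * limit). Returns 0 and fills *ms on success, -1 on a malformed or
 * inconsistent spec (full below begin, rate outside 1..100).
 */
int parse_max_startups(const char *spec, struct max_startups *ms)
{
    int n = sscanf(spec, "%d:%d:%d", &ms->begin, &ms->rate, &ms->full);

    if (n == 1) {
        ms->rate = 100;
        ms->full = ms->begin;
    } else if (n != 3) {
        return -1;
    }
    if (ms->begin < 1 || ms->full < ms->begin ||
        ms->rate < 1 || ms->rate > 100)
        return -1;
    return 0;
}

/*
 * Percent chance of refusing a new connection when `startups` connections
 * are already waiting in the pre-authentication phase.
 */
int drop_probability(const struct max_startups *ms, int startups)
{
    if (startups < ms->begin)
        return 0;
    if (startups >= ms->full)
        return 100;
    /* linear ramp from `rate` at begin to 100 at full; full > begin here */
    return ms->rate +
           (100 - ms->rate) * (startups - ms->begin) / (ms->full - ms->begin);
}

/*
 * Deterministic decision given a random draw in [0, 100). The caller
 * supplies the draw so the policy can be tested; a server would take it
 * from its CSPRNG (arc4random_uniform(100) on OpenBSD).
 */
int should_drop(const struct max_startups *ms, int startups, int draw)
{
    return draw < drop_probability(ms, startups);
}

/* Convenience for one-off checks: parse, then evaluate; -1 if spec is bad. */
int drop_probability_for(const char *spec, int startups)
{
    struct max_startups ms;

    if (parse_max_startups(spec, &ms) != 0)
        return -1;
    return drop_probability(&ms, startups);
}

int main(void)
{
    const char *spec = "10:30:60";   /* the usual documented default */
    int s;

    for (s = 0; s <= 60; s += 10)
        printf("MaxStartups %s: startups=%2d -> drop %3d%%\n",
               spec, s, drop_probability_for(spec, s));
    return 0;
}
```

The ramp is what distinguishes this from a plain connection cap: under a flood of half-open connections a fraction of legitimate logins still gets through until `full` is reached, and an attacker cannot hold the server at exactly `begin` and lock everyone else out.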
From: emily at ubermachine.com (Emily Slocombe)
Date: Tue, 22 Aug 2000 23:31:00 -0400
Subject: Test snapshot
In-Reply-To: ; from djm@mindrot.org on Wed, Aug 23, 2000 at 11:54:40AM +1000
References:
Message-ID: <20000822233100.A15924@ubermachine.com>

* Damien Miller [000823 02:07]:
|
|I have just tarred up a snapshot and uploaded it to:
|http://www.mindrot.org/misc/openssh/openssh-SNAP-20000823.tar.gz

Not on the testing team, but sshd and ssh build and run fine on Slackware 7 and 7.1. I still need to specify lcrypt and link /usr/local/sbin/scp to /bin/scp, but I have had to do this for a while under Slackware with OpenSSH.

Here are my usual configure options:

    LIBS=-lcrypt ./configure \
      --with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/local/sbin \
      --with-md5-passwords

--
Emily Slocombe
......................................................................
"Linux - it'll eat your dog for you if you want your dog to be eaten"
From: oetiker at ee.ethz.ch (Tobias Oetiker)
Date: Wed, 23 Aug 2000 08:20:42 +0200 (MET DST)
Subject: [openssh] Test snapshot (Solaris Bug Report)
In-Reply-To:
Message-ID:

Today you sent me mail regarding [openssh] Test snapshot:

*>
*> I have just tarred up a snapshot and uploaded it to:
*> http://www.mindrot.org/misc/openssh/openssh-SNAP-20000823.tar.gz

tested it on SPARC Solaris 2.6. It seems to work fine, but the Motif bug is still there:

* open a ssh with X forwarding to a REMOTE host (localhost is not good).
* Start a Motif application on the remote host. (Eg nedit).
* Now close the application.
* Oops .. the connection is gone ...

----------------------------------------------------------
tardis> nedit
Connection to tardis closed by remote host.
Connection to tardis closed.
engelberg>
----------------------------------------------------------

cheers
tobi

--
 ______    __   _
/_  __/__  / /  (_) Oetiker, Timelord & SysMgr @ EE-Dept ETH-Zurich
 / // _ \/ _ \/ /  TEL: +41(0)1-6325286 FAX:...1517 ICQ: 10419518
/_/ \.__/_.__/_/   oetiker at ee.ethz.ch http://ee-staff.ethz.ch/~oetiker

From: mouring at pconline.com (Ben Lindstrom)
Date: Wed, 23 Aug 2000 01:25:12 -0500 (CDT)
Subject: Test snapshot
In-Reply-To:
Message-ID:

OpenStep 4.2.. Compiles. I've not run any amount of tests on it yet since I'm going to bed. =)

All the wait() stuff in the next-posix.[ch] should be split out to its own bsd-wait.[ch]. I'll take a look at that later this week.

configure.in changes to clean up the *-next-* section.

--- configure.in.orig Wed Aug 23 01:17:38 2000 +++ configure.in Wed Aug 23 01:19:42 2000
@@ -122,15 +122,13 @@ need_dash_r=1 ;; *-next-*) - # hardwire lastlog location (can't detect it on some versions) conf_lastlog_location="/usr/adm/lastlog" conf_utmp_location=/etc/utmp + conf_wtmp_location=/usr/adm/wtmp + MAIL=/usr/spool/mail AC_DEFINE(HAVE_NEXT) CFLAGS="$CFLAGS -I/usr/local/include" - MAIL=/usr/spool/mail AC_MSG_WARN([*** Tested: PA-RISC/m68k Untested: Sparc/Intel]) - AC_MSG_WARN([*** Expect 'scp' to fail!]) - AC_MSG_WARN([*** Please report any problems, thanks]) ;; *-*-solaris*) CFLAGS="$CFLAGS -I/usr/local/include" Login utmp/wtmp patch that slipped through from the verification of the SunOS 4.1.x direct utmp write on NeXT: --- loginrec.c.orig Wed Aug 23 01:05:37 2000 +++ loginrec.c Wed Aug 23 01:06:06 2000 @@ -724,7 +724,7 @@ /* FIXME: (ATL) ttyslot() needs local implementation */ -#if defined(SUNOS4) && defined(HAVE_GETTTYENT) +#if defined(HAVE_GETTTYENT) register struct ttyent *ty; tty=0; @@ -745,7 +745,7 @@ tty = ttyslot(); /* seems only to work for /dev/ttyp? style names */ -#endif /* SUNOS4 && HAVE_GETTTYENT */ +#endif /* HAVE_GETTTYENT */ if (tty > 0 && (fd = open(UTMP_FILE, O_RDWR|O_CREAT, 0644)) >= 0) { (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); From jhuuskon at messi.uku.fi Wed Aug 23 17:48:37 2000 
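Review bot: the configure.in hunk at @@ -122,15 +122,13 @@ deletes the `AC_MSG_WARN([*** Expect 'scp' to fail!])` and "Please report any problems" warnings for *-next-*, but the covering message says no tests have been run on this snapshot yet; if the warning is obsolete because of the USE_PIPES change listed in the snapshot announcement, say so in the description, otherwise keep it until scp has been seen to work on NeXT. Moving `MAIL=/usr/spool/mail` above `AC_DEFINE(HAVE_NEXT)` and adding `conf_wtmp_location=/usr/adm/wtmp` look fine, but a one-line note that the MAIL move is a pure reorder would save the next reader a diff.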
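Review bot: in the loginrec.c hunks at @@ -724,7 +724,7 @@ and @@ -745,7 +745,7 @@, widening `#if defined(SUNOS4) && defined(HAVE_GETTTYENT)` to `#if defined(HAVE_GETTTYENT)` makes the getttyent() scan replace the `tty = ttyslot()` fallback on every platform that defines HAVE_GETTTYENT, not only SunOS 4 and the NeXT case this was found on; given the comment that ttyslot() "seems only to work for /dev/ttyp? style names" that may be the better default, but the description should name which other HAVE_GETTTYENT platforms were checked, or the guard should become `defined(SUNOS4) || defined(HAVE_NEXT)` so the change stays scoped to what was tested.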
From: jhuuskon at messi.uku.fi (Jarno Huuskonen)
Date: Wed, 23 Aug 2000 10:48:37 +0300
Subject: Protocol 2 remote forwarding patch
Message-ID: <20000823104837.A661@laivuri63.uku.fi>

Hi !

Here's a patch to add remote port forwarding support (protocol 2) for openssh. I have tried to test that it works like it should but a more thorough testing is needed. This patch adds both client/server support. The patch should be applied to openssh-2.1.1p4 source tree.

Also included is a PortForwarding sshd_config option, new ./configure option --disable-forwarding that should make it possible to disable port forwarding in server altogether and some earlier patch to make ssh client fork with -f (when using protocol 2).

Please test the patch and give me feedback.

-Jarno
--
Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi
University of Kuopio - Computer Center | Work: +358 17 162822
PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169

-------------- next part --------------
diff -u -r openssh-2.1.1p4/auth2.c openssh-2.1.1p4-jhchanges/auth2.c --- openssh-2.1.1p4/auth2.c Tue Jul 11 10:31:38 2000 +++ openssh-2.1.1p4-jhchanges/auth2.c Tue Aug 22 19:43:09 2000 @@ -65,6 +65,7 @@ extern ServerOptions options; extern unsigned char *session_id2; extern int session_id2_len; +extern int user_authenticated_as_root; /* Jarno: From channels.c */ /* protocol */ @@ -239,6 +240,14 @@ packet_put_char(0); /* XXX partial success, unused */ packet_send(); packet_write_wait(); + } + + /* Jarno: Set the user_authenticated_as_root flag */ + if ( authenticated && pw && pw->pw_uid == (uid_t)0 ) { + user_authenticated_as_root = 1; + } + else { + user_authenticated_as_root = 0; } xfree(service); diff -u -r openssh-2.1.1p4/channels.c openssh-2.1.1p4-jhchanges/channels.c --- openssh-2.1.1p4/channels.c Mon Jun 26 03:22:53 2000 +++ openssh-2.1.1p4-jhchanges/channels.c Wed Aug 23 09:27:47 2000
@@ -59,6 +59,12 @@ */ static int channels_alloc = 0; +/* Jarno: Needed to check if port_forwarding is allowed */ +int allow_port_forwarding; +int user_authenticated_as_root; /* This could be uid so we could log who + * tried to forward ports. + */ + /* * Maximum file descriptor value used in any of the channels. This is * updated in channel_allocate. @@ -581,13 +587,20 @@ "connect from %.200s port %d", c->listening_port, c->path, c->host_port, remote_hostname, remote_port); - newch = channel_new("direct-tcpip", + /* Jarno: If the channel is SSH2 port listener (server) then send + * forwarded-tcpip message. + */ + newch = channel_new( (c->type == SSH2_CHANNEL_PORT_LISTENER) ? + "forwarded-tcpip" : "direct-tcpip", SSH_CHANNEL_OPENING, newsock, newsock, -1, c->local_window_max, c->local_maxpacket, 0, xstrdup(buf)); if (compat20) { packet_start(SSH2_MSG_CHANNEL_OPEN); - packet_put_cstring("direct-tcpip"); + if (c->type == SSH2_CHANNEL_PORT_LISTENER) + packet_put_cstring("forwarded-tcpip"); + else + packet_put_cstring("direct-tcpip"); packet_put_int(newch); packet_put_int(c->local_window_max); packet_put_int(c->local_maxpacket); @@ -786,10 +799,12 @@ channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_20; channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; + channel_pre[SSH2_CHANNEL_PORT_LISTENER] = &channel_pre_listener; channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_2; channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; + channel_post[SSH2_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; } 
@@ -1275,6 +1290,122 @@ c->remote_window += adjust; } +/* Jarno Huuskonen: Checks if the server allows port forwarding. + * Logs all failed attempts. + * Return 1 if the forwarding is allowed or 0 for failure. + */ +int allow_remote_forwarding(const char *address_to_listen, int port) +{ +#ifdef DISABLE_FORWARDING + return 0; +#endif /* DISABLE_FORWARDING */ + + /* Only root can forward privileged ports */ + if ( port < IPPORT_RESERVED && !user_authenticated_as_root ) { + debug("Non-root user tries to forward privileged port %d", port); + /* Commercial ssh2 doesn't disconnect so same behaviour here */ + packet_send_debug("Requested forwarding of port %d but user is not root.", + port); + return 0; + } + + /* Is forwarding disabled in configuration */ + if ( allow_port_forwarding ) { + return 1; + } + /* TODO: Better logging of refused forwards: + * log("Refused port forward request from %.100s port %d."); + */ + return 0; +} + +/* Jarno Huuskonen: This is called when server receives + * SSH2_MSG_GLOBAL_REQUEST. Handles both "tcpip-forward" and + * "cancel-tcpip-forward" requests. + */ +void +channel_server_global_request(int type, int plen) +{ + char *rtype; + char want_reply; + int success = 0; + + rtype = packet_get_string(NULL); + want_reply = packet_get_char(); + debug("server received: %.100s request (reply=%d)",rtype, + (int)want_reply); + + if ( strcmp(rtype, "tcpip-forward") == 0 ) { + char *address_to_bind; + int port_to_bind; + address_to_bind = packet_get_string(NULL); + port_to_bind = packet_get_int(); + + /* Check if the client is allowed to forward (this port) */ + if ( allow_remote_forwarding(address_to_bind, port_to_bind) ) { + /* Start listening on the port */ + channel_request_local_forwarding( port_to_bind, address_to_bind, + port_to_bind, 1, 1 ); + /* NOT REACHED if error (disconnects). 
+ * Note: if error xfree not called + * for address_to_bind + */ + success = 1; + } + else { + success = 0; + packet_send_debug("Server has disabled port forwarding."); + } + + xfree( address_to_bind ); + } + + /* TODO: This is untested !!! create some test code !!!*/ + if ( strcmp(rtype, "cancel-tcpip-forward") == 0 ) { + char *address_to_bind; + int port_to_bind; + int chan; + + address_to_bind = packet_get_string(NULL); + port_to_bind = packet_get_int(); + + /* Lookup the channel listening for this port: + First see if the channel type is SSH2_CHANNEL_PORT_LISTENER and then + compare port/addr. + TODO: Is it safe to use strcmp ? + */ + for (chan = 0; chan < channels_alloc; chan++) { + if ( channels[chan].type == SSH2_CHANNEL_PORT_LISTENER ) { + if ( channels[chan].listening_port == port_to_bind && + (strcmp(address_to_bind, channels[chan].path) == 0) ) + break; + } + } + + if ( chan < channels_alloc ) { + /* We have a winner --> close the channel*/ + channel_free( channels[chan].self ); + success = 1; + } + xfree( address_to_bind ); + } + + /* Client requested a reply */ + if ( want_reply ) { + if ( success ) { + packet_start(SSH2_MSG_REQUEST_SUCCESS); + } + else { + packet_start(SSH2_MSG_REQUEST_FAILURE); + } + /* Now send the SUCCESS/FAILURE */ + packet_send(); + packet_write_wait(); + } + xfree(rtype); +} + + /* * Stops listening for channels, and removes any unix domain sockets that we * might have. @@ -1292,6 +1423,7 @@ channel_free(i); break; case SSH_CHANNEL_PORT_LISTENER: + case SSH2_CHANNEL_PORT_LISTENER: /* Jarno */ case SSH_CHANNEL_X11_LISTENER: close(channels[i].sock); channel_free(i); @@ -1335,6 +1467,7 @@ case SSH_CHANNEL_FREE: case SSH_CHANNEL_X11_LISTENER: case SSH_CHANNEL_PORT_LISTENER: + case SSH2_CHANNEL_PORT_LISTENER: /* Jarno */ case SSH_CHANNEL_CLOSED: case SSH_CHANNEL_AUTH_SOCKET: continue; 
@@ -1380,6 +1513,7 @@ case SSH_CHANNEL_FREE: case SSH_CHANNEL_X11_LISTENER: case SSH_CHANNEL_PORT_LISTENER: + case SSH2_CHANNEL_PORT_LISTENER: /* Jarno */ case SSH_CHANNEL_CLOSED: case SSH_CHANNEL_AUTH_SOCKET: continue; @@ -1412,10 +1546,14 @@ * Initiate forwarding of connections to local port "port" through the secure * channel to host:port from remote side. */ - +/* Jarno: If ssh2_remote_fwd is true then protocol 2 server called this + * and we need to use channel type SSH2_CHANNEL_PORT_LISTENER (when someone + * connects to the listening socket we know to send "forwarded-tcpip" message + * instead of "direct-tcpip"). + */ void channel_request_local_forwarding(u_short port, const char *host, - u_short host_port, int gateway_ports) + u_short host_port, int gateway_ports, int ssh2_remote_fwd) { int success, ch, sock, on = 1; struct addrinfo hints, *ai, *aitop; @@ -1482,7 +1620,8 @@ } /* Allocate a channel number for the socket. */ ch = channel_new( - "port listener", SSH_CHANNEL_PORT_LISTENER, + "port listener", + ssh2_remote_fwd ? SSH2_CHANNEL_PORT_LISTENER : SSH_CHANNEL_PORT_LISTENER, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, xstrdup("port listener")); 
@@ -1506,38 +1645,149 @@ u_short port_to_connect) { int payload_len; + int type; + int success = 0; + /* Record locally that connection to this host/port is permitted. */ if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) fatal("channel_request_remote_forwarding: too many forwards"); - permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); - permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; - permitted_opens[num_permitted_opens].listen_port = listen_port; - num_permitted_opens++; - /* Send the forward request to the remote side. */ if (compat20) { const char *address_to_bind = "0.0.0.0"; packet_start(SSH2_MSG_GLOBAL_REQUEST); packet_put_cstring("tcpip-forward"); - packet_put_char(0); /* boolean: want reply */ + + /* Don't ask for a reply because: while waiting for a reply server can + send rekey-msg and handling that correctly might be messy. + Not requesting a reply is not the best solution: We have no way of + know if the server doesn't allow port forwarding. + */ + packet_put_char(0); /* Boolean 1 asks for reply */ packet_put_cstring(address_to_bind); packet_put_int(listen_port); - } else { + packet_send(); + packet_write_wait(); + success = 1; /* Assume that server accepts the request and put the + forward request to permitted_opens */ + + /* + type = packet_read(&payload_len); + switch (type) { + case SSH2_MSG_REQUEST_SUCCESS: + success = 1; + break; + case SSH2_MSG_REQUEST_FAILURE: + log("Warning: Server doesn't do port forwarding."); + break; + default: + packet_disconnect("Protocol error for port forward request: received packet type %d.", type); + } + */ + } + else { + /* Protocol 1 */ packet_start(SSH_CMSG_PORT_FORWARD_REQUEST); packet_put_int(listen_port); packet_put_cstring(host_to_connect); packet_put_int(port_to_connect); packet_send(); packet_write_wait(); - /* - * Wait for response from the remote side. It will send a disconnect - * message on failure, and we will never see it here. 
+ + /* Jarno: Server can send SSH_SMSG_FAILURE if it won't do port + * forwardings. Read the server reply. */ - packet_read_expect(&payload_len, SSH_SMSG_SUCCESS); + type = packet_read(&payload_len); /* Expect reply from server */ + switch (type) { + case SSH_SMSG_SUCCESS: + success = 1; + break; + case SSH_SMSG_FAILURE: + log("Warning: Server doesn't do port forwarding."); + break; + default: + /* Unknown packet */ + packet_disconnect("Protocol error for port forward request: received packet type %d.", type); + } + } + + if ( success ) { + permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); + permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; + permitted_opens[num_permitted_opens].listen_port = listen_port; + num_permitted_opens++; } } +/* Jarno Huuskonen: + * This gets called after ssh client has received + * SSH2_MSG_GLOBAL_REQUEST type "forwarded-tcpip". + * + * returns new channel if OK or NULL for failure. + */ +Channel* +client_forwarded_tcpip_request(const char *request_type, int rchan, + int rwindow, int rmaxpack) +{ + Channel* c = NULL; + int sock; + char *listen_address; /* Remote (server) address that is listening + for the connection */ + int listen_port; + char* originator_address; /* Address of the client connecting to + listen_address */ + int originator_port; /* Client port */ + + unsigned int client_len, connected_len; + + int newch; + int i; + + debug("ssh2 server tries to open forwarded-tcpip channel."); + + /* Get rest of the packet */ + listen_address = packet_get_string(&connected_len); + listen_port = packet_get_int(); + originator_address = packet_get_string(&client_len); + originator_port = packet_get_int(); + packet_done(); + + /* Check if we have requested this remote forwarding + * Note: this is not fool proof, because we don't ask the server to + * acknowledge our remote forward request. 
+ */ + for (i = 0; i= num_permitted_opens ) { + log("Received request to open remote forwarded channel (%d) but the request was denied", rchan); + return NULL; + } + + /* TODO: Somekind of access control ?? + * Maybe tcp_wrappers/username/group based access control ?? + */ + + /* Open socket and allocate a channel for it */ + sock = channel_connect_to(permitted_opens[i].host_to_connect, + permitted_opens[i].port_to_connect); + + if ( sock >= 0 ) { + newch = channel_new("forwarded-tcpip", SSH_CHANNEL_OPEN, + sock, sock, -1, 4*1024, 32*1024, 0, + xstrdup(originator_address)); + c = channel_lookup( newch ); + } + /* client_input_channel_open calls xfree(request_type) Don't call it here */ + xfree(originator_address); + xfree(listen_address); + return c; +} + /* * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates * listening for the port, and sends back a success reply (or disconnect @@ -1565,7 +1815,10 @@ /* * Initiate forwarding, */ - channel_request_local_forwarding(port, hostname, host_port, gateway_ports); + /* Jarno: The last parameter is used to signal if this is protocol 2 + server listening for remote forward --> false */ + channel_request_local_forwarding(port, hostname, host_port, + gateway_ports, 0); /* Free the argument string. */ xfree(hostname); 
@@ -1621,22 +1874,49 @@ return sock; } +/* Jarno: This is only a wrapper for channel_input_port_open that + * server calls after receiving PORT_OPEN. The only purpose for this is to + * make it possible to refuse forwarding requests (in server). + */ +void server_channel_input_port_open(int type, int plen) +{ + int remote_channel = packet_get_int(); + +#ifndef DISABLE_FORWARDING + if (!allow_port_forwarding) { +#endif + debug("Refused port forward request."); + packet_send_debug("Server configuration rejects port forwardings."); + packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); + packet_put_int(remote_channel); + packet_send(); + return; +#ifndef DISABLE_FORWARDING + } +#endif + channel_input_port_open(type, plen, remote_channel); +} + +/* Jarno: This is only a client wrapper for channel_input_port_open */ +void client_channel_input_port_open(int type, int plen) +{ + int remote_channel = packet_get_int(); + channel_input_port_open(type, plen, remote_channel); +} + + /* * This is called after receiving PORT_OPEN message. This attempts to * connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION * or CHANNEL_OPEN_FAILURE. */ - void -channel_input_port_open(int type, int plen) +channel_input_port_open(int type, int plen, int remote_channel) { u_short host_port; char *host, *originator_string; - int remote_channel, sock = -1, newch, i, denied; + int sock = -1, newch, i, denied; unsigned int host_len, originator_len; - - /* Get remote channel number. */ - remote_channel = packet_get_int(); /* Get host name to connect to. */ host = packet_get_string(&host_len); diff -u -r openssh-2.1.1p4/channels.h openssh-2.1.1p4-jhchanges/channels.h --- openssh-2.1.1p4/channels.h Thu Jun 22 14:32:31 2000 +++ openssh-2.1.1p4-jhchanges/channels.h Tue Aug 22 21:36:16 2000 
@@ -15,7 +15,13 @@ #define SSH_CHANNEL_INPUT_DRAINING 8 /* sending remaining data to conn */ #define SSH_CHANNEL_OUTPUT_DRAINING 9 /* sending remaining data to app */ #define SSH_CHANNEL_LARVAL 10 /* larval session */ -#define SSH_CHANNEL_MAX_TYPE 11 +#define SSH2_CHANNEL_PORT_LISTENER 11 /* Jarno: protocol 2 remote port + * listener. (needs different type + * because with protocol 2 remote + * forward the server sends + * forwarded-tcpip (not direct-tcpip) + */ +#define SSH_CHANNEL_MAX_TYPE 12 /* * Data structure for channel data. This is iniailized in channel_allocate @@ -89,10 +95,27 @@ void channel_input_oclose(int type, int plen); void channel_input_open_confirmation(int type, int plen); void channel_input_open_failure(int type, int plen); -void channel_input_port_open(int type, int plen); +/* Jarno: This is only a wrapper for channel_input_port_open that the + * server calls after receiving PORT_OPEN. The only purpose of this is to + * make it possible to refuse forwarding requests. + */ +void server_channel_input_port_open(int type, int plen); +/* Jarno: This is only a client wrapper for channel_input_port_open */ +void client_channel_input_port_open(int type, int plen); +void channel_input_port_open(int type, int plen, int remote_channel); void channel_input_window_adjust(int type, int plen); + +/* Jarno Huuskonen: Checks if the server allows port forwarding. + * Logs all failed attempts. + * Return 1 if the forwarding is allowed or 0 for failure. + */ +int allow_remote_forwarding(const char *address_to_listen, int port); + void channel_input_open(int type, int plen); +/* Jarno Huuskonen: */ +void channel_server_global_request(int type, int plen); + /* Sets specific protocol options. */ void channel_set_options(int hostname_in_open); 
@@ -149,9 +172,12 @@ * channel to host:port from remote side. This never returns if there was an * error. */ +/* Jarno: Added ssh2_remote_fwd flag. Used when protocol2 server gets + * tcpip-forward request + */ void channel_request_local_forwarding(u_short port, const char *host, - u_short remote_port, int gateway_ports); + u_short remote_port, int gateway_ports, int ssh2_remote_fwd); /* * Initiate forwarding of connections to port "port" on remote host through @@ -162,6 +188,12 @@ void channel_request_remote_forwarding(u_short port, const char *host, u_short remote_port); + +/* Jarno Huuskonen: + */ +Channel * +client_forwarded_tcpip_request(const char *request_type, int rchan, + int rwindow, int rmaxpack); /* * Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually diff -u -r openssh-2.1.1p4/clientloop.c openssh-2.1.1p4-jhchanges/clientloop.c --- openssh-2.1.1p4/clientloop.c Sat Jul 15 07:14:17 2000 +++ openssh-2.1.1p4-jhchanges/clientloop.c Tue Aug 22 21:37:57 2000 @@ -974,6 +974,12 @@ debug("client_input_channel_open: ctype %s rchan %d win %d max %d", ctype, rchan, rwindow, rmaxpack); + /* Jarno: Check if ssh2 server tries to open remote forward channel + */ + if (strcmp(ctype, "forwarded-tcpip") == 0) { + c = client_forwarded_tcpip_request( ctype, rchan, rwindow, rmaxpack ); + } + if (strcmp(ctype, "x11") == 0) { int sock; char *originator; @@ -1015,7 +1021,8 @@ packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE); packet_put_int(rchan); packet_put_int(SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED); - packet_put_cstring("bla bla"); + packet_put_cstring("bla bla"); /* TODO: Perhaps a little better + explanation */ packet_put_cstring(""); packet_send(); } 
@@ -1045,7 +1052,7 @@ dispatch_set(SSH_MSG_CHANNEL_DATA, &channel_input_data); dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation); dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); - dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open); + dispatch_set(SSH_MSG_PORT_OPEN, &client_channel_input_port_open); /* Jarno */ dispatch_set(SSH_SMSG_AGENT_OPEN, &auth_input_open_request); dispatch_set(SSH_SMSG_EXITSTATUS, &client_input_exit_status); dispatch_set(SSH_SMSG_STDERR_DATA, &client_input_stderr_data); diff -u -r openssh-2.1.1p4/configure.in openssh-2.1.1p4-jhchanges/configure.in --- openssh-2.1.1p4/configure.in Sat Jul 15 07:59:14 2000 +++ openssh-2.1.1p4-jhchanges/configure.in Fri Aug 18 20:02:20 2000 @@ -1094,6 +1094,12 @@ AC_DEFINE_UNQUOTED(PIDDIR, "$piddir") AC_SUBST(piddir) +# Disable server port forwarding +AC_ARG_ENABLE(forwarding, + [ --disable-forwarding disable port forwarding in server [no]], + [ AC_DEFINE(DISABLE_FORWARDING) ] +) + dnl allow user to disable some login recording features AC_ARG_ENABLE(lastlog, [ --disable-lastlog disable use of lastlog even if detected [no]], @@ -1370,7 +1376,6 @@ echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " Use IPv4 by default hack: $IPV4_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" - echo "" echo "Compiler flags: ${CFLAGS}" diff -u -r openssh-2.1.1p4/config.h.in openssh-2.1.1p4-jhchanges/config.h.in --- openssh-2.1.1p4/config.h.in Sun Jul 16 06:26:46 2000 +++ openssh-2.1.1p4-jhchanges/config.h.in Fri Aug 18 19:58:58 2000 
@@ -73,6 +73,9 @@ #undef HAVE_TIME_IN_UTMP #undef HAVE_TIME_IN_UTMPX +/* Define if you want to disable port forwarding in server */ +#undef DISABLE_FORWARDING + /* Define if you don't want to use your system's login() call */ #undef DISABLE_LOGIN diff -u -r openssh-2.1.1p4/servconf.c openssh-2.1.1p4-jhchanges/servconf.c --- openssh-2.1.1p4/servconf.c Sat Jul 15 07:14:17 2000 +++ openssh-2.1.1p4-jhchanges/servconf.c Mon Aug 21 20:48:09 2000 @@ -19,6 +19,9 @@ #include "xmalloc.h" #include "compat.h" +/* Jarno: import */ +extern int allow_port_forwarding; + /* add listen address */ void add_listen_addr(ServerOptions *options, char *addr); @@ -45,6 +48,7 @@ options->x11_forwarding = -1; options->x11_display_offset = -1; options->xauth_location = NULL; + allow_port_forwarding = -1; options->strict_modes = -1; options->keepalives = -1; options->log_facility = (SyslogFacility) - 1; @@ -116,6 +120,8 @@ if (options->xauth_location == NULL) options->xauth_location = XAUTH_PATH; #endif /* XAUTH_PATH */ + if (allow_port_forwarding == -1) + allow_port_forwarding = 1; /* Allow forwarding */ if (options->strict_modes == -1) options->strict_modes = 1; if (options->keepalives == -1) @@ -180,9 +186,9 @@ sSkeyAuthentication, #endif sPasswordAuthentication, sListenAddress, - sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, - sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, - sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, + sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, + sPortForwarding, sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, + sCheckMail, sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile, sGatewayPorts, sDSAAuthentication, sXAuthLocation, sSubsystem, sMaxStartups } ServerOpCodes; 
@@ -227,6 +233,7 @@ { "x11forwarding", sX11Forwarding }, { "x11displayoffset", sX11DisplayOffset }, { "xauthlocation", sXAuthLocation }, + { "portforwarding", sPortForwarding }, { "strictmodes", sStrictModes }, { "permitemptypasswords", sEmptyPasswd }, { "uselogin", sUseLogin }, @@ -518,7 +525,11 @@ case sXAuthLocation: charptr = &options->xauth_location; goto parse_filename; - + + case sPortForwarding: + intptr = &allow_port_forwarding; + goto parse_flag; + case sStrictModes: intptr = &options->strict_modes; goto parse_flag; diff -u -r openssh-2.1.1p4/serverloop.c openssh-2.1.1p4-jhchanges/serverloop.c --- openssh-2.1.1p4/serverloop.c Tue Jul 11 10:31:38 2000 +++ openssh-2.1.1p4-jhchanges/serverloop.c Tue Aug 22 21:26:20 2000 @@ -44,6 +44,9 @@ static unsigned int buffer_high;/* "Soft" max buffer size. */ static int max_fd; /* Max file descriptor number for select(). */ +/* Jarno: import */ +extern int allow_port_forwarding; + /* * This SIGCHLD kludge is used to detect when the child exits. The server * will exit after that, as soon as forwarded connections have terminated. @@ -722,11 +725,19 @@ originator, originator_port, target, target_port); /* XXX check permission */ - if (no_port_forwarding_flag) { + /* Jarno: TODO: call function to check forwarding+better logging */ +#ifndef DISABLE_FORWARDING + if (no_port_forwarding_flag || !allow_port_forwarding) { +#endif /* DISABLE_FORWARDING */ + packet_send_debug("Server configuration rejects port forwardings."); + debug("Port forwarding disabled in server configuration."); xfree(target); xfree(originator); return -1; +#ifndef DISABLE_FORWARDING } +#endif /* DISABLE_FORWARDING */ + sock = channel_connect_to(target, target_port); xfree(target); xfree(originator); 
@@ -819,6 +830,7 @@ dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &channel_input_channel_request); dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust); + dispatch_set(SSH2_MSG_GLOBAL_REQUEST, &channel_server_global_request); } void server_init_dispatch_13() @@ -833,7 +845,7 @@ dispatch_set(SSH_MSG_CHANNEL_DATA, &channel_input_data); dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation); dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); - dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open); + dispatch_set(SSH_MSG_PORT_OPEN, &server_channel_input_port_open); /* Jarno */ } void server_init_dispatch_15() diff -u -r openssh-2.1.1p4/session.c openssh-2.1.1p4-jhchanges/session.c --- openssh-2.1.1p4/session.c Wed Jul 12 02:45:27 2000 +++ openssh-2.1.1p4-jhchanges/session.c Wed Aug 23 10:25:53 2000 @@ -82,6 +82,9 @@ /* import */ extern ServerOptions options; +/* Jarno */ +extern int allow_port_forwarding; + #ifdef HAVE___PROGNAME extern char *__progname; #else /* HAVE___PROGNAME */ @@ -324,6 +327,19 @@ debug("Port forwarding not permitted for this authentication."); break; } + + /* JARNO: Todo: Better logging */ +#ifndef DISABLE_FORWARDING + if ( !allow_port_forwarding ) { +#endif /* DISABLE_FORWARDING */ + debug("Port forwarding disabled in server configuration."); + packet_send_debug("Server has disabled port forwarding."); + success = 0; + break; +#ifndef DISABLE_FORWARDING + } +#endif /* DISABLE_FORWARDING */ + debug("Received TCP/IP port forwarding request."); channel_input_port_forward_request(pw->pw_uid == 0, options.gateway_ports); success = 1; diff -u -r openssh-2.1.1p4/ssh.c openssh-2.1.1p4-jhchanges/ssh.c --- openssh-2.1.1p4/ssh.c Sat Jul 15 07:14:17 2000 +++ openssh-2.1.1p4-jhchanges/ssh.c Mon Aug 21 18:37:31 2000 
@@ -460,10 +460,6 @@ } } - /* Cannot fork to background if no command. */ - if (fork_after_authentication_flag && buffer_len(&command) == 0) - fatal("Cannot fork into background without a command to execute."); - /* Allocate a tty by default if no command specified. */ if (buffer_len(&command) == 0) tty_flag = 1; @@ -511,6 +507,29 @@ /* reinit */ log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 0); + /* -N option only makes sense with protocol 2. It doesn't make sense + without port forwarding ?????? + */ + if ( options.num_local_forwards == 0 && options.num_remote_forwards == 0 && + no_shell_flag ) { + fprintf(stderr, "-N makes sense only with port forwardings\n"); + usage(); + /* NOT REACHED */ + } + if ((options.protocol & SSH_PROTO_2) && no_shell_flag && + buffer_len(&command) > 0) { + fprintf(stderr,"-N option works only with protocol version 2 and w/out a command\n"); + usage(); + /* NOT REACHED */ + } + + /* Cannot fork to background if no command. + Command not needed for protocol 2 & -N + */ + if ((options.protocol & SSH_PROTO_1) && !(options.protocol & SSH_PROTO_2) && + fork_after_authentication_flag && buffer_len(&command) == 0) + fatal("Cannot fork into background without a command to execute."); + /* check if RSA support exists */ if ((options.protocol & SSH_PROTO_1) && rsa_alive() == 0) { @@ -831,7 +850,7 @@ channel_request_local_forwarding(options.local_forwards[i].port, options.local_forwards[i].host, options.local_forwards[i].host_port, - options.gateway_ports); + options.gateway_ports, 0); } /* Initiate remote TCP/IP port forwardings. */ 
@@ -887,7 +906,25 @@ channel_request_local_forwarding(options.local_forwards[i].port, options.local_forwards[i].host, options.local_forwards[i].host_port, - options.gateway_ports); + options.gateway_ports, 0); + } +} + +/* Jarno Huuskonen: ssh2 client calls this to initiate remote port forwarding + * requests. + */ +void +init_remote_fwd(void) +{ + int i; + for (i = 0; i < options.num_remote_forwards; i++) { + debug("Connections to remote port %d forwarded to local address %.200s:%d", + options.remote_forwards[i].port, + options.remote_forwards[i].host, + options.remote_forwards[i].host_port); + channel_request_remote_forwarding(options.remote_forwards[i].port, + options.remote_forwards[i].host, + options.remote_forwards[i].host_port); } } @@ -963,7 +1000,9 @@ /* should be pre-session */ init_local_fwd(); - + /* Jarno */ + init_remote_fwd(); + window = 32*1024; if (tty_flag) { packetmax = window/8; @@ -979,6 +1018,12 @@ channel_open(id); channel_register_callback(id, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, client_init, (void *)0); + + /* Jarno: User wants us to fork */ + if (fork_after_authentication_flag) { + if (daemon(1, 1) < 0) + fatal("daemon() failed: %.200s", strerror(errno)); + } return client_loop(tty_flag, tty_flag ? options.escape_char : -1); } diff -u -r openssh-2.1.1p4/sshd.8 openssh-2.1.1p4-jhchanges/sshd.8 --- openssh-2.1.1p4/sshd.8 Tue Jul 11 10:31:39 2000 +++ openssh-2.1.1p4-jhchanges/sshd.8 Sun Aug 13 13:47:46 2000 @@ -485,6 +485,10 @@ listens on. The default is 22. Multiple options of this type are permitted. +.It Cm PortForwarding +Specifies whether TCP/IP port forwarding is permitted. +The default is +.Dq yes . .It Cm PrintMotd Specifies whether .Nm From chenda at cs.unc.edu Wed Aug 23 18:55:47 2000 
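Review bot: `allow_remote_forwarding()` in the channels.c hunk at @@ -1275,6 +1290,122 @@ checks only the privileged-port rule and `allow_port_forwarding`, never `no_port_forwarding_flag`, although the serverloop.c hunk tests `no_port_forwarding_flag || !allow_port_forwarding` for direct-tcpip and the session.c hunk still refuses protocol 1 forwards with "Port forwarding not permitted for this authentication"; a key restricted with no-port-forwarding can therefore still obtain a protocol 2 remote forward, so add the flag to this check. In the same hunk `channel_request_local_forwarding( port_to_bind, address_to_bind, port_to_bind, 1, 1 )` hardcodes gateway_ports to 1 instead of the server's GatewayPorts setting (session.c passes `options.gateway_ports` on the protocol 1 path), so every tcpip-forward listener binds on all interfaces, and the `address_to_listen` parameter is never used; export the setting the way `allow_port_forwarding` is exported. Also, since `channel_request_local_forwarding` "never returns if there was an error", a bind failure (port already in use) terminates the whole session instead of answering SSH2_MSG_REQUEST_FAILURE, which the "NOT REACHED if error (disconnects)" comment concedes along with the leaked `address_to_bind`; a non-fatal variant returning a status would let this handler reply and free properly. Finally, the cancel-tcpip-forward branch calls `channel_free( channels[chan].self )` without a `close(channels[chan].sock)`, whereas `channel_stop_listening` (the @@ -1292 hunk) closes the listening socket before freeing; make the two paths consistent.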
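Review bot: the client side of `channel_request_remote_forwarding` in the channels.c hunk at @@ -1506,38 +1645,149 @@ sends tcpip-forward with want_reply = 0 and then sets `success = 1` unconditionally, so a refused or failed remote forward is silently recorded in `permitted_opens` and the user never gets the "Server doesn't do port forwarding" warning the protocol 1 branch now prints. Rather than the blocking `packet_read()` left in the commented-out block (which is what raises the rekey concern in the comment), request a reply and handle SSH2_MSG_REQUEST_SUCCESS / SSH2_MSG_REQUEST_FAILURE through the client's dispatch table, the same way the serverloop.c hunk registers SSH2_MSG_GLOBAL_REQUEST with dispatch_set(); the dead commented-out code should then be removed. In `client_forwarded_tcpip_request` in the same hunk the permitted_opens loop has arrived as `for (i = 0; i= num_permitted_opens )`, so the patch as posted does not apply and needs resending (the `<` comparison was probably lost in transit); the window sizes `4*1024, 32*1024` should use CHAN_TCP_WINDOW_DEFAULT / CHAN_TCP_PACKET_DEFAULT as the @@ -1482 hunk does, and `client_len` / `connected_len` are assigned but never used.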
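Review bot: `server_channel_input_port_open` in the channels.c hunk at @@ -1621,22 +1874,49 @@ wraps `if (!allow_port_forwarding) {` and its closing brace in separate `#ifndef DISABLE_FORWARDING` blocks, so with DISABLE_FORWARDING defined the refusal runs unconditionally and the trailing `channel_input_port_open(type, plen, remote_channel)` becomes unreachable code that compilers warn about, while the unmatched braces make the function hard to read; the same construct recurs in the serverloop.c hunk at @@ -722,11 +725,19 @@ and the session.c hunk at @@ -324,6 +327,19 @@. Simpler: have servconf.c force `allow_port_forwarding = 0` (and reject `PortForwarding yes`) under `#ifdef DISABLE_FORWARDING`, and keep a single plain `if (!allow_port_forwarding)` at the three call sites.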
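Review bot: the `AC_ARG_ENABLE(forwarding, ...)` added in the configure.in hunk at @@ -1094,6 +1094,12 @@ runs `AC_DEFINE(DISABLE_FORWARDING)` whenever the option is given at all, so `--enable-forwarding` disables forwarding exactly like `--disable-forwarding`; the action needs to test `$enableval`, e.g. `[ if test "x$enableval" = "xno" ; then AC_DEFINE(DISABLE_FORWARDING) fi ]`. The removal of `echo ""` from the configure summary in the @@ -1370,7 +1376,6 @@ hunk is unrelated to this patch and should be dropped or sent separately.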
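Review bot: `allow_port_forwarding` in the servconf.c hunks at @@ -19,6 +19,9 @@ and @@ -45,6 +48,7 @@ is a bare global that is then `extern`'d into channels.c, serverloop.c and session.c, while the neighbouring `x11_forwarding` option lives in `ServerOptions`; making it `options->port_forwarding` would have it initialised, defaulted and parsed alongside the other flags, and channels.c (which is shared with the client) would not carry server-only state. If a global is kept for channels.c, channels.h should say the server must set it before `channel_server_global_request` can be dispatched. The default of yes matches the sshd.8 text, which is good.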
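Review bot: in the ssh.c hunk at @@ -511,6 +507,29 @@ the second check, `(options.protocol & SSH_PROTO_2) && no_shell_flag && buffer_len(&command) > 0`, prints "-N option works only with protocol version 2 and w/out a command" but only fires when protocol 2 is enabled and a command was given; a protocol-1-only invocation with -N passes straight through and is never rejected. The condition wanted is `no_shell_flag && (!(options.protocol & SSH_PROTO_2) || buffer_len(&command) > 0)`. Relatedly, the relaxed "Cannot fork into background" fatal now guards only the protocol-1-only case, so it is worth stating what happens to `-f` without a command when both protocols are enabled and the server turns out to speak only protocol 1.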
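Review bot: the sshd.8 hunk at @@ -485,6 +485,10 @@ documents PortForwarding but not that it also governs protocol 2 tcpip-forward (remote) requests and direct-tcpip channel opens, nor that a build configured with --disable-forwarding ignores the option entirely; add a sentence for each, and the new --disable-forwarding switch needs an entry in the build documentation as well.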
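Review bot: the clientloop.c hunk at @@ -1015,7 +1021,8 @@ touches the `packet_put_cstring("bla bla")` line only to add a TODO; since `client_forwarded_tcpip_request` returns NULL when `channel_connect_to` fails, that failure now reaches this branch and is reported to the server as SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED with "bla bla" as the description. Send a real reason string here, and use the protocol's connect-failed code for the connect failure rather than the administrative one, which misreports a local policy refusal.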
From: chenda at cs.unc.edu (Daniel T. Chen)
Date: Wed, 23 Aug 2000 04:55:47 -0400 (EDT)
Subject: Test snapshot
In-Reply-To:
Message-ID:

On Wed, 23 Aug 2000, Damien Miller wrote:

> I have just tarred up a snapshot and uploaded it to:
> http://www.mindrot.org/misc/openssh/openssh-SNAP-20000823.tar.gz
>
> The snapshot incorporates the last month's fixes and enhancements from
> the openssh-unix-dev mailing list and from the OpenBSD developers.

Compiles, installs, and runs fine here on SuSE 6.4 (x86). Still using separate/modified sshd.pam.generic, though.

./configure --with-tcp-wrappers --with-md5-passwords --with-ipv4-default

% ssh -V
SSH Version OpenSSH_2.1.1p5, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).

Nice touch. :)

dtc

From vinschen at cygnus.com Wed Aug 23 19:25:20 2000
From: vinschen at cygnus.com (Corinna Vinschen) Date: Wed, 23 Aug 2000 11:25:20 +0200 Subject: Test snapshot References: Message-ID: <39A39880.ECACC9F1@cygnus.com> What do I have to do so that Cygwin support is added to OpenSSH as well? Corinna Damien Miller wrote: > > I have just tarred up a snapshot and uploaded it to: > http://www.mindrot.org/misc/openssh/openssh-SNAP-20000823.tar.gz > > The snapshot incorporates the last month's fixes and enhancements from > the openssh-unix-dev mailing list and from the OpenBSD developers. > > In particular: > > - ssh-agent and ssh-add now handle DSA keys. NB. this does not interop > with ssh.com's ssh-agent. (Markus Friedl) > - Fix crashes when sshd is run out of inetd > - More fixes for SunOS4 and NeXT (Nate Itkin and Charles Levert) > - Add Solaris package support in contrib/solaris/ (Rip Loomis) > - Random Early Drop connection rate limiting for sshd (Markus Friedl) > - Fix duplicate lastlog logging (Markus & me) > - Add -u option to sshd to make wtmp logging more like login's (Markus) > - Use pipes instead of socketpairs to avoid scp not exiting problem > on SunOS4 and HPUX 10. (Klaus Engelhardt, Tamito KAJIYAMA & Lutz > Jaenicke) > - Lots of other fixes (see changelog below) > > Please give the snapshot a good run and report problems back to the > mailing list. > > If you have received this email twice, it is because you are on the > list of testers. I will be setting up a seperate email list over the > weekend. > > Regards, > Damien Miller > > Changelog: > > 20000823 > - (djm) Define USE_PIPES to avoid socketpair problems on HPUX 10 and SunOS 4 > Avoids "scp never exits" problem. 
>    Reports from Lutz Jaenicke
>    and Tamito KAJIYAMA
> 
>  - (djm) Pick up LOGIN_PROGRAM from environment or PATH if not set by headers
>  - (djm) Add local version to version.h
>  - (djm) OpenBSD CVS updates:
>  - deraadt at cvs.openbsd.org 2000/08/18 20:07:23
>    [ssh.c]
>    accept remsh as a valid name as well; roman at buildpoint.com
>  - deraadt at cvs.openbsd.org 2000/08/18 20:17:13
>    [deattack.c crc32.c packet.c]
>    rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
>    libz crc32 function yet, because it has ugly "long"'s in it;
>    oneill at cs.sfu.ca
>  - deraadt at cvs.openbsd.org 2000/08/18 20:26:08
>    [scp.1 scp.c]
>    -S prog support; tv at debian.org
>  - deraadt at cvs.openbsd.org 2000/08/18 20:50:07
>    [scp.c]
>    knf
>  - deraadt at cvs.openbsd.org 2000/08/18 20:57:33
>    [log-client.c]
>    shorten
>  - markus at cvs.openbsd.org 2000/08/19 12:48:11
>    [channels.c channels.h clientloop.c ssh.c ssh.h]
>    support for ~. in ssh2
>  - deraadt at cvs.openbsd.org 2000/08/19 15:29:40
>    [crc32.h]
>    proper prototype
>  - markus at cvs.openbsd.org 2000/08/19 15:34:44
>    [authfd.c authfd.h key.c key.h ssh-add.1 ssh-add.c ssh-agent.1]
>    [ssh-agent.c ssh-keygen.c sshconnect1.c sshconnect2.c Makefile]
>    [fingerprint.c fingerprint.h]
>    add SSH2/DSA support to the agent and some other DSA related cleanups.
>    (note that we cannot talk to ssh.com's ssh2 agents)
>  - markus at cvs.openbsd.org 2000/08/19 15:55:52
>    [channels.c channels.h clientloop.c]
>    more ~ support for ssh2
>  - markus at cvs.openbsd.org 2000/08/19 16:21:19
>    [clientloop.c]
>    oops
>  - millert at cvs.openbsd.org 2000/08/20 12:25:53
>    [session.c]
>    We have to stash the result of get_remote_name_or_ip() before we
>    close our socket or getpeername() will get EBADF and the process
>    will exit. Only a problem for "UseLogin yes".
>  - millert at cvs.openbsd.org 2000/08/20 12:30:59
>    [session.c]
>    Only check /etc/nologin if "UseLogin no" since login(1) may have its
>    own policy on determining who is allowed to login when /etc/nologin
>    is present. Also use the _PATH_NOLOGIN define.
>  - millert at cvs.openbsd.org 2000/08/20 12:42:43
>    [auth1.c auth2.c session.c ssh.c]
>    Add calls to setusercontext() and login_get*(). We basically call
>    setusercontext() in most places where previously we did a setlogin().
>    Add default login.conf file and put root in the "daemon" login class.
>  - millert at cvs.openbsd.org 2000/08/21 10:23:31
>    [session.c]
>    Fix incorrect PATH setting; noted by Markus.
> 
> 20000818
>  - (djm) OpenBSD CVS changes:
>  - markus at cvs.openbsd.org 2000/07/22 03:14:37
>    [servconf.c servconf.h sshd.8 sshd.c sshd_config]
>    random early drop; ok theo, niels
>  - deraadt at cvs.openbsd.org 2000/07/26 11:46:51
>    [ssh.1]
>    typo
>  - deraadt at cvs.openbsd.org 2000/08/01 11:46:11
>    [sshd.8]
>    many fixes from pepper at mail.reppep.com
>  - provos at cvs.openbsd.org 2000/08/01 13:01:42
>    [Makefile.in util.c aux.c]
>    rename aux.c to util.c to help with cygwin port
>  - deraadt at cvs.openbsd.org 2000/08/02 00:23:31
>    [authfd.c]
>    correct sun_len; Alexander at Leidinger.net
>  - provos at cvs.openbsd.org 2000/08/02 10:27:17
>    [readconf.c sshd.8]
>    disable kerberos authentication by default
>  - provos at cvs.openbsd.org 2000/08/02 11:27:05
>    [sshd.8 readconf.c auth-krb4.c]
>    disallow kerberos authentication if we can't verify the TGT; from
>    dugsong@
>    kerberos authentication is on by default only if you have a srvtab.
>  - markus at cvs.openbsd.org 2000/08/04 14:30:07
>    [auth.c]
>    unused
>  - markus at cvs.openbsd.org 2000/08/04 14:30:35
>    [sshd_config]
>    MaxStartups
>  - markus at cvs.openbsd.org 2000/08/15 13:20:46
>    [authfd.c]
>    cleanup; ok niels@
>  - markus at cvs.openbsd.org 2000/08/17 14:05:10
>    [session.c]
>    cleanup login(1)-like jobs, no duplicate utmp entries
>  - markus at cvs.openbsd.org 2000/08/17 14:06:34
>    [session.c sshd.8 sshd.c]
>    sshd -u len, similar to telnetd
>  - (djm) Lastlog was not getting closed after writing login entry
>  - (djm) Add Solaris package support from Rip Loomis
> 
> 20000816
>  - (djm) Replacement for inet_ntoa for Irix (which breaks on gcc)
>  - (djm) Fix strerror replacement for old SunOS. Based on patch from
>    Charles Levert
>  - (djm) Separate arc4random into separate file and use OpenSSL's RC4
>    implementation.
>  - (djm) SUN_LEN macro for systems which lack it
> 
> 20000815
>  - (djm) More SunOS 4.1.x fixes from Nate Itkin
>  - (djm) Avoid failures on Irix when ssh is not setuid. Fix from
>    Michael Stone
>  - (djm) Don't seek in directory based lastlogs
>  - (djm) Fix --with-ipaddr-display configure option test. Patch from
>    Jarno Huuskonen
>  - (djm) Fix AIX limits from Alexandre Oliva
> 
> 20000813
>  - (djm) Add $(srcdir) to includes when compiling (for VPATH). Report from
>    Fabrice bacchella
> 
> 20000809
>  - (djm) Define AIX hard limits if headers don't. Report from
>    Bill Painter
>  - (djm) utmp direct write & SunOS 4 patch from Charles Levert
> 
> 20000808
>  - (djm) Cleanup Redhat RPMs. Generate keys at runtime rather than install
>    time, spec file cleanup.
> 
> 20000807
>  - (djm) Set 0755 on binaries during install. Report from Lutz Jaenicke
>  - (djm) Suppress error messages on channel close shutdown() failures
>    works around Linux bug.
>    Patch from Zack Weinberg
>  - (djm) Add some more entropy collection commands from Lutz Jaenicke
> 
> 20000725
>  - (djm) Fix autoconf typo: HAVE_BINRESVPORT_AF -> HAVE_BINDRESVPORT_AF
> 
> 20000721
>  - (djm) OpenBSD CVS updates:
>  - markus at cvs.openbsd.org 2000/07/16 02:27:22
>    [authfd.c authfd.h channels.c clientloop.c ssh-add.c ssh-agent.c ssh.c]
>    [sshconnect1.c sshconnect2.c]
>    make ssh-add accept dsa keys (the agent does not)
>  - djm at cvs.openbsd.org 2000/07/17 19:25:02
>    [sshd.c]
>    Another closing of stdin; ok deraadt
>  - markus at cvs.openbsd.org 2000/07/19 18:33:12
>    [dsa.c]
>    missing free, reorder
>  - markus at cvs.openbsd.org 2000/07/20 16:23:14
>    [ssh-keygen.1]
>    document input and output files
> 
> 20000720
>  - (djm) Spec file fix from Petr Novotny
> 
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                  mailto:cygwin at sources.redhat.com
Red Hat, Inc.                     mailto:vinschen at cygnus.com

From zaks at prioris.mini.pw.edu.pl Wed Aug 23 19:50:50 2000
From: zaks at prioris.mini.pw.edu.pl (Slawek Zak)
Date: 23 Aug 2000 11:50:50 +0200
Subject: Port forwarding with scp
Message-ID: <87zom4z4p1.fsf@pf39.warszawa.sdi.tpnet.pl>

Hi,

What do you think of disabling port forwardings configured in
~/.ssh/config with scp. Copying of files is shorter or longer but still
only a temporary process. Moreover, when you have one session opened and
used for "real" forwardings, you can't use scp for the remote host, as the
forwardings can't be established again (ports are busy).

/S

From janfrode at parallab.uib.no Wed Aug 23 22:06:59 2000
From: janfrode at parallab.uib.no (Jan-Frode Myklebust) Date: Wed, 23 Aug 2000 14:06:59 +0200 Subject: Test snapshot In-Reply-To: ; from djm@mindrot.org on Wed, Aug 23, 2000 at 11:54:40AM +1000 References: Message-ID: <20000823140658.A16570@ii.uib.no> This is on IRIX, compiled with MIPSPro compilers. setenv CC cc ./configure --prefix=/usr/openssh --with-ssl-dir=/usr/local/ssl --with-rsh=/usr/bsd/rsh OpenSSH configured has been configured with the following options. User binaries: /usr/local/openssh-2.1.1p1-SNAP/bin System binaries: /usr/local/openssh-2.1.1p1-SNAP/sbin Configuration files: /usr/local/openssh-2.1.1p1-SNAP/etc Askpass program: /usr/local/openssh-2.1.1p1-SNAP/libexec/ssh/ssh-askpass Manual pages: /usr/local/openssh-2.1.1p1-SNAP/man/X PID file: /var/run Random number collection: Builtin (timeout 200) Manpage format: cat PAM support: no KerberosIV support: no AFS support: no S/KEY support: no TCP Wrappers support: no MD5 password support: no IP address in $DISPLAY hack: no Use IPv4 by default hack: no Translate v4 in v6 hack: no Compiler flags: -g -I/usr/local/include -I/usr/local/ssl//include Linker flags: -L/usr/local/ssl//lib -L/usr/local/ssl/ Libraries: -lz -lcrypto It looks like the openssh-SNAP-20000823 is taking a lot more time collecting entropy (or is it failing several times?) than the OpenSSH_2.1.1p4 version did. Here's an example (both are using the same etc/ssh_prng_cmds). 2.1.1p4% timex ssh dontask exit real 4.49 user 0.37 sys 1.21 2.1.1p5% timex ssh dontask exit real 24.89 user 3.10 sys 10.89 Here's full 'ssh -v' output from both versions: 2.1.1p4: SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0. Compiled with SSL (0x0090581f). 
debug: Reading configuration data /Home/plab/janfrode/.ssh/config debug: Applying options for dontask debug: Applying options for * debug: Reading configuration data /usr/openssh/etc/ssh_config debug: Applying options for * debug: Command 'netstat -an' timed out debug: Seeded RNG with 29 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: ssh_connect: getuid 1158 geteuid 0 anon 1 debug: Connecting to dontask [129.177.192.97] port 22. debug: Connection established. debug: Setting sat id to 1158 debug: Remote protocol version 1.99, remote software version OpenSSH_2.1.1p5 debug: Local version string SSH-1.5-OpenSSH_2.1.1 debug: Waiting for server public key. debug: Received server public key (768 bits) and host key (1024 bits). debug: Host 'dontask' is known and matches the RSA host key. debug: Command 'ps -efl' timed out debug: Seeded RNG with 27 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Encryption type: 3des debug: Sent encrypted session key. debug: Installing crc compensation attack detector. debug: Received encrypted confirmation. debug: Trying RSA authentication via agent with 'jfm at krypvier.ii.uib.no' debug: Received RSA challenge from server. debug: Sending response to RSA challenge. debug: Remote: RSA authentication accepted. debug: RSA authentication accepted by server. debug: Requesting X11 forwarding with authentication spoofing. debug: Requesting authentication agent forwarding. debug: Sending command: exit debug: Entering interactive session. debug: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.4 seconds debug: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0 debug: Exit status 0 debug: writing PRNG seed to file /Home/plab/janfrode/.ssh/prng_seed 2.1.1p5: SSH Version OpenSSH_2.1.1p5, protocol versions 1.5/2.0. Compiled with SSL (0x0090581f). 
debug: Reading configuration data /usr/people/jfm/.ssh/config debug: Applying options for dontask debug: Applying options for * debug: Reading configuration data /usr/openssh/etc/ssh_config debug: Applying options for * debug: Command 'netstat -an' timed out debug: Seeded RNG with 28 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: ssh_connect: getuid 1200 geteuid 0 anon 1 debug: Connecting to dontask [129.177.192.97] port 22. debug: Connection established. debug: Setting sat id to 1200 debug: Remote protocol version 1.99, remote software version OpenSSH_2.1.1p5 debug: Local version string SSH-1.5-OpenSSH_2.1.1p5 debug: Waiting for server public key. debug: Received server public key (768 bits) and host key (1024 bits). debug: Host 'dontask' is known and matches the RSA host key. debug: Seeded RNG with 28 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 28 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Command 'netstat -an' timed out debug: Command 'ps -efl' timed out debug: Seeded RNG with 30 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 25 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 25 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Command 'ps -efl' timed out debug: Seeded RNG with 28 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 25 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Command 'netstat -an' timed out debug: Seeded RNG with 28 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 25 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Encryption type: 3des debug: Sent encrypted session key. debug: Installing crc compensation attack detector. debug: Received encrypted confirmation. 
debug: Trying RSA authentication via agent with 'jfm at krypvier.ii.uib.no' debug: Received RSA challenge from server. debug: Sending response to RSA challenge. debug: Remote: RSA authentication accepted. debug: RSA authentication accepted by server. debug: Seeded RNG with 25 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Command 'ps -efl' timed out debug: Seeded RNG with 28 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 25 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 25 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Requesting X11 forwarding with authentication spoofing. debug: Seeded RNG with 25 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 25 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 25 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Command 'netstat -an' timed out debug: Seeded RNG with 26 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Requesting authentication agent forwarding. debug: Sending command: exit debug: Entering interactive session. debug: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.4 seconds debug: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0 debug: Exit status 0 debug: writing PRNG seed to file /usr/people/jfm/.ssh/prng_seed -jf From douglas.manton at uk.ibm.com Wed Aug 23 23:21:10 2000 
From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com)
Date: Wed, 23 Aug 2000 14:21:10 +0100
Subject: Test snapshot
Message-ID: <80256944.0049ADB2.00@d06mta05.portsmouth.uk.ibm.com>

Damien,

Compiles and installs cleanly under AIX 4.3.3 (latest patchlevel) with
IBM's latest C++ compiler.

The fixprogs script takes forever on install -- I narrowed this down to
"ipcs -a" on my very busy RS/6000 taking about five minutes to complete.
Dropped this from ssh_prng_cmds.in and all is well.

I refreshed sshd, kicked in the new ssh-agent, loaded my DSA and RSA keys
and tried a local connection. Connecting with protocol 1.5 seems okay.
Connecting with protocol 2 takes an age and once connected the performance
reminds me of my first ever dot-matrix printer -- about 10 minutes per
page. Retrying without the agent does not improve the matter, nor does
password authentication. I have also tried switching session encryption
from 3des to blowfish. Connecting to my server from SecureCRT shows the
same symptoms.

Compiled with:

CFLAGS="-qlanglvl=extended -qcpluscmt -O2" ./configure --prefix=/usr --sysconfdir=/etc/ssh --without-pam --with-ipaddr-display --with-ipv4-default

Reports:

OpenSSH configured has been configured with the following options.
  User binaries: /usr/bin
  System binaries: /usr/sbin
  Configuration files: /etc/ssh
  Askpass program: /usr/libexec/ssh/ssh-askpass
  Manual pages: /usr/man/catX
  PID file: /var/run
  Random number collection: Builtin (timeout 200)
  Manpage format: cat
  PAM support: disabled
  KerberosIV support: no
  AFS support: no
  S/KEY support: no
  TCP Wrappers support: no
  MD5 password support: no
  IP address in $DISPLAY hack: yes
  Use IPv4 by default hack: yes
  Translate v4 in v6 hack: no

  Compiler flags: -qlanglvl=extended -qcpluscmt -O2 -I/usr/local/include
  Linker flags: -L/usr/local/lib -blibpath:/usr/lib:/lib:/usr/local/lib
  Libraries: -lnsl -lz -lcrypto

Changing the random number timeout to 100 does not appear to make any
difference.
Lots of good work has gone into this project -- I think I speak for everyone when I say "thank-you" to all who have contributed. Many thanks, -------------------------------------------------------- Doug Manton, AT&T EMEA Firewall and Security Solutions demanton at att.com -------------------------------------------------------- "If privacy is outlawed, only outlaws will have privacy" From jeff at ntcor.com Thu Aug 24 07:07:18 2000 
From: jeff at ntcor.com (Jeff Wiegley, Ph.D.)
Date: Wed, 23 Aug 2000 14:07:18 -0700
Subject: Control-c not work under openssh?
References: <80256938.002BD248.00@d06mta05.portsmouth.uk.ibm.com>
Message-ID: <39A43D06.B5084F9@ntcor.com>

I'm a little confused now.

Am I supposed to use "UseLogin yes"; if I do, am I supposed to kludge the
execl function call for login to pass the environment.

Or... Is this really a bug in the way the sshd daemon handles control-c?
Should I wait for this to be fixed the real way?

Where in the code would this problem reside? If I knew that maybe I could
help design and code the solution and provide a patch for it. (Though I'm
not real intimate with the ssh code :-(

Let me know how I can help! This has been bothering me for quite some time
and I would love to help fix it.

Thanks,

- Jeff

douglas.manton at uk.ibm.com wrote:
> 
> > Yes, I started doing this myself also when I got sidetracked.
> 
> > Looking at Tatu Ylonen's ssh, it does the exact same thing (just a NULL),
> > so I'm assuming that this is the correct behavior? So I figured (at
> > least for my environment) it would be better to turn efforts to fixing
> the
> > control-C issue instead of kludging something else. But I may be
> > mistaken.
> 
> Of course the lack of environment means that the DISPLAY variable is left
> unset -- an annoyance when 20 lusers are trying to forward X11 back from
> one of our NetView servers and calling me for tech support :-(
> 
> Doug.
> --------------------------------------------------------
> Doug Manton, AT&T EMEA Firewall and Security Solutions
> 
> demanton at att.com
> --------------------------------------------------------
> "If privacy is outlawed, only outlaws will have privacy"

From paul.l.allen at boeing.com Thu Aug 24 08:03:26 2000
From: paul.l.allen at boeing.com (Paul Allen) Date: Wed, 23 Aug 2000 15:03:26 -0700 Subject: Test snapshot Message-ID: <39A44A2E.C8EAF500@boeing.com> Damien Miller wrote: > > I have just tarred up a snapshot and uploaded it to: > http://www.mindrot.org/misc/openssh/openssh-SNAP-20000823.tar.gz After applying this change to Makefile.in, it configures and builds on Alpha RedHat 6.2: 24c24,27 < CFLAGS=@CFLAGS@ -I. -I$(srcdir) $(PATHS) @DEFS@ --- > CFLAGS=@CFLAGS@ -I. -I$(srcdir) $(PATHS) @DEFS@ \ > -DOPENSSL_ALGORITHM_DEFINES \ > -DOPENSSL_THREAD_DEFINES \ > -DOPENSSL_OTHER_DEFINES I configured like this: ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/openssh \ --with-random=/dev/random --with-ipv4-default \ --with-ssl-dir=/usr/local/openssl \ --with-tcp-wrappers \ --with-default-path=/usr/bin:/bin:/usr/local/openssh/bin My openssl is trusty old 0.9.5a built with RSAREF2 hacked to know that a "UINT4" is 32 bits long. I installed over the top of my 2.1.1p4 setup, restarted sshd, and tried to ssh to a Solaris 2.6 Sun running 2.1.1p4. It took several minutes to get to a shell prompt. Retrying the ssh command with "-v" showed multiple long pauses while it was seeding the random number generator. After it finally logged me in on the Sun, it all seemed to be working OK. Did I miss a step? 2.1.1p4 worked fine on my Alpha. Paul Allen -- Paul L. Allen | voice: (425) 865-3297 fax: (425) 865-2964 Unix Technical Support | paul.l.allen at boeing.com Boeing Phantom Works Math & Computing Technology Site Operations, POB 3707 M/S 7L-68, Seattle, WA 98124-2207 From djm at mindrot.org Thu Aug 24 09:08:32 2000 
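Review bot: the three -DOPENSSL_ALGORITHM_DEFINES / -DOPENSSL_THREAD_DEFINES / -DOPENSSL_OTHER_DEFINES additions to CFLAGS carry no comment saying why they are needed, and because they go into Makefile.in every platform inherits them, not only an Alpha linking against an RSAREF2-patched 0.9.5a. Either add a configure test (compile a probe that includes <openssl/opensslconf.h> and <openssl/rsa.h> without the defines and append them only when that probe fails) or pass them for this one host with --with-cflags, and note in the changelog which OpenSSL build triggered it so the next reader does not have to rediscover the reason.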
From: djm at mindrot.org (Damien Miller) Date: Thu, 24 Aug 2000 09:08:32 +1000 (EST) Subject: Test snapshot In-Reply-To: <20000823140658.A16570@ii.uib.no> Message-ID: On Wed, 23 Aug 2000, Jan-Frode Myklebust wrote: > It looks like the openssh-SNAP-20000823 is taking a lot more time > collecting entropy (or is it failing several times?) than the > OpenSSH_2.1.1p4 version did. My bad: Index: bsd-arc4random.c =================================================================== RCS file: /var/cvs/openssh/bsd-arc4random.c,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- bsd-arc4random.c 2000/08/16 00:35:58 1.1 +++ bsd-arc4random.c 2000/08/23 05:31:41 1.2 @@ -60,5 +60,7 @@ RC4_set_key(&rc4, sizeof(rand_buf), rand_buf); memset(rand_buf, 0, sizeof(rand_buf)); + + rc4_ready = 1; } #endif /* !HAVE_ARC4RANDOM */ -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Thu Aug 24 09:37:43 2000 From: djm at mindrot.org (Damien Miller) Date: Thu, 24 Aug 2000 09:37:43 +1000 (EST) Subject: Test snapshot In-Reply-To: <39A39880.ECACC9F1@cygnus.com> Message-ID: On Wed, 23 Aug 2000, Corinna Vinschen wrote: > What do I have to do so that Cygwin support is added to OpenSSH as > well? My sincere apologies for my silence on your patches - a couple of things have prevented me from merging them - primarily a lack of time on my part. I will look over them again this weekend. Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From vinschen at cygnus.com Thu Aug 24 09:51:54 2000 
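Review bot: setting rc4_ready = 1 only at the very end of the seeding routine is the right fix for the reseed-on-every-call regression, but nothing in the hunk would catch it next time: the flag is not checked in the lines shown and there is no trace when seeding runs. Move the assignment directly after RC4_set_key() (before the memset that wipes rand_buf) with a comment that arc4random() relies on it, and add a debug() in this routine naming the arc4random seed, so a repeat is attributable to bsd-arc4random.c from ssh -v output alone rather than by timing against the previous release.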
From: vinschen at cygnus.com (Corinna Vinschen) Date: Thu, 24 Aug 2000 01:51:54 +0200 Subject: Test snapshot References: Message-ID: <39A4639A.ED063CDF@cygnus.com> Damien Miller wrote: > > On Wed, 23 Aug 2000, Corinna Vinschen wrote: > > > What do I have to do so that Cygwin support is added to OpenSSH as > > well? > > My sincere apologies for my silence on your patches - a couple of things > have prevented me from merging them - primarily a lack of time on my part. > > I will look over them again this weekend. That would be really nice. I had to add an additional patch, unfortunately, to get rhosts authentication working without checking for uid 0 (which is meaningless for Windows systems as you know). It's your choice if you will try the latest patch I sent (as of 2000-08-08) or if I should send the current patch additionally. Unfortunately I had no chance to upgrade to the latest OpenSSH-Snapshot so it's still related to 2.1.1p4. The current sources and binaries of the Cygwin version are accessible via ftp: OpenSSH-2.1.1p4: ftp://ftp.franken.de/pub/win32/develop/gnuwin32/cygwin/porters/Vinschen_Corinna/V1.1.3 files: openssh-2.1.1p4.README README openssh-2.1.1p4-3.tar.gz binary openssh-2.1.1p4-3-src.tar.gz patched sources Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Developer mailto:cygwin at sources.redhat.com Red Hat, Inc. mailto:vinschen at cygnus.com From scraig at eli.net Thu Aug 24 09:57:01 2000 
From: scraig at eli.net (Stuart Craig) Date: Wed, 23 Aug 2000 16:57:01 -0700 Subject: Test snapshot References: Message-ID: <39A464CD.2DC83AC@eli.net> I'm in the process of building and testing the new snapshot on HP-UX 10.20 and HP-UX 11. Attached to this message is a patch I made against 2.1.1p4 for HP-UX which causes sshd to set the PATH variable from /etc/PATH. This is the usual practice under HP-UX 10.20 and HP-UX 11. I activated the patch by calling configure like so: ./configure --with-cflags=-DHAVE_ETC_PATH ... This should be done in configure instead, but I haven't installed autoconf. This patch also works with the new snapshot. - Stu -- Stuart J. Craig Senior UNIX Administrator Electric Lightwave, Inc. -------------- next part -------------- *** session.c.orig Tue Jul 11 16:45:27 2000 --- session.c Tue Jul 25 08:56:21 2000 *************** *** 900,905 **** --- 900,908 ---- #ifdef WITH_IRIX_PROJECT prid_t projid; #endif /* WITH_IRIX_PROJECT */ + #ifdef HAVE_ETC_PATH + char epbuf[4096]; + #endif /* HAVE_ETC_PATH */ /* login(1) is only called if we execute the login shell */ if (options.use_login && command != NULL) *************** *** 1076,1081 **** --- 1079,1101 ---- /* Pull in any environment variables that may have been set by PAM. */ do_pam_environment(&env, &envsize); #endif /* USE_PAM */ + + #ifdef HAVE_ETC_PATH + /* Under versions 10 and 11 of HP-UX, the /etc/PATH file should + * contain a single line which is the value for the PATH environment + * variable. + */ + f = fopen("/etc/PATH", "r"); + if (f) { + if (fgets(epbuf, sizeof(epbuf), f)) { + if (strchr(epbuf, '\n')) + *strchr(epbuf, '\n') = '\0'; + if (strlen(epbuf) > 0) + child_set_env(&env, &envsize, "PATH", epbuf); + } + fclose(f); + } + #endif /* HAVE_ETC_PATH */ read_environment_file(&env,&envsize,"/etc/environment"); -------------- next part -------------- A non-text attachment was scrubbed... 
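Review bot: the /etc/PATH block in the second hunk runs after do_pam_environment() and before read_environment_file(&env,&envsize,"/etc/environment"), so a PATH exported by a PAM module is silently overwritten and, if /etc/environment also sets PATH, that wins over /etc/PATH again; decide which source takes precedence and say so in sshd.8. The hunk also relies on a FILE *f already declared in do_child (only epbuf is added), takes whatever the first 4095 bytes contain (a longer line is cut off without a newline and used as-is), and applies no validation even though the value becomes the PATH of every login session including root's: at minimum require that a newline was read, strip trailing whitespace, and reject empty or relative components. Finally the HAVE_ETC_PATH guard should come from a configure test for /etc/PATH on HP-UX rather than --with-cflags, as you note yourself.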
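As an added example (not part of Stuart's patch and not OpenSSH code), here is how the /etc/PATH read could be hardened before the value is handed to every login session. The function names parse_path_line(), read_path_file() and path_line_matches(), the PATH_LINE_MAX size and the acceptance rules are this example's own choices; it keeps the patch's one-line /etc/PATH convention but rejects a truncated line (no newline inside the buffer), strips trailing whitespace, and refuses empty or relative components, since "::" or a bare "bin" in PATH is searched relative to the current directory by the shell and execvp().

```c
/*
 * Added example, not OpenSSH code: defensive reader for a one-line PATH
 * file such as HP-UX's /etc/PATH.  parse_path_line(), read_path_file(),
 * path_line_matches() and PATH_LINE_MAX are this example's own names.
 *
 * A value is accepted only if:
 *   - a '\n' was found inside the buffer (otherwise fgets() truncated it),
 *   - after stripping trailing CR/space/tab it is non-empty and fits out,
 *   - every ':'-separated component is an absolute path.  An empty
 *     component ("::", leading or trailing ':') or a relative one is
 *     searched in the current directory, which a system-wide file
 *     should never hand to every login session.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PATH_LINE_MAX 4096

/* Return 1 and copy the validated value (no newline) into out, else 0. */
int parse_path_line(const char *line, char *out, size_t outlen)
{
    const char *end, *comp;
    size_t len;

    if (line == NULL || out == NULL || outlen == 0)
        return 0;

    end = strchr(line, '\n');
    if (end == NULL)
        return 0;                       /* truncated or unterminated */
    len = (size_t)(end - line);

    while (len > 0 && isspace((unsigned char)line[len - 1]))
        len--;                          /* trailing whitespace / CR */
    if (len == 0 || len >= outlen)
        return 0;

    for (comp = line;;) {
        size_t left = (size_t)(line + len - comp);
        const char *sep = memchr(comp, ':', left);
        size_t clen = sep != NULL ? (size_t)(sep - comp) : left;

        if (clen == 0 || comp[0] != '/')
            return 0;                   /* empty or relative component */
        if (sep == NULL)
            break;
        comp = sep + 1;
    }

    memcpy(out, line, len);
    out[len] = '\0';
    return 1;
}

/* Read the first line of file (e.g. "/etc/PATH") and validate it.
 * Returns 1 with out filled, or 0 so the caller keeps its default PATH. */
int read_path_file(const char *file, char *out, size_t outlen)
{
    char buf[PATH_LINE_MAX];
    FILE *f;
    int ok;

    f = fopen(file, "r");
    if (f == NULL)
        return 0;
    ok = fgets(buf, sizeof(buf), f) != NULL &&
         parse_path_line(buf, out, outlen);
    fclose(f);
    return ok;
}

/* Check helper: 1 if line parses to exactly expect, or if expect is NULL
 * and the line is rejected. */
int path_line_matches(const char *line, const char *expect)
{
    char out[PATH_LINE_MAX];
    int ok = parse_path_line(line, out, sizeof(out));

    if (expect == NULL)
        return !ok;
    return ok && strcmp(out, expect) == 0;
}

int main(int argc, char **argv)
{
    char path[PATH_LINE_MAX];
    const char *file = argc > 1 ? argv[1] : "/etc/PATH";

    if (read_path_file(file, path, sizeof(path)))
        printf("PATH=%s\n", path);
    else
        printf("%s: missing or rejected, keeping the compiled-in PATH\n", file);
    return 0;
}
```

On a rejected or missing file the caller should keep sshd's compiled-in default rather than leave PATH unset; that is the same fallback the patch gets implicitly when fopen() fails, made explicit for the malformed cases too.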
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2515 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000823/2d2c7c19/attachment.bin

From aaron at cs.dal.ca Thu Aug 24 11:42:49 2000
From: aaron at cs.dal.ca (Aaron Campbell)
Date: Wed, 23 Aug 2000 22:42:49 -0300 (ADT)
Subject: OpenSSH && HP-UX && Package (fwd)
Message-ID:

---------- Forwarded message ----------
Date: Wed, 23 Aug 2000 22:25:23 +0200
From: Roderick Groesbeek
To: www at openbsd.org
Cc: aaron at cvs.openbsd.org
Subject: OpenSSH && HP-UX && Package

Good(morning|day|evening),

Info:
===
For a customer I have built an HP-UX OpenSSH depot package.

Questions:
=======
- Are you guys interested in the OpenSSH HP-UX package?
- I have included the ugly .psf files etc

You can find the stuff on:
http://www.triple-it.nl/~rgroesb/hp-ux/owndepots/openssh/

Depot:
http://www.triple-it.nl/~rgroesb/hp-ux/owndepots/openssh/openssh-1.2.27.depot

Devel:
http://www.triple-it.nl/~rgroesb/hp-ux/owndepots/openssh/devel/

If you need a maintainer of the HP-UX depot variant I'm happy to oblige.
If you can use the stuff.. drop me a note.

Kind regards,

* And remember, it's spelled M-i-c-r-o-s-o-f-t , but it's pronounced "Triple-IT."

Roderick
--
Pettemerstraat 12A                         T r I p l e
1823 CW Alkmaar                            T
Tel. +31 (0)72-5129516 fax. +31 (0)72-5129520   Automatisering
www.triple-it.nl                           "Laat uw Net Werken"

From mouring at pconline.com Thu Aug 24 14:02:00 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Wed, 23 Aug 2000 23:02:00 -0500 (CDT)
Subject: Test snapshot
In-Reply-To:
Message-ID:

Two more NeXT patches..

next-posix.c.patch - cleans up some unwanted #includes that are
artifacts from the original version of the port.

loginrec.c.patch - moves NeXT from known problem to known to work.
Since I just verified that utmp/wtmp/lastlog are officially working
(after the first loginrec.c patch I submitted).

Only other thing in the near future I'd do for next-posix.[ch] is moving
wait() and setsid() out to be more generally accessible to other
platforms that may need them.

-------------- next part -------------- --- next-posix.c.orig Wed Aug 23 22:34:30 2000 +++ next-posix.c Wed Aug 23 22:36:35 2000 @@ -1,26 +1,7 @@ #include "config.h" #ifdef HAVE_NEXT -#include -#include -#include #include -#include - -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include - -#include "xmalloc.h" -#include "ssh.h" #include "next-posix.h" int -------------- next part -------------- --- loginrec.c.orig Wed Aug 23 22:30:11 2000 +++ loginrec.c Wed Aug 23 22:31:53 2000 @@ -132,7 +132,7 @@ /** ** TODO: - ** homegrown ttyslot()q + ** homegrown ttyslot() ** test, test, test ** ** Platform status: @@ -142,15 +142,13 @@ ** Linux (Redhat 6.2, need more variants) ** HP-UX 10.20 (gcc only) ** IRIX + ** NeXT - M68k/HPPA (4.2/3.3) ** ** Testing required: Please send reports! ** Solaris ** NetBSD ** HP-UX 11 ** AIX - ** - ** Platforms with known problems: - ** NeXT ** **/ From mouring at pconline.com Thu Aug 24 15:07:04 2000 
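Review bot: in the next-posix.c hunk the names of the removed system headers did not survive the archive (each removed line reads only "-#include"; just "xmalloc.h" and "ssh.h" are still legible), so a reviewer cannot tell which headers go away; please resend the patch as an attachment or with the names intact. Dropping xmalloc.h and ssh.h is safe only if nothing left in next-posix.c calls xmalloc()/xfree() or the logging functions from ssh.h; build the file once with the compiler's implicit-declaration warning enabled to confirm no function is now silently declared as returning int.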
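Review bot: the loginrec.c hunk records NeXT as working but does not say what was exercised; since you verified utmp, wtmp and lastlog, add that to the new "NeXT - M68k/HPPA (4.2/3.3)" line (for example "utmp/wtmp/lastlog verified") so the next person does not re-test, and the "ttyslot()q" fix in the TODO comment is fine as is.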
From: mouring at pconline.com (Ben Lindstrom)
Date: Thu, 24 Aug 2000 00:07:04 -0500 (CDT)
Subject: Final NeXT issues (Re: Test snapshot)
In-Reply-To:
Message-ID:

Remove the following in the TODO file:

- Next now has sigaction() based on sigvec().  But it still does not
  seem to act correctly.  Ctrl-C and Ctrl-Z don't return echo to the
  underlying shell.

Somewhere between p4 and this snapshot a correction was made that made
this bug in NeXT go away. Still would like to know what change did this
because I don't see it due to the forest of modifications, and I know I
did not solve it.=)

This pretty much ends all major show stopping issues I have with the NeXT
port (Outside of next-posix.[ch] clean up and compiling warnings). If
those running the NeXT port could forward me anything else you have on
your lists it would be helpful.

Matt, did you ever succeed in building FAT binaries?

Ben Lindstrom
"The end is in sight"

From markm at swoon.net Thu Aug 24 16:43:42 2000
From: markm at swoon.net (Mark Miller)
Date: Wed, 23 Aug 2000 23:43:42 -0700
Subject: Final NeXT issues (Re: Test snapshot)
In-Reply-To:
References:
Message-ID: <200008240643.XAA21642@swoon.net>

You wrote:
> Remove the following in the TODO file:
> 
> - Next now has sigaction() based on sigvec().  But it still does not
>   seem to act correctly.  Ctrl-C and Ctrl-Z don't return echo to the
>   underlying shell.
> 
> Somewhere between p4 and this snapshot a correction was made that made
> this bug in NeXT go away. Still would like to know what change did
> this because I don't see it due to the forest of modifications, and I
> know I did not solve it.=)

Interesting. If you do find out what changed, Ben, I would like to know
as well. This bug has me rather stumped.

> This pretty much ends all major show stopping issues I have with
> the NeXT port (Outside of next-posix.[ch] clean up and compiling
> warnings).

I like the idea of splitting up those files quite a bit.

> If those running the NeXT port could forward me anything
> else you have on your lists it would be helpful.

I have been running the 20000823 snapshot on both NS3.3 and OS4.2 for
m68k with no troubles. My installation also successfully uses the
entropy gathering daemon (egd 0.8).

> Matt, did you ever succeed in building FAT binaries?

I have not attempted this. Is there some obvious problem with building
FAT binaries?

-- 
_/ mark miller
_/ markm at swoon.net
_/
_/ NeXTmail OK

From odin at linuxfreak.com Thu Aug 24 16:54:01 2000
From: odin at linuxfreak.com (Dan Brosemer) Date: Thu, 24 Aug 2000 02:54:01 -0400 Subject: Test snapshot In-Reply-To: ; from djm@mindrot.org on Wed, Aug 23, 2000 at 11:54:40AM +1000 References: Message-ID: <20000824025401.A4321@dmgware.ca> On Wed, Aug 23, 2000 at 11:54:40AM +1000, Damien Miller wrote: > I have just tarred up a snapshot and uploaded it to: > http://www.mindrot.org/misc/openssh/openssh-SNAP-20000823.tar.gz Tested on i386 Debian GNU/Linux (woody). (Slink and Potato take a little more effort, I'll report on them in the afternoon). Compiles fine. Binaries run fine (communicates with OpenBSD (2.1) and ssh.com's 1.2.27 as well as itself). > - ssh-agent and ssh-add now handle DSA keys. NB. this does not interop > with ssh.com's ssh-agent. (Markus Friedl) Appears to work. > - Fix crashes when sshd is run out of inetd Don't have an old version to use as a control, but I can't seem to make this one crash either. > - More fixes for SunOS4 and NeXT (Nate Itkin and Charles Levert) > - Add Solaris package support in contrib/solaris/ (Rip Loomis) > - Random Early Drop connection rate limiting for sshd (Markus Friedl) > - Fix duplicate lastlog logging (Markus & me) > - Add -u option to sshd to make wtmp logging more like login's (Markus) > - Use pipes instead of socketpairs to avoid scp not exiting problem > on SunOS4 and HPUX 10. (Klaus Engelhardt, Tamito KAJIYAMA & Lutz > Jaenicke) > - Lots of other fixes (see changelog below) I'll test Linux/ARM this afternoon as well as i386 Debian Potato and Slink. -Dan -- "... the most serious problems in the Internet have been caused by unenvisaged mechanisms triggered by low-probability events; mere human malice would never have taken so devious a course!" - RFC 1122 section 1.2.2 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 232 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000824/90118236/attachment.bin From janfrode at parallab.uib.no Thu Aug 24 17:20:12 2000 From: janfrode at parallab.uib.no (Jan-Frode Myklebust) Date: Thu, 24 Aug 2000 09:20:12 +0200 Subject: Test snapshot In-Reply-To: ; from djm@mindrot.org on Thu, Aug 24, 2000 at 09:08:32AM +1000 References: <20000823140658.A16570@ii.uib.no> Message-ID: <20000824092012.B17175@ii.uib.no> On Thu, Aug 24, 2000 at 09:08:32AM +1000, Damien Miller wrote: > On Wed, 23 Aug 2000, Jan-Frode Myklebust wrote: > > > It looks like the openssh-SNAP-20000823 is taking a lot more time > > collecting entropy (or is it failing several times?) than the > > OpenSSH_2.1.1p4 version did. > > My bad: > > Index: bsd-arc4random.c > =================================================================== > RCS file: /var/cvs/openssh/bsd-arc4random.c,v > retrieving revision 1.1 > retrieving revision 1.2 > diff -u -r1.1 -r1.2 > --- bsd-arc4random.c 2000/08/16 00:35:58 1.1 > +++ bsd-arc4random.c 2000/08/23 05:31:41 1.2 > @@ -60,5 +60,7 @@ > RC4_set_key(&rc4, sizeof(rand_buf), rand_buf); > > memset(rand_buf, 0, sizeof(rand_buf)); > + > + rc4_ready = 1; > } > #endif /* !HAVE_ARC4RANDOM */ > > Thanks, looks like this fixed the problem with the sshd acting like a dot-matrix printer in v2 mode also. -jf From douglas.manton at uk.ibm.com Thu Aug 24 20:00:40 2000 
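Review bot: the added `rc4_ready = 1;` sits after RC4_set_key() and after the memset() that scrubs rand_buf, which is the right order: the flag should only be raised once the key schedule is in place and the seed material has been wiped. What the hunk does not show is where rc4_ready is ever cleared again; if this generator is expected to be re-stirred later (for example in a process that fork()s after seeding), that clearing path needs the same care, otherwise parent and child continue from identical RC4 state. The symptom reported above, much longer entropy collection than 2.1.1p4, is consistent with the flag never having been set before this change, so the seeding path ran on every call.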
From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com) Date: Thu, 24 Aug 2000 11:00:40 +0100 Subject: Test snapshot Message-ID: <80256945.0037031F.00@d06mta05.portsmouth.uk.ibm.com> Damien, One other problem that has just come to light. I have switched "UseLogin" to "yes" and receive the following error message when attempting to ssh into my AIX machine: /dev/pts/0: 3004-004 You must "exec" login from the lowest login shell. Switching back to 2.1.1p4 fixes this -- configured identically to the latest snapshot (as per my last email). Many thanks, -------------------------------------------------------- Doug Manton, AT&T EMEA Firewall and Security Solutions demanton at att.com -------------------------------------------------------- "If privacy is outlawed, only outlaws will have privacy" From acox at cv.telegroup.com Thu Aug 24 20:21:24 2000 
From: acox at cv.telegroup.com (Aran Cox) Date: Thu, 24 Aug 2000 12:21:24 +0200 Subject: Test snapshot In-Reply-To: ; from djm@mindrot.org on Wed, Aug 23, 2000 at 11:54:40AM +1000 References: Message-ID: <20000824122124.C1036@lazarus.cv.telegroup.com>

I have tested this snapshot with SCO OpenServer 5.0.5 and 5.0.0. I have confirmed most basic functionality, scp, ssh, port forwarding, X11 forwarding, logins, remote execution, etc.

In fact this release fixes the problems I was having with SCO using p4. (see my post to the list titled: remote commands: Command terminated on signal 13. for details) I don't know exactly what changed that fixed my problems under SCO but they're gone. I also confirmed interoperability with p4 under linux and openssh-SNAP under SCO.

Everything looks good from my seat!

On Wed, Aug 23, 2000 at 11:54:40AM +1000, Damien Miller wrote:
>
> I have just tarred up a snapshot and uploaded it to:
> http://www.mindrot.org/misc/openssh/openssh-SNAP-20000823.tar.gz
>
> The snapshot incorporates the last month's fixes and enhancements from
> the openssh-unix-dev mailing list and from the OpenBSD developers.
>
> In particular:
>
> - ssh-agent and ssh-add now handle DSA keys. NB. this does not interop
> with ssh.com's ssh-agent. (Markus Friedl)
> - Fix crashes when sshd is run out of inetd
> - More fixes for SunOS4 and NeXT (Nate Itkin and Charles Levert)
> - Add Solaris package support in contrib/solaris/ (Rip Loomis)
> - Random Early Drop connection rate limiting for sshd (Markus Friedl)
> - Fix duplicate lastlog logging (Markus & me)
> - Add -u option to sshd to make wtmp logging more like login's (Markus)
> - Use pipes instead of socketpairs to avoid scp not exiting problem
> on SunOS4 and HPUX 10. (Klaus Engelhardt, Tamito KAJIYAMA & Lutz
> Jaenicke)
> - Lots of other fixes (see changelog below)
>
> Please give the snapshot a good run and report problems back to the
> mailing list.
> > If you have received this email twice, it is because you are on the > list of testers. I will be setting up a seperate email list over the > weekend. > > Regards, > Damien Miller > > Changelog: > > 20000823 > - (djm) Define USE_PIPES to avoid socketpair problems on HPUX 10 and SunOS 4 > Avoids "scp never exits" problem. Reports from Lutz Jaenicke > and Tamito KAJIYAMA > > - (djm) Pick up LOGIN_PROGRAM from environment or PATH if not set by headers > - (djm) Add local version to version.h > - (djm) OpenBSD CVS updates: > - deraadt at cvs.openbsd.org 2000/08/18 20:07:23 > [ssh.c] > accept remsh as a valid name as well; roman at buildpoint.com > - deraadt at cvs.openbsd.org 2000/08/18 20:17:13 > [deattack.c crc32.c packet.c] > rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to > libz crc32 function yet, because it has ugly "long"'s in it; > oneill at cs.sfu.ca > - deraadt at cvs.openbsd.org 2000/08/18 20:26:08 > [scp.1 scp.c] > -S prog support; tv at debian.org > - deraadt at cvs.openbsd.org 2000/08/18 20:50:07 > [scp.c] > knf > - deraadt at cvs.openbsd.org 2000/08/18 20:57:33 > [log-client.c] > shorten > - markus at cvs.openbsd.org 2000/08/19 12:48:11 > [channels.c channels.h clientloop.c ssh.c ssh.h] > support for ~. in ssh2 > - deraadt at cvs.openbsd.org 2000/08/19 15:29:40 > [crc32.h] > proper prototype > - markus at cvs.openbsd.org 2000/08/19 15:34:44 > [authfd.c authfd.h key.c key.h ssh-add.1 ssh-add.c ssh-agent.1] > [ssh-agent.c ssh-keygen.c sshconnect1.c sshconnect2.c Makefile] > [fingerprint.c fingerprint.h] > add SSH2/DSA support to the agent and some other DSA related cleanups. 
> (note that we cannot talk to ssh.com's ssh2 agents) > - markus at cvs.openbsd.org 2000/08/19 15:55:52 > [channels.c channels.h clientloop.c] > more ~ support for ssh2 > - markus at cvs.openbsd.org 2000/08/19 16:21:19 > [clientloop.c] > oops > - millert at cvs.openbsd.org 2000/08/20 12:25:53 > [session.c] > We have to stash the result of get_remote_name_or_ip() before we > close our socket or getpeername() will get EBADF and the process > will exit. Only a problem for "UseLogin yes". > - millert at cvs.openbsd.org 2000/08/20 12:30:59 > [session.c] > Only check /etc/nologin if "UseLogin no" since login(1) may have its > own policy on determining who is allowed to login when /etc/nologin > is present. Also use the _PATH_NOLOGIN define. > - millert at cvs.openbsd.org 2000/08/20 12:42:43 > [auth1.c auth2.c session.c ssh.c] > Add calls to setusercontext() and login_get*(). We basically call > setusercontext() in most places where previously we did a setlogin(). > Add default login.conf file and put root in the "daemon" login class. > - millert at cvs.openbsd.org 2000/08/21 10:23:31 > [session.c] > Fix incorrect PATH setting; noted by Markus. 
> > 20000818 > - (djm) OpenBSD CVS changes: > - markus at cvs.openbsd.org 2000/07/22 03:14:37 > [servconf.c servconf.h sshd.8 sshd.c sshd_config] > random early drop; ok theo, niels > - deraadt at cvs.openbsd.org 2000/07/26 11:46:51 > [ssh.1] > typo > - deraadt at cvs.openbsd.org 2000/08/01 11:46:11 > [sshd.8] > many fixes from pepper at mail.reppep.com > - provos at cvs.openbsd.org 2000/08/01 13:01:42 > [Makefile.in util.c aux.c] > rename aux.c to util.c to help with cygwin port > - deraadt at cvs.openbsd.org 2000/08/02 00:23:31 > [authfd.c] > correct sun_len; Alexander at Leidinger.net > - provos at cvs.openbsd.org 2000/08/02 10:27:17 > [readconf.c sshd.8] > disable kerberos authentication by default > - provos at cvs.openbsd.org 2000/08/02 11:27:05 > [sshd.8 readconf.c auth-krb4.c] > disallow kerberos authentication if we can't verify the TGT; from > dugsong@ > kerberos authentication is on by default only if you have a srvtab. > - markus at cvs.openbsd.org 2000/08/04 14:30:07 > [auth.c] > unused > - markus at cvs.openbsd.org 2000/08/04 14:30:35 > [sshd_config] > MaxStartups > - markus at cvs.openbsd.org 2000/08/15 13:20:46 > [authfd.c] > cleanup; ok niels@ > - markus at cvs.openbsd.org 2000/08/17 14:05:10 > [session.c] > cleanup login(1)-like jobs, no duplicate utmp entries > - markus at cvs.openbsd.org 2000/08/17 14:06:34 > [session.c sshd.8 sshd.c] > sshd -u len, similar to telnetd > - (djm) Lastlog was not getting closed after writing login entry > - (djm) Add Solaris package support from Rip Loomis > > 20000816 > - (djm) Replacement for inet_ntoa for Irix (which breaks on gcc) > - (djm) Fix strerror replacement for old SunOS. Based on patch from > Charles Levert > - (djm) Seperate arc4random into seperate file and use OpenSSL's RC4 > implementation. > - (djm) SUN_LEN macro for systems which lack it > > 20000815 > - (djm) More SunOS 4.1.x fixes from Nate Itkin > - (djm) Avoid failures on Irix when ssh is not setuid. 
Fix from > Michael Stone > - (djm) Don't seek in directory based lastlogs > - (djm) Fix --with-ipaddr-display configure option test. Patch from > Jarno Huuskonen > - (djm) Fix AIX limits from Alexandre Oliva > > 20000813 > - (djm) Add $(srcdir) to includes when compiling (for VPATH). Report from > Fabrice bacchella > > 20000809 > - (djm) Define AIX hard limits if headers don't. Report from > Bill Painter > - (djm) utmp direct write & SunOS 4 patch from Charles Levert > > > 20000808 > - (djm) Cleanup Redhat RPMs. Generate keys at runtime rather than install > time, spec file cleanup. > > 20000807 > - (djm) Set 0755 on binaries during install. Report from Lutz Jaenicke > - (djm) Suppress error messages on channel close shutdown() failurs > works around Linux bug. Patch from Zack Weinberg > - (djm) Add some more entropy collection commands from Lutz Jaenicke > > 20000725 > - (djm) Fix autoconf typo: HAVE_BINRESVPORT_AF -> HAVE_BINDRESVPORT_AF > > 20000721 > - (djm) OpenBSD CVS updates: > - markus at cvs.openbsd.org 2000/07/16 02:27:22 > [authfd.c authfd.h channels.c clientloop.c ssh-add.c ssh-agent.c ssh.c] > [sshconnect1.c sshconnect2.c] > make ssh-add accept dsa keys (the agent does not) > - djm at cvs.openbsd.org 2000/07/17 19:25:02 > [sshd.c] > Another closing of stdin; ok deraadt > - markus at cvs.openbsd.org 2000/07/19 18:33:12 > [dsa.c] > missing free, reorder > - markus at cvs.openbsd.org 2000/07/20 16:23:14 > [ssh-keygen.1] > document input and output files > > 20000720 > - (djm) Spec file fix from Petr Novotny > > > -- > | "Bombay is 250ms from New York in the new world order" - Alan Cox > | Damien Miller - http://www.mindrot.org/ > | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) > > > > > From Lutz.Jaenicke at aet.TU-Cottbus.DE Thu Aug 24 21:54:28 2000 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Thu, 24 Aug 2000 13:54:28 +0200 Subject: Test snapshot In-Reply-To: <39A464CD.2DC83AC@eli.net>; from scraig@eli.net on Wed, Aug 23, 2000 at 04:57:01PM -0700 References: <39A464CD.2DC83AC@eli.net> Message-ID: <20000824135428.B9430@serv01.aet.tu-cottbus.de>

On Wed, Aug 23, 2000 at 04:57:01PM -0700, Stuart Craig wrote:
> Attached to this message is a patch I made against 2.1.1p4 for HP-UX
> which causes sshd to set the PATH variable from /etc/PATH. This is the
> usual practice under HP-UX 10.20 and HP-UX 11. I activated the patch by
> calling configure like so:
>
> ./configure --with-cflags=-DHAVE_ETC_PATH ...
>
> This should be done in configure instead, but I haven't installed
> autoconf.

/etc/PATH is read by /etc/csh.login or /etc/profile, respectively. My (maybe personal) problem is that I only have the "system PATH", as automatically set during swinstall processes, in /etc/PATH; my additional settings are in /usr/local/etc/PATH, which is sourced later from my (changed) /etc/csh.login or /etc/profile files. (And, of course, /usr/local/openssh/bin is on /usr/local/etc/PATH :-)

[This solution is easier to maintain as I have a common /usr/local that is distributed via rdist (over ssh, of course :-), while /etc/PATH can be different for the individual hosts with respect to the installed software.]

That won't hurt anybody, if (there is always an if :-) your patch would not overwrite the PATH that was compiled in by setting the "--with-default-path=..." switch. Do you think it would be appropriate to concatenate the default path compiled in _and_ /etc/PATH? Probably we would get doubled entries.

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
From acox at cv.telegroup.com Fri Aug 25 00:17:34 2000
From: acox at cv.telegroup.com (Aran Cox) Date: Thu, 24 Aug 2000 16:17:34 +0200 Subject: Test snapshot In-Reply-To: <20000824122124.C1036@lazarus.cv.telegroup.com>; from acox@cv.telegroup.com on Thu, Aug 24, 2000 at 12:21:24PM +0200 References: <20000824122124.C1036@lazarus.cv.telegroup.com> Message-ID: <20000824161734.G1036@lazarus.cv.telegroup.com>

Ok, I spoke too soon. I am having the same problems, and some new ones to boot. The problem is it's very inconsistent. They all have to do with invoking ssh with the -n option to run a shell command on a remote machine. I have now upgraded my (linux) client to use the snapshot as well and the clients are SCO OS 5.0.5 running the snapshot.

Occasionally when I use ssh to invoke a remote command (even simple ones, like ls -ld . or find .) using the -n switch, ssh will exit with the error message "Command terminated on signal 13."

Here is some server output for a failed ssh invocation of find:

debug: Exec command 'find .'
debug: Entering interactive session.
debug: fd 11 setting O_NONBLOCK
debug: fd 13 setting O_NONBLOCK
debug: server_init_dispatch_13
debug: server_init_dispatch_15
debug: EOF received for stdin.
debug: Received SIGCHLD.
debug: tvp!=NULL kid 1 mili 100
debug: End of interactive session; stdin 0, stdout (read 1008, sent 1008), stderr 467 bytes.
debug: channel_free: channel 0: status: The following connections are open:
Disconnecting: Command terminated on signal 13.
debug: Calling cleanup 0xa578(0x0)
debug: xauthfile_cleanup_proc called
debug: Calling cleanup 0x11af0(0x0)
debug: Calling cleanup 0x18c4c(0x0)
debug: Calling cleanup 0x1b658(0x0)
debug: writing PRNG seed to file //.ssh/prng_seed

Here is the invocation:

[spin at lazarus ssh]$ ssh -n -l tign tignnj5b find .
tign at tignnj5b.cv.telegroup.com's password:
Received disconnect: Command terminated on signal 13.

Does anyone else have problems with using -n? Does anyone else use scripts like this:

while read host; do
    ssh -n -l acox $host ls -ld .
done

You have to use the -n option in scripts like the above; trying to use rsh without the -n results in only the first host being processed. The above script minus -n likewise fails to invoke ssh once for each host passed via stdin.

Any suggestions?

On Thu, Aug 24, 2000 at 12:21:24PM +0200, Aran Cox wrote:
> I have tested this snapshot with SCO OpenServer 5.0.5 and 5.0.0.
> I have confirmed most basic functionality, scp, ssh, port forwarding,
> X11 forwarding, logins, remote execution, etc.
>
> In fact this release fixes the problems I was having with SCO using
> p4. (see my post to the list titled:
> remote commands: Command terminated on signal 13. for details)
> I don't know exactly what changed that fixed my problems under SCO
> but they're gone. I also confirmed interoperability with p4 under
> linux and openssh-SNAP under SCO.
>
> Everything looks good from my seat!
>
>
> On Wed, Aug 23, 2000 at 11:54:40AM +1000, Damien Miller wrote:
> >
> > I have just tarred up a snapshot and uploaded it to:
> > http://www.mindrot.org/misc/openssh/openssh-SNAP-20000823.tar.gz
> >
> > The snapshot incorporates the last month's fixes and enhancements from
> > the openssh-unix-dev mailing list and from the OpenBSD developers.
> >
> > In particular:
> >
> > - ssh-agent and ssh-add now handle DSA keys. NB. this does not interop
> > with ssh.com's ssh-agent. (Markus Friedl)
> > - Fix crashes when sshd is run out of inetd
> > - More fixes for SunOS4 and NeXT (Nate Itkin and Charles Levert)
> > - Add Solaris package support in contrib/solaris/ (Rip Loomis)
> > - Random Early Drop connection rate limiting for sshd (Markus Friedl)
> > - Fix duplicate lastlog logging (Markus & me)
> > - Add -u option to sshd to make wtmp logging more like login's (Markus)
> > - Use pipes instead of socketpairs to avoid scp not exiting problem
> > on SunOS4 and HPUX 10.
(Klaus Engelhardt, Tamito KAJIYAMA & Lutz > > Jaenicke) > > - Lots of other fixes (see changelog below) > > > > Please give the snapshot a good run and report problems back to the > > mailing list. > > > > If you have received this email twice, it is because you are on the > > list of testers. I will be setting up a seperate email list over the > > weekend. > > > > Regards, > > Damien Miller > > > > Changelog: > > > > 20000823 > > - (djm) Define USE_PIPES to avoid socketpair problems on HPUX 10 and SunOS 4 > > Avoids "scp never exits" problem. Reports from Lutz Jaenicke > > and Tamito KAJIYAMA > > > > - (djm) Pick up LOGIN_PROGRAM from environment or PATH if not set by headers > > - (djm) Add local version to version.h > > - (djm) OpenBSD CVS updates: > > - deraadt at cvs.openbsd.org 2000/08/18 20:07:23 > > [ssh.c] > > accept remsh as a valid name as well; roman at buildpoint.com > > - deraadt at cvs.openbsd.org 2000/08/18 20:17:13 > > [deattack.c crc32.c packet.c] > > rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to > > libz crc32 function yet, because it has ugly "long"'s in it; > > oneill at cs.sfu.ca > > - deraadt at cvs.openbsd.org 2000/08/18 20:26:08 > > [scp.1 scp.c] > > -S prog support; tv at debian.org > > - deraadt at cvs.openbsd.org 2000/08/18 20:50:07 > > [scp.c] > > knf > > - deraadt at cvs.openbsd.org 2000/08/18 20:57:33 > > [log-client.c] > > shorten > > - markus at cvs.openbsd.org 2000/08/19 12:48:11 > > [channels.c channels.h clientloop.c ssh.c ssh.h] > > support for ~. in ssh2 > > - deraadt at cvs.openbsd.org 2000/08/19 15:29:40 > > [crc32.h] > > proper prototype > > - markus at cvs.openbsd.org 2000/08/19 15:34:44 > > [authfd.c authfd.h key.c key.h ssh-add.1 ssh-add.c ssh-agent.1] > > [ssh-agent.c ssh-keygen.c sshconnect1.c sshconnect2.c Makefile] > > [fingerprint.c fingerprint.h] > > add SSH2/DSA support to the agent and some other DSA related cleanups. 
> > (note that we cannot talk to ssh.com's ssh2 agents) > > - markus at cvs.openbsd.org 2000/08/19 15:55:52 > > [channels.c channels.h clientloop.c] > > more ~ support for ssh2 > > - markus at cvs.openbsd.org 2000/08/19 16:21:19 > > [clientloop.c] > > oops > > - millert at cvs.openbsd.org 2000/08/20 12:25:53 > > [session.c] > > We have to stash the result of get_remote_name_or_ip() before we > > close our socket or getpeername() will get EBADF and the process > > will exit. Only a problem for "UseLogin yes". > > - millert at cvs.openbsd.org 2000/08/20 12:30:59 > > [session.c] > > Only check /etc/nologin if "UseLogin no" since login(1) may have its > > own policy on determining who is allowed to login when /etc/nologin > > is present. Also use the _PATH_NOLOGIN define. > > - millert at cvs.openbsd.org 2000/08/20 12:42:43 > > [auth1.c auth2.c session.c ssh.c] > > Add calls to setusercontext() and login_get*(). We basically call > > setusercontext() in most places where previously we did a setlogin(). > > Add default login.conf file and put root in the "daemon" login class. > > - millert at cvs.openbsd.org 2000/08/21 10:23:31 > > [session.c] > > Fix incorrect PATH setting; noted by Markus. 
> > > > 20000818 > > - (djm) OpenBSD CVS changes: > > - markus at cvs.openbsd.org 2000/07/22 03:14:37 > > [servconf.c servconf.h sshd.8 sshd.c sshd_config] > > random early drop; ok theo, niels > > - deraadt at cvs.openbsd.org 2000/07/26 11:46:51 > > [ssh.1] > > typo > > - deraadt at cvs.openbsd.org 2000/08/01 11:46:11 > > [sshd.8] > > many fixes from pepper at mail.reppep.com > > - provos at cvs.openbsd.org 2000/08/01 13:01:42 > > [Makefile.in util.c aux.c] > > rename aux.c to util.c to help with cygwin port > > - deraadt at cvs.openbsd.org 2000/08/02 00:23:31 > > [authfd.c] > > correct sun_len; Alexander at Leidinger.net > > - provos at cvs.openbsd.org 2000/08/02 10:27:17 > > [readconf.c sshd.8] > > disable kerberos authentication by default > > - provos at cvs.openbsd.org 2000/08/02 11:27:05 > > [sshd.8 readconf.c auth-krb4.c] > > disallow kerberos authentication if we can't verify the TGT; from > > dugsong@ > > kerberos authentication is on by default only if you have a srvtab. > > - markus at cvs.openbsd.org 2000/08/04 14:30:07 > > [auth.c] > > unused > > - markus at cvs.openbsd.org 2000/08/04 14:30:35 > > [sshd_config] > > MaxStartups > > - markus at cvs.openbsd.org 2000/08/15 13:20:46 > > [authfd.c] > > cleanup; ok niels@ > > - markus at cvs.openbsd.org 2000/08/17 14:05:10 > > [session.c] > > cleanup login(1)-like jobs, no duplicate utmp entries > > - markus at cvs.openbsd.org 2000/08/17 14:06:34 > > [session.c sshd.8 sshd.c] > > sshd -u len, similar to telnetd > > - (djm) Lastlog was not getting closed after writing login entry > > - (djm) Add Solaris package support from Rip Loomis > > > > 20000816 > > - (djm) Replacement for inet_ntoa for Irix (which breaks on gcc) > > - (djm) Fix strerror replacement for old SunOS. Based on patch from > > Charles Levert > > - (djm) Seperate arc4random into seperate file and use OpenSSL's RC4 > > implementation. 
> > - (djm) SUN_LEN macro for systems which lack it > > > > 20000815 > > - (djm) More SunOS 4.1.x fixes from Nate Itkin > > - (djm) Avoid failures on Irix when ssh is not setuid. Fix from > > Michael Stone > > - (djm) Don't seek in directory based lastlogs > > - (djm) Fix --with-ipaddr-display configure option test. Patch from > > Jarno Huuskonen > > - (djm) Fix AIX limits from Alexandre Oliva > > > > 20000813 > > - (djm) Add $(srcdir) to includes when compiling (for VPATH). Report from > > Fabrice bacchella > > > > 20000809 > > - (djm) Define AIX hard limits if headers don't. Report from > > Bill Painter > > - (djm) utmp direct write & SunOS 4 patch from Charles Levert > > > > > > 20000808 > > - (djm) Cleanup Redhat RPMs. Generate keys at runtime rather than install > > time, spec file cleanup. > > > > 20000807 > > - (djm) Set 0755 on binaries during install. Report from Lutz Jaenicke > > - (djm) Suppress error messages on channel close shutdown() failurs > > works around Linux bug. Patch from Zack Weinberg > > - (djm) Add some more entropy collection commands from Lutz Jaenicke > > > > 20000725 > > - (djm) Fix autoconf typo: HAVE_BINRESVPORT_AF -> HAVE_BINDRESVPORT_AF > > > > 20000721 > > - (djm) OpenBSD CVS updates: > > - markus at cvs.openbsd.org 2000/07/16 02:27:22 > > [authfd.c authfd.h channels.c clientloop.c ssh-add.c ssh-agent.c ssh.c] > > [sshconnect1.c sshconnect2.c] > > make ssh-add accept dsa keys (the agent does not) > > - djm at cvs.openbsd.org 2000/07/17 19:25:02 > > [sshd.c] > > Another closing of stdin; ok deraadt > > - markus at cvs.openbsd.org 2000/07/19 18:33:12 > > [dsa.c] > > missing free, reorder > > - markus at cvs.openbsd.org 2000/07/20 16:23:14 > > [ssh-keygen.1] > > document input and output files > > > > 20000720 > > - (djm) Spec file fix from Petr Novotny > > > > > > -- > > | "Bombay is 250ms from New York in the new world order" - Alan Cox > > | Damien Miller - http://www.mindrot.org/ > > | Email: djm at mindrot.org (home) -or- djm at 
ibs.com.au (work)
> >
> >
From mouring at pconline.com Fri Aug 25 00:21:24 2000
From: mouring at pconline.com (Ben Lindstrom) Date: Thu, 24 Aug 2000 09:21:24 -0500 (CDT) Subject: Final NeXT issues (Re: Test snapshot) In-Reply-To: <200008240643.XAA21642@swoon.net> Message-ID:

> > Matt, did you ever succeed in building FAT binaries?
>
> I have not attempted this. Is there some obvious problem with building FAT
> binaries?
>

Not really. Mr Weigel earlier in the port expressed an interest in building an OpenSSH NeXT package with at least M68k, HPPA, and Intel (unsure if he was going to do Sparc since it's even more rare to find such an install) as being on his list of things he would like to see occur.

Ben Lindstrom
From garrick at james.net Fri Aug 25 02:04:37 2000
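The while-read loop in Aran Cox's report two messages up (ssh -n inside `while read host`) comes down to file-descriptor inheritance: every command run in the loop body inherits the loop's stdin, and a command that reads it to EOF, as ssh does unless told not to, eats the rest of the host list. The program below is an added example, not code from the thread and not OpenSSH code; it reproduces the shell behaviour at the syscall level with a child process standing in for ssh, a constructed three-host list in a pipe standing in for stdin, and a flag that plays the role of -n by pointing the child at /dev/null.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read one newline-terminated line from fd a byte at a time, as the
 * shell's "read" builtin has to (reading ahead would itself consume input
 * meant for the loop body).  Returns the line length, or -1 at EOF. */
static int read_line(int fd, char *buf, size_t len)
{
    size_t n = 0;
    ssize_t r = 0;
    char c = '\0';

    for (;;) {
        r = read(fd, &c, 1);
        if (r != 1 || c == '\n')
            break;
        if (n + 1 < len)
            buf[n++] = c;
    }
    buf[n] = '\0';
    return (r == 1 || n > 0) ? (int)n : -1;
}

/* Run the loop body once per host.  The child stands in for "ssh host cmd":
 * it reads its standard input to EOF before exiting, which is what ssh does
 * when stdin is left alone.  With redirect_stdin set the child reads
 * /dev/null instead, which is what "ssh -n" arranges.  Returns the number
 * of hosts actually processed, or -1 on a system call failure. */
int run_host_loop(const char *hostlist, int redirect_stdin)
{
    int pfd[2];
    char host[64];
    int processed = 0;
    size_t len = strlen(hostlist);

    if (pipe(pfd) == -1)
        return -1;
    /* The constructed host list goes into the pipe up front and the write
     * end is closed, so readers see EOF once the data is gone. */
    if (write(pfd[1], hostlist, len) != (ssize_t)len)
        return -1;
    close(pfd[1]);

    while (read_line(pfd[0], host, sizeof(host)) >= 0) {
        pid_t pid = fork();
        if (pid == -1)
            return -1;
        if (pid == 0) {
            int in = pfd[0];            /* inherited loop input */
            char scratch[64];
            if (redirect_stdin)
                in = open("/dev/null", O_RDONLY);
            /* the "remote command" drains whatever is on its stdin */
            while (read(in, scratch, sizeof(scratch)) > 0)
                ;
            _exit(0);
        }
        waitpid(pid, NULL, 0);
        processed++;
    }
    close(pfd[0]);
    return processed;
}

int main(void)
{
    const char *hosts = "alpha\nbeta\ngamma\n";   /* constructed input */

    printf("without -n: %d host(s) processed\n", run_host_loop(hosts, 0));
    printf("with -n:    %d host(s) processed\n", run_host_loop(hosts, 1));
    return 0;
}
```

Without the redirect the first child drains "beta" and "gamma" from the shared pipe and the loop ends after one host; with it, all three are processed. The same applies to any other stdin-reading command in such a loop, so `</dev/null` on the command is the portable fix where a `-n` switch does not exist.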
From: garrick at james.net (Garrick James) Date: Thu, 24 Aug 2000 09:04:37 -0700 (PDT) Subject: Control-c not work under openssh? In-Reply-To: <39A43D06.B5084F9@ntcor.com> Message-ID:

I've been really trying to get around to writing this up. I think I've found a work around (and some info for someone with more knowledge to track down this little glitch) for this control-c problem under Solaris. Apologies up front for how wordy this is all going to be...

I've used openssh on Linux-x86 2.0, Linux-x86 2.2, and Solaris-SPARC 2.6. The bug I'm going to discuss here seems to only manifest itself with the openssh sshd on my Solaris boxen.

Bug symptoms: Regardless of the client being used (so far, I have used SecureCRT, linux openssh, solaris openssh, SSH-inc's ssh, and Tera Term Pro SSH), when sshing into a Solaris box running openssh, control-c does not work. :-(

I've noticed something interesting, though. The presence of the bug's symptom is dependent on the state of control-c functionality at the time that sshd is started on the server. If control-c is working in the controlling terminal from which sshd is started, then control-c will work in all client connections. If control-c is not working at server daemon startup time, then clients do not get a working control-c.

For example, if I use an "at" or "cron" job to kill all sshd processes and then start sshd up again, control-c will not work in client connections. However, if I execute the same script that does the stop and start actions from a session that does have a working control-c (logged in at the console, via telnet, or via an ssh connection that is working properly--remember to nohup the script, though:) then control-c will work properly for client connections.

I do not run sshd from inetd, so I cannot give the results for that case, but my gut *guess* is that control-c will not work for clients.

So... I hope all that made sense. I do not have enough skill/knowledge to track down in the source why sshd is dependent on control-c working at startup time on Solaris and not on other OSes (like my Linux boxen). Hopefully someone out there can take this info as a starting place to track down the bug.

Anyway, to work around the control-c problem on Solaris: run sshd in daemon mode and start it either from an rc init script or from a logged in session with a working control-c.

Oh yeah, almost forgot. The above all holds true for when UseLogin is set to no. I have no idea about when it is set to yes.

-Garrick James
OpenSSH fan.

On Wed, 23 Aug 2000, Jeff Wiegley, Ph.D. wrote:
> I'm a little confused now.
>
> Am I supposed to use "UseLogin yes"; if I do am I supposed to kludge the
> execl function call for login to pass the environment.
>
> Or...
>
> Is this really a bug in the way the sshd daemon handles control-c?
> Should I wait for this to be fixed the real way?
> Where in the code would this problem reside? If I knew that maybe I
> could help design and code the solution and provide a patch for it.
> (Though I'm not real intimate with the ssh code :-(
>
> Let me know how I can help! This has been bothering me for quite some
> time and I would love to help fix it.
>
> Thanks,
>
> - Jeff
>
>
> douglas.manton at uk.ibm.com wrote:
> >
> > > Yes, I started doing this myself also when I got sidetracked.
> >
> > > Looking at Tatu Ylonen's ssh, it does the exact same thing (just a NULL),
> > > so I'm assuming that this is the correct behavior? So I figured (at
> > > least for my environment) it would be better to turn efforts to fixing
> > the
> > > control-C issue instead of kludging something else. But I may be
> > > mistaken.
> >
> > Of course the lack of environment means that the DISPLAY variable is left
> > unset -- an annoyance when 20 lusers are trying to forward X11 back from
> > one of our NetView servers and calling me for tech support :-(
> >
> > Doug.
> > -------------------------------------------------------- > > Doug Manton, AT&T EMEA Firewall and Security Solutions > > > > demanton at att.com > > -------------------------------------------------------- > > "If privacy is outlawed, only outlaws will have privacy" > > > From scraig at eli.net Fri Aug 25 02:08:16 2000 
From: scraig at eli.net (Stuart Craig) Date: Thu, 24 Aug 2000 09:08:16 -0700 Subject: HP-UX /etc/PATH References: <39A464CD.2DC83AC@eli.net> <20000824135428.B9430@serv01.aet.tu-cottbus.de> Message-ID: <39A54870.E1763E75@eli.net> Lutz Jaenicke wrote: > > On Wed, Aug 23, 2000 at 04:57:01PM -0700, Stuart Craig wrote: > > Attached to this message is a patch I made against 2.1.1p4 for HP-UX > > which causes sshd to set the PATH variable from /etc/PATH. This is the > > usual practice under HP-UX 10.20 and HP-UX 11. I activated the patch by > > calling configure like so: > > > > ./configure --with-cflags=-DHAVE_ETC_PATH ... > > > > This should be done in configure instead, but I haven't installed > > autoconf. > > /etc/PATH is read by /etc/csh.login or /etc/profile, respectively. > My (may be personal) problem is that I only have the "system PATH" > as automatically be set during swinstall processes in /etc/PATH, > my additional settings are in /usr/local/etc/PATH which is sourced > later from my (changed) /etc/csh.login or /etc/profile files. > (And, of course, /usr/local/openssh/bin is on /usr/local/etc/PATH :-) > [This solution is easier to maintain as I have a common /usr/local that > is distributed via rdist (over ssh, of course :-), while /etc/PATH can > be different for the individual hosts with respect to the installed software.] I added this patch because /etc/PATH is read by /etc/csh.login and /etc/profile, but neither of these get executed if you use ssh for remote command execution. To see the difference, compare the path you see with "ssh env" with the path you see when you ssh to and then run env in an interactive shell. It sounds like you have gotten around that problem by specifying a more complete default PATH to configure. I didn't want to do it that way because I've got more than 80 HP systems with a very random mix of installed applications -- most of them have different system PATH settings. 
> That won't hurt anybody, if (there is always an if :-) your patch would > not overwrite the PATH that was compiled in by setting the > "--with-default-path=..." switch. > Do you think it would be appropriate to concatenate the default path compiled > in _and_ /etc/PATH? Probably we would get doubled entries. I don't have a problem with modifying the patch to concatenate the two PATHs. I almost did it that way in the first place. The question is, do I put the compiled in default PATH first, or last? I'm leaning towards first. Maybe what is really needed is a simple way, using configure, to specify one or more arbitrary files to read for PATH and other environment variable information. You've got to admit that the current set of files that gets looked at, on various platforms, is pretty much a random jumble. - Stu -- Stuart J. Craig Senior UNIX Administrator Electric Lightwave, Inc. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 2515 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000824/24b981fe/attachment.bin From Lutz.Jaenicke at aet.TU-Cottbus.DE Fri Aug 25 02:35:09 2000 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Thu, 24 Aug 2000 18:35:09 +0200 Subject: HP-UX /etc/PATH In-Reply-To: <39A54870.E1763E75@eli.net>; from scraig@eli.net on Thu, Aug 24, 2000 at 09:08:16AM -0700 References: <39A464CD.2DC83AC@eli.net> <20000824135428.B9430@serv01.aet.tu-cottbus.de> <39A54870.E1763E75@eli.net> Message-ID: <20000824183509.A13271@serv01.aet.tu-cottbus.de>

On Thu, Aug 24, 2000 at 09:08:16AM -0700, Stuart Craig wrote:
> I added this patch because /etc/PATH is read by /etc/csh.login and
> /etc/profile, but neither of these get executed if you use ssh for
> remote command execution. To see the difference, compare the path you
> see with "ssh env" with the path you see when you ssh to
> and then run env in an interactive shell. It sounds like you
> have gotten around that problem by specifying a more complete default
> PATH to configure. I didn't want to do it that way because I've got
> more than 80 HP systems with a very random mix of installed applications
> -- most of them have different system PATH settings.

Yes, I completely understand your problem. I have solved it by having a synchronised /usr/local with its own /usr/local/etc/PATH. You have your setup and your solution (it would be boring if everybody had the same problem and solved it the same way :-).

> I don't have a problem with modifying the patch to concatenate the two
> PATHs. I almost did it that way in the first place. The question is,
> do I put the compiled in default PATH first, or last? I'm leaning
> towards first.

I also support putting the compiled-in PATH first. The most important entry in the default PATH I have specified is the path to the OpenSSH binaries, so that e.g. an scp is found that does match the OpenSSH package used.

> Maybe what is really needed is a simple way, using configure, to specify
> one or more arbitrary files to read for PATH and other environment
> variable information.
> You've got to admit that the current set of files
> that gets looked at, on various platforms, is pretty much a random
> jumble.

:-) That's one of the weakest points of the different UNIX incarnations.
A lot of things are more or less easy to port, but these questions are a
horror. I only have HP-UX and (SuSE-)Linux and there is no common
denominator on how to find out a good default PATH automatically.

Best regards,
	Lutz
-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From adamb at zeroknowledge.com Fri Aug 25 03:42:22 2000
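One way to do the concatenation Stuart and Lutz are discussing, as an added example that is neither Stuart's patch nor OpenSSH code: compiled-in entries go first, /etc/PATH entries are appended only when not already present (so no doubled entries), and empty or relative entries are dropped because a privileged login shell should never search the current directory. The function names and the sample PATH strings are mine.

```c
#include <stdio.h>
#include <string.h>

/* Does path (a ':'-separated list) already contain exactly entry[0..len)? */
static int has_entry(const char *path, const char *entry, size_t len)
{
    const char *p = path;
    while (*p != '\0') {
        const char *q = strchr(p, ':');
        size_t n = q ? (size_t)(q - p) : strlen(p);
        if (n == len && strncmp(p, entry, len) == 0)
            return 1;
        if (q == NULL)
            break;
        p = q + 1;
    }
    return 0;
}

/* Append the entries of src to dest (capacity destsize), skipping entries
 * that are empty, relative, or already present.  A trailing CR/LF on an
 * entry (as read from a one-line file such as /etc/PATH) is stripped.
 * Returns the number of entries added, or -1 if dest would overflow. */
static int append_entries(char *dest, size_t destsize, const char *src)
{
    int added = 0;
    const char *p = src;
    for (;;) {
        const char *q = strchr(p, ':');
        size_t n = q ? (size_t)(q - p) : strlen(p);
        while (n > 0 && (p[n - 1] == '\n' || p[n - 1] == '\r'))
            n--;
        /* Only absolute, non-empty, not-yet-seen entries are accepted. */
        if (n > 0 && p[0] == '/' && !has_entry(dest, p, n)) {
            size_t cur = strlen(dest);
            size_t sep = cur ? 1 : 0;
            if (cur + sep + n + 1 > destsize)
                return -1;
            if (sep)
                dest[cur++] = ':';
            memcpy(dest + cur, p, n);
            dest[cur + n] = '\0';
            added++;
        }
        if (q == NULL)
            break;
        p = q + 1;
    }
    return added;
}

/* Build the login PATH: compiled-in default first, then the /etc/PATH
 * contents.  Returns the total number of entries, or -1 on overflow. */
int merge_path(char *dest, size_t destsize, const char *compiled_in,
               const char *from_file)
{
    int a, b;
    if (destsize == 0)
        return -1;
    dest[0] = '\0';
    if ((a = append_entries(dest, destsize, compiled_in)) < 0)
        return -1;
    if ((b = append_entries(dest, destsize, from_file)) < 0)
        return -1;
    return a + b;
}

/* Convenience for checks: merge into a local buffer and compare. */
int merge_equals(const char *compiled_in, const char *from_file,
                 const char *expected)
{
    char buf[256];
    if (merge_path(buf, sizeof(buf), compiled_in, from_file) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample input: a compiled-in default and the contents of
     * an /etc/PATH file with a duplicate, an empty and a relative entry. */
    const char *compiled_in = "/usr/local/bin:/usr/bin:/bin";
    const char *etc_path = "/usr/bin:/opt/hpux/bin::bin:/usr/local/bin\n";
    char path[256];
    int n = merge_path(path, sizeof(path), compiled_in, etc_path);
    printf("%d entries: PATH=%s\n", n, path);
    return 0;
}
```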
From: adamb at zeroknowledge.com (Adam Back)
Date: Thu, 24 Aug 2000 13:42:22 -0400
Subject: yarrow unix source
Message-ID: <200008241742.NAA27721@adamb.dev.zks.net>

Some time ago I sent to this list:

> We at ZKS were also interested in yarrow under unix. However the
> implementation that counterpane have on their web page doesn't
> correspond to the paper -- it is a pretty different design.

And finally... ZKS' open source yarrow implementation (BSD license) is at:

	http://opensource.zeroknowledge.com

Damien Miller wrote:
> Has there been any movement on this release?
>
> We are keen to use Yarrow as an entropy source for OpenSSH. I would be
> willing to test and debug such code :)

This isn't a final version as there are no test vectors yet, and there
remain some spec ambiguities, but we've set up a mailing list for the
purpose of deriving test vectors. Send mail with body "subscribe" to
yarrow-request at zeroknowledge.com. Those interested may like to
participate in discovering differences between yarrow implementations and
fixing the ambiguities in the yarrow spec. Or perhaps just subscribing to
monitor how well it's doing until it's stable enough to use for OpenSSH.

The API it should present to make porting easy is also tricky as it has
to work in the linux kernel, MAC driver levels, perhaps windows or DOS
device drivers etc, and the implementation restrictions down there are
kind of interesting.

You can also use it as a user land process for OSes without device level
yarrow support (though it would be nice to head that way). The tricky
part there is threading (you need to provide thread functions) and what
to do about forking -- ideally you want the rng context to be in shared
memory, but the SSH may not support cross platform shared memory.

Adam

From svaughan at asterion.com Fri Aug 25 05:00:00 2000
From: svaughan at asterion.com (svaughan at asterion.com)
Date: Thu, 24 Aug 2000 12:00:00 -0700 (PDT)
Subject: Test snapshot
In-Reply-To: <20000824122124.C1036@lazarus.cv.telegroup.com>
Message-ID: 

Hello,

I've compiled the snapshot on SCO Openserver 5.0.5. However, I am still
getting the same problem of sshd erring out because it could not allocate
a pty. I can send the config.log to the people who want to look at it..
(I didn't want to send a long email to those who don't need it :-)

Also tested the snapshot under Mandrake 6.0 (w/kernel 2.2.13-7mdk) and so
far no problems.

Thanks,
Sam

some debug .....

syslog:

Aug 24 11:26:42 beta sshd[13890]: Accepted password for sam from beta port 800
Aug 24 11:26:42 beta sshd[13890]: error: Failed to allocate pty.

from ssh when trying to connect:

debug: Reading configuration data /usr/local/etc/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 501 geteuid 0 anon 0
debug: Connecting to beta [beta] port 22.
debug: Seeding random number generator
debug: Allocated local port 684.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.1.1p5
debug: Local version string SSH-1.5-OpenSSH_2.1.1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'beta' is known and matches the RSA host key.
debug: Seeding random number generator
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Doing password authentication.
sam at beta's password: 
debug: Requesting pty.
Warning: Remote host failed or refused to allocate a pseudo tty.
debug: Requesting shell.
debug: Entering interactive session.
debug: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.0 seconds debug: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0 debug: Exit status 0 From seva at null.cc.uic.edu Fri Aug 25 05:25:17 2000 From: seva at null.cc.uic.edu (Simon Epsteyn) Date: Thu, 24 Aug 2000 14:25:17 -0500 (CDT) Subject: Force pseudo-tty allocation option "-t" Message-ID: Please Cc: me on the reply as I am not on the list. >From the ssh(1) man page: -t Force pseudo-tty allocation. This can be used to execute arbi trary screen-based programs on a remote machine, which can be very useful, e.g., when implementing menu services. This is similiar to what I am trying to do, use "-t" flag to ssh from my application, however it just didn't seem to work. >From the ssh.c source: /* Do not allocate a tty if stdin is not a tty. */ if (!isatty(fileno(stdin))) { if (tty_flag) fprintf(stderr, "Pseudo-terminal will not be allocated because stdin is not a terminal.\n"); tty_flag = 0; } This seems like it doesn't allocate a pseudo-tty no matter what the command line option set the tty_flag to, since it only check for isatty(). Could someone explain this to me if I am wrong, but does changing "if (tty_flag)" to "if (!(tty_flag))" seems to work... Please take a look at the attached patch and Cc: me on the reply. /Simon -------------- next part -------------- --- ssh.c.orig Thu Aug 24 13:17:30 2000 +++ ssh.c Thu Aug 24 14:16:47 2000 @@ -460,9 +460,8 @@ /* Do not allocate a tty if stdin is not a tty. */ if (!isatty(fileno(stdin))) { - if (tty_flag) + if (!(tty_flag)) fprintf(stderr, "Pseudo-terminal will not be allocated because stdin is not a terminal.\n"); - tty_flag = 0; } /* force */ if (no_tty_flag) From gert at greenie.muc.de Fri Aug 25 05:51:48 2000 
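Review bot: the inverted test in the ssh.c hunk makes the warning fire in the wrong case. With "if (!(tty_flag))", the message "Pseudo-terminal will not be allocated because stdin is not a terminal" is printed exactly when the user did not ask for a tty, and nothing is printed when -t forces one onto a non-terminal stdin; and because "tty_flag = 0;" is removed, -t now requests a pty on the server even though the local side has no terminal. If the goal is to let -t override the isatty() check, keep "if (tty_flag)", change the message to say a pty is being allocated despite stdin not being a terminal (or print nothing), and drop only the "tty_flag = 0;" line. Since the server then treats piped input as an interactive session, the behaviour should stay opt-in through -t rather than become the default for every non-tty invocation.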
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 24 Aug 2000 21:51:48 +0200
Subject: Control-c not work under openssh?
In-Reply-To: ; from Garrick James on Thu, Aug 24, 2000 at 09:04:37AM -0700
References: <39A43D06.B5084F9@ntcor.com>
Message-ID: <20000824215148.F6248@greenie.muc.de>

Hi,

On Thu, Aug 24, 2000 at 09:04:37AM -0700, Garrick James wrote:
> I've noticed something interesting, though. The presence of the bug's
> symptom is dependent on the state of control-c functionality at the time
> that sshd is started on the server. If control-c is working in the
> controlling terminal from which sshd is started, then control-c will work
> in all client connections. If control-c is not working at server daemon
> startup time, then clients do not get a working control-c.

Now that's a VERY good hint. It means, most likely, that the signal()
handling for SIGINT is broken - it sounds like "if sshd inherits a
'SIG_IGN' setting at startup, this will be passed to all children, which
will ignore SIGINT as well".

If that assumption is correct, it would be sufficient to do

	signal( SIGINT, SIG_DFL );

somewhere early in the sshd startup phase.

... just browsing through the code without really trying to find the
"ideal" spot, I'd suggest the following experiment. In "session.c",
about line 420 (2.1.1p4 here), you'll find the following code:

	/* Fork the child. */
	if ((pid = fork()) == 0) {
		/* Child. Reinitialize the log since the pid has changed. */
		log_init(__progname, options.log_level, options.log_facility,
		    log_stderr);

		/*
		 * Create a new session and process group since the 4.4BSD
		 * setlogin() affects the entire process group.
		 */

put the signal(SIGINT, SIG_DFL) in between those lines, after the
log_init, recompile, and see what happens...

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From gert at greenie.muc.de Fri Aug 25 06:01:13 2000
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 24 Aug 2000 22:01:13 +0200
Subject: Control-c not work under openssh?
In-Reply-To: <20000824215148.F6248@greenie.muc.de>; from Gert Doering on Thu, Aug 24, 2000 at 09:51:48PM +0200
References: <39A43D06.B5084F9@ntcor.com> <20000824215148.F6248@greenie.muc.de>
Message-ID: <20000824220113.A8555@greenie.muc.de>

Hi,

On Thu, Aug 24, 2000 at 09:51:48PM +0200, Gert Doering wrote:
> ... just browsing through the code without really trying to find the
> "ideal" spot, I'd suggest the following experiment. In "session.c",
> about line 420 (2.1.1p4 here), you'll find the following code:

Wrong place, this is only for no-tty commands, which don't care about
ctrl-c. *oops*.

Next try.... "pty.c", function "pty_make_controlling_tty" (about line 201)
is a better bet. Just insert the "signal( SIGINT, SIG_DFL);" line at the
end of the function, right after:

	/* Verify that we now have a controlling tty. */
	fd = open("/dev/tty", O_WRONLY);
	if (fd < 0)
		error("open /dev/tty failed - could not set controlling tty: %.100s",
		    strerror(errno));
	else {
		close(fd);
	}

	/* NEW: set ctrl-C signal to "default", which is "abort program" */
	signal( SIGINT, SIG_DFL );
	/* end NEW */
}

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From willday at rom.oit.gatech.edu Fri Aug 25 06:43:37 2000
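The inheritance Gert's two messages rely on, as an added example that is not OpenSSH code and not from the thread: a parent process with SIGINT set to SIG_IGN (as sshd would inherit it from the terminal that started it) forks a child the way session.c does, and the child only dies from SIGINT after resetting the disposition to SIG_DFL. The function names are mine; the child raises SIGINT on itself to stand in for the user's ^C.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Report whether SIGINT is currently ignored in this process (1/0, -1 on error). */
int sigint_is_ignored(void)
{
    struct sigaction cur;
    if (sigaction(SIGINT, NULL, &cur) < 0)
        return -1;
    return cur.sa_handler == SIG_IGN;
}

/* Simulate the situation in the thread: the parent ("sshd") has SIGINT
 * ignored, forks a child ("the session"), and the child optionally resets
 * SIGINT to SIG_DFL before receiving it.  Returns 1 if the child was
 * terminated by SIGINT, 0 if it ignored the signal, -1 on error.
 * The parent's original disposition is restored before returning. */
int child_killed_by_sigint(int reset_in_child)
{
    struct sigaction ign, saved;
    pid_t pid;
    int status;

    memset(&ign, 0, sizeof(ign));
    ign.sa_handler = SIG_IGN;
    sigemptyset(&ign.sa_mask);
    if (sigaction(SIGINT, &ign, &saved) < 0)
        return -1;

    pid = fork();
    if (pid < 0) {
        sigaction(SIGINT, &saved, NULL);
        return -1;
    }
    if (pid == 0) {
        /* Child: signal dispositions are copied across fork(), and SIG_IGN
         * (unlike a handler) also survives execve(), so the user's shell
         * would inherit the ignore as well. */
        if (reset_in_child)
            signal(SIGINT, SIG_DFL);   /* the one-line fix proposed above */
        raise(SIGINT);                 /* stands in for ^C from the client */
        _exit(0);                      /* only reached if SIGINT was ignored */
    }

    if (waitpid(pid, &status, 0) < 0) {
        sigaction(SIGINT, &saved, NULL);
        return -1;
    }
    sigaction(SIGINT, &saved, NULL);
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGINT)
        return 1;
    return 0;
}

int main(void)
{
    printf("inherited SIG_IGN, child not reset: killed by SIGINT = %d\n",
           child_killed_by_sigint(0));
    printf("child resets to SIG_DFL:            killed by SIGINT = %d\n",
           child_killed_by_sigint(1));
    return 0;
}
```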
From: willday at rom.oit.gatech.edu (Will Day)
Date: Thu, 24 Aug 2000 16:43:37 -0400
Subject: patch for a few things
Message-ID: <20000824164337.A6790@rom.oit.gatech.edu>

This isn't related to the snapshot, but mention of it reminded me to submit
these changes. I added a few things, and made a couple small changes; here's
a list of what the patch includes:

- adds a "-1" argument to ssh and ssh.1 to force protocol 1, similar to the
  existing "-2" argument.

- adds "-1" and "-2" to scp and scp.1 as well.

- adds "-S" to scp.1 "Synopsis" argument list; it was described in the body,
  but wasn't included in the list of options at the top.

- in configure.in, removed "-L/usr/ucblib -R/usr/ucblib" from the LDFLAGS for
  solaris, as it has been my experience that one generally does _not_ want to
  use any of the UCB-compat libraries under Solaris - that it usually causes
  more problems than anything else. Everything should work fine using svr4
  interfaces, and I didn't notice any problems with compile or execution
  without ucblib. The only caveat is that it may actually be required with
  older solaris versions; I'm not sure about those (2.4 and below).

- in the getopt-handling section of scp.c, there were comment headers that
  seemed to split the arguments into "Server options" and "User-visible
  flags". However, there appeared to be a number of "user" options added to
  the end of the list, appearing under the "server options" comment. I put
  all the user options together, and moved the server options (df:t:) to the
  top, so that if new options are added at the bottom, they'll be in the user
  section rather than the server section.

- on startup, have sshd log the PAM service it's going to recognize. I had a
  situation with machines using different strings (sometimes the default
  "sshd", sometimes compiled with -DSSHD_PAM_SERVICE="ssh"), and I couldn't
  tell which the particular binary was looking for. Doing a 'strings' on the
  binary didn't help. :) So, I added a message to log this on startup, when
  compiled with PAM support.

- in auth-pam.c:pamconv(), add support for PAM_ERROR_MSG. Also, in addition
  to appending messages to pam_msg, it sends errors and text_infos to the
  client as debug messages, and also log()'s error messages. I had a
  situation where a PAM module was trying to send an error to the user, but
  it was never being displayed. I also figured it'd be nice to see them
  _immediately_ (when connecting with '-v'), as well as having them logged so
  the sysadmin can go back to see any errors if a user reported a problem
  logging in.

- in configure.in, added an option "--without-progress-meter" to have scp
  default to not showing the progress meter, similar to
  "--disable-scp-stats" in recent versions of ssh-1.2.2x. Added a "-Q" option
  to scp and scp.1 to enable the meter, again similar to recent ssh-1.2. In
  my case, I use scp in a lot of scripts and things, and prefer to only see
  the progress meter in a subset of these situations.

- also in scp, added a transfer rate display to the progress meter, as I had
  gotten used to the one in ssh-1.2 and missed it very much. :) I had to make
  room on the line, of course, and did that by:
  - pulling 2 characters from the filename
  - pulling 7 characters from the progress-bar
  - pulling 2 characters from the ETA time, by making times over 1 hour
    display as "hh:mm:" (with a trailing ':' to differentiate from "mm:ss")
    and leaving off the seconds (and changing "- stalled -" to "-stalled-").
    I figured that, statistically speaking, most transfers probably take less
    than an hour, and so most of the time the space reserved for the "hh:" is
    just being wasted. I also figured that, if the transfer were going to be
    more than another hour, knowing the number of seconds wasn't much help,
    and thus didn't especially need to be displayed.

  It thus looks like:

  perl5.005_03.tar.g 72% |*************** | 2592 KB 530 KB/s 00:01 ETA

  This could easily be a configure option, if enough people don't want to see
  the transfer rate in the progress meter, but I figured it probably wouldn't
  be much of an issue, so I didn't add one to configure.

  Also, many times when watching the transfer rate, I found I was more
  interested in knowing the rate in bits/sec rather than in bytes/sec (since I
  know the speed of given networks in bits), so I added an option "-b" to scp
  and scp.1 to display in bits/sec instead of bytes. So:

  perl5.005_03.tar.g 84% |****************** | 3048 KB 4274 Kb/s 00:01 ETA

- also in the progress meter, upon completion, I added a "FIN" in place of
  the "ETA". I sometimes found that, looking back in a window scrollback, I
  couldn't always tell if the transfer had succeeded, or if I'd hit CTRL-C,
  and just lost the "ETA" somewhere. Thus, I added the "FIN" so that (a)
  there was no question it had finished, and (b) it looked consistent with
  the in-progress display "ETA". So:

  perl5.005_03.tar.g 100% |**********************| 3592 KB 518 KB/s 00:07 FIN

- in sshd's "Connection from" and "Closing connection" log messages, had them
  include the hostname as well, since that's generally more useful to me than
  the ipaddr. The ipaddr is still included, though, for completeness and
  security's sake. Also, when using libwrap, have it call eval_client() to
  evaluate and return the hostname. I also added the remote port to the
  "Closing" message, so that it could be correlated to the original
  connection.

- also with sshd connection logging, I found that when using protocol 2, it
  seems the daemon frequently exits with fatal_cleanup(), and execution
  doesn't return to main() to log the "connection closing" message. I don't
  understand the protocol well enough to know if there was a better way to
  have it handle the situation so that it actually does return to main.
So, I did this: - added a routine log_connect_close() and pushed this with fatal_add_cleanup() to run on fatal_cleanup() - saved hostname, ipaddr, and port in global vars There's almost certainly a better way to do this, though. The attached patch is made against the openssh-SNAP-20000823 source. -- Will Day OIT / O&E / Technical Support willday at rom.oit.gatech.edu Georgia Tech, Atlanta 30332-0715 -> Opinions expressed are mine alone and do not reflect OIT policy <- Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin, Pennsylvania Assembly, Nov. 11, 1755 -------------- next part -------------- *** ./ssh.c.orig Tue Aug 22 20:46:25 2000 --- ./ssh.c Thu Aug 24 11:12:51 2000 *************** *** 146,151 **** --- 146,152 ---- fprintf(stderr, " -g Allow remote hosts to connect to forwarded ports.\n"); fprintf(stderr, " -4 Use IPv4 only.\n"); fprintf(stderr, " -6 Use IPv6 only.\n"); + fprintf(stderr, " -1 Force protocol version 1.\n"); fprintf(stderr, " -2 Force protocol version 2.\n"); fprintf(stderr, " -o 'option' Process the option as if it was read from a configuration file.\n"); exit(1); *************** *** 287,292 **** --- 288,296 ---- optarg = NULL; } switch (opt) { + case '1': + options.protocol = SSH_PROTO_1; + break; case '2': options.protocol = SSH_PROTO_2; break; *** ./sshd.c.orig Thu Aug 17 23:59:07 2000 --- ./sshd.c Thu Aug 24 15:30:16 2000 *************** *** 90,95 **** --- 90,101 ---- char **saved_argv; int saved_argc; + /* Save these for use from log_connect_close(), called on fatal_cleanup, + * to make sure connection-close is fully logged. */ + char saved_remote_hostname[200]; + char saved_remote_ipaddress[200]; + int saved_remote_port = 0; + /* * The sockets that the server is listening; this is used in the SIGHUP * signal handler. 
*************** *** 228,233 **** --- 234,248 ---- fatal("Timeout before authentication for %s.", get_remote_ipaddr()); } + void + log_connect_close(void *junk) + { + verbose("Closing connection to %.100s [%.100s] port %d", + saved_remote_hostname, saved_remote_ipaddress, + saved_remote_port); + return; + } + /* * Signal handler for the key regeneration alarm. Note that this * alarm only occurs in the daemon waiting for connections, and it does not *************** *** 451,456 **** --- 466,472 ---- struct sockaddr_storage from; const char *remote_ip; int remote_port; + const char *remote_hostname; FILE *f; struct linger linger; struct addrinfo *ai; *************** *** 753,758 **** --- 769,777 ---- } freeaddrinfo(options.listen_addrs); + #ifdef USE_PAM + log("Using PAM authentication service \"%s\".", SSHD_PAM_SERVICE); + #endif /* USE_PAM */ if (!num_listen_socks) fatal("Cannot bind any address."); *************** *** 975,980 **** --- 994,1000 ---- remote_port = get_remote_port(); remote_ip = get_remote_ipaddr(); + remote_hostname = get_canonical_hostname(); /* Check whether logins are denied from this host. */ #ifdef LIBWRAP *************** *** 990,1000 **** close(sock_out); refuse(&req); } /*XXX IPv6 verbose("Connection from %.500s port %d", eval_client(&req), remote_port); */ } #endif /* LIBWRAP */ /* Log the connection. */ ! verbose("Connection from %.500s port %d", remote_ip, remote_port); /* * We don\'t want to listen forever unless the other side --- 1010,1029 ---- close(sock_out); refuse(&req); } + snprintf(saved_remote_hostname, sizeof(saved_remote_hostname), + "%s", eval_client(&req)); /*XXX IPv6 verbose("Connection from %.500s port %d", eval_client(&req), remote_port); */ } + snprintf(saved_remote_hostname, sizeof(saved_remote_hostname), + "%s", remote_hostname); #endif /* LIBWRAP */ /* Log the connection. */ ! snprintf(saved_remote_ipaddress, sizeof(saved_remote_ipaddress), ! "%s", remote_ip); ! saved_remote_port=remote_port; ! 
verbose("Connection from %.100s [%.500s] port %d", ! saved_remote_hostname, saved_remote_ip, saved_remote_port); ! fatal_add_cleanup(log_connect_close, NULL); /* * We don\'t want to listen forever unless the other side *************** *** 1048,1054 **** #endif /* KRB4 */ /* The connection has been terminated. */ ! verbose("Closing connection to %.100s", remote_ip); #ifdef USE_PAM finish_pam(); --- 1077,1084 ---- #endif /* KRB4 */ /* The connection has been terminated. */ ! verbose("Closing connection to %.100s [%.100s] port %d", ! remote_hostname, remote_ip, remote_port); #ifdef USE_PAM finish_pam(); *** ./auth-pam.c.orig Sun Jul 9 08:42:33 2000 --- ./auth-pam.c Thu Aug 24 15:41:56 2000 *************** *** 77,89 **** reply[count].resp_retcode = PAM_SUCCESS; reply[count].resp = xstrdup(pampasswd); break; case PAM_TEXT_INFO: reply[count].resp_retcode = PAM_SUCCESS; reply[count].resp = xstrdup(""); ! ! if (msg[count]->msg != NULL) pam_msg_cat(msg[count]->msg); ! break; default: free(reply); --- 77,92 ---- reply[count].resp_retcode = PAM_SUCCESS; reply[count].resp = xstrdup(pampasswd); break; + case PAM_ERROR_MSG: case PAM_TEXT_INFO: reply[count].resp_retcode = PAM_SUCCESS; reply[count].resp = xstrdup(""); ! if (msg[count]->msg != NULL) { ! if(msg[count]->msg_style==PAM_ERROR_MSG) ! log(msg[count]->msg); ! packet_send_debug(msg[count]->msg); pam_msg_cat(msg[count]->msg); ! } break; default: free(reply); *** ./ssh.1.orig Thu Aug 17 23:59:06 2000 --- ./ssh.1 Thu Aug 24 11:02:14 2000 *************** *** 24,30 **** .Op Ar command .Pp .Nm ssh ! .Op Fl afgknqtvxACNPTX246 .Op Fl c Ar cipher_spec .Op Fl e Ar escape_char .Op Fl i Ar identity_file --- 24,30 ---- .Op Ar command .Pp .Nm ssh ! .Op Fl afgknqtvxACNPTX1246 .Op Fl c Ar cipher_spec .Op Fl e Ar escape_char .Op Fl i Ar identity_file *************** *** 512,517 **** --- 512,521 ---- Port forwardings can also be specified in the configuration file. 
Privileged ports can be forwarded only when logging in as root on the remote machine. + .It Fl 1 + Forces + .Nm + to try protocol version 1 only. .It Fl 2 Forces .Nm *** ./scp.1.orig Tue Aug 22 20:46:24 2000 --- ./scp.1 Thu Aug 24 11:40:17 2000 *************** *** 19,25 **** .Nd secure copy (remote file copy program) .Sh SYNOPSIS .Nm scp ! .Op Fl pqrvC46 .Op Fl P Ar port .Op Fl c Ar cipher .Op Fl i Ar identity_file --- 19,25 ---- .Nd secure copy (remote file copy program) .Sh SYNOPSIS .Nm scp ! .Op Fl bpqrvCQS1246 .Op Fl P Ar port .Op Fl c Ar cipher .Op Fl i Ar identity_file *************** *** 86,93 **** --- 86,97 ---- debugging connection, authentication, and configuration problems. .It Fl B Selects batch mode (prevents asking for passwords or passphrases). + .It Fl Q + Enables the progress meter. .It Fl q Disables the progress meter. + .It Fl b + Show progress meter transfer rate in bits/sec rather than bytes/sec. .It Fl C Compression enable. Passes the *************** *** 108,113 **** --- 112,125 ---- understand .Xr ssh 1 options. + .It Fl 1 + Forces + .Nm + to use SSH Protocol v1 only. + .It Fl 2 + Forces + .Nm + to use SSH Protocol v2 only. .It Fl 4 Forces .Nm *** ./configure.in.orig Tue Aug 22 20:46:24 2000 --- ./configure.in Thu Aug 24 11:02:14 2000 *************** *** 134,140 **** ;; *-*-solaris*) CFLAGS="$CFLAGS -I/usr/local/include" ! LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib -L/usr/ucblib -R/usr/ucblib" need_dash_r=1 # hardwire lastlog location (can't detect it on some versions) conf_lastlog_location="/var/adm/lastlog" --- 134,140 ---- ;; *-*-solaris*) CFLAGS="$CFLAGS -I/usr/local/include" ! 
LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib" need_dash_r=1 # hardwire lastlog location (can't detect it on some versions) conf_lastlog_location="/var/adm/lastlog" *************** *** 1097,1102 **** --- 1097,1119 ---- ] ) + # Display scp progress-meter by default or not + PROGRESS_METER="yes" + AC_MSG_CHECKING(whether to enable progress-meter by default) + AC_ARG_WITH(progress-meter, + [ --without-progress-meter Don't display scp progress-meter by default], + [ + if test "x$withval" = "xno" ; then + PROGRESS_METER="no" + AC_DEFINE(DEFAULT_NO_PROGRESS) + AC_MSG_RESULT(no) + else + PROGRESS_METER="yes" + AC_MSG_RESULT(yes) + fi + ] + ) + # Whether to mess with the default path SERVER_PATH_MSG="(default)" AC_ARG_WITH(default-path, *************** *** 1434,1439 **** --- 1451,1457 ---- echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " Use IPv4 by default hack: $IPV4_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" + echo " scp progress meter by default: $PROGRESS_METER" echo "" *** ./acconfig.h.orig Tue Aug 22 20:46:23 2000 --- ./acconfig.h Thu Aug 24 11:02:14 2000 *************** *** 248,253 **** --- 248,256 ---- /* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */ #undef IPV4_IN_IPV6 + /* Don't display scp progress meter by default */ + #undef DEFAULT_NO_PROGRESS + @BOTTOM@ /* ******************* Shouldn't need to edit below this line ************** */ *** ./config.h.in.orig Tue Aug 22 21:45:36 2000 --- ./config.h.in Thu Aug 24 11:02:14 2000 *************** *** 235,240 **** --- 235,243 ---- /* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */ #undef IPV4_IN_IPV6 + /* Don't display scp progress meter by default */ + #undef DEFAULT_NO_PROGRESS + /* The number of bytes in a char. */ #undef SIZEOF_CHAR *** ./scp.c.orig Tue Aug 22 20:46:24 2000 --- ./scp.c Thu Aug 24 15:20:35 2000 *************** *** 91,104 **** /* This is set to non-zero if IPv6 is desired. */ int IPv6 = 0; /* This is set to non-zero to enable verbose mode. 
*/ int verbose_mode = 0; /* This is set to non-zero if compression is desired. */ int compress_flag = 0; ! /* This is set to zero if the progressmeter is not desired. */ int showprogress = 1; /* This is set to non-zero if running in batch mode (that is, password and passphrase queries are not allowed). */ --- 91,114 ---- /* This is set to non-zero if IPv6 is desired. */ int IPv6 = 0; + /* Protocol (1, 2) to pass to ssh. */ + int protocol = 0; + + /* Show transfer rate in bits/sec rather than bytes/sec. */ + int bitspersec = 0; + /* This is set to non-zero to enable verbose mode. */ int verbose_mode = 0; /* This is set to non-zero if compression is desired. */ int compress_flag = 0; ! /* This is set to zero if the progress meter is not desired by default. */ ! #ifdef DEFAULT_NO_PROGRESS ! int showprogress = 0; ! #else /* not DEFAULT_NO_PROGRESS */ int showprogress = 1; + #endif /* DEFAULT_NO_PROGRESS */ /* This is set to non-zero if running in batch mode (that is, password and passphrase queries are not allowed). */ *************** *** 165,170 **** --- 175,184 ---- args[i++] = ssh_program; args[i++] = "-x"; args[i++] = "-oFallBackToRsh no"; + if (protocol==1) + args[i++] = "-oProtocol 1"; + else if (protocol==2) + args[i++] = "-oProtocol 2"; if (IPv4) args[i++] = "-4"; if (IPv6) *************** *** 262,270 **** extern int optind; fflag = tflag = 0; ! while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S")) != EOF) switch (ch) { /* User-visible flags. */ case '4': IPv4 = 1; break; --- 276,302 ---- extern int optind; fflag = tflag = 0; ! while ((ch = getopt(argc, argv, "bdfprtvBCc:i:P:qQS4612")) != EOF) switch (ch) { + /* Server options. */ + case 'd': + targetshouldbedirectory = 1; + break; + case 'f': /* "from" */ + iamremote = 1; + fflag = 1; + break; + case 't': /* "to" */ + iamremote = 1; + tflag = 1; + break; /* User-visible flags. 
*/ + case '1': + protocol = 1; + break; + case '2': + protocol = 2; + break; case '4': IPv4 = 1; break; *************** *** 283,301 **** case 'S': ssh_program = optarg; break; - - /* Server options. */ - case 'd': - targetshouldbedirectory = 1; - break; - case 'f': /* "from" */ - iamremote = 1; - fflag = 1; - break; - case 't': /* "to" */ - iamremote = 1; - tflag = 1; - break; case 'c': cipher = optarg; break; --- 315,320 ---- *************** *** 311,319 **** --- 330,344 ---- case 'C': compress_flag = 1; break; + case 'Q': + showprogress = 1; + break; case 'q': showprogress = 0; break; + case 'b': + bitspersec = 1; + break; case '?': default: usage(); *************** *** 1129,1134 **** --- 1154,1162 ---- struct timeval now, td, wait; off_t cursize, abbrevsize; double elapsed; + double rate, abbrevrate; + int j; + char b; int ratio, barlength, i, remaining; char buf[256]; *************** *** 1148,1157 **** ratio = MIN(ratio, 100); } else ratio = 100; ! snprintf(buf, sizeof(buf), "\r%-20.20s %3d%% ", curfile, ratio); ! ! barlength = getttywidth() - 51; barlength = (barlength <= MAX_BARLENGTH)?barlength:MAX_BARLENGTH; if (barlength > 0) { i = barlength * ratio / 100; --- 1176,1184 ---- ratio = MIN(ratio, 100); } else ratio = 100; + snprintf(buf, sizeof(buf), "\r%-18.18s %3d%% ", curfile, ratio); ! barlength = getttywidth() - 58; barlength = (barlength <= MAX_BARLENGTH)?barlength:MAX_BARLENGTH; if (barlength > 0) { i = barlength * ratio / 100; *************** *** 1181,1192 **** timersub(&now, &start, &td); elapsed = td.tv_sec + (td.tv_usec / 1000000.0); if (statbytes <= 0 || elapsed <= 0.0 || cursize > totalbytes) { snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), ! " --:-- ETA"); } else if (wait.tv_sec >= STALLTIME) { snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), ! 
" - stalled -"); } else { if (flag != 1) remaining = --- 1208,1249 ---- timersub(&now, &start, &td); elapsed = td.tv_sec + (td.tv_usec / 1000000.0); + rate = cursize / elapsed; + if(bitspersec) { + rate *= 8; + b='b'; + } + else + b='B'; + j = 0; + abbrevrate = rate; + while (abbrevrate >= 10000 && j < sizeof(prefixes)) { + j++; + abbrevrate/=1000; + } + if(wait.tv_sec >= STALLTIME) { + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), + " -.- %c%c/s ", prefixes[j], b); + } + else if (abbrevrate < 10) { + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), + " %1.2f %c%c/s ", abbrevrate, prefixes[j], b); + } + else if (abbrevrate < 100) { + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), + " %2.1f %c%c/s ", abbrevrate, prefixes[j], b); + } + else { + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), + " %4.0f %c%c/s ", abbrevrate, prefixes[j], b); + } + if (statbytes <= 0 || elapsed <= 0.0 || cursize > totalbytes) { snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), ! " --:-- ETA"); } else if (wait.tv_sec >= STALLTIME) { snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), ! " -stalled-"); } else { if (flag != 1) remaining = *************** *** 1195,1210 **** remaining = elapsed; i = remaining / 3600; ! if (i) ! snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), ! "%2d:", i); ! else snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), ! " "); ! i = remaining % 3600; ! snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), ! "%02d:%02d%s", i / 60, i % 60, ! (flag != 1) ? " ETA" : " "); } atomicio(write, fileno(stdout), buf, strlen(buf)); --- 1252,1268 ---- remaining = elapsed; i = remaining / 3600; ! j = remaining % 3600; ! if (remaining > 3600) { ! snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), ! "%2d:%02d:%s", i, j / 60, ! (flag != 1) ? " ETA" : " FIN"); ! } ! else { snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), ! " %02d:%02d%s", j / 60, j % 60, ! (flag != 1) ? " ETA" : " FIN"); ! 
} } atomicio(write, fileno(stdout), buf, strlen(buf)); -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 360 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000824/efc9685b/attachment.bin From odin at linuxfreak.com Fri Aug 25 07:25:01 2000 
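Review bot: the two ssh.c hunks add the usage line and "case '1':" for the new -1 option, but the getopt() option string that precedes the switch is not part of this diff; unless "1" is added there too, getopt() rejects the flag before the new case is ever reached. The scp.c hunk does update its string ("bdfprtvBCc:i:P:qQS4612"), so the ssh.c change appears to be missing rather than intentional.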
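Review bot: in the sshd.c hunk at 990-1000, the new verbose() call references "saved_remote_ip", but the global declared earlier in the patch is "saved_remote_ipaddress", so this will not compile. In the same hunk both new snprintf() calls into saved_remote_hostname sit inside "#ifdef LIBWRAP": the second one unconditionally overwrites the eval_client() result, and with LIBWRAP undefined the buffer is never filled at all; the copy from remote_hostname belongs in an "#else" branch. One more nit: the width limits are swapped ("%.100s" for the hostname, "%.500s" for the address) compared to the earlier "Connection from" message. Keeping the IP next to the reverse-DNS name, as the hunk does, is the right call, since get_canonical_hostname() returns a name the peer's DNS controls.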
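Review bot: in the sshd.c hunk at 1048-1054, the existing "Closing connection" verbose() in main() is kept while log_connect_close() is also registered with fatal_add_cleanup() in the accept path; if fatal_cleanup() runs on the normal exit path as well, a cleanly closed connection is logged as closed twice with different formats. Either call fatal_remove_cleanup(log_connect_close, NULL) before the main-path verbose(), or have main() call log_connect_close(NULL) and drop the separate message so both paths produce one identical line that is easy to match in logs.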
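Review bot: in the auth-pam.c hunk, "log(msg[count]->msg);" passes text composed by a PAM module as the format argument; log() is printf-style (compare the "%.500s"/"%d" conversions in the sshd.c hunks of this same patch), so a message containing "%" sequences would be parsed as conversions instead of printed. Use "log("%s", msg[count]->msg);", and check whether packet_send_debug() also takes a format string, in which case it needs the same treatment. Note also that pamconv() runs during authentication, so forwarding PAM_ERROR_MSG text to the client as debug messages shows whatever a module says about an account (locked, expired, unknown) to a peer that has not authenticated yet; that is worth calling out in the documentation, or gating behind a server option.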
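Review bot: the scp.1 synopsis hunk adds S to the argument-less flag cluster ".Op Fl bpqrvCQS1246", but scp.c's "case 'S'" assigns optarg, and neither the old ("dfprtvBCc:i:P:q46S") nor the new ("bdfprtvBCc:i:P:qQS4612") getopt string gives S a trailing colon. Either "S:" is missing from getopt(), in which case optarg is NULL when -S is used, or the man page should show the option as ".Op Fl S Ar program" outside the cluster; worth resolving before merging.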
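Review bot: in the scp.c progress-meter hunk at 1181-1192, "rate = cursize / elapsed;" is evaluated before the "elapsed <= 0.0" guard that immediately follows, so on the first tick the rate is computed from a zero or negative elapsed time and the meter prints a nonsense rate before showing " --:-- ETA". Move the rate computation and its snprintf() under the same "elapsed > 0.0" condition (or initialise rate to 0 in that case). The "j < sizeof(prefixes)" bound in the abbreviation loop should also be checked against how prefixes is declared, since with a string that bound lets j index the terminating NUL.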
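Review bot: in the scp.c hunk at 1195-1210, "if (remaining > 3600)" with "i = remaining / 3600" and "j = remaining % 3600" means a remaining time of exactly 3600 seconds takes the else branch and is displayed as " 00:00" (i is 1 but unused, j is 0); the test should be ">= 3600" to match the hour computation. Since the trailing-colon "hh:mm:" convention is easy to misread next to "mm:ss", it would help to document it in scp.1 alongside the new -Q and -b options.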
From: odin at linuxfreak.com (Dan Brosemer)
Date: Thu, 24 Aug 2000 17:25:01 -0400
Subject: Test snapshot
In-Reply-To: <20000824025401.A4321@dmgware.ca>; from odin@linuxfreak.com on Thu, Aug 24, 2000 at 02:54:01AM -0400
References: <20000824025401.A4321@dmgware.ca>
Message-ID: <20000824172501.C19100@dmgware.ca>

Same good luck on:

Linux/ARM (Debian/RedHat hybrid) gcc 2.95.1, glibc2.1.2
Linux/i386 (Debian Potato) gcc 2.95.2, glibc2.1.3
Linux/i386 (Debian Slink) 2.7.2.3, libc2.0.7

OpenSSL 0.9.5a all around.

-Dan

On Thu, Aug 24, 2000 at 02:54:01AM -0400, Dan Brosemer wrote:
> On Wed, Aug 23, 2000 at 11:54:40AM +1000, Damien Miller wrote:
> > I have just tarred up a snapshot and uploaded it to:
> > http://www.mindrot.org/misc/openssh/openssh-SNAP-20000823.tar.gz
> 
> Tested on i386 Debian GNU/Linux (woody). (Slink and Potato take a little
> more effort, I'll report on them in the afternoon).
> 
> Compiles fine. Binaries run fine (communicates with OpenBSD (2.1) and
> ssh.com's 1.2.27 as well as itself).
> 
> > - ssh-agent and ssh-add now handle DSA keys. NB. this does not interop
> > with ssh.com's ssh-agent. (Markus Friedl)
> 
> Appears to work.
> 
> > - Fix crashes when sshd is run out of inetd
> 
> Don't have an old version to use as a control, but I can't seem to make this
> one crash either.
> 
> > - More fixes for SunOS4 and NeXT (Nate Itkin and Charles Levert)
> > - Add Solaris package support in contrib/solaris/ (Rip Loomis)
> > - Random Early Drop connection rate limiting for sshd (Markus Friedl)
> > - Fix duplicate lastlog logging (Markus & me)
> > - Add -u option to sshd to make wtmp logging more like login's (Markus)
> > - Use pipes instead of socketpairs to avoid scp not exiting problem
> > on SunOS4 and HPUX 10. (Klaus Engelhardt, Tamito KAJIYAMA & Lutz
> > Jaenicke)
> > - Lots of other fixes (see changelog below)
> 
> I'll test Linux/ARM this afternoon as well as i386 Debian Potato and Slink.
> 
> -Dan
> 
> -- 
> "... the most serious problems in the Internet have been caused by
> unenvisaged mechanisms triggered by low-probability events; mere human
> malice would never have taken so devious a course!" - RFC 1122 section 1.2.2

-- 
"... the most serious problems in the Internet have been caused by
unenvisaged mechanisms triggered by low-probability events; mere human
malice would never have taken so devious a course!" - RFC 1122 section 1.2.2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000824/9e01be98/attachment.bin

From markus.friedl at informatik.uni-erlangen.de Fri Aug 25 07:59:38 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 24 Aug 2000 23:59:38 +0200
Subject: Port forwarding with scp
In-Reply-To: <87zom4z4p1.fsf@pf39.warszawa.sdi.tpnet.pl>; from zaks@prioris.mini.pw.edu.pl on Wed, Aug 23, 2000 at 11:50:50AM +0200
References: <87zom4z4p1.fsf@pf39.warszawa.sdi.tpnet.pl>
Message-ID: <20000824235938.B27278@folly.informatik.uni-erlangen.de>

usually you do this:

	% cat .ssh/config
	Host bla+fwd
		Hostname bla
		LocalForward ....

and

	% scp file bla:/tmp

works fine. if you want to have forwards, explicitly say:

	% ssh bla+fwd -m

On Wed, Aug 23, 2000 at 11:50:50AM +0200, Slawek Zak wrote:
> Hi,
> 
> What do you think of disabling port forwardings configured in
> ~/.ssh/config with scp. Copying of files is shorter or longer but
> still only temporary process. Moreover, when you have one session
> opened and used for "real" forwardings, you can't use scp for the
> remote host, as the forwardings can't be established again (ports are
> busy).
> 
> /S
> 

From scraig at eli.net Fri Aug 25 09:50:48 2000
From: scraig at eli.net (Stuart Craig)
Date: Thu, 24 Aug 2000 16:50:48 -0700
Subject: HP-UX /etc/PATH
References: <39A464CD.2DC83AC@eli.net> <20000824135428.B9430@serv01.aet.tu-cottbus.de> <39A54870.E1763E75@eli.net>
Message-ID: <39A5B4D8.B9D98432@eli.net>

Attached is an improved patch for the HP-UX /etc/PATH file, which also uses
the compiled-in default PATH information.

So far, the new snapshot is working well under HP-UX 10.20, built with gcc
2.95. I plan to do more testing tomorrow, and I will also build it using the
HP ANSI C compiler, and test it under HP-UX 11 and Red Hat 6.2.

- Stu

--
Stuart J. Craig
Senior UNIX Administrator
Electric Lightwave, Inc.

-------------- next part --------------
*** session.c.orig Tue Aug 22 17:46:24 2000 --- session.c Thu Aug 24 11:59:05 2000 *************** *** 1116,1121 **** --- 1116,1159 ---- do_pam_environment(&env, &envsize); #endif /* USE_PAM */ + #ifdef HAVE_ETC_PATH + /* Under versions 10 and 11 of HP-UX, the /etc/PATH file should + * contain a single line which is the value for the PATH environment + * variable. We will append this value to the default openssh PATH. + * We don't actually set the PATH unless /etc/PATH contains something. + */ + #define EPBUFLEN 4096 + { + char epbuf[EPBUFLEN]; + char *epptr; + int eplen; + + f = fopen("/etc/PATH", "r"); + if (f) { + strncpy(epbuf, _PATH_STDPATH, EPBUFLEN - 2); + epbuf[EPBUFLEN - 1] = '\0'; /* Make sure it's terminated */ + if((eplen = strlen(epbuf)) > 0) { + epptr = epbuf + eplen++; + *epptr++ = ':'; + } + else + epptr = epbuf; + + /* This is pretty arbitrary -- make sure there's at least + * a bit of space left in the buffer. 
*/ + if(eplen < EPBUFLEN - 80) { + if (fgets(epptr, EPBUFLEN - eplen, f)) { + if (strchr(epptr, '\n')) + *strchr(epptr, '\n') = '\0'; + if (strlen(epptr) > 0) + child_set_env(&env, &envsize, "PATH", epbuf); + } + } + fclose(f); + } + } + #endif /* HAVE_ETC_PATH */ + read_environment_file(&env,&envsize,"/etc/environment"); if (xauthfile)

From: markm at swoon.net (Mark Miller)
Date: Thu, 24 Aug 2000 18:23:32 -0700
Subject: Bug in session.c?
Message-ID: <200008250123.SAA23909@swoon.net>

I think I have discovered a bug in the 20000823 snapshot of session.c ...

Beginning at line 1229:

        if (screen != NULL)
                fprintf(stderr,
                        "Adding %.*s/unix%s %s %s\n",
                        screen-display, display, screen, auth_proto, auth_data);

and repeated at line 1241:

        if (screen != NULL)
                fprintf(f, "add %.*s/unix%s %s %s\n",
                        screen-display, display, screen, auth_proto, auth_data);

Both fprintf() calls have four string arguments, but contain five variables.

What do you think?
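Review bot: in the session.c hunk (*** 1116,1121 ****), the `if (strlen(epptr) > 0)` test before child_set_env() only protects against an empty /etc/PATH; a line that begins or ends with ':' (or contains "::") still gets appended and leaves an empty element in PATH, which the shell resolves as the current directory, so trim whitespace and drop empty components (or refuse the file) before appending. Two smaller points on the same block: `f` is not declared inside it, so it silently reuses whatever `FILE *f` the enclosing function already has, and `strchr(epptr, '\n')` is evaluated twice where a single `char *nl = strchr(epptr, '\n'); if (nl) *nl = '\0';` would do.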
From: djm at mindrot.org (Damien Miller)
Date: Fri, 25 Aug 2000 12:09:52 +1000 (EST)
Subject: Bug in session.c?
In-Reply-To: <200008250123.SAA23909@swoon.net>

On Thu, 24 Aug 2000, Mark Miller wrote:

> I think I have discovered a bug in the 20000823 snapshot of session.c ...
>
> Beginning at line 1229:
>
>         if (screen != NULL)
>                 fprintf(stderr,
>                         "Adding %.*s/unix%s %s %s\n",

> Both fprintf() calls have four string arguments, but contain five variables.
>
> What do you think?

I think that you should read the manpage for printf :)

the .* construct specifies the width of the format using one of the
arguments.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From: markm at swoon.net (Mark Miller)
Date: Thu, 24 Aug 2000 19:23:45 -0700
Subject: Bug in session.c?
Message-ID: <200008250223.TAA23996@swoon.net>

> I think that you should read the manpage for printf :)

Doh! Yep, so much for jumping the gun. :)

> the .* construct specifies the width of the format using one of the
> arguments.

Indeed, something that I should have looked into before opening my big yap!

Thanks.
From: carl at bl.echidna.id.au (carl at bl.echidna.id.au)
Date: Fri, 25 Aug 2000 12:32:01 +1000 (EST)
Subject: permissions to read .rhosts?
Message-ID: <200008250232.e7P2W1218310@rollcage.bl.echidna.id.au>

I know I shouldn't :)

But, I have a requirement for a group writable home directory that has a
.rhosts file that I want OpenSSH to be able to use.

When I set the group writable permissions for the directory, OpenSSH rejects
the .rhosts file as it doesn't like the permissions.

Is there a workaround or an option to control this, I don't want to hack the
source unless I absolutely have to!

Thanks

Carl

From: mouring at pconline.com (Ben Lindstrom)
Date: Fri, 25 Aug 2000 00:15:55 -0500 (CDT)
Subject: Bug in session.c?

On Fri, 25 Aug 2000, Damien Miller wrote:

> On Thu, 24 Aug 2000, Mark Miller wrote:
>
> > I think I have discovered a bug in the 20000823 snapshot of session.c ...
> >
> > Beginning at line 1229:
> >
> >         if (screen != NULL)
> >                 fprintf(stderr,
> >                         "Adding %.*s/unix%s %s %s\n",
>
> > Both fprintf() calls have four string arguments, but contain five variables.
> >
> > What do you think?
>
> I think that you should read the manpage for printf :)
>
> the .* construct specifies the width of the format using one of the
> arguments.
>
> -d
>

Never used %.*s myself so I had to look it up.. but older gcc does grumble
about the line:

        fprintf(stderr,"Adding %.*s/unix%s %s %s\n",
                screen - display, display, screen, auth_proto, auth_data);

"screen - display" needs to be changed to "(int) (screen - display)" to
ensure type casting is correct for older compilers so they don't grumble so
loud.
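The `%.*s` exchange above in working form, as an added example and not the session.c code itself: the function builds the xauth `add` line the way the quoted fprintf() does, with the `(int)` cast Ben Lindstrom mentions, and returns the length so the caller can detect truncation before handing the line to xauth. The display string and the cookie value are constructed test inputs.

```c
/* Added example: build the xauth(1) "add" line for a forwarded X11 display
 * the way the quoted session.c fprintf() does.  Not code from OpenSSH. */
#include <stdio.h>
#include <string.h>

/*
 * display is "host:N.S".  For the unix-domain socket entry xauth wants
 * "host/unix:N.S", so only the host part of display is printed, with "%.*s":
 * the '*' takes the precision (maximum characters) from the argument list,
 * and (screen - display) is the number of characters before the ':'.
 * printf() expects an int there, which is why the pointer difference
 * (a ptrdiff_t) is cast; older compilers warn without the cast.
 *
 * Returns the number of characters written (excluding the NUL), or -1 if
 * display has no ':' or the line does not fit in buf.
 */
int xauth_add_line(char *buf, size_t buflen, const char *display,
                   const char *auth_proto, const char *auth_data)
{
    const char *screen = strchr(display, ':');
    int n;

    if (screen == NULL)
        return -1;                      /* not a display specification */
    n = snprintf(buf, buflen, "add %.*s/unix%s %s %s\n",
                 (int)(screen - display), display, screen,
                 auth_proto, auth_data);
    if (n < 0 || (size_t)n >= buflen)
        return -1;                      /* truncated: never feed xauth a partial line */
    return n;
}

int main(void)
{
    char line[256];

    /* constructed values; a real cookie is 128 random bits in hex */
    if (xauth_add_line(line, sizeof line, "gw.example:10.0",
                       "MIT-MAGIC-COOKIE-1", "deadbeef") < 0)
        return 1;
    fputs(line, stdout);   /* add gw.example/unix:10.0 MIT-MAGIC-COOKIE-1 deadbeef */
    return 0;
}
```

The precision argument is what keeps `display`'s `:10.0` suffix out of the host part; the length check matters because the output is written to a file that xauth then parses, and a truncated `add` line would register a wrong or empty cookie.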
From: i.palsenberg at jdimedia.nl (Igmar Palsenberg)
Date: Fri, 25 Aug 2000 09:38:04 +0200 (CEST)
Subject: OpenSSH CryptoCard patch.

Hi,

Patch that makes CryptoCard work natively with OpenSSH is on
http://www.jdimedia.nl/igmar/openssh

Damien, please forward this to any list you think is relevant.

Regards,

Igmar Palsenberg
JDI Media Solutions

--
Igmar Palsenberg
JDI Media Solutions
Jansplaats 11
6811 GB Arnhem
The Netherlands
mailto: i.palsenberg at jdimedia.nl
From: J.Horne at plymouth.ac.uk (John Horne)
Date: Fri, 25 Aug 2000 10:22:28 +0100 (BST)
Subject: Control-c not work under openssh?

On 24-Aug-00 at 16:04:37 Garrick James wrote:
> I've noticed something interesting, though. The presence of the bug's
> symptom is dependent on the state of control-c functionality at the time
> that sshd is started on the server. If control-c is working in the
> controlling terminal from which sshd is started, then control-c will work
> in all client connections. If control-c is not working at server daemon
> startup time, then clients do not get a working control-c.
>
Interesting. However, I start sshd via an /etc/init.d file and for testing
connect to the system using a telnet session. Control-c works with telnet. I
assume then that starting the sshd daemon from the telnet session (using the
/etc/init.d file) will likewise have control-c working by default. However,
using slogin to the system control-c still doesn't work. In that respect,
your scenario would seem to be wrong (but see below before despairing...:-) )

On 24-Aug-00 at 20:01:13 Gert Doering wrote:
> Next try.... "pty.c", function "pty_make_controlling_tty" (about line
> 201) is a better bet. Just insert the "signal( SIGINT, SIG_DFL);" line at
> the end of the function, right after:
[snipped]
>
>         /* NEW: set ctrl-C signal to "default", which is "abort program" */
>         sinal( SIGINT, SIG_DFL );
          ^^^^^
should be 'signal' :-)

Yup, I put this in pty.c after line 261.

I have tested this with Solaris 7 and Solaris 8 (on sparc systems) and it
works fine :-) :-) I also used the new snapshot (openssh-SNAP-20000823) for
the tests, so hopefully it could be included for the next release.

Many thanks to both Garrick James and Gert Doering for what seems to be a
fix for this annoying problem!

John.

--------------------------------------------------------------------------
John Horne, University of Plymouth, UK            Tel: +44 (0)1752 233914
E-mail: jhorne at plymouth.ac.uk
PGP key available from public key servers
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 25 Aug 2000 11:28:54 +0200
Subject: Control-c not work under openssh?
Message-ID: <20000825112854.C23737@greenie.muc.de>

Hi,

On Fri, Aug 25, 2000 at 10:22:28AM +0100, John Horne wrote:
[...]
> Interesting. However, I start sshd via an /etc/init.d file and for testing
> connect to the system using a telnet session. Control-c works with telnet. I
> assume then that starting the sshd daemon from the telnet session (using the
> /etc/init.d file) will likewise have control-c working by default. However,
> using slogin to the system control-c still doesn't work. In that respect,
> your scenario would seem to be wrong (but see below before despairing...:-) )

Hmmm...

> >         /* NEW: set ctrl-C signal to "default", which is "abort program" */
> >         sinal( SIGINT, SIG_DFL );
>           ^^^^^
> should be 'signal' :-)

Ooops :-)

> Yup, I put this in pty.c after line 261.
>
> I have tested this with Solaris 7 and Solaris 8 (on sparc systems) and it
> works fine :-) :-) I also used the new snapshot (openssh-SNAP-20000823) for
> the tests, so hopefully it could be included for the next release.

Great!

I think this is what makes Open Software so great - someone will observe
something, and suddenly an "ever-lasting problem" is easily solved by
somebody else :-)

> Many thanks to both Garrick James and Gert Doering for what seems to be a
> fix for this annoying problem!

My pleasure.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de
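What the pty.c one-liner in the thread above does, plus the wider check a practitioner would want, as an added example and not OpenSSH code: an ignored disposition (SIG_IGN) and a blocked signal mask both survive fork() and exec(), so an sshd started from an init script in which SIGINT is ignored hands that state to every login shell it spawns, and ^C on the pty then does nothing. The function below resets the session signals to SIG_DFL and clears the mask before the child is given its pty; `signal_is_default()` reads a disposition back so the effect can be verified. The list of signals is my choice, not the project's.

```c
/* Added example: reset signal state inherited across fork()/exec() before a
 * user session is started.  Not OpenSSH code. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Signals a login session must receive with their default action.  An init
 * script or a non-interactive shell commonly leaves SIGINT/SIGQUIT ignored,
 * and SIG_IGN is the one disposition that exec() preserves (handlers are
 * reset to SIG_DFL, ignores are not). */
static const int session_signals[] = {
    SIGINT, SIGQUIT, SIGTSTP, SIGTTIN, SIGTTOU, SIGHUP, SIGTERM, SIGPIPE
};

/* 1 if signo currently has the default action, 0 if ignored or handled,
 * -1 if sigaction() rejects the signal number. */
int signal_is_default(int signo)
{
    struct sigaction sa;

    if (sigaction(signo, NULL, &sa) != 0)
        return -1;
    return sa.sa_handler == SIG_DFL;
}

/* Put every session signal back to SIG_DFL and unblock all signals.
 * Returns how many dispositions actually changed, or -1 on error. */
int reset_session_signals(void)
{
    struct sigaction sa, old;
    sigset_t none;
    size_t i;
    int changed = 0;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = SIG_DFL;
    sigemptyset(&sa.sa_mask);

    for (i = 0; i < sizeof(session_signals) / sizeof(session_signals[0]); i++) {
        if (sigaction(session_signals[i], &sa, &old) != 0)
            return -1;
        if (old.sa_handler != SIG_DFL)
            changed++;
    }
    /* The blocked mask is inherited too: a blocked SIGINT also eats ^C. */
    sigemptyset(&none);
    if (sigprocmask(SIG_SETMASK, &none, NULL) != 0)
        return -1;
    return changed;
}

int main(void)
{
    /* Simulate the init-script case: the parent left SIGINT ignored. */
    signal(SIGINT, SIG_IGN);
    printf("before: SIGINT default=%d\n", signal_is_default(SIGINT));
    printf("reset %d disposition(s)\n", reset_session_signals());
    printf("after:  SIGINT default=%d\n", signal_is_default(SIGINT));
    return 0;
}
```

Resetting only SIGINT, as the thread's patch does, fixes the visible symptom; resetting the whole job-control set and the mask in one place means the session does not depend on how the daemon happened to be started.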
From: jaaskela at tietomyrsky.fi (Vesa Jääskeläinen)
Date: Fri, 25 Aug 2000 15:10:50 +0300 (EEST)
Subject: problem with AllowUsers and AllowGroups

I do not know if you have already fixed the problem when both AllowUsers
and AllowGroups have been defined.

Source package was: openssh-2.1.1-p1 (rpm version)

Problem is described in this example:

AllowGroups admins ssh
AllowUsers testuser

testuser's primary group is users

User cannot login because his primary group wasn't admins or ssh...

I have included a patch for this in this message. Hope this was the way you
thought it was supposed to work.

There is also a problem with the following case but I am looking for a fix
for it.

AllowGroups admins ssh

User testuser tries to login (his primary group is users) and he is a
member of group ssh. Since the code only tests against the primary group the
user can't login.

-------------- next part --------------
diff openssh-2.1.1p4/auth.c openssh-fixed/auth.c 55a56 > int allow_users_ok = 0; 111a113,114 > { > allow_users_ok = 1; 112a116 > } 135c139 < if (options.num_allow_groups > 0) { --- > if ((options.num_allow_groups > 0) && (!allow_users_ok)) {

From: jan.iven at cern.ch (Jan IVEN)
Date: 25 Aug 2000 15:02:42 +0200
Subject: [patch] configurable ssh_prng_cmds

The following patch against openssh-SNAP-20000823 allows overriding the
compile-time "ssh_prng_cmds" file at run time by adding new options to the
server and client configurations. (We move binaries around a bit, and this
was the only absolute path that couldn't be fixed at run-time).

Regards
Jan

diff -ur openssh-SNAP-20000823.orig/entropy.c openssh-SNAP-20000823.new/entropy.c --- openssh-SNAP-20000823.orig/entropy.c Sat Jul 15 06:59:15 2000 +++ openssh-SNAP-20000823.new/entropy.c Fri Aug 25 14:44:52 2000 @@ -67,6 +67,8 @@ # define RUSAGE_CHILDREN 0 #endif +char *ssh_prng_command_file = NULL; + #if defined(EGD_SOCKET) || defined(RANDOM_POOL) #ifdef EGD_SOCKET 
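Review bot: in the auth.c diff of the AllowUsers/AllowGroups message (55a56 through 135c139), having a successful AllowUsers match set `allow_users_ok` and then skip the AllowGroups test with `&& (!allow_users_ok)` changes the meaning of the two options from "both lists must admit the user" to "either list is enough"; if that is the semantics wanted, sshd.8 needs the matching wording, and the flag should be a local in the function that does the matching rather than a file-scope `int allow_users_ok` that nothing ever clears. The primary-group-only problem described in the message is a separate issue and is not touched by this diff.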
@@ -810,7 +812,7 @@ original_uid = getuid(); /* Read in collection commands */ - if (!prng_read_commands(SSH_PRNG_COMMAND_FILE)) + if (!prng_read_commands(ssh_prng_command_file)) fatal("PRNG initialisation failed -- exiting."); /* Set ourselves up to save a seed upon exit */ diff -ur openssh-SNAP-20000823.orig/entropy.h openssh-SNAP-20000823.new/entropy.h --- openssh-SNAP-20000823.orig/entropy.h Sun Jul 9 14:42:33 2000 +++ openssh-SNAP-20000823.new/entropy.h Fri Aug 25 14:43:55 2000 @@ -33,4 +33,7 @@ void seed_rng(void); void init_rng(void); +/* SSH_PRNG_COMMAND_FILE from server/client options */ +extern char* ssh_prng_command_file; + #endif /* _RANDOMS_H */ diff -ur openssh-SNAP-20000823.orig/readconf.c openssh-SNAP-20000823.new/readconf.c --- openssh-SNAP-20000823.orig/readconf.c Fri Aug 18 05:59:06 2000 +++ openssh-SNAP-20000823.new/readconf.c Fri Aug 25 14:43:55 2000 @@ -20,6 +20,7 @@ #include "cipher.h" #include "readconf.h" #include "match.h" +#include "entropy.h" #include "xmalloc.h" #include "compat.h" @@ -105,7 +106,8 @@ oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oTISAuthentication, oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oIdentityFile2, - oGlobalKnownHostsFile2, oUserKnownHostsFile2, oDSAAuthentication + oGlobalKnownHostsFile2, oUserKnownHostsFile2, oDSAAuthentication, + oPrngCommandFile } OpCodes; /* Textual representations of the tokens. */ @@ -161,6 +163,7 @@ { "numberofpasswordprompts", oNumberOfPasswordPrompts }, { "tisauthentication", oTISAuthentication }, { "loglevel", oLogLevel }, + { "prngcommandfile", oPrngCommandFile }, { NULL, 0 } }; @@ -583,6 +586,10 @@ *intptr = value; break; + case oPrngCommandFile: + charptr = &ssh_prng_command_file; /* globally def in ssh.h */ + goto parse_string; + default: fatal("process_config_line: Unimplemented opcode %d", opcode); } 
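Review bot: in the entropy.c @@ -810 hunk, `prng_read_commands(ssh_prng_command_file)` now receives a global that the previous hunk initialises to NULL and that only fill_default_options() / fill_default_server_options() ever set; any caller that seeds the PRNG before the options have been filled in passes NULL. Give the global its compile-time value where it is defined (`char *ssh_prng_command_file = SSH_PRNG_COMMAND_FILE;`) and let the config parsers replace it, which also makes the two `if (ssh_prng_command_file == NULL)` default blocks unnecessary.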
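Review bot: in the readconf.c @@ -583 hunk, `case oPrngCommandFile` makes the command file settable from ~/.ssh/config, i.e. by the unprivileged user, and the commands listed in that file are executed by the client; if ssh is installed set-uid root this lets the user choose what a privileged binary runs, so either accept the option only from the system-wide config or confirm that the commands run with the real uid (the surrounding entropy.c code records `original_uid = getuid()` for that purpose) before merging. Also, the comment `/* globally def in ssh.h */` is wrong: the variable is defined in entropy.c and declared in entropy.h by this same patch (the servconf.c hunk repeats the comment).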
@@ -788,6 +795,8 @@ options->user_hostfile2 = SSH_USER_HOSTFILE2; if (options->log_level == (LogLevel) - 1) options->log_level = SYSLOG_LEVEL_INFO; + if (ssh_prng_command_file == NULL) + ssh_prng_command_file = xstrdup(SSH_PRNG_COMMAND_FILE); /* options->proxy_command should not be set by default */ /* options->user will be set in the main program if appropriate */ /* options->hostname will be set in the main program if appropriate */ diff -ur openssh-SNAP-20000823.orig/servconf.c openssh-SNAP-20000823.new/servconf.c --- openssh-SNAP-20000823.orig/servconf.c Fri Aug 18 05:59:06 2000 +++ openssh-SNAP-20000823.new/servconf.c Fri Aug 25 14:46:12 2000 @@ -15,6 +15,7 @@ RCSID("$OpenBSD: servconf.c,v 1.50 2000/07/22 09:14:36 markus Exp $"); #include "ssh.h" +#include "entropy.h" #include "servconf.h" #include "xmalloc.h" #include "compat.h" @@ -162,6 +163,8 @@ options->protocol = SSH_PROTO_1|SSH_PROTO_2; if (options->gateway_ports == -1) options->gateway_ports = 0; + if (ssh_prng_command_file == NULL) + ssh_prng_command_file = xstrdup(SSH_PRNG_COMMAND_FILE); if (options->max_startups == -1) options->max_startups = 10; if (options->max_startups_rate == -1) @@ -187,7 +190,7 @@ #endif sPasswordAuthentication, sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, - sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, + sStrictModes, sEmptyPasswd, sRandomSeedFile, sPrngCommandFile, sKeepAlives, sCheckMail, sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile, sGatewayPorts, sDSAAuthentication, sXAuthLocation, sSubsystem, sMaxStartups @@ -237,6 +240,7 @@ { "permitemptypasswords", sEmptyPasswd }, { "uselogin", sUseLogin }, { "randomseed", sRandomSeedFile }, + { "prngcommandfile", sPrngCommandFile }, { "keepalive", sKeepAlives }, { "allowusers", sAllowUsers }, { "denyusers", sDenyUsers }, 
@@ -406,6 +410,10 @@ arg = strdelim(&cp); break; + case sPrngCommandFile: + charptr = &ssh_prng_command_file; /* globally def in ssh.h */ + goto parse_filename; + case sPermitRootLogin: intptr = &options->permit_root_login; arg = strdelim(&cp); diff -ur openssh-SNAP-20000823.orig/ssh.1 openssh-SNAP-20000823.new/ssh.1 --- openssh-SNAP-20000823.orig/ssh.1 Fri Aug 18 05:59:06 2000 +++ openssh-SNAP-20000823.new/ssh.1 Fri Aug 25 14:43:55 2000 @@ -826,6 +826,12 @@ .Cm CheckHostIP is not available for connects with a proxy command. .Pp +.It Cm PrngCmdFile +Specifies a file containing system commands and the estimated amount of +entropy that can be gathered from their output. Only used when there is no +other source of entropy available. +The default is +.Pa /etc/ssh_prng_cmds . .It Cm RemoteForward Specifies that a TCP/IP port on the remote machine be forwarded over the secure channel to given host:port from the local machine. @@ -1013,6 +1019,9 @@ Records host keys for all hosts the user has logged into (that are not in .Pa /etc/ssh_known_hosts ) . +See +.Xr sshd 8 . +.Pa /etc/ssh_prng_cmds ) . See .Xr sshd 8 . .It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa diff -ur openssh-SNAP-20000823.orig/sshd.8 openssh-SNAP-20000823.new/sshd.8 --- openssh-SNAP-20000823.orig/sshd.8 Fri Aug 18 05:59:06 2000 +++ openssh-SNAP-20000823.new/sshd.8 Fri Aug 25 14:43:55 2000 @@ -542,6 +542,12 @@ Multiple versions must be comma-separated. The default is .Dq 1 . +.It Cm PrngCmdFile +Specifies a file containing system commands and the estimated amount of +entropy that can be gathered from their output. Only used when there is no +other source of entropy available. +The default is +.Pa /etc/ssh_prng_cmds . .It Cm RandomSeed Obsolete. Random number generation uses other techniques. 
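Review bot: the ssh.1 @@ -826 hunk documents the option as `PrngCmdFile`, but the keyword the parser accepts (readconf.c keywords table) is `prngcommandfile`, so `PrngCmdFile` in a config file is rejected as an unknown option; the sshd.8 @@ -542 hunk has the same mismatch against servconf.c's `prngcommandfile`. Pick one spelling (PrngCommandFile matches the code) and use it in both manpages.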
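Review bot: the ssh.1 @@ -1013 hunk is mis-applied: it inserts `See .Xr sshd 8 .` and a bare `.Pa /etc/ssh_prng_cmds ) .` inside the $HOME/.ssh/known_hosts entry, leaving a stray closing parenthesis and no `.It Pa /etc/ssh_prng_cmds` item header, after which the original `See .Xr sshd 8 .` follows again. It should be a separate `.It Pa /etc/ssh_prng_cmds` entry in the FILES list, as the sshd.8 FILES hunk does.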
@@ -844,6 +850,18 @@ the user so its contents can be copied to known hosts files. These two files are created using .Xr ssh-keygen 1 . +.It Pa /etc/ssh_prng_cmds +Contains a list of system commands and the conservatively estimated amount of +usable entropy (bits per byte of output) that may be gathered from their +hashed output. Each line contains 3 whitespace-separated and possibly quoted +arguments, program-name+args, path and entropy. Non-existent or faulty +commands will only be tried once. This file should be world-readable but +writable only by root. +.Ss Example + "ls -alni /var/log" /usr/bin/ls 0.02 + "ls -alni /var/adm" /usr/bin/ls 0.02 + "ps -efl" /usr/bin/ps 0.03 + .It Pa /var/run/sshd.pid Contains the process ID of the .Nm

From: mouring at pconline.com (Ben Lindstrom)
Date: Fri, 25 Aug 2000 09:49:59 -0500 (CDT)
Subject: wait() function survey

In serverloop.c we have two wait() lines.

POSIX defines wait() as "pid_t wait(int *status)". However older BSD
systems could have "int wait(union wait *statusp)" as its definition.

I'm interested to see how many platforms OpenSSH is ported to require the
latter define.

I know NeXT does.

Part two of the survey has to be what would be the best way to "detect"
the older BSD define and account for it (since I know I hate to be throwing
#ifdef all over the place)

Thanks.

Ben Lindstrom
From: djm at mindrot.org (Damien Miller)
Date: Sat, 26 Aug 2000 09:20:56 +1000 (EST)
Subject: wait() function survey

On Fri, 25 Aug 2000, Ben Lindstrom wrote:

> In serverloop.c we have two wait() lines.
>
> POSIX defines wait() as "pid_t wait(int *status)". However older BSD
> systems could have "int wait(union wait *statusp)" as its definition.
>
> I'm interested to see how many platforms OpenSSH is ported to require the
> latter define.
>
> I know NeXT does.

What is the definition of the union? Is it a fatal error or just a warning
if the (int*) version is used?

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
From: rmcc at novis.pt (Ricardo Cerqueira)
Date: Sat, 26 Aug 2000 01:53:53 +0100
Subject: New chroot patch, for 2.1.1p4
Message-ID: <20000826015353.A30289@isp.novis.pt>

Hi there, everybody;

As promised, here's the new version for my chroot patch. It applies cleanly
over OpenSSH 2.1.1p4, and I'm attaching 2 versions:

- openssh-2.1.1p4-chroot.patch-wc, is the chroot patch plus a "--with-chroot"
  patch for the "configure" script.
- openssh-2.1.1p4-chroot.patch, is the same without the "--with-chroot" part.

Have fun, and please warn me if something's wrong.

Be aware this is not plug-and-pray. Just like common FTP daemons, the new
root needs to contain at least a copy of a minimal working filesystem.
(libs, bins, etc, confs)

RC

--
+-------------------
| Ricardo Cerqueira
| PGP Key fingerprint - B7 05 13 CE 48 0A BF 1E 87 21 83 DB 28 DE 03 42
| Novis - Engenharia ISP / Rede Técnica
| Pç. Duque Saldanha, 1, 7º E / 1050-094 Lisboa / Portugal
| Tel: +351 21 0100000 - Fax: +351 21 0100001

-------------- next part --------------
diff -u --new-file openssh-2.1.1p4/acconfig.h openssh-2.1.1p4-chroot/acconfig.h --- openssh-2.1.1p4/acconfig.h Sat Jul 15 05:59:14 2000 +++ openssh-2.1.1p4-chroot/acconfig.h Sat Aug 26 01:38:01 2000 @@ -158,6 +158,9 @@ /* Define if you want to allow MD5 passwords */ #undef HAVE_MD5_PASSWORDS +/* Define if you want to use chrooting when a magic token is found */ +#undef CHROOT + /* Define if you want to disable shadow passwords */ #undef DISABLE_SHADOW diff -u --new-file openssh-2.1.1p4/config.h.in openssh-2.1.1p4-chroot/config.h.in --- openssh-2.1.1p4/config.h.in Sun Jul 16 04:26:46 2000 +++ openssh-2.1.1p4-chroot/config.h.in Sat Aug 26 01:36:49 2000 
@@ -148,6 +148,9 @@ /* Define if you want to allow MD5 passwords */ #undef HAVE_MD5_PASSWORDS +/* Define if you want to use chrooting when a magic token is found */ +#undef CHROOT + /* Define if you want to disable shadow passwords */ #undef DISABLE_SHADOW diff -u --new-file openssh-2.1.1p4/configure openssh-2.1.1p4-chroot/configure --- openssh-2.1.1p4/configure Sat Aug 26 01:31:35 2000 +++ openssh-2.1.1p4-chroot/configure Sat Aug 26 01:38:43 2000 @@ -42,6 +42,8 @@ ac_help="$ac_help --with-md5-passwords Enable use of MD5 passwords" ac_help="$ac_help + --with-chroot Enable user chrooting through magic token" +ac_help="$ac_help --without-shadow Disable shadow password support" ac_help="$ac_help --with-ipaddr-display Use ip address instead of hostname in \$DISPLAY" @@ -588,7 +590,7 @@ # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:592: checking for $ac_word" >&5 +echo "configure:594: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -618,7 +620,7 @@ # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:622: checking for $ac_word" >&5 +echo "configure:624: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -669,7 +671,7 @@ # Extract the first word of "cl", so it can be a program name with args. set dummy cl; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:673: checking for $ac_word" >&5 +echo "configure:675: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -701,7 +703,7 @@ fi echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6 -echo "configure:705: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5 +echo "configure:707: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5 ac_ext=c # CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. @@ -712,12 +714,12 @@ cat > conftest.$ac_ext << EOF -#line 716 "configure" +#line 718 "configure" #include "confdefs.h" main(){return(0);} EOF -if { (eval echo configure:721: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:723: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then ac_cv_prog_cc_works=yes # If we can't run a trivial program, we are probably using a cross compiler. if (./conftest; exit) 2>/dev/null; then @@ -743,12 +745,12 @@ { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; } fi echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6 -echo "configure:747: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5 +echo "configure:749: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5 echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6 cross_compiling=$ac_cv_prog_cc_cross echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6 -echo "configure:752: checking whether we are using GNU C" >&5 +echo "configure:754: checking whether we are using GNU C" >&5 if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -757,7 +759,7 @@ yes; #endif EOF -if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:761: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then +if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:763: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then ac_cv_prog_gcc=yes else ac_cv_prog_gcc=no @@ -776,7 +778,7 @@ ac_save_CFLAGS="$CFLAGS" CFLAGS= echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6 -echo "configure:780: checking whether ${CC-cc} accepts -g" >&5 +echo "configure:782: checking whether ${CC-cc} accepts -g" >&5 if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -833,7 +835,7 @@ fi echo $ac_n "checking host system type""... $ac_c" 1>&6 -echo "configure:837: checking host system type" >&5 +echo "configure:839: checking host system type" >&5 host_alias=$host case "$host_alias" in @@ -856,7 +858,7 @@ # Checks for programs. echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6 -echo "configure:860: checking how to run the C preprocessor" >&5 +echo "configure:862: checking how to run the C preprocessor" >&5 # On Suns, sometimes $CPP names a directory. if test -n "$CPP" && test -d "$CPP"; then CPP= @@ -871,13 +873,13 @@ # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:881: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:883: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : 
@@ -888,13 +890,13 @@ rm -rf conftest* CPP="${CC-cc} -E -traditional-cpp" cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:898: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:900: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : @@ -905,13 +907,13 @@ rm -rf conftest* CPP="${CC-cc} -nologo -E" cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:915: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:917: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : @@ -938,7 +940,7 @@ # Extract the first word of "ranlib", so it can be a program name with args. set dummy ranlib; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:942: checking for $ac_word" >&5 +echo "configure:944: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_RANLIB'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -977,7 +979,7 @@ # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" # ./install, which can be erroneously created by make from ./install.sh. echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6 -echo "configure:981: checking for a BSD compatible install" >&5 +echo "configure:983: checking for a BSD compatible install" >&5 if test -z "$INSTALL"; then if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 
@@ -1032,7 +1034,7 @@ # Extract the first word of "ar", so it can be a program name with args. set dummy ar; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1036: checking for $ac_word" >&5 +echo "configure:1038: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_AR'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -1061,7 +1063,7 @@ # Extract the first word of "perl", so it can be a program name with args. set dummy perl; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1065: checking for $ac_word" >&5 +echo "configure:1067: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PERL'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -1097,7 +1099,7 @@ # Extract the first word of "ent", so it can be a program name with args. set dummy ent; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1101: checking for $ac_word" >&5 +echo "configure:1103: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_ENT'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -1138,21 +1140,21 @@ # C Compiler features echo $ac_n "checking for inline""... $ac_c" 1>&6 -echo "configure:1142: checking for inline" >&5 +echo "configure:1144: checking for inline" >&5 if eval "test \"`echo '$''{'ac_cv_c_inline'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else ac_cv_c_inline=no for ac_kw in inline __inline__ __inline; do cat > conftest.$ac_ext <&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:1158: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_c_inline=$ac_kw; break else 
@@ -1191,12 +1193,12 @@ blibpath="/usr/lib:/lib:/usr/local/lib" fi echo $ac_n "checking for authenticate""... $ac_c" 1>&6 -echo "configure:1195: checking for authenticate" >&5 +echo "configure:1197: checking for authenticate" >&5 if eval "test \"`echo '$''{'ac_cv_func_authenticate'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1225: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_authenticate=yes" else @@ -1264,7 +1266,7 @@ EOF echo $ac_n "checking for HPUX trusted system password database""... $ac_c" 1>&6 -echo "configure:1268: checking for HPUX trusted system password database" >&5 +echo "configure:1270: checking for HPUX trusted system password database" >&5 if test -f /tcb/files/auth/system/default; then echo "$ac_t""yes" 1>&6 cat >> confdefs.h <<\EOF @@ -1293,7 +1295,7 @@ EOF echo $ac_n "checking for HPUX trusted system password database""... $ac_c" 1>&6 -echo "configure:1297: checking for HPUX trusted system password database" >&5 +echo "configure:1299: checking for HPUX trusted system password database" >&5 if test -f /tcb/files/auth/system/default; then echo "$ac_t""yes" 1>&6 cat >> confdefs.h <<\EOF @@ -1374,7 +1376,7 @@ # hardwire lastlog location (can't detect it on some versions) conf_lastlog_location="/var/adm/lastlog" echo $ac_n "checking for obsolete utmp and wtmp in solaris2.x""... $ac_c" 1>&6 -echo "configure:1378: checking for obsolete utmp and wtmp in solaris2.x" >&5 +echo "configure:1380: checking for obsolete utmp and wtmp in solaris2.x" >&5 sol2ver=`echo "$host"| sed -e 's/.*[0-9]\.//'` if test "$sol2ver" -ge 8; then echo "$ac_t""yes" 1>&6 
@@ -1395,12 +1397,12 @@ for ac_func in getpwanam do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:1399: checking for $ac_func" >&5 +echo "configure:1401: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1429: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -1478,7 +1480,7 @@ # This is untested if test ! -z "USE_SIA" ; then echo $ac_n "checking for Digital Unix Security Integration Architecture""... $ac_c" 1>&6 -echo "configure:1482: checking for Digital Unix Security Integration Architecture" >&5 +echo "configure:1484: checking for Digital Unix Security Integration Architecture" >&5 if test -f /etc/sia/matrix.conf; then echo "$ac_t""yes" 1>&6 cat >> confdefs.h <<\EOF @@ -1535,7 +1537,7 @@ # Checks for libraries. echo $ac_n "checking for deflate in -lz""... $ac_c" 1>&6 -echo "configure:1539: checking for deflate in -lz" >&5 +echo "configure:1541: checking for deflate in -lz" >&5 ac_lib_var=`echo z'_'deflate | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -1543,7 +1545,7 @@ ac_save_LIBS="$LIBS" LIBS="-lz $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1560: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -1583,7 +1585,7 @@ fi echo $ac_n "checking for login in -lutil""... $ac_c" 1>&6 -echo "configure:1587: checking for login in -lutil" >&5 +echo "configure:1589: checking for login in -lutil" >&5 ac_lib_var=`echo util'_'login | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -1591,7 +1593,7 @@ ac_save_LIBS="$LIBS" LIBS="-lutil $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1608: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -1628,7 +1630,7 @@ if test -z "$no_libsocket" ; then echo $ac_n "checking for yp_match in -lnsl""... $ac_c" 1>&6 -echo "configure:1632: checking for yp_match in -lnsl" >&5 +echo "configure:1634: checking for yp_match in -lnsl" >&5 ac_lib_var=`echo nsl'_'yp_match | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -1636,7 +1638,7 @@ ac_save_LIBS="$LIBS" LIBS="-lnsl $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1653: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -1677,7 +1679,7 @@ fi if test -z "$no_libnsl" ; then echo $ac_n "checking for main in -lsocket""... $ac_c" 1>&6 -echo "configure:1681: checking for main in -lsocket" >&5 +echo "configure:1683: checking for main in -lsocket" >&5 ac_lib_var=`echo socket'_'main | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 
@@ -1685,14 +1687,14 @@ ac_save_LIBS="$LIBS" LIBS="-lsocket $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1698: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -1726,17 +1728,17 @@ do ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 -echo "configure:1730: checking for $ac_hdr" >&5 +echo "configure:1732: checking for $ac_hdr" >&5 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:1740: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:1742: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then rm -rf conftest* @@ -1767,12 +1769,12 @@ for ac_func in arc4random atexit b64_ntop bcopy bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage inet_aton innetgr md5_crypt memmove mkdtemp on_exit openpty rresvport_af setenv seteuid setlogin setproctitle setreuid sigaction sigvec snprintf strerror strlcat strlcpy strsep vsnprintf vhangup _getpty __b64_ntop do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:1771: checking for $ac_func" >&5 +echo "configure:1773: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1801: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else 
@@ -1822,12 +1824,12 @@ for ac_func in gettimeofday time do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:1826: checking for $ac_func" >&5 +echo "configure:1828: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1856: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -1877,12 +1879,12 @@ for ac_func in login logout updwtmp logwtmp do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:1881: checking for $ac_func" >&5 +echo "configure:1883: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1911: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -1932,12 +1934,12 @@ for ac_func in entutent getutent getutid getutline pututline setutent do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:1936: checking for $ac_func" >&5 +echo "configure:1938: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1966: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else 
@@ -1987,12 +1989,12 @@ for ac_func in utmpname do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:1991: checking for $ac_func" >&5 +echo "configure:1993: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2021: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -2042,12 +2044,12 @@ for ac_func in entutxent getutxent getutxid getutxline pututxline do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:2046: checking for $ac_func" >&5 +echo "configure:2048: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2076: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -2097,12 +2099,12 @@ for ac_func in setutxent utmpxname do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:2101: checking for $ac_func" >&5 +echo "configure:2103: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2131: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else 
@@ -2151,12 +2153,12 @@ echo $ac_n "checking for getuserattr""... $ac_c" 1>&6 -echo "configure:2155: checking for getuserattr" >&5 +echo "configure:2157: checking for getuserattr" >&5 if eval "test \"`echo '$''{'ac_cv_func_getuserattr'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2185: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_getuserattr=yes" else @@ -2200,7 +2202,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for getuserattr in -ls""... $ac_c" 1>&6 -echo "configure:2204: checking for getuserattr in -ls" >&5 +echo "configure:2206: checking for getuserattr in -ls" >&5 ac_lib_var=`echo s'_'getuserattr | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2208,7 +2210,7 @@ ac_save_LIBS="$LIBS" LIBS="-ls $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2225: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2247,12 +2249,12 @@ echo $ac_n "checking for login""... $ac_c" 1>&6 -echo "configure:2251: checking for login" >&5 +echo "configure:2253: checking for login" >&5 if eval "test \"`echo '$''{'ac_cv_func_login'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2281: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_login=yes" else 
@@ -2296,7 +2298,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for login in -lbsd""... $ac_c" 1>&6 -echo "configure:2300: checking for login in -lbsd" >&5 +echo "configure:2302: checking for login in -lbsd" >&5 ac_lib_var=`echo bsd'_'login | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2304,7 +2306,7 @@ ac_save_LIBS="$LIBS" LIBS="-lbsd $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2321: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2343,12 +2345,12 @@ echo $ac_n "checking for daemon""... $ac_c" 1>&6 -echo "configure:2347: checking for daemon" >&5 +echo "configure:2349: checking for daemon" >&5 if eval "test \"`echo '$''{'ac_cv_func_daemon'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2377: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_daemon=yes" else @@ -2392,7 +2394,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for daemon in -lbsd""... $ac_c" 1>&6 -echo "configure:2396: checking for daemon in -lbsd" >&5 +echo "configure:2398: checking for daemon in -lbsd" >&5 ac_lib_var=`echo bsd'_'daemon | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2400,7 +2402,7 @@ ac_save_LIBS="$LIBS" LIBS="-lbsd $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2417: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -2439,12 +2441,12 @@ echo $ac_n "checking for getpagesize""... $ac_c" 1>&6 -echo "configure:2443: checking for getpagesize" >&5 +echo "configure:2445: checking for getpagesize" >&5 if eval "test \"`echo '$''{'ac_cv_func_getpagesize'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2473: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_getpagesize=yes" else @@ -2488,7 +2490,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for getpagesize in -lucb""... $ac_c" 1>&6 -echo "configure:2492: checking for getpagesize in -lucb" >&5 +echo "configure:2494: checking for getpagesize in -lucb" >&5 ac_lib_var=`echo ucb'_'getpagesize | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2496,7 +2498,7 @@ ac_save_LIBS="$LIBS" LIBS="-lucb $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2513: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -2537,19 +2539,19 @@ # Check for broken snprintf if test "x$ac_cv_func_snprintf" = "xyes" ; then echo $ac_n "checking whether snprintf correctly terminates long strings""... $ac_c" 1>&6 -echo "configure:2541: checking whether snprintf correctly terminates long strings" >&5 +echo "configure:2543: checking whether snprintf correctly terminates long strings" >&5 if test "$cross_compiling" = yes; then { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext < int main(void){char b[5];snprintf(b,5,"123456789");return(b[4]!='\0');} EOF -if { (eval echo configure:2553: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:2555: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then echo "$ac_t""yes" 1>&6 else @@ -2590,7 +2592,7 @@ if (test -z "$no_pam" && test "x$ac_cv_header_security_pam_appl_h" = "xyes") ; then echo $ac_n "checking for dlopen in -ldl""... $ac_c" 1>&6 -echo "configure:2594: checking for dlopen in -ldl" >&5 +echo "configure:2596: checking for dlopen in -ldl" >&5 ac_lib_var=`echo dl'_'dlopen | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2598,7 +2600,7 @@ ac_save_LIBS="$LIBS" LIBS="-ldl $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2615: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -2641,12 +2643,12 @@ for ac_func in pam_getenvlist do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:2645: checking for $ac_func" >&5 +echo "configure:2647: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2675: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -2700,9 +2702,9 @@ # Check PAM strerror arguments (old PAM) echo $ac_n "checking whether pam_strerror takes only one argument""... $ac_c" 1>&6 -echo "configure:2704: checking whether pam_strerror takes only one argument" >&5 +echo "configure:2706: checking whether pam_strerror takes only one argument" >&5 cat > conftest.$ac_ext < @@ -2712,7 +2714,7 @@ (void)pam_strerror((pam_handle_t *)NULL, -1); ; return 0; } EOF -if { (eval echo configure:2716: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:2718: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""no" 1>&6 else @@ -2752,7 +2754,7 @@ tryssldir="$tryssldir $prefix" fi echo $ac_n "checking for OpenSSL directory""... $ac_c" 1>&6 -echo "configure:2756: checking for OpenSSL directory" >&5 +echo "configure:2758: checking for OpenSSL directory" >&5 if eval "test \"`echo '$''{'ac_cv_openssldir'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -2777,7 +2779,7 @@ { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext < 
@@ -2791,7 +2793,7 @@ } EOF -if { (eval echo configure:2795: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:2797: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then found_crypto=1 @@ -2846,7 +2848,7 @@ # Now test RSA support saved_LIBS="$LIBS" echo $ac_n "checking for RSA support""... $ac_c" 1>&6 -echo "configure:2850: checking for RSA support" >&5 +echo "configure:2852: checking for RSA support" >&5 for WANTS_RSAREF in "" 1 ; do if test -z "$WANTS_RSAREF" ; then LIBS="$saved_LIBS" @@ -2857,7 +2859,7 @@ { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext < @@ -2876,7 +2878,7 @@ } EOF -if { (eval echo configure:2880: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:2882: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then rsa_works=1 @@ -2912,7 +2914,7 @@ # Checks for data types echo $ac_n "checking size of char""... $ac_c" 1>&6 -echo "configure:2916: checking size of char" >&5 +echo "configure:2918: checking size of char" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_char'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -2920,7 +2922,7 @@ ac_cv_sizeof_char=1 else cat > conftest.$ac_ext < main() @@ -2931,7 +2933,7 @@ exit(0); } EOF -if { (eval echo configure:2935: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:2937: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_char=`cat conftestval` else 
@@ -2951,7 +2953,7 @@ echo $ac_n "checking size of short int""... $ac_c" 1>&6 -echo "configure:2955: checking size of short int" >&5 +echo "configure:2957: checking size of short int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_short_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -2959,7 +2961,7 @@ ac_cv_sizeof_short_int=2 else cat > conftest.$ac_ext < main() @@ -2970,7 +2972,7 @@ exit(0); } EOF -if { (eval echo configure:2974: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:2976: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_short_int=`cat conftestval` else @@ -2990,7 +2992,7 @@ echo $ac_n "checking size of int""... $ac_c" 1>&6 -echo "configure:2994: checking size of int" >&5 +echo "configure:2996: checking size of int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -2998,7 +3000,7 @@ ac_cv_sizeof_int=4 else cat > conftest.$ac_ext < main() @@ -3009,7 +3011,7 @@ exit(0); } EOF -if { (eval echo configure:3013: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:3015: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_int=`cat conftestval` else @@ -3029,7 +3031,7 @@ echo $ac_n "checking size of long int""... $ac_c" 1>&6 -echo "configure:3033: checking size of long int" >&5 +echo "configure:3035: checking size of long int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_long_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -3037,7 +3039,7 @@ ac_cv_sizeof_long_int=4 else cat > conftest.$ac_ext < main() 
@@ -3048,7 +3050,7 @@ exit(0); } EOF -if { (eval echo configure:3052: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:3054: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_long_int=`cat conftestval` else @@ -3068,7 +3070,7 @@ echo $ac_n "checking size of long long int""... $ac_c" 1>&6 -echo "configure:3072: checking size of long long int" >&5 +echo "configure:3074: checking size of long long int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_long_long_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -3076,7 +3078,7 @@ ac_cv_sizeof_long_long_int=8 else cat > conftest.$ac_ext < main() @@ -3087,7 +3089,7 @@ exit(0); } EOF -if { (eval echo configure:3091: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:3093: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_long_long_int=`cat conftestval` else @@ -3109,20 +3111,20 @@ # More checks for data types echo $ac_n "checking for intXX_t types""... $ac_c" 1>&6 -echo "configure:3113: checking for intXX_t types" >&5 +echo "configure:3115: checking for intXX_t types" >&5 if eval "test \"`echo '$''{'ac_cv_have_intxx_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { int8_t a; int16_t b; int32_t c; a = b = c = 1; ; return 0; } EOF -if { (eval echo configure:3126: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3128: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_intxx_t="yes" else 
@@ -3146,20 +3148,20 @@ fi echo $ac_n "checking for u_intXX_t types""... $ac_c" 1>&6 -echo "configure:3150: checking for u_intXX_t types" >&5 +echo "configure:3152: checking for u_intXX_t types" >&5 if eval "test \"`echo '$''{'ac_cv_have_u_intxx_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1; ; return 0; } EOF -if { (eval echo configure:3163: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3165: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_u_intxx_t="yes" else @@ -3187,9 +3189,9 @@ test "x$ac_cv_header_sys_bitypes_h" = "xyes") then echo $ac_n "checking for intXX_t and u_intXX_t types in sys/bitypes.h""... $ac_c" 1>&6 -echo "configure:3191: checking for intXX_t and u_intXX_t types in sys/bitypes.h" >&5 +echo "configure:3193: checking for intXX_t and u_intXX_t types in sys/bitypes.h" >&5 cat > conftest.$ac_ext < @@ -3202,7 +3204,7 @@ ; return 0; } EOF -if { (eval echo configure:3206: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3208: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* cat >> confdefs.h <<\EOF @@ -3227,13 +3229,13 @@ if test -z "$have_u_intxx_t" ; then echo $ac_n "checking for uintXX_t types""... $ac_c" 1>&6 -echo "configure:3231: checking for uintXX_t types" >&5 +echo "configure:3233: checking for uintXX_t types" >&5 if eval "test \"`echo '$''{'ac_cv_have_uintxx_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3242,7 +3244,7 @@ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1; ; return 0; } EOF -if { (eval echo configure:3246: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3248: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_uintxx_t="yes" else 
@@ -3266,13 +3268,13 @@ fi echo $ac_n "checking for socklen_t""... $ac_c" 1>&6 -echo "configure:3270: checking for socklen_t" >&5 +echo "configure:3272: checking for socklen_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_socklen_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3282,7 +3284,7 @@ socklen_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:3286: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3288: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_socklen_t="yes" else @@ -3305,13 +3307,13 @@ fi echo $ac_n "checking for size_t""... $ac_c" 1>&6 -echo "configure:3309: checking for size_t" >&5 +echo "configure:3311: checking for size_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_size_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3320,7 +3322,7 @@ size_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:3324: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3326: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_size_t="yes" else @@ -3343,13 +3345,13 @@ fi echo $ac_n "checking for ssize_t""... $ac_c" 1>&6 -echo "configure:3347: checking for ssize_t" >&5 +echo "configure:3349: checking for ssize_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_ssize_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3358,7 +3360,7 @@ ssize_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:3362: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3364: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_ssize_t="yes" else 
@@ -3381,13 +3383,13 @@ fi echo $ac_n "checking for sa_family_t""... $ac_c" 1>&6 -echo "configure:3385: checking for sa_family_t" >&5 +echo "configure:3387: checking for sa_family_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_sa_family_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3397,7 +3399,7 @@ sa_family_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:3401: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3403: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_sa_family_t="yes" else @@ -3420,13 +3422,13 @@ fi echo $ac_n "checking for pid_t""... $ac_c" 1>&6 -echo "configure:3424: checking for pid_t" >&5 +echo "configure:3426: checking for pid_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_pid_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3435,7 +3437,7 @@ pid_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:3439: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3441: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_pid_t="yes" else @@ -3458,13 +3460,13 @@ fi echo $ac_n "checking for mode_t""... $ac_c" 1>&6 -echo "configure:3462: checking for mode_t" >&5 +echo "configure:3464: checking for mode_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_mode_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3473,7 +3475,7 @@ mode_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:3477: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3479: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_mode_t="yes" else 
@@ -3497,13 +3499,13 @@ echo $ac_n "checking for struct sockaddr_storage""... $ac_c" 1>&6 -echo "configure:3501: checking for struct sockaddr_storage" >&5 +echo "configure:3503: checking for struct sockaddr_storage" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_sockaddr_storage'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3513,7 +3515,7 @@ struct sockaddr_storage s; ; return 0; } EOF -if { (eval echo configure:3517: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3519: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_sockaddr_storage="yes" else @@ -3536,13 +3538,13 @@ fi echo $ac_n "checking for struct sockaddr_in6""... $ac_c" 1>&6 -echo "configure:3540: checking for struct sockaddr_in6" >&5 +echo "configure:3542: checking for struct sockaddr_in6" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_sockaddr_in6'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3552,7 +3554,7 @@ struct sockaddr_in6 s; s.sin6_family = 0; ; return 0; } EOF -if { (eval echo configure:3556: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3558: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_sockaddr_in6="yes" else @@ -3575,13 +3577,13 @@ fi echo $ac_n "checking for struct in6_addr""... $ac_c" 1>&6 -echo "configure:3579: checking for struct in6_addr" >&5 +echo "configure:3581: checking for struct in6_addr" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_in6_addr'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < 
@@ -3591,7 +3593,7 @@ struct in6_addr s; s.s6_addr[0] = 0; ; return 0; } EOF -if { (eval echo configure:3595: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3597: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_in6_addr="yes" else @@ -3614,13 +3616,13 @@ fi echo $ac_n "checking for struct addrinfo""... $ac_c" 1>&6 -echo "configure:3618: checking for struct addrinfo" >&5 +echo "configure:3620: checking for struct addrinfo" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_addrinfo'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3631,7 +3633,7 @@ struct addrinfo s; s.ai_flags = AI_PASSIVE; ; return 0; } EOF -if { (eval echo configure:3635: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3637: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_addrinfo="yes" else @@ -3661,13 +3663,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_host echo $ac_n "checking for ut_host field in utmp.h""... $ac_c" 1>&6 -echo "configure:3665: checking for ut_host field in utmp.h" >&5 +echo "configure:3667: checking for ut_host field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -3701,13 +3703,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_host echo $ac_n "checking for ut_host field in utmpx.h""... $ac_c" 1>&6 -echo "configure:3705: checking for ut_host field in utmpx.h" >&5 +echo "configure:3707: checking for ut_host field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -3741,13 +3743,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"syslen echo $ac_n "checking for syslen field in utmpx.h""... $ac_c" 1>&6 -echo "configure:3745: checking for syslen field in utmpx.h" >&5 +echo "configure:3747: checking for syslen field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -3781,13 +3783,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_pid echo $ac_n "checking for ut_pid field in utmp.h""... $ac_c" 1>&6 -echo "configure:3785: checking for ut_pid field in utmp.h" >&5 +echo "configure:3787: checking for ut_pid field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -3821,13 +3823,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_type echo $ac_n "checking for ut_type field in utmp.h""... $ac_c" 1>&6 -echo "configure:3825: checking for ut_type field in utmp.h" >&5 +echo "configure:3827: checking for ut_type field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -3861,13 +3863,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_type echo $ac_n "checking for ut_type field in utmpx.h""... $ac_c" 1>&6 -echo "configure:3865: checking for ut_type field in utmpx.h" >&5 +echo "configure:3867: checking for ut_type field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -3901,13 +3903,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_tv echo $ac_n "checking for ut_tv field in utmp.h""... $ac_c" 1>&6 -echo "configure:3905: checking for ut_tv field in utmp.h" >&5 +echo "configure:3907: checking for ut_tv field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -3941,13 +3943,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_id echo $ac_n "checking for ut_id field in utmp.h""... $ac_c" 1>&6 -echo "configure:3945: checking for ut_id field in utmp.h" >&5 +echo "configure:3947: checking for ut_id field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -3981,13 +3983,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_id echo $ac_n "checking for ut_id field in utmpx.h""... $ac_c" 1>&6 -echo "configure:3985: checking for ut_id field in utmpx.h" >&5 +echo "configure:3987: checking for ut_id field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4021,13 +4023,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr echo $ac_n "checking for ut_addr field in utmp.h""... $ac_c" 1>&6 -echo "configure:4025: checking for ut_addr field in utmp.h" >&5 +echo "configure:4027: checking for ut_addr field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -4061,13 +4063,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr echo $ac_n "checking for ut_addr field in utmpx.h""... $ac_c" 1>&6 -echo "configure:4065: checking for ut_addr field in utmpx.h" >&5 +echo "configure:4067: checking for ut_addr field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4101,13 +4103,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr_v6 echo $ac_n "checking for ut_addr_v6 field in utmp.h""... $ac_c" 1>&6 -echo "configure:4105: checking for ut_addr_v6 field in utmp.h" >&5 +echo "configure:4107: checking for ut_addr_v6 field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4141,13 +4143,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr_v6 echo $ac_n "checking for ut_addr_v6 field in utmpx.h""... $ac_c" 1>&6 -echo "configure:4145: checking for ut_addr_v6 field in utmpx.h" >&5 +echo "configure:4147: checking for ut_addr_v6 field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4181,13 +4183,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_exit echo $ac_n "checking for ut_exit field in utmp.h""... $ac_c" 1>&6 -echo "configure:4185: checking for ut_exit field in utmp.h" >&5 +echo "configure:4187: checking for ut_exit field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -4221,13 +4223,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_time echo $ac_n "checking for ut_time field in utmp.h""... $ac_c" 1>&6 -echo "configure:4225: checking for ut_time field in utmp.h" >&5 +echo "configure:4227: checking for ut_time field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4261,13 +4263,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_time echo $ac_n "checking for ut_time field in utmpx.h""... $ac_c" 1>&6 -echo "configure:4265: checking for ut_time field in utmpx.h" >&5 +echo "configure:4267: checking for ut_time field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4301,13 +4303,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_tv echo $ac_n "checking for ut_tv field in utmpx.h""... $ac_c" 1>&6 -echo "configure:4305: checking for ut_tv field in utmpx.h" >&5 +echo "configure:4307: checking for ut_tv field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4338,13 +4340,13 @@ echo $ac_n "checking for ss_family field in struct sockaddr_storage""... $ac_c" 1>&6 -echo "configure:4342: checking for ss_family field in struct sockaddr_storage" >&5 +echo "configure:4344: checking for ss_family field in struct sockaddr_storage" >&5 if eval "test \"`echo '$''{'ac_cv_have_ss_family_in_struct_ss'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < 
@@ -4354,7 +4356,7 @@ struct sockaddr_storage s; s.ss_family = 1; ; return 0; } EOF -if { (eval echo configure:4358: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4360: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_ss_family_in_struct_ss="yes" else @@ -4376,13 +4378,13 @@ fi echo $ac_n "checking for __ss_family field in struct sockaddr_storage""... $ac_c" 1>&6 -echo "configure:4380: checking for __ss_family field in struct sockaddr_storage" >&5 +echo "configure:4382: checking for __ss_family field in struct sockaddr_storage" >&5 if eval "test \"`echo '$''{'ac_cv_have___ss_family_in_struct_ss'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -4392,7 +4394,7 @@ struct sockaddr_storage s; s.__ss_family = 1; ; return 0; } EOF -if { (eval echo configure:4396: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4398: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have___ss_family_in_struct_ss="yes" else @@ -4416,20 +4418,20 @@ echo $ac_n "checking if libc defines __progname""... $ac_c" 1>&6 -echo "configure:4420: checking if libc defines __progname" >&5 +echo "configure:4422: checking if libc defines __progname" >&5 if eval "test \"`echo '$''{'ac_cv_libc_defines___progname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:4435: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* ac_cv_libc_defines___progname="yes" else 
@@ -4453,20 +4455,20 @@ echo $ac_n "checking if libc defines sys_errlist""... $ac_c" 1>&6 -echo "configure:4457: checking if libc defines sys_errlist" >&5 +echo "configure:4459: checking if libc defines sys_errlist" >&5 if eval "test \"`echo '$''{'ac_cv_libc_defines_sys_errlist'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:4472: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* ac_cv_libc_defines_sys_errlist="yes" else @@ -4503,7 +4505,7 @@ # Extract the first word of "rsh", so it can be a program name with args. set dummy rsh; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:4507: checking for $ac_word" >&5 +echo "configure:4509: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_rsh_path'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4553,7 +4555,7 @@ # Extract the first word of "xauth", so it can be a program name with args. set dummy xauth; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:4557: checking for $ac_word" >&5 +echo "configure:4559: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_xauth_path'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4619,7 +4621,7 @@ ac_safe=`echo ""/dev/ptmx"" | sed 'y%./+-%__p_%'` echo $ac_n "checking for "/dev/ptmx"""... $ac_c" 1>&6 -echo "configure:4623: checking for "/dev/ptmx"" >&5 +echo "configure:4625: checking for "/dev/ptmx"" >&5 if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -4652,7 +4654,7 @@ ac_safe=`echo ""/dev/ptc"" | sed 'y%./+-%__p_%'` echo $ac_n "checking for "/dev/ptc"""... $ac_c" 1>&6 -echo "configure:4656: checking for "/dev/ptc"" >&5 +echo "configure:4658: checking for "/dev/ptc"" >&5 if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4703,7 +4705,7 @@ ac_safe=`echo ""/dev/urandom"" | sed 'y%./+-%__p_%'` echo $ac_n "checking for "/dev/urandom"""... $ac_c" 1>&6 -echo "configure:4707: checking for "/dev/urandom"" >&5 +echo "configure:4709: checking for "/dev/urandom"" >&5 if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4764,7 +4766,7 @@ # Extract the first word of "ls", so it can be a program name with args. set dummy ls; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:4768: checking for $ac_word" >&5 +echo "configure:4770: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_LS'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4805,7 +4807,7 @@ # Extract the first word of "netstat", so it can be a program name with args. set dummy netstat; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:4809: checking for $ac_word" >&5 +echo "configure:4811: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_NETSTAT'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4846,7 +4848,7 @@ # Extract the first word of "arp", so it can be a program name with args. set dummy arp; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:4850: checking for $ac_word" >&5 +echo "configure:4852: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_ARP'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -4887,7 +4889,7 @@ # Extract the first word of "ifconfig", so it can be a program name with args. set dummy ifconfig; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:4891: checking for $ac_word" >&5 +echo "configure:4893: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_IFCONFIG'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4928,7 +4930,7 @@ # Extract the first word of "ps", so it can be a program name with args. set dummy ps; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:4932: checking for $ac_word" >&5 +echo "configure:4934: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_PS'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4969,7 +4971,7 @@ # Extract the first word of "w", so it can be a program name with args. set dummy w; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:4973: checking for $ac_word" >&5 +echo "configure:4975: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_W'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5010,7 +5012,7 @@ # Extract the first word of "who", so it can be a program name with args. set dummy who; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5014: checking for $ac_word" >&5 +echo "configure:5016: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_WHO'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5051,7 +5053,7 @@ # Extract the first word of "last", so it can be a program name with args. set dummy last; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5055: checking for $ac_word" >&5 +echo "configure:5057: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_LAST'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -5092,7 +5094,7 @@ # Extract the first word of "lastlog", so it can be a program name with args. set dummy lastlog; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5096: checking for $ac_word" >&5 +echo "configure:5098: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_LASTLOG'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5133,7 +5135,7 @@ # Extract the first word of "df", so it can be a program name with args. set dummy df; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5137: checking for $ac_word" >&5 +echo "configure:5139: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_DF'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5174,7 +5176,7 @@ # Extract the first word of "vmstat", so it can be a program name with args. set dummy vmstat; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5178: checking for $ac_word" >&5 +echo "configure:5180: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_VMSTAT'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5215,7 +5217,7 @@ # Extract the first word of "uptime", so it can be a program name with args. set dummy uptime; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5219: checking for $ac_word" >&5 +echo "configure:5221: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_UPTIME'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5256,7 +5258,7 @@ # Extract the first word of "ipcs", so it can be a program name with args. set dummy ipcs; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5260: checking for $ac_word" >&5 +echo "configure:5262: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_IPCS'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -5297,7 +5299,7 @@ # Extract the first word of "tail", so it can be a program name with args. set dummy tail; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5301: checking for $ac_word" >&5 +echo "configure:5303: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_TAIL'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5338,7 +5340,7 @@ # Extract the first word of "ls", so it can be a program name with args. set dummy ls; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5342: checking for $ac_word" >&5 +echo "configure:5344: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_LS'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5432,17 +5434,17 @@ do ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 -echo "configure:5436: checking for $ac_hdr" >&5 +echo "configure:5438: checking for $ac_hdr" >&5 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:5446: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:5448: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then rm -rf conftest* @@ -5469,7 +5471,7 @@ done echo $ac_n "checking for main in -lkrb""... $ac_c" 1>&6 -echo "configure:5473: checking for main in -lkrb" >&5 +echo "configure:5475: checking for main in -lkrb" >&5 ac_lib_var=`echo krb'_'main | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 
@@ -5477,14 +5479,14 @@ ac_save_LIBS="$LIBS" LIBS="-lkrb $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:5490: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -5520,7 +5522,7 @@ KLIBS="-lkrb -ldes" echo $ac_n "checking for dn_expand in -lresolv""... $ac_c" 1>&6 -echo "configure:5524: checking for dn_expand in -lresolv" >&5 +echo "configure:5526: checking for dn_expand in -lresolv" >&5 ac_lib_var=`echo resolv'_'dn_expand | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -5528,7 +5530,7 @@ ac_save_LIBS="$LIBS" LIBS="-lresolv $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:5545: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -5640,9 +5642,9 @@ saved_LIBS="$LIBS" LIBS="$LIBS -lwrap" echo $ac_n "checking for libwrap""... $ac_c" 1>&6 -echo "configure:5644: checking for libwrap" >&5 +echo "configure:5646: checking for libwrap" >&5 cat > conftest.$ac_ext < @@ -5652,7 +5654,7 @@ hosts_access(0); ; return 0; } EOF -if { (eval echo configure:5656: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:5658: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* echo "$ac_t""yes" 1>&6 
@@ -5696,6 +5698,24 @@ fi +# Check whether to enable chrooting +CHROOT_MSG="no" +# Check whether --with-chroot or --without-chroot was given. +if test "${with_chroot+set}" = set; then + withval="$with_chroot" + + if test "x$withval" != "xno" ; then + cat >> confdefs.h <<\EOF +#define CHROOT 1 +EOF + + CHROOT_MSG="yes" + fi + + +fi + + # Whether to disable shadow password support # Check whether --with-shadow or --without-shadow was given. if test "${with_shadow+set}" = set; then @@ -5715,9 +5735,9 @@ if test -z "$disable_shadow" ; then echo $ac_n "checking if the systems has expire shadow information""... $ac_c" 1>&6 -echo "configure:5719: checking if the systems has expire shadow information" >&5 +echo "configure:5739: checking if the systems has expire shadow information" >&5 cat > conftest.$ac_ext < @@ -5728,7 +5748,7 @@ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ; return 0; } EOF -if { (eval echo configure:5732: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5752: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* sp_expire_available=yes else @@ -5806,7 +5826,7 @@ echo $ac_n "checking if we need to convert IPv4 in IPv6-mapped addresses""... $ac_c" 1>&6 -echo "configure:5810: checking if we need to convert IPv4 in IPv6-mapped addresses" >&5 +echo "configure:5830: checking if we need to convert IPv4 in IPv6-mapped addresses" >&5 IPV4_IN6_HACK_MSG="no" # Check whether --with-4in6 or --without-4in6 was given. if test "${with_4in6+set}" = set; then @@ -5949,9 +5969,9 @@ echo $ac_n "checking if your system defines LASTLOG_FILE""... $ac_c" 1>&6 -echo "configure:5953: checking if your system defines LASTLOG_FILE" >&5 +echo "configure:5973: checking if your system defines LASTLOG_FILE" >&5 cat > conftest.$ac_ext < 
@@ -5967,7 +5987,7 @@ char *lastlog = LASTLOG_FILE; ; return 0; } EOF -if { (eval echo configure:5971: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5991: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -5977,9 +5997,9 @@ echo "$ac_t""no" 1>&6 echo $ac_n "checking if your system defines _PATH_LASTLOG""... $ac_c" 1>&6 -echo "configure:5981: checking if your system defines _PATH_LASTLOG" >&5 +echo "configure:6001: checking if your system defines _PATH_LASTLOG" >&5 cat > conftest.$ac_ext < @@ -5995,7 +6015,7 @@ char *lastlog = _PATH_LASTLOG; ; return 0; } EOF -if { (eval echo configure:5999: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6019: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -6034,9 +6054,9 @@ fi echo $ac_n "checking if your system defines UTMP_FILE""... $ac_c" 1>&6 -echo "configure:6038: checking if your system defines UTMP_FILE" >&5 +echo "configure:6058: checking if your system defines UTMP_FILE" >&5 cat > conftest.$ac_ext < @@ -6049,7 +6069,7 @@ char *utmp = UTMP_FILE; ; return 0; } EOF -if { (eval echo configure:6053: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6073: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -6084,9 +6104,9 @@ fi echo $ac_n "checking if your system defines WTMP_FILE""... $ac_c" 1>&6 -echo "configure:6088: checking if your system defines WTMP_FILE" >&5 +echo "configure:6108: checking if your system defines WTMP_FILE" >&5 cat > conftest.$ac_ext < @@ -6099,7 +6119,7 @@ char *wtmp = WTMP_FILE; ; return 0; } EOF -if { (eval echo configure:6103: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6123: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else 
@@ -6135,9 +6155,9 @@ echo $ac_n "checking if your system defines UTMPX_FILE""... $ac_c" 1>&6 -echo "configure:6139: checking if your system defines UTMPX_FILE" >&5 +echo "configure:6159: checking if your system defines UTMPX_FILE" >&5 cat > conftest.$ac_ext < @@ -6153,7 +6173,7 @@ char *utmpx = UTMPX_FILE; ; return 0; } EOF -if { (eval echo configure:6157: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6177: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -6180,9 +6200,9 @@ fi echo $ac_n "checking if your system defines WTMPX_FILE""... $ac_c" 1>&6 -echo "configure:6184: checking if your system defines WTMPX_FILE" >&5 +echo "configure:6204: checking if your system defines WTMPX_FILE" >&5 cat > conftest.$ac_ext < @@ -6198,7 +6218,7 @@ char *wtmpx = WTMPX_FILE; ; return 0; } EOF -if { (eval echo configure:6202: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6222: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -6680,6 +6700,7 @@ echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" echo " MD5 password support: $MD5_MSG" +echo " Magic token chroot support: $CHROOT_MSG" echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " Use IPv4 by default hack: $IPV4_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" diff -u --new-file openssh-2.1.1p4/configure.in openssh-2.1.1p4-chroot/configure.in --- openssh-2.1.1p4/configure.in Sat Jul 15 05:59:14 2000 +++ openssh-2.1.1p4-chroot/configure.in Sat Aug 26 01:35:51 2000 
@@ -991,6 +991,18 @@ ] ) +# Check whether to enable chrooting +CHROOT_MSG="no" +AC_ARG_WITH(chroot, + [ --with-chroot Enable user chrooting through magic token], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE(CHROOT) + CHROOT_MSG="yes" + fi + ] +) + # Whether to disable shadow password support AC_ARG_WITH(shadow, [ --without-shadow Disable shadow password support], @@ -1367,6 +1379,7 @@ echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" echo " MD5 password support: $MD5_MSG" +echo " Magic token chroot support: $CHROOT_MSG" echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " Use IPv4 by default hack: $IPV4_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" Common subdirectories: openssh-2.1.1p4/contrib and openssh-2.1.1p4-chroot/contrib diff -u --new-file openssh-2.1.1p4/session.c openssh-2.1.1p4-chroot/session.c --- openssh-2.1.1p4/session.c Wed Jul 12 00:45:27 2000 +++ openssh-2.1.1p4-chroot/session.c Sat Aug 26 01:28:06 2000 @@ -897,6 +897,10 @@ extern char **environ; struct stat st; char *argv[10]; +#ifdef CHROOT + char *user_dir; + char *new_root; +#endif /* CHROOT */ #ifdef WITH_IRIX_PROJECT prid_t projid; #endif /* WITH_IRIX_PROJECT */ 
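Review bot: the regenerated configure hunks from @@ -3497 through @@ -6680 are pure line-number churn from rerunning autoconf and should be dropped from the patch; the configure.in hunk (@@ -991) is the only source change needed, and the maintainer can regenerate the script. The new `--with-chroot` option defines CHROOT but the patch touches no documentation (only configure, configure.in and session.c are changed), so a user has no way to learn the `/./` convention; add a note to the README or the sshd manual page saying that a home directory of the form /jail/./home makes sshd chroot to /jail and then use /home as the home directory. Minor: the `#endif /* CHROOT */` after the `char *user_dir; char *new_root;` declarations follows the file's style, but the `+` block in configure.in is indented with a mix that does not match the `--without-shadow` entry directly below it.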
@@ -922,6 +926,25 @@ if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno)); #endif +#ifdef CHROOT + user_dir = xstrdup(pw->pw_dir); + new_root = user_dir + 1; + + while((new_root = strchr(new_root, '.')) != NULL) { + new_root--; + if(strncmp(new_root, "/./", 3) == 0) { + *new_root = '\0'; + new_root += 2; + + if(chroot(user_dir) != 0) + fatal("Couldn't chroot to user directory %s", user_dir); + + pw->pw_dir = new_root; + break; + } + new_root += 2; + } +#endif /* CHROOT */ /* Set uid, gid, and groups. */ /* Login(1) does this as well, and it needs uid 0 for the "-h" -------------- next part -------------- diff -u --new-file openssh-2.1.1p4/session.c openssh-2.1.1p4-chroot/session.c --- openssh-2.1.1p4/session.c Wed Jul 12 00:45:27 2000 +++ openssh-2.1.1p4-chroot/session.c Sat Aug 26 01:28:06 2000 @@ -897,6 +897,10 @@ extern char **environ; struct stat st; char *argv[10]; +#ifdef CHROOT + char *user_dir; + char *new_root; +#endif /* CHROOT */ #ifdef WITH_IRIX_PROJECT prid_t projid; #endif /* WITH_IRIX_PROJECT */ @@ -922,6 +926,25 @@ if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno)); #endif +#ifdef CHROOT + user_dir = xstrdup(pw->pw_dir); + new_root = user_dir + 1; + + while((new_root = strchr(new_root, '.')) != NULL) { + new_root--; + if(strncmp(new_root, "/./", 3) == 0) { + *new_root = '\0'; + new_root += 2; + + if(chroot(user_dir) != 0) + fatal("Couldn't chroot to user directory %s", user_dir); + + pw->pw_dir = new_root; + break; + } + new_root += 2; + } +#endif /* CHROOT */ /* Set uid, gid, and groups. */ /* Login(1) does this as well, and it needs uid 0 for the "-h" -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 524 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000826/294ae598/attachment.bin From djm at mindrot.org Sat Aug 26 12:57:45 2000 
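Review bot: in the @@ -922 session.c hunk, `chroot(user_dir)` is not followed by a `chdir()` into the new root, so the process keeps a current directory outside the jail until something else changes it; add `if (chdir("/") != 0) fatal("chdir to new root failed");` immediately after the chroot() call. The token parsing itself is sound (strchr starts at `user_dir + 1`, so `new_root--` never runs before the buffer, and a trailing `.` leaves `new_root` on the terminating NUL), but nothing here checks that `pw->pw_shell` and the libraries it needs exist under the new root, so a misconfigured jail fails only at exec time; a `stat()` of the shell path after the chroot with a clear `fatal()` would make that diagnosable. Style: `while((new_root` and `if(strncmp(` should be `while ((new_root` and `if (strncmp(` to match the surrounding code, and the `xstrdup` buffer that `pw->pw_dir` now points into is never freed (harmless since the child execs, but worth a comment).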
From: djm at mindrot.org (Damien Miller) Date: Sat, 26 Aug 2000 12:57:45 +1000 (EST) Subject: Control-c not work under openssh? In-Reply-To: <20000825112854.C23737@greenie.muc.de> Message-ID: On Fri, 25 Aug 2000, Gert Doering wrote: > > > /* NEW: set ctrl-C signal to "default", which is "abort program" */ > > > signal( SIGINT, SIG_DFL ); > > > Yup, I put this in pty.c after line 261. > > > > I have tested this with Solaris 7 and Solaris 8 (on sparc > > systems) and it works fine :-) :-) I also used the new snapshot > > (openssh-SNAP-20000823) for the tests, so hopefully it could be > > included for the next release. Well found people! I think it would be neater to reset this with the other signals. Can you back out your change and try this patch? Index: sshd.c =================================================================== RCS file: /var/cvs/openssh/sshd.c,v retrieving revision 1.87 diff -u -r1.87 sshd.c --- sshd.c 2000/08/18 03:59:07 1.87 +++ sshd.c 2000/08/26 02:55:01 @@ -956,6 +956,7 @@ signal(SIGTERM, SIG_DFL); signal(SIGQUIT, SIG_DFL); signal(SIGCHLD, SIG_DFL); + signal(SIGINT, SIG_DFL); /* * Set socket options for the connection. We want the socket to -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From wcooley at wirex.com Sun Aug 27 16:51:43 2000 
From: wcooley at wirex.com (W. Reilly Cooley) Date: Sat, 26 Aug 2000 22:51:43 -0700 Subject: Login Patch Message-ID: <20000826225143.F12215@wirex.com> Please excuse me for mailing you directly instead of using the 'sendbug' facility; it seems to be an OpenBSD-only facility, and I didn't see a bug-tracking interface on the web site. I know the "UseLogin" feature is deprecated (to some degree, at any rate), however, on a Red Hat 6.2-based system, it is broken, because ssh.h statically defines LOGIN_PROGRAM as /usr/bin/login, whereas here it is /bin/login. Attached is a patch which corrects this by adding a check in configure.in and adding LOGIN_PROGRAM to PATHS in Makefile.in. Of course you need to re-run autoconf to pick up the new changes. (Please CC: me as I'm not on this list) Wil -- W. Reilly Cooley, Esq. wcooley at wirex.com -------------- next part -------------- --- openssh-2.1.1p4/configure.in.orig Thu Aug 17 11:11:27 2000 +++ openssh-2.1.1p4/configure.in Thu Aug 17 11:23:17 2000 @@ -13,6 +13,8 @@ AC_SUBST(PERL) AC_PATH_PROG(ENT, ent) AC_SUBST(ENT) +AC_PATH_PROG(LOGIN_PROGRAM, login) +AC_SUBST(LOGIN_PROGRAM) if test -z "$LD" ; then LD=$CC --- openssh-2.1.1p4/Makefile.in.orig Thu Aug 17 11:25:31 2000 +++ openssh-2.1.1p4/Makefile.in Thu Aug 17 11:24:06 2000 @@ -17,10 +17,11 @@ SSH_PROGRAM=@bindir@/ssh ASKPASS_LOCATION=@libexecdir@/ssh ASKPASS_PROGRAM=$(ASKPASS_LOCATION)/ssh-askpass +LOGIN_PROGRAM=@LOGIN_PROGRAM@ CC=@CC@ LD=@LD@ -PATHS=-DETCDIR=\"$(sysconfdir)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DSSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" +PATHS=-DETCDIR=\"$(sysconfdir)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DSSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" -DLOGIN_PROGRAM=\"$(LOGIN_PROGRAM)\" CFLAGS=@CFLAGS@ $(PATHS) @DEFS@ LIBS=@LIBS@ AR=@AR@ From hein at acm.org Mon Aug 28 03:37:14 2000 
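Review bot: `AC_PATH_PROG(LOGIN_PROGRAM, login)` in the configure.in hunk has no value-if-not-found, so on a system where configure does not locate login the Makefile.in hunk still passes `-DLOGIN_PROGRAM=\"\"` and the static default in ssh.h that the message describes is replaced by an empty path; pass a fallback as the third argument, `AC_PATH_PROG(LOGIN_PROGRAM, login, /usr/bin/login)`, or add the `-D` to PATHS only when the variable is non-empty. Since ssh.h already defines LOGIN_PROGRAM and the patch does not touch ssh.h, the command-line `-D` will also trigger a redefinition unless that define is wrapped in `#ifndef LOGIN_PROGRAM`.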
From: hein at acm.org (Hein Roehrig) Date: Sun, 27 Aug 2000 18:37:14 +0200 Subject: patch for TIS (skey/opie) *and* passwd auth via PAM Message-ID: Hello, appended is a patch that makes it possible to use PAM both for password authentication and TIS (i.e. s/key or opie or any other interactive challenge/response scheme). I have developed this starting from the patch at http://www.debian.org/Bugs/db/61/61906.html on Debian with openssh-2.1.1p4-3. After configuring ssh with --with-pam-tis, there are two PAM services, "sshd" and "sshd-tis" (resp. "ssh" and "ssh-tis" on Debian); /etc/pam.d/ssh-tis could contain for example ------------ #%PAM-1.0 auth required pam_nologin.so auth required pam_opie.so auth required pam_env.so # [1] account required pam_unix.so session required pam_unix.so session optional pam_lastlog.so # [1] session optional pam_motd.so # [1] session optional pam_mail.so standard # [1] password required pam_unix.so ------------ I.e., the only change to the default /etc/pam.d/ssh is unix -> opie in line 3. I hope this patch will allow using ssh with OPIE on Debian; I am looking forward to your comments. If in principle this approach is ok, what changes are needed to get this patch into the development tree? I know that my C indenting is not the same as in the rest of the source; where do I find the official indentation style? Thanks, Hein diff -urN -x *~ openssh-2.1.1p4/acconfig.h openssh-2.1.1p4-hein/acconfig.h --- openssh-2.1.1p4/acconfig.h Sat Jul 15 06:59:14 2000 +++ openssh-2.1.1p4-hein/acconfig.h Sun Aug 27 12:13:36 2000
@@ -30,6 +30,9 @@ /* Define if you want to disable PAM support */ #undef DISABLE_PAM +/* Define if you want TIS authentication through PAM */ +#undef PAM_TIS + /* Define if you want to enable AIX4's authenticate function */ #undef WITH_AIXAUTHENTICATE diff -urN -x *~ openssh-2.1.1p4/auth-pam.c openssh-2.1.1p4-hein/auth-pam.c --- openssh-2.1.1p4/auth-pam.c Sun Jul 9 14:42:33 2000 +++ openssh-2.1.1p4-hein/auth-pam.c Sun Aug 27 18:05:44 2000 @@ -33,12 +33,15 @@ #include "ssh.h" #include "xmalloc.h" #include "servconf.h" +#include "packet.h" RCSID("$Id: auth-pam.c,v 1.11 2000/07/09 12:42:33 djm Exp $"); #define NEW_AUTHTOK_MSG \ "Warning: You password has expired, please change it now" +static void start_pam2(struct passwd *pw, int auth_type); + /* Callbacks */ static int pamconv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr); @@ -53,6 +56,7 @@ static struct pam_handle_t *pamh = NULL; static const char *pampasswd = NULL; static char *pam_msg = NULL; +static int current_auth_type=-1; /* PAM conversation function. This is really a kludge to get the password */ /* into PAM and to pick up any messages generated by PAM into pamconv_msg */ @@ -61,6 +65,7 @@ { struct pam_response *reply; int count; + int dlen, plen, type; /* PAM will free this later */ reply = malloc(num_msg * sizeof(*reply)); 
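Review bot: none of the auth-pam.c additions in these hunks (the `#include "packet.h"`, the `start_pam2` forward declaration, `current_auth_type` and the new `dlen, plen, type` locals in pamconv) are under `#ifdef PAM_TIS`, unlike the rest of the patch, so every --with-pam build gains a code path that reads SSH packets from inside the PAM conversation function and, without PAM_TIS, three locals that are only used by that path. Either guard the auth-pam.c changes consistently with acconfig.h's PAM_TIS or state in the patch description that compiling them in unconditionally is intended.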
@@ -70,13 +75,58 @@ for(count = 0; count < num_msg; count++) { switch (msg[count]->msg_style) { case PAM_PROMPT_ECHO_OFF: - if (pampasswd == NULL) { - free(reply); - return PAM_CONV_ERR; + if (current_auth_type==SSH_CMSG_AUTH_TIS && pampasswd==NULL) { + /* TIS */ + int prompt_len; + char *prompt; + debug("send SSH_SMSG_AUTH_TIS_CHALLENGE in PAM"); + /* send all previous PAM_TEXT_INFO messages plus + the current prompt */ + prompt_len=((pam_msg!=NULL)?strlen(pam_msg):0) + + strlen(msg[count]->msg); + prompt=xmalloc(prompt_len + 1); + if (pam_msg!=NULL) { + strcpy(prompt, pam_msg); + xfree(pam_msg); + pam_msg=NULL; + } else + *prompt='\0'; + strcat(prompt, msg[count]->msg); + /* cut off Response: from the prompt because the + SSH client already prints this */ + if (prompt_len >= sizeof("Response: ") - 1 && + 0==strcasecmp(prompt + prompt_len - sizeof("\nResponse: ") + 1, + "\nResponse: ")) { + prompt[prompt_len - sizeof("\nResponse: ") + 1]='\0'; + } + packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE); + packet_put_string(prompt, prompt_len); + xfree(prompt); + packet_send(); + packet_write_wait(); + type = packet_read(&plen); + if (type == SSH_CMSG_AUTH_TIS_RESPONSE) { + debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE in PAM"); + pampasswd = packet_get_string(&dlen); + packet_integrity_check(plen, 4 + dlen, type); + } else { + free(reply); + return PAM_CONV_ERR; + } + reply[count].resp_retcode = PAM_SUCCESS; + reply[count].resp = xstrdup(pampasswd); + xfree((void*)pampasswd); + pampasswd=NULL; + } else { + /* password or second TIS attempt */ + if (pampasswd == NULL) { + free(reply); + return PAM_CONV_ERR; } reply[count].resp_retcode = PAM_SUCCESS; reply[count].resp = xstrdup(pampasswd); - break; + } + break; case PAM_TEXT_INFO: reply[count].resp_retcode = PAM_SUCCESS; reply[count].resp = xstrdup(""); 
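Review bot: the suffix check in the pamconv TIS branch mixes two lengths: the guard is `prompt_len >= sizeof("Response: ") - 1` (10 bytes) while the comparison backs up `sizeof("\nResponse: ") - 1` (11 bytes) from the end, so a 10-byte prompt makes strcasecmp read one byte before the buffer; use the same literal in both places. After the truncation `prompt[prompt_len - sizeof("\nResponse: ") + 1]='\0'` the code still calls `packet_put_string(prompt, prompt_len)` with the original length, so the client receives the embedded NUL and the text that was meant to be cut off; send strlen(prompt) instead. Finally, when `packet_read` returns anything other than SSH_CMSG_AUTH_TIS_RESPONSE the packet is silently discarded before PAM_CONV_ERR is returned, so a client that gives up on the challenge and sends another authentication message loses that message; at minimum log the unexpected type.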
@@ -123,29 +173,34 @@ } } -/* Attempt password authentation using PAM */ -int auth_pam_password(struct passwd *pw, const char *password) +/* Attempt authentication using PAM */ +int auth_pam_password(struct passwd *pw, const char *password, int auth_type) { extern ServerOptions options; int pam_retval; + if (auth_type != current_auth_type) { + finish_pam(); + start_pam2(pw, auth_type); + } + /* deny if no user. */ if (pw == NULL) return 0; if (pw->pw_uid == 0 && options.permit_root_login == 2) return 0; - if (*password == '\0' && options.permit_empty_passwd == 0) + if (password!=NULL && *password == '\0' && options.permit_empty_passwd == 0) return 0; pampasswd = password; pam_retval = pam_authenticate((pam_handle_t *)pamh, 0); if (pam_retval == PAM_SUCCESS) { - debug("PAM Password authentication accepted for user \"%.100s\"", + debug("PAM authentication accepted for user \"%.100s\"", pw->pw_name); return 1; } else { - debug("PAM Password authentication for \"%.100s\" failed: %s", + debug("PAM authentication for \"%.100s\" failed: %s", pw->pw_name, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); return 0; } 
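Review bot: in the auth_pam_password hunk the new `finish_pam(); start_pam2(pw, auth_type);` block runs before the existing `if (pw == NULL) return 0;` check, and start_pam2 dereferences pw->pw_name, so a call with a NULL pw now crashes where it previously returned failure; move the service switch below the pw checks. The same block also tears down and restarts the PAM handle on every change of method, so a client that alternates password and TIS attempts causes a pam_end/pam_start cycle per attempt; probably acceptable, but worth a comment, because do_pam_account and do_pam_session later operate on whichever service was started last.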
@@ -234,11 +289,34 @@ /* Start PAM authentication for specified account */ void start_pam(struct passwd *pw) { + start_pam2(pw, SSH_CMSG_AUTH_PASSWORD); +} + + +/* Start PAM authentication for specified account */ +static void start_pam2(struct passwd *pw, int auth_type) +{ int pam_retval; + const char *service=NULL; - debug("Starting up PAM with username \"%.200s\"", pw->pw_name); + switch (auth_type) { + case SSH_CMSG_AUTH_PASSWORD : + service=SSHD_PAM_SERVICE; + break; + case SSH_CMSG_AUTH_TIS : + service=SSHD_PAM_TIS_SERVICE; + break; + default: + fatal("PAM attempted for unsupported authentication type\n"); + } + + current_auth_type=auth_type; + + debug("Starting up PAM service %.200s with username \"%.200s\"", + service, + pw->pw_name); - pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv, + pam_retval = pam_start(service, pw->pw_name, &conv, (pam_handle_t**)&pamh); if (pam_retval != PAM_SUCCESS) { diff -urN -x *~ openssh-2.1.1p4/auth-pam.h openssh-2.1.1p4-hein/auth-pam.h --- openssh-2.1.1p4/auth-pam.h Thu Jan 27 00:55:38 2000 +++ openssh-2.1.1p4-hein/auth-pam.h Sun Aug 27 17:27:46 2000 @@ -5,7 +5,7 @@ void start_pam(struct passwd *pw); void finish_pam(void); -int auth_pam_password(struct passwd *pw, const char *password); +int auth_pam_password(struct passwd *pw, const char *password, int auth_type); char **fetch_pam_environment(void); int do_pam_account(char *username, char *remote_user); void do_pam_session(char *username, const char *ttyname); diff -urN -x *~ openssh-2.1.1p4/auth1.c openssh-2.1.1p4-hein/auth1.c --- openssh-2.1.1p4/auth1.c Sat Jul 8 02:44:14 2000 +++ openssh-2.1.1p4-hein/auth1.c Sun Aug 27 17:27:53 2000 @@ -40,7 +40,11 @@ static char buf[1024]; switch (type) { case SSH_CMSG_AUTH_PASSWORD: +#ifdef USE_PAM + return "pam-password"; +#else return "password"; +#endif case SSH_CMSG_AUTH_RSA: return "rsa"; case SSH_CMSG_AUTH_RHOSTS_RSA: 
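Review bot: in the auth1.c get_authname hunk, returning "pam-password" instead of "password" whenever USE_PAM is defined changes the method name in every "Accepted"/"Failed" log line for PAM builds, which breaks existing log parsers and diverges from the non-PAM wording for no protocol reason; keep "password" there. In start_pam2, `fatal("PAM attempted for unsupported authentication type\n")` carries a trailing newline that the neighbouring debug() and log() calls do not use, and current_auth_type is assigned before pam_start has been checked for success.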
@@ -55,6 +59,11 @@ case SSH_CMSG_AUTH_TIS_RESPONSE: return "s/key"; #endif +#ifdef PAM_TIS + case SSH_CMSG_AUTH_TIS: + case SSH_CMSG_AUTH_TIS_RESPONSE: + return "pam-tis"; +#endif } snprintf(buf, sizeof buf, "bad-auth-msg-%d", type); return buf; @@ -307,7 +316,7 @@ #ifdef USE_PAM /* Do PAM auth with password */ - authenticated = auth_pam_password(pw, password); + authenticated = auth_pam_password(pw, password, SSH_CMSG_AUTH_PASSWORD); #elif defined(HAVE_OSF_SIA) /* Do SIA auth with password */ if (sia_validate_user(NULL, saved_argc, saved_argv, @@ -355,6 +364,26 @@ xfree(response); } break; +#elif defined(PAM_TIS) + case SSH_CMSG_AUTH_TIS: + debug("rcvd SSH_CMSG_AUTH_TIS"); + if (!options.tis_authentication) { + verbose("TIS authentication disabled."); + break; + } + authenticated = auth_pam_password(pw, NULL, SSH_CMSG_AUTH_TIS); + break; + case SSH_CMSG_AUTH_TIS_RESPONSE: + debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE"); + if (!options.tis_authentication) { + verbose("TIS authentication disabled."); + break; + } else { + char *response = packet_get_string(&dlen); + authenticated = auth_pam_password(pw, response, SSH_CMSG_AUTH_TIS); + xfree(response); + } + break; #else case SSH_CMSG_AUTH_TIS: /* TIS Authentication is unsupported */ @@ -503,7 +532,7 @@ (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif /* KRB4 */ #ifdef USE_PAM - auth_pam_password(pw, "")) { + auth_pam_password(pw, "", SSH_CMSG_AUTH_PASSWORD)) { #elif defined(HAVE_OSF_SIA) (sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, diff -urN -x *~ openssh-2.1.1p4/auth2.c openssh-2.1.1p4-hein/auth2.c --- openssh-2.1.1p4/auth2.c Tue Jul 11 09:31:38 2000 +++ openssh-2.1.1p4-hein/auth2.c Sun Aug 27 17:39:22 2000 @@ -102,6 +102,9 @@ #ifdef SKEY options.skey_authentication = 0; #endif +#ifdef PAM_TIS + options.tis_authentication = 0; +#endif #ifdef KRB4 options.kerberos_authentication = 0; #endif 
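Review bot: in the get_authname hunk the new `#ifdef PAM_TIS` cases repeat the `case SSH_CMSG_AUTH_TIS:` and `case SSH_CMSG_AUTH_TIS_RESPONSE:` labels that the preceding `#ifdef SKEY` block already provides, so a tree configured with both --with-skey and --with-pam-tis fails to compile here, while the main switch in the same file uses `#elif defined(PAM_TIS)` (SKEY wins) and the sshd.c auth_mask hunk uses a plain `#ifdef PAM_TIS`; pick one rule, for example have configure reject the combination, so the two options cannot half-overlap with a TISAuthentication keyword that is accepted but never acted on. In the SSH_CMSG_AUTH_TIS_RESPONSE case the response is handed to a fresh pam_authenticate, so it is compared against whatever challenge the module generates now, not necessarily one the client was shown; since the normal flow already consumes the response inside pamconv, a stand-alone response could simply be treated as a failure.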
@@ -257,7 +260,7 @@ packet_done(); #ifdef USE_PAM - return auth_pam_password(pw, ""); + return auth_pam_password(pw, "", SSH_CMSG_AUTH_PASSWORD); #elif defined(HAVE_OSF_SIA) return(sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, @@ -284,7 +287,7 @@ packet_done(); if (options.password_authentication && #ifdef USE_PAM - auth_pam_password(pw, password) == 1) + auth_pam_password(pw, password, SSH_CMSG_AUTH_PASSWORD) == 1) #elif defined(HAVE_OSF_SIA) sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0, diff -urN -x *~ openssh-2.1.1p4/configure.in openssh-2.1.1p4-hein/configure.in --- openssh-2.1.1p4/configure.in Sat Jul 15 06:59:14 2000 +++ openssh-2.1.1p4-hein/configure.in Sun Aug 27 12:31:26 2000 @@ -306,6 +306,18 @@ ) fi +PAM_TIS_MSG="no" +AC_ARG_WITH(pam-tis, + [ --with-pam-tis Enable PAM for TIS support ], + [ + if test "x$withval" = "xyes" ; then + pam_tis=1 + AC_DEFINE(PAM_TIS) + PAM_TIS_MSG="yes" + fi + ] +) + # The big search for OpenSSL AC_ARG_WITH(ssl-dir, [ --with-ssl-dir=PATH Specify path to OpenSSL installation ], @@ -1365,6 +1377,7 @@ echo " KerberosIV support: $KRB4_MSG" echo " AFS support: $AFS_MSG" echo " S/KEY support: $SKEY_MSG" +echo " TIS via PAM support: $PAM_TIS_MSG" echo " TCP Wrappers support: $TCPW_MSG" echo " MD5 password support: $MD5_MSG" echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" diff -urN -x *~ openssh-2.1.1p4/debian/rules openssh-2.1.1p4-hein/debian/rules --- openssh-2.1.1p4/debian/rules Sun Aug 27 15:42:21 2000 +++ openssh-2.1.1p4-hein/debian/rules Sun Aug 27 17:39:02 2000 
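Review bot: the configure.in hunk defines PAM_TIS whenever --with-pam-tis is given, without checking that PAM itself was found and not disabled; auth1.c then takes the `#elif defined(PAM_TIS)` branch and calls auth_pam_password, which only exists in PAM builds, so the link fails. Make the option depend on the PAM result (AC_MSG_ERROR if PAM is unavailable, or drop it with a note in the configure summary).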
@@ -14,8 +14,8 @@ build: build-stamp build-stamp: dh_testdir - ./configure --prefix='' --exec_prefix='$${prefix}/usr' --sysconfdir='$${prefix}/etc/ssh' --libexecdir='$${exec_prefix}/lib' --mandir='$${prefix}/usr/share/man' --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-rsh=/usr/bin/netkit-rsh - $(MAKE) OPT_FLAGS='-DLOGIN_PROGRAM=\"/bin/login\" -DSSHD_PAM_SERVICE=\"ssh\" -DFORWARD_AGENT_DEFAULT=0 -DFALLBACKTORSH_DEFAULT=0' ASKPASS_PROGRAM='/usr/bin/ssh-askpass' + ./configure --prefix='' --exec_prefix='$${prefix}/usr' --sysconfdir='$${prefix}/etc/ssh' --libexecdir='$${exec_prefix}/lib' --mandir='$${prefix}/usr/share/man' --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-rsh=/usr/bin/netkit-rsh --with-pam-tis + $(MAKE) OPT_FLAGS='-DLOGIN_PROGRAM=\"/bin/login\" -DSSHD_PAM_SERVICE=\"ssh\" -DSSHD_PAM_TIS_SERVICE=\"ssh-tis\" -DFORWARD_AGENT_DEFAULT=0 -DFALLBACKTORSH_DEFAULT=0' ASKPASS_PROGRAM='/usr/bin/ssh-askpass' gcc -O2 `gnome-config --cflags gnome gnomeui` \ contrib/gnome-ssh-askpass.c -o contrib/gnome-ssh-askpass \ `gnome-config --libs gnome gnomeui` diff -urN -x *~ openssh-2.1.1p4/servconf.c openssh-2.1.1p4-hein/servconf.c --- openssh-2.1.1p4/servconf.c Sun Aug 27 15:42:20 2000 +++ openssh-2.1.1p4-hein/servconf.c Sun Aug 27 12:36:00 2000 @@ -67,6 +67,9 @@ #ifdef SKEY options->skey_authentication = -1; #endif +#ifdef PAM_TIS + options->tis_authentication = -1; +#endif options->permit_empty_passwd = -1; options->use_login = -1; options->num_allow_users = 0; @@ -155,6 +158,10 @@ if (options->skey_authentication == -1) options->skey_authentication = 1; #endif +#ifdef PAM_TIS + if (options->tis_authentication == -1) + options->tis_authentication = 1; +#endif if (options->permit_empty_passwd == -1) options->permit_empty_passwd = 0; if (options->use_login == -1) 
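Review bot: the debian/rules hunk selects the PAM service name "ssh-tis" and the servconf.c hunk defaults tis_authentication to 1, but the patch ships no /etc/pam.d/ssh-tis; with Linux-PAM a missing service file falls back to the `other` stack, so TIS attempts against a freshly installed package would be governed by whatever `other` contains rather than by the configuration shown in the mail. Add the service file to the package, or default TISAuthentication to off until one is installed.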
@@ -182,6 +189,9 @@ #ifdef SKEY sSkeyAuthentication, #endif +#ifdef PAM_TIS + sTISAuthentication, +#endif sPasswordAuthentication, sListenAddress, sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, @@ -222,6 +232,9 @@ #ifdef SKEY { "skeyauthentication", sSkeyAuthentication }, #endif +#ifdef PAM_TIS + { "tisauthentication", sTISAuthentication }, +#endif { "checkmail", sCheckMail }, { "listenaddress", sListenAddress }, { "printmotd", sPrintMotd }, @@ -504,6 +517,12 @@ #ifdef SKEY case sSkeyAuthentication: intptr = &options->skey_authentication; + goto parse_flag; +#endif + +#ifdef PAM_TIS + case sTISAuthentication: + intptr = &options->tis_authentication; goto parse_flag; #endif diff -urN -x *~ openssh-2.1.1p4/servconf.h openssh-2.1.1p4-hein/servconf.h --- openssh-2.1.1p4/servconf.h Sun Aug 27 15:42:20 2000 +++ openssh-2.1.1p4-hein/servconf.h Sun Aug 27 12:34:52 2000 @@ -85,6 +85,10 @@ int skey_authentication; /* If true, permit s/key * authentication. */ #endif +#ifdef PAM_TIS + int tis_authentication; /* If true, permit TIS via PAM + * authentication. */ +#endif int permit_empty_passwd; /* If false, do not permit empty * passwords. */ int use_login; /* If true, login(1) is used */ diff -urN -x *~ openssh-2.1.1p4/ssh.h openssh-2.1.1p4-hein/ssh.h --- openssh-2.1.1p4/ssh.h Sun Aug 27 15:42:20 2000 +++ openssh-2.1.1p4-hein/ssh.h Sun Aug 27 17:36:02 2000 @@ -80,6 +80,10 @@ #define SSHD_PAM_SERVICE "sshd" #endif +#if defined(PAM_TIS) && ! defined(SSHD_PAM_TIS_SERVICE) +#define SSHD_PAM_TIS_SERVICE "sshd-tis" +#endif + #ifndef ETCDIR #define ETCDIR "/etc" #endif /* ETCDIR */ diff -urN -x *~ openssh-2.1.1p4/sshd.c openssh-2.1.1p4-hein/sshd.c --- openssh-2.1.1p4/sshd.c Wed Jul 12 01:45:27 2000 +++ openssh-2.1.1p4-hein/sshd.c Sun Aug 27 15:39:50 2000 
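Review bot: the servconf.c hunks add the TISAuthentication keyword (default yes, per the earlier hunk) but the patch touches neither sshd.8 nor the sample sshd_config, so the option is undocumented; add an entry next to SkeyAuthentication and mention that it requires the SSHD_PAM_TIS_SERVICE stack from the ssh.h hunk to exist.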
@@ -1097,6 +1097,10 @@ if (options.skey_authentication == 1) auth_mask |= 1 << SSH_AUTH_TIS; #endif +#ifdef PAM_TIS + if (options.tis_authentication == 1) + auth_mask |= 1 << SSH_AUTH_TIS; +#endif if (options.password_authentication) auth_mask |= 1 << SSH_AUTH_PASSWORD; packet_put_int(auth_mask); From mouring at pconline.com Mon Aug 28 07:48:27 2000 
From: mouring at pconline.com (Ben Lindstrom)
Date: Sun, 27 Aug 2000 15:48:27 -0500 (CDT)
Subject: wait() function survey
In-Reply-To:
Message-ID:

On Sat, 26 Aug 2000, Damien Miller wrote:

> On Fri, 25 Aug 2000, Ben Lindstrom wrote:
>
> > In serverloop.c we have two wait() lines.
> >
> > POSIX defines wait() as "pid_t wait(int *status)". However older BSD
> > systems could have "int wait(union wait *statusp)" as its definition.
> >
> > I'm interested to see how many platforms OpenSSH is ported to require the
> > latter definition.
> >
> > I know NeXT does.
>
> What is the definition of the union? Is it a fatal error or just a
> warning if the (int*) version is used?
>

It's just a warning if (int*) is used. That is the reason why I've not looked too closely at it until recently.

As for the definition of "union wait" .. Massively different. Another nasty thing that NeXT did (unless you define -posix and use the libposix.a library.. Maybe I should beg for libposix.a code from Apple in BSD licensing form =).

As tempting as it is just to implement wait() based on wait4() like OpenBSD.. wait4() uses the same union structure. Which makes my waitpid() implementation also incorrect (since I was not looking closely at the structure differences).

union wait {
        int     w_status;               /* used in syscall */
        /*
         * Terminated process status.
         */
        struct {
#if __BIG_ENDIAN__
                unsigned short  w_PAD16;
                unsigned        w_Retcode:8;    /* exit code if w_termsig==0 */
                unsigned        w_Coredump:1;   /* core dump indicator */
                unsigned        w_Termsig:7;    /* termination signal */
#else /* __BIG_ENDIAN__ */
                unsigned short  w_Termsig:7;    /* termination signal */
                unsigned short  w_Coredump:1;   /* core dump indicator */
                unsigned short  w_Retcode:8;    /* exit code if w_termsig==0 */
#endif /* __BIG_ENDIAN__ */
        } w_T;
        /*
         * Stopped process status.  Returned
         * only for traced children unless requested
         * with the WUNTRACED option bit.
         */
        struct {
#if __BIG_ENDIAN__
                unsigned short  w_PAD16;
                unsigned        w_Stopsig:8;    /* signal that stopped us */
                unsigned        w_Stopval:8;    /* == W_STOPPED if stopped */
#else /* __BIG_ENDIAN__ */
                unsigned short  w_Stopval:8;    /* == W_STOPPED if stopped */
                unsigned short  w_Stopsig:8;    /* signal that stopped us */
#endif /* __BIG_ENDIAN__ */
        } w_S;
};

From btrompetter at firemail.de Mon Aug 28 17:45:44 2000
From: btrompetter at firemail.de (Bastian Trompetter)
Date: Mon, 28 Aug 2000 08:45:44 +0200 (GMT+02:00)
Subject: PTY-Allocation under SCO 5
Message-ID: <136542472.967445145042.JavaMail.nobody@fmweb01.unimessage.net>

Hello,

I used the sshd under SCO 5, and always get the error that the daemon couldn't allocate a pseudo tty. This is because SCO uses a different method to create the ttys in the /dev directory. The pseudo tty line looks like /dev/ttypXXX, where XXX depends on the number of pseudo ttys entered in the scoadmin tool for the network interface.

So I changed the allocation routine in the pty.c file from:

        snprintf(buf, sizeof buf, "/dev/pty%c%c", ptymajors[i / num_minors],
            ptyminors[i % num_minors]);
        snprintf(namebuf, namebuflen, "/dev/tty%c%c",
            ptymajors[i / num_minors], ptyminors[i % num_minors]);

into:

        snprintf(buf, sizeof buf, "/dev/ptyp%d", i);
        snprintf(namebuf, namebuflen, "/dev/ttyp%d", i);

'i' is set in the for loop. I set 'i' to the maximum of 256.

A possibility is to check the system during the configuration and insert a special define case for SCO in the pty allocation.

I tested the change and it worked very well. I have only some problems with the egd.pl: it stops the generating of randomness.

Hope this helps.

regards
Bastian Trompetter

___________________________________________________________
http://www.firemail.de - Your mailbox on the web. Simple, fast, secure.
Fancy the jet set and worldwide parties? You can have it - at the Expo! http://www.expo2000.de

From jmknoble at pint-stowp.cx Mon Aug 28 19:08:26 2000
From: jmknoble at pint-stowp.cx (Jim Knoble)
Date: Mon, 28 Aug 2000 04:08:26 -0400
Subject: ANNOUNCE: x11-ssh-askpass v1.0.1
Message-ID: <20000828040826.A19242@quipu.half.pint-stowp.cx>

x11-ssh-askpass version 1.0.1 is now available from the following locations:

  http://www.jmknoble.cx/software/x11-ssh-askpass/
  http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/

x11-ssh-askpass is a passphrase dialog for use with OpenSSH (www.openssh.com) under the X Window System.

The important changes since version 1.0 are as follows:

- Bugfixes:

  - If the keyboard or pointer grab failed, the fprintf() call explaining why was missing the argument containing the reason. Thanks to Daniel Packman.

  - Portability fixes to Imakefile. Thanks to Charles Levert.

  - Invoking x11-ssh-askpass with a single X11 toolkit argument on the command line would cause the program to crash. Fixed.

- Now includes a manual page. Thanks to Matthieu Herrb of the OpenBSD project. Note that an additional step ('make install.man') is required in order to install the manual page.

  [Note to Matthieu: I'm sending corrections and additions to the manual page in a separate message.]

--
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/

From sanpei at sanpei.org Tue Aug 29 01:38:58 2000
From: sanpei at sanpei.org (MIHIRA Sanpei Yoshiro)
Date: Mon, 28 Aug 2000 23:38:58 +0900
Subject: [OpenSSH] sample line about ForwardX11 in ssh_config file is not fit to default setting
Message-ID: <200008281438.e7SEcxH02399@lavender.sanpei.org>

Hi OpenSSH developers,

I use OpenSSH under FreeBSD. It's cool and useful for me.

By the way, the sample ForwardX11 line in ssh_config does not match the default setting in readconf.c. I want to change ssh_config.

----------
In the ssh source (src/usr.bin/ssh/readconf.c), ForwardX11 is currently disabled:

  731         if (options->forward_x11 == -1)
  732                 options->forward_x11 = 0;
                                             ~

This was changed in Rev. 1.23 by markus:

  1.23 Mon Feb 28 19:51:58 GMT 2000 by markus
  Diffs to 1.22

  turn off x11-fwd for the client, too.

But ssh_config (src/usr.bin/ssh/ssh_config) was not changed and currently says ForwardX11 yes:

  17 #   ForwardX11 yes
                    ~~~

I think that markus forgot to change the ssh_config file.
----------
For example, ``FallBackToRsh'' was changed by deraadt on Jul 11 2000; he changed both the readconf.c and ssh_config files.

  readconf.c Rev. 1.41
  ssh_config Rev. 1.5

Thank you.
---
MIHIRA, Sanpei Yoshiro
Yokohama, Japan.

From Markus.Friedl at informatik.uni-erlangen.de Tue Aug 29 02:56:46 2000
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 28 Aug 2000 17:56:46 +0200
Subject: [OpenSSH] sample line about ForwardX11 in ssh_config file is not fit to default setting
In-Reply-To: <200008281438.e7SEcxH02399@lavender.sanpei.org>; from sanpei@sanpei.org on Mon, Aug 28, 2000 at 11:38:58PM +0900
References: <200008281438.e7SEcxH02399@lavender.sanpei.org>
Message-ID: <20000828175646.A20192@faui02.informatik.uni-erlangen.de>

src/usr.bin/ssh/ssh_config is not in sync at all.

On Mon, Aug 28, 2000 at 11:38:58PM +0900, MIHIRA Sanpei Yoshiro wrote:
> Hi
> OpenSSH developers
>
> I use OpenSSH under FreeBSD. It's cool and useful for me.
>
> By the way, sample line of ForwardX11 in ssh_config was not fit
> for default setting in readconf.c. I want to change ssh_config.
> ----------
> In ssh source (src/usr.bin/ssh/readconf.c), currently ForwardX11
> is disabled.
>
> 731         if (options->forward_x11 == -1)
> 732                 options->forward_x11 = 0;
>                                            ~
>
> And this changes in Rev.1.23 by markus.
>
> 1.23 Mon Feb 28 19:51:58 GMT 2000 by markus
> Diffs to 1.22
>
> turn off x11-fwd for the client, too.
>
> But ssh_config (src/usr.bin/ssh/ssh_config) was not changed and
> currently ForwardX11 yes.
>
> 17 #   ForwardX11 yes
>                   ~~~
>
> I think that markus forgot to change ssh_config file.
> ----------
> For example, ``FallBackToRsh'' was changed by deraadt at Jul 11
> 2000, he changed both readconf.c and ssh_config files.
>
> readconf.c Rev.1.41
> ssh_config Rev.1.5
>
>
> Thank you.
> ---
> MIHIRA, Sanpei Yoshiro
> Yokohama, Japan.

From djm at mindrot.org Tue Aug 29 10:56:42 2000
From: djm at mindrot.org (Damien Miller)
Date: Tue, 29 Aug 2000 10:56:42 +1100 (EST)
Subject: Login Patch
In-Reply-To: <20000826225143.F12215@wirex.com>
Message-ID:

On Sat, 26 Aug 2000, W. Reilly Cooley wrote:

> Please excuse me for mailing you directly instead of using the 'sendbug'
> facility; it seems to be an OpenBSD-only facility, and I didn't see a
> bug-tracking interface on the web site.
>
> I know the "UseLogin" feature is deprecated (to some degree, at any
> rate), however, on a Red Hat 6.2-based system, it is broken, because
> ssh.h statically defines LOGIN_PROGRAM as /usr/bin/login, whereas here
> it is /bin/login.

Something like this is already in the latest snapshot[1]. Please give it a try and tell me if it doesn't fit your needs.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Tue Aug 29 11:50:00 2000
From: djm at mindrot.org (Damien Miller)
Date: Tue, 29 Aug 2000 11:50:00 +1100 (EST)
Subject: PTY-Allocation under SCO 5
In-Reply-To: <136542472.967445145042.JavaMail.nobody@fmweb01.unimessage.net>
Message-ID:

On Mon, 28 Aug 2000, Bastian Trompetter wrote:

> Hello,
>
> I used the sshd under SCO 5, and always get the error that the daemon
> couldn't allocate a pseudo tty. This is because SCO uses a
> different method to create the ttys in the /dev directory. The pseudo
> tty line looks like /dev/ttypXXX, where XXX depends on the number of
> pseudo ttys entered in the scoadmin tool for the network interface.

Thanks for the diagnosis. Does this patch fix things?

Index: pty.c
===================================================================
RCS file: /var/cvs/openssh/pty.c,v
retrieving revision 1.20
diff -u -r1.20 pty.c
--- pty.c	2000/06/22 11:32:31	1.20
+++ pty.c	2000/08/29 00:47:06
@@ -162,12 +162,19 @@ for (i = 0; i < num_ptys; i++) { snprintf(buf, sizeof buf, "/dev/pty%c%c", ptymajors[i / num_minors], ptyminors[i % num_minors]); - *ptyfd = open(buf, O_RDWR | O_NOCTTY); - if (*ptyfd < 0) - continue; snprintf(namebuf, namebuflen, "/dev/tty%c%c", ptymajors[i / num_minors], ptyminors[i % num_minors]); + *ptyfd = open(buf, O_RDWR | O_NOCTTY); + if (*ptyfd < 0) { + /* Try SCO style naming */ + snprintf(buf, sizeof buf, "/dev/ptyp%d", i); + snprintf(namebuf, namebuflen, "/dev/ttyp%d", i); + *ptyfd = open(buf, O_RDWR | O_NOCTTY); + if (*ptyfd < 0) + continue; + } + /* Open the slave side. */ *ttyfd = open(namebuf, O_RDWR | O_NOCTTY); if (*ttyfd < 0) { -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Tue Aug 29 12:03:39 2000 From: djm at mindrot.org (Damien Miller) Date: Tue, 29 Aug 2000 12:03:39 +1100 (EST) Subject: Snapshot In-Reply-To: Message-ID: I have just uploaded a new snapshot. Which fixes the (happily minor) problems uncovered by the previous test. http://www.mindrot.org/misc/openssh/openssh-SNAP-20000829.tar.gz When reporting success or failure when testing, please include the 'host system type' as reported by ./configure. Pending success this will become 2.1.1p5 -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Tue Aug 29 14:33:17 2000 
From: djm at mindrot.org (Damien Miller)
Date: Tue, 29 Aug 2000 14:33:17 +1100 (EST)
Subject: Snapshot
In-Reply-To:
Message-ID:

Oops. The snapshot announced earlier lacked Ben's NeXT fixes. These have been added and a new snapshot is available:

  http://www.mindrot.org/misc/openssh/openssh-SNAP-2000082900.tar.gz

Regards,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From oetiker at ee.ethz.ch Tue Aug 29 16:42:34 2000
From: oetiker at ee.ethz.ch (Tobias Oetiker)
Date: Tue, 29 Aug 2000 07:42:34 +0200 (MET DST)
Subject: [openssh] Snapshot
In-Reply-To:
Message-ID:

Today you sent me mail regarding [openssh] Snapshot:

*> I have just uploaded a new snapshot. Which fixes the (happily minor)
*> problems uncovered by the previous test.
*>
*> http://www.mindrot.org/misc/openssh/openssh-SNAP-20000829.tar.gz
*>
*> When reporting success or failure when testing, please include the
*> 'host system type' as reported by ./configure.

Solaris 2.6 Report:

a) compile runs fine ... with a few warnings (see below)

b) the session dies on exit of x11 forwarded motif program bug is *GONE* ... thanks to whoever fixed it ..

WARNINGS:
---------

bsd-inet_aton.c: In function `inet_aton':
bsd-inet_aton.c:117: warning: subscript has type `char'
bsd-inet_aton.c:128: warning: subscript has type `char'
bsd-inet_aton.c:131: warning: subscript has type `char'
bsd-inet_aton.c:133: warning: subscript has type `char'
bsd-inet_aton.c:155: warning: subscript has type `char'
bsd-bindresvport.c: In function `bindresvport_af':
bsd-bindresvport.c:59: warning: `error' might be used uninitialized in this function
bsd-mktemp.c: In function `_gettemp':
bsd-mktemp.c:174: warning: subscript has type `char'
bsd-rresvport.c: In function `rresvport_af':
bsd-rresvport.c:64: warning: implicit declaration of function `bzero'
bsd-setenv.c: In function `setenv':
bsd-setenv.c:125: warning: implicit declaration of function `bcopy'
authfile.c: In function `load_private_key':
authfile.c:469: warning: unsigned int format, long unsigned int arg (arg 2)
canohost.c: In function `get_remote_hostname':
canohost.c:83: warning: subscript has type `char'
match.c: In function `match_hostname':
match.c:115: warning: subscript has type `char'
entropy.c: In function `prng_check_seedfile':
entropy.c:544: warning: int format, uid_t arg (arg 3)
entropy.c: In function `prng_write_seedfile':
entropy.c:567: warning: int format, uid_t arg (arg 2)
entropy.c: In function `prng_read_seedfile':
entropy.c:605: warning: int format, uid_t arg (arg 2)
sshconnect.c: In function `ssh_login':
sshconnect.c:672: warning: unsigned int format, long unsigned int arg (arg 2)
sshconnect.c:679: warning: subscript has type `char'
pty.c: In function `pty_setowner':
pty.c:305: warning: int format, uid_t arg (arg 3)
pty.c:305: warning: int format, gid_t arg (arg 4)
pty.c:308: warning: unsigned int format, mode_t arg (arg 3)
serverloop.c: In function `sigchld_handler':
serverloop.c:74: warning: int format, pid_t arg (arg 2)
serverloop.c:74: warning: int format, pid_t arg (arg 3)
serverloop.c: In function `server_loop':
serverloop.c:577: warning: int format, pid_t arg (arg 2)
serverloop.c:577: warning: int format, pid_t arg (arg 3)
session.c: In function `do_exec_no_pty':
session.c:450: warning: passing arg 1 of `log_init' discards qualifiers from pointer target type
session.c: In function `do_exec_pty':
session.c:559: warning: passing arg 1 of `log_init' discards qualifiers from pointer target type
session.c: In function `do_child':
session.c:914: warning: `hostname' might be used uninitialized in this function
session.c: In function `session_dump':
session.c:1372: warning: int format, pid_t arg (arg 6)
session.c: In function `session_by_pid':
session.c:1413: warning: int format, pid_t arg (arg 2)
session.c:1419: warning: int format, pid_t arg (arg 2)
session.c: In function `session_exit_message':
session.c:1705: warning: int format, pid_t arg (arg 4)
session.c: In function `session_free':
session.c:1746: warning: int format, pid_t arg (arg 3)
session.c: In function `session_close_by_pid':
session.c:1771: warning: int format, pid_t arg (arg 2)
session.c: In function `session_close_by_channel':
session.c:1795: warning: int format, pid_t arg (arg 3)
session.c:1802: warning: int format, pid_t arg (arg 2)
session.c:1805: warning: int format, pid_t arg (arg 2)
session.c: In function `do_authenticated2':
session.c:1840: warning: unused variable `pw'
ssh-keygen.c: In function `do_fingerprint':
ssh-keygen.c:292: warning: implicit declaration of function `key_size'
ssh-agent.c: In function `process_remove_identity':
ssh-agent.c:264: warning: implicit declaration of function `key_size'
ssh-agent.c: In function `main':
ssh-agent.c:704: warning: int format, pid_t arg (arg 2)
ssh-agent.c:756: warning: int format, pid_t arg (arg 2)

--
 ______    __   _
/_  __/_  / /  (_) Oetiker, Timelord & SysMgr @ EE-Dept ETH-Zurich
 / // _ \/ _ \/ /  TEL: +41(0)1-6325286  FAX:...1517  ICQ: 10419518
/_/ \.__/_.__/_/   oetiker at ee.ethz.ch http://ee-staff.ethz.ch/~oetiker

From svaughan at asterion.com Tue Aug 29 17:17:06 2000
From: svaughan at asterion.com (svaughan at asterion.com)
Date: Mon, 28 Aug 2000 23:17:06 -0700 (PDT)
Subject: PTY-Allocation under SCO 5
In-Reply-To:
Message-ID:

Damien,

I've tested the patch on SCO Openserver 5.0.5 and so far it works great! This fixed my pty problem.

One thing I noticed is that num_ptys turns out to be 832. A standard SCO install gives you 64 ptys, though most admins up this, as is the case on the server I have been testing on, which has 1055 ptys. I'm wondering if there is a good way to check to see how many ptys are available on a system like SCO. Or would this be a bad idea?

Many thanks to Bastian.

Sam
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Tue, 29 Aug 2000, Damien Miller wrote:

> On Mon, 28 Aug 2000, Bastian Trompetter wrote:
>
> > Hello,
> >
> > I used the sshd under SCO 5, and always get the error that the daemon
> > couldn't allocate a pseudo tty. This depends on that SCO use a
> > different method to create the tty's in the /dev directory. The pseudo
> > tty line looks like: /dev/ttypXXX where XXX depends on the number of
> > pseudo tty's entered in the scoadmin Tool for the network interface.
>
> Thanks for the diagnosis. Does this patch fix things?
>
> Index: pty.c
> ===================================================================
> RCS file: /var/cvs/openssh/pty.c,v
> retrieving revision 1.20
> diff -u -r1.20 pty.c
> --- pty.c	2000/06/22 11:32:31	1.20
> +++ pty.c	2000/08/29 00:47:06
> @@ -162,12 +162,19 @@ > for (i = 0; i < num_ptys; i++) { > snprintf(buf, sizeof buf, "/dev/pty%c%c", ptymajors[i / num_minors], > ptyminors[i % num_minors]); > - *ptyfd = open(buf, O_RDWR | O_NOCTTY); > - if (*ptyfd < 0) > - continue; > snprintf(namebuf, namebuflen, "/dev/tty%c%c", > ptymajors[i / num_minors], ptyminors[i % num_minors]); > > + *ptyfd = open(buf, O_RDWR | O_NOCTTY); > + if (*ptyfd < 0) { > + /* Try SCO style naming */ > + snprintf(buf, sizeof buf, "/dev/ptyp%d", i); > + snprintf(namebuf, namebuflen, "/dev/ttyp%d", i); > + *ptyfd = open(buf, O_RDWR | O_NOCTTY); > + if (*ptyfd < 0) > + continue; > + } > + > /* Open the slave side. */ > *ttyfd = open(namebuf, O_RDWR | O_NOCTTY); > if (*ttyfd < 0) { > > -d > > -- > | "Bombay is 250ms from New York in the new world order" - Alan Cox > | Damien Miller - http://www.mindrot.org/ > | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) > > > > From J.Horne at plymouth.ac.uk Tue Aug 29 19:13:44 2000 
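Review bot: in the pty.c hunk the SCO fallback is attempted for every index where the BSD-style `/dev/pty%c%c` open fails, so on any non-SCO host with gaps in its pty numbering each missing entry now costs an extra open() on `/dev/ptyp%d`; harmless, but a one-time probe (or the configure-time define Bastian suggested) would be cleaner and would keep the two naming schemes from being mixed within one loop. More importantly the loop is still bounded by num_ptys, which is derived from the ptymajors/ptyminors letter tables, so an SCO system configured with more pseudo-ttys than that (Sam reports 832 against 1055 available) can never hand out the higher-numbered ones; the SCO path needs its own upper bound.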
From: J.Horne at plymouth.ac.uk (John Horne)
Date: Tue, 29 Aug 2000 09:13:44 +0100 (BST)
Subject: Control-c not work under openssh?
In-Reply-To:
Message-ID:

On 26-Aug-00 at 02:57:45 Damien Miller wrote:
> On Fri, 25 Aug 2000, Gert Doering wrote:
>> > > /* NEW: set ctrl-C signal to "default", which is "abort program" */
>> > > signal( SIGINT, SIG_DFL );
>>
>> > Yup, I put this in pty.c after line 261.
>> >
>> > I have tested this with Solaris 7 and Solaris 8 (on sparc
>> > systems) and it works fine :-) :-) I also used the new snapshot
>> > (openssh-SNAP-20000823) for the tests, so hopefully it could be
>> > included for the next release.
>
> Well found people!
>
> I think it would be neater to reset this with the other signals.
> Can you back out your change and try this patch?
>
Apologies for the delay in replying - it was a public holiday in the UK yesterday.

The new patch works fine under Solaris 7 and 8.

Regards,

John.

------------------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914
E-mail: jhorne at plymouth.ac.uk
PGP key available from public key servers

From jaaskela at tietomyrsky.fi Tue Aug 29 20:05:29 2000
From: jaaskela at tietomyrsky.fi (Vesa Jääskeläinen)
Date: Tue, 29 Aug 2000 12:05:29 +0300 (EEST)
Subject: AllowUsers and AllowGroups problem...
Message-ID:

I just downloaded the newest snapshot and noticed that the problem is still present. I am not sure why I didn't get any reply to my previous message; probably it wasn't too clear, so I'll try again now. I also noticed one problem with the previous patch, so here is a fixed and far more tested version of the patch.

So, the problem is hopefully best described this way...

When an admin wants to allow an individual user to access ssh and adds the user in sshd_config like this:

AllowUsers testuser

In sshd_config there is also the following line:

AllowGroups admins ssh

In this case testuser is not a member of admins or ssh. Now when testuser tries to connect it just enters the fake login loop and therefore won't allow the user to log in.

The current code does the checking in the following order:

- checks if the user deny list is defined; if so, checks if the user is in the deny list, and if so, fails
- checks if the user allow list is defined; if so, checks if the user is in the allow list, and if not, fails
- checks if the user's group list is defined; if so, checks if the user's group is listed in the deny list, and if so, fails
- checks if the user's group list is defined; if so, checks if the user's group is listed in the allow list, and if not, fails

and in this case the user was in the user allow list but his group wasn't listed in the group allow list, so he was denied login.

This patch changes it to the following:

- checks if the user deny list is defined; if so, checks if the user is in the deny list, and if so, fails
- checks if the user allow list is defined; if so, checks if the user is in the allow list, and if not, then if the group allow list isn't defined, fails
- checks if the user's group is in the deny list; if so, fails
- checks if the user allow list is defined; if not, then if the user wasn't in the allow list, checks against the user's group list, and if the group isn't there, fails

One problem is that if the user is listed in the allow users list and his group is listed in the deny group list he can't log in.
I am not sure how you meant it to work, so I didn't include it in this patch. But it is very easy to implement if wanted.

-------------- next part --------------
diff openssh-SNAP-20000829/auth.c openssh/auth.c
53a54 > int user_in_allow_list = 0; 109a111,112 > { > user_in_allow_list = 1; 111,112c114,120 < /* i < options.num_allow_users iff we break for loop */ < if (i >= options.num_allow_users) --- > } > /* i < options.num_allow_users if we break for loop > to allow allow users and allow groups colive we can't > quit with error message when user wasn't listed in > allow users list > */ > if (i >= options.num_allow_users && !options.num_allow_groups) 131a140,143 > * > * If user was listed in AllowUsers and not mentioned on > * deny lists then we do not need to check against > * AllowGroups definition 133c145 < if (options.num_allow_groups > 0) { --- > if (options.num_allow_groups > 0 && !user_in_allow_list) {

From oetiker at ee.ethz.ch Tue Aug 29 20:13:29 2000
From: oetiker at ee.ethz.ch (Tobias Oetiker)
Date: Tue, 29 Aug 2000 11:13:29 +0200 (MET DST)
Subject: SNAP-2000082900
Message-ID:

I have been testing the SNAP-2000082900 on solaris ...

earlier I wrote that the 'connection dies on exit of x11 forwarded motif application' bug was solved with this release ... unfortunately further testing showed that it just did not occur on the machine I tested. All our other machines still show it ...

cheers
tobi

--
______ __ _ /_ __/_ / / (_) Oetiker, Timelord & SysMgr @ EE-Dept ETH-Zurich / // _ \/ _ \/ / TEL: +41(0)1-6325286 FAX:...1517 ICQ: 10419518 /_/ \.__/_.__/_/ oetiker at ee.ethz.ch http://ee-staff.ethz.ch/~oetiker

From stevesk at sweden.hp.com Tue Aug 29 21:05:13 2000
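Review bot: this turns AllowUsers and AllowGroups from both-must-match into either-matches (`if (i >= options.num_allow_users && !options.num_allow_groups)` now rejects only when no AllowGroups line exists, and `!user_in_allow_list` skips the group test), so sshd_config(5) should document the new relationship, and the DenyGroups-beats-AllowUsers precedence noted in the message should be stated there too. `user_in_allow_list` is a new file-scope global that is never reset; a local in the function that sets it avoids stale state if the check is ever run twice in one process. The rewritten comment also loses the `iff` of the original `/* i < options.num_allow_users iff we break for loop */`, which was deliberate (if and only if).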
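The two check orders described in Vesa's message above (the current code and the patched one), as an added C example that is not OpenSSH's code; the list contents follow the sshd_config lines in the message, while the group memberships (testuser in group users, a constructed user bob in group ssh) are invented for the example.

```c
#include <stdio.h>
#include <string.h>

/* Each sshd_config list (DenyUsers, AllowUsers, DenyGroups, AllowGroups) is a
 * NULL-terminated array of names; a first entry of NULL means the directive
 * is absent. Names and group memberships are constructed for this example. */
typedef const char *const *namelist;

struct access_lists {
	namelist deny_users, allow_users, deny_groups, allow_groups;
};

#define DEFINED(list) ((list)[0] != NULL)

static int in_list(namelist list, const char *name)
{
	for (; *list != NULL; list++)
		if (strcmp(*list, name) == 0)
			return 1;
	return 0;
}

/* True if any of the user's groups appears in list. */
static int any_group_in(namelist list, namelist groups)
{
	for (; *groups != NULL; groups++)
		if (in_list(list, *groups))
			return 1;
	return 0;
}

/* Check order before the patch: with both AllowUsers and AllowGroups present
 * the user must satisfy both, which is what locks testuser out.
 * Returns 1 if the login may proceed, 0 if it must be refused. */
int allowed_user_before(const struct access_lists *cfg, const char *user,
    namelist groups)
{
	if (DEFINED(cfg->deny_users) && in_list(cfg->deny_users, user))
		return 0;
	if (DEFINED(cfg->allow_users) && !in_list(cfg->allow_users, user))
		return 0;
	if (DEFINED(cfg->deny_groups) && any_group_in(cfg->deny_groups, groups))
		return 0;
	if (DEFINED(cfg->allow_groups) && !any_group_in(cfg->allow_groups, groups))
		return 0;
	return 1;
}

/* Check order after the patch: a user named in AllowUsers skips the
 * AllowGroups test, and a user missing from AllowUsers is refused outright
 * only when no AllowGroups line exists. Deny lists still win. */
int allowed_user_after(const struct access_lists *cfg, const char *user,
    namelist groups)
{
	int user_in_allow_list = 0;
	if (DEFINED(cfg->deny_users) && in_list(cfg->deny_users, user))
		return 0;
	if (DEFINED(cfg->allow_users)) {
		user_in_allow_list = in_list(cfg->allow_users, user);
		if (!user_in_allow_list && !DEFINED(cfg->allow_groups))
			return 0;
	}
	if (DEFINED(cfg->deny_groups) && any_group_in(cfg->deny_groups, groups))
		return 0;
	if (DEFINED(cfg->allow_groups) && !user_in_allow_list &&
	    !any_group_in(cfg->allow_groups, groups))
		return 0;
	return 1;
}

/* The sshd_config from the message: AllowUsers testuser, AllowGroups admins ssh. */
static const char *const NONE[] = { NULL };
static const char *const ALLOW_USERS[] = { "testuser", NULL };
static const char *const ALLOW_GROUPS[] = { "admins", "ssh", NULL };
const struct access_lists MSG_CFG = { NONE, ALLOW_USERS, NONE, ALLOW_GROUPS };

/* Same AllowUsers line, but DenyGroups ssh instead of AllowGroups: the open
 * question at the end of the message. */
static const char *const DENY_GROUPS[] = { "ssh", NULL };
const struct access_lists DENY_CFG = { NONE, ALLOW_USERS, DENY_GROUPS, NONE };

/* Constructed memberships: testuser is in neither admins nor ssh; bob is in ssh but not in AllowUsers. */
const char *const TESTUSER_GROUPS[] = { "users", NULL };
const char *const BOB_GROUPS[] = { "ssh", NULL };

int main(void)
{
	printf("testuser: before %d, after %d\n",
	    allowed_user_before(&MSG_CFG, "testuser", TESTUSER_GROUPS),
	    allowed_user_after(&MSG_CFG, "testuser", TESTUSER_GROUPS));
	printf("bob: before %d, after %d\n",
	    allowed_user_before(&MSG_CFG, "bob", BOB_GROUPS),
	    allowed_user_after(&MSG_CFG, "bob", BOB_GROUPS));
	printf("testuser with DenyGroups ssh, after: %d\n",
	    allowed_user_after(&DENY_CFG, "testuser", BOB_GROUPS));
	return 0;
}
```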
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Tue, 29 Aug 2000 12:05:13 +0200 (CEST)
Subject: Snapshot
In-Reply-To:
Message-ID: <200008291003.MAA26260@b0fh.sweden.hp.com>

On Tue, 29 Aug 2000, Damien Miller wrote:
: I have just uploaded a new snapshot. Which fixes the (happily minor)
: problems uncovered by the previous test.
:
: http://www.mindrot.org/misc/openssh/openssh-SNAP-20000829.tar.gz
:
: When reporting success or failure when testing, please include the
: 'host system type' as reported by ./configure.
:
: Pending success this will become 2.1.1p5

The scp problem is on HP-UX 11 as well, and while I'd still like to find out why socketpair() isn't working, here's a patch to add USE_PIPES to 11. Note that -Ae is the default on 11.0, so I removed adding it to CFLAGS.

--- configure.in.orig Tue Aug 29 05:30:37 2000
+++ configure.in Tue Aug 29 12:04:13 2000
@@ -75,11 +75,9 @@ mansubdir=cat ;; *-*-hpux11*) - if test -z "$GCC"; then - CFLAGS="$CFLAGS -Ae" - fi CFLAGS="$CFLAGS -D_HPUX_SOURCE" AC_DEFINE(IPADDR_IN_DISPLAY) + AC_DEFINE(USE_PIPES) AC_MSG_CHECKING(for HPUX trusted system password database) if test -f /tcb/files/auth/system/default; then AC_MSG_RESULT(yes)

From J.Horne at plymouth.ac.uk Tue Aug 29 23:23:23 2000
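Review bot: `AC_DEFINE(USE_PIPES)` is hard-wired for every `*-*-hpux11*` host instead of being detected, and the message says the socketpair() failure it works around is not yet understood; a comment beside the define recording that, and noting that the removed `-Ae` block relies on `-Ae` being the compiler default on 11.0, would keep someone from reverting either change later. A configure-time test of socketpair() would be the cleaner fix once the cause is known.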
From: J.Horne at plymouth.ac.uk (John Horne)
Date: Tue, 29 Aug 2000 13:23:23 +0100 (BST)
Subject: Snapshot
In-Reply-To:
Message-ID:

On 29-Aug-00 at 03:33:17 Damien Miller wrote:
> The snapshot announced earlier lacked Ben's NeXT fixes. These have been
> added and a new snapshot is available.
>
> http://www.mindrot.org/misc/openssh/openssh-SNAP-2000082900.tar.gz
>
Yup, seems to work okay on Solaris 7 5/99 (sparc-sun-solaris2.7) and Solaris 8 (sparc-sun-solaris2.8).

I can also confirm:

On 29-Aug-00 at 09:13:29 Tobias Oetiker wrote:
> I have been testing the SNAP-2000082900 on solaris ...
>
> earlier I wrote that the 'connection dies on exit of x11 forwarded
> motif application' bug was solved with this release ...
> unfortunately further testing showed that it just did not occur on
> the machine I tested. All our other machines still show it ...
>
I have tried this on a Solaris 7 system using the Sun Motif demo programs (/usr/dt/share/examples/motif/motifanim). The connection sometimes gets closed, but not always. Annoying and probably difficult to debug :-( I have also tried it on the Solaris 8 system with no problems. So it may or may not be a fixed problem at Solaris 8.

Regards,

John.

------------------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914
E-mail: jhorne at plymouth.ac.uk
PGP key available from public key servers

From janfrode at parallab.uib.no Tue Aug 29 23:38:20 2000
From: janfrode at parallab.uib.no (Jan-Frode Myklebust)
Date: Tue, 29 Aug 2000 14:38:20 +0200
Subject: Snapshot
In-Reply-To: ; from djm@mindrot.org on Tue, Aug 29, 2000 at 02:33:17PM +1100
References:
Message-ID: <20000829143820.A21775@ii.uib.no>

On Tue, Aug 29, 2000 at 02:33:17PM +1100, Damien Miller wrote:
>
> http://www.mindrot.org/misc/openssh/openssh-SNAP-2000082900.tar.gz
>

Compiled and runs fine on IRIX/IRIX64 6.5.9m with MIPSPro 7.2.1.3m/7.3.1.1m

Here are the warnings I get when compiling it:

WARNINGS:
=-=-=-=-=-

"sshconnect2.c", line 305: warning(1164): argument of type "int *" is incompatible with parameter of type "unsigned int *"
dsa_make_key_blob(k, &blob, &bloblen);
^
"sshconnect2.c", line 313: warning(1164): argument of type "unsigned char *" is incompatible with parameter of type "const char *"
buffer_append(&b, session_id2, session_id2_len);
^
"sshconnect2.c", line 328: warning(1164): argument of type "char *" is incompatible with parameter of type "unsigned char *"
ret = do_sign(k, &signature, &slen, buffer_ptr(&b), buffer_len(&b));
^
"sshconnect2.c", line 339: warning(1164): argument of type "unsigned char *" is incompatible with parameter of type "const char *"
buffer_append(&b, session_id2, session_id2_len);
^
"sshconnect2.c", line 468: warning(1164): argument of type "int *" is incompatible with parameter of type "unsigned int *"
char *reply = packet_get_string(&plen);
^
"readconf.c", line 164: warning(1185): enumerated type mixed with another type
{ NULL, 0 }
^
"sshd.c", line 852: warning(1164): argument of type "socklen_t *" is incompatible with parameter of type "int *"
&fromlen);
^
"auth2.c", line 331: warning(1164): argument of type "unsigned char *" is incompatible with parameter of type "const char *"
buffer_append(&b, session_id2, session_id2_len);
^
"auth2.c", line 349: warning(1164): argument of type "char *" is incompatible with parameter of type "unsigned char *"
dsa_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
^
"auth-rhosts.c", line 112: warning(1164): argument of type "const char *" is incompatible with parameter of type "char *"
if (!innetgr(host + 1, hostname, NULL, NULL) &&
^
"auth-rhosts.c", line 113: warning(1164): argument of type "const char *" is incompatible with parameter of type "char *"
!innetgr(host + 1, ipaddr, NULL, NULL))
^
"auth-rhosts.c", line 120: warning(1164): argument of type "const char *" is incompatible with parameter of type "char *"
if (!innetgr(user + 1, NULL, client_user, NULL))
^
"pty.c", line 246: warning(1515): a value of type "void (*)()" cannot be assigned to an entity of type "void *"
old = signal(SIGHUP, SIG_IGN);
^
"pty.c", line 248: warning(1164): argument of type "void *" is incompatible with parameter of type "void (*)()"
signal(SIGHUP, old);
^
"servconf.c", line 250: warning(1185): enumerated type mixed with another type
{ NULL, 0 }
^
log_init(__progname, options.log_level, options.log_facility, log_stderr);
^
"session.c", line 559: warning(1164): argument of type "const char *" is incompatible with parameter of type "char *"
log_init(__progname, options.log_level, options.log_facility, log_stderr);
^
"session.c", line 656: warning(1164): argument of type "socklen_t *" is incompatible with parameter of type "int *"
(struct sockaddr *) & from, &fromlen) < 0) {
^
"ssh-keygen.c", line 128: warning(1164): argument of type "int *" is incompatible with parameter of type "unsigned int *"
dsa_make_key_blob(k, &blob, &len);
^
"ssh-keygen.c", line 218: warning(1164): argument of type "int *" is incompatible with parameter of type "unsigned int *"
dsa_make_key_blob(k, &blob, &len);
^
"ssh-agent.c", line 220: warning(1515): a value of type "char *" cannot be assigned to an entity of type "unsigned char *"
blob = buffer_get_string(&e->input, &blen);
^
"ssh-agent.c", line 221: warning(1515): a value of type "char *" cannot be assigned to an entity of type "unsigned char *"
data = buffer_get_string(&e->input, &dlen);
^
"ssh-agent.c", line 223: warning(1164): argument of type "unsigned char *" is incompatible with parameter of type "char *"
key = dsa_key_from_blob(blob, blen);
^
"ssh-agent.c", line 227: warning(1164): argument of type "unsigned int *" is incompatible with parameter of type "int *"
ok = dsa_sign(private, &signature, &slen, data, dlen);
^
"ssh-agent.c", line 269: warning(1515): a value of type "char *" cannot be assigned to an entity of type "unsigned char *"
blob = buffer_get_string(&e->input, &blen);
^
"ssh-agent.c", line 270: warning(1164): argument of type "unsigned char *" is incompatible with parameter of type "char *"
key = dsa_key_from_blob(blob, blen);
^
"ssh-agent.c", line 499: warning(1185): enumerated type mixed with another type
sockets[i].type = type;
^
"ssh-agent.c", line 512: warning(1185): enumerated type mixed with another type
sockets[old_alloc].type = type;
^
"ssh-agent.c", line 554: warning(1164): argument of type "socklen_t *" is incompatible with parameter of type "int *"
sock = accept(sockets[i].fd, (struct sockaddr *) & sunaddr, &slen);
^
ld32: WARNING 84: /usr/lib32/libz.so is not used for resolving any symbol.
ld32: WARNING 84: /usr/local/ssl/lib/libcrypto.a is not used for resolving any symbol.

-jf

From acox at cv.telegroup.com Tue Aug 29 23:50:47 2000
From: acox at cv.telegroup.com (Aran Cox)
Date: Tue, 29 Aug 2000 14:50:47 +0200
Subject: Snapshot
In-Reply-To: ; from djm@mindrot.org on Tue, Aug 29, 2000 at 12:03:39PM +1100
References:
Message-ID: <20000829145047.K9325@lazarus.cv.telegroup.com>

This snapshot does not fix the (serious) problems I had with the previous snapshot and p4.

Please see my previous email to the list "Re: Test snapshost" for details about the problems I've been having. Does anyone have any suggestions? Has anyone duplicated this?

On Tue, Aug 29, 2000 at 12:03:39PM +1100, Damien Miller wrote:
> I have just uploaded a new snapshot. Which fixes the (happily minor)
> problems uncovered by the previous test.
>
> http://www.mindrot.org/misc/openssh/openssh-SNAP-20000829.tar.gz
>
> When reporting success or failure when testing, please include the
> 'host system type' as reported by ./configure.
>
> Pending success this will become 2.1.1p5
>
> -d
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From stevesk at sweden.hp.com Wed Aug 30 01:04:53 2000
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Tue, 29 Aug 2000 16:04:53 +0200 (CEST)
Subject: Snapshot
In-Reply-To:
Message-ID: <200008291402.QAA24333@b0fh.sweden.hp.com>

Given the following configuration, and the small configure.in patch posted earlier for USE_PIPES and HP-UX 11, everything seems to be working fine.

A couple notes:

"IP address in $DISPLAY hack: no" is misleading below because IPADDR_IN_DISPLAY is set to 1 as it needs to be for HP-UX 11 (and 10). Another way to approach this is to disable Shared Memory Transport (SMT), then TCP will be used for displays of host:display.screen; this is done by setting XFORCE_INTERNET=1. I'm not sure which is more of a hack.

Still seeing "Cannot delete credentials: Permission denied". I'll try to see what HP libpam_unix is doing here.

OpenSSH configured has been configured with the following options.
User binaries: /opt/openssh-SNAP-2000082900/bin
System binaries: /opt/openssh-SNAP-2000082900/sbin
Configuration files: /etc/opt/openssh
Askpass program: /opt/openssh-SNAP-2000082900/libexec/ssh/ssh-askpass
Manual pages: /opt/openssh-SNAP-2000082900/man/catX
PID file: /var/run
Random number collection: EGD (/etc/opt/egd/entropy)
Manpage format: cat
PAM support: yes
KerberosIV support: no
AFS support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: no
IP address in $DISPLAY hack: no
Use IPv4 by default hack: no
Translate v4 in v6 hack: no
Compiler flags: -g -I/usr/local/include -I../../tcp_wrappers/tcp_wrappers_7.6 -I../../openssl/32-bit/openssl-0.9.5a/include
Linker flags: -g -L/usr/local/lib -L../../tcp_wrappers/tcp_wrappers_7.6 -L../../openssl/32-bit/openssl-0.9.5a/lib -L../../openssl/32-bit/openssl-0.9.5a
Libraries: -lnsl -lz -lsec -lpam -lcrypto -lwrap

From chenda at cs.unc.edu Wed Aug 30 01:55:55 2000
From: chenda at cs.unc.edu (Daniel T. Chen)
Date: Tue, 29 Aug 2000 10:55:55 -0400 (EDT)
Subject: Snapshot
In-Reply-To:
Message-ID:

openssh-SNAP-2000082900 works fine here on SuSE Linux 6.4.

---
./configure --with-tcp-wrappers --with-md5-passwords --with-ipv4-default

OpenSSH configured has been configured with the following options.
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /var/run
Random number collection: Device (/dev/urandom)
Manpage format: man
PAM support: yes
KerberosIV support: no
AFS support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: yes
IP address in $DISPLAY hack: no
Use IPv4 by default hack: yes
Translate v4 in v6 hack: yes
Compiler flags: -g -O2 -Wall -I/usr/local/ssl/include
Linker flags: -L/usr/local/ssl/lib -L/usr/local/ssl
Libraries: -ldl -lnsl -lz -lutil -lpam -lcrypto -lwrap
---

dtc

---
Daniel T. Chen | chenda at cs.unc.edu

On Tue, 29 Aug 2000, Damien Miller wrote:
>
> oops.
>
> The snapshot announced earlier lacked Ben's NeXT fixes. These have been
> added and a new snapshot is available.
>
> http://www.mindrot.org/misc/openssh/openssh-SNAP-2000082900.tar.gz
>
> Regards,
> Damien Miller
>

From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed Aug 30 03:52:08 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Tue, 29 Aug 2000 18:52:08 +0200
Subject: Snapshot
In-Reply-To: ; from djm@mindrot.org on Tue, Aug 29, 2000 at 02:33:17PM +1100
References:
Message-ID: <20000829185208.A26494@serv01.aet.tu-cottbus.de>

On Tue, Aug 29, 2000 at 02:33:17PM +1100, Damien Miller wrote:
> The snapshot announced earlier lacked Ben's NeXT fixes. These have been
> added and a new snapshot is available.
>
> http://www.mindrot.org/misc/openssh/openssh-SNAP-2000082900.tar.gz

hppa2.0-hp-hpux10.20 OK

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153

From djm at mindrot.org Wed Aug 30 09:50:12 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 30 Aug 2000 09:50:12 +1100 (EST)
Subject: PTY-Allocation under SCO 5
In-Reply-To:
Message-ID:

On Mon, 28 Aug 2000 svaughan at asterion.com wrote:

>
> Damien,
> I've tested the patch on SCO Openserver 5.0.5 and so far it works
> great! This fixed my pty problem.
> One thing I noticed is that num_ptys turns out to be 832. A
> standard SCO install gives you 64 ptys, though most admins up this as is
> the case on the server I have been testing on, which has 1055 ptys. I'm
> wondering if there is a good way to check to see how many ptys are
> available on a system like SCO. Or would this be a bad idea ?

Is there a system call, etc that can be used to check this?

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Wed Aug 30 10:02:02 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 30 Aug 2000 10:02:02 +1100 (EST)
Subject: Snapshot
In-Reply-To: <200008291402.QAA24333@b0fh.sweden.hp.com>
Message-ID:

On Tue, 29 Aug 2000, Kevin Steves wrote:

> Given the following configuration, and the small configure.in patch
> posted earlier for USE_PIPES and HP-UX 11, everything seems to be
> working fine.
>
> A couple notes:
>
> "IP address in $DISPLAY hack: no" is misleading below because
> IPADDR_IN_DISPLAY is set to 1 as it needs to be for HP-UX 11 (and 10).

Fixed - thanks.

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Wed Aug 30 10:02:40 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 30 Aug 2000 10:02:40 +1100 (EST)
Subject: Snapshot
In-Reply-To: <200008291003.MAA26260@b0fh.sweden.hp.com>
Message-ID:

On Tue, 29 Aug 2000, Kevin Steves wrote:

> The scp problem is on HP-UX 11 as well, and while I'd still like to find
> out why socketpair() isn't working, here's a patch to add USE_PIPES to
> 11. Note that -Ae is the default on 11.0, so I removed adding it to
> CFLAGS.

Applied - thanks.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Wed Aug 30 10:15:34 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 30 Aug 2000 10:15:34 +1100 (EST)
Subject: SNAP-2000082900
In-Reply-To:
Message-ID:

On Tue, 29 Aug 2000, Tobias Oetiker wrote:

> earlier I wrote that the 'connection dies on exit of x11 forwarded
> motif application' bug was solved with this release ...
> unfortunately further testing showed that it just did not occur on
> the machine I tested. All our other machines still show it ...

Are there any error messages in the client or server logs when this happens?

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Wed Aug 30 10:16:27 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 30 Aug 2000 10:16:27 +1100 (EST)
Subject: Snapshot
In-Reply-To: <20000829143820.A21775@ii.uib.no>
Message-ID:

On Tue, 29 Aug 2000, Jan-Frode Myklebust wrote:

> Compiled and runs fine on IRIX/IRIX64 6.5.9m with MIPSPro 7.2.1.3m/7.3.1.1m

What 'host system type' does configure report?

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From svaughan at asterion.com Wed Aug 30 10:38:05 2000
From: svaughan at asterion.com (svaughan at asterion.com)
Date: Tue, 29 Aug 2000 16:38:05 -0700 (PDT)
Subject: PTY-Allocation under SCO 5
In-Reply-To:
Message-ID:

Bastian showed me that this command will give you the number of ptys configured.

[sam at beta<>]:$ grep NSPTTYS /etc/conf/cf.d/stune
NSPTTYS 1056

Possible to put in the configure?

I will have more time tonight to look into if there is a system call ..... I'll let you know.

Sam

On Wed, 30 Aug 2000, Damien Miller wrote:

> On Mon, 28 Aug 2000 svaughan at asterion.com wrote:
>
> >
> > Damien,
> > I've tested the patch on SCO Openserver 5.0.5 and so far it works
> > great! This fixed my pty problem.
> > One thing I noticed is that num_ptys turns out to be 832. A
> > standard SCO install gives you 64 ptys, though most admins up this as is
> > the case on the server I have been testing on, which has 1055 ptys. I'm
> > wondering if there is a good way to check to see how many ptys are
> > available on a system like SCO. Or would this be a bad idea ?
>
> Is there a system call, etc that can be used to check this?
>
> -d
>
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
>

From scraig at eli.net Wed Aug 30 11:09:20 2000
From: scraig at eli.net (Stuart Craig)
Date: Tue, 29 Aug 2000 17:09:20 -0700
Subject: Snapshot
References:
Message-ID: <39AC50B0.FD2E7C7A@eli.net>

I have compiled and tested the 2000082900 snapshot on:

HP-UX 10.20 with GCC 10.20
HP-UX 11.00 with HP ANSI C
Red Hat 6.2 with 2.2.15 kernel

Everything looks good, so far, although I've been having some problems with RhostsRSAAuthentication. I think this is a configuration error on my part, and not a problem with OpenSSH.

You can find more detailed configuration information for all three builds at http://sage.eli.net/~scraig/OpenSSH/. There's not a lot there, but it was more than I wanted to bomb everyone on the mailing list with.

- Stu

--
Stuart J. Craig
Senior UNIX Administrator
Electric Lightwave, Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2515 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000829/d72360c1/attachment.bin

From djm at mindrot.org Wed Aug 30 11:29:25 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 30 Aug 2000 11:29:25 +1100 (EST)
Subject: Snapshot
In-Reply-To: <20000829145047.K9325@lazarus.cv.telegroup.com>
Message-ID:

On Tue, 29 Aug 2000, Aran Cox wrote:

> This snapshot does not fix the (serious) problems I had with
> the previous snapshot and p4.
>
> Please see my previous email to the list "Re: Test snapshost"
> for details about the problems I've been having. Does anyone
> have any suggestions? Has anyone duplicated this?

I haven't been able to duplicate this on Linux or Irix 5.3.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Wed Aug 30 11:37:30 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 30 Aug 2000 11:37:30 +1100 (EST)
Subject: Please include 'host system type' in reports
Message-ID:

When making success / failure reports, could you please include the 'host system type' as reported by configure. Reports in this format can be processed with uniq :)

So far I have success reports from:

sparc-sun-solaris2.7
sparc-sun-solaris2.8
hppa2.0-hp-hpux10.20
mips-sgi-irix5.3
i686-pc-linux-gnu

Missing:

SunOS 4.x
HP/UX 11
NeXT
SCO
SNI/Reliant Unix

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From mouring at pconline.com Wed Aug 30 12:31:15 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Tue, 29 Aug 2000 20:31:15 -0500 (CDT)
Subject: Please include 'host system type' in reports
In-Reply-To:
Message-ID:

After the patch sent off list. OpenSSH works great.

host system type: m68k-next-openstep4

On Wed, 30 Aug 2000, Damien Miller wrote:

>
> When making success / failure reports, could you please include the
> 'host system type' as reported by configure. Reports in this format
> can be processed with uniq :)
>
> So far I have success reports from:
>
> sparc-sun-solaris2.7
> sparc-sun-solaris2.8
> hppa2.0-hp-hpux10.20
> mips-sgi-irix5.3
> i686-pc-linux-gnu
>
> Missing:
>
> SunOS 4.x
> HP/UX 11
> NeXT
> SCO
> SNI/Reliant Unix
>
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
>

From gem at rellim.com Wed Aug 30 13:22:09 2000
From: gem at rellim.com (Gary E. Miller)
Date: Tue, 29 Aug 2000 19:22:09 -0700 (PDT)
Subject: Please include 'host system type' in reports
In-Reply-To:
Message-ID:

Yo Damien!

i686-pc-linux-gnu on Slackware 7.0 seems OK. I thought that it used to autodetect md5 passwords before but I had to manually add it this time.

i586-sco-sysv5uw7.1.0 (SCO UnixWare 7.1.0) compiles and runs clean with no extra flags. I'll beat on them and see if anything drops.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

On Wed, 30 Aug 2000, Damien Miller wrote:

> Date: Wed, 30 Aug 2000 11:37:30 +1100 (EST)
> From: Damien Miller
> To: openssh-unix-dev at mindrot.org
> Subject: Please include 'host system type' in reports
>
>
> When making success / failure reports, could you please include the
> 'host system type' as reported by configure. Reports in this format
> can be processed with uniq :)
>
> So far I have success reports from:
>
> sparc-sun-solaris2.7
> sparc-sun-solaris2.8
> hppa2.0-hp-hpux10.20
> mips-sgi-irix5.3
> i686-pc-linux-gnu
>
> Missing:
>
> SunOS 4.x
> HP/UX 11
> NeXT
> SCO
> SNI/Reliant Unix
>
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
>

From scraig at eli.net Wed Aug 30 13:44:33 2000
From: scraig at eli.net (Stuart Craig)
Date: Tue, 29 Aug 2000 19:44:33 -0700
Subject: Please include 'host system type' in reports
References:
Message-ID: <39AC7511.A83ABDD0@eli.net>

I have tested:

hppa2.0-hp-hpux10.20 (with GCC)
hppa2.0n-hp-hpux11.00 (with HP ANSI C)
i686-pc-linux-gnu

It would be useful to include this information in the summary information that configure prints out.

- Stu

--
Stuart J. Craig
Senior UNIX Administrator
Electric Lightwave, Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2515 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000829/a8459906/attachment.bin

From damien at galexia.com.au Wed Aug 30 13:46:50 2000
From: damien at galexia.com.au (Damien Mascord)
Date: Wed, 30 Aug 2000 13:46:50 +1100
Subject: Snapshot
In-Reply-To:
References:
Message-ID: <4.3.2.7.2.20000830133549.00bb8400@mail.galexia.com.au>

Hi,

This snapshot compiled fine on i386-pc-solaris2.8 and runs fine.

In debug mode, 'Cannot delete credentials: Permission denied' still appears.

As a further test I was using SecureFX to establish a 'secure' ftp session with the machine in question, and I got an interesting error when I was doing something slightly wrong. As you can see from the following transcript, I had the incorrect username configured, so when it asked for the username/password when it failed, I entered damien/password.

-- transcript --
debug: userauth-request for user automaton service ssh-connection method password
auth_set_user: illegal user automaton
Failed password for automaton from x.x.x.x port 3625 ssh2
debug: userauth-request for user damien service ssh-connection method password
auth_set_user: missmatch: (damien,ssh-connection)!=(automaton,ssh-connection)
Failed password for damien from x.x.x.x port 3625 ssh2
Received disconnect: 13: The user canceled authentication.
-- /transcript --

Not sure whether or not this is what is meant to happen this way... just letting you guys know :)

If I configure the client with the correct username to start with, everything goes fine and file transfers work correctly.

Damien

At 14:33 29/08/2000 +1100, Damien Miller wrote:
>oops.
>
>The snapshot announced earlier lacked Ben's NeXT fixes. These have been
>added and a new snapshot is available.
>
>http://www.mindrot.org/misc/openssh/openssh-SNAP-2000082900.tar.gz
>
>Regards,
>Damien Miller
>
>--
>| "Bombay is 250ms from New York in the new world order" - Alan Cox
>| Damien Miller - http://www.mindrot.org/
>| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

_____________________________________________________________
Damien Mascord Email: damien at galexia.com.au
Network and System Administrator http://www.galexia.com.au
Galexia Mobile: +61 414 448 272
Level 1, 3 Montague Street Tel: +61 2 9555 5913
Balmain, NSW 2041 Australia Fax: +61 2 9555 5688

From nakaji at tutrp.tut.ac.jp Wed Aug 30 13:49:32 2000
From: nakaji at tutrp.tut.ac.jp (NAKAJI Hiroyuki)
Date: 30 Aug 2000 11:49:32 +0900
Subject: [Need help] sshd cannot work on mips-sony-bsd
Message-ID: <87d7ira2f7.fsf@nakaji.tutrp.tut.ac.jp>

Hi,

I tried openssh on my SONY NEWS-OS 4.2.1R which is a 4.3BSD based system. I modified a little(*) to compile openssh and the compilation was successful.

Ssh worked but sshd didn't work. I checked the output of 'sshd -d'. It says

error: open /dev/tty failed - could not set controlling tty: No such device or address

when connected from remote host (FreeBSD 5-current) with ssh. And I gave up.

Please help. Thanks in advance.

(*) The diff is at http://www.rc.tutrp.tut.ac.jp/~nakaji/install/NEWS/utils/ref/openssh-2.1.1p4-news4.diff.gz
--
NAKAJI Hiroyuki

From oetiker at ee.ethz.ch Wed Aug 30 17:22:20 2000
From: oetiker at ee.ethz.ch (Tobias Oetiker)
Date: Wed, 30 Aug 2000 08:22:20 +0200 (MET DST)
Subject: [openssh] Re: SNAP-2000082900

Today you sent me mail regarding [openssh] Re: SNAP-2000082900:

*> On Tue, 29 Aug 2000, Tobias Oetiker wrote:
*>
*> > earlier I wrote that the 'connection dies on exit of x11 forwarded
*> > motif application' bug was solved with this release ...
*> > unfortunately further testing showed that it just did not occur on
*> > the machine I tested. All our other machines still show it ...
*>
*> Are there any error messages in the client or server logs when this
*> happens?

OK ... this issue is really getting to me ... so I debugged it ... here is the patch ... the problem seems to be that the motif app exits so fast that it is already gone when sshd still tries to send data to the remote xserver or something of that ilk ... probably the error is somewhere deeper inside the x11 forwarding code as I expect the remote ssh should actually tell the sshd that a channel has been closed ...

--- channels.c.orig Wed Aug 30 07:42:11 2000
+++ channels.c Wed Aug 30 08:09:30 2000
@@ -686,9 +686,17 @@ if (c->wfd != -1 && FD_ISSET(c->wfd, writeset) && buffer_len(&c->output) > 0) { + void *oldhandler; + int errsave; + /* maybe the other end is dead so we would get SIGPIPE + which would be fatal. We don't want this, so lets + ignore it for now and reset the handler afterwards */ + oldhandler = signal (SIGPIPE, SIG_IGN); len = write(c->wfd, buffer_ptr(&c->output), buffer_len(&c->output)); - if (len < 0 && (errno == EINTR || errno == EAGAIN)) + errsave = errno; + signal (SIGPIPE, oldhandler); + if (len < 0 && (errsave == EINTR || errsave == EAGAIN || errsave==EPIPE)) return 1; if (len <= 0) { if (compat13) {

cheers
tobi

--
 ______    __   _
/_  __/_  / /  (_) Oetiker, Timelord & SysMgr @ EE-Dept ETH-Zurich
 / // _ \/ _ \/ /  TEL: +41(0)1-6325286  FAX:...1517  ICQ: 10419518
/_/  \.__/_.__/_/  oetiker at ee.ethz.ch http://ee-staff.ethz.ch/~oetiker

From janfrode at parallab.uib.no Wed Aug 30 17:25:40 2000
From: janfrode at parallab.uib.no (Jan-Frode Myklebust)
Date: Wed, 30 Aug 2000 08:25:40 +0200
Subject: Snapshot
In-Reply-To: ; from djm@mindrot.org on Wed, Aug 30, 2000 at 10:16:27AM +1100
References: <20000829143820.A21775@ii.uib.no>
Message-ID: <20000830082540.A22359@ii.uib.no>

On Wed, Aug 30, 2000 at 10:16:27AM +1100, Damien Miller wrote:
> On Tue, 29 Aug 2000, Jan-Frode Myklebust wrote:
>
> > Compiled and runs fine on IRIX/IRIX64 6.5.9m with MIPSPro 7.2.1.3m/7.3.1.1m
>
> What 'host system type' does configure report?

checking host system type... mips-sgi-irix6.5

-jf

From gert at greenie.muc.de Wed Aug 30 19:23:45 2000
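Review bot: treating EPIPE like EINTR/EAGAIN in `if (len < 0 && (errsave == EINTR || errsave == EAGAIN || errsave==EPIPE)) return 1;` keeps a channel whose peer is gone alive with its output still buffered. A socket whose peer has closed stays writable as far as select() is concerned, so the next pass through the loop attempts the same write, gets EPIPE again, and returns 1 again, on every iteration, without the channel ever being closed. EPIPE is not a transient condition; let it fall through to the existing `if (len <= 0)` close path (or close the write side there) rather than returning 1, so the dead X11 connection is torn down instead of retried forever.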
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 30 Aug 2000 10:23:45 +0200
Subject: PTY-Allocation under SCO 5
In-Reply-To: ; from Damien Miller on Wed, Aug 30, 2000 at 09:50:12AM +1100
Message-ID: <20000830102345.A820@greenie.muc.de>

Hi,

On Wed, Aug 30, 2000 at 09:50:12AM +1100, Damien Miller wrote:
> > I've tested the patch on SCO Openserver 5.0.5 and so far it works
> > great! This fixed my pty problem.
> > One thing I noticed is that num_ptys turns out to be 832. A
> > standard SCO install gives you 64 ptys, though most admins up this as is
> > the case on the server I have been testing on, which has 1055 ptys. I'm
> > wondering if there is a good way to check to see how many ptys are
> > available on a system like SCO. Or would this be a bad idea ?
> > Is there a system call, etc that can be used to check this?

Not that I know of. Usually programs just loop, trying to find the first free one, and abort after the maximum number of ptys.

To abort the loop once the total number of ptys has run out, one could check whether the /dev/ttyp* device node exists - if not, no use in looking further.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From gert at greenie.muc.de Wed Aug 30 19:24:27 2000
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 30 Aug 2000 10:24:27 +0200
Subject: PTY-Allocation under SCO 5
In-Reply-To: ; from svaughan@asterion.com on Tue, Aug 29, 2000 at 04:38:05PM -0700
Message-ID: <20000830102427.B820@greenie.muc.de>

Hi,

On Tue, Aug 29, 2000 at 04:38:05PM -0700, svaughan at asterion.com wrote:
> Bastian showed me that this command
> will give you the number of ptys configured.
>
> [sam at beta<>]:$ grep NSPTTYS /etc/conf/cf.d/stune
> NSPTTYS 1056
>
> Possible to put in the configure?

Not very useful, as this might change after OpenSSH was compiled (or someone might want to copy the binary to a different machine with different NSPTTYS settings).

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From bit at eltech.ru Wed Aug 30 19:33:44 2000
From: bit at eltech.ru (Andrew Zabolotny)
Date: Wed, 30 Aug 2000 12:33:44 +0400 (MSD)
Subject: OpenSSH port question
Message-ID: <200008300829.MAA11841@post.eltech.ru>

Good day!

A little time ago I ported the "original" ssh 1.2.30 to OS/2. Unfortunately, I was misled by the gnu-COPYING-GPL file that is present in the ssh root dir, and thus was under the impression that ssh is GPL as well. I was shaken when I discovered my mistake :-) This basically made it unusable for many users who want to use ssh in commercial environments. Thus I decided to port OpenSSH to OS/2, to get a really free ssh.

After looking at your web site I've found that there are two flavours of openssh: OpenBSD and "portable" version. Thus I have the question: which flavour should I base my work upon? I could derive it from "portable" ssh, but I believe I will hardly find a single common line between other OS-es and OS/2. In general, I prefer to avoid all kinds of ugly #ifdef's spread across the code. They make sense only for code which is shared by more than one platform; for OS/2-specific code I'm going to write several additional modules, as I did for original ssh/sshd. This includes a terminal emulator (um... maybe it would be helpful for other platforms as well which don't have "built-in" terminals), a file-system path translator (which maps all kinds of "/etc" and "/dev") and a misc module for the rest of compatibility stuff.

I'm a little worried by the two flavours being developed at the same time. How do you "refresh" the "base" of the openssh in the "portable" version? Having two separate versions forces one to synchronize these two versions often; who's in charge of this?

Ok, I'll stop here for now.

Greetings,
_\ndy at teamOS/2

From janfrode at parallab.uib.no Wed Aug 30 22:42:16 2000
From: janfrode at parallab.uib.no (Jan-Frode Myklebust)
Date: Wed, 30 Aug 2000 13:42:16 +0200
Subject: /etc/nologin.allow
Message-ID: <20000830134216.A22569@ii.uib.no>

Here's a patch for a feature I'm used to having in the old commercial ssh. It checks for usernames in the file /etc/nologin.allow when /etc/nologin is in place, and lets the users mentioned in /etc/nologin.allow in regardless of /etc/nologin. This is very useful for remote administration of servers.

Please consider applying this.

-jf

-------------- next part --------------
--- openssh-SNAP-2000082900/session.c Tue Aug 29 02:33:51 2000
+++ openssh/session.c Wed Aug 30 12:17:13 2000
@@ -943,6 +943,9 @@ while (fgets(buf, sizeof(buf), f)) fputs(buf, stderr); fclose(f); +#ifdef NOLOGINALLOW + if (nologin_allow(pw->pw_name) != 1) +#endif /* NOLOGINALLOW */ exit(254); } } @@ -1858,4 +1861,29 @@ server_loop2(); if (xauthfile) xauthfile_cleanup_proc(NULL); +} + +int +nologin_allow(char *username) +{ + char buf[256], buf2[256]; + FILE *f = NULL; + + /* Appending an "\n" to the username since that's what it'll read like + * in the file. + */ + strcpy(buf2, username); + strcat(buf2, "\n"); + + f = fopen("/etc/nologin.allow", "r"); + if (f) { + while (fgets(buf, sizeof(buf), f)) + if (strcmp(buf2, buf) == 0) { + fputs("WARNING: Let in by /etc/nologin.allow\n", stderr); + fclose(f); + return(1); + } + fclose(f); + } + return(0); }

From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed Aug 30 23:10:58 2000
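Review bot: in the first hunk (`@@ -943,6 +943,9 @@`), `nologin_allow(pw->pw_name)` is called before the function exists in the translation unit; it is only defined at the end of session.c in the second hunk and no prototype is added, so this compiles as an implicit declaration. Add `int nologin_allow(char *);` near the top of session.c or to the header. Nothing in the patch defines NOLOGINALLOW either, so as posted the `#ifdef` block is never built; a configure switch or a default in the config header is needed, and the sshd man page should document /etc/nologin.allow. Also, the /etc/nologin banner has already been copied to stderr by the `fgets`/`fputs` loop immediately above, so an allowed user sees the "no logins" message and is then let in anyway; consider checking the allow file before printing the banner.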
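Review bot: in the second hunk (`@@ -1858,4 +1861,29 @@`), `strcpy(buf2, username); strcat(buf2, "\n");` copies a name of unchecked length into a 256-byte buffer; use `snprintf(buf2, sizeof(buf2), "%s\n", username)` or, better, strip the newline from each line returned by fgets() and compare with strcmp(). Stripping also fixes two matching problems in the "name\n" approach: a last line in /etc/nologin.allow with no trailing newline can never match, and a line longer than the 256-byte buffer is returned by fgets() in two pieces, the tail of which is then compared as if it were a name of its own. Since this file grants a bypass of /etc/nologin, the function should also fstat() the opened file and refuse anything that is not a regular file owned by root and writable only by root, and the bypass should be recorded with log() (syslog) as the rest of sshd does, not only written to the client's stderr.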
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Wed, 30 Aug 2000 14:10:58 +0200
Subject: SNAP-2000082900: minor configuration detail
Message-ID: <20000830141058.A13746@ws01.aet.tu-cottbus.de>

Hi!

In the INSTALL file, line 159,

CFLAGS="-O -m486" LFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure

"LFLAGS" are mentioned. Probably "LDFLAGS" are meant. The LFLAGS is also used at one place in "configure", please check configure.in:997, I also assume the LDFLAGS was meant, as used correctly in other locations.

There is another "confusion", as ./configure --help allows to use --with-cflags and --with-ldlags (here ldflags with "f" was meant).

I have tried and you can use both "CFLAGS" as well as --with-cflags to specify the special compiler flags. However, when using --with-cflags configure assumes that no CFLAGS was set, so "-g" is used by default. When specifying CFLAGS, only the CFLAGS specified are applied. (I don't have an opinion on whether this is good or bad, I just found out that --with-cflags is not the same as "CFLAGS=... ./configure" :-)

Best regards,
Lutz

--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From mouring at pconline.com Wed Aug 30 23:50:47 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Wed, 30 Aug 2000 07:50:47 -0500 (CDT)
Subject: [Need help] sshd cannot work on mips-sony-bsd
In-Reply-To: <87d7ira2f7.fsf@nakaji.tutrp.tut.ac.jp>

May I suggest trying the current snapshot?

http://www.mindrot.org/misc/openssh/openssh-SNAP-20000830.tar.gz

This includes a decent size rewrite of the next-posix.[ch] file to deal with 4.3bsdism on NeXT (which includes utime and wait).

It looks like I should split next-posix.[ch] into next-posix.[ch] and 43bsd-posix.[ch] so we can share common code.

On 30 Aug 2000, NAKAJI Hiroyuki wrote:

> Hi,
>
> I tried openssh on my SONY NEWS-OS 4.2.1R which is a 4.3BSD based
> system.
>
> I modified a little(*) to compile openssh and the compilation was
> successful. Ssh worked but sshd didn't work.
>
> I checked the output of 'sshd -d'. It says
>
> error: open /dev/tty failed - could not set controlling tty: No such device or address
>
> when connected from remote host (FreeBSD 5-current) with ssh. And I
> gave up.
>
> Please help. Thanks in advance.
>
> (*) The diff is at
> http://www.rc.tutrp.tut.ac.jp/~nakaji/install/NEWS/utils/ref/openssh-2.1.1p4-news4.diff.gz
> --
> NAKAJI Hiroyuki
>

From acox at cv.telegroup.com Thu Aug 31 00:33:51 2000
From: acox at cv.telegroup.com (Aran Cox)
Date: Wed, 30 Aug 2000 15:33:51 +0200
Subject: Snapshot
In-Reply-To: ; from djm@mindrot.org on Wed, Aug 30, 2000 at 11:29:25AM +1100
References: <20000829145047.K9325@lazarus.cv.telegroup.com>
Message-ID: <20000830153351.B3110@lazarus.cv.telegroup.com>

Well, I think I have managed to make my problem disappear, but first a little more background.

I'm currently under the impression that the problems I've been having are related to timing (does that qualify them as a race condition?) I could *never* duplicate this problem while running sshd under the SCO OS debugger. Not once! Also, I could almost always duplicate the problem if I gave the server (SCO OS 5.0.5) running sshd something else to do in the background (like a find invocation, or compressing a large amount of data.)

After looking around the code for a while I saw the section on USE_PIPES in session.c in the do_exec_no_pty. Since my problem was related to pipes, (the program is dying on SIGPIPE) I thought I'd try defining USE_PIPES and recompiling. Now I cannot duplicate the SIGPIPE (signal 13) problem with an sshd compiled with USE_PIPES. Of course, I don't understand exactly why this fixes my problem or if the solution is correct.

I'll include the output of sshd -d for a successful run and an unsuccessful one. I was usually invoking ssh like so:

ssh -n -l root host ls -ld .

My system is i686-pc-sco3.2v5.0.5.

I can understand why it's undesirable to apply a patch to fix a problem that only one person can duplicate, so hopefully this info will be useful to someone who can give me a clue where to look next. Has anyone really tried running SCO OS 5.0.5 as an sshd server and using the -n switch from the client side? It would make me feel less insane if someone would try (possibly with a little load on the server since that seems to make the problem occur more frequently) running

ssh -n host ls -ld .
in a loop and seeing if they see any

Received disconnect: Command terminated on signal 13.

error messages.

cheers!

On Wed, Aug 30, 2000 at 11:29:25AM +1100, Damien Miller wrote:
> On Tue, 29 Aug 2000, Aran Cox wrote:
>
> > This snapshot does not fix the (serious) problems I had with
> > the previous snapshot and p4.
> >
> > Please see my previous email to the list "Re: Test snapshost"
> > for details about the problems I've been having. Does anyone
> > have any suggestions? Has anyone duplicated this?
>
> I haven't been able to duplicate this on Linux or Irix 5.3.
>
> -d
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
>
>

-------------- next part --------------
debug: sshd version OpenSSH_2.1.1p5
debug: Command 'ls -alni /var/log' exit status was 2
debug: Command 'tail -200 /var/log/messages' exit status was 2
debug: Command 'tail -200 /var/log/syslog' exit status was 2
debug: Seeded RNG with 32 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: read DSA private key done
debug: Seeded RNG with 31 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
debug: Seeded RNG with 31 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Seeded RNG with 31 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 172.16.10.59 port 724
debug: Client protocol version 1.5; client software version OpenSSH_2.1.1p5
debug: Local version string SSH-1.99-OpenSSH_2.1.1p5
debug: Seeded RNG with 31 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Seeded RNG with 31 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: blowfish
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Attempting authentication for root.
Failed rsa for ROOT from 172.16.10.59 port 724
Failed rsa for ROOT from 172.16.10.59 port 724
Accepted password for ROOT from 172.16.10.59 port 724
debug: session_new: init
debug: session_new: session 0
debug: Received request for X11 forwarding with auth spoofing.
debug: fd 5 setting O_NONBLOCK
debug: channel 0: new [X11 inet listener]
debug: Seeded RNG with 31 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Seeded RNG with 31 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Seeded RNG with 31 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Exec command 'ls -ld .'
debug: Entering interactive session.
debug: Received SIGCHLD.
debug: fd 11 setting O_NONBLOCK
debug: fd 13 setting O_NONBLOCK
debug: server_init_dispatch_13
debug: server_init_dispatch_15
debug: EOF received for stdin.
debug: tvp!=NULL kid 1 mili 100
debug: tvp!=NULL kid 1 mili 10
debug: tvp!=NULL kid 1 mili 100
debug: End of interactive session; stdin 0, stdout (read 56, sent 56), stderr 463 bytes.
debug: channel_free: channel 0: status: The following connections are open:
debug: Command exited with status 0.
debug: Received exit confirmation.
debug: xauthfile_cleanup_proc called
Closing connection to 172.16.10.59
debug: writing PRNG seed to file //.ssh/prng_seed

-------------- next part --------------
debug: sshd version OpenSSH_2.1.1p5
debug: Command 'ls -alni /var/log' exit status was 2
debug: Command 'ipcs -a' timed out
debug: Command 'tail -200 /var/log/messages' exit status was 2
debug: Command 'tail -200 /var/log/syslog' exit status was 2
debug: Seeded RNG with 31 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: read DSA private key done
debug: Seeded RNG with 30 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
debug: Seeded RNG with 30 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Command 'ipcs -a' timed out
debug: Seeded RNG with 30 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 172.16.10.59 port 963
debug: Client protocol version 1.5; client software version OpenSSH_2.1.1p5
debug: Local version string SSH-1.99-OpenSSH_2.1.1p5
debug: Seeded RNG with 29 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Seeded RNG with 29 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: blowfish
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Attempting authentication for root.
Failed rsa for ROOT from 172.16.10.59 port 963
Failed rsa for ROOT from 172.16.10.59 port 963
Accepted password for ROOT from 172.16.10.59 port 963
debug: session_new: init
debug: session_new: session 0
debug: Received request for X11 forwarding with auth spoofing.
debug: fd 5 setting O_NONBLOCK
debug: channel 0: new [X11 inet listener]
debug: Seeded RNG with 29 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Seeded RNG with 29 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Seeded RNG with 31 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Exec command 'ls -ld .'
debug: Entering interactive session.
debug: fd 11 setting O_NONBLOCK
debug: fd 13 setting O_NONBLOCK
debug: server_init_dispatch_13
debug: server_init_dispatch_15
debug: EOF received for stdin.
debug: Received SIGCHLD.
debug: tvp!=NULL kid 1 mili 100
debug: End of interactive session; stdin 0, stdout (read 0, sent 0), stderr 463 bytes.
debug: channel_free: channel 0: status: The following connections are open:
Disconnecting: Command terminated on signal 13.
debug: Calling cleanup 0xa578(0x0)
debug: xauthfile_cleanup_proc called
debug: Calling cleanup 0x11af0(0x0)
debug: Calling cleanup 0x18c4c(0x0)
debug: Calling cleanup 0x1b658(0x0)
debug: writing PRNG seed to file //.ssh/prng_seed

From bit at eltech.ru Thu Aug 31 01:16:30 2000
From: bit at eltech.ru (Andrew Zabolotny)
Date: Wed, 30 Aug 2000 18:16:30 +0400 (MSD)
Subject: test
Message-ID: <200008301412.SAA16095@post.eltech.ru>

I have just subscribed to the list and I have problems with some transit mail servers. Please answer (privately by mail) if my letter is visible on the list.

Greetings,
_\ndy at teamOS/2

From loomisg at cist.saic.com Thu Aug 31 02:05:39 2000
From: loomisg at cist.saic.com (Rip Loomis)
Date: Wed, 30 Aug 2000 11:05:39 -0400
Subject: OpenSSH port question
In-Reply-To: <200008300829.MAA11841@post.eltech.ru>
Message-ID: <003101c01293$c2e9ab40$275346d1@rloomis.cist.saic.com>

Andy--

This should be in an FAQ somewhere, but here's a quick summary of the situation:

1. OpenSSH ("basic") is principally maintained by the OpenBSD developers. Relevant fixes from the portable version *may* be incorporated if they are applicable to OpenBSD, but there is a specific intent to keep the OpenBSD version clean of the #ifdefs that make the ssh.com 1.2.x code so troublesome to follow/audit.

2. The OpenSSH Portability Team has taken the "clean" OpenBSD implementation and modified it as required to allow compilation and support on other platforms. Again, there is a specific interest in keeping the diffs clean and minimal, but there are obviously changes that need to be incorporated. Damien Miller and other folks in the portability team communicate with the upstream (essentially OpenBSD) developers to keep things in sync.

3. OpenSSH has already been ported to NeXT and CygWin (Win32 + Cygnus support libraries), so I think that what you want to do is possible. Not sure whether the CygWin port might already include terminal emulation-- I use PuTTY as my Win32 client.

Bottom line--I would recommend that you submit your patches to Damien via the list. That's what seems to be working for other folks right now. Obviously, if you've got 100K of code, it might be better to put it up for download and send a pointer.

Hope this helps--

Rip Loomis                                  Voice Number: (410) 953-6874
--------------------------------------------------------
Senior Systems Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com

-----Original Message-----
From: Andrew Zabolotny [mailto:bit at eltech.ru]
Sent: Wednesday, August 30, 2000 4:34 AM
To: openssh-unix-dev-list at mindrot.org
Subject: OpenSSH port question

Good day!

A little time ago I ported the "original" ssh 1.2.30 to OS/2. Unfortunately, I was misled by the gnu-COPYING-GPL file that is present in the ssh root dir, and thus was under the impression that ssh is GPL as well. I was shaken when I discovered my mistake :-) This basically made it unusable for many users who want to use ssh in commercial environments. Thus I decided to port OpenSSH to OS/2, to get a really free ssh.

After looking at your web site I've found that there are two flavours of openssh: OpenBSD and "portable" version. Thus I have the question: which flavour should I base my work upon? I could derive it from "portable" ssh, but I believe I will hardly find a single common line between other OS-es and OS/2. In general, I prefer to avoid all kinds of ugly #ifdef's spread across the code. They make sense only for code which is shared by more than one platform; for OS/2-specific code I'm going to write several additional modules, as I did for original ssh/sshd. This includes a terminal emulator (um... maybe it would be helpful for other platforms as well which don't have "built-in" terminals), a file-system path translator (which maps all kinds of "/etc" and "/dev") and a misc module for the rest of compatibility stuff.

I'm a little worried by the two flavours being developed at the same time. How do you "refresh" the "base" of the openssh in the "portable" version? Having two separate versions forces one to synchronize these two versions often; who's in charge of this?

Ok, I'll stop here for now.

Greetings,
_\ndy at teamOS/2

From nakaji at tutrp.tut.ac.jp Thu Aug 31 02:06:44 2000
From: nakaji at tutrp.tut.ac.jp (NAKAJI Hiroyuki)
Date: 31 Aug 2000 00:06:44 +0900
Subject: [Need help] sshd cannot work on mips-sony-bsd
In-Reply-To: (Ben Lindstrom's message of "Wed, 30 Aug 2000 07:50:47 -0500 (CDT)")
References: <87d7ira2f7.fsf@nakaji.tutrp.tut.ac.jp>
Message-ID: <86vgwi6b5n.fsf@xa12.heimat.gr.jp>

Thank you for your suggestion.

>>>>> In
>>>>> Ben Lindstrom wrote:

Ben> May I suggest trying the current snapshot?
Ben> http://www.mindrot.org/misc/openssh/openssh-SNAP-20000830.tar.gz

I'll try it.

Ben> It looks like I should split next-posix.[ch] into next-posix.[ch] and
Ben> 43bsd-posix.[ch] so we can share common code.

Well, news4-posix.[ch] is copied from next-posix.[ch] and modified. :) There are some functions and declarations which NEWS4 has and NeXT doesn't.

NEWS-OS 4.x is based on 4.3BSD but it has some POSIXization and SystemV features. I don't know exactly.

Of course, NEWS-OS 4.x is made in Japan. Do you know it?
--
NAKAJI Hiroyuki

From mouring at pconline.com Thu Aug 31 02:47:50 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Wed, 30 Aug 2000 10:47:50 -0500 (CDT)
Subject: [Need help] sshd cannot work on mips-sony-bsd
In-Reply-To: <86vgwi6b5n.fsf@xa12.heimat.gr.jp>

On 31 Aug 2000, NAKAJI Hiroyuki wrote:

> Thank you for your suggestion.
>
> >>>>> In
> >>>>> Ben Lindstrom wrote:
>
> Ben> May I suggest trying the current snapshot?
> Ben> http://www.mindrot.org/misc/openssh/openssh-SNAP-20000830.tar.gz
>
> I'll try it.
>
> Ben> It looks like I should split next-posix.[ch] into next-posix.[ch] and
> Ben> 43bsd-posix.[ch] so we can share common code.
>
> Well, news4-posix.[ch] is copied from next-posix.[ch] and modified. :)
> There are some functions and declarations which NEWS4 has and NeXT
> doesn't.
>

I noticed very quickly.=) As the author of the next-posix.[ch] the code is pretty quickly noticed.=)

> NEWS-OS 4.x is based on 4.3BSD but it has some POSIXization and SystemV
> features. I don't know exactly.
>
> Of course, NEWS-OS 4.x is made in Japan. Do you know it?

I've heard of it, but I've never seen it. I'm glad to see that NEWS-OS (unlike NeXT) has termios support by default.=)

Ben Lindstrom

From william at opinicus.com Thu Aug 31 03:54:04 2000
From: william at opinicus.com (William Montgomery)
Date: Wed, 30 Aug 2000 12:54:04 -0400 (EDT)
Subject: Maximum Idle Time thread resolution?

Was there a resolution to the "connection reset by peer" problem? I am using Linux 2.2.16 with openssh-2.1.1p4 and I get the timeout problem described a few months ago in the Maximum Idle Time thread when connecting to a machine running Linux 2.0.36 with openssh-1.2.1pre25.

Any hints?

Wm

From loomisg at cist.saic.com Thu Aug 31 05:52:00 2000
From: loomisg at cist.saic.com (Rip Loomis)
Date: Wed, 30 Aug 2000 14:52:00 -0400
Subject: Solaris/IRIX audit support: login.c vs loginrec.c
Message-ID: <003701c012b3$61b63170$275346d1@rloomis.cist.saic.com>

Comments requested:

I have internally-generated patches against commercial SSH 1.2.27 that add full support for generation of kernel-level audit data on Solaris 2.5.1+ and IRIX 6.2/6.5, and I'm finally getting around to porting them to OpenSSH.

One piece that had been previously implemented was generation of login/logout events in record_login and record_logout in login.c--but now those functions are mostly shells for the stuff in loginrec.c. It looks as though it would be easier for me to just drop these into login.c, but the functionality might be more useful to other projects if it was integrated into loginrec.c.

What's the best answer?

Related questions:

1. Will anyone besides me (and certain customers) actually use this sort of functionality?

2. Is anyone else working on anything similar? I had abstracted much of the functionality out into "sshaudit.c" and "sshaudit.h", and would intend to continue that.

I'm not personally sure whether the functionality is important on HP-UX or Tru64, each of which has its own bizarre auditing methodology. It appears on HP-UX that it's not even possible to generate audit events directly from sshd itself, but only indirectly (through any audited library call that fails/succeeds)--which means that there would seem to be no way to generate an audit event on login failure. It's also not clear whether specific action must be taken to generate audit data under the correct UID, or whether those OSs automagically set the audit user ID to the actual user. On both IRIX and Solaris, if sshd is running as root and no action is taken to re-initialize the audit ID to the user's true UID, then all actions taken during the SSH session appear in the audit trail to have been performed by root.
(Note that patches to fix this specific issue for IRIX were included in OpenSSH as of June 2000--my patches also generate additional audit data for failed login/successful login/logout).

Rip Loomis                                  Voice Number: (410) 953-6874
--------------------------------------------------------
Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com

From qralston+ml.openssh-unix-dev at andrew.cmu.edu Thu Aug 31 09:25:31 2000
From: qralston+ml.openssh-unix-dev at andrew.cmu.edu (James Ralston)
Date: Wed, 30 Aug 2000 18:25:31 -0400 (EDT)
Subject: assorted issues with 2.1.1p4...

I've just finished compiling OpenSSH version 2.1.1p4 for Red Hat Linux 6.2 (i386) with recent patches, using OpenSSL version 0.9.5a, which was compiled to use RSAREF. There are a couple of issues I noticed immediately:

1. The ssh-agent program can only store RSA keys, not DSA keys.

2. Only ssh-add knows to invoke ssh-askpass (if it is not attached to a tty and DISPLAY is set). Slogin, ssh, scp, et al. do not invoke ssh-askpass, either to prompt for a RSA/DSA passphrase, or to prompt for a password to the remote system.

3. The -f option to ssh has no effect when protocol version 2 is being used.

4. If X11 forwarding is being used, and an X11 application is being forwarded across the secure channel, occasionally shutting down that application causes the sshd process to crash.

I see that issue #1 is resolved, as of the 20000823 snapshot. I will go grab the snapshot and bang on it.

Daiki Ueno brought up issue #2 back in April, but I can't find a follow-up that answers his central question (why does ssh not know how to invoke ssh-askpass?). So, I'll ask it again: is this a deliberate design decision, or something that just hasn't been implemented yet?

I see that Jarno Huuskonen provided a tentative patch for issue #3 on August 5, but the patch didn't make it into the 20000823 snapshot. Does anyone know the status of that patch, or this issue in general?

I've made an attempt to look at issue #4, but so far, I've been unable to catch the sshd process in the act of crashing; it seems that the problem doesn't occur when the sshd process in question is being traced. I'm not even sure what signal sshd is dying on. I'll report back once I have more definite information, but until then, has anyone run into what they think might be the same problem?
Regards,

--
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA

From GLeblanc at cu-portland.edu Thu Aug 31 09:53:48 2000
From: GLeblanc at cu-portland.edu (Gregory Leblanc)
Date: Wed, 30 Aug 2000 15:53:48 -0700
Subject: Solaris/IRIX audit support: login.c vs loginrec.c
Message-ID: <025836EFF856D411A6660090272811E61D0688@EMAIL>

> -----Original Message-----
> From: Rip Loomis [mailto:loomisg at cist.saic.com]
> Sent: Wednesday, August 30, 2000 11:52 AM
> To: openssh-unix-dev at mindrot.org
> Subject: Solaris/IRIX audit support: login.c vs loginrec.c
>
> Comments requested:
> I have internally-generated patches against
> commercial SSH 1.2.27 that add full support
> for generation of kernel-level audit data
> on Solaris 2.5.1+ and IRIX 6.2/6.5, and
> I'm finally getting around to porting them
> to OpenSSH.
>
> One piece that had been previously implemented
> was generation of login/logout events in
> record_login and record_logout in login.c--but
> now those functions are mostly shells for the
> stuff in loginrec.c. It looks as though it
> would be easier for me to just drop these
> into login.c, but the functionality might
> be more useful to other projects if it was
> integrated into loginrec.c.
>
> What's the best answer?

It seems to me that the best answer is the one that's most architecturally sound, so putting it into loginrec.c seems to make the most sense, but it may not be easiest. Please keep in mind that IANAH, so I may be unduly biased.

> Related questions:
> 1. Will anyone besides me (and certain
> customers) actually use this sort of
> functionality?

I'd probably use that on my machines at home, assuming that I've read this correctly. I've got machines using Solaris 2.7/2.8, and IRIX 6.5, although none of them have working compilers right now.

Later,
Greg

From markus.friedl at informatik.uni-erlangen.de Thu Aug 31 09:25:51 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 31 Aug 2000 00:25:51 +0200
Subject: [openssh] Re: SNAP-2000082900
In-Reply-To: ; from oetiker@ee.ethz.ch on Wed, Aug 30, 2000 at 08:22:20AM +0200
References:
Message-ID: <20000831002551.A30773@folly.informatik.uni-erlangen.de>

i think the server should signal(SIGPIPE, SIG_IGN) in serverloop.c/server_loop{2}(), or earlier, and restore the default signal(SIGPIPE, SIG_DFL) in sshd.c after the child is fork'ed.

On Wed, Aug 30, 2000 at 08:22:20AM +0200, Tobias Oetiker wrote:
> OK ... this issue is really getting to me ... so I debugged it ...
> here is the patch ... the problem seems to be that the motif app
> exits so fast that it is already gone when sshd still tries to
> send data to the remote xserver or something of that ilk ...
> probably the error is somewhere deeper inside the x11 forwarding
> code as I expect the remote ssh should actually tell the sshd that
> a channel has been closed ...
>
> --- channels.c.orig Wed Aug 30 07:42:11 2000
> +++ channels.c Wed Aug 30 08:09:30 2000
> @@ -686,9 +686,17 @@ > if (c->wfd != -1 && > FD_ISSET(c->wfd, writeset) && > buffer_len(&c->output) > 0) { > + void *oldhandler; > + int errsave; > + /* maybe the other end is dead so we would get SIGPIPE > + which would be fatal. We don't want this, so lets > + ignore it for now and reset the handler afterwards */ > + oldhandler = signal (SIGPIPE, SIG_IGN); > len = write(c->wfd, buffer_ptr(&c->output), > buffer_len(&c->output)); > - if (len < 0 && (errno == EINTR || errno == EAGAIN)) > + errsave = errno; > + signal (SIGPIPE, oldhandler); > + if (len < 0 && (errsave == EINTR || errsave == EAGAIN || errsave==EPIPE)) > return 1; > if (len <= 0) { > if (compat13) { > > cheers > tobi > > -- > ______ __ _ > /_ __/_ / / (_) Oetiker, Timelord & SysMgr @ EE-Dept ETH-Zurich > / // _ \/ _ \/ / TEL: +41(0)1-6325286 FAX:...1517 ICQ: 10419518 > /_/ \.__/_.__/_/ oetiker at ee.ethz.ch http://ee-staff.ethz.ch/~oetiker > > From nakaji at tutrp.tut.ac.jp Thu Aug 31 12:26:07 2000 
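Review bot: the new condition `if (len < 0 && (errsave == EINTR || errsave == EAGAIN || errsave==EPIPE)) return 1;` treats a dead peer the same as a transient error, so the channel keeps its unsent output and will try the same write again on the next pass instead of taking the close path that follows (`if (len <= 0) { if (compat13) {`); EPIPE should fall through to that close handling rather than return 1. Two smaller points on the same hunk: `void *oldhandler` is not the type signal() returns, it should be `void (*oldhandler)(int)` (or sig_t where available); and swapping the handler around every single write adds two system calls per write and becomes unnecessary once the process ignores SIGPIPE once, as Markus suggests, with the errno save kept as written.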
From: nakaji at tutrp.tut.ac.jp (NAKAJI Hiroyuki)
Date: 31 Aug 2000 10:26:07 +0900
Subject: [Need help] sshd cannot work on mips-sony-bsd
In-Reply-To: (Ben Lindstrom's message of "Wed, 30 Aug 2000 07:50:47 -0500 (CDT)")
References: <87d7ira2f7.fsf@nakaji.tutrp.tut.ac.jp>
Message-ID: <87hf82jk5s.fsf@nakaji.tutrp.tut.ac.jp>

Ben and folks,

The problem seems to be the error message,

error: open /dev/tty failed - could not set controlling tty: No such device or address

But I wonder why 'open /dev/tty failed'.

Anyway, I tried the snapshot (with my patch to compile it).

>>>>> In
>>>>> Ben Lindstrom wrote:

Ben> May I suggest trying the current snapshot?
Ben> http://www.mindrot.org/misc/openssh/openssh-SNAP-20000830.tar.gz

It fails with the same error... When I slogin from the remote host (133.15.188.118), 'sshd -d -p 24' says:

debug: Server will not fork when running in debugging mode.
Connection from 133.15.188.118 port 974
debug: Client protocol version 1.5; client software version OpenSSH-2.1
debug: Local version string SSH-1.99-OpenSSH_2.1.1p5
debug: Seeded RNG with 14 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Seeded RNG with 14 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Attempting authentication for nakaji.
Accepted rsa for nakaji from 133.15.188.118 port 974
debug: session_new: init
debug: session_new: session 0
debug: Allocating pty.
debug: Entering interactive session.
error: open /dev/tty failed - could not set controlling tty: No such device or address
debug: no set_nonblock for tty fd 7
debug: no set_nonblock for tty fd 11
debug: server_init_dispatch_13
debug: server_init_dispatch_15
debug: tvp!=NULL kid 0 mili 10
debug: tvp!=NULL kid 0 mili 10
debug: tvp!=NULL kid 0 mili 10
debug: tvp!=NULL kid 0 mili 10
debug: tvp!=NULL kid 0 mili 10
debug: tvp!=NULL kid 0 mili 10
debug: tvp!=NULL kid 0 mili 10
debug: tvp!=NULL kid 0 mili 10
debug: tvp!=NULL kid 0 mili 10
debug: tvp!=NULL kid 0 mili 10
debug: tvp!=NULL kid 0 mili 10
debug: Received SIGCHLD.

On tty of 133.15.188.188,

$ rlogin -p 24 nakaji-nws # rlogin is an alias of slogin
The authenticity of host 'nakaji-nws' can't be established.
RSA key fingerprint is 3e:1a:63:60:4b:c8:88:d1:8e:e2:f1:a3:10:37:6d:07.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'nakaji-nws' (RSA) to the list of known hosts.
Last login: Thu Aug 31 10:08:38 2000 from nakaji
NEWS-OS Release 4.2.1R FCS#5 #13: Mon Sep 8 23:50:00 JST 1997
Environment:
USER=nakaji
LOGNAME=nakaji
HOME=/home/nakaji
PATH=/usr/bin:/bin:/usr/sbin:/sbin
MAIL=/var/spool/mail/nakaji
SHELL=/usr/local/bin/bash
SSH_CLIENT=133.15.188.118 974 24
SSH_TTY=/dev/ttyp2
TERM=kterm

I cannot see the shell's prompt. At this state, ps on nakaji-nws shows,

$ tty
/dev/ttyp3
$ ps xc
USER     PID %CPU %MEM  SZ RSS TT STAT TIME COMMAND
nakaji 17407  5.4  1.7 924 468 p3 S    0:00 bash
nakaji 17405  0.0  1.3 796 340 ?  T    0:00 bash
nakaji 17423  0.0  0.7 316 192 p3 R    0:00 ps

On ttyp3 of nakaji-nws, I killed one bash with 'kill -KILL 17405' and 'sshd -d' exits with the following message:

debug: Received SIGCHLD.
debug: tvp!=NULL kid 1 mili 100
debug: End of interactive session; stdin 0, stdout (read 353, sent 353), stderr 0 bytes.
Disconnecting: Command terminated on signal 9.
debug: Calling cleanup 0x409c98(0x10025eb0)
debug: pty_cleanup_proc: /dev/ttyp2
debug: Calling cleanup 0x40d5dc(0x0)
debug: Calling cleanup 0x411de0(0x0)
debug: writing PRNG seed to file //.ssh/prng_seed

Ssh-1.2.27 is working well. But I want to use OpenSSH if possible.

Thanks.
-- 
NAKAJI Hiroyuki

From irving at samurai.sfo.dead-dog.com Thu Aug 31 12:41:51 2000
From: irving at samurai.sfo.dead-dog.com (Irving Popovetsky)
Date: Wed, 30 Aug 2000 18:41:51 -0700
Subject: slightly overzealous RNG seeding?
Message-ID: <20000830184151.B4471@samurai.sfo.dead-dog.com>

Hello again,

I was testing today's SNAP (openssh-SNAP-20000830.tar.gz) in my Solaris 2.6-8 environment, when I found some problems with the ssh2 support.

While connecting, it seeds the RNG something like 32 times! And then once connected, it seeds again 2 or 3 times with *every* keystroke! This makes for some slow going. This happens on all of the Solaris boxes I tried. Binary was compiled on 2.6 against OpenSSL 0.9.5a.

Output follows:

6:19pm.orangecrush: ~# ssh -2 -v qabigip1
SSH Version OpenSSH_2.1.1p5, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to qabigip1 [10.23.1.2] port 22.
debug: Command 'ipcs -a' timed out
debug: Seeded RNG with 35 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Allocated local port 1021.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version 2.0.12 F-SECURE SSH datafellows: 2.0.12 F-SECURE SSH Enabling compatibility mode for protocol 2.0 debug: Local version string SSH-2.0-OpenSSH_2.1.1p5 debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Command 'ipcs -a' timed out debug: Seeded RNG with 35 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: send KEXINIT debug: done debug: wait KEXINIT debug: got kexinit: diffie-hellman-group1-sha1 debug: got kexinit: ssh-dss debug: got kexinit: 3des-cbc,cast128-cbc,blowfish-cbc,twofish-cbc,arcfour,none debug: got kexinit: 3des-cbc,cast128-cbc,blowfish-cbc,twofish-cbc,arcfour,none debug: got kexinit: hmac-md5,md5-8,none debug: got kexinit: hmac-md5,md5-8,none debug: got kexinit: none,zlib debug: got kexinit: none,zlib debug: got kexinit: debug: got kexinit: debug: first kex follow: 0 debug: reserved: 0 debug: done debug: kex: server->client blowfish-cbc hmac-md5 none debug: kex: client->server blowfish-cbc hmac-md5 none debug: Sending SSH2_MSG_KEXDH_INIT. debug: bits set: 522/1024 debug: Wait SSH2_MSG_KEXDH_REPLY. debug: Got SSH2_MSG_KEXDH_REPLY. debug: Host 'qabigip1' is known and matches the DSA host key. debug: bits set: 507/1024 debug: len 40 datafellows 15 debug: dsa_verify: signature correct debug: Wait SSH2_MSG_NEWKEYS. debug: GOT SSH2_MSG_NEWKEYS. debug: send SSH2_MSG_NEWKEYS. debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: done: send SSH2_MSG_NEWKEYS. debug: done: KEX2. 
debug: send SSH2_MSG_SERVICE_REQUEST debug: Command 'ipcs -a' timed out debug: Seeded RNG with 35 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: buggy server: service_accept w/o service debug: got SSH2_MSG_SERVICE_ACCEPT debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: authentications that can continue: publickey,password debug: key does not exist: //.ssh/id_dsa root at qabigip1's password: debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: ssh-userauth2 successfull debug: no set_nonblock for tty fd 7 debug: no set_nonblock for tty fd 8 debug: no set_nonblock for tty fd 9 debug: channel 0: new [client-session] debug: send channel open 0 debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Command 'ipcs -a' timed out debug: Seeded RNG with 35 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Entering interactive session. 
debug: callback start debug: client_init id 0 arg 0 debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Requesting X11 forwarding with authentication spoofing. debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: channel request 0: shell debug: client_set_session_ident: id 0 debug: callback done debug: channel 0: open confirm rwindow 10000 rmax 4096 Last login: Wed Aug 30 21:04:04 2000 from orangecrush No mail. Terminal type? 
[xterm] debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Command 'ipcs -a' timed out debug: Seeded RNG with 35 bytes from programs debug: Seeded RNG with 3 bytes from system calls Terminal type is xterm. qabigip1:~# debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls qabigip1:~# debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls testdebug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls That can't be right. Or am I doing something wrong? Gratefully, -Irving From djm at mindrot.org Thu Aug 31 12:39:14 2000 
From: djm at mindrot.org (Damien Miller) Date: Thu, 31 Aug 2000 12:39:14 +1100 (EST) Subject: slightly overzealous RNG seeding? In-Reply-To: <20000830184151.B4471@samurai.sfo.dead-dog.com> Message-ID: On Wed, 30 Aug 2000, Irving Popovetsky wrote: > Hello again, > > I was testing today's SNAP (openssh-SNAP-20000830.tar.gz) in my > Solaris 2.6-8 environment, when I found some problems with the ssh2 > support. > > While connecting, it seeds the RNG something like 32 times! And then > once connected, it seeds again 2 or 3 times with *every* keystroke! This > makes for some slow going. This happens on all of the Solaris boxes I > tried. Binary was compiled on 2.6 against OpenSSL 0.9.5a. Yes - my mistake: Index: bsd-arc4random.c =================================================================== RCS file: /var/cvs/openssh/bsd-arc4random.c,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- bsd-arc4random.c 2000/08/29 22:40:09 1.3 +++ bsd-arc4random.c 2000/08/30 03:06:35 1.4 @@ -37,7 +37,7 @@ #define SEED_SIZE 20 /* Number of bytes to reseed after */ -#define REKEY_BYTES (1 >> 18) +#define REKEY_BYTES (1 << 18) static int rc4_ready = 0; static RC4_KEY rc4; -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From irving at samurai.sfo.dead-dog.com Thu Aug 31 13:30:36 2000 
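Review bot: the one-character fix is correct and worth a comment in the source: `(1 >> 18)` evaluates to 0, so the byte budget was already exhausted on the very first call and the generator ran its reseed (including the slow entropy-gathering commands, visible in Irving's log as `Command 'ipcs -a' timed out` next to each `Seeded RNG` pair) on every request; `(1 << 18)` restores the intended 256 KiB budget. Since a reversed shift is easy to miss on review, consider writing the value as `(256 * 1024)` or putting the decimal value in the comment next to `/* Number of bytes to reseed after */`.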
From: irving at samurai.sfo.dead-dog.com (Irving Popovetsky) Date: Wed, 30 Aug 2000 19:30:36 -0700 Subject: slightly overzealous RNG seeding? In-Reply-To: ; from djm@mindrot.org on Thu, Aug 31, 2000 at 12:39:14PM +1100 References: <20000830184151.B4471@samurai.sfo.dead-dog.com> Message-ID: <20000830193035.A4753@samurai.sfo.dead-dog.com> Cool, that fixed it! I can't believe I missed that one .... Thanks! -Irving On Thu, Aug 31, 2000 at 12:39:14PM +1100, Damien Miller wrote: > On Wed, 30 Aug 2000, Irving Popovetsky wrote: > > > Hello again, > > > > I was testing today's SNAP (openssh-SNAP-20000830.tar.gz) in my > > Solaris 2.6-8 environment, when I found some problems with the ssh2 > > support. > > > > While connecting, it seeds the RNG something like 32 times! And then > > once connected, it seeds again 2 or 3 times with *every* keystroke! This > > makes for some slow going. This happens on all of the Solaris boxes I > > tried. Binary was compiled on 2.6 against OpenSSL 0.9.5a. > > Yes - my mistake: > > Index: bsd-arc4random.c > =================================================================== > RCS file: /var/cvs/openssh/bsd-arc4random.c,v > retrieving revision 1.3 > retrieving revision 1.4 > diff -u -r1.3 -r1.4 > --- bsd-arc4random.c 2000/08/29 22:40:09 1.3 > +++ bsd-arc4random.c 2000/08/30 03:06:35 1.4 > @@ -37,7 +37,7 @@ > #define SEED_SIZE 20 > > /* Number of bytes to reseed after */ > -#define REKEY_BYTES (1 >> 18) > +#define REKEY_BYTES (1 << 18) > > static int rc4_ready = 0; > static RC4_KEY rc4; > > > > -- > | ``The power of accurate observation is | Damien Miller > | commonly called cynicism by those who | @Work > | have not got it'' - George Bernard Shaw | http://www.mindrot.org > From mouring at pconline.com Thu Aug 31 14:50:35 2000 
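What the reversed shift in Damien's REKEY_BYTES fix does at run time, as an added example that is not OpenSSH's bsd-arc4random.c: a simplified model of a generator that reseeds once a byte budget is used up, with the expensive entropy gathering replaced by a counter. The names rng_model, rng_get and count_reseeds are assumptions made for this illustration; the check "reseed when not ready or when no budget is left" is the shape of the test the real generator performs.

```c
/*
 * Added example (not OpenSSH code): a model of a "reseed after N output
 * bytes" generator, to show the effect of the REKEY_BYTES typo.
 * (1 >> 18) is 0, so the budget is exhausted before the first request and
 * every call reseeds; (1 << 18) gives the intended 256 KiB budget.
 */
#include <stddef.h>
#include <stdio.h>

#define REKEY_BYTES_BROKEN (1 >> 18)   /* == 0, the typo */
#define REKEY_BYTES_FIXED  (1 << 18)   /* == 262144, the fix */

struct rng_model {
    long rekey_bytes;       /* budget restored at each reseed */
    long bytes_left;        /* output bytes left before the next reseed */
    int ready;              /* 0 until the first reseed has run */
    unsigned long reseeds;  /* how often the (expensive) reseed ran */
};

void rng_init(struct rng_model *r, long rekey_bytes)
{
    r->rekey_bytes = rekey_bytes;
    r->bytes_left = 0;
    r->ready = 0;
    r->reseeds = 0;
}

/* Stand-in for the stir routine: in the real code this runs external
 * programs and system calls to gather entropy, which is what made every
 * call slow when it happened on each request.  Here it only counts. */
static void rng_stir(struct rng_model *r)
{
    r->reseeds++;
    r->bytes_left = r->rekey_bytes;
    r->ready = 1;
}

/* Hand out n bytes, reseeding first if the budget is gone. */
void rng_get(struct rng_model *r, size_t n)
{
    if (!r->ready || r->bytes_left <= 0)
        rng_stir(r);
    r->bytes_left -= (long)n;
}

/* Number of reseeds caused by `calls` requests of `n` bytes each. */
unsigned long count_reseeds(long rekey_bytes, unsigned long calls, size_t n)
{
    struct rng_model r;
    unsigned long i;

    rng_init(&r, rekey_bytes);
    for (i = 0; i < calls; i++)
        rng_get(&r, n);
    return r.reseeds;
}

int main(void)
{
    /* 1000 four-byte requests, as an interactive session might issue */
    printf("REKEY_BYTES = %d: %lu reseeds for 1000 calls\n",
           REKEY_BYTES_BROKEN, count_reseeds(REKEY_BYTES_BROKEN, 1000, 4));
    printf("REKEY_BYTES = %d: %lu reseeds for 1000 calls\n",
           REKEY_BYTES_FIXED, count_reseeds(REKEY_BYTES_FIXED, 1000, 4));
    return 0;
}
```

With the broken constant the model reseeds on every one of the 1000 calls; with the fixed one it reseeds once at start-up and not again until 256 KiB of output has been consumed.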
From: mouring at pconline.com (Ben Lindstrom)
Date: Wed, 30 Aug 2000 22:50:35 -0500 (CDT)
Subject: [Need help] sshd cannot work on mips-sony-bsd
In-Reply-To: <87hf82jk5s.fsf@nakaji.tutrp.tut.ac.jp>
Message-ID:

On 31 Aug 2000, NAKAJI Hiroyuki wrote:

[..]
> debug: session_new: init
> debug: session_new: session 0
> debug: Allocating pty.
> debug: Entering interactive session.
> error: open /dev/tty failed - could not set controlling tty: No such device or address
[..]

Ermm.. I wonder if vhangup is either broken or returning an error that is not being caught. Or we are trying to move to a tty device that does not exist (but it looks like the wrong section of code for that)

In pty.c around line 247 make this change and see if it yields any helpful data when you run the test again. Otherwise I'm not really sure where to begin to work. I've not spent enough time prowling around in the tty code of OpenSSH (luckily I never had).

+ if (vhangup() < 0)
+ error("vhangup: %.100s",strerror(errno));
+ debug("Attempting to use %s as our tty.",ttyname);
- vhangup();

Ben

From nakaji at tutrp.tut.ac.jp Thu Aug 31 15:58:39 2000
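Review bot: as posted this is not an applicable patch: there is no file header or `@@` hunk header, and the `- vhangup();` removal comes after the three `+` lines that replace it, so it has to be applied by hand and "around line 247" is the only placement hint; a `diff -u` against pty.c would remove that ambiguity. The change itself is the right diagnostic step: `error("vhangup: %.100s",strerror(errno))` surfaces a return value the original `vhangup();` discarded, and the `Attempting to use %s as our tty.` message shows which device is about to be opened, which is exactly what the follow-up log needs.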
From: nakaji at tutrp.tut.ac.jp (NAKAJI Hiroyuki)
Date: 31 Aug 2000 13:58:39 +0900
Subject: [Need help] sshd cannot work on mips-sony-bsd
In-Reply-To: (Ben Lindstrom's message of "Wed, 30 Aug 2000 22:50:35 -0500 (CDT)")
References: <87hf82jk5s.fsf@nakaji.tutrp.tut.ac.jp>
Message-ID: <871yz6jabk.fsf@nakaji.tutrp.tut.ac.jp>

>>>>> In
>>>>> Ben Lindstrom wrote:

> debug: session_new: init
> debug: session_new: session 0
> debug: Allocating pty.
> debug: Entering interactive session.
> error: open /dev/tty failed - could not set controlling tty: No such device or address

Ben> + if (vhangup() < 0)
Ben> + error("vhangup: %.100s",strerror(errno));
Ben> + debug("Attempting to use %s as our tty.",ttyname);
Ben> - vhangup();

I checked this. The message changed a little but...

debug: session_new: init
debug: session_new: session 0
debug: Allocating pty.
debug: Entering interactive session.
debug: Attempting to use /dev/ttyp3 as our tty. <--
debug: no set_nonblock for tty fd 7
error: open /dev/tty failed - could not set controlling tty: No such device or address
debug: no set_nonblock for tty fd 11
debug: server_init_dispatch_13
debug: server_init_dispatch_15
[...]

Things do not go well.

Ben> Ermm.. I wonder if vhangup is either broken or returning an error that is
Ben> not being caught. Or we are trying to move to a tty device that does
Ben> not exist (but it looks like the wrong section of code for that)

I read vhangup(2); it says

BUGS
Access to the control terminal via /dev/tty is still possible. This call should be replaced by an automatic mechanism that takes place on process exit.

Is this what you wonder? There is /dev/tty.

$ ls -l /dev/tty
crw-rw-rw- 1 root wheel 2, 0 Jun 23 15:20 /dev/tty

-- 
NAKAJI Hiroyuki

From oetiker at ee.ethz.ch Thu Aug 31 16:34:00 2000
From: oetiker at ee.ethz.ch (Tobias Oetiker)
Date: Thu, 31 Aug 2000 07:34:00 +0200 (MET DST)
Subject: [openssh] Re: [openssh] Re: SNAP-2000082900
In-Reply-To: <20000831002551.A30773@folly.informatik.uni-erlangen.de>
Message-ID:

Today you sent me mail regarding [openssh] Re: [openssh] Re: SNAP-2000082900:

*> i think the server should
*> signal(SIGPIPE, SIG_IGN) in serverloop.c/server_loop{2}(), or
*> earlier and restore the default
*> signal(SIGPIPE, SIG_DFL) in sshd.c after the child is fork'ed.
*>
*> On Wed, Aug 30, 2000 at 08:22:20AM +0200, Tobias Oetiker wrote:
*> > OK ... this issue is really getting to me ... so I debugged it ...
*> > here is the patch ... the problem seems to be that the motif app
*> > exits so fast that it is already gone when sshd still tries to
*> > send data to the remote xserver or something of that ilk ...
*> > probably the error is somewhere deeper inside the x11 forwarding
*> > code as I expect the remote ssh should actually tell the sshd that
*> > a channel has been closed ...
*> >
*> > --- channels.c.orig Wed Aug 30 07:42:11 2000
*> > +++ channels.c Wed Aug 30 08:09:30 2000
*> 
> @@ -686,9 +686,17 @@
*> > if (c->wfd != -1 &&
*> > FD_ISSET(c->wfd, writeset) &&
*> > buffer_len(&c->output) > 0) {
*> > + void *oldhandler;
*> > + int errsave;
*> > + /* maybe the other end is dead so we would get SIGPIPE
*> > + which would be fatal. We don't want this, so lets
*> > + ignore it for now and reset the handler afterwards */
*> > + oldhandler = signal (SIGPIPE, SIG_IGN);
*> > len = write(c->wfd, buffer_ptr(&c->output),
*> > buffer_len(&c->output));
*> > - if (len < 0 && (errno == EINTR || errno == EAGAIN))
*> > + errsave = errno;
*> > + signal (SIGPIPE, oldhandler);
*> > + if (len < 0 && (errsave == EINTR || errsave == EAGAIN || errsave==EPIPE))
*> > return 1;
*> > if (len <= 0) {
*> > if (compat13) {

As mentioned above I have been thinking about why this could happen at all. Here is my theory.

Upon exit, the application (or sshd x11 forwarding code) somehow removes its session from the remote Xserver or remote ssh (maybe this is done differently by motif apps than other toolkits); the remote server complies with the wish of the app and closes the session. Then the sshd end wants to send some more data. Often this works because the session has not been closed yet, but sometimes the remote session is gone already and therefore sshd gets SIGPIPE. Obviously sshd must not die upon this event and should thus ignore SIGPIPE. But I suspect that the event should not occur at all under these circumstances ...
cheers tobi *> > *> > cheers *> > tobi *> > *> > -- *> > ______ __ _ *> > /_ __/_ / / (_) Oetiker, Timelord & SysMgr @ EE-Dept ETH-Zurich *> > / // _ \/ _ \/ / TEL: +41(0)1-6325286 FAX:...1517 ICQ: 10419518 *> > /_/ \.__/_.__/_/ oetiker at ee.ethz.ch http://ee-staff.ethz.ch/~oetiker *> > *> > *> *> -- ______ __ _ /_ __/_ / / (_) Oetiker, Timelord & SysMgr @ EE-Dept ETH-Zurich / // _ \/ _ \/ / TEL: +41(0)1-6325286 FAX:...1517 ICQ: 10419518 /_/ \.__/_.__/_/ oetiker at ee.ethz.ch http://ee-staff.ethz.ch/~oetiker From pekkas at netcore.fi Thu Aug 31 16:42:58 2000 From: pekkas at netcore.fi (Pekka Savola) Date: Thu, 31 Aug 2000 08:42:58 +0300 (EEST) Subject: assorted issues with 2.1.1p4... In-Reply-To: Message-ID: On Wed, 30 Aug 2000, James Ralston wrote: > 4. If X11 forwarding is being used, and an X11 application is being > forwarded across the secure channel, occasionally shutting down > that application causes the sshd process to crash. [snip] > > I've made an attempt to look at issue #4, but so far, I've been unable > to catch the sshd process in the act of crashing; it seems that the > problem doesn't occur when the sshd process in question is being > traced. I'm not even sure what signal sshd is dying on. I'll report > back once I have more definite information, but until then, has anyone > run into what they think might be the same problem? Do you mean that the main sshd process dies, or the one handling your connection? For what it's worth, when doing heavy X11Forwarding, the latter happens to me almost daily. Connecting with SecureCRT 3.1 to commercial SSH-1.2.25. I've only noticed this with SecureCRT (not that I do much X11 forwarding from anywhere else). So this might be a little more generic problem ... -- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and fall" From aspa at kronodoc.fi Thu Aug 31 16:50:00 2000 
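The failure mode behind Tobias's theory and Markus's suggestion above (the peer is already gone, sshd writes to the channel anyway, and the default SIGPIPE action kills the process), as an added example that is not OpenSSH code: with SIGPIPE ignored, a write() to a pipe whose read end is closed returns -1 with errno set to EPIPE and the process survives, which is what gives the channel loop a chance to close the channel cleanly. The names write_to_dead_peer and classify_write_error are assumptions for this illustration, and treating EPIPE as "close the channel" rather than "retry" is this example's design choice, not something the thread settles.

```c
/*
 * Added example (not OpenSSH code): what a server sees when it writes to a
 * peer that has already gone away, once SIGPIPE is ignored.
 * Build: cc -o epipe epipe.c   (POSIX pipe(), write(), signal())
 */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Write to a pipe whose read end is already closed, standing in for a
 * forwarded X11 connection whose other side exited.  Returns the errno the
 * write() produced (EPIPE is expected), or 0 if it unexpectedly succeeded. */
int write_to_dead_peer(void)
{
    int fds[2];
    ssize_t len;
    int saved_errno;
    void (*oldhandler)(int);   /* signal() returns a function pointer, not void * */

    if (pipe(fds) < 0)
        return errno;
    close(fds[0]);             /* the "peer" goes away */

    /* With the default action, the kernel would deliver SIGPIPE and
     * terminate us here; write() would never get to report EPIPE. */
    oldhandler = signal(SIGPIPE, SIG_IGN);
    len = write(fds[1], "data", 4);
    saved_errno = errno;       /* save before any other call can clobber it */
    signal(SIGPIPE, oldhandler);
    close(fds[1]);

    return len < 0 ? saved_errno : 0;
}

/* How a channel write loop should react to a failed write: transient
 * conditions are retried later, a dead peer means the channel is closed. */
enum write_outcome { WRITE_RETRY, WRITE_CLOSE_CHANNEL };

enum write_outcome classify_write_error(int err)
{
    if (err == EINTR || err == EAGAIN)
        return WRITE_RETRY;
    return WRITE_CLOSE_CHANNEL;   /* EPIPE, and anything else unexpected */
}

int main(void)
{
    int err = write_to_dead_peer();

    printf("write() failed with errno %d (%s); channel action: %s\n",
           err, strerror(err),
           classify_write_error(err) == WRITE_RETRY ? "retry later"
                                                     : "close channel");
    return 0;
}
```

A long-lived server normally sets SIG_IGN once at start-up instead of around each write, as Markus proposes; the per-write save and restore here is only so the example leaves the process's signal disposition as it found it.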
From: aspa at kronodoc.fi (Marko Asplund)
Date: Thu, 31 Aug 2000 08:50:00 +0300 (EEST)
Subject: 'ssh -f' option, interoperability with ssh v2.3.0
Message-ID:

i'm trying to use the ssh command's -f option with OpenSSH v2.1.1p4 on linux (RedHat v6.2). this option doesn't seem to be working properly on my system - the specified is run successfully but it isn't put to the background. is this a known problem?

also, OpenSSH doesn't seem to interoperate with SSH Communications Security's ssh v2.3.0 (apparently because of different opinions about HMAC sizes). this can be fixed in the (ssh v2.3.0) configuration files by specifying:

MACs hmac-md5

but is there any work being done for fixing this problem on OpenSSH's part?

best regards,
-- 
aspa

From aspa at kronodoc.fi Thu Aug 31 16:57:14 2000
From: aspa at kronodoc.fi (Marko Asplund)
Date: Thu, 31 Aug 2000 08:57:14 +0300 (EEST)
Subject: 'ssh -f' option, interoperability with ssh v2.3.0
In-Reply-To:
Message-ID:

On Thu, 31 Aug 2000, Marko Asplund wrote:

> i'm trying to use the ssh command's -f option with OpenSSH v2.1.1p4 on
> linux (RedHat v6.2). this option doesn't seem to be working properly on my
> system - the specified is run successfully but it isn't put to the
> background. is this a known problem?

this only happens with ssh protocol 2.

-- 
aspa

From loomisg at cist.saic.com Thu Aug 31 02:05:39 2000
From: loomisg at cist.saic.com (Rip Loomis)
Date: Wed, 30 Aug 2000 11:05:39 -0400
Subject: OpenSSH port question
In-Reply-To: <200008300829.MAA11841@post.eltech.ru>
Message-ID: <003101c01293$c2e9ab40$275346d1@rloomis.cist.saic.com>

Andy--

This should be in an FAQ somewhere, but here's a quick summary of the situation:

1. OpenSSH ("basic") is principally maintained by the OpenBSD developers. Relevant fixes from the portable version *may* be incorporated if they are applicable to OpenBSD, but there is a specific intent to keep the OpenBSD version clean of the #ifdefs that make the ssh.com 1.2.x code so troublesome to follow/audit.

2. The OpenSSH Portability Team has taken the "clean" OpenBSD implementation and modified it as required to allow compilation and support on other platforms. Again, there is a specific interest in keeping the diffs clean and minimal, but there are obviously changes that need to be incorporated. Damien Miller and other folks in the portability team communicate with the upstream (essentially OpenBSD) developers to keep things in sync.

3. OpenSSH has already been ported to NeXT and CygWin (Win32 + Cygnus support libraries), so I think that what you want to do is possible. Not sure whether the CygWin port might already include terminal emulation--I use PuTTY as my Win32 client.

Bottom line--I would recommend that you submit your patches to Damien via the list. That's what seems to be working for other folks right now. Obviously, if you've got 100K of code, it might be better to put it up for download and send a pointer.

Hope this helps--

Rip Loomis
Voice Number: (410) 953-6874
--------------------------------------------------------
Senior Systems Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com

-----Original Message-----
From: Andrew Zabolotny [mailto:bit at eltech.ru]
Sent: Wednesday, August 30, 2000 4:34 AM
To: openssh-unix-dev-list at mindrot.org
Subject: OpenSSH port question

Good day!

A little time ago I ported the "original" ssh 1.2.30 to OS/2. Unfortunately, I was misled by the gnu-COPYING-GPL file that is present in the ssh root dir, and thus was under the impression that ssh is GPL as well. I was shaken when I discovered my mistake :-) This basically made it unusable for many users who want to use ssh in commercial environments. Thus I decided to port OpenSSH to OS/2, to get a really free ssh.

After looking at your web site I've found that there are two flavours of openssh: the OpenBSD and the "portable" version. Thus I have the question: which flavour should I base my work upon? I could derive it from "portable" ssh, but I believe I will hardly find a single common line between other OS-es and OS/2. In general, I prefer to avoid all kinds of ugly #ifdef's spread across the code. They make sense only for code which is shared by more than one platform; for OS/2-specific code I'm going to write several additional modules, as I did for original ssh/sshd. This includes a terminal emulator (um... maybe it would be helpful for other platforms as well which don't have "built-in" terminals), a file-system path translator (which maps all kinds of "/etc" and "/dev") and a misc module for the rest of compatibility stuff.

I'm a little worried by the two flavours being developed at the same time. How do you "refresh" the "base" of the openssh in the "portable" version? Having two separate versions forces you to synchronize these two versions often; who's in charge of this?

Ok, I'll stop here for now.

Greetings,
_\ndy at teamOS/2

From Markus.Friedl at informatik.uni-erlangen.de Thu Aug 31 18:55:05 2000
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 31 Aug 2000 09:55:05 +0200
Subject: 'ssh -f' option, interoperability with ssh v2.3.0
In-Reply-To: ; from aspa@kronodoc.fi on Thu, Aug 31, 2000 at 08:50:00AM +0300
References:
Message-ID: <20000831095505.A17463@faui02.informatik.uni-erlangen.de>

On Thu, Aug 31, 2000 at 08:50:00AM +0300, Marko Asplund wrote:
> i'm trying to use the ssh command's -f option with OpenSSH v2.1.1p4 on
> linux (RedHat v6.2). this option doesn't seem to be working properly on my
> system - the specified is run successfully but it isn't put to the
> background. is this a known problem?
>
> also, OpenSSH doesn't seem to interoperate with SSH Communications
> Security's ssh v2.3.0 (apparently because of different opinions about HMAC
> sizes). this can be fixed in the (ssh v2.3.0) configuration files by
> specifying:
>
> MACs hmac-md5
>
> but is there any work being done for fixing this problem on OpenSSH's
> part?

yes. OpenSSH and ssh.com-2.3.0 disagree on how hmac-sha1 should be implemented. OpenSSH-2.2.0 detects ssh.com-2.3.0 and uses their scheme.

the next release implements '-f' for protocol 2, too.