From marc.fournier at acadiau.ca Sat Jan 1 01:06:56 2000 
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Fri, 31 Dec 1999 10:06:56 -0400 (AST)
Subject: ANNOUNCE: openssh-1.2.1pre24

Upgraded to this one, got it compiled and installed, and now I'm getting:

> ssh dragon
Local: Corrupted check bytes on input.

dragon:/var/src/openssh-1.2.1pre24> /usr/slocal/sbin/sshd -d
debug: sshd version OpenSSH-1.2.1
Server listening on port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 131.162.138.223 port 636
debug: Client protocol version 1.5; client software version 1.2.26
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
Disconnecting: Corrupted check bytes on input.
debug: Calling cleanup 0x806028c(0x0)

Tried regenerating the server key, and removing it from my .ssh/known_hosts
and regenerating there...no change...

Not sure where else to look ...

On Fri, 31 Dec 1999, Damien Miller wrote:

> openssh-1.2.1pre24 is being uploaded to:
>
> http://violet.ibs.com.au/openssh/files/
>
> This release fixes the silly bugs (almost all autoconf related) that
> crept into yesterday's release.
>
> 19991231
> - Fix password support on systems with a mixture of shadowed and
> non-shadowed passwords (e.g. NIS). Report and fix from
> HARUYAMA Seigo
> - Fix broken autoconf typedef detection. Report from Marc G.
> Fournier
> - Fix occasional crash on LinuxPPC. Patch from Franz Sirl
> - Prevent typedefs from being compiled more than once. Report from
> Marc G. Fournier
> - Fill in ut_utaddr utmp field. Report from Benjamin Charron
> - Really fix broken default path. Fix from Jim Knoble
> - Remove test for quad_t. No longer needed.
>
> Regards,
> Damien
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University

"These are my opinions, which are not necessarily shared by my employer"

From andre.lucas at dial.pipex.com Sat Jan 1 01:54:51 2000
From: andre.lucas at dial.pipex.com (Andre Lucas) Date: Fri, 31 Dec 1999 14:54:51 +0000 Subject: ANNOUNCE: openssh-1.2.1pre24 In-Reply-To: ; from djm@mindrot.org on Fri, Dec 31, 1999 at 10:46:34AM +1100 References: Message-ID: <19991231145451.B1067@internal.domain> On Fri, Dec 31, 1999 at 10:46:34AM +1100, Damien Miller wrote: > > openssh-1.2.1pre24 is being uploaded to: > HPUX status: - compile problem, patch follows. - utmp is now registering logins on the ptys (well done), but not logouts. I'll look into it. - manpages still broken, I hope to have a fix for that (probably precompile them :-( ) today - fixpaths is run twice, once at the end of a 'make', and again for a 'make install' HPUX croaks, as I suspect will other plats, at a multi-include of defines.h . Fair enough, I suppose. A patch follows, though I doubt it's necessary in this case :-) Here's the trace: includes.h ... bsd-misc.h config.h defines.h .h config.h defines.h -> error. ... config.h defines.h -> error. The patch fixes the current compile problem. IMO other includes, particularly config.h, should have guards as well. An equally good fix may be to stop .h files including config.h, as the .c should probably do that. -Andre --- openssh-1.2.1pre24.orig/defines.h Thu Dec 30 22:55:34 1999 +++ openssh-1.2.1pre24.new/defines.h Fri Dec 31 14:35:12 1999 @@ -1,3 +1,6 @@ +#ifndef __DEFINES_H__ +#define __DEFINES_H__ + /* Necessary headers */ #include /* For u_intXX_t */ @@ -223,4 +226,6 @@ #else # define PAM_STRERROR(a,b) pam_strerror((a),(b)) #endif + +#endif /* __DEFINES_H__ */ -- Andre Lucas http://dspace.dial.pipex.com/andre.lucas/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 232 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991231/e3bf9804/attachment.bin From andre.lucas at dial.pipex.com Sat Jan 1 01:59:05 2000 
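Review bot: the guard macro `__DEFINES_H__` added in the first hunk uses a leading double underscore, a name form C reserves for the implementation, so a plain `DEFINES_H` (and the matching `#endif /* __DEFINES_H__ */` comment in the second hunk) avoids any clash with compiler or libc headers. The guard does stop the double inclusion in the trace above (includes.h -> bsd-misc.h -> config.h -> defines.h, then config.h -> defines.h again), but as the message itself points out config.h is still unguarded, so the next header that pulls it in twice will hit the same error; either guard config.h as well or, as suggested, drop the config.h includes from the headers and let the .c files do it.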
From: andre.lucas at dial.pipex.com (Andre Lucas) Date: Fri, 31 Dec 1999 14:59:05 +0000 Subject: ANNOUNCE: openssh-1.2.1pre24 In-Reply-To: ; from bent@clark.net on Thu, Dec 30, 1999 at 11:08:24PM -0500 References: Message-ID: <19991231145905.C1067@internal.domain> I've sent along another patch on this subject (same thread.) I think the problem here is the multi-include, not the __.*int.* defines. With a multi-include guard around defines.h, the problem goes away. Ta, -Andre On Thu, Dec 30, 1999 at 11:08:24PM -0500, Ben Taylor wrote: > > This is a patch to avoid the redefinition of the uintxx_t structures. > > Ben > > --- defines.h.ORIG Thu Dec 30 23:05:41 1999 > +++ defines.h Thu Dec 30 23:06:35 1999 > @@ -61,7 +61,7 @@ > # else > # if (SIZEOF_LONG_LONG_INT == 8) > typedef long long int int64_t; > -# define HAVE_INTXX_T > +# define HAVE_INTXX_T 1 > # else > # error "64 bit int type not found." > # endif > @@ -74,6 +74,7 @@ > typedef uint16_t u_int16_t; > typedef uint32_t u_int32_t; > typedef uint64_t u_int64_t; > +# define HAVE_U_INTXX_T 1 > # else > # if (SIZEOF_SHORT_INT == 2) > typedef unsigned short int u_int16_t; > -- Andre Lucas http://dspace.dial.pipex.com/andre.lucas/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 232 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991231/56ff3f97/attachment.bin From marc.fournier at acadiau.ca Sat Jan 1 02:30:39 2000 
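Review bot: the second hunk adds `# define HAVE_U_INTXX_T 1` only inside the branch where the `uintXX_t` typedefs exist; the `# else` branch that starts typedef'ing `u_int16_t` from `unsigned short int` is visible but shows no matching define, so check that every branch which ends up providing the `u_intXX_t` types sets the macro the same way, otherwise later `#ifdef HAVE_U_INTXX_T` tests will differ between platforms. Changing `# define HAVE_INTXX_T` to `# define HAVE_INTXX_T 1` in the first hunk only makes `#if HAVE_INTXX_T` style tests work; it does not stop a second inclusion of defines.h from re-typedef'ing the types, which, as the reply notes, is the actual cause and is addressed at the root by the include guard.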
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Fri, 31 Dec 1999 11:30:39 -0400 (AST)
Subject: Ack...OpenSSH no longer compatible with SSH 1.2.26 clients?

I just tried, on a whim, to use an OpenSSH client vs SSH 1.2.26 client,
and I can connect with it...

Something drastic change between pre23 and pre24? Then again, I can't get
pre23 to work anymore either, after further investigation :( OpenSSH
clients connect no problem, just not the old SSH 1.2.26 clients ...

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University

"These are my opinions, which are not necessarily shared by my employer"

From marc.fournier at acadiau.ca Sat Jan 1 02:46:36 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Fri, 31 Dec 1999 11:46:36 -0400 (AST)
Subject: Ack...OpenSSH no longer compatible with SSH 1.2.26 clients?

Yup, just checked a few other hosts connecting in...I can connect from any
host that has OpenSSH installed to the server in question, but not from a
host that has the older 1.2.26 clients installed :(

On Fri, 31 Dec 1999, Marc G. Fournier wrote:

> I just tried, on a whim, to use an OpenSSH client vs SSH 1.2.26 client,
> and I can connect with it...
>
> Something drastic change between pre23 and pre24? Then again, I can't get
> pre23 to work anymore either, after further investigation :( OpenSSH
> clients connect no problem, just not the old SSH 1.2.26 clients ...
>
> Marc G. Fournier                   marc.fournier at acadiau.ca
> Senior Systems Administrator       Acadia University
>
> "These are my opinions, which are not necessarily shared by my employer"

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University

"These are my opinions, which are not necessarily shared by my employer"

From dugsong at monkey.org Sun Jan 2 06:51:57 2000
From: dugsong at monkey.org (Dug Song)
Date: Sat, 1 Jan 2000 14:51:57 -0500 (EST)
Subject: OpenSSH protocol 1.6 proposal

On Sat, 1 Jan 2000, Brian Fundakowski Feldman wrote:

> http://www.FreeBSD.org/~green/openssh.SHA-1.patch
> MD5 (public_html/openssh.SHA-1.patch) = e21a896f59474a31ab3b9103acf44c35
>
> P.S.: I realize other people may have proposed something very similar.
> Indeed, markus's proposal may be something like this. However,
> since it's impossible to work with anyone who is Theo, or
> "under" Theo, it's unrealistic to work with that. Hence the
> reason we need to make a code fork of OpenSSH as soon as
> convenient.

i'm sorry you feel this way. so far, the OpenBSD OpenSSH developers and
the Linux/Solaris/etc. OpenSSH developers led by Damien Miller have been
getting along just fine. we hereby cordially invite you to join the party!

http://violet.ibs.com.au/openssh/list.html

best wishes for the new year.

-d.

---
http://www.monkey.org/~dugsong/

From green at FreeBSD.org Sun Jan 2 08:37:07 2000
From: green at FreeBSD.org (Brian Fundakowski Feldman)
Date: Sat, 1 Jan 2000 16:37:07 -0500 (EST)
Subject: OpenSSH protocol 1.6 proposal

On Sat, 1 Jan 2000, Dug Song wrote:

> On Sat, 1 Jan 2000, Brian Fundakowski Feldman wrote:
>
> > http://www.FreeBSD.org/~green/openssh.SHA-1.patch
> > MD5 (public_html/openssh.SHA-1.patch) = e21a896f59474a31ab3b9103acf44c35
> >
> > P.S.: I realize other people may have proposed something very similar.
> > Indeed, markus's proposal may be something like this. However,
> > since it's impossible to work with anyone who is Theo, or
> > "under" Theo, it's unrealistic to work with that. Hence the
> > reason we need to make a code fork of OpenSSH as soon as
> > convenient.
>
> i'm sorry you feel this way. so far, the OpenBSD OpenSSH developers and
> the Linux/Solaris/etc. OpenSSH developers led by Damien Miller have been
> getting along just fine. we hereby cordially invite you to join the party!
>
> http://violet.ibs.com.au/openssh/list.html
>
> best wishes for the new year.

Have you, personally, ever tried to talk to Theo? I know I'm not the
only one who has tried, and only gotten flames in response. I don't
think someone like that should be the head of any project, and it's
truly impossible to work with such a... person.

Now, if you come to tell me there's a way to actually discuss things
with rational human beings, not having to deal with flaming egomaniacs,
I am all ears! I would love to have more people to work with, where
the people could actually remain civil.

> -d.
>
> ---
> http://www.monkey.org/~dugsong/

--
Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
green at FreeBSD.org                 `------------------------------'

From damien at ibs.com.au Sun Jan 2 11:46:43 2000
From: damien at ibs.com.au (Damien Miller)
Date: Sun, 02 Jan 2000 11:46:43 +1100
Subject: [Fwd: openssh-1.2.1pre24 ssh-agent buglet]
Message-ID: <386E9FF3.39665760@ibs.com.au>

This patch may be suitable for inclusion in the OpenBSD tree.

Regards,
Damien

-------------- next part --------------
An embedded message was scrubbed...
From: Dean Gaudet
Subject: openssh-1.2.1pre24 ssh-agent buglet
Date: Fri, 31 Dec 1999 19:41:01 -0800 (PST)
Size: 1729
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000102/f28122c2/attachment.mht

From mhw at wittsend.com Sun Jan 2 15:57:21 2000
From: mhw at wittsend.com (Michael H. Warfield)
Date: Sat, 1 Jan 2000 23:57:21 -0500
Subject: OpenSSH protocol 1.6 proposal
In-Reply-To: ; from green@FreeBSD.org on Sat, Jan 01, 2000 at 04:37:07PM -0500
Message-ID: <20000101235721.A15256@alcove.wittsend.com>

On Sat, Jan 01, 2000 at 04:37:07PM -0500, Brian Fundakowski Feldman wrote:
> On Sat, 1 Jan 2000, Dug Song wrote:
> > On Sat, 1 Jan 2000, Brian Fundakowski Feldman wrote:
> > > http://www.FreeBSD.org/~green/openssh.SHA-1.patch
> > > MD5 (public_html/openssh.SHA-1.patch) = e21a896f59474a31ab3b9103acf44c35
> > > P.S.: I realize other people may have proposed something very similar.
> > > Indeed, markus's proposal may be something like this. However,
> > > since it's impossible to work with anyone who is Theo, or
> > > "under" Theo, it's unrealistic to work with that. Hence the
> > > reason we need to make a code fork of OpenSSH as soon as
> > > convenient.
> > i'm sorry you feel this way. so far, the OpenBSD OpenSSH developers and
> > the Linux/Solaris/etc. OpenSSH developers led by Damien Miller have been
> > getting along just fine. we hereby cordially invite you to join the party!
> > http://violet.ibs.com.au/openssh/list.html
> > best wishes for the new year.
> Have you, personally, ever tried to talk to Theo? I know I'm not the
> only one who has tried, and only gotten flames in response. I don't

As a matter of fact I have. Theo and I shared more than a few beers
down in San Antonio at the Usenix Security Symposium a while back. I
found that he was just as opinionated and arrogant as I was. I quickly
figured out that one did NOT come to debate one's position with Theo
unless one was fully prepared to defend one's position. I like that man!
I don't agree with him on all points and we may send some people
scrambling for 911 when we debate, but I like him. He knows his position
and he IS prepared to debate it and defend it.

Anyone who attempts to argue with him who is not prepared is engaging
in a self-inflicted injury. I don't know and don't really care if he
remembers our debates (hell, it was 2 in the morning). He has my
respect, whether I agree with him or not.

> think someone like that should be the head of any project, and it's
> truly impossible to work with such a... person.

Excuse "my french" at this point.

No... He is easy to work with... I know plenty of assholes who don't
know jack shit about what they are managing, but they are "the manager".
THEY are impossible to work with. I have watched at least one totally
incompetent moron, whose sole goal in life is to be a role model for a
Dilbert comic strip, totally destroy a corporate position with regard to
platforms and support. This man micromanaged by "buzzword". Buzzword
bingo is no fun when everyone goes ballistic five minutes into one of
his monologs.

I would work under Theo in a heartbeat, even if they had to call the
goon squad to keep us from throttling each other. Theo knows his shit
and is prepared to defend his position. Anyone who argues with him and
is NOT prepared to do the same gets what they deserve.

> Now, if you come to tell me there's a way to actually discuss things
> with rational human beings, not having to deal with flaming egomaniacs,
> I am all ears! I would love to have more people to work with, where
> the people could actually remain civil.

I had this with Theo. If you are prepared to defend your ideas and are
prepared to LISTEN to his, you CAN have a productive debate with him.
You will not win all the arguments. You may even win a few points with
him. You may even part as friends (I hope I can claim that). He may
concede some points and learn some things and so may you. You DON'T
engage him in debate to convince him of something. You engage him in
debate expecting that you BOTH MIGHT learn something. And you will...

> > -d.
> > ---
> > http://www.monkey.org/~dugsong/
> --
> Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
> green at FreeBSD.org                 `------------------------------'

Mike
--
Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
(The Mad Wizard)       |  (770) 331-2437   |  http://www.wittsend.com/mhw/
NIC whois: MHW9        |  An optimist believes we live in the best of all
PGP Key: 0xDF1DD471    |  possible worlds. A pessimist is sure of it!

From green at FreeBSD.org Sun Jan 2 17:00:17 2000
From: green at FreeBSD.org (Brian Fundakowski Feldman)
Date: Sun, 2 Jan 2000 01:00:17 -0500 (EST)
Subject: OpenSSH protocol 1.6 proposal
In-Reply-To: <20000101235721.A15256@alcove.wittsend.com>

I'm sorry for bringing this up under all these public eyes. Let me suffice
it to say that all the communication so far I have had with Theo regarding
OpenSSH has come down to (on my receiving side):

a. name-calling
b. NIHism
c. ignoring of all technical arguments
d. "religious" issues
e. "disappearing" from a discussion when proven wrong

Therefore, I do not find it unreasonable to state that it is nearly
impossible to try to communicate with him. I had no bias at all, but what
I've experienced from attempting rational discussion with him has
obviously given me an opinion. I'd be elated if it were possible to have a
rational discussion with him. I suppose if I wasn't affiliated with the
FreeBSD project, I might be able to. All the evidence of possibility of
rational discussion, so far, has pointed to there being none.

--
Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
green at FreeBSD.org                 `------------------------------'

From drankin at bohemians.lexington.ky.us Sun Jan 2 22:15:48 2000
From: drankin at bohemians.lexington.ky.us (David Rankin)
Date: Sun, 2 Jan 2000 06:15:48 -0500
Subject: OpenSSH protocol 1.6 proposal
In-Reply-To: ; from Brian Fundakowski Feldman on Sun, Jan 02, 2000 at 01:00:17AM -0500
References: <20000101235721.A15256@alcove.wittsend.com>
Message-ID: <20000102061545.A1691@rumpole.bohemians.lexington.ky.us>

On Sun, Jan 02, 2000 at 01:00:17AM -0500, Brian Fundakowski Feldman wrote:
> I'm sorry for bringing this up under all these public eyes. Let me suffice
> it to say that all the communication so far I have had with Theo regarding
> OpenSSH has come down to (on my receiving side):
*rest deleted*

Since I've never dealt with Theo, I won't comment on the ability (or lack
thereof) of Theo to hold a public discussion with others.

What I AM concerned about is the discussion of a possible 1.6 protocol.
Since the openssh-dev-list was never involved in that discussion, could
someone please let us know the details.

Speaking completely without facts, I am personally skeptical about
enhancing the 1.x protocol when all of the standards processes are
focused on getting 2.0 out the door. That said, I am willing to be
convinced on the matter.

Thanks,
David
--
David W. Rankin, Jr.  Husband, Father, and UNIX Sysadmin.
Email: drankin at bohemians.lexington.ky.us   Address/Phone Number: Ask me.
"It is no great thing to be humble when you are brought low; but to be
humble when you are praised is a great and rare accomplishment." St. Bernard

From djm at mindrot.org Sun Jan 2 23:22:56 2000
From: djm at mindrot.org (Damien Miller)
Date: Sun, 2 Jan 2000 23:22:56 +1100 (EST)
Subject: Ack...OpenSSH no longer compatible with SSH 1.2.26 clients?

On Fri, 31 Dec 1999, Marc G. Fournier wrote:

> Yup, just checked a few other hosts connecting in...I can connect
> from any host that has OpenSSH installed to the server in question,
> but not from a host that has the older 1.2.26 clients installed :(

I can't replicate this behaviour.

Can you turn on maximum debugging for both the server and the
client and tell me what it says during a failed connect attempt?

Thanks,
Damien

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Sun Jan 2 23:43:49 2000
From: djm at mindrot.org (Damien Miller)
Date: Sun, 2 Jan 2000 23:43:49 +1100 (EST)
Subject: Ack...OpenSSH no longer compatible with SSH 1.2.26 clients?

On Fri, 31 Dec 1999, Marc G. Fournier wrote:

> I just tried, on a whim, to use an OpenSSH client vs SSH 1.2.26
> client, and I can connect with it...
>
> Something drastic change between pre23 and pre24? Then again, I
> can't get pre23 to work anymore either, after further investigation
> :( OpenSSH clients connect no problem, just not the old SSH 1.2.26
> clients ...

Very strange - I cannot see what change between pre23 and pre24
could possibly cause this. Are you sure it was working with pre23?

Damien

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From markus.friedl at informatik.uni-erlangen.de Sun Jan 2 23:42:42 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 2 Jan 2000 13:42:42 +0100
Subject: TCP port forwarding troubles?
In-Reply-To: <199912301022.CAA10614@homer.ka9q.ampr.org>
References: <199912301022.CAA10614@homer.ka9q.ampr.org>
Message-ID: <20000102134242.A6241@folly.informatik.uni-erlangen.de>

On Thu, Dec 30, 1999 at 02:22:09AM -0800, Phil Karn wrote:
> Before I dig into the problem, has anyone else out there heavily
> exercised TCP port forwarding in openssh?

yes, i experience this, too, but no, i did not look into this yet.
i am using portforwarding for connections to webproxies, too.

i think, the problem has been fixed in ssh-1.2.2x since i remember
having the same problem with older versions of the 1.2.x family.

note that all the forwarded channels are locked, but you still can
control ssh with the ~ escape character and list all forwarded
connections.

-markus

Supported escape sequences:
~.  - terminate connection
~^Z - suspend ssh
~#  - list forwarded connections
~&  - background ssh (when waiting for connections to terminate)
~?  - this message
~~  - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)

From markus.friedl at informatik.uni-erlangen.de Sun Jan 2 23:51:54 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 2 Jan 2000 13:51:54 +0100
Subject: Patch to use Dante socks library
In-Reply-To: <19991229113239.A19471@rumpole.bohemians.lexington.ky.us>
References: <19991229113239.A19471@rumpole.bohemians.lexington.ky.us>
Message-ID: <20000102135154.A6648@folly.informatik.uni-erlangen.de>

On Wed, Dec 29, 1999 at 11:32:40AM -0500, David Rankin wrote:
> Since I use the Dante SOCKS library (instead of the NEC libraries), I
> decided to hack support for them into OpenSSH. Here is the results.

hello,

a general purpose program that can be used as a ProxyCommand in ssh(1)
would be more useful since it does not require recompilation.

-markus

From markus.friedl at informatik.uni-erlangen.de Mon Jan 3 01:12:08 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 2 Jan 2000 15:12:08 +0100
Subject: OpenSSH protocol 1.6 proposal
In-Reply-To: <20000102061545.A1691@rumpole.bohemians.lexington.ky.us>
References: <20000101235721.A15256@alcove.wittsend.com> <20000102061545.A1691@rumpole.bohemians.lexington.ky.us>
Message-ID: <20000102151208.A21548@folly.informatik.uni-erlangen.de>

On Sun, Jan 02, 2000 at 06:15:48AM -0500, David Rankin wrote:
> Speaking completely without facts, I am personally skeptical about
> enhancing the 1.x protocol when all of the standards processes are
> focused on getting 2.0 out the door. That said, I am willing to be
> convinced on the matter.

i have put the latest revisions of my SSH 1.6 patches to
http://wwwcip.informatik.uni-erlangen.de/~msfriedl/openssh/

basically they consist of:

(1) CRC is replaced with hmac-sha1 + sequence-numbers. the bytes
    needed for the hmac-key are taken from the shared session-key

(2) authentication for parameters passed in the clear: the session-id
    is extended from

        session_id := MD5 (host_key_n |session_key_n|cookie);

    to

        session_id := MD5 (host_key_n |session_key_n|
                           supported_ciphers|supported_authentications|
                           client_flags|server_flags|
                           client_version_string|server_version_string|
                           cookie);

and yes, having openssh speak SSH-2.0 would be nice.
mail me if you are interested in helping implement 2.0.

-markus

From mouring at pconline.com Mon Jan 3 06:18:22 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Sun, 2 Jan 2000 13:18:22 -0600 (CST)
Subject: OpenSSH and NeXT (Black hardware)

Anyone working on a port of OpenSSH to NeXT (I have a 3.3 Workstation at
home)?

I started looking around and there are a few things that may need a bit of
helping (NeXT version of GCC in the 3.3 days requires a bit more work to
pass functions around as pointers and it looks like the compiler does not
protect the header files from being recursively entered). I think the main
thing would be to add the NetInfo logic into it.

Just wondering so I don't do too much double work.

Thanks

Ben

From green at FreeBSD.org Mon Jan 3 06:46:49 2000
From: green at FreeBSD.org (Brian Fundakowski Feldman)
Date: Sun, 2 Jan 2000 14:46:49 -0500 (EST)
Subject: OpenSSH protocol 1.6 proposal
In-Reply-To: <20000102151208.A21548@folly.informatik.uni-erlangen.de>

On Sun, 2 Jan 2000, Markus Friedl wrote:

> On Sun, Jan 02, 2000 at 06:15:48AM -0500, David Rankin wrote:
> > Speaking completely without facts, I am personally skeptical about
> > enhancing the 1.x protocol when all of the standards processes are
> > focused on getting 2.0 out the door. That said, I am willing to be
> > convinced on the matter.
>
> i have put the latest revisions of my SSH 1.6 patches to
> http://wwwcip.informatik.uni-erlangen.de/~msfriedl/openssh/

My concern here is, how much does it convolute the code? I believe
that it's probably not as useful to make the old SSH 1.X protocol
as infinitely more secure as it is useful to make OpenSSH support
the 2.X protocol.

> basically they consist of:
> (1) CRC is replaced with hmac-sha1 + sequence-numbers. the bytes
> needed for the hmac-key are taken from the shared session-key

I really don't see why we should need sequence numbers if we do
a continuous SHA-1 hash of the entire stream. Are you proposing
just one use per SHA_CTX, each packet having its own independent
hash and sequence number?

> (2) authentication for parameters passed in the clear: the session-id
> is extended from
> session_id := MD5 (host_key_n |session_key_n|cookie);
> to
> session_id := MD5 (host_key_n |session_key_n|
> supported_ciphers|supported_authentications|
> client_flags|server_flags|
> client_version_string|server_version_string|
> cookie);

That does sound better, although I wouldn't know how much better than
before.

> and yes, having openssh speak SSH-2.0 would be nice.
> mail me if you are interested in helping implement 2.0.

Of course!

> -markus

--
Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
green at FreeBSD.org                 `------------------------------'

From marc.fournier at acadiau.ca Mon Jan 3 08:34:09 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Sun, 2 Jan 2000 17:34:09 -0400 (AST)
Subject: Ack...OpenSSH no longer compatible with SSH 1.2.26 clients?

On Sun, 2 Jan 2000, Damien Miller wrote:

> On Fri, 31 Dec 1999, Marc G. Fournier wrote:
>
> > I just tried, on a whim, to use an OpenSSH client vs SSH 1.2.26
> > client, and I can connect with it...
> >
> > Something drastic change between pre23 and pre24? Then again, I
> > can't get pre23 to work anymore either, after further investigation
> > :( OpenSSH clients connect no problem, just not the old SSH 1.2.26
> > clients ...
>
> Very strange - I cannot see what change between pre23 and pre24
> could possibly cause this. Are you sure it was working with pre23?

99% certain, but I have been known to be wrong before ...

From marc.fournier at acadiau.ca Mon Jan 3 08:47:21 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Sun, 2 Jan 2000 17:47:21 -0400 (AST)
Subject: Ack...OpenSSH no longer compatible with SSH 1.2.26 clients?

sshd -d:

debug: sshd version OpenSSH-1.2.1
Server listening on port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 131.162.138.223 port 745
debug: Client protocol version 1.5; client software version 1.2.26
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
Disconnecting: Corrupted check bytes on input.
debug: Calling cleanup 0x806028c(0x0)

ssh -v:

SSH Version 1.2.26 [i386--freebsd3.2], protocol version 1.5.
Compiled with RSAREF.
atelier.acadiau.ca: Reading configuration data /usr/local/etc/ssh_config
atelier.acadiau.ca: ssh_connect: getuid 1000 geteuid 0 anon 0
atelier.acadiau.ca: Connecting to dragon [131.162.200.56] port 22.
atelier.acadiau.ca: Allocated local port 745.
atelier.acadiau.ca: Connection established.
atelier.acadiau.ca: Remote protocol version 1.5, remote software version OpenSSH-1.2.1
atelier.acadiau.ca: Waiting for server public key.
atelier.acadiau.ca: Received server public key (768 bits) and host key (1024 bits).
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)? yes
Host 'dragon' added to the list of known hosts.
atelier.acadiau.ca: Initializing random; seed file /home/marc/.ssh/random_seed
atelier.acadiau.ca: IDEA not supported, using 3des instead.
atelier.acadiau.ca: Encryption type: 3des
atelier.acadiau.ca: Sent encrypted session key.
atelier.acadiau.ca: Installing crc compensation attack detector.
Local: Corrupted check bytes on input.
From the code, the error is being generated in packet.c:

        ucp = (unsigned char *) buffer_ptr(&incoming_packet) + len - 4;
        stored_checksum = GET_32BIT(ucp);
        if (checksum != stored_checksum)
                packet_disconnect("Corrupted check bytes on input.");
        buffer_consume_end(&incoming_packet, 4);

Quick suggestion, but adding the pre24 to the version string would
help...but, one of my other servers, I'm sure, is running pre23
successfully ...

Is there maybe some file, like the random_seed file, that got corrupted
and needs to be removed/regenerated? I've tried redoing the server_key
file several times, but that hasn't helped...

On Sun, 2 Jan 2000, Damien Miller wrote:

> On Fri, 31 Dec 1999, Marc G. Fournier wrote:
>
> > Yup, just checked a few other hosts connecting in...I can connect
> > from any host that has OpenSSH installed to the server in question,
> > but not from a host that has the older 1.2.26 clients installed :(
>
> I can't replicate this behaviour.
>
> Can you turn on maximum debugging for both the server and the
> client and tell me what it says during a failed connect attempt?
>
> Thanks,
> Damien
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University

"These are my opinions, which are not necessarily shared by my employer"

From markus.friedl at informatik.uni-erlangen.de Mon Jan 3 09:11:46 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 2 Jan 2000 23:11:46 +0100
Subject: OpenSSH protocol 1.6 proposal
References: <20000102151208.A21548@folly.informatik.uni-erlangen.de>
Message-ID: <20000102231146.C10118@folly.informatik.uni-erlangen.de>

On Sun, Jan 02, 2000 at 02:46:49PM -0500, Brian Fundakowski Feldman wrote:
> My concern here is, how much does it convolute the code? I believe
> that it's probably not as useful to make the old SSH 1.X protocol
> as infinitely more secure as it is useful to make OpenSSH support
> the 2.X protocol.

i don't think the patch 'convolutes' the code, it just replaces the
CRC with a real authenticating MAC, hmac-sha1 in this case.

> I really don't see why we should need sequence numbers if we do
> a continuous SHA-1 hash of the entire stream. Are you proposing
> just one use per SHA_CTX, each packet having its own independent
> hash and sequence number?

yes, each packet has an independent MAC that depends on the current
packet and current packet number. this number is not transmitted.

i don't know a protocol that uses a continuous hash for authentication.
both ipsec and ssh2 use hmacs. usage of hmac is common practice for
authentication (hmac-sha1 is required for SSH2).

> > session_id := MD5 (host_key_n |session_key_n|
> > supported_ciphers|supported_authentications|
> > client_flags|server_flags|
> > client_version_string|server_version_string|
> > cookie);
>
> That does sound better, although I wouldn't know how much better than
> before.

it _authenticates_ the cleartext parameters that are transmitted before
the session key can be used for authentication/encryption.

-markus

From sprout at dok.org Mon Jan 3 10:24:01 2000
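The two SSH 1.6 changes above (the HMAC-SHA1 plus untransmitted sequence number that replaces the CRC check bytes, and the session_id that also covers the cleartext negotiation parameters), as an added example that is not part of the list discussion and not Markus's patch. It assumes the raw session key is used directly as the HMAC key and that `|` in the formula is plain concatenation, and runs on constructed keys and packets.

```python
# Added example, not OpenSSH code and not Markus Friedl's patch: a small model of the
# two SSH 1.6 changes with constructed keys and packets. Assumptions: the HMAC key is
# the raw session key, and '|' in the session_id formula is plain concatenation.
import hashlib
import hmac
import struct
import zlib

MAC_LEN = hashlib.sha1().digest_size  # 20-byte HMAC-SHA1 trailer

def crc32_trailer(payload: bytes) -> bytes:
    """SSH 1.x style check bytes: a plain CRC32 that needs no secret to compute."""
    return struct.pack(">I", zlib.crc32(payload) & 0xFFFFFFFF)

def crc32_verify(payload: bytes, trailer: bytes) -> bool:
    return crc32_trailer(payload) == trailer

def hmac_trailer(mac_key: bytes, seqnr: int, payload: bytes) -> bytes:
    """HMAC-SHA1 over seqnr || payload. The seqnr is implicit, never put on the wire."""
    return hmac.new(mac_key, struct.pack(">I", seqnr) + payload, hashlib.sha1).digest()

class MacChannel:
    """One direction of the stream; sender and receiver count packets independently."""

    def __init__(self, session_key: bytes):
        self.mac_key = session_key  # assumption: raw session key as HMAC key
        self.send_seq = 0
        self.recv_seq = 0

    def send(self, payload: bytes) -> bytes:
        packet = payload + hmac_trailer(self.mac_key, self.send_seq, payload)
        self.send_seq += 1
        return packet

    def receive(self, packet: bytes) -> bytes:
        payload, trailer = packet[:-MAC_LEN], packet[-MAC_LEN:]
        expected = hmac_trailer(self.mac_key, self.recv_seq, payload)
        if not hmac.compare_digest(expected, trailer):
            raise ValueError("Corrupted check bytes on input.")  # sshd's wording
        self.recv_seq += 1
        return payload

def integrity_comparison() -> dict:
    """Does each check accept (a) a modified payload and (b) a replayed packet?"""
    session_key = bytes(range(32))                  # constructed 256-bit session key
    original = b"\x05exec\x00\x00\x00\x06uptime"    # constructed payload
    modified = b"\x05exec\x00\x00\x00\x06reboot"
    # CRC carries no key: a modified payload with a recomputed CRC verifies fine, so
    # the check catches line noise but says nothing about who produced the packet.
    crc_accepts_modified = crc32_verify(modified, crc32_trailer(modified))
    # HMAC: no trailer for the modified payload can be formed without the session key,
    # so the best that reaches the receiver is the modified payload + old trailer.
    sender, receiver = MacChannel(session_key), MacChannel(session_key)
    packet = sender.send(original)
    try:
        receiver.receive(modified + packet[-MAC_LEN:])
        mac_accepts_modified = True
    except ValueError:
        mac_accepts_modified = False
    # Replay: the genuine packet verifies once; a second delivery is checked against
    # seqnr 1, so the implicit sequence number rejects it.
    receiver = MacChannel(session_key)
    assert receiver.receive(packet) == original
    try:
        receiver.receive(packet)
        mac_accepts_replay = True
    except ValueError:
        mac_accepts_replay = False
    return {"crc_accepts_modified": crc_accepts_modified,
            "mac_accepts_modified": mac_accepts_modified,
            "mac_accepts_replay": mac_accepts_replay}

# --- (2) binding the cleartext negotiation parameters into the session id ---

def session_id_v15(host_key_n: bytes, session_key_n: bytes, cookie: bytes) -> bytes:
    return hashlib.md5(host_key_n + session_key_n + cookie).digest()

def session_id_v16(host_key_n, session_key_n, supported_ciphers, supported_authentications,
                   client_flags, server_flags, client_version_string,
                   server_version_string, cookie) -> bytes:
    parts = (host_key_n, session_key_n, supported_ciphers, supported_authentications,
             client_flags, server_flags, client_version_string, server_version_string,
             cookie)
    return hashlib.md5(b"".join(parts)).digest()

def downgrade_detection() -> dict:
    """Server sent cipher mask A but the client saw mask B: which session id notices?"""
    host_key_n, session_key_n, cookie = b"\x01" * 128, b"\x02" * 32, b"\x03" * 8  # constructed
    common = dict(host_key_n=host_key_n, session_key_n=session_key_n,
                  supported_authentications=struct.pack(">I", 0b110),
                  client_flags=b"\0\0\0\0", server_flags=b"\0\0\0\0",
                  client_version_string=b"SSH-1.5-OpenSSH-1.2.1",
                  server_version_string=b"SSH-1.5-OpenSSH-1.2.1", cookie=cookie)
    as_sent = struct.pack(">I", 0b1100)   # constructed bitmask: two ciphers offered
    as_seen = struct.pack(">I", 0b0100)   # one bit cleared in transit
    # v1.5 never hashes the cipher list, so both sides still agree on the session id;
    # v1.6 hashes it, so the two sides derive different ids and authentication fails.
    return {"v15_differs": session_id_v15(host_key_n, session_key_n, cookie)
            != session_id_v15(host_key_n, session_key_n, cookie),
            "v16_differs": session_id_v16(supported_ciphers=as_sent, **common)
            != session_id_v16(supported_ciphers=as_seen, **common)}
```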
From: sprout at dok.org (Chris Green)
Date: 02 Jan 2000 17:24:01 -0600
Subject: Ack...OpenSSH no longer compatible with SSH 1.2.26 clients?
In-Reply-To: "Marc G. Fournier"'s message of "Sun, 2 Jan 2000 17:47:21 -0400 (AST)"
References:
Message-ID:

I'm getting this exact symptom on Solaris 7 pre24 server being connected to from a pre24 Linux client.

    Connection from scott port 1023
    debug: Client protocol version 1.5; client software version OpenSSH-1.2.1
    debug: Sent 768 bit public key and 1024 bit host key.
    debug: Encryption type: 3des
    debug: Received session key; encryption turned on.
    debug: Installing crc compensation attack detector.
    Disconnecting: Corrupted check bytes on input.
    debug: Calling cleanup 0x2862c(0x0)

    SSH Version OpenSSH-1.2.1, protocol version 1.5.
    Compiled with SSL (RSAref version).

The Solaris sshd install is a clean first time install.

--
Chris Green
To err is human, to moo bovine.

From djm at mindrot.org Mon Jan 3 13:04:34 2000
From: djm at mindrot.org (Damien Miller) Date: Mon, 3 Jan 2000 13:04:34 +1100 (EST) Subject: Ack...OpenSSH no longer compatible with SSH 1.2.26 clients? In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sun, 2 Jan 2000, Marc G. Fournier wrote: > >From the code, the error is being generated in packet.c: > > ucp = (unsigned char *) buffer_ptr(&incoming_packet) + len - 4; > stored_checksum = GET_32BIT(ucp); > if (checksum != stored_checksum) > packet_disconnect("Corrupted check bytes on input."); > buffer_consume_end(&incoming_packet, 4); > > Quick suggestion, but adding the pre24 to the version string would > help...but, one of my other servers, I'm sure, is running pre23 > successfully ... > > Is there maybe some file, like the random_seed file, that got corrupted > and needs to be removed/regenerated? I've tried redoing teh server_key > file several times, but that hasn't helped... I am suspecting a typedef error or similar. Could you try replacing the "typedef xxx yyy" with "#define yyy xxx" statements in defines.h? This patch should also help narrow where the problem lies: Index: packet.c =================================================================== RCS file: /var/cvs/openssh/packet.c,v retrieving revision 1.8 diff -u -r1.8 packet.c - --- packet.c 1999/12/16 02:18:04 1.8 +++ packet.c 2000/01/03 02:02:07 
@@ -513,6 +513,8 @@ ucp = (unsigned char *) buffer_ptr(&incoming_packet) + len - 4; stored_checksum = GET_32BIT(ucp); + debug("checksum: %x", checksum); + debug("stored_checksum: %x", stored_checksum); if (checksum != stored_checksum) packet_disconnect("Corrupted check bytes on input."); buffer_consume_end(&incoming_packet, 4); Thanks, Damien - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4cAO4ormJ9RG1dI8RAmwfAKDYxG04klrx3UCLf8SB4PJ/eKiAiACgr+mt vM/t7fLeQla1VWKMLLLXpbI= =oRmt -----END PGP SIGNATURE----- From djm at mindrot.org Mon Jan 3 13:08:28 2000 From: djm at mindrot.org (Damien Miller) Date: Mon, 3 Jan 2000 13:08:28 +1100 (EST) Subject: Ack...OpenSSH no longer compatible with SSH 1.2.26 clients? In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2 Jan 2000, Chris Green wrote: > I'm getting this exact symptom on solaris 7 pre24 server being > connected to from a pre24 linux client. Ouch. Is this Sun hardware or x86? Regards, Damien Miller - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4cASlormJ9RG1dI8RAqRSAKDYbXn+uWfwuvcA7b5OpLFCsn4cVACcCS5/ rO0I2UVuhIuE8bGyQskRK1A= =YDne -----END PGP SIGNATURE----- From sprout at dok.org Mon Jan 3 13:34:20 2000 
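Review bot: the two debug() calls added in the @@ -513 hunk hand checksum and stored_checksum to a %x conversion, but the reason for this diagnostic is that the integer typedefs on the affected platform are suspect; if either variable ends up wider than unsigned int, %x reads the wrong width from the argument list and the printed value is itself unreliable. Cast explicitly and zero-pad so the two values line up for comparison: debug("checksum: %08x", (unsigned int) checksum); debug("stored_checksum: %08x", (unsigned int) stored_checksum);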
From: sprout at dok.org (Chris Green)
Date: 02 Jan 2000 20:34:20 -0600
Subject: Ack...OpenSSH no longer compatible with SSH 1.2.26 clients?
In-Reply-To: Damien Miller's message of "Mon, 3 Jan 2000 13:08:28 +1100 (EST)"
References:
Message-ID:

It's Sun hardware.

    SunOS borg 5.7 Generic_106541-08 sun4m sparc SUNW,SPARCstation-10

compiled w/ gcc version 2.95.2 19991024 (release)
OpenSSL 0.9.4 + rsaref

    ./configure --prefix=/usr/local/ssh --with-libwrap \
        --with-egd-pool=/usr/local/ssh/tmp/entropy

> Ouch. Is this Sun hardware or x86?
>
> Regards,
> Damien Miller
>

--
Chris Green
"Yeah, but you're taking the universe out of context."

From robert at cyrus.watson.org Mon Jan 3 18:28:33 2000
From: robert at cyrus.watson.org (Robert Watson)
Date: Mon, 3 Jan 2000 02:28:33 -0500 (EST)
Subject: OpenSSH protocol 1.6 proposal
In-Reply-To: <20000102061545.A1691@rumpole.bohemians.lexington.ky.us>
Message-ID:

On Sun, 2 Jan 2000, David Rankin wrote:

> Speaking completely without facts, I am personally skeptical about
> enhancing the 1.x protocol when all of the standards processes are
> focused on getting 2.0 out the door. That said, I am willing to be
> convinced on the matter.

I agree entirely. I'd love to see a free, BSD-licensed, SSH 2.x implementation out there. The continuing emphasis on improving the non-standard, albeit widely deployed, SSH 1.x protocol seems to be a less useful allocation of resources. While a free version of 1.x is extremely useful, it's not the end-all. :-) If you can get people to upgrade to modified 1.x with backwards compatibility, wouldn't you be better served getting them to upgrade to 2.x with backwards compatibility? :-)

Robert N M Watson
robert at fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

From djm at mindrot.org Mon Jan 3 19:30:58 2000
From: djm at mindrot.org (Damien Miller) Date: Mon, 3 Jan 2000 19:30:58 +1100 (EST) Subject: OpenSSH protocol 1.6 proposal In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, 3 Jan 2000, Robert Watson wrote: > I agree entirely. I'd love to see a free, BSD-licensed, SSH 2.x > implementation out there. The continuing emphasis on improving the > non-standard, albeit widely deployed, SSH 1.x protocol seems to be > a less useful allocation of resources. While a free version of 1.x > is extremely useful, it's not the end-all. :-) If you can get people > to upgrade to modified 1.x with backwards compatibility, wouldn't > you be better served getting them to upgrade to 2.x with backwards > compatibility? :-) While I agree that a free version of SSH 2.x is a worthwhile goal, it will take _months_ of effort (of course I would be happy to be proved wrong on this). We already have a strong SSH 1.x implementation, why not clean up its few remaining nits (which may take only weeks)? Apart from standards-compliance, what does SSH2 buy you over a cleaned up SSH1? Regards, Damien Miller - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4cF5GormJ9RG1dI8RAooeAKCz3U4Riz1CL1ikvlWVfkTdZAU0MQCfcli1 mMn9rFYT50BnvFFIKEFZDiY= =bL3g -----END PGP SIGNATURE----- From provos at citi.umich.edu Mon Jan 3 20:48:09 2000 
From: provos at citi.umich.edu (Niels Provos) Date: Mon, 03 Jan 2000 04:48:09 -0500 Subject: OpenSSH protocol 1.6 proposal In-Reply-To: Robert Watson, Mon, 03 Jan 2000 02:28:33 EST Message-ID: <20000103095005.72C3826F90@toad.mindrot.org> In message , Robert Watson writes: >I agree entirely. I'd love to see a free, BSD-licensed, SSH 2.x >implementation out there. The continuing emphasis on improving the >non-standard, albeit widely deployed, SSH 1.x protocol seems to be a less >useful allocation of resources. While a free version of 1.x is extremely >useful, it's not the end-all. :-) If you can get people to upgrade to Actually, Markus' modifications for the 1.6 protocol contain elements that may be reused in a SSH 2.x implementation. I would not call it a waste of time at all. The diff is rather small, more a necessary cleanup. Greetings, Niels. From phil at hands.com Tue Jan 4 00:00:11 2000 
From: phil at hands.com (Philip Hands) Date: 03 Jan 2000 13:00:11 +0000 Subject: OpenSSH protocol 1.6 proposal In-Reply-To: <20000102151208.A21548@folly.informatik.uni-erlangen.de> (Markus Friedl's message of "Sun, 2 Jan 2000 15:12:08 +0100") References: <20000101235721.A15256@alcove.wittsend.com> <20000102061545.A1691@rumpole.bohemians.lexington.ky.us> <20000102151208.A21548@folly.informatik.uni-erlangen.de> Message-ID: <87g0wfmht0.fsf@sheikh.hands.com> Markus Friedl writes: > On Sun, Jan 02, 2000 at 06:15:48AM -0500, David Rankin wrote: > > Speaking completely without facts, I am personally skeptical about > > enhancing the 1.x protocol when all of the standards processes are > > focused on getting 2.0 out the door. That said, I am willing to be > > convinced on the matter. > > i have put the latest revisions of my SSH 1.6 patches to > http://wwwcip.informatik.uni-erlangen.de/~msfriedl/openssh/ Quick question. Does this fall foul of this clause in the license: Any derived versions of this software must be clearly marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than "ssh" or "Secure Shell". If so, are these new features worth losing the right to call the executable ssh? Cheers, Phil. -- Boycott Amazon! --- http://linuxtoday.com/stories/13652.html From eivind at FreeBSD.ORG Tue Jan 4 00:20:51 2000 
From: eivind at FreeBSD.ORG (Eivind Eklund)
Date: Mon, 3 Jan 2000 14:20:51 +0100
Subject: OpenSSH protocol 1.6 proposal
In-Reply-To: ; from djm@mindrot.org on Mon, Jan 03, 2000 at 07:30:58PM +1100
References:
Message-ID: <20000103142050.B6173@bitbox.follo.net>

On Mon, Jan 03, 2000 at 07:30:58PM +1100, Damien Miller wrote:
> Apart from standards-compliance, what does SSH2 buy you over a cleaned
> up SSH1?

Functional support for challenge/response authentication, at least. When I looked, I could not find any good way to add this to the 1.x protocol.

I think it still doesn't fix my biggest beef with ssh, though: Agent forwarding. The implementation of this in SSH essentially gives out access for all your accounts to all machines you log into with

* no logs
* no way of restricting who gets authenticated (beyond turning a-f off)
* no way for the machine having the original authentication to verify who is asking for authentication and for what purpose (where to log into)
* a default of sending out agent forwarding
* no way to change the default and still selectively forward

The patches for the latter two problems are trivial; I'm including them below for completeness. Fixing the other problems is not as easy (it requires a bit of thought and several orders of magnitude more coding); if anybody wants to do this, contact me and I'll send you an outline for how to get a reasonable implementation, including backwards compatibility (allows the enhancements to be used securely even when forwarding through servers that have not got support for the enhancements.)

Eivind.

Central patch, to make it possible to selectively enable agent forwarding:

--- ssh.c.orig Wed May 12 13:19:28 1999 +++ ssh.c Sat Nov 6 20:50:55 1999
@@ -280,6 +280,7 @@ fprintf(stderr, " -l user Log in using this user name.\n"); fprintf(stderr, " -n Redirect input from /dev/null.\n"); fprintf(stderr, " -a Disable authentication agent forwarding.\n"); + fprintf(stderr, " -A Enable authentication agent forwarding.\n"); #if defined(KERBEROS_TGT_PASSING) && defined(KRB5) fprintf(stderr, " -k Disable Kerberos ticket passing.\n"); #endif /* defined(KERBEROS_TGT_PASSING) && defined(KRB5) */ @@ -537,6 +538,10 @@ case 'a': options.forward_agent = 0; + break; + + case 'A': + options.forward_agent = 1; break; case 'k': Change the default to the correct (security rule #1: Disable everything, enable what you need.) --- readconf.c.orig Wed May 12 13:19:27 1999 +++ readconf.c Sat Nov 6 20:47:49 1999 @@ -716,7 +716,7 @@ void fill_default_options(Options *options) { if (options->forward_agent == -1) - options->forward_agent = 1; + options->forward_agent = 0; if (options->forward_x11 == -1) options->forward_x11 = 1; if (options->rhosts_authentication == -1) From eivind at FreeBSD.ORG Tue Jan 4 00:24:05 2000 
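Review bot: the @@ -280 hunk adds the -A usage line, but nothing in the patch touches the ssh(1) man page, so the new flag is documented only in the usage blurb; the man page entry for -a should gain a matching -A entry in the same change.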
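Review bot: the @@ -537 hunk adds case 'A' to the option switch, but the getopt() option string that has to list the new letter is not in the diff; unless it is extended elsewhere, -A is rejected by getopt() before this case is ever reached. Please include that line in the patch so the change can be verified as a whole.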
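Review bot: in the readconf.c @@ -716 hunk the forward_agent default moves to 0 while the forward_x11 default two lines below stays at 1, yet the same argument (an untrusted server reaching back into the client) applies to X forwarding; either change both defaults together or state why only the agent default changes. A default change also needs a note in the ssh_config documentation saying that existing users who rely on forwarding must now set ForwardAgent yes (or pass -A) explicitly.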
From: eivind at FreeBSD.ORG (Eivind Eklund) Date: Mon, 3 Jan 2000 14:24:05 +0100 Subject: OpenSSH protocol 1.6 proposal In-Reply-To: <87g0wfmht0.fsf@sheikh.hands.com>; from phil@hands.com on Mon, Jan 03, 2000 at 01:00:11PM +0000 References: <20000101235721.A15256@alcove.wittsend.com> <20000102061545.A1691@rumpole.bohemians.lexington.ky.us> <20000102151208.A21548@folly.informatik.uni-erlangen.de> <87g0wfmht0.fsf@sheikh.hands.com> Message-ID: <20000103142405.C6173@bitbox.follo.net> On Mon, Jan 03, 2000 at 01:00:11PM +0000, Philip Hands wrote: > Markus Friedl writes: > > > On Sun, Jan 02, 2000 at 06:15:48AM -0500, David Rankin wrote: > > > Speaking completely without facts, I am personally skeptical about > > > enhancing the 1.x protocol when all of the standards processes are > > > focused on getting 2.0 out the door. That said, I am willing to be > > > convinced on the matter. > > > > i have put the latest revisions of my SSH 1.6 patches to > > http://wwwcip.informatik.uni-erlangen.de/~msfriedl/openssh/ > > Quick question. Does this fall foul of this clause in the license: > > Any derived versions of this software must be clearly marked as > such, and if the derived work is incompatible with the protocol > description in the RFC file, it must be called by a name other than > "ssh" or "Secure Shell". IANAL - but in my interpretation, no. It stays compatible; it just can negotiate higher security. Eivind. From drankin at bohemians.lexington.ky.us Tue Jan 4 01:07:08 2000 
From: drankin at bohemians.lexington.ky.us (David Rankin) Date: Mon, 3 Jan 2000 09:07:08 -0500 Subject: OpenSSH protocol 1.6 proposal In-Reply-To: ; from Damien Miller on Mon, Jan 03, 2000 at 07:30:58PM +1100 References: Message-ID: <20000103090708.A3780@rumpole.bohemians.lexington.ky.us> On Mon, Jan 03, 2000 at 07:30:58PM +1100, Damien Miller wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > While I agree that a free version of SSH 2.x is a worthwhile goal, > it will take _months_ of effort (of course I would be happy to be > proved wrong on this). It's probably a 2-4 month job to take OpenSSH 1.2.1 and implement SSH 2.0 start to finish, but it could be significantly less. The main difference between 1.5 and 2.0 is the change in the transport protocol (and those aren't that major). All of the encryption changes (DSS/DSA, blowfish, etc.) are already in OpenSSL, with the exception of twofish. > We already have a strong SSH 1.x implementation, why not clean up its > few remaining nits (which may take only weeks)? Please don't get me wrong. I believe that OpenSSH 1.2.1 needs to be working now. I just happen to think that extending the SSH 1.5 protocol should yield to implementing the 2.0 protocol, especially where the 1.6 features are a subset of the 2.0 protocol. Of course IMHO. > Apart from standards-compliance, what does SSH2 buy you over a cleaned > up SSH1? I know it's been mentioned already, but the #1 is you can do PAM challenge/response authentication correctly. You can also handle "You must change your password" correctly. David -- David W. Rankin, Jr. Husband, Father, and UNIX Sysadmin. Email: drankin at bohemians.lexington.ky.us Address/Phone Number: Ask me. "It is no great thing to be humble when you are brought low; but to be humble when you are praised is a great and rare accomplishment." St. Bernard From drankin at bohemians.lexington.ky.us Tue Jan 4 01:27:33 2000 
From: drankin at bohemians.lexington.ky.us (David Rankin) Date: Mon, 3 Jan 2000 09:27:33 -0500 Subject: OpenSSH protocol 1.6 proposal In-Reply-To: ; from Brian Fundakowski Feldman on Sun, Jan 02, 2000 at 02:46:49PM -0500 References: <20000102151208.A21548@folly.informatik.uni-erlangen.de> Message-ID: <20000103092733.B3780@rumpole.bohemians.lexington.ky.us> On Sun, Jan 02, 2000 at 02:46:49PM -0500, Brian Fundakowski Feldman wrote: > On Sun, 2 Jan 2000, Markus Friedl wrote: > > and yes, having openssh speak SSH-2.0 would be nice. > > mail me if you are interested in helping implement 2.0. > Of course! Since it looks like there's a significant interest in this, I propose that we look at an "OpenSSH 2" project. At this point, we need a mailing list. I'd love to host the list, but the US laws make that too painful for me should someone post encryption code. Once we get someone to make a list, I think we can start working on the details. No use flooding security at FreeBSD.org or openssh-dev-list with a lot of off-topic discussion (and can stop the monster CC:... :) David -- David W. Rankin, Jr. Husband, Father, and UNIX Sysadmin. Email: drankin at bohemians.lexington.ky.us Address/Phone Number: Ask me. "It is no great thing to be humble when you are brought low; but to be humble when you are praised is a great and rare accomplishment." St. Bernard From fpscha at ns1.via-net-works.net.ar Tue Jan 4 01:37:43 2000 
From: fpscha at ns1.via-net-works.net.ar (Fernando Schapachnik)
Date: Mon, 3 Jan 2000 11:37:43 -0300 (GMT)
Subject: OpenSSH protocol 1.6 proposal
In-Reply-To: <20000103092733.B3780@rumpole.bohemians.lexington.ky.us> from David Rankin at "Jan 3, 0 09:27:33 am"
Message-ID: <200001031437.LAA04124@ns1.via-net-works.net.ar>

I can host one. Please contact me privately for details.

Regards!

In an earlier message, David Rankin wrote:
> On Sun, Jan 02, 2000 at 02:46:49PM -0500, Brian Fundakowski Feldman wrote:
> > On Sun, 2 Jan 2000, Markus Friedl wrote:
> > > and yes, having openssh speak SSH-2.0 would be nice.
> > > mail me if you are interested in helping implement 2.0.
> > Of course!
>
> Since it looks like there's a significant interest in this, I propose
> that we look at an "OpenSSH 2" project. At this point, we need a mailing
> list. I'd love to host the list, but the US laws make that too painful for
> me should someone post encryption code.

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fernando at via-net-works.net.ar
(54-11) 4323-3333

From jmknoble at pobox.com Tue Jan 4 07:21:12 2000
From: jmknoble at pobox.com (Jim Knoble)
Date: Mon, 3 Jan 2000 15:21:12 -0500
Subject: OpenSSH protocol 1.6 proposal
In-Reply-To: <20000103092733.B3780@rumpole.bohemians.lexington.ky.us>; from David Rankin on Mon, Jan 03, 2000 at 09:27:33AM -0500
References: <20000102151208.A21548@folly.informatik.uni-erlangen.de> <20000103092733.B3780@rumpole.bohemians.lexington.ky.us>
Message-ID: <20000103152112.C18625@ntrnet.net>

Is there a reason why we ought not to use openssh-unix-dev? It's already here, and I suspect most folks on the list would be interested in an SSH-Protocol-2.0 implementation. I don't particularly think it's off-topic, either (except for the bit about whether certain folks can be communicated with effectively).

--
jim knoble
jmknoble at pobox.com

On 2000-Jan-03 at 09:27:33 -0500 David Rankin wrote:
: Since it looks like there's a significant interest in this, I propose
: that we look at an "OpenSSH 2" project. At this point, we need a mailing
: list. I'd love to host the list, but the US laws make that too painful for
: me should someone post encryption code.
:
: Once we get someone to make a list, I think we can start working on
: the details. No use flooding security at FreeBSD.org or openssh-dev-list
: with a lot of off-topic discussion (and can stop the monster CC:... :)

From drankin at bohemians.lexington.ky.us Tue Jan 4 08:20:48 2000
From: drankin at bohemians.lexington.ky.us (David Rankin) Date: Mon, 3 Jan 2000 16:20:48 -0500 Subject: OpenSSH protocol 1.6 proposal In-Reply-To: <20000103152112.C18625@ntrnet.net>; from Jim Knoble on Mon, Jan 03, 2000 at 03:21:12PM -0500 References: <20000102151208.A21548@folly.informatik.uni-erlangen.de> <20000103092733.B3780@rumpole.bohemians.lexington.ky.us> <20000103152112.C18625@ntrnet.net> Message-ID: <20000103162048.A4248@rumpole.bohemians.lexington.ky.us> On Mon, Jan 03, 2000 at 03:21:12PM -0500, Jim Knoble wrote: > Is there a reason why we ought not to use openssh-unix-dev? It's > already here, and i suspect most folks on the list would be interested > in an SSH-Protocol-2.0 implementation. I don't particularly think it's > off-topic, either (except for the bit about whether certain folks can > be communicated with effectively). It's Damien's list, so his will be the deciding opinion, but IMHO openssh-unix-dev isn't the best place for the discussion since it's for development of the OpenSSH 1.2.1 port. OpenSSH 2.0 is going to be (at first) a design and organization effort that will interfere with the "daily business" of OpenSSH 1.2 on a shared list. Thanks, David -- David W. Rankin, Jr. Husband, Father, and UNIX Sysadmin. Email: drankin at bohemians.lexington.ky.us Address/Phone Number: Ask me. "It is no great thing to be humble when you are brought low; but to be humble when you are praised is a great and rare accomplishment." St. Bernard From phil at hands.com Tue Jan 4 06:41:27 2000 
From: phil at hands.com (Philip Hands) Date: 03 Jan 2000 19:41:27 +0000 Subject: OpenSSH protocol 1.6 proposal In-Reply-To: <20000103142050.B6173@bitbox.follo.net> (Eivind Eklund's message of "Mon, 3 Jan 2000 14:20:51 +0100") References: <20000103142050.B6173@bitbox.follo.net> Message-ID: <87d7rjkkns.fsf@sheikh.hands.com> Eivind Eklund writes: ... > * a default of sending out agent forwarding > * no way to change the default and still selectively forward > > The patches for the latter two problems are trivial; I'm including > them below for completeness. I've included this in the Debian packages of ssh and OpenSSH for some time. I also disable X forwarding by default, since that allows classic X attacks to be launched by untrustworthy remote systems. These patches should be accepted upstream IMO. As ever, my openssh stuff can be found here: http://www.hands.com/~phil/debian/openssh/openssh_1.2.1pre24-1.diff.gz I think all changes except the debian/ directory itself should be either useful or at worst harmless upstream. Cheers, Phil. -- Boycott Amazon! --- http://linuxtoday.com/stories/13652.html From djm at mindrot.org Tue Jan 4 09:29:39 2000 
From: djm at mindrot.org (Damien Miller) Date: Tue, 4 Jan 2000 09:29:39 +1100 (EST) Subject: OpenSSH protocol 1.6 proposal In-Reply-To: <20000103162048.A4248@rumpole.bohemians.lexington.ky.us> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, 3 Jan 2000, David Rankin wrote: > It's Damien's list, so his will be the deciding opinion, but IMHO > openssh-unix-dev isn't the best place for the discussion since it's > for development of the OpenSSH 1.2.1 port. OpenSSH 2.0 is going to be > (at first) a design and organization effort that will interfere with the > "daily business" of OpenSSH 1.2 on a shared list. I don't mind discussions pertaining to the extension of OpenSSH to support SSH2. If they become too intrusive then we can move them to another list. Regards, Damien - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4cSLWormJ9RG1dI8RAgLRAKCB70v1PcF65o5nz5KZYIehwiVe0wCeJGQA 4EftSGVRBa6IBcmVZvPIRdg= =zxHc -----END PGP SIGNATURE----- From markus.friedl at informatik.uni-erlangen.de Tue Jan 4 09:49:30 2000 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 3 Jan 2000 23:49:30 +0100
Subject: OpenSSH protocol 1.6 proposal
In-Reply-To: <20000103092733.B3780@rumpole.bohemians.lexington.ky.us>
References: <20000102151208.A21548@folly.informatik.uni-erlangen.de> <20000103092733.B3780@rumpole.bohemians.lexington.ky.us>
Message-ID: <20000103234930.A10240@folly.informatik.uni-erlangen.de>

I hope this is my last mail on this subject.

All this discussion about SSH2 misses the fact that we are talking about a security product, so 'features' should not be overrated. Especially for ssh it should be remembered that "complexity is the enemy".

You almost get my SSH1.6 for free. The patches consist of minor modifications that are supposed to make SSH1 much more secure.

Compare the code size of OpenSSH (~ 20.000 lines) with the code size of ssh-2.0.1x (~ 100.000 lines), an incarnation of SSH2. Do secure protocols lead to secure implementations?

Security is also about trust. SSH1 is old, stable, venerable, widely used, reviewed and tested. Thus it consists of trusted code. Minor modifications, e.g. SSH1.6, should not reduce trust. But what happens with major modifications, i.e. SSH2? Can you still trust the code? Or can you trust an entirely new implementation of a complex protocol?

Wrt 'features': SSH1 has some support for challenge/response authentication, OpenSSH does s/key within the SSH1 framework.

Wrt OpenSSH 2: I don't think we need a special mailing-list. If you know the internals of OpenSSH and/or the SecSH-drafts and want to help implement SSH2, send private mail to me and I'll share my code fragments. But it's too soon for publication.

If you want an implementation that does not use the old code: LSH speaks SSH2.

cheers,
-markus

From phil at hands.com Tue Jan 4 06:47:15 2000
From: phil at hands.com (Philip Hands) Date: 03 Jan 2000 19:47:15 +0000 Subject: OpenSSH protocol 1.6 proposal In-Reply-To: <20000103092733.B3780@rumpole.bohemians.lexington.ky.us> (David Rankin's message of "Mon, 3 Jan 2000 09:27:33 -0500") References: <20000102151208.A21548@folly.informatik.uni-erlangen.de> <20000103092733.B3780@rumpole.bohemians.lexington.ky.us> Message-ID: <87aemnkke4.fsf@sheikh.hands.com> David Rankin writes: > On Sun, Jan 02, 2000 at 02:46:49PM -0500, Brian Fundakowski Feldman wrote: > > On Sun, 2 Jan 2000, Markus Friedl wrote: > > > > and yes, having openssh speak SSH-2.0 would be nice. > > > mail me if you are interested in helping implement 2.0. > > > Of course! > > Since it looks like there's a significant interest in this, I propose > that we look at an "OpenSSH 2" project. At this point, we need a mailing > list. I'd love to host the list, but the US laws make that too painful for > me should someone post encryption code. > > Once we get someone to make a list, I think we can start working on > the details. No use flooding security at FreeBSD.org or openssh-dev-list > with a lot of off-topic discussion (and can stop the monster CC:... :) Would it not be better to attempt to get lsh finished off, since that doesn't have any possible licensing problem related to the protocol/name thing. Regardless, there is not a vast amount of point in duplicating efforts, so this idea should probably be mentioned to the lsh developers to ensure that the most efficient approach can be taken to develop one or other of these. Cheers, Phil. From marc.fournier at acadiau.ca Tue Jan 4 11:44:47 2000 
From: marc.fournier at acadiau.ca (Marc G. Fournier) Date: Mon, 3 Jan 2000 20:44:47 -0400 (AST) Subject: Ack...OpenSSH no longer compatible with SSH 1.2.26 clients? In-Reply-To: Message-ID: Okay, I think that kinda narrows it down a bit ... I'm running Solaris 7/x86 as well... On 2 Jan 2000, Chris Green wrote: > I'm getting this exact symptom on solaris 7 pre24 server being connected to > from a pre24 linux client. > > Connection from scott port 1023 > debug: Client protocol version 1.5; client software version OpenSSH-1.2.1 > debug: Sent 768 bit public key and 1024 bit host key. > debug: Encryption type: 3des > debug: Received session key; encryption turned on. > debug: Installing crc compensation attack detector. > Disconnecting: Corrupted check bytes on input. > debug: Calling cleanup 0x2862c(0x0) > > SSH Version OpenSSH-1.2.1, protocol version 1.5. > Compiled with SSL (RSAref version). > > The solaris sshd install is a clean first time install. > -- > Chris Green > To err is human, to moo bovine. > > Marc G. Fournier marc.fournier at acadiau.ca Senior Systems Administrator Acadia University "These are my opinions, which are not necessarily shared by my employer" From marc.fournier at acadiau.ca Tue Jan 4 12:33:13 2000 
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Mon, 3 Jan 2000 21:33:13 -0400 (AST)
Subject: Ack...OpenSSH no longer compatible with SSH 1.2.26 clients?
In-Reply-To:
Message-ID:

If you are referring to:

    /* If sys/types.h does not supply u_intXX_t, supply them ourselves */
    #ifndef HAVE_U_INTXX_T
    # ifdef HAVE_UINTXX_T
    # define u_int16_t uint16_t;
    # define u_int32_t uint32_t;
    # define u_int64_t uint64_t;
    # define HAVE_U_INTXX_T 1
    # else

It produces:

    gcc -g -O2 -Wall -I/usr/slocal/include -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/slocal/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/slocal/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c authfile.c -o authfile.o
    authfile.c: In function `save_private_key':
    authfile.c:52: warning: useless keyword or type name in empty declaration
    authfile.c:52: warning: empty declaration
    authfile.c:52: warning: statement with no effect
    authfile.c:67: invalid lvalue in assignment
    authfile.c:68: invalid operands to binary &
    authfile.c:69: invalid operands to binary >>
    authfile.c: In function `load_private_key':
    authfile.c:238: warning: unsigned int format, long unsigned int arg (arg 2)

On Mon, 3 Jan 2000, Damien Miller wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Sun, 2 Jan 2000, Marc G. Fournier wrote:
>
> > >From the code, the error is being generated in packet.c:
> >
> > ucp = (unsigned char *) buffer_ptr(&incoming_packet) + len - 4;
> > stored_checksum = GET_32BIT(ucp);
> > if (checksum != stored_checksum)
> > packet_disconnect("Corrupted check bytes on input.");
> > buffer_consume_end(&incoming_packet, 4);
> >
> > Quick suggestion, but adding the pre24 to the version string would
> > help...but, one of my other servers, I'm sure, is running pre23
> > successfully ...
> >
> > Is there maybe some file, like the random_seed file, that got corrupted
> > and needs to be removed/regenerated? I've tried redoing teh server_key
> > file several times, but that hasn't helped...
> > I am suspecting a typedef error or similar. Could you try replacing > the "typedef xxx yyy" with "#define yyy xxx" statements in > defines.h? > > This patch should also help narrow where the problem lies: > > Index: packet.c > =================================================================== > RCS file: /var/cvs/openssh/packet.c,v > retrieving revision 1.8 > diff -u -r1.8 packet.c > - --- packet.c 1999/12/16 02:18:04 1.8 > +++ packet.c 2000/01/03 02:02:07 > @@ -513,6 +513,8 @@ > > ucp = (unsigned char *) buffer_ptr(&incoming_packet) + len - 4; > stored_checksum = GET_32BIT(ucp); > + debug("checksum: %x", checksum); > + debug("stored_checksum: %x", stored_checksum); > if (checksum != stored_checksum) > packet_disconnect("Corrupted check bytes on input."); > buffer_consume_end(&incoming_packet, 4); > > Thanks, > Damien > > - -- > | "Bombay is 250ms from New York in the new world order" - Alan Cox > | Damien Miller - http://www.mindrot.org/ > | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.0 (GNU/Linux) > Comment: For info see http://www.gnupg.org > > iD8DBQE4cAO4ormJ9RG1dI8RAmwfAKDYxG04klrx3UCLf8SB4PJ/eKiAiACgr+mt > vM/t7fLeQla1VWKMLLLXpbI= > =oRmt > -----END PGP SIGNATURE----- > > Marc G. Fournier marc.fournier at acadiau.ca Senior Systems Administrator Acadia University "These are my opinions, which are not necessarily shared by my employer" From djm at mindrot.org Tue Jan 4 12:43:47 2000 
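Review bot: the quoted hunk logs both values unconditionally, so with -d every received packet emits two extra lines; for a one-off diagnostic that is acceptable, but if the calls are kept they belong inside the if (checksum != stored_checksum) branch, ahead of packet_disconnect(), so that normal -d output stays readable and only the failing packet is reported.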
From: djm at mindrot.org (Damien Miller)
Date: Tue, 4 Jan 2000 12:43:47 +1100 (EST)
Subject: Ack...OpenSSH no longer compatible with SSH 1.2.26 clients?

On Mon, 3 Jan 2000, Marc G. Fournier wrote:

> If you are referring to:
>
> /* If sys/types.h does not supply u_intXX_t, supply them ourselves */
> #ifndef HAVE_U_INTXX_T
> # ifdef HAVE_UINTXX_T
> #  define u_int16_t uint16_t;
> #  define u_int32_t uint32_t;
> #  define u_int64_t uint64_t;
> #  define HAVE_U_INTXX_T 1
> # else

The lines shouldn't have a semicolon at the end.

Damien

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From marc.fournier at acadiau.ca Tue Jan 4 12:43:58 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Mon, 3 Jan 2000 21:43:58 -0400 (AST)
Subject: Ack...OpenSSH no longer compatible with SSH 1.2.26 clients?

more debug info ...

debug: sshd version OpenSSH-1.2.1
Server listening on port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 131.162.2.90 port 1023
debug: Client protocol version 1.5; client software version 1.2.26
debug: Sent 768 bit public key and 1024 bit host key.
debug: checksum: f5749dff
debug: stored_checksum: f5749dff
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: checksum: d4323652
debug: stored_checksum: c86bfc3c
Disconnecting: Corrupted check bytes on input.
debug: Calling cleanup 0x806028c(0x0)

Definitely something out :)

On Mon, 3 Jan 2000, Damien Miller wrote:

> On Sun, 2 Jan 2000, Marc G. Fournier wrote:
>
> > From the code, the error is being generated in packet.c:
> >
> >     ucp = (unsigned char *) buffer_ptr(&incoming_packet) + len - 4;
> >     stored_checksum = GET_32BIT(ucp);
> >     if (checksum != stored_checksum)
> >         packet_disconnect("Corrupted check bytes on input.");
> >     buffer_consume_end(&incoming_packet, 4);
> >
> > Quick suggestion, but adding the pre24 to the version string would
> > help...but, one of my other servers, I'm sure, is running pre23
> > successfully ...
> >
> > Is there maybe some file, like the random_seed file, that got corrupted
> > and needs to be removed/regenerated? I've tried redoing the server_key
> > file several times, but that hasn't helped...
>
> I am suspecting a typedef error or similar. Could you try replacing
> the "typedef xxx yyy" with "#define yyy xxx" statements in
> defines.h?
>
> This patch should also help narrow where the problem lies:
>
> Index: packet.c
> ===================================================================
> RCS file: /var/cvs/openssh/packet.c,v
> retrieving revision 1.8
> diff -u -r1.8 packet.c
> - --- packet.c	1999/12/16 02:18:04	1.8
> +++ packet.c	2000/01/03 02:02:07
> @@ -513,6 +513,8 @@
>  
>  	ucp = (unsigned char *) buffer_ptr(&incoming_packet) + len - 4;
>  	stored_checksum = GET_32BIT(ucp);
> +	debug("checksum: %x", checksum);
> +	debug("stored_checksum: %x", stored_checksum);
>  	if (checksum != stored_checksum)
>  		packet_disconnect("Corrupted check bytes on input.");
>  	buffer_consume_end(&incoming_packet, 4);
>
> Thanks,
> Damien
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From marc.fournier at acadiau.ca Tue Jan 4 13:00:54 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Mon, 3 Jan 2000 22:00:54 -0400 (AST)
Subject: Ack...OpenSSH no longer compatible with SSH 1.2.26 clients?

On Tue, 4 Jan 2000, Damien Miller wrote:

> On Mon, 3 Jan 2000, Marc G. Fournier wrote:
>
> > If you are referring to:
> >
> > /* If sys/types.h does not supply u_intXX_t, supply them ourselves */
> > #ifndef HAVE_U_INTXX_T
> > # ifdef HAVE_UINTXX_T
> > #  define u_int16_t uint16_t;
> > #  define u_int32_t uint32_t;
> > #  define u_int64_t uint64_t;
> > #  define HAVE_U_INTXX_T 1
> > # else
>
> The lines shouldn't have a semicolon at the end.

D'oh ... Same problem though:

debug: sshd version OpenSSH-1.2.1
Server listening on port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 131.162.2.90 port 1023
debug: Client protocol version 1.5; client software version 1.2.26
debug: Sent 768 bit public key and 1024 bit host key.
debug: checksum: da122795
debug: stored_checksum: da122795
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: checksum: dcef8dff
debug: stored_checksum: 6fd685d7
Disconnecting: Corrupted check bytes on input.
debug: Calling cleanup 0x806028c(0x0)

> Damien
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From djm at mindrot.org Tue Jan 4 13:41:18 2000
From: djm at mindrot.org (Damien Miller)
Date: Tue, 4 Jan 2000 13:41:18 +1100 (EST)
Subject: Ack...OpenSSH no longer compatible with SSH 1.2.26 clients?

On Mon, 3 Jan 2000, Marc G. Fournier wrote:

> Same problem though:

Could you send me your config.h, the options that you ran ./configure
with and its output?

Damien

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From marc.fournier at acadiau.ca Tue Jan 4 13:47:36 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Mon, 3 Jan 2000 22:47:36 -0400 (AST)
Subject: Ack...OpenSSH no longer compatible with SSH 1.2.26 clients?

sent to you with a subject of 'configure on solaris/x86' ...

On Tue, 4 Jan 2000, Damien Miller wrote:

> On Mon, 3 Jan 2000, Marc G. Fournier wrote:
>
> > Same problem though:
>
> Could you send me your config.h, the options that you ran
> ./configure with and its output?
>
> Damien
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From green at FreeBSD.org Tue Jan 4 18:21:00 2000
From: green at FreeBSD.org (Brian Fundakowski Feldman)
Date: Tue, 4 Jan 2000 02:21:00 -0500 (EST)
Subject: OpenSSH protocol 1.6 proposal
In-Reply-To: <20000103090708.A3780@rumpole.bohemians.lexington.ky.us>

What did you mean about not supporting the "change password" feature?
Were you referring to the passwd fields which expire passwords/accounts?
If so, you should take a look at my FreeBSD OpenSSH port... I've
implemented quite a bit of new stuff, like that, login.conf support, and
a framework (with good, working defaults) for prevention of
connection-based DoS.

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green at FreeBSD.org                    `------------------------------'

From marc.fournier at acadiau.ca Tue Jan 4 23:52:54 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Tue, 4 Jan 2000 08:52:54 -0400 (AST)
Subject: Why ...

in packet.c:packet_read_poll(), stored_checksum is an unsigned int, but
GET_32BIT is returning an unsigned long ...

Or isn't it?

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From marc.fournier at acadiau.ca Wed Jan 5 00:10:00 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Tue, 4 Jan 2000 09:10:00 -0400 (AST)
Subject: Why ...

On Tue, 4 Jan 2000, Marc G. Fournier wrote:

> in packet.c:packet_read_poll(), stored_checksum is an unsigned int, but
> GET_32BIT is returning an unsigned long ...
>
> Or isn't it?

Changing them to long made no difference ... first
'checksum/stored_checksum' comes in as equal, second set comes in as
!equal ... :(

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From marc.fournier at acadiau.ca Wed Jan 5 04:14:25 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Tue, 4 Jan 2000 13:14:25 -0400 (AST)
Subject: A clue to solaris problem?

Got this from one of my users today ...

==========
sshing did still work last week, but you had to use the blowfish
encryption protocol instead of 3des that is used by default.
==========

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From drankin at bohemians.lexington.ky.us Wed Jan 5 04:38:23 2000
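The packet.c check quoted earlier in this thread, and the unsigned int versus unsigned long question in "Why ...", worked through as an added example (not OpenSSH's code, nor anything posted by a list member): it lays out the decrypted body of an SSH1 packet, verifies the check bytes the way packet_read_poll() does, and shows the kind of mismatch the debug output above reports once a byte is damaged. Function names and the sample payload are my own; the CRC-32 parameters (polynomial 0xEDB88320, initial value 0, no final XOR) are SSH1's.

```c
/*
 * Added example, not code from OpenSSH or from anyone in this thread: the
 * SSH1 "check bytes" compared in packet.c.  It lays out the decrypted body
 * of an SSH1 packet (padding, type, payload, CRC-32) and verifies it as
 * packet_read_poll() does: CRC over all but the last four bytes, read those
 * four big-endian, compare.  Function names and sample payload are mine.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SSH1's CRC-32: reflected polynomial 0xEDB88320 with initial value 0 and
 * no final XOR.  Same table as zlib's CRC-32, but that one starts at and
 * finishes with 0xFFFFFFFF, so the two do not interoperate. */
static uint32_t ssh1_crc32(const unsigned char *buf, size_t len)
{
    uint32_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (crc & 1u) ? (crc >> 1) ^ 0xEDB88320u : crc >> 1;
    }
    return crc;
}

/* Same byte order as GET_32BIT/PUT_32BIT.  Both sides of the comparison
 * are uint32_t here, so the width question asked in "Why ..." cannot
 * arise: a 32-bit CRC is compared with a 32-bit stored value. */
static uint32_t get_32bit(const unsigned char *cp)
{
    return ((uint32_t)cp[0] << 24) | ((uint32_t)cp[1] << 16) |
           ((uint32_t)cp[2] << 8)  |  (uint32_t)cp[3];
}

static void put_32bit(unsigned char *cp, uint32_t v)
{
    cp[0] = (unsigned char)(v >> 24); cp[1] = (unsigned char)(v >> 16);
    cp[2] = (unsigned char)(v >> 8);  cp[3] = (unsigned char)v;
}

struct ssh1_packet {
    unsigned char buf[512];   /* padding + type + payload + 4 CRC bytes */
    size_t len;
};

/* Decrypted-body layout: 1..8 bytes of padding so the body is a multiple
 * of the 8-byte cipher block, then type, payload, and the CRC over all of
 * the preceding bytes.  Returns 0, or -1 if the payload does not fit. */
static int ssh1_packet_build(struct ssh1_packet *p, unsigned char type,
                             const unsigned char *payload, size_t plen)
{
    size_t packet_length = 1 + plen + 4;        /* type + data + crc */
    size_t padding = 8 - (packet_length % 8);   /* always 1..8 */
    size_t total = padding + packet_length;

    if (total > sizeof p->buf)
        return -1;
    memset(p->buf, 0xAA, padding);   /* real sshd uses random padding */
    p->buf[padding] = type;
    memcpy(p->buf + padding + 1, payload, plen);
    put_32bit(p->buf + total - 4, ssh1_crc32(p->buf, total - 4));
    p->len = total;
    return 0;
}

/* The check quoted from packet_read_poll(): 1 if the stored check bytes
 * match a fresh CRC, 0 where sshd calls packet_disconnect().  A CRC only
 * detects accidental damage (garbled decryption, a bad link); it is not a
 * MAC, which is why the "crc compensation attack detector" exists. */
static int ssh1_check_bytes_ok(const struct ssh1_packet *p)
{
    if (p->len < 1 + 1 + 4)          /* at least padding, type and crc */
        return 0;
    uint32_t checksum = ssh1_crc32(p->buf, p->len - 4);
    uint32_t stored_checksum = get_32bit(p->buf + p->len - 4);
    return checksum == stored_checksum;
}

/* What the thread's debug lines show: a packet that passes, then the same
 * bytes with one payload bit changed, which fails.  Returns 1 if the check
 * behaved as expected in both cases. */
static int demo_corruption(void)
{
    struct ssh1_packet p;
    const unsigned char payload[] = "constructed sample payload";

    if (ssh1_packet_build(&p, 0x04, payload, sizeof payload - 1) != 0)
        return 0;
    int ok_before = ssh1_check_bytes_ok(&p);
    p.buf[p.len - 5] ^= 0x80;        /* last payload byte, not the CRC */
    int ok_after = ssh1_check_bytes_ok(&p);
    printf("checksum: %08x\nstored_checksum: %08x\n",
           (unsigned)ssh1_crc32(p.buf, p.len - 4),
           (unsigned)get_32bit(p.buf + p.len - 4));
    return ok_before == 1 && ok_after == 0;
}

int main(void)
{
    return demo_corruption() ? 0 : 1;
}
```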
From: drankin at bohemians.lexington.ky.us (David Rankin)
Date: Tue, 4 Jan 2000 12:38:23 -0500
Subject: OpenSSH protocol 1.6 proposal
In-Reply-To: <20000103234930.A10240@folly.informatik.uni-erlangen.de>; from Markus Friedl on Mon, Jan 03, 2000 at 11:49:30PM +0100
References: <20000102151208.A21548@folly.informatik.uni-erlangen.de> <20000103092733.B3780@rumpole.bohemians.lexington.ky.us> <20000103234930.A10240@folly.informatik.uni-erlangen.de>
Message-ID: <20000104123822.B6035@rumpole.bohemians.lexington.ky.us>

I'll condense two different responses into one letter. Also, I have
posted what I'd call a "draft action plan" for an OpenSSH 2.0 project to
http://www.bohemians.lexington.ky.us/~drankin/openssh2.proposal for
anyone interested to examine. I suggest that we limit further discussion
of this thread to openssh-dev-list.

Thanks,
David

On Mon, Jan 03, 2000 at 07:47:15PM +0000, Philip Hands wrote:
> David Rankin writes:
> > Once we get someone to make a list, I think we can start working on
> > the details. No use flooding security at FreeBSD.org or openssh-dev-list
> > with a lot of off-topic discussion (and can stop the monster CC:... :)
> Would it not be better to attempt to get lsh finished off, since that
> doesn't have any possible licensing problem related to the
> protocol/name thing.

So long as we maintain compatibility with SSH 1.5, I don't think that
there are licensing issues. This should be true even when/if SSH 2.0
support is included.

As for lsh, I like what is already there, but there's a couple of
fundamental design choices that I don't agree with in lsh. They are:

1> Lack of compatibility with the SSH 1.5 protocol. This is of course
   the biggest issue for me. There are a ton of SSH 1.x implementations
   out there.

2> Non-forking server. A select() system is inherently more complex than
   a fork/exec design. I can see a lightweight thread replacement for
   fork/exec, but not a monolithic non-forking server.

> Cheers, Phil.
On Mon, Jan 03, 2000 at 11:49:30PM +0100, Markus Friedl wrote:
} I hope this is my last mail on this subject. All this discussion
} about SSH2 misses the fact that we are talking about a security
} product, so 'features' should not be overrated.
} Especially for ssh it should be remembered that "complexity is the
} enemy". You almost get my SSH1.6 for free. The patches consist
} of minor modifications that are supposed to make SSH1 much more
} secure. Compare the code size of OpenSSH (~ 20.000 lines) with the
} code size of ssh-2.0.1x (~ 100.000 lines), an incarnation of SSH2.
} Do secure protocols lead to secure implementations?

I wasn't aware of how close to completion your SSH 1.6 patches are. In
this case, I think that it'd be a Good Thing(tm) to include them right
after OpenSSH 1.2.1 is ready.

Also, I'm not sure if comparing code lines is fair. OpenSSH + OpenSSL
are more than ~20000 lines, although still not in the 100k range. That
said, your point is valid: SSH 2.0 is more complex, and any SSH 2.0
implementation is also more complex. That means that it's going to be a
while before OpenSSH 1.2 is obsolete. I agree with your SSH 1.6 proposal
as an interim solution, possibly its completion driving OpenSSH 1.3.

Thanks,
David
--
David W. Rankin, Jr.  Husband, Father, and UNIX Sysadmin.
Email: drankin at bohemians.lexington.ky.us  Address/Phone Number: Ask me.
"It is no great thing to be humble when you are brought low; but to be
humble when you are praised is a great and rare accomplishment." St. Bernard

From jamest at math.ksu.edu Wed Jan 5 08:59:54 2000
From: jamest at math.ksu.edu (James Thompson)
Date: Tue, 4 Jan 2000 15:59:54 -0600 (CST)
Subject: /etc/ssh/shosts.equiv ignored?

I'm trying to replace ssh 1.2.27 with openssh 1.2.1-pre*

It seems that an openssh client accessing any openssh/ssh server I've set up
always results in a password prompt.

It also seems that an openssh server requires ssh clients to provide a
password regardless of the entries in the /etc/ssh/shosts.equiv file. If
I shut off the openssh server and run a ssh server then normal ssh client
can connect without password prompts, openssh client still prompts for
password.

One other oddity I've noticed is in using openssh as a rsh replacement for
pine/imap. Setting up pine to use imap via ssh replacement of rsh worked
fine. With openssh it always displays the password prompt and corrupts
the screen.

If I've overlooked something in the man pages (which are corrupted on a
Solaris 2.6 install, nroff problem?) please point me at it.

Also, what are the legal options for me providing patches to openssh since
I'm in the US. I've had some troubles with Solaris 2.6 installs with
pre24 and pre19 but don't care to waste time debugging something I can't
contribute back to the project.

Thanks,
James

ssh = the product from www.ssh.fi

->->->->->->->->->->->->->->->->->->---<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<
James Thompson                    138 Cardwell Hall  Manhattan, Ks 66506
785-532-0561        Kansas State University      Department of Mathematics
->->->->->->->->->->->->->->->->->->---<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<

From sprout at dok.org Thu Jan 6 01:07:02 2000
From: sprout at dok.org (Chris Green)
Date: 05 Jan 2000 08:07:02 -0600
Subject: A clue to solaris problem?
In-Reply-To: "Marc G. Fournier"'s message of "Tue, 4 Jan 2000 13:14:25 -0400 (AST)"

"Marc G. Fournier" writes:

> ==========
> sshing did still work last week, but you had to use the blowfish
> encryption protocol instead of 3des that is used by default.
> ==========

debug: sshd version OpenSSH-1.2.1
Server listening on port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from scott port 1021
debug: Client protocol version 1.5; client software version OpenSSH-1.2.1
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: blowfish
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Starting up PAM with username "sprout"
debug: Attempting authentication for sprout.
Failed rsa for sprout from 138.26.15.145 port 1021
debug: PAM Password authentication accepted for user "sprout"
Accepted password for sprout from 138.26.15.145 port 1021

from pre24 on linux/x86 -> pre24 sol7/sparc

So I'd say the conclusion that 3des might be the source of the problem
might be appropriate.
--
Chris Green
Fame may be fleeting but obscurity is forever.

From ark at eltex.ru Thu Jan 6 01:23:25 2000
From: ark at eltex.ru (ark at eltex.ru)
Date: Wed, 5 Jan 2000 17:23:25 +0300
Subject: OpenSSH protocol 1.6 proposal
In-Reply-To: <20000103090708.A3780@rumpole.bohemians.lexington.ky.us> from "David Rankin"
Message-ID: <200001051423.RAA06052@paranoid.eltex.spb.ru>

nuqneH,

David Rankin said :

> > Apart from standards-compliance, what does SSH2 buy you over a cleaned
> > up SSH1?
>
> I know it's been mentioned already, but the #1 is you can do PAM
> challenge/response authentication correctly.

TISAuthentication option works fine for me.

CU in Hell                                                /Arkan#iD
Do i believe in Bible? Hell,man,i've seen one!

From rrussell at cibnetwork.com Thu Jan 6 05:00:58 2000
From: rrussell at cibnetwork.com (Rob Russell)
Date: Wed, 5 Jan 2000 13:00:58 -0500 (EST)
Subject: TCP port forwarding troubles?

(I just subscribed and am replying to a message found in the archive. I
apologize for any malformed headers or quotations.)

On Jan 2, 2000 at 12:42, Markus Friedl wrote:
> On Thu, Dec 30, 1999 at 02:22:09AM -0800, Phil Karn wrote:
> > Before I dig into the problem, has anyone else out there heavily
> > exercised TCP port forwarding in openssh?
> yes, i experience this, too, but no, i did not look into this yet.
> i am using portforwarding for connections to webproxies, too.
> i think, the problem has been fixed in ssh-1.2.2x since i remember
> having the same problem with older versions of the 1.2.x family.

Do you believe it to be a server or client-side issue? I'm having trouble
port forwarding (remote access to CVS) from an F-Secure SSH client for
MacOS to a server running openSSH 1.2. I can't reproduce this error with
other client platforms (Other MacOS SSH programs don't support
port-forwarding), so it might be an issue with the client, though the
client worked with the 1.2.27 server.

Here are the logs; any input anyone would have would be greatly appreciated.

Dec 30 16:41:47 zathras sshd[8693]: log: Connection from 192.168.5.2 port 2057
Dec 30 16:41:47 zathras sshd[8693]: log: PAM Password authentication accepted for "username"
Dec 30 16:41:47 zathras PAM_pwdb[8693]: (sshd) session opened for user username by (uid=0)
Dec 30 16:42:07 zathras sshd[8693]: log: Packet integrity error (37 != 42) at channels.c:975
Dec 30 16:42:07 zathras sshd[8693]: fatal: Local: Packet integrity error. (29)
Dec 30 16:42:07 zathras PAM_pwdb[8693]: (sshd) session closed for user username

--
Rob Russell, Senior Computer Systems Manager       rrussell at cibnetwork.com
Canadian Internet Broadcasting Network             office: (613) 727.4818 x206
Reseau de Diffusion Internet du Canada             cel: 282.7885  fax: 727.9366

From gem at rellim.com Thu Jan 6 09:54:12 2000
From: gem at rellim.com (Gary E. Miller)
Date: Wed, 5 Jan 2000 14:54:12 -0800 (PST)
Subject: openssh-1.2.1pre24 on SCO

Yo All!

Sorry if this is obvious but I am new to openssh. I have used the
original ssh for a while and am familiar with it (and its
restrictive license).

I am trying to port openssh-1.2.1pre24 on to SCO UnixWare 7.1.0. I
will post the small patches when it is really running.

Two problems, SCO has no /dev/random so I installed egd-0.6. It
usually works but sometimes dies. I have sent the details to the
egd folks.

The other problem is odd and affects both ssh and sshd.

If I ssh to a known good sshd, then I get this after the host
keys are exchanged:
    Disconnecting: Corrupted check bytes on input.

The sshd is a bit more strange. The first inbound connection to the
sshd on the SCO succeeds, but until the first one disconnects, no
other connects will succeed. I get this message at the remote (a
known good ssh on a Linux host) when trying to connect to the SCO sshd:
    Local: Corrupted check bytes on input.

And this from the sshd on the SCO when the second connect comes in:
    Disconnecting: Corrupted check bytes on input.

Any ideas on how to fix it or troubleshoot it?

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller  Rellim  20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com  Tel:+1(541)382-8588  Fax: +1(541)382-8676

From djm at mindrot.org Thu Jan 6 10:48:13 2000
From: djm at mindrot.org (Damien Miller)
Date: Thu, 6 Jan 2000 10:48:13 +1100 (EST)
Subject: openssh-1.2.1pre24 on SCO

On Wed, 5 Jan 2000, Gary E. Miller wrote:

> Yo All!
>
> Sorry if this is obvious but I am new to openssh. I have used the
> original ssh for a while and am familiar with it (and its
> restrictive license).
>
> I am trying to port openssh-1.2.1pre24 on to SCO UnixWare 7.1.0. I
> will post the small patches when it is really running.
>
> Two problems, SCO has no /dev/random so I installed egd-0.6. It
> usually works but sometimes dies. I have sent the details to the
> egd folks.
>
> The other problem is odd and affects both ssh and sshd.
>
> If I ssh to a known good sshd, then I get this after the host
> keys are exchanged:
>     Disconnecting: Corrupted check bytes on input.

Can you try this with the blowfish cipher? If it works, then you may
be facing the same problem we have on Solaris.

> The sshd is a bit more strange. The first inbound connection to the
> sshd on the SCO succeeds, but until the first one disconnects, no
> other connects will succeed.

I haven't seen this one before.

Regards,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From gem at rellim.com Thu Jan 6 11:18:50 2000
From: gem at rellim.com (Gary E. Miller)
Date: Wed, 5 Jan 2000 16:18:50 -0800 (PST)
Subject: openssh-1.2.1pre24 on SCO

Yo Damien!

Bingo! This works into and out of my SCO/openssh-1.2.1pre24!

    ssh -c blowfish -l gem [hostname]

Looks like the 3DES must be busted????

I did a "make test" on the libz and it passes.
I did a "make check" on the openssh and it passes.

RGDS
GARY

On Thu, 6 Jan 2000, Damien Miller wrote:

> Date: Thu, 6 Jan 2000 10:48:13 +1100 (EST)
> From: Damien Miller
> To: Gary E. Miller
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: openssh-1.2.1pre24 on SCO
>
> On Wed, 5 Jan 2000, Gary E. Miller wrote:
>
> > Yo All!
> >
> > Sorry if this is obvious but I am new to openssh. I have used the
> > original ssh for a while and am familiar with it (and its
> > restrictive license).
> >
> > I am trying to port openssh-1.2.1pre24 on to SCO UnixWare 7.1.0. I
> > will post the small patches when it is really running.
> >
> > Two problems, SCO has no /dev/random so I installed egd-0.6. It
> > usually works but sometimes dies. I have sent the details to the
> > egd folks.
> >
> > The other problem is odd and affects both ssh and sshd.
> >
> > If I ssh to a known good sshd, then I get this after the host
> > keys are exchanged:
> >     Disconnecting: Corrupted check bytes on input.
>
> Can you try this with the blowfish cipher? If it works, then you may
> be facing the same problem we have on Solaris.
>
> > The sshd is a bit more strange. The first inbound connection to the
> > sshd on the SCO succeeds, but until the first one disconnects, no
> > other connects will succeed.
>
> I haven't seen this one before.
>
> Regards,
> Damien Miller
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller  Rellim  20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com  Tel:+1(541)382-8588  Fax: +1(541)382-8676

From djm at mindrot.org Thu Jan 6 11:26:11 2000
From: djm at mindrot.org (Damien Miller)
Date: Thu, 6 Jan 2000 11:26:11 +1100 (EST)
Subject: openssh-1.2.1pre24 on SCO

On Wed, 5 Jan 2000, Gary E. Miller wrote:

> Yo Damien!
>
> Bingo! This works into and out of my SCO/openssh-1.2.1pre24!
>
>     ssh -c blowfish -l gem [hostname]
>
> Looks like the 3DES must be busted????

I am not sure what caused the breakage. We suspect that it occurred
sometime between pre22 and pre24 and the Solaris people are looking into
it. My best guess is a type mismatch somewhere. Unfortunately I don't
have access to any of the platforms that are affected and am thus unable
to replicate it myself :(

I am looking forward to your SCO patches.

Regards,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Thu Jan 6 11:54:41 2000
From: djm at mindrot.org (Damien Miller)
Date: Thu, 6 Jan 2000 11:54:41 +1100 (EST)
Subject: SOLUTION: Re: A clue to solaris problem? (fwd)

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

---------- Forwarded message ----------
Date: 05 Jan 2000 18:51:09 -0600
From: Chris Green
To: Damien Miller
Cc: Marc G. Fournier
Subject: Re: A clue to solaris problem?

> Can you try editing the Makefile and removing any reference to
> -lcrypt?

That fixed it. Thanks, you made my evening :).

debug: sshd version OpenSSH-1.2.1
Server listening on port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from scott port 1021
debug: Client protocol version 1.5; client software version OpenSSH-1.2.1
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Starting up PAM with username "sprout"
debug: Attempting authentication for sprout.
Failed rsa for sprout from 138.26.15.145 port 1021
debug: PAM Password authentication accepted for user "sprout"

--
Chris Green
This is my signature. There are many like it but this one is mine.

From djm at mindrot.org Thu Jan 6 13:39:36 2000
From: djm at mindrot.org (Damien Miller)
Date: Thu, 6 Jan 2000 13:39:36 +1100 (EST)
Subject: /etc/ssh/shosts.equiv ignored?

On Tue, 4 Jan 2000, James Thompson wrote:

> I'm trying to replace ssh 1.2.27 with openssh 1.2.1-pre*
>
> It seems that an openssh client accessing any openssh/ssh server I've set up
> always results in a password prompt.
>
> It also seems that an openssh server requires ssh clients to provide a
> password regardless of the entries in the /etc/ssh/shosts.equiv file. If
> I shut off the openssh server and run a ssh server then normal ssh client
> can connect without password prompts, openssh client still prompts for
> password.

Have you enabled "RhostsRSAAuthentication" in your sshd_config?

> One other oddity I've noticed is in using openssh as a rsh replacement for
> pine/imap. Setting up pine to use imap via ssh replacement of rsh worked
> fine. With openssh it always displays the password prompt and corrupts
> the screen.

What auth scheme are you using here?

> If I've overlooked something in the man pages (which are corrupted on a
> Solaris 2.6 install, nroff problem?) please point me at it.
>
> Also, what are the legal options for me providing patches to openssh since
> I'm in the US. I've had some troubles with Solaris 2.6 installs with
> pre24 and pre19 but don't care to waste time debugging something I can't
> contribute back to the project.

The approach so far has been to allow patches from the USA so long as
they are not crypto related.

Disclaimer: I am not a lawyer and this is not legal advice.
Regards,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From mouring at pconline.com Thu Jan 6 14:26:47 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Wed, 5 Jan 2000 21:26:47 -0600 (CST)
Subject: bsd-snprintf.c and NeXT.

I'm wondering if anyone happens to have a simpler (slower) version of
bsd-snprintf.c. It seems NeXT 3.3 (unsure about 4.2) is missing
mprotect(). If I could get something to replace that for a while and fix
some of these utmp in login.c issues I may have a rough port NeXT to
black hardware.=)

Thanks

From djm at mindrot.org Thu Jan 6 19:45:10 2000
From: djm at mindrot.org (Damien Miller)
Date: Thu, 6 Jan 2000 19:45:10 +1100 (EST)
Subject: bsd-snprintf.c and NeXT.

On Wed, 5 Jan 2000, Ben Lindstrom wrote:

> I'm wondering if anyone happens to have a simpler (slower) version of
> bsd-snprintf.c. It seems NeXT 3.3 (unsure about 4.2) is missing
> mprotect().

Someone posted one to the list a while ago, but attached is the one from
the XFree86 source. It seems to be of the same lineage. If you can be
bothered cleaning it up I can include it in the standard release.

> If I could get something to replace that for a while and fix some of
> these utmp in login.c issues I may have a rough port NeXT to black
> hardware.=)

Excellent!

Regards,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-------------- next part --------------
/**************************************************************
 * Original:
 * Patrick Powell Tue Apr 11 09:48:21 PDT 1995
 * A bombproof version of doprnt (dopr) included.
 * Sigh. This sort of thing is always nasty to deal with. Note that
 * the version here does not include floating point...
 *
 * snprintf() is used instead of sprintf() as it does limit checks
 * for string length. This covers a nasty loophole.
 *
 * The other functions are there to prevent NULL pointers from
 * causing nasty effects.
 **************************************************************/
/* $XFree86: xc/lib/misc/snprintf.c,v 3.0 1996/08/26 06:19:23 dawes Exp $ */

#include <stdio.h>
#include <string.h>     /* strlen() */
#include <ctype.h>      /* iscntrl() */
#include <limits.h>     /* CHAR_BIT */
#include "snprintf.h"

static void dopr();
/* Address of the last byte of the output buffer; it is reserved for the
 * NUL terminator and dopr_outch() never writes at or beyond it.  Being a
 * file-scope variable (like 'output' below) this code is not reentrant. */
static char *end;

/* varargs declarations: */

#if defined(HAVE_STDARG_H)
# include <stdarg.h>
# define HAVE_STDARGS    /* let's hope that works everywhere (mj) */
# define VA_LOCAL_DECL   va_list ap;
# define VA_START(f)     va_start(ap, f)
# define VA_SHIFT(v,t)   ;   /* no-op for ANSI */
# define VA_END          va_end(ap)
#else
# if defined(HAVE_VARARGS_H)
#  include <varargs.h>
#  undef HAVE_STDARGS
#  define VA_LOCAL_DECL  va_list ap;
#  define VA_START(f)    va_start(ap)      /* f is ignored! */
#  define VA_SHIFT(v,t)  v = va_arg(ap,t)
#  define VA_END         va_end(ap)
# else
/*XX ** NO VARARGS ** XX*/
# endif
#endif

#ifdef HAVE_STDARGS
int snprintf (char *str, size_t count, const char *fmt, ...);
int vsnprintf (char *str, size_t count, const char *fmt, va_list arg);
#else
int snprintf ();
int vsnprintf ();
#endif

int vsnprintf(str, count, fmt, args)
    char *str;
    size_t count;
    const char *fmt;
    va_list args;
{
    /* A zero-length buffer may not be written at all, not even the NUL
     * (the original unconditionally stored str[0] = 0 first). */
    if( count == 0 )
        return 0;
    str[0] = 0;
    end = str+count-1;
    dopr( str, fmt, args );
    end[0] = 0;     /* always NUL-terminated, even when output was truncated */
    return( (int) strlen(str) );
}

/* VARARGS3 */
#ifdef HAVE_STDARGS
int snprintf (char *str,size_t count,const char *fmt,...)
#else
int snprintf (va_alist) va_dcl
#endif
{
#ifndef HAVE_STDARGS
    char *str;
    size_t count;
    char *fmt;
#endif
    VA_LOCAL_DECL

    VA_START (fmt);
    VA_SHIFT (str, char *);
    VA_SHIFT (count, size_t );
    VA_SHIFT (fmt, char *);
    (void) vsnprintf ( str, count, fmt, ap);
    VA_END;
    return( (int) strlen( str ) );
}

/*
 * dopr(): poor man's version of doprintf
 */

static void fmtstr(
#if NeedFunctionPrototypes
    char *value, int ljust, int len, int zpad
#endif
);
static void fmtnum(
#if NeedFunctionPrototypes
    long value, int base, int dosign, int ljust, int len, int zpad
#endif
);
static void dostr(
#if NeedFunctionPrototypes
    char *
#endif
);
static char *output;    /* next byte dopr_outch() will write */
static void dopr_outch(
#if NeedFunctionPrototypes
    int c
#endif
);

static void dopr( buffer, format, args )
    char *buffer;
    char *format;
    va_list args;
{
    int ch;
    long value;
    int longflag = 0;
    char *strvalue;
    int ljust;
    int len;
    int zpad;

    /* Fetch the next integer argument.  Unsigned conversions must read the
     * argument as an unsigned type: the original read an int for %u/%o/%x
     * too, so a negative int was sign-extended into long and, on a 64-bit
     * host, %u of -1 printed as a 20-digit number. */
#define GET_SIGNED(v) \
    ((v) = longflag ? va_arg( args, long ) : (long) va_arg( args, int ))
#define GET_UNSIGNED(v) \
    ((v) = longflag ? (long) va_arg( args, unsigned long ) \
                    : (long) va_arg( args, unsigned int ))

    output = buffer;
    while( (ch = *format++) ){
        switch( ch ){
        case '%':
            ljust = len = zpad = 0;
        nextch:
            ch = *format++;
            switch( ch ){
            case 0:
                dostr( "**end of format**" );
                return;
            case '-': ljust = 1; goto nextch;
            case '0': /* set zero padding if len not set */
                if(len==0) zpad = '0';
                /* FALLTHROUGH: '0' also counts as a width digit */
            case '1': case '2': case '3':
            case '4': case '5': case '6':
            case '7': case '8': case '9':
                len = len*10 + ch - '0';
                goto nextch;
            case 'l': longflag = 1; goto nextch;
            case 'u': case 'U':
                /* fmtnum(value,base,dosign,ljust,len,zpad) */
                GET_UNSIGNED( value );
                fmtnum( value, 10,0, ljust, len, zpad ); break;
            case 'o': case 'O':
                GET_UNSIGNED( value );
                fmtnum( value, 8,0, ljust, len, zpad ); break;
            case 'd': case 'D':
                GET_SIGNED( value );
                fmtnum( value, 10,1, ljust, len, zpad ); break;
            case 'x':
                GET_UNSIGNED( value );
                fmtnum( value, 16,0, ljust, len, zpad ); break;
            case 'X':
                GET_UNSIGNED( value );
                fmtnum( value,-16,0, ljust, len, zpad ); break;  /* negative base = upper case */
            case 's':
                strvalue = va_arg( args, char *);
                fmtstr( strvalue,ljust,len,zpad ); break;
            case 'c':
                ch = va_arg( args, int );
                dopr_outch( ch ); break;
            case '%': dopr_outch( ch ); continue;
            default:
                dostr( "???????" );
            }
            longflag = 0;
            break;
        default:
            dopr_outch( ch );
            break;
        }
    }
    *output = 0;
#undef GET_SIGNED
#undef GET_UNSIGNED
}

static void
fmtstr( value, ljust, len, zpad )
    char *value;
    int ljust, len, zpad;
{
    int padlen, slen;     /* amount to pad; length of value */

    if( value == 0 ){
        value = "";       /* a NULL argument prints as an empty string */
    }
    for( slen = 0; value[slen]; ++slen ); /* strlen */
    padlen = len - slen;
    if( padlen < 0 ) padlen = 0;
    if( ljust ) padlen = -padlen;
    while( padlen > 0 ) {
        dopr_outch( ' ' );
        --padlen;
    }
    dostr( value );
    while( padlen < 0 ) {
        dopr_outch( ' ' );
        ++padlen;
    }
}

static void
fmtnum( value, base, dosign, ljust, len, zpad )
    long value;
    int base, dosign, ljust, len, zpad;
{
    int signvalue = 0;
    unsigned long uvalue;
    /* Room for every digit of an unsigned long in any base >= 2, plus the
     * NUL.  The original 'char convert[20]' is one byte short for a 64-bit
     * long printed in octal (22 digits), which overflows this stack buffer. */
    char convert[sizeof(unsigned long) * CHAR_BIT + 1];
    int place = 0;
    int padlen = 0; /* amount to pad */
    int caps = 0;

    /* DEBUGP(("value 0x%x, base %d, dosign %d, ljust %d, len %d, zpad %d\n",
        value, base, dosign, ljust, len, zpad )); */
    uvalue = value;
    if( dosign ){
        if( value < 0 ) {
            signvalue = '-';
            /* negate in unsigned arithmetic: -value overflows for LONG_MIN */
            uvalue = 0UL - (unsigned long) value;
        }
    }
    if( base < 0 ){
        caps = 1;
        base = -base;
    }
    do{
        convert[place++] =
            (caps? "0123456789ABCDEF":"0123456789abcdef")
             [uvalue % (unsigned)base ];
        uvalue = (uvalue / (unsigned)base );
    }while(uvalue);
    convert[place] = 0;

    padlen = len - place;
    if( padlen < 0 ) padlen = 0;
    if( ljust ) padlen = -padlen;
    /* DEBUGP(( "str '%s', place %d, sign %c, padlen %d\n",
        convert,place,signvalue,padlen)); */
    if( zpad && padlen > 0 ){
        if( signvalue ){
            dopr_outch( signvalue );
            --padlen;
            signvalue = 0;
        }
        while( padlen > 0 ){
            dopr_outch( zpad );
            --padlen;
        }
    }
    while( padlen > 0 ) {
        dopr_outch( ' ' );
        --padlen;
    }
    if( signvalue ) dopr_outch( signvalue );
    while( place > 0 ) dopr_outch( convert[--place] );
    while( padlen < 0 ){
        dopr_outch( ' ' );
        ++padlen;
    }
}

static void dostr( str )
    char *str;
{
    /* cast: a plain char may be negative, which iscntrl() does not accept */
    while(*str) dopr_outch( (unsigned char) *str++ );
}

static void dopr_outch( c )
    int c;
{
    /* Control characters other than newline and tab are rendered as ^X,
     * so they cannot reach a terminal or log line unescaped. */
    if( iscntrl( (unsigned char) c ) && c != '\n' && c != '\t' ){
        c = '@' + (c & 0x1F);
        if( end == 0 || output < end ){
            *output++ = '^';
        }
    }
    if( end == 0 || output < end ){
        *output++ = c;
    }
}
-------------- next part --------------
/* $XFree86: xc/lib/misc/snprintf.h,v 3.1 1996/08/26 14:42:33 dawes Exp $ */

#ifndef SNPRINTF_H
#define SNPRINTF_H

#ifdef HAS_SNPRINTF
#ifdef LIBXT
#define _XtSnprintf snprintf
#define _XtVsnprintf vsnprintf
#endif
#ifdef LIBX11
#define _XSnprintf snprintf
#define _XVsnprintf vsnprintf
#endif
#else /* !HAS_SNPRINTF */
#ifdef LIBXT
#define snprintf _XtSnprintf
#define vsnprintf _XtVsnprintf
#endif
#ifdef LIBX11
#define snprintf _XSnprintf
#define vsnprintf _XVsnprintf
#endif
/* The names of the two system headers included here were stripped from the
 * archived copy; <stddef.h> and <stdio.h> are assumed, supplying size_t. */
#include <stddef.h>
#include <stdio.h>
#if NeedVarargsPrototypes
#define HAVE_STDARG_H
#endif
#ifdef HAVE_STDARG_H
#include <stdarg.h>
extern int snprintf (char *str, size_t count, const char *fmt, ...);
extern int vsnprintf (char *str, size_t count, const char *fmt, va_list arg);
#else
extern int snprintf ();
extern int vsnprintf ();
#endif
#endif /* HAS_SNPRINTF */
#endif /* SNPRINTF_H */

From mouring at pconline.com Fri Jan 7 04:01:59 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Thu, 6 Jan 2000 11:01:59 -0600 (CST)
Subject: bsd-snprintf.c and NeXT.

Thanks, I'll take a look at them later tonight. As a stop-gap I found a
snprintf() in the NeXT Programming newsgroup that I'm using.

If all goes well I may have a reviewable patch at the end of next week.

On Thu, 6 Jan 2000, Damien Miller wrote:

> On Wed, 5 Jan 2000, Ben Lindstrom wrote:
>
> > I'm wondering if anyone happens to have a simpler (slower) version of
> > bsd-snprintf.c. It seems NeXT 3.3 (unsure about 4.2) is missing
> > mprotect().
>
> Someone posted one to the list a while ago, but attached is the one
> from the XFree86 source. It seems to be of the same lineage.
>
> If you can be bothered cleaning it up I can include it in the standard
> release.
>
> > If I could get something to replace that for a while and fix some of
> > these utmp in login.c issues I may have a rough port to NeXT black
> > hardware. =)
>
> Excellent!
>
> Regards,
> Damien Miller

From gem at rellim.com Fri Jan 7 08:01:23 2000
From: gem at rellim.com (Gary E. Miller)
Date: Thu, 6 Jan 2000 13:01:23 -0800 (PST)
Subject: openssh-1.2.1pre24 on SCO

Yo Damien!

On Thu, 6 Jan 2000, Damien Miller wrote:

> I am looking forward to your SCO patches.

SCO UnixWare breaks the config.guess and config.sub shell scripts from
the autoconf package. After some discussion on the autoconf mail list, I
was pointed at the newer CVS tree for autoconf that cleans up the UnixWare
detection mess. They are not released yet but are being used on many
packages like gcc already.

There are two updated files, config.guess and config.sub. They are
attached. If you wish I could send diffs.

Once I know these are going in I have a diff to your configure script for
the UnixWare port. It only works with blowfish for now.

Also, as the package is ported to more and more platforms, there will be a
need for porting notes. I would like to add some notes to my port. I could
create a "README.sco", or a section to a generic "PORTING" doc. Any
thought on this?

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676

-------------- next part --------------
From gem at rellim.com Thu Jan 6 12:21:18 2000
Date: Thu, 06 Jan 2000 12:14:19 -0800
From: Gary E. Miller
To: gem at rellim.com
Subject: config.guess

http://gcc.gnu.org/cgi-bin/cvsweb.cgi/~checkout~/egcs/config.guess?rev=1.35&content-type=text/plain
*/ printf ("mips-sony-bsd\n"); exit (0); #else #include printf ("m68k-sony-newsos%s\n", #ifdef NEWSOS4 "4" #else "" #endif ); exit (0); #endif #endif #if defined (__arm) && defined (__acorn) && defined (__unix) printf ("arm-acorn-riscix"); exit (0); #endif #if defined (hp300) && !defined (hpux) printf ("m68k-hp-bsd\n"); exit (0); #endif #if defined (NeXT) #if !defined (__ARCHITECTURE__) #define __ARCHITECTURE__ "m68k" #endif int version; version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`; if (version < 4) printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version); else printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version); exit (0); #endif #if defined (MULTIMAX) || defined (n16) #if defined (UMAXV) printf ("ns32k-encore-sysv\n"); exit (0); #else #if defined (CMU) printf ("ns32k-encore-mach\n"); exit (0); #else printf ("ns32k-encore-bsd\n"); exit (0); #endif #endif #endif #if defined (__386BSD__) printf ("i386-pc-bsd\n"); exit (0); #endif #if defined (sequent) #if defined (i386) printf ("i386-sequent-dynix\n"); exit (0); #endif #if defined (ns32000) printf ("ns32k-sequent-dynix\n"); exit (0); #endif #endif #if defined (_SEQUENT_) struct utsname un; uname(&un); if (strncmp(un.version, "V2", 2) == 0) { printf ("i386-sequent-ptx2\n"); exit (0); } if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */ printf ("i386-sequent-ptx1\n"); exit (0); } printf ("i386-sequent-ptx\n"); exit (0); #endif #if defined (vax) #if !defined (ultrix) printf ("vax-dec-bsd\n"); exit (0); #else printf ("vax-dec-ultrix\n"); exit (0); #endif #endif #if defined (alliant) && defined (i860) printf ("i860-alliant-bsd\n"); exit (0); #endif exit (1); } EOF $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy && rm $dummy.c $dummy && exit 0 rm -f $dummy.c $dummy # Apollos put the system type in the environment. 
test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit 0; } # Convex versions that predate uname can use getsysinfo(1) if [ -x /usr/convex/getsysinfo ] then case `getsysinfo -f cpu_type` in c1*) echo c1-convex-bsd exit 0 ;; c2*) if getsysinfo -f scalar_acc then echo c32-convex-bsd else echo c2-convex-bsd fi exit 0 ;; c34*) echo c34-convex-bsd exit 0 ;; c38*) echo c38-convex-bsd exit 0 ;; c4*) echo c4-convex-bsd exit 0 ;; esac fi #echo '(Unable to guess system type)' 1>&2 exit 1 -------------- next part -------------- From gem at rellim.com Thu Jan 6 12:21:23 2000 Date: Thu, 06 Jan 2000 12:14:43 -0800 
From: Gary E. Miller To: gem at rellim.com Subject: config.sub http://gcc.gnu.org/cgi-bin/cvsweb.cgi/~checkout~/egcs/config.sub?rev=1.35&content-type=text/plain [ Part 2: "Attached Text" ] #! /bin/sh # Configuration validation subroutine script, version 1.1. # Copyright (C) 1991, 92-97, 1998, 1999 Free Software Foundation, Inc. # This file is (in principle) common to ALL GNU software. # The presence of a machine in this file suggests that SOME GNU software # can handle that machine. It does not imply ALL GNU software can. # # This file is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, # Boston, MA 02111-1307, USA. # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that program. # Configuration subroutine to validate and canonicalize a configuration type. # Supply the specified configuration type as an argument. # If it is invalid, we print an error message on stderr and exit with code 1. # Otherwise, we print the canonical config type on stdout and succeed. # This file is supposed to be the same for all GNU packages # and recognize all the CPU types, system types and aliases # that are meaningful with *any* GNU software. 
# Each package is responsible for reporting which valid configurations # it does not support. The user should be able to distinguish # a failure to support a valid configuration from a meaningless # configuration. # The goal of this file is to map all the various variations of a given # machine specification into a single specification in the form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM # or in some cases, the newer four-part form: # CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM # It is wrong to echo any other type of specification. if [ x$1 = x ] then echo Configuration name missing. 1>&2 echo "Usage: $0 CPU-MFR-OPSYS" 1>&2 echo "or $0 ALIAS" 1>&2 echo where ALIAS is a recognized configuration type. 1>&2 exit 1 fi # First pass through any local machine types. case $1 in *local*) echo $1 exit 0 ;; *) ;; esac # Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any). # Here we must recognize all the valid KERNEL-OS combinations. maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` case $maybe_os in linux-gnu*) os=-$maybe_os basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` ;; *) basic_machine=`echo $1 | sed 's/-[^-]*$//'` if [ $basic_machine != $1 ] then os=`echo $1 | sed 's/.*-/-/'` else os=; fi ;; esac ### Let's recognize common machines as not being operating systems so ### that things like config.sub decstation-3100 work. We also ### recognize some manufacturers as not being operating systems, so we ### can provide default operating systems below. case $os in -sun*os*) # Prevent following clause from handling this invalid input. 
;; -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \ -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \ -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \ -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ -apple) os= basic_machine=$1 ;; -sim | -cisco | -oki | -wec | -winbond) os= basic_machine=$1 ;; -scout) ;; -wrs) os=-vxworks basic_machine=$1 ;; -hiux*) os=-hiuxwe2 ;; -sco5) os=-sco3.2v5 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco4) os=-sco3.2v4 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco3.2.[4-9]*) os=`echo $os | sed -e 's/sco3.2./sco3.2v/'` basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco3.2v[4-9]*) # Don't forget version if it is 3.2v4 or newer. basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco*) os=-sco3.2v2 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -udk*) basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -isc) os=-isc2.2 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -clix*) basic_machine=clipper-intergraph ;; -isc*) basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -lynx*) os=-lynxos ;; -ptx*) basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'` ;; -windowsnt*) os=`echo $os | sed -e 's/windowsnt/winnt/'` ;; -psos*) os=-psos ;; esac # Decode aliases for certain CPU-COMPANY combinations. case $basic_machine in # Recognize the basic CPU types without company name. # Some are omitted here because they have special meanings below. 
tahoe | i860 | m32r | m68k | m68000 | m88k | ns32k | arc | arm \ | arme[lb] | pyramid | mn10200 | mn10300 | tron | a29k \ | 580 | i960 | h8300 \ | hppa | hppa1.0 | hppa1.1 | hppa2.0 | hppa2.0w | hppa2.0n \ | alpha | alphaev[4-8] | alphaev56 | alphapca5[67] \ | we32k | ns16k | clipper | i370 | sh | powerpc | powerpcle \ | 1750a | dsp16xx | pdp11 | mips16 | mips64 | mipsel | mips64el \ | mips64orion | mips64orionel | mipstx39 | mipstx39el \ | mips64vr4300 | mips64vr4300el | mips64vr4100 | mips64vr4100el \ | mips64vr5000 | miprs64vr5000el \ | m88110 | m680[012346]0 | m683?2 | m68360 | m5200 | z8k | v70 \ | sparc | sparclet | sparclite | sparc64 | sparc86x | sparcv9 \ | thumb | v850 | c4x | d10v | h8500 | w65 | fr30) basic_machine=$basic_machine-unknown ;; # We use `pc' rather than `unknown' # because (1) that's what they normally are, and # (2) the word "unknown" tends to confuse beginning users. i[34567]86) basic_machine=$basic_machine-pc ;; # Object if more than one company name word. *-*-*) echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 exit 1 ;; # Recognize the basic CPU types with company name. 
vax-* | tahoe-* | i[34567]86-* | i860-* | m32r-* | m68k-* | m68000-* \ | m88k-* | sparc-* | ns32k-* | fx80-* | arc-* | arm-* | c[123]* \ | mips-* | pyramid-* | tron-* | a29k-* | romp-* | rs6000-* \ | power-* | none-* | 580-* | cray2-* | h8300-* | h8500-* | i960-* \ | xmp-* | ymp-* \ | hppa-* | hppa1.0-* | hppa1.1-* | hppa2.0-* | hppa2.0w-* | hppa2.0n-* \ | alpha-* | alphaev[4-8]-* | alphaev56-* | alphapca5[67]-* \ | we32k-* | cydra-* | ns16k-* | pn-* | np1-* | xps100-* \ | clipper-* | orion-* \ | sparclite-* | pdp11-* | sh-* | powerpc-* | powerpcle-* \ | sparc64-* | sparcv9-* | sparc86x-* | mips16-* | mips64-* | mipsel-* \ | mips64el-* | mips64orion-* | mips64orionel-* \ | mips64vr4100-* | mips64vr4100el-* | mips64vr4300-* | mips64vr4300el-* \ | mipstx39-* | mipstx39el-* \ | f301-* | arm*-* | t3e-* \ | m88110-* | m680[01234]0-* | m683?2-* | m68360-* | z8k-* | d10v-* \ | thumb-* | v850-* | d30v-* | tic30-* | c30-* | fr30-* ) ;; # Recognize the various machine names and aliases which stand # for a CPU type and a company and sometimes even an OS. 
386bsd) basic_machine=i386-unknown os=-bsd ;; 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc) basic_machine=m68000-att ;; 3b*) basic_machine=we32k-att ;; a29khif) basic_machine=a29k-amd os=-udi ;; adobe68k) basic_machine=m68010-adobe os=-scout ;; alliant | fx80) basic_machine=fx80-alliant ;; altos | altos3068) basic_machine=m68k-altos ;; am29k) basic_machine=a29k-none os=-bsd ;; amdahl) basic_machine=580-amdahl os=-sysv ;; amiga | amiga-*) basic_machine=m68k-cbm ;; amigaos | amigados) basic_machine=m68k-cbm os=-amigaos ;; amigaunix | amix) basic_machine=m68k-cbm os=-sysv4 ;; apollo68) basic_machine=m68k-apollo os=-sysv ;; apollo68bsd) basic_machine=m68k-apollo os=-bsd ;; aux) basic_machine=m68k-apple os=-aux ;; balance) basic_machine=ns32k-sequent os=-dynix ;; convex-c1) basic_machine=c1-convex os=-bsd ;; convex-c2) basic_machine=c2-convex os=-bsd ;; convex-c32) basic_machine=c32-convex os=-bsd ;; convex-c34) basic_machine=c34-convex os=-bsd ;; convex-c38) basic_machine=c38-convex os=-bsd ;; cray | ymp) basic_machine=ymp-cray os=-unicos ;; cray2) basic_machine=cray2-cray os=-unicos ;; [ctj]90-cray) basic_machine=c90-cray os=-unicos ;; crds | unos) basic_machine=m68k-crds ;; da30 | da30-*) basic_machine=m68k-da30 ;; decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn) basic_machine=mips-dec ;; delta | 3300 | motorola-3300 | motorola-delta \ | 3300-motorola | delta-motorola) basic_machine=m68k-motorola ;; delta88) basic_machine=m88k-motorola os=-sysv3 ;; dpx20 | dpx20-*) basic_machine=rs6000-bull os=-bosx ;; dpx2* | dpx2*-bull) basic_machine=m68k-bull os=-sysv3 ;; ebmon29k) basic_machine=a29k-amd os=-ebmon ;; elxsi) basic_machine=elxsi-elxsi os=-bsd ;; encore | umax | mmax) basic_machine=ns32k-encore ;; es1800 | OSE68k | ose68k | ose | OSE) basic_machine=m68k-ericsson os=-ose ;; fx2800) basic_machine=i860-alliant ;; genix) basic_machine=ns32k-ns ;; gmicro) basic_machine=tron-gmicro os=-sysv ;; h3050r* | hiux*) 
basic_machine=hppa1.1-hitachi os=-hiuxwe2 ;; h8300hms) basic_machine=h8300-hitachi os=-hms ;; h8300xray) basic_machine=h8300-hitachi os=-xray ;; h8500hms) basic_machine=h8500-hitachi os=-hms ;; harris) basic_machine=m88k-harris os=-sysv3 ;; hp300-*) basic_machine=m68k-hp ;; hp300bsd) basic_machine=m68k-hp os=-bsd ;; hp300hpux) basic_machine=m68k-hp os=-hpux ;; hp3k9[0-9][0-9] | hp9[0-9][0-9]) basic_machine=hppa1.0-hp ;; hp9k2[0-9][0-9] | hp9k31[0-9]) basic_machine=m68000-hp ;; hp9k3[2-9][0-9]) basic_machine=m68k-hp ;; hp9k6[0-9][0-9] | hp6[0-9][0-9]) basic_machine=hppa1.0-hp ;; hp9k7[0-79][0-9] | hp7[0-79][0-9]) basic_machine=hppa1.1-hp ;; hp9k78[0-9] | hp78[0-9]) # FIXME: really hppa2.0-hp basic_machine=hppa1.1-hp ;; hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893) # FIXME: really hppa2.0-hp basic_machine=hppa1.1-hp ;; hp9k8[0-9][13679] | hp8[0-9][13679]) basic_machine=hppa1.1-hp ;; hp9k8[0-9][0-9] | hp8[0-9][0-9]) basic_machine=hppa1.0-hp ;; hppa-next) os=-nextstep3 ;; hppaosf) basic_machine=hppa1.1-hp os=-osf ;; hppro) basic_machine=hppa1.1-hp os=-proelf ;; i370-ibm* | ibm*) basic_machine=i370-ibm ;; # I'm not sure what "Sysv32" means. Should this be sysv3.2? 
i[34567]86v32) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv32 ;; i[34567]86v4*) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv4 ;; i[34567]86v) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv ;; i[34567]86sol2) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-solaris2 ;; i386mach) basic_machine=i386-mach os=-mach ;; i386-vsta | vsta) basic_machine=i386-unknown os=-vsta ;; i386-go32 | go32) basic_machine=i386-unknown os=-go32 ;; i386-mingw32 | mingw32) basic_machine=i386-unknown os=-mingw32 ;; iris | iris4d) basic_machine=mips-sgi case $os in -irix*) ;; *) os=-irix4 ;; esac ;; isi68 | isi) basic_machine=m68k-isi os=-sysv ;; m88k-omron*) basic_machine=m88k-omron ;; magnum | m3230) basic_machine=mips-mips os=-sysv ;; merlin) basic_machine=ns32k-utek os=-sysv ;; miniframe) basic_machine=m68000-convergent ;; *mint | *MiNT) basic_machine=m68k-atari os=-mint ;; mipsel*-linux*) basic_machine=mipsel-unknown os=-linux-gnu ;; mips*-linux*) basic_machine=mips-unknown os=-linux-gnu ;; mips3*-*) basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'` ;; mips3*) basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown ;; monitor) basic_machine=m68k-rom68k os=-coff ;; msdos) basic_machine=i386-unknown os=-msdos ;; mvs) basic_machine=i370-ibm os=-mvs ;; ncr3000) basic_machine=i486-ncr os=-sysv4 ;; netbsd386) basic_machine=i386-unknown os=-netbsd ;; netwinder) basic_machine=armv4l-corel os=-linux ;; news | news700 | news800 | news900) basic_machine=m68k-sony os=-newsos ;; news1000) basic_machine=m68030-sony os=-newsos ;; news-3600 | risc-news) basic_machine=mips-sony os=-newsos ;; necv70) basic_machine=v70-nec os=-sysv ;; next | m*-next ) basic_machine=m68k-next case $os in -nextstep* ) ;; -ns2*) os=-nextstep2 ;; *) os=-nextstep3 ;; esac ;; nh3000) basic_machine=m68k-harris os=-cxux ;; nh[45]000) basic_machine=m88k-harris os=-cxux ;; nindy960) basic_machine=i960-intel os=-nindy ;; mon960) basic_machine=i960-intel os=-mon960 
;; np1) basic_machine=np1-gould ;; op50n-* | op60c-*) basic_machine=hppa1.1-oki os=-proelf ;; OSE68000 | ose68000) basic_machine=m68000-ericsson os=-ose ;; os68k) basic_machine=m68k-none os=-os68k ;; pa-hitachi) basic_machine=hppa1.1-hitachi os=-hiuxwe2 ;; paragon) basic_machine=i860-intel os=-osf ;; pbd) basic_machine=sparc-tti ;; pbb) basic_machine=m68k-tti ;; pc532 | pc532-*) basic_machine=ns32k-pc532 ;; pentium | p5 | k5 | k6 | nexen) basic_machine=i586-pc ;; pentiumpro | p6 | 6x86) basic_machine=i686-pc ;; pentiumii | pentium2) basic_machine=i786-pc ;; pentium-* | p5-* | k5-* | k6-* | nexen-*) basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentiumpro-* | p6-* | 6x86-*) basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentiumii-* | pentium2-*) basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pn) basic_machine=pn-gould ;; power) basic_machine=rs6000-ibm ;; ppc) basic_machine=powerpc-unknown ;; ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppcle | powerpclittle | ppc-le | powerpc-little) basic_machine=powerpcle-unknown ;; ppcle-* | powerpclittle-*) basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ps2) basic_machine=i386-ibm ;; rom68k) basic_machine=m68k-rom68k os=-coff ;; rm[46]00) basic_machine=mips-siemens ;; rtpc | rtpc-*) basic_machine=romp-ibm ;; sa29200) basic_machine=a29k-amd os=-udi ;; sequent) basic_machine=i386-sequent ;; sh) basic_machine=sh-hitachi os=-hms ;; sparclite-wrs) basic_machine=sparclite-wrs os=-vxworks ;; sps7) basic_machine=m68k-bull os=-sysv2 ;; spur) basic_machine=spur-unknown ;; st2000) basic_machine=m68k-tandem ;; stratus) basic_machine=i860-stratus os=-sysv4 ;; sun2) basic_machine=m68000-sun ;; sun2os3) basic_machine=m68000-sun os=-sunos3 ;; sun2os4) basic_machine=m68000-sun os=-sunos4 ;; sun3os3) basic_machine=m68k-sun os=-sunos3 ;; sun3os4) basic_machine=m68k-sun os=-sunos4 ;; sun4os3) basic_machine=sparc-sun os=-sunos3 ;; sun4os4) 
basic_machine=sparc-sun os=-sunos4 ;; sun4sol2) basic_machine=sparc-sun os=-solaris2 ;; sun3 | sun3-*) basic_machine=m68k-sun ;; sun4) basic_machine=sparc-sun ;; sun386 | sun386i | roadrunner) basic_machine=i386-sun ;; symmetry) basic_machine=i386-sequent os=-dynix ;; t3e) basic_machine=t3e-cray os=-unicos ;; tx39) basic_machine=mipstx39-unknown ;; tx39el) basic_machine=mipstx39el-unknown ;; tower | tower-32) basic_machine=m68k-ncr ;; udi29k) basic_machine=a29k-amd os=-udi ;; ultra3) basic_machine=a29k-nyu os=-sym1 ;; v810 | necv810) basic_machine=v810-nec os=-none ;; vaxv) basic_machine=vax-dec os=-sysv ;; vms) basic_machine=vax-dec os=-vms ;; vpp*|vx|vx-*) basic_machine=f301-fujitsu ;; vxworks960) basic_machine=i960-wrs os=-vxworks ;; vxworks68) basic_machine=m68k-wrs os=-vxworks ;; vxworks29k) basic_machine=a29k-wrs os=-vxworks ;; w65*) basic_machine=w65-wdc os=-none ;; w89k-*) basic_machine=hppa1.1-winbond os=-proelf ;; xmp) basic_machine=xmp-cray os=-unicos ;; xps | xps100) basic_machine=xps100-honeywell ;; z8k-*-coff) basic_machine=z8k-unknown os=-sim ;; none) basic_machine=none-none os=-none ;; # Here we handle the default manufacturer of certain CPU types. It is in # some cases the only manufacturer, in others, it is the most popular. 
w89k) basic_machine=hppa1.1-winbond ;; op50n) basic_machine=hppa1.1-oki ;; op60c) basic_machine=hppa1.1-oki ;; mips) if [ x$os = x-linux-gnu ]; then basic_machine=mips-unknown else basic_machine=mips-mips fi ;; romp) basic_machine=romp-ibm ;; rs6000) basic_machine=rs6000-ibm ;; vax) basic_machine=vax-dec ;; pdp11) basic_machine=pdp11-dec ;; we32k) basic_machine=we32k-att ;; sparc | sparcv9) basic_machine=sparc-sun ;; cydra) basic_machine=cydra-cydrome ;; orion) basic_machine=orion-highlevel ;; orion105) basic_machine=clipper-highlevel ;; mac | mpw | mac-mpw) basic_machine=m68k-apple ;; pmac | pmac-mpw) basic_machine=powerpc-apple ;; c4x*) basic_machine=c4x-none os=-coff ;; *) echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 exit 1 ;; esac # Here we canonicalize certain aliases for manufacturers. case $basic_machine in *-digital*) basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'` ;; *-commodore*) basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'` ;; *) ;; esac # Decode manufacturer-specific aliases for certain operating systems. if [ x"$os" != x"" ] then case $os in # First match some system type aliases # that might get confused with valid system types. # -solaris* is a basic system type, with this one exception. -solaris1 | -solaris1.*) os=`echo $os | sed -e 's|solaris1|sunos4|'` ;; -solaris) os=-solaris2 ;; -svr4*) os=-sysv4 ;; -unixware*) os=-sysv4.2uw ;; -gnu/linux*) os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'` ;; # First accept the basic system types. # The portable systems comes first. # Each alternative MUST END IN A *, to match a version number. # -sysv* is not here because it comes later, after sysvr4. 
-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\ | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \ | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ | -aos* | -opened* \ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ | -hiux* | -386bsd* | -netbsd* | -openbsd* | -freebsd* | -riscix* \ | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ | -mingw32* | -linux-gnu* | -uxpv* | -beos* | -mpeix* | -udk* \ | -interix* | -uwin* | -rhapsody* | -openstep* | -oskit*) # Remember, each alternative MUST END IN *, to match a version number. ;; -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \ | -windows* | -osx | -abug | -netware* | -os9* | -beos* \ | -macos* | -mpw* | -magic* | -mon960* | -lnews*) ;; -mac*) os=`echo $os | sed -e 's|mac|macos|'` ;; -linux*) os=`echo $os | sed -e 's|linux|linux-gnu|'` ;; -sunos5*) os=`echo $os | sed -e 's|sunos5|solaris2|'` ;; -sunos6*) os=`echo $os | sed -e 's|sunos6|solaris3|'` ;; -opened*) os=-openedition ;; -osfrose*) os=-osfrose ;; -osf*) os=-osf ;; -utek*) os=-bsd ;; -dynix*) os=-bsd ;; -acis*) os=-aos ;; -386bsd) os=-bsd ;; -ctix* | -uts*) os=-sysv ;; -ns2 ) os=-nextstep2 ;; # Preserve the version number of sinix5. -sinix5.*) os=`echo $os | sed -e 's|sinix|sysv|'` ;; -sinix*) os=-sysv4 ;; -triton*) os=-sysv3 ;; -oss*) os=-sysv3 ;; -svr4) os=-sysv4 ;; -svr3) os=-sysv3 ;; -sysvr4) os=-sysv4 ;; # This must come after -sysvr4. -sysv*) ;; -ose*) os=-ose ;; -es1800*) os=-ose ;; -xenix) os=-xenix ;; -*mint | -*MiNT) os=-mint ;; -none) ;; *) # Get rid of the `-' at the beginning of $os. 
os=`echo $os | sed 's/[^-]*-//'` echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2 exit 1 ;; esac else # Here we handle the default operating systems that come with various machines. # The value should be what the vendor currently ships out the door with their # machine or put another way, the most popular os provided with the machine. # Note that if you're going to try to match "-MANUFACTURER" here (say, # "-sun"), then you have to tell the case statement up towards the top # that MANUFACTURER isn't an operating system. Otherwise, code above # will signal an error saying that MANUFACTURER isn't an operating # system, and we'll never get to this point. case $basic_machine in *-acorn) os=-riscix1.2 ;; arm*-corel) os=-linux ;; arm*-semi) os=-aout ;; pdp11-*) os=-none ;; *-dec | vax-*) os=-ultrix4.2 ;; m68*-apollo) os=-domain ;; i386-sun) os=-sunos4.0.2 ;; m68000-sun) os=-sunos3 # This also exists in the configure program, but was not the # default. # os=-sunos4 ;; m68*-cisco) os=-aout ;; mips*-cisco) os=-elf ;; mips*-*) os=-elf ;; *-tti) # must be before sparc entry or we get the wrong os. os=-sysv3 ;; sparc-* | *-sun) os=-sunos4.1.1 ;; *-be) os=-beos ;; *-ibm) os=-aix ;; *-wec) os=-proelf ;; *-winbond) os=-proelf ;; *-oki) os=-proelf ;; *-hp) os=-hpux ;; *-hitachi) os=-hiux ;; i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent) os=-sysv ;; *-cbm) os=-amigaos ;; *-dg) os=-dgux ;; *-dolphin) os=-sysv3 ;; m68k-ccur) os=-rtu ;; m88k-omron*) os=-luna ;; *-next ) os=-nextstep ;; *-sequent) os=-ptx ;; *-crds) os=-unos ;; *-ns) os=-genix ;; i370-*) os=-mvs ;; *-next) os=-nextstep3 ;; *-gould) os=-sysv ;; *-highlevel) os=-bsd ;; *-encore) os=-bsd ;; *-sgi) os=-irix ;; *-siemens) os=-sysv4 ;; *-masscomp) os=-rtu ;; f301-fujitsu) os=-uxpv ;; *-rom68k) os=-coff ;; *-*bug) os=-coff ;; *-apple) os=-macos ;; *-atari*) os=-mint ;; *) os=-none ;; esac fi # Here we handle the case where we know the os, and the CPU type, but not the # manufacturer. 
We pick the logical manufacturer. vendor=unknown case $basic_machine in *-unknown) case $os in -riscix*) vendor=acorn ;; -sunos*) vendor=sun ;; -aix*) vendor=ibm ;; -beos*) vendor=be ;; -hpux*) vendor=hp ;; -mpeix*) vendor=hp ;; -hiux*) vendor=hitachi ;; -unos*) vendor=crds ;; -dgux*) vendor=dg ;; -luna*) vendor=omron ;; -genix*) vendor=ns ;; -mvs* | -opened*) vendor=ibm ;; -ptx*) vendor=sequent ;; -vxsim* | -vxworks*) vendor=wrs ;; -aux*) vendor=apple ;; -hms*) vendor=hitachi ;; -mpw* | -macos*) vendor=apple ;; -*mint | -*MiNT) vendor=atari ;; esac basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"` ;; esac echo $basic_machine$os From djm at mindrot.org Fri Jan 7 08:41:54 2000 
From: djm at mindrot.org (Damien Miller) Date: Fri, 7 Jan 2000 08:41:54 +1100 (EST) Subject: openssh-1.2.1pre24 on SCO In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 6 Jan 2000, Gary E. Miller wrote: > Yo Damien! > > On Thu, 6 Jan 2000, Damien Miller wrote: > > > I am looking forward to your SCO patches. > > The SCO UnixWare breaks the config.guess and config.sub shell scripts > from the autoconf package. After some discussion on the autoconf > mail list, I was pointed at the newer, CVS tree for autoconf that > cleans up the UnixWare detection mess. They are not released yet > but are being used on many packages like gcc already. > > There are two updated files, config.guess and config.sub. They > are attached. If you wish I could send diffs. Thanks, I will give them a try. > Once I know these are going in I have a diff to your configure > script for the UnixWare port. If only works with blowfish for now. > > Also, as the package is ported to more and more platforms, there will > be a need for porting notes. I would like to add some notes to > my port. I could create a "README.sco", or a section to a generic > "PORTING" doc. Any thought on this? I have been putting note like this in the UPGRADING file. If it gets too large we can break it up by platform. Regards, Damien Miller - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4dQwmormJ9RG1dI8RAo0ZAKCsYZdujHPvZ/q8i07vWbkBc8MD4QCgmgf3 n/wUDHzUilNmlnx6XSTM0cM= =jx74 -----END PGP SIGNATURE----- From shapa at maxnet.ru Fri Jan 7 13:25:33 2000 
From: shapa at maxnet.ru (Max Shaposhnikov) Date: Fri, 7 Jan 2000 05:25:33 +0300 Subject: problems with compiling on SPARC solaris 2.7 Message-ID: <15226.000107@maxnet.ru> ssh won't compile on this platform log: gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c atomicio.c -o atomicio.o In file included from config.h:294, from bsd-misc.h:39, from includes.h:91, from atomicio.c:26: defines.h:74: redefinition of `u_int16_t' defines.h:74: `u_int16_t' previously declared here defines.h:75: redefinition of `u_int32_t' defines.h:75: `u_int32_t' previously declared here defines.h:76: redefinition of `u_int64_t' defines.h:76: `u_int64_t' previously declared here In file included from config.h:294, from bsd-strlcpy.h:4, from includes.h:92, from atomicio.c:26: defines.h:74: redefinition of `u_int16_t' defines.h:74: `u_int16_t' previously declared here defines.h:75: redefinition of `u_int32_t' defines.h:75: `u_int32_t' previously declared here defines.h:76: redefinition of `u_int64_t' defines.h:76: `u_int64_t' previously declared here In file included from config.h:294, from bsd-strlcat.h:4, from includes.h:93, from atomicio.c:26: defines.h:74: redefinition of `u_int16_t' defines.h:74: `u_int16_t' previously declared here defines.h:75: redefinition of `u_int32_t' defines.h:75: `u_int32_t' previously declared here defines.h:76: redefinition of `u_int64_t' defines.h:76: `u_int64_t' previously declared here In file included from config.h:294, from bsd-mktemp.h:4, from includes.h:94, from atomicio.c:26: defines.h:74: redefinition of `u_int16_t' defines.h:74: `u_int16_t' previously declared here defines.h:75: redefinition of `u_int32_t' defines.h:75: `u_int32_t' previously declared here defines.h:76: redefinition of `u_int64_t' defines.h:76: `u_int64_t' previously declared here In file included from config.h:294, from bsd-snprintf.h:4, from 
includes.h:95, from atomicio.c:26: defines.h:74: redefinition of `u_int16_t' defines.h:74: `u_int16_t' previously declared here defines.h:75: redefinition of `u_int32_t' defines.h:75: `u_int32_t' previously declared here defines.h:76: redefinition of `u_int64_t' defines.h:76: `u_int64_t' previously declared here In file included from config.h:294, from bsd-daemon.h:4, from includes.h:96, from atomicio.c:26: defines.h:74: redefinition of `u_int16_t' defines.h:74: `u_int16_t' previously declared here defines.h:75: redefinition of `u_int32_t' defines.h:75: `u_int32_t' previously declared here defines.h:76: redefinition of `u_int64_t' defines.h:76: `u_int64_t' previously declared here In file included from config.h:294, from bsd-login.h:4, from includes.h:97, from atomicio.c:26: defines.h:74: redefinition of `u_int16_t' defines.h:74: `u_int16_t' previously declared here defines.h:75: redefinition of `u_int32_t' defines.h:75: `u_int32_t' previously declared here defines.h:76: redefinition of `u_int64_t' defines.h:76: `u_int64_t' previously declared here In file included from config.h:294, from rsa.h:21, from ssh.h:27, from atomicio.c:30: defines.h:74: redefinition of `u_int16_t' defines.h:74: `u_int16_t' previously declared here defines.h:75: redefinition of `u_int32_t' defines.h:75: `u_int32_t' previously declared here defines.h:76: redefinition of `u_int64_t' defines.h:76: `u_int64_t' previously declared here In file included from config.h:294, from cipher.h:19, from ssh.h:28, from atomicio.c:30: defines.h:74: redefinition of `u_int16_t' defines.h:74: `u_int16_t' previously declared here defines.h:75: redefinition of `u_int32_t' defines.h:75: `u_int32_t' previously declared here defines.h:76: redefinition of `u_int64_t' defines.h:76: `u_int64_t' previously declared here make: *** [atomicio.o] Error 1 Press any key to continue... From karn at ka9q.ampr.org Fri Jan 7 13:32:37 2000 
From: karn at ka9q.ampr.org (root)
Date: Thu, 6 Jan 2000 18:32:37 -0800
Subject: possible clue on tcp forwarding problems
Message-ID: <200001070232.SAA12344@homer.ka9q.ampr.org>

When I encounter the problem with TCP port forwarding locking up, I'll
see this on the client window (if I haven't invoked ssh with -q):

chan_shutdown_read failed for #1/fd6: Transport endpoint is not connected
chan_shutdown_read failed for #1/fd6: Transport endpoint is not connected

This is with Blowfish encryption. I have to kill and restart the client
when this happens.

Phil

From gem at rellim.com Fri Jan 7 13:50:12 2000
From: gem at rellim.com (Gary E. Miller)
Date: Thu, 6 Jan 2000 18:50:12 -0800 (PST)
Subject: problems with compiling on SPARC solaris 2.7
In-Reply-To: <15226.000107@maxnet.ru>
Message-ID:

Yo Max!

SCO UnixWare has the same problem, but it is a warning and not a fatal
error. Looking at defines.h it seems to me that if you set:

#define HAVE_U_INTXX_T 1

in config.h that your problem should go away. I just tried that on
UnixWare and things are much better.

RGDS
GARY

On Fri, 7 Jan 2000, Max Shaposhnikov wrote:

> defines.h:74: redefinition of `u_int16_t'
> defines.h:74: `u_int16_t' previously declared here
> defines.h:75: redefinition of `u_int32_t'
> defines.h:75: `u_int32_t' previously declared here
> defines.h:76: redefinition of `u_int64_t'
> defines.h:76: `u_int64_t' previously declared here

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

From gem at rellim.com Fri Jan 7 13:52:32 2000
From: gem at rellim.com (Gary E. Miller) Date: Thu, 6 Jan 2000 18:52:32 -0800 (PST) Subject: openssh-1.2.1pre24 on SCO In-Reply-To: Message-ID: Yo Damien! A slightly improved patch for UnixWare with fewer compiler warnings. I will dig at the 3DES thing now.... *** configure.old Wed Jan 5 19:02:34 2000 --- configure Thu Jan 6 18:48:21 2000 *************** *** 1254,1259 **** --- 1254,1274 ---- no_libsocket=1 no_libnsl=1 ;; + *-*-sysv*) + # UnixWare with SCO cc + + cat >> confdefs.h <<\EOF + #define CRYPT_H_BREAKS_BUILD 1 + #define HAVE_INNETGR 1 + #define HAVE_U_INTXX_T 1 + EOF + + # -dn links the binary statically with SCO cc + # -dn does not work with -lsocket! + #CFLAGS="$CFLAGS -dn" + LIBS="$LIBS -lgen -lsocket " + + ;; esac echo $ac_n "checking for OpenSSL/SSLeay directory""... $ac_c" 1>&6 RGDS GARY --------------------------------------------------------------------------- Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701 gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676 From djm at mindrot.org Fri Jan 7 13:56:19 2000 
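Review bot: the new `*-*-sysv*)` case in the configure hunk writes `#define HAVE_U_INTXX_T 1` and `#define HAVE_INNETGR 1` straight into confdefs.h, which bypasses the type and function tests configure already runs and applies the hard-coded answers to every sysv host triplet, not only UnixWare with SCO cc; prefer fixing the detection so the existing checks produce the right result, and keep the case body to what is genuinely platform-specific, i.e. `LIBS="$LIBS -lgen -lsocket "` (the trailing space inside the quotes is harmless but looks accidental). The `-dn` / `-lsocket` conflict note is worth keeping as a comment above the case, since it explains why the static-link flag is commented out.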
From: djm at mindrot.org (Damien Miller)
Date: Fri, 7 Jan 2000 13:56:19 +1100 (EST)
Subject: IPv6 support in OpenBSD CVS
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A couple of days ago, Markus Friedl merged IPv6 support into the
OpenBSD CVS tree. This is a welcome addition, but it presents a few
potential problems for the port.

The main problem is the lack of IPv6 support in most Unices. OpenBSD
has it, as do recent versions of NetBSD (presumably), Solaris and Linux,
but others may not.

This could be worked around by liberal use of #ifdefs through the code,
but this is something that I am loath to do. One of my goals has been
to keep the _source_ differences as small as possible between the
OpenBSD source and my own.

For the short term I propose not to merge the IPv6 updates from the
OpenBSD tree, but to continue to pick up other changes.

Comments?

Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4dVXXormJ9RG1dI8RAjb7AKCq3cH3uptW2T3VCzVPBEjbwIMq9ACeN67f
R644l5+zfuU8tPLfLNjMTys=
=CYqP
-----END PGP SIGNATURE-----

From gem at rellim.com Fri Jan 7 14:16:37 2000
From: gem at rellim.com (Gary E. Miller)
Date: Thu, 6 Jan 2000 19:16:37 -0800 (PST)
Subject: IPv6 support in OpenBSD CVS
In-Reply-To:
Message-ID:

Yo Damien!

This has been discussed a lot on linux-ipsec. It seems that if the ipv6
changes are done properly it should be limited to just a few function
calls. Of course one guy's "proper" is another's "kludge".

If it can be handled by putting in the stubs for the ipv6 now then that
seems to me to be the way to go. Once the trees diverge it is always a
bummer to get them back together...

So back to you, how much has changed in the OpenBSD version?

RGDS
GARY

On Fri, 7 Jan 2000, Damien Miller wrote:

> A couple of days ago, Markus Friedl merged IPv6 support into the
> OpenBSD CVS tree. This is a welcome addition, but it presents a few
> potential problems for the port.
[...]
> Comments?

---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

From shapa at maxnet.ru Fri Jan 7 15:42:24 2000
From: shapa at maxnet.ru (Max Shaposhnikov)
Date: Fri, 7 Jan 2000 07:42:24 +0300
Subject: troubles with ssh daemon
Message-ID: <1321.000107@maxnet.ru>

I've successfully compiled openssh on Sparc solaris2.7 (after
#define HAVE_U_INTXX_T 1) and run sshd. When I try to connect to SUN I
have such an error:

"Disconnecting: Corrupted check bytes on input." - from linux (openssh
client) and "decrypting packet: received/computed checksum error" from
WinNT client (Secure CRT)

but ssh localhost (on SUN) works just fine.

I use egd entropy daemon (who can tell me an alternative to this daemon -
I think that perl script is very big - it takes up to 2 mb in memory -
maybe I'm wrong and solaris has something like /dev/urandom?)

From shapa at maxnet.ru Fri Jan 7 15:59:47 2000
From: shapa at maxnet.ru (Max Shaposhnikov)
Date: Fri, 7 Jan 2000 07:59:47 +0300
Subject: sorry...
Message-ID: <16333.000107@maxnet.ru>

sorry - I've solved my problem - just removed lcrypt from the makefile
(10x to Ben Taylor)

From jmknoble at pobox.com Fri Jan 7 17:20:15 2000
From: jmknoble at pobox.com (Jim Knoble)
Date: Fri, 7 Jan 2000 01:20:15 -0500
Subject: IPv6 support in OpenBSD CVS
In-Reply-To: ; from Damien Miller on Fri, Jan 07, 2000 at 01:56:19PM +1100
References:
Message-ID: <20000107012015.A3935@quipu.earth>

On 2000-Jan-07 at 13:56:19 +1100, Damien Miller wrote:

: A couple of days ago, Markus Friedl merged IPv6 support into the
: OpenBSD CVS tree. This is a welcome addition, but it presents a few
: potential problems for the port.
[...]
: This could be worked around by liberal use of #ifdefs through the
: code, but this is something that I am loath to do. One of my goals
: has been to keep the _source_ differences as small as possible between
: the OpenBSD source and my own.

Damien, is this something that could be worked around using wrapper
functions or macro definitions instead? That's the sort of thing i'd
recommend, if it's possible.

--
jim knoble
jmknoble at pobox.com

From djm at mindrot.org Fri Jan 7 17:34:40 2000
From: djm at mindrot.org (Damien Miller)
Date: Fri, 7 Jan 2000 17:34:40 +1100 (EST)
Subject: IPv6 support in OpenBSD CVS
In-Reply-To: <20000107012015.A3935@quipu.earth>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 7 Jan 2000, Jim Knoble wrote:

> : This could be worked around by liberal use of #ifdefs through the
> : code, but this is something that I am loath to do. One of my goals
> : has been to keep the _source_ differences as small as possible between
> : the OpenBSD source and my own.
>
> Damien, is this something that could be worked around using wrapper
> functions or macro definitions instead? That's the sort of thing i'd
> recommend, if it's possible.

Possibly, this is the route I would prefer to take.

Just to be clear - I _do_ want our port of OpenSSH to be IPv6 capable,
just not for the 1.2.1.0 release. I feel that getting this working
cross-platform would take too long. As always, I would be happy to be
proved wrong :)

Another complication is that I don't have IPv6 up yet to perform
testing, this is still a couple of weekends away for me.

Regards,
Damien

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4dYkDormJ9RG1dI8RAkHDAJ9cqm0QHGtw8vQj2Fp54/Ci+ePJZQCgmtNe
cJliqbzcxd2QkuxN9GAUaPA=
=Rap8
-----END PGP SIGNATURE-----

From djm at mindrot.org Fri Jan 7 18:43:39 2000
From: djm at mindrot.org (Damien Miller)
Date: Fri, 7 Jan 2000 18:43:39 +1100 (EST)
Subject: ANNOUNCE: openssh-1.2.1pre25
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

1.2.1pre25 is out. Please use a mirror:

http://violet.ibs.com.au/openssh/files/MIRRORS.html

The following mirrors already have it:

ftp://ftp.localhost.ca/pub/openssh/files/
ftp://thermo.stat.ncsu.edu/pub/openssh/files/
http://www.firedrake.org/openssh/files/

Changes:

- "Corrupted check bytes on input" when using triple DES has been fixed
- Added support for directory based lastlogs. This should make Irix as
  functional as the other platforms.
- Compilation fixes
- Documentation updates
- ssh-agent now properly cleans up after itself.
- Beginnings of SCO support

Open Issues:

- manpages on Solaris and other platforms
- AIX status is unknown
- snprintf for NeXT and older Solaris systems
- Older Linux systems lack the poll() function. Replacement needed.
- Connection stalls over forwarded connections
- Hang on logout. Refer to TODO for details.

Detailed changelog:

20000107
 - New config.sub and config.guess to fix problems on SCO. Supplied by
   Gary E. Miller
 - SCO build fix from Gary E. Miller

20000106
 - Documentation update & cleanup
 - Better KrbIV / AFS detection, based on patch from:
   Holger Trapp

20000105
 - Fixed annoying DES corruption problem. libcrypt has been overriding
   symbols in libcrypto. Removed libcrypt and crypt.h altogether
   (libcrypto includes its own crypt(1) replacement)
 - Added platform-specific rules for Irix 6.x. Included warning that
   they are untested.

20000103
 - Add explicit make rules for files processed by fixpaths.
 - Fix "make install" in RPM spec files. Report from Tenkou N. Hattori
 - Removed "nullok" directive from default PAM configuration files.
   Added information on enabling EmptyPasswords on openssh+PAM in
   UPGRADING file.
 - OpenBSD CVS updates
   - [ssh-agent.c]
     cleanup_exit() for SIGTERM/SIGHUP, too.
     from fgsch@ and dgaudet at arctic.org
   - [sshconnect.c]
     compare correct version for 1.3 compat mode

20000102
 - Prevent multiple inclusion of config.h and defines.h. Suggested by
   Andre Lucas
 - Properly clean up on exit of ssh-agent. Patch from Dean Gaudet

19991231
 - Added support for directory-based lastlogs
 - Really fix typedefs, patch from Ben Taylor

Regards,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4dZkvormJ9RG1dI8RAoTzAJ4nkp65WW8hNO0alIrE8My0Rci0xQCglQ6m
Ls3xdOymKybAU+p795e4XnE=
=RWBk
-----END PGP SIGNATURE-----

From mouring at pconline.com Fri Jan 7 19:06:38 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Fri, 7 Jan 2000 02:06:38 -0600 (CST)
Subject: IPv6 support in OpenBSD CVS
In-Reply-To:
Message-ID:

On Fri, 7 Jan 2000, Damien Miller wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, 7 Jan 2000, Jim Knoble wrote:
>
> > : This could be worked around by liberal use of #ifdefs through the
> > : code, but this is something that I am loath to do. One of my goals
> > : has been to keep the _source_ differences as small as possible between
> > : the OpenBSD source and my own.
> >
> > Damien, is this something that could be worked around using wrapper
> > functions or macro definitions instead? That's the sort of thing i'd
> > recommend, if it's possible.
>
> Possibly, this is the route I would prefer to take.
>
> Just to be clear - I _do_ want our port of OpenSSH to be IPv6 capable,
> just not for the 1.2.1.0 release. I feel that getting this working
> cross-platform would take too long. As always, I would be happy to be
> proved wrong :)
>

About how much of the code put into our version of the OpenSSH port
migrates back into the main CVS source tree? If most of it then at this
point it should be easy to provide a patch set to IPv6 and provide it
out to the list for those who want to attempt the initial port. Even if
it's just locating and building stubs into our current version to
support IPv6 down the road.

From djm at mindrot.org Fri Jan 7 19:13:48 2000
From: djm at mindrot.org (Damien Miller)
Date: Fri, 7 Jan 2000 19:13:48 +1100 (EST)
Subject: IPv6 support in OpenBSD CVS
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 7 Jan 2000, Ben Lindstrom wrote:

> About how much of the code put into our version of the OpenSSH
> port migrates back into the main CVS source tree?

Any changes that are not for the sole purpose of portability I submit
back to the OpenBSD folks. There haven't been many, because I have been
keeping changes in separate files wherever possible. I don't want
something like the forest of #ifdefs that the commercial ssh-1.2.x was.

> If most of it then at this point it should be easy to provide a
> patch set to IPv6 and provide it out to the list for those who want
> to attempt the initial port. Even if it's just locating and building
> stubs into our current version to support IPv6 down the road.

An excellent idea. I can make this available when 1.2.1.0 is released.

If anyone wants to do it before now, all you need to do is a checkout
of the OpenBSD CVS source and a "cvs diff -D 20000103" in the directory.

Regards,
Damien

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4daA/ormJ9RG1dI8RAigEAJ0WhtSFMBRVHJgFqAUVNW530MU/hACgrUBl
PTexna/9RZa94JFIKtN/3m4=
=uU7e
-----END PGP SIGNATURE-----

From jmknoble at pobox.com Fri Jan 7 21:23:19 2000
From: jmknoble at pobox.com (Jim Knoble)
Date: Fri, 7 Jan 2000 05:23:19 -0500
Subject: ANNOUNCE: x11-ssh-askpass v1.0
Message-ID: <20000107052319.O15698@quipu.earth>

x11-ssh-askpass version 1.0 is available.

IMPORTANT: Its location has changed.

OLD Location: http://www.pobox.com/~jmknoble/jmk/
NEW Location: http://www.pobox.com/~jmknoble/software/x11-ssh-askpass/

Changes from 0.99 are slight:

- Now installs as `x11-ssh-askpass', with symlink `ssh-askpass' that
  points there. This allows Damien to use `make ... install' to install
  it instead of hardcoded stuff in his spec file [Damien: hint-hint].

Since Damien has integrated it into his spec files for the OpenSSH RPM
packages, i see no reason to make a separate spec file for
x11-ssh-askpass.

Hence, this is version 1.0. May it not have to change. :)

[Matthieu: I've made a slight change from your fix to the potential
memory leak in dynlist.c. Formerly (with or without the leak),
append_to_buf() would set the buffer to NULL if the realloc() failed,
causing the contents of the buffer to be lost. I've made the behavior
less destructive; the calling application should check the return value
to ensure the realloc() succeeded. All your other actual code changes
should be present in 1.0, except for the Imakefile.]

--
jim knoble
jmknoble at pobox.com

From markus.friedl at informatik.uni-erlangen.de Fri Jan 7 21:13:46 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 7 Jan 2000 11:13:46 +0100
Subject: IPv6 support in OpenBSD CVS
In-Reply-To:
References:
Message-ID: <20000107111346.B21613@folly.informatik.uni-erlangen.de>

On Fri, Jan 07, 2000 at 02:06:38AM -0600, Ben Lindstrom wrote:
> Even if it's just locating
> and building stubs into our current version to support IPv6
> down the road.

my IPv6 changes consist mostly of a replacement of the calls to
gethostbyname/inet_ntoa with the new getaddrinfo/getnameinfo API from
rfc 2553. sockaddr_in is replaced with sockaddr_storage or sockaddr.

there is already a getaddrinfo-emulation for 'older' systems in the
original ipv6-patch from
ftp://ftp.kyoto.wide.ad.jp/pub/security/ssh/IPv6/
look for gai.h getaddrinfo.c getnameinfo.c and the configure changes.

-markus

From markus.friedl at informatik.uni-erlangen.de Fri Jan 7 20:34:08 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 7 Jan 2000 10:34:08 +0100
Subject: possible clue on tcp forwarding problems
In-Reply-To: <200001070232.SAA12344@homer.ka9q.ampr.org>
References: <200001070232.SAA12344@homer.ka9q.ampr.org>
Message-ID: <20000107103408.A21613@folly.informatik.uni-erlangen.de>

thanks, could you please start the client with 'ssh -v' ?

also, it should be possible to get information about the active
channels by entering ~# at the client and exit the client with ~.

this information would be very useful. (include information about
the server software, too)

-markus

On Thu, Jan 06, 2000 at 06:32:37PM -0800, root wrote:
> When I encounter the problem with TCP port forwarding locking up, I'll
> see this on the client window (if I haven't invoked ssh with -q):
>
> chan_shutdown_read failed for #1/fd6: Transport endpoint is not connected
> chan_shutdown_read failed for #1/fd6: Transport endpoint is not connected
>
> This is with Blowfish encryption. I have to kill and restart the client
> when this happens.
>
> Phil

From markus.friedl at informatik.uni-erlangen.de Fri Jan 7 23:35:12 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 7 Jan 2000 13:35:12 +0100
Subject: possible clue on tcp forwarding problems
In-Reply-To: <200001070232.SAA12344@homer.ka9q.ampr.org>
References: <200001070232.SAA12344@homer.ka9q.ampr.org>
Message-ID: <20000107133511.A4665@folly.informatik.uni-erlangen.de>

hi,

this should fix the lockup during tcp-fwding and other channel-related bugs.

-markus

-------------- next part --------------
Index: channels.c
===================================================================
RCS file: /home/markus/cvs/ssh/channels.c,v
retrieving revision 1.36
diff -u -r1.36 channels.c
--- channels.c	2000/01/04 07:52:03	1.36
+++ channels.c	2000/01/07 12:29:22
@@ -533,10 +533,19 @@ for (i = 0; i < channels_alloc; i++) { ch = &channels[i]; + /* We are only interested in channels that can have buffered incoming data. */ - if (ch->type != SSH_CHANNEL_OPEN && - ch->type != SSH_CHANNEL_INPUT_DRAINING) - continue; + if (compat13) { + if (ch->type != SSH_CHANNEL_OPEN && + ch->type != SSH_CHANNEL_INPUT_DRAINING) + continue; + } else { + if (ch->type != SSH_CHANNEL_OPEN) + continue; + if (ch->istate != CHAN_INPUT_OPEN && + ch->istate != CHAN_INPUT_WAIT_DRAIN) + continue; + } /* Get the amount of buffered data for this channel. */ len = buffer_len(&ch->input); @@ -576,25 +585,33 @@ void channel_input_data(int payload_len) { - int channel; + int id; char *data; unsigned int data_len; + Channel *ch; /* Get the channel number and verify it. */ - channel = packet_get_int(); - if (channel < 0 || channel >= channels_alloc || - channels[channel].type == SSH_CHANNEL_FREE) - packet_disconnect("Received data for nonexistent channel %d.", channel); + id = packet_get_int(); + if (id < 0 || id >= channels_alloc) + packet_disconnect("Received data for nonexistent channel %d.", id); + ch = &channels[id]; + if (ch->type == SSH_CHANNEL_FREE) + packet_disconnect("Received data for free channel %d.", ch->self); + /* Ignore any data for non-open channels (might happen on close) */ - if (channels[channel].type != SSH_CHANNEL_OPEN && - channels[channel].type != SSH_CHANNEL_X11_OPEN) + if (ch->type != SSH_CHANNEL_OPEN && + ch->type != SSH_CHANNEL_X11_OPEN) + return; + + /* same for protocol 1.5 if output end is no longer open */ + if (!compat13 && ch->ostate != CHAN_OUTPUT_OPEN) return; /* Get the data. */ data = packet_get_string(&data_len); packet_integrity_check(payload_len, 4 + 4 + data_len, SSH_MSG_CHANNEL_DATA); - buffer_append(&channels[channel].output, data, data_len); + buffer_append(&ch->output, data, data_len); xfree(data); } 
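Review bot: in the channel_input_data hunk, both new early returns (the non-OPEN/X11_OPEN type test and the `!compat13 && ch->ostate != CHAN_OUTPUT_OPEN` test) happen before `packet_get_string(&data_len)` and `packet_integrity_check(...)`, so on those paths the length fields of an SSH_MSG_CHANNEL_DATA packet are never validated against payload_len; consider reading the string and running the integrity check first and only then deciding whether to append to `ch->output`, so a malformed packet aimed at a closing channel is still detected rather than silently dropped. Splitting the old combined check into "nonexistent channel" and "free channel" disconnects is a good change, since the two messages now tell the reader which of the two conditions fired.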
@@ -611,23 +628,11 @@ for (i = 0; i < channels_alloc; i++) { ch = &channels[i]; - switch (ch->type) { - case SSH_CHANNEL_X11_LISTENER: - case SSH_CHANNEL_PORT_LISTENER: - case SSH_CHANNEL_AUTH_SOCKET: - continue; - case SSH_CHANNEL_OPEN: + if (ch->type == SSH_CHANNEL_OPEN) { if (buffer_len(&ch->input) > packet_get_maxsize()) return 0; if (buffer_len(&ch->output) > packet_get_maxsize()) return 0; - continue; - case SSH_CHANNEL_INPUT_DRAINING: - case SSH_CHANNEL_OUTPUT_DRAINING: - case SSH_CHANNEL_X11_OPEN: - case SSH_CHANNEL_FREE: - default: - continue; } } return 1; @@ -854,9 +859,11 @@ case SSH_CHANNEL_X11_OPEN: case SSH_CHANNEL_INPUT_DRAINING: case SSH_CHANNEL_OUTPUT_DRAINING: - snprintf(buf, sizeof buf, " #%d %.300s (t%d r%d i%d o%d)\r\n", - c->self, c->remote_name, - c->type, c->remote_id, c->istate, c->ostate); + snprintf(buf, sizeof buf, " #%d %.300s (t%d r%d i%d/%d o%d/%d)\r\n", + c->self, c->remote_name, + c->type, c->remote_id, + c->istate, buffer_len(&c->input), + c->ostate, buffer_len(&c->output)); buffer_append(&buffer, buf, strlen(buf)); continue; default: Index: nchan.c =================================================================== RCS file: /home/markus/cvs/ssh/nchan.c,v retrieving revision 1.9 diff -u -r1.9 nchan.c --- nchan.c 1999/12/02 20:10:05 1.9 +++ nchan.c 2000/01/07 12:30:37 @@ -41,7 +41,7 @@ static void chan_send_oclose(Channel *c); static void chan_shutdown_write(Channel *c); static void chan_shutdown_read(Channel *c); -static void chan_delele_if_full_closed(Channel *c); +static void chan_delete_if_full_closed(Channel *c); /* * EVENTS update channel input/output states execute ACTIONS 
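Review bot: in the @@ -611 hunk, collapsing the switch into `if (ch->type == SSH_CHANNEL_OPEN)` preserves behaviour (every other case fell through to `continue`), but the enumerated listener and draining cases were also the only documentation of why those channels are skipped; a one-line comment saying that only SSH_CHANNEL_OPEN channels carry buffered data worth limiting would keep that visible. In the @@ -854 hunk the added `i%d/%d o%d/%d` fields (state plus buffered bytes for each direction) are exactly what the `~#` request earlier in the thread needs to diagnose the forwarding stall; the field meaning should be written down next to the escape-character help or in the man page, because a bare run of numbers is hard to interpret for the person reporting a hang.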
@@ -55,19 +55,25 @@ case CHAN_INPUT_WAIT_OCLOSE: debug("channel %d: INPUT_WAIT_OCLOSE -> INPUT_CLOSED [rcvd OCLOSE]", c->self); c->istate = CHAN_INPUT_CLOSED; - chan_delele_if_full_closed(c); break; case CHAN_INPUT_OPEN: debug("channel %d: INPUT_OPEN -> INPUT_CLOSED [rvcd OCLOSE, send IEOF]", c->self); chan_shutdown_read(c); chan_send_ieof(c); c->istate = CHAN_INPUT_CLOSED; - chan_delele_if_full_closed(c); break; + case CHAN_INPUT_WAIT_DRAIN: + /* both local read_failed and remote write_failed */ + log("channel %d: INPUT_WAIT_DRAIN -> INPUT_CLOSED [rvcd OCLOSE, send IEOF]", c->self); + debug("channel %d: INPUT_WAIT_DRAIN -> INPUT_CLOSED [rvcd OCLOSE, send IEOF]", c->self); + chan_send_ieof(c); + c->istate = CHAN_INPUT_CLOSED; + break; default: error("protocol error: chan_rcvd_oclose %d for istate %d", c->self, c->istate); - break; + return; } + chan_delete_if_full_closed(c); } void chan_read_failed(Channel *c) @@ -115,7 +121,7 @@ case CHAN_OUTPUT_WAIT_IEOF: debug("channel %d: OUTPUT_WAIT_IEOF -> OUTPUT_CLOSED [rvcd IEOF]", c->self); c->ostate = CHAN_OUTPUT_CLOSED; - chan_delele_if_full_closed(c); + chan_delete_if_full_closed(c); break; default: error("protocol error: chan_rcvd_ieof %d for ostate %d", c->self, c->ostate); @@ -135,7 +141,7 @@ debug("channel %d: OUTPUT_WAIT_DRAIN -> OUTPUT_CLOSED [write failed]", c->self); chan_send_oclose(c); c->ostate = CHAN_OUTPUT_CLOSED; - chan_delele_if_full_closed(c); + chan_delete_if_full_closed(c); break; default: error("internal error: chan_write_failed %d for ostate %d", c->self, c->ostate); @@ -154,7 +160,7 @@ debug("channel %d: OUTPUT_WAIT_DRAIN -> OUTPUT_CLOSED [obuf empty, send OCLOSE]", c->self); chan_send_oclose(c); c->ostate = CHAN_OUTPUT_CLOSED; - chan_delele_if_full_closed(c); + chan_delete_if_full_closed(c); break; default: error("internal error: chan_obuf_empty %d for ostate %d", c->self, c->ostate); 
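Review bot: in the new CHAN_INPUT_WAIT_DRAIN case of chan_rcvd_oclose the same message is emitted twice, once via log() and once via debug(); the log() call looks like a leftover from tracking the bug down and will reach syslog at normal verbosity on every such transition, so keep only the debug() line. The default case now `return`s instead of `break`ing, which deliberately skips the single chan_delete_if_full_closed(c) call at the end of the function on a protocol error; that is reasonable, but a comment stating it would help, since the @@ -115, @@ -135 and @@ -154 hunks keep their per-case calls while this function moved to one call after the switch.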
@@ -213,14 +219,14 @@ { debug("channel %d: shutdown_read", c->self); if (shutdown(c->sock, SHUT_RD) < 0) - error("chan_shutdown_read failed for #%d/fd%d: %.100s", - c->self, c->sock, strerror(errno)); + error("chan_shutdown_read failed for #%d/fd%d [i%d o%d]: %.100s", + c->self, c->sock, c->istate, c->ostate, strerror(errno)); } static void -chan_delele_if_full_closed(Channel *c) +chan_delete_if_full_closed(Channel *c) { if (c->istate == CHAN_INPUT_CLOSED && c->ostate == CHAN_OUTPUT_CLOSED) { - debug("channel %d: closing", c->self); + debug("channel %d: full closed", c->self); channel_free(c->self); } } From bent at clark.net Sat Jan 8 00:48:23 2000 From: bent at clark.net (Ben Taylor) Date: Fri, 7 Jan 2000 08:48:23 -0500 (EST) Subject: Testing openssh-1.2.1pre25 In-Reply-To: Message-ID: Since I have been involved with the OpenSSH project, I've seen references to really cool things that people are using OpenSSH for. However, my limitation comes from lack of experience with ssh type projects/products, and my testing tends to be pretty minimal. What do you think about starting a suite of testing methods for OpenSSH? I figure there are some pretty cool things being done out there, and those of us who have resources could further stress-test the code with good examples of testing methods. I would like to volunteer to accept testing methods from other OpenSSH folks who really stress out the protocol and systems. What I'm looking for is a complete but short description of how to set up the "test", along with any shell code, or other fragments of code needed to make the test work for us ssh dummies. Once I have it standardized with documentation and code, I'll forward it to Damien for inclusion in the tree. Ben From harvell at aol.net Sat Jan 8 01:38:25 2000 
From: harvell at aol.net (Brian Harvell) Date: Fri, 7 Jan 2000 09:38:25 -0500 (EST) Subject: problems with compiling on SPARC solaris 2.7 In-Reply-To: <15226.000107@maxnet.ru> Message-ID: On Fri, 7 Jan 2000, Max Shaposhnikov wrote: > ssh won't compile on this platform > log: > gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" > -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c atomicio.c -o atomicio.o > In file included from config.h:294, > from bsd-misc.h:39, > from includes.h:91, > from atomicio.c:26: > defines.h:74: redefinition of `u_int16_t' > defines.h:74: `u_int16_t' previously declared here > defines.h:75: redefinition of `u_int32_t' > defines.h:75: `u_int32_t' previously declared here > defines.h:76: redefinition of `u_int64_t' > defines.h:76: `u_int64_t' previously declared here apply the following patch to your defines.h *** defines.h Tue Jan 4 14:23:15 2000 --- defines.h.orig Tue Jan 4 14:22:50 2000 *************** *** 71,77 **** /* If sys/types.h does not supply u_intXX_t, supply them ourselves */ #ifndef HAVE_U_INTXX_T # ifdef HAVE_UINTXX_T - #define HAVE_U_INTXX_T typedef uint16_t u_int16_t; typedef uint32_t u_int32_t; typedef uint64_t u_int64_t; --- 71,76 ---- Since it's included in multiple files it keeps getting redefined. (there is probably a more elegant way of doing this but I didn't look for it) Brian Brian Harvell harvell at aol.net http://ToolBoy.com/ echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc From andre.lucas at dial.pipex.com Sat Jan 8 01:41:35 2000 
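Review bot: the context diff in the defines.h patch lists `defines.h` as the old file and `defines.h.orig` as the new one, so the `- #define HAVE_U_INTXX_T` line is actually the line being added; anyone applying it as shown needs `patch -R`, or the two `***`/`---` headers should be swapped. The define itself only stops a second typedef pass inside the `HAVE_UINTXX_T` branch; the underlying cause visible in the quoted build log is defines.h being pulled in once per bsd-*.h header via config.h:294, which is better addressed by guarding defines.h/config.h against multiple inclusion, the approach the 20000102 changelog entry for pre25 describes.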
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Fri, 07 Jan 2000 14:41:35 +0000
Subject: Testing openssh-1.2.1pre25
References:
Message-ID: <3875FB1F.3A213C66@dial.pipex.com>

Are you looking to use a test framework such as DejaGNU for this? If you
haven't decided already, this might be a good choice given the
interactive nature of OpenSSH.

But then, I'm only going on what I think it can do for you since I've
never actually used it myself. If Cygnus can test GDB on cross targets
with it, we should be OK ;-)

-Andre

Ben Taylor wrote:
>
> Since I have been involved with the OpenSSH project, I've seen references
> to really cool things that people are using OpenSSH for. However, my
> limitation comes from lack of experience with ssh type projects/products,
> and my testing tends to be pretty minimal.
>
> What do you think about starting a suite of testing methods for OpenSSH?
> I figure there are some pretty cool things being done out there, and those
> of us who have resources could further stress-test the code with good
> examples of testing methods.
>
> I would like to volunteer to accept testing methods from other OpenSSH
> folks who really stress out the protocol and systems. What I'm looking for
> is a complete but short description of how to set up the "test", along
> with any shell code, or other fragments of code needed to make the test
> work for us ssh dummies. Once I have it standardized with documentation
> and code, I'll forward it to Damien for inclusion in the tree.
>
> Ben

From bent at clark.net Sat Jan 8 01:49:02 2000
From: bent at clark.net (Ben Taylor)
Date: Fri, 7 Jan 2000 09:49:02 -0500 (EST)
Subject: Testing openssh-1.2.1pre25
In-Reply-To: <3875FB1F.3A213C66@dial.pipex.com>
Message-ID:

On Fri, 7 Jan 2000, Andre Lucas wrote:

> Are you looking to use a test framework such as DejaGNU for this? If you
> haven't decided already, this might be a good choice given the
> interactive nature of OpenSSH.

I suppose I could do something like that. Though I'll have to pull it
down and start playing with that. Initially, I was just looking for
boilerplate scripts and descriptions so that more thorough testing can
occur, especially by those of us less familiar with ssh type tools.

> But then, I'm only going on what I think it can do for you since I've
> never actually used it myself. If Cygnus can test GDB on cross targets
> with it, we should be OK ;-)

Damn, GDB with cross targets? I would figure so. Anyone really familiar
with Deja Gnu?

Ben

>
> -Andre
>
> Ben Taylor wrote:
> >
> > Since I have been involved with the OpenSSH project, I've seen references
> > to really cool things that people are using OpenSSH for. However, my
> > limitation comes from lack of experience with ssh type projects/products,
> > and my testing tends to be pretty minimal.
> >
> > What do you think about starting a suite of testing methods for OpenSSH?
> > I figure there are some pretty cool things being done out there, and those
> > of us who have resources could further stress-test the code with good
> > examples of testing methods.
> >
> > I would like to volunteer to accept testing methods from other OpenSSH
> > folks who really stress out the protocol and systems. What I'm looking for
> > is a complete but short description of how to set up the "test", along
> > with any shell code, or other fragments of code needed to make the test
> > work for us ssh dummies. Once I have it standardized with documentation
> > and code, I'll forward it to Damien for inclusion in the tree.
> >
> > Ben
>

From djm at mindrot.org Sat Jan 8 02:02:38 2000
From: djm at mindrot.org (Damien Miller) Date: Sat, 8 Jan 2000 02:02:38 +1100 (EST) Subject: Testing openssh-1.2.1pre25 In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, 7 Jan 2000, Ben Taylor wrote: > > Since I have been involved with the OpenSSH project, I've seen > references to really cool things that people are using OpenSSH for. > However, my limitation comes from lack of experience with ssh type > projects/products, and my testing tends to be pretty minimal. > > What do you think about starting a suite of testing methods for > OpenSSH? I figure there are some pretty cool things being done out > there, and those of us who have resources could further stress-test > the code with good examples of testing methods. Before a do a release I do some basic tests: Basic connectivity RSA authentication Password authentication If I have time, or have touched a lot of the code I do one or more of the following: Connect OpenSSH -> commercial SSH Connect Commerical SSH -> OpenSSH ssh-keygen ssh-agent while [ 1 ] ; do ssh djm at localhost /bin/true || echo FAIL ; done scp a couple of large files around & do md5sums on the results Notably absent is testing of the port-forwarding. > I would like to volunteer to accept testing methods from other > OpenSSH folks who really stress out the protocol and systems. What > I'm looking for is a complete but short description of how to set up > the "test", along with any shell code, or other fragments of code > needed to make the test work for us ssh dummies. Once I have it > standardized with documentation and code, I'll forward it to Damien > for inclusion in the tree. A testing framework would be wonderful, perhaps a test subdirectory and multiple tests implemented as makefile rules and/or shell scripts. 
I will assist wherever possible; this promises to make my life much
easier :)

Regards,
Damien

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From john at waw.be Sat Jan 8 03:23:57 2000
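The pre-release checks Damien lists above (a repeated connect-and-run loop, and copying files around and comparing checksums), scripted as one small harness. This is an added example, not code from the thread or from OpenSSH; the HOST, SSH, SCP and ITER knobs are assumptions, and overriding SSH/SCP (e.g. SSH=true, SCP=cp) lets the same functions be dry-run on a single machine.

```shell
#!/bin/sh
# Added example: a minimal regression harness for an sshd under test.
# Assumed knobs (not part of OpenSSH): HOST is the server, SSH/SCP are the
# client commands (override to dry-run locally), ITER is the loop count.
SSH=${SSH:-ssh}
SCP=${SCP:-scp}
HOST=${HOST:-localhost}
ITER=${ITER:-20}

# Run a trivial remote command ITER times, like the "while [ 1 ]" loop in
# the message above, but bounded. Prints the number of failed connections.
connect_loop() {
    fails=0
    i=0
    while [ "$i" -lt "$ITER" ]; do
        "$SSH" "$HOST" /bin/true || fails=$((fails + 1))
        i=$((i + 1))
    done
    echo "$fails"
}

# Copy $1 to $2 (a remote spec such as host:/tmp, or a local directory when
# SCP=cp) and back again, then compare the checksums of the original and the
# round-tripped copy. cksum is POSIX, so it is used instead of md5sum.
# Returns 0 when the checksums match, 1 on a transfer error or mismatch.
roundtrip_check() {
    src=$1
    dest=$2
    base=$(basename "$src")
    back=$(mktemp) || return 1
    "$SCP" "$src" "$dest/$base.rt" || { rm -f "$back"; return 1; }
    "$SCP" "$dest/$base.rt" "$back" || { rm -f "$back"; return 1; }
    # Reading from stdin makes cksum print only "crc size", no file name.
    sum_src=$(cksum < "$src")
    sum_back=$(cksum < "$back")
    rm -f "$back"
    [ "$sum_src" = "$sum_back" ]
}

# Stand-alone run (HARNESS_RUN=1 ./harness.sh [file-to-roundtrip]):
# report loop failures and whether a file survives a round trip intact.
if [ "${HARNESS_RUN:-0}" = 1 ]; then
    f=${1:-/bin/sh}
    n=$(connect_loop)
    echo "connect_loop: $n failures in $ITER attempts"
    if roundtrip_check "$f" "$HOST:/tmp"; then
        echo "roundtrip_check: checksums match"
    else
        echo "roundtrip_check: FAIL"
    fi
fi
```

With real ssh/scp against a test host, any non-zero failure count or checksum mismatch is a regression worth a report to the list.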
From: john at waw.be (John Seifarth)
Date: Fri, 7 Jan 2000 17:23:57 +0100
Subject: Slackware 4.0: wtmp and pty.c problems
Message-ID:

Hello all,

I use a Slackware 4.0 based system (libc5 based, with glibc2.07 runtime
support).

I've configured OpenSSH using:

	./configure --sysconfdir=/etc/ssh --without-pam --with-default-path=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin

NOTE: yes, --with-default-path DOES work, since pre24 (pre22 did not).

When I try to compile OpenSSH-1.2.1pre25 (or pre24 or pre22), I get the
following error messages:

	gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c pty.c -o pty.o
	pty.c: In function `pty_allocate':
	pty.c:100: warning: implicit declaration of function `grantpt'
	pty.c:104: warning: implicit declaration of function `unlockpt'
	pty.c:108: warning: implicit declaration of function `ptsname'
	pty.c:108: warning: assignment makes pointer from integer without a cast
	pty.c:122: `I_PUSH' undeclared (first use this function)
	pty.c:122: (Each undeclared identifier is reported only once
	pty.c:122: for each function it appears in.)
	make: *** [pty.o] Error 1

If I then edit pty.c and add a line after the test, unconditionally
undefining HAVE_DEV_PTMX like this:

	/* Pty allocated with _getpty gets broken if we do I_PUSH:es to it. */
	#if defined(HAVE__GETPTY) || defined(HAVE_OPENPTY)
	#undef HAVE_DEV_PTMX
	#endif

	#undef HAVE_DEV_PTMX

then everything compiles, installs and functions ALMOST normally.

However, /var/log/wtmp is NOT updated.

Login messages appear in syslog quite normally, /var/run/utmp appears to
be updated properly, but /var/log/wtmp is not updated on login/logout
using OpenSSH.

I also note that, on the same setup, /var/log/wtmp IS updated correctly
when using commercial SSH (version 1.2.26).

Any suggestions how I should investigate this problem further?
My C skills are basically limited to messing with Makefiles and sundry to
get programs to compile, and I'm NOT competent to plunge into the code
and post a diff to the list.

Also, I note that ssh -V always returns

	SSH Version OpenSSH-1.2.1, protocol version 1.5

Not that this is a real problem, but it makes it difficult to see what
preXX version I'm actually running. Would adding this to the version
output cause problems elsewhere?

Thanks for any and all pointers!

John
__________________________________________________________________
John Seifarth                             http://www.waw.be/waw/
Words & Wires SPRL                        john at waw.be
Computer Consulting & Language Services   Voice: (+) 32-2-660-3943
1160 Brussels, Belgium                    Fax:   (+) 32-2-675-3922

From karn at ka9q.ampr.org Sat Jan 8 05:21:23 2000
From: karn at ka9q.ampr.org (Phil Karn)
Date: Fri, 7 Jan 2000 10:21:23 -0800
Subject: possible clue on tcp forwarding problems
In-Reply-To: <20000107133511.A4665@folly.informatik.uni-erlangen.de> (message from Markus Friedl on Fri, 7 Jan 2000 13:35:12 +0100)
References: <200001070232.SAA12344@homer.ka9q.ampr.org> <20000107133511.A4665@folly.informatik.uni-erlangen.de>
Message-ID: <200001071821.KAA19680@homer.ka9q.ampr.org>

Thanks, I applied your patches to the just-released pre25 and I'm running
it now on both ends of the path I use for websurfing, so that should give
it a good workout.

Phil

From karn at ka9q.ampr.org Sat Jan 8 05:28:20 2000
From: karn at ka9q.ampr.org (Phil Karn)
Date: Fri, 7 Jan 2000 10:28:20 -0800
Subject: Testing openssh-1.2.1pre25
In-Reply-To: (message from Ben Taylor on Fri, 7 Jan 2000 08:48:23 -0500 (EST))
References:
Message-ID: <200001071828.KAA19704@homer.ka9q.ampr.org>

>I would like to volunteer to accept testing methods from other OpenSSH
>folks who really stress out the protocol and systems. What I'm looking for

Okay, here's how I exercise the TCP port-forwarding scheme by websurfing
over it. Assume you have shell access to a system running sshd and Squid
or some other proxy web cache. Call this machine "squid". Locally execute
the following command in its own window:

	ssh -L3128:127.0.0.1:3128 squid

Now configure your web browser to use a proxy with address 127.0.0.1,
port 3128, and surf away.

There used to be an option in Netscape to control the max number of
simultaneous TCP connections that it will open, but I can't find it in
the Linux flavor of Communicator 4.7. Anybody know if it's still there
somewhere? Setting this to a large number would really exercise ssh port
forwarding.

Phil

From gem at rellim.com Sat Jan 8 06:42:04 2000
From: gem at rellim.com (Gary E. Miller)
Date: Fri, 7 Jan 2000 11:42:04 -0800 (PST)
Subject: ANNOUNCE: openssh-1.2.1pre25
In-Reply-To:
Message-ID:

Yo Damien!

It works much better now. I can confirm the "corrupted bytes" thing is
fixed on SCO.

Somehow part of my SCO patch did not make it in. The following is
required to make UnixWare 7.1 work in configure:

	*-*-sysv*)
		LIBS="$LIBS -lgen -lsocket"

		cat >> confdefs.h <<\EOF
	#define CRYPT_H_BREAKS_BUILD 1
	#define HAVE_INNETGR 1
	#define HAVE_U_INTXX_T 1
	EOF

The "cat" part disappeared. Did you try to fix the tests for those
defines instead of just forcing the conditions as I proposed? If so,
maybe we can work together on getting the tests fixed?

RGDS
GARY

On Fri, 7 Jan 2000, Damien Miller wrote:

> 1.2.1pre25 is out. Please use a mirror:

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
	gem at rellim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676

From andre.lucas at dial.pipex.com Sat Jan 8 07:45:28 2000
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Fri, 7 Jan 2000 20:45:28 +0000
Subject: login code in a separate library?
Message-ID: <20000107204528.C884@internal.domain>

Following on from an earlier discussion about login recording, I was
toying with the idea of breaking out the login code into a separate
library (in a subdirectory of the OpenSSH source tree) with its own
configure script.

I think this would serve three purposes: First, it would in the long run
remove a lot of things from OpenSSH's configure script that, save for the
login code, needn't be there; second, it would more readily allow parallel
development so that people don't try OpenSSH-1.3pre1 (or 2.0pre1, or
whatever) and suddenly lose all their utmp etc. Third, it ties in with
what Damien was saying before about this being a way of approaching this
problem in other projects. I think it may make some people happy to have
an autoconf/automake login library ready to plug in.

I'm able to test on only four platforms, but the idea - David Rankin was
right to make this point - is to have enough generality to detect new
platforms on its own. I think that the best way to get this right is to
separate the admin function of recording a login from SSH's security
functionality.

I'm hoping to get this ready for inclusion in the next round of test
releases (i.e. after 1.2.1).

Ta,
-Andre

--
Andre Lucas
http://dspace.dial.pipex.com/andre.lucas/

From djm at mindrot.org Sat Jan 8 09:32:24 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 8 Jan 2000 09:32:24 +1100 (EST)
Subject: ANNOUNCE: openssh-1.2.1pre25
In-Reply-To:
Message-ID:

On Fri, 7 Jan 2000, Gary E. Miller wrote:

> Yo Damien!
>
> It works much better now. I can confirm the "corrupted bytes" thing
> is fixed on SCO.
>
> Somehow part of my SCO patch did not make it in. The following is
> required to make UnixWare 7.1 work in configure:
>
> 	*-*-sysv*)
> 		LIBS="$LIBS -lgen -lsocket"
>
> 		cat >> confdefs.h <<\EOF
> 	#define CRYPT_H_BREAKS_BUILD 1
> 	#define HAVE_INNETGR 1
> 	#define HAVE_U_INTXX_T 1
> 	EOF
>
> The "cat" part disappeared. Did you try to fix the tests for those
> defines instead of just forcing the conditions as I proposed? If so
> maybe we can work together on getting the tests fixed?

I would rather fix the tests so that these are auto-detected.

The CRYPT_H_BREAKS_BUILD isn't there any more.

Do you need to include any special libraries for the innetgr() function?

Why did you need to define HAVE_U_INTXX_T again?

Regards,
Damien

From djm at mindrot.org Sat Jan 8 09:44:12 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 8 Jan 2000 09:44:12 +1100 (EST)
Subject: Slackware 4.0: wtmp and pty.c problems
In-Reply-To:
Message-ID:

On Fri, 7 Jan 2000, John Seifarth wrote:

> Hello all,
>
> I use a Slackware 4.0 based system (libc5 based, with glibc2.07 runtime
> support).
>
> I've configured OpenSSH using:
> 	./configure --sysconfdir=/etc/ssh --without-pam
> 	--with-default-path=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
>
> NOTE: yes, --with-default-path DOES work, since pre24 (pre22 did not).
>
> When I try to compile OpenSSH-1.2.1pre25 (or pre24 or pre22), I get the
> following error messages:
> [error message snipped]

> If I then edit pty.c and add a line after the test, unconditionally
> undefining HAVE_DEV_PTMX like this:

It looks like you are running a 2.2.x kernel, or at least have the Unix98
pty device nodes, but are lacking the openpty() function in your libc.

> 	/* Pty allocated with _getpty gets broken if we do I_PUSH:es to it. */
> 	#if defined(HAVE__GETPTY) || defined(HAVE_OPENPTY)
> 	#undef HAVE_DEV_PTMX
> 	#endif
>
> 	#undef HAVE_DEV_PTMX
>
> Then everything compiles, installs and functions ALMOST normally.
>
> However, /var/log/wtmp is NOT updated.
>
> Login messages appear in syslog quite normally, /var/run/utmp
> appears to be updated properly, but /var/log/wtmp is not updated on
> login/logout using OpenSSH.
>
> I also note that, on the same setup, /var/log/wtmp IS updated correctly
> when using commercial SSH (version 1.2.26).
>
> Any suggestions how I should investigate this problem further? My C
> skills are basically limited to messing with Makefiles and sundry to
> get programs to compile, and I'm NOT competent to plunge into the
> code and post a diff to the list.

Could you send me a copy of the output of ./configure and the config.h
file it generates?
> Also, I note that ssh -V always returns
> 	SSH Version OpenSSH-1.2.1, protocol version 1.5
>
> Not that this is a real problem, but it makes it difficult to see
> what preXX version I'm actually running. Would adding this to the
> version output cause problems elsewhere?

I will consider this.

Regards,
Damien Miller

From djm at mindrot.org Sat Jan 8 09:45:17 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 8 Jan 2000 09:45:17 +1100 (EST)
Subject: possible clue on tcp forwarding problems
In-Reply-To: <200001071821.KAA19680@homer.ka9q.ampr.org>
Message-ID:

On Fri, 7 Jan 2000, Phil Karn wrote:

> Thanks, I applied your patches to the just-released pre25 and I'm
> running it now on both ends of the path I use for websurfing, so
> that should give it a good workout.

The patch which fixed the channels problem did not make it into pre25.
You may want to apply it manually.

Regards,
Damien Miller

From gem at rellim.com Sat Jan 8 09:55:08 2000
From: gem at rellim.com (Gary E. Miller)
Date: Fri, 7 Jan 2000 14:55:08 -0800 (PST)
Subject: ANNOUNCE: openssh-1.2.1pre25
In-Reply-To:
Message-ID:

Yo Damien!

On Sat, 8 Jan 2000, Damien Miller wrote:

> I would rather fix the tests so that these are auto-detected.

If you are up for it, then I am.

> The CRYPT_H_BREAKS_BUILD isn't there any more.

Confirmed. SCO works OK without it.

> Do you need to include any special libraries for the innetgr()
> function?

Just -lsocket

BTW, getspnam() is what requires -lgen

> Why did you need to define HAVE_U_INTXX_T again?

Otherwise I get this warning message a whole lot:

	UX:acomp: WARNING: "./defines.h", line 77: typedef redeclared: u_int16_t
	UX:acomp: WARNING: "./defines.h", line 78: typedef redeclared: u_int32_t

I hate warning messages because the bugs are usually hiding among them
somewhere...

The u_intXX_t is in /usr/include/sys/bitypes.h.

bitypes.h is pulled in directly by:
	netdb.h
	resolv.h
	arpa/inet.h
	arpa/nameser.h
	net/if_dl.h
	netinet/if_ether.h
	netinet/in.h
	netinet/in6.h
	netinet/in6_f.h
	sys/bitypes.h
	sys/convsa.h
	sys/socket.h
	sys/un.h

And sys/socket.h is always called by defines.h

So, for at least the SCO case, if you included sys/socket.h in your test
for u_int16_t that should work. Other traffic on this list has mentioned
that this is a fatal error on Solaris.

RGDS
GARY

From djm at mindrot.org Sat Jan 8 10:04:15 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 8 Jan 2000 10:04:15 +1100 (EST)
Subject: ANNOUNCE: openssh-1.2.1pre25
In-Reply-To:
Message-ID:

On Fri, 7 Jan 2000, Gary E. Miller wrote:

> Yo Damien!
>
> On Sat, 8 Jan 2000, Damien Miller wrote:
>
> > I would rather fix the tests so that these are auto-detected.
> If you are up for it, then I am.
>
> > The CRYPT_H_BREAKS_BUILD isn't there any more.
> Confirmed. SCO works OK without it.
>
> > Do you need to include any special libraries for the innetgr()
> > function?
> Just -lsocket
>
> BTW, getspnam() is what requires -lgen

Are they detected OK now?

> > Why did you need to define HAVE_U_INTXX_T again?
>
> Otherwise I get this warning message a whole lot:
> 	UX:acomp: WARNING: "./defines.h", line 77: typedef redeclared: u_int16_t
> 	UX:acomp: WARNING: "./defines.h", line 78: typedef redeclared: u_int32_t
>
> I hate warning messages because the bugs are usually hiding among them
> somewhere...
>
> The u_intXX_t is in /usr/include/sys/bitypes.h.
>
> bitypes.h is pulled in directly by:
> 	netdb.h
> 	resolv.h
> 	arpa/inet.h
> 	arpa/nameser.h
> 	net/if_dl.h
> 	netinet/if_ether.h
> 	netinet/in.h
> 	netinet/in6.h
> 	netinet/in6_f.h
> 	sys/bitypes.h
> 	sys/convsa.h
> 	sys/socket.h
> 	sys/un.h

... but not sys/types.h? That seems broken.

> And sys/socket.h is always called by defines.h
>
> So, for at least the SCO case, if you included sys/socket.h in your
> test for u_int16_t that should work.

I now detect and include u_intXX_t declarations in sys/bitypes.h.
Regards,
Damien Miller

From gem at rellim.com Sat Jan 8 10:38:24 2000
From: gem at rellim.com (Gary E. Miller)
Date: Fri, 7 Jan 2000 15:38:24 -0800 (PST)
Subject: ANNOUNCE: openssh-1.2.1pre25
In-Reply-To:
Message-ID:

Yo Damien!

On Sat, 8 Jan 2000, Damien Miller wrote:

> > > Do you need to include any special libraries for the innetgr()
> > > function?
> > Just -lsocket
> >
> > BTW, getspnam() is what requires -lgen
>
> Are they detected OK now?

-lsocket is detected OK. -lgen is added by the previous patch.

> > The u_intXX_t is in /usr/include/sys/bitypes.h.
[...]
> ... but not sys/types.h? That seems broken.

hehehe, It is SCO, what can I say?

> I now detect and include u_intXX_t declarations in sys/bitypes.h.

Great! I look forward to pre26!

RGDS
GARY

From andre.lucas at dial.pipex.com Sat Jan 8 12:21:59 2000
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Sat, 8 Jan 2000 01:21:59 +0000
Subject: Man pages on HPUX (and others?)
Message-ID: <20000108012158.F884@internal.domain>

HPUX doesn't seem to ship with a set of troff macros that can handle the
OpenSSH manpages. Maybe other OSs have this problem?

Rather than sodding about with the tmac/ directory, I think we should do
one of two things:

1. Ship a set of preformatted manpages, and either auto-install them in
   $prefix/man/cat{1,1m} or just have instructions in INSTALL to do so
2. Recommend users install groff ;-)

Neither is great, but as things stand right now HP users get garbage for
manpages. It's not too much effort to provide them with pages preprocessed
by a decent troff implementation, so I think we should do so.

Opinions?

-Andre

--
Andre Lucas
http://dspace.dial.pipex.com/andre.lucas/

From gem at rellim.com Sat Jan 8 12:31:31 2000
From: gem at rellim.com (Gary E. Miller)
Date: Fri, 7 Jan 2000 17:31:31 -0800 (PST)
Subject: Man pages on HPUX (and others?)
In-Reply-To: <20000108012158.F884@internal.domain>
Message-ID:

Yo Andre!

Now that you mention it, the man pages are broken on SCO too...

On Sat, 8 Jan 2000, Andre Lucas wrote:

> HPUX doesn't seem to ship with a set of troff macros that can handle the
> OpenSSH manpages. Maybe other OSs have this problem?

RGDS
GARY

From Kurt at OpenLDAP.org Tue Jan 11 03:40:59 2000
From: Kurt at OpenLDAP.org (Kurt D. Zeilenga)
Date: Mon, 10 Jan 2000 08:40:59 -0800
Subject: OpenSSH and Heimdal KRB5
In-Reply-To: <5l7lhjpmhf.fsf@assaris.sics.se>
Message-ID: <3.0.5.32.20000110084059.00975690@localhost>

Does anyone have patches to allow OpenSSH to use Heimdal Kerberos? I
suspect the patches against SSH 1.2 could likely be easily adapted for
use with OpenSSH. Has anyone already done this? I'm willing to test and
may, if time permits, even do the port of the above patches.

Kurt

From enigma at nmt.edu Tue Jan 11 06:30:14 2000
From: enigma at nmt.edu (SysProg - Nathan Paul Simons)
Date: Mon, 10 Jan 2000 12:30:14 -0700 (MST)
Subject: ./configure --program-suffix doesn't work
Message-ID:

Just recently we installed ssh2 here to avoid problems in ssh-1.2.27. To
keep backwards compatibility we installed openssh-1.2.1pre24.
Unfortunately, the --program-suffix option for the configure script
doesn't seem to work. In particular, I was trying to do

	./configure --prefix=/usr/local --program-suffix=1

The programs did not compile with a "1" on the end of their names, and
don't work when renamed (mainly, ssh when called as ssh1 says "Bad host
name: ssh1").

Systems Programmer - Nathan Paul Simons
http://www.nmt.edu/~enigma
Speare 20 x5748

From anders at fix.no Tue Jan 11 22:50:53 2000
From: anders at fix.no (Anders Nordby)
Date: Tue, 11 Jan 2000 12:50:53 +0100
Subject: OpenSSH 1.2.1pre25 on Solaris 7
Message-ID: <20000111125053.A85960@totem.fix.no>

Hi there,

I just wanted to say that OpenSSH now seems to work fine on Solaris (7)!
Great work, guys!

Anyway, you need to put some XAUTH_PATH stuff in Makefile.in so that the
right xauth is found. In Solaris 2.x it is located in /usr/openwin/bin
and not in /usr/X11R6/bin. The following patch fixes this in
openssh-1.2.1pre25:

root at trondheim:/div/openssh-1.2.1pre25# diff -c Makefile.in.old Makefile.in
*** Makefile.in.old	Tue Jan 11 12:13:24 2000
--- Makefile.in	Tue Jan 11 12:13:42 2000
***************
*** 10,15 ****
--- 10,16 ----
  top_srcdir = @top_srcdir@
  VPATH=@srcdir@
+ XAUTH_PATH=@xauth_path@
  SSH_PROGRAM=@bindir@/ssh
  ASKPASS_LOCATION=@libexecdir@/ssh
  ASKPASS_PROGRAM=$(ASKPASS_LOCATION)/ssh-askpass

I do not read this list, so please send any comments directly.

Cheers.

--
Anders Nordby ^ anders at fix.no ^ http://anders.fix.no/

From noel at koethe.net Wed Jan 12 02:41:16 2000
From: noel at koethe.net (Noel Koethe)
Date: Tue, 11 Jan 2000 16:41:16 +0100 (CET)
Subject: openssh 1.2.1. pre25 and X11 forward
Message-ID:

Hello,

I moved my ssh servers to openssh and installed openssh-1.2.1pre25 via
.rpm.

My problem is that X11 forwarding doesn't work.

- /etc/ssh/sshd_config
	X11Forwarding yes
	X11DisplayOffset 10

I start sshd with the default port and can connect to the server, and
then:

	$ xosview
	X11 connection rejected because of wrong authentication.
	X connection to servername.de:10.0 broken (explicit kill or server shutdown).

Sorry, but there is no hint or FAQ for that problem on www.openssh.org.

Thanks for help.

--
Have a nice day
Noel Köthe

From Nigel.Metheringham at VData.co.uk Wed Jan 12 02:49:11 2000
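Review bot: in Anders Nordby's Makefile.in hunk above, the added line "XAUTH_PATH=@xauth_path@" is the only change, and nothing in the visible diff substitutes @xauth_path@ (no matching configure.in test and AC_SUBST) or passes the value to the build (for example a -DXAUTH_PATH=\"$(XAUTH_PATH)\" in the compile flags alongside the existing -DSSH_PROGRAM style defines), so on its own the variable holds the literal string @xauth_path@ and is never used; the configure side that locates /usr/openwin/bin/xauth versus /usr/X11R6/bin/xauth, and whatever consumes the value, should be part of the same patch.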
From: Nigel.Metheringham at VData.co.uk (Nigel Metheringham)
Date: Tue, 11 Jan 2000 15:49:11 +0000
Subject: openssh 1.2.1. pre25 and X11 forward
In-Reply-To: Message from Noel Koethe of "Tue, 11 Jan 2000 16:41:16 +0100."
Message-ID:

noel at koethe.net said:
> My problem is that X11 forwarding doesn't work.

On the remote machine (through the ssh connection), check the value of
the DISPLAY environment variable, and also the IP address that the name
in that variable maps to (through /etc/hosts or DNS).

If the name resolves to 127.0.0.1 then the X server seems to put the data
through a local unix socket rather than an inet socket - which also
appears to need different authentication.

The workaround is to make sure that the DISPLAY name maps to a
non-loopback IP address, or even 127.0.0.2.

	Nigel.

--
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham                  Nigel.Metheringham at VData.co.uk ]
[ Phone: +44 1423 850000                         Fax +44 1423 858866 ]

From a.d.stribblehill at durham.ac.uk Wed Jan 12 04:35:52 2000
From: a.d.stribblehill at durham.ac.uk (Andrew Stribblehill)
Date: Tue, 11 Jan 2000 17:35:52 +0000
Subject: PID file
Message-ID: <20000111173552.G1249@itspc142.dur.ac.uk>

Where is the best place for me to change the PID file location? I _could_
change it in ssh.h but then I'd have to do this every time. Am I best to
put in a -DPIDDIR="/etc" or something? Alternatively, would it be easy to
change the configure.in stuff to let me do a --pid-dir="/etc" or a
--pid-file="/etc/ssh.pid"?

Thanks,

Andrew Stribblehill
Systems Programmer, IT Service, University of Durham, England

From bent at clark.net Wed Jan 12 05:01:23 2000
From: bent at clark.net (Ben Taylor)
Date: Tue, 11 Jan 2000 13:01:23 -0500 (EST)
Subject: PID file
In-Reply-To: <20000111173552.G1249@itspc142.dur.ac.uk>
Message-ID:

On Tue, 11 Jan 2000, Andrew Stribblehill wrote:

> Where is the best place for me to change the PID file location? I
> _could_ change it in ssh.h but then I'd have to do this every
> time. Am I best to put in a -DPIDDIR="/etc" or something?
> Alternatively, would it be easy to change the configure.in stuff
> to let me do a --pid-dir="/etc" or a --pid-file="/etc/ssh.pid"?

Isn't /var/run one of those directories used for holding pid type files,
or is this not a standard yet?

Ben

From willard.dawson at sbs.siemens.com Wed Jan 12 05:15:59 2000
From: willard.dawson at sbs.siemens.com (Willard Dawson)
Date: Tue, 11 Jan 2000 13:15:59 -0500
Subject: PID file
In-Reply-To: ; from bent@clark.net on Tue, Jan 11, 2000 at 01:01:23PM -0500
References: <20000111173552.G1249@itspc142.dur.ac.uk>
Message-ID: <20000111131558.B12067@wdawson-sun.sbs.siemens.com>

On Tue, Jan 11, 2000 at 01:01:23PM -0500, Ben Taylor wrote:
> On Tue, 11 Jan 2000, Andrew Stribblehill wrote:
>
> > Where is the best place for me to change the PID file location? I
> > _could_ change it in ssh.h but then I'd have to do this every
> > time. Am I best to put in a -DPIDDIR="/etc" or something?
> > Alternatively, would it be easy to change the configure.in stuff
> > to let me do a --pid-dir="/etc" or a --pid-file="/etc/ssh.pid"?
>
> Isn't /var/run one of those directories used for holding pid type files,
> or is this not a standard yet?

There is no such directory in my Solaris 7 environment.

--
Willard Francis Otto Dawson          +1 770 814 5099 / +1 770 814 5202 FAX
Siemens Business Services, ENS       mailto:willard.dawson at sbs.siemens.com
4570 River Green Pkwy, Ste 140       http://www.sbs.siemens.com/
Duluth, GA 30096-2564                Standard disclaimer applies.

From bent at clark.net Wed Jan 12 05:19:33 2000
From: bent at clark.net (Ben Taylor)
Date: Tue, 11 Jan 2000 13:19:33 -0500 (EST)
Subject: PID file
In-Reply-To: <20000111131558.B12067@wdawson-sun.sbs.siemens.com>
Message-ID:

On Tue, 11 Jan 2000, Willard Dawson wrote:

> On Tue, Jan 11, 2000 at 01:01:23PM -0500, Ben Taylor wrote:
> > On Tue, 11 Jan 2000, Andrew Stribblehill wrote:
> >
> > > Where is the best place for me to change the PID file location? I
> > > _could_ change it in ssh.h but then I'd have to do this every
> > > time. Am I best to put in a -DPIDDIR="/etc" or something?
> > > Alternatively, would it be easy to change the configure.in stuff
> > > to let me do a --pid-dir="/etc" or a --pid-file="/etc/ssh.pid"?
> >
> > Isn't /var/run one of those directories used for holding pid type files,
> > or is this not a standard yet?
>
> There is no such directory in my Solaris 7 environment.

Yep. I was looking at my Solaris 8 box.

Ben

From sprout at dok.org Wed Jan 12 09:35:42 2000
From: sprout at dok.org (Chris Green)
Date: 11 Jan 2000 16:35:42 -0600
Subject: pam & solaris
Message-ID:

At the end of every session with sshd running on sparc Solaris 7 I get

	Jan 11 16:28:26 borg sshd[2061]: Cannot delete credentials: Permission denied

regardless of passwd or rsa authentication.

In auth-pam.c I see

	pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED);
	if (pam_retval != PAM_SUCCESS) {
		log("Cannot delete credentials: %.200s",
		    PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
	}

I do not get the same problems on linux w/ pam. Any ideas?

--
Chris Green
"When the going gets weird, the weird turn pro..." -- Hunter S. Thompson

From iretd at bigfoot.com Wed Jan 12 10:49:14 2000
From: iretd at bigfoot.com (Benjamin Charron)
Date: Tue, 11 Jan 2000 18:49:14 -0500
Subject: Slackware 4.0: wtmp and pty.c problems
In-Reply-To: ; from djm@mindrot.org on Sat, Jan 08, 2000 at 09:44:12AM +1100
References:
Message-ID: <20000111184914.A5684@bigfoot.com>

On Sat, Jan 08, 2000 at 09:44:12AM +1100, Damien Miller wrote:
> > If I then edit pty.c and add a line after the test, unconditionally
> > undefining HAVE_DEV_PTMX like this:
>
> It looks like you are running a 2.2.x kernel or at least have the
> Unix98 pty device nodes, but are lacking the openpty() function
> in your libc.
>
> > 	/* Pty allocated with _getpty gets broken if we do I_PUSH:es to it. */
> > 	#if defined(HAVE__GETPTY) || defined(HAVE_OPENPTY)
> > 	#undef HAVE_DEV_PTMX
> > 	#endif
> >
> > 	#undef HAVE_DEV_PTMX
> >
> > Then everything compiles, installs and functions ALMOST normally.

Sorry if this message is inappropriate for the list; anyhow, I don't
know if it matters / if it's related, but I get a similar behavior under
Slack 7.0 with GNU Screen 3.9.4. I start it up and it terminates
complaining about I_PUSH stuff. [ie: can't make it work on slack7 boxes].
Would slack's glibc be screwed up?

--
Benjamin Charron (bcharron at bigfoot.com) [ICQ : 2097711]
PGP Fingerprint : 251D AB92 35E4 BE76 9A24 F08C 26A4 84D1 FB04 077A
Dyslexics have more fnu.

From mouring at pconline.com Wed Jan 12 15:59:06 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Tue, 11 Jan 2000 22:59:06 -0600 (CST)
Subject: unrequired headers (looping affect in NeXT)
Message-ID:

bsd-login.[hc] and login.c seem to have #includes that are unneeded (and
platforms with non-protected header files trip on them).

Could I get a few people on different platforms to remove them and see if
they cause any compiling issues? It would make my life easier (and mean
less required #ifdef garbage).

	bsd-login.c:52:#include
	bsd-login.h:7:#include
	login.c:27:#include

Thanks.

(This may also be true for utmpx.h, but NeXT does not use that header
file)

From mouring at pconline.com Wed Jan 12 19:28:15 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Wed, 12 Jan 2000 02:28:15 -0600 (CST)
Subject: Mostly good news on the NeXT front.
Message-ID:

I'll be able to test on NeXT 4.2 after the initial 3.3 port.

I have a vsnprintf/snprintf that compiles (works?) on NeXT. Not sure how
portable it is, nor if it truly solves the security issue (it's from the
comp.sys.next.programmer folks). Plus NeXT 3.3 (not sure about 4.2 yet)
lacks a putenv(). I found one that compiles cleanly from the GNU libc
folks. Which brings up licensing issues. I'm not sure if we can get a
waiver or if we will have to write our own. It looks simple enough to
rewrite if we have to. I personally hate reinventing wheels.

But things are slowly compiling. It does look like I am missing poll() (I
believe older versions of Linux have this problem so I may be able to
find sample code) and the whole mem*() functions are very poorly
documented so it should be interesting. (They exist in libposix.a, but
there are no manpages.)

The "ssh" program compiled, but on attempting to connect I get a coredump
and a nice "Floating exception" error. (It would not surprise me if my
vsnprintf/snprintf are incorrect, but I've not bothered to trace it yet.)

But hey, at least we have progress. And after finding the -posix and
-D_POSIX_SOURCE cc flags I have fewer #ifdefs and things are compiling
much cleaner. So maybe next week sometime I may have patches. (Looks like
2 or 3 #ifdefs now instead of 10 =)

From marc.fournier at acadiau.ca Thu Jan 13 00:14:17 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Wed, 12 Jan 2000 09:14:17 -0400 (AST)
Subject: What are these files ... ?
Message-ID:

	total 3136
	-rwxr-xr-x   1 root     other    1913044 Jan 12 09:08 sshd
	-rw-rw-rw-   1 root     other          0 Jan 12 09:08 stSyaqBu

What are the st* files, and why are they being created in the same
directory as sshd lives?

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University

"These are my opinions, which are not necessarily shared by my employer"

From drankin at bohemians.lexington.ky.us Thu Jan 13 04:04:32 2000
From: drankin at bohemians.lexington.ky.us (David Rankin)
Date: Wed, 12 Jan 2000 12:04:32 -0500
Subject: Mostly good news on the NeXT front.
In-Reply-To: ; from Ben Lindstrom on Wed, Jan 12, 2000 at 02:28:15AM -0600
References:
Message-ID: <20000112120431.A610@rumpole.bohemians.lexington.ky.us>

On Wed, Jan 12, 2000 at 02:28:15AM -0600, Ben Lindstrom wrote:
>
> I'll be able to test on NeXT 4.2 after the initial 3.3 port.

> I have a vsnprintf/snprintf that compiles (works?) on NeXT. Not sure how
> portable nor if it truly solves the security issue (it's from the
> comp.sys.next.programmer folks). Plus NeXT 3.3 (not sure about 4.2 yet)
> lacks a putenv(). I found one that compiles cleanly from the GNU libc
> folks. Which brings up licensing issues. I'm not sure if we can get a
> waiver or if we will have to write our own. It looks simple enough to
> rewrite if we have to. I personally hate reinventing wheels.

Is libc under the LGPL? If so, and I think it is, its license isn't
incompatible with distributing the rest of the package under the BSD-ish
license it has.

--
David W. Rankin, Jr. Husband, Father, and UNIX Sysadmin.
Email: drankin at bohemians.lexington.ky.us  Address/Phone Number: Ask me.
"It is no great thing to be humble when you are brought low; but to be
humble when you are praised is a great and rare accomplishment." St. Bernard

From marc.fournier at acadiau.ca Thu Jan 13 04:48:57 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Wed, 12 Jan 2000 13:48:57 -0400 (AST)
Subject: Solaris 7/sparc20 binary comes out weird?
Message-ID:

I've tried doing a 'make distclean' and a rebuild on the machine, and I keep coming up with:

    eris:/var/src/openssh-1.2.1pre25> file sshd
    sshd: ELF 32-bit MSB executable SPARC32PLUS Version 1, V8+ Required, UltraSPARC1 Extensions Required, dynamically linked, not stripped
    eris:/var/src/openssh-1.2.1pre25> ./sshd
    ./sshd: Exec format error. Binary file not executable.

I'm lost...what is causing this, and how to fix it?

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From gem at rellim.com Thu Jan 13 05:53:37 2000
From: gem at rellim.com (Gary E. Miller)
Date: Wed, 12 Jan 2000 10:53:37 -0800 (PST)
Subject: unrequired headers (looping affect in NeXT)
In-Reply-To:
Message-ID:

Yo Ben!

I can do this on SCO UnixWare 7.1.0 and it compiles just fine.

On Tue, 11 Jan 2000, Ben Lindstrom wrote:

> Could I get a few people on different platforms remove them and see
> if they cause any compiling issues it would make my life easier (and
> less required #ifdef grabage).
>
> bsd-login.c:52:#include
> bsd-login.h:7:#include
> login.c:27:#include

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676

From jmknoble at pobox.com Thu Jan 13 07:15:05 2000
From: jmknoble at pobox.com (Jim Knoble) Date: Wed, 12 Jan 2000 15:15:05 -0500 Subject: Mostly good news on the NeXT front. In-Reply-To: ; from Ben Lindstrom on Wed, Jan 12, 2000 at 02:28:15AM -0600 References: Message-ID: <20000112151505.B6636@ntrnet.net> P? 2000-Jan-12 klokka 02:28:15 -0600 skrivet Ben Lindstrom: : [...] Plus NeXT 3.3 (not sure about 4.2 yet) lacks a putenv(). I found : one that compiles cleanly from the GNU libc fokes. Which brings up : licensing issues. I'm not sure if we can get a wavier or if we will : have to write our own. It looks simple enough to rewrite if we have : to. I personally hate reinventing wheels. Ben, does NeXT have setenv()? If it does, you might be able to get away with making a wrapper that uses either putenv() or setenv(), depending on what's available. That would be much better than trying to use glibc code. -- jim knoble jmknoble at pobox.com From mouring at pconline.com Thu Jan 13 07:21:08 2000 
From: mouring at pconline.com (Ben Lindstrom) Date: Wed, 12 Jan 2000 14:21:08 -0600 (CST) Subject: Mostly good news on the NeXT front. In-Reply-To: <20000112151505.B6636@ntrnet.net> Message-ID: On Wed, 12 Jan 2000, Jim Knoble wrote: > P? 2000-Jan-12 klokka 02:28:15 -0600 skrivet Ben Lindstrom: > > : [...] Plus NeXT 3.3 (not sure about 4.2 yet) lacks a putenv(). I found > : one that compiles cleanly from the GNU libc fokes. Which brings up > : licensing issues. I'm not sure if we can get a wavier or if we will > : have to write our own. It looks simple enough to rewrite if we have > : to. I personally hate reinventing wheels. > > Ben, does NeXT have setenv()? If it does, you might be able to get > away with making a wrapper that uses either putenv() or setenv(), > depending on what's available. That would be much better than trying > to use glibc code. > Nope already looked for the non-posix setenv() call. I'll have to look at the header from the putenv() the gnu libc fragment I have. I know it was dated 1991. Which if I'm not mistaken is pre-LGPL. But I suspect that it would not be hard to get a wavier to at least LGPL if it's not already. If anyone was on #unixhelp/#nixhelp on efnet last night you would have heard me curse up and down about lack of native libc functions on NeXT.=) From amulyon at ipass.net Thu Jan 13 09:47:56 2000 
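Jim Knoble's wrapper idea from the exchange above, written out as an added C example (this is not OpenSSH's own compat code, nor anything the posters sent): setenv_via_putenv() builds setenv() out of putenv() for a libc that only has the latter, and compat_setenv() dispatches on the configure macros. HAVE_SETENV and HAVE_PUTENV are assumed to come from config.h; the stand-alone defaults below, the function names and the environment variable names in the self-checks are choices made for this illustration. The detail worth seeing is the lifetime rule: putenv() keeps the pointer it is handed rather than copying the string, so the "NAME=VALUE" buffer has to outlive the call.

```c
/* Added example, not OpenSSH code: setenv()/putenv() portability shim. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same rule POSIX setenv() applies: a name must be non-empty and
 * must not contain '=' (otherwise "A=B=C" would be ambiguous). */
static int valid_env_name(const char *name)
{
    return name != NULL && *name != '\0' && strchr(name, '=') == NULL;
}

/* setenv() built on putenv(). putenv() stores the pointer it is given,
 * so the string is heap-allocated and intentionally never freed on
 * success; freeing it would leave environ pointing at released memory. */
int setenv_via_putenv(const char *name, const char *value, int overwrite)
{
    size_t len;
    char *kv;

    if (!valid_env_name(name) || value == NULL) {
        errno = EINVAL;
        return -1;
    }
    if (!overwrite && getenv(name) != NULL)
        return 0;                       /* keep the existing value */
    len = strlen(name) + 1 + strlen(value) + 1;   /* name '=' value NUL */
    kv = malloc(len);
    if (kv == NULL)
        return -1;
    snprintf(kv, len, "%s=%s", name, value);
    if (putenv(kv) != 0) {
        free(kv);                       /* not adopted, safe to release */
        return -1;
    }
    return 0;
}

/* Assumed configure results. A real build gets these from config.h;
 * the defaults only make this file build stand-alone on a modern libc. */
#ifndef HAVE_SETENV
#define HAVE_SETENV 1
#endif
#ifndef HAVE_PUTENV
#define HAVE_PUTENV 1
#endif

/* The wrapper callers use: native setenv() when present, the putenv()
 * construction when only that exists, an explicit error otherwise. */
int compat_setenv(const char *name, const char *value, int overwrite)
{
#if HAVE_SETENV
    if (!valid_env_name(name) || value == NULL) {
        errno = EINVAL;
        return -1;
    }
    return setenv(name, value, overwrite);
#elif HAVE_PUTENV
    return setenv_via_putenv(name, value, overwrite);
#else
    /* Neither call exists (the NeXT 3.3 case in the thread): a hand-rolled
     * environ manipulation would go here; fail loudly rather than guess. */
    (void)name; (void)value; (void)overwrite;
    errno = ENOSYS;
    return -1;
#endif
}
```

On a system that has both calls the dispatcher simply reaches setenv(); the putenv()-based path is still compiled and can be exercised directly, which is how a port to a libc lacking setenv() would be tested before the configure macros are flipped.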
From: amulyon at ipass.net (Aris Mulyono)
Date: Wed, 12 Jan 2000 17:47:56 -0500
Subject: solaris 2.5.1 still no good
Message-ID: <20000112174754.D12368@ipass.net>

Hello,

I've got the same problem as this one. Can somebody send the snprintf.c or other ways around please?

Thanks,

<------- snipped from mail archive ---------------------------------->
I just email'd, from my other account, the snprintf.c that we distribute in PostgreSQL...its been thoroughly tested on all the platforms that we support, with Solaris 2.5.1 being one of them...the bsd-snprintf.c that we included in OpenSSH, I believe, was the stock FreeBSD one, whereas this one is meant to be generic ...

I *believe* that we pulled/borrowed this from sendmail originally...
<------------------ end snip ---------------------------------------->

    bsd-snprintf.c: In function `msetup':
    bsd-snprintf.c:86: warning: implicit declaration of function `getpagesize'
    bsd-snprintf.c:91: `x' undeclared (first use this function)
    bsd-snprintf.c:91: (Each undeclared identifier is reported only once
    bsd-snprintf.c:91: for each function it appears in.)
    bsd-snprintf.c:91: `y' undeclared (first use this function)
    bsd-snprintf.c:91: warning: left-hand operand of comma expression has no effect
    bsd-snprintf.c: In function `vsnprintf':
    bsd-snprintf.c:133: warning: variable `ret' might be clobbered by `longjmp' or `vfork'
    bsd-snprintf.c: At top level:
    bsd-snprintf.c:52: warning: `caught' defined but not used
    make: *** [bsd-snprintf.o] Error 1

-- 
Aris Mulyono

From bent at clark.net Thu Jan 13 10:25:51 2000
From: bent at clark.net (Ben Taylor) Date: Wed, 12 Jan 2000 18:25:51 -0500 (EST) Subject: solaris 2.5.1 still no good In-Reply-To: <20000112174754.D12368@ipass.net> Message-ID: On Wed, 12 Jan 2000, Aris Mulyono wrote: > Hello, > > > I've got the same problem like this one. > Can somebody send the snprintf.c or other ways around please? > Due a bug in Solaris I was tracking in 2.5 and 2.5.1, it turns out there is an snprintf in solaris' libc, and I will do what I can to post a patch so we don't have to use an outside source. Ben > Thanks, > > <------- snipped from mail archive ----------------------------------> > I just email'd, from my other account, the snprintf.c that we distribute > in PostgreSQL...its been thoroughly tested on all the platforms that we > support, with Solaris 2.5.1 being one of them...the bsd-snprintf.c that we > included in OpenSSH, I believe, was the stock FreeBSD one, whereas this > one is meant to be generic ... > > I *believe* that we pulled/borrowed this from sendmail originally... > > <------------------ end snip ----------------------------------------> > > bsd-snprintf.c: In function `msetup': > bsd-snprintf.c:86: warning: implicit declaration of function `getpagesize' > bsd-snprintf.c:91: `x' undeclared (first use this function) > bsd-snprintf.c:91: (Each undeclared identifier is reported only once > bsd-snprintf.c:91: for each function it appears in.) > bsd-snprintf.c:91: `y' undeclared (first use this function) > bsd-snprintf.c:91: warning: left-hand operand of comma expression has no effect > bsd-snprintf.c: In function `vsnprintf': > bsd-snprintf.c:133: warning: variable `ret' might be clobbered by `longjmp' or > `vfork' > bsd-snprintf.c: At top level: > bsd-snprintf.c:52: warning: `caught' defined but not used > make: *** [bsd-snprintf.o] Error 1 > > -- > Aris Mulyono > From bent at clark.net Thu Jan 13 15:18:14 2000 
From: bent at clark.net (Ben Taylor)
Date: Wed, 12 Jan 2000 23:18:14 -0500 (EST)
Subject: solaris 2.5.1 still no good
In-Reply-To: <20000112174754.D12368@ipass.net>
Message-ID:

On Wed, 12 Jan 2000, Aris Mulyono wrote:

> Hello,
>
> I've got the same problem like this one.
> Can somebody send the snprintf.c or other ways around please?

This is a snippet of code an engineer at Sun sent me when they were confused about some code which couldn't find snprintf under 2.5/2.5.1. It looks like all we have to do for 2.5/2.5.1 support is define

    #define snprintf __snprintf
    #define vsnprintf __vsnprintf

I will check my 2.5.1 system tomorrow and see what I can do about patching. (Anyone got a snippet of Autoconf to test various versions of a particular Operating system)

Let me know if this fixes the 2.5/2.5.1 problem

Thanks

Ben

------

    #include <stddef.h>     /* size_t */

    /*
     * If compiled and linked on OS 5.5.1 or earlier, works on 5.5 or later.
     * To compile on 5.6 or later and work on 5.5.1 or earlier,
     * reverse __snprintf and snprintf at indicated lines.
     * If compiled on 5.6 or later without reversing, it will work on 5.6 or
     * later but not 5.5.1 or earlier.
     * For OS 5.4 or earlier you need libc patch. If not it will core dump.
     */

    /* Both names are declared weak: whichever one the running libc lacks
     * resolves to a null pointer instead of failing at link or load time,
     * so the choice between them can be made at run time below. */
    int snprintf(char *, size_t, const char *, ...);
    #pragma weak snprintf
    int __snprintf(char *, size_t, const char *, ...);
    #pragma weak __snprintf

    /* to compile on 5.6 or later and work on 5.5 or earlier use __snprintf here */
    int (*snprintf_p)(char *, size_t, const char *, ...) = snprintf;
    #define snprintf snprintf_p

    int main(void)
    {
        char buf[100];

        /* The preferred symbol is absent on this libc: switch to the other spelling. */
        if (snprintf_p == NULL) {
            /* to compile on 5.6 or later and work on 5.5 or earlier use snprintf here */
            snprintf_p = __snprintf;
        }
        /* from here on, snprintf(buf, sizeof(buf), ...) goes through the pointer */
        return 0;
    }

> Thanks,
>
> <------- snipped from mail archive ---------------------------------->
> I just email'd, from my other account, the snprintf.c that we distribute
> in PostgreSQL...its been thoroughly tested on all the platforms that we
> support, with Solaris 2.5.1 being one of them...the bsd-snprintf.c that we
> included in OpenSSH, I believe, was the stock FreeBSD one, whereas this
> one is meant to be generic ...
>
> I *believe* that we pulled/borrowed this from sendmail originally...
>
> <------------------ end snip ---------------------------------------->
>
> bsd-snprintf.c: In function `msetup':
> bsd-snprintf.c:86: warning: implicit declaration of function `getpagesize'
> bsd-snprintf.c:91: `x' undeclared (first use this function)
> bsd-snprintf.c:91: (Each undeclared identifier is reported only once
> bsd-snprintf.c:91: for each function it appears in.)
> bsd-snprintf.c:91: `y' undeclared (first use this function)
> bsd-snprintf.c:91: warning: left-hand operand of comma expression has no effect
> bsd-snprintf.c: In function `vsnprintf':
> bsd-snprintf.c:133: warning: variable `ret' might be clobbered by `longjmp' or
> `vfork'
> bsd-snprintf.c: At top level:
> bsd-snprintf.c:52: warning: `caught' defined but not used
> make: *** [bsd-snprintf.o] Error 1
>
> --
> Aris Mulyono
>

From djm at mindrot.org Thu Jan 13 15:26:06 2000
From: djm at mindrot.org (Damien Miller) Date: Thu, 13 Jan 2000 15:26:06 +1100 (EST) Subject: solaris 2.5.1 still no good In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 12 Jan 2000, Ben Taylor wrote: > It looks like all we have to do for 2.5/2.5.1 support is define > #define snprintf __snprintf > #define vsnprintf __vsnprintf I will integrate tests for the __ functions into configure.in Damien - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4fVPhormJ9RG1dI8RAihNAJ9elTgwb29mgVq0V3U2sskDmmwA4wCgqn6x h1vzZMKTygjIeBceIE90B1I= =7SFO -----END PGP SIGNATURE----- From andre.lucas at dial.pipex.com Fri Jan 14 00:40:21 2000 
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Thu, 13 Jan 2000 13:40:21 +0000
Subject: solaris 2.5.1 still no good
In-Reply-To: ; from bent@clark.net on Wed, Jan 12, 2000 at 11:18:14PM -0500
References: <20000112174754.D12368@ipass.net>
Message-ID: <20000113134021.E718@internal.domain>

On Wed, Jan 12, 2000 at 11:18:14PM -0500, Ben Taylor wrote:
8< snip
> I will check my 2.5.1 system tommorow and see what I can do
> about patching. (Anyone got a snippet of Autoconf to
> test various versions of a particular Operating system)
>

I know Damien's handling this now, but just for interest's sake: In configure.in there's code like this:

    *-*-solaris*)
        AC_DEFINE(USE_WTMPX)
        ;;

you'd just need to add something like this:

    *-*-solaris*)
        AC_DEFINE(USE_WTMPX)
        sol_ver=`uname -r`
        # one "test", a single "=" (POSIX sh), and the variable quoted
        # so an empty result from uname -r cannot break the syntax
        if test "$sol_ver" = 5.5 -o "$sol_ver" = 5.5.1; then
            AC_DEFINE(SOL_25_SNPRINTF_FIX)
        fi
        ;;

(you'll have to check what `uname -r` returns on 2.5.1, though.) You could do wacky stuff if you need to test for, say, versions less than 2.6:

    sol_ver=`uname -r`
    sol_major=`echo $sol_ver | awk -F. '{print $1}'`
    sol_minor=`echo $sol_ver | awk -F. '{print $2}'`
    if test "$sol_major" -eq 5 -a "$sol_minor" -lt 6 ; then
        do_things
    fi

watch those backticks :-)

You could instead add more specific cases, e.g.

    *-*-solaris2.5 | *-*-solaris2.5.1)
        do_things
        do_more_things    # sh "case" has no fall-through, so the common step is repeated
        ;;
    *-*-solaris*)
        do_more_things
        ;;

but that will get messy if there are other special cases for different versions.

> 8< snip rest

Regs,
-Andre

-- 
Andre Lucas
http://dspace.dial.pipex.com/andre.lucas/

From andre.lucas at dial.pipex.com Fri Jan 14 00:45:11 2000
From: andre.lucas at dial.pipex.com (Andre Lucas) Date: Thu, 13 Jan 2000 13:45:11 +0000 Subject: solaris 2.5.1 still no good In-Reply-To: <20000113134021.E718@internal.domain>; from andre.lucas@dial.pipex.com on Thu, Jan 13, 2000 at 01:40:21PM +0000 References: <20000112174754.D12368@ipass.net> <20000113134021.E718@internal.domain> Message-ID: <20000113134511.F718@internal.domain> typo: On Thu, Jan 13, 2000 at 01:40:21PM +0000, Andre Lucas wrote: > On Wed, Jan 12, 2000 at 11:18:14PM -0500, Ben Taylor wrote: > 8< snip > > I will check my 2.5.1 system tommorow and see what I can do > > about patching. (Anyone got a snippet of Autoconf to > > test various versions of a particular Operating system) > > > > I know Damien's handling this now, but just for interest's sake: In > configure.in there's code like this: > > *-*-solaris*) > AC_DEFINE(USE_WTMPX) > ;; > > you'd just need to add something like this: > > *-*-solaris*) > AC_DEFINE(USE_WTMPX) > sol_ver=`uname -r` > if test $sol_ver == 5.5 -o test $sol_ver == 5.5.1; then remove: ^^^^ -Andre > AC_DEFINE(SOL_25_SNPRINTF_FIX) > fi > ;; > > (you'll have to check what `uname -r` returns on 2.5.1, though.) You > could do wacky stuff if you need to test for, say, versions less than > 2.6: > > sol_ver=`uname -r` > sol_major=`echo $sol_ver | awk -F. '{print $1}'` > sol_minor=`echo $sol_ver | awk -F. '{print $2}'` > if test $sol_major -eq 5 -a $sol_minor -lt 6 ; then > do_things > fi > > watch those backticks :-) > > You could instead add more specific cases instead, e.g. > > *-*-solaris2.5) > *-*-solaris2.5.1) > do_things > # fall through > *-*-solaris*) > do_more_things > > but that will get messy if there are other special cases for different > versions. > > > > 8< snip rest > > Regs, > -Andre > > -- > Andre Lucas > http://dspace.dial.pipex.com/andre.lucas/ -- Andre Lucas http://dspace.dial.pipex.com/andre.lucas/ From marc.fournier at acadiau.ca Fri Jan 14 00:49:29 2000 
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Thu, 13 Jan 2000 09:49:29 -0400 (AST)
Subject: pre25 not honoring .rhosts?
Message-ID:

On our servers at work, I use ssh/rdist to sync binaries on various machines...one master server, several client machines. This requires the ability to ssh to the remote host without a password, so I have a .rhosts setup on the remote host, trusting the 'central server'...

With pre25, I can't seem to get this to work anymore... I have

    PermitRootLogin yes
    IgnoreRhosts no

set ... but it keeps prompting me for a password ... even as a regular user, the .rhosts are being ignored ...

I'm still investigating on this end, in case it's something I overlooked, but can anyone else confirm/deny this?

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From drankin at bohemians.lexington.ky.us Fri Jan 14 00:53:30 2000
From: drankin at bohemians.lexington.ky.us (David Rankin) Date: Thu, 13 Jan 2000 08:53:30 -0500 Subject: solaris 2.5.1 still no good In-Reply-To: <20000113134021.E718@internal.domain>; from Andre Lucas on Thu, Jan 13, 2000 at 01:40:21PM +0000 References: <20000112174754.D12368@ipass.net> <20000113134021.E718@internal.domain> Message-ID: <20000113085330.E610@rumpole.bohemians.lexington.ky.us> On Thu, Jan 13, 2000 at 01:40:21PM +0000, Andre Lucas wrote: > On Wed, Jan 12, 2000 at 11:18:14PM -0500, Ben Taylor wrote: > 8< snip > > I will check my 2.5.1 system tommorow and see what I can do > > about patching. (Anyone got a snippet of Autoconf to > > test various versions of a particular Operating system) > I know Damien's handling this now, but just for interest's sake: In > configure.in there's code like this: > > *-*-solaris*) > AC_DEFINE(USE_WTMPX) > ;; > > you'd just need to add something like this: > > *-*-solaris*) > AC_DEFINE(USE_WTMPX) > sol_ver=`uname -r` > if test $sol_ver == 5.5 -o test $sol_ver == 5.5.1; then > AC_DEFINE(SOL_25_SNPRINTF_FIX) > fi > ;; Please, please NO, don't do this. Instead, try to find snprintf, and iff that fails, search for __snprintf. This makes the search more OS independant, since you're searching for features, not OS characteristics. (I know, it's a pain. Welcome to autoconf.) I'm just too used to the Dynix/HP-UX9/SunOS4/etc. days where you had a soup of "ifdef OS" code that autoconf was designed to fix. Excuse me, I have to go get depressed about how old that last sentence makes me sound.... David -- David W. Rankin, Jr. Husband, Father, and UNIX Sysadmin. Email: drankin at bohemians.lexington.ky.us Address/Phone Number: Ask me. "It is no great thing to be humble when you are brought low; but to be humble when you are praised is a great and rare accomplishment." St. Bernard From bent at clark.net Fri Jan 14 01:02:13 2000 
From: bent at clark.net (Ben Taylor)
Date: Thu, 13 Jan 2000 09:02:13 -0500 (EST)
Subject: solaris 2.5.1 still no good
In-Reply-To: <20000113085330.E610@rumpole.bohemians.lexington.ky.us>
Message-ID:

On Thu, 13 Jan 2000, David Rankin wrote:

> Please, please NO, don't do this. Instead, try to find snprintf, and
> iff that fails, search for __snprintf. This makes the search more OS
> independant, since you're searching for features, not OS characteristics.
> (I know, it's a pain. Welcome to autoconf.)

The way I fixed the problem was to add a set of function prototypes and #defines surrounded by an #ifdef HAVE___SNPRINTF in defines.h and to #define HAVE_SNPRINTF, HAVE_VSNPRINTF and HAVE___SNPRINTF. No code outside of defines.h and a single define in config.h is all that's needed.

> I'm just too used to the Dynix/HP-UX9/SunOS4/etc. days where you had a
> soup of "ifdef OS" code that autoconf was designed to fix.

I understand your pain. I tried to make the fix as elegant as possible.

Ben

From shapa at maxnet.ru Fri Jan 14 01:03:59 2000
From: shapa at maxnet.ru (Max Shaposhnikov)
Date: Thu, 13 Jan 2000 17:03:59 +0300
Subject: /dev/urandom
Message-ID: <5711.000113@maxnet.ru>

On solaris7/sparc this device doesn't exist.

I can use EGD but it is very big (perl script!) - in memory it takes about 4mb! apache uses the same!

Why doesn't ssh1.27 require /dev/urandom on solaris?

What alternatives exist?

From charlesa at gi4s.qc.ca Fri Jan 14 01:07:14 2000
From: charlesa at gi4s.qc.ca (Arsenault, Charles)
Date: Thu, 13 Jan 2000 09:07:14 -0500 (EST)
Subject: support for skey on linux
Message-ID:

I am having difficulties compiling the Linux/Unix port of openssh --with-skey. Is it supported?

-- 
Charles Arsenault  Tel: +1-514-575-8140
D011 DEC9 E226 D928 8F84 3257 8908 4865 744D 1654

From marc.fournier at acadiau.ca Fri Jan 14 01:10:56 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Thu, 13 Jan 2000 10:10:56 -0400 (AST)
Subject: Huh ... sIgnoreRhosts "reset" 12 times?
Message-ID:

It eventually gets where I want it ... doesn't work, but at least it's set right ... but why is it done 12 times? Note, I just added fprintf(stderr) messages to the case statements in the read_conf() section of servconf.c ...

    ./sshd -d
    sPermitRootLogin triggered as yes
    sIgnoreRhosts triggered as yes
    sIgnoreRhosts triggered as no
    sIgnoreRhosts triggered as yes
    sIgnoreRhosts triggered as yes
    sIgnoreRhosts triggered as no
    sIgnoreRhosts triggered as no
    sIgnoreRhosts triggered as no
    sIgnoreRhosts triggered as no
    sIgnoreRhosts triggered as no
    sIgnoreRhosts triggered as yes
    sIgnoreRhosts triggered as yes
    sIgnoreRhosts triggered as no
    debug: sshd version OpenSSH-1.2.1
    Server listening on port 22.
    Generating 768 bit RSA key.
    RSA key generation complete.

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From andre.lucas at dial.pipex.com Fri Jan 14 01:10:38 2000
From: andre.lucas at dial.pipex.com (Andre Lucas) Date: Thu, 13 Jan 2000 14:10:38 +0000 Subject: solaris 2.5.1 still no good In-Reply-To: <20000113085330.E610@rumpole.bohemians.lexington.ky.us>; from drankin@bohemians.lexington.ky.us on Thu, Jan 13, 2000 at 08:53:30AM -0500 References: <20000112174754.D12368@ipass.net> <20000113134021.E718@internal.domain> <20000113085330.E610@rumpole.bohemians.lexington.ky.us> Message-ID: <20000113141038.G718@internal.domain> > Please, please NO, don't do this. Instead, try to find snprintf, and > iff that fails, search for __snprintf. This makes the search more OS > independant, since you're searching for features, not OS characteristics. > (I know, it's a pain. Welcome to autoconf.) And on how many OSes is __snprintf going to be equivalent to snprintf? This is what we were talking about before - detect features portably where useful. If it's a 'platform x is fucked up' hack, treat it as such. Then, at least it's clear what is going on. In this case, it's unlikely that you'll find a platform y with the same problem. Why clutter the code? You can be over-generic. Look at SGML ;-) I see your point, but I'm not sure it's always correct to put in generic detection routines for everything. This is one silly little thing in Solaris 2.5.x, let it stay there. -Andre -- Andre Lucas http://dspace.dial.pipex.com/andre.lucas/ From bent at clark.net Fri Jan 14 01:14:58 2000 
From: bent at clark.net (Ben Taylor) Date: Thu, 13 Jan 2000 09:14:58 -0500 (EST) Subject: /dev/urandom In-Reply-To: <5711.000113@maxnet.ru> Message-ID: On Thu, 13 Jan 2000, Max Shaposhnikov wrote: > on solaris7/sparc this device doesn't exists > > i can use EGD but he very big (perl script!) - in memory it take about > 4mb! apache use the same! Yeah, it is a bit piggy. On my Usparc running 2.6, memory utilization is about 2.8M, but another 1.4M is paged/swapped out. > why ssh1.27 doesn't requre /dev/urandom on solaris? I don't know. I have no experience with the ssh1.27. I think I used like 1.20 or 1.22 several years ago, but I wasn't doing any development. > what alternatives exists? None, that I'm aware of. I don't do a whole lot with crypto since I'm in the USA. (Legal stuff, and all that, besides I'm *not* a mathematician...) :-) I suppose that someone could port the /dev/urandom stuff to Solaris. It would definitely be less memory intensive, I suspect. Regards, Ben From carl at bl.echidna.id.au Fri Jan 14 01:16:42 2000 From: carl at bl.echidna.id.au (Carl Brewer) Date: Fri, 14 Jan 2000 01:16:42 +1100 (EST) Subject: /dev/urandom Message-ID: <200001131416.e0DEGg529343@oversteer.bl.echidna.id.au> You can get hold of /dev/random as part of SUNWski. If you hunt through sunsolve's public patches you'll find that package, it's a bit of a dodgey way to get it, but it works fine :) Carl > From owner-openssh-unix-dev at mindrot.org Fri Jan 14 01:05:05 2000 > Delivered-To: openssh-unix-dev-list at mindrot.org > Date: Thu, 13 Jan 2000 17:03:59 +0300 
> From: Max Shaposhnikov > X-Priority: 3 (Normal) > To: openssh-unix-dev at mindrot.org > Subject: /dev/urandom > Mime-Version: 1.0 > Content-Transfer-Encoding: 7bit > > on solaris7/sparc this device doesn't exists > > i can use EGD but he very big (perl script!) - in memory it take about > 4mb! apache use the same! > > why ssh1.27 doesn't requre /dev/urandom on solaris? > > what alternatives exists? > > > > From shapa at maxnet.ru Fri Jan 14 01:49:03 2000 From: shapa at maxnet.ru (Max Shaposhnikov) Date: Thu, 13 Jan 2000 17:49:03 +0300 Subject: /dev/urandom In-Reply-To: <200001131416.e0DEGg529343@oversteer.bl.echidna.id.au> References: <200001131416.e0DEGg529343@oversteer.bl.echidna.id.au> Message-ID: <2742.000113@maxnet.ru> Hello Carl, Thursday, January 13, 2000, 5:16:42 PM, you wrote: CB> You can get hold of /dev/random as part of SUNWski. If you CB> hunt through sunsolve's public patches you'll find that package, CB> it's a bit of a dodgey way to get it, but it works fine :) CB> Carl >> From owner-openssh-unix-dev at mindrot.org Fri Jan 14 01:05:05 2000 >> Delivered-To: openssh-unix-dev-list at mindrot.org >> Date: Thu, 13 Jan 2000 17:03:59 +0300 >> From: Max Shaposhnikov >> X-Priority: 3 (Normal) >> To: openssh-unix-dev at mindrot.org >> Subject: /dev/urandom >> Mime-Version: 1.0 >> Content-Transfer-Encoding: 7bit >> >> on solaris7/sparc this device doesn't exists >> >> i can use EGD but he very big (perl script!) - in memory it take about >> 4mb! apache use the same! >> >> why ssh1.27 doesn't requre /dev/urandom on solaris? >> >> what alternatives exists? >> >> >> >> can't find... ;-( can you help me a little? -- Best regards, Max mailto:shapa at maxnet.ru From marc.fournier at acadiau.ca Fri Jan 14 01:55:03 2000 
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Thu, 13 Jan 2000 10:55:03 -0400 (AST)
Subject: .rhosts problem ... backtracking through code slowly ...
Message-ID:

Okay, here's where I've gotten to so far, which isn't far, but it doesn't appear that "case SSH_CMSG_AUTH_RHOSTS:" is ever being triggered in do_authloop() in sshd.c ...

Now, from what I can tell, in do_authloop(), this case is triggered by a packet from the client, with:

    /* Get a packet from the client. */
    type = packet_read(&plen);

So, if I'm right, the client isn't sending over what is necessary? client is openssh under FreeBSD/ports, server is Solaris7/pre25 ...

Still investigating ...

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From harvell at aol.net Fri Jan 14 01:57:24 2000
From: harvell at aol.net (Brian Harvell)
Date: Thu, 13 Jan 2000 09:57:24 -0500 (EST)
Subject: /dev/urandom
In-Reply-To: <5711.000113@maxnet.ru>
Message-ID:

On Thu, 13 Jan 2000, Max Shaposhnikov wrote:

> on solaris7/sparc this device doesn't exists
>
> i can use EGD but he very big (perl script!) - in memory it take about
> 4mb! apache use the same!
>
> why ssh1.27 doesn't requre /dev/urandom on solaris?
>
> what alternatives exists?
>

You can install the SUNWski package. It comes with the sun webserver on the SEAS cd. It's still not a kernel random like linux though. It has a stand alone daemon like the perl package. I think it's a little lighter though.

       PKGINST:  SUNWski
          NAME:  SKI 1.0 Software (User Package)
      CATEGORY:  application
          ARCH:  sparc
       VERSION:  1.0,REV=1998.09.24.00.00
       BASEDIR:  /
        VENDOR:  Sun Microsystems
          DESC:  SKI Software (User Package)
        PSTAMP:  mcm-ultra1>Fri Dec 4 14:23:39 PST 1998
      INSTDATE:  Jan 07 2000 16:32
        VSTOCK:  258-6422-05
       HOTLINE:  Please contact your local service provider
        STATUS:  completely installed
         FILES:    36 installed pathnames
                   10 shared pathnames
                    4 linked files
                   11 directories
                   16 executables
                 3173 blocks used (approx)

Brian

Brian Harvell  harvell at aol.net  http://ToolBoy.com/
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc

From shapa at maxnet.ru Fri Jan 14 02:10:08 2000
From: shapa at maxnet.ru (Max Shaposhnikov) Date: Thu, 13 Jan 2000 18:10:08 +0300 Subject: /dev/urandom In-Reply-To: References: Message-ID: <6757.000113@maxnet.ru> Hello Brian, Thursday, January 13, 2000, 5:57:24 PM, you wrote: BH> On Thu, 13 Jan 2000, Max Shaposhnikov wrote: >> on solaris7/sparc this device doesn't exists >> >> i can use EGD but he very big (perl script!) - in memory it take about >> 4mb! apache use the same! >> >> why ssh1.27 doesn't requre /dev/urandom on solaris? >> >> what alternatives exists? >> BH> You can install the SUNWski package. It comes with the sun webserver on the BH> SEAS cd. It's still not a kernel random like linux though. It has a stand BH> alone daemon like the perl package. I think it's a little lighter though. BH> PKGINST: SUNWski BH> NAME: SKI 1.0 Software (User Package) BH> CATEGORY: application BH> ARCH: sparc BH> VERSION: 1.0,REV=1998.09.24.00.00 BH> BASEDIR: / BH> VENDOR: Sun Microsystems BH> DESC: SKI Software (User Package) BH> PSTAMP: mcm-ultra1>Fri Dec 4 14:23:39 PST 1998 BH> INSTDATE: Jan 07 2000 16:32 BH> VSTOCK: 258-6422-05 BH> HOTLINE: Please contact your local service provider BH> STATUS: completely installed BH> FILES: 36 installed pathnames BH> 10 shared pathnames BH> 4 linked files BH> 11 directories BH> 16 executables BH> 3173 blocks used (approx) BH> Brian BH> Brian Harvell harvell at aol.net http://ToolBoy.com/ BH> echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc i don't have SEAS cd - in russia SUN support isn't good ;-( who can send to me this package? -- Best regards, Max mailto:shapa at maxnet.ru From marc.fournier at acadiau.ca Fri Jan 14 02:52:16 2000 
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Thu, 13 Jan 2000 11:52:16 -0400 (AST)
Subject: IgnoreRhosts not honored...?
Message-ID:

further investigation...changing IgnoreRhosts to yes instead of no:

    eris:/var/src/openssh-1.2.1pre25> grep IgnoreRhosts /usr/local/etc/sshd_config
    IgnoreRhosts yes

    ./sshd -d
    sPermitRootLogin triggered as yes
    sIgnoreRhosts triggered as yes
    sIgnoreRhosts triggered as no
    sIgnoreRhosts triggered as yes
    sIgnoreRhosts triggered as yes
    sIgnoreRhosts triggered as no
    sIgnoreRhosts triggered as no
    sIgnoreRhosts triggered as no
    sIgnoreRhosts triggered as yes
    sIgnoreRhosts triggered as no
    sIgnoreRhosts triggered as yes
    sIgnoreRhosts triggered as yes
    sIgnoreRhosts triggered as no
    debug: sshd version OpenSSH-1.2.1

Problem here?

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From enigma at nmt.edu Fri Jan 14 03:24:01 2000
From: enigma at nmt.edu (SysProg - Nathan Paul Simons) Date: Thu, 13 Jan 2000 09:24:01 -0700 (MST) Subject: /dev/urandom In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Thu, 13 Jan 2000, Ben Taylor wrote: > On Thu, 13 Jan 2000, Max Shaposhnikov wrote: > > why ssh1.27 doesn't requre /dev/urandom on solaris? i think the commercial ssh uses a one time generated random seed file. If i remember, it asks you to bang on the keyboard until it gets enough entropy, like PGP. It also might have its own internal code that does the same thing egd or /dev/urandom on linux does. > > what alternatives exists? > > None, that I'm aware of. I don't do a whole lot with crypto > since I'm in the USA. (Legal stuff, and all that, besides > I'm *not* a mathematician...) :-) > > I suppose that someone could port the /dev/urandom stuff to > Solaris. It would definitely be less memory intensive, I > suspect. Hmm, i wonder how hard it would be to write a kernel module for Solaris. They wrote a module for netatalk that seems to work pretty well, but i'm not all too familiar with Solaris internals. Systems Programmer - Nathan Paul Simons http://www.nmt.edu/~enigma Speare 20 x5748 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOH38I4agi6ObDYzdAQGvKgP/Svz2+Mjv/b5gHIvtJkm8OCBg6t2uC42N 6m+AGrt6uojK6989kBKs4+RWaK9WTB5E+4ykYLMWyo+3tEvevQsvjSkoI371Zb5g NBO3KYrlWaGtwxtl/5GoFgXI/x40+Qe0DtWO1o/nheWG1mjkptCtUZKopF5+mKYP jmGIxm2oOOM= =KxwH -----END PGP SIGNATURE----- From harvell at aol.net Fri Jan 14 03:32:36 2000 
From: harvell at aol.net (Brian Harvell) Date: Thu, 13 Jan 2000 11:32:36 -0500 (EST) Subject: /dev/urandom In-Reply-To: <6757.000113@maxnet.ru> Message-ID: On Thu, 13 Jan 2000, Max Shaposhnikov wrote: > > i don't have SEAS cd - in russia SUN support isn't good ;-( > who can send to me this package? > one person stated it could be found on sunsolve. http://sunsolve.sun.com Brian Brian Harvell harvell at aol.net http://ToolBoy.com/ echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc From dgryski at uwaterloo.ca Fri Jan 14 03:48:56 2000 
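The /dev/urandom thread above weighs a userland entropy daemon (EGD, or the SUNWski daemon) against a kernel device. As an added C example, not code from OpenSSH or from any of the posters, the routine below takes a seed from a device path when one exists and otherwise asks an EGD-style daemon over its UNIX socket, and refuses to proceed if neither source returns the full request. The function names and the socket path used in the self-checks are invented for this illustration; /dev/urandom is the real device name, and the request byte 0x02 followed by a count (blocking read of that many bytes) is the EGD protocol's own.

```c
/* Added example, not OpenSSH code: seed acquisition with an EGD fallback.
 * seed_from_device(), seed_from_egd(), gather_seed() are names chosen here. */
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

/* Read exactly n bytes, retrying on EINTR and short reads. Returns the
 * count actually read (less than n only at EOF) or -1 on error. */
static ssize_t read_full(int fd, unsigned char *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        if (r == 0) break;
        got += (size_t)r;
    }
    return (ssize_t)got;
}

/* Kernel source: a character device such as /dev/urandom. */
ssize_t seed_from_device(const char *path, unsigned char *buf, size_t n)
{
    int fd = open(path, O_RDONLY);
    ssize_t r;
    if (fd < 0) return -1;
    r = read_full(fd, buf, n);
    close(fd);
    return r;
}

/* Userland source: an EGD daemon on a UNIX socket. Request is the two
 * bytes 0x02 <count>; the daemon replies with exactly <count> bytes,
 * blocking until it has them, so count is limited to 255. */
ssize_t seed_from_egd(const char *sockpath, unsigned char *buf, size_t n)
{
    struct sockaddr_un sa;
    unsigned char req[2];
    ssize_t r;
    int fd;

    if (n == 0 || n > 255 || strlen(sockpath) >= sizeof(sa.sun_path)) return -1;
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, sockpath);           /* length checked above */
    if (connect(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) { close(fd); return -1; }
    req[0] = 0x02;
    req[1] = (unsigned char)n;
    if (write(fd, req, sizeof(req)) != (ssize_t)sizeof(req)) { close(fd); return -1; }
    r = read_full(fd, buf, n);
    close(fd);
    return r;
}

/* Prefer the kernel device, fall back to EGD. A short read from either
 * source counts as failure: a half-filled seed buffer is worse than an
 * error the caller is forced to handle. */
ssize_t gather_seed(const char *devpath, const char *egdpath,
                    unsigned char *buf, size_t n)
{
    if (seed_from_device(devpath, buf, n) == (ssize_t)n) return (ssize_t)n;
    if (seed_from_egd(egdpath, buf, n) == (ssize_t)n) return (ssize_t)n;
    return -1;
}

/* Self-checks. /dev/urandom is the real device; the socket path is a
 * constructed placeholder that does not exist on the test machine. */
int demo_device_seed_ok(void)
{
    unsigned char buf[32], zero[32];
    memset(buf, 0, sizeof(buf));
    memset(zero, 0, sizeof(zero));
    if (gather_seed("/dev/urandom", "/nonexistent/entropy.sock", buf, sizeof(buf)) != 32)
        return 0;
    return memcmp(buf, zero, sizeof(buf)) != 0;  /* 32 random bytes are never all zero */
}

int demo_missing_sources_fail(void)
{
    unsigned char buf[32];
    return gather_seed("/nonexistent/urandom", "/nonexistent/entropy.sock",
                       buf, sizeof(buf)) == -1;
}
```

The ordering matters for the memory complaint raised in the thread: a kernel device costs nothing per client, so it is tried first, and the daemon is only contacted on hosts that lack one. The second self-check is the case a defender cares about most, a host with neither source, where the code returns an error instead of letting key generation continue on an unseeded generator.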
From: dgryski at uwaterloo.ca (Damian Gryski)
Date: Thu, 13 Jan 2000 11:48:56 -0500
Subject: using gkermit with ssh (wishlist item)
Message-ID: <20000113114856.A1779@uwaterloo.ca>

I've been toying with the idea of using gkermit over an ssh connection. As it stands, gkermit is essentially featureless, a GPL kermit implementation that's enough to get the Free software advocates off their backs. However, since they want to continue to sell C-Kermit, it has all the `useful' features, such as scripting, but more importantly the ability to create a connection over which to transfer files. That's where ssh comes in.

Since gkermit has no interactive mode, only a command line interface, the only way to use it with ssh would be in a command like:

    gkermit -s hello.c | ssh user@host gkermit -r

But what if I'm connecting to a telnet (or, more precisely, ssh) BBS? What if I want to use ZModem instead of kermit?

I think a useful feature of ssh would be to be able to replace the current input/output stream with that of a spawned program, returning i/o control to the tty once the program exits. I envision a new escape sequence, like ~| or something, that would send all input from the remote machine to a program, and spit all output from the program back to the remote machine.

I am going to try and code this, 'cause I think it would be fun. I'm looking for any suggestions, or pointers on how to go about implementing this (or reasons why I shouldn't -- yes, I already know about scp...).

Thanks,

Damian

-- 
Damian Gryski ==> dgryski at uwaterloo.ca | Linux, the choice of a GNU generation
512 pt Hacker Test score = 37% | 500 pt Nerd Test score = 56%
geek / linux zealot / coder / juggler / sysadmin

From mag at bunuel.tii.matav.hu Fri Jan 14 04:10:05 2000
From: mag at bunuel.tii.matav.hu (Magosanyi Arpad)
Date: Thu, 13 Jan 2000 18:10:05 +0100
Subject: ssh-proxy, a new approach to firewall software
Message-ID: <20000113181005.A24546@bunuel.tii.matav.hu>

Hi!

After 3 days of furious programming, here is the half-finished code of the ssh gateway:

http://www.linux.hu/~mag/openssh.prepared.tar.gz

[No, it isn't even quarter finished, but I am forking to background again, and have no time/whatever to end it in the foreseeable future (except if one says "gee, it _is_ nice, here is the cash for finishing it")].

There are logically two parts of the work. Let's start with the more boring one:

I have modified a big part of the openssh code, making functions include and use an int session parameter. Now this parameter can be 0 or 1, but by writing the necessary initialization functions for the packet and the channel handling it is relatively straightforward to raise the limit to .

Rationale: The ssh proxy needs at least two of the encrypted connections, because it has to talk with a client and a server at the same time.

Status: I _believe_ that this didn't introduce a security hole, and possibly only minor bugs. I modified every other line of the code in some sources, but the modifications were straightforward. I have tested it, and it seems to work. Of course I cannot be sure that is the case.

The really interesting one is the ssh proxy (ssh-proxy.c). The idea is the following:

To the client it looks like an ssh daemon, but forwards anything politically accepted to some other host, for which it looks like an ssh client. Because of the encryption, it does a "man-in-the-middle attack": substitutes every key with a fake one, etc, etc. So far it is the normal behaviour an ssh proxy is expected to have.

The design of the beast is the interesting part: There is expected to be a higher level where the policy decisions are made: where to connect, when the connection gets accepted, what the substitute keys are, etc.
I think of the upper layer as a scheme script, part of which constitutes the configuration files, the other parts are the configuration library, which can be replaced by the admin if she knows a better one. A bit like the state machine code of fw-1.

Whenever the proxy gets to a state it generates an event and the upper layer decides on logging it, possibly aborting, and the parameters of the following control flow. The proxy knows the details of the protocol, the upper layer knows about the states of the protocol, and the configuration parts of it possibly know only some configuration parameters.

The communication of the proxy and the upper layer is done via events (the fw_event() function). Before the event the proxy sets variables which are the parameters of it (with fw_set_option_*). The upper layer makes decisions based on those parameters, and other parameters set in previous events. The decisions are communicated either through setting variables or directly modifying the control flow (typically aborting). The proxy reads the variables set by the upper layer (with fw_get_option_*), and acts accordingly.

Rationale: In my experience all firewall software has the problem of not giving enough chance of decision to the firewall administrator, and not going up enough in the OSI layers. The (even stateful) packet filters by design cannot easily have the information needed to do real firewalling work. The proxy firewalls would have the chance, but (at least I) haven't seen one which would really pull out everything which is in the technology. Typically they stop at IP based access control, user based access control where inbound authentication is easy enough, and some simple filtering capability. And you end up using just plugs for everything, which is nearly as bad as just having a packet filter. Maybe your vendor calls one particular setup of his plug a samba gateway, and if you do not look into the insides of your firewall, you will think that it really parses the protocol.
(Practice #1 for script kiddies: fire a VPN through the telnet port using ssh and have your firewall administrator not notice it. Practice #1 for firewall administrators: Make it at least a bit harder to do for a script kiddie with your current firewall software.)

So we need something which can keep up with the kiddies at least. Here it is. If you like buzzwords, call it stateful proxy technology. Have a proxy, and if you like it, alter every nuance of the way it speaks the protocol. And (it doesn't appear in the code, because it isn't ready), if you need to stack in something to take care of the healthy state of your data and systems (covert channel minimising comes to mind), just stack it in, and have phun.

Status: A serious programmer does not give out such code. I wouldn't either, but I have to abort this project of mine here and I hope someone will find it interesting enough to keep on.

What is written is only ssh-proxy.c and fw/fw.h . It compiles cleanly to object, but you would not find a lib to link with, and there is no main() anywhere. (Yes, there is a proxy_main()).

What is missing: The helper functions on the bottom, and the upper layer on the top:) Everything after we got into the server. There is no channel code, or main loop.

What we have: Lots of memory leaks. If you give me a buck for every memory leak you find in the code, I will be _rich_! Surely other bugs. 1400 lines of untested C code should be a very healthy location for millions of bugs. If you ever have problems with your house having too many bugs, just untar the archive onto the carpet, wait until the bugs run in, and put the thing out in the dust bin.

Credits: To the openssh team. To the ALF team.

-- 
GNU GPL: only from a clean source

From andre.lucas at dial.pipex.com Fri Jan 14 04:34:10 2000
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Thu, 13 Jan 2000 17:34:10 +0000
Subject: /dev/urandom
In-Reply-To: ; from enigma@nmt.edu on Thu, Jan 13, 2000 at 09:24:01AM -0700
References:
Message-ID: <20000113173410.H718@internal.domain>

On Thu, Jan 13, 2000 at 09:24:01AM -0700, SysProg - Nathan Paul Simons wrote:
> On Thu, 13 Jan 2000, Ben Taylor wrote:
>
> > On Thu, 13 Jan 2000, Max Shaposhnikov wrote:
> > > why ssh1.27 doesn't require /dev/urandom on solaris?
>
> i think the commercial ssh uses a one time generated random
> seed file. If i remember, it asks you to bang on the keyboard until it
> gets enough entropy, like PGP. It also might have its own internal code
> that does the same thing egd or /dev/urandom on linux does.

It works like EGD. In SSH 1.2.27, it hashes the output of various system state commands (e.g. ps, ls -alni /tmp, w, netstat). Check out randoms.c. In SSH 2.0.9, it doesn't run commands (all those fork()s can't have been too good for the program's efficiency...) but instead pulls in entropy from sources like /dev/random, system clock, getrusage(), etc.

To be honest, the entropy pool doesn't look to be that large, even in v2. If your system doesn't have getrusage then (at first glance, ok?) it looks like they're using the system clock and the saved state as IVs, which doesn't seem very random at all. They're getting a less thorough stir than with EGD, too.

> > > > what alternatives exist?
> > >
> > > None, that I'm aware of. I don't do a whole lot with crypto
> > > since I'm in the USA. (Legal stuff, and all that, besides
> > > I'm *not* a mathematician...) :-)
> > >
> > > I suppose that someone could port the /dev/urandom stuff to
> > > Solaris. It would definitely be less memory intensive, I
> > > suspect.
>

One could also reimplement something like EGD in C rather than Perl. I think EGD is rather more thorough than the SSH system entropy-based generator - it doesn't seem to have changed a great deal in v2 - which is a good thing.
There's not really any extra trust gained in making kernel modules since they're from a third party, so a user space program is equally (un)trustworthy, and a lot more likely to be portable.

Regs,
-Andre

> Hmm, i wonder how hard it would be to write a kernel module for
> Solaris. They wrote a module for netatalk that seems to work pretty well,
> but i'm not all too familiar with Solaris internals.
>
> Systems Programmer - Nathan Paul Simons
> http://www.nmt.edu/~enigma Speare 20 x5748
>

-- 
Andre Lucas
http://dspace.dial.pipex.com/andre.lucas/

From karn at ka9q.ampr.org Fri Jan 14 06:03:31 2000
From: karn at ka9q.ampr.org (Phil Karn)
Date: Thu, 13 Jan 2000 11:03:31 -0800
Subject: Inhibiting swapping with mlock
Message-ID: <200001131903.LAA22463@homer.ka9q.ampr.org>

There's one vulnerability that's bugged me for some time. It applies to nearly all crypto software, including ssh. That's the swapping of sensitive info (such as keys and key equivalents) onto hard drives where they could possibly be recovered later.

The Linux kernel provides a system call, mlock(), that inhibits swapping of a specified region of virtual memory. It locks it into real memory.

I see no calls to mlock anywhere in ssh. The easiest thing would be for ssh to mlock its entire data and stack segments at startup (no need to protect the text segment). This does entail a risk of deadlocking machines with limited RAM, though.

What do people think? Should this be a build option?

Phil

From marc.fournier at acadiau.ca Fri Jan 14 06:22:33 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Thu, 13 Jan 2000 15:22:33 -0400 (AST)
Subject: sshd doesn't set SSH_AUTH_RHOSTS as supported authentication
Message-ID:

Okay...I've got it narrowed down, just don't know why this is happening...

In sshd.c, auth_mask is set to "supported authentication methods":

    /* Declare supported authentication types. */
    auth_mask = 0;
    if (options.rhosts_authentication)
        auth_mask |= 1 << SSH_AUTH_RHOSTS;
    if (options.rhosts_rsa_authentication)
        auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
    if (options.rsa_authentication)
        auth_mask |= 1 << SSH_AUTH_RSA;

Now, in servconf.c, options.rhosts_authentication is set to 0 if IgnoreRhosts is no:

    case sIgnoreRhosts:
        intptr = &options->ignore_rhosts;
    parse_flag:
        cp = strtok(NULL, WHITESPACE);
        fprintf(stderr, "sIgnoreRhosts triggered as %s\n", cp);
        if (!cp) {
            fprintf(stderr, "%s line %d: missing yes/no argument.\n",
                filename, linenum);
            exit(1);
        }
        if (strcmp(cp, "yes") == 0)
            value = 1;
        else if (strcmp(cp, "no") == 0)
            value = 0;
        else {
            fprintf(stderr, "%s line %d: Bad yes/no argument: %s\n",
                filename, linenum, cp);
            exit(1);
        }
        if (*intptr == -1)
            *intptr = value;
        break;

================

now, just in case I had my logic backwards here, I wrote a test stub:

    #include <stdio.h>

    int main(void)
    {
        if (1) printf("1 - hello\n");
        if (0) printf("0 - hello\n");
        return 0;
    }

and the results are:

    atelier# !./
    ./t2
    1 - hello
    atelier#

========================

So, am I going crazy, or is the logic in sshd.c backwards? Should it not be:

    /* Declare supported authentication types. */
    auth_mask = 0;
    if (!options.rhosts_authentication)
        auth_mask |= 1 << SSH_AUTH_RHOSTS;
    if (options.rhosts_rsa_authentication)
        auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
    if (options.rsa_authentication)
        auth_mask |= 1 << SSH_AUTH_RSA;

From dugsong at monkey.org Fri Jan 14 06:36:02 2000
From: dugsong at monkey.org (Dug Song)
Date: Thu, 13 Jan 2000 14:36:02 -0500 (EST)
Subject: Inhibiting swapping with mlock
In-Reply-To: <200001131903.LAA22463@homer.ka9q.ampr.org>
Message-ID:

On Thu, 13 Jan 2000, Phil Karn wrote:

> The Linux kernel provides a system call, mlock(), that inhibits
> swapping of a specified region of virtual memory. It locks it into
> real memory.
>
> I see no calls to mlock anywhere in ssh.

OpenBSD supports swap encryption instead. shouldn't be hard to port to Linux.

    option UVM_SWAP_ENCRYPT

    Enables kernel support for encrypting pages that are written out to
    swap storage. Swap encryption prevents sensitive data from remaining
    on the disk even after the operating system has been shut down. This
    option should be turned on if cryptographic filesystems are used. The
    sysctl variable vm.swapencrypt controls its behaviour. See sysctl(8)
    and sysctl(3) for details.

-d.

---
http://www.monkey.org/~dugsong/

From enigma at nmt.edu Fri Jan 14 06:56:52 2000
From: enigma at nmt.edu (SysProg - Nathan Paul Simons)
Date: Thu, 13 Jan 2000 12:56:52 -0700 (MST)
Subject: Inhibiting swapping with mlock
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

On Thu, 13 Jan 2000, Dug Song wrote:

> On Thu, 13 Jan 2000, Phil Karn wrote:
>
> > The Linux kernel provides a system call, mlock(), that inhibits
> > swapping of a specified region of virtual memory. It locks it into
> > real memory.
> >
> > I see no calls to mlock anywhere in ssh.
>
> OpenBSD supports swap encryption instead. shouldn't be hard to port to
> Linux.

i was about to say that maybe swap should be encrypted. And, if you're really paranoid, you might go so far as to apply ipsec/swan principles to paged memory entirely (ie encrypt ALL memory and implement an authentication scheme process by process). This would really slow things down, however, and also leads to the question of where do you keep the keys? On the insecure hard drive?

Of course, for most purposes, having swap on a partition that's not touchable by anyone but root is usually good enough, plus the fact that most modern OSes (*BSD and Linux in particular) don't allow processes to access other processes' memory, except under special conditions (ie forks, shared libs, etc)

Systems Programmer - Nathan Paul Simons
http://www.nmt.edu/~enigma
Speare 20 x5748

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOH4uCYagi6ObDYzdAQGgHgQAkh+g5dTU3XMbCtYacS75F1eEIjDGBU/k
hBm4sT0sWQ8FL90iKR9odViZI1NcDMzBEscaugvSP16KoaLgqyauMpgcGQy0sNLi
tGUab8RLytsNrGSCDGLPqw8acIxBYThk6sIdJCYFOo1D6wWuOGci8BXCKdXPkJ5c
+0tQra6Y+TU=
=Q6JZ
-----END PGP SIGNATURE-----

From provos at citi.umich.edu Fri Jan 14 08:23:55 2000
From: provos at citi.umich.edu (Niels Provos)
Date: Thu, 13 Jan 2000 16:23:55 -0500
Subject: sshd doesn't set SSH_AUTH_RHOSTS as supported authentication
In-Reply-To: "Marc G. Fournier", Thu, 13 Jan 2000 15:22:33 -0400
Message-ID: <20000113212508.D7642270AC@toad.mindrot.org>

In message , "Marc G. Fournier" writes:
>Now, in servconf.c, options.rhosts_authentication is set to 0 if
>IgnoreRhosts is no:
>
>        case sIgnoreRhosts:
>            intptr = &options->ignore_rhosts;
>parse_flag:
>            cp = strtok(NULL, WHITESPACE);
>            fprintf(stderr, "sIgnoreRhosts triggered as %s\n", cp);

Your debug fprintf is rather bogus, many case statements reuse this code by jumping to parse_flag. That also explains why you got so many print outs in your log.

Niels.

From bwelling at xbill.org Fri Jan 14 08:36:50 2000
From: bwelling at xbill.org (Brian Wellington)
Date: Thu, 13 Jan 2000 16:36:50 -0500 (EST)
Subject: [David Huggins-Daines ] Bug#52414: ssh-add uses ssh-askpass, but ssh doesn't
In-Reply-To: <87u2lmby0b.fsf@sheikh.hands.com>
Message-ID:

On 13 Dec 1999, Philip Hands wrote:

> Markus Friedl writes:
>
> > On Fri, Dec 10, 1999 at 05:13:20PM +0000, Philip Hands wrote:
> > > OpenSSH's 'ssh' program doesn't seem to mimic the non-free SSH's behaviour
> > > of calling ssh-askpass when it's not possible to read the pass{phrase,word}
> > > from a terminal.
> >
> > hm, this is not a bug in openssh. i don't want ssh (setuid root)
> > exec a X11 program.
>
> That's a very good point.
>
> David, perhaps you should just use ssh-agent.
>
> I'm closing this bug --- Feel free to persuade me otherwise.

Hi. I just noticed this behavior, so I thought I'd check the mailing list to see if anyone else had commented on it.

Having ssh call ssh-askpass is useful for applications that want to tunnel over ssh. An example is the graphical interface to the sftp program I wrote. Since there's no controlling terminal, openssh just doesn't work, when the standard ssh does, since it calls ssh-askpass.

I don't see why the setuidness of ssh is a problem. There's no reason the privileges couldn't be dropped before exec-ing ssh-askpass. There are already places where ssh drops privileges.

Requiring the use of ssh-agent in this case is unacceptable.

Brian

From andre.lucas at dial.pipex.com Fri Jan 14 09:14:24 2000
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Thu, 13 Jan 2000 22:14:24 +0000
Subject: new login library alpha release
Message-ID: <20000113221423.I718@internal.domain>

Hi,

I've just posted an early alpha of a new login record library 'liblogin' to my website -> http://dspace.dial.pipex.com/andre.lucas/openssh.html . It's released as a patch, and it doesn't enable itself by default. Read the instructions first!

This release is missing a lot of functionality, but is tested and working on Linux (RH6.0 anyway) and OpenBSD. Why you might want it on OpenBSD is covered on the web page... It's a good thing. It won't work properly on platforms using direct utmp[x], wtmp[x] or the putut[x]line() methods. I want to see how people get on with it before implementing the rest.

Essentially, the library tries to abstract the simple-sounding task of recording who logged in and when away from the very ugly system-dependent implementation of this on various UNIX-like OSes. As Damien said before on the list, it's the nastiest part of porting OpenSSH to new platforms.

The old record_login() function (login.c) is about 100 lines of code, full of #ifdef statements. The liblogin version is this:

    void
    record_login( )
    {
        struct logininfo *li;

        li = liblogin_alloc_entry(pid, user, host, ttyname);
        liblogin_set_ip4(li, addr);
        liblogin_login(li);
    }

A good deal less hassle. Of course, the hassle has moved somewhere else, but, because it's liblogin's raison d'etre, it's designed with portability in mind and hopefully it will be easier to manage.

If you have a supported OS for this, please check it out and let me know how you get on.

Ta,
-Andre

-- 
Andre Lucas
http://dspace.dial.pipex.com/andre.lucas/

From karn at ka9q.ampr.org Fri Jan 14 15:35:05 2000
From: karn at ka9q.ampr.org (Phil Karn)
Date: Thu, 13 Jan 2000 20:35:05 -0800
Subject: Inhibiting swapping with mlock
In-Reply-To: (message from SysProg - Nathan Paul Simons on Thu, 13 Jan 2000 12:56:52 -0700 (MST))
References:
Message-ID: <200001140435.UAA23022@homer.ka9q.ampr.org>

> Of course, for most purposes, having swap on a partition that's
>not touchable by anyone but root is usually good enough, plus the fact
>that most modern OSes (*BSD and Linux in particular) don't allow processes

I'm thinking mainly about a machine that has been physically seized.

Phil

From djm at mindrot.org Fri Jan 14 22:27:42 2000
From: djm at mindrot.org (Damien Miller)
Date: Fri, 14 Jan 2000 22:27:42 +1100 (EST)
Subject: Inhibiting swapping with mlock
In-Reply-To: <200001131903.LAA22463@homer.ka9q.ampr.org>
Message-ID:

On Thu, 13 Jan 2000, Phil Karn wrote:

> There's one vulnerability that's bugged me for some time. It applies
> to nearly all crypto software, including ssh. That's the swapping of
> sensitive info (such as keys and key equivalents) onto hard drives
> where they could possibly be recovered later.

FWIW OpenSSH is pretty careful to bzero() sensitive data (such as keys and passphrases) as soon as possible. This does not protect data that has been swapped, but it does reduce the likelihood of it reaching swap in the first place.

Regards,
Damien Miller

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Fri Jan 14 22:41:13 2000
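The two mitigations argued about in this thread, Phil Karn's mlock() of the memory holding key material and Damien's bzero() of that material as soon as it is no longer needed, fit together in one small allocator. The following is an added example written for this archive, not code from OpenSSH or from any poster; it assumes a POSIX system with mmap(), mlock() and getrlimit(RLIMIT_MEMLOCK), and the struct and function names are made up here. Locking a single page-aligned buffer rather than the whole data and stack segments keeps the request well inside RLIMIT_MEMLOCK, which is the limit behind Phil's deadlock worry, and the code treats a failed mlock() as a reportable condition rather than a fatal one.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Holder for key material: page-aligned so mlock() covers whole pages, locked
 * into RAM for its lifetime where the system allows it, wiped before release.
 * (Hypothetical type for this example.) */
struct secret_buf {
    unsigned char *p;
    size_t len;        /* bytes the caller asked for */
    size_t mapped;     /* bytes actually mapped (rounded up to whole pages) */
    int locked;        /* 1 if mlock() succeeded */
    int lock_errno;    /* errno from mlock() if it did not */
};

/* Zero memory through a volatile pointer so the stores survive optimisation:
 * a plain memset() right before free/unmap may be dropped as a dead store. */
void wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Returns 0 if mapped and locked, 1 if mapped but not lockable (see
 * sb->lock_errno: ENOMEM means RLIMIT_MEMLOCK was exceeded, EPERM that the
 * process may not lock memory at all), -1 if the mapping itself failed. */
int secret_alloc(struct secret_buf *sb, size_t len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t mapped = ((len + page - 1) / page) * page;
    void *m = mmap(NULL, mapped, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

    memset(sb, 0, sizeof(*sb));
    if (m == MAP_FAILED)
        return -1;
    sb->p = m;
    sb->len = len;
    sb->mapped = mapped;
    if (mlock(m, mapped) == 0) {
        sb->locked = 1;
        return 0;
    }
    sb->lock_errno = errno;
    return 1;
}

int secret_is_zero(const struct secret_buf *sb)
{
    size_t i;
    for (i = 0; i < sb->mapped; i++)
        if (sb->p[i] != 0)
            return 0;
    return 1;
}

/* Wipe as soon as the key is no longer needed, well before the buffer is
 * released: the shorter its lifetime in RAM, the smaller the chance that a
 * page holding it is ever written to swap. */
void secret_wipe(struct secret_buf *sb)
{
    wipe(sb->p, sb->mapped);
}

/* Wipe, then unlock, then unmap, in that order: a page that has been
 * unlocked but not yet unmapped can still be swapped out. */
void secret_free(struct secret_buf *sb)
{
    if (sb->p == NULL)
        return;
    wipe(sb->p, sb->mapped);
    if (sb->locked)
        munlock(sb->p, sb->mapped);
    munmap(sb->p, sb->mapped);
    memset(sb, 0, sizeof(*sb));
}

/* Current soft limit on locked memory in bytes (RLIM_INFINITY if unlimited).
 * This is what bounds the "lock the whole data and stack segment" idea. */
int memlock_limit(unsigned long long *out)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0)
        return -1;
    *out = (unsigned long long)rl.rlim_cur;
    return 0;
}

int main(void)
{
    struct secret_buf key;
    unsigned long long lim;
    int rc = secret_alloc(&key, 32);   /* e.g. a 256-bit session key */
    if (rc < 0)
        return 1;
    memset(key.p, 0x42, key.len);      /* constructed stand-in for key bytes */
    printf("locked: %s\n", rc == 0 ? "yes" : strerror(key.lock_errno));
    if (memlock_limit(&lim) == 0)
        printf("RLIMIT_MEMLOCK soft limit: %llu bytes\n", lim);
    secret_free(&key);
    return 0;
}
```

Two caveats a reader of this thread would want: memory locks are not inherited across fork(), so a forked child (sshd forks per connection) must lock its own copy, and mlock() does nothing for copies of the key that end up in a core dump or in a hibernation image; those need separate controls.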
From: djm at mindrot.org (Damien Miller)
Date: Fri, 14 Jan 2000 22:41:13 +1100 (EST)
Subject: /dev/urandom
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 13 Jan 2000, Brian Harvell wrote:

> On Thu, 13 Jan 2000, Max Shaposhnikov wrote:
>
> > > i don't have SEAS cd - in russia SUN support isn't good ;-(
> > who can send to me this package?
> > one person stated it could be found on sunsolve.
>
> http://sunsolve.sun.com

If someone can point me to a canonical URL I would love to include it in the documentation.

Regards,
Damien Miller

- -- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4fwtcormJ9RG1dI8RAqSeAJ96g9FjiU6vK9tD9/hEMcAEfOm9OACaA3nl
NASIfyGid2Ti3s2yi0DLPfc=
=KNZ9
-----END PGP SIGNATURE-----

From oliver at gol.com Sat Jan 15 01:58:47 2000
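The /dev/urandom thread above comes down to where a program should get its seed on a system without a kernel random device: Andre Lucas describes the command-hashing approach of SSH 1.2.27 and the EGD daemon, and the Solaris question is what to fall back on. The following is an added example for this archive, not OpenSSH's entropy code and not anything a poster wrote; it shows the two sources a portable client of that era could query, a kernel device and an EGD Unix socket, and refuses to proceed if neither works. The EGD request format (command byte 0x02 plus a one-byte count, daemon blocks until it has that many bytes) is stated here as I understand the protocol and is an assumption; the socket path "/tmp/entropy" and all function names are made up for the example.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Read exactly n bytes from fd.  Returns n, or -1 on error, EOF or short read. */
static ssize_t read_full(int fd, unsigned char *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0 && errno == EINTR)
            continue;
        if (r <= 0)
            return -1;
        got += (size_t)r;
    }
    return (ssize_t)n;
}

/* Source 1: a kernel random device such as /dev/urandom. */
ssize_t random_from_device(const char *path, unsigned char *buf, size_t n)
{
    int fd = open(path, O_RDONLY);
    ssize_t r;
    if (fd < 0)
        return -1;
    r = read_full(fd, buf, n);
    close(fd);
    return r;
}

/* Source 2: an EGD daemon on a Unix socket.  Wire protocol as assumed here:
 * the client writes a 0x02 command byte and one byte with the number of bytes
 * wanted (at most 255); the daemon blocks until it can return exactly that
 * many bytes.  Larger requests are split into 255-byte chunks. */
ssize_t random_from_egd(const char *sockpath, unsigned char *buf, size_t n)
{
    struct sockaddr_un addr;
    size_t got = 0;
    int fd;

    if (strlen(sockpath) >= sizeof(addr.sun_path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, sockpath);
    if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        close(fd);
        return -1;
    }
    while (got < n) {
        size_t chunk = n - got > 255 ? 255 : n - got;
        unsigned char req[2] = { 0x02, (unsigned char)chunk };
        if (write(fd, req, 2) != 2 || read_full(fd, buf + got, chunk) < 0) {
            close(fd);
            return -1;
        }
        got += chunk;
    }
    close(fd);
    return (ssize_t)n;
}

/* Try the kernel device first, then EGD.  Returns the name of the source used,
 * or NULL when neither is available; a caller generating keys should then
 * stop rather than fall back to the clock or process state as a seed. */
const char *get_random_bytes(unsigned char *buf, size_t n)
{
    if (random_from_device("/dev/urandom", buf, n) == (ssize_t)n)
        return "/dev/urandom";
    /* "/tmp/entropy" is a hypothetical EGD socket path for this example. */
    if (random_from_egd("/tmp/entropy", buf, n) == (ssize_t)n)
        return "egd";
    return NULL;
}

/* Cheap sanity check: a buffer of identical bytes is a sure sign of a broken
 * source.  This is not a randomness test, only a guard against a dead source. */
int looks_random(const unsigned char *buf, size_t n)
{
    size_t i;
    for (i = 1; i < n; i++)
        if (buf[i] != buf[0])
            return 1;
    return 0;
}

int main(void)
{
    unsigned char buf[32];
    const char *src = get_random_bytes(buf, sizeof(buf));
    size_t i;
    if (src == NULL) {
        fprintf(stderr, "no entropy source available\n");
        return 1;
    }
    printf("%s:", src);
    for (i = 0; i < sizeof(buf); i++)
        printf(" %02x", buf[i]);
    printf("\n");
    return 0;
}
```

The order matters: the kernel device is preferred because its pool is fed by the kernel itself, and the EGD path is the portable fallback for systems like the Solaris releases discussed here. What the example deliberately does not do is what Andre criticises in the SSH 2 code path without getrusage(): silently seed from the system clock when the good sources are missing.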
From: oliver at gol.com (Oliver M . Bolzer)
Date: Fri, 14 Jan 2000 15:58:47 +0100
Subject: The cipher 'none' in OpenSSH
Message-ID: <20000114155847.A21245@mokona.sukisuki.org>

Hello to everyone!

First I would like to thank everybody for making a free implementation of ssh available.

I am administrating the network at the computer science department of the University of Munich. Here, rcp (as in many other places, I guess) is banned for security reasons. I, as well as others, use scp regularly to copy files from one machine to another.

The problem is that the transfer rate is nowhere near what a 100Mbps connection would give. To and from my P5-233 laptop I get only about 350KBps. Between P6-450 machines the performance is about double. In contrast, if I used ftp, I'd get much much more. I checked and noticed that ssh used up all the CPU power for encrypting the data.

I remember ssh-nonfree having a cipher 'none' which does not encrypt the actual data. But it's not available in OpenSSH up to 1.2.1pre25. I checked the source and all the infrastructure seemed to be there, so I added support for "-c none". See the attached patch.

It has been tested between two up-to-date Debian Linux (potato) boxes running Linux 2.2.13 and Linux 2.3.32 with openssh-1.2.1pre25. On the above said laptop transfer rates of 3MBps were obtained (loopback test).

Because authentication is still done using RSA keys, there should be no huge security impacts. Also "-c none" would only be explicitly specified by the user when transferring large files.

As I am not subscribed to the list, I'd appreciate it if any replies could be Cc:-ed to me. Thanks.

-- 
Oliver M.
Bolzer oliver at gol.com GPG (PGP) Fingerprint = 621B 52F6 2AC1 36DB 8761 018F 8786 87AD EF50 D1FF -------------- next part -------------- Only in openssh-1.2.1pre25: Makefile diff -ur openssh-1.2.1pre25.orig/cipher.c openssh-1.2.1pre25/cipher.c --- openssh-1.2.1pre25.orig/cipher.c Tue Dec 14 23:34:31 1999 +++ openssh-1.2.1pre25/cipher.c Fri Jan 14 14:37:16 2000 @@ -148,6 +148,7 @@ unsigned int mask = 0; mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */ mask |= 1 << SSH_CIPHER_BLOWFISH; + mask |= 1 << SSH_CIPHER_NONE; return mask; } diff -ur openssh-1.2.1pre25.orig/ssh.c openssh-1.2.1pre25/ssh.c --- openssh-1.2.1pre25.orig/ssh.c Wed Dec 29 00:17:09 1999 +++ openssh-1.2.1pre25/ssh.c Fri Jan 14 14:40:50 2000 @@ -106,7 +106,8 @@ fprintf(stderr, " -c cipher Select encryption algorithm: " "``3des'', " - "``blowfish''\n"); + "``blowfish'', " + "``none''\n"); fprintf(stderr, " -p port Connect to this port. Server must be on the same port.\n"); fprintf(stderr, " -L listen-port:host:port Forward local port to remote address\n"); fprintf(stderr, " -R listen-port:host:port Forward remote port to local address\n"); From drankin at bohemians.lexington.ky.us Sat Jan 15 03:28:52 2000 
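Review bot: the added `mask |= 1 << SSH_CIPHER_NONE;` in the cipher.c hunk puts the null cipher into the mask unconditionally, so every server built from this patch will accept an unencrypted session from any client, not only when a user explicitly asks for `-c none` as the cover message intends. Wrap that line in a configure-time conditional that is off by default (the `--with-none` option David Rankin asks for in his reply) so the default build keeps the mask at 3des and blowfish. Also, nothing in the two hunks maps the string "none" to SSH_CIPHER_NONE or checks the server's mask on the client side; the cover message says that infrastructure is already present, but it cannot be confirmed from the patch as posted.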
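Review bot: the ssh.c hunk lists ``none'' in the `-c cipher` usage text beside ``3des'' and ``blowfish'' with nothing to show that it turns encryption off entirely; mark it in the string, e.g. "``none'' (no encryption)", and keep this usage line under the same build conditional as the cipher.c mask change so the help text never offers a cipher the binary does not support.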
From: drankin at bohemians.lexington.ky.us (David Rankin)
Date: Fri, 14 Jan 2000 11:28:52 -0500
Subject: The cipher 'none' in OpenSSH
In-Reply-To: <20000114155847.A21245@mokona.sukisuki.org>; from Oliver M . Bolzer on Fri, Jan 14, 2000 at 03:58:47PM +0100
References: <20000114155847.A21245@mokona.sukisuki.org>
Message-ID: <20000114112851.A5347@rumpole.bohemians.lexington.ky.us>

On Fri, Jan 14, 2000 at 03:58:47PM +0100, Oliver M . Bolzer wrote:
> Hello to everyone!
> First I would like to thank everybody for making a free implementation
> of ssh available.
> I am administrating the network at the computer science department of
> the University of Munich. Here, rcp (as in many other places, I guess)
> is banned for security reasons. I, as well as others, use scp regularly
> to copy files from one machine to another.
> The problem is that the transfer rate is nowhere near what a 100Mbps
> connection would give. To and from my P5-233 laptop I get only about
> 350KBps. Between P6-450 machines the performance is about double. In contrast
> if I used ftp, I'd get much much more. I checked and noticed that ssh
> used up all the CPU power for encrypting the data.

If you are concerned with performance, I'd suggest using "des". You are getting "trivial" encryption; i.e. not enough encryption to stop someone from seeing the data given some time, but sufficient encryption to keep "most" people from becoming the man in the middle and changing your data in-transit. Even so, do NOT pass ANY sensitive data over des, since it can be easily cracked within a couple of weeks.

> I remember ssh-nonfree having a cipher 'none' which does not encrypt
> the actual data. But it's not available in OpenSSH up to 1.2.1pre25.
> I checked the source and all the infrastructure seemed to be there, so
> I added support for "-c none". See the attached patch.
> It has been tested between two up-to-date Debian Linux (potato) boxes
> running Linux 2.2.13 and Linux 2.3.32 with openssh-1.2.1pre25.
> On the above said laptop transfer rates of 3MBps were obtained (loopback
> test)
>
> Because authentication is still done using RSA keys, there should be
> no huge security impacts. Also "-c none" would only be explicitly specified
> by the user when transferring large files.

-c none is still a large security exposure. It is the encryption that keeps someone from waiting until after keys pass and then immediately stepping in and either altering data or intercepting passwords.

I'm not even sure that I'd support this, but the only way this should go into the tree is with a "--with-none" option for configure that is by default "without".

David

-- 
David W. Rankin, Jr. Husband, Father, and UNIX Sysadmin.
Email: drankin at bohemians.lexington.ky.us Address/Phone Number: Ask me.
"It is no great thing to be humble when you are brought low; but to be humble when you are praised is a great and rare accomplishment." St. Bernard

From mw at moni.msci.memphis.edu Sat Jan 15 05:51:01 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Fri, 14 Jan 2000 12:51:01 -0600
Subject: forum to discuss problems
Message-ID: <20000114125101.A12772@moni.msci.memphis.edu>

Please tell me where I can ask questions on ssh's use.

I installed openssh on two Linux boxes, one is RedHat 6.0 the other is RedHat 6.1. I used the rpms at

ftp://thermo.stat.ncsu.edu/pub/openssh-usa/

I used the us versions, and I touched no config files whatsoever.

From one machine, I have no problems connecting to the other machine, but it does not work the other way around. Here are the details:

On the RH 6.0 box, I have problems connecting to the 6.1 box:

    ssh -v moni
    SSH Version OpenSSH-1.2.1, protocol version 1.5.
    Compiled with SSL (RSAref version).
    debug: Reading configuration data /etc/ssh/ssh_config
    debug: ssh_connect: getuid 0 geteuid 0 anon 0
    debug: Connecting to wierdlmpc.msci.memphis.edu [141.225.11.87] port 22.
    debug: Allocated local port 1023.
    debug: Connection established.
    ssh_exchange_identification: read: No such file or directory
    debug: Calling cleanup 0x8054c80(0x0)

From the 6.1 box, I have no problems connecting to the 6.0 box:

    # ssh -v bbg
    SSH Version OpenSSH-1.2.1, protocol version 1.5.
    Compiled with SSL (RSAref version).
    debug: Reading configuration data /etc/ssh/ssh_config
    debug: ssh_connect: getuid 0 geteuid 0 anon 0
    debug: Connecting to bbg.msci.memphis.edu [141.225.112.200] port 22.
    debug: Allocated local port 1023.
    debug: Connection established.
    debug: Remote protocol version 1.5, remote software version OpenSSH-1.2.1
    debug: Waiting for server public key.
    debug: Received server public key (768 bits) and host key (1024 bits).
    debug: Host 'bbg.msci.memphis.edu' is known and matches the host key.
    debug: Encryption type: 3des
    debug: Sent encrypted session key.
    debug: Installing crc compensation attack detector.
    debug: Received encrypted confirmation.
    debug: Trying RSA authentication with key 'root at moni.msci.memphis.edu'
    debug: Server refused our key.
    debug: Doing password authentication.
    root at bbg.msci.memphis.edu's password:

Thx for any hints,

-- 
---
Mate Wierdl | Dept. of Math. Sciences | University of Memphis

From mw at wierdlmpc.msci.memphis.edu Sat Jan 15 06:52:36 2000
From: mw at wierdlmpc.msci.memphis.edu (Mate Wierdl)
Date: Fri, 14 Jan 2000 13:52:36 -0600
Subject: minor prob with spec file
Message-ID: <20000114195237.18390.qmail@wierdlmpc.msci.memphis.edu>

The openssl rpm needs to be installed on the system *before* the openssh-server rpm is installed. This is because the openssh-server's post script does the host key generation. As it is now, the command

    rpm -U openss*

intended to install openssh* and openssl* will report that the host key generation failed.

Fix: change

    PreReq: openssh chkconfig >= 0.9

to

    PreReq: openssh chkconfig >= 0.9 openssl

in %package server.

Best
Mate

---
Mate Wierdl | Dept. of Math. Sciences | University of Memphis

From ds-openssh at sws5.ctd.ornl.gov Sat Jan 15 07:56:24 2000
From: ds-openssh at sws5.ctd.ornl.gov (Dave Sill)
Date: Fri, 14 Jan 2000 15:56:24 -0500 (EST)
Subject: 1.2.1pre25 on IRIX 6.5
Message-ID: <14463.36216.803286.956019@sws5.ctd.ornl.gov>

Built it OK, and the daemon runs fine, but the client has a problem. It identifies all remote hosts as 255.255.255.255 and complains that the key differs:

    de5 at sws5$ ssh sws31 date
    Warning: the host key for 'sws31.cind.ornl.gov' differs from the key for the IP address '255.255.255.255'

Any ideas? Please copy me on replies.

-Dave

From gene at ozob.net Sat Jan 15 08:51:53 2000
From: gene at ozob.net (Gene Imes)
Date: Fri, 14 Jan 2000 15:51:53 -0600 (CST)
Subject: Failed password
Message-ID:

I may have posted this before but got no reply.

I run sshd -d and try to login from another machine and this is what happens:

    gene at bubba:/usr/include/asm> sudo sshd -d
    Password:
    debug: sshd version OpenSSH-1.2.1
    Server listening on port 22.
    Generating 768 bit RSA key.
    RSA key generation complete.
    debug: Server will not fork when running in debugging mode.
    Connection from 216.131.4.131 port 1023
    debug: Client protocol version 1.5; client software version 1.2.27
    debug: Sent 768 bit public key and 1024 bit host key.
    debug: Encryption type: 3des
    debug: Received session key; encryption turned on.
    debug: Installing crc compensation attack detector.
    debug: Attempting authentication for gene.
    Failed password for gene from 216.131.4.131 port 1023
    Connection closed by 216.131.4.131
    debug: Calling cleanup 0x805724c(0x0)

The password is correct though.

Please email me a reply, I am not subscribed.

Thanks,

::::: Gene Imes http://www.ozob.net :::::

From karn at ka9q.ampr.org Sat Jan 15 07:25:31 2000
From: karn at ka9q.ampr.org (Phil Karn)
Date: Fri, 14 Jan 2000 12:25:31 -0800
Subject: The cipher 'none' in OpenSSH
In-Reply-To: <20000114155847.A21245@mokona.sukisuki.org> (oliver@gol.com)
References: <20000114155847.A21245@mokona.sukisuki.org>
Message-ID: <200001142025.MAA24410@homer.ka9q.ampr.org>

It's been suggested to me that I use blowfish if I am more concerned with speed than with security.

Wasn't there some weakness in the SSH protocol if the null cipher were supported in the endpoints even if the user doesn't choose it? It may have been a vulnerability to a man-in-the-middle attack, I'm not sure.

Phil

From jmknoble at pobox.com Sat Jan 15 08:31:28 2000
From: jmknoble at pobox.com (Jim Knoble)
Date: Fri, 14 Jan 2000 16:31:28 -0500
Subject: forum to discuss problems
In-Reply-To: <20000114125101.A12772@moni.msci.memphis.edu>; from Mate Wierdl on Fri, Jan 14, 2000 at 12:51:01PM -0600
References: <20000114125101.A12772@moni.msci.memphis.edu>
Message-ID: <20000114163128.A986@ntrnet.net>

Mate--

På 2000-Jan-14 klokka 12:51:01 -0600 skrivet Mate Wierdl:

: Please tell me where I can ask questions on ssh's use.

For openssh, this list will work.

: I installed openssh on two Linux boxes, one is RedHat 6.0 the other is
: RedHat 6.1. I used the rpms at
[...]
: From one machine, I have no problems connecting to the other machine,
: but does not work the other way around.
[...]
:
: On the RH 6.0 box, I have problems connecting to the 6.1 box:
:
: ssh -v moni
: SSH Version OpenSSH-1.2.1, protocol version 1.5.
: Compiled with SSL (RSAref version).
: debug: Reading configuration data /etc/ssh/ssh_config
: debug: ssh_connect: getuid 0 geteuid 0 anon 0
: debug: Connecting to wierdlmpc.msci.memphis.edu [141.225.11.87] port 22.
: debug: Allocated local port 1023.
: debug: Connection established.
: ssh_exchange_identification: read: No such file or directory
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This looks as if the remote server doesn't have a host key. Can you
confirm?

: debug: Calling cleanup 0x8054c80(0x0)

Have you tried running the remote server with debugging messages enabled
as well? That ought to tell you more.

-- 
jim knoble jmknoble at pobox.com

From jmknoble at pobox.com Fri Jan 14 08:06:42 2000
From: jmknoble at pobox.com (Jim Knoble)
Date: Thu, 13 Jan 2000 16:06:42 -0500
Subject: sshd doesn't set SSH_AUTH_RHOSTS as supported authentication
In-Reply-To: ; from Marc G. Fournier on Thu, Jan 13, 2000 at 03:22:33PM -0400
References:
Message-ID: <20000113160642.B20804@ntrnet.net>

På 2000-Jan-13 klokka 15:22:33 -0400 skrivet Marc G. Fournier:

: Now, in servconf.c, options.rhosts_authentication is set to 0 if
                      ^^^^^^^^^^^^^^^^^^^^^
: IgnoreRhosts is no:
:
:     case sIgnoreRhosts:
:         intptr = &options->ignore_rhosts;
                              ^^^^^^^^^^^^^
:     parse_flag:
:         cp = strtok(NULL, WHITESPACE);
:         fprintf(stderr, "sIgnoreRhosts triggered as %s\n", cp);
:         if (!cp) {
:             fprintf(stderr, "%s line %d: missing yes/no argument.\n",
:                     filename, linenum);
:             exit(1);
:         }
:         if (strcmp(cp, "yes") == 0)
:             value = 1;
:         else if (strcmp(cp, "no") == 0)
:             value = 0;
:         else {
:             fprintf(stderr, "%s line %d: Bad yes/no argument: %s\n",
:                     filename, linenum, cp);
:             exit(1);
:         }
:         if (*intptr == -1)
:             *intptr = value;
:         break;

I might be wrong, but I don't see options.rhosts_authentication being
set in the code snippet above.

-- 
jim knoble jmknoble at pobox.com

From the_h1ghlander at yahoo.com Sat Jan 15 17:54:53 2000
From: the_h1ghlander at yahoo.com (Ben Taylor)
Date: Fri, 14 Jan 2000 22:54:53 -0800 (PST)
Subject: Inhibiting swapping with mlock
Message-ID: <20000115065453.28383.rocketmail@web221.mail.yahoo.com>

--- Damien Miller wrote:
> On Thu, 13 Jan 2000, Phil Karn wrote:
>
> > There's one vulnerability that's bugged me for some time. It applies
> > to nearly all crypto software, including ssh. That's the swapping of
> > sensitive info (such as keys and key equivalents) onto hard drives
> > where they could possibly be recovered later.
>
> FWIW OpenSSH is pretty careful to bzero() sensitive data (such as
> keys and passphrases) as soon as possible.
>
> This does not protect data that has been swapped, but it does reduce
> the likelihood of it reaching swap in the first place.

I don't know about Linux and the BSD variants, but I think you can lock
a process into memory which will prevent it from being paged out in
Solaris. Perhaps this is something we should investigate?

Ben
mailto:bent at clark.net

__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com

From dugsong at monkey.org Sat Jan 15 18:08:26 2000
From: dugsong at monkey.org (Dug Song)
Date: Sat, 15 Jan 2000 02:08:26 -0500 (EST)
Subject: The cipher 'none' in OpenSSH
In-Reply-To: <200001142025.MAA24410@homer.ka9q.ampr.org>
Message-ID:

On Fri, 14 Jan 2000, Phil Karn wrote:

> Wasn't there some weakness in the SSH protocol if the null cipher were
> supported in the endpoints even if the user doesn't choose it? It may
> have been a vulnerability to a man-in-the-middle attack, I'm not sure.

yes - markus friedl (OpenSSH developer) reported this to BUGTRAQ in early
OpenSSH development. doesn't affect OpenSSH (or the OpenBSD third-party
/usr/ports/security/ssh port either)...

-d.

---
http://www.monkey.org/~dugsong/

From andre.lucas at dial.pipex.com Sat Jan 15 21:51:25 2000
From: andre.lucas at dial.pipex.com (Andre Lucas) Date: Sat, 15 Jan 2000 10:51:25 +0000 Subject: Failed password In-Reply-To: ; from gene@ozob.net on Fri, Jan 14, 2000 at 03:51:53PM -0600 References: Message-ID: <20000115105125.A710@internal.domain> Gene, I can't find your previous post in my mailbox. Did it have some more information than this one? Which platform(s) you running on would be helpful. The version(s) of openssh would be useful too. If you're using Solaris or Linux and running PAM, it's possible that you haven't installed the PAM support file, included in the distribution. See INSTALL for details. Ta, -Andre On Fri, Jan 14, 2000 at 03:51:53PM -0600, Gene Imes wrote: > > I may have posted this before but got no reply. > > I run sshd -d and try to login from another machine and this is what > happens: > > gene at bubba:/usr/include/asm> sudo sshd -d > Password: > debug: sshd version OpenSSH-1.2.1 > Server listening on port 22. > Generating 768 bit RSA key. > RSA key generation complete. > debug: Server will not fork when running in debugging mode. > Connection from 216.131.4.131 port 1023 > debug: Client protocol version 1.5; client software version 1.2.27 > debug: Sent 768 bit public key and 1024 bit host key. > debug: Encryption type: 3des > debug: Received session key; encryption turned on. > debug: Installing crc compensation attack detector. > debug: Attempting authentication for gene. > Failed password for gene from 216.131.4.131 port 1023 > Connection closed by 216.131.4.131 > debug: Calling cleanup 0x805724c(0x0) > > The password is correct though. > > Please email me a reply, I am not subscribed. > > Thanks, > > ::::: Gene Imes http://www.ozob.net ::::: > -- Andre Lucas http://dspace.dial.pipex.com/andre.lucas/ From oliver at gol.com Sat Jan 15 23:31:55 2000 
From: oliver at gol.com (Oliver M . Bolzer)
Date: Sat, 15 Jan 2000 13:31:55 +0100
Subject: The cipher 'none' in OpenSSH
In-Reply-To: <20000114112851.A5347@rumpole.bohemians.lexington.ky.us>; from David Rankin on Fri, Jan 14, 2000 at 11:28:52AM -0500
References: <20000114155847.A21245@mokona.sukisuki.org> <20000114112851.A5347@rumpole.bohemians.lexington.ky.us>
Message-ID: <20000115133155.A24558@mokona.sukisuki.org>

On Fri, Jan 14, 2000 at 11:28:52AM -0500, David Rankin wrote...
> > if I used ftp, I'd get much much more. I checked and noticed, that ssh
> > used up all the CPU power for encrypting the data.
>
> If you are concerned with performance, I'd suggest using "des". You are
> getting "trivial" encryption; i.e. not enough encryption to stop someone

des "is no longer supported in ssh" (man 1 ssh). Someone else suggested
using blowfish so I did some benchmarks. I copied a 23083KB file using
scp on a P5-233/64MB RAM laptop running Debian Linux (potato as of 1/13)
with Linux 2.3.32 three times using the various ciphers and calculated
the average. The command line used was

    time scp -c XXX 07_Beethoven_Symph9Mov4.mp3 localhost:

where XXX is the cipher. For comparison I also copied using /bin/cp
because the experiment was done copying onto the same disk.

    cipher     time    throughput
    3des       1m43s    224KBps
    blowfish     31s    769KBps
    none         17s   1357KBps
    /bin/cp      13s   1776KBps

none still has a 2:1 speed advantage over blowfish and that is IMHO
still a lot. If des was enabled I guess it would be about 3x the
performance of 3des, so about equal to blowfish.

> -c none is still a large security exposure. It is the encryption that keeps
> someone from waiting until after keys pass and then immediately step in and
> either alter data or intercept passwords.

Yes, I do recognize the danger of a man-in-the-middle attack. The only
reasonable place for none would be LANs (because over the net, bandwidth
will more likely be the limiting factor) where the largest danger would
be password sniffing.

Also none is most useful for transferring large data, as speed is not
much of an issue for small files (3des is fast enough in such a case).
The difference between 1 and 2 sec is small but between 5min and 10min
is huge.

> I'm not even sure that I'd support this, but the only way this should go
> into the tree is with a "--with-none" option for configure that is by default
> "without".

I would agree with making it a configure option. Default value is not
for me to decide. What I plead for is the freedom of choice to select a
weaker cipher in cases where its use gives more advantages than
disadvantages.

Thanks.

-- 
Oliver M. Bolzer oliver at gol.com
GPG (PGP) Fingerprint = 621B 52F6 2AC1 36DB 8761 018F 8786 87AD EF50 D1FF

From provos at citi.umich.edu Sun Jan 16 07:46:08 2000
From: provos at citi.umich.edu (Niels Provos)
Date: Sat, 15 Jan 2000 15:46:08 -0500
Subject: Inhibiting swapping with mlock
In-Reply-To: Phil Karn, Thu, 13 Jan 2000 20:35:05 PST
Message-ID: <20000115204806.A42D427107@toad.mindrot.org>

In message <200001140435.UAA23022 at homer.ka9q.ampr.org>, Phil Karn writes:
>I'm thinking mainly about a machine that has been physically seized.

That was the main motivation behind the swap encryption I implemented for
OpenBSD. It is amazing what you find on a swap partition: plaintext
passwords, old icb conversations, old emails, old netscape url history
lists, etc... Data survives across multiple system shutdowns.

Niels.

From mw at wierdlmpc.msci.memphis.edu Sun Jan 16 08:18:32 2000
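The two halves of the "Inhibiting swapping with mlock" thread above (pin the secret so it never reaches swap, and zero it as early as possible) put together in one added example. This is not OpenSSH code; it is illustrative C written for this page, using only mlock(2), munlock(2), posix_memalign(3) and a volatile store loop. The names secret_buf, secret_alloc, secret_free, secure_wipe and demo_wipe are the example's own, and the 16-byte key it loads is a constructed placeholder.

```c
/* Added example, not OpenSSH code: keep a secret in page-locked memory
 * and wipe it with stores the compiler cannot discard. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

struct secret_buf {
    unsigned char *data;
    size_t len;
    int locked;   /* 1 if mlock() succeeded, 0 if the kernel refused it */
};

/* Clear len bytes through a volatile pointer. A plain memset() right
 * before free() is a dead store the optimiser may legally drop; a
 * volatile access has to be performed. */
void secure_wipe(void *p, size_t len)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (len--)
        *vp++ = 0;
}

/* Allocate len bytes page-aligned and try to pin them in RAM. Returns 0
 * on success; sb->locked records whether the pin actually took
 * (RLIMIT_MEMLOCK or a pre-2.6.9 Linux kernel can refuse it). */
int secret_alloc(struct secret_buf *sb, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    void *p = NULL;

    if (page <= 0)
        page = 4096;
    if (posix_memalign(&p, (size_t)page, len) != 0)
        return -1;
    sb->data = p;
    sb->len = len;
    sb->locked = (mlock(p, len) == 0);
    if (!sb->locked)
        fprintf(stderr, "mlock: %s (secret may be paged out)\n", strerror(errno));
    return 0;
}

/* Wipe, unpin and release. The wipe comes before munlock() so the pages
 * never hold plaintext while they are eligible for swap. */
void secret_free(struct secret_buf *sb)
{
    if (sb->data == NULL)
        return;
    secure_wipe(sb->data, sb->len);
    if (sb->locked)
        munlock(sb->data, sb->len);
    free(sb->data);
    sb->data = NULL;
    sb->len = 0;
    sb->locked = 0;
}

/* Returns 1 if every byte in p[0..len) is zero. */
int all_zero(const unsigned char *p, size_t len)
{
    unsigned char acc = 0;
    while (len--)
        acc |= *p++;
    return acc == 0;
}

/* Round trip with a constructed key: load, "use", wipe, verify.
 * Returns 1 if the buffer holds nothing but zeros after the wipe. */
int demo_wipe(void)
{
    static const unsigned char sample_key[16] = "demo-key-bytes"; /* constructed */
    struct secret_buf sb;
    int clean;

    if (secret_alloc(&sb, sizeof sample_key) != 0)
        return 0;
    memcpy(sb.data, sample_key, sizeof sample_key);
    /* ... the key would be used for the session here ... */
    secure_wipe(sb.data, sb.len);
    clean = all_zero(sb.data, sb.len);
    secret_free(&sb);
    return clean;
}

int main(void)
{
    printf("wipe %s\n", demo_wipe() ? "ok" : "FAILED");
    return 0;
}
```

Two caveats a practitioner should keep in mind. mlock() only addresses paging: it does nothing for core dumps (set RLIMIT_CORE to 0 as well) and, on Linux, locks are not inherited across fork(). And on the kernels contemporary with this thread mlock() was root-only (Linux needed CAP_IPC_LOCK until 2.6.9), which is why the example treats a failed lock as a warning rather than a fatal error; what the lock cannot cover is exactly the residue Niels describes, which swap encryption is meant to address.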
From: mw at wierdlmpc.msci.memphis.edu (Mate Wierdl)
Date: Sat, 15 Jan 2000 15:18:32 -0600
Subject: forum to discuss problems
In-Reply-To: Message from Jim Knoble of "Fri, 14 Jan 2000 16:31:28 EST." <20000114163128.A986@ntrnet.net>
Message-ID: <20000115211832.3685.qmail@wierdlmpc.msci.memphis.edu>

: From one machine, I have no problems connecting to the other machine,
: but does not work the other way around. [...]

My question is cancelled: I had an `ALL: ALL' entry in /etc/hosts.deny
on the machine I could not connect to, and I did not realize that the
rpm was compiled with tcpwrappers support.

But here is another bit: On one machine, I ran ssh-keygen on box A, and
copied ~mw/.ssh/identity.pub to box B as ~mw/.ssh/authorized_keys. I
expected that typing `ssh B' on box A would immediately connect me to
box B, but I was still prompted for a password. Am I reading the man
page for ssh incorrectly:

    The user should then copy the identity.pub to .ssh/authorized_keys
    in his/her home directory on the remote machine (the authorized_keys
    file corresponds to the conventional .rhosts file, and has one key
    per line, though the lines can be very long). After this, the user
    can log in without giving the password.

A reminder: I have installed ssh* from the rpms for US users.

Thx,
Mate

---
Mate Wierdl | Dept. of Math. Sciences | University of Memphis

From jmknoble at pobox.com Sun Jan 16 08:26:32 2000
From: jmknoble at pobox.com (Jim Knoble)
Date: Sat, 15 Jan 2000 16:26:32 -0500
Subject: forum to discuss problems
In-Reply-To: <20000115211832.3685.qmail@wierdlmpc.msci.memphis.edu>; from Mate Wierdl on Sat, Jan 15, 2000 at 03:18:32PM -0600
References: <20000115211832.3685.qmail@wierdlmpc.msci.memphis.edu>
Message-ID: <20000115162632.I701@quipu.earth>

Sounds like you're understanding the man page properly to me. Check the
permissions of the ~/.ssh/authorized_keys on the remote host. Also check
the StrictModes setting in /etc/ssh/sshd_config on that machine. Does
the debug/verbose output from the client or server tell you anything?

-- 
jim knoble jmknoble at pobox.com

På 2000-Jan-15 klokka 15:18:32 -0600 skrivet Mate Wierdl:
: But here is another bit: On one machine, I ran ssh-keygen on box A,
: and copied ~mw/.ssh/identity.pub to box B as
: ~mw/.ssh/authorized_keys. I expected that typing `ssh B' on box A
: would immediately connect me to box B, but I was still prompted for a
: password. Am I reading the man page for ssh incorrectly:
[...]

From djm at mindrot.org Sun Jan 16 10:08:55 2000
From: djm at mindrot.org (Damien Miller) Date: Sun, 16 Jan 2000 10:08:55 +1100 (EST) Subject: Failed password In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, 14 Jan 2000, Gene Imes wrote: > > I may have posted this before but got no reply. > > I run sshd -d and try to login from another machine and this is what > happens: You will need to supply a lot more information. What OS are you using? What options OpenSSH was compiled with? Are you using PAM? Shadowed passwords? NIS? Regards, Damien Miller - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4gP4KormJ9RG1dI8RApelAKCdJf1QAUEsKCYc8rfHlzZHvzy8WACfeRt9 c78j3wwYPmSRQyVtmTElR1I= =f+lW -----END PGP SIGNATURE----- From djm at mindrot.org Sun Jan 16 10:13:13 2000 
From: djm at mindrot.org (Damien Miller) Date: Sun, 16 Jan 2000 10:13:13 +1100 (EST) Subject: forum to discuss problems In-Reply-To: <20000115211832.3685.qmail@wierdlmpc.msci.memphis.edu> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, 15 Jan 2000, Mate Wierdl wrote: > But here is another bit: On one machine, I ran ssh-keygen on box A, > and copied ~mw/.ssh/identity.pub to box B as > ~mw/.ssh/authorized_keys. I expected that typing `ssh B' on box A > would immediately connect me to box B, but I was still prompted for a > password. Am I reading the man page for ssh incorrectly: Check your permissions on your home and .ssh directories. They should be mode 0600. Regards, Damien Miller - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4gP8PormJ9RG1dI8RAhz9AJ9QbD/zCDZGBnLrZHAOZgIr2WA6BQCdFvUP 41Vu8JD83op/ZmRM0CK+ygM= =C3ZR -----END PGP SIGNATURE----- From djm at mindrot.org Sun Jan 16 10:41:34 2000 
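What the StrictModes check mentioned in the two replies above actually looks at, as an added example (not sshd's own code): with StrictModes on, sshd will not trust ~/.ssh/authorized_keys unless the home directory, ~/.ssh and the file itself are owned by the user (or root) and are not writable by group or others, since anyone else with write access could plant a key. The names strict_mode_check, check_authorized_keys_chain and check_dir_with_mode are this example's own, and the temporary directories it creates under /tmp exist only to exercise the check.

```c
/* Added example, not sshd code: a StrictModes-style ownership and
 * permission check on the path chain leading to authorized_keys. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 0 = acceptable, -1 = stat failed, 1 = wrong owner, 2 = group/other writable */
int strict_mode_check(const char *path, uid_t uid)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return -1;
    /* the user or root may own it; any other owner could swap in a key */
    if (st.st_uid != uid && st.st_uid != 0)
        return 1;
    /* group- or world-writable lets another account edit the file, or
     * replace a directory entry underneath it */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 2;
    return 0;
}

/* Walk home, home/.ssh, home/.ssh/authorized_keys in order. Returns 0 if
 * all pass, otherwise the 1-based index of the first failing element;
 * 'why' receives a one-line reason suitable for a log message. */
int check_authorized_keys_chain(const char *home, uid_t uid, char *why, size_t whylen)
{
    static const char *suffix[] = { "", "/.ssh", "/.ssh/authorized_keys" };
    static const char *reason[] = { "ok", "stat failed", "bad owner", "group/other writable" };
    char path[4096];
    size_t i;

    for (i = 0; i < 3; i++) {
        int r;
        if (snprintf(path, sizeof path, "%s%s", home, suffix[i]) >= (int)sizeof path)
            return -1;
        r = strict_mode_check(path, uid);
        if (r != 0) {
            snprintf(why, whylen, "%s: %s", path, r < 0 ? reason[1] : reason[r + 1]);
            return (int)i + 1;
        }
    }
    snprintf(why, whylen, "%s", reason[0]);
    return 0;
}

/* Demonstration helper: create a fresh directory with the given mode,
 * run the check against the calling user, remove it, return the result. */
int check_dir_with_mode(mode_t mode)
{
    char tmpl[] = "/tmp/strictmodesXXXXXX";
    int r;

    if (mkdtemp(tmpl) == NULL)
        return -1;
    if (chmod(tmpl, mode) != 0) {
        rmdir(tmpl);
        return -1;
    }
    r = strict_mode_check(tmpl, getuid());
    rmdir(tmpl);
    return r;
}

int main(int argc, char **argv)
{
    char why[4200];
    const char *home = argc > 1 ? argv[1] : getenv("HOME");
    int r;

    if (home == NULL)
        return 1;
    r = check_authorized_keys_chain(home, getuid(), why, sizeof why);
    printf("%s -> %s\n", home, why);
    return r == 0 ? 0 : 2;
}
```

Run it with no argument to audit your own home directory, or pass another user's home as argv[1] when debugging a "still prompted for a password" report like the one above; the printed reason names the first element of the chain that sshd would reject.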
From: djm at mindrot.org (Damien Miller) Date: Sun, 16 Jan 2000 10:41:34 +1100 (EST) Subject: support for skey on linux In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 13 Jan 2000, Arsenault, Charles wrote: > > I am having difficulties compiling the Linux/Unix port of openssh > --with-skey. > > Is it supported? A few people have reported difficulties because of differences between OpenBSD's skey libs and theirs, and because of incompatibilities in auth-skey.c itself. I have modified auth-skey.c to be more compatible, these changes will be in the next release. Damien - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4gQW1ormJ9RG1dI8RAjTPAJwJRmMnSVgLZcCm/2ygJRtOQULWmgCfdfbu gVumj+nMLiCzATAYrZixMaY= =r0G7 -----END PGP SIGNATURE----- From djm at mindrot.org Sun Jan 16 10:47:02 2000 
From: djm at mindrot.org (Damien Miller) Date: Sun, 16 Jan 2000 10:47:02 +1100 (EST) Subject: Man pages on HPUX (and others?)rm In-Reply-To: <20000108012158.F884@internal.domain> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, 8 Jan 2000, Andre Lucas wrote: > HPUX doesn't seem to ship with a set of troff macros that can handle the > OpenSSH manpages. Maybe other OSs have this problem? > > Rather than sodding about with the tmac/ directory, I think we should do > one of two things: > > 1. Ship a set of preformatted manpages, and either auto-install them in > $prefix/man/cat{1,1m} or just have instructions in INSTALL to do so > 2. Recommend users install groff ;-) > > Neither is great, but as things stand right now HP users get garbage for > manpages. It's not too much effort to provide them with pages > preprocessed by a decent troff implementation, so I think we should do > so. Opinions? I am happy to ship preformatted manpages in a subdirectory. We just need to be careful to ensure that the substituted paths in them are correct. Anyone want to take this on? Regards, Damien Miller - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4gQb5ormJ9RG1dI8RAqf8AKDV7vmY54SHm+7jaDdOGQCsZ4/Q2wCeO0He 9B4MNbT/6YIUgSvXLq075uw= =8ZBl -----END PGP SIGNATURE----- From djm at mindrot.org Sun Jan 16 10:53:25 2000 
From: djm at mindrot.org (Damien Miller) Date: Sun, 16 Jan 2000 10:53:25 +1100 (EST) Subject: PID file In-Reply-To: <20000111173552.G1249@itspc142.dur.ac.uk> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, 11 Jan 2000, Andrew Stribblehill wrote: > Where is the best place for me to change the PID file location? I > _could_ change it in ssh.h but then I'd have to do this every > time. Am I best to put in a -DPIDDIR="/etc" or something? > Alternatively, would it be easy to change the configure.in stuff > to let me do a --pid-dir="/etc" or a --pid-file="/etc/ssh.pid"? There is now a --with-pid-dir option. Regards, Damien Miller - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4gQh4ormJ9RG1dI8RAmp3AJ9WZr6pZlRNSlondIV7SmJL2GvsOgCdGq/o fsJIt+u3bLiSAHkLrshpx1Q= =FXAD -----END PGP SIGNATURE----- From djm at mindrot.org Sun Jan 16 10:54:38 2000 
From: djm at mindrot.org (Damien Miller) Date: Sun, 16 Jan 2000 10:54:38 +1100 (EST) Subject: What are these files ... ? In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 12 Jan 2000, Marc G. Fournier wrote: > > total 3136 > -rwxr-xr-x 1 root other 1913044 Jan 12 09:08 sshd > -rw-rw-rw- 1 root other 0 Jan 12 09:08 stSyaqBu > > What are the st* files, and why are they being created in the same > directory as sshd lives? No idea!? Is the 'install' program doing it? Damien - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4gQjBormJ9RG1dI8RAi44AJ97jkjsolyssEw6mfWFTZW3CKOJFwCgu5rI dWnGUmPiskZSAcAD232+Cr4= =lJ4w -----END PGP SIGNATURE----- From djm at mindrot.org Sun Jan 16 10:56:51 2000 
From: djm at mindrot.org (Damien Miller) Date: Sun, 16 Jan 2000 10:56:51 +1100 (EST) Subject: Mostly good news on the NeXT front. In-Reply-To: <20000112151505.B6636@ntrnet.net> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 12 Jan 2000, Jim Knoble wrote: > Ben, does NeXT have setenv()? If it does, you might be able to get > away with making a wrapper that uses either putenv() or setenv(), > depending on what's available. That would be much better than trying > to use glibc code. I have a replacement setenv which uses putenv already in bsd-misc.c. It would be amusing to have to do the reverse as well. Damien - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4gQlFormJ9RG1dI8RAny1AKCQCuc4ZwJ7Tjvnm6L721C4rWPVUQCg3l6I cGfjBX6gO+uyZ6ZQhQwplQk= =tKZF -----END PGP SIGNATURE----- From djm at mindrot.org Sun Jan 16 10:57:30 2000 From: djm at mindrot.org (Damien Miller) Date: Sun, 16 Jan 2000 10:57:30 +1100 (EST) Subject: solaris 2.5.1 still no good In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 12 Jan 2000, Ben Taylor wrote: > It looks like all we have to do for 2.5/2.5.1 support is define > #define snprintf __snprintf > #define vsnprintf __vsnprintf Done. Regards, Damien - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4gQluormJ9RG1dI8RAgl3AKCvoukXc5ec7mbKFcvVMcfg9UN9+ACgz0C7 hoh9VPnqGcxOMn9ofPoxr+E= =W/9g -----END PGP SIGNATURE----- From djm at mindrot.org Sun Jan 16 11:16:05 2000 
From: djm at mindrot.org (Damien Miller) Date: Sun, 16 Jan 2000 11:16:05 +1100 (EST) Subject: /dev/urandom In-Reply-To: <20000113173410.H718@internal.domain> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 13 Jan 2000, Andre Lucas wrote: > One could also reimplement something like EGD in C rather than > Perl. I think EGD is rather more thorough than the SSH system > entropy-based generator - it doesn't seem to have changed a great > deal in v2 - which is a good thing. A small C random gatherer and pool would be a very useful thing. Perhaps a port of the Linux/BSD kernel random.c to userspace? or a port of Yarrow[1]? Regards, Damien Miller [1] http://www.counterpane.com/yarrow.html - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4gQ3IormJ9RG1dI8RAoDhAJ9+Y95SDVwmYF+yM4ZPeJYgrh6MBgCfRDij h0yVc0ccqEtXq4iYqeDMcFY= =8H8k -----END PGP SIGNATURE----- From suto at ks-and-ks.ne.jp Sun Jan 16 17:44:28 2000 
From: suto at ks-and-ks.ne.jp (Kiyokazu SUTO)
Date: 16 Jan 2000 15:44:28 +0900
Subject: Report on openssh-1.2.1pre26.tar.gz
Message-ID: <20000116-154428-4d645.suto@ks-and-ks.ne.jp>

Dear developers,

I tried to make openssh-1.2.1pre26 on my Linux box with kernel 2.2.13
and libc 5.4.46.

First I needed to modify the file "fake-getaddrinfo.h" as attached
diff. Then I tried again, and gave up with the error:

gcc -g -O2 -Wall -I/usr/local/ssl/include \
    -DETCDIR=\"/usr/local/openssh/etc\" \
    -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" \
    -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" \
    -DHAVE_CONFIG_H -c pty.c -o pty.o
pty.c: In function `pty_allocate':
pty.c:100: warning: implicit declaration of function `grantpt'
pty.c:104: warning: implicit declaration of function `unlockpt'
pty.c:108: warning: implicit declaration of function `ptsname'
pty.c:108: warning: assignment makes pointer from integer without a cast
pty.c:122: `I_PUSH' undeclared (first use this function)
pty.c:122: (Each undeclared identifier is reported only once
pty.c:122: for each function it appears in.)
make: *** [pty.o] Error 1

I encountered the same error when I tried 1.2.1pre25 and 1.2pre17, while
I succeeded in making 1.2pre15 with some harmless warnings.

-- 
SUTO, Kiyokazu
http://pub.ks-and-ks.ne.jp/pgp-public-key.html

-------------- next part --------------
--- fake-getaddrinfo.h-dist	Sun Jan 16 14:26:15 2000
+++ fake-getaddrinfo.h	Sun Jan 16 14:28:40 2000
@@ -9,6 +9,10 @@
 # define AI_PASSIVE 1
 #endif
 
+#ifndef AI_CANONNAME
+# define AI_CANONNAME 2
+#endif
+
 #ifndef NI_NUMERICHOST
 # define NI_NUMERICHOST 2
 # define NI_NAMEREQD 4
@@ -25,7 +29,7 @@
 	char *ai_canonname;	/* canonical name for hostname */
 	struct sockaddr *ai_addr;	/* binary address */
 	struct addrinfo *ai_next;	/* next structure in linked list */
-}
+};
 #endif /* !HAVE_STRUCT_ADDRINFO */
 
 #ifndef HAVE_GETADDRINFO

From djm at mindrot.org Sun Jan 16 17:59:08 2000
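Review bot: the fallback `# define AI_CANONNAME 2` in the first hunk only helps callers if the replacement getaddrinfo() on these systems honours the flag; if it ignores ai_flags, a caller passing AI_CANONNAME silently gets ai_canonname == NULL with no error, so either make the replacement fill in ai_canonname or document next to this define that the flag is accepted as a no-op. The value itself is fine: 2 matches the BSD definition, and the `# define NI_NUMERICHOST 2` a few lines below is a different flag namespace (ai_flags versus getnameinfo flags), so there is no collision.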
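Review bot: the `-}` / `+};` change in the second hunk is a real fix, not cosmetic: without the semicolon the `struct addrinfo` definition runs straight into whatever declaration follows `#ifndef HAVE_GETADDRINFO`, so every build that takes the `!HAVE_STRUCT_ADDRINFO` path fails to compile, which is why it only surfaced on a libc5 system. Worth building once with HAVE_STRUCT_ADDRINFO and HAVE_GETADDRINFO undefined before release so the replacement path is actually compiled, not just the header that is skipped on glibc.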
From: djm at mindrot.org (Damien Miller)
Date: Sun, 16 Jan 2000 17:59:08 +1100 (EST)
Subject: ANNOUNCE: 1.2.1pre26
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have uploaded openssh-1.2.1pre26. Please use a mirror:

http://violet.ibs.com.au/openssh/files/MIRRORS.html

Major changes:

 - IPv6 support. I have merged the IPv6 support from OpenBSD CVS and the
   function replacements from KIKUCHI Takahiro. It compiles and works OK
   for me on Redhat Linux 6.1 (which has the necessary functions) and 5.2
   (which uses the replacement functions). This is a big change and is
   likely to break some of the other platforms. Please test.
 - OpenBSD cvs updates (including portforwarding fixes).
 - Change auth-skey.c to use OpenSSH SHA1 functions
 - Use __snprintf and friends if they are present and snprintf is not.
 - Portability fixes
 - Add --with-xauth=FILE and --with-pid-dir=PATH configure options

Detailed changes:

20000116
 - Renamed --with-xauth-path to --with-xauth
 - Added --with-pid-dir option
 - Released 1.2.1pre26

20000115
 - Add --with-xauth-path configure directive and explicit test for
   /usr/openwin/bin/xauth for Solaris systems. Report from Anders Nordby
 - Fix incorrect detection of /dev/ptmx on Linux systems that lack
   openpty. Report from John Seifarth
 - Look for intXX_t and u_intXX_t in sys/bitypes.h if they are not in
   sys/types.h. Fixes problems on SCO, report from Gary E. Miller
 - Use __snprintf and __vnsprintf if they are found where snprintf and
   vnsprintf are lacking. Suggested by Ben Taylor and others.

20000114
 - Merged OpenBSD IPv6 patch:
   - [sshd.c sshd.8 sshconnect.c ssh.h ssh.c servconf.h servconf.c scp.1]
     [scp.c packet.h packet.c login.c log.c canohost.c channels.c]
     [hostfile.c sshd_config]
     ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo,
     new features: sshd allows multiple ListenAddress and Port options.
     note that libwrap is not IPv6-ready.
     (based on patches from fujiwara at rcac.tdi.co.jp)
   - [ssh.c canohost.c]
     more hints (hints.ai_socktype=SOCK_STREAM) for getaddrinfo,
     from itojun@
   - [channels.c]
     listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE)
   - [packet.h]
     allow auth-kerberos for IPv4 only
   - [scp.1 sshd.8 servconf.h scp.c]
     document -4, -6, and 'ssh -L 2022/::1/22'
   - [ssh.c]
     'ssh @host' is illegal (null user name), from karsten at gedankenpolizei.de
   - [sshconnect.c]
     better error message
   - [sshd.c]
     allow auth-kerberos for IPv4 only
 - Big IPv6 merge:
   - Cleanup overrun in sockaddr copying on RHL 6.1
   - Replacements for getaddrinfo, getnameinfo, etc based on versions
     from patch from KIKUCHI Takahiro
   - Replacement for missing structures on systems that lack IPv6
   - record_login needed to know about AF_INET6 addresses
   - Borrowed more code from OpenBSD: rresvport_af and requisites

20000110
 - Fixes to auth-skey to enable it to use the standard OpenSSL libraries

Regards,
Damien Miller

- -- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4gWxAormJ9RG1dI8RAg1VAKDRJm+naPjh0mp81FeG0fmULtGEzgCdEyRb
Ahg8A459AGPSPy0rboC1hlo=
=ql+U
-----END PGP SIGNATURE-----

From djm at mindrot.org Sun Jan 16 18:00:17 2000
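The 'ssh -L 2022/::1/22' syntax and the getaddrinfo hints listed in the announcement above, as an added example (not OpenSSH's own parser): a port-forward spec parser that accepts both the classic port:host:hostport form and the slash form, which is what makes an IPv6 literal such as ::1 unambiguous, followed by a numeric-only classification of the host through getaddrinfo(3) with AI_NUMERICHOST and the SOCK_STREAM hint the merge added. The struct and function names (fwd_spec, parse_forward_spec, numeric_family and the spec_* accessors) are this example's own.

```c
/* Added example, not OpenSSH code: parse "lport:host:hport" or
 * "lport/host/hport" and classify the host with getaddrinfo(). */
#define _GNU_SOURCE
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

struct fwd_spec {
    unsigned short listen_port;
    char host[256];
    unsigned short host_port;
};

/* Strict decimal port in 1..65535; rejects empty strings and trailing junk. */
static int parse_port(const char *s, unsigned short *out)
{
    char *end;
    long v;

    if (*s == '\0')
        return 0;
    v = strtol(s, &end, 10);
    if (*end != '\0' || v < 1 || v > 65535)
        return 0;
    *out = (unsigned short)v;
    return 1;
}

/* If the spec contains '/', that is the separator (so "::1" can appear
 * without being mistaken for field separators); otherwise ':' is used.
 * The host is everything between the first and the last separator.
 * Returns 1 on success, 0 on any malformed input. */
int parse_forward_spec(const char *spec, struct fwd_spec *out)
{
    char buf[512];
    char sep, *first, *last;
    const char *host;

    if (strlen(spec) >= sizeof buf)
        return 0;
    strcpy(buf, spec);
    sep = strchr(buf, '/') ? '/' : ':';
    first = strchr(buf, sep);
    last = strrchr(buf, sep);
    if (first == NULL || last == first)
        return 0;
    *first = '\0';
    *last = '\0';
    host = first + 1;
    if (*host == '\0' || strlen(host) >= sizeof out->host)
        return 0;
    if (!parse_port(buf, &out->listen_port) || !parse_port(last + 1, &out->host_port))
        return 0;
    strcpy(out->host, host);
    return 1;
}

/* Classify a numeric host literal: AF_INET, AF_INET6, or -1 if it is not
 * a literal. AI_NUMERICHOST guarantees no DNS lookup is attempted. */
int numeric_family(const char *host)
{
    struct addrinfo hints, *res;
    int fam;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = PF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;  /* one result per address, not one per protocol */
    hints.ai_flags = AI_NUMERICHOST;
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return -1;
    fam = res->ai_family;
    freeaddrinfo(res);
    return fam;
}

/* Accessors so each field can be checked with a single call. */
int spec_listen_port(const char *spec)
{
    struct fwd_spec f;
    return parse_forward_spec(spec, &f) ? f.listen_port : -1;
}

int spec_host_port(const char *spec)
{
    struct fwd_spec f;
    return parse_forward_spec(spec, &f) ? f.host_port : -1;
}

int spec_host_is(const char *spec, const char *host)
{
    struct fwd_spec f;
    return parse_forward_spec(spec, &f) && strcmp(f.host, host) == 0;
}

int main(int argc, char **argv)
{
    const char *spec = argc > 1 ? argv[1] : "2022/::1/22";
    struct fwd_spec f;

    if (!parse_forward_spec(spec, &f)) {
        fprintf(stderr, "bad forward spec: %s\n", spec);
        return 1;
    }
    printf("listen %u -> [%s]:%u (family %d)\n", f.listen_port, f.host,
           f.host_port, numeric_family(f.host));
    return 0;
}
```

Note that the colon form still parses a spec such as 2022:::1:22 here because the host is taken between the first and last separator, but that only works by accident of where the colons fall; the slash form is the one to document and to prefer for IPv6 literals.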
From: djm at mindrot.org (Damien Miller) Date: Sun, 16 Jan 2000 18:00:17 +1100 (EST) Subject: Report on openssh-1.2.1pre26.tar.gz In-Reply-To: <20000116-154428-4d645.suto@ks-and-ks.ne.jp> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 16 Jan 2000, Kiyokazu SUTO wrote: > Dear developers, > > I tried to make openssh-1.2.1pre26 on my Linux box with kernel 2.2.13 > and libc 5.4.46. > > First I needed to modify the file "fake-getaddrinfo.h" as attached > diff. Then I tried again, and gave up with the error: Thanks for the patch, I have applied it. For the other bug, can you send me the output of ./configure? Thanks, Damien Miller - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4gWyGormJ9RG1dI8RAqGCAKDHdOvNxHhm30HePhR+WjmwpFsxkACfT4FH 0dEBRpgftNeMmURDFY5MIM0= =eWZJ -----END PGP SIGNATURE----- From mouring at pconline.com Sun Jan 16 18:36:07 2000 
From: mouring at pconline.com (Ben Lindstrom)
Date: Sun, 16 Jan 2000 01:36:07 -0600 (CST)
Subject: Mostly good news on the NeXT front.
In-Reply-To:
Message-ID:

On Sun, 16 Jan 2000, Damien Miller wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wed, 12 Jan 2000, Jim Knoble wrote:
>
> > Ben, does NeXT have setenv()? If it does, you might be able to get
> > away with making a wrapper that uses either putenv() or setenv(),
> > depending on what's available. That would be much better than trying
> > to use glibc code.
>
> I have a replacement setenv which uses putenv already in bsd-misc.c.
>

I think you mean a putenv() that uses setenv() =) putenv() is posix
where setenv() was done pre-posix.=)

> It would be amusing to have to do the reverse as well.
>

There are some OSes that lack both.

BTW.. all my NeXT patches will be delayed since I have to redo my NeXT
box and move it up to 4.2 to start setting it up for my website. So
hopefully I'll have that done in a few days.

From carl at bl.echidna.id.au Sun Jan 16 23:48:36 2000
From: carl at bl.echidna.id.au (Carl Brewer)
Date: Sun, 16 Jan 2000 23:48:36 +1100 (EST)
Subject: OpenSSH 1.2.1 pre26, solaris 8ea and IPv6 - good news
Message-ID: <200001161248.e0GCmai03693@oversteer.bl.echidna.id.au>

I don't know if anyone else has tested it yet, but the IPv6 integration
into OpenSSH seems to work just fine on my Solaris 8 box, as much as I
can I've tested it and it's behaving nicely.

Carl

From djm at mindrot.org Sun Jan 16 23:53:17 2000
From: djm at mindrot.org (Damien Miller) Date: Sun, 16 Jan 2000 23:53:17 +1100 (EST) Subject: OpenSSH 1.2.1 pre26, solaris 8ea and IPv6 - good news In-Reply-To: <200001161248.e0GCmai03693@oversteer.bl.echidna.id.au> Message-ID: On Sun, 16 Jan 2000, Carl Brewer wrote: > I don't know if anyone else has tested it yet, but the IPv6 integration > into OpenSSH seems to work just fine on my Solaris 8 box, as much as I > can I've tested it and it's behaving nicely. Good to hear! I haven't tested IPv6 (haven't found the time to set it up). IPv4 seems to work OK so far. I have seen one failure of rresvport_af(), but haven't been able to repeat it. If anyone does, I suspect the place to start looking would be bsd-bindresvport.c. Thanks, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From andre.lucas at dial.pipex.com Mon Jan 17 02:22:24 2000 From: andre.lucas at dial.pipex.com (Andre Lucas) Date: Sun, 16 Jan 2000 15:22:24 +0000 Subject: PAM config file installation Message-ID: <20000116152224.A935@internal.domain> This might have been covered before and I've missed it. If so, sorry in advance. The file sshd.pam.generic didn't work for me on Linux RH6, I guess it's a Solaris file. Instead I copied the file /etc/pam.d/rlogin to /etc/pam.d/sshd . I wonder if this isn't a good way to go about things anyway, have an install target that does just that? Perhaps the rsh file is more appropriate for SSH. Perhaps neither - I just haven't looked into PAM in any detail yet, and the above seems to work well. In any case, I think a working Linux PAM config file should be in the distribution. Perhaps someone who knows PAM well can provide one that's good on Linux-PAM? -Andre -- Andre Lucas http://dspace.dial.pipex.com/andre.lucas/ From nalin at thermo.stat.ncsu.edu Mon Jan 17 05:25:16 2000 
From: nalin at thermo.stat.ncsu.edu (Nalin Dahyabhai)
Date: Sun, 16 Jan 2000 13:25:16 -0500
Subject: PAM config file installation
In-Reply-To: <20000116152224.A935@internal.domain>
References: <20000116152224.A935@internal.domain>
Message-ID: <20000116132516.A29012@thermo.stat.ncsu.edu>

On Sun, Jan 16, 2000 at 03:22:24PM +0000, Andre Lucas wrote:
> In any case, I think a working Linux PAM config file should be in the
> distribution. Perhaps someone who knows PAM well can provide one that's
> good on Linux-PAM?

I just copy the one used for login, and remove the references to pam_securetty, and it's always worked fine. Under Red Hat Linux 6.1:

#%PAM-1.0
#auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_pwdb.so shadow nullok
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
session    required     /lib/security/pam_pwdb.so
session    optional     /lib/security/pam_console.so

If I were using another distribution, I'd expect pam_pwdb to be replaced by pam_unix, but the arguments wouldn't need to change. This might be a good one to include in the Red Hat-specific RPM, anyway.

Cheers,

Nalin

From jmknoble at pobox.com Mon Jan 17 06:47:08 2000
From: jmknoble at pobox.com (Jim Knoble)
Date: Sun, 16 Jan 2000 14:47:08 -0500
Subject: PAM config file installation
In-Reply-To: <20000116152224.A935@internal.domain>; from Andre Lucas on Sun, Jan 16, 2000 at 03:22:24PM +0000
References: <20000116152224.A935@internal.domain>
Message-ID: <20000116144708.M701@quipu.earth>

Have you checked in the redhat-specific directory in the OpenSSH source tree? There's a pam config file there that works nicely.

--
jim knoble
jmknoble at pobox.com

On 2000-Jan-16 at 15:22:24 +0000, Andre Lucas wrote:
: This might have been covered before and I've missed it. If so, sorry in
: advance.
:
: The file sshd.pam.generic didn't work for me on Linux RH6, I guess it's
: a Solaris file. Instead I copied the file /etc/pam.d/rlogin to
: /etc/pam.d/sshd . I wonder if this isn't a good way to go about things
: anyway, have an install target that does just that?
:
: Perhaps the rsh file is more appropriate for SSH. Perhaps neither - I
: just haven't looked into PAM in any detail yet, and the above seems to
: work well.
:
: In any case, I think a working Linux PAM config file should be in the
: distribution. Perhaps someone who knows PAM well can provide one that's
: good on Linux-PAM?

From djm at mindrot.org Mon Jan 17 07:32:08 2000
From: djm at mindrot.org (Damien Miller) Date: Mon, 17 Jan 2000 07:32:08 +1100 (EST) Subject: PAM config file installation In-Reply-To: <20000116152224.A935@internal.domain> Message-ID: On Sun, 16 Jan 2000, Andre Lucas wrote: > This might have been covered before and I've missed it. If so, sorry in > advance. > > The file sshd.pam.generic didn't work for me on Linux RH6, I guess it's > a Solaris file. Instead I copied the file /etc/pam.d/rlogin to > /etc/pam.d/sshd . I wonder if this isn't a good way to go about things > anyway, have an install target that does just that? You are probably after packages/redhat/sshd.pam. That is the one I use in the RPMs. Regards, Damien -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From andre.lucas at dial.pipex.com Mon Jan 17 08:10:42 2000 From: andre.lucas at dial.pipex.com (Andre Lucas) Date: Sun, 16 Jan 2000 21:10:42 +0000 Subject: PAM config file installation In-Reply-To: ; from djm@mindrot.org on Mon, Jan 17, 2000 at 07:32:08AM +1100 References: <20000116152224.A935@internal.domain> Message-ID: <20000116211042.A805@internal.domain> > > You are probably after packages/redhat/sshd.pam. That is the one I > use in the RPMs. Doh! I guess I probably am. It's not mentioned in the INSTALL doc, but that's no excuse for not looking... Thanks. -Andre -- Andre Lucas http://dspace.dial.pipex.com/andre.lucas/ From djm at mindrot.org Mon Jan 17 11:56:57 2000 
From: djm at mindrot.org (Damien Miller) Date: Mon, 17 Jan 2000 11:56:57 +1100 (EST) Subject: PAM config file installation In-Reply-To: <20000116211042.A805@internal.domain> Message-ID: On Sun, 16 Jan 2000, Andre Lucas wrote: > > > > You are probably after packages/redhat/sshd.pam. That is the one I > > use in the RPMs. > > Doh! I guess I probably am. It's not mentioned in the INSTALL doc, but > that's no excuse for not looking... Thanks. It is now :) -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Mon Jan 17 13:50:28 2000 
From: djm at mindrot.org (Damien Miller)
Date: Mon, 17 Jan 2000 13:50:28 +1100 (EST)
Subject: ANNOUNCE: openssh-1.2.1pre27
Message-ID:

A couple of silly errors, and one dangerous bug were in the pre26 release. This release corrects them.

http://violet.ibs.com.au/openssh/files/openssh-1.2.1pre27.tar.gz

If you want RPMs or any of the other files, please use a mirror:

http://violet.ibs.com.au/openssh/files/MIRRORS.html

Changes:

- Using __snprintf is *NOT SAFE* on old Solaris. These functions do not behave the same as "normal" snprintf. The compatibility change has been reverted. Thanks to Theo de Raadt for the warning.

  (this means we need to adapt another snprintf implementation to replace the one in bsd-snprintf.c. Has anyone cleaned up the PostgreSQL version that was posted here a month or so ago?)

- Compile fixes for systems lacking IPv6 support.
- Compile fixes for Linux systems with /dev/ptmx but lacking openpty()
- Cleaned up bugs in bsd-bindresvport.c
- Fix X11 forwarding on Linux w/o IPv6

Changelog:

20000117
 - Clean up bsd-bindresvport.c. Use arc4random() for picking initial port, ignore EINVAL errors (Linux) when searching for free port.
 - Revert __snprintf -> snprintf aliasing. Apparently Solaris __snprintf isn't. Report from Theo de Raadt
 - Document location of Redhat PAM file in INSTALL.
 - Fixed X11 forwarding bug on Linux. libc advertises AF_INET6 INADDR_ANY_INIT addresses via getaddrinfo, but may not be able to deliver (no IPv6 kernel support)
 - Released 1.2.1pre27

20000116
 - Compilation fix from Kiyokazu SUTO
 - Fixed broken bugfix for /dev/ptmx on Linux systems which lack openpty().
   Report from Kiyokazu SUTO

-dm

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Mon Jan 17 15:25:35 2000
From: djm at mindrot.org (Damien Miller)
Date: Mon, 17 Jan 2000 15:25:35 +1100 (EST)
Subject: Patch for pre27
Message-ID:

Apply this patch to 1.2.1pre27. It fixes an occasional failure.

If you want to see the failure in action:

    while [ 1 ] ; do ssh localhost true || break ; done

(assumes you have an RSA key set up on localhost)

Damien

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-------------- next part --------------
? ssh.tr
Index: ChangeLog
===================================================================
RCS file: /var/cvs/openssh/ChangeLog,v
retrieving revision 1.167
diff -u -r1.167 ChangeLog
--- ChangeLog 2000/01/17 02:22:55 1.167
+++ ChangeLog 2000/01/17 04:21:33
@@ -9,6 +9,8 @@ deliver (no IPv6 kernel kernel support) - Released 1.2.1pre27 + - Fix rresvport_af failure errors (logic error in bsd-bindresvport.c) + 20000116 - Renamed --with-xauth-path to --with-xauth - Added --with-pid-dir option Index: bsd-bindresvport.c =================================================================== RCS file: /var/cvs/openssh/bsd-bindresvport.c,v retrieving revision 1.2 diff -u -r1.2 bsd-bindresvport.c --- bsd-bindresvport.c 2000/01/16 22:52:47 1.2 +++ bsd-bindresvport.c 2000/01/17 04:21:33 @@ -84,17 +84,17 @@ sa->sa_family = af; if (*portp == 0) - *portp = (arc4random() % NPORTS) + STARTPORT; + *portp = (u_int16_t)(arc4random() % NPORTS) + STARTPORT; for(i = 0; i < NPORTS; i++) { error = bind(sd, sa, salen); - + /* Terminate on success */ if (error == 0) break; /* Terminate on errors, except "address already in use" */ - if ((error < 0) && ((errno != EADDRINUSE) || (errno != EINVAL))) + if ((error < 0) && !((errno == EADDRINUSE) || (errno == EINVAL))) break; *portp = (i % NPORTS) + STARTPORT; From a.d.stribblehill at durham.ac.uk Mon Jan 17 21:14:26 2000 
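Review bot: with the condition now fixed, the remaining problem in the bsd-bindresvport.c hunk is the trailing context line `*portp = (i % NPORTS) + STARTPORT;` that picks the next candidate: it is computed from the loop counter alone, so after the first EADDRINUSE the randomly chosen start is thrown away and every caller walks the range upward from STARTPORT (and since i < NPORTS, the `% NPORTS` never changes anything); adding the initial random offset, e.g. `((first + i) % NPORTS) + STARTPORT` with `first` saved from the arc4random() result, would keep the random spread the ChangeLog entry promises. The condition change itself is right: `(errno != EADDRINUSE) || (errno != EINVAL)` is true for every errno value, which is why the loop gave up on the very first collision, while `!((errno == EADDRINUSE) || (errno == EINVAL))` retries on exactly those two. The `(u_int16_t)` cast on the first changed line narrows only the `arc4random() % NPORTS` term, not the sum with STARTPORT, so it does not bound the port as it appears to; either cast the whole expression or drop the cast and say in a comment why the range is already safe.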
From: a.d.stribblehill at durham.ac.uk (Andrew Stribblehill) Date: Mon, 17 Jan 2000 10:14:26 +0000 Subject: PID file In-Reply-To: ; from djm@mindrot.org on Sun, Jan 16, 2000 at 10:53:25AM +1100 References: <20000111173552.G1249@itspc142.dur.ac.uk> Message-ID: <20000117101426.D19223@itspc142.dur.ac.uk> Quoting Damien Miller : > On Tue, 11 Jan 2000, Andrew Stribblehill wrote: > > > Where is the best place for me to change the PID file location? I > > _could_ change it in ssh.h but then I'd have to do this every > > time. Am I best to put in a -DPIDDIR="/etc" or something? > > Alternatively, would it be easy to change the configure.in stuff > > to let me do a --pid-dir="/etc" or a --pid-file="/etc/ssh.pid"? > > There is now a --with-pid-dir option. Marvellous. Is it possible to change the manpage for sshd.8 to reflect this, in the same way that /etc is remapped? I would submit a patch but it appears that fixpaths relies on the variable being defined in the Makefile and it's not my place to make such a change! Thanks, Andrew Stribblehill Systems Programmer, IT Service, University of Durham, England From Nigel.Metheringham at VData.co.uk Mon Jan 17 21:28:28 2000 
From: Nigel.Metheringham at VData.co.uk (Nigel Metheringham) Date: Mon, 17 Jan 2000 10:28:28 +0000 Subject: minor prob with spec file In-Reply-To: Message from Mate Wierdl of "Fri, 14 Jan 2000 13:52:36 CST." <20000114195237.18390.qmail@wierdlmpc.msci.memphis.edu> Message-ID: mw at wierdlmpc.msci.memphis.edu said: > The openssl rpm needs to be installed on the system *before* the > openssh-server rpm is installed. This is because the openssh-server's > post script does the host key generation. although I agree with your diagnosis that that is *one* way to fix the problem, I actually think it is the wrong solution... generating keys on the fly at install I think is incorrect - it can cause problems with install sets run at initial install (ie for systems which install ssh when they first install rather than as an add on package). For this reason I always take the key generation script out of the rpm scripts set and put it into the start of the /etc/rc.d/init.d/sshd script start section - hence on first installed boot the key is generated. Nigel. -- [ - Opinions expressed are personal and may not be shared by VData - ] [ Nigel Metheringham Nigel.Metheringham at VData.co.uk ] [ Phone: +44 1423 850000 Fax +44 1423 858866 ] From djm at mindrot.org Mon Jan 17 21:48:32 2000 
From: djm at mindrot.org (Damien Miller) Date: Mon, 17 Jan 2000 21:48:32 +1100 (EST) Subject: PID file In-Reply-To: <20000117101426.D19223@itspc142.dur.ac.uk> Message-ID: On Mon, 17 Jan 2000, Andrew Stribblehill wrote: > Marvellous. Is it possible to change the manpage for sshd.8 to > reflect this, in the same way that /etc is remapped? I would > submit a patch but it appears that fixpaths relies on the variable > being defined in the Makefile and it's not my place to make such a > change! Coming right up... I may change the way that the paths are substituted into the manpages in the near future to a system that allows me to use the unmodified OpenBSD manpages (to keep the diff size down). Regards, Damien -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From andre.lucas at dial.pipex.com Mon Jan 17 22:11:03 2000 
From: andre.lucas at dial.pipex.com (Andre Lucas) Date: Mon, 17 Jan 2000 11:11:03 +0000 Subject: PID file References: Message-ID: <3882F8C7.EAB2EC9A@dial.pipex.com> Damien Miller wrote: 8< snip 8< > I may change the way that the paths are substituted into the > manpages in the near future to a system that allows me to use the > unmodified OpenBSD manpages (to keep the diff size down). Yep, fixpaths was always a hack. The problem I saw with that was distinguishing between OpenBSD's SSH config files and system files in /etc. I suppose you could substitute for /etc/ where config file is one of {ssh_config, sshd_config, shosts.equiv ssh_host_key*}, and though I can think of a few cases where that might break that it would most likely be fine. I guess I didn't count on the man pages changing that often, which in retrospect was probably a mistake. Since I haven't seen anyone else jump at the opportunity to provide preformatted manpages, I guess I could do that. Now that I know that you want to avoid heavy diff work, I'll try out the above substitution scheme to see how it flies. Do you want to do the substitutions from configure, or as a make target? Ta, -Andre From djm at mindrot.org Mon Jan 17 22:17:44 2000 
From: djm at mindrot.org (Damien Miller) Date: Mon, 17 Jan 2000 22:17:44 +1100 (EST) Subject: PID file In-Reply-To: <3882F8C7.EAB2EC9A@dial.pipex.com> Message-ID: On Mon, 17 Jan 2000, Andre Lucas wrote: > Yep, fixpaths was always a hack. The problem I saw with that was > distinguishing between OpenBSD's SSH config files and system files > in /etc. I suppose you could substitute for /etc/ > where config file is one of {ssh_config, sshd_config, shosts.equiv > ssh_host_key*}, and though I can think of a few cases where that > might break that it would most likely be fine. Fixpaths is OK, just the way we use it needs to change a bit. Instead of replacing @sysconfdir@ in manpages, etc we need to be replacing "/etc/ssh_config". > I guess I didn't count on the man pages changing that often, which > in retrospect was probably a mistake. The problem is not so much the changing, rather that a) we want the input files to fixpaths to be identified somehow and b) diff doesn't have a nice way of handling renamed files. > Since I haven't seen anyone else jump at the opportunity to provide > preformatted manpages, I guess I could do that. Now that I know > that you want to avoid heavy diff work, I'll try out the above > substitution scheme to see how it flies. Excellent. How about converting from (for example) sshd.8 to sshd.8.out and sshd.8.catman > Do you want to do the substitutions from configure, or as a make > target? A makefile target would probably be best. Thanks again, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From a.d.stribblehill at durham.ac.uk Mon Jan 17 22:49:16 2000 
From: a.d.stribblehill at durham.ac.uk (Andrew Stribblehill)
Date: Mon, 17 Jan 2000 11:49:16 +0000
Subject: pre27 compilation fails on Sol7 box
Message-ID: <20000117114916.B20258@itspc142.dur.ac.uk>

Something strange happens when I compile the pre27 SSH:

ocal/ssh//include -DETCDIR=\"/usr/local/ssh//etc\" \
  -DSSH_PROGRAM=\"/usr/local/ssh//bin/ssh\" \
  -DSSH_ASKPASS_DEFAULT=\"/usr/local/ssh//libexec/ssh/ssh-askpass\" \
  -DHAVE_CONFIG_H -c atomicio.c
In file included from includes.h:106,
                 from atomicio.c:26:
fake-socket.h:30: parse error before `u_int8_t'
fake-socket.h:30: warning: no semicolon at end of struct or union
fake-socket.h:39: field `sin6_addr' has incomplete type
*** Error code 1
make: Fatal error: Command failed for target `atomicio.o'

This is indeed bizarre because the bit of code in question is:

------->8-----fake-socket.h--starting-at-line-28-------
#ifndef HAVE_STRUCT_IN6_ADDR
struct in6_addr {
	u_int8_t s6_addr[16];            <------ line 30
};
#endif /* !HAVE_STRUCT_IN6_ADDR */

#ifndef HAVE_STRUCT_SOCKADDR_IN6
struct sockaddr_in6 {
	unsigned short sin6_family;
	u_int16_t sin6_port;
	u_int32_t sin6_flowinfo;
	struct in6_addr sin6_addr;       <------- line 39
};
#endif /* !HAVE_STRUCT_SOCKADDR_IN6 */
---------8<-------------------------------------------

which would appear to have the requisite number of semicolons. When I comment out line 30, everything compiles.

Any guesses? Can anyone say for certain that it's _not_ ssh's fault?

Thanks,

Andrew Stribblehill
Systems Programmer, IT Service, University of Durham, England

From andre.lucas at dial.pipex.com Mon Jan 17 23:11:24 2000
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Mon, 17 Jan 2000 12:11:24 +0000
Subject: PID file
References:
Message-ID: <388306EB.3A6D1901@dial.pipex.com>

Damien Miller wrote:
> 8<
> Fixpaths is OK, just the way we use it needs to change a bit.
> Instead of replacing @sysconfdir@ in manpages, etc we need to be
> replacing "/etc/ssh_config".

Ok

> > I guess I didn't count on the man pages changing that often, which
> > in retrospect was probably a mistake.
>
> The problem is not so much the changing, rather that a) we want the
> input files to fixpaths to be identified somehow and b) diff doesn't
> have a nice way of handling renamed files.
>

Ah, I see what you mean now. It will be simple to have fixpaths write a different filename and have the Makefile install that. Cleaner, too, now there is more than one potential install target (troff or preformatted.)

> > Since I haven't seen anyone else jump at the opportunity to provide
> > preformatted manpages, I guess I could do that. Now that I know
> > that you want to avoid heavy diff work, I'll try out the above
> > substitution scheme to see how it flies.
>
> Excellent. How about converting from (for example) sshd.8 to
> sshd.8.out and sshd.8.catman

Fine. Input from OpenBSD filenames, output to whatever we need.

BTW not all systems put administrative manual pages in man/man8. HPUX uses man1m, for example. It's OK to put them in man8 (and it works just fine) but putting them in the 'right' directory would be a nice finishing touch. Not any kind of priority, however.

> > Do you want to do the substitutions from configure, or as a make
> > target?
>
> A makefile target would probably be best.

Ta,

-Andre

From marc.fournier at acadiau.ca Tue Jan 18 00:27:13 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier) Date: Mon, 17 Jan 2000 09:27:13 -0400 (AST) Subject: What are these files ... ? In-Reply-To: Message-ID: On Sun, 16 Jan 2000, Damien Miller wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Wed, 12 Jan 2000, Marc G. Fournier wrote: > > > > > total 3136 > > -rwxr-xr-x 1 root other 1913044 Jan 12 09:08 sshd > > -rw-rw-rw- 1 root other 0 Jan 12 09:08 stSyaqBu > > > > What are the st* files, and why are they being created in the same > > directory as sshd lives? > > No idea!? Is the 'install' program doing it? I'm honestly not sure ... I'm going through my directories again and can't find any now after that last clean out of them ... I'll keep an eye on it and see if I see any regenerated, it might be something from an old 'Makefile' that it was installing ... Marc G. Fournier marc.fournier at acadiau.ca Senior Systems Administrator Acadia University "These are my opinions, which are not necessarily shared by my employer" From marc.fournier at acadiau.ca Tue Jan 18 00:30:35 2000 
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Mon, 17 Jan 2000 09:30:35 -0400 (AST)
Subject: ANNOUNCE: openssh-1.2.1pre27
In-Reply-To:
Message-ID:

On Mon, 17 Jan 2000, Damien Miller wrote:

> A couple of silly errors, and one dangerous bug were in the pre26
> release. This release corrects them.
>
> http://violet.ibs.com.au/openssh/files/openssh-1.2.1pre27.tar.gz
>
> If you want RPMs or any of the other files, please use a mirror:
>
> http://violet.ibs.com.au/openssh/files/MIRRORS.html
>
> Changes:
>
> - Using __snprintf is *NOT SAFE* on old Solaris. These functions do
> not behave the same as "normal" snprintf. The compatibility change
> has been reverted. Thanks to Theo de Raadt
> for the warning.
>
> (this means we need to adapt another snprintf implementation
> to replace the one in bsd-snprintf.c. Has anyone cleaned up the
> PostgreSQL version that was posted here a month or so ago?)

Ummm...that version works on all our supported platforms, which include(d) stuff as old as SunOS 4.x ... what exactly is the problem?

In fact, I believe *we* got our copy from sendmail, but it's been so long, I'm not 100% certain on that point...

From andre.lucas at dial.pipex.com Tue Jan 18 03:43:44 2000
From: andre.lucas at dial.pipex.com (Andre Lucas) Date: Mon, 17 Jan 2000 16:43:44 +0000 Subject: patch for u_int8_t [was: pre27 compilation fails on Sol7 box] References: <20000117114916.B20258@itspc142.dur.ac.uk> Message-ID: <388346C0.C6EF5EB9@dial.pipex.com> I got this on HPUX too. The following patch fixed it for me. BTW all, I am aware that relying on an unsigned char to be 8 bits wide isn't necessarily a wise thing to do, but it may suffice as the last-ditch-before-error option that it is. Instead there could be a SIZEOF_CHAR define. I'm not sure how necessary this is. Ta, -Andre ===== begin patch ===== --- openssh-1.2.1pre27/defines.h Sun Jan 16 22:59:41 2000 +++ openssh-1.2.1pre27.new/defines.h Mon Jan 17 16:37:16 2000 
@@ -78,11 +78,13 @@ /* If sys/types.h does not supply u_intXX_t, supply them ourselves */ #ifndef HAVE_U_INTXX_T # ifdef HAVE_UINTXX_T +typedef uint8_t u_int8_t; typedef uint16_t u_int16_t; typedef uint32_t u_int32_t; typedef uint64_t u_int64_t; # define HAVE_U_INTXX_T 1 # else +typedef unsigned char u_int8_t; # if (SIZEOF_SHORT_INT == 2) typedef unsigned short int u_int16_t; # else ===== end patch ===== Ta, -Andre Andrew Stribblehill wrote: > > Something strange happens when I compile the pre27 SSH: > > ocal/ssh//include -DETCDIR=\"/usr/local/ssh//etc\" \ > -DSSH_PROGRAM=\"/usr/local/ssh//bin/ssh\" \ > -DSSH_ASKPASS_DEFAULT=\"/usr/local/ssh//libexec/ssh/ssh-askpass\" \ > -DHAVE_CONFIG_H -c atomicio.c > In file included from includes.h:106, > from atomicio.c:26: > fake-socket.h:30: parse error before u_int8_t' > fake-socket.h:30: warning: no semicolon at end of > struct or union > fake-socket.h:39: field sin6_addr' has incomplete type > *** Error code 1 > make: Fatal error: Command failed for target atomicio.o' > > This is indeed bizarre because the bit of code in question is: > > ------->8-----fake-socket.h--starting-at-line-28------- > #ifndef HAVE_STRUCT_IN6_ADDR > struct in6_addr { > u_int8_t s6_addr[16]; <------ line 30 > }; > #endif /* !HAVE_STRUCT_IN6_ADDR */ > > #ifndef HAVE_STRUCT_SOCKADDR_IN6 > struct sockaddr_in6 { > unsigned short sin6_family; > u_int16_t sin6_port; > u_int32_t sin6_flowinfo; > struct in6_addr sin6_addr; <------- line 39 > }; > #endif /* !HAVE_STRUCT_SOCKADDR_IN6 */ > ---------8<------------------------------------------- > > which would appear to have the requisite number of semicolons. > When I comment out line 30, everything compiles. > > Any guesses? Can anyone say for certain that it's _not_ ssh's fault? > > Thanks, > > Andrew Stribblehill > Systems Programmer, IT Service, University of Durham, England From marc.fournier at acadiau.ca Tue Jan 18 06:43:48 2000 
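Review bot: the fallback `typedef unsigned char u_int8_t;` added in the `# else` branch is unconditional, while the u_int16_t right below it is chosen by `# if (SIZEOF_SHORT_INT == 2)`; the 8-bit assumption should be made explicit in the same style, e.g. `# if (SIZEOF_CHAR == 1)` around the typedef with an `#error` in the other branch, or a compile-time check of CHAR_BIT from <limits.h>, rather than the silent guess the covering mail itself flags. A second concern is reach: both new typedefs sit inside `#ifndef HAVE_U_INTXX_T`, yet Andrew's Solaris 7 error shows `u_int16_t sin6_port;` and `u_int32_t sin6_flowinfo;` compiling fine in the same header with only `u_int8_t` failing, so if configure sets HAVE_U_INTXX_T by probing the wider types, this block is skipped on exactly the system that reported the problem; a separate configure probe for u_int8_t feeding its own `#ifndef` (a HAVE_U_INT8_T result, name illustrative) would cover that case.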
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Mon, 17 Jan 2000 15:43:48 -0400 (AST)
Subject: Great, another rhosts bug ...
Message-ID:

Wow, this is definitely turning out to not be my month ... upgrade all the servers to OpenSSH due to SSH1.2.26 vulnerabilities ... .rhosts doesn't work anymore :( Get that fixed ... now rhosts of usera:hosta -> userb:hostb, where userb:hostb's rhosts has 'hosta usera' in it fails ...

I don't know if these are problems specific to Solaris 7 or not, but can ppl check their machines to see whether this is just me, or a problem?

I'm running pre25, and the pre26/pre27 releases don't look like they address this, but am going to download pre27 and recheck that ...

Marc G. Fournier marc.fournier at acadiau.ca
Senior Systems Administrator Acadia University

"These are my opinions, which are not necessarily shared by my employer"

From gem at rellim.com Tue Jan 18 07:08:56 2000
From: gem at rellim.com (Gary E. Miller)
Date: Mon, 17 Jan 2000 12:08:56 -0800 (PST)
Subject: ANNOUNCE: openssh-1.2.1pre27
In-Reply-To:
Message-ID:

Yo Damien!

pre27 breaks SCO UnixWare 7.1.0

There is a problem in the Makefile. In the old Makefile there was this:

OBJS= atomicio.o authfd.o authfile.o auth-krb4.o auth-passwd.o auth-pam.o \

The new Makefile has this:

LIBOBJS= atomicio.o authfd.o authfile.o bsd-daemon.o bsd-misc.o \

But this target has not changed:

$(OBJS): config.h

and make fails due to an unknown object $(OBJS). I will hand fix this and do further testing later.

RGDS
GARY

On Mon, 17 Jan 2000, Damien Miller wrote:

> A couple of silly errors, and one dangerous bug were in the pre26
> release. This release corrects them.
>
> http://violet.ibs.com.au/openssh/files/openssh-1.2.1pre27.tar.gz

---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

From marc.fournier at acadiau.ca Tue Jan 18 07:20:38 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier) Date: Mon, 17 Jan 2000 16:20:38 -0400 (AST) Subject: rhosts problem: usera on hosta connecting to userb on hostb ... Message-ID: okay, so far as i can tell, going from an SSH 1.2.26 client to an OpenSSH pre25 server works ..its only going OpenSSH client->server that fails ... Still investigating, but maybe someone else has an idea? Marc G. Fournier marc.fournier at acadiau.ca Senior Systems Administrator Acadia University "These are my opinions, which are not necessarily shared by my employer" From markus.friedl at informatik.uni-erlangen.de Tue Jan 18 10:36:10 2000 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 18 Jan 2000 00:36:10 +0100 Subject: rhosts problem: usera on hosta connecting to userb on hostb ... In-Reply-To: References: Message-ID: <20000118003610.A22355@folly.informatik.uni-erlangen.de> are you sure the client is allocating a reserved port? ssh -v? sshd -d? sbit on ssh? On Mon, Jan 17, 2000 at 04:20:38PM -0400, Marc G. Fournier wrote: > > okay, so far as i can tell, going from an SSH 1.2.26 client to an OpenSSH > pre25 server works ..its only going OpenSSH client->server that fails ... > > Still investigating, but maybe someone else has an idea? From karn at ka9q.ampr.org Tue Jan 18 14:51:52 2000 
From: karn at ka9q.ampr.org (Phil Karn)
Date: Mon, 17 Jan 2000 19:51:52 -0800
Subject: Inhibiting swapping with mlock
In-Reply-To: <200001152047.MAA29052@homer.ka9q.ampr.org> (message from Niels Provos on Sat, 15 Jan 2000 15:46:08 -0500)
References: <200001152047.MAA29052@homer.ka9q.ampr.org>
Message-ID: <200001180351.TAA31660@homer.ka9q.ampr.org>

I agree, encrypting the swap partition is an effective defense, but it sure seems expensive. How much CPU time does it take to encrypt a disk block compared to a) the CPU time spent in the filesystem and device driver code and b) the real time needed to do the disk I/O? What ciphers are generally used?

Phil

From j.petersen at msh.de Tue Jan 18 21:33:12 2000
From: j.petersen at msh.de ("Petersen, Jörg")
Date: Tue, 18 Jan 2000 11:33:12 +0100
Subject: AIX- 'Host not found' in getaddrinfo("0.0.0.0", "22" , ...)
Message-ID:

Hello,

while openssh-1.2.1pre25 ran out-of-the box, in openssh-1.2.1pre27 the sshd fails to start with: "Host not found" returned... (gcc 2.9.5.2 under AIX 4.3.2 ML 2)

Incompatibility of AIX-getaddrinfo ????

Since I'm not familiar with getaddrinfo, I've got no idea what goes wrong ??? Does the code below work on other architectures?

Demo-Code built with values taken from a debug-session:
=======================================================

#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <stdio.h>

int main(void)
{
    struct addrinfo hints;
    struct addrinfo *res;
    int gaierr;

    /* hints filled in field by field with the values seen in the debugger */
    hints.ai_family = AF_UNSPEC;
    hints.ai_flags = 0;
    hints.ai_family = 0;          /* AF_UNSPEC is 0 */
    hints.ai_socktype = 1;        /* = SOCK_STREAM; */
    hints.ai_protocol = 0;
    hints.ai_addrlen = 0;
    hints.ai_canonname = 0x0;
    hints.ai_addr = 0x0;
    hints.ai_next = 0x0;

    gaierr = getaddrinfo("0.0.0.0", "22", &hints, &res);
    printf("gaierr=%i (=%s)\n", gaierr, gai_strerror(gaierr));
    return 0;
}

From Darren_Hall at progressive.com Wed Jan 19 01:26:33 2000
From: Darren_Hall at progressive.com (Darren_Hall at progressive.com)
Date: Tue, 18 Jan 2000 09:26:33 -0500
Subject: AIX- 'Host not found' in getaddrinfo("0.0.0.0", "22" , ...)
Message-ID: <8525686A.004CCF36.00@s65a0384.prci.com>

> while openssh-1.2.1pre25 ran out-of-the box, in openssh-1.2.1pre27 the
> sshd fails to start with: "Host not found" returned...
> (gcc 2.9.5.2 under AIX 4.3.2 ML 2)

I can't duplicate this, although I'm using the AIX native compiler. I have found a couple of issues with pre27 release. Quick fix, the config.h.in file, please change

#endif _CONFIG_H

to

#endif /* _CONFIG_H */

There's also a problem with u_int8_t, as defined within fake-socket.h, I'll try to prepare a patch later today. As a quick fix to get it to compile, I defined u_int8_t to unsigned char, Stevens had some autoconf rules to get a relatively portable listing of types.

> Incompatibility of AIX-getaddrinfo ????

I'm noticing that this dist has a fake-getaddrinfo, you're using AIX's native version on 4.3.2? In 4.2.1, the fake version seems defined when I compiled. Did you run ./configure --enable-ipv6 (which would definitely not use the pre-packaged version)?

From drankin at bohemians.lexington.ky.us Wed Jan 19 01:49:29 2000
From: drankin at bohemians.lexington.ky.us (David Rankin)
Date: Tue, 18 Jan 2000 09:49:29 -0500
Subject: AIX- 'Host not found' in getaddrinfo("0.0.0.0", "22" , ...)
In-Reply-To: <B56A3A4C735ED2118F25000083687FBB3ED3DE@msegw.msh.de>; from "Petersen, Jörg" on Tue, Jan 18, 2000 at 11:33:12AM +0100
References:
Message-ID: <20000118094929.C21896@rumpole.bohemians.lexington.ky.us>

On Tue, Jan 18, 2000 at 11:33:12AM +0100, "Petersen, Jörg" wrote:
> Hello,
> while openssh-1.2.1pre25 ran out-of-the box, in openssh-1.2.1pre27 the
> sshd fails to start with: "Host not found" returned...
> (gcc 2.9.5.2 under AIX 4.3.2 ML 2)
> Incompatibility of AIX-getaddrinfo ????
> Since I'm not familiar with getaddrinfo, I've got no idea what goes wrong
> ??? Does the code below work on other architectures?

Accepting "0.0.0.0" is a hack, not a "standard behaviour" for UNIX-like OSes. I know that NetBSD has become less accepting of 0.0.0.0 as an "all addresses" alias.

Is ListenAddress 0.0.0.0 a no-op? It looks like it is, but I don't have a multi-interface machine on which I can check. If it's not, then maybe we need to make people specify all ListenAddress'es or maybe we need to let the default be to listen on all addresses unless a ListenAddress is specified, and then it won't listen to any other source address.

David
--
David W. Rankin, Jr. Husband, Father, and UNIX Sysadmin.
Email: drankin at bohemians.lexington.ky.us Address/Phone Number: Ask me.
"It is no great thing to be humble when you are brought low; but to be humble when you are praised is a great and rare accomplishment." St. Bernard

From marc.fournier at acadiau.ca Wed Jan 19 01:54:00 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier) Date: Tue, 18 Jan 2000 10:54:00 -0400 (AST) Subject: rhosts problem: usera on hosta connecting to userb on hostb ... In-Reply-To: <20000118003610.A22355@folly.informatik.uni-erlangen.de> Message-ID: On Tue, 18 Jan 2000, Markus Friedl wrote: > are you sure the client is allocating a reserved port? > ssh -v? sshd -d? sbit on ssh? IgnoreRhosts no RhostsAuthentication no tend to negate each other *sigh* Fixed it and am checking over things now ... > > On Mon, Jan 17, 2000 at 04:20:38PM -0400, Marc G. Fournier wrote: > > > > okay, so far as i can tell, going from an SSH 1.2.26 client to an OpenSSH > > pre25 server works ..it's only going OpenSSH client->server that fails ... > > > > Still investigating, but maybe someone else has an idea? > Marc G. Fournier marc.fournier at acadiau.ca Senior Systems Administrator Acadia University "These are my opinions, which are not necessarily shared by my employer" From j.petersen at msh.de Wed Jan 19 02:05:31 2000 From: j.petersen at msh.de ("Petersen, Jörg") Date: Tue, 18 Jan 2000 16:05:31 +0100 Subject: AIX- 'Host not found' in getaddrinfo("0.0.0.0", "22" , ...) Message-ID: Thanks for all answers. Here is my summary/solution: ./configure --with-egd-pool=/usr/local/etc/entropy-for-openssh on AIX uses the getaddrinfo shipped with AIX. Somehow this doesn't work - neither with 0.0.0.0 nor with a real IP address.... Commenting out /* #define HAVE_GETADDRINFO 1 */ in config.h uses the fake-getnameinfo.c version, which works. This leaves the question: a) is the AIX-getaddrinfo wrong or b) is the call to getaddrinfo by openssh wrong? Joerg Petersen From marc.fournier at acadiau.ca Wed Jan 19 02:25:04 2000
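The getaddrinfo() question in the AIX thread above, in working code. This is an added example, not OpenSSH source and not code any poster supplied: a small C program showing how a daemon asks for the wildcard address portably (a NULL host plus AI_PASSIVE, rather than the string "0.0.0.0") and how a literal ListenAddress taken from a config file is resolved with AI_NUMERICHOST, so that a broken resolver can never produce "Host not found" and a working one is never consulted at all. It also shows why the `inet_addr(hostname) != -1` test used by the fake-getaddrinfo.c that ships with these prereleases (Darren Hall mentions it above) misclassifies 255.255.255.255. The function names are the example's own; "some.host" is a constructed name used only to show that a non-literal is rejected without a lookup.

```c
/*
 * Added example, not OpenSSH code: resolving an sshd ListenAddress with
 * getaddrinfo() so that the answer never depends on the resolver.
 *
 * Two points from the thread. "Listen on every interface" is requested
 * portably by passing a NULL host together with AI_PASSIVE; passing the
 * string "0.0.0.0" works only where getaddrinfo() happens to parse it as
 * a literal. And a literal taken from a config file should be resolved
 * with AI_NUMERICHOST, so a broken resolver cannot turn it into "Host not
 * found" and a working one is never asked at all.
 */
#define _POSIX_C_SOURCE 200809L
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#ifndef INADDR_NONE
#define INADDR_NONE ((in_addr_t)0xffffffff)
#endif

/*
 * Resolve a listen address. host == NULL means the IPv4 wildcard. Only
 * numeric hosts and ports are accepted. Returns 0 and fills *out on
 * success, otherwise a getaddrinfo() EAI_* code.
 */
int resolve_listen_addr(const char *host, const char *port,
                        struct sockaddr_in *out)
{
    struct addrinfo hints, *res, *ai;
    int rc;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST | AI_NUMERICSERV;

    rc = getaddrinfo(host, port, &hints, &res);
    if (rc != 0)
        return rc;

    rc = EAI_FAMILY;            /* no usable AF_INET entry came back */
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        if (ai->ai_family == AF_INET && ai->ai_addrlen == sizeof(*out)) {
            memcpy(out, ai->ai_addr, sizeof(*out));
            rc = 0;
            break;
        }
    }
    freeaddrinfo(res);
    return rc;
}

/*
 * The fake-getaddrinfo.c in these prereleases decides "is this a literal?"
 * with inet_addr(hostname) != -1. That misclassifies 255.255.255.255,
 * because INADDR_NONE is also 0xffffffff, and it accepts shorthand such as
 * "1.2.3". inet_pton() has neither problem: it returns 1 only for a
 * complete dotted quad.
 */
int is_ipv4_literal(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1;
}

int main(void)
{
    /* Constructed inputs: the wildcard two ways, loopback, one non-literal. */
    const char *hosts[] = { NULL, "0.0.0.0", "127.0.0.1", "some.host" };
    struct sockaddr_in sa;
    size_t i;

    for (i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
        const char *name = hosts[i] ? hosts[i] : "(NULL, AI_PASSIVE)";
        int rc = resolve_listen_addr(hosts[i], "22", &sa);
        if (rc == 0)
            printf("%-20s -> %s:%u\n", name, inet_ntoa(sa.sin_addr),
                   (unsigned)ntohs(sa.sin_port));
        else
            printf("%-20s -> %s\n", name, gai_strerror(rc));
    }
    printf("inet_addr(\"255.255.255.255\") == INADDR_NONE: %s\n",
           inet_addr("255.255.255.255") == INADDR_NONE ? "yes" : "no");
    printf("is_ipv4_literal(\"255.255.255.255\"): %d\n",
           is_ipv4_literal("255.255.255.255"));
    return 0;
}
```

Compile with the system cc and run it on any host; the non-literal name is refused with EAI_NONAME even when DNS is working, which is the property a listening daemon wants for an address it was told to bind.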
From: marc.fournier at acadiau.ca (Marc G. Fournier) Date: Tue, 18 Jan 2000 11:25:04 -0400 (AST) Subject: rhosts problem: usera on hosta connecting to userb on hostb ... In-Reply-To: Message-ID: On Tue, 18 Jan 2000, Marc G. Fournier wrote: > On Tue, 18 Jan 2000, Markus Friedl wrote: > > > are you sure the client is allocating a reserved port? > > ssh -v? sshd -d? sbit on ssh? > > IgnoreRhosts no > RhostsAuthentication no > > tend to negate each other *sigh* > > Fixed it and am checking over things now ... Okay, slowly getting there ... On FreeBSD, ssh is installed 4555 (setuid root), while under Solaris, it appears to be installed 0755 ... To get the reserved port (and where it works), I'm assuming that FreeBSD is doing this correctly? > > > > > On Mon, Jan 17, 2000 at 04:20:38PM -0400, Marc G. Fournier wrote: > > > > > > okay, so far as i can tell, going from an SSH 1.2.26 client to an OpenSSH > > > pre25 server works ..it's only going OpenSSH client->server that fails ... > > > > > > Still investigating, but maybe someone else has an idea? > > > > Marc G. Fournier marc.fournier at acadiau.ca > Senior Systems Administrator Acadia University > > "These are my opinions, which are not necessarily shared by my employer" > > > Marc G. Fournier marc.fournier at acadiau.ca Senior Systems Administrator Acadia University "These are my opinions, which are not necessarily shared by my employer" From marc.fournier at acadiau.ca Wed Jan 19 02:54:21 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier) Date: Tue, 18 Jan 2000 11:54:21 -0400 (AST) Subject: LD_LIBRARY_PATH under Solaris issues ... Message-ID: How are people getting around this: hermes:/home/centre/edenauto/work/Jan18> ssh -v -l sais iceberg ld.so.1: ssh: fatal: libz.so: open failed: No such file or directory Killed I've tried using -R/usr/slocal/lib, but it doesn't appear to be working properly ... Marc G. Fournier marc.fournier at acadiau.ca Senior Systems Administrator Acadia University "These are my opinions, which are not necessarily shared by my employer" From speno at isc.upenn.edu Wed Jan 19 03:01:29 2000 From: speno at isc.upenn.edu (John P Speno) Date: Tue, 18 Jan 2000 11:01:29 -0500 Subject: Tru64 UNIX plans? Message-ID: <20000118110129.B133698@isc.upenn.edu> Is anyone currently working on adding support for Tru64 UNIX's enhanced security to OpenSSH? From drankin at bohemians.lexington.ky.us Wed Jan 19 02:56:55 2000 From: drankin at bohemians.lexington.ky.us (David Rankin) Date: Tue, 18 Jan 2000 10:56:55 -0500 Subject: More NetBSD patches Message-ID: <20000118105655.A23297@rumpole.bohemians.lexington.ky.us> Here's a unified diff, proposed by Christos Zoulas (with a little reworking to get the configure.in part a bit cleaner). The main target of the patches is NetBSD compatibility, although there are some changes making if (pointer X) into if (X != NULL) as well. Christos also proposed a change to Makefile.in, but I'll send that as a separate mail. Thanks, David Index: configure.in =================================================================== RCS file: /usr/local/cvs/openssh/configure.in,v retrieving revision 1.22 diff -u -r1.22 configure.in --- configure.in 2000/01/17 19:34:14 1.22 +++ configure.in 2000/01/18 15:16:18
@@ -51,6 +51,31 @@ AC_C_INLINE +dnl Check for OpenSSL/SSLeay directories. +AC_MSG_CHECKING([for OpenSSL/SSLeay directory]) +for ssldir in $prefix /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg ; do + if test -f "$ssldir/include/openssl/crypto.h"; then + AC_DEFINE(HAVE_OPENSSL) + GOT_SSL="yes" + break + fi + if test -f "$ssldir/include/ssl/crypto.h"; then + AC_DEFINE(HAVE_SSL) + GOT_SSL="yes" + break + fi +done +if test -z "$GOT_SSL" ; then + AC_MSG_ERROR([Could not find SSLeay / OpenSSL libraries, please install]) +fi +AC_SUBST(ssldir) +AC_DEFINE_UNQUOTED(ssldir, "$ssldir") +if test "$ssldir" != "/usr"; then + CFLAGS="$CFLAGS -I$ssldir/include" + LDFLAGS="$LDFLAGS -L$ssldir/lib" +fi +AC_MSG_RESULT($ssldir) + dnl Check for some target-specific stuff case "$host" in *-*-aix*) @@ -92,32 +117,12 @@ *-*-sysv*) LIBS="$LIBS -lgen -lsocket" ;; -esac - -dnl Check for OpenSSL/SSLeay directories. -AC_MSG_CHECKING([for OpenSSL/SSLeay directory]) -for ssldir in /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local $prefix /usr/pkg ; do - if test -f "$ssldir/include/openssl/crypto.h"; then - AC_DEFINE(HAVE_OPENSSL) - GOT_SSL="yes" - break - fi - if test -f "$ssldir/include/ssl/crypto.h"; then - AC_DEFINE(HAVE_SSL) - GOT_SSL="yes" - break +*-*-netbsd*) + if test "$GOT_SSL" = "yes"; then + LDFLAGS="$LDFLAGS -R$ssldir/lib" fi -done -if test -z "$GOT_SSL" ; then - AC_MSG_ERROR([Could not find SSLeay / OpenSSL libraries, please install]) -fi -AC_SUBST(ssldir) -AC_DEFINE_UNQUOTED(ssldir, "$ssldir") -if test "$ssldir" != "/usr"; then - CFLAGS="$CFLAGS -I$ssldir/include" - LDFLAGS="$LDFLAGS -L$ssldir/lib" -fi -AC_MSG_RESULT($ssldir) + ;; +esac dnl Check for RSAref library. AC_MSG_CHECKING([for RSAref library]) @@ -246,7 +251,10 @@ AC_MSG_CHECKING([for struct sockaddr_storage]) AC_TRY_COMPILE( - [#include ], + [ +#include +#include + ], [struct sockaddr_storage s;], [ AC_DEFINE(HAVE_STRUCT_SOCKADDR_STORAGE) 
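Review bot: hoisting the OpenSSL/SSLeay search above the per-host case is what the NetBSD `-R$ssldir/lib` needs, but the search order changes at the same time: `$prefix` now comes first instead of after `/usr/local`, so on every platform a second OpenSSL installed under `--prefix` silently wins over the copy in `/usr` that was found before. Either say so in the commit message or keep the old order and only move the block. In the new `*-*-netbsd*)` case the `if test "$GOT_SSL" = "yes"` guard is dead code, since configure has already stopped with `AC_MSG_ERROR` when nothing was found, and `-R` is added even for `ssldir=/usr` although `-L` is skipped for that directory a few lines earlier.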
@@ -257,7 +265,10 @@ AC_MSG_CHECKING([for struct sockaddr_in6]) AC_TRY_COMPILE( - [#include ], + [ +#include +#include + ], [struct sockaddr_in6 s; s.sin6_family = 0;], [ AC_DEFINE(HAVE_STRUCT_SOCKADDR_IN6) @@ -268,7 +279,10 @@ AC_MSG_CHECKING([for struct in6_addr]) AC_TRY_COMPILE( - [#include ], + [ +#include +#include + ], [struct in6_addr s; s.s6_addr[0] = 0;], [ AC_DEFINE(HAVE_STRUCT_IN6_ADDR) @@ -280,6 +294,7 @@ AC_MSG_CHECKING([for struct addrinfo]) AC_TRY_COMPILE( [ + #include #include #include ], Index: fake-getaddrinfo.c =================================================================== RCS file: /usr/local/cvs/openssh/fake-getaddrinfo.c,v retrieving revision 1.1 diff -u -r1.1 fake-getaddrinfo.c --- fake-getaddrinfo.c 2000/01/17 19:24:04 1.1 +++ fake-getaddrinfo.c 2000/01/18 15:16:49 @@ -41,7 +41,7 @@ do { next = ai->ai_next; free(ai); - } while (ai = next); + } while ((ai = next) != NULL); } #endif /* !HAVE_FREEADDRINFO */ @@ -53,8 +53,8 @@ { struct addrinfo *ai; - if (ai = (struct addrinfo *)malloc(sizeof(struct addrinfo) + - sizeof(struct sockaddr_in))) { + if ((ai = (struct addrinfo *)malloc(sizeof(struct addrinfo) + + sizeof(struct sockaddr_in))) != NULL) { memset(ai, 0, sizeof(struct addrinfo) + sizeof(struct sockaddr_in)); ai->ai_addr = (struct sockaddr *)(ai + 1); /* XXX -- ssh doesn't use sa_len */ 
@@ -83,25 +83,27 @@ else port = 0; if (hints && hints->ai_flags & AI_PASSIVE) - if (*res = malloc_ai(port, htonl(0x00000000))) + if ((*res = malloc_ai(port, htonl(0x00000000))) != NULL) return 0; else return EAI_MEMORY; - if (!hostname) - if (*res = malloc_ai(port, htonl(0x7f000001))) + if (!hostname) { + if ((*res = malloc_ai(port, htonl(0x7f000001))) != NULL) return 0; else return EAI_MEMORY; - if (inet_addr(hostname) != -1) - if (*res = malloc_ai(port, inet_addr(hostname))) + } + if (inet_addr(hostname) != -1) { + if ((*res = malloc_ai(port, inet_addr(hostname))) != NULL) return 0; else return EAI_MEMORY; + } if ((hp = gethostbyname(hostname)) && hp->h_name && hp->h_name[0] && hp->h_addr_list[0]) { for (i = 0; hp->h_addr_list[i]; i++) - if (cur = malloc_ai(port, - ((struct in_addr *)hp->h_addr_list[i])->s_addr)) { + if ((cur = malloc_ai(port, + ((struct in_addr *)hp->h_addr_list[i])->s_addr)) != NULL) { if (prev) prev->ai_next = cur; else Index: fake-getnameinfo.c =================================================================== RCS file: /usr/local/cvs/openssh/fake-getnameinfo.c,v retrieving revision 1.1 diff -u -r1.1 fake-getnameinfo.c --- fake-getnameinfo.c 2000/01/17 19:24:05 1.1 +++ fake-getnameinfo.c 2000/01/18 15:21:32 @@ -46,8 +46,8 @@ return 0; } else - if (hp = gethostbyaddr((char *)&sin->sin_addr, sizeof(struct in_addr), - AF_INET)) + if ((hp = gethostbyaddr((char *)&sin->sin_addr, sizeof(struct in_addr), + AF_INET)) != NULL) if (strlen(hp->h_name) > hostlen) return EAI_MEMORY; else { Index: log-client.c =================================================================== RCS file: /usr/local/cvs/openssh/log-client.c,v retrieving revision 1.3 diff -u -r1.3 log-client.c --- log-client.c 2000/01/17 16:53:09 1.3 +++ log-client.c 2000/01/18 15:21:54 
@@ -45,12 +45,12 @@ } } -#define MSGBUFSIZE 1024 +#define SSH_MSGBUFSIZE 1024 void do_log(LogLevel level, const char *fmt, va_list args) { - char msgbuf[MSGBUFSIZE]; + char msgbuf[SSH_MSGBUFSIZE]; if (level > log_level) return; Index: log-server.c =================================================================== RCS file: /usr/local/cvs/openssh/log-server.c,v retrieving revision 1.4 diff -u -r1.4 log-server.c --- log-server.c 2000/01/17 16:53:10 1.4 +++ log-server.c 2000/01/18 15:22:24 @@ -97,13 +97,13 @@ log_on_stderr = on_stderr; } -#define MSGBUFSIZE 1024 +#define SSH_MSGBUFSIZE 1024 void do_log(LogLevel level, const char *fmt, va_list args) { - char msgbuf[MSGBUFSIZE]; - char fmtbuf[MSGBUFSIZE]; + char msgbuf[SSH_MSGBUFSIZE]; + char fmtbuf[SSH_MSGBUFSIZE]; char *txt = NULL; int pri = LOG_INFO; Index: uidswap.c =================================================================== RCS file: /usr/local/cvs/openssh/uidswap.c,v retrieving revision 1.2 diff -u -r1.2 uidswap.c --- uidswap.c 2000/01/17 16:53:38 1.2 +++ uidswap.c 2000/01/18 15:23:27 @@ -27,8 +27,10 @@ #define SAVED_IDS_WORK_WITH_SETEUID #endif /* _POSIX_SAVED_IDS */ +#ifdef SAVED_IDS_WORK_WITH_SETEUID /* Saved effective uid. */ static uid_t saved_euid = 0; +#endif /* * Temporarily changes to the given uid. If the effective user From drankin at bohemians.lexington.ky.us Wed Jan 19 03:44:16 2000 
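Review bot: in the fake-getaddrinfo.c hunk the rewritten line `if (inet_addr(hostname) != -1) {` still uses inet_addr() to decide whether hostname is a literal, and inet_addr() cannot distinguish 255.255.255.255 from its INADDR_NONE error value (also all ones), so that literal falls through to gethostbyname(); it also accepts shorthand such as "1.2.3". Since the line is being touched anyway, parse once with inet_aton() and reuse the result instead of calling inet_addr() twice: `if (inet_aton(hostname, &in)) { if ((*res = malloc_ai(port, in.s_addr)) != NULL)`. Comparing an in_addr_t against the signed constant -1 is also what INADDR_NONE exists to avoid.

Review bot: in the fake-getnameinfo.c hunk the length test `if (strlen(hp->h_name) > hostlen) return EAI_MEMORY;` is off by one: a name of exactly hostlen bytes passes the check and the copy that follows has no room for the terminating NUL. Use `>=`, and note that EAI_MEMORY describes an allocation failure; EAI_OVERFLOW is the POSIX code for a too-small buffer where the platform defines it. `hp->h_name` is dereferenced without the non-NULL check that the getaddrinfo() side of this patch applies before using it.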
From: drankin at bohemians.lexington.ky.us (David Rankin) Date: Tue, 18 Jan 2000 11:44:16 -0500 Subject: Patch to change installation of ssh_config and sshd_config Message-ID: <20000118114415.A26457@rumpole.bohemians.lexington.ky.us> The NetBSD packages system "forbids" packages from installing stuff outside of the package tree (typically "/usr/pkg"). OpenSSH installs ssh*_config into $sysconfdir by default, which violates that rule. Christos Zoulas reworked Makefile.in to separate the install from sysconfdir, and I added some logic to configure.in to add --with-example-dir. NetBSD's package would install this by default in $prefix/share/examples/openssh rather than $sysconfdir. I personally like that approach, but I don't know if it'd be appropriate for the base install to take that approach. Thanks, David Index: Makefile.in =================================================================== RCS file: /usr/local/cvs/openssh/Makefile.in,v retrieving revision 1.18 diff -u -r1.18 Makefile.in --- Makefile.in 2000/01/17 19:23:49 1.18 +++ Makefile.in 2000/01/18 16:32:21 @@ -5,6 +5,7 @@ libexecdir=@libexecdir@ mandir=@mandir@ sysconfdir=@sysconfdir@ +examplesdir=@examplesdir@ srcdir = @srcdir@ top_srcdir = @top_srcdir@
@@ -137,16 +138,16 @@ $(INSTALL) -s @GNOME_ASKPASS@ ${ASKPASS_LOCATION} ; \ fi - if [ ! -f $(sysconfdir)/ssh_config -a ! -f $(sysconfdir)/sshd_config ]; then \ - $(INSTALL) -d $(sysconfdir); \ - $(INSTALL) -m 644 ssh_config $(sysconfdir)/ssh_config; \ - $(INSTALL) -m 644 sshd_config $(sysconfdir)/sshd_config; \ + if [ ! -f $(examplesdir)/ssh_config -a ! -f $(examplesdir)/sshd_config ]; then \ + $(INSTALL) -d $(examplesdir); \ + $(INSTALL) -m 644 ssh_config $(examplesdir)/ssh_config; \ + $(INSTALL) -m 644 sshd_config $(examplesdir)/sshd_config; \ fi uninstallall: uninstall - -rm -f $(sysconfdir)/ssh_config - -rm -f $(sysconfdir)/sshd_config - -rmdir $(sysconfdir) + -rm -f $(examplesdir)/ssh_config + -rm -f $(examplesdir)/sshd_config + -rmdir $(examplesdir) -rmdir $(bindir) -rmdir $(sbindir) -rmdir $(mandir)/man1 Index: configure.in =================================================================== RCS file: /usr/local/cvs/openssh/configure.in,v retrieving revision 1.22 diff -u -r1.22 configure.in --- configure.in 2000/01/17 19:34:14 1.22 +++ configure.in 2000/01/18 16:28:52 @@ -524,6 +524,23 @@ ] ) +dnl Check to see where config examples get installed +AC_ARG_WITH(example-dir, + [ --with-example-dir=DIR Install directory for config examples], + [ + if test "x$withval" != "$xno" ; then + if test "x$withval" != "$xyes" ; then + examplesdir=$withval + fi + fi + ], + [ + examplesdir="${sysconfdir}" + ] +) + +AC_SUBST(examplesdir) + dnl Check whether user wants Kerberos support AC_ARG_WITH(kerberos4, [ --with-kerberos4=PATH Enable Kerberos 4 support], From marc.fournier at acadiau.ca Wed Jan 19 04:55:25 2000 
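Review bot: in the configure.in hunk the tests `if test "x$withval" != "$xno"` and `if test "x$withval" != "$xyes"` have the `x` on the wrong side of the `$`: `$xno` and `$xyes` are (empty) shell variables, so both comparisons are always true, and `--without-example-dir` or `--with-example-dir=yes` sets `examplesdir` to the literal string `no` or `yes` and installs the config files into a directory of that name relative to wherever make runs. The intended strings are `"xno"` and `"xyes"`.

Review bot: in the Makefile.in install hunk, once `examplesdir` differs from `$(sysconfdir)` nothing is ever installed into `$(sysconfdir)`, so a freshly built sshd starts (or fails to start) with no config file and no hint of where the examples went; an `echo` in the install target naming `$(examplesdir)` when it differs from `$(sysconfdir)` would avoid that surprise, and the `uninstallall` target's `-rmdir $(examplesdir)` is fine as written.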
From: marc.fournier at acadiau.ca (Marc G. Fournier) Date: Tue, 18 Jan 2000 13:55:25 -0400 (AST) Subject: SSH problems ... Message-ID: Okay, we think we've resolved them all now *wipe brow* There were two outstanding problems... Problem 1: The config file has two directives in it: IgnoreRhosts RhostsAuthentication Without realizing it, even though I had IgnoreRhosts set to 'no', RhostsAuthentication was set to 'no' also, so it didn't matter ... This appears to fix the authentication issue of last week :( Problem 2: A regular user can't ssh to another users account on a remote server without a password ... the .rhosts file on the remote server granted permission, but it wouldn't work. Thanks to one of the guys on the list, for pointing out the 'reserved port' issue, I checked my FreeBSD machine's install of OpenSSH and noticed that both ssh and scp are set 4555, vs 755 on the Solaris machine. It appears that the OpenSSH distribution doesn't set this, which is what caused that problem ... So far, it appears that both are fixed ... Problem 2, I think, needs to be fixed in 'make install' of the distribution though ... Marc G. Fournier marc.fournier at acadiau.ca Senior Systems Administrator Acadia University "These are my opinions, which are not necessarily shared by my employer" From sb at dcs.qmw.ac.uk Wed Jan 19 06:32:04 2000 
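The reserved-port side of Problem 2, as an added example (not OpenSSH code, and not written by anyone in this thread). Rhosts-style authentication inherits the rlogin/rsh trust model: the server believes the client's claimed user name only if the connection originates from a source port below 1024, because on a classic Unix host only root can bind such a port. A client installed 0755 can never bind one, so sshd falls back to asking for a password, which matches the symptom described; installed 4555 and owned by root it can. The C program below re-implements the port search the way rresvport(3) does it, plus the mode/owner check one would run against the installed binary instead of eyeballing `ls -l`. Function names are the example's own. The caveat a practitioner would add: a setuid-root ssh client is a large privileged attack surface that exists for one legacy authentication method, so it should be installed that way only where rhosts authentication is actually wanted.

```c
/*
 * Added example, not OpenSSH code: why rhosts-style authentication needs a
 * setuid-root ssh client, and how to check for it.
 *
 * The rhosts trust model (inherited from rlogin/rsh) is that the server
 * believes the client's claimed user name only if the connection comes
 * from a source port below IPPORT_RESERVED (1024), because on a classic
 * Unix host only root can bind such a port. A client installed 0755 cannot
 * bind one; installed 4555 and owned by root it can.
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef IPPORT_RESERVED
#define IPPORT_RESERVED 1024
#endif

/* rresvport(3) searches IPPORT_RESERVED-1 down to IPPORT_RESERVED/2. */
int is_reserved_client_port(int port)
{
    return port >= IPPORT_RESERVED / 2 && port < IPPORT_RESERVED;
}

/*
 * Decide from an inode's mode and owner whether executing the binary yields
 * the privilege needed to bind a reserved port. Only setuid to root counts:
 * a setuid bit on a file owned by anyone else does not help, and neither
 * does 0755 no matter who owns it.
 */
int grants_reserved_port(mode_t mode, uid_t owner)
{
    return (mode & S_ISUID) != 0 && owner == 0;
}

/* stat(2) an installed client and apply the check above; -1 if it is missing. */
int binary_grants_reserved_port(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return grants_reserved_port(st.st_mode, st.st_uid);
}

/*
 * A minimal rresvport(): bind a TCP socket to the first free port in
 * [IPPORT_RESERVED/2, IPPORT_RESERVED). Returns the socket and stores the
 * port in *port, or -1 with errno set. Without root privilege (or, on
 * modern Linux, CAP_NET_BIND_SERVICE) bind() fails with EACCES, which is
 * exactly the condition the setuid bit cures.
 */
int bind_reserved_port(int *port)
{
    struct sockaddr_in sin;
    int fd, p, saved;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

    for (p = IPPORT_RESERVED - 1; p >= IPPORT_RESERVED / 2; p--) {
        sin.sin_port = htons((unsigned short)p);
        if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) == 0) {
            *port = p;
            return fd;
        }
        if (errno != EADDRINUSE)   /* EACCES etc.: lower ports will not help */
            break;
    }
    saved = errno;                 /* close() may clobber errno */
    close(fd);
    errno = saved;
    return -1;
}

int main(void)
{
    int port = 0, fd;

    printf("running with euid %u\n", (unsigned)geteuid());
    fd = bind_reserved_port(&port);
    if (fd >= 0) {
        printf("bound reserved port %d: rhosts-style auth can be attempted\n", port);
        close(fd);
    } else {
        printf("cannot bind a reserved port: %s\n", strerror(errno));
    }
    return 0;
}
```

Run it twice, once as an ordinary user and once as root (or from a 4555 root-owned copy), to see the two outcomes sshd distinguishes; `binary_grants_reserved_port("/usr/local/bin/ssh")` is the programmatic form of the `ls -l` comparison made above.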
From: sb at dcs.qmw.ac.uk (Sergio Brandano) Date: Tue, 18 Jan 2000 19:32:04 +0000 Subject: No subject Message-ID: <200001181932.TAA02927@copper.dcs.qmw.ac.uk> Hi, I should say first that I am not subscribed to the list, so please Cc all messages to me. The problem is the following. I installed OpenSSH 1.2.1pre24-1 on my desktop and laptop (Debian potato, using packages). I then created the new key for each machine, as described in the INSTALL file. This is the result when connecting: [~] --> ssh box2 You have no controlling tty. Cannot read passphrase. [~] --> I checked in the manuals but found no clue on how to set a tty for ssh. Please help. Sergio From bole at falcon.etf.bg.ac.yu Wed Jan 19 06:45:13 2000 From: bole at falcon.etf.bg.ac.yu (Bosko Radivojevic) Date: Tue, 18 Jan 2000 20:45:13 +0100 (CET) Subject: Problem with wtmp logging Message-ID: Hello! There is (still) a problem with logging logins in wtmp (on Slackware 4 & Slackware 7). utmp & lastlog are successfully updated, but there is nothing in wtmp. Bye From bole at falcon.etf.bg.ac.yu Wed Jan 19 07:05:03 2000 From: bole at falcon.etf.bg.ac.yu (Bosko Radivojevic) Date: Tue, 18 Jan 2000 21:05:03 +0100 (CET) Subject: your mail In-Reply-To: <200001181932.TAA02927@copper.dcs.qmw.ac.uk> Message-ID: On Tue, 18 Jan 2000, Sergio Brandano wrote: > The problem is the following. I installed OpenSSH 1.2.1pre24-1 on my [..] > --> ssh box2 > You have no controlling tty. Cannot read passphrase. I had the same problem, but with some earlier prerelease. Try with pre27, it works for me. Bye From sdn at sprintlabs.com Wed Jan 19 09:48:40 2000
From: sdn at sprintlabs.com (Steve Davidson) Date: Tue, 18 Jan 2000 14:48:40 -0800 Subject: Error when compiling for Solaris7 Message-ID: <3884EDC7.C0CBE5C@sprintlabs.com> I cannot make openssh on Solaris. The 'make' fails on the first file. Here are the commands and the output. Essentially, I pre-built EGD, SSL, and ran: configure make make errors are listed at the bottom. Can anyone help me get this compiled on Solaris7? Steve sdn at sprintlabs.com ./configure --prefix=/common --sysconfdir=/etc/ssh --with-egd-pool=/common/bin/egd.pl loading cache ./config.cache checking host system type... sparc-sun-solaris2.7 checking for gcc... (cached) gcc checking whether the C compiler (gcc ) works... yes checking whether the C compiler (gcc ) is a cross-compiler... no checking whether we are using GNU C... (cached) yes checking whether gcc accepts -g... (cached) yes checking how to run the C preprocessor... (cached) gcc -E checking for ranlib... (cached) ranlib checking for a BSD compatible install... (cached) /common/bin/install -c checking for ar... (cached) ar checking for perl... (cached) /common/bin/perl checking for rsh... (cached) /usr/bin/rsh checking for xauth... (cached) /usr/openwin/bin/xauth checking for inline... (cached) inline checking for OpenSSL/SSLeay directory... /common checking for RSAref library... no checking for CRYPTO_lock in -lcrypto... (cached) yes checking for deflate in -lz... (cached) yes checking for login in -lutil... (cached) no checking for yp_match in -lnsl... (cached) yes checking for main in -lsocket... (cached) yes checking for bstring.h... (cached) no checking for endian.h... (cached) no checking for lastlog.h... (cached) yes checking for login.h... (cached) no checking for maillock.h... (cached) yes checking for netdb.h... (cached) yes checking for netgroup.h... (cached) no checking for paths.h... (cached) no checking for poll.h... (cached) yes checking for pty.h... (cached) no checking for shadow.h... 
(cached) yes checking for security/pam_appl.h... (cached) yes checking for sys/bitypes.h... (cached) no checking for sys/bsdtty.h... (cached) no checking for sys/cdefs.h... (cached) no checking for sys/poll.h... (cached) yes checking for sys/select.h... (cached) yes checking for sys/stropts.h... (cached) yes checking for sys/time.h... (cached) yes checking for sys/ttcompat.h... (cached) yes checking for util.h... (cached) no checking for utmp.h... (cached) yes checking for utmpx.h... (cached) yes checking for arc4random... (cached) no checking for bindresvport_af... (cached) no checking for freeaddrinfo... (cached) no checking for gai_strerror... (cached) no checking for getaddrinfo... (cached) no checking for getpagesize... (cached) yes checking for getnameinfo... (cached) no checking for innetgr... (cached) yes checking for md5_crypt... (cached) no checking for mkdtemp... (cached) no checking for openpty... (cached) no checking for rresvport_af... (cached) no checking for setenv... (cached) no checking for seteuid... (cached) yes checking for setlogin... (cached) no checking for setproctitle... (cached) no checking for setreuid... (cached) yes checking for snprintf... (cached) yes checking for strlcat... (cached) no checking for strlcpy... (cached) no checking for updwtmpx... (cached) yes checking for vsnprintf... (cached) yes checking for _getpty... (cached) no checking for login... (cached) no checking for login in -lbsd... (cached) no checking for daemon... (cached) no checking for daemon in -lbsd... (cached) no checking size of short int... (cached) 2 checking size of int... (cached) 4 checking size of long int... (cached) 4 checking size of long long int... (cached) 8 checking for intXX_t types... yes checking for u_intXX_t types... no checking for uintXX_t types... yes checking for socklen_t... yes checking for size_t... yes checking for struct sockaddr_storage... no checking for struct sockaddr_in6... no checking for struct in6_addr... 
no checking for struct addrinfo... no checking for dlopen in -ldl... (cached) yes checking whether pam_strerror takes only one argument... no checking whether to build GNOME ssh-askpass... no checking for /dev/urandom... (cached) no checking whether utmp.h has ut_host field... no checking whether utmpx.h has ut_host field... yes checking whether utmpx.h has syslen field... yes checking whether utmp.h has ut_pid field... yes checking whether utmp.h has ut_type field... yes checking whether utmp.h has ut_tv field... no checking whether utmp.h has ut_id field... yes checking whether utmp.h has ut_addr field... no checking whether utmpx.h has ut_addr field... no checking whether utmp.h has ut_addr_v6 field... no checking whether utmpx.h has ut_addr_v6 field... no checking whether struct sockaddr_storage has ss_family field... no checking whether struct sockaddr_storage has __ss_family field... no checking location of lastlog file... /var/adm/lastlog checking for /dev/ptmx... (cached) yes checking for /dev/ptc... (cached) no checking whether libc defines __progname... no creating ./config.status creating Makefile creating config.h config.h is unchanged % make gcc -g -O2 -Wall -I/common/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/common/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/common/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c atomicio.c -o atomicio.o In file included from includes.h:106, from atomicio.c:26: fake-socket.h:31: parse error before `u_int8_t' fake-socket.h:31: warning: no semicolon at end of struct or union fake-socket.h:40: field `sin6_addr' has incomplete type make: *** [atomicio.o] Error 1 From sdn at sprintlabs.com Wed Jan 19 10:42:18 2000 
From: sdn at sprintlabs.com (Steve Davidson) Date: Tue, 18 Jan 2000 15:42:18 -0800 Subject: Error when compiling for Solaris7 References: <3884EDC7.C0CBE5C@sprintlabs.com> Message-ID: <3884FA5A.70703B09@sprintlabs.com> The version of openssh is: openssh-1.2.1pre27 Solaris 7 on an Ultra 2. My apologies for not including this in the original email. > I cannot make openssh on Solaris. > The 'make' fails on the first file. > > Here are the commands and the output. > > Essentially, I pre-built EGD, SSL, and ran: > configure > make > > make errors are listed at the bottom. > > Can anyone help me get this compiled on Solaris7? > Steve > sdn at sprintlabs.com > > ./configure --prefix=/common --sysconfdir=/etc/ssh > --with-egd-pool=/common/bin/egd.pl > > loading cache ./config.cache > checking host system type... sparc-sun-solaris2.7 > checking for gcc... (cached) gcc > checking whether the C compiler (gcc ) works... yes > checking whether the C compiler (gcc ) is a cross-compiler... no > checking whether we are using GNU C... (cached) yes > checking whether gcc accepts -g... (cached) yes > checking how to run the C preprocessor... (cached) gcc -E > checking for ranlib... (cached) ranlib > checking for a BSD compatible install... (cached) /common/bin/install -c > > checking for ar... (cached) ar > checking for perl... (cached) /common/bin/perl > checking for rsh... (cached) /usr/bin/rsh > checking for xauth... (cached) /usr/openwin/bin/xauth > checking for inline... (cached) inline > checking for OpenSSL/SSLeay directory... /common > checking for RSAref library... no > checking for CRYPTO_lock in -lcrypto... (cached) yes > checking for deflate in -lz... (cached) yes > checking for login in -lutil... (cached) no > checking for yp_match in -lnsl... (cached) yes > checking for main in -lsocket... (cached) yes > checking for bstring.h... (cached) no > checking for endian.h... (cached) no > checking for lastlog.h... (cached) yes > checking for login.h... 
(cached) no > checking for maillock.h... (cached) yes > checking for netdb.h... (cached) yes > checking for netgroup.h... (cached) no > checking for paths.h... (cached) no > checking for poll.h... (cached) yes > checking for pty.h... (cached) no > checking for shadow.h... (cached) yes > checking for security/pam_appl.h... (cached) yes > checking for sys/bitypes.h... (cached) no > checking for sys/bsdtty.h... (cached) no > checking for sys/cdefs.h... (cached) no > checking for sys/poll.h... (cached) yes > checking for sys/select.h... (cached) yes > checking for sys/stropts.h... (cached) yes > checking for sys/time.h... (cached) yes > checking for sys/ttcompat.h... (cached) yes > checking for util.h... (cached) no > checking for utmp.h... (cached) yes > checking for utmpx.h... (cached) yes > checking for arc4random... (cached) no > checking for bindresvport_af... (cached) no > checking for freeaddrinfo... (cached) no > checking for gai_strerror... (cached) no > checking for getaddrinfo... (cached) no > checking for getpagesize... (cached) yes > checking for getnameinfo... (cached) no > checking for innetgr... (cached) yes > checking for md5_crypt... (cached) no > checking for mkdtemp... (cached) no > checking for openpty... (cached) no > checking for rresvport_af... (cached) no > checking for setenv... (cached) no > checking for seteuid... (cached) yes > checking for setlogin... (cached) no > checking for setproctitle... (cached) no > checking for setreuid... (cached) yes > checking for snprintf... (cached) yes > checking for strlcat... (cached) no > checking for strlcpy... (cached) no > checking for updwtmpx... (cached) yes > checking for vsnprintf... (cached) yes > checking for _getpty... (cached) no > checking for login... (cached) no > checking for login in -lbsd... (cached) no > checking for daemon... (cached) no > checking for daemon in -lbsd... (cached) no > checking size of short int... (cached) 2 > checking size of int... 
(cached) 4 > checking size of long int... (cached) 4 > checking size of long long int... (cached) 8 > checking for intXX_t types... yes > checking for u_intXX_t types... no > checking for uintXX_t types... yes > checking for socklen_t... yes > checking for size_t... yes > checking for struct sockaddr_storage... no > checking for struct sockaddr_in6... no > checking for struct in6_addr... no > checking for struct addrinfo... no > checking for dlopen in -ldl... (cached) yes > checking whether pam_strerror takes only one argument... no > checking whether to build GNOME ssh-askpass... no > checking for /dev/urandom... (cached) no > checking whether utmp.h has ut_host field... no > checking whether utmpx.h has ut_host field... yes > checking whether utmpx.h has syslen field... yes > checking whether utmp.h has ut_pid field... yes > checking whether utmp.h has ut_type field... yes > checking whether utmp.h has ut_tv field... no > checking whether utmp.h has ut_id field... yes > checking whether utmp.h has ut_addr field... no > checking whether utmpx.h has ut_addr field... no > checking whether utmp.h has ut_addr_v6 field... no > checking whether utmpx.h has ut_addr_v6 field... no > checking whether struct sockaddr_storage has ss_family field... no > checking whether struct sockaddr_storage has __ss_family field... no > checking location of lastlog file... /var/adm/lastlog > checking for /dev/ptmx... (cached) yes > checking for /dev/ptc... (cached) no > checking whether libc defines __progname... 
no > creating ./config.status > creating Makefile > creating config.h > config.h is unchanged > > % make > gcc -g -O2 -Wall -I/common/include -DETCDIR=\"/etc/ssh\" > -DSSH_PROGRAM=\"/common/bin/ssh\" > -DSSH_ASKPASS_DEFAULT=\"/common/libexec/ssh/ssh-askpass\" > -DHAVE_CONFIG_H -c atomicio.c -o atomicio.o > In file included from includes.h:106, > from atomicio.c:26: > fake-socket.h:31: parse error before `u_int8_t' > fake-socket.h:31: warning: no semicolon at end of struct or union > fake-socket.h:40: field `sin6_addr' has incomplete type > make: *** [atomicio.o] Error 1 From djm at mindrot.org Wed Jan 19 10:39:35 2000 From: djm at mindrot.org (Damien Miller) Date: Wed, 19 Jan 2000 10:39:35 +1100 (EST) Subject: AIX- 'Host not found' in getaddrinfo("0.0.0.0", "22" , ...) In-Reply-To: Message-ID: On Tue, 18 Jan 2000, Petersen, J?rg wrote: > Hello, > while openssh-1.2.1pre25 ran out-of-the box, in openssh-1.2.1pre27 the > sshd fails to start with: "Host not found" returned... > (gcc 2.9.5.2 under AIX 4.3.2 ML 2) > > Incompatibility of AIX-getaddrinfo ???? > Since I'm not familiar with getaddrinfo, I've got no idea what goes wrong > ??? Does the code below work on other architectures? Does AIX define its own getaddrinfo or does it use the replacement functions? Damien -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From gem at rellim.com Wed Jan 19 11:14:07 2000 
From: gem at rellim.com (Gary E. Miller) Date: Tue, 18 Jan 2000 16:14:07 -0800 (PST) Subject: AANOUNCE: openssh-1.2.1pre27 In-Reply-To: Message-ID: Yo Damien! On Mon, 17 Jan 2000, Damien Miller wrote: > A couple of silly errors, and one dangerous bug were in the pre26 > release. This release corrects them. > > http://violet.ibs.com.au/openssh/files/openssh-1.2.1pre27.tar.gz This fails to compile on SCO UNIXWARE 7.1.0 for the following 4 reasons: 1. partially complete change from $(OBJS) to $(LIBOBJS) in Makefile previously reported. 2. in "bsd-rresvport.c" at line 64: int sa_len; sa_len is already defined in and creates a fatal name collision. I just changed the name. 3. "sshconnect.c" at line 1073: int sa_len; same problem as #2 above. 4. at link time, "howmany()", referenced in sshd.o is undefined. howmany() is a macro defined in: so I manually added it to defined.h Then it compiles with the following errors: 1. the u_intXX_t detection seems broken again: UX:acomp: WARNING: "./defines.h", line 83: typedef redeclared: u_int16_t UX:acomp: WARNING: "./defines.h", line 84: typedef redeclared: u_int32_t 2. in bufaux.c on line 47: oi = BN_bn2bin(value, buf); buf is a "char *", but include/openssl/bn.h says buf should be "unsigned char *". 3. rsa.c has the same problems as #2. 4. packet.h defines: char *packet_get_string(unsigned int *length_ptr); but it is called with an "int *" from: channels.c, line 1049 and 1056. clientloop.c, line 250, and 259 sshconnect.c, line 886 sshd.c, line 1079, 1291, 1306, 1352, 1372, etc. RGDS GARY --------------------------------------------------------------------------- Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701 gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676 From djm at mindrot.org Wed Jan 19 13:03:54 2000
From: djm at mindrot.org (Damien Miller) Date: Wed, 19 Jan 2000 13:03:54 +1100 (EST) Subject: AANOUNCE: openssh-1.2.1pre27 In-Reply-To: Message-ID: On Tue, 18 Jan 2000, Gary E. Miller wrote: > Yo Damien! > > On Mon, 17 Jan 2000, Damien Miller wrote: > > > A couple of silly errors, and one dangerous bug were in the pre26 > > release. This release corrects them. > > > > http://violet.ibs.com.au/openssh/files/openssh-1.2.1pre27.tar.gz > > This fails to compile on SCO UNIXWARE 7.1.0 for the following 4 reasons: > > 1. partially complete change from $(OBJS) to $(LIBOBJS) in Makefile > previously reported. Fixed. > 2. in "bsd-rresvport.c" at line 64: > int sa_len; > sa_len is already defined in and creates a fatal > name collision. I just changed the name. Changed to salen > 3. "sshconnect.c" at line 1073: > int sa_len; > same problem as #2 above. > > 4. at link time, "howmany()", referenced in sshd.o is undefined. > howmany() is a macro defined in: > so I manually added it to defined.h Would this fragment suffice? /* SCO defines this */ #ifdef howmany # undef howmany #endif /* howmany */ > Then it compiles with the following errors: > > 1. the u_intXX_t detection seems broken again: > > UX:acomp: WARNING: "./defines.h", line 83: typedef redeclared: u_int16_t > > UX:acomp: WARNING: "./defines.h", line 84: typedef redeclared: u_int32_t What is the output of configure? -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From gem at rellim.com Wed Jan 19 13:22:36 2000
From: gem at rellim.com (Gary E. Miller)
Date: Tue, 18 Jan 2000 18:22:36 -0800 (PST)
Subject: AANOUNCE: openssh-1.2.1pre27
In-Reply-To:
Message-ID:

Yo Damien!

On Wed, 19 Jan 2000, Damien Miller wrote:

> > This fails to compile on SCO UNIXWARE 7.1.0 for the following 4 reasons:

[...]

> > 4. at link time, "howmany()", referenced in sshd.o is undefined.
> >    howmany() is a macro defined in:
> >    so I manually added it to defines.h
>
> Would this fragment suffice?
>
> /* SCO defines this */
> #ifdef howmany
> # undef howmany
> #endif /* howmany */

The problem is not that it is defined, but that it is undefined. I could
find no definition in the openssh source so I assume that it is getting
the howmany() from an include file that SCO does not.

> > Then it compiles with the following errors:
> >
> > 1. the u_intXX_t detection seems broken again:
> >
> >    UX:acomp: WARNING: "./defines.h", line 83: typedef redeclared: u_int16_t
> >    UX:acomp: WARNING: "./defines.h", line 84: typedef redeclared: u_int32_t
>
> What is the output of configure?

LDFLAGS=-L/usr/local/lib CFLAGS=-I/usr/local/include ./configure \
    --with-egd-pool=/.gnupg/entropy --libdir=/usr/local/lib \
    --with-default-path=/usr/local/bin:/usr/sbin:/bin:/usr/bin:/usr/ucb

creating cache ./config.cache
checking host system type... i586-sco-sysv5uw7.1.0
checking for gcc... no
checking for cc... cc
checking whether the C compiler (cc -I/usr/local/include -L/usr/local/lib) works... yes
checking whether the C compiler (cc -I/usr/local/include -L/usr/local/lib) is a cross-compiler... no
checking whether we are using GNU C... no
checking whether cc accepts -g... yes
checking how to run the C preprocessor... cc -E
checking for ranlib... :
checking for a BSD compatible install... ./install-sh -c
checking for ar... ar
checking for perl... /usr/local/bin/perl
checking for rsh... /usr/bin/rsh
checking for xauth... no
checking for inline... no
checking for OpenSSL/SSLeay directory... /usr/local/ssl
checking for RSAref library... no
checking for CRYPTO_lock in -lcrypto... yes
checking for deflate in -lz... yes
checking for login in -lutil... no
checking for yp_match in -lnsl... yes
checking for main in -lsocket... yes
checking for bstring.h... no
checking for endian.h... no
checking for lastlog.h... yes
checking for login.h... no
checking for maillock.h... yes
checking for netdb.h... yes
checking for netgroup.h... no
checking for paths.h... yes
checking for poll.h... yes
checking for pty.h... no
checking for shadow.h... yes
checking for security/pam_appl.h... no
checking for sys/bitypes.h... yes
checking for sys/bsdtty.h... no
checking for sys/cdefs.h... yes
checking for sys/poll.h... yes
checking for sys/select.h... yes
checking for sys/stropts.h... yes
checking for sys/time.h... yes
checking for sys/ttcompat.h... no
checking for util.h... no
checking for utmp.h... yes
checking for utmpx.h... yes
checking for arc4random... no
checking for bindresvport_af... no
checking for freeaddrinfo... yes
checking for gai_strerror... yes
checking for getaddrinfo... yes
checking for getpagesize... yes
checking for getnameinfo... yes
checking for innetgr... yes
checking for md5_crypt... no
checking for mkdtemp... no
checking for openpty... no
checking for rresvport_af... no
checking for setenv... no
checking for seteuid... yes
checking for setlogin... no
checking for setproctitle... no
checking for setreuid... yes
checking for snprintf... yes
checking for strlcat... no
checking for strlcpy... no
checking for updwtmpx... yes
checking for vsnprintf... yes
checking for _getpty... no
checking for login... no
checking for login in -lbsd... no
checking for daemon... no
checking for daemon in -lbsd... no
checking size of short int... 2
checking size of int... 4
checking size of long int... 4
checking size of long long int... 8
checking for intXX_t types... yes
checking for u_intXX_t types... no
checking for uintXX_t types... yes
checking for socklen_t... no
checking for size_t... yes
checking for struct sockaddr_storage... no
checking for struct sockaddr_in6... yes
checking for struct in6_addr... yes
checking for struct addrinfo... yes
checking whether to build GNOME ssh-askpass... no
checking for /dev/urandom... no
checking whether utmp.h has ut_host field... no
checking whether utmpx.h has ut_host field... yes
checking whether utmpx.h has syslen field... yes
checking whether utmp.h has ut_pid field... yes
checking whether utmp.h has ut_type field... yes
checking whether utmp.h has ut_tv field... no
checking whether utmp.h has ut_id field... yes
checking whether utmp.h has ut_addr field... no
checking whether utmpx.h has ut_addr field... no
checking whether utmp.h has ut_addr_v6 field... no
checking whether utmpx.h has ut_addr_v6 field... no
checking whether struct sockaddr_storage has ss_family field... no
checking whether struct sockaddr_storage has __ss_family field... no
checking location of lastlog file... /var/adm/lastlog
checking for /dev/ptmx... yes
checking for /dev/ptc... no
checking whether libc defines __progname... no
updating cache ./config.cache
creating ./config.status
creating Makefile
creating config.h
config.h is unchanged

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

From drankin at bohemians.lexington.ky.us Wed Jan 19 18:39:18 2000
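The howmany() exchange above turns on the direction of the guard: Damien's `#ifdef howmany` / `#undef` fragment removes a definition that exists, while the SCO build needs one supplied where the system headers have none. The following is an added C illustration of the portable form, not a fragment from the OpenSSH tree or from either poster: the macro body is the traditional BSD definition of howmany() (which glibc's sys/param.h also provides), and bitmap_words, bitmap_bytes and BITS_PER_WORD are this example's own names.

```c
#include <stddef.h>
#include <sys/param.h>   /* BSD-derived libcs define howmany() here */

/*
 * Fallback for platforms where no system header supplies howmany(), the
 * SCO UnixWare case from the thread.  The guard is #ifndef, so the macro
 * is defined only when the headers did not already provide it; on a
 * system whose headers do define it, this block is skipped and no
 * redefinition warning results.  (Added example: traditional BSD
 * definition, not taken from OpenSSH's defines.h.)
 */
#ifndef howmany
#define howmany(x, y) (((x) + ((y) - 1)) / (y))
#endif

/* Width of the word type a bit-vector is stored in (example's own). */
#define BITS_PER_WORD (8 * sizeof(unsigned int))

/* Number of words needed to hold a bit-vector of nbits bits; this is the
 * kind of sizing computation howmany() exists for (descriptor sets are
 * one common use). */
size_t bitmap_words(size_t nbits)
{
    return howmany(nbits, BITS_PER_WORD);
}

/* Number of bytes needed to hold nbits bits. */
size_t bitmap_bytes(size_t nbits)
{
    return howmany(nbits, 8);
}
```

Because the macro is purely arithmetic, a stale or conflicting system definition would show up as a wrong word count here rather than as a link error, so the two helpers double as a cheap sanity check of whichever definition the preprocessor ended up using.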
From: drankin at bohemians.lexington.ky.us (David Rankin)
Date: Wed, 19 Jan 2000 02:39:18 -0500
Subject: Potentially serious (but rare) issue with buffer.c and cipher.c
Message-ID: <20000119023917.A26901@rumpole.bohemians.lexington.ky.us>

While rototilling packet.c, I did some looking at cipher_encrypt in
cipher.c. It ends up that for SSH_CIPHER_NONE in cipher_encrypt, it
uses memcpy. However, it also appears that dest and src can be equal
in cipher_encrypt.

On most sane libc implementations, memcpy == memmove. However, ANSI C
makes no such guarantee, and some implementations out there are bound
to try to optimize memcpy eventually.

Therefore, I've hacked out the following patch to change what may be
"dangerous" memcpy's to memmove. Take a look and see what you think.

Thanks,
David
--
David W. Rankin, Jr. Husband, Father, and UNIX Sysadmin.
Email: drankin at bohemians.lexington.ky.us Address/Phone Number: Ask me.
"It is no great thing to be humble when you are brought low; but to be humble
when you are praised is a great and rare accomplishment." St. Bernard

-------------- next part --------------
Index: cipher.c =================================================================== RCS file: /usr/local/cvs/openssh/cipher.c,v retrieving revision 1.7 diff -u -r1.7 cipher.c --- cipher.c 2000/01/17 17:27:31 1.7 +++ cipher.c 2000/01/19 07:18:49 @@ -45,16 +45,16 @@ { des_cblock iv1; - memcpy(&iv1, iv2, 8); + memmove(&iv1, iv2, 8); des_cbc_encrypt(src, dest, len, ks1, &iv1, DES_ENCRYPT); - memcpy(&iv1, (char *)dest + len - 8, 8); + memmove(&iv1, (char *)dest + len - 8, 8); des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_DECRYPT); - memcpy(iv2, &iv1, 8); /* Note how iv1 == iv2 on entry and exit. */ + memmove(iv2, &iv1, 8); /* Note how iv1 == iv2 on entry and exit. */ des_cbc_encrypt(dest, dest, len, ks3, iv3, DES_ENCRYPT); - memcpy(iv3, (char *)dest + len - 8, 8); + memmove(iv3, (char *)dest + len - 8, 8); } void 
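Review bot: in the @@ -45,16 hunk none of the four replaced calls can overlap, so the memmove substitution changes nothing: iv1 is a local des_cblock, and the other operand in each call is iv2, iv3 or the last eight bytes of dest, all distinct objects. The concern raised in the covering message (dest == src) only arises where both operands are caller-supplied buffers; leaving these four as memcpy keeps the patch small and makes the sites where overlap is actually possible stand out.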
@@ -66,16 +66,16 @@ { des_cblock iv1; - memcpy(&iv1, iv2, 8); + memmove(&iv1, iv2, 8); des_cbc_encrypt(src, dest, len, ks3, iv3, DES_DECRYPT); - memcpy(iv3, (char *)src + len - 8, 8); + memmove(iv3, (char *)src + len - 8, 8); des_cbc_encrypt(dest, dest, len, ks2, iv2, DES_ENCRYPT); - memcpy(iv2, (char *)dest + len - 8, 8); + memmove(iv2, (char *)dest + len - 8, 8); des_cbc_encrypt(dest, dest, len, ks1, &iv1, DES_DECRYPT); - /* memcpy(&iv1, iv2, 8); */ + /* memmove(&iv1, iv2, 8); */ /* Note how iv1 == iv2 on entry and exit. */ } @@ -214,7 +214,7 @@ /* Get 32 bytes of key data. Pad if necessary. (So that code below does not need to worry about key size). */ memset(padded, 0, sizeof(padded)); - memcpy(padded, key, keylen < sizeof(padded) ? keylen : sizeof(padded)); + memmove(padded, key, keylen < sizeof(padded) ? keylen : sizeof(padded)); /* Initialize the initialization vector. */ switch (cipher) { @@ -265,7 +265,7 @@ switch (context->type) { case SSH_CIPHER_NONE: - memcpy(dest, src, len); + memmove(dest, src, len); break; case SSH_CIPHER_3DES: @@ -299,7 +299,7 @@ switch (context->type) { case SSH_CIPHER_NONE: - memcpy(dest, src, len); + memmove(dest, src, len); break; case SSH_CIPHER_3DES: Index: buffer.c =================================================================== RCS file: /usr/local/cvs/openssh/buffer.c,v retrieving revision 1.2 diff -u -r1.2 buffer.c --- buffer.c 2000/01/17 16:52:52 1.2 +++ buffer.c 2000/01/19 07:17:46 @@ -59,7 +59,7 @@ { char *cp; buffer_append_space(buffer, &cp, len); - memcpy(cp, data, len); + memmove(cp, data, len); } /* @@ -115,7 +115,7 @@ { if (len > buffer->end - buffer->offset) fatal("buffer_get trying to get more bytes than in buffer"); - memcpy(buf, buffer->buf + buffer->offset, len); + memmove(buf, buffer->buf + buffer->offset, len); buffer->offset += len; } From sb at dcs.qmw.ac.uk Wed Jan 19 22:38:43 2000 
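Review bot: the @@ -66,16 hunk edits a line that is already commented out (`/* memcpy(&iv1, iv2, 8); */` becomes `/* memmove(&iv1, iv2, 8); */`), which is a no-op that only adds diff noise; drop it. As in the encrypt routine, the three live copies in this hunk involve the local iv1 or the caller's distinct src/dest tails and cannot overlap, so memcpy was already correct there.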
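Review bot: in the @@ -214,7 hunk `padded` is a local array and `key` is the caller's key buffer, which never overlap, so memcpy is the right call and the change is unnecessary; the part of this line that actually protects memory is the unchanged `keylen < sizeof(padded) ? keylen : sizeof(padded)` bound.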
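Review bot: the @@ -265,7 hunk (and the identical @@ -299,7 hunk) is the one place the message's concern applies: for SSH_CIPHER_NONE dest and src may be the same pointer, memcpy with identical operands is not something ANSI C guarantees, and memmove is specified for overlap, so the change is justified here. An alternative with the same effect and no portability question is to skip the copy entirely when `dest == src`; whichever is chosen, a one-line comment at this site saying why the null cipher differs from the real ciphers would save the next reader from "fixing" it back.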
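Review bot: in the buffer.c @@ -59,7 hunk memmove only behaves differently from memcpy if `data` overlaps the space `cp` that buffer_append_space has just handed back, that is, if some caller appends part of a buffer to itself; the hunk neither names such a caller nor documents the case. If appending has to enlarge buffer->buf, a `data` pointer into the old storage is already stale before the copy runs, which memmove does not address either. If no self-append caller exists, keep memcpy; if one does, it needs an offset-based copy and a comment, not this substitution.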
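Review bot: in the @@ -115,7 hunk `buf` is the caller's output area and `buffer->buf + buffer->offset` is the buffer's own storage; they can overlap only if a caller reads a buffer into itself, and the preceding `fatal("buffer_get trying to get more bytes than in buffer")` bound check is what actually keeps this copy inside allocated memory. Absent such a caller, memcpy is the clearer choice; if one exists, say so in a comment at the call site so the memmove is not silently reverted later.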
From: sb at dcs.qmw.ac.uk (Sergio Brandano)
Date: Wed, 19 Jan 2000 11:38:43 +0000
Subject: your mail
In-Reply-To: Message from Bosko Radivojevic of "Tue, 18 Jan 2000 21:05:03 +0100."
References:
Message-ID: <200001191138.LAA10741@copper.dcs.qmw.ac.uk>

>> The problem is the following. I installed OpenSSH 1.2.1pre24-1 on my
>> --> ssh box2
>> You have no controlling tty. Cannot read passphrase.

> I had the same problem, but with some earlier prerelease. Try with
> pre27, it work for

I tried it. I still have that message.

Sergio

From sb at dcs.qmw.ac.uk Wed Jan 19 22:41:42 2000
From: sb at dcs.qmw.ac.uk (Sergio Brandano)
Date: Wed, 19 Jan 2000 11:41:42 +0000
Subject: your mail
In-Reply-To: Message from Bosko Radivojevic of "Tue, 18 Jan 2000 21:05:03 +0100."
References:
Message-ID: <200001191141.LAA11089@copper.dcs.qmw.ac.uk>

Anyway, is it possible to have the new Debian packages for it? I am
running both on i386 and ppc.

Thank you.

Sergio

From bent at clark.net Thu Jan 20 00:46:03 2000
From: bent at clark.net (Ben Taylor)
Date: Wed, 19 Jan 2000 08:46:03 -0500 (EST)
Subject: Error when compiling for Solaris 2.5.1
In-Reply-To: <3884FA5A.70703B09@sprintlabs.com>
Message-ID:

After getting past the previous problem reported with atomicio.c and the
u_int8_t problem, I've run into another problem with Solaris 2.5.1 when
compiling bsd-snprintf.c. Here is the output:

gcc -I/usr/local/ssl/include -Wall -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c bsd-snprintf.c
bsd-snprintf.c: In function `msetup':
bsd-snprintf.c:86: warning: implicit declaration of function `getpagesize'
bsd-snprintf.c:91: `x' undeclared (first use in this function)
bsd-snprintf.c:91: (Each undeclared identifier is reported only once
bsd-snprintf.c:91: for each function it appears in.)
bsd-snprintf.c:91: `y' undeclared (first use in this function)
bsd-snprintf.c:91: warning: left-hand operand of comma expression has no effect
bsd-snprintf.c: At top level:
bsd-snprintf.c:52: warning: `caught' defined but not used
*** Error code 1
make: Fatal error: Command failed for target `bsd-snprintf.o'

Notes: Even though getpagesize is in libc and has a man page, it is not
defined in as would be implied by the man page.

Ideas?

Thanks,
Ben

From mhw at wittsend.com Thu Jan 20 01:47:29 2000
From: mhw at wittsend.com (Michael H. Warfield)
Date: Wed, 19 Jan 2000 09:47:29 -0500
Subject: Potentially serious (but rare) issue with buffer.c and cipher.c
In-Reply-To: <20000119023917.A26901@rumpole.bohemians.lexington.ky.us>; from drankin@bohemians.lexington.ky.us on Wed, Jan 19, 2000 at 02:39:18AM -0500
References: <20000119023917.A26901@rumpole.bohemians.lexington.ky.us>
Message-ID: <20000119094729.B4831@alcove.wittsend.com>

Wait a minute here...

On Wed, Jan 19, 2000 at 02:39:18AM -0500, David Rankin wrote:

> While rototilling packet.c, I did some looking at cipher_encrypt in
> cipher.c. It ends up that for SSH_CIPHER_NONE in cipher_encrypt, it
> uses memcpy. However, it also appears that dest and src can be equal
> in cipher_encrypt.

> On most sane libc implementations, memcpy == memmove. However, ANSI C
> makes no such guarantee, and some implementations out there are bound
> to try to optimize memcpy eventually.

Check me on this... The danger in those routines has always been
overlapping regions. If the source and destination do not overlap, you
are safe, of course. If the source and destination are the same, you are
also safe since you are setting memory back to its original value.
Length limited functions such as memcpy were never in danger of runaway
conditions like strcpy was, but they could have unpredictable results in
memory if the source and destination were overlapping and non-congruent
(not identical).

If the src and dest can be equal, I don't see the problem. If they can
be non-equal but overlapping, then we have a potential problem.

> Therefore, I've hacked out the following patch to change what may be
> "dangerous" memcpy's to memmove. Take a look and see what you think.

I didn't look at it real close but it didn't look like it did any harm.
Is it going to cause any platform support and compatibility issues?

> Thanks,
> David
> --
> David W. Rankin, Jr. Husband, Father, and UNIX Sysadmin.
> Email: drankin at bohemians.lexington.ky.us Address/Phone Number: Ask me.
> "It is no great thing to be humble when you are brought low; but to be humble
> when you are praised is a great and rare accomplishment." St. Bernard

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!

From gene at ozob.net Thu Jan 20 03:46:43 2000
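Michael's distinction between identical and overlapping-but-distinct operands, as an added C illustration that is not code from this thread or from OpenSSH: naive_copy stands in for a memcpy implementation that assumes its operands never overlap (the volatile qualifiers keep the compiler from quietly replacing the loop with a library call), the three scenario functions exercise it on a constructed eight-byte sample, and copy_if_distinct is one shape the SSH_CIPHER_NONE site could take. All function and constant names here are this example's own.

```c
#include <stddef.h>
#include <string.h>

/*
 * A deliberately naive forward byte copy standing in for an unguarded
 * memcpy.  volatile prevents the compiler from recognising the loop and
 * substituting memmove/memcpy, so the naive behaviour is what runs.
 */
static void naive_copy(volatile unsigned char *dest,
                       const volatile unsigned char *src, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        dest[i] = src[i];
}

/* Constructed sample: "abcdef" in an 8-byte buffer.  Moving those six
 * bytes two positions to the right should yield "ababcdef". */
static const unsigned char SAMPLE[8]  = "abcdef";
static const unsigned char SHIFTED[9] = "ababcdef";

static int holds_shifted(const unsigned char *buf)
{
    return memcmp(buf, SHIFTED, 8) == 0;
}

/* dest == src: every byte is written back to itself, the buffer is
 * unchanged, and nothing can go wrong.  Returns 1 when that holds. */
int same_address_is_safe(void)
{
    unsigned char buf[8];
    memcpy(buf, SAMPLE, 8);
    naive_copy(buf, buf, 6);
    return memcmp(buf, SAMPLE, 8) == 0;
}

/* dest = src + 2 (overlapping, not identical): the forward copy reads
 * bytes it has already overwritten and produces "abababab".  Returns 1
 * only if the result is the correct "ababcdef", so 0 is expected. */
int overlap_naive_is_safe(void)
{
    unsigned char buf[8];
    memcpy(buf, SAMPLE, 8);
    naive_copy(buf + 2, buf, 6);
    return holds_shifted(buf);
}

/* Same overlapping operands through memmove, which is specified to
 * handle overlap; returns 1 because the result is "ababcdef". */
int overlap_memmove_is_safe(void)
{
    unsigned char buf[8];
    memcpy(buf, SAMPLE, 8);
    memmove(buf + 2, buf, 6);
    return holds_shifted(buf);
}

/* One way to write the null-cipher copy: skip the call when the operands
 * are the same object, and use memcpy otherwise.  Only appropriate when
 * the caller guarantees operands are either identical or disjoint; for
 * partially overlapping buffers memmove is still required.  Returns the
 * number of bytes copied. */
size_t copy_if_distinct(unsigned char *dest, const unsigned char *src, size_t len)
{
    if (dest == src)
        return 0;
    memcpy(dest, src, len);
    return len;
}

/* Self-check for copy_if_distinct: identical operands are skipped,
 * disjoint operands are copied.  Returns 1 on pass. */
int copy_if_distinct_selfcheck(void)
{
    unsigned char a[8], b[8];
    memcpy(a, SAMPLE, 8);
    memset(b, 0, 8);
    if (copy_if_distinct(a, a, 8) != 0)
        return 0;
    if (copy_if_distinct(b, a, 8) != 8)
        return 0;
    return memcmp(a, b, 8) == 0;
}
```

The second scenario is the "non-congruent" case Michael describes: the damage is silent data corruption inside the buffer, not a runaway write, which is why a length-limited copy can be wrong without being a memory-safety bug in the usual sense.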
From: gene at ozob.net (Gene Imes)
Date: Wed, 19 Jan 2000 10:46:43 -0600 (CST)
Subject: Failed password
In-Reply-To: <20000115105125.A710@internal.domain>
Message-ID:

On Sat, 15 Jan 2000, Andre Lucas wrote:

> Gene,
>
> I can't find your previous post in my mailbox. Did it have some more
> information than this one? Which platform(s) you running on would be
> helpful. The version(s) of openssh would be useful too.

Ok, I am a nitwit. I compiled openssh-1.2.1pre25.tar.gz with
openssl-0.9.4.tar.gz on a Slackware 7.0 Linux box.

> If you're using Solaris or Linux and running PAM, it's possible that you
> haven't installed the PAM support file, included in the
> distribution. See INSTALL for details.

I don't use PAM. The original details are below. Thanks for the help.

> On Fri, Jan 14, 2000 at 03:51:53PM -0600, Gene Imes wrote:
> >
> > I run sshd -d and try to login from another machine and this is what
> > happens:
> >
> > gene at bubba:/usr/include/asm> sudo sshd -d
> > Password:
> > debug: sshd version OpenSSH-1.2.1
> > Server listening on port 22.
> > Generating 768 bit RSA key.
> > RSA key generation complete.
> > debug: Server will not fork when running in debugging mode.
> > Connection from 216.131.4.131 port 1023
> > debug: Client protocol version 1.5; client software version 1.2.27
> > debug: Sent 768 bit public key and 1024 bit host key.
> > debug: Encryption type: 3des
> > debug: Received session key; encryption turned on.
> > debug: Installing crc compensation attack detector.
> > debug: Attempting authentication for gene.
> > Failed password for gene from 216.131.4.131 port 1023
> > Connection closed by 216.131.4.131
> > debug: Calling cleanup 0x805724c(0x0)
> >
> > The password is correct though.
> >
> > Please email me a reply, I am not subscribed.
> >
> > Thanks,
> > ::::: Gene Imes http://www.ozob.net :::::

From gene at ozob.net Thu Jan 20 03:56:19 2000
From: gene at ozob.net (Gene Imes)
Date: Wed, 19 Jan 2000 10:56:19 -0600 (CST)
Subject: Failed password
In-Reply-To:
Message-ID:

On Sun, 16 Jan 2000, Damien Miller wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, 14 Jan 2000, Gene Imes wrote:
>
> > I may have posted this before but got no reply.
> >
> > I run sshd -d and try to login from another machine and this is what
> > happens:
>
> You will need to supply a lot more information. What OS are you
> using? What options OpenSSH was compiled with? Are you using PAM?
> Shadowed passwords? NIS?
>
> Regards,
> Damien Miller

Sorry for the lack of details. This is what happens:

root at bubba:/usr/src/openssh-1.2.1pre25# sshd -d
debug: sshd version OpenSSH-1.2.1
Server listening on port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 216.131.4.131 port 1023
debug: Client protocol version 1.5; client software version 1.2.27
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.

I try to login from remote machine:

debug: Attempting authentication for gene.
Failed password for gene from 216.131.4.131 port 1023
Connection closed by 216.131.4.131
debug: Calling cleanup 0x805724c(0x0)

sshd terminates. On remote machine:

Permission denied.

I compiled openssh-1.2.1pre25.tar.gz with openssl-0.9.4.tar.gz and
configured openssh like so:

./configure --prefix=/usr --sysconfdir=/etc --without-pam

This is on a Slackware 7.0 Linux box, no PAM, with shadowed passwords,
and no NIS.

Thanks for any help.

::::: Gene Imes http://www.ozob.net :::::

From v2matt at btv.ibm.com Thu Jan 20 04:33:55 2000
From: v2matt at btv.ibm.com (Matt Richards)
Date: Wed, 19 Jan 2000 12:33:55 -0500
Subject: AIX openssh patches
Message-ID: <20000119123354.D23506@btv.ibm.com>

I have a few patches for AIX. The patchfile is attached below. The patch
has been tested on AIX4.2 and AIX4.3. The patch is on openssh-1.2.1pre25,
with openssl-0.94, using RSAref.

1) authenticate support - this function allows the system to determine
   authentication. Whatever the system allows for login, authenticate
   will too. It doesn't matter whether it is AFS, DFS, SecureID, local.

2) loginsuccess - this function will log to /etc/security/lastlog as
   well as clear the failed logins.

3) loginfailed - this function will increase the number of failed logins
   and update /etc/security/lastlog and /etc/security/failedlogins.

4) loginrestrictions - this function will determine if a user is allowed
   to login (ie too many failed logins, account disabled, etc). This
   function is used in conjunction with authenticate.

5) SOCKS5 and SOCKS4 support.

6) Support for the system random function instead of egd or /dev/urandom.

There is one fix that should be put in. In sshd.c, function do_authloop,
client_user needs to be set to NULL after the xfree. There is a double
free happening here.

*** acconfig.h.DIST Tue Jan 11 09:38:15 2000 --- acconfig.h Tue Jan 11 12:11:02 2000 *************** *** 12,17 **** --- 12,23 ---- /* Define if you want to disable PAM support */ #undef DISABLE_PAM + /* Define if you want to disable AIX4's authenticate function */ + #undef WITH_AIXAUTHENTICATE + + /* Define if you want to use system random */ + #undef USE_SYSRANDOM + /* Define if you want to disable lastlog support */ #undef DISABLE_LASTLOG *************** *** 29,34 **** --- 35,69 ---- /* Define if using the Dante SOCKS library. */ #undef HAVE_DANTE + + /* Define this if compiling with SOCKS (the firewall traversal library). 
*/ + #undef SOCKS + #undef SOCKS4 + #undef SOCKS5 + + #undef Rconnect + #undef Rgetsockname + #undef Rgetpeername + #undef Rbind + #undef Raccept + #undef Rlisten + #undef Rselect + #undef Rrecvfrom + #undef Rsendto + #undef Rrecv + #undef Rsend + #undef Rread + #undef Rwrite + #undef Rrresvport + #undef Rshutdown + #undef Rlisten + #undef Rclose + #undef Rdup + #undef Rdup2 + #undef Rfclose + #undef Rgethostbyname + + /* Define if your ssl headers are included with #include */ #undef HAVE_SSL *** auth-passwd.c.DIST Tue Jan 11 09:19:33 2000 --- auth-passwd.c Tue Jan 11 09:45:13 2000 *************** *** 18,23 **** --- 18,27 ---- #include "servconf.h" #include "xmalloc.h" + #ifdef WITH_AIXAUTHENTICATE + #include + #endif + #ifdef HAVE_SHADOW_H # include #endif *************** *** 40,45 **** --- 44,55 ---- struct spwd *spw; #endif + #ifdef WITH_AIXAUTHENTICATE + char *authmsg; + char *loginmsg; + int reenter = 1; + #endif + /* deny if no user. */ if (pw == NULL) return 0; *************** *** 55,60 **** --- 65,79 ---- return ret; /* Fall back to ordinary passwd authentication. 
*/ } + #endif + #ifdef WITH_AIXAUTHENTICATE + + if ( (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0) && + (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) == 0)) + return 1; + else + return 0; + #endif #ifdef KRB4 if (options.kerberos_authentication == 1) { *** bsd-misc.c.DIST Tue Jan 11 09:48:36 2000 --- bsd-misc.c Wed Jan 19 08:29:59 2000 *************** *** 52,61 **** --- 52,67 ---- #include "ssh.h" #include "bsd-misc.h" + #if 0 #ifndef offsetof #define offsetof(type, member) ((size_t) &((type *)0)->member) #endif + #endif + #ifdef USE_SYSRANDOM + #include + #endif + #ifndef HAVE_ARC4RANDOM typedef struct *************** *** 135,140 **** --- 141,156 ---- void get_random_bytes(unsigned char *buf, int len) { + + #ifdef USE_SYSRANDOM + int index; + + srandom(time(NULL) + getpid()); + + for (index = 0; index < len+1; index++) { + buf[index] = rand()%255; + } + #else /* USE_SYSRANDOM */ static int random_pool; int c; #ifdef HAVE_EGD *************** *** 184,189 **** --- 200,206 ---- fatal("Couldn't read from random pool \"%s\": %s", RANDOM_POOL, strerror(errno)); close(random_pool); + #endif /* USE_SYSRANDOM */ } #endif /* !HAVE_ARC4RANDOM */ *** canohost.c.DIST Wed Jan 19 11:00:42 2000 --- canohost.c Wed Jan 19 11:01:09 2000 *************** *** 29,35 **** get_remote_hostname(int socket) { struct sockaddr_in from; ! int fromlen, i; struct hostent *hp; char name[MAXHOSTNAMELEN]; --- 29,40 ---- get_remote_hostname(int socket) { struct sockaddr_in from; ! #ifdef _AIX ! unsigned long fromlen; ! #else ! int fromlen; ! #endif ! int i; struct hostent *hp; char name[MAXHOSTNAMELEN]; *************** *** 116,122 **** { unsigned char options[200], *ucp; char text[1024], *cp; ! int option_size, ipproto; struct protoent *ip; if ((ip = getprotobyname("ip")) != NULL) --- 121,132 ---- { unsigned char options[200], *ucp; char text[1024], *cp; ! #ifdef _AIX ! unsigned long option_size; ! #else ! int option_size; ! #endif ! 
int ipproto; struct protoent *ip; if ((ip = getprotobyname("ip")) != NULL) *************** *** 149,155 **** --- 159,169 ---- peer_connection_is_on_socket() { struct sockaddr_in from; + #ifdef _AIX + unsigned long fromlen; + #else int fromlen; + #endif int in = packet_get_connection_in(); int out = packet_get_connection_out(); *************** *** 197,203 **** get_remote_ipaddr() { struct sockaddr_in from; ! int fromlen, socket; /* Check whether we have chached the name. */ if (canonical_host_ip != NULL) --- 211,222 ---- get_remote_ipaddr() { struct sockaddr_in from; ! #ifdef _AIX ! unsigned long fromlen; ! #else ! int fromlen; ! #endif ! int socket; /* Check whether we have chached the name. */ if (canonical_host_ip != NULL) *************** *** 231,237 **** --- 250,260 ---- get_peer_port(int sock) { struct sockaddr_in from; + #ifdef _AIX + unsigned long fromlen; + #else int fromlen; + #endif /* Get IP address of client. */ fromlen = sizeof(from); *** channels.c.DIST Tue Jan 11 12:16:35 2000 --- channels.c Wed Jan 19 11:01:32 2000 *************** *** 374,380 **** channel_after_select(fd_set * readset, fd_set * writeset) { struct sockaddr addr; ! int addrlen, newsock, i, newch, len; Channel *ch; char buf[16384], *remote_hostname; --- 374,385 ---- channel_after_select(fd_set * readset, fd_set * writeset) { struct sockaddr addr; ! #ifdef _AIX ! unsigned long addrlen; ! #else ! int addrlen; ! #endif ! int newsock, i, newch, len; Channel *ch; char buf[16384], *remote_hostname; *************** *** 1005,1011 **** struct sockaddr_in sin; char *host, *originator_string; struct hostent *hp; ! int host_len, originator_len; /* Get remote channel number. */ remote_channel = packet_get_int(); --- 1010,1016 ---- struct sockaddr_in sin; char *host, *originator_string; struct hostent *hp; ! unsigned int host_len, originator_len; /* Get remote channel number. 
*/ remote_channel = packet_get_int(); *************** *** 1257,1263 **** struct sockaddr_in sin; char buf[1024], *cp, *remote_host; struct hostent *hp; ! int remote_len; /* Get remote channel number. */ remote_channel = packet_get_int(); --- 1262,1268 ---- struct sockaddr_in sin; char buf[1024], *cp, *remote_host; struct hostent *hp; ! unsigned int remote_len; /* Get remote channel number. */ remote_channel = packet_get_int(); *** cipher.c.DIST Tue Jan 11 09:45:57 2000 --- cipher.c Tue Jan 11 09:46:35 2000 *************** *** 111,117 **** void (*cipher_attack_detected) (const char *fmt,...) = fatal; ! static inline void detect_cbc_attack(const unsigned char *src, unsigned int len) { --- 111,122 ---- void (*cipher_attack_detected) (const char *fmt,...) = fatal; ! #ifdef _AIX ! static __inline ! #else ! static inline ! #endif ! void detect_cbc_attack(const unsigned char *src, unsigned int len) { *** config.h.in.DIST Tue Jan 11 09:40:43 2000 --- config.h.in Wed Jan 19 11:01:42 2000 *************** *** 15,20 **** --- 15,26 ---- /* Define if you want to disable PAM support */ #undef DISABLE_PAM + /* Define if you want AIX4's authenticate function */ + #undef WITH_AIXAUTHENTICATE + + /* Define if you want to use system random */ + #undef USE_SYSRANDOM + /* Define if you want to disable lastlog support */ #undef DISABLE_LASTLOG *************** *** 33,38 **** --- 39,72 ---- /* Define if using the Dante SOCKS library. */ #undef HAVE_DANTE + /* Define this if compiling with SOCKS (the firewall traversal library). 
*/ + #undef SOCKS + #undef SOCKS4 + #undef SOCKS5 + + #undef Rconnect + #undef Rgetsockname + #undef Rgetpeername + #undef Rbind + #undef Raccept + #undef Rlisten + #undef Rselect + #undef Rrecvfrom + #undef Rsendto + #undef Rrecv + #undef Rsend + #undef Rread + #undef Rwrite + #undef Rrresvport + #undef Rshutdown + #undef Rlisten + #undef Rclose + #undef Rdup + #undef Rdup2 + #undef Rfclose + #undef Rgethostbyname + + /* Define if your ssl headers are included with #include */ #undef HAVE_SSL *************** *** 295,298 **** #include "defines.h" ! #endif _CONFIG_H --- 329,332 ---- #include "defines.h" ! #endif *** configure.DIST Tue Jan 11 09:20:43 2000 --- configure Tue Jan 11 12:09:34 2000 *************** *** 16,21 **** --- 16,23 ---- ac_help="$ac_help --without-pam Disable PAM support " ac_help="$ac_help + --with-aixauthenticate Use AIX4's authenticate function" + ac_help="$ac_help --with-gnome-askpass Build the GNOME passphrase requester (default=no)" ac_help="$ac_help --with-random=FILE read randomness from FILE (default=/dev/urandom)" *************** *** 26,31 **** --- 28,39 ---- ac_help="$ac_help --with-dante=DIR Use Dante SOCKS lib (default is system library path)" ac_help="$ac_help + --with-socks Compile with SOCKS firewall traversal support." + ac_help="$ac_help + --with-socks5[=PATH] Compile with SOCKS5 firewall traversal support." + ac_help="$ac_help + --with-socks4[=PATH] Compile with SOCKS4 firewall traversal support." + ac_help="$ac_help --with-kerberos4=PATH Enable Kerberos 4 support" ac_help="$ac_help --with-afs=PATH Enable AFS support" *************** *** 2245,2250 **** --- 2253,2282 ---- rm -f conftest* fi + # check for the AIX authenticate + echo $ac_n "checking whether to use AIX authenticate""... $ac_c" 1>&6 + echo "configure:XXXX: checking whether to use AIX authenticate" >&5 + # Check whether --with-aixauthenticate or --without-aixauthenticate was given. 
+ if test "${with_aixauthenticate+set}" = set; then + withval="$with_aixauthenticate" + case "$withval" in + yes) + echo "$ac_t""yes" 1>&6 + cat >> confdefs.h <<\EOF + #define WITH_AIXAUTHENTICATE 1 + EOF + LIBS="$LIBS -ls" + ;; + *) + echo "$ac_t""no" 1>&6 + ;; + esac + else + echo "$ac_t""no" 1>&6 + + fi + + echo $ac_n "checking whether to build GNOME ssh-askpass""... $ac_c" 1>&6 echo "configure:2250: checking whether to build GNOME ssh-askpass" >&5 # Check whether --with-gnome-askpass or --without-gnome-askpass was given. *************** *** 2335,2345 **** fi - if test -z "$RANDOM_POOL" -a -z "$EGD_POOL"; then - { echo "configure: error: No random device found, and no EGD random pool specified" 1>&2; exit 1; } fi echo $ac_n "checking whether utmp.h has ut_host field""... $ac_c" 1>&6 echo "configure:2345: checking whether utmp.h has ut_host field" >&5 cat > conftest.$ac_ext <&6 + cat >> confdefs.h <<\EOF + #define USE_SYSRANDOM 1 + EOF fi + + echo $ac_n "checking whether utmp.h has ut_host field""... $ac_c" 1>&6 echo "configure:2345: checking whether utmp.h has ut_host field" >&5 cat > conftest.$ac_ext <&6 + ;; + yes) + echo "$ac_t""yes" 1>&6 + echo $ac_n "checking for SOCKSconnect in -lsocks5""... 
$ac_c" 1>&6 + echo "configure:6842: checking for SOCKSconnect in -lsocks5" >&5 + ac_lib_var=`echo socks5'_'SOCKSconnect | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + ac_save_LIBS="$LIBS" + LIBS="-lsocks5 $LIBS" + cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" + fi + rm -f conftest* + LIBS="$ac_save_LIBS" + + fi + if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + + socks=5 + LIBS="-lsocks5 $LIBS" + else + echo "$ac_t""no" 1>&6 + + echo $ac_n "checking for Rconnect in -lsocks""... $ac_c" 1>&6 + echo "configure:6883: checking for Rconnect in -lsocks" >&5 + ac_lib_var=`echo socks'_'Rconnect | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + ac_save_LIBS="$LIBS" + LIBS="-lsocks $LIBS" + cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" + fi + rm -f conftest* + LIBS="$ac_save_LIBS" + + fi + if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + + socks=4 + LIBS="-lsocks $LIBS" + else + echo "$ac_t""no" 1>&6 + + { echo "configure: error: Could not find socks library. You must first install socks." 1>&2; exit 1; } + fi + + fi + + ;; + esac + else + echo "$ac_t""no" 1>&6 + + fi + + + if test "x$socks" = "x"; then + echo $ac_n "checking whether to support SOCKS5""... 
$ac_c" 1>&6 + echo "configure:6938: checking whether to support SOCKS5" >&5 + # Check whether --with-socks5 or --without-socks5 was given. + if test "${with_socks5+set}" = set; then + withval="$with_socks5" + case "$withval" in + no) + echo "$ac_t""no" 1>&6 + ;; + *) + echo "$ac_t""yes" 1>&6 + socks=5 + if test "x$withval" = "xyes"; then + withval="-lsocks5" + else + if test -d "$withval"; then + if test -d "$withval/include"; then + CFLAGS="$CFLAGS -I$withval/include" + else + CFLAGS="$CFLAGS -I$withval" + fi + if test -d "$withval/lib"; then + withval="-L$withval/lib -lsocks5" + else + withval="-L$withval -lsocks5" + fi + fi + fi + LIBS="$withval $LIBS" + # If Socks was compiled with Kerberos support, we will need + # to link against kerberos libraries. Temporarily append + # to LIBS. This is harmless if there is no kerberos support. + TMPLIBS="$LIBS" + LIBS="$LIBS $KERBEROS_LIBS" + cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest; then + : + else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + { echo "configure: error: Could not find the $withval library. You must first install socks5." 1>&2; exit 1; } + fi + rm -f conftest* + LIBS="$TMPLIBS" + ;; + esac + else + echo "$ac_t""no" 1>&6 + + fi + + fi + + if test "x$socks" = "x"; then + echo $ac_n "checking whether to support SOCKS4""... $ac_c" 1>&6 + echo "configure:7000: checking whether to support SOCKS4" >&5 + # Check whether --with-socks4 or --without-socks4 was given. 
+ if test "${with_socks4+set}" = set; then + withval="$with_socks4" + case "$withval" in + no) + echo "$ac_t""no" 1>&6 + ;; + *) + echo "$ac_t""yes" 1>&6 + socks=4 + if test "x$withval" = "xyes"; then + withval="-lsocks" + else + if test -d "$withval"; then + withval="-L$withval -lsocks" + fi + fi + LIBS="$withval $LIBS" + cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest; then + : + else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + { echo "configure: error: Could not find the $withval library. You must first install socks." 1>&2; exit 1; } + fi + rm -f conftest* + ;; + esac + else + echo "$ac_t""no" 1>&6 + + fi + + fi + + + + if test "x$socks" = "x4"; then + cat >> confdefs.h <<\EOF + #define SOCKS 1 + EOF + + cat >> confdefs.h <<\EOF + #define SOCKS4 1 + EOF + + fi + + if test "x$socks" = "x5"; then + cat >> confdefs.h <<\EOF + #define SOCKS 1 + EOF + + cat >> confdefs.h <<\EOF + #define SOCKS5 1 + EOF + + cat >> confdefs.h <<\EOF + #define Rconnect SOCKSconnect + EOF + + cat >> confdefs.h <<\EOF + #define Rgetsockname SOCKSgetsockname + EOF + + cat >> confdefs.h <<\EOF + #define Rgetpeername SOCKSgetpeername + EOF + + cat >> confdefs.h <<\EOF + #define Rbind SOCKSbind + EOF + + cat >> confdefs.h <<\EOF + #define Raccept SOCKSaccept + EOF + + cat >> confdefs.h <<\EOF + #define Rlisten SOCKSlisten + EOF + + cat >> confdefs.h <<\EOF + #define Rselect SOCKSselect + EOF + + cat >> confdefs.h <<\EOF + #define Rrecvfrom SOCKSrecvfrom + EOF + + cat >> confdefs.h <<\EOF + #define Rsendto SOCKSsendto + EOF + + cat >> confdefs.h <<\EOF + #define Rrecv SOCKSrecv + EOF + + cat >> confdefs.h <<\EOF + #define Rsend SOCKSsend + EOF + + cat >> confdefs.h <<\EOF + #define Rread SOCKSread + EOF + + cat >> confdefs.h <<\EOF + #define Rwrite SOCKSwrite + EOF + + cat >> confdefs.h <<\EOF + #define Rrresvport SOCKSrresvport + EOF + + cat >> confdefs.h <<\EOF + #define Rshutdown SOCKSshutdown + EOF + + cat >> 
confdefs.h <<\EOF + #define Rlisten SOCKSlisten + EOF + + cat >> confdefs.h <<\EOF + #define Rclose SOCKSclose + EOF + + cat >> confdefs.h <<\EOF + #define Rdup SOCKSdup + EOF + + cat >> confdefs.h <<\EOF + #define Rdup2 SOCKSdup2 + EOF + + cat >> confdefs.h <<\EOF + #define Rfclose SOCKSfclose + EOF + + cat >> confdefs.h <<\EOF + #define Rgethostbyname SOCKSgethostbyname + EOF fi *** configure.in.DIST Tue Jan 11 09:39:21 2000 --- configure.in Tue Jan 11 09:40:15 2000 *************** *** 234,239 **** --- 234,256 ---- ) fi + AC_ARG_WITH(aixauthenticate, + [ --with-aixauthenticate Include AIX authenticate support + --without-aixauthenticate Don't include AIX authenticate support (default)], + [ case "$withval" in + yes) + AC_MSG_RESULT(yes) + AC_DEFINE(WITH_AIXAUTHENTICATE) + LIBS="$LIBS -ls" + ;; + *) + AC_MSG_RESULT(no) + ;; + esac ], + AC_MSG_RESULT(no) + ) + + AC_MSG_CHECKING([whether to build GNOME ssh-askpass]) dnl Check whether user wants GNOME ssh-askpass AC_ARG_WITH(gnome-askpass, *** ssh-agent.c.DIST Mon Jan 3 07:41:05 2000 --- ssh-agent.c Wed Jan 19 11:01:59 2000 *************** *** 416,422 **** after_select(fd_set *readset, fd_set *writeset) { unsigned int i; ! int len, sock; char buf[1024]; struct sockaddr_un sunaddr; --- 416,427 ---- after_select(fd_set *readset, fd_set *writeset) { unsigned int i; ! #ifdef _AIX ! unsigned long len; ! #else ! int len; ! #endif ! int sock; char buf[1024]; struct sockaddr_un sunaddr; *** ssh-keygen.c.DIST Wed Nov 24 19:54:59 1999 --- ssh-keygen.c Wed Jan 19 11:02:18 2000 *************** *** 101,107 **** if (f && fgets(line, sizeof(line), f)) { cp = line; line[strlen(line) - 1] = '\0'; ! if (auth_rsa_read_key(&cp, &dummy, e, n)) { public_key->e = e; public_key->n = n; comment = xstrdup(cp ? cp : "no comment"); --- 101,107 ---- if (f && fgets(line, sizeof(line), f)) { cp = line; line[strlen(line) - 1] = '\0'; ! 
if (auth_rsa_read_key(&cp, (unsigned int *)&dummy, e, n)) { public_key->e = e; public_key->n = n; comment = xstrdup(cp ? cp : "no comment"); *** ssh.c.DIST Tue Jan 11 12:13:59 2000 --- ssh.c Tue Jan 11 12:15:16 2000 *************** *** 207,212 **** --- 207,216 ---- /* Save our own name. */ av0 = av[0]; + #ifdef SOCKS + SOCKSinit(av0); + #endif /* SOCKS */ + /* Initialize option structure to indicate that no values have been set. */ initialize_options(&options); *** sshconnect.c.DIST Tue Jan 11 09:54:21 2000 --- sshconnect.c Wed Jan 19 11:03:46 2000 *************** *** 142,172 **** int ssh_create_socket(uid_t original_real_uid, int privileged) { ! int sock; ! /* ! * If we are running as root and want to connect to a privileged ! * port, bind our own socket to a privileged port. ! */ ! if (privileged) { ! int p = IPPORT_RESERVED - 1; ! sock = rresvport(&p); ! if (sock < 0) ! fatal("rresvport: %.100s", strerror(errno)); ! debug("Allocated local port %d.", p); ! } else { ! /* ! * Just create an ordinary socket on arbitrary port. We use ! * the user's uid to create the socket. ! */ ! temporarily_use_uid(original_real_uid); ! sock = socket(AF_INET, SOCK_STREAM, 0); ! if (sock < 0) ! fatal("socket: %.100s", strerror(errno)); ! restore_uid(); ! } ! return sock; } /* --- 142,193 ---- int ssh_create_socket(uid_t original_real_uid, int privileged) { ! int sock; ! /* If we are running as root and want to connect to a privileged port, ! bind our own socket to a privileged port. */ ! if (0) ! { ! struct sockaddr_in sin; ! int p; ! for (p = 1023; p > 512; p--) ! { ! sock = socket(AF_INET, SOCK_STREAM, 0); ! if (sock < 0) ! fatal("socket: %.100s", strerror(errno)); ! ! /* Initialize the desired sockaddr_in structure. */ ! memset(&sin, 0, sizeof(sin)); ! sin.sin_family = AF_INET; ! sin.sin_addr.s_addr = INADDR_ANY; ! sin.sin_port = htons(p); ! /* Try to bind the socket to the privileged port. */ ! #if defined(SOCKS) ! if (Rbind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0) ! 
break; /* Success. */ ! #else /* SOCKS */ ! if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0) ! break; /* Success. */ ! #endif /* SOCKS */ ! if (errno == EADDRINUSE) ! { ! close(sock); ! continue; ! } ! fatal("bind: %.100s", strerror(errno)); ! } ! debug("Allocated local port %d.", p); ! } ! else ! { ! /* Just create an ordinary socket on arbitrary port. */ ! sock = socket(AF_INET, SOCK_STREAM, 0); ! if (sock < 0) ! fatal("socket: %.100s", strerror(errno)); ! } ! return sock; ! } /* *************** *** 241,247 **** --- 262,272 ---- * tcp_wrappers showing the remote uid as root. */ temporarily_use_uid(original_real_uid); + #if defined(SOCKS) + if (Rconnect(sock, (struct sockaddr *) hostaddr, sizeof(*hostaddr)) + #else if (connect(sock, (struct sockaddr *) hostaddr, sizeof(*hostaddr)) + #endif >= 0) { /* Successful connect. */ restore_uid(); *************** *** 257,263 **** --- 282,292 ---- /* Not a valid numeric inet address. */ /* Map host name to an address. */ if (!hp) + #if defined(SOCKS5) + hp = Rgethostbyname(host); + #else hp = gethostbyname(host); + #endif if (!hp) fatal("Bad host name: %.100s", host); if (!hp->h_addr_list[0]) *************** *** 287,293 **** --- 316,326 ---- * root. */ temporarily_use_uid(original_real_uid); + #if defined(SOCKS) + if (Rconnect(sock, (struct sockaddr *) hostaddr, + #else if (connect(sock, (struct sockaddr *) hostaddr, + #endif sizeof(*hostaddr)) >= 0) { /* Successful connection. */ restore_uid(); *************** *** 916,922 **** debug("No challenge for skey authentication."); return 0; } ! challenge = packet_get_string(&payload_len); if (options.cipher == SSH_CIPHER_NONE) log("WARNING: Encryption is disabled! " "Reponse will be transmitted in clear text."); --- 949,955 ---- debug("No challenge for skey authentication."); return 0; } ! challenge = packet_get_string((unsigned int *)&payload_len); if (options.cipher == SSH_CIPHER_NONE) log("WARNING: Encryption is disabled! 
" "Reponse will be transmitted in clear text."); *** sshd.c.DIST Tue Jan 11 09:55:44 2000 --- sshd.c Wed Jan 19 11:05:02 2000 *************** *** 277,283 **** { extern char *optarg; extern int optind; ! int opt, aux, sock_in, sock_out, newsock, i, pid, on = 1; int remote_major, remote_minor; int silentrsa = 0; struct pollfd fds; --- 277,288 ---- { extern char *optarg; extern int optind; ! #ifdef _AIX ! unsigned long aux; ! #else ! int aux; ! #endif ! int opt, sock_in, sock_out, newsock, i, pid, on = 1; int remote_major, remote_minor; int silentrsa = 0; struct pollfd fds; *************** *** 988,994 **** packet_read_expect(&plen, SSH_CMSG_USER); /* Get the user name. */ ! user = packet_get_string(&ulen); packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER); /* Destroy the private and public keys. They will no longer be needed. */ --- 993,999 ---- packet_read_expect(&plen, SSH_CMSG_USER); /* Get the user name. */ ! user = packet_get_string((unsigned int*)&ulen); packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER); /* Destroy the private and public keys. They will no longer be needed. */ *************** *** 997,1002 **** --- 1002,1008 ---- RSA_free(sensitive_data.host_key); setproctitle("%s", user); + /* Do the authentication. */ do_authentication(user); } *************** *** 1084,1089 **** --- 1090,1099 ---- { struct passwd *pw, pwcopy; + #ifdef _AIX + char *loginmsg; + #endif + #ifdef AFS /* If machine has AFS, set process authentication group. */ if (k_hasafs()) { *************** *** 1092,1097 **** --- 1102,1109 ---- } #endif /* AFS */ + pw = (struct passwd *) malloc (sizeof(struct passwd)); + /* Verify that the user is a valid user. */ pw = getpwnam(user); if (!pw || !allowed_user(pw)) *************** *** 1133,1138 **** --- 1145,1151 ---- /* Authentication with empty password succeeded. 
*/ log("Login for user %s from %.100s, accepted without authentication.", pw->pw_name, get_remote_ipaddr()); + } else { /* Loop until the user has been authenticated or the connection is closed, do_authloop() returns only if *************** *** 1142,1148 **** /* Check if the user is logging in as root and root logins are disallowed. */ if (pw->pw_uid == 0 && !options.permit_root_login) { ! if (forced_command) log("Root login accepted for forced command."); else packet_disconnect("ROOT LOGIN REFUSED FROM %.200s", --- 1155,1161 ---- /* Check if the user is logging in as root and root logins are disallowed. */ if (pw->pw_uid == 0 && !options.permit_root_login) { ! if (forced_command) log("Root login accepted for forced command."); else packet_disconnect("ROOT LOGIN REFUSED FROM %.200s", *************** *** 1149,1154 **** --- 1162,1170 ---- get_canonical_hostname()); } /* The user has been authenticated and accepted. */ + #ifdef _AIX + loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg); + #endif packet_start(SSH_SMSG_SUCCESS); packet_send(); packet_write_wait(); *************** *** 1178,1183 **** --- 1194,1200 ---- int type = 0; void (*authlog) (const char *fmt,...) = verbose; + /* Indicate that authentication is needed. */ packet_start(SSH_SMSG_FAILURE); packet_send(); *************** *** 1261,1267 **** * authentication is insecure. (Another is * IP-spoofing on a local network.) */ ! client_user = packet_get_string(&ulen); packet_integrity_check(plen, 4 + ulen, type); /* Try to authenticate using /etc/hosts.equiv and --- 1278,1284 ---- * authentication is insecure. (Another is * IP-spoofing on a local network.) */ ! client_user = packet_get_string((unsigned int *)&ulen); packet_integrity_check(plen, 4 + ulen, type); /* Try to authenticate using /etc/hosts.equiv and *************** *** 1281,1287 **** * trust the client; root on the client machine can * claim to be any user. */ ! client_user = packet_get_string(&ulen); /* Get the client host key. 
*/ client_host_key_e = BN_new(); --- 1298,1304 ---- * trust the client; root on the client machine can * claim to be any user. */ ! client_user = packet_get_string((unsigned int *)&ulen); /* Get the client host key. */ client_host_key_e = BN_new(); *************** *** 1326,1332 **** * transmitted over the encrypted channel so it is * not visible to an outside observer. */ ! password = packet_get_string(&dlen); packet_integrity_check(plen, 4 + dlen, type); #ifdef USE_PAM --- 1343,1349 ---- * transmitted over the encrypted channel so it is * not visible to an outside observer. */ ! password = packet_get_string((unsigned int *)&dlen); packet_integrity_check(plen, 4 + dlen, type); #ifdef USE_PAM *************** *** 1405,1430 **** #ifdef USE_PAM if (!do_pam_account(pw->pw_name, client_user)) { ! if (client_user != NULL) xfree(client_user); do_fake_authloop(pw->pw_name); } #endif /* USE_PAM */ return; ! } ! if (client_user != NULL) xfree(client_user); if (attempt > AUTH_FAIL_MAX) packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); /* Send a message indicating that the authentication attempt failed. */ packet_start(SSH_SMSG_FAILURE); packet_send(); packet_write_wait(); } } /* --- 1422,1463 ---- #ifdef USE_PAM if (!do_pam_account(pw->pw_name, client_user)) { ! if (client_user != NULL) { xfree(client_user); + client_user = NULL; + } do_fake_authloop(pw->pw_name); } #endif /* USE_PAM */ return; ! } ! /* HEAP*/ ! #if 1 ! if (client_user != NULL) { xfree(client_user); + client_user = NULL; + } + #endif if (attempt > AUTH_FAIL_MAX) packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); /* Send a message indicating that the authentication attempt failed. 
*/ + #ifdef _AIX + if (strncmp(get_authname(type),"password", + strlen(get_authname(type))) == 0) + loginfailed(pw->pw_name,get_canonical_hostname(),"ssh"); + #endif + packet_start(SSH_SMSG_FAILURE); packet_send(); packet_write_wait(); } + + + } /* *************** *** 1603,1609 **** ttyname, tty_mode, strerror(errno)); /* Get TERM from the packet. Note that the value may be of arbitrary length. */ ! term = packet_get_string(&dlen); packet_integrity_check(dlen, strlen(term), type); /* packet_integrity_check(plen, 4 + dlen + 4*4 + n_bytes, type); */ /* Remaining bytes */ --- 1636,1642 ---- ttyname, tty_mode, strerror(errno)); /* Get TERM from the packet. Note that the value may be of arbitrary length. */ ! term = packet_get_string((unsigned int *)&dlen); packet_integrity_check(dlen, strlen(term), type); /* packet_integrity_check(plen, 4 + dlen + 4*4 + n_bytes, type); */ /* Remaining bytes */ *************** *** 1648,1655 **** packet_disconnect("Protocol error: X11 display already set."); { int proto_len, data_len; ! proto = packet_get_string(&proto_len); ! data = packet_get_string(&data_len); packet_integrity_check(plen, 4 + proto_len + 4 + data_len + 4, type); } if (packet_get_protocol_flags() & SSH_PROTOFLAG_SCREEN_NUMBER) --- 1681,1688 ---- packet_disconnect("Protocol error: X11 display already set."); { int proto_len, data_len; ! proto = packet_get_string((unsigned int *)&proto_len); ! data = packet_get_string((unsigned int *)&data_len); packet_integrity_check(plen, 4 + proto_len + 4 + data_len + 4, type); } if (packet_get_protocol_flags() & SSH_PROTOFLAG_SCREEN_NUMBER) *************** *** 1732,1738 **** /* Get command from the packet. */ { int dlen; ! command = packet_get_string(&dlen); debug("Executing command '%.500s'", command); packet_integrity_check(plen, 4 + dlen, type); } --- 1765,1771 ---- /* Get command from the packet. */ { int dlen; ! 
command = packet_get_string((unsigned int *)&dlen); debug("Executing command '%.500s'", command); packet_integrity_check(plen, 4 + dlen, type); } *************** *** 1936,1942 **** --- 1969,1979 ---- struct stat st; int quiet_login; struct sockaddr_in from; + #ifdef _AIX + unsigned long fromlen; + #else int fromlen; + #endif struct pty_cleanup_context cleanup_context; /* Get remote host name. */ *************** *** 2328,2333 **** --- 2365,2380 ---- if (display) child_set_env(&env, &envsize, "DISPLAY", display); + { + char *authstate,*krb5cc; + + if ((authstate = getenv("AUTHSTATE")) != NULL) + child_set_env(&env,&envsize,"AUTHSTATE",authstate); + + if ((krb5cc = getenv("KRB5CCNAME")) != NULL) + child_set_env(&env,&envsize,"KRB5CCNAME",krb5cc); + } + #ifdef KRB4 { extern char *ticket; *************** *** 2348,2353 **** --- 2395,2402 ---- if (auth_get_socket_name() != NULL) child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME, auth_get_socket_name()); + + read_environment_file(&env,&envsize,"/etc/environment"); /* read $HOME/.ssh/environment. */ if (!options.use_login) { -- Matt Richards From drankin at bohemians.lexington.ky.us Thu Jan 20 05:24:34 2000 
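Review bot: the SOCKS5 block of the configure hunk writes "#define Rlisten SOCKSlisten" into confdefs.h twice (once after Raccept, again after Rshutdown); drop the second copy, and keep the R* list in one place so the same duplicate does not get carried into every header that mirrors it.

Review bot: "if (0)" in the ssh_create_socket hunk (sshconnect.c) turns the privileged-port branch into dead code and silently ignores the privileged argument, so anything that depends on a privileged source port can no longer get one. The non-privileged branch also lost its temporarily_use_uid(original_real_uid) / restore_uid() wrapping around socket(), so the socket is now created with the setuid-root effective uid instead of the user's. If the goal is a way to avoid privileged ports, make it an explicit option tested here rather than "if (0)", and keep the uid switch around socket() in both branches.

Review bot: the (unsigned int *)&dlen, (unsigned int *)&ulen, (unsigned int *)&payload_len and (unsigned int *)&dummy casts in the packet_get_string() calls (ssh-keygen.c, sshconnect.c and the sshd.c hunks) only hide a signedness warning, and the following packet_integrity_check(plen, 4 + dlen, type) still does signed arithmetic on the value. Declare those length variables as unsigned int instead of casting.

Review bot: the "#ifdef _AIX unsigned long len; #else int len; #endif" pattern (ssh-agent.c here, repeated for aux and fromlen in sshd.c) tests for a platform rather than for the property. Detect the accept()/getsockname() length type in configure (socklen_t where available) and typedef it once in defines.h, so these copies collapse to a single definition.

Review bot: "pw = (struct passwd *) malloc (sizeof(struct passwd));" in the do_authentication hunk (sshd.c) is immediately overwritten by "pw = getpwnam(user);", so the allocation is leaked and has no effect; remove the malloc line.

Review bot: the "/* HEAP*/" marker and the "#if 1 ... #endif" scaffolding around the xfree(client_user) in do_authloop (sshd.c) are debugging leftovers and should go. The "client_user = NULL;" after each xfree is the part worth keeping: client_user is reused across loop iterations, so clearing it prevents a second xfree of the same pointer on a later failed attempt.

Review bot: in the _AIX block of the do_authloop failure path (sshd.c), strncmp(get_authname(type), "password", strlen(get_authname(type))) == 0 compares only as many characters as the auth name has, so an empty name (length 0) or a shorter prefix such as "pass" would also match; use strcmp(get_authname(type), "password") == 0. Also say in a comment why only password failures are reported through loginfailed(): as written, rhosts and RSA failures never count toward the AIX failed-login counter that loginfailed() maintains.

Review bot: the AUTHSTATE/KRB5CCNAME block in the do_child environment hunk (sshd.c) is not under #ifdef _AIX, so every platform now copies those two variables from sshd's own process environment into each user's session. Guard it with the same _AIX/WITH_AIXAUTHENTICATE condition as the rest of the patch, and make sure the KRB5CCNAME being passed on is the per-session cache set up by the AIX authentication step and not a cache inherited from whoever started the daemon.

Review bot: read_environment_file(&env, &envsize, "/etc/environment") in the following hunk (sshd.c) is likewise unconditional, so non-AIX builds start reading /etc/environment into every session even where that file has a different meaning or format; put it under the same AIX conditional.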
From: drankin at bohemians.lexington.ky.us (David Rankin)
Date: Wed, 19 Jan 2000 13:24:34 -0500
Subject: Potentially serious (but rare) issue with buffer.c and cipher.c
In-Reply-To: <20000119094729.B4831@alcove.wittsend.com>; from Michael H. Warfield on Wed, Jan 19, 2000 at 09:47:29AM -0500
References: <20000119023917.A26901@rumpole.bohemians.lexington.ky.us> <20000119094729.B4831@alcove.wittsend.com>
Message-ID: <20000119132433.A113@rumpole.bohemians.lexington.ky.us>

On Wed, Jan 19, 2000 at 09:47:29AM -0500, Michael H. Warfield wrote:
> Wait a minute here...
> On Wed, Jan 19, 2000 at 02:39:18AM -0500, David Rankin wrote:
...
> > On most sane libc implementations, memcpy == memmove. However, ANSI C
> > makes no such guarantee, and some implementations out there are bound
> > to try to optimize memcpy eventually.
> Check me on this...
>
> The danger in those routines has always been overlapping regions.
> If the source and destination do not overlap, you are safe, of course.
> If the source and destination are the same, you are also safe since you
> are setting memory back to its original value. Length limited functions
> such as memcpy were never in danger of runaway conditions like strcpy was,
> but they could have unpredictable results in memory if the source and
> destination were overlapping and non-congruent (not identical).
>
> If the src and dest can be equal, I don't see the problem. If they
> can be non-equal but overlapping, then we have a potential problem.

Thank you. My ability to explain things always deteriorates when up that
late. (The baby's been liking her 2AM feeds this week...)

Basically, I'm a paranoid programmer. I like to see subroutines be paranoid,
since you never know who will be calling you later. memmove isn't that much
more expensive than memcpy, and it keeps someone from (knowingly or
unknowingly) giving the routines bad data.

Also, to be horribly pedantic, memcpy isn't guaranteed to work when
src == dest. Any sane implementation will work, but the standard would call
that "undefined behaviour".

> > Therefore, I've hacked out the following patch to change what may be
> > "dangerous" memcpy's to memmove. Take a look and see what you think.
> I didn't look at it real close but it didn't look like it did
> any harm. Is it going to cause any platform support and compatibility
> issues?

We're already assuming full ANSI C support, and memmove is definitely
defined in the ANSI C language specs. That said, I can see where there might
be platforms with buggy implementations, but these should be extremely rare
these days.

David
--
David W. Rankin, Jr. Husband, Father, and UNIX Sysadmin.
Email: drankin at bohemians.lexington.ky.us Address/Phone Number: Ask me.
"It is no great thing to be humble when you are brought low; but to be humble
when you are praised is a great and rare accomplishment." St. Bernard

From drankin at bohemians.lexington.ky.us Thu Jan 20 05:32:34 2000
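The overlapping-copy case David describes, as an added example that is not OpenSSH's buffer.c: a small byte buffer whose compaction step slides the unconsumed bytes to the front, which is exactly when source and destination overlap and memmove() rather than memcpy() is required. Buffer, buffer_compact() and regions_overlap() are names chosen for this illustration only.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example: a minimal buffer with the consume/compact shape the
 * thread discusses. Storage is caller-provided to keep the example short. */
typedef struct {
    unsigned char *buf;   /* storage */
    size_t alloc;         /* bytes available in buf */
    size_t offset;        /* first unconsumed byte */
    size_t end;           /* one past the last valid byte */
} Buffer;

/* Scratch array so callers can exercise regions_overlap() on real addresses. */
static unsigned char scratch[8];

void buffer_init(Buffer *b, unsigned char *storage, size_t alloc)
{
    b->buf = storage;
    b->alloc = alloc;
    b->offset = 0;
    b->end = 0;
}

/* Returns 1 when [dst, dst+n) and [src, src+n) share at least one byte.
 * memcpy() is only defined for the disjoint case; memmove() handles both. */
int regions_overlap(const void *dst, const void *src, size_t n)
{
    const unsigned char *d = dst, *s = src;
    return (d < s + n) && (s < d + n);
}

/* Append n bytes from the caller's memory; returns 0, or -1 if there is no room.
 * data never lives inside buf, so the regions are disjoint and memcpy is fine. */
int buffer_append(Buffer *b, const void *data, size_t n)
{
    if (n > b->alloc - b->end)
        return -1;
    memcpy(b->buf + b->end, data, n);
    b->end += n;
    return 0;
}

/* Mark n bytes as consumed; returns 0, or -1 if n exceeds the unconsumed data. */
int buffer_consume(Buffer *b, size_t n)
{
    if (n > b->end - b->offset)
        return -1;
    b->offset += n;
    return 0;
}

/* Slide the unconsumed bytes to the front and return how many there are.
 * Source [buf+offset, end) and destination [buf, buf+len) overlap whenever
 * offset < len, the case memcpy() does not guarantee and memmove() does. */
size_t buffer_compact(Buffer *b)
{
    size_t len = b->end - b->offset;
    if (b->offset == 0)
        return len;
    memmove(b->buf, b->buf + b->offset, len);
    b->offset = 0;
    b->end = len;
    return len;
}

/* Worked case: append "ABCDEFGH", consume 3, compact. Returns the number of
 * bytes left at the front (5), or -1 if the result is not "DEFGH" or the
 * move did not in fact involve overlapping regions. */
long run_compact_example(void)
{
    unsigned char storage[16];
    Buffer b;
    int overlapped;
    size_t len;

    buffer_init(&b, storage, sizeof(storage));
    if (buffer_append(&b, "ABCDEFGH", 8) != 0 || buffer_consume(&b, 3) != 0)
        return -1;
    overlapped = regions_overlap(b.buf, b.buf + b.offset, b.end - b.offset);
    len = buffer_compact(&b);
    if (!overlapped || len != 5 || memcmp(b.buf, "DEFGH", 5) != 0)
        return -1;
    return (long)len;
}
```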
From: drankin at bohemians.lexington.ky.us (David Rankin)
Date: Wed, 19 Jan 2000 13:32:34 -0500
Subject: AIX openssh patches
In-Reply-To: <20000119123354.D23506@btv.ibm.com>; from Matt Richards on Wed, Jan 19, 2000 at 12:33:55PM -0500
References: <20000119123354.D23506@btv.ibm.com>
Message-ID: <20000119133233.B113@rumpole.bohemians.lexington.ky.us>

On Wed, Jan 19, 2000 at 12:33:55PM -0500, Matt Richards wrote:
> I have a few patches for AIX. The patchfile is attached below. The patch
> has been tested on AIX4.2 and AIX4.3. The patch is on openssh-1.2.1pre25,
> with openssl-0.94, using RSAref.

These are a good set of patches, but I propose that these be implemented
a bit differently (and yes, I'll be happy to do it, it'll just take a day
or so).

1> Don't use --with-aixauthenticate. Instead, autodetect AIX 4 and use
it without prompting.

2> Instead of the _AIX defines, I'd prefer to see #define used for each
differing item (i.e. unsigned long versus int, __inline versus inline, etc.),
preferably autodetecting using autoconf. I'll work on making this cleaner.

3> The Dante and SOCKS4/5 implementations are 99% alike. Rather than defining
the R* functions in config.h, I'd rather roll them all into one spot, where
they are now.

Any objections?

David

> 1) authenticate support - this function allows the system to determine
> authentication. Whatever the system allows for login, authenticate
> will too. It doesn't matter whether it is AFS, DFS, SecureID, local.
>
> 2) loginsuccess - this function will log to /etc/security/lastlog as
> well as clear the failed logins.
>
> 3) loginfailed - this function will increase the number of failed logins
> and update /etc/security/lastlog and /etc/security/failedlogins.
>
> 4) loginrestrictions - this function will determine if a user is allowed
> to login (i.e. too many failed logins, account disabled, etc). This
> function is used in conjunction with authenticate.
>
> 5) SOCKS5 and SOCKS4 support.
> 6) Support for the system random function instead of egd or /dev/urandom.

--
David W. Rankin, Jr. Husband, Father, and UNIX Sysadmin.
Email: drankin at bohemians.lexington.ky.us Address/Phone Number: Ask me.
"It is no great thing to be humble when you are brought low; but to be humble
when you are praised is a great and rare accomplishment." St. Bernard

From v2matt at btv.ibm.com Thu Jan 20 06:00:19 2000
From: v2matt at btv.ibm.com (Matt Richards)
Date: Wed, 19 Jan 2000 14:00:19 -0500
Subject: AIX openssh patches
In-Reply-To: <20000119133233.B113@rumpole.bohemians.lexington.ky.us>; from drankin@bohemians.lexington.ky.us on Wed, Jan 19, 2000 at 01:32:34PM -0500
References: <20000119123354.D23506@btv.ibm.com> <20000119133233.B113@rumpole.bohemians.lexington.ky.us>
Message-ID: <20000119140018.E23506@btv.ibm.com>

Thus spake David Rankin (drankin at bohemians.lexington.ky.us):
> On Wed, Jan 19, 2000 at 12:33:55PM -0500, Matt Richards wrote:
>
> > I have a few patches for AIX. The patchfile is attached below. The patch
> > has been tested on AIX4.2 and AIX4.3. The patch is on openssh-1.2.1pre25,
> > with openssl-0.94, using RSAref.
>
> These are a good set of patches, but I propose that these be implemented
> a bit differently (and yes, I'll be happy to do it, it'll just take a day
> or so).
>
> 1> Don't use --with-aixauthenticate. Instead, autodetect AIX 4 and use
> it without prompting.
>
> 2> Instead of the _AIX defines, I'd prefer to see #define used for each
> differing item (i.e. unsigned long versus int, __inline versus inline, etc.),
> preferably autodetecting using autoconf. I'll work on making this cleaner.
>
> 3> The Dante and SOCKS4/5 implementations are 99% alike. Rather than defining
> the R* functions in config.h, I'd rather roll them all into one spot, where
> they are now.
>
> Any objections?
>
> David

Not at all, I like your suggestions. I did make a mistake in the inline.
The configure script works fine for inline, just need to include config.h
in cipher.c in order to get the inline define. I've updated the patch to
reflect this.

Is it feasible to have a configure switch to turn off using privileged
ports, even if the user has privileges?
*** acconfig.h.DIST Tue Jan 11 09:38:15 2000 --- acconfig.h Tue Jan 11 12:11:02 2000 *************** *** 12,17 **** --- 12,23 ---- /* Define if you want to disable PAM support */ #undef DISABLE_PAM + /* Define if you want to disable AIX4's authenticate function */ + #undef WITH_AIXAUTHENTICATE + + /* Define if you want to use system random */ + #undef USE_SYSRANDOM + /* Define if you want to disable lastlog support */ #undef DISABLE_LASTLOG *************** *** 29,34 **** --- 35,69 ---- /* Define if using the Dante SOCKS library. */ #undef HAVE_DANTE + + /* Define this if compiling with SOCKS (the firewall traversal library). */ + #undef SOCKS + #undef SOCKS4 + #undef SOCKS5 + + #undef Rconnect + #undef Rgetsockname + #undef Rgetpeername + #undef Rbind + #undef Raccept + #undef Rlisten + #undef Rselect + #undef Rrecvfrom + #undef Rsendto + #undef Rrecv + #undef Rsend + #undef Rread + #undef Rwrite + #undef Rrresvport + #undef Rshutdown + #undef Rlisten + #undef Rclose + #undef Rdup + #undef Rdup2 + #undef Rfclose + #undef Rgethostbyname + + /* Define if your ssl headers are included with #include */ #undef HAVE_SSL *** auth-passwd.c.DIST Tue Jan 11 09:19:33 2000 --- auth-passwd.c Tue Jan 11 09:45:13 2000 *************** *** 18,23 **** --- 18,27 ---- #include "servconf.h" #include "xmalloc.h" + #ifdef WITH_AIXAUTHENTICATE + #include + #endif + #ifdef HAVE_SHADOW_H # include #endif *************** *** 40,45 **** --- 44,55 ---- struct spwd *spw; #endif + #ifdef WITH_AIXAUTHENTICATE + char *authmsg; + char *loginmsg; + int reenter = 1; + #endif + /* deny if no user. */ if (pw == NULL) return 0; *************** *** 55,60 **** --- 65,79 ---- return ret; /* Fall back to ordinary passwd authentication. 
*/ } + #endif + #ifdef WITH_AIXAUTHENTICATE + + if ( (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0) && + (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) == 0)) + return 1; + else + return 0; + #endif #ifdef KRB4 if (options.kerberos_authentication == 1) { *** bsd-misc.c.DIST Tue Jan 11 09:48:36 2000 --- bsd-misc.c Wed Jan 19 13:10:11 2000 *************** *** 47,52 **** --- 47,55 ---- #include #include #include + #ifdef _AIX + #include + #endif #include "xmalloc.h" #include "ssh.h" *************** *** 56,61 **** --- 59,68 ---- #define offsetof(type, member) ((size_t) &((type *)0)->member) #endif + #ifdef USE_SYSRANDOM + #include + #endif + #ifndef HAVE_ARC4RANDOM typedef struct *************** *** 135,140 **** --- 142,157 ---- void get_random_bytes(unsigned char *buf, int len) { + + #ifdef USE_SYSRANDOM + int index; + + srandom(time(NULL) + getpid()); + + for (index = 0; index < len+1; index++) { + buf[index] = rand()%255; + } + #else /* USE_SYSRANDOM */ static int random_pool; int c; #ifdef HAVE_EGD *************** *** 184,189 **** --- 201,207 ---- fatal("Couldn't read from random pool \"%s\": %s", RANDOM_POOL, strerror(errno)); close(random_pool); + #endif /* USE_SYSRANDOM */ } #endif /* !HAVE_ARC4RANDOM */ *** canohost.c.DIST Wed Jan 19 11:00:42 2000 --- canohost.c Wed Jan 19 11:01:09 2000 *************** *** 29,35 **** get_remote_hostname(int socket) { struct sockaddr_in from; ! int fromlen, i; struct hostent *hp; char name[MAXHOSTNAMELEN]; --- 29,40 ---- get_remote_hostname(int socket) { struct sockaddr_in from; ! #ifdef _AIX ! unsigned long fromlen; ! #else ! int fromlen; ! #endif ! int i; struct hostent *hp; char name[MAXHOSTNAMELEN]; *************** *** 116,122 **** { unsigned char options[200], *ucp; char text[1024], *cp; ! int option_size, ipproto; struct protoent *ip; if ((ip = getprotobyname("ip")) != NULL) --- 121,132 ---- { unsigned char options[200], *ucp; char text[1024], *cp; ! #ifdef _AIX ! unsigned long option_size; ! #else ! 
int option_size; ! #endif ! int ipproto; struct protoent *ip; if ((ip = getprotobyname("ip")) != NULL) *************** *** 149,155 **** --- 159,169 ---- peer_connection_is_on_socket() { struct sockaddr_in from; + #ifdef _AIX + unsigned long fromlen; + #else int fromlen; + #endif int in = packet_get_connection_in(); int out = packet_get_connection_out(); *************** *** 197,203 **** get_remote_ipaddr() { struct sockaddr_in from; ! int fromlen, socket; /* Check whether we have chached the name. */ if (canonical_host_ip != NULL) --- 211,222 ---- get_remote_ipaddr() { struct sockaddr_in from; ! #ifdef _AIX ! unsigned long fromlen; ! #else ! int fromlen; ! #endif ! int socket; /* Check whether we have chached the name. */ if (canonical_host_ip != NULL) *************** *** 231,237 **** --- 250,260 ---- get_peer_port(int sock) { struct sockaddr_in from; + #ifdef _AIX + unsigned long fromlen; + #else int fromlen; + #endif /* Get IP address of client. */ fromlen = sizeof(from); *** channels.c.DIST Tue Jan 11 12:16:35 2000 --- channels.c Wed Jan 19 11:01:32 2000 *************** *** 374,380 **** channel_after_select(fd_set * readset, fd_set * writeset) { struct sockaddr addr; ! int addrlen, newsock, i, newch, len; Channel *ch; char buf[16384], *remote_hostname; --- 374,385 ---- channel_after_select(fd_set * readset, fd_set * writeset) { struct sockaddr addr; ! #ifdef _AIX ! unsigned long addrlen; ! #else ! int addrlen; ! #endif ! int newsock, i, newch, len; Channel *ch; char buf[16384], *remote_hostname; *************** *** 1005,1011 **** struct sockaddr_in sin; char *host, *originator_string; struct hostent *hp; ! int host_len, originator_len; /* Get remote channel number. */ remote_channel = packet_get_int(); --- 1010,1016 ---- struct sockaddr_in sin; char *host, *originator_string; struct hostent *hp; ! unsigned int host_len, originator_len; /* Get remote channel number. 
*/ remote_channel = packet_get_int(); *************** *** 1257,1263 **** struct sockaddr_in sin; char buf[1024], *cp, *remote_host; struct hostent *hp; ! int remote_len; /* Get remote channel number. */ remote_channel = packet_get_int(); --- 1262,1268 ---- struct sockaddr_in sin; char buf[1024], *cp, *remote_host; struct hostent *hp; ! unsigned int remote_len; /* Get remote channel number. */ remote_channel = packet_get_int(); *** cipher.c.DIST Tue Jan 11 09:45:57 2000 --- cipher.c Wed Jan 19 13:29:04 2000 *************** *** 16,21 **** --- 16,22 ---- #include "ssh.h" #include "cipher.h" + #include "config.h" #ifdef HAVE_OPENSSL #include *** config.h.in.DIST Tue Jan 11 09:40:43 2000 --- config.h.in Wed Jan 19 11:01:42 2000 *************** *** 15,20 **** --- 15,26 ---- /* Define if you want to disable PAM support */ #undef DISABLE_PAM + /* Define if you want AIX4's authenticate function */ + #undef WITH_AIXAUTHENTICATE + + /* Define if you want to use system random */ + #undef USE_SYSRANDOM + /* Define if you want to disable lastlog support */ #undef DISABLE_LASTLOG *************** *** 33,38 **** --- 39,72 ---- /* Define if using the Dante SOCKS library. */ #undef HAVE_DANTE + /* Define this if compiling with SOCKS (the firewall traversal library). */ + #undef SOCKS + #undef SOCKS4 + #undef SOCKS5 + + #undef Rconnect + #undef Rgetsockname + #undef Rgetpeername + #undef Rbind + #undef Raccept + #undef Rlisten + #undef Rselect + #undef Rrecvfrom + #undef Rsendto + #undef Rrecv + #undef Rsend + #undef Rread + #undef Rwrite + #undef Rrresvport + #undef Rshutdown + #undef Rlisten + #undef Rclose + #undef Rdup + #undef Rdup2 + #undef Rfclose + #undef Rgethostbyname + + /* Define if your ssl headers are included with #include */ #undef HAVE_SSL *************** *** 295,298 **** #include "defines.h" ! #endif _CONFIG_H --- 329,332 ---- #include "defines.h" ! 
#endif *** configure.DIST Tue Jan 11 09:20:43 2000 --- configure Tue Jan 11 12:09:34 2000 *************** *** 16,21 **** --- 16,23 ---- ac_help="$ac_help --without-pam Disable PAM support " ac_help="$ac_help + --with-aixauthenticate Use AIX4's authenticate function" + ac_help="$ac_help --with-gnome-askpass Build the GNOME passphrase requester (default=no)" ac_help="$ac_help --with-random=FILE read randomness from FILE (default=/dev/urandom)" *************** *** 26,31 **** --- 28,39 ---- ac_help="$ac_help --with-dante=DIR Use Dante SOCKS lib (default is system library path)" ac_help="$ac_help + --with-socks Compile with SOCKS firewall traversal support." + ac_help="$ac_help + --with-socks5[=PATH] Compile with SOCKS5 firewall traversal support." + ac_help="$ac_help + --with-socks4[=PATH] Compile with SOCKS4 firewall traversal support." + ac_help="$ac_help --with-kerberos4=PATH Enable Kerberos 4 support" ac_help="$ac_help --with-afs=PATH Enable AFS support" *************** *** 2245,2250 **** --- 2253,2282 ---- rm -f conftest* fi + # check for the AIX authenticate + echo $ac_n "checking whether to use AIX authenticate""... $ac_c" 1>&6 + echo "configure:XXXX: checking whether to use AIX authenticate" >&5 + # Check whether --with-aixauthenticate or --without-aixauthenticate was given. + if test "${with_aixauthenticate+set}" = set; then + withval="$with_aixauthenticate" + case "$withval" in + yes) + echo "$ac_t""yes" 1>&6 + cat >> confdefs.h <<\EOF + #define WITH_AIXAUTHENTICATE 1 + EOF + LIBS="$LIBS -ls" + ;; + *) + echo "$ac_t""no" 1>&6 + ;; + esac + else + echo "$ac_t""no" 1>&6 + + fi + + echo $ac_n "checking whether to build GNOME ssh-askpass""... $ac_c" 1>&6 echo "configure:2250: checking whether to build GNOME ssh-askpass" >&5 # Check whether --with-gnome-askpass or --without-gnome-askpass was given. 
*************** *** 2335,2345 **** fi - if test -z "$RANDOM_POOL" -a -z "$EGD_POOL"; then - { echo "configure: error: No random device found, and no EGD random pool specified" 1>&2; exit 1; } fi echo $ac_n "checking whether utmp.h has ut_host field""... $ac_c" 1>&6 echo "configure:2345: checking whether utmp.h has ut_host field" >&5 cat > conftest.$ac_ext <&6 + cat >> confdefs.h <<\EOF + #define USE_SYSRANDOM 1 + EOF fi + + echo $ac_n "checking whether utmp.h has ut_host field""... $ac_c" 1>&6 echo "configure:2345: checking whether utmp.h has ut_host field" >&5 cat > conftest.$ac_ext <&6 + ;; + yes) + echo "$ac_t""yes" 1>&6 + echo $ac_n "checking for SOCKSconnect in -lsocks5""... $ac_c" 1>&6 + echo "configure:6842: checking for SOCKSconnect in -lsocks5" >&5 + ac_lib_var=`echo socks5'_'SOCKSconnect | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + ac_save_LIBS="$LIBS" + LIBS="-lsocks5 $LIBS" + cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" + fi + rm -f conftest* + LIBS="$ac_save_LIBS" + + fi + if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + + socks=5 + LIBS="-lsocks5 $LIBS" + else + echo "$ac_t""no" 1>&6 + + echo $ac_n "checking for Rconnect in -lsocks""... 
$ac_c" 1>&6 + echo "configure:6883: checking for Rconnect in -lsocks" >&5 + ac_lib_var=`echo socks'_'Rconnect | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + ac_save_LIBS="$LIBS" + LIBS="-lsocks $LIBS" + cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" + fi + rm -f conftest* + LIBS="$ac_save_LIBS" + + fi + if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + + socks=4 + LIBS="-lsocks $LIBS" + else + echo "$ac_t""no" 1>&6 + + { echo "configure: error: Could not find socks library. You must first install socks." 1>&2; exit 1; } + fi + + fi + + ;; + esac + else + echo "$ac_t""no" 1>&6 + + fi + + + if test "x$socks" = "x"; then + echo $ac_n "checking whether to support SOCKS5""... $ac_c" 1>&6 + echo "configure:6938: checking whether to support SOCKS5" >&5 + # Check whether --with-socks5 or --without-socks5 was given. + if test "${with_socks5+set}" = set; then + withval="$with_socks5" + case "$withval" in + no) + echo "$ac_t""no" 1>&6 + ;; + *) + echo "$ac_t""yes" 1>&6 + socks=5 + if test "x$withval" = "xyes"; then + withval="-lsocks5" + else + if test -d "$withval"; then + if test -d "$withval/include"; then + CFLAGS="$CFLAGS -I$withval/include" + else + CFLAGS="$CFLAGS -I$withval" + fi + if test -d "$withval/lib"; then + withval="-L$withval/lib -lsocks5" + else + withval="-L$withval -lsocks5" + fi + fi + fi + LIBS="$withval $LIBS" + # If Socks was compiled with Kerberos support, we will need + # to link against kerberos libraries. Temporarily append + # to LIBS. This is harmless if there is no kerberos support. 
+ TMPLIBS="$LIBS" + LIBS="$LIBS $KERBEROS_LIBS" + cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest; then + : + else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + { echo "configure: error: Could not find the $withval library. You must first install socks5." 1>&2; exit 1; } + fi + rm -f conftest* + LIBS="$TMPLIBS" + ;; + esac + else + echo "$ac_t""no" 1>&6 + + fi + + fi + + if test "x$socks" = "x"; then + echo $ac_n "checking whether to support SOCKS4""... $ac_c" 1>&6 + echo "configure:7000: checking whether to support SOCKS4" >&5 + # Check whether --with-socks4 or --without-socks4 was given. + if test "${with_socks4+set}" = set; then + withval="$with_socks4" + case "$withval" in + no) + echo "$ac_t""no" 1>&6 + ;; + *) + echo "$ac_t""yes" 1>&6 + socks=4 + if test "x$withval" = "xyes"; then + withval="-lsocks" + else + if test -d "$withval"; then + withval="-L$withval -lsocks" + fi + fi + LIBS="$withval $LIBS" + cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest; then + : + else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + { echo "configure: error: Could not find the $withval library. You must first install socks." 
1>&2; exit 1; } + fi + rm -f conftest* + ;; + esac + else + echo "$ac_t""no" 1>&6 + + fi + + fi + + + + if test "x$socks" = "x4"; then + cat >> confdefs.h <<\EOF + #define SOCKS 1 + EOF + + cat >> confdefs.h <<\EOF + #define SOCKS4 1 + EOF + + fi + + if test "x$socks" = "x5"; then + cat >> confdefs.h <<\EOF + #define SOCKS 1 + EOF + + cat >> confdefs.h <<\EOF + #define SOCKS5 1 + EOF + + cat >> confdefs.h <<\EOF + #define Rconnect SOCKSconnect + EOF + + cat >> confdefs.h <<\EOF + #define Rgetsockname SOCKSgetsockname + EOF + + cat >> confdefs.h <<\EOF + #define Rgetpeername SOCKSgetpeername + EOF + + cat >> confdefs.h <<\EOF + #define Rbind SOCKSbind + EOF + + cat >> confdefs.h <<\EOF + #define Raccept SOCKSaccept + EOF + + cat >> confdefs.h <<\EOF + #define Rlisten SOCKSlisten + EOF + + cat >> confdefs.h <<\EOF + #define Rselect SOCKSselect + EOF + + cat >> confdefs.h <<\EOF + #define Rrecvfrom SOCKSrecvfrom + EOF + + cat >> confdefs.h <<\EOF + #define Rsendto SOCKSsendto + EOF + + cat >> confdefs.h <<\EOF + #define Rrecv SOCKSrecv + EOF + + cat >> confdefs.h <<\EOF + #define Rsend SOCKSsend + EOF + + cat >> confdefs.h <<\EOF + #define Rread SOCKSread + EOF + + cat >> confdefs.h <<\EOF + #define Rwrite SOCKSwrite + EOF + + cat >> confdefs.h <<\EOF + #define Rrresvport SOCKSrresvport + EOF + + cat >> confdefs.h <<\EOF + #define Rshutdown SOCKSshutdown + EOF + + cat >> confdefs.h <<\EOF + #define Rlisten SOCKSlisten + EOF + + cat >> confdefs.h <<\EOF + #define Rclose SOCKSclose + EOF + + cat >> confdefs.h <<\EOF + #define Rdup SOCKSdup + EOF + + cat >> confdefs.h <<\EOF + #define Rdup2 SOCKSdup2 + EOF + + cat >> confdefs.h <<\EOF + #define Rfclose SOCKSfclose + EOF + + cat >> confdefs.h <<\EOF + #define Rgethostbyname SOCKSgethostbyname + EOF fi *** configure.in.DIST Tue Jan 11 09:39:21 2000 --- configure.in Tue Jan 11 09:40:15 2000 *************** *** 234,239 **** --- 234,256 ---- ) fi + AC_ARG_WITH(aixauthenticate, + [ --with-aixauthenticate Include AIX 
authenticate support + --without-aixauthenticate Don't include AIX authenticate support (default)], + [ case "$withval" in + yes) + AC_MSG_RESULT(yes) + AC_DEFINE(WITH_AIXAUTHENTICATE) + LIBS="$LIBS -ls" + ;; + *) + AC_MSG_RESULT(no) + ;; + esac ], + AC_MSG_RESULT(no) + ) + + AC_MSG_CHECKING([whether to build GNOME ssh-askpass]) dnl Check whether user wants GNOME ssh-askpass AC_ARG_WITH(gnome-askpass, *** ssh-agent.c.DIST Mon Jan 3 07:41:05 2000 --- ssh-agent.c Wed Jan 19 11:01:59 2000 *************** *** 416,422 **** after_select(fd_set *readset, fd_set *writeset) { unsigned int i; ! int len, sock; char buf[1024]; struct sockaddr_un sunaddr; --- 416,427 ---- after_select(fd_set *readset, fd_set *writeset) { unsigned int i; ! #ifdef _AIX ! unsigned long len; ! #else ! int len; ! #endif ! int sock; char buf[1024]; struct sockaddr_un sunaddr; *** ssh-keygen.c.DIST Wed Nov 24 19:54:59 1999 --- ssh-keygen.c Wed Jan 19 11:02:18 2000 *************** *** 101,107 **** if (f && fgets(line, sizeof(line), f)) { cp = line; line[strlen(line) - 1] = '\0'; ! if (auth_rsa_read_key(&cp, &dummy, e, n)) { public_key->e = e; public_key->n = n; comment = xstrdup(cp ? cp : "no comment"); --- 101,107 ---- if (f && fgets(line, sizeof(line), f)) { cp = line; line[strlen(line) - 1] = '\0'; ! if (auth_rsa_read_key(&cp, (unsigned int *)&dummy, e, n)) { public_key->e = e; public_key->n = n; comment = xstrdup(cp ? cp : "no comment"); *** ssh.c.DIST Tue Jan 11 12:13:59 2000 --- ssh.c Tue Jan 11 12:15:16 2000 *************** *** 207,212 **** --- 207,216 ---- /* Save our own name. */ av0 = av[0]; + #ifdef SOCKS + SOCKSinit(av0); + #endif /* SOCKS */ + /* Initialize option structure to indicate that no values have been set. */ initialize_options(&options); *** sshconnect.c.DIST Tue Jan 11 09:54:21 2000 --- sshconnect.c Wed Jan 19 13:24:11 2000 *************** *** 142,172 **** int ssh_create_socket(uid_t original_real_uid, int privileged) { ! int sock; ! /* ! 
* If we are running as root and want to connect to a privileged ! * port, bind our own socket to a privileged port. ! */ ! if (privileged) { ! int p = IPPORT_RESERVED - 1; ! sock = rresvport(&p); ! if (sock < 0) ! fatal("rresvport: %.100s", strerror(errno)); ! debug("Allocated local port %d.", p); ! } else { ! /* ! * Just create an ordinary socket on arbitrary port. We use ! * the user's uid to create the socket. ! */ ! temporarily_use_uid(original_real_uid); ! sock = socket(AF_INET, SOCK_STREAM, 0); ! if (sock < 0) ! fatal("socket: %.100s", strerror(errno)); ! restore_uid(); ! } ! return sock; } /* --- 142,193 ---- int ssh_create_socket(uid_t original_real_uid, int privileged) { ! int sock; ! /* If we are running as root and want to connect to a privileged port, ! bind our own socket to a privileged port. */ ! if (privileged) ! { ! struct sockaddr_in sin; ! int p; ! for (p = 1023; p > 512; p--) ! { ! sock = socket(AF_INET, SOCK_STREAM, 0); ! if (sock < 0) ! fatal("socket: %.100s", strerror(errno)); ! ! /* Initialize the desired sockaddr_in structure. */ ! memset(&sin, 0, sizeof(sin)); ! sin.sin_family = AF_INET; ! sin.sin_addr.s_addr = INADDR_ANY; ! sin.sin_port = htons(p); ! /* Try to bind the socket to the privileged port. */ ! #if defined(SOCKS) ! if (Rbind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0) ! break; /* Success. */ ! #else /* SOCKS */ ! if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0) ! break; /* Success. */ ! #endif /* SOCKS */ ! if (errno == EADDRINUSE) ! { ! close(sock); ! continue; ! } ! fatal("bind: %.100s", strerror(errno)); ! } ! debug("Allocated local port %d.", p); ! } ! else ! { ! /* Just create an ordinary socket on arbitrary port. */ ! sock = socket(AF_INET, SOCK_STREAM, 0); ! if (sock < 0) ! fatal("socket: %.100s", strerror(errno)); ! } ! return sock; ! } /* *************** *** 241,247 **** --- 262,272 ---- * tcp_wrappers showing the remote uid as root. 
*/ temporarily_use_uid(original_real_uid); + #if defined(SOCKS) + if (Rconnect(sock, (struct sockaddr *) hostaddr, sizeof(*hostaddr)) + #else if (connect(sock, (struct sockaddr *) hostaddr, sizeof(*hostaddr)) + #endif >= 0) { /* Successful connect. */ restore_uid(); *************** *** 257,263 **** --- 282,292 ---- /* Not a valid numeric inet address. */ /* Map host name to an address. */ if (!hp) + #if defined(SOCKS5) + hp = Rgethostbyname(host); + #else hp = gethostbyname(host); + #endif if (!hp) fatal("Bad host name: %.100s", host); if (!hp->h_addr_list[0]) *************** *** 287,293 **** --- 316,326 ---- * root. */ temporarily_use_uid(original_real_uid); + #if defined(SOCKS) + if (Rconnect(sock, (struct sockaddr *) hostaddr, + #else if (connect(sock, (struct sockaddr *) hostaddr, + #endif sizeof(*hostaddr)) >= 0) { /* Successful connection. */ restore_uid(); *************** *** 916,922 **** debug("No challenge for skey authentication."); return 0; } ! challenge = packet_get_string(&payload_len); if (options.cipher == SSH_CIPHER_NONE) log("WARNING: Encryption is disabled! " "Reponse will be transmitted in clear text."); --- 949,955 ---- debug("No challenge for skey authentication."); return 0; } ! challenge = packet_get_string((unsigned int *)&payload_len); if (options.cipher == SSH_CIPHER_NONE) log("WARNING: Encryption is disabled! " "Reponse will be transmitted in clear text."); *** sshd.c.DIST Tue Jan 11 09:55:44 2000 --- sshd.c Wed Jan 19 11:05:02 2000 *************** *** 277,283 **** { extern char *optarg; extern int optind; ! int opt, aux, sock_in, sock_out, newsock, i, pid, on = 1; int remote_major, remote_minor; int silentrsa = 0; struct pollfd fds; --- 277,288 ---- { extern char *optarg; extern int optind; ! #ifdef _AIX ! unsigned long aux; ! #else ! int aux; ! #endif ! 
int opt, sock_in, sock_out, newsock, i, pid, on = 1; int remote_major, remote_minor; int silentrsa = 0; struct pollfd fds; *************** *** 988,994 **** packet_read_expect(&plen, SSH_CMSG_USER); /* Get the user name. */ ! user = packet_get_string(&ulen); packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER); /* Destroy the private and public keys. They will no longer be needed. */ --- 993,999 ---- packet_read_expect(&plen, SSH_CMSG_USER); /* Get the user name. */ ! user = packet_get_string((unsigned int*)&ulen); packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER); /* Destroy the private and public keys. They will no longer be needed. */ *************** *** 997,1002 **** --- 1002,1008 ---- RSA_free(sensitive_data.host_key); setproctitle("%s", user); + /* Do the authentication. */ do_authentication(user); } *************** *** 1084,1089 **** --- 1090,1099 ---- { struct passwd *pw, pwcopy; + #ifdef _AIX + char *loginmsg; + #endif + #ifdef AFS /* If machine has AFS, set process authentication group. */ if (k_hasafs()) { *************** *** 1092,1097 **** --- 1102,1109 ---- } #endif /* AFS */ + pw = (struct passwd *) malloc (sizeof(struct passwd)); + /* Verify that the user is a valid user. */ pw = getpwnam(user); if (!pw || !allowed_user(pw)) *************** *** 1133,1138 **** --- 1145,1151 ---- /* Authentication with empty password succeeded. */ log("Login for user %s from %.100s, accepted without authentication.", pw->pw_name, get_remote_ipaddr()); + } else { /* Loop until the user has been authenticated or the connection is closed, do_authloop() returns only if *************** *** 1142,1148 **** /* Check if the user is logging in as root and root logins are disallowed. */ if (pw->pw_uid == 0 && !options.permit_root_login) { ! if (forced_command) log("Root login accepted for forced command."); else packet_disconnect("ROOT LOGIN REFUSED FROM %.200s", --- 1155,1161 ---- /* Check if the user is logging in as root and root logins are disallowed. 
*/ if (pw->pw_uid == 0 && !options.permit_root_login) { ! if (forced_command) log("Root login accepted for forced command."); else packet_disconnect("ROOT LOGIN REFUSED FROM %.200s", *************** *** 1149,1154 **** --- 1162,1170 ---- get_canonical_hostname()); } /* The user has been authenticated and accepted. */ + #ifdef _AIX + loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg); + #endif packet_start(SSH_SMSG_SUCCESS); packet_send(); packet_write_wait(); *************** *** 1178,1183 **** --- 1194,1200 ---- int type = 0; void (*authlog) (const char *fmt,...) = verbose; + /* Indicate that authentication is needed. */ packet_start(SSH_SMSG_FAILURE); packet_send(); *************** *** 1261,1267 **** * authentication is insecure. (Another is * IP-spoofing on a local network.) */ ! client_user = packet_get_string(&ulen); packet_integrity_check(plen, 4 + ulen, type); /* Try to authenticate using /etc/hosts.equiv and --- 1278,1284 ---- * authentication is insecure. (Another is * IP-spoofing on a local network.) */ ! client_user = packet_get_string((unsigned int *)&ulen); packet_integrity_check(plen, 4 + ulen, type); /* Try to authenticate using /etc/hosts.equiv and *************** *** 1281,1287 **** * trust the client; root on the client machine can * claim to be any user. */ ! client_user = packet_get_string(&ulen); /* Get the client host key. */ client_host_key_e = BN_new(); --- 1298,1304 ---- * trust the client; root on the client machine can * claim to be any user. */ ! client_user = packet_get_string((unsigned int *)&ulen); /* Get the client host key. */ client_host_key_e = BN_new(); *************** *** 1326,1332 **** * transmitted over the encrypted channel so it is * not visible to an outside observer. */ ! password = packet_get_string(&dlen); packet_integrity_check(plen, 4 + dlen, type); #ifdef USE_PAM --- 1343,1349 ---- * transmitted over the encrypted channel so it is * not visible to an outside observer. */ ! 
password = packet_get_string((unsigned int *)&dlen); packet_integrity_check(plen, 4 + dlen, type); #ifdef USE_PAM *************** *** 1405,1430 **** #ifdef USE_PAM if (!do_pam_account(pw->pw_name, client_user)) { ! if (client_user != NULL) xfree(client_user); do_fake_authloop(pw->pw_name); } #endif /* USE_PAM */ return; ! } ! if (client_user != NULL) xfree(client_user); if (attempt > AUTH_FAIL_MAX) packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); /* Send a message indicating that the authentication attempt failed. */ packet_start(SSH_SMSG_FAILURE); packet_send(); packet_write_wait(); } } /* --- 1422,1463 ---- #ifdef USE_PAM if (!do_pam_account(pw->pw_name, client_user)) { ! if (client_user != NULL) { xfree(client_user); + client_user = NULL; + } do_fake_authloop(pw->pw_name); } #endif /* USE_PAM */ return; ! } ! /* HEAP*/ ! #if 1 ! if (client_user != NULL) { xfree(client_user); + client_user = NULL; + } + #endif if (attempt > AUTH_FAIL_MAX) packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); /* Send a message indicating that the authentication attempt failed. */ + #ifdef _AIX + if (strncmp(get_authname(type),"password", + strlen(get_authname(type))) == 0) + loginfailed(pw->pw_name,get_canonical_hostname(),"ssh"); + #endif + packet_start(SSH_SMSG_FAILURE); packet_send(); packet_write_wait(); } + + + } /* *************** *** 1603,1609 **** ttyname, tty_mode, strerror(errno)); /* Get TERM from the packet. Note that the value may be of arbitrary length. */ ! term = packet_get_string(&dlen); packet_integrity_check(dlen, strlen(term), type); /* packet_integrity_check(plen, 4 + dlen + 4*4 + n_bytes, type); */ /* Remaining bytes */ --- 1636,1642 ---- ttyname, tty_mode, strerror(errno)); /* Get TERM from the packet. Note that the value may be of arbitrary length. */ ! 
term = packet_get_string((unsigned int *)&dlen); packet_integrity_check(dlen, strlen(term), type); /* packet_integrity_check(plen, 4 + dlen + 4*4 + n_bytes, type); */ /* Remaining bytes */ *************** *** 1648,1655 **** packet_disconnect("Protocol error: X11 display already set."); { int proto_len, data_len; ! proto = packet_get_string(&proto_len); ! data = packet_get_string(&data_len); packet_integrity_check(plen, 4 + proto_len + 4 + data_len + 4, type); } if (packet_get_protocol_flags() & SSH_PROTOFLAG_SCREEN_NUMBER) --- 1681,1688 ---- packet_disconnect("Protocol error: X11 display already set."); { int proto_len, data_len; ! proto = packet_get_string((unsigned int *)&proto_len); ! data = packet_get_string((unsigned int *)&data_len); packet_integrity_check(plen, 4 + proto_len + 4 + data_len + 4, type); } if (packet_get_protocol_flags() & SSH_PROTOFLAG_SCREEN_NUMBER) *************** *** 1732,1738 **** /* Get command from the packet. */ { int dlen; ! command = packet_get_string(&dlen); debug("Executing command '%.500s'", command); packet_integrity_check(plen, 4 + dlen, type); } --- 1765,1771 ---- /* Get command from the packet. */ { int dlen; ! command = packet_get_string((unsigned int *)&dlen); debug("Executing command '%.500s'", command); packet_integrity_check(plen, 4 + dlen, type); } *************** *** 1936,1942 **** --- 1969,1979 ---- struct stat st; int quiet_login; struct sockaddr_in from; + #ifdef _AIX + unsigned long fromlen; + #else int fromlen; + #endif struct pty_cleanup_context cleanup_context; /* Get remote host name. 
*/ *************** *** 2328,2333 **** --- 2365,2380 ---- if (display) child_set_env(&env, &envsize, "DISPLAY", display); + { + char *authstate,*krb5cc; + + if ((authstate = getenv("AUTHSTATE")) != NULL) + child_set_env(&env,&envsize,"AUTHSTATE",authstate); + + if ((krb5cc = getenv("KRB5CCNAME")) != NULL) + child_set_env(&env,&envsize,"KRB5CCNAME",krb5cc); + } + #ifdef KRB4 { extern char *ticket; *************** *** 2348,2353 **** --- 2395,2402 ---- if (auth_get_socket_name() != NULL) child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME, auth_get_socket_name()); + + read_environment_file(&env,&envsize,"/etc/environment"); /* read $HOME/.ssh/environment. */ if (!options.use_login) { -- Matt Richards From drankin at bohemians.lexington.ky.us Thu Jan 20 08:41:02 2000 
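Review bot: the added line pw = (struct passwd *) malloc (sizeof(struct passwd)); in the sshd.c hunk at 1092,1097 is overwritten two lines later by the existing pw = getpwnam(user);, so the allocation is leaked on every login attempt and buys nothing; drop the malloc (getpwnam() returns static storage, and the function already declares pwcopy for a private copy).

Review bot: the rewritten ssh_create_socket() in the sshconnect.c hunk at 142,172 removes the temporarily_use_uid(original_real_uid) / restore_uid() pair around the non-privileged socket() call (the deleted comment read "We use the user's uid to create the socket"), so the setuid client now opens its socket with root's effective uid; restore the uid switch. In the privileged branch the for loop has no exhaustion check: if every port from 1023 down to 513 returns EADDRINUSE the loop ends with sock already closed and p == 512, yet the function logs "Allocated local port 512." and returns the dead descriptor. Consider keeping rresvport() for the non-SOCKS build and using the manual Rbind loop only under #if defined(SOCKS), with a fatal() after the loop when no port was bound.

Review bot: in the sshconnect.c hunks at 241,247 and 287,293 the Rconnect() call is selected by #if defined(SOCKS), but the hunk at 257,263 selects Rgethostbyname() with #if defined(SOCKS5), so a SOCKS4 build still resolves the target name locally; use one guard for both. Splitting "if (Rconnect(" and "if (connect(" across #if/#else/#endif with a shared ">= 0) {" tail is also hard to read; a small wrapper chosen once at the top of the file and called unconditionally would be clearer.

Review bot: the _AIX block added after "Send a message indicating that the authentication attempt failed" in the sshd.c hunk at 1405,1430 uses strncmp(get_authname(type),"password", strlen(get_authname(type))), which bounds the comparison by the length of the auth name, so any prefix of "password" also matches; strcmp(get_authname(type), "password") == 0 is what is meant. In the same hunk the "/* HEAP*/" marker and the "#if 1 ... #endif" wrapper around the client_user cleanup read as leftover debugging and should go, while the "client_user = NULL;" after xfree() is worth keeping since it stops the pointer being freed a second time. The three trailing "+" lines add a bare "}" with no new opening brace anywhere in this hunk; confirm that the braces in do_authloop() still balance after the patch.

Review bot: loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg); in the sshd.c hunk at 1149,1154 ignores the return value and never frees or prints loginmsg, which on AIX the library allocates for the caller; check the result and free (or log, then free) the message.

Review bot: the block added before #ifdef KRB4 in the sshd.c hunk at 2328,2333 copies AUTHSTATE and KRB5CCNAME out of sshd's own environment into every child session, and the following hunk at 2348,2353 reads /etc/environment unconditionally; neither is under the #ifdef _AIX guard the rest of this patch uses, so on other platforms a KRB5CCNAME inherited by the daemon at start-up would be handed to unrelated user sessions, and /etc/environment is read on systems where it is not an OS convention. Wrap both in the same #ifdef _AIX, and pass only values that were set for this login rather than whatever the daemon inherited.

Review bot: the two "-" lines in the configure hunk at 2335,2345 delete the "No random device found, and no EGD random pool specified" failure, so a host with neither /dev/urandom nor EGD now configures silently with USE_SYSRANDOM; keep the hard error as the default and take the system-random path only when the builder explicitly asks for it, since a libc PRNG is not an entropy source for key material.

Review bot: #undef Rlisten appears twice in the config.h.in hunk at 33,38, and "#define Rlisten SOCKSlisten" is likewise emitted twice in the configure block that writes the SOCKS5 mappings; drop the duplicates. The configure diff also carries echo "configure:XXXX: checking whether to use AIX authenticate" >&5 with a placeholder line number, which indicates configure was edited by hand rather than regenerated from configure.in; regenerate it so the two stay in sync.

Review bot: the "#ifdef _AIX unsigned long len; #else int len; #endif" in the ssh-agent.c hunk at 416,422, and the same pattern for aux and fromlen in sshd.c, hard-code the AIX accept()/getpeername() length type; socklen_t is the portable spelling and removes the per-platform ifdef. The (unsigned int *)&dummy and (unsigned int *)&ulen casts in ssh-keygen.c, sshconnect.c and sshd.c paper over the same signedness mismatch; declaring those length variables unsigned int is cleaner than casting an int *.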
From: drankin at bohemians.lexington.ky.us (David Rankin)
Date: Wed, 19 Jan 2000 16:41:02 -0500
Subject: AIX openssh patches
In-Reply-To: <20000119140018.E23506@btv.ibm.com>; from Matt Richards on Wed, Jan 19, 2000 at 02:00:19PM -0500
References: <20000119123354.D23506@btv.ibm.com> <20000119133233.B113@rumpole.bohemians.lexington.ky.us> <20000119140018.E23506@btv.ibm.com>
Message-ID: <20000119164059.A1276@rumpole.bohemians.lexington.ky.us>

On Wed, Jan 19, 2000 at 02:00:19PM -0500, Matt Richards wrote:

(AIX 4 patch discussion truncated.)

> I did make a mistake in the inline. The configure script works fine
> for inline, just need to include config.h in cipher.c in order to get
> the inline define. I've updated the patch to reflect this.

I've attached the revised patch. I don't have SOCKS4 or SOCKS5 to play with, so if you can test it, that'd be good. As mentioned, AIX users get WITH_AIXAUTHENTICATE without choice now.

I did not include any of your USE_SYSRANDOM patches in this patch. I looked at one of the AIX boxes I have access to, and srandom() is pseudorandom, not truly random (or at least nearly as random as EGD). I don't feel comfortable making this an option given the attack possibilities pseudorandom numbers give. Sorry.

> Is it feasible to have a configure switch to turn off using privileged
> ports, even if the user has privileges?

I'd think this is reasonable, although I'm so low on time I can't even think about working on it.

Note: This patch is against pre27, which probably fixes almost all of the "unsigned long" versus "int" problems you were seeing.

Index: acconfig.h =================================================================== RCS file: /usr/local/cvs/openssh/acconfig.h,v retrieving revision 1.19 diff -u -r1.19 acconfig.h --- acconfig.h 2000/01/17 19:23:50 1.19 +++ acconfig.h 2000/01/19 21:08:57
@@ -12,6 +12,9 @@ /* Define if you want to disable PAM support */ #undef DISABLE_PAM +/* Define if you want to disable AIX4's authenticate function */ +#undef WITH_AIXAUTHENTICATE + /* Define if you want to disable lastlog support */ #undef DISABLE_LASTLOG @@ -29,6 +32,12 @@ /* Define if using the Dante SOCKS library. */ #undef HAVE_DANTE + +/* Define if using the Socks4 SOCKS library. */ +#undef HAVE_SOCKS4 + +/* Define if using the Socks5 SOCKS library. */ +#undef HAVE_SOCKS5 /* Define if your ssl headers are included with #include */ #undef HAVE_SSL Index: auth-passwd.c =================================================================== RCS file: /usr/local/cvs/openssh/auth-passwd.c,v retrieving revision 1.14 diff -u -r1.14 auth-passwd.c --- auth-passwd.c 2000/01/17 18:39:32 1.14 +++ auth-passwd.c 2000/01/19 20:38:38 @@ -18,6 +18,10 @@ #include "servconf.h" #include "xmalloc.h" +#ifdef WITH_AIXAUTHENTICATE +#include +#endif + #ifdef HAVE_SHADOW_H # include #endif @@ -40,6 +44,12 @@ struct spwd *spw; #endif +#ifdef WITH_AIXAUTHENTICATE + char *authmsg; + char *loginmsg; + int reenter = 1; +#endif + /* deny if no user. */ if (pw == NULL) return 0; @@ -55,6 +65,15 @@ return ret; /* Fall back to ordinary passwd authentication. */ } +#endif +#ifdef WITH_AIXAUTHENTICATE + + if ( (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0) && + (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) == 0)) + return 1; + else + return 0; + #endif #ifdef KRB4 if (options.kerberos_authentication == 1) { Index: bsd-misc.c =================================================================== RCS file: /usr/local/cvs/openssh/bsd-misc.c,v retrieving revision 1.2 diff -u -r1.2 bsd-misc.c --- bsd-misc.c 2000/01/17 18:39:33 1.2 +++ bsd-misc.c 2000/01/19 21:14:36 
@@ -47,6 +47,9 @@ #include #include #include +#ifdef _AIX +#include +#endif #include "xmalloc.h" #include "ssh.h" Index: cipher.c =================================================================== RCS file: /usr/local/cvs/openssh/cipher.c,v retrieving revision 1.7 diff -u -r1.7 cipher.c --- cipher.c 2000/01/17 17:27:31 1.7 +++ cipher.c 2000/01/19 20:38:38 @@ -16,6 +16,7 @@ #include "ssh.h" #include "cipher.h" +#include "config.h" #ifdef HAVE_OPENSSL #include Index: config.h.in =================================================================== RCS file: /usr/local/cvs/openssh/config.h.in,v retrieving revision 1.22 diff -u -r1.22 config.h.in --- config.h.in 2000/01/17 19:34:11 1.22 +++ config.h.in 2000/01/19 21:13:52 @@ -15,6 +15,9 @@ /* Define if you want to disable PAM support */ #undef DISABLE_PAM +/* Define if you want to disable AIX4's authenticate function */ +#undef WITH_AIXAUTHENTICATE + /* Define if you want to disable lastlog support */ #undef DISABLE_LASTLOG @@ -32,6 +35,12 @@ /* Define if using the Dante SOCKS library. */ #undef HAVE_DANTE + +/* Define if using the Socks4 SOCKS library. */ +#undef HAVE_SOCKS4 + +/* Define if using the Socks5 SOCKS library. */ +#undef HAVE_SOCKS5 /* Define if your ssl headers are included with #include */ #undef HAVE_SSL Index: configure.in =================================================================== RCS file: /usr/local/cvs/openssh/configure.in,v retrieving revision 1.22 diff -u -r1.22 configure.in --- configure.in 2000/01/17 19:34:14 1.22 +++ configure.in 2000/01/19 21:28:41 @@ -55,6 +55,8 @@ case "$host" in *-*-aix*) AFS_LIBS="-lld" + AC_DEFINE(WITH_AIXAUTHENTICATE) + LIBS="$LIBS -ls" ;; *-*-hpux10*) if test -z "$GCC"; then 
@@ -497,13 +499,53 @@ AC_ARG_WITH(dante, [ --with-dante=DIR Use Dante SOCKS lib (default is system library path)], [ - AC_DEFINE(HAVE_DANTE) + SAVELIBS="$LIBS" + SOCKSLIBS="" + SOCKSLIBPATH="" if test "x$withval" != "xno" ; then if test -n $withval ; then LIBS="$LIBS -L$withval" + SOCKSLIBPATH="-L$withval" fi - LIBS="$LIBS -lsocks" + AC_CHECK_LIB(socks, Rconnect, AC_DEFINE(HAVE_DANTE) SOCKSLIBS="$SOCKSLIBPATH -lsocks") fi + LIBS="$SAVELIBS $SOCKSLIBS" + ] +) + +dnl Compile with SOCKS4 SOCKS library +AC_ARG_WITH(socks4, + [ --with-socks4=DIR Use Socks4 SOCKS lib (default is system library path)], + [ + SAVELIBS="$LIBS" + SOCKSLIBS="" + SOCKSLIBPATH="" + if test "x$withval" != "xno" ; then + if test -n $withval ; then + LIBS="$LIBS -L$withval" + SOCKSLIBPATH="-L$withval" + fi + AC_CHECK_LIB(socks, Rconnect, AC_DEFINE(HAVE_SOCKS4) SOCKSLIBS="$SOCKSLIBPATH -lsocks") + fi + LIBS="$SAVELIBS $SOCKSLIBS" + ] +) + +dnl Compile with SOCKS5 SOCKS library +AC_ARG_WITH(socks5, + [ --with-socks5=DIR Use Socks5 SOCKS lib (default is system library path)], + [ + SAVELIBS="$LIBS" + SOCKSLIBS="" + SOCKSLIBPATH="" + if test "x$withval" != "xno" ; then + if test -n $withval ; then + LIBS="$LIBS -L$withval" + SOCKSLIBPATH="-L$withval" + fi + AC_CHECK_LIB(socks5, SOCKSconnect, AC_DEFINE(HAVE_SOCKS5) SOCKSLIBS="$SOCKSLIBPATH -lsocks5") + fi + LIBS="$SAVELIBS $SOCKSLIBS" ] ) Index: ssh-keygen.c =================================================================== RCS file: /usr/local/cvs/openssh/ssh-keygen.c,v retrieving revision 1.7 diff -u -r1.7 ssh-keygen.c --- ssh-keygen.c 2000/01/17 16:53:27 1.7 +++ ssh-keygen.c 2000/01/19 20:38:39 
@@ -101,7 +101,7 @@ if (f && fgets(line, sizeof(line), f)) { cp = line; line[strlen(line) - 1] = '\0'; - if (auth_rsa_read_key(&cp, &dummy, e, n)) { + if (auth_rsa_read_key(&cp, (unsigned int *)&dummy, e, n)) { public_key->e = e; public_key->n = n; comment = xstrdup(cp ? cp : "no comment"); Index: ssh.c =================================================================== RCS file: /usr/local/cvs/openssh/ssh.c,v retrieving revision 1.13 diff -u -r1.13 ssh.c --- ssh.c 2000/01/17 19:24:17 1.13 +++ ssh.c 2000/01/19 20:38:39 @@ -213,6 +213,10 @@ /* Save our own name. */ av0 = av[0]; +#ifdef SOCKS + SOCKSinit(av0); +#endif /* SOCKS */ + /* Initialize option structure to indicate that no values have been set. */ initialize_options(&options); Index: ssh.h =================================================================== RCS file: /usr/local/cvs/openssh/ssh.h,v retrieving revision 1.15 diff -u -r1.15 ssh.h --- ssh.h 2000/01/17 19:24:19 1.15 +++ ssh.h 2000/01/19 21:16:53 @@ -752,7 +752,7 @@ #include "auth-pam.h" #endif /* USE_PAM */ -#ifdef HAVE_DANTE +#if defined(HAVE_DANTE) || defined(HAVE_SOCKS4) /* * The following defines map the normal socket operations to SOCKSified * versions coming from the Dante SOCKS package. 
@@ -795,6 +795,54 @@ size_t, int, const struct sockaddr *, socklen_t); ssize_t Rwrite(int , const void *, size_t ); ssize_t Rwritev(int , const struct iovec *, int ); -#endif /* HAVE_DANTE */ +#endif /* HAVE_DANTE || HAVE_SOCKS4 */ +#if defined(HAVE_SOCKS5) +/* + * The following defines map the normal socket operations to SOCKSified + * versions coming from the Dante SOCKS package. + */ +#define accept SOCKSaccept +#define bind SOCKSbind +#define bindresvport SOCKSbindresvport +#define connect SOCKSconnect +#define gethostbyname SOCKSgethostbyname +#define gethostbyname2 SOCKSgethostbyname2 +#define getpeername SOCKSgetpeername +#define getsockname SOCKSgetsockname +#define read SOCKSread +#define readv SOCKSreadv +#define recv SOCKSrecv +#define recvmsg SOCKSrecvmsg +#define recvfrom SOCKSrecvfrom +#define rresvport SOCKSrresvport +#define send SOCKSsend +#define sendmsg SOCKSsendmsg +#define sendto SOCKSsendto +#define write SOCKSwrite +#define writev SOCKSwritev +int SOCKSaccept (int, struct sockaddr *, socklen_t *); +int SOCKSbind (int, const struct sockaddr *, socklen_t); +int SOCKSbindresvport(int , struct sockaddr_in *); +int SOCKSconnect (int, const struct sockaddr *, socklen_t); +struct hostent *SOCKSgethostbyname(const char *); +struct hostent *SOCKSgethostbyname2(const char *, int); +int SOCKSgetpeername (int, struct sockaddr *, socklen_t *); +int SOCKSgetsockname (int, struct sockaddr *, socklen_t *); +ssize_t SOCKSread(int , void *, size_t ); +ssize_t SOCKSreadv(int d, const struct iovec *iov, int iovcnt); +ssize_t SOCKSrecv (int, void *, size_t, int); +ssize_t SOCKSrecvfrom (int, void *, size_t, int, struct sockaddr *, + socklen_t *); +ssize_t SOCKSsend (int, const void *, size_t, int); +ssize_t SOCKSsendmsg (int, const struct msghdr *, int); +ssize_t SOCKSsendto (int, const void *, + size_t, int, const struct sockaddr *, socklen_t); +ssize_t SOCKSwrite(int , const void *, size_t ); +ssize_t SOCKSwritev(int , const struct iovec *, int ); +#endif /* 
SOCKS5 */ + +#if defined(DANTE) || defined(SOCKS4) || defined(SOCKS5) +#define SOCKS +#endif /* defined(DANTE) || defined(SOCKS4) || defined(SOCKS5) */ #endif /* SSH_H */ Index: sshconnect.c =================================================================== RCS file: /usr/local/cvs/openssh/sshconnect.c,v retrieving revision 1.14 diff -u -r1.14 sshconnect.c --- sshconnect.c 2000/01/17 19:24:20 1.14 +++ sshconnect.c 2000/01/19 20:38:40 @@ -883,7 +883,7 @@ debug("No challenge for skey authentication."); return 0; } - challenge = packet_get_string(&payload_len); + challenge = packet_get_string((unsigned int *)&payload_len); if (options.cipher == SSH_CIPHER_NONE) log("WARNING: Encryption is disabled! " "Reponse will be transmitted in clear text."); Index: sshd.c =================================================================== RCS file: /usr/local/cvs/openssh/sshd.c,v retrieving revision 1.18 diff -u -r1.18 sshd.c --- sshd.c 2000/01/17 19:24:22 1.18 +++ sshd.c 2000/01/19 21:02:01 @@ -1076,7 +1076,7 @@ packet_read_expect(&plen, SSH_CMSG_USER); /* Get the user name. */ - user = packet_get_string(&ulen); + user = packet_get_string((unsigned int*)&ulen); packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER); /* Destroy the private and public keys. They will no longer be needed. */ @@ -1172,6 +1172,10 @@ { struct passwd *pw, pwcopy; +#ifdef WITH_AIXAUTHENTICATE + char *loginmsg; +#endif /* WITH_AIXAUTHENTICATE */ + #ifdef AFS /* If machine has AFS, set process authentication group. */ if (k_hasafs()) { @@ -1180,6 +1184,8 @@ } #endif /* AFS */ + pw = (struct passwd *) malloc (sizeof(struct passwd)); + /* Verify that the user is a valid user. */ pw = getpwnam(user); if (!pw || !allowed_user(pw)) 
@@ -1237,6 +1243,9 @@ get_canonical_hostname()); } /* The user has been authenticated and accepted. */ +#ifdef WITH_AIXAUTHENTICATE + loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg); +#endif /* WITH_AIXAUTHENTICATE */ packet_start(SSH_SMSG_SUCCESS); packet_send(); packet_write_wait(); @@ -1349,7 +1358,7 @@ * authentication is insecure. (Another is * IP-spoofing on a local network.) */ - client_user = packet_get_string(&ulen); + client_user = packet_get_string((unsigned int *)&ulen); packet_integrity_check(plen, 4 + ulen, type); /* Try to authenticate using /etc/hosts.equiv and @@ -1369,7 +1378,7 @@ * trust the client; root on the client machine can * claim to be any user. */ - client_user = packet_get_string(&ulen); + client_user = packet_get_string((unsigned int *)&ulen); /* Get the client host key. */ client_host_key_e = BN_new(); @@ -1414,7 +1423,7 @@ * transmitted over the encrypted channel so it is * not visible to an outside observer. */ - password = packet_get_string(&dlen); + password = packet_get_string((unsigned int *)&dlen); packet_integrity_check(plen, 4 + dlen, type); #ifdef USE_PAM @@ -1493,26 +1502,42 @@ #ifdef USE_PAM if (!do_pam_account(pw->pw_name, client_user)) { - if (client_user != NULL) + if (client_user != NULL) { xfree(client_user); + client_user = NULL; + } do_fake_authloop(pw->pw_name); } #endif /* USE_PAM */ return; - } + } - if (client_user != NULL) +/* HEAP*/ +#if 1 + if (client_user != NULL) { xfree(client_user); + client_user = NULL; + } +#endif if (attempt > AUTH_FAIL_MAX) packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); /* Send a message indicating that the authentication attempt failed. */ +#ifdef WITH_AIXAUTHENTICATE + if (strncmp(get_authname(type),"password", + strlen(get_authname(type))) == 0) + loginfailed(pw->pw_name,get_canonical_hostname(),"ssh"); +#endif /* WITH_AIXAUTHENTICATE */ + packet_start(SSH_SMSG_FAILURE); packet_send(); packet_write_wait(); } + + + } /* 
@@ -1691,7 +1716,7 @@ ttyname, tty_mode, strerror(errno)); /* Get TERM from the packet. Note that the value may be of arbitrary length. */ - term = packet_get_string(&dlen); + term = packet_get_string((unsigned int *)&dlen); packet_integrity_check(dlen, strlen(term), type); /* packet_integrity_check(plen, 4 + dlen + 4*4 + n_bytes, type); */ /* Remaining bytes */ @@ -1736,8 +1761,8 @@ packet_disconnect("Protocol error: X11 display already set."); { int proto_len, data_len; - proto = packet_get_string(&proto_len); - data = packet_get_string(&data_len); + proto = packet_get_string((unsigned int *)&proto_len); + data = packet_get_string((unsigned int *)&data_len); packet_integrity_check(plen, 4 + proto_len + 4 + data_len + 4, type); } if (packet_get_protocol_flags() & SSH_PROTOFLAG_SCREEN_NUMBER) @@ -1820,7 +1845,7 @@ /* Get command from the packet. */ { int dlen; - command = packet_get_string(&dlen); + command = packet_get_string((unsigned int *)&dlen); debug("Executing command '%.500s'", command); packet_integrity_check(plen, 4 + dlen, type); } @@ -2416,6 +2441,16 @@ if (display) child_set_env(&env, &envsize, "DISPLAY", display); + { + char *authstate,*krb5cc; + + if ((authstate = getenv("AUTHSTATE")) != NULL) + child_set_env(&env,&envsize,"AUTHSTATE",authstate); + + if ((krb5cc = getenv("KRB5CCNAME")) != NULL) + child_set_env(&env,&envsize,"KRB5CCNAME",krb5cc); + } + #ifdef KRB4 { extern char *ticket; @@ -2436,6 +2471,8 @@ if (auth_get_socket_name() != NULL) child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME, auth_get_socket_name()); + + read_environment_file(&env,&envsize,"/etc/environment"); /* read $HOME/.ssh/environment. */ if (!options.use_login) { Index: configure =================================================================== RCS file: /usr/local/cvs/openssh/configure,v retrieving revision 1.22 diff -u -r1.22 configure --- configure 2000/01/17 19:34:11 1.22 +++ configure 2000/01/19 21:32:12 
@@ -28,6 +28,10 @@ ac_help="$ac_help --with-dante=DIR Use Dante SOCKS lib (default is system library path)" ac_help="$ac_help + --with-socks4=DIR Use Socks4 SOCKS lib (default is system library path)" +ac_help="$ac_help + --with-socks5=DIR Use Socks5 SOCKS lib (default is system library path)" +ac_help="$ac_help --with-kerberos4=PATH Enable Kerberos 4 support" ac_help="$ac_help --with-afs=PATH Enable AFS support" @@ -1236,6 +1240,11 @@ case "$host" in *-*-aix*) AFS_LIBS="-lld" + cat >> confdefs.h <<\EOF +#define WITH_AIXAUTHENTICATE 1 +EOF + + LIBS="$LIBS -ls" ;; *-*-hpux10*) if test -z "$GCC"; then 
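Review bot: the `#if defined(DANTE) || defined(SOCKS4) || defined(SOCKS5)` guard at the end of the ssh.h hunk above tests macros nothing defines; configure emits `HAVE_DANTE`, `HAVE_SOCKS4` and `HAVE_SOCKS5`, so `SOCKS` is never defined and anything conditional on it is dead code. Use the `HAVE_` names. In the same `HAVE_SOCKS5` block, `recvmsg` and `rresvport` are remapped to `SOCKSrecvmsg` and `SOCKSrresvport` but neither gets a prototype, so their callers compile against implicit declarations, and the block comment still says the wrappers come from Dante although this is the SOCKS5 block. Remapping `read` and `write` from ssh.h also sends every plain file read and write in any file that includes it through the SOCKS library; that deserves a comment or a narrower scope.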
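Review bot: the `(unsigned int *)&payload_len`, `&ulen`, `&dlen`, `&proto_len` and `&data_len` casts in the sshconnect.c and sshd.c hunks silence a pointer-type warning instead of fixing the mismatch: `packet_get_string` takes an `unsigned int *`, and every one of these variables is a length, so declare them `unsigned int` and drop the casts; the `packet_integrity_check(plen, 4 + dlen, type)` calls that follow work unchanged.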
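Review bot: in the `@@ -1180,6 +1184,8 @@` sshd.c hunk, `pw = (struct passwd *) malloc (sizeof(struct passwd));` is overwritten two lines later by `pw = getpwnam(user);`, so the allocation is leaked on every connection and serves no purpose; remove it. The `loginmsg` declared in the hunk before it is filled by `loginsuccess()` in the `@@ -1237` hunk and then ignored: log it, and free it if `loginsuccess()` allocates it, rather than dropping it.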
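Review bot: the `/* HEAP*/` and `#if 1 ... #endif` wrapper around the second `xfree(client_user)` in the `@@ -1493,26 +1502,42 @@` hunk is debugging scaffolding; keep the body (setting `client_user = NULL` after `xfree` is the real fix, since it stops the stale pointer being freed again later) and drop the wrapper. In the same hunk, `strncmp(get_authname(type), "password", strlen(get_authname(type))) == 0` bounds the comparison by the length of the auth name, so any name that is a prefix of "password" also matches; `strcmp(get_authname(type), "password") == 0` says what is meant. The whitespace-only `- }` / `+ }` change and the three blank lines added after the closing brace are noise that should not land.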
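Review bot: the `@@ -2416,6 +2441,16 @@` hunk copies `AUTHSTATE` and `KRB5CCNAME` out of sshd's own process environment (`getenv()` in the daemon) into every session's environment, and does so on every platform because it sits under neither `WITH_AIXAUTHENTICATE` nor `KRB4`; if these are wanted for the AIX authentication path, guard them with it and say so in a comment, otherwise every session inherits whatever the administrator who started sshd happened to have set. The unconditional `read_environment_file(&env, &envsize, "/etc/environment")` in the `@@ -2436` hunk has the same shape: it changes the session environment on every platform that has such a file, so it should be guarded or made an option.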
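Review bot: the `*-*-aix*` case in the `@@ -1236,6 +1240,11 @@` configure hunk defines `WITH_AIXAUTHENTICATE` and appends `-ls` to `LIBS` without checking that the library and `loginsuccess()`/`loginfailed()` actually link, unlike the SOCKS options which run a link test first; an `AC_CHECK_LIB` there keeps the build working on AIX installs where they are missing. This is also a change to the generated `configure` with no matching `configure.in` hunk in the patch, so it is lost at the next autoconf run.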
@@ -2878,16 +2887,183 @@ if test "${with_dante+set}" = set; then withval="$with_dante" - cat >> confdefs.h <<\EOF + SAVELIBS="$LIBS" + SOCKSLIBS="" + SOCKSLIBPATH="" + if test "x$withval" != "xno" ; then + if test -n $withval ; then + LIBS="$LIBS -L$withval" + SOCKSLIBPATH="-L$withval" + fi + echo $ac_n "checking for Rconnect in -lsocks""... $ac_c" 1>&6 +echo "configure:2900: checking for Rconnect in -lsocks" >&5 +ac_lib_var=`echo socks'_'Rconnect | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lsocks $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + cat >> confdefs.h <<\EOF #define HAVE_DANTE 1 EOF + SOCKSLIBS="$SOCKSLIBPATH -lsocks" +else + echo "$ac_t""no" 1>&6 +fi + + fi + LIBS="$SAVELIBS $SOCKSLIBS" + +fi + + +# Check whether --with-socks4 or --without-socks4 was given. +if test "${with_socks4+set}" = set; then + withval="$with_socks4" + + SAVELIBS="$LIBS" + SOCKSLIBS="" + SOCKSLIBPATH="" if test "x$withval" != "xno" ; then if test -n $withval ; then LIBS="$LIBS -L$withval" + SOCKSLIBPATH="-L$withval" fi - LIBS="$LIBS -lsocks" + echo $ac_n "checking for Rconnect in -lsocks""... 
$ac_c" 1>&6 +echo "configure:2962: checking for Rconnect in -lsocks" >&5 +ac_lib_var=`echo socks'_'Rconnect | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lsocks $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + cat >> confdefs.h <<\EOF +#define HAVE_SOCKS4 1 +EOF + SOCKSLIBS="$SOCKSLIBPATH -lsocks" +else + echo "$ac_t""no" 1>&6 +fi + + fi + LIBS="$SAVELIBS $SOCKSLIBS" + + +fi + + +# Check whether --with-socks5 or --without-socks5 was given. +if test "${with_socks5+set}" = set; then + withval="$with_socks5" + + SAVELIBS="$LIBS" + SOCKSLIBS="" + SOCKSLIBPATH="" + if test "x$withval" != "xno" ; then + if test -n $withval ; then + LIBS="$LIBS -L$withval" + SOCKSLIBPATH="-L$withval" + fi + echo $ac_n "checking for SOCKSconnect in -lsocks5""... 
$ac_c" 1>&6 +echo "configure:3024: checking for SOCKSconnect in -lsocks5" >&5 +ac_lib_var=`echo socks5'_'SOCKSconnect | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lsocks5 $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + cat >> confdefs.h <<\EOF +#define HAVE_SOCKS5 1 +EOF + SOCKSLIBS="$SOCKSLIBPATH -lsocks5" +else + echo "$ac_t""no" 1>&6 +fi + fi + LIBS="$SAVELIBS $SOCKSLIBS" fi From andre.lucas at dial.pipex.com Thu Jan 20 09:07:07 2000 
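Review bot: in the `--with-dante`, `--with-socks4` and `--with-socks5` blocks, `if test -n $withval ; then` leaves `$withval` unquoted, so with an empty value the command becomes `test -n`, which is true, and `-L` is appended with no directory after it; when the option is given without a value `$withval` is `yes`, so `LIBS` gets `-Lyes`. Quote it and exclude the bare-option case: `if test -n "$withval" && test "x$withval" != "xyes"; then`. Note also that the dante and socks4 checks look for the same symbol in the same library (`Rconnect` in `-lsocks`) and define different macros (`HAVE_DANTE` vs `HAVE_SOCKS4`) on success, so the two options cannot tell the packages apart and giving both appends `-lsocks` twice; document which option is for which package, or fold them into one.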
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Wed, 19 Jan 2000 22:07:07 +0000
Subject: New liblogin release
Message-ID: <20000119220707.B26370@internal.domain>

Hi,

I've just put a new version of liblogin[1] on my website. This version is fully tested on Linux RH6, OpenBSD, HPUX10.20 and Solaris 2.6. It may well work on other systems now, as it supports login(), [uw]tmp, [uw]tmpx, and lastlog (filemode only.) If you're feeling adventurous, please check out the web page and try it out.

By 'tested', I mean that the library is known to record the logins so the 'who' and 'last' commands show correct information, and lastlog information is recorded where it's supported. I'd very much like to know if it works on other systems or not. If you could send me the output of 'testlogin' (in the liblogin directory) when you try it, I would be very grateful.

Can someone tell me which platforms have directory-mode lastlog? I need to add that support in.

Thanks,
-Andre

[1] http://dspace.dial.pipex.com/andre.lucas/liblogin.html

--
Andre Lucas
http://dspace.dial.pipex.com/andre.lucas/

From djm at mindrot.org Thu Jan 20 09:21:31 2000
From: djm at mindrot.org (Damien Miller)
Date: Thu, 20 Jan 2000 09:21:31 +1100 (EST)
Subject: Failed password
In-Reply-To:
Message-ID:

On Wed, 19 Jan 2000, Gene Imes wrote:

> I compiled openssh-1.2.1pre25.tar.gz with openssl-0.9.4.tar.gz and
> configured openssh like so:
>
> ./configure --prefix=/usr --sysconfdir=/etc --without-pam
>
> This is on a Slackware 7.0 Linux box, no PAM, with shadowed
> passwords, and no NIS.

Are you using MD5 passwords? You can tell if your crypted passwords in /etc/shadow begin with '$1$'. If so, you need to enable --with-md5-passwords

Damien

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Thu Jan 20 09:25:35 2000
From: djm at mindrot.org (Damien Miller)
Date: Thu, 20 Jan 2000 09:25:35 +1100 (EST)
Subject: New liblogin release
In-Reply-To: <20000119220707.B26370@internal.domain>
Message-ID:

On Wed, 19 Jan 2000, Andre Lucas wrote:

> Can someone tell me which platforms have directory-mode lastlog? I need
> to add that support in.

AFAIK Only Irix.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From markus.friedl at informatik.uni-erlangen.de Thu Jan 20 08:29:41 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 19 Jan 2000 22:29:41 +0100
Subject: AIX openssh patches
In-Reply-To: <20000119123354.D23506@btv.ibm.com>; from v2matt@btv.ibm.com on Wed, Jan 19, 2000 at 12:33:55PM -0500
References: <20000119123354.D23506@btv.ibm.com>
Message-ID: <20000119222941.A29720@folly.informatik.uni-erlangen.de>

no. never ever. please don't do this.

netscape+ssl has been broken because of this.
(http://www.cs.berkeley.edu/~daw/my-posts/netscape-cracked)

-markus

On Wed, Jan 19, 2000 at 12:33:55PM -0500, Matt Richards wrote:
> void get_random_bytes(unsigned char *buf, int len) > { > + > + #ifdef USE_SYSRANDOM > + int index; > + > + srandom(time(NULL) + getpid()); > + > + for (index = 0; index < len+1; index++) { > + buf[index] = rand()%255; > + } > + #else /* USE_SYSRANDOM */

From jhuuskon at hytti.uku.fi Thu Jan 20 18:47:13 2000
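Review bot: besides the seeding problem Markus points out (a seed of `time(NULL) + getpid()` is a small, guessable value, so the output is reproducible rather than random), the quoted `get_random_bytes` hunk has two plain bugs: the loop `for (index = 0; index < len+1; index++)` writes `len+1` bytes into a `len`-byte buffer, a one-byte overflow on every call, and `rand()%255` yields only 0..254, so the byte value 255 never appears and the output is visibly biased. On libcs where `rand()` and `random()` are separate generators, `srandom()` does not even seed the `rand()` being drawn from. Key material has to come from the real entropy source the existing `#else` branch uses, not from a libc PRNG.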
From: jhuuskon at hytti.uku.fi (Jarno Huuskonen)
Date: Thu, 20 Jan 2000 09:47:13 +0200 (WET)
Subject: ssh and expired passwords ?
Message-ID: <200001200747.JAA116178@hytti.uku.fi>

Hi !

Is it possible to add support for expired passwords to OpenSSH ? What I mean by this is that when a user's password has expired the user is forced to change the password before the shell is executed. At least OpenSSH on linux+pam (RedHat 6.0) denies access if the password has expired ...

Would something like this work (as a temporary fix): If the password is expired run a command that first executes passwd and if that was a success executes the user's shell ?

-Jarno

--
,,,, /'^'\ ( o o ) -oOOO--(_)--OOOo------------------------------ .oooO .oOo. Jarno Huuskonen .oOo. ( ) Oooo. jhuuskon at hytti.uku.fi ---\ (----( )------------------------------- \_) ) / Mobile: +358-40-5388169 (_/ Work: +358-17-162822

From marc.vanwoerkom at orgaplan.de Thu Jan 20 20:18:22 2000
From: marc.vanwoerkom at orgaplan.de (Marc van Woerkom (ORGAPLAN Software GmbH))
Date: Thu, 20 Jan 2000 10:18:22 +0100
Subject: Porting openssh to Win32
Message-ID: <200001200918.KAA32411@mail-in-01.piro.net>

Hello,

I am interested in a port of OpenSSH to the Win32 platform, using Cygwin for a start.

Is anyone already working on it?

Regards,
Marc

From drankin at bohemians.lexington.ky.us Thu Jan 20 21:51:57 2000
From: drankin at bohemians.lexington.ky.us (David Rankin)
Date: Thu, 20 Jan 2000 05:51:57 -0500
Subject: AIX openssh patches
In-Reply-To: <200001200753.JAA39898@hytti.uku.fi>; from Jarno Huuskonen on Thu, Jan 20, 2000 at 09:53:10AM +0200
References: <20000119133233.B113@rumpole.bohemians.lexington.ky.us> <200001200753.JAA39898@hytti.uku.fi>
Message-ID: <20000120055156.A2672@rumpole.bohemians.lexington.ky.us>

On Thu, Jan 20, 2000 at 09:53:10AM +0200, Jarno Huuskonen wrote:
> > > 1) authenticate support - this function allows the system to determine
> > > authentication. Whatever the system allows for login, authenticate
> > > will too. It doesn't matter whether it is AFS, DFS, SecureID, local.
> > > 2) loginsuccess - this function will log to /etc/security/lastlog as
> > > well as clear the failed logins.
> > > 3) loginfailed - this function will increase the number of failed logins
> > > and update /etc/security/lastlog and /etc/security/failedlogins.
> > > 4) loginrestrictions - this function will determine if a user is allowed
> > > to login (ie too many failed logins, account disabled, etc). This
> > > function is used in conjunction with authenticate.
> Would it be better to call the loginrestrictions (and maybe passwdexpired)
> from allowed_user, because I think now if the user is authenticated with
> eg. RSA then no loginrestrictions check is done ?

This is a good idea, but instead of moving the loginrestrictions() call, I just added it to allowed_user. Matt, can you test this and see how well it works?

David

Index: sshd.c
===================================================================
RCS file: /usr/local/cvs/openssh/sshd.c,v
retrieving revision 1.18
diff -u -r1.18 sshd.c
--- sshd.c 2000/01/17 19:24:22 1.18
+++ sshd.c 2000/01/20 10:38:17
@@ -32,6 +32,10 @@ int deny_severity = LOG_WARNING; #endif /* LIBWRAP */ +#ifdef WITH_AIXAUTHENTICATE +#include +#endif /* WITH_AIXAUTHENTICATE */ + #ifndef O_NOCTTY #define O_NOCTTY 0 #endif
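Review bot: the `#include` added under `WITH_AIXAUTHENTICATE` in the `@@ -32,6 +32,10 @@` hunk names no header in the posted patch (the angle-bracketed name appears to have been lost in transit); the header that declares `loginrestrictions()` and `S_LOGIN` has to be named before this can be applied, and a one-line comment saying which AIX header that is would save the next reader the search.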
@@ -1102,11 +1106,21 @@ { struct group *grp; int i; +#ifdef WITH_AIXAUTHENTICATE + char *loginmsg; +#endif /* Shouldn't be called if pw is NULL, but better safe than sorry... */ - if (!pw) + if (pw == NULL) return 0; +#ifdef WITH_AIXAUTHENTICATE + /* On AIX, loginrestrictions() tells us whether the person has been + * locked out at the OS level or not. */ + if (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) != 0) + return 0; +#endif /* WITH_AIXAUTHENTICATE + /* XXX Should check for valid login shell */ /* Return false if user is listed in DenyUsers */

From djm at mindrot.org Thu Jan 20 23:26:24 2000
From: djm at mindrot.org (Damien Miller)
Date: Thu, 20 Jan 2000 23:26:24 +1100 (EST)
Subject: Patch to change installation of ssh_config and sshd_config
In-Reply-To: <20000118114415.A26457@rumpole.bohemians.lexington.ky.us>
Message-ID:

On Tue, 18 Jan 2000, David Rankin wrote:

> The NetBSD packages system "forbids" packages from installing
> stuff outside of the package tree (typically "/usr/pkg"). OpenSSH
> installs ssh*_config into $sysconfdir by default, which violates
> that rule. Christos Zoulas reworked Makefile.in to separate the
> install from sysconfdir, and I added some logic to configure.in to
> add --with-example-dir.

Can you get away with something like:

make install sysconfdir=/usr/share/examples/openssh

?

Regards,
Damien

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Thu Jan 20 23:28:27 2000
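Review bot: in the sshd.c `@@ -1102,11 +1106,21 @@` hunk of David Rankin's allowed_user patch above, the closing `#endif /* WITH_AIXAUTHENTICATE` is missing its `*/`, so the comment runs on until the `*/` that ends the following `/* XXX Should check for valid login shell */` line; as posted it compiles with that comment swallowed, and any later code added between them silently disappears. The `loginmsg` returned by `loginrestrictions()` is discarded, so the lockout reason never reaches the log; pass it to `log()` before the `return 0`. The `if (!pw)` to `if (pw == NULL)` change is unrelated style churn and belongs in its own commit.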
From: djm at mindrot.org (Damien Miller)
Date: Thu, 20 Jan 2000 23:28:27 +1100 (EST)
Subject: SSH problems ...
In-Reply-To:
Message-ID:

On Tue, 18 Jan 2000, Marc G. Fournier wrote:

> Thanks to one of the guys on the list, for pointing out the
> 'reserved port' issue, I checked my FreeBSD machine's install of
> OpenSSH and noticed that both ssh and scp are set 4555, vs 755 on
> the Solaris machine. It appears that the OpenSSH distribution
> doesn't set this, which is what caused that problem ...

You are correct, the makefile does not set the suid bit. This is deliberate, but I will add a note to the UPGRADING text.

Damien

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From andre.lucas at dial.pipex.com Thu Jan 20 23:54:40 2000
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Thu, 20 Jan 2000 12:54:40 +0000
Subject: Porting openssh to Win32
References: <200001200918.KAA32411@mail-in-01.piro.net>
Message-ID: <38870590.BE469D1@dial.pipex.com>

I did look into it a short while ago. I don't have the time to work on it now, and I didn't get that far (I was busy with other stuff) so I'm afraid I don't have any source to give to you.

First port of call was a cygwin port of openssl (I was using cygwin 1.0, not b20.1) as the existing win32 stuff is for the M$ compiler. I got it compiled with gcc (using the gcc target, and changing an 'ln -s' command to a copy, as the symlink was looping on NT) but for some reason a file was getting truncated and the tests failed. I stopped there as there was other stuff to do on the Unix ports.

Then, as Damien pointed out to me, a good random source is required, which will probably require some native win32 code to access the system's entropy sources. The performance monitor interface looked a good bet for this. There was some talk recently of porting the Yarrow PRNG from VC++, that would help but it's still some way off I think.

Then there's the pseudo-terminal implementation, which I didn't get to I'm afraid.

Ta,
-Andre

"Marc van Woerkom (ORGAPLAN Software GmbH)" wrote:
>
> Hello,
>
> I am interested in a port of OpenSSH to the Win32 platform,
> using Cygwin for a start.
>
> Is anyone already working on it?
>
> Regards,
> Marc

From marc.vanwoerkom at orgaplan.de Fri Jan 21 01:33:34 2000
From: marc.vanwoerkom at orgaplan.de (Marc van Woerkom)
Date: Thu, 20 Jan 2000 15:33:34 +0100
Subject: Porting openssh to Win32
In-Reply-To: <38870590.BE469D1@dial.pipex.com> (message from Andre Lucas on Thu, 20 Jan 2000 12:54:40 +0000)
References: <200001200918.KAA32411@mail-in-01.piro.net> <38870590.BE469D1@dial.pipex.com>
Message-ID: <200001201433.PAA15361@mail-in-01.piro.net>

> First port of call was a cygwin port of openssl (I was using cygwin 1.0,
> not b20.1) as the existing win32 stuff is for the M$ compiler. I got it
> compiled with gcc (using the gcc target, and changing an 'ln -s'
> command to a copy, as the symlink was looping on NT) but for some reason
> a file was getting truncated and the tests failed. I stopped there as
> there was other stuff to do on the Unix ports.

Another source of fun is usually the \r\n vs \n line termination, as expressed using text or binary mode on files.

> Then, as Damien pointed out to me, a good random source is required,
> which will probably require some native win32 code to access the
> system's entropy sources.

My first problem would be to determine how good that generator is. Is there any test suite out there, with a minimum of consensus among the experts, that would allow one to decide if it is crap or not? I know that there is a lot written in Knuth's books - I remember that easy test to simply plot (x_i, x_{i+1}) to spot some of the more obvious flaws.

Regards,
Marc

From christos at zoulas.com Fri Jan 21 01:35:44 2000
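An added example (standard C only, not code from any message or patch in this thread) of the kind of uniformity check Marc asks about, and of what it catches in a byte generator built the way the USE_SYSRANDOM hunk Markus rejected builds one (libc rand() reduced with % 255) next to a full-range reference from the same rand(). The 12345 seed is a constructed value fixed for reproducibility; a statistical pass says nothing about the predictability of a time+pid seed, which is the actual objection.

```c
/* Two uniformity tests over a byte stream: a Pearson chi-square over the 256
 * byte values and a chi-square over the coarse (x_i, x_{i+1}) grid that Marc's
 * plot test inspects by eye. Added example, not OpenSSH code. */
#include <stdio.h>
#include <stdlib.h>

#define NVALS 256   /* distinct byte values */
#define GRID  16    /* (x_i >> 4, x_{i+1} >> 4) cells per axis */

struct byte_stats {
    double chi2_single;     /* over byte values, 255 degrees of freedom */
    double chi2_pairs;      /* over GRID*GRID pair cells, 255 degrees of freedom */
    int    missing_values;  /* byte values that never occurred */
};

/* Mirrors the quoted patch's output rule (rand() % 255) but writes exactly len
 * bytes (the patch's loop ran to len+1) and seeds with srand(), the partner of
 * rand(), where the patch called srandom(). */
static void sysrandom_style_bytes(unsigned char *buf, size_t len, unsigned seed)
{
    size_t i;
    srand(seed);
    for (i = 0; i < len; i++)
        buf[i] = (unsigned char)(rand() % 255);   /* 0..254: 255 can never appear */
}

/* Reference: the same libc PRNG reduced to the full 0..255 range. */
static void full_range_bytes(unsigned char *buf, size_t len, unsigned seed)
{
    size_t i;
    srand(seed);
    for (i = 0; i < len; i++)
        buf[i] = (unsigned char)(rand() % 256);
}

/* Pearson chi-square of observed counts against a flat expectation; for 255
 * degrees of freedom a uniform source scores about 255 +/- 23. */
static double chi_square(const unsigned long *counts, int ncells, double expected)
{
    double chi2 = 0.0;
    int i;
    for (i = 0; i < ncells; i++) {
        double d = (double)counts[i] - expected;
        chi2 += d * d / expected;
    }
    return chi2;
}

struct byte_stats byte_uniformity(const unsigned char *buf, size_t len)
{
    unsigned long single[NVALS] = {0};
    unsigned long pairs[GRID * GRID] = {0};
    struct byte_stats st = {0.0, 0.0, 0};
    size_t i;
    int v;

    if (len < 2)
        return st;
    for (i = 0; i < len; i++)
        single[buf[i]]++;
    for (i = 0; i + 1 < len; i++)
        pairs[(buf[i] >> 4) * GRID + (buf[i + 1] >> 4)]++;
    for (v = 0; v < NVALS; v++)
        if (single[v] == 0)
            st.missing_values++;

    st.chi2_single = chi_square(single, NVALS, (double)len / NVALS);
    st.chi2_pairs  = chi_square(pairs, GRID * GRID, (double)(len - 1) / (GRID * GRID));
    return st;
}

/* Runs both generators over n bytes. Returns 1 when the %255 generator is
 * flagged (a value never seen, chi-square far above 255) while the full-range
 * reference passes, 0 otherwise, -1 on allocation failure. */
int compare_generators(size_t n, struct byte_stats *biased, struct byte_stats *reference)
{
    unsigned char *buf = malloc(n);
    if (buf == NULL)
        return -1;
    sysrandom_style_bytes(buf, n, 12345u);   /* constructed fixed seed */
    *biased = byte_uniformity(buf, n);
    full_range_bytes(buf, n, 12345u);
    *reference = byte_uniformity(buf, n);
    free(buf);
    return biased->missing_values > 0 && biased->chi2_single > 1000.0 &&
           reference->missing_values == 0 && reference->chi2_single < 400.0;
}

int main(void)
{
    struct byte_stats b, r;
    int flagged = compare_generators((size_t)1 << 20, &b, &r);

    printf("rand()%%255: missing values=%d chi2=%.1f pair chi2=%.1f\n",
           b.missing_values, b.chi2_single, b.chi2_pairs);
    printf("rand()%%256: missing values=%d chi2=%.1f pair chi2=%.1f\n",
           r.missing_values, r.chi2_single, r.chi2_pairs);
    printf("biased generator flagged: %s\n", flagged == 1 ? "yes" : "no");
    return flagged == 1 ? 0 : 1;
}
```

With a megabyte of output the %255 generator scores around 4400 on the single-value test (one empty bin contributes the whole N/256) and the pair test also flags it, while the re-seeded reference sits near 255 on both.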
From: christos at zoulas.com (Christos Zoulas)
Date: Thu, 20 Jan 2000 09:35:44 -0500
Subject: Patch to change installation of ssh_config and sshd_config
In-Reply-To: from Damien Miller (Jan 20, 11:26pm)
Message-ID: <200001201435.JAA04650@hrothgar.gw.com>

On Jan 20, 11:26pm, djm at mindrot.org (Damien Miller) wrote:
-- Subject: Re: Patch to change installation of ssh_config and sshd_config

| On Tue, 18 Jan 2000, David Rankin wrote:
|
| > The NetBSD packages system "forbids" packages from installing
| > stuff outside of the package tree (typically "/usr/pkg"). OpenSSH
| > installs ssh*_config into $sysconfdir by default, which violates
| > that rule. Christos Zoulas reworked Makefile.in to separate the
| > install from sysconfdir, and I added some logic to configure.in to
| > add --with-example-dir.
|
| Can you get away with something like:
|
| make install sysconfdir=/usr/share/examples/openssh
|

Not really, because I want openssh to look in /etc for its config file. I just don't want them installed when I build it, because the drain-bamaged package system does not allow me to do it.

christos

From markus.friedl at informatik.uni-erlangen.de Fri Jan 21 02:55:54 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 20 Jan 2000 16:55:54 +0100
Subject: Porting openssh to Win32
In-Reply-To: <200001201433.PAA15361@mail-in-01.piro.net>; from marc.vanwoerkom@orgaplan.de on Thu, Jan 20, 2000 at 03:33:34PM +0100
References: <200001200918.KAA32411@mail-in-01.piro.net> <38870590.BE469D1@dial.pipex.com> <200001201433.PAA15361@mail-in-01.piro.net>
Message-ID: <20000120165554.A15971@folly.informatik.uni-erlangen.de>

On Thu, Jan 20, 2000 at 03:33:34PM +0100, Marc van Woerkom wrote:
> My first problem would be to determine how good that generator is.
> Is there any test suite out there, with a minimum of consensus among the
> experts, that would allow to decide if it is crap or not?

ftp://ftp.franken.de/pub/crypt/cryptlib/beta/cl30beta01.zip contains Peter Gutmann's random generators for various OSes. He has written a paper about his ideas: http://www.cs.auckland.ac.nz/~pgut001/pubs/random.pdf

For more information see http://www.cs.berkeley.edu/~daw/rnd/index.html or the www.gnupg.org page. They have a windows port and need randomness, too.

From andre.lucas at dial.pipex.com Fri Jan 21 03:26:53 2000
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Thu, 20 Jan 2000 16:26:53 +0000
Subject: Porting openssh to Win32
References: <200001200918.KAA32411@mail-in-01.piro.net> <38870590.BE469D1@dial.pipex.com> <200001201433.PAA15361@mail-in-01.piro.net>
Message-ID: <3887374D.F4800F41@dial.pipex.com>

Marc van Woerkom wrote:
>
> > First port of call was a cygwin port of openssl (I was using cygwin 1.0,
> > not b20.1) as the existing win32 stuff is for the M$ compiler. I got it
> > compiled with gcc (using the gcc target, and changing an 'ln -s'
> > command to a copy, as the symlink was looping on NT) but for some reason
> > a file was getting truncated and the tests failed. I stopped there as
> > there was other stuff to do on the Unix ports.
>
> Another source of fun is usually the \r\n vs \n line termination, as
> expressed using text or binary mode on files.

Yep, it's quite likely the truncated file is simply this - it spots an EOF for an ASCII mode file (I got bitten by that when porting some unix OpenGL stuff a while back, I had trouble opening GIFs on Windows...)

-André

From v2matt at btv.ibm.com Fri Jan 21 03:45:39 2000
From: v2matt at btv.ibm.com (Matt Richards)
Date: Thu, 20 Jan 2000 11:45:39 -0500
Subject: AIX openssh patches
In-Reply-To: <20000119164059.A1276@rumpole.bohemians.lexington.ky.us>; from drankin@bohemians.lexington.ky.us on Wed, Jan 19, 2000 at 04:41:02PM -0500
References: <20000119123354.D23506@btv.ibm.com> <20000119133233.B113@rumpole.bohemians.lexington.ky.us> <20000119140018.E23506@btv.ibm.com> <20000119164059.A1276@rumpole.bohemians.lexington.ky.us>
Message-ID: <20000120114538.A38018@btv.ibm.com>

Thus spake David Rankin (drankin at bohemians.lexington.ky.us):
> I've attached the revised patch. I don't have SOCKS4 or SOCKS5 to play
> with, so if you can test it, that'd be good. As mentioned, AIX users get
> WITH_AIXAUTHENTICATE without choice now.

I'm having a little problem with the pre27 working with the patches, I'll let you know when I find out what's going on.

> I did not include any of your USE_SYSRANDOM patches into this patch. I looked
> at one of the AIX boxes I have access to, and srandom() is pseudorandom,
> not truly random (or at least nearly as random as EGD). I don't feel
> comfortable in making this an option given the attack possibilities
> pseudorandom numbers give. Sorry.

You're absolutely right, I don't know what I was thinking. I just don't like the idea of a separate process to generate randomness.

Thanks,
Matt

From ishikawa at yk.rim.or.jp Fri Jan 21 04:05:56 2000
From: ishikawa at yk.rim.or.jp (Ishikawa)
Date: Fri, 21 Jan 2000 02:05:56 +0900
Subject: OpenSSH problem report on Linux 2.2.14.
Message-ID: <38874074.6FFE8F9B@yk.rim.or.jp>

I have been using OpenSSH for a while, and I would like to thank you for the great package.

Here is a report of mysterious warning message lines I get while I use OpenSSH. They don't seem to be serious, but annoying nevertheless.

version: openssh-1.2.1pre27

OS: Linux standard 2.2.14 #18 SMP Thu Jan 6 06:07:45 JST 2000 i586 unknown (compiled with gcc 2.95.2)

Compiler:
gcc -v
Reading specs from /usr/lib/gcc-lib/i586-pc-linux-gnu/2.95.2/specs
gcc version 2.95.2 19991024 (release)

Symptom:

I log in to a remote host (remote-host, below) and use port forwarding to access web servers beyond that machine like the following.

/usr/local/bin/ssh -l ishikawa -C -L3000:hostA:3000 -L3001:hostB:3000 -L3002:hostC:3000 -L3003:hostD:3000 -L3004:localhost:3000 -L8082:u43:8082 -L3026:hostA:23 -L8080:hostB:8080 remote-host

hostB ... I believe this is sunos 4.1.4 sparc host
remote-host ... I believe this is SunOS 5.5.1 or 5.6 sparc host.

After having connected to remote-host using ssh (from openssh package), I used the port-forwarding to access the web server ports. "-L8080:hostB:8080" and others are used for this purpose, for example.

Whenever I visit a new page, I noticed that the following warning lines are printed to the initial window where ssh established the connection to remote-host and shell prompt was displayed.

Warning messages shown:

These are just a few examples. Each time a new connection is made (and cut) for, say, the connection to the remote web server via port forwarding, lines similar to the following were shown.
chan_shutdown_read failed for #8/fd12 [i1 o128]: Transport endpoint is not connected
chan_shutdown_read failed for #8/fd12 [i1 o128]: Transport endpoint is not connected
chan_shutdown_read failed for #11/fd15 [i1 o128]: Transport endpoint is not connected
chan_shutdown_read failed for #10/fd14 [i1 o128]: Transport endpoint is not connected
chan_shutdown_read failed for #9/fd13 [i1 o128]: Transport endpoint is not connected
chan_shutdown_read failed for #8/fd12 [i1 o128]: Transport endpoint is not connected
chan_shutdown_read failed for #13/fd17 [i1 o128]: Transport endpoint is not connected
chan_shutdown_read failed for #12/fd16 [i1 o128]: Transport endpoint is not connected
chan_shutdown_read failed for #14/fd18 [i1 o128]: Transport endpoint is not connected
chan_shutdown_read failed for #9/fd13 [i1 o128]: Transport endpoint is not connected
chan_shutdown_read failed for #8/fd12 [i1 o128]: Transport endpoint is not connected

Are they an indication of serious problems? If not, is it safe to shut up ssh so that these warning lines are not printed?

MY PRELIMINARY ANALYSIS of the PROBLEM.

The message seems to come from the following routine in nchan.c:

static void
chan_shutdown_read(Channel *c)
{
	debug("channel %d: shutdown_read", c->self);
	if (shutdown(c->sock, SHUT_RD) < 0)
		error("chan_shutdown_read failed for #%d/fd%d [i%d o%d]: %.100s",
		    c->self, c->sock, c->istate, c->ostate, strerror(errno));
}

Although the self and sock fields vary, ostate is 128 and istate is 1 in the warning messages.

========================================
Where does ostate get set?
----------------------------------------
grep ostate *.c *.h
channels.c: chan_init_iostates(c);
channels.c: if (ch->ostate == CHAN_OUTPUT_OPEN ||
channels.c: ch->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
channels.c: } else if (ch->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
channels.c: debug("X11 rejected %d i%d/o%d", ch->self, ch->istate, ch->ostate);
channels.c: debug("X11 rejected %d i%d/o%d", ch->self, ch->istate, ch->ostate);
channels.c: if (!compat13 && ch->ostate != CHAN_OUTPUT_OPEN)
channels.c: c->ostate, buffer_len(&c->output));
nchan.c:/* events concerning the OUTPUT from channel for socket (ostate) */
nchan.c: switch (c->ostate) {
nchan.c: c->ostate = CHAN_OUTPUT_WAIT_DRAIN;
nchan.c: c->ostate = CHAN_OUTPUT_CLOSED;
nchan.c: error("protocol error: chan_rcvd_ieof %d for ostate %d", c->self, c->ostate);
nchan.c: switch (c->ostate) {
nchan.c: c->ostate = CHAN_OUTPUT_WAIT_IEOF;
nchan.c: c->ostate = CHAN_OUTPUT_CLOSED;
nchan.c: error("internal error: chan_write_failed %d for ostate %d", c->self, c->ostate);
nchan.c: switch (c->ostate) {
nchan.c: c->ostate = CHAN_OUTPUT_CLOSED;
nchan.c: error("internal error: chan_obuf_empty %d for ostate %d", c->self, c->ostate);
nchan.c: * ACTIONS: should never update the channel states: c->istate or c->ostate
nchan.c: switch (c->ostate) {
nchan.c: error("internal error: channel %d: cannot send OCLOSE for ostate %d", c->self, c->istate);
nchan.c: c->self, c->sock, c->istate, c->ostate, strerror(errno));
nchan.c: if (c->istate == CHAN_INPUT_CLOSED && c->ostate == CHAN_OUTPUT_CLOSED) {
nchan.c:chan_init_iostates(Channel *c)
nchan.c: c->ostate = CHAN_OUTPUT_OPEN;
channels.h: int ostate; /* output to channel (state of transmit half) */
nchan.h:void chan_init_iostates(Channel * c);
========================================

OK, so the value set to ostate must be 128 before the message was printed. It turns out CHAN_OUTPUT_CLOSED is the value, 128, we are looking for.

nchan.h:#define CHAN_OUTPUT_CLOSED 0x80

Now what is the state 1 for istate?
It turns out the following states (in nchan.h) describe the status.

#define CHAN_INPUT_OPEN 0x01

So the message was printed when istate was CHAN_INPUT_OPEN and ostate was CHAN_OUTPUT_CLOSED.

cf. From nchan.h.

/* possible input states */
#define CHAN_INPUT_OPEN 0x01
#define CHAN_INPUT_WAIT_DRAIN 0x02
#define CHAN_INPUT_WAIT_OCLOSE 0x04
#define CHAN_INPUT_CLOSED 0x08
/* possible output states */
#define CHAN_OUTPUT_OPEN 0x10
#define CHAN_OUTPUT_WAIT_DRAIN 0x20
#define CHAN_OUTPUT_WAIT_IEOF 0x40
#define CHAN_OUTPUT_CLOSED 0x80

Oh, I forgot. The remote server runs the sshd from the original ssh distributions (not sure which version).

I wonder if there is a way to shut up ssh so that these warning lines won't be printed.

Thank you again for the great free package!

Happy Hacking

Chiaki Ishikawa

From dgames at isoc.net Fri Jan 21 05:58:00 2000
From: dgames at isoc.net (Dax T.Games)
Date: Thu, 20 Jan 2000 13:58:00 -0500
Subject: X11 forwarding not working with OpenSSH 1.2.1 pre27.
Message-ID: <00012014041200.11608@dtg-llt.dgames-adsl.isoc.net>

When I try to run any X11 app I get the following:

-----------------------------------------------
X11 connection rejected because of wrong authentication.
kedit: Fatal IO error: client killed
-----------------------------------------------

The DISPLAY variable maps to an IP address other than 127.0.0.1 and is listed in /etc/hosts.

I am not a member of this list so a CC: to dgames at isoc.net would be nice.

Any help would be appreciated.

Thanks

Dax Games

From drankin at bohemians.lexington.ky.us Fri Jan 21 08:41:50 2000
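An added example (standard C, not OpenSSH code) for Ishikawa's chan_shutdown_read analysis two messages up: a decoder for the `[iN oM]` fields that uses the CHAN_* values he quotes from nchan.h, plus a classifier for the state pair he found. "Transport endpoint is not connected" is strerror(ENOTCONN), which shutdown(2) returns when the socket is no longer connected; the sample log lines are constructed from the ones in his report, with one extra made-up line to exercise the other branch.

```c
/* Decode and classify chan_shutdown_read warnings. Added example, not OpenSSH code. */
#include <stdio.h>
#include <string.h>

/* Channel state values as quoted from nchan.h in the report. */
#define CHAN_INPUT_OPEN        0x01
#define CHAN_INPUT_WAIT_DRAIN  0x02
#define CHAN_INPUT_WAIT_OCLOSE 0x04
#define CHAN_INPUT_CLOSED      0x08
#define CHAN_OUTPUT_OPEN       0x10
#define CHAN_OUTPUT_WAIT_DRAIN 0x20
#define CHAN_OUTPUT_WAIT_IEOF  0x40
#define CHAN_OUTPUT_CLOSED     0x80

struct chan_warning {
    int self;          /* channel number, the #N in the message */
    int sock;          /* file descriptor, fdN */
    int istate;        /* [iN ...] */
    int ostate;        /* [... oN] */
    char reason[100];  /* strerror() text after the colon */
};

const char *chan_state_name(int state)
{
    switch (state) {
    case CHAN_INPUT_OPEN:        return "CHAN_INPUT_OPEN";
    case CHAN_INPUT_WAIT_DRAIN:  return "CHAN_INPUT_WAIT_DRAIN";
    case CHAN_INPUT_WAIT_OCLOSE: return "CHAN_INPUT_WAIT_OCLOSE";
    case CHAN_INPUT_CLOSED:      return "CHAN_INPUT_CLOSED";
    case CHAN_OUTPUT_OPEN:       return "CHAN_OUTPUT_OPEN";
    case CHAN_OUTPUT_WAIT_DRAIN: return "CHAN_OUTPUT_WAIT_DRAIN";
    case CHAN_OUTPUT_WAIT_IEOF:  return "CHAN_OUTPUT_WAIT_IEOF";
    case CHAN_OUTPUT_CLOSED:     return "CHAN_OUTPUT_CLOSED";
    default:                     return "unknown";
    }
}

/* Parse one line of the form
 *   chan_shutdown_read failed for #8/fd12 [i1 o128]: Transport endpoint is not connected
 * Returns 1 on success, 0 for any other line. */
int parse_chan_warning(const char *line, struct chan_warning *w)
{
    memset(w, 0, sizeof *w);
    return sscanf(line, "chan_shutdown_read failed for #%d/fd%d [i%d o%d]: %99[^\n]",
                  &w->self, &w->sock, &w->istate, &w->ostate, w->reason) == 5;
}

/* The combination in the report: output half already closed, input half still
 * open, and shutdown(2) answering ENOTCONN because the peer has already gone.
 * That is the benign "torn down from the other end" case. */
int is_peer_gone_after_oclose(const struct chan_warning *w)
{
    return w->istate == CHAN_INPUT_OPEN && w->ostate == CHAN_OUTPUT_CLOSED &&
           strstr(w->reason, "not connected") != NULL;
}

/* Walk a log buffer line by line. Returns the number of benign warnings and
 * stores in *other the number of chan_shutdown_read warnings with any other
 * state pair or errno text, which are the ones worth a closer look. */
int summarize_chan_warnings(const char *log, int *other)
{
    const char *p = log;
    int benign = 0;

    *other = 0;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t n = nl != NULL ? (size_t)(nl - p) : strlen(p);
        char line[256];
        struct chan_warning w;

        if (n >= sizeof line)
            n = sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        if (parse_chan_warning(line, &w)) {
            if (is_peer_gone_after_oclose(&w))
                benign++;
            else
                (*other)++;
        }
        p = nl != NULL ? nl + 1 : p + n;
    }
    return benign;
}

/* Constructed sample: two lines from the report, one unrelated debug line and
 * one made-up warning with a different state pair to exercise the other path. */
const char *sample_log =
    "chan_shutdown_read failed for #8/fd12 [i1 o128]: Transport endpoint is not connected\n"
    "chan_shutdown_read failed for #11/fd15 [i1 o128]: Transport endpoint is not connected\n"
    "debug: channel 9: shutdown_read\n"
    "chan_shutdown_read failed for #9/fd13 [i2 o16]: Connection reset by peer\n";

int main(void)
{
    struct chan_warning w;
    int other;
    int benign = summarize_chan_warnings(sample_log, &other);

    if (parse_chan_warning(sample_log, &w))   /* decode the first sample line */
        printf("channel %d fd %d: istate %s, ostate %s: %s\n", w.self, w.sock,
               chan_state_name(w.istate), chan_state_name(w.ostate), w.reason);
    printf("%d benign peer-gone warnings, %d other\n", benign, other);
    return 0;
}
```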
From: drankin at bohemians.lexington.ky.us (David Rankin)
Date: Thu, 20 Jan 2000 16:41:50 -0500
Subject: AIX openssh patches
In-Reply-To: <20000120114538.A38018@btv.ibm.com>; from Matt Richards on Thu, Jan 20, 2000 at 11:45:39AM -0500
References: <20000119123354.D23506@btv.ibm.com> <20000119133233.B113@rumpole.bohemians.lexington.ky.us> <20000119140018.E23506@btv.ibm.com> <20000119164059.A1276@rumpole.bohemians.lexington.ky.us> <20000120114538.A38018@btv.ibm.com>
Message-ID: <20000120164150.B2972@rumpole.bohemians.lexington.ky.us>

On Thu, Jan 20, 2000 at 11:45:39AM -0500, Matt Richards wrote:
> Thus spake David Rankin (drankin at bohemians.lexington.ky.us):
> > I've attached the revised patch. I don't have SOCKS4 or SOCKS5 to play
> > with, so if you can test it, that'd be good. As mentioned, AIX users get
> > WITH_AIXAUTHENTICATE without choice now.
> I'm having a little problem with the pre27 working with the patches, I
> let you know when I find out what's going on.

I think I found out. Our u_int*_t tests don't define u_int8_t. Could someone a bit more familiar with how that code works hack out a patch for this?

Thanks,
David
-- 
David W. Rankin, Jr. Husband, Father, and UNIX Sysadmin.
Email: drankin at bohemians.lexington.ky.us Address/Phone Number: Ask me.
"It is no great thing to be humble when you are brought low; but to be humble when you are praised is a great and rare accomplishment." St. Bernard

From Fenlason at clearway.com Fri Jan 21 10:15:29 2000
From: Fenlason at clearway.com (Jay Fenlason)
Date: Thu, 20 Jan 2000 18:15:29 -0500
Subject: Patch to make openssh-1.2.1pre27 compile on a sparc solaris7 system
Message-ID: <611C0CE12596D311B466009027D5E7590EDE6D@host100.56jfk.com>

Hack: diff -c defines.h.orig defines.h
*** defines.h.orig Thu Jan 20 18:07:40 2000 --- defines.h Thu Jan 20 18:08:05 2000 *************** *** 78,83 **** --- 78,84 ---- /* If sys/types.h does not supply u_intXX_t, supply them ourselves */ #ifndef HAVE_U_INTXX_T # ifdef HAVE_UINTXX_T + typedef uint8_t u_int8_t; typedef uint16_t u_int16_t; typedef uint32_t u_int32_t; typedef uint64_t u_int64_t;
Hack: uname -a
SunOS sol 5.7 Generic_106541-08 sun4u sparc SUNW,Ultra-250

-- JF

From andre.lucas at dial.pipex.com Fri Jan 21 10:42:37 2000
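Review bot: the `+ typedef uint8_t u_int8_t;` line in the `*** 78,83 ****` hunk fixes only the `# ifdef HAVE_UINTXX_T` branch; David Rankin's report earlier in this thread is that the u_int*_t configure tests never define u_int8_t at all, so a build that lands in the other branch of `#ifndef HAVE_U_INTXX_T` still has no u_int8_t. Add the matching fallback typedef there as well, and keep the configure test and this header in step so the same system cannot pass the test yet miss the type.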
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Thu, 20 Jan 2000 23:42:37 +0000
Subject: Patch to make openssh-1.2.1pre27 compile on a sparc solaris7 system
In-Reply-To: <611C0CE12596D311B466009027D5E7590EDE6D@host100.56jfk.com>; from Fenlason@clearway.com on Thu, Jan 20, 2000 at 06:15:29PM -0500
References: <611C0CE12596D311B466009027D5E7590EDE6D@host100.56jfk.com>
Message-ID: <20000120234237.B1082@internal.domain>

I posted a patch very similar to this a few days ago, as HPUX has the same problem. It makes more sense to do it your way though, and use uint8_t, than my patch which used unsigned char which isn't guaranteed to be 8 bits at all.

-Andre

On Thu, Jan 20, 2000 at 06:15:29PM -0500, Jay Fenlason wrote:
> Hack: diff -c defines.h.orig defines.h
> *** defines.h.orig Thu Jan 20 18:07:40 2000 > --- defines.h Thu Jan 20 18:08:05 2000 > *************** > *** 78,83 **** > --- 78,84 ---- > /* If sys/types.h does not supply u_intXX_t, supply them ourselves */ > #ifndef HAVE_U_INTXX_T > # ifdef HAVE_UINTXX_T > + typedef uint8_t u_int8_t; > typedef uint16_t u_int16_t; > typedef uint32_t u_int32_t; > typedef uint64_t u_int64_t;
> Hack: uname -a
> SunOS sol 5.7 Generic_106541-08 sun4u sparc SUNW,Ultra-250
>
> -- JF
>
-- 
Andre Lucas http://dspace.dial.pipex.com/andre.lucas/

From js1 at js1.org Fri Jan 21 16:22:48 2000
From: js1 at js1.org (Jiann-Ming Su)
Date: Fri, 21 Jan 2000 00:22:48 -0500 (EST)
Subject: RSA question
Message-ID:

This may be a FAQ, but wouldn't SSH be more secure if the user can only log in if the server has the client's ssh_host_key.pub in its ssh_known_hosts file AND the user has his identity.pub from his client computer in the authorized_keys on the server? This would require two keys to be able to log in. I thought this was how ssh would work with the following sshd_config file:

--- BEGIN FILE ---
Port 22
ListenAddress 0.0.0.0
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes
CheckMail no
UseLogin no
SyslogFacility AUTH
LogLevel INFO
RhostsRSAAuthentication yes
IgnoreRhosts yes
RhostsAuthentication no
IgnoreUserKnownHosts yes
RSAAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
---- END FILE ---

But, it turns out, that as long as authorized_keys on my server has the identity.pub file from my client computer, I'm allowed in regardless if the public key of the client is in the ssh_known_hosts on the server. It seems like requiring two keys would be preferable, but if I've misconfigured something, please let me know.

Thanks for any help.

Jiann-Ming Su
js1 at js1.org

From markus.friedl at informatik.uni-erlangen.de Fri Jan 21 21:11:57 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 21 Jan 2000 11:11:57 +0100
Subject: RSA question
In-Reply-To: ; from js1@js1.org on Fri, Jan 21, 2000 at 12:22:48AM -0500
References:
Message-ID: <20000121111157.A23092@folly.informatik.uni-erlangen.de>

On Fri, Jan 21, 2000 at 12:22:48AM -0500, Jiann-Ming Su wrote:
> This may be a FAQ, but wouldn't SSH be more secure if the user can only
> log in if the server has the client's ssh_host_key.pub in its
> ssh_known_hosts file AND the user has his identity.pub from his
> client computer in the authorized_keys on the server? This
> would require two keys to be able to log in. I thought this

no, this is not possible with SSH, it's not defined in the protocol, you cannot do both.

-markus

From v2matt at btv.ibm.com Sat Jan 22 00:55:16 2000
From: v2matt at btv.ibm.com (Matt Richards)
Date: Fri, 21 Jan 2000 08:55:16 -0500
Subject: AIX openssh patches
In-Reply-To: <20000120164150.B2972@rumpole.bohemians.lexington.ky.us>; from drankin@bohemians.lexington.ky.us on Thu, Jan 20, 2000 at 04:41:50PM -0500
References: <20000119123354.D23506@btv.ibm.com> <20000119133233.B113@rumpole.bohemians.lexington.ky.us> <20000119140018.E23506@btv.ibm.com> <20000119164059.A1276@rumpole.bohemians.lexington.ky.us> <20000120114538.A38018@btv.ibm.com> <20000120164150.B2972@rumpole.bohemians.lexington.ky.us>
Message-ID: <20000121085515.D38018@btv.ibm.com>

Thus spake David Rankin (drankin at bohemians.lexington.ky.us):
> I think I found out. Our u_int*_t tests don't define u_int8_t. Could
> someone a bit more familiar with how that code works hack out a patch for
> this?

Actually, it's the getaddrinfo in add_listen_addr in servconf.c. I get

fatal: bad addr or host: (Host not found)

or

fatal: bad addr or host: 0.0.0.0 (Host not found)

when I specify ListenAddress 0.0.0.0 in sshd_config. getaddrinfo is returning EAI_NODATA (no address associated with hostname).

-- 
Matt Richards

From js1 at js1.org Sat Jan 22 02:17:12 2000
From: js1 at js1.org (Jiann-Ming Su)
Date: Fri, 21 Jan 2000 10:17:12 -0500 (EST)
Subject: RSA question
In-Reply-To: <20000121111157.A23092@folly.informatik.uni-erlangen.de>
Message-ID:

On Fri, 21 Jan 2000, Markus Friedl wrote:
> On Fri, Jan 21, 2000 at 12:22:48AM -0500, Jiann-Ming Su wrote:
> > This may be a FAQ, but wouldn't SSH be more secure if the user can only
> > log in if the server has the client's ssh_host_key.pub in its
> > ssh_known_hosts file AND the user has his identity.pub from his
> > client computer in the authorized_keys on the server? This
> > would require two keys to be able to log in. I thought this
>
> no, this is not possible with SSH, it's not defined in the protocol,
> you cannot do both. -markus
>

Ok, then I ask, would it not be desirable to be able to do both?

Jiann-Ming Su
js1 at js1.org

From v2matt at btv.ibm.com Sat Jan 22 07:19:16 2000
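To make the point of this exchange concrete, here is an added example (my code, not OpenSSH's and not from either poster): it walks the authentication-related lines of the sshd_config posted in the question and lists every method set to "yes" as a separate way in, since, as Markus says, the protocol offers these as alternatives rather than as factors that are combined. The keyword list, the helper names and the trimmed sample config (with a comment line added to exercise the comment path) are my own assumptions.

```c
/* Added example (not OpenSSH code): enumerate the authentication methods an
 * SSH-1 era sshd_config turns on. Each keyword below enables an independent
 * path into the host, so an audit should count every "yes" as one more door,
 * not as a second lock. */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

/* authentication-related lines from the sshd_config posted above; the
 * comment line is constructed to exercise comment handling */
const char SAMPLE_SSHD_CONFIG[] =
    "# constructed comment line\n"
    "PermitRootLogin yes\n"
    "RhostsRSAAuthentication yes\n"
    "IgnoreRhosts yes\n"
    "RhostsAuthentication no\n"
    "IgnoreUserKnownHosts yes\n"
    "RSAAuthentication yes\n"
    "PasswordAuthentication no\n"
    "PermitEmptyPasswords no\n";

/* keywords that each enable an independent authentication path (assumed list) */
static const char *const auth_keywords[] = {
    "RhostsAuthentication",
    "RhostsRSAAuthentication",
    "RSAAuthentication",
    "PasswordAuthentication",
};
#define N_AUTH (sizeof auth_keywords / sizeof auth_keywords[0])

/* Walk the config line by line; store the keyword of every auth method set
 * to "yes" into enabled[] (up to max entries) and return how many were found.
 * Keywords and values are compared case-insensitively, as sshd's own parser
 * does for keywords; lines starting with '#' are comments. */
static int scan_auth_methods(const char *config, const char *enabled[], size_t max)
{
    size_t n = 0;
    const char *p = config;

    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t full = eol ? (size_t)(eol - p) : strlen(p);
        size_t len = full < sizeof(char[256]) ? full : sizeof(char[256]) - 1;
        char line[256];
        char *kw, *val, *end;

        memcpy(line, p, len);
        line[len] = '\0';
        p += full + (eol ? 1 : 0);

        kw = line;
        while (isspace((unsigned char)*kw))
            kw++;
        if (*kw == '#' || *kw == '\0')
            continue;                       /* comment or blank line */
        val = kw;
        while (*val != '\0' && !isspace((unsigned char)*val))
            val++;
        if (*val != '\0')
            *val++ = '\0';                  /* terminate the keyword */
        while (isspace((unsigned char)*val))
            val++;
        end = val + strlen(val);
        while (end > val && isspace((unsigned char)end[-1]))
            *--end = '\0';                  /* trim trailing whitespace */

        for (size_t i = 0; i < N_AUTH; i++) {
            if (n < max && strcasecmp(kw, auth_keywords[i]) == 0 &&
                strcasecmp(val, "yes") == 0)
                enabled[n++] = auth_keywords[i];
        }
    }
    return (int)n;
}

int count_enabled_auth_methods(const char *config)
{
    const char *enabled[N_AUTH];
    return scan_auth_methods(config, enabled, N_AUTH);
}

/* Name of the idx-th enabled method in file order, or NULL when out of range. */
const char *enabled_auth_method(const char *config, int idx)
{
    const char *enabled[N_AUTH];
    int n = scan_auth_methods(config, enabled, N_AUTH);
    return (idx >= 0 && idx < n) ? enabled[idx] : NULL;
}

int main(void)
{
    int n = count_enabled_auth_methods(SAMPLE_SSHD_CONFIG);
    printf("%d independent authentication method(s) enabled:\n", n);
    for (int i = 0; i < n; i++)
        printf("  %s\n", enabled_auth_method(SAMPLE_SSHD_CONFIG, i));
    return 0;
}
```

On the posted file this reports two methods, RhostsRSAAuthentication and RSAAuthentication: a client can get in through either one, which is exactly why adding the host key to ssh_known_hosts did not make the user key a second requirement.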
From: v2matt at btv.ibm.com (Matt Richards)
Date: Fri, 21 Jan 2000 15:19:16 -0500
Subject: AIX openssh patches
In-Reply-To: <20000120164150.B2972@rumpole.bohemians.lexington.ky.us>; from drankin@bohemians.lexington.ky.us on Thu, Jan 20, 2000 at 04:41:50PM -0500
References: <20000119123354.D23506@btv.ibm.com> <20000119133233.B113@rumpole.bohemians.lexington.ky.us> <20000119140018.E23506@btv.ibm.com> <20000119164059.A1276@rumpole.bohemians.lexington.ky.us> <20000120114538.A38018@btv.ibm.com> <20000120164150.B2972@rumpole.bohemians.lexington.ky.us>
Message-ID: <20000121151916.E38018@btv.ibm.com>

Thus spake David Rankin (drankin at bohemians.lexington.ky.us):
> I think I found out. Our u_int*_t tests don't define u_int8_t. Could
> someone a bit more familiar with how that code works hack out a patch for
> this?

I found out the problem with AIX 4.3 and the patches. AIX4.3 has a bug in getaddrinfo. The problem is known, but a patch has not been released yet. So for now, I just commented out

#define HAVE_GETADDRINFO 1

in config.h (after the configure). I did have to modify ssh.h a little to get the SOCKS4 and SOCKS5 stuff working correctly. The patch is included. Other than that, ssh worked like a champ for AIX4.3. I did have that u_int*t problem for AIX4.2, but Andre Lucas' patch fixed that.
*** ssh.h.DIST Fri Jan 21 14:50:45 2000 --- ssh.h Fri Jan 21 14:45:32 2000 *************** *** 761,771 **** #define bind Rbind #define bindresvport Rbindresvport #define connect Rconnect - #define gethostbyname Rgethostbyname #define gethostbyname2 Rgethostbyname2 - #define getpeername Rgetpeername #define getsockname Rgetsockname - #define read Rread #define readv Rreadv #define recv Rrecv #define recvmsg Rrecvmsg --- 761,768 ---- *************** *** 774,781 **** #define send Rsend #define sendmsg Rsendmsg #define sendto Rsendto - #define write Rwrite #define writev Rwritev int Raccept (int, struct sockaddr *, socklen_t *); int Rbind (int, const struct sockaddr *, socklen_t); int Rbindresvport(int , struct sockaddr_in *); --- 771,785 ---- #define send Rsend #define sendmsg Rsendmsg #define sendto Rsendto #define writev Rwritev + + #ifndef HAVE_SOCKS4 + #define gethostbyname Rgethostbyname + #define getpeername Rgetpeername + #define write Rwrite + #define read Rread + #endif + int Raccept (int, struct sockaddr *, socklen_t *); int Rbind (int, const struct sockaddr *, socklen_t); int Rbindresvport(int , struct sockaddr_in *); *************** *** 802,815 **** * The following defines map the normal socket operations to SOCKSified * versions coming from the Dante SOCKS package. */ - #define accept SOCKSaccept #define bind SOCKSbind #define bindresvport SOCKSbindresvport #define connect SOCKSconnect #define gethostbyname SOCKSgethostbyname #define gethostbyname2 SOCKSgethostbyname2 - #define getpeername SOCKSgetpeername - #define getsockname SOCKSgetsockname #define read SOCKSread #define readv SOCKSreadv #define recv SOCKSrecv --- 806,816 ----

-- 
Matt Richards

From andy at guildsoftware.com Sun Jan 23 03:58:39 2000
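Review bot: the `*** 774,781 ****` hunk wraps the gethostbyname, getpeername, write and read redefinitions in `#ifndef HAVE_SOCKS4` with no comment saying why a SOCKS4 build has to skip exactly these four R* mappings, and the cover message only says ssh.h was modified "a little"; with HAVE_SOCKS4 defined those four calls now resolve to the plain libc functions on this path, which is a behaviour change rather than a pure compile fix, so a comment naming the conflicting declaration (and confirming that the SOCKS4 library supplies its own wrappers for them) belongs next to the guard.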
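Review bot: the `*** 802,815 ****` hunk drops the `SOCKSaccept`, `SOCKSgetpeername` and `SOCKSgetsockname` mappings from the Dante section without replacing them, while the comment just above that block still says it maps the normal socket operations to the SOCKSified versions; either update the comment to say these three are deliberately left unwrapped and why (for instance that the Dante release in use does not export them), or make the removal conditional on that Dante version so other Dante users do not silently lose the wrappers.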
From: andy at guildsoftware.com (Andy Sloane)
Date: Sat, 22 Jan 2000 10:58:39 -0600
Subject: Solaris 2.5.1 patch
Message-ID: <20000122105839.C572@guild.guildsoftware.com>

Aside from the u_int_8 thing, Solaris 2.5.1 has some other problems. For some reason even the newest gcc's preprocessor can't grok

#define blah (x,y) (stuff using x and y)

as opposed to

#define blah(x,y) (stuff using x and y).

Also, getsockname() expects its "tolen" parameter to be initialized for some reason.

This patch seems to fix any problems with 2.5.1. It includes my own version of the uint8 hack.

-Andy.

-------------- next part --------------
diff -ur old/openssh-1.2.1pre27/bsd-snprintf.c openssh-1.2.1pre27/bsd-snprintf.c --- old/openssh-1.2.1pre27/bsd-snprintf.c Mon Dec 27 17:19:16 1999 +++ openssh-1.2.1pre27/bsd-snprintf.c Sat Jan 22 10:39:45 2000 @@ -44,7 +44,7 @@ #include #ifndef roundup -#define roundup (x, y) ((((x)+((y)-1))/(y))*(y)) +#define roundup(x,y) ((((x)+((y)-1))/(y))*(y)) #endif static int pgsize; diff -ur old/openssh-1.2.1pre27/defines.h openssh-1.2.1pre27/defines.h --- old/openssh-1.2.1pre27/defines.h Sun Jan 16 16:59:41 2000 +++ openssh-1.2.1pre27/defines.h Sat Jan 22 10:17:02 2000 @@ -83,6 +83,7 @@ typedef uint64_t u_int64_t; # define HAVE_U_INTXX_T 1 # else +typedef unsigned char u_int8_t; # if (SIZEOF_SHORT_INT == 2) typedef unsigned short int u_int16_t; # else diff -ur old/openssh-1.2.1pre27/packet.c openssh-1.2.1pre27/packet.c --- old/openssh-1.2.1pre27/packet.c Thu Jan 13 22:45:50 2000 +++ openssh-1.2.1pre27/packet.c Sat Jan 22 10:32:14 2000 @@ -138,6 +138,8 @@ struct sockaddr_storage to; socklen_t tolen; + tolen = sizeof(to); + memset(&to, 0, sizeof(to)); if (getsockname(connection_out, (struct sockaddr *)&to, &tolen) < 0) return 0;

From andre.lucas at dial.pipex.com Sun Jan 23 11:18:23 2000
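Review bot: in the defines.h hunk, `+typedef unsigned char u_int8_t;` goes into the `# else` branch unguarded, whereas the neighbouring `u_int16_t` fallback is wrapped in `# if (SIZEOF_SHORT_INT == 2)`; Andre Lucas' remark in this thread that unsigned char is not guaranteed to be 8 bits applies here, so guard it the same way (a configure-provided size check, or `CHAR_BIT == 8` from <limits.h>) so an unusual target fails at configure time instead of producing silently wider packet fields.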
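Review bot: the packet.c hunk cures the uninitialised `tolen` by assigning it after the declarations; initialising at the declaration (`socklen_t tolen = sizeof(to);`) is safer, since no later edit can then reach `getsockname()` with an indeterminate length again. The added `memset(&to, 0, sizeof(to));` is harmless and keeps the unwritten tail of the `sockaddr_storage` defined, but deserves a one-line comment saying so, as a reader will otherwise wonder which of the two lines was the actual fix.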
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Sun, 23 Jan 2000 00:18:23 +0000
Subject: login.c: #ifdef wrong?
Message-ID: <20000123001823.A686@internal.domain>

In login.c, I think the #ifdef in line 67 should be an #ifndef. Otherwise, the wrong lastlog mode is selected. Oops. I also changed the char array name (for the dirmode filename) to lbuf, as buf shadows the function parameter of the same name.

Patch follows.

Ta,
-Andre

--- openssh-1.2.1pre27/login.c Fri Jan 14 04:45:50 2000 +++ openssh-1.2.1pre27.ll/login.c Sun Jan 23 00:09:19 2000 @@ -58,20 +58,20 @@ char *lastlog; int fd; #ifdef LASTLOG_IS_DIR - char buf[1024]; + char lbuf[1024]; #endif /* LASTLOG_IS_DIR */ lastlog = _PATH_LASTLOG; buf[0] = '\0'; -#ifdef LASTLOG_IS_DIR +#ifndef LASTLOG_IS_DIR fd = open(lastlog, O_RDONLY); if (fd < 0) return 0; lseek(fd, (off_t) ((long) uid * sizeof(ll)), SEEK_SET); #else /* LASTLOG_IS_DIR */ - snprintf(buf, sizeof(buf), "%s/%s", lastlog, logname); - fd = open(buf, O_RDONLY); + snprintf(lbuf, sizeof(buf), "%s/%s", lastlog, logname); + fd = open(lbuf, O_RDONLY); if (fd < 0) return 0; #endif /* LASTLOG_IS_DIR */

-- 
Andre Lucas http://dspace.dial.pipex.com/andre.lucas/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000123/a71291c7/attachment.bin

From mouring at pconline.com Mon Jan 24 13:52:26 2000
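Review bot: in the `#else /* LASTLOG_IS_DIR */` branch of the `@@ -58,20 +58,20 @@` hunk, `snprintf(lbuf, sizeof(buf), ...)` now measures the wrong object: after the rename, `buf` is the function parameter, which is a pointer (an array parameter decays to one), so `sizeof(buf)` is the pointer size rather than 1024 and the lastlog path is truncated to a few bytes; it should read `snprintf(lbuf, sizeof(lbuf), "%s/%s", lastlog, logname);`. The unchanged `buf[0] = '\0';` above the `#ifndef` also changes meaning with this patch: before, it cleared the local array whenever LASTLOG_IS_DIR was defined, now it always clears the caller's buffer, which is probably the intent (the directory branch never wrote the parameter before), but it is worth a comment so the next reader does not flag it as a regression.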
From: mouring at pconline.com (Ben Lindstrom)
Date: Sun, 23 Jan 2000 20:52:26 -0600 (CST)
Subject: OpenSSH on OpenStep 4.2 -- Mostly working!!! =)
Message-ID:

I have an initial port of the SSH client. Only one known issue with it. sigaddset(), sigempty(), and sigprocmask() don't exist on NeXT without using libposix which I'm now avoiding (thanks, Garance A Drosehn) like the plague because it conflicts too much. Only thing this affects is the readpass.c file at this point. Which means if you ctrl-C out of the password prompt you mess up your current tty.

I have simple [v]snprint() that work like a charm, along with a putenv() (since NeXT lacks even a setenv()) thanks to Garance. Plus a full set of replacements for tc[get|set]attr functions since NeXT lacks them also (thanks to comp.sys.next.programmer).

But I can ssh into a sshd (commercial version) 1.2.x server and it works like a charm.

Hopefully I can clean up what I'm doing and put in checks into the Configure software and get a patch out soon so one can at least have a client for NeXT.

From sb at dcs.qmw.ac.uk Wed Jan 26 05:18:55 2000
From: sb at dcs.qmw.ac.uk (Sergio Brandano)
Date: Tue, 25 Jan 2000 18:18:55 +0000
Subject: Can't open display error
Message-ID: <200001251818.SAA24009@copper.dcs.qmw.ac.uk>

Hi,

I get this message on the latest Debian potato for i386.

--> ssh -f localhost xterm
sb at localhost's password:
--> xterm Xt error: Can't open display:

There does not seem to be any doc on the topic. Also, all my xterm proc do not appear under sshd in pstree, so I guess there is something wrong there too?

Sergio

P.S. I am not subscribed to the list, so please copy the reply to me.

From celinn at mtu.edu Wed Jan 26 10:16:44 2000
From: celinn at mtu.edu (Christopher Linn)
Date: Tue, 25 Jan 2000 18:16:44 -0500
Subject: Origin of directory /usr/slocal?
Message-ID: <20000125181643.A9107@mtu.edu>

I could not help but notice (at least in the solaris7/x86 port) the existence of /usr/slocal; what is the origin/purpose of this dir, and what conditions/restrictions on what goes in there?

thanks
chris

-- 
Christopher Linn
Staff System Administrator
Center for Experimental Computation
Michigan Technological University
All opinions are my own, and do not represent the opinions of my employer.
==============================================================================
"...and then i read the directions, where it said ``don't do that''." -- JRH

From marc.fournier at acadiau.ca Thu Jan 27 00:13:03 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Wed, 26 Jan 2000 09:13:03 -0400 (AST)
Subject: Origin of directory /usr/slocal?
In-Reply-To: <20000125181643.A9107@mtu.edu>
Message-ID:

On Tue, 25 Jan 2000, Christopher Linn wrote:
> I could not help but notice (at least in the solaris7/x86 port) the existence
> of /usr/slocal; what is the origin/purpose of this dir, and what conditions/
> restrictions on what goes in there?

This would have to be my f
ault ... where are you seeing this though?

When I first started working here, my predecessors had one helluva mess as far as /usr/local was concerned ... to clean it up, we adopted a /usr/slocal directory to put everything installed locally that was/is common across all our servers (using rdist to sync things up), while /usr/local is server dependent stuff ...

Curious as to where that creeped into one of my patches though :(

Sorry about that ...

Marc G. Fournier marc.fournier at acadiau.ca
Senior Systems Administrator Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From sb at dcs.qmw.ac.uk Thu Jan 27 04:37:17 2000
From: sb at dcs.qmw.ac.uk (Sergio Brandano)
Date: Wed, 26 Jan 2000 17:37:17 +0000
Subject: Open display error
Message-ID: <200001261737.RAA20499@copper.dcs.qmw.ac.uk>

Hi,

I get this message on the latest Debian potato for i386.

--> ssh -f localhost xterm
sb at localhost's password:
--> xterm Xt error: Can't open display:

That happens also when connecting to another linux box:

--> ssh -f box2 /usr/X11R6/bin/xterm
--> /usr/X11R6/bin/xterm Xt error: Can't open display:

The $DISPLAY is
:0.0 for box1
undefined for box2 after plain ssh connection

If I manually set DISPLAY in box2 to box1:0.0 then I can open all the windows I like, provided I ``xhost +'' box1. There are two problems with this:

1. box2 should set the DISPLAY by itself (how?)
2. I do not want to ``xhost +'' box1, as my email client (exmh) will otherwise stop working.

Also, all my xterm proc do not appear under sshd in pstree.

How do I fix this?

Thank you.

Sergio

From sb at dcs.qmw.ac.uk Thu Jan 27 04:52:00 2000
From: sb at dcs.qmw.ac.uk (Sergio Brandano)
Date: Wed, 26 Jan 2000 17:52:00 +0000
Subject: Open display error
In-Reply-To: Message from Sergio Brandano of "Wed, 26 Jan 2000 17:37:17 GMT." <200001261737.RAA20499@copper.dcs.qmw.ac.uk>
References: <200001261737.RAA20499@copper.dcs.qmw.ac.uk>
Message-ID: <200001261752.RAA21125@copper.dcs.qmw.ac.uk>

... I can connect with the following command:

> ssh -f box2 'setenv DISPLAY box1:0.0 ; /usr/X11R6/bin/xterm'

provided I trigger "xhost + box2" in box1. This makes the thing automatic, but I still have the problems I mentioned in the previous message (and exmh still does not work with that xhost setting).

Sergio

From celinn at mtu.edu Thu Jan 27 05:22:15 2000
From: celinn at mtu.edu (Christopher Linn)
Date: Wed, 26 Jan 2000 13:22:15 -0500
Subject: Origin of directory /usr/slocal?
In-Reply-To: ; from Marc G. Fournier on Wed, Jan 26, 2000 at 09:13:03AM -0400
References: <20000125181643.A9107@mtu.edu>
Message-ID: <20000126132215.A9480@mtu.edu>

marc,

On Wed, Jan 26, 2000 at 09:13:03AM -0400, Marc G. Fournier wrote:
[...]
> Curious as to where that creeped into one of my patches though :(
>

WHOA! no, it did NOT creep into any patches! sorry about that!

i grepped my mail (for "slocal") and found:

# refs Subject: line
------ ------------------------------------------
1 Subject: Re: ANNOUNCE: openssh-1.2.1pre18
1 Subject: more problems with solaris 7?
7 Subject: quad_t: incompatible types in config.log:
1 Subject: Re: ANNOUNCE: openssh-1.2.1pre24
3 Subject: Re: Ack...OpenSSH no longer compatible with SSH 1.2.26 clients?
1 Subject: LD_LIBRARY_PATH under Solaris issues

... ALL these were references to compiler outputs of various sorts. (i hope i didn't miss anything...)

i had just wondered if there were some cousin of /usr/local that had been adopted by someone somewhere. we have an NFS mounted /usr/local here, and of course we mount it "nosuid" and also do not have it in root's PATH. we have another /some/arbitrary/site/path on each local disk for the very few programs which we need in root's PATH, and this is what i thought /usr/slocal ("secure/sysadm" local?) might have been.

> Sorry about that ...

no problem! thanks for responding! ;*)

chris

-- 
Christopher Linn
Staff System Administrator
Center for Experimental Computation
Michigan Technological University
All opinions are my own, and do not represent the opinions of my employer.
==============================================================================
"...and then i read the directions, where it said ``don't do that''." -- JRH

From jmknoble at pobox.com Thu Jan 27 07:31:06 2000
From: jmknoble at pobox.com (Jim Knoble)
Date: Wed, 26 Jan 2000 15:31:06 -0500
Subject: Open display error
In-Reply-To: <200001261737.RAA20499@copper.dcs.qmw.ac.uk>; from Sergio Brandano on Wed, Jan 26, 2000 at 05:37:17PM +0000
References: <200001261737.RAA20499@copper.dcs.qmw.ac.uk>
Message-ID: <20000126153106.A53@ntrnet.net>

Do you have X11Forwarding turned on in both /etc/sshd_config and ~/.ssh/config? Try running both ssh and sshd in debug mode and see if the output doesn't tell you something.

-- 
jim knoble
jmknoble at pobox.com

On 2000-Jan-26 at 17:37:17 +0000, Sergio Brandano wrote:
: I get this message on the latest Debian potato for i386.
:
: --> ssh -f localhost xterm
: sb at localhost's password:
: --> xterm Xt error: Can't open display:
:
: That happens also when connecting to another linux box:
:
: --> ssh -f box2 /usr/X11R6/bin/xterm
: --> /usr/X11R6/bin/xterm Xt error: Can't open display:
:
: The $DISPLAY is
: :0.0 for box1
: undefined for box2 after plain ssh connection
:
: If I manually set DISPLAY in box2 to box1:0.0 then I can open
: all the windows I like, provided I ``xhost +'' box1. There are two
: problems with this:
:
: 1. box2 should set the DISPLAY by itself (how?)
: 2. I do not want to ``xhost +'' box1, as my email client (exmh) will
: otherwise stop working.

From djm at mindrot.org Thu Jan 27 16:12:59 2000
From: djm at mindrot.org (Damien Miller)
Date: Thu, 27 Jan 2000 16:12:59 +1100 (EST)
Subject: ANNOUNCE: openssh-1.2.2
Message-ID:

It gives me no little pleasure to announce the first stable release of the Unix port of OpenSSH. It is available in tar.gz and RPM format from one of the mirrors listed at:

http://violet.ibs.com.au/openssh/files/MIRRORS.html

This release fixes all known issues and is known to compile and function on (at least) recent releases on Linux, Solaris, HPUX and SCO Unixware. Please review the ChangeLog[1] for details on what has changed since the last release.

I am holding off on a wider announcement until the mirrors have updated.

Thanks to everyone who assisted with testing, bug reports, success stories and most of all, patches :) Special thanks to the OpenBSD developers for giving us OpenSSH to begin with.

Regards,
Damien Miller

[1] http://violet.ibs.com.au/openssh/files/ChangeLog

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From jmknoble at pobox.com Thu Jan 27 17:20:56 2000
From: jmknoble at pobox.com (Jim Knoble)
Date: Thu, 27 Jan 2000 01:20:56 -0500
Subject: Release party on IRC (was: Re: ANNOUNCE: openssh-1.2.2)
In-Reply-To: ; from Damien Miller on Thu, Jan 27, 2000 at 04:12:59PM +1100
References:
Message-ID: <20000127012056.E21917@quipu.earth>

On 2000-Jan-27 at 16:12:59 +1100, Damien Miller wrote:
: It gives me no little pleasure to announce the first stable release
: of the Unix port of OpenSSH.

Let's celebrate! Unfortunately, Damien's informed me that he has to work for several hours yet. :( Regardless, all contributors, testers, patchers, etc. are welcome to a gathering on IRC:

IRC server: irc.cabi.net
channel: #openssh
channel key: release

I'll be there for several hours, so join when you feel like it.

-- 
jim knoble
jmknoble at pobox.com

From mouring at pconline.com Thu Jan 27 19:55:22 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Thu, 27 Jan 2000 02:55:22 -0600 (CST)
Subject: Long awaited round 1 of NeXT patches.
Message-ID:

This is about 90% of the core work. I omitted a few files from the patch set since they are basically small blocks of #ifndef HAVE_NEXT/#endif to get it to compile.

Damien, feel free to let me know what you applied and what you're rejecting and why.. so I can work on cleaning things up.

Andre,

Only thing of note you may want to look into is NeXT does not use "ut_user" in its lastlog. It uses "ut_name" and it does not have a "ut_type" (It's part of the above patch in the login.c part).

BTW, this patch is against 1.2.2 (since it was released before I was able to release my patch. =)

Known issues with my port (and my internal tree):

1) lack of utmp entries. I think I know what is wrong.
2) lack of signal capturing in readpass.c (I omitted this from the patch) due to lack of sigaddset, sigemptyset, and sigprocmask functions outside of using libposix.
3) lots of warnings. Most are ignorable.
4) Current patch *IS NOT* complete enough to support out of box next compiling. But it works against 1.2.2x ssh both client/server and works with itself. So it's progress.

-------------- next part --------------
diff -ruN openssh-1.2.2/bsd-login.c ossh-1.2.2n/bsd-login.c --- openssh-1.2.2/bsd-login.c Sat Dec 25 17:21:48 1999 +++ ossh-1.2.2n/bsd-login.c Thu Jan 27 00:42:24 2000 @@ -48,9 +48,7 @@ #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) # include #endif -#ifdef HAVE_UTMP_H -# include -#endif + #include #include diff -ruN openssh-1.2.2/bsd-login.h ossh-1.2.2n/bsd-login.h --- openssh-1.2.2/bsd-login.h Fri Dec 24 17:11:29 1999 +++ ossh-1.2.2n/bsd-login.h Thu Jan 27 00:42:24 2000
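Review bot: the bsd-login.c `@@ -48,9 +48,7 @@` hunk deletes the `#ifdef HAVE_UTMP_H` conditional include for every platform, not just NeXT, and nothing in this hunk (nor in the bsd-login.h hunk that follows, which likewise only removes an include) supplies that header from somewhere else; if the intent is that includes.h now provides it, say so in a comment at the deletion point, otherwise guard the removal with `HAVE_NEXT` so the other platforms keep their utmp declarations.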
@@ -4,8 +4,6 @@ # include "config.h" # ifndef HAVE_LOGIN -# include - # if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) # include diff -ruN openssh-1.2.2/bsd-misc.c ossh-1.2.2n/bsd-misc.c --- openssh-1.2.2/bsd-misc.c Sat Jan 22 17:32:03 2000 +++ ossh-1.2.2n/bsd-misc.c Thu Jan 27 00:42:24 2000 
@@ -239,3 +239,89 @@ return(setreuid(-1,euid)); } #endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */ + +/* putenv: + * implementation of putenv, from the comp.sys.next.programmers + * FAQ list and misc-source repository. I believe it comes + * from Thomas Funke . Includes + * some mods from Garance Drosehn . + */ +#if !defined(HAVE_SETENV) && !defined(HAVE_PUTENV) +int putenv(char *s) +{ + int nlen; + char *cptr; + char **nenv, **eptr; + extern char **environ; + + /* first see if there is any environment setup. If not, + * create it with this single variable in it. + */ + if (environ == NULL) { + nenv = (char **) malloc(2 * sizeof(char *)); + if (nenv == NULL) + return -1; + environ = nenv; + *nenv = s; + nenv[1] = NULL; + return 0; + } + + /* If there is an environ setup, see if there is an existing + * 'name=value' with the same name as s. + */ + for (cptr = s; *cptr != '=' && *cptr != '\0'; cptr++) + ; + if (*cptr == '=' && cptr > s) { + nlen = cptr - s + 1; + for (eptr = environ; *eptr != NULL; eptr++) { + if (strncmp(*eptr, s, nlen) == 0) { + *eptr = s; + return 0; + } + } + } + + /* New name, so must change environ. + */ + for (eptr = environ; *eptr != NULL; eptr++) + ; + nenv = (char **) malloc((eptr - environ + 2) * sizeof(char *)); + if (nenv == NULL) + return -1; + eptr = environ; + environ = nenv; + while ((*nenv = *eptr) != NULL) + nenv++, eptr++; + *nenv = s; + nenv[1] = NULL; + return 0; +} /* end putenv() */ +#endif /* !defined(HAVE_SETENV) && !defined(HAVE_PUTENV) */ + +#ifdef NEED_WAITPID +int +waitpid(pid, stat_loc, options) + int pid; + int *stat_loc; + int options; +{ + if (pid <= 0) + { + if (pid != -1) + { + errno = EINVAL; + return -1; + } + pid = 0; /* wait4() expects pid=0 for indiscriminate wait. 
*/ + } + return wait4(pid, (union wait *)stat_loc, options, NULL); +} +#endif /* NEED_WAITPID */ + +#ifdef NEED_SETSID +pid_t setsid(void) +{ + return setpgrp(0, getpid()); +} +#endif /* !NEED_SETSID */ diff -ruN openssh-1.2.2/bsd-misc.h ossh-1.2.2n/bsd-misc.h --- openssh-1.2.2/bsd-misc.h Thu Jan 6 03:28:41 2000 +++ ossh-1.2.2n/bsd-misc.h Thu Jan 27 00:42:24 2000 @@ -65,4 +65,16 @@ int seteuid(uid_t euid); #endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */ +#if !defined(HAVE_SETENV) && !defined(HAVE_PUTENV) +int putenv(char *s); +#endif /* !defined(HAVE_SETENV) && !defined(HAVE_PUTENV) */ + +#ifdef NEED_WAITPID +int waitpid(int pid,int *stat_loc,int options); +#endif /* NEED_WAITPID */ + +#ifdef NEED_SETSID +pid_t setsid(void); +#endif /* NEED_SETSID */ + #endif /* _BSD_MISC_H */ diff -ruN openssh-1.2.2/configure.in ossh-1.2.2n/configure.in --- openssh-1.2.2/configure.in Tue Jan 25 19:15:31 2000 +++ ossh-1.2.2n/configure.in Thu Jan 27 00:42:24 2000 @@ -78,6 +78,12 @@ dnl Check for some target-specific stuff case "$host" in +*-next-*) + AC_DEFINE(HAVE_NEXT) + AC_DEFINE(NEED_SETSID) + AC_DEFINE(NEED_WAITPID) + CFLAGS="$CFLAGS -posix" + ;; *-*-aix*) AFS_LIBS="-lld" AC_DEFINE(BROKEN_GETADDRINFO) @@ -427,6 +433,14 @@ [AC_DEFINE(HAVE_ID_IN_UTMP) AC_MSG_RESULT(yes); ], [AC_MSG_RESULT(no)] ) +AC_MSG_CHECKING([whether utmp.h has ut_user or ut_name field]) +AC_EGREP_HEADER(ut_user, utmp.h, + [AC_DEFINE(HAVE_USER_IN_UTMP) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +AC_MSG_CHECKING([whether utmp.h has ut_type field]) +AC_EGREP_HEADER(ut_type, utmp.h, + [AC_DEFINE(HAVE_TYPE_IN_UTMP) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] AC_MSG_CHECKING([whether utmp.h has ut_addr field]) AC_EGREP_HEADER(ut_addr, utmp.h, [AC_DEFINE(HAVE_ADDR_IN_UTMP) AC_MSG_RESULT(yes); ], 
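Review bot: in the bsd-misc.c `@@ -239,3 +239,89 @@` hunk the trailing `#endif /* !NEED_SETSID */` comment contradicts its `#ifdef NEED_SETSID`; drop the `!`. In `putenv()`, both the replacement path (`*eptr = s;`) and the append path store the caller's string pointer itself, which is standard putenv semantics but deserves a comment warning callers not to pass stack or reused buffers, and the "New name" path mallocs a fresh array for every new variable without freeing the one it allocated last time, a slow leak worth noting. The `waitpid()` definition is K&R style while bsd-misc.h declares it with a prototype; make the definition a prototype too so the two cannot drift apart.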
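Review bot: in the configure.in `@@ -427,6 +433,14 @@` hunk the two new `AC_EGREP_HEADER(ut_user, utmp.h, ...)` and `AC_EGREP_HEADER(ut_type, utmp.h, ...)` calls end at `[AC_MSG_RESULT(no)]` with no closing `)`, unlike the existing ut_id check above them, which ends with `[AC_MSG_RESULT(no)] )`; m4 will swallow the following AC_MSG_CHECKING into the unterminated call. Also, the first check's message says "has ut_user or ut_name field" but only greps for ut_user; either grep for both and define a symbol for each, or reword the message to match what is tested.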
@@ -487,7 +501,7 @@ ], [ AC_MSG_CHECKING([location of lastlog file]) - for lastlog in /var/log/lastlog /var/adm/lastlog /etc/security/lastlog ; do + for lastlog in /var/log/lastlog /var/adm/lastlog /etc/security/lastlog /usr/adm/lastlog; do if test -f $lastlog ; then gotlastlog="file" break diff -ruN openssh-1.2.2/includes.h ossh-1.2.2n/includes.h --- openssh-1.2.2/includes.h Tue Jan 18 20:45:07 2000 +++ ossh-1.2.2n/includes.h Thu Jan 27 00:42:24 2000 @@ -32,8 +32,10 @@ #include #include -#include -#include +#ifndef HAVE_NEXT +# include +# include +#endif #include #include @@ -91,6 +93,23 @@ #endif #include "version.h" + +#ifdef HAVE_USER_IN_UTMP +# define UTMP_NAME wt.ut_user +#else +# define UTMP_NAME wt.ut_name +#endif + +/* NeXTism that are evil This is just for quick port reasons + I plan on attempting to sort out and deal with this stuff when I + have a chance to skim more of the header files. - Ben Lindstrom */ +#ifdef HAVE_NEXT +#define TCP_NODELAY IPTOS_LOWDELAY +#define IP_TOS 1 +#define IPTOS_LOWDELAY 0x10 /* TCP_NODELAY */ +#define IPTOS_THROUGHPUT 0x08 +#define MAIL_DIRECTORY "/usr/spool/mail" +#endif /* BSD function replacements */ #include "bsd-bindresvport.h" diff -ruN openssh-1.2.2/login.c ossh-1.2.2n/login.c --- openssh-1.2.2/login.c Tue Jan 25 18:04:48 2000 +++ ossh-1.2.2n/login.c Thu Jan 27 00:42:24 2000 @@ -23,9 +23,6 @@ #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) # include #endif -#ifdef HAVE_UTMP_H -# include -#endif #include "ssh.h" #ifdef HAVE_UTIL_H @@ -108,8 +105,10 @@ return 0; } +#ifdef HAVE_TYPE_IN_UTMP if ( wt.ut_type == USER_PROCESS) { - if ( !strncmp(logname, wt.ut_user, 8) ) { +#endif /* HAVE_TYPE_IN_UTMP */ + if ( !strncmp(logname, UTMP_NAME, 8) ) { t = (unsigned long) wt.ut_time; #ifdef HAVE_HOST_IN_UTMP if (bufsize > sizeof(wt.ut_host) + 1) 
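Review bot: in the includes.h `@@ -91,6 +93,23 @@` hunk, `UTMP_NAME` expands to `wt.ut_user` or `wt.ut_name`, so a project-wide header hard-codes a local variable name from login.c; define it as the bare field name and write `wt.UTMP_NAME` at the use site. In the `HAVE_NEXT` block, `TCP_NODELAY` is defined as `IPTOS_LOWDELAY` before `IPTOS_LOWDELAY` itself is defined (fine for the preprocessor, but it means a setsockopt(..., TCP_NODELAY, ...) on NeXT passes a different option value, which needs a comment on what was observed), and none of the five defines is wrapped in `#ifndef`, so they will clash if the NeXT headers do declare any of them; the comment already calls this a quick hack, so at least add the guards.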
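Review bot: in the login.c `@@ -108,8 +105,10 @@` hunk the `#ifdef HAVE_TYPE_IN_UTMP` wraps `if ( wt.ut_type == USER_PROCESS) {`, so the opening brace exists in only one configuration and its closing brace is matched by a separate `#ifdef` in the next hunk; that compiles, but braces that appear and disappear with a configure symbol are fragile to edit. Restructure as a conditionally defined test (for example a macro that evaluates the ut_type comparison when HAVE_TYPE_IN_UTMP is set and to `1` otherwise) so the braces stay balanced in the source as written.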
@@ -120,7 +119,9 @@ buf[0] = 0; #endif /* HAVE_HOST_IN_UTMP */ } +#ifdef HAVE_TYPE_IN_UTMP } +#endif /* HAVE_TYPE_IN_UTMP */ if (lseek(fd1, (off_t)(0-2*sizeof(struct utmp)), SEEK_CUR) == -1) break; diff -ruN openssh-1.2.2/next-termios.c ossh-1.2.2n/next-termios.c --- openssh-1.2.2/next-termios.c Wed Dec 31 18:00:00 1969 +++ ossh-1.2.2n/next-termios.c Thu Jan 27 01:04:39 2000 
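Review bot: in the bsd-misc.c hunk the setsid replacement closes with `#endif /* !NEED_SETSID */` although it opens with `#ifdef NEED_SETSID`; drop the `!` so the comment matches, as the waitpid block's `#endif /* NEED_WAITPID */` already does. Worth a comment in the same block: `return setpgrp(0, getpid());` makes the caller a process-group leader but, unlike POSIX setsid(), does not create a new session or give up the controlling terminal, so anything that calls setsid() to detach from the tty should be checked when this fallback is compiled in.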
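Review bot: the added prototype `int waitpid(int pid,int *stat_loc,int options);` in bsd-misc.h uses int for both the pid argument and the result where POSIX has `pid_t waitpid(pid_t, int *, int)`; the same hunk already declares `pid_t setsid(void)`, so use pid_t here too (and add the spaces after the commas for consistency with the rest of the header).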
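Review bot: both new AC_EGREP_HEADER invocations in the configure.in utmp hunk are missing their closing parenthesis: each ends at `[AC_MSG_RESULT(no)]` and runs straight into the next `AC_MSG_CHECKING`, whereas the neighbouring ut_addr check closes with `[AC_MSG_RESULT(no)] )`. As written, autoconf will either report an unbalanced parenthesis or swallow the following checks into the unterminated macro call, so add the `)` after each `[AC_MSG_RESULT(no)]`.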
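Review bot: in the includes.h hunk, `#define UTMP_NAME wt.ut_user` bakes the local variable name `wt` into a header macro, so it only works inside the one function in login.c that declares `struct utmp wt`; make it take the structure, e.g. `#define UTMP_NAME(u) ((u).ut_user)`, and call it as `UTMP_NAME(wt)`. In the HAVE_NEXT block, `#define TCP_NODELAY IPTOS_LOWDELAY` redefines a TCP socket option name as an IP type-of-service bit (0x10), so any setsockopt(IPPROTO_TCP, TCP_NODELAY, ...) in the tree will set option number 0x10 instead of the real one; the comment already calls this a quick-port hack, so either take the real values from the NeXT headers or leave TCP_NODELAY undefined and guard its use with `#ifdef TCP_NODELAY`.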
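Review bot: removing the `#ifdef HAVE_UTMP_H` include block from login.c means the file now relies on includes.h to declare struct utmp; if that is the intent, a one-line comment at the removal point saves the next reader from searching for where the header comes from, and a missing include will otherwise surface as an error at `struct utmp wt` rather than at configure time.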
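Review bot: `strncmp(logname, UTMP_NAME, 8)` keeps the literal 8 although the field behind the macro (ut_user or ut_name) is whatever width the platform gives it; compare `sizeof(wt.ut_user)` / `sizeof(wt.ut_name)` bytes (or let the macro expose the field so sizeof can be applied to it), otherwise two accounts whose names agree in the first eight characters are shown each other's last login time and host. The `#ifdef HAVE_TYPE_IN_UTMP` wrapped separately around the opening `if ( wt.ut_type == USER_PROCESS) {` and its closing `}` in the next hunk works but is fragile; a suggested `#define UTMP_IS_LOGIN(u) ((u).ut_type == USER_PROCESS)` that falls back to 1 when the field is absent would keep the braces balanced in plain view.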
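Review bot: in the next-termios.c hunk that follows, the speed setters disagree: `cfsetospeed(struct termios *t,int speed)` takes int, `cfsetispeed` takes speed_t, and `cfsetspeed` returns void where the other two return int; settle on speed_t arguments and int returns and delete the two commented-out prototype blocks left above them. The file also mixes K&R definitions (tcgetattr, tcsetattr, cfgetispeed, ...) with ANSI ones (tcsetpgrp, tcgetpgrp, cfgetospeed); one style throughout makes the mismatch above harder to reintroduce. Since the sccsid identifies this as a copy of the Berkeley termios.c, the four-clause licence it carries (advertising clause included) has to be honoured in the distribution's documentation.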
@@ -0,0 +1,242 @@ +/*- + * Copyright (c) 1989, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#if defined(LIBC_SCCS) && !defined(lint) +static char sccsid[] = "@(#)termios.c 8.2 (Berkeley) 2/21/94"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include +#include +#include +#include + +#include +#include +#include + +#include +#include +#include + +int +tcgetattr(fd, t) + int fd; + struct termios *t; +{ + + return (ioctl(fd, TIOCGETA, t)); +} + +int +tcsetattr(fd, opt, t) + int fd, opt; + const struct termios *t; +{ + struct termios localterm; + + if (opt & TCSASOFT) { + localterm = *t; + localterm.c_cflag |= CIGNORE; + t = &localterm; + } + switch (opt & ~TCSASOFT) { + case TCSANOW: + return (ioctl(fd, TIOCSETA, t)); + case TCSADRAIN: + return (ioctl(fd, TIOCSETAW, t)); + case TCSAFLUSH: + return (ioctl(fd, TIOCSETAF, t)); + default: + errno = EINVAL; + return (-1); + } +} + +int tcsetpgrp(int fd, pid_t pgrp) +{ + int s; + + s = pgrp; + return (ioctl(fd, TIOCSPGRP, &s)); +} + +pid_t tcgetpgrp(int fd) +{ + int s; + + if (ioctl(fd, TIOCGPGRP, &s) < 0) + return ((pid_t)-1); + + return ((pid_t)s); +} +/* +speed_t cfgetispeed(const struct termios *); +speed_t cfgetospeed(const struct termios *); +*/ + +speed_t cfgetospeed(const struct termios *t) +{ + + return (t->c_ospeed); +} + +speed_t cfgetispeed(t) + const struct termios *t; +{ + + return (t->c_ispeed); +} + +/*int cfsetospeed(struct termios *, int);*/ +int +cfsetospeed(struct termios *t,int speed) +{ + + t->c_ospeed = speed; + return (0); +} + +int +cfsetispeed(t, speed) + struct termios *t; + speed_t speed; +{ + + t->c_ispeed = speed; + return (0); +} + +void +cfsetspeed(t, speed) + struct termios *t; + speed_t speed; +{ + + t->c_ispeed = t->c_ospeed = speed; +} + +/* + * Make a pre-existing termios structure into "raw" mode: character-at-a-time + * mode with no characters interpreted, 8-bit data path. 
+ */ +void +cfmakeraw(t) + struct termios *t; +{ + + t->c_iflag &= +~(IMAXBEL|IXOFF|INPCK|BRKINT|PARMRK|ISTRIP|INLCR|IGNCR|ICRNL|IXON|IGNPAR); + t->c_iflag |= IGNBRK; + t->c_oflag &= ~OPOST; + t->c_lflag &= +~(ECHO|ECHOE|ECHOK|ECHONL|ICANON|ISIG|IEXTEN|NOFLSH|TOSTOP|PENDIN); + t->c_cflag &= ~(CSIZE|PARENB); + t->c_cflag |= CS8|CREAD; + t->c_cc[VMIN] = 1; + t->c_cc[VTIME] = 0; +} + +int +tcsendbreak(fd, len) + int fd, len; +{ + struct timeval sleepytime; + + sleepytime.tv_sec = 0; + sleepytime.tv_usec = 400000; + if (ioctl(fd, TIOCSBRK, 0) == -1) + return (-1); + (void)select(0, 0, 0, 0, &sleepytime); + if (ioctl(fd, TIOCCBRK, 0) == -1) + return (-1); + return (0); +} + +int +tcdrain(fd) + int fd; +{ + + return (ioctl(fd, TIOCDRAIN, 0)); +} + +int +tcflush(fd, which) + int fd, which; +{ + int com; + + switch (which) { + case TCIFLUSH: + com = FREAD; + break; + case TCOFLUSH: + com = FWRITE; + break; + case TCIOFLUSH: + com = FREAD | FWRITE; + break; + default: + errno = EINVAL; + return (-1); + } + return (ioctl(fd, TIOCFLUSH, &com)); +} + +int +tcflow(fd, action) + int fd, action; +{ + struct termios term; + u_char c; + + switch (action) { + case TCOOFF: + return (ioctl(fd, TIOCSTOP, 0)); + case TCOON: + return (ioctl(fd, TIOCSTART, 0)); + case TCION: + case TCIOFF: + if (tcgetattr(fd, &term) == -1) + return (-1); + c = term.c_cc[action == TCIOFF ? VSTOP : VSTART]; + if (write(fd, &c, sizeof(c)) == -1) + return (-1); + return (0); + default: + errno = EINVAL; + return (-1); + } + /* NOTREACHED */ +} From sb at dcs.qmw.ac.uk Thu Jan 27 22:07:19 2000 
From: sb at dcs.qmw.ac.uk (Sergio Brandano)
Date: Thu, 27 Jan 2000 11:07:19 +0000
Subject: Open display error
Message-ID: <200001271107.LAA27259@copper.dcs.qmw.ac.uk>

>Do you have X11Forwarding turned on in both /etc/sshd_config and
>~/.ssh/config? Try running both ssh and sshd in debug mode and see if
>the output doesn't tell you something.
>
>jim knoble

I have no error messages on the debug, as far as I can see.

On /etc/ssh/sshd_config I have:

> X11Forwarding yes

and I remember it was the first thing I did some days ago.
I do not have ~/.ssh/config, but I found /etc/ssh/ssh_config where
ForwardX11 was not active. I created the ~/.ssh/config where I allowed
box2 as possible host:

  Host box2
    ForwardAgent yes
    ForwardX11 yes

As a result

- --> ssh -f xterm

now works as it should (DISPLAY is set to box1:10.0 and, obviously,
there are no problems concerning xhost). (The debug trace was fine too.)

The following still does not work:

- --> ssh -f box2 /usr/X11R6/bin/xterm
- --> _X11TransSocketINETConnect: Can't connect: errno = 111
_X11TransSocketINETConnect: Can't connect: errno = 111
_X11TransSocketINETConnect: Can't connect: errno = 111
_X11TransSocketINETConnect: Can't connect: errno = 111
_X11TransSocketINETConnect: Can't connect: errno = 111
_X11TransSocketINETConnect: Can't connect: errno = 111
/usr/X11R6/bin/xterm Xt error: Can't open display: box2:10.0

I see it created DISPLAY automatically, but in the wrong way.
Instead of box2:10.0, it should open box1:10.0.
(the debug trace was dead.)

Sergio

From markus.friedl at informatik.uni-erlangen.de Thu Jan 27 22:43:27 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 27 Jan 2000 12:43:27 +0100
Subject: Open display error
In-Reply-To: <200001271107.LAA27259@copper.dcs.qmw.ac.uk>; from sb@dcs.qmw.ac.uk on Thu, Jan 27, 2000 at 11:07:19AM +0000
References: <200001271107.LAA27259@copper.dcs.qmw.ac.uk>
Message-ID: <20000127124327.A28642@folly.informatik.uni-erlangen.de>

On Thu, Jan 27, 2000 at 11:07:19AM +0000, Sergio Brandano wrote:
> - --> ssh -f box2 /usr/X11R6/bin/xterm
> - --> _X11TransSocketINETConnect: Can't connect: errno = 111
> _X11TransSocketINETConnect: Can't connect: errno = 111
> _X11TransSocketINETConnect: Can't connect: errno = 111
> _X11TransSocketINETConnect: Can't connect: errno = 111
> _X11TransSocketINETConnect: Can't connect: errno = 111
> _X11TransSocketINETConnect: Can't connect: errno = 111
> /usr/X11R6/bin/xterm Xt error: Can't open display: box2:10.0
>
> I see it created DISPLAY automatically, but in the wrong way.
> Instead of box2:10.0, it should open box1:10.0.
> (the debug trace was dead.)

No, it should try box2:10.0. I still can see no debugging output.

From andre.lucas at dial.pipex.com Thu Jan 27 22:31:41 2000
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Thu, 27 Jan 2000 11:31:41 +0000
Subject: Long awaited round 1 of NeXT patches.
References:
Message-ID: <38902C9D.5BDC5866@dial.pipex.com>

Noted, thanks. That's amazing, now the only field that can be relied on
to be in struct utmp is ut_line. Anyone want to kill that too? ;-) I'm
sure some OS can store it as device numbers, just to wind people up.

What's your theory on the NeXT utmp failures? I'm looking to do a new
release of liblogin tonight (the ut_name fixes will be in) and fresh
openssh patches for 1.2.2. If you're still having utmp trouble, you
might want to run it up and send me the output from testlogin -v (as
root).

Is there any chance you can send me any of the following:
- utmp.h (and any relevant files it includes)
- if they exist, utmpx.h, lastlog.h, paths.h and any dependencies

Ta,
-Andre

Ben Lindstrom wrote:
>
> This is about 90% of the core work. I omitted a few files from the patch
> set since they are basically small blocks of #ifndef HAVE_NEXT/#endif to
> get it to compile.
>
> Damien, feel free to let me know what you applied and what you're
> rejecting and why.. so I can work on cleaning things up.
>
> Andre, Only thing of note you may want to look into is NeXT does not
> use "ut_user" in its lastlog. It uses "ut_name" and it does not
> have a "ut_type" (It's part of the above patch in the login.c
> part).
>
> BTW, this patch is against 1.2.2 (since it was released before I was
> able to release my patch. =)
>
> Known issues with my port (and my internal tree):
>
> 1) lack of utmp entries. I think I know what is wrong.
> 2) lack of signal capturing in readpass.c (I omitted this from
>    the patch) due to lack of sigaddset, sigemptyset, and
>    sigprocmask functions outside of using libposix.
> 3) lots of warnings. Most are ignorable.
> 4) Current patch *IS NOT* complete enough to support out of box
>    next compiling.
>
> But it works against 1.2.2x ssh both client/server and works with
> itself. So it's progress.
> 8
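Ben's point that NeXT spells the field ut_name and has no ut_type, and Andre's remark that only ut_line can be relied on, are the porting problem the login.c hunk works around; as an added example (not code from the patch, liblogin or OpenSSH), this re-does that last-login scan over a constructed utmp layout, selecting the field with the patch's HAVE_USER_IN_UTMP / HAVE_TYPE_IN_UTMP macros and comparing the full width of the name field instead of a fixed eight bytes. The struct, the macro values and the sample records are all constructed here, not taken from any platform header.

```c
/* Added example, not code from the NeXT patch or liblogin: login.c's last-login
 * scan with the patch's UTMP_NAME / HAVE_TYPE_IN_UTMP pattern, full-width compare. */
#include <string.h>
/* Constructed stand-in for <utmp.h>; HAVE_* macros stand for configure.in's AC_DEFINEs. */
#define HAVE_USER_IN_UTMP 1
#define HAVE_TYPE_IN_UTMP 1
enum { USER_PROCESS = 7, DEAD_PROCESS = 8 };
struct utmp {
#ifdef HAVE_USER_IN_UTMP
    char ut_user[8];
# define UTMP_NAME(u) ((u)->ut_user)
#else
    char ut_name[8];                   /* NeXT and older BSD spelling */
# define UTMP_NAME(u) ((u)->ut_name)
#endif
    short ut_type;                     /* absent on NeXT; the scan guards its use */
    long ut_time;
};
/* A full name field has no NUL: compare sizeof(field) bytes, reject longer names. */
static int utmp_name_matches(const struct utmp *u, const char *logname)
{
    size_t n = sizeof(UTMP_NAME(u));
    return strlen(logname) <= n && strncmp(logname, UTMP_NAME(u), n) == 0;
}
/* Newest-first, as login.c's backwards lseek over wtmp; 0 when no login is found. */
static long last_login_time(const struct utmp *recs, size_t n, const char *logname)
{
    while (n-- > 0) {
#ifdef HAVE_TYPE_IN_UTMP
        if (recs[n].ut_type != USER_PROCESS)
            continue;                  /* a logout record is not a login */
#endif
        if (utmp_name_matches(&recs[n], logname))
            return recs[n].ut_time;
    }
    return 0;
}
/* Constructed sample wtmp, oldest first; "alice123" fills the field, last one is a logout. */
#define SAMPLE_COUNT 3
static const struct utmp *sample_wtmp(void)
{
    static struct utmp recs[SAMPLE_COUNT];          /* zero-filled */
    static const char *const names[SAMPLE_COUNT] = { "alice123", "alice", "alice" };
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        memcpy(UTMP_NAME(&recs[i]), names[i], strlen(names[i]));
        recs[i].ut_type = (i == SAMPLE_COUNT - 1) ? DEAD_PROCESS : USER_PROCESS;
        recs[i].ut_time = 1000L * (long)(i + 1);    /* 1000, 2000, 3000 */
    }
    return recs;
}
```

With the fixed eight-byte comparison the patch keeps, a lookup for "alice1234" would be answered with the "alice123" record; the sizeof-based check returns 0 for a name the field cannot hold.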