From speno at isc.upenn.edu Sat Jul 1 00:36:08 2000
From: speno at isc.upenn.edu (John P Speno)
Date: Fri, 30 Jun 2000 10:36:08 -0400
Subject: Please test this snapshot
In-Reply-To: ; from djm@mindrot.org on Thu, Jun 29, 2000 at 07:02:05AM +1000
References: <001f01bfe13c$073d04b0$275346d1@rloomis.cist.saic.com>
Message-ID: <20000630103608.A195082@isc.upenn.edu>

On Thu, Jun 29, 2000 at 07:02:05AM +1000, Damien Miller wrote:
> 
> BTW this snapshot contains DEC OSF/Tru64 SIA support, enable it
> using "USE_SIA=1 ./configure [options]". I would like some feedback
> from DEC users as to the correctness of this code (as I know nothing
> about SIA).

There are a few compile errors under Tru64 UNIX 5.0a here:

cc: Error: auth1.c, line 313: In this statement, "host" is not declared. (undeclared)
host = get_canonical_hostname();
------------------------^

That line should be deleted. It's not needed. Fixing that gives this linker problem:

cc -o sshd sshd.o auth.o auth1.o auth2.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o -L. -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/local/ssl -lssh -lopenbsd-compat -lz -lsecurity -ldb -lm -laud -lutil -lcrypto -lcrypto -lRSAglue -lrsaref -lwrap
ld: Unresolved: auth_password
*** Exit 1
Stop.

From bole at falcon.etf.bg.ac.yu Sat Jul 1 12:07:49 2000
From: bole at falcon.etf.bg.ac.yu (Bosko Radivojevic)
Date: Sat, 1 Jul 2000 04:07:49 +0200 (CEST)
Subject: Problem with cleaning utmp entry
Message-ID: 

Hello

I have a problem with OpenSSH 2.1.1p1 on a libc5 system (Slackware 4). I'm not sure if I had those problems with the 1.2.x version of OpenSSH (on the same system), but I don't think so.

When someone ends an ssh session (logout, or something) the utmp entry for that user doesn't get erased from the UTMP file. In 'finger' I can see a lot of multiplied users that are not actually logged in. WTMP logging is also broken (there are no entries at all).

I don't have those problems on glibc2 systems (slack7), and I would be very happy if the problem with libc5 and logging could be solved.

Greetings

PS. Part of ./configure that may be useful:

checking for ut_host field in utmp.h... yes
checking for ut_host field in utmpx.h... no
checking for syslen field in utmpx.h... no
checking for ut_pid field in utmp.h... yes
checking for ut_type field in utmp.h... yes
checking for ut_type field in utmpx.h... no
checking for ut_tv field in utmp.h... no
checking for ut_id field in utmp.h... yes
checking for ut_addr field in utmp.h... yes
checking for ut_addr field in utmpx.h... no
checking for ut_addr_v6 field in utmp.h... no
checking for ut_addr_v6 field in utmpx.h... no
checking for ut_exit field in utmp.h... no
checking for ut_time field in utmp.h... yes
checking for ut_time field in utmpx.h... no
checking for ut_tv field in utmpx.h... no

PPS.
Part of config.h (after doing configure): /* struct utmp and struct utmpx fields */ #define HAVE_HOST_IN_UTMP 1 /* #undef HAVE_HOST_IN_UTMPX */ #define HAVE_ADDR_IN_UTMP 1 /* #undef HAVE_ADDR_IN_UTMPX */ /* #undef HAVE_ADDR_V6_IN_UTMP */ /* #undef HAVE_ADDR_V6_IN_UTMPX */ /* #undef HAVE_SYSLEN_IN_UTMPX */ #define HAVE_PID_IN_UTMP 1 #define HAVE_TYPE_IN_UTMP 1 /* #undef HAVE_TYPE_IN_UTMPX */ /* #undef HAVE_TV_IN_UTMP */ /* #undef HAVE_TV_IN_UTMPX */ #define HAVE_ID_IN_UTMP 1 /* #undef HAVE_EXIT_IN_UTMP */ #define HAVE_TIME_IN_UTMP 1 /* #undef HAVE_TIME_IN_UTMPX */ From djm at mindrot.org Sat Jul 1 12:49:55 2000 From: djm at mindrot.org (Damien Miller) Date: Sat, 1 Jul 2000 12:49:55 +1000 (EST) Subject: SINIX-N openssh ??? In-Reply-To: <395C9EAD.23131261@coo.vlaanderen.be> Message-ID: On Fri, 30 Jun 2000, Vergauwen Terrence wrote: > Hello, > > We have been trying to compile openssh on some SINIX (ReliantUNIX 5.42) > machines without any success, not even using GCC. > > Could anyone who has succeeded in compiling openssh on this platform be > so kind to mail me a copy of the binaries ssh, scp, ssh-keygen, ssh-add, > ssh-agent and sshd please ??? I am not aware of anyone who has tried yet. If you send me the output of ./configure and a failing run of make we may be able to get started though. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Sat Jul 1 12:54:58 2000 
From: djm at mindrot.org (Damien Miller) Date: Sat, 1 Jul 2000 12:54:58 +1000 (EST) Subject: Please test this snapshot In-Reply-To: <20000630103608.A195082@isc.upenn.edu> Message-ID: On Fri, 30 Jun 2000, John P Speno wrote: > On Thu, Jun 29, 2000 at 07:02:05AM +1000, Damien Miller wrote: > > > > BTW this snapshot contains DEC OSF/Tru64 SIA support, enable it > > using "USE_SIA=1 ./configure [options]". I would like some feedback > > from DEC users as to the correctness of this code (as I know nothing > > about SIA). > > There's a few compile errors under Tru64 UNIX 5.0a here: Does this help? Index: auth1.c =================================================================== RCS file: /var/cvs/openssh/auth1.c,v retrieving revision 1.4 diff -u -r1.4 auth1.c --- auth1.c 2000/06/28 05:22:42 1.4 +++ auth1.c 2000/07/01 02:54:00 @@ -310,7 +310,6 @@ authenticated = auth_pam_password(pw, password); #elif defined(HAVE_OSF_SIA) /* Do SIA auth with password */ - host = get_canonical_hostname(); if (sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, password) == SIASUCCESS) { @@ -505,7 +504,11 @@ #endif /* KRB4 */ #ifdef USE_PAM auth_pam_password(pw, "")) { -#else /* USE_PAM */ +#elif defined(HAVE_OSF_SIA) + (sia_validate_user(NULL, saved_argc, saved_argv, + get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, + "") == SIASUCCESS)) { +#else /* !HAVE_OSF_SIA && !USE_PAM */ auth_password(pw, "")) { #endif /* USE_PAM */ /* Authentication with empty password succeeded. */ -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Sat Jul 1 13:25:59 2000 
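Review bot: in the second hunk the closing `#endif /* USE_PAM */` comment no longer describes what it closes, since the chain is now `#ifdef USE_PAM` / `#elif defined(HAVE_OSF_SIA)` / `#else`; change it to `#endif /* USE_PAM / HAVE_OSF_SIA */` so it matches the new `#else /* !HAVE_OSF_SIA && !USE_PAM */`. Worth confirming before this ships: as the comment after it says, the added branch is the empty-password probe, so `sia_validate_user()` is now called with `""` for every user who reaches that point and then again with the real password in the path shown in the first hunk; if Tru64's SIA layer counts or logs failed attempts, a normal wrong-password login shows up as two failures. Dropping the dead `host = get_canonical_hostname();` in the first hunk is right, since the compile error shows `host` was never declared.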
From: djm at mindrot.org (Damien Miller) Date: Sat, 1 Jul 2000 13:25:59 +1000 (EST) Subject: _PATH_BSHELL versus /bin/sh In-Reply-To: <395B49FE.68EA3967@cygnus.com> Message-ID: On Thu, 29 Jun 2000, Corinna Vinschen wrote: > Hi all, > > while _PATH_BSHELL is defined in "defines.h", there are > two sources which uses /bin/sh _hardcoded_. Shouldn't that > changed to _PATH_BSHELL, too? Done, thanks. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Sat Jul 1 13:28:18 2000 From: djm at mindrot.org (Damien Miller) Date: Sat, 1 Jul 2000 13:28:18 +1000 (EST) Subject: Please test this snapshot In-Reply-To: <395B92D2.40A5BB80@abac.com> Message-ID: On Thu, 29 Jun 2000, Tom Bertelson wrote: > Some old thing - utmp entries. This fixes a buffer underrun, a reversed > test, and the assumption size_t == int. I suspect any architecture that > uses pututline(3) and doesn't have utmpx may have the same problems. Thanks, the patch has been applied. What problems are outstanding? -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From speno at isc.upenn.edu Sat Jul 1 14:48:46 2000 
From: speno at isc.upenn.edu (John P Speno) Date: Sat, 1 Jul 2000 00:48:46 -0400 Subject: Please test this snapshot In-Reply-To: ; from djm@mindrot.org on Sat, Jul 01, 2000 at 12:54:58PM +1000 References: <20000630103608.A195082@isc.upenn.edu> Message-ID: <20000701004846.Q199086@isc.upenn.edu> On Sat, Jul 01, 2000 at 12:54:58PM +1000, Damien Miller wrote: > On Fri, 30 Jun 2000, John P Speno wrote: > > > On Thu, Jun 29, 2000 at 07:02:05AM +1000, Damien Miller wrote: > > > > > > BTW this snapshot contains DEC OSF/Tru64 SIA support, enable it > > > using "USE_SIA=1 ./configure [options]". I would like some feedback > > > from DEC users as to the correctness of this code (as I know nothing > > > about SIA). > > > > There's a few compile errors under Tru64 UNIX 5.0a here: > > Does this help? Yes sir. It compiles. I'll test SIA stuff on Monday, I hope. From djm at mindrot.org Sat Jul 1 20:22:36 2000 
From: djm at mindrot.org (Damien Miller)
Date: Sat, 1 Jul 2000 20:22:36 +1000 (EST)
Subject: Announce: OpenSSH 2.1.1p2
Message-ID: 

Announcing the release of portable OpenSSH 2.1.1p2.

This release primarily contains fixes to the bugs that have been reported over the last month, in particular:

 - Invalid time being written to utmp/wtmp on systems using bash2
 - Several lastlog fixes
 - AIX, SCO, Irix portability fixes
 - Avoid failures on PAM systems when using PAM authentication modules which require a tty.
 - Entropy collection fixes for Solaris.
 - EGD robustness improvements
 - Fixes and enhancements from the OpenBSD team:
   - Fixed options processing in authorized_keys2 file
   - Compatibility with commercial SSH 2.0.13 and 2.2.0
   - Numerous minor fixes

There are also a couple of new features:

 - Shadow password expiry support (no password change support yet)
 - Irix 6.x array sessions, project IDs and system audit trail IDs
 - Beginnings of Tru64 / OSF SIA (Security Integration Architecture) support
 - Beginnings of NeXT support

Version 2.1.1p2 will be available from the mirrors listed at http://www.openssh.com/portable.html (as soon as they update).

Many thanks to all those who tested the snapshots and/or contributed bug reports and patches.

Regards,
Damien Miller

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From vinschen at cygnus.com Sun Jul 2 01:46:59 2000
From: vinschen at cygnus.com (Corinna Vinschen) Date: Sat, 01 Jul 2000 17:46:59 +0200 Subject: [PATCH]: 2.1.1p2: wrong #if/#endif in loginrec.c Message-ID: <395E1273.D736A1F0@cygnus.com> Hi, I have found an error in loginrec.c in the portable 2.1.1p2 release. The #if/#endif combination in syslogin_perform_logout() is wrong and results in unbalanced braces if HAVE_LOGWTMP is undefined. Corinna Index: loginrec.c =================================================================== RCS file: /src/cvsroot/openssh-211p2/loginrec.c,v retrieving revision 1.1.1.1 diff -u -p -r1.1.1.1 loginrec.c --- loginrec.c 2000/07/01 13:06:52 1.1.1.1 +++ loginrec.c 2000/07/01 15:40:22 @@ -1271,8 +1271,8 @@ syslogin_perform_logout(struct logininfo # ifdef HAVE_LOGWTMP } else { logwtmp(line, "", ""); - } # endif + } /* FIXME: (ATL - if the need arises) What to do if we have * login, but no logout? what if logout but no logwtmp? All * routines are in libutil so they should all be there, -- Corinna Vinschen Cygwin Developer Cygnus Solutions, a Red Hat company From darren at horseplay.demon.co.uk Sun Jul 2 06:09:19 2000 
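Review bot: moving the `}` below `# endif` makes the braces balance in both configurations, but only because the `} else {` that opens the branch is itself inside the `# ifdef HAVE_LOGWTMP`, so a reader has to preprocess in their head to see that the moved brace closes the `if` when HAVE_LOGWTMP is undefined and the `else` when it is defined. Clearer and equally correct: close the `if` unconditionally and guard only the else-branch, i.e. `}` / `# ifdef HAVE_LOGWTMP` / `else { logwtmp(line, "", ""); }` / `# endif`. It would also help to say which configuration (with and without logwtmp(3)) this was compile-tested on, since the unbalanced-brace case is only reached on platforms that lack it.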
From: darren at horseplay.demon.co.uk (Darren Evans)
Date: Sat, 01 Jul 2000 21:09:19 +0100
Subject: openssh-2.1.1p2 problem and fix
Message-ID: <4.3.2.7.0.20000701210014.02863540@pop3.demon.co.uk>

Hi all,

trawled through the archives and didn't find what I was looking for so here goes.

This may be common knowledge or may not for the developers here ... maybe it will save someone some time anyhow.

I'm running Redhat 6.2, **2.4.0-test1 kernel**, openssh-2.1.1p2.tar.gz, openssl-0.9.5a.tar.gz, with these options.

sh configure --with-tcp-wrappers --with-md5-passwords --with-ipv4-default --with-pam

/etc/pam.d/sshd
#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow nodelay
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_limits.so

ident /usr/local/sbin/sshd | grep -i pam

Does not find pam.

The error I receive is a,

Permission denied, please try again

even though my password **IS** correct.

sshd shows this

Connection from 192.168.254.200 port 720
debug: Client protocol version 1.5; client software version OpenSSH_2.1.1
debug: Local version string SSH-1.99-OpenSSH_2.1.1
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Attempting authentication for darren.
Failed password for darren from 192.168.254.200 port 720
Connection closed by 192.168.254.200
debug: Calling cleanup 0x805c7b4(0x0)

When I do this, and strace sshd -d I get this from strace

ssh -v -l darren horseplay

) = 1 (in [4])
read(4, "\0\0\0\17u\17\264\244\27\205\237\26q\341\322\251\31\217"..., 8192) = 20
open("/etc/shadow", O_RDONLY) = 3
fcntl(3, F_GETFD) = 0
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
fstat64(0x3, 0xbfffef28) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40015000
read(3, "root:$1$1xxxxxxxxxxxxxxxxxxxxxxx"..., 4096) = 757
close(3) = 0
munmap(0x40015000, 4096) = 0
getpeername(4, {sin_family=AF_INET, sin_port=htons(743), sin_addr=inet_addr("192.168.254.200")}}, [16]) = 0
write(2, "Failed password for darren from "..., 57) = 57
write(4, "\0\0\0\5\r\260\314t\211\336\320\"", 12) = 12
select(5, [4], NULL, NULL, NULL) = 1 (in [4])
read(4, "", 8192) = 0
write(2, "Connection closed by 192.168.254"..., 37) = 37
write(2, "debug: Calling cleanup 0x805c7b4"..., 38) = 38
shutdown(4, 2 /* send and receive */) = 0
close(4) = 0
_exit(255) = ?

I may be wrong, but it does say read(4, "root: ...." so is it not reading my username in the shadow file.

I've also had odd problems with openssh-2.1.1p1.tar.gz on FreeBSD 3.5-STABLE, maybe I'll go into that one another day as my memory is hazy at the moment.

My configuration files are the standard ones when installed.

When I set the link back on /usr/src/linux to /usr/src/linux-2.2.12 and recompiled openssh **sshd actually worked**.

Also note that when sshd was run under Linux-2.4.0-test1 but recompiled under 2.2.12 it **ran as expected**.

So I can only conclude that openssh does not support linux-2.4 yet.

Damien, any plans to update it soon? Presumably there are too many changes :-)

Hope this helps someone else from a headache, now onto why it didn't work under FreeBSD .... (probably my fault ..)

thanks

Darren
---

From mouring at pconline.com Sun Jul 2 06:31:49 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Sat, 1 Jul 2000 15:31:49 -0500 (CDT)
Subject: openssh-2.1.1p2 problem and fix
In-Reply-To: <4.3.2.7.0.20000701210014.02863540@pop3.demon.co.uk>
Message-ID: 

On Sat, 1 Jul 2000, Darren Evans wrote:

> 
> Hi all,
> 
> trawled through the archives and didn't find what I was looking for so here goes.
> 
> This may be common knowledge or may not for the developers here ... maybe
> it will save someone some time anyhow.
> 
> I'm running Redhat 6.2, **2.4.0-test1 kernel**, openssh-2.1.1p2.tar.gz, openssl-0.9.5a.tar.gz,
> with these options.
> 

Suse 6.3, 2.4.0-test2-ac2, openssh-2.1.1p1.tar.gz (not had a chance to upgrade since I just woke up to find a new release.=)

> sh configure --with-tcp-wrappers --with-md5-passwords --with-ipv4-default --with-pam
> 

I just did ./configure and let it figure everything out.

No /etc/pam.d/sshd (Which means pam should default to standard rules)

> /etc/pam.d/sshd
[..]

Mine is the default sshd rules provided in the contrib/ section. (Which is almost the same except for the "account required /lib/security/pam_pwdb.so" line

> ident /usr/local/sbin/sshd | grep -i pam
> 
> Does not find pam.
> 

I don't have ident installed, but strings /opt/openssh/sbin/sshd | grep -i pam shows a good 12 lines, the last one being the ident:

@(#)$Id: auth-pam.c,v 1.8 2000/06/22 11:44:54 djm Exp $

[..]
> I've also had odd problems with openssh-2.1.1p1.tar.gz on FreeBSD 3.5-STABLE,
> maybe I'll go into that one another day as my memory is hazy at the moment.
> 
> My configuration files are the standard ones when installed.
> 
> When I set the link back on /usr/src/linux to /usr/src/linux-2.2.12 and
> recompiled openssh **sshd actually worked**.
> 
> Also note that when sshd was run under Linux-2.4.0-test1 but recompiled
> under 2.2.12 it **ran as expected**.
> 

ermm.. This is interesting.. Since I've been running the whole gamut of kernels (from the late 2.3.x kernels) and I've not seen this problem.
Have you let OpenSSH's configure decide on your configuration options instead of forcing which ones it should pick?

Ben Lindstrom

From djm at mindrot.org Sun Jul 2 08:43:33 2000
From: djm at mindrot.org (Damien Miller)
Date: Sun, 2 Jul 2000 08:43:33 +1000 (EST)
Subject: [PATCH]: 2.1.1p2: wrong #if/#endif in loginrec.c
In-Reply-To: <395E1273.D736A1F0@cygnus.com>
Message-ID: 

On Sat, 1 Jul 2000, Corinna Vinschen wrote:

> Hi,
> 
> I have found an error in loginrec.c in the portable 2.1.1p2 release.
> The #if/#endif combination in syslogin_perform_logout() is wrong and
> results in unbalanced braces if HAVE_LOGWTMP is undefined.

Thanks, applied.

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Sun Jul 2 08:48:12 2000
From: djm at mindrot.org (Damien Miller)
Date: Sun, 2 Jul 2000 08:48:12 +1000 (EST)
Subject: openssh-2.1.1p2 problem and fix
In-Reply-To: <4.3.2.7.0.20000701210014.02863540@pop3.demon.co.uk>
Message-ID: 

On Sat, 1 Jul 2000, Darren Evans wrote:

> 
> Hi all,
> 
> trawled through the archives and didn't find what I was looking for
> so here goes.
> 
> This may be common knowledge or may not for the developers here ...
> maybe it will save someone some time anyhow.
> 
> I'm running Redhat 6.2, **2.4.0-test1 kernel**,
> openssh-2.1.1p2.tar.gz, openssl-0.9.5a.tar.gz, with these options.
> 
> sh configure --with-tcp-wrappers --with-md5-passwords
> --with-ipv4-default --with-pam

Can you send the output of a configure run?

> ident /usr/local/sbin/sshd | grep -i pam
> 
> Does not find pam.

I suspect that some brokenness in the new kernel headers is breaking the test for PAM. You might want to trawl through config.log for more detailed error messages.

> The error I receive is a,
> 
> Permission denied, please try again even though my password **IS**
> correct.

As a temporary workaround you might want to set --with-md5-passwords

> When I do this, and strace sshd -d I get this from strace
> ssh -v -l darren horseplay

> read(3, "root:$1$1xxxxxxxxxxxxxxxxxxxxxxx"..., 4096) = 757

> I may be wrong, but it does say read(4, "root: ...." so is it not
> reading my username in the shadow file.

If your username is in the first 4096 bytes of the password file it is getting it OK.

> I've also had odd problems with openssh-2.1.1p1.tar.gz on FreeBSD
> 3.5-STABLE, maybe I'll go into that one another day as my memory is
> hazy at the moment.

The FreeBSD developers maintain their own port of OpenSSH - I have no idea whether it is based on our work or not.
Thanks, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From darren at horseplay.demon.co.uk Sun Jul 2 09:30:04 2000 
From: darren at horseplay.demon.co.uk (Darren Evans) Date: Sun, 02 Jul 2000 00:30:04 +0100 Subject: openssh-2.1.1p2 problem and fix In-Reply-To: References: <4.3.2.7.0.20000701210014.02863540@pop3.demon.co.uk> Message-ID: <4.3.2.7.0.20000702002627.028aaf00@pop3.demon.co.uk> HI all, well after some messing around, I have come a lot closer. It appears to be a kernel issue/bug with linux-2.4.0-test1. I upgraded to linux-2.4.0-test2 with both of these configure options and sshd/ssh worked. What has changed in the kernels i'll leave to someone else to figure out :-) OpenSSH configured has been configured with the following options. User binaries: /usr/local/bin System binaries: /usr/local/sbin Configuration files: /usr/local/etc Askpass program: /usr/local/libexec/ssh/ssh-askpass Manual pages: /usr/local/man/manX PID file: /var/run Random number collection: Device (/dev/urandom) Manpage format: man PAM support: yes KerberosIV support: no AFS support: no S/KEY support: no TCP Wrappers support: no MD5 password support: no IP address in $DISPLAY hack: no Use IPv4 by default hack: no Translate v4 in v6 hack: yes Compiler flags: -g -O2 -Wall -I/usr/local/ssl/include Linker flags: -L/usr/local/ssl/lib -L/usr/local/ssl Libraries: -ldl -lnsl -lz -lutil -lpam -lcrypto And with these options. OpenSSH configured has been configured with the following options. 
User binaries: /usr/local/bin System binaries: /usr/local/sbin Configuration files: /usr/local/etc Askpass program: /usr/local/libexec/ssh/ssh-askpass Manual pages: /usr/local/man/manX PID file: /var/run Random number collection: Device (/dev/urandom) Manpage format: man PAM support: yes KerberosIV support: no AFS support: no S/KEY support: no TCP Wrappers support: yes MD5 password support: yes IP address in $DISPLAY hack: no Use IPv4 by default hack: yes Translate v4 in v6 hack: yes Compiler flags: -g -O2 -Wall -I/usr/local/ssl/include Linker flags: -L/usr/local/ssl/lib -L/usr/local/ssl Libraries: -ldl -lnsl -lz -lutil -lpam -lcrypto -lwrap As I say both worked ... regards Darren At 15:31 01/07/00 -0500, Ben Lindstrom wrote: >On Sat, 1 Jul 2000, Darren Evans wrote: > >> sh configure --with-tcp-wrappers --with-md5-passwords --with-ipv4-default --with-pam >> >I just did ./configure and let it figure everything out. > >No /etc/pam.d/sshd (Which means pam should default to standard rules) > >> /etc/pam.d/sshd >[..] >Mine is the default sshd rules provide in the contrib/ section. >(Which is almost the same except for the "account required >/lib/security/pam_pwdb.so" line > >> ident /usr/local/sbin/sshd | grep -i pam >> >> Does not find pam. >> >I don't have ident installed, but strings /opt/openssh/sbin/sshd | grep -i >pam show a good 12 lines the last one being the ident: > >@(#)$Id: auth-pam.c,v 1.8 2000/06/22 11:44:54 djm Exp $ > >[..] >> I've also had odd problems with openssh-2.1.1p1.tar.gz on FreeBSD 3.5-STABLE, >> maybe i'll go into that one another day as my memory is hazy at the moment. >> >> My configuration files are the standard ones when installed. >> >> When I set the link back on /usr/src/linux to /usr/src/linux-2.2.12 and >> recompiled openssh **sshd actually worked**. >> >> Also note that when sshd was run under Linux-2.4.0-test1 but recompiled >> under 2.2.12 it **ran as expected**. >> >ermm.. This is interesting.. 
>Since I've been running the whole gamut
>of kernels (from the late 2.3.x kernels) and I've not seen this problem.
>
>Have you let OpenSSH's configure decide on your configuration options
>instead of forcing which ones it should pick?
>
>Ben Lindstrom

---

From mouring at pconline.com Sun Jul 2 09:31:24 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Sat, 1 Jul 2000 18:31:24 -0500 (CDT)
Subject: openssh-2.1.1p2 problem and fix
In-Reply-To: <4.3.2.7.0.20000702002627.028aaf00@pop3.demon.co.uk>
Message-ID: 

On Sun, 2 Jul 2000, Darren Evans wrote:

> 
> HI all,
> 
> well after some messing around, I have come a lot closer.
> 
> It appears to be a kernel issue/bug with linux-2.4.0-test1.
> 
> I upgraded to linux-2.4.0-test2 with both of these configure options
> and sshd/ssh worked.
> What has changed in the kernels I'll leave to someone else to figure out :-)
> 

I sure won't be digging through the kernel changes. =) Granted, as soon as 2.4.0-test1 was out Alan Cox had published a -ac1 to it. So I never really tried 2.4.0-test1 proper. It's the price one pays for running bleeding edge software.=)

Ben Lindstrom

From cloos at jhcloos.com Sun Jul 2 12:22:33 2000
From: cloos at jhcloos.com (James H. Cloos Jr.)
Date: 01 Jul 2000 21:22:33 -0500
Subject: minor cosmetic bug
Message-ID: 

The progress metre in scp(1) breaks when the tty is too wide.

This patch is the effortless fix:

###########################################################################
:; diff -u openssh-2.1.1p2/scp.c openssh-2.1.1p2+jhc/scp.c --- openssh-2.1.1p2+jhc/scp.c Thu Jun 22 07:32:32 2000 +++ openssh-2.1.1p2/scp.c Sat Jul 1 22:15:36 2000
@@ -1176,8 +1176,9 @@ i = barlength * ratio / 100; snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), "|%.*s%*s|", i, - "*****************************************************************************" "*****************************************************************************", + "*********************************************************************" + "*********************************************************************" + "*********************************************************************", barlength - i, ""); } i = 0; ###########################################################################

In case it munges in mail, change from two strings of 77 asterisks each to three of 69 each.

Limiting it to 207 *s keeps the bargraph from overwriting the octet-count and time-to-go; 210 is too many. I didn't try 209 or 208, preferring to keep the three strings equal in length....

-JimC
-- 
James H. Cloos, Jr. 1024D/ED7DAEA6 E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6
Is this post worth two cents? Then goto !

From cky at pobox.com Sun Jul 2 14:04:33 2000
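Review bot: the `---`/`+++` labels are swapped relative to the command shown above them (`diff -u openssh-2.1.1p2/scp.c openssh-2.1.1p2+jhc/scp.c` would label the unmodified tree as `---`), while the hunk body runs the right way (removing the two 77-character strings, adding three of 69), so the header looks hand-edited; `patch` still applies it because both names end in scp.c, but anyone re-diffing the two trees to check it will get the reverse. On substance, the fix keeps a hard-coded ceiling: on a tty wider than 207 + 51 columns the `%.*s` precision `i` again exceeds the literal and the bar comes out short. Clamping `barlength` to the literal's length (the `sizeof` of the string minus one) handles every width and removes the need to tune the 207 by hand.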
From: cky at pobox.com (Chris, the Young One) Date: Sun, 2 Jul 2000 16:04:33 +1200 Subject: ``portability'' patch for OpenSSH S/Key support Message-ID: <20000702160433.A18168@arcanum.m.org.nz> More specifically, the hashing functions in most operating systems will be provided by OpenSSL, rather than libc. OpenSSL does not have SHA1_End but since it is used only for generating fake challenges, the impact of changing it to SHA1_Final should be small. A more general solution would be to have configure.in test for sha1.h, openssl/sha.h, and SHA1_End. configure.in should also add auth-skey.o to SSHDOBJS in Makefile if S/Key is enabled; my patch below does not cover those issues. Perhaps another time. If any GNU/Linux admins want to play with S/Key, I have some patches on the OpenBSD versions at http://ftp.m.org.nz/users/cky/patches/skey/ (or, of course, ftp://...). Enjoy! ---Chris K. * * * --- auth-skey.c Thu Jun 22 23:32:31 2000 +++ auth-skey.c Sun Jul 2 15:17:47 2000 @@ -4,7 +4,7 @@ #include "ssh.h" #include "packet.h" -#include +#include /* from %OpenBSD: skeylogin.c,v 1.32 1999/08/16 14:46:56 millert Exp % */ @@ -74,7 +74,6 @@ size_t secretlen = 0; SHA_CTX ctx; char *p, *u; - char md[SHA_DIGEST_LENGTH]; /* * Base first 4 chars of seed on hostname. @@ -99,7 +98,7 @@ SHA1_Init(&ctx); SHA1_Update(&ctx, username, strlen(username)); - SHA1_End(&ctx, up); + SHA1_Final(up, &ctx); /* Collapse the hash */ ptr = hash_collapse(up); @@ -133,7 +132,7 @@ SHA1_Init(&ctx); SHA1_Update(&ctx, secret, secretlen); SHA1_Update(&ctx, username, strlen(username)); - SHA1_End(&ctx, up); + SHA1_Final(up, &ctx); /* Zero out */ memset(secret, 0, secretlen); 
@@ -141,7 +140,7 @@ /* Now hash the hash */ SHA1_Init(&ctx); SHA1_Update(&ctx, up, strlen(up)); - SHA1_End(&ctx, up); + SHA1_Final(up, &ctx); ptr = hash_collapse(up + 4); -- Chris, the Young One |_ If Robert Di Niro assassinates Walter Slezak, Auckland, New Zealand |_ will Jodie Foster marry Bonzo?? http://cloud9.hedgee.com/ |_ From haruyama at nt.phys.s.u-tokyo.ac.jp Sun Jul 2 18:28:35 2000 
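Review bot: `SHA1_End()` in OpenBSD's libc writes the digest as a NUL-terminated 40-character hex string, while OpenSSL's `SHA1_Final(up, &ctx)` writes 20 raw bytes and no terminator, so the code left around the replaced calls now reads binary data as a string: `SHA1_Update(&ctx, up, strlen(up))` in the 'Now hash the hash' hunk hashes however many bytes precede the first zero byte of the digest (or runs past the 20 bytes if there is none), and `hash_collapse(up)` / `hash_collapse(up + 4)` collapse binary rather than hex characters. Since fake challenges exist to look like real ones to someone probing for valid usernames, a challenge derived from this input should at least be checked to still have the shape of a real one. Either hex-encode after `SHA1_Final` (the `char md[SHA_DIGEST_LENGTH]` removed in the first hunk is the natural place for the raw digest) or pass `SHA_DIGEST_LENGTH` instead of `strlen(up)`. The `#include` lines in the first hunk have lost their bracketed filenames in the archive, so the header swap itself cannot be reviewed here.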
From: haruyama at nt.phys.s.u-tokyo.ac.jp (HARUYAMA Seigo)
Date: Sun, 02 Jul 2000 17:28:35 +0900
Subject: A error in auth.c of openssh-2.1.1p2 port on systems with a mixture of shadowed and non-shadowed passwords and Japanese Translations.
Message-ID: 

Hi.

I have found an error in the openssh-2.1.1p2 port on systems with a mixture of shadowed and non-shadowed passwords. I reported the same type of error to Mr. Miller when openssh-1.2.1pre23 was released.

On our systems, our local machines have a shadowed /etc/passwd (and /etc/shadow) and our NIS server distributes non-shadowed passwords of general users. We have to use getspnam(3) for shadowed local users' (for example, "root") entries and getpwnam(3) for non-shadowed users' entries.

However, the function "allowed_user" in auth.c of openssh-2.1.1p2 has the following lines:

59 #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \
60 defined(HAS_SHADOW_EXPIRE)
61 struct spwd *spw;
62
63 /* Shouldn't be called if pw is NULL, but better safe than sorry */
64 if (!pw)
65 return 0;
66
67 spw = getspnam(pw->pw_name);
68 if (spw == NULL)
69 return 0;

So, getspnam will return NULL for our general users and allowed_user returns 0. As a result, our general users cannot login.

I fixed this problem.

diff openssh-2.1.1p2.bak/auth.c openssh-2.1.1p2/auth.c 68,69c68 < if (spw == NULL) < return 0; --- > if (spw){ 78a78 > } -------

I translated the README and UPGRADING documents of the openssh port into Japanese. Now I have translated INSTALL and README.openssh2. These documents are open to the public at http://www.unixuser.org/%7Eharuyama/security/openssh/index.html . Now, all translated documents are updated when a new version of the openssh port is released.

Regards,
HARUYAMA Seigo
haruyama at unixuser.org

From djm at mindrot.org Sun Jul 2 18:43:39 2000
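Review bot: the `68,69c68` / `78a78` hunks replace the `return 0` on a NULL `getspnam()` with `if (spw){ ... }`, which makes every getspnam() failure skip the expiry checks. That is what a non-shadowed NIS entry needs, but getspnam() also returns NULL when sshd cannot read /etc/shadow (for example when not running as root), and in that case account and password expiry are now silently not enforced; checking errno and logging when the lookup fails for a reason other than 'no entry' keeps the two cases apart. An ed-style diff without context also makes the placement of the `}` added at line 78 impossible to verify from the patch alone; a `diff -u` would show what it closes.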
From: djm at mindrot.org (Damien Miller) Date: Sun, 2 Jul 2000 18:43:39 +1000 (EST) Subject: A error in auth.c of openssh-2.1.1p2 port on systems with a mixture of shadowed and non-shadowed passwords and Japanese Translations. In-Reply-To: Message-ID: On Sun, 2 Jul 2000, HARUYAMA Seigo wrote: > > Hi. > > I have found a error of openssh-2.1.1p2 port on systems with a > mixture of shadowed and non-shadowed passwords. Thanks for the report - this slipped in with the new expiry checking code. Here is the fix that was applied: Index: auth.c =================================================================== RCS file: /var/cvs/openssh/auth.c,v retrieving revision 1.9 diff -u -r1.9 auth.c --- auth.c 2000/06/26 01:31:33 1.9 +++ auth.c 2000/07/02 08:42:19 @@ -65,17 +65,18 @@ return 0; spw = getspnam(pw->pw_name); - if (spw == NULL) - return 0; - - /* Check account expiry */ - if ((spw->sp_expire > 0) && ((time(NULL) / 86400) > spw->sp_expire)) - return 0; + if (spw != NULL) { + int days = time(NULL) / 86400; - /* Check password expiry */ - if ((spw->sp_lstchg > 0) && (spw->sp_inact > 0) && - ((time(NULL) / 86400) > (spw->sp_lstchg + spw->sp_inact))) - return 0; + /* Check account expiry */ + if ((spw->sp_expire > 0) && (days > spw->sp_expire)) + return 0; + + /* Check password expiry */ + if ((spw->sp_lstchg > 0) && (spw->sp_inact > 0) && + (days > (spw->sp_lstchg + spw->sp_inact))) + return 0; + } #else /* Shouldn't be called if pw is NULL, but better safe than sorry... */ if (!pw) --d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Sun Jul 2 19:15:59 2000 
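Review bot: `int days = time(NULL) / 86400;` narrows a time_t to int, and `days` is then compared with `sp_expire`, `sp_lstchg` and `sp_inact`, which are long in `struct spwd`; declaring it long (or time_t) costs nothing and avoids the conversion. Same caveat as the report this fixes: with `if (spw != NULL)` the expiry checks are skipped for any getspnam() failure, including sshd being unable to read the shadow file, so a `debug()` when spw is NULL would make that visible in the logs. Separately, the retained `days > (spw->sp_lstchg + spw->sp_inact)` test treats sp_inact as days since the last password change; shadow(5) defines sp_inact as days after the password has expired (`sp_lstchg + sp_max`) before the account is disabled, so on a system that actually sets sp_inact this check locks users out far too early, while sp_max itself is never consulted.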
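The mixed shadow/NIS report and the fix applied above come down to one decision: what to do with the expiry checks when getspnam() has nothing to say. The block below is an added example, not code from OpenSSH's auth.c or from either message. It mirrors the fixed allowed_user() in treating a missing shadow entry as allowed, and goes one step beyond the patch by doing the password-ageing arithmetic the way shadow(5) defines it (sp_max counted from the last change, sp_inact after that), returning a distinct status for each outcome so the caller can tell "change your password" from "locked". The enum names, the shadow_lookup() wrapper and the sample record in main() are constructed for the example; the errno == EACCES test assumes glibc's behaviour when the shadow file cannot be opened.

```c
#include <errno.h>
#include <shadow.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Outcome of the shadow checks; the names are constructed for this example. */
enum shadow_status {
	SHADOW_OK = 0,
	SHADOW_ACCOUNT_EXPIRED,		/* past sp_expire */
	SHADOW_PASSWORD_EXPIRED,	/* past sp_lstchg + sp_max, inside sp_inact */
	SHADOW_INACTIVE			/* sp_inact grace period also used up */
};

/* Days since the epoch, the unit of every spwd ageing field.  Kept long,
 * like the fields it is compared with, rather than narrowed to int. */
long shadow_today(void)
{
	return (long)(time(NULL) / 86400);
}

/*
 * Expiry decision for one user.  spw == NULL means "no shadow entry",
 * the non-shadowed NIS case, and is allowed as in the applied fix.  The
 * ageing arithmetic follows shadow(5): sp_max counts from sp_lstchg, and
 * sp_inact counts from the end of sp_max, not from sp_lstchg as the
 * patch's `sp_lstchg + sp_inact` test assumes.
 */
enum shadow_status shadow_check(const struct spwd *spw, long today)
{
	long pw_expires;

	if (spw == NULL)
		return SHADOW_OK;

	/* Account expiry is an absolute day number; 0 or -1 means unset. */
	if (spw->sp_expire > 0 && today > spw->sp_expire)
		return SHADOW_ACCOUNT_EXPIRED;

	/* Password ageing needs both a last-change day and a maximum age. */
	if (spw->sp_lstchg <= 0 || spw->sp_max <= 0)
		return SHADOW_OK;
	pw_expires = spw->sp_lstchg + spw->sp_max;
	if (today <= pw_expires)
		return SHADOW_OK;
	if (spw->sp_inact > 0 && today > pw_expires + spw->sp_inact)
		return SHADOW_INACTIVE;
	return SHADOW_PASSWORD_EXPIRED;	/* would need a password change */
}

/*
 * Lookup wrapper separating "no entry" (checks legitimately skipped) from
 * "could not read the shadow file", which is what an unprivileged sshd
 * gets.  Assumes glibc sets errno to EACCES in the latter case.  Returns
 * 0 with *out == NULL for the first, -1 for the second.
 */
int shadow_lookup(const char *user, struct spwd **out)
{
	errno = 0;
	*out = getspnam(user);
	if (*out == NULL && errno == EACCES)
		return -1;
	return 0;
}

int main(void)
{
	/* Constructed record: password set on day 10000, 90-day maximum,
	 * 7-day inactivity grace, account expiry on day 11000. */
	struct spwd sample;
	long days[] = { 10050, 10095, 10098, 11001 };
	size_t i;

	memset(&sample, 0, sizeof(sample));
	sample.sp_lstchg = 10000;
	sample.sp_max = 90;
	sample.sp_inact = 7;
	sample.sp_expire = 11000;
	for (i = 0; i < sizeof(days) / sizeof(days[0]); i++)
		printf("day %ld: status %d\n", days[i], shadow_check(&sample, days[i]));
	printf("no shadow entry, today (%ld): status %d\n",
	       shadow_today(), shadow_check(NULL, shadow_today()));
	return 0;
}
```

Callers that only want the patch's yes/no answer can treat anything other than SHADOW_OK as denied; keeping the statuses apart is what a later "password change required" path would need, which the 2.1.1p2 announcement lists as not yet supported.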
From: djm at mindrot.org (Damien Miller) Date: Sun, 2 Jul 2000 19:15:59 +1000 (EST) Subject: ``portability'' patch for OpenSSH S/Key support In-Reply-To: <20000702160433.A18168@arcanum.m.org.nz> Message-ID: On Sun, 2 Jul 2000, Chris, the Young One wrote: > More specifically, the hashing functions in most operating systems will > be provided by OpenSSL, rather than libc. OpenSSL does not have SHA1_End > but since it is used only for generating fake challenges, the impact of > changing it to SHA1_Final should be small. Thanks, patch applied. > A more general solution would be to have configure.in test for sha1.h, > openssl/sha.h, and SHA1_End. configure.in should also add auth-skey.o to > SSHDOBJS in Makefile if S/Key is enabled; my patch below does not cover > those issues. Perhaps another time. SHA1 is SHA1 :) We are linking against OpenSSL, so we might as well use their routines. > If any GNU/Linux admins want to play with S/Key, I have some patches on > the OpenBSD versions at http://ftp.m.org.nz/users/cky/patches/skey/ (or, > of course, ftp://...). Do you intend to roll your patches into a tarball with a Makefile, etc? It would be great to be able to point people to a ported version of OpenBSD's S/Key libs. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Sun Jul 2 19:16:48 2000 
From: djm at mindrot.org (Damien Miller) Date: Sun, 2 Jul 2000 19:16:48 +1000 (EST) Subject: minor cosmetic bug In-Reply-To: Message-ID: On 1 Jul 2000, James H. Cloos Jr. wrote: > The progress metre in scp(1) breaks when the tty is too wide. > > This patch is the effortless fix: Here is a slightly more general one, which shouldn't break on any line size: Index: scp.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/scp.c,v retrieving revision 1.32 diff -u -r1.32 scp.c --- scp.c 2000/06/20 01:39:44 1.32 +++ scp.c 2000/07/02 08:58:49 @@ -56,6 +56,14 @@ /* For progressmeter() -- number of seconds before xfer considered "stalled" */ #define STALLTIME 5 +/* Progress meter bar */ +#define BAR \ + "************************************************************"\ + "************************************************************"\ + "************************************************************"\ + "************************************************************" +#define MAX_BARLENGTH (sizeof(BAR) - 1) + /* Visual statistics about files as they are transferred. */ void progressmeter(int); @@ -1170,13 +1178,11 @@ snprintf(buf, sizeof(buf), "\r%-20.20s %3d%% ", curfile, ratio); barlength = getttywidth() - 51; + barlength = (barlength <= MAX_BARLENGTH)?barlength:MAX_BARLENGTH; if (barlength > 0) { i = barlength * ratio / 100; snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - "|%.*s%*s|", i, - "*****************************************************************************" - "*****************************************************************************", - barlength - i, ""); + "|%.*s%*s|", i, BAR, barlength - i, ""); } i = 0; abbrevsize = cursize; -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From itojun at iijlab.net Mon Jul 3 08:08:44 2000 
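Review bot: the clamp `barlength = (barlength <= MAX_BARLENGTH)?barlength:MAX_BARLENGTH;` in the second hunk misbehaves on narrow terminals. `MAX_BARLENGTH` expands to `sizeof(BAR) - 1`, which has type `size_t`, so when `barlength` (a signed value, since `getttywidth() - 51` can go negative and the existing `if (barlength > 0)` guard relies on that) is negative it is converted to a huge unsigned number, the comparison is false, and `barlength` is set to 240; the following `if (barlength > 0)` then draws a 240-column bar where the old code drew none. Clamp only the upper bound and preserve the sign, e.g. `if (barlength > (int)MAX_BARLENGTH) barlength = MAX_BARLENGTH;`, and let the existing `> 0` test handle windows narrower than 51 columns. The first hunk's `BAR` (four 60-character pieces, 240 columns) is fine, since `%.*s` never reads past the clamped precision.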
From: itojun at iijlab.net (Jun-ichiro itojun Hagino) Date: Mon, 03 Jul 2000 07:08:44 +0900 Subject: patch for NetBSD utmp (ut_name instead of ut_host) Message-ID: <3046.962575724@localhost> here are patches to compile portable openssh 2.1.1p2 on netbsd, and some other platforms I suppose. itojun -------------- next part -------------- $NetBSD: patch-aa,v 1.8 2000/07/02 22:07:56 itojun Exp $ --- configure.in.orig Sat Jul 1 15:52:55 2000 +++ configure.in Mon Jul 3 06:49:00 2000 @@ -647,2 +647,6 @@ +OSSH_CHECK_HEADER_FOR_FIELD(ut_name, utmp.h, HAVE_NAME_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_name, utmpx.h, HAVE_NAME_IN_UTMPX) +OSSH_CHECK_HEADER_FOR_FIELD(ut_user, utmp.h, HAVE_USER_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_user, utmpx.h, HAVE_USER_IN_UTMPX) OSSH_CHECK_HEADER_FOR_FIELD(ut_host, utmp.h, HAVE_HOST_IN_UTMP) -------------- next part -------------- $NetBSD: patch-al,v 1.1 2000/07/02 22:07:56 itojun Exp $ --- loginrec.c- Mon Jul 3 06:49:20 2000 +++ loginrec.c Mon Jul 3 06:51:59 2000 @@ -618,3 +618,9 @@ /* Use strncpy because we don't necessarily want null termination */ +# ifdef HAVE_USER_IN_UTMP strncpy(ut->ut_user, li->username, MIN_SIZEOF(ut->ut_user, li->username)); +# elif defined(HAVE_NAME_IN_UTMP) + strncpy(ut->ut_name, li->username, MIN_SIZEOF(ut->ut_name, li->username)); +# else +# error no ut_user nor ut_name +# endif # ifdef HAVE_HOST_IN_UTMP @@ -1008,4 +1014,12 @@ { +# ifdef HAVE_USER_IN_UTMP if (strncmp(li->username, ut->ut_user, - MIN_SIZEOF(li->username, ut->ut_user)) == 0) { + MIN_SIZEOF(li->username, ut->ut_user)) == 0) +# elif defined(HAVE_NAME_IN_UTMP) + if (strncmp(li->username, ut->ut_name, + MIN_SIZEOF(li->username, ut->ut_name)) == 0) +# else +# error no ut_user nor ut_name +# endif + { # ifdef HAVE_TYPE_IN_UTMP 
@@ -1163,4 +1177,12 @@ { +# ifdef HAVE_USER_IN_UTMP if ( strncmp(li->username, utx->ut_user, - MIN_SIZEOF(li->username, utx->ut_user)) == 0 ) { + MIN_SIZEOF(li->username, utx->ut_user)) == 0 ) +# elif defined(HAVE_NAME_IN_UTMP) + if ( strncmp(li->username, utx->ut_name, + MIN_SIZEOF(li->username, utx->ut_name)) == 0 ) +# else +# error no ut_user nor ut_name +# endif + { # ifdef HAVE_TYPE_IN_UTMPX -------------- next part -------------- $NetBSD: patch-am,v 1.1 2000/07/02 22:07:56 itojun Exp $ --- acconfig.h- Mon Jul 3 06:58:28 2000 +++ acconfig.h Mon Jul 3 06:58:09 2000 @@ -49,2 +49,6 @@ /* struct utmp and struct utmpx fields */ +#undef HAVE_NAME_IN_UTMP +#undef HAVE_NAME_IN_UTMPX +#undef HAVE_USER_IN_UTMP +#undef HAVE_USER_IN_UTMPX #undef HAVE_HOST_IN_UTMP From stevesk at sweden.hp.com Mon Jul 3 22:37:24 2000 
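Review bot: the utmpx hunk at `@@ -1163,4 +1177,12 @@` tests `HAVE_USER_IN_UTMP` and `HAVE_NAME_IN_UTMP` while referencing `utx->ut_user` and `utx->ut_name`, i.e. the `struct utmp` probes decide which `struct utmpx` member is used, even though the configure.in hunk adds `HAVE_USER_IN_UTMPX` and `HAVE_NAME_IN_UTMPX` for exactly this case and the guard immediately after is `HAVE_TYPE_IN_UTMPX`. On a platform whose utmp has `ut_name` but whose utmpx has `ut_user` this selects the wrong member and fails to compile; use the `_UTMPX` macros in that hunk, mirroring the `_UTMP` ones in the hunk at `@@ -1008,4 +1014,12 @@`.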
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Mon, 3 Jul 2000 14:37:24 +0200 (CEST)
Subject: 2.1.1p2 HP-UX 11 PAM General Commerical Security error
Message-ID: <200007031228.OAA18209@b0fh.sweden.hp.com>

Trying 2.1.1p2 on HP-UX 11 (trusted system) I get:

Jul 3 14:24:53 robinson sshd[1236]: debug: Encryption type: 3des
Jul 3 14:24:53 robinson sshd[1236]: debug: Received session key; encryption turned on.
Jul 3 14:24:53 robinson sshd[1236]: debug: Installing crc compensation attack detector.
Jul 3 14:24:53 robinson sshd[1236]: debug: Starting up PAM with username "stevesk"
Jul 3 14:24:53 robinson sshd[1236]: debug: Attempting authentication for stevesk.
Jul 3 14:24:54 robinson sshd[1236]: Accepted rsa for stevesk from 192.168.1.206 port 909
Jul 3 14:24:58 robinson sshd[1236]: debug: PAM setting rhost to "jenny.foo.se"
Jul 3 14:24:58 robinson sshd[1236]: pam_acct_mgmt: error General Commercial Security error
Jul 3 14:24:58 robinson sshd[1236]: PAM rejected by account configuration: General Commercial Security error
Jul 3 14:24:58 robinson sshd[1236]: Faking authloop for illegal user stevesk from 192.168.1.206 port 909

2.1.1p1 works fine (modulo scp hang/blocked on read problem).

OpenSSH configured has been configured with the following options.
User binaries: /opt/openssh-2.1.1p2/bin
System binaries: /opt/openssh-2.1.1p2/sbin
Configuration files: /etc/opt/openssh
Askpass program: /opt/openssh-2.1.1p2/libexec/ssh/ssh-askpass
Manual pages: /opt/openssh-2.1.1p2/man/catX
PID file: /var/run
Random number collection: EGD (/etc/opt/egd/entropy)
Manpage format: cat
PAM support: yes
KerberosIV support: no
AFS support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: no
IP address in $DISPLAY hack: no
Use IPv4 by default hack: no
Translate v4 in v6 hack: no
Compiler flags: -g -I/usr/local/include -I../../tcp_wrappers/tcp_wrappers_7.6 -Ae -D_HPUX_SOURCE -I../../openssl/32-bit/openssl-0.9.5a/include
Linker flags: -L/usr/local/lib -L../../tcp_wrappers/tcp_wrappers_7.6 -L../../openssl/32-bit/openssl-0.9.5a/lib -L../../openssl/32-bit/openssl-0.9.5a
Libraries: -lnsl -lz -lsec -lpam -lcrypto -lwrap

From stevesk at sweden.hp.com Mon Jul 3 22:46:19 2000
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Mon, 3 Jul 2000 14:46:19 +0200 (CEST)
Subject: sshd does not exit after scp (hpux 11.00 / ssh 2.1.1p1)
In-Reply-To: <41256903.0058D3E4.00@mailint.dmz.advance-bank.de>
Message-ID: <200007031237.OAA20089@b0fh.sweden.hp.com>

On Mon, 19 Jun 2000 kengelha at advance-bank.de wrote:
: Damien Miller wrote:
: > Can you turn on debugging at the server end (LogLevel DEBUG) and send
: > along the output?
:
: Yes, here it comes:

Has any progress been made on this issue? I've included an older message that has a stack trace, which if I recall was still the same in 2.1.1p1. I can provide a newer trace or additional information if needed.

Date: Tue, 23 May 2000 15:11:25 +0200 (CEST)
From: Kevin Steves
To: openssh-unix-dev at mindrot.org
Cc: stevesk at sweden.hp.com
Subject: HP-UX 11.0 scp -t hangs and PAM

openssh-2.1.0p2 on HP-UX 11.0 trusted system. One problem is that scp does not exit after a file transfer:

stevesk 14074 14073 0 13:21:46 ? 0:00 scp -t .

Attaching to the running process with gdb yields:

(gdb) bt
#0 0xc01ed230 in _read_sys () from /usr/lib/libc.2
#1 0xc01f85e4 in read () from /usr/lib/libc.2
#2 0x8228 in atomicio (f=0x400025c2 , fd=0, _s=0x7bff03e0 "C0644 59 resolv.conf", n=1) at atomicio.c:46
#3 0x620c in sink (argc=1, argv=0x7bff0164) at scp.c:695
#4 0x4bb8 in main (argc=1, argv=0x7bff0164) at scp.c:328

So we're blocked in read() on fd 0 for some reason. The file transfer does complete.

Another issue is we get this message from sshd when logging out:

May 23 13:22:16 robinson sshd[14075]: Cannot delete credentials: Permission denied

So pam_setcred(PAM_DELETE_CRED) isn't working.

From Lutz.Jaenicke at aet.TU-Cottbus.DE Mon Jul 3 23:26:06 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Mon, 3 Jul 2000 15:26:06 +0200
Subject: Openssh-2.1.1p2: configure option "--with-rsh="
Message-ID: <20000703152606.A11773@serv01.aet.tu-cottbus.de>

Hi!

Openssh-2.2.1p2: In configure:4348 the path given with the "--with-rsh" option to configure is assigned to

rsa_path=$withval

Probably this should be

rsh_path=$withval

Best regards,
Lutz

--
Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153

From stevesk at sweden.hp.com Tue Jul 4 00:05:05 2000
From: stevesk at sweden.hp.com (Kevin Steves) Date: Mon, 3 Jul 2000 16:05:05 +0200 (CEST) Subject: 2.1.1p2 HP-UX 11 PAM General Commerical Security error In-Reply-To: <200007031228.OAA18209@b0fh.sweden.hp.com> Message-ID: <200007031356.PAA09983@b0fh.sweden.hp.com> : Trying 2.1.1p2 on HP-UX 11 (trusted system) I get: : Jul 3 14:24:58 robinson sshd[1236]: pam_acct_mgmt: error General Commercial Security error : Jul 3 14:24:58 robinson sshd[1236]: PAM rejected by account configuration: General Commercial Security error A little more info. I wanted to see the specific pam_retval so I modifed the error string; then I went ahead and added it to the other auth-pam.c error/debug output. It might be worthwhile to integrate so the patch is attached. Now I see: Jul 3 15:19:29 robinson sshd[1293]: PAM rejected by account configuration: [32] General Commercial Security error which is: #define PAM_TERM_ERROR 32 /* Terminal database corruption or no corresponding entry found */ I'm not sure at this point what this could indicate, but I'll try to track it down. -------------- next part -------------- --- auth-pam.c~ Thu Jun 22 13:44:54 2000 +++ auth-pam.c Mon Jul 3 15:49:05 2000 @@ -105,19 +105,22 @@ { pam_retval = pam_close_session((pam_handle_t *)pamh, 0); if (pam_retval != PAM_SUCCESS) { - log("Cannot close PAM session: %.200s", + log("Cannot close PAM session: [%d] %.200s", + pam_retval, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); } pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED); if (pam_retval != PAM_SUCCESS) { - log("Cannot delete credentials: %.200s", + log("Cannot delete credentials: [%d] %.200s", + pam_retval, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); } pam_retval = pam_end((pam_handle_t *)pamh, pam_retval); if (pam_retval != PAM_SUCCESS) { - log("Cannot release PAM authentication: %.200s", + log("Cannot release PAM authentication: [%d] %.200s", + pam_retval, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); } } 
@@ -145,8 +148,9 @@ pw->pw_name); return 1; } else { - debug("PAM Password authentication for \"%.100s\" failed: %s", - pw->pw_name, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + debug("PAM Password authentication for \"%.100s\" failed: [%d] %s", + pw->pw_name, pam_retval, + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); return 0; } } @@ -160,7 +164,8 @@ pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RHOST, get_canonical_hostname()); if (pam_retval != PAM_SUCCESS) { - fatal("PAM set rhost failed: %.200s", + fatal("PAM set rhost failed: [%d] %.200s", + pam_retval, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); } @@ -168,7 +173,8 @@ debug("PAM setting ruser to \"%.200s\"", remote_user); pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user); if (pam_retval != PAM_SUCCESS) { - fatal("PAM set ruser failed: %.200s", + fatal("PAM set ruser failed: [%d] %.200s", + pam_retval, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); } } @@ -182,7 +188,8 @@ pam_msg_cat(NEW_AUTHTOK_MSG); break; default: - log("PAM rejected by account configuration: %.200s", + log("PAM rejected by account configuration: [%d] %.200s", + pam_retval, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); return(0); } @@ -199,14 +206,16 @@ debug("PAM setting tty to \"%.200s\"", ttyname); pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_TTY, ttyname); if (pam_retval != PAM_SUCCESS) { - fatal("PAM set tty failed: %.200s", + fatal("PAM set tty failed: [%d] %.200s", + pam_retval, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); } } pam_retval = pam_open_session((pam_handle_t *)pamh, 0); if (pam_retval != PAM_SUCCESS) { - fatal("PAM session setup failed: %.200s", + fatal("PAM session setup failed: [%d] %.200s", + pam_retval, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); } } 
@@ -219,7 +228,8 @@ debug("PAM establishing creds"); pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_ESTABLISH_CRED); if (pam_retval != PAM_SUCCESS) { - fatal("PAM setcred failed: %.200s", + fatal("PAM setcred failed: [%d] %.200s", + pam_retval, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); } } @@ -242,7 +252,8 @@ (pam_handle_t**)&pamh); if (pam_retval != PAM_SUCCESS) { - fatal("PAM initialisation failed: %.200s", + fatal("PAM initialisation failed: [%d] %.200s", + pam_retval, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); } @@ -255,7 +266,8 @@ */ pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_TTY, "ssh"); if (pam_retval != PAM_SUCCESS) { - fatal("PAM set tty failed: %.200s", + fatal("PAM set tty failed: [%d] %.200s", + pam_retval, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); } From speno at isc.upenn.edu Tue Jul 4 00:08:55 2000 From: speno at isc.upenn.edu (John P Speno) Date: Mon, 3 Jul 2000 10:08:55 -0400 Subject: Please test this snapshot In-Reply-To: <20000701004846.Q199086@isc.upenn.edu>; from speno@isc.upenn.edu on Sat, Jul 01, 2000 at 12:48:46AM -0400 References: <20000630103608.A195082@isc.upenn.edu> <20000701004846.Q199086@isc.upenn.edu> Message-ID: <20000703100855.A214691@isc.upenn.edu> On Sat, Jul 01, 2000 at 12:48:46AM -0400, John P Speno wrote: > > Yes sir. It compiles. I'll test SIA stuff on Monday, I hope. I've tested it. Here's what I find: The SIA code isn't complete enough to be useful. It only performs password checking. It doesn't support any other SIA features such as checking for locked accounts, password expirations, requiring password changes, or setting of resource limits. IMO, you can't have SIA support without supporting those features. From kengelha at advance-bank.de Tue Jul 4 03:49:37 2000 
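Review bot: in the `@@ -242,7 +252,8 @@` hunk the `fatal()` fires when `pam_start()` itself has just failed, so `pamh` was never initialised by PAM and `PAM_STRERROR((pam_handle_t *)pamh, pam_retval)` hands an unusable handle to the two-argument `pam_strerror()` (the configure check "whether pam_strerror takes only one argument" elsewhere in this thread shows both forms exist). Now that the numeric `[%d]` code is logged, that one call site could report just `pam_retval` instead of touching the handle. The remaining hunks are a consistent change: every message that carried `PAM_STRERROR(...)` now also shows the raw return code, which is what made the `[32]` to `PAM_TERM_ERROR` mapping in the message possible.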
From: kengelha at advance-bank.de (kengelha at advance-bank.de)
Date: Mon, 3 Jul 2000 18:49:37 +0100
Subject: Reply: Re: sshd does not exit after scp (hpux 11.00 / ssh 2.1 .1p1)
Message-ID: <41256911.0061EDC9.00@mailint.dmz.advance-bank.de>

Hi,

stevesk at sweden.hp.com wrote:
> Has any progress been made on this issue? I've included an older
> message that has a stack trace, which if I recall was still the same in
> 2.1.1p1. I can provide a newer trace or additional information if
> needed.

not really...

On a non-trusted system with HP AnsiC it seems to work if changing

shutdown(fdin, SHUT_WR)

to

shutdown(fdin, SHUT_RDWR)

in serverloop.c (lines 320 & 464)

On a trusted system with gcc however this does not seem to have any effect. Here I use

#define USE_PIPES 1

in includes.h as workaround

I think I will have to do some more checks with compilers/(non-)trusted systems...

Or any other ideas?

Klaus

stevesk at sweden.hp.com on 03.07.2000 13:46:19
To: Klaus Engelhardt/SP/OP/IT/Advance Bank AG/DE at Advance Bank
Cc: djm at mindrot.org, openssh-unix-dev at mindrot.org
Subject: Re: sshd does not exit after scp (hpux 11.00 / ssh 2.1.1p1)

On Mon, 19 Jun 2000 kengelha at advance-bank.de wrote:
: Damien Miller wrote:
: > Can you turn on debugging at the server end (LogLevel DEBUG) and send
: > along the output?
:
: Yes, here it comes:

Has any progress been made on this issue? I've included an older message that has a stack trace, which if I recall was still the same in 2.1.1p1. I can provide a newer trace or additional information if needed.

Date: Tue, 23 May 2000 15:11:25 +0200 (CEST)
From: Kevin Steves
To: openssh-unix-dev at mindrot.org
Cc: stevesk at sweden.hp.com
Subject: HP-UX 11.0 scp -t hangs and PAM

openssh-2.1.0p2 on HP-UX 11.0 trusted system. One problem is that scp does not exit after a file transfer:

stevesk 14074 14073 0 13:21:46 ? 0:00 scp -t .

Attaching to the running process with gdb yields:

(gdb) bt
#0 0xc01ed230 in _read_sys () from /usr/lib/libc.2
#1 0xc01f85e4 in read () from /usr/lib/libc.2
#2 0x8228 in atomicio (f=0x400025c2 , fd=0, _s=0x7bff03e0 "C0644 59 resolv.conf", n=1) at atomicio.c:46
#3 0x620c in sink (argc=1, argv=0x7bff0164) at scp.c:695
#4 0x4bb8 in main (argc=1, argv=0x7bff0164) at scp.c:328

So we're blocked in read() on fd 0 for some reason. The file transfer does complete.

Another issue is we get this message from sshd when logging out:

May 23 13:22:16 robinson sshd[14075]: Cannot delete credentials: Permission denied

So pam_setcred(PAM_DELETE_CRED) isn't working.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: att1.eml
Type: application/octet-stream
Size: 3401 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000703/3ff8d57b/attachment.obj

From darren at horseplay.demon.co.uk Tue Jul 4 06:19:00 2000
From: darren at horseplay.demon.co.uk (Darren Evans)
Date: Mon, 03 Jul 2000 21:19:00 +0100
Subject: FreeBSD 3.5-STABLE
Message-ID: <4.3.2.7.0.20000703211234.00dc0460@pop3.demon.co.uk>

gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c loginrec.c
loginrec.c: In function `construct_utmp':
loginrec.c:619: structure has no member named `ut_user'
loginrec.c:619: structure has no member named `ut_user'
loginrec.c:619: structure has no member named `ut_user'
loginrec.c: In function `syslogin_perform_login':
loginrec.c:1256: warning: implicit declaration of function `login'
loginrec.c: In function `syslogin_perform_logout':
loginrec.c:1269: warning: implicit declaration of function `logout'
loginrec.c:1273: warning: implicit declaration of function `logwtmp'
*** Error code 1
Stop.

creating cache ./config.cache
checking for gcc... gcc
checking whether the C compiler (gcc ) works... yes
checking whether the C compiler (gcc ) is a cross-compiler... no
checking whether we are using GNU C... yes
checking whether gcc accepts -g... yes
checking host system type... i386-unknown-freebsd3.5
checking how to run the C preprocessor... gcc -E
checking for ranlib... ranlib
checking for a BSD compatible install... /usr/bin/install -c
checking for ar... ar
checking for perl... /usr/bin/perl
checking for ent... no
checking for inline... inline
checking for deflate in -lz... yes
checking for login in -lutil... yes
checking for yp_match in -lnsl... no
checking for main in -lsocket... no
checking for bstring.h... no
checking for endian.h... no
checking for lastlog.h... no
checking for limits.h... yes
checking for login.h... no
checking for maillock.h... no
checking for netdb.h... yes
checking for netgroup.h... no
checking for netinet/in_systm.h... yes
checking for paths.h... yes
checking for poll.h... yes
checking for pty.h... no
checking for shadow.h... no
checking for security/pam_appl.h... yes
checking for sys/bitypes.h... no
checking for sys/bsdtty.h... no
checking for sys/cdefs.h... yes
checking for sys/poll.h... yes
checking for sys/select.h... yes
checking for sys/stat.h... yes
checking for sys/stropts.h... no
checking for sys/sysmacros.h... no
checking for sys/time.h... yes
checking for sys/ttcompat.h... no
checking for stddef.h... yes
checking for time.h... yes
checking for util.h... no
checking for utmp.h... yes
checking for utmpx.h... no
checking for arc4random... yes
checking for atexit... yes
checking for b64_ntop... no
checking for bcopy... yes
checking for bindresvport_af... no
checking for clock... yes
checking for freeaddrinfo... no
checking for gai_strerror... no
checking for getaddrinfo... no
checking for getnameinfo... no
checking for getrusage... yes
checking for innetgr... yes
checking for md5_crypt... no
checking for memmove... yes
checking for mkdtemp... yes
checking for on_exit... no
checking for openpty... yes
checking for rresvport_af... no
checking for setenv... yes
checking for seteuid... yes
checking for setlogin... yes
checking for setproctitle... yes
checking for setreuid... yes
checking for snprintf... yes
checking for strlcat... yes
checking for strlcpy... yes
checking for vsnprintf... yes
checking for vhangup... no
checking for _getpty... no
checking for __b64_ntop... yes
checking for gettimeofday... yes
checking for time... yes
checking for login... yes
checking for logout... yes
checking for updwtmp... no
checking for logwtmp... yes
checking for entutent... no
checking for getutent... no
checking for getutid... no
checking for getutline... no
checking for pututline... no
checking for setutent... no
checking for utmpname... no
checking for entutxent... no
checking for getutxent... no
checking for getutxid... no
checking for getutxline... no
checking for pututxline... no
checking for setutxent... no
checking for utmpxname... no
checking for login... (cached) yes
checking for daemon... yes
checking for getpagesize... yes
checking whether snprintf correctly terminates long strings... yes
checking for dlopen in -ldl... no
checking for pam_getenvlist... yes
checking whether pam_strerror takes only one argument... no
checking for OpenSSL directory... /usr/local/ssl
checking for RSA support... yes
checking size of char... 1
checking size of short int... 2
checking size of int... 4
checking size of long int... 4
checking size of long long int... 8
checking for intXX_t types... yes
checking for u_intXX_t types... yes
checking for socklen_t... yes
checking for size_t... yes
checking for ssize_t... yes
checking for sa_family_t... yes
checking for pid_t... yes
checking for mode_t... yes
checking for struct sockaddr_storage... no
checking for struct sockaddr_in6... no
checking for struct in6_addr... no
checking for struct addrinfo... no
checking for ut_host field in utmp.h... yes
checking for ut_host field in utmpx.h... no
checking for syslen field in utmpx.h... no
checking for ut_pid field in utmp.h... no
checking for ut_type field in utmp.h... no
checking for ut_type field in utmpx.h... no
checking for ut_tv field in utmp.h... no
checking for ut_id field in utmp.h... no
checking for ut_id field in utmpx.h... no
checking for ut_addr field in utmp.h... no
checking for ut_addr field in utmpx.h... no
checking for ut_addr_v6 field in utmp.h... no
checking for ut_addr_v6 field in utmpx.h... no
checking for ut_exit field in utmp.h... no
checking for ut_time field in utmp.h... yes
checking for ut_time field in utmpx.h... no
checking for ut_tv field in utmpx.h... no
checking for ss_family field in struct sockaddr_storage... no
checking for __ss_family field in struct sockaddr_storage... no
checking if libc defines __progname... yes
checking for rsh... /usr/bin/rsh
checking for xauth... no
checking for /dev/ptmx... no
checking for /dev/ptc... no
checking for /dev/urandom... yes
checking if we need to convert IPv4 in IPv6-mapped addresses... no (default)
checking if your system defines LASTLOG_FILE... no
checking if your system defines _PATH_LASTLOG... yes
checking if your system defines UTMP_FILE... no
checking if your system defines WTMP_FILE... no
checking if your system defines UTMPX_FILE... no
checking if your system defines WTMPX_FILE... no
updating cache ./config.cache
creating ./config.status
creating Makefile
creating ssh_prng_cmds
creating config.h

OpenSSH configured has been configured with the following options.
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /var/run
Random number collection: Device (/dev/urandom)
Manpage format: man
PAM support: yes
KerberosIV support: no
AFS support: no
S/KEY support: no
TCP Wrappers support: no
MD5 password support: no
IP address in $DISPLAY hack: no
Use IPv4 by default hack: no
Translate v4 in v6 hack: no
Compiler flags: -g -O2 -Wall -I/usr/local/ssl/include
Linker flags: -L/usr/local/ssl/lib -L/usr/local/ssl
Libraries: -lz -lutil -lpam -lcrypto

Presumably FreeBSD has a different utmp structure header file. A shame there's no ports for 3.5 yet for openssh.

I also have the config.log, and can post that privately as it's quite a long file.

Damien, I presume you will want a look :)

Darren
---
From jeff at ntcor.com Tue Jul 4 06:37:48 2000
From: jeff at ntcor.com (jeff at ntcor.com)
Date: Mon, 03 Jul 2000 13:37:48 -0700
Subject: rhostsauthentication fails. (Or why I hate poorly documented software.)
Message-ID: <3960F99C.C89A9E8A@ntcor.com>

I have an ssh enabled server and client machine (we'll call them "server" and "client" respectively...). They both have proper RSA and DSA keys; using protocol version 2 works fine between them. (So ssh itself and the network are working fine.)

However, I want to get something that will work with rsync without having to manually enter passwords, passphrases, or enter such information hardcoded in scripts. I figured I'd first get rhosts authentication working and then move to rhosts/RSA authentication (if that doesn't require a passphrase).

First things first... rhosts authentication...

Here's the sshd_config from the server...

Protocol 1
RSAAuthentication no
PasswordAuthentication no
RhostsAuthentication yes
IgnoreRhosts no

I have "client" listed in the /etc/hosts.equiv file and... (for testing purposes) "rlogin server" from the client works fine; login is granted without a password. So I know rhosts authentication is configured correctly for at least rsh.

However, here's what "ssh -v server" on the client gives me...

SSH Version OpenSSH-2.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 500 geteuid 500 anon 1
debug: Connecting to server [servers ip] port 22.
debug: Connection established.
debug: Remote protocol version 1.5, remote software version OpenSSH_2.1.1
debug: Local version string SSH-1.5-OpenSSH-2.1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'server' is known and matches the RSA host key.
debug: Seeding random number generator
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
ssh_userauth: server supports no auth methods
debug: Calling cleanup 0x8059c34(0x0)

Notice that the client thinks the server doesn't support any authentication methods. Which should not be true, because the last line of sshd_config specifically allows RhostsAuthentication and does not ignore the rhosts files.

Anybody have a clue what I've done wrong? For some reason it appears that the sshd server ignores the "RhostsAuthentication yes" line and doesn't add rhosts authentication to its list of authentication methods to support. Which isn't what the sshd/ssh man pages document the behavior to be.

- Jeff

From jeff at ntcor.com Tue Jul 4 07:18:18 2000
From: jeff at ntcor.com (jeff at ntcor.com)
Date: Mon, 03 Jul 2000 14:18:18 -0700
Subject: rhostsauthentication fails. (Or why I hate poorly documented software.)
References: <3960F99C.C89A9E8A@ntcor.com> <3960FCAD.9D7846E@aproposretail.com>
Message-ID: <3961031A.1A23875F@ntcor.com>

Ok, after a bit of work I've done the following:

Created a new RSA key with a blank passphrase.
Copied the .pub RSA key to the $HOME/.ssh/authorized_keys file.
Set RhostsRSAAuthentication and RSAAuthentication to yes on the server and client.

And it works fine. But this doesn't seem to provide RhostsRSAAuthentication. It only provided RSAAuthentication. If I change RSAAuthentication to no (keeping RhostsRSAAuthentication as yes) on the server, everything breaks again.

I guess I don't get this whole thing. I would think somebody besides me would need a secure method of remote login/shell capabilities without having to enter passwords all the time. Tons of people need daily rsync abilities. However, if I use RSA authentication with a blank passphrase then I wouldn't consider this any more secure than plain rhosts authentication, because as soon as somebody steals my private key (which isn't really private because it's got a blank passphrase) then they have the same level of security as rhosts. And then why should I be using protocol 1 at all? Why not use DSAAuthentication with a blank passphrase?

So then I guess my question is... Why have rhosts/RSA authentication implemented at all? It doesn't seem to work (because ssh doesn't seem to really support rhosts authentication) and furthermore DSAAuthentication is exactly the same as RhostsRSAAuth. if used with /etc/hosts.allow and /etc/hosts.deny. Even better, because I can disable Protocol 1.

Any thoughts on the subject are appreciated. Maybe I'm missing something fundamental. Does anybody else have *just* rhosts authentication in OpenSSH working? Is it something that needs to be explicitly enabled/included at compile time?
- Jeff

John Hardin wrote:
> 
> jeff at ntcor.com wrote:
> > 
> > However, I want to get something that will work with rsync without having
> > to manually enter passwords, passphrases, or enter such information hardcoded
> > in scripts.
> 
> Try an RSA authenticated connection, without a passphrase on the key...
> (explicitly set a blank passphrase)
> 
> -- 
> John Hardin
> Internal Systems Administrator
> Apropos Retail Management Systems, Inc.
> 

From Norbert.Bladt at adi.ch Tue Jul 4 16:00:41 2000
From: Norbert.Bladt at adi.ch (Bladt Norbert)
Date: Tue, 4 Jul 2000 08:00:41 +0200
Subject: AW: rhostsauthentication fails. (Or why I hate poorly documented software.)
Message-ID: <0912C8BC2132D411BBB80001020BA94702D72A@naizk10.adi.ch>

> jeff at ntcor.com [SMTP:jeff at ntcor.com] wrote:
> 
> I have a ssh enabled server and client machine (we'll call them "server"
> and "client" respectively...)

OK :-)

> They both have proper RSA and DSA keys,using protocol version 2 works
> fine between them. (so ssh itself and the network is working fine)

OK.

> However, I want to get something that will work with rsync without having
> to manually enter passwords, passphrases, or enter such information hardcoded
> in scripts.

We are in a similar situation, executing remote commands from a script.

> I figured I'd first get rhosts authentication working and then move to
> rhosts/RSA authentication (if that doesn't require passphrase.)

Maybe it works, maybe it doesn't. What I have done to get it to work is:

1. Create private keys on client (~/.ssh/identity and identity.pub)
2. Put identity.pub on server in ~/.ssh/authorized_keys
3. Added host/user on server in ~/.shosts

[...]

> Here's the sshd_config from the server...

Compared to the same part of the sshd_config on our server:

> Protocol 1

No such entry in my sshd_config on server, does it matter for this case?

> RSAAuthentication no

"yes" on our server

> PasswordAuthentication no

"yes" on our server

> RhostsAuthentication yes

"no" on our server

> IgnoreRhosts no

Same here, i.e. "no", just to read .shosts (comment in the sshd_config example)

> I have "client" listed in the /etc/hosts.equiv file and...
> (for testing purposes.) "rlogin server" from the client works fine,
> login is granted without a password. So I know rhosts authentication
> is configured correctly for at least rsh.

No entries in /etc/hosts.equiv (we really don't want rhosts authentication).
With the above setup the command

slogin server

works without asking any passwords or passphrases. The same for "ssh" or "scp". We don't have any .rhosts file either. I think we'll set "PasswordAuthentication no" in our server sshd_config file, later.

HTH,
Norbert Bladt.

-- 
Norbert Bladt
ATAG debis Informatik, ISM-TZ1 / Z302
Industriestrasse 1, CH 3052-Zollikofen
E-Mail: norbert.bladt at adi.ch
Tel.: +41 31 915 3964
Fax: +41 31 915 3640

> However here's what "ssh -v server" on the client gives me...
> 
> SSH Version OpenSSH-2.1, protocol versions 1.5/2.0.
> Compiled with SSL (0x0090581f).
> debug: Reading configuration data /etc/ssh/ssh_config
> debug: Applying options for *
> debug: Seeding random number generator
> debug: ssh_connect: getuid 500 geteuid 500 anon 1
> debug: Connecting to server [servers ip] port 22.
> debug: Connection established.
> debug: Remote protocol version 1.5, remote software version
> OpenSSH_2.1.1
> debug: Local version string SSH-1.5-OpenSSH-2.1
> debug: Waiting for server public key.
> debug: Received server public key (768 bits) and host key (1024 bits).
> debug: Host 'server' is known and matches the RSA host key.
> debug: Seeding random number generator
> debug: Encryption type: 3des
> debug: Sent encrypted session key.
> debug: Installing crc compensation attack detector.
> debug: Received encrypted confirmation.
> ssh_userauth: server supports no auth methods
> debug: Calling cleanup 0x8059c34(0x0)
> 
> Notice that the client thinks the server doesn't support any
> authentication
> methods. Which should not be true because the last line of sshd_config
> specifically allows RhostsAuthentication and does not ignore the rhosts
> files.
> 
> Anybody have a clue what I've done wrong? For some reason it appears that
> the sshd server ignores the "RhostsAuthentication yes" line and doesn't
> add rhosts authentication to its list of authentication methods to
> support.
> 
> Which isn't what the sshd/ssh man pages document the behavior to be.
> 
> - Jeff

From J.Horne at plymouth.ac.uk Tue Jul 4 22:50:26 2000
From: J.Horne at plymouth.ac.uk (John Horne)
Date: Tue, 04 Jul 2000 13:50:26 +0100 (BST)
Subject: Control-c not work under openssh?
Message-ID: 

Hello,

I'm using openSSH 2.1.1p2 from my Linux PC to Solaris 7 and 8 systems (using 2.1.1p1). No problem, except that if I run a program on the Sun, having used slogin to connect to it, and then try and issue a control-c to break into the program, it seems to be ignored. I can control-z and then kill the suspended job, but I'd prefer control-c. I tried setting '-e none' on the connection but to no effect.

If I do a straight telnet into the system and run the same program, then control-c works. So I guess it's got to be something with ssh? Note that I use protocol 1 to connect to the systems, but have had the same problem with protocol 2.

Any ideas? Have I just omitted something in the configuration?

Thanks,

John.

--------------------------------------------------------------------------
John Horne, University of Plymouth, UK            Tel: +44 (0)1752 233914
E-mail: jhorne at plymouth.ac.uk
PGP key available from public key servers

From darren at horseplay.demon.co.uk Wed Jul 5 04:47:36 2000
From: darren at horseplay.demon.co.uk (Darren Evans) Date: Tue, 04 Jul 2000 19:47:36 +0100 Subject: AW: FreeBSD 3.5-STABLE In-Reply-To: <0912C8BC2132D411BBB80001020BA94702D72B@naizk10.adi.ch> Message-ID: <4.3.2.7.0.20000704194020.00b16190@pop3.demon.co.uk> At 08:15 04/07/00 +0200, Bladt Norbert wrote: >> Darren Evans [SMTP:darren at horseplay.demon.co.uk] wrote: >> >> gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" >-DSSH_PROGRAM=\"/usr/local/bin/ssh\" - >> DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh/ssh-askpass\" >-DHAVE_CONFIG_H -c loginrec.c >> loginrec.c: In function `construct_utmp': >> loginrec.c:619: structure has no member named `ut_user' >[...] >Would it be possible for you to switch to FreeBSD 4.0-RELEASE ? >AFAIK, this includes openssh support per installation, so no hassle >with porting it. > >Just a hint, Just a hint, but i'm probably speaking for thousands who go for stable releases on server's who need stable and secure solutions. With PAM and the hack below it core says (sshd) illegal module type: sshd then core dumps. Add -lcrypt when compiling 'configure --without-pam' for sshd. The patch get's it compiled but obviously only on this platform. Anyone want to fix pam and some defines then for the masses ? :) openssh works fine though without PAM and the "hotfix". --- loginrec.c.orig Tue Jul 4 10:30:18 2000 +++ loginrec.c Tue Jul 4 10:31:18 2000 @@ -616,7 +616,7 @@ */ /* Use strncpy because we don't necessarily want null termination */ - strncpy(ut->ut_user, li->username, MIN_SIZEOF(ut->ut_user, li->username)); + strncpy(ut->ut_name, li->username, MIN_SIZEOF(ut->ut_name, li->username)); # ifdef HAVE_HOST_IN_UTMP strncpy(ut->ut_host, li->hostname, MIN_SIZEOF(ut->ut_host, li->hostname)); # endif 
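Review bot: the `ut_user` -> `ut_name` change in the strncpy at loginrec.c:619 is unconditional, so it builds on FreeBSD 3.5 (whose struct utmp has `ut_name`) by breaking every platform whose member is `ut_user`, which the covering text concedes ("obviously only on this platform"). The file already guards optional members with configure-generated macros, as the `# ifdef HAVE_HOST_IN_UTMP` two lines below shows, so the mergeable version is a configure test for `ut_name` plus a single mapping in config.h (something like `#define ut_user ut_name` under a hypothetical `HAVE_NAME_IN_UTMP`), leaving this line as it was.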
@@ -1006,8 +1006,8 @@ static int wtmp_islogin(struct logininfo *li, struct utmp *ut) { - if (strncmp(li->username, ut->ut_user, - MIN_SIZEOF(li->username, ut->ut_user)) == 0) { + if (strncmp(li->username, ut->ut_name, + MIN_SIZEOF(li->username, ut->ut_name)) == 0) { # ifdef HAVE_TYPE_IN_UTMP if (ut->ut_type & USER_PROCESS) return 1; @@ -1161,7 +1161,7 @@ static int wtmpx_islogin(struct logininfo *li, struct utmpx *utx) { - if ( strncmp(li->username, utx->ut_user, + if ( strncmp(li->username, utx->ut_name, MIN_SIZEOF(li->username, utx->ut_user)) == 0 ) { # ifdef HAVE_TYPE_IN_UTMPX if (utx->ut_type == USER_PROCESS) And here's a startup script. #!/bin/sh # sshd startup script for FreeBSD 3.5-STABLE, should work elsewhere # Name it /usr/local/etc/rc.d/sshd.sh # Note without the .sh it won't execute from boot # darren at horseplay.demon.co.uk PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin bindir=/usr/local/sbin pid_file=/var/run/sshd.pid export PATH mode=$1 case "$mode" in 'start') # Start daemon if test -x $bindir/sshd then $bindir/sshd else echo "Can't execute $bindir/sshd" fi ;; 'stop') # Stop daemon. if test -f "$pid_file" then mysqld_pid=`cat $pid_file` echo "Killing sshd with pid $mysqld_pid" kill $mysqld_pid # sshd should remove the pid_file when it exits, so wait for it. sleep 1 while [ -s $pid_file -a "$flags" != aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ] do [ -z "$flags" ] && echo "Wait for sshd to exit\c" || echo ".\c" flags=a$flags sleep 1 done if [ -s $pid_file ] then echo " gave up waiting!" elif [ -n "$flags" ] then echo " done" fi else echo "No sshd pid file found. Looked for $pid_file." fi ;; *) # usage echo "usage: $0 start|stop" exit 1 ;; esac --- From cshihpin at dso.org.sg Wed Jul 5 18:02:38 2000 
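Review bot: the rename in wtmp_islogin() has the same portability problem as the construct_utmp() hunk and would be covered by the same configure-time mapping instead of a source edit. While here, the unchanged context `if (ut->ut_type & USER_PROCESS)` tests the type with a bitwise AND, whereas the wtmpx counterpart below uses `utx->ut_type == USER_PROCESS`; ut_type holds one of a small set of enumerated values rather than a bit mask, so the AND also matches unrelated record types and the two tests should agree on `==`.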
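Review bot: the wtmpx_islogin() hunk is only half applied: the first strncmp argument becomes `utx->ut_name`, but the unchanged second line still reads `MIN_SIZEOF(li->username, utx->ut_user)`, so where struct utmpx lacks `ut_user` it still fails to compile, and where it has both members the length is taken from a different field than the one compared. Change both references together, or leave wtmpx_islogin() out of this FreeBSD-only fix; the configure output posted earlier in this thread found no utmpx fields at all on the 3.5 box, so this function should not be compiled there anyway.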
From: cshihpin at dso.org.sg (Chan Shih-Ping Richard)
Date: Wed, 5 Jul 2000 16:02:38 +0800 (SGT)
Subject: Openssh-2.1.1p2 BUG? X11 forwarding no longer works
Message-ID: 

BUG: X11 forwarding no longer works in Openssh-2.1.1p2.

I think this is due to the wrong sense of the test in session.c:1372

session_x11_req(Session *s)
{
	if (!no_port_forwarding_flag) {
		debug("X11 forwarding disabled in user configuration file.");
		return 0;
	}

It should be

session_x11_req(Session *s)
{
	if (no_port_forwarding_flag) {
		debug("X11 forwarding disabled in user configuration file.");
		return 0;
	}

-- 
Chan Shih-Ping (Richard)
DSO National Laboratories
20 Science Park Drive
Singapore 118230

From Nils at InfoSun.FMI.Uni-Passau.De Wed Jul 5 18:17:58 2000
From: Nils at InfoSun.FMI.Uni-Passau.De (Nils Ellmenreich)
Date: Wed, 5 Jul 2000 10:17:58 +0200 (MEST)
Subject: Control-c not work under openssh?
Message-ID: <14690.61238.790043.192241@skrjabin.fmi.uni-passau.de>

>>>"JH" == John Horne writes:

JH> I'm using openSSH 2.1.1p2 from my Linux PC to Solaris 7 and 8 systems (using
JH> 2.1.1p1). No problem, except that if I run a program on the Sun, having used
JH> slogin to connect to it, and then try and issue a control-c to break into
JH> the program it seems to be ignored. I can control-z and then kill the
...

Hi,

I got the same problem and want to add some details that might help to track down the problem. We have a heterogeneous environment of Solaris 2.6 and 8 and Linux, most using ssh 1.x and some OpenSSH 2.1.1p1.

After some testing, we are certain that the problem is with the OpenSSH daemon. The ctrl-c is ignored whenever the target host runs this sshd on Solaris 8 (didn't try 2.6; no problem on Linux). The problem exists if the user has a Bourne shell or a bash. However, if you invoke (in a broken tty/shell) either /bin/su or zsh, ctrl-c works again. The stty -a output in a broken and a not-broken tty are the same.

sshd might be doing something wrong when initializing the pty/tty. A truss/strace comparison of Solaris 8 and Linux shows that the Linux sshd does some more ioctls on the tty during login. Maybe su and zsh repair the problem by default but bash and sh don't.

Hope that helps someone who knows more about this stuff ... ;-)

Cheers,
Nils
-- 
Nils Ellmenreich - Fakultaet fuer Math./Informatik - Nils @
http://www.fmi.uni-passau.de/~nils - Univ. Passau - Uni-Passau.DE

From J.Horne at plymouth.ac.uk Wed Jul 5 19:04:08 2000
From: J.Horne at plymouth.ac.uk (John Horne)
Date: Wed, 05 Jul 2000 10:04:08 +0100 (BST)
Subject: Control-c not work under openssh?
In-Reply-To: <14690.61238.790043.192241@skrjabin.fmi.uni-passau.de>
Message-ID: 

On 05-Jul-00 at 08:17:58 Nils Ellmenreich wrote:
> 
> sshd might be doing something wrong when initializing the
> pty/tty. A truss/strace comparison of Solaris 8 and Linux shows that the
> Linux sshd does some more ioctls on the tty during login. Maybe su and
> zsh repair the problem by default but bash and sh don't.
> 
> 
Well, thanks for the confirmation that it isn't just me :-) A minor point I'd also add is that I use the Korn shell (ksh) on Solaris 7. It happens with ksh as well.

John.

--------------------------------------------------------------------------
John Horne, University of Plymouth, UK            Tel: +44 (0)1752 233914
E-mail: jhorne at plymouth.ac.uk
PGP key available from public key servers

From cshihpin at dso.org.sg Wed Jul 5 19:25:28 2000
From: cshihpin at dso.org.sg (Chan Shih-Ping Richard)
Date: Wed, 5 Jul 2000 17:25:28 +0800 (SGT)
Subject: OpenSSH-2.1.1p2: Is this misuse of strtok?
Message-ID: 

Is this a misuse of strtok() in OpenSSH-2.1.1p2?

readconf.c:process_config_line() calls strtok() to parse config lines. When it finds oProtocol it calls compat.c:proto_spec(), which in turn uses strtok(). However, on return of proto_spec(), process_config_line() calls strtok() once more to (quoting from the source code)

	/* Check that there is no garbage at end of line. */

But surely strtok() is being called with the context established by proto_spec() rather than the original context.

A similar problem seems to occur in servconf.c.

-- 
Chan Shih-Ping (Richard)
DSO National Laboratories
20 Science Park Drive
Singapore 118230

From edmundo at rano.org Wed Jul 5 19:40:39 2000
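The nested strtok() clobbering described in the report above, as an added example that is not OpenSSH's code: a small Protocol-line parser modelled on process_config_line() and proto_spec(), once in the strtok() form that loses the trailing-garbage check and once in a strtok_r() form whose list walk keeps its own state. The names parse_protocol_line(), proto_spec_buggy() and proto_spec_fixed(), the SSH_PROTO_* values and the sample line are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L   /* for strtok_r() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed for this demonstration; not OpenSSH's own definitions. */
#define SSH_PROTO_1  1
#define SSH_PROTO_2  2
#define WHITESPACE   " \t\r\n"

/* Like the reported proto_spec(): walks "2,1" with strtok(), which silently
 * overwrites the single, process-wide strtok() context the caller is using.
 * Returns the protocol bitmask, or -1 on an unrecognised entry. */
static int proto_spec_buggy(char *spec)
{
    int ret = 0;
    char *p;

    for (p = strtok(spec, ","); p != NULL; p = strtok(NULL, ",")) {
        switch (atoi(p)) {
        case 1: ret |= SSH_PROTO_1; break;
        case 2: ret |= SSH_PROTO_2; break;
        default: return -1;
        }
    }
    return ret;
}

/* Fixed: a private strtok_r() state, so the caller's tokenizer is untouched.
 * (Working on a private copy with strsep() is the other common repair.) */
static int proto_spec_fixed(char *spec)
{
    int ret = 0;
    char *p, *state;

    for (p = strtok_r(spec, ",", &state); p != NULL;
         p = strtok_r(NULL, ",", &state)) {
        switch (atoi(p)) {
        case 1: ret |= SSH_PROTO_1; break;
        case 2: ret |= SSH_PROTO_2; break;
        default: return -1;
        }
    }
    return ret;
}

/* Parses one "Protocol <spec>" line the way process_config_line() does:
 * keyword, argument, then a check for garbage at the end of the line.
 * Returns the protocol bitmask (>= 0), -1 for a malformed line, or -2
 * when trailing garbage is rejected. `fixed` selects strtok_r() throughout. */
static int parse_protocol_line(const char *line, int fixed)
{
    char buf[256], *state = NULL;
    char *keyword, *arg, *garbage;
    int mask;

    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);             /* both tokenizers modify their input */

    if (fixed) {
        keyword = strtok_r(buf, WHITESPACE, &state);
        arg = keyword ? strtok_r(NULL, WHITESPACE, &state) : NULL;
    } else {
        keyword = strtok(buf, WHITESPACE);
        arg = keyword ? strtok(NULL, WHITESPACE) : NULL;
    }
    if (keyword == NULL || arg == NULL || strcmp(keyword, "Protocol") != 0)
        return -1;

    mask = fixed ? proto_spec_fixed(arg) : proto_spec_buggy(arg);
    if (mask < 0)
        return -1;

    /* "Check that there is no garbage at end of line."  In the buggy path
     * strtok(NULL, ...) now resumes from the exhausted "2,1" list, so it
     * returns NULL and whatever follows the argument is never seen. */
    garbage = fixed ? strtok_r(NULL, WHITESPACE, &state)
                    : strtok(NULL, WHITESPACE);
    if (garbage != NULL)
        return -2;

    return mask;
}

int main(void)
{
    /* Constructed config line: the word "trailing" is the garbage. */
    const char *line = "Protocol 2,1 trailing";

    printf("buggy: %d (garbage accepted, mask returned)\n",
           parse_protocol_line(line, 0));
    printf("fixed: %d (-2 = trailing garbage rejected)\n",
           parse_protocol_line(line, 1));
    return 0;
}
```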
From: edmundo at rano.org (Edmund GRIMLEY EVANS)
Date: Wed, 5 Jul 2000 10:40:39 +0100
Subject: ssh ignores -f with protocol version 2
Message-ID: <20000705104039.A25999@daisy.vocalis.com>

Subject line says it all. I couldn't find an on-line bug database to check whether this has already been reported.

I'm testing openssh-2.1.1p2 on Linux.

Perhaps this isn't a bug, but it's certainly an incompatibility with "SSH Version 2.0.13", which I want to replace, and I can't find another way of achieving what I currently do with:

$ ssh -C -f user at host -L 12345:host:110 sleep 100000000

Of course, I'd rather do something like:

$ ssh -C -f user at host -L 12345:host:110 -N

But that gets: "Cannot fork into background without a command to execute." So I think that's perhaps a separate bug: I think -f -N ought to work.

Please copy replies to me. I'm not subscribed. I'd be happy to test a patch.

Edmund

From Hendrik.Baars at nl.origin-it.com Thu Jul 6 01:11:21 2000
From: Hendrik.Baars at nl.origin-it.com (Baars, Henk)
Date: Wed, 5 Jul 2000 17:11:21 +0200
Subject: openssh compile error on TRU64 4.0D
Message-ID: <91C07B5BD6BBD011835100805FC1EB33EDD1AC@nlehx001.ehvrun.nl.origin-it.com>

L.S.

We have a problem compiling the latest ssh (openssh2.1.1p2) on TRU64 Unix 4.0D. We got the following error message:

...
auth1.c:507: `saved_argv' undeclared (first use in this function)
....
auth1.c:509: warning: passing arg 4 of `sia_validate_user' discards qualifiers from pointer target type
*** Exit 1

where line 509 ===>

(sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, "") == SIASUCCESS))

I read the archive mails and adjusted the auth1.c source file according to the latest info (by John Speno on 7/3) but without success (so there seems to be a difference between TRU64 5.0A and 4.0D), or did I overlook something obvious?

Any help would be appreciated.

Kind regards,
Henk Baars

From ETARDIEU at CPR.FR Thu Jul 6 02:26:57 2000
From: ETARDIEU at CPR.FR (TARDIEU Emmanuel)
Date: Wed, 5 Jul 2000 18:26:57 +0200
Subject: some problems reading rsa/dsa keys
Message-ID: <5BF932D2CD05D211B54800805FE60FEB08F525B0@serv-hermes.systeme.cpr.fr>

Hi people,

Please excuse this rather long debug output...

$ uname -a
SunOS echelon 5.6 Generic_105181-17 sun4u sparc SUNW,Ultra-Enterprise

$ /usr/local/openssh/bin/ssh -v x.x.x.x
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /usr/local/etc/ssh_config
debug: Applying options for *
debug: ssh_connect: getuid 1002 geteuid 0 anon 0
debug: Connecting to x.x.x.x [x.x.x.x] port x.
debug: Connection established.
debug: Remote protocol version 2.0, remote software version 2.0.13 (non-commercial)
datafellows: 2.0.13 (non-commercial)
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-2.0-OpenSSH_2.1.1
debug: loaded 20 entropy commands from /usr/local/etc/ssh_prng_cmds
debug: Seeding random number generator.
debug: OpenSSL random status is now 0
debug: 3 bytes from system calls
debug: Command 'arp -a -n' timed out
debug: 31 bytes from programs
debug: OpenSSL random status is now 1
debug: loading PRNG seed from file /export/home/joe/.ssh/prng_seed
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit: diffie-hellman-group1-sha1
debug: got kexinit: ssh-dss
debug: got kexinit: blowfish-cbc
debug: got kexinit: blowfish-cbc
debug: got kexinit: hmac-md5,md5-8,none
debug: got kexinit: hmac-md5,md5-8,none
debug: got kexinit: none,zlib
debug: got kexinit: none,zlib
debug: got kexinit: 
debug: got kexinit: 
debug: first kex follow: 0
debug: reserved: 0
debug: done
debug: kex: server->client blowfish-cbc hmac-md5 none
debug: kex: client->server blowfish-cbc hmac-md5 none
debug: Sending SSH2_MSG_KEXDH_INIT.
debug: bits set: 492/1024
debug: Wait SSH2_MSG_KEXDH_REPLY.
debug: Got SSH2_MSG_KEXDH_REPLY.
debug: keytype ssh-dss
debug: keytype ssh-dss
debug: Host 'x.x.x.x' is known and matches the DSA host key.
debug: bits set: 536/1024
debug: len 40 datafellows 15
debug: dsa_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: buggy server: service_accept w/o service
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue: publickey
debug: key does not exist: /export/home/joe/.ssh/id_dsa
Permission denied (publickey).
debug: Calling cleanup 0x4e754(0x0)
debug: writing PRNG seed to file /export/home/joe/.ssh/prng_seed
debug: Calling cleanup 0x49204(0x0)

$ cat /usr/local/etc/ssh_config
# This is ssh client systemwide configuration file. This file provides
# defaults for users, and the values can be changed in per-user configuration
# files or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
# ForwardAgent yes
# ForwardX11 yes
# RhostsAuthentication yes
# RhostsRSAAuthentication yes
# RSAAuthentication yes
# PasswordAuthentication yes
# FallBackToRsh yes
# UseRsh no
# BatchMode no
# CheckHostIP yes
# StrictHostKeyChecking no
# IdentityFile ~/.ssh/identity
# Port 22
# Protocol 2,1
# Cipher 3des
# EscapeChar ~

# Be paranoid by default
Host *
ForwardAgent no
ForwardX11 yes
RSAAuthentication yes
FallBackToRsh no
IdentityFile ~/.ssh2/identification
Port x
Protocol 2

$ cat .ssh/identification
IdKey joe_dsa_1024

So, why doesn't the damn thing read the correct key? The key was generated by ssh-2.0.13; it's a generic 1024-bit DSA key.
Thanks,
Emmanuel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000705/d4fbc3d7/attachment.html

From Pete.Chown at skygate.co.uk Thu Jul 6 03:45:18 2000
From: Pete.Chown at skygate.co.uk (Pete Chown)
Date: Wed, 5 Jul 2000 18:45:18 +0100
Subject: Openssh-2.1.1p2 BUG? X11 forwarding no longer works
In-Reply-To: ; from cshihpin@dso.org.sg on Wed, Jul 05, 2000 at 04:02:38PM +0800
References: 
Message-ID: <20000705184518.B4464@hyena.skygate.co.uk>

Chan Shih-Ping Richard wrote:

> BUG: X11 forwarding no longer works in Openssh-2.1.1p2.
> 
> I think this is due to the wrong sense of the test
> in session.c:1372

Yes, I've noticed this as well. There seems to be a similar issue with the -L style forwarding. Perhaps this is caused by the test on serverloop.c:725. I'm not sure without trying it, though. I don't mind doing this if it is any help to anyone.

-- 
Pete

From heinlein at cse.ogi.edu Thu Jul 6 06:56:14 2000
From: heinlein at cse.ogi.edu (Paul Heinlein)
Date: Wed, 5 Jul 2000 13:56:14 -0700 (PDT)
Subject: pine/openssh
In-Reply-To: 
Message-ID: 

On Sun, 18 Jun 2000, Damien Miller wrote:

> The output of ssh in verbose mode would be preferable to tcpdumps. To
> capture this you might need to create a wrapper script that runs "ssh
> -v" and directs stderr to a log file. Use the wrapper instead of ssh
> in your pinerc.

Now here's an odd thing.

If my .pinerc specifies an ssh-path that points directly at /usr/local/bin/ssh, then pine will not connect to our imap server in ssh mode (it falls back to plain-text imap authentication).

Oddly, however, things work just fine under openssh-2.1.1p{1,2} if I point ssh-path at a very simple wrapper script:

#!/bin/sh
# pass pine's arguments through unchanged and discard ssh's stderr
/usr/local/bin/ssh "$@" 2> /dev/null

. Paul Heinlein . . . . . . . . . . . Webmaster, Systems Administrator .
. Department of Computer Science and Engineering . . . . . . . . . . .
. Oregon Graduate Institute of Science and Technology . . . . . . . .
. Beaverton, Oregon, USA . . . . 503-748-1199 http://www.cse.ogi.edu/~heinlein/ .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

From drnick-ssh at totl.net Thu Jul 6 09:59:21 2000
From: drnick-ssh at totl.net (Nick Lamb)
Date: Thu, 6 Jul 2000 00:59:21 +0100
Subject: Misleading SCP server error?
Message-ID: <20000706005921.A1524@teleute.house>

(Not a subscriber, please CC me into relevant discussion only)

I'm not sure if it's fixable, but this error message from scp in OpenSSH seems to be at least irrelevant, if not completely misleading...

prompt> scp remote.example.com:/non-existent/directory/*glob* .
select: Bad file descriptor

server: OpenSSH openssh-server-2.1.1p1-1
client: OpenSSH openssh-2.1.1p1-1

When the same client is used with proprietary SSH 1.2.x provided by our local systems team, the error message is:

scp: No match.

Which is *much* more what I would expect. The error messages for a single missing file are OK, as are those for a directory-in-a-file-context, things which can't/shouldn't be copyable, and so on.

If this is fixed in current CVS, please ignore; otherwise I hope someone can fix this for 2.1.2 or later.

Thanks for your time,

Nick.

From GLeblanc at cu-portland.edu Thu Jul 6 14:13:56 2000
From: GLeblanc at cu-portland.edu (Gregory Leblanc)
Date: Wed, 5 Jul 2000 21:13:56 -0700
Subject: OpenSSH on RH SPARC
Message-ID: 

Anybody made OpenSSH work on a SPARC machine yet? I managed to get OpenSSL to compile correctly, via a patch to fix the location of perl (on RPM based systems, it will almost always be in /usr/bin/perl, not in /usr/local/bin/perl), and a small patch to the spec file to allow for SPARC builds. That RPM is built and installed without any errors that I can detect. OpenSSH is failing during a key generation step; the exact error messages I'll have in a few hours when this compile finishes. Here's a quote from the build:

Generating RSA Keys: (gook goes here)
Key generation complete.
Saving the key failed: /etc/ssh/ssh_host_key: no such file or directory
Generating the DSA parameter and key.
Saving the key failed: /etc/ssh/ssh_host_dsa_key: no such file or directory
etc.

Now, I can make these errors go away by creating /etc/ssh, but it seems that since it's building into someplace, shouldn't it be creating these darn things there? Is there any way to tell the makefile NOT to create the bloody keys, since it takes forever, and the keys get discarded anyway? Any good thoughts for me?

Grego

BTW, anybody know why OpenSSL is so slow to build? I think I could almost do a complete Linux kernel re-compile in the amount of time it takes to rebuild that RPM.

|---------------------------------------------------|
| Windows NT has detected that there were no errors |
| for the past 10 minutes. The system will now try  |
| to restart or crash. Click the OK button to       |
| continue.                                         |
|                     < Ok >                        |
|---------------------------------------------------|
(sigline nicked from Jayan M on comp.os.linux.misc)

From herrold at owlriver.com Thu Jul 6 14:38:01 2000
From: herrold at owlriver.com (R P Herrold)
Date: Thu, 6 Jul 2000 00:38:01 -0400 (EDT)
Subject: OpenSSH on RH SPARC
In-Reply-To: 
Message-ID: 

On Wed, 5 Jul 2000, Gregory Leblanc wrote:

> Anybody made OpenSSH work on a SPARC machine yet?

> Now, I can make these errors go away by creating /etc/ssh, but it seems that
> since it's building into someplace, shouldn't it be creating these darn
> things there?

ummm, if all you got was an install error, regarding the missing directory, make the directory, and re-install the RPMs -- no need to recompile for that. There is some error in the OpenSSH spec file you are using --- you don't specify which, and whose. I am aware of at least two competing versions, in general circulation.

> BTW, anybody know why OpenSSL is so slow to build? I think I could almost
> do a complete Linux kernel re-compile in the amount of time it takes to
> rebuild that RPM.

On the sparc, I think the numeric handling is not well up to snuff, compared to that which one might be used to on the i386 line. A lot is done in math routines rather than at the chip level, and it does seem to drag ...

... Unfortunately this carries over to runtime --- I am quite unhappy with sshd performance on the Sparcs.

-- end
================================== .-- -... ---.. ... -.- -.--
Copyright (C) 2000 R P Herrold
herrold at owlriver.com NIC: RPH5 (US)
My words are not deathless prose, but they are mine.
Owl River Company 614 - 221 - 0695
"The World is Open to Linux (tm)"
... Open Source LINUX solutions ...
info at owlriver.com Columbus, OH

From GLeblanc at cu-portland.edu Thu Jul 6 15:09:20 2000
From: GLeblanc at cu-portland.edu (Gregory Leblanc)
Date: Wed, 5 Jul 2000 22:09:20 -0700
Subject: OpenSSH on RH SPARC
Message-ID: 

> -----Original Message-----
> From: R P Herrold [mailto:herrold at owlriver.com]
> Sent: Wednesday, July 05, 2000 9:38 PM
> To: Gregory Leblanc
> Cc: OpenSSH List (E-mail)
> Subject: Re: OpenSSH on RH SPARC
> 
> On Wed, 5 Jul 2000, Gregory Leblanc wrote:
> 
> > Anybody made OpenSSH work on a SPARC machine yet?
> 
> > Now, I can make these errors go away by creating /etc/ssh, but it seems that
> > since it's building into someplace, shouldn't it be creating these darn
> > things there?
> 
> ummm, if all you got was an install error, regarding the
> missing directory, make the directory, and re-install the RPMs
> -- no need to recompile for that. There is some error in the
> OpenSSH spec file you are using --- you don't specify which,
> and whose. I am aware of at least two competing versions, in
> general circulation.

Whoops, sorry for being so vague. I'm using the version from the OpenSSH ftp site. The maintainer is somebody at mindrot.org, so I figured this had to be the right list, although I've never gotten an acknowledgement of any of my emails to him. Is the other RPM better, and if so, where do I get it? The error that I'm getting is part of the RPM rebuild, and so the binary RPM doesn't get written. :-( As I said, I can get a binary RPM by creating that directory beforehand, but is that kosher? I think that it should be creating that in the Build-root directory, and NOT where the RPM is going to be installed. Maybe I should point this back at the RPM list...

> > BTW, anybody know why OpenSSL is so slow to build? I think I could almost
> > do a complete Linux kernel re-compile in the amount of time it takes to
> > rebuild that RPM.
> 
> On the sparc, I think the numeric handling is not well up to
> snuff, compared to that which one might be used to on the i386
> line. A lot is done in math routines rather than at the chip
> level, and it does seem to drag ...
> 
> ... Unfortunately this carries over to runtime --- I am quite
> unhappy with sshd performance on the Sparcs.
Can you elaborate, off list if it's not appropriate? Is this a limitation with the Linux kernel, or with the OpenSSH code, or with the GCC compiler? If it's with the kernel, are the *BSD's or Solaris any better? If with the compiler, have you tried any others? If OpenSSH, uhm, bummer. Not going to try anything else, as OpenSSH kicks butt. Maybe somebody should look at the code, but it won't be me. Thanks for the help, Grego From J.Horne at plymouth.ac.uk Thu Jul 6 20:44:51 2000 
From: J.Horne at plymouth.ac.uk (John Horne) Date: Thu, 06 Jul 2000 11:44:51 +0100 (BST) Subject: SSH backups - 1hr daytime; 8hrs nighttime Message-ID: Hi, I posted the following message to the RedHat linux list to see if anyone had any thoughts about this problem. I have only received a few replies, all of which state that they have experienced poor performance problems with ssh on Solaris. They do not, however, state if it is openssh, which version, what hardware, or what version of Solaris. (All I can say is that we have had no problems with openssh (2.1.1p1/2) on Solaris 7/8 with hardware from an E3000 down to an old sparc classic.) Anyway, I wondered if anyone on this list had any ideas of what might be causing a remote backup to take much longer overnight than during the day. I have now run 'top' on both systems overnight and noticed nothing unusual. A remote backup using ssh from the sparc classic to a sparcstation20, overnight, of 1GB takes about 90mins. So 2GB would take about 3hours. Why then does my P200 system to an Ultra 10 take over 8 hours? Any ideas appreciated. Here's the original message: ------- I've recently set up remote ssh backups from my work RH6.1 linux PC to one of our Sun systems. The backup occurs once a week overnight. No problem with this generally, in as much as it works (sort of) fine. The PC is a 200MHz system with an internal 6GB and 1 GB disk. The amount of data being backed up is about 2GB from the 6GB disk. The Sun system is an Ultra 10 running Solaris 8, and I'm using openSSH 2.1.1p1 on the Sun; 2.1.1p2 on the PC. Backup occurs over our local network, which may have its problems but is generally okay. When I was testing the setup - during the daytime - the backup took about one hour. This was with me doing other things on the PC whilst it was going on. Again, no problem. I configured the backup to run overnight via cron on the PC. It was to start at 1am. However, it took over 8 hours for the backup to complete! 
The throughput from the log file shows it at about 73KB/s (from last night's log). This takes it to about 09:30 by which time I am in work and log in. I can see the backup is still going, and when it comes to back up the final small partition (5MB in size), it does this in a few seconds and with a throughput of 712KB/s which is more like the throughput I get during the day! So why is the backup taking so long? I have checked for overnight cron jobs and disabled the cron.daily run (which kicks in at 4am). I ran top every 15mins (again via cron) overnight when the backup was not running, and could not really see any problem. However the system did seem to be 'busy' during the night despite no-one using the system. The %system and %nice values seemed high (he says having now deleted the actual log file...:-( ) and typically the system only ever got to about 60% idle. I get more than this during the day (around 90% right now). Anyone have any ideas about this? -------- That's it. Thanks, John. -------------------------------------------------------------------------- John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914 E-mail: jhorne at plymouth.ac.uk PGP key available from public key servers From Steve.Marquess at DET.AMEDD.ARMY.MIL Fri Jul 7 00:06:53 2000 
From: Steve.Marquess at DET.AMEDD.ARMY.MIL (Marquess, Steve Mr JMLFDC) Date: Thu, 6 Jul 2000 10:06:53 -0400 Subject: 2.1.1p2 HP-UX 11 timing error Message-ID: FYI in order to get 2.1.1p2 to work on my HP-UX 11.0 systems I had to patch atomicio.c for EWOULDBLOCK (HP read() does not give the POSIX return code). The new atomicio() is a clean fix for this timing problem; all it needs now is this one little tweak. Also had the "General Commercial Security" error (PAM_TERM_ERROR from pam_acct_mgmt()) which I have very crudely addressed for now by hacking out that check entirely. *** atomicio.c Thu Jun 22 07:32:31 2000 --- /tmp/atomicio.c Thu Jul 6 09:03:30 2000 *************** *** 46,52 **** res = (f) (fd, s + pos, n - pos); switch (res) { case -1: ! if (errno == EINTR || errno == EAGAIN) continue; case 0: return (res); --- 46,56 ---- res = (f) (fd, s + pos, n - pos); switch (res) { case -1: ! if (errno == EINTR || errno == EAGAIN ! #ifdef _HPUX_SOURCE ! || (errno == EWOULDBLOCK) ! #endif ! ) continue; case 0: return (res); Steve Marquess 301-663-1770 x238 / 301-619-3933 voice DMLSS Technical Manager DSN 343-3933 JMLFDC 301-663-6788 / 301-619-7831 fax 623 Porter Street steve.marquess at amedd.army.mil Ft. Detrick, MD 21702-5018 From carl at bl.echidna.id.au Fri Jul 7 09:59:09 2000 
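Review bot: keying the extra test on `_HPUX_SOURCE` ties the fix to one feature-test macro, which the build may not define even on HP-UX (gcc does not set it unless asked); guarding on `#ifdef EWOULDBLOCK` instead, or comparing unconditionally since on systems where EWOULDBLOCK equals EAGAIN the extra comparison is a no-op, makes the retry correct wherever a non-blocking read reports EWOULDBLOCK. Splitting the condition across `#ifdef` lines also leaves a lone `)` on its own line; a single `errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK` line is easier to read and review.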
From: carl at bl.echidna.id.au (carl at bl.echidna.id.au) Date: Fri, 7 Jul 2000 09:59:09 +1000 (EST) Subject: PAM on OPenBSD for OpenSSH? Message-ID: <200007062359.e66Nx9Z05211@rollcage.bl.echidna.id.au> I know this is slightly off-topic. I'm looking at a way to use PAM with OpenSSH, on OpenBSD 2.7 (which at the moment as far as I can tell has no PAM support). I wonder how hard it would be to spoof the config of the portable OpenSSH into thinking it was on something that supported PAM, and then having a wrapper of some sort to connect to a PAM module? Some background: I have a requirement to allow ssh (preferably OpenSSH) into an OpenBSD box, using radius authentication. I know of a good PAM radius module which will work on Solaris and GNU/Linux, but I want to get it working on OpenBSD also (as that's what I'm using for a remote client site firewall ... I know, radius may not be ideal for this, but combined with IPsec it's "pretty secure"). Thanks for any clues or suggestions. Carl From mouring at pconline.com Fri Jul 7 10:09:17 2000 
From: mouring at pconline.com (Ben Lindstrom) Date: Thu, 6 Jul 2000 19:09:17 -0500 (CDT) Subject: PAM on OPenBSD for OpenSSH? In-Reply-To: <200007062359.e66Nx9Z05211@rollcage.bl.echidna.id.au> Message-ID: On Fri, 7 Jul 2000 carl at bl.echidna.id.au wrote: > > I know this is slightly off-topic. > > I'm looking at a way to use PAM with OpenSSH, on OpenBSD 2.7 (which > at the moment as far as I can tell has no PAM support). > > I wonder how hard it would be to spoof the config of the portable > OpenSSH into thinking it was on something that supported PAM, and > then having a wrapper of some sort to connect to a PAM module? > I suggest picking up and compiling the PAM package from your favorite Linux archives. And then you should be able to get OpenSSH portable to link against it and use it, while all of your normal services are supported normally. Granted, this adds confusion to the mix, and would be generally frowned on. But it's a solution. Ben Lindstrom From carl at bl.echidna.id.au Fri Jul 7 11:56:29 2000 
From: carl at bl.echidna.id.au (carl at bl.echidna.id.au) Date: Fri, 7 Jul 2000 11:56:29 +1000 (EST) Subject: radius support? (was Re: PAM on OPenBSD for OpenSSH? Message-ID: <200007070156.e671uTV05619@rollcage.bl.echidna.id.au> Further to my original question about PAM on OpenBSD for OpenSSH, it may be non-trivial to get any PAM stuff onto OpenBSD (Thanks to Ben Lindstrom for his suggestion, which I'll try, using a gnu/loonucks PAM package, any suggestions for which one to use, or where to get it from? I'm not very clueful when it comes to GNU/linux). So, I remember in a past life hacking support for other auth into erpcd (Annex TS's), and it wasn't rocket science to do, so I'd have to guess that hacking a radius client into openSSH wouldn't be too hard either? I've had the Merit one suggested, but before I do anything, is anyone 1. working on this already? 2. interested in doing this (ie: should I pass my hacks back to the OpenSSH maintainers to include/laugh at?) 3. know of a better way to get OpenSSH's daemon to authenticate against a remote radius server? thanks again Carl From sjl at zepler.org Fri Jul 7 23:20:48 2000 From: sjl at zepler.org (Simon Liddington) Date: Fri, 7 Jul 2000 14:20:48 +0100 (BST) Subject: ssh -f does not work Message-ID: ssh -f host xterm doesn't background the process. I'm running 2.1.1p2 (2.1.1p1 does this too) on RedHat linux 6. It works for protocol 1 though. I also get the "Transport endpoint is not connected" thing and have some output of "ssh -v" for this if anyone wants it but I see Damien has it in hand now. Simon ----------------------------------------------------------------------- | Simon Liddington | Tel (home) : 01703 237935 | | E-Mail : sjl at zepler.org | Tel (work) : 01420 544952 | ----------------------------------------------------------------------- From mkiernan at avantgo.com Sat Jul 8 02:27:46 2000 
From: mkiernan at avantgo.com (Michael Kiernan) Date: Fri, 07 Jul 2000 09:27:46 -0700 Subject: keyboard-interactive authentication mehtod? Message-ID: <20000707162746.8DECFF811@nayarit.avantgo.com> Hi all, I noticed that support for the keyboard-interactive user authentication method is mentioned on the "todo" list in the README.openssh2 file. Is anybody actively working on this? Thanks, Mike -- Michael Kiernan mkiernan at avantgo.com +1-650-638-7581 From stevesk at sweden.hp.com Sat Jul 8 02:49:16 2000 From: stevesk at sweden.hp.com (Kevin Steves) Date: Fri, 7 Jul 2000 18:49:16 +0200 (METDST) Subject: 2.1.1p2 HP-UX 11 PAM General Commerical Security error In-Reply-To: <200007031356.PAA09983@b0fh.sweden.hp.com> Message-ID: On Mon, 3 Jul 2000, Kevin Steves wrote: > Jul 3 15:19:29 robinson sshd[1293]: PAM rejected by account configuration: [32] General Commercial Security error > > which is: > > #define PAM_TERM_ERROR 32 /* Terminal database corruption or > no corresponding entry found */ > > I'm not sure at this point what this could indicate, but I'll try to > track it down. Not much progress made other than I discovered I don't get this error and can log in successfully when running the server in debug mode (i.e., "sshd -d"). Strange. Any ideas? From nalin at redhat.com Sat Jul 8 04:04:38 2000 
From: nalin at redhat.com (Nalin Dahyabhai) Date: Fri, 7 Jul 2000 14:04:38 -0400 Subject: radius support? (was Re: PAM on OPenBSD for OpenSSH? In-Reply-To: <200007070156.e671uTV05619@rollcage.bl.echidna.id.au>; from carl@bl.echidna.id.au on Fri, Jul 07, 2000 at 11:56:29AM +1000 References: <200007070156.e671uTV05619@rollcage.bl.echidna.id.au> Message-ID: <20000707140438.F6562@devserv.devel.redhat.com> On Fri, Jul 07, 2000 at 11:56:29AM +1000, carl at bl.echidna.id.au wrote: > Further to my original question about PAM on OpenBSD for OpenSSH, > it may be non-trivial to get any PAM stuff onto OpenBSD (Thanks > to Ben Lindstrom for his suggestion, which I'll try, using a > gnu/loonucks PAM package, any suggestions for which one to use, or > where to get it from? I'm not very clueful when it comes to GNU/linux). The official home site is http://www.kernel.org/pub/linux/libs/pam/, though there's some stuff going on at http://pam.sourceforge.net/. Some tweaking of (or creation of an entirely new) .defs file will probably be necessary to build it properly on OpenBSD. Nalin From jasons at usemail.com Sat Jul 8 05:16:27 2000 From: jasons at usemail.com (Jason Spangler) Date: Fri, 07 Jul 2000 14:16:27 -0500 Subject: Patch to add scp -L option Message-ID: <39662C8B.6AC83326@usemail.com> Here is a patch to scp made against openssh-2.1.1p2 that adds the -L option to scp. The -L option tells scp to use nonprivileged ports (by passing ssh the -P option). The non-free ssh's scp has this option, and it is required under some firewall setups (like mine) for scp to function. Please let me know if there are any problems with this patch, or if there is anything I can do to help get this feature into the official openssh version. -------------- next part -------------- --- openssh-2.1.1p2.orig/scp.c Thu Jun 22 06:32:32 2000 +++ openssh-2.1.1p2/scp.c Fri Jul 7 12:28:27 2000 
@@ -8,6 +8,11 @@ * * 1995 Timo Rinne , Tatu Ylonen * + * Changes: + * + * 2000/7/7 Jason Spangler + * Added nonprivilaged port option -L that passes -P option to SSH + * */ /* @@ -93,6 +98,9 @@ and passphrase queries are not allowed). */ int batchmode = 0; +/* This is set to non-zero if a non-privilaged port is desired. */ +int nonprivilaged_port = 0; + /* This is set to the cipher type string if given on the command line. */ char *cipher = NULL; @@ -161,6 +169,8 @@ args[i++] = "-C"; if (batchmode) args[i++] = "-oBatchMode yes"; + if (nonprivilaged_port) + args[i++] = "-P"; if (cipher != NULL) { args[i++] = "-c"; args[i++] = cipher; @@ -252,7 +262,7 @@ extern int optind; fflag = tflag = 0; - while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46")) != EOF) + while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46L")) != EOF) switch (ch) { /* User-visible flags. */ case '4': @@ -300,6 +310,9 @@ case 'q': showprogress = 0; break; + case 'L': + nonprivilaged_port = 1; + break; case '?': default: usage(); @@ -406,16 +419,18 @@ else if (!okname(suser)) continue; (void) sprintf(bp, - "%s%s -x -o'FallBackToRsh no' -n -l %s %s %s %s '%s%s%s:%s'", + "%s%s%s -x -o'FallBackToRsh no' -n -l %s %s %s %s '%s%s%s:%s'", SSH_PROGRAM, verbose_mode ? " -v" : "", + nonprivilaged_port ? " -P" : "", suser, host, cmd, src, tuser ? tuser : "", tuser ? "@" : "", thost, targ); } else { host = cleanhostname(argv[i]); (void) sprintf(bp, - "exec %s%s -x -o'FallBackToRsh no' -n %s %s %s '%s%s%s:%s'", + "exec %s%s%s -x -o'FallBackToRsh no' -n %s %s %s '%s%s%s:%s'", SSH_PROGRAM, verbose_mode ? " -v" : "", + nonprivilaged_port ? " -P" : "", host, cmd, src, tuser ? tuser : "", tuser ? "@" : "", thost, targ); --- openssh-2.1.1p2.orig/scp.1 Wed Apr 12 21:26:37 2000 +++ openssh-2.1.1p2/scp.1 Fri Jul 7 12:25:32 2000 
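Review bot: the new global `nonprivilaged_port` and the comments in the scp.c `@@ -8,6 +8,11 @@` and `@@ -93,6 +98,9 @@` hunks misspell "privileged" (the scp.1 text in the same patch spells it correctly); rename to `nonprivileged_port` before this lands, since a misspelt global is awkward to fix once other code refers to it.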
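Review bot: the scp.c `@@ -252,7 +262,7 @@` hunk adds `L` to the getopt() string, but no hunk touches usage(), so the synopsis scp prints on a bad flag will not mention -L; mirror the scp.1 addition there so the built-in help and the manual page agree.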
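Review bot: in the scp.c `@@ -406,16 +419,18 @@` hunk both sprintf() calls gain an extra `%s` that can expand to ` -P`, but `bp` is sized outside this hunk; confirm that allocation has three bytes of headroom or, better, switch both calls to snprintf() with the buffer's size so a miscount fails closed instead of overflowing the command buffer.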
@@ -106,6 +106,14 @@ Forces .Nm to use IPv6 addresses only. +.It Fl L +Use a non-privileged port for outgoing connections. +This can be used if your firewall does +not permit connections from privileged ports. +Note that this option turns off +.Cm RhostsAuthentication +and +.Cm RhostsRSAAuthentication . .Sh AUTHORS Timo Rinne and Tatu Ylonen .Sh HISTORY --- openssh-2.1.1p2.orig/scp.0 Sat Jul 1 04:43:10 2000 +++ openssh-2.1.1p2/scp.0 Fri Jul 7 12:27:42 2000 @@ -56,6 +56,11 @@ -6 Forces scp to use IPv6 addresses only. + -L Use a non-privileged port for outgoing connections. This can be + used if your firewall does not permit connections from privileged + ports. Note that this option turns off RhostsAuthentication and + RhostsRSAAuthentication. + AUTHORS Timo Rinne and Tatu Ylonen From aaron at die.net Sat Jul 8 08:05:48 2000 From: aaron at die.net (Aaron Hopkins) Date: Fri, 7 Jul 2000 15:05:48 -0700 (PDT) Subject: Potentially insecure format string handling in PAM support Message-ID: -----BEGIN PGP SIGNED MESSAGE----- With the recent remote root Wu-ftpd exploit based upon incorrect format string handling (processing user-supplied data as format strings), I've taken to scanning any code with elevated permissions for similar problems. I found one in the portable version of OpenSSH. It's only outputting messages passed back by PAM, I think, so I don't think it's exploitable. But the format string processing isn't needed here, so it should be painless to remove. Here's the patch. -- Aaron - --- auth-pam.c~ Thu Jun 22 04:44:54 2000 +++ auth-pam.c Fri Jul 7 14:57:16 2000 
@@ -277,7 +277,7 @@ void print_pam_messages(void) { if (pam_msg != NULL) - - fprintf(stderr, pam_msg); + fputs(pam_msg, stderr); } /* Append a message to the PAM message buffer */ From djm at mindrot.org Sat Jul 8 10:14:34 2000 From: djm at mindrot.org (Damien Miller) Date: Sat, 8 Jul 2000 10:14:34 +1000 (EST) Subject: Potentially insecure format string handling in PAM support In-Reply-To: Message-ID: On Fri, 7 Jul 2000, Aaron Hopkins wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > With the recent remote root Wu-ftpd exploit based upon incorrect > format string handling (processing user-supplied data as format > strings), I've taken to scanning any code with elevated permissions > for similar problems. > > I found one in the portable version of OpenSSH. It's only outputting > messages passed back by PAM, I think, so I don't think it's > exploitable. But the format string processing isn't needed here, so > it should be painless to remove. Thanks - applied. --d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Sat Jul 8 10:16:19 2000 
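Review bot: replacing `fprintf(stderr, pam_msg)` with `fputs(pam_msg, stderr)` in the auth-pam.c `@@ -277,7 +277,7 @@` hunk is the right shape of fix: the buffer holds text handed back by PAM modules, so it must never be the format argument, and fputs() prints it verbatim with no change in output for ordinary messages. One practical note for whoever applies it: the `- -` opening the removed line is PGP clearsign dash-escaping, not part of the diff, so un-escape the message (gpg does this when verifying) before handing it to patch(1).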
From: djm at mindrot.org (Damien Miller) Date: Sat, 8 Jul 2000 10:16:19 +1000 (EST) Subject: 2.1.1p2 HP-UX 11 PAM General Commerical Security error In-Reply-To: <200007031228.OAA18209@b0fh.sweden.hp.com> Message-ID: On Mon, 3 Jul 2000, Kevin Steves wrote: > Trying 2.1.1p2 on HP-UX 11 (trusted system) I get: What pam configuration are you using? Yours is the first report of PAM on HP/UX. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Sat Jul 8 10:20:51 2000 From: djm at mindrot.org (Damien Miller) Date: Sat, 8 Jul 2000 10:20:51 +1000 (EST) Subject: Antwort: Re: sshd does not exit after scp (hpux 11.00 / ssh 2.1 .1p1) In-Reply-To: <41256911.0061EDC9.00@mailint.dmz.advance-bank.de> Message-ID: On Mon, 3 Jul 2000 kengelha at advance-bank.de wrote: > not really... On a non-trusted system with HP AnsiC it seems to work if > changing shutdown(fdin, SHUT_WR) to shutdown(fdin, SHUT_RDWR) > in serverloop.c (lines 320 & 464) > > On a trusted system with gcc however this does not seem to have any > effect. Here I use #define USE_PIPES 1 in includes.h as workaround Does USE_PIPES fix the problem on the non-trusted system as well? If so we can set this automatically in configure. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Sat Jul 8 10:39:16 2000 
From: djm at mindrot.org (Damien Miller) Date: Sat, 8 Jul 2000 10:39:16 +1000 (EST) Subject: OpenSSH-2.1.1p2: Is this misuse of strtok? In-Reply-To: Message-ID: On Wed, 5 Jul 2000, Chan Shih-Ping Richard wrote: > Is this a misuse of strtok() in OpenSSH-2.1.1p2? Yes. The error is pretty harmless - it will cause garbage at the end of "Protocol" lines to be ignored. Markus - is this worth fixing? --d > readconf.c:process_config_line() calls strtok() to > parse config lines. When it finds oProtocol it calls > compat.c:proto_spec() which in turns uses strtok(). > > However on return of proto_spec(), process_config_line() calls > strtok() once more to (quoting from the source code) > /* Check that there is no garbage at end of line. */ > > But surely strtok() is being called with the context established > by proto_spec() rather than the original context. > > A similar problem seems to occur in servconf.c. > > > -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From eli at kibucorp.com Sat Jul 8 10:50:36 2000 
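The nested strtok() problem Richard raises in the message above, as an added example that is not OpenSSH's code: simplified stand-ins for readconf.c:process_config_line() and compat.c:proto_spec() show why the "garbage at end of line" check passes silently when the callee also calls strtok(), and how a per-caller save pointer (strtok_r) restores it. The function names, return codes and WHITESPACE/PROTO_* constants are this example's own.

```c
/*
 * Added example, not OpenSSH code: simplified stand-ins for
 * readconf.c:process_config_line() and compat.c:proto_spec() showing
 * why the "garbage at end of line" check passes silently when the
 * callee also uses strtok(), and the strtok_r() fix.  Function names,
 * return codes and the constants below are this example's own.
 */
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <string.h>

/* POSIX prototype, repeated in case string.h was read in strict ISO mode. */
char *strtok_r(char *, const char *, char **);

#define WHITESPACE " \t\r\n"
#define PROTO_1 1
#define PROTO_2 2

/* Bit for one protocol name in a "1,2" style spec; 0 if unknown. */
static int proto_bit(const char *name)
{
	if (strcmp(name, "1") == 0)
		return PROTO_1;
	if (strcmp(name, "2") == 0)
		return PROTO_2;
	return 0;
}

/* Like the 2.1.1p2 proto_spec(): walks the spec with the one global strtok() state. */
static int proto_spec_strtok(char *spec)
{
	int mask = 0;
	char *p;

	for (p = strtok(spec, ","); p != NULL; p = strtok(NULL, ","))
		mask |= proto_bit(p);
	return mask;
}

/* Same parse, but with a save pointer that belongs to this call only. */
static int proto_spec_r(char *spec)
{
	int mask = 0;
	char *p, *save;

	for (p = strtok_r(spec, ",", &save); p != NULL;
	    p = strtok_r(NULL, ",", &save))
		mask |= proto_bit(p);
	return mask;
}

/*
 * Parse a "Protocol <spec> [garbage]" line in place, as the real parser
 * does.  Returns 0 for a clean line, 1 if trailing garbage was found,
 * -1 for a malformed line.  *proto receives the parsed mask.
 */
int parse_line_strtok(char *line, int *proto)
{
	char *keyword, *arg;

	keyword = strtok(line, WHITESPACE);
	if (keyword == NULL || strcmp(keyword, "Protocol") != 0)
		return -1;
	arg = strtok(NULL, WHITESPACE);
	if (arg == NULL)
		return -1;
	/*
	 * proto_spec_strtok() drives the shared state to the NUL that ends
	 * "arg", so the strtok(NULL, ...) below resumes there, never reaches
	 * the rest of the line and returns NULL: the garbage is missed.
	 */
	*proto = proto_spec_strtok(arg);
	if (strtok(NULL, WHITESPACE) != NULL)
		return 1;
	return 0;
}

/* The fix: the caller keeps its own save pointer across the proto_spec call. */
int parse_line_strtok_r(char *line, int *proto)
{
	char *keyword, *arg, *save;

	keyword = strtok_r(line, WHITESPACE, &save);
	if (keyword == NULL || strcmp(keyword, "Protocol") != 0)
		return -1;
	arg = strtok_r(NULL, WHITESPACE, &save);
	if (arg == NULL)
		return -1;
	*proto = proto_spec_r(arg);	/* cannot disturb 'save' */
	if (strtok_r(NULL, WHITESPACE, &save) != NULL)
		return 1;		/* garbage at end of line */
	return 0;
}
```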
From: eli at kibucorp.com (Eli Lev) Date: Fri, 7 Jul 2000 17:50:36 -0700 Subject: sshd Pam problem for Redhat 6.2 Message-ID: <76764D3B0D08D41180A8009027866ABA068BF9@KIBUNTSVR01> Hi, There was another message about this from Darren Evans. I am hoping that the logs from below might shed additional light on this problem (kernel version 2.2.14). I'm running Redhat 6.2, openssh-2.1.1p2.tar.gz, openssl-0.9.5a.tar.gz. I haven't tried to recompile with /usr/src/linux pointing to 2.2.12 per Darren's solution - that's my next thing to do, or perhaps compile without pam. I'm doing the standard: configure make make install No sshd file is created in /etc/pam.d - I'm not sure if there should be one there. I'd appreciate any and all help in regards to this: Eli strace sshd -d yields: old_mmap(NULL, 36384, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40146000 mprotect(0x4014e000, 3616, PROT_NONE) = 0 old_mmap(0x4014e000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x7000) = 0x4014e000 close(3) = 0 munmap(0x40015000, 26952) = 0 open("/etc/passwd", O_RDONLY) = 3 fcntl(3, F_GETFD) = 0 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 fstat(3, {st_mode=S_IFREG|0644, st_size=904, ...}) = 0 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40015000 read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 904 close(3) = 0 munmap(0x40015000, 4096) = 0 stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=316848, ...}) = 0 write(2, "debug: Starting up PAM with user"..., 44debug: Starting up PAM with username "elev" ) = 44 stat("/etc/pam.d", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 open("/etc/pam.d/sshd", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/pam.conf", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/pam.d/other", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=210, ...}) = 0 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40015000 read(3, "#%PAM-1.0\nauth required "..., 4096) = 210 
open("/lib/security/pam_deny.so", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0755, st_size=5359, ...}) = 0 read(5, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200\7\0"..., 4096) = 4096 old_mmap(NULL, 6696, PROT_READ|PROT_EXEC, MAP_PRIVATE, 5, 0) = 0x40016000 mprotect(0x40017000, 2600, PROT_NONE) = 0 old_mmap(0x40017000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 5, 0) = 0x40017000 close(5) = 0 read(3, "", 4096) = 0 close(3) = 0 munmap(0x40015000, 4096) = 0 getuid() = 0 write(2, "debug: Attempting authentication"..., 43debug: Attempting authentication for elev. ) = 43 write(4, "\0\0\0\5\'\271\0\272\202\30\375<", 12) = 12 select(5, [4], NULL, NULL, NULL) = 1 (in [4]) read(4, "\0\0\0\21\31\204\227\317?w\340%;\201tdS\320\7\251?\341"..., 8192) = 28 time(NULL) = 963014261 write(2, "debug: PAM Password authenticati"..., 77debug: PAM Password authentication for "elev" failed: Authentication failure ) = 77 getpeername(4, {sin_family=AF_INET, sin_port=htons(1022), sin_addr=inet_addr("216.217.10.136")}}, [16]) = 0 write(2, "Failed password for elev from 21"..., 55Failed password for elev from 216.217.10.136 port 1022 ) = 55 write(4, "\0\0\0\5\224\4\27M\271!\211#", 12) = 12 select(5, [4], NULL, NULL, NULL) = 1 (in [4]) read(4, "", 8192) = 0 write(2, "Connection closed by 216.217.10."..., 36Connection closed by 216.217.10.136 ) = 36 write(2, "debug: Calling cleanup 0x804e3ac"..., 38debug: Calling cleanup 0x804e3ac(0x0) ) = 38 write(2, "Cannot close PAM session: System"..., 39Cannot close PAM session: System error ) = 39 write(2, "Cannot delete credentials: Authe"..., 83Cannot delete credentials: Authentication service cannot retrieve user credentials ) = 83 munmap(0x40016000, 6696) = 0 write(2, "debug: Calling cleanup 0x805ced4"..., 38debug: Calling cleanup 0x805ced4(0x0) ) = 38 shutdown(4, 2 /* send and receive */) = 0 close(4) = 0 ++++++++++++++++++++++++ Running configure gives: ++++++++++++++++++++++++ Script started on Fri Jul 7 17:09:03 2000 [root at apollo 
openssh-2.1.1p2]# sh configure creating cache ./config.cache checking for gcc... gcc checking whether the C compiler (gcc ) works... yes checking whether the C compiler (gcc ) is a cross-compiler... no checking whether we are using GNU C... yes checking whether gcc accepts -g... yes checking host system type... i686-pc-linux-gnu checking how to run the C preprocessor... gcc -E checking for ranlib... ranlib checking for a BSD compatible install... /usr/bin/install -c checking for ar... ar checking for perl... /usr/bin/perl checking for ent... no checking for inline... inline checking for deflate in -lz... yes checking for login in -lutil... yes checking for yp_match in -lnsl... yes checking for main in -lsocket... no checking for bstring.h... no checking for endian.h... yes checking for lastlog.h... yes checking for limits.h... yes checking for login.h... no checking for maillock.h... no checking for netdb.h... yes checking for netgroup.h... no checking for netinet/in_systm.h... yes checking for paths.h... yes checking for poll.h... yes checking for pty.h... yes checking for shadow.h... yes checking for security/pam_appl.h... yes checking for sys/bitypes.h... yes checking for sys/bsdtty.h... no checking for sys/cdefs.h... yes checking for sys/poll.h... yes checking for sys/select.h... yes checking for sys/stat.h... yes checking for sys/stropts.h... yes checking for sys/sysmacros.h... yes checking for sys/time.h... yes checking for sys/ttcompat.h... no checking for stddef.h... yes checking for time.h... yes checking for util.h... no checking for utmp.h... yes checking for utmpx.h... yes checking for arc4random... no checking for atexit... yes checking for b64_ntop... no checking for bcopy... yes checking for bindresvport_af... no checking for clock... yes checking for freeaddrinfo... yes checking for gai_strerror... yes checking for getaddrinfo... yes checking for getnameinfo... yes checking for getrusage... yes checking for innetgr... yes checking for md5_crypt... 
no checking for memmove... yes checking for mkdtemp... no checking for on_exit... yes checking for openpty... yes checking for rresvport_af... no checking for setenv... yes checking for seteuid... yes checking for setlogin... no checking for setproctitle... no checking for setreuid... yes checking for snprintf... yes checking for strlcat... no checking for strlcpy... no checking for vsnprintf... yes checking for vhangup... yes checking for _getpty... no checking for __b64_ntop... no checking for gettimeofday... yes checking for time... yes checking for login... yes checking for logout... yes checking for updwtmp... yes checking for logwtmp... yes checking for entutent... no checking for getutent... yes checking for getutid... yes checking for getutline... yes checking for pututline... yes checking for setutent... yes checking for utmpname... yes checking for entutxent... no checking for getutxent... yes checking for getutxid... yes checking for getutxline... yes checking for pututxline... yes checking for setutxent... yes checking for utmpxname... yes checking for login... (cached) yes checking for daemon... yes checking for getpagesize... yes checking whether snprintf correctly terminates long strings... yes checking for dlopen in -ldl... yes checking for pam_getenvlist... yes checking whether pam_strerror takes only one argument... no checking for OpenSSL directory... /usr/local/ssl checking for RSA support... yes checking size of char... 1 checking size of short int... 2 checking size of int... 4 checking size of long int... 4 checking size of long long int... 8 checking for intXX_t types... yes checking for u_intXX_t types... yes checking for socklen_t... yes checking for size_t... yes checking for ssize_t... yes checking for sa_family_t... yes checking for pid_t... yes checking for mode_t... yes checking for struct sockaddr_storage... yes checking for struct sockaddr_in6... yes checking for struct in6_addr... yes checking for struct addrinfo... 
yes checking for ut_host field in utmp.h... yes checking for ut_host field in utmpx.h... yes checking for syslen field in utmpx.h... no checking for ut_pid field in utmp.h... yes checking for ut_type field in utmp.h... yes checking for ut_type field in utmpx.h... yes checking for ut_tv field in utmp.h... yes checking for ut_id field in utmp.h... yes checking for ut_id field in utmpx.h... yes checking for ut_addr field in utmp.h... yes checking for ut_addr field in utmpx.h... yes checking for ut_addr_v6 field in utmp.h... yes checking for ut_addr_v6 field in utmpx.h... yes checking for ut_exit field in utmp.h... yes checking for ut_time field in utmp.h... no checking for ut_time field in utmpx.h... no checking for ut_tv field in utmpx.h... yes checking for ss_family field in struct sockaddr_storage... no checking for __ss_family field in struct sockaddr_storage... yes checking if libc defines __progname... yes checking for rsh... /usr/kerberos/bin/rsh checking for xauth... /usr/bin/X11/xauth checking for /dev/ptc... no checking for /dev/urandom... yes checking if we need to convert IPv4 in IPv6-mapped addresses... yes (default) checking if your system defines LASTLOG_FILE... no checking if your system defines _PATH_LASTLOG... yes checking if your system defines UTMP_FILE... yes checking if your system defines WTMP_FILE... yes checking if your system defines UTMPX_FILE... no checking if your system defines WTMPX_FILE... no updating cache ./config.cache creating ./config.status creating Makefile creating ssh_prng_cmds creating config.h OpenSSH configured has been configured with the following options. 
User binaries: /usr/local/bin System binaries: /usr/local/sbin Configuration files: /usr/local/etc Askpass program: /usr/local/libexec/ssh/ssh-askpass Manual pages: /usr/local/man/manX PID file: /var/run Random number collection: Device (/dev/urandom) Manpage format: man PAM support: yes KerberosIV support: no AFS support: no S/KEY support: no TCP Wrappers support: no MD5 password support: no IP address in $DISPLAY hack: no Use IPv4 by default hack: no Translate v4 in v6 hack: yes Compiler flags: -g -O2 -Wall -I/usr/local/ssl/include Linker flags: -L/usr/local/ssl/lib -L/usr/local/ssl Libraries: -ldl -lnsl -lz -lutil -lpam -lcrypto +++++++++++++ config.log +++++++++++++ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake.
*/ char b64_ntop(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ #if defined (__stub_b64_ntop) || defined (__stub___b64_ntop) choke me #else b64_ntop(); #endif ; return 0; } configure:1754: checking for bcopy configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1754: checking for bindresvport_af configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 /tmp/ccIxdPoQ.o: In function `main': /home/elev/a-downld/Tmp/openssh-2.1.1p2/configure:1776: undefined reference to `bindresvport_af' collect2: ld returned 1 exit status configure: failed program was: #line 1759 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char bindresvport_af(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char bindresvport_af(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. 
*/ #if defined (__stub_bindresvport_af) || defined (__stub___bindresvport_af) choke me #else bindresvport_af(); #endif ; return 0; } configure:1754: checking for clock configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1754: checking for freeaddrinfo configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1754: checking for gai_strerror configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1754: checking for getaddrinfo configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1754: checking for getnameinfo configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1754: checking for getrusage configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1754: checking for innetgr configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1754: checking for md5_crypt configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 /tmp/ccINeFge.o: In function `main': /home/elev/a-downld/Tmp/openssh-2.1.1p2/configure:1776: undefined reference to `md5_crypt' collect2: ld returned 1 exit status configure: failed program was: #line 1759 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char md5_crypt(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char md5_crypt(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. 
*/ #if defined (__stub_md5_crypt) || defined (__stub___md5_crypt) choke me #else md5_crypt(); #endif ; return 0; } configure:1754: checking for memmove configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1754: checking for mkdtemp configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 /tmp/ccxUb2GV.o: In function `main': /home/elev/a-downld/Tmp/openssh-2.1.1p2/configure:1776: undefined reference to `mkdtemp' collect2: ld returned 1 exit status configure: failed program was: #line 1759 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char mkdtemp(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char mkdtemp(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ #if defined (__stub_mkdtemp) || defined (__stub___mkdtemp) choke me #else mkdtemp(); #endif ; return 0; } configure:1754: checking for on_exit configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1754: checking for openpty configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1754: checking for rresvport_af configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 /tmp/ccjdJiNY.o: In function `main': /home/elev/a-downld/Tmp/openssh-2.1.1p2/configure:1776: undefined reference to `rresvport_af' collect2: ld returned 1 exit status configure: failed program was: #line 1759 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char rresvport_af(); below. 
*/ #include /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char rresvport_af(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ #if defined (__stub_rresvport_af) || defined (__stub___rresvport_af) choke me #else rresvport_af(); #endif ; return 0; } configure:1754: checking for setenv configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1754: checking for seteuid configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1754: checking for setlogin configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure: In function `main': configure:1774: `choke' undeclared (first use in this function) configure:1774: (Each undeclared identifier is reported only once configure:1774: for each function it appears in.) configure:1774: parse error before `me' configure: failed program was: #line 1759 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char setlogin(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char setlogin(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. 
*/ #if defined (__stub_setlogin) || defined (__stub___setlogin) choke me #else setlogin(); #endif ; return 0; } configure:1754: checking for setproctitle configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 /tmp/ccW3Oveb.o: In function `main': /home/elev/a-downld/Tmp/openssh-2.1.1p2/configure:1776: undefined reference to `setproctitle' collect2: ld returned 1 exit status configure: failed program was: #line 1759 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char setproctitle(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char setproctitle(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ #if defined (__stub_setproctitle) || defined (__stub___setproctitle) choke me #else setproctitle(); #endif ; return 0; } configure:1754: checking for setreuid configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1754: checking for snprintf configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1754: checking for strlcat configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 /tmp/cctuPlxM.o: In function `main': /home/elev/a-downld/Tmp/openssh-2.1.1p2/configure:1776: undefined reference to `strlcat' collect2: ld returned 1 exit status configure: failed program was: #line 1759 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char strlcat(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. 
*/ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char strlcat(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ #if defined (__stub_strlcat) || defined (__stub___strlcat) choke me #else strlcat(); #endif ; return 0; } configure:1754: checking for strlcpy configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 /tmp/cctzrfu7.o: In function `main': /home/elev/a-downld/Tmp/openssh-2.1.1p2/configure:1776: undefined reference to `strlcpy' collect2: ld returned 1 exit status configure: failed program was: #line 1759 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char strlcpy(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char strlcpy(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. 
*/ #if defined (__stub_strlcpy) || defined (__stub___strlcpy) choke me #else strlcpy(); #endif ; return 0; } configure:1754: checking for vsnprintf configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1754: checking for vhangup configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1754: checking for _getpty configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 /tmp/ccfgTKMc.o: In function `main': /home/elev/a-downld/Tmp/openssh-2.1.1p2/configure:1776: undefined reference to `_getpty' collect2: ld returned 1 exit status configure: failed program was: #line 1759 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char _getpty(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char _getpty(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ #if defined (__stub__getpty) || defined (__stub____getpty) choke me #else _getpty(); #endif ; return 0; } configure:1754: checking for __b64_ntop configure:1782: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 /tmp/ccP381sx.o: In function `main': /home/elev/a-downld/Tmp/openssh-2.1.1p2/configure:1776: undefined reference to `__b64_ntop' collect2: ld returned 1 exit status configure: failed program was: #line 1759 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char __b64_ntop(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. 
*/ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char __b64_ntop(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ #if defined (__stub___b64_ntop) || defined (__stub_____b64_ntop) choke me #else __b64_ntop(); #endif ; return 0; } configure:1809: checking for gettimeofday configure:1837: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1809: checking for time configure:1837: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1864: checking for login configure:1892: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1864: checking for logout configure:1892: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1864: checking for updwtmp configure:1892: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1864: checking for logwtmp configure:1892: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1919: checking for entutent configure:1947: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 /tmp/ccqWzKVy.o: In function `main': /home/elev/a-downld/Tmp/openssh-2.1.1p2/configure:1941: undefined reference to `entutent' collect2: ld returned 1 exit status configure: failed program was: #line 1924 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char entutent(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char entutent(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. 
Some functions are actually named something starting with __ and the normal name is an alias. */ #if defined (__stub_entutent) || defined (__stub___entutent) choke me #else entutent(); #endif ; return 0; } configure:1919: checking for getutent configure:1947: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1919: checking for getutid configure:1947: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1919: checking for getutline configure:1947: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1919: checking for pututline configure:1947: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1919: checking for setutent configure:1947: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:1974: checking for utmpname configure:2002: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:2029: checking for entutxent configure:2057: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 /tmp/ccRRwNgP.o: In function `main': /home/elev/a-downld/Tmp/openssh-2.1.1p2/configure:2051: undefined reference to `entutxent' collect2: ld returned 1 exit status configure: failed program was: #line 2034 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char entutxent(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char entutxent(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. 
*/ #if defined (__stub_entutxent) || defined (__stub___entutxent) choke me #else entutxent(); #endif ; return 0; } configure:2029: checking for getutxent configure:2057: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:2029: checking for getutxid configure:2057: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:2029: checking for getutxline configure:2057: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:2029: checking for pututxline configure:2057: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:2084: checking for setutxent configure:2112: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:2084: checking for utmpxname configure:2112: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:2138: checking for login configure:2234: checking for daemon configure:2262: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:2330: checking for getpagesize configure:2358: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:2428: checking whether snprintf correctly terminates long strings configure:2440: gcc -o conftest -g -O2 -Wall conftest.c -lnsl -lz -lutil 1>&5 configure:2481: checking for dlopen in -ldl configure:2500: gcc -o conftest -g -O2 -Wall conftest.c -ldl -lnsl -lz -lutil 1>&5 configure:2532: checking for pam_getenvlist configure:2560: gcc -o conftest -g -O2 -Wall conftest.c -ldl -lnsl -lz -lutil -lpam 1>&5 configure:2591: checking whether pam_strerror takes only one argument configure:2603: gcc -c -g -O2 -Wall conftest.c 1>&5 configure:2643: checking for OpenSSL directory configure:2682: gcc -o conftest -g -O2 -Wall conftest.c -ldl -lnsl -lz -lutil -lpam -lcrypto 1>&5 configure:2671: openssl/rand.h: No such file or directory configure: failed program was: #line 2668 "configure" #include "confdefs.h" #include #include int main(void) { char a[2048]; memset(a, 0, sizeof(a)); RAND_add(a, sizeof(a), 
sizeof(a)); return(RAND_status() <= 0); } configure:2682: gcc -o conftest -g -O2 -Wall -I/usr/local/openssl/include -L/usr/local/openssl/lib -L/usr/local/openssl conftest.c -ldl -lnsl -lz -lutil -lpam -lcrypto 1>&5 configure:2671: openssl/rand.h: No such file or directory configure: failed program was: #line 2668 "configure" #include "confdefs.h" #include #include int main(void) { char a[2048]; memset(a, 0, sizeof(a)); RAND_add(a, sizeof(a), sizeof(a)); return(RAND_status() <= 0); } configure:2682: gcc -o conftest -g -O2 -Wall -I/usr/lib/openssl/include -L/usr/lib/openssl/lib -L/usr/lib/openssl conftest.c -ldl -lnsl -lz -lutil -lpam -lcrypto 1>&5 configure:2671: openssl/rand.h: No such file or directory configure: failed program was: #line 2668 "configure" #include "confdefs.h" #include #include int main(void) { char a[2048]; memset(a, 0, sizeof(a)); RAND_add(a, sizeof(a), sizeof(a)); return(RAND_status() <= 0); } configure:2682: gcc -o conftest -g -O2 -Wall -I/usr/local/ssl/include -L/usr/local/ssl/lib -L/usr/local/ssl conftest.c -ldl -lnsl -lz -lutil -lpam -lcrypto 1>&5 configure:2737: checking for RSA support configure:2767: gcc -o conftest -g -O2 -Wall -I/usr/local/ssl/include -L/usr/local/ssl/lib -L/usr/local/ssl conftest.c -ldl -lnsl -lz -lutil -lpam -lcrypto 1>&5 configure:2803: checking size of char configure:2822: gcc -o conftest -g -O2 -Wall -I/usr/local/ssl/include -L/usr/local/ssl/lib -L/usr/local/ssl conftest.c -ldl -lnsl -lz -lutil -lpam -lcrypto 1>&5 configure:2814: warning: return-type defaults to `int' configure:2842: checking size of short int configure:2861: gcc -o conftest -g -O2 -Wall -I/usr/local/ssl/include -L/usr/local/ssl/lib -L/usr/local/ssl conftest.c -ldl -lnsl -lz -lutil -lpam -lcrypto 1>&5 configure:2853: warning: return-type defaults to `int' configure:2881: checking size of int configure:2900: gcc -o conftest -g -O2 -Wall -I/usr/local/ssl/include -L/usr/local/ssl/lib -L/usr/local/ssl conftest.c -ldl -lnsl -lz -lutil -lpam -lcrypto 
1>&5 configure:2892: warning: return-type defaults to `int' configure:2920: checking size of long int configure:2939: gcc -o conftest -g -O2 -Wall -I/usr/local/ssl/include -L/usr/local/ssl/lib -L/usr/local/ssl conftest.c -ldl -lnsl -lz -lutil -lpam -lcrypto 1>&5 configure:2931: warning: return-type defaults to `int' configure:2959: checking size of long long int configure:2978: gcc -o conftest -g -O2 -Wall -I/usr/local/ssl/include -L/usr/local/ssl/lib -L/usr/local/ssl conftest.c -ldl -lnsl -lz -lutil -lpam -lcrypto 1>&5 configure:2970: warning: return-type defaults to `int' configure:3000: checking for intXX_t types configure:3013: gcc -c -g -O2 -Wall -I/usr/local/ssl/include conftest.c 1>&5 configure:3037: checking for u_intXX_t types configure:3050: gcc -c -g -O2 -Wall -I/usr/local/ssl/include conftest.c 1>&5 configure:3157: checking for socklen_t configure:3173: gcc -c -g -O2 -Wall -I/usr/local/ssl/include conftest.c 1>&5 configure:3196: checking for size_t configure:3211: gcc -c -g -O2 -Wall -I/usr/local/ssl/include conftest.c 1>&5 configure:3234: checking for ssize_t configure:3249: gcc -c -g -O2 -Wall -I/usr/local/ssl/include conftest.c 1>&5 configure:3272: checking for sa_family_t configure:3288: gcc -c -g -O2 -Wall -I/usr/local/ssl/include conftest.c 1>&5 configure:3311: checking for pid_t configure:3326: gcc -c -g -O2 -Wall -I/usr/local/ssl/include conftest.c 1>&5 configure:3349: checking for mode_t configure:3364: gcc -c -g -O2 -Wall -I/usr/local/ssl/include conftest.c 1>&5 configure:3388: checking for struct sockaddr_storage configure:3404: gcc -c -g -O2 -Wall -I/usr/local/ssl/include conftest.c 1>&5 configure: In function `main': configure:3400: warning: unused variable `s' configure:3427: checking for struct sockaddr_in6 configure:3443: gcc -c -g -O2 -Wall -I/usr/local/ssl/include conftest.c 1>&5 configure:3466: checking for struct in6_addr configure:3482: gcc -c -g -O2 -Wall -I/usr/local/ssl/include conftest.c 1>&5 configure:3505: checking for struct 
addrinfo configure:3522: gcc -c -g -O2 -Wall -I/usr/local/ssl/include conftest.c 1>&5 configure:3552: checking for ut_host field in utmp.h configure:3592: checking for ut_host field in utmpx.h configure:3632: checking for syslen field in utmpx.h configure:3672: checking for ut_pid field in utmp.h configure:3712: checking for ut_type field in utmp.h configure:3752: checking for ut_type field in utmpx.h configure:3792: checking for ut_tv field in utmp.h configure:3832: checking for ut_id field in utmp.h configure:3872: checking for ut_id field in utmpx.h configure:3912: checking for ut_addr field in utmp.h configure:3952: checking for ut_addr field in utmpx.h configure:3992: checking for ut_addr_v6 field in utmp.h configure:4032: checking for ut_addr_v6 field in utmpx.h configure:4072: checking for ut_exit field in utmp.h configure:4112: checking for ut_time field in utmp.h configure:4152: checking for ut_time field in utmpx.h configure:4192: checking for ut_tv field in utmpx.h configure:4229: checking for ss_family field in struct sockaddr_storage configure:4245: gcc -c -g -O2 -Wall -I/usr/local/ssl/include conftest.c 1>&5 configure: In function `main': configure:4241: structure has no member named `ss_family' configure: failed program was: #line 4235 "configure" #include "confdefs.h" #include #include int main() { struct sockaddr_storage s; s.ss_family = 1; ; return 0; } configure:4267: checking for __ss_family field in struct sockaddr_storage configure:4283: gcc -c -g -O2 -Wall -I/usr/local/ssl/include conftest.c 1>&5 configure:4307: checking if libc defines __progname configure:4320: gcc -o conftest -g -O2 -Wall -I/usr/local/ssl/include -L/usr/local/ssl/lib -L/usr/local/ssl conftest.c -ldl -lnsl -lz -lutil -lpam -lcrypto 1>&5 configure: In function `main': configure:4316: warning: implicit declaration of function `printf' configure:4357: checking for rsh configure:4407: checking for xauth configure:4506: checking for /dev/ptc configure:4557: checking for 
/dev/urandom configure:5660: checking if we need to convert IPv4 in IPv6-mapped addresses configure:5803: checking if your system defines LASTLOG_FILE configure:5821: gcc -c -g -O2 -Wall -I/usr/local/ssl/include conftest.c 1>&5 configure: In function `main': configure:5817: `LASTLOG_FILE' undeclared (first use in this function) configure:5817: (Each undeclared identifier is reported only once configure:5817: for each function it appears in.) configure:5817: warning: unused variable `lastlog' configure: failed program was: #line 5805 "configure" #include "confdefs.h" #include #include #ifdef HAVE_LASTLOG_H # include #endif #ifdef HAVE_PATHS_H # include #endif int main() { char *lastlog = LASTLOG_FILE; ; return 0; } configure:5831: checking if your system defines _PATH_LASTLOG configure:5849: gcc -c -g -O2 -Wall -I/usr/local/ssl/include conftest.c 1>&5 configure: In function `main': configure:5845: warning: unused variable `lastlog' configure:5888: checking if your system defines UTMP_FILE configure:5903: gcc -c -g -O2 -Wall -I/usr/local/ssl/include conftest.c 1>&5 configure: In function `main': configure:5899: warning: unused variable `utmp' configure:5938: checking if your system defines WTMP_FILE configure:5953: gcc -c -g -O2 -Wall -I/usr/local/ssl/include conftest.c 1>&5 configure: In function `main': configure:5949: warning: unused variable `wtmp' configure:5989: checking if your system defines UTMPX_FILE configure:6007: gcc -c -g -O2 -Wall -I/usr/local/ssl/include conftest.c 1>&5 configure: In function `main': configure:6003: `UTMPX_FILE' undeclared (first use in this function) configure:6003: (Each undeclared identifier is reported only once configure:6003: for each function it appears in.) 
configure:6003: warning: unused variable `utmpx' configure: failed program was: #line 5991 "configure" #include "confdefs.h" #include #include #ifdef HAVE_UTMPX_H #include #endif #ifdef HAVE_PATHS_H # include #endif int main() { char *utmpx = UTMPX_FILE; ; return 0; } configure:6034: checking if your system defines WTMPX_FILE configure:6052: gcc -c -g -O2 -Wall -I/usr/local/ssl/include conftest.c 1>&5 configure: In function `main': configure:6048: `WTMPX_FILE' undeclared (first use in this function) configure:6048: (Each undeclared identifier is reported only once configure:6048: for each function it appears in.) configure:6048: warning: unused variable `wtmpx' configure: failed program was: #line 6036 "configure" #include "confdefs.h" #include #include #ifdef HAVE_UTMPX_H #include #endif #ifdef HAVE_PATHS_H # include #endif int main() { char *wtmpx = WTMPX_FILE; ; return 0; }

From djm at mindrot.org Sat Jul 8 10:47:53 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 8 Jul 2000 10:47:53 +1000 (EST)
Subject: some problems reading rsa/dsa keys
In-Reply-To: <5BF932D2CD05D211B54800805FE60FEB08F525B0@serv-hermes.systeme.cpr.fr>
Message-ID:

On Wed, 5 Jul 2000, TARDIEU Emmanuel wrote:

> So, why doesn't the damn thing read the correct key? The key was
> generated by ssh-2.0.13, it's a generic 1024bits DSA.

We cannot read commercial SSH2 private keys. They are stored in an
undocumented format.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Sat Jul 8 10:51:02 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 8 Jul 2000 10:51:02 +1000 (EST)
Subject: OpenSSH on RH SPARC
In-Reply-To:
Message-ID:

On Wed, 5 Jul 2000, Gregory Leblanc wrote:

> OpenSSH is failing during a key generation step, the exact error
> messages I'll have in a few hours when this compile finishes. Here's a
> quote from the build:
> Generating RSA Keys: (gook goes here)
> Key generation complete.
> Saving the key failed: /etc/ssh/ssh_host_key: no such file or directory
> Generating the DSA parameter and key.
> Saving the key failed: /etc/ssh/ssh_host_dsa_key: no such file or directory
> etc.

Do you get these errors when you are building the RPM or when compiling
from the tarball?

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Sat Jul 8 11:00:01 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 8 Jul 2000 11:00:01 +1000 (EST)
Subject: radius support? (was Re: PAM on OPenBSD for OpenSSH?
In-Reply-To: <200007070156.e671uTV05619@rollcage.bl.echidna.id.au>
Message-ID:

On Fri, 7 Jul 2000 carl at bl.echidna.id.au wrote:

> 3. know of a better way to get OpenSSH's daemon to authenticate
> against a remote radius server?

It depends on what you are after - do you still want to have local
accounts in /etc/master.passwd? or do you want to fetch that as well?

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Sat Jul 8 11:45:16 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 8 Jul 2000 11:45:16 +1000 (EST)
Subject: 2.1.1p2 HP-UX 11 PAM General Commercial Security error
In-Reply-To:
Message-ID:

On Fri, 7 Jul 2000, Kevin Steves wrote:

> On Mon, 3 Jul 2000, Kevin Steves wrote:
> > Jul 3 15:19:29 robinson sshd[1293]: PAM rejected by account configuration: [32] General Commercial Security error
> Not much progress made other than I discovered I don't get this error and
> can log in successfully when running the server in debug mode (i.e.,
> "sshd -d").
>
> Strange. Any ideas?

Some PAM modules fail mysteriously because ssh doesn't always set the
PAM_TTY. At least one of these (pam_tty) then assumes (stupidly IMNSHO)
that fd 0 is the tty and tries to use that. This will cause failures when
sshd is run in daemon mode, but not in debug mode.

Perhaps an strace/truss of the failure would shed some light on it.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Sat Jul 8 11:46:44 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 8 Jul 2000 11:46:44 +1000 (EST)
Subject: sshd Pam problem for Redhat 6.2
In-Reply-To: <76764D3B0D08D41180A8009027866ABA068BF9@KIBUNTSVR01>
Message-ID:

On Fri, 7 Jul 2000, Eli Lev wrote:

> No sshd file is created in /etc/pam.d - I'm not sure if there should
> be one there.
>
> I'd appreciate any and all help in regards to this:

You need to install an appropriate pam file - one that works for Redhat
lives in contrib/redhat

This is all documented in the INSTALL file.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From GLeblanc at cu-portland.edu Sat Jul 8 16:47:06 2000
From: GLeblanc at cu-portland.edu (Gregory Leblanc)
Date: Fri, 7 Jul 2000 23:47:06 -0700
Subject: OpenSSH on RH SPARC
Message-ID:

> -----Original Message-----
> From: Damien Miller [mailto:djm at mindrot.org]
> Sent: Friday, July 07, 2000 5:51 PM
> To: Gregory Leblanc
> Cc: OpenSSH List (E-mail)
> Subject: Re: OpenSSH on RH SPARC
>
> On Wed, 5 Jul 2000, Gregory Leblanc wrote:
>
> > OpenSSH is failing during a key generation step, the exact error
> > messages I'll have in a few hours when this compile finishes. Here's a
> > quote from the build:
> > Generating RSA Keys: (gook goes here)
> > Key generation complete.
> > Saving the key failed: /etc/ssh/ssh_host_key: no such file or directory
> > Generating the DSA parameter and key.
> > Saving the key failed: /etc/ssh/ssh_host_dsa_key: no such file or directory
> > etc.
>
> Do you get these errors when you are building the RPM or when
> compiling from the tarball?

Building the RPM, as I'm trying to keep all my software everywhere under
RPM control. Thanks,
    Grego

From stevesk at sweden.hp.com Sat Jul 8 21:48:31 2000
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Sat, 8 Jul 2000 13:48:31 +0200 (CEST)
Subject: 2.1.1p2 HP-UX 11 PAM General Commercial Security error
In-Reply-To:
Message-ID: <200007081146.NAA25770@b0fh.sweden.hp.com>

On Sat, 8 Jul 2000, Damien Miller wrote:
: On Mon, 3 Jul 2000, Kevin Steves wrote:
: > Trying 2.1.1p2 on HP-UX 11 (trusted system) I get:
:
: What pam configuration are you using? Yours is the first report of
: PAM on HP/UX.

The default config (ssh should match OTHER):

#
# PAM configuration
#
# Authentication management
#
login     auth required     /usr/lib/security/libpam_unix.1
su        auth required     /usr/lib/security/libpam_unix.1
dtlogin   auth required     /usr/lib/security/libpam_unix.1
dtaction  auth required     /usr/lib/security/libpam_unix.1
ftp       auth required     /usr/lib/security/libpam_unix.1
OTHER     auth required     /usr/lib/security/libpam_unix.1
#
# Account management
#
login     account required  /usr/lib/security/libpam_unix.1
su        account required  /usr/lib/security/libpam_unix.1
dtlogin   account required  /usr/lib/security/libpam_unix.1
dtaction  account required  /usr/lib/security/libpam_unix.1
ftp       account required  /usr/lib/security/libpam_unix.1
# OTHER   account required  /usr/lib/security/libpam_unix.1
#
# Session management
#
login     session required  /usr/lib/security/libpam_unix.1
dtlogin   session required  /usr/lib/security/libpam_unix.1
dtaction  session required  /usr/lib/security/libpam_unix.1
OTHER     session required  /usr/lib/security/libpam_unix.1
#
# Password management
#
login     password required /usr/lib/security/libpam_unix.1
passwd    password required /usr/lib/security/libpam_unix.1
dtlogin   password required /usr/lib/security/libpam_unix.1
dtaction  password required /usr/lib/security/libpam_unix.1
OTHER     password required /usr/lib/security/libpam_unix.1

From stevesk at sweden.hp.com Sat Jul 8 21:51:58 2000
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Sat, 8 Jul 2000 13:51:58 +0200 (CEST)
Subject: 2.1.1p2 HP-UX 11 PAM General Commercial Security error
In-Reply-To:
Message-ID: <200007081150.NAA26748@b0fh.sweden.hp.com>

On Sat, 8 Jul 2000, Damien Miller wrote:
: On Fri, 7 Jul 2000, Kevin Steves wrote:
: > On Mon, 3 Jul 2000, Kevin Steves wrote:
: > > Jul 3 15:19:29 robinson sshd[1293]: PAM rejected by account configuration: [32] General Commercial Security error
:
: > Not much progress made other than I discovered I don't get this error and
: > can log in successfully when running the server in debug mode (i.e.,
: > "sshd -d").
: >
: > Strange. Any ideas?
:
: Some PAM modules fail mysteriously because ssh doesn't always set
: the PAM_TTY. At least one of these (pam_tty) then assumes (stupidly
: IMNSHO) that fd 0 is the tty and tries to use that. This will cause
: failures when sshd is run in daemon mode, but not in debug mode.
:
: Perhaps an strace/truss of the failure would shed some light on it.

I turned on debugging in the pam modules and now see (get_comsec_info
message):

Jul 8 13:36:59 robinson sshd[6045]: get_comsec_info: Cannot obtain database information on this terminal
Jul 8 13:36:59 robinson sshd[6045]: pam_acct_mgmt: error General Commercial Security error
Jul 8 13:36:59 robinson sshd[6045]: PAM rejected by account configuration: [32] General Commercial Security error

It's complaining about the fake PAM_TTY; with this code removed it works:

#if 0
    pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_TTY, "ssh");
    if (pam_retval != PAM_SUCCESS) {
        fatal("PAM set tty failed: [%d] %.200s",
            pam_retval, PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
    }
#endif

From nikke at ing.umu.se Sun Jul 9 01:13:36 2000
From: nikke at ing.umu.se (Niklas Edmundsson)
Date: Sat, 8 Jul 2000 17:13:36 +0200 (CEST)
Subject: OpenSSH 2.1.1p2 - compiling on AIX
Message-ID:

When compiling OpenSSH 2.1.1p2 on AIX 4.3.2 using the IBM compiler
(ibmcxx 3.6.4) in ANSI C mode by using the xlc binary instead of cc,
the compilation fails due to the fact that the OpenSSH code mixes K&R
style functions with ANSI prototypes:

"bsd-rresvport.c", line 56.1: 1506-343 (S) Redeclaration of rresvport_af differs from previous declaration on line 7 of "bsd-rresvport.h".
"bsd-rresvport.c", line 56.1: 1506-379 (I) Prototype for function rresvport_af must contain only promoted types if prototype and nonprototype declarations are mixed.
"bsd-rresvport.c", line 56.1: 1506-380 (I) Parameter 2 has type "unsigned char" which promotes to "int".

One way to fix this is to rewrite all functions to ANSI style, which I
guess is not an option. Another way to "fix" it is to tell xlc to behave
more like cc by setting the compiler flag -qlanglvl=extended, which I feel
should be done by configure when it detects AIX using the xlc compiler.

/Nikke

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 Niklas Edmundsson, Admin @ {acc,hpc2n,ing}.umu.se | nikke at ing.umu.se
---------------------------------------------------------------------------
 I never did it that way before.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From stevesk at sweden.hp.com Sun Jul 9 01:37:55 2000
From: stevesk at sweden.hp.com (Kevin Steves) Date: Sat, 8 Jul 2000 17:37:55 +0200 (CEST) Subject: 2.1.1p2 HP-UX 11 timing error In-Reply-To: Message-ID: <200007081536.RAA05643@b0fh.sweden.hp.com> Hi, On Thu, 6 Jul 2000, Marquess, Steve Mr JMLFDC wrote: : FYI in order to get 2.1.1p2 to work on my HP-UX 11.0 systems I had to patch : atomicio.c for EWOULDBLOCK (HP read() does not give the POSIX return code). : The new atomicio() is a clean fix for this timing problem; all it needs now : is this one little tweak. : : *** atomicio.c Thu Jun 22 07:32:31 2000 : --- /tmp/atomicio.c Thu Jul 6 09:03:30 2000 : *************** : *** 46,52 **** : res = (f) (fd, s + pos, n - pos); : switch (res) { : case -1: : ! if (errno == EINTR || errno == EAGAIN) : continue; : case 0: : return (res); : --- 46,56 ---- : res = (f) (fd, s + pos, n - pos); : switch (res) { : case -1: : ! if (errno == EINTR || errno == EAGAIN : ! #ifdef _HPUX_SOURCE : ! || (errno == EWOULDBLOCK) : ! #endif : ! ) : continue; : case 0: : return (res); Which problem(s) does this fix? If read() is really returning EWOULDBLOCK instead of EAGAIN for POSIX non-blocking IO we should file a defect and get it fixed. There was an old problem with send() returning EWOULDBLOCK that was fixed over a year ago. Which ARPA transport patch do you have installed? This was the defect information in the patch README: ( SR number: [5003446658/STARS-ACTIVE/English] ; Defect: JAGaa45906 ) send() when called non-blocking returns EWOULDBLOCK rather than EAGAIN. I have a test program and I don't see EWOULDBLOCK for sockets. From stevesk at sweden.hp.com Sun Jul 9 06:20:52 2000 
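Review bot: the `#ifdef _HPUX_SOURCE` guard around `|| (errno == EWOULDBLOCK)` is unnecessary; EWOULDBLOCK is defined on every platform this tree builds on (on many it has the same value as EAGAIN), so testing it unconditionally next to EAGAIN keeps atomicio() free of a platform-specific branch and covers both the read() and write() callers, since f is a parameter. A `/* FALLTHROUGH */` comment on the `case -1:` arm would also help, because a non-retryable errno falls into `case 0:` and returns the -1 through `return (res)`, which is correct but not obvious.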
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Sat, 8 Jul 2000 22:20:52 +0200 (METDST)
Subject: Antwort: Re: sshd does not exit after scp (hpux 11.00 / ssh 2.1.1p1)
In-Reply-To:
Message-ID:

On Sat, 8 Jul 2000, Damien Miller wrote:
> > not really... On a non-trusted system with HP AnsiC it seems to work if
> > changing shutdown(fdin, SHUT_WR) to shutdown(fdin, SHUT_RDWR)
> > in serverloop.c (lines 320 & 464)

Strange, I'll try this in my environment when I get a chance.

> > On a trusted system with gcc however this does not seem to have any
> > effect. Here I use #define USE_PIPES 1 in includes.h as workaround
>
> Does USE_PIPES fix the problem on the non-trusted system as well?
>
> If so we can set this automatically in configure.

Yes, but the socketpair() method should work, so it's just a case of
finding where the problem lies.

From djm at mindrot.org Sun Jul 9 21:24:27 2000
From: djm at mindrot.org (Damien Miller)
Date: Sun, 9 Jul 2000 21:24:27 +1000 (EST)
Subject: 2.1.1p2 HP-UX 11 PAM General Commercial Security error
In-Reply-To: <200007081150.NAA26748@b0fh.sweden.hp.com>
Message-ID:

On Sat, 8 Jul 2000, Kevin Steves wrote:

> It's complaining about the fake PAM_TTY; With this code removed it
> works:

I have disabled this for platforms other than Linux.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Sun Jul 9 21:28:28 2000
From: djm at mindrot.org (Damien Miller) Date: Sun, 9 Jul 2000 21:28:28 +1000 (EST) Subject: OpenSSH on RH SPARC In-Reply-To: Message-ID: On Fri, 7 Jul 2000, Gregory Leblanc wrote: > Building the RPM, as I'm trying to keep all my software everywhere > under RPM control. Thanks, Try this patch: Index: Makefile.in =================================================================== RCS file: /var/cvs/openssh/Makefile.in,v retrieving revision 1.89 diff -u -r1.89 Makefile.in --- Makefile.in 2000/06/27 22:24:49 1.89 +++ Makefile.in 2000/07/09 11:27:46 @@ -150,20 +150,20 @@ fi host-key: ssh-keygen - if [ -f "$(sysconfdir)/ssh_host_key" ] ; then \ - echo "$(sysconfdir)/ssh_host_key already exists, skipping." ; \ + if [ -f "$(DESTDIR)$(sysconfdir)/ssh_host_key" ] ; then \ + echo "$(DESTDIR)$(sysconfdir)/ssh_host_key already exists, skipping." ; \ else \ - ./ssh-keygen -b 1024 -f $(sysconfdir)/ssh_host_key -N "" ; \ + ./ssh-keygen -b 1024 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" ; \ fi ; \ - if [ -f $(sysconfdir)/ssh_host_dsa_key ] ; then \ - echo "$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \ + if [ -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key ] ; then \ + echo "$(DESTDIR)$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \ else \ - ./ssh-keygen -d -f $(sysconfdir)/ssh_host_dsa_key -N "" ; \ + ./ssh-keygen -d -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N "" ; \ fi ; host-key-force: ssh-keygen - ./ssh-keygen -b 1024 -f $(sysconfdir)/ssh_host_key -N "" - ./ssh-keygen -d -f $(sysconfdir)/ssh_host_dsa_key -N "" + ./ssh-keygen -b 1024 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" + ./ssh-keygen -d -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N "" uninstallall: uninstall -rm -f $(DESTDIR)$(sysconfdir)/ssh_config -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Sun Jul 9 21:29:06 2000 
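Review bot: with `$(DESTDIR)` prepended in the host-key target, a packaging build that runs `make install DESTDIR=...` now generates ssh_host_key and ssh_host_dsa_key into the buildroot, and unless the spec file excludes them every machine installing that RPM ends up with the same private host keys; generate them from the package's post-install step on the target instead, or have the spec skip this target. Smaller point in the same hunk: the dsa test is unquoted while the rsa one is quoted, so for consistency use `if [ -f "$(DESTDIR)$(sysconfdir)/ssh_host_dsa_key" ] ; then \`.

Review bot: host-key-force has the same key-in-buildroot concern as host-key; a one-line comment above both targets saying they are meant for the final host, not a staging install, would stop the next packager from tripping over it.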
From: djm at mindrot.org (Damien Miller)
Date: Sun, 9 Jul 2000 21:29:06 +1000 (EST)
Subject: OpenSSH 2.1.1p2 - compiling on AIX
In-Reply-To:
Message-ID:

On Sat, 8 Jul 2000, Niklas Edmundsson wrote:

> When compiling OpenSSH 2.1.1p2 on AIX 4.3.2 using the IBM compiler
> (ibmcxx 3.6.4) in Ansi-C mode by using the xlc binary instead of cc
> the compilation fails due to the fact that the OpenSSH code mixes k&r
> style functions with ANSI prototypes:

Thanks, I have matched the function declarations with the prototypes.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From nikke at ing.umu.se Mon Jul 10 04:04:10 2000
From: nikke at ing.umu.se (Niklas Edmundsson)
Date: Sun, 9 Jul 2000 20:04:10 +0200 (CEST)
Subject: OpenSSH 2.1.1p2: /etc/nologin handling and related stuff
Message-ID:

Attached is a patch to be applied with GNU patch -p0; notice that
configure needs to be regenerated. The patch addresses the following
annoyances:

* On AIX there is a signal called SIGDANGER which is sent to all
  processes when the machine runs low on virtual memory. This patch
  makes sure that this signal is ignored, because the default on older
  AIX releases is to kill the running process (which is pretty bad).

* On AIX loginrestrictions() is called to decide whether the user is
  allowed to log in. Since OpenSSH has the PermitRootLogin configuration
  option you don't want loginrestrictions() to pertain to root (since
  you generally disable remote root logins and only enable root logins
  with 'PermitRootLogin without-password' ...). This patch ignores
  loginrestrictions() for root.

* There is no pam_nologin on Solaris, thus the handling of /etc/nologin
  needs to be there even though PAM is used. This patch simply removes
  the #ifdef USE_PAM since it's better with two checks on some OS's
  instead of none on some; a more correct solution is probably not that
  hard to come up with though.

* This patch introduces the configure option --with-nologin-allow=FILE
  which, when defined, specifies a file containing users that should be
  able to log in even though /etc/nologin exists.

Additionally, we have noticed the following problems with OpenSSH:

* On AIX, the message from loginrestrictions() isn't shown to the user,
  like it's supposed to, but instead stored in the log file of SSH.

* Also, loginrestrictions() is called before the check of /etc/nologin,
  and since loginrestrictions() also checks for nologin the user isn't
  allowed to log in even though the user is in the nologin-allow file
  introduced in the attached patch. Since the user doesn't see the
  nologin (which instead is logged in the sshd log file) this is most
  confusing.

* make install overwrites ssh_prng_cmds. Also, the script that generates
  ssh_prng_cmds doesn't seem to check for binaries in /usr/sbin/ where
  arp, ifconfig etc. reside on Solaris and others. A suggestion is also
  to parse /etc/syslog.conf to find out which log files there are
  instead of taking a stab at which files there might be. /bin/who -a
  dumps all information from utmp on AIX, Solaris and others; who -i
  doesn't work. Doing ls -l on /var/.../mail isn't that good when it's
  NFS mounted.

* In general, there is very little documentation on ssh_prng_cmds (or
  I'm blind ;)

* Running on a Sparc LX (i.e. a very slow machine) on Solaris8 we
  sometimes get the following error message upon startup:

  # /usr/local/sbin/sshd
  fatal: Couldn't initialise builtin random number generator -- exiting.

  What failed? The entropy stuff, or some random thing that went
  berserk? Any hints on how to debug this are appreciated, since we
  don't want to run a daemon that sometimes just fails to start...

* Also on Solaris8 we get the following message in the sshd log file
  when a user logs out:

  sshd[4692]: [ID 800047 auth.info] Cannot delete credentials: Permission denied

  This seems to be a PAM issue, but that's about all we've figured out...

/Nikke - wants OpenSSH to be perfect :)

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 Niklas Edmundsson, Admin @ {acc,hpc2n,ing}.umu.se | nikke at ing.umu.se
---------------------------------------------------------------------------
 "I happen to like nice men." - Leia
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-------------- next part --------------
diff -ruw -x configure ../dist/acconfig.h ./acconfig.h
--- ../dist/acconfig.h Sat Jul 1 08:52:55 2000
+++ ./acconfig.h Sat Jul 8 21:13:22 2000
@@ -214,6 +214,9 @@ /* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */ #undef IPV4_IN_IPV6 +/* File with users to allow even with /etc/nologin in place */ +#undef NOLOGIN_ALLOW_FILE + @BOTTOM@ /* ******************* Shouldn't need to edit below this line ************** */ diff -ruw -x configure ../dist/auth.c ./auth.c --- ../dist/auth.c Mon Jun 26 03:31:33 2000 +++ ./auth.c Sat Jul 8 19:53:37 2000 @@ -145,7 +145,8 @@ } #ifdef WITH_AIXAUTHENTICATE - if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { + if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0 && + pw->pw_uid != 0) { if (loginmsg && *loginmsg) { /* Remove embedded newlines (if any) */ char *p; diff -ruw -x configure ../dist/config.h.in ./config.h.in --- ../dist/config.h.in Sat Jul 1 11:43:08 2000 +++ ./config.h.in Sat Jul 8 21:13:53 2000 @@ -201,6 +201,9 @@ /* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */ #undef IPV4_IN_IPV6 +/* File with users to allow even with /etc/nologin in place */ +#undef NOLOGIN_ALLOW_FILE + /* The number of bytes in a char. */ #undef SIZEOF_CHAR diff -ruw -x configure ../dist/configure.in ./configure.in --- ../dist/configure.in Sat Jul 1 08:52:55 2000 +++ ./configure.in Sat Jul 8 21:12:27 2000 @@ -823,6 +823,17 @@ fi AC_SUBST(INSTALL_SSH_PRNG_CMDS) +# Check for nologin-allow file +AC_ARG_WITH(nologin-allow, + [ --with-nologin-allow=FILE File with users to allow during nologin (default none)], + [ + if test "x$withval" != "xno" ; then + NOLOGIN_ALLOW_FILE="$withval"; + AC_DEFINE_UNQUOTED(NOLOGIN_ALLOW_FILE, "$NOLOGIN_ALLOW_FILE") + fi + ] +) + AC_ARG_WITH(catman, [ --with-catman=man|cat Install preformatted manpages[no]], diff -ruw -x configure ../dist/session.c ./session.c --- ../dist/session.c Sat Jul 1 05:24:21 2000 +++ ./session.c Sun Jul 9 19:22:23 2000 
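Review bot: in the auth.c hunk the uid test is placed after the loginrestrictions() call, so the call (and anything it logs) still happens for root and its loginmsg is then thrown away; test `pw->pw_uid != 0` first. More importantly, exempting uid 0 unconditionally overrides an AIX login restriction that an administrator may have placed on root on purpose; the cover message ties this to PermitRootLogin, so gate the exemption on that option rather than on the uid alone.

Review bot: the config.h.in hunk duplicates the acconfig.h one; config.h.in is regenerated from acconfig.h by autoheader, and the cover message already says configure must be regenerated, so carrying the new `#undef NOLOGIN_ALLOW_FILE` in acconfig.h alone avoids the two copies drifting apart.

Review bot: in the configure.in hunk, `--with-nologin-allow` given without `=FILE` leaves `$withval` as `yes`, which the `"x$withval" != "xno"` test accepts and bakes in as NOLOGIN_ALLOW_FILE "yes", a relative path that fopen() will resolve against sshd's working directory at login time; reject `yes` (or require an absolute path) before the AC_DEFINE_UNQUOTED.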
@@ -816,17 +816,34 @@ if (options.use_login && command != NULL) options.use_login = 0; -#ifndef USE_PAM /* pam_nologin handles this */ f = fopen("/etc/nologin", "r"); if (f) { + char notallowed=1; /* /etc/nologin exists. Print its contents and exit. */ + fprintf(stderr, "\aLogins are currently disallowed:\n\n"); while (fgets(buf, sizeof(buf), f)) fputs(buf, stderr); + fprintf(stderr, "\n"); fclose(f); - if (pw->pw_uid != 0) +#ifdef NOLOGIN_ALLOW_FILE + if((f=fopen(NOLOGIN_ALLOW_FILE, "r"))) { + char *tmpend; + while (fgets(buf, sizeof(buf), f)) { + if(*buf=='\0' || *buf=='#' || *buf=='\n' || *buf=='\r') + continue; + if((tmpend=strchr(buf, '\n'))) + *tmpend='\0'; + if(!strcmp(buf, pw->pw_name)) { + notallowed=0; + break; + } + } + } + fclose(f); +#endif /* NOLOGIN_ALLOW_FILE */ + if (pw->pw_uid != 0 && notallowed != 0) exit(254); } -#endif /* USE_PAM */ #ifndef HAVE_OSF_SIA /* Set login name in the kernel. */ diff -ruw -x configure ../dist/sshd.c ./sshd.c --- ../dist/sshd.c Wed Jun 28 07:22:42 2000 +++ ./sshd.c Sun Jul 9 19:23:29 2000 @@ -746,6 +746,10 @@ signal(SIGHUP, sighup_handler); signal(SIGTERM, sigterm_handler); signal(SIGQUIT, sigterm_handler); +#ifdef SIGDANGER + /* Don't die on AIX when the machine runs low on memory */ + signal(SIGDANGER, SIG_IGN); +#endif /* Arrange SIGCHLD to be caught. */ signal(SIGCHLD, main_sigchld_handler); From jeh at kant.ee.washington.edu Mon Jul 10 12:31:54 2000 
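Review bot: in the session.c hunk `fclose(f);` sits after the `if((f=fopen(NOLOGIN_ALLOW_FILE, "r")))` block rather than inside it, so when the allow file is absent or unreadable f is NULL and the child crashes on fclose(NULL) instead of refusing the login; move the fclose inside the braces. Two smaller points: `notallowed` is a `char` used as a flag (make it `int`), and only '\n' is stripped before the strcmp, so a CRLF-terminated allow file never matches; strip trailing "\r\n" and whitespace. Dropping `#ifndef USE_PAM` also means PAM builds with pam_nologin print the nologin text twice, as the cover message acknowledges.

Review bot: in the sshd.c hunk, SIG_IGN for SIGDANGER is inherited across fork() and exec(), so every user shell and command sshd spawns is also blind to the low-memory signal; if that is not intended, reset SIGDANGER to SIG_DFL in the child before the session's exec.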
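The allow-list decision described in the message above, as an added example written for this page and not the attached patch: the allow-file handle is closed only when it was actually opened, trailing CR/LF and whitespace are stripped before comparing, and the match is exact so "bob" does not admit "bobby". The function names (nologin_allow_listed, login_permitted_during_nologin, read_allow_file) and the sample list contents are constructed, not from OpenSSH.

```c
/* Added example: /etc/nologin override via an allow-list file.
 * Names are hypothetical; the sample inputs in the test are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define NOLOGIN_LINE_MAX 256

/*
 * Return 1 if user appears as a whole line in the allow-list text.
 * Blank lines and lines whose first non-blank byte is '#' are ignored,
 * trailing CR/LF and surrounding whitespace are stripped, and the
 * comparison is an exact string match.  text == NULL means the file
 * could not be read, which admits nobody.
 */
int
nologin_allow_listed(const char *text, const char *user)
{
	char line[NOLOGIN_LINE_MAX];
	const char *p = text;

	if (text == NULL || user == NULL || *user == '\0')
		return 0;
	while (*p != '\0') {
		const char *nl = strchr(p, '\n');
		size_t len = nl ? (size_t)(nl - p) : strlen(p);

		/* An over-long line cannot be an exact user name: skip it. */
		if (len < sizeof(line)) {
			size_t start = 0, end = len;

			memcpy(line, p, len);
			/* strip "\r", spaces and tabs at both ends */
			while (end > start && isspace((unsigned char)line[end - 1]))
				end--;
			while (start < end && isspace((unsigned char)line[start]))
				start++;
			line[end] = '\0';
			if (end > start && line[start] != '#' &&
			    strcmp(line + start, user) == 0)
				return 1;
		}
		p = nl ? nl + 1 : p + len;
	}
	return 0;
}

/*
 * Decision taken when /etc/nologin exists: root is always admitted (as
 * the original session.c code does), listed users are admitted, everyone
 * else is refused.  Returns 1 to permit the login, 0 to refuse it.
 */
int
login_permitted_during_nologin(uid_t uid, const char *user,
    const char *allow_text)
{
	if (uid == 0)
		return 1;
	return nologin_allow_listed(allow_text, user);
}

/*
 * Read the allow-list file into a NUL-terminated buffer the caller frees.
 * Returns NULL when the file cannot be opened; note that the FILE handle
 * is closed exactly once and only on the path where fopen() succeeded,
 * which is the defect in the patch's session.c hunk.
 */
char *
read_allow_file(const char *path)
{
	FILE *f = fopen(path, "r");
	char *buf = NULL, *tmp;
	size_t cap = 0, used = 0, n;

	if (f == NULL)
		return NULL;		/* nothing to close here */
	do {
		tmp = realloc(buf, cap + 4096 + 1);
		if (tmp == NULL) {
			free(buf);
			fclose(f);
			return NULL;
		}
		buf = tmp;
		cap += 4096;
		n = fread(buf + used, 1, cap - used, f);
		used += n;
	} while (n > 0);
	buf[used] = '\0';
	fclose(f);
	return buf;
}
```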
From: jeh at kant.ee.washington.edu (Justin Hahn)
Date: Sun, 09 Jul 2000 19:31:54 -0700
Subject: Minor nitpick on openssh: man pages
Message-ID: <3969359A.7CF516AA@rcs.ee.washington.edu>

On a plain vanilla Solaris 8 install, the man page source WILL NOT
generate readable manpages. It just ends up as one big paragraph. I've
been using the cat pages as a workaround, but it would be nice if the
man pages would format with nroff -man

--jeh
Asst. Systems Administrator
Research Computing Systems
UW Electrical Engineering

From jhpark at brainzsquare.com Mon Jul 10 14:52:13 2000
From: jhpark at brainzsquare.com (Jeong Hwan Park)
Date: Mon, 10 Jul 2000 13:52:13 +0900
Subject: No subject
Message-ID:

subscribe

----------------------------------------------
Jeong Hwan Park (jhpark at brainzsquare.com)
Senior System Engineer
Brainzsquare, Inc. (http://www.brainzsquare.com)
I live in http://zelcom.inticity.com. Visit if you have times!
----------------------------------------------

From Steve.Marquess at DET.AMEDD.ARMY.MIL Tue Jul 11 00:02:10 2000
From: Steve.Marquess at DET.AMEDD.ARMY.MIL (Marquess, Steve Mr JMLFDC)
Date: Mon, 10 Jul 2000 10:02:10 -0400
Subject: 2.1.1p2 HP-UX 11 timing error
Message-ID:

Kevin:

You are right about the patch, read() is indeed returning EWOULDBLOCK,
but HP has a June 14, 2000 cumulative patch (s700_800 11.00 cumulative
ARPA Transport patch) that supposedly fixes the
EWOULDBLOCK-instead-of-EAGAIN problem (PHNE_21767, either obsoleting two
earlier patches or "Not yet HP recommended" depending on how you query).
I'll try it out on an in-house system.

Unfortunately it will take us quite a while to run this substantial
looking patch through our QA process and push it to our deployed systems
worldwide (auto-reboot in particular is a problem), so in the meantime
I'll still need to hack atomicio.c locally.

Good tip, though, thanks.

BTW I'm seeing the same General Commercial Security error you've
reported (HP-UX B.11.0, same pam.conf).

-Steve M.

-----Original Message-----
From: Kevin Steves [mailto:stevesk at sweden.hp.com]
Sent: Saturday, July 08, 2000 11:38 AM
To: Marquess, Steve Mr JMLFDC
Cc: openssh-unix-dev at mindrot.org
Subject: Re: 2.1.1p2 HP-UX 11 timing error

Hi,

On Thu, 6 Jul 2000, Marquess, Steve Mr JMLFDC wrote:
: FYI in order to get 2.1.1p2 to work on my HP-UX 11.0 systems I had to patch
: atomicio.c for EWOULDBLOCK (HP read() does not give the POSIX return code).
: The new atomicio() is a clean fix for this timing problem; all it needs now
: is this one little tweak.
:
. . <> . .

Which problem(s) does this fix? If read() is really returning
EWOULDBLOCK instead of EAGAIN for POSIX non-blocking IO we should file a
defect and get it fixed.

There was an old problem with send() returning EWOULDBLOCK that was
fixed over a year ago. Which ARPA transport patch do you have installed?
This was the defect information in the patch README:

( SR number: [5003446658/STARS-ACTIVE/English] ; Defect: JAGaa45906 )
send() when called non-blocking returns EWOULDBLOCK rather than EAGAIN.

I have a test program and I don't see EWOULDBLOCK for sockets.

From ust at cert.siemens.de Tue Jul 11 01:53:00 2000
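The retry loop this thread is arguing about, as an added example rather than OpenSSH's own atomicio.c: EWOULDBLOCK is treated like EAGAIN without an _HPUX_SOURCE guard, a constructed flaky reader (flaky_read, a name chosen here) shows the loop reassembling a message through three transient errors and five short reads, and pipe_roundtrip_ok runs the same loop over a real pipe with the real read() and write().

```c
/* Added example of the atomicio() contract: keep calling f() (read() or
 * write()) until all n bytes have moved.  Not OpenSSH's atomicio.c. */
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Returns n on success, 0 on EOF, -1 on a hard error (errno set by f()).
 * EINTR, EAGAIN and EWOULDBLOCK are retried; EWOULDBLOCK is tested
 * unconditionally because it exists on every platform of interest and on
 * many is the same value as EAGAIN.  On a non-blocking descriptor this
 * loop spins until data arrives, so it is meant for blocking descriptors,
 * which is how sshd drives it.
 */
ssize_t
atomicio(ssize_t (*f)(int, void *, size_t), int fd, void *_s, size_t n)
{
	char *s = _s;
	ssize_t res, pos = 0;

	while (n > (size_t)pos) {
		res = (f)(fd, s + pos, n - pos);
		switch (res) {
		case -1:
			if (errno == EINTR || errno == EAGAIN ||
			    errno == EWOULDBLOCK)
				continue;
			return -1;
		case 0:
			return 0;		/* EOF before n bytes */
		default:
			pos += res;
		}
	}
	return pos;
}

/* Constructed stand-in for the HP-UX read() described in the thread: the
 * first three calls fail with EINTR, EWOULDBLOCK and EAGAIN, after which
 * the constructed message is delivered in chunks of at most 4 bytes. */
static const char flaky_data[] = "the quick brown fox";
static size_t flaky_off;
static int flaky_calls;

static ssize_t
flaky_read(int fd, void *buf, size_t n)
{
	size_t left;

	(void)fd;
	flaky_calls++;
	switch (flaky_calls) {
	case 1: errno = EINTR;       return -1;
	case 2: errno = EWOULDBLOCK; return -1;
	case 3: errno = EAGAIN;      return -1;
	default: break;
	}
	left = sizeof(flaky_data) - 1 - flaky_off;
	if (left == 0)
		return 0;			/* EOF */
	if (n > 4)
		n = 4;
	if (n > left)
		n = left;
	memcpy(buf, flaky_data + flaky_off, n);
	flaky_off += n;
	return (ssize_t)n;
}

/* Returns 1 if atomicio() reassembled the 19-byte message despite the
 * three transient errors and the short reads (3 failures + 5 chunks = 8
 * calls into flaky_read). */
int
flaky_demo_ok(void)
{
	char buf[sizeof(flaky_data)];
	ssize_t got;

	flaky_off = 0;
	flaky_calls = 0;
	memset(buf, 0, sizeof(buf));
	got = atomicio(flaky_read, -1, buf, sizeof(flaky_data) - 1);
	return got == (ssize_t)(sizeof(flaky_data) - 1) &&
	    memcmp(buf, flaky_data, sizeof(flaky_data) - 1) == 0 &&
	    flaky_calls == 8;
}

/* Round trip through a real pipe with the real read()/write(); write() is
 * cast to the read()-style prototype the way OpenSSH calls it.  The
 * constructed message fits the pipe buffer, so no second process is needed.
 * Returns 1 on success. */
int
pipe_roundtrip_ok(void)
{
	int fds[2], ok;
	const char msg[] = "SSH-1.99-OpenSSH_2.1.1";
	char buf[sizeof(msg)];

	if (pipe(fds) == -1)
		return 0;
	memset(buf, 0, sizeof(buf));
	ok = atomicio((ssize_t (*)(int, void *, size_t))write, fds[1],
	    (void *)msg, sizeof(msg)) == (ssize_t)sizeof(msg) &&
	    atomicio(read, fds[0], buf, sizeof(msg)) == (ssize_t)sizeof(msg) &&
	    memcmp(buf, msg, sizeof(msg)) == 0;
	close(fds[0]);
	close(fds[1]);
	return ok;
}
```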
From: ust at cert.siemens.de (Udo Schweigert) Date: Mon, 10 Jul 2000 17:53:00 +0200 Subject: OpenSSH port to ReliantUNIX Message-ID: <20000710175300.A89000@alaska.cert.siemens.de> Hi all, I just managed to get OpenSSH working on ReliantUNIX, which is the SVR4- compatible UNIX from Fujitsu-Siemens (formerly known as SNI). Patch is attached. Up to now I do not know why it does not work with IP_TOS, but I needed to switch it off. Anyway: it works here in our lab without any problems. Many thanks for OpenSSH and best regards. Udo -- Udo Schweigert, Siemens AG | Voice : +49 89 636 42170 ZT IK 3, Siemens CERT | Fax : +49 89 636 41166 D-81730 Muenchen / Germany | email : ust at cert.siemens.de PGP-2/5 fingerprint | D8 A5 DF 34 EC 87 E8 C6 E2 26 C4 D0 EE 80 36 B2 diff -ru openssh-2.1.1p2.orig/configure openssh-2.1.1p2/configure --- openssh-2.1.1p2.orig/configure Sat Jul 1 11:43:09 2000 +++ openssh-2.1.1p2/configure Mon Jul 10 15:16:05 2000 @@ -1442,6 +1442,13 @@ done ;; +*-sni-sysv*) + CFLAGS="$CFLAGS -I/usr/local/include" + LDFLAGS="$LDFLAGS -L/usr/local/lib -L/usr/ucblib" + MANTYPE='$(CATMAN)' + mansubdir=cat + LIBS="$LIBS -lgen -lnsl -lsocket -lucb" + ;; *-*-sysv*) CFLAGS="$CFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" diff -ru openssh-2.1.1p2.orig/packet.c openssh-2.1.1p2/packet.c --- openssh-2.1.1p2.orig/packet.c Thu Jun 22 13:32:31 2000 +++ openssh-2.1.1p2/packet.c Mon Jul 10 15:28:10 2000 @@ -48,6 +48,10 @@ #define DBG(x) #endif +#ifdef SNI +#undef IP_TOS +#endif + /* * This variable contains the file descriptors used for communicating with * the other side. connection_in is used for reading; connection_out for From ede370 at stl.rural.usda.gov Tue Jul 11 06:08:43 2000 
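Review bot: the first hunk patches the generated `configure` script rather than `configure.in`, so the `*-sni-sysv*` case is lost the next time autoconf runs; move it into configure.in directly above the existing `*-*-sysv*` case, keeping that order, since the more specific pattern has to be matched first.

Review bot: nothing in the patch defines `SNI`, so unless it is a compiler built-in on ReliantUNIX the `#undef IP_TOS` in packet.c never fires; either say in a comment where SNI comes from or have the `*-sni-sysv*` case in configure define it. The cover note says it is unknown why IP_TOS fails there, so a comment recording that this is a workaround and what symptom it avoids would save the next porter a trip.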
From: ede370 at stl.rural.usda.gov (Ed Eden)
Date: Mon, 10 Jul 2000 15:08:43 -0500
Subject: scp host 2 host error
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

anyone else?

scp host1:z host2:z

after I enter password and press return, I get:

You have no controlling tty. Cannot read passphrase.

lost connection

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBOWosNq70i5HtNtMYEQIaPwCgvXur2EidBy2l5wcGc5bM0W6Zxr8An0+7
tYBcLmY2pDZJmKTNeStgyMuY
=qhHX
-----END PGP SIGNATURE-----

From rjune at ims1.imagestream-is.com Tue Jul 11 06:16:29 2000
From: rjune at ims1.imagestream-is.com (Richard June)
Date: Mon, 10 Jul 2000 15:16:29 -0500 (EST)
Subject: scp host 2 host error
In-Reply-To:
Message-ID:

If I remember correctly that was bad permissions on /dev/tty, however I
was using slak, so YMMV, I set it to 664 I believe.

On Mon, 10 Jul 2000, Ed Eden wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> anyone else?
>
> scp host1:z host2:z
>
> after I enter password and press return, I get:
>
> You have no controlling tty. Cannot read passphrase.
>
> lost connection
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Personal Privacy 6.5.3
>
> iQA/AwUBOWosNq70i5HtNtMYEQIaPwCgvXur2EidBy2l5wcGc5bM0W6Zxr8An0+7
> tYBcLmY2pDZJmKTNeStgyMuY
> =qhHX
> -----END PGP SIGNATURE-----

From GLeblanc at cu-portland.edu Tue Jul 11 06:31:46 2000
From: GLeblanc at cu-portland.edu (Gregory Leblanc)
Date: Mon, 10 Jul 2000 13:31:46 -0700
Subject: OpenSSH on RH SPARC
Message-ID:

> -----Original Message-----
> From: Damien Miller [mailto:djm at mindrot.org]
> Sent: Sunday, July 09, 2000 4:28 AM
> To: Gregory Leblanc
> Cc: OpenSSH List (E-mail)
> Subject: RE: OpenSSH on RH SPARC
>
> On Fri, 7 Jul 2000, Gregory Leblanc wrote:
>
> > Building the RPM, as I'm trying to keep all my software everywhere
> > under RPM control. Thanks,

Thanks, compiled cleanly, now I've got a real openssh-2.1.1p2-3.sparc.rpm,
and I'm building on my x86 machines as well.
    Grego

From djm at mindrot.org Tue Jul 11 09:46:25 2000
From: djm at mindrot.org (Damien Miller)
Date: Tue, 11 Jul 2000 09:46:25 +1000 (EST)
Subject: OpenSSH port to ReliantUNIX
In-Reply-To: <20000710175300.A89000@alaska.cert.siemens.de>
Message-ID:

On Mon, 10 Jul 2000, Udo Schweigert wrote:

> Hi all,
>
> I just managed to get OpenSSH working on ReliantUNIX, which is the SVR4-
> compatible UNIX from Fujitsu-Siemens (formerly known as SNI).

Thanks!

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Tue Jul 11 09:47:39 2000
From: djm at mindrot.org (Damien Miller)
Date: Tue, 11 Jul 2000 09:47:39 +1000 (EST)
Subject: scp host 2 host error
In-Reply-To:
Message-ID:

On Mon, 10 Jul 2000, Ed Eden wrote:

> scp host1:z host2:z
>
> after I enter password and press return, I get:
>
> You have no controlling tty. Cannot read passphrase.

What are the permissions of /dev/tty? They should be 0666.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From willard.dawson at sbs.siemens.com Tue Jul 11 11:38:09 2000
From: willard.dawson at sbs.siemens.com (Willard Dawson)
Date: Mon, 10 Jul 2000 21:38:09 -0400
Subject: scp host 2 host error
In-Reply-To: ; from djm@mindrot.org on Tue, Jul 11, 2000 at 09:47:39AM +1000
References:
Message-ID: <20000710213809.A20034@wdawson-sun.sbs.siemens.com>

On Tue, Jul 11, 2000 at 09:47:39AM +1000, Damien Miller wrote:
> On Mon, 10 Jul 2000, Ed Eden wrote:
>
> > scp host1:z host2:z
> >
> > after I enter password and press return, I get:
> >
> > You have no controlling tty. Cannot read passphrase.
>
> What are the permissions of /dev/tty? They should be 0666.

In the other ssh, this means that host2 does not accept your credentials,
and is in the position of asking for a password/passphrase. That is, if
you ssh first to host1, and then try to either ssh or scp from there to
host2, you'll see an interaction. Since there is no controlling tty when
doing dereferenced scp's (as above), the process fails.

Perhaps it's time for you to try ssh-agent, along with installing the
authorized_keys on affected servers.

--
Willard Francis Otto Dawson         +1 770 814 5099 / +1 770 814 5202 FAX
Siemens Business Services, ENS      mailto:willard.dawson at sbs.siemens.com
4570 River Green Pkwy, Ste 140      http://www.sbs.siemens.com/
Duluth, GA 30096-2564               Standard disclaimer applies.

From djm at mindrot.org Tue Jul 11 18:33:59 2000
From: djm at mindrot.org (Damien Miller) Date: Tue, 11 Jul 2000 18:33:59 +1000 (EST) Subject: Test snapshot Message-ID: Can interested users please test the latest snapshot at http://www.mindrot.org/misc/junk/openssh-SNAP-2000071102.tar.gz It contains quite a few fixes for small problems that have been reported in the last few weeks. Pending feedback it is going to become 2.1.1p3 Regards, Damien Miller --------------- Changelog: 20000711 - (djm) Fixup for AIX getuserattr() support from Tom Bertelson - (djm) ReliantUNIX support from Udo Schweigert - (djm) NeXT: dirent structures to get scp working from Ben Lindstrom - (djm) Fix broken inet_ntoa check and ut_user/ut_name confusion, report from Jim Watt - (djm) Replaced bsd-snprintf.c with one from Mutt source tree, it is known to compile on more platforms (incl NeXT). - (djm) Added bsd-inet_aton and configure support for NeXT - (djm) Misc NeXT fixes from Ben Lindstrom - (djm) OpenBSD CVS updates: - markus at cvs.openbsd.org 2000/06/26 03:22:29 [authfd.c] cleanup, less cut&paste - markus at cvs.openbsd.org 2000/06/26 15:59:19 [servconf.c servconf.h session.c sshd.8 sshd.c] MaxStartups: limit number of unauthenticated connections, work by theo and me - deraadt at cvs.openbsd.org 2000/07/05 14:18:07 [session.c] use no_x11_forwarding_flag correctly; provos ok - provos at cvs.openbsd.org 2000/07/05 15:35:57 [sshd.c] typo - aaron at cvs.openbsd.org 2000/07/05 22:06:58 [scp.1 ssh-agent.1 ssh-keygen.1 sshd.8] Insert more missing .El directives. Our troff really should identify these and spit out a warning. 
   - todd at cvs.openbsd.org 2000/07/06 21:55:04
     [auth-rsa.c auth2.c ssh-keygen.c]
     clean code is good code
   - deraadt at cvs.openbsd.org 2000/07/07 02:14:29
     [serverloop.c]
     sense of port forwarding flag test was backwards
   - provos at cvs.openbsd.org 2000/07/08 17:17:31
     [compat.c readconf.c]
     replace strtok with strsep; from David Young
   - deraadt at cvs.openbsd.org 2000/07/08 19:21:15
     [auth.h]
     KNF
   - ho at cvs.openbsd.org 2000/07/08 19:27:33
     [compat.c readconf.c]
     Better conditions for strsep() ending.
   - ho at cvs.openbsd.org 2000/07/10 10:27:05
     [readconf.c]
     Get the correct message on errors. (niels@ ok)
   - ho at cvs.openbsd.org 2000/07/10 10:30:25
     [cipher.c kex.c servconf.c]
     strtok() --> strsep(). (niels@ ok)
 - (djm) Fix problem with debug mode and MaxStartups

20000709
 - (djm) Only enable PAM_TTY kludge for Linux. Problem report from Kevin Steves
 - (djm) Match prototype and function declaration for rresvport_af. Problem report from Niklas Edmundsson
 - (djm) Missing $(DESTDIR) on host-key target causing problems with RPM builds. Problem report from Gregory Leblanc
 - (djm) Replace ut_name with ut_user. Patch from Jim Watt
 - (djm) Fix pam sprintf fix
 - (djm) Cleanup entropy collection code a little more. Split initialisation from seeding, perform initialisation immediately at start, be careful with uids. Based on problem report from Jim Watt
 - (djm) More NeXT compatibility from Ben Lindstrom. Including sigaction() et al. replacements
 - (djm) AIX getuserattr() session initialisation from Tom Bertelson

20000708
 - (djm) Fix bad fprintf format handling in auth-pam.c. Patch from Aaron Hopkins
 - (djm) Fix incorrect configure handling of --with-rsh-path option. Fix from Lutz Jaenicke
 - (djm) Fixed undefined variables for OSF SIA. Report from Baars, Henk
 - (djm) Handle EWOULDBLOCK returns from read() and write() in atomicio.c. Fix from Marquess, Steve Mr JMLFDC
 - (djm) Don't use inet_addr.
20000702
 - (djm) Fix brace mismatch from Corinna Vinschen
 - (djm) Stop shadow expiry checking from preventing logins with NIS. Based on fix from HARUYAMA Seigo
 - (djm) Use standard OpenSSL functions in auth-skey.c. Patch from Chris, the Young One
 - (djm) Fix scp progress meter on really wide terminals. Based on patch from James H. Cloos Jr.
---------------

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From kengelha at advance-bank.de Tue Jul 11 21:36:17 2000
From: kengelha at advance-bank.de (kengelha at advance-bank.de)
Date: Tue, 11 Jul 2000 12:36:17 +0100
Subject: Test snapshot
Message-ID: <41256919.003FBFB5.00@mailint.dmz.advance-bank.de>

Hi,

strsep doesn't seem to be supported on hpux (same on solaris)... Is it possible to supply BSD sources as seems to be already done for strlcpy etc ?

cc -o ssh ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o -L. -L/opt/zlib/lib -L/opt/openssl/lib -L/opt/openssl -lssh -lopenbsd-compat -lnsl -lz -lpam -lcrypto
/usr/ccs/bin/ld: Unsatisfied symbols:
   strsep (code)
*** Error exit code 1

Stop.

Thanks,
Klaus Engelhardt

From stevesk at sweden.hp.com Tue Jul 11 21:04:29 2000
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Tue, 11 Jul 2000 13:04:29 +0200 (CEST)
Subject: Test snapshot
In-Reply-To: <41256919.003FBFB5.00@mailint.dmz.advance-bank.de>
Message-ID: <200007111101.NAA17297@b0fh.sweden.hp.com>

On Tue, 11 Jul 2000 kengelha at advance-bank.de wrote:
: strsep doesn't seem to be supported on hpux (same on solaris)... Is it possible

Yes, HP-UX libc doesn't have strsep().

From djm at mindrot.org Tue Jul 11 21:39:09 2000
From: djm at mindrot.org (Damien Miller)
Date: Tue, 11 Jul 2000 21:39:09 +1000 (EST)
Subject: Test snapshot
In-Reply-To: <200007111101.NAA17297@b0fh.sweden.hp.com>
Message-ID:

On Tue, 11 Jul 2000, Kevin Steves wrote:
> On Tue, 11 Jul 2000 kengelha at advance-bank.de wrote:
> : strsep doesn't seem to be supported on hpux (same on solaris)...
> Is it possible
>
> Yes, HP-UX libc doesn't have strsep().

Forgot about this one :(

A new snapshot with a strsep fresh from OpenBSD's libc is available at:

http://www.mindrot.org/misc/junk/openssh-SNAP-2000071103.tar.gz

Thanks,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From Nils at InfoSun.FMI.Uni-Passau.De Wed Jul 12 01:25:10 2000
From: Nils at InfoSun.FMI.Uni-Passau.De (Nils Ellmenreich)
Date: Tue, 11 Jul 2000 17:25:10 +0200 (MEST)
Subject: Test snapshot
Message-ID: <14699.15446.288772.28583@skrjabin.fmi.uni-passau.de>

Hi Damien,

thanks for the new snapshot. I just tried openssh-2000071103 on Sparc Solaris 8 using gcc 2.95.2. Unfortunately, the bug I reported last week is still there. The OpenSSH sshd sets up the terminal in such a way that SIGINT is being ignored. You cannot Ctrl-C a sleep 5, say. This can be observed using Bourne Shell and bash. zsh and su seem to reset the signal handlers, so the problem doesn't exist there.

I've been looking around pty.c and compared it to the old SSH1 version. They are a bit different, but I couldn't identify a piece of code that would be the reason for the different behaviour. If you have suggestions what to try I'd be happy to volunteer. ;-)

Cheers,
Nils

--
Nils Ellmenreich - Fakultaet fuer Math./Informatik - Nils @
http://www.fmi.uni-passau.de/~nils - Univ. Passau - Uni-Passau.DE

From douglas.manton at uk.ibm.com Wed Jul 12 02:07:46 2000
From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com)
Date: Tue, 11 Jul 2000 17:07:46 +0100
Subject: ASCII mode for scp
Message-ID: <80256919.00589ACE.00@d06mta05.portsmouth.uk.ibm.com>

Folks,

One feature of FTP that was useful in my environment was the ability to add/remove LFs from ASCII files when moving them between PC and UNIX systems. I use scp in place of ftp wherever possible but have to manually "tr -d" them on the other side.

Any way to implement this feature as an option? If the file has CR/LFs then strip or if the file has CRs add.

    e.g.  scp -a localfile.txt me at remotehost:remotefile.txt

Many thanks,
--------------------------------------------------------
Doug Manton, AT&T EMEA Firewall and Security Solutions
              douglas.manton at uk.ibm.com
--------------------------------------------------------
"This company has performed an illegal operation and will be shut down. If the problem persists, contact your vendor or appeal to a higher court"

From heffner at darkness.net Wed Jul 12 02:19:04 2000
From: heffner at darkness.net (heffner)
Date: Tue, 11 Jul 2000 10:19:04 -0600
Subject: persistant err message "tvp!=NULL"
Message-ID: <20000711101903.F26006@darkness.net>

=== not on the list, please cc ===

Greetings. I've STFW, and I've really not seen any reference to this.

Recently I changed from loglevel info to loglevel debug. After I did that, I started getting a PLETHORA of odd logs. I changed back to LogLevel INFO, but I do still get these messages, which kinda worry me:

Jul 11 10:10:13 cabal sshd[26003]: debug: tvp!=NULL kid 0 mili 10
Jul 11 10:10:40 cabal last message repeated 107 times

I get A LOT of these. Pretty much persistent. Doesn't matter if no one is logged in or not. I get a lot of these.. earlier today:

Jul 11 06:41:02 cabal sshd[21774]: debug: tvp!=NULL kid 0 mili 10
Jul 11 06:41:34 cabal last message repeated 29 times
Jul 11 06:43:35 cabal last message repeated 219 times
Jul 11 06:48:26 cabal last message repeated 866 times

So basically, 2 or 3 of those errs per second. What's goin' on here?

version info, etc:

S heffner at cabal ~ % uname -a
OpenBSD cabal 2.7 CABAL#1 i386
S heffner at cabal ~ % ssh -V
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
S heffner at cabal ~ % ls -l /usr/lib/libssl*
-r--r--r--  1 root  bin  221906 Jun 27 09:13 /usr/lib/libssl.a
-r--r--r--  1 root  bin  200076 Apr 13 13:04 /usr/lib/libssl.so.2.2
-r--r--r--  1 root  bin  200076 Jun 27 09:13 /usr/lib/libssl.so.2.4
-r--r--r--  1 root  bin  239830 Jun 27 09:13 /usr/lib/libssl_p.a
-r--r--r--  1 root  bin  254408 Jun 27 09:13 /usr/lib/libssl_pic.a

Larger snippet of logs in DEBUG:

Jul 11 10:16:55 cabal sudo: heffner : TTY=ttyp2 ; PWD=/home/heffner ; USER=root ; COMMAND=/usr/sbin/sshd
Jul 11 10:16:55 cabal sshd[26003]: debug: tvp!=NULL kid 0 mili 10
Jul 11 10:16:55 cabal sshd[5032]: debug: Bind to port 22 on ::.
Jul 11 10:16:55 cabal sshd[26003]: debug: tvp!=NULL kid 0 mili 10
Jul 11 10:16:55 cabal sshd[5032]: Server listening on :: port 22.
Jul 11 10:16:55 cabal sshd[5032]: debug: Bind to port 22 on 0.0.0.0.
Jul 11 10:16:55 cabal sshd[5032]: Server listening on 0.0.0.0 port 22.
Jul 11 10:16:55 cabal sshd[5032]: Generating 768 bit RSA key.
Jul 11 10:16:55 cabal sshd[5032]: RSA key generation complete.
Jul 11 10:16:56 cabal sshd[26003]: debug: tvp!=NULL kid 0 mili 10
Jul 11 10:16:58 cabal last message repeated 19 times
Jul 11 10:17:00 cabal sshd[22736]: debug: tvp!=NULL kid 0 mili 10
Jul 11 10:17:01 cabal sshd[26003]: debug: tvp!=NULL kid 0 mili 10

Config file:

S heffner at cabal ~ % cat /etc/sshd_config
# This is ssh server systemwide configuration file.

Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh_host_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes

# Logging
SyslogFacility AUTH
LogLevel DEBUG
#obsoletes QuietMode and FascistLogging

RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
#
RSAAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
#SkeyAuthentication no

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

#CheckMail yes
#UseLogin no

Anything I'm missing?

Thank you!
-jeremy

=== not on the list, please cc ===

--
---------------------------------------------------------------------------
Jeremy Heffner -- heffner at darkness.net
Darkness Network Engineering
PGP public key available on request
My thoughts and opinions represent no one but myself
---------------------------------------------------------------------------

From garrick at james.net Wed Jul 12 02:38:20 2000
From: garrick at james.net (Garrick James)
Date: Tue, 11 Jul 2000 09:38:20 -0700 (PDT)
Subject: X11 Forwarding Problems
In-Reply-To:
Message-ID:

I have run into a strange problem with openssh-2.1.1p2. I have it installed on two Linux machines (both Debian Slink). When connecting to them using Tera Term Pro with SSH extensions (a windows SSH1 client), X11 forwarding works fine. The problem is when I try to ssh from one Linux machine to the other. No X11 forwarding is ever set up.

I ran debug runs of both the client and server ends. The client gives a debug message saying that it is requesting X11 forwarding using authentication spoofing. At about the same time, the server gives a debug message saying that X11 forwarding is disabled in the user's config file. The end result is that no X11 forwarding is set up.

Neither of the systems have $HOME/.ssh/config files for the users I've been using for testing. Both machines have "X11Forwarding yes" in the system-wide sshd_config file and both machines have "ForwardX11 yes" in the system-wide ssh_config file.

Has anyone else seen this problem? Anyone have any ideas what could be wrong? Am I brain dead and just setting something up wrong, or is there indeed a bug crawling around here?

TIA,
Garrick

From mouring at pconline.com Wed Jul 12 03:25:34 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Tue, 11 Jul 2000 12:25:34 -0500 (CDT)
Subject: Test snapshot
In-Reply-To:
Message-ID:

On Tue, 11 Jul 2000, Damien Miller wrote:

> On Tue, 11 Jul 2000, Kevin Steves wrote:
>
> > On Tue, 11 Jul 2000 kengelha at advance-bank.de wrote:
> > : strsep doesn't seem to be supported on hpux (same on solaris)...
> > Is it possible
> >
> > Yes, HP-UX libc doesn't have strsep().
>
> Forgot about this one :(
>
> A new snapshot with a strsep fresh from OpenBSD's libc is available
> at:
>
> http://www.mindrot.org/misc/junk/openssh-SNAP-2000071103.tar.gz
>

Snapshot works like a charm under m68k NeXT, but fails under HPPA NeXT in bsd-inet_aton.c since 'in_addr_t' is not defined. The following should be inserted after the #include statements.

    #ifndef in_addr_t
    typedef u_int32_t in_addr_t;
    #endif

Unsure how this affects the new IPv6 platform. But I suspect that all those should have a valid inet_aton.c so it's just the old IPv4 boxes we have to worry about. =)

You can remove the warning about expecting scp to fail in the configure script.

Only minor thing (non-show stopper) is during the xauth check it attempts to use 'dirname' which does not exist and just gives an error and goes on with the configure process. Since NeXT (by default) has no xauth it does not affect the compile.

Which leaves the NeXT Port usable, but with two bugs. (Yay.. )

1) utmp/wtmp brokenness (partly related to ttyslot issues)
2) ^C/^Z not returning echo to the shell when at the password prompt of 'ssh'.

Ben Lindstrom

From mouring at pconline.com Wed Jul 12 04:32:14 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Tue, 11 Jul 2000 13:32:14 -0500 (CDT)
Subject: Test snapshot
In-Reply-To:
Message-ID:

Minor Correction.. (I hate replying to myself)

On Tue, 11 Jul 2000, Ben Lindstrom wrote:

> On Tue, 11 Jul 2000, Damien Miller wrote:
[..]
> Snapshot works like a charm under m68k NeXT, but fails under
> HPPA NeXT in bsd-inet_aton.c since 'in_addr_t' is not defined. The
> following should be inserted after the #include statements.
>
> #ifndef in_addr_t
> typedef u_int32_t in_addr_t;
> #endif
>

FYI.. the above is a NeXT 3.3 issue..not an HPPA issue.=) (It was pointed out to me it sounds like an HPPA problem..sorry =)

> Only minor thing (non-show stopper) is during the xauth check it
> attempts to use 'dirname' which does not exist and just gives an
> error and goes on with the configure process. Since NeXT (by default)
> has no xauth it does not affect the compile.
>

It's not actually 'xauth' that fails (well, it does, but it's not what is in question =).. it's the line afterwards. When it's attempting to detect the mailbox locations from the $MAIL variable (Which does not get set by default under NeXT). Provide conf_mail_dir= for platforms that don't have detectable locations.

Matthew C. Weigel has a dirname.c from the FreeBSD group that works under NeXT. I'm not sure if it's really required. But Damien if you think it's the best route ask him for a copy.

Ben Lindstrom

From djm at mindrot.org Wed Jul 12 11:09:58 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 12 Jul 2000 11:09:58 +1000 (EST)
Subject: X11 Forwarding Problems
In-Reply-To:
Message-ID:

On Tue, 11 Jul 2000, Garrick James wrote:

> Has anyone else seen this problem? Anyone have any ideas what could be
> wrong? Am I brain dead and just setting something up wrong, or is there
> indeed a bug crawling around here?

There has been at least one bug relating to X forwarding fixed recently. Can you replicate your problem with the snapshots at http://www.mindrot.org/misc/junk ?

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Wed Jul 12 11:14:58 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 12 Jul 2000 11:14:58 +1000 (EST)
Subject: Test snapshot
In-Reply-To: <14699.15446.288772.28583@skrjabin.fmi.uni-passau.de>
Message-ID:

On Tue, 11 Jul 2000, Nils Ellmenreich wrote:

>
> Hi Damien,
>
> thanks for the new snapshot. I just tried openssh-2000071103 on Sparc
> Solaris 8 using gcc 2.95.2. Unfortunately, the bug I reported last week
> is still there. The OpenSSH sshd sets up the terminal in such a way that
> SIGINT is being ignored. You cannot Ctrl-C a sleep 5, say.

Can any other Solaris users replicate this problem?

A comparative truss of (say) telnetd vs ssh's terminal setup may help.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From garrick at james.net Wed Jul 12 14:16:55 2000
From: garrick at james.net (Garrick James)
Date: Tue, 11 Jul 2000 21:16:55 -0700 (PDT)
Subject: X11 Forwarding Problems
In-Reply-To:
Message-ID:

Thanks! I grabbed openssh-SNAP-2000071103 and it works now. I thought I was keeping up on the list messages, but I must have missed this bug fix earlier.

Thanks to all those who have helped make OpenSSH so great!

On Wed, 12 Jul 2000, Damien Miller wrote:

> > Has anyone else seen this problem? Anyone have any ideas what could be
> > wrong? Am I brain dead and just setting something up wrong, or is there
> > indeed a bug crawling around here?
>
> There has been at least one bug relating to X forwarding fixed
> recently. Can you replicate your problem with the snapshots at
> http://www.mindrot.org/misc/junk ?
>
> -d

From hanson at phat.shugashack.com Wed Jul 12 18:11:29 2000
From: hanson at phat.shugashack.com (Andy Hanson)
Date: Wed, 12 Jul 2000 03:11:29 -0500 (CDT)
Subject: Problems with Port Forwarding and Password auth
Message-ID: <200007120811.DAA11117@phat.shugashack.com>

Secure FTP through SecureFX 1.8B3: issues (Using OpenSSH 2.1.1p2)

I downloaded the latest SecureFX because it now claims support for OpenSSH. I'm like cool, now I'll finally be able to secure my ftp on my gateway.

First off, I really like the new configure. Everything went ok, I could ssh into the box just fine. Unfortunately ftp didn't work through SecureFX. I would get this error back from OpenSSH "Opening channel administratively prohibited bla bla". The SecureFX people thought it meant I didn't have my ftp server working right, but that clearly wasn't true. So I decided it was time to dig out the source. (I love that about open source).

Anyways, after a few moments of checking, I was able to trace the problem down to this line in input_direct_tcpip()

    ...
    if (! no_port_forwarding_flag)
    ...

Basically the no_port_forwarding_flag was set to 0. Which seemed odd because I set the GatewayPorts to yes, in the sshd_config. So I look further, and it seems that the no_port_forwarding_flag only is set in one place inside sshd. That is in auth_parse_options(). Unfortunately auth_parse_options() is only called by user_dsa_key_allowed() which is in turn only called by ssh2_auth_pubkey() which due to this if statement in input_userauth_request()

    if (pw && strcmp(service, "ssh-connection")==0) {
        if (strcmp(method, "none") == 0) {
            authenticated = ssh2_auth_none(pw);
        } else if (strcmp(method, "password") == 0) {
            authenticated = ssh2_auth_password(pw);
        } else if (strcmp(method, "publickey") == 0) {
            authenticated = ssh2_auth_pubkey(pw, service);
        }
    }

never gets called because it is authenticated by ssh2_auth_password() first. So in effect, it is never possible for the no_port_forwarding_flag to be ==1.
So, for a long story made short, setting the default value of no_port_forwarding_flag=1 fixes my problem for SecureFX. But it seems to me that the problem goes deeper in that port forwarding does not seem to work under any circumstance for password authentication. Only authentication through public keys seems to allow it.

As a side question, that this process got me thinking about. For password authentication is the username/password pair encrypted using an RSA session key through SSH v1 and v2? Or is it encrypted through some other form?

Andy

From J.Horne at plymouth.ac.uk Wed Jul 12 20:32:35 2000
From: J.Horne at plymouth.ac.uk (John Horne)
Date: Wed, 12 Jul 2000 11:32:35 +0100 (BST)
Subject: Test snapshot
In-Reply-To:
Message-ID:

On 12-Jul-00 at 01:14:58 Damien Miller wrote:
> On Tue, 11 Jul 2000, Nils Ellmenreich wrote:
>> thanks for the new snapshot. I just tried openssh-2000071103 on Sparc
>> Solaris 8 using gcc 2.95.2. Unfortunately, the bug I reported last week
>> is still there. The OpenSSH sshd sets up the terminal in such a way that
>> SIGINT is being ignored. You cannot Ctrl-C a sleep 5, say.
>
> Can any other Solaris users replicate this problem?
>
Yup, I can confirm...:-( (Same software versions as well)

> A comparative truss of (say) telnetd vs ssh's terminal setup may help.
>
A simple 'stty -a' shows no differences (-ignbrk and brkint are present). A truss of an ssh connection and a telnet connection does show differences (obviously), but the important bit I guess is the sigaction(SIGINT..) bits. Of which both seem okay:

(part of the telnet trace)

connect(4, 0xFFBEF894, 16, 1) = 0
open("/export/home/jhorne/.telnetrc", O_RDONLY) Err#2 ENOENT
Connected to 0.
write(1, " C o n n e c t e d t o".., 16) = 16
Escape character is '^]'.
write(1, " E s c a p e c h a r a".., 26) = 26
sigaction(SIGINT, 0xFFBEF428, 0xFFBEF4A8) = 0
sigaction(SIGQUIT, 0xFFBEF428, 0xFFBEF4A8) = 0
sigaction(SIGPIPE, 0xFFBEF428, 0xFFBEF4A8) = 0
sigaction(SIGWINCH, 0xFFBEF428, 0xFFBEF4A8) = 0
sigaction(SIGTSTP, 0xFFBEF428, 0xFFBEF4A8) = 0
sigaction(SIGTSTP, 0xFFBEF390, 0xFFBEF410) = 0
ioctl(0, TCGETA, 0xFFBEF43C) = 0
ioctl(0, TCSETSW, 0xFFBEF4C4) = 0
ioctl(0, FIONBIO, 0xFFBEF4C0) = 0
ioctl(1, FIONBIO, 0xFFBEF4C0) = 0
ioctl(4, FIONBIO, 0xFFBEF530) = 0
setsockopt(4, 65535, 256, 0xFFBEF538, 4, 1) = 0

(and from ssh)

setsockopt(4, 65535, 8, 0xFFBEF6D4, 4, 1) = 0
getsockname(4, 0xFFBEF558, 0xFFBEF554, 1) = 0
setsockopt(4, 0, 3, 0xFFBEF6D0, 4, 1) = 0
setsockopt(4, 6, 1, 0xFFBEF6D4, 4, 1) = 0
write(4, "\0\0\005 aE8B1 L859AD313", 12) = 12
brk(0x000F5C48) = 0
brk(0x000F7C48) = 0
sigaction(SIGINT, 0xFFBEF438, 0xFFBEF4B8) = 0
sigaction(SIGQUIT, 0xFFBEF438, 0xFFBEF4B8) = 0
sigaction(SIGTERM, 0xFFBEF438, 0xFFBEF4B8) = 0
sigaction(SIGPIPE, 0xFFBEF438, 0xFFBEF4B8) = 0
sigaction(SIGWINCH, 0xFFBEF438, 0xFFBEF4B8) = 0
ioctl(0, TCGETS, 0xFFBEF4C0) = 0
ioctl(0, TCSETSW, 0xFFBEF4C0) = 0
fstat64(0, 0xFFBEF308) = 0
fcntl(0, F_SETFL, 0x00000080) = 0

As can be seen SIGINT is referenced similarly in both. It is only specified once in both as well. Note that the use of SIGQUIT (using the control-| keys) does work - a quit is generated. It is odd that SIGINT seems to be the only problem.

John.

--------------------------------------------------------------------------
John Horne, University of Plymouth, UK           Tel: +44 (0)1752 233914
E-mail: jhorne at plymouth.ac.uk
PGP key available from public key servers

From djm at mindrot.org Wed Jul 12 21:51:41 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 12 Jul 2000 21:51:41 +1000 (EST)
Subject: Announce: portable OpenSSH 2.1.1p3
Message-ID:

The 2.1.1p3 release of portable OpenSSH has been uploaded to the OpenBSD ftp master site. In a few hours it will be available from one of the many mirrors listed at:

http://www.openssh.com/portable.html

This release fixes several bugs reported since the previous release and extends portability to NeXT and Reliant Unix.

As usual, the OpenBSD team has been hard at work further polishing and enhancing OpenSSH. This release brings a new configuration directive "MaxStartups" which mitigates connection flooding attacks, further details are in the sshd man-page.

Another noteworthy difference from previous releases is that 'FallBackToRsh' now defaults to 'no'. Users of this feature may need to edit their /etc/ssh_config or ~/.ssh/config files to achieve the same behavior.

Again, thanks to those who reported bugs, tested the snapshot and sent fixes.

Regards,
Damien Miller

------------------
Changelog

20000712
 - (djm) Remove -lresolve for Reliant Unix
 - (djm) OpenBSD CVS Updates:
   - deraadt at cvs.openbsd.org 2000/07/11 02:11:34
     [session.c sshd.c ]
     make MaxStartups code still work with -d; djm
   - deraadt at cvs.openbsd.org 2000/07/11 13:17:45
     [readconf.c ssh_config]
     disable FallBackToRsh by default
 - (djm) Replace in_addr_t with u_int32_t in bsd-inet_aton.c. Report from Ben Lindstrom
 - (djm) Make building of X11-Askpass and GNOME-Askpass optional in RPM spec file.
 - (djm) Released 2.1.1p3

20000711
 - (djm) Fixup for AIX getuserattr() support from Tom Bertelson
 - (djm) ReliantUNIX support from Udo Schweigert
 - (djm) NeXT: dirent structures to get scp working from Ben Lindstrom
 - (djm) Fix broken inet_ntoa check and ut_user/ut_name confusion, report from Jim Watt
 - (djm) Replaced bsd-snprintf.c with one from Mutt source tree, it is known to compile on more platforms (incl NeXT).
 - (djm) Added bsd-inet_aton and configure support for NeXT
 - (djm) Misc NeXT fixes from Ben Lindstrom
 - (djm) OpenBSD CVS updates:
   - markus at cvs.openbsd.org 2000/06/26 03:22:29
     [authfd.c]
     cleanup, less cut&paste
   - markus at cvs.openbsd.org 2000/06/26 15:59:19
     [servconf.c servconf.h session.c sshd.8 sshd.c]
     MaxStartups: limit number of unauthenticated connections, work by theo and me
   - deraadt at cvs.openbsd.org 2000/07/05 14:18:07
     [session.c]
     use no_x11_forwarding_flag correctly; provos ok
   - provos at cvs.openbsd.org 2000/07/05 15:35:57
     [sshd.c]
     typo
   - aaron at cvs.openbsd.org 2000/07/05 22:06:58
     [scp.1 ssh-agent.1 ssh-keygen.1 sshd.8]
     Insert more missing .El directives. Our troff really should identify these and spit out a warning.
   - todd at cvs.openbsd.org 2000/07/06 21:55:04
     [auth-rsa.c auth2.c ssh-keygen.c]
     clean code is good code
   - deraadt at cvs.openbsd.org 2000/07/07 02:14:29
     [serverloop.c]
     sense of port forwarding flag test was backwards
   - provos at cvs.openbsd.org 2000/07/08 17:17:31
     [compat.c readconf.c]
     replace strtok with strsep; from David Young
   - deraadt at cvs.openbsd.org 2000/07/08 19:21:15
     [auth.h]
     KNF
   - ho at cvs.openbsd.org 2000/07/08 19:27:33
     [compat.c readconf.c]
     Better conditions for strsep() ending.
   - ho at cvs.openbsd.org 2000/07/10 10:27:05
     [readconf.c]
     Get the correct message on errors. (niels@ ok)
   - ho at cvs.openbsd.org 2000/07/10 10:30:25
     [cipher.c kex.c servconf.c]
     strtok() --> strsep(). (niels@ ok)
 - (djm) Fix problem with debug mode and MaxStartups
 - (djm) Don't generate host keys when $(DESTDIR) is set (e.g. during RPM builds)
 - (djm) Add strsep function from OpenBSD libc for systems that lack it

20000709
 - (djm) Only enable PAM_TTY kludge for Linux. Problem report from Kevin Steves
 - (djm) Match prototype and function declaration for rresvport_af. Problem report from Niklas Edmundsson
 - (djm) Missing $(DESTDIR) on host-key target causing problems with RPM builds.
   Problem report from Gregory Leblanc
 - (djm) Replace ut_name with ut_user. Patch from Jim Watt
 - (djm) Fix pam sprintf fix
 - (djm) Cleanup entropy collection code a little more. Split initialisation from seeding, perform initialisation immediately at start, be careful with uids. Based on problem report from Jim Watt
 - (djm) More NeXT compatibility from Ben Lindstrom. Including sigaction() et al. replacements
 - (djm) AIX getuserattr() session initialisation from Tom Bertelson

20000708
 - (djm) Fix bad fprintf format handling in auth-pam.c. Patch from Aaron Hopkins
 - (djm) Fix incorrect configure handling of --with-rsh-path option. Fix from Lutz Jaenicke
 - (djm) Fixed undefined variables for OSF SIA. Report from Baars, Henk
 - (djm) Handle EWOULDBLOCK returns from read() and write() in atomicio.c. Fix from Marquess, Steve Mr JMLFDC
 - (djm) Don't use inet_addr.

20000702
 - (djm) Fix brace mismatch from Corinna Vinschen
 - (djm) Stop shadow expiry checking from preventing logins with NIS. Based on fix from HARUYAMA Seigo
 - (djm) Use standard OpenSSL functions in auth-skey.c. Patch from Chris, the Young One
 - (djm) Fix scp progress meter on really wide terminals. Based on patch from James H. Cloos Jr.
------------------

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From Florian.Weimer at RUS.Uni-Stuttgart.DE Thu Jul 13 00:40:27 2000
From: Florian.Weimer at RUS.Uni-Stuttgart.DE (Florian Weimer)
Date: 12 Jul 2000 16:40:27 +0200
Subject: Problems with Port Forwarding and Password auth
In-Reply-To: Andy Hanson's message of "Wed, 12 Jul 2000 03:11:29 -0500 (CDT)"
References: <200007120811.DAA11117@phat.shugashack.com>
Message-ID:

Andy Hanson writes:

> So, for a long story made short, setting the default value of
> no_port_forwarding_flag=1 fixes my problem for SecureFX. But it seems
> to me that the problem goes deeper in that port forwarding does not
> seem to work under any circumstance for password authentication. Only
> authentication through public keys seems to allow it.

Yes, that's right.

We have customized OpenSSH 1.2.x for our own use so that we have more control over port forwarding. (Users do not have shell accounts on the tunneling endpoint, so they cannot set up tunnels on their own.) While the patch primarily aims at fine-grained control regarding which hosts and ports can be tunneled, port forwarding can be disabled on a per-user basis as a side effect (and not only on a per-RSA-key basis, as with standard OpenSSH).

We can donate the patch to the OpenSSH team if there is any interest (if some legal details with the university administration can be worked out, that is...) The patch was developed on Linux, and has yet to be tested in an IPv6 environment, though.

--
Florian Weimer                    Florian.Weimer at RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
http://ca.uni-stuttgart.de:11371/pks/lookup?op=get&search=0xC06EC3B5

From rse at engelschall.com Thu Jul 13 18:26:01 2000
From: rse at engelschall.com (Ralf S. Engelschall)
Date: Thu, 13 Jul 2000 10:26:01 +0200
Subject: [PATCH] OpenSSH 2.1.1pl3 (portable), readconf.c and strsep(3)
Message-ID: <20000713102601.A19842@engelschall.com>

The latest changes (replacing strtok with strsep) in OpenSSH's readconf.c broke many ~/.ssh/config files. Actually those which use more than one whitespace character to separate keyword and value. For instance my ~/.ssh/config file reads:

| BatchMode             no
| Compression           yes
| CompressionLevel      3
| FallBackToRsh         no
| UsePrivilegedPort     no
| ForwardX11            no
| KeepAlive             yes
| StrictHostKeyChecking no
| ...

And now I got errors like this:

| /u/rse/.ssh/config line 1: Missing yes/no argument.

The problem is that strsep(1) explicitly supports empty fields (= the field between two whitespace characters) and so doesn't automatically handle config files as above. Old config files with the "key = value" syntax are also broken, because " = " are in OpenSSH's current parsing three whitespace characters.

I solved the problem by skipping additional whitespace characters between the keyword and the value with the following patch (against readconf.c from OpenSSH 2.1.1pl3):

--- readconf.c.orig	Wed Jul 12 01:45:27 2000
+++ readconf.c	Thu Jul 13 10:11:36 2000
@@ -248,6 +248,7 @@
 	/* Get the keyword. (Each line is supposed to begin with a keyword). */
 	keyword = strsep(&s, WHITESPACE);
+	s += strspn(s, WHITESPACE);
 	opcode = parse_token(keyword, filename, linenum);
 	switch (opcode) {

This made all of our ~/.ssh/config files work again.

Yours,
Ralf S. Engelschall
rse at engelschall.com
www.engelschall.com

From charvel at link.pl Thu Jul 13 22:50:00 2000
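Review bot: the added `s += strspn(s, WHITESPACE);` is not guarded against `s` being NULL. strsep(3) sets `*stringp` to NULL when no delimiter remains, which is the case for a line that ends directly after the keyword (no trailing whitespace and no newline, e.g. a last line without a terminating newline), so strspn() would then be called on a NULL pointer. Suggest `if (s != NULL) s += strspn(s, WHITESPACE);`. Also note that the hunk only skips the whitespace run between keyword and value; for the "key = value" files mentioned in the message, the next strsep() call would still return "=" as the value unless the value parsing below (not shown in the hunk) treats "=" specially.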
From: charvel at link.pl (Piotr Majka)
Date: Thu, 13 Jul 2000 14:50:00 +0200 (CEST)
Subject: ``portability'' patch for OpenSSH S/Key support
In-Reply-To:
Message-ID:

On Sun, 2 Jul 2000, Damien Miller wrote:

[cut]

> Do you intend to roll your patches into a tarball with a Makefile, etc?
> It would be great to be able to point people to a ported version
> of OpenBSD's S/Key libs.

Btw: When will S/Key support be back in a 2.x.x release? I tried porting the opie patch from the 1.2.3 release to 2.1.1p3, but I see that all s/key support is out of sshd.c

--
Piotr "Charvel" Majka | PGP & GPG Public Key: finger charvel at link.pl | Uin: 20873695
GCM d- s-:- a-- C++ UL++++ P+ L+++ E--- W+ N+++ !o !K w--- !O M V- PS+ PE !Y PGP+ t--- !5 X R tv- b !DI D+ G++ e h r y++**

From darren at horseplay.demon.co.uk Fri Jul 14 06:02:49 2000
From: darren at horseplay.demon.co.uk (Darren Evans)
Date: Thu, 13 Jul 2000 21:02:49 +0100
Subject: OpenSSH 2.2.1p3 - FreeBSD 3.5-STABLE
Message-ID: <4.3.2.7.0.20000713210119.00cc08e0@pop3.demon.co.uk>

Everything compiled and works so far except sshd which needed a -lcrypt for the crypt function.

Darren

---

From djm at mindrot.org Fri Jul 14 09:38:59 2000
From: djm at mindrot.org (Damien Miller)
Date: Fri, 14 Jul 2000 09:38:59 +1000 (EST)
Subject: OpenSSH 2.2.1p3 - FreeBSD 3.5-STABLE
In-Reply-To: <4.3.2.7.0.20000713210119.00cc08e0@pop3.demon.co.uk>
Message-ID:

On Thu, 13 Jul 2000, Darren Evans wrote:

>
> Everything compiled and works so far except sshd which needed a
> -lcrypt for the crypt function.

What system type (e.g. "i686-pc-linux-gnu") did ./configure report?

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Fri Jul 14 09:39:47 2000
From: djm at mindrot.org (Damien Miller) Date: Fri, 14 Jul 2000 09:39:47 +1000 (EST) Subject: ``portability'' patch for OpenSSH S/Key support In-Reply-To: Message-ID: On Thu, 13 Jul 2000, Piotr Majka wrote: > > > On Sun, 2 Jul 2000, Damien Miller wrote: > > [cut] > > > Do you intend to roll your patches into a tarball with a Makefile, etc? > > It would be great to be able to point people to a ported version > > of OpenBSD's S/Key libs. > > Btw: When S/Key support will be back at 2.x.x release ? > I try ported opie patch from 1.2.3 release to the 2.1.1p3, but I see that > all s/key support is out from sshd.c SKey support has never been removed, most of the code is now in auth*.c -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From gem at rellim.com Fri Jul 14 10:27:12 2000 From: gem at rellim.com (Gary E. Miller) Date: Thu, 13 Jul 2000 17:27:12 -0700 (PDT) Subject: [PATCH] OpenSSH 2.1.1pl3 (portable), readconf.c and strsep(3)x In-Reply-To: <20000713102601.A19842@engelschall.com> Message-ID: Yo All! SCO 5 does not even have an strsep(). You have to steal a copy from somewhere else. Otherwise still hacking at an SCO 5 port... RGDS GARY On Thu, 13 Jul 2000, Ralf S. Engelschall wrote: > The latest changes (replacing strtok with strsep) in OpenSSH's readconf.c > broke many ~/.ssh/config files. Actually those which uses more than one > whitespace character to separate keyword and value. RGDS GARY --------------------------------------------------------------------------- Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701 gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676 From cky at pobox.com Fri Jul 14 10:58:19 2000 
From: cky at pobox.com (Chris, the Young One) Date: Fri, 14 Jul 2000 12:58:19 +1200 Subject: ``portability'' patch for OpenSSH S/Key support Message-ID: <20000714125819.A2867@arcanum.m.org.nz> Damien Miller writes: ! SKey support has never been removed, most of the code is now in auth*.c Actually, the ChangeLog in 20000501 says [auth2.c] - disable kerb,s/key in ssh2 So if you want to use S/Key you have to use SSH1 mode. Another reason I still use SSH1 is because I don't know how to use ssh-agent with SSH2. ---Chris K. -- Chris, the Young One |_ You know it's going to be a bad day when you Auckland, New Zealand |_ want to put on the clothes you wore home from http://cloud9.hedgee.com/ |_ the party and there aren't any. From djm at mindrot.org Fri Jul 14 13:31:14 2000 From: djm at mindrot.org (Damien Miller) Date: Fri, 14 Jul 2000 13:31:14 +1000 (EST) Subject: [PATCH] OpenSSH 2.1.1pl3 (portable), readconf.c and strsep(3)x In-Reply-To: Message-ID: On Thu, 13 Jul 2000, Gary E. Miller wrote: > Yo All! > > SCO 5 does not even have an strsep(). You have to steal a copy > from somewhere else. There is a replacement in the portable version. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From jeremy at xxedgexx.com Fri Jul 14 20:13:01 2000 
From: jeremy at xxedgexx.com (Jeremy Hansen) Date: Fri, 14 Jul 2000 06:13:01 -0400 (EDT) Subject: Still a problem with openssh and rsaref In-Reply-To: <20000714100434.D328026EE0@toad.mindrot.org> Message-ID: I have openssl linked against rsaref and rsaref libraries are in my path but for some reason openssh now fails on SSLeay / OpenSSL tests. checking for OpenSSL directory... configure: error: Could not find working SSLeay / OpenSSL libraries, please install and config.log shows: configure:2795: gcc -o conftest -g -O2 -Wall -I/opt/openssl/include -L/opt/openssl/lib -L/opt/openssl conftest.c -ldl -lnsl -lz -lutil -lpam -lcrypto 1>&5 /usr/bin/../lib/libcrypto.so: undefined reference to `ERR_load_RSAREF_strings' /usr/bin/../lib/libcrypto.so: undefined reference to `RSA_PKCS1_RSAref' so why doesn't it seem to use my --with-ssl-dir, which points to /usr/lib, also the test isn't including -lRSAglue -lrsaref. I see that there has been problems with this in past versions of openssh, but I didn't see anything that applies to 2.1.1p3. Thanks for any help. -jeremy -- http://www.xxedgexx.com | jeremy at xxedgexx.com --------------------------------------------- From herrmanm at informatik.tu-muenchen.de Sat Jul 15 02:53:47 2000 
From: herrmanm at informatik.tu-muenchen.de (Michael Herrmann) Date: Fri, 14 Jul 2000 16:53:47 +0000 Subject: Fix for ssh_prng_cmds on Solaris Message-ID: <20000714165345.C21173@sunrbg8.informatik.tu-muenchen.de> Hi all, there is a possibly minor problem with the default ssh_prng_cmds file on Solaris. On my system "arp" is detected to be valid so configure inserts: "arp -a -n" /usr/sbin/arp 0.02 I assume "-n" is supposed to turn off reverse-lookups on hostnames. This does not work on Solaris. This option is ignored, all hostnames are resolved and "arp -a" takes quite some time. Dumping the arp-table on Solaris without resolving hostnames is done with "netstat -pn". This works for at least Solaris versions 2.5.1, 2.6, 7 and 8: "netstat -pn" /usr/bin/netstat 0.02 Now if I only knew why ipcs takes so long ... Regards, Michael From markus.friedl at informatik.uni-erlangen.de Fri Jul 14 19:51:34 2000 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 14 Jul 2000 11:51:34 +0200 Subject: F-secure -> Openssh Compatibility (fwd) In-Reply-To: ; from mfisk@lanl.gov on Wed, Jun 28, 2000 at 03:02:13PM +0000 References: Message-ID: <20000714115134.C32529@folly.informatik.uni-erlangen.de> i think i read that the mac client sends only SSH-x.y-VERSION\r and not SSH-x.y-VERSION\r\n as openssh expects. can someone with access to a mac confirm this? On Wed, Jun 28, 2000 at 03:02:13PM +0000, Mike Fisk wrote: > Date: Tue, 27 Jun 2000 16:09:43 -0600 (MDT)
> From: "W. Scott Wilburn" > To: ssh at clinet.fi > Subject: F-secure -> Openssh Compatibility > > We have Macintoshes running Fsecure SSH client 1.0.1 which are unable to > connect to a server running Openssh 2.1.1 on Red Hat 6.2. > > I believe that the problem is a bug with Fsecure, since a 30-day trial > version of 1.0.2 works fine. I'm a bit reluctant to tell all the Mac users > they have to spend money to upgrade, though, since everything was fine > until I switched my machines to OpenSSH from commercial SSH. > > Does anyone have any info on this? Is there a workaround? > > Symptoms > -------- > > Client side (Mac w/ Fsecure): > > After initiating connection, nothing happens until eventual timeout or > manual quit. > > Server side (Linux w/ Openssh) > > Log file reads > > Connection from port 49153 > > After client-side quit, log file reads > > Did not receive ident string from . > > > Best regards, > Scott Wilburn > > -- > *--------------------------------*-------------------------* > | W. Scott Wilburn | Email: wilburn at lanl.gov | > | Los Alamos National Laboratory | Phone: (505) 667-2107 | > | MS H803 | Fax: (505) 665-4121 | > | Los Alamos, NM 87545 | | > *--------------------------------*-------------------------* > > > -- > Mike Fisk, RADIANT Team, Network Engineering Group, Los Alamos National Lab > See http://home.lanl.gov/mfisk/ for contact information > > > From irving at uscybernetics.com Sat Jul 15 03:34:15 2000 
From: irving at uscybernetics.com (Irving Popovetsky) Date: Fri, 14 Jul 2000 13:34:15 -0400 Subject: rlogin/slogin handling [PATCH] Message-ID: <20000714133415.A87975@uscybernetics.com> Hello. I noticed that OpenSSH 2.1.1p3 does not check whether it is being called as rlogin or slogin, like its siblings do. This can get ugly if you have rlogin and rsh symlinked to ssh, and old r* commands are moved off in another place, as I do. Since Solaris rsh is hardcoded to call /usr/bin/rlogin, it will get stuck in an infinite loop. Below is a quick patch I hacked up, based on the functionality in ssh-1.2.27, tested under Solaris 2.6,7 and 8. Thanks, -Irving Popovetsky --- ssh.c.orig Wed Jul 12 15:54:55 2000 +++ ssh.c Fri Jul 14 13:15:45 2000 @@ -160,11 +160,26 @@ { char *args[10]; int i; + char rsh_program_name[256]; log("Using rsh. WARNING: Connection will not be encrypted."); + +/* Check case for rlogin/slogin */ + if (strncmp(av0, "rlogin", strlen(av0)) == 0 || strncmp(av0, "slogin", strlen(av0)) == 0)+ { + strncpy(rsh_program_name, _PATH_RSH, sizeof(rsh_program_name)); + if (strchr(rsh_program_name, '/')) + *strrchr(rsh_program_name, '/') = '\0'; + sprintf(rsh_program_name + strlen(rsh_program_name), "/rlogin"); + } + else + { + strncpy(rsh_program_name, _PATH_RSH, sizeof(rsh_program_name)); + } + /* Build argument list for rsh. */ i = 0; - args[i++] = _PATH_RSH; + args[i++] = rsh_program_name; /* host may have to come after user on some systems */ args[i++] = host; if (user) { @@ -184,8 +199,8 @@ } fprintf(stderr, "\n"); } - execv(_PATH_RSH, args); - perror(_PATH_RSH); + execv(rsh_program_name, args); + perror(rsh_program_name); exit(1); } From gordon at cs.ualberta.ca Sat Jul 15 06:44:42 2000
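Review bot: `strncmp(av0, "rlogin", strlen(av0)) == 0` bounds the comparison by the length of av0 rather than of "rlogin", so an av0 of "r" or "rl" matches too, while an av0 that carries a directory ("/usr/bin/rlogin") never matches; compare the basename of av0 (the text after the last '/') against "rlogin" and "slogin" with strcmp instead. The path assembly is also unbounded: strncpy leaves rsh_program_name without a terminating NUL when _PATH_RSH fills all 256 bytes, and `sprintf(rsh_program_name + strlen(rsh_program_name), "/rlogin")` then writes past the end of the array; build the name once with `snprintf(rsh_program_name, sizeof(rsh_program_name), "%s/rlogin", dir)` after copying the directory part with a bounded copy, and fail rather than truncate if it does not fit.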
From: gordon at cs.ualberta.ca (Gordon Atwood) Date: Fri, 14 Jul 2000 14:44:42 -0600 (MDT) Subject: Patch to make openssh-2.1.1p3 compile on SunOS 4.1.4 Message-ID: <20000714204452Z433263-24860+179@scapa.cs.ualberta.ca> Hi, For the last few weeks I've been struggling to get openSSL/openSSH compiled and running under SunOS. Specifically, openssh-2.1.1p3: SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0. Compiled with SSL (0x00905820). on SunOS 4.1.4. Happily I can say there is only one small change so I'm not going to even try to generate all the associated noise you'd expect. The function 'strtod' in entropy.c requires '#include <floatingpoint.h>' to work. Without it your entropy rate from the prng_cmds file doesn't get converted into the correct floating-point number. The symptom shows up during the make as: ... $ ./ssh-keygen -b 1024 -f /usr/host/etc/ssh/ssh_host_key -N "" Not enough entropy in RNG SOLUTION: (mine :-) Insert '#include <floatingpoint.h>' into entropy.c Note that this is just under SunOS. --- Of less importance: you need to compile with '-liberty' in order to get the system call for 'strerror' to work. In order to do that I need to do the following 'configure' command: LIBS="-liberty" ./configure --prefix=/usr/local/openssh --sysconfdir=\ /usr/host/etc/ssh --bindir=/usr/host/bin --sbindir=/usr/host/sbin \ --with-tcp-wrappers --with-xauth --without-pam --with-ssl-dir=\ /usr/local/openssl --with-cflags=-I/usr/local/include \ --with-ldflags=-L/usr/local/lib --- Finally, is there some way to turn off the debugging compile option from the configure line? The only 'easy' way I could find was to edit the 'config.cache' and change ac_cv_prog_cc_g=${ac_cv_prog_cc_g='yes'} to ac_cv_prog_cc_g=${ac_cv_prog_cc_g='no'} Just curious. Hope this is useful. G.H.A. -- Gordon H.
Atwood E-mail: gordon at cs.ualberta.ca Research System Administrator Phone: (780) 492-9930 Department of Computing Science Fax: (780) 492-1071 University of Alberta WWW: http://web.cs.ualberta.ca:80/~gordon From markus.friedl at informatik.uni-erlangen.de Sat Jul 15 05:13:41 2000 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 14 Jul 2000 21:13:41 +0200 Subject: SSH-2.2.0 (for Windows) and OpenSSH-2.1.1p1 In-Reply-To: ; from JPhillips@matrasystems.com on Wed, Jun 28, 2000 at 07:24:13PM -0400 References: Message-ID: <20000714211341.A14509@folly.informatik.uni-erlangen.de> On Wed, Jun 28, 2000 at 07:24:13PM -0400, Jim Phillips wrote: > I just upgraded my Windows SSH client from the 2.1.x version (whatever it > was) to 2.2.0 and am now experiencing difficulties connecting to my > OpenSSH-2.1.1p1 Linux servers. upgrade your openssh version. From markus.friedl at informatik.uni-erlangen.de Sat Jul 15 05:32:31 2000 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 14 Jul 2000 21:32:31 +0200 Subject: keyboard-interactive authentication method? In-Reply-To: <20000707162746.8DECFF811@nayarit.avantgo.com>; from mkiernan@avantgo.com on Fri, Jul 07, 2000 at 09:27:46AM -0700 References: <20000707162746.8DECFF811@nayarit.avantgo.com> Message-ID: <20000714213231.B14509@folly.informatik.uni-erlangen.de> not to my knowledge. i'm happy if someone sends patches. On Fri, Jul 07, 2000 at 09:27:46AM -0700, Michael Kiernan wrote: > Hi all, > > I noticed that support for the keyboard-interactive user authentication method > is mentioned on the "todo" list in the README.openssh2 file. Is anybody > actively working on this? > > Thanks, > > Mike > > -- > Michael Kiernan mkiernan at avantgo.com +1-650-638-7581 > > > From djm at mindrot.org Sat Jul 15 14:17:00 2000
From: djm at mindrot.org (Damien Miller) Date: Sat, 15 Jul 2000 14:17:00 +1000 (EST) Subject: Still a problem with openssh and rsaref In-Reply-To: Message-ID: On Fri, 14 Jul 2000, Jeremy Hansen wrote: > > I have openssl linked against rsaref and rsaref libraries are in > my path but for some reason openssh now fails on SSLeay / OpenSSL > tests. What version of OpenSSL? Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Sat Jul 15 14:59:17 2000 From: djm at mindrot.org (Damien Miller) Date: Sat, 15 Jul 2000 14:59:17 +1000 (EST) Subject: Patch to make openssh-2.1.1p3 compile on SunOS 4.1.4 In-Reply-To: <20000714204452Z433263-24860+179@scapa.cs.ualberta.ca> Message-ID: On Fri, 14 Jul 2000, Gordon Atwood wrote: > SOLUTION: (mine :-) Insert '#include ' into entropy.c Configure now detects the presence of this and will include it if necessary. > Of less importance: you need to compile with '-liberty' in order to > get the system call for 'strerror' to work. Isn't libiberty built and installed as part of some of the GNU packages? Does your libc define sys_errlist? We should be able to use it in a replacement. > Finally, is there some way to turn of the debugging compile option > from the configure line? The only 'easy' way I could find was to > edit the 'config.cache' and change CFLAGS="" ./configure doesn't work? -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From jeremy at xxedgexx.com Sat Jul 15 15:20:38 2000 
From: jeremy at xxedgexx.com (Jeremy Hansen) Date: Sat, 15 Jul 2000 01:20:38 -0400 (EDT) Subject: Still a problem with openssh and rsaref In-Reply-To: Message-ID: That would be openssl 0.9.5a -jeremy > > > > I have openssl linked against rsaref and rsaref libraries are in > > my path but for some reason openssh now fails on SSLeay / OpenSSL > > tests. > > What version of OpenSSL? > > Regards, > Damien Miller > > > -- http://www.xxedgexx.com | jeremy at xxedgexx.com --------------------------------------------- From blp at exile.net Sun Jul 16 05:26:12 2000 
From: blp at exile.net (Ben L. Perkins) Date: Sat, 15 Jul 2000 14:26:12 -0500 Subject: openssh-2.1.1p3 - problem with -i option Message-ID: <20000715142612.A27511@maelstrom.exile.net> Greetings: I've just attempted to upgrade from openssh-2.1.1p1 to openssh-2.1.1p3 and I'm having problems with the server component. My system runs RedHat Linux 6.2 (x86 version) with all currently released updates applied. The sshd daemon is being spawned by xinetd with the -i option and worked fine with the p1 level release. Now, when a remote client attempts to connect to the daemon, the authentication challenge occurs and is processed and the session is logged in, but then it's logged out again immediately before any user input is allowed. From the remote client end, it looks like the following: [blp at anotherhost ~]# ssh -l dummy somehost.example.com dummy at somehost.example.com's password: Last login: Sat Jul 15 14:05:52 2000 from anotherhost.example.com Connection to somehost.example.com closed. I attempted to run sshd with the -d option in order to get a better feel for what's happening, but the problem did not occur in this mode. I then just fired up sshd in stand-alone mode (no options) and the problem did not occur in this situation either, thus my assertion that the problem is confined to the inetd mode. My first attempts were using the binary rpm release from the openssh site, but after grabbing the source rpm and building it myself the results were the same. My sshd_config file is pretty much all defaults, with the exception of the loglevel change mentioned below. Since the -d option didn't help, I changed the loglevel setting in /etc/ssh/sshd_config to DEBUG and caught the output of one of the failed connection attempts. The sshd output below matches the client side login attempt above.
Jul 15 14:06:06 somehost xinetd[27138]: START: ssh from=some.ip.address Jul 15 14:06:06 somehost sshd[27621]: debug: Seeding random number generator Jul 15 14:06:06 somehost sshd[27621]: debug: inetd sockets after dupping: 5, 6 Jul 15 14:06:06 somehost sshd[27621]: Generating 768 bit RSA key. Jul 15 14:06:06 somehost sshd[27621]: debug: Seeding random number generator Jul 15 14:06:07 somehost sshd[27621]: debug: Seeding random number generator Jul 15 14:06:07 somehost sshd[27621]: RSA key generation complete. Jul 15 14:06:07 somehost sshd[27621]: Connection from some.ip.address port 2011 Jul 15 14:06:07 somehost sshd[27621]: debug: Client protocol version 1.5; client software version OpenSSH_2.1.1 Jul 15 14:06:07 somehost sshd[27621]: debug: Local version string SSH-1.99-OpenSSH_2.1.1 Jul 15 14:06:07 somehost sshd[27621]: debug: Sent 768 bit public key and 1024 bit host key. Jul 15 14:06:07 somehost sshd[27621]: debug: Encryption type: 3des Jul 15 14:06:07 somehost sshd[27621]: debug: Received session key; encryption turned on. Jul 15 14:06:07 somehost sshd[27621]: debug: Installing crc compensation attack detector. Jul 15 14:06:07 somehost sshd[27621]: debug: Starting up PAM with username "dummy" Jul 15 14:06:07 somehost sshd[27621]: debug: Attempting authentication for dummy. Jul 15 14:06:09 somehost sshd[27621]: debug: PAM Password authentication accepted for user "dummy" Jul 15 14:06:09 somehost sshd[27621]: Accepted password for dummy from some.ip.address port 2011 Jul 15 14:06:09 somehost sshd[27621]: debug: PAM setting rhost to "anotherhost.example.com" Jul 15 14:06:09 somehost sshd[27621]: debug: session_new: init Jul 15 14:06:09 somehost sshd[27621]: debug: session_new: session 0 Jul 15 14:06:09 somehost sshd[27621]: debug: Allocating pty. 
Jul 15 14:06:09 somehost sshd[27621]: debug: PAM setting tty to "/dev/pts/8" Jul 15 14:06:09 somehost PAM_pwdb[27621]: (sshd) session opened for user dummy by (uid=0) Jul 15 14:06:09 somehost sshd[27621]: debug: PAM establishing creds Jul 15 14:06:09 somehost sshd[27621]: debug: Entering interactive session. Jul 15 14:06:09 somehost sshd[27621]: debug: no set_nonblock for tty fd 0 Jul 15 14:06:09 somehost sshd[27622]: debug: Setting controlling tty using TIOCSCTTY. Jul 15 14:06:09 somehost sshd[27621]: debug: no set_nonblock for tty fd 7 Jul 15 14:06:09 somehost sshd[27621]: debug: server_init_dispatch_13 Jul 15 14:06:09 somehost sshd[27621]: debug: server_init_dispatch_15 Jul 15 14:06:09 somehost sshd[27621]: debug: tvp!=NULL kid 0 mili 10 Jul 15 14:06:09 somehost sshd[27621]: debug: End of interactive session; stdin 0, stdout (read 65, sent 65), stderr 0 bytes. Jul 15 14:06:09 somehost sshd[27621]: debug: Command exited with status 0. Jul 15 14:06:09 somehost sshd[27621]: debug: Received exit confirmation. Jul 15 14:06:09 somehost sshd[27621]: debug: session_pty_cleanup: session 0 release /dev/pts/8 Jul 15 14:06:09 somehost sshd[27621]: syslogin_perform_logout: logout() returned an error Jul 15 14:06:09 somehost sshd[27621]: Closing connection to some.ip.address Jul 15 14:06:09 somehost PAM_pwdb[27621]: (sshd) session closed for user dummy I'm not on the list, so if any more information is needed please contact me directly via email. Thanks for looking into this, and for the great work the entire team has done in making a free ssh implementation available. Ben -- Ben L. Perkins -=- Houston, TX, USA From djm at mindrot.org Sun Jul 16 16:07:44 2000 
From: djm at mindrot.org (Damien Miller) Date: Sun, 16 Jul 2000 16:07:44 +1000 (EST) Subject: Announce: portable OpenSSH 2.1.1p4 Message-ID: I have just uploaded portable OpenSSH 2.1.1p4, it should be making its way to the mirrors listed at http://www.openssh.com/portable.html soon. This release contains several bugfixes from the OpenBSD team, primarily the config file parsing problem reported by Ralf Engelschall Regards, Damien Miller --------------- Changelog: 20000716 - Release 2.1.1p4 20000715 - (djm) OpenBSD CVS updates - provos at cvs.openbsd.org 2000/07/13 16:53:22 [aux.c readconf.c servconf.c ssh.h] allow multiple whitespace but only one '=' between tokens, bug report from Ralf S. Engelschall but different fix. okay deraadt@ - provos at cvs.openbsd.org 2000/07/13 17:14:09 [clientloop.c] typo; todd at fries.net - provos at cvs.openbsd.org 2000/07/13 17:19:31 [scp.c] close can fail on AFS, report error; from Greg Hudson - markus at cvs.openbsd.org 2000/07/14 16:59:46 [readconf.c servconf.c] allow leading whitespace. ok niels - djm at cvs.openbsd.org 2000/07/14 22:01:38 [ssh-keygen.c ssh.c] Always create ~/.ssh with mode 700; ok Markus - Fixes for SunOS 4.1.4 from Gordon Atwood - Include floatingpoint.h for entropy.c - strerror replacement --------------- -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From lists at fips.de Sun Jul 16 18:37:10 2000 
From: lists at fips.de (Philipp Buehler) Date: Sun, 16 Jul 2000 10:37:10 +0200 Subject: F-secure -> Openssh Compatibility (fwd) In-Reply-To: <20000714115134.C32529@folly.informatik.uni-erlangen.de>; "Markus Friedl" on 14.07.2000 @ 11:51:34 METDST References: <20000714115134.C32529@folly.informatik.uni-erlangen.de> Message-ID: <20000716103709.A19957@pohl.fips.de> Markus Friedl wrote To Mike Fisk: > i think i read that the mac client does not sends only > SSH-x.y-VERSION\r It's typical for Mac to have only \r as a newline character, so it's possible. No mac around though. ciao -- Philipp Buehler, aka fIpS | sysfive.com GmbH | BOfH | NUCH | %SYSTEM-F-TOOEARLY, please contact your sysadmin at a sensible time. Artificial Intelligence stands no chance against Natural Stupidity. From mhw at wittsend.com Mon Jul 17 02:18:55 2000 
From: mhw at wittsend.com (Michael H. Warfield) Date: Sun, 16 Jul 2000 12:18:55 -0400 Subject: F-secure -> Openssh Compatibility (fwd) In-Reply-To: <20000716103709.A19957@pohl.fips.de>; from lists@fips.de on Sun, Jul 16, 2000 at 10:37:10AM +0200 References: <20000714115134.C32529@folly.informatik.uni-erlangen.de> <20000716103709.A19957@pohl.fips.de> Message-ID: <20000716121855.B587@alcove.wittsend.com> On Sun, Jul 16, 2000 at 10:37:10AM +0200, Philipp Buehler wrote: > Markus Friedl wrote To Mike Fisk: > > i think i read that the mac client sends only > > SSH-x.y-VERSION\r > It's typical for Mac to have only \r as a newline character, > so it's possible. No mac around though. I saw some discussion and confirmation up on the ssh mailing lists that some earlier versions of the Mac ssh client were doing that. Someone had a patch to fix OpenSSH and I thought they said they were going to submit it. I've attached one of those messages below... > ciao > -- > Philipp Buehler, aka fIpS | sysfive.com GmbH | BOfH | NUCH | > > %SYSTEM-F-TOOEARLY, please contact your sysadmin at a sensible time. > Artificial Intelligence stands no chance against Natural Stupidity. Mike -- Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com (The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! ===== Begin Forwarded Message ===== > From owner-ssh at clinet.fi Thu Jun 29 17:28:53 2000 Return-Path: Date: Thu, 29 Jun 2000 12:43:46 -0600 (MDT)
From: "W. Scott Wilburn" To: Andy Polyakov cc: ssh at clinet.fi, mfisk at lanl.gov Subject: Re: F-secure -> Openssh Compatibility In-Reply-To: <395B8AFF.4CE224EF at fy.chalmers.se> Message-ID: Andy, That would certainly solve the problem, but I try to avoid maintaining local patches. Any chance this could be accepted by openssh, or is there a good reason they wouldn't want it? Scott On Thu, 29 Jun 2000, Andy Polyakov wrote: > > > We have Macintoshes running Fsecure SSH client 1.0.1 which are unable to > > > connect to a server running Openssh 2.1.1 on Red Hat 6.2. > > > > I have it on the authority of our resident Mac expert that F-Secure SSH > > clients for the Mac, versions 1.0 and 1.0.1 indeed do have a bug that > > prevents them from successfully connecting to a server running SSH1 in > > compatibility mode under SSH2. > > Meaning that F-Secure SSH for Mac prior to 1.0.2 sends a '\r'-terminated > protocol identification string. SSH 1.2.x server simply replaces it with > '\n' and proceeds. SSH 2.x and OpenSSH 2.1 servers in turn ultimately > insist on '\n' and wait for it forever. I've posted a patch for SSH > 2.1.0 on the list some time ago. In OpenSSH 1.2.1(p1) case one can do > something similar to the following: > > *** ./sshd.c.orig Tue May 30 05:44:54 2000 > --- ./sshd.c Thu Jun 29 19:10:54 2000 > *************** > *** 303,308 **** > --- 303,315 ---- > if (buf[i] == '\r') { > buf[i] = '\n'; > buf[i + 1] = 0; > + /* > + * Kludge to let F-Secure for Macintosh prior > + * 1.0.2 through. > + */ > + if (i==12 && !memcmp(buf,"SSH-1.5-W1.0",12)) > + break; /* the original SSH 1.2.x way */ > > continue; > } > if (buf[i] == '\n') { > > > I am not sure how NiftyTelnet with SSH would react, > > It would react fine as it sends a '\n'-terminated string. > > > It also does scp, > > unlike the F-Secure client, but it does not do port forwarding.
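Review bot: the kludge keys on the exact 12-byte banner "SSH-1.5-W1.0", so only that one F-Secure build gets through, and any other client that also terminates its banner with a lone '\r' still hangs the server exactly as before; if the lenient path is wanted at all, make it general (accept '\r' as a terminator once the buffer starts with "SSH-") and remember to discard a '\n' that a conforming client may still send after its '\r', otherwise that stray byte lands in front of the first protocol packet. The ordering also deserves a comment: `buf[i] = '\n'; buf[i + 1] = 0;` are written before the check, so the `break` hands the rest of sshd a buffer that already looks '\n'-terminated, which is what makes the "original SSH 1.2.x way" work; a later tidy-up that moves the check above those two lines would silently break it.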
> > > > (I don't know about you, but our experiences with port forwarding on the > > Mac are really bad anyway -- it's so slow it's useless, > > Not with all applications. Our users report that e.g Fetch and Anarchie > work fine, but not MI/X (Microimages' X-server) nor DreamWeaver (an FTP > client). It should be noted that F-Secure 2.1 for Macintosh (implementing > protocol version 2) apparently does better job forwarding ports and it's > *perfectly* usable (at least with the mentioned applications). > > Martin Forssen wrote: > > the client gets confused by > > the version number it initially receives. > > False statement. Client doesn't get confused at all. Server simply > never replies to the client's "hello." > > Andy. > -- *--------------------------------*-------------------------* | W. Scott Wilburn | Email: wilburn at lanl.gov | | Los Alamos National Laboratory | Phone: (505) 667-2107 | | MS H803 | Fax: (505) 665-4121 | | Los Alamos, NM 87545 | | *--------------------------------*-------------------------* From support at oeko.net Mon Jul 17 03:49:58 2000 
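The bare-'\r' banner problem discussed in this thread, as an added example that is neither the quoted sshd.c patch nor OpenSSH's own code: a parser over a byte buffer that accepts "\r\n", "\n" and, for a line that already starts with "SSH-", a lone '\r', then splits the banner into protocol version and software string the way a server must before deciding on 1.5 or 2.0. IDENT_MAX, the swallow_lf convention, the function names and the sample banners are assumptions of this example; the buffer stands in for bytes read from the socket.

```c
#include <stdio.h>
#include <string.h>

#define IDENT_MAX 255   /* assumed cap; the banner is read into a small fixed buffer */

/* Look for one identification line in buf[0..len).  Accepts "\r\n", "\n"
 * and, only when the buffer already starts with "SSH-", a lone '\r'.
 * Returns the number of bytes consumed (> 0), 0 if the line is not
 * complete yet, or -1 if it is longer than out or IDENT_MAX allow.
 * After a lone '\r', *swallow_lf is set so the caller drops one '\n'
 * if the peer turns out to have sent "\r\n" split across two reads;
 * that keeps the lenient path from leaving a stray '\n' in the stream
 * of a conforming client. */
int read_ident_line(const unsigned char *buf, size_t len,
                    char *out, size_t outlen, int *swallow_lf)
{
    size_t i;

    *swallow_lf = 0;
    for (i = 0; i < len && i < IDENT_MAX; i++) {
        size_t n = i, consumed = i + 1;

        if (buf[i] == '\n') {
            /* plain "\n" (a "\r\n" pair is caught one byte earlier) */
        } else if (buf[i] == '\r') {
            if (i + 1 < len && buf[i + 1] == '\n')
                consumed = i + 2;                       /* "\r\n" in one read */
            else if (i >= 4 && memcmp(buf, "SSH-", 4) == 0)
                *swallow_lf = 1;                        /* lone '\r' after an ident line */
            else
                continue;                               /* '\r' inside junk: not a terminator */
        } else {
            continue;
        }
        if (n >= outlen)
            return -1;
        memcpy(out, buf, n);
        out[n] = '\0';
        return (int)consumed;
    }
    return (i >= IDENT_MAX) ? -1 : 0;
}

/* Split "SSH-<major>.<minor>-<software>" into its parts.  Returns 1 on
 * success, 0 for anything that does not have that shape. */
int parse_ident(const char *line, int *major, int *minor, char *sw, size_t swlen)
{
    int off = 0;

    if (sscanf(line, "SSH-%d.%d-%n", major, minor, &off) != 2 || off == 0)
        return 0;
    snprintf(sw, swlen, "%s", line + off);
    return 1;
}

int main(void)
{
    /* Constructed inputs: the lone-'\r' Mac banner named in the thread,
     * a normal "\r\n" banner, and a read that stopped mid-line. */
    const unsigned char mac[] = "SSH-1.5-W1.0\r";
    const unsigned char ok[]  = "SSH-1.99-OpenSSH_2.1.1\r\n";
    const unsigned char cut[] = "SSH-2.0-";
    const unsigned char *in[] = { mac, ok, cut };
    size_t lens[] = { sizeof(mac) - 1, sizeof(ok) - 1, sizeof(cut) - 1 };
    char line[IDENT_MAX + 1], sw[64];
    int i, n, lf, major, minor;

    for (i = 0; i < 3; i++) {
        n = read_ident_line(in[i], lens[i], line, sizeof(line), &lf);
        if (n <= 0) {
            printf("input %d: %s\n", i, n == 0 ? "incomplete, keep reading" : "too long");
            continue;
        }
        if (parse_ident(line, &major, &minor, sw, sizeof(sw)))
            printf("input %d: protocol %d.%d, software %s (consumed %d, swallow LF %d)\n",
                   i, major, minor, sw, n, lf);
    }
    return 0;
}
```

Restricting the lone-'\r' case to buffers that already begin with "SSH-" is what keeps the relaxation safe: a scanner or a non-SSH client that throws a '\r' at the port still gets no banner acceptance out of it, and the length cap means the read loop cannot be kept open indefinitely by a peer that never sends a terminator.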
From: support at oeko.net (Toni Mueller) Date: Sun, 16 Jul 2000 19:49:58 +0200 Subject: OpenSSH 2.1.1p3 problem on Debian 2.2 Message-ID: <20000716174958.24492.qmail@oak.oeko.net> Hello, because it doesn't seem as if the upstream tracks OpenSSH close enough I tried to compile from source. It fails on ./configure with the claim that it could not find the OpenSSL installation. But getting the test program right together with an empty main(), I can compile that by hand, resulting in: $ ldd conftest libnsl.so.1 => /lib/libnsl.so.1 (0x4001a000) libz.so.1 => /usr/lib/libz.so.1 (0x40030000) libutil.so.1 => /lib/libutil.so.1 (0x4003f000) libcrypto.so.0 => /usr/lib/libcrypto.so.0 (0x40042000) libc.so.6 => /lib/libc.so.6 (0x400ed000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) Trying to add /usr and /usr/lib to the path list where it says it would check for the libs didn't help. Btw, Debian installs the OpenSSL libs in /usr/lib. Best Regards, --Toni++ From shorty at getuid.com Mon Jul 17 06:42:32 2000 
From: shorty at getuid.com (Christian Kurz) Date: Sun, 16 Jul 2000 22:42:32 +0200 Subject: OpenSSH 2.1.1p3 problem on Debian 2.2 In-Reply-To: <20000716174958.24492.qmail@oak.oeko.net> References: <20000716174958.24492.qmail@oak.oeko.net> Message-ID: <20000716224232.A28005@seteuid.getuid.com> On 00-07-16 Toni Mueller wrote: > because it doesn't seem as if the upstream tracks OpenSSH close enough > I tried to compile from source. It fails on ./configure with the > claim that it could not find the OpenSSL installation. Which version of openssl do you have installed? You need openssl 0.9.5 for openssh 2.1.1 to compile. So you need to upgrade your system libraries to get openssh to compile. Ciao Christian -- #!/bin/perl -s-- -export-a-crypto-system-sig -RSA-3-lines-PERL $m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2%Sa 2/d0 I have encountered the same problem with sshd -i (under Mandrake linux 6.1) as that described by Ben L Perkins, this time with 2.1.1p4: ... Last login: Mon Jul 17 12:04:50 2000 from orpheus.qimr.edu.au -bash: ?oe90: command not found -bash: glorious: command not found -bash: ?]r90: command not found -bash: marshall4: command not found Connection to orpheus.qimr.edu.au closed. log: Jul 17 11:55:44 orpheus PAM_pwdb[14041]: (sshd) session opened for user davidD by (uid=0) Jul 17 11:55:45 orpheus sshd[14041]: syslogin_perform_logout: logout() returned an error The junk includes names of hosts on our local network who engage in ftp or telnet with my machine. There is no problem when sshd is run as a daemon on another port. Cheers, David Duffy. | David Duffy. ,-_|\ | email: davidD at qimr.edu.au ph: INT+61+7+3362-0217 fax: -0101 / * | Epidemiology Unit, The Queensland Institute of Medical Research \_,-._/ | 300 Herston Rd, Brisbane, Queensland 4029, Australia v From charles at comm.polymtl.ca Mon Jul 17 17:14:05 2000
From: charles at comm.polymtl.ca (Charles Levert) Date: Mon, 17 Jul 2000 03:14:05 -0400 Subject: patch for getting 2.1.1p4 to compile on SunOS 4 Message-ID: <200007170714.DAA04440@faucon.comm.polymtl.ca> Hi. SunOS 4 is one system that relies on the strerror() in bsd-misc.[ch]. However, that replacement function does not have the right prototype. This is fixed in the patch below. There was also an error with sys_errlist not being explicitly declared. Also fixed. There was another weird link-time problem with bsd-misc.o being at the same time used by some *.o in libssh.a and itself using entropy.o in libssh.a. This only showed up in linking scp which doesn't need libssh.a. The only solution to this is to separate those functions (the rc4 stuff) that exhibit this property in their own file so that programs like scp that attempt to use other functions in bsd-misc.o link correctly. I tried all other potential solutions of removing bsd-misc.o and placing it separately on the command line, or leaving it where it is, in all possible orders, and those don't work. So, I placed the rc4 stuff in bsd-rc4.[ch]. Here is the patch, as well as the error lines if you are curious about those. Charles ======================================================================== --- Makefile.in.orig-2.1.1p4 Tue Jul 11 07:34:34 2000 +++ Makefile.in Mon Jul 17 02:55:46 2000
@@ -36,7 +36,7 @@ LIBSSH_OBJS=atomicio.o authfd.o authfile.o aux.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o deattack.o dispatch.o dsa.o fingerprint.o hmac.o hostfile.o key.o kex.o log.o match.o mpaux.o nchan.o packet.o radix.o entropy.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o uuencode.o xmalloc.o -LIBOPENBSD_COMPAT_OBJS=bsd-base64.o bsd-bindresvport.o bsd-daemon.o bsd-inet_aton.o bsd-misc.o bsd-mktemp.o bsd-rresvport.o bsd-setenv.o bsd-sigaction.o bsd-snprintf.o bsd-strlcat.o bsd-strlcpy.o bsd-strsep.o fake-getaddrinfo.o fake-getnameinfo.o next-posix.o +LIBOPENBSD_COMPAT_OBJS=bsd-base64.o bsd-bindresvport.o bsd-daemon.o bsd-inet_aton.o bsd-misc.o bsd-mktemp.o bsd-rc4.o bsd-rresvport.o bsd-setenv.o bsd-sigaction.o bsd-snprintf.o bsd-strlcat.o bsd-strlcpy.o bsd-strsep.o fake-getaddrinfo.o fake-getnameinfo.o next-posix.o SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o --- bsd-misc.c.orig-2.1.1p4 Sat Jul 15 00:59:14 2000 +++ bsd-misc.c Mon Jul 17 02:03:59 2000 
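Review bot: adding bsd-rc4.o to LIBOPENBSD_COMPAT_OBJS keeps the rc4 code in the same archive, so the dependency that caused the trouble (arc4random_stir() needing seed_rng() from entropy.o in libssh.a, plus RAND_bytes() from libcrypto) still exists for every program that pulls in bsd-rc4.o; the split only helps scp because scp no longer references that object. Add a comment on this line saying so, and consider listing bsd-rc4.o under LIBSSH_OBJS instead, where its callers and its dependencies already live, so that the archive order on the link line stops mattering.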
@@ -45,90 +45,9 @@ #include "xmalloc.h" #include "ssh.h" #include "bsd-misc.h" -#include "entropy.h" #include -#ifndef HAVE_ARC4RANDOM - -typedef struct -{ - unsigned int s[256]; - int i; - int j; -} rc4_t; - -void rc4_key(rc4_t *r, unsigned char *key, int len); -void rc4_getbytes(rc4_t *r, unsigned char *buffer, int len); - -static rc4_t *rc4 = NULL; - -void rc4_key(rc4_t *r, unsigned char *key, int len) -{ - int t; - - for(r->i = 0; r->i < 256; r->i++) - r->s[r->i] = r->i; - - r->j = 0; - for(r->i = 0; r->i < 256; r->i++) - { - r->j = (r->j + r->s[r->i] + key[r->i % len]) % 256; - t = r->s[r->i]; - r->s[r->i] = r->s[r->j]; - r->s[r->j] = t; - } - r->i = r->j = 0; -} - -void rc4_getbytes(rc4_t *r, unsigned char *buffer, int len) -{ - int t; - int c; - - c = 0; - while(c < len) - { - r->i = (r->i + 1) % 256; - r->j = (r->j + r->s[r->i]) % 256; - t = r->s[r->i]; - r->s[r->i] = r->s[r->j]; - r->s[r->j] = t; - - t = (r->s[r->i] + r->s[r->j]) % 256; - - buffer[c] = r->s[t]; - c++; - } -} - -unsigned int arc4random(void) -{ - unsigned int r; - - if (rc4 == NULL) - arc4random_stir(); - - rc4_getbytes(rc4, (unsigned char *)&r, sizeof(r)); - - return(r); -} - -void arc4random_stir(void) -{ - unsigned char rand_buf[32]; - - if (rc4 == NULL) - rc4 = xmalloc(sizeof(*rc4)); - - seed_rng(); - RAND_bytes(rand_buf, sizeof(rand_buf)); - - rc4_key(rc4, rand_buf, sizeof(rand_buf)); - memset(rand_buf, 0, sizeof(rand_buf)); -} -#endif /* !HAVE_ARC4RANDOM */ - #ifndef HAVE_SETPROCTITLE void setproctitle(const char *fmt, ...) { 
@@ -159,8 +78,13 @@ #endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */ #if !defined(HAVE_STRERROR) && defined(HAVE_SYS_ERRLIST) -const char *strerror(void) +const char *strerror(int e) { - return(sys_errlist[errno]); + extern int sys_nerr; + extern char *sys_errlist[]; + + return (e >= 0 && e < sys_nerr) + ? sys_errlist[e] + : "unlisted error" ; } #endif /* !defined(HAVE_STRERROR) && defined(HAVE_SYS_ERRLIST) */ --- bsd-misc.h.orig-2.1.1p4 Sat Jul 15 00:59:14 2000 +++ bsd-misc.h Mon Jul 17 02:04:17 2000 @@ -32,11 +32,6 @@ #include "config.h" -#ifndef HAVE_ARC4RANDOM -unsigned int arc4random(void); -void arc4random_stir(void); -#endif /* !HAVE_ARC4RANDOM */ - #ifndef HAVE_SETPROCTITLE void setproctitle(const char *fmt, ...); #endif /* !HAVE_SETPROCTITLE */ @@ -59,7 +54,7 @@ #endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */ #if !defined(HAVE_STRERROR) && defined(HAVE_SYS_ERRLIST) -const char *strerror(void); +const char *strerror(int e); #endif /* !defined(HAVE_STRERROR) && defined(HAVE_SYS_ERRLIST) */ #endif /* _BSD_MISC_H */ --- bsd-rc4.c.orig-2.1.1p4 Mon Jul 17 03:03:30 2000 +++ bsd-rc4.c Mon Jul 17 01:52:31 2000 
@@ -0,0 +1,118 @@ +/* + * Copyright (c) 1999-2000 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Markus Friedl. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "config.h" + +#include + +#include "xmalloc.h" +#include "bsd-rc4.h" +#include "entropy.h" + +#include + +#ifndef HAVE_ARC4RANDOM + +typedef struct +{ + unsigned int s[256]; + int i; + int j; +} rc4_t; + +void rc4_key(rc4_t *r, unsigned char *key, int len); +void rc4_getbytes(rc4_t *r, unsigned char *buffer, int len); + +static rc4_t *rc4 = NULL; + +void rc4_key(rc4_t *r, unsigned char *key, int len) +{ + int t; + + for(r->i = 0; r->i < 256; r->i++) + r->s[r->i] = r->i; + + r->j = 0; + for(r->i = 0; r->i < 256; r->i++) + { + r->j = (r->j + r->s[r->i] + key[r->i % len]) % 256; + t = r->s[r->i]; + r->s[r->i] = r->s[r->j]; + r->s[r->j] = t; + } + r->i = r->j = 0; +} + +void rc4_getbytes(rc4_t *r, unsigned char *buffer, int len) +{ + int t; + int c; + + c = 0; + while(c < len) + { + r->i = (r->i + 1) % 256; + r->j = (r->j + r->s[r->i]) % 256; + t = r->s[r->i]; + r->s[r->i] = r->s[r->j]; + r->s[r->j] = t; + + t = (r->s[r->i] + r->s[r->j]) % 256; + + buffer[c] = r->s[t]; + c++; + } +} + +unsigned int arc4random(void) +{ + unsigned int r; + + if (rc4 == NULL) + arc4random_stir(); + + rc4_getbytes(rc4, (unsigned char *)&r, sizeof(r)); + + return(r); +} + +void arc4random_stir(void) +{ + unsigned char rand_buf[32]; + + if (rc4 == NULL) + rc4 = xmalloc(sizeof(*rc4)); + + seed_rng(); + RAND_bytes(rand_buf, sizeof(rand_buf)); + + rc4_key(rc4, rand_buf, sizeof(rand_buf)); + memset(rand_buf, 0, sizeof(rand_buf)); +} +#endif /* !HAVE_ARC4RANDOM */ --- bsd-rc4.h.orig-2.1.1p4 Mon Jul 17 03:03:35 2000 +++ bsd-rc4.h Mon Jul 17 01:55:18 2000 
@@ -0,0 +1,40 @@ +/* + * Copyright (c) 1999-2000 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Markus Friedl. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#ifndef _BSD_RC4_H +#define _BSD_RC4_H + +#include "config.h" + +#ifndef HAVE_ARC4RANDOM +unsigned int arc4random(void); +void arc4random_stir(void); +#endif /* !HAVE_ARC4RANDOM */ + +#endif /* _BSD_RC4_H */ ======================================================================== bsd-misc.c: In function `strerror': bsd-misc.c:164: `sys_errlist' undeclared (first use this function) bsd-misc.c:164: (Each undeclared identifier is reported only once bsd-misc.c:164: for each function it appears in.) bsd-misc.c:165: warning: control reaches end of non-void function ======================================================================== authfd.c: In function `ssh_get_first_identity': authfd.c:147: too many arguments to function `strerror' authfd.c:155: too many arguments to function `strerror' ======================================================================== gcc -o scp scp.o -L. -lssh -lopenbsd-compat -lnsl -lz -lcrypto -lwrap collect2: ld returned 2 exit status ld: Undefined symbol _seed_rng ======================================================================== From tklein2 at ix.urz.uni-heidelberg.de Mon Jul 17 19:55:34 2000 
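Review bot: for the Makefile.in hunk, adding bsd-rc4.o to LIBOPENBSD_COMPAT_OBJS leaves the seed_rng() dependency on libssh's entropy.o inside libopenbsd-compat, so the circular dependency between the two archives described in the message is not removed, only sidestepped: scp now links because it never references arc4random() and therefore never pulls bsd-rc4.o out of the archive. Any program that links -lopenbsd-compat without needing anything from -lssh and does call arc4random() will hit the same `ld: Undefined symbol _seed_rng`; either add a comment in the Makefile stating that constraint, or put bsd-rc4.o in LIBSSH_OBJS beside entropy.o so the object and the symbol it needs live in the same archive.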
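Review bot: in the second bsd-misc.c hunk, the range check `e >= 0 && e < sys_nerr` is the right fix for the old body, which took no argument and indexed with errno, but the two `extern` declarations inside the function body (`extern int sys_nerr; extern char *sys_errlist[];`) will produce a conflicting-types error on any platform that reaches this `#if` block and already declares sys_errlist in a header with different qualifiers (several libcs use `const char *const sys_errlist[]`). The `sys_errlist undeclared` error quoted after the patch only shows that SunOS 4 has no declaration at all, so either have configure detect whether one exists, or move the declarations into bsd-misc.h under the same `!defined(HAVE_STRERROR) && defined(HAVE_SYS_ERRLIST)` guard so they are at least kept in one place.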
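Review bot: the first bsd-misc.h hunk drops the arc4random()/arc4random_stir() prototypes, and the new bsd-rc4.h is included only by bsd-rc4.c, so every existing caller of arc4random() on a !HAVE_ARC4RANDOM system that used to see the prototype through bsd-misc.h now compiles against an implicit declaration, which the compiler will merely warn about. Have bsd-misc.h (or whichever common header the callers already include) pull in bsd-rc4.h, or add the include to each caller, so the `unsigned int` prototype stays visible.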
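Review bot: the new bsd-rc4.c carries a license block that names Damien Miller as copyright holder while clause 3 acknowledges "software developed by Markus Friedl", so the header was assembled from two templates; since the file is the arc4random() code moved verbatim out of bsd-misc.c, copy bsd-misc.c's own header and add a one-line comment saying the code was moved unchanged and why (to keep the seed_rng() dependency out of the objects scp links). Two things carried over unchanged are worth a follow-up: `unsigned int s[256]` in rc4_t stores byte values in ints, and arc4random_stir() is called from nothing in this file except the first arc4random() call, so the generator keys itself once and emits from that key for the life of the process without ever discarding the initial keystream bytes, which later analysis of RC4's key schedule showed to be biased.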
From: tklein2 at ix.urz.uni-heidelberg.de (Tobias Klein)
Date: Mon, 17 Jul 2000 11:55:34 +0200
Subject: logout() returned an error
Message-ID:

Hi everybody,

I got the following problems, as I tried to connect from ssh (1.2.27) client to openssh (2.1.1p4) server:

Client:
-------
$ ssh -l user1 192.168.0.2
user1 at 192.168.0.2's password:
Last login: Mon Jul 17 11.05.44 2000 from 192.168.0.1
-bash: ?Ptty3: command not found
-bash: Zg9tty3: command not found
connection to 192.168.0.2 closed.

Server:
-------
logfile-entries:
Jul 17 11:10:40 nec xinetd[7877]: START: ssh pid=7975 from=192.168.0.2
Jul 17 11:10:40 nec sshd[7975]: Generating 1152 bit RSA Key.
Jul 17 11:10:40 nec sshd[7975]: RSA key generation complete.
Jul 17 11:10:40 nec sshd[7975]: Accepted password for user1 from 192.168.0.1 port 1023
Jul 17 11:10:43 nec PAM_pwdb[7975]: (sshd) session opened for user user1 by (uid=0)
Jul 17 11:10:43 nec sshd[7975]: syslogin_perform_logout: logout() returned an error
Jul 17 11:10:53 nec PAM_pwdb[7975]: (sshd) session closed for user1.
Jul 17 11:10:53 nec xinetd[7877]: EXIT: ssh pid=7975 duration = 13 (sec)

Any hints on this? As I tried to connect from the openssh-client to the ssh-(1.2.27)-server, then everything seems to work correctly. Hm.

Thanx in advance,
Tobi

From djm at mindrot.org Mon Jul 17 22:42:57 2000
From: djm at mindrot.org (Damien Miller)
Date: Mon, 17 Jul 2000 22:42:57 +1000 (EST)
Subject: logout() returned an error
In-Reply-To:
Message-ID:

On Mon, 17 Jul 2000, Tobias Klein wrote:

> Hi everybody,
>
> I got the following problems, as I tried to connect from ssh
> (1.2.27) client to openssh (2.1.1p4) server:

Does this patch help? Otherwise, can you replicate the problem when running the server in debug mode "ssh -d".

-d

Index: sshd.c =================================================================== RCS file: /var/cvs/openssh/sshd.c,v retrieving revision 1.85 diff -u -r1.85 sshd.c --- sshd.c 2000/07/11 23:45:27 1.85 +++ sshd.c 2000/07/17 12:42:17
@@ -642,6 +642,7 @@ s2 = dup(s1); sock_in = dup(0); sock_out = dup(1); + startup_pipe = -1; /* * We intentionally do not close the descriptors 0, 1, and 2 * as our code for setting the descriptors won\'t work if -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Mon Jul 17 22:43:34 2000 From: djm at mindrot.org (Damien Miller) Date: Mon, 17 Jul 2000 22:43:34 +1000 (EST) Subject: sshd -i problem under 2.1.1p4 as well In-Reply-To: <20000717030929.0DDA927588@orpheus.qimr.edu.au> Message-ID: On Mon, 17 Jul 2000, David Duffy wrote: > I have encountered the same problem with sshd -i (under Mandrake > linux 6.1) as that described by Ben L Perkins, this time with > 2.1.1p4: ... Does this help? Index: sshd.c =================================================================== RCS file: /var/cvs/openssh/sshd.c,v retrieving revision 1.85 diff -u -r1.85 sshd.c --- sshd.c 2000/07/11 23:45:27 1.85 +++ sshd.c 2000/07/17 12:42:17 @@ -642,6 +642,7 @@ s2 = dup(s1); sock_in = dup(0); sock_out = dup(1); + startup_pipe = -1; /* * We intentionally do not close the descriptors 0, 1, and 2 * as our code for setting the descriptors won\'t work if -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From blp at exile.net Tue Jul 18 00:48:39 2000 
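Review bot: for the sshd.c hunk, `startup_pipe = -1;` right after the three dup() calls gives the inetd (-i) path an explicit "no startup pipe" value, which nothing in the surrounding context sets otherwise; initialising startup_pipe to -1 at its definition would cover every path that bypasses the accept loop rather than only this one, and a short comment on the added line saying why -1 is needed here would help the next reader, since nothing near it mentions startup_pipe at all.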
From: blp at exile.net (Ben L. Perkins)
Date: Mon, 17 Jul 2000 09:48:39 -0500
Subject: sshd -i problem under 2.1.1p4 as well
Message-ID: <20000717094839.A13142@maelstrom.exile.net>

On Mon, 17 Jul 2000, Damien Miller wrote:
>Does this help?
[tiny patch for sshd.c snipped]

Damien,

Indeed it does help. I applied that patch to the source for p4 and the -i option now appears to work correctly on my RedHat Linux 6.2 system.

Thanks!
Ben
--
Ben L. Perkins -=- Houston, TX, USA

From celinn at mtu.edu Tue Jul 18 04:17:24 2000
From: celinn at mtu.edu (Christopher Linn)
Date: Mon, 17 Jul 2000 14:17:24 -0400
Subject: /dev/random on Solaris
In-Reply-To: <20000630010836.F29371@mtu.edu>; from Christopher Linn on Fri, Jun 30, 2000 at 01:08:36AM -0400
References: <20000630010836.F29371@mtu.edu>
Message-ID: <20000717141724.A1369@mtu.edu>

hi,

has anyone ever attempted to port a /dev/random, /dev/urandom clone to Solaris? the project is attractive to me for various reasons, and I wonder if any work has been done on this before...

chris
--
Christopher Linn                      Staff System Administrator
Center for Experimental Computation   Michigan Technological University
All opinions are my own, and do not represent the opinions of my employer.
==============================================================================
"...and then i read the directions, where it said ``don't do that''." -- JRH

From rachit at ensim.com Tue Jul 18 07:15:17 2000
From: rachit at ensim.com (Rachit Siamwalla)
Date: Mon, 17 Jul 2000 14:15:17 -0700
Subject: /dev/random on Solaris
References: <20000630010836.F29371@mtu.edu> <20000717141724.A1369@mtu.edu>
Message-ID: <39737765.9FE27B1A@ensim.com>

Contemplated on using it, but never did, but here is a link anyway.... good luck :)

http://www.cosy.sbg.ac.at/~andi/

Christopher Linn wrote:
>
> hi,
>
> has anyone ever attempted to port a /dev/random, /dev/urandom clone
> to Solaris? the project is attractive to me for various reasons, and
> I wonder if any work has been done on this before...
>
> chris
>
> --
> Christopher Linn                      Staff System Administrator
> Center for Experimental Computation   Michigan Technological University
> All opinions are my own, and do not represent the opinions of my employer.
> ==============================================================================
> "...and then i read the directions, where it said ``don't do that''." -- JRH

From garrick at james.net Tue Jul 18 09:28:57 2000
From: garrick at james.net (Garrick James)
Date: Mon, 17 Jul 2000 16:28:57 -0700 (PDT)
Subject: Control-c not work under openssh?
In-Reply-To: <39737765.9FE27B1A@ensim.com>
Message-ID:

Sorry this reply is pieced together weird--I had to cut and paste from the web archives.

Anyway, I am seeing this same control-C problem, also. Was there ever any fix found?

My details:

When making ssh connections to openssh-2.1.1p4 servers running on Solaris 2.6, Control-C no longer causes an interrupt. The stty settings are reported as the same that are reported when just using telnet to the box (and control-c works then).

Strangely enough, it seems to be somewhat dependent on the client being used. When the client is openssh-2.1.1p4 (on Solaris 2.6), the problem exists (that is, control-c does not work). When the client is Tera Term Pro with the ssh1 add-on (Win32 client), the problem does NOT exist (that is, control-c works fine). When the client is SecureCRT 3.1 (Win32 client), the problem DOES exist. When the client is openssh-2.1.1p4 (on Solaris 2.6) and the server is openssh-2.1.1p4 (on Linux), the problem does NOT exist. Strange matrix, eh?

When the problem does exist, 'su - username' seems to fix it (regardless of the client :). Needless to say, it is very annoying to have to su every time I log in just to get control-c working.

Anyway, has anyone found the reason for this problem? Anybody have an idea how to fix it?

-Garrick James


----- Previous Message(s) in Thread -----

>>>"JH" == John Horne writes:

JH> I'm using openSSH 2.1.1p2 from my Linux PC to Solaris 7 and 8 systems (using
JH> 2.1.1p1). No problem, except that if I run a program on the Sun, having used
JH> slogin to connect to it, and then try and issue a control-c to break into
JH> the program it seems to be ignored. I can control-z and then kill the
...

Hi,

I got the same problem and want to add some details that might help to track down the problem.

We have a heterogeneous environment of Solaris 2.6 and 8 and Linux, most using ssh 1.x and some OpenSSH 2.1.1p1. After some testing, we are certain that the problem is with the OpenSSH daemon. The ctrl-c is ignored whenever the target host runs this sshd on Solaris 8 (didn't try 2.6; no problem on Linux). The problem exists if the user has a Bourne shell or a bash. However, if you invoke (in a broken tty/shell) either /bin/su or zsh, ctrl-c works again. The stty -a output in a broken and not-broken tty are the same.

sshd might be doing something wrong when initializing the pty/tty. A truss/strace comparison of Solaris 8 and Linux shows that the Linux sshd does some more ioctls on the tty during login. Maybe su and zsh repair the problem by default but bash and sh don't.

Hope that helps someone who knows more about this stuff ... ;-)

Cheers, Nils

From irving at uscybernetics.com Tue Jul 18 09:41:56 2000
From: irving at uscybernetics.com (Irving Popovetsky)
Date: Mon, 17 Jul 2000 19:41:56 -0400
Subject: Control-c not work under openssh?
In-Reply-To: ; from garrick@james.net on Mon, Jul 17, 2000 at 04:28:57PM -0700
References: <39737765.9FE27B1A@ensim.com>
Message-ID: <20000717194156.A2108@uscybernetics.com>

I am seeing the exact same thing, on all of the versions of Solaris (2.6,2.7,2.8) that we have running here. No problems on my Linux or *BSD boxen.

To clarify, when I ssh to a box running OpenSSH (any ssh client will do), and then from the OpenSSH box attempt to ssh to anywhere else, it will not catch SIGINT properly.

I think I've narrowed it down to some possibly faulty SIGINT catching in readpass.c, and am toying with some ideas. But I haven't figured anything out yet.

I have truss output if anyone wants it.

-Irving

On Mon, Jul 17, 2000 at 04:28:57PM -0700, Garrick James wrote:
> Sorry this reply is pieced together weird--I had to cut and paste from the
> web archives.
>
> Anyway, I am seeing this same control-C problem, also. Was there ever
> any fix found?
>
> My details:
>
> When making ssh connections to openssh-2.1.1p4 servers running on Solaris
> 2.6, Control-C no longer causes an interrupt. The stty settings are
> reported as the same that are reported when just using telnet to the box
> (and control-c works then).
>
> Strangely enough, it seems to be somewhat dependent on the client being
> used. When the client is openssh-2.1.1p4 (on Solaris 2.6), the problem
> exists (that is, control-c does not work). When the client is Tera Term
> Pro with the ssh1 add-on (Win32 client), the problem does NOT exist (that
> is, control-c works fine). When the client is SecureCRT 3.1 (Win32
> client), the problem DOES exist. When the client is openssh-2.1.1p4 (on
> Solaris 2.6) and the server is openssh-2.1.1p4 (on Linux), the problem
> does NOT exist. Strange matrix, eh?
>
> When the problem does exist, 'su - username' seems to fix it (regardless
> of the client :). Needless to say, it is very annoying to have to su
> every time I log in just to get control-c working.
>
> Anyway, has anyone found the reason for this problem? Anybody have an
> idea how to fix it?
>
> -Garrick James
>
>
> ----- Previous Message(s) in Thread -----
>
> >>>"JH" == John Horne writes:
>
> JH> I'm using openSSH 2.1.1p2 from my Linux PC to Solaris 7 and 8 systems
> (using
> JH> 2.1.1p1). No problem, except that if I run a program on the Sun,
> having used
> JH> slogin to connect to it, and then try and issue a control-c to break
> into
> JH> the program it seems to be ignored. I can control-z and then kill the
> ...
>
> Hi,
>
> I got the same problem and want to add some details that might help to
> track down the problem.
>
> We have a heterogeneous environment of Solaris 2.6 and 8 and Linux, most
> using ssh 1.x and some OpenSSH 2.1.1p1. After some testing, we are
> certain that the problem is with the OpenSSH daemon. The ctrl-c is
> ignored whenever the target host runs this sshd on Solaris 8 (didn't try
> 2.6; no problem on Linux). The problem exists if the user has a Bourne
> shell or a bash. However, if you invoke (in a broken tty/shell) either
> /bin/su or zsh, ctrl-c works again. The stty -a output in a broken and
> not-broken tty are the same.
>
>
> sshd might be doing something wrong when initializing the
> pty/tty. A truss/strace comparison of Solaris 8 and Linux shows that the
> Linux sshd does some more ioctls on the tty during login. Maybe su and
> zsh repair the problem by default but bash and sh don't.
>
>
> Hope that helps someone who knows more about this stuff ... ;-)
>
> Cheers, Nils
>

From garrick at james.net Tue Jul 18 09:54:04 2000
From: garrick at james.net (Garrick James)
Date: Mon, 17 Jul 2000 16:54:04 -0700 (PDT)
Subject: Control-c not work under openssh?
In-Reply-To: <20000717194156.A2108@uscybernetics.com>
Message-ID:

On Mon, 17 Jul 2000, Irving Popovetsky wrote:

> I am seeing the exact same thing, on all of the versions of Solaris
> (2.6,2.7,2.8) that we have running here. No problems on my Linux or *BSD
> boxen.
>
> To clarify, when I ssh to a box running OpenSSH (any ssh client will do),
> and then from the OpenSSH box attempt to ssh to anywhere else, it will
> not catch SIGINT properly.

So you only see this problem when you ssh to box A and then from box A ssh to box B (with the interrupt catching on box B broken)?

I see the problem on box A (no need to ssh to box B before I see the problem).

>
> I think I've narrowed it down to some possibly faulty SIGINT catching in
> readpass.c, and am toying with some ideas. But I haven't figured
> anything out yet.
>
> I have truss output if anyone wants it.
>
> -Irving

From irving at uscybernetics.com Tue Jul 18 10:04:14 2000
From: irving at uscybernetics.com (Irving Popovetsky)
Date: Mon, 17 Jul 2000 20:04:14 -0400
Subject: Control-c not work under openssh?
In-Reply-To: ; from garrick@james.net on Mon, Jul 17, 2000 at 04:54:04PM -0700
References: <20000717194156.A2108@uscybernetics.com>
Message-ID: <20000717200413.A2310@uscybernetics.com>

> So you only see this problem when you ssh to box A and then from box A ssh
> to box B (with the interrupt catching on box B broken)?
>
> I see the problem on box A (no need to ssh to box B before I see the
> problem).

nonono. The interrupt catching is in fact broken on Box A, in that scenario.

If I rsh or telnet to Box A, then SIGINT catching works fine when I ssh to anywhere. If I am logged into the console of Box A, it catches SIGINT without a problem. But if I have sshed into Box A, that's when ssh sessions from Box A to Box B don't catch it.

Makes sense? barely :)

-Irving

From davidD at qimr.edu.au Tue Jul 18 11:14:59 2000
From: davidD at qimr.edu.au (David Duffy)
Date: Tue, 18 Jul 2000 11:14:59 +1000 (EST)
Subject: sshd -i problem under 2.1.1p4 as well
In-Reply-To:
Message-ID:

On Mon, 17 Jul 2000, Damien Miller wrote:

> Does this help?
> Index: sshd.c > =================================================================== > RCS file: /var/cvs/openssh/sshd.c,v > retrieving revision 1.85 > diff -u -r1.85 sshd.c > --- sshd.c 2000/07/11 23:45:27 1.85 > +++ sshd.c 2000/07/17 12:42:17 > @@ -642,6 +642,7 @@ > s2 = dup(s1); > sock_in = dup(0); > sock_out = dup(1); > + startup_pipe = -1; > /* > * We intentionally do not close the descriptors 0, 1, and 2 > * as our code for setting the descriptors won\'t work if

Indeed it does!

Thanking you, David Duffy.

From J.Horne at plymouth.ac.uk Tue Jul 18 19:19:29 2000
From: J.Horne at plymouth.ac.uk (John Horne)
Date: Tue, 18 Jul 2000 10:19:29 +0100 (BST)
Subject: Control-c not work under openssh?
In-Reply-To:
Message-ID:

On 17-Jul-00 at 23:28:57 Garrick James wrote:
> Anyway, I am seeing this same control-C problem, also. Was there ever
> any fix found?
>
None that I know of, and yes it is a pain of a problem. I have looked at the code, but must admit I am a bit stumped by it (the problem).

> When the problem does exist, 'su - username' seems to fix it (regardless
> of the client :). Needless to say, it is very annoying to have to su
> every time I log in just to get control-c working.
>
Even just 'su' or 'su ' works okay. su must be resetting the interrupts somewhere, however setting them using stty has no effect.

I tried using one of the early openssh 2.0 and the problem still occurred.

John.

--------------------------------------------------------------------------
John Horne, University of Plymouth, UK            Tel: +44 (0)1752 233914
E-mail: jhorne at plymouth.ac.uk
PGP key available from public key servers

From Lutz.Jaenicke at aet.TU-Cottbus.DE Tue Jul 18 19:24:32 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Tue, 18 Jul 2000 11:24:32 +0200
Subject: scp not shutting down in 2.1.1p4
Message-ID: <20000718112432.A9621@ws02.aet.tu-cottbus.de>

Hi!

as I just noted, after scp the connection does not shut down properly.

When I do a "scp file targethost:path", on targethost a "sshd" process is left running. I do use
--with-default-path="/usr/local/openssh/bin:/usr/bin:/usr/local/bin"
to assure that the corresponding openssh-scp is used.
It also seems that normal sessions are not always closed properly.

I run OpenSSH 2.1.1p4 (with the startup_pipe = -1; patch posted yesterday, but that should not matter here) on HP-UX 10.20.

Any ideas what to do or what to look for? The behaviour occurs with both ssh-1.2.27 "scp" and openssh "scp".

Best regards,
Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From Lutz.Jaenicke at aet.TU-Cottbus.DE Tue Jul 18 19:28:19 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Tue, 18 Jul 2000 11:28:19 +0200
Subject: scp not shutting down in 2.1.1p4
In-Reply-To: <20000718112432.A9621@ws02.aet.tu-cottbus.de>; from Lutz.Jaenicke@aet.TU-Cottbus.DE on Tue, Jul 18, 2000 at 11:24:32AM +0200
References: <20000718112432.A9621@ws02.aet.tu-cottbus.de>
Message-ID: <20000718112819.A22425@ws01.aet.tu-cottbus.de>

On Tue, Jul 18, 2000 at 11:24:32AM +0200, Lutz Jaenicke wrote:
> When I do a "scp file targethost:path", on targethost a "sshd" process is
> left running. I do use
> --with-default-path="/usr/local/openssh/bin:/usr/bin:/usr/local/bin"
> to assure that the corresponding openssh-scp is used.
> It also seems that normal sessions are not always closed properly.

Oops, I withdraw this last remark. I had a window open on another host that was still listed.

Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From Lutz.Jaenicke at aet.TU-Cottbus.DE Tue Jul 18 22:55:44 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Tue, 18 Jul 2000 14:55:44 +0200
Subject: scp not shutting down in 2.1.1p4
In-Reply-To: <20000718112432.A9621@ws02.aet.tu-cottbus.de>; from jaenicke@ws02.aet.tu-cottbus.de on Tue, Jul 18, 2000 at 11:24:32AM +0200
References: <20000718112432.A9621@ws02.aet.tu-cottbus.de>
Message-ID: <20000718145544.A23662@ws01.aet.tu-cottbus.de>

On Tue, Jul 18, 2000 at 11:24:32AM +0200, Lutz Jaenicke wrote:
> Hi!
>
> as I just noted, after scp the connection does not shut down properly.
>
> When I do a "scp file targethost:path", on targethost a "sshd" process is
> left running. I do use
> --with-default-path="/usr/local/openssh/bin:/usr/bin:/usr/local/bin"
> to assure that the corresponding openssh-scp is used.

In the good old habit of following up to myself :-)

I have by now investigated the behaviour a bit more and of course, when doing a "ps -ef | grep sshd", it seems that the sshd-processes are hanging around. Of course, when looking a bit more precisely, "ps -ef | grep scp", the corresponding scp-processes are still around on the server, so that the sshd-processes will not terminate.

That brings the problem down to the question of why the remote scp processes won't die. (They are called in sink mode (-t) and the copying is completed ok. When used in source mode (scp sourcehost:path localfile), it seems to work ok.)

The calling "scp" process also does not terminate but seems to go to background(?) (is still in the process list) because I can continue the work, but still get the error message (e.g. broken pipe) when I kill the hung scp process on the targethost.

Hmm, still digging in the scp source...

Best regards,
Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From markus.friedl at informatik.uni-erlangen.de Wed Jul 19 00:20:57 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 18 Jul 2000 16:20:57 +0200
Subject: scp not shutting down in 2.1.1p4
In-Reply-To: <20000718145544.A23662@ws01.aet.tu-cottbus.de>; from Lutz.Jaenicke@aet.TU-Cottbus.DE on Tue, Jul 18, 2000 at 02:55:44PM +0200
References: <20000718112432.A9621@ws02.aet.tu-cottbus.de> <20000718145544.A23662@ws01.aet.tu-cottbus.de>
Message-ID: <20000718162057.A4880@folly.informatik.uni-erlangen.de>

On Tue, Jul 18, 2000 at 02:55:44PM +0200, Lutz Jaenicke wrote:
> Hmm, still digging in the scp source...

do you have problems with

	$ ssh host cat file > ~/tmp/x

too?

-markus

From irving at uscybernetics.com Wed Jul 19 05:37:29 2000
From: irving at uscybernetics.com (Irving Popovetsky)
Date: Tue, 18 Jul 2000 15:37:29 -0400
Subject: Control-c not work under openssh?
In-Reply-To: ; from J.Horne@plymouth.ac.uk on Tue, Jul 18, 2000 at 10:19:29AM +0100
References:
Message-ID: <20000718153729.A4089@uscybernetics.com>

A note on this: Is UseLogin safe to use yet? If I set "UseLogin yes" in my sshd_config, the Solaris control-c problem goes away.

-Irving

On Tue, Jul 18, 2000 at 10:19:29AM +0100, John Horne wrote:
> On 17-Jul-00 at 23:28:57 Garrick James wrote:
> > Anyway, I am seeing this same control-C problem, also. Was there ever
> > any fix found?
> >
> None that I know of, and yes it is a pain of a problem. I have looked at the
> code, but must admit I am a bit stumped by it (the problem).
>
> > When the problem does exist, 'su - username' seems to fix it (regardless
> > of the client :). Needless to say, it is very annoying to have to su
> > every time I log in just to get control-c working.
> >
> Even just 'su' or 'su ' works okay. su must be resetting the
> interrupts somewhere, however setting them using stty has no effect.
>
> I tried using one of the early openssh 2.0 and the problem still occurred.
>
> John.
>
> --------------------------------------------------------------------------
> John Horne, University of Plymouth, UK            Tel: +44 (0)1752 233914
> E-mail: jhorne at plymouth.ac.uk
> PGP key available from public key servers
>

From robert.pouliot at bell.ca Wed Jul 19 05:50:11 2000
From: robert.pouliot at bell.ca (Robert Pouliot)
Date: Tue, 18 Jul 2000 15:50:11 -0400
Subject: OpenSSH bug with Trusted/UX
Message-ID: <3974B4F3.AE8D4523@bell.ca>

Being brave and bold (or more exactly needing a SSH on HP Trusted/UX systems), I decided to try OpenSSH on them.

At first I did the (standard):
configure; gmake; gmake install

However, every time it said that the password was wrong.

The problem resides in the fact that shadow.h does exist on HP-UX but seems not to be detected by configure. The normal non-Trusted systems do have this file too, but according to the man page it should only be used on Trusted/UX systems. My tests also seem to indicate that this function returns a NULL pointer on non-Trusted systems.

Changing the #define HAVE_SHADOW_H 1 in config.h and recompiling makes it work fine.

Due to my very limited knowledge of autoconf and requirement listed above (Trusted vs non-Trusted) although both systems do have the library function (checking if result is NULL and keeping the value of "normal passwd function" should be enough).

thanks!

PS: I'm not subscribed, so please cc questions to my e-mail.

From pekkas at netcore.fi Wed Jul 19 16:14:45 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 19 Jul 2000 09:14:45 +0300 (EEST)
Subject: UseLogin yes and 'w': IP address used
Message-ID:

Hello all,

I just noticed that if I enable UseLogin, IP address will be shown in 'w' when logging on. If UseLogin is disabled, the hostname will be used.

I tested this on 2.1.1p2 and p4, on home-grown Redhat Linux 6.2.

Anyone else notice this? Is this an issue with OpenSSH or login?

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi   not those you stumble over and fall"

From robbie at serendipity.palo-alto.ca.us Wed Jul 19 17:16:01 2000
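Robert Pouliot's suggestion in his Trusted/UX message above (use the shadow entry when getspnam() returns one, keep the value from the normal passwd lookup when it returns NULL) in C, as an added example that is neither OpenSSH code nor from the thread; it assumes shadow.h and getspnam() are available, and it also flags the case where the fallback field is only a placeholder such as "x", which would otherwise make every password look wrong without any hint as to why.

```c
/*
 * Added example (not OpenSSH code): choose the password hash to verify
 * against on a system that may or may not keep real hashes in shadow.
 * Assumes <shadow.h> and getspnam() exist, as on Linux and HP-UX.
 */
#include <pwd.h>
#include <shadow.h>
#include <stddef.h>
#include <string.h>

/*
 * Prefer the shadow field when getspnam() returned an entry (Trusted
 * HP-UX, Linux); otherwise keep whatever the ordinary passwd lookup gave
 * us (non-Trusted HP-UX, where getspnam() returns NULL).  Returns NULL
 * when neither lookup produced a field at all.
 */
const char *select_password_hash(const struct spwd *sp, const struct passwd *pw)
{
    if (sp != NULL && sp->sp_pwdp != NULL)
        return sp->sp_pwdp;
    if (pw != NULL && pw->pw_passwd != NULL)
        return pw->pw_passwd;
    return NULL;
}

/*
 * A hash that can actually be compared against a password.  "x" and "*"
 * are placeholders meaning "the real hash lives elsewhere" (for instance
 * getspnam() failed because the caller lacks privilege); "!" marks a
 * locked account; an empty field is treated as unusable here, failing
 * closed.  A caller should log the placeholder case as a configuration
 * problem rather than as a wrong password.
 */
int hash_is_usable(const char *hash)
{
    if (hash == NULL || hash[0] == '\0')
        return 0;
    if (strcmp(hash, "x") == 0 || strcmp(hash, "*") == 0)
        return 0;
    if (hash[0] == '!')
        return 0;
    return 1;
}

/*
 * Exercise the selection on constructed entries without touching the real
 * databases; a NULL shadow_hash models getspnam() returning NULL.
 */
const char *select_from_strings(const char *shadow_hash, const char *passwd_hash)
{
    static struct spwd sp;
    static struct passwd pw;

    memset(&sp, 0, sizeof(sp));
    memset(&pw, 0, sizeof(pw));
    sp.sp_pwdp = (char *)shadow_hash;
    pw.pw_passwd = (char *)passwd_hash;
    return select_password_hash(shadow_hash != NULL ? &sp : NULL, &pw);
}

/* Real lookup, as a daemon running with privilege would do it at login. */
const char *lookup_password_hash(const char *user)
{
    struct passwd *pw = getpwnam(user);
    struct spwd *sp = (pw != NULL) ? getspnam(user) : NULL;

    return select_password_hash(sp, pw);
}
```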
From: robbie at serendipity.palo-alto.ca.us (Robbie Stone) Date: Wed, 19 Jul 2000 00:16:01 -0700 Subject: Why do I *still* need RSA? Message-ID: <397555B1.20B389DC@serendipity.palo-alto.ca.us> OpenSSH Developers, I'm researching whether or not OpenSSH is a viable commercial alternative to F-SECURE SSH or SSH.COM's ssh, but I'm not getting the kind of results that I expected from a "Non patent encumbered ssh client". When I attempt to build OpenSSH against an OpenSSL build without rc5, idea, or rsa it bombs since OpenSSL doesn't place the header files in the include dir. Now, that's fine and went away after I copied them to the appropriate location (hoping that it just *needed* the file, but that it didn't need any rc5, idea, or rsa functions exported by the OpenSSL libraries) but it looks like the RSA (aka, non SSH-2.0) functions are required to have a successful build of OpenSSH. The question now is how OpenBSD is making available a solely SSH 2.0 client/server without RSA, IDEA or RC5. I noticed on the OpenBSD web site that it became RSA equipped upon the installation of the rsaref module, but how do I make a system like that under something that isn't OpenBSD? I do not believe that in this stage of the game it is wise for me to go to RSA Security and get a copy of BSAFE. Not only is it costly, but they charge an arm and a leg for runtime licensing (not to mention it is sort of stupid to pay that much money for a package that is not going to be patent encumbered in 3 months.) I'm hoping that somebody can shed some light on build options or library strategies to make my woes go away. Thanks, -- Robbie Stone Serendipity Simplex From matt at theBachChoir.org.uk Wed Jul 19 17:30:34 2000 
From: matt at theBachChoir.org.uk (matt at theBachChoir.org.uk) Date: Wed, 19 Jul 2000 08:30:34 +0100 (BST) Subject: RhostsRSAAuthentication not working in OpenSSH-2.1.1p4 Message-ID: ..in the ssh client, that is. Couldn't spot this in the web archive and am not subscribed--please cc me any replies From jmknoble at pint-stowp.cx Wed Jul 19 17:41:35 2000 From: jmknoble at pint-stowp.cx (Jim Knoble) Date: Wed, 19 Jul 2000 03:41:35 -0400 Subject: Why do I *still* need RSA? In-Reply-To: <397555B1.20B389DC@serendipity.palo-alto.ca.us>; from robbie@serendipity.palo-alto.ca.us on Wed, Jul 19, 2000 at 12:16:01AM -0700 References: <397555B1.20B389DC@serendipity.palo-alto.ca.us> Message-ID: <20000719034135.B7901@quipu.half.pint-stowp.cx> Circa 2000-Jul-19 00:16:01 -0700 dixit Robbie Stone: : OpenSSH Developers, : : I'm researching whether or not OpenSSH is a viable commercial : alternative to F-SECURE SSH or SSH.COM's ssh, but I'm not getting the : kind of results that I expected from a "Non patent encumbered ssh : client". : : When I attempt to build OpenSSH against an OpenSSL build without rc5, : idea, or rsa it bombs since OpenSSL doesn't place the header files in : the include dir. Now, that's fine and went away after I copied them to : the appropriate location (hoping that it just *needed* the file, but : that it didn't need any rc5, idea, or rsa functions exported by the : OpenSSL libraries) As of openssl-0.9.5a, if you compile with -DOPENSSL_ALGORITHM_DEFINES -DOPENSSL_THREAD_DEFINES -DOPENSSL_OTHER_DEFINES, you get all the definitions that OpenSSL was built with (e.g., NO_IDEA, NO_RC5, etc.). See opensslconf.h in your installed OpenSSL tree for further info. That may help things a bit. -- jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/ From wassa at postoffice.memphis.edu Thu Jul 20 04:04:57 2000 
From: wassa at postoffice.memphis.edu (Walter F Hoehn) Date: Wed, 19 Jul 2000 13:04:57 -0500 Subject: ssh-keygen -X Message-ID: <793e973678.73678793e9@memphis.edu> Hello, I recently tried to convert a dsa public key from an ssh.com client with the -X parameter. ssh-keygen prints the converted key to STDOUT, but first prompts for the location of the keyfile to be converted. So, re-directing the output of this program to authorized_keys2 does not work. After browsing the source, I noticed that the -f parameter can be used with the -X parameter to specify the INFILE in this process. This is inconsistent with the other uses of -f (as an OUTFILE) and is confusing to some users. As a matter of fact, that is why I was testing this...because some members of my userbase could not figure it out. Can the -X parameter be changed to accept a value of INFILE? I think that this would be far more intuitive from a user perspective. It would be a simple change and I would be willing to submit a diff if necessary. -Walter Hoehn -------------- next part -------------- A non-text attachment was scrubbed... Name: "wassa.vcf Type: text/x-vcard Size: 112 bytes Desc: Card for Walter F Hoehn Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000719/83e8b103/attachment.vcf From markus.friedl at informatik.uni-erlangen.de Thu Jul 20 08:52:12 2000 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 20 Jul 2000 00:52:12 +0200 Subject: ssh-keygen -X In-Reply-To: <793e973678.73678793e9@memphis.edu>; from wassa@postoffice.memphis.edu on Wed, Jul 19, 2000 at 01:04:57PM -0500 References: <793e973678.73678793e9@memphis.edu> Message-ID: <20000720005212.A11835@folly.informatik.uni-erlangen.de> On Wed, Jul 19, 2000 at 01:04:57PM -0500, Walter F Hoehn wrote: > I recently tried to convert a dsa pubilc key from an ssh.com client > with the -X paramater. ssh-keygen prints the converted key to STDOUT, > but first prompts for the location of the keyfile to be converted. So, > re-directing the output of this program to authorized_keys2 does not > work. After browsing the source, I noticed that the -f paramater can > be used with the -X paramter to specify the INFILE in this process. > This is inconsistent with the other uses of -f (as an OUTFILE) and is > confusing to some users. [...] how about a documentation change? commit? Index: ssh-keygen.1 =================================================================== RCS file: /home/markus/cvs/ssh/ssh-keygen.1,v retrieving revision 1.19 diff -u -r1.19 ssh-keygen.1 --- ssh-keygen.1 2000/07/06 04:06:56 1.19 +++ ssh-keygen.1 2000/07/19 22:47:40 @@ -23,7 +23,7 @@ .Op Fl b Ar bits .Op Fl N Ar new_passphrase .Op Fl C Ar comment -.Op Fl f Ar keyfile +.Op Fl f Ar output_keyfile .Nm ssh-keygen .Fl p .Op Fl P Ar old_passphrase @@ -31,13 +31,13 @@ .Op Fl f Ar keyfile .Nm ssh-keygen .Fl x -.Op Fl f Ar keyfile +.Op Fl f Ar input_keyfile .Nm ssh-keygen .Fl X -.Op Fl f Ar keyfile +.Op Fl f Ar input_keyfile .Nm ssh-keygen .Fl y -.Op Fl f Ar keyfile +.Op Fl f Ar input_keyfile .Nm ssh-keygen .Fl c .Op Fl P Ar passphrase @@ -45,7 +45,7 @@ .Op Fl f Ar keyfile .Nm ssh-keygen .Fl l -.Op Fl f Ar keyfile +.Op Fl f Ar input_keyfile .Nm ssh-keygen .Fl R .Sh DESCRIPTION From pekkas at netcore.fi Thu Jul 20 16:37:33 2000 
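Review bot: in the hunk at @@ -31,13 the -p form keeps its context line `.Op Fl f Ar keyfile` while -x, -X and -y below it are renamed to `input_keyfile`, and the hunk at @@ -45,7 does the same for -c (unchanged) next to -l (renamed). Since -p and -c read the file and rewrite it in place the asymmetry is defensible, but as it stands it reads like two forms were missed; either add a sentence in DESCRIPTION saying that for -p and -c the file is read and rewritten, or rename those two as well so the SYNOPSIS naming states what each mode does with the file.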
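What `ssh-keygen -X` does in the version discussed above, as an added example that is not OpenSSH's code: read the SECSH public key file written by the ssh.com client (BEGIN/END markers, `Tag: value` headers with backslash continuation, a base64 body), pull the key type out of the first wire-format string in the decoded blob, and emit the one-line form that goes into authorized_keys2; the reverse direction (`-x`) is included too. The sample key blob, its header text and the user@example comment are constructed for the example and are not a usable key.

```python
"""Convert a public key between the SECSH file format (ssh.com client)
and OpenSSH's one-line authorized_keys format. Added example; not the
ssh-keygen source."""
import base64
import struct
import textwrap

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"
KNOWN_TYPES = ("ssh-dss", "ssh-rsa")


def ssh_string(b):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n):
    """SSH wire 'mpint' for a positive integer (leading 0x00 if top bit set)."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def secsh_to_openssh(text):
    """Parse a SECSH public key file; return (key type, base64 blob, comment).

    Header lines are 'Tag: value'; a trailing backslash continues a header
    on the next line; everything else between the markers is base64.
    """
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing SECSH BEGIN/END markers")
    headers, body = {}, []
    i = 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line and not body:            # base64 never contains ':'
            tag, value = line.split(":", 1)
            value = value.strip()
            while value.endswith("\\"):         # continuation line
                i += 1
                value = value[:-1] + lines[i].strip()
            headers[tag.strip().lower()] = value
        else:
            body.append(line.strip())
        i += 1
    blob = base64.b64decode("".join(body), validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    ktype = blob[4:4 + tlen].decode("ascii")   # first string names the algorithm
    if ktype not in KNOWN_TYPES:
        raise ValueError("unsupported key type %r" % ktype)
    comment = headers.get("comment", "").strip('"')
    return ktype, base64.b64encode(blob).decode("ascii"), comment


def authorized_keys_line(text):
    """The line to append to authorized_keys2 for a SECSH public key file."""
    ktype, b64, comment = secsh_to_openssh(text)
    return ("%s %s %s" % (ktype, b64, comment)).rstrip() + "\n"


def openssh_to_secsh(line):
    """Reverse direction: one authorized_keys line -> SECSH file text."""
    ktype, b64, *rest = line.split(None, 2)
    if ktype not in KNOWN_TYPES:
        raise ValueError("unsupported key type %r" % ktype)
    base64.b64decode(b64, validate=True)        # reject damaged input early
    out = [BEGIN]
    if rest and rest[0].strip():
        out.append('Comment: "%s"' % rest[0].strip())
    out.extend(textwrap.wrap(b64, 70))          # SECSH body lines stay short
    out.append(END)
    return "\n".join(out) + "\n"


# Constructed sample: a structurally valid ssh-dss blob (string "ssh-dss",
# mpints p, q, g, y) with toy numbers. NOT a usable key; only the layout matters.
FAKE_DSA_BLOB = (ssh_string(b"ssh-dss") + ssh_mpint(0xD3A1) +
                 ssh_mpint(0x9D) + ssh_mpint(0x4B) + ssh_mpint(0x1234))
FAKE_B64 = base64.b64encode(FAKE_DSA_BLOB).decode("ascii")
SAMPLE_SECSH = "\n".join([
    BEGIN,
    'Comment: "toy DSA key, converted from ssh.com client \\',   # continued
    '  by user@example"',
    FAKE_B64,
    END,
]) + "\n"

if __name__ == "__main__":
    print(authorized_keys_line(SAMPLE_SECSH), end="")
```

Redirecting the output of `authorized_keys_line` is the whole job; note that the comment is carried across, so a key converted on a shared machine keeps whatever the ssh.com client put in its Comment header.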
From: pekkas at netcore.fi (Pekka Savola) Date: Thu, 20 Jul 2000 09:37:33 +0300 (EEST) Subject: UseLogin creates duplicate 'last' entries; configure issue Message-ID: Hello all, I enabled UseLogin briefly on my homegrown Redhat Linux 6.2 system. Redhat's 'login' is in /bin/login, not /usr/bin/login. Perhaps this check should be moved to autoconf rather than #define'd. I also noticed that it creates "duplicate" 'last' entries: ---- esa pts/1 x.y.z.159 Thu Jul 20 07:56 still logged in esa pts/1 host.domain Thu Jul 20 07:56 - 07:56 (00:00) ---- Anyone else notice this? -- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and fall" From Stephan.Hendl at lds.brandenburg.de Thu Jul 20 18:24:42 2000 
From: Stephan.Hendl at lds.brandenburg.de (Stephan Hendl) Date: Thu, 20 Jul 2000 10:24:42 +0200 Subject: openssh-2.1.1p4 and sco 5.0.5 Message-ID: Hi folks, I just installed openssh 2.1.1p4 on a sco OpenServer 5.0.5 machine and it works fine. The only problem I have is the X11 forwarding. I have allowed this feature in the /etc/sshd_config and the /etc/ssh_config, respectively and the /usr/bin/X11/xauth program was in the PATH during compilation. As you can see in the logfile the sco system enables the X11 forwarding and sets the DISPLAY variable properly like other systems. The problem is that the system must have two device files according to the display number in $DISPLAY like /dev/X10R and /dev/X10S. hendl at sco-pers:/home/hendl > xterm /dev/X10R: No such file or directory Error: Can't open display: sco-pers:10.0 I tried to create these two files but the error was still: "Error: Can't open display: sco-pers:10.0". Thanks for your help. Stephan ---------------- hendl at lkvbb1:~ > ssh -v sco-pers SSH Version 1.2.27 [i686-unknown-linux], protocol version 1.5. Standard version. Does not use RSAREF. lkvbb1: Reading configuration data /etc/ssh_config lkvbb1: ssh_connect: getuid 114 geteuid 0 anon 0 lkvbb1: Connecting to sco-pers [10.128.7.50] port 22. lkvbb1: Allocated local port 1022. lkvbb1: Connection established. lkvbb1: Remote protocol version 1.99, remote software version OpenSSH_2.1.1 lkvbb1: Waiting for server public key. lkvbb1: Received server public key (768 bits) and host key (1024 bits). lkvbb1: Host 'sco-pers' is known and matches the host key. lkvbb1: Initializing random; seed file /home/hendl/.ssh/random_seed lkvbb1: IDEA not supported, using 3des instead. lkvbb1: Encryption type: 3des lkvbb1: Sent encrypted session key. lkvbb1: Installing crc compensation attack detector. lkvbb1: Received encrypted confirmation. lkvbb1: Connection to authentication agent opened. 
lkvbb1: Trying RSA authentication via agent with 'hendl at hp_www' lkvbb1: Received RSA challenge from server. lkvbb1: Sending response to RSA challenge. lkvbb1: Remote: RSA authentication accepted. lkvbb1: RSA authentication accepted by server. lkvbb1: Requesting pty. lkvbb1: Requesting X11 forwarding with authentication spoofing. lkvbb1: Requesting authentication agent forwarding. lkvbb1: Requesting shell. lkvbb1: Entering interactive session. Last login: Thu Jul 20 10:12:53 2000 Terminal type? [xterm] Terminal type is xterm. hendl at sco-pers:/home/hendl > echo $DISPLAY sco-pers:10.0 hendl at sco-pers:/home/hendl > ls -l /dev/X* crw-rw-rw- 1 root sys 60, 254 Jul 16 12:03 /dev/X0R crw-rw-rw- 1 root sys 60, 255 Dec 20 1999 /dev/X0S crw-rw-rw- 1 root sys 60, 240 Jul 20 10:19 /dev/X10R crw-rw-rw- 1 root sys 60, 241 Jul 20 10:19 /dev/X10S crw-rw-rw- 1 root sys 60, 242 Jul 20 08:25 /dev/X12R crw-rw-rw- 1 root sys 60, 243 Jul 20 08:21 /dev/X12S crw-rw-rw- 1 root sys 60, 252 Dec 20 1999 /dev/X1R crw-rw-rw- 1 root sys 60, 253 Dec 20 1999 /dev/X1S crw-rw-rw- 1 root sys 60, 250 Dec 20 1999 /dev/X2R crw-rw-rw- 1 root sys 60, 251 Dec 20 1999 /dev/X2S crw-rw-rw- 1 root sys 60, 248 Jul 20 08:34 /dev/X3R crw-rw-rw- 1 root sys 60, 249 Dec 20 1999 /dev/X3S crw-rw-rw- 1 root sys 60, 246 Dec 20 1999 /dev/X4R crw-rw-rw- 1 root sys 60, 247 Dec 20 1999 /dev/X4S crw-rw-rw- 1 root sys 60, 244 Dec 20 1999 /dev/X5R crw-rw-rw- 1 root sys 60, 245 Dec 20 1999 /dev/X5S From ETARDIEU at CPR.FR Thu Jul 20 18:47:03 2000 
From: ETARDIEU at CPR.FR (TARDIEU Emmanuel) Date: Thu, 20 Jul 2000 10:47:03 +0200 Subject: sftp Message-ID: <5BF932D2CD05D211B54800805FE60FEB08F525FE@serv-hermes.systeme.cpr.fr> Hi, What is the status on sftp ? People here who are not familiar with "command line ftp" would like to use the new spiffy graphical sftp provided with ssh.com new NT client. As we are planning on replacing all our sshd with openssh, we need sftpd as well. Thanks, Emmanuel -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000720/6cff9bf9/attachment.html From djm at mindrot.org Thu Jul 20 23:09:21 2000 From: djm at mindrot.org (Damien Miller) Date: Thu, 20 Jul 2000 23:09:21 +1000 (EST) Subject: sftp In-Reply-To: <5BF932D2CD05D211B54800805FE60FEB08F525FE@serv-hermes.systeme.cpr.fr> Message-ID: On Thu, 20 Jul 2000, TARDIEU Emmanuel wrote: > Hi, > > What is the status on sftp ? People here who are not familiar with > "command line ftp" would like to use the new spiffy graphical > sftp provided with ssh.com new NT client. As we are planning on > replacing all our sshd with openssh, we need sftpd as well. sftp is not supported by OpenSSH. There is no specification of the protocol used by the commercial ssh sftp and no one has reverse engineered it. I don't know of any replacements with spiffy graphical interfaces, but you may be able to use rsync. Rsync has been ported to NT and uses some clever algorithms to reduce network traffic. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From stevesk at sweden.hp.com Thu Jul 20 23:21:40 2000 
From: stevesk at sweden.hp.com (Kevin Steves) Date: Thu, 20 Jul 2000 15:21:40 +0200 (CEST) Subject: scp not shutting down in 2.1.1p4 In-Reply-To: <20000718162057.A4880@folly.informatik.uni-erlangen.de> Message-ID: <200007201316.PAA00465@b0fh.sweden.hp.com> On Tue, 18 Jul 2000, Markus Friedl wrote: : On Tue, Jul 18, 2000 at 02:55:44PM +0200, Lutz Jaenicke wrote: : > Hmm, still digging in the scp source... : : do you have problems with : $ ssh host cat file > ~/tmp/x : too? That works fine. From jmknoble at pint-stowp.cx Thu Jul 20 23:26:41 2000 From: jmknoble at pint-stowp.cx (Jim Knoble) Date: Thu, 20 Jul 2000 09:26:41 -0400 Subject: sftp In-Reply-To: ; from djm@mindrot.org on Thu, Jul 20, 2000 at 11:09:21PM +1000 References: <5BF932D2CD05D211B54800805FE60FEB08F525FE@serv-hermes.systeme.cpr.fr> Message-ID: <20000720092641.A2775@quipu.half.pint-stowp.cx> : On Thu, 20 Jul 2000, TARDIEU Emmanuel wrote: : > What is the status on sftp ? People here who are not familiar with : > "command line ftp" would like to use the new spiffy graphical : > sftp provided with ssh.com new NT client. As we are planning on : > replacing all our sshd with openssh, we need sftpd as well. [To which came the response] Circa 2000-Jul-20 23:09:21 +1000 dixit Damien Miller: : sftp is not supported by OpenSSH. There is no specification of the : protocol used by the commercial ssh sftp and no one has reverse : engineered it. : : I don't know of any replacements with spiffy graphical interfaces, : but you may be able to use rsync. Rsync has been ported to NT and : uses some clever algorithms to reduce network traffic. A recent release of gftp is supposed to allow file transfer via SSH: http://freshmeat.net/news/2000/07/09/963181411.html http://freshmeat.net/appindex/1998/12/04/912798127.html I have no idea whether it works with OpenSSH or, if so, how well. -- jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/ From Stephan.Hendl at lds.brandenburg.de Thu Jul 20 23:49:34 2000 
From: Stephan.Hendl at lds.brandenburg.de (Stephan Hendl) Date: Thu, 20 Jul 2000 15:49:34 +0200 Subject: scp over 2 hosts Message-ID: Hi folks, I have the that I must copy some through a Plag-Gateway of a Firewall over 2 host. A secure connection via "ssh - t hosta ssh -t hostb" works fine, but does this work with scp too? I could not realize it either with scp (1.2.27 of ssh.com) or scp from openssh. Do you have any ideas? Thanks Stephan From jasons at usemail.com Fri Jul 21 00:00:30 2000 From: jasons at usemail.com (Jason Spangler) Date: Thu, 20 Jul 2000 09:00:30 -0500 Subject: scp over 2 hosts References: Message-ID: <397705FE.F3EDFD80@usemail.com> Stephan Hendl wrote: > > Hi folks, > > I have the that I must copy some through a Plag-Gateway of a Firewall over > 2 host. A secure connection via "ssh - t hosta ssh -t hostb" works fine, > but does this work with scp too? I could not realize it either with scp > (1.2.27 of ssh.com) or scp from openssh. Do you have any ideas? My firewall blocks incoming connections to low ports so I have to use "ssh -P host1" to tell ssh to use a high numbered port. The commercial ssh's scp includes the -L option to do the same (scp -L host1:file host2:file), but OpenSSH's scp is missing this option. Attached is a patch I submitted to the list a week or two ago that adds the -L option to scp. Hope this helps! -------------- next part -------------- --- openssh-2.1.1p2.orig/scp.c Thu Jun 22 06:32:32 2000 +++ openssh-2.1.1p2/scp.c Fri Jul 7 12:28:27 2000 @@ -8,6 +8,11 @@ * * 1995 Timo Rinne , Tatu Ylonen * + * Changes: + * + * 2000/7/7 Jason Spangler + * Added nonprivilaged port option -L that passes -P option to SSH + * */ /* @@ -93,6 +98,9 @@ and passphrase queries are not allowed). */ int batchmode = 0; +/* This is set to non-zero if a non-privilaged port is desired. */ +int nonprivilaged_port = 0; + /* This is set to the cipher type string if given on the command line. */ char *cipher = NULL; 
@@ -161,6 +169,8 @@ args[i++] = "-C"; if (batchmode) args[i++] = "-oBatchMode yes"; + if (nonprivilaged_port) + args[i++] = "-P"; if (cipher != NULL) { args[i++] = "-c"; args[i++] = cipher; @@ -252,7 +262,7 @@ extern int optind; fflag = tflag = 0; - while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46")) != EOF) + while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46L")) != EOF) switch (ch) { /* User-visible flags. */ case '4': @@ -300,6 +310,9 @@ case 'q': showprogress = 0; break; + case 'L': + nonprivilaged_port = 1; + break; case '?': default: usage(); @@ -406,16 +419,18 @@ else if (!okname(suser)) continue; (void) sprintf(bp, - "%s%s -x -o'FallBackToRsh no' -n -l %s %s %s %s '%s%s%s:%s'", + "%s%s%s -x -o'FallBackToRsh no' -n -l %s %s %s %s '%s%s%s:%s'", SSH_PROGRAM, verbose_mode ? " -v" : "", + nonprivilaged_port ? " -P" : "", suser, host, cmd, src, tuser ? tuser : "", tuser ? "@" : "", thost, targ); } else { host = cleanhostname(argv[i]); (void) sprintf(bp, - "exec %s%s -x -o'FallBackToRsh no' -n %s %s %s '%s%s%s:%s'", + "exec %s%s%s -x -o'FallBackToRsh no' -n %s %s %s '%s%s%s:%s'", SSH_PROGRAM, verbose_mode ? " -v" : "", + nonprivilaged_port ? " -P" : "", host, cmd, src, tuser ? tuser : "", tuser ? "@" : "", thost, targ); --- openssh-2.1.1p2.orig/scp.1 Wed Apr 12 21:26:37 2000 +++ openssh-2.1.1p2/scp.1 Fri Jul 7 12:25:32 2000 @@ -106,6 +106,14 @@ Forces .Nm to use IPv6 addresses only. +.It Fl L +Use a non-privileged port for outgoing connections. +This can be used if your firewall does +not permit connections from privileged ports. +Note that this option turns off +.Cm RhostsAuthentication +and +.Cm RhostsRSAAuthentication . .Sh AUTHORS Timo Rinne and Tatu Ylonen .Sh HISTORY --- openssh-2.1.1p2.orig/scp.0 Sat Jul 1 04:43:10 2000 +++ openssh-2.1.1p2/scp.0 Fri Jul 7 12:27:42 2000 
@@ -56,6 +56,11 @@ -6 Forces scp to use IPv6 addresses only. + -L Use a non-privileged port for outgoing connections. This can be + used if your firewall does not permit connections from privileged + ports. Note that this option turns off RhostsAuthentication and + RhostsRSAAuthentication. + AUTHORS Timo Rinne and Tatu Ylonen From jmknoble at pint-stowp.cx Fri Jul 21 00:14:31 2000 
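Review bot: `nonprivilaged_port` in the hunk at @@ -93,6 +98,9 is misspelled, as is "non-privilaged" in its comment and "nonprivilaged" in the new header comment at @@ -8,6 +8,11; rename to `nonprivileged_port` (and fix both comments) before this is merged, because the identifier is used in each of the four later hunks and a rename afterwards touches all of them.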
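Review bot: `args[i++] = "-P";` in the hunk at @@ -161,6 +169,8 adds one more fixed slot to the argv array built for ssh, and the array's size is not in the hunk; confirm it still has room for the worst case (every option set plus host, command and the terminating NULL) or add a bounds check before the write. Also, scp's own `-P` still takes a port argument (`P:` in the getopt string below) while the `-P` passed through to ssh means "non-privileged port"; the man page should say the two are unrelated.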
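Review bot: the new `case 'L':` at @@ -300,6 +310,9 is accepted, but usage() (called in the `default:` arm just below it) is not touched by the patch; if it prints the option summary, add -L there so `scp` run without arguments documents the flag.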
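Review bot: both calls in the hunk at @@ -406,16 +419,18 are plain sprintf() into bp, and the added `%s` (`nonprivilaged_port ? " -P" : ""`) makes each command line up to three bytes longer; bp's allocation is outside the hunk, so either confirm its length computation already accounts for the extra option or switch these to snprintf(bp, len, ...) so an undersized buffer fails visibly instead of overrunning the heap in the remote-to-remote path.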
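Review bot: in the scp.1 hunk, -L is the letter ssh uses for local port forwarding, so readers will assume the same meaning here; the new `.It Fl L` text should state that scp's -L passes ssh's -P, and that RhostsAuthentication and RhostsRSAAuthentication are turned off because both require a privileged source port, which is why they cannot work together with this option.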
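Review bot: scp.0 is the preformatted rendering of scp.1 (the same paragraph appears in both hunks); rather than hand-editing it in the patch, regenerate it from scp.1 so the two files cannot drift apart.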
From: jmknoble at pint-stowp.cx (Jim Knoble) Date: Thu, 20 Jul 2000 10:14:31 -0400 Subject: sftp In-Reply-To: <20000720092641.A2775@quipu.half.pint-stowp.cx>; from jmknoble@pint-stowp.cx on Thu, Jul 20, 2000 at 09:26:41AM -0400 References: <5BF932D2CD05D211B54800805FE60FEB08F525FE@serv-hermes.systeme.cpr.fr> <20000720092641.A2775@quipu.half.pint-stowp.cx> Message-ID: <20000720101431.C2775@quipu.half.pint-stowp.cx> [Continuing in the grand tradition of replying to one's own messages....] Circa 2000-Jul-20 09:26:41 -0400 dixit Jim Knoble: : A recent release of gftp is supposed to allow file transfer via SSH: : : http://freshmeat.net/news/2000/07/09/963181411.html : http://freshmeat.net/appindex/1998/12/04/912798127.html : : I have no idea whether it works with OpenSSH or, if so, how well. gftp-2.0.7 apparently requires a package called 'sftp' (not the program accompanying F-Secure's SSH), also referred to as 'Secure FTP': http://freshmeat.net/news/2000/06/16/961189605.html http://freshmeat.net/appindex/1999/10/25/940863495.html I've just built and installed sftp-0.9.5 and tried out gftp with the "SSH transport" (meaning that gftp uses the ssh client to invoke the sftp server on the remote end). It seems to work as one would expect any FTP session to work. (The only problem i've encountered is that gftp insists on asking for a password, even if i have private-key authentication set up and ssh-agent running. If i press 'Connect' with a blank password, gftp refuses to connect. Entering arbitrary text as the password seems to allow me to connect. I vote that it's a bug in gftp.) Sftp notes that it's not been ported to any non-Unix platform (i don't remember whether that was a requirement). I have no knowledge of whether gftp has been or is able to be ported to not-Unix platforms. Cheers. -- jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/ From Higdon.David at cnf.com Fri Jul 21 00:42:34 2000 
From: Higdon.David at cnf.com (Higdon, David M - CNF) Date: Thu, 20 Jul 2000 07:42:34 -0700 Subject: First time install Message-ID: <7B73D5F649D0D311B1E30008C7A4D92A020D8E37@cnfqs029.cnf.com> This is my first time installing ssh and I am getting the following error: $ ssh The authenticity of host can't be established. RSA key fingerprint is . Are you sure you want to continue connecting (yes/no)? David From mouring at pconline.com Fri Jul 21 00:48:25 2000 From: mouring at pconline.com (Ben Lindstrom) Date: Thu, 20 Jul 2000 09:48:25 -0500 (CDT) Subject: First time install In-Reply-To: <7B73D5F649D0D311B1E30008C7A4D92A020D8E37@cnfqs029.cnf.com> Message-ID: That is just stating that ssh currently does not know the RSA/DSA public key for the machine you're logging into, and therefore is asking you if it's the right fingerprint. Which it will save for later use. It's normal. After the first time connecting to a host that message goes away. Ben Lindstrom On Thu, 20 Jul 2000, Higdon, David M - CNF wrote: > This is my first time installing ssh and I am getting the following error: > > $ ssh > The authenticity of host can't be established. > RSA key fingerprint is . > Are you sure you want to continue connecting (yes/no)? > > > > David > > > From loomisg at cist.saic.com Fri Jul 21 00:54:40 2000 
From: loomisg at cist.saic.com (Rip Loomis) Date: Thu, 20 Jul 2000 10:54:40 -0400 Subject: First time install In-Reply-To: <7B73D5F649D0D311B1E30008C7A4D92A020D8E37@cnfqs029.cnf.com> Message-ID: <000201bff25a$6ee36d00$275346d1@rloomis.cist.saic.com> David-- This is not an error (in your case), but simply a warning condition. OpenSSH is properly warning you that the host you are trying to contact is not "known" to it, and that it cannot otherwise verify that you are in fact connecting to the host you think you are. This is a feature, designed to keep you from accidentally supplying your login/password information to an improper or impostor host. RTFM, apropos make-ssh-known-hosts(1). Alternatively, if you're sure that you *really* are connecting to the desired host, just answer "yes" to that warning and it will appropriately populate your known-hosts file. Hope this helps, and congratulations on choosing to install SSH and improve your security. --Rip Rip Loomis Voice Number: (410) 953-6874 -------------------------------------------------------- Security Engineer Center for Information Security Technology Science Applications International Corporation http://www.cist.saic.com -----Original Message----- From: owner-openssh-unix-dev at mindrot.org [mailto:owner-openssh-unix-dev at mindrot.org]On Behalf Of Higdon, David M - CNF Sent: Thursday, July 20, 2000 10:43 AM To: 'openssh-unix-dev at mindrot.org' Subject: First time install This is my first time installing ssh and I am getting the following error: $ ssh The authenticity of host can't be established. RSA key fingerprint is . Are you sure you want to continue connecting (yes/no)? David From stevesk at sweden.hp.com Fri Jul 21 01:19:02 2000 
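What the prompt Rip describes is asking of the user, as an added example that is not OpenSSH's code: the fingerprint printed on first contact is a hash of the host's public key blob (MD5 colon-hex in the OpenSSH of this thread, SHA256 in current releases), to be compared against one obtained out of band; once the key is recorded, the case to worry about is a later connection to the same host that presents a different key. The key blobs, host names and known_hosts lines below are constructed for the example; the hashed `|1|salt|mac` host form was added to OpenSSH years after this thread and is included so the check also covers hashed files.

```python
"""Host key fingerprints and a known_hosts check. Added example; not the
ssh client's own code."""
import base64
import hashlib
import hmac


def fingerprint_md5(blob):
    """Colon-separated MD5 hex, the 'RSA key fingerprint is ...' form of 2000."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob):
    """The form current OpenSSH prints: SHA256:<unpadded base64>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def hashed_host_field(host, salt):
    """Build the |1|salt|mac host field: HMAC-SHA1 over the host name, keyed by salt."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_field_matches(field, host):
    """Does a known_hosts host field (plain or hashed) name this host?"""
    if field.startswith("|1|"):
        _, version, salt, mac = field.split("|", 3)
        if version != "1":
            return False
        expected = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac))
    # Plain form: comma-separated names. Wildcards and '!' negation omitted here.
    return host in field.split(",")


def check_known_hosts(known_hosts, host, ktype, b64blob):
    """Return 'match', 'mismatch' (host known with a different key of this
    type: treat as a possible impostor) or 'unknown' (first contact: verify
    the fingerprint out of band before answering yes)."""
    seen = False
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].startswith("@"):        # @cert-authority / @revoked markers
            parts = parts[1:]
        if len(parts) < 3 or not host_field_matches(parts[0], host):
            continue
        if parts[1] != ktype:
            continue
        seen = True
        if hmac.compare_digest(parts[2].encode(), b64blob.encode()):
            return "match"
    return "mismatch" if seen else "unknown"


# Constructed key blobs (SSH wire format: string "ssh-rsa", mpint e, mpint n)
# with toy numbers; not usable keys, only the layout is real.
FAKE_RSA_BLOB = (b"\x00\x00\x00\x07ssh-rsa" + b"\x00\x00\x00\x01\x03"
                 + b"\x00\x00\x00\x03\x00\xc5\x01")
FAKE_RSA_B64 = base64.b64encode(FAKE_RSA_BLOB).decode()
OTHER_BLOB = (b"\x00\x00\x00\x07ssh-rsa" + b"\x00\x00\x00\x01\x03"
              + b"\x00\x00\x00\x02\x65\x01")
OTHER_B64 = base64.b64encode(OTHER_BLOB).decode()

# Constructed known_hosts: one plain entry and one hashed entry (20-byte salt).
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed for the example",
    "gw.example,10.0.0.5 ssh-rsa " + FAKE_RSA_B64,
    hashed_host_field("tomcat.example", b"0123456789abcdef0123") + " ssh-rsa " + FAKE_RSA_B64,
]) + "\n"

if __name__ == "__main__":
    print("fingerprints:", fingerprint_md5(FAKE_RSA_BLOB), fingerprint_sha256(FAKE_RSA_BLOB))
    for h, key in (("gw.example", FAKE_RSA_B64), ("tomcat.example", OTHER_B64),
                   ("new.example", FAKE_RSA_B64)):
        print(h, check_known_hosts(SAMPLE_KNOWN_HOSTS, h, "ssh-rsa", key))
```

The "mismatch" result is the one the client refuses to proceed on by default; "unknown" is the prompt David saw, and the right response to it is to compare the printed fingerprint with one obtained from the server's administrator, not to answer yes on faith.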
From: stevesk at sweden.hp.com (Kevin Steves) Date: Thu, 20 Jul 2000 17:19:02 +0200 (CEST) Subject: scp not shutting down in 2.1.1p4 In-Reply-To: <200007201316.PAA00465@b0fh.sweden.hp.com> Message-ID: <200007201513.RAA21708@b0fh.sweden.hp.com> Here are some trace (tusc) and stacks traces from HP-UX 11.0. scp trace output: write(2, "5 3 X \n", 5) ...................................................... = 5 write(6, "C 0 6 6 4 5 3 X \n", 11) ......................................... = 11 read(7, "\0", 1) ............................................................... = 1 fstat(3, 0x7bff1084) ........................................................... = 0 gettimeofday(0x40002780, NULL) ................................................. = 0 setpgrp(0) ..................................................................... = 8809 ioctl(1, TIOCGPGRP, 0x7bff1280) ................................................ = 0 gettimeofday(0x7bff10b0, NULL) ................................................. = 0 ioctl(1, TIOCGWINSZ, 0x7bff1280) ............................................... = 0 X 0% | | 0 --:-- ETAwrite(1, "\rX ".., 102) ............................ = 102 sigsetreturn(0x7bfcba1a, 0x6211988, 1392) ...................................... = 0 sigaction(SIGALRM, 0x7bff11e8, NULL) ........................................... = 0 setitimer(ITIMER_REAL, 0x7bff1280, NULL) ....................................... = 0 read(3, "G e n e r i c S y s N a m e [ ".., 53) .............................. = 53 write(6, "G e n e r i c S y s N a m e [ ".., 53) ............................. = 53 ioctl(1, TIOCGPGRP, 0x7bff1280) ................................................ = 0 gettimeofday(0x7bff10b0, NULL) ................................................. = 0 ioctl(1, TIOCGWINSZ, 0x7bff1280) ............................................... = 0 X 100% |***************************************************| 53 00:00 write(1, "\rX ".., 102) ............................ 
= 102 setitimer(ITIMER_REAL, 0x7bff1280, NULL) ....................................... = 0 write(1, "\n", 1) .............................................................. = 1 close(3) ....................................................................... = 0 write(6, "\0", 1) .............................................................. = 1 read(7, "\0", 1) ............................................................... = 1 exit(0) ........................................................................ WIFEXITED(0) stack trace of blocked scp ssh child: (gdb) attach 8613 Attaching to process 8613 Reading symbols from /opt/openssh-2.1.1p4/bin/ssh...done. warning: The shared libraries were not privately mapped; setting a breakpoint in a shared library will not work until you rerun the program. Reading symbols from /usr/lib/libnsl.1...done. Reading symbols from /usr/lib/libxti.2...done. Reading symbols from /usr/lib/libsec.2...done. Reading symbols from /usr/lib/libm.2...done. Reading symbols from /usr/lib/libpam.1...done. Reading symbols from /usr/lib/libc.2...done. Reading symbols from /usr/lib/libdld.2...done. Reading symbols from /usr/lib/libnss_files.1...done. Reading symbols from /usr/lib/libnss_dns.1...done. 0xc01ed428 in _select_sys () from /usr/lib/libc.2 (gdb) bt #0 0xc01ed428 in _select_sys () from /usr/lib/libc.2 #1 0xc01f8fa8 in select () from /usr/lib/libc.2 #2 0x1a004 in client_wait_until_can_do_something (readset=0x7bff0ddc, writeset=0x7bff0edc) at clientloop.c:368 #3 0x1b248 in client_loop (have_pty=0, escape_char_arg=-1) at clientloop.c:824 #4 0x12a48 in ssh_session () at ssh.c:874 #5 0x12000 in main (ac=5, av=0x7bff0514) at ssh.c:670 stack trace of server blocked sshd: Attaching to process 8777 Reading symbols from /opt/ssh/sbin/sshd...done. warning: The shared libraries were not privately mapped; setting a breakpoint in a shared library will not work until you rerun the program. Reading symbols from /usr/lib/libnsl.1...done. 
Reading symbols from /usr/lib/libxti.2...done. Reading symbols from /usr/lib/libsec.2...done. Reading symbols from /usr/lib/libm.2...done. Reading symbols from /usr/lib/libpam.1...done. Reading symbols from /usr/lib/libc.2...done. Reading symbols from /usr/lib/libdld.2...done. Reading symbols from /usr/lib/libnss_files.1...done. Reading symbols from /usr/lib/libnss_dns.1...done. Reading symbols from /usr/lib/security/libpam_unix.1...done. Reading symbols from /usr/lib/libpsm.1...done. 0xc01ed428 in _select_sys () from /usr/lib/libc.2 (gdb) bt #0 0xc01ed428 in _select_sys () from /usr/lib/libc.2 #1 0xc01f8fa8 in select () from /usr/lib/libc.2 #2 0x1b90c in wait_until_can_do_something (readset=0x7bff0ea8, writeset=0x7bff0fa8, max_time_milliseconds=0) at serverloop.c:232 #3 0x1c490 in server_loop (pid=8778, fdin_arg=8, fdout_arg=8, fderr_arg=10) at serverloop.c:519 #4 0x1e408 in do_exec_no_pty (s=0x4001d540, command=0x4002c910 "scp -t y", pw=0x7bff0cac) at session.c:500 #5 0x1e060 in do_authenticated (pw=0x7bff0cac) at session.c:358 #6 0x13d08 in do_authentication () at auth1.c:535 #7 0x12010 in main (ac=1, av=0x7bff02c4) at sshd.c:1003 stack trace "hung" scp process: Attaching to process 8893 Reading symbols from /usr/src/openssh/openssh-2.1.1p4/scp...done. warning: The shared libraries were not privately mapped; setting a breakpoint in a shared library will not work until you rerun the program. Reading symbols from /usr/lib/libnsl.1...done. Reading symbols from /usr/lib/libxti.2...done. Reading symbols from /usr/lib/libsec.2...done. Reading symbols from /usr/lib/libm.2...done. Reading symbols from /usr/lib/libpam.1...done. Reading symbols from /usr/lib/libc.2...done. Reading symbols from /usr/lib/libdld.2...done. Reading symbols from /usr/lib/libnss_files.1...done. 
0xc01ed230 in _read_sys () from /usr/lib/libc.2 (gdb) bt #0 0xc01ed230 in _read_sys () from /usr/lib/libc.2 #1 0xc01f85e4 in read () from /usr/lib/libc.2 #2 0x82a8 in atomicio (f=0x400026d2 , fd=0, _s=0x7bff03c0 "C0664 53 X", n=1) at atomicio.c:46 #3 0x625c in sink (argc=1, argv=0x7bff014c) at scp.c:702 #4 0x4c08 in main (argc=1, argv=0x7bff014c) at scp.c:335 From Higdon.David at cnf.com Fri Jul 21 01:30:13 2000 From: Higdon.David at cnf.com (Higdon, David M - CNF) Date: Thu, 20 Jul 2000 08:30:13 -0700 Subject: First time install Message-ID: <7B73D5F649D0D311B1E30008C7A4D92A020D8E38@cnfqs029.cnf.com> Ben, thanks for your response. My problem is that after I answer yes to continue I am able to snoop my passwd over the network. - David -----Original Message----- From: Ben Lindstrom [mailto:mouring at pconline.com] Sent: Thursday, July 20, 2000 7:48 AM To: Higdon, David M - CNF Cc: 'openssh-unix-dev at mindrot.org' Subject: Re: First time install That is just stating that ssh currently does not know the RSA/DSA public key for the machine you're logging into, and therefore is asking you if it's the right fingerprint. Which it will save for later use. It's normal. After the first time connecting to a host that message goes away. Ben Lindstrom On Thu, 20 Jul 2000, Higdon, David M - CNF wrote: > This is my first time installing ssh and I am getting the following error: > > $ ssh > The authenticity of host can't be established. > RSA key fingerprint is . > Are you sure you want to continue connecting (yes/no)? > > > > David > > > From hdiwan at ssd.loral.com Fri Jul 21 01:52:29 2000 
From: hdiwan at ssd.loral.com (Hasan Diwan) Date: Thu, 20 Jul 2000 08:52:29 -0700 Subject: Incompatibility with free version Message-ID: <20000720085229.A35399@hdroam.ssd.loral.com> First off, I am not a subscriber, so please CC replies to my email address. The problem I am having -- I do not know who is to blame, but am just covering all angles. I run OpenSSH 2.1.1 on FreeBSD. When I try to connect to a server running ssh2d from ftp.ssh.com, it fails saying corrupted MAC on input. I am including a log of my connection below: % ssh -v -l diwanh tomcat SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0. Compiled with SSL (0x00904100). debug: Reading configuration data /usr/local/etc/ssh_config debug: ssh_connect: getuid 0 geteuid 0 anon 0 debug: Connecting to tomcat.ssd.loral.com [158.184.44.31] port 22. debug: Allocated local port 920. debug: Connection established. debug: Remote protocol version 2.0, remote software version 2.2.0 SSH Secure Shell Enabling compatibility mode for protocol 2.0 debug: Local version string SSH-2.0-OpenSSH_2.1.1 debug: send KEXINIT debug: done debug: wait KEXINIT debug: got kexinit: diffie-hellman-group1-sha1 debug: got kexinit: ssh-dss debug: got kexinit: 3des-cbc,blowfish-cbc,twofish-cbc,arcfour,none debug: got kexinit: 3des-cbc,blowfish-cbc,twofish-cbc,arcfour,none debug: got kexinit: hmac-sha1,hmac-md5,hmac-md5-96,none debug: got kexinit: hmac-sha1,hmac-md5,hmac-md5-96,none debug: got kexinit: none,zlib debug: got kexinit: none,zlib debug: got kexinit: debug: got kexinit: debug: first kex follow: 0 debug: reserved: 0 debug: done debug: kex: server->client 3des-cbc hmac-sha1 none debug: kex: client->server 3des-cbc hmac-sha1 none debug: Sending SSH2_MSG_KEXDH_INIT. debug: bits set: 516/1024 debug: Wait SSH2_MSG_KEXDH_REPLY. debug: Got SSH2_MSG_KEXDH_REPLY. debug: keytype ssh-dss debug: keytype ssh-dss debug: keytype ssh-dss debug: Host 'tomcat.ssd.loral.com' is known and matches the DSA host key. 
debug: bits set: 506/1024
debug: len 55 datafellows 0
debug: dsa_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
Disconnecting: Corrupted HMAC on input.
debug: Calling cleanup 0x80571ac(0x0)

and tomcat is running:

% telnet tomcat 22
SSH-2.0-2.2.0 SSH Secure Shell

From Lutz.Jaenicke at aet.TU-Cottbus.DE Fri Jul 21 02:14:51 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Thu, 20 Jul 2000 18:14:51 +0200
Subject: scp not shutting down in 2.1.1p4
In-Reply-To: <200007201513.RAA21708@b0fh.sweden.hp.com>; from stevesk@sweden.hp.com on Thu, Jul 20, 2000 at 05:19:02PM +0200
References: <200007201316.PAA00465@b0fh.sweden.hp.com> <200007201513.RAA21708@b0fh.sweden.hp.com>
Message-ID: <20000720181451.A27492@serv01.aet.tu-cottbus.de>

On Thu, Jul 20, 2000 at 05:19:02PM +0200, Kevin Steves wrote:
...
> write(1, "\n", 1) .............................................................. = 1
> close(3) ....................................................................... = 0
> write(6, "\0", 1) .............................................................. = 1
> read(7, "\0", 1) ............................................................... = 1
> exit(0) ........................................................................ WIFEXITED(0)
...
> stack trace "hung" scp process:
...
> 0xc01ed230 in _read_sys () from /usr/lib/libc.2
> (gdb) bt
> #0 0xc01ed230 in _read_sys () from /usr/lib/libc.2
> #1 0xc01f85e4 in read () from /usr/lib/libc.2
> #2 0x82a8 in atomicio (f=0x400026d2 , fd=0, _s=0x7bff03c0 "C0664 53 X", n=1) at atomicio.c:46
> #3 0x625c in sink (argc=1, argv=0x7bff014c) at scp.c:702
> #4 0x4c08 in main (argc=1, argv=0x7bff014c) at scp.c:335

Thanks for your effort. I have browsed through the scp.c source, but it seems I must understand the rcp protocol first. My impression from source() is that the transfer is finished with '\0', which would coincide with your trace of the calling scp. I however did not find the corresponding check in sink(), which either 'return's from sink() or 'exit's the remote scp. It rather hangs in a read, as both the calling ssh and the sshd wait for the remote scp to exit...

Best regards,
	Lutz
-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From dabe_spam at excite.com Fri Jul 21 03:12:39 2000
From: dabe_spam at excite.com (dabe_spam at excite.com)
Date: Thu, 20 Jul 2000 10:12:39 -0700 (PDT)
Subject: fatal: Not enough entropy in RNG
Message-ID: <23127358.964113159958.JavaMail.imail@neon.excite.com>

Hi,

I'm running openssh 2.1.1p4 on Solaris 7 (sparc). Occasionally, when I boot up the server, the startup script I wrote to start sshd fails to start sshd with the following error:

fatal: Not enough entropy in RNG

What am I doing wrong??
Is there anything I can do to prevent this from happening?
Is just restarting sshd a valid thing to do??

Thanks for any thoughts,
David

From gem at rellim.com Fri Jul 21 03:18:55 2000
From: gem at rellim.com (Gary E. Miller)
Date: Thu, 20 Jul 2000 10:18:55 -0700 (PDT)
Subject: sftp
In-Reply-To:
Message-ID:

Yo TARDIEU!

Just do what I do. Use the spiffy graphical FTP of your choice on your NT box. Then just config your ssh connection to tunnel your plain old FTP protocol to the remote host.

Voila! And fully standards compliant.

On Thu, 20 Jul 2000, TARDIEU Emmanuel wrote:

> Hi,
>
> What is the status on sftp ? People here who are not familiar with
> "command line ftp" would like to use the new spiffy graphical
> sftp provided with ssh.com new NT client. As we are planning on
> replacing all our sshd with openssh, we need sftpd as well.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
	gem at rellim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676

From Lutz.Jaenicke at aet.TU-Cottbus.DE Fri Jul 21 03:25:42 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Thu, 20 Jul 2000 19:25:42 +0200
Subject: fatal: Not enough entropy in RNG
In-Reply-To: <23127358.964113159958.JavaMail.imail@neon.excite.com>; from dabe_spam@excite.com on Thu, Jul 20, 2000 at 10:12:39AM -0700
References: <23127358.964113159958.JavaMail.imail@neon.excite.com>
Message-ID: <20000720192542.A28188@serv01.aet.tu-cottbus.de>

On Thu, Jul 20, 2000 at 10:12:39AM -0700, dabe_spam at excite.com wrote:
> Hi,
> I'm running openssh 2.1.1p4 on Solaris 7 (sparc). Occasionally, when I
> boot up the server, the startup script I wrote to start sshd fails to start
> sshd with the following error:
> fatal: Not enough entropy in RNG
>
> What am I doing wrong??
> Is there anything I can do to prevent this from happening?
> Is just restarting sshd a valid thing to do??

What kind of entropy source did you select? EGD or the integrated entropy collector? (If you did not select one, the integrated collector should be configured.)
EGD can be drained and then a starting sshd can fail. I have written my own prngd to get around this problem (early alpha stage :-) on HP-UX.
The integrated entropy collector should better not fail...

Best regards,
	Lutz
-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From mouring at pconline.com Fri Jul 21 03:26:13 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Thu, 20 Jul 2000 12:26:13 -0500 (CDT)
Subject: ssh -V reporting.
In-Reply-To:
Message-ID:

Should we technically modify the -V to state which portable version is being run? I've seen it cause some confusion when people are checking which version they are running for help.

Change it to something like:
SSH Version OpenSSH_2.1.1p4, protocol versions 1.5/2.0

or

SSH Version OpenSSH_2.1.1 Portable 4, protocol versions 1.5/2.0

From dugsong at monkey.org Fri Jul 21 03:28:02 2000
From: dugsong at monkey.org (Dug Song)
Date: Thu, 20 Jul 2000 13:28:02 -0400 (EDT)
Subject: sftp
In-Reply-To:
Message-ID:

On Thu, 20 Jul 2000, Gary E. Miller wrote:

> Just do what I do. Use the spiffy graphical FTP of your choice on
> your NT box. Then just config your ssh connection to tunnel your
> plain old FTP protocol to the remote host.

this certainly secures the FTP control channel, but be aware that ephemeral data transfer connections are still in the clear.

-d.

---
http://www.monkey.org/~dugsong/

From pekkas at netcore.fi Fri Jul 21 03:35:58 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Thu, 20 Jul 2000 20:35:58 +0300 (EEST)
Subject: sftp
In-Reply-To:
Message-ID:

On Thu, 20 Jul 2000, Gary E. Miller wrote:
> Just do what I do. Use the spiffy graphical FTP of your choice
> on your NT box. Then just config your ssh connection to tunnel
> your plain old FTP protocol to the remote host.
>
> Voila! And fully standards compliant.

Yes. This is very commonly done. However, there are some difficulties.

- data channels cannot be encrypted.
- you have to have a working shell account as well as ftp account (I think with sftp it could be restricted)
- When you want to transfer files, you have to use SSH first. This seems like an unnecessary procedure for newbie'ish people.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi       not those you stumble over and fall"

From weigel+ at pitt.edu Fri Jul 21 04:00:23 2000
From: weigel+ at pitt.edu (Matthew C. Weigel)
Date: Thu, 20 Jul 2000 14:00:23 -0400 (EDT)
Subject: fatal: Not enough entropy in RNG
In-Reply-To: <20000720192542.A28188@serv01.aet.tu-cottbus.de>
Message-ID:

On Thu, 20 Jul 2000, Lutz Jaenicke wrote:

> The integrated entropy collector should better not fail...

But it can, at least on boring machines. My HP running NeXTSTEP can *occasionally* get enough activity to let sshd start up, but tweaking /etc/ssh_prng_cmds to very high values still doesn't always work.

Matthew Weigel
Programmer/Student
weigel+ at pitt.edu

From Lutz.Jaenicke at aet.TU-Cottbus.DE Fri Jul 21 04:09:33 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Thu, 20 Jul 2000 20:09:33 +0200
Subject: fatal: Not enough entropy in RNG
In-Reply-To: ; from weigel+@pitt.edu on Thu, Jul 20, 2000 at 02:00:23PM -0400
References: <20000720192542.A28188@serv01.aet.tu-cottbus.de>
Message-ID: <20000720200933.A28765@serv01.aet.tu-cottbus.de>

On Thu, Jul 20, 2000 at 02:00:23PM -0400, Matthew C. Weigel wrote:
> On Thu, 20 Jul 2000, Lutz Jaenicke wrote:
>
> > The integrated entropy collector should better not fail...
>
> But it can, at least on boring machines. My HP running NeXTSTEP can
> *occasionally* get enough activity to let sshd start up, but tweaking
> /etc/ssh_prng_cmds to very high values still doesn't always work.

That's why I wrote PRNGD :-) You can get it from my site in the Postfix/TLS path. Since I announced it on openssl-users, I have seen several downloads in my ftp-log, but did not receive any comment about it.
If you port it to NeXTSTEP, your input would be welcome :-)

Best regards,
	Lutz
-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From mouring at pconline.com Fri Jul 21 04:16:35 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Thu, 20 Jul 2000 13:16:35 -0500 (CDT)
Subject: fatal: Not enough entropy in RNG
In-Reply-To: <20000720200933.A28765@serv01.aet.tu-cottbus.de>
Message-ID:

On Thu, 20 Jul 2000, Lutz Jaenicke wrote:

> On Thu, Jul 20, 2000 at 02:00:23PM -0400, Matthew C. Weigel wrote:
> > On Thu, 20 Jul 2000, Lutz Jaenicke wrote:
> >
> > > The integrated entropy collector should better not fail...
> >
> > But it can, at least on boring machines. My HP running NeXTSTEP can
> > *occasionally* get enough activity to let sshd start up, but tweaking
> > /etc/ssh_prng_cmds to very high values still doesn't always work.
>
> That's why I wrote PRNGD :-) You can get it from my site in the Postfix/TLS
> path. Since I announced it on openssl-users, I have seen several downloads
> in my ftp-log, but did not receive any comment about it.
> If you port it to NeXTSTEP, your input would be welcome :-)
>

Ermm.. May be something to look at in the future. On my NeXT box I just use egd.pl. It works for the little traffic that occurs on that box at this moment. I would prefer the internal ssh prng generator to work on my machine or a kernel based prng.. I'm not a fan of attempting to ensure that some external prng software is running.

OH.BTW..I've not tried it.. Anyone running the NeXT port that has a system handy (mine is not.. It's been brought down again for a while due to space restrictions on my subnet) try doing "UseLogin YES" in the sshd_config .. See if that temporarily solves the utmp issue. At least as a work around until we figure out what the trouble is.

Ben Lindstrom

From svaughan at asterion.com Fri Jul 21 04:53:39 2000
From: svaughan at asterion.com (svaughan)
Date: Thu, 20 Jul 2000 11:53:39 -0700 (PDT)
Subject: SCO help
Message-ID:

Hello,

I need some help. I have compiled openssh-2.1.1p3 on SCO 5.0.5. It compiled without any complaints. My problem is that when someone tries to connect to the sshd, they get the message

Warning: Remote host failed or refused to allocate a pseudo tty.
stty: tcgetattr failed: Bad address (error 14)

I have upped the pseudo ttys in the kernel and relinked but I still get this error. Could this have something to do with the fact that I have a /dev/ptmx but no /dev/pts ?? I looked through the config.h and found HAVE_DEV_PTMX commented.

/* #undef HAVE_DEV_PTMX */

I also noticed SCO uses /dev/ttyp?? for pseudo ttys

Any help would be greatly appreciated.

Sam

From weigel+ at pitt.edu Fri Jul 21 04:59:42 2000
From: weigel+ at pitt.edu (Matthew C. Weigel)
Date: Thu, 20 Jul 2000 14:59:42 -0400 (EDT)
Subject: fatal: Not enough entropy in RNG
In-Reply-To:
Message-ID:

On Thu, 20 Jul 2000, Ben Lindstrom wrote:

> Ermm.. May be something to look at in the future. On my NeXT box I just
> use egd.pl.

That's the one running 4.2, not 3.3, right? Steve Blackford, I think, reported egd.pl working fine for him in 3.3, but I've had no such luck on my HP... and I'm not familiar enough with named pipes to debug it (although IIRC, 'file' reported it as a directory not a pipe, so perhaps that's the problem...).

> It works for the little traffic that occurs on that box at
> this moment. I would prefer the internal ssh prng generator to work on my
> machine or a kernel based prng.. I'm not a fan of attempting to ensure
> that some external prng software is running.

Yeah, but I'd like anything that worked.

> OH.BTW..I've not tried it.. Anyone running the NeXT port that has a system
> handy (mine is not.. It's been brought down again for a while due to space
> restrictions on my subnet) try doing "UseLogin YES" in the sshd_config ..
> See if that temporarily solves the utmp issue. At least as a work around
> until we figure out what the trouble is.

I'm still tooling around with PRNG and trying to change stuff enough to get sshd running. I know someone else here at CMU who's wanting to use OpenSSH on his hppa/NeXT system, so I'll point him towards that.

Matthew Weigel
Programmer/Student
weigel+ at pitt.edu

From mouring at pconline.com Fri Jul 21 05:30:31 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Thu, 20 Jul 2000 14:30:31 -0500 (CDT)
Subject: fatal: Not enough entropy in RNG
In-Reply-To:
Message-ID:

On Thu, 20 Jul 2000, Matthew C. Weigel wrote:

> On Thu, 20 Jul 2000, Ben Lindstrom wrote:
>
> > Ermm.. May be something to look at in the future. On my NeXT box I just
> > use egd.pl.
>
> That's the one running 4.2, not 3.3, right? Steve Blackford, I think,
> reported egd.pl working fine for him in 3.3, but I've had no such luck on my
> HP... and I'm not familiar enough with named pipes to debug it
> (although IIRC, 'file' reported it as a directory not a pipe, so perhaps
> that's the problem...).
>

Only tried it on OpenStep 4.2 m68k. It worked right out of the box.

> > OH.BTW..I've not tried it.. Anyone running the NeXT port that has a system
> > handy (mine is not.. It's been brought down again for a while due to space
> > restrictions on my subnet) try doing "UseLogin YES" in the sshd_config ..
> > See if that temporarily solves the utmp issue. At least as a work around
> > until we figure out what the trouble is.
>
> I'm still tooling around with PRNG and trying to change stuff enough to get
> sshd running. I know someone else here at CMU who's wanting to use OpenSSH
> on his hppa/NeXT system, so I'll point him towards that.
>

I'll end up getting back to OpenSSH in any major coding way after GenCon, so sometime mid-August. Too many other machines to build and not enough places to put them in my small apartment.

Ben Lindstrom

From Higdon.David at cnf.com Fri Jul 21 06:42:03 2000
From: Higdon.David at cnf.com (Higdon, David M - CNF)
Date: Thu, 20 Jul 2000 13:42:03 -0700
Subject: SUNWski
Message-ID: <7B73D5F649D0D311B1E30008C7A4D92A020D8E39@cnfqs029.cnf.com>

Has anyone had success with getting /dev/random to work after installing SUNWski? After I install the pkg and start /etc/init.d/cryptorand, the /dev/random file remains 0 bytes.

I am running Solaris 2.8

- David

From bfriday at LaSierra.edu Fri Jul 21 06:46:27 2000
From: bfriday at LaSierra.edu (Brian Friday)
Date: Thu, 20 Jul 2000 13:46:27 -0700 (PDT)
Subject: SUNWski
In-Reply-To: <7B73D5F649D0D311B1E30008C7A4D92A020D8E39@cnfqs029.cnf.com>
Message-ID:

On Thu, 20 Jul 2000, Higdon, David M - CNF wrote:

> Has anyone had success with getting /dev/random to work
> after installing SUNWski? After I install the pkg and start /etc/
> init.d/cryptorand, the /dev/random file remains 0 bytes.
>
> I am running Solaris 2.8

I'm running Solaris 2.8 sun4m 32-bit and SUNWski without any problem.

I did notice that on my Sol 7 E250 Machine running in 64-bit the SUNWski would not run. I assume this is because of the system running at 64-bit rather than 32-bit although I haven't had the time to confirm this.

Sincerely,

Brian Friday
Systems Administrator
La Sierra University
(909) 785-2554 x2

From Higdon.David at cnf.com Fri Jul 21 06:52:17 2000
From: Higdon.David at cnf.com (Higdon, David M - CNF)
Date: Thu, 20 Jul 2000 13:52:17 -0700
Subject: SUNWski
Message-ID: <7B73D5F649D0D311B1E30008C7A4D92A020D8E3A@cnfqs029.cnf.com>

Did the /dev/random file start growing immediately or did it take a while?

Thanks

David Higdon
UNIX System Administrator

-----Original Message-----
From: Brian Friday [mailto:bfriday at LaSierra.edu]
Sent: Thursday, July 20, 2000 1:46 PM
To: 'openssh-unix-dev at mindrot.org'
Subject: Re: SUNWski

On Thu, 20 Jul 2000, Higdon, David M - CNF wrote:

> Has anyone had success with getting /dev/random to work
> after installing SUNWski? After I install the pkg and start /etc/
> init.d/cryptorand, the /dev/random file remains 0 bytes.
>
> I am running Solaris 2.8

I'm running Solaris 2.8 sun4m 32-bit and SUNWski without any problem.

I did notice that on my Sol 7 E250 Machine running in 64-bit the SUNWski would not run. I assume this is because of the system running at 64-bit rather than 32-bit although I haven't had the time to confirm this.

Sincerely,

Brian Friday
Systems Administrator
La Sierra University
(909) 785-2554 x2

From chip at princetonecom.com Fri Jul 21 06:53:04 2000
From: chip at princetonecom.com (Chip Christian)
Date: Thu, 20 Jul 2000 16:53:04 -0400
Subject: SUNWski
In-Reply-To: Message from Brian Friday of "Thu, 20 Jul 2000 13:46:27 PDT."
Message-ID: <20000720205304.5560DB47B@fleck.princetonecom.com>

Make sure you have SUNWlmsx installed. That's the only undocumented dependency I found.

> On Thu, 20 Jul 2000, Higdon, David M - CNF wrote:
>
> > Has anyone had success with getting /dev/random to work
> > after installing SUNWski? After I install the pkg and start /etc/
> > init.d/cryptorand, the /dev/random file remains 0 bytes.
> >
> > I am running Solaris 2.8
>
> I'm running Solaris 2.8 sun4m 32-bit and SUNWski without any problem.
>
> I did notice that on my Sol 7 E250 Machine running in 64-bit the SUNWski
> would not run. I assume this is because of the system running at 64-bit
> rather than 32-bit although I haven't had the time to confirm this.
>
> Sincerely,
>
> Brian Friday
> Systems Administrator
> La Sierra University
> (909) 785-2554 x2

From jmknoble at pint-stowp.cx Fri Jul 21 07:01:19 2000
From: jmknoble at pint-stowp.cx (Jim Knoble)
Date: Thu, 20 Jul 2000 17:01:19 -0400
Subject: ssh -V reporting.
In-Reply-To: ; from Ben Lindstrom on Thu, Jul 20, 2000 at 12:26:13PM -0500
References:
Message-ID: <20000720170119.A10544@ntrnet.net>

I think this is a fantastic idea. I've been doing this in local installs for my own sanity since 1.2.somethingorother.

-- 
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/

Circa 2000-Jul-20 12:26:13 -0500 dixit Ben Lindstrom:

: Should we technically modify the -V to state which portable version
: is being run? I've seen it cause some confusion when people are checking
: which version they are running for help.
:
: Change it to something like:
: SSH Version OpenSSH_2.1.1p4, protocol versions 1.5/2.0
:
: or
:
: SSH Version OpenSSH_2.1.1 Portable 4, protocol versions 1.5/2.0

From bfriday at LaSierra.edu Fri Jul 21 07:02:31 2000
From: bfriday at LaSierra.edu (Brian Friday)
Date: Thu, 20 Jul 2000 14:02:31 -0700 (PDT)
Subject: SUNWski
In-Reply-To: <7B73D5F649D0D311B1E30008C7A4D92A020D8E3A@cnfqs029.cnf.com>
Message-ID:

On Thu, 20 Jul 2000, Higdon, David M - CNF wrote:

> Did the /dev/random file start growing immediately or
> did it take a while?

Hmm... Well it wasn't something I looked at right away but I gave it about 2-5 minutes after first starting the SUNWski package up and everything worked fine. Although I waited this long because of earlier experiences with EGD.

Sincerely,

Brian Friday
Systems Administrator
La Sierra University
(909) 785-2554 x2

From rachit at ensim.com Fri Jul 21 07:13:09 2000
From: rachit at ensim.com (Rachit Siamwalla)
Date: Thu, 20 Jul 2000 14:13:09 -0700
Subject: scp over 2 hosts
References:
Message-ID: <39776B65.83DBAC20@ensim.com>

I dunno, if scp doesn't work, then you can always do the following:

copy from:
ssh hosta ssh hostb cat /tmp/yourfile > yourfile

copy to:
cat yourfile | ssh hosta ssh hostb "cat > /tmp/yourfile"

I use this to perform backups / remote restorations (replacing cat with tar).

Stephan Hendl wrote:
>
> Hi folks,
>
> I have the that I must copy some through a Plag-Gateway of a Firewall over 2 host. A secure connection via "ssh -t hosta ssh -t hostb" works fine, but does this work with scp too? I could not realize it either with scp (1.2.27 of ssh.com) or scp from openssh. Do you have any ideas?
>
> Thanks
> Stephan

From dabe_spam at excite.com Fri Jul 21 07:16:28 2000
From: dabe_spam at excite.com (dabe_spam at excite.com)
Date: Thu, 20 Jul 2000 14:16:28 -0700 (PDT)
Subject: fatal: Not enough entropy in RNG
Message-ID: <1439113.964127788712.JavaMail.imail@neon.excite.com>

>On Thu, Jul 20, 2000 at 10:12:39AM -0700, dabe_spam at excite.com wrote:
>> Hi,
>> I'm running openssh 2.1.1p4 on Solaris 7 (sparc). Occasionally, when I
>> boot up the server, the startup script I wrote to start sshd fails to start
>> sshd with the following error:
>> fatal: Not enough entropy in RNG
>>
>> What am I doing wrong??
>> Is there anything I can do to prevent this from happening?
>> Is just restarting sshd a valid thing to do??

>What kind of entropy source did you select? EGD or the integrated
>entropy collector? (If you did not select one, the integrated
>collector
>should be configured)

I did not specifically select an entropy source, so it sounds like I got the integrated one.

>EGD can be drained and then an upstarting sshd can fail. I have
>written
>my own prngd to come around this problem (early alpha stage :-) on
>HP-UX.
>The integrated entropy collector should better not fail...

Well, it looks like I'm just lucky today. Since it looks like the integrated entropy collector has failed, what are my options? I don't know much about openssh and openssl, but it looks like maybe I need to change the configuration in ssh_prng_cmds to give it more stuff to pull from. Do I have any other options to get the integrated entropy collector to work reliably??

>Best regards,
> Lutz
>--

Thanks,
David

From bfriday at LaSierra.edu Fri Jul 21 07:31:01 2000
From: bfriday at LaSierra.edu (Brian Friday)
Date: Thu, 20 Jul 2000 14:31:01 -0700 (PDT)
Subject: SUNWski
In-Reply-To: <20000720205304.5560DB47B@fleck.princetonecom.com>
Message-ID:

On Thu, 20 Jul 2000, Chip Christian wrote:

> Make sure you have SUNWlmsx installed. That's the only undocumented
> dependency I found.
>

Well I've got 3 systems running openssh and 2 of those 3 are running SUNWski successfully. Here is the breakdown:

Sol 2.6 System: Has SUNWski but not SUNWlmsx

Sol 7 System: Has SUNWski and SUNWlmsx (64-bit kernel) but when /etc/rc2.d/S50cryptorand starts it exits with the error message in our log files:
cryptorand: kvm_open: Bad file number

Sol 8 System: Has SUNWski and SUNWlmsx (32-bit kernel) no problems at all with this system.

Sincerely,

Brian Friday
Systems Administrator
La Sierra University
(909) 785-2554 x2

From Higdon.David at cnf.com Fri Jul 21 07:31:36 2000
From: Higdon.David at cnf.com (Higdon, David M - CNF)
Date: Thu, 20 Jul 2000 14:31:36 -0700
Subject: SUNWski
Message-ID: <7B73D5F649D0D311B1E30008C7A4D92A020D8E3C@cnfqs029.cnf.com>

Still no luck. I verified that I have the SUNWski pkg installed too.

David

-----Original Message-----
From: Brian Friday [mailto:bfriday at LaSierra.edu]
Sent: Thursday, July 20, 2000 2:03 PM
To: Higdon, David M - CNF
Cc: 'openssh-unix-dev at mindrot.org'
Subject: RE: SUNWski

On Thu, 20 Jul 2000, Higdon, David M - CNF wrote:

> Did the /dev/random file start growing immediately or
> did it take a while?

Hmm... Well it wasn't something I looked at right away but I gave it about 2-5 minutes after first starting the SUNWski package up and everything worked fine. Although I waited this long because of earlier experiences with EGD.

Sincerely,

Brian Friday
Systems Administrator
La Sierra University
(909) 785-2554 x2

From bfriday at LaSierra.edu Fri Jul 21 07:36:57 2000
From: bfriday at LaSierra.edu (Brian Friday)
Date: Thu, 20 Jul 2000 14:36:57 -0700 (PDT)
Subject: SUNWski
In-Reply-To: <7B73D5F649D0D311B1E30008C7A4D92A020D8E3C@cnfqs029.cnf.com>
Message-ID:

I've got the following packages installed

application SUNWski    SKI 1.0 Software (User Package)
application SUNWskimu  SKI 1.0 Software (User Manual Page Package)

Chip mentioned this is an undocumented dependency but this should be installed with your regular operating system (Sol 7 or 8) as it is just workshop libraries not the actual workshop.

system      SUNWlmsx   Sun WorkShop Bundled 64-bit shared libm

Sincerely,

Brian Friday
Systems Administrator
La Sierra University
(909) 785-2554 x2

From jweaver at aens.net Fri Jul 21 07:38:42 2000
From: jweaver at aens.net (jweaver at aens.net)
Date: Thu, 20 Jul 2000 21:38:42 +0000 (GMT)
Subject: SUNWski
In-Reply-To: <7B73D5F649D0D311B1E30008C7A4D92A020D8E39@cnfqs029.cnf.com>
Message-ID:

I am running 2.8 on an Ultra 10 in 64bit mode. I have both SUNWski and SUNWlmsx. It works.

-- 
john weaver -- jweaver at aens.net | Systems Administrator

From Higdon.David at cnf.com Fri Jul 21 07:43:30 2000
From: Higdon.David at cnf.com (Higdon, David M - CNF)
Date: Thu, 20 Jul 2000 14:43:30 -0700
Subject: SUNWski
Message-ID: <7B73D5F649D0D311B1E30008C7A4D92A020D8E3D@cnfqs029.cnf.com>

What happens when you run snoop on the system that you ssh from? Can you see your input in clear text? Because I can!

David

-----Original Message-----
From: Brian Friday [mailto:bfriday at LaSierra.edu]
Sent: Thursday, July 20, 2000 2:37 PM
To: Higdon, David M - CNF
Cc: 'openssh-unix-dev at mindrot.org'
Subject: RE: SUNWski

I've got the following packages installed

application SUNWski    SKI 1.0 Software (User Package)
application SUNWskimu  SKI 1.0 Software (User Manual Page Package)

Chip mentioned this is an undocumented dependency but this should be installed with your regular operating system (Sol 7 or 8) as it is just workshop libraries not the actual workshop.

system      SUNWlmsx   Sun WorkShop Bundled 64-bit shared libm

Sincerely,

Brian Friday
Systems Administrator
La Sierra University
(909) 785-2554 x2

From gem at rellim.com Fri Jul 21 09:14:31 2000
From: gem at rellim.com (Gary E. Miller)
Date: Thu, 20 Jul 2000 16:14:31 -0700 (PDT)
Subject: sftp
In-Reply-To:
Message-ID:

Yo Pekka!

On Thu, 20 Jul 2000, Pekka Savola wrote:

> On Thu, 20 Jul 2000, Gary E. Miller wrote:
> > Just do what I do. Use the spiffy graphical FTP of your choice
> > on your NT box. Then just config your ssh connection to tunnel
> > your plain old FTP protocol to the remote host.
> >
> > Voila! And fully standards compliant.
>
> Yes. This is very usually done. However, there are some difficulties.
>
> - data channels cannot be encrypted.

True. I am far more worried about my password than the data but this is a problem for many. This could (should) be fixed in SSH.

> - you have to have a working shell account as well as ftp account (I think
> with sftp it could be restricted)

Well, it is not called the "Secure Shell" protocol for nothing. Not sure why you need an "ftp account". You do not mean an anonymous ftp account do you? And ftpd need only accept connections from localhost.

> - When you want to transfer files, you have to use SSH first. This seems
> like an unnecessary procedure for newbie'ish people.

That is what scripts are for. :-) True, it should be easier.

IMHO, the world does not need yet another file transfer protocol. We should fix OpenSSH to work with the file transfer protocol we have to fix the rough spots. UNIX works because it does not keep reinventing the wheel but instead building on prior work.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
	gem at rellim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676

From djm at mindrot.org Fri Jul 21 09:54:15 2000
From: djm at mindrot.org (Damien Miller)
Date: Fri, 21 Jul 2000 09:54:15 +1000 (EST)
Subject: openssh-2.1.1p4 (fwd)
Message-ID:

Can any HP/UX users comment?

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

---------- Forwarded message ----------
Date: Thu, 20 Jul 2000 09:16:23 +0200
From: SOETE Joël
To: "'openssh at openssh.com'"
Subject: openssh-2.1.1p4

Hi all,

I successfully compiled (gcc 2.95.1) on HPUX (11.00 & 10.20) and installed and configured both openssh client and a server (with openssl-0.9.5a).
A slogin session works fine (with and without ssl authentication).

But a scp causes a problem: as server side scp receive well EOF against background slogin session (launch normally by client scp itself) loop (end only with a kill).

I do not have opportunity to test on another OS, so I do not know if it is an error in my configuration and no more where to look for.
Any idea?

Joel

From djm at mindrot.org Fri Jul 21 09:55:27 2000
From: djm at mindrot.org (Damien Miller)
Date: Fri, 21 Jul 2000 09:55:27 +1000 (EST)
Subject: WITH_IRIX_AUDIT causes error (fwd)
Message-ID:

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

---------- Forwarded message ----------
Date: Thu, 20 Jul 2000 15:46:23 -0500
From: Brian Hanna
To: openssh at openssh.com
Subject: WITH_IRIX_AUDIT causes error

Hi,

I compiled and was able to run sshd. I started ssh as root and was able to get to my local host. I dropped down to a regular user and tried ssh again. I got the error

error setting satid

and no connection. I read a bit in the archives and found the patch that Mark Stone posted regarding WITH_IRIX_*. The patch referred to uidswap.c and permanently_set_uid(). I found his patch was already in the version I compiled. I could see that if WITH_IRIX_AUDIT was not defined, the satsetid() call would not be made, and the error could be avoided. I looked for satsetid on my system and didn't find it. I am on Irix 6.4. I commented out the #define in config.h and was able to compile and run ssh as a normal user.

/* Define if you want IRIX audit trails */
/* problems for us */
/* #define WITH_IRIX_AUDIT 1 */

Questions:
1) Is it still secure? (I'm guessing yes.)
2) What should I install so that setsatid() is on my system?
3) Is there a better way for the configure to work, so as not to force this on?

Hope this is helpful.

Brian

Brian Hanna
Unix System Admin
bdhanna at cmrr.umn.edu

From racsho at cpdc.canon.co.jp Fri Jul 21 11:35:26 2000
From: racsho at cpdc.canon.co.jp (NISHIJIMA Takanori)
Date: Fri, 21 Jul 2000 10:35:26 +0900
Subject: SUNWski
In-Reply-To: Your message of "Thu, 20 Jul 2000 13:42:03 MST." <7B73D5F649D0D311B1E30008C7A4D92A020D8E39@cnfqs029.cnf.com>
Message-ID: <200007210135.e6L1ZQq26655@venezia.pure.cpdc.canon.co.jp>

Hi,

On Thu, 20 Jul 2000 13:42:03 -0700, about the topic "SUNWski", "Higdon, David M - CNF" wrote:

> Has anyone had success with getting /dev/random to work
> after installing SUNWski? After I install the pkg and start /etc/
> init.d/cryptorand, the /dev/random file remains 0 bytes.

How did you check the /dev/random size? /usr/ucb/ls always says the /dev/random size is zero...

-- 
NISHIJIMA, Takanori / Canon Inc., Office Imaging Products Development Center 3

From mstone at cs.loyola.edu Fri Jul 21 12:06:18 2000
From: mstone at cs.loyola.edu (Michael Stone)
Date: Thu, 20 Jul 2000 22:06:18 -0400
Subject: WITH_IRIX_AUDIT causes error (fwd)
In-Reply-To: ; from Damien Miller on Fri, Jul 21, 2000 at 09:55:27AM +1000
References:
Message-ID: <20000720220618.T13699@justice.loyola.edu>

On Fri, Jul 21, 2000 at 09:55:27AM +1000, Damien Miller wrote:
> I compiled and was able to run sshd. I started ssh as root and was able
> to get to my local host. I dropped down to a regular user and tried
> ssh again. I got the error
>
> error setting satid

Hmm. There should be more. (The relevant code in the patch was "error setting satid: %.100s", strerror(errno). There should be a colon and hopefully some more info.)

> I could see that if WITH_IRIX_AUDIT was not defined, the satsetid() call would not
> be made, and the error could be avoided. I looked for satsetid on my system
> and didn't find it. I am on Irix 6.4.

What is the output of the following (from the command line):

chkconfig | grep audit
sysconf | egrep AUDIT\|SAT

> 1) Is it still secure? (I'm guessing yes.)

Yes. The satid is only used for audit trails. (If you're using them, you would know. They're really big :)

> 2) What should I install so that setsatid() is on my system?

For IRIX 6.4 it may be part of trusted IRIX. In IRIX 6.5 it's eoe.sw.audit

> 3) Is there a better way for the configure to work, so as not to force this on?

Well, I've got a theory. The line that says

if (sysconf(_SC_AUDIT)) {

was based on the "here's how to make sure it works on all systems" instructions. Serves me right to trust a manual. IRIX 6.4 probably doesn't define _SC_AUDIT, and sysconf is returning -1 on error. Change the above line to

if (sysconf(_SC_AUDIT) == 1) {

I'm interested in the sysconf output above because the flag we're looking for might have had a different name in IRIX 6.4, which would make the check something like

if (sysconf(_SC_AUDIT) == 1 || sysconf(_SC_SAT) == 1) {

-- 
Mike Stone

From stevesk at sweden.hp.com Fri Jul 21 15:45:44 2000
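The pitfall Mike describes above (sysconf() returning -1 on an unknown option, which a bare `if (sysconf(...))` treats as true) is easy to reproduce without IRIX. The following is an added example, not code from this thread or from OpenSSH: `audit_state_naive()` mirrors the original truthiness test, `audit_state_strict()` mirrors the proposed `== 1` check, and `probe_invalid_sysconf_name()` feeds a deliberately invalid option name to the real sysconf() to show what the -1 path looks like. The names and the `audit_state` enum are invented for this example; `_SC_AUDIT` itself is an IRIX name and is not referenced.

```c
/* Added example: classifying a sysconf()-style result safely.
 * sysconf() returns -1 both for "option not supported" and for an
 * error (errno set, typically EINVAL for an unknown name). Because -1
 * is non-zero, "if (sysconf(X))" reads an unsupported option as ON.
 * Helper names below are hypothetical, written for this example. */
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

enum audit_state { AUDIT_OFF = 0, AUDIT_ON = 1, AUDIT_UNKNOWN = 2 };

/* The original test, "if (sysconf(_SC_AUDIT))": any non-zero value,
 * including the -1 error return, is taken to mean "audit enabled". */
enum audit_state audit_state_naive(long rc)
{
    return rc ? AUDIT_ON : AUDIT_OFF;
}

/* The proposed fix, "== 1": only an explicit 1 means enabled, 0 means
 * disabled, and anything else (the -1 error return) is reported as
 * unknown so the caller can skip the platform-specific call rather
 * than fail on it. The saved errno says whether the option name was
 * simply not recognised (EINVAL). */
enum audit_state audit_state_strict(long rc, int saved_errno)
{
    if (rc == 1)
        return AUDIT_ON;
    if (rc == 0)
        return AUDIT_OFF;
    if (saved_errno == EINVAL)
        return AUDIT_UNKNOWN;   /* option name unknown on this system */
    return AUDIT_UNKNOWN;       /* other error: still not "enabled" */
}

/* Query the real sysconf() with an option name that no system defines
 * (-1), clearing errno first so the -1 return can be interpreted. */
enum audit_state probe_invalid_sysconf_name(void)
{
    long rc;
    errno = 0;
    rc = sysconf(-1);
    return audit_state_strict(rc, errno);
}

int main(void)
{
    /* Simulated -1 return, as IRIX 6.4 would give for _SC_AUDIT. */
    printf("naive(-1)  = %d (wrongly treated as ON)\n", audit_state_naive(-1));
    printf("strict(-1) = %d (UNKNOWN)\n", audit_state_strict(-1, EINVAL));
    printf("live probe = %d\n", probe_invalid_sysconf_name());
    return 0;
}
```

The defensive rule generalises beyond IRIX: any configure-time or run-time feature probe whose API uses -1 for "unsupported" must compare against the documented success value, never rely on truthiness.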
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Fri, 21 Jul 2000 07:45:44 +0200 (METDST)
Subject: openssh-2.1.1p4 (fwd)
In-Reply-To:
Message-ID:

This seems to be the "scp not shutting down" problem. ssh isn't looping on the client scp side, it's blocked in select(). See the trace and gdb output I posted in the other thread.

Kevin

On Fri, 21 Jul 2000, Damien Miller wrote:
> Can any HP/UX users comment?
> ---------- Forwarded message ----------
> Date: Thu, 20 Jul 2000 09:16:23 +0200
> From: SOETE Joël
> To: "'openssh at openssh.com'"
> Subject: openssh-2.1.1p4
>
> Hi all,
>
> I successfully compiled (gcc 2.95.1) on HPUX (11.00 & 10.20) and installed
> and configured both openssh client and a server (with openssl-0.9.5a).
> A slogin session works fine (with and without ssl authentication).
>
> But a scp causes a problem: while the server side scp receives EOF fine, the
> background slogin session (launched normally by the client scp itself) loops (ends
> only with a kill).
>
> I do not have the opportunity to test on another OS, so I do not know if it is
> an error in my configuration, nor where to look.
> Any idea?
>
> Joel

From pekkas at netcore.fi Fri Jul 21 16:39:02 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Fri, 21 Jul 2000 09:39:02 +0300 (EEST)
Subject: sftp
In-Reply-To:
Message-ID:

On Thu, 20 Jul 2000, Gary E. Miller wrote:
> > - data channels cannot be encrypted.
> True. I am far more worried about my password than the data but
> this is a problem for many. This could (should) be fixed in SSH.

The most important thing, yes. Well, ftp is one of those "What the hell were they thinking.. oh it was 30 years ago" protocols; encrypting these channels would require dynamic allocation of SSH forwardings, or a very special FTP client which would let you specify the port you want to use for FTP data. Can't be done, really. That's what 'scp' and VPNs are for though.

> > - you have to have a working shell account as well as ftp account (I think
> > with sftp it could be restricted)
> Well, it is not called the "Secure Shell" protocol for nothing.
> Not sure why you need an "ftp account". You do not mean an anonymous
> ftp account do you? And ftpd need only accept connections from
> localhost.

No. I mean the case when people can only use FTP (personal, chrooted "guest" accounts), but they don't have shell access. Obviously, then ssh cannot be used, because those people don't have access to an SSH endpoint. A lot of ISPs, usually, do that. Giving out only FTP and not shell is so much more secure.. people can't poke around the system. I'm not sure if you'd be able to "restrict" users to specific subsystems using ssh, but that should be a goal there.

> IMHO, the world does not need yet another file transfer protocol.

I kinda agree..

> We should fix OpenSSH to work with the file transfer protocol we have
> to fix the rough spots. UNIX works because it does not keep reinventing
> the wheel but instead building on prior work.

.. but when it's widely accepted that ftp isn't designed very well (damn data channel!), this would have to be done anyway. I think the main reason people are using SSH Inc.'s (etc.) ssh2 is the easy, secure file transfers (from Windows; from Unix it isn't an issue).

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi    not those you stumble over and fall"

From Lutz.Jaenicke at aet.TU-Cottbus.DE Fri Jul 21 17:25:49 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Fri, 21 Jul 2000 09:25:49 +0200
Subject: fatal: Not enough entropy in RNG
In-Reply-To: <1439113.964127788712.JavaMail.imail@neon.excite.com>; from dabe_spam@excite.com on Thu, Jul 20, 2000 at 02:16:28PM -0700
References: <1439113.964127788712.JavaMail.imail@neon.excite.com>
Message-ID: <20000721092549.A3737@serv01.aet.tu-cottbus.de>

On Thu, Jul 20, 2000 at 02:16:28PM -0700, dabe_spam at excite.com wrote:
> >What kind of entropy source did you select? EGD or the integrated
> >entropy collector? (If you did not select one, the integrated collector
> >should be configured)
>
> I did not specifically select an entropy source, so it sounds like I got the
> integrated one.
>
> >EGD can be drained and then an upstarting sshd can fail. I have written
> >my own prngd to come around this problem (early alpha stage :-) on HP-UX.
> >The integrated entropy collector should better not fail...
>
> Well, it looks like I'm just lucky today. Since it looks like the
> integrated entropy collector has failed, what are my options?

That's one of those things that are hard to say from remote. I have not seen problems with the internal collector (even though I do use a different scheme as I wrote).

> I don't know much about openssh and openssl, but it looks like maybe I need
> to change the configuration in ssh_prng_cmds to give it more stuff to pull
> from.

Yes, that is one option. Actually openssh does not need too much entropy to start up (openssl requires 16 bytes), so if you take care of the weight factor you could easily "trick" openssh to account some input as 16 bytes. Something like "cat /etc/entropy.data", with entropy_data you have obtained from a high quality entropy source like EGD on a busy host. Use it as the first command in ssh_prng_cmds :-) OpenSSH will then add additional entropy while running. And don't forget to add new entropy to this file regularly!

One hint: it seems that the ssh_prng_cmds file is not updated automatically when performing a "make install", so maybe you have an old one without many entropy sources?

> Do I have any other options to get the integrated entropy collector to work
> reliably??

Use EGD. Have it start very early in the sequence, so that it has time to collect entropy. Don't use it to seed other daemons, so that it is not drained. (The latest portable release does not complain if the re-seed during runtime is not successful, once it has been seeded at startup.)

Good luck,
Lutz

-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From Lutz.Jaenicke at aet.TU-Cottbus.DE Fri Jul 21 20:40:36 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Fri, 21 Jul 2000 12:40:36 +0200
Subject: scp not shutting down in 2.1.1p4
In-Reply-To: <200007201513.RAA21708@b0fh.sweden.hp.com>; from stevesk@sweden.hp.com on Thu, Jul 20, 2000 at 05:19:02PM +0200
References: <200007201316.PAA00465@b0fh.sweden.hp.com> <200007201513.RAA21708@b0fh.sweden.hp.com>
Message-ID: <20000721124035.A5239@serv01.aet.tu-cottbus.de>

On Thu, Jul 20, 2000 at 05:19:02PM +0200, Kevin Steves wrote:
> Here are some trace (tusc) and stacks traces from HP-UX 11.0.
...
> stack trace of server blocked sshd:
..
> #1 0xc01f8fa8 in select () from /usr/lib/libc.2
> #2 0x1b90c in wait_until_can_do_something (readset=0x7bff0ea8, writeset=0x7bff0fa8,
>     max_time_milliseconds=0) at serverloop.c:232
...
> stack trace "hung" scp process:
...
> #0 0xc01ed230 in _read_sys () from /usr/lib/libc.2
> #1 0xc01f85e4 in read () from /usr/lib/libc.2
...

Ok, I have by now "finally" analyzed the problem. The protocol seems to be as follows:

* Once the scp is done, the calling scp will close its output channel causing an EOF condition in the sshd. The sshd will then close its channel to the scp process (hanging in the read scp.c:702). The scp recognizes the close, kindly exits and the sshd will finish.

* On HP-UX 10.20 (seems also to affect HP-UX 11, don't know about other platforms), the shutdown() in serverloop.c:320 does not yield the necessary effect, the scp-child does not see the EOF. I have now recompiled with USE_PIPES (see includes.h) and the full close() of the fdin descriptor yields the desired effect.

Best regards,
Lutz

-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From Lutz.Jaenicke at aet.TU-Cottbus.DE Sat Jul 22 00:58:10 2000
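Lutz's diagnosis above hinges on two different ways a parent can signal end-of-input to a child: `shutdown(fd, SHUT_WR)` on a socketpair (what serverloop.c does by default) versus a full `close()` of the write end of a pipe (the USE_PIPES build). The following is an added example, not code from this thread or from OpenSSH: it forks a child that reads until EOF, delivers the EOF each way, and reports whether the child actually saw it (with a 2-second timeout standing in for the hang). `child_sees_eof()` and the two `eof_via_*` functions are helpers written for this example.

```c
/* Added example: does the child see EOF after shutdown(SHUT_WR) on a
 * socketpair, and after close() on a pipe? Helper names are hypothetical. */
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/wait.h>

/* Fork a child that reads child_fd until EOF. Returns 1 if the child saw
 * read() == 0, 0 if it was still blocked after 2 seconds (the reported
 * hang), -1 on a setup error. use_shutdown selects how EOF is signalled. */
static int child_sees_eof(int child_fd, int parent_fd, int use_shutdown)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char buf[64];
        fd_set rs;
        struct timeval tv = { 2, 0 };      /* give up after 2 seconds */
        close(parent_fd);
        for (;;) {
            FD_ZERO(&rs);
            FD_SET(child_fd, &rs);
            if (select(child_fd + 1, &rs, NULL, NULL, &tv) <= 0)
                _exit(2);                  /* timeout: EOF never arrived */
            ssize_t n = read(child_fd, buf, sizeof buf);
            if (n == 0)
                _exit(0);                  /* EOF delivered */
            if (n < 0)
                _exit(3);
        }
    }
    close(child_fd);
    /* Send the payload, then signal "no more input" one of two ways. */
    if (write(parent_fd, "data\n", 5) != 5)
        return -1;
    if (use_shutdown)
        shutdown(parent_fd, SHUT_WR);      /* fd stays open for reading */
    else
        close(parent_fd);                  /* full close, as with USE_PIPES */
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (use_shutdown)
        close(parent_fd);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

/* socketpair + shutdown(SHUT_WR): the default serverloop.c path. */
int eof_via_socketpair_shutdown(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    return child_sees_eof(sv[0], sv[1], 1);
}

/* pipe + close(): the USE_PIPES path that fixed HP-UX. */
int eof_via_pipe_close(void)
{
    int pfd[2];
    if (pipe(pfd) < 0)
        return -1;
    return child_sees_eof(pfd[0], pfd[1], 0);
}

int main(void)
{
    printf("socketpair + shutdown(SHUT_WR): child saw EOF = %d\n",
           eof_via_socketpair_shutdown());
    printf("pipe + close():                 child saw EOF = %d\n",
           eof_via_pipe_close());
    return 0;
}
```

On Linux and the BSDs both calls return 1; a platform with the HP-UX behaviour described above would return 0 for the socketpair case, which is exactly the condition the USE_PIPES build avoids. Keeping the read side of a bidirectional socket open while half-closing the write side is what makes the socketpair variant attractive, but it is only safe where shutdown() reliably propagates EOF.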
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Fri, 21 Jul 2000 16:58:10 +0200
Subject: Minor "make install" problem with 2.1.1p4
Message-ID: <20000721165810.A16338@serv01.aet.tu-cottbus.de>

Hi!

I am currently switching from ssh-1.2.27 to OpenSSH for production use, so some more things pop up :-)

In Makefile.in:127-131 the executables are installed without "-m 755", so that they may be unusable when installed after a umask 077 make :-(

Best regards,
Lutz

-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From charvel at link.pl Sat Jul 22 06:49:52 2000
From: charvel at link.pl (Piotr Majka)
Date: Fri, 21 Jul 2000 22:49:52 +0200 (CEST)
Subject: OpenSsh 2.1.1p4 - OPIE patch
Message-ID:

Welcome :)

This patch is a ported version of the opie patch to the 1.2pre release, which was never released. Why? I don't know. Ask Damien. ;)

-- 
Piotr "Charvel" Majka | PGP & GPG Public Key: finger charvel at link.pl | Uin: 20873695
GCM d- s-:- a- C++ UL++++ P+ L+++ E--- W+ N+++ !o !K w--- !O M V- PS+ PE !Y PGP+ t--- !5 X R tv- b !DI D+ G++ e h r y++**

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-2.1.1p4-opie.patch.bz2
Type: application/x-bzip2
Size: 4889 bytes
Desc: 
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000721/659cacfb/attachment.bin

From djm at mindrot.org Sat Jul 22 10:26:59 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 22 Jul 2000 10:26:59 +1000 (EST)
Subject: fatal: Not enough entropy in RNG
In-Reply-To: <20000721092549.A3737@serv01.aet.tu-cottbus.de>
Message-ID:

On Fri, 21 Jul 2000, Lutz Jaenicke wrote:
> One hint: it seems that the ssh_prng_cmds file is not updated
> automatically when performing a "make install", so maybe you have an
> old one without much entropy sources?

This reminds me: If people can submit commands for your favourite platform to be included in ssh_prng_commands, it would be much appreciated.

--d

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From jeremy at xxedgexx.com Sat Jul 22 12:31:20 2000
From: jeremy at xxedgexx.com (Jeremy Hansen)
Date: Fri, 21 Jul 2000 22:31:20 -0400 (EDT)
Subject: weird openssh port forward
In-Reply-To:
Message-ID:

So basically I was forwarding a remote port to my local machine. I was scping over the tunnel when it stalled and my connection was just locked. So I reinitiated the connection from the remote machine and it dropped me because it said the remote port was in use, but my scp picked up again and continued. Is this right? If the connection dropped, it seems that it shouldn't resume with the scp when no real connection was there.

-jeremy

-- 
http://www.xxedgexx.com | jeremy at xxedgexx.com
---------------------------------------------

From mouring at pconline.com Sat Jul 22 17:28:41 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Sat, 22 Jul 2000 02:28:41 -0500 (CDT)
Subject: sftp
In-Reply-To:
Message-ID:

On Thu, 20 Jul 2000, Gary E. Miller wrote:
[..]
> IMHO, the world does not need yet another file transfer protocol.
>
> We should fix OpenSSH to work with the file transfer protocol we have
> to fix the rough spots. UNIX works because it does not keep reinventing
> the wheel but instead building on prior work.
>

This may be a silly idea, but if we are looking to write an "Open Standard" replacement version of the commercial sftp, and we currently agree that doing ssh w/ standard ftp would be a pain in the arse, what would stop us from using passive ftp? It survives firewalls very well (in some cases it's all you can use). It does not spawn off a data channel. So everything would be encrypted. And to boot it's very well documented via current RFCs.

I don't foresee a sftp replacing anonymous FTP. So the concept of requiring accounts does not bother me. (In some respects if it would catch on it would simplify anonymous FTP by removing all the account options and it can focus solely on anonymous security.)

I just get a little concerned about bloating the OpenSSH binary. It would be nice if we could support a single file transfer protocol out of OpenSSH. Be it scp with some added features to get directory listings and persistent connections. Or sftp with a 'single file transfer' mode to emulate scp (like what the commercial ssh 2.x sounds like it does).

It would be nice to hear what is being proposed for the final draft of SSH 2.0 suite. So we know if they have attempted to address this issue.

Ben Lindstrom

From gert at greenie.muc.de Sat Jul 22 21:47:58 2000
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 22 Jul 2000 13:47:58 +0200
Subject: sftp
In-Reply-To: ; from Ben Lindstrom on Sat, Jul 22, 2000 at 02:28:41AM -0500
References:
Message-ID: <20000722134758.B19871@greenie.muc.de>

Hi,

On Sat, Jul 22, 2000 at 02:28:41AM -0500, Ben Lindstrom wrote:
> This may be a silly idea, but if we are looking to write an "Open
> Standard" replacement version of the commercial sftp, and we currently
> agree that doing ssh w/ standard ftp would be a pain in the arse. What
> would stop us from using passive ftp? It survives firewalls very well (in
> some cases it's all you can use). It does not spawn off a data channel.

It does. It's just the other way round (client->server, not server->client).

> So everything would be encrypted.

It won't.

gert

-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de

From markus.friedl at informatik.uni-erlangen.de Sat Jul 22 19:25:39 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sat, 22 Jul 2000 11:25:39 +0200
Subject: sftp
In-Reply-To: ; from gem@rellim.com on Thu, Jul 20, 2000 at 04:14:31PM -0700
References:
Message-ID: <20000722112539.A9517@folly.informatik.uni-erlangen.de>

On Thu, Jul 20, 2000 at 04:14:31PM -0700, Gary E. Miller wrote:
> We should fix OpenSSH to work with the file transfer protocol we have
> to fix the rough spots. UNIX works because it does not keep reinventing
> the wheel but instead building on prior work.

SecureFX does tunneling of standard FTP over SSH2 using portforwarding (both data+passwd is tunneled) and works fine with OpenSSH, so why should OpenSSH be fixed?

From phil-openssh-unix-dev at ipal.net Sun Jul 23 16:53:06 2000
From: phil-openssh-unix-dev at ipal.net (Phil Howard)
Date: Sun, 23 Jul 2000 01:53:06 -0500 (CDT)
Subject: close then select of stderr fd in client (openssh)
Message-ID: <20000723065306.18145.qmail@ipal.net>

Under certain circumstances (repeatable with a workaround) the client in openssh-2.1.1p3 and p4 closes file descriptors and then calls select() with the stderr one in the write fd_set. The circumstances which cause this appear to be that the closing of stdin/stdout/stderr occurs before the last of the stderr data is written to stderr. This occurs when a tty is not allocated, but the error occurs on the client side. So apparently it is perhaps the timing or order of data coming from the server that triggers this.

This occurs on platforms Solaris 7, Slackware 7.0, Slackware 3.4, and Redhat 6.0 with all of them being used as either client or server in various combinations. In all cases protocol version 2 is configured.

Here is a simple example with Slackware 7.0 as client and server:

phil at procyon:/home/phil 1311> ssh izar 'ls this_file_does_not_exist'
ls: select: Bad file descriptor
phil at procyon:/home/phil 1312> ssh izar 'ls this_file_does_not_exist;sleep 1'
ls: this_file_does_not_exist: No such file or directory
phil at procyon:/home/phil 1313>

Another example with Solaris 7 client and Redhat 6.0 server:

phil at sirius:/home/phil 57> ssh mira 'ls this_file_does_not_exist'
ls: select: Bad file number
phil at sirius:/home/phil 58> ssh mira 'ls this_file_does_not_exist;sleep 1'
ls: this_file_does_not_exist: No such file or directory
phil at sirius:/home/phil 59>

The problem also occurs when client and server are the same machine, so physical network timings aren't expected to be the trigger:

phil at procyon:/home/phil 1315> ssh procyon 'ls this_file_does_not_exist'
ls: select: Bad file descriptor
phil at procyon:/home/phil 1316>

I did strace of ssh -v and discovered the following syscall events:

close(6) = 0
select(7, [3], [3 6], NULL, NULL) = -1 EBADF (Bad file descriptor)

occurred in the failing case. Notice the 6 in the write fd_set (3rd arg). The successful case (using the 1 second sleep) looked like:

close(6) = 0
select(7, [3], [3], NULL, NULL) = 1 (out [3])

So regardless of any failings that may exist on the server side, the client is clearly doing the wrong thing at times with respect to the building of the write fd_set for select(). I'm too unfamiliar with the organization of the code (it's jumping around to too many different functions for me to keep track of in clientloop.c) to really figure out exactly why this is happening. I can just see that it is definitely happening.

At first I thought the bug was on the server side, so I was doing strace of sshd -d to see what was happening. There definitely is a difference in the sequence of events in the server side for the failing and successful cases. This may be triggering the problem on the client side, or just be the result of it; I don't know.

Here's documentation I have captured: The "failure" and "success" names are the failure and success cases. The "combine" is the failure and success cases interleaved with the difference set aside as its own block of lines.

Server straces of sshd -d:
http://phil.ipal.org/openssh/ssh-strace-servers-combine.txt
http://phil.ipal.org/openssh/ssh-strace-servers-failure.txt
http://phil.ipal.org/openssh/ssh-strace-servers-success.txt

Client straces of ssh -v:
http://phil.ipal.org/openssh/ssh-strace-clients-combine.txt
http://phil.ipal.org/openssh/ssh-strace-clients-failure.txt
http://phil.ipal.org/openssh/ssh-strace-clients-success.txt

In the combine files, the indicator "S-" is on each line from the success case, and "-F" is on each line from the failure case. The blocks of differences are set apart with a row of 77 equal signs. The interesting parts are near the bottom of each file, but the whole thing is included to make sure all relevant information is there.

I hope someone who understands the organization of the client code can figure out the cause. Since I'm in the USA I can't contribute back a patch even if I do find it.

Again, this is all protocol version 2 as I have both clients and servers configured to do version 2 only and all keys are DSA. If you are having trouble reproducing it, it does not always occur. Give it several tries. Another factor that may be involved is that I have no passphrase for the key (but I don't really expect this to be relevant).

-- 
| Phil Howard - KA9WGN | My current websites: linuxhomepage.com, ham.org
| phil (at) ipal.net   +----------------------------------------------------
| Dallas - Texas - USA | phil-evaluates-email-ads-750-dollars-each at ipal.net

From markus.friedl at informatik.uni-erlangen.de Mon Jul 24 00:18:45 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 23 Jul 2000 16:18:45 +0200
Subject: sftp
In-Reply-To: ; from mouring@pconline.com on Sat, Jul 22, 2000 at 02:28:41AM -0500
References:
Message-ID: <20000723161845.E28980@folly.informatik.uni-erlangen.de>

On Sat, Jul 22, 2000 at 02:28:41AM -0500, Ben Lindstrom wrote:
> It would be nice to hear what is being proposed for the final draft of
> SSH 2.0 suite. So we know if they have attempted to address this issue.

nothing. right now you can use the Subsystem option in sshd_config and make openssh's sshd accept SFTP connections. just specify the path to the commercial sftp-server binary.

From markus.friedl at informatik.uni-erlangen.de Mon Jul 24 00:07:07 2000
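Phil's strace above shows the failure mode exactly: `close(6)` followed by `select(7, [3], [3 6], ...)` returning EBADF. One stale descriptor in an fd_set fails the whole select() call, so the client's main loop dies even though the other channels are fine. The following is an added example, not code from this thread or from OpenSSH's clientloop.c: `select_with_closed_fd()` reproduces the EBADF on a pipe, and `select_with_tracked_channels()` shows the usual fix, a channel table whose close routine clears the descriptor so the write-set builder can never re-add it. The `struct chan` type and all function names are written for this example.

```c
/* Added example: why a closed fd must never reach an fd_set, and the
 * bookkeeping that prevents it. Helper names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/select.h>
#include <sys/time.h>

struct chan {
    int fd;             /* -1 once closed */
    int open;           /* 1 while the descriptor is valid */
    const char *name;
};

/* Reproduce the bug: close a descriptor but leave its number in the
 * write set. Returns the errno select() failed with (EBADF expected),
 * or 0 if select() unexpectedly succeeded. */
int select_with_closed_fd(void)
{
    int p[2];
    fd_set ws;
    struct timeval tv = { 0, 0 };
    if (pipe(p) < 0)
        return -1;
    close(p[1]);                      /* descriptor 6 in Phil's trace... */
    FD_ZERO(&ws);
    FD_SET(p[1], &ws);                /* ...still placed in the write set */
    int rc = select(p[1] + 1, NULL, &ws, NULL, &tv);
    int err = (rc < 0) ? errno : 0;
    close(p[0]);
    return err;
}

/* Build the write set only from channels that are still open. Returns the
 * nfds argument for select() (0 when nothing is selectable). */
static int build_write_set(const struct chan *c, int n, fd_set *ws)
{
    int maxfd = -1;
    FD_ZERO(ws);
    for (int i = 0; i < n; i++) {
        if (!c[i].open || c[i].fd < 0)
            continue;                 /* closed channel: never added */
        FD_SET(c[i].fd, ws);
        if (c[i].fd > maxfd)
            maxfd = c[i].fd;
    }
    return maxfd + 1;
}

/* Close a channel and invalidate its descriptor in the same step, so the
 * number cannot be reused by accident or re-added to a set. */
static void chan_close(struct chan *c)
{
    if (c->open) {
        close(c->fd);
        c->open = 0;
        c->fd = -1;
    }
}

/* Fixed flow: the stderr channel is closed early, then select() is
 * built from the table. Returns the errno from select(), 0 on success. */
int select_with_tracked_channels(void)
{
    int a[2], b[2];
    if (pipe(a) < 0 || pipe(b) < 0)
        return -1;
    struct chan chans[2] = {
        { a[1], 1, "stdout" },
        { b[1], 1, "stderr" },
    };
    chan_close(&chans[1]);            /* stderr goes away before the loop */
    fd_set ws;
    struct timeval tv = { 0, 0 };
    int nfds = build_write_set(chans, 2, &ws);
    int rc = select(nfds, NULL, &ws, NULL, &tv);
    int err = (rc < 0) ? errno : 0;   /* 0: stdout pipe is writable */
    chan_close(&chans[0]);
    close(a[0]);
    close(b[0]);
    return err;
}

int main(void)
{
    printf("closed fd in write set -> errno %d (EBADF is %d)\n",
           select_with_closed_fd(), EBADF);
    printf("tracked channels        -> errno %d\n",
           select_with_tracked_channels());
    return 0;
}
```

The general rule is the one Phil's trace points at: whoever closes a descriptor must also remove it from every data structure that feeds select(), and setting the stored fd to -1 at close time is the cheapest way to make that invariant hold.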
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 23 Jul 2000 16:07:07 +0200
Subject: Incompatibility with free version
In-Reply-To: <20000720085229.A35399@hdroam.ssd.loral.com>; from hdiwan@ssd.loral.com on Thu, Jul 20, 2000 at 08:52:29AM -0700
References: <20000720085229.A35399@hdroam.ssd.loral.com>
Message-ID: <20000723160707.C28980@folly.informatik.uni-erlangen.de>

On Thu, Jul 20, 2000 at 08:52:29AM -0700, Hasan Diwan wrote:
> First off, I am not a subscriber, so please CC replies to my
> email address. The problem I am having -- I do not know who is to blame,
> but am just covering all angles. I run OpenSSH 2.1.1 on FreeBSD. When I
> try to connect to a server running ssh2d from ftp.ssh.com, it fails
> saying corrupted MAC on input. I am including a log of my connection
> below:

hm, you need to update your free openssh copy if you want to interop with the latest restricted version from ssh.com. alternatively you could disable hmac-sha1 in the restricted ssh config.

-markus

From markus.friedl at informatik.uni-erlangen.de Mon Jul 24 00:09:36 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 23 Jul 2000 16:09:36 +0200
Subject: SUNWski
In-Reply-To: <7B73D5F649D0D311B1E30008C7A4D92A020D8E3D@cnfqs029.cnf.com>; from Higdon.David@cnf.com on Thu, Jul 20, 2000 at 02:43:30PM -0700
References: <7B73D5F649D0D311B1E30008C7A4D92A020D8E3D@cnfqs029.cnf.com>
Message-ID: <20000723160936.D28980@folly.informatik.uni-erlangen.de>

On Thu, Jul 20, 2000 at 02:43:30PM -0700, Higdon, David M - CNF wrote:
> What happens when you run snoop on the system
> that you ssh from? Can you see your input in
> clear text? Because I can!

could you please show me? what versions of ssh are you using?

From markus.friedl at informatik.uni-erlangen.de Mon Jul 24 00:05:08 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 23 Jul 2000 16:05:08 +0200
Subject: First time install
In-Reply-To: <7B73D5F649D0D311B1E30008C7A4D92A020D8E38@cnfqs029.cnf.com>; from Higdon.David@cnf.com on Thu, Jul 20, 2000 at 08:30:13AM -0700
References: <7B73D5F649D0D311B1E30008C7A4D92A020D8E38@cnfqs029.cnf.com>
Message-ID: <20000723160508.B28980@folly.informatik.uni-erlangen.de>

On Thu, Jul 20, 2000 at 08:30:13AM -0700, Higdon, David M - CNF wrote:
> thanks for your response. My problem is that after I answer
> yes to continue I am able to snoop my passwd over the network.

are you sure you are using OpenSSH? can you please show us the output from 'snoop'?

-markus

From markus.friedl at informatik.uni-erlangen.de Mon Jul 24 00:00:21 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 23 Jul 2000 16:00:21 +0200
Subject: Why do I *still* need RSA?
In-Reply-To: <397555B1.20B389DC@serendipity.palo-alto.ca.us>; from robbie@serendipity.palo-alto.ca.us on Wed, Jul 19, 2000 at 12:16:01AM -0700
References: <397555B1.20B389DC@serendipity.palo-alto.ca.us>
Message-ID: <20000723160020.A28980@folly.informatik.uni-erlangen.de>

On Wed, Jul 19, 2000 at 12:16:01AM -0700, Robbie Stone wrote:
> When I attempt to build OpenSSH against an OpenSSL build without rc5,
> idea, or rsa it bombs since OpenSSL doesn't place the header files in
> the include dir. Now, that's fine and went away after I copied them to
> the appropriate location (hoping that it just *needed* the file, but
> that it didn't need any rc5, idea, or rsa functions exported by the
> OpenSSL libraries) but it looks like the RSA (aka, non SSH-2.0)
> functions are required to have a successful build of OpenSSH.

you still need RSA defines and stub-routines if you want to build OpenSSH w/o RSA. you can patch OpenSSL with a patch similar to the attached one. it replaces the RSA function calls with functions returning error codes. but it should be easy to add dummy functions and struct RSA defines to OpenSSH and exclude RSA from OpenSSL.

> The question now is how OpenBSD is making available a solely SSH 2.0
> client/server without RSA, IDEA or RC5. I noticed on the OpenBSD web
> site that it became RSA equipped upon the installation of the rsaref
> module, but how do I make a system like that under something that isn't
> OpenBSD?

openbsd ships an openssl libcrypto that includes dummy rsa functions returning errors if called.

-markus

-------------- next part --------------
diff -u --recursive /usr/src/lib/libssl/src/crypto/rsa/rsa_eay.c ./crypto/rsa/rsa_eay.c
--- /usr/src/lib/libssl/src/crypto/rsa/rsa_eay.c	Tue Apr 11 19:19:52 2000
+++ ./crypto/rsa/rsa_eay.c	Tue Apr 11 19:44:59 2000
@@ -1,13 +1,3 @@ - -/* This file has been explicitly broken by ryker for OpenBSD, July - * 1, 1998. In spite of the title, there is no implementation of the - * RSA algorithm left in this file. All these routines will return an - * error and fail when called. They exist as stubs and can be - * ressurected from the bit bucket by someone in the free world once - * the RSA algorithm is no longer subject to patent problems. Eric - * Young's original copyright is below. - */ - /* crypto/rsa/rsa_eay.c */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. 
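Review bot: the direction of this hunk is the reverse of what the covering message says the patch does. The `-` lines remove the OpenBSD header stating that the routines in this file are stubs which "will return an error and fail when called", and the following hunks add the full routine bodies back, so applying the patch as written turns a stubbed rsa_eay.c into a working RSA implementation, while the message says it "replaces the RSA function calls with functions returning error codes". Either swap the two paths in the `---`/`+++` header or tell readers to apply it with `patch -R`; as posted, someone following the message literally will patch the wrong way.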
@@ -184,13 +174,62 @@ unsigned char *buf=NULL; BN_CTX *ctx=NULL; - BN_init(&f); - BN_init(&ret); + BN_init(&f); + BN_init(&ret); - /* Body of this routine removed for OpenBSD - will return - * when the RSA patent expires - */ + if ((ctx=BN_CTX_new()) == NULL) goto err; + num=BN_num_bytes(rsa->n); + if ((buf=(unsigned char *)Malloc(num)) == NULL) + { + RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE); + goto err; + } + switch (padding) + { + case RSA_PKCS1_PADDING: + i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen); + break; + case RSA_NO_PADDING: + i=RSA_padding_add_none(buf,num,from,flen); + break; + case RSA_SSLV23_PADDING: + default: + RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); + goto err; + } + if (i <= 0) goto err; + + if (BN_bin2bn(buf,num,&f) == NULL) goto err; + + if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) + RSA_blinding_on(rsa,ctx); + if (rsa->flags & RSA_FLAG_BLINDING) + if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; + + if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || + ((rsa->p != NULL) && + (rsa->q != NULL) && + (rsa->dmp1 != NULL) && + (rsa->dmq1 != NULL) && + (rsa->iqmp != NULL)) ) + { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } + else + { + if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err; + } + + if (rsa->flags & RSA_FLAG_BLINDING) + if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; + + /* put in leading 0 bytes if the number is less than the + * length of the modulus */ + j=BN_num_bytes(&ret); + i=BN_bn2bin(&ret,&(to[num-j])); + for (k=0; k<(num-i); k++) + to[k]=0; + + r=num; err: if (ctx != NULL) BN_CTX_free(ctx); BN_clear_free(&ret); 
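Review bot: the return value of `RSA_blinding_on(rsa,ctx)` is ignored in the restored RSA_eay_private_encrypt body. If it fails (it allocates and needs random bytes), `rsa->blinding` stays NULL while RSA_FLAG_BLINDING is still set, so the very next statement, `if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;`, runs with a NULL blinding pointer. Suggest `if (!RSA_blinding_on(rsa,ctx)) goto err;` here (and in the private-decrypt hunk below, which has the same pattern). The trailing context stops after `BN_clear_free(&ret);`, so whether `buf`, which holds the padded plaintext, is zeroed and freed on the `err:` path cannot be checked from this hunk; worth confirming in the full file.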
@@ -212,12 +251,77 @@ unsigned char *buf=NULL; BN_CTX *ctx=NULL; - BN_init(&f); - BN_init(&ret); + BN_init(&f); + BN_init(&ret); + ctx=BN_CTX_new(); + if (ctx == NULL) goto err; + + num=BN_num_bytes(rsa->n); + + if ((buf=(unsigned char *)Malloc(num)) == NULL) + { + RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE); + goto err; + } + + /* This check was for equality but PGP does evil things + * and chops off the top '0' bytes */ + if (flen > num) + { + RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); + goto err; + } + + /* make data into a big number */ + if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err; + + if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) + RSA_blinding_on(rsa,ctx); + if (rsa->flags & RSA_FLAG_BLINDING) + if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; + + /* do the decrypt */ + if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || + ((rsa->p != NULL) && + (rsa->q != NULL) && + (rsa->dmp1 != NULL) && + (rsa->dmq1 != NULL) && + (rsa->iqmp != NULL)) ) + { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } + else + { + if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) + goto err; + } - /* Body of this routine removed for OpenBSD - will return - * when the RSA patent expires - */ + if (rsa->flags & RSA_FLAG_BLINDING) + if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; + + p=buf; + j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */ + + switch (padding) + { + case RSA_PKCS1_PADDING: + r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num); + break; +#ifndef NO_SHA + case RSA_PKCS1_OAEP_PADDING: + r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0); + break; +#endif + case RSA_SSLV23_PADDING: + r=RSA_padding_check_SSLv23(to,num,buf,j,num); + break; + case RSA_NO_PADDING: + r=RSA_padding_check_none(to,num,buf,j,num); + break; + default: + RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); + goto err; + } + if (r < 0) + 
RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED); err: if (ctx != NULL) BN_CTX_free(ctx); @@ -240,12 +344,56 @@ unsigned char *buf=NULL; BN_CTX *ctx=NULL; - BN_init(&f); - BN_init(&ret); + BN_init(&f); + BN_init(&ret); + ctx=BN_CTX_new(); + if (ctx == NULL) goto err; - /* Body of this routine removed for OpenBSD - will return - * when the RSA patent expires - */ + num=BN_num_bytes(rsa->n); + buf=(unsigned char *)Malloc(num); + if (buf == NULL) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE); + goto err; + } + + /* This check was for equality but PGP does evil things + * and chops off the top '0' bytes */ + if (flen > num) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); + goto err; + } + + if (BN_bin2bn(from,flen,&f) == NULL) goto err; + /* do the decrypt */ + if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) + { + if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL) + if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx)) + goto err; + } + + if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, + rsa->_method_mod_n)) goto err; + + p=buf; + i=BN_bn2bin(&ret,p); + + switch (padding) + { + case RSA_PKCS1_PADDING: + r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); + break; + case RSA_NO_PADDING: + r=RSA_padding_check_none(to,num,buf,i,num); + break; + default: + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); + goto err; + } + if (r < 0) + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED); err: if (ctx != NULL) BN_CTX_free(ctx); 
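Review bot: both decrypt hunks above (RSA_eay_private_decrypt at `@@ -212` and RSA_eay_public_decrypt at `@@ -240`) bound the ciphertext only by byte length, `if (flen > num)`, before converting it with BN_bin2bn. An input of exactly `num` bytes whose numeric value is >= `rsa->n` passes that check and is exponentiated anyway, so the functions accept and "decrypt" values that are not valid RSA ciphertexts. Add a `BN_ucmp(&f, rsa->n) >= 0` test right after each BN_bin2bn and fail with an RSAerr (reusing RSA_R_DATA_GREATER_THAN_MOD_LEN if this OpenSSL version has no dedicated code for it). Minor: the private variant casts `(int)flen` in its BN_bin2bn call and the public one passes `flen` bare; pick one form.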
@@ -263,15 +411,59 @@ { BIGNUM r1,m1; int ret=0; - BN_CTX *ctx = NULL; + BN_CTX *ctx; + if ((ctx=BN_CTX_new()) == NULL) goto err; BN_init(&m1); BN_init(&r1); - if ((ctx=BN_CTX_new()) == NULL) goto err; - /* Body of this routine removed for OpenBSD - will return - * when the RSA patent expires - */ + if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) + { + if (rsa->_method_mod_p == NULL) + { + if ((rsa->_method_mod_p=BN_MONT_CTX_new()) != NULL) + if (!BN_MONT_CTX_set(rsa->_method_mod_p,rsa->p, + ctx)) + goto err; + } + if (rsa->_method_mod_q == NULL) + { + if ((rsa->_method_mod_q=BN_MONT_CTX_new()) != NULL) + if (!BN_MONT_CTX_set(rsa->_method_mod_q,rsa->q, + ctx)) + goto err; + } + } + + if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; + if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx, + rsa->_method_mod_q)) goto err; + + if (!BN_mod(&r1,I,rsa->p,ctx)) goto err; + if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx, + rsa->_method_mod_p)) goto err; + + if (!BN_sub(r0,r0,&m1)) goto err; + /* This will help stop the size of r0 increasing, which does + * affect the multiply if it optimised for a power of 2 size */ + if (r0->neg) + if (!BN_add(r0,r0,rsa->p)) goto err; + + if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err; + if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err; + /* If p < q it is occasionally possible for the correction of + * adding 'p' if r0 is negative above to leave the result still + * negative. This can break the private key operations: the following + * second correction should *always* correct this rare occurrence. 
+ * This will *never* happen with OpenSSL generated keys because + * they ensure p > q [steve] + */ + if (r0->neg) + if (!BN_add(r0,r0,rsa->p)) goto err; + if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err; + if (!BN_add(r0,&r1,&m1)) goto err; + + ret=1; err: BN_clear_free(&m1); BN_clear_free(&r1); diff -u --recursive /usr/src/lib/libssl/src/crypto/rsa/rsa_gen.c ./crypto/rsa/rsa_gen.c --- /usr/src/lib/libssl/src/crypto/rsa/rsa_gen.c Sun Mar 19 04:11:39 2000 +++ ./crypto/rsa/rsa_gen.c Tue Apr 11 19:44:59 2000 
@@ -74,11 +74,108 @@ if (ctx == NULL) goto err; ctx2=BN_CTX_new(); if (ctx2 == NULL) goto err; + BN_CTX_start(ctx); + r0 = BN_CTX_get(ctx); + r1 = BN_CTX_get(ctx); + r2 = BN_CTX_get(ctx); + r3 = BN_CTX_get(ctx); + if (r3 == NULL) goto err; - /* Body of this routine removed for OpenBSD - will return - * when the RSA patent expires - */ + bitsp=(bits+1)/2; + bitsq=bits-bitsp; + rsa=RSA_new(); + if (rsa == NULL) goto err; + /* set e */ + rsa->e=BN_new(); + if (rsa->e == NULL) goto err; + +#if 1 + /* The problem is when building with 8, 16, or 32 BN_ULONG, + * unsigned long can be larger */ + for (i=0; ie,i); + } +#else + if (!BN_set_word(rsa->e,e_value)) goto err; +#endif + + /* generate p and q */ + for (;;) + { + rsa->p=BN_generate_prime(NULL,bitsp,0,NULL,NULL,callback,cb_arg); + if (rsa->p == NULL) goto err; + if (!BN_sub(r2,rsa->p,BN_value_one())) goto err; + if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err; + if (BN_is_one(r1)) break; + if (callback != NULL) callback(2,n++,cb_arg); + BN_free(rsa->p); + } + if (callback != NULL) callback(3,0,cb_arg); + for (;;) + { + rsa->q=BN_generate_prime(NULL,bitsq,0,NULL,NULL,callback,cb_arg); + if (rsa->q == NULL) goto err; + if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; + if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err; + if (BN_is_one(r1) && (BN_cmp(rsa->p,rsa->q) != 0)) + break; + if (callback != NULL) callback(2,n++,cb_arg); + BN_free(rsa->q); + } + if (callback != NULL) callback(3,1,cb_arg); + if (BN_cmp(rsa->p,rsa->q) < 0) + { + tmp=rsa->p; + rsa->p=rsa->q; + rsa->q=tmp; + } + + /* calculate n */ + rsa->n=BN_new(); + if (rsa->n == NULL) goto err; + if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err; + + /* calculate d */ + if (!BN_sub(r1,rsa->p,BN_value_one())) goto err; /* p-1 */ + if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; /* q-1 */ + if (!BN_mul(r0,r1,r2,ctx)) goto err; /* (p-1)(q-1) */ + +/* should not be needed, since gcd(p-1,e) == 1 and gcd(q-1,e) == 1 */ +/* for (;;) + { + if (!BN_gcd(r3,r0,rsa->e,ctx)) goto err; + if 
(BN_is_one(r3)) break; + + if (1) + { + if (!BN_add_word(rsa->e,2L)) goto err; + continue; + } + RSAerr(RSA_F_RSA_GENERATE_KEY,RSA_R_BAD_E_VALUE); + goto err; + } +*/ + rsa->d=BN_mod_inverse(NULL,rsa->e,r0,ctx2); /* d */ + if (rsa->d == NULL) goto err; + + /* calculate d mod (p-1) */ + rsa->dmp1=BN_new(); + if (rsa->dmp1 == NULL) goto err; + if (!BN_mod(rsa->dmp1,rsa->d,r1,ctx)) goto err; + + /* calculate d mod (q-1) */ + rsa->dmq1=BN_new(); + if (rsa->dmq1 == NULL) goto err; + if (!BN_mod(rsa->dmq1,rsa->d,r2,ctx)) goto err; + + /* calculate inverse of q mod p */ + rsa->iqmp=BN_mod_inverse(NULL,rsa->q,rsa->p,ctx2); + if (rsa->iqmp == NULL) goto err; + + ok=1; err: if (ok == -1) { From zack at wolery.cumb.org Mon Jul 24 03:03:23 2000 
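Review bot: in the rsa_eay_private_decrypt hunk (@@ -212,12 +251,77 @@) the result of `RSA_blinding_on(rsa,ctx);` is discarded, so if it fails rsa->blinding stays NULL and the very next statement, `if (rsa->flags & RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;`, passes that NULL blinding in. Make it `if (!RSA_blinding_on(rsa,ctx)) goto err;` so a failed blinding setup aborts the decrypt instead of continuing with a NULL blinding structure.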
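Review bot: in the rsa_eay_mod_exp hunk (@@ -263,15 +411,59 @@) the line `if ((ctx=BN_CTX_new()) == NULL) goto err;` is moved above `BN_init(&m1); BN_init(&r1);`, so when BN_CTX_new fails the err: path calls BN_clear_free(&m1) and BN_clear_free(&r1) on BIGNUMs that were never initialised. Keep the removed order (BN_init first, then allocate ctx), which is also why the old declaration read `BN_CTX *ctx = NULL`.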
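Review bot: in the rsa_generate_key hunk (@@ -74,11 +74,108 @@) `BN_CTX_start(ctx);` is added together with four BN_CTX_get() temporaries, but no BN_CTX_end(ctx) appears in the visible lines; it belongs in the err: path so the temporaries are released on every exit, not only on success. Separately, the loop that sets e reads `for (i=0; ie,i); }` in the posted copy: everything between `i` and `e,i)` is missing, apparently lost in transit, so the patch as posted does not compile and that line should be resent intact.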
From: zack at wolery.cumb.org (Zack Weinberg) Date: Sun, 23 Jul 2000 10:03:23 -0700 Subject: Work around Linux kernel bug provoked by nchan.c Message-ID: <20000723100323.F263@wolery.cumb.org> The Linux implementation of TCP sockets has a bug which causes shutdown(sock, SHUT_RD) to fail spuriously (ENOTCONN) if the write side of the socket has already been shut down. If you are using SSH port forwarding to tunnel HTTP through a firewall, nchan.c will tickle this bug once for every HTTP exchange. You will therefore get lots of useless, annoying error messages: channel 2: chan_shutdown_read: shutdown() failed for fd7 [i1 o128]: Transport endpoint is not connected Here's a complete debugging trace of one such forwarded channel. This is SSH1 protocol; I haven't got the setup to do SSH2 yet. The remote server is 2.0.12 F-SECURE SSH on Solaris 2.6; I am using openssh 2.1.1p4 with kernel 2.2.16. debug: channel 2: new [listen port 3128 for webcache.example.com port 3128, connect from localhost port 1817] debug: channel 2: rcvd ieof debug: channel 2: output open -> drain debug: channel 2: obuf empty debug: channel 2: output drain -> closed debug: channel 2: send oclose debug: channel 2: close_write debug: channel 2: read<=0 rfd 7 len 0 debug: channel 2: read failed debug: channel 2: input open -> drain debug: channel 2: close_read channel 2: chan_shutdown_read: shutdown() failed for fd7 [i1 o128]: Transport endpoint is not connected debug: channel 2: input: no drain shortcut debug: channel 2: ibuf empty debug: channel 2: input drain -> wait_oclose debug: channel 2: send ieof debug: channel 2: rcvd oclose debug: channel 2: input wait_oclose -> closed debug: channel 2: full closed I'd appreciate it if the appended patch could be applied. It causes ssh to recognize the bug and not emit the error message. [I've reported the bug to the kernel developers but they do not seem interested in fixing it.] 
zw --- openssh-2.1.1p4.orig/nchan.c Thu Jun 22 04:32:31 2000 +++ openssh-2.1.1p4/nchan.c Sun Jul 23 09:42:23 2000 @@ -483,7 +483,12 @@ return; debug("channel %d: close_read", c->self); if (c->sock != -1) { - if (shutdown(c->sock, SHUT_RD) < 0) + /* shutdown(sock, SHUT_READ) may return ENOTCONN if the + write side has been closed already. */ + if (shutdown(c->sock, SHUT_RD) < 0 + && (errno != ENOTCONN + || c->ostate == CHAN_OUTPUT_OPEN + || c->ostate == CHAN_OUTPUT_WAIT_DRAIN)) error("channel %d: chan_shutdown_read: shutdown() failed for fd%d [i%d o%d]: %.100s", c->self, c->sock, c->istate, c->ostate, strerror(errno)); } else { From Higdon.David at cnf.com Tue Jul 25 01:28:44 2000 From: Higdon.David at cnf.com (Higdon, David M - CNF) Date: Mon, 24 Jul 2000 08:28:44 -0700 Subject: SUNWski Message-ID: <7B73D5F649D0D311B1E30008C7A4D92A020D8E44@cnfqs029.cnf.com> solaris 2.8 openssh 2.1.1p4 openssl 0.0.5a zlib 1.1.3 SUNWski - David -----Original Message----- From: Markus Friedl [mailto:markus.friedl at informatik.uni-erlangen.de] Sent: Sunday, July 23, 2000 7:10 AM To: Higdon, David M - CNF Cc: 'Brian Friday'; 'openssh-unix-dev at mindrot.org'; openssh at openssh.com Subject: Re: SUNWski On Thu, Jul 20, 2000 at 02:43:30PM -0700, Higdon, David M - CNF wrote: > What happens when you run snoop on the system > that you ssh from? Can you see your input in > clear text? Because I can! could you please show me? what versions of ssh are you using? From djm at mindrot.org Tue Jul 25 09:40:40 2000 From: djm at mindrot.org (Damien Miller) Date: Tue, 25 Jul 2000 09:40:40 +1000 (EST) Subject: SUNWski In-Reply-To: <7B73D5F649D0D311B1E30008C7A4D92A020D8E44@cnfqs029.cnf.com> Message-ID: On Mon, 23 Jul 2000, Higdon, David M - CNF wrote: How do you see the login and password in the clear? Can you send a log of such an event? > > solaris 2.8 > openssh 2.1.1p4 > openssl 0.0.5a > zlib 1.1.3 > SUNWski > > > - David > > > > -----Original Message----- 
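Review bot: the comment added in the nchan.c hunk names `SHUT_READ` while the call uses `SHUT_RD`; use the real constant so the comment matches the code. Also, with the new `&& (errno != ENOTCONN || c->ostate == CHAN_OUTPUT_OPEN || c->ostate == CHAN_OUTPUT_WAIT_DRAIN)` chain the tolerated case leaves no trace at all; a debug() in that branch would keep the kernel quirk visible in traces like the one above, and a short note in the comment saying which ostate values are accepted (anything past WAIT_DRAIN) would make the condition easier to follow.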
> From: Markus Friedl [mailto:markus.friedl at informatik.uni-erlangen.de] > Sent: Sunday, July 23, 2000 7:10 AM > To: Higdon, David M - CNF > Cc: 'Brian Friday'; 'openssh-unix-dev at mindrot.org'; openssh at openssh.com > Subject: Re: SUNWski > > > On Thu, Jul 20, 2000 at 02:43:30PM -0700, Higdon, David M - CNF wrote: > > What happens when you run snoop on the system > > that you ssh from? Can you see your input in > > clear text? Because I can! > > could you please show me? what versions of ssh are you using? > > -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From Higdon.David at cnf.com Tue Jul 25 10:45:13 2000 
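The shutdown() quirk that Zack Weinberg's nchan.c patch earlier in this digest works around, as an added example that is not code from any message here nor from OpenSSH: the patch's condition is lifted into a standalone decision function, and a loopback probe shows what a SHUT_RD after SHUT_WR returns on whatever kernel you compile it on. The CHAN_OUTPUT_* values are assumed (chosen so that the "o128" in the debug trace means the closed state; only OPEN and WAIT_DRAIN are named in the patch), and the function names are mine.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Output-side channel states. Assumed values, chosen so that "o128" in
 * the debug trace above is the closed state; only OPEN and WAIT_DRAIN are
 * named in the patch itself. */
#define CHAN_OUTPUT_OPEN        0x10
#define CHAN_OUTPUT_WAIT_DRAIN  0x20
#define CHAN_OUTPUT_WAIT_IEOF   0x40
#define CHAN_OUTPUT_CLOSED      0x80

/* Decide whether a failed shutdown(sock, SHUT_RD) deserves an error().
 * This is the patch's condition as a standalone function (hypothetical
 * name): ENOTCONN is tolerated only once the write side is already past
 * WAIT_DRAIN, i.e. our FIN has gone out and the kernel may no longer
 * consider the socket connected. Returns 1 when the caller should report. */
int shutdown_read_error_is_real(int rc, int err, int ostate)
{
    if (rc >= 0)
        return 0;                   /* shutdown() succeeded */
    if (err != ENOTCONN)
        return 1;                   /* any other errno is a genuine failure */
    if (ostate == CHAN_OUTPUT_OPEN || ostate == CHAN_OUTPUT_WAIT_DRAIN)
        return 1;                   /* write side still open: not the quirk */
    return 0;                       /* expected after SHUT_WR; stay quiet */
}

/* Loopback probe: connect to ourselves, shut the client's write side, let
 * the server close, then call SHUT_RD on the client. Returns the errno
 * from that SHUT_RD (0 if it succeeded) or -1 if the setup failed. */
int probe_shutdown_order(void)
{
    int lsock = -1, client = -1, server = -1, err = -1;
    struct sockaddr_in sa;
    socklen_t salen = sizeof(sa);
    char buf[1];

    if ((lsock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                /* let the kernel pick a free port */
    if (bind(lsock, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||
        listen(lsock, 1) < 0 ||
        getsockname(lsock, (struct sockaddr *)&sa, &salen) < 0)
        goto out;
    if ((client = socket(AF_INET, SOCK_STREAM, 0)) < 0 ||
        connect(client, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||
        (server = accept(lsock, NULL, NULL)) < 0)
        goto out;

    shutdown(client, SHUT_WR);      /* client sends its FIN first */
    (void)read(server, buf, 1);     /* server sees EOF ... */
    close(server);                  /* ... and closes, sending its own FIN */
    server = -1;
    (void)read(client, buf, 1);     /* client consumes the server's FIN */
    err = (shutdown(client, SHUT_RD) < 0) ? errno : 0;
out:
    if (server != -1) close(server);
    if (client != -1) close(client);
    if (lsock != -1) close(lsock);
    return err;
}

int main(void)
{
    int e = probe_shutdown_order();
    if (e < 0)
        printf("probe setup failed\n");
    else
        printf("SHUT_RD after SHUT_WR: %s\n", e ? strerror(e) : "ok");
    printf("report with output closed and ENOTCONN? %d\n",
           shutdown_read_error_is_real(-1, ENOTCONN, CHAN_OUTPUT_CLOSED));
    return 0;
}
```

The decision function is deliberately narrow: it only silences ENOTCONN, and only when the channel's own state proves the write side was shut first, so a real failure (EBADF, or ENOTCONN while output is still open) is still reported. The probe reproduces the ordering from the debug trace (peer closes, we close_write, then close_read) so you can check what your kernel does before deciding whether the workaround matters for you.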
From: Higdon.David at cnf.com (Higdon, David M - CNF) Date: Mon, 24 Jul 2000 17:45:13 -0700 Subject: SUNWski Message-ID: <7B73D5F649D0D311B1E30008C7A4D92A020D8E4C@cnfqs029.cnf.com> By running the snoop utility that comes with the Solaris OS. Here is the output from running snoop Snoop is running on a third system that does not have ssh installed. I am trying to ssh from machine A to machine B from machine C # snoop machine A machine A -> hostname.xxx.com TELNET C port=38920 s hostname.xxx.com -> machine A TELNET R port=38920 s machine A -> hostname.xxx.com TELNET C port=38920 machine A -> hostname.xxx.com TELNET C port=38920 s hostname.xxx.com -> machine A TELNET R port=38920 s machine A -> hostname.xxx.com TELNET C port=38920 machine A -> hostname.xxx.com TELNET C port=38920 h hostname.xxx.com -> machine A TELNET R port=38920 h machine A -> hostname.xxx.com TELNET C port=38920 machine A -> hostname.xxx.com TELNET C port=38920 2 hostname.xxx.com -> machine A TELNET R port=38920 2 machine A -> hostname.xxx.com TELNET C port=38920 machine A -> hostname.xxx.com TELNET C port=38920 hostname.xxx.com -> machine A TELNET R port=38920 machine A -> hostname.xxx.com TELNET C port=38920 machine A -> hostname.xxx.com TELNET C port=38920 m hostname.xxx.com -> machine A TELNET R port=38920 m machine A -> hostname.xxx.com TELNET C port=38920 machine A -> hostname.xxx.com TELNET C port=38920 a hostname.xxx.com -> machine A TELNET R port=38920 a machine A -> hostname.xxx.com TELNET C port=38920 machine A -> hostname.xxx.com TELNET C port=38920 c hostname.xxx.com -> machine A TELNET R port=38920 c machine A -> hostname.xxx.com TELNET C port=38920 machine A -> hostname.xxx.com TELNET C port=38920 h hostname.xxx.com -> machine A TELNET R port=38920 h machine A -> hostname.xxx.com TELNET C port=38920 machine A -> hostname.xxx.com TELNET C port=38920 i hostname.xxx.com -> machine A TELNET R port=38920 i machine A -> hostname.xxx.com TELNET C port=38920 machine A -> hostname.xxx.com 
TELNET C port=38920 n hostname.xxx.com -> machine A TELNET R port=38920 n machine A -> hostname.xxx.com TELNET C port=38920 machine A -> hostname.xxx.com TELNET C port=38920 e hostname.xxx.com -> machine A TELNET R port=38920 e machine A -> hostname.xxx.com TELNET C port=38920 machine A -> hostname.xxx.com TELNET C port=38920 B hostname.xxx.com -> machine A TELNET R port=38920 B machine A -> hostname.xxx.com TELNET C port=38920 machine A -> hostname.xxx.com TELNET C port=38920 hostname.xxx.com -> machine A TELNET R port=38920 machine A -> hostname.xxx.com TELNET C port=38920 hostname.xxx.com -> machine A TELNET R port=38920 Passphrase for key " machine A -> hostname.xxx.com TELNET C port=38920 machine A -> hostname.xxx.com TELNET C port=38920 m hostname.xxx.com -> machine A TELNET R port=38920 machine A -> hostname.xxx.com TELNET C port=38920 o hostname.xxx.com -> machine A TELNET R port=38920 machine A -> hostname.xxx.com TELNET C port=38920 n hostname.xxx.com -> machine A TELNET R port=38920 machine A -> hostname.xxx.com TELNET C port=38920 g hostname.xxx.com -> machine A TELNET R port=38920 machine A -> hostname.xxx.com TELNET C port=38920 0 hostname.xxx.com -> machine A TELNET R port=38920 machine A -> hostname.xxx.com TELNET C port=38920 0 hostname.xxx.com -> machine A TELNET R port=38920 machine A -> hostname.xxx.com TELNET C port=38920 s hostname.xxx.com -> machine A TELNET R port=38920 machine A -> hostname.xxx.com TELNET C port=38920 e hostname.xxx.com -> machine A TELNET R port=38920 machine A -> hostname.xxx.com TELNET C port=38920 hostname.xxx.com -> machine A TELNET R port=38920 machine A -> hostname.xxx.com TELNET C port=38920 hostname.xxx.com -> machine A TELNET R port=38920 Authentication succe machine A -> hostname.xxx.com TELNET C port=38920 hostname.xxx.com -> machine A TELNET R port=38920 Last login: Tue Jul machine A -> hostname.xxx.com TELNET C port=38920 hostname.xxx.com -> machine A TELNET R port=38920 Sun Microsystems Inc machine A -> 
hostname.xxx.com TELNET C port=38920 -David -----Original Message----- From: Damien Miller [mailto:djm at mindrot.org] Sent: Monday, July 24, 2000 4:47 PM To: Higdon.David at cnf.com Cc: 'Markus Friedl'; 'Brian Friday'; 'openssh-unix-dev at mindrot.org'; openssh at openssh.com Subject: RE: SUNWski On Mon, 23 Jul 2000, Higdon, David M - CNF wrote: How do you see the login and password in the clear? Can you send a log of such an event? > > solaris 2.8 > openssh 2.1.1p4 > openssl 0.0.5a > zlib 1.1.3 > SUNWski > > > - David > > > > -----Original Message----- > From: Markus Friedl [mailto:markus.friedl at informatik.uni-erlangen.de] > Sent: Sunday, July 23, 2000 7:10 AM > To: Higdon, David M - CNF > Cc: 'Brian Friday'; 'openssh-unix-dev at mindrot.org'; openssh at openssh.com > Subject: Re: SUNWski > > > On Thu, Jul 20, 2000 at 02:43:30PM -0700, Higdon, David M - CNF wrote: > > What happens when you run snoop on the system > > that you ssh from? Can you see your input in > > clear text? Because I can! > > could you please show me? what versions of ssh are you using? > > -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Tue Jul 25 12:36:17 2000 
From: djm at mindrot.org (Damien Miller) Date: Tue, 25 Jul 2000 12:36:17 +1000 (EST) Subject: SUNWski In-Reply-To: <7B73D5F649D0D311B1E30008C7A4D92A020D8E4C@cnfqs029.cnf.com> Message-ID: On Mon, 24 Jul 2000, Higdon, David M - CNF wrote: > > By running the snoop utility that comes with the Solaris > OS. > > Here is the output from running snoop > > Snoop is running on a third system that does not have ssh > installed. > > I am trying to ssh from machine A to machine B It looks like you have telnetted to machine A from hostname.xxx.com! This traffic is going across your net in the clear. -d > > from machine C > > # snoop machine A > machine A -> hostname.xxx.com TELNET C port=38920 s > hostname.xxx.com -> machine A TELNET R port=38920 s > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 s > hostname.xxx.com -> machine A TELNET R port=38920 s > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 h > hostname.xxx.com -> machine A TELNET R port=38920 h > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 2 > hostname.xxx.com -> machine A TELNET R port=38920 2 > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 > hostname.xxx.com -> machine A TELNET R port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 m > hostname.xxx.com -> machine A TELNET R port=38920 m > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 a > hostname.xxx.com -> machine A TELNET R port=38920 a > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 c > hostname.xxx.com -> machine A TELNET R port=38920 c > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 h > hostname.xxx.com -> machine A 
TELNET R port=38920 h > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 i > hostname.xxx.com -> machine A TELNET R port=38920 i > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 n > hostname.xxx.com -> machine A TELNET R port=38920 n > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 e > hostname.xxx.com -> machine A TELNET R port=38920 e > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 B > hostname.xxx.com -> machine A TELNET R port=38920 B > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 > hostname.xxx.com -> machine A TELNET R port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 > hostname.xxx.com -> machine A TELNET R port=38920 Passphrase for key " > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 m > hostname.xxx.com -> machine A TELNET R port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 o > hostname.xxx.com -> machine A TELNET R port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 n > hostname.xxx.com -> machine A TELNET R port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 g > hostname.xxx.com -> machine A TELNET R port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 0 > hostname.xxx.com -> machine A TELNET R port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 0 > hostname.xxx.com -> machine A TELNET R port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 s > hostname.xxx.com -> machine A TELNET R port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 e > hostname.xxx.com -> machine A TELNET R port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 > hostname.xxx.com -> machine A TELNET R port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 
> hostname.xxx.com -> machine A TELNET R port=38920 Authentication succe > machine A -> hostname.xxx.com TELNET C port=38920 > hostname.xxx.com -> machine A TELNET R port=38920 Last login: Tue Jul > machine A -> hostname.xxx.com TELNET C port=38920 > hostname.xxx.com -> machine A TELNET R port=38920 Sun Microsystems Inc > machine A -> hostname.xxx.com TELNET C port=38920 > > > -David > > -----Original Message----- > From: Damien Miller [mailto:djm at mindrot.org] > Sent: Monday, July 24, 2000 4:47 PM > To: Higdon.David at cnf.com > Cc: 'Markus Friedl'; 'Brian Friday'; 'openssh-unix-dev at mindrot.org'; > openssh at openssh.com > Subject: RE: SUNWski > > > On Mon, 23 Jul 2000, Higdon, David M - CNF wrote: > > How do you see the login and password in the clear? Can you send a log > of such an event? > > > > > solaris 2.8 > > openssh 2.1.1p4 > > openssl 0.0.5a > > zlib 1.1.3 > > SUNWski > > > > > > - David > > > > > > > > -----Original Message----- > > From: Markus Friedl [mailto:markus.friedl at informatik.uni-erlangen.de] > > Sent: Sunday, July 23, 2000 7:10 AM > > To: Higdon, David M - CNF > > Cc: 'Brian Friday'; 'openssh-unix-dev at mindrot.org'; openssh at openssh.com > > Subject: Re: SUNWski > > > > > > On Thu, Jul 20, 2000 at 02:43:30PM -0700, Higdon, David M - CNF wrote: > > > What happens when you run snoop on the system > > > that you ssh from? Can you see your input in > > > clear text? Because I can! > > > > could you please show me? what versions of ssh are you using? > > > > > > -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From Lutz.Jaenicke at aet.TU-Cottbus.DE Tue Jul 25 18:42:08 2000 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Tue, 25 Jul 2000 10:42:08 +0200 Subject: fatal: Not enough entropy in RNG In-Reply-To: ; from djm@mindrot.org on Sat, Jul 22, 2000 at 10:26:59AM +1000 References: <20000721092549.A3737@serv01.aet.tu-cottbus.de> Message-ID: <20000725104208.A21301@serv01.aet.tu-cottbus.de> On Sat, Jul 22, 2000 at 10:26:59AM +1000, Damien Miller wrote: > On Fri, 21 Jul 2000, Lutz Jaenicke wrote: > > > One hint: it seems that the ssh_prng_cmds file is not updated > > automatically when performing a "make install", so maybe you have an > > old one without many entropy sources? > > This reminds me: If people can submit commands for your favourite > platform to be included in ssh_prng_commands, it would be much > appreciated. HP-UX 10.20 might use the following additions:
"ls -alni /var/adm/syslog" 0.02
"ls -alni /var/adm/lp" 0.01
"ls -alni /var/tmp" 0.02
"arp -a -n" 0.02 (without -n)
"tail -200 /var/adm/syslog/mail.log" 0.01
"xntpdc -c sysinfo" 0.02 (root access only)
Sure that there is even more :-) Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From rmcc at novis.pt Tue Jul 25 21:10:16 2000
From: rmcc at novis.pt (Ricardo Cerqueira) Date: Tue, 25 Jul 2000 12:10:16 +0100 Subject: SUNWski In-Reply-To: References: <7B73D5F649D0D311B1E30008C7A4D92A020D8E4C@cnfqs029.cnf.com> Message-ID: <20000725121016.T2415@clix.pt> On Tue, Jul 25, 2000 at 12:36:17PM +1000, Damien Miller wrote: > On Mon, 24 Jul 2000, Higdon, David M - CNF wrote: > > > > > By running the snoop utility that comes with the Solaris > > OS. > > > > Here is the output from running snoop > > > > Snoop is running on a third system that does not have ssh > > installed. > > > > I am trying to ssh from machine A to machine B > > It looks like you have telnetted to machine A from hostname.xxx.com! > This traffic is going across your net in the clear. Right. He's using Telnet, and not SSH. snoop should show something like this: host1 -> host2 TCP D=22 S=4404 Syn Seq=3951258970 Len=0 Win=16384 host2 -> host1 TCP D=4404 S=22 Rst Ack=3951258971 Win=0 RC > > -d > > > > > from machine C > > > > # snoop machine A > > machine A -> hostname.xxx.com TELNET C port=38920 s > > hostname.xxx.com -> machine A TELNET R port=38920 s > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 s > > hostname.xxx.com -> machine A TELNET R port=38920 s > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 h > > hostname.xxx.com -> machine A TELNET R port=38920 h > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 2 > > hostname.xxx.com -> machine A TELNET R port=38920 2 > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 m > > hostname.xxx.com -> machine A TELNET R port=38920 m > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> 
hostname.xxx.com TELNET C port=38920 a > > hostname.xxx.com -> machine A TELNET R port=38920 a > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 c > > hostname.xxx.com -> machine A TELNET R port=38920 c > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 h > > hostname.xxx.com -> machine A TELNET R port=38920 h > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 i > > hostname.xxx.com -> machine A TELNET R port=38920 i > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 n > > hostname.xxx.com -> machine A TELNET R port=38920 n > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 e > > hostname.xxx.com -> machine A TELNET R port=38920 e > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 B > > hostname.xxx.com -> machine A TELNET R port=38920 B > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 > > hostname.xxx.com -> machine A TELNET R port=38920 Passphrase for key " > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 m > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 o > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 n > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 g > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 0 > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A 
-> hostname.xxx.com TELNET C port=38920 0 > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 s > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 e > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 > > hostname.xxx.com -> machine A TELNET R port=38920 Authentication succe > > machine A -> hostname.xxx.com TELNET C port=38920 > > hostname.xxx.com -> machine A TELNET R port=38920 Last login: Tue Jul > > machine A -> hostname.xxx.com TELNET C port=38920 > > hostname.xxx.com -> machine A TELNET R port=38920 Sun Microsystems Inc > > machine A -> hostname.xxx.com TELNET C port=38920 > > > > > > -David > > > > -----Original Message----- > > From: Damien Miller [mailto:djm at mindrot.org] > > Sent: Monday, July 24, 2000 4:47 PM > > To: Higdon.David at cnf.com > > Cc: 'Markus Friedl'; 'Brian Friday'; 'openssh-unix-dev at mindrot.org'; > > openssh at openssh.com > > Subject: RE: SUNWski > > > > > > On Mon, 23 Jul 2000, Higdon, David M - CNF wrote: > > > > How do you see the login and password in the clear? Can you send a log > > of such an event? > > > > > > > > solaris 2.8 > > > openssh 2.1.1p4 > > > openssl 0.0.5a > > > zlib 1.1.3 > > > SUNWski > > > > > > > > > - David > > > > > > > > > > > > -----Original Message----- 
> > > From: Markus Friedl [mailto:markus.friedl at informatik.uni-erlangen.de] > > > Sent: Sunday, July 23, 2000 7:10 AM > > > To: Higdon, David M - CNF > > > Cc: 'Brian Friday'; 'openssh-unix-dev at mindrot.org'; openssh at openssh.com > > > Subject: Re: SUNWski > > > > > > > > > On Thu, Jul 20, 2000 at 02:43:30PM -0700, Higdon, David M - CNF wrote: > > > > What happens when you run snoop on the system > > > > that you ssh from? Can you see your input in > > > > clear text? Because I can! > > > > > > could you please show me? what versions of ssh are you using? > > > > > > > > > > > > -- > | "Bombay is 250ms from New York in the new world order" - Alan Cox > | Damien Miller - http://www.mindrot.org/ > | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) > > > > -- +------------------- | Ricardo Cerqueira | PGP Key fingerprint - B7 05 13 CE 48 0A BF 1E 87 21 83 DB 28 DE 03 42 | Novis - Engenharia ISP / Rede Técnica | Pç. Duque Saldanha, 1, 7º E / 1050-094 Lisboa / Portugal | Tel: +351 21 3166700 (24h/dia) - Fax: +351 21 3166701 From Pete.Chown at skygate.co.uk Wed Jul 26 00:00:03 2000
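Damien's and Ricardo's diagnosis above comes down to reading the protocol column of snoop's summary output: TELNET lines carry the keystrokes in the clear, whereas an SSH session shows up only as TCP segments with one endpoint on port 22. As an added example (not code from any message here nor from OpenSSH), here is a small C classifier that applies that rule to constructed snoop lines modelled on the ones quoted in the thread; the names classify_line, count_proto and capture_is_cleartext are mine.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in the shape of the snoop summaries quoted in this
 * thread: the first three lines mirror the TELNET session David captured,
 * the last two the TCP-to-port-22 exchange Ricardo says an SSH session
 * leaves behind. */
static const char *sample[] = {
    "machine A -> hostname.xxx.com TELNET C port=38920 s",
    "hostname.xxx.com -> machine A TELNET R port=38920 s",
    "hostname.xxx.com -> machine A TELNET R port=38920 Passphrase for key \"",
    "host1 -> host2 TCP D=22 S=4404 Syn Seq=3951258970 Len=0 Win=16384",
    "host2 -> host1 TCP D=4404 S=22 Rst Ack=3951258971 Win=0",
};
#define SAMPLE_COUNT (sizeof(sample) / sizeof(sample[0]))

enum proto { PROTO_OTHER = 0, PROTO_TELNET = 1, PROTO_SSH = 2 };

/* Classify one snoop summary line. snoop decodes cleartext telnet and
 * labels it "TELNET C"/"TELNET R" with the payload bytes in the clear;
 * as Ricardo's sample shows, an SSH session instead appears as plain
 * "TCP" with one endpoint on port 22 (D=22 or S=22). Hostnames may
 * contain spaces ("machine A"), so match on the protocol token rather
 * than on whitespace-separated fields. */
enum proto classify_line(const char *line)
{
    if (strstr(line, " TELNET ") != NULL)
        return PROTO_TELNET;
    if (strstr(line, " TCP ") != NULL &&
        (strstr(line, " D=22 ") != NULL || strstr(line, " S=22 ") != NULL))
        return PROTO_SSH;
    return PROTO_OTHER;
}

/* Count the lines of a given class in a capture. */
int count_proto(const char **lines, size_t n, enum proto want)
{
    int hits = 0;
    size_t i;
    for (i = 0; i < n; i++)
        if (classify_line(lines[i]) == want)
            hits++;
    return hits;
}

/* A capture is cleartext login traffic as soon as one decoded TELNET
 * line is present: keystrokes crossed the wire unencrypted, whatever
 * command the user believes they typed afterwards. */
int capture_is_cleartext(const char **lines, size_t n)
{
    return count_proto(lines, n, PROTO_TELNET) > 0;
}

int main(void)
{
    size_t i;
    for (i = 0; i < SAMPLE_COUNT; i++) {
        enum proto p = classify_line(sample[i]);
        printf("%-6s %s\n",
               p == PROTO_TELNET ? "CLEAR" : p == PROTO_SSH ? "ssh" : "other",
               sample[i]);
    }
    printf("cleartext login traffic present: %s\n",
           capture_is_cleartext(sample, SAMPLE_COUNT) ? "yes" : "no");
    return 0;
}
```

Run against a real capture you would feed snoop's summary lines to classify_line one at a time; the point of capture_is_cleartext is that a single TELNET line is enough to settle the question in this thread, because an ssh client never produces one, however the session was started.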
From: Pete.Chown at skygate.co.uk (Pete Chown) Date: Tue, 25 Jul 2000 15:00:03 +0100 Subject: sftp In-Reply-To: ; from mouring@pconline.com on Sat, Jul 22, 2000 at 02:28:41AM -0500 References: Message-ID: <20000725150003.J13003@hyena.skygate.co.uk> Ben Lindstrom wrote: > This may be a silly idea, but if we are looking to write an "Open > Standard" replacement version of the commercial sftp, and we currently > agree that doing ssh w/ standard ftp would be a pain in the arse. What > would stop us from using passive ftp? How would passive FTP help? You could set openssh to forward the control connection, but the ports for the data connections would be chosen at random by the server. > It does not spawn off a data channel. Someone will correct me if I am wrong, but I thought it did. It simply reverses the direction. In normal FTP the client listens and the server connects. In passive FTP the server listens (on the data port as well as the control port) and the client connects. HTTP might be a better bet, but then we would have to define a format for directory listings. HTTP can transfer files fine, but directory listings are usually just HTML designed for humans to read. (BTW, on a different subject, I've been looking at supporting the OpenPGP key blobs described in the secsh drafts. The client basically works but the server still needs a bit of work. It's looking quite interesting though -- for example you can arrange it so that signing someone's key is sufficient to enable them to log in.) -- Pete From Higdon.David at cnf.com Wed Jul 26 00:34:46 2000
From: Higdon.David at cnf.com (Higdon, David M - CNF) Date: Tue, 25 Jul 2000 07:34:46 -0700 Subject: SUNWski Message-ID: <7B73D5F649D0D311B1E30008C7A4D92A020D8E4D@cnfqs029.cnf.com> It clearly shows that I have used the ssh command! I am not using telnet. That is why I have such a concern. It only shows this type of output from when I run the snoop command from a system that has ssh installed. host1 -> host2 TCP D=22 S=4404 Syn Seq=3951258970 Len=0 Win=16384 host2 -> host1 TCP D=4404 S=22 Rst Ack=3951258971 Win=0 -David -----Original Message----- 
From: Ricardo Cerqueira [mailto:rmcc at novis.pt] Sent: Tuesday, July 25, 2000 4:10 AM To: openssh-unix-dev at mindrot.org Subject: Re: SUNWski On Tue, Jul 25, 2000 at 12:36:17PM +1000, Damien Miller wrote: > On Mon, 24 Jul 2000, Higdon, David M - CNF wrote: > > > > > By running the snoop utility that comes with the Solaris > > OS. > > > > Here is the output from running snoop > > > > Snoop is running on a third system that does not have ssh > > installed. > > > > I am trying to ssh from machine A to machine B > > It looks like you have telnetted to machine A from hostname.xxx.com! > This traffic is going across your net in the clear. Right. He's using Telnet, and not SSH. snoop should show something like this: host1 -> host2 TCP D=22 S=4404 Syn Seq=3951258970 Len=0 Win=16384 host2 -> host1 TCP D=4404 S=22 Rst Ack=3951258971 Win=0 RC > > -d > > > > > from machine C > > > > # snoop machine A > > machine A -> hostname.xxx.com TELNET C port=38920 s > > hostname.xxx.com -> machine A TELNET R port=38920 s > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 s > > hostname.xxx.com -> machine A TELNET R port=38920 s > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 h > > hostname.xxx.com -> machine A TELNET R port=38920 h > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 2 > > hostname.xxx.com -> machine A TELNET R port=38920 2 > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 m > > hostname.xxx.com -> machine A TELNET R port=38920 m > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 a > > hostname.xxx.com -> machine A TELNET R 
port=38920 a > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 c > > hostname.xxx.com -> machine A TELNET R port=38920 c > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 h > > hostname.xxx.com -> machine A TELNET R port=38920 h > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 i > > hostname.xxx.com -> machine A TELNET R port=38920 i > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 n > > hostname.xxx.com -> machine A TELNET R port=38920 n > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 e > > hostname.xxx.com -> machine A TELNET R port=38920 e > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 B > > hostname.xxx.com -> machine A TELNET R port=38920 B > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 > > hostname.xxx.com -> machine A TELNET R port=38920 Passphrase for key " > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 m > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 o > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 n > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 g > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 0 > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 0 > > hostname.xxx.com -> machine A 
TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 s > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 e > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 > > hostname.xxx.com -> machine A TELNET R port=38920 Authentication succe > > machine A -> hostname.xxx.com TELNET C port=38920 > > hostname.xxx.com -> machine A TELNET R port=38920 Last login: Tue Jul > > machine A -> hostname.xxx.com TELNET C port=38920 > > hostname.xxx.com -> machine A TELNET R port=38920 Sun Microsystems Inc > > machine A -> hostname.xxx.com TELNET C port=38920 > > > > > > -David > > > > -----Original Message----- > > From: Damien Miller [mailto:djm at mindrot.org] > > Sent: Monday, July 24, 2000 4:47 PM > > To: Higdon.David at cnf.com > > Cc: 'Markus Friedl'; 'Brian Friday'; 'openssh-unix-dev at mindrot.org'; > > openssh at openssh.com > > Subject: RE: SUNWski > > > > > > On Mon, 23 Jul 2000, Higdon, David M - CNF wrote: > > > > How do you see the login and password in the clear? Can you send a log > > of such an event? > > > > > > > > solaris 2.8 > > > openssh 2.1.1p4 > > > openssl 0.0.5a > > > zlib 1.1.3 > > > SUNWski > > > > > > > > > - David > > > > > > > > > > > > -----Original Message----- 
> > > From: Markus Friedl [mailto:markus.friedl at informatik.uni-erlangen.de] > > > Sent: Sunday, July 23, 2000 7:10 AM > > > To: Higdon, David M - CNF > > > Cc: 'Brian Friday'; 'openssh-unix-dev at mindrot.org'; openssh at openssh.com > > > Subject: Re: SUNWski > > > > > > > > > On Thu, Jul 20, 2000 at 02:43:30PM -0700, Higdon, David M - CNF wrote: > > > > What happens when you run snoop on the system > > > > that you ssh from? Can you see your input in > > > > clear text? Because I can! > > > > > > could you please show me? what versions of ssh are you using? > > > > > > > > > > > > -- > | "Bombay is 250ms from New York in the new world order" - Alan Cox > | Damien Miller - http://www.mindrot.org/ > | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) > > > > -- +------------------- | Ricardo Cerqueira | PGP Key fingerprint - B7 05 13 CE 48 0A BF 1E 87 21 83 DB 28 DE 03 42 | Novis - Engenharia ISP / Rede T?cnica | P?. Duque Saldanha, 1, 7? E / 1050-094 Lisboa / Portugal | Tel: +351 21 3166700 (24h/dia) - Fax: +351 21 3166701 From loomisg at cist.saic.com Wed Jul 26 00:57:34 2000 
From: loomisg at cist.saic.com (Rip Loomis)
Date: Tue, 25 Jul 2000 10:57:34 -0400
Subject: Snoopable SSH? (was RE: SUNWski)
In-Reply-To: <7B73D5F649D0D311B1E30008C7A4D92A020D8E4D@cnfqs029.cnf.com>
Message-ID: <002601bff648$aad61be0$275346d1@rloomis.cist.saic.com>

David--

The original "snoop" output that you provided sure does look to me as though you're using SSH...but only *after* you've telnetted. It looks as though this is the sequence of events:

1. Telnet from your local system to "machineA"
2. Once logged into "machineA", run "ssh2 machineB" to secure shell to "machineB".

The problem with the above configuration is that the communications between machineA and machineB are being properly protected by ssh, but your password can still be sniffed over the telnet connection (between your local system and "machineA").

There's no way we should be able to see the keystrokes for the "ssh2 machineB" through snoop if it was being done locally on "machineA". Try sitting down at the console of "machineA" and running the same command with snoop going. Let us know if you can still sniff your password.

If you're already sitting at the console of "machineA", then please provide us a *complete* description of all the systems involved--OS version, SSH version, exactly what systems are connected to what others, etc.

I've got OpenSSH compiled and installed on several Solaris systems here and haven't been able to sniff any of the traffic--as designed.

Hope this helps--

--Rip

-----Original Message-----
From: owner-openssh-unix-dev at mindrot.org [mailto:owner-openssh-unix-dev at mindrot.org]On Behalf Of Higdon, David M - CNF Sent: Tuesday, July 25, 2000 10:35 AM To: 'Ricardo Cerqueira'; openssh-unix-dev at mindrot.org Subject: RE: SUNWski It clearly shows that I have used the ssh command! I am not using telnet. That is why I have such a concern. It only shows this type of output from when I run the snoop command from a system that has ssh installed. host1 -> host2 TCP D=22 S=4404 Syn Seq=3951258970 Len=0 Win=16384 host2 -> host1 TCP D=4404 S=22 Rst Ack=3951258971 Win=0 -David -----Original Message----- 
From: Ricardo Cerqueira [mailto:rmcc at novis.pt] Sent: Tuesday, July 25, 2000 4:10 AM To: openssh-unix-dev at mindrot.org Subject: Re: SUNWski On Tue, Jul 25, 2000 at 12:36:17PM +1000, Damien Miller wrote: > On Mon, 24 Jul 2000, Higdon, David M - CNF wrote: > > > > > By running the snoop utility that comes with the Solaris > > OS. > > > > Here is the output from running snoop > > > > Snoop is running on a third system that does not have ssh > > installed. > > > > I am trying to ssh from machine A to machine B > > It looks like you have telnetted to machine A from hostname.xxx.com! > This traffic is going across your net in the clear. Right. He's using Telnet, and not SSH. snoop should show something like this: host1 -> host2 TCP D=22 S=4404 Syn Seq=3951258970 Len=0 Win=16384 host2 -> host1 TCP D=4404 S=22 Rst Ack=3951258971 Win=0 RC > > -d > > > > > from machine C > > > > # snoop machine A > > machine A -> hostname.xxx.com TELNET C port=38920 s > > hostname.xxx.com -> machine A TELNET R port=38920 s > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 s > > hostname.xxx.com -> machine A TELNET R port=38920 s > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 h > > hostname.xxx.com -> machine A TELNET R port=38920 h > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 2 > > hostname.xxx.com -> machine A TELNET R port=38920 2 > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 m > > hostname.xxx.com -> machine A TELNET R port=38920 m > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 a > > hostname.xxx.com -> machine A TELNET R 
port=38920 a > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 c > > hostname.xxx.com -> machine A TELNET R port=38920 c > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 h > > hostname.xxx.com -> machine A TELNET R port=38920 h > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 i > > hostname.xxx.com -> machine A TELNET R port=38920 i > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 n > > hostname.xxx.com -> machine A TELNET R port=38920 n > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 e > > hostname.xxx.com -> machine A TELNET R port=38920 e > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 B > > hostname.xxx.com -> machine A TELNET R port=38920 B > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 > > hostname.xxx.com -> machine A TELNET R port=38920 Passphrase for key " > > machine A -> hostname.xxx.com TELNET C port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 m > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 o > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 n > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 g > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 0 > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 0 > > hostname.xxx.com -> machine A 
TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 s > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 e > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 > > hostname.xxx.com -> machine A TELNET R port=38920 > > machine A -> hostname.xxx.com TELNET C port=38920 > > hostname.xxx.com -> machine A TELNET R port=38920 Authentication succe > > machine A -> hostname.xxx.com TELNET C port=38920 > > hostname.xxx.com -> machine A TELNET R port=38920 Last login: Tue Jul > > machine A -> hostname.xxx.com TELNET C port=38920 > > hostname.xxx.com -> machine A TELNET R port=38920 Sun Microsystems Inc > > machine A -> hostname.xxx.com TELNET C port=38920 > > > > > > -David > > > > -----Original Message----- > > From: Damien Miller [mailto:djm at mindrot.org] > > Sent: Monday, July 24, 2000 4:47 PM > > To: Higdon.David at cnf.com > > Cc: 'Markus Friedl'; 'Brian Friday'; 'openssh-unix-dev at mindrot.org'; > > openssh at openssh.com > > Subject: RE: SUNWski > > > > > > On Mon, 23 Jul 2000, Higdon, David M - CNF wrote: > > > > How do you see the login and password in the clear? Can you send a log > > of such an event? > > > > > > > > solaris 2.8 > > > openssh 2.1.1p4 > > > openssl 0.0.5a > > > zlib 1.1.3 > > > SUNWski > > > > > > > > > - David > > > > > > > > > > > > -----Original Message----- 
> > > From: Markus Friedl [mailto:markus.friedl at informatik.uni-erlangen.de] > > > Sent: Sunday, July 23, 2000 7:10 AM > > > To: Higdon, David M - CNF > > > Cc: 'Brian Friday'; 'openssh-unix-dev at mindrot.org'; openssh at openssh.com > > > Subject: Re: SUNWski > > > > > > > > > On Thu, Jul 20, 2000 at 02:43:30PM -0700, Higdon, David M - CNF wrote: > > > > What happens when you run snoop on the system > > > > that you ssh from? Can you see your input in > > > > clear text? Because I can! > > > > > > could you please show me? what versions of ssh are you using? > > > > > > > > > > > > -- > | "Bombay is 250ms from New York in the new world order" - Alan Cox > | Damien Miller - http://www.mindrot.org/ > | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) > > > > -- +------------------- | Ricardo Cerqueira | PGP Key fingerprint - B7 05 13 CE 48 0A BF 1E 87 21 83 DB 28 DE 03 42 | Novis - Engenharia ISP / Rede T?cnica | P?. Duque Saldanha, 1, 7? E / 1050-094 Lisboa / Portugal | Tel: +351 21 3166700 (24h/dia) - Fax: +351 21 3166701 From rmcc at novis.pt Wed Jul 26 01:08:22 2000 
From: rmcc at novis.pt (Ricardo Cerqueira)
Date: Tue, 25 Jul 2000 16:08:22 +0100
Subject: SUNWski
In-Reply-To: <7B73D5F649D0D311B1E30008C7A4D92A020D8E4D@cnfqs029.cnf.com>
References: <7B73D5F649D0D311B1E30008C7A4D92A020D8E4D@cnfqs029.cnf.com>
Message-ID: <20000725160822.G23586@clix.pt>

On Tue, Jul 25, 2000 at 07:34:46AM -0700, Higdon, David M - CNF wrote:
> It clearly shows that I have used the ssh command!
> I am not using telnet. That is why I have such a
> concern.

No, it doesn't. On the contrary...

machine A -> hostname.xxx.com TELNET C port=38920 s
hostname.xxx.com -> machine A TELNET R port=38920 s
machine A -> hostname.xxx.com TELNET C port=38920
machine A -> hostname.xxx.com TELNET C port=38920 s

This implies a connection between a 23 port (TELNET, not SSH) and a 38920 port (source port for the telnet session)

>
> It only shows this type of output from when I run
> the snoop command from a system that has ssh installed.
>
> host1 -> host2 TCP D=22 S=4404 Syn Seq=3951258970 Len=0 Win=16384
> host2 -> host1 TCP D=4404 S=22 Rst Ack=3951258971 Win=0
>

This, on the other hand, is a connection from a 4404 (source) to a 22 (SSH). And this is my example, which is different from your output.

RC

P.S. - Don't CC me, I'm on the list.

--
+-------------------
| Ricardo Cerqueira
| PGP Key fingerprint - B7 05 13 CE 48 0A BF 1E 87 21 83 DB 28 DE 03 42
| Novis - Engenharia ISP / Rede Técnica
| Pç. Duque Saldanha, 1, 7º E / 1050-094 Lisboa / Portugal
| Tel: +351 21 3166700 (24h/dia) - Fax: +351 21 3166701

From willard.dawson at sbs.siemens.com Wed Jul 26 01:13:03 2000
From: willard.dawson at sbs.siemens.com (Willard Dawson)
Date: Tue, 25 Jul 2000 11:13:03 -0400
Subject: SUNWski
In-Reply-To: <20000725160822.G23586@clix.pt>; from rmcc@novis.pt on Tue, Jul 25, 2000 at 04:08:22PM +0100
References: <7B73D5F649D0D311B1E30008C7A4D92A020D8E4D@cnfqs029.cnf.com> <20000725160822.G23586@clix.pt>
Message-ID: <20000725111303.A29250@wdawson-sun.sbs.siemens.com>

Does snoop read ports from /etc/services? Does the port in /etc/services on this box say ssh...23?

On Tue, Jul 25, 2000 at 04:08:22PM +0100, Ricardo Cerqueira wrote:
> On Tue, Jul 25, 2000 at 07:34:46AM -0700, Higdon, David M - CNF wrote:
> > It clearly shows that I have used the ssh command!
> > I am not using telnet. That is why I have such a
> > concern.
>
> No, it doesn't. On the contrary...
>
> machine A -> hostname.xxx.com TELNET C port=38920 s
> hostname.xxx.com -> machine A TELNET R port=38920 s
> machine A -> hostname.xxx.com TELNET C port=38920
> machine A -> hostname.xxx.com TELNET C port=38920 s
>
> This implies a connection between a 23 port (TELNET, not SSH) and a 38920 port (source port for the telnet session)
>
> >
> > It only shows this type of output from when I run
> > the snoop command from a system that has ssh installed.
> >
> > host1 -> host2 TCP D=22 S=4404 Syn Seq=3951258970 Len=0 Win=16384
> > host2 -> host1 TCP D=4404 S=22 Rst Ack=3951258971 Win=0
> >
>
> This, on the other hand, is a connection from a 4404 (source) to a 22 (SSH). And this is my example, which is different from your output.
>
> RC
>
> P.S. - Don't CC me, I'm on the list.
>
> --
> +-------------------
> | Ricardo Cerqueira
> | PGP Key fingerprint - B7 05 13 CE 48 0A BF 1E 87 21 83 DB 28 DE 03 42
> | Novis - Engenharia ISP / Rede Técnica
> | Pç. Duque Saldanha, 1, 7º E / 1050-094 Lisboa / Portugal
> | Tel: +351 21 3166700 (24h/dia) - Fax: +351 21 3166701

--
Willard Francis Otto Dawson        +1 770 814 5099 / +1 770 814 5202 FAX
Siemens Business Services, ENS     mailto:willard.dawson at sbs.siemens.com
4570 River Green Pkwy, Ste 140     http://www.sbs.siemens.com/
Duluth, GA 30096-2564              Standard disclaimer applies.

From markus.friedl at informatik.uni-erlangen.de Wed Jul 26 04:18:35 2000
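Reading snoop output by port number, the way Ricardo does above, is something a defender can automate. The C below is an added example, not code from this thread or from Solaris snoop: it classifies snoop summary lines by the server-side port (22 means SSH; 23, 513 and 21 are the cleartext login protocols in its table) rather than by trusting the protocol label, which is also the safe answer to Willard's question about where the label comes from. The two line formats it parses are the ones quoted in the thread; the sample trace is constructed from those lines, and the port-to-label table is an assumption of the example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not part of the thread or of snoop itself. Classifies snoop
 * summary lines by the *server port*, so a sniffed login session is reported
 * as cleartext whenever it runs over telnet/rlogin/ftp, and as SSH only when
 * the server side is port 22. Two formats are handled, both quoted in the
 * thread: raw TCP lines ("TCP D=22 S=4404 Syn ...") and application-decoded
 * lines ("TELNET C port=38920 s"), which show only the client port.
 */

enum session_kind { KIND_UNKNOWN = 0, KIND_CLEARTEXT_LOGIN, KIND_SSH, KIND_OTHER_TCP };

/* Assumed table: well-known ports of login protocols that carry credentials in clear. */
static const struct { int port; const char *label; } cleartext_login[] = {
    { 23, "TELNET" }, { 513, "RLOGIN" }, { 21, "FTP" },
};
#define NCLEAR (sizeof cleartext_login / sizeof cleartext_login[0])

/* Decimal number immediately after `key` (e.g. " D="), or -1 if absent. */
static int number_after(const char *line, const char *key)
{
    const char *p = strstr(line, key);
    if (p == NULL) return -1;
    p += strlen(key);
    return isdigit((unsigned char)*p) ? atoi(p) : -1;
}

/* Whole-word match, so "FTP" does not fire on "SFTP" or "TFTP". */
static int has_word(const char *line, const char *word)
{
    size_t n = strlen(word);
    for (const char *p = strstr(line, word); p != NULL; p = strstr(p + n, word)) {
        int starts = (p == line) || isspace((unsigned char)p[-1]);
        int ends = p[n] == '\0' || isspace((unsigned char)p[n]);
        if (starts && ends) return 1;
    }
    return 0;
}

/* Server-side port of the line, or -1 if it cannot be determined. */
int snoop_server_port(const char *line)
{
    int d = number_after(line, " D="), s = number_after(line, " S=");
    if (d >= 0 && s >= 0) {
        /* The well-known side is the server; with two ephemeral ports, guess the lower one. */
        if (d < 1024 && s >= 1024) return d;
        if (s < 1024 && d >= 1024) return s;
        return d < s ? d : s;
    }
    if (d >= 0) return d;
    if (s >= 0) return s;
    /* Decoded lines carry only the client port; the decoder label implies the server port. */
    for (size_t i = 0; i < NCLEAR; i++)
        if (has_word(line, cleartext_login[i].label)) return cleartext_login[i].port;
    return -1;
}

enum session_kind classify_snoop_line(const char *line)
{
    int port = snoop_server_port(line);
    if (port < 0) return KIND_UNKNOWN;
    if (port == 22) return KIND_SSH;
    for (size_t i = 0; i < NCLEAR; i++)
        if (port == cleartext_login[i].port) return KIND_CLEARTEXT_LOGIN;
    return KIND_OTHER_TCP;
}

/* Count the lines of a newline-separated trace that belong to cleartext login sessions. */
int count_cleartext_lines(const char *trace)
{
    int count = 0;
    while (*trace != '\0') {
        const char *nl = strchr(trace, '\n');
        size_t len = nl ? (size_t)(nl - trace) : strlen(trace);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;   /* truncate over-long lines */
        memcpy(line, trace, len);
        line[len] = '\0';
        if (classify_snoop_line(line) == KIND_CLEARTEXT_LOGIN) count++;
        trace = nl ? nl + 1 : trace + strlen(trace);
    }
    return count;
}

/* Constructed trace patterned on the thread: four telnet lines, then two SSH lines. */
static const char sample_trace[] =
    "machine A -> hostname.xxx.com TELNET C port=38920 s\n"
    "hostname.xxx.com -> machine A TELNET R port=38920 s\n"
    "machine A -> hostname.xxx.com TELNET C port=38920\n"
    "hostname.xxx.com -> machine A TELNET R port=38920\n"
    "host1 -> host2 TCP D=22 S=4404 Syn Seq=3951258970 Len=0 Win=16384\n"
    "host2 -> host1 TCP D=4404 S=22 Rst Ack=3951258971 Win=0\n";

int sample_cleartext_count(void)
{
    return count_cleartext_lines(sample_trace);   /* 4 for the constructed trace */
}
```

Run it over a saved `snoop` summary and any non-zero count from count_cleartext_lines() is a hop on the path where a password crosses the wire in clear, exactly the situation Rip describes for the telnet leg into machineA.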
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 25 Jul 2000 20:18:35 +0200 Subject: SUNWski In-Reply-To: <7B73D5F649D0D311B1E30008C7A4D92A020D8E4C@cnfqs029.cnf.com>; from Higdon.David@cnf.com on Mon, Jul 24, 2000 at 05:45:13PM -0700 References: <7B73D5F649D0D311B1E30008C7A4D92A020D8E4C@cnfqs029.cnf.com> Message-ID: <20000725201835.B5064@folly.informatik.uni-erlangen.de> you are using telnet and then ssh. On Mon, Jul 24, 2000 at 05:45:13PM -0700, Higdon, David M - CNF wrote: > > By running the snoop utility that comes with the Solaris > OS. > > Here is the output from running snoop > > Snoop is running on a third system that does not have ssh > installed. > > I am trying to ssh from machine A to machine B > > > from machine C > > # snoop machine A > machine A -> hostname.xxx.com TELNET C port=38920 s > hostname.xxx.com -> machine A TELNET R port=38920 s > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 s > hostname.xxx.com -> machine A TELNET R port=38920 s > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 h > hostname.xxx.com -> machine A TELNET R port=38920 h > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 2 > hostname.xxx.com -> machine A TELNET R port=38920 2 > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 > hostname.xxx.com -> machine A TELNET R port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 m > hostname.xxx.com -> machine A TELNET R port=38920 m > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 a > hostname.xxx.com -> machine A TELNET R port=38920 a > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 c > hostname.xxx.com -> machine A TELNET R 
port=38920 c > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 h > hostname.xxx.com -> machine A TELNET R port=38920 h > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 i > hostname.xxx.com -> machine A TELNET R port=38920 i > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 n > hostname.xxx.com -> machine A TELNET R port=38920 n > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 e > hostname.xxx.com -> machine A TELNET R port=38920 e > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 B > hostname.xxx.com -> machine A TELNET R port=38920 B > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 > hostname.xxx.com -> machine A TELNET R port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 > hostname.xxx.com -> machine A TELNET R port=38920 Passphrase for key " > machine A -> hostname.xxx.com TELNET C port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 m > hostname.xxx.com -> machine A TELNET R port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 o > hostname.xxx.com -> machine A TELNET R port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 n > hostname.xxx.com -> machine A TELNET R port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 g > hostname.xxx.com -> machine A TELNET R port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 0 > hostname.xxx.com -> machine A TELNET R port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 0 > hostname.xxx.com -> machine A TELNET R port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 s > hostname.xxx.com -> machine A TELNET R port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 e > hostname.xxx.com -> machine A TELNET R port=38920 > 
machine A -> hostname.xxx.com TELNET C port=38920 > hostname.xxx.com -> machine A TELNET R port=38920 > machine A -> hostname.xxx.com TELNET C port=38920 > hostname.xxx.com -> machine A TELNET R port=38920 Authentication succe > machine A -> hostname.xxx.com TELNET C port=38920 > hostname.xxx.com -> machine A TELNET R port=38920 Last login: Tue Jul > machine A -> hostname.xxx.com TELNET C port=38920 > hostname.xxx.com -> machine A TELNET R port=38920 Sun Microsystems Inc > machine A -> hostname.xxx.com TELNET C port=38920 > > > -David > > -----Original Message----- > From: Damien Miller [mailto:djm at mindrot.org] > Sent: Monday, July 24, 2000 4:47 PM > To: Higdon.David at cnf.com > Cc: 'Markus Friedl'; 'Brian Friday'; 'openssh-unix-dev at mindrot.org'; > openssh at openssh.com > Subject: RE: SUNWski > > > On Mon, 23 Jul 2000, Higdon, David M - CNF wrote: > > How do you see the login and password in the clear? Can you send a log > of such an event? > > > > > solaris 2.8 > > openssh 2.1.1p4 > > openssl 0.0.5a > > zlib 1.1.3 > > SUNWski > > > > > > - David > > > > > > > > -----Original Message----- > > From: Markus Friedl [mailto:markus.friedl at informatik.uni-erlangen.de] > > Sent: Sunday, July 23, 2000 7:10 AM > > To: Higdon, David M - CNF > > Cc: 'Brian Friday'; 'openssh-unix-dev at mindrot.org'; openssh at openssh.com > > Subject: Re: SUNWski > > > > > > On Thu, Jul 20, 2000 at 02:43:30PM -0700, Higdon, David M - CNF wrote: > > > What happens when you run snoop on the system > > > that you ssh from? Can you see your input in > > > clear text? Because I can! > > > > could you please show me? what versions of ssh are you using? > > > > > > -- > | "Bombay is 250ms from New York in the new world order" - Alan Cox > | Damien Miller - http://www.mindrot.org/ > | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) > > > > From sen_ml at eccosys.com Wed Jul 26 12:04:40 2000 
From: sen_ml at eccosys.com (sen_ml at eccosys.com)
Date: Wed, 26 Jul 2000 11:04:40 +0900
Subject: sftp
In-Reply-To: <20000725150003.J13003@hyena.skygate.co.uk>
References: <20000725150003.J13003@hyena.skygate.co.uk>
Message-ID: <20000726110440W.1001@eccosys.com>

From: Pete Chown
Subject: Re: sftp
Date: Tue, 25 Jul 2000 15:00:03 +0100
Message-ID: <20000725150003.J13003 at hyena.skygate.co.uk>

> Ben Lindstrom wrote:
>
> > This may be a silly idea, but if we are looking to write an "Open
> > Standard" replacement version of the commercial sftp, and we currently
> > agree that doing ssh w/ standard ftp would be a pain in the arse. What
> > would stop us from using passive ftp?
>
> How would passive FTP help? You could set openssh to forward the
> control connection, but the ports for the data connections would be
> chosen at random by the server.
>
> > It does not spawn off a data channel.
>
> Someone will correct me if I am wrong, but I thought it did.

that's my understanding too.

> HTTP might be a better bet, but then we would have to define a format
> for directory listings. HTTP can transfer files fine, but directory
> listings are usually just HTML designed for humans to read.

fwiw, there's webdav that can be port-forwarded...though it doesn't seem to be widely deployed yet.

> (BTW, on a different subject, I've been looking at supporting the
> OpenPGP key blobs described in the secsh drafts. The client basically
> works but the server still needs a bit of work. It's looking quite
> interesting though -- for example you can arrange it so that signing
> someone's key is sufficient to enable them to log in.)

so, are you going to write an openpgp packet manipulation library? that'd be very useful for other purposes as well -- for instance, it could be used to write a pam module that will allow a challenge-and-response type of authentication using openpgp keys.

for reference, there's someone who's writing an openpgp implementation in java -- i mention it because there are design details available at:

http://cvs.cryptix.org/~edwin/openpgp/design/

and more info at:

http://www.cryptix.org/products/openpgp/index.html

From Pete.Chown at skygate.co.uk Thu Jul 27 03:24:11 2000
From: Pete.Chown at skygate.co.uk (Pete Chown)
Date: Wed, 26 Jul 2000 18:24:11 +0100
Subject: OpenPGP auth
In-Reply-To: <20000726110440W.1001@eccosys.com>; from sen_ml@eccosys.com on Wed, Jul 26, 2000 at 11:04:40AM +0900
References: <20000725150003.J13003@hyena.skygate.co.uk> <20000726110440W.1001@eccosys.com>
Message-ID: <20000726182411.C6904@hyena.skygate.co.uk>

sen_ml at eccosys.com wrote:

> so, are you going to write an openpgp packet manipulation library?

At present I am just invoking the gnupg binary. I think the gnupg people have a project to create a library, so I would probably be duplicating work. (Also it would be a *lot* of work -- much more than just doing OpenPGP authentication for OpenSSH.)

> that'd be very useful for other purposes as well -- for instance, it
> could be used to write a pam module that will allow a
> challenge-and-response type of authentication using openpgp keys.

That's an interesting idea... Also you could do a SASL method that used OpenPGP.

Actually how about a SASL or GSSAPI method that uses ssh? Then if you use IMAP forwarded by ssh, you don't have to worry about sending a password.

--
Pete

From Steven.G.Smith.1 at gsfc.nasa.gov Thu Jul 27 05:06:04 2000
From: Steven.G.Smith.1 at gsfc.nasa.gov (Steven G. Smith)
Date: Wed, 26 Jul 2000 15:06:04 -0400
Subject: compiling openssh with skey? Fails on redhat linux
Message-ID: <397F369C.A09027F1@rogue.stx.com>

If I configure openssh-2.1.1p4 with the --with-skey option on a Redhat Linux 6.2 system which has openssl-0.9.5a and skey (the logdaemon 6.2 version) installed, the compile fails with the following errors:

auth1.c: In function `do_authloop':
auth1.c:331: warning: implicit declaration of function `skey_keyinfo'
auth1.c:331: warning: initialization makes pointer from integer without a cast
auth1.c:353: warning: implicit declaration of function `skey_haskey'
auth1.c:354: warning: implicit declaration of function `skey_passcheck'
session.c: In function `do_authenticated':
session.c:159: warning: `type' might be used uninitialized in this function
session.c:195: warning: `success' might be used uninitialized in this function
auth1.o: In function `do_fake_authloop1':
auth1.c:101: undefined reference to `skey_fake_keyinfo'
auth1.o: In function `do_authloop':
auth1.c:331: undefined reference to `skey_keyinfo'
auth1.c:334: undefined reference to `skey_fake_keyinfo'
auth1.c:353: undefined reference to `skey_haskey'
auth1.c:353: undefined reference to `skey_passcheck'

Also, the file auth-skey.c which is included with the source is not referenced in the Makefile constructed by the configure command, and if inserted by hand it fails to compile with many undefined values:

auth-skey.c: In function `auth_skey_password':
auth-skey.c:20: warning: implicit declaration of function `skey_keyinfo'
auth-skey.c:20: warning: initialization makes pointer from integer without a cast
auth-skey.c:30: warning: implicit declaration of function `skey_haskey'
auth-skey.c:31: warning: implicit declaration of function `skey_passcheck'
auth-skey.c: In function `skey_fake_keyinfo':
auth-skey.c:70: `SKEY_MAX_SEED_LEN' undeclared (first use in this function)
auth-skey.c:70: (Each undeclared identifier is reported only once
auth-skey.c:70: for each function it appears in.)
auth-skey.c:71: `SKEY_MAX_PW_LEN' undeclared (first use in this function)
auth-skey.c:71: size of array `pbuf' has non-integer type
auth-skey.c:72: `SKEY_MAX_CHALLENGE' undeclared (first use in this function)
auth-skey.c:72: size of array `skeyprompt' has non-integer type
auth-skey.c:108: `_SKEY_RAND_FILE_PATH_' undeclared (first use in this function)
auth-skey.c:161: `SKEY_MAX_HASHNAME_LEN' undeclared (first use in this function)
auth-skey.c:162: warning: implicit declaration of function `skey_get_algorithm'
auth-skey.c:164: warning: field width is not type int (arg 4)
auth-skey.c:164: warning: format argument is not a pointer (arg 5)
auth-skey.c:164: warning: field width is not type int (arg 7)
auth-skey.c:186: warning: field width is not type int (arg 4)
auth-skey.c:186: warning: format argument is not a pointer (arg 5)
auth-skey.c:186: warning: field width is not type int (arg 7)

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Steven G Smith                 Room: 317
Raytheon                       Phone: 301-794-3026
4500 Forbes Boulevard          FAX: 301-794-3165
Lanham, MD 20704

From charles at comm.polymtl.ca Thu Jul 27 05:45:09 2000
From: charles at comm.polymtl.ca (Charles Levert) Date: Wed, 26 Jul 2000 15:45:09 -0400 Subject: [2.1.1p4] utmp related patches plus unresolved bugs description Message-ID: <200007261945.PAA26373@faucon.comm.polymtl.ca> Fixed: -- On systems such as SunOS4 where the system include files are no help in locating the utmp file (et al.), configure can define their location in CONF_*, but defines.h never used these. -- Might as well put in the usual location for SunOS4. -- In loginrec.c (utmp_write_direct), writing to the utmp file was not done correctly. Remaining: -- At logout, the utmp entry cannot be cleared since ttyslot cannot find the offset for the terminal since it is the parent process that calls this stuff and it does not execute in the context of the terminal. It works at login since it is then done by the child process (the one that will eventually exec the user shell). The solution involves having the child process inform the parent process of the ttyslot and of the fact that a utmp entry was written at login and needs to be removed. ======================================================================== --- loginrec.c.orig-2.1.1p4 Mon Jul 10 22:15:54 2000 +++ loginrec.c Wed Jul 26 15:25:49 2000 @@ -740,7 +740,7 @@ } (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); - if (atomicio(write, fd, ut, sizeof(ut)) != sizeof(ut)) + if (atomicio(write, fd, ut, sizeof(*ut)) != sizeof(*ut)) log("utmp_write_direct: error writing %s: %s", UTMP_FILE, strerror(errno)); --- defines.h.orig-2.1.1p4 Thu Jun 22 18:23:34 2000 +++ defines.h Tue Jul 25 00:43:22 2000 
@@ -329,18 +329,33 @@ #endif /* FIXME: put default paths back in */ -#if !defined(UTMP_FILE) && defined(_PATH_UTMP) -# define UTMP_FILE _PATH_UTMP +#ifndef UTMP_FILE +# ifdef _PATH_UTMP +# define UTMP_FILE _PATH_UTMP +# else +# ifdef CONF_UTMP_FILE +# define UTMP_FILE CONF_UTMP_FILE +# endif +# endif #endif -#if !defined(WTMP_FILE) && defined(_PATH_WTMP) -# define WTMP_FILE _PATH_WTMP +#ifndef WTMP_FILE +# ifdef _PATH_WTMP +# define WTMP_FILE _PATH_WTMP +# else +# ifdef CONF_WTMP_FILE +# define WTMP_FILE CONF_WTMP_FILE +# endif +# endif #endif /* pick up the user's location for lastlog if given */ -#if !defined(LASTLOG_FILE) && defined(_PATH_LASTLOG) -# define LASTLOG_FILE _PATH_LASTLOG -#endif -#if !defined(LASTLOG_FILE) && defined(CONF_LASTLOG_FILE) -# define LASTLOG_FILE CONF_LASTLOG_FILE +#ifndef LASTLOG_FILE +# ifdef _PATH_LASTLOG +# define LASTLOG_FILE _PATH_LASTLOG +# else +# ifdef CONF_LASTLOG_FILE +# define LASTLOG_FILE CONF_LASTLOG_FILE +# endif +# endif #endif --- configure.in.orig-2.1.1p4 Sat Jul 15 00:59:14 2000 +++ configure.in Tue Jul 25 00:23:52 2000 @@ -137,6 +137,11 @@ *-*-sunos4*) CFLAGS="$CFLAGS -DSUNOS4" AC_CHECK_FUNCS(getpwanam) + conf_utmp_location=/etc/utmp + conf_wtmp_location=/var/adm/wtmp + conf_lastlog_location=/var/adm/lastlog + MANTYPE='$(CATMAN)' + mansubdir=cat ;; *-sni-sysv*) CFLAGS="$CFLAGS -I/usr/local/include" ======================================================================== From mouring at pconline.com Thu Jul 27 06:10:07 2000 
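Review bot: the loginrec.c change in utmp_write_direct is correct as far as it goes (ut is a pointer, so sizeof(ut) wrote only a pointer-sized prefix of the record into the slot), but the `(void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET);` just above it still discards the seek result, so a bad slot from ttyslot or a short file leaves the write landing at whatever the current offset is. Check the seek before writing, e.g. `if (lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET) == -1) { log("utmp_write_direct: lseek %s: %s", UTMP_FILE, strerror(errno)); ... }` and bail out, and it is worth checking whether the other direct writers in loginrec.c use the same sizeof-of-a-pointer pattern.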
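Review bot: the defines.h hunk replaces flat, greppable `#if !defined(X) && defined(Y)` lines with three levels of nested `#ifndef`/`# ifdef`/`# else`, and the removed LASTLOG_FILE block shows the existing style already handles the CONF_* fallback in two lines, so the same behaviour with less nesting is to keep that form and add one pair per file: `#if !defined(UTMP_FILE) && defined(CONF_UTMP_FILE)` / `# define UTMP_FILE CONF_UTMP_FILE`. Two follow-ups: the `/* FIXME: put default paths back in */` comment above the block is left in place although CONF_* is now the default mechanism, and the hunk relies on configure turning conf_utmp_location, conf_wtmp_location and conf_lastlog_location into CONF_UTMP_FILE, CONF_WTMP_FILE and CONF_LASTLOG_FILE, which neither this hunk nor the configure.in hunk shows; confirm that the existing configure logic defines all three.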
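Review bot: the five new assignments in the `*-*-sunos4*` case overwrite conf_utmp_location, conf_wtmp_location and conf_lastlog_location unconditionally, so if a user passes explicit locations on the configure command line and those are parsed before this case statement, the SunOS4 defaults clobber them; guard each one so it only supplies a default, e.g. `test -z "$conf_utmp_location" && conf_utmp_location=/etc/utmp`. The `MANTYPE='$(CATMAN)'` and `mansubdir=cat` lines have nothing to do with utmp and are not mentioned in the message's "Fixed:" list; either document them there or split them into a separate patch.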
From: mouring at pconline.com (Ben Lindstrom)
Date: Wed, 26 Jul 2000 15:10:07 -0500 (CDT)
Subject: [2.1.1p4] utmp related patches plus unresolved bugs description
In-Reply-To: <200007261945.PAA26373@faucon.comm.polymtl.ca>
Message-ID:

On Wed, 26 Jul 2000, Charles Levert wrote:

[..]

> Remaining:
>
> -- At logout, the utmp entry cannot be cleared since ttyslot
> cannot find the offset for the terminal since it is the parent
> process that calls this stuff and it does not execute in the
> context of the terminal. It works at login since it is then
> done by the child process (the one that will eventually exec
> the user shell). The solution involves having the child
> process inform the parent process of the ttyslot and of the
> fact that a utmp entry was written at login and needs to be
> removed.
>

This is pretty much the same problem I had after getting logins to work under
NeXT. I could not see a clean way of doing it besides tracking the original
ttyslot() output until it was needed to clear the utmp file. I ended up just
tracking what tty the user was on and wrote a primitive ttyslot(char *) that
took in the tty and returned the slot to change.

That patch should help NeXT (I did something like that before, but it was not
as clean nor was finished) resolve its utmp/wtmp issues.

Ben.

From mfisk at lanl.gov Thu Jul 27 12:11:18 2000
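The ttyslot(char *) idea Ben describes, applied to the direct-slot write from Charles's loginrec.c hunk, as an added example in C that is not code from the patch or from the NeXT port. It assumes a reduced record standing in for the system struct utmp (only ut_line and ut_user are kept) and a scratch file in place of the real utmp; the lookup by tty line name is what lets the parent clear the entry at logout without a controlling terminal.

```c
/* Added example, not code from the patch or Ben's NeXT port: direct-slot utmp
 * handling with the thread's two points, sizeof(*ut) rather than sizeof(ut) for
 * the record size, and a ttyslot(char *) that finds the slot by tty line name. */
#define _XOPEN_SOURCE 700
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct rec {                        /* constructed stand-in for struct utmp */
    char ut_line[32], ut_user[32];  /* tty name; login name ("" = logged out) */
};

/* Retry until the whole buffer is written, as atomicio(write, ...) does. */
static ssize_t write_all(int fd, const void *buf, size_t n)
{
    size_t done = 0;
    while (done < n) {
        ssize_t r = write(fd, (const char *)buf + done, n - done);
        if (r <= 0) return -1;
        done += (size_t)r;
    }
    return (ssize_t)done;
}

/* ttyslot(char *): index of the record whose ut_line matches, or -1. The parent
 * at logout has no controlling tty, so the stock ttyslot() cannot be used. */
int slot_for_line(int fd, const char *line)
{
    struct rec r;
    if (lseek(fd, 0, SEEK_SET) < 0) return -1;
    for (int slot = 0; read(fd, &r, sizeof(r)) == (ssize_t)sizeof(r); slot++)
        if (strncmp(r.ut_line, line, sizeof(r.ut_line)) == 0) return slot;
    return -1;
}

/* Write *ut at the slot: the seek is checked and the size is sizeof(*ut). */
int write_slot(int fd, int slot, const struct rec *ut)
{
    if (slot < 0 || lseek(fd, (off_t)slot * (off_t)sizeof(*ut), SEEK_SET) < 0)
        return -1;
    return write_all(fd, ut, sizeof(*ut)) == (ssize_t)sizeof(*ut) ? 0 : -1;
}

/* Constructed scenario: two logins, then "ttyp1" is logged out by tty name
 * alone; returns the slot that was cleared (1), or -1 on any failure. */
int run_demo(void)
{
    char path[] = "/tmp/utmp-demo-XXXXXX";    /* scratch file, not the real utmp */
    struct rec a = { "ttyp0", "alice" }, b = { "ttyp1", "bob" };
    struct rec out = { "ttyp1", "" }, chk;     /* logout: line kept, user cleared */
    int fd = mkstemp(path), slot;
    if (fd < 0) return -1;
    unlink(path);
    if (write_slot(fd, 0, &a) || write_slot(fd, 1, &b) ||
        (slot = slot_for_line(fd, "ttyp1")) < 0 || write_slot(fd, slot, &out) ||
        lseek(fd, (off_t)slot * (off_t)sizeof(chk), SEEK_SET) < 0 ||
        read(fd, &chk, sizeof(chk)) != (ssize_t)sizeof(chk) || chk.ut_user[0])
        slot = -1;
    close(fd);
    return slot;
}
```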
From: mfisk at lanl.gov (Mike Fisk)
Date: Thu, 27 Jul 2000 02:11:18 +0000 (GMT)
Subject: sftp
In-Reply-To:
Message-ID:

On Fri, 21 Jul 2000, Pekka Savola wrote:

> On Thu, 20 Jul 2000, Gary E. Miller wrote:
> > > - data channels cannot be encrypted.
> > True. I am far more worried about my password than the data but
> > this is a problem for many. This could (should) be fixed in SSH.
>
> The most important thing, yes.
>
> Well, ftp is one of those "What the hell were they
> thinking.. oh it was 30 years ago" protocols;
> Encrypting these channels would require dynamic allocation of SSH
> forwardings, or a very special FTP client which would let you specify
> the port you want to use for FTP data.
>
> Can't be done, really.

Well, it can be done. The MindTerm SSH client looks at the data going over the
port 21 (FTP control) connection and proxies the data connection setup. It
dynamically requests the creation of a new tunnel and then modifies the control
data so that the tunnel is used.

--
Mike Fisk, RADIANT Team, Network Engineering Group, Los Alamos National Lab
See http://home.lanl.gov/mfisk/ for contact information

From mfisk at lanl.gov Thu Jul 27 12:18:24 2000
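The control-channel rewrite Mike attributes to MindTerm, as an added example in C that is not MindTerm's code, for the passive (PASV) direction only: the proxy parses the server's 227 reply, asks for a tunnel to the data endpoint, and hands the client a 227 that points at the local tunnel end. request_tunnel() is a stand-in for the SSH forwarding request, and the sample replies are constructed.

```c
/* Added example, not MindTerm code: the control-channel rewrite described above,
 * for the passive (PASV) direction. The proxy watches server replies; on a
 * "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" it learns the data endpoint,
 * asks for a tunnel to it (request_tunnel() stands in for the SSH forwarding
 * request) and hands the client a 227 that points at the local tunnel end. */
#include <stdio.h>
#include <string.h>

/* Parse a 227 reply into dotted host and port. Returns 1 on success, else 0. */
int parse_pasv(const char *reply, char host[16], unsigned *port)
{
    unsigned h[4], p[2];
    const char *open = strchr(reply, '(');
    if (strncmp(reply, "227", 3) != 0 || open == NULL)
        return 0;
    if (sscanf(open, "(%u,%u,%u,%u,%u,%u)", &h[0], &h[1], &h[2], &h[3],
               &p[0], &p[1]) != 6)
        return 0;
    for (int i = 0; i < 4; i++)
        if (h[i] > 255) return 0;          /* reject out-of-range octets */
    if (p[0] > 255 || p[1] > 255)
        return 0;
    snprintf(host, 16, "%u.%u.%u.%u", h[0], h[1], h[2], h[3]);
    *port = p[0] * 256 + p[1];
    return 1;
}

/* Stand-in for the dynamic tunnel request. In the real client this opens an
 * SSH forwarding to host:port and returns the local port that reaches it; here
 * it records the target (for inspection) and hands out the next local port. */
char last_target[32];
static unsigned next_local = 40000;
unsigned request_tunnel(const char *host, unsigned port)
{
    snprintf(last_target, sizeof(last_target), "%s:%u", host, port);
    return next_local++;
}

/* Proxy one server reply: a 227 is rewritten to 127.0.0.1:<local tunnel port>,
 * anything else passes through unchanged. Returns the line to give the client. */
const char *proxy_reply(const char *reply)
{
    static char out[128];
    char host[16];
    unsigned port, local;
    if (!parse_pasv(reply, host, &port)) {
        snprintf(out, sizeof(out), "%s", reply);
        return out;
    }
    local = request_tunnel(host, port);
    snprintf(out, sizeof(out), "227 Entering Passive Mode (127,0,0,1,%u,%u)\r\n",
             local / 256, local % 256);
    return out;
}
```

A malformed 227 (an octet above 255, or a missing field) is passed through untouched and consumes no local port, so the client never gets a rewritten address the proxy cannot back with a tunnel.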
From: mfisk at lanl.gov (Mike Fisk)
Date: Thu, 27 Jul 2000 02:18:24 +0000 (GMT)
Subject: scp over 2 hosts
In-Reply-To:
Message-ID:

On Thu, 20 Jul 2000, Stephan Hendl wrote:

> Hi folks,
>
> I have the that I must copy some through a Plag-Gateway of a Firewall
> over 2 host. A secure connection via "ssh -t hosta ssh -t hostb"
> works fine, but does this work with scp too? I could not realize it
> either with scp (1.2.27 of ssh.com) or scp from openssh. Do you have
> any ideas?

Yes, I do the following

    scp jdoe@firewall:joe@myserver:/tmp/source /tmp/dest

I use Kerberos authentication, however. I wrote the following note for some
internal documentation for F-Secure SSH. It may very well apply to OpenSSH:

SCP uses the same communications channel for transferring data that would be
used to prompt the user for a password. Further, the standard SCP client
insists on not forwarding RSA authentication or X-windows. Therefore the above
commands will normally work only if the internal machine (myserver) accepts
Kerberos tickets.

To allow scp to work with RSA keys or open a password authentication X-Window
(using ssh-askpass), you will need to do the following:

1. Download the scpssh Perl script to the client and remember the path to
   where you save it.
2. Make scpssh executable: chmod +x /path/to/scpssh
3. Always begin SCP commands with the -S option and the pathname of the
   scpssh: scp -S /path/to/scpssh

The scpssh script is as follows:

    #!/usr/local/bin/perl
    # Wrapper handed to scp via -S: drop the options scp adds to turn off
    # agent/RSA forwarding (-a), X11 forwarding (-x) and all forwardings,
    # then run the real ssh with whatever remains.
    use strict;
    use warnings;

    my @args;
    # defined() so an argument of "0" or "" does not end the loop early
    while (defined(my $arg = shift @ARGV)) {
        next if $arg eq "-x";
        next if $arg eq "-a";
        next if $arg eq "-oClearAllForwardings yes";
        push @args, $arg;
    }
    exec("/usr/local/bin/ssh", @args) or die "exec /usr/local/bin/ssh: $!";

--
Mike Fisk, RADIANT Team, Network Engineering Group, Los Alamos National Lab
See http://home.lanl.gov/mfisk/ for contact information

From Higdon.David at cnf.com Fri Jul 28 02:07:40 2000
From: Higdon.David at cnf.com (Higdon, David M - CNF)
Date: Thu, 27 Jul 2000 09:07:40 -0700
Subject: Permission Denied
Message-ID: <7B73D5F649D0D311B1E30008C7A4D92A020D8E5E@cnfqs029.cnf.com>

Solaris 8
Openssh 2.1.1p4
Openssl-0.9.5a
Zlib 1.1.3

Anyone know why one would get the permission denied error? It seems to be
failing on the "Doing passwd authentication" phase after the "Received
encrypted confirmation" phase. I have included the output of ssh -v.

Thanks,
David

# ssh -v hostname
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /usr/local/etc/ssh_config
debug: Applying options for *
debug: Command 'arp -a -n' timed out
debug: Command 'ipcs -a' timed out
debug: Seeded RNG with 34 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to hostname.cnf.com [10.0.114.69] port 22.
debug: Allocated local port 1023.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.1.1
debug: Local version string SSH-1.5-OpenSSH_2.1.1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'hostname.cnf.com' is known and matches the RSA host key.
debug: Seeded RNG with 31 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
Permission denied.
debug: Calling cleanup 0x3d6c8(0x0)
debug: Calling cleanup 0x3ffb8(0x0)
debug: writing PRNG seed to file //.ssh/prng_seed

From thorpe at weasel.lz.att.com Fri Jul 28 05:08:02 2000
From: thorpe at weasel.lz.att.com (Henry E. Thorpe)
Date: Thu, 27 Jul 2000 15:08:02 -0400
Subject: bug in lastlog logging?
Message-ID: <20000727150802.A31546@lynxhub.att.com>

Folks;

I couldn't find anything on my archive of the mailing list on this, and it may
just be my misunderstanding, but:

When I "ssh machine1 -l user1" as user2 on machine2, if user2 has the same uid
on machine1, then user2's name ends up in lastlog, instead of user1's. This is
a bit disconcerting when user2 is root, and root isn't allowed to remotely log
in on machine1.

I haven't dived into the code yet. Is the bug in openssh, or my understanding?

This is with machine1 running openssh-2.1.1p1 under RedHat Linux 6.2, and
machine2 being either openssh-2.1.0p2 on RedHat Linux 6.0, "SSH Version 1.2.26
[i386-unknown-freebsd3.1], protocol version 1.5" on FreeBSD 3.1-RELEASE, or
openssh-2.1.1p2 on Sparc/Solaris 2.6.

Please slap me if this is of no import.

--
____________________________________________________________
Henry E. Thorpe
AT&T Labs WorldNet Hosting Planning and Development
thorpe at lynxhub.att.com

From loomisg at cist.saic.com Fri Jul 28 05:21:57 2000
From: loomisg at cist.saic.com (Rip Loomis)
Date: Thu, 27 Jul 2000 15:21:57 -0400
Subject: Permission Denied
In-Reply-To: <7B73D5F649D0D311B1E30008C7A4D92A020D8E5E@cnfqs029.cnf.com>
Message-ID: <005a01bff7ff$eefb9710$275346d1@rloomis.cist.saic.com>

David--

That exact error doesn't look familiar. One method that has always helped me to
debug things like this, however, is to run both ends in debug mode. If you run
sshd in debug mode then it doesn't background itself and continues to print
output on the controlling terminal.

Start sshd on a non-standard port in debug mode:

    sshd -d -p 2022

Then ssh to the target system in verbose mode:

    ssh -v -p 2022 hostname

You might get more info that way as to exactly what's failing on the remote
end. I would hazard a guess that the permissions on some file don't allow the
user you're ssh-ing in as to overwrite something...

Hope this helps--

--Rip

-----Original Message-----
From: owner-openssh-unix-dev at mindrot.org
[mailto:owner-openssh-unix-dev at mindrot.org]On Behalf Of Higdon, David M - CNF
Sent: Thursday, July 27, 2000 12:08 PM
To: 'openssh-unix-dev at mindrot.org'
Subject: Permission Denied

Solaris 8
Openssh 2.1.1p4
Openssl-0.9.5a
Zlib 1.1.3

Anyone know why one would get the permission denied error? It seems to be
failing on the "Doing passwd authentication" phase after the "Received
encrypted confirmation" phase. I have included the output of ssh -v.

Thanks,
David

# ssh -v hostname
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /usr/local/etc/ssh_config
debug: Applying options for *
debug: Command 'arp -a -n' timed out
debug: Command 'ipcs -a' timed out
debug: Seeded RNG with 34 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to hostname.cnf.com [10.0.114.69] port 22.
debug: Allocated local port 1023.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.1.1
debug: Local version string SSH-1.5-OpenSSH_2.1.1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'hostname.cnf.com' is known and matches the RSA host key.
debug: Seeded RNG with 31 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
Permission denied.
debug: Calling cleanup 0x3d6c8(0x0)
debug: Calling cleanup 0x3ffb8(0x0)
debug: writing PRNG seed to file //.ssh/prng_seed

From loomisg at cist.saic.com Fri Jul 28 05:31:39 2000
From: loomisg at cist.saic.com (Rip Loomis)
Date: Thu, 27 Jul 2000 15:31:57 -0400
Subject: bug in lastlog logging?
In-Reply-To: <20000727150802.A31546@lynxhub.att.com>
Message-ID: <005b01bff801$49d69a80$275346d1@rloomis.cist.saic.com>

Henry--

Frequently, the login name that shows up in logs and such is the first account
listed in /etc/passwd with the correct UID. I've personally seen this in a lot
of other cases, although not specifically with OpenSSH. One of the steps we
normally do when hardening a system is to ensure that no two accounts have the
same UID--essentially, there is always a better solution.

Not 100% sure if this is what is causing the symptom you're seeing, but it sure
sounds like it. I think the answer is "Hey doc...it hurts when I do this!"
"Well, then don't do that any more."

Rip Loomis                      Voice Number: (410) 953-6874
--------------------------------------------------------
Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com

-----Original Message-----
From: owner-openssh-unix-dev at mindrot.org
[mailto:owner-openssh-unix-dev at mindrot.org]On Behalf Of Henry E. Thorpe
Sent: Thursday, July 27, 2000 3:08 PM
To: openssh-unix-dev at mindrot.org
Subject: bug in lastlog logging?

Folks;

I couldn't find anything on my archive of the mailing list on this, and it may
just be my misunderstanding, but:

When I "ssh machine1 -l user1" as user2 on machine2, if user2 has the same uid
on machine1, then user2's name ends up in lastlog, instead of user1's. This is
a bit disconcerting when user2 is root, and root isn't allowed to remotely log
in on machine1.

I haven't dived into the code yet. Is the bug in openssh, or my understanding?

This is with machine1 running openssh-2.1.1p1 under RedHat Linux 6.2, and
machine2 being either openssh-2.1.0p2 on RedHat Linux 6.0, "SSH Version 1.2.26
[i386-unknown-freebsd3.1], protocol version 1.5" on FreeBSD 3.1-RELEASE, or
openssh-2.1.1p2 on Sparc/Solaris 2.6.

Please slap me if this is of no import.

--
____________________________________________________________
Henry E. Thorpe
AT&T Labs WorldNet Hosting Planning and Development
thorpe at lynxhub.att.com

From rafi at ugcs.caltech.edu Fri Jul 28 12:55:06 2000
From: rafi at ugcs.caltech.edu (Rafi Rubin)
Date: Thu, 27 Jul 2000 19:55:06 -0700 (PDT)
Subject: Group permissions
Message-ID:

ssh supports an override for StrictModes which allows a user to use
group-writable .ssh directories. Is there an easy way to make openssh do this
(I didn't see options in the source)? Or is this worth adding?

Rafi

From emarshall at logic.net Sat Jul 29 07:45:55 2000
From: emarshall at logic.net (Edward S. Marshall)
Date: Fri, 28 Jul 2000 16:45:55 -0500 (CDT)
Subject: buildroot patch for 2.1.1p4
Message-ID:

Hi,

There's a small problem with 2.1.1p4; you can't build it outside of the source
tree without the small attached patch to Makefile.in.

Hope this helps.

--
Edward S. Marshall
http://www.nyx.net/~emarshal/
-------------------------------------------------------------------------------
[ Felix qui potuit rerum cognoscere causas. ]

-------------- next part --------------
24c24 < CFLAGS=@CFLAGS@ $(PATHS) @DEFS@ --- > CFLAGS=@CFLAGS@ $(PATHS) @DEFS@ -I at top_srcdir@ -I. 28a29 > MKINSTALLDIRS=@srcdir@/mkinstalldirs 121,125c122,126 < ./mkinstalldirs $(DESTDIR)$(bindir) < ./mkinstalldirs $(DESTDIR)$(sbindir) < ./mkinstalldirs $(DESTDIR)$(mandir) < ./mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1 < ./mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8 --- > $(MKINSTALLDIRS) $(DESTDIR)$(bindir) > $(MKINSTALLDIRS) $(DESTDIR)$(sbindir) > $(MKINSTALLDIRS) $(DESTDIR)$(mandir) > $(MKINSTALLDIRS) $(DESTDIR)$(mandir)/$(mansubdir)1 > $(MKINSTALLDIRS) $(DESTDIR)$(mandir)/$(mansubdir)8

From emarshall at mercantec.com Sat Jul 29 07:49:19 2000
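Review bot: the 121,125c122,126 hunk switches five `./mkinstalldirs` calls to `$(MKINSTALLDIRS)` but does not cover every invocation in Makefile.in; the revised patch that follows adds a `143c144` hunk for `./mkinstalldirs $(DESTDIR)$(sysconfdir); \`, so with only this version an out-of-tree `make install` still looks for ./mkinstalldirs in the build directory at the sysconfdir step. Apply the revised patch rather than this one.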
From: emarshall at mercantec.com (Edward S. Marshall)
Date: Fri, 28 Jul 2000 16:49:19 -0500 (CDT)
Subject: whoops, revised patch for buildroot in 2.1.1p4
Message-ID:

Whoops, missed a ./mkinstalldirs. Correct patch to Makefile.in is attached.

--
Edward S. Marshall              UNIX Administrator
http://www.nyx.net/~emarshal/   Mercantec, Inc.

-------------- next part --------------
24c24 < CFLAGS=@CFLAGS@ $(PATHS) @DEFS@ --- > CFLAGS=@CFLAGS@ $(PATHS) @DEFS@ -I at top_srcdir@ -I. 28a29 > MKINSTALLDIRS=@srcdir@/mkinstalldirs 121,125c122,126 < ./mkinstalldirs $(DESTDIR)$(bindir) < ./mkinstalldirs $(DESTDIR)$(sbindir) < ./mkinstalldirs $(DESTDIR)$(mandir) < ./mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1 < ./mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8 --- > $(MKINSTALLDIRS) $(DESTDIR)$(bindir) > $(MKINSTALLDIRS) $(DESTDIR)$(sbindir) > $(MKINSTALLDIRS) $(DESTDIR)$(mandir) > $(MKINSTALLDIRS) $(DESTDIR)$(mandir)/$(mansubdir)1 > $(MKINSTALLDIRS) $(DESTDIR)$(mandir)/$(mansubdir)8 143c144 < ./mkinstalldirs $(DESTDIR)$(sysconfdir); \ --- > $(MKINSTALLDIRS) $(DESTDIR)$(sysconfdir); \

From willday at rom.oit.gatech.edu Sat Jul 29 09:13:50 2000
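Review bot: in the 24c24 hunk, `-I at top_srcdir@` is the list archive's rewriting of `@` as ` at `; the text that goes into Makefile.in must read `-I@top_srcdir@` or configure will not substitute it. The include order also deserves a look: an out-of-tree build generates its headers in the build directory, so `-I.` should come before `-I@top_srcdir@` to keep a stale config.h left in the source tree from shadowing the freshly generated one.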
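Review bot: the 28a29 hunk defines `MKINSTALLDIRS=@srcdir@/mkinstalldirs` while the 24c24 hunk uses `@top_srcdir@`; for this single top-level Makefile the two resolve to the same directory, but using one of them consistently avoids the question of which was meant.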
From: willday at rom.oit.gatech.edu (Will Day)
Date: Fri, 28 Jul 2000 19:13:50 -0400
Subject: SUNWski
In-Reply-To: ; from bfriday@LaSierra.edu on Thu, Jul 20, 2000 at 01:46:27PM -0700
References: <20000720205304.5560DB47B@fleck.princetonecom.com> <7B73D5F649D0D311B1E30008C7A4D92A020D8E39@cnfqs029.cnf.com>
Message-ID: <20000728191350.A1813@rom.oit.gatech.edu>

A short time ago, at a computer terminal far, far away, Brian Friday wrote:
>Well I've got 3 systems running openssh and 2 of those 3 are running
>SUNWski successfully. Here is the breakdown:
>
> Sol 2.6 System: Has SUNWski but not SUNWlmsx
> Sol 7 System: Has SUNWski and SUNWlmsx (64-bit kernel) but when
> /etc/rc2.d/S50cryptorand starts it exits with the
> error message in our log files:
>
> cryptorand: kvm_open: Bad file number
>
> Sol 8 System: Has SUNWski and SUNWlmsx (32-bit kernel) no problems
> at all with this system.
>

Just now installing SUNWski today, I noticed that the SUNWski in patch
105710-01 appears to differ slightly from the SUNWski on the Solaris 7 Easy
Access Server 3.0 CD (seas_3_0). In particular, the SEAS3 version includes not
only:

    /usr/lib/security/cryptorand

but also:

    /usr/lib/security/sparcv9/cryptorand

which is what I think you'll need when running in 64-bit mode. Generally, it
looked to me like the version on the SEAS3 CD was dated later than the version
in the patch.

If you're not sure where yours came from, you should be able to do:

    pkgparam SUNWski VERSION

The patch version should report:

    1.0

and the SEAS3 version should report:

    1.0,REV=1998.09.24.00.00

--
Will Day                        OIT / O&E / Technical Support
willday at rom.oit.gatech.edu      Georgia Tech, Atlanta 30332-0715
-> Opinions expressed are mine alone and do not reflect OIT policy <-
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
Benjamin Franklin, Pennsylvania Assembly, Nov. 11, 1755