From costello at iki.fi Wed Mar 1 02:21:38 2000
From: costello at iki.fi (Antti Järvinen)
Date: Tue, 29 Feb 2000 17:21:38 +0200 (EET)
Subject: openssh for digital unix..
Message-ID: <14523.58087.172971.843990@cs72168.pp.htv.fi>

Well, the reason that you're reading this is that this is about the only e-mail address I could find on the OpenSSH web pages.

Story: with some tweaking (and with that probably introducing ten million security holes and two million little bugs) I did get OpenSSH 1.2.2 to compile under Digital Unix v4.0d with DEC C 5.6. If anybody is interested in diffs or binaries or anything, just drop me a line. I have done ugly things :-) and at least right now I don't subscribe to this list (openssh-unix-dev).

--
Antti Järvinen
costello at iki.fi
From: pault at bigplanet.net (Paul Tiemann)
Date: Wed, 01 Mar 2000 11:40:43 -0700
Subject: Problem in sshconnect.c?
Message-ID: <38BD642B.73F1B9F5@bigplanet.net>

Hey all,

I installed OpenSSH on a Red Hat 6.0 box using the 1.2.2 i386 RPMs, and I can't connect to it from other machines. I edited the sshd_config file and changed the ListenAddress from 0.0.0.0 to the machine's IP number.

The error I have been getting at first confused me, so I checked out the code, and found the function in the sshconnect.c file. The strange thing is that sometimes the error message is different (not less confusing, unfortunately). This is the error message I've been getting:

-> ssh_exchange_identification: read: Success

I have also got it to give me these error messages:

-> ssh_exchange_identification: read: Address already in use
-> ssh_exchange_identification: read: File not found (something to that effect)

It looks like the sshd on the server I am connecting to is not sending anything back to me when I try to connect, but I go to the server through telnet, and the /var/log/messages file logs the attempt to log in... So I know I'm getting through to the server at least... I put some debug printf statements in the loop right after the read() function call, and found that it would not even read one byte from the server I was connecting to... I tried for a few hours to troubleshoot any kinds of networking problems the box might have, but couldn't find anything...

If you want to try to ssh in to the box itself, it is www.cyboards.com. It should give you the same error message as I am getting. Any help you guys can give would be greatly appreciated.

Regards,
Paul Tiemann

//------------- Here's a code snip from the sshconnect.c file below

void
ssh_exchange_identification()
{
    char buf[256], remote_version[256];    /* must be same size! */
    int remote_major, remote_minor, i;
    int connection_in = packet_get_connection_in();
    int connection_out = packet_get_connection_out();

    /* Read other side's version identification. */
    for (i = 0; i < sizeof(buf) - 1; i++) {
        buf[i + 1] = 0;
        if (read(connection_in, &buf[i], 1) != 1)
            fatal("ssh_exchange_identification: read: %.100s", strerror(errno));
        if (buf[i] == '\r') {
            buf[i] = '\n';
            buf[i + 1] = 0;
            break;
        }
        if (buf[i] == '\n') {
            buf[i + 1] = 0;
            break;
        }
    }

From: pault at bigplanet.net (Paul Tiemann)
Date: Wed, 01 Mar 2000 11:49:15 -0700
Subject: SORRY!
Message-ID: <38BD662B.7A9BE11A@bigplanet.net>

I am very, very sorry for not having found this problem before. I just reported a problem I was having in the ssh_exchange_identification() function... My fault: I didn't look hard enough in the archives. Turns out that my problem was fixed by adding a line to my hosts.allow file.

Again, I'm sorry I didn't research the archives long enough to find the fix myself.

:Paul Tiemann
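The two messages above show the same symptom from both ends: the server closed the connection without sending anything, and the client's diagnostic was misleading. As an added example (not code from the thread or from OpenSSH), here is the client side of the version exchange in Python, driven against a constructed in-process peer over socketpair(). It shows why the 1.2.2 client printed "read: Success": read() returning 0 is end-of-file, not an error, and errno is left untouched, so strerror(errno) reports whatever the last failed call happened to leave behind ("Address already in use", "File not found"). An sshd built with tcp_wrappers that is denied by hosts.allow accepts the TCP connection and then closes it without writing its "SSH-1.5-OpenSSH-1.2.2" line, which is exactly this case. The names read_identification, parse_identification and simulate_exchange are mine; the sample banner is constructed.

```python
import os
import re
import socket
from typing import Optional, Tuple

# The 1.2.2 client used a 256-byte buffer and read at most sizeof(buf) - 1 bytes.
MAX_IDENT = 255
IDENT_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(.*)\n$")


class IdentError(Exception):
    """Raised when the peer's identification line cannot be read or parsed."""


def read_identification(sock: socket.socket) -> str:
    """Read the peer's "SSH-proto-software" line one byte at a time, as the C loop did.

    A CR ends the line and is stored as "\\n" (the C code rewrote '\\r' to '\\n'),
    so a CRLF peer leaves the LF unread, exactly like the original. Unlike the
    original, the three failure modes get distinct messages instead of one
    strerror(errno) that is meaningless on EOF.
    """
    buf = bytearray()
    while len(buf) < MAX_IDENT:
        try:
            chunk = sock.recv(1)
        except OSError as e:
            # A real error: errno is valid here and worth reporting.
            err = e.errno or 0
            raise IdentError("read: %s (errno %d)" % (os.strerror(err), err)) from e
        if not chunk:
            # read() returned 0: the peer closed the connection. errno is NOT set on
            # EOF, which is why the C client printed "read: Success" or a stale value.
            raise IdentError(
                "connection closed by peer after %d byte(s), before a full identification line "
                "(check tcp_wrappers / hosts.allow on the server)" % len(buf))
        c = chunk[0]
        if c == 0x0D:            # '\r': store as '\n' and stop, as the C loop did
            buf.append(0x0A)
            break
        buf.append(c)
        if c == 0x0A:            # '\n': end of line
            break
    else:
        raise IdentError("identification line longer than %d bytes" % MAX_IDENT)
    return buf.decode("ascii", errors="replace")


def parse_identification(line: str) -> Tuple[int, int, str]:
    """Split "SSH-1.5-OpenSSH-1.2.2\\n" into (1, 5, "OpenSSH-1.2.2")."""
    m = IDENT_RE.match(line)
    if m is None:
        raise IdentError("bad identification line: %r" % line)
    return int(m.group(1)), int(m.group(2)), m.group(3)


def simulate_exchange(server_sends: Optional[bytes]) -> str:
    """Drive read_identification() against a constructed in-process peer.

    server_sends=None models an sshd that, refused by tcp_wrappers, accepts the TCP
    connection and closes it without writing anything. Returns the identification
    line on success, or an "error: ..." string, so both outcomes are easy to compare.
    """
    client, server = socket.socketpair()
    try:
        if server_sends is not None:
            server.sendall(server_sends)
        server.close()
        try:
            return read_identification(client)
        except IdentError as e:
            return "error: %s" % e
    finally:
        client.close()


if __name__ == "__main__":
    # Constructed inputs: a healthy sshd and one that hangs up immediately.
    print(simulate_exchange(b"SSH-1.5-OpenSSH-1.2.2\r\n"))
    print(simulate_exchange(None))
```

The practical check when you see "read: Success" is therefore not the network but the server's access policy: a one-line hosts.allow entry, as Paul found, is the usual cause.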
From: rip at clark.net (Rip Loomis)
Date: Wed, 1 Mar 2000 14:33:17 -0500 (EST)
Subject: Post-compile RSA error with 1.2.2, Solaris 7, OpenSSL 0.9.5

I've been happily using the pre-packaged OpenSSH on my Debian systems for several weeks. Yesterday I finally started the process of getting OpenSSH up and running on all our Solaris boxes, to replace the existing (patched) 1.2.27 non-free version. (Our in-house patches to 1.2.27 include generation of kernel-level audit data for both IRIX and Solaris, and I want to port/contribute that code to OpenSSH).

What I did:

1. Installed a new fresh Solaris 7 box with all current Sun recommended patches.
2. Downloaded and installed the precompiled GCC 2.95.2 and perl 5.005.03 from sunfreeware.com
3. Downloaded source code for the following, compiled and installed with no problems:
   - OpenSSL 0.9.5
   - zlib 1.1.3
   - egd 0.6
4. Downloaded OpenSSH 1.2.2 tarball, compiled and installed. Some warnings, but nothing appeared significant.

Up to this point, everything looks fine. If I run ssh with no arguments, then I get the expected usage error message. If I try to ssh to a host that is running SSH, or I try to start the local sshd, I get (with the appropriate program name in place of $0):

$0: no RSA support in libssl and libcrypto -- exiting. See ssl(8)

I've looked through the archives and glanced at the source, but nothing jumps out as the obvious cause. Other folks seem to have OpenSSH up on Solaris 7 already--so does anyone have any hints as I start trying to RTFM and RTFS?

Note: After my first attempt blew up, I also tried (as an alternate method) downloading, compiling, installing, and linking against RSAREF2. That apparently worked okay, but the end result was the same. Any chance that SSH found the correct libraries at compile time, but can't find them at runtime?

--Rip
From: bent at clark.net (Ben Taylor)
Date: Wed, 1 Mar 2000 14:52:56 -0500 (EST)
Subject: Post-compile RSA error with 1.2.2, Solaris 7, OpenSSL 0.9.5

On Wed, 1 Mar 2000, Rip Loomis wrote:

> If I try to ssh to a host that is running SSH, or I try to start the local
> sshd, I get (with the appropriate program name in place of $0):
> $0: no RSA support in libssl and libcrypto -- exiting. See ssl(8)
>
> I've looked through the archives and glanced at the source, but nothing
> jumps out as the obvious cause. Other folks seem to have OpenSSH up
> on Solaris 7 already--so does anyone have any hints as I start trying to
> RTFM and RTFS?
>
> Note: After my first attempt blew up, I also tried (as an alternate
> method) downloading, compiling, installing, and linking against RSAREF2.
> That apparently worked okay, but the end result was the same. Any chance
> that SSH found the correct libraries at compile time, but can't find them
> at runtime?

Rebuild openssl. It has links into the rsaref2 code. Other than that, it sounds like my setup.

Ben
From: rip at clark.net (Rip Loomis)
Date: Wed, 1 Mar 2000 15:01:26 -0500 (EST)
Subject: Post-compile RSA error with 1.2.2, Solaris 7, OpenSSL 0.9.5

Ben--

Sorry I wasn't clear in my first message. I *have* rebuilt OpenSSL 0.9.5 linked against the RSAREF2 code, but OpenSSH still can't find any RSA support. (The error message is exactly the same). That tends to indicate that the problem isn't in OpenSSL, it's in the configuration of my local system or in the way OpenSSH autoconf works. (Another message asked if I was sure that RSA was enabled in OpenSSL--the answer is yes, since I compiled OpenSSL myself, and RSA is enabled by default).

It looks as though even though the autoconf notes that it found OpenSSL, there's a problem with my library paths such that libssl can't be found. I'm not sure yet, but I'm guessing that the problem is at runtime rather than compile time.

If anyone has other suggestions, feel free to send them directly to me, and I'll summarize to the list when I sort things out. Thanks--

--Rip

On Wed, 1 Mar 2000, Ben Taylor wrote:

> On Wed, 1 Mar 2000, Rip Loomis wrote:
>
> > If I try to ssh to a host that is running SSH, or I try to start the local
> > sshd, I get (with the appropriate program name in place of $0):
> > $0: no RSA support in libssl and libcrypto -- exiting. See ssl(8)
> >
> > I've looked through the archives and glanced at the source, but nothing
> > jumps out as the obvious cause. Other folks seem to have OpenSSH up
> > on Solaris 7 already--so does anyone have any hints as I start trying to
> > RTFM and RTFS?
> >
> > Note: After my first attempt blew up, I also tried (as an alternate
> > method) downloading, compiling, installing, and linking against RSAREF2.
> > That apparently worked okay, but the end result was the same. Any chance
> > that SSH found the correct libraries at compile time, but can't find them
> > at runtime?
>
> Rebuild openssl. It has links into the rsaref2 code. Other than
> that, it sounds like my setup.
>
> Ben

From: dgames at isoc.net (dgames at isoc.net)
Date: Wed, 1 Mar 2000 15:48:37 -0500
Subject: X11 forwarding between from Mandrake(sshd) to Caldera(ssh) doesn't work!
Message-ID: <20483720500044@isoc.net>

I am having great difficulty getting X11 forwarding to work between my openssh server (Linux Mandrake 6.1) and my openssh client (Caldera OpenLinux 2.x). I get "X11 connection rejected because of wrong authentication." on the Caldera box when I ssh into the Mandrake box and try to run any X app. If I make the Caldera box the server all is fine and works perfectly. Terminal connections via ssh work great in both directions.

On both boxes I downloaded the sources for openssh 1.2.2 and openssl 0.9.4, compiled and installed with defaults. I then enabled X11 forwarding in /etc/sshd/sshd_config and /etc/sshd/ssh_config.

Any help would be greatly appreciated. I am not a member of this list so CC's would also be very helpful.

Thanks in advance.

Dax Games
From: bent at clark.net (Ben Taylor)
Date: Wed, 1 Mar 2000 15:58:53 -0500 (EST)
Subject: Post-compile RSA error with 1.2.2, Solaris 7, OpenSSL 0.9.5

On Wed, 1 Mar 2000, Rip Loomis wrote:

> It looks as though even though the autoconf notes
> that it found OpenSSL, there's a problem with my
> library paths such that libssl can't be found.
> I'm not sure yet, but I'm guessing that the problem
> is at runtime rather than compile time.

Generally when I configure openssh on solaris, I have to add

env LDFLAGS="-R/usr/local/lib -L/usr/local/lib -L/usr/local/lib/ssl" ./configure

to get it to build without intervention. I haven't had a whole lot of time recently to work on this, but it sounds like this might be your problem.

Ben

> If anyone has other suggestions, feel free to send them
> directly to me, and I'll summarize to the list
> when I sort things out. Thanks--
>
> --Rip
>
> On Wed, 1 Mar 2000, Ben Taylor wrote:
>
> > On Wed, 1 Mar 2000, Rip Loomis wrote:
> >
> > > If I try to ssh to a host that is running SSH, or I try to start the local
> > > sshd, I get (with the appropriate program name in place of $0):
> > > $0: no RSA support in libssl and libcrypto -- exiting. See ssl(8)
> > >
> > > I've looked through the archives and glanced at the source, but nothing
> > > jumps out as the obvious cause. Other folks seem to have OpenSSH up
> > > on Solaris 7 already--so does anyone have any hints as I start trying to
> > > RTFM and RTFS?
> > >
> > > Note: After my first attempt blew up, I also tried (as an alternate
> > > method) downloading, compiling, installing, and linking against RSAREF2.
> > > That apparently worked okay, but the end result was the same. Any chance
> > > that SSH found the correct libraries at compile time, but can't find them
> > > at runtime?
> >
> > Rebuild openssl. It has links into the rsaref2 code. Other than
> > that, it sounds like my setup.
> >
> > Ben

From: victorm at genesys.ro (Victor Meghesan)
Date: Thu, 2 Mar 2000 10:35:49 +0200 (EET)
Subject: wtmp bug in OpenSSH

Hello,

I recently switched from SSH-1.2.27 to OpenSSH-1.2.2 and I found this bug: OpenSSH-1.2.2 (SSH-1.5-OpenSSH-1.2.2) does not update the wtmp file.

Software: Linux/Unix port of OpenSSH version 1.2.2
OS: Linux Slackware 3.6 & 4.0 (x86)
Problem: When logging in/out via sshd there is no update to the wtmp file

--
Victor Meghesan

From: skh at yarene.elektra.ru (Sergey Nikolaevich Khorev)
Date: Thu, 2 Mar 2000 11:34:58 +0300
Subject: Is it securely: `hostname`:10 ?
Message-ID: <20000302113458.A8018@yarene.elektra.ru>

Hello,

I am using OpenSSH 1.2.1 on Solaris 2.6. I am using X forwarding intensively. During work OpenSSH creates a display like `hostname`:10. Is it secure?? Why not 127.0.0.1:10 or localhost:10?

Best regards
Sergey Khorev.
From: djm at mindrot.org (Damien Miller)
Date: Thu, 2 Mar 2000 21:09:38 +1100 (EST)
Subject: Is it securely: `hostname`:10 ?
In-Reply-To: <20000302113458.A8018@yarene.elektra.ru>

On Thu, 2 Mar 2000, Sergey Khorev wrote:

> Hello,
> I am using OpenSSH 1.2.1 on Solaris 2.6.
> I am using X forwarding intensively. During work OpenSSH creates
> display like `hostname`:10. Is it securely?? Why not 127.0.0.1:10 or
> localhost:10 ?

Where "hostname" is the machine you logged in _to_.

If the target does not know its own hostname then things are very broken.

IIRC some broken Unices (references?) autodetect localhost:xx $DISPLAYs and start using shared memory to communicate.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
From: Nigel.Metheringham at VData.co.uk (Nigel Metheringham)
Date: Thu, 02 Mar 2000 10:58:27 +0000
Subject: Is it securely: `hostname`:10 ?
In-Reply-To: Message from Damien Miller of "Thu, 02 Mar 2000 21:09:38 +1100."

djm at mindrot.org said:
> If the target does not know its own hostname then things are very
> broken.
> IIRC some broken Unices (references?) autodetect localhost:xx
> $DISPLAYs and starting using shared memory to communicate.

This certainly happens on Linux/XFree - I think it actually uses a local socket rather than shmem, but the communication method is not the same as for other IP addresses.

To make life more complicated, a machine that gets its IP address from DHCP or similar may have an entry in hosts for its machine name but with 127.0.0.1 (saves rewriting hosts on each address acquisition).

It would be good if openssh could handle this brokenness effectively.

Nigel.
--
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham                Nigel.Metheringham at VData.co.uk ]
[ Phone: +44 1423 850000                         Fax +44 1423 858866 ]
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Thu, 02 Mar 2000 11:36:44 +0000
Subject: Is it securely: `hostname`:10 ?
Message-ID: <38BE524C.7C2F1FE3@dial.pipex.com>

Nigel Metheringham wrote:
>
> djm at mindrot.org said:
> > IIRC some broken Unices (references?) autodetect localhost:xx
> > $DISPLAYs and starting using shared memory to communicate.
> This certainly happens on Linux/XFree - I think it actually uses a
> local socket rather than shmem, but the communication method is not the
> same as for other IP addresses.

HPUX uses shmem.

> To make life more complicated, a machine that gets its IP address from
> DHCP or similar may have an entry in hosts for its machine name but
> with 127.0.0.1 (saves rewriting hosts on each address acquisition).
>
> It would be good if openssh could handle this brokenness effectively.

You could add '--with-ipaddr-display' to your configure options to get DISPLAY in the form '192.168.1.1:10'. However, if the host returns 127.0.0.1 as the first address from gethostbyname(hostname) then this might not work as expected. If, as has been said, some hosts use an AF_UNIX socket whenever they detect the loopback address, this still won't work.

I started making changes to this code to check for the loopback address in the list of addresses returned by gethostbyname(). However, I'm not sure how this would work with IPv6 (I've not really coded anything for v6 yet, and I don't have an IPv6 box to test it on at work) so I stopped.

All I think needs done is, instead of just memcpy()ing h_addr_list[0] as the IP address, take the first address that isn't 127.0.0.1, or use that address as the last resort if no others are available.

-Andre
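Andre's closing paragraph describes a small address-selection rule: walk the list gethostbyname() returned, take the first address that is not loopback, and fall back to loopback only if nothing else exists. The block below is an added example of that rule in Python (not code from the thread or from OpenSSH), with the twist Nigel raises later in the thread already built in: it treats the whole 127.0.0.0/8 as loopback (and ::1 for v6), so a hosts-file entry of 127.0.0.2 is not mistaken for a routable address. It also returns a warning when only loopback addresses are available, since that is the case where an Xlib with the local-connection shortcut will quietly ignore the TCP meaning of host:N. The address lists in the test are constructed; the formatting of IPv6 literals inside DISPLAY is not addressed here, and the names choose_display_address, build_display and local_addresses are mine.

```python
import ipaddress
import socket
from typing import List, Optional, Tuple


def choose_display_address(addrs: List[str]) -> Optional[str]:
    """Pick the address sshd should put in DISPLAY.

    Returns the first address that is not loopback; if every address is loopback,
    returns the first one as a last resort; None for an empty list. ipaddress knows
    that all of 127.0.0.0/8 and ::1 are loopback, so 127.0.0.2 is treated correctly.
    """
    parsed = [ipaddress.ip_address(a) for a in addrs]
    for ip in parsed:
        if not ip.is_loopback:
            return str(ip)
    return str(parsed[0]) if parsed else None


def build_display(hostname: str, addrs: List[str], display: int,
                  screen: int = 0, use_ip: bool = True) -> Tuple[str, Optional[str]]:
    """Return (DISPLAY value, warning-or-None).

    use_ip=False gives the default "hostname:10.0" form; use_ip=True gives the
    --with-ipaddr-display form using choose_display_address(). A warning is
    returned when no usable non-loopback address exists, because an Xlib with the
    local-connection shortcut may then bypass the forwarded TCP port entirely.
    """
    if not use_ip:
        return "%s:%d.%d" % (hostname, display, screen), None
    host = choose_display_address(addrs)
    if host is None:
        return ("%s:%d.%d" % (hostname, display, screen),
                "no addresses known for %s; fell back to the hostname" % hostname)
    warning = None
    if ipaddress.ip_address(host).is_loopback:
        warning = ("only loopback addresses available for %s; an Xlib with the "
                   "local-connection shortcut may bypass the forwarded port" % hostname)
    return "%s:%d.%d" % (host, display, screen), warning


def local_addresses(hostname: str) -> List[str]:
    """What sshd gets from gethostbyname(): every address, in resolver order.
    Needs a resolver, so it is not exercised by the offline checks below."""
    return socket.gethostbyname_ex(hostname)[2]


if __name__ == "__main__":
    # Constructed resolver answers: the DHCP case Nigel describes, and an all-loopback host.
    print(build_display("box", ["127.0.0.1", "192.168.1.1"], 10))
    print(build_display("box", ["127.0.0.1"], 10))
```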
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 2 Mar 2000 12:42:19 +0100
Subject: Is it securely: `hostname`:10 ?
In-Reply-To: ; from djm@mindrot.org on Thu, Mar 02, 2000 at 09:09:38PM +1100
References: <20000302113458.A8018@yarene.elektra.ru>
Message-ID: <20000302124219.A3898@folly.informatik.uni-erlangen.de>

On Thu, Mar 02, 2000 at 09:09:38PM +1100, Damien Miller wrote:
> IIRC some broken Unices (references?) autodetect localhost:xx
> $DISPLAYs and starting using shared memory to communicate.

the X lib is buggy:

>From: per at erix.ericsson.se (Per Hedeland)
>Newsgroups: comp.security.ssh
>Subject: Re: X forwarding works w/ some progs, not others
>Date: 16 Dec 1999 11:24:29 GMT
>Organization: Ericsson Utvecklings AB, Stockholm, Sweden
>Message-ID: <83ai5d$65p$1 at news.du.uab.ericsson.se>
>References: <83abh4$mif$1 at pegasus.csx.cam.ac.uk>

In article <83abh4$mif$1 at pegasus.csx.cam.ac.uk>, pjb1008 at cus.cam.ac.uk (Peter Benie) writes:
>In article ,
>Steven A. Richman wrote:
>>Programs that work include: emacs, xv, xcalc, x3270, xfontsel, xbiff,
>>acroread, xgremlin, xman, and xedit.
>>Programs that don't work include: xterm, xemacs, gv, netscape, xlogo,
>>xmag, xdvi... and most others.
>
>Another problem is that some X libraries are too clever and spot local
>displays and force the use of the UDP sockets in /tmp. Are some of your
>programs linked with different versions of the X libraries? If they are,
>check how the X client is trying to make the connection to the X server by
>running the client under strace.

This is almost certainly the case (and has been mentioned a couple of times before here - they aren't UDP sockets though). Recent versions of Xlib from x.org (at least the one in X11R6.4) have an extremely brain-dead "optimization" that does just this - totally disregarding the fact that the semantics of DISPLAY=<host>:<display>[.<screen>] have always been "use TCP", while you'd leave out the <host> part to request connection via Unix domain socket / named pipe.

Steven wrote that sshd/X-client was on Solaris 7, I haven't tried it there but the Xlib that ships with Solaris 2.6 while X11R6-based does *not* have this problem - however if you've also installed the version from x.org you get precisely this kind of mixed behaviour depending on how the different clients were built (might even be dependent on LD_LIBRARY_PATH etc settings at runtime).

Below is the patch I applied to my X11R6.4 installation to just get rid of this nonsense - as libX11 is shared you "just" need to rebuild and re-install it to fix all the broken clients in one sweep. (Unless you have multiple broken versions installed, that is...:-)

A workaround would be to change the DISPLAY setting to use <ip-address>:x.y instead of <hostname>:x.y - actually you can even get sshd to do that for you, if you #define NONSTANDARD_IP_ADDRESS_X11_KLUDGE in config.h and rebuild - not sure if that works in the old 1.2.22 though.

--Per Hedeland
per at erix.ericsson.se

--- X11R6.4/xc/lib/X11/ConnDis.c.ORIG	Fri Feb  6 23:12:07 1998
+++ X11R6.4/xc/lib/X11/ConnDis.c	Thu Oct 15 12:43:15 1998
@@ -177,6 +177,11 @@
     p = lastc;
+/* This is broken - no reason to assume there is anyone listening on
+   the named pipe or whatever just because it is listening on the TCP
+   socket. Plus it's broken even if that were true due to strncmp
+   potentially matching a substring of the display-hostname. /Per H */
+#if 0
 #ifdef LOCALCONN
     /* check if phostname == localnodename */
     if (phostname && uname(&sys) >= 0 &&
@@ -185,6 +190,7 @@
 	Xfree (phostname);
 	phostname = copystring ("unix", 4);
     }
+#endif
 #endif
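Review bot: the `+#if 0` in the first hunk switches off the entire `#ifdef LOCALCONN` block instead of fixing the comparison the new comment complains about, and it leaves dead code in the tree. The comment makes two separable points: the `strncmp` can match a mere prefix of the display hostname, and `host:N` should mean TCP regardless of which host it names. If the second point is the intended semantics, delete the block rather than `#if 0` it and keep the four-line explanation in the commit message; if only the first is, replace the `strncmp` with a full-string compare against `sys.nodename` (the `struct utsname` that `uname(&sys)` fills) and keep the shortcut. Note also that the `+#endif` in the second hunk is what closes this `#if 0`, so the two hunks cannot be applied or reverted independently; the missing context lines between `if (phostname && uname(&sys) >= 0 &&` and `Xfree (phostname);` are not visible here, so the exact comparison being disabled cannot be reviewed from this copy.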
From: Nigel.Metheringham at VData.co.uk (Nigel Metheringham)
Date: Thu, 02 Mar 2000 11:51:33 +0000
Subject: Is it securely: `hostname`:10 ?
In-Reply-To: Message from Andre Lucas of "Thu, 02 Mar 2000 11:36:44 GMT." <38BE524C.7C2F1FE3@dial.pipex.com>

andre.lucas at dial.pipex.com said:
> You could add '--with-ipaddr-display' to your configure options to get
> DISPLAY in the form '192.168.1.1:10'. However, if the host returns
> 127.0.0.1 as the first address from gethostbyname(hostname) then this
> might not work as expected. If, as has been said, some hosts use an
> AF_UNIX socket whenever they detect the loopback address, this still
> won't work.

Another seriously tacky solution would be to check the hostname/ip mapping of the display hostname, and if it points to 127.0.0.1, change it so that you use 127.0.0.2 as the display hostname.

Believe it or not this does work on the boxes I tried - the code that does the loopback "optimization" isn't bright enough to realise that in general the whole 127.0.0.0/8 network is looped.

Nigel.
--
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham                Nigel.Metheringham at VData.co.uk ]
[ Phone: +44 1423 850000                         Fax +44 1423 858866 ]

From: pp at pietrek.priv.pl (piotr pogorzelski)
Date: Fri, 3 Mar 2000 08:58:25 +0100
Subject: small bug in ssh-copy-id
Message-ID: <87hfeopk7l.fsf@pietrek.priv.pl>

Hi,

I'm using Debian with OpenSSH (Deb)Version: 1:1.2.2-1.3. Debian uses ssh-agent to start the window manager. Trying to use ssh-copy-id without using ssh-add ends up with the string 'The agent has no identities.' landing in the remote ~/.ssh/authorized_keys.

--
piotr pogorzelski
From: jmknoble at pobox.com (Jim Knoble)
Date: Fri, 3 Mar 2000 03:19:01 -0500
Subject: small bug in ssh-copy-id
In-Reply-To: <87hfeopk7l.fsf@pietrek.priv.pl>; from piotr pogorzelski on Fri, Mar 03, 2000 at 08:58:25AM +0100
References: <87hfeopk7l.fsf@pietrek.priv.pl>
Message-ID: <20000303031901.B2184@quipu.earth>

What's ssh-copy-id? I've never heard of that. It doesn't come with the openssh-1.2.2 tarball, that i know of.

--
jim knoble
jmknoble at pobox.com

On 2000-Mar-03 at 08:58:25 +0100, piotr pogorzelski wrote:

: I'm using Debian with OpenSSH (Deb)Version: 1:1.2.2-1.3 .
: Debian uses ssh-agent to start window manager.
: Trying to use ssh-copy-id without using ssh-add
: ends up with string 'The agent has no identities.' landing
: in remote `/.ssh/authorized_keys.
From: sen_ml at eccosys.com (sen_ml at eccosys.com)
Date: Fri, 03 Mar 2000 17:26:56 +0900
Subject: limiting port forwarding? (do better than just 'on' or 'off'?)
References: <19991218114559I.1000@eccosys.com>
Message-ID: <20000303172656J.1000@eccosys.com>

thanks for responding. i don't know how i missed your response :-( my apologies. my comments follow below.

> i would like to be able to have users access a specific set of
> ports (and no others) on a machine running an ssh daemon via ssh's
> port-forwarding.
>
> i was thinking of doing this by not providing shell access (so
> using an appropriate command="command" option in each user's
> authorized_keys file), but i did not find an appropriate keyword
> for the sshd configuration file to control which ports should be
> permitted to be forwarded. i know about the AllowTcpForwarding
> keyword, but it does not appear to allow the granularity of control
> i would like, to put it mildly ;-)

djm> I was thinking of doing something along these lines. The mechanism
djm> I had in mind was a /etc/ssh/portforward file (suggestions for a
djm> better name welcomed) containing the following fields:
djm>
djm> username group remote_addr remote_port
djm>
djm> username could be a name, uid or an asterisk meaning "any"
djm> group could be a name, gid or an asterisk meaning "any"
djm> remote_addr could be a hostname, ip address or network in CIDR format
djm> remote_port could be a service name, port, port range (numbers with a
djm> hyphen between them) or an asterisk.
djm>
djm> That which is not implicitly allowed would be denied. We could ship a
djm> default file of "* * * *" for backwards compatibility.
djm>
djm> Thoughts?

one thing that comes to mind is that i would like to be able to have the limiting apply per authorized key. clearly, when using the tcp forwarding limiting, shell access should be denied for the limiting to be of any use.

one scenario i have in mind is to provide a dummy account which is used by all users of the ssh service. users are told apart by which rsa key is used for authentication -- each entry in the authorized_keys file is treated as a "user".

imho, ideally, there would be a virtual user mechanism that could be shared by all services (e.g. ssh, pop, etc.) on a machine -- afaik, once you create a user under the current unix user mechanism, this allows code to run under the corresponding user id. i'd prefer not to have to think about that scenario. w/ such a user mechanism, i would be happy w/ the method you outlined concerning how to configure the limiting of port-forwarding. afaik, no such user mechanism exists (even if it does, it certainly doesn't seem widespread), so i guess that point is moot.

since shell access for users should be denied if port forwarding is to be limited, if you are going to be doing a per-user configuration of port forwarding, it seems reasonable to place the limiting settings inside ~/.ssh in some file. if authorized_keys is used, the settings could go in there. if not, a separate file could exist. i guess there is the issue of whether you prefer to have these settings distributed or all in one place...

what do you think?
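Damien's quoted proposal is a small policy language: four whitespace-separated fields per line, wildcards, CIDR networks, port ranges, first match wins and default deny. The block below is an added example (not code from the thread or from OpenSSH) of a parser and matcher for that format in Python. It implements the parts of the proposal that can be checked offline: names or numeric uid/gid for the first two fields, IP addresses and CIDR prefixes for the third (hostnames would need a resolver and are left out), and numeric ports and ranges for the fourth (service names via getservbyname() are left out for the same reason). A match returns the line number of the rule that allowed the forward, which is what you want in the sshd log. The policy text is constructed for the demonstration; the names Rule, parse_rules and forward_allowed are mine. sen_ml's per-key variant would reuse the same matcher with the rule text taken from an authorized_keys option instead of the file.

```python
import ipaddress
import re
from typing import List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
PORT_RE = re.compile(r"^(\d+)(?:-(\d+))?$")


class Rule:
    """One line of the proposed /etc/ssh/portforward file."""

    def __init__(self, user: str, group: str, net: Optional[Net],
                 ports: Optional[Tuple[int, int]], lineno: int):
        self.user, self.group, self.net, self.ports, self.lineno = user, group, net, ports, lineno

    def matches(self, user: str, uid: int, group: str, gid: int, addr: str, port: int) -> bool:
        """'*' matches anything; a name matches by name, a number by uid/gid."""
        if self.user not in ("*", user, str(uid)):
            return False
        if self.group not in ("*", group, str(gid)):
            return False
        if self.net is not None and ipaddress.ip_address(addr) not in self.net:
            return False
        if self.ports is not None and not (self.ports[0] <= port <= self.ports[1]):
            return False
        return True


def parse_ports(field: str) -> Optional[Tuple[int, int]]:
    """'*' -> None (any); '22' -> (22, 22); '8000-8100' -> (8000, 8100)."""
    if field == "*":
        return None
    m = PORT_RE.match(field)
    if m is None:
        raise ValueError("bad port field %r (service names are not handled here)" % field)
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not (0 < lo <= hi <= 65535):
        raise ValueError("port range out of order or out of range: %r" % field)
    return lo, hi


def parse_rules(text: str) -> List[Rule]:
    """Parse the whole file. Blank lines and '#' comments are skipped; a malformed
    line is a hard error, because a silently dropped rule changes the policy."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError("line %d: expected 4 fields, got %d" % (lineno, len(fields)))
        user, group, addr, ports = fields
        # strict=False lets a bare address stand for a /32 (or /128) network.
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        rules.append(Rule(user, group, net, parse_ports(ports), lineno))
    return rules


def forward_allowed(rules: List[Rule], user: str, uid: int, group: str, gid: int,
                    addr: str, port: int) -> Optional[int]:
    """Default deny: the line number of the first matching rule, or None if nothing matches."""
    for r in rules:
        if r.matches(user, uid, group, gid, addr, port):
            return r.lineno
    return None


# Constructed policy for the demonstration (not a real file).
EXAMPLE_POLICY = """\
# user  group  remote_addr     remote_port
alice   *      10.0.0.5        80
*       wheel  10.0.0.0/24     8000-8100
*       *      192.168.0.0/16  *
"""

if __name__ == "__main__":
    rules = parse_rules(EXAMPLE_POLICY)
    print(forward_allowed(rules, "alice", 1000, "users", 100, "10.0.0.5", 80))    # 2
    print(forward_allowed(rules, "bob", 1001, "users", 100, "10.0.0.5", 80))      # None
```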
From: phil at hands.com (Philip Hands)
Date: 03 Mar 2000 09:10:02 +0000
Subject: small bug in ssh-copy-id
In-Reply-To: <20000303031901.B2184@quipu.earth> (Jim Knoble's message of "Fri, 3 Mar 2000 03:19:01 -0500")
References: <87hfeopk7l.fsf@pietrek.priv.pl> <20000303031901.B2184@quipu.earth>
Message-ID: <87hfeo4dxx.fsf@sheikh.hands.com>

Jim Knoble writes:

> What's ssh-copy-id? I've never heard of that. It doesn't come with
> the openssh-1.2.2 tarball, that i know of.

It's a script I knocked up and included in the Debian package. It's been included in the Debian patches that I've submitted to Damien for several releases, but he either didn't like it or didn't notice.

It's for getting RSA logins up and running in short order; you run this:

ssh-copy-id user at machine

and it uses ssh to install your identity into the remote .ssh/authorized_keys, and to ensure that the permissions of files and directories are set correctly.

Obviously, you need to be able to log in for this to work, so either password logins need to be enabled, or you need to populate your ssh-agent with a key that already works, along with the new key(s) you want to add.

Cheers, Phil.
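Piotr's report and Phil's description together define what the script has to get right: only lines that actually are public keys may reach authorized_keys, an empty agent must abort rather than install a message string, duplicates should not pile up, and the directory and file modes must end up 0700 and 0600. The block below is an added example (not the Debian script and not OpenSSH code) of those four pieces in Python. It goes slightly beyond the page in accepting the SSH2 "ssh-rsa <base64>" line form as well as the SSH1 "bits exponent modulus" form the thread is about; the SSH2 check decodes the blob and confirms it starts with the length-prefixed key type named in the first field. The sample key lines are constructed and carry no usable key material; collect_keys, merge_authorized_keys and install_keys are my names.

```python
import base64
import os
import re
import struct
from typing import List, Tuple

SSH1_RE = re.compile(r"^(\d+) (\d+) (\d+)(?: (.*))?$")                     # bits exponent modulus [comment]
SSH2_RE = re.compile(r"^(ssh-rsa|ssh-dss) ([A-Za-z0-9+/=]+)(?: (.*))?$")    # type base64 [comment]


def is_public_key_line(line: str) -> bool:
    """True only for a line that parses as an SSH1 RSA or SSH2 public key.
    Anything else, including 'The agent has no identities.', is rejected."""
    m1 = SSH1_RE.match(line)
    if m1:
        bits, exp, mod = int(m1.group(1)), int(m1.group(2)), int(m1.group(3))
        return 512 <= bits <= 16384 and 1 < exp < mod
    m2 = SSH2_RE.match(line)
    if m2:
        try:
            blob = base64.b64decode(m2.group(2), validate=True)
        except ValueError:          # binascii.Error is a ValueError
            return False
        if len(blob) < 4:
            return False
        n = struct.unpack(">I", blob[:4])[0]
        return len(blob) >= 4 + n and blob[4:4 + n] == m2.group(1).encode()
    return False


def collect_keys(agent_output: str) -> List[str]:
    """Filter `ssh-add -L` output down to the lines that really are public keys."""
    return [l.strip() for l in agent_output.splitlines() if is_public_key_line(l.strip())]


def key_identity(line: str) -> Tuple[str, ...]:
    """The key material without its comment, used to detect duplicates."""
    m1 = SSH1_RE.match(line)
    if m1:
        return ("ssh1", m1.group(2), m1.group(3))
    m2 = SSH2_RE.match(line)
    return (m2.group(1), m2.group(2))


def merge_authorized_keys(existing: str, new_keys: List[str]) -> str:
    """Append keys not already present (comments ignored); existing content is kept verbatim."""
    lines = existing.splitlines()
    seen = {key_identity(l.strip()) for l in lines if is_public_key_line(l.strip())}
    out = list(lines)
    for k in new_keys:
        ident = key_identity(k)
        if ident not in seen:
            out.append(k)
            seen.add(ident)
    return "\n".join(out) + ("\n" if out else "")


def install_keys(ssh_dir: str, new_keys: List[str]) -> str:
    """Create ssh_dir (0700) and authorized_keys (0600) as needed, merge, return the path.
    Refuses to touch the file when no valid keys were supplied, which is the reported bug."""
    if not new_keys:
        raise ValueError("no public keys to install (is ssh-agent loaded? run ssh-add)")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)                      # not subject to umask
    path = os.path.join(ssh_dir, "authorized_keys")
    existing = ""
    if os.path.exists(path):
        with open(path) as f:
            existing = f.read()
    merged = merge_authorized_keys(existing, new_keys)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(merged)
    os.chmod(path, 0o600)
    return path


# Constructed sample lines (not real keys): an SSH1 RSA line and a syntactically valid SSH2 line.
SAMPLE_SSH1 = "1024 35 1234567890123456789 alice@constructed"
SAMPLE_SSH2 = "ssh-rsa " + base64.b64encode(
    struct.pack(">I", 7) + b"ssh-rsa" + b"\x00\x00\x00\x01\x03").decode() + " bob@constructed"

if __name__ == "__main__":
    print(collect_keys("The agent has no identities.\n"))          # []
    print(collect_keys(SAMPLE_SSH1 + "\n" + SAMPLE_SSH2 + "\n"))   # both lines
```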
From: mfisk at lanl.gov (Mike Fisk) Date: Fri, 3 Mar 2000 17:08:02 +0000 (GMT) Subject: SSH & xauth (fwd) In-Reply-To: Message-ID: I have a suggestion that I think would be useful to implement. People who have seen the Firewall Toolkit's X proxy will find this suggestion familiar. The fwtk provides a small proxy that users set their DISPLAY to. Whenever a new connection is initiated to that proxy, the proxy pops-up a dialog box on the user's real DISPLAY. The user must agree to accept that incoming connection before the proxy will forward the data from it. The ssh client could be made to, whenever an X tunnel was opened, run an external dialog program, before the client would accept the tunnel. Depending on the exit status of that program, the connection would either be allowed on rejected. Presumably this functionality would be optional (but perhaps enabled by default). Of course there is a tendancy for users to treat dialog boxes as a reflex test and to click them without reading them. However, this mechanism does provide a way for cautious users to enable X forwarding without blindly allowing all X clients to connect. Comments, ambitious coders? On Mon, 28 Feb 2000, Gary E. Miller wrote: > Have you guys been following the SSH discussion on Bugtraq lately? > > I like their idea the X forwarding should be OFF by default on the > client. > > RGDS > GARY > --------------------------------------------------------------------------- > Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701 > gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676 > > ---------- Forwarded message ---------- > Date: Fri, 25 Feb 2000 21:52:15 -0500 
> From: Robert Watson > Reply-To: Robert Watson > To: BUGTRAQ at SECURITYFOCUS.COM > Subject: Re: SSH & xauth > > This is a very round-about way of observing that allowing X11 forwarding > from a client to any untrusted server (by any means -- sshd, xauth, common > accounts, poor file permissions, compromised kernel, etc, etc) with the > current SSH clients results in security problems (which you observe). > > What's more curious is that in OpenSSH, which I observed some time ago, > the default configuration is to enable X11 forwarding in the client and > disable it in the server. This is, of course, backwards, as the client is > the one accepting risk by forwarding X11, not the server. :-) > > If you search back a few years in the bugtraq archives, you'll see that > one suggestion for dealing with this, and still allowing X11 forwarding > from untrusted clients, is to use the Xnest server, limiting access by the > ssh client to that DISPLAY. As I observed at the time, Xnest was probably > not designed with this use in mind, and as such is probably ``breakable,'' > meaning that a pursuaded party might be able to gain access to the proper > display through exploiting weaknesses in the Xnest server. I have not > audited the Xnest code to verify that this is or is not the case. > > I believe at the time, Alan Cox responded with information about using the > Broadway extensions to limit access by specific applications to other X11 > applications, the X event queue, etc. These messages were circa 1997, and > should appear in bugtraq archives. > > Presumably the correct configuration is for clients to disable X11 by > default, and only have it enabled specifically by the user via appropriate > flags to ssh, or via the config file. You could imagine a more > comprehensive interface to new host key adoption that also inquired as to > a trust level for X11 forwarding using Broadway, etc. 
In this manner, the > user could specify ``limited'' access that would be sandboxed, not > allowing access to screen data, X event queue access, etc, ``full,'' or > ``none.'' With a little imagination, you could even imagine it spawning > an Xnest to generate a sandbox for remote access. > > I would conclude by observing that this is *very* old news--the only new > news is that it has not yet been ``fixed.'' Of course, there's a decent > argument that many consumers of SSH are the kind of people who also > blindly accept new hostkeys without verifying fingerprints or using a PKI, > so this kind of default won't help them at all, just causing frustration. > :-) > > If you want another puzzling OpenSSH tidbit, it's that the CheckIP option > is enabled by default in the base implementation. It has recently been > turned off in the FreeBSD version for the following reason (which was > rejected by OpenSSH developers shortly after OpenSSH was released). > > The CheckHostIP feature introduces automatic modification of the known > hosts key file to include the IP address of the host after connecting by > name. This option introduces unnecessary modifications of keying material > entries, and can cause spurious keying errors following IP address > changes, especially in a dynamic DNS/IP allocation environment. When a > user requests a connection by-name, the key storage should be by-name, as > SSH is not aware of whether or not the name/key binding is persistent. > Presumably, just as the user is responsible for performing by-name key > verification and management, the user should also be responsible for > managing by-number key verification and management. > > This also causes management problems for hosts employing centralized > ssh_known_hosts entries--SSH replicates the key from the central file into > the user's personal key file using the IP address to index the key. 
If > the IP of the host is a variable IP, putting the IP into the centralized > file makes no sense, but SSH will take the liberty of replicating the > keying material unnecessarily. If a host key now changes, and the > centralized file is updated to reflect it, SSH will now generate warnings > as its spuriously replicated key no longer matches up. > > You can even imagine DNS-based spoofing causing some problems, if combined > with IP spoofing, as ssh-by-ip to a spoofed host would not generate an > unknown key warning, instead, it would connect with full trust. This > attack is a little of a stretch on convenience for the attacker, but is > feasible. The end conclusion is really that key introduction for key > indexes (names, IPs) should only occur when specifically authorized by the > user and following a fingerprint display, never automatically. > > Robert N M Watson > > robert at fledge.watson.org http://www.watson.org/~robert/ > PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 > TIS Labs at Network Associates, Safeport Network Services > > > On Thu, 24 Feb 2000, Brian Caswell wrote: > > > The default SSH configuration for SSH1 and SSH2 allow for remote > > controlling of X sessions through X forwarding. > > > > All children of the SSH connection are able to tunnel X11 sessions > > through the X tunnel to the client X11 session. This is accomplished > > by running xauth upon logging in. > > > > If xauth is replaced on the server by a malicious program that does > > both of the following: > > - runs xauth, adding in the "correct" information allowing the > > children of the session to tunnel X11 programs through the SSH > > session > > - runs xauth, adding in the "malicious" information, allowing a > > malicious source to tunnel X11 programs through the SSH session. > > > > With the added data in .Xauthority, a malicious source can fully control > > the client X session. 
The malicious source can then do most anything to > > the X session, from logging keystrokes of the X session, to taking > > screen captures, to typing in commands to open terminals. > > > > The only thing that is required for the client system to be compromised > > is for the client to remotely log via ssh (with X11 forwarding enabled) > > into a compromised server. > > > > Allowing X forwarding seems to be turned on by default in SSH1, SSH2, > > and OpenSSH. > > > > To fix this "issue" add the following lines to the SSH client > > configuration. ($HOME/.ssh/config or ssh_config) > > > > > > Host * > > ForwardX11 no > > > > > > Discussions of security flaws within X11 have been going on for years. > > The "issue" in SSH X11 forwarding is not new. SSH has added to the > > security of X11, but by no means does the use of SSH secure X11. > > > > -- > > Brian Caswell > > If I could load the world into vi, the first command I would use is: > > %s/Windows NT//gi > -- Mike Fisk, RADIANT Team, Network Engineering Group, Los Alamos National Lab See http://home.lanl.gov/mfisk/ for contact information From mfisk at lanl.gov Sat Mar 4 04:16:45 2000 
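The advisory quoted above recommends adding `Host *` / `ForwardX11 no` to the client configuration. Where those two lines go matters, because ssh(1) keeps the first value it obtains for an option and later `Host` blocks cannot change it. The script below is an added example, not code from the thread or from OpenSSH: it resolves `ForwardX11` for a host with that first-match rule over two constructed ssh_config files that differ only in the order of their blocks. The hostnames, the `build.example.com` host and the built-in default of `yes` are assumptions (the thread reports the 1.2.2 client default as on); `Match` blocks, which later OpenSSH releases added, are not handled.

```python
import re
from typing import Optional

# Added example (not OpenSSH code): resolves a client option the way ssh(1) reads ssh_config,
# where the FIRST value obtained for an option wins and later Host blocks cannot override it.
# Assumptions: only "Host" blocks (no "Match"), patterns built from '*' and '?', '!' negation.


def _host_pattern(pat: str) -> re.Pattern:
    # ssh_config patterns know only '*' (any run) and '?' (one char); everything else is literal.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pat)
    return re.compile(f"^{rx}$", re.IGNORECASE)


def host_matches(patterns: str, host: str) -> bool:
    """Whitespace-separated pattern list; a matching negated ('!') pattern rejects the whole block."""
    matched = False
    for pat in patterns.split():
        negate = pat.startswith("!")
        if _host_pattern(pat[1:] if negate else pat).match(host):
            if negate:
                return False
            matched = True
    return matched


def resolve_option(config: str, host: str, option: str) -> Optional[str]:
    """Walk the file top to bottom and return the first value of `option` seen in a matching block.
    Lines before the first Host line apply to every host; only lines starting with '#' are comments."""
    option = option.lower()
    active = True
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            active = host_matches(value, host)
        elif active and key == option:
            return value
    return None


def x11_forwarding_enabled(config: str, host: str, default: str = "yes") -> bool:
    """`default` models the client's built-in default; the thread reports it as 'yes' for 1.2.2."""
    value = resolve_option(config, host, "ForwardX11")
    return (value if value is not None else default).lower() == "yes"


# Constructed configs. Same two blocks, different order: the advisory's "Host * / ForwardX11 no"
# appended at the END still leaves the earlier per-host "yes" in force ...
APPENDED = """\
Host build.example.com
    ForwardX11 yes

Host *
    ForwardX11 no
"""

# ... while at the TOP it wins for every host, including the one that asked for forwarding.
PREPENDED = """\
Host *
    ForwardX11 no

Host build.example.com
    ForwardX11 yes
"""


def forwarding_hosts(config: str, hosts: list[str]) -> list[str]:
    """Hosts for which X11 would still be forwarded under `config`."""
    return [h for h in hosts if x11_forwarding_enabled(config, h)]


if __name__ == "__main__":
    hosts = ["build.example.com", "shell.example.com"]
    print("appended :", forwarding_hosts(APPENDED, hosts))
    print("prepended:", forwarding_hosts(PREPENDED, hosts))
```

With the two lines appended, `build.example.com` keeps forwarding on; with them prepended, no host gets it. To disable forwarding everywhere except one trusted host, the per-host `yes` has to come first and the `Host *` block last. Later OpenSSH releases added `ForwardX11Trusted`, and the same first-match rule applies to it.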
From: mfisk at lanl.gov (Mike Fisk) Date: Fri, 3 Mar 2000 17:16:45 +0000 (GMT) Subject: FTP tunneling Message-ID: If people haven't seen it, there's a pretty nice Java SSH client called MindTerm: http://www.mindbright.se/mindterm/ One of the things they did is add some hacks to make FTP tunneling over SSH trivial. This client looks at the data being forwarded over port 21 (ftp control port), and looks for the FTP PORT and PASV commands used to establish the ftp data connections. On-the-fly, it then opens up another tunnel for the data connection and rewrites the address and port in the FTP command to refer to the proper end of the tunnel. It works very nicely and is nice functionality for people who are stuck using FTP clients instead of SCP. Damien, would you include a patch that included this functionality? Is anybody else interested in working on this before I get around to it? -- Mike Fisk, RADIANT Team, Network Engineering Group, Los Alamos National Lab See http://home.lanl.gov/mfisk/ for contact information From gem at rellim.com Sat Mar 4 06:01:44 2000 
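The PORT/PASV rewriting Mike describes, as an added example rather than MindTerm's or OpenSSH's code: the control channel is watched for a `PORT` command from the client and a `227` reply from the server, the address/port tuple is decoded, a forwarding is recorded for the coming data connection, and the tuple is rewritten to point at the near end of that forwarding. Tunnel setup is simulated (the object only records which forwardings it would open); the addresses 127.0.0.1, 10.0.0.5 and 192.0.2.10 and the port range starting at 40000 are assumptions. It also pins a `227` reply to the control connection's peer, which the thread does not mention but is the check a client should make before following a server-supplied address.

```python
import ipaddress
import re

# Added example, not MindTerm's or OpenSSH's code. Shows the PORT/PASV rewriting a tunnelling
# client must do on the FTP control channel. Tunnel setup is simulated: the rewriter records the
# forwardings it would open. Assumed addresses: the FTP client reaches tunnels on local_ip, the FTP
# server can reach the ssh server at ssh_server_ip, and the control connection peer is ftp_server_ip.

HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text: str) -> tuple[str, int]:
    """Parse the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply; port = p1*256 + p2."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError(f"no host/port tuple in {text!r}")
    vals = [int(v) for v in m.groups()]
    if any(v > 255 for v in vals):
        raise ValueError(f"byte out of range in {m.group(0)!r}")
    host = ".".join(str(v) for v in vals[:4])
    return host, vals[4] * 256 + vals[5]


def encode_hostport(host: str, port: int) -> str:
    if not 0 < port < 65536:
        raise ValueError(f"bad port {port}")
    octets = str(ipaddress.IPv4Address(host)).split(".")  # rejects anything that is not IPv4
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


class FtpDataRewriter:
    def __init__(self, local_ip: str, ssh_server_ip: str, ftp_server_ip: str, first_port: int = 40000):
        self.local_ip = local_ip
        self.ssh_server_ip = ssh_server_ip
        self.ftp_server_ip = ftp_server_ip
        self.next_port = first_port
        self.tunnels: list[tuple] = []  # (kind, listen_host, listen_port, target_host, target_port)
        self.warnings: list[str] = []

    def _port(self) -> int:
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def rewrite_server_reply(self, line: str) -> str:
        """227 reply: the server listens for the data connection. Record a local forward
        local_ip:L -> (via the ssh server) target, and hand the client local_ip:L instead."""
        if not line.startswith("227"):
            return line
        host, port = decode_hostport(line)
        if host != self.ftp_server_ip:
            # FTP bounce guard: never let the server redirect the data connection elsewhere.
            self.warnings.append(f"227 advertised {host}, pinning to control peer {self.ftp_server_ip}")
            host = self.ftp_server_ip
        lport = self._port()
        self.tunnels.append(("local", self.local_ip, lport, host, port))
        return HOSTPORT_RE.sub(encode_hostport(self.local_ip, lport), line, count=1)

    def rewrite_client_command(self, line: str) -> str:
        """PORT command: the client listens. Record a remote forward ssh_server_ip:R -> client
        listener, and tell the server to connect to ssh_server_ip:R."""
        if not line.upper().startswith("PORT "):
            return line
        host, port = decode_hostport(line)
        rport = self._port()
        self.tunnels.append(("remote", self.ssh_server_ip, rport, host, port))
        return HOSTPORT_RE.sub(encode_hostport(self.ssh_server_ip, rport), line, count=1)


if __name__ == "__main__":
    rw = FtpDataRewriter("127.0.0.1", "10.0.0.5", "192.0.2.10")
    print(rw.rewrite_server_reply("227 Entering Passive Mode (192,0,2,10,195,80)\r\n").strip())
    print(rw.rewrite_client_command("PORT 127,0,0,1,4,1\r\n").strip())
    print(rw.tunnels)
```

In a real client each recorded `local` tuple becomes a `-L`-style forward and each `remote` tuple an `-R`-style one, opened before the rewritten line is passed on, so the data connection is already tunnelled when the other side tries to use it.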
From: gem at rellim.com (Gary E. Miller) Date: Fri, 3 Mar 2000 11:01:44 -0800 (PST) Subject: SSH & xauth (fwd) In-Reply-To: Message-ID: Yo Mike! I only run X clients (Xwin-32) on my WinXX laptop. From the laptop I use SecureCRT to connect to remote UNIX hosts running OpenSSH. Then I tunnel X in the SSH session. The way you describe is EXACTLY the way that I have my Xwin-32 set up on the WinXX host. Each time an X window opens on my laptop a box pops up to ask me to allow/deny. This usually works fine unless a popup gets buried under other stuff and I do not see it in time. RGDS GARY On Fri, 3 Mar 2000, Mike Fisk wrote: > I have a suggestion that I think would be useful to implement. > People who have seen the Firewall Toolkit's X proxy will find this > suggestion familiar. The fwtk provides a small proxy that users set their > DISPLAY to. Whenever a new connection is initiated to that proxy, the > proxy pops up a dialog box on the user's real DISPLAY. The user must > agree to accept that incoming connection before the proxy will forward the > data from it. > > The ssh client could be made to, whenever an X tunnel was opened, run an > external dialog program, before the client would accept the tunnel. > Depending on the exit status of that program, the connection would either > be allowed or rejected. Presumably this functionality would be optional > (but perhaps enabled by default). > > Of course there is a tendency for users to treat dialog boxes as a reflex > test and to click them without reading them. However, this mechanism does > provide a way for cautious users to enable X forwarding without blindly > allowing all X clients to connect. > > Comments, ambitious coders? > > On Mon, 28 Feb 2000, Gary E. Miller wrote: > > > Have you guys been following the SSH discussion on Bugtraq lately? > > > > I like their idea the X forwarding should be OFF by default on the > > client. 
> > > > RGDS > > GARY > > --------------------------------------------------------------------------- > > Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701 > > gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676 > > > > ---------- Forwarded message ---------- > > Date: Fri, 25 Feb 2000 21:52:15 -0500 
> > From: Robert Watson > > Reply-To: Robert Watson > > To: BUGTRAQ at SECURITYFOCUS.COM > > Subject: Re: SSH & xauth > > > > This is a very round-about way of observing that allowing X11 forwarding > > from a client to any untrusted server (by any means -- sshd, xauth, common > > accounts, poor file permissions, compromised kernel, etc, etc) with the > > current SSH clients results in security problems (which you observe). > > > > What's more curious is that in OpenSSH, which I observed some time ago, > > the default configuration is to enable X11 forwarding in the client and > > disable it in the server. This is, of course, backwards, as the client is > > the one accepting risk by forwarding X11, not the server. :-) > > > > If you search back a few years in the bugtraq archives, you'll see that > > one suggestion for dealing with this, and still allowing X11 forwarding > > from untrusted clients, is to use the Xnest server, limiting access by the > > ssh client to that DISPLAY. As I observed at the time, Xnest was probably > > not designed with this use in mind, and as such is probably ``breakable,'' > > meaning that a persuaded party might be able to gain access to the proper > > display through exploiting weaknesses in the Xnest server. I have not > > audited the Xnest code to verify that this is or is not the case. > > > > I believe at the time, Alan Cox responded with information about using the > > Broadway extensions to limit access by specific applications to other X11 > > applications, the X event queue, etc. These messages were circa 1997, and > > should appear in bugtraq archives. > > > > Presumably the correct configuration is for clients to disable X11 by > > default, and only have it enabled specifically by the user via appropriate > > flags to ssh, or via the config file. You could imagine a more > > comprehensive interface to new host key adoption that also inquired as to > > a trust level for X11 forwarding using Broadway, etc. 
In this manner, the > > user could specify ``limited'' access that would be sandboxed, not > > allowing access to screen data, X event queue access, etc, ``full,'' or > > ``none.'' With a little imagination, you could even imagine it spawning > > an Xnest to generate a sandbox for remote access. > > > > I would conclude by observing that this is *very* old news--the only new > > news is that it has not yet been ``fixed.'' Of course, there's a decent > > argument that many consumers of SSH are the kind of people who also > > blindly accept new hostkeys without verifying fingerprints or using a PKI, > > so this kind of default won't help them at all, just causing frustration. > > :-) > > > > If you want another puzzling OpenSSH tidbit, it's that the CheckIP option > > is enabled by default in the base implementation. It has recently been > > turned off in the FreeBSD version for the following reason (which was > > rejected by OpenSSH developers shortly after OpenSSH was released). > > > > The CheckHostIP feature introduces automatic modification of the known > > hosts key file to include the IP address of the host after connecting by > > name. This option introduces unnecessary modifications of keying material > > entries, and can cause spurious keying errors following IP address > > changes, especially in a dynamic DNS/IP allocation environment. When a > > user requests a connection by-name, the key storage should be by-name, as > > SSH is not aware of whether or not the name/key binding is persistent. > > Presumably, just as the user is responsible for performing by-name key > > verification and management, the user should also be responsible for > > managing by-number key verification and management. > > > > This also causes management problems for hosts employing centralized > > ssh_known_hosts entries--SSH replicates the key from the central file into > > the user's personal key file using the IP address to index the key. 
If > > the IP of the host is a variable IP, putting the IP into the centralized > > file makes no sense, but SSH will take the liberty of replicating the > > keying material unnecessarily. If a host key now changes, and the > > centralized file is updated to reflect it, SSH will now generate warnings > > as its spuriously replicated key no longer matches up. > > > > You can even imagine DNS-based spoofing causing some problems, if combined > > with IP spoofing, as ssh-by-ip to a spoofed host would not generate an > > unknown key warning, instead, it would connect with full trust. This > > attack is a little of a stretch on convenience for the attacker, but is > > feasible. The end conclusion is really that key introduction for key > > indexes (names, IPs) should only occur when specifically authorized by the > > user and following a fingerprint display, never automatically. > > > > Robert N M Watson > > > > robert at fledge.watson.org http://www.watson.org/~robert/ > > PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 > > TIS Labs at Network Associates, Safeport Network Services > > > > > > On Thu, 24 Feb 2000, Brian Caswell wrote: > > > > > The default SSH configuration for SSH1 and SSH2 allow for remote > > > controlling of X sessions through X forwarding. > > > > > > All children of the SSH connection are able to tunnel X11 sessions > > > through the X tunnel to the client X11 session. This is accomplished > > > by running xauth upon logging in. > > > > > > If xauth is replaced on the server by a malicious program that does > > > both of the following: > > > - runs xauth, adding in the "correct" information allowing the > > > children of the session to tunnel X11 programs through the SSH > > > session > > > - runs xauth, adding in the "malicious" information, allowing a > > > malicious source to tunnel X11 programs through the SSH session. 
> > > > > > With the added data in .Xauthority, a malicious source can fully control > > > the client X session. The malicious source can then do most anything to > > > the X session, from logging keystrokes of the X session, to taking > > > screen captures, to typing in commands to open terminals. > > > > > > The only thing that is required for the client system to be compromised > > > is for the client to remotely log via ssh (with X11 forwarding enabled) > > > into a compromised server. > > > > > > Allowing X forwarding seems to be turned on by default in SSH1, SSH2, > > > and OpenSSH. > > > > > > To fix this "issue" add the following lines to the SSH client > > > configuration. ($HOME/.ssh/config or ssh_config) > > > > > > > > > Host * > > > ForwardX11 no > > > > > > > > > Discussions of security flaws within X11 have been going on for years. > > > The "issue" in SSH X11 forwarding is not new. SSH has added to the > > > security of X11, but by no means does the use of SSH secure X11. > > > > > > -- > > > Brian Caswell > > > If I could load the world into vi, the first command I would use is: > > > %s/Windows NT//gi > > > > -- > Mike Fisk, RADIANT Team, Network Engineering Group, Los Alamos National Lab > See http://home.lanl.gov/mfisk/ for contact information > > --------------------------------------------------------------------------- Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701 gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676 From mfisk at lanl.gov Sat Mar 4 06:08:19 2000 
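The CheckHostIP behaviour described in the quoted Bugtraq message above leaves by-IP entries in the user's known_hosts that can fall out of step with a central ssh_known_hosts. What follows is an added example, not OpenSSH code, that audits for exactly that: every line carrying an IP address is traced back (through the entries that share its key) to the hostname it was copied from, flagged if the central file now lists a different key for that name, and flagged again if it is address-only, the case in which an ssh-by-IP connects with full trust. The two files are constructed samples; hostnames, addresses and key strings are made up, and hashed (`|1|`) hostnames are not handled.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example, not OpenSSH code. Audits a user's known_hosts for the by-IP entries CheckHostIP
# creates and compares them with a centrally managed ssh_known_hosts. Both files below are
# constructed samples. SSH1 ("bits exponent modulus") and SSH2 ("keytype base64") lines are
# handled; hashed hostnames and '@' marker lines are skipped.


@dataclass(frozen=True)
class Entry:
    lineno: int
    names: tuple[str, ...]  # hostnames/addresses, brackets and :port stripped, lowercased
    key: str                # the fields that identify the key, joined


def _normalise(name: str) -> str:
    name = name.strip().lower()
    if name.startswith("[") and "]" in name:  # [host]:port form for non-standard ports
        name = name[1:name.index("]")]
    return name


def is_ip(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def parse_known_hosts(text: str) -> list[Entry]:
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        # SSH1 keys are "bits exponent modulus"; SSH2 keys are "keytype base64".
        key_fields = fields[1:4] if fields[1].isdigit() else fields[1:3]
        names = tuple(_normalise(n) for n in fields[0].split(","))
        entries.append(Entry(lineno, names, " ".join(key_fields)))
    return entries


@dataclass
class Finding:
    lineno: int
    ips: list[str]
    stale_names: list[str] = field(default_factory=list)  # names whose central key now differs
    ip_only: bool = False                                  # address-only: ssh-by-IP trusts it fully


def audit_ip_entries(user_text: str, central_text: str) -> list[Finding]:
    user = parse_known_hosts(user_text)
    central_by_name = {n: e.key for e in parse_known_hosts(central_text) for n in e.names}
    findings = []
    for e in user:
        ips = [n for n in e.names if is_ip(n)]
        if not ips:
            continue
        # Names sharing this key anywhere in the user's file show which host the IP entry came from.
        siblings = sorted({n for f in user if f.key == e.key for n in f.names if not is_ip(n)})
        stale = [n for n in siblings if n in central_by_name and central_by_name[n] != e.key]
        ip_only = all(is_ip(n) for n in e.names)
        if stale or ip_only:
            findings.append(Finding(e.lineno, ips, stale, ip_only))
    return findings


# Constructed central file: velius was rekeyed, so only its new key is listed.
CENTRAL = "\n".join([
    "# central ssh_known_hosts (constructed sample)",
    "velius.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnew",
    "static.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDstatic",
    "ssh1host.example.com 1024 35 1373563",
])

# Constructed user file, as CheckHostIP would have left it: line 2 is the replicated by-IP copy.
USER = "\n".join([
    "velius.example.com,192.0.2.7 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDold",
    "192.0.2.7 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDold",
    "static.example.com,198.51.100.3 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDstatic",
    "[gw.example.com]:2222,[203.0.113.1]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgw",
    "ssh1host.example.com,192.0.2.9 1024 35 1373563",
])

if __name__ == "__main__":
    for f in audit_ip_entries(USER, CENTRAL):
        print(f"line {f.lineno}: {', '.join(f.ips)} stale_for={f.stale_names} ip_only={f.ip_only}")
```

Lines 1 and 2 are reported (the old velius key survives under 192.0.2.7, and line 2 is address-only); the static host, the gateway that the central file does not manage at all, and the SSH1-format host are left alone. The script deliberately does no DNS lookups, so it works on a copy of the files taken off a machine.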
From: mfisk at lanl.gov (Mike Fisk) Date: Fri, 3 Mar 2000 19:08:02 +0000 (GMT) Subject: SSH & xauth (fwd) In-Reply-To: Message-ID: On Fri, 3 Mar 2000, Sean Aaron Lisse wrote: > > I have a suggestion that I think would be useful to implement. > > People who have seen the Firewall Toolkit's X proxy will find this > > suggestion familiar. The fwtk provides a small proxy that users set their > > DISPLAY to. Whenever a new connection is initiated to that proxy, the > > proxy pops up a dialog box on the user's real DISPLAY. The user must > > agree to accept that incoming connection before the proxy will forward the > > data from it. > > My main objection to this would be that it's dependent upon the dialog-box > program's presence. You're tying down X forwarding to the > presence/absence of another (perhaps machine-specific!) program in the > system, and perhaps the compilation of SSH to the presence of X at all. > > Not a wonderful idea for a uniform text-based suite like SSH. I'd have > no problems at all if SSH was originally designed to be GUI with adding > another dialog box. Since it's not, however, I'd argue against it. I wasn't paying complete attention, but there have been some threads on this list about the X programs (ssh-askpass, etc.) that prompt for passwords. I would assume that this dialog box would be provided the same way that that functionality is provided (however that is or isn't bundled). The client could issue a text prompt in the tty, but that disrupts whatever output is on that window (which might also be iconified and ignored). -- Mike Fisk, RADIANT Team, Network Engineering Group, Los Alamos National Lab See http://home.lanl.gov/mfisk/ for contact information From nebulous at owlnet.rice.edu Sat Mar 4 06:10:55 2000 
From: nebulous at owlnet.rice.edu (Sean Aaron Lisse) Date: Fri, 3 Mar 2000 13:10:55 -0600 (CST) Subject: SSH & xauth (fwd) In-Reply-To: Message-ID: You're right. I need to study my ssh distro more... had never even seen ssh-askpass. I withdraw my objection. -Sean > > My main objection to this would be that it's dependent upon the dialog-box > > program's presence. You're tying down X forwarding to the > > presence/absence of another (perhaps machine-specific!) program in the > > system, and perhaps the compilation of SSH to the presence of X at all. > > > > Not a wonderful idea for a uniform text-based suite like SSH. I'd have > > no problems at all if SSH was originally designed to be GUI with adding > > another dialog box. Since it's not, however, I'd argue against it. > > I wasn't been paying complete attention, but there have been some threads > on this list about the X programs (ssh-askpass, etc.) that prompt for > passwords. I would assume that this dialog box would be provided the same > way that that functionality is provided (however that is or isn't > bundled). > > The client could issue a text prompt in the tty, but that disrupts > whatever output is on that window (which might also be iconified and > ignored). From jacob at velius.chaos2.org Sat Mar 4 08:33:40 2000 
From: jacob at velius.chaos2.org (Jacob Luna Lundberg) Date: Fri, 3 Mar 2000 13:33:40 -0800 (PST) Subject: [PATCH] Add a Maximum Idle Time (1.2.2) Message-ID: The attached patch adds an option (off by default to preserve current behavior) to set a timeout on the select() statement that waits for input in clientloop.c. This fixes a timeout issue for me (explained below) and probably also fixes the timeouts mentioned in last month's thread "Idle time out". The patch is also available by http from: http://www.chaos2.org/~jacob/code/patch-openssh-1.2.2-trans_inter I am ssh-ing from a machine on my home network to one on the internet. This goes out over a Linux ip_masquerade firewall. When I wrote the attached patch, I thought it was the firewall that was killing the connection by timing out on the redirected port due to lack of traffic. But after reading some similar posts on this list, I think there might be problems even if a firewall isn't involved. Also note that in the tcpdump below, I did have KeepAlive turned on (both server and client) and yet I don't see any traffic being generated due to this, which seems to render KeepAlive pretty useless... When ssh dies on me (when no max idle time is set) it gives me the error below: " velius:~% Read from remote host velius.chaos2.org: Connection reset by peer Connection to velius.chaos2.org closed. jacob:~# " From the tcpdump below, we see that the firewall has assigned a new ip_masq port. This shows all the packets; specifically, none are generated in the interim. " 00:59:19.987703 velius.chaos2.org.ssh > c392100-a.crvlls1.or.home.com.64579: P 1:21(20) ack 20 win 32120 (DF) 00:59:19.998389 c392100-a.crvlls1.or.home.com.64579 > velius.chaos2.org.ssh: . ack 21 win 32120 (DF) [tos 0x10] ... time passes here but no traffic to velius ... 
01:20:37.477884 c392100-a.crvlls1.or.home.com.64687 > velius.chaos2.org.ssh: P 2954940853:2954940873(20) ack 2970631452 win 32120 (DF) [tos 0x10] 01:20:37.583097 velius.chaos2.org.ssh > c392100-a.crvlls1.or.home.com.64687: R 2970631452:2970631452(0) win 0 [tos 0x10] " The attached patch allows the user to put a TransmitInterlude option in their ssh_config file that gives how many seconds are allowed to pass without generating traffic. A value of 300 completely solves the timeouts for me and I haven't observed any stability issues. Please cc me with comments as I am not subscribed to the list. Jacob Lundberg jacob at chaos2.org -- "Heh. You mean this is Stef's source code?" -User Friendly -------------- next part -------------- diff -ur openssh-1.2.2/clientloop.c openssh-1.2.2-trans_inter/clientloop.c --- openssh-1.2.2/clientloop.c Mon Dec 6 20:38:32 1999 +++ openssh-1.2.2-trans_inter/clientloop.c Fri Mar 3 11:21:12 2000 @@ -396,8 +396,10 @@ */ void -client_wait_until_can_do_something(fd_set * readset, fd_set * writeset) +client_wait_until_can_do_something(fd_set * readset, fd_set * writeset, int trans_inter) { + int select_return; + /* Initialize select masks. */ FD_ZERO(readset); 
@@ -436,15 +438,32 @@ max_fd = channel_max_fd(); /* - * Wait for something to happen. This will suspend the process until - * some selected descriptor can be read, written, or has some other - * event pending. Note: if you want to implement SSH_MSG_IGNORE - * messages to fool traffic analysis, this might be the place to do - * it: just have a random timeout for the select, and send a random - * SSH_MSG_IGNORE packet when the timeout expires. + * Wait for something to happen. This will suspend the process + * until some selected descriptor can be read, written, or has some + * other event pending. + * Implemented timeout SSH_MSG_NONE packets to keep a minimum + * frequency of traffic present on a connection. This can be used to + * prevent a firewall (ip_masq f.e.) from timing out and causing a new + * port to be allocated which effectively kills the connection. + * To fool traffic analysis, use SSH_MSG_IGNORE packets and set + * the timeout randomly. Fill the packets with some random traffic. + * But NOTE that this packet type seems to cause some ssh servers to + * close the connection when it arrives and they are expecting data. */ - if (select(max_fd + 1, readset, writeset, NULL, NULL) < 0) { + if( trans_inter > 0 ) { + struct timeval timeout; + timeout.tv_sec = trans_inter; + timeout.tv_usec = 0; + select_return = select(max_fd + 1, readset, writeset, NULL, &timeout); + if(select_return == 0) { + packet_start(SSH_MSG_NONE); + packet_send(); + } + } else + select_return = select(max_fd + 1, readset, writeset, NULL, NULL); + + if( select_return < 0 ) { char buf[100]; /* Some systems fail to clear these automatically. */ FD_ZERO(readset); 
@@ -863,7 +882,7 @@ * Wait until we have something to do (something becomes * available on one of the descriptors). */ - client_wait_until_can_do_something(&readset, &writeset); + client_wait_until_can_do_something(&readset, &writeset, options.trans_inter); if (quit_pending) break; diff -ur openssh-1.2.2/readconf.c openssh-1.2.2-trans_inter/readconf.c --- openssh-1.2.2/readconf.c Sun Dec 5 16:47:29 1999 +++ openssh-1.2.2-trans_inter/readconf.c Fri Mar 3 11:21:12 2000 @@ -78,6 +78,7 @@ UseRsh no StrictHostKeyChecking yes KeepAlives no + TransmitInterlude 0 IdentityFile ~/.ssh/identity Port 22 EscapeChar ~ @@ -101,8 +102,8 @@ oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, - oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oTISAuthentication, - oUsePrivilegedPort, oLogLevel + oCompressionLevel, oKeepAlives, oTransmitInterlude, oNumberOfPasswordPrompts, + oTISAuthentication, oUsePrivilegedPort, oLogLevel } OpCodes; /* Textual representations of the tokens. */ @@ -148,6 +149,7 @@ { "compression", oCompression }, { "compressionlevel", oCompressionLevel }, { "keepalive", oKeepAlives }, + { "transmitinterlude", oTransmitInterlude }, { "numberofpasswordprompts", oNumberOfPasswordPrompts }, { "tisauthentication", oTISAuthentication }, { "loglevel", oLogLevel }, @@ -355,6 +357,10 @@ intptr = &options->keepalives; goto parse_flag; + case oTransmitInterlude: + intptr = &options->trans_inter; + goto parse_int; + case oNumberOfPasswordPrompts: intptr = &options->number_of_password_prompts; goto parse_int; @@ -610,6 +616,7 @@ options->strict_host_key_checking = -1; options->compression = -1; options->keepalives = -1; + options->trans_inter = -1; options->compression_level = -1; options->port = -1; options->connection_attempts = -1; 
@@ -677,6 +684,8 @@ options->compression = 0; if (options->keepalives == -1) options->keepalives = 1; + if (options->trans_inter == -1) + options->trans_inter = 0; if (options->compression_level == -1) options->compression_level = 6; if (options->port == -1) diff -ur openssh-1.2.2/readconf.h openssh-1.2.2-trans_inter/readconf.h --- openssh-1.2.2/readconf.h Sun Dec 5 16:47:29 1999 +++ openssh-1.2.2-trans_inter/readconf.h Fri Mar 3 11:21:12 2000 @@ -56,6 +56,7 @@ int compression_level; /* Compression level 1 (fast) to 9 * (best). */ int keepalives; /* Set SO_KEEPALIVE. */ + int trans_inter; /* Guarantee transmit every n seconds. */ LogLevel log_level; /* Level for logging. */ int port; /* Port to connect. */ diff -ur openssh-1.2.2/ssh.0 openssh-1.2.2-trans_inter/ssh.0 --- openssh-1.2.2/ssh.0 Wed Jan 26 19:17:09 2000 +++ openssh-1.2.2-trans_inter/ssh.0 Fri Mar 3 11:21:12 2000 
@@ -486,6 +486,19 @@ be verified automatically in either case. The argument must be ``yes'' or ``no''. + TransmitInterlude + Specifies a maximum time to allow between transmitting packets, + in seconds. If this amount of time passes and the client has no + data to send, it will send an empty packet to the server. One + example where this is useful is when using ssh from behind a Lin- + ux ip_masquerade firewall. If packets aren't sent through such a + firewall periodically, the firewall may forget about the connec- + tion. Then when a packet finally is sent, the firewall will as- + sign a new port, which will cause the remote server to disconnect + the session. This option defaults to ``0'', which means not + sending periodic packets. A setting of a few hundred seconds + should be about right if this is needed. + UsePrivilegedPort Specifies whether to use a privileged port for outgoing connec- tions. The argument must be ``yes'' or ``no''. The default is diff -ur openssh-1.2.2/ssh.1 openssh-1.2.2-trans_inter/ssh.1 --- openssh-1.2.2/ssh.1 Sat Jan 22 00:57:40 2000 +++ openssh-1.2.2-trans_inter/ssh.1 Fri Mar 3 11:21:12 2000 
@@ -720,6 +720,19 @@ .Dq yes or .Dq no . +.It Cm TransmitInterlude +Specifies a maximum time to allow between transmitting packets, +in seconds. If this amount of time passes and the client has +no data to send, it will send an empty packet to the server. +One example where this is useful is when using ssh from behind +a Linux ip_masquerade firewall. If packets aren't sent through +such a firewall periodically, the firewall may forget about the +connection. Then when a packet finally is sent, the firewall +will assign a new port, which will cause the remote server to +disconnect the session. This option defaults to +.Dq 0 , +which means not sending periodic packets. A setting of a few +hundred seconds should be about right if this is needed. .It Cm UsePrivilegedPort Specifies whether to use a privileged port for outgoing connections. The argument must be From jfaria at mediaone.net Sun Mar 5 08:08:32 2000 From: jfaria at mediaone.net (Jim Faria) Date: Sat, 4 Mar 2000 16:08:32 -0500 Subject: Where is the tarball for Solaris Message-ID: I'm trying to install openssh-1.2.2 on a Solaris 7 box. I've downloaded the file openssh-1.2.2.tar.gz from ftp://thermo.stat.ncsu.edu/pub/openssh/files/ and http://the.wiretapped.net/security/cryptography/ssh/OpenSSH/files/. Neither of these tars includes the configure program as referenced in the INSTALL file. Where can I obtain the full distribution that will build on a Solaris 7 box? From djm at mindrot.org Sun Mar 5 09:24:50 2000 
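Review bot: in the clientloop.c select() hunk the timeout branch sends SSH_MSG_NONE, yet the comment directly above it names SSH_MSG_IGNORE as the packet type a peer is meant to discard, and "NONE" is by its name the absence of a message rather than a protocol-level no-op. Send an SSH_MSG_IGNORE carrying an empty string instead (`packet_start(SSH_MSG_IGNORE); packet_put_string("", 0); packet_send();`), and if the "some ssh servers close the connection" observation in the comment is what drove the choice of NONE, name those servers in the comment so the workaround can be revisited. Also worth a sentence in the comment: the timeval is rebuilt on every call, so a packet only goes out after trans_inter seconds with no activity on any descriptor, which is the intended idle semantics but is not obvious from the code.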
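Review bot: the oTransmitInterlude case in readconf.c takes the value straight through parse_int with no range check, so `TransmitInterlude -5` is accepted and silently behaves as "off" (clientloop.c tests `trans_inter > 0`), while `TransmitInterlude 1` puts a packet on the wire every second. Reject negative values at parse time rather than leaving it to the caller, and consider a documented floor. The fill_default_options change (-1 becomes 0) does match the `TransmitInterlude 0` line added to the defaults comment, which is good.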
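Review bot: the ssh.1 and ssh.0 hunks say the client "will send an empty packet to the server", which does not tell an operator which message that is; name the message type (SSH_MSG_NONE as the code stands, or SSH_MSG_IGNORE if that changes) so server-side behaviour can be reasoned about, and add a sentence on how this differs from KeepAlive, since the cover mail reports that KeepAlive did not help. ssh.0 reads as the formatted rendering of ssh.1 (same text, with nroff hyphenation such as "Lin- ux" and "connec- tion"); regenerate it from the edited ssh.1 rather than editing the formatted output by hand, so the two cannot drift apart.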
From: djm at mindrot.org (Damien Miller) Date: Sun, 5 Mar 2000 09:24:50 +1100 (EST) Subject: Where is the tarball for Solaris In-Reply-To: Message-ID: On Sat, 4 Mar 2000, Jim Faria wrote: > I'm trying to install openssh-1.2.2 on a Solaris 7 > box. I've downloaded the file openssh-1.2.2.tar.gz > from ftp://thermo.stat.ncsu.edu/pub/openssh/files/ and > http://the.wiretapped.net/security/cryptography/ssh/OpenSSH/files/. > Neither of these tars includes the configure program as referenced > in the INSTALL file. > Where can I obtain the full distribution that will build on a > Solaris 7 box? I just checked both of the above mirrors. openssh-1.2.2.tar.gz seems OK on both of them and contains configure. Can you send me the output of: openssl md5 openssh-1.2.2.tar.gz -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From dzhao1 at gl.umbc.edu Sun Mar 5 09:24:32 2000 
From: dzhao1 at gl.umbc.edu (Di Zhao) Date: Sat, 4 Mar 2000 17:24:32 -0500 (EST) Subject: [PATCH] Add a Maximum Idle Time (1.2.2) In-Reply-To: Message-ID: Hi, I have applied this patch, and it works pretty well. Well, I agree with you about the KeepAlive thing; it seems not to be functioning, at least on a Linux machine. I just glanced at your patch; it seems you send a "NOP" every TransmitInterlude interval. While this solves the problem when using the openssh client, people who use a different ssh client may be unlucky. Maybe the best choice is to implement it on the server side?? Anyway, my problem is gone and thank you very much! On Fri, 3 Mar 2000, Jacob Luna Lundberg wrote: > > The attached patch adds an option (off by default to preserve current > behavior) to set a timeout on the select() statement that waits for input > in clientloop.c. This fixes a timeout issue for me (explained below) and > probably also fixes the timeouts mentioned in last month's thread "Idle > time out". The patch is also available by http from: > http://www.chaos2.org/~jacob/code/patch-openssh-1.2.2-trans_inter > > I am ssh-ing from a machine on my home network to one on the > internet. This goes out over a Linux ip_masquerade firewall. When I > wrote the attached patch, I thought it was the firewall that was killing > the connection by timing out on the redirected port due to lack of > traffic. But after reading some similar posts on this list, I think there > might be problems even if a firewall isn't involved. Also note that in > the tcpdump below, I did have KeepAlive turned on (both server and client) > and yet I don't see any traffic being generated due to this, which seems > to render KeepAlive pretty useless... > > When ssh dies on me (when no max idle time is set) it gives me the > error below: > > " > velius:~% Read from remote host velius.chaos2.org: Connection reset by peer > Connection to velius.chaos2.org closed. 
> jacob:~# > " > > From the tcpdump below, we see that the firewall has assigned a new > ip_masq port. This shows all the packets; specifically, none are > generated in the interim. > > " > 00:59:19.987703 velius.chaos2.org.ssh > c392100-a.crvlls1.or.home.com.64579: P 1:21(20) ack 20 win 32120 > (DF) > 00:59:19.998389 c392100-a.crvlls1.or.home.com.64579 > velius.chaos2.org.ssh: . ack 21 win 32120 > (DF) [tos 0x10] > ... time passes here but no traffic to velius ... > 01:20:37.477884 c392100-a.crvlls1.or.home.com.64687 > velius.chaos2.org.ssh: P 2954940853:2954940873(20) ack > 2970631452 win 32120 (DF) [tos 0x10] > 01:20:37.583097 velius.chaos2.org.ssh > c392100-a.crvlls1.or.home.com.64687: R 2970631452:2970631452(0) win 0 > [tos 0x10] > " > > The attached patch allows the user to put a TransmitInterlude option > in their ssh_config file that gives how many seconds are allowed to pass > without generating traffic. A value of 300 completely solves the timeouts > for me and I haven't observed any stability issues. > > Please cc me with comments as I am not subscribed to the list. > > Jacob Lundberg > jacob at chaos2.org > > -- > > "Heh. You mean this is Stef's source code?" > -User Friendly > -- "My grandpa told me to remember two things in life. Look out for Number One, and remember your number" - Orville Cogswell -- http://members.xoom.com/_XOOM/dizhao/index.html From djm at mindrot.org Sun Mar 5 09:27:03 2000 
From: djm at mindrot.org (Damien Miller)
Date: Sun, 5 Mar 2000 09:27:03 +1100 (EST)
Subject: FTP tunneling
In-Reply-To:
Message-ID:

On Fri, 3 Mar 2000, Mike Fisk wrote:

> Damien, would you include a patch that included this functionality?
> Is anybody else interested in working on this before I get around to it?

I think it is a great idea, but one that is better pursued by the OpenBSD developers. I would prefer that new features went in at their end.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Sun Mar 5 09:44:20 2000
From: djm at mindrot.org (Damien Miller)
Date: Sun, 5 Mar 2000 09:44:20 +1100 (EST)
Subject: [PATCH] Add a Maximum Idle Time (1.2.2)
In-Reply-To:
Message-ID:

On Fri, 3 Mar 2000, Jacob Luna Lundberg wrote:

> The attached patch allows the user to put a TransmitInterlude
> option in their ssh_config file that gives how many seconds are
> allowed to pass without generating traffic. A value of 300
> completely solves the timeouts for me and I haven't observed any
> stability issues.

I would first rather get to the bottom of figuring out why keepalives aren't working. Is "KeepAlive yes" set for both client and server? Is /proc/sys/net/ipv4/tcp_keepalive_time set to less than the masquerading timeouts?

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From jacob at velius.chaos2.org Sun Mar 5 10:12:16 2000
From: jacob at velius.chaos2.org (Jacob Luna Lundberg)
Date: Sat, 4 Mar 2000 15:12:16 -0800 (PST)
Subject: [PATCH] Add a Maximum Idle Time (1.2.2)
In-Reply-To:
Message-ID:

On Sun, 5 Mar 2000, Damien Miller wrote:

> I would first rather get to the bottom of figuring out why keepalives
> aren't working.

Which brings a question to mind. I haven't really programmed with keepalives before. I presume they're a field in the tcp frames (as opposed to a periodic empty frame)?

> Is "KeepAlive yes" set for both client and server?

Yes. To no avail. Both are Linux 2.2.14 boxen, but I have been seeing this problem since I switched to 2.1.x (client with server still 2.0.x). I still see it with the not-so-open ssh suite as well, both 1.x and 2.x. I tried kernel 2.3.42 and was still seeing it there too.

> Is /proc/sys/net/ipv4/tcp_keepalive_time set

It is set to 7200.

> to less than the masquerading timeouts?

I checked after reading the recent list entries and actually I see the exact same behavior when I run ssh out from the firewall (thus bypassing the ip_masq). So while the ip_masq is an issue, it is orthogonal to the problem and could be resolved (as you say) by setting the keepalives to less than the ip_masq timeout. For some reason, keepalives aren't sufficient to keep some connections alive right now.

On a side note, Di Zhao asked if I should have implemented a server version of the patch as well. I rather felt that (from what I've seen) the problem is a bit too infrequent for that (let the users turn it on if they discover they need it)... But I suppose it does leave people using different clients out in the cold. Any preference there?

-Jacob

--
"Heh. You mean this is Stef's source code?"
-User Friendly

From mw at moni.msci.memphis.edu Sun Mar 5 12:45:57 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Sat, 4 Mar 2000 19:45:57 -0600
Subject: entry in pam.conf
Message-ID: <20000304194557.A677@moni.msci.memphis.edu>

Can somebody recommend an entry to pam.conf for openssh on solaris (2.6)?

Thx
Mate
--
---
Mate Wierdl | Dept. of Math. Sciences | University of Memphis

From mw at moni.msci.memphis.edu Sun Mar 5 12:49:18 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Sat, 4 Mar 2000 19:49:18 -0600
Subject: specify openssl libs for configure
Message-ID: <20000304194918.A687@moni.msci.memphis.edu>

My openssl libs are in /space/local/lib. How can I tell configure about it? Also, can a nonroot user install ssh*?

Thx
Mate
--
---
Mate Wierdl | Dept. of Math. Sciences | University of Memphis

From jfaria at mediaone.net Sun Mar 5 13:26:41 2000
From: jfaria at mediaone.net (Jim Faria)
Date: Sat, 4 Mar 2000 21:26:41 -0500
Subject: No subject
Message-ID:

I've installed openssl-0.9.5 using rsaref.a. When I build ssh-1.2.2 with ./configure rsaref I still get the following error when running ssh:

ssh: no RSA support in libssl and libcrypto. See ssl(8).

What am I doing wrong?

From mw at moni.msci.memphis.edu Sun Mar 5 13:40:10 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Sat, 4 Mar 2000 20:40:10 -0600
Subject: /dev/random on solaris
Message-ID: <20000304204010.A1430@moni.msci.memphis.edu>

Trying to install openssh on Solaris, I got

checking for /dev/urandom... no
configure: error: No random device found, and no EGD random pool specified

On the other hand, I have

ls -l /dev/random
prw-r--r-- 1 root other 9216 Mar 2 10:37 /dev/random

What can I do?

Thx
Mate
--
---
Mate Wierdl | Dept. of Math. Sciences | University of Memphis

From mw at moni.msci.memphis.edu Sun Mar 5 13:49:34 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Sat, 4 Mar 2000 20:49:34 -0600
Subject: /dev/random question: ignore
Message-ID: <20000304204934.A1982@moni.msci.memphis.edu>

Sorry, I got it now, that it is a configure option.

Mate

From jmknoble at pobox.com Sun Mar 5 14:22:14 2000
From: jmknoble at pobox.com (Jim Knoble)
Date: Sat, 4 Mar 2000 22:22:14 -0500
Subject: your mail
In-Reply-To: ; from Jim Faria on Sat, Mar 04, 2000 at 09:26:41PM -0500
References:
Message-ID: <20000304222214.C2555@quipu.earth>

You've installed an OpenSSL library that doesn't include RSA support. OpenSSH requires RSA support in OpenSSL, since it's required for the SSH-1.5 protocol. You'll need to either rebuild OpenSSL to include RSA support, or find a binary package for your system that includes RSA support.

Remember that, if you're in the USA, you need to use the RSAREF library to provide RSA support in order to comply with patent licensing, until September of this year. I am not a lawyer.

--
jim knoble
jmknoble at pobox.com

On 2000-Mar-04 at 21:26:41 -0500, Jim Faria wrote:
: I've installed openssl-0.9.5 using rsaref.a. When I build ssh-1.2.2 with
: ./configure rsaref I still get the following error when running ssh: ssh:
: no RSA support in libssl and libcrypto. See ssl(8).
:
: What am I doing wrong?

From mw at moni.msci.memphis.edu Sun Mar 5 14:49:25 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Sat, 4 Mar 2000 21:49:25 -0600
Subject: libwrap.a check
Message-ID: <20000304214925.A2746@moni.msci.memphis.edu>

I know that it is kind of my fault, but: I specified --with-tcp-wrappers to configure, and make failed saying -lwrap not found. Now I did not have libwrap.a on this Solaris 2.6 box---though there is tcpd.

I thought it would be advisable for configure to look for libwrap.a and tcpd.h if --with-tcp-wrappers is specified.

Thx
mate
---
Mate Wierdl | Dept. of Math. Sciences | University of Memphis

From djm at mindrot.org Sun Mar 5 16:25:28 2000
From: djm at mindrot.org (Damien Miller)
Date: Sun, 5 Mar 2000 16:25:28 +1100 (EST)
Subject: your mail
In-Reply-To: <20000304222214.C2555@quipu.earth>
Message-ID:

On Sat, 4 Mar 2000, Jim Knoble wrote:

> You've installed an OpenSSL library that doesn't include RSA support.
> OpenSSH requires RSA support in OpenSSL, since it's required for the
> SSH-1.5 protocol.

It is not quite that simple. OpenSSL 0.9.5 is more paranoid about checking RNG seeding and will refuse to generate RSA keys until enough entropy has been deposited into its pool. I will be releasing a fix for this and the other problems reported over the last month shortly.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Sun Mar 5 16:29:13 2000
From: djm at mindrot.org (Damien Miller)
Date: Sun, 5 Mar 2000 16:29:13 +1100 (EST)
Subject: wtmp bug in OpenSSH
In-Reply-To:
Message-ID:

On Thu, 2 Mar 2000, Victor Meghesan wrote:

> Hello,
>
> I recently switched from SSH-1.2.27 to OpenSSH-1.2.2
> and I found this bug:
>
> OpenSSH-1.2.2 (SSH-1.5-OpenSSH-1.2.2) does not update the wtmp file.
>
> Software: Linux/Unix port of OpenSSH version 1.2.2
> OS: Linux Slackware 3.6 & 4.0 (x86)
> Problem: When logging in/out via sshd there is no update to the wtmp
> file

There have been a few such reports with older Slackware, but I have been unable to replicate the problem. You might want to try Andre Lucas' liblogin, which is a clean path through the morass of platform-specific [uw]tmp options.

http://dspace.dial.pipex.com/andre.lucas/liblogin.html

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Sun Mar 5 17:01:06 2000
From: djm at mindrot.org (Damien Miller)
Date: Sun, 5 Mar 2000 17:01:06 +1100 (EST)
Subject: libwrap.a check
In-Reply-To: <20000304214925.A2746@moni.msci.memphis.edu>
Message-ID:

On Sat, 4 Mar 2000, Mate Wierdl wrote:

> I thought it would be advisable for configure to look for libwrap.a
> and tcpd.h if --with-tcp-wrappers is specified.

Good idea.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From bent at clark.net Sun Mar 5 18:43:53 2000
From: bent at clark.net (Ben Taylor)
Date: Sun, 5 Mar 2000 02:43:53 -0500 (EST)
Subject: specify openssl libs for configure
In-Reply-To: <20000304194918.A687@moni.msci.memphis.edu>
Message-ID:

On Sat, 4 Mar 2000, Mate Wierdl wrote:

> My openssl libs are in /space/local/lib. How can I tell configure
> about it ?

env LDFLAGS="-R/space/local/lib -L/space/local/lib" ./configure

> Also, can a nonroot user install ssh* ?

Yes, but the server must run on a port > 1024, since those ports are non-privileged.

Ben

From jacob at velius.chaos2.org Sun Mar 5 19:55:01 2000
From: jacob at velius.chaos2.org (Jacob Luna Lundberg)
Date: Sun, 5 Mar 2000 00:55:01 -0800 (PST)
Subject: [PATCH] Add a Maximum Idle Time (1.2.2)
In-Reply-To:
Message-ID:

> I would first rather get to the bottom of figuring out why keepalives
> aren't working.

Ok. I've played around some and now understand keepalives a bit better. So that 7200 setting would be two hours, which is rather long. And in fact it turns out that setting it to 300 solves the problem for me. But it is of note that 7200 is the _default_ value. And also I'm still not sure why a setting of 7200 (both server and client) would break things. (Also finally I see some keepalive packets going by so now I understand much better what they are.)

> /proc/sys/net/ipv4/tcp_keepalive_time set to less than the masquerading timeouts?

The question remains here: what if you can't get your sysadmin to go tweaking with the kernel default keepalive of 7200 seconds? Do we just say to such a person, "too bad!" or do we let them send packets on their own to keep the connection alive?

Unless I misunderstand, keepalive default is set here:

/usr/src/linux/include/net/tcp.h line 264 (Linux 2.2.14)
#define TCP_KEEPALIVE_TIME (120*60*HZ) /* two hours */

I know it could be construed as bloat, which is why my patch didn't include a commandline option. I think the option itself is useful for the purpose of empowering the user (in a non-security threatening way ;).

-Jacob

--
"Heh. You mean this is Stef's source code?"
-User Friendly

From openssh-unix-dev.mindrot.org at marc-haber.de Sun Mar 5 22:08:46 2000
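Jacob's question above (what to do when the kernel-wide tcp_keepalive_time of 7200 seconds cannot be changed) has a third answer besides "too bad" and application-level ignore packets: Linux lets a process set the keepalive schedule on its own socket. The block below is an added example for this thread, not code from OpenSSH or from any of the posters. It assumes Linux, where TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT exist in netinet/tcp.h; the function names and the 300/60/4 schedule are this example's own choices.

```c
/* Added example: per-socket TCP keepalive on Linux, leaving the
 * /proc/sys/net/ipv4/tcp_keepalive_time default untouched. Not part of
 * OpenSSH; the names below (enable_keepalive etc.) are chosen here. */
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Turn on SO_KEEPALIVE and set the per-socket probe schedule:
 *   idle_secs      seconds of silence before the first probe is sent
 *   interval_secs  seconds between unanswered probes
 *   probes         unanswered probes before the connection is declared dead
 * Returns 0 on success, -1 on failure (errno set by setsockopt). */
int enable_keepalive(int fd, int idle_secs, int interval_secs, int probes)
{
    int on = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle_secs, sizeof(idle_secs)) < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &interval_secs, sizeof(interval_secs)) < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &probes, sizeof(probes)) < 0)
        return -1;
    return 0;
}

/* Read back the idle time in effect for this socket; -1 on error. */
int get_keepalive_idle(int fd)
{
    int idle = 0;
    socklen_t len = sizeof(idle);
    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle, &len) < 0)
        return -1;
    return idle;
}

/* Worst case before a dead peer is noticed: idle + interval * probes.
 * Compare this with the masquerading firewall's idle timeout. */
int keepalive_dead_after(int idle_secs, int interval_secs, int probes)
{
    return idle_secs + interval_secs * probes;
}

/* Self-check on an unconnected socket: returns the idle time read back
 * after enable_keepalive(), or -1 if any step failed. */
int keepalive_selftest(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int rc = enable_keepalive(fd, 300, 60, 4);
    int idle = (rc == 0) ? get_keepalive_idle(fd) : -1;
    close(fd);
    return idle;
}

int main(void)
{
    int idle = keepalive_selftest();
    if (idle < 0) {
        perror("keepalive");
        return 1;
    }
    printf("keepalive idle on this socket: %d s (kernel default untouched)\n", idle);
    printf("dead peer detected after at most %d s\n", keepalive_dead_after(300, 60, 4));
    return 0;
}
```

The options must be set before the connection goes idle, so in a client they belong right after connect(); a 300-second idle time keeps traffic flowing under the ip_masq timeout Jacob describes, without relying on the peer or on the protocol layer. The test reads the value back with getsockopt to confirm the kernel accepted the per-socket override.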
From: openssh-unix-dev.mindrot.org at marc-haber.de (Marc Haber)
Date: Sun, 05 Mar 2000 11:08:46 GMT
Subject: [PATCH] Add a Maximum Idle Time (1.2.2)
In-Reply-To:
References:
Message-ID:

On Fri, 3 Mar 2000 13:33:40 -0800 (PST), you wrote:

> When ssh dies on me (when no max idle time is set) it gives me the
> error below:
>
> "
> velius:~% Read from remote host velius.chaos2.org: Connection reset by peer
> Connection to velius.chaos2.org closed.
> jacob:~#
> "

I see the very same problem in my setup. Do I have to apply that patch to both client and server?

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         | " Questions are the           | Mail address in the header
Karlsruhe, Germany | Beginning of Wisdom "         | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29

From jacob at velius.chaos2.org Mon Mar 6 07:57:42 2000
From: jacob at velius.chaos2.org (Jacob Luna Lundberg)
Date: Sun, 5 Mar 2000 12:57:42 -0800 (PST)
Subject: [PATCH] Add a Maximum Idle Time (1.2.2)
Message-ID:

> I see the very same problem in my setup. Do I have to apply that patch
> to both client and server?

It only patches the client, so you can get away with just putting it on your client (which won't help people ssh-ing _from_ the server). If you're running Linux on the client and can become root, you could also try (with KeepAlive yes set on both server and client):

/bin/echo "300\c" > /proc/sys/net/ipv4/tcp_keepalive_time

> !! No courtesy copies, please !!

Fair enough, but please do cc me; I don't usually read the list.

-Jacob

--
"Heh. You mean this is Stef's source code?"
-User Friendly

From manson at ricochet.net Mon Mar 6 17:19:52 2000
From: manson at ricochet.net (Bob Manson) Date: Sun, 05 Mar 2000 22:19:52 -0800 Subject: openssh-1.2.2 bug/patch Message-ID: <200003060619.WAA11391@newsguy.com> sshd can free a buffer twice in some circumstances; here's a patch. (causes sshd to crash under linux; a similar fix is probably needed for the pam code, btw) --- sshd.c~ Tue Jan 25 16:07:22 2000 +++ sshd.c Sun Mar 5 22:14:40 2000 @@ -1525,7 +1525,10 @@ } if (client_user != NULL) + { xfree(client_user); + client_user = NULL; + } if (attempt > AUTH_FAIL_MAX) packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); From markus.friedl at informatik.uni-erlangen.de Mon Mar 6 18:50:06 2000 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 6 Mar 2000 08:50:06 +0100 Subject: [PATCH] Add a Maximum Idle Time (1.2.2) In-Reply-To: ; from jacob@velius.chaos2.org on Fri, Mar 03, 2000 at 01:33:40PM -0800 References: Message-ID: <20000306085006.A3981@folly.informatik.uni-erlangen.de> the patch looks reasonable, but SSH_MSG_NONE type packets must not travel over the wire. this violates the protocol spec. On Fri, Mar 03, 2000 at 01:33:40PM -0800, Jacob Luna Lundberg wrote: > + packet_start(SSH_MSG_NONE); > + packet_send(); SSH_MSG_IGNORE should be used, e.g.: packet_start(SSH_MSG_IGNORE); packet_put_string("bla", 3); packet_send(); -markus From openssh-unix-dev.mindrot.org at marc-haber.de Mon Mar 6 19:45:29 2000 
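Review bot: in Bob Manson's sshd.c hunk (the `if (client_user != NULL)` block at @@ -1525,7 +1525,10 @@), resetting client_user to NULL directly after xfree() is the right fix, since the authentication loop reaches this point again on the next attempt and would otherwise free the same pointer twice; two things to tidy: the `{` placed on its own line after the `if` does not match the brace style of the surrounding sshd.c code (brace on the `if` line), and the PAM path that the cover text says needs the same treatment is not touched by this hunk, so either a second hunk or a comment marking the remaining site would keep the two fixes together.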
From: openssh-unix-dev.mindrot.org at marc-haber.de (Marc Haber)
Date: Mon, 06 Mar 2000 08:45:29 GMT
Subject: [PATCH] Add a Maximum Idle Time (1.2.2)
In-Reply-To:
References:
Message-ID:

On Sun, 5 Mar 2000 12:57:42 -0800 (PST), you wrote:

>> I see the very same problem in my setup. Do I have to apply that patch
>> to both client and server?
>
> It only patches the client, so you can get away with just putting it
> on your client (which won't help people ssh-ing _from_ the server).

Then my problem is somewhere else since my client is TeraTerm ssh on a Windows box.

>> !! No courtesy copies, please !!
>
> Fair enough, but please do cc me; I don't usually read the list.

Done.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         | " Questions are the           | Mail address in the header
Karlsruhe, Germany | Beginning of Wisdom "         | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29

From jacob at velius.chaos2.org Mon Mar 6 19:38:37 2000
From: jacob at velius.chaos2.org (Jacob Luna Lundberg) Date: Mon, 6 Mar 2000 00:38:37 -0800 (PST) Subject: [PATCH] Add a Maximum Idle Time (1.2.2) In-Reply-To: <20000306085006.A3981@folly.informatik.uni-erlangen.de> Message-ID: On Mon, 6 Mar 2000, Markus Friedl wrote: > the patch looks reasonable, but SSH_MSG_NONE type packets > must not travel over the wire. this violates the protocol spec. Ok. Corrected patch attached. :) As before, it's also here: http://www.chaos2.org/~jacob/code/patch-openssh-1.2.2-trans_inter-r1 > SSH_MSG_IGNORE should be used, e.g.: > packet_start(SSH_MSG_IGNORE); > packet_put_string("bla", 3); > packet_send(); I wondered if I needed to stuff them with something. Open sshd didn't seem to mind if they were empty, but closed sshd terminated the connection. Thanks for the showing me how... -Jacob -- "Heh. You mean this is Stef's source code?" -User Friendly -------------- next part -------------- diff -ur openssh-1.2.2/clientloop.c openssh-1.2.2-trans_inter-r1/clientloop.c --- openssh-1.2.2/clientloop.c Mon Dec 6 20:38:32 1999 +++ openssh-1.2.2-trans_inter-r1/clientloop.c Mon Mar 6 00:22:46 2000 @@ -396,8 +396,10 @@ */ void -client_wait_until_can_do_something(fd_set * readset, fd_set * writeset) +client_wait_until_can_do_something(fd_set * readset, fd_set * writeset, int trans_inter) { + int select_return; + /* Initialize select masks. */ FD_ZERO(readset); 
@@ -436,15 +438,31 @@ max_fd = channel_max_fd(); /* - * Wait for something to happen. This will suspend the process until - * some selected descriptor can be read, written, or has some other - * event pending. Note: if you want to implement SSH_MSG_IGNORE - * messages to fool traffic analysis, this might be the place to do - * it: just have a random timeout for the select, and send a random - * SSH_MSG_IGNORE packet when the timeout expires. + * Wait for something to happen. This will suspend the process + * until some selected descriptor can be read, written, or has some + * other event pending. + * Implemented timeout SSH_MSG_IGNORE packets to keep a minimum + * frequency of traffic present on a connection. This can be used to + * prevent a firewall (ip_masq f.e.) from timing out and causing a new + * port to be allocated which effectively kills the connection. + * To fool traffic analysis, set the timeout on the SSH_MSG_IGNORE + * packets randomly. Fill the packets with random-length traffic. */ - if (select(max_fd + 1, readset, writeset, NULL, NULL) < 0) { + if( trans_inter > 0 ) { + struct timeval timeout; + timeout.tv_sec = trans_inter; + timeout.tv_usec = 0; + select_return = select(max_fd + 1, readset, writeset, NULL, &timeout); + if(select_return == 0) { + packet_start(SSH_MSG_IGNORE); + packet_put_string("TransmitInterlude", 17); + packet_send(); + } + } else + select_return = select(max_fd + 1, readset, writeset, NULL, NULL); + + if( select_return < 0 ) { char buf[100]; /* Some systems fail to clear these automatically. */ FD_ZERO(readset); 
@@ -863,7 +881,7 @@ * Wait until we have something to do (something becomes * available on one of the descriptors). */ - client_wait_until_can_do_something(&readset, &writeset); + client_wait_until_can_do_something(&readset, &writeset, options.trans_inter); if (quit_pending) break; diff -ur openssh-1.2.2/readconf.c openssh-1.2.2-trans_inter-r1/readconf.c --- openssh-1.2.2/readconf.c Sun Dec 5 16:47:29 1999 +++ openssh-1.2.2-trans_inter-r1/readconf.c Mon Mar 6 00:22:46 2000 @@ -78,6 +78,7 @@ UseRsh no StrictHostKeyChecking yes KeepAlives no + TransmitInterlude 0 IdentityFile ~/.ssh/identity Port 22 EscapeChar ~ @@ -101,8 +102,8 @@ oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, - oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oTISAuthentication, - oUsePrivilegedPort, oLogLevel + oCompressionLevel, oKeepAlives, oTransmitInterlude, oNumberOfPasswordPrompts, + oTISAuthentication, oUsePrivilegedPort, oLogLevel } OpCodes; /* Textual representations of the tokens. */ @@ -148,6 +149,7 @@ { "compression", oCompression }, { "compressionlevel", oCompressionLevel }, { "keepalive", oKeepAlives }, + { "transmitinterlude", oTransmitInterlude }, { "numberofpasswordprompts", oNumberOfPasswordPrompts }, { "tisauthentication", oTISAuthentication }, { "loglevel", oLogLevel }, @@ -355,6 +357,10 @@ intptr = &options->keepalives; goto parse_flag; + case oTransmitInterlude: + intptr = &options->trans_inter; + goto parse_int; + case oNumberOfPasswordPrompts: intptr = &options->number_of_password_prompts; goto parse_int; @@ -610,6 +616,7 @@ options->strict_host_key_checking = -1; options->compression = -1; options->keepalives = -1; + options->trans_inter = -1; options->compression_level = -1; options->port = -1; options->connection_attempts = -1; 
@@ -677,6 +684,8 @@ options->compression = 0; if (options->keepalives == -1) options->keepalives = 1; + if (options->trans_inter == -1) + options->trans_inter = 0; if (options->compression_level == -1) options->compression_level = 6; if (options->port == -1) diff -ur openssh-1.2.2/readconf.h openssh-1.2.2-trans_inter-r1/readconf.h --- openssh-1.2.2/readconf.h Sun Dec 5 16:47:29 1999 +++ openssh-1.2.2-trans_inter-r1/readconf.h Mon Mar 6 00:22:46 2000 @@ -56,6 +56,7 @@ int compression_level; /* Compression level 1 (fast) to 9 * (best). */ int keepalives; /* Set SO_KEEPALIVE. */ + int trans_inter; /* Guarantee transmit every n seconds. */ LogLevel log_level; /* Level for logging. */ int port; /* Port to connect. */ diff -ur openssh-1.2.2/ssh.0 openssh-1.2.2-trans_inter-r1/ssh.0 --- openssh-1.2.2/ssh.0 Wed Jan 26 19:17:09 2000 +++ openssh-1.2.2-trans_inter-r1/ssh.0 Mon Mar 6 00:32:28 2000 
@@ -486,6 +486,21 @@ be verified automatically in either case. The argument must be ``yes'' or ``no''. + TransmitInterlude + Specifies a maximum time to allow between transmitting packets, + in seconds. If this amount of time passes and the client has no + data to send, it will send an ignore packet to the server. One + example where this is useful is when using ssh from behind a Lin- + ux ip_masquerade firewall. If packets aren't sent through such a + firewall periodically, the firewall may forget about the connec- + tion. Then when a packet finally is sent, the firewall will as- + sign a new port, which will cause the remote server to disconnect + the session. This option defaults to ``0'', which means not + sending periodic packets. A setting of a few hundred seconds + should be about right if this is needed. You should probably try + setting KeepAlive to ``yes'' in your conf files on both the serv- + er and the client first. + UsePrivilegedPort Specifies whether to use a privileged port for outgoing connec- tions. The argument must be ``yes'' or ``no''. The default is diff -ur openssh-1.2.2/ssh.1 openssh-1.2.2-trans_inter-r1/ssh.1 --- openssh-1.2.2/ssh.1 Sat Jan 22 00:57:40 2000 +++ openssh-1.2.2-trans_inter-r1/ssh.1 Mon Mar 6 00:30:30 2000 
@@ -720,6 +720,22 @@ .Dq yes or .Dq no . +.It Cm TransmitInterlude +Specifies a maximum time to allow between transmitting packets, +in seconds. If this amount of time passes and the client has +no data to send, it will send an ignore packet to the server. +One example where this is useful is when using ssh from behind +a Linux ip_masquerade firewall. If packets aren't sent through +such a firewall periodically, the firewall may forget about the +connection. Then when a packet finally is sent, the firewall +will assign a new port, which will cause the remote server to +disconnect the session. This option defaults to +.Dq 0 , +which means not sending periodic packets. A setting of a few +hundred seconds should be about right if this is needed. You +should probably try setting KeepAlive to +.Dq yes +in your conf files on both the server and the client first. .It Cm UsePrivilegedPort Specifies whether to use a privileged port for outgoing connections. The argument must be From jacob at velius.chaos2.org Mon Mar 6 20:08:59 2000 
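Review bot: in the clientloop.c hunk at @@ -436,15 +438,31 @@ the rewritten comment promises a randomised timeout and random-length fill, but the code does neither: the timeout is always exactly trans_inter seconds and the payload is the constant 17-byte string "TransmitInterlude", so an observer sees a packet of fixed size at a fixed period, which is the pattern the comment says to avoid. Either drop those two sentences from the comment or implement them (jitter `timeout.tv_sec` around trans_inter and fill the string with random bytes of random length). Minor: `if( trans_inter > 0 )` and `if( select_return < 0 )` use a spacing style not found elsewhere in the file.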
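Review bot: in the readconf.c hunk at @@ -355,6 +357,10 @@ the oTransmitInterlude case jumps to parse_int with no range check, so a negative value in ssh_config is accepted and silently behaves like 0 (clientloop.c tests `trans_inter > 0`), and a value of exactly -1 is indistinguishable from "not set" and is overwritten with 0 by the `if (options->trans_inter == -1)` default in the @@ -677,6 +684,8 @@ hunk. Reject values below zero at parse time, or state in the ssh.1 text that 0 and negative values both disable the option.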
From: jacob at velius.chaos2.org (Jacob Luna Lundberg) Date: Mon, 6 Mar 2000 01:08:59 -0800 (PST) Subject: [PATCH] Add a Maximum Idle Time (1.2.2) In-Reply-To: Message-ID: Marc Haber wrote: > Then my problem is somewhere else since my client is TeraTerm ssh on a > Windows box. I presume that the server is a Linux box? If you can get root on the box that houses the server, try changing _its_ keepalive timeout to 300 seconds. That might do it for you. The serverloop itself is a bit more complex conceptually than the clientloop and already implements a timeout in order to collate small transmissions into larger ones. The attached patch should be categorized under "Garish Malformed Hackish Patchlets" and is not really implemented right but could give a general idea of where you'd have to work to implement ignore packets in the serverloop. -Jacob -- "Heh. You mean this is Stef's source code?" -User Friendly -------------- next part -------------- --- openssh-1.2.2/serverloop.c Mon Jan 17 01:55:19 2000 +++ openssh-1.2.2-trans_inter-r1/serverloop.c Mon Mar 6 01:01:35 2000 @@ -290,15 +290,18 @@ max_time_milliseconds = 100; if (max_time_milliseconds == 0) - tvp = NULL; + tv.tv_sec = 300; else { tv.tv_sec = max_time_milliseconds / 1000; tv.tv_usec = 1000 * (max_time_milliseconds % 1000); - tvp = &tv; } + tvp = &tv; /* Wait for something to happen, or the timeout to expire. */ ret = select(max_fd + 1, readset, writeset, NULL, tvp); + packet_start(SSH_MSG_IGNORE); + packet_put_string("JunkPacket", 10); + packet_send(); if (ret < 0) { if (errno != EINTR) From nebulous at owlnet.rice.edu Tue Mar 7 04:07:51 2000 
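Review bot: in the serverloop.c hunk the SSH_MSG_IGNORE packet is sent after every select() return, not only when the timeout expired, so one goes out on every real read/write event and even when ret < 0; guard it with `if (ret == 0)` and place it after the error check. Replacing `tvp = NULL` with `tv.tv_sec = 300` also hard-codes the interval and removes the no-timeout case instead of reading a server option, and the 10-byte constant "JunkPacket" has the same fixed-size, fixed-content weakness as the client-side string. The cover text already calls this a sketch; these are the points that would need fixing before it could be considered.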
From: nebulous at owlnet.rice.edu (Sean Aaron Lisse)
Date: Mon, 6 Mar 2000 11:07:51 -0600 (CST)
Subject: [PATCH] Add a Maximum Idle Time (1.2.2)
In-Reply-To: <20000306085006.A3981@folly.informatik.uni-erlangen.de>
Message-ID:

> the patch looks reasonable, but SSH_MSG_NONE type packets
> must not travel over the wire. this violates the protocol spec.
> SSH_MSG_IGNORE should be used, e.g.:
>
> packet_start(SSH_MSG_IGNORE);
> packet_put_string("bla", 3);
> packet_send();
>
> -markus

One worry... I don't know very much about the protocol specs for ssh, but I know a -little- about crypto. Would this allow an attacker to mount a known-text attack? I.e. given that an attacker could now look for regularly-spaced (probably default-spaced in most cases) packets, and assume that they contained the string "bla", could the attacker then have a toehold on finding out the key?

I recommend sending some random characters instead of a constant string like "bla".

-Sean Lisse

From mw at moni.msci.memphis.edu Tue Mar 7 06:45:48 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Mon, 6 Mar 2000 13:45:48 -0600
Subject: spec file
Message-ID: <20000306134548.A2174@moni.msci.memphis.edu>

I have looked into the spec file for the openssh rpm. In the %preun stanza, I noticed that the currently running sshd is stopped only when removing the package. On the other hand, it is theoretically possible that a new version of openssh may install files which would make the old sshd misbehave. So I think it is better to stop sshd every time the package is upgraded.

Also, the %post stanza for the server package starts sshd. But what if the upgrade is done in single user mode? The sysV initscript does not check if networking is up---it just seems to start the service no matter what.

Best,
Mate
---
Mate Wierdl | Dept. of Math. Sciences | University of Memphis

From edw at detel.com Tue Mar 7 07:35:04 2000
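Sean's concern above, and the comment in Jacob's clientloop.c patch about "fooling traffic analysis", both point at the same two properties of an idle-time ignore packet: its timing and its contents should not be constant. The block below is an added example written for this thread, not code from OpenSSH or from any poster. It keeps the select()-with-timeout structure of the patch but jitters the timeout and fills the payload with random bytes of random length; a pipe stands in for the ssh connection, /dev/urandom is the randomness source, and wait_or_idle(), jittered_timeout(), make_ignore_payload() and idle_roundtrip() are names chosen here (the OpenSSH packet_*() calls are left out, the caller would pass the payload to them).

```c
/* Added example: jittered idle timer plus random-length SSH_MSG_IGNORE
 * payload. Not OpenSSH code; function names and bounds are this example's. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

#define IGNORE_MIN 16   /* shortest random payload, bytes */
#define IGNORE_MAX 128  /* longest random payload, bytes */

/* Fill buf with n bytes from /dev/urandom; 0 on success, -1 on failure. */
static int fill_random(unsigned char *buf, size_t n)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r <= 0) { close(fd); return -1; }
        got += (size_t)r;
    }
    close(fd);
    return 0;
}

/* A timeout in [base - jitter, base + jitter] seconds, never below 1,
 * so the ignore packets are not regularly spaced. */
int jittered_timeout(int base, int jitter)
{
    unsigned int r;
    if (fill_random((unsigned char *)&r, sizeof(r)) < 0)
        return base;
    int span = 2 * jitter + 1;
    int t = base - jitter + (int)(r % (unsigned int)span);
    return t < 1 ? 1 : t;
}

/* Build an ignore payload of random length with random contents.
 * Returns the number of bytes written (IGNORE_MIN..IGNORE_MAX), or -1. */
int make_ignore_payload(unsigned char *buf, size_t bufsize)
{
    unsigned int r;
    if (bufsize < IGNORE_MAX)
        return -1;
    if (fill_random((unsigned char *)&r, sizeof(r)) < 0)
        return -1;
    int len = IGNORE_MIN + (int)(r % (IGNORE_MAX - IGNORE_MIN + 1));
    if (fill_random(buf, (size_t)len) < 0)
        return -1;
    return len;
}

/* Wait up to timeout_secs for fd to become readable, as the select() in
 * clientloop.c does. Returns 1 if data arrived, 0 if the timer expired
 * (the caller then sends the ignore packet), -1 on error. */
int wait_or_idle(int fd, int timeout_secs)
{
    fd_set readset;
    struct timeval tv;
    tv.tv_sec = timeout_secs;
    tv.tv_usec = 0;
    FD_ZERO(&readset);
    FD_SET(fd, &readset);
    int ret = select(fd + 1, &readset, NULL, NULL, &tv);
    if (ret < 0)
        return -1;
    return ret == 0 ? 0 : 1;
}

/* Self-check with a pipe: the first wait must time out (nothing written),
 * the second must see the byte written in between. Returns 1 on success. */
int idle_roundtrip(void)
{
    int p[2];
    if (pipe(p) < 0)
        return 0;
    int first = wait_or_idle(p[0], 0);
    int second = -1;
    if (write(p[1], "x", 1) == 1)
        second = wait_or_idle(p[0], 1);
    close(p[0]);
    close(p[1]);
    return first == 0 && second == 1;
}

int main(void)
{
    unsigned char payload[IGNORE_MAX];
    int len = make_ignore_payload(payload, sizeof(payload));
    printf("pipe roundtrip ok: %d\n", idle_roundtrip());
    printf("idle: would send SSH_MSG_IGNORE with %d random bytes\n", len);
    printf("next timeout: %d s (base 300, jitter 60)\n", jittered_timeout(300, 60));
    return 0;
}
```

In a client loop the caller would call wait_or_idle() with a fresh jittered_timeout() each round and, on a 0 return, hand make_ignore_payload()'s bytes to the ignore-packet sender. The random contents remove the known-plaintext toehold Sean describes, and the random length and spacing remove the fixed-size, fixed-period pattern, which is what the original patch's comment asks for but its constant string and fixed interval do not provide.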
From: edw at detel.com (Ed Weinberg)
Date: Mon, 06 Mar 2000 15:35:04 -0500
Subject: ./configure cannot find zlib
Message-ID:

I am trying to compile openssh on a Red Hat 5.2 system with the zlib rpm installed. For some reason when I run ./configure it gives me the error that I must install zlib first.

It is here:

# ls /usr/lib/libz*
/usr/lib/libz.so.1@ /usr/lib/libz.so.1.1.3*

The RPM seems to only work on RH6.x, so I downloaded the src rpm...which I am guessing is already patched for compiling with Linux.

Any ideas?

--
Ed Weinberg, RHCE
Now at Q5 Comm, LLC
edw at q5comm.com

The monopoly is broken! Q5 Comm, LLC now registers domains for $25 for one year or $45 for two years. Why pay Internic $70 for the same thing?

From jmknoble at pobox.com Tue Mar 7 08:03:12 2000
From: jmknoble at pobox.com (Jim Knoble)
Date: Mon, 6 Mar 2000 16:03:12 -0500
Subject: ./configure cannot find zlib
In-Reply-To: ; from Ed Weinberg on Mon, Mar 06, 2000 at 03:35:04PM -0500
References:
Message-ID: <20000306160312.A28385@ntrnet.net>

On 2000-Mar-06 at 15:35:04 -0500, Ed Weinberg wrote:
: I am trying to compile openssh on a Red Hat 5.2 system with the zlib
: rpm installed. For some reason when I run ./configure it gives me the
: error that I must install zlib first.
:
: it is here:
: # ls /usr/lib/libz*
: /usr/lib/libz.so.1@ /usr/lib/libz.so.1.1.3*

You need to install the zlib-devel package.

: Any ideas?
:
: -- Ed Weinberg, RHCE
              /^^^^^^

You might consider studying for the test again. Installing the devel packages is pretty basic stuff for a Red Hat platform, and something you ought to know to claim an RHCE.

--
jim knoble
jmknoble at pobox.com

From mw at moni.msci.memphis.edu Tue Mar 7 09:01:34 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Mon, 6 Mar 2000 16:01:34 -0600
Subject: openssl and rsa
Message-ID: <20000306160134.B2884@moni.msci.memphis.edu>

The openssl list does not seem to respond to this, so let me ask you here: my librsaref.a is in /space/local/lib. How do I tell openssl's config/make about this?

Also, how do I tell config/make to use /usr/ccs/bin/ld instead of the default (gnu linker has problems on Solaris).

Thx,
Mate

From mw at moni.msci.memphis.edu Tue Mar 7 09:06:04 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Mon, 6 Mar 2000 16:06:04 -0600
Subject: how not to use rsa
Message-ID: <20000306160604.C2884@moni.msci.memphis.edu>

Does openssl have to be built with rsa support to be usable by openssh? I did not specify `rsaref' to config for openssl, and only after I installed and tried to start sshd did I get the error

Starting sshd: ssh-keygen: no RSA support in libssl and libcrypto. See ssl(8).
sshd: no RSA support in libssl and libcrypto -- exiting. See ssl(8)
no RSA support in libssl and libcrypto -- exiting. See ssl(8)

Thx
Mate

From mw at moni.msci.memphis.edu Tue Mar 7 11:08:59 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Mon, 6 Mar 2000 18:08:59 -0600
Subject: rsaref usage
Message-ID: <20000306180859.A4029@moni.msci.memphis.edu>

First, when I tried to start sshd, I got the message

Starting sshd: ssh-keygen: no RSA support in libssl and libcrypto. See ssl(8).
sshd: no RSA support in libssl and libcrypto -- exiting. See ssl(8)
no RSA support in libssl and libcrypto -- exiting. See ssl(8)

So I thought I have to recompile openssl with the rsaref flag to config. When I did that, I got a compilation error (this is version 0.9.5 of openssl):

gcc -o openssl -DMONOLITH -I../include -DTHREADS -D_REENTRANT -DRSAref -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o dsa.o dsaparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o -L. -L.. -L../.. -L../../.. -L.. -lssl -L.. -lcrypto -L/space/local/lib
s_server.o: In function `sv_body':
s_server.o(.text+0x10a4): undefined reference to `shutdown'
s_server.o(.text+0x142c): undefined reference to `shutdown'
s_server.o: In function `close_accept_socket':
s_server.o(.text+0x24ec): undefined reference to `shutdown'
s_client.o: In function `s_client_main':
s_client.o(.text+0x940): undefined reference to `shutdown'
s_client.o(.text+0xa14): undefined reference to `shutdown'
s_client.o(.text+0x12a0): more undefined references to `shutdown' follow
speed.o: In function `speed_main':
speed.o(.text+0x3ec): undefined reference to `RSA_PKCS1_RSAref'
s_time.o: In function `s_time_main':
s_time.o(.text+0x72c): undefined reference to `shutdown'
s_time.o(.text+0x98c): undefined reference to `shutdown'
s_time.o(.text+0xab0): undefined reference to `shutdown'
s_socket.o: In function `nbio_init_client_ip':
s_socket.o(.text+0x6c): undefined reference to `socket'
s_socket.o(.text+0xa4): undefined reference to `setsockopt'
s_socket.o(.text+0xf4): undefined reference to `connect'
s_socket.o: In function `init_server':
[...]
rand_egd.o(.text+0x78): undefined reference to `connect'
../libcrypto.a(err_all.o): In function `ERR_load_crypto_strings':
err_all.o(.text+0x40): undefined reference to `ERR_load_RSAREF_strings'
*** Error code 1
make: Fatal error: Command failed for target `openssl'
Current working directory /space/local/src/redhat/BUILD/openssl-0.9.5/apps
*** Error code 1
make: Fatal error: Command failed for target `all'

This is on Solaris 2.6. Can I compile openssl without rsaref, and still use it with openssh?

Thx
Mate
---
Mate Wierdl | Dept. of Math. Sciences | University of Memphis

From phen at school.net.th Tue Mar 7 13:51:41 2000
From: phen at school.net.th (Siriphen Wikaisuksakul)
Date: Tue, 7 Mar 2000 09:51:41 +0700
Subject: Fail to compile on FreeBSD 3.3
Message-ID: <000c01bf87e0$1296a5b0$149a96cb@cassiopeia>

I had some problems when I compiled openssh-1.2.2 on FreeBSD 3.3 with the skey option enabled, like this:

./configure --with-tcp-wrappers --with-skey
..
....
......
gcc -o sshd sshd.o auth-rhosts.o auth-krb4.o auth-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o log-server.o login.o servconf.o serverloop.o bsd-login.o md5crypt.o -L. -L/usr/local/ssl/lib -lssh -lz -lcrypto -lutil -lpam -lskey -lwrap
sshd.o: In function `do_authloop':
/usr/local/src/openssh-1.2.2/sshd.c(.text+0x1d68): undefined reference to `skey_keyinfo'
/usr/local/src/openssh-1.2.2/sshd.c(.text+0x1d8a): undefined reference to `skey_fake_keyinfo'
/usr/local/src/openssh-1.2.2/sshd.c(.text+0x1e52): undefined reference to `skey_haskey'
/usr/local/src/openssh-1.2.2/sshd.c(.text+0x1e64): undefined reference to `skey_passcheck'
sshd.o: In function `do_fake_authloop':
/usr/local/src/openssh-1.2.2/sshd.c(.text+0x1fff): undefined reference to `skey_fake_keyinfo'
*** Error code 1
Stop.

How can I solve it, please help?

Regards,
Phen.

From Nigel.Metheringham at VData.co.uk Tue Mar 7 20:37:13 2000
From: Nigel.Metheringham at VData.co.uk (Nigel Metheringham)
Date: Tue, 07 Mar 2000 09:37:13 +0000
Subject: spec file
In-Reply-To: Message from Mate Wierdl of "Mon, 06 Mar 2000 13:45:48 CST." <20000306134548.A2174@moni.msci.memphis.edu>
Message-ID:

mw at moni.msci.memphis.edu said:
> So I think, it is better to stop sshd every time the package is
> upgraded.

I agree - be slightly careful here in that you don't have (effectively) a killall sshd here, because that's very embarrassing if you are upgrading a remote machine over a ssh session (I speak from experience).

> Also, the %post stanza for the server package, starts sshd. But what
> if the upgrade is done in single user mode? The sysV initscript does
> not check if networking is up---it just seems to start the service no
> matter what.

I'm unhappy about this - it's a complete pain if you are installing ssh as part of your machine build. You may also happen to be missing decent entropy etc under these conditions. I personally modify the spec & init.d files to do the key generation within the start part of the init.d file. I guess if sshd *was* running then starting it again is reasonable, otherwise do not start it.

Nigel.
--
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham Nigel.Metheringham at VData.co.uk ]
[ Phone: +44 1423 850000 Fax +44 1423 858866 ]

From jacob at velius.chaos2.org Tue Mar 7 20:51:15 2000
From: jacob at velius.chaos2.org (Jacob Luna Lundberg)
Date: Tue, 7 Mar 2000 01:51:15 -0800 (PST)
Subject: tcpdump says "truncated-ip"?
Message-ID:

Below are three examples of tcpdump complaining about truncated-ip, whatever that is. Is this a problem? It doesn't seem to impact my connection negatively. I am getting these when using a plain-vanilla openssh client to connect to an ssh-1.2.27 server.

inbetween:~# tcpdump -i eth1 | grep truncated
tcpdump: listening on eth1
01:45:30.454190 truncated-ip - 10 bytes missing!velius.chaos2.org.ssh > c392100-a.crvlls1.or.home.com.64080: P 3169:3433(264) ack 1580 win 32120 (DF)
01:45:40.501069 truncated-ip - 186 bytes missing!velius.chaos2.org.ssh > c392100-a.crvlls1.or.home.com.64080: P 5809:6249(440) ack 2840 win 32120 (DF)
01:45:42.327067 truncated-ip - 274 bytes missing!velius.chaos2.org.ssh > c392100-a.crvlls1.or.home.com.64080: P 6337:6865(528) ack 3120 win 32120 (DF)

Thanks,
-Jacob
--
"Heh. You mean this is Stef's source code?" -User Friendly

From djm at mindrot.org Tue Mar 7 21:31:34 2000
From: djm at mindrot.org (Damien Miller)
Date: Tue, 7 Mar 2000 21:31:34 +1100 (EST)
Subject: rsaref usage
In-Reply-To: <20000306180859.A4029@moni.msci.memphis.edu>
Message-ID:

On Mon, 6 Mar 2000, Mate Wierdl wrote:
> First, when I tried to start sshd, I got the message
>
> Starting sshd: ssh-keygen: no RSA support in libssl and libcrypto.
> See ssl(8).

openssh-0.9.5 right?

I have a patch coming (probably tomorrow) which fixes this and other problems.

-d
--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Tue Mar 7 21:35:21 2000
From: djm at mindrot.org (Damien Miller)
Date: Tue, 7 Mar 2000 21:35:21 +1100 (EST)
Subject: spec file
In-Reply-To: <20000306134548.A2174@moni.msci.memphis.edu>
Message-ID:

On Mon, 6 Mar 2000, Mate Wierdl wrote:
> I have looked into the spec file for the openssh rpm.
> In the %preun stanza, I noticed that the currently running sshd is
> stopped only when removing the package. On the other hand, it is
> theoretically possible that a new version of openssh may install files
> which would make the old sshd misbehave.

Have a look in %post

The server is restarted whenever it is upgraded, but the config files are not replaced. I will change this if I feel an upgrade changes semantics sufficiently but I think it is reasonable now.

-d
--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Tue Mar 7 21:36:49 2000
From: djm at mindrot.org (Damien Miller)
Date: Tue, 7 Mar 2000 21:36:49 +1100 (EST)
Subject: spec file
In-Reply-To:
Message-ID:

On Tue, 7 Mar 2000, Nigel Metheringham wrote:
> > Also, the %post stanza for the server package, starts sshd. But what
> > if the upgrade is done in single user mode? The sysV initscript does
> > not check if networking is up---it just seems to start the service no
> > matter what.
>
> I'm unhappy about this - it's a complete pain if you are installing ssh
> as part of your machine build. You may also happen to be missing
> decent entropy etc under these conditions. I personally modify the
> spec & init.d files to do the key generation within the start part of
> the init.d file. I guess if sshd *was* running then starting it again
> is reasonable, otherwise do not start it.

RTFS:

%post server
/sbin/chkconfig --add sshd
if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then
        /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2
fi
if test -r /var/run/sshd.pid
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
then
        /etc/rc.d/init.d/sshd restart >&2
fi

-d
--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From jacob at velius.chaos2.org Tue Mar 7 21:54:37 2000
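As an added example (not from the spec file or from this thread), a stricter form of that pid-file test: it only reports sshd as running when the pid in the file belongs to a live process, so a stale /var/run/sshd.pid left behind by a crash cannot make a single-user-mode upgrade start the daemon. The function names and the pid files the demo creates are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the openssh spec file: a stricter replacement for
# "test -r /var/run/sshd.pid".  The plain readability test is also true for a
# stale pid file, which would make %post "restart" (i.e. start) sshd on a box
# that is being built or upgraded in single-user mode.

# sshd_is_running PIDFILE
#   0 when PIDFILE is readable, holds a numeric pid and that pid is alive
#   (kill -0 only probes, it sends no signal); 1 in every other case.
sshd_is_running() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" 2>/dev/null | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;   # empty or garbage contents: not running
    esac
    kill -0 "$pid" 2>/dev/null
}

# upgrade_action PIDFILE
#   prints what the %post stanza should do: "restart" only when sshd is really
#   up, otherwise "leave-stopped" (the init script starts it at the next boot).
upgrade_action() {
    if sshd_is_running "$1"; then
        echo restart
    else
        echo leave-stopped
    fi
}

# Stand-alone demo on constructed pid files; no real sshd is touched.
demo_dir=$(mktemp -d)
echo $$ > "$demo_dir/live.pid"              # this shell: certainly alive
sh -c 'exit 0' & dead_pid=$!; wait "$dead_pid"
echo "$dead_pid" > "$demo_dir/stale.pid"    # process has already exited
printf 'bogus\n' > "$demo_dir/junk.pid"     # corrupt contents
for f in live stale junk missing; do
    printf '%s.pid -> %s\n' "$f" "$(upgrade_action "$demo_dir/$f.pid")"
done
rm -rf "$demo_dir"
```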
From: jacob at velius.chaos2.org (Jacob Luna Lundberg) Date: Tue, 7 Mar 2000 02:54:37 -0800 (PST) Subject: [PATCH] Add a Maximum Idle Time (1.2.2) In-Reply-To: Message-ID: Sean Aaron Lisse wrote: > I recommend sending some random characters instead of a constant string > like "bla". Done. I used random strings with a maximum length of 256 chars. Sound good to everybody? And the patch is also at: http://www.chaos2.org/~jacob/code/patch-openssh-1.2.2-trans_inter-r2 -Jacob -- "Heh. You mean this is Stef's source code?" -User Friendly -------------- next part -------------- diff -ur openssh-1.2.2/bsd-misc.c openssh-1.2.2-trans_inter-r2/bsd-misc.c --- openssh-1.2.2/bsd-misc.c Sat Jan 22 15:32:03 2000 +++ openssh-1.2.2-trans_inter-r2/bsd-misc.c Tue Mar 7 02:25:48 2000 @@ -68,7 +68,6 @@ int j; } rc4_t; -void get_random_bytes(unsigned char *buf, int len); void rc4_key(rc4_t *r, unsigned char *key, int len); void rc4_getbytes(rc4_t *r, unsigned char *buffer, int len); diff -ur openssh-1.2.2/bsd-misc.h openssh-1.2.2-trans_inter-r2/bsd-misc.h --- openssh-1.2.2/bsd-misc.h Thu Jan 6 01:28:41 2000 +++ openssh-1.2.2-trans_inter-r2/bsd-misc.h Tue Mar 7 02:25:49 2000 @@ -42,6 +42,7 @@ #ifndef HAVE_ARC4RANDOM unsigned int arc4random(void); void arc4random_stir(void); +void get_random_bytes(unsigned char *buf, int len); #endif /* !HAVE_ARC4RANDOM */ #ifndef HAVE_SETPROCTITLE diff -ur openssh-1.2.2/clientloop.c openssh-1.2.2-trans_inter-r2/clientloop.c --- openssh-1.2.2/clientloop.c Mon Dec 6 20:38:32 1999 +++ openssh-1.2.2-trans_inter-r2/clientloop.c Tue Mar 7 02:28:31 2000 @@ -396,8 +396,10 @@ */ void -client_wait_until_can_do_something(fd_set * readset, fd_set * writeset) +client_wait_until_can_do_something(fd_set * readset, fd_set * writeset, int trans_inter) { + int select_return; + /* Initialize select masks. */ FD_ZERO(readset); 
@@ -436,15 +438,35 @@ max_fd = channel_max_fd(); /* - * Wait for something to happen. This will suspend the process until - * some selected descriptor can be read, written, or has some other - * event pending. Note: if you want to implement SSH_MSG_IGNORE - * messages to fool traffic analysis, this might be the place to do - * it: just have a random timeout for the select, and send a random - * SSH_MSG_IGNORE packet when the timeout expires. + * Wait for something to happen. This will suspend the process + * until some selected descriptor can be read, written, or has some + * other event pending. + * Implemented timeout SSH_MSG_IGNORE packets to keep a minimum + * frequency of traffic present on a connection. This can be used to + * prevent a firewall (ip_masq f.e.) from timing out and causing a new + * port to be allocated which effectively kills the connection. + * To fool traffic analysis, set the timeout on the SSH_MSG_IGNORE + * packets randomly instead of periodically. */ - if (select(max_fd + 1, readset, writeset, NULL, NULL) < 0) { + if( trans_inter > 0 ) { + struct timeval timeout; + timeout.tv_sec = trans_inter; + timeout.tv_usec = 0; + select_return = select(max_fd + 1, readset, writeset, NULL, &timeout); + if(select_return == 0) { + int random_length = arc4random() & 0xff; + char *random_string = (char *)xmalloc(random_length); + get_random_bytes(random_string, random_length); + packet_start(SSH_MSG_IGNORE); + packet_put_string(random_string, random_length); + packet_send(); + xfree(random_string); + } + } else + select_return = select(max_fd + 1, readset, writeset, NULL, NULL); + + if( select_return < 0 ) { char buf[100]; /* Some systems fail to clear these automatically. */ FD_ZERO(readset); 
@@ -863,7 +885,7 @@ * Wait until we have something to do (something becomes * available on one of the descriptors). */ - client_wait_until_can_do_something(&readset, &writeset); + client_wait_until_can_do_something(&readset, &writeset, options.trans_inter); if (quit_pending) break; diff -ur openssh-1.2.2/readconf.c openssh-1.2.2-trans_inter-r2/readconf.c --- openssh-1.2.2/readconf.c Sun Dec 5 16:47:29 1999 +++ openssh-1.2.2-trans_inter-r2/readconf.c Tue Mar 7 02:25:23 2000 @@ -78,6 +78,7 @@ UseRsh no StrictHostKeyChecking yes KeepAlives no + TransmitInterlude 0 IdentityFile ~/.ssh/identity Port 22 EscapeChar ~ @@ -101,8 +102,8 @@ oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, - oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oTISAuthentication, - oUsePrivilegedPort, oLogLevel + oCompressionLevel, oKeepAlives, oTransmitInterlude, oNumberOfPasswordPrompts, + oTISAuthentication, oUsePrivilegedPort, oLogLevel } OpCodes; /* Textual representations of the tokens. */ @@ -148,6 +149,7 @@ { "compression", oCompression }, { "compressionlevel", oCompressionLevel }, { "keepalive", oKeepAlives }, + { "transmitinterlude", oTransmitInterlude }, { "numberofpasswordprompts", oNumberOfPasswordPrompts }, { "tisauthentication", oTISAuthentication }, { "loglevel", oLogLevel }, @@ -355,6 +357,10 @@ intptr = &options->keepalives; goto parse_flag; + case oTransmitInterlude: + intptr = &options->trans_inter; + goto parse_int; + case oNumberOfPasswordPrompts: intptr = &options->number_of_password_prompts; goto parse_int; @@ -610,6 +616,7 @@ options->strict_host_key_checking = -1; options->compression = -1; options->keepalives = -1; + options->trans_inter = -1; options->compression_level = -1; options->port = -1; options->connection_attempts = -1; 
@@ -677,6 +684,8 @@ options->compression = 0; if (options->keepalives == -1) options->keepalives = 1; + if (options->trans_inter == -1) + options->trans_inter = 0; if (options->compression_level == -1) options->compression_level = 6; if (options->port == -1) diff -ur openssh-1.2.2/readconf.h openssh-1.2.2-trans_inter-r2/readconf.h --- openssh-1.2.2/readconf.h Sun Dec 5 16:47:29 1999 +++ openssh-1.2.2-trans_inter-r2/readconf.h Tue Mar 7 02:25:23 2000 @@ -56,6 +56,7 @@ int compression_level; /* Compression level 1 (fast) to 9 * (best). */ int keepalives; /* Set SO_KEEPALIVE. */ + int trans_inter; /* Guarantee transmit every n seconds. */ LogLevel log_level; /* Level for logging. */ int port; /* Port to connect. */ diff -ur openssh-1.2.2/ssh.0 openssh-1.2.2-trans_inter-r2/ssh.0 --- openssh-1.2.2/ssh.0 Wed Jan 26 19:17:09 2000 +++ openssh-1.2.2-trans_inter-r2/ssh.0 Tue Mar 7 02:25:23 2000 
@@ -486,6 +486,21 @@ be verified automatically in either case. The argument must be ``yes'' or ``no''. + TransmitInterlude + Specifies a maximum time to allow between transmitting packets, + in seconds. If this amount of time passes and the client has no + data to send, it will send an ignore packet to the server. One + example where this is useful is when using ssh from behind a Lin- + ux ip_masquerade firewall. If packets aren't sent through such a + firewall periodically, the firewall may forget about the connec- + tion. Then when a packet finally is sent, the firewall will as- + sign a new port, which will cause the remote server to disconnect + the session. This option defaults to ``0'', which means not + sending periodic packets. A setting of a few hundred seconds + should be about right if this is needed. You should probably try + setting KeepAlive to ``yes'' in your conf files on both the serv- + er and the client first. + UsePrivilegedPort Specifies whether to use a privileged port for outgoing connec- tions. The argument must be ``yes'' or ``no''. The default is diff -ur openssh-1.2.2/ssh.1 openssh-1.2.2-trans_inter-r2/ssh.1 --- openssh-1.2.2/ssh.1 Sat Jan 22 00:57:40 2000 +++ openssh-1.2.2-trans_inter-r2/ssh.1 Tue Mar 7 02:25:23 2000 
@@ -720,6 +720,22 @@ .Dq yes or .Dq no . +.It Cm TransmitInterlude +Specifies a maximum time to allow between transmitting packets, +in seconds. If this amount of time passes and the client has +no data to send, it will send an ignore packet to the server. +One example where this is useful is when using ssh from behind +a Linux ip_masquerade firewall. If packets aren't sent through +such a firewall periodically, the firewall may forget about the +connection. Then when a packet finally is sent, the firewall +will assign a new port, which will cause the remote server to +disconnect the session. This option defaults to +.Dq 0 , +which means not sending periodic packets. A setting of a few +hundred seconds should be about right if this is needed. You +should probably try setting KeepAlive to +.Dq yes +in your conf files on both the server and the client first. .It Cm UsePrivilegedPort Specifies whether to use a privileged port for outgoing connections. The argument must be From djm at mindrot.org Tue Mar 7 22:42:37 2000 
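Review bot: the bsd-misc.h hunk (@@ -42,6 +42,7 @@) places the new `void get_random_bytes(unsigned char *buf, int len);` prototype inside the `#ifndef HAVE_ARC4RANDOM` block, but the new caller in clientloop.c is unconditional, so on a platform with a native arc4random() the call is compiled without a declaration and will fail to link if the definition in bsd-misc.c sits under the same guard. Move the prototype (and definition) outside that conditional, or give clientloop.c a fallback for the HAVE_ARC4RANDOM case.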
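Review bot: in the clientloop.c hunk (@@ -436,15 +438,35 @@), `int random_length = arc4random() & 0xff;` can be 0, which makes `xmalloc(random_length)` and `get_random_bytes(random_string, 0)` reachable; malloc(0) is implementation-defined, so use `1 + (arc4random() & 0xff)` or otherwise clamp the length. `random_string` is declared `char *` while the prototype takes `unsigned char *`, which warns under -Wall; declare the buffer `unsigned char` and cast at the packet_put_string() call instead. The rewritten comment also still says the timeout should be set "randomly instead of periodically", yet the code always waits exactly trans_inter seconds; either randomise the timeout or reword the comment so it does not describe behaviour the code lacks.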
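Review bot: in the readconf.c hunks, oTransmitInterlude is handled with `goto parse_int`, so a negative value is accepted silently and then behaves like 0 because clientloop.c only acts on `trans_inter > 0`; either reject values below 0 at parse time or state in the ssh.0/ssh.1 hunks (which only document 0 as "not sending periodic packets") that negative values disable the option too.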
From: djm at mindrot.org (Damien Miller)
Date: Tue, 7 Mar 2000 22:42:37 +1100 (EST)
Subject: ANNOUNCE: openssh-1.2.2p1
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is a patch release which contains fixes to all the problems which have been reported over the last month. Most importantly:

OpenSSL-0.9.5 has exposed a bug in RSA key generation on systems which lack a /dev/random (Solaris, HPUX, SCO). On such systems this port was not properly initialising OpenSSL's entropy pool. This results in lower quality (more easily predicted) RSA keys on these systems.

If you have created host or user keys on such a system, please create new keys using openssh-1.2.2p1 which explicitly seeds OpenSSL from EGD.

A lot of cleaning up of the autoconf configuration has gone on recently and this may break on some systems. If so, do not worry as OpenSSH-1.2.3 will be out in the next week or two (I just noticed OpenBSD's version update).

Regards,
Damien

20000305
 - Fix DEC compile fix
 - Explicitly seed OpenSSL's PRNG before checking rsa_alive()
 - Check for getpagesize in libucb.a if not found in libc. Fix for old Solaris from Andre Lucas
 - Check for libwrap if --with-tcp-wrappers option specified. Suggestion Mate Wierdl

20000303
 - Added "make host-key" target, Suggestion from Dominik Brettnacher
 - Don't permanently fail on bind() if getaddrinfo has more choices left for us. Needed to work around messy IPv6 on Linux. Patch from Arkadiusz Miskiewicz
 - DEC Unix compile fix from David Del Piero
 - Manpage fix from David Del Piero

20000302
 - Big cleanup of autoconf code
 - Rearranged to be a little more logical
 - Added -R option for Solaris
 - Rewrote OpenSSL detection code. Now uses AC_TRY_RUN with a test program to detect library and header location _and_ ensure library has proper RSA support built in (this is a problem with OpenSSL 0.9.5).
 - Applied pty cleanup patch from markus.friedl at informatik.uni-erlangen.de
 - Avoid warning message with Unix98 ptys
   - Warning was valid - possible race condition on PTYs. Avoided using platform-specific code.
 - Document some common problems
 - Allow root access to any key. Patch from markus.friedl at informatik.uni-erlangen.de

20000207
 - Removed SOCKS code. Will support through a ProxyCommand.

20000203
 - Fixed SEGVs in authloop, fix from vbzoli at hbrt.hu
 - Add --with-ssl-dir option

20000202
 - Fix lastlog code for directory based lastlogs. Fix from Josh Durham
 - Documentation fixes from HARUYAMA Seigo
 - Added URLs to Japanese translations of documents by HARUYAMA Seigo

20000201
 - Use socket pairs by default (instead of pipes). Prevents race condition on several (buggy) OSs. Report and fix from tridge at linuxcare.com

20000127
 - Seed OpenSSL's random number generator before generating RSA keypairs
 - Split random collector into separate file
 - Compile fix from Andre Lucas

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4xOsxormJ9RG1dI8RAq0/AKDd7P4irWNSH1FPC66VUE2fFcyzNQCdHenW
wulCPRiDs7dC/WxBOuy4QsQ=
=X97+
-----END PGP SIGNATURE-----

From openssh-unix-dev.mindrot.org at marc-haber.de Wed Mar 8 01:02:49 2000
From: openssh-unix-dev.mindrot.org at marc-haber.de (Marc Haber)
Date: Tue, 07 Mar 2000 14:02:49 GMT
Subject: [PATCH] Add a Maximum Idle Time (1.2.2)
In-Reply-To:
References:
Message-ID:

On Mon, 6 Mar 2000 01:08:59 -0800 (PST), you wrote:
>Marc Haber wrote:
>> Then my problem is somewhere else since my client is TeraTerm ssh on a
>> Windows box.
>
> I presume that the server is a Linux box?

Right.

>If you can get root on the
>box that houses the server, try changing _its_ keepalive timeout to 300
>seconds. That might do it for you.

Which config setting is that? sshd_config does only seem to have keepalive = yes.

And I still don't understand why this problem only shows when the TCP connection is NATed.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Karlsruhe, Germany | Beginning of Wisdom " | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29

From naddy at mips.rhein-neckar.de Wed Mar 8 00:59:25 2000
From: naddy at mips.rhein-neckar.de (Christian Weisgerber)
Date: 7 Mar 2000 14:59:25 +0100
Subject: Fail to compile on FreeBSD 3.3
References: <000c01bf87e0$1296a5b0$149a96cb@cassiopeia>
Message-ID: <8a31vt$1fa0$1@bigeye.rhein-neckar.de>

Siriphen Wikaisuksakul wrote:
> I had some problem when I compiled openssh-1.2.2 on FreeBSD 3.3

Use the port (ports/security/openssh).

> with enable skey option like this:

OpenSSH's S/key support on FreeBSD is broken due to differences in libskey between FreeBSD and OpenBSD. This may get fixed eventually in libskey.

> [Alternative: text/html]

Don't.
--
Christian "naddy" Weisgerber naddy at mips.rhein-neckar.de

From abush at microcenter.com Wed Mar 8 02:47:44 2000
From: abush at microcenter.com (abush at microcenter.com)
Date: Tue, 07 Mar 2000 10:47:44 -0500
Subject: compile error on HPUX 10.20
Message-ID: <38C524A0.BFCDD422@microcenter.com>

I'm trying to get openssh-1.2.2p1 to compile on HPUX 10.20 using gcc. I have installed zlib, egd, and openssl. This is the compile error I am getting:

gcc -o ssh ssh.o sshconnect.o log-client.o readconf.o clientloop.o -L. -L/usr/local/ssl/lib -L/usr/local/lib -lssh -lz -L/usr/local/lib/ -L/usr/local/ssl/lib -lcrypto
/usr/ccs/bin/ld: Unsatisfied symbols:
   __builtin_va_start (code)
collect2: ld returned 1 exit status
*** Error exit code 1
Stop.

Anyone know how to get past this? If this is the wrong list then please point me in the right direction.

Thanks,
Aaron

From yoshfuji at ecei.tohoku.ac.jp Wed Mar 8 03:00:04 2000
From: yoshfuji at ecei.tohoku.ac.jp (Hideaki YOSHIFUJI)
Date: Wed, 08 Mar 2000 01:00:04 +0900
Subject: patch for openssh-1.2.2p1
Message-ID: <20000308010004L.yoshfuji@cerberus.nemoto.ecei.tohoku.ac.jp>

Hi,

openssh-1.2.2p1 seems to have 2 problems on ipv6 (and ipv4 mapped addresses).
1. "BREAKIN ATTEMPT" warnings from ipv4 node
2. X forwarding

The following patch fixes them.

Thanks.

diff -ru openssh-1.2.2p1/canohost.c openssh-1.2.2p1-20000308/canohost.c --- openssh-1.2.2p1/canohost.c Fri Jan 14 13:45:48 2000 +++ openssh-1.2.2p1-20000308/canohost.c Wed Mar 8 00:25:18 2000
@@ -42,6 +42,22 @@ debug("getpeername failed: %.100s", strerror(errno)); fatal_cleanup(); } + +#ifdef IPV4_IN_IPV6 + if (((struct sockaddr *)&from)->sa_family == AF_INET6 && + IN6_IS_ADDR_V4MAPPED((&((struct sockaddr_in6 *)&from)->sin6_addr))){ + struct in_addr addr; + u_int16_t port; + memcpy(&addr, ((char *)&((struct sockaddr_in6 *)&from)->sin6_addr)+12, + sizeof(addr)); + port = ((struct sockaddr_in6 *)&from)->sin6_port; + memset(&from, 0, sizeof(from)); + ((struct sockaddr_in *)&from)->sin_family = AF_INET; + memcpy(&((struct sockaddr_in *)&from)->sin_addr, &addr, sizeof(addr)); + ((struct sockaddr_in *)&from)->sin_port = port; + } +#endif + if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0) fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed"); diff -ru openssh-1.2.2p1/channels.c openssh-1.2.2p1-20000308/channels.c --- openssh-1.2.2p1/channels.c Fri Mar 3 20:35:33 2000 +++ openssh-1.2.2p1-20000308/channels.c Wed Mar 8 00:25:18 2000 @@ -1215,8 +1215,12 @@ break; } socks[num_socks++] = sock; +#ifndef DONT_TRY_OTHER_AF if (num_socks == NUM_SOCKS) break; +#else + break; +#endif } if (num_socks > 0) break; diff -ru openssh-1.2.2p1/config.h.in openssh-1.2.2p1-20000308/config.h.in --- openssh-1.2.2p1/config.h.in Tue Mar 7 20:05:59 2000 +++ openssh-1.2.2p1-20000308/config.h.in Wed Mar 8 00:25:18 2000 @@ -131,6 +131,9 @@ /* Use IPv4 for connection by default, IPv6 can still if explicity asked */ #undef IPV4_DEFAULT +/* Assume IPv4 mapped addresses IPv4 addresses */ +#undef IPV4_IN_IPV6 + /* getaddrinfo is broken (if present) */ #undef BROKEN_GETADDRINFO diff -ru openssh-1.2.2p1/configure.in openssh-1.2.2p1-20000308/configure.in --- openssh-1.2.2p1/configure.in Sun Mar 5 15:02:46 2000 +++ openssh-1.2.2p1-20000308/configure.in Wed Mar 8 00:26:15 2000 
@@ -56,6 +56,8 @@ *-*-linux*) no_dev_ptmx=1 need_pty_removed_on_close=1 + CFLAGS="$CFLAGS -DDONT_TRY_OTHER_AF" + inet6_default_4in6=yes ;; *-*-netbsd*) need_dash_r=1 @@ -778,6 +780,26 @@ [ if test "x$withval" != "xno" ; then AC_DEFINE(IPV4_DEFAULT) + fi + ] +) + +AC_MSG_CHECKING([whether we assume IPv6-mapped addresses IPv4 addresses]) +AC_ARG_WITH(ipv4-in-ipv6, + [ --with-ipv4-in-ipv6 assumes ipv4 mapped addresses ipv4 addresses], + [ + if test "x$withval" != "xno" ; then + AC_MSG_RESULT(yes) + AC_DEFINE(IPV4_IN_IPV6) + else + AC_MSG_RESULT(no) + fi + ],[ + if test "x$inet6_default_4in6" = "xyes"; then + AC_MSG_RESULT([yes (default)]) + AC_DEFINE(IPV4_IN_IPV6) + else + AC_MSG_RESULT([no (default)]) fi ] ) -- Hideaki YOSHIFUJI Web Page: http://www.ecei.tohoku.ac.jp/%7Eyoshfuji/ PGP5i FP: F731 6599 5EB2 BBA7 1515 1323 1806 A96F 5700 6B25 From jacob at velius.chaos2.org Wed Mar 8 08:12:55 2000 
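Review bot: in the canohost.c hunk (@@ -42,6 +42,22 @@), after the IPV4_IN_IPV6 block rewrites `from` into a `struct sockaddr_in`, the `fromlen` that is passed to getnameinfo() two lines later is left at the IPv6 length; getnameinfo() implementations that validate salen against sa_family will then fail with the same "NI_NUMERICHOST failed" fatal() the patch is trying to avoid. Set `fromlen = sizeof(struct sockaddr_in);` inside the block, and add a comment that the `+12` in the memcpy() is the offset of the embedded IPv4 address within a v4-mapped in6_addr.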
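Review bot: the channels.c hunk (@@ -1215,8 +1215,12 @@) makes the `#else` branch `break` after the first socket that binds, regardless of which address family getaddrinfo() returned first, so with DONT_TRY_OTHER_AF (forced unconditionally for Linux in the configure.in hunk) X forwarding listens on one family only and depends on that family being the one that accepts v4-mapped connections; a comment stating that assumption is needed. In the config.h.in and configure.in hunks the option text "Assume IPv4 mapped addresses IPv4 addresses" is missing "are" (twice: the comment and the AC_MSG_CHECKING/--with-ipv4-in-ipv6 help string).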
From: jacob at velius.chaos2.org (Jacob Luna Lundberg)
Date: Tue, 7 Mar 2000 13:12:55 -0800 (PST)
Subject: [PATCH] Add a Maximum Idle Time (1.2.2)
Message-ID:

Marc Haber wrote:
> >If you can get root on the box that houses the server, try changing
> >_its_ keepalive timeout to 300 seconds. That might do it for you.
>
> Which config setting is that? sshd_config does only seem to have
> keepalive = yes.

/proc/sys/net/ipv4/tcp_keepalive_time

Which defaults to 7200 on recent Linux kernels. So try:

/bin/echo "300\c" > /proc/sys/net/ipv4/tcp_keepalive_time

Which will give you a 5 min timeout instead of 2 hours...

> And I still don't understand why this problem only shows when the TCP
> connection is NATed.

A good question. The ssh connection seems to expect the keepalives more frequently than every two hours. So without keepalives (or other packets) happening however frequently it is ssh wants them to, it terminates the connection (or perhaps linux reclaims the socket, I don't know).

-Jacob
--
"Heh. You mean this is Stef's source code?" -User Friendly

From jacob at velius.chaos2.org Wed Mar 8 08:56:55 2000
From: jacob at velius.chaos2.org (Jacob Luna Lundberg)
Date: Tue, 7 Mar 2000 13:56:55 -0800 (PST)
Subject: [PATCH] Add a Maximum Idle Time (1.2.2)
Message-ID:

Updated my last patch to 1.2.2p1.

http://www.chaos2.org/~jacob/code/patch-openssh-1.2.2p1-trans_inter-r2

I presume ;) that you guys will let me know if there is a preferred way to generate a random string rather than using the function that just moved into random.c...

-Jacob
--
"Heh. You mean this is Stef's source code?" -User Friendly

-------------- next part --------------
diff -ur openssh-1.2.2p1/clientloop.c openssh-1.2.2p1-trans_inter-r2/clientloop.c --- openssh-1.2.2p1/clientloop.c Mon Dec 6 20:38:32 1999 +++ openssh-1.2.2p1-trans_inter-r2/clientloop.c Tue Mar 7 13:23:29 2000
@@ -23,6 +23,7 @@ #include "buffer.h" #include "authfd.h" #include "readconf.h" +#include "random.h" /* Flag indicating that stdin should be redirected from /dev/null. */ extern int stdin_null_flag; @@ -396,8 +397,10 @@ */ void -client_wait_until_can_do_something(fd_set * readset, fd_set * writeset) +client_wait_until_can_do_something(fd_set * readset, fd_set * writeset, int trans_inter) { + int select_return; + /* Initialize select masks. */ FD_ZERO(readset); 
@@ -436,15 +439,35 @@ max_fd = channel_max_fd(); /* - * Wait for something to happen. This will suspend the process until - * some selected descriptor can be read, written, or has some other - * event pending. Note: if you want to implement SSH_MSG_IGNORE - * messages to fool traffic analysis, this might be the place to do - * it: just have a random timeout for the select, and send a random - * SSH_MSG_IGNORE packet when the timeout expires. + * Wait for something to happen. This will suspend the process + * until some selected descriptor can be read, written, or has some + * other event pending. + * Implemented timeout SSH_MSG_IGNORE packets to keep a minimum + * frequency of traffic present on a connection. This can be used to + * prevent a firewall (ip_masq f.e.) from timing out and causing a new + * port to be allocated which effectively kills the connection. + * To fool traffic analysis, set the timeout on the SSH_MSG_IGNORE + * packets randomly instead of periodically. */ - if (select(max_fd + 1, readset, writeset, NULL, NULL) < 0) { + if( trans_inter > 0 ) { + struct timeval timeout; + timeout.tv_sec = trans_inter; + timeout.tv_usec = 0; + select_return = select(max_fd + 1, readset, writeset, NULL, &timeout); + if(select_return == 0) { + int random_length = arc4random() & 0xff; + char *random_string = (char *)xmalloc(random_length); + get_random_bytes(random_string, random_length); + packet_start(SSH_MSG_IGNORE); + packet_put_string(random_string, random_length); + packet_send(); + xfree(random_string); + } + } else + select_return = select(max_fd + 1, readset, writeset, NULL, NULL); + + if( select_return < 0 ) { char buf[100]; /* Some systems fail to clear these automatically. */ FD_ZERO(readset); 
@@ -863,7 +886,7 @@ * Wait until we have something to do (something becomes * available on one of the descriptors). */ - client_wait_until_can_do_something(&readset, &writeset); + client_wait_until_can_do_something(&readset, &writeset, options.trans_inter); if (quit_pending) break; diff -ur openssh-1.2.2p1/readconf.c openssh-1.2.2p1-trans_inter-r2/readconf.c --- openssh-1.2.2p1/readconf.c Sun Dec 5 16:47:29 1999 +++ openssh-1.2.2p1-trans_inter-r2/readconf.c Tue Mar 7 13:19:29 2000 @@ -78,6 +78,7 @@ UseRsh no StrictHostKeyChecking yes KeepAlives no + TransmitInterlude 0 IdentityFile ~/.ssh/identity Port 22 EscapeChar ~ @@ -101,8 +102,8 @@ oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, - oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oTISAuthentication, - oUsePrivilegedPort, oLogLevel + oCompressionLevel, oKeepAlives, oTransmitInterlude, oNumberOfPasswordPrompts, + oTISAuthentication, oUsePrivilegedPort, oLogLevel } OpCodes; /* Textual representations of the tokens. */ @@ -148,6 +149,7 @@ { "compression", oCompression }, { "compressionlevel", oCompressionLevel }, { "keepalive", oKeepAlives }, + { "transmitinterlude", oTransmitInterlude }, { "numberofpasswordprompts", oNumberOfPasswordPrompts }, { "tisauthentication", oTISAuthentication }, { "loglevel", oLogLevel }, @@ -355,6 +357,10 @@ intptr = &options->keepalives; goto parse_flag; + case oTransmitInterlude: + intptr = &options->trans_inter; + goto parse_int; + case oNumberOfPasswordPrompts: intptr = &options->number_of_password_prompts; goto parse_int; @@ -610,6 +616,7 @@ options->strict_host_key_checking = -1; options->compression = -1; options->keepalives = -1; + options->trans_inter = -1; options->compression_level = -1; options->port = -1; options->connection_attempts = -1; 
@@ -677,6 +684,8 @@ options->compression = 0; if (options->keepalives == -1) options->keepalives = 1; + if (options->trans_inter == -1) + options->trans_inter = 0; if (options->compression_level == -1) options->compression_level = 6; if (options->port == -1) diff -ur openssh-1.2.2p1/readconf.h openssh-1.2.2p1-trans_inter-r2/readconf.h --- openssh-1.2.2p1/readconf.h Sun Dec 5 16:47:29 1999 +++ openssh-1.2.2p1-trans_inter-r2/readconf.h Tue Mar 7 13:19:29 2000 @@ -56,6 +56,7 @@ int compression_level; /* Compression level 1 (fast) to 9 * (best). */ int keepalives; /* Set SO_KEEPALIVE. */ + int trans_inter; /* Guarantee transmit every n seconds. */ LogLevel log_level; /* Level for logging. */ int port; /* Port to connect. */ diff -ur openssh-1.2.2p1/ssh.0 openssh-1.2.2p1-trans_inter-r2/ssh.0 --- openssh-1.2.2p1/ssh.0 Tue Mar 7 03:06:05 2000 +++ openssh-1.2.2p1-trans_inter-r2/ssh.0 Tue Mar 7 13:19:29 2000 
@@ -486,6 +486,21 @@ be verified automatically in either case. The argument must be ``yes'' or ``no''. + TransmitInterlude + Specifies a maximum time to allow between transmitting packets, + in seconds. If this amount of time passes and the client has no + data to send, it will send an ignore packet to the server. One + example where this is useful is when using ssh from behind a Lin- + ux ip_masquerade firewall. If packets aren't sent through such a + firewall periodically, the firewall may forget about the connec- + tion. Then when a packet finally is sent, the firewall will as- + sign a new port, which will cause the remote server to disconnect + the session. This option defaults to ``0'', which means not + sending periodic packets. A setting of a few hundred seconds + should be about right if this is needed. You should probably try + setting KeepAlive to ``yes'' in your conf files on both the serv- + er and the client first. + UsePrivilegedPort Specifies whether to use a privileged port for outgoing connec- tions. The argument must be ``yes'' or ``no''. The default is diff -ur openssh-1.2.2p1/ssh.1 openssh-1.2.2p1-trans_inter-r2/ssh.1 --- openssh-1.2.2p1/ssh.1 Fri Mar 3 03:48:49 2000 +++ openssh-1.2.2p1-trans_inter-r2/ssh.1 Tue Mar 7 13:19:29 2000 
@@ -720,6 +720,22 @@ .Dq yes or .Dq no . +.It Cm TransmitInterlude +Specifies a maximum time to allow between transmitting packets, +in seconds. If this amount of time passes and the client has +no data to send, it will send an ignore packet to the server. +One example where this is useful is when using ssh from behind +a Linux ip_masquerade firewall. If packets aren't sent through +such a firewall periodically, the firewall may forget about the +connection. Then when a packet finally is sent, the firewall +will assign a new port, which will cause the remote server to +disconnect the session. This option defaults to +.Dq 0 , +which means not sending periodic packets. A setting of a few +hundred seconds should be about right if this is needed. You +should probably try setting KeepAlive to +.Dq yes +in your conf files on both the server and the client first. .It Cm UsePrivilegedPort Specifies whether to use a privileged port for outgoing connections. The argument must be
From pucko at lysator.liu.se Wed Mar 8 09:00:05 2000
From: pucko at lysator.liu.se (Magnus Holmberg) Date: Tue, 7 Mar 2000 23:00:05 +0100 (CET) Subject: X11Forwarding problem Message-ID:
I have just installed openssh-1.2.2p1-1 on two of my machines and I have one problem. I have X11Forwarding yes in my /etc/ssh/sshd_config but when I try to ssh to that machine I get this when I try to start rxvt:
[pucko at b202 pucko]$ rxvt
X11 connection rejected because of wrong authentication.
X connection to b202.ryd.student.liu.se:11.0 broken (explicit kill or server shutdown).
[pucko at b202 pucko]$
The strange thing is that it works if I do the same thing as root. What can be wrong?
/M
From djm at ibs.com.au Wed Mar 8 10:05:11 2000
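Review bot: the defaults hunk (@@ -677,6 +684,8 @@ in readconf.c) relies on `options->trans_inter` having been set to -1 beforehand, the way `keepalives` is, for `if (options->trans_inter == -1) options->trans_inter = 0;` to take effect; the initialize_options() hunk that would set it to -1 is not among the hunks shown here, so please confirm it is part of the patch, because an uninitialised field would skip the default and leave the transmit interval undefined. The default of 0 does match the `.Dq 0` documented in ssh.1.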
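Review bot: the ssh.0 hunk hand-patches the preformatted copy of the manual page; ssh.0 is formatter output generated from ssh.1 (the broken words "Lin-/ux", "connec-/tion", "as-/sign" are the formatter's line breaks), so carrying it in the patch means two copies of the TransmitInterlude text to keep in sync, and any later wording change in ssh.1 silently leaves ssh.0 stale. Suggest dropping the ssh.0 hunk and regenerating the file at release time, or at least stating in the patch description that the two were edited together.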
From: djm at ibs.com.au (Damien Miller) Date: Wed, 08 Mar 2000 10:05:11 +1100 Subject: [Fwd: va_list problems on Solaris] Message-ID: <38C58B27.C6AFD7CB@ibs.com.au>
This might shed some light on the va_list problem reported previously.
-d
David Hesprich wrote:
> 
> On Wed, 8 Mar 2000, Damien Miller wrote:
> 
> > > log.c: In function `fatal':
> > > log.c:17: `__builtin_va_alist' undeclared (first use in this function)
> > 
> > A few people have reported this - it looks like a gcc vs native cc
> > problem.
> > 
> > Can you try:
> > CC=cc ./configure
> 
> It's a Solaris box, which means that cc=gcc (Solaris doesn't ship with a
> compiler, and since gcc is free and works with just about everything...)
> 
> However, I screwed up and downgraded gcc from 2.95.1 to 2.8.1, which left
> version 2.95.1 of gcc in /usr/ucb/cc, and version 2.8.1 in
> /usr/local/bin/gcc. Removing the errant binary from /usr/ucb allowed the
> compile to proceed to completion.
> 
> I haven't tested the results though, I gotta bolt out the door for a
> meeting, but perhaps this anecdote might be helpful for others that are
> having the same problem. Perhaps they should check to make sure their cc
> and gcc version are consistent.
> 
> -David Hesprich
-------------- next part --------------
An embedded message was scrubbed...
From: Damien Miller
Subject: va_list problems on Solaris
Date: Wed, 08 Mar 2000 10:04:13 +1100
Size: 1735
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000308/3b048fc6/attachment.mht
From dghespri at sprintparanet.com Wed Mar 8 16:51:31 2000
From: dghespri at sprintparanet.com (David G. Hesprich) Date: Wed, 8 Mar 2000 00:51:31 -0500 Subject: va_list problems on Solaris References: <38C58B27.C6AFD7CB@ibs.com.au> Message-ID: <017701bf88c2$5c13d5e0$1500a8c0@alex1.va.home.com>
> However, I screwed up and downgraded gcc from 2.95.1 to 2.8.1, which left
> version 2.95.1 of gcc in /usr/ucb/cc, and version 2.8.1 in
> /usr/local/bin/gcc. Removing the errant binary from /usr/ucb allowed the
> compile to proceed to completion.
Mea culpa.
Looks like I spoke too soon. Further experimentation shows the same error. Only thing I can figure was that I was compiling version 1.2.2 (always compiled fine), which I was comparing to p1 at the time, and never noticed it.
Back to square one, or perhaps not... I tried copying the Makefile generated by the v1.2.2 distribution into p1, after modifying LDFLAGS and LIBOBJS, and lo, it compiles! Looks like it runs too, so far... Perhaps more problems have snuck into configure?
-David Hesprich
From djm at mindrot.org Wed Mar 8 21:33:49 2000
From: djm at mindrot.org (Damien Miller) Date: Wed, 8 Mar 2000 21:33:49 +1100 (EST) Subject: va_list problems on Solaris In-Reply-To: <017701bf88c2$5c13d5e0$1500a8c0@alex1.va.home.com> Message-ID:
On Wed, 8 Mar 2000, David G. Hesprich wrote:
> Back to square one, or perhaps not... I tried copying the Makefile
> generated by the v1.2.2 distribution into p1, after modifying
> LDFLAGS and LIBOBJS, and lo, it compiles! Looks like it runs too, so
> far...
Can you run diff on your modified Makefile and the one that configure produces?
-d
--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
From bent at clark.net Wed Mar 8 23:05:59 2000
From: bent at clark.net (Ben Taylor) Date: Wed, 8 Mar 2000 07:05:59 -0500 (EST) Subject: va_list problems on Solaris In-Reply-To: <017701bf88c2$5c13d5e0$1500a8c0@alex1.va.home.com> Message-ID:
On Wed, 8 Mar 2000, David G. Hesprich wrote:
> > However, I screwed up and downgraded gcc from 2.95.1 to 2.8.1, which left
> > version 2.95.1 of gcc in /usr/ucb/cc, and version 2.8.1 in
> > /usr/local/bin/gcc. Removing the errant binary from /usr/ucb allowed the
> > compile to proceed to completion.
> 
> Mea culpa.
> 
> Looks like I spoke too soon. Further experimentation shows the same error.
> Only thing I can figure was that I was compiling version 1.2.2 (always
> compiled fine), which I was comparing to p1 at the time, and never noticed
> it.
Are you sure you're also not getting any of the library files from 2.95.1? Also, apparently if you build on 2.8.1, your libraries should be built by the same compiler (This is a suggestion I got from the gcc list when I couldn't get a shared library thing working...) You may want to make sure everything from 2.95.1 is uninstalled.
I'm running gcc-2.95.2 on Solaris 7 x86 and it builds just fine. I suspect you've probably roached something. I've also got gcc-2.8.1 in another tree, but it would be very hard for configure to guess where it was.
Ben
From dghespri at sprintparanet.com Thu Mar 9 00:22:01 2000
From: dghespri at sprintparanet.com (dghespri at sprintparanet.com) Date: Wed, 8 Mar 2000 08:22:01 -0500 (EST) Subject: va_list problems on Solaris In-Reply-To: Message-ID:
On Wed, 8 Mar 2000, Ben Taylor wrote:
> Are you sure you're also not getting any of the library files from
> 2.95.1? Also, apparently if you build on 2.8.1, your libraries
> should be built by the same compiler (This is a suggestion I got
> from the gcc list when I couldn't get a shared library thing working...)
> You may want to make sure everything from 2.95.1 is uninstalled.
I had to back down from 2.95.2 because a particular package I was working with had a known problem with 2.95.x, .2 inclusive. I went back, and with the exception of the /usr/ucb/cc I mentioned previously being left around, there wasn't anything left around from any other version of gcc. At least, that's what I could determine to the best of my ability. I got both gcc 2.8.1 and libstdc++ 2.8.1.1 as packages from sunfreeware. The installation has worked pretty well so far (I've been able to compile and install all sorts of things), so I don't think there's a massive error in there.
I'm open to suggestions, of course.
-David Hesprich
From paul at xtdnet.nl Thu Mar 9 01:17:33 2000
From: paul at xtdnet.nl (paul at xtdnet.nl) Date: Wed, 8 Mar 2000 15:17:33 +0100 (MET) Subject: NIS, PAM, OpenSSH. Seems to work perfectly (one minor concern) Message-ID:
I just spent some time trying to figure out how to get OpenSSH to work correctly with NIS and PAM. It seems to work fine, apart from one minor worry I still have (see below). Feedback about grave security risks is welcome :)
This is using RedHat 6.1 with updates and the OpenSSH 1.2.2p1-1 RPMs on the NIS server as well as the client.
In short, my configuration is:
/etc/nsswitch.conf:
passwd: compat
group: compat
shadow: files nis
in /etc/passwd I added:
+ at staff::::::
+::::::/bin/nologin
/etc/pam.d/login:
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_unix_auth.so
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_unix_acct.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_unix_passwd.so
session required /lib/security/pam_unix_session.so
/etc/pam.d/ssh
#%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow nodelay
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session required /lib/security/pam_pwdb.so
session required /lib/security/pam_limits.so
I'm not using MD5 (Though I thought I was, must have been caused by a RedHat update). I'm using the default /etc/ssh settings.
In this setup, I can login as the local users. The NIS users in the netgroup staff can login fine, and NIS users not in that netgroup get /bin/nologin. Users have a shared homedir, and the ones that have done:
cat .ssh/identity.pub >> .ssh/authorized_keys
can also not login when not in the staff netgroup. And when NIS isn't running, it nicely fakes authlookup for NIS users (any non local users actually) and local users can still nicely login. Excellent!
Now, in the above case where a user is not a member of the netgroup, I tried to execute a command using ssh:
ssh -l test host /bin/date
The client gives me:
debug: Trying RSA authentication with key 'paul at host'
debug: Received RSA challenge from server.
debug: Sending response to host key RSA challenge.
debug: Remote: RSA authentication accepted.
debug: RSA authentication accepted by server.
debug: Sending command: /bin/date
debug: Entering interactive session.
Environment:
USER=paul
LOGNAME=paul
HOME=/vol/staff/paul
PATH=/usr/bin:/bin:/usr/sbin:/sbin
MAIL=/var/spool/mail/paul
SHELL=/bin/nologin
SSH_CLIENT=127.0.0.1 622 22
You have no login on this machine, go away.
and the server:
debug: Starting up PAM with username "paul"
debug: Attempting authentication for paul.
Accepted rsa for paul from 127.0.0.1 port 622
debug: PAM setting rhost to "localhost"
debug: Executing command '/bin/date'
debug: PAM establishing creds
debug: Entering interactive session.
debug: Received SIGCHLD.
debug: End of interactive session; stdin 0, stdout (read 44, sent 44), stderr 179 bytes.
debug: Command exited with status 0.
debug: Received exit confirmation.
Closing connection to 127.0.0.1
Mar 8 15:09:45 bofh sshd[2356]: Accepted rsa for paul from 127.0.0.1 port 622
Mar 8 15:10:48 bofh sshd[2356]: Closing connection to 127.0.0.1
Mar 8 15:10:48 bofh PAM_pwdb[2356]: (sshd) session closed for user paul
My question is if it is possible to change /etc/pam.d/ssh so that the session can still be disallowed. It doesn't seem to execute /bin/date but it's trying much too hard imho. One solution would be of course only to put those netgroup/users in that are allowed to have a login, but for instance that won't work nicely on the mail server, where all accounts need to exist, and the users are not allowed to login.
But, I'm quite pleased with OpenSSH within the NIS/Pam/Linux environment as it is right now. Cheers to those that deserve it :)
Paul
PS.
On a side note, the previous version I tried, OpenSSH-1.2.1pre11, didn't work.
From mw at moni.msci.memphis.edu Thu Mar 9 14:00:52 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl) Date: Wed, 8 Mar 2000 21:00:52 -0600 Subject: openssl and rsa In-Reply-To: References: <20000306160134.B2884@moni.msci.memphis.edu> Message-ID: <20000308210052.A21985@moni.msci.memphis.edu>
On Mon, Mar 06, 2000 at 07:04:01PM -0500, Ben Taylor wrote:
> On Mon, 6 Mar 2000, Mate Wierdl wrote:
> 
> > The openssl list does not seem to respond to this, so let me ask you
> > here:
> > 
> > my librsaref.a is in /space/local/lib. How do I tell about this to
> > openssl's config/make?
> > 
> > Also, how do I tell config/make to use /usr/ccs/bin/ld instead of the
> > default (gnu linker has problems on Solaris).
> 
> env "PATH=/usr/ccs/bin:${PATH} LDFLAGS=-L/space/local/lib -I/space/local/include" ./configure
> 
> This should take care of it.
Sorry, but openssl has only config, and not configure, and as the name hints, it does not take these variables. For example:
grep LD openssl-0.9.5/config |wc -l
0
grep LD openssh-1.2.2/configure|wc -l
13
In any case, I am just trying to see clearly here: is librsaref.a needed for a working openssh? In other words, do I need to compile openssl with rsaref specified for config? (I see that the openssl rpm does not specify this option, but it does install libRSAglue.a, the function of which is not clear to me.)
Thx, as always
Mate
From mw at moni.msci.memphis.edu Thu Mar 9 14:21:47 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl) Date: Wed, 8 Mar 2000 21:21:47 -0600 Subject: spec file In-Reply-To: References: Message-ID: <20000308212147.B21985@moni.msci.memphis.edu>
On Tue, Mar 07, 2000 at 09:36:49PM +1100, Damien Miller wrote:
> On Tue, 7 Mar 2000, Nigel Metheringham wrote:
> 
> > > Also, the %post stanza for the server package starts sshd. But what
> > > if the upgrade is done in single user mode? The sysV initscript does
> > > not check if networking is up---it just seems to start the service no
> > > matter what.
> > 
> > I'm unhappy about this - it's a complete pain if you are installing ssh
> > as part of your machine build. You may also happen to be missing
> > decent entropy etc under these conditions. I personally modify the
> > spec & init.d files to do the key generation within the start part of
> > the init.d file. I guess if sshd *was* running then starting it again
> > is reasonable, otherwise do not start it.
> 
> RTFS:
> 
> %post server
> /sbin/chkconfig --add sshd
> if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then
> /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2
> fi
> if test -r /var/run/sshd.pid
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> then
> /etc/rc.d/init.d/sshd restart >&2
> fi
> 
In my case: I already had a non rpm installation of a "non open" sshd which was running at the time of the installation. Hence I had /var/run/sshd.pid. I wanted to install the openssh rpm to check openssh out (run it first on a different port). If I just installed the rpm as it is, opensshd would have been started without me having a chance to think about configuration, etc.
Mate
From mw at moni.msci.memphis.edu Thu Mar 9 14:24:52 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl) Date: Wed, 8 Mar 2000 21:24:52 -0600 Subject: rsaref usage In-Reply-To: References: <20000306180859.A4029@moni.msci.memphis.edu> Message-ID: <20000308212452.C21985@moni.msci.memphis.edu>
On Tue, Mar 07, 2000 at 09:31:34PM +1100, Damien Miller wrote:
> On Mon, 6 Mar 2000, Mate Wierdl wrote:
> 
> > First, when I tried to start sshd, I got the message
> > 
> > Starting sshd: ssh-keygen: no RSA support in libssl and libcrypto.
> > See ssl(8).
> 
> openssh-0.9.5 right?
Correct. Somebody told me I need to have this new version of openssl since there is some kind of leak associated with the random device that is fixed only in this new version. (I am installing on a solaris 2.6 box).
> 
> I have a patch coming (probably tomorrow) which fixes this and other
> problems.
Where is the patch available?
Mate
From acs at alumni.princeton.edu Thu Mar 9 14:46:50 2000
From: acs at alumni.princeton.edu (Vin Shelton) Date: 08 Mar 2000 22:46:50 -0500 Subject: Can not configure openssh-1.2.2p1 Message-ID:
(I'm not subscribed to the list, so if you have any comments, please mail them to me directly.)
Thanks for openssh!
I downloaded openssh-1.2.2p1 and found I could not configure it on my linux 2.2.15pre13 i686 kernel. The error I got was:
configure: error: Could not find working SSLeay / OpenSSL libraries, please install
I had previously installed openssl (first 0.9.4 and then 0.9.5) into /usr/local/ssl. I had previously managed to configure, build and install openssh-1.2.2 with this same openssl configuration. I needed the following patch to configure.in in order to enable configure to find the -lcrypto library:
--- configure.in.orig Sun Mar 5 01:02:46 2000 +++ configure.in Wed Mar 8 22:28:19 2000
@@ -152,10 +152,10 @@ AC_MSG_CHECKING([for OpenSSL/SSLeay directory]) for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do if test ! -z "$ssldir" ; then - LIBS="$saved_LIBS -L$ssldir" + LIBS="$saved_LIBS -L$ssldir/lib" CFLAGS="$CFLAGS -I$ssldir/include" if test "x$need_dash_r" = "x1" ; then - LIBS="$LIBS -R$ssldir" + LIBS="$LIBS -R$ssldir/lib" fi fi LIBS="$LIBS -lcrypto" In an unrelated problem, I am unable to build from a different build directory than my source directory. In other words, if I follow my usual build procedure and do: cd /usr/local/src tar xfz ~/openssh-1.2.2p1.tar.gz cd /usr/local/build mkdir openssh-1.2.2p1 cd ./openssh-1.2.2p1 ../../src/openssh-1.2.2p1/configure make I get the following errors: In file included from ../../src/openssh-1.2.2p1/atomicio.c:26: ../../src/openssh-1.2.2p1/includes.h:22: config.h: No such file or directory In file included from ../../src/openssh-1.2.2p1/includes.h:96, from ../../src/openssh-1.2.2p1/atomicio.c:26: ../../src/openssh-1.2.2p1/bsd-bindresvport.h:4: config.h: No such file or directory In file included from ../../src/openssh-1.2.2p1/includes.h:97, from ../../src/openssh-1.2.2p1/atomicio.c:26: ../../src/openssh-1.2.2p1/bsd-rresvport.h:4: config.h: No such file or directory In file included from ../../src/openssh-1.2.2p1/includes.h:98, from ../../src/openssh-1.2.2p1/atomicio.c:26: ../../src/openssh-1.2.2p1/bsd-misc.h:40: config.h: No such file or directory In file included from ../../src/openssh-1.2.2p1/includes.h:99, from ../../src/openssh-1.2.2p1/atomicio.c:26: ../../src/openssh-1.2.2p1/bsd-strlcpy.h:4: config.h: No such file or directory In file included from ../../src/openssh-1.2.2p1/includes.h:100, from ../../src/openssh-1.2.2p1/atomicio.c:26: ../../src/openssh-1.2.2p1/bsd-strlcat.h:4: config.h: No such file or directory In file included from ../../src/openssh-1.2.2p1/includes.h:101, from 
../../src/openssh-1.2.2p1/atomicio.c:26: ../../src/openssh-1.2.2p1/bsd-mktemp.h:4: config.h: No such file or directory In file included from ../../src/openssh-1.2.2p1/includes.h:102, from ../../src/openssh-1.2.2p1/atomicio.c:26: ../../src/openssh-1.2.2p1/bsd-snprintf.h:4: config.h: No such file or directory In file included from ../../src/openssh-1.2.2p1/includes.h:103, from ../../src/openssh-1.2.2p1/atomicio.c:26: ../../src/openssh-1.2.2p1/bsd-daemon.h:4: config.h: No such file or directory In file included from ../../src/openssh-1.2.2p1/includes.h:104, from ../../src/openssh-1.2.2p1/atomicio.c:26: ../../src/openssh-1.2.2p1/bsd-login.h:4: config.h: No such file or directory In file included from ../../src/openssh-1.2.2p1/includes.h:107, from ../../src/openssh-1.2.2p1/atomicio.c:26: ../../src/openssh-1.2.2p1/fake-getaddrinfo.h:4: config.h: No such file or directory In file included from ../../src/openssh-1.2.2p1/includes.h:108, from ../../src/openssh-1.2.2p1/atomicio.c:26: ../../src/openssh-1.2.2p1/fake-getnameinfo.h:4: config.h: No such file or directory In file included from ../../src/openssh-1.2.2p1/includes.h:109, from ../../src/openssh-1.2.2p1/atomicio.c:26: ../../src/openssh-1.2.2p1/fake-socket.h:4: config.h: No such file or directory In file included from ../../src/openssh-1.2.2p1/ssh.h:29, from ../../src/openssh-1.2.2p1/atomicio.c:30: ../../src/openssh-1.2.2p1/rsa.h:21: config.h: No such file or directory In file included from ../../src/openssh-1.2.2p1/ssh.h:30, from ../../src/openssh-1.2.2p1/atomicio.c:30: ../../src/openssh-1.2.2p1/cipher.h:19: config.h: No such file or directory make: *** [atomicio.o] Error 1 I worked around this problem by adding "-I. -I$(srcdir)" to the CFLAGS in the generated Makefile, but I'm sure there's a nice configure-oriented way to support this. Thanks again for openssh! If you want some more information, I'd be happy to hear from you. - vin shelton From mw at moni.msci.memphis.edu Thu Mar 9 15:47:06 2000 
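Review bot: the change to `-L$ssldir/lib` (with the matching `-R$ssldir/lib`) is right and finally agrees with the `-I$ssldir/include` line next to it, but the candidate list in the `for ssldir in ...` loop was written for the old form: entries such as /usr/lib/openssl and /usr/lib/ssl now expand to /usr/lib/openssl/lib and /usr/lib/ssl/lib, which are unlikely to be real library directories, and a user who passes the library directory itself through $tryssldir (this thread has one report using --with-ssl-dir=/space/local/lib) is now probed at /space/local/lib/lib and fails. Suggest probing both `$ssldir` and `$ssldir/lib` for libcrypto, or documenting that --with-ssl-dir expects the OpenSSL install prefix rather than its lib directory.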
From: mw at moni.msci.memphis.edu (Mate Wierdl) Date: Wed, 8 Mar 2000 22:47:06 -0600 Subject: p1 configure error Message-ID: <20000308224706.A24496@moni.msci.memphis.edu>
I did not see this error with 1.2.2:
checking for OpenSSL/SSLeay directory... configure: error: Could not find working SSLeay / OpenSSL libraries, please install
I tried
LD=/usr/ccs/bin/ld ./configure --prefix=/space/local --with-random="/dev/random" --with-ssl-dir=/space/local/lib
with
rpm -ql openssl|grep /space/local/lib
/space/local/lib/libRSAglue.a
/space/local/lib/libcrypto.a
/space/local/lib/libssl.a
on a solaris 2.6 box.
Thx
--
--- Mate Wierdl | Dept. of Math. Sciences | University of Memphis
From mouring at pconline.com Thu Mar 9 18:01:25 2000
From: mouring at pconline.com (Ben Lindstrom) Date: Thu, 9 Mar 2000 01:01:25 -0600 (CST) Subject: sigsuspend() replacement In-Reply-To: <20000308010004L.yoshfuji@cerberus.nemoto.ecei.tohoku.ac.jp> Message-ID:
Anyone want to provide me with more detailed information as to what sigsuspend() really does? It seems to be linked to Ctrl-Z, since Ctrl-Z at the password prompt does not re-enable shell echoing.
thanks.
From cervenka at MagicalMusic.com Thu Mar 9 18:48:14 2000
From: cervenka at MagicalMusic.com (Brian Cervenka) Date: Wed, 8 Mar 2000 23:48:14 -0800 (PST) Subject: openssh 1.2.2p1 Message-ID:
The configure script seems to be broken when doing the install for 1.2.2p1. It cannot locate the OpenSSL directory which I just installed as default. I even tried using the --with-ssl-directory switch mentioned in the INSTALL file, and still no cigar. I reverted to 1.2.2 and it worked just fine.
--brian
From rich at annexia.org Thu Mar 9 21:42:14 2000
From: rich at annexia.org (rich at annexia.org) Date: Thu, 9 Mar 2000 10:42:14 +0000 Subject: Key server for (Open)SSH? Message-ID: <20000309104214.A3072@www.annexia.org>
We have a situation here where we have a lot of hosts and a lot of users with potential access to those hosts. Copying keys around to authorized_keys files is a major pain. Is there such a thing as a key server for ssh?
Rich.
--
rich at annexia.org | Is your school part of http://www.schoolmaster.net ?
BiblioTech Ltd, Unit 2 Piper Centre, 50 Carnwath Road, London, SW6 3EG.
+44 20 7384 6917 | Click here to play XRacer: http://xracer.annexia.org
Copyright © 2000 Richard Jones | GnuPG/PGP key from www.annexia.org
From djm at mindrot.org Thu Mar 9 22:03:30 2000
From: djm at mindrot.org (Damien Miller) Date: Thu, 9 Mar 2000 22:03:30 +1100 (EST) Subject: openssh 1.2.2p1 In-Reply-To: Message-ID:
On Wed, 8 Mar 2000, Brian Cervenka wrote:
> The configure script seems to be broken when doing the install for
> 1.2.2p1. It can not locate the OpenSSL directory which I just
> installed as default. I even tried using the --with-ssl-directory
> switch mentioned in the INSTALL file, and still no cigar. I reverted
> to 1.2.2 and it worked just fine.
Known bug - you can work around by:
LDFLAGS="-L/path/to/ssl/libs" CFLAGS="-I/path/to/ssl/includes" ./configure
-d
--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
From djm at mindrot.org Thu Mar 9 22:05:11 2000
From: djm at mindrot.org (Damien Miller) Date: Thu, 9 Mar 2000 22:05:11 +1100 (EST) Subject: Key server for (Open)SSH? In-Reply-To: <20000309104214.A3072@www.annexia.org> Message-ID:
On Thu, 9 Mar 2000 rich at annexia.org wrote:
> 
> We have a situation here where we have a lot of hosts and
> a lot of users with potential access to those hosts. Copying
> keys around to authorized_keys files is a major pain. Is there
> such a thing as a key server for ssh?
Yes. Neil Dunbar has a set of patches that allow OpenSSH to use an X.509 PKI with certs served from an LDAP server. His patches are available from ftp://ftp-uk.hpl.hp.com/pub/nd/
-d
--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
From tim.tassonis at trivadis.com Thu Mar 9 22:52:30 2000
From: tim.tassonis at trivadis.com (tit) Date: Thu, 09 Mar 2000 12:52:30 +0100 Subject: Patch for scp (openssh 1.2.2p1) Message-ID: <38C7907E.2AB71481@trivadis.com>
Hi
While ssh allows for usernames containing a dot, scp gives an error "Invalid user name". The following patch fixed that behaviour:
diff -ru scp.c-save scp.c --- scp.c-save Thu Mar 9 12:21:43 2000 +++ scp.c Thu Mar 9 12:22:25 2000 @@ -1062,7 +1062,7 @@ c = *cp; if (c & 0200) goto bad; - if (!isalpha(c) && !isdigit(c) && c != '_' && c != '-') + if (!isalpha(c) && !isdigit(c) && c != '_' && c != '-' && c != '.') goto bad; } while (*++cp); return (1);
Hope that this can be applied (so I don't have to do it anymore with any upgrade).
Regards
Tim
From djm at mindrot.org Thu Mar 9 22:58:47 2000
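Review bot: adding `c != '.'` to the whitelist is safe: the `if (c & 0200) goto bad;` just above guarantees the byte is 7-bit ASCII before it reaches isalpha()/isdigit(), and '.' has no special meaning in the argument lists scp builds from the user name, which is what this check is guarding. Since this loop is scp's only validation of a user-supplied name before it is handed on to ssh, a one-line comment above it stating that intent would help keep any future relaxation of the list as conservative as this one.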
From: djm at mindrot.org (Damien Miller) Date: Thu, 9 Mar 2000 22:58:47 +1100 (EST) Subject: Patch for scp (openssh 1.2.2p1) In-Reply-To: <38C7907E.2AB71481@trivadis.com> Message-ID:
On Thu, 9 Mar 2000, tit wrote:
> Hi
> 
> While ssh allows for usernames containing a dot, scp gives an error
> "Invalid user name". The following patch fixed that behaviour:
Just picked this one up from OpenBSD's CVS tree.
-d
--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
From nkbj at image.dk Thu Mar 9 23:27:22 2000
From: nkbj at image.dk (Niels Kristian Bech Jensen) Date: Thu, 9 Mar 2000 13:27:22 +0100 (CET) Subject: Bug in openssh-1.2.2p1 scp program? Message-ID:
The scp program from openssh-1.2.2p1 behaves differently from the scp program from ssh-1.2.27. In ssh-1.2.27 you can copy one or more file(s) to a remote user's home directory using the command:
scp filename(s) user at remotehost
In openssh-1.2.2p1 this copies the file(s) to a file named "user at remotehost" in the current (local) directory. To copy the files to the wanted (remote) location you have to use this command:
scp filename(s) user at remotehost:
                                ^
Is this a bug or a feature?
--
Niels Kristian Bech Jensen -- nkbj at image.dk -- http://www.image.dk/~nkbj/
----------->> Stop software piracy --- use free software! <<-----------
From j.gritsch at gmx.at Thu Mar 9 23:58:20 2000
From: j.gritsch at gmx.at (Johannes Gritsch) Date: Thu, 9 Mar 2000 13:58:20 +0100 (MET) Subject: No subject Message-ID: <15392.952606700@www11.gmx.net>
Hi!
I'm not a subscriber of the mailing list since I'm usually not too deeply involved in cryptography and hacking. I found an annoying bug (or at least I consider it to be one) in the configure script of openssh. I tried to compile openssh-1.2.2p1 in conjunction with openssl-0.9.5. I downloaded both from mirror sites, so there might already exist a solution for this.
When I tried to run configure in the open-ssh directory, it complained to be unable to locate ssl, even when I gave it the correct (Default-) path: /usr/local/ssl. After a little investigation I found the reason for this: configure searches for the library files in $ssldir, but for include files in $ssldir/include. I changed one line:
1893c1893
< LIBS="$saved_LIBS -L$ssldir"
---
> LIBS="$saved_LIBS -L$ssldir/lib"
Maybe I overlooked something - then forgive me for intruding :-}
Hannes
--
Johannes Gritsch Unix Consultant Windschnur, Austria
Sent through GMX FreeMail - http://www.gmx.net
From markus.friedl at informatik.uni-erlangen.de Thu Mar 9 23:59:28 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 9 Mar 2000 13:59:28 +0100 Subject: Bug in openssh-1.2.2p1 scp program? In-Reply-To: ; from nkbj@image.dk on Thu, Mar 09, 2000 at 01:27:22PM +0100 References: Message-ID: <20000309135928.B32733@folly.informatik.uni-erlangen.de>
On Thu, Mar 09, 2000 at 01:27:22PM +0100, Niels Kristian Bech Jensen wrote:
> Is this a bug or a feature?
It's a feature. rcp and scp have always worked this way.
From phil at hands.com Fri Mar 10 04:12:02 2000
From: phil at hands.com (Philip Hands) Date: 09 Mar 2000 17:12:02 +0000 Subject: [Galen Hancock ] Information leakage in sshd Message-ID: <8766uwoyot.fsf@sheikh.hands.com>
Hi,
Thought I'd just forward this here, because I don't have time to look into it right now, and am off skiing next week.
I'd guess that we should be checking for username = ``root'' before going off to do password checks, and rejecting it on that basis first.
Cheers, Phil.
--
Mind-numbingly stupid UK law alert! Act now to stop it! http://www.stand.org.uk/
-------------- next part --------------
An embedded message was scrubbed...
From: Galen Hancock
Subject: Information leakage in sshd
Date: Wed, 8 Mar 2000 11:20:39 -0800
Size: 1430
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000309/7f094309/attachment.mht
-------------- next part --------------
From markus.friedl at informatik.uni-erlangen.de Fri Mar 10 06:48:34 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 9 Mar 2000 20:48:34 +0100 Subject: [Galen Hancock ] Information leakage in sshd In-Reply-To: <8766uwoyot.fsf@sheikh.hands.com>; from phil@hands.com on Thu, Mar 09, 2000 at 05:12:02PM +0000 References: <8766uwoyot.fsf@sheikh.hands.com> Message-ID: <20000309204834.A14266@folly.informatik.uni-erlangen.de>
I just committed my fix posted on Feb 17.
On Thu, Mar 09, 2000 at 05:12:02PM +0000, Philip Hands wrote:
> Hi,
> 
> Thought I'd just forward this here, because I don't have time to look
> into it right now, and am off skiing next week.
> 
> I'd guess that we should be checking for username = ``root'' before
> going off to do password checks, and rejecting it on that basis first.
> 
> Cheers, Phil.
> --
> Mind-numbingly stupid UK law alert!
> Act now to stop it! http://www.stand.org.uk/
> Resent-Date: 8 Mar 2000 20:35:57 -0000
> Resent-Cc: recipient list not shown: ;
> Date: Wed, 8 Mar 2000 11:20:39 -0800
> From: Galen Hancock
> To: security at debian.org, submit at bugs.debian.org
> Subject: Information leakage in sshd
> Gnus-Warning: This is a duplicate of message <20000308112038.O5093 at c109854-a.frmt1.sfba.home.com>
> Message-ID: <20000308112038.O5093 at c109854-a.frmt1.sfba.home.com>
> Mime-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Resent-Message-ID: <0xvpe.A.p4D.rmrx4 at murphy>
> Resent-From: debian-private at lists.debian.org
> Resent-Sender: debian-private-request at lists.debian.org
> 
> Package: ssh
> Version: 1:1.2.2-1.4
> 
> When PermitRootLogin is set to no in /etc/ssh/sshd_config it should not
> be possible to determine whether a root password is correct remotely.
> However sshd behaves differently depending on whether the password is
> correct.
> 
> fre-76-51% ssh root at localhost
> root at localhost's password: [typed the correct password]
> Received disconnect: ROOT LOGIN REFUSED FROM localhost
> 
> fre-76-51% ssh root at localhost
> root at localhost's password: [typed an incorrect password]
> [pauses a second, then prints:]
> Permission denied, please try again.
> 
> Thanks,
> Galen
> 
> 
> --
> Please respect the privacy of this mailing list.
> 
> To UNSUBSCRIBE, email to debian-private-request at lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster at lists.debian.org
> 
> 
From mw at moni.msci.memphis.edu Fri Mar 10 08:03:02 2000
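The ordering problem Galen reports (with PermitRootLogin no, a correct root password is answered with ROOT LOGIN REFUSED while a wrong one gets "Permission denied" after the failure delay), as an added example that is not OpenSSH code: a toy login routine in the leaky order beside one that always runs the password check, then applies the policy, so that a refused root login and a wrong password return the identical response. The credential table, `policy` struct and function names are constructed for the demo; it departs from Phil's check-root-first suggestion by still running the verification, so the time the two refusals take also matches.

```c
/* Added example, not OpenSSH code: whether the PermitRootLogin policy is
 * applied before or after the password check decides whether a client can
 * learn if a refused account's password was right. All names and data
 * below are constructed for this demo. */
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the password database. */
struct account { const char *name; const char *password; };
static const struct account accounts[] = {
    { "root",  "correct-horse" },
    { "alice", "battery-staple" },
};

/* Server policy: permit_root_login == 0 models "PermitRootLogin no". */
struct policy { int permit_root_login; };

/* Number of server-side "ROOT LOGIN REFUSED" records written by the fixed
 * routine; stands in for the syslog line the admin should still get. */
static int refused_root_logged = 0;

/* The one message every failed attempt gets from the fixed routine. */
static const char *const DENIED = "Permission denied, please try again.";

static int verify_password(const char *user, const char *pw)
{
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, user) == 0)
            return strcmp(accounts[i].password, pw) == 0;
    return 0;
}

/* Leaky order, as in the bug report: the policy is consulted only after a
 * successful password check, so a correct root password yields a different
 * message (and skips the failure delay) than an incorrect one. */
const char *leaky_login(const struct policy *p, const char *user, const char *pw)
{
    if (!verify_password(user, pw))
        return DENIED;                   /* wrong-password path */
    if (strcmp(user, "root") == 0 && !p->permit_root_login)
        return "ROOT LOGIN REFUSED";     /* reachable only with the right password */
    return "OK";
}

/* Fixed order: the password check always runs (both refusals cost the
 * same time), the policy then overrides the result, and the client sees
 * the generic message either way. The refusal is recorded server-side. */
const char *fixed_login(const struct policy *p, const char *user, const char *pw)
{
    int ok = verify_password(user, pw);
    if (strcmp(user, "root") == 0 && !p->permit_root_login) {
        if (ok)
            refused_root_logged++;       /* a valid root password was presented: log it, never tell the client */
        ok = 0;
    }
    return ok ? "OK" : DENIED;
}

typedef const char *(*login_fn)(const struct policy *, const char *, const char *);

/* Oracle check: with the account refused by policy, does the routine
 * answer differently for the correct and an incorrect password?
 * Returns 1 if the responses differ (the routine leaks), 0 otherwise. */
int is_password_oracle(login_fn login, const char *user, const char *good, const char *bad)
{
    struct policy deny = { 0 };
    return strcmp(login(&deny, user, good), login(&deny, user, bad)) != 0;
}

int main(void)
{
    printf("leaky order leaks root password validity: %d\n",
           is_password_oracle(leaky_login, "root", "correct-horse", "wrong"));
    printf("fixed order leaks root password validity: %d\n",
           is_password_oracle(fixed_login, "root", "correct-horse", "wrong"));
    return 0;
}
```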
From: mw at moni.msci.memphis.edu (Mate Wierdl) Date: Thu, 9 Mar 2000 15:03:02 -0600 Subject: openssh 1.2.2p1 In-Reply-To: References: Message-ID: <20000309150302.A11035@moni.msci.memphis.edu>
On Thu, Mar 09, 2000 at 10:03:30PM +1100, Damien Miller wrote:
> On Wed, 8 Mar 2000, Brian Cervenka wrote:
> 
> > The configure script seems to be broken when doing the install for
> > 1.2.2p1. It can not locate the OpenSSL directory which I just
> > installed as default. I even tried using the --with-ssl-directory
> > switch mentioned in the INSTALL file, and still no cigar. I reverted
> > to 1.2.2 and it worked just fine.
> 
> Known bug - you can work around by:
> 
> LDFLAGS="-L/path/to/ssl/libs" CFLAGS="-I/path/to/ssl/includes" ./configure
No dice for me:
checking for OpenSSL/SSLeay directory... configure: error: Could not find working SSLeay / OpenSSL libraries, please install
and I did
LDFLAGS="-L/space/local/lib" \
CFLAGS="$RPM_OPT_FLAGS -I/space/local/include" \
LD=/usr/ccs/bin/ld ./configure
while I have
rpm -q openssl
openssl-0.9.5-3
rpm -ql openssl|egrep "(lib/|include)"
/space/local/include/openssl
/space/local/include/openssl/asn1.h
/space/local/include/openssl/asn1_mac.h
/space/local/include/openssl/bio.h
/space/local/include/openssl/blowfish.h
/space/local/include/openssl/bn.h
/space/local/include/openssl/buffer.h
/space/local/include/openssl/cast.h
/space/local/include/openssl/comp.h
/space/local/include/openssl/conf.h
/space/local/include/openssl/crypto.h
/space/local/include/openssl/des.h
/space/local/include/openssl/dh.h
/space/local/include/openssl/dsa.h
/space/local/include/openssl/e_os.h
/space/local/include/openssl/e_os2.h
/space/local/include/openssl/ebcdic.h
/space/local/include/openssl/err.h
/space/local/include/openssl/evp.h
/space/local/include/openssl/hmac.h
/space/local/include/openssl/idea.h
/space/local/include/openssl/lhash.h
/space/local/include/openssl/md2.h
/space/local/include/openssl/md5.h
/space/local/include/openssl/mdc2.h
/space/local/include/openssl/objects.h
/space/local/include/openssl/opensslconf.h
/space/local/include/openssl/opensslv.h
/space/local/include/openssl/pem.h
/space/local/include/openssl/pem2.h
/space/local/include/openssl/pkcs12.h
/space/local/include/openssl/pkcs7.h
/space/local/include/openssl/rand.h
/space/local/include/openssl/rc2.h
/space/local/include/openssl/rc4.h
/space/local/include/openssl/rc5.h
/space/local/include/openssl/ripemd.h
/space/local/include/openssl/rsa.h
/space/local/include/openssl/rsaref.h
/space/local/include/openssl/safestack.h
/space/local/include/openssl/sha.h
/space/local/include/openssl/ssl.h
/space/local/include/openssl/ssl2.h
/space/local/include/openssl/ssl23.h
/space/local/include/openssl/ssl3.h
/space/local/include/openssl/stack.h
/space/local/include/openssl/tls1.h
/space/local/include/openssl/tmdiff.h
/space/local/include/openssl/txt_db.h
/space/local/include/openssl/x509.h
/space/local/include/openssl/x509_vfy.h
/space/local/include/openssl/x509v3.h
/space/local/lib/libRSAglue.a
/space/local/lib/libcrypto.a
/space/local/lib/libssl.a

Thx

Mate

From djm at mindrot.org Fri Mar 10 11:31:04 2000
From: djm at mindrot.org (Damien Miller)
Date: Fri, 10 Mar 2000 11:31:04 +1100 (EST)
Subject: your mail
In-Reply-To: <15392.952606700@www11.gmx.net>
Message-ID:

On Thu, 9 Mar 2000, Johannes Gritsch wrote:

> Maybe I overlooked something - then forgive me for intruding :-}

You are perfectly correct. The fix shall be in the upcoming 1.2.3 release.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From rlpowell at calum.csclub.uwaterloo.ca Fri Mar 10 16:40:47 2000
From: rlpowell at calum.csclub.uwaterloo.ca (Robin Lee Powell)
Date: Fri, 10 Mar 2000 00:40:47 -0500 (EST)
Subject: ssh bug? on Solaris
Message-ID: <200003100540.AAA09696@calum.csclub.uwaterloo.ca>

On Solaris, and presumably other architectures that don't have /dev/random, there's a problem with a portion of OpenSSL that is used by OpenSSH.

The cause is line 390 in md_rand.c, which, as far as I can tell, in effect causes everything up the line to kak if not enough entropy has been gathered. Which is fine, except that it only seems to know about /dev/random as a source of entropy. There seems to be egd support in openssl, but I haven't a clue how to make it work with the RAND_METHOD stuff.

The simplest fix is to replace that line with 'ok = 1;', but that's not exactly a good solution.

The resulting error in OpenSSH is

ssh: no RSA support in libssl and libcrypto. See ssl(8).

Note that I have no idea what a good solution to this would be, and I'm sure this isn't even the best place to post this problem. However, if someone does figure it out, please drop me a line. I don't read the list.

-Robin

From djm at mindrot.org Fri Mar 10 21:05:56 2000
From: djm at mindrot.org (Damien Miller)
Date: Fri, 10 Mar 2000 21:05:56 +1100 (EST)
Subject: ssh bug? on Solaris
In-Reply-To: <200003100540.AAA09696@calum.csclub.uwaterloo.ca>
Message-ID:

On Fri, 10 Mar 2000, Robin Lee Powell wrote:

> The resulting error in OpenSSH is
>
> ssh: no RSA support in libssl and libcrypto. See ssl(8).

Fixed in 1.2.2p1. Unfortunately there is a dumb configure bug in 1.2.2p1.

You can work around it by doing:

LDFLAGS="-L/path/to/openssl/lib" CFLAGS="-I/path/to/openssl/include" ./configure

1.2.3 will be out soon which fixes this.

-d

From peter at frontierflying.com Sat Mar 11 07:14:25 2000
From: peter at frontierflying.com (peter at frontierflying.com)
Date: Fri, 10 Mar 2000 11:14:25 -0900 (AKST)
Subject: problems running configure
Message-ID:

I am trying to run the configure script under SuSE 6.3 and get the same error message that others have seen being unable to find working openssl libraries. I tried the patch to configure.in suggested in this list but it did not solve my problem.

openssl (latest version) compiled and installed with no problems in /usr/local/ssl. I then installed the ssl mods for apache and the compilation, installation and operation of apache seemed to be trouble free. It seems like the openssl libraries are in fact installed correctly.

Any other suggestions?

Thank you,

peter

From mouring at pconline.com Sat Mar 11 07:17:26 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Fri, 10 Mar 2000 14:17:26 -0600 (CST)
Subject: problems running configure
In-Reply-To:
Message-ID:

Skim back through the list.. there was a solution..

or 'vi configure', search for your "OpenSSL" area and add /lib to the two variables that are noticeably missing it.

From peter at frontierflying.com Sat Mar 11 09:04:10 2000
From: peter at frontierflying.com (peter at frontierflying.com)
Date: Fri, 10 Mar 2000 13:04:10 -0900 (AKST)
Subject: problems running configure
In-Reply-To:
Message-ID:

I did try adding the /lib to the ssldir in configure.in but that still would not work. I have since tried the same installation on a SuSE 6.0 box and had exactly the same problems. openssl.0.9.5, apache 1.3.12, mod_ssl-2.6.2-1.3.12 all install with no problems. It remains that openssh won't configure.

peter

peter stern              Frontier Flying Service Inc.
Network Administrator    5245 Airport Industrial Rd
907-474-1739 x249        Fairbanks AK 99709

From mouring at pconline.com Sat Mar 11 09:13:33 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Fri, 10 Mar 2000 16:13:33 -0600 (CST)
Subject: problems running configure
In-Reply-To:
Message-ID:

Two places..

LIBS="$saved_LIBS -L$ssldir"
CFLAGS="$CFLAGS -I$ssldir/include"
if test "x$need_dash_r" = "x1" ; then
    LIBS="$LIBS -R$ssldir"

Both LIBS lines have to change.. as stated about 4 times on this list now in the last few days.

FAQ on a website anyone? =)

From mw at moni.msci.memphis.edu Sat Mar 11 09:17:03 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Fri, 10 Mar 2000 16:17:03 -0600
Subject: problems running configure
In-Reply-To:
References:
Message-ID: <20000310161703.A11162@moni.msci.memphis.edu>

On Fri, Mar 10, 2000 at 01:04:10PM -0900, peter at frontierflying.com wrote:
> I did try adding the /lib to the ssldir in configure.in but that still
> would not work. I have since tried the same installation on a SuSE 6.0 box
> and had exactly the same problems. openssl.0.9.5, apache 1.3.12,
> mod_ssl-2.6.2-1.3.12 all install with no problems. It remains that openssh
> won't configure.
>

I wonder what your config.log says (search for `SS')? First, I also thought on my Solaris box that the problem is not finding the (open)ssl libraries. But I have this in config.log

configure:1918: gcc -o conftest -O2 -I/space/local/include -I/space/local/lib/include -L/usr/ucblib conftest.c -ldl -lsocket -lnsl -lz -L/space/local/lib -lpam -L/space/local/lib -R/space/local/lib -lcrypto 1>&5
/space/local/lib/libcrypto.a(rsa_lib.o): In function `RSA_new_method':
/space/local/src/redhat/BUILD/wierdlm/openssl-0.9.4/crypto/rsa/rsa_lib.c:109: undefined reference to `RSA_PKCS1_RSAref'
collect2: ld returned 1 exit status

So you see "it seems" that configure finds my libs---it just does not like libcrypto.a. This error message appears both when I have openssl-0.9.5 or openssl-0.9.4 installed.

I have a Solaris box, so maybe the reason for the error is different from yours.

Mate

From mw at moni.msci.memphis.edu Sat Mar 11 09:23:15 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Fri, 10 Mar 2000 16:23:15 -0600
Subject: problems running configure
In-Reply-To:
References:
Message-ID: <20000310162315.B11162@moni.msci.memphis.edu>

On Fri, Mar 10, 2000 at 04:13:33PM -0600, Ben Lindstrom wrote:
>
> Two Places..
>
> LIBS="$saved_LIBS -L$ssldir"
> CFLAGS="$CFLAGS -I$ssldir/include"
> if test "x$need_dash_r" = "x1" ; then
>     LIBS="$LIBS -R$ssldir"
>
> both LIBS lines have to change.. as stated about 4 times on this
> list now in the last few days.

OK. Look at my configure lines

LDFLAGS="-L/space/local/lib" \
LIBS="-L/space/local/lib" \
CFLAGS="$RPM_OPT_FLAGS -I/space/local/include" \
LD=/usr/ccs/bin/ld ./configure --prefix=/space/local \
    --with-ssl-dir=/space/local/lib

Nevertheless, I get, in config.log:

configure:1918: gcc -o conftest -O2 -I/space/local/include -I/space/local/lib/include -L/usr/ucblib conftest.c -ldl -lsocket -lnsl -lz -L/space/local/lib -lpam -L/space/local/lib -R/space/local/lib -lcrypto 1>&5
/space/local/lib/libcrypto.a(rsa_lib.o): In function `RSA_new_method':
/space/local/src/redhat/BUILD/wierdlm/openssl-0.9.4/crypto/rsa/rsa_lib.c:109: undefined reference to `RSA_PKCS1_RSAref'
collect2: ld returned 1 exit status

So I think the problem is not not finding the libs.

Mate

From mouring at pconline.com Sat Mar 11 09:36:09 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Fri, 10 Mar 2000 16:36:09 -0600 (CST)
Subject: problems running configure
In-Reply-To: <20000310162315.B11162@moni.msci.memphis.edu>
Message-ID:

On Fri, 10 Mar 2000, Mate Wierdl wrote:

> On Fri, Mar 10, 2000 at 04:13:33PM -0600, Ben Lindstrom wrote:
> >
> > Two Places..
> >
> > LIBS="$saved_LIBS -L$ssldir"
> > CFLAGS="$CFLAGS -I$ssldir/include"
> > if test "x$need_dash_r" = "x1" ; then
> >     LIBS="$LIBS -R$ssldir"
> >
> > both LIBS lines have to change.. as stated about 4 times on this
> > list now in the last few days.
>
> OK. Look at my configure lines
>
> LDFLAGS="-L/space/local/lib" \
> LIBS="-L/space/local/lib" \
> CFLAGS="$RPM_OPT_FLAGS -I/space/local/include" \
> LD=/usr/ccs/bin/ld ./configure --prefix=/space/local \
>     --with-ssl-dir=/space/local/lib
>

Note the above code and what you're doing. --with-ssl-dir is a *BASE* directory. It attempts to add on $BASE/include to find the header files. So in your case it's trying to find the header files at "/space/local/lib/include".

If you change the LIBS= lines in the above configure file (ignore configure.in unless you want to build a new configure file) to reflect:

1st spot: LIBS="$saved_LIBS -L$ssldir/lib"
2nd spot: LIBS="$LIBS -R$ssldir/lib"

The above fix has solved the problem on NeXT and Linux at my home.

Note.. the configure.in file is wrong and the above correction is the same for it.

Can we get a 1.2.2p2 with this patch and the other minor ones suggested so we can put this issue to rest?

From peter at frontierflying.com Sat Mar 11 09:56:20 2000
From: peter at frontierflying.com (peter at frontierflying.com)
Date: Fri, 10 Mar 2000 13:56:20 -0900 (AKST)
Subject: problems running configure
In-Reply-To: <20000310162315.B11162@moni.msci.memphis.edu>
Message-ID:

It certainly seems like it doesn't find the files, yet they exist and the paths look correct for the ssldir/lib and the #include etc.

Contents of /usr/local/ssl/include/openssl

asn1.h      conf.h     err.h     objects.h      rc2.h        ssl2.h    x509_vfy.h
asn1_mac.h  crypto.h   evp.h     opensslconf.h  rc4.h        ssl23.h   x509v3.h
bio.h       des.h      hmac.h    opensslv.h     rc5.h        ssl3.h
blowfish.h  dh.h       idea.h    pem.h          ripemd.h     stack.h
bn.h        dsa.h      lhash.h   pem2.h         rsa.h        tls1.h
buffer.h    e_os.h     md2.h     pkcs12.h       safestack.h  tmdiff.h
cast.h      e_os2.h    md5.h     pkcs7.h        sha.h        txt_db.h
comp.h      ebcdic.h   mdc2.h    rand.h         ssl.h        x509.h

From my configure.in

AC_MSG_CHECKING([for OpenSSL/SSLeay directory])
for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl \
    /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do
    if test ! -z "$ssldir" ; then
        LIBS="$saved_LIBS -L$ssldir/lib"
        CFLAGS="$CFLAGS -I$ssldir/include"
        if test "x$need_dash_r" = "x1" ; then
            LIBS="$LIBS -R$ssldir/lib"

From config.log

configure:1918: gcc -o conftest -g -O2 -I/usr/include -I/usr/local/openssl/include -I/usr/lib/openssl/include \
    -I/usr/local/ssl/include -I/usr/lib/ssl/include -I/usr/local/include -I/usr/pkg/include \
    conftest.c -lnsl -lz -lutil -L/usr/pkg -lcrypto 1>&5
/usr/i486-linux/bin/ld: cannot open -lcrypto: No such file or directory
collect2: ld returned 1 exit status
configure: failed program was:
#line 1906 "configure"
#include "confdefs.h"
#include
#include
#include
int main(void) {RSA *key; char seed[2048];memset(seed, 0, sizeof(seed)); RAND_seed(seed, sizeof(seed));key=RSA_generate_key(32,3,NULL,NULL); return(key==NULL);}
configure:1954: gcc -o conftest -g -O2 -I/usr/include -I/usr/local/openssl/include -I/usr/lib/openssl/include \
    -I/usr/local/ssl/include -I/usr/lib/ssl/include -I/usr/local/include \
    -I/usr/pkg/include
    conftest.c -lnsl -lz -lutil -L/usr/pkg \
    -lcrypto 1>&5
configure:1944: ssl/rsa.h: No such file or directory
configure:1945: ssl/bn.h: No such file or directory
configure:1946: ssl/sha.h: No such file or directory
configure: failed program was:
#line 1942 "configure"
#include "confdefs.h"
#include
#include
#include
int main(void) {RSA *key; char seed[2048];memset(seed, 0, sizeof(seed)); RAND_seed(seed, sizeof(seed));key=RSA_generate_key(32,3,NULL,NULL); return(key==NULL);}
configure:1918: gcc -o conftest -g -O2 -I/usr/include -I/usr/local/openssl/include -I/usr/lib/openssl/include \
    -I/usr/local/ssl/include -I/usr/lib/ssl/include -I/usr/local/include \
    -I/usr/pkg/include -I/opt/include -I/opt/openssl/include \
    conftest.c -lnsl -lz -lutil -L/opt/openssl -lcrypto 1>&5
/usr/i486-linux/bin/ld: cannot open -lcrypto: No such file or directory
collect2: ld returned 1 exit status
configure: failed program was:
#line 1906 "configure"
#include "confdefs.h"
#include
#include
#include
int main(void) {RSA *key; char seed[2048];memset(seed, 0, sizeof(seed)); RAND_seed(seed, sizeof(seed));key=RSA_generate_key(32,3,NULL,NULL); return(key==NULL);}
configure:1954: gcc -o conftest -g -O2 -I/usr/include -I/usr/local/openssl/include -I/usr/lib/openssl/include \
    -I/usr/local/ssl/include -I/usr/lib/ssl/include -I/usr/local/include \
    -I/usr/pkg/include -I/opt/include -I/opt/openssl/include \
    conftest.c -lnsl -lz -lutil -L/opt/openssl -lcrypto 1>&5
configure:1944: ssl/rsa.h: No such file or directory
configure:1945: ssl/bn.h: No such file or directory
configure:1946: ssl/sha.h: No such file or directory
configure: failed program was:
#line 1942 "configure"
#include "confdefs.h"
#include
#include
#include
int main(void) {RSA *key; char seed[2048];memset(seed, 0, sizeof(seed)); RAND_seed(seed, sizeof(seed));key=RSA_generate_key(32,3,NULL,NULL); return(key==NULL);}

peter
From mw at moni.msci.memphis.edu Sat Mar 11 10:13:44 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Fri, 10 Mar 2000 17:13:44 -0600
Subject: problems running configure
In-Reply-To:
References: <20000310165208.A12921@moni.msci.memphis.edu>
Message-ID: <20000310171344.B12921@moni.msci.memphis.edu>

On Fri, Mar 10, 2000 at 04:58:05PM -0600, Ben Lindstrom wrote:
>
>
> On Fri, 10 Mar 2000, Mate Wierdl wrote:
>
> [..]
> >
> > My libs are
> >
> > /space/local/lib/libRSAglue.a
> > /space/local/lib/libcrypto.a
> > /space/local/lib/libssl.a
> >
> > my includes are in
> >
> > /space/local/include/openssl
> >
> > so could you recommend a `./configure' line?
> >
>
> Ermm... Since the headers are kinda in non-standard location

Well, this is the directory setup in the openssl rpm (I am trying to adapt the rpm to solaris).

> I can't really give a good suggestion
>
> Only suggestion (assuming it takes) is to do a:
>
> CFLAGS="-I/space/local/include/openssl"; export CFLAGS
> configure --with-ssl-dir=/space/local
>
> (Assuming the patch was applied to ./configure)

Which patch do you mean? I am just using the tarball for 1.2.2p1.

In any case, it seems to me that the problem is not not finding the include or lib files: in config.log, I see

configure:1891: checking for OpenSSL/SSLeay directory
configure:1918: gcc -o conftest -I/space/local/include -L/usr/ucblib conftest.c -ldl -lsocket -lnsl -lz -L/space/local/lib -lpam -lcrypto 1>&5
/space/local/lib/libcrypto.a(rsa_lib.o): In function `RSA_new_method':
/space/local/src/redhat/BUILD/wierdlm/openssl-0.9.4/crypto/rsa/rsa_lib.c:109: undefined reference to `RSA_PKCS1_RSAref'
collect2: ld returned 1 exit status
configure: failed program was:
#line 1906 "configure"
#include "confdefs.h"
#include
#include
#include
int main(void) {RSA *key; char seed[2048];memset(seed, 0, sizeof(seed)); RAND_seed(seed, sizeof(seed));key=RSA_generate_key(32,3,NULL,NULL); return(key==NULL);}

So the gcc line seems to be correct.
I'd like to add that

1.2.2 works with openssl-0.9.4 but
1.2.2 does not work with openssl-0.9.4 (above configure problem)
1.2.2p1 does not work with openssl-0.9.{4,5} (above configure problem)

The reason I am trying to use openssl-0.9.5 is that somebody mentioned a leak (related to the random device) on solaris when using 0.9.4, and supposedly this leak is fixed in 0.9.5.

Mate

From rlpowell at calum.csclub.uwaterloo.ca Sat Mar 11 11:09:18 2000
From: rlpowell at calum.csclub.uwaterloo.ca (Robin Lee Powell)
Date: Fri, 10 Mar 2000 19:09:18 -0500 (EST)
Subject: ssh bug? on Solaris
Message-ID: <200003110009.TAA04634@calum.csclub.uwaterloo.ca>

Damien said:
>On Fri, 10 Mar 2000, Robin Lee Powell wrote:
>
>> The resulting error in OpenSSH is
>>
>> ssh: no RSA support in libssl and libcrypto. See ssl(8).
>
>Fixed in 1.2.2p1. Unfortunately there is a dumb configure bug in
>1.2.2p1.
>
>You can work around it by doing:
>
>LDFLAGS="-L/path/to/openssl/lib" CFLAGS="-I/path/to/openssl/include"
>./configure
>
>1.2.3 will be out soon which fixes this.

Woohoo! Thanks man!

-Robin

From djm at mindrot.org Sat Mar 11 11:36:50 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 11 Mar 2000 11:36:50 +1100 (EST)
Subject: problems running configure
In-Reply-To: <20000310161703.A11162@moni.msci.memphis.edu>
Message-ID:

On Fri, 10 Mar 2000, Mate Wierdl wrote:

> I wonder what your config.log says (search for `SS')? First, I also
> thought on my Solaris box that the problem is not finding the
> (open)ssl libraries. But I have this in config.log
>
> configure:1918: gcc -o conftest -O2 -I/space/local/include
> -I/space/local/lib/include -L/usr/ucblib conftest.c -ldl -lsocket -lnsl -lz
> -L/space/local/lib -lpam -L/space/local/lib -R/space/local/lib -lcrypto 1>&5
> /space/local/lib/libcrypto.a(rsa_lib.o): In function `RSA_new_method':
> /space/local/src/redhat/BUILD/wierdlm/openssl-0.9.4/crypto/rsa/rsa_lib.c:109:
> undefined reference to `RSA_PKCS1_RSAref'
> collect2: ld returned 1 exit status

It looks like you have built your OpenSSL with RSAref. You need to add a LIBS="-lRSAref -lRSAglue" before ./configure.

-d

From djm at mindrot.org Sat Mar 11 12:42:39 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 11 Mar 2000 12:42:39 +1100 (EST)
Subject: TEST RELEASE: openssh-1.2.3pre1
Message-ID:

I have just uploaded a test release of 1.2.3. It includes numerous fixes from the OpenBSD team and should fix the stupid configure bugs of 1.2.2p1.

http://violet.ibs.com.au/openssh/files/test/

A detailed ChangeLog is in the directory.

Please report successes and failures.

Regards,
Damien Miller

From peter at frontierflying.com Sat Mar 11 12:43:28 2000
From: peter at frontierflying.com (peter at frontierflying.com)
Date: Fri, 10 Mar 2000 16:43:28 -0900 (AKST)
Subject: problems running configure
In-Reply-To:
Message-ID:

root at hangar:/usr/tmp/openssh-1.2.2p1 > LIBS="-lRSAref -lRSAglue" ./configure
loading cache ./config.cache
checking host system type... i686-pc-linux-gnu
checking for inline... inline
checking for gcc... gcc
checking whether the C compiler (gcc ) works... no
configure: error: installation or configuration problem: C compiler cannot create executables.

from the config.log

configure:593: checking host system type
configure:617: checking for inline
configure:631: cc -c conftest.c 1>&5
configure:661: checking for gcc
configure:774: checking whether the C compiler (gcc ) works
configure:790: gcc -o conftest conftest.c -lRSAref -lRSAglue 1>&5
/usr/i486-linux/bin/ld: cannot open -lRSAref: No such file or directory
collect2: ld returned 1 exit status
configure: failed program was:
#line 785 "configure"
#include "confdefs.h"

Suggestions?

peter

On Sat, 11 Mar 2000, Damien Miller wrote:

> On Fri, 10 Mar 2000, Mate Wierdl wrote:
>
> > I wonder what your config.log says (search for `SS')? First, I also
> > thought on my Solaris box that the problem is not finding the
> > (open)ssl libraries. But I have this in config.log
> >
> > configure:1918: gcc -o conftest -O2 -I/space/local/include
> > -I/space/local/lib/include -L/usr/ucblib conftest.c -ldl -lsocket -lnsl -lz
> > -L/space/local/lib -lpam -L/space/local/lib -R/space/local/lib -lcrypto 1>&5
> > /space/local/lib/libcrypto.a(rsa_lib.o): In function `RSA_new_method':
> > /space/local/src/redhat/BUILD/wierdlm/openssl-0.9.4/crypto/rsa/rsa_lib.c:109:
> > undefined reference to `RSA_PKCS1_RSAref'
> > collect2: ld returned 1 exit status
>
> It looks like you have built your OpenSSL with RSAref.
> You need to add a LIBS="-lRSAref -lRSAglue" before ./configure.
>
> -d

From djm at mindrot.org Sat Mar 11 12:48:48 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 11 Mar 2000 12:48:48 +1100 (EST)
Subject: problems running configure
In-Reply-To:
Message-ID:

On Fri, 10 Mar 2000 peter at frontierflying.com wrote:

> root at hangar:/usr/tmp/openssh-1.2.2p1 > LIBS="-lRSAref -lRSAglue" ./configure

You will also need to set LDFLAGS and CFLAGS as has been described in other messages.

You could also try the 1.2.3pre1 test release.

-d

From dghespri at sprintparanet.com Sat Mar 11 19:47:23 2000
From: dghespri at sprintparanet.com (David G. Hesprich)
Date: Sat, 11 Mar 2000 03:47:23 -0500
Subject: OpenSSH 1.2.3 Configure
Message-ID: <000a01bf8b36$6cce0880$1500a8c0@alex1.va.home.com>

It's *very* late here (or very early, depending on how you look at it), so please forgive me if this is incoherent. I thought I'd put this out there and perhaps save a few people some frustration.

The configure script is much improved, but I still had problems with the OpenSSL detection. Had to tweak it a bit:

*** configure-1.2.3pre1 Sat Mar 11 03:29:00 2000
--- configure Sat Mar 11 03:15:55 2000
***************
*** 1887,1895 **** fi echo $ac_n "checking for OpenSSL/SSLeay directory""... $ac_c" 1>&6 echo "configure:1890: checking for OpenSSL/SSLeay directory" >&5 ! for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do if test ! -z "$ssldir" ; then ! LIBS="$saved_LIBS -L$ssldir -lcrypto" CFLAGS="$CFLAGS -I$ssldir/include" if test "x$need_dash_r" = "x1" ; then LIBS="$LIBS -R$ssldir/lib" --- 1887,1896 ---- fi echo $ac_n "checking for OpenSSL/SSLeay directory""... $ac_c" 1>&6 echo "configure:1890: checking for OpenSSL/SSLeay directory" >&5 ! #for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do ! for ssldir in "" $tryssldir ; do if test ! -z "$ssldir" ; then ! LIBS="$saved_LIBS -L$ssldir/lib -lcrypto" CFLAGS="$CFLAGS -I$ssldir/include" if test "x$need_dash_r" = "x1" ; then LIBS="$LIBS -R$ssldir/lib"

Checking for all the alternate locations is a bit excessive - cutting down on the search path reduces the time it takes those tests to complete dramatically, and asking the user to provide something like "--with-ssl-dir=/usr/local/ssl" isn't too bad, IMHO.

The rsaref2 detection appeared to work fine.

Manuals are still complete hash on my Solaris 7 box.
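Review bot: The `LIBS="$saved_LIBS -L$ssldir/lib -lcrypto"` change in this hunk is the correction the other reports in this thread converge on (the libraries live under $ssldir/lib), but the same hunk also comments out the candidate list and leaves `for ssldir in "" $tryssldir ; do`, so a run without --with-ssl-dir now probes only the empty (system default) entry and an OpenSSL installed in /usr/local/ssl is no longer found on its own. Keep the /lib correction, but either keep the candidate list (the cost is one compile-and-link per candidate) or state the new --with-ssl-dir requirement in INSTALL, and send the two changes separately so the fix is not tied to the behaviour change.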
Any pointers on what's causing it and how to fix would be appreciated.

Oh, hey - how about adding a configuration file token for setting the connection banner (assuming my request isn't violating any protocol specs)? Giving away the version number is convenient, but not very secure. It'd be nice to be able to say, put "Banner "sshd (you can't have my version number)"" in the sshd_config, and connect to port 22 and see that, rather than "SSH-1.5-OpenSSH-1.2.3" (which is a good default, but not my first choice for a production box)...

Thanks,

-David Hesprich

From ishikawa at yk.rim.or.jp Sat Mar 11 20:00:52 2000
From: ishikawa at yk.rim.or.jp (Ishikawa)
Date: Sat, 11 Mar 2000 18:00:52 +0900
Subject: TEST RELEASE: openssh-1.2.3pre1
References:
Message-ID: <38CA0B44.2BBFC6E3@yk.rim.or.jp>

Damien Miller wrote:

> I have just uploaded a test release of 1.2.3. It includes numerous
> fixes from the OpenBSD team and should fix the stupid configure bugs
> of 1.2.2p1.
>
> http://violet.ibs.com.au/openssh/files/test/
>
> A detailed ChangeLog is in the directory.
>
> Please report successes and failures.

Tried the 1.2.3pre1. Here is a bug report.

openssh-1.2.3pre1 configure failed on my Debian GNU/Linux

configure confusion:

Fact. I am using openssl-0.9.4.tar.gz and installed it under what I believe to be the default directory. Header files are under /usr/local/ssl/include/openssl whereas the library files are under /usr/local/ssl/lib

Please note that the header files need additional intermediate directory "openssl".

Directory listing.

ishikawa at standard$ ls /usr/local/ssl
./  ../  bin/  certs/  include/  lib/  misc/  openssl.cnf  private/
ishikawa at standard$ ls /usr/local/ssl/include
./  ../  openssl/
ishikawa at standard$ ls /usr/local/ssl/lib
./  ../  libcrypto.a  libssl.a
ishikawa at standard$

Fix to configure.

For library search path, I added -L$ssldir/lib before -L$ssldir, and for header search path, I added the -I$ssldir/openssh/include before -I$ssldir/include. This worked. Your mileage may vary.

ishikawa at standard$ pwd
/opt2/tools/openssh-1.2.3pre1
rcsdiff -u configure
===================================================================
RCS file: RCS/configure,v
retrieving revision 1.1
diff -u -r1.1 configure
--- configure 2000/03/11 08:14:38 1.1
+++ configure 2000/03/11 08:44:11
@@ -986,6 +986,8 @@ echo "$ac_t""no" 1>&6 fi +# set -vx + # Find a good install program. We prefer a C program (faster), # so one script is as good as another. But avoid the broken or # incompatible versions: @@ -1042,6 +1044,9 @@ fi echo "$ac_t""$INSTALL" 1>&6 +#echo "INSTALL : $INSTALL " +#set +vx + # Use test -z because SunOS4 sh mishandles braces in ${var-val}. # It thinks the first close brace ends the variable substitution. test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}' 
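Review bot: The @@ -986 and @@ -1042 hunks above only add commented-out debugging toggles (`# set -vx`, `#echo "INSTALL : $INSTALL "`, `#set +vx`); they change no behaviour and should be left out of anything proposed for the distribution, since leftover debug lines in a generated configure are noise for whoever reads it next.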
@@ -1885,12 +1890,16 @@ if test "x$prefix" != "xNONE" ; then tryssldir="$tryssldir $prefix" fi + +#set -vx +#echo "tryssldir: $tryssldir" + echo $ac_n "checking for OpenSSL/SSLeay directory""... $ac_c" 1>&6 echo "configure:1890: checking for OpenSSL/SSLeay directory" >&5 for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do if test ! -z "$ssldir" ; then - LIBS="$saved_LIBS -L$ssldir -lcrypto" - CFLAGS="$CFLAGS -I$ssldir/include" + LIBS="$saved_LIBS -L$ssldir/lib -L$ssldir -lcrypto" + CFLAGS="$CFLAGS -I$ssldir/openssh/include -I$ssldir/include" if test "x$need_dash_r" = "x1" ; then LIBS="$LIBS -R$ssldir/lib" fi
ishikawa at standard$

Possible Better fix.

It is better to modify the configure.in and re-create the configure for testing. But, when I modified configure.in and tried to re-create configure using autoconf, it failed with the following messages. (This error also resulted with the original configure.in in the tar file.) Maybe my autoconf is not up-to-date. Someone in the know can fix configure.in and recreate configure for distribution.

Eg.

ishikawa at standard$ autoconf --version
Autoconf version 2.13
ishikawa at standard$ autoconf
configure.in:184: warning: AC_TRY_RUN called without default to allow cross compiling
configure.in:200: warning: AC_TRY_RUN called without default to allow cross compiling
configure.in:551: warning: Cannot check for file existence when cross compiling
configure.in:558: warning: Cannot check for file existence when cross compiling
configure.in:598: warning: Cannot check for file existence when cross compiling
ishikawa at standard$

Thank you again for the great package.

Happy Hacking!
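Review bot: In the @@ -1885 hunk the added `-L$ssldir/lib` is what makes the library found (the listing shows libcrypto.a under /usr/local/ssl/lib, and it is the same change Ben Lindstrom and David Hesprich arrived at), but the added `-I$ssldir/openssh/include` names a directory that does not exist in the listed tree (/usr/local/ssl holds include/openssl, not openssh/include) and so contributes nothing; it reads like a typo for openssl, and the headers are already reached through the existing `-I$ssldir/include`, as the config.log posted earlier in this thread shows a conftest with only `-I/usr/local/ssl/include` failing at link time rather than on the includes. Suggest keeping only the `-L$ssldir/lib` addition and dropping the extra `-I`, together with the `#set -vx` / `#echo "tryssldir: ..."` debug lines this hunk also introduces.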
From: djm at mindrot.org (Damien Miller) Date: Sat, 11 Mar 2000 20:40:36 +1100 (EST) Subject: patch for openssh-1.2.2p1 In-Reply-To: <20000308010004L.yoshfuji@cerberus.nemoto.ecei.tohoku.ac.jp> Message-ID: On Wed, 8 Mar 2000, Hideaki YOSHIFUJI wrote: > Hi, > > openssh-1.2.2p1 seems to have 2 problems on ipv6 (and > ipv4 mapped addresses). > > 1. "BREAKIN ATTEMPT" warnings from ipv4 node > 2. X forwarding How does this patch look to you? Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -------------- next part -------------- Index: acconfig.h =================================================================== RCS file: /var/cvs/openssh/acconfig.h,v retrieving revision 1.53 diff -u -r1.53 acconfig.h --- acconfig.h 2000/03/09 11:31:13 1.53 +++ acconfig.h 2000/03/11 09:38:46 @@ -153,6 +153,12 @@ /* getaddrinfo is broken (if present) */ #undef BROKEN_GETADDRINFO +/* Workaround more Linux IPv6 bugs */ +#undef DONT_TRY_OTHER_AF + +/* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */ +#undef IPV4_IN_IPV6 + @BOTTOM@ /* ******************* Shouldn't need to edit below this line ************** */ Index: canohost.c =================================================================== RCS file: /var/cvs/openssh/canohost.c,v retrieving revision 1.7 diff -u -r1.7 canohost.c --- canohost.c 2000/01/14 04:45:48 1.7 +++ canohost.c 2000/03/11 09:38:49 
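Review bot: the comment on DONT_TRY_OTHER_AF in the acconfig.h hunk above, "Workaround more Linux IPv6 bugs", misdescribes the situation it covers: on Linux an AF_INET6 listener already accepts IPv4 clients (they arrive as IPv4-mapped addresses), which is why a second listener for the other family is pointless there, and the reporter later stresses this is not a bug, only behaviour other systems do not share. Suggest wording it as "Linux: an AF_INET6 socket already serves IPv4, so do not try to bind the other address family" so readers of config.h understand why the define is Linux-only.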
@@ -42,6 +42,30 @@ debug("getpeername failed: %.100s", strerror(errno)); fatal_cleanup(); } + +#ifdef IPV4_IN_IPV6 + if (from.ss_family == AF_INET6) { + struct sockaddr_in6 *from6 = (struct sockaddr_in6 *)&from; + + /* Detect IPv4 in IPv6 mapped address and convert it to */ + /* plain (AF_INET) IPv4 address */ + if (IN6_IS_ADDR_V4MAPPED(&from6->sin6_addr)) { + struct sockaddr_in *from4 = (struct sockaddr_in *)&from; + struct in_addr addr; + u_int16_t port; + + memcpy(&addr, ((char *)&from6->sin6_addr) + 12, sizeof(addr)); + port = from6->sin6_port; + + memset(&from, 0, sizeof(from)); + + from4->sin_family = AF_INET; + memcpy(&from4->sin_addr, &addr, sizeof(addr)); + from4->sin_port = port; + } + } +#endif + if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0) fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed"); Index: channels.c =================================================================== RCS file: /var/cvs/openssh/channels.c,v retrieving revision 1.17 diff -u -r1.17 channels.c --- channels.c 2000/03/03 11:35:33 1.17 +++ channels.c 2000/03/11 09:39:12 @@ -1215,8 +1215,12 @@ break; } socks[num_socks++] = sock; +#ifndef DONT_TRY_OTHER_AF if (num_socks == NUM_SOCKS) break; +#else + break; +#endif } if (num_socks > 0) break; Index: configure.in =================================================================== RCS file: /var/cvs/openssh/configure.in,v retrieving revision 1.93 diff -u -r1.93 configure.in --- configure.in 2000/03/11 09:05:12 1.93 +++ configure.in 2000/03/11 09:39:22 @@ -55,6 +55,8 @@ ;; *-*-linux*) no_dev_ptmx=1 + AC_DEFINE(DONT_TRY_OTHER_AF) + inet6_default_4in6=yes ;; *-*-netbsd*) need_dash_r=1 
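Review bot: in the IPV4_IN_IPV6 block of the canohost.c hunk, `fromlen` keeps the value getpeername() filled in (sizeof(struct sockaddr_in6)) after `from` has been rewritten as an AF_INET address, yet the unchanged line `if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0)` still passes that stale length. getnameinfo() implementations that require salen to match the sockaddr size of the address family (the BSD resolver does) then fail and sshd dies in fatal(). Add `fromlen = sizeof(struct sockaddr_in);` right after `from4->sin_port = port;`. Saving `sin6_port` and the low 32 bits of `sin6_addr` before the memset() is correct as written.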
@@ -784,6 +786,26 @@ [ if test "x$withval" != "xno" ; then AC_DEFINE(IPV4_DEFAULT) + fi + ] +) + +AC_MSG_CHECKING([to convert IPv4 in IPv6-mapped addresses]) +AC_ARG_WITH(4in6, + [ --with-4in6 Check for and convert IPv4 in IPv6 mapped addresses], + [ + if test "x$withval" != "xno" ; then + AC_MSG_RESULT(yes) + AC_DEFINE(IPV4_IN_IPV6) + else + AC_MSG_RESULT(no) + fi + ],[ + if test "x$inet6_default_4in6" = "xyes"; then + AC_MSG_RESULT([yes (default)]) + AC_DEFINE(IPV4_IN_IPV6) + else + AC_MSG_RESULT([no (default)]) fi ] ) From djm at mindrot.org Sat Mar 11 20:53:33 2000 From: djm at mindrot.org (Damien Miller) Date: Sat, 11 Mar 2000 20:53:33 +1100 (EST) Subject: TEST RELEASE: openssh-1.2.3pre1 In-Reply-To: <38CA0B44.2BBFC6E3@yk.rim.or.jp> Message-ID: On Sat, 11 Mar 2000, Ishikawa wrote: > - LIBS="$saved_LIBS -L$ssldir -lcrypto" > - CFLAGS="$CFLAGS -I$ssldir/include" > + LIBS="$saved_LIBS -L$ssldir/lib -L$ssldir -lcrypto" > + CFLAGS="$CFLAGS -I$ssldir/openssh/include There is now a 1.2.3pre2 on violet.ibs.com.au which fixes this problem. Thanks for the report, Damien -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From ishikawa at yk.rim.or.jp Sun Mar 12 07:41:15 2000 
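Review bot: the --with-4in6 hunk defines IPV4_IN_IPV6 (on Linux by default, through `inet6_default_4in6=yes` from the earlier hunk) without first checking that the headers provide IN6_IS_ADDR_V4MAPPED, which the canohost.c code it enables relies on; on systems whose IPv6 headers lack the macro the build then fails at link time with "undefined reference to `IN6_IS_ADDR_V4MAPPED'", exactly what the SuSE 6.0 report further down this thread shows. Add an AC_TRY_COMPILE test for the macro before `AC_DEFINE(IPV4_IN_IPV6)` (or a fallback definition in defines.h). The help text "Check for and convert IPv4 in IPv6 mapped addresses" promises a check that does not exist, and "checking to convert IPv4 in IPv6-mapped addresses" reads oddly; "whether to convert IPv4-in-IPv6 mapped addresses" fits autoconf's usual "checking whether" phrasing.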
From: ishikawa at yk.rim.or.jp (Ishikawa) Date: Sun, 12 Mar 2000 05:41:15 +0900 Subject: TEST RELEASE: openssh-1.2.3pre1 References: Message-ID: <38CAAF6B.B7F9CF21@yk.rim.or.jp> Damien Miller wrote: > On Sat, 11 Mar 2000, Ishikawa wrote: > > > - LIBS="$saved_LIBS -L$ssldir -lcrypto" > > - CFLAGS="$CFLAGS -I$ssldir/include" > > + LIBS="$saved_LIBS -L$ssldir/lib -L$ssldir -lcrypto" > > + CFLAGS="$CFLAGS -I$ssldir/openssh/include > > There is now a 1.2.3pre2 on violet.ibs.com.au which fixes this > problem. > > Thanks for the report, > Damien You are very welcome, and I tested the new pre2 and it installed without a hitch! >ishikawa at standard$ cat do-conf.sh >: ># >./configure --prefix=/usr/local --with-ssl-dir=/usr/local/ssl >ishikawa at standard$ ./do-conf.sh ; make It worked like a charm. Thank you again. Happy Hacking! PS: I realize now that the problem I had was only related to libraries and not the header files. Header files were included with "openssl/..." prefix already. From jack_kcaj at hotmail.com Sun Mar 12 09:28:45 2000 
From: jack_kcaj at hotmail.com (jackjack jack) Date: Sat, 11 Mar 2000 17:28:45 EST Subject: closed connections when using X11 forwarding Message-ID: <20000311222845.28726.qmail@hotmail.com> I'm experiencing a problem with X11 forwarding over ssh connections. If one of the X11 apps that is opened remotely is shut down, the entire connection is released with the output: Connection to joe.bl.com closed by remote host. Connection to joe.bl.com closed. It seems like this only happens in certain instances of exiting X11 apps, e.g., when an app dies unexpectedly (I can replicate this with LyX), or for certain classes of apps (appletviewer distributed with jdk1.2.pre-v2). I can't find any mention of this type of behavior being expected in the docs, though there may be some explanation for it. I definitely would classify it as a bug, since on a ssh connection where multiple apps are being run, this results in data loss for those apps when the whole thing comes crashing down. openssh version 1.2.2 openssl version 0.9.4 Linux (RH6.1) kernel 2.2.12, glibc 2.1.2. (both machines match this description) ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com From Jay at aol.com Sun Mar 12 18:32:36 2000 
From: Jay at aol.com (Jay at aol.com) Date: Sun, 12 Mar 2000 02:32:36 EST Subject: Trouble building 1.2.2p1 on Solaris 2.7 Message-ID: I installed OpenSSL 0.9.5 in the default location (/usr/local/ssl) on my Solaris 2.7 box, and then tried to install OpenSSH 1.2.2p1. Configure (with no arguments) complains that it can't find working OpenSSL libraries. The last few lines of config.log show a whole bunch of attempts to compile the test code, all failing of course. My /usr/local/ssl DOES have an include/openssl directory with the three relevant header files (rsa.h, bn.h, sha.h), and /usr/local/ssl/lib does have libcrypto.a. What could the problem be? I'm not familiar with autoconf, but the configure.in looks like it ought to be trying all possible combinations and one ought to be working. The full config.log is at http://members.aol.com/jay/openssh-config.log; I didn't want to clutter up the list with it. Jay Levitt jay at aol.com From djm at mindrot.org Sun Mar 12 18:36:08 2000 From: djm at mindrot.org (Damien Miller) Date: Sun, 12 Mar 2000 18:36:08 +1100 (EST) Subject: Trouble building 1.2.2p1 on Solaris 2.7 In-Reply-To: Message-ID: On Sun, 12 Mar 2000 Jay at aol.com wrote: > What could the problem be? I'm not familiar with autoconf, but > the configure.in looks like it ought to be trying all possible > combinations and one ought to be working. The full config.log is > at http://members.aol.com/jay/openssh-config.log; I didn't want to > clutter up the list with it. Known problem. You can edit configure so that it uses -L$ssldir/lib (instead of -l$ssldir) or use the 1.2.3pre2 release. Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From Jay at aol.com Mon Mar 13 07:15:04 2000 
From: Jay at aol.com (Jay at aol.com) Date: Sun, 12 Mar 2000 15:15:04 EST Subject: Trouble building 1.2.2p1 on Solaris 2.7 Message-ID: <68.1c95ce5.25fd54c8@aol.com> In a message dated 3/12/2000 2:36:17 AM Eastern Standard Time, djm at mindrot.org writes: > Known problem. You can edit configure so that it uses -L$ssldir/lib > (instead of -l$ssldir) or use the 1.2.3pre2 release. Thanks. I moved to 1.2.3pre2, but got: checking for OpenSSL/SSLeay directory... configure: test: argument expected It looks like there are quotes missing around the test for $WANTS_RSAREF around line 227 of configure.in. I fixed that, and it got past the OpenSSL problem. Now to find a random number source... but that's not OpenSSH's problem :) Jay From yoshfuji at ecei.tohoku.ac.jp Mon Mar 13 15:19:33 2000 From: yoshfuji at ecei.tohoku.ac.jp (Hideaki YOSHIFUJI) Date: Mon, 13 Mar 2000 13:19:33 +0900 Subject: patch for openssh-1.2.2p1 In-Reply-To: References: <20000308010004L.yoshfuji@cerberus.nemoto.ecei.tohoku.ac.jp> Message-ID: <20000313131933L.yoshfuji@cerberus.nemoto.ecei.tohoku.ac.jp> In article (at Sat, 11 Mar 2000 20:40:36 +1100 (EST)), Damien Miller says: > > 1. "BREAKIN ATTEMPT" warnings from ipv4 node > > 2. X forwarding > > How does this patch look to you? With your revised patch, openssh looks fine. P.S. The Linux's behavior is not compatible with other OSes, but it's NOT a BUG. -- Hideaki YOSHIFUJI Web Page: http://www.ecei.tohoku.ac.jp/%7Eyoshfuji/ PGP5i FP: F731 6599 5EB2 BBA7 1515 1323 1806 A96F 5700 6B25 From alex at forbin.diebold.net Mon Mar 13 17:00:59 2000 
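The conversion this patch thread is about, as an added example written for this page (it is neither the patch above nor OpenSSH code): on Linux an AF_INET6 listener also accepts IPv4 clients, and getpeername() then reports them as IPv4-mapped addresses such as ::ffff:192.0.2.1, which is what upsets the hostname checks on the server side. The helper below rewrites such an address to plain AF_INET, shrinks the length that will be handed to getnameinfo() to match (the caveat the patch leaves out), and leaves real IPv6 peers untouched. The function names, the sample addresses and the port value are my own constructed input, not anything from the list; getnameinfo() is called with NI_NUMERICHOST so no DNS is involved.

```c
/* Added example, not OpenSSH code: normalise an IPv4-mapped IPv6 peer address
 * (::ffff:a.b.c.d, as a Linux AF_INET6 listener reports IPv4 clients) to a
 * plain AF_INET address before it is turned into text or looked up.
 * Build: cc -o v4mapped v4mapped.c */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* Rewrite *ss in place if it holds an IPv4-mapped IPv6 address.
 * *len is the length getpeername() filled in; it is shrunk to match the new
 * family, because some getnameinfo() implementations reject a length that
 * does not equal the sockaddr size of the family. Returns 1 if rewritten, 0 if not. */
int normalize_v4mapped(struct sockaddr_storage *ss, socklen_t *len)
{
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ss;
    struct sockaddr_in s4;

    if (ss->ss_family != AF_INET6 || !IN6_IS_ADDR_V4MAPPED(&s6->sin6_addr))
        return 0;

    memset(&s4, 0, sizeof(s4));
    s4.sin_family = AF_INET;
    s4.sin_port = s6->sin6_port;                          /* already network byte order */
    memcpy(&s4.sin_addr, &s6->sin6_addr.s6_addr[12], 4);  /* low 32 bits hold the IPv4 address */

    memset(ss, 0, sizeof(*ss));
    memcpy(ss, &s4, sizeof(s4));
    *len = sizeof(s4);                                    /* the caller's length must shrink too */
    return 1;
}

/* Numeric text form of an address, the first step taken before any DNS lookup.
 * Returns getnameinfo()'s result, 0 on success. */
int numeric_host(const struct sockaddr_storage *ss, socklen_t len, char *buf, size_t buflen)
{
    return getnameinfo((const struct sockaddr *)ss, len, buf, buflen, NULL, 0, NI_NUMERICHOST);
}

/* Build an AF_INET6 address from text the way getpeername() would hand it to us
 * (constructed input for this example; the port is arbitrary). Returns 0 on success. */
int make_v6_peer(const char *text, unsigned short port, struct sockaddr_storage *ss, socklen_t *len)
{
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ss;

    memset(ss, 0, sizeof(*ss));
    s6->sin6_family = AF_INET6;
    s6->sin6_port = htons(port);
    if (inet_pton(AF_INET6, text, &s6->sin6_addr) != 1)
        return -1;
    *len = sizeof(*s6);
    return 0;
}

int main(void)
{
    /* Constructed sample peers: an IPv4 client seen through an AF_INET6 socket, and a real IPv6 client. */
    const char *samples[] = { "::ffff:192.0.2.1", "2001:db8::1" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct sockaddr_storage ss;
        socklen_t len;
        char host[64];
        int changed;

        if (make_v6_peer(samples[i], 22, &ss, &len) != 0)
            return 1;
        changed = normalize_v4mapped(&ss, &len);
        if (numeric_host(&ss, len, host, sizeof(host)) != 0)
            return 1;
        printf("%-18s -> %-12s family=%s len=%u rewritten=%d\n", samples[i], host,
               ss.ss_family == AF_INET ? "AF_INET" : "AF_INET6", (unsigned)len, changed);
    }
    return 0;
}
```

The mapped peer comes out as 192.0.2.1 with family AF_INET and the IPv4 sockaddr length, so a later forward/reverse lookup compares like for like; the native IPv6 peer is passed through unchanged.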
From: alex at forbin.diebold.net (Alex) Date: Mon, 13 Mar 2000 01:00:59 -0500 (EST) Subject: duplicate log entries Message-ID: When I use openssh's UseLogin option (i.e. set it to "Yes").. I get duplicate entries in the wtmp file (when I type 'last' it displays users who logged on via sshd twice), like this: tempest ttyp4 63.10.229.126 Sat Mar 11 22:33 - 14:03 (15:29) tempest ttyp4 1cust126.tnt5.ta Sat Mar 11 22:33 still logged in Note however that this is AFTER a user has logged off. It shows how long the user was logged on in the first entry (the one by login(1)) and correctly logs only the IP address. However, sshd STILL logged the entry, incorrectly I might add, saying the user is 'still logged in' as well as logging the whole hostname (which gets cut off) instead of just the IP address. An obvious solution is to set UseLogin to "No" and have sshd do the logging. This however doesn't solve the problem that sshd doesn't properly 'log off' users (with respect to the wtmp) and logs those ugly long hostnames letting them get cut off (instead of nicely logging just the IP). How can I make sshd log via ONLY login(1) w/o sshd re-logging the event, OR how can I make sshd do the logging properly (not logging hostnames that get cut off)? The OpenSSH version I'm working with is 1.2.2. Thank you in advance. Regards, Alex From Jay at aol.com Mon Mar 13 16:37:44 2000 
From: Jay at aol.com (Jay at aol.com) Date: Mon, 13 Mar 2000 00:37:44 EST Subject: A few more Solaris 7 bugs in 1.2.3pre2 Message-ID: <62.1a86f4f.25fdd8a8@aol.com> These are all in the port of 1.2.3pre2: - configure accepts --includedir, but doesn't seem to pass it on to the Makefile. You have to edit the Makefile manually if you have include files anywhere but /usr/include. Which is a problem because... - The Makefile doesn't include /usr/local/include by default, which is where zlib installs itself by default. Probably oughta be in there. Same with /usr/local/lib. If you install your gcc to the default directory /usr/local, gcc will include them automatically, but if your gcc is in, say, /usr/cygnus it won't. - The Makefile DOES include /usr/include, however. Unfortunately, running gcc on a Solaris box, you want to pick up varargs.h from (gcc-lib)/include, not /usr/include, or else you'll get errors about __builtin_va_alist, which Solaris cc provides but GNU does not. I put /usr/include as -idirafter instead of -I, and it worked for me. Perhaps check for -idirafter as a compiler option, and use it if available? - The man pages don't format properly ("what nroff" gives roff: n1.c 2.13). All the text runs together into one long paragraph. I am unfamiliar with writing man and nroff, and my attempts to fix things just made it worse. Jay Levitt From markus.friedl at informatik.uni-erlangen.de Mon Mar 13 18:34:34 2000 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 13 Mar 2000 08:34:34 +0100 Subject: OpenSSH 1.2.3 Configure In-Reply-To: <000a01bf8b36$6cce0880$1500a8c0@alex1.va.home.com>; from dghespri@sprintparanet.com on Sat, Mar 11, 2000 at 03:47:23AM -0500 References: <000a01bf8b36$6cce0880$1500a8c0@alex1.va.home.com> Message-ID: <20000313083434.A32362@folly.informatik.uni-erlangen.de> On Sat, Mar 11, 2000 at 03:47:23AM -0500, David G. Hesprich wrote: > Oh, hey - how about adding a configuration file token for setting the > connection banner (assuming my request isn't violating any protocol specs)? this would be very confusing. > Giving away the version number is convenient, but not very secure. It'd be > nice to be able to say, put "Banner "sshd (you can't have my version > number)"" in the sshd_config, and connect to port 22 and see that, rather > than "SSH-1.5-OpenSSH-1.2.3" (which is a good default, but not my first > choice for a production box)... you could edit version.h, but i do not recommend this at all. i don't see a reason why openssh should say: SSH-1.5-ssh-1.2.27 or SSH-1.5-OpenSSH-1.2.3 if you still run 1.2.2. Changing the version number does not fix bugs. Note that the SSH-1.5 prefix is obligatory. Additionally, clients may use the vendor suffix for bug/feature-compatibility, so it's a bad idea to change this. From mw at moni.msci.memphis.edu Tue Mar 14 02:44:30 2000 
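The identification string Markus refers to, as an added example that is not part of the original message or of OpenSSH: the first line a server sends has the form SSH-protoversion-softwareversion followed by a newline, and the client parses it before it sends anything itself. The parser below extracts the protocol numbers and the software suffix, applies a protocol check of the kind a 1.x client makes (treating minor versions 3, 5 and 99 as SSH-1 capable is my assumption, not something stated on this page), pulls out the implementation name that compatibility lookups key on, and shows that a free-form banner such as the one proposed in the quoted request is rejected outright because it lacks the obligatory SSH-1.5 prefix. All sample lines are constructed.

```c
/* Added example, not OpenSSH code: parse the identification string an SSH-1
 * server sends first, e.g. "SSH-1.5-OpenSSH-1.2.3\n", the way a client must
 * before it can decide whether to talk to the server at all.
 * Build: cc -o ident ident.c */
#include <stdio.h>
#include <string.h>

struct ssh_ident {
    int proto_major;     /* 1 from "SSH-1.5-..." */
    int proto_minor;     /* 5 from "SSH-1.5-..." */
    char software[64];   /* vendor suffix, e.g. "OpenSSH-1.2.3" */
};

/* Fill *out from a banner line. Returns 0 on success, -1 if the line does not
 * start with "SSH-<major>.<minor>-"; a trailing CR/LF or comment is ignored. */
int parse_ssh_ident(const char *line, struct ssh_ident *out)
{
    memset(out, 0, sizeof(*out));
    if (sscanf(line, "SSH-%d.%d-%63[^ \r\n]", &out->proto_major,
               &out->proto_minor, out->software) != 3)
        return -1;
    if (out->proto_major < 1 || out->proto_minor < 0 || out->software[0] == '\0')
        return -1;
    return 0;
}

/* Protocol check a 1.x client performs before continuing.
 * ASSUMPTION for this example: minor versions 3, 5 and 99 count as SSH-1 capable. */
int speaks_ssh1(const struct ssh_ident *id)
{
    if (id->proto_major != 1)
        return 0;
    return id->proto_minor == 3 || id->proto_minor == 5 || id->proto_minor == 99;
}

/* Implementation name the peer advertises: the software field up to the first
 * '-' or '_', e.g. "OpenSSH" from "OpenSSH-1.2.3". This is what a client keys
 * bug/feature-compatibility on, which is why the suffix must not be faked. */
const char *software_vendor(const struct ssh_ident *id, char *buf, size_t buflen)
{
    size_t n = strcspn(id->software, "-_");

    if (n >= buflen)
        n = buflen - 1;
    memcpy(buf, id->software, n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed sample banners: three well-formed ones and the one from the quoted request. */
    const char *samples[] = {
        "SSH-1.5-OpenSSH-1.2.3",
        "SSH-1.99-OpenSSH-1.2.3",
        "SSH-1.5-ssh-1.2.27",
        "sshd (you can't have my version number)",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct ssh_ident id;
        char vendor[32];

        if (parse_ssh_ident(samples[i], &id) != 0) {
            printf("%-42s rejected: no SSH-<major>.<minor>- prefix\n", samples[i]);
            continue;
        }
        printf("%-42s proto %d.%-3d software %-16s vendor %-8s ssh1=%d\n",
               samples[i], id.proto_major, id.proto_minor, id.software,
               software_vendor(&id, vendor, sizeof(vendor)), speaks_ssh1(&id));
    }
    return 0;
}
```

A client that receives the free-form banner never gets past parse_ssh_ident(), which is the practical meaning of "the SSH-1.5 prefix is obligatory"; hiding the version therefore has to happen inside the software suffix, and doing so also removes the string that compatibility lookups depend on.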
From: mw at moni.msci.memphis.edu (Mate Wierdl) Date: Mon, 13 Mar 2000 09:44:30 -0600 Subject: A few more Solaris 7 bugs in 1.2.3pre2 In-Reply-To: <62.1a86f4f.25fdd8a8@aol.com> References: <62.1a86f4f.25fdd8a8@aol.com> Message-ID: <20000313094430.A25036@moni.msci.memphis.edu> On Mon, Mar 13, 2000 at 12:37:44AM -0500, Jay at aol.com wrote: > These are all in the port of 1.2.3pre2: > > - configure accepts --includedir, but doesn't seem to pass it on to the > Makefile. You have to edit the Makefile manually if you have include files > anywhere but /usr/include. Which is a problem because... > > - The Makefile doesn't include /usr/local/include by default, which is where > zlib installs itself by default. Probably oughta be in there. Same with > /usr/local/lib. If you install your gcc to the default directory /usr/local, I had a problem which might be related to this: while openssh compiles fine, when I try to run ssh as a nonprivileged user, it complains not being able to find zlib (libz.so). When I run ssh as root, all is well. This is on Solaris 2.6 (+ many patches of 2.7). > - The man pages don't format properly ("what nroff" gives roff: n1.c 2.13). > All the text runs together into one long paragraph. I am unfamiliar with > writing man and nroff, and my attempts to fix things just made it worse. I verify the above. Maybe we need to install groff? Mate --- Mate Wierdl | Dept. of Math. Sciences | University of Memphis From mw at moni.msci.memphis.edu Tue Mar 14 04:37:46 2000 
From: mw at moni.msci.memphis.edu (Mate Wierdl) Date: Mon, 13 Mar 2000 11:37:46 -0600 Subject: following your openssh footsteps In-Reply-To: <20000313154309.12363.qmail@web125.yahoomail.com> References: <20000313154309.12363.qmail@web125.yahoomail.com> Message-ID: <20000313113746.D25036@moni.msci.memphis.edu> On Mon, Mar 13, 2000 at 07:43:09AM -0800, jeet M wrote: > Mate, > I seem to be doing the same install you are for open > ssh on a solaris 7 box. I am getting the same error > you did when starting sshd (no RSA support in libssl > and libcrypto ...). I've installed zlib, > openssl-0.9.5 and egd-0.6, did the LDFLAGS and CFLAGS > declarations and configured --with-egd pointing to my > egd.pl file. I have not been able to make openssh work with openssl-0.9.5. I could make it work with openssl-0.9.4. But I *had* to install rsaref. I have to add that I do have /dev/random. Here is how I configured openssl: ======== ./config -d --prefix=/space/local --openssldir=/space/local/openssl \ --install_prefix="$RPM_BUILD_ROOT" \ rsaref then I ran make as make PEX_LIBS="-L. -L.. -L../.. -L../../.. -L/space/local/lib" openssh: ======== LDFLAGS="-L/space/local/lib" \ LIBS="-L/space/local/lib" \ CFLAGS="-I/space/local/include" \ LD=/usr/ccs/bin/ld ./configure --prefix=/space/local \ --with-tcp-wrappers \ --with-random="/dev/random" \ --sysconfdir=/space/local/etc/ssh \ --with-ipv4-default make Mate From mw at moni.msci.memphis.edu Tue Mar 14 04:46:54 2000 
From: mw at moni.msci.memphis.edu (Mate Wierdl) Date: Mon, 13 Mar 2000 11:46:54 -0600 Subject: A few more Solaris 7 bugs in 1.2.3pre2 In-Reply-To: References: <20000313094430.A25036@moni.msci.memphis.edu> Message-ID: <20000313114654.A27584@moni.msci.memphis.edu> On Mon, Mar 13, 2000 at 09:52:01AM -0600, Sean Aaron Lisse wrote: > > > - The Makefile doesn't include /usr/local/include by default, which is where > > > zlib installs itself by default. Probably oughta be in there. Same with > > > /usr/local/lib. If you install your gcc to the default directory /usr/local, > > I had a problem which might be related to this: while openssh compiles > > fine, when I try to run ssh as a nonprivileged user, it complains not > > being able to find zlib (libz.so). When I run ssh as root, all is > > well. > > Silly question: Have you checked the access permissions on the libraries > to make sure they are user-readable? > ls -l /space/local/lib/libz.* -rwxr-xr-x 1 root other 70488 Mar 10 17:26 /space/local/lib/libz.a lrwxrwxrwx 1 root other 13 Mar 10 17:31 /space/local/lib/libz.so -> libz.so.1.1.3 lrwxrwxrwx 1 root other 13 Mar 10 17:31 /space/local/lib/libz.so.1 -> libz.so.1.1.3 -rwxr-xr-x 1 root other 85600 Mar 10 17:26 /space/local/lib/libz.so.1.1.3 Thx -- --- Mate Wierdl | Dept. of Math. Sciences | University of Memphis From jeetm at yahoo.com Tue Mar 14 06:11:51 2000 
From: jeetm at yahoo.com (jeet M) Date: Mon, 13 Mar 2000 11:11:51 -0800 (PST) Subject: checking for OpenSSL/SSLeay directory..... Message-ID: <20000313191152.29509.qmail@web120.yahoomail.com> This is a request for a little more detailed information regarding the fix for the 1.2.2p1 on Solaris 7. Jay referenced missing quotes in the configure.in file, however I was unable to match his reference. I have installed openssl with rsa support in the /usr/local/ssl directory and set the LDFLAGS, LIBS and CFLAGS env variables before configuring (with egd pool option). I have also tried setting the with ssl dir option during configure, but it returned the same error. Thanks, Jeet __________________________________________________ Do You Yahoo!? Talk to your friends online with Yahoo! Messenger. http://im.yahoo.com From Jay at aol.com Tue Mar 14 06:16:57 2000 From: Jay at aol.com (Jay at aol.com) Date: Mon, 13 Mar 2000 14:16:57 EST Subject: checking for OpenSSL/SSLeay directory..... Message-ID: <11.1c98ce1.25fe98a9@aol.com> In a message dated 3/13/00 2:12:56 PM Eastern Standard Time, jeetm at yahoo.com writes: > This is a request for a little more detailed > information regarding the fix for the 1.2.2p1 on > Solaris 7. Jay referenced missing quotes in the > configure.in file, however I was unable to match his > reference. Those quotes were in a test statement that's new to 1.2.3pre2; it wasn't in 1.2.2p1. For 1.2.2p1, you need to go to the configure program and change any mention of "-L$ssldir" to "-L$ssldir/lib"; I believe there are two or three. If you haven't worked with configure before (I hadn't), note that you have to change configure itself - the .in file is used to create configure before the package is uploaded, but once it's on your system the .in is never used. Jay From Jay at aol.com Tue Mar 14 06:55:48 2000 
From: Jay at aol.com (Jay at aol.com) Date: Mon, 13 Mar 2000 14:55:48 EST Subject: A few more Solaris 7 bugs in 1.2.3pre2 Message-ID: <61.1f7a123.25fea1c4@aol.com> In a message dated 3/13/00 10:47:35 AM Eastern Standard Time, mw at moni.msci.memphis.edu writes: > I had a problem which might be related to this: while openssh compiles > fine, when I try to run ssh as a nonprivileged user, it complains not > being able to find zlib (libz.so). When I run ssh as root, all is > well. Is it possible something is in your LD_LIBRARY_PATH variable in root's .profile/.cshrc that isn't in your own? Also, try rebuilding while adding -L/usr/local/lib to the Makefile. Jay From mw at moni.msci.memphis.edu Tue Mar 14 06:54:24 2000 From: mw at moni.msci.memphis.edu (Mate Wierdl) Date: Mon, 13 Mar 2000 13:54:24 -0600 Subject: ssh works only as root Message-ID: <20000313135424.A32383@moni.msci.memphis.edu> On my solaris 2.6 box, I get ssh moni ld.so.1: ssh: fatal: libz.so: open failed: No such file or directory Killed while as root, I have no problem. Note that echo $LD_LIBRARY_PATH /space/local/lib:/usr/local/lib:/usr/openwin/lib:/usr/lib:/opt/x11r5/lib ls -l /space/local/lib/libz.* -rwxr-xr-x 1 wierdlm faculty 70488 Mar 10 17:26 /space/local/lib/libz.a -rwxr-xr-x 1 bin bin 85600 Mar 10 17:26 /space/local/lib/libz.so -rwxr-xr-x 1 bin bin 85600 Mar 10 17:26 /space/local/lib/libz.so.1 -rwxr-xr-x 1 bin bin 85600 Mar 10 17:26 /space/local/lib/libz.so.1.1.3 Also, when I run ssh as root as truss -e -o truss.out ssh moni I get grep libz truss.out open("/space/local/lib/libz.so", O_RDONLY) = 4 I do not know how to trace ssh when as nonroot though. I get truss -e -o truss.out ssh moni ld.so.1: ssh: fatal: libz.so: open failed: No such file or directory truss: cannot trace set-id or unreadable object file: /space/local/bin/ssh Any ideas? Thx Mate From mw at moni.msci.memphis.edu Tue Mar 14 07:16:01 2000 
From: mw at moni.msci.memphis.edu (Mate Wierdl) Date: Mon, 13 Mar 2000 14:16:01 -0600 Subject: A few more Solaris 7 bugs in 1.2.3pre2 In-Reply-To: <61.1f7a123.25fea1c4@aol.com> References: <61.1f7a123.25fea1c4@aol.com> Message-ID: <20000313141601.A1299@moni.msci.memphis.edu> On Mon, Mar 13, 2000 at 02:55:48PM -0500, Jay at aol.com wrote: > In a message dated 3/13/00 10:47:35 AM Eastern Standard Time, > mw at moni.msci.memphis.edu writes: > > > I had a problem which might be related to this: while openssh compiles > > fine, when I try to run ssh as a nonprivileged user, it complains not > > being able to find zlib (libz.so). When I run ssh as root, all is > > well. > > Is it possible something is in your LD_LIBRARY_PATH variable in root's > .profile/.cshrc that isn't in your own? > $ echo $LD_LIBRARY_PATH /space/local/lib:/usr/local/lib:/usr/openwin/lib:/usr/lib:/opt/x11r5/lib # echo $LD_LIBRARY_PATH /space/local/lib:/usr/local/lib:/usr/openwin/lib:/usr/lib:/opt/x11r5/lib Mate From bent at clark.net Tue Mar 14 07:17:34 2000 
From: bent at clark.net (Ben Taylor) Date: Mon, 13 Mar 2000 15:17:34 -0500 (EST) Subject: ssh works only as root In-Reply-To: <20000313135424.A32383@moni.msci.memphis.edu> Message-ID: On Mon, 13 Mar 2000, Mate Wierdl wrote: > On my solaris 2.6 box, I get > > ssh moni > ld.so.1: ssh: fatal: libz.so: open failed: No such file or directory > Killed what happens when you export your LD_LIBRARY_PATH? Is it the same as the one below? > while as root, I have no problem. Note that > > echo $LD_LIBRARY_PATH > /space/local/lib:/usr/local/lib:/usr/openwin/lib:/usr/lib:/opt/x11r5/lib To avoid LD_LIBRARY_PATH on Solaris, I always build my executables with LD_RUN_PATH= and -R (in your case). If for whatever reason you end up putting libraries elsewhere, then you can use LD_LIBRARY_PATH to make the binary work. > ls -l /space/local/lib/libz.* > -rwxr-xr-x 1 wierdlm faculty 70488 Mar 10 17:26 /space/local/lib/libz.a > -rwxr-xr-x 1 bin bin 85600 Mar 10 17:26 /space/local/lib/libz.so > -rwxr-xr-x 1 bin bin 85600 Mar 10 17:26 /space/local/lib/libz.so.1 > -rwxr-xr-x 1 bin bin 85600 Mar 10 17:26 /space/local/lib/libz.so.1.1.3 > > Also, when I run ssh as root as > > truss -e -o truss.out ssh moni > > I get > > grep libz truss.out > open("/space/local/lib/libz.so", O_RDONLY) = 4 > > I do not know how to trace ssh when as nonroot though. I get > > truss -e -o truss.out ssh moni > ld.so.1: ssh: fatal: libz.so: open failed: No such file or directory > truss: cannot trace set-id or unreadable object file: /space/local/bin/ssh > Any ideas? Add "env LDFLAGS='-R/space/local/lib'" to your configure line. I just built openssl-0.9.5 and openssh-1.2.2 and everything worked. (Solaris 7, x86, gcc-2.95.2) Ben From mw at moni.msci.memphis.edu Tue Mar 14 07:56:16 2000 
From: mw at moni.msci.memphis.edu (Mate Wierdl) Date: Mon, 13 Mar 2000 14:56:16 -0600 Subject: ssh works only as root In-Reply-To: References: <20000313135424.A32383@moni.msci.memphis.edu> Message-ID: <20000313145616.B1299@moni.msci.memphis.edu> On Mon, Mar 13, 2000 at 03:17:34PM -0500, Ben Taylor wrote: > Add "env LDFLAGS='-R/space/local/lib'" to your configure line. This is it, thx. All is well now. > > I just built openssl-0.9.5 and openssh-1.2.2 and everything worked. > (Solaris 7, x86, gcc-2.95.2) Right now, I have only openssh-1.2.2 on top of openssl-0.9.4, but I'll try now openssl-0.9.5. May I ask you for your pam config lines? (I guess, I have an older pam with a pam conf file, but that makes no difference I guess). Mate From mw at moni.msci.memphis.edu Tue Mar 14 08:19:03 2000 From: mw at moni.msci.memphis.edu (Mate Wierdl) Date: Mon, 13 Mar 2000 15:19:03 -0600 Subject: rsaref test Message-ID: <20000313151903.A2915@moni.msci.memphis.edu> Is it true that configure tests for the existence of librsaref.a, and if it finds it, it assumes that that rsaref is supposed to be used---*even if openssl was not built with rsaref support* ? Mate From peter at frontierflying.com Tue Mar 14 08:20:42 2000 
From: peter at frontierflying.com (peter at frontierflying.com) Date: Mon, 13 Mar 2000 12:20:42 -0900 (AKST) Subject: TEST RELEASE: openssh-1.2.3pre2 In-Reply-To: Message-ID: Under SuSE 6.0 configure ran with no complaints. Trying to compile however generated the following error: -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c -o clientloop.o clientloop.c gcc -o ssh ssh.o sshconnect.o log-client.o readconf.o clientloop.o -L. -L/usr/local/ssl/lib -lssh -lnsl -lz -lutil -lcrypto ./libssh.a(canohost.o): In function `get_remote_hostname': /usr/tmp/openssh-1.2.3pre2/canohost.c:52: undefined reference to `IN6_IS_ADDR_V4MAPPED' collect2: ld returned 1 exit status make: *** [ssh] Error 1 peter peter stern Frontier Flying Service Inc. Network Administrator 5245 Airport Industrial Rd 907-474-1739 x249 Fairbanks AK 99709 From mw at moni.msci.memphis.edu Tue Mar 14 09:16:10 2000 From: mw at moni.msci.memphis.edu (Mate Wierdl) Date: Mon, 13 Mar 2000 16:16:10 -0600 Subject: configure error Message-ID: <20000313161610.A3755@moni.msci.memphis.edu> Trying to run configure for 1.2.3pre2 on solaris, I get the error; checking for OpenSSL/SSLeay directory... ./configure: test: argument expected Thx Mate From Jay at aol.com Tue Mar 14 09:23:45 2000 From: Jay at aol.com (Jay at aol.com) Date: Mon, 13 Mar 2000 17:23:45 EST Subject: configure error Message-ID: In a message dated 3/13/00 5:16:15 PM Eastern Standard Time, mw at moni.msci.memphis.edu writes: > checking for OpenSSL/SSLeay directory... ./configure: test: argument > expected > Yes, this is the bug I was talking about the other day. Edit configure, on line 2008, and add quotes around the $RSAREF. From nalin at redhat.com Tue Mar 14 09:36:47 2000 
From: nalin at redhat.com (Nalin Dahyabhai) Date: Mon, 13 Mar 2000 17:36:47 -0500 Subject: rsaref test In-Reply-To: <20000313151903.A2915@moni.msci.memphis.edu>; from mw@wierdlmpc.msci.memphis.edu on Mon, Mar 13, 2000 at 03:19:03PM -0600 References: <20000313151903.A2915@moni.msci.memphis.edu> Message-ID: <20000313173647.A5438@devserv.devel.redhat.com> On Mon, Mar 13, 2000 at 03:19:03PM -0600, Mate Wierdl wrote: > Is it true that configure tests for the existence of librsaref.a, and > if it finds it, it assumes that that rsaref is supposed to be used---*even > if openssl was not built with rsaref support* ? My understanding of things is that OpenSSH doesn't care either way; the RSA routines are all accessed through OpenSSL's libcrypto. The only check OpenSSH's configure script makes is to see if librsaglue is installed, which signals that OpenSSL was built with rsaref. OpenSSH reports this, but except for that, has no use for the information. Nalin From djm at mindrot.org Tue Mar 14 10:03:58 2000 
From: djm at mindrot.org (Damien Miller) Date: Tue, 14 Mar 2000 10:03:58 +1100 (EST) Subject: TEST RELEASE: openssh-1.2.3pre2 In-Reply-To: Message-ID: On Mon, 13 Mar 2000 peter at frontierflying.com wrote: > Under SuSE 6.0 configure ran with no complaints. > > Trying to compile however generated the following error: > > -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H > -c -o clientloop.o clientloop.c > gcc -o ssh ssh.o sshconnect.o log-client.o readconf.o clientloop.o > -L. -L/usr/local/ssl/lib -lssh -lnsl -lz -lutil -lcrypto > ./libssh.a(canohost.o): In function `get_remote_hostname': > /usr/tmp/openssh-1.2.3pre2/canohost.c:52: undefined reference to > `IN6_IS_ADDR_V4MAPPED' > collect2: ld returned 1 exit status > make: *** [ssh] Error 1 Could you send me the output of: find /usr/include -type f -exec grep -l IN6_IS_ADDR_V4MAPPED {} \; Thanks, Damien -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From mw at moni.msci.memphis.edu Tue Mar 14 10:30:31 2000 From: mw at moni.msci.memphis.edu (Mate Wierdl) Date: Mon, 13 Mar 2000 17:30:31 -0600 Subject: pam_conf Message-ID: <20000313173031.A5234@moni.msci.memphis.edu> Could anybody suggest one for Solaris 2.6 and for sshd? Thx Mate From djm at mindrot.org Tue Mar 14 13:03:44 2000 
From: djm at mindrot.org (Damien Miller) Date: Tue, 14 Mar 2000 13:03:44 +1100 (EST) Subject: A few more Solaris 7 bugs in 1.2.3pre2 In-Reply-To: <62.1a86f4f.25fdd8a8@aol.com> Message-ID: On Mon, 13 Mar 2000 Jay at aol.com wrote: > These are all in the port of 1.2.3pre2: > > - configure accepts --includedir, but doesn't seem to pass it on to the > Makefile. You have to edit the Makefile manually if you have include files > anywhere but /usr/include. Which is a problem because... You can use CFLAGS="-I/path/to/includes" ./configure to work around this. > - The Makefile doesn't include /usr/local/include by default, which is where > zlib installs itself by default. Probably oughta be in there. Same with > /usr/local/lib. If you install your gcc to the default directory /usr/local, > gcc will include them automatically, but if your gcc is in, say, /usr/cygnus > it won't. I have added /usr/local/include and /usr/local/lib to the platform specific defines in configure for the next version. > - The Makefile DOES include /usr/include, however. Unfortunately, running > gcc on a Solaris box, you want to pick up varargs.h from (gcc-lib)/include, > not /usr/include, or else you'll get errors about __builtin_va_alist, which > Solaris cc provides but GNU does not. I put /usr/include as -idirafter > instead of -I, and it worked for me. Perhaps check for -idirafter as a > compiler option, and use it if available? Can you send me the exact flags that you used so I can include them? > - The man pages don't format properly ("what nroff" gives roff: n1.c 2.13). > All the text runs together into one long paragraph. I am unfamiliar with > writing man and nroff, and my attempts to fix things just made it worse. 
You can always use the preformatted manpages "./configure --with-catman=cat"

Thanks,
Damien

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Tue Mar 14 13:09:59 2000
From: djm at mindrot.org (Damien Miller)
Date: Tue, 14 Mar 2000 13:09:59 +1100 (EST)
Subject: ssh works only as root
In-Reply-To:
Message-ID:

On Mon, 13 Mar 2000, Ben Taylor wrote:

> > Any ideas?
>
> Add "env LDFLAGS='-R/space/local/lib'" to your configure line.

The 1.2.3pre snapshots should do this automagically. What LDFLAGS are
getting set in the Makefile?

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Tue Mar 14 13:13:01 2000
From: djm at mindrot.org (Damien Miller)
Date: Tue, 14 Mar 2000 13:13:01 +1100 (EST)
Subject: rsaref test
In-Reply-To: <20000313151903.A2915@moni.msci.memphis.edu>
Message-ID:

On Mon, 13 Mar 2000, Mate Wierdl wrote:

> Is it true that configure tests for the existence of librsaref.a, and
> if it finds it, it assumes that that rsaref is supposed to be used---*even
> if openssl was not built with rsaref support* ?

The 1.2.3pre2 snapshot configure tries to compile and execute a test
program. It tries first without RSAref and then with RSAref. It stops when
the test program compiles and executes.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Tue Mar 14 13:15:41 2000
From: djm at mindrot.org (Damien Miller)
Date: Tue, 14 Mar 2000 13:15:41 +1100 (EST)
Subject: configure error
In-Reply-To: <20000313161610.A3755@moni.msci.memphis.edu>
Message-ID:

On Mon, 13 Mar 2000, Mate Wierdl wrote:

> Trying to run configure for 1.2.3pre2 on solaris, I get the error;
>
> checking for OpenSSL/SSLeay directory... ./configure: test: argument
> expected

Replace

if test ! -z $WANTS_RSAREF ; then

With

if test ! -z "$WANTS_RSAREF" ; then

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Tue Mar 14 13:57:16 2000
From: djm at mindrot.org (Damien Miller)
Date: Tue, 14 Mar 2000 13:57:16 +1100 (EST)
Subject: pam_conf
In-Reply-To: <20000313173031.A5234@moni.msci.memphis.edu>
Message-ID:

On Mon, 13 Mar 2000, Mate Wierdl wrote:

> Could anybody suggest one for Solaris 2.6 and for sshd?

Please send it to the list so I can include it in the next release.

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From pucko at lysator.liu.se Tue Mar 14 14:31:20 2000
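The quoting fix from Damien's "configure error" reply above, shown as an added shell example (not code from the OpenSSH configure script): the unquoted test is word-split before test sees it, so an empty or multi-word WANTS_RSAREF hands test the wrong number of operands. All WANTS_RSAREF values used here are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the OpenSSH configure script. The unquoted
#   if test ! -z $WANTS_RSAREF ; then
# expands the variable before test sees it, so test receives the wrong
# number of operands (the Solaris /bin/sh in the report answers
# "test: argument expected"); the quoted form always passes exactly one.
# The WANTS_RSAREF values fed in below are constructed for this demo.

# The check as it stood in configure: $WANTS_RSAREF expands unquoted.
wants_rsaref_unquoted() {
    WANTS_RSAREF=$1
    test ! -z $WANTS_RSAREF 2>/dev/null
}

# The check with the fix applied: the expansion is quoted.
wants_rsaref_quoted() {
    WANTS_RSAREF=$1
    test ! -z "$WANTS_RSAREF" 2>/dev/null
}

# Run one variant on one value and classify what test did:
#   yes   - test succeeded, so configure would take the RSAref branch
#   no    - test failed cleanly (the value is empty)
#   error - test rejected its own argument list (exit status 2), the
#           failure class seen in the report above
describe() {
    func=$1
    value=$2
    "$func" "$value" && rc=0 || rc=$?
    case $rc in
        0) echo yes ;;
        1) echo no ;;
        *) echo error ;;
    esac
}

# The cases a configure run can hit: empty, a plain flag, and a value
# carrying several words (only the last one breaks on bash and dash;
# the empty one is what broke the Solaris shell in the report).
demo() {
    for value in '' 'yes' '-lRSAglue -lrsaref'; do
        printf '%-22s unquoted=%-5s quoted=%s\n' "[$value]" \
            "$(describe wants_rsaref_unquoted "$value")" \
            "$(describe wants_rsaref_quoted "$value")"
    done
}

demo
```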
From: pucko at lysator.liu.se (Magnus Holmberg)
Date: Tue, 14 Mar 2000 04:31:20 +0100 (CET)
Subject: SSH-Trouble
In-Reply-To:
Message-ID:

I have some trouble getting openssh to work with X11Forwarding. I have
installed it on 2 machines with exactly the same configfiles. If I use ssh
from machine B to machine A X11Forwarding works but from A to B
X11Forwarding only works when I ssh as root.

The error message I get is:

X11 connection rejected because of wrong authentication.
X connection to B:12.0 broken (explicit kill or server shutdown).

Here is the debug output from sshd:

[root at b202 /root]# sshd -d -p 2222
debug: sshd version OpenSSH-1.2.2
debug: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 192.168.0.1 port 1913
debug: Client protocol version 1.5; client software version OpenSSH-1.2.2
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Starting up PAM with username "pucko"
debug: Attempting authentication for pucko.
Failed rsa for pucko from 192.168.0.1 port 1913
debug: PAM Password authentication accepted for user "pucko"
Accepted password for pucko from 192.168.0.1 port 1913
debug: PAM setting rhost to "pucko.local"
debug: Allocating pty.
debug: Received request for X11 forwarding with auth spoofing.
debug: Socket family 10 not supported [X11 disp create]
debug: bind port 6010: Address alredy in use
debug: Socket family 10 not supported [X11 disp create]
debug: bind port 6011: Address already in use
debug: Socket family 10 not supported [X11 disp create]
debug: channel 0: new [X11 inet listener]
debug: Forking shell.
debug: PAM setting tty to "/dev/pts/2"
debug: PAM establishing creds
debug: Entering interactive session.
debug: Setting controlling tty using TIOCSCTTY.
debug: X11 connection requested.
debug: channel 1: new [X11 connection from B port 1031]
debug: Received channel open confirmation.
debug: Received channel close confirmation.
debug: channel 1: INPUT_OPEN -> INPUT_CLOSED [rvcd OCLOSE, send IEOF]
debug: channel 1: shutdown_read
debug: Received channel close.
debug: channel 1: OUTPUT_OPEN -> OUTPUT_WAIT_DRAIN [rvcd IEOF]
debug: channel 1: OUTPUT_WAIT_DRAIN -> OUTPUT_CLOSED [obuf empty, send OCLOSE]
debug: channel 1: shutdown_write
debug: channel 1: full closed

And when I login I get this:

Environment:
  USER=pucko
  LOGNAME=pucko
  HOME=/home/pucko
  PATH=/usr/bin:/bin:/usr/sbin:/sbin
  MAIL=/var/spool/mail/pucko
  SHELL=/bin/bash
  SSH_CLIENT=192.168.0.1 1913 2222
  SSH_TTY=/dev/pts/2
  TERM=xterm
  DISPLAY=B:12.0
  XAUTHORITY=/tmp/Xauthrl1311
Running /usr/X11R6/bin/xauth add B:12.0 MIT-MAGIC-COOKIE-1 298a198449785459dce1f9d8571604fe
[pucko at b202 pucko]$ rxvt
X11 connection rejected because of wrong authentication.
X connection to B:12.0 broken (explicit kill or server shutdown).

Can someone help me?

/M

From O.Stahl at lsw.uni-heidelberg.de Wed Mar 15 01:07:05 2000
From: O.Stahl at lsw.uni-heidelberg.de (Otmar Stahl)
Date: Tue, 14 Mar 2000 15:07:05 +0100
Subject: openssh-1.2.3pre2 on HP-UX
Message-ID: <20000314150705.A22098@fors.lsw.uni-heidelberg.de>

Hi,

I just did a test installation of openssh-1.2.3pre2 on a "trusted" HP-UX
system. Compilation went fine, but only after changing /usr/include to
/usr/local/include in Makefile. Without this change I got the following
error:

gcc -o ssh ssh.o sshconnect.o log-client.o readconf.o clientloop.o -L. -L/usr/local/ssl/lib -lssh -lz -lsec -lcrypto
/usr/ccs/bin/ld: Unsatisfied symbols:
   __builtin_va_start (code)
collect2: ld returned 1 exit status
*** Error exit code 1

Everything seems to work ok now, but I am still getting errors in the syslog
of the form:

... sshd[26178]: error: ioctl I_PUSH ttcompat: Invalid argument

Regards,

Otmar Stahl

From matsf at init.se Wed Mar 15 02:16:36 2000
From: matsf at init.se (matsf at init.se)
Date: Tue, 14 Mar 2000 16:16:36 +0100 (MET)
Subject: Problems compiling 1.2.2 on HP-UX 10.20
Message-ID: <200003141516.QAA07982@miranda.init.se>

Hi,

I'm trying to compile OpenSSH-1.2.2 on HP-UX 10.20 but immediately fall
into the problem pit..

I've got gcc v2.8.1 and the first error is something like:

defines.h:93: parse error before `u_int64_t`

I got around this by uncommenting (guessing) line 118 in config.h:

#define HAVE_UINTXX_T 1

But then I got another error when trying to compile sshd.c, I get an error
message like:

sshd.c:2408: 'MAIL_DIRECTORY' undeclared

Are there known problems compiling on HP-UX 10.20 ?

TIA,
Mats (not subscribed to this alias)

-----------------------------------------------------
This mail sent through IMP: http://web.horde.org/imp/

From j.gritsch at gmx.at Wed Mar 15 02:59:02 2000
From: j.gritsch at gmx.at (Johannes Gritsch)
Date: Tue, 14 Mar 2000 16:59:02 +0100 (MET)
Subject: Config problem Solaris 2.7
Message-ID: <12400.953049542@www4.gmx.net>

Hi all!

I think I uncovered a kind of bug in the configuration file, but it may be
related to my specific configuration. Anyway, I tried to install the latest
version on our Sun Sparc, running Solaris 2.7 with gcc 2.8.1. I ran
configure with --with-egd-pool --prefix=/usr/local. When I finally started
make, gcc failed with some strange error message (see attachment). When I
tried to track down that error I found the following in my Makefile:

...
CFLAGS=-g -O2 -I/usr/local/include -I/usr/include -I/usr/local/openssl/include -I/usr/lib/openssl/include -I/usr/local/ssl/include -I/usr/local/ssl/include $(PATHS) -DHAVE_CONFIG_H
...

The problem seems to be "-I/usr/include". IMHO a rather redundant entry, but
after removing it, openssh compiled beautifully. I have no idea behind the
intention of including those standard files, maybe they are needed in
machines running both cc and gcc.

At least in Solaris 2.7 with gcc only it's necessary to suppress that entry
in Makefile.

best wishes
Hannes

--
Johannes Gritsch
Unix Consultant
Windschnur, Austria

Sent through GMX FreeMail - http://www.gmx.net

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: errlog
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000314/52bf84ad/attachment.ksh

From Jay at aol.com Wed Mar 15 03:19:11 2000
From: Jay at aol.com (Jay at aol.com)
Date: Tue, 14 Mar 2000 11:19:11 EST
Subject: Config problem Solaris 2.7
Message-ID:

In a message dated 3/14/00 11:00:33 AM Eastern Standard Time, j.gritsch at gmx.at writes:

> The problem seems to be "-I/usr/include". IMHO a rather redundant entry,
> but
> after removing it, openssh compiled beautifully. I have no idea behind the
> intention of including those standard files, maybe they are needed in
> machines running both cc and gcc.
>
> At least in Solaris 2.7 with gcc only it's necessary to suppress that
> entry in Makefile.

I believe Damien's already making this fix for the next rev. I'm not sure
why /usr/include needs to be there either, but assuming some people do need
it, putting it as -idirafter instead of -I should fix the problem for all
(assuming that -idirafter is accepted by many compilers..)

Jay

From kriss at fnal.gov Wed Mar 15 08:45:53 2000
From: kriss at fnal.gov (Michael Kriss)
Date: Tue, 14 Mar 2000 15:45:53 -0600 (CST)
Subject: tar distribution question
Message-ID:

Hi,

Perhaps I've done something wrong... Today I went to www.openssh.com and
downloaded the ftp file from the Canadian site, gunzipped and extracted the
tar file and found:

- No configure script
- No INSTALL file
- A BSDish makefile that won't compile under linux

INSTALL and configure are in the CVS attic.

What am I doing wrong?

michael

From mouring at pconline.com Wed Mar 15 08:48:58 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Tue, 14 Mar 2000 15:48:58 -0600 (CST)
Subject: tar distribution question
In-Reply-To:
Message-ID:

You more than likely downloaded the OpenBSD version.

http://violet.ibs.com.au/openssh/

Is the site that has the more portable version of OpenSSH.

On Tue, 14 Mar 2000, Michael Kriss wrote:

>
> Hi,
>
> Perhaps I've done something wrong... Today I went to www.openssh.com and
> downloaded the ftp file from the Canadian site, gunzipped and extracted the tar
> file and found:
>
> - No configure script
> - No INSTALL file
> - A BSDish makefile that won't compile under linux
>
> INSTALL and configure are in the CVS attic.
>
> What am I doing wrong?
>
> michael
>
>

From kriss at fnal.gov Wed Mar 15 09:04:24 2000
From: kriss at fnal.gov (Michael Kriss)
Date: Tue, 14 Mar 2000 16:04:24 -0600 (CST)
Subject: tar distribution question
In-Reply-To:
Message-ID:

On Tue, 14 Mar 2000, Ben Lindstrom wrote:

> You more than likely downloaded the OpenBSD version.
>
> http://violet.ibs.com.au/openssh/
>
> Is the site that has the more portable version of OpenSSH.

Doh! I see the link now to 'Linux, Solaris, AIX, IRIX, HP/UX'. Is it
Friday yet?

michael

>
> On Tue, 14 Mar 2000, Michael Kriss wrote:
>
>>
>> Hi,
>>
>> Perhaps I've done something wrong... Today I went to www.openssh.com and
>> downloaded the ftp file from the Canadian site, gunzipped and extracted the tar
>> file and found:
>>
>> - No configure script
>> - No INSTALL file
>> - A BSDish makefile that won't compile under linux
>>
>> INSTALL and configure are in the CVS attic.
>>
>> What am I doing wrong?
>>
>> michael
>>
>>

From djm at mindrot.org Wed Mar 15 09:46:26 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 15 Mar 2000 09:46:26 +1100 (EST)
Subject: openssh-1.2.3pre2 on HP-UX
In-Reply-To: <20000314150705.A22098@fors.lsw.uni-heidelberg.de>
Message-ID:

On Tue, 14 Mar 2000, Otmar Stahl wrote:

> Hi,
>
> I just did a test installation of openssh-1.2.3pre2 on a "trusted" HP-UX
> system. Compilation went fine, but only after changing /usr/include to
> /usr/local/include in Makefile. Without this change I got the following
> error:

What was the exact change you made? A few people have had similar
problems and I would like to nail it down.

> Everything seems to work ok now, but I am still getting errors in the syslog
> of the form:
>
> ... sshd[26178]: error: ioctl I_PUSH ttcompat: Invalid argument

Does HP/UX have /dev/ptmx but lack an openpty() function?

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Wed Mar 15 09:49:47 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 15 Mar 2000 09:49:47 +1100 (EST)
Subject: Problems compiling 1.2.2 on HP-UX 10.20
In-Reply-To: <200003141516.QAA07982@miranda.init.se>
Message-ID:

On Tue, 14 Mar 2000 matsf at init.se wrote:

> Hi,
> I'm trying to compile OpenSSH-1.2.2 on HP-UX 10.20 but
> immediately fall into the problem pit..
>
> I've got gcc v2.8.1 and the first error is something
> like:
>
> defines.h:93: parse error before `u_int64_t`

The definition for uint64_t is not being found. Could you grep for it in
/usr/include?

> But then I got another error when trying to compile
> sshd.c, I get an error message like:
>
> sshd.c:2408: 'MAIL_DIRECTORY' undeclared

You can specify it manually using:

MAIL="/path/to/mail" ./configure

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Wed Mar 15 10:02:27 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 15 Mar 2000 10:02:27 +1100 (EST)
Subject: Config problem Solaris 2.7
In-Reply-To: <12400.953049542@www4.gmx.net>
Message-ID:

On Tue, 14 Mar 2000, Johannes Gritsch wrote:

> The problem seems to be "-I/usr/include". IMHO a rather redundant entry,
> but
> after removing it, openssh compiled beautifully. I have no idea behind the
> intention of including those standard files, maybe they are needed in
> machines running both cc and gcc.

I think I have found the source of this bug - the search for OpenSSL wasn't
correctly restoring the original CFLAGS. This change will be part of
1.2.3pre3 which will be released very shortly. Could you please give it a
go and report back?

Thanks,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Wed Mar 15 12:17:04 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 15 Mar 2000 12:17:04 +1100 (EST)
Subject: small bug in ssh-copy-id
In-Reply-To: <87hfeo4dxx.fsf@sheikh.hands.com>
Message-ID:

On 3 Mar 2000, Philip Hands wrote:

> It's a script I knocked up and included in the Debian package. It's
> been included in the Debian patches that I've submitted to Damien for
> several releases, but he either didn't like it or didn't notice.

Neither actually - I saw it, liked it and let it slip my mind. Sorry.

Anyway, it is now in a contrib/ subdirectory with a few other patches
and goodies.

Thanks,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Wed Mar 15 14:57:28 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 15 Mar 2000 14:57:28 +1100 (EST)
Subject: TEST RELEASE: 1.2.3pre3
Message-ID:

A new test release of OpenSSH-1.2.3 is now available at

http://violet.ibs.com.au/openssh/files/test/

This release should fix the problems reported with the previous test
release over the last few days. Please give it a try and report back.

-d

Changelog:

20000315
 - Fix broken CFLAGS handling during search for OpenSSL. Fixes va_list
   problems with gcc/Solaris.
 - Don't free argument to putenv() after use (in setenv() replacement).
   Report from Seigo Tanimura
 - Created contrib/ subdirectory. Included helpers from Phil Hands'
   Debian package, README file and chroot patch from Ricardo Cerqueira
 - Moved gnome-ssh-askpass.c to contrib directory and removed config
   option.
 - Slight cleanup to doc files

20000314
 - Include macro for IN6_IS_ADDR_V4MAPPED. Report from
   peter at frontierflying.com
 - Include /usr/local/include and /usr/local/lib for systems that don't
   do it themselves
 - -R/usr/local/lib for Solaris
 - Fix RSAref detection
 - Fix IN6_IS_ADDR_V4MAPPED macro

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From jlcooke at jlcooke.net Wed Mar 15 15:06:44 2000
From: jlcooke at jlcooke.net (Jean-Luc Cooke)
Date: Tue, 14 Mar 2000 23:06:44 -0500
Subject: CAST5 encryption
Message-ID: <38CF0C54.9D06E1CD@jlcooke.net>

Hello all,

I was wondering if CAST5 encryption is currently being added to openssh?
It's a stellar block cipher. No one's found any weaknesses in it yet and
it's free for non profit use.

TTYL
JLC

--
#!/bin/perl -sp0777i

Message-ID:

On Tue, 14 Mar 2000, Jean-Luc Cooke wrote:

> Hello all,
>
> I was wondering if CAST5 encryption is currently being added to
> openssh? It's a stellar block cipher. No one's found any weaknesses
> in it yet and it's free for non profit use.

I am not aware of any plans to add ciphers. What benefit would CAST5 give
over 3DES (excellent security but slow) or Blowfish (fast)?

A couple of other things constrain us as well: we don't want to have to
change the SSH protocol and we would prefer support for any new ciphers in
OpenSSL first.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From mhw at wittsend.com Wed Mar 15 15:20:48 2000
From: mhw at wittsend.com (Michael H. Warfield)
Date: Tue, 14 Mar 2000 23:20:48 -0500
Subject: CAST5 encryption
In-Reply-To: <38CF0C54.9D06E1CD@jlcooke.net>; from jlcooke@jlcooke.net on Tue, Mar 14, 2000 at 11:06:44PM -0500
References: <38CF0C54.9D06E1CD@jlcooke.net>
Message-ID: <20000314232048.A15481@alcove.wittsend.com>

On Tue, Mar 14, 2000 at 11:06:44PM -0500, Jean-Luc Cooke wrote:
> Hello all,

> I was wondering if CAST5 encryption is currently being added to
> openssh? It's a stellar block cipher. No one's found any weaknesses
> in it yet and it's free for non profit use.
                        ^^^^^^^^^^^^^^^^^^

	I think you just shot yourself in the ass.

	They've been really restrictive about no encumbered algorithms
(like RSA) and you've just said this was encumbered for commercial use.

> TTYL
> JLC
> --
> #!/bin/perl -sp0777i
> $/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
> lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)
> -
> I'm an international arms trafficker
> Explained: http://jlcooke.net/perlrsa

	Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

From djm at mindrot.org Wed Mar 15 18:16:35 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 15 Mar 2000 18:16:35 +1100 (EST)
Subject: CAST5 encryption
In-Reply-To: <20000314232048.A15481@alcove.wittsend.com>
Message-ID:

On Tue, 14 Mar 2000, Michael H. Warfield wrote:

> On Tue, Mar 14, 2000 at 11:06:44PM -0500, Jean-Luc Cooke wrote:
> > Hello all,
>
> > I was wondering if CAST5 encryption is currently being added to
> > openssh? It's a stellar block cipher. No one's found any weaknesses
> > in it yet and it's free for non profit use.
>                         ^^^^^^^^^^^^^^^^^^
> 	I think you just shot yourself in the ass.
>
> 	They've been really restrictive about no encumbered algorithms
> (like RSA) and you've just said this was encumbered for commercial use.

Ahhh, no. OpenSSH _depends_ on RSA, it is a real thorn in our sides :(

Fortunately the RSA patent expires on Sept 20th this year.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From dghespri at sprintparanet.com Thu Mar 16 02:33:20 2000
From: dghespri at sprintparanet.com (David G. Hesprich)
Date: Wed, 15 Mar 2000 10:33:20 -0500
Subject: TEST RELEASE: 1.2.3pre3
References:
Message-ID: <00d201bf8e93$cbfdae40$1500a8c0@alex1.va.home.com>

I had to change the LDFLAGS to get this release to work on my Solaris 2.7
box:

removed "-L/usr/ucblib", "-R/usr/ucblib", "-L/usr/local/ssl" and
"-R/usr/local/ssl" (not necessary to get sshd to run, they're just
superfluous).

added "-L/usr/local/lib" and "-R/usr/local/lib" (to get rid of the can't
find zlib problem when starting sshd from a default environment where
LD_LIBRARY_PATH isn't set - my zlib is in /usr/local/lib).

-David Hesprich

+------------------------------------+---------------------------------------+
| David G. Hesprich, CISSP, TIP #245 | "You have created a new world among   |
| darkgrue at iname.com               | the three of you. I congratulate      |
| http://www.gue-tech.org/darkgrue/  | you. Happy goldfish bowl to you, to   |
|                                    | me, to everyone, and may each of you  |
| It is dark. You might be eaten by  | fry in hell forever. Arrest           |
| a grue.                            | rescinded." - Asimov, "The Dead Past" |
+------------------------------------+---------------------------------------+

From mw at moni.msci.memphis.edu Thu Mar 16 03:29:00 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Wed, 15 Mar 2000 10:29:00 -0600
Subject: scp problem
Message-ID: <20000315102900.A32271@moni.msci.memphis.edu>

On the box moni, I have

rpm -q openssh
openssh-1.2.1pre25-1us

on the box karadi, I have

rpm -q openssh
openssh-1.2.3pre2-2

On moni, I do/get:

scp "wierdlm at karadi:11Lecture/lecture.tex" .
wierdlm at karadi.msci.memphis.edu's password:
bash: scp: command not found

What can be wrong? Do I have to specify the remote path to scp? (It is in
$PATH for wierdlm at karadi:

ssh wierdlm at karadi
wierdlm at karadi.msci.memphis.edu's password:
Last login: Wed Mar 15 10:08:50 2000 from wierdlmpc.msci.m
Sun Microsystems Inc.   SunOS 5.6       Generic August 1997
$ which scp
/space/local/bin/scp

Here is the debug version of the scp session:

scp -v "wierdlm at karadi:11Lecture/lecture.tex" .
Executing: host karadi, user wierdlm, command scp -v -f 11Lecture/lecture.tex
SSH Version OpenSSH-1.2.1, protocol version 1.5.
Compiled with SSL (RSAref version).
debug: Reading configuration data /etc/ssh/ssh_config
debug: ssh_connect: getuid 500 geteuid 0 anon 0
debug: Connecting to karadi.msci.memphis.edu [141.225.11.110] port 22.
debug: Allocated local port 1021.
debug: Connection established.
debug: Remote protocol version 1.5, remote software version OpenSSH-1.2.3
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'karadi.msci.memphis.edu' is known and matches the host key.
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying RSA authentication with key 'mw at moni.msci.memphis.edu'
debug: Server refused our key.
debug: Doing password authentication.
wierdlm at karadi.msci.memphis.edu's password:
debug: Sending command: scp -v -f 11Lecture/lecture.tex
debug: Entering interactive session.
bash: scp: command not found
debug: Transferred: stdin 1, stdout 29, stderr 0 bytes in 0.1 seconds
debug: Bytes per second: stdin 14.3, stdout 414.2, stderr 0.0
debug: Exit status 127

All is working well when I try to copy from karadi to moni:

scp mw at moni:install.html .
mw at moni's password:
install.html         100% |********************************|  3397       00:00 ETA

or in debug mode:

scp mw at moni:install.html .
mw at moni's password:
install.html         100% |********************************|  3397       00:00 ETA
wierdlm at karadi: ~ $ scp -v mw at moni:install.html .
Executing: host moni, user mw, command scp -v -f install.html
SSH Version OpenSSH-1.2.3, protocol version 1.5.
Compiled with SSL.
debug: Reading configuration data /space/local/etc/ssh/ssh_config
debug: ssh_connect: getuid 863 geteuid 0 anon 0
debug: Connecting to moni [141.225.11.87] port 22.
debug: Allocated local port 976.
debug: Connection established.
debug: Remote protocol version 1.5, remote software version OpenSSH-1.2.1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'moni' is known and matches the host key.
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Doing password authentication.
mw at moni's password:
debug: Sending command: scp -v -f install.html
debug: Entering interactive session.
Sending file modes: C0664 3397 install.html
install.html         100% |********************************|  3397       00:00 ETA
debug: Transferred: stdin 3, stdout 3466, stderr 0 bytes in 0.2 seconds
debug: Bytes per second: stdin 17.7, stdout 20423.1, stderr 0.0
debug: Exit status 0

Thx,

Mate

From mw at moni.msci.memphis.edu Thu Mar 16 04:17:27 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Wed, 15 Mar 2000 11:17:27 -0600
Subject: ssh works only as root
In-Reply-To:
References: <20000314131719.A32007@moni.msci.memphis.edu>
Message-ID: <20000315111727.C444@moni.msci.memphis.edu>

On Wed, Mar 15, 2000 at 07:13:33PM +1100, Damien Miller wrote:
> On Tue, 14 Mar 2000, Mate Wierdl wrote:
>
> > This must be the problem: while I specify
>
> [snip]
>
> > This is on Solaris 2.6
>
> Could you try the 1.2.3pre3 snapshot? it should set most of the
> -R flags automatically.
>
> > One more remark: configure does not seem to understand the LD
> > variable (to specify the ld program to use). Since apparently the
> > most recent GNU ld does not work well on Solaris (it is on the egcs
> > webpage), perhaps it may be worth making configure LD aware.
>
> Refresh my memory - why do you need to use a different ld?

I am not sure I understand the question. On our system, the sysadm
installed gcc so that it uses the gnu linker. But one can read at

http://gcc.gnu.org/install/specific.html#sparc-sun-solaris*

that

================================
sparc-sun-solaris*

binutils 2.9.1 has known bugs on this platform. We recommend to use the
vendor tools (Sun as, Sun ld) until these have been fixed.

Unfortunately, C++ shared libraries, including libstdc++, won't work
properly if assembled with Sun as: the linker will complain about
relocations in read-only sections, in the definition of virtual tables.
Some possible work-arounds: use some development release of binutils, wait
for the next stable binutils release or refrain from creating C++ shared
libraries.
===============================

For example, the program RPM's configure exits with an error if it finds
that the gnu linker is used.

Mate

From mw at moni.msci.memphis.edu Thu Mar 16 04:55:45 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Wed, 15 Mar 2000 11:55:45 -0600
Subject: TEST RELEASE: 1.2.3pre3
In-Reply-To: <00d201bf8e93$cbfdae40$1500a8c0@alex1.va.home.com>
References: <00d201bf8e93$cbfdae40$1500a8c0@alex1.va.home.com>
Message-ID: <20000315115545.A1077@moni.msci.memphis.edu>

On Wed, Mar 15, 2000 at 10:33:20AM -0500, David G. Hesprich wrote:
> I had to change the LDFLAGS to get this release to work on my Solaris 2.7
> box:
>
> removed "-L/usr/ucblib", "-R/usr/ucblib", "-L/usr/local/ssl" and
> "-R/usr/local/ssl" (not necessary to get sshd to run, they're just
> superfluous).

I do wonder about the inclusion of /usr/ucblib in the first place: even if
gcc is used (probably because the native compiler package is probably not
installed), /usr/ucblib is included. Unless the SPROcc package is
installed, `man cc' shows:

NAME
     cc - C compiler

SYNOPSIS
     /usr/ucb/cc [ options ]

DESCRIPTION
     /usr/ucb/cc is the interface to the BSD Compatibility Package
     C compiler. It is a script that looks for the link
     /usr/ccs/bin/ucbcc to the C compiler. /usr/ccs/bin/ucbcc is
     available only with the SPROcc package, whose default location
     is /opt/SUNWspro. /usr/ucb/cc is identical to
     /usr/ccs/bin/ucbcc, except that BSD headers are used and BSD
     libraries are linked before base libraries. The
     /opt/SUNWspro/man/man1/acc.1 man page is available only with
     the SPROcc package.
[...]

My feeling is that /usr/ucb* stuff may not be used unless the native sun
compiler is to be used. Could be wrong here though, since I am just
temporarily tinkering with solaris to put openssh and rpm on.

Mate

From mw at moni.msci.memphis.edu Thu Mar 16 06:11:14 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Wed, 15 Mar 2000 13:11:14 -0600
Subject: TEST RELEASE: 1.2.3pre3
In-Reply-To: <00d201bf8e93$cbfdae40$1500a8c0@alex1.va.home.com>
References: <00d201bf8e93$cbfdae40$1500a8c0@alex1.va.home.com>
Message-ID: <20000315131114.A1893@moni.msci.memphis.edu>

On Wed, Mar 15, 2000 at 10:33:20AM -0500, David G. Hesprich wrote:
> I had to change the LDFLAGS to get this release to work on my Solaris 2.7
> box:
>
> removed "-L/usr/ucblib", "-R/usr/ucblib", "-L/usr/local/ssl" and
> "-R/usr/local/ssl" (not necessary to get sshd to run, they're just
> superfluous).
>
> added "-L/usr/local/lib" and "-R/usr/local/lib" (to get rid of the can't
> find zlib problem when starting sshd from a default environment where
> LD_LIBRARY_PATH isn't set - my zlib is in /usr/local/lib).
>

In my case, I do have zlib in /usr/local/lib, and

echo $LD_LIBRARY_PATH
/space/local/lib:/usr/local/lib:/usr/openwin/lib:/usr/lib:/opt/x11r5/lib

Nevertheless, LDFLAGS="-L/usr/local/lib -R/usr/local/lib" is not enough.
Indeed, I tried

export LD_RUN_PATH=$LD_LIBRARY_PATH
LDFLAGS="-L/usr/local/lib -R/usr/local/lib" \
./configure --prefix=/space/local

but I still have

ssh mw at moni
ld.so.1: ssh: fatal: libz.so: open failed: No such file or directory
Killed

I think this is because in the Makefile, I still see

LDFLAGS=-L. -L/usr/ucblib -R/usr/ucblib -L/space/local/lib -L/space/local -R/space/local/lib -R/space/local

so no /usr/local anywhere.

I'd like to add that the only way I could make ssh work was to move zlib to
/space/local/lib. Alternatively, all worked if I did

./configure --prefix=/space/local
make LDFLAGS="-L. -L/space/local/lib -R/space/local/lib -L/usr/local/lib -R/usr/local/lib"

Perhaps configure could detect this problem of ssh not finding zlib---I see
the problem *only* after compiling, and then trying to run ssh.

Mate

From mw at moni.msci.memphis.edu Thu Mar 16 06:26:31 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Wed, 15 Mar 2000 13:26:31 -0600
Subject: TEST RELEASE: 1.2.3pre3
In-Reply-To: <01fd01bf8eb3$b230dc60$1500a8c0@alex1.va.home.com>
References: <00d201bf8e93$cbfdae40$1500a8c0@alex1.va.home.com> <20000315131114.A1893@moni.msci.memphis.edu> <01fd01bf8eb3$b230dc60$1500a8c0@alex1.va.home.com>
Message-ID: <20000315132631.C1893@moni.msci.memphis.edu>

On Wed, Mar 15, 2000 at 02:21:41PM -0500, Dark Grue wrote:
>
> > I think this is because in the Makefile, I still see
> >
> > LDFLAGS=-L. -L/usr/ucblib -R/usr/ucblib -L/space/local/lib
> > -L/space/local -R/space/local/lib -R/space/local
> >
> > so no /usr/local anywhere.
>
> Sorry, I should have been less obtuse. The changes I mentioned that I made
> (adding and removing -L and -R flags) I made to the Makefile after running
> configure with the appropriate input vectors. I found it easier to make the
> change there, rather than try and induce the behavior by setting environment
> variables and such.

Nevertheless, I thought configure needs to propagate LDFLAGS to the
Makefile. Apparently, it does not.

Mate

From jmknoble at pobox.com Thu Mar 16 07:36:46 2000
From: jmknoble at pobox.com (Jim Knoble)
Date: Wed, 15 Mar 2000 15:36:46 -0500
Subject: scp problem
In-Reply-To: <20000315102900.A32271@moni.msci.memphis.edu>; from Mate Wierdl on Wed, Mar 15, 2000 at 10:29:00AM -0600
References: <20000315102900.A32271@moni.msci.memphis.edu>
Message-ID: <20000315153646.C20242@ntrnet.net>

You should configure openssh with `--with-default-path=...' on karadi.

--
jim knoble
jmknoble at pobox.com

On 2000-Mar-15 at 10:29:00 -0600, Mate Wierdl wrote:
: On the box moni, I have
:
: rpm -q openssh
: openssh-1.2.1pre25-1us
:
: on the box karadi, I have
:
: rpm -q openssh
: openssh-1.2.3pre2-2
:
: On moni, I do/get:
:
: scp "wierdlm at karadi:11Lecture/lecture.tex" .
: wierdlm at karadi.msci.memphis.edu's password:
: bash: scp: command not found
:
: What can be wrong? Do I have to specify the remote path to scp? (It
: is in $PATH for wierdlm at karadi:
:
: ssh wierdlm at karadi
: wierdlm at karadi.msci.memphis.edu's password:
: Last login: Wed Mar 15 10:08:50 2000 from wierdlmpc.msci.m
: Sun Microsystems Inc. SunOS 5.6 Generic August 1997
: $ which scp
: /space/local/bin/scp

From: djm at mindrot.org (Damien Miller)
Date: Thu, 16 Mar 2000 07:49:57 +1100 (EST)
Subject: TEST RELEASE: 1.2.3pre3
In-Reply-To: <00d201bf8e93$cbfdae40$1500a8c0@alex1.va.home.com>
Message-ID:

On Wed, 15 Mar 2000, David G. Hesprich wrote:
> I had to change the LDFLAGS to get this release to work on my Solaris 2.7
> box:
>
> removed "-L/usr/ucblib", "-R/usr/ucblib", "-L/usr/local/ssl" and
> "-R/usr/local/ssl" (not necessary to get sshd to run, they're just
> superfluous).
>
> added "-L/usr/local/lib" and "-R/usr/local/lib" (to get rid of the can't
> find zlib problem when starting sshd from a default environment where
> LD_LIBRARY_PATH isn't set - my zlib is in /usr/local/lib).

Found the problem: on line 1196 of configure change

  LDFLAGS="-L/usr/ucblib -R/usr/ucblib"

to

  LDFLAGS="$LDFLAGS -L/usr/ucblib -R/usr/ucblib"

Tell me if it works.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From: djm at mindrot.org (Damien Miller)
Date: Thu, 16 Mar 2000 07:54:55 +1100 (EST)
Subject: scp problem
In-Reply-To: <20000315102900.A32271@moni.msci.memphis.edu>
Message-ID:

On Wed, 15 Mar 2000, Mate Wierdl wrote:
> On the box moni, I have
>
> rpm -q openssh
> openssh-1.2.1pre25-1us
>
> on the box karadi, I have
>
> rpm -q openssh
> openssh-1.2.3pre2-2
>
> On moni, I do/get:
>
> scp "wierdlm at karadi:11Lecture/lecture.tex" .
> wierdlm at karadi.msci.memphis.edu's password:
> bash: scp: command not found

You might have to use the --with-default-path option to specify the path to scp.

-d

From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Wed, 15 Mar 2000 15:33:56 -0600
Subject: scp problem
In-Reply-To:
References: <20000315102900.A32271@moni.msci.memphis.edu>
Message-ID: <20000315153356.A5568@moni.msci.memphis.edu>

On Thu, Mar 16, 2000 at 07:54:55AM +1100, Damien Miller wrote:
> On Wed, 15 Mar 2000, Mate Wierdl wrote:
>
> > On the box moni, I have
> >
> > rpm -q openssh
> > openssh-1.2.1pre25-1us
> >
> > on the box karadi, I have
> >
> > rpm -q openssh
> > openssh-1.2.3pre2-2
> >
> > On moni, I do/get:
> >
> > scp "wierdlm at karadi:11Lecture/lecture.tex" .
> > wierdlm at karadi.msci.memphis.edu's password:
> > bash: scp: command not found
>
> You might have to use the --with-default-path option to specify the
> path to scp.

So it is not set to $prefix/bin automatically? What is it set to then?

Thx

Mate

From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Wed, 15 Mar 2000 15:35:40 -0600
Subject: scp problem
In-Reply-To:
References: <20000315102900.A32271@moni.msci.memphis.edu>
Message-ID: <20000315153540.B5568@moni.msci.memphis.edu>

On Thu, Mar 16, 2000 at 07:54:55AM +1100, Damien Miller wrote:
> On Wed, 15 Mar 2000, Mate Wierdl wrote:
>
> > On the box moni, I have
> >
> > rpm -q openssh
> > openssh-1.2.1pre25-1us
> >
> > on the box karadi, I have
> >
> > rpm -q openssh
> > openssh-1.2.3pre2-2
> >
> > On moni, I do/get:
> >
> > scp "wierdlm at karadi:11Lecture/lecture.tex" .
> > wierdlm at karadi.msci.memphis.edu's password:
> > bash: scp: command not found
>
> You might have to use the --with-default-path option to specify the
> path to scp.

Is it unsafe to make it settable in the sshd conf file? Or perhaps give an option to scp that could specify it (as -p to rdist).

Thx

Mate

From: Jay at aol.com (Jay at aol.com)
Date: Wed, 15 Mar 2000 16:44:42 EST
Subject: 1.2.3pre2 works great on Solaris 2.7 except man
Message-ID: <4a.2d0995d.26015e4a@aol.com>

Right out of the box (after I made Damien's LDFLAGS fix in configure) using gcc-2.95.2. The only problem I have now is the man pages. I still can't read them using Solaris nroff, and when I tried to build with --with-catman=cat, I got the following during a make install:

  /rtr/bin/install -c -m 644 ssh.[01].out /usr/local/man/cat1/ssh.1
  Try `/rtr/bin/install --help' for more information.

From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Wed, 15 Mar 2000 16:06:35 -0600
Subject: scp problem
In-Reply-To:
References: <20000315102900.A32271@moni.msci.memphis.edu>
Message-ID: <20000315160635.A6052@moni.msci.memphis.edu>

On Thu, Mar 16, 2000 at 07:54:55AM +1100, Damien Miller wrote:
> On Wed, 15 Mar 2000, Mate Wierdl wrote:
>
> > On the box moni, I have
> >
> > rpm -q openssh
> > openssh-1.2.1pre25-1us
> >
> > on the box karadi, I have
> >
> > rpm -q openssh
> > openssh-1.2.3pre2-2
> >
> > On moni, I do/get:
> >
> > scp "wierdlm at karadi:11Lecture/lecture.tex" .
> > wierdlm at karadi.msci.memphis.edu's password:
> > bash: scp: command not found
>
> You might have to use the --with-default-path option to specify the
> path to scp.

I specified it as

  ./configure --prefix=%myprefix --with-default-path=%myprefix/bin

on *karadi*, but I still get running on moni:

  scp wierdlm at karadi:diane.C .
  wierdlm at karadi.msci.memphis.edu's password:
  bash: scp: command not found

What is the role of $default-path ?

Mate

From: djm at mindrot.org (Damien Miller)
Date: Thu, 16 Mar 2000 12:09:25 +1100 (EST)
Subject: ssh works only as root
In-Reply-To: <20000315111727.C444@moni.msci.memphis.edu>
Message-ID:

On Wed, 15 Mar 2000, Mate Wierdl wrote:
> > Refresh my memory - why do you need to use a different ld?
>
> I am not sure I understand the question. On our system, the sysadm
> installed gcc so that it uses the gnu linker. But one can read at

OK - configure now honours a LD environment variable:

  LD=/some/other/ld ./configure

It defaults to $CC

-d

From: djm at mindrot.org (Damien Miller)
Date: Thu, 16 Mar 2000 12:11:53 +1100 (EST)
Subject: scp problem
In-Reply-To: <20000315153356.A5568@moni.msci.memphis.edu>
Message-ID:

On Wed, 15 Mar 2000, Mate Wierdl wrote:
> So it is not set to $prefix/bin automatically? What is it set to
> then?

_PATH_STDPATH from your /usr/include/paths.h

-d

From: djm at mindrot.org (Damien Miller)
Date: Thu, 16 Mar 2000 12:18:45 +1100 (EST)
Subject: 1.2.3pre2 works great on Solaris 2.7 except man
In-Reply-To: <4a.2d0995d.26015e4a@aol.com>
Message-ID:

On Wed, 15 Mar 2000 Jay at aol.com wrote:
> Right out of the box (after I made Damien's LDFLAGS fix in configure) using
> gcc-2.95.2. The only problem I have now is the man pages. I still can't
> read them using Solaris nroff, and when I tried to build with
> --with-catman=cat, I got the following during a make install:
>
> /rtr/bin/install -c -m 644 ssh.[01].out /usr/local/man/cat1/ssh.1
> Try `/rtr/bin/install --help' for more information.

Strange - it seems to work OK for me. Is that GNU install in /rtr/bin/install?

You could try to work around it using

  make INSTALL=`pwd`/install-sh install

-d

From: djm at mindrot.org (Damien Miller)
Date: Thu, 16 Mar 2000 12:21:21 +1100 (EST)
Subject: scp problem
In-Reply-To: <20000315160635.A6052@moni.msci.memphis.edu>
Message-ID:

On Wed, 15 Mar 2000, Mate Wierdl wrote:
> I specified it as
>
> ./configure --prefix=%myprefix --with-default-path=%myprefix/bin

Shouldn't that be "--with-default-path=%{myprefix}/bin"?

The use of --with-default-path fixed this problem for everyone else who has reported it.

-d

From: djm at mindrot.org (Damien Miller)
Date: Thu, 16 Mar 2000 13:02:43 +1100 (EST)
Subject: TEST RELEASE: 1.2.3pre4
Message-ID:

This will be the last test release before 1.2.3. It consists of only a few lines difference to 1.2.3pre3, but please test it anyway.

Changelog:

20000316
 - Fixed configure not passing LDFLAGS to Solaris. Report from David G. Hesprich
 - Propagate LD through to Makefile
 - Doc cleanups
 - Added blurb about "scp: command not found" errors to UPGRADING

20000315
 - Configure fix from Bratislav ILICH

From: dghespri at sprintparanet.com (David G. Hesprich)
Date: Wed, 15 Mar 2000 22:07:47 -0500
Subject: TEST RELEASE: 1.2.3pre4
References:
Message-ID: <000801bf8ef4$cfcdd200$1500a8c0@alex1.va.home.com>

Works great! I needed no changes to the Makefile after performing a configure.

I am still having one remaining noticeable problem, not sure if it's a bug or a configuration thing. If I log in as a user, upon logging out, I get "Cannot delete credentials: Permission denied". Doesn't seem to affect operation, but...

Also still looking for a way to convince Solaris' catman to index the man pages the way they were meant to be seen...

Thanks,

-David Hesprich

--
David G. Hesprich, CISSP
Technical Solutions Consultant
Sprint Enterprise Network Services
Numeric Pager: 800-724-3329 PIN 382-8387
Alpha Pager: dghespri at pager.paranet.com

From: bioboy at arches.uga.edu (avid)
Date: Thu, 16 Mar 2000 03:16:52 -0500 (EST)
Subject: openssh RH 6.1 linux install
Message-ID:

I have installed the most recent openssl from the source grabbed off their website via "./config ; make ; make install" and then openssh from source grabbed off your website via "./configure --with-ipv4-default".

I am told

  checking for OpenSSL/SSLeay directory... configure: error: Could not find working SSLeay / OpenSSL libraries, please instal

by ./configure. I have tried using the "--with-ssl-dir=/usr/local/ssl" flag, also using DIR as /usr/local/ssl/include, /usr/local/ssl/include/openssl, /usr/local/ssl/lib, where /usr/local/ssl/include/openssl is the directory containing rsa.h.

I tried looking inside ./configure, but the problem was not immediately apparent to me of limited abilities :)

Am I doing something wrong?

-christian

From: djm at mindrot.org (Damien Miller)
Date: Thu, 16 Mar 2000 21:56:42 +1100 (EST)
Subject: openssh RH 6.1 linux install
In-Reply-To:
Message-ID:

On Thu, 16 Mar 2000, avid wrote:
> I have installed the most recent openssl from the source grabbed off their website via "./config ; make ; make install "
> and then openssh from source grabbed off your website via "./configure --with-ipv4-default "

Which version of OpenSSH?

-d

From: Florian.Weimer at RUS.Uni-Stuttgart.DE (Florian Weimer)
Date: 16 Mar 2000 14:22:52 +0100
Subject: ssh works only as root
In-Reply-To: Mate Wierdl's message of "Mon, 13 Mar 2000 13:54:24 -0600"
References: <20000313135424.A32383@moni.msci.memphis.edu>
Message-ID:

Mate Wierdl writes:
> ssh moni
> ld.so.1: ssh: fatal: libz.so: open failed: No such file or directory
> Killed

Is libz.so in the default library search path? ssh is typically a setuid binary, and LD_LIBRARY_PATH is ignored for setuid binaries (for obvious security reasons).

From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Thu, 16 Mar 2000 09:30:06 -0600
Subject: scp problem
In-Reply-To:
References: <20000315153356.A5568@moni.msci.memphis.edu>
Message-ID: <20000316093006.C21519@moni.msci.memphis.edu>

On Thu, Mar 16, 2000 at 12:11:53PM +1100, Damien Miller wrote:
> On Wed, 15 Mar 2000, Mate Wierdl wrote:
>
> > So it is not set to $prefix/bin automatically? What is it set to
> > then?
>
> _PATH_STDPATH from your /usr/include/paths.h

I only have /usr/local/include/paths.h which is from the kpathsea library. Nevertheless, setting default-path to /space/local/bin did not help.

Mate

From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Thu, 16 Mar 2000 12:44:22 -0600
Subject: scp problem
In-Reply-To:
References: <20000315160635.A6052@moni.msci.memphis.edu>
Message-ID: <20000316124422.D21519@moni.msci.memphis.edu>

On Thu, Mar 16, 2000 at 12:21:21PM +1100, Damien Miller wrote:
> On Wed, 15 Mar 2000, Mate Wierdl wrote:
>
> > I specified it as
> >
> > ./configure --prefix=%myprefix --with-default-path=%myprefix/bin
>
> Shouldn't that be "--with-default-path=%{myprefix}/bin"?

{} not needed.

> The use of --with-default-path fixed this problem for everyone else
> who has reported it.

It would help me if somebody told me what this default-path is used for by sshd on the remote system. When I see the error

  scp wierdlm at karadi:.bashrc bashrc
  wierdlm at karadi.msci.memphis.edu's password:
  bash: scp: command not found

which bash reports the error, the remote (on karadi) or the local? Is sshd on the remote server karadi trying to run scp on karadi? If that is the case, why isn't it trying to find scp where scp was installed? How can I test *where* sshd on karadi is trying to search for scp?

Finally, is default-path used to find scp, or is it used for some other purpose?

Thx

Mate

From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Thu, 16 Mar 2000 13:21:26 -0600
Subject: default-path
Message-ID: <20000316132126.A26244@moni.msci.memphis.edu>

I now specified

  --with-default-path=/space/local/bin

but when I log in to the system, I get

  ssh wierdlm at karadi
  wierdlm at karadi.msci.memphis.edu's password:
  Warning: Remote host denied X11 forwarding.
  Last login: Thu Mar 16 12:28:52 2000 from wierdlmpc.msci.m
  Sun Microsystems Inc. SunOS 5.6 Generic August 1997
  bash: stty: command not found
  bash: stty: command not found
  bash: stty: command not found
  bash: uname: command not found

I suppose I need to put some more dirs in default-path. What other dirs do I need to specify on my Solaris box? What is the syntax to specify a path? Is it correct to write

  --with-default-path=/space/local/bin:/usr/local/bin:/usr/bin

? Does the list of dirs affect the security of ssh somehow? Should I just do

  --with-default-path=$PATH

?

Thx

Mate

From: jmknoble at pobox.com (Jim Knoble)
Date: Thu, 16 Mar 2000 17:03:33 -0500
Subject: default-path
In-Reply-To: <20000316132126.A26244@moni.msci.memphis.edu>; from Mate Wierdl on Thu, Mar 16, 2000 at 01:21:26PM -0600
References: <20000316132126.A26244@moni.msci.memphis.edu>
Message-ID: <20000316170333.B2292@ntrnet.net>

What is your default system path? On my Red Hat Linux 5.2 system, it's:

  [jmknoble at zax:/usr/include]
  $ grep -A 1 _PATH_STDPATH *.h
  paths.h:#define _PATH_STDPATH\
  paths.h-        "/usr/bin:/bin:/usr/sbin:/sbin"
  [jmknoble at zax:/usr/include]
  $

For such a standard path, what i recommend doing is something like:

  --with-default-path="\
  /space/local/bin:\
  /usr/bin:\
  /bin:\
  /space/local/sbin:\
  /usr/sbin:\
  /sbin"

The key is that the contents of --with-default-path *replace* _PATH_STDPATH, they don't add to it.

Damien, perhaps this can be made more clear in the install docs?

On 2000-Mar-16 at 13:21:26 -0600, Mate Wierdl wrote:
: I now specified
:
: --with-default-path=/space/local/bin
:
: but when I log in to the system, I get
:
: ssh wierdlm at karadi
: wierdlm at karadi.msci.memphis.edu's password:
: Warning: Remote host denied X11 forwarding.
: Last login: Thu Mar 16 12:28:52 2000 from wierdlmpc.msci.m
: Sun Microsystems Inc. SunOS 5.6 Generic August 1997
: bash: stty: command not found
: bash: stty: command not found
: bash: stty: command not found
: bash: uname: command not found
:
: I suppose I need to put some more dirs in default-path. What other
: dirs do I need to specify on my Solaris box? What is the syntax to
: specify a path? Is it correct to write
:
: --with-default-path=/space/local/bin:/usr/local/bin:/usr/bin
:
: ? Does the list of dirs affect the security of ssh somehow? Should I
: just do
:
: --with-default-path=$PATH
:
: ?
:
: Thx
:
: Mate

From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Thu, 16 Mar 2000 16:15:43 -0600
Subject: default-path
In-Reply-To: <20000316170333.B2292@ntrnet.net>
References: <20000316132126.A26244@moni.msci.memphis.edu> <20000316170333.B2292@ntrnet.net>
Message-ID: <20000316161543.A30634@moni.msci.memphis.edu>

On Thu, Mar 16, 2000 at 05:03:33PM -0500, Jim Knoble wrote:
> What is your default system path? On my Red Hat Linux 5.2 system, it's:
>
> [jmknoble at zax:/usr/include]
> $ grep -A 1 _PATH_STDPATH *.h
> paths.h:#define _PATH_STDPATH\
> paths.h- "/usr/bin:/bin:/usr/sbin:/sbin"
> [jmknoble at zax:/usr/include]
> $

This is Solaris, and I have

  grep _PATH_STDPATH /usr/include/*.h
  echo $?
  1

> For such a standard path, what i recommend doing is something like:
>
> --with-default-path="\
> /space/local/bin:\
> /usr/bin:\
> /bin:\
> /space/local/sbin:\
> /usr/sbin:\
> /sbin"

So I should put the sbin directories there too?

> The key is that the contents of --with-default-path *replace*
> _PATH_STDPATH, they don't add to it.
>
> Damien, perhaps this can be made more clear in the install docs?

Perhaps a word or two on how default-path is used (what programs will be searched for along the path).

Also, the question remains: why is $prefix/bin not added to default-path?

Mate

From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Thu, 16 Mar 2000 17:16:23 -0600
Subject: ssh problem
Message-ID: <20000316171623.A31704@moni.msci.memphis.edu>

On two Redhat boxes we installed the openssh rpms:

  rpm -qa|grep open
  openssh-1.2.1pre25-1us
  openssh-askpass-1.2.1pre25-1us
  openssl-0.9.4-3us
  openssl-devel-0.9.4-3us
  openssh-clients-1.2.1pre25-1us
  openssh-server-1.2.1pre25-1us

The only difference between the two machines is that one is 6.0, the other is 6.1. Now trying to ssh from the 6.1 machine to the 6.0, gives

  ssh -v troy
  SSH Version OpenSSH-1.2.1, protocol version 1.5.
  Compiled with SSL (RSAref version).
  debug: Reading configuration data /etc/ssh/ssh_config
  debug: ssh_connect: getuid 500 geteuid 0 anon 0
  debug: Connecting to troy.msci.memphis.edu [141.225.11.160] port 22.
  debug: Allocated local port 1023.
  debug: Connection established.
  ssh_exchange_identification: read: Success
  debug: Calling cleanup 0x8054c80(0x0)

There is no problem with ssh the other way around.

Any hints?

Thx

Mate

From: djm at mindrot.org (Damien Miller)
Date: Fri, 17 Mar 2000 10:43:38 +1100 (EST)
Subject: default-path
In-Reply-To: <20000316170333.B2292@ntrnet.net>
Message-ID:

On Thu, 16 Mar 2000, Jim Knoble wrote:
> Damien, perhaps this can be made more clear in the install docs?

Done.

Thanks,
Damien

From: djm at mindrot.org (Damien Miller)
Date: Fri, 17 Mar 2000 10:45:16 +1100 (EST)
Subject: ssh problem
In-Reply-To: <20000316171623.A31704@moni.msci.memphis.edu>
Message-ID:

On Thu, 16 Mar 2000, Mate Wierdl wrote:
> ssh_exchange_identification: read: Success
> debug: Calling cleanup 0x8054c80(0x0)
>
> There is no problem with ssh the other way around.
>
> Any hints?

Do you have /etc/hosts.allow and /etc/hosts.deny files? If not, create them. Does this help?

-d

From: bent at clark.net (Ben Taylor)
Date: Thu, 16 Mar 2000 19:01:16 -0500 (EST)
Subject: default-path
In-Reply-To: <20000316161543.A30634@moni.msci.memphis.edu>
Message-ID:

On Thu, 16 Mar 2000, Mate Wierdl wrote:
> On Thu, Mar 16, 2000 at 05:03:33PM -0500, Jim Knoble wrote:
> > What is your default system path? On my Red Hat Linux 5.2 system, it's:
> >
> > [jmknoble at zax:/usr/include]
> > $ grep -A 1 _PATH_STDPATH *.h
> > paths.h:#define _PATH_STDPATH\
> > paths.h- "/usr/bin:/bin:/usr/sbin:/sbin"
> > [jmknoble at zax:/usr/include]
> > $
>
> This is Solaris, and I have
>
> grep _PATH_STDPATH /usr/include/*.h
> echo $?
> 1

_PATH_STDPATH is defined in some unices and not others. In the case of Solaris, we just override it.

> > --with-default-path="\
> > /space/local/bin:\
> > /usr/bin:\
> > /bin:\
> > /space/local/sbin:\
> > /usr/sbin:\
> > /sbin"
>
> So I should put the sbin directories there too?

It's really up to you. You want to make sure you have /usr/bin and wherever the ssh/scp clients are as a minimum. The rest is just gravy and makes life easier for doing remote maintenance. In Solaris, you might want to add /sbin, /usr/sbin, /usr/local/bin, and maybe /usr/openwin/bin (for xauth). YMMV and there are a bunch of other recommendations other people will suggest. Pretty much all are valid as long as /usr/bin and /space/local/bin are in your default path.

> Also, the question remains: why $prefix/bin is not added to
> default-path?

Actually, that is a good recommendation. Damien?

Ben

From: djm at mindrot.org (Damien Miller)
Date: Fri, 17 Mar 2000 15:36:29 +1100 (EST)
Subject: yarrow unix source
In-Reply-To: <38B5D68E.EE182B72@zeroknowledge.com>
Message-ID:

On Thu, 24 Feb 2000, Adam Back wrote:
> Hi guys
>
> We at ZKS were also interested in yarrow under unix. However the
> implementation that counterpane have on their web page doesn't correspond to
> the paper -- it is a pretty different design.
>
> Also the windows code is hairy in the extreme -- I decided to reimplement it
> from scratch from the paper, rather than try to look at that windows code too
> much (yeuch!). And in writing from the paper, this is when I found that
> contrary to expectations from reading their webpage, the code is completely
> unrelated to the paper.
>
> I asked them about this discrepancy and apparently there was a previous
> version of the paper with a different design. However they don't reference
> the previous paper at all on their web page.
>
> I suggested they should mention that there is a difference as people will be
> using the code under false assumptions about its design, and they've done
> this now.
>
> So I have some nice, clean unix source code for the new yarrow design, which
> we're going to release under BSD or other open license, asap.

Has there been any movement on this release? We are keen to use Yarrow as an entropy source for OpenSSH. I would be willing to test and debug such code :)

-d

From: djm at mindrot.org (Damien Miller)
Date: Sat, 18 Mar 2000 00:36:44 +1100 (EST)
Subject: TEST RELEASE: 1.2.3pre5
Message-ID:

Yet another test release. This fixes a few problems that were reported in the last 24 hours.

One security problem fixed by this release is the braindead linking behaviour of AIX's ld. In their infinite wisdom, IBM decided to make the -L linker flag specify /runtime/ link paths. This could allow someone to substitute a modified shared library to a suid program. For gory details, have a look for a recent message "Unexpected and dangerous AIX 4.X linker behavior" in a BUGTRAQ archive. Thanks to Jim Knoble for pointing this out.

I am keen to hear reports from AIX users.

Regards,
Damien Miller

20000317
 - Clarified --with-default-path option.
 - Added -blibpath handling for AIX to work around stupid runtime linking. Problem elucidated by gshapiro at SENDMAIL.ORG by way of Jim Knoble
 - Checks for 64 bit int types. Problem report from Mats Fredholm
 - OpenBSD CVS updates:
   - [atomicio.c auth-krb4.c bufaux.c channels.c compress.c fingerprint.c]
     [packet.h radix.c rsa.c scp.c ssh-agent.c ssh-keygen.c sshconnect.c]
     [sshd.c]
     pedantic: signed vs. unsigned, void*-arithm, etc
   - [ssh.1 sshd.8]
     Various cleanups and standardizations.
 - Runtime error fix for HPUX from Otmar Stahl

From: djm at mindrot.org (Damien Miller)
Date: Sat, 18 Mar 2000 00:43:56 +1100 (EST)
Subject: URL for test release
Message-ID:

The direct URL for the test release is:

  http://violet.ibs.com.au/openssh/files/test/

-d

From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Fri, 17 Mar 2000 09:07:27 -0600
Subject: default-path
In-Reply-To:
References: <20000316161543.A30634@moni.msci.memphis.edu>
Message-ID: <20000317090727.A16180@moni.msci.memphis.edu>

On Thu, Mar 16, 2000 at 07:01:16PM -0500, Ben Taylor wrote:
> _PATH_STDPATH is defined in some unices and not others. In
> the case of Solaris, we just override it.

So what is default-path on Solaris if it is not specified for configure?

> It's really up to you. You want to make sure you have /usr/bin
> and whereever ssh/scp clients are as a minimum. The rest is
> just gravy and makes like easier for doing remote maintainance.
> In Solaris, you might want to add /sbin, /usr/sbin, /usr/local/bin,
> and maybe /usr/openwin/bin (for xauth). YMMV and there are
> a bunch of other recommendations other people will suggest.
> Pretty much all are valid as long as /usr/bin and /space/local/bin
> is in your default path.

So default-path is the PATH ssh would use to execute commands. So probably it is not bad to set default-path to $PATH after all.

But I would think it is best if the user executing ssh would have the option to set the path (both on the command line and in the config file). I have not seen an option like that in the man page for ssh. Would an option like that be insecure?

Reading the sshd man page, I see

  6. Reads $HOME/.ssh/environment if it exists.

Does this mean that I can/should set PATH for scp sessions on the *remote* system?

So how does scp work? Does it call ssh at one point? At what point of the copying process does the default-path get used?

Thx

Mate

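A check for the questions in this thread (does the list of dirs affect security, which directories are needed, and where the remote shell looks for scp), added here as an example and not code from OpenSSH or from anyone on the list: it takes a candidate --with-default-path value, verifies that every directory is root-owned and not group/world-writable (the same property the AIX runtime-link-path problem in the 1.2.3pre5 announcement hinges on, applied to a setuid binary's library search path), and resolves the required tools with that path alone, since the option replaces _PATH_STDPATH rather than adding to it. The function names, the script name and the sample tool list are my own.

```shell
#!/bin/sh
# Added example for this thread (not OpenSSH code): sanity-check a
# candidate --with-default-path value before compiling it into sshd.
# The same check applies to the library directories a linker bakes into
# a setuid binary as its runtime search path (the AIX -L behaviour).
# Assumes POSIX sh and an ls that supports -d, -L and -n.

# Report on one directory: it must exist, be owned by the trusted uid
# (0 by default) and not be writable by group or others. If any of these
# fails, someone other than root could drop an "scp" or a "libz.so" into
# the search path that sshd hands to every session.
dir_is_safe() {
    _d=$1; _trusted=${2:-0}
    if [ -z "$_d" ]; then
        echo "empty entry: an empty PATH element means the current directory" >&2
        return 1
    fi
    if [ ! -d "$_d" ]; then
        echo "missing: $_d" >&2
        return 1
    fi
    # ls -ldLn: follow symlinks (/bin -> usr/bin), list the directory
    # itself, numeric owner. Fields: mode links uid gid ...
    set -- $(ls -ldLn "$_d")
    _mode=$(printf '%s' "$1" | cut -c1-10)
    _uid=$3
    _rc=0
    case "$_mode" in
        ?????w????|????????w?)   # group-write (column 6) or other-write (column 9)
            echo "group/world writable: $_d ($_mode)" >&2; _rc=1 ;;
    esac
    if [ "$_uid" != "$_trusted" ]; then
        echo "owner uid $_uid is not $_trusted: $_d" >&2; _rc=1
    fi
    return $_rc
}

# Split a colon-separated path and check every element. Returns 0 only
# if all elements pass.
check_path_perms() {
    _path=$1; _trusted=${2:-0}; _bad=0
    _save_ifs=$IFS; IFS=:
    set -f; set -- $_path; set +f
    IFS=$_save_ifs
    for _d in "$@"; do
        dir_is_safe "$_d" "$_trusted" || _bad=1
    done
    return $_bad
}

# --with-default-path *replaces* _PATH_STDPATH, so the listed directories
# are the only ones searched. Resolve each required tool with exactly
# that PATH and nothing else in the environment (env -i).
check_path_tools() {
    _p=$1; shift; _bad=0
    for _t in "$@"; do
        if ! env -i PATH="$_p" /bin/sh -c "command -v $_t" >/dev/null 2>&1; then
            echo "not on the default path: $_t" >&2; _bad=1
        fi
    done
    return $_bad
}

# Ask the remote sshd's shell what PATH a non-interactive command gets
# and where it finds scp; it is the remote bash that prints "command not
# found". Network call, so it is not exercised by the checks above.
probe_remote_scp() {
    ssh "$1" 'printf "remote PATH=%s\n" "$PATH"; command -v scp || echo "scp: not on remote PATH"'
}

# Usage: sh check-default-path.sh /space/local/bin:/usr/bin:/bin scp xauth stty uname
if [ $# -ge 1 ]; then
    check_path_perms "$1" && check_path_tools "$@"
fi
```

A non-zero exit from the script names the offending entry on stderr; an empty element (a doubled colon) is reported too, because it silently means the current directory.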
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Fri, 17 Mar 2000 09:13:04 -0600
Subject: default-path
In-Reply-To:
References: <20000316161543.A30634@moni.msci.memphis.edu>
Message-ID: <20000317091304.B16180@moni.msci.memphis.edu>

On Thu, Mar 16, 2000 at 07:01:16PM -0500, Ben Taylor wrote:
> It's really up to you. You want to make sure you have /usr/bin
> and whereever ssh/scp clients are as a minimum. The rest is

This is the part which is not clear to me: So in order to use scp, the remote site also has to have scp. In other words, it is not enough to have just sshd running.

But looking at how the openssh rpm is divided up, I see that scp is in the package required by both the server and the client packages.

Mate

From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Fri, 17 Mar 2000 09:22:52 -0600
Subject: ssh problem
In-Reply-To:
References: <20000316171623.A31704@moni.msci.memphis.edu>
Message-ID: <20000317092252.C16180@moni.msci.memphis.edu>

On Fri, Mar 17, 2000 at 10:45:16AM +1100, Damien Miller wrote:
> On Thu, 16 Mar 2000, Mate Wierdl wrote:
>
> > ssh_exchange_identification: read: Success
> > debug: Calling cleanup 0x8054c80(0x0)
> >
> > There is no problem with ssh the other way around.
> >
> > Any hints?
>
> Do you have /etc/hosts.allow and /etc/hosts.deny files? If not, create
> them.

There we go: hosts.deny had ALL:ALL in it. I guess one should put

  sshd: ALL

in hosts.allow?

Thx

Mate

From: bent at clark.net (Ben Taylor)
Date: Fri, 17 Mar 2000 10:29:44 -0500 (EST)
Subject: default-path
In-Reply-To: <20000317091304.B16180@moni.msci.memphis.edu>
Message-ID:

On Fri, 17 Mar 2000, Mate Wierdl wrote:
> On Thu, Mar 16, 2000 at 07:01:16PM -0500, Ben Taylor wrote:
> > It's really up to you. You want to make sure you have /usr/bin
> > and whereever ssh/scp clients are as a minimum. The rest is
>
> This is the part which is not clear to me: So in order to use scp,
> the remote site also has to have scp. In other words, it is not
> enough to have just sshd running.

If you only have sshd loaded, I think you can only do port forwarding and secure logins. If you have scp, ssh, etc (on the server side), then you can do secure copies and secure remote shell activities. (I'm sure someone will correct me if I'm wrong on this)

> But looking at how the openssh rpm is divided up, I see that scp is in
> the package required by both the server and the client packages.

The rpm is just a distribution. I would guess that the RPM is set up so you don't have any extra overhead in loading the client, as opposed to the server, if you will only be doing client activities.

Ben

From: a.d.stribblehill at durham.ac.uk (Andrew Stribblehill)
Date: Fri, 17 Mar 2000 16:00:18 +0000
Subject: ssh_config's Hosts directive
Message-ID: <20000317160018.G21497@womble.dur.ac.uk>

I'm trying to arrange the SSH client here to default to allowing X forwarding etc. to local machines (within the .dur.ac.uk domain) without forwarding X to off-site machines.

Now, I read that the hostname isn't canonicalised (what a horrible word!) so I presume I have to match on both *.dur.ac.uk and *-without-any-dots-in-it. How do I do this in practice?

If ssh is presently not configurable enough to do this, can we extend the functionality of Hosts in some useful but still backward-compatible manner?

Thanks,

Andrew Stribblehill
Systems programmer, IT Service, University of Durham

From: nebulous at owlnet.rice.edu (Sean Aaron Lisse)
Date: Fri, 17 Mar 2000 10:34:49 -0600 (CST)
Subject: ssh_config's Hosts directive
In-Reply-To: <20000317160018.G21497@womble.dur.ac.uk>
Message-ID:

> I'm trying to arrange the SSH client here to default to allowing
> X forwarding etc. to local machines (within the .dur.ac.uk domain)
> without forwarding X to off-site machines.

Note that using names instead of ip addresses leaves you vulnerable to some nasty DNS attacks (of course, IP authentication in the first place is less than perfect). They're not too likely to give you problems so long as you also use (password/crypto/whatever) authentication such as ssh uses normally, but they're something to watch out for.

-Sean Lisse

From: jmknoble at pobox.com (Jim Knoble)
Date: Fri, 17 Mar 2000 12:10:46 -0500
Subject: default-path
In-Reply-To: ; from Ben Taylor on Fri, Mar 17, 2000 at 10:29:44AM -0500
References: <20000317091304.B16180@moni.msci.memphis.edu>
Message-ID: <20000317121046.B12689@ntrnet.net>

På 2000-Mar-17 klokka 10:29:44 -0500 skrivet Ben Taylor:

: On Fri, 17 Mar 2000, Mate Wierdl wrote:
:
: > This is the part which is not clear to me: So in order to use scp,
: > the remote site also has to have scp.  In other words, it is not
: > enough to have just sshd running.
:
: if you only have sshd loaded, I think you can only do port forwarding
: and secure logins.  If you have scp, ssh, etc (on the server side),
: then you can do secure copies and secure remote shell activities.
: (I'm sure someone will correct me if I'm wrong on this)

You're mostly right.  For the following, `local' means the place one is
ssh-ing from (the ``client''), and `remote' is the place one is ssh-ing
to (the ``server'').  The following table describes what is needed at
the local and remote ends:

  Purpose                                     Local      Remote
  -------                                     -----      ------
  Execute remote shell commands or create     ssh        sshd
    interactive login sessions
  Forward X11 connections                     ssh        sshd
  Forward arbitrary TCP/IP ports, in either   ssh        sshd
    direction
  Copy files via scp                          ssh, scp   sshd, scp

As you can see, scp is needed at both ends of the session in order to
copy files (using scp).  It's possible to copy files without using scp,
using ``only'' ssh/sshd.  For example:

  cat foo |ssh remote.example.net 'cat >foo'

This is actually similar in principle to the way scp is used, which is
why it's the shell who complains that scp isn't found when it's not on
sshd's default path.

: The rpm is just a distribution.  I would guess that the RPM is set up so
: you don't have any extra overhead in loading the client, as opposed
: to the server, if you will only be doing client activities.

Correct.  And the reverse as well.
The packaging scheme allows one to install only a client or only a
server if that's what's desired.

--
jim knoble
jmknoble at pobox.com

From drankin at bohemians.lexington.ky.us Sat Mar 18 08:25:53 2000
From: drankin at bohemians.lexington.ky.us (David Rankin)
Date: Fri, 17 Mar 2000 16:25:53 -0500
Subject: Problem with 1.2.3pre4 and RSAref
Message-ID: <20000317162553.H10247@rumpole.bohemians.lexington.ky.us>

The following code snippet will not compile support for RSAref on NetBSD
even if it exists on the system (which breaks OpenSSL):

	for WANTS_RSAREF in "" 1 ; do
		if test -z "$WANTS_RSAREF" ; then
			LIBS="$saved_LIBS -lcrypto"
		else
			LIBS="$saved_LIBS -lcrypto -lRSAglue -lrsaref"
		fi
		....

It appears that the code referenced in configure just before line 1950
works correctly even without the RSAglue and rsaref libraries, but "in
production" work fails needing "_RSAPrivateDecrypt".

If someone wants to run a patch by me on this one, I'll be happy to test
it.

Thanks,
David
--
David W. Rankin, Jr.   Husband, Father, and UNIX Sysadmin.
Email: drankin at bohemians.lexington.ky.us   Address/Phone Number: Ask me.
"It's too bad she won't live! But then again, who does?" -- Gaff, _Blade Runner_

From drankin at bohemians.lexington.ky.us Sat Mar 18 09:07:59 2000
From: drankin at bohemians.lexington.ky.us (David Rankin)
Date: Fri, 17 Mar 2000 17:07:59 -0500
Subject: Problem with 1.2.3pre4 and RSAref
In-Reply-To: <20000317162553.H10247@rumpole.bohemians.lexington.ky.us>; from David Rankin on Fri, Mar 17, 2000 at 04:25:53PM -0500
References: <20000317162553.H10247@rumpole.bohemians.lexington.ky.us>
Message-ID: <20000317170759.I10247@rumpole.bohemians.lexington.ky.us>

OK, I know it's not that tasteful to reply to your own post, but...

On Fri, Mar 17, 2000 at 04:25:53PM -0500, David Rankin wrote:
> The following code snippet will not compile support for RSAref on NetBSD even
> if it exists on the system (which breaks OpenSSL):
>
> 	for WANTS_RSAREF in "" 1 ; do

If the above line gets replaced with

	for WANTS_RSAREF in 1 "" ; do

things seem to work.  That said, I have to use rsaref, so I don't have a
system that can test the opposite assumptions.

Thanks
David
--
David W. Rankin, Jr.   Husband, Father, and UNIX Sysadmin.
Email: drankin at bohemians.lexington.ky.us   Address/Phone Number: Ask me.
"It's too bad she won't live! But then again, who does?" -- Gaff, _Blade Runner_

From gem at rellim.com Sat Mar 18 09:43:02 2000
From: gem at rellim.com (Gary E. Miller)
Date: Fri, 17 Mar 2000 14:43:02 -0800 (PST)
Subject: TEST RELEASE: 1.2.3pre5
In-Reply-To:
Message-ID:

Yo Damien!

First pass this works fine with UnixWare 7.1.0.  Even the man pages work
now.  Good work all.

RGDS
GARY

On Sat, 18 Mar 2000, Damien Miller wrote:

> Yet another test release.  This fixes a few problems that were
> reported in the last 24 hours.

---------------------------------------------------------------------------
Gary E. Miller   Rellim   20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com   Tel:+1(541)382-8588   Fax: +1(541)382-8676

From djm at mindrot.org Sat Mar 18 10:05:06 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 18 Mar 2000 10:05:06 +1100 (EST)
Subject: default-path
In-Reply-To: <20000317090727.A16180@moni.msci.memphis.edu>
Message-ID:

On Fri, 17 Mar 2000, Mate Wierdl wrote:

> On Thu, Mar 16, 2000 at 07:01:16PM -0500, Ben Taylor wrote:
>
> > _PATH_STDPATH is defined in some unices and not others.  In
> > the case of Solaris, we just override it.
>
> So what is default-path on Solaris if it is not specified for
> configure?

It is the one in defines.h

> Reading the sshd man page, I see
>
>      6.   Reads $HOME/.ssh/environment if it exists.
>
> Does this mean that I can/should set PATH for scp sessions on the
> *remote* system?

Yes, this should work.

> So how does scp work?  Does it call ssh at one point?  At what point
> of the copying process does the default-path get used?

Yes.  scp on the local machine runs scp on the remote machine via ssh.
The default path is used by the sshd on the remote machine when it tries
to execute scp.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Sat Mar 18 10:06:41 2000
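An added example, mine rather than code from the thread or from OpenSSH, tying together Jim Knoble's table and Damien's answer above: "scp file host:dir" is really "ssh host scp -t dir", so the remote scp has to be somewhere in the PATH sshd gives the login shell (the _PATH_STDPATH / --with-default-path value, extendable from ~/.ssh/environment on the remote side), and when it is not, the ssh/sshd pair alone still moves the bytes. The throwaway directory tree standing in for the remote box and the use of "sh -c" in place of "ssh host" are assumptions so that it runs offline.

```sh
#!/bin/sh
# Added example, not from the thread or from OpenSSH.  Two points from the
# default-path discussion, made testable offline:
#  1. "scp file host:dir" runs "scp -t dir" on the remote side through the
#     login shell that sshd starts, with sshd's default PATH; if scp is not in
#     THAT path the copy fails with "scp: command not found", however well the
#     client end is set up.  (~/.ssh/environment on the remote side can extend PATH.)
#  2. With only ssh and sshd you can still move a file: cat f | ssh host 'cat > f'.
# ROOT below is a throwaway directory tree standing in for the remote box,
# and "sh -c" stands in for "ssh host"; both are assumptions for the demo.

# path_lookup NAME ROOT PATHLIST : first directory of the colon-separated
# PATHLIST (under ROOT) that holds an executable NAME; status 1 if none.
path_lookup() {
  name=$1; root=$2; list=$3
  old_ifs=$IFS; IFS=:
  set -f                                    # no globbing while we split on ':'
  for dir in $list; do
    if [ -x "$root$dir/$name" ]; then
      IFS=$old_ifs; set +f
      printf '%s\n' "$dir"
      return 0
    fi
  done
  IFS=$old_ifs; set +f
  return 1
}

# copy_via_shell SRC REMOTE_SHELL DEST : the scp-less copy from Jim's message.
copy_via_shell() {
  src=$1; rsh=$2; dest=$3
  cat "$src" | $rsh "cat > '$dest'"
}

# Demonstration: a "remote" box whose scp lives in /usr/local/bin while sshd's
# default path is /usr/bin:/bin, followed by the fallback copy.
demo() {
  root=$(mktemp -d) || return 1
  mkdir -p "$root/usr/bin" "$root/usr/local/bin"
  printf '#!/bin/sh\nexit 0\n' > "$root/usr/local/bin/scp"
  chmod 755 "$root/usr/local/bin/scp"
  if path_lookup scp "$root" /usr/bin:/bin; then
    echo "unexpected: scp found in the default path"
  else
    echo "scp is not in sshd's default path /usr/bin:/bin; remote scp would fail"
  fi
  echo "with /usr/local/bin added, scp is in: $(path_lookup scp "$root" /usr/bin:/bin:/usr/local/bin)"
  printf 'payload\n' > "$root/src"
  copy_via_shell "$root/src" "sh -c" "$root/dst"
  cmp -s "$root/src" "$root/dst" && echo "fallback copy via the shell: identical"
  rm -rf "$root"
}
demo
```

On a real host, "ssh host 'echo $PATH'" shows the path the remote login shell actually gets for a non-interactive command, which is the one that matters for scp.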
From: djm at mindrot.org (Damien Miller)
Date: Sat, 18 Mar 2000 10:06:41 +1100 (EST)
Subject: default-path
In-Reply-To: <20000317091304.B16180@moni.msci.memphis.edu>
Message-ID:

On Fri, 17 Mar 2000, Mate Wierdl wrote:

> This is the part which is not clear to me: So in order to use scp,
> the remote site also has to have scp.  In other words, it is not
> enough to have just sshd running.

Correct.

> But looking at how the openssh rpm is divided up, I see that scp is in
> the package required by both the server and the client packages.

That is because it is both :)

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Sat Mar 18 10:07:03 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 18 Mar 2000 10:07:03 +1100 (EST)
Subject: ssh problem
In-Reply-To: <20000317092252.C16180@moni.msci.memphis.edu>
Message-ID:

On Fri, 17 Mar 2000, Mate Wierdl wrote:

> in it.  I guess one should put
>
> sshd: ALL
>
> in hosts.allow?

yep

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From tfarrell at futuristics.net Sat Mar 18 11:06:27 2000
From: tfarrell at futuristics.net (Tim G. Farrell)
Date: Fri, 17 Mar 2000 19:06:27 -0500
Subject: Keysize mismatch error on host key
Message-ID: <38D2C883.98A5AA31@futuristics.net>

I've got a problem that I'm hoping the list can help with, otherwise ...

Here's the problem, I've got OpenSSH 1.2.2p1 running on my Intel Linux
box as the secure server.  I can connect from another Intel Linux box
using scp and it all seems to work fine.

Another box tries to connect and it gets a warning about the host
keysize not matching.  I'm thinking this could be some byte swapping
issue because this box is running Solaris 2.6.  This Solaris box is using
the EGD script for its random stuff, if that makes a difference.  Anyone
have any ideas on where to start looking?  I'm willing to chase it
down.

I tried modifying the known_hosts file as the warning suggests to no
avail.

Here's the output of what I'm seeing:

The authenticity of host 'xxx.somewhere.net' can't be established.
Key fingerprint is 1024 28:b0:37:af:d4:ec:09:1f:fb:4f:5e:47:e8:fb:b1:c8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'xxx.somewhere.net,1.1.1.1' to the list of known hosts.
Warning: /usr/guest/.ssh/known_hosts, line 1: keysize mismatch for host xxx.somewhere.net: actual 1048 vs. announced 1024.
Warning: replace 1024 with 1048 in /usr/guest/.ssh/known_hosts, line 1.
Warning: /usr/guest/.ssh/known_hosts, line 1: keysize mismatch for host 1.1.1.1: actual 1048 vs. announced 1024.
Warning: replace 1024 with 1048 in /usr/guest/.ssh/known_hosts, line 1.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the host key has just been changed.
Please contact your system administrator.
Add correct host key in /usr/guest/.ssh/known_hosts to get rid of this message.
Host key for xxx.somewhere.net has changed and you have requested strict checking.
lost connection

Tim Farrell   tfarrell-t at futuristics.net   ( remove the -t to use this address )

From djm at mindrot.org Sat Mar 18 10:39:11 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 18 Mar 2000 10:39:11 +1100 (EST)
Subject: Problem with 1.2.3pre4 and RSAref
In-Reply-To: <20000317162553.H10247@rumpole.bohemians.lexington.ky.us>
Message-ID:

On Fri, 17 Mar 2000, David Rankin wrote:

> The following code snippet will not compile support for RSAref on
> NetBSD even if it exists on the system (which breaks OpenSSL):

[snip]

> It appears that the code referenced in configure just before line
> 1950 works correctly even without the RSAglue and rsaref libraries,
> but "in production" work fails needing "_RSAPrivateDecrypt".

It looks like the test code is not complete enough.

> If someone wants to run a patch by me on this one, I'll be happy to
> test it.

Attached.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-------------- next part --------------
? configure
? config.h.in
? config.log
? config.cache
Index: configure.in
===================================================================
RCS file: /var/cvs/openssh/configure.in,v
retrieving revision 1.103
diff -u -r1.103 configure.in
--- configure.in	2000/03/17 12:26:46	1.103
+++ configure.in	2000/03/17 23:33:07
@@ -198,9 +198,14 @@ #include #include int main(void) - {RSA *key; char seed[2048];memset(seed, 0, sizeof(seed)); - RAND_seed(seed, sizeof(seed));key=RSA_generate_key(32,3,NULL,NULL); - return(key==NULL);} + { + RSA *key; char a[2048],b[2048];; + memset(a, 0, sizeof(a));memset(b, 0, sizeof(b)); + RAND_seed(a, sizeof(a)); + key=RSA_generate_key(32,3,NULL,NULL); + if (key==NULL) return(1); + return(-1==RSA_private_decrypt(RSA_size(key),a,b,key,RSA_NO_PADDING)); + } ], [ AC_DEFINE(HAVE_OPENSSL) @@ -214,9 +219,14 @@ #include #include int main(void) - {RSA *key; char seed[2048];memset(seed, 0, sizeof(seed)); - RAND_seed(seed, sizeof(seed));key=RSA_generate_key(32,3,NULL,NULL); - return(key==NULL);} + { + RSA *key; char a[2048],b[2048];; + memset(a, 0, sizeof(a));memset(b, 0, sizeof(b)); + RAND_seed(a, sizeof(a)); + key=RSA_generate_key(32,3,NULL,NULL); + if (key==NULL) return(1); + return(-1==RSA_private_decrypt(RSA_size(key),a,b,key,RSA_NO_PADDING)); + } ], [ AC_DEFINE(HAVE_SSL) From tfarrell at futuristics.net Sat Mar 18 11:26:16 2000 
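Review bot: in the @@ -198,9 +198,14 @@ hunk (the HAVE_OPENSSL probe), the buffers are declared `char a[2048],b[2048];;` while both buffer arguments of `RSA_private_decrypt()` are `unsigned char *`, so every C compiler will at least warn about the pointer-type mismatch, and a configure probe that trips a strict compiler is one that silently reports OpenSSL as missing; declare them `unsigned char a[2048], b[2048];` and drop the doubled semicolon. Calling `RSA_private_decrypt(RSA_size(key),a,b,key,RSA_NO_PADDING)` is the right check, since it is that call, not `RSA_generate_key()`, that needs `RSAPrivateDecrypt` from -lrsaref through -lRSAglue, which is exactly what the old probe never exercised; an `RSA_free(key)` before the return would keep the probe tidy.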
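Review bot: the @@ -214,9 +219,14 @@ hunk pastes the same test program a second time for the HAVE_SSL (SSLeay) branch, so the two copies will drift the next time one of them is corrected, as this patch itself shows by having to touch both; put the program in a single shell variable or m4 macro and reference it from both probes. The `char` versus `unsigned char` and doubled-semicolon points from the first hunk apply verbatim here.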
From: tfarrell at futuristics.net (Tim G. Farrell)
Date: Fri, 17 Mar 2000 19:26:16 -0500
Subject: Keysize mismatch error on host key
References: <38D2C883.98A5AA31@futuristics.net> <20000317173550.B21893@moni.msci.memphis.edu>
Message-ID: <38D2CD28.7BC680D2@futuristics.net>

Thanks for the reply Mate.

Problem is that scp puts that entry in there as part of its processing.
Is there a way to prevent scp from updating the known_host file
altogether?  Through config maybe?  I'll look into that.  But if I side
step it this way can I be sure it won't choke on the next key lookup for
the identity of the sender?

I'll get back to list with the results.

Thanks
Tim

Mate Wierdl wrote:
>
> So why not just delete the appropriate entry from the local
> known_hosts file?
>
> Mate
> On Fri, Mar 17, 2000 at 07:06:27PM -0500, Tim G. Farrell wrote:
> > I've got a problem that I'm hoping the list can help with, otherwise ...
> >
> > Here's the problem, I've got OpenSSH 1.2.2p1 running on my Intel Linux
> > box as the secure server.  I can connect from another Intel Linux box
> > using scp and it all seems to work fine.
> >
> > Another box tries to connect and it gets a warning about the host
> > keysize not matching.  I'm thinking this could be some byte swapping
> > issue because this box is running Solaris 2.6.  This Solaris box is using
> > the EGD script for its random stuff, if that makes a difference.  Anyone
> > have any ideas on where to start looking?  I'm willing to chase it
> > down.
> >
> > I tried modifying the known_hosts file as the warning suggests to no
> > avail.
> >
> > Here's the output of what I'm seeing:
> >
> > The authenticity of host 'xxx.somewhere.net' can't be established.
> > Key fingerprint is 1024 28:b0:37:af:d4:ec:09:1f:fb:4f:5e:47:e8:fb:b1:c8.
> > Are you sure you want to continue connecting (yes/no)? yes
> > Warning: Permanently added 'xxx.somewhere.net,1.1.1.1' to the list
> > of known hosts.
> > Warning: /usr/guest/.ssh/known_hosts, line 1: keysize mismatch for host
> > xxx.somewhere.net: actual 1048 vs. announced 1024.
> > Warning: replace 1024 with 1048 in /usr/guest/.ssh/known_hosts, line 1.
> > Warning: /usr/guest/.ssh/known_hosts, line 1: keysize mismatch for host
> > 1.1.1.1: actual 1048 vs. announced 1024.
> > Warning: replace 1024 with 1048 in /usr/guest/.ssh/known_hosts, line 1.
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> > Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> > It is also possible that the host key has just been changed.
> > Please contact your system administrator.
> > Add correct host key in /usr/guest/.ssh/known_hosts to get rid of this
> > message.
> > Host key for xxx.somewhere.net has changed and you have requested strict
> > checking.
> > lost connection
> >
> > Tim Farrell   tfarrell-t at futuristics.net   ( remove the -t to use this
> > address )
> >
>
> --
> ---
> Mate Wierdl | Dept. of Math. Sciences | University of Memphis

--
Tim Farrell                Futuristics, Inc         email: tfarrell at futuristics.net
Senior                     Suite 200                voice: (724) 934-9750
Software                   9500 Brooktree Rd.       fax:   (724) 934-9780
Engineer                   Wexford, PA 15090        http://www.futuristics.net
                           Tomorrow's results today!

From djm at mindrot.org Sat Mar 18 10:55:52 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 18 Mar 2000 10:55:52 +1100 (EST)
Subject: Keysize mismatch error on host key
In-Reply-To: <38D2C883.98A5AA31@futuristics.net>
Message-ID:

On Fri, 17 Mar 2000, Tim G. Farrell wrote:

> I've got a problem that I'm hoping the list can help with, otherwise ...
>
> Here's the problem, I've got OpenSSH 1.2.2p1 running on my Intel Linux
> box as the secure server.  I can connect from another Intel Linux box
> using scp and it all seems to work fine.

What version of OpenSSL are you running on the Linux box?

These errors are often symptomatic of an OpenSSL version mismatch.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From B.Candler at pobox.com Sun Mar 19 06:55:56 2000
From: B.Candler at pobox.com (Brian Candler)
Date: Sat, 18 Mar 2000 19:55:56 +0000
Subject: X forwarding / hostname
Message-ID: <20000318195556.B1325@linnet.org>

Hi,

I'm running OpenSSH-1.2.2p1 under RH Linux 6.1.  One of my machines is a
laptop, and its IP address tends to change as I move it around.  I have
set its kernel hostname to "vaio.linnet.org", and have the following in
/etc/hosts to ensure this name is always usable:

127.0.0.1	localhost.localdomain localhost vaio.linnet.org

Now, the problem is with X forwarding.  If I ssh into this box with X
forwarding, it doesn't work - see transcript below.  I have to set
"hostname <real-hostname>" (where real-hostname is whatever today's name
is), and restart sshd, before it will work.

Now, ssh appears to use the kernel hostname when deciding what address to
provide the tunneled X service on:

[brian at vaio brian]$ echo $DISPLAY
vaio.linnet.org:10.0

So, my questions are:

(1) Why doesn't this work when the hostname resolves to 127.0.0.1?

(2) Wouldn't it be better/more secure to do all the host forwarding via
    127.0.0.1 anyway?  (i.e. DISPLAY=127.0.0.1:10.0)  In this case, sshd
    wouldn't actually care what the kernel thought the hostname was.

Thanks,

Brian Candler.

[please CC me on any reply]

--------------------------------------------------------------------------
$ ssh -v -X
...
debug: Requesting X11 forwarding with authentication spoofing.
...
[brian at vaio brian]$ xclock
debug: Received X11 open request.
debug: channel 0: new [X11 connection from localhost.localdomain port 1117]
debug: X11 connection uses different authentication protocol.
X11 connection rejected because of wrong authentication.
debug: X11 rejected 0 i1/o16
debug: channel 0: INPUT_OPEN -> INPUT_WAIT_DRAIN [read failed]
debug: channel 0: shutdown_read
debug: channel 0: OUTPUT_OPEN -> OUTPUT_WAIT_IEOF [write failed]
debug: channel 0: shutdown_write
debug: X11 rejected 0 i2/o64
debug: channel 0: INPUT_WAIT_DRAIN -> INPUT_WAIT_OCLOSE [inbuf empty, send IEOF]
debug: channel 0: OUTPUT_WAIT_IEOF -> OUTPUT_CLOSED [rvcd IEOF]
debug: channel 0: INPUT_WAIT_OCLOSE -> INPUT_CLOSED [rcvd OCLOSE]
debug: channel 0: full closed
X connection to vaio.linnet.org:10.0 broken (explicit kill or server shutdown).
[brian at vaio brian]$ xauth list
localhost.localdomain:10  MIT-MAGIC-COOKIE-1  95578613453a5bc68fc0f40d9acfe1b2
[brian at vaio brian]$ hostname
vaio.linnet.org
[brian at vaio brian]$

[P.S. It also doesn't work if I set "hostname localhost.localdomain"
before restarting sshd]

From markus.friedl at informatik.uni-erlangen.de Mon Mar 20 04:45:56 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 19 Mar 2000 18:45:56 +0100
Subject: X forwarding / hostname
In-Reply-To: <20000318195556.B1325@linnet.org>; from B.Candler@pobox.com on Sat, Mar 18, 2000 at 07:55:56PM +0000
References: <20000318195556.B1325@linnet.org>
Message-ID: <20000319184556.A13785@folly.informatik.uni-erlangen.de>

On Sat, Mar 18, 2000 at 07:55:56PM +0000, Brian Candler wrote:
> (1) Why doesn't this work when the hostname resolves to 127.0.0.1?

it's a bug in a X library, see my posting some weeks ago.

> (2) Wouldn't it be better/more secure to do all the host forwarding via
>     127.0.0.1 anyway?  (i.e. DISPLAY=127.0.0.1:10.0)  In this case, sshd
>     wouldn't actually care what the kernel thought the hostname was.

yes, this would be better.

From johnnyb at wolfram.com Mon Mar 20 10:11:33 2000
From: johnnyb at wolfram.com (Jonathan Bartlett)
Date: Sun, 19 Mar 2000 17:11:33 -0600 (CST)
Subject: problem using openssh in a mixed environment
Message-ID:

If I ssh into a host that uses openssh, and then try to ssh into a host
using ssh-1.2.27-5i, I get an error saying:

You have no controlling tty.  Cannot read passphrase.

If I am doing something wrong, please email me directly because I am not
subscribed to this list.

Jon

From tfarrell at futuristics.net Tue Mar 21 01:29:28 2000
From: tfarrell at futuristics.net (Tim G. Farrell)
Date: Mon, 20 Mar 2000 09:29:28 -0500
Subject: Keysize mismatch error on host key
References:
Message-ID: <38D635C8.CBD71AFA@futuristics.net>

It's OpenSSL version 0.9.5 on both the Linux and Solaris sides of the
connection.  If there's something better to run, let me know.

Could the identity files cause an error like this, even though it's
talking about the known_hosts file?  I wonder.  I supplied the identity
files to the other side of the connection, mostly to make it easier for
them.  Maybe they got corrupted in transmission.

Damien Miller wrote:
>
> On Fri, 17 Mar 2000, Tim G. Farrell wrote:
>
> > I've got a problem that I'm hoping the list can help with, otherwise ...
> >
> > Here's the problem, I've got OpenSSH 1.2.2p1 running on my Intel Linux
> > box as the secure server.  I can connect from another Intel Linux box
> > using scp and it all seems to work fine.
>
> What version of OpenSSL are you running on the Linux box?
>
> These errors are often symptomatic of an OpenSSL version mismatch.
>
> -d
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

--
Tim Farrell                Futuristics, Inc         email: tfarrell at futuristics.net
Senior                     Suite 200                voice: (724) 934-9750
Software                   9500 Brooktree Rd.       fax:   (724) 934-9780
Engineer                   Wexford, PA 15090        http://www.futuristics.net
                           Tomorrow's results today!

From marc.fournier at acadiau.ca Tue Mar 21 02:13:37 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Mon, 20 Mar 2000 11:13:37 -0400 (AST)
Subject: scp as user -> user ends up as root ?
Message-ID:

Is the following a known "bug", fixed in newer releases, or something
new?

Thanks ...

From sysA:

hermes:/tmp> scp LOG sais at iceberg:/tmp/LOG.test
LOG                  100% |*****************************|   138       00:00 ETA
hermes:/tmp> id
uid=113(edenauto) gid=680(edndev)
hermes:/tmp>

To sysB:

iceberg:/tmp> ls -lt LOG*
-rw-r--r--   1 root     centre       138 Mar 20 11:11 LOG.test
-rw-r--r--   1 root     other        138 Mar 20 01:30 LOG
iceberg:/tmp>

hermes:/tmp> ssh -v
SSH Version OpenSSH-1.2.1, protocol version 1.5.
Compiled with SSL.

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University

"These are my opinions, which are not necessarily shared by my employer"

From djm at mindrot.org Wed Mar 22 17:39:12 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 22 Mar 2000 17:39:12 +1100 (EST)
Subject: Keysize mismatch error on host key
In-Reply-To: <38D635C8.CBD71AFA@futuristics.net>
Message-ID:

On Mon, 20 Mar 2000, Tim G. Farrell wrote:

> It's OpenSSL version 0.9.5 on both the Linux and Solaris sides of the
> connection.  If there's something better to run, let me know.

OpenSSL 0.9.5 works fine for me and most others who have tried it.

> Could the identity files cause an error like this, even though it's
> talking about the known_hosts file?  I wonder.  I supplied the identity
> files to the other side of the connection, mostly to make it easier for
> them.  Maybe they got corrupted in transmission.

Check for linebreaks and other junk that may have got in there.

Perhaps it would be easier to delete the offending lines and allow a
normal ssh connection to fetch the public keys again (after checking the
fingerprints, of course)

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Wed Mar 22 17:39:46 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 22 Mar 2000 17:39:46 +1100 (EST)
Subject: scp as user -> user ends up as root ?
In-Reply-To:
Message-ID:

On Mon, 20 Mar 2000, Marc G. Fournier wrote:

>
> Is the following a known "bug", fixed in newer releases, or something new?

What are the permissions on your scp binary?

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From marc.fournier at acadiau.ca Thu Mar 23 00:18:06 2000
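An added example, mine rather than code from the thread or from OpenSSH, for the keysize thread above. It does the two things Damien's last reply there amounts to: find the known_hosts line whose announced key size cannot belong to the modulus stored next to it (the "actual vs. announced" disagreement ssh reports, found before connecting), and remove that host's line so the next connection fetches the key afresh, once you have checked the fingerprint out of band. It works on protocol 1 known_hosts lines, "hostnames bits exponent modulus", which is what OpenSSH 1.2.x wrote. The sample lines in the demo are constructed, with digit strings standing in for real moduli; the hostnames are the ones from Tim's transcript.

```sh
#!/bin/sh
# Added example, not from the thread or from OpenSSH.  Protocol-1 known_hosts
# lines (what OpenSSH 1.2.x wrote) look like:
#     hostnames bits exponent modulus [comment]
# with hostnames a comma-separated list such as "xxx.somewhere.net,1.1.1.1".

# known_hosts_check FILE : report lines whose announced bit count cannot be the
# bit length of the stored decimal modulus.  A d-digit number has between
# int((d-1)*log2(10))+1 and int(d*log2(10))+1 bits, so a line announcing
# 1024 bits but carrying a 316-digit (1047..1050 bit) modulus is the same
# "actual vs. announced" mismatch ssh warns about, caught without connecting.
known_hosts_check() {
  awk '
    NF >= 4 && $2 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ {
      d  = length($4)
      lo = int((d - 1) * log(10) / log(2)) + 1
      hi = int(d * log(10) / log(2)) + 1
      if ($2 + 0 < lo || $2 + 0 > hi)
        printf "line %d: %s announces %d bits, modulus has %d digits (%d-%d bits)\n",
               NR, $1, $2, d, lo, hi
    }' "$1"
}

# known_hosts_remove HOST FILE : drop every line whose host list contains HOST
# as one exact comma-separated entry; all other lines are kept byte for byte.
# (Current OpenSSH has "ssh-keygen -R HOST" for this; 1.2.x did not.)
known_hosts_remove() {
  host=$1; file=$2
  tmp=$(mktemp) || return 1
  awk -v h="$host" '
    {
      n = split($1, names, ","); keep = 1
      for (i = 1; i <= n; i++) if (names[i] == h) keep = 0
      if (keep) print
    }' "$file" > "$tmp" && cat "$tmp" > "$file"
  rm -f "$tmp"
}

# Demonstration on a constructed file: digit strings stand in for real moduli
# (309 digits is the length of a 1024-bit modulus, 316 that of a 1048-bit one).
demo() {
  kh=$(mktemp) || return 1
  good=$(printf '%0309d' 0 | tr 0 7)
  bad=$(printf '%0316d' 0 | tr 0 7)
  printf 'good.example.net,10.0.0.1 1024 35 %s\n' "$good" > "$kh"
  printf 'xxx.somewhere.net,1.1.1.1 1024 35 %s\n' "$bad" >> "$kh"
  known_hosts_check "$kh"
  known_hosts_remove xxx.somewhere.net "$kh"
  echo "after removal: $(grep -c . "$kh") line(s) left"
  rm -f "$kh"
}
demo
```

Removing by either name in the list works, since the line in Tim's transcript carries both "xxx.somewhere.net" and "1.1.1.1"; what the check cannot tell you is which side is wrong, so the fingerprint still has to be confirmed with the server's administrator before the re-fetched key is trusted.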
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Wed, 22 Mar 2000 09:18:06 -0400 (AST)
Subject: scp as user -> user ends up as root ?
In-Reply-To:
Message-ID:

hermes:/home/centre/marc> ls -lt `which scp`
-r-sr-xr-x   1 root     other      23288 Jan 18 13:21 /usr/slocal/bin/scp

On Wed, 22 Mar 2000, Damien Miller wrote:

> On Mon, 20 Mar 2000, Marc G. Fournier wrote:
>
> >
> > Is the following a known "bug", fixed in newer releases, or something new?
>
> What are the permissions on your scp binary?
>
> -d
>
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
>
>
>

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University

"These are my opinions, which are not necessarily shared by my employer"

From markus.friedl at informatik.uni-erlangen.de Thu Mar 23 01:42:32 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 22 Mar 2000 15:42:32 +0100
Subject: scp as user -> user ends up as root ?
In-Reply-To: ; from marc.fournier@acadiau.ca on Wed, Mar 22, 2000 at 09:18:06AM -0400
References:
Message-ID: <20000322154232.A11937@folly.informatik.uni-erlangen.de>

> -r-sr-xr-x   1 root     other      23288 Jan 18 13:21 /usr/slocal/bin/scp

only the 'ssh' binary needs a s-bit.

From yashy at yashy.com Thu Mar 23 03:57:24 2000
From: yashy at yashy.com (Yasholomew Yashinski)
Date: Wed, 22 Mar 2000 11:57:24 -0500 (EST)
Subject: ssh 1.2.3
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I just downloaded the source tarball and noticed the "configure" file is
missing, as well as an INSTALL file.  I am not subscribed to the list, just
thought I'd bring it to your attention in case you weren't aware.

- --
..Yashy
http://crypto.yashy.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE42Pt5FM22zL2gTQcRAg/XAJ9DahMY0of3t9gxzXD4cqXmq9KxlACfZaFX
nwES+XsdhiUPfhGlOJgD9UY=
=uMku
-----END PGP SIGNATURE-----

From dustin.offutt at saraide.com Thu Mar 23 03:52:26 2000
From: dustin.offutt at saraide.com (Dustin Offutt)
Date: Wed, 22 Mar 2000 10:52:26 -0600
Subject: configure: error: *** zlib missing
Message-ID: <001701bf941f$0143c9a0$390e0a0a@sparrow.saraide.net>

OpenSSH v1.2.2p1
Solaris v2.6
Sun e450
gcc v2.8.1

Problem description: zlib has been installed, yet after using advice
gleaned from mail-list archives, got past what sounds like the normal
Solaris/OpenSSHv1.2.2p1 errors and am receiving a "configure: error: ***
zlib missing - please install first ***".

.../archive/zlib/1.1.3# make install
cp zlib.h zconf.h /usr/local/include
chmod 644 /usr/local/include/zlib.h /usr/local/include/zconf.h
cp libz.a /usr/local/lib
cd /usr/local/lib; chmod 755 libz.a
cd /usr/local/lib; if test -f libz.so.1.1.3; then \
  rm -f libz.so libz.so.1; \
  ln -s libz.so.1.1.3 libz.so; \
  ln -s libz.so.1.1.3 libz.so.1; \
  (ldconfig || true) >/dev/null 2>&1; \
fi

cd .../archive/OpenSSH/solaris/1.2.2p1

./configure
checking for OpenSSL/SSLeay directory... configure: error: Could not find working SSLeay / OpenSSL libraries, please install

LDFLAGS="-L/usr/local/ssl/lib" \
CFLAGS="-I/usr/local/ssl/include" \
LIBS="-lRSAref -lRSAglue" ./configure

LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/lib" \
CFLAGS="-I/usr/local/ssl/include" \
LIBS="-lRSAref -lRSAglue" ./configure
configure: error: *** zlib missing - please install first ***

LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/lib" \
CFLAGS="-I/usr/local/ssl/include" \
LIBS="-lRSAref -lRSAglue -lz" ./configure
checking whether the C compiler (gcc -I/usr/local/ssl/include -L/usr/local/ssl/lib) works... no
configure: error: installation or configuration problem: C compiler cannot create executables.

LDFLAGS="-L/usr/local/ssl/lib" CFLAGS="-I/usr/local/ssl/include" LIBS="-lRSAref -lRSAglue -lz" ./configure
configure: error: *** zlib missing - please install first ***

From mouring at pconline.com Thu Mar 23 03:53:30 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Wed, 22 Mar 2000 10:53:30 -0600 (CST)
Subject: ssh 1.2.3
In-Reply-To:
Message-ID:

You downloaded the OpenBSD version..  Try here:

http://violet.ibs.com.au/openssh/

We are testing a 1.2.3pre5 (last I looked).

On Wed, 22 Mar 2000, Yasholomew Yashinski wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> I just downloaded the source tarball and noticed the "configure" file is
> missing, as well as an INSTALL file.  I am not subscribed to the list, just
> thought I'd bring it to your attention in case you weren't aware.
>
> - --
> ..Yashy
> http://crypto.yashy.com
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.0 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE42Pt5FM22zL2gTQcRAg/XAJ9DahMY0of3t9gxzXD4cqXmq9KxlACfZaFX
> nwES+XsdhiUPfhGlOJgD9UY=
> =uMku
> -----END PGP SIGNATURE-----
>
>

From marc.fournier at acadiau.ca Thu Mar 23 04:02:35 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Wed, 22 Mar 2000 13:02:35 -0400 (AST)
Subject: scp as user -> user ends up as root ?
In-Reply-To: <20000322154232.A11937@folly.informatik.uni-erlangen.de>
Message-ID:

so, do we have a problem with install?  I know I haven't modified
anything from the simple 'make install' ..

On Wed, 22 Mar 2000, Markus Friedl wrote:

> > -r-sr-xr-x   1 root     other      23288 Jan 18 13:21 /usr/slocal/bin/scp
>
> only the 'ssh' binary needs a s-bit.
>

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University

"These are my opinions, which are not necessarily shared by my employer"

From tpiselli at atcc.org Thu Mar 23 06:12:47 2000
From: tpiselli at atcc.org (Piselli, Tony)
Date: Wed, 22 Mar 2000 14:12:47 -0500
Subject: solaris build error for version 1.2.2p1
Message-ID: <371D57C8E3FCD2119B6A0090274F6BBECC9900@michael.atcc.org>

Hi folks,

I'm trying to build openssh on a Sun Ultra 10 running Solaris 7.  I've
installed the latest version of openssl, egd, and zlib without any
problems.  I was able to build and install openssh 1.2.2 without problems
but could not create a host key due to an error stating that RSA was not
available in the openssl libraries.  So, I decided to build the latest
version of openssh (1.2.2p1) first to see if the patch fixes this problem.
When I run 'make' it dies with the following error:

gcc -g -O2 -I/usr/include -I/usr/local/openssl/include -I/usr/lib/openssl/include -I/usr/local/ssl/include -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c log.c
log.c: In function `fatal':
log.c:17: `__builtin_va_alist' undeclared (first use in this function)
log.c:17: (Each undeclared identifier is reported only once
log.c:17: for each function it appears in.)
log.c: In function `error':
log.c:29: `__builtin_va_alist' undeclared (first use in this function)
log.c: In function `log':
log.c:40: `__builtin_va_alist' undeclared (first use in this function)
log.c: In function `verbose':
log.c:51: `__builtin_va_alist' undeclared (first use in this function)
log.c: In function `debug':
log.c:62: `__builtin_va_alist' undeclared (first use in this function)
*** Error code 1
make: Fatal error: Command failed for target `log.o'

Some help or guidance with this problem would be great.  Please email me
directly since I've yet to subscribe to this list.

Thanks,

Tony

//============================================
Tony Piselli
Jr. Systems Analyst
Bioinformatics Department (www.bif.atcc.org)
American Type Culture Collection (www.atcc.org)
tpiselli at atcc.org
A.T.C.C.
Bioinformatics and Information Technology: Just BIF IT!
//============================================

From paul at xtdnet.nl Thu Mar 23 07:53:00 2000
From: paul at xtdnet.nl (Paul Wouters)
Date: Wed, 22 Mar 2000 21:53:00 +0100 (MET)
Subject: scp and .bashrc
Message-ID:

Between two Linux/x86 servers, running RedHat 6.1 and openssh-1.2.2p1-1 I found that "scp" fails with a :

Write failed flushing stdout buffer.
write stdout: Broken pipe

if your .bashrc file generates any output (eg my todo list :)

Paul
--
"Artificial realms such as mathematics and theology are carefully built to be free of interesting inconsistency. But love is beautiful in its lack of logical restraint" --- The Voltaire Sim, FF, Gregory Benford

From djm at mindrot.org Thu Mar 23 08:13:10 2000
From: djm at mindrot.org (Damien Miller)
Date: Thu, 23 Mar 2000 08:13:10 +1100 (EST)
Subject: scp as user -> user ends up as root ?
In-Reply-To:
Message-ID:

On Wed, 22 Mar 2000, Marc G. Fournier wrote:

> hermes:/home/centre/marc> ls -lt `which scp`
> -r-sr-xr-x 1 root other 23288 Jan 18 13:21 /usr/slocal/bin/scp

scp should _not_ be setuid. Did "make install" install it as such?

-d
--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Thu Mar 23 08:15:58 2000
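The thread above is about an scp that ended up installed set-uid root when only ssh should carry the s-bit. The following is an added example, not code from the list or from OpenSSH: a small post-install audit that scans a bin directory for set-uid regular files and reports any not on an explicit allow list. The fixture directory, the file names and the allow list containing only "ssh" are constructed for the demonstration; scan_setuid and make_fixture are hypothetical names, not OpenSSH functions.

```c
/* Added example, not code from the thread or from OpenSSH: audit a bin
 * directory for set-uid binaries and report any that are not allow-listed.
 * In the thread only 'ssh' is said to need the s-bit, so an scp with mode
 * -r-sr-xr-x is a mis-installation a deploy check should catch. */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_FOUND 64

/* Names of set-uid regular files that were not on the allow list. */
struct setuid_report {
    size_t count;                       /* total found, even beyond MAX_FOUND */
    char names[MAX_FOUND][NAME_MAX + 1];
};

static int is_allowed(const char *name, const char *const *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, allowed[i]) == 0)
            return 1;
    return 0;
}

/* Scan one directory (not recursive). Returns the number of unexpected
 * set-uid files, or -1 if the directory cannot be opened. */
int scan_setuid(const char *dir, const char *const *allowed, size_t n_allowed,
                struct setuid_report *rep)
{
    char path[PATH_MAX];
    struct stat st;
    struct dirent *de;
    DIR *d = opendir(dir);

    if (d == NULL)
        return -1;
    rep->count = 0;
    while ((de = readdir(d)) != NULL) {
        if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0)
            continue;
        snprintf(path, sizeof path, "%s/%s", dir, de->d_name);
        /* lstat: a symlink to a set-uid file elsewhere is not this dir's finding */
        if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
            continue;
        if (!(st.st_mode & S_ISUID) || is_allowed(de->d_name, allowed, n_allowed))
            continue;
        if (rep->count < MAX_FOUND) {
            strncpy(rep->names[rep->count], de->d_name, NAME_MAX);
            rep->names[rep->count][NAME_MAX] = '\0';
        }
        rep->count++;
    }
    closedir(d);
    return (int)rep->count;
}

/* Constructed fixture: a temp bin dir with set-uid 'ssh' and 'scp' (the
 * mis-installation from the thread) plus a plain 'ssh-keygen'. Writes the
 * directory path into buf and returns buf, or NULL on failure. */
char *make_fixture(char *buf, size_t len)
{
    static const char *const files[] = { "ssh", "scp", "ssh-keygen" };
    char tmpl[] = "/tmp/sshbinXXXXXX";
    char path[PATH_MAX];

    if (mkdtemp(tmpl) == NULL)
        return NULL;
    for (size_t i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", tmpl, files[i]);
        int fd = open(path, O_WRONLY | O_CREAT, 0755);
        if (fd < 0)
            return NULL;
        close(fd);
        if (i < 2 && chmod(path, S_ISUID | 0755) != 0)  /* s-bit on ssh and scp only */
            return NULL;
    }
    snprintf(buf, len, "%s", tmpl);
    return buf;
}

int main(void)
{
    char dir[PATH_MAX];
    const char *const allow[] = { "ssh" };  /* the only binary that may carry the s-bit */
    struct setuid_report rep;

    if (make_fixture(dir, sizeof dir) == NULL)
        return 1;
    int n = scan_setuid(dir, allow, 1, &rep);
    for (size_t i = 0; i < rep.count && i < MAX_FOUND; i++)
        printf("unexpected set-uid binary: %s/%s\n", dir, rep.names[i]);
    return n == 0 ? 0 : 2;   /* non-zero exit so a deploy script can fail on it */
}
```

Pointing scan_setuid at the real installation prefix (for example the /usr/slocal/bin from the ls output above) with the same one-entry allow list gives the check Damien is asking Marc to perform by hand; the test for the set-uid bit deliberately ignores file ownership, since scp should not carry the bit whoever owns it.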
From: djm at mindrot.org (Damien Miller)
Date: Thu, 23 Mar 2000 08:15:58 +1100 (EST)
Subject: scp and .bashrc
In-Reply-To:
Message-ID:

On Wed, 22 Mar 2000, Paul Wouters wrote:

> Between two Linux/x86 servers, running RedHat 6.1 and openssh-1.2.2p1-1 I
> found that "scp" fails with a :
>
> Write failed flushing stdout buffer.
> write stdout: Broken pipe
>
> if your .bashrc file generates any output (eg my todo list :)

Things that generate output should be in your .bash_login file.

-d
--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From lhecking at nmrc.ucc.ie Thu Mar 23 12:25:56 2000
From: lhecking at nmrc.ucc.ie (Lars Hecking)
Date: Thu, 23 Mar 2000 01:25:56 +0000
Subject: Man pages ...
Message-ID: <20000323012556.A16387@tehran.nmrc.ucc.ie>

Hi all.

I can't read the openssh man pages on Solaris. I tried all the nroff macro packages I could find, with more or less garbled success. Could someone point me to versions suitable for Solaris, or a man2sgml converter? Or to a good online tutorial covering this issue (SysV vs. BSD?) that would allow me to translate the nroff dialects involved? In the latter case, I would of course contribute the results back :)

[yes, I know about the online html versions, but I want man pages :)]

I'm not on the list btw. Thanks for listening!

--
Tia ma aven Moridin isainde vadin.

From marc.fournier at acadiau.ca Thu Mar 23 23:55:44 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Thu, 23 Mar 2000 08:55:44 -0400 (AST)
Subject: scp as user -> user ends up as root ?
In-Reply-To:
Message-ID:

On Thu, 23 Mar 2000, Damien Miller wrote:

> On Wed, 22 Mar 2000, Marc G. Fournier wrote:
>
> > hermes:/home/centre/marc> ls -lt `which scp`
> > -r-sr-xr-x 1 root other 23288 Jan 18 13:21 /usr/slocal/bin/scp
>
> scp should _not_ be setuid. Did "make install" install it as such?

It's been awhile, but I don't recall having done it manually :( it is entirely possible that I did, just not sure why I would ...

From levitte at stacken.kth.se Fri Mar 24 05:08:20 2000
From: levitte at stacken.kth.se (Richard Levitte - VMS Whacker)
Date: Thu, 23 Mar 2000 19:08:20 +0100
Subject: Found a bug in the OpsnSSH configuration script
Message-ID: <20000323190820M.levitte@pizza.stacken.kth.se>

[I'm cc:ing openssl-users at openssl.org, because questions about this are getting there over and over...]

There's a problem that several people who installed OpenSSL to be able to use OpenSSH have faced:

Could not find working SSLeay / OpenSSL libraries, please install

I don't recall how SSLeay was installed, but for OpenSSL, there's a glitch in the way it tries to find the libraries. The following fix works for me:

--- configure.in.orig Thu Mar 23 18:56:58 2000 +++ configure.in Thu Mar 23 18:55:05 2000 @@ -152,10 +152,10 @@ AC_MSG_CHECKING([for OpenSSL/SSLeay directory]) for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do if test ! -z "$ssldir" ; then - LIBS="$saved_LIBS -L$ssldir" + LIBS="$saved_LIBS -L$ssldir/lib" CFLAGS="$CFLAGS -I$ssldir/include" if test "x$need_dash_r" = "x1" ; then - LIBS="$LIBS -R$ssldir" + LIBS="$LIBS -R$ssldir/lib" fi fi LIBS="$LIBS -lcrypto" --- configure.orig Thu Mar 23 18:55:02 2000 +++ configure Thu Mar 23 18:57:08 2000
@@ -1890,10 +1890,10 @@ echo "configure:1891: checking for OpenSSL/SSLeay directory" >&5 for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do if test ! -z "$ssldir" ; then - LIBS="$saved_LIBS -L$ssldir" + LIBS="$saved_LIBS -L$ssldir/lib" CFLAGS="$CFLAGS -I$ssldir/include" if test "x$need_dash_r" = "x1" ; then - LIBS="$LIBS -R$ssldir" + LIBS="$LIBS -R$ssldir/lib" fi fi LIBS="$LIBS -lcrypto"

--
Richard Levitte \ Spannvägen 38, II \ LeViMS at stacken.kth.se
Chairman at Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
Redakteur at Stacken \ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- bastard at bofh.se
Member of the OpenSSL development team

Unsolicited commercial email is subject to an archival fee of $400.
See for more info.

From jeckstei at rutcor.rutgers.edu Fri Mar 24 08:20:08 2000
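Review bot: in both hunks the change from -L$ssldir to -L$ssldir/lib (and -R$ssldir to -R$ssldir/lib) replaces one search location rather than adding one, so the bare directory is no longer probed at all; because the loop also starts with "" and $tryssldir, a build against an OpenSSL source tree where libcrypto sits directly in $ssldir (the uninstalled layout) will now fail where it used to work. Suggest trying both, for example LIBS="$saved_LIBS -L$ssldir/lib -L$ssldir" with the matching pair of -R flags, or checking for $ssldir/lib before choosing which suffix to use. Also, configure is generated from configure.in, so the second hunk should come from re-running autoconf rather than from hand-editing the generated file, otherwise the two copies drift apart at the next regeneration.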
From: jeckstei at rutcor.rutgers.edu (Jonathan Eckstein)
Date: Thu, 23 Mar 2000 16:20:08 -0500
Subject: How to install openssh?
Message-ID: <38DA8A88.6011EB88@rutcor.rutgers.edu>

I need to use ssh (both incoming and outgoing) on a SPARC Solaris 7 workstation.

I just downloaded openssh from

ftp://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/openssh-1.2.3.tgz

as instructed on the www.openssh.com website.

After gunzipping and untarring everything, I note that it says that installation instructions are in the file "INSTALL". But there is no such file!

I am not sure how to proceed. Please advise.

-- Jonathan

--
Associate Professor Jonathan Eckstein
MSIS Department, Faculty of Management, Rutgers University

 TEACHING ADDRESS                RESEARCH ADDRESS
+------------------------------+--------------------------------+
| 255 J.H. Levin Building      | RUTCOR, Room 148               |
| 94 Rockafeller Road          | 640 Bartholomew Road           |
| Livingston Campus            | Busch Campus                   |
| Rutgers University           | Rutgers University             |
| Piscataway, NJ 08854 USA     | Piscataway, NJ 08854 USA       |
| (732) 445-0510               | (732) 445-3596                 |
| FAX (732) 445-6329           | FAX (732) 445-5472             |
+------------------------------+--------------------------------+

jeckstei at rutcor.rutgers.edu
http://rutcor.rutgers.edu:80/~jeckstei/

From mw at moni.msci.memphis.edu Fri Mar 24 09:38:11 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl) Date: Thu, 23 Mar 2000 16:38:11 -0600 Subject: How to install openssh? In-Reply-To: <38DA8A88.6011EB88@rutcor.rutgers.edu>; from jeckstei@rutcor.rutgers.edu on Thu, Mar 23, 2000 at 04:20:08PM -0500 References: <38DA8A88.6011EB88@rutcor.rutgers.edu> Message-ID: <20000323163811.A13012@moni.msci.memphis.edu> You got the openbsd version. Try ftp://thermo.stat.ncsu.edu/pub/openssh/files/test//openssh-1.2.3pre5.tar.gz Mate On Thu, Mar 23, 2000 at 04:20:08PM -0500, Jonathan Eckstein wrote: > I need to use ssh (both incoming and outgoing) on a SPARC Solaris 7 > workstation. > > I just downloaded openssh from > > ftp://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/openssh-1.2.3.tgz > > as instructe on the www.openssh.com website. > > After gunzipping and untarring everything, I note that is says that > installation instructions are in the file "INSTALL". But there is no > such file! > > I am not sure how to proceed. Please advise. > > -- Jonathan > > > -- > > Associate Professor Jonathan Eckstein > MSIS Department, Faculty of Management, Rutgers University > > TEACHING ADDRESS RESEARCH ADDRESS > +------------------------------+--------------------------------+ > | 255 J.H. Levin Building | RUTCOR, Room 148 | > | 94 Rockafeller Road | 640 Bartholomew Road | > | Livingston Campus | Busch Campus | > | Rutgers University | Rutgers University | > | Piscataway, NJ 08854 USA | Piscataway, NJ 08854 USA | > | (732) 445-0510 | (732) 445-3596 | > | FAX (732) 445-6329 | FAX (732) 445-5472 | > +------------------------------+--------------------------------+ > > jeckstei at rutcor.rutgers.edu > > http://rutcor.rutgers.edu:80/~jeckstei/ > -- --- Mate Wierdl | Dept. of Math. Sciences | University of Memphis From mpp at FreeBSD.org Fri Mar 24 14:22:39 2000 
From: mpp at FreeBSD.org (mpp at FreeBSD.org) Date: Thu, 23 Mar 2000 19:22:39 -0800 (PST) Subject: typos in ssh.1 & sshd.8 man pages Message-ID: <200003240322.TAA67842@freefall.freebsd.org> Attached is a patch to fix a few typos in the ssh.1 and sshd.8 man pages. I just committed these to FreeBSD, and hope that you can incorporate them in your version. -Mike -- Mike Pritchard mpp at FreeBSD.org or mpp at mppsystems.com ----cut here--- Index: ssh.1 =================================================================== RCS file: /home/ncvs/src/crypto/openssh/ssh.1,v retrieving revision 1.4 retrieving revision 1.5 diff -u -u -r1.4 -r1.5 --- ssh.1 2000/03/10 11:48:49 1.4 +++ ssh.1 2000/03/24 02:26:54 1.5 @@ -360,7 +360,7 @@ Quiet mode. Causes all warning and diagnostic messages to be suppressed. Only fatal errors are displayed. .It Fl t -Force pseudo-tty allocation. This can be used to execute arbitary +Force pseudo-tty allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful e.g. when implementing menu services. .It Fl v @@ -574,7 +574,7 @@ .Pa /etc/ssh/ssh_known_hosts . .It Cm HostName Specifies the real host name to log into. This can be used to specify -nicnames or abbreviations for hosts. Default is the name given on the +nicknames or abbreviations for hosts. Default is the name given on the command line. Numeric IP addresses are also permitted (both on the command line and in .Cm HostName Index: sshd.8 =================================================================== RCS file: /home/ncvs/src/crypto/openssh/sshd.8,v retrieving revision 1.5 retrieving revision 1.6 diff -u -u -r1.5 -r1.6 --- sshd.8 2000/03/13 00:17:43 1.5 +++ sshd.8 2000/03/24 02:26:54 1.6 
@@ -612,7 +612,7 @@ and .Pa $HOME/.ssh/known_hosts files contain host public keys for all known hosts. The global file should -be prepared by the admistrator (optional), and the per-user file is +be prepared by the administrator (optional), and the per-user file is maintained automatically: whenever the user connects an unknown host its key is added to the per-user file. .Pp From ben at algroup.co.uk Sat Mar 25 00:12:08 2000 From: ben at algroup.co.uk (Ben Laurie) Date: Fri, 24 Mar 2000 13:12:08 +0000 Subject: Found a bug in the OpsnSSH configuration script References: <20000323190820M.levitte@pizza.stacken.kth.se> Message-ID: <38DB69A8.1DB23163@algroup.co.uk> Richard Levitte - VMS Whacker wrote: > > [I'm cc:ing openssl-users at openssl.org, because questions about this > are getting there over and over...] > > There's a problem that several people who installed OpenSSL to be able > to uyse OpenSSH have faced: > > Could not find working SSLeay / OpenSSL libraries, please install > > I don't recall how SSLeay was installed, but for OpenSSL, there's a > glitch in the way it tries to find the libraries. The following fix > works for me: Its looking for an uninstalled version, handy for developers, not so handy for users. Ideally it should try both. Cheers, Ben. > > --- configure.in.orig Thu Mar 23 18:56:58 2000 > +++ configure.in Thu Mar 23 18:55:05 2000 > @@ -152,10 +152,10 @@ > AC_MSG_CHECKING([for OpenSSL/SSLeay directory]) > for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do > if test ! -z "$ssldir" ; then > - LIBS="$saved_LIBS -L$ssldir" > + LIBS="$saved_LIBS -L$ssldir/lib" > CFLAGS="$CFLAGS -I$ssldir/include" > if test "x$need_dash_r" = "x1" ; then > - LIBS="$LIBS -R$ssldir" > + LIBS="$LIBS -R$ssldir/lib" > fi > fi > LIBS="$LIBS -lcrypto" > --- configure.orig Thu Mar 23 18:55:02 2000 > +++ configure Thu Mar 23 18:57:08 2000 
> @@ -1890,10 +1890,10 @@ > echo "configure:1891: checking for OpenSSL/SSLeay directory" >&5 > for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do > if test ! -z "$ssldir" ; then > - LIBS="$saved_LIBS -L$ssldir" > + LIBS="$saved_LIBS -L$ssldir/lib" > CFLAGS="$CFLAGS -I$ssldir/include" > if test "x$need_dash_r" = "x1" ; then > - LIBS="$LIBS -R$ssldir" > + LIBS="$LIBS -R$ssldir/lib" > fi > fi > LIBS="$LIBS -lcrypto" > > -- > Richard Levitte \ Spannv?gen 38, II \ LeViMS at stacken.kth.se > Chairman at Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47 > Redakteur at Stacken \ SWEDEN \ or +46-708-26 53 44 > Procurator Odiosus Ex Infernis -- bastard at bofh.se > Member of the OpenSSL development team > > Unsolicited commercial email is subject to an archival fee of $400. > See for more info. > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users at openssl.org > Automated List Manager majordomo at openssl.org -- http://www.apache-ssl.org/ben.html From levitte at stacken.kth.se Sat Mar 25 01:58:53 2000 
From: levitte at stacken.kth.se (Richard Levitte - VMS Whacker)
Date: Fri, 24 Mar 2000 15:58:53 +0100
Subject: Found a bug in the OpsnSSH configuration script
In-Reply-To: Your message of "Fri, 24 Mar 2000 13:12:08 +0000" <38DB69A8.1DB23163@algroup.co.uk>
References: <38DB69A8.1DB23163@algroup.co.uk>
Message-ID: <20000324155853D.levitte@pizza.stacken.kth.se>

ben> > I don't recall how SSLeay was installed, but for OpenSSL, there's a
ben> > glitch in the way it tries to find the libraries. The following fix
ben> > works for me:
ben>
ben> Its looking for an uninstalled version, handy for developers, not so
ben> handy for users. Ideally it should try both.

In that list of directories? I'm baffled...

ben> > for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do

--
Richard Levitte \ Spannvägen 38, II \ LeViMS at stacken.kth.se
Chairman at Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
Redakteur at Stacken \ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- bastard at bofh.se
Member of the OpenSSL development team

Unsolicited commercial email is subject to an archival fee of $400.
See for more info.

From ben at algroup.co.uk Sat Mar 25 04:36:47 2000
From: ben at algroup.co.uk (Ben Laurie)
Date: Fri, 24 Mar 2000 17:36:47 +0000
Subject: Found a bug in the OpsnSSH configuration script
References: <38DB69A8.1DB23163@algroup.co.uk> <20000324155853D.levitte@pizza.stacken.kth.se>
Message-ID: <38DBA7AF.6414BE1E@algroup.co.uk>

Richard Levitte - VMS Whacker wrote:
>
> ben> > I don't recall how SSLeay was installed, but for OpenSSL, there's a
> ben> > glitch in the way it tries to find the libraries. The following fix
> ben> > works for me:
> ben>
> ben> Its looking for an uninstalled version, handy for developers, not so
> ben> handy for users. Ideally it should try both.
>
> In that list of directories? I'm baffled...
>
> ben> > for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do

I expect you'll find that "" or $tryssldir is the relevant one. :-)

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

From stevem at Digital-Integrity.com Sat Mar 25 05:38:52 2000
From: stevem at Digital-Integrity.com (Steve Mertz)
Date: Fri, 24 Mar 2000 10:38:52 -0800 (PST)
Subject: Problem 'ssh root@server' not working...
Message-ID:

I'm trying to ssh into a server (RedHat 6.1) as root. And it's complaining about bad password. I set logging to debug and this is what it comes up with in the /var/log/messages file...

Mar 24 10:38:08 clunk sshd[9830]: Connection from 192.168.0.102 port 605
Mar 24 10:38:08 clunk sshd[9830]: Failed rsa for ROOT from 192.168.0.102 port 605
Mar 24 10:38:14 clunk sshd[9830]: Failed password for ROOT from 192.168.0.102 port 605
Mar 24 10:38:18 clunk sshd[9830]: Connection closed by 192.168.0.102
Mar 24 10:38:18 clunk sshd[9830]: Cannot close PAM session: System error
Mar 24 10:38:18 clunk sshd[9830]: Cannot delete credentials: Authentication service cannot retrieve user credentials

Any help on how to get this up and working would be appreciated.

Thanks,
Steve

From djm at mindrot.org Sat Mar 25 12:00:30 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 25 Mar 2000 12:00:30 +1100 (EST)
Subject: ANNOUNCE: openssh-1.2.3
Message-ID:

The Unix/Linux port of OpenSSH 1.2.3 was released yesterday and should be available from a mirror near you. A mirror list is available from:

http://violet.ibs.com.au/openssh/files/MIRRORS.html

This release fixes the bugs reported since 1.2.2p1 and contains many cleanups from the OpenBSD tree. In particular, the OpenSSL detection problems have been resolved.

The layout has changed a little bit. The packages/ subdirectory has been replaced with a contrib/ subdirectory which contains platform specific code and other patches. Submissions are welcome.

Enjoy,
Damien Miller

20000317
 - Clarified --with-default-path option.
 - Added -blibpath handling for AIX to work around stupid runtime linking. Problem elucidated by gshapiro at SENDMAIL.ORG by way of Jim Knoble
 - Checks for 64 bit int types. Problem report from Mats Fredholm
 - OpenBSD CVS updates:
   - [atomicio.c auth-krb4.c bufaux.c channels.c compress.c fingerprint.c]
     [packet.h radix.c rsa.c scp.c ssh-agent.c ssh-keygen.c sshconnect.c]
     [sshd.c]
     pedantic: signed vs. unsigned, void*-arithm, etc
   - [ssh.1 sshd.8]
     Various cleanups and standardizations.
 - Runtime error fix for HPUX from Otmar Stahl
20000316
 - Fixed configure not passing LDFLAGS to Solaris. Report from David G. Hesprich
 - Propagate LD through to Makefile
 - Doc cleanups
 - Added blurb about "scp: command not found" errors to UPGRADING
20000315
 - Fix broken CFLAGS handling during search for OpenSSL. Fixes va_list problems with gcc/Solaris.
 - Don't free argument to putenv() after use (in setenv() replacement). Report from Seigo Tanimura
 - Created contrib/ subdirectory. Included helpers from Phil Hands' Debian package, README file and chroot patch from Ricardo Cerqueira
 - Moved gnome-ssh-askpass.c to contrib directory and removed config option.
 - Slight cleanup to doc files
 - Configure fix from Bratislav ILICH
20000314
 - Include macro for IN6_IS_ADDR_V4MAPPED. Report from peter at frontierflying.com
 - Include /usr/local/include and /usr/local/lib for systems that don't do it themselves
 - -R/usr/local/lib for Solaris
 - Fix RSAref detection
 - Fix IN6_IS_ADDR_V4MAPPED macro
20000311
 - Detect RSAref
 - OpenBSD CVS change
   [sshd.c]
   - disallow guessing of root password
 - More configure fixes
 - IPv6 workarounds from Hideaki YOSHIFUJI
20000309
 - OpenBSD CVS updates to v1.2.3
   [ssh.h atomicio.c]
   - int atomicio -> ssize_t (for alpha). ok deraadt@
   [auth-rsa.c]
   - delay MD5 computation until client sends response, free() early, cleanup.
   [cipher.c]
   - void* -> unsigned char*, ok niels@
   [hostfile.c]
   - remove unused variable 'len'. fix comments.
   - remove unused variable
   [log-client.c log-server.c]
   - rename a cpp symbol, to avoid param.h collision
   [packet.c]
   - missing xfree()
   - getsockname() requires initialized tolen; andy at guildsoftware.com
   - use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp at Informatik.TU-Chemnitz.DE
   [pty.c pty.h]
   - register cleanup for pty earlier. move code for pty-owner handling to pty.c ok provos@, dugsong@
   [readconf.c]
   - turn off x11-fwd for the client, too.
   [rsa.c]
   - PKCS#1 padding
   [scp.c]
   - allow '.' in usernames; from jedgar at fxp.org
   [servconf.c]
   - typo: ignore_user_known_hosts int->flag; naddy at mips.rhein-neckar.de
   - sync with sshd_config
   [ssh-keygen.c]
   - enable ssh-keygen -l -f ~/.ssh/known_hosts, ok deraadt@
   [ssh.1]
   - Change invalid 'CHAT' loglevel to 'VERBOSE'
   [ssh.c]
   - suppress AAAA query host when '-4' is used; from shin at nd.net.fujitsu.co.jp
   - turn off x11-fwd for the client, too.
   [sshconnect.c]
   - missing xfree()
   - retry rresvport_af(), too. from sumikawa at ebina.hitachi.co.jp.
   - read error vs. "Connection closed by remote host"
   [sshd.8]
   - ie. -> i.e.,
   - do not link to a commercial page..
   - sync with sshd_config
   [sshd.c]
   - no need for poll.h; from bright at wintelcom.net
   - log with level log() not fatal() if peer behaves badly.
   - don't panic if client behaves strange. ok deraadt@
   - make no-port-forwarding for RSA keys deny both -L and -R style fwding
   - delay close() of pty until the pty has been chowned back to root
   - oops, fix comment, too.
   - missing xfree()
   - move XAUTHORITY to subdir. ok dugsong at . fixes debian bug #57907, too. (http://cgi.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=57907)
   - register cleanup for pty earlier. move code for pty-owner handling to pty.c ok provos@, dugsong@
   - create x11 cookie file
   - fix pr 1113, fclose() -> pclose(), todo: remote popen()
   - version 1.2.3
 - Cleaned up
 - Removed warning workaround for Linux and devpts filesystems (no longer required after OpenBSD updates)
20000308
 - Configure fix from Hiroshi Takekawa

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From weigel+ at pitt.edu Sat Mar 25 13:03:30 2000
From: weigel+ at pitt.edu (Matthew C. Weigel)
Date: Fri, 24 Mar 2000 21:03:30 -0500 (EST)
Subject: NeXTSTEP support
In-Reply-To:
Message-ID:

Hi,

I read that support for NeXT is in the works, what can I do to help? Is there currently anyone working on it, or should I do it?

Matthew Weigel
Programmer/Sysadmin/Student
weigel+ at pitt.edu

From mouring at pconline.com Sat Mar 25 13:40:10 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Fri, 24 Mar 2000 20:40:10 -0600 (CST)
Subject: NeXTSTEP support
In-Reply-To:
Message-ID:

I guess I should field this.

I currently have a very nasty patch set for 1.2.3pre3 to let it compile under NeXTStep 4.2 .. It mostly works. There are a few errors it spews out, and signal support is a bit spotty in readpass.c

If you want to have a copy of my current 1.2.3pre3 tree that's fine. I plan on putting out a patchset for 1.2.3 final in the next day. And hopefully some smaller patches that will be accepted into the core OpenSSH software until I feel happy with the majority of the patches.

BTW.. I don't use the libposix.a due to all the bugs, so the patch is a decent size.

On Fri, 24 Mar 2000, Matthew C. Weigel wrote:

> Hi,
>
> I read that support for NeXT is in the works, what can I do to help? Is
> there currently anyone working on it, or should I do it?
>
> Matthew Weigel
> Programmer/Sysadmin/Student
> weigel+ at pitt.edu
>
>

From weigel+ at pitt.edu Sat Mar 25 15:58:12 2000
From: weigel+ at pitt.edu (Matthew C. Weigel)
Date: Fri, 24 Mar 2000 23:58:12 -0500 (EST)
Subject: NeXTSTEP support
In-Reply-To:
Message-ID:

On Fri, 24 Mar 2000, Ben Lindstrom wrote:

> I guess I should field this.
>
> I currently have a very nasty patch set for 1.2.3pre3 to let it compile
> under NeXTStep 4.2 .. It mostly works. There are a few errors it spews
> out, and signal support is a bit spotty in readpass.c

Hmmm... I use NeXTSTEP on an HP, which is only supported by 3.3. Due to the vagaries of NeXT, if you build it from 4.2 it won't run on my machine.

> If you want to have a copy of my current 1.2.3pre3 tree that's fine.
> I plan on putting out a patchset for 1.2.3 final in the next day.

I'd appreciate it. I'd really like ssh on my HP, and even the port of the non-free SSH doesn't run on it.

> And hopefully some smaller patches that will be accepted into
> the core OpenSSH software until I feel happy with the majority
> of the patches.
>
> BTW.. I don't use the libposix.a due to all the bugs, so the patch
> is a decent size.

I wouldn't, myself :)

Matthew Weigel
Programmer/Sysadmin/Student
weigel+ at pitt.edu

From mouring at pconline.com Sun Mar 26 08:05:45 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Sat, 25 Mar 2000 16:05:45 -0600 (CST)
Subject: replacement putenv()
Message-ID:

Can we get this as a replacement to the current putenv()? It's out of the OpenBSD source tree and is a complete replacement instead of a wrapper around setenv().

Thanks.

-------------- next part --------------
#ifndef HAVE_SETENV
/*
** Borrowed from OpenBSD 2.6. Some platforms don't even support putenv()
** So therefore we need a real setenv().
*/
#include <stdlib.h>     /* malloc(), realloc() */
#include <string.h>     /* strlen() */
#include <strings.h>    /* bcopy() */

char *__findenv(const char *name, int *offset);

/*
 * setenv --
 *      Set the value of the environment variable "name" to be "value".
 *      If rewrite is set, replace any existing value; otherwise leave an
 *      existing value alone. Returns 0 on success, -1 on allocation failure.
 */
int
setenv(name, value, rewrite)
        register const char *name;
        register const char *value;
        int rewrite;
{
        extern char **environ;
        static int alloced;                     /* if allocated space before */
        register char *C;
        int l_value, offset;

        if (*value == '=')                      /* no `=' in value */
                ++value;
        l_value = strlen(value);
        if ((C = __findenv(name, &offset))) {   /* find if already exists */
                if (!rewrite)
                        return (0);
                if (strlen(C) >= l_value) {     /* old larger; copy over */
                        while (*C++ = *value++)
                                ;
                        return (0);
                }
        } else {                                /* create new slot */
                register int cnt;
                register char **P;

                for (P = environ, cnt = 0; *P; ++P, ++cnt)
                        ;
                if (alloced) {                  /* just increase size */
                        P = (char **)realloc((void *)environ,
                            (size_t)(sizeof(char *) * (cnt + 2)));
                        if (!P)
                                return (-1);
                        environ = P;
                } else {                        /* get new space */
                        alloced = 1;            /* copy old entries into it */
                        P = (char **)malloc((size_t)(sizeof(char *) *
                            (cnt + 2)));
                        if (!P)
                                return (-1);
                        bcopy(environ, P, cnt * sizeof(char *));
                        environ = P;
                }
                environ[cnt + 1] = NULL;
                offset = cnt;
        }
        for (C = (char *)name; *C && *C != '='; ++C)    /* no `=' in name */
                ;
        if (!(environ[offset] =                 /* name + `=' + value */
            malloc((size_t)((int)(C - name) + l_value + 2))))
                return (-1);
        for (C = environ[offset]; (*C = *name++) && *C != '='; ++C)
                ;
        for (*C++ = '='; *C++ = *value++; )
                ;
        return (0);
}

/*
 * __findenv --
 *      Returns pointer to value associated with name, if any, else NULL.
 *      Sets offset to be the offset of the name/value combination in the
 *      environment array, for use by setenv(). Explicitly removes '='
 *      in argument name.
 */
char *
__findenv(name, offset)
        register const char *name;
        int *offset;
{
        extern char **environ;
        register int len, i;
        register const char *np;
        register char **p, *cp;

        if (name == NULL || environ == NULL)
                return (NULL);
        for (np = name; *np && *np != '='; ++np)
                ;
        len = np - name;
        for (p = environ; (cp = *p) != NULL; ++p) {
                for (np = name, i = len; i && *cp; i--)
                        if (*cp++ != *np++)
                                break;
                if (i == 0 && *cp++ == '=') {
                        *offset = p - environ;
                        return (cp);
                }
        }
        return (NULL);
}
#endif /* !HAVE_SETENV */

From speno at isc.upenn.edu Tue Mar 28 02:41:08 2000
From: speno at isc.upenn.edu (John P Speno)
Date: Mon, 27 Mar 2000 11:41:08 -0500
Subject: scp: write stdout: Broken pipe error (Tru64 UNIX)
Message-ID: <20000327114108.A124292@isc.upenn.edu>

I'm working on adding SIA authentication support to OpenSSH for use on Tru64 UNIX. The authentication bits are working but there's more work to be done including checking for locked accounts and setting resource limits.

Anyway, most things seem to be working fine except for scp and I'm looking for a little help. Here's some output:

% scp -v lopan:sl.tar .
Executing: host lopan, user (unspecified), command scp -v -f sl.tar
SSH Version OpenSSH-1.2.3, protocol version 1.5.
Compiled with SSL.
debug: ssh_connect: getuid 4056 geteuid 0 anon 0
debug: Connecting to lopan [165.123.210.223] port 22.
debug: Allocated local port 685.
debug: Connection established.
debug: Remote protocol version 1.5, remote software version OpenSSH-1.2.3
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'lopan' is known and matches the host key.
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Doing password authentication.
speno at lopan's password:
debug: Sending command: scp -v -f sl.tar
debug: Entering interactive session.
Cannot find terminal.
Sending file modes: C0600 11530240 sl.tar
sl.tar 4% |*** | 512 KB 00:20 ETAInterrupted system call
11:33am
Write failed flushing stdout buffer.
write stdout: Broken pipe
debug: Transferred: stdin 32, stdout 540758, stderr 27 bytes in 1.3 seconds
debug: Bytes per second: stdin 25.2, stdout 426281.1, stderr 21.3
debug: Exit status -1

I've got a working scp from ssh-1.2.27 around and that still works fine. Any ideas? Thanks.

From wth at id.pl Tue Mar 28 02:52:35 2000
From: wth at id.pl (Waldemar Thiel)
Date: Mon, 27 Mar 2000 18:52:35 +0200
Subject: Few question...
Message-ID:

Hello

I have few questions about openssh...

1/ there is probably bug in auth-password.c in auth_password function

        if (pw->pw_uid == 0 && options.permit_root_login == 2)
                return 0;
        if (*password == '\0' && options.permit_empty_passwd == 0)
                return 0;
        /* deny if no user. */
        if (pw == NULL)            <----------- this should be first checked ....
                return 0;

2/ do I have to always read whole packet ? In example: I send packet with int and string as a data. Can I forget about reading string when I don't need it or there is a possibility of memory fragmentation ?

- Waldemar Thiel (wth at id.pl)

From mike.esler at nrlssc.navy.mil Tue Mar 28 07:07:59 2000
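The ordering problem Waldemar points out, shown as an added example that is not code from the thread or from OpenSSH: the version "as posted" reads pw->pw_uid before testing pw for NULL, so a login attempt for an account that does not exist dereferences a null pointer, while the corrected version performs the NULL test first and leaves the two policy checks otherwise unchanged. struct fake_passwd, struct fake_options, lookup_user, the constructed account table and the plaintext comparison are stand-ins for getpwnam(3), sshd's options and crypt(3), chosen only so the example runs on its own; the value 2 for permit_root_login is the one the quoted snippet tests.

```c
/* Added example, not code from the thread or from OpenSSH: the check-order
 * bug reported for auth_password(), beside a corrected ordering. The types,
 * the account table and the plaintext password comparison are constructed
 * stand-ins so the example is self-contained. */
#include <stddef.h>
#include <string.h>

struct fake_passwd { const char *pw_name; unsigned pw_uid; const char *pw_passwd; };
struct fake_options { int permit_root_login; int permit_empty_passwd; };

/* constructed account table (plaintext only to keep the example offline) */
static const struct fake_passwd users[] = {
    { "root",  0,    "rootpw" },
    { "itchy", 1000, "s3cret" },
    { "nopw",  1001, "" },
};

/* stand-in for getpwnam(): returns NULL for an unknown account, as the real one does */
const struct fake_passwd *lookup_user(const char *name)
{
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].pw_name, name) == 0)
            return &users[i];
    return NULL;
}

/* Order of checks as quoted in the report: pw->pw_uid is read on the first
 * line, so an attempt for a non-existent user arrives with pw == NULL and
 * the pointer is dereferenced before the NULL test further down.
 * Never call this with pw == NULL; it is here only to show the ordering. */
int auth_password_as_posted(const struct fake_passwd *pw, const char *password,
                            const struct fake_options *opt)
{
    if (pw->pw_uid == 0 && opt->permit_root_login == 2)   /* dereference first */
        return 0;
    if (*password == '\0' && opt->permit_empty_passwd == 0)
        return 0;
    if (pw == NULL)                                       /* too late */
        return 0;
    return strcmp(pw->pw_passwd, password) == 0;
}

/* Corrected order: reject a missing account (or password) before any
 * policy test that reads through the pointers; the policy tests are unchanged. */
int auth_password_fixed(const struct fake_passwd *pw, const char *password,
                        const struct fake_options *opt)
{
    if (pw == NULL || password == NULL)                   /* deny if no user */
        return 0;
    if (pw->pw_uid == 0 && opt->permit_root_login == 2)
        return 0;
    if (*password == '\0' && opt->permit_empty_passwd == 0)
        return 0;
    return strcmp(pw->pw_passwd, password) == 0;
}

/* Drives the fixed version through the cases a reviewer would want covered;
 * returns 1 when every case behaves as expected. */
int auth_demo(void)
{
    struct fake_options opt = { 2, 0 };   /* root: no password auth; empty passwords off */
    int ok = 1;
    ok &= auth_password_fixed(lookup_user("nosuchuser"), "x", &opt) == 0; /* crashed before */
    ok &= auth_password_fixed(lookup_user("itchy"), "s3cret", &opt) == 1;
    ok &= auth_password_fixed(lookup_user("itchy"), "wrong", &opt) == 0;
    ok &= auth_password_fixed(lookup_user("root"), "rootpw", &opt) == 0;
    ok &= auth_password_fixed(lookup_user("nopw"), "", &opt) == 0;
    opt.permit_empty_passwd = 1;
    ok &= auth_password_fixed(lookup_user("nopw"), "", &opt) == 1;
    return ok;
}
```

The general rule the fix illustrates is to validate every pointer that comes back from a lookup before any policy decision reads through it; keeping the two policy checks in their original relative order shows that the fix changes only where the NULL test sits, not what the function decides for valid accounts.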
From: mike.esler at nrlssc.navy.mil (Mike Esler)
Date: Mon, 27 Mar 2000 15:07:59 -0600
Subject: FreeBSD 3.1 & OpenSSH 1.2.3
Message-ID: <38DFCDAE.9EE1B4FF@nrlssc.navy.mil>

Hi all,

I am trying to get OpenSSH working on an i386 BSD 3.1 box we have. Everything compiles OK, installs, and I can launch SSHD. Here is a sample session of sshd with the debug switch:

computer# /usr/local/sbin/sshd -d
debug: sshd version OpenSSH-1.2.3
debug: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 909
debug: Client protocol version 1.5; client software version OpenSSH-1.2.3
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Starting up PAM with username "mesler"
debug: Attempting authentication for mesler.
Failed rsa for mesler from 127.0.0.1 port 909
debug: PAM Password authentication for "joe.blow" failed: Module is unknown
Failed password for mesler from 127.0.0.1 port 909

On the user end, the only error I get is :
Permission denied, please try again.

Here is what the error spits into the logs:
Mar 27 14:32:15 tortoise sshd[66176]: adding faulty module: /usr/lib/pam_unix.so
Mar 27 14:34:55 tortoise sshd[66380]: unable to dlopen(/usr/lib/pam_unix.so)
Mar 27 14:34:55 tortoise sshd[66380]: [dlerror: /usr/lib/pam_unix.so: Undefined symbol "crypt"

I have included the 4 PAM entries that came from the $SRCDIR/contrib/sshd.pam.freebsd into my pam.conf file. Those lines are:

sshd auth required pam_unix.so try_first_pass
sshd account required pam_unix.so
sshd password required pam_unix.so
sshd session required pam_unix.so

the login entry in my pam.conf file also uses pam_unix.so

Can someone shed some light on this for me? What am I missing?
It almost seems as if the server is using the wrong encryption type. Thanks in advance. -- Mike Esler Sverdrup Technology System Administrator From nalin at redhat.com Tue Mar 28 07:10:37 2000 From: nalin at redhat.com (Nalin Dahyabhai) Date: Mon, 27 Mar 2000 16:10:37 -0500 Subject: FreeBSD 3.1 & OpenSSH 1.2.3 In-Reply-To: <38DFCDAE.9EE1B4FF@nrlssc.navy.mil>; from mike.esler@nrlssc.navy.mil on Mon, Mar 27, 2000 at 03:07:59PM -0600 References: <38DFCDAE.9EE1B4FF@nrlssc.navy.mil> Message-ID: <20000327161037.A1630@devserv.devel.redhat.com> On Mon, Mar 27, 2000 at 03:07:59PM -0600, Mike Esler wrote: > Hi all, > > I am trying to get OpenSSH working on an i386 BSD 3.1 box we have. > Everything compiles OK, installs, and I can launch SSHD. [snip] > On the user end, the only error I get is : > Permission denied, please try again. > > Here is what the error spits into the logs: > Mar 27 14:32:15 tortoise sshd[66176]: adding faulty module: > /usr/lib/pam_unix.so > Mar 27 14:34:55 tortoise sshd[66380]: unable to > dlopen(/usr/lib/pam_unix.so) > Mar 27 14:34:55 tortoise sshd[66380]: [dlerror: /usr/lib/pam_unix.so: > Undefined > symbol "crypt" If your system has a separate libcrypt.so, then your pam_unix.so module isn't linked against it, and you're getting an error when the PAM library tries to demand-load it. If sshd isn't working right with pam_unix, odds are that other PAM-aware applications won't work right, either. Update your PAM installation. Hope this helps, Nalin From paul at cuenet.com Tue Mar 28 14:05:13 2000 
From: paul at cuenet.com (Paul Thomas) Date: Mon, 27 Mar 2000 20:05:13 -0800 Subject: Failed password Message-ID: <38E02F79.EE47431B@cuenet.com> Hi, If there is a place to post this, please advise, but I am stuck. I have recently installed openssh-1.2.3 on a Red Hat 6.1 installation. Everything compiles OK but I don't get any password authentication. So I recompiled openssh-1.2.3 without PAM support and it still does not work. I can log into the system otherwise (shadow password is enabled). Here is what I have in my /var/log/messages: Mar 27 19:13:11 localhost sshd[23711]: Failed password for itchy from 199.174.197.138 port 1022 Mar 27 19:13:11 localhost sshd[23711]: Connection closed by 199.174.197.138 Any suggestions on how I might enable a more verbose error log or get some idea of what is failing? Thanks, --Paul T. From jamest at math.ksu.edu Tue Mar 28 14:11:51 2000 From: jamest at math.ksu.edu (James Thompson) Date: Mon, 27 Mar 2000 22:11:51 -0600 (CST) Subject: Failed password In-Reply-To: <38E02F79.EE47431B@cuenet.com> Message-ID: On Mon, 27 Mar 2000, Paul Thomas wrote: > Hi, > > If there is a place to post this, please advise, but I am stuck. I > have recently installed openssh-1.2.3 on a Red Hat 6.1 installation. > Everything compiles OK but I don't get any password authentication. Did you remember to copy the sshd.pam file in contrib/redhat/sshd.pam to /etc/pam.d/ssh? ->->->->->->->->->->->->->->->->->->---<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-< James Thompson 138 Cardwell Hall Manhattan, Ks 66506 785-532-0561 Kansas State University Department of Mathematics ->->->->->->->->->->->->->->->->->->---<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-< From domi at saargate.de Tue Mar 28 14:30:02 2000 
From: domi at saargate.de (Dominik Brettnacher) Date: Tue, 28 Mar 2000 06:30:02 +0200 (CEST) Subject: FreeBSD 3.1 & OpenSSH 1.2.3 In-Reply-To: Message-ID: On Mon, 27 Mar 2000, mike.esler at nrlssc.navy.mil wrote: > Here is what the error spits into the logs: > Mar 27 14:32:15 tortoise sshd[66176]: adding faulty module: > /usr/lib/pam_unix.so > Mar 27 14:34:55 tortoise sshd[66380]: unable to > dlopen(/usr/lib/pam_unix.so) > Mar 27 14:34:55 tortoise sshd[66380]: [dlerror: /usr/lib/pam_unix.so: > Undefined > symbol "crypt" you should link "sshd" against libcrypt.so, then it works. -- Dominik - http://www.brettnacher.org/users/dominik/ From paul at cuenet.com Tue Mar 28 15:00:12 2000 From: paul at cuenet.com (Paul Thomas) Date: Mon, 27 Mar 2000 21:00:12 -0800 (PST) Subject: Failed password In-Reply-To: Message-ID: On Mon, 27 Mar 2000, James Thompson wrote: > On Mon, 27 Mar 2000, Paul Thomas wrote: > > > Hi, > > > > If there is a place to post this, please advise, but I am stuck. I > > have recently installed openssh-1.2.3 on a Red Hat 6.1 installation. > > Everything compiles OK but I don't get any password authentication. > > Did you remember to copy the sshd.pam file in contrib/redhat/sshd.pam to > /etc/pam.d/ssh? No, I didn't do that but now I just did and still no go. I recompiled ssh without PAM support to try and simplify things somewhat. I just changed the LogLevel from INFO to DEBUG in sshd_config and restarted sshd, but the logging has not become more verbose, or if logging is not in /var/log/messages, I don't know where the logging is being written to. Thanks, --Paul T. -- '...if clones are outlawed then only outlaws will have clones...' From markus.friedl at informatik.uni-erlangen.de Tue Mar 28 19:52:53 2000 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 28 Mar 2000 11:52:53 +0200 Subject: Few question... In-Reply-To: ; from wth@id.pl on Mon, Mar 27, 2000 at 06:52:35PM +0200 References: Message-ID: <20000328115253.A3814@folly.informatik.uni-erlangen.de> On Mon, Mar 27, 2000 at 06:52:35PM +0200, Waldemar Thiel wrote:
> 1/ there is probably a bug in auth-password.c in the auth_password function
>
>     if (pw->pw_uid == 0 && options.permit_root_login == 2)
>         return 0;
>     if (*password == '\0' && options.permit_empty_passwd == 0)
>         return 0;
>     /* deny if no user. */
>     if (pw == NULL)   <----------- this should be checked first ....
>         return 0;
this has been fixed in December. are you using a recent version?
> 2/ do I always have to read the whole packet? For example: I send a packet with an int and a string as the data. Can I skip reading the string when I don't need it, or is there a possibility of memory fragmentation?
i assume you are talking about packet_get_int() and packet_get_string(): no, you don't need to add matching packet_get_string() calls on the receiving side. the next packet_read() discards the current packet. note that you need to xfree() the string returned by packet_get_string(). -markus PS: are you extending the protocol? From ramalho at panther2.amd.com Tue Mar 28 20:55:37 2000 
From: ramalho at panther2.amd.com (Glenn S. Ramalho) Date: Tue, 28 Mar 2000 02:55:37 -0800 Subject: A bug in installing OpenSSH Message-ID: <200003281055.CAA13322@vulture1.amd.com> I hope this is the correct place to send this to. I was trying to build OpenSSH on an HP/UX 10.20 system and I got an error message. The Ansi C compiler did not understand the uint64_t stuff. I did some investigating and it seems that it's a problem in how the compiler is being called. Your code ran: cc -Aa -D_HPUX_SOURCE According to the manpage this combination does not produce 64 bit ints. You need to add the +e option or run it with the -Ae option. I changed the makefile and it went ok. Well, I still had to find a replacement for /dev/urandom but after I got that going it went ok. The final result for me was: cc -Ae -D_HPUX_SOURCE I also added +O4 to get it optimized for my case as I do not expect to be running dbx/gdb/whatever here. That though of course has nothing to do with +e. PS: gcc failed too. Although GCC does not need the +e option, it still does not read the typedefs to set uint64_t and int64_t to long long. Those are only set if the includes have the correct set of defines. From Florian.Weimer at RUS.Uni-Stuttgart.DE Wed Mar 29 02:39:32 2000 
From: Florian.Weimer at RUS.Uni-Stuttgart.DE (Florian Weimer) Date: 28 Mar 2000 18:39:32 +0200 Subject: Cannot connect to OpenSSH 1.2.3 running on HP-UX 11.00 Message-ID: The server daemon writes the following error message to the syslog (running on a HP 9000/712/80 box): | Mar 28 18:01:54 sshd[755]: Did not receive ident string from . Any suggestions? This happens if I connect using OpenSSH from the same box or another one (running the Linux version of OpenSSH). BTW: OpenSSH didn't compile out-of-the-box. I had to disable PAM support (HP-UX 11.00 seems to lack pam_getenvlist) and manually add "-lsec" to the list of libraries. In addition, EGD behaves a bit strange (it dies almost instantly when started from the rc scripts). -- Florian Weimer Florian.Weimer at RUS.Uni-Stuttgart.DE University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898 http://ca.uni-stuttgart.de:11371/pks/lookup?op=get&search=0xC06EC3B5 From tnibbe at sprint.net Wed Mar 29 06:16:20 2000 From: tnibbe at sprint.net (tnibbe) Date: Tue, 28 Mar 2000 15:16:20 -0500 (EST) Subject: /etc/urandom and Solaris Message-ID: <200003282016.PAA10964@bubba.pdsc.sprint.com> I feel very silly asking this, because I saw the answer to this question one time and can't remember what it was. OpenSSH uses /dev/urandom or /dev/random which Solaris does not have (verified with a call to the Sun software folks). How do I make OpenSSH happy with a Solaris substitute for /etc/urandom? Thanks Tim Nibbe Supervisor of System Administration Sprint IP Dial Support Services From RHunter at StockwalkGroup.com Wed Mar 29 06:29:09 2000 
From: RHunter at StockwalkGroup.com (Hunter, Ryan) Date: Tue, 28 Mar 2000 14:29:09 -0600 Subject: /etc/urandom and Solaris Message-ID: <654F80C49DD0D311A0D6009027D4DE9A2DC171@ntswgmail.stockwalkgroup.com> Tim- You need to use the Entropy Gathering Daemon (EGD) developed by Brian Warner. The EGD collects entropy from various OS/Solaris facilities, creating an entropy pool for random number generation. Read the readme included with the distribution of OpenSSH and visit http://www.lothar.com/tech/crypto/ for the EGD source and documentation. Mahalo, Ryan RYAN J. HUNTER Senior UNIX Systems Administrator Stockwalk.com Group, Inc. -- Information Architecture email: rhunter at stockwalkgroup.com ph: 612-542-3538 -----Original Message----- From: tnibbe [mailto:tnibbe at sprint.net] Sent: Tuesday, March 28, 2000 2:16 PM To: openssh-unix-dev at mindrot.org Subject: /etc/urandom and Solaris I feel very silly asking this, because I saw the answer to this question one time and can't remember what it was. OpenSSH uses /dev/urandom or /dev/random which Solaris does not have (verified with a call to the Sun software folks). How do I make OpenSSH happy with a Solaris substitute for /etc/urandom? Thanks Tim Nibbe Supervisor of System Administration Sprint IP Dial Support Services From knopper at linuxtag.de Wed Mar 29 06:58:03 2000 
From: knopper at linuxtag.de (Klaus Knopper) Date: Tue, 28 Mar 2000 22:58:03 +0200 Subject: openssh X11Forwarding problem solution Message-ID: <20000328225803.B30766@hyperion.linuxtag.de> Hi! Several people noticed problems with openssh Version 1.2.2 through 1.2.3 related to X11 forwarding under Linux. For example: Magnus Holmberg wrote: > I have just installed openssh-1.2.2p1-1 > on two of my machines and I have one problem. > > I have > X11Forwarding yes > in my /etc/ssh/sshd_config > > but when I try to ssh to that machine I get this when i try to start rxvt: > > [pucko at b202 pucko]$ rxvt > X11 connection rejected because of wrong authentication. > > X connection to b202.ryd.student.liu.se:11.0 broken (explicit kill or > server shutdown). [pucko at b202 pucko]$ > > The strange thing is that it works if I do the same thing as root. > > What can be wrong? > > /M I believe the source of the problem is the automatic setup of the XAUTHORITY environment variable in different distributions (Mandrake, RedHat, others...) during login. openssh seems to create its own Xauthority cookie file in /tmp rather than create an entry in the user's $HOME/.Xauthority (why?). After successful ssh login, XAUTHORITY points to /tmp/ssh-randomstring/cookies, but the shell's profiles (/etc/profile.d/xhost.* in Mandrake 7.0) reset this variable to its default location $HOME/.Xauthority (except for root, this is why it works in the above context). So, the valid X11-cookie cannot be found by X11-applications because XAUTHORITY points to the wrong file. Two possible workarounds: a) Developers: How about using $HOME/.Xauthority as default cookie file instead of /tmp/ssh-something, at least as a configurable option? b) Sysadmins: Disable the (re-)setting of XAUTHORITY in the shell profiles, or add [ -z "$XAUTHORITY" ] as condition. Replies, comments or questions to knopper at linuxtag.de, please, since I'm not on the openssh-unix-dev mailinglist. 
Sincerely -Klaus Knopper mailto:knopper at linuxtag.de http://www.linuxtag.de/ From carl at bl.echidna.id.au Wed Mar 29 07:27:12 2000 From: carl at bl.echidna.id.au (Carl Brewer) Date: Wed, 29 Mar 2000 07:27:12 +1000 (EST) Subject: /etc/urandom and Solaris Message-ID: <200003282127.e2SLRCE24388@oversteer.bl.echidna.id.au> This probably should have made it into some of the OpenSSH doco by now (*hint*) Sun *does* have a /dev/random, and it works with OpenSSH It's not bundled, it's part of the package SUNWski. You can find SUNWski on Sunsolve if you go scanning through the patch reports. Carl From willard.dawson at sbs.siemens.com Wed Mar 29 07:55:23 2000 From: willard.dawson at sbs.siemens.com (Willard Dawson) Date: Tue, 28 Mar 2000 16:55:23 -0500 Subject: /etc/urandom and Solaris In-Reply-To: <200003282127.e2SLRCE24388@oversteer.bl.echidna.id.au>; from carl@bl.echidna.id.au on Wed, Mar 29, 2000 at 07:27:12AM +1000 References: <200003282127.e2SLRCE24388@oversteer.bl.echidna.id.au> Message-ID: <20000328165523.A22222@wdawson-sun.sbs.siemens.com> On Wed, Mar 29, 2000 at 07:27:12AM +1000, Carl Brewer wrote: > Sun *does* have a /dev/random, and it works with OpenSSH > > It's not bundled, it's part of the package SUNWski. > > You can find SUNWski on Sunsolve if you go scanning through the > patch reports. I for one would appreciate seeing a specific URL to get it from. There's precious little free time (for me, anyway) for surfing on the hope I might find something. -- Willard Francis Otto Dawson +1 770 814 5099 / +1 770 814 5202 FAX Siemens Business Services, ENS mailto:willard.dawson at sbs.siemens.com 4570 River Green Pkwy, Ste 140 http://www.sbs.siemens.com/ Duluth, GA 30096-2564 Standard disclaimer applies. From jmknoble at pobox.com Wed Mar 29 08:36:18 2000 
From: jmknoble at pobox.com (Jim Knoble) Date: Tue, 28 Mar 2000 17:36:18 -0500 Subject: openssh X11Forwarding problem solution In-Reply-To: <20000328225803.B30766@hyperion.linuxtag.de>; from Klaus Knopper on Tue, Mar 28, 2000 at 10:58:03PM +0200 References: <20000328225803.B30766@hyperion.linuxtag.de> Message-ID: <20000328173618.C2186@ntrnet.net> On 2000-Mar-28 at 22:58:03 +0200, Klaus Knopper wrote: : I believe the source of the problem is the automatic setup of the : XAUTHORITY environment variable in different distributions : (Mandrake, RedHat, others...) during login. openssh seems to create : its own Xauthority cookie file in /tmp rather than create an entry : in the user's $HOME/.Xauthority (why?). After successful ssh login, : XAUTHORITY points to /tmp/ssh-randomstring/cookies, but the : shell's profiles (/etc/profile.d/xhost.* in Mandrake 7.0) reset : this variable to its default location $HOME/.Xauthority (except : for root, this is why it works in the above context). So, the : valid X11-cookie cannot be found by X11-applications because : XAUTHORITY points to the wrong file. Distributions that blindly set XAUTHORITY are broken. They should check whether it's already set first, e.g.:
if [ -z "${XAUTHORITY}" ]; then
    XAUTHORITY="${HOME}/.Xauthority"
    export XAUTHORITY
fi
If the system administrator were to use PAM to set XAUTHORITY to a desired value on login, it would be silently overridden, in the same way that sshd's XAUTHORITY is. This violates the principle of least surprise. If i recall correctly, the reasons why OpenSSH doesn't use ~/.Xauthority are: (1) it alleviates problems with NFS-mounted home directories. (2) authority entries can be cleaned up properly on logout instead of sitting around. Someone correct me there, please; i'm bound to be wrong. -- jim knoble jmknoble at pobox.com From djm at mindrot.org Wed Mar 29 12:21:43 2000 
From: djm at mindrot.org (Damien Miller) Date: Wed, 29 Mar 2000 12:21:43 +1000 (EST) Subject: Failed password In-Reply-To: Message-ID: On Mon, 27 Mar 2000, Paul Thomas wrote: > No, I didn't do that but now I just did and still no go. I recompiled > ssh without PAM support to try and simplify things somewhat. > > I just changed the LogLevel from INFO to DEBUG in sshd_config and > restarted sshd, but the logging has not become more verbose or > if logging is not in /var/log/messages, I don't know where the > logging is being written to. The easiest way to get verbose debugging is to run sshd in debug mode: ssh -d -p 2222 Will start a sshd in the foreground with all logs going to stderr listening on port 2222. You can then connect to it with: ssh -p 2222 localhost Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Wed Mar 29 12:26:10 2000 From: djm at mindrot.org (Damien Miller) Date: Wed, 29 Mar 2000 12:26:10 +1000 (EST) Subject: Email Advertising Special--Ends Friday In-Reply-To: <20000328125217.B23141@moni.msci.memphis.edu> Message-ID: On Tue, 28 Mar 2000, Mate Wierdl wrote: > This email did not have the list address in the Cc: or To: fields. > > Perhaps the list maintainer would consider putting filter that would > just bounce such messages to sender? I want to keep the list as open as possible, but will close it if it gets spammed repeatedly. My definition of "repeatedly" at the moment is two times within a calendar month. Do you have a handy recipe that I can do this filtering with? Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From amc at cs.berkeley.edu Wed Mar 29 12:51:18 2000 
From: amc at cs.berkeley.edu (Adam M. Costello) Date: Wed, 29 Mar 2000 02:51:18 +0000 Subject: spam and majordomo In-Reply-To: ; from djm@mindrot.org on Wed, Mar 29, 2000 at 12:26:10PM +1000 References: <20000328125217.B23141@moni.msci.memphis.edu> Message-ID: <20000329025118.G9256@arwen.cs.berkeley.edu> Damien Miller wrote: > I want to keep the list as open as possible, but will close it if it > gets spammed repeatedly. If it's a majordomo list, then restricting posts to subscribers merely means that posts from non-subscribers get bounced to the list owner (or moderator, if one is specified), who can simply pipe the message through the "approve" command if it's not spam. Here's what we do for some lists I maintain: The config file for mailing list foo (foo.config) contains a line like: restrict_post = foo senders senders is a fake mailing list--there are no aliases allowing you to send mail to it, but you can subscribe and unsubscribe addresses to/from it. Now when a post comes from a non-member address, it gets bounced to owner-foo. If it's not spam, the list owner can approve it, and if they expect more messages to be coming from that address (for example, if it's an alternate address of a subscriber), they can subscribe that address to the senders list and not be bothered again. This is not a perfect solution, because the list owner still gets the spam, but I know of no perfect solution to the spam problem. This also gives the list owner an opportunity to insert a note into the message, like "[non-member submission]", so that people know they should Cc their replies to the sender as well as the list. AMC From paul.l.allen at boeing.com Wed Mar 29 14:33:58 2000 
From: paul.l.allen at boeing.com (Paul Allen) Date: Tue, 28 Mar 2000 20:33:58 -0800 Subject: /etc/urandom and Solaris References: <200003282127.e2SLRCE24388@oversteer.bl.echidna.id.au> Message-ID: <38E187B6.67156027@boeing.com> Carl Brewer wrote: > > Sun *does* have a /dev/random, and it works with OpenSSH > > It's not bundled, it's part of the package SUNWski. > > You can find SUNWski on Sunsolve if you go scanning through the > patch reports. Hmmm... There are both international and domestic versions of the Sun Web Server patch that contains SUNWski. One can only download the international version with no crypto. Will the international version have a functioning /dev/random, or will I have to get the folks at 1-800-USA4SUN to send me a tape? Also, the above patches are from 1998. I need this to work on Solaris 8. Has anybody tried this? Or am I back to 1-800-USA4SUN? Thanks! Paul Allen -- Paul L. Allen | voice: (425) 865-3297 fax: (425) 865-2964 Unix Technical Support | paul.l.allen at boeing.com Boeing Phantom Works Math & Computing Technology Site Operations, POB 3707 M/S 7L-68, Seattle, WA 98124-2207 From djm at mindrot.org Wed Mar 29 14:45:18 2000 
From: djm at mindrot.org (Damien Miller) Date: Wed, 29 Mar 2000 14:45:18 +1000 (EST) Subject: /etc/urandom and Solaris In-Reply-To: <38E187B6.67156027@boeing.com> Message-ID: On Tue, 28 Mar 2000, Paul Allen wrote: > Hmmm... There are both international and domestic versions of the > Sun Web Server patch that contains SUNWski. One can only download > the international version with no crypto. Will the international > version have a functioning /dev/random, or will I have to get the > folks at 1-800-USA4SUN to send me a tape? If you can find a URL from which the package can be downloaded I would love to include it in the docs. Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From carl at bl.echidna.id.au Wed Mar 29 15:21:05 2000 From: carl at bl.echidna.id.au (Carl Brewer) Date: Wed, 29 Mar 2000 15:21:05 +1000 (EST) Subject: /etc/urandom and Solaris Message-ID: <200003290521.e2T5L5K24953@oversteer.bl.echidna.id.au> > Carl Brewer wrote: > > > > Sun *does* have a /dev/random, and it works with OpenSSH > > > > It's not bundled, it's part of the package SUNWski. > > > > You can find SUNWski on Sunsolve if you go scanning through the > > patch reports. > > Hmmm... There are both international and domestic versions of the > Sun Web Server patch that contains SUNWski. One can only download > the international version with no crypto. Will the international > version have a functioning /dev/random, or will I have to get the > folks at 1-800-USA4SUN to send me a tape? I don't know the story wrt the versions, but the one that I have I got from SunSolve by searching for /dev/random in the patch reports, and finding SUNWski, and then downloading the patch, pulling out the package and applying it. It works on Solaris 2.6, 7 and 8ea (personal experience). Carl From paul.l.allen at boeing.com Wed Mar 29 16:20:17 2000 
From: paul.l.allen at boeing.com (Paul Allen) Date: Tue, 28 Mar 2000 22:20:17 -0800 Subject: /etc/urandom and Solaris References: <200003290521.e2T5L5K24953@oversteer.bl.echidna.id.au> Message-ID: <38E1A0A1.117F9E23@boeing.com> Carl Brewer wrote: > > > Carl Brewer wrote: > > > > > > Sun *does* have a /dev/random, and it works with OpenSSH > > > > > > It's not bundled, it's part of the package SUNWski. > > > > > > You can find SUNWski on Sunsolve if you go scanning through the > > > patch reports. > > > > Hmmm... There are both international and domestic versions of the > > Sun Web Server patch that contains SUNWski. One can only download > > the international version with no crypto. Will the international > > version have a functioning /dev/random, or will I have to get the > > folks at 1-800-USA4SUN to send me a tape? > > I don't know the story wrt the versions, but the one that I have > I got from SunSolve by searching for /dev/random in the patch > reports, and finding SUNWski, and then downloading the patch, > pulling out the package and applying it. It works on Solaris 2.6, 7 > and 8ea (personal experience). OK, it's just like Carl says. Download patch 105710-01 (this is the SPARC version) from SunSolve. If you have a SunSolve account, you know how to do this. Unpack the patch and do something like: pkgadd -d 105710-01 Have it install the SUNWski package. Among other things, this gives you /etc/init.d/cryptorand and /etc/init.d/skiserv. You probably want to disable the skiserv script, but the cryptorand script is the one that creates a fifo called /dev/random with a daemon connected to it. Reading from /dev/random after saying "/etc/init.d/cryptorand start" gets apparently random data. Does anybody know how to tell if this is "good" random data? I know less than nothing about cryptography and am not sure how to judge this versus egd.pl. Paul Allen -- Paul L. Allen | voice: (425) 865-3297 fax: (425) 865-2964 Unix Technical Support | paul.l.allen at boeing.com Boeing Phantom Works Math & Computing Technology Site Operations, POB 3707 M/S 7L-68, Seattle, WA 98124-2207 From jmknoble at pobox.com Wed Mar 29 16:26:32 2000 
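The question above, how to tell whether the bytes coming out of the SUNWski /dev/random fifo (or an EGD-fed pool) look plausibly random, can be given a rough first answer with a small statistical check. This is an added example, not code from the thread or from OpenSSH; the thresholds and the constructed self-check samples (a stuck all-zero source and a byte counter) are the example's own assumptions.

```c
/* Added example, not from the thread: a quick sanity check for a random
 * source such as the SUNWski /dev/random fifo or an EGD-fed pool. It only
 * catches gross failures (stuck fifo, counter, repeating pattern); passing
 * does not prove cryptographic strength. Thresholds are rules of thumb. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NSYM 256   /* distinct byte values */

struct rand_stats {
    size_t n;            /* sample size in bytes */
    size_t distinct;     /* how many of the 256 byte values occurred */
    size_t longest_run;  /* longest run of one repeated byte value */
    double chi_square;   /* byte-frequency chi-square vs uniform, 255 d.f. */
};

/* Compute the statistics over an in-memory sample. */
struct rand_stats rand_stats_compute(const unsigned char *buf, size_t n)
{
    struct rand_stats st = {n, 0, 0, 0.0};
    size_t count[NSYM], i, run = 0;
    double expected = (double)n / NSYM;

    memset(count, 0, sizeof count);
    for (i = 0; i < n; i++) {
        count[buf[i]]++;
        run = (i > 0 && buf[i] == buf[i - 1]) ? run + 1 : 1;
        if (run > st.longest_run)
            st.longest_run = run;
    }
    for (i = 0; n > 0 && i < NSYM; i++) {
        double d = (double)count[i] - expected;
        if (count[i] > 0)
            st.distinct++;
        st.chi_square += d * d / expected;
    }
    return st;
}

/* Rough verdict: 1 if the sample could be random, 0 if clearly not. With
 * 255 d.f. the chi-square has mean 255 and sd ~22.6, so values outside
 * 150..400 are implausible: too high means skewed bytes, too low means
 * "too uniform", as a counter or a table dump would be. */
int rand_stats_plausible(struct rand_stats st)
{
    if (st.n < 2048)         /* too little data to judge */
        return 0;
    if (st.distinct < 250)   /* byte values that never show up */
        return 0;
    if (st.longest_run > 6)  /* 7 equal bytes in a row is ~2^-48 per position */
        return 0;
    return st.chi_square <= 400.0 && st.chi_square >= 150.0;
}

/* Constructed samples for self-checks (not real entropy): kind 0 is a stuck
 * source returning only zero bytes, kind 1 is a byte counter 0..255 repeating.
 * Returns n == 0 if allocation fails. */
struct rand_stats rand_stats_of_sample(int kind, size_t n)
{
    struct rand_stats st = {0, 0, 0, 0.0};
    unsigned char *buf = malloc(n ? n : 1);
    size_t i;

    if (buf == NULL)
        return st;
    for (i = 0; i < n; i++)
        buf[i] = kind == 0 ? 0 : (unsigned char)(i & 0xff);
    st = rand_stats_compute(buf, n);
    free(buf);
    return st;
}

/* Read up to n bytes from a device or fifo such as /dev/random. */
size_t rand_read_device(const char *path, unsigned char *buf, size_t n)
{
    FILE *f = fopen(path, "rb");
    size_t got = 0, r;

    if (f == NULL)
        return 0;
    while (got < n && (r = fread(buf + got, 1, n - got, f)) > 0)
        got += r;
    fclose(f);
    return got;
}

/* Usage: ./randcheck [device]; defaults to /dev/urandom. */
int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/urandom";
    static unsigned char buf[8192];
    size_t n = rand_read_device(path, buf, sizeof buf);
    struct rand_stats st = rand_stats_compute(buf, n);
    printf("%s: %zu bytes, %zu distinct, longest run %zu, chi-square %.1f -> %s\n",
           path, st.n, st.distinct, st.longest_run, st.chi_square,
           rand_stats_plausible(st) ? "plausible" : "SUSPECT");
    return 0;
}
```

A stuck fifo fails on distinct values and run length; a counter passes the entropy-looking checks but is flagged by a chi-square of exactly zero, which is why the verdict has a lower bound too.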
From: jmknoble at pobox.com (Jim Knoble) Date: Wed, 29 Mar 2000 01:26:32 -0500 Subject: OpenSSH-1.2.3: return of ulimit problem Message-ID: <20000329012632.B23215@quipu.earth> The ulimit problem appears to have reared its head again with openssh-1.2.3, under Red Hat Linux 6.1 (kernel-2.2.12, glibc-2.1.2, egcs-1.1.2, openssl-0.9.5, pam-0.68, pwdb-0.60): $ telnet localhost 22 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. SSH-1.5-OpenSSH-1.2.3 ^] telnet> quit Connection closed. $ ssh localhost Last login: Wed Mar 29 01:10:36 2000 from quipu.earth You have mail. ulimit: cannot raise limit: Operation not permitted ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Reading ~/.bashrc ... Reading ~/.profile ... today is Wed Mar 29 01:11:07 EST 2000 $ The error message is caused by the following line in /etc/profile: $ grep ulimit /etc/profile ulimit -c 1000000 $ With openssh-1.2.2 on the same system, the problem doesn't exhibit itself: $ telnet localhost 22 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. SSH-1.5-OpenSSH-1.2.2 ^] telnet> quit Connection closed. $ ssh localhost Last login: Wed Mar 29 01:11:05 2000 from quipu.earth You have mail. Reading ~/.bashrc ... Reading ~/.profile ... today is Wed Mar 29 01:18:30 EST 2000 $ The last time this happened, i solved the problem by putting an appropriate directive in /etc/security/limits.conf to allow core dumps: # grep '^[^#].*core' /etc/security/limits.conf @wheel hard core 1000000 # grep wheel /etc/group wheel:x:10:root,jmknoble This appears not to be working with openssh-1.2.3. Any ideas on what change could have caused this to resurface? -- jim knoble jmknoble at pobox.com From jeckstei at rutcor.rutgers.edu Thu Mar 30 02:23:18 2000 
From: jeckstei at rutcor.rutgers.edu (Jonathan Eckstein) Date: Wed, 29 Mar 2000 11:23:18 -0500 Subject: How to install openssh? References: <38DA8A88.6011EB88@rutcor.rutgers.edu> <20000323163811.A13012@moni.msci.memphis.edu> Message-ID: <38E22DF6.763E990C@rutcor.rutgers.edu> Hello again: I am still working on installing OpenSSH. I am a fairly experienced unix user, but am new to system administration. Anyway, I got the right version, and I'm trying to install it under Solaris 7. Following the directions in the INSTALL file, I have downloaded, compiled, and "make install"-ed the following: Zlib OpenSSL Perl5 (required by OpenSSL) EGD GCC (required by EGD) I put in EGD because the make for OpenSSH complained that there was no /dev/{u}random and no EGD. I assume I really do need EGD under solaris 7 (right?). However, even after "make install" on EGD, the OpenSSH "make host-key" command complains there is no EGD. I assume that I need to have a host key (right?). There is a sentence in the INSTALL document that says "If you have configured OpenSSH with EGD support, ensure that EGD is running and has collected some Entropy." Obviously I have missed this step. Unfortunately, the "documentation" provided with EGD assumes you are using EGD for some other purpose and is quite unhelpful as to how to start the daemon for use with OpenSSH, or even what the arguments to egd mean. Would it be too much to ask what commands I should place where to get ssh to work and sshd and egd (if necessary) automatically started at system boot? Yours Frustratedly, Jonathan Mate Wierdl wrote: > > You got the openbsd version. Try > > ftp://thermo.stat.ncsu.edu/pub/openssh/files/test//openssh-1.2.3pre5.tar.gz > > Mate > > On Thu, Mar 23, 2000 at 04:20:08PM -0500, Jonathan Eckstein wrote: > > I need to use ssh (both incoming and outgoing) on a SPARC Solaris 7 > > workstation. 
> > > > I just downloaded openssh from > > > > ftp://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/openssh-1.2.3.tgz > > > > as instructed on the www.openssh.com website. > > > > After gunzipping and untarring everything, I note that it says that > > installation instructions are in the file "INSTALL". But there is no > > such file! > > > > I am not sure how to proceed. Please advise. > > > > -- Jonathan > > > --- > Mate Wierdl | Dept. of Math. Sciences | University of Memphis -- Associate Professor Jonathan Eckstein MSIS Department, Faculty of Management, Rutgers University TEACHING ADDRESS RESEARCH ADDRESS +------------------------------+--------------------------------+ | 255 J.H. Levin Building | RUTCOR, Room 148 | | 94 Rockafeller Road | 640 Bartholomew Road | | Livingston Campus | Busch Campus | | Rutgers University | Rutgers University | | Piscataway, NJ 08854 USA | Piscataway, NJ 08854 USA | | (732) 445-0510 | (732) 445-3596 | | FAX (732) 445-6329 | FAX (732) 445-5472 | +------------------------------+--------------------------------+ jeckstei at rutcor.rutgers.edu http://rutcor.rutgers.edu:80/~jeckstei/ From geoff at mrv.com Thu Mar 30 03:42:01 2000 
From: geoff at mrv.com (Geoff Cummins) Date: Wed, 29 Mar 2000 09:42:01 -0800 (PST) Subject: no controlling tty Message-ID: I finally figured out why I was getting this message: geoff at newzippy:~$ ssh dammit You have no controlling tty. Cannot read passphrase. As root I wouldn't get this, so I figured it to be some permission problem. Using strace I see: open("/dev/tty", O_RDWR) = -1 EACCES (Permission denied) write(2, "You have no controlling tty. Ca"..., 54) = 54 then comparing the permissions on /dev/tty between this system and another where I am not having the problem, I see that /dev/tty wants to be world writeable. I don't know if this is the best case, but it seems most of my boxes have this. The system I got that didn't have this set was Essential Debian from CheapBytes, which had similar odd settings like read-only /dev/null and /tmp I hope this helps. Geoff Cummins From speno at isc.upenn.edu Thu Mar 30 04:21:12 2000 From: speno at isc.upenn.edu (John P Speno) Date: Wed, 29 Mar 2000 13:21:12 -0500 Subject: no controlling tty In-Reply-To: References: Message-ID: <20000329132112.A146275@isc.upenn.edu> > then comparing the permissions on /dev/tty between this system and > another where I am not having the problem, I see that /dev/tty wants to be > world writeable. > > I don't know if this is the best case, but it seems most of my boxes have It's the correct case. /dev/tty is special. It refers to your controlling terminal. If it's not world writable I wouldn't be surprised if you saw other problems. On Tru64 UNIX, see man 7 tty for details. Linux? Try man 4 tty. From paul at cuenet.com Thu Mar 30 05:04:24 2000 
From: paul at cuenet.com (Paul Thomas)
Date: Wed, 29 Mar 2000 11:04:24 -0800 (PST)
Subject: Failed password
In-Reply-To:
Message-ID:

On Wed, 29 Mar 2000, Damien Miller wrote:

> The easiest way to get verbose debugging is to run sshd in debug
> mode:
>
> ssh -d -p 2222
>
> Will start a sshd in the foreground with all logs going to stderr
> listening on port 2222. You can then connect to it with:
>
> ssh -p 2222 localhost

Thanks, Damien. I took your suggestion and the error message is still the same, basically. Here is what happens:

[root at chime etc]# /usr/local/sbin/sshd -d -p 2222
debug: sshd version OpenSSH-1.2.3
debug: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 1053
debug: Client protocol version 1.5; client software version OpenSSH-1.2.3
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Attempting authentication for paul.
Failed password for paul from 127.0.0.1 port 1053
Failed password for paul from 127.0.0.1 port 1053

[paul at chime paul]$ ssh -p 2222 localhost
paul at localhost's password:
Permission denied, please try again.
paul at localhost's password:
Permission denied, please try again.
paul at localhost's password:

Also, I don't know if it is related, but if I try to login via openssh to the localhost machine by hostname, or to other hosts with a working sshd in place, I get the following error message that gets stuck in a loop:

[paul at chime paul]$ ssh chime.cuenet.com
The authenticity of host 'chime.cuenet.com' can't be established.
Key fingerprint is 1024 5c:cf:16:4c:34:80:32:bd:e5:05:2f:1e:a5:fe:08:7e.
Are you sure you want to continue connecting (yes/no)? n
The authenticity of host 'chime.cuenet.com' can't be established.
Key fingerprint is 1024 5c:cf:16:4c:34:80:32:bd:e5:05:2f:1e:a5:fe:08:7e.
Are you sure you want to continue connecting (yes/no)? n
The authenticity of host 'chime.cuenet.com' can't be established.
Key fingerprint is 1024 5c:cf:16:4c:34:80:32:bd:e5:05:2f:1e:a5:fe:08:7e.
Are you sure you want to continue connecting (yes/no)? n
The authenticity of host 'chime.cuenet.com' can't be established.
Key fingerprint is 1024 5c:cf:16:4c:34:80:32:bd:e5:05:2f:1e:a5:fe:08:7e.
Are you sure you want to continue connecting (yes/no)?

Maybe Openssh is not ready for the production environment?

Thanks,

--Paul T.
--
'...if clones are outlawed then only outlaws will have clones...'

From mw at moni.msci.memphis.edu Thu Mar 30 05:37:06 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Wed, 29 Mar 2000 13:37:06 -0600
Subject: Failed password
In-Reply-To: ; from paul@cuenet.com on Wed, Mar 29, 2000 at 10:52:09AM -0800
References: <20000329111212.B15569@moni.msci.memphis.edu>
Message-ID: <20000329133706.A22068@moni.msci.memphis.edu>

On Wed, Mar 29, 2000 at 10:52:09AM -0800, Paul Thomas wrote:
> On Wed, 29 Mar 2000, Mate Wierdl wrote:
>
> > On Tue, Mar 28, 2000 at 04:46:31PM -0800, Paul Thomas wrote:
> > > On Tue, 28 Mar 2000, Mate Wierdl wrote:
> > >
> > > > You can then just look at the spec file for the openss{h,l} srpm's to
> > > > see what to do to compile.
> > >
> > > You may have missed my original post, it compiles fine. Sshd is
> > > not able to find passwords for some reason and the logging
> > > feature in sshd_config does not seem to work in VERBOSE or
> > > DEBUG mode so I don't get very good error messages to work
> > > with.
> >
> > No I did not miss it, but I was not precise either. I meant to say:
> > look at the spec file to see *how* to compile to make openss{h,l}
> > work.
>
> Thanks for your time but you are not addressing my question(s)
> about openssh. Like I previously stated to you, my RH product
> contains no references to ssh anything due to licensing restrictions
> (RSA?).

Perhaps at this point you want to tell the list how you configured/compiled openss{h,l}. Seeing the exact command lines can give us hints.

Also, describing your system exactly can help, since we run openssh on all kinds of systems. I am running it on Solaris 2.6, 2.7, and Redhat Linux 5.2, 6.0, 6.1, 6.2beta installed from customized rpms that do not use rsaref.

>
> My questions have been concerned with how to enable debugging,
> etc. in openssh.

Part of the debugging is provided by openssh, but in your case you may need the mailinglist as well. But I think more info about your setup is needed.

> If openssh is as flaky as it appears to be so
> far and lacks an adequate support/user base as it seems to, then
> it is something I may want to avoid.

It certainly is not flaky, only the porting to various platforms requires smoothing out.

>
> I am well aware I can ask RH about RH products.
>

Are you talking about RH=Redhat? If that is the case, what does openssh have to do with RedHat?

From paul at cuenet.com Thu Mar 30 06:55:25 2000
From: paul at cuenet.com (Paul Thomas)
Date: Wed, 29 Mar 2000 12:55:25 -0800 (PST)
Subject: Failed password
In-Reply-To: <20000329133706.A22068@moni.msci.memphis.edu>
Message-ID:

On Wed, 29 Mar 2000, Mate Wierdl wrote:

> Perhaps at this point you want to tell the list how you configured/compiled
> openss{h,l}. Seeing the exact command lines can give us hints.

I provided that info in my original post. I will be happy to provide any further details to anyone who requests something specific so as not to inundate the list with needless posts/information.

> Also, describing your system exactly can help, since we run openssh on
> all kinds of systems. I am running it on Solaris 2.6, 2.7, and Redhat
> Linux 5.2, 6.0, 6.1, 6.2beta installed from customized rpms that do
> not use rsaref.

See above comment.

> Part of the debugging is provided by openssh, but in your case you may
> need the mailinglist as well. But I think more info about your setup
> is needed.

Duh, please refer once again to my previous post(s) to the _mailinglist_.

> > I am well aware I can ask RH about RH products.
> >
>
> Are you talking about RH=Redhat ? If that is the case, what does
> openssh have to do with RedHat?

Yes, RH refers to Red Hat. Openssh does not have anything to do with Red Hat and that is what I was telling you in a private email, because you are sending me private emails referring me to Red Hat for info on how to compile Openssh on a Red Hat product. I will thank you not to further forward my private emails to you to this or any other mailing lists, and at this point I do not desire to correspond with you further, as your correspondence so far has had nothing to do with my situation with Openssh.

Thanks,

--Paul T.
--
'...if clones are outlawed then only outlaws will have clones...'

From paul at cuenet.com Thu Mar 30 07:06:10 2000
From: paul at cuenet.com (Paul Thomas)
Date: Wed, 29 Mar 2000 13:06:10 -0800 (PST)
Subject: Spam filter
In-Reply-To:
Message-ID:

Hi,

You might consider using a simple Procmail rule to filter out email not addressed to the list. I can help with that if needed.

Thanks,

--Paul T.
--
'...if clones are outlawed then only outlaws will have clones...'

From mw at moni.msci.memphis.edu Thu Mar 30 07:33:22 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Wed, 29 Mar 2000 15:33:22 -0600
Subject: Failed password
In-Reply-To: ; from paul@cuenet.com on Wed, Mar 29, 2000 at 12:55:25PM -0800
References: <20000329133706.A22068@moni.msci.memphis.edu>
Message-ID: <20000329153322.A24599@moni.msci.memphis.edu>

On Wed, Mar 29, 2000 at 12:55:25PM -0800, Paul Thomas wrote:
> On Wed, 29 Mar 2000, Mate Wierdl wrote:
>
> > Perhaps at this point you want to tell the list how you configured/compiled
> > openss{h,l}. Seeing the exact command lines can give us hints.
>
> I provided that info in my original post. I will be happy to provide
> any further details to anyone who requests something specific so
> as not to inundate the list with needless posts/information.

I am aware of your original post; it is

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=95421642721481&w=2

and I cannot find the line where you told us how you ran configure/make of openssh, and config/make for openssl.

>
> > Also, describing your system exactly can help, since we run openssh on
> > all kinds of systems. I am running it on Solaris 2.6, 2.7, and Redhat
> > Linux 5.2, 6.0, 6.1, 6.2beta installed from customized rpms that do
> > not use rsaref.
>
> See above comment.

Saying RH 6.1 is not enough obviously, since many of us run openssh on RH 6.1 without a glitch. So there must be something about your setup that is special---or the way you compiled openss{h,l}.

>
> Yes, RH refers to Red Hat. Openssh does not have anything to do with
> Red Hat and that is what I was telling you in a private email because
> you are sending me private emails referring me to Red Hat for info
> on how to compile Openssh on a Red Hat product.

I have never referred you to RH. I told you to look at the openssh and openssl rpm packages *made by openssh's maintainer*. In particular, to look at the spec file, which would tell you how openssh can be compiled to make it work for sure on RH systems.

You decided not to use the rpms, and compile the progs yourself, but I thought it is important info to those on the list who are trying to help you to see that you are not using the "standard" rpm installation on your RH system. Hence I forwarded part of our conversation to the openssh list.

I think in this case, you got upset, because you wanted to figure out what is wrong with your ssh setup by reading logs and running ssh in debug mode, while I suggested to go back one step, and see how you compiled ssh in the first place.

Best,

Mate
---
Mate Wierdl | Dept. of Math. Sciences | University of Memphis

From djm at mindrot.org Thu Mar 30 08:09:13 2000
From: djm at mindrot.org (Damien Miller)
Date: Thu, 30 Mar 2000 08:09:13 +1000 (EST)
Subject: Failed password
In-Reply-To: <38E02F79.EE47431B@cuenet.com>
Message-ID:

On Mon, 27 Mar 2000, Paul Thomas wrote:

> Hi,
>
> If there is a place to post this, please advise, but I am stuck. I have
> recently installed openssh-1.2.3
> on a Red Hat 6.1 installation. Everything compiles ok but I don't get any
> password authentication.
> So I recompiled openssh-1.2.3 without PAM support and it still does not
> work. I can log into
> the system otherwise (shadow password is enabled).

Have you tried the RPM versions? I build these myself on Redhat 6.1 and they work perfectly. If you want to rebuild from source, consider rebuilding the SRPM.

Regards,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From paul at cuenet.com Thu Mar 30 08:46:30 2000
From: paul at cuenet.com (Paul Thomas)
Date: Wed, 29 Mar 2000 14:46:30 -0800 (PST)
Subject: Failed password
In-Reply-To:
Message-ID:

On Thu, 30 Mar 2000, Damien Miller wrote:

> Have you tried the RPM versions? I build these myself on Redhat 6.1
> and they work perfectly. If you want to rebuild from source, consider
> rebuilding the SRPM.

For one thing there does not seem to be an Openssh RPM included in my 6.1 distribution CD's and there is no reference to it in the texts they supply with that product. Besides, this is not going to help me better understand Openssh; I also need to do an install on a couple of older Slackware machines.

Thanks, but maybe the old ssh-1.2.17 is adequate for basic functions. I have not had any trouble with it whatsoever to date.

Cheers,

--Paul T.
--
'...if clones are outlawed then only outlaws will have clones...'

From jmknoble at pobox.com Thu Mar 30 09:27:52 2000
From: jmknoble at pobox.com (Jim Knoble)
Date: Wed, 29 Mar 2000 18:27:52 -0500
Subject: Failed password
In-Reply-To: ; from Paul Thomas on Wed, Mar 29, 2000 at 02:46:30PM -0800
References:
Message-ID: <20000329182752.C15111@ntrnet.net>

Paul, i think you misunderstand. The OpenSSH RPMs are not provided by Red Hat. They're built by Damien Miller (who also coordinates the non-BSD port of OpenSSH) and are available in the same location you downloaded the OpenSSH source from.

I don't think anyone here is trying to waste your time or imply anything about your level of knowledge or intelligence; they're mostly trying to understand the nature of the problem you're experiencing. Since Damien builds OpenSSH and uses it on Red Hat Linux 6.1 systems, there must be something funky about either the configuration of your system or the way you configured and compiled OpenSSH. Please help us help you and discover what the differences are.

--
jim knoble
jmknoble at pobox.com

On 2000-Mar-29 at 14:46:30 -0800, Paul Thomas wrote:
: For one thing there does not seem to be an Openssh RPM included
: in my 6.1 distribution CD's and there is no reference to it
: in the texts they supply with that product. Besides, this is not
: going to help better understand Openssh, I also need to do an
: install on a couple older Slackware machines.
:
: Thanks, but maybe the old ssh-1.2.17 is adequate for basic
: functions. I have not had any trouble with it whatsoever to
: date.

From amc at cs.berkeley.edu Thu Mar 30 10:59:34 2000
From: amc at cs.berkeley.edu (Adam M. Costello)
Date: Thu, 30 Mar 2000 00:59:34 +0000
Subject: reconsider SRP, it's way cool
Message-ID: <20000330005933.C12692@arwen.cs.berkeley.edu>

I just joined the list, and I see in the archives that about a month ago there was a brief discussion of SRP, but it was dismissed.

I urge people to take a look at this site:

http://srp.stanford.edu/srp/

It's very cool.

Let's say I'm on vacation visiting a friend, and I want to log in to my account back home. I trust my friend's machine, but I don't have my home machine's public key, nor my personal keys, and there's no secure way for me to get them. If I try to use ssh with password authentication, a man in the middle can get my password. Ssh is a wonderful tool that solves almost all my security problems, except for this one, and it's a fairly common one.

With SRP, all I need to know is my password, and the two machines can mutually authenticate each other with no risk of a man in the middle learning anything. If this technique had existed when ssh was originally written, it surely would have been used.

I think SRP would be a valuable addition to the ssh protocol, but where should that discussion take place? Are there still people working on standardizing the ssh protocol?

It's tricky because ssh and SRP use different models of session establishment: ssh first authenticates the server using a public key, then chooses a session key, then authenticates the client using any of a number of methods. SRP first mutually authenticates both the server and client using only a password, and a session key falls out.

One idea is to have a mode where ssh provisionally accepts an unknown host key, but doesn't write it to known_hosts unless SRP is subsequently used successfully. The key that falls out of SRP could be used to change the session key, but I'm not sure that's necessary.

AMC

From mouring at pconline.com Thu Mar 30 14:20:05 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Wed, 29 Mar 2000 22:20:05 -0600 (CST)
Subject: ttyslot(), forking and NeXT.
Message-ID:

I'm surprised this is right on any machine. But I'll check my Suse 6.3 box here in a few hours.

In bsd-login.c if you go down to the 'tty = ttyslot();' and insert a

debug("LOGIN: ttyslot = %d",tty);

then run the server in debug mode and log in with a client. You'll see the ttyslot you're using in the utmp file.

Now.. The kicker. I can log into my NeXT box and I get assigned one ttyslot() number for my session (which I assume is done after the fork()).. But when I logout I get assigned a different ttyslot() number. Surprised? I sure was..

What this does is cause the utmp file to not be updated correctly. Wonder if this has anything to do with a lack of complete sig*() functions.

Anyone have any pearls of wisdom?

From paul at cuenet.com Thu Mar 30 17:22:53 2000
From: paul at cuenet.com (Paul Thomas)
Date: Wed, 29 Mar 2000 23:22:53 -0800 (PST)
Subject: Password and RH 6.1
Message-ID:

Jim Knoble said:

>Paul, i think you misunderstand. The OpenSSH RPMs are not provided by
>Red Hat. They're built by Damien Miller (who also coordinates the
>non-BSD port of OpenSSH) and are available in the same location you
>downloaded the OpenSSH source from.

I just figured this out. I apologize, I am new to Red Hat and I just don't think to grab an RPM when I need to install something.

>Since Damien builds OpenSSH and uses it on Red Hat Linux 6.1 systems,
>there must be something funky about either the configuration of your
>system or the way you configured and compiled OpenSSH. Please help us
>help you and discover what the differences are.

This is possible. I just tried to install Damien's RPM and get the following:

[root at chime src]# rpm -ivh openssh-1.2.3-1.i386.rpm
error: failed dependencies:
        openssl is needed by openssh-1.2.3-1
        openssl is needed by openssh-1.2.3-1
        libcrypto.so.0 is needed by openssh-1.2.3-1

I have already installed and compiled Openssl, did a make test and it passed, so I did a make install. I don't seem to have libcrypto.so.0 anywhere on my system. If there is an Openssl RPM I couldn't find it at openssl.org.

I found that Openssh does allow root to login but just does not seem to be able to find the password for any other users.

Thanks for your patience.

--Paul T.
--
'...if clones are outlawed then only outlaws will have clones...'

From Nigel.Metheringham at VData.co.uk Thu Mar 30 18:30:32 2000
From: Nigel.Metheringham at VData.co.uk (Nigel Metheringham)
Date: Thu, 30 Mar 2000 09:30:32 +0100
Subject: Password and RH 6.1
In-Reply-To: Message from Paul Thomas of "Wed, 29 Mar 2000 23:22:53 -0800."
Message-ID:

> [root at chime src]# rpm -ivh openssh-1.2.3-1.i386.rpm
> error: failed dependencies:
> openssl is needed by openssh-1.2.3-1
> openssl is needed by openssh-1.2.3-1
> libcrypto.so.0 is needed by openssh-1.2.3-1

My best guess.... You compiled/installed openssl using the defaults, it installed the libraries into /usr/local/lib, your /etc/ld.so.conf does not list /usr/local/lib as a directory with dynamic libraries in it.

Fix:

1. Add /usr/local/lib to the dynamic library search list. RTFM ldconfig for details.

2. Alternatively rebuild openssl setting --prefix=/usr on the configure line (BTW you need to run ldconfig after install).

3. Best of all make/get/rebuild openssl as an RPM. There is a current one, with SRPM too, at
   http://www.rpmfind.net/linux/RPM/contrib/libc6/i386/openssl-0.9.5-1.i386.html

I have come to the conclusion that on a package managed system like RH, any software that does not live in a user's own directories should always be built and installed as packages. This allows you to be able to link pretty much every file on the system with the package that generated it, do upgrades neatly, and in general be able to control your system rather than have it accumulate cruft over the years.

Nigel.
--
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham Nigel.Metheringham at VData.co.uk ]
[ Phone: +44 1423 850000 Fax +44 1423 858866 ]

From paul at cuenet.com Thu Mar 30 19:07:08 2000
From: paul at cuenet.com (Paul Thomas)
Date: Thu, 30 Mar 2000 01:07:08 -0800 (PST)
Subject: Password and RH 6.1
In-Reply-To:
Message-ID:

On Thu, 30 Mar 2000, Nigel Metheringham wrote:

> 3. Best of all make/get/rebuild openssl as an RPM. There is a
> current one, with SRPM too at
> http://www.rpmfind.net/linux/RPM/contrib/libc6/i386/openssl-0.9.5-1.i386.html

Thanks for the pointer to the openssl rpm. I picked it up, installed it, the other openssh rpms then installed correctly, the whole process took about 3 minutes and now it all works! Hee, kind of takes the fun out of it.

> I have come to the conclusion that on a package managed system like RH,
> any software that does not live in a user's own directories, should
> always be built and installed as packages. This allows you to be able

You are probably right. I am used to incrementally upgrading things and just don't like feeling dependent on someone to create an RPM I might need. That's my problem.

Thank you all for your patience once again and thank you Damien Miller for your great work!

Cheers,

--Paul T.
--
'...if clones are outlawed then only outlaws will have clones...'

From a.d.stribblehill at durham.ac.uk Thu Mar 30 19:11:47 2000
From: a.d.stribblehill at durham.ac.uk (Andrew Stribblehill)
Date: Thu, 30 Mar 2000 10:11:47 +0100
Subject: How to install openssh?
In-Reply-To: <38E22DF6.763E990C@rutcor.rutgers.edu>; from jeckstei@rutcor.rutgers.edu on Wed, Mar 29, 2000 at 11:23:18AM -0500
References: <38DA8A88.6011EB88@rutcor.rutgers.edu> <20000323163811.A13012@moni.msci.memphis.edu> <38E22DF6.763E990C@rutcor.rutgers.edu>
Message-ID: <20000330101147.D10722@womble.dur.ac.uk>

Quoting Jonathan Eckstein :
>
> Would it be too much to ask what commands I should place where to get
> ssh to work and sshd and egd (if necessary) automatically started at
> system boot?

If it would help, I have packaged (in the Sun fashion) OpenSSH 1.2.3 along with the pertinent bits of openssl-0.9.4 and egd-0.6 in such a way that it installs into /usr of a Solaris system. It has been developed on a Solaris 7 box but compatibility with Solaris 2.6 has been vaguely tested.

I probably put in some Durham-specific things so you may need to modify some stuff if you want it. If this proves to be of large-scale interest, I can probably maintain a standard version and a Durham version (if the boss lets me!)

Cheerio,

Andrew Stribblehill
Systems Programmer, IT Service, University of Durham, England

From jmknoble at pobox.com Thu Mar 30 21:23:57 2000
From: jmknoble at pobox.com (Jim Knoble)
Date: Thu, 30 Mar 2000 06:23:57 -0500
Subject: OpenSSH-1.2.3: More info on ulimit problem
In-Reply-To: <20000329012632.B23215@quipu.earth>
References: <20000329012632.B23215@quipu.earth>
Message-ID: <20000330062356.C5614@quipu.earth>

On 2000-Mar-29 at 01:26:32 -0500, Jim Knoble wrote:

: The ulimit problem appears to have reared its head again with
: openssh-1.2.3, under Red Hat Linux 6.1 (kernel-2.2.12, glibc-2.1.2,
: egcs-1.1.2, openssl-0.9.5, pam-0.68, pwdb-0.60):

[...]

: $ ssh localhost
: Last login: Wed Mar 29 01:10:36 2000 from quipu.earth
: You have mail.
: ulimit: cannot raise limit: Operation not permitted
:   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Further info: openssh-1.2.3 appears to be ignoring /etc/pam.d/sshd. The following pam file ought not to allow me to login via ssh:

#%PAM-1.0
auth       required     /lib/security/pam_deny.so
account    required     /lib/security/pam_deny.so
password   required     /lib/security/pam_deny.so
session    required     /lib/security/pam_deny.so

Yet, i can still log in as though nothing were wrong. sshd appears to be linked against the PAM libs:

# ldd /usr/sbin/sshd
        libdl.so.2 => /lib/libdl.so.2 (0x40018000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x4001c000)
        libz.so.1 => /usr/lib/libz.so.1 (0x40032000)
        libutil.so.1 => /lib/libutil.so.1 (0x40041000)
        libpam.so.0 => /lib/libpam.so.0 (0x40044000)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        libcrypto.so.0 => /usr/lib/libcrypto.so.0 (0x4004c000)
        libc.so.6 => /lib/libc.so.6 (0x400fd000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

And i'm certain i didn't build with '--without-pam':

$ grep -B 2 -A 7 '\./configure' openssh.jmk.spec
%build
CFLAGS="${RPM_OPT_FLAGS}" \
./configure \
        --prefix="%{Prefix}" \
        --sysconfdir="%{EtcDir}" \
        --with-ipv4-default \
        --with-tcp-wrappers \
        --with-default-path="/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"

make

I'm mystified. Damien, can you confirm whether anything similar to this is happening for you under RHL-6.1?

--
jim knoble
jmknoble at pobox.com

From baptista at linuxsolutions.com.br Fri Mar 31 02:37:08 2000
From: baptista at linuxsolutions.com.br (Paulo Henrique Baptista de Oliveira)
Date: Thu, 30 Mar 2000 08:37:08 -0800
Subject: Log files with scp
Message-ID: <20000330083707.C5405@init.linuxsolutions.com.br>

Hi OpenSSH folks,

first thanks for this great program. I have a slink Debian machine with a web server and I have to make an account for someone to get only one or two log files day by day. This person I don't trust and he can get a lot of my files with scp that I don't want! What I want is to log what files he gets all day. But reading the scp, ssh and sshd I can't find a manner to log the files. What can I do to do this?

Thanks for any answer.
--
Abraços, PH
Linux Solutions - Renovando Conceitos - http://www.linuxsolutions.com.br
OLinux - O maior e melhor site de Linux do Brasil - http://www.olinux.com.br
Paulo Henrique Baptista de Oliveira -- baptista at linuxsolutions.com.br
Information Technology Consultant

From tom at arcot.com Thu Mar 30 22:32:43 2000
From: tom at arcot.com (Tom Wu)
Date: Thu, 30 Mar 2000 04:32:43 -0800
Subject: reconsider SRP, it's way cool
References: <20000330005933.C12692@arwen.cs.berkeley.edu>
Message-ID: <38E3496B.A0299E49@arcot.com>

"Adam M. Costello" wrote:
>
> I just joined the list, and I see in the archives that about a month ago
> there was a brief discussion of SRP, but it was dismissed.
>
> I urge people to take a look at this site:
>
> http://srp.stanford.edu/srp/
>
> It's very cool.

As the author/inventor of SRP, I'd be willing to lend a hand to help get SRP incorporated as an authentication mechanism in OpenSSH. It fixes the public key spoofing attack without having to rely on stored keys, and it resists attacks against low-entropy passphrases. I would suggest incorporating the SSH host public key into the SRP exchange, so that the authentication step also confirms the integrity of the SSH host key. This way, the underlying SSH protocol need not change, and it gains the extra security offered by SRP with no inconvenience penalty. SRP is Open Source, so it is even less encumbered than RSA authentication, at least until this September. :)

> Let's say I'm on vacation visiting a friend, and I want to log in to
> my account back home. I trust my friend's machine, but I don't have
> my home machine's public key, nor my personal keys, and there's no
> secure way for me to get them. If I try to use ssh with password
> authentication, a man in the middle can get my password. Ssh is a
> wonderful tool that solves almost all my security problems, except for
> this one, and it's a fairly common one.
>
> With SRP, all I need to know is my password, and the two machines
> can mutually authenticate each other with no risk of a man in the
> middle learning anything. If this technique had existed when ssh was
> originally written, it surely would have been used.
>
> I think SRP would be a valuable addition to the ssh protocol, but where
> should that discussion take place? Are there still people
> working on standardizing the ssh protocol?
>
> It's tricky because ssh and SRP use different models of session
> establishment: ssh first authenticates the server using a public key,
> then chooses a session key, then authenticates the client using any of a
> number of methods. SRP first mutually authenticates both the server and
> client using only a password, and a session key falls out.
>
> One idea is to have a mode where ssh provisionally accepts an unknown
> host key, but doesn't write it to known_hosts unless SRP is subsequently
> used successfully. The key that falls out of SRP could be used to
> change the session key, but I'm not sure that's necessary.
>
> AMC

--
Tom Wu
Principal Software Engineer
Arcot Systems Inc.
(650) 565-7007

From markus.friedl at informatik.uni-erlangen.de Thu Mar 30 21:06:49 2000
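Added example, not code from this thread, from OpenSSH or from the SRP distribution: a toy SRP-6a run in the shape Adam describes (server stores only a verifier, both sides derive the session key from the password alone), with the server's host key hashed into the client proof as one way to realise Tom's suggestion. It assumes the RFC 5054 1024-bit group with g = 2 and SHA-256; the host-key binding, the username, the key bytes and the message framing are constructed here and are not the SSH wire format.

```python
"""Toy SRP-6a exchange: added example, not code from the list, OpenSSH or the
SRP distribution.  Assumes the RFC 5054 1024-bit group (g = 2), SHA-256, and a
hypothetical binding of the server's host key into the client proof M1 (one
way to realise Tom Wu's suggestion); the message framing is invented."""
import hashlib
import hmac
import secrets

# RFC 5054 1024-bit group (N is a safe prime, g = 2 generates the group).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8  # 128 bytes

def pad(x: int) -> bytes:
    """PAD() from RFC 5054: left-pad an integer to the byte length of N."""
    return x.to_bytes(N_LEN, "big")

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def H_int(*parts: bytes) -> int:
    return int.from_bytes(H(*parts), "big")

k = H_int(pad(N), pad(g))  # SRP-6a multiplier k = H(N | PAD(g))

def private_x(username: str, password: str, salt: bytes) -> int:
    """x = H(s | H(I | ":" | P)); only the client ever computes this."""
    return H_int(salt, H(f"{username}:{password}".encode()))

def make_verifier(username: str, password: str):
    """Enrolment: the server stores (salt, v = g^x mod N), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)

def proof_m1(username, salt, A, B, K, host_key):
    # RFC 2945 M1 = H(H(N) xor H(g), H(I), s, A, B, K), with the host key
    # appended so that a substituted key makes the proof fail (assumption).
    hx = bytes(p ^ q for p, q in zip(H(pad(N)), H(pad(g))))
    return H(hx, H(username.encode()), salt, pad(A), pad(B), K, host_key)

def proof_m2(A, M1, K):
    return H(pad(A), M1, K)

class Server:
    def __init__(self, username, salt, v, host_key):
        self.username, self.salt, self.v, self.host_key = username, salt, v, host_key

    def challenge(self, A):
        if A % N == 0:  # RFC 5054: abort on a degenerate client value
            raise ValueError("invalid client public value")
        self.A, self.b = A, secrets.randbelow(N - 2) + 2
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B, self.host_key

    def verify_client(self, M1):
        u = H_int(pad(self.A), pad(self.B))
        K = H(pad(pow(self.A * pow(self.v, u, N), self.b, N)))
        expected = proof_m1(self.username, self.salt, self.A, self.B, K, self.host_key)
        if not hmac.compare_digest(M1, expected):
            return None  # wrong password, or the client saw a different host key
        return proof_m2(self.A, M1, K)

class Client:
    def __init__(self, username, password):
        self.username, self.password = username, password

    def start(self):
        self.a = secrets.randbelow(N - 2) + 2
        self.A = pow(g, self.a, N)
        return self.A

    def respond(self, salt, B, host_key):
        if B % N == 0:
            raise ValueError("invalid server public value")
        u = H_int(pad(self.A), pad(B))
        x = private_x(self.username, self.password, salt)
        self.K = H(pad(pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)))
        self.M1 = proof_m1(self.username, salt, self.A, B, self.K, host_key)
        return self.M1

    def verify_server(self, M2):
        return M2 is not None and hmac.compare_digest(M2, proof_m2(self.A, self.M1, self.K))

def run_exchange(enrolled_pw, typed_pw, mitm_key=None):
    """One exchange; returns (server accepted client, client accepted server)."""
    salt, v = make_verifier("paul", enrolled_pw)  # user and key bytes are constructed
    server = Server("paul", salt, v, b"constructed host key bytes")
    client = Client("paul", typed_pw)
    salt, B, host_key = server.challenge(client.start())
    if mitm_key is not None:  # an interposer swapping in its own host key
        host_key = mitm_key
    M2 = server.verify_client(client.respond(salt, B, host_key))
    return M2 is not None, client.verify_server(M2)
```

With the right password and the genuine host key both sides accept; a wrong password or a swapped host key makes the server reject M1, so the client never receives a valid M2 and does not accept the server either.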
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 30 Mar 2000 13:06:49 +0200
Subject: Failed password
In-Reply-To: ; from paul@cuenet.com on Wed, Mar 29, 2000 at 11:04:24AM -0800
References:
Message-ID: <20000330130649.A3441@folly.informatik.uni-erlangen.de>

On Wed, Mar 29, 2000 at 11:04:24AM -0800, Paul Thomas wrote:
> Also, I don't know if it is related, but if I try to login
> via openssh to the localhost machine by hostname or other
> hosts with a working sshd in place, I get the following
> error message that gets stuck in a loop:
>
> [paul at chime paul]$ ssh chime.cuenet.com
> The authenticity of host 'chime.cuenet.com' can't be established.
> Key fingerprint is 1024 5c:cf:16:4c:34:80:32:bd:e5:05:2f:1e:a5:fe:08:7e.
> Are you sure you want to continue connecting (yes/no)? n
> The authenticity of host 'chime.cuenet.com' can't be established.
> Key fingerprint is 1024 5c:cf:16:4c:34:80:32:bd:e5:05:2f:1e:a5:fe:08:7e.
> Are you sure you want to continue connecting (yes/no)? n
> The authenticity of host 'chime.cuenet.com' can't be established.
> Key fingerprint is 1024 5c:cf:16:4c:34:80:32:bd:e5:05:2f:1e:a5:fe:08:7e.
> Are you sure you want to continue connecting (yes/no)? n
> The authenticity of host 'chime.cuenet.com' can't be established.
> Key fingerprint is 1024 5c:cf:16:4c:34:80:32:bd:e5:05:2f:1e:a5:fe:08:7e.
> Are you sure you want to continue connecting (yes/no)?

This is an important question, so you are supposed to answer with 'yes' or 'no'.

> Maybe Openssh is not ready for the production environment?

why not?

-markus

From nalin at redhat.com Thu Mar 30 23:10:15 2000
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Thu, 30 Mar 2000 08:10:15 -0500
Subject: Password and RH 6.1
In-Reply-To: ; from paul@cuenet.com on Wed, Mar 29, 2000 at 11:22:53PM -0800
References:
Message-ID: <20000330081015.C6233@devserv.devel.redhat.com>

On Wed, Mar 29, 2000 at 11:22:53PM -0800, Paul Thomas wrote:
> >Since Damien builds OpenSSH and uses it on Red Hat Linux 6.1 systems,
> >there must be something funky about either the configuration of your
> >system or the way you configured and compiled OpenSSH. Please help us
> >help you and discover what the differences are.
>
> This is possible. I just tried to install Damien's RPM and get
> the following:
>
> [root at chime src]# rpm -ivh openssh-1.2.3-1.i386.rpm
> error: failed dependencies:
> openssl is needed by openssh-1.2.3-1
> openssl is needed by openssh-1.2.3-1
> libcrypto.so.0 is needed by openssh-1.2.3-1
>
> I have already installed and compiled Openssl, did a make test
> and it passed so I did a make install. I don't seem to have
> libcrypto.so.0 anywhere on my system. If there is an Openssl
> RPM I couldn't find it at openssl.org.

The failed dependency messages are there because RPM's database doesn't include the fact that you built and installed OpenSSL manually. There should be ready-made packages of OpenSSL in the same directory as the one you got OpenSSH from.

If you don't use the RPM packages, you can still get things running by adding the directory your libcrypto was installed in to /etc/ld.so.conf, running "/sbin/ldconfig", and installing OpenSSH using RPM's "--nodeps" flag.

If you're uncertain of where OpenSSL got installed, running 'find /usr -name "libcrypto*" -print' should give you a listing of any files under /usr with names that start with libcrypto.

Nalin

From jamest at math.ksu.edu Fri Mar 31 00:11:30 2000
From: jamest at math.ksu.edu (James Thompson)
Date: Thu, 30 Mar 2000 08:11:30 -0600 (CST)
Subject: Password and RH 6.1
In-Reply-To:
Message-ID:

>
> I have come to the conclusion that on a package managed system like RH,
> any software that does not live in a user's own directories, should
> always be built and installed as packages.

As an alternative you can use Stow (http://www.gnu.org/software/stow/). It's simple to use and lets you avoid the IMHO nightmare of non-relocatable RPMs. Real nice if you want to install, say GNOME, on an NFS mounted /usr/local and share it among workstations.

James

->->->->->->->->->->->->->->->->->->---<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<
James Thompson    138 Cardwell Hall    Manhattan, Ks 66506    785-532-0561
Kansas State University    Department of Mathematics
->->->->->->->->->->->->->->->->->->---<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<

From mouring at pconline.com Fri Mar 31 02:12:07 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Thu, 30 Mar 2000 10:12:07 -0600 (CST)
Subject: ssh.com gossip.
Message-ID:

http://www.newsalert.com/bin/story?StoryId=CoolFubKbytaWmZm

Version 2.1 of ssh is out for sale. $89 for the client, and $399 for the server.

Joy, Joy..

Ben Lindstrom

...We now return you to the Microsoft trials...

From mw at moni.msci.memphis.edu Fri Mar 31 02:53:14 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Thu, 30 Mar 2000 10:53:14 -0600
Subject: Password and RH 6.1
In-Reply-To: ; from paul@cuenet.com on Wed, Mar 29, 2000 at 11:22:53PM -0800
References:
Message-ID: <20000330105314.B17299@moni.msci.memphis.edu>

On Wed, Mar 29, 2000 at 11:22:53PM -0800, Paul Thomas wrote:
>
> Jim Knoble said:
>
> >Paul, i think you misunderstand. The OpenSSH RPMs are not provided by
> >Red Hat. They're built by Damien Miller (who also coordinates the
> >non-BSD port of OpenSSH) and are available in the same location you
> >downloaded the OpenSSH source from.
>
> I just figured this out. I apologize, I am new to Red Hat and I
> just don't think to grab an RPM when I need to install something.
>
> >Since Damien builds OpenSSH and uses it on Red Hat Linux 6.1 systems,
> >there must be something funky about either the configuration of your
> >system or the way you configured and compiled OpenSSH. Please help us
> >help you and discover what the differences are.
>
> This is possible. I just tried to install Damien's RPM and get
> the following:
>
> [root at chime src]# rpm -ivh openssh-1.2.3-1.i386.rpm
> error: failed dependencies:
> openssl is needed by openssh-1.2.3-1
> openssl is needed by openssh-1.2.3-1
> libcrypto.so.0 is needed by openssh-1.2.3-1
>

The linux shared libraries from openssl are apparently needed by the openssh package. So you need to build and install them too, and then install openssh with

rpm -Uvh --nodeps openssh...

But I think you are better off with installing openssl* rpms instead of installing the openssl libraries by hand. After removing your openssl installation, just issue

rpm -Uvh ftp://thermo.stat.ncsu.edu/pub/openssh/files/support/openssl-0.9.4-3.i386.rpm

and possibly

rpm -Uvh ftp://thermo.stat.ncsu.edu/pub/openssh/files/support/openssl-devel-0.9.4-3.i386.rpm

Mate

From mw at moni.msci.memphis.edu Fri Mar 31 03:26:59 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Thu, 30 Mar 2000 11:26:59 -0600
Subject: OpenSSH-1.2.3: More info on ulimit problem
In-Reply-To: <20000330062356.C5614@quipu.earth>; from jmknoble@pobox.com on Thu, Mar 30, 2000 at 06:23:57AM -0500
References: <20000329012632.B23215@quipu.earth> <20000330062356.C5614@quipu.earth>
Message-ID: <20000330112659.D17299@moni.msci.memphis.edu>

On Thu, Mar 30, 2000 at 06:23:57AM -0500, Jim Knoble wrote:
> On 2000-Mar-29 at 01:26:32 -0500, Jim Knoble wrote:
>
> : The ulimit problem appears to have reared its head again with
> : openssh-1.2.3, under Red Hat Linux 6.1 (kernel-2.2.12, glibc-2.1.2,
> : egcs-1.1.2, openssl-0.9.5, pam-0.68, pwdb-0.60):
>
> [...]
>
> : $ ssh localhost
> : Last login: Wed Mar 29 01:10:36 2000 from quipu.earth
> : You have mail.
> : ulimit: cannot raise limit: Operation not permitted
> :   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Further info: openssh-1.2.3 appears to be ignoring /etc/pam.d/sshd.
> The following pam file ought not to allow me to login via ssh:
>
>   #%PAM-1.0
>   auth       required     /lib/security/pam_deny.so
>   account    required     /lib/security/pam_deny.so
>   password   required     /lib/security/pam_deny.so
>   session    required     /lib/security/pam_deny.so
>
> Yet, i can still log in as though nothing were wrong. sshd appears to
> be linked against the PAM libs:
>
>   # ldd /usr/sbin/sshd
>           libdl.so.2 => /lib/libdl.so.2 (0x40018000)
>           libnsl.so.1 => /lib/libnsl.so.1 (0x4001c000)
>           libz.so.1 => /usr/lib/libz.so.1 (0x40032000)
>           libutil.so.1 => /lib/libutil.so.1 (0x40041000)
>           libpam.so.0 => /lib/libpam.so.0 (0x40044000)
>           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>           libcrypto.so.0 => /usr/lib/libcrypto.so.0 (0x4004c000)
>           libc.so.6 => /lib/libc.so.6 (0x400fd000)
>           /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
>
> And i'm certain i didn't build with '--without-pam':
>
>   $ grep -B 2 -A 7 '\./configure' openssh.jmk.spec
>   %build
>   CFLAGS="${RPM_OPT_FLAGS}" \
>   ./configure \
>       --prefix="%{Prefix}" \
>       --sysconfdir="%{EtcDir}" \
>       --with-ipv4-default \
>       --with-tcp-wrappers \
>       --with-default-path="/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"
>
>   make
>
> I'm mystified. Damien, can you confirm whether anything similar to
> this is happening for you under RHL-6.1?
>

I am running rh 6.2beta and 6.1, and all is well with pam. When I tried your sshd pam file, I could not log in. I am using the official rpms:

    rpm -q openss{h,l}
    openssh-1.2.3-1
    openssl-0.9.4-3

But of course, I can verify the ulimit stuff.

Mate

From jmknoble at pobox.com Fri Mar 31 07:07:57 2000
From: jmknoble at pobox.com (Jim Knoble)
Date: Thu, 30 Mar 2000 16:07:57 -0500
Subject: Password and RH 6.1
In-Reply-To: ; from James Thompson on Thu, Mar 30, 2000 at 08:11:30AM -0600
References:
Message-ID: <20000330160757.B29403@ntrnet.net>

Gaaah! Don't use stow. It's old and breaks easily. Use epkg:

    http://encap.cso.uiuc.edu/epkg/

--
jim knoble
jmknoble at pobox.com

On 2000-Mar-30 at 08:11:30 -0600, James Thompson wrote:
: As an alternative you can use Stow (http://www.gnu.org/software/stow/).
: It's simple to use and lets you avoid the IMHO nightmare of
: non-relocatable RPMs. Real nice if you want to install, say GNOME, on an
: NFS mounted /usr/local and share it among workstations.

From Jay at aol.com Fri Mar 31 07:16:05 2000
From: Jay at aol.com (Jay at aol.com)
Date: Thu, 30 Mar 2000 16:16:05 EST
Subject: 1.2.3pre2 works great on Solaris 2.7 except man
Message-ID: <92.2f89dda.26151e15@aol.com>

In a message dated 3/15/00 8:20:01 PM Eastern Standard Time, djm at mindrot.org writes:

> > Right out of the box (after I made Damien's LDFLAGS fix in configure) using
> > gcc-2.95.2. The only problem I have now is the man pages. I still can't
> > read them using Solaris nroff, and when I tried to build with
> > --with-catman=cat, I got the following during a make install:
> >
> > /rtr/bin/install -c -m 644 ssh.[01].out /usr/local/man/cat1/ssh.1
> > Try `/rtr/bin/install --help' for more information.
>
> Strange - it seems to work OK for me. Is that GNU install in
> /rtr/bin/install?

Nope:

    /rtr/bin/install:
    SunOS 5.5 Generic November 1995

From djm at mindrot.org Fri Mar 31 09:35:55 2000
From: djm at mindrot.org (Damien Miller)
Date: Fri, 31 Mar 2000 09:35:55 +1000 (EST)
Subject: 1.2.3pre2 works great on Solaris 2.7 except man
In-Reply-To: <92.2f89dda.26151e15@aol.com>
Message-ID:

On Thu, 30 Mar 2000 Jay at aol.com wrote:

> /rtr/bin/install:
> SunOS 5.5 Generic November 1995

You can work around the incompatibility by using

    make install INSTALL=`pwd`/install-sh

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From alex at forbin.diebold.net Fri Mar 31 18:31:19 2000
From: alex at forbin.diebold.net (Alex)
Date: Fri, 31 Mar 2000 03:31:19 -0500 (EST)
Subject: anomalous wtmp logging bug
Message-ID:

I've noticed rather strange wtmp logging behavior in sshd. Can anyone confirm or solve the following:

Once a user authenticates themself to sshd, sshd among other things records the login in the wtmp, which `last` reads. However, sshd logs hostnames which are longer than 16 characters instead of IPs like normal programs would. As a result, I have useless entries such as:

    tempest  ttyp4  1cust126.tnt5.ta  Sat Mar 11 22:33 - 14:03 (15:29)

from which there is no way of telling what IP that was from. One option I found was the UseLogin option, where openssh authenticates via login(1). This would work correctly, but the wtmp logging was awkward:

    tempest  ttyp4  63.10.229.126     Sat Mar 11 22:33 - 14:03 (15:29)
    tempest  ttyp4  1cust126.tnt5.ta  Sat Mar 11 22:33   still logged in

Instead of only login(1) making the entry, both login(1) and sshd did; however, login(1) logged it correctly (via only the IP), but sshd also logged it, incorrectly, and didn't 'log the user off' properly.

How can I make sshd log via ONLY login(1) w/o sshd re-logging the event, OR how can I make sshd do the logging properly (not logging hostnames that get cut off)?

The OpenSSH version I'm working with is 1.2.2 on a FreeBSD system.

Thanks in advance.

Regards,
Alex

From djm at mindrot.org Fri Mar 31 19:42:52 2000
From: djm at mindrot.org (Damien Miller)
Date: Fri, 31 Mar 2000 19:42:52 +1000 (EST)
Subject: OpenSSH-1.2.3: More info on ulimit problem
In-Reply-To: <20000330062356.C5614@quipu.earth>
Message-ID:

On Thu, 30 Mar 2000, Jim Knoble wrote:

> I'm mystified. Damien, can you confirm whether anything similar to
> this is happening for you under RHL-6.1?

I can't replicate this - a pam_deny.so will indeed lock me out.

You don't have an old binary floating around? What does "ident `which sshd` | grep pam" say?

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Fri Mar 31 19:48:50 2000
From: djm at mindrot.org (Damien Miller)
Date: Fri, 31 Mar 2000 19:48:50 +1000 (EST)
Subject: anomalous wtmp logging bug
In-Reply-To:
Message-ID:

On Fri, 31 Mar 2000, Alex wrote:

> I've noticed rather strange wtmp logging behavior in sshd. Can anyone
> confirm or solve the following:
>
> Once a user authenticates themself to sshd, sshd among other things
> records the login in the wtmp, which `last` reads. However, sshd
> logs hostnames which are longer than 16 characters instead of IPs
> like normal programs would. As a result, I have useless entries
> such as:

OpenSSH logs both hostname and IP address if your wtmp supports it. Under RedHat Linux I can get the IP addresses using "last -i".

If you would prefer IP addresses being logged instead of hostnames, you may want to hack on login.c. grep for ut_host and ut_addr.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From jmknoble at pobox.com Fri Mar 31 20:04:25 2000
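An added example, not OpenSSH's login.c, of the failure mode in Alex's report and the ut_host choice Damien points at: a constructed utmp-style record with a 16-byte ut_host (the classic BSD width, assumed here rather than read from any system header), a fill routine that reports when a value did not fit, and a fallback to the peer address when the hostname would be cut off. The long hostname is constructed; the address is the one from the post.

```c
#include <stdio.h>
#include <string.h>

/* Assumed classic BSD width of ut_host; check <utmp.h> on the real system. */
#define DEMO_UT_HOSTSIZE 16

/* Constructed stand-in for a utmp/wtmp record; layout is illustrative only. */
struct demo_utmp {
    char ut_line[8];
    char ut_name[16];
    char ut_host[DEMO_UT_HOSTSIZE];   /* may lack a NUL when completely full */
};

/* Copy src into a fixed-width, zero-padded field.
 * Returns 1 if src did not fit whole: the "1cust126.tnt5.ta" case. */
int fill_field(char *dst, size_t size, const char *src)
{
    size_t len = strlen(src);
    memset(dst, 0, size);
    memcpy(dst, src, len < size ? len : size);
    return len > size;
}

/* Defensive choice for ut_host: keep the hostname only if it fits whole;
 * otherwise record the dotted-quad address, which always fits in 16 bytes
 * and is what an investigator needs to identify the peer later. */
const char *choose_ut_host(const char *hostname, const char *ip)
{
    return strlen(hostname) <= DEMO_UT_HOSTSIZE ? hostname : ip;
}

/* Fixed-width fields need not be NUL-terminated: bound the width explicitly
 * instead of trusting strlen(), as last(1) must. */
void print_entry(const struct demo_utmp *u)
{
    printf("%-16.16s %-8.8s %-16.16s\n", u->ut_name, u->ut_line, u->ut_host);
}

int main(void)
{
    const char *host = "1cust126.tnt5.example.net";   /* constructed */
    const char *ip = "63.10.229.126";
    struct demo_utmp naive, fixed;

    fill_field(naive.ut_name, sizeof naive.ut_name, "tempest");
    fill_field(naive.ut_line, sizeof naive.ut_line, "ttyp4");
    fill_field(naive.ut_host, sizeof naive.ut_host, host);    /* truncated */
    fixed = naive;
    fill_field(fixed.ut_host, sizeof fixed.ut_host, choose_ut_host(host, ip));
    print_entry(&naive);   /* ut_host column reads 1cust126.tnt5.ex */
    print_entry(&fixed);   /* ut_host column reads 63.10.229.126 */
    return 0;
}
```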
From: jmknoble at pobox.com (Jim Knoble)
Date: Fri, 31 Mar 2000 05:04:25 -0500
Subject: OpenSSH-1.2.3: More info on ulimit problem
In-Reply-To:
References: <20000330062356.C5614@quipu.earth>
Message-ID: <20000331050425.A14785@quipu.earth>

On 2000-Mar-31 at 19:42:52 +1000, Damien Miller wrote:
: On Thu, 30 Mar 2000, Jim Knoble wrote:
:
: > I'm mystified. Damien, can you confirm whether anything similar to
: > this is happening for you under RHL-6.1?
:
: I can't replicate this - a pam_deny.so will indeed lock me out.
:
: You don't have an old binary floating around?

I'm certain i don't; i've never installed ssh or openssh with anything but RPM on this system (or any other software, for that matter).

: What does "ident `which sshd` | grep pam" say?

Hmmm ... this is interesting:

    $ sudo which sshd
    /usr/sbin/sshd
    $ ident /usr/sbin/sshd |grep pam
    $

Also interesting:

    $ strings /usr/sbin/sshd |grep pam
    libpam.so.0
    $

[pause]

Nope, no 'pam' anywhere in sshd. Lack of pam stuff in sshd is obviously the cause of the mysterious behavior i'm seeing, but i'm rather stumped as to why the pam portion of sshd should think it's permissible to quietly walk off set during production.

[pause for configuring and compiling of openssh under observation]

How suspicious. A newly compiled binary includes the 'auth-pam' module. Time for rpm --rebuild.

I'm still rather mystified, but the fault clearly lies somewhere between chair and magnetic medium. Chalk this one up to the gremlins.

--
jim knoble
jmknoble at pobox.com