From patrick at whetstonelogic.com Mon May 1 04:31:15 2000 
From: patrick at whetstonelogic.com (Patrick Gardella)
Date: Sun, 30 Apr 2000 14:31:15 -0400
Subject: OpenSSH ssh-keygen on Solaris8 x86
References: <390B7BB7.824163FC@whetstonelogic.com> <20000429162430.A19514@lisa.cs.purdue.edu>
Message-ID: <390C7BF3.6E028DC6@whetstonelogic.com>

(I've cc'd in Brian Warner, author of egd)

Based on what you sent me, the problem is with egd, and not with OpenSSH,
as suspected.

Running egd in --debug-gather mode, it runs out of sources for entropy,
initially finding 22, but one by one eliminating them. Then it loops:

    ran out of sources
    waiting for a source to become usable again
    Use of uninitialized value at ./egd.pl line 647.
     next available is in -957118987

Line 647 is:

    print STDERR " next available is in ", ($next_available - time()),"\n" if $debug_gather;

It doesn't appear to try to spawn any more sources after that.

I'll dig into egd this afternoon, and try to come up with a fix for it.

Patrick

Brian Carrier wrote:
> 
> Patrick,
> I haven't actually used OpenSSH with EGD, but I've been using EGD for some
> research and have had 0.7 running on Solaris. The only thing I can recommend
> is to run the client program:
> 
> # eg/egc.pl /etc/entropy get
> and
> # eg/egc.pl /etc/entropy readb 256
> 
> The first tells you how much entropy EGD has collected and the second
> does a blocking read (equivalent to the statement in random.c). You can
> also run egd with --debug-client and it will display info on the requests
> it gets, so it will tell you when you run 'make host-key' if there is enough
> entropy for your request. If the readb command returns data, then I would
> assume the problem is somewhere in OpenSSH. If it doesn't return data, then
> EGD is not collecting any entropy from the system commands. At that point,
> you can do a --debug-gather in egd.pl and it will display when the system
> commands return and with how much entropy.
> 
> I don't believe 'make test' does much except test the SHA installation.
> 
> hope this helps,
> brian
> 
> On Sat, Apr 29, 2000 at 08:17:59PM -0400, Patrick Gardella wrote:
> > I'm having a bit of trouble generating a host key on an x86 Solaris 8
> > system.
> > I've gotten the following built and installed:
> > egd-0.7
> > openssl-0.9.5a
> > openssh-1.2.3
> > 
> > My perl version is 5.005_03.
> > 
> > egd is running, and tests fine with the egd "make test" and with:
> > #./egd.pl /etc/entropy get
> > 22 sources found
> > forking into background...
> > server starting
> > 
> > But when I go to "make host-key", it just sits there. Tracking it down,
> > the place it stops is in random.c (line 99):
> > 
> >     c = atomicio(write, random_pool, egd_message, sizeof(egd_message));
> >     if (c == -1)
> >         fatal("Couldn't write to EGD socket \"%s\": %s",
> >             RANDOM_POOL, strerror(errno));
> > 
> >     c = atomicio(read, random_pool, buf, len);    <--------- HERE
> > 
> > It's this last line it never completes (line 99)
> > 
> > I noticed from the list archives that egd-0.7 is fairly new. There was
> > some talk on 4/20 about a similar problem (John Weaver & Brian
> > Carrier), but I don't see any conclusion.
> > 
> > Any thoughts?

-- 
Patrick
----------
Patrick Gardella                patrick at whetstonelogic.com
VP-Technology                   patrick at freebsd.org
Whetstone Logic, Inc.
This space intentionally left blank.
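As an added illustration (not code from OpenSSH or egd) of the request the quoted random.c lines make over the EGD socket, and of why an atomicio()-style wrapper matters for the scp read()/write() fixes discussed elsewhere in this thread: the block below sends EGD's blocking-read command, completes the transfer across short reads and EINTR, and checks both against a constructed daemon reply over a socketpair. The function and struct names (atomicio, egd_read_blocking, drip_read) are mine; the 0x02 command byte followed by a one-byte count is EGD's documented blocking-read request.

```c
/* Added example (not OpenSSH or egd code): the EGD blocking-read exchange
 * the quoted random.c lines perform, with an atomicio()-style wrapper that
 * completes a transfer across short reads/writes and EINTR. EGD's request
 * format (0x02 = blocking read, then a one-byte count; the daemon answers
 * with exactly that many bytes) follows the daemon's documented protocol. */
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

typedef ssize_t (*io_fn)(int, void *, size_t);

/* Move exactly n bytes through f(), retrying on EINTR/EAGAIN and on short
 * transfers. Returns n on success, fewer on early EOF, -1 on a hard error. */
ssize_t atomicio(io_fn f, int fd, void *s, size_t n)
{
    char *p = s;
    size_t done = 0;
    while (done < n) {
        ssize_t r = f(fd, p + done, n - done);
        if (r < 0) {
            if (errno == EINTR || errno == EAGAIN)
                continue;                   /* interrupted: try again */
            return -1;
        }
        if (r == 0)
            break;                          /* peer closed early */
        done += (size_t)r;
    }
    return (ssize_t)done;
}

/* write() takes a const buffer; adapt it to the io_fn signature. */
static ssize_t write_fn(int fd, void *b, size_t n) { return write(fd, b, n); }

/* Ask the EGD daemon on fd for len (1..255) bytes and block until all of
 * them arrive. Returns the count stored in buf, or -1 on failure. */
ssize_t egd_read_blocking(int fd, unsigned char *buf, size_t len)
{
    unsigned char msg[2];
    if (len == 0 || len > 255)
        return -1;
    msg[0] = 0x02;                          /* EGD command: blocking read */
    msg[1] = (unsigned char)len;
    if (atomicio(write_fn, fd, msg, sizeof msg) != (ssize_t)sizeof msg)
        return -1;
    return atomicio(read, fd, buf, len);
}

/* Test double for atomicio(): at most 3 bytes per call, and EINTR on every
 * other call, the way a signal-interrupted socket read behaves. */
struct drip { const char *src; size_t len, pos; int calls; };
static struct drip drip_state;
static ssize_t drip_read(int fd, void *buf, size_t n)
{
    struct drip *d = &drip_state;
    size_t k = d->len - d->pos;
    (void)fd;
    if (++d->calls % 2) { errno = EINTR; return -1; }
    if (k > 3) k = 3;
    if (k > n) k = n;
    memcpy(buf, d->src + d->pos, k);
    d->pos += k;
    return (ssize_t)k;
}

/* 1 if atomicio() reassembles the constructed 13-byte message despite the
 * short reads and EINTRs (5 useful reads, 5 EINTRs), else 0. */
int atomicio_selftest(void)
{
    char out[16];
    struct drip d = { "entropy-bytes", 13, 0, 0 };
    drip_state = d;
    return atomicio(drip_read, -1, out, 13) == 13
        && memcmp(out, "entropy-bytes", 13) == 0 && drip_state.calls == 10;
}

/* Exchange over a socketpair: a constructed daemon reply is queued on the
 * peer end first (with nobody answering, the blocking read would hang, the
 * symptom reported above), then the request bytes are checked. 1 = ok. */
int egd_exchange_selftest(void)
{
    int sv[2], ok = 0;
    unsigned char reply[64], got[64], req[2];
    size_t i;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 0;
    for (i = 0; i < sizeof reply; i++)
        reply[i] = (unsigned char)(i * 7 + 3);     /* constructed, not random */
    if (atomicio(write_fn, sv[1], reply, sizeof reply) == (ssize_t)sizeof reply
        && egd_read_blocking(sv[0], got, sizeof got) == (ssize_t)sizeof got
        && memcmp(got, reply, sizeof got) == 0
        && atomicio(read, sv[1], req, sizeof req) == (ssize_t)sizeof req
        && req[0] == 0x02 && req[1] == 64)
        ok = 1;
    close(sv[0]);
    close(sv[1]);
    return ok;
}
```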
From: ishikawa at yk.rim.or.jp (Ishikawa)
Date: Mon, 01 May 2000 01:14:03 +0900
Subject: scp problems
References: <3908904B.2159CAD2@yk.rim.or.jp> <20000430095916.A86613@isc.upenn.edu>
Message-ID: <390C5BCB.2B06D219@yk.rim.or.jp>

John P Speno wrote:
> > Anyone who has been experiencing problems with scp, please try the
> > attached patch. It replaces all plain read() and write() calls with
> > atomicio() reads and writes().
> 
> It's working! It's working! Thanks Damien.

Great. So this proposed patch would go into the next version?
(Just curious this time about when such an update would be released.)

Happy Hacking
Ishikawa


From: karn at ka9q.ampr.org (Phil Karn)
Date: Sun, 30 Apr 2000 12:20:23 -0700
Subject: Problem finding openssl in openssh-2.0.0test1
Message-ID: <200004301920.MAA00946@homer.ka9q.ampr.org>

Hi. I saw a new release appear today, and I pulled it down to see if
some residual problems in port forwarding from openssh-1.2.3 were
fixed.

The configure script had trouble finding the openssl package, even though
I had it installed in the standard place (/usr/local/ssl). I investigated
and found that the failed test compile was caused by two nonfatal compiler
warnings that memset and RAND_add were being implicitly defined.

As a hackaround I inserted

#include
#include

just before

#include
#include
#include

in the test program. configure succeeded, and so did the subsequent compile.

I'm rather unfamiliar with the conventions for configure scripts, so I
don't know if this is the right way to fix the problem.

Phil
From: karn at ka9q.ampr.org (Phil Karn)
Date: Sun, 30 Apr 2000 15:16:01 -0700
Subject: Feature request: scp not overwriting existing files
In-Reply-To: (openssh-unix-dev.mindrot.org@marc-haber.de)
Message-ID: <200004302216.PAA02216@homer.ka9q.ampr.org>

>I would like to have an option to have scp refrain from overwriting
>target files if they already exist. Default behavior needs to be

I agree, this would be useful.

As a workaround, you can run rsync on top of ssh instead of using scp.
rsync has all sorts of useful options, including --update, which inhibits
overwriting of newer files with the same name, and --backup, which makes
backup copies of overwritten files.

Phil
From: patrick at whetstonelogic.com (Patrick Gardella)
Date: Mon, 01 May 2000 00:43:51 -0400
Subject: OpenSSH ssh-keygen on Solaris8 x86
References: <390B7BB7.824163FC@whetstonelogic.com> <20000429162430.A19514@lisa.cs.purdue.edu> <390C7BF3.6E028DC6@whetstonelogic.com> <20000430215653.22907.qmail@luther.lothar.com>
Message-ID: <390D0B87.5892619B@whetstonelogic.com>

The patched version below does indeed work for what I've tried so far.

The only thing I would suggest adding to the documentation for egd is a
slightly modified copy of your text for GPG. I'll send it to you in
another message.

Patrick

Brian Warner wrote:
> 
> > Based on what you sent me, the problem is with egd, and not with
> > OpenSSH, as suspected.
> 
> Yup. There's a bug in select() handling in egd-0.7 that is exposed on recent
> versions of Solaris (and possibly Irix). The symptom is the "ran out of
> sources" message. (in short, select()ing for readability and exception-ability
> will sometimes return both when an fd is at EOF, so you must try reading first
> before believing the exception).
> 
> I've got a patched version of egd.pl up for test at
> that all are welcome to try. Feedback
> is most welcome. I'm especially interested in hearing about whether clients
> who terminate early (killed mid-transaction) cause the daemon to get confused,
> since that feels like the most likely bug that could result from shuffling
> those two blocks of code.
> 
> BTW, if there is any openssh-specific documentation you'd like me to put into
> the egd docs, just let me know. Something like "How to use EGD with OpenSSH"
> to complement the GPG section. (I guess I should talk to the OpenSSL folks
> about the same thing..)
> 
> > Brian Carrier wrote:
> > > 
> > > I don't believe 'make test' does much except test the SHA installation.
> 
> The 0.6 'make test' did only that. The test.pl in 0.7 actually starts the
> daemon and does a few quick client commands to make sure it basically works.
> If it isn't doing that when you do 'make test', let me know.
> 
> cheers,
>  -Brian (warner)

-- 
Patrick
----------
Patrick Gardella                patrick at whetstonelogic.com
VP-Technology                   patrick at freebsd.org
Whetstone Logic, Inc.
This space intentionally left blank.


From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 1 May 2000 10:05:16 +0200
Subject: Problem finding openssl in openssh-2.0.0test1
In-Reply-To: <200004301920.MAA00946@homer.ka9q.ampr.org>; from karn@ka9q.ampr.org on Sun, Apr 30, 2000 at 12:20:23PM -0700
References: <200004301920.MAA00946@homer.ka9q.ampr.org>
Message-ID: <20000501100516.A11160@folly.informatik.uni-erlangen.de>

On Sun, Apr 30, 2000 at 12:20:23PM -0700, Phil Karn wrote:
> Hi. I saw a new release appear today, and I pulled it down to see if
> some residual problems in port forwarding from openssh-1.2.3 were
> fixed.

what problems are you seeing?

-markus
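The "try reading before believing the exception" rule from Brian Warner's reply on the egd-0.7 select() bug above, as an added example in C that is not egd's own code: poll_source() and drain_source() are illustrative names of mine, and the pipe in the self-test stands in for a gatherer command's output.

```c
/* Added example, not egd's code: the rule from Brian Warner's explanation
 * above, in C. egd-0.7 gave up on a source when select() flagged its fd in
 * the exception set; on some systems an fd at EOF is reported in both the
 * read and exception sets, so the exception is only believed after read()
 * has said what is really there. */
#include <errno.h>
#include <string.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

enum source_state { SRC_IDLE, SRC_DATA, SRC_EOF, SRC_ERROR };

/* Wait up to timeout_ms for activity on fd, then read. Returns SRC_DATA
 * with *got bytes in buf, SRC_EOF once the source has really finished,
 * SRC_IDLE on timeout or EINTR, SRC_ERROR only for a hard read() error. */
enum source_state poll_source(int fd, char *buf, size_t cap, size_t *got,
                              int timeout_ms)
{
    fd_set rfds, efds;
    struct timeval tv;
    ssize_t r;
    int n;

    *got = 0;
    FD_ZERO(&rfds);
    FD_ZERO(&efds);
    FD_SET(fd, &rfds);
    FD_SET(fd, &efds);
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;

    n = select(fd + 1, &rfds, NULL, &efds, &tv);
    if (n < 0)
        return errno == EINTR ? SRC_IDLE : SRC_ERROR;
    if (n == 0)
        return SRC_IDLE;

    /* Read first, whatever select() flagged: a positive count means the
     * exception bit was noise; zero is the real end of the source. */
    r = read(fd, buf, cap);
    if (r > 0) {
        *got = (size_t)r;
        return SRC_DATA;
    }
    if (r == 0)
        return SRC_EOF;
    if (errno == EINTR || errno == EAGAIN)
        return SRC_IDLE;
    return SRC_ERROR;
}

/* Drain a source until it closes (or max_polls is reached), counting the
 * bytes that arrived and the polls made. Returns the final state: SRC_EOF
 * for a source that ended normally, SRC_ERROR for the only case in which a
 * gatherer should mark the source unusable. */
enum source_state drain_source(int fd, size_t *total, int *polls, int max_polls)
{
    char buf[64];
    size_t got;
    enum source_state st;

    *total = 0;
    *polls = 0;
    do {
        st = poll_source(fd, buf, sizeof buf, &got, 1000);
        *total += got;
        (*polls)++;
    } while ((st == SRC_DATA || st == SRC_IDLE) && *polls < max_polls);
    return st;
}

/* Self-test on a pipe standing in for a gatherer command's stdout: a
 * constructed line of output is written, the writer closes, and the reader
 * must see the data and then a clean EOF. Returns 1 on success. */
int poll_source_selftest(void)
{
    int p[2], polls, ok;
    size_t total;
    static const char line[] = "constructed uptime output\n";

    if (pipe(p) < 0)
        return 0;
    if (write(p[1], line, sizeof line - 1) != (ssize_t)(sizeof line - 1))
        return 0;
    close(p[1]);                            /* the command has exited */
    ok = drain_source(p[0], &total, &polls, 10) == SRC_EOF
        && total == sizeof line - 1 && polls == 2;
    close(p[0]);
    return ok;
}
```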
From: djm at mindrot.org (Damien Miller)
Date: Mon, 1 May 2000 20:52:56 +1000 (EST)
Subject: Problem finding openssl in openssh-2.0.0test1
In-Reply-To: <200004301920.MAA00946@homer.ka9q.ampr.org>

On Sun, 30 Apr 2000, Phil Karn wrote:

> Hi. I saw a new release appear today, and I pulled it down to see if
> some residual problems in port forwarding from openssh-1.2.3 were
> fixed.
> 
> The configure script had trouble finding the openssl package, even though
> I had it installed in the standard place (/usr/local/ssl). I investigated
> and found that the failed test compile was caused by two nonfatal compiler
> warnings that memset and RAND_add were being implicitly defined.
> 
> As a hackaround I inserted
> 
> #include
> #include

That's perfect - applied.

Thanks,
Damien Miller

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)


From: domi at saargate.de (Dominik Brettnacher)
Date: Mon, 1 May 2000 13:28:42 +0200 (CEST)
Subject: FreeBSD issues and fix

Hi,

in order to make openssh-1.2.3 compile successfully on FreeBSD 4.0-STABLE
with IPv6 support, configure has to be changed to include in the ipv6
checks. Maybe this patch can be applied to the openssh distribution:

--- configure.orig Mon May 1 12:06:56 2000 +++ configure Mon May 1 12:09:16 2000 @@ -2455,6 +2455,7 @@ cat > conftest.$ac_ext < #include int main() { struct sockaddr_in6 s; s.sin6_family = 0; @@ -2483,6 +2484,7 @@ cat > conftest.$ac_ext < #include int main() { struct in6_addr s; s.s6_addr[0] = 0;

Another problem is the "scp: command not found" issue: in my opinion it
would be good to include "/usr/local/bin" in the default PATH because
"/usr/local" is also the default prefix.

-- 
Dominik - http://www.brettnacher.org/users/dominik/
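Review bot: the two hunks in Dominik Brettnacher's configure patch above (at @@ -2455 and @@ -2483) change the generated configure script rather than the configure.in it is built from, so the extra #include in both IPv6 conftest programs will disappear the next time configure is regenerated with autoconf; make the same addition to the corresponding tests in configure.in and regenerate instead. Also, the added include line in the archived copy of both hunks reads as a bare #include with no header name, so the patch needs to be resent with the header intact before it can be applied.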
From: karn at ka9q.ampr.org (Phil Karn)
Date: Mon, 1 May 2000 08:49:13 -0700
Subject: Problem finding openssl in openssh-2.0.0test1
In-Reply-To: <20000501100516.A11160@folly.informatik.uni-erlangen.de> (message from Markus Friedl on Mon, 1 May 2000 10:05:16 +0200)
References: <200004301920.MAA00946@homer.ka9q.ampr.org> <20000501100516.A11160@folly.informatik.uni-erlangen.de>
Message-ID: <200005011549.IAA05125@homer.ka9q.ampr.org>

>> Hi. I saw a new release appear today, and I pulled it down to see if
>> some residual problems in port forwarding from openssh-1.2.3 were
>> fixed.

>what problems are you seeing?

I'm not actually sure it's SSH. I'm websurfing across a SSH tunnel, and
there are a lot of components in the path. I'll test some more.

Phil


From: openssh-unix-dev.mindrot.org at marc-haber.de (Marc Haber)
Date: Mon, 01 May 2000 20:54:36 GMT
Subject: Feature request: scp not overwriting existing files
In-Reply-To: <200004302216.PAA02216@homer.ka9q.ampr.org>
References: <200004302216.PAA02216@homer.ka9q.ampr.org>

On Sun, 30 Apr 2000 15:16:01 -0700, you wrote:
>As a workaround, you can run rsync on top of ssh instead of using scp.

That'd require an rsyncd on the remote host. Never touch a running
system ;-)

Greetings
Marc

-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Karlsruhe, Germany |     Beginning of Wisdom "     | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 1 May 2000 22:53:23 +0200
Subject: Feature request: scp not overwriting existing files
In-Reply-To: ; from openssh-unix-dev.mindrot.org@marc-haber.de on Mon, May 01, 2000 at 08:54:36PM +0000
References: <200004302216.PAA02216@homer.ka9q.ampr.org>
Message-ID: <20000501225323.A23408@folly.informatik.uni-erlangen.de>

On Mon, May 01, 2000 at 08:54:36PM +0000, Marc Haber wrote:
> On Sun, 30 Apr 2000 15:16:01 -0700, you wrote:
> >As a workaround, you can run rsync on top of ssh instead of using scp.
> 
> That'd require an rsyncd on the remote host. Never touch a running
> system ;-)

it does not require rsyncd, just a rsync binary somewhere on the remote host.


From: johnh at aproposretail.com (John Hardin)
Date: Mon, 01 May 2000 15:02:03 -0700
Subject: Status of SSH 2.0 protocol support?
Message-ID: <390DFEDB.DBA69906@aproposretail.com>

Just to bring everyone up to date, could we get a report on the status
of support for the 2.x protocol? The home page says "next major release"
- is that 1.3 or 2.0? And is there any feel for when it'll be generally
available?

-- 
John Hardin
Internal Systems Administrator
Apropos Retail Management Systems, Inc.
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 2 May 2000 00:57:07 +0200
Subject: Status of SSH 2.0 protocol support?
In-Reply-To: <390DFEDB.DBA69906@aproposretail.com>; from johnh@aproposretail.com on Mon, May 01, 2000 at 03:02:03PM -0700
References: <390DFEDB.DBA69906@aproposretail.com>
Message-ID: <20000502005706.A4933@folly.informatik.uni-erlangen.de>

On Mon, May 01, 2000 at 03:02:03PM -0700, John Hardin wrote:
> Just to bring everyone up to date, could we get a report on the status
> of support for the 2.x protocol?

why do you want SSH2?

% cat README.openssh2
$Id: README.openssh2,v 1.7 2000/04/28 08:10:20 markus Exp $

howto:

1) generate server key:
        $ ssh-keygen -d -f /etc/ssh_host_dsa_key -N ''
2) enable ssh2:
        server: add 'Protocol 2,1' to /etc/sshd_config
        client: ssh -o 'Protocol 2,1', or add to .ssh/config
3) DSA authentication similar to RSA (add keys to ~/.ssh/authorized_keys2)
   interop w/ ssh.com dsa-keys:
        ssh-keygen -f /key/from/ssh.com -X >> ~/.ssh/authorized_keys2
   and vice versa
        ssh-keygen -f /privatekey/from/openssh -x > ~/.ssh2/mykey.pub
        echo Key mykey.pub >> ~/.ssh2/authorization

works:
        secsh-transport:
                works w/o rekey
                proposal exchange, i.e. different enc/mac/comp per direction
                encryption: blowfish-cbc, 3des-cbc, arcfour, cast128-cbc
                mac: hmac-md5, hmac-sha1, (hmac-ripemd160)
                compression: zlib, none
        secsh-userauth:
                passwd and pubkey with DSA
        secsh-connection:
                pty+shell or command, flow control works (window adjust)
                tcp-forwarding: -L works, -R incomplete
                x11-fwd
        dss/dsa:
                host key database in ~/.ssh/known_hosts2
        client interops w/ sshd2, lshd
        server interops w/ ssh2, lsh, ssh.com's Windows client,
                SecureCRT, F-Secure SSH Client 4.0
        server supports multiple concurrent sessions (e.g. with SSH.com Windows client)

todo:
        re-keying
        secsh-connection features: tcp-forwarding, agent-fwd
        auth other than passwd, and DSA-pubkey: keyboard-interactive, (PGP-pubkey?)
        config
        server-auth w/ old host-keys
        cleanup
        advanced key storage?
        keynote
        sftp

-markus

$Date: 2000/04/28 08:10:20 $

> The home page says "next major release"

next major release of OpenBSD, i.e. OpenBSD 2.7

> - is that 1.3 or 2.0? And is there any feel for when it'll be generally
> available?

you can get OpenSSH w/ proto 1 and 2 support from the openbsd cvs right now.

-markus
From: djm at mindrot.org (Damien Miller)
Date: Tue, 2 May 2000 10:32:56 +1000 (EST)
Subject: Announce: openssh-2.0.0beta1

For the last couple of months, the OpenBSD team has been working hard to
implement the SSH2 protocol in OpenSSH. The SSH2 protocol offers a number
of advantages over the SSH1 protocol including standards compliance (SSH2
is on the IETF standards track), improved security and operation without
RSA (which is patented in some countries).

This release of the portable version incorporates this work and adds
inbuilt entropy collection for Unices which lack a kernel random number
pool.

Since there is a lot of new and changed code, we are keen to gather
feedback from users of the new features. In particular:

- SSH2. Please read README.openssh2 and add "Protocol 2,1" to your
  sshd_config and ssh_config.

- Entropy collection. There is little documentation on this so far. If
  your system lacks both a kernel random pool and EGD, a file
  ssh_prng_cmds will be created. This file contains the commands which
  will be used to seed the random number generator. We are interested in
  additional commands and refinements to the current set. Please send in
  the output of "ssh -v", which includes the amounts of entropy gathered.

The beta release is available from
http://violet.ibs.com.au/openssh/files/beta

Note that this release _requires_ OpenSSL 0.9.5 or greater.

Regards,
Damien Miller

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
From: johnh at aproposretail.com (John Hardin)
Date: Mon, 01 May 2000 17:36:39 -0700
Subject: Status of SSH 2.0 protocol support?
References: <390DFEDB.DBA69906@aproposretail.com> <20000502005706.A4933@folly.informatik.uni-erlangen.de>
Message-ID: <390E2317.6019D0A2@aproposretail.com>

Markus Friedl wrote:
> 
> On Mon, May 01, 2000 at 03:02:03PM -0700, John Hardin wrote:
> > Just to bring everyone up to date, could we get a report on the status
> > of support for the 2.x protocol?
> 
> why do you want SSH2?

Doesn't it address the security shortcomings in SSH1? Also, we're looking
at interoperability with a commercial product that may only support SSH2.

> > The home page says "next major release"
> 
> next major release of OpenBSD, i.e. OpenBSD 2.7

Ah! Okay, that makes sense.

> you can get OpenSSH w/ proto 1 and 2 support from the openbsd cvs right now.

...in the currently stable OpenSSH (1.2.3) or in a developer's release?

-- 
John Hardin
Internal Systems Administrator
Apropos Retail Management Systems, Inc.


From: ishikawa at yk.rim.or.jp (Ishikawa)
Date: Wed, 03 May 2000 02:24:02 +0900
Subject: Announce: openssh-2.0.0beta1
Message-ID: <390F0F32.AF880076@yk.rim.or.jp>

Damien Miller wrote:
> The beta release is available from
> http://violet.ibs.com.au/openssh/files/beta
> 
> Note that this release _requires_ OpenSSL 0.9.5 or greater.

Thank you for the great openssh package.
I have downloaded and began testing the beta.

A few things I noticed.

- For unknown reasons, I failed to ftp the .sig file for beta from the au
  site. (Strange. Maybe this is my peculiar netscape bug or something. YMMV.)

- The use of atomicio for read/write that saved the people who experienced
  scp failures is not reflected in scp.c, it seems. read() calls are not
  wrapped in atomicio at all. Most of the write() calls except two are
  wrapped in atomicio.

Happy Hacking,
Ishikawa
From: karn at ka9q.ampr.org (Phil Karn)
Date: Tue, 2 May 2000 11:13:35 -0700
Subject: Announce: openssh-2.0.0beta1
In-Reply-To: (message from Damien Miller on Tue, 2 May 2000 10:32:56 +1000 (EST))
Message-ID: <200005021813.LAA13448@homer.ka9q.ampr.org>

>Note that this release _requires_ OpenSSL 0.9.5 or greater.

If so, then the configure script should be changed to eliminate references
to SSLeay, especially the message

checking for OpenSSL/SSLeay directory ...

When I had the problem I reported the other day in finding openssl, I was
initially confused by this message because I had SSLeay but not OpenSSL
already installed on my system.

Phil


From: xavier.coudin at wanadoo.fr (Xavier COUDIN)
Date: Wed, 3 May 2000 03:40:37 +0200
Subject: Pb with password
Message-ID: <00050303460302.01542@serveur.xcoudin.fr>

Hi

I am trying to use OpenSSH under Linux RH 5.2

I am facing this problem: OpenSSH is working almost well, with 1 big and
SERIOUS exception: whatever the password I give (except an empty
password), the connection is accepted. This means anybody can intrude
into my computer by giving any kind of password.

I believe the problem is coming from the PAM functionality, and especially
the file "/etc/pam.d/sshd". Am I right?

If yes (and also if NO) please can somebody tell me the solution, and
eventually send me the correct version of the file "/etc/pam.d/sshd"

-- 
Xavier COUDIN
member of AFUL-Lorraine
gsm : 06 81 19 18 92
From: gem at rellim.com (Gary E. Miller)
Date: Tue, 2 May 2000 17:20:28 -0700 (PDT)
Subject: Announce: openssh-2.0.0beta1

Yo Damien!

Hooray! All it took to build on UnixWare 7.1.0 was:
        ./configure && make && make install

I also edited the ssh*_config files as required.

All the old stuff works fine so far and no more EGD!

opensshd:

I was unable to connect to the new sshd with SecureCRT Ver 3.0. If:

I connect from that with 3DES or RC4 I get:
        "disconnect, reason code: 2" ??

If I connect from that with twofish, it says:
        "no compatible ciphers".

Blowfish is not a SecureCRT option with SSH2.

Similar results connecting from ssh 2.0.13 on Linux to opensshd

ossh:

openssh was able to connect out to ssh ver 2.0.13.

On Tue, 2 May 2000, Damien Miller wrote:

> The beta release is available from
> http://violet.ibs.com.au/openssh/files/beta

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676


From: gem at rellim.com (Gary E. Miller)
Date: Tue, 2 May 2000 17:26:00 -0700 (PDT)
Subject: Announce: openssh-2.0.0beta1

Yo Damien!

Ooops, I forgot to say that the ssh1 protocol works fine, I only had
problems with the ssh2 protocol inbound.

RGDS
GARY

On Tue, 2 May 2000, Gary E. Miller wrote:

> I was unable to connect to the new sshd with SecureCRT Ver 3.0. If:
[...]

---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 3 May 2000 08:53:53 +0200
Subject: Announce: openssh-2.0.0beta1
In-Reply-To: ; from gem@rellim.com on Tue, May 02, 2000 at 05:20:28PM -0700
Message-ID: <20000503085353.A27028@folly.informatik.uni-erlangen.de>

Could you please provide the debugging output from the sshd? e.g.,
start with
        # sshd -d -p 2222
I used SecureCRT while adding my SSH2 support to OpenSSH and it did
work fine (3des and rc4). Also, make sure you select "Standard"
instead of datafellows server.

-markus

On Tue, May 02, 2000 at 05:20:28PM -0700, Gary E. Miller wrote:
> Yo Damien!
> 
> Hooray! All it took to build on UnixWare 7.1.0 was:
>         ./configure && make && make install
> 
> I also edited the ssh*_config files as required.
> 
> All the old stuff works fine so far and no more EGD!
> 
> opensshd:
> 
> I was unable to connect to the new sshd with SecureCRT Ver 3.0. If:
> 
> I connect from that with 3DES or RC4 I get:
>         "disconnect, reason code: 2" ??
> 
> If I connect from that with twofish, it says:
>         "no compatible ciphers".
> 
> Blowfish is not a SecureCRT option with SSH2.
> 
> Similar results connecting from ssh 2.0.13 on Linux to opensshd
> 
> ossh:
> 
> openssh was able to connect out to ssh ver 2.0.13.
> 
> On Tue, 2 May 2000, Damien Miller wrote:
> 
> > The beta release is available from
> > http://violet.ibs.com.au/openssh/files/beta
> 
> RGDS
> GARY
> ---------------------------------------------------------------------------
> Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
> gem at rellim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676
> 
From: chrisdp at armscor.co.za (Chris du Preez)
Date: Wed, 03 May 2000 11:46:14 +0200
Subject: Openssh on Redhat
References: <20000503085353.A27028@folly.informatik.uni-erlangen.de>
Message-ID: <390FF566.D68CC8CD@armscor.co.za>

I'm running Redhat 6.2 with kernel version 2.2.14-5. When I try to install
openssh from the rpms I get a message "openssl is needed by openssh-1.2.3-1"
and "libcrypto.so.0 is needed by openssh-1.2.3-1". I will appreciate it if
someone can tell me what is needed to install before I can install Openssh


From: pucko at lysator.liu.se (Magnus Holmberg)
Date: Wed, 3 May 2000 11:52:37 +0200 (CEST)
Subject: Openssh on Redhat
In-Reply-To: <390FF566.D68CC8CD@armscor.co.za>

Install openssl
check for it on http://rufus.w3.org/linux/RPM/OByName.html

/M

On Wed, 3 May 2000, Chris du Preez wrote:

> I'm running Redhat 6.2 with kernel version 2.2.14-5. When I try to install
> openssh from the rpms I get a message "openssl is needed by openssh-1.2.3-1"
> and "libcrypto.so.0 is needed by openssh-1.2.3-1". I will appreciate it if
> someone can tell me what is needed to install before I can install Openssh
> 
> 

-- 
--==** LIVETS VATTEN **==--
From: Nigel.Metheringham at VData.co.uk (Nigel Metheringham)
Date: Wed, 03 May 2000 11:15:42 +0100
Subject: Openssh on Redhat
In-Reply-To: Message from Chris du Preez of "Wed, 03 May 2000 11:46:14 +0200." <390FF566.D68CC8CD@armscor.co.za>

You need the openssl library set (contains the crypto libraries).
These are available as a Red Hat contrib package. You can also build
from source - see the openssl site for locations.

Relevant URLs:-
  http://www.rpmfind.net/linux/RPM/contrib/libc6/i386/openssl-0.9.5-1.i386.html
  http://www.rpmfind.net/linux/RPM/contrib/libc6/i386/openssl-devel-0.9.5-1.i386.html
  (you don't need the devel package unless you are compiling things)
  http://www.openssl.org/

[There does not seem to be an rpm for the 0.9.5a release yet]

        Nigel.
-- 
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham                   Nigel.Metheringham at VData.co.uk ]
[ Phone: +44 1423 850000                         Fax +44 1423 858866 ]


From: nalin at redhat.com (Nalin Dahyabhai)
Date: Wed, 3 May 2000 08:50:23 -0400
Subject: Openssh on Redhat
In-Reply-To: ; from Nigel.Metheringham@VData.co.uk on Wed, May 03, 2000 at 11:15:42AM +0100
Message-ID: <20000503085023.C16716@devserv.devel.redhat.com>

On Wed, May 03, 2000 at 11:15:42AM +0100, Nigel Metheringham wrote:
> You need the openssl library set (contains the crypto libraries).
> [snip]
> 
> [There does not seem to be an rpm for the 0.9.5a release yet]

RPM packages for 0.9.5a have been on Damien's FTP server for some time now,
in the "support" subdirectory.

Cheers,

Nalin
From: speno at isc.upenn.edu (John P Speno)
Date: Wed, 3 May 2000 09:59:23 -0400
Subject: SIA support patches for Tru64 UNIX
Message-ID: <20000503095923.B94392@isc.upenn.edu>

I think I'm ready with the SIA (Security Integration Architecture) patches
for Tru64 UNIX. All of the code was written by Tom Woodburn, an engineer at
Compaq. I've only performed integration and testing of the patches with more
help from Tom. Tom's original patches were included in the "other" ssh. We'd
both like to see SIA support get into OpenSSH.

SIA provides PAM-like functionality on Tru64 UNIX systems. There are two
choices for SIA out of the box: base or enhanced security. Base security is
plain old BSD-style /etc/passwd. Enhanced Security provides C2 security.
Other SIA modules can be created and added. For example, there are some for
S/Key and Kerberos. These patches should work regardless of a system's
current security mode, however they have only been tested with the two
"default" SIA choices, base and enhanced security.

Anyway, I do need some guidance on how to package them up and there are
still some issues which I haven't solved.

I've got patches for two existing files:

        auth-passwd.c
        sshd.c

I've also got two new files:

        auth-sia.h
        auth-sia.c

How should the patches and files get packaged together? (I'm not sure how
to create a patch for a file where none existed before).

On Tru64 UNIX systems, the USE_SIA macro needs to be defined, and sshd
needs to be built using -lsecurity. I don't know how to hack the configure
process to make this happen. I'd like to learn, but I'd be happy not to
have to learn also. :-)

Thanks.
From: mhw at wittsend.com (Michael H. Warfield)
Date: Wed, 3 May 2000 09:59:45 -0400
Subject: Openssh on Redhat
In-Reply-To: ; from Nigel.Metheringham@VData.co.uk on Wed, May 03, 2000 at 11:15:42AM +0100
Message-ID: <20000503095945.C12031@alcove.wittsend.com>

On Wed, May 03, 2000 at 11:15:42AM +0100, Nigel Metheringham wrote:
> You need the openssl library set (contains the crypto libraries).
> These are available as a Red Hat contrib package. You can also build
> from source - see the openssl site for locations.

> Relevant URLs:-
>   http://www.rpmfind.net/linux/RPM/contrib/libc6/i386/openssl-0.9.5-1.i386.html
>   http://www.rpmfind.net/linux/RPM/contrib/libc6/i386/openssl-devel-0.9.5-1.i386.html
>   (you don't need the devel package unless you are compiling things)
>   http://www.openssl.org/

> [There does not seem to be an rpm for the 0.9.5a release yet]

        Look on the openssh ftp mirror sites under support. They're there.

ftp://thermo.stat.ncsu.edu/pub/openssh/files/support

] -rw-r--r--   1      665035 Oct 29  1999 openssl-0.9.4-3.i386.rpm
] -rw-r--r--   1     1564901 Oct 29  1999 openssl-0.9.4-3.src.rpm
] -rw-r--r--   1      934704 Apr 18 04:35 openssl-0.9.5a-1.i386.rpm
] -rw-r--r--   1     1883194 Apr 18 04:35 openssl-0.9.5a-1.src.rpm
] -rw-r--r--   1      524463 Oct 29  1999 openssl-devel-0.9.4-3.i386.rpm
] -rw-r--r--   1      673563 Apr 18 04:35 openssl-devel-0.9.5a-1.i386.rpm
] -rw-r--r--   1      221284 Nov 25 03:10 ssh-openbsd-1999112500.tar.gz

        Curiously enough, they don't even have the plain 0.9.5-1 any more...

        You can also get all the openssh stuff and the openssl rpms via rsync
from here:

rsync -avz --delete --force violet.ibs.com.au::openssh/

        That will get you the whole kit kat and kaboddle which is far more
than what you probably want. ;-)

>         Nigel.
> -- 
> [ - Opinions expressed are personal and may not be shared by VData - ]
> [ Nigel Metheringham                   Nigel.Metheringham at VData.co.uk ]
> [ Phone: +44 1423 850000                         Fax +44 1423 858866 ]

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
From: gem at rellim.com (Gary E. Miller) Date: Wed, 3 May 2000 22:30:35 -0700 (PDT) Subject: Announce: openssh-2.0.0beta1 In-Reply-To: <20000503085353.A27028@folly.informatik.uni-erlangen.de> Message-ID: Yo Markus! I tried setting SecureCRT to "standard" from "datafellows". Now it connects, I get a password prompt and I get disconnected. Nothing in the logs except that sshd accepted my ssh2 connection. I will try the debug stuff on Thursdayy. I also get a LOT of these: May 3 22:23:51 demo sshd[16252]: error: Couldn't wait for child '/usr/bin/uptime ' completion: Interrupted system call May 3 22:23:51 demo sshd[16252]: error: Couldn't wait for child '/usr/bin/ipcs -a' completion: Interrupted system call The commands are (mostly) OK, so any ideas? RGDS GARY On Wed, 3 May 2000, Markus Friedl wrote: > Could you please provide the debugging output from the sshd? e.g., > start with > # sshd -d -p 2222 > I used SecureCRT while adding my SSH2 support to OpenSSH and it did > work fine (3des and rc4). Also, make sure you select "Standard" > instead of datafellows server. > > -markus > > On Tue, May 02, 2000 at 05:20:28PM -0700, Gary E. Miller wrote: > > Yo Damien! > > > > Hooray! All it took to build on UnixWare 7.1.0 was: > > ./configure && make && make install > > > > I also edited the ssh*_config files as required. > > > > All the old stuff works fine so far and no more EGD! > > > > opensshd: > > > > I was unable to connect to the new sshd with SecureCRT Ver 3.0. If: > > > > I connect from that with 3DES or RC4 I get: > > "disconnect, reason code: 2" ?? > > > > If I connect from that with twofish, it says: > > "no compatible ciphers". > > > > Blowfish is not a SecureCRT option with SSH2. > > > > Similar results connecting from ssh 2.0.13 on Linux to opensshd > > > > ossh: > > > > openssh was able to connect out to ssh ver 2.0.13. 
> >
> > On Tue, 2 May 2000, Damien Miller wrote:
> >
> > > The beta release is available from
> > > http://violet.ibs.com.au/openssh/files/beta
> >
> > RGDS
> > GARY
> > ---------------------------------------------------------------------------
> > Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
> > gem at rellim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676
> >
>

---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676

From gem at rellim.com Fri May 5 09:55:46 2000
From: gem at rellim.com (Gary E. Miller)
Date: Thu, 4 May 2000 16:55:46 -0700 (PDT)
Subject: Announce: openssh-2.0.0beta1
In-Reply-To: <20000503085353.A27028@folly.informatik.uni-erlangen.de>
Message-ID:

Yo Markus!

On Wed, 3 May 2000, Markus Friedl wrote:

> Could you please provide the debugging output from the sshd? e.g.,
> start with
> # sshd -d -p 2222
> I used SecureCRT while adding my SSH2 support to OpenSSH and it did
> work fine (3des and rc4). Also, make sure you select "Standard"
> instead of datafellows server.

Here is what I get when I run openssh sshd ver 2.0.0.beta1 on Unixware7
and then connect from a SecureCRT client ver 3.0 set to "standard", 3DES
and ssh2.

bash-2.03# /usr/local/sbin/sshd -d > ssh.log 2>&1
Segmentation Fault

The ssh.log is after my sig.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676

debug: sshd version OpenSSH-2.0
debug: loaded 29 entropy commands from /usr/local/etc/ssh_prng_cmds
debug: Seeding random number generator.
debug: OpenSSL random status is now 0
debug: 3 bytes from system calls
debug: Exit status was 2
debug: Got 0.00 bytes of entropy from /usr/bin/ls
debug: Got 0.39 bytes of entropy from /usr/bin/ls
debug: Got 0.33 bytes of entropy from /usr/bin/ls
debug: Got 0.02 bytes of entropy from /usr/bin/ls
debug: Got 1.73 bytes of entropy from /usr/bin/ls
debug: Got 0.14 bytes of entropy from /usr/bin/ls
debug: Got 2.00 bytes of entropy from /usr/bin/netstat
debug: Got 0.38 bytes of entropy from /usr/bin/netstat
debug: Got 0.11 bytes of entropy from /usr/bin/netstat
debug: Got 0.73 bytes of entropy from /usr/bin/netstat
debug: Got 0.12 bytes of entropy from /usr/sbin/arp
debug: Got 0.11 bytes of entropy from /usr/sbin/ifconfig
debug: Exit status was 1
debug: Got 0.00 bytes of entropy from /sbin/ps
debug: Got 0.51 bytes of entropy from /sbin/ps
debug: Got 2.00 bytes of entropy from /sbin/ps
debug: Got 0.14 bytes of entropy from /usr/bin/w
debug: Exit status was 1
debug: Got 0.00 bytes of entropy from /sbin/who
debug: Got 0.13 bytes of entropy from /usr/bin/last
debug: Got 0.82 bytes of entropy from /sbin/df
debug: Got 0.81 bytes of entropy from /sbin/df
debug: Got 0.00 bytes of entropy from /usr/bin/uptime
debug: Got 0.07 bytes of entropy from /usr/bin/ipcs
debug: Exit status was 2
debug: Got 0.00 bytes of entropy from /usr/bin/tail
debug: Exit status was 2
debug: Got 0.00 bytes of entropy from /usr/bin/tail
debug: Exit status was 2
debug: Got 0.00 bytes of entropy from /usr/bin/tail
debug: Got 2.00 bytes of entropy from /usr/bin/tail
debug: Exit status was 2
debug: Got 0.00 bytes of entropy from /usr/bin/tail
debug: Exit status was 2
debug: Got 0.00 bytes of entropy from /usr/bin/tail
debug: Exit status was 2
debug: Got 0.00 bytes of entropy from /usr/bin/tail
debug: Command '/usr/bin/ls -alni /var/log' disabled (badness 128)
debug: Got 0.19 bytes of entropy from /usr/bin/ls
debug: Got 0.17 bytes of entropy from /usr/bin/ls
debug: Got 0.01 bytes of entropy from /usr/bin/ls
debug: Got 0.87 bytes of entropy from /usr/bin/ls
debug: Got 0.07 bytes of entropy from /usr/bin/ls
debug: Got 1.00 bytes of entropy from /usr/bin/netstat
debug: Got 0.19 bytes of entropy from /usr/bin/netstat
debug: Got 0.05 bytes of entropy from /usr/bin/netstat
debug: Got 0.36 bytes of entropy from /usr/bin/netstat
debug: Got 0.06 bytes of entropy from /usr/sbin/arp
debug: Got 0.06 bytes of entropy from /usr/sbin/ifconfig
debug: Command '/sbin/ps laxww ' disabled (badness 128)
debug: Got 0.26 bytes of entropy from /sbin/ps
debug: Got 1.00 bytes of entropy from /sbin/ps
debug: Got 0.07 bytes of entropy from /usr/bin/w
debug: Command '/sbin/who -i ' disabled (badness 128)
debug: Got 0.06 bytes of entropy from /usr/bin/last
debug: Got 0.41 bytes of entropy from /sbin/df
debug: Got 0.40 bytes of entropy from /sbin/df
debug: Got 0.00 bytes of entropy from /usr/bin/uptime
debug: Got 0.04 bytes of entropy from /usr/bin/ipcs
debug: Command '/usr/bin/tail -200 /var/log/messages' disabled (badness 128)
debug: Command '/usr/bin/tail -200 /var/log/syslog' disabled (badness 128)
debug: Command '/usr/bin/tail -200 /var/adm/messages' disabled (badness 128)
debug: Got 1.00 bytes of entropy from /usr/bin/tail
debug: Command '/usr/bin/tail -200 /var/adm/syslog/syslog.log' disabled (badness 128)
debug: Command '/usr/bin/tail -200 /var/log/maillog' disabled (badness 128)
debug: Command '/usr/bin/tail -200 /var/adm/maillog' disabled (badness 128)
debug: 33 bytes from programs
debug: OpenSSL random status is now 1
debug: loading PRNG seed from file /root/.ssh/prng_seed
debug: read DSA private key done
debug: Seeding random number generator.
debug: OpenSSL random status is now 1
debug: 3 bytes from system calls
debug: Command '/usr/bin/ls -alni /var/log' disabled (badness 127)
debug: Got 0.39 bytes of entropy from /usr/bin/ls
debug: Got 0.33 bytes of entropy from /usr/bin/ls
debug: Got 0.02 bytes of entropy from /usr/bin/ls
debug: Got 1.73 bytes of entropy from /usr/bin/ls
debug: Got 0.14 bytes of entropy from /usr/bin/ls
debug: Got 2.00 bytes of entropy from /usr/bin/netstat
debug: Got 0.38 bytes of entropy from /usr/bin/netstat
debug: Got 0.11 bytes of entropy from /usr/bin/netstat
debug: Got 0.73 bytes of entropy from /usr/bin/netstat
debug: Got 0.12 bytes of entropy from /usr/sbin/arp
debug: Got 0.11 bytes of entropy from /usr/sbin/ifconfig
debug: Command '/sbin/ps laxww ' disabled (badness 127)
debug: Got 0.51 bytes of entropy from /sbin/ps
debug: Got 2.00 bytes of entropy from /sbin/ps
debug: Got 0.14 bytes of entropy from /usr/bin/w
debug: Command '/sbin/who -i ' disabled (badness 127)
debug: Got 0.13 bytes of entropy from /usr/bin/last
debug: Got 0.82 bytes of entropy from /sbin/df
debug: Got 0.81 bytes of entropy from /sbin/df
debug: Got 0.00 bytes of entropy from /usr/bin/uptime
debug: Got 0.07 bytes of entropy from /usr/bin/ipcs
debug: Command '/usr/bin/tail -200 /var/log/messages' disabled (badness 127)
debug: Command '/usr/bin/tail -200 /var/log/syslog' disabled (badness 127)
debug: Command '/usr/bin/tail -200 /var/adm/messages' disabled (badness 127)
debug: Got 2.00 bytes of entropy from /usr/bin/tail
debug: Command '/usr/bin/tail -200 /var/adm/syslog/syslog.log' disabled (badness 127)
debug: Command '/usr/bin/tail -200 /var/log/maillog' disabled (badness 127)
debug: Command '/usr/bin/tail -200 /var/adm/maillog' disabled (badness 127)
debug: Command '/usr/bin/ls -alni /var/log' disabled (badness 126)
debug: Got 0.19 bytes of entropy from /usr/bin/ls
debug: Got 0.17 bytes of entropy from /usr/bin/ls
debug: Got 0.01 bytes of entropy from /usr/bin/ls
debug: Got 0.87 bytes of entropy from /usr/bin/ls
debug: Got 0.07 bytes of entropy from /usr/bin/ls
debug: Got 1.00 bytes of entropy from /usr/bin/netstat
debug: Got 0.19 bytes of entropy from /usr/bin/netstat
debug: Got 0.05 bytes of entropy from /usr/bin/netstat
debug: Got 0.36 bytes of entropy from /usr/bin/netstat
debug: Got 0.06 bytes of entropy from /usr/sbin/arp
debug: Got 0.06 bytes of entropy from /usr/sbin/ifconfig
debug: Command '/sbin/ps laxww ' disabled (badness 126)
debug: Got 0.26 bytes of entropy from /sbin/ps
debug: Got 1.00 bytes of entropy from /sbin/ps
debug: Got 0.07 bytes of entropy from /usr/bin/w
debug: Command '/sbin/who -i ' disabled (badness 126)
debug: Got 0.06 bytes of entropy from /usr/bin/last
debug: Got 0.41 bytes of entropy from /sbin/df
debug: Got 0.40 bytes of entropy from /sbin/df
debug: Got 0.00 bytes of entropy from /usr/bin/uptime
debug: Got 0.04 bytes of entropy from /usr/bin/ipcs
debug: Command '/usr/bin/tail -200 /var/log/messages' disabled (badness 126)
debug: Command '/usr/bin/tail -200 /var/log/syslog' disabled (badness 126)
debug: Command '/usr/bin/tail -200 /var/adm/messages' disabled (badness 126)
debug: Got 1.00 bytes of entropy from /usr/bin/tail
debug: Command '/usr/bin/tail -200 /var/adm/syslog/syslog.log' disabled (badness 126)
debug: Command '/usr/bin/tail -200 /var/log/maillog' disabled (badness 126)
debug: Command '/usr/bin/tail -200 /var/adm/maillog' disabled (badness 126)
debug: 30 bytes from programs
debug: OpenSSL random status is now 1
debug: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
debug: Seeding random number generator.
debug: OpenSSL random status is now 1
debug: 3 bytes from system calls
debug: Command '/usr/bin/ls -alni /var/log' disabled (badness 125)
debug: Got 0.39 bytes of entropy from /usr/bin/ls
debug: Got 0.33 bytes of entropy from /usr/bin/ls
debug: Got 0.02 bytes of entropy from /usr/bin/ls
debug: Got 1.73 bytes of entropy from /usr/bin/ls
debug: Got 0.14 bytes of entropy from /usr/bin/ls
debug: Got 2.00 bytes of entropy from /usr/bin/netstat
debug: Got 0.38 bytes of entropy from /usr/bin/netstat
debug: Got 0.11 bytes of entropy from /usr/bin/netstat
debug: Got 0.73 bytes of entropy from /usr/bin/netstat
debug: Got 0.12 bytes of entropy from /usr/sbin/arp
debug: Got 0.11 bytes of entropy from /usr/sbin/ifconfig
debug: Command '/sbin/ps laxww ' disabled (badness 125)
debug: Got 0.51 bytes of entropy from /sbin/ps
debug: Got 2.00 bytes of entropy from /sbin/ps
debug: Got 0.14 bytes of entropy from /usr/bin/w
debug: Command '/sbin/who -i ' disabled (badness 125)
debug: Got 0.13 bytes of entropy from /usr/bin/last
debug: Got 0.82 bytes of entropy from /sbin/df
debug: Got 0.81 bytes of entropy from /sbin/df
debug: Got 0.00 bytes of entropy from /usr/bin/uptime
debug: Got 0.07 bytes of entropy from /usr/bin/ipcs
debug: Command '/usr/bin/tail -200 /var/log/messages' disabled (badness 125)
debug: Command '/usr/bin/tail -200 /var/log/syslog' disabled (badness 125)
debug: Command '/usr/bin/tail -200 /var/adm/messages' disabled (badness 125)
debug: Got 2.00 bytes of entropy from /usr/bin/tail
debug: Command '/usr/bin/tail -200 /var/adm/syslog/syslog.log' disabled (badness 125)
debug: Command '/usr/bin/tail -200 /var/log/maillog' disabled (badness 125)
debug: Command '/usr/bin/tail -200 /var/adm/maillog' disabled (badness 125)
debug: Command '/usr/bin/ls -alni /var/log' disabled (badness 124)
debug: Got 0.19 bytes of entropy from /usr/bin/ls
debug: Got 0.17 bytes of entropy from /usr/bin/ls
debug: Got 0.01 bytes of entropy from /usr/bin/ls
debug: Got 0.87 bytes of entropy from /usr/bin/ls
debug: Got 0.07 bytes of entropy from /usr/bin/ls
debug: Got 1.00 bytes of entropy from /usr/bin/netstat
debug: Got 0.19 bytes of entropy from /usr/bin/netstat
debug: Got 0.05 bytes of entropy from /usr/bin/netstat
debug: Got 0.36 bytes of entropy from /usr/bin/netstat
debug: Got 0.06 bytes of entropy from /usr/sbin/arp
debug: Got 0.06 bytes of entropy from /usr/sbin/ifconfig
debug: Command '/sbin/ps laxww ' disabled (badness 124)
debug: Got 0.26 bytes of entropy from /sbin/ps
debug: Got 1.00 bytes of entropy from /sbin/ps
debug: Got 0.07 bytes of entropy from /usr/bin/w
debug: Command '/sbin/who -i ' disabled (badness 124)
debug: Got 0.06 bytes of entropy from /usr/bin/last
debug: Got 0.41 bytes of entropy from /sbin/df
debug: Got 0.40 bytes of entropy from /sbin/df
debug: Got 0.00 bytes of entropy from /usr/bin/uptime
debug: Got 0.04 bytes of entropy from /usr/bin/ipcs
debug: Command '/usr/bin/tail -200 /var/log/messages' disabled (badness 124)
debug: Command '/usr/bin/tail -200 /var/log/syslog' disabled (badness 124)
debug: Command '/usr/bin/tail -200 /var/adm/messages' disabled (badness 124)
debug: Got 1.00 bytes of entropy from /usr/bin/tail
debug: Command '/usr/bin/tail -200 /var/adm/syslog/syslog.log' disabled (badness 124)
debug: Command '/usr/bin/tail -200 /var/log/maillog' disabled (badness 124)
debug: Command '/usr/bin/tail -200 /var/adm/maillog' disabled (badness 124)
debug: 30 bytes from programs
debug: OpenSSL random status is now 1
debug: Seeding random number generator.
debug: OpenSSL random status is now 1
debug: 3 bytes from system calls
debug: Command '/usr/bin/ls -alni /var/log' disabled (badness 123)
debug: Got 0.39 bytes of entropy from /usr/bin/ls
debug: Got 0.33 bytes of entropy from /usr/bin/ls
debug: Got 0.02 bytes of entropy from /usr/bin/ls
debug: Got 1.73 bytes of entropy from /usr/bin/ls
debug: Got 0.14 bytes of entropy from /usr/bin/ls
debug: Got 2.00 bytes of entropy from /usr/bin/netstat
debug: Got 0.38 bytes of entropy from /usr/bin/netstat
debug: Got 0.11 bytes of entropy from /usr/bin/netstat
debug: Got 0.73 bytes of entropy from /usr/bin/netstat
debug: Got 0.12 bytes of entropy from /usr/sbin/arp
debug: Got 0.11 bytes of entropy from /usr/sbin/ifconfig
debug: Command '/sbin/ps laxww ' disabled (badness 123)
debug: Got 0.51 bytes of entropy from /sbin/ps
debug: Got 2.00 bytes of entropy from /sbin/ps
debug: Got 0.14 bytes of entropy from /usr/bin/w
debug: Command '/sbin/who -i ' disabled (badness 123)
debug: Got 0.13 bytes of entropy from /usr/bin/last
debug: Got 0.82 bytes of entropy from /sbin/df
debug: Got 0.81 bytes of entropy from /sbin/df
debug: Got 0.00 bytes of entropy from /usr/bin/uptime
debug: Got 0.07 bytes of entropy from /usr/bin/ipcs
debug: Command '/usr/bin/tail -200 /var/log/messages' disabled (badness 123)
debug: Command '/usr/bin/tail -200 /var/log/syslog' disabled (badness 123)
debug: Command '/usr/bin/tail -200 /var/adm/messages' disabled (badness 123)
debug: Got 2.00 bytes of entropy from /usr/bin/tail
debug: Command '/usr/bin/tail -200 /var/adm/syslog/syslog.log' disabled (badness 123)
debug: Command '/usr/bin/tail -200 /var/log/maillog' disabled (badness 123)
debug: Command '/usr/bin/tail -200 /var/adm/maillog' disabled (badness 123)
debug: Command '/usr/bin/ls -alni /var/log' disabled (badness 122)
debug: Got 0.19 bytes of entropy from /usr/bin/ls
debug: Got 0.17 bytes of entropy from /usr/bin/ls
debug: Got 0.01 bytes of entropy from /usr/bin/ls
debug: Got 0.87 bytes of entropy from /usr/bin/ls
debug: Got 0.07 bytes of entropy from /usr/bin/ls
debug: Got 1.00 bytes of entropy from /usr/bin/netstat
debug: Got 0.19 bytes of entropy from /usr/bin/netstat
debug: Got 0.05 bytes of entropy from /usr/bin/netstat
debug: Got 0.36 bytes of entropy from /usr/bin/netstat
debug: Got 0.06 bytes of entropy from /usr/sbin/arp
debug: Got 0.06 bytes of entropy from /usr/sbin/ifconfig
debug: Command '/sbin/ps laxww ' disabled (badness 122)
debug: Got 0.26 bytes of entropy from /sbin/ps
debug: Got 1.00 bytes of entropy from /sbin/ps
debug: Got 0.07 bytes of entropy from /usr/bin/w
debug: Command '/sbin/who -i ' disabled (badness 122)
debug: Got 0.06 bytes of entropy from /usr/bin/last
debug: Got 0.41 bytes of entropy from /sbin/df
debug: Got 0.40 bytes of entropy from /sbin/df
debug: Got 0.00 bytes of entropy from /usr/bin/uptime
debug: Got 0.04 bytes of entropy from /usr/bin/ipcs
debug: Command '/usr/bin/tail -200 /var/log/messages' disabled (badness 122)
debug: Command '/usr/bin/tail -200 /var/log/syslog' disabled (badness 122)
debug: Command '/usr/bin/tail -200 /var/adm/messages' disabled (badness 122)
debug: Got 1.00 bytes of entropy from /usr/bin/tail
debug: Command '/usr/bin/tail -200 /var/adm/syslog/syslog.log' disabled (badness 122)
debug: Command '/usr/bin/tail -200 /var/log/maillog' disabled (badness 122)
debug: Command '/usr/bin/tail -200 /var/adm/maillog' disabled (badness 122)
debug: 30 bytes from programs
debug: OpenSSL random status is now 1
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 208.139.26.70 port 4205
debug: Client protocol version 2.0; client software version 3.0 SecureCRT (tm), a product of Van Dyke Technologies, Inc.
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-1.99-OpenSSH-2.0
debug: Sending KEX init.
debug: done
debug: got kexinit string: diffie-hellman-group1-sha1
debug: got kexinit string: ssh-dss
debug: got kexinit string: 3des-cbc
debug: got kexinit string: 3des-cbc
debug: got kexinit string: hmac-md5
debug: got kexinit string: hmac-md5
debug: got kexinit string: none
debug: got kexinit string: none
debug: got kexinit string:
debug: got kexinit string:
debug: first kex follow == 0
debug: reserved == 0
debug: done read kexinit
debug: kex: client->server 3des-cbc hmac-md5 none
debug: kex: server->client 3des-cbc hmac-md5 none
debug: Wait SSH2_MSG_KEXDH_INIT.
debug: bits set: 504/1024
debug: bits set: 507/1024
debug: sig size 20 20
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: userauth-request for user gem service ssh-connection method password
Accepted password for gem from 208.139.26.70 port 4205 ssh2
debug: Entering interactive session for SSH2.
debug: server_init_dispatch_20
debug: channel_input_open: ctype session rchan 0 win 8192 max 8192
debug: open session
debug: channel 0: new [server-session]
debug: session_new: init
debug: session_new: session 0
debug: session_open: channel 0
debug: session_open: session 0: link with channel 0
debug: confirm session
debug: callback start
debug: session_by_channel: session 0 channel 0
debug: session_input_channel_req: session 0 channel 0 request pty-req reply 0
debug: Received SIGCHLD.

14,000 of the last message and then core dump!

From pekkas at netcore.fi Fri May 5 19:21:47 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Fri, 5 May 2000 12:21:47 +0300 (EEST)
Subject: openssh-2.0beta ssh_config Protocol parsing error.
Message-ID:

Hello all,

It seems that openssh-2.0beta's ssh doesn't parse /etc/ssh/ssh_config (or
equivalent) properly. If I add e.g. 'Protocol 2,1' there, ssh will just
complain '/etc/ssh/ssh_config line 30: garbage at end of line.'. I've
tried changing the line, etc. but the error remains.

True enough, README.openssh2 only mentions ~/.ssh/config, but IMO this
must have been an oversight or something :)

Running it on Redhat 5.1 w/ openssl-0.95a.

Also, I didn't see any option to turn off those messages about 1023 vs
1024 bit key size bug in SSH inc.'s ssh. I'm not really interested in
getting them, and after a while they get boring -- and I don't think I'm
alone here. :)

Regards,
--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi   not those you stumble over and fall"

From speno at isc.upenn.edu Sat May 6 04:15:52 2000
From: speno at isc.upenn.edu (John P Speno)
Date: Fri, 5 May 2000 14:15:52 -0400
Subject: SIA support patches for Tru64 UNIX
In-Reply-To: <20000503095923.B94392@isc.upenn.edu>
References: <20000503095923.B94392@isc.upenn.edu>
Message-ID: <20000505141552.B103289@isc.upenn.edu>

On Wed, May 03, 2000 at 09:59:23AM -0400, John P Speno wrote:
> I think I'm ready with the SIA (Security Integration Architecture) patches
> for Tru64 UNIX. All of the code was written by Tom Woodburn, an engineer

The patches are available here:

There's a README file in that tarball which gives instructions on what to
hack after running configure to use SIA support. I will attempt to work up
some configure patches unless someone beats me to it. :-)

Tru64 UNIX users, if you are out there, please give these patches a try and
send feedback.

Thanks.

From markus.friedl at informatik.uni-erlangen.de Sat May 6 00:56:38 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 5 May 2000 16:56:38 +0200
Subject: openssh-2.0beta ssh_config Protocol parsing error.
In-Reply-To: ; from pekkas@netcore.fi on Fri, May 05, 2000 at 12:21:47PM +0300
References:
Message-ID: <20000505165638.B19516@folly.informatik.uni-erlangen.de>

On Fri, May 05, 2000 at 12:21:47PM +0300, Pekka Savola wrote:
> It seems that openssh-2.0beta's ssh doesn't parse /etc/ssh/ssh_config (or
> equivalent) properly. If I add e.g. 'Protocol 2,1' there, ssh will just
> complain '/etc/ssh/ssh_config line 30: garbage at end of line.'. I've
> tried changing the line, etc. but the error remains.

Options are parsed independently of the filename.

> Also, I didn't see any option to turn off those messages about 1023 vs
> 1024 bit key size bug in SSH inc.'s ssh. I'm not really interested in
> getting them, and after a while they get boring -- and I don't think I'm
> alone here. :)

-q should turn the message off. BTW, why not replace the broken keys?

-markus

From pekkas at netcore.fi Sat May 6 08:12:01 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Sat, 6 May 2000 01:12:01 +0300 (EEST)
Subject: openssh-2.0beta ssh_config Protocol parsing error.
In-Reply-To: <20000505165638.B19516@folly.informatik.uni-erlangen.de>
Message-ID:

> On Fri, May 05, 2000 at 12:21:47PM +0300, Pekka Savola wrote:
> > It seems that openssh-2.0beta's ssh doesn't parse /etc/ssh/ssh_config (or
> > equivalent) properly. If I add e.g. 'Protocol 2,1' there, ssh will just
> > complain '/etc/ssh/ssh_config line 30: garbage at end of line.'. I've
> > tried changing the line, etc. but the error remains.
>
> options are parsed independent from the filename.

Ok, I didn't check ~/.ssh/config because I believed README.openssh2 and
thought it would of course work ;) Anyway:

---
pekkas: /home/pekkas/.ssh$ more config
Protocol 1
pekkas: /home/pekkas/.ssh$ ssh box2.test
/home/pekkas/.ssh/config line 1: garbage at end of line.
---

Protocol isn't recognized. It will work with 'ssh -o "Protocol 2"' or
'ssh -2' though.

> > Also, I didn't see any option to turn off those messages about 1023 vs
> > 1024 bit key size bug in SSH inc.'s ssh. I'm not really interested in
> > getting them, and after a while they get boring -- and I don't think I'm
> > alone here. :)
>
> -q should turn the message off. BTW, why not replace the broken keys?

That'd require contacting all remote systems with that problem, reassuring
replacing the keys is OK, etc. It's a little too much hassle for so little
gain.

-q option is nice, but it does suppress some other messages too -- even
some you might want to see if they'd come across. Some option, like
WarnAboutWrongHostKeysize, in ssh_config would probably be nice.

Regards,
--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi   not those you stumble over and fall"

From ueno at unixuser.org Sat May 6 23:41:55 2000
From: ueno at unixuser.org (Daiki Ueno)
Date: 06 May 2000 22:41:55 +0900
Subject: Question about ssh-askpass
In-Reply-To: (Damien Miller's message of "Sat, 29 Apr 2000 18:25:54 +1000 (EST)")
References: <877ldrcq8n.fsf@mail.unixuser.org>
Message-ID: <87d7mz4wyk.fsf@mail.unixuser.org>

>>>>> In
>>>>> Damien Miller wrote:

> > I'd like to use ssh as a subprocess, and I'm looking for a generic way
> > of passing passphrase. So far as I know, in SSH Communications'
> > implementation of SSH, ssh invokes ssh-askpass as well as
> > ssh-add does. Lacking of this is just because of security reason?
> >
> > Are there any plans to use some kind of readymade option parsing
> > routine--such as getopt?

> No. If passwords were passed in on the command line, then they would
> show up to everyone else on the system in a "ps".

I'm sorry for my illegible sentences above. There is no tie-in between
these two questions.

On the first question, create a new file containing the following:

| #include <sys/ioctl.h>   /* ioctl(), TIOCNOTTY */
| #include <unistd.h>      /* close(), execvp() */
|
| int main (int argc, char *argv[])
| {
|   /* detach from the controlling terminal, then drop the old stdin */
|   ioctl (0, TIOCNOTTY, 0);
|   close (0);
|   /* run the rest of the command line without a controlling tty */
|   execvp (argv[1], &argv[1]);
|   return 0;
| }

and compile it:

% gcc -o test test.c
% ./test ssh ueno at suzuran ls

SSH Version 1.2.27 pops up ssh-askpass, but OpenSSH just exits with "You
have no controlling tty. Cannot read passphrase."

As far as I know, `call-process' (the Emacs synchronous subprocess
function) can also detach the child's controlling terminal. So, with
using vc.el with CVS_RSH=ssh, I could input passphrase via ssh-askpass.

> You could either use ssh-agent or create key files without
> passphrases.

Of course, I know that.

Regards,
--
Daiki Ueno

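A portable variant of the detach-and-exec wrapper in the post above, added here as an example and not Daiki Ueno's program or OpenSSH code: it uses setsid() instead of the TIOCNOTTY ioctl, redirects stdin to /dev/null so the old terminal fd cannot be read either, and verifies the detachment by trying to open /dev/tty, which is exactly what fails behind OpenSSH's "You have no controlling tty" error. The function names and the `notty` binary name are my own.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if the calling process has a controlling terminal, else 0.
 * open("/dev/tty") fails (ENXIO) once the process has none; that is
 * the state OpenSSH reports as "You have no controlling tty. Cannot
 * read passphrase." */
int has_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);

    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Drop the controlling terminal of the calling process. setsid() is
 * the portable replacement for ioctl(0, TIOCNOTTY, 0): it starts a new
 * session, which has no controlling tty. stdin is then pointed at
 * /dev/null so the child cannot read a passphrase from the old tty fd
 * either. Returns 0 on success, -1 on error; setsid() fails when the
 * caller is already a process-group leader, so call this in a freshly
 * forked child. */
int detach_from_tty(void)
{
    int devnull;

    if (setsid() < 0)
        return -1;
    devnull = open("/dev/null", O_RDONLY);
    if (devnull < 0)
        return -1;
    if (dup2(devnull, STDIN_FILENO) < 0) {
        close(devnull);
        return -1;
    }
    close(devnull);
    return 0;
}

/* Fork, detach the child from the terminal and exec argv[] in it.
 * Returns the child's exit status (126: detach failed, 127: exec
 * failed) or -1 on fork/wait error. */
int run_detached(char *const argv[])
{
    pid_t pid = fork();
    int status;

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (detach_from_tty() < 0)
            _exit(126);
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-check that needs no ssh at all: detach a child and report
 * whether it still sees a controlling terminal (1) or not (0).
 * Returns -1 on error. */
int child_has_tty_after_detach(void)
{
    pid_t pid = fork();
    int status;

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (detach_from_tty() < 0)
            _exit(2);
        _exit(has_controlling_tty());
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

/* Usage: ./notty ssh host ls
 * As in the post above, SSH 1.2.27 then falls back to ssh-askpass,
 * while OpenSSH 2.0beta refuses to read the passphrase at all. */
int main(int argc, char *argv[])
{
    int rc;

    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    rc = run_detached(&argv[1]);
    return rc < 0 ? 1 : rc;
}
```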
From djm at mindrot.org Sun May 7 10:55:46 2000
From: djm at mindrot.org (Damien Miller)
Date: Sun, 7 May 2000 10:55:46 +1000 (EST)
Subject: Announce: openssh-2.0.0beta1
In-Reply-To: <200005021813.LAA13448@homer.ka9q.ampr.org>
Message-ID:

On Tue, 2 May 2000, Phil Karn wrote:

> >Note that this release _requires_ OpenSSL 0.9.5 or greater.
>
> If so, then the configure script should be changed to eliminate
> references to SSLeay, especially the message
>
> checking for OpenSSL/SSLeay directory ...

Thanks, fixed.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Sun May 7 10:56:58 2000
From: djm at mindrot.org (Damien Miller)
Date: Sun, 7 May 2000 10:56:58 +1000 (EST)
Subject: Pb with password
In-Reply-To: <00050303460302.01542@serveur.xcoudin.fr>
Message-ID:

On Wed, 3 May 2000, Xavier COUDIN wrote:

> Hi, I am trying to use OpenSSH under Linux RH 5.2
>
> I am facing this problem:
>
> OpenSSH is working almost well, with 1 big and SERIOUS
> exception:
>
> whatever the password I give (except empty password), the
> connection is accepted. This lets anybody intrude into my
> computer by giving any kind of password.
>
> I believe the problem is coming from the PAM functionality, and
> especially the file "/etc/pam.d/sshd". Am I right?
>
> If yes (and also if NO) please can somebody tell me the
> solution, and eventually send me the correct version of the file
> "/etc/pam.d/sshd"

Have you tried the version that lives in the contrib/redhat/
subdirectory?

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Sun May 7 10:58:21 2000
From: djm at mindrot.org (Damien Miller)
Date: Sun, 7 May 2000 10:58:21 +1000 (EST)
Subject: Openssh on Redhat
In-Reply-To: <390FF566.D68CC8CD@armscor.co.za>
Message-ID:

On Wed, 3 May 2000, Chris du Preez wrote:

> I'm running Redhat 6.2 with kernel version 2.2.14-5. When I try
> to install openssh from the rpms I get a message "openssl is
> needed by openssh-1.2.3-1" and "libcrypto.so.0 is needed by
> openssh-1.2.3-1". I will appreciate it if someone can tell me what
> is needed to install before I can install Openssh

There are openssl RPMS available from the support/ subdirectory of
the website.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From Peter.Losher at nominum.com Sun May 7 12:15:23 2000
From: Peter.Losher at nominum.com (Peter Losher)
Date: Sat, 6 May 2000 19:15:23 -0700 (PDT)
Subject: OpenSSH and Kerberos V support...
In-Reply-To:
Message-ID:

Was there ever any resolution to this (adding a patch for Krb5 support)?
(I would like to replace all the SSH daemons here with OpenSSH, but it's a
requirement that it be able to pass Krb5 tickets, etc.)

Best Wishes - Peter

On Thu, 9 Dec 1999, Mike Fisk wrote:

> On Wed, 8 Dec 1999, Dug Song wrote:
>
> > On Thu, 9 Dec 1999, Damien Miller wrote:
> >
> > > There were questions regarding the exportability of the patches (they
> > > were written in the USA) and the author eventually withdrew them.
> >
> > that's funny - Tatu Ylonen managed to merge, and then redistribute Glenn
> > Machin's patch just fine for ssh-1.2.2x...
>
> We're consulting with our lawyers about the legality of exporting a U.S.
> patch to add K5 support. Given that, I don't expect an answer right away.
>
> =====================================================================
> Mike Fisk                   | (505)667-5119 | MS B255
> Network Engineering (CIC-5) |               | Los Alamos National Lab
> mfisk at lanl.gov           | FAX: 665-7793 | Los Alamos, NM 87545
>

---
Peter Losher
Systems Admin. - Nominum, Inc.
PGP key available on request

From mfisk at lanl.gov Mon May 8 00:47:18 2000
From: mfisk at lanl.gov (Mike Fisk)
Date: Sun, 7 May 2000 14:47:18 +0000 (GMT)
Subject: OpenSSH and Kerberos V support...
In-Reply-To:
Message-ID:

You have good timing. I just asked Theo (head of OpenBSD) and even with
the new US crypto laws, he still wants to keep US crypto code out of the
source. So that rules out the patch that LANL had.

On February 7, I forwarded to the openssh list a link to a patch to make
OpenSSH work with Heimdal. The author appears to be in the Czech
Republic. However, I didn't see any reaction to it on the openssh list.
The patch still seems to be available at:
http://www.fi.muni.cz/~kouril/openssh-1.2.1pre24.patch

Many of us would greatly appreciate it if someone in the free world would
please produce a patch for the current version of OpenSSH and submit it to
OpenBSD.

Thanks,

--
Mike Fisk, RADIANT Team, Network Engineering Group, Los Alamos National Lab
See http://home.lanl.gov/mfisk/ for contact information

From noc at centroweb.net Sun May 7 19:12:25 2000
From: noc at centroweb.net (Noc)
Date: Sun, 7 May 2000 04:12:25 -0500
Subject: OPENSSH and Red Hat
Message-ID: <028901bfb804$5d8a7c00$3800a8c0@blackdata.net>

Hi All

We use Red Hat Linux 6.0. First we download openssh-1.2.3.tgz, then we
decompress the file. First we were unable to find the install instructions.
We found them on violet.ibs.com.au; then we were unable to find the ./configure
file that is mentioned in the INSTALL instructions.
And if we try to run make we receive:
Makefile:3: *** missing separator. Stop.
Since the tgz does not work for us, we downloaded the rpms for OPENSSH from:
thermo.stat.ncsu.edu/pub/openssh-us. We installed the rpms but we are unable
to connect by SSH; we receive: connection refused from the server.

P.S. We already installed OpenSSL and GNU Make without any problem.

Any suggestions or instructions will be appreciated.

Thanks

From djm at mindrot.org Mon May 8 22:17:15 2000
From: djm at mindrot.org (Damien Miller)
Date: Mon, 8 May 2000 22:17:15 +1000 (EST)
Subject: OPENSSH and Red Hat
In-Reply-To: <028901bfb804$5d8a7c00$3800a8c0@blackdata.net>
Message-ID:

On Sun, 7 May 2000, Noc wrote:

> Hi All
>
> We use Red Hat Linux 6.0. First we download openssh-1.2.3.tgz, then
> we decompress the file. First we were unable to find the install
> instructions. We found them on violet.ibs.com.au; then we were unable
> to find the ./configure file that is mentioned in the INSTALL
> instructions.

It sounds like you downloaded the OpenBSD version. Try downloading the
Redhat source RPM from

http://violet.ibs.com.au/openssh/files/openssh-1.2.3-1.src.rpm

and rebuilding it:

rpm --rebuild openssh-1.2.3-1.src.rpm

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From rjune at ims1.imagestream-is.com Mon May 8 23:41:43 2000
From: rjune at ims1.imagestream-is.com (Richard June)
Date: Mon, 8 May 2000 08:41:43 -0500 (EST)
Subject: OPENSSH and Red Hat
In-Reply-To: <028901bfb804$5d8a7c00$3800a8c0@blackdata.net>
Message-ID:

Did you start OpenSSH?
/etc/rc.d/init.d/sshd start
also make sure you've set up the symlink in the rcX.d directory

On Sun, 7 May 2000, Noc wrote:

> Hi All
>
> We use Red Hat Linux 6.0. First we download openssh-1.2.3.tgz, then we
> decompress the file. First we were unable to find the install instructions.
> We found them on violet.ibs.com.au; then we were unable to find the ./configure
> file that is mentioned in the INSTALL instructions.
> And if we try to run make we receive:
> Makefile:3: *** missing separator. Stop.
> Since the tgz does not work for us, we downloaded the rpms for OPENSSH from:
> thermo.stat.ncsu.edu/pub/openssh-us. We installed the rpms but we are unable
> to connect by SSH; we receive: connection refused from the server.
>
> P.S. We already installed OpenSSL and GNU Make without any problem.
>
> Any suggestions or instructions will be appreciated.
>
> Thanks
>

From: root at rjimlad.org.uk (Jim)
Date: Mon, 8 May 2000 21:45:06 +0100 (BST)
Subject: OPENSSH and Red Hat
In-Reply-To: 
Message-ID: 

Are you running the server as well as the client? I got this message trying
to connect to an ssh-server running protocol version 2.0, and of course
OpenSSH 1.2.3 only supports 1.3 and 1.5 - unless you're feeling brave enough
for CVS, you may be best off using ssh (www.ssh.com) for the interim.

On Mon, 8 May 2000, Richard June wrote:

> Did you start OpenSSH?
> /etc/rc.d/init.d/sshd start
> also make sure you've set up the symlink in the rcX.d directory
>
> On Sun, 7 May 2000, Noc wrote:
>
> > Hi All
> >
> > We use Red Hat Linux 6.0. First we downloaded openssh-1.2.3.tgz, then we
> > decompressed the file. First we were unable to find the install instructions.
> > We found them on violet.ibs.com.au; then we were unable to find the ./configure
> > file that is mentioned in the INSTALL instructions.
> > And if we tried to run make we received:
> > Makefile:3: *** missing separator. Stop.
> > Since the tgz does not work for us, we downloaded the rpms for OPENSSH from:
> > thermo.stat.ncsu.edu/pub/openssh-us. We installed the rpms but we are unable
> > to connect by SSH; we receive: connection refused from the server.
> >
> > P.D. We already installed OpenSSL and Gnu Make without any problem.
> >
> > Any suggestions or instructions will be appreciated.
> >
> > Thanks

From johnh at aproposretail.com Tue May 9 10:01:02 2000
From: johnh at aproposretail.com (John Hardin)
Date: Mon, 08 May 2000 17:01:02 -0700
Subject: OpenSSH for SCO?
Message-ID: <3917553E.84CDCE05@aproposretail.com>

Has anybody here implemented OpenSSL+OpenSSH on SCO Open Server 5.0.5?
Please contact me off-list. Thanks!

--
John Hardin
Internal Systems Administrator
Apropos Retail Management Systems, Inc.

From djm at mindrot.org Tue May 9 10:13:15 2000
From: djm at mindrot.org (Damien Miller)
Date: Tue, 9 May 2000 10:13:15 +1000 (EST)
Subject: OpenSSH and Kerberos V support...
In-Reply-To: 
Message-ID: 

On Sun, 7 May 2000, Mike Fisk wrote:

> You have good timing. I just asked Theo (head of OpenBSD) and even with
> the new US crypto laws, he still wants to keep US crypto code out of the
> source. So that rules out the patch that LANL had.
>
> On February 7, I forwarded to the openssh list a link to a patch to make
> OpenSSH work with Heimdal. The author appears to be in the Czech
> Republic. However, I didn't see any reaction to it on the openssh list.
> The patch still seems to be available at:
> http://www.fi.muni.cz/~kouril/openssh-1.2.1pre24.patch
>
> Many of us would greatly appreciate it if someone in the free world would
> please produce a patch for the current version of OpenSSH and submit it to
> OpenBSD

I think the OpenBSD developers would appreciate that too, as they are
including krb5 in their upcoming release.

If someone wants to clean up the above patch for the 2.0.0 beta then I
will consider adding it.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From gem at rellim.com Tue May 9 10:13:41 2000
From: gem at rellim.com (Gary E. Miller)
Date: Mon, 8 May 2000 17:13:41 -0700 (PDT)
Subject: OpenSSH for SCO?
In-Reply-To: <3917553E.84CDCE05@aproposretail.com>
Message-ID: 

Yo John!

Yes, works fine with a bit of tweaking. You need EGD or the new 2.0.0 beta.

RGDS
GARY

On Mon, 8 May 2000, John Hardin wrote:

> Has anybody here implemented OpenSSL+OpenSSH on SCO Open Server 5.0.5?
> Please contact me off-list. Thanks!
>
> --
> John Hardin
> Internal Systems Administrator
> Apropos Retail Management Systems, Inc.

---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

From doom at lcjdap.soroscj.ro Tue May 9 16:13:31 2000
From: doom at lcjdap.soroscj.ro (Doom)
Date: Tue, 9 May 2000 09:13:31 +0300 (EEST)
Subject: About ssh_host_dsa_key
In-Reply-To: <3917553E.84CDCE05@aproposretail.com>
Message-ID: 

Hi,

When I start the openssh daemon I receive this error:

error: Could not load DSA host key: /etc/openssh2//ssh_host_dsa_key
Disabling protocol version 2

How can I make ssh_host_dsa_key, to make my openssh 2b work?

Thanx,
Cosmin

--------------------------------------------------------
SysAdm @ "Alexandru Papiu Ilarian" Dej <+40-93.514.225>
It's nice to be important
But it is more important to be nice

From pekkas at netcore.fi Tue May 9 17:31:39 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Tue, 9 May 2000 10:31:39 +0300 (EEST)
Subject: About ssh_host_dsa_key
In-Reply-To: 
Message-ID: 

> When I start the openssh daemon I receive this error:
>
> error: Could not load DSA host key: /etc/openssh2//ssh_host_dsa_key
> Disabling protocol version 2
>
> How can I make ssh_host_dsa_key, to make my openssh 2b work?

This step is described in README.openssh2.

--
Pekka Savola "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi not those you stumble over and fall"

From djm at mindrot.org Tue May 9 22:37:37 2000
From: djm at mindrot.org (Damien Miller)
Date: Tue, 9 May 2000 22:37:37 +1000 (EST)
Subject: ANNOUNCE: portable openssh-2.1.0
Message-ID: 

[This is an announcement to the developers list only, please give
the new version a try overnight and I will announce it to the wider
community tomorrow.]

This is to announce the release of openssh-2.1.0, the first stable
release of portable OpenSSH to incorporate support for the SSH2
protocol.

The SSH2 protocol offers a number of advantages over the SSH1 protocol
including standards compliance (SSH2 is on the IETF standards track[1]),
improved security and operation without RSA (which is patented in some
countries). The SSH2 support in OpenSSH has been developed by Markus
Friedl, with support from the OpenBSD team.

This is also the first version of the portable version of OpenSSH to
offer built-in entropy collection. This removes the requirement for EGD
on systems that lack a /dev/random driver. As a result, OpenSSH-2.1.0
now requires a recent version of OpenSSL[2] to compile (version 0.9.5
or later).

NB. The portable version of OpenSSH is currently in the process of
merging its webpages with the official OpenBSD project. Please use
http://www.openssh.com/ from now on.

Distribution files are also available from the mirrors listed at
http://violet.ibs.com.au/openssh/files/MIRRORS.html

Please read http://www.openssh.com/report.html before reporting bugs.
Patches, bug reports, developer and user queries are welcome on the
mailing list (http://www.openssh.com/list.html).

Regards,
Damien Miller

[1] http://www.ietf.org/html.charters/secsh-charter.html
[2] http://www.openssl.org/

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Tue May 9 23:01:46 2000
From: djm at mindrot.org (Damien Miller) Date: Tue, 9 May 2000 23:01:46 +1000 (EST) Subject: List opening Message-ID: The mailing list is now open to outside posters again. We haven't been spammed in the last month or so since the list was closed. If anyone can suggest a way to use the MAPS RBL with Postfix and Majordomo (without turning it on the whole server), it would be much appreciated. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From mhw at wittsend.com Tue May 9 23:02:10 2000 
From: mhw at wittsend.com (Michael H. Warfield)
Date: Tue, 9 May 2000 09:02:10 -0400
Subject: ANNOUNCE: portable openssh-2.1.0
In-Reply-To: ; from djm@mindrot.org on Tue, May 09, 2000 at 10:37:37PM +1000
References: 
Message-ID: <20000509090210.D21160@alcove.wittsend.com>

This is regarding the rpm binary files...

On Tue, May 09, 2000 at 10:37:37PM +1000, Damien Miller wrote:

> [This is an announcement to the developers list only, please give
> the new version a try overnight and I will announce it to the wider
> community tomorrow.]

> This is to announce the release of openssh-2.1.0, the first stable
> release of portable OpenSSH to incorporate support for the SSH2
> protocol.

Why is rpm >= 3.0.3 required for openssh-server-2.1.0-1.i386.rpm
and openssh-2.1.0-1.i386.rpm? That causes a problem on RedHat 6.0
systems with rpm 3.0.2. I tried using --no-deps and it installs
just fine and all the scripts seem to work. So what's the deal with
just those two (the others don't complain)? What is supposed to be
missing or not working under those circumstances?

[...]

> Regards,
> Damien Miller
>
> [1] http://www.ietf.org/html.charters/secsh-charter.html
> [2] http://www.openssl.org/
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!

From djm at mindrot.org Wed May 10 00:10:02 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 10 May 2000 00:10:02 +1000 (EST)
Subject: ANNOUNCE: portable openssh-2.1.0
In-Reply-To: <20000509090210.D21160@alcove.wittsend.com>
Message-ID: 

On Tue, 9 May 2000, Michael H. Warfield wrote:

> Why is rpm >= 3.0.3 required for openssh-server-2.1.0-1.i386.rpm
> and openssh-2.1.0-1.i386.rpm? That causes a problem on RedHat 6.0
> systems with rpm 3.0.2. I tried using --no-deps and it installs
> just fine and all the scripts seem to work. So what's the deal with
> just those two (the others don't complain)? What is supposed to be
> missing or not working under those circumstances?

This dependency is automatically inserted by the version of RPM that I
am building with. Perhaps because I am using PreReqs and BuildPreReqs?

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed May 10 00:18:05 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Tue, 9 May 2000 16:18:05 +0200
Subject: List opening
In-Reply-To: ; from djm@mindrot.org on Tue, May 09, 2000 at 11:01:46PM +1000
References: 
Message-ID: <20000509161805.A4090@ws01.aet.tu-cottbus.de>

On Tue, May 09, 2000 at 11:01:46PM +1000, Damien Miller wrote:
> The mailing list is now open to outside posters again. We haven't been
> spammed in the last month or so since the list was closed.
>
> If anyone can suggest a way to use the MAPS RBL with Postfix and
> Majordomo (without turning it on the whole server), it would be much
> appreciated.

I doubt it will be possible to do this without modifying the postfix
source. RBL lookup is performed with regard to the client connecting to
the mailserver, so postfix must handle it. When the mail has reached
majordomo it is already too late.

Performing it with postfix would be a more or less difficult thing.
In postfix-xxxx/smtpd/smtpd_check.c you will find a function
"reject_maps_rbl(SMTPD_STATE *state)". The "state" variable at this
point has a member "state->recipient". I know that it would be a crude
hack but probably good enough to insert at the beginning of
reject_maps_rbl():

    if (strcasecmp(state->recipient, "openssh-unix-dev at mindrot.org")) {
        /* Not to the mailing list, skip the RBL test */
        return(DUNNO);
    }

So only if the mailing-list recipient is met, RBL is applied...
No, it is neither elegant nor perfect, but the worst case is that the
match does fail and RBL is not checked, so it cannot do worse than now...

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153

From fandrei at rds.ro Wed May 10 01:31:52 2000
From: fandrei at rds.ro (Florin Andrei) Date: Tue, 09 May 2000 18:31:52 +0300 Subject: ANNOUNCE: portable openssh-2.1.0 References: Message-ID: <39182F68.4D8870C6@rds.ro> Damien Miller wrote: > > This is to announce the release of openssh-2.1.0, the first stable > release of portable OpenSSH to incorporate support for the SSH2 > protocol. Sorry if i don't get it: why 2.1.0 and not 2.0.0 ? -- Florin Andrei mailto:florin at linuxstart.com http://members.linuxstart.com/~florin/ tel: +40-93-261162 From leo at strike.wu-wien.ac.at Wed May 10 03:00:46 2000 From: leo at strike.wu-wien.ac.at (Alexander Bergolth) Date: Tue, 9 May 2000 19:00:46 +0200 (CEST) Subject: openssh-2.1.0 and AFS Message-ID: Hi! I've noticed that openssh always does a do_setpag() if compiled with AFS-support no matter which authentication method is used. Maybe I'm missing something but shouldn't it only get a pag, if AFS-token-passing is used? If password authentication is used, an AFS-pam-module (or the authenticate function on AIX) will do the job, otherwise, no token can be obtained and therefore no pag is needed. I noticed that because normally root wants to login without a pag, which is not possible now. I attached a small patch, that moves the do_setpag-part from do_authentication to the afs-token-passing section of do_authloop, maybe you'll find that useful. cheers, --leo ----------------------------------------------------------------------- Alexander (Leo) Bergolth leo at leo.wu-wien.ac.at WU-Wien - Zentrum fuer Informatikdienste http://leo.wu-wien.ac.at Info Center Computers are like air conditioners - they stop working properly when you open Windows -------------- next part -------------- --- auth1.c.orig Tue May 9 16:28:50 2000 +++ auth1.c Tue May 9 17:38:13 2000 
@@ -183,6 +183,11 @@ /* Accept AFS token. */ char *token_string = packet_get_string(&dlen); packet_integrity_check(plen, 4 + dlen, type); + /* If machine has AFS, set process authentication group. */ + if (k_hasafs()) { + k_setpag(); + k_unlog(); + } if (!auth_afs_token(pw, token_string)) verbose("AFS token REFUSED for %s", pw->pw_name); xfree(token_string); @@ -441,14 +446,6 @@ packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER); setproctitle("%s", user); - -#ifdef AFS - /* If machine has AFS, set process authentication group. */ - if (k_hasafs()) { - k_setpag(); - k_unlog(); - } -#endif /* AFS */ /* Verify that the user is a valid user. */ pw = getpwnam(user); From axwagner at t-online.de Wed May 10 05:54:37 2000 
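Review bot: in the first hunk (the SSH_CMSG_HAVE_AFS_TOKEN branch) the moved k_hasafs()/k_setpag()/k_unlog() block arrives without the #ifdef AFS guard it carried in do_authentication(); that is only safe if the case it now sits in is itself compiled under #ifdef AFS, which the hunk context does not show, so please confirm or keep the guard around the three calls. The ordering otherwise looks right: k_setpag() and k_unlog() run before auth_afs_token() installs the new token, so a token that is logged as "AFS token REFUSED" leaves the per-connection child in an empty PAG rather than with stale credentials.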
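Review bot: the second hunk (the removal after setproctitle() in do_authentication) also drops the unconditional k_unlog(), which until now discarded any tokens the sshd child inherited before any authentication method ran; after the patch that happens only on the AFS-token path, and password or RSA logins keep whatever tokens the daemon's environment had. That matches the stated intent (root logging in without a PAG, the PAM module or AIX authenticate() handling the password case), but it is a behaviour change for AFS sites and should be called out in the ChangeLog or the AFS section of the documentation rather than left implicit.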
From: axwagner at t-online.de (Axel Wagner)
Date: Tue, 09 May 2000 19:54:37 +0000
Subject: OpenSSH compile error when enabling S/Key support
Message-ID: <39186CFD.61B75D07@t-online.de>

Hi,

I know this issue has been addressed previously, but I'm still not able
to compile OpenSSH with S/Key support.

My System:
SuSE Linux v6.3 (Kernel: 2.2.13)
egcs-2.91.66
OpenSSL 0.9.5a
S/Key 1.1
OpenSSH v1.2.3 / v2.0.0beta1 (error occurs in both versions)

When I tried to configure (v2.0.0beta1 as an example) as follows:

CFLAGS="-I/usr/local/openssl-0.9.5a/include -I/usr/local/skey-1.1/include" LDFLAGS="-L/usr/local/openssl-0.9.5a/lib -L/usr/local/skey-1.1/lib" ./configure --prefix=/usr/local/openssh-2.0.0beta1 --sysconfdir=/usr/local/openssh-2.0.0beta1/etc --with-ssl-dir=/usr/local/openssl-0.9.5a/lib --with-skey --with-tcp-wrappers

a subsequent make will eventually die with:

gcc -o sshd sshd.o auth.o auth1.o auth2.o auth-rhosts.o auth-krb4.o auth-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o log-server.o login.o servconf.o serverloop.o bsd-login.o md5crypt.o session.o -L. -L/usr/local/openssl-0.9.5a/lib -L/usr/local/skey-1.1/lib -lssh -ldl -lnsl -lz -lutil -lpam -lcrypto -lskey -lwrap
auth1.o: In function `do_fake_authloop1':
auth1.o(.text+0x126): undefined reference to `skey_fake_keyinfo'
auth1.o: In function `do_authloop':
auth1.o(.text+0x803): undefined reference to `skey_fake_keyinfo'
collect2: ld returned 1 exit status
make: *** [sshd] Error 1

Any idea? Help would be very appreciated.

Axel Wagner

--
----------------------------------------------------------------
Axel Wagner Internet Consulting und Webdesign
Julius-Konegenstr. 19 Tel. : 0531/2502642 Fax: 0531/2502176
D-38114 Braunschweig E-Mail: axel at axel.org WWW: www.axel.org
----------------------------------------------------------------

From garrick at james.net Wed May 10 05:09:57 2000
From: garrick at james.net (Garrick James)
Date: Tue, 9 May 2000 12:09:57 -0700 (PDT)
Subject: OpenSSH 2.1.0 does not compile without RSA support
Message-ID: 

I was very excited when I saw the announcement that openssh now supports
the ssh2 protocol. The problem I have run into is that openssh v. 2.1.0
will not compile unless rsa is supported by openssl. Because I wish to
use openssh in a commercial environment in the USA, I built openssl with
no support for rsa, rc5, or idea (thus ensuring that I do not encroach on
anyone's blasted patents). Openssh claims to be able to run without using
any patented algorithms, but is there really any way to build such a
binary?

Details:
portable openssh v. 2.1.0
openssl 0.9.5a (no-rsa, no-rc5, no-idea)
solaris 2.6 (SPARC)

Thanks,
Garrick James

P.S. Please CC me on any responses, as I am not subscribed to
openssh-unix-dev.

From cmg at dok.org Wed May 10 05:20:59 2000
From: cmg at dok.org (Chris Green)
Date: 09 May 2000 14:20:59 -0500
Subject: ANNOUNCE: portable openssh-2.1.0
In-Reply-To: Damien Miller's message of "Tue, 9 May 2000 22:37:37 +1000 (EST)"
References: 
Message-ID: 

really nice job ;) One curiosity comes to mind. What direction is
ssh-agent going to take? Right now it supports RSA keys only. Will 2
different ssh-agents be needed for each flavor of key or will there be
a way to use both DSA and RSA keys from within a single ssh-agent?

Cheers,
Chris
--
Chris Green
"Yeah, but you're taking the universe out of context."

From cnetzer at stanford.edu Wed May 10 07:14:04 2000
From: cnetzer at stanford.edu (Chad Netzer) Date: Tue, 9 May 2000 14:14:04 -0700 Subject: Patch for 2.0.0beta2-1.src.rpm on Mandrake Message-ID: <20000509141404.B2341@cardinal0.Stanford.EDU> Damien, I had to apply the following simple patch for the openssh-2.0.0beta2-1.src.rpm package to build on my Mandrake Linux system (see below for patch). Basically, Mandrake auto compresses man pages in the build sequence (appending a .bz2 extension), so I had to change the %files sections to find the compressed man pages. By using wildcards, I expect that this patch will NOT break the build under Redhat systems, so hopefully a separate Mandrake spec file is not needed. Beta 2.0.0 seems to work fine, BTW. Cheers, -- Chad Netzer cnetzer at stanford.edu --------------------------- [ Cut Here ] ---------------------------- --- openssh.spec.rh.orig Mon May 1 16:59:01 2000 +++ openssh.spec.rh Tue May 9 12:35:57 2000 @@ -207,8 +207,8 @@ %doc CREDITS UPGRADING %attr(0755,root,root) /usr/bin/ssh-keygen %attr(0755,root,root) /usr/bin/scp -%attr(0644,root,root) /usr/man/man1/ssh-keygen.1 -%attr(0644,root,root) /usr/man/man1/scp.1 +%attr(0644,root,root) /usr/man/man1/ssh-keygen.1* +%attr(0644,root,root) /usr/man/man1/scp.1* %attr(0755,root,root) %dir /etc/ssh %attr(0755,root,root) %dir /usr/libexec/ssh 
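Review bot: the trailing wildcard in '%attr(0644,root,root) /usr/man/man1/ssh-keygen.1*' and the scp.1 line does more than tolerate .gz or .bz2 suffixes: it packages every file in the buildroot whose name starts with that prefix, so an uncompressed copy left beside the compressed one, or a stray ssh-keygen.1.orig, would be shipped with no error. Acceptable for a spec rebuilt on clean buildroots, but worth a one-line comment above the %files block; while touching these lines, %{_mandir}/man1/ssh-keygen.1* would also let the hardcoded /usr/man follow the build host's man path.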
@@ -217,17 +217,17 @@ %attr(4755,root,root) /usr/bin/ssh %attr(0755,root,root) /usr/bin/ssh-agent %attr(0755,root,root) /usr/bin/ssh-add -%attr(0644,root,root) /usr/man/man1/ssh.1 -%attr(0644,root,root) /usr/man/man1/ssh-agent.1 -%attr(0644,root,root) /usr/man/man1/ssh-add.1 +%attr(0644,root,root) /usr/man/man1/ssh.1* +%attr(0644,root,root) /usr/man/man1/ssh-agent.1* +%attr(0644,root,root) /usr/man/man1/ssh-add.1* %attr(0644,root,root) %config(noreplace) /etc/ssh/ssh_config %attr(-,root,root) /usr/bin/slogin -%attr(-,root,root) /usr/man/man1/slogin.1 +%attr(-,root,root) /usr/man/man1/slogin.1* %files server %defattr(-,root,root) %attr(0755,root,root) /usr/sbin/sshd -%attr(0644,root,root) /usr/man/man8/sshd.8 +%attr(0644,root,root) /usr/man/man8/sshd.8* %attr(0600,root,root) %config(noreplace) /etc/ssh/sshd_config %attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd %attr(0755,root,root) %config /etc/rc.d/init.d/sshd From pekkas at netcore.fi Wed May 10 07:22:38 2000 From: pekkas at netcore.fi (Pekka Savola) Date: Wed, 10 May 2000 00:22:38 +0300 (EEST) Subject: Patch for 2.0.0beta2-1.src.rpm on Mandrake In-Reply-To: <20000509141404.B2341@cardinal0.Stanford.EDU> Message-ID: > By using wildcards, I expect that this patch will NOT break the build > under Redhat systems, so hopefully a separate Mandrake spec file is not > needed. Beta 2.0.0 seems to work fine, BTW. This is AFAIK preferred behaviour and things won't get broken. Newer RPM versions compress the man pages automatically, and if you try to rebuild the package using one, it'll fail on Redhat too unless something like ssh.1* is used. ssh.1* is the best solution anyway, because it supports .gz, .bz2 and non-compressed manpages. This will get very tricky however, if man pages have to be symlinked though. -- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and fall" From markus.friedl at informatik.uni-erlangen.de Wed May 10 07:38:57 2000 
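Review bot: '%attr(-,root,root) /usr/man/man1/slogin.1*' is the one man-page line in this hunk that keeps '-' for the mode, presumably because slogin.1 is installed as a link to ssh.1; whether the distribution's man-page compression step rewrites that link to the compressed ssh.1 or leaves it pointing at a name that no longer exists is outside the spec's control, and the glob will package the link either way without failing the build. A quick 'man slogin' on the installed package catches the dangling case; the same check applies to sshd.8* in %files server.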
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 9 May 2000 23:38:57 +0200
Subject: ANNOUNCE: portable openssh-2.1.0
In-Reply-To: ; from cmg@dok.org on Tue, May 09, 2000 at 02:20:59PM -0500
References: 
Message-ID: <20000509233857.A11068@folly.informatik.uni-erlangen.de>

On Tue, May 09, 2000 at 02:20:59PM -0500, Chris Green wrote:
> really nice job ;) One curiosity comes to mind. What direction is
> ssh-agent going to take? Right now it supports RSA keys only. Will 2
> different ssh-agents be needed for each flavor of key or will there be
> a way to use both DSA and RSA keys from within a single ssh-agent?

feel free to send me patches :)

of course, only one agent will be needed, but a protocol needs to
be defined first...

From markus.friedl at informatik.uni-erlangen.de Wed May 10 07:45:34 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 9 May 2000 23:45:34 +0200
Subject: ANNOUNCE: portable openssh-2.1.0
In-Reply-To: <39182F68.4D8870C6@rds.ro>; from fandrei@rds.ro on Tue, May 09, 2000 at 06:31:52PM +0300
References: <39182F68.4D8870C6@rds.ro>
Message-ID: <20000509234534.A15305@folly.informatik.uni-erlangen.de>

On Tue, May 09, 2000 at 06:31:52PM +0300, Florin Andrei wrote:
> Damien Miller wrote:
> >
> > This is to announce the release of openssh-2.1.0, the first stable
> > release of portable OpenSSH to incorporate support for the SSH2
> > protocol.
>
> Sorry if I don't get it: why 2.1.0 and not 2.0.0 ?

2.0 has been around for some time (months) and 2.1 is a stable release
that should not be confused with 2.0. but why should it matter?

From cmg at dok.org Wed May 10 07:57:18 2000
From: cmg at dok.org (Chris Green)
Date: 09 May 2000 16:57:18 -0500
Subject: ANNOUNCE: portable openssh-2.1.0
In-Reply-To: Markus Friedl's message of "Tue, 9 May 2000 23:38:57 +0200"
References: <20000509233857.A11068@folly.informatik.uni-erlangen.de>
Message-ID: 

Ok. I was wondering if the protocol had been defined yet or not for
starters ;). My brain is failing to work today.

Somehow my brain munged ssh-add and ssh-agent together - the easiest
thing to do seems to be adding 10 to the agent client server states for
RSA and defining the DSA protocol in the same way.

Are there any key management issues aside from separate files that have
changed between DSA and RSA? I don't see any but now's the right time to
ask..

Markus Friedl writes:
> On Tue, May 09, 2000 at 02:20:59PM -0500, Chris Green wrote:
> > really nice job ;) One curiosity comes to mind. What direction is
> > ssh-agent going to take? Right now it supports RSA keys only. Will 2
> > different ssh-agents be needed for each flavor of key or will there be
> > a way to use both DSA and RSA keys from within a single ssh-agent?
>
> feel free to send me patches :)
> of course, only one agent will be needed, but a protocol needs to
> be defined first...

--
Chris Green
Let not the sands of time get in your lunch.

From pucko at lysator.liu.se Wed May 10 09:35:28 2000
From: pucko at lysator.liu.se (Magnus Holmberg)
Date: Wed, 10 May 2000 01:35:28 +0200 (CEST)
Subject: openssl-0.9.5a ?
In-Reply-To: <390E2317.6019D0A2@aproposretail.com>
Message-ID: 

Where can I find openssl-0.9.5a ?

All I can find on rpmfind.net is openssl-0.9.5-1

/M

From Cibu_Johny at mw.3com.com Wed May 10 09:38:42 2000
From: Cibu_Johny at mw.3com.com (Cibu Johny) Date: Tue, 9 May 2000 18:38:42 -0500 Subject: quick start guide Message-ID: <862568DA.0081E0F2.00@mwgate02.mw.3com.com> Is there any quickstart guide for OpenSSH ? More over, is there any openssh-software or openssh-general mailing lists ? I could not find this either. thanks, Cibu From mark.baushke at nuasis.com Wed May 10 10:01:13 2000 
From: mark.baushke at nuasis.com (Mark D. Baushke) Date: Tue, 09 May 2000 17:01:13 -0700 Subject: openssl-0.9.5a ? In-Reply-To: Mail from Magnus Holmberg dated Wed, 10 May 2000 01:35:28 +0200 Message-ID: <200005100001.RAA05073@mozart.nuasis.com> On Wed, 10 May 2000 01:35:28 +0200 (CEST), Magnus Holmberg wrote: > > Where can i find openssl-0.9.5a ? > > All I can find on rpmfind.net is openssl-0.9.5-1 You will find RPMs for openssl 0.9.5a in the following locations: Austria: http://gd.tuwien.ac.at/utils/shells/openssh/files/support/ ftp://gd.tuwien.ac.at/utils/shells/openssh/files/support/ Australia: http://the.wiretapped.net/security/cryptography/ssh/OpenSSH/files/support/ ftp://the.wiretapped.net/security/cryptography/ssh/OpenSSH/files/support/ Canada: ftp://ftp.localhost.ca/pub/openssh/files/support/ Czech Republic: http://openssh.gin.cz/files/support/ Greece: ftp://ftp.duth.gr/pub/OpenSSH/files/support/ Germany: ftp://ftp.franken.de/pub/Linux/openssh/files/support/ ftp://ftp.gigabell.net/pub/openssh/files/support/ Holland: Hungary: ftp://ftp.tvnet.hu/pub/openssh/files/support/ http://ftp.tvnet.hu/pub/openssh/files/support/ Japan: http://www.unixuser.org/mirror/openssh/files/support/ Mexico: ftp://ftp.styx.net/mirrors/crypto/openssh/files/support/ Slovakia: ftp://rak.isternet.sk/pub/linux/openssh/files/support/ http://rak.isternet.sk/pub/linux/openssh/files/support/ Switzerland: ftp://sunsite.cnlab-switch.ch/mirror/OpenSSH/support/ http://sunsite.cnlab-switch.ch/www/mirror/OpenSSH/support/ UK: http://www.firedrake.org/openssh/files/support/ ftp://ftp.firedrake.org/openssh/files/support/ Taiwan: http://openssh.fhl.net/files/support/ ftp://ftp.fhl.net/pub/openssh/files/support/ Master site (please use a mirror): http://violet.ibs.com.au/openssh/files/support/ Note that the mirror in Belgium http://mirror.grmbl.com/openssh/files/support/ has NOT been updated to include them. -- Mark From wyodlows at nj.devry.edu Wed May 10 12:07:51 2000 
From: wyodlows at nj.devry.edu (William Yodlowsky)
Date: Tue, 9 May 2000 22:07:51 -0400 (EDT)
Subject: Solaris 7 - utmp
Message-ID: 

Today I installed OpenSSH-2.1.0 together with zlib-1.1.3 and
OpenSSL-0.9.5a on Solaris 7 on an Ultra box.

There appears to be something odd with the utmp stuff... if I just do a
normal configure, utmp logging works fine, but 'w' will give me this:

 10:03pm up 13 day(s), 21:42, 3 users, load average: 0.04, 0.07, 0.10
User tty login@ idle JCPU PCPU what
wyodlows pts/4 9:57pm w
wyodlows pts/4 9:57pm w

Yup. Duplicate entries... 'who' tells me:

wyodlows pts/4 May 9 21:57
wyodlows pts/4 May 9 21:57 (me.my_isp.address)

Now, if I use --without-utmpx, it doesn't affect the compile at all;
"#define USE_UTMPX 1" gets put into the generated config.h anyway. If I
manually comment that line out, then I get no utmp logging (what I'd
expect) and 'w' and 'who' both work correctly.

Thanks very much in advance!

`- William Yodlowsky

From bram at grmbl.be Wed May 10 15:00:43 2000
From: bram at grmbl.be (Bram Dumolin)
Date: Wed, 10 May 2000 11:00:43 +0600 (LKT)
Subject: openssl-0.9.5a ?
In-Reply-To: <200005100001.RAA05073@mozart.nuasis.com>
Message-ID: 

re,

On Tue, 9 May 2000, Mark D. Baushke wrote:
> Note that the mirror in Belgium
> http://mirror.grmbl.com/openssh/files/support/
> has NOT been updated to include them.

Now it has :) There was something wrong with our cronjobs. Sorry for
the inconvenience.

/bye
Bram at grmbl.com
--
[finger bram at vulva.grmbl.com]
[http www.grmbl.com/~bram ]

From cloos at jhcloos.com Wed May 10 18:38:39 2000
From: cloos at jhcloos.com (James H. Cloos Jr.)
Date: 10 May 2000 03:38:39 -0500
Subject: ANNOUNCE: portable openssh-2.1.0
In-Reply-To: Damien Miller's message of "Tue, 9 May 2000 22:37:37 +1000 (EST)"
References: 
Message-ID: 

I just upgraded one box from 2.0.0beta2 and another from 1.2.27-4i via
RPM. (I compiled the src.rpm on each box myself; no errors were
reported.) It went mostly OK.

On the box which was still at 1.2.27, sshd would not restart; the
ssh_config and sshd_config files were not replaced; the new ones were
named *.rpmnew rather than the old ones saved as *.rpmsave. Happily,
since I was doing it over an ssh connection, the existing sessions were
not killed when sshd(8) was. This allowed me to fix it and get the
server up. :) Small bug, though.

From README.openssh2, I tried:

cd ~/.ssh
ssh-keygen -f authorized_keys -X >>authorized_keys2

where ~/.ssh/authorized_keys only contained one key. I got in return:

buffer_get: trying to get more bytes than in buffer

and an empty authorized_keys2 (to be expected since bash had already
created the file before exec(2)ing ssh-keygen).

So I used ssh-keygen -d to create new id_dsa{,.pub} files, transferred
the .pubs over and added them to each authorized_keys2 file. But it is
still defaulting to protocol 1 even though I have 2,1 in the sshd_config
files.

Finally, ssh -2 -v is unusable for interactive use; it prints debug
messages for all data transferred; this does not occur when using
protocol 1.*.

-JimC
--
James H. Cloos, Jr. 1024D/ED7DAEA6 E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6
Check out TGC: 

From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed May 10 19:31:44 2000
From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed May 10 19:31:44 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Wed, 10 May 2000 11:31:44 +0200
Subject: Trying to build OpenSSH-2.1.0 on HP-UX 10.20
Message-ID: <20000510113143.A7152@ws01.aet.tu-cottbus.de>

Hi,

I just tried building OpenSSH-2.1.0 on HP-UX 10.20 and found the following items:

- The configure command I used at the beginning:
CC=cc CFLAGS="-Ae +O2 +DAportable" CPPFLAGS="-I/usr/local/include -I/usr/local/ssl/include -I/usr/include/X11R6" LDFLAGS="-L/usr/local/lib -L/usr/local/ssl/lib -L/usr/lib/X11R6" ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-rsh=/usr/local/lib/rsh/remsh --with-tcp-wrappers --with-pid-dir=/var/run --with-xauth=/usr/bin/X11/xauth --with-ssl-dir=/usr/local/ssl

- Regardless if specified via "--with-ssl-dir" or not, /usr/local/ssl/include is not searched for include files.
From config.log:
...
configure:2003: checking for OpenSSL directory
configure:2051: cc -o conftest -Ae +O2 +DAportable -Aa -D_HPUX_SOURCE -I/usr/local/include -I/usr/local/include -I/usr/local/ssl/include -I/usr/include/X11R6 -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/lib/X11R6 -L/usr/local/lib conftest.c -lz -lcrypto 1>&5
cc: "configure", line 2046: warning 604: Pointers are not assignment-compatible.
cc: "configure", line 2046: warning 563: Argument #2 is not the correct type.
cc: "configure", line 2046: warning 604: Pointers are not assignment-compatible.
cc: "configure", line 2046: warning 563: Argument #3 is not the correct type.
...

[This is why I added /usr/local/ssl/include to CPPFLAGS]

- Unlike typical "configure" operations, flags passed as CPPFLAGS are ignored during the actual build process.
cc -Ae +O2 +DAportable -Aa -D_HPUX_SOURCE -I/usr/local/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c -o bsd-misc.o bsd-misc.c
cpp: "rsa.h", line 21: error 4036: Can't open include file 'openssl/bn.h'.
cpp: "rsa.h", line 22: error 4036: Can't open include file 'openssl/rsa.h'.
cpp: "cipher.h", line 19: error 4036: Can't open include file 'openssl/des.h'.
cpp: "cipher.h", line 20: error 4036: Can't open include file 'openssl/blowfish.h'.
cpp: "cipher.h", line 21: error 4036: Can't open include file 'openssl/rc4.h'.
cpp: "cipher.h", line 22: error 4036: Can't open include file 'openssl/cast.h'.
cpp: "bsd-misc.c", line 50: error 4036: Can't open include file 'openssl/rand.h'.
-> workaround: move CPPFLAGS into CFLAGS

- The "-Aa -D_HPUX_SOURCE" hardcoded does not efficiently use the HP-UX environment. "-Ae" does include the above flags _and_ "+e" for 64bit long long support (as the -Aa overrides the CFLAGS given):
configure:2267: checking size of long long int
configure:2286: cc -o conftest -Ae +O2 +DAportable -Aa -D_HPUX_SOURCE -I/usr/local/include -I/usr/local/include -I/usr/local/ssl/include -I/usr/include/X11R6 -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/lib/X11R6 -L/usr/local/lib conftest.c -lz -lcrypto 1>&5
cc: "configure", line 2281: error 1681: Must use +e or -Ae for long long in ANSI mode.
configure: failed program was:
...

- The documentation says:
  --with-pid-dir=PATH specifies the directory in which the ssh.pid file is created.
  * ssh.pid != sshd.pid perfect, it won't interfere with my running ssh-1.2.27 :-)
  * At the end of the compilation:
    -D/var/run/sshd.pid=/var/run/sshd.pid
    Ok, let's reconfigure it to another path :-(

- make install gives:
/opt/imake/bin/install -c -d /usr/local/openssh/bin
rm: /usr/local/openssh/bin/ directory
cp: illegal option -- d
Usage: cp [-f|-i] [-p] [-S] [-e warn|force|ignore] source_file target_file
       cp [-f|-i] [-p] [-S] [-e warn|force|ignore] source_file ... target_directory
       cp [-f|-i] [-p] [-S] -R|-r [-e warn|force|ignore] source_directory ... target_directory
...

- The INSTALL document (and probably others) has not yet fully integrated ssh2 support.

- First tests:
  openssh client -> ssh-1.2.27 server: works
  openssh client -> openssh-server [Proto 1]: works, but without X-forwarding even though configured with "X11Forwarding yes" [have not looked into it as of now]
  openssh client -> openssh-server [Proto 2]: does not work.

serv01 111: /usr/local/openssh/bin/ssh -2 -p 24 serv01
PRNG seedfile /home/aet/serv01/jaenicke/.ssh/prng_seed must be mode 0600, owned by uid 11019
serv01 112: ls -al ~/.ssh/prng_seed
-rw------- 1 jaenicke aet 1024 May 10 11:26 /home/aet/serv01/jaenicke/.ssh/prng_seed
[my $HOME and $HOME/.ssh are 700, too]
[Also no debugging until now]

- Please note that the internal PRNG is a problem:
  * Startup takes quite a long time when calling an ssh client.
    [The server startup is also slow, but it does not happen too often]
  * The sshd server clobbers my syslog.log:

May 10 11:23:41 serv01 sshd[27220]: Server listening on 0.0.0.0 port 24.
May 10 11:23:41 serv01 sshd[27220]: Generating 768 bit RSA key.
May 10 11:23:49 serv01 sshd[27220]: RSA key generation complete.
May 10 11:23:51 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/ls -alni' completion: No child processes
May 10 11:23:51 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/ls -alni' completion: No child processes
May 10 11:23:51 serv01 sshd[27220]: error: Command '/usr/bin/ls -alni': select() failed: Interrupted system call
May 10 11:23:51 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/ls -alni' completion: No child processes
May 10 11:23:51 serv01 sshd[27220]: error: Command '/usr/bin/netstat -an': select() failed: Interrupted system call
May 10 11:23:51 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/netstat -an' completion: No child processes
May 10 11:23:51 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/netstat -in' completion: No child processes
May 10 11:23:51 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/netstat -rn' completion: No child processes
May 10 11:23:51 serv01 sshd[27220]: error: Command '/usr/bin/netstat -s': select() failed: Interrupted system call
May 10 11:23:51 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/netstat -s' completion: No child processes
May 10 11:23:51 serv01 sshd[27220]: error: Command '/usr/bin/ps -al': select() failed: Interrupted system call
May 10 11:23:51 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/ps -al' completion: No child processes
May 10 11:23:51 serv01 sshd[27220]: error: Command '/usr/bin/ps -efl': select() failed: Interrupted system call
May 10 11:23:51 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/ps -efl' completion: No child processes
May 10 11:23:51 serv01 sshd[27220]: error: Command '/usr/bin/w ': select() failed: Interrupted system call
May 10 11:23:51 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/w ' completion: No child processes
May 10 11:23:52 serv01 sshd[27220]: error: Command '/usr/bin/last ': select() failed: Interrupted system call
May 10 11:23:52 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/last ' completion: No child processes
May 10 11:23:53 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/df ' completion: Interrupted system call
May 10 11:23:53 serv01 sshd[27394]: Accepted password for jaenicke from 141.43.132.161 port 989
May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/df -i' completion: Interrupted system call
May 10 11:23:54 serv01 sshd[27220]: error: Command '/usr/bin/vmstat ': select() failed: Interrupted system call
May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/vmstat ' completion: No child processes
May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/uptime ' completion: No child processes
May 10 11:23:54 serv01 sshd[27220]: error: Command '/usr/bin/ipcs -a': select() failed: Interrupted system call
May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/ipcs -a' completion: No child processes
May 10 11:23:54 serv01 sshd[27220]: error: Command '/usr/bin/tail -200': select() failed: Interrupted system call
May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/tail -200' completion: No child processes
May 10 11:23:54 serv01 sshd[27220]: error: Command '/usr/bin/tail -200': select() failed: Interrupted system call
May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/tail -200' completion: No child processes
May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/ls -alni' completion: No child processes
May 10 11:23:54 serv01 sshd[27220]: error: Command '/usr/bin/ls -alni': select() failed: Interrupted system call
May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/ls -alni' completion: No child processes
May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/ls -alni' completion: No child processes
May 10 11:23:54 serv01 sshd[27220]: error: Command '/usr/bin/netstat -an': select() failed: Interrupted system call
May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/netstat -an' completion: No child processes
May 10 11:23:54 serv01 sshd[27220]: error: Command '/usr/bin/netstat -in': select() failed: Interrupted system call
May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/netstat -in' completion: No child processes
May 10 11:23:54 serv01 sshd[27220]: error: Command '/usr/bin/netstat -rn': select() failed: Interrupted system call
May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/netstat -rn' completion: No child processes
May 10 11:23:54 serv01 sshd[27220]: error: Command '/usr/bin/netstat -s': select() failed: Interrupted system call
May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/netstat -s' completion: No child processes
May 10 11:23:54 serv01 sshd[27220]: error: Command '/usr/bin/ps -al': select() failed: Interrupted system call
May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/ps -al' completion: No child processes
May 10 11:23:54 serv01 sshd[27220]: error: Command '/usr/bin/ps -efl': select() failed: Interrupted system call
May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/ps -efl' completion: No child processes
May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/w ' completion: No child processes
May 10 11:23:56 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/last ' completion: Interrupted system call
May 10 11:23:56 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/df ' completion: Interrupted system call
May 10 11:23:57 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/df -i' completion: Interrupted system call
May 10 11:23:57 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/vmstat ' completion: No child processes
May 10 11:23:57 serv01 sshd[27220]: error: Command '/usr/bin/uptime ': select() failed: Interrupted system call
May 10 11:23:57 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/uptime ' completion: No child processes
May 10 11:23:57 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/ipcs -a' completion: No child processes
May 10 11:23:57 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/tail -200' completion: No child processes
May 10 11:23:57 serv01 sshd[27220]: error: Command '/usr/bin/tail -200': select() failed: Interrupted system call
May 10 11:23:57 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/tail -200' completion: No child processes
...

Puh, so much for my first experiences. Seems I will stay with sshd-1.2.27 for some more time while trying to track all of these items down...

Best regards,
Lutz
-- 
Lutz Jaenicke  Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus  http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
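The protocol-2 attempt above is refused with "PRNG seedfile ... must be mode 0600, owned by uid 11019" even though ls shows -rw------- and the expected owner, and the thread does not say why. As an added illustration (this is not OpenSSH's own code, and the sample files it creates are constructed), here is what that check looks like when written out in Python: the permission bits are masked off st_mode before the comparison, the owner is compared with the calling uid, and symlinks and non-regular files are refused, so a file like the one in the ls output passes while a 0644 copy does not.

```python
import os
import stat
import tempfile


def check_seed_file(path, expected_uid=None):
    """Return the reasons a PRNG seed file would be rejected (empty list if it is fine).

    Rule illustrated: a regular file (not a symlink), permission bits exactly
    0600, owned by the calling user. Not OpenSSH's check, just a readable version
    of the rule the client quotes.
    """
    if expected_uid is None:
        expected_uid = os.getuid()
    try:
        st = os.lstat(path)  # lstat so that a symlink is seen as a symlink
    except FileNotFoundError:
        return ["missing"]
    problems = []
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    # Compare only the permission bits. st_mode also carries the file-type bits,
    # so `st.st_mode != 0o600` would be true for every file, a correct one included.
    perm = stat.S_IMODE(st.st_mode)
    if perm != 0o600:
        problems.append("mode %04o, expected 0600" % perm)
    if st.st_uid != expected_uid:
        problems.append("owned by uid %d, expected uid %d" % (st.st_uid, expected_uid))
    return problems


def describe(path, expected_uid=None):
    """One-line verdict in the style of the client's message, with the reasons appended."""
    uid = os.getuid() if expected_uid is None else expected_uid
    problems = check_seed_file(path, uid)
    if not problems:
        return "%s: ok" % path
    return "PRNG seedfile %s must be mode 0600, owned by uid %d (%s)" % (
        path, uid, "; ".join(problems))


def owner_uid(path):
    """Owner of a file, for building expectations in tests."""
    return os.lstat(path).st_uid


def make_sample_seed(mode=0o600, size=1024):
    """Create a constructed seed file (random bytes) with the given permission bits."""
    fd, path = tempfile.mkstemp(prefix="prng_seed.")
    os.write(fd, os.urandom(size))
    os.close(fd)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for mode in (0o600, 0o644):
        sample = make_sample_seed(mode)
        print(describe(sample))
        os.unlink(sample)
```

The only non-obvious line is the `stat.S_IMODE` mask; everything else is a direct transcription of the sentence the client prints.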
From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed May 10 19:44:28 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Wed, 10 May 2000 11:44:28 +0200
Subject: Trying to build OpenSSH-2.1.0 on HP-UX 10.20
In-Reply-To: <20000510113143.A7152@ws01.aet.tu-cottbus.de>; from Lutz.Jaenicke@aet.TU-Cottbus.DE on Wed, May 10, 2000 at 11:31:44AM +0200
References: <20000510113143.A7152@ws01.aet.tu-cottbus.de>
Message-ID: <20000510114428.A7457@ws01.aet.tu-cottbus.de>

On Wed, May 10, 2000 at 11:31:44AM +0200, Lutz Jaenicke wrote:
...
> - First tests:
>   openssh client -> ssh-1.2.27 server: works
>   openssh client -> openssh-server [Proto 1]: works, but without X-forwarding
>   even though configured with "X11Forwarding yes"
>   [have not looked into it as of now]
...

Ooops, X11-forwarding must of course also be enabled in ssh_config... fixed.

Lutz
-- 
Lutz Jaenicke  Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus  http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153

From fandrei at rds.ro Wed May 10 19:52:51 2000
From: fandrei at rds.ro (Florin Andrei)
Date: Wed, 10 May 2000 12:52:51 +0300
Subject: ANNOUNCE: portable openssh-2.1.0
References: <39182F68.4D8870C6@rds.ro> <20000509234534.A15305@folly.informatik.uni-erlangen.de>
Message-ID: <39193173.F59F5FB1@rds.ro>

Markus Friedl wrote:
> 
> 2.0 has been around for some time (months) and 2.1 is a stable release
> that should not be confused with 2.0.
> 
> but why should it matter?

Sorry, I thought 2.0 was still in beta stage, so I was waiting for 2.0.0-stable. :-)

-- 
Florin Andrei
mailto:florin at linuxstart.com
http://members.linuxstart.com/~florin/
tel: +40-93-261162
From markus.friedl at informatik.uni-erlangen.de Wed May 10 19:56:51 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 10 May 2000 11:56:51 +0200
Subject: ANNOUNCE: portable openssh-2.1.0
In-Reply-To: ; from cloos@jhcloos.com on Wed, May 10, 2000 at 03:38:39AM -0500
References:
Message-ID: <20000510115651.A7017@folly.informatik.uni-erlangen.de>

On Wed, May 10, 2000 at 03:38:39AM -0500, James H. Cloos Jr. wrote:
> From README.openssh2, I tried:
> 
> cd ~/.ssh
> ssh-keygen -f authorized_keys -X >>authorized_keys2

this line is not in the readme. please read the manpage:

NAME
     ssh-keygen - authentication key generation

SYNOPSIS
     ssh-keygen -x [-f keyfile]
     ssh-keygen -X [-f keyfile]

     -x      This option will read a private OpenSSH DSA format file and print a
             SSH2-compatible public key to stdout.

     -X      This option will read a SSH2-compatible public key file and print an
             OpenSSH DSA compatible public key to stdout.

> where ~/.ssh/authorized_keys only contained one key. I got in return:
> 
> buffer_get: trying to get more bytes than in buffer
> 
> and an empty authorized_keys2 (to be expected since bash had already
> created the file before exec(2)ing ssh-keygen).

you are trying to convert an RSA key into a DSA key :)

-x/-X is for trading keys with the true and original ssh-2.1.0 or ssh-2.0.13 from ssh.com

> So I used ssh-keygen -d to create new id_dsa{,.pub} files, transferred
> the .pubs over and added them to each authorized_keys2 file.
> 
> But it is still defaulting to protocol 1 even though I have 2,1 in the
> sshd_config files.

who defaults to what?

for the server 1,2 or 2,1 does not matter since it's the client who decides what protocol to speak to the server.

> Finally, ssh -2 -v is unusable for interactive use; it prints debug
> messages for all data transferred; this does not occur when using
> protocol 1.*.

-v is for debugging. if ssh has been tested by more people, some messages will be removed.
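What Markus describes above, and repeats later in the thread (authorized_keys cannot be converted, but an ssh.com .ssh2/*.pub file can be turned into an authorized_keys2 line and an OpenSSH DSA key into an ssh.com file), is the -x/-X trade between ssh.com's SSH2 public key file format and OpenSSH's one-line form. The following Python is an added example of that trade, not ssh-keygen's code: it encodes and parses the length-prefixed ssh-dss blob both formats share, writes and reads the ssh.com file layout (BEGIN/END markers, optional "Comment:" header, base64 body), and refuses a protocol-1 authorized_keys line up front because it carries an RSA1 key and no SSH2 blob. The integers standing in for p, q, g, y and the "user@example" comment are constructed values, not a real key. The parser reports the same "buffer_get: trying to get more bytes than in buffer" condition when it is handed bytes that are not a blob.

```python
# Added example of the ssh.com SSH2 <-> OpenSSH public key trade. Not ssh-keygen's
# code; the sample key material below is constructed and is NOT a real DSA key.
import base64
import struct

BEGIN_MARKER = "---- BEGIN SSH2 PUBLIC KEY ----"
END_MARKER = "---- END SSH2 PUBLIC KEY ----"


def _string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(n):
    """SSH wire-format mpint: big-endian, with a leading 0x00 when the top bit is set."""
    return _string(b"" if n == 0 else n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_dsa_blob(p, q, g, y):
    """ssh-dss public key blob: the string "ssh-dss" followed by mpints p, q, g, y."""
    return _string(b"ssh-dss") + b"".join(_mpint(v) for v in (p, q, g, y))


def parse_blob(blob):
    """Split a key blob into (key type, [integers]). Every field announces its own
    length, so bytes that are not a blob soon ask for more data than is left."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("buffer_get: trying to get more bytes than in buffer")
        (length,) = struct.unpack_from(">I", blob, off)
        off += 4
        if off + length > len(blob):
            raise ValueError("buffer_get: trying to get more bytes than in buffer")
        fields.append(blob[off:off + length])
        off += length
    if not fields:
        raise ValueError("empty key blob")
    key_type = fields[0].decode("ascii", "replace")
    return key_type, [int.from_bytes(f, "big") for f in fields[1:]]


def openssh_to_ssh2(line):
    """One id_dsa.pub / authorized_keys2 line -> ssh.com SSH2 public key file text."""
    parts = line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("ssh-"):
        # A protocol-1 authorized_keys line starts with the key size ("1024 35 ...").
        raise ValueError("not an OpenSSH protocol-2 public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob_type, _ = parse_blob(blob)
    if blob_type != key_type:
        raise ValueError("line says %s but blob is %s" % (key_type, blob_type))
    body = base64.b64encode(blob).decode("ascii")
    out = [BEGIN_MARKER]
    if comment:
        out.append('Comment: "%s"' % comment)
    out.extend(body[i:i + 70] for i in range(0, len(body), 70))  # ssh.com wraps at 70
    out.append(END_MARKER)
    return "\n".join(out) + "\n"


def ssh2_to_openssh(text):
    """ssh.com SSH2 public key file text -> one authorized_keys2-style line."""
    lines = text.strip().splitlines()
    if len(lines) < 3 or lines[0] != BEGIN_MARKER or lines[-1] != END_MARKER:
        raise ValueError("not an SSH2 public key file")
    headers, body, pending = {}, [], ""
    for ln in lines[1:-1]:
        # "Tag: value" headers may continue after a trailing backslash; base64 never has ':'.
        if pending or (":" in ln and not body):
            pending += ln[:-1] if ln.endswith("\\") else ln
            if not ln.endswith("\\"):
                tag, _, value = pending.partition(":")
                headers[tag.strip().lower()] = value.strip().strip('"')
                pending = ""
        else:
            body.append(ln.strip())
    key_type, _ = parse_blob(base64.b64decode("".join(body)))
    comment = headers.get("comment", "")
    return "%s %s%s\n" % (key_type, "".join(body), " " + comment if comment else "")


def conversion_error(func, *args):
    """Return the ValueError message func(*args) raises, or None if it succeeds."""
    try:
        func(*args)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample: small integers stand in for p, q, g, y. NOT a real DSA key.
SAMPLE_INTS = (0xC3D6F1, 0xB1, 0x2, 0x9A31)
SAMPLE_LINE = "ssh-dss %s user@example" % base64.b64encode(build_dsa_blob(*SAMPLE_INTS)).decode("ascii")

if __name__ == "__main__":
    ssh2_text = openssh_to_ssh2(SAMPLE_LINE)
    print(ssh2_text + ssh2_to_openssh(ssh2_text))
    print("RSA1 line:", conversion_error(openssh_to_ssh2, "1024 35 65537 user@example"))
```

Feeding the RSA1 line through `openssh_to_ssh2` fails on the first token, before any decoding; feeding a truncated blob to `parse_blob` fails with the buffer_get wording, which is the "asked for more bytes than remain" condition rather than anything specific to DSA.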
From markus.friedl at informatik.uni-erlangen.de Wed May 10 20:05:56 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 10 May 2000 12:05:56 +0200
Subject: ANNOUNCE: portable openssh-2.1.0
In-Reply-To: ; from cmg@dok.org on Tue, May 09, 2000 at 04:57:18PM -0500
References: <20000509233857.A11068@folly.informatik.uni-erlangen.de>
Message-ID: <20000510120556.B7017@folly.informatik.uni-erlangen.de>

On Tue, May 09, 2000 at 04:57:18PM -0500, Chris Green wrote:
> Are there any key management issues aside from separate files that have
> changed between DSA and RSA? I don't see any but now's the right time
> to ask..

no, handling of DSA keys is similar to RSA, only the filenames changed for backward compatibility

RSA:
    ~/.ssh/known_hosts
    ~/.ssh/identity
    ~/.ssh/authorized_keys
    /etc/ssh_host_key

DSA:
    ~/.ssh/known_hosts2
    ~/.ssh/id_dsa
    ~/.ssh/authorized_keys2
    /etc/ssh_host_dsa_key
From andre.lucas at dial.pipex.com Wed May 10 21:29:13 2000
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Wed, 10 May 2000 12:29:13 +0100
Subject: Trying to build OpenSSH-2.1.0 on HP-UX 10.20
References: <20000510113143.A7152@ws01.aet.tu-cottbus.de>
Message-ID: <39194809.C723070C@dial.pipex.com>

That's one *hell* of a configure line :-)

I'll look at the SSL configure issues later. I sent Damien some autoconf caching changes a few days ago, looks like I missed something in testing. I'm a bit surprised, though, because my OpenSSL is in /usr/local/ssl too and it works fine. Also, my initial HP patch specified remsh instead of rsh, seems that's been lost somewhere.

Thanks for the advice on switches for HP's ANSI compiler. I did the initial port to HP, but I won't pay for a UNIX compiler, just on principle :-)

As stated on the web site, the entropy gatherer needs testing. 'Clobbered' is a harsh word for some overzealous entries in syslog, but if it bothers you greatly then change 'error' to 'debug' in lines 375 and 389 of entropy.c. This will most likely change in the next release anyway, IMO.

The builtin PRNG timeout is set quite high by default; if it's not, then slower machines time out too many commands, and the whole app fails (it actually reports 'no RSA support', though all it really means is that OpenSSL's PRNG isn't ready.) A better solution is to 'know' which commands are slow, and never try them - it will happen, probably quite soon, as it annoys me too.

Again, if it bothers you unduly, add --with-entropy-timeout=20, or less depending on your machine speed, to your configure line. If it's of any use, a timeout of 10 is fine on my B132L+ at work. YMMV.

If you can't wait, use EGD.

Ta,
-Andre'

Lutz Jaenicke wrote:
> 
> Hi,
> 
> I just tried building OpenSSH-2.1.0 on HP-UX 10.20 and found the following items:
> 
> - The configure command I used at the beginning:
> CC=cc CFLAGS="-Ae +O2 +DAportable" CPPFLAGS="-I/usr/local/include -I/usr/local/ssl/include -I/usr/include/X11R6" LDFLAGS="-L/usr/local/lib -L/usr/local/ssl/lib -L/usr/lib/X11R6" ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-rsh=/usr/local/lib/rsh/remsh --with-tcp-wrappers --with-pid-dir=/var/run --with-xauth=/usr/bin/X11/xauth --with-ssl-dir=/usr/local/ssl
> 
> - Regardless if specified via "--with-ssl-dir" or not, /usr/local/ssl/include is not searched for include files.
> From config.log:
> ...
> configure:2003: checking for OpenSSL directory
> configure:2051: cc -o conftest -Ae +O2 +DAportable -Aa -D_HPUX_SOURCE -I/usr/local/include -I/usr/local/include -I/usr/local/ssl/include -I/usr/include/X11R6 -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/lib/X11R6 -L/usr/local/lib conftest.c -lz -lcrypto 1>&5
> cc: "configure", line 2046: warning 604: Pointers are not assignment-compatible.
> cc: "configure", line 2046: warning 563: Argument #2 is not the correct type.
> cc: "configure", line 2046: warning 604: Pointers are not assignment-compatible.
> cc: "configure", line 2046: warning 563: Argument #3 is not the correct type.
> ...
> 
> [This is why I added /usr/local/ssl/include to CPPFLAGS]
> 
> - Unlike typical "configure" operations, flags passed as CPPFLAGS are ignored during the actual build process.
> cc -Ae +O2 +DAportable -Aa -D_HPUX_SOURCE -I/usr/local/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c -o bsd-misc.o bsd-misc.c
> cpp: "rsa.h", line 21: error 4036: Can't open include file 'openssl/bn.h'.
> cpp: "rsa.h", line 22: error 4036: Can't open include file 'openssl/rsa.h'.
> cpp: "cipher.h", line 19: error 4036: Can't open include file 'openssl/des.h'.
> cpp: "cipher.h", line 20: error 4036: Can't open include file 'openssl/blowfish.h'.
> cpp: "cipher.h", line 21: error 4036: Can't open include file 'openssl/rc4.h'.
> cpp: "cipher.h", line 22: error 4036: Can't open include file 'openssl/cast.h'.
> cpp: "bsd-misc.c", line 50: error 4036: Can't open include file 'openssl/rand.h'.
> -> workaround: move CPPFLAGS into CFLAGS
> 
> - The "-Aa -D_HPUX_SOURCE" hardcoded does not efficiently use the HP-UX environment. "-Ae" does include the above flags _and_ "+e" for 64bit long long support (as the -Aa overrides the CFLAGS given):
> configure:2267: checking size of long long int
> configure:2286: cc -o conftest -Ae +O2 +DAportable -Aa -D_HPUX_SOURCE -I/usr/local/include -I/usr/local/include -I/usr/local/ssl/include -I/usr/include/X11R6 -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/lib/X11R6 -L/usr/local/lib conftest.c -lz -lcrypto 1>&5
> cc: "configure", line 2281: error 1681: Must use +e or -Ae for long long in ANSI mode.
> configure: failed program was:
> ...
> 
> - The documentation says:
>   --with-pid-dir=PATH specifies the directory in which the ssh.pid file is created.
>   * ssh.pid != sshd.pid perfect, it won't interfere with my running ssh-1.2.27 :-)
>   * At the end of the compilation:
>     -D/var/run/sshd.pid=/var/run/sshd.pid
>     Ok, let's reconfigure it to another path :-(
> 
> - make install gives:
> /opt/imake/bin/install -c -d /usr/local/openssh/bin
> rm: /usr/local/openssh/bin/ directory
> cp: illegal option -- d
> Usage: cp [-f|-i] [-p] [-S] [-e warn|force|ignore] source_file target_file
>        cp [-f|-i] [-p] [-S] [-e warn|force|ignore] source_file ... target_directory
>        cp [-f|-i] [-p] [-S] -R|-r [-e warn|force|ignore] source_directory ... target_directory
> ...
> 
> - The INSTALL document (and probably others) has not yet fully integrated ssh2 support.
> 
> - First tests:
>   openssh client -> ssh-1.2.27 server: works
>   openssh client -> openssh-server [Proto 1]: works, but without X-forwarding even though configured with "X11Forwarding yes" [have not looked into it as of now]
>   openssh client -> openssh-server [Proto 2]: does not work.
> 
> serv01 111: /usr/local/openssh/bin/ssh -2 -p 24 serv01
> PRNG seedfile /home/aet/serv01/jaenicke/.ssh/prng_seed must be mode 0600, owned by uid 11019
> serv01 112: ls -al ~/.ssh/prng_seed
> -rw------- 1 jaenicke aet 1024 May 10 11:26 /home/aet/serv01/jaenicke/.ssh/prng_seed
> [my $HOME and $HOME/.ssh are 700, too]
> [Also no debugging until now]
> 
> - Please note that the internal PRNG is a problem:
>   * Startup takes quite a long time when calling an ssh client.
>     [The server startup is also slow, but it does not happen too often]
>   * The sshd server clobbers my syslog.log:
> 
> May 10 11:23:41 serv01 sshd[27220]: Server listening on 0.0.0.0 port 24.
> May 10 11:23:41 serv01 sshd[27220]: Generating 768 bit RSA key.
> May 10 11:23:49 serv01 sshd[27220]: RSA key generation complete.
> May 10 11:23:51 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/ls -alni' completion: No child processes
> May 10 11:23:51 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/ls -alni' completion: No child processes
> May 10 11:23:51 serv01 sshd[27220]: error: Command '/usr/bin/ls -alni': select() failed: Interrupted system call
> May 10 11:23:51 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/ls -alni' completion: No child processes
> May 10 11:23:51 serv01 sshd[27220]: error: Command '/usr/bin/netstat -an': select() failed: Interrupted system call
> May 10 11:23:51 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/netstat -an' completion: No child processes
> May 10 11:23:51 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/netstat -in' completion: No child processes
> May 10 11:23:51 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/netstat -rn' completion: No child processes
> May 10 11:23:51 serv01 sshd[27220]: error: Command '/usr/bin/netstat -s': select() failed: Interrupted system call
> May 10 11:23:51 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/netstat -s' completion: No child processes
> May 10 11:23:51 serv01 sshd[27220]: error: Command '/usr/bin/ps -al': select() failed: Interrupted system call
> May 10 11:23:51 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/ps -al' completion: No child processes
> May 10 11:23:51 serv01 sshd[27220]: error: Command '/usr/bin/ps -efl': select() failed: Interrupted system call
> May 10 11:23:51 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/ps -efl' completion: No child processes
> May 10 11:23:51 serv01 sshd[27220]: error: Command '/usr/bin/w ': select() failed: Interrupted system call
> May 10 11:23:51 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/w ' completion: No child processes
> May 10 11:23:52 serv01 sshd[27220]: error: Command '/usr/bin/last ': select() failed: Interrupted system call
> May 10 11:23:52 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/last ' completion: No child processes
> May 10 11:23:53 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/df ' completion: Interrupted system call
> May 10 11:23:53 serv01 sshd[27394]: Accepted password for jaenicke from 141.43.132.161 port 989
> May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/df -i' completion: Interrupted system call
> May 10 11:23:54 serv01 sshd[27220]: error: Command '/usr/bin/vmstat ': select() failed: Interrupted system call
> May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/vmstat ' completion: No child processes
> May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/uptime ' completion: No child processes
> May 10 11:23:54 serv01 sshd[27220]: error: Command '/usr/bin/ipcs -a': select() failed: Interrupted system call
> May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/ipcs -a' completion: No child processes
> May 10 11:23:54 serv01 sshd[27220]: error: Command '/usr/bin/tail -200': select() failed: Interrupted system call
> May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/tail -200' completion: No child processes
> May 10 11:23:54 serv01 sshd[27220]: error: Command '/usr/bin/tail -200': select() failed: Interrupted system call
> May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/tail -200' completion: No child processes
> May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/ls -alni' completion: No child processes
> May 10 11:23:54 serv01 sshd[27220]: error: Command '/usr/bin/ls -alni': select() failed: Interrupted system call
> May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/ls -alni' completion: No child processes
> May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/ls -alni' completion: No child processes
> May 10 11:23:54 serv01 sshd[27220]: error: Command '/usr/bin/netstat -an': select() failed: Interrupted system call
> May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/netstat -an' completion: No child processes
> May 10 11:23:54 serv01 sshd[27220]: error: Command '/usr/bin/netstat -in': select() failed: Interrupted system call
> May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/netstat -in' completion: No child processes
> May 10 11:23:54 serv01 sshd[27220]: error: Command '/usr/bin/netstat -rn': select() failed: Interrupted system call
> May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/netstat -rn' completion: No child processes
> May 10 11:23:54 serv01 sshd[27220]: error: Command '/usr/bin/netstat -s': select() failed: Interrupted system call
> May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/netstat -s' completion: No child processes
> May 10 11:23:54 serv01 sshd[27220]: error: Command '/usr/bin/ps -al': select() failed: Interrupted system call
> May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/ps -al' completion: No child processes
> May 10 11:23:54 serv01 sshd[27220]: error: Command '/usr/bin/ps -efl': select() failed: Interrupted system call
> May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/ps -efl' completion: No child processes
> May 10 11:23:54 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/w ' completion: No child processes
> May 10 11:23:56 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/last ' completion: Interrupted system call
> May 10 11:23:56 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/df ' completion: Interrupted system call
> May 10 11:23:57 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/df -i' completion: Interrupted system call
> May 10 11:23:57 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/vmstat ' completion: No child processes
> May 10 11:23:57 serv01 sshd[27220]: error: Command '/usr/bin/uptime ': select() failed: Interrupted system call
> May 10 11:23:57 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/uptime ' completion: No child processes
> May 10 11:23:57 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/ipcs -a' completion: No child processes
> May 10 11:23:57 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/tail -200' completion: No child processes
> May 10 11:23:57 serv01 sshd[27220]: error: Command '/usr/bin/tail -200': select() failed: Interrupted system call
> May 10 11:23:57 serv01 sshd[27220]: error: Couldn't wait for child '/usr/bin/tail -200' completion: No child processes
> 
> ...
> 
> Puh, so much for my first experiences. Seems I will stay with sshd-1.2.27 for some more time while trying to track all of these items down...
> 
> Best regards,
> Lutz
> -- 
> Lutz Jaenicke  Lutz.Jaenicke at aet.TU-Cottbus.DE
> BTU Cottbus  http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
> Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
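Andre's two points above, that a per-command timeout set too low makes enough commands fail for the whole PRNG seeding to fail, and that the better fix is to know which commands are slow on a given host and not run them, are easiest to see with the gatherer written out. The Python below is an added example of that design, not OpenSSH's entropy.c: each command is run with its own timeout, its output is mixed into a SHA-256 pool, a per-command report of status, elapsed time and bytes collected is returned, and a helper picks the commands that exceeded a time budget so they can be dropped from the list rather than the global timeout raised. The command list, the timeout and the entropy credit per byte are constructed placeholders (a real gatherer assigns a rate to each command).

```python
# Added example of a command-based entropy gatherer with per-command timeouts.
# Not OpenSSH's entropy.c; the command list, timeout and credit rate are constructed.
import hashlib
import subprocess
import time

# Constructed list of harmless, widely available commands whose output varies.
# The last entry deliberately outruns the demo timeout so the timeout path is seen.
SAMPLE_COMMANDS = [
    ["uptime"],
    ["ls", "-al", "/tmp"],
    ["sh", "-c", "echo $$ $PPID"],
    ["sleep", "5"],
]


def run_command_timed(argv, timeout):
    """Run argv, capture its stdout, and give up after `timeout` seconds.

    Returns (status, output, elapsed_seconds) with status "ok", "failed" (non-zero
    exit or command not present) or "timeout". On timeout the child has already
    been killed; whatever it printed before that is still returned.
    """
    start = time.monotonic()
    try:
        proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
                              timeout=timeout, check=False)
        status = "ok" if proc.returncode == 0 else "failed"
        return status, proc.stdout, time.monotonic() - start
    except subprocess.TimeoutExpired as exc:
        return "timeout", exc.stdout or b"", time.monotonic() - start
    except OSError:
        return "failed", b"", time.monotonic() - start


def gather_entropy(commands, timeout, credit_bits_per_byte=0.05):
    """Mix each command's output into a SHA-256 pool and estimate the bits gathered.

    Returns (seed, estimated_bits, report); report maps the command line to
    (status, elapsed_seconds, bytes_collected). The credit per byte is a
    constructed placeholder, not a measured rate.
    """
    pool = hashlib.sha256()
    estimated_bits = 0.0
    report = {}
    for argv in commands:
        status, output, elapsed = run_command_timed(argv, timeout)
        pool.update(output)
        pool.update(repr(elapsed).encode("ascii"))  # timing jitter, cheap to add
        # Credit only bytes that actually arrived; a timed-out command may give none.
        estimated_bits += len(output) * credit_bits_per_byte
        report[" ".join(argv)] = (status, round(elapsed, 3), len(output))
    return pool.digest(), estimated_bits, report


def enough_entropy(estimated_bits, needed_bits=128):
    """Seeding succeeds only if the estimate reaches the threshold; too many
    timed-out commands is what pushes it below."""
    return estimated_bits >= needed_bits


def slow_commands(report, budget):
    """Commands that timed out or ran longer than `budget` seconds: the ones to
    drop on this host instead of raising the global timeout."""
    return sorted(cmd for cmd, (status, elapsed, _) in report.items()
                  if status == "timeout" or elapsed > budget)


if __name__ == "__main__":
    seed, bits, report = gather_entropy(SAMPLE_COMMANDS, timeout=1.0)
    for cmd, (status, elapsed, nbytes) in report.items():
        print("%-24s %-8s %7.3fs %6d bytes" % (cmd, status, elapsed, nbytes))
    print("seed:", seed.hex())
    print("estimated bits: %.1f, enough: %s" % (bits, enough_entropy(bits)))
    print("too slow for a 1s budget:", slow_commands(report, 1.0))
```

Python's subprocess module retries interrupted system calls internally, so the "select() failed: Interrupted system call" and "No child processes" lines in the syslog above have no counterpart here; a C gatherer that runs inside a daemon with its own SIGCHLD handler has to retry select() on EINTR itself and accept that waitpid() can return ECHILD when that handler already reaped the child.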
From cloos at jhcloos.com Wed May 10 22:30:16 2000
From: cloos at jhcloos.com (James H. Cloos Jr.)
Date: 10 May 2000 07:30:16 -0500
Subject: ANNOUNCE: portable openssh-2.1.0
In-Reply-To: Markus Friedl's message of "Wed, 10 May 2000 11:56:51 +0200"
References: <20000510115651.A7017@folly.informatik.uni-erlangen.de>
Message-ID:

>>>>> "Markus" == Markus Friedl writes:

JimC> From README.openssh2, I tried:

JimC> cd ~/.ssh
JimC> ssh-keygen -f authorized_keys -X >>authorized_keys2

Markus> this line is not in the readme.

It is in /usr/doc/openssh-2.1.0/README.openssh2:

# rpm -ql openssh-2.1.0|egrep README
/usr/doc/openssh-2.1.0/README
/usr/doc/openssh-2.1.0/README.Ylonen
/usr/doc/openssh-2.1.0/README.openssh2

File starts out with:

$Id: README.openssh2,v 1.8 2000/05/07 18:30:03 markus Exp $

-JimC
-- 
James H. Cloos, Jr.  1024D/ED7DAEA6  E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6
Check out TGC:
From cloos at jhcloos.com Wed May 10 22:43:14 2000
From: cloos at jhcloos.com (James H. Cloos Jr.)
Date: 10 May 2000 07:43:14 -0500
Subject: ANNOUNCE: portable openssh-2.1.0
In-Reply-To: Markus Friedl's message of "Wed, 10 May 2000 11:56:51 +0200"
References: <20000510115651.A7017@folly.informatik.uni-erlangen.de>
Message-ID:

>>>>> "Markus" == Markus Friedl
>>>>> writes:

JimC> But it is still defaulting to protocol 1 even though I have 2,1
JimC> in the sshd_config files.

Markus> who defaults to what?

Markus> for the server 1,2 or 2,1 does not matter since it's the
Markus> client who decides what protocol to speak to the server.

D'oh. Added Protocol command to ssh_config as well. Now I get what I want.

JimC> Finally, ssh -2 -v is unusable for interactive use; it prints
JimC> debug messages for all data transferred; this does not occur when
JimC> using protocol 1.*.

Markus> -v is for debugging.

Yes, but it is also useful to compare -v traces with various encryption, compression and now protocol options to discover what works best between given endpoints. Doing so requires typical usage across the session....

Markus> if ssh has been tested by more people, some messages will be
Markus> removed.

Cool. Lest there be any misunderstanding, I like.

-JimC
-- 
James H. Cloos, Jr.  1024D/ED7DAEA6  E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6
Check out TGC:
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Wed, 10 May 2000 14:47:46 +0200 Subject: Trying to build OpenSSH-2.1.0 on HP-UX 10.20 In-Reply-To: <39194809.C723070C@dial.pipex.com>; from andre.lucas@dial.pipex.com on Wed, May 10, 2000 at 12:29:13PM +0100 References: <20000510113143.A7152@ws01.aet.tu-cottbus.de> <39194809.C723070C@dial.pipex.com> Message-ID: <20000510144746.A10294@ws01.aet.tu-cottbus.de> On Wed, May 10, 2000 at 12:29:13PM +0100, Andre Lucas wrote: > That's one *hell* of a configure line :-) I just prescribe what I want. Actually, it is a one-line script calling configure that is saved the original source. Whenever I think that I have to rebuild from source, I just unpack it and call "sh /usr/local/Src/openssh/do_conf"... > testing. I'm a bit surprised, though, because my OpenSSL is in > /usr/local/ssl too and it works fine. Also, my initial HP patch > specified remsh instead of rsh, seems that's been lost somewhere. To be fair, I did not check the actual source code. I used the INSTALL document, which states that it will search for 'rsh' and that I better specify it: ...You may need to specify this option if rsh is not in your path or has a different name. > Thanks for the advice on switches for HP's ANSI compiler. I did the > initial port to HP, but I won't pay for a UNIX compiler, just on > principle :-) I get it for the campus price. And when I pay 15,000$ for a workstation, I can afford 800$ (old DM prices recalculated, not from any actual price list) for the compiler suite and other goodies. > 'Clobbered' is a harsh word for some overzealous entries in syslog, but > if it bothers you greatly then change 'error' to 'debug' in lines 375 > and 389 of entropy.c. This will most likely change in the next release > anyway, IMO. No problem. I just fired the daemon up and had a look. 
Consider that rlogin is not allowed at our site and telnet is only open "just in case sshd dies" (which actually never happened to me), so everybody uses ssh. I would have to increase the size of the /var partition :-) > Again, if it bothers you unduly, add --with-entropy-timeout=20, or less > depending on your machine speed, to your configure line. If it's of any > use, a timeout of 10 is fine on my B132L+ at work. YMMV. > > If you can't wait, use EGD. See, I have ssh-1.2.x running for many years now. I don't care for some more months. Our computer center is at ssh-2.x, so having the new protocol would be nice, but it can wait. The startup problem _is_ significant. I don't know about your setup. In my case all connections are done with ssh. Additionally, several servers run Apache/Mod_SSL (might want to query EGD); all run Postfix/TLS (will query EGD). So the risk of draining EGD and either get failures (because no entropy is obtained) or hangs (because we have to wait for entropy) is a bit high. I tend to push software via sdist (rdist over an ssh channel) to a lot of machines at once :-) Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From markus.friedl at informatik.uni-erlangen.de Wed May 10 23:06:09 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Wed, 10 May 2000 15:06:09 +0200 Subject: ANNOUNCE: portable openssh-2.1.0 In-Reply-To: ; from cloos@jhcloos.com on Wed, May 10, 2000 at 07:30:16AM -0500 References: <20000510115651.A7017@folly.informatik.uni-erlangen.de> Message-ID: <20000510150609.A18665@folly.informatik.uni-erlangen.de> On Wed, May 10, 2000 at 07:30:16AM -0500, James H. Cloos Jr. wrote: > >>>>> "Markus" == Markus Friedl writes: > > JimC> From README.openssh2, I tried: > > JimC> cd ~/.ssh > JimC> ssh-keygen -f authorized_keys -X >>authorized_keys2 > > Markus> this line is not in the readme. > > It is in /usr/doc/openssh-2.1.0/README.openssh2: it is not :) as i wrote in my previous email. you are confusing RSA with DSA keys. README.openssh2 talks about SSH2 only. It talks about converting ssh.com's DSA keys to OpenSSH DSA keys, see ssh-keygen(1). you cannot convert authorized_keys to authorized_keys2, but you can convert .ssh2/id_dsa_1024.pub to a format that complies with the authorized_keys2 syntax. sorry for the confusion, README.openssh2 will be removed soon. From andre.lucas at dial.pipex.com Wed May 10 23:25:13 2000
From: andre.lucas at dial.pipex.com (Andre Lucas) Date: Wed, 10 May 2000 14:25:13 +0100 Subject: Trying to build OpenSSH-2.1.0 on HP-UX 10.20 References: <20000510113143.A7152@ws01.aet.tu-cottbus.de> <39194809.C723070C@dial.pipex.com> <20000510144746.A10294@ws01.aet.tu-cottbus.de> Message-ID: <39196339.E963D479@dial.pipex.com> Lutz Jaenicke wrote: > > On Wed, May 10, 2000 at 12:29:13PM +0100, Andre Lucas wrote: 8< > No problem. I just fired the daemon up and had a look. Consider that > rlogin is not allowed at our site and telnet is only open "just in case > sshd dies" (which actually never happened to me), so everybody uses ssh. > I would have to increase the size of the /var partition :-) :-) 8< > The startup problem _is_ significant. I don't know about your setup. > In my case all connections are done with ssh. Additionally, several > servers run Apache/Mod_SSL (might want to query EGD); all run > Postfix/TLS (will query) EGD. > So the risk of draining EGD and either get failures (because no entropy > is obtained) or hangs (because we have to wait for entropy) is a bit high. > I tend to push software via sdist (rdist over an ssh channel) to a lot > of machines at once :-) Sure. ssh-1.2.27 doesn't delay because it only runs seven commands. I think more is better but obviously the delay is a pain. I just saw it running on my colleague's old sparc5, and there was a five-second pause running ssh. It felt longer. Ta, -Andre' > > Best regards, > Lutz > -- > Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE > BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ > Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 > Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From ede370 at stl.rural.usda.gov Thu May 11 01:50:52 2000 
From: ede370 at stl.rural.usda.gov (Ed Eden) Date: Wed, 10 May 2000 10:50:52 -0500 Subject: openssl w/ rsaref openssh won't configure Message-ID: <3919855C.56ECA401@stl.rural.usda.gov> I have openssl-0.9.5a and openssh-2.1.0. I configured ssl with rsaref and it passes the tests. When I configure ssh I get:
----
checking for OpenSSL directory... configure: error: Could not find working SSLeay / OpenSSL libraries, please install
----
it is failing RSA_private_decrypt function call. The RSA_generate_key seems to work (does not return null) but then goes on to fail at RSA_private_decrypt. Like I said, the openssl tests passed.... Any help?

conftest.c generated by configure:
---------
gcc -o conftest -g -O2 -Wall -I/opt/openssl/include -L/opt/openssl/lib -L/opt/openssl conftest.c -ldl -lnsl -lz -lutil -lpam -lcrypto -lRSAglue -lrsaref 1>&5
configure: failed program was:
#line 2032 "configure"
#include "confdefs.h"
#include <string.h>
#include <openssl/rand.h>
#include <openssl/rsa.h>
int main(void)
{
	RSA *key;
	char a[2048], b[2048];
	memset(a, 0, sizeof(a));
	memset(b, 0, sizeof(b));
	RAND_add(a, sizeof(a), sizeof(a));
	key = RSA_generate_key(32, 3, NULL, NULL);
	if (key == NULL)
		return(1);
	return(-1 == RSA_private_decrypt(RSA_size(key), a, b, key, RSA_NO_PADDING));
}

From ede370 at stl.rural.usda.gov Thu May 11 04:44:37 2000
From: ede370 at stl.rural.usda.gov (Ed Eden) Date: Wed, 10 May 2000 13:44:37 -0500 Subject: openssl w/ rsaref openssh won't configure Message-ID: <3919AE15.AADBFCA0@stl.rural.usda.gov> is it me or should there be an encrypt function before the decrypt?
From tbert at abac.com Thu May 11 05:21:27 2000
From: tbert at abac.com (Tom Bertelson) Date: Wed, 10 May 2000 15:21:27 -0400 Subject: openssl w/ rsaref openssh won't configure References: <3919AE15.AADBFCA0@stl.rural.usda.gov> Message-ID: <3919B6B7.9C1CA2C3@abac.com> Ed Eden wrote: > > is it me or should there be an encrypt function before the decrypt? You can try it, but it didn't work for me. I tried bypassing the test and building anyway. RSA authentication works, but DSA doesn't. I'm using OpenSSL 0.9.5 on AIX 4.3.1. From madsen at mickey.evli.fi Thu May 11 05:29:15 2000 From: madsen at mickey.evli.fi (Madsen Wikholm) Date: Wed, 10 May 2000 22:29:15 +0300 (EEST) Subject: Socks support Message-ID: Hi! This is not exactly a development contribution but more an expression of opinion. Didn't find a better place to send this to. I've been using openssh on Linux for some time now. Works just fine with one exception. Since I work at a company which likes to live behind a wall we use a socks firewall for allowing some connections to the world (we *should* be a part of it, but I'm not sure ;-). So my problem is that the Dante support code was removed and supposed to be replaced with a ProxyCommand. My question is now: "Where's the beef?". Maybe I'm blind but I can't find any way of getting my ssh to work with a socks proxy. Some form of pointer in the readme or install would be nice. The Dante support in an older version works great. I'm not on the list, so I'd be grateful for a CC to my address if you reply. says madsen. From markus.friedl at informatik.uni-erlangen.de Thu May 11 05:49:56 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Wed, 10 May 2000 21:49:56 +0200 Subject: Socks support In-Reply-To: ; from madsen@mickey.evli.fi on Wed, May 10, 2000 at 10:29:15PM +0300 References: Message-ID: <20000510214956.A2640@folly.informatik.uni-erlangen.de> On Wed, May 10, 2000 at 10:29:15PM +0300, Madsen Wikholm wrote: > So my problem is that the Dante support code was removed and supposed to be > replaced with a ProxyCommand. My question is now: "Where's the beef?". someone has to write a suitable dante/socks-proxy that can be used via ProxyCommand. do you want to give it a try? From markus.friedl at informatik.uni-erlangen.de Thu May 11 05:50:34 2000 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Wed, 10 May 2000 21:50:34 +0200 Subject: openssl w/ rsaref openssh won't configure In-Reply-To: <3919B6B7.9C1CA2C3@abac.com>; from tbert@abac.com on Wed, May 10, 2000 at 03:21:27PM -0400 References: <3919AE15.AADBFCA0@stl.rural.usda.gov> <3919B6B7.9C1CA2C3@abac.com> Message-ID: <20000510215034.B2640@folly.informatik.uni-erlangen.de> what's the problem w/ DSA auth? did you generate a DSA server key? On Wed, May 10, 2000 at 03:21:27PM -0400, Tom Bertelson wrote: > Ed Eden wrote: > > > > is it me or should there be an encrypt function before the decrypt? > > You can try it, but it didn't work for me. > > I tried bypassing the test and building anyway. RSA authentication > works, but DSA doesn't. > > I'm using OpenSSL 0.9.5 on AIX 4.3.1. > From drankin at bohemians.lexington.ky.us Thu May 11 07:12:36 2000 
From: drankin at bohemians.lexington.ky.us (David Rankin) Date: Wed, 10 May 2000 17:12:36 -0400 Subject: Socks support In-Reply-To: <20000510214956.A2640@folly.informatik.uni-erlangen.de>; from Markus Friedl on Wed, May 10, 2000 at 09:49:56PM +0200 References: <20000510214956.A2640@folly.informatik.uni-erlangen.de> Message-ID: <20000510171236.A1015@rumpole.bohemians.lexington.ky.us> On Wed, May 10, 2000 at 09:49:56PM +0200, Markus Friedl wrote: > On Wed, May 10, 2000 at 10:29:15PM +0300, Madsen Wikholm wrote: > > So my problem is that the Dante support code was removed and supposed to be > > replaced with a ProxyCommand. My question is now: "Where's the beef?". > someone has to write a suitable dante/socks-proxy > that can be used via ProxyCommand. > do you want to give it a try? M'lord, for the record, the defense wishes to renew its objections on this issue. (Sorry, been reading too much Rumpole of the Bailey of late.) While I am just as much a fan of "doing things the right way", for Socks client code, I still don't believe that this is the right way. To avoid 10-15 #defines and one extra -l statement for ld, ProxyCommand introduces an extra process (and associated scheduling latency and swapping for low-memory systems), and a minimum of two extra kernel boundary crossings per SSH packet (and associated kernel I/O overhead). Yes, for "modern" high-memory systems with cycles to spare this isn't that big of a deal, but for the systems that are already overloaded (through age, lack of memory, or through heavy utilization), this kind of extra overhead can be at the very least non-trivial, and at its worst make openssh seriously impact the system. That said, I don't have copies of my original patches to add Dante support to OpenSSH close at hand, but they are trivial to reimplement. If someone should feel the urge to do so but would like to see them, I'll try to find the last set of patches I had on the matter. Thanks, David -- David W. Rankin, Jr.
Husband, Father, and UNIX Sysadmin. Email: drankin at bohemians.lexington.ky.us Address/Phone Number: Ask me. From pekkas at netcore.fi Thu May 11 10:15:00 2000 From: pekkas at netcore.fi (Pekka Savola) Date: Thu, 11 May 2000 03:15:00 +0300 (EEST) Subject: OpenSSH-2.1: FROM in 'w' empty? Message-ID: Hello all, I wonder if this is an oversight/bug/feature, but here it goes. It seems that in OpenSSH 2.1, 'w' (or who) command may print out something like this:
----
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
pekkas   ttyp1    -                 3:10am   0.00s  0.08s  0.03s w
----
2.0beta1 was the one I used before, and that printed FROM field properly. Now, every connection gets '-'. Regards, -- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and fall" From Lutz.Jaenicke at aet.TU-Cottbus.DE Thu May 11 18:55:17 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Thu, 11 May 2000 10:55:17 +0200 Subject: Trying to build OpenSSH-2.1.0 on HP-UX 10.20 In-Reply-To: <20000510113143.A7152@ws01.aet.tu-cottbus.de>; from jaenicke@ws01.aet.tu-cottbus.de on Wed, May 10, 2000 at 11:31:44AM +0200 References: <20000510113143.A7152@ws01.aet.tu-cottbus.de> Message-ID: <20000511105517.A17110@ws01.aet.tu-cottbus.de> On Wed, May 10, 2000 at 11:31:44AM +0200, Lutz Jaenicke wrote:
> serv01 111: /usr/local/openssh/bin/ssh -2 -p 24 serv01
> PRNG seedfile /home/aet/serv01/jaenicke/.ssh/prng_seed must be mode 0600, owned by uid 11019
> serv01 112: ls -al ~/.ssh/prng_seed
> -rw------- 1 jaenicke aet 1024 May 10 11:26 /home/aet/serv01/jaenicke/.ssh/prng_seed
entropy.c:447
	if (((st.st_mode & 0177) != 0) || !(st.st_uid == geteuid()))
		fatal("PRNG seedfile %.100s must be mode 0600, owned by uid %d",
		    filename, getuid());
Since ssh is suid to root, geteuid() yields "0". Shouldn't the test be against getuid() (which is also used for the error message)? [works for me with this change] Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From djm at mindrot.org Thu May 11 19:09:04 2000
From: djm at mindrot.org (Damien Miller) Date: Thu, 11 May 2000 19:09:04 +1000 (EST) Subject: Trying to build OpenSSH-2.1.0 on HP-UX 10.20 In-Reply-To: <20000511105517.A17110@ws01.aet.tu-cottbus.de> Message-ID: On Thu, 11 May 2000, Lutz Jaenicke wrote: > entropy.c:447 > if (((st.st_mode & 0177) != 0) || !(st.st_uid == geteuid())) > fatal("PRNG seedfile %.100s must be mode 0600, owned by uid %d," > filename, getuid()); > > Since ssh is suid to root, geteuid() yields "0". Shouldn't the test be > against getuid() (which is also used for the error message)? > [works for me with this change] Quite correct. Thanks. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Thu May 11 19:11:04 2000 From: djm at mindrot.org (Damien Miller) Date: Thu, 11 May 2000 19:11:04 +1000 (EST) Subject: OpenSSH-2.1: FROM in 'w' empty? In-Reply-To: Message-ID: On Thu, 11 May 2000, Pekka Savola wrote: > Hello all, > > I wonder if this is an oversight/bug/feature, but here it goes. ... > 2.0beta1 was the one I used before, and that printed FROM field properly. > Now, every connection gets '-'. It works for me. Can you describe your environment some more? -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Thu May 11 19:21:19 2000 
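An added illustration of the seedfile check that Lutz's report and Damien's "Quite correct" above settle (my own code, not OpenSSH's entropy.c): the owner is compared against getuid(), the real uid of the invoking user, not geteuid(), which is 0 in a set-uid root ssh until privileges are dropped. The 0177 mode mask is the one in the quoted snippet. Beyond the thread's one-word fix, the example checks the inode it actually opened (lstat(), open(), fstat(), then compare device and inode), so a symlink planted at the path or a file swapped in between the two calls is rejected, and it insists on a regular file with exactly one link. The make_seedfile() helper and its /tmp path exist only so the example can be run; they are not anything from the thread.

```c
/* seedfile_check.c: owner and permission check for a per-user PRNG seed file
 * in a set-uid program. Added illustration; not OpenSSH's entropy.c. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` and verify it is a regular file, not a symlink, with a single
 * link, no group/other/owner-exec bits (mask 0177, as in the quoted entropy.c)
 * and owned by `owner`. The inode is checked with fstat() on the descriptor
 * actually opened and compared with the lstat() result, so a link or a swap
 * between the two calls is rejected. Returns the open descriptor or -1. */
int open_seedfile_checked(const char *path, uid_t owner)
{
    struct stat lst, st;
    int fd;
    if (lstat(path, &lst) < 0 || S_ISLNK(lst.st_mode)) return -1;
    fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || st.st_dev != lst.st_dev || st.st_ino != lst.st_ino ||
        !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        (st.st_mode & 0177) != 0 || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* In a set-uid root client getuid() is the invoking user; geteuid() is 0
 * until privileges are dropped, which is the mix-up fixed in the thread. */
int seedfile_ok_for_invoker(const char *path)
{
    int fd = open_seedfile_checked(path, getuid());
    if (fd < 0) return 0;
    close(fd);
    return 1;
}

/* Demonstration helper only: create a scratch seed file under /tmp with the
 * given mode and return its path in `path_out`. Returns 0 on success. */
int make_seedfile(char *path_out, size_t len, mode_t mode)
{
    int fd;
    if (len < 24) return -1;
    strcpy(path_out, "/tmp/prng_seed_XXXXXX");
    fd = mkstemp(path_out);
    if (fd < 0) return -1;
    if (fchmod(fd, mode) < 0) { close(fd); unlink(path_out); return -1; }
    close(fd);
    return 0;
}

int main(void)
{
    char path[64];
    if (make_seedfile(path, sizeof path, 0600) != 0) return 1;
    printf("%s as 0600: %s\n", path, seedfile_ok_for_invoker(path) ? "ok" : "rejected");
    chmod(path, 0644);
    printf("%s as 0644: %s\n", path, seedfile_ok_for_invoker(path) ? "ok" : "rejected");
    unlink(path);
    return 0;
}
```

The returned descriptor, not the path, is what the caller should then read the seed from; reopening by name after the check would reintroduce the race the fstat() comparison closes.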
From: djm at mindrot.org (Damien Miller) Date: Thu, 11 May 2000 19:21:19 +1000 (EST) Subject: Socks support In-Reply-To: <20000510171236.A1015@rumpole.bohemians.lexington.ky.us> Message-ID: On Wed, 10 May 2000, David Rankin wrote: > M'lord, for the record, the defense wishes to renew its objections > on this issue. > > (Sorry, been reading too much Rumpole of the Bailey of late.) Where's Leo McKern(sp?) when you need him :) > That said, I don't have copies of my original patches to add > Dante support to OpenSSH close at hand, but they are trivial to > reimplement. If someone should feel the urge to do so but would > like to see them, I'll try to find the last set of patches I had on > the matter. Can't you just run "socksify ssh" or whatever? If someone wants to make a patch it can live in contrib/ -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From Lutz.Jaenicke at aet.TU-Cottbus.DE Thu May 11 21:05:46 2000 
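An added example of what Markus asks for above ("a suitable dante/socks-proxy that can be used via ProxyCommand") and the shape of what Damien's "socksify ssh" would replace; it is my own code, not part of OpenSSH or Dante. It speaks SOCKS4a: the request carries the destination as a hostname (DSTIP 0.0.0.1 plus the name after the userid), so the proxy resolves it and the client leaks no DNS lookup, and it expects no authentication beyond the userid string "ssh", which is an assumption. The relay loop at the end is exactly the extra process and the extra pair of kernel crossings per packet that David Rankin objects to; the SSH stream passing through it stays end-to-end encrypted, so the proxy learns only the TCP endpoints.

```c
/* socks4a_proxy.c: minimal SOCKS4a CONNECT helper usable as an OpenSSH
 * ProxyCommand. Added illustration; not code from OpenSSH or Dante. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Build a SOCKS4a CONNECT request into buf. DSTIP 0.0.0.1 tells the proxy a
 * hostname follows the userid, so the proxy resolves the name itself.
 * Returns the request length, or -1 if the name is empty/too long or the
 * buffer is too small. */
int socks4a_build_connect(unsigned char *buf, size_t buflen, const char *host,
                          unsigned short port, const char *userid)
{
    size_t hlen = strlen(host), ulen = strlen(userid);
    size_t need = 8 + ulen + 1 + hlen + 1;
    if (hlen == 0 || hlen > 255 || need > buflen) return -1;
    buf[0] = 4;                                      /* VN: protocol version */
    buf[1] = 1;                                      /* CD: CONNECT */
    buf[2] = (unsigned char)(port >> 8); buf[3] = (unsigned char)(port & 0xff);
    buf[4] = 0; buf[5] = 0; buf[6] = 0; buf[7] = 1;  /* DSTIP 0.0.0.1 */
    memcpy(buf + 8, userid, ulen + 1);               /* USERID + NUL */
    memcpy(buf + 9 + ulen, host, hlen + 1);          /* hostname + NUL */
    return (int)need;
}

/* Parse the fixed 8-byte reply: VN must be 0, CD 90 means request granted.
 * Returns 0 when granted, the CD code when refused, -1 when malformed. */
int socks4a_parse_reply(const unsigned char *buf, size_t len)
{
    if (len != 8 || buf[0] != 0) return -1;
    return buf[1] == 90 ? 0 : buf[1];
}

/* Read or write exactly n bytes, retrying on EINTR and short transfers. */
static int io_full(int fd, unsigned char *buf, size_t n, int writing)
{
    size_t done = 0;
    while (done < n) {
        ssize_t r = writing ? write(fd, buf + done, n - done)
                            : read(fd, buf + done, n - done);
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) return -1;
        done += (size_t)r;
    }
    return 0;
}

/* Plain TCP connect to the proxy itself (host and port as strings). */
static int tcp_connect(const char *host, const char *port)
{
    struct addrinfo hints, *res, *ai;
    int fd = -1;
    memset(&hints, 0, sizeof hints);
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &res) != 0) return -1;
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd >= 0 && connect(fd, ai->ai_addr, ai->ai_addrlen) == 0) break;
        if (fd >= 0) close(fd);
        fd = -1;
    }
    freeaddrinfo(res);
    return fd;
}

/* Shuttle bytes between ssh (our stdin/stdout) and the proxied socket. */
static void relay(int sock)
{
    unsigned char buf[4096];
    fd_set rfds;
    for (;;) {
        FD_ZERO(&rfds); FD_SET(0, &rfds); FD_SET(sock, &rfds);
        if (select(sock + 1, &rfds, NULL, NULL, NULL) < 0) { if (errno == EINTR) continue; return; }
        if (FD_ISSET(0, &rfds)) {
            ssize_t n = read(0, buf, sizeof buf);
            if (n <= 0 || io_full(sock, buf, (size_t)n, 1) < 0) return;
        }
        if (FD_ISSET(sock, &rfds)) {
            ssize_t n = read(sock, buf, sizeof buf);
            if (n <= 0 || io_full(1, buf, (size_t)n, 1) < 0) return;
        }
    }
}

int main(int argc, char **argv)
{
    unsigned char req[300], rep[8];   /* 300 > 8 + 255 + 1 + longest userid */
    int n, sock, code;
    if (argc != 5) { fprintf(stderr, "usage: %s proxyhost proxyport desthost destport\n", argv[0]); return 2; }
    n = socks4a_build_connect(req, sizeof req, argv[3], (unsigned short)atoi(argv[4]), "ssh");
    if (n < 0) { fprintf(stderr, "bad destination host name\n"); return 2; }
    if ((sock = tcp_connect(argv[1], argv[2])) < 0) { perror("connect to proxy"); return 1; }
    if (io_full(sock, req, (size_t)n, 1) < 0 || io_full(sock, rep, 8, 0) < 0) { perror("SOCKS handshake"); return 1; }
    if ((code = socks4a_parse_reply(rep, 8)) != 0) { fprintf(stderr, "SOCKS CONNECT refused, code %d\n", code); return 1; }
    relay(sock);
    return 0;
}
```

Wired into ssh_config it looks like `ProxyCommand /usr/local/bin/socks4a-proxy proxy.example.com 1080 %h %p`, where the proxy host and port are placeholders and %h and %p are ssh's own substitutions for the target host and port. Because the name is sent to the proxy, the host key ssh checks is still keyed on what the user typed, so a proxy that resolves the name to the wrong machine is caught by the usual known_hosts mismatch rather than silently accepted.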
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Thu, 11 May 2000 13:05:46 +0200 Subject: Trying to build OpenSSH-2.1.0 on HP-UX 10.20 In-Reply-To: <20000511105517.A17110@ws01.aet.tu-cottbus.de>; from jaenicke@ws01.aet.tu-cottbus.de on Thu, May 11, 2000 at 10:55:17AM +0200 References: <20000510113143.A7152@ws01.aet.tu-cottbus.de> <20000511105517.A17110@ws01.aet.tu-cottbus.de> Message-ID: <20000511130545.A17781@ws01.aet.tu-cottbus.de> And on we go :-( I can now start the ssh2 client, but when connecting to the ssh server in Protocol 2 mode:
serv01 174: /usr/local/openssh/bin/ssh -2 -p 24 serv01
jaenicke at serv01's password:
Last login: Thu May 11 12:42:30 2000 from serv01.aet.tu-co
Pid 8011 received a SIGSEGV for stack growth failure.
Possible causes: insufficient memory or swap space,
or stack size exceeded maxssiz.
Connection to serv01 closed by remote host.
Connection to serv01 closed.
I receive a core dump, but it does not call me too much:
(gdb) backtrace
#0 0xc013ede8 in _sigvector () from /usr/lib/libc.1
#1 0xc0148dd4 in signalvector () from /usr/lib/libc.1
#2 0xc0148c74 in signal () from /usr/lib/libc.1
#3 0xe51c in sigchld_handler2 ()
#4
#5 debug (fmt=0x0) at log.c:60
#6 0xc013ede8 in _sigvector () from /usr/lib/libc.1
When running in debug mode, sshd claims to receive SIGCHLD in an endless amount.
A trace of the normal sshd (no debug mode) system calls gives:
7967: fork() = 8011
7967: close(7 [/dev/pts/4]) = 0
7967: sigprocmask(2, 0x7b038a80, 0x7b03cb20) = 0
7967: sigprocmask(2, 0x7b03cb20, 0) = 0
7967: sigprocmask(2, 0x7b038a80, 0x7b03cb20) = 0
7967: sigprocmask(2, 0x7b03cb20, 0) = 0
7967: dup(5 [/dev/ptmx]) = 7
7967: dup(5 [/dev/ptmx]) = 11
7967: fcntl(7 [/dev/ptmx], F_GETFL, 0) = 0x20002
7967: fcntl(7 [/dev/ptmx], F_SETFL, 196610) = 0
7967: fcntl(5 [/dev/ptmx], F_GETFL, 0) = 0x30002
7967: select(9, 0x7b03b408, 0x7b03b508, 0, 0) = 2
7967: read(7 [/dev/ptmx], 0x7b03b710, 16384) = 61
7967: write(6, 0x40018bc8, 44) = 44
7967: select(9, 0x7b03b408, 0x7b03b508, 0, 0) = 1
7967: write(6, 0x40018bc8, 100) = 100
7967: select(9, 0x7b03b408, 0x7b03b508, 0, 0) = 1
7967: read(7 [/dev/ptmx], 0x7b03b710, 16384) = 147
7967: select(9, 0x7b03b408, 0x7b03b508, 0, 0) = 1
7967: write(6, 0x40018bc8, 188) = 188
7967: select(9, 0x7b03b408, 0x7b03b508, 0, 0) = 0
7967: sigvector(18, 0x7b03bd28, 0x7b03bd38) = 0
7967: sigvector(18, 0x7b03c3d8, 0x7b03c3e8) = 0
The last message being repeated with increasing addresses >39000 times (my stack size limit is 64M) (Yes, I know that 8011 should have received the SIGSEGV. I have another trace including the forked ones: the child corresponding to 8011 in this example also receives sigvector(18,...) without end, then dies and the calling process receives these sigvectors... The complete trace is available, be prepared for 4MB of trace :-) Any ideas on how to track this down? Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From tbert at abac.com Thu May 11 22:21:56 2000
From: tbert at abac.com (Tom Bertelson) Date: Thu, 11 May 2000 08:21:56 -0400 Subject: Trying to build OpenSSH-2.1.0 on HP-UX 10.20 References: <20000510113143.A7152@ws01.aet.tu-cottbus.de> <20000511105517.A17110@ws01.aet.tu-cottbus.de> <20000511130545.A17781@ws01.aet.tu-cottbus.de> Message-ID: <391AA5E4.9DEF9A6@abac.com> Lutz Jaenicke wrote: > > And on we go :-( > > I can now start the ssh2 client, but when connecting to the ssh server > in Protocol 2 mode: > > serv01 174: /usr/local/openssh/bin/ssh -2 -p 24 serv01 > jaenicke at serv01's password: > Last login: Thu May 11 12:42:30 2000 from serv01.aet.tu-co > > Pid 8011 received a SIGSEGV for stack growth failure. > Possible causes: insufficient memory or swap space, > or stack size exceeded maxssiz. > Connection to serv01 closed by remote host. > Connection to serv01 closed. > > I receive a core dump, but it does not call me too much: > (gdb) backtrace > #0 0xc013ede8 in _sigvector () from /usr/lib/libc.1 > #1 0xc0148dd4 in signalvector () from /usr/lib/libc.1 > #2 0xc0148c74 in signal () from /usr/lib/libc.1 > #3 0xe51c in sigchld_handler2 () > #4 > #5 debug (fmt=0x0) at log.c:60 > #6 0xc013ede8 in _sigvector () from /usr/lib/libc.1 I had the same problem with AIX. It seems that the SIGCHLD handler immediately re-calls itself unless the dead process is first reaped. This fixes it for me: --- serverloop.c.orig Wed May 10 14:34:00 2000 +++ serverloop.c Thu May 11 08:17:17 2000 @@ -85,7 +85,6 @@ int save_errno = errno; debug("Received SIGCHLD."); child_terminated = 1; - signal(SIGCHLD, sigchld_handler2); errno = save_errno; } @@ -640,6 +639,7 @@ while ((pid = waitpid(-1, &status, WNOHANG)) > 0) session_close_by_pid(pid, status); child_terminated = 0; + signal(SIGCHLD, sigchld_handler2); } channel_after_select(&readset, &writeset); process_input(&readset); From Lutz.Jaenicke at aet.TU-Cottbus.DE Thu May 11 22:31:03 2000 
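Review bot: in the second hunk the flag is cleared only after the waitpid() drain (`child_terminated = 0;` comes after the while loop), so a child that exits after waitpid() has returned 0 but before that assignment has its SIGCHLD acknowledged by the handler and then wiped, and it stays a zombie until some later child exits; clear the flag before entering the while loop so a signal that lands mid-drain survives to the next pass. The same hunk re-arms the catcher with `signal(SIGCHLD, sigchld_handler2);` only inside the `if (child_terminated)` block; on the System V hosts this targets (where a caught SIGCHLD reverts to its default, ignored disposition on delivery, which is why the in-handler re-arm removed in the first hunk looped while a zombie was unreaped) the disposition sits at the default from delivery until this block runs, and a child exiting in that window generates a SIGCHLD that is dropped. Installing the handler once with sigaction() would make it persistent and remove both the recursion and this gap; if signal() has to stay, at least document the window in a comment next to the re-arm.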
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Thu, 11 May 2000 14:31:03 +0200 Subject: Trying to build OpenSSH-2.1.0 on HP-UX 10.20 In-Reply-To: <391AA5E4.9DEF9A6@abac.com>; from tbert@abac.com on Thu, May 11, 2000 at 08:21:56AM -0400 References: <20000510113143.A7152@ws01.aet.tu-cottbus.de> <20000511105517.A17110@ws01.aet.tu-cottbus.de> <20000511130545.A17781@ws01.aet.tu-cottbus.de> <391AA5E4.9DEF9A6@abac.com> Message-ID: <20000511143102.A18069@ws01.aet.tu-cottbus.de> On Thu, May 11, 2000 at 08:21:56AM -0400, Tom Bertelson wrote: > Lutz Jaenicke wrote: > > > > Pid 8011 received a SIGSEGV for stack growth failure. > > Possible causes: insufficient memory or swap space, > > or stack size exceeded maxssiz. > > Connection to serv01 closed by remote host. > > Connection to serv01 closed. > > I had the same problem with AIX. It seems that the SIGCHLD handler > immediately re-calls itself unless the dead process is first reaped. [patch deleted] Yes, this helps in my case, too. Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From tbert at abac.com Thu May 11 22:50:23 2000 
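An added example (my own, not serverloop.c) of the SIGCHLD pattern the patch above converges on, with the two details the patch leaves open: the handler is installed once with sigaction(), so it is persistent under both BSD and System V signal semantics and never re-arms itself (the re-arm inside the handler is what recursed on HP-UX and AIX), and the main loop clears the wake-up flag before the waitpid() drain rather than after it, so a SIGCHLD that lands during the drain is not lost. The spawn_and_reap() driver forks throw-away children only to exercise the loop; the 10 ms polling sleep and the 5 s bound are demonstration choices, not anything from the thread.

```c
/* sigchld_reap.c: SIGCHLD handling that is safe under System V signal
 * semantics. Added illustration; not OpenSSH's serverloop.c. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* The handler only sets this flag; reaping happens in the main loop. */
static volatile sig_atomic_t child_terminated = 0;

static void sigchld_handler(int sig)
{
    int save_errno = errno;
    (void)sig;
    child_terminated = 1;
    /* Deliberately no signal(SIGCHLD, ...) here: on System V, re-arming the
     * catcher while an unreaped zombie exists regenerates SIGCHLD at once,
     * which is the handler -> signal() -> handler recursion in the traces. */
    errno = save_errno;
}

/* sigaction() installs a persistent handler, so there is nothing to re-arm.
 * SA_RESTART keeps blocking calls from failing with EINTR on every child
 * exit; SA_NOCLDSTOP skips notifications for stopped (not exited) children. */
int install_sigchld_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = sigchld_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART | SA_NOCLDSTOP;
    return sigaction(SIGCHLD, &sa, NULL);
}

/* Reap every exited child without blocking; return how many were collected.
 * The flag is cleared before the drain, not after: a SIGCHLD arriving while
 * waitpid() runs sets it again and the next pass collects that child too. */
int reap_children(void)
{
    int status, reaped = 0;
    child_terminated = 0;
    while (waitpid(-1, &status, WNOHANG) > 0)
        reaped++;
    return reaped;
}

/* Demonstration driver: fork n children that exit immediately, then run the
 * flag-driven loop until all are reaped or about 5 s pass (500 x 10 ms).
 * Returns the number reaped, or -1 on error. */
int spawn_and_reap(int n)
{
    struct timespec ts = { 0, 10 * 1000 * 1000 };
    int i, tries, reaped = 0;
    if (install_sigchld_handler() != 0) return -1;
    for (i = 0; i < n; i++) {
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) _exit(0);
    }
    for (tries = 0; tries < 500 && reaped < n; tries++) {
        if (child_terminated)
            reaped += reap_children();
        else
            nanosleep(&ts, NULL);
    }
    return reaped;
}

int main(void)
{
    int got = spawn_and_reap(3);
    printf("reaped %d of 3 children\n", got);
    return got == 3 ? 0 : 1;
}
```

One trade-off to be aware of: with SA_RESTART the server's select() is not interrupted by a child exit, so a loop that relied on EINTR to notice the flag promptly should either drop SA_RESTART and handle EINTR explicitly, or use a bounded select() timeout as the polling loop above does.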
From: tbert at abac.com (Tom Bertelson) Date: Thu, 11 May 2000 08:50:23 -0400 Subject: openssl w/ rsaref openssh won't configure References: <3919AE15.AADBFCA0@stl.rural.usda.gov> <3919B6B7.9C1CA2C3@abac.com> <20000510215034.B2640@folly.informatik.uni-erlangen.de> Message-ID: <391AAC8F.9E849559@abac.com> Markus Friedl wrote: > > what's the problem w/ DSA auth? did you generate a DSA server key? If you mean "ssh-keygen -d -N '' -f /etc/ssh_host_dsa_key" then yes. The problem is that it simply refuses the DSA key. Here are traces from sshd -d and ssh -v. Note the lines beginning with "**". Since the simple test in the configure script fails, I suspect the problem is with OpenSSL and not ssh.
sshd -d:
debug: sshd version OpenSSH-2.1
debug: Seeding random number generator
debug: read DSA private key done
debug: Seeding random number generator
debug: Bind to port 2202 on 0.0.0.0.
Server listening on 0.0.0.0 port 2202.
Generating 768 bit RSA key.
debug: Seeding random number generator
debug: Seeding random number generator
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 37533
debug: Client protocol version 2.0; client software version OpenSSH-2.1
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-1.99-OpenSSH-2.1
debug: Sending KEX init.
debug: done
debug: got kexinit string: diffie-hellman-group1-sha1
debug: got kexinit string: ssh-dss
debug: got kexinit string: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
debug: got kexinit string: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
debug: got kexinit string: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit string: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit string: none
debug: got kexinit string: none
debug: got kexinit string:
debug: got kexinit string:
debug: first kex follow == 0
debug: reserved == 0
debug: done read kexinit
debug: kex: client->server 3des-cbc hmac-sha1 none
debug: kex: server->client 3des-cbc hmac-sha1 none
debug: Wait SSH2_MSG_KEXDH_INIT.
debug: bits set: 513/1024
debug: bits set: 500/1024
debug: sig size 20 20
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: userauth-request for user tbert service ssh-connection method none
Failed none for tbert from 127.0.0.1 port 37533 ssh2
** debug: userauth-request for user tbert service ssh-connection method publickey
** debug: keytype ssh-dss
** Failed publickey for tbert from 127.0.0.1 port 37533 ssh2
debug: userauth-request for user tbert service ssh-connection method password
Accepted password for tbert from 127.0.0.1 port 37533 ssh2
debug: Entering interactive session for SSH2.
** junk removed **
Connection closed by remote host.
debug: Calling cleanup 0x20005a80(0x0)
debug: Calling cleanup 0x20005990(0x0)
ssh -v:
SSH Version OpenSSH-2.1, protocol versions 1.5/2.0.
Compiled with SSL (0x00905100).
debug: Reading configuration data /home/tbert/.ssh/config
debug: Reading configuration data /home/tbert/SSH2/etc/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 200 geteuid 200 anon 1
debug: Connecting to localhost [127.0.0.1] port 2202.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH-2.1
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-2.0-OpenSSH-2.1
debug: Sending KEX init.
debug: Seeding random number generator
debug: done
debug: got kexinit string: diffie-hellman-group1-sha1
debug: got kexinit string: ssh-dss
debug: got kexinit string: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
debug: got kexinit string: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
debug: got kexinit string: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit string: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit string: zlib,none
debug: got kexinit string: zlib,none
debug: got kexinit string:
debug: got kexinit string:
debug: first kex follow == 0
debug: reserved == 0
debug: done read kexinit
debug: kex: server->client 3des-cbc hmac-sha1 none
debug: kex: client->server 3des-cbc hmac-sha1 none
debug: Sending SSH2_MSG_KEXDH_INIT.
debug: bits set: 500/1024
debug: Wait SSH2_MSG_KEXDH_REPLY.
debug: Got SSH2_MSG_KEXDH_REPLY.
** debug: keytype ssh-dss
** debug: Forcing accepting of host key for loopback/localhost.
** debug: bits set: 513/1024
** debug: len 55 datafellows 0
** debug: dsa_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: service_accept: ssh-userauth
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue: publickey,password
debug: try pubkey: /home/tbert/.ssh/id_dsa
** debug: PEM_read_bio_DSAPrivateKey failed
debug: read DSA private key done
debug: read DSA private key done
debug: sig size 20 20
debug: authentications that can continue: publickey,password
debug: ssh-userauth2 successfull
debug: fd 5 setting O_NONBLOCK
debug: fd 6 setting O_NONBLOCK
debug: channel 0: new [client-session]
debug: send channel open 0
debug: Entering interactive session.
** junk removed **
Connection to localhost closed.
debug: Transferred: stdin 0, stdout 0, stderr 33 bytes in 8.1 seconds
debug: Bytes per second: stdin 0.0, stdout 0.0, stderr 4.1
debug: Exit status 0
-- Tom Bertelson "Any sufficiently advanced technology RHI Consulting is indistinguishable from magic." tbert at abac.com -- Arthur C. Clarke From pekkas at netcore.fi Thu May 11 23:01:37 2000
From: pekkas at netcore.fi (Pekka Savola) Date: Thu, 11 May 2000 16:01:37 +0300 (EEST) Subject: OpenSSH-2.1: FROM in 'w' empty? In-Reply-To: Message-ID: > > 2.0beta1 was the one I used before, and that printed FROM field properly. > > Now, every connection gets '-'. > > It works for me. Can you describe your environment some more? This is heavily updated (from src.rpm's) Redhat Linux 5.1 running 2.2.15 kernel. I tried to diagnose this a bit, some results below. I hope all of you forgive me for spamming the list. Hopefully these are of any use. ;) When running 2.0beta and 2.1 in debug mode, the following differences came up:
--- Non-working 2.1: ---
[...]
Accepted password for pekkas from 10.0.0.1 port 1022
debug: PAM setting rhost to "other.box"
debug: session_new: init
debug: session_new: session 0
debug: Allocating pty.
debug: Received request for X11 forwarding with auth spoofing.
debug: bind port 6010: Address already in use
debug: fd 7 setting O_NONBLOCK [extra]
debug: channel 0: new [X11 inet listener]
debug: PAM setting tty to "/dev/ttyp3"
debug: PAM establishing creds
debug: Entering interactive session.
debug: Setting controlling tty using TIOCSCTTY.
debug: server_init_dispatch_13
debug: server_init_dispatch_15
debug: tvp!=NULL kid 0 mili 10
[...]
--- Working 2.0beta: ---
Accepted password for pekkas from 10.0.0.1 port 1022
debug: PAM setting rhost to "other.box"
debug: session_new: init
debug: session_new: session 0
debug: Allocating pty.
debug: Received request for X11 forwarding with auth spoofing.
debug: bind port 6010: Address already in use
debug: channel 0: new [X11 inet listener]
debug: PAM setting tty to "/dev/ttyp3"
debug: PAM establishing creds
debug: Entering interactive session.
debug: server_init_dispatch_13
debug: server_init_dispatch_15
debug: Setting controlling tty using TIOCSCTTY.
debug: tvp!=NULL kid 0 mili 10
[...]
---
Note: server_init_dispatch was done before setting controlling tty. Also, O_NONBLOCK wasn't used in 2.0beta.
Because I fear this won't help any, I did some stracing with command: 'strace -v -f -otmp.log ./sshd -d -p 2022' and diagnosed the logs. General overview (I concentrated on wtmp/utmp -- wtmp seemed fine):
----- 'grep utmp tmp.log' on non-working 2.1 -----
9895 open("/var/run/utmp", O_RDWR) = 10
9895 open("/var/run/utmp", O_RDWR) = 10
9903 open("/var/run/utmp", O_RDWR) = 5
9915 open("/var/run/utmp", O_RDWR) = -1 EACCES (Permission denied)
9915 open("/var/run/utmp", O_RDONLY) = 3
9918 open("/var/run/utmp", O_RDWR) = -1 EACCES (Permission denied)
9918 open("/var/run/utmp", O_RDONLY) = 5
9918 open("/var/run/utmp", O_RDWR) = -1 EACCES (Permission denied)
9918 open("/var/run/utmp", O_RDONLY) = 6
9895 open("/var/run/utmp", O_RDWR) = 5
-----
----- 'grep utmp tmp.log' on working 2.0beta -----
11939 open("/var/run/utmp", O_RDWR) = 10
11939 open("/var/run/utmp", O_RDWR) = 10
11941 open("/var/run/utmp", O_RDWR) = 5
11953 open("/var/run/utmp", O_RDWR) = -1 EACCES (Permission denied)
11953 open("/var/run/utmp", O_RDONLY) = 3
11939 open("/var/run/utmp", O_RDWR) = 5
-----
And respective 'grep -2 utmp tmp.log' outputs:
----- non-working 2.1 -----
9895 stat("/dev/ttyp2", {st_dev=makedev(8, 5), st_ino=386210, st_mode=S_IFCHR|0620, st_nlink=1, st_uid=501, st_gid=5, st_blksize=4096, st_blocks=0, st_rdev=makedev(3, 2), st_atime=2000/05/11-14:54:08, st_mtime=2000/05/11-14:54:14, st_ctime=2000/05/11-14:50:46}) = 0
9895 close(10) = 0
9895 open("/var/run/utmp", O_RDWR) = 10
9895 lseek(10, 0, SEEK_SET) = 0
9895 fcntl(10, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
--
9895 stat("/dev/ttyp2", {st_dev=makedev(8, 5), st_ino=386210, st_mode=S_IFCHR|0620, st_nlink=1, st_uid=501, st_gid=5, st_blksize=4096, st_blocks=0, st_rdev=makedev(3, 2), st_atime=2000/05/11-14:54:08, st_mtime=2000/05/11-14:54:14, st_ctime=2000/05/11-14:50:46}) = 0
9895 close(10) = 0
9895 open("/var/run/utmp", O_RDWR) = 10
9895 lseek(10, 0, SEEK_SET) = 0
9895 fcntl(10, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
--
9903 stat("/dev/ttyp3", {st_dev=makedev(8, 5), st_ino=386211, st_mode=S_IFCHR|0620, st_nlink=1, st_uid=501, st_gid=5, st_blksize=4096, st_blocks=0, st_rdev=makedev(3, 3), st_atime=2000/05/11-14:52:30, st_mtime=2000/05/11-14:52:30, st_ctime=2000/05/11-14:54:14}) = 0
9903 close(5) = 0
9903 open("/var/run/utmp", O_RDWR) = 5
9903 lseek(5, 0, SEEK_SET) = 0
9903 fcntl(5, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
--
9915 stat("/dev/ttyp3", {st_dev=makedev(8, 5), st_ino=386211, st_mode=S_IFCHR|0620, st_nlink=1, st_uid=501, st_gid=5, st_blksize=4096, st_blocks=0, st_rdev=makedev(3, 3), st_atime=2000/05/11-14:52:30, st_mtime=2000/05/11-14:54:15, st_ctime=2000/05/11-14:54:14}) = 0
9915 close(3) = 0
9915 open("/var/run/utmp", O_RDWR) = -1 EACCES (Permission denied)
9915 open("/var/run/utmp", O_RDONLY) = 3
9915 lseek(3, 0, SEEK_SET) = 0
9915 fcntl(3, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
--
9918 lseek(3, 0, SEEK_SET) = 0
9918 read(3, "531883.40 525611.77\n", 1023) = 20
9918 open("/var/run/utmp", O_RDWR) = -1 EACCES (Permission denied)
9918 open("/var/run/utmp", O_RDONLY) = 5
9918 lseek(5, 0, SEEK_SET) = 0
9918 fcntl(5, F_SETLK, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
--
9895 write(2, "debug: tvp!=NULL kid 0 mili 10\n", 31) = 31
9895 select(9, [6 7 8], [], NULL, {0, 10000}
9918 open("/var/run/utmp", O_RDWR) = -1 EACCES (Permission denied)
9895 <... select resumed> ) = 0 (Timeout)
9895 select(9, [6 7 8], [6], NULL, NULL) = 1 (out [6])
9895 write(6, "\0\0\0\227\304m\244\221\3320\t]\221\2567\222:\213\232\237"..., 156) = 156
9895 select(9, [6 7 8], [], NULL, NULL
9918 open("/var/run/utmp", O_RDONLY) = 6
9918 lseek(6, 0, SEEK_SET) = 0
9918 fcntl(6, F_SETLK, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
--
9895 write(2, "debug: Received exit confirmatio"..., 35) = 35
9895 write(2, "debug: session_pty_cleanup: sess"..., 57) = 57
9895 open("/var/run/utmp", O_RDWR) = 5
9895 lseek(5, 0, SEEK_SET) = 0
9895 fcntl(5, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
-----
----- working 2.0 beta -----
11939 stat("/dev/ttyp2", {st_dev=makedev(8, 5), st_ino=386210, st_mode=S_IFCHR|0620, st_nlink=1, st_uid=501, st_gid=5, st_blksize=4096, st_blocks=0, st_rdev=makedev(3, 2), st_atime=2000/05/11-15:04:16, st_mtime=2000/05/11-15:04:23, st_ctime=2000/05/11-14:50:46}) = 0
11939 close(10) = 0
11939 open("/var/run/utmp", O_RDWR) = 10
11939 lseek(10, 0, SEEK_SET) = 0
11939 fcntl(10, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
--
11939 stat("/dev/ttyp2", {st_dev=makedev(8, 5), st_ino=386210, st_mode=S_IFCHR|0620, st_nlink=1, st_uid=501, st_gid=5, st_blksize=4096, st_blocks=0, st_rdev=makedev(3, 2), st_atime=2000/05/11-15:04:16, st_mtime=2000/05/11-15:04:23, st_ctime=2000/05/11-14:50:46}) = 0
11939 close(10) = 0
11939 open("/var/run/utmp", O_RDWR) = 10
11939 lseek(10, 0, SEEK_SET) = 0
11939 fcntl(10, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
--
11941 stat("/dev/ttyp3", {st_dev=makedev(8, 5), st_ino=386211, st_mode=S_IFCHR|0620, st_nlink=1, st_uid=501, st_gid=5, st_blksize=4096, st_blocks=0, st_rdev=makedev(3, 3), st_atime=2000/05/11-15:01:08, st_mtime=2000/05/11-15:01:08, st_ctime=2000/05/11-15:04:23}) = 0
11941 close(5) = 0
11941 open("/var/run/utmp", O_RDWR) = 5
11941 lseek(5, 0, SEEK_SET) = 0
11941 fcntl(5, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
--
11953 stat("/dev/ttyp3", {st_dev=makedev(8, 5), st_ino=386211, st_mode=S_IFCHR|0620, st_nlink=1, st_uid=501, st_gid=5, st_blksize=4096, st_blocks=0, st_rdev=makedev(3, 3), st_atime=2000/05/11-15:01:08, st_mtime=2000/05/11-15:04:24, st_ctime=2000/05/11-15:04:23}) = 0
11953 close(3) = 0
11953 open("/var/run/utmp", O_RDWR) = -1 EACCES (Permission denied)
11953 open("/var/run/utmp", O_RDONLY) = 3
11953 lseek(3, 0, SEEK_SET) = 0
11953 fcntl(3, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
--
11939 write(2, "debug: Received exit confirmatio"..., 35) = 35
11939 write(2, "debug: session_pty_cleanup: sess"..., 57) = 57
11939 open("/var/run/utmp", O_RDWR) = 5
11939 lseek(5, 0, SEEK_SET) = 0
11939 fcntl(5, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0
-----
HTH, Regards -- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and fall" From markus.friedl at informatik.uni-erlangen.de Fri May 12 00:34:51 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 11 May 2000 16:34:51 +0200 Subject: openssl w/ rsaref openssh won't configure In-Reply-To: <391AAC8F.9E849559@abac.com>; from tbert@abac.com on Thu, May 11, 2000 at 08:50:23AM -0400 References: <3919AE15.AADBFCA0@stl.rural.usda.gov> <3919B6B7.9C1CA2C3@abac.com> <20000510215034.B2640@folly.informatik.uni-erlangen.de> <391AAC8F.9E849559@abac.com> Message-ID: <20000511163451.B15848@folly.informatik.uni-erlangen.de> On Thu, May 11, 2000 at 08:50:23AM -0400, Tom Bertelson wrote: > The problem is that it simply refuses the DSA key. Here are traces from > sshd -d and ssh -v. Note the lines beginning with "**". could you please mail me your public DSA key... From markus.friedl at informatik.uni-erlangen.de Fri May 12 00:36:11 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 11 May 2000 16:36:11 +0200
Subject: Socks support
In-Reply-To: <20000510214956.A2640@folly.informatik.uni-erlangen.de>; from markus.friedl@informatik.uni-erlangen.de on Wed, May 10, 2000 at 09:49:56PM +0200
References: <20000510214956.A2640@folly.informatik.uni-erlangen.de>
Message-ID: <20000511163611.C15848@folly.informatik.uni-erlangen.de>

On Wed, May 10, 2000 at 09:49:56PM +0200, Markus Friedl wrote:
> On Wed, May 10, 2000 at 10:29:15PM +0300, Madsen Wikholm wrote:
> > So my problem is that the Dante support code was removed and supposed to be
> > replaced with a ProxyCommand. My question is now: "Where's the beef?".
>
> someone has to write a suitable dante/socks-proxy
> that can be used via ProxyCommand.
>
> do you want to give it a try?

an example for a ProxyCommand proxy:
ftp://ftp.nlc.net.au/pub/unix/tn-gw-nav/tn-gw-nav-1.4.tgz

From wyodlows at nj.devry.edu Fri May 12 01:54:04 2000
From: wyodlows at nj.devry.edu (William Yodlowsky)
Date: Thu, 11 May 2000 11:54:04 -0400 (EDT)
Subject: 2nd try - Solaris 7 - utmp
Message-ID:

A few days ago I installed OpenSSH-2.1.0 together with zlib-1.1.3 and OpenSSL-0.9.5a on Solaris 7 on an Ultra box.

There appears to be something odd with the utmp stuff... if I just do a normal configure, utmp logging works fine, but 'w' will give me this:

 10:03pm  up 13 day(s), 21:42,  3 users,  load average: 0.04, 0.07, 0.10
User     tty           login@  idle   JCPU   PCPU  what
wyodlows pts/4         9:57pm                      w
wyodlows pts/4         9:57pm                      w

Yup. Duplicate entries... 'who' tells me:

wyodlows   pts/4        May  9 21:57
wyodlows   pts/4        May  9 21:57    (me.my_isp.address)

In the first line of who's output, the address is blank (like it looks here).

Now, if I use --without-utmpx, it doesn't affect the compile at all; "#define USE_UTMPX 1" gets put into the generated config.h anyway. If I manually comment that line out, then I get no utmp logging (what I'd expect) and 'w' and 'who' both work correctly.

Thanks very much in advance!

`- William Yodlowsky

From marc.fournier at acadiau.ca Fri May 12 03:01:57 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Thu, 11 May 2000 14:01:57 -0300 (ADT)
Subject: OpenSSH 2.1.0 under Solaris 8 ...
Message-ID:

Compiled great, got both my RSA and DSA keys generated for Protocol 1/2, started up fine ... try to connect and get a bunch of errors:

May 11 14:01:47 iris sshd[8578]: error: Couldn't wait for child '/bin/ls -alni' completion: No child processes
May 11 14:01:47 iris last message repeated 3 times
May 11 14:01:47 iris sshd[8578]: error: Command '/bin/ls -alni': select() failed: Interrupted system call
May 11 14:01:47 iris sshd[8578]: error: Couldn't wait for child '/bin/ls -alni' completion: No child processes
May 11 14:01:47 iris sshd[8578]: error: Command '/bin/netstat -an': select() failed: Interrupted system call
May 11 14:01:47 iris sshd[8578]: error: Couldn't wait for child '/bin/netstat -an' completion: No child processes
May 11 14:01:47 iris sshd[8578]: error: Couldn't wait for child '/bin/netstat -in' completion: No child processes
May 11 14:01:47 iris sshd[8578]: error: Couldn't wait for child '/bin/netstat -rn' completion: No child processes
May 11 14:01:47 iris sshd[8578]: error: Command '/bin/netstat -s': select() failed: Interrupted system call
May 11 14:01:47 iris sshd[8578]: error: Couldn't wait for child '/bin/netstat -s' completion: No child processes
May 11 14:01:48 iris sshd[8578]: error: Command '/usr/sbin/arp -a': select() failed: Interrupted system call
May 11 14:01:48 iris sshd[8578]: error: Couldn't wait for child '/usr/sbin/arp -a' completion: No child processes
May 11 14:01:48 iris sshd[8578]: error: Command '/usr/sbin/ifconfig -a': select() failed: Interrupted system call
May 11 14:01:48 iris sshd[8578]: error: Couldn't wait for child '/usr/sbin/ifconfig -a' completion: No child processes
May 11 14:01:48 iris sshd[8578]: error: Command '/bin/ps -efl': select() failed: Interrupted system call
May 11 14:01:48 iris sshd[8578]: error: Couldn't wait for child '/bin/ps -efl' completion: No child processes

Proceeds to let me login, but a second attempt fails ... ps shows no more sshd processes running :(

Known problem?

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University

"These are my opinions, which are not necessarily shared by my employer"

From carl at bl.echidna.id.au Fri May 12 07:58:29 2000
From: carl at bl.echidna.id.au (carl at bl.echidna.id.au)
Date: Fri, 12 May 2000 07:58:29 +1000 (EST)
Subject: OpenSSH 2.1.0 under Solaris 8 ...
Message-ID: <200005112158.e4BLwTQ18645@rollcage.bl.echidna.id.au>

Marc,

I'm seeing the same problem if I use the inbuilt entropy generator, but if I use SUNWski's /dev/random, it's fine.

ssh also coredumps if I use the built in entropy generator if I run it in verbose mode.

This is on a Sun SPARC 10 running Solaris 8

> Date: Thu, 11 May 2000 14:01:57 -0300 (ADT)
> From: "Marc G. Fournier"
> To: "Miller, Damien -- Damien Miller" ,
>     openssh-unix-dev at mindrot.org
> Subject: OpenSSH 2.1.0 under Solaris 8 ...
> MIME-Version: 1.0
> Sender: owner-openssh-unix-dev at mindrot.org
> Status: R
>
>
> Compiled great, got both my RSA and DSA keys generated for Protocol 1/2,
> started up fine ... try to connect and get a bunch of errors:
>
> May 11 14:01:47 iris sshd[8578]: error: Couldn't wait for child '/bin/ls -alni' completion: No child processes
> May 11 14:01:47 iris last message repeated 3 times
> May 11 14:01:47 iris sshd[8578]: error: Command '/bin/ls -alni': select() failed: Interrupted system call
> May 11 14:01:47 iris sshd[8578]: error: Couldn't wait for child '/bin/ls -alni' completion: No child processes
> May 11 14:01:47 iris sshd[8578]: error: Command '/bin/netstat -an': select() failed: Interrupted system call
> May 11 14:01:47 iris sshd[8578]: error: Couldn't wait for child '/bin/netstat -an' completion: No child processes
> May 11 14:01:47 iris sshd[8578]: error: Couldn't wait for child '/bin/netstat -in' completion: No child processes
> May 11 14:01:47 iris sshd[8578]: error: Couldn't wait for child '/bin/netstat -rn' completion: No child processes
> May 11 14:01:47 iris sshd[8578]: error: Command '/bin/netstat -s': select() failed: Interrupted system call
> May 11 14:01:47 iris sshd[8578]: error: Couldn't wait for child '/bin/netstat -s' completion: No child processes
> May 11 14:01:48 iris sshd[8578]: error: Command '/usr/sbin/arp -a': select() failed: Interrupted system call
> May 11 14:01:48 iris sshd[8578]: error: Couldn't wait for child '/usr/sbin/arp -a' completion: No child processes
> May 11 14:01:48 iris sshd[8578]: error: Command '/usr/sbin/ifconfig -a': select() failed: Interrupted system call
> May 11 14:01:48 iris sshd[8578]: error: Couldn't wait for child '/usr/sbin/ifconfig -a' completion: No child processes
> May 11 14:01:48 iris sshd[8578]: error: Command '/bin/ps -efl': select() failed: Interrupted system call
> May 11 14:01:48 iris sshd[8578]: error: Couldn't wait for child '/bin/ps -efl' completion: No child processes
>
> Proceeds to let me login, but a second attempt fails ... ps shows no more
> sshd processes running :(
>
> Known problem?
>
> Marc G. Fournier                   marc.fournier at acadiau.ca
> Senior Systems Administrator       Acadia University
>
> "These are my opinions, which are not necessarily shared by my employer"
>
>

From mhwood at ameritech.net Fri May 12 11:16:17 2000
From: mhwood at ameritech.net (Mark H. Wood)
Date: Thu, 11 May 2000 20:16:17 -0500 (EST)
Subject: openssl w/ rsaref openssh won't configure
Message-ID:

I'm seeing this too.

--
Mark H. Wood, radical centrist  OpenPGP ID 876A8B75  mhwood at ameritech.net
01/01/00 00:00:00 -- Apocralypse Now

From nalin at redhat.com Fri May 12 14:53:04 2000
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Fri, 12 May 2000 00:53:04 -0400
Subject: openssl w/ rsaref openssh won't configure
In-Reply-To: ; from mhwood@ameritech.net on Thu, May 11, 2000 at 08:16:17PM -0500
References:
Message-ID: <20000512005304.A12099@devserv.devel.redhat.com>

On Thu, May 11, 2000 at 08:16:17PM -0500, Mark H. Wood wrote:
> I'm seeing this too.
>
> --
> Mark H. Wood, radical centrist  OpenPGP ID 876A8B75  mhwood at ameritech.net
> 01/01/00 00:00:00 -- Apocralypse Now

You can bypass the test with the attached patch -- it makes the test all but useless, however, and I've been meaning to look at fixing it the Right way for a few days now. (The patch turns the test into a check to see that the app will link, instead of checking if it can actually encrypt data. This explanation is actually longer than the patch, I think.)

The odd thing of it is that the rsa_test in the openssl test subdirectory can encrypt and decrypt just fine.

Anyway, the patch is attached.

Nalin

-------------- next part --------------
diff -uNr openssh-2.1.0/configure openssh-2.1.0-rsaref/configure
--- openssh-2.1.0/configure	Tue May  9 03:00:58 2000
+++ openssh-2.1.0-rsaref/configure	Thu May 11 08:04:58 2000
@@ -2043,7 +2043,7 @@
 	RAND_add(a, sizeof(a), sizeof(a));
 	key=RSA_generate_key(32,3,NULL,NULL);
 	if (key==NULL) return(1);
-	return(-1==RSA_private_decrypt(RSA_size(key),a,b,key,RSA_NO_PADDING));
+	return 0;
 }
 
 EOF
diff -uNr openssh-2.1.0/configure.in openssh-2.1.0-rsaref/configure.in
--- openssh-2.1.0/configure.in	Mon May  8 06:49:37 2000
+++ openssh-2.1.0-rsaref/configure.in	Thu May 11 08:04:48 2000
@@ -231,7 +231,7 @@
 	RAND_add(a, sizeof(a), sizeof(a));
 	key=RSA_generate_key(32,3,NULL,NULL);
 	if (key==NULL) return(1);
-	return(-1==RSA_private_decrypt(RSA_size(key),a,b,key,RSA_NO_PADDING));
+	return 0;
 }
 ],
 [
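Review bot: In the configure.in hunk, replacing the `RSA_private_decrypt` line with `return 0;` makes the probe succeed whenever `RSA_generate_key` returns a key, so it no longer exercises a private-key operation at all and a library whose decryption is broken would still configure; `b` also becomes an unused buffer. Ed Eden's follow-up in this thread shows the actual rsaref trigger is the 32-bit key and RSA_NO_PADDING, so the smaller fix is to keep a decrypt check but generate a 512-bit key and round-trip with RSA_PKCS1_PADDING, as his version does.

Review bot: The configure hunk patches a generated file; anyone who re-runs autoconf on configure.in will regenerate it, so the configure.in hunk is the one that carries the change, and shipping the configure hunk alongside is only a convenience for people without autoconf. Worth saying so in the description.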
From karthy at kom.auc.dk Fri May 12 16:51:18 2000
From: karthy at kom.auc.dk (Karsten Thygesen)
Date: 12 May 2000 08:51:18 +0200
Subject: OpenSSH 2.1.0 under Solaris 8 ...
In-Reply-To: carl@bl.echidna.id.au's message of "Fri, 12 May 2000 07:58:29 +1000 (EST)"
References: <200005112158.e4BLwTQ18645@rollcage.bl.echidna.id.au>
Message-ID:

>>>>> "carl" == carl writes:

carl> Marc, I'm seeing the same problem if I use the inbuilt entropy
carl> generator, but if I use SUNWski's /dev/random, it's fine.

carl> ssh also coredumps if I use the built in entropy generator if I
carl> run it in verbose mode.

carl> This is on a Sun SPARC 10 running Solaris 8

The same goes for Solaris-7. I also switched to SUNWski and it works just fine.

Karsten

From bds at jhb.ucs.co.za Fri May 12 19:16:17 2000
From: bds at jhb.ucs.co.za (Berend De Schouwer)
Date: Fri, 12 May 2000 11:16:17 +0200 (SAST)
Subject: Socks support
In-Reply-To: <20000510214956.A2640@folly.informatik.uni-erlangen.de>
Message-ID: <200005120912.LAA12717@jhb.ucs.co.za>

On 10 May, Markus Friedl wrote:
> On Wed, May 10, 2000 at 10:29:15PM +0300, Madsen Wikholm wrote:
>> So my problem is that the Dante support code was removed and supposed to be
>> replaced with a ProxyCommand. My question is now: "Where's the beef?".
>
> someone has to write a suitable dante/socks-proxy
> that can be used via ProxyCommand.

I just
export LDFLAGS="-ldsocks"; ./configure; make

Just by linking it to the Dante Socks libraries, socks support is in. Is there a problem with doing it that way? Risks?

> do you want to give it a try?

--
Kind regards, Berend
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Berend De Schouwer, +27-11-712-1435, UCS

From Norbert.Bladt at adi.ch Fri May 12 23:42:25 2000
From: Norbert.Bladt at adi.ch (Bladt Norbert)
Date: Fri, 12 May 2000 15:42:25 +0200
Subject: Patch: OpenSSH 2.1.0 under Solaris 8, Solaris 7 and other systems, too
Message-ID: <81614DB47363D211A94A0008C71ECDD85CAB6F@naibe03.adi.ch>

Hi !

Karsten Thygesen wrote:
>>>>> "carl" == carl writes:
> carl> Marc, I'm seeing the same problem if I use the inbuilt entropy
> carl> generator, but if I use SUNWski's /dev/random, it's fine.
> carl> ssh also coredumps if I use the built in entropy generator if I
> carl> run it in verbose mode.
> carl> This is on a Sun SPARC 10 running Solaris 8
> The same goes for Solaris-7. I also switched to SUNWski and it works
> just fine.

I found some time debugging the problem with using the built-in entropy generator in openssh-2.1.0. In the current condition, it should crash on every reasonable (?) system.

The problem is in entropy.c in a debug call with a string argument (%s) of 0, if the command in ssh_prng_commands has no arg. Interestingly enough, there is a "#if 1" in front of the offending statement and there is a note "FIXME: turn this off later", too. Why turn it off, it should work now and is useful information in debug mode.

Patch is following here - it works for me and my ssh_prng_cmds, YMMV:

*** entropy.c.orig	Tue May  2 01:56:41 2000
--- entropy.c	Fri May 12 15:25:57 2000
***************
*** 225,233 ****
--- 225,238 ----
  		} else {
  			/* FIXME: turn this off later */
  #if 1
+ 			if (entropy_sources[c].args[2] != 0)
  			debug("Command '%s %s %s' disabled (badness %d)",
  				entropy_sources[c].path, entropy_sources[c].args[1],
  				entropy_sources[c].args[2], entropy_sources[c].badness);
+ 			else
+ 			debug("Command '%s %s' disabled (badness %d)",
+ 				entropy_sources[c].path, entropy_sources[c].args[1],
+ 				entropy_sources[c].badness);
  #endif
  
  			if (entropy_sources[c].badness > 0)

--
Norbert Bladt
ATAG debis Informatik, TZ1 - Z364
Industriestrasse 1, CH 3052-Zollikofen
E-Mail: norbert.bladt at adi.ch  Tel.: +41 31 915 3964  Fax: +41 31 915 3640
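Review bot: The new `else` branch still hands `entropy_sources[c].args[1]` to a `%s` unconditionally, so if a source can have no arguments at all (`args[1]` NULL as well as `args[2]`) it hits the same undefined behaviour this hunk is fixing; either guard `args[1]` the same way or, as Andre suggests in his reply, keep the original ssh_prng_cmds string in the entropy_source and print that single field. Two smaller points: `!= 0` on a pointer reads better as `!= NULL`, and once the message is correct the `#if 1` / "FIXME: turn this off later" wrapper can be dropped rather than left in.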
From mweaver at adf.gov Fri May 12 23:49:39 2000
From: mweaver at adf.gov (Mike Weaver)
Date: Fri, 12 May 2000 08:49:39 -0500
Subject: Error: Permission denied, please try again.
Message-ID: <022b01bfbc18$ee7930e0$b1c2efce@adf.gov>

Greetings:

I hope it is okay to post this here. I have RedHat 6.1 on Intel. I believe I followed the instructions correctly. Everything seemed to compile without errors but when I try to log in I get the above error - any advice? I've poked through the FAQ and man pages with no luck.

Thanks for any and all replies,

Mike

[root at ghana openssh-2.1.0]# ssh -v -l mweaver ghana
SSH Version OpenSSH-2.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /usr/local/etc/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to ghana port 22.
debug: Seeding random number generator
debug: Allocated local port 949.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH-2.1
debug: Local version string SSH-1.5-OpenSSH-2.1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'ghana.adf.gov' is known and matches the RSA host key.
debug: Seeding random number generator
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Doing password authentication.
mweaver at ghana.adf.gov's password:
Permission denied, please try again.
mweaver at ghana.adf.gov's password:

From rjune at ims1.imagestream-is.com Sat May 13 00:21:16 2000
From: rjune at ims1.imagestream-is.com (Richard June)
Date: Fri, 12 May 2000 09:21:16 -0500 (EST)
Subject: Error: Permission denied, please try again.
In-Reply-To: <022b01bfbc18$ee7930e0$b1c2efce@adf.gov>
Message-ID:

configure with --md5-passwords, or use the source rpms.

On Fri, 12 May 2000, Mike Weaver wrote:

> Greetings: I hope it is okay to post this here. I have RedHat 6.1 on
> Intel. I believe I followed the instructions correctly.
> Everything seemed to compile without errors but when I try to log in I get
> the above error - any advice? I've poked through the FAQ and man pages with
> no luck.
>
> Thanks for any and all replies,
>
> Mike
>
>
> [root at ghana openssh-2.1.0]# ssh -v -l mweaver ghana
> SSH Version OpenSSH-2.1, protocol versions 1.5/2.0.
> Compiled with SSL (0x0090581f).
> debug: Reading configuration data /usr/local/etc/ssh_config
> debug: Applying options for *
> debug: Seeding random number generator
> debug: ssh_connect: getuid 0 geteuid 0 anon 0
> debug: Connecting to ghana port 22.
> debug: Seeding random number generator
> debug: Allocated local port 949.
> debug: Connection established.
> debug: Remote protocol version 1.99, remote software version OpenSSH-2.1
> debug: Local version string SSH-1.5-OpenSSH-2.1
> debug: Waiting for server public key.
> debug: Received server public key (768 bits) and host key (1024 bits).
> debug: Host 'ghana.adf.gov' is known and matches the RSA host key.
> debug: Seeding random number generator
> debug: Encryption type: 3des
> debug: Sent encrypted session key.
> debug: Installing crc compensation attack detector.
> debug: Received encrypted confirmation.
> debug: Doing password authentication.
> mweaver at ghana.adf.gov's password:
> Permission denied, please try again.
> mweaver at ghana.adf.gov's password:
>
>

From andre.lucas at dial.pipex.com Sat May 13 00:36:33 2000
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Fri, 12 May 2000 15:36:33 +0100
Subject: Patch: OpenSSH 2.1.0 under Solaris 8, Solaris 7 and other systems, too
References: <81614DB47363D211A94A0008C71ECDD85CAB6F@naibe03.adi.ch>
Message-ID: <391C16F1.FA389502@dial.pipex.com>

Well spotted. Doh.

I think an even better way to fix this would be to save the string as parsed from ssh_prng_cmds in the command's entropy_source_t, and print that in debug messages. It's a tiny amount of memory for what is, as you say, useful debugging info.

So useful, in fact, that the bug occurred when I added the second parameter to Damien's prng code, likely as a temporary measure, and left it in...

-Andre

Bladt Norbert wrote:
>
> Hi !
>
> Karsten Thygesen wrote:
> >>>>> "carl" == carl writes:
>
> > carl> Marc, I'm seeing the same problem if I use the inbuilt entropy
> > carl> generator, but if I use SUNWski's /dev/random, it's fine.
>
> > carl> ssh also coredumps if I use the built in entropy generator if I
> > carl> run it in verbose mode.
>
> > carl> This is on a Sun SPARC 10 running Solaris 8
>
> > The same goes for Solaris-7. I also switched to SUNWski and it works
> > just fine.
>
> I found some time debugging the problem with using the built-in entropy
> generator in openssh-2.1.0. In the current condition, it should crash on
> every reasonable (?) system.
>
> The problem is in entropy.c in a debug call with a string argument
> (%s) of 0, if the command in ssh_prng_commands has no arg.
> Interesting enough, there is a "#if 1" in front of the offending
> statement and there is a note "FIXME: turn this off later", too.
> Why turn it off, it should work now and is a useful information
> in debug mode.
>
> Patch is following here - it works for me and my ssh_prng_cmds, YMMV:
>
> *** entropy.c.orig      Tue May  2 01:56:41 2000
> --- entropy.c   Fri May 12 15:25:57 2000
> ***************
> *** 225,233 ****
> --- 225,238 ----
>                 } else {
>                         /* FIXME: turn this off later */
>   #if 1
> +                       if (entropy_sources[c].args[2] != 0)
>                         debug("Command '%s %s %s' disabled (badness
> %d)",
>                                 entropy_sources[c].path,
> entropy_sources[c].args[1],
>                                 entropy_sources[c].args[2],
> entropy_sources[c].badness);
> +                       else
> +                       debug("Command '%s %s' disabled (badness
> %d)",
> +                               entropy_sources[c].path,
> entropy_sources[c].args[1],
> +                               entropy_sources[c].badness);
>   #endif
>
>                         if (entropy_sources[c].badness > 0)
>
> --
> Norbert Bladt
> ATAG debis Informatik, TZ1 - Z364
> Industriestrasse 1, CH 3052-Zollikofen
> E-Mail: norbert.bladt at adi.ch  Tel.: +41 31 915 3964  Fax: +41 31 915 3640
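The safe formatting Andre proposes, written out as an added example (my code, not OpenSSH's entropy.c): the struct layout, the args[] convention (args[0] is argv[0], args[1..2] the arguments, then NULL) and the cmdstring field are assumptions; the message is built from however many arguments a source actually has, so no NULL ever reaches a %s.

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout mirroring the fields the patch above touches. */
#define MAX_ARGS 3
struct entropy_source {
	const char *path;
	const char *args[MAX_ARGS + 1];	/* argv-style, NULL-terminated */
	const char *cmdstring;		/* saved ssh_prng_cmds line, or NULL */
	int badness;
};

/*
 * Format "Command '<path> <args...>' disabled (badness N)" into buf.
 * Stops at the first NULL argument, so sources with zero, one or two
 * arguments all format correctly (the crash in the thread was a NULL
 * args[2] reaching a %s). Returns the length written, or -1 if buf is
 * too small.
 */
int describe_disabled(const struct entropy_source *es, char *buf, size_t buflen)
{
	size_t off;
	int n, i;

	if (es->cmdstring != NULL) {	/* Andre's variant: print the saved string */
		n = snprintf(buf, buflen, "Command '%s' disabled (badness %d)",
		    es->cmdstring, es->badness);
		return (n < 0 || (size_t)n >= buflen) ? -1 : n;
	}
	n = snprintf(buf, buflen, "Command '%s", es->path);
	if (n < 0 || (size_t)n >= buflen)
		return -1;
	off = (size_t)n;
	for (i = 1; i < MAX_ARGS && es->args[i] != NULL; i++) {
		n = snprintf(buf + off, buflen - off, " %s", es->args[i]);
		if (n < 0 || (size_t)n >= buflen - off)
			return -1;
		off += (size_t)n;
	}
	n = snprintf(buf + off, buflen - off, "' disabled (badness %d)", es->badness);
	if (n < 0 || (size_t)n >= buflen - off)
		return -1;
	return (int)(off + (size_t)n);
}

/* Helper for checking: 1 if the message for this source equals expect. */
int describe_matches(const char *path, const char *a1, const char *a2,
    const char *cmdstring, int badness, const char *expect)
{
	struct entropy_source es;
	char buf[256];

	es.path = path;
	es.args[0] = path;
	es.args[1] = a1;
	es.args[2] = a2;
	es.args[3] = NULL;
	es.cmdstring = cmdstring;
	es.badness = badness;
	if (describe_disabled(&es, buf, sizeof buf) < 0)
		return 0;
	return strcmp(buf, expect) == 0;
}

int main(void)
{
	/* Constructed sample: a source with no arguments, the crashing case. */
	struct entropy_source noargs = { "/bin/w", { "/bin/w", NULL, NULL, NULL }, NULL, 2 };
	char buf[256];

	if (describe_disabled(&noargs, buf, sizeof buf) > 0)
		puts(buf);
	return 0;
}
```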
From Norbert.Bladt at adi.ch Sat May 13 01:14:45 2000
From: Norbert.Bladt at adi.ch (Bladt Norbert)
Date: Fri, 12 May 2000 17:14:45 +0200
Subject: Patch: OpenSSH 2.1.0 under Solaris 8, Solaris 7 and other systems, too
Message-ID: <81614DB47363D211A94A0008C71ECDD85CAB71@naibe03.adi.ch>

> -----Original Message-----
> From: Andre Lucas [SMTP:andre.lucas at dial.pipex.com]
> Sent: Friday, 12 May 2000 16:37
> To: Bladt Norbert
> Cc: 'Karsten Thygesen'; 'openssh-unix-dev at mindrot.org'; 'carl at bl.echidna.id.au'
> Subject: Re: Patch: OpenSSH 2.1.0 under Solaris 8, Solaris 7 and other systems, too
>
> Well spotted. Doh.

No problem. I had to use the debug mode to find out why the X11 forwarding didn't work. Finally, the problem was in the client, though.

> I think an even better way to fix this would be to save the string as
> parsed from ssh_prng_cmds in the command's entropy_source_t, and print
> that in debug messages. It's a tiny amount of memory for what is, as you
> say, useful debugging info.

Sure. I did look at the sources for the first time and do not know a lot of OpenSSH, yet. So, just go ahead and apply your suggested fix for the next release and we are all happy.

> So useful, in fact, that the bug occurred when I added the second
> parameter to Damien's prng code, likely as a temporary measure, and left
> it in...

It was easy to spot and temporarily fixed, anyway.

Norbert.

From ede370 at stl.rural.usda.gov Sat May 13 01:29:52 2000
From: ede370 at stl.rural.usda.gov (Ed Eden)
Date: Fri, 12 May 2000 10:29:52 -0500
Subject: openssl w/ rsaref openssh won't configure
Message-ID: <391C2370.1846AD64@stl.rural.usda.gov>

I kind of merged rsa_test and came up with the following that seems to work with rsaref. The problem areas in the original were 32 for the key gen, rsaref likes 1024 at least. And rsaref likes RSA_PKCS1_PADDING but not RSA_NO_PADDING for some reason. I am not versed in ssl but just tried different things with debugging until it worked. I assume it will work with the non-rsaref also.

#line 2032 "configure"
#include "confdefs.h"
#include <string.h>
#include <openssl/rand.h>
#include <openssl/rsa.h>
int main(void)
{
	int num;
	RSA *key;
	char a[2048],b[2048];
	static unsigned char ptext_ex[] = "This is the text to encrypt";
	unsigned char ctext[256];
	unsigned char ptext[256];
	memset(a, 0, sizeof(a));memset(b, 0, sizeof(b));
	/* seed the PRNG as the original configure test does */
	RAND_add(a, sizeof(a), sizeof(a));
	/* 512-bit key: rsaref rejects the 32-bit key the original test used */
	key=RSA_generate_key(512,3,NULL,NULL);
	if (key==NULL) return(1);
	/* encrypt with the public key, then check the private key can decrypt it */
	num=RSA_public_encrypt(sizeof(ptext_ex)-1,ptext_ex,ctext,
		key,RSA_PKCS1_PADDING);
	if (num<0) return(1);
	return(-1==RSA_private_decrypt(num,ctext,ptext,key,RSA_PKCS1_PADDING));
}

From ede370 at stl.rural.usda.gov Sat May 13 01:49:00 2000
From: ede370 at stl.rural.usda.gov (Ed Eden)
Date: Fri, 12 May 2000 10:49:00 -0500
Subject: openssl w/ rsaref openssh won't configure
Message-ID: <391C27EC.6B4F8B4B@stl.rural.usda.gov>

>The problem areas in the original were 32 for the key gen, rsaref likes 1024 at least

oops, I mean 512 or higher for the key size.

From mweaver at adf.gov Sat May 13 04:14:19 2000
From: mweaver at adf.gov (Mike Weaver)
Date: Fri, 12 May 2000 13:14:19 -0500
Subject: debug: Server refused our key. - Something to worry about?
References:
Message-ID: <028f01bfbc3d$e7a6f9d0$b1c2efce@adf.gov>

Thanks to all who replied - I think it's running correctly now. Is the above something to be concerned with? And if so, is there any advice on how to fix it?

Thanks,

Mike

Here's the whole output:

SSH Version OpenSSH-2.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /usr/local/etc/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 500 geteuid 0 anon 0
debug: Connecting to ghana.adf.gov [206.239.194.8] port 22.
debug: Seeding random number generator
debug: Allocated local port 801.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH-2.1
debug: Local version string SSH-1.5-OpenSSH-2.1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'ghana.adf.gov' is known and matches the RSA host key.
debug: Seeding random number generator
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying RSA authentication with key 'mweaver at ghana'
debug: Server refused our key.
debug: Doing password authentication.
mweaver at ghana.adf.gov's password:

From openssh-unix-dev.mindrot.org at marc-haber.de Sat May 13 04:42:53 2000
From: openssh-unix-dev.mindrot.org at marc-haber.de (Marc Haber)
Date: Fri, 12 May 2000 18:42:53 GMT
Subject: different servers on different ports
Message-ID:

Hi,

I have the following unusual setup:

F is a firewall host. Its external Interface has IP 172.16.20.4, and the internal Interface is 192.168.215.1. A and B are internal hosts with IPs 192.168.215.31 and 192.168.215.71.

F's port 10022 is transparently forwarded to A's port 22; F's port 20022 is transparently forwarded to B's port 22.

So, connecting to 172.16.20.4:10022 gives an ssh connection to A; connecting to 172.16.20.4:20022 gives an ssh connection to B.

Obviously, the ssh client can't cope with that since it complains about the different host keys.

Wouldn't it be a good idea to have the client cache IP:port to known_hosts instead of the IP only? That way, it would also be possible to run differently configured ssh daemons on a single box.

Or am I missing something and there are reasons to handle IPs instead of IP:port pairs?

Greetings
Marc

--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber          |   " Questions are the         | Mailadresse im Header
Karlsruhe, Germany  |     Beginning of Wisdom "     | Fon: *49 721 966 32 15
Nordisch by Nature  | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29
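As an added example (my code, not OpenSSH's), a known_hosts lookup keyed on host and port, using the `[host]:port` entry form that OpenSSH later adopted for non-standard ports; the sample file and its key data are constructed placeholders for the firewall setup above, and a bare host entry is taken to mean port 22.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_SSH_PORT 22

/*
 * 1 if one comma-separated host field of a known_hosts line names host:port.
 * "[host]:port" entries match only that port; a bare host entry stands for
 * port 22 (the bracket form is OpenSSH's later convention, not 2.1's).
 */
int hostfield_matches(const char *field, const char *host, int port)
{
	char tok[256];
	const char *p = field;

	for (;;) {
		const char *comma = strchr(p, ',');
		size_t len = comma != NULL ? (size_t)(comma - p) : strlen(p);

		if (len > 0 && len < sizeof tok) {
			memcpy(tok, p, len);
			tok[len] = '\0';
			if (tok[0] == '[') {
				char *rb = strchr(tok, ']');
				if (rb != NULL && rb[1] == ':') {
					*rb = '\0';
					if (strcmp(tok + 1, host) == 0 &&
					    atoi(rb + 2) == port)
						return 1;
				}
			} else if (port == DEFAULT_SSH_PORT &&
			    strcmp(tok, host) == 0) {
				return 1;
			}
		}
		if (comma == NULL)
			return 0;
		p = comma + 1;
	}
}

/*
 * Copy the "keytype keydata" part of the first known_hosts line matching
 * host:port into out; 1 on success, 0 if the pair has no entry.
 */
int lookup_known_host(const char *known_hosts, const char *host, int port,
    char *out, size_t outlen)
{
	const char *line = known_hosts;
	char buf[512];

	while (*line != '\0') {
		const char *nl = strchr(line, '\n');
		size_t len = nl != NULL ? (size_t)(nl - line) : strlen(line);

		if (len > 0 && len < sizeof buf && line[0] != '#') {
			char *sp;
			memcpy(buf, line, len);
			buf[len] = '\0';
			sp = strchr(buf, ' ');
			if (sp != NULL) {
				*sp = '\0';
				if (hostfield_matches(buf, host, port)) {
					snprintf(out, outlen, "%s", sp + 1);
					return 1;
				}
			}
		}
		if (nl == NULL)
			break;
		line = nl + 1;
	}
	return 0;
}

/* Constructed sample: firewall F forwarding two ports to hosts A and B;
 * the key data are placeholders, not real keys. */
static const char SAMPLE_KNOWN_HOSTS[] =
	"# constructed sample\n"
	"[172.16.20.4]:10022 ssh-dss KEY_OF_HOST_A\n"
	"[172.16.20.4]:20022 ssh-dss KEY_OF_HOST_B\n"
	"192.168.215.31,a.internal ssh-dss KEY_OF_HOST_A\n";

/* 1 if the sample records exactly expect for host:port, else 0. */
int sample_key_is(const char *host, int port, const char *expect)
{
	char key[256];

	if (!lookup_known_host(SAMPLE_KNOWN_HOSTS, host, port, key, sizeof key))
		return 0;
	return strcmp(key, expect) == 0;
}

int main(void)
{
	char key[256];
	int port;

	/* the two forwarded ports resolve to different keys without a clash */
	for (port = 10022; port <= 20022; port += 10000)
		if (lookup_known_host(SAMPLE_KNOWN_HOSTS, "172.16.20.4", port, key, sizeof key))
			printf("172.16.20.4:%d -> %s\n", port, key);
	return 0;
}
```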
From: cloos at jhcloos.com (James H. Cloos Jr.) Date: 12 May 2000 15:11:03 -0500 Subject: debug: Server refused our key. - Something to worry about? In-Reply-To: "Mike Weaver"'s message of "Fri, 12 May 2000 13:14:19 -0500" References: <028f01bfbc3d$e7a6f9d0$b1c2efce@adf.gov> Message-ID: >>>>> "Mike" == Mike Weaver writes: Mike> Thanks to all who replied - I think it's running correctly now. Mike> Is the above something to be concerned with? And if so, is Mike> there any advice on how to fix it? Check the syslog output on the server side, but I bet the permissions on ~/ssh/authorized_keys are too lax for sshd(8)'s taste. -JimC -- James H. Cloos, Jr. 1024D/ED7DAEA6 E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6 Check out TGC: From Todd.Miller at courtesan.com Sat May 13 08:38:56 2000 From: Todd.Miller at courtesan.com (Todd C. Miller) Date: Fri, 12 May 2000 16:38:56 -0600 Subject: SunOS 4.x port Message-ID: <200005122238.e4CMcuQ16659@xerxes.courtesan.com> This is based on openssh-2.0.0beta1. There are a few rough spots: 1) SunOS doesn't have ut_type in struct utmp so I just whacked in the old login() from openssh-1.2.3. 2) There is a SUNOS4 section added to defines.h -- this could probably be a bit cleaner. 3) sigaction on SunOS is implemented via #defines to sigvec, thus there is no SA_RESTART (this is the default behavior). This also supports SunOS 4.x shadow passwords (passwd adjunct). - todd --- configure.in.DIST Fri May 12 15:50:24 2000 +++ configure.in Fri May 12 16:08:22 2000 @@ -107,6 +107,10 @@ need_dash_r=1 AC_DEFINE(USE_UTMPX) ;; +*-*-sunos4*) + CFLAGS="$CFLAGS -DSUNOS4" + AC_CHECK_FUNCS(getpwanam) + ;; *-*-sysv*) CFLAGS="$CFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" 
@@ -353,17 +357,6 @@ [size_t foo; foo = 1235;], [ AC_DEFINE(HAVE_SIZE_T) - AC_MSG_RESULT(yes) - ], - [AC_MSG_RESULT(no)] -) - -AC_MSG_CHECKING([for ssize_t]) -AC_TRY_COMPILE( - [#include ], - [ssize_t foo; foo = 1235;], - [ - AC_DEFINE(HAVE_SSIZE_T) AC_MSG_RESULT(yes) ], [AC_MSG_RESULT(no)] --- acconfig.h.DIST Mon May 1 17:56:41 2000 +++ acconfig.h Fri May 12 16:09:17 2000 @@ -101,6 +101,9 @@ /* Define if you want have trusted HPUX */ #undef HAVE_HPUX_TRUSTED_SYSTEM_PW +/* Define if you have getpwanam(3) [SunOS 4.x] */ +#undef HAVE_GETPWANAM + /* Defined if in_systm.h needs to be included with netinet/ip.h (HPUX - ) */ #undef NEED_IN_SYSTM_H @@ -117,6 +120,7 @@ #undef HAVE_UINTXX_T #undef HAVE_SOCKLEN_T #undef HAVE_SIZE_T +#undef HAVE_SSIZE_T #undef HAVE_STRUCT_SOCKADDR_STORAGE #undef HAVE_STRUCT_ADDRINFO #undef HAVE_STRUCT_IN6_ADDR --- defines.h.DIST Mon May 1 08:03:56 2000 +++ defines.h Fri May 12 15:54:59 2000 @@ -150,6 +150,11 @@ # define HAVE_SIZE_T #endif /* HAVE_SIZE_T */ +#ifndef HAVE_SSIZE_T +typedef int ssize_t; +# define HAVE_SSIZE_T +#endif /* HAVE_SSIZE_T */ + #if !defined(HAVE_SS_FAMILY_IN_SS) && defined(HAVE___SS_FAMILY_IN_SS) # define ss_family __ss_family #endif /* !defined(HAVE_SS_FAMILY_IN_SS) && defined(HAVE_SA_FAMILY_IN_SS) */ @@ -279,5 +284,10 @@ #if defined(BROKEN_GETADDRINFO) && defined(HAVE_GETADDRINFO) # undef HAVE_GETADDRINFO #endif /* defined(BROKEN_GETADDRINFO) && defined(HAVE_GETADDRINFO) */ + +#ifdef SUNOS4 +# define atexit on_exit +# define WCOREDUMP(x) (((union __wait*)&(x))->__w_coredump) +#endif #endif /* _DEFINES_H */ --- auth-passwd.c.DIST Sat Apr 29 08:47:29 2000 +++ auth-passwd.c Fri May 12 16:07:36 2000 @@ -28,6 +28,11 @@ #ifdef HAVE_SHADOW_H # include #endif +#ifdef HAVE_GETPWANAM +# include +# include +# include +#endif #if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) # include "md5crypt.h" #endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ 
@@ -46,6 +51,9 @@ #ifdef HAVE_SHADOW_H struct spwd *spw; #endif +#ifdef HAVE_GETPWANAM + struct passwd_adjunct *spw; +#endif #ifdef WITH_AIXAUTHENTICATE char *authmsg; char *loginmsg; @@ -99,6 +107,16 @@ pw_password = spw->sp_pwdp; } #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ +#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) + if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL) + { + /* Check for users with no password. */ + if (strcmp(password, "") == 0 && strcmp(spw->pwa_passwd, "") == 0) + return 1; + + pw_password = spw->pwa_passwd; + } +#endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */ if (pw_password[0] != '\0') salt = pw_password; --- bsd-login.c.DIST Mon May 1 06:53:53 2000 +++ bsd-login.c Fri May 5 12:30:48 2000 @@ -60,6 +60,7 @@ #include #include +#ifdef USER_PROCESS /* * find first matching slot in utmp, or "-1" for none * @@ -93,6 +94,13 @@ endutent(); return(-1); } +#else +int find_tty_slot( utp ) +struct utmp * utp; +{ + return(ttyslot()); +} +#endif #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) void @@ -127,13 +135,16 @@ } else { /* If no tty was found... */ if (tty == -1) { +#ifdef USER_PROCESS /* ... append it to utmp on login */ if (utp->ut_type == USER_PROCESS) { if ((fd = open(_PATH_UTMP, O_WRONLY|O_APPEND, 0)) >= 0) { (void)write(fd, utp, sizeof(struct utmp)); (void)close(fd); } - } else { + } else +#endif + { /* Shouldn't get to here unless somthing happened to utmp */ /* Between login and logout */ log("No tty slot found at logout"); --- packet.c.DIST Fri May 5 11:55:05 2000 +++ packet.c Fri May 5 11:56:42 2000 
@@ -1233,21 +1233,24 @@ * IPTOS_LOWDELAY and TCP_NODELAY. */ int lowdelay = IPTOS_LOWDELAY; +#ifdef IP_TOS if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, (void *) &lowdelay, sizeof(lowdelay)) < 0) error("setsockopt IPTOS_LOWDELAY: %.100s", strerror(errno)); +#endif if (setsockopt(connection_in, IPPROTO_TCP, TCP_NODELAY, (void *) &on, sizeof(on)) < 0) error("setsockopt TCP_NODELAY: %.100s", strerror(errno)); +#ifdef IP_TOS } else { /* * Set IP options for a non-interactive connection. Use * IPTOS_THROUGHPUT. */ - int throughput = IPTOS_THROUGHPUT; if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, (void *) &throughput, sizeof(throughput)) < 0) error("setsockopt IPTOS_THROUGHPUT: %.100s", strerror(errno)); +#endif } } --- scp.c.DIST Mon May 1 05:10:33 2000 +++ scp.c Fri May 5 12:19:25 2000 @@ -1235,7 +1235,9 @@ struct sigaction sa; sa.sa_handler = updateprogressmeter; sigemptyset(&sa.sa_mask); +#ifdef SA_RESTART sa.sa_flags = SA_RESTART; +#endif sigaction(SIGALRM, &sa, NULL); alarmtimer(1); } else if (flag == 1) { --- ssh-agent.c.DIST Mon May 1 04:59:51 2000 +++ ssh-agent.c Fri May 5 12:22:05 2000 @@ -507,6 +507,7 @@ struct sockaddr_un sunaddr; pid_t pid; char *shell, *format, *pidstr, pidstrbuf[1 + 3 * sizeof pid]; + extern int optind; /* check if RSA support exists */ if (rsa_alive() == 0) { From djm at mindrot.org Sat May 13 12:41:58 2000 
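Review bot: in the SunOS 4.x patch, the second configure.in hunk (@@ -353,17 +357,6 @@) deletes the ssize_t probe (`AC_MSG_CHECKING([for ssize_t])` through `AC_DEFINE(HAVE_SSIZE_T)`) while the acconfig.h and defines.h hunks add `#undef HAVE_SSIZE_T` and a fallback `typedef int ssize_t;` guarded by `#ifndef HAVE_SSIZE_T`. With no configure test ever defining HAVE_SSIZE_T, that fallback typedef fires on every platform, including ones whose headers already declare ssize_t, and the build breaks there. This hunk looks reversed: the ssize_t check should be added, not removed, and the size_t check should keep its own `AC_MSG_RESULT(yes)`.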
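Review bot: in the defines.h hunk @@ -279,5 +284,10 @@, `# define atexit on_exit` silently changes the handler contract: atexit() handlers take no arguments and atexit() takes one, while on_exit() takes two and calls the handler with an exit status and a pointer. Existing `atexit(fn)` call sites therefore pass one argument where on_exit() expects two; it only works because the SunOS 4 K&R calling convention tolerates the mismatch. A one-line comment saying so, or a small wrapper that calls on_exit() with a NULL argument, would keep the next reader from tripping over it.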
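Review bot: the auth-passwd.c hunk @@ -46,6 +51,9 @@ declares `struct passwd_adjunct *spw;` under HAVE_GETPWANAM directly after the existing `struct spwd *spw;` under HAVE_SHADOW_H, so a build that has both shadow.h and getpwanam() gets two declarations of `spw` with different types. Make the two blocks mutually exclusive (`#elif`), or give the adjunct pointer its own name.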
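Review bot: in the bsd-login.c hunk @@ -93,6 +94,13 @@, the SunOS fallback `find_tty_slot()` returns `ttyslot()`, which reports failure by returning 0, not -1. The caller in the following hunk still tests `if (tty == -1)`, so a failed lookup on the SunOS path is treated as a valid slot index instead of taking the append path or the "No tty slot found" log. Map a 0 from ttyslot() to -1 before returning.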
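Review bot: the packet.c hunk @@ -1233,21 +1233,24 @@ removes the line `int throughput = IPTOS_THROUGHPUT;` with no replacement, yet the `setsockopt(connection_in, IPPROTO_IP, IP_TOS, (void *) &throughput, ...)` call that follows still uses it, so the IP_TOS build no longer compiles. If the intent was only to move the declaration inside the `#ifdef IP_TOS`, a matching `+` line is missing. Also, `int lowdelay = IPTOS_LOWDELAY;` is left outside the new guard; a platform without IP_TOS is unlikely to define IPTOS_LOWDELAY either, so that line belongs inside it too.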
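Review bot: the scp.c hunk @@ -1235,7 +1235,9 @@ wraps `sa.sa_flags = SA_RESTART;` in `#ifdef SA_RESTART` but adds no `#else`, so on SunOS `sa.sa_flags` keeps whatever was on the stack when `struct sigaction sa;` was declared and sigaction() is called with undefined flags. Add `#else sa.sa_flags = 0; #endif`, or memset the struct to zero before filling it in.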
From: djm at mindrot.org (Damien Miller)
Date: Sat, 13 May 2000 12:41:58 +1000 (EST)
Subject: Error: Permission denied, please try again.
In-Reply-To: <022b01bfbc18$ee7930e0$b1c2efce@adf.gov>
Message-ID:

On Fri, 12 May 2000, Mike Weaver wrote:

> Greetings: I hope it is okay to post this here. I have RedHat
> 6.1 on Intel. I believe I followed the instructions correctly.
> Everything seemed to compile without errors but when I try to log in
> I get the above error - any advice? I've poked through the FAQ and
> man pages with no luck.

You might want to try the RPMs that are on the FTP site - they will work
with Redhat 6.1 (I use them myself on that platform).

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From ianj at chocobo.org Sun May 14 16:37:12 2000
From: ianj at chocobo.org (Ian R. Justman)
Date: Sat, 13 May 2000 23:37:12 -0700 (PDT)
Subject: OpenSSH 2.1.0+OpenSSL 0.9.5a+RSAref 2.0 trouble
Message-ID:

Hello.

I have been having trouble configuring the source code for the
abovementioned. I have to use RSARef as I'm a resident of the USA, so I
can avoid patent violation. The configure script fails to see the
OpenSSL+RSAref mix on three different platforms, including the following:

FreeBSD 4.0-STABLE (Which has its own port, but I wanted to try it there
to see if I could reliably reproduce the problem I'm experiencing under
the following two platforms)
Slackware Linux 7.0
S.u.S.E. Linux 6.4

The code which correctly compiles and links but fails is the following
excerpt from config.log (the compiler/linker flags are different on each
different platform, e.g. Slackware doesn't use PAM while FreeBSD and
S.u.S.E. do, but the results are the same):

configure:2051: gcc -o conftest -g -O2 -Wall -I/usr/local/ssl/include -L/usr/local/ssl/lib -L/usr/local/ssl conftest.c -lz -lutil -lpam -lcrypto -lRSAglue -lrsaref 1>&5
configure: failed program was:
#line 2032 "configure"
#include "confdefs.h"
#include
#include
#include
#include
#include
int main(void) {
	RSA *key; char a[2048],b[2048];;
	memset(a, 0, sizeof(a));memset(b, 0, sizeof(b));
	RAND_add(a, sizeof(a), sizeof(a));
	key=RSA_generate_key(32,3,NULL,NULL);
--->	if (key==NULL) return(1);
	return(-1==RSA_private_decrypt(RSA_size(key),a,b,key,RSA_NO_PADDING));
}

The arrowhead points to the line that fails. I built this exact code on a
Linux system, then wrote a Perl wrapper to get the return code. I got the
1 return code per that arrowheaded line.

It should also be noted that I used the standard RSARef 2.0 code with and
without the modulus bug patch, and RSARef 1.0 (from PGP 2.6.2). All
yielded identical results.

Any suggestions? Please let me know if you need anything further.

Thanks in advance.

--Ian.

-----
Ian R. Justman
Postmaster, System Administrator, ChocoboNet
ianj at chocobo.org (home)    ianj at calweb.com (work)
NIC handle: IJ12    ICQ UIN# 14925819
UNIX system administrator by trade
"An upset Windows NT administrator should be laughed at. An upset UNIX
administrator should be deeply feared." --Me.
Hard Disk Drive: n: Future windchimes

From dugsong at monkey.org Mon May 15 03:20:28 2000
From: dugsong at monkey.org (Dug Song)
Date: Sun, 14 May 2000 13:20:28 -0400 (EDT)
Subject: openssh-2.1.0 and AFS
In-Reply-To:
Message-ID:

On Tue, 9 May 2000, Alexander Bergolth wrote:

> Maybe I'm missing something but shouldn't it only get a pag, if
> AFS-token-passing is used?

or if kerberos TGT, or kerberos password authentication is used. in any
case, a PAG is set only if the local machine has AFS enabled.

> If password authentication is used, an AFS-pam-module (or the authenticate
> function on AIX) will do the job, otherwise, no token can be
> obtained and therefore no pag is needed.

a token can be obtained if a Kerberos TGT is passed as well. we don't want
to do a setpag() for every token passed, as a user may pass several tokens
at login (as is common at several large sites, with multiple cells).

> I noticed that because normally root wants to login without a pag, which
> is not possible now.

you'll have to use 'pagsh' for now, the same as if you su'd. this issue
has come up before on the ssh-afs at umich.edu list; i decided not to
special-case UID 0, as there isn't any precedent for this in existing AFS
code, and some people actually rely on token-passing as root.

i'm still not sure what the right behaviour should be - perhaps a new
server config option is in order? we can discuss this further on the
ssh-afs at umich.edu list if you wish...

-d.

---
http://www.monkey.org/~dugsong/

From dcs at newsguy.com Mon May 15 16:15:16 2000
From: dcs at newsguy.com (Daniel C. Sobral) Date: Mon, 15 May 2000 15:15:16 +0900 Subject: ssh-add... Message-ID: <391F95F4.1182AD5D@newsguy.com> I'm not sure this is the appropriate place to suggest it, but... what about ssh ssh-add's -c flag, which enables it to get the input from stdin? -- Daniel C. Sobral (8-DCS) dcs at newsguy.com dcs at freebsd.org capo at tutti.capi.bsdconspiracy.org "I agree whole heartily! Who am I to disagree with a wacko like you?" From tbert at abac.com Mon May 15 22:53:48 2000 From: tbert at abac.com (Tom Bertelson) Date: Mon, 15 May 2000 08:53:48 -0400 Subject: AIX authenticate patches Message-ID: <391FF35C.7432DD45@abac.com> Here are some patches to re-enable support for AIX's authenticate routines. With them, ssh will honor locked & unlocked accounts, record successful and unsuccessful logins, and deny accounts that are prohibited to log in via the network. Tested with AIX 4.3. It also includes a fix for handling SIGCHLD that may be needed for other platforms (HP-UX 10.20, for example). If I get the time I'll see about rolling these changes into liblogin, where I guess they really belong. I didn't include the changes to configure; run "autoconf" to rebuild the configure script. [Is this the correct method for submitting patches, posting them to the list?] -- Tom Bertelson "Any sufficiently advanced technology RHI Consulting is indistinguishable from magic." tbert at abac.com -- Arthur C. Clarke -------------- next part -------------- --- acconfig.h.orig Tue May 9 09:50:13 2000 +++ acconfig.h Tue May 9 09:50:19 2000 @@ -9,7 +9,7 @@ /* Define if you want to disable PAM support */ #undef DISABLE_PAM -/* Define if you want to disable AIX4's authenticate function */ +/* Define if you want to enable AIX4's authenticate function */ #undef WITH_AIXAUTHENTICATE /* Define if you want to disable lastlog support */ --- auth.c.orig Wed May 10 16:00:39 2000 +++ auth.c Thu May 11 13:11:23 2000 
@@ -19,6 +19,9 @@ #include "compat.h" #include "channels.h" #include "match.h" +#ifdef HAVE_LOGIN_H +#include +#endif #include "bufaux.h" #include "ssh2.h" @@ -111,8 +114,20 @@ } #ifdef WITH_AIXAUTHENTICATE - if (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) != 0) + if (loginrestrictions(pw->pw_name,S_RLOGIN,NULL,&loginmsg) != 0) { + if (loginmsg && *loginmsg) { + /* Remove embedded newlines (if any) */ + char *p; + for (p = loginmsg; *p; p++) + if (*p == '\n') + *p = ' '; + /* Remove trailing newline */ + *--p = '\0'; + log("Login restricted for %s: %.100s", + pw->pw_name, loginmsg); + } return 0; + } #endif /* WITH_AIXAUTHENTICATE */ /* We found no reason not to let this user try to log on... */ --- auth1.c.orig Wed May 10 15:53:51 2000 +++ auth1.c Thu May 11 15:13:37 2000 @@ -66,9 +66,7 @@ get_remote_port()); #ifdef WITH_AIXAUTHENTICATE - if (strncmp(get_authname(type),"password", - strlen(get_authname(type))) == 0) - loginfailed(pw->pw_name,get_canonical_hostname(),"ssh"); + loginfailed(user,get_canonical_hostname(),"ssh"); #endif /* WITH_AIXAUTHENTICATE */ /* Indicate that authentication is needed. */ @@ -408,8 +406,12 @@ client_user = NULL; } - if (attempt > AUTH_FAIL_MAX) + if (attempt > AUTH_FAIL_MAX) { +#ifdef WITH_AIXAUTHENTICATE + loginfailed(pw->pw_name,get_canonical_hostname(),"ssh"); +#endif /* WITH_AIXAUTHENTICATE */ packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); + } /* Send a message indicating that the authentication attempt failed. */ packet_start(SSH_SMSG_FAILURE); @@ -430,7 +432,7 @@ unsigned int ulen; char *user; #ifdef WITH_AIXAUTHENTICATE - char *loginmsg; + extern char *aixloginmsg; #endif /* WITH_AIXAUTHENTICATE */ /* Get the name of the user that we wish to log in as. */ 
@@ -501,7 +503,9 @@ /* The user has been authenticated and accepted. */ #ifdef WITH_AIXAUTHENTICATE - loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg); + /* We don't have a pty yet, so just label the line as "ssh" */ + if (loginsuccess(user,get_canonical_hostname(),"ssh",&aixloginmsg) < 0) + aixloginmsg = NULL; #endif /* WITH_AIXAUTHENTICATE */ packet_start(SSH_SMSG_SUCCESS); packet_send(); --- auth2.c.orig Thu May 11 14:31:01 2000 +++ auth2.c Thu May 11 15:16:21 2000 @@ -154,9 +154,9 @@ int authenticated = 0; char *raw, *user, *service, *method, *authmsg = NULL; struct passwd *pw; - - if (++attempt == AUTH_FAIL_MAX) - packet_disconnect("too many failed userauth_requests"); +#ifdef WITH_AIXAUTHENTICATE + extern char *aixloginmsg; +#endif /* WITH_AIXAUTHENTICATE */ raw = packet_get_raw(&rlen); if (plen != rlen) @@ -164,6 +164,12 @@ user = packet_get_string(&len); service = packet_get_string(&len); method = packet_get_string(&len); + if (++attempt == AUTH_FAIL_MAX) { +#ifdef WITH_AIXAUTHENTICATE + loginfailed(user,get_canonical_hostname(),"ssh"); +#endif /* WITH_AIXAUTHENTICATE */ + packet_disconnect("too many failed userauth_requests"); + } debug("userauth-request for user %s service %s method %s", user, service, method); /* XXX we only allow the ssh-connection service */ @@ -211,6 +217,12 @@ /* XXX todo: check if multiple auth methods are needed */ if (authenticated == 1) { +#ifdef WITH_AIXAUTHENTICATE + /* We don't have a pty yet, so just label the line as "ssh" */ + if (loginsuccess(user,get_canonical_hostname(),"ssh", + &aixloginmsg) < 0) + aixloginmsg = NULL; +#endif /* WITH_AIXAUTHENTICATE */ /* turn off userauth */ dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error); packet_start(SSH2_MSG_USERAUTH_SUCCESS); --- config.h.in.orig Tue May 9 03:00:57 2000 +++ config.h.in Wed May 10 15:26:43 2000 
@@ -12,6 +12,9 @@ /* Define if you want to disable PAM support */ #undef DISABLE_PAM +/* Define if you want to enable AIX4's authenticate function */ +#undef WITH_AIXAUTHENTICATE + /* Define if you want to disable lastlog support */ #undef DISABLE_LASTLOG --- configure.in.orig Tue May 9 09:53:53 2000 +++ configure.in Wed May 10 11:10:59 2000 @@ -32,6 +32,7 @@ if test "$LD" != "gcc" -a -z "$blibpath"; then blibpath="/usr/lib:/lib:/usr/local/lib" fi + AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)]) AC_DEFINE(BROKEN_GETADDRINFO) ;; *-*-hpux10*) --- login.c.orig Tue May 9 13:11:36 2000 +++ login.c Tue May 9 13:10:40 2000 @@ -53,6 +53,10 @@ get_last_login_time(uid_t uid, const char *logname, char *buf, unsigned int bufsize) { +#if defined(WITH_AIXAUTHENTICATE) + /* This is done in do_authentication */ + return (unsigned long) 0; +#else #if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) struct lastlog ll; char *lastlog; @@ -128,6 +132,7 @@ return t; #endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */ +#endif /* defined(WITH_AIXAUTHENTICATE) */ } /* @@ -242,7 +247,8 @@ login(&u); #endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ -#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) +#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) && !defined(WITH_AIXAUTHENTICATE) + /* AIX does this in do_authentication */ lastlog = _PATH_LASTLOG; /* Update lastlog unless actually recording a logout. */ @@ -272,7 +278,7 @@ close(fd); } } -#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */ +#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) && !defined(WITH_AIXAUTHENTICATE) */ } /* Records that the user has logged out. */ --- serverloop.c.orig Wed May 10 14:34:00 2000 +++ serverloop.c Thu May 11 08:17:17 2000 @@ -85,7 +85,6 @@ int save_errno = errno; debug("Received SIGCHLD."); child_terminated = 1; - signal(SIGCHLD, sigchld_handler2); errno = save_errno; } 
@@ -640,6 +639,7 @@ while ((pid = waitpid(-1, &status, WNOHANG)) > 0) session_close_by_pid(pid, status); child_terminated = 0; + signal(SIGCHLD, sigchld_handler2); } channel_after_select(&readset, &writeset); process_input(&readset); --- session.c.orig Wed May 10 10:23:59 2000 +++ session.c Wed May 10 16:16:06 2000 @@ -27,6 +27,13 @@ #include "ssh2.h" #include "auth.h" +#ifndef WCOREFLG +#define WCOREFLG 0200 +#endif +#ifndef WCOREDUMP +#define WCOREDUMP(stat) ((stat)&WCOREFLG) +#endif + /* types */ #define TTYSZ 64 @@ -83,6 +90,10 @@ /* data */ #define MAX_SESSIONS 10 Session sessions[MAX_SESSIONS]; +#ifdef WITH_AIXAUTHENTICATE +/* AIX's lastlogin message, set in auth1.c */ +char *aixloginmsg; +#endif /* WITH_AIXAUTHENTICATE */ /* Flags set in auth-rsa from authorized_keys flags. These are set in auth-rsa.c. */ int no_port_forwarding_flag = 0; @@ -631,6 +642,15 @@ fclose(f); } } +#if defined(WITH_AIXAUTHENTICATE) + /* + * AIX handles the lastlog info differently. Display it here. + */ + if (command == NULL && aixloginmsg && *aixloginmsg && + !quiet_login && !options.use_login) { + printf("%s\n", aixloginmsg); + } +#endif /* Do common processing for the child, such as execing the command. */ do_child(command, pw, s->term, s->display, s->auth_proto, s->auth_data, s->tty); /* NOTREACHED */  From andre.lucas at dial.pipex.com Mon May 15 23:04:02 2000 
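Review bot: in the AIX authenticate patch, the auth.c hunk @@ -19,6 +19,9 @@ guards the new include with `#ifdef HAVE_LOGIN_H`, but nothing in this patch defines HAVE_LOGIN_H (the configure.in hunk only adds `AC_CHECK_FUNC(authenticate, ...)`). Unless configure's existing header checks already cover login.h, the include is never pulled in and loginrestrictions()/loginsuccess()/loginfailed() are called without prototypes; add the header to the AC_CHECK_HEADERS list next to the function check.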
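Review bot: in the auth.c hunk @@ -111,8 +114,20 @@, the newline clean-up is off by one: the `for` loop already turns every '\n' in loginmsg into a space, including a trailing one, and then `*--p = '\0';` chops the last character unconditionally. A message that ends in a newline only loses a harmless space, but one that does not loses its last real character. Strip the trailing newline first (`if (p > loginmsg && p[-1] == '\n') p[-1] = '\0';`), then replace whatever newlines remain.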
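Review bot: the auth1.c hunk @@ -66,9 +66,7 @@ changes two things at once: loginfailed() is now called for every failed method rather than only for password, and it is passed the client-supplied `user` instead of `pw->pw_name`. The first means a client that tries RSA before falling back to password adds one AIX failed-login record per connection, which feeds the per-account unsuccessful-login counter and can lock accounts that never saw a wrong password; the second writes an unvalidated string from the wire into the failed-login records. Keep the password-only condition (or record the other methods differently) and use `pw->pw_name` where `pw` is known.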
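Review bot: the auth1.c hunk @@ -408,8 +406,12 @@ calls loginfailed() again when `attempt > AUTH_FAIL_MAX`, but the earlier hunk in the same file already records one loginfailed() per failed attempt, so the attempt that trips the limit is counted twice. Drop one of the two calls, or treat the cutoff as a disconnect rather than as another failure.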
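Review bot: the auth2.c hunks @@ -154,9 +154,9 @@ and @@ -164,6 +164,12 @@ move the AUTH_FAIL_MAX check below the three packet_get_string() calls so that `user` is available for loginfailed(); as in auth1.c, that is the raw client-supplied name going straight into AIX's failed-login records, so bound its length and content before recording it. The moved check now also allocates `user`, `service` and `method` before disconnecting; harmless because packet_disconnect() exits, but worth a comment so nobody "fixes" it later.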
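Review bot: the config.h.in hunk @@ -12,6 +12,9 @@ hand-edits a generated file: config.h.in is produced from acconfig.h by autoheader, and the acconfig.h hunk already carries the WITH_AIXAUTHENTICATE entry. Since the cover note says to rerun autoconf anyway, this hunk can be dropped so the two files cannot drift apart.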
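Review bot: in the serverloop.c hunks @@ -85,7 +85,6 @@ and @@ -640,6 +639,7 @@, re-installing the SIGCHLD handler from the main loop instead of from inside the handler avoids re-entering the handler on platforms with reset-on-delivery signal semantics, but the new order leaves a window: `signal(SIGCHLD, sigchld_handler2)` runs after the waitpid() loop and after `child_terminated = 0`, so a child that exits between the end of the loop and the signal() call raises SIGCHLD while the disposition is still SIG_DFL, the flag is never set, and that child stays unreaped until some later SIGCHLD arrives. Re-install the handler and clear the flag before the waitpid() loop so a late exit is picked up on the next pass.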
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Mon, 15 May 2000 14:04:02 +0100
Subject: liblogin (was: Re: AIX authenticate patches)
References: <391FF35C.7432DD45@abac.com>
Message-ID: <391FF5C2.1186EF3@dial.pipex.com>

I've not had any feedback on liblogin for a long time, and I've not done
any work on it for a while either. The login.c code in openssh is
workable, does most of what's required, and is actively maintained.

Like any such project, liblogin is only worth doing if it's being used.
I never expected anyone to get excited about it - it is dull, all things
considered - but I heard nothing at all for three months. So, I consider
it an ex-project. It has ceased to be.

I'm sorry I haven't changed the webpage to reflect this, I will do so
tonight.

-Andre'

Tom Bertelson wrote:
>
> Here are some patches to re-enable support for AIX's authenticate
> routines. With them, ssh will honor locked & unlocked accounts, record
> successful and unsuccessful logins, and deny accounts that are
> prohibited to log in via the network. Tested with AIX 4.3.
>
> It also includes a fix for handling SIGCHLD that may be needed for
> other platforms (HP-UX 10.20, for example).
>
> If I get the time I'll see about rolling these changes into liblogin,
> where I guess they really belong.
>
> I didn't include the changes to configure; run "autoconf" to rebuild the
> configure script.
>
> [Is this the correct method for submitting patches, posting them to the
> list?]
> --
> Tom Bertelson           "Any sufficiently advanced technology
> RHI Consulting           is indistinguishable from magic."
> tbert at abac.com              -- Arthur C. Clarke

From tbert at abac.com Tue May 16 00:14:54 2000
From: tbert at abac.com (Tom Bertelson)
Date: Mon, 15 May 2000 10:14:54 -0400
Subject: liblogin (was: Re: AIX authenticate patches)
References: <391FF35C.7432DD45@abac.com> <391FF5C2.1186EF3@dial.pipex.com>
Message-ID: <3920065E.4F226295@abac.com>

Andre Lucas wrote:
>
> I've not had any feedback on liblogin for a long time, and I've not done
> any work on it for a while either. The login.c code in openssh is
> workable, does most of what's required, and is actively maintained.
>
> Like any such project, liblogin is only worth doing if it's being used.
> I never expected anyone to get excited about it - it is dull, all things
> considered - but I heard nothing at all for three months. So, I consider
> it an ex-project. It has ceased to be.
>
> I'm sorry I haven't changed the webpage to reflect this, I will do so
> tonight.

That's fine -- less porting effort for me. Be sure to update
openssh-2.1.0/contrib/README too so no one else gets confused.

--
Tom Bertelson           "Any sufficiently advanced technology
RHI Consulting           is indistinguishable from magic."
tbert at abac.com              -- Arthur C. Clarke

From mhw at wittsend.com Mon May 15 23:45:14 2000
From: mhw at wittsend.com (Michael H. Warfield)
Date: Mon, 15 May 2000 09:45:14 -0400
Subject: Strange problem with X11 forwarding...
Message-ID: <20000515094514.D17459@alcove.wittsend.com>

Ok... This could be cockpit error, but I just don't see it.

I've installed OpenSSH 2.1.0 and I can't get X11 forwarding to work. I
don't recall having this problem under 1.2.3, but I don't use X11
forwarding often enough to really say that I actually saw it work either.

Both sides are running OpenSSH-2.1.0-1 installed from rpm. The client side
is running RedHat Linux 6.1 while the server side is running RedHat Linux
6.2. Kernel is 2.3.99pre8 on the client side and 2.2.15 on the server
side. I've got DSA and RSA keys defined for both systems but I'm
connecting using RSA keys for my identity. I've enabled X11 forwarding on
both the client and server side.

When I connect to the other side and run an X app, I get two errors and it
fails. Example:

[mhw at alcove mhw]$ ssh canyon
Last login: Mon May 15 05:41:07 2000 from alcove.wittsend.com
[mhw at canyon mhw]$ xterm
channel 0: istate 4 != open
channel 0: ostate 64 != open
X connection to canyon:10.0 broken (explicit kill or server shutdown).
[mhw at canyon mhw]$ echo $DISPLAY
canyon:10.0
[mhw at canyon mhw]$

Sooo.... Offset is 10 and DISPLAY is getting set properly, but I get these
istate and ostate errors on channel 0. What have I got screwed up here?

Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

From gaa at ulticom.com Tue May 16 02:29:30 2000
From: gaa at ulticom.com (Gary Algier) Date: Mon, 15 May 2000 12:29:30 -0400 (EDT) Subject: Configurable PAM Service name Message-ID: <200005151629.MAA43883@garnet.dgms.com> I have created patches to allow for a configurable PAM service name. I use this with the ListenAddress configuration parameters, along with ipaliasing and firewall blocking, to force a SecurID authentication on remote connections but still allow for "normal" access internally. If anyone is interested, here they are: Index: auth-pam.c =================================================================== RCS file: /u/itsrc/cvs/security/openssh/auth-pam.c,v retrieving revision 1.1.1.3 retrieving revision 1.1.1.3.2.1 diff -u -r1.1.1.3 -r1.1.1.3.2.1 --- auth-pam.c 2000/05/11 21:28:36 1.1.1.3 +++ auth-pam.c 2000/05/13 17:33:09 1.1.1.3.2.1 @@ -211,11 +211,12 @@ /* Start PAM authentication for specified account */ void start_pam(struct passwd *pw) { + extern ServerOptions options; int pam_retval; - debug("Starting up PAM with username \"%.200s\"", pw->pw_name); + debug("Starting up PAM with service \"%s\" and username \"%.200s\"", options.pam_service, pw->pw_name); - pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv, + pam_retval = pam_start(options.pam_service, pw->pw_name, &conv, (pam_handle_t**)&pamh); if (pam_retval != PAM_SUCCESS) fatal("PAM initialisation failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); Index: servconf.c =================================================================== RCS file: /u/itsrc/cvs/security/openssh/servconf.c,v retrieving revision 1.1.1.3 retrieving revision 1.1.1.3.2.1 diff -u -r1.1.1.3 -r1.1.1.3.2.1 --- servconf.c 2000/05/11 21:28:52 1.1.1.3 +++ servconf.c 2000/05/13 17:33:09 1.1.1.3.2.1 @@ -34,6 +34,7 @@ options->host_key_file = NULL; options->host_dsa_key_file = NULL; options->pid_file = NULL; + options->pam_service = NULL; options->server_key_bits = -1; options->login_grace_time = -1; options->key_regeneration_time = -1; 
@@ -89,6 +90,8 @@ options->host_dsa_key_file = HOST_DSA_KEY_FILE; if (options->pid_file == NULL) options->pid_file = SSH_DAEMON_PID_FILE; + if (options->pam_service == NULL) + options->pam_service = SSHD_PAM_SERVICE; if (options->server_key_bits == -1) options->server_key_bits = 768; if (options->login_grace_time == -1) @@ -177,7 +180,7 @@ sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile, - sGatewayPorts, sDSAAuthentication + sPAMService, sGatewayPorts, sDSAAuthentication } ServerOpCodes; /* Textual representation of the tokens. */ @@ -189,6 +192,7 @@ { "hostkey", sHostKeyFile }, { "hostdsakey", sHostDSAKeyFile }, { "pidfile", sPidFile }, + { "pamservice", sPAMService }, { "serverkeybits", sServerKeyBits }, { "logingracetime", sLoginGraceTime }, { "keyregenerationinterval", sKeyRegenerationTime }, @@ -385,6 +389,18 @@ } if (*charptr == NULL) *charptr = tilde_expand_filename(cp, getuid()); + break; + + case sPAMService: + charptr = &options->pam_service; + cp = strtok(NULL, WHITESPACE); + if (!cp) { + fprintf(stderr, "%s line %d: missing PAM service name.\n", + filename, linenum); + exit(1); + } + if (*charptr == NULL) + *charptr = xstrdup(cp); break; case sRandomSeedFile: Index: servconf.h =================================================================== RCS file: /u/itsrc/cvs/security/openssh/servconf.h,v retrieving revision 1.1.1.2 retrieving revision 1.1.1.2.2.1 diff -u -r1.1.1.2 -r1.1.1.2.2.1 --- servconf.h 2000/05/11 21:28:53 1.1.1.2 +++ servconf.h 2000/05/13 17:33:10 1.1.1.2.2.1 
@@ -34,6 +34,7 @@ char *host_key_file; /* File containing host key. */ char *host_dsa_key_file; /* File containing dsa host key. */ char *pid_file; /* Where to put our pid */ + char *pam_service; /* Service name for PAM */ int server_key_bits;/* Size of the server key. */ int login_grace_time; /* Disconnect if no auth in this time * (sec). */ From kevin_oconnor at standardandpoors.com Tue May 16 03:09:22 2000 From: kevin_oconnor at standardandpoors.com (kevin_oconnor at standardandpoors.com) Date: Mon, 15 May 2000 13:09:22 -0400 Subject: [PATCH] using openssl with no-rsa? Message-ID: <20000515171006.B4DCC2758B@toad.mindrot.org> Hello, Due to patent concerns, I compiled a version of openssl with the no-rsa, no-idea, no-rc5 options. I was able to then take this compile of openssl, with the standard openssh-2.1.0 rpms and run it on another machine. Most things seemed to work fine, except I was unable to ssh into the machine. After applying the following patch to the sshd code, a quick test with an ssh session worked: --- sshd.c~ Sat May 6 22:03:20 2000 +++ sshd.c Mon May 15 12:04:34 2000 
@@ -404,9 +404,12 @@ destroy_sensitive_data(void) { /* Destroy the private and public keys. They will no longer be needed. */ - RSA_free(public_key); - RSA_free(sensitive_data.private_key); - RSA_free(sensitive_data.host_key); + if (public_key != NULL) + RSA_free(public_key); + if (sensitive_data.private_key != NULL) + RSA_free(sensitive_data.private_key); + if (sensitive_data.host_key != NULL) + RSA_free(sensitive_data.host_key); if (sensitive_data.dsa_host_key != NULL) key_free(sensitive_data.dsa_host_key); } The machine is an i686 using standard RedHat 6.2. It appears that the ssh binaries are doing some form of delayed linking that is allowing the program to run without all the functions defined. It appears that as long as no RSA_xxx calls are made the ssh server works. My question is - Am I doing something seriously wrong (that will definitely break at some point), or is this an acceptable fix for getting a working non-RSA ssh daemon on Linux? Am I going about this all wrong - is there a simpler method? I'm not on the list, so please CC me any replies. Thanks in advance, -Kevin From Christoph.Badura at Dresdner-Bank.com Tue May 16 03:41:44 2000 
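Review bot: the NULL guards added in destroy_sensitive_data() are harmless (RSA_free() tolerates a NULL argument) but they do not address why the daemon runs at all against a no-rsa OpenSSL: sshd still references RSA_free and every other RSA_* symbol and only starts because the runtime linker binds them lazily, which is the "delayed linking" the mail describes. With LD_BIND_NOW in the environment, or a libssl linked with -z now, sshd will refuse to start, and any path that reaches an RSA_* call will abort at runtime rather than fail gracefully. The robust fix is to exclude the RSA code at compile time behind a configure-detected macro rather than rely on lazy binding.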
From: Christoph.Badura at Dresdner-Bank.com (Badura, Christoph) Date: Mon, 15 May 2000 19:41:44 +0200 Subject: Patch: OpenSSH 2.1.0 under Solaris 8, Solaris 7 and other sys tems, too Message-ID: <838E11BB31D0D3119DBF0008C7A47FE78E46CE@FFZ00ZA6> Because Norbert's patch didn't fix all the core dumps here's a minimal minimal patch that implements Andre's suggestion: *** entropy.c.orig Tue May 2 01:56:41 2000 --- entropy.c Mon May 15 16:18:22 2000 *************** *** 129,134 **** --- 129,136 ---- unsigned int badness; /* Increases by factor of two each timeout */ unsigned int sticky_badness; + /* Unparsed copy of cmd field in control file */ + char *cmd; /* Path to executable */ char *path; /* argv to pass to executable */ *************** *** 211,218 **** /* FIXME: turn this off later */ #if 1 ! debug("Got %0.2f bytes of entropy from %s", entropy_estimate, ! entropy_sources[c].path); #endif total_entropy_estimate += entropy_estimate; --- 213,220 ---- /* FIXME: turn this off later */ #if 1 ! debug("Got %0.2f bytes of entropy from '%s'", entropy_estimate, ! entropy_sources[c].cmd); #endif total_entropy_estimate += entropy_estimate; *************** *** 225,233 **** } else { /* FIXME: turn this off later */ #if 1 ! debug("Command '%s %s %s' disabled (badness %d)", ! entropy_sources[c].path, entropy_sources[c].args[1], ! entropy_sources[c].args[2], entropy_sources[c].badness); #endif if (entropy_sources[c].badness > 0) --- 227,235 ---- } else { /* FIXME: turn this off later */ #if 1 ! debug("Command '%s' disabled (badness %d)", ! entropy_sources[c].cmd, ! entropy_sources[c].badness); #endif if (entropy_sources[c].badness > 0) *************** *** 324,331 **** close(devnull); execv(src->path, (char**)(src->args)); ! debug("(child) Couldn't exec '%s %s %s': %s", src->path, ! src->args[1], src->args[2], strerror(errno)); src->badness = src->sticky_badness = 128; _exit(-1); default: /* Parent */ --- 326,333 ---- close(devnull); execv(src->path, (char**)(src->args)); ! 
debug("(child) Couldn't exec '%s': %s", src->cmd, ! strerror(errno)); src->badness = src->sticky_badness = 128; _exit(-1); default: /* Parent */ *************** *** 372,378 **** case -1: default: ! error("Command '%s %s': select() failed: %s", src->path, src->args[1], strerror(errno)); error_abort = 1; break; --- 374,380 ---- case -1: default: ! error("Command '%s': select() failed: %s", src->cmd, strerror(errno)); error_abort = 1; break; *************** *** 386,393 **** close(p[0]); if (waitpid(pid, &status, 0) == -1) { ! error("Couldn't wait for child '%s %s' completion: %s", src->path, ! src->args[1], strerror(errno)); /* return(-1); */ /* FIXME: (ATL) this doesn't feel right */ return(0.0); } --- 388,395 ---- close(p[0]); if (waitpid(pid, &status, 0) == -1) { ! error("Couldn't wait for child '%s' completion: %s", src->cmd, ! strerror(errno)); /* return(-1); */ /* FIXME: (ATL) this doesn't feel right */ return(0.0); } *************** *** 398,404 **** /* closing p[0] on timeout causes the entropy command to * SIGPIPE. Take whatever output we got, and mark this command * as slow */ ! debug("Command %s %s timed out", src->path, src->args[1]); src->sticky_badness *= 2; src->badness = src->sticky_badness; return(total_bytes_read); --- 400,406 ---- /* closing p[0] on timeout causes the entropy command to * SIGPIPE. Take whatever output we got, and mark this command * as slow */ ! debug("Command '%s' timed out", src->cmd); src->sticky_badness *= 2; src->badness = src->sticky_badness; return(total_bytes_read); *************** *** 408,419 **** if (WEXITSTATUS(status)==0) { return(total_bytes_read); } else { ! debug("Exit status was %d", WEXITSTATUS(status)); src->badness = src->sticky_badness = 128; return (0.0); } } else if (WIFSIGNALED(status)) { ! debug("Returned on uncaught signal %d !", status); src->badness = src->sticky_badness = 128; return(0.0); } else --- 410,422 ---- if (WEXITSTATUS(status)==0) { return(total_bytes_read); } else { ! 
debug("Exit status of '%s' was %d", src->cmd, ! WEXITSTATUS(status)); src->badness = src->sticky_badness = 128; return (0.0); } } else if (WIFSIGNALED(status)) { ! debug("Returned on uncaught signal %d for '%s'!", status, src->cmd); src->badness = src->sticky_badness = 128; return(0.0); } else *************** *** 614,619 **** --- 617,627 ---- linenum, cmdfilename); continue; } + + /* save copy of command args for use in debug() */ + cp = (char*)xmalloc(strlen(cmd)+1); + strcpy(cp, cmd); + entcmd[cur_cmd].cmd = cp; /* split the command args */ cp = strtok(cmd, WHITESPACE); From Christoph.Badura at Dresdner-Bank.com Tue May 16 03:50:00 2000 
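Review bot: in the hunk at lines 408-419, `debug("Returned on uncaught signal %d for '%s'!", status, src->cmd);` still prints the raw wait status rather than the signal number; while this line is being touched, pass `WTERMSIG(status)` so the logged number is the signal that killed the command.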
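Review bot: in the hunk at lines 614-619, the three added lines `cp = (char*)xmalloc(strlen(cmd)+1); strcpy(cp, cmd); entcmd[cur_cmd].cmd = cp;` are what OpenSSH's xstrdup() already does, so `entcmd[cur_cmd].cmd = xstrdup(cmd);` is shorter and drops the cast. Taking the copy before the following `strtok(cmd, WHITESPACE)` writes NULs into the buffer is the right order, and since the table lives for the process lifetime no free() is needed; a one-line comment saying so would stop a later reader from hunting for the leak.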
From: Christoph.Badura at Dresdner-Bank.com (Badura, Christoph) Date: Mon, 15 May 2000 19:50:00 +0200 Subject: Patch: utmp problems under Solaris 2.x Message-ID: <838E11BB31D0D3119DBF0008C7A47FE78E46CF@FFZ00ZA6> A couple of people have noticed inconsistent utmp entries under Solaris 2.x. The following patch solves these for me under SunOS 5.6. Basically, everything in bsd-login.c:login() but the last three statements are in the "#ifdef USE_UTMPX" block are superfluous and harmful. The utmp and wtmp files are kept in sync by the routines that update the -x versions. This should probably be cleaned up. *** bsd-login.c.orig Mon May 1 14:53:53 2000 --- bsd-login.c Mon May 15 18:44:09 2000 *************** *** 110,116 **** #endif #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) struct utmpx *old_utx; ! #endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ register int fd; int tty; --- 110,116 ---- #endif #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) struct utmpx *old_utx; ! #else /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ register int fd; int tty; *************** *** 169,174 **** --- 169,175 ---- (void)write(fd, utp, sizeof(struct utmp)); (void)close(fd); } + #endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) old_utx = pututxline(utx); # ifdef HAVE_UPDWTMPX -chb From gaa at ulticom.com Tue May 16 05:00:31 2000 
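Review bot: in the hunk at lines 110-116, turning `#endif` into `#else` compiles the entire utmp path out whenever USE_UTMPX is set, on the strength of the claim that the utmpx routines keep utmp and wtmp in sync. That holds for the SunOS 5.6 system described in the mail, but USE_UTMPX can be defined on other platforms where pututxline() does not maintain the legacy files, and those would silently lose utmp/wtmp entries. Either restrict the `#else` to the platforms where the synchronisation is known, or keep the utmp code as a fallback; in any case the reason belongs in a source comment, not only in the mail.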
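Review bot: in the hunk at lines 169-175, the new `#endif` is immediately followed by a fresh `#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)` on the next line. Closing one conditional and reopening the same one reads as two unrelated blocks; folding the utmpx code into the `#if` half of the single `#if ... #else ... #endif` would make the mutual exclusion obvious and leaves one fewer preprocessor boundary to get wrong.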
From: gaa at ulticom.com (Gary Algier)
Date: Mon, 15 May 2000 15:00:31 -0400
Subject: A Heisenbug?
Message-ID: <3920494F.57A7E6EF@dgms.com>

I am trying to run OpenSSH 2.1.0 on Solaris 2.6. It seems to have what I
call a Heisenbug. It only fails as long as you are not looking at it:

1) I run it as "sshd -f /etc/some-config-file". I can log in, and a
   "ps -ef | grep sshd" shows the parent and the child. When I exit, the
   child dies, but so does the parent.
2) I run it with "sshd -d ..." and this tells me nothing.
3) I "truss -f -p ..." the running parent and I see that it seems to do
   an "exit(0)".
4) I use gdb and attach to the running parent and IT WORKS JUST FINE.

Every sshd running under gdb works fine, every sshd started normally
dies. I guess I need to start sshd with gdb every time ;-).

Any ideas?

-- 
Gary Algier, WB2FWZ            gary.algier at ulticom.com   +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054       Fax:+1 856 866 2033
This space intentionally left blank by the censors.

From ghelmer at cs.iastate.edu Tue May 16 07:15:43 2000
From: ghelmer at cs.iastate.edu (Guy Helmer)
Date: Mon, 15 May 2000 16:15:43 -0500 (CDT)
Subject: OpenSSH (1.2.3) sshd hanging when using rsync over ssh (retry)
Message-ID:

Now that the list is said to be open again, I'm resending this. I've
merged my changes into OpenSSH 2.1.0 as Kris imported it into FreeBSD
over the weekend.

---------- Forwarded message ----------
Date: Thu, 4 May 2000 08:40:22 -0500 (CDT)
From: Guy Helmer
To: openssh-unix-dev at mindrot.org
Subject: OpenSSH (1.2.3) sshd hanging when using rsync over ssh

I have debugged a problem with OpenSSH's sshd (as found in FreeBSD, based
on OpenSSH 1.2.3) that has been bugging me ever since I switched from
ssh-1.2.27.

I use rsync (FreeBSD port ports/net/rsync) over ssh to synchronize and
backup my main home directory and development directories to other
systems. rsync always worked great with ssh-1.2.2[67]. Since I switched
my machines to run OpenSSH's sshd, rsync over ssh would randomly hang
(although the hangs were very persistent when synchronizing large files).

I noticed from netstat that the connection to ssh on the sshd server
machine showed waiting data in the Recv-Q, but no waiting data in the
Send-Q, so I decided to look into sshd. I grabbed a core from sshd when
this hang happened, and gdb showed this stack trace:

#0  0x281e20c4 in write () from /usr/lib/libc.so.4
#1  0x804fb18 in process_output (writeset=0xbfbfed04) at /usr/src/secure/usr.sbin/sshd/../../../crypto/openssh/serverloop.c:366
#2  0x8050029 in server_loop (pid=43486, fdin_arg=9, fdout_arg=9, fderr_arg=11) at /usr/src/secure/usr.sbin/sshd/../../../crypto/openssh/serverloop.c:563
#3  0x8053b60 in do_exec_no_pty (command=0x80750c0 "rsync --server --sender -vlgtpr --delete . /home/ghelmer/ ", pw=0xbfbfef80, display=0x806c0a0 "mocha.cs.iastate.edu:10.0", auth_proto=0x806c100 "MIT-MAGIC-COOKIE-1", auth_data=0x8075000 "cdf4b6cb730310be3d51a8abf77303fc") at /usr/src/secure/usr.sbin/sshd/../../../crypto/openssh/sshd.c:2211
#4  0x805386c in do_authenticated (pw=0xbfbfef80) at /usr/src/secure/usr.sbin/sshd/../../../crypto/openssh/sshd.c:2037
#5  0x80527b4 in do_authentication () at /usr/src/secure/usr.sbin/sshd/../../../crypto/openssh/sshd.c:1408
#6  0x8051b43 in main (ac=1, av=0xbfbff624) at /usr/src/secure/usr.sbin/sshd/../../../crypto/openssh/sshd.c:970
#7  0x804aae1 in _start ()

The code around frame #1 was

361 {
362         int len;
363 
364         /* Write buffered data to program stdin. */
365         if (fdin != -1 && FD_ISSET(fdin, writeset)) {
366                 len = write(fdin, buffer_ptr(&stdin_buffer),
367                     buffer_len(&stdin_buffer));
368                 if (len <= 0) {
369 #ifdef USE_PIPES
370                         close(fdin);

and stdin_buffer contains

$2 = {buf = 0x80b1000 "?\004\212D\204?c?", alloc = 45056, offset = 0, end = 8192}

So, it appears sshd was stuck in a write() that wouldn't complete. (Even
when I kill the ssh client, sshd hangs around and never notices that the
connection has gone away.)

I figured this was probably something that was fixed in ssh-1.2.27, and
sure enough, fdin was set to be nonblocking and errno was checked for the
value EWOULDBLOCK in process_output. I added similar code to
serverloop.c, and now rsync over ssh works great.

I'm worried that my code is tainted, though, since I looked at the
ssh-1.2.27 sources. If you don't think it is a problem, and if you are
interested, I can send you my diffs... I don't have ties to OpenBSD, so
I'm not sure who in particular I should contact about this.

Thanks,
Guy

Guy Helmer, Ph.D. Candidate, Iowa State University Dept. of Computer Science
Research Assistant, Dept. of Computer Science --- ghelmer at cs.iastate.edu
http://www.cs.iastate.edu/~ghelmer

From marc.fournier at acadiau.ca Tue May 16 23:33:16 2000
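The hang in the stack trace above is a blocking write() on a full pipe to the rsync child. The following is an added example, not OpenSSH code and not Guy's patch, of the process_output()-style handling it describes: the descriptor is made nonblocking and a would-block result keeps the data buffered instead of blocking, while a real error (reader gone) still closes the descriptor. The names set_nonblock(), write_buffered() and the two demo functions are chosen here, and the pipe that is never drained is constructed input standing in for a stalled child.

```c
/* Added example (not OpenSSH code): a process_output()-style writer that
 * tolerates a nonblocking stdin descriptor instead of blocking in write(). */
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Put fd into nonblocking mode, as ssh-1.2.27 did for fdin. */
int set_nonblock(int fd)
{
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

/* Write as much of buf as the kernel accepts right now.
 * Returns bytes consumed (>= 0). 0 means "would block": keep the data
 * buffered and wait for select() to report fdin writable again.
 * Returns -1 only on a real error (EPIPE, EBADF, ...), the case in which
 * the caller should close fdin. */
ssize_t write_buffered(int fd, const char *buf, size_t len)
{
    ssize_t n = write(fd, buf, len);
    if (n < 0) {
        if (errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR)
            return 0;
        return -1;
    }
    return n;
}

/* Fill a nonblocking pipe whose other end nobody reads (constructed
 * stand-in for a stalled rsync child). With a blocking descriptor this
 * loop would hang like the sshd above; with O_NONBLOCK we see the
 * would-block condition and return. Returns 1 if it was observed, -1 on
 * error; *bytes_queued (may be NULL) receives how much the pipe took. */
int demo_pipe_fill(size_t *bytes_queued)
{
    int p[2], i;
    char chunk[4096];
    size_t total = 0;

    if (pipe(p) == -1 || set_nonblock(p[1]) == -1)
        return -1;
    memset(chunk, 'x', sizeof chunk);
    for (i = 0; i < 1000000; i++) {
        ssize_t n = write_buffered(p[1], chunk, sizeof chunk);
        if (n < 0) {
            close(p[0]);
            close(p[1]);
            return -1;
        }
        if (n == 0)
            break;                  /* pipe buffer full: EWOULDBLOCK */
        total += (size_t)n;
    }
    close(p[0]);
    close(p[1]);
    if (bytes_queued)
        *bytes_queued = total;
    return i < 1000000 ? 1 : -1;
}

/* A write on a pipe whose reader has gone away is a hard error (EPIPE),
 * not a would-block: write_buffered() must return -1 so the caller closes
 * fdin rather than retrying forever. Returns 1 if that is what happened. */
int demo_reader_gone(void)
{
    int p[2], saved;
    ssize_t n;

    if (pipe(p) == -1)
        return -1;
    signal(SIGPIPE, SIG_IGN);       /* turn the signal into an errno */
    close(p[0]);                    /* the "client side" is gone */
    n = write_buffered(p[1], "x", 1);
    saved = errno;
    close(p[1]);
    return (n == -1 && saved == EPIPE) ? 1 : 0;
}

int main(void)
{
    size_t queued = 0;
    int blocked = demo_pipe_fill(&queued);
    printf("would-block observed: %d after %zu bytes\n", blocked, queued);
    printf("reader gone reported as hard error: %d\n", demo_reader_gone());
    return 0;
}
```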
From: marc.fournier at acadiau.ca (Marc G. Fournier) Date: Tue, 16 May 2000 10:33:16 -0300 (ADT) Subject: Patch: OpenSSH 2.1.0 under Solaris 8, Solaris 7 and other sys tems, too In-Reply-To: <838E11BB31D0D3119DBF0008C7A47FE78E46CE@FFZ00ZA6> Message-ID: does this replace, or work over top of, Norbert's patch? On Mon, 15 May 2000, Badura, Christoph wrote: > Because Norbert's patch didn't fix all the core dumps here's a minimal > minimal patch that implements Andre's suggestion: > > *** entropy.c.orig Tue May 2 01:56:41 2000 > --- entropy.c Mon May 15 16:18:22 2000 > *************** > *** 129,134 **** > --- 129,136 ---- > unsigned int badness; > /* Increases by factor of two each timeout */ > unsigned int sticky_badness; > + /* Unparsed copy of cmd field in control file */ > + char *cmd; > /* Path to executable */ > char *path; > /* argv to pass to executable */ > *************** > *** 211,218 **** > > /* FIXME: turn this off later */ > #if 1 > ! debug("Got %0.2f bytes of entropy from %s", > entropy_estimate, > ! entropy_sources[c].path); > #endif > > total_entropy_estimate += entropy_estimate; > --- 213,220 ---- > > /* FIXME: turn this off later */ > #if 1 > ! debug("Got %0.2f bytes of entropy from > '%s'", entropy_estimate, > ! entropy_sources[c].cmd); > #endif > > total_entropy_estimate += entropy_estimate; > *************** > *** 225,233 **** > } else { > /* FIXME: turn this off later */ > #if 1 > ! debug("Command '%s %s %s' disabled (badness > %d)", > ! entropy_sources[c].path, > entropy_sources[c].args[1], > ! entropy_sources[c].args[2], > entropy_sources[c].badness); > #endif > > if (entropy_sources[c].badness > 0) > --- 227,235 ---- > } else { > /* FIXME: turn this off later */ > #if 1 > ! debug("Command '%s' disabled (badness %d)", > ! entropy_sources[c].cmd, > ! entropy_sources[c].badness); > #endif > > if (entropy_sources[c].badness > 0) > *************** > *** 324,331 **** > close(devnull); > > execv(src->path, (char**)(src->args)); > ! 
debug("(child) Couldn't exec '%s %s %s': %s", > src->path, > ! src->args[1], src->args[2], > strerror(errno)); > src->badness = src->sticky_badness = 128; > _exit(-1); > default: /* Parent */ > --- 326,333 ---- > close(devnull); > > execv(src->path, (char**)(src->args)); > ! debug("(child) Couldn't exec '%s': %s", src->cmd, > ! strerror(errno)); > src->badness = src->sticky_badness = 128; > _exit(-1); > default: /* Parent */ > *************** > *** 372,378 **** > > case -1: > default: > ! error("Command '%s %s': select() failed: %s", > src->path, src->args[1], > strerror(errno)); > error_abort = 1; > break; > --- 374,380 ---- > > case -1: > default: > ! error("Command '%s': select() failed: %s", src->cmd, > strerror(errno)); > error_abort = 1; > break; > *************** > *** 386,393 **** > close(p[0]); > > if (waitpid(pid, &status, 0) == -1) { > ! error("Couldn't wait for child '%s %s' completion: %s", > src->path, > ! src->args[1], strerror(errno)); > /* return(-1); */ /* FIXME: (ATL) this doesn't feel right */ > return(0.0); > } > --- 388,395 ---- > close(p[0]); > > if (waitpid(pid, &status, 0) == -1) { > ! error("Couldn't wait for child '%s' completion: %s", > src->cmd, > ! strerror(errno)); > /* return(-1); */ /* FIXME: (ATL) this doesn't feel right */ > return(0.0); > } > *************** > *** 398,404 **** > /* closing p[0] on timeout causes the entropy command to > * SIGPIPE. Take whatever output we got, and mark this > command > * as slow */ > ! debug("Command %s %s timed out", src->path, src->args[1]); > src->sticky_badness *= 2; > src->badness = src->sticky_badness; > return(total_bytes_read); > --- 400,406 ---- > /* closing p[0] on timeout causes the entropy command to > * SIGPIPE. Take whatever output we got, and mark this > command > * as slow */ > ! 
debug("Command '%s' timed out", src->cmd); > src->sticky_badness *= 2; > src->badness = src->sticky_badness; > return(total_bytes_read); > *************** > *** 408,419 **** > if (WEXITSTATUS(status)==0) { > return(total_bytes_read); > } else { > ! debug("Exit status was %d", WEXITSTATUS(status)); > src->badness = src->sticky_badness = 128; > return (0.0); > } > } else if (WIFSIGNALED(status)) { > ! debug("Returned on uncaught signal %d !", status); > src->badness = src->sticky_badness = 128; > return(0.0); > } else > --- 410,422 ---- > if (WEXITSTATUS(status)==0) { > return(total_bytes_read); > } else { > ! debug("Exit status of '%s' was %d", src->cmd, > ! WEXITSTATUS(status)); > src->badness = src->sticky_badness = 128; > return (0.0); > } > } else if (WIFSIGNALED(status)) { > ! debug("Returned on uncaught signal %d for '%s'!", status, > src->cmd); > src->badness = src->sticky_badness = 128; > return(0.0); > } else > *************** > *** 614,619 **** > --- 617,627 ---- > linenum, cmdfilename); > continue; > } > + > + /* save copy of command args for use in debug() */ > + cp = (char*)xmalloc(strlen(cmd)+1); > + strcpy(cp, cmd); > + entcmd[cur_cmd].cmd = cp; > > /* split the command args */ > cp = strtok(cmd, WHITESPACE); > > > Marc G. Fournier marc.fournier at acadiau.ca Senior Systems Administrator Acadia University "These are my opinions, which are not necessarily shared by my employer" From Christoph.Badura at Dresdner-Bank.com Tue May 16 23:37:40 2000 From: Christoph.Badura at Dresdner-Bank.com (Badura, Christoph) Date: Tue, 16 May 2000 15:37:40 +0200 Subject: AW: Patch: OpenSSH 2.1.0 under Solaris 8, Solaris 7 and other sys tems, too Message-ID: <838E11BB31D0D3119DBF0008C7A47FE78E46D3@FFZ00ZA6> This replaces Norbert's patch. > does this replace, or work over top of, Norbert's patch? > From bole at falcon.etf.bg.ac.yu Wed May 17 03:54:56 2000 
From: bole at falcon.etf.bg.ac.yu (Bosko Radivojevic)
Date: Tue, 16 May 2000 19:54:56 +0200 (CEST)
Subject: OpenSSH-2.1: FROM in 'w' empty?
In-Reply-To:
Message-ID:

On Thu, 11 May 2000, Damien Miller wrote:

> It works for me. Can you describe your environment some more?

I have the same problems. The FROM field in utmp/wtmp is empty, but in
lastlog it is ok...

System is Slackware 7.0 (glic-2.1.2).

Cheers,
Bole

From bole at falcon.etf.bg.ac.yu Wed May 17 04:14:20 2000
From: bole at falcon.etf.bg.ac.yu (Bosko Radivojevic)
Date: Tue, 16 May 2000 20:14:20 +0200 (CEST)
Subject: OpenSSH-2.1: FROM in 'w' empty?
In-Reply-To:
Message-ID:

On Tue, 16 May 2000, Bosko Radivojevic wrote:

> System is Slackware 7.0 (glic-2.1.2).
                            ^^^^ ---> glibc ;)

Bye

From emanuel at heatdeath.org Wed May 17 07:32:27 2000
From: emanuel at heatdeath.org (Emanuel Borsboom)
Date: Tue, 16 May 2000 14:32:27 -0700
Subject: on Solaris, "couldn't wait for child '...' completion: No child processes"
Message-ID: <20000516143226.A6147@heatdeath.org>

Trying to install the portable OpenSSH on Solaris 2.6. Compiling from
openssh-2.1.0.tar.gz using gcc. Compiles and installs fine. sshd starts
fine. First connection from another system works. Child sshd is forked,
but the parent dies and logs:

May 16 11:40:56 qtrade-dev sshd[6510]: error: Couldn't wait for child '/usr/bin/ls -alni' completion: No child processes
May 16 11:40:56 qtrade-dev last message repeated 3 times
May 16 11:40:56 qtrade-dev sshd[6510]: error: -1 Command '/usr/bin/ls -alni': select() failed: Interrupted system call
May 16 11:40:56 qtrade-dev sshd[6510]: error: Couldn't wait for child '/usr/bin/ls -alni' completion: No child processes
May 16 11:40:56 qtrade-dev sshd[6510]: error: -1 Command '/usr/bin/netstat -an': select() failed: Interrupted system call
May 16 11:40:56 qtrade-dev sshd[6510]: error: Couldn't wait for child '/usr/bin/netstat -an' completion: No child processes
May 16 11:40:56 qtrade-dev sshd[6510]: error: -1 Command '/usr/bin/netstat -rn': select() failed: Interrupted system call
May 16 11:40:56 qtrade-dev sshd[6510]: error: Couldn't wait for child '/usr/bin/netstat -rn' completion: No child processes
May 16 11:40:56 qtrade-dev sshd[6510]: error: Couldn't wait for child '/usr/bin/netstat -s' completion: Interrupted system call
May 16 11:40:57 qtrade-dev sshd[6510]: error: -1 Command '/usr/sbin/arp -a': select() failed: Interrupted system call
May 16 11:40:57 qtrade-dev sshd[6510]: error: Couldn't wait for child '/usr/sbin/arp -a' completion: No child processes
May 16 11:40:57 qtrade-dev sshd[6510]: error: Couldn't wait for child '/usr/sbin/ifconfig -a' completion: No child processes
May 16 11:40:57 qtrade-dev sshd[6510]: error: Couldn't wait for child '/usr/bin/ps -al' completion: No child processes
May 16 11:40:57 qtrade-dev sshd[6510]: error: Couldn't wait for child '/usr/bin/ps -efl' completion: No child processes

Looks like the problem is happening in entropy.c. I'd track it down and
fix it myself, but I don't have the time right now and am new to
Solaris. Has anyone else run into this? Any help very much appreciated.
I'm not on the list so please forward answers to me personally.

Thanks.

-- 
email.emanuel at heatdeath.org        icq.32914582
name.emanuel.borsboom               www.http://heatdeath.org/
tel.+1.250.812.2872                 chat.http://heatdeath.org/Me/Chat
ham.ve7nul                          webcam.http://headdeath.org/Me/Camera

From paul.l.allen at boeing.com Wed May 17 06:54:53 2000
From: paul.l.allen at boeing.com (Paul Allen)
Date: Tue, 16 May 2000 13:54:53 -0700
Subject: OpenSSH 2.1.0 won't build without rc5 and idea
Message-ID: <3921B59D.E1FA9B6C@boeing.com>

OK, I've hacked configure so that it simply checks that it can link with
openssl. Now, when I run make, it dies on authfile.c while trying to
include the non-existent headers openssl/rc5.h and openssl/idea.h. I
built my installation of openssl without those algorithms in order to
avoid commercial licensing issues. The following diff band-aids the
problem, but I think it's down-stream of the proper fix. This configure
stuff is cool when it works, but way too complex for my limited
brainpower when it doesn't. :-)

thumper% rcsdiff -r1.1 -r1.2 config.h
=================================================================== RCS file: RCS/config.h,v retrieving revision 1.1 retrieving revision 1.2 diff -r1.1 -r1.2 36a37,40 > /* Define if you have excluded some crypto algorithms from your openssl > installation */ > #define OPENSSL_ALGORITHM_DEFINES >
thumper%

I still need to test the version I just compiled. Since I haven't seen
any reports of this particular problem, I guess I'm in uncharted
territory. I'll have more to report later today or next week.

Paul Allen

-- 
Paul L. Allen               | voice: (425) 865-3297  fax: (425) 865-2964
Unix Technical Support      | paul.l.allen at boeing.com
Boeing Phantom Works Math & Computing Technology Site Operations,
POB 3707 M/S 7L-68, Seattle, WA 98124-2207

From pekkas at netcore.fi Wed May 17 08:59:47 2000
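Review bot: the `36a37,40` hunk defines OPENSSL_ALGORITHM_DEFINES by hand in config.h, which only works if config.h is included before every OpenSSL header in every translation unit: opensslconf.h emits its NO_RC5, NO_IDEA (and similar) macros only when that symbol is already defined, so a source file that pulls in an <openssl/...> header first will still try to include rc5.h. The durable fix is for configure to detect which algorithms the installed OpenSSL lacks and write the define (or the individual NO_* macros) into config.h itself, as the mail's own "down-stream of the proper fix" remark suggests; at minimum the comment above the define should say it must precede the OpenSSL headers.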
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 17 May 2000 01:59:47 +0300 (EEST)
Subject: OpenSSH-2.1: FROM in 'w' empty?
In-Reply-To:
Message-ID:

> On Thu, 11 May 2000, Damien Miller wrote:
> 
> > It works for me. Can you describe your environment some more?
> 
> I have the same problems. FROM field in utmp/wtmp are empty, but in
> lastlog is ok...
> 
> System is Slackware 7.0 (glic-2.1.2).

I figured this out. When merging stuff to create portable openssh, it
seems some autoconf stuff got changed and this causes the breakage.

I didn't do a complete analysis of this (because my eye isn't
autoconf-trained and it looked like a mess, playing with ossh_cv_* and
ac_cv_* in 'configure').

It seems that if you don't have utmpx.h and your utmp.h does contain
connecting hostname, autoconf doesn't configure required options AT ALL.
Only utmp definition by autoconf in here was '#define HAVE_UTMP_H 1'.

Adding these (as created properly in 2.0beta1) to config.h afterwards
made the compiling go well, and the bug disappeared:

-----
#define HAVE_HOST_IN_UTMP 1
#define HAVE_ADDR_IN_UTMP 1
#define HAVE_ADDR_V6_IN_UTMP 1
#define HAVE_PID_IN_UTMP 1
#define HAVE_TYPE_IN_UTMP 1
#define HAVE_TV_IN_UTMP 1
#define HAVE_ID_IN_UTMP 1
-----

Of course, this isn't the "proper" way to do this, but at least the
problem is pinpointed to configure script making wrong decisions now..

Regards,

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi    not those you stumble over and fall"

From satosh-t at ascii.co.jp Wed May 17 20:26:50 2000
From: satosh-t at ascii.co.jp (Satoshi Turuo)
Date: Wed, 17 May 2000 19:26:50 +0900
Subject: ASCII Tech Linux in Japan
Message-ID: <392273EA.B9E82AB9@ascii.co.jp>

Hi, OpenSSH developers

My name is Satoshi Turuo, and I'm an editor of Linux information
magazine, called "TECH Linux", ASCII Corp in Japan. "TECH Linux" is
Linux Magazine for Japanese LINUX Gamers, Newbie LINUX Game Programmers.
Newest issue comes with 2 CD-ROMs that loaded with Playable demos,
Free Softwares, Sharewares, product advertisements.

Right now, we are working on a particular project with which we would
like to ask you for your cooperation. The title of this project is;
"The COOL Softwares for Linux".

We would like your permissions to accommodate the given materials to the
CD-ROM of our magazine. (Linux client and server files for OpenSSH Unix
Port 2.1.0.[openssh-2.1.0.tar.gz])

If you are interested in the project, please contact me as soon as
possible. Actually, deadline of this project is staring us in the face,
so I am desperately waiting for you to give the answer back.

Thank you very much.

If you have any question about TECH Linux or if you send your reply,
please contact:

Satoshi Turuo
satosh-t at ascii.co.jp
TECH Linux
ASCII CORPORATION.
TOKYO, JAPAN.

From preed at sigkill.com Wed May 17 20:43:23 2000
From: preed at sigkill.com (J. Paul Reed)
Date: Wed, 17 May 2000 03:43:23 -0700 (PDT)
Subject: Confusion over versioning...
In-Reply-To: <392273EA.B9E82AB9@ascii.co.jp>
Message-ID:

Hey all:

Maybe this has been answered somewhere, or maybe I'm just being stupid,
but I was looking at the webpage today, and the links to the "other"
operating systems supported by OpenSSH has changed to a page about
porting to other OS's, and where you can pick up the ports.

So, my question is: is the 1.2.x branch of OpenSSH effectively dead? I
know OpenSSH 2.1 does SSH1 as well, but I only really want ssh1. Is
1.2.x not going to be maintained anymore, and will all the new bugfixes,
etc. be going into OpenSSH 2.x?

Thanks!

Later,
Paul

------------------------------------------------------------------------
J. Paul Reed                preed at sigkill.com || www.sigkill.com/preed
Forget that I know anything about metallurgy, physics, or engineering,
and just tell me what the hell is going on.  -- Dr. Venkman, Ghostbusters

From markus.friedl at informatik.uni-erlangen.de Wed May 17 22:12:30 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 17 May 2000 14:12:30 +0200
Subject: Confusion over versioning...
In-Reply-To: ; from preed@sigkill.com on Wed, May 17, 2000 at 03:43:23AM -0700
References: <392273EA.B9E82AB9@ascii.co.jp>
Message-ID: <20000517141230.A4856@folly.informatik.uni-erlangen.de>

On Wed, May 17, 2000 at 03:43:23AM -0700, J. Paul Reed wrote:
> So, my question is is the 1.2.x branch of OpenSSH effectively dead?

there are no branches of OpenSSH. version numbers are arbitrary.
version numbers only tell you: beginning with version x this bug y is
gone.

> I know
> OpenSSH 2.1 does SSH1 as well, but I only really want ssh1. Is 1.2.x not
> going to be maintained anymore, and will all the new bugfixes, etc. be
> going into OpenSSH 2.x?

yes, only the current release will be maintained. or to put it in
another way: 1.2.x is maintained and the maintained version is called
2.1.

what are the problems with OpenSSH 2.1 ? there is no need to enable
protocol 2.

From preed at sigkill.com Wed May 17 22:24:57 2000
From: preed at sigkill.com (J. Paul Reed)
Date: Wed, 17 May 2000 05:24:57 -0700 (PDT)
Subject: Confusion over versioning...
In-Reply-To: <20000517141230.A4856@folly.informatik.uni-erlangen.de>
Message-ID:

On Wed, 17 May 2000, Markus Friedl wrote:

> On Wed, May 17, 2000 at 03:43:23AM -0700, J. Paul Reed wrote:
> > So, my question is is the 1.2.x branch of OpenSSH effectively dead?
> 
> there are no branches of OpenSSH. version numbers are arbitrary.
> version numbers only tell you: beginning with version x this bug y is
> gone.

Ok...so this is different from how they originally did ssh (i.e. a 1.2.x
"branch" and a 2.x branch for ssh2).

> > I know
> > OpenSSH 2.1 does SSH1 as well, but I only really want ssh1. Is 1.2.x not
> > going to be maintained anymore, and will all the new bugfixes, etc. be
> > going into OpenSSH 2.x?
> 
> yes, only the current release will be maintained. or to put it in
> another way: 1.2.x is maintained and the maintained version is called
> 2.1.

Hmmm...had to think about that for a second, but it makes sense...thanks!

> what are the problems with OpenSSH 2.1 ? there is no need to enable
> protocol 2.

Is that a compile-time option? Can I disable ssh2 support in OpenSSH 2.1?

I've heard some bug reports from the field about people getting OpenSSH
2.1 to work...but I haven't tried, and for everyone who has a problem,
probably 10 people get it to work fine.

I also can say that I honestly don't know the difference between the
ssh1 protocol and the ssh2 protocol; I just like ssh1 because I feel I
have a pretty good understanding of how it works, and don't feel like
learning the nuances of ssh2, if they differ significantly. Basically,
I'm just lazy. ;-)

Thanks for the answer.

Later,
Paul

------------------------------------------------------------------------
J. Paul Reed                preed at sigkill.com || www.sigkill.com/preed
Forget that I know anything about metallurgy, physics, or engineering,
and just tell me what the hell is going on.  -- Dr. Venkman, Ghostbusters

From djm at mindrot.org Wed May 17 22:55:33 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 17 May 2000 22:55:33 +1000 (EST)
Subject: Confusion over versioning...
In-Reply-To:
Message-ID:

On Wed, 17 May 2000, J. Paul Reed wrote:

> > what are the problems with OpenSSH 2.1 ? there is no need to enable
> > protocol 2.
> 
> Is that a compile-time option? Can I disable ssh2 support in OpenSSH
> 2.1?

Better than that - it is a runtime option.

> I've heard some bug reports from the field about people getting
> OpenSSH 2.1 to work...but I haven't tried, and for everyone who has
> a problem, probably 10 people get it to work fine.

There are some problems with the new entropy collection on systems that
lack /dev/random. I will be releasing a patch very shortly to address
these.

Regards,
Damien Miller

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Wed May 17 22:59:26 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 17 May 2000 22:59:26 +1000 (EST)
Subject: ASCII Tech Linux in Japan
In-Reply-To: <392273EA.B9E82AB9@ascii.co.jp>
Message-ID:

On Wed, 17 May 2000, Satoshi Turuo wrote:

> Hi,OpenSSH developers
> 
> My name is Satoshi Turuo, and I'm an editor
> of Linux information magazine,
> called "TECH Linux", ASCII Corp in Japan.
> "TECH Linux" is Linux Magazine for Japanese LINUX Gamers,
> Newbie LINUX Game Programmers.
> Newest issue comes with 2 CD-ROMs that loaded
> with Playabledemos, FreeSoftwares, Sharewares, product advertisements.
> 
> Right now, we are working on a particular project
> with which we would like to ask you for your cooperation.
> The title of this project is;
> "The COOL Softwares for Linux".
> 
> We would like your permissions to accomodate the given
> materials to the CD-ROM of our magazine.
> (Linux client and server files for OpenSSH Unix Port
> 2.1.0.[openssh-2.1.0.tar.gz])

Absolutely. OpenSSH is released under a free (BSD) license which
explicitly allows such distribution. Please do credit the OpenBSD
developers for their hard work in making OpenSSH available.

> If you are interested in the project, please contact me
> as soon as possible.
> Actually, deadline of this project is staring us
> in the face, so I am desperately waiting for you to
> give the answer back.

I hope that we were quick enough! When is your deadline?

Regards,
Damien Miller

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Wed May 17 23:30:30 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 17 May 2000 23:30:30 +1000 (EST)
Subject: openssl w/ rsaref openssh won't configure
In-Reply-To: <391C2370.1846AD64@stl.rural.usda.gov>
Message-ID:

On Fri, 12 May 2000, Ed Eden wrote:

> I kind of merged rsa_test and came up with the following that
> seems to work with rsaref. The problem areas on the original were
> 32 for the key gen, rsaref likes 1024 at least. And rsaref likes
> RSA_PKCS1_PADDING but not RSA_NO_PADDING for some reason. I am not
> versed in ssl but just tried different things with debugging until
> it worked. I assume it will work with the non-rsaref also.

Thanks - I have adapted this for configure. configure now detects
OpenSSL and RSA separately. This is to pave the way for RSAless
operation.

-d

From djm at mindrot.org Wed May 17 23:31:28 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 17 May 2000 23:31:28 +1000 (EST)
Subject: [PATCH] using openssl with no-rsa?
In-Reply-To: <20000515171006.B4DCC2758B@toad.mindrot.org>
Message-ID:

On Mon, 15 May 2000 kevin_oconnor at standardandpoors.com wrote:

> Hello,
>
> Due to patent concerns, I compiled a version of openssl with the
> no-rsa, no-idea, no-rc5 options. I was able to then take this
> compile of openssl, with the standard openssh-2.1.0 rpms and run it
> on another machine. Most things seemed to work fine, except I was
> unable to ssh into the machine. After applying the following patch
> to the sshd code, a quick test with an ssh session worked:

Thanks, applied.

-d

From djm at mindrot.org Wed May 17 23:47:48 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 17 May 2000 23:47:48 +1000 (EST)
Subject: Openssh-2.1.0p1 test release
Message-ID:

This is to announce a test release of 2.1.0p1 before making it widely
available.

This release includes many fixes to problems reported over the last
week. In particular:

- spurious error and coredumps caused by the inbuilt entropy gathering
- RSAref detection
- Compilation fixes for Solaris and others

It also contains (completely untested) support for compiling without
RSA support. This may be useful to those of you in the USA. I am
interested to hear whether and how well this works. RSAless support
is enabled if a) OpenSSL is available, b) OpenSSL is built without
RSAref and c) RSAref cannot be found. In future it will be a config
option.

Please report bugs to this mailing list directly. It is open again to
non-subscribers.

Regards,
Damien

Full Changelog:

20000517
 - Fix from Andre Lucas
   - Fixes command line printing segfaults (spotter: Bladt Norbert)
   - Fixes erroneous printing of debug messages to syslog
   - Fixes utmp for MacOS X (spotter: Aristedes Maniatis)
   - Gives useful error message if PRNG initialisation fails
   - Reduced ssh startup delay
   - Measures cumulative command time rather than the time between reads
     after select()
   - 'fixprogs' perl script to eliminate non-working entropy commands, and
     optionally run 'ent' to measure command entropy
 - Applied Tom Bertelson's AIX authentication fix
 - Avoid WCOREDUMP compilation errors for systems that lack it
 - Avoid SIGCHLD warnings from entropy commands
 - Fix HAVE_PAM_GETENVLIST setting from Simon Wilkinson
 - OpenBSD CVS update:
   - markus at cvs.openbsd.org
     [ssh.c]
     fix usage()
     [ssh2.h]
     draft-ietf-secsh-architecture-05.txt
     [ssh.1]
     document ssh -T -N (ssh2 only)
     [channels.c serverloop.c ssh.h sshconnect.c sshd.c aux.c]
     enable nonblocking IO for sshd w/ proto 1, too; split out common code
     [aux.c]
     missing include
 - Several patches from SAKAI Kiyotaka
   - INSTALL typo and URL fix
   - Makefile fix
   - Solaris fixes
 - Checking for ssize_t and memmove. Based on patch from SAKAI Kiyotaka
 - RSAless operation patch from kevin_oconnor at standardandpoors.com
 - Detect OpenSSL separately from RSA
 - Better test for RSA (more compatible with RSAref). Based on work by
   Ed Eden

20000513
 - Fix for non-recognised DSA keys from Arkadiusz Miskiewicz

20000511
 - Fix for prng_seed permissions checking from Lutz Jaenicke
 - "make host-key" fix for Irix

From mfisk at lanl.gov Thu May 18 04:03:19 2000
From: mfisk at lanl.gov (Mike Fisk)
Date: Wed, 17 May 2000 18:03:19 +0000 (GMT)
Subject: Confusion over versioning...
In-Reply-To:
Message-ID:

On Wed, 17 May 2000, J. Paul Reed wrote:

> On Wed, 17 May 2000, Markus Friedl wrote:
>
> > On Wed, May 17, 2000 at 03:43:23AM -0700, J. Paul Reed wrote:
> > > So, my question is is the 1.2.x branch of OpenSSH effectively dead?
> >
> > there are no branches of OpenSSH. version numbers are arbitrary.
> > version numbers only tell you: beginning with version x this bug y is
> > gone.
>
> Ok...so this is different from how they originally did ssh (i.e. a 1.2.x
> "branch" and a 2.x branch for ssh2).

Note that the Ylonen/DataFellows SSH2 appears to not even be a branch of
their 1.x code --- it lacks many things that were already present in
1.x. OpenSSH is doing it the "right" way by having a unified package
that supports protocols 1 and/or 2.

--
Mike Fisk, RADIANT Team, Network Engineering Group, Los Alamos National Lab
See http://home.lanl.gov/mfisk/ for contact information

From garrick at james.net Thu May 18 05:59:38 2000
From: garrick at james.net (Garrick James)
Date: Wed, 17 May 2000 12:59:38 -0700 (PDT)
Subject: Openssh-2.1.0p1 test release
Message-ID:

The patch for building openssh w/o rsa support does not seem to work
(for me, at least). It may allow you to link at run time to openssl
w/o rsa, but it does not let you build against such an openssl.

I built openssl-0.9.5a with no-rc5, no-rsa, and no-idea. When
installing, it does not install headers for rc5, rsa, or idea (of
course). (I know, excluding rc5 and idea is a little out of scope for
the patch in question, but the issues are the same.)

When trying to then build openssh-2.1.0p1 against this openssl, there
are all kinds of compile time errors because of the missing headers.
I went ahead and copied the rc5, rsa, and idea headers for openssl
into the openssl include dir and tried to compile again. This time
there are a bunch of errors at link time during the build.

If rsa (and rc5 and idea, for that matter) is missing at build time,
would it not be good to have some ifdefs in the openssh code to
exclude sections of code that rely on them? I understand that this
would basically turn openssh into ssh2 only, so maybe it would be
better to implement all this as some compile time define that says
ssh2 only.

-Garrick James

From djm at mindrot.org Thu May 18 08:18:38 2000
From: djm at mindrot.org (Damien Miller)
Date: Thu, 18 May 2000 08:18:38 +1000 (EST)
Subject: 2.1.0p1
Message-ID:

Oops. The URL for that is:

http://violet.ibs.com.au/files/openssh/test/

Sorry,
Damien Miller

From pucko at lysator.liu.se Thu May 18 10:15:52 2000
From: pucko at lysator.liu.se (Magnus Holmberg)
Date: Thu, 18 May 2000 02:15:52 +0200 (MET DST)
Subject: 2.1.0p1
In-Reply-To:
Message-ID:

you don't mean

http://violet.ibs.com.au/openssh/files/test ?

/M

On Thu, 18 May 2000, Damien Miller wrote:

> Oops. The URL for that is:
>
> http://violet.ibs.com.au/files/openssh/test/
>
> Sorry,
> Damien Miller

--==** LIVETS VATTEN **==--

From djm at mindrot.org Thu May 18 14:03:32 2000
From: djm at mindrot.org (Damien Miller)
Date: Thu, 18 May 2000 14:03:32 +1000 (EST)
Subject: 2.1.0p1
In-Reply-To:
Message-ID:

On Thu, 18 May 2000, Magnus Holmberg wrote:

> you don't mean
>
> http://violet.ibs.com.au/openssh/files/test ?

Doh. yes.

From Lutz.Jaenicke at aet.TU-Cottbus.DE Thu May 18 18:26:33 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Thu, 18 May 2000 10:26:33 +0200
Subject: Openssh-2.1.0p1 test release
In-Reply-To: ; from djm@mindrot.org on Wed, May 17, 2000 at 11:47:48PM +1000
References:
Message-ID: <20000518102633.A7061@ws01.aet.tu-cottbus.de>

On Wed, May 17, 2000 at 11:47:48PM +1000, Damien Miller wrote:
> This is to announce a test release of 2.1.0p1 before making it widely
> available.
...
> Please report bugs to this mailing list directly. It is open again to
> non-subscribers.

Hi, again I am building OpenSSH-2.1.0p1 on HP-UX 10.20 :-)
[Longish post, sorry]

You have missed the patch sent from "Tom Bertelson " to fix a stacksize
overflow on AIX (Tom) and HP-UX (experienced by myself):

*** serverloop.c.orig	Wed May 17 14:34:23 2000
--- serverloop.c	Thu May 18 09:44:54 2000
***************
*** 85,91 ****
  	int save_errno = errno;
  	debug("Received SIGCHLD.");
  	child_terminated = 1;
- 	signal(SIGCHLD, sigchld_handler2);
  	errno = save_errno;
  }
--- 85,90 ----
***************
*** 648,653 ****
--- 647,653 ----
  		while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
  			session_close_by_pid(pid, status);
  		child_terminated = 0;
+ 		signal(SIGCHLD, sigchld_handler2);
  	}
  	channel_after_select(&readset, &writeset);
  	process_input(&readset);

> Full Changelog:
...
> - 'fixprogs' perl script to eliminate non-working entropy commands, and
>   optionally run 'ent' to measure command entropy

Sorry, I could not find "fixprogs" in the distribution. Hence:
...
if [ -f ssh_prng_cmds -a ! -z "yes" ]; then \
	/usr/contrib/bin/perl fixprogs ssh_prng_cmds ; \
	/opt/imake/bin/install -c -m 644 ssh_prng_cmds.out /etc/ssh/ssh_prng_cmds; \
fi
Can't open perl script "fixprogs": No such file or directory
*** Error exit code 2

Stop.
...

I am not happy with the *-*-hpux10* stuff. Starting with HP-UX 10.0
the compiler understands the "-Ae" flag for extended ANSI mode (64bit
long long).
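Review bot: with the `signal(SIGCHLD, sigchld_handler2);` call removed from the handler in the 85,91 hunk, the handler no longer re-arms itself, so on the platforms this patch targets (AIX and HP-UX, where the message above says the in-handler re-install was overflowing the stack) every SIGCHLD after the first is delivered with the default disposition unless the re-install in the second hunk is present. The two hunks are only correct together; a one-line comment in sigchld_handler2 noting that re-arming happens in the main loop after waitpid() would keep a later cleanup from putting the call back here.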
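Review bot: the re-install added in the 648,653 hunk runs after the waitpid() loop has drained and after `child_terminated = 0;`, so a child that exits between the last waitpid() returning 0 and the signal() call is neither reaped nor flagged until some later child exits, because the disposition is still the reset default at that moment. Moving `signal(SIGCHLD, sigchld_handler2);` to just before the `while ((pid = waitpid(-1, &status, WNOHANG)) > 0)` loop (after clearing child_terminated) closes that window: a late exit then re-sets the flag and is picked up on the next pass. On systems where signal() keeps the handler installed the extra call is harmless.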
Please change line 42 in configure.in to
	CFLAGS="$CFLAGS -Ae"

In lines 45,46 (and for hpux11 as well) the "/usr/local" hierarchy is
used as a standard place to look for includes and libraries. As of
HP-UX 10, the people at the "Software Porting and Archive Center for
HP-UX" http://hpux.connect.org.uk/ have decided to move ported packages
into the /opt hierarchy (with a subdirectory for each package). Even
though I still enjoy using /usr/local instead (far more practical for
exporting via NFS), the decision about adding the /usr/local hierarchy
should be left to the user.
Recommendation: remove lines 45,46 and the corresponding lines for hpux11.

[I also think that the CFLAGS and CPPFLAGS (CPPFLAGS containing the
"-I" include paths and "-D" definitions) should be separated as with
most packages using "configure". Hence line 24 of Makefile.in should be
changed from
	CFLAGS=@CFLAGS@ $(PATHS) @DEFS@
to
	CFLAGS=@CFLAGS@ @CPPFLAGS@ $(PATHS) @DEFS@
"configure" itself does handle CPPFLAGS.]

In the install target the "install" command (or replacement, whatever
might be found by configure) is used with the "-d" flag to create
subdirectories. This is not portable and maybe only available with
gnu-install. Other install programs, like the one delivered with HP-UX,
or the bsdinst script do not understand the "-d" flag and either use
the "mkdirhier" script/command or "mkinstalldirs" or "mkdir" the
hierarchy themselves. As far as I understand, bsdinst and mkdirhier are
supplied with X11, so licensing should be no problem, mkinstalldirs is
in the public domain (according to the comment in src/helpers/mkdir.sh,
the script used by Apache).
[This list of "install" replacements is for sure not complete :-)]

Best regards,
	Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From marc.fournier at acadiau.ca Thu May 18 22:15:15 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Thu, 18 May 2000 09:15:15 -0300 (ADT)
Subject: 2.1.0p1
In-Reply-To:
Message-ID:

on a make install, I'm getting:

if [ -f ssh_prng_cmds -a ! -z "yes" ]; then \
	/bin/perl fixprogs ssh_prng_cmds ; \
	./install-sh -c -m 644 ssh_prng_cmds.out /usr/local/etc/ssh_prng_cmds; \
fi
Can't open perl script "fixprogs": No such file or directory

On Thu, 18 May 2000, Damien Miller wrote:

> On Thu, 18 May 2000, Magnus Holmberg wrote:
>
> > you don't mean
> >
> > http://violet.ibs.com.au/openssh/files/test ?
>
> Doh. yes.

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator                Acadia University

"These are my opinions, which are not necessarily shared by my employer"

From marc.fournier at acadiau.ca Thu May 18 22:16:27 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Thu, 18 May 2000 09:16:27 -0300 (ADT)
Subject: 2.1.0p1
In-Reply-To:
Message-ID:

Under Solaris 8, at least it doesn't appear to crash anymore, but when
I connect, I'm getting:

May 18 09:17:15 iris sshd[15312]: error: fcntl(-1, F_GETFL, 0): Bad file number

On Thu, 18 May 2000, Damien Miller wrote:

> On Thu, 18 May 2000, Magnus Holmberg wrote:
>
> > you don't mean
> >
> > http://violet.ibs.com.au/openssh/files/test ?
>
> Doh. yes.

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator                Acadia University

"These are my opinions, which are not necessarily shared by my employer"

From sxw at dcs.ed.ac.uk Fri May 19 00:38:09 2000
From: sxw at dcs.ed.ac.uk (Simon Wilkinson)
Date: Thu, 18 May 2000 15:38:09 +0100 (BST)
Subject: Kerberos V support (again!)
Message-ID: <11041.200005181438@mor.dcs.ed.ac.uk>

I notice in the archives a reference to the patches contained at
http://www.fi.muni.cz/~kouril/openssh-1.2.1pre24.patch and an offer to
include them if someone was to take on the work of cleaning them up.

Do you just want them cleaned so that they apply cleanly and work in
the latest release, or are there outstanding implementation concerns?
Is anyone else looking at this?

Cheers,

Simon

From bds at jhb.ucs.co.za Fri May 19 01:04:34 2000
From: bds at jhb.ucs.co.za (Berend De Schouwer)
Date: Thu, 18 May 2000 17:04:34 +0200 (SAST)
Subject: SSH v2 known-hosts problem.
Message-ID: <200005181506.RAA28272@jhb.ucs.co.za>

When I connect from machine A to machine B, using ssh protocol 2, both
running openssh2.1.0, there is a problem with comparing server DSA
public keys to ~/.ssh/known_hosts2.

The first time, it says
  The authenticity of host 'B' can't be established.
  DSA key fingerprint is blah-blah-blah
  Are you sure you want to continue connecting (yes/no)?

If I type 'yes', it gets added to ~/.ssh/known_hosts2.
(as it should). An entry gets added like:
  B,1.2.3.4 ssh-dss blah-blah-blah

However, if I disconnect and connect again, it still says:
  The authenticity of host 'B' can't be established.
  DSA key fingerprint is blah-blah-blah
  Are you sure you want to continue connecting (yes/no)?

If I say yes, it creates an identical second line to
~/.ssh/known_hosts2. Somewhere a comparison isn't working.

An strace indicates that the ssh client indeed reads
~/.ssh/known-hosts2. The entry looks like the system B
ssh_host_dsa_key.pub, so I assume the server is sending its DSA key.

--
Kind regards,
Berend

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Berend De Schouwer, +27-11-712-1435, UCS

From bds at jhb.ucs.co.za Fri May 19 01:18:05 2000
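The comparison Berend's report is about, as an added example that is not part of the original post or of OpenSSH: a small parser for the known_hosts2 line format ("B,1.2.3.4 ssh-dss <base64 blob>") that classifies the key a server presents as match, mismatch or unknown, and that lists the duplicate lines a failed comparison followed by "yes" leaves behind. Host names are compared case-insensitively here (an assumption, not OpenSSH's rule), the key blobs are constructed placeholders, and none of the function names are OpenSSH's.

```python
import base64
import binascii

# Constructed sample of a ~/.ssh/known_hosts2 file in the shape of the entry
# from the report ("B,1.2.3.4 ssh-dss <base64 blob>"). The blobs are
# placeholders, not real DSA keys. Line 2 is the duplicate the client appended
# after failing to match line 1 and being told "yes" again.
SAMPLE_KNOWN_HOSTS2 = """\
# comment lines and blank lines are skipped

B,1.2.3.4 ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER0001
B,1.2.3.4 ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER0001
C ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER0002
"""


def parse_known_hosts(text):
    """Return (entries, malformed).

    entries   - list of (hostnames, keytype, keyblob), hostnames lower-cased
    malformed - list of (lineno, rawline) that lack the three fields; these
                are reported rather than dropped, because a stored line the
                client cannot parse is one way a key never matches.
    """
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            malformed.append((lineno, raw))
            continue
        hosts = [h.lower() for h in fields[0].split(",") if h]
        entries.append((hosts, fields[1], fields[2]))
    return entries, malformed


def check_host_key(text, host, keytype, keyblob):
    """Classify the presented server key against the stored file.

    Returns "match" if an entry for host has the same type and key bytes,
    "mismatch" if host is known for this key type but with different bytes
    (the case that deserves a loud warning, not a yes/no prompt), and
    "unknown" if there is no entry for this host and key type at all.
    """
    host = host.lower()
    seen_type = False
    for hosts, etype, eblob in parse_known_hosts(text)[0]:
        if host not in hosts or etype != keytype:
            continue
        seen_type = True
        # Compare decoded bytes so that base64 padding or trailing
        # whitespace differences cannot produce a spurious mismatch.
        try:
            if base64.b64decode(eblob) == base64.b64decode(keyblob):
                return "match"
        except binascii.Error:
            continue
    return "mismatch" if seen_type else "unknown"


def duplicate_entries(text):
    """Return the (hostnames, keytype, keyblob) tuples stored more than once.

    Identical repeated lines are the symptom in the report: every failed
    comparison answered with "yes" appends another copy of the same key.
    """
    seen, dups = set(), []
    for hosts, etype, eblob in parse_known_hosts(text)[0]:
        key = (tuple(hosts), etype, eblob)
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups
```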
From: bds at jhb.ucs.co.za (Berend De Schouwer)
Date: Thu, 18 May 2000 17:18:05 +0200 (SAST)
Subject: Followup: SSH v2 known-hosts problem.
Message-ID: <200005181519.RAA31857@jhb.ucs.co.za>

When I connect from machine A to machine B, using ssh protocol 2, both
running openssh2.1.0, there is a problem with comparing server DSA
public keys to ~/.ssh/known_hosts2.

[...]

Sorry, forgot: Both are RedHat Linux 6.x, on Intel i386. OpenSSL-0.9.5a
and OpenSSH-2.1.0 compiled from source. SSH v1 works fine.

--
Kind regards,
Berend

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Berend De Schouwer, +27-11-712-1435, UCS

From markus.friedl at informatik.uni-erlangen.de Fri May 19 01:23:41 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 18 May 2000 17:23:41 +0200
Subject: SSH v2 known-hosts problem.
In-Reply-To: <200005181506.RAA28272@jhb.ucs.co.za>; from bds@jhb.ucs.co.za on Thu, May 18, 2000 at 05:04:34PM +0200
References: <200005181506.RAA28272@jhb.ucs.co.za>
Message-ID: <20000518172341.A14582@folly.informatik.uni-erlangen.de>

could you please send me the public key?
(and the private key if you want to generate a new host key)

On Thu, May 18, 2000 at 05:04:34PM +0200, Berend De Schouwer wrote:
> When I connect from machine A to machine B, using ssh protocol 2, both
> running openssh2.1.0, there is a problem with comparing server DSA
> public keys to ~/.ssh/known_hosts2.
>
> The first time, it says
> The authenticity of host 'B' can't be established.
> DSA key fingerprint is blah-blah-blah
> Are you sure you want to continue connecting (yes/no)?
>
> If I type 'yes', it gets added to ~/.ssh/known_hosts2.
> (as it should). An entry gets added like:
> B,1.2.3.4 ssh-dss blah-blah-blah
>
> However, if I disconnect and connect again, it still says:
> The authenticity of host 'B' can't be established.
> DSA key fingerprint is blah-blah-blah
> Are you sure you want to continue connecting (yes/no)?
>
> If I say yes, it creates an identical second line to
> ~/.ssh/known_hosts2. Somewhere a comparison isn't working.
>
> An strace indicates that the ssh client indeed reads
> ~/.ssh/known-hosts2. The entry looks like the system B
> ssh_host_dsa_key.pub, so I assume the server is sending its DSA key.
>
>
> --
> Kind regards,
> Berend
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Berend De Schouwer, +27-11-712-1435, UCS
>
>

From fandrei at rds.ro Fri May 19 01:33:23 2000
From: fandrei at rds.ro (Florin Andrei)
Date: Thu, 18 May 2000 18:33:23 +0300
Subject: SSH v2 known-hosts problem.
References: <200005181506.RAA28272@jhb.ucs.co.za>
Message-ID: <39240D43.6D01DD8B@rds.ro>

Berend De Schouwer wrote:
>
> However, if I disconnect and connect again, it still says:
> The authenticity of host 'B' can't be established.
> DSA key fingerprint is blah-blah-blah
> Are you sure you want to continue connecting (yes/no)?

I have the same problem, with the same openssh-2.1.0 on multiple Red
Hat 6.2 machines, installed from RPMs.

--
Florin Andrei
mailto:florin at linuxstart.com
http://members.linuxstart.com/~florin/
tel: +40-93-261162

From weigel+ at pitt.edu Fri May 19 01:35:48 2000
From: weigel+ at pitt.edu (Matthew C. Weigel)
Date: Thu, 18 May 2000 11:35:48 -0400 (EDT)
Subject: X11 Forwarding and Red Hat
In-Reply-To: <200005181519.RAA31857@jhb.ucs.co.za>
Message-ID:

I'm having some difficulty with X forwarding through SSH between OpenSSH
and normal ssh. The problem system is running Red Hat 6.2, and I've
seen several references to Red Hat clobbering $XAUTHORITY.
Unfortunately, I can't find where this clobbering is done (someone
mentioned on Mandrake 7 it's in /etc/profile.d/, but it isn't here).

It's causing minor problems here, where one development server that I'm
in charge of is using OpenSSH and others (that coworkers are in charge
of) are running regular ssh. Since we do GUI Java development, remote X
display is essential, and X forwarding makes it easier.

Matthew Weigel
Programmer/Sysadmin/Student
weigel+ at pitt.edu

From mhw at wittsend.com Fri May 19 00:45:45 2000
From: mhw at wittsend.com (Michael H. Warfield)
Date: Thu, 18 May 2000 10:45:45 -0400
Subject: X11 Forwarding and Red Hat
In-Reply-To: ; from weigel+@pitt.edu on Thu, May 18, 2000 at 11:35:48AM -0400
References: <200005181519.RAA31857@jhb.ucs.co.za>
Message-ID: <20000518104545.D1879@alcove.wittsend.com>

On Thu, May 18, 2000 at 11:35:48AM -0400, Matthew C. Weigel wrote:
> I'm having some difficulty with X forwarding through SSH between OpenSSH and
> normal ssh. The problem system is running Red Hat 6.2, and I've seen
> several references to Red Hat clobbering $XAUTHORITY. Unfortunately, I
> can't find where this clobbering is done (someone mentioned on Mandrake 7
> it's in /etc/profile.d/, but it isn't here).

> It's causing minor problems here, where one development server that I'm in
> charge of is using OpenSSH and others (that coworkers are in charge of) are
> running regular ssh. Since we do GUI Java development, remote X display is
> essential, and X forwarding makes it easier.

It might help [a lot] if you were more specific about what the problems
were that you were experiencing and not so much about what you think is
wrong. I'm also having problems with X11 forwarding in OpenSSH 2.1.0
(which I don't THINK occurred in 1.2.3) and it has nothing to do with
$XAUTHORITY. What are the errors that you are experiencing?

Oh... And, BTW, if you are loading OpenSSH 2.1.0, I noticed that both of
the new config files have X forwarding disabled. That was the first
thing I got burned on after upgrading my ssh*_config files.

> Matthew Weigel
> Programmer/Sysadmin/Student
> weigel+ at pitt.edu

Mike
--
Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
 (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
 NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471   |  possible worlds.  A pessimist is sure of it!

From weigel+ at pitt.edu Fri May 19 02:02:29 2000
From: weigel+ at pitt.edu (Matthew C. Weigel)
Date: Thu, 18 May 2000 12:02:29 -0400 (EDT)
Subject: X11 Forwarding and Red Hat
In-Reply-To: <20000518104545.D1879@alcove.wittsend.com>
Message-ID:

On Thu, 18 May 2000, Michael H. Warfield wrote:

> On Thu, May 18, 2000 at 11:35:48AM -0400, Matthew C. Weigel wrote:
> It might help [a lot] if you were more specific about what the
> problems were that you were experiencing and not so much about what you
> think is wrong.

Well, judging from the archives, this is exactly the problem. For your
perusal:

$ ssh -v
SSH Version OpenSSH-1.2.3, protocol version 1.5.
Compiled with SSL.

When connected to the Red Hat 6.2 system (synapse) running OpenSSH from
an O2 running regular ssh:

$ xterm
X11 connection rejected because of wrong authentication at Thu May 18
11:59:20 2000.
a
Rejected connection at Thu May 18 11:59:20 2000: X11 connection from synapse
port 3439
X connection to synapse:10.0 broken (explicit kill or server shutdown).

> I'm also having problems with X11 forwarding in OpenSSH
> 2.1.0 (which I don't THINK occurred in 1.2.3) and it has nothing to
> do with $XAUTHORITY. What are the errors that you are experiencing?

The error which, it is claimed in the archives, is directly attributable
to Red Hat clobbering $XAUTHORITY: it is set automatically to
/home/weigel/.Xauthority when I log in, but sshd sets it to
/tmp/ssh-randomstring/cookies. I'm not familiar enough with ssh to know
why this is a problem, but it is.

> Oh... And, BTW, if you are loading OpenSSH 2.1.0, I noticed that
> both of the new config files have X forwarding disabled. That was the
> first thing I got burned on after upgrading my ssh*_config files.

I checked my config files and I'm not running 2.1.0 yet.

Matthew Weigel
Programmer/Sysadmin/Student
weigel+ at pitt.edu

From mhw at wittsend.com Fri May 19 01:14:53 2000
From: mhw at wittsend.com (Michael H. Warfield)
Date: Thu, 18 May 2000 11:14:53 -0400
Subject: X11 Forwarding and Red Hat
In-Reply-To: ; from weigel+@pitt.edu on Thu, May 18, 2000 at 12:02:29PM -0400
References: <20000518104545.D1879@alcove.wittsend.com>
Message-ID: <20000518111453.K1980@alcove.wittsend.com>

On Thu, May 18, 2000 at 12:02:29PM -0400, Matthew C. Weigel wrote:
> On Thu, 18 May 2000, Michael H. Warfield wrote:
> > On Thu, May 18, 2000 at 11:35:48AM -0400, Matthew C. Weigel wrote:
> > It might help [a lot] if you were more specific about what the
> > problems were that you were experiencing and not so much about what you
> > think is wrong.

> Well, judging from the archives, this is exactly the problem. For your
> perusal:

Ok... Sounds like it, I just couldn't judge from your earlier message.

> $ ssh -v
> SSH Version OpenSSH-1.2.3, protocol version 1.5.
> Compiled with SSL.

> When connected to the Red Hat 6.2 system (synapse) running OpenSSH from an
> O2 running regular ssh:

> $ xterm
> X11 connection rejected because of wrong authentication at Thu May 18
> 11:59:20 2000.
> a
> Rejected connection at Thu May 18 11:59:20 2000: X11 connection from synapse
> port 3439
> X connection to synapse:10.0 broken (explicit kill or server shutdown).

> > I'm also having problems with X11 forwarding in OpenSSH
> > 2.1.0 (which I don't THINK occurred in 1.2.3) and it has nothing to
> > do with $XAUTHORITY. What are the errors that you are experiencing?

> The error which, it is claimed in the archives, is directly attributable to
> Red Hat clobbering $XAUTHORITY: it is set automatically to
> /home/weigel/.Xauthority when I log in, but sshd sets it to
> /tmp/ssh-randomstring/cookies. I'm not familiar enough with ssh to know why
> this is a problem, but it is.

> > Oh... And, BTW, if you are loading OpenSSH 2.1.0, I noticed that
> > both of the new config files have X forwarding disabled. That was the
> > first thing I got burned on after upgrading my ssh*_config files.
> I checked my config files and I'm not running 2.1.0 yet.

Ok... That's what I needed to know!

I've got a pretty vanilla RedHat setup... Here is what I see between my
two systems (Alcove is RedHat 6.1 and Canyon is RedHat 6.2):

[mhw at alcove mhw]$ set | grep XAUTH
XAUTHORITY=/home/mhw/.Xauthority
You have new mail in /var/spool/mail/mhw
[mhw at alcove mhw]$ ssh canyon
Last login: Tue May 16 16:17:38 2000
[mhw at canyon mhw]$ set | grep XAUTH
XAUTHORITY=/tmp/ssh-zZvc2528/cookies
[mhw at canyon mhw]$

Ok... My RedHat 6.2 did NOT clobber my XAUTHORITY variable. Have you
checked your ".profile" and ".bashrc" files? You might also check
/etc/profile and /etc/bashrc files. I don't have anything in any of
those files, but something in there could commit that act of terrorism
on you.

Also, what shell are you using? I'm using sh (bash) and it could be
different if you are using tcsh or ksh (shouldn't be, but might be). It
could influence what startup files are involved.

Unfortunately, the error that I see is NOT the error that you see. I
get this with 2.1.0:

[mhw at canyon mhw]$ xterm
channel 0: istate 4 != open
channel 0: ostate 64 != open
X connection to canyon:10.0 broken (explicit kill or server shutdown).
[mhw at canyon mhw]$

You are right about XAUTHORITY. If that gets screwed (or the
.Xauthority is hosed) then you get the "wrong authentication" that you
see. That was the tidbit (the error message) that I needed to know.

> Matthew Weigel
> Programmer/Sysadmin/Student
> weigel+ at pitt.edu

Mike
--
Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
 (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
 NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471   |  possible worlds.  A pessimist is sure of it!

From shugarts at acsu.buffalo.edu Fri May 19 01:50:56 2000
From: shugarts at acsu.buffalo.edu (Travis Shugarts)
Date: Thu, 18 May 2000 11:50:56 -0400
Subject: SSH v2 known-hosts problem.
References: <200005181519.RAA31857@jhb.ucs.co.za>
Message-ID: <39241160.42F6C50E@acsu.buffalo.edu>

Berend De Schouwer wrote:

> When I connect from machine A to machine B, using ssh protocol 2, both
> running openssh2.1.0, there is a problem with comparing server DSA
> public keys to ~/.ssh/known_hosts2.
>
> [...]
>

I have the same problem, only it occurs when I use openssh 2.1 on linux
(redhat-6.2 kernel 2.2.15) to connect to ssh 2.1 on a Sun box (solaris
2.7).

From markus.friedl at informatik.uni-erlangen.de Fri May 19 02:44:15 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 18 May 2000 18:44:15 +0200
Subject: 2.1.0p1
In-Reply-To: ; from marc.fournier@acadiau.ca on Thu, May 18, 2000 at 09:16:27AM -0300
References:
Message-ID: <20000518184414.A22598@folly.informatik.uni-erlangen.de>

On Thu, May 18, 2000 at 09:16:27AM -0300, Marc G. Fournier wrote:
>
> Under Solaris 8, at least it doesn't appear to crash anymore, but when I
> connect, I'm getting:
>
> May 18 09:17:15 iris sshd[15312]: error: fcntl(-1, F_GETFL, 0): Bad file number

this has been fixed. try:

Index: serverloop.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/serverloop.c,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- serverloop.c	2000/05/17 08:20:15	1.23
+++ serverloop.c	2000/05/18 06:35:57	1.24
@@ -392,7 +392,9 @@
 	/* nonblocking IO */
 	set_nonblock(fdin);
 	set_nonblock(fdout);
-	set_nonblock(fderr);
+	/* we don't have stderr for interactive terminal sessions, see below */
+	if (fderr != -1)
+		set_nonblock(fderr);
 
 	connection_in = packet_get_connection_in();
 	connection_out = packet_get_connection_out();

From weigel+ at pitt.edu Fri May 19 02:50:35 2000
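Review bot: the `if (fderr != -1)` guard around `set_nonblock(fderr);` stops the fcntl(-1, F_GETFL, 0) error Marc reported, but it protects only this call site; since fderr is legitimately -1 for interactive terminal sessions (as the new comment says), the more robust change is to have set_nonblock() itself return early on a negative descriptor, so any other caller handed fderr cannot regress the same way. The three-line change is fine as the minimal fix; a debug() inside set_nonblock() on fd < 0 would also make the next such slip self-reporting instead of surfacing as a "Bad file number" in syslog.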
From: weigel+ at pitt.edu (Matthew C. Weigel)
Date: Thu, 18 May 2000 12:50:35 -0400 (EDT)
Subject: X11 Forwarding and Red Hat
In-Reply-To: <20000518111453.K1980@alcove.wittsend.com>
Message-ID:

On Thu, 18 May 2000, Michael H. Warfield wrote:

> I've got a pretty vanilla RedHat setup... Here is what I see between
> my two systems (Alcove is RedHat 6.1 and Canyon is RedHat 6.2):
>
> [mhw at alcove mhw]$ set | grep XAUTH
> XAUTHORITY=/home/mhw/.Xauthority
> You have new mail in /var/spool/mail/mhw
> [mhw at alcove mhw]$ ssh canyon
> Last login: Tue May 16 16:17:38 2000
> [mhw at canyon mhw]$ set | grep XAUTH
> XAUTHORITY=/tmp/ssh-zZvc2528/cookies
> [mhw at canyon mhw]$
>
> Ok... My RedHat 6.2 did NOT clobber my XAUTHORITY variable.
> Have you checked your ".profile" and ".bashrc" files? You might also
> check /etc/profile and /etc/bashrc files. I don't have anything in any
> of those files, but something in there could commit that act of terrorism
> on you.

No settings in my login scripts. Hmmm... Actually, it would appear mine
isn't being clobbered either... I could have sworn it was yesterday.
The problem is still there, but $XAUTHORITY seems correct when I ssh in.

> You are right about XAUTHORITY. If that gets screwed (or the
> .Xauthority is hosed) then you get the "wrong authentication" that you
> see. That was the tidbit (the error message) that I needed to know.

So, have any idea how to fix it? Would upgrading to 2.1.0 fix it, or
just give me your problem?

Matthew Weigel
Programmer/Sysadmin/Student
weigel+ at pitt.edu

From mhw at wittsend.com Fri May 19 01:53:35 2000
From: mhw at wittsend.com (Michael H. Warfield)
Date: Thu, 18 May 2000 11:53:35 -0400
Subject: Openssh-2.1.0p1 test release
In-Reply-To: ; from djm@mindrot.org on Wed, May 17, 2000 at 11:47:48PM +1000
References:
Message-ID: <20000518115335.A14882@alcove.wittsend.com>

On Wed, May 17, 2000 at 11:47:48PM +1000, Damien Miller wrote:
> This is to announce a test release of 2.1.0p1 before making it widely
> available.

> This release includes many fixes to problems reported over the last
> week. In particular:

> - spurious error and coredumps caused by the inbuilt entropy gathering
> - RSAref detection
> - Compilation fixes for Solaris and others

> It also contains (completely untested) support for compiling without
> RSA support. This may be useful to those of you in the USA. I am
> interested to hear whether and how well this works. RSAless support
> is enabled if a) OpenSSL is available, b) OpenSSL is built without
> RSAref and c) RSAref cannot be found. In future it will be a config
> option.

> Please report bugs to this mailing list directly. It is open again to
> non-subscribers.

Still having problems with X11 forwarding:

[mhw at alcove mhw]$ ssh canyon
Last login: Thu May 18 08:11:53 2000 from alcove.wittsend.com
[mhw at canyon mhw]$ set | grep XAU
XAUTHORITY=/tmp/ssh-sfsQ2629/cookies
[mhw at canyon mhw]$ xterm
channel 0: istate 4 != open
channel 0: ostate 64 != open
X connection to canyon:10.0 broken (explicit kill or server shutdown).

From sshd_config on Canyon (the server system):

X11Forwarding yes
X11DisplayOffset 10

From ssh_config on Alcove (the client side):

Host *
	ForwardAgent yes
	ForwardX11 yes
	FallBackToRsh no

Here is what I get if I do this with an ssh -v:

[mhw at canyon mhw]$ xterm
debug: Received X11 open request.
debug: fd 6 setting O_NONBLOCK
debug: channel 0: new [X11 connection from canyon port 1055]
debug: X11 connection uses different authentication protocol.
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       What's this all about?
debug: X11 rejected 0 i1/o16 debug: channel 0: read failed debug: channel 0: input open -> drain debug: channel 0: close_read debug: channel 0: input: no drain shortcut debug: channel 0: ibuf empty debug: channel 0: input drain -> wait_oclose debug: channel 0: send ieof debug: channel 0: write failed debug: channel 0: output open -> wait_ieof debug: channel 0: send oclose debug: channel 0: close_write debug: X11 closed 0 i4/o64 debug: channel 0: rcvd ieof debug: channel 0: non-open channel 0: istate 4 != open channel 0: ostate 64 != open debug: channel 0: rcvd oclose debug: channel 0: input wait_oclose -> closed X connection to canyon:10.0 broken (explicit kill or server shutdown). [mhw at canyon mhw]$ So there is something foo'ed in the authentication protocol. Seems like this use to work (1.2.3, I think). What broke? > Regards, > Damien > > Full Changelog: > > 20000517 > - Fix from Andre Lucas > - Fixes command line printing segfaults (spotter: Bladt Norbert) > - Fixes erroneous printing of debug messages to syslog > - Fixes utmp for MacOS X (spotter: Aristedes Maniatis) > - Gives useful error message if PRNG initialisation fails > - Reduced ssh startup delay > - Measures cumulative command time rather than the time between reads > after select() > - 'fixprogs' perl script to eliminate non-working entropy commands, and > optionally run 'ent' to measure command entropy > - Applied Tom Bertelson's AIX authentication fix > - Avoid WCOREDUMP complation errors for systems that lack it > - Avoid SIGCHLD warnings from entropy commands > - Fix HAVE_PAM_GETENVLIST setting from Simon Wilkinson > - OpenBSD CVS update: > - markus at cvs.openbsd.org > [ssh.c] > fix usage() > [ssh2.h] > draft-ietf-secsh-architecture-05.txt > [ssh.1] > document ssh -T -N (ssh2 only) > [channels.c serverloop.c ssh.h sshconnect.c sshd.c aux.c] > enable nonblocking IO for sshd w/ proto 1, too; split out common code > [aux.c] > missing include > - Several patches from SAKAI Kiyotaka > - INSTALL 
typo and URL fix > - Makefile fix > - Solaris fixes > - Checking for ssize_t and memmove. Based on patch from SAKAI Kiyotaka > > - RSAless operation patch from kevin_oconnor at standardandpoors.com > - Detect OpenSSL seperatly from RSA > - Better test for RSA (more compatible with RSAref). Based on work by > Ed Eden > > 20000513 > - Fix for non-recognised DSA keys from Arkadiusz Miskiewicz > > > 20000511 > - Fix for prng_seed permissions checking from Lutz Jaenicke > > - "make host-key" fix for Irix > > > > -- > | "Bombay is 250ms from New York in the new world order" - Alan Cox > | Damien Miller - http://www.mindrot.org/ > | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) Mike -- Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com (The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! From mhw at wittsend.com Fri May 19 01:57:46 2000 
From: mhw at wittsend.com (Michael H. Warfield) Date: Thu, 18 May 2000 11:57:46 -0400 Subject: X11 Forwarding and Red Hat In-Reply-To: ; from weigel+@pitt.edu on Thu, May 18, 2000 at 12:50:35PM -0400 References: <20000518111453.K1980@alcove.wittsend.com> Message-ID: <20000518115746.A14885@alcove.wittsend.com> On Thu, May 18, 2000 at 12:50:35PM -0400, Matthew C. Weigel wrote: > So, have any idea how to fix it? Would upgrading to 2.1.0 fix it, or just > give me your problem ? Right at the moment, I've confirmed that the problem still exists with 2.1.0p1 and, using a verbose mode connection, it seems to be something weird in the authentication protocol... Here's what I get when connect with ssh -v and then run xterm: ] [mhw at canyon mhw]$ xterm ] debug: Received X11 open request. ] debug: fd 6 setting O_NONBLOCK ] debug: channel 0: new [X11 connection from canyon port 1055] ] debug: X11 connection uses different authentication protocol. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ What the hell is this? ] debug: X11 rejected 0 i1/o16 ] debug: channel 0: read failed ] debug: channel 0: input open -> drain ] debug: channel 0: close_read ] debug: channel 0: input: no drain shortcut ] debug: channel 0: ibuf empty ] debug: channel 0: input drain -> wait_oclose ] debug: channel 0: send ieof ] debug: channel 0: write failed ] debug: channel 0: output open -> wait_ieof ] debug: channel 0: send oclose ] debug: channel 0: close_write ] debug: X11 closed 0 i4/o64 ] debug: channel 0: rcvd ieof ] debug: channel 0: non-open ] channel 0: istate 4 != open ] channel 0: ostate 64 != open ] debug: channel 0: rcvd oclose ] debug: channel 0: input wait_oclose -> closed ] X connection to canyon:10.0 broken (explicit kill or server shutdown). So to answer your question? I don't know. I'm afraid that it would just give you my problem (but it would confirm that it's not a cockpit error on my part :-) ). 
> Matthew Weigel > Programmer/Sysadmin/Student > weigel+ at pitt.edu Mike -- Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com (The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! From markus.friedl at informatik.uni-erlangen.de Fri May 19 05:28:05 2000 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 18 May 2000 21:28:05 +0200 Subject: X11 Forwarding and Red Hat In-Reply-To: <20000518115746.A14885@alcove.wittsend.com>; from mhw@wittsend.com on Thu, May 18, 2000 at 11:57:46AM -0400 References: <20000518111453.K1980@alcove.wittsend.com> <20000518115746.A14885@alcove.wittsend.com> Message-ID: <20000518212805.A19444@folly.informatik.uni-erlangen.de> does this help? Index: session.c =================================================================== RCS file: /home/markus/cvs/ssh/session.c,v retrieving revision 1.12 diff -u -r1.12 session.c --- session.c 2000/05/03 18:03:07 1.12 +++ session.c 2000/05/18 19:18:53 @@ -949,13 +953,20 @@ else { /* Add authority data to .Xauthority if appropriate. */ if (auth_proto != NULL && auth_data != NULL) { - if (debug_flag) + char *screen = strchr(display, ':'); + if (debug_flag) { fprintf(stderr, "Running %.100s add %.100s %.100s %.100s\n", - XAUTH_PATH, display, auth_proto, auth_data); - + XAUTH_PATH, display, auth_proto, auth_data); + if (screen != NULL) + fprintf(stderr, "Adding %.*s/unix%s %s %s\n", + screen-display, display, screen, auth_proto, auth_data); + } f = popen(XAUTH_PATH " -q -", "w"); if (f) { fprintf(f, "add %s %s %s\n", display, auth_proto, auth_data); + if (screen != NULL) + fprintf(f, "add %.*s/unix%s %s %s\n", + screen-display, display, screen, auth_proto, auth_data); pclose(f); } else fprintf(stderr, "Could not run %s -q -\n", XAUTH_PATH); From mhw at wittsend.com Fri May 19 04:52:01 2000 
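Review bot: both new fprintf calls pass `screen-display` as the `*` precision of `%.*s`, but that argument must be an `int` and `screen-display` is a `ptrdiff_t`, so on LP64 platforms this is a varargs type mismatch; write `(int)(screen - display)` in the stderr line and in the line piped to xauth. Two smaller points in the same hunk: the existing "Running" debug line bounds its fields with `%.100s` while the new "Adding" line uses plain `%s`, and `display` is passed to `strchr` with no NULL guard although `auth_proto` and `auth_data` get one just above; that is only safe if the surrounding code, not visible here, guarantees `display` is set in this branch.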
From: mhw at wittsend.com (Michael H. Warfield) Date: Thu, 18 May 2000 14:52:01 -0400 Subject: X11 Forwarding and Red Hat In-Reply-To: <20000518212805.A19444@folly.informatik.uni-erlangen.de>; from markus.friedl@informatik.uni-erlangen.de on Thu, May 18, 2000 at 09:28:05PM +0200 References: <20000518111453.K1980@alcove.wittsend.com> <20000518115746.A14885@alcove.wittsend.com> <20000518212805.A19444@folly.informatik.uni-erlangen.de> Message-ID: <20000518145201.C16277@alcove.wittsend.com> On Thu, May 18, 2000 at 09:28:05PM +0200, Markus Friedl wrote: > does this help? Yes... That appears to fix my problem. > Index: session.c > =================================================================== > RCS file: /home/markus/cvs/ssh/session.c,v > retrieving revision 1.12 > diff -u -r1.12 session.c > --- session.c 2000/05/03 18:03:07 1.12 > +++ session.c 2000/05/18 19:18:53 
> @@ -949,13 +953,20 @@ > else { > /* Add authority data to .Xauthority if appropriate. */ > if (auth_proto != NULL && auth_data != NULL) { > - if (debug_flag) > + char *screen = strchr(display, ':'); > + if (debug_flag) { > fprintf(stderr, "Running %.100s add %.100s %.100s %.100s\n", > - XAUTH_PATH, display, auth_proto, auth_data); > - > + XAUTH_PATH, display, auth_proto, auth_data); > + if (screen != NULL) > + fprintf(stderr, "Adding %.*s/unix%s %s %s\n", > + screen-display, display, screen, auth_proto, auth_data); > + } > f = popen(XAUTH_PATH " -q -", "w"); > if (f) { > fprintf(f, "add %s %s %s\n", display, auth_proto, auth_data); > + if (screen != NULL) > + fprintf(f, "add %.*s/unix%s %s %s\n", > + screen-display, display, screen, auth_proto, auth_data); > pclose(f); > } else > fprintf(stderr, "Could not run %s -q -\n", XAUTH_PATH); -- Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com (The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! From bds at jhb.ucs.co.za Fri May 19 06:21:56 2000 
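The "X11 connection uses different authentication protocol" line in the traces above is sshd's verdict on the first bytes the X client sends: the connection setup message names the authorization protocol and carries the cookie, and sshd checks both against the fake cookie it handed out before relaying anything, which is why a client that cannot find a cookie for its display form (the host/unix:screen entry Markus's patch adds) is rejected at this point. As an added example that is not OpenSSH's channels.c code, this checker parses that setup message in either byte order and reports which of the two checks failed; the verdict names, the demo cookie and the x11_* helper names are this example's own.

```c
#include <stddef.h>
#include <string.h>

/* Verdicts (this example's own names): NEED_MORE = setup message incomplete,
 * PROTO_MISMATCH = the "different authentication protocol" case in the trace. */
enum x11_verdict { X11_NEED_MORE = 0, X11_OK = 1, X11_BAD_BYTE_ORDER = 2,
                   X11_PROTO_MISMATCH = 3, X11_COOKIE_MISMATCH = 4 };

static const char X11_PROTO_NAME[] = "MIT-MAGIC-COOKIE-1";

/* Constructed 16-byte cookie standing in for the fake cookie sshd hands out. */
const unsigned char X11_DEMO_COOKIE[16] = { 0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xfe,
                                            0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };

static size_t pad4(size_t n) { return (n + 3) & ~(size_t)3; }

static unsigned get16(const unsigned char *p, int msb_first)
{
    return msb_first ? ((unsigned)p[0] << 8) | p[1] : ((unsigned)p[1] << 8) | p[0];
}

static void put16(unsigned char *p, unsigned v, int msb_first)
{
    p[msb_first ? 0 : 1] = (unsigned char)(v >> 8);
    p[msb_first ? 1 : 0] = (unsigned char)(v & 0xff);
}

/* Constant-time compare: the cookie is a secret, so do not leak where it differs. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    size_t i;
    for (i = 0; i < n; i++)
        diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Parse the 12-byte header of the X11 client setup message (byte order, version,
 * name length, data length), then the 4-byte-padded authorization-protocol-name
 * and -data, and check them against the expected protocol and cookie. */
enum x11_verdict x11_check_setup(const unsigned char *buf, size_t len,
                                 const unsigned char *cookie, size_t cookie_len)
{
    int msb_first;
    unsigned proto_len, data_len;
    const unsigned char *data;

    if (len < 12)
        return X11_NEED_MORE;
    if (buf[0] != 'B' && buf[0] != 'l')
        return X11_BAD_BYTE_ORDER;
    msb_first = (buf[0] == 'B');
    proto_len = get16(buf + 6, msb_first);
    data_len = get16(buf + 8, msb_first);
    if (len < 12 + pad4(proto_len) + pad4(data_len))
        return X11_NEED_MORE; /* name/data not fully received yet */
    if (proto_len != strlen(X11_PROTO_NAME) ||
        memcmp(buf + 12, X11_PROTO_NAME, proto_len) != 0)
        return X11_PROTO_MISMATCH;
    data = buf + 12 + pad4(proto_len);
    if (data_len != cookie_len || !ct_equal(data, cookie, cookie_len))
        return X11_COOKIE_MISMATCH;
    return X11_OK;
}

/* Build a setup message the way an X client does; used to construct samples. */
size_t x11_build_setup(unsigned char *out, size_t outlen, int msb_first,
                       const char *proto, const unsigned char *data, size_t data_len)
{
    size_t plen = strlen(proto);
    size_t need = 12 + pad4(plen) + pad4(data_len);
    if (outlen < need)
        return 0;
    memset(out, 0, need);
    out[0] = msb_first ? 'B' : 'l';
    put16(out + 2, 11, msb_first); /* protocol-major-version */
    put16(out + 4, 0, msb_first);  /* protocol-minor-version */
    put16(out + 6, (unsigned)plen, msb_first);
    put16(out + 8, (unsigned)data_len, msb_first);
    memcpy(out + 12, proto, plen);
    if (data_len > 0)
        memcpy(out + 12 + pad4(plen), data, data_len);
    return need;
}

/* Build a message with the given protocol name and cookie, optionally feed only
 * its first truncate_to bytes, and check it against X11_DEMO_COOKIE. */
int x11_demo(int msb_first, const char *proto, const unsigned char *cookie,
             size_t cookie_len, size_t truncate_to)
{
    unsigned char msg[128];
    size_t n = x11_build_setup(msg, sizeof msg, msb_first, proto, cookie, cookie_len);
    if (n == 0)
        return -1;
    if (truncate_to > 0 && truncate_to < n)
        n = truncate_to;
    return (int)x11_check_setup(msg, n, X11_DEMO_COOKIE, sizeof X11_DEMO_COOKIE);
}
```

A client that found no .Xauthority entry for its display sends an empty protocol name and no data, which is the X11_PROTO_MISMATCH path; a client with a stale cookie takes the X11_COOKIE_MISMATCH path instead.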
From: bds at jhb.ucs.co.za (Berend De Schouwer) Date: Thu, 18 May 2000 22:21:56 +0200 (SAST) Subject: SSH v2 known-hosts problem. In-Reply-To: <20000518172341.A14582@folly.informatik.uni-erlangen.de> Message-ID: <200005182020.WAA11851@jhb.ucs.co.za> On 18 May, Markus Friedl wrote: > could you please send me the public key? (and the private key if > you want to generate a new host key) Okay, here they are. The server's key was regenerated, and the machines are not reachable over the Internet anyway. I hope people will forgive the attachments: they are tiny. I'd like to point out that it works fine with the new public/private key. The file looks identical in format and size - but of course a different key. > On Thu, May 18, 2000 at 05:04:34PM +0200, Berend De Schouwer wrote: >> When I connect from machine A to machine B, using ssh protocol 2, both >> running openssh2.1.0, there is a problem with comparing server DSA >> public keys to ~/.ssh/known_hosts2. >> >> The first time, it says >> The authenticity of host 'B' can't be established. >> DSA key fingerprint is blah-blah-blah >> Are you sure you want to continue connecting (yes/no)? >> >> If I type 'yes', it gets added to ~/.ssh/known_hosts2. >> (as it should). An entry gets added like: >> B,1.2.3.4 ssh-dss blah-blah-blah >> >> However, if I disconnect and connect again, it still says: >> The authenticity of host 'B' can't be established. >> DSA key fingerprint is blah-blah-blah >> Are you sure you want to continue connecting (yes/no)? >> >> If I say yes, it creates an identical second line to >> ~/.ssh/known_hosts2. Somewhere a comparison isn't working. >> >> An strace indicates that the ssh client indeed reads >> ~/.ssh/known-hosts2. The entry looks like the system B >> ssh_host_dsa_key.pub, so I assume the server is sending its DSA key. 
>>
>>
>> --
>> Kind regards,
>> Berend
>>
>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>> Berend De Schouwer, +27-11-712-1435, UCS
>>
>>

--
Kind regards,
Berend

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Berend De Schouwer, +27-11-712-1435, UCS

From garrick at james.net Fri May 19 08:16:11 2000
From: garrick at james.net (Garrick James)
Date: Thu, 18 May 2000 15:16:11 -0700 (PDT)
Subject: 2.1.0p1
Message-ID:

> on a make install, I'm getting:
>
> if [ -f ssh_prng_cmds -a ! -z "yes" ]; then \
> /bin/perl fixprogs ssh_prng_cmds ; \
> ./install-sh -c -m 644 ssh_prng_cmds.out > /usr/local/etc/ssh_prng_cmds; \ fi
> Can't open perl script "fixprogs": No such file or directory

I am getting the same thing, too (on Solaris 2.6). Does anyone know what/where fixprogs is?

-Garrick James

From jeff at eros.cis.jhu.edu Fri May 19 10:18:51 2000
From: jeff at eros.cis.jhu.edu (Jeff Homer) Date: Thu, 18 May 2000 20:18:51 -0400 Subject: WCOREDUMP Message-ID: (please Cc: your reply to jeff at cis.jhu.edu) hey :) I was trying to build 2.1 on AIX 4.3.3, and got an undefined symbol: ld: 0711-317 ERROR: Undefined symbol: .WCOREDUMP from wait(2): STANDARDS The wait() and waitpid() functions are defined by POSIX; wait4() and wait3() are not specified by POSIX. The WCOREDUMP() macro and the ability to restart a pending wait() call are extensions to the POSIX interface. Jeff :) "Very funny Scotty, now beam me down my clothes." {========================================================} | Jeff Homer Systems Admin | | | | Center for Imaging Science 410-516-7551 (ph) | | Whiting School of Engineering 410-516-4594 (fax) | | Johns Hopkins University jeff at cis.jhu.edu | | Baltimore MD | | | | rednoise at rednoise.net | {========================================================} From J.Horne at plymouth.ac.uk Fri May 19 22:03:01 2000 
From: J.Horne at plymouth.ac.uk (John Horne) Date: Fri, 19 May 2000 13:03:01 +0100 (BST) Subject: on Solaris, "couldn't wait for child '...' completion: No child processes" Message-ID: Emanuel Borsboom wrote: > Trying to install the portable OpenSSH on Solaris 2.6. Compiling from > openssh-2.1.0.tar.gz using gcc. Compiles and installs fine. sshd > starts fine. First connection from another system works. Child sshd is > forked, but the parent dies and logs: > > May 16 11:40:56 qtrade-dev sshd[6510]: error: Couldn't wait for child > '/usr=/bin/ls -alni' completion: No child processes > May 16 11:40:56 qtrade-dev last message repeated 3 times > May 16 11:40:56 qtrade-dev sshd[6510]: error: -1 Command '/usr/bin/ls > -alni=': select() failed: Interrupted system call > May 16 11:40:56 qtrade-dev sshd[6510]: error: Couldn't wait for child > '/usr=/bin/ls -alni' completion: No child processes > [rest snipped] I too get this on a Sun Ultra 10, Solaris 8 using SSL 0.9.5a; SSH 2.1.0 and gcc version 2.95.2. I'll take a look, but don't expect anything since I'm not really a C programmer! (sorry) Regards, John. -------------------------------------------------------------------------- John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914 E-mail: jhorne at plymouth.ac.uk PGP key available from public key servers From Norbert.Bladt at adi.ch Fri May 19 23:23:19 2000 
From: Norbert.Bladt at adi.ch (Bladt Norbert)
Date: Fri, 19 May 2000 15:23:19 +0200
Subject: Solved: on Solaris, "couldn't wait for child '...' completion: No child processes"
Message-ID: <81614DB47363D211A94A0008C71ECDD85CAB7D@naibe03.adi.ch>

> John Horne [SMTP:J.Horne at plymouth.ac.uk] wrote:
> > Emanuel Borsboom wrote:
>> Trying to install the portable OpenSSH on Solaris 2.6. Compiling from
>> openssh-2.1.0.tar.gz using gcc. Compiles and installs fine. sshd
>> starts fine. First connection from another system works. Child sshd is
>> forked, but the parent dies and logs:
>>
>> May 16 11:40:56 qtrade-dev sshd[6510]: error: Couldn't wait for child
>> '/usr=/bin/ls -alni' completion: No child processes
>> May 16 11:40:56 qtrade-dev last message repeated 3 times
>> May 16 11:40:56 qtrade-dev sshd[6510]: error: -1 Command '/usr/bin/ls
>> -alni=': select() failed: Interrupted system call
>> May 16 11:40:56 qtrade-dev sshd[6510]: error: Couldn't wait for child
>> '/usr=/bin/ls -alni' completion: No child processes
>>
>[rest snipped]
> I too get this on a Sun Ultra 10, Solaris 8 using SSL 0.9.5a; SSH 2.1.0 and
> gcc version 2.95.2. I'll take a look, but don't expect anything since I'm
> not really a C programmer! (sorry)

Me too on Solaris 7.
However, I am a C programmer and I was able to fix it.
The timeout ("interrupted system call" message above)
occurs because the timeout for the entropy commands is
too small (100 msec).
I raised it to 2000 msec (500 msec was too small, too)
and now it works without these error messages.
The message "No child process" is a consequence of the
interrupted system call message.

The location to fix is in config.h:

/* Builtin PRNG command timeout */
#define ENTROPY_TIMEOUT_MSEC 100

I changed the original 100 to 2000, did a "make sshd" and that's it.

Hope this helps,

Norbert.

P.S.
The real fix for the next release would be to either ask for the timeout value, determine it automagically in some way or change the hard-coded value of 100 in the "configure" script to something more reasonable. -- Norbert Bladt ATAG debis Informatik, TZ1 - Z364 Industriestrasse 1, CH 3052-Zollikofen E-Mail: norbert.bladt at adi.ch Tel.: +41 31 915 3964 Fax: +41 31 915 3640 From andre.lucas at dial.pipex.com Sat May 20 00:20:26 2000 
From: andre.lucas at dial.pipex.com (Andre Lucas) Date: Fri, 19 May 2000 15:20:26 +0100 Subject: Solved: on Solaris, "couldn't wait for child '...' completion: Nochild processes" References: <81614DB47363D211A94A0008C71ECDD85CAB7D@naibe03.adi.ch> Message-ID: <39254DAA.6939A473@dial.pipex.com> No! The error message is because I used 'error()' instead of 'debug()'. That's changed in the 2.1.0p1 release, I believe. (I don't have access to it right now.) This was discussed last week for 2.1.0 - just change error() to debug() for those two messages. If you're not using 2.1.0p1, please check it out - other bugs are fixed there too. I'll post a cure for the 'missing fixprogs' problem later today, just install ssh_prng_cmds manually until then. Don't set the timeout so high. It's too much of a delay even with the delay at 100ms. 2.1.0p1 calculates the timeout differently, too. Work is under way to reduce the builtin PRNG delay to something that you won't notice. Expect a patch soon. Those error messages are just noise. Ta, -Andre' Bladt Norbert wrote: > > > John Horne [SMTP:J.Horne at plymouth.ac.uk] wrote: > > > > Emanuel Borsboom wrote: > >> Trying to install the portable OpenSSH on Solaris 2.6. Compiling from > >> openssh-2.1.0.tar.gz using gcc. Compiles and installs fine. sshd > >> starts fine. First connection from another system works. 
Child sshd is > >> forked, but the parent dies and logs: > >> > >> May 16 11:40:56 qtrade-dev sshd[6510]: error: Couldn't wait for child > >> '/usr=/bin/ls -alni' completion: No child processes > >> May 16 11:40:56 qtrade-dev last message repeated 3 times > >> May 16 11:40:56 qtrade-dev sshd[6510]: error: -1 Command '/usr/bin/ls > >> -alni=': select() failed: Interrupted system call > >> May 16 11:40:56 qtrade-dev sshd[6510]: error: Couldn't wait for child > >> '/usr=/bin/ls -alni' completion: No child processes > >> > >[rest snipped] > > > I too get this on a Sun Ultra 10, Solaris 8 using SSL 0.9.5a; SSH 2.1.0 > and > > gcc version 2.95.2. I'll take a look, but don't expect anything since I'm > > not really a C programmer! (sorry) > Me too on Solaris 7. > However, I am a C programmer and I was able to fix it. > The timeout ("interrupted system call" message above) > occurs because the timeout for the entropy commands is > to small (100 msec). > I raised it to 2000 msec (500 msec was too small, too) > and now it works without these error messages. > The messages "No child process" is a consequence of the > interrupted system call message. > > The location to fix is in config.h: > > /* Builtin PRNG command timeout */ > #define ENTROPY_TIMEOUT_MSEC 100 > > I changed the original 100 to 2000, did a "make sshd" and that's it. > > Hope this helps, > > Norbert. > > P.S. The real fix for the next release would be to either > ask for the timeout value, determine it automagically in > some way or change the hard-coded value of 100 in the "configure" > script to something more reasonable. > > -- > Norbert Bladt > ATAG debis Informatik, TZ1 - Z364 > Industriestrasse 1, CH 3052-Zollikofen > E-Mail: norbert.bladt at adi.ch Tel.: +41 31 915 3964 Fax: +41 31 915 3640 From Norbert.Bladt at adi.ch Sat May 20 00:28:12 2000 
From: Norbert.Bladt at adi.ch (Bladt Norbert) Date: Fri, 19 May 2000 16:28:12 +0200 Subject: AW: Solved: on Solaris, "couldn't wait for child '...' completion : Nochild processes" Message-ID: <81614DB47363D211A94A0008C71ECDD85CAB7E@naibe03.adi.ch> > Andre Lucas [SMTP:andre.lucas at dial.pipex.com] wrote: > > No! The error message is because I used 'error()' instead of 'debug()'. > That's changed in the 2.1.0p1 release, I believe. (I don't have access > to it right now.) This was discussed last week for 2.1.0 - just change > error() to debug() for those two messages. Sorry, you are completely right. I noticed it right now myself, that this is not the real fix. Regards, Norbert Bladt. -- Norbert Bladt ATAG debis Informatik, TZ1 - Z302 Industriestrasse 1, CH 3052-Zollikofen E-Mail: norbert.bladt at adi.ch Tel.: +41 31 915 3964 Fax: +41 31 915 3640 From acox at cv.telegroup.com Sat May 20 00:41:13 2000 
From: acox at cv.telegroup.com (Aran Cox) Date: Fri, 19 May 2000 16:41:13 +0200 Subject: SCO OS 5.0.5, issues was Re: Solved: on Solaris, "couldn't wait for child '...' completion: Nochild processes" References: <81614DB47363D211A94A0008C71ECDD85CAB7D@naibe03.adi.ch> Message-ID: <39255289.3C3AE35E@cv.telegroup.com> I am seeing these same errors when using the built-in RNG. I raised the delay as suggested and it didn't change anything on my system. I am trying to get 2.1.0 to function on SCO OS 5.0.5 using the SCO development environment. Before I get into my troubles with the couldn't wait for child errors I'll lay out what I did to get ssh-2.1.0 to run on SCO OS: Had to define MAXPATHLEN in defines.h. I defined it as 1024. I couldn't figure out where this is defined in SCO OS, but I think I found MAXPATHLEN to be defined in /udk/usr/include/sys/param.h as 1024, so I added it to define.h by hand. If HAVE_DEV_PTMX is defined, code in pty.c (function pty_alloc) is used that seems to be designed for Solaris 2.X. The header above the code is /* * This code is used e.g. on Solaris 2.x. (Note that Solaris 2.3 * also has bsd-style ptys, but they simply do not work.) */ It tries to use device names like /dev/pts000 and the code in pty_make_controlling_tty to fail. Specifically this code fails: /* Verify that we now have a controlling tty. */ fd = open("/dev/tty", O_WRONLY); if (fd < 0) error("open /dev/tty failed - could not set controlling tty: %.100s", strerror(errno)); else { close(fd); } Causing this message to be generated by the sshd when run with the -d option: error: open /dev/tty failed - could not set controlling tty: No such device or address This doesn't stop openssh from functioning, but I can't issue the resize command and that's a problem. If I alter the config.h line that defines HAVE_DEV_PTMX to: #undef HAVE_DEV_PTMX then it compiles with code that seems to work exactly as expected, choosing tty device names like /dev/ttyp8. 
I don't know what to think about the /dev/pts* problem. Is it possible that /dev/pts* aren't tty's? Or are SCO OpenServers /dev/pts* devices broken just as the comment states that Solaris 2.3's are? Or is it simply that there is another method for releasing/setting controlling tty's under SCO? The Couldn't wait for child error messages is generated after a failed call to waitpid. Now, in the initial sshd process the commands issued to gather entropy exit and become zombies. As a consequence the waitpid call returns as expected. In the forked sshd processes spawned to handle an incoming connection, the processes do not become zombies, they just exit causing the subsequent call to waitpid to fail. At least, that's been my experience under SCO OS 5.0.5 This behaviour is also visible under linux if you use the built-in entropy generation code. Now, SCO OS 5.0.5 also fills the log with another error message which linux doesn't show. The sshd child (again not the master daemon, just the daemons spawned to handle connections) generates these error messages: May 19 09:32:15 ohare sshd[16872]: error: Command '/bin/df -i': select() failed: Interrupted system call These errors immediately precede the couldn't wait for child messages. And I assume they are being caused by the same thing. I realize I didn't supply any patches to fix the first two issues (MAXPATHLEN, PTY stuff), I'm a bit unfamiliar with autoconf just yet and I only have access to SCO machines while I'm at work (where I have a long list of things the boss actually wants me to be working on.) However, I will be looking in to what is up with the failed waitpid calls (under linux) and can hopefully figure it out this weekend. Bladt Norbert wrote: > > > John Horne [SMTP:J.Horne at plymouth.ac.uk] wrote: > > > > Emanuel Borsboom wrote: > >> Trying to install the portable OpenSSH on Solaris 2.6. Compiling from > >> openssh-2.1.0.tar.gz using gcc. Compiles and installs fine. sshd > >> starts fine. 
First connection from another system works. Child sshd is > >> forked, but the parent dies and logs: > >> > >> May 16 11:40:56 qtrade-dev sshd[6510]: error: Couldn't wait for child > >> '/usr=/bin/ls -alni' completion: No child processes > >> May 16 11:40:56 qtrade-dev last message repeated 3 times > >> May 16 11:40:56 qtrade-dev sshd[6510]: error: -1 Command '/usr/bin/ls > >> -alni=': select() failed: Interrupted system call > >> May 16 11:40:56 qtrade-dev sshd[6510]: error: Couldn't wait for child > >> '/usr=/bin/ls -alni' completion: No child processes > >> > >[rest snipped] > > > I too get this on a Sun Ultra 10, Solaris 8 using SSL 0.9.5a; SSH 2.1.0 > and > > gcc version 2.95.2. I'll take a look, but don't expect anything since I'm > > not really a C programmer! (sorry) > Me too on Solaris 7. > However, I am a C programmer and I was able to fix it. > The timeout ("interrupted system call" message above) > occurs because the timeout for the entropy commands is > to small (100 msec). > I raised it to 2000 msec (500 msec was too small, too) > and now it works without these error messages. > The messages "No child process" is a consequence of the > interrupted system call message. > > The location to fix is in config.h: > > /* Builtin PRNG command timeout */ > #define ENTROPY_TIMEOUT_MSEC 100 > > I changed the original 100 to 2000, did a "make sshd" and that's it. > > Hope this helps, > > Norbert. > > P.S. The real fix for the next release would be to either > ask for the timeout value, determine it automagically in > some way or change the hard-coded value of 100 in the "configure" > script to something more reasonable. > > -- > Norbert Bladt > ATAG debis Informatik, TZ1 - Z364 > Industriestrasse 1, CH 3052-Zollikofen > E-Mail: norbert.bladt at adi.ch Tel.: +41 31 915 3964 Fax: +41 31 915 3640 -- Aran Cox Engineering Telegroup Coralville - Coral Center From J.Horne at plymouth.ac.uk Sat May 20 01:48:33 2000 
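Norbert's timeout bump, Andre's remark that 2.1.0p1 charges the timeout differently, and Aran's observation that waitpid() fails in the forked sshd all concern the code that runs each ssh_prng_cmds entry: how the per-command budget is spent, what EINTR from select() means, and what a failed waitpid() means. As an added example that is not OpenSSH's entropy.c, here is a runner that charges the budget cumulatively over the whole command, retries select()/read() on EINTR instead of logging "Interrupted system call", and treats ECHILD from waitpid() as "already reaped" (the result of a SIG_IGN disposition for SIGCHLD, which is one way the child sshd's entropy commands never become zombies) rather than as a failure; the ENT_* codes, the demo helpers and the self-check paths /bin/echo and /bin/sleep are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes; the names are this example's own, not OpenSSH's. */
enum { ENT_OK = 0, ENT_TIMEOUT = 1, ENT_EXEC_FAILED = 2, ENT_ERROR = 3 };

/* Milliseconds since *start: one budget for the whole command, not a fresh one
 * after every select() return. */
static long elapsed_msec(const struct timeval *start)
{
    struct timeval now;
    gettimeofday(&now, NULL);
    return (now.tv_sec - start->tv_sec) * 1000L + (now.tv_usec - start->tv_usec) / 1000L;
}

/* Run path/argv with stdout on a pipe, collect up to buflen bytes within
 * timeout_msec, then reap the child.  EINTR from select()/read()/waitpid() is
 * retried, not reported; ECHILD from waitpid() is accepted, because that is what
 * you get when SIGCHLD is SIG_IGN and the kernel has already reaped the child. */
int run_entropy_command(const char *path, char *const argv[], long timeout_msec,
                        unsigned char *buf, size_t buflen, size_t *nread)
{
    int pfd[2], status, rc = ENT_OK;
    struct timeval start;
    pid_t pid;

    *nread = 0;
    if (pipe(pfd) == -1)
        return ENT_ERROR;
    if ((pid = fork()) == -1) {
        close(pfd[0]); close(pfd[1]);
        return ENT_ERROR;
    }
    if (pid == 0) { /* child: stdin/stderr -> /dev/null, stdout -> pipe, exec */
        int devnull = open("/dev/null", O_RDWR);
        if (devnull != -1) { dup2(devnull, STDIN_FILENO); dup2(devnull, STDERR_FILENO); close(devnull); }
        dup2(pfd[1], STDOUT_FILENO); close(pfd[0]); close(pfd[1]);
        execv(path, argv);
        _exit(127); /* reached only if exec failed */
    }
    close(pfd[1]);
    gettimeofday(&start, NULL);
    while (*nread < buflen) {
        fd_set rfds;
        struct timeval tv;
        ssize_t n;
        int r;
        long left = timeout_msec - elapsed_msec(&start);
        if (left <= 0) { rc = ENT_TIMEOUT; break; }
        FD_ZERO(&rfds);
        FD_SET(pfd[0], &rfds);
        tv.tv_sec = left / 1000;
        tv.tv_usec = (left % 1000) * 1000;
        r = select(pfd[0] + 1, &rfds, NULL, NULL, &tv);
        if (r == -1 && errno == EINTR)
            continue; /* e.g. SIGCHLD arrived: not an error, retry with what is left */
        if (r == -1) { rc = ENT_ERROR; break; }
        if (r == 0) { rc = ENT_TIMEOUT; break; }
        n = read(pfd[0], buf + *nread, buflen - *nread);
        if (n == -1 && errno == EINTR)
            continue;
        if (n == -1) { rc = ENT_ERROR; break; }
        if (n == 0)
            break; /* EOF: the command is done */
        *nread += (size_t)n;
    }
    close(pfd[0]);
    if (rc == ENT_TIMEOUT)
        kill(pid, SIGKILL); /* never leave a hung entropy command behind */
    while (waitpid(pid, &status, 0) == -1) {
        if (errno == EINTR)
            continue;
        return errno == ECHILD ? rc : ENT_ERROR; /* ECHILD: already reaped, see above */
    }
    if (rc == ENT_OK && WIFEXITED(status) && WEXITSTATUS(status) == 127)
        rc = ENT_EXEC_FAILED;
    return rc;
}

/* Self-check: "/bin/echo hello" (assumed to exist); returns bytes read, -1 on failure.
 * With ignore_sigchld set this is Aran's case: SIGCHLD is SIG_IGN, the kernel
 * auto-reaps the child and waitpid() reports ECHILD, yet the run still succeeds. */
int demo_echo(int ignore_sigchld)
{
    char *const argv[] = { "echo", "hello", NULL };
    unsigned char buf[64];
    size_t n;
    void (*old)(int) = signal(SIGCHLD, ignore_sigchld ? SIG_IGN : SIG_DFL);
    int rc = run_entropy_command("/bin/echo", argv, 2000, buf, sizeof buf, &n);
    signal(SIGCHLD, old);
    return rc == ENT_OK && n == 6 && memcmp(buf, "hello\n", 6) == 0 ? (int)n : -1;
}

/* Self-check: run path with one argument against timeout_msec and return the code. */
int demo_rc(const char *path, const char *arg, long timeout_msec)
{
    char *const argv[] = { (char *)path, (char *)arg, NULL };
    unsigned char buf[64];
    size_t n;
    return run_entropy_command(path, argv, timeout_msec, buf, sizeof buf, &n);
}
```

demo_rc("/bin/sleep", "5", 100) shows the 100 ms budget expiring against a slow command, and a path that does not exist comes back as ENT_EXEC_FAILED instead of being mistaken for an empty-output success.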
From: J.Horne at plymouth.ac.uk (John Horne) Date: Fri, 19 May 2000 16:48:33 +0100 (BST) Subject: Solved: on Solaris, "couldn't wait for child '...' completio In-Reply-To: <39254DAA.6939A473@dial.pipex.com> Message-ID: On 19-May-00 at 14:20:26 Andre Lucas wrote: > If you're not using 2.1.0p1, please check it out - other bugs are fixed > there too. I'll post a cure for the 'missing fixprogs' problem later > today, just install ssh_prng_cmds manually until then. > Many thanks to the people who have replied with fixes. I noticed that 'configure' had a '--with-entropy-timeout' option which could be used to set the value as well. I have obtained 2.1.0p1 and it seems to work fine. Next problem though is that it (sshd I assume) seems to create /var/adm/utmp. I ran configure with '--with-utmpx' which is fine (to use utmpx) but utmp itself shouldn't be present. The Solaris man page says: The utmp and wtmp database files are obsolete and are no longer present on the system. They have been superseded by the extended database contained in the utmpx and wtmpx data- base files. See utmpx(4). It is possible for /var/adm/utmp to reappear on the system. This would most likely occur if a third party application that still uses utmp recreates the file if it finds it miss- ing. This file should not be allowed to remain on the sys- tem. The user should investigate to determine which applica- tion is recreating this file. The file does remain on the system and gets flagged as an error: May 19 08:03:39 bb /usr/lib/utmpd[223]: [ID 268571 daemon.warning] WARNING: /var/adm/utmp exists! once per hour on the system. I could change syslog so as not to see the message, but I think that is getting round it and not solving it. Many thanks, John. 
-------------------------------------------------------------------------- John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914 E-mail: jhorne at plymouth.ac.uk PGP key available from public key servers From smang at cs.jhu.edu Sat May 20 04:45:06 2000 
From: smang at cs.jhu.edu (Stefan Mangard) Date: Fri, 19 May 2000 14:45:06 -0400 (EDT) Subject: openSSH2.1.0 Message-ID: Hi, I just installed openSSH2.1.0 an a linux system and tried to connect to a server running an SSH2 server. Unfortunately I wasn't able to connect because of a signature error. I am connecting to the host for the first time. Does anybody know, why I have this problem and why I can't connect? Thanks, Stefan Mangard Here is the debug output: [smang at grad1 bin]$ ssh -2 -v galaxy.acm.jhu.edu SSH Version OpenSSH-2.1, protocol versions 1.5/2.0. Compiled with SSL (0x0090581f). debug: Reading configuration data /home/smang/etc/ssh_config debug: Applying options for * debug: ssh_connect: getuid 544 geteuid 544 anon 1 debug: Connecting to galaxy.acm.jhu.edu [128.220.223.65] port 22. debug: Connection established. debug: Remote protocol version 1.99, remote software version 2.0.13 (non-commercial) datafellows: 2.0.13 (non-commercial) Enabling compatibility mode for protocol 2.0 debug: Local version string SSH-2.0-OpenSSH-2.1 debug: Sending KEX init. debug: Seeding random number generator debug: done debug: got kexinit string: diffie-hellman-group1-sha1 debug: got kexinit string: ssh-dss debug: got kexinit string: 3des-cbc,blowfish-cbc,twofish-cbc,arcfour,none debug: got kexinit string: 3des-cbc,blowfish-cbc,twofish-cbc,arcfour,none debug: got kexinit string: hmac-md5,md5-8,none debug: got kexinit string: hmac-md5,md5-8,none debug: got kexinit string: none,zlib debug: got kexinit string: none,zlib debug: got kexinit string: debug: got kexinit string: debug: first kex follow == 0 debug: reserved == 0 debug: done read kexinit debug: kex: server->client 3des-cbc hmac-md5 none debug: kex: client->server 3des-cbc hmac-md5 none debug: Sending SSH2_MSG_KEXDH_INIT. debug: bits set: 531/1024 debug: Wait SSH2_MSG_KEXDH_REPLY. debug: Got SSH2_MSG_KEXDH_REPLY. debug: keytype ssh-dss The authenticity of host 'galaxy.acm.jhu.edu' can't be established. 
DSA key fingerprint is 6a:1d:ca:98:3f:cb:1a:ac:a7:ba:3f:60:51:8d:39:7d. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'galaxy.acm.jhu.edu,128.220.223.65' (DSA) to the list of known hosts. debug: bits set: 510/1024 debug: len 40 datafellows 15 debug: dsa_verify: signature incorrect dsa_verify failed for server_host_key debug: Calling cleanup 0x8059884(0x0) From andre.lucas at dial.pipex.com Sat May 20 06:48:27 2000 
From: andre.lucas at dial.pipex.com (Andre Lucas) Date: Fri, 19 May 2000 21:48:27 +0100 Subject: I present: The Elusive 'fixprogs' script Message-ID: <20000519214827.D19642@internal.domain> Hi, Here's the 'fixprogs' perl script that got missed off the 2.1.0p1 distribution. Please put this in your openssh directory, and re-run 'make install'. It doesn't need to be made executable. For those interested, it runs through all the commands in the ssh_prng_cmds file and tests if they work (as opposed to 'configure' merely verifying that the executable exists, as it was before.) Commands that fail are marked and never run by openssh. There is primitive measurement of each command's entropy rate as well, but this may not survive the next release. Ta, -Andre' -- Andre Lucas -------------- next part --------------
#!/usr/bin/perl
#
# fixprogs - run through the list of entropy commands and
#            score out the losers
#

$entscale = 50; # divisor for optional entropy measurement

sub usage {
  return("Usage: $0 <infile>\n");
}

if (($#ARGV == -1) || ($#ARGV>1)) {
  die(&usage);
}

# 'undocumented' option - run ent (in second param) on the output
if ($#ARGV==1) {
  $entcmd=$ARGV[1]
} else {
  $entcmd = ""
};

$infilename = $ARGV[0];
if (!open(IN, "<".$infilename)) {
  die("Couldn't open input file");
}
$outfilename=$infilename.".out";
if (!open(OUT, ">$outfilename")) {
  die("Couldn't open output file $outfilename");
}
# slurp the whole ssh_prng_cmds file; each line is rewritten below
@infile=<IN>;

select(OUT); $|=1; select(STDOUT);

foreach (@infile) {
  # comments and blank lines are copied through untouched
  if (/^\s*\#/ || /^\s*$/) {
    print OUT;
    next;
  }
  # line format: "command args" /path/to/binary entropy-estimate
  ($cmd, $path, $est) = /^\"([^\"]+)\"\s+([\w\/_-]+)\s+([\d\.\-]+)/o;
  @args = split(/ /, $cmd);
  if (! ($pid = fork())) {
    # child: run the command with all output discarded; only the
    # exit status matters for the "does it work" test
    close STDIN; close STDOUT; close STDERR;
    open STDIN, "/dev/null";
    open STDOUT, ">/dev/null";
    open STDERR, ">/dev/null";
    exec $path @args;
    exit 1; # shouldn't be here
  }
  # parent
  waitpid ($pid, 0);
  $ret=$? >> 8;
  if ($ret != 0) {
    # non-zero exit: mark the path so openssh never runs this command
    $path = "undef";
  } else {
    if ($entcmd ne "") {
      # now try to run ent on the command
      $mostargs=join(" ", splice(@args,1));
      print "Evaluating '$path $mostargs'\n";
      @ent = qx{$path $mostargs | $entcmd -b -t};
      @ent = grep(/^1,/, @ent);
      ($null, $null, $rate) = split(/,/, $ent[0]);
      $est = $rate / $entscale; # scale the estimate back
    }
  }
  print OUT "\"$cmd\" $path $est\n";
}
close(IN);
From djm at mindrot.org Sat May 20 12:58:39 2000 From: djm at mindrot.org (Damien Miller) Date: Sat, 20 May 2000 12:58:39 +1000 (EST) Subject: Openssh-2.1.0p1 test release In-Reply-To: <20000519002042.A652@tehran.nmrc.ucc.ie> Message-ID: On Fri, 19 May 2000, Lars Hecking wrote: > Under Solaris 8, /var/tmp/utmp is gone, and only utmpx is > used. There is a utmp daemon to watch/update the latter. Actually, > a quick look into utmp(4) on Solaris 7 says the same thing, and > the utmp daemon is there as well, but I never noticed these syslog > messages before. The timestamp on the utmp file corresponds to the > time of my ssh login Does this patch help? Index: bsd-login.c =================================================================== RCS file: /var/cvs/openssh/bsd-login.c,v retrieving revision 1.11 diff -u -r1.11 bsd-login.c --- bsd-login.c 2000/05/17 12:53:34 1.11 +++ bsd-login.c 2000/05/20 02:55:51 @@ -73,7 +73,7 @@ int t = 0; struct utmp * u; -#ifdef HAVE_TYPE_IN_UTMP +#if defined(HAVE_TYPE_IN_UTMP) || defined(HAVE_TYPE_IN_UTMPX) setutent(); while((u = getutent()) != NULL) { 
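Review bot: The widened guard `#if defined(HAVE_TYPE_IN_UTMP) || defined(HAVE_TYPE_IN_UTMPX)` lets this block compile on a utmpx-only host, but the body it encloses is unchanged and still calls `setutent()` / `getutent()` over a `struct utmp * u`, i.e. it walks the classic utmp database, which is exactly the file the report says no longer exists on Solaris 8. If the intent is to find the tty slot through utmpx, this hunk needs a `struct utmpx *` with `setutxent()` / `getutxent()` under the HAVE_TYPE_IN_UTMPX case; otherwise keep the guard on HAVE_TYPE_IN_UTMP alone so the utmpx build skips the scan rather than reading a stale or missing file.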
@@ -123,16 +123,26 @@ */ tty = find_tty_slot(utp); +#ifdef USE_UTMPX + fd = open(_PATH_UTMPX, O_RDWR|O_CREAT, 0644); + if (fd == -1) { + log("Couldn't open %s: %s", _PATH_UTMPX, strerror(errno)); +#else /* USE_UTMPX */ fd = open(_PATH_UTMP, O_RDWR|O_CREAT, 0644); if (fd == -1) { log("Couldn't open %s: %s", _PATH_UTMP, strerror(errno)); +#endif /* USE_UTMPX */ } else { /* If no tty was found... */ if (tty == -1) { /* ... append it to utmp on login */ -#ifdef HAVE_TYPE_IN_UTMP +#if defined(HAVE_TYPE_IN_UTMP) || defined(HAVE_TYPE_IN_UTMPX) if (utp->ut_type == USER_PROCESS) { +#ifdef USE_UTMPX + if ((fd = open(_PATH_UTMPX, O_WRONLY|O_APPEND, 0)) >= 0) { +#else /* USE_UTMPX */ if ((fd = open(_PATH_UTMP, O_WRONLY|O_APPEND, 0)) >= 0) { +#endif /* USE_UTMPX */ (void)write(fd, utp, sizeof(struct utmp)); (void)close(fd); } Index: configure.in =================================================================== RCS file: /var/cvs/openssh/configure.in,v retrieving revision 1.123 diff -u -r1.123 configure.in --- configure.in 2000/05/17 13:29:18 1.123 +++ configure.in 2000/05/20 02:55:56 @@ -494,6 +494,7 @@ OSSH_CHECK_HEADER_FOR_FIELD(syslen, utmpx.h, HAVE_SYSLEN_IN_UTMPX) OSSH_CHECK_HEADER_FOR_FIELD(ut_pid, utmp.h, HAVE_PID_IN_UTMP) OSSH_CHECK_HEADER_FOR_FIELD(ut_type, utmp.h, HAVE_TYPE_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_type, utmpx.h, HAVE_TYPE_IN_UTMPX) OSSH_CHECK_HEADER_FOR_FIELD(ut_tv, utmp.h, HAVE_TV_IN_UTMP) OSSH_CHECK_HEADER_FOR_FIELD(ut_id, utmp.h, HAVE_ID_IN_UTMP) OSSH_CHECK_HEADER_FOR_FIELD(ut_addr, utmp.h, HAVE_ADDR_IN_UTMP) -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From vsync at quadium.net Sat May 20 19:15:29 2000 
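Review bot: In the new `#ifdef USE_UTMPX` append path the record written is still the old one: the context line `(void)write(fd, utp, sizeof(struct utmp));` now follows `open(_PATH_UTMPX, O_WRONLY|O_APPEND, 0)`, so a `struct utmp`-sized record is appended to the utmpx file, whose readers expect `struct utmpx` entries; the utmpx branch should fill and write a `struct utmpx` (or call `pututxline()`), since a wrong-sized record misaligns every entry after it. Separately, `USE_UTMPX` is tested three times in this file but nothing in the patch defines it (the configure.in hunk only adds `HAVE_TYPE_IN_UTMPX`); confirm it is set where utmpx support is detected, or the new branches never compile in.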
From: vsync at quadium.net (vsync) Date: 20 May 2000 03:15:29 -0600 Subject: patch to shell-check code Message-ID: <87hfbt37m6.fsf@quadium.net> A non-text attachment was scrubbed... Name: auth.diff Type: text/x-patch Size: 736 bytes Desc: auth.diff Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000520/cca27b63/attachment.bin From djm at mindrot.org Sat May 20 19:13:06 2000 From: djm at mindrot.org (Damien Miller) Date: Sat, 20 May 2000 19:13:06 +1000 (EST) Subject: Portable OpenSSH-2.1.0p2 Message-ID: This is to announce the availability of portable OpenSSH-2.1.0p2. This is a bug-fix release, addressing the following issues: - X authentication works again (thanks to Markus Friedl) - Don't touch utmp if utmpx is in use - Fix SIGCHLD problems on AIX and HPUX (Thanks to Tom Bertelson) - HPUX compile fixes (Thanks to Lutz Jaenicke) - Accept an empty shell in /etc/passwd - SunOS4 compile fixes. (Thanks to Todd C. Miller) From now on all portable releases will have a 'p' suffix to distinguish them from the official OpenBSD source. Thanks to all those who submitted bug reports and patches. Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From sxw at dcs.ed.ac.uk Sun May 21 00:21:27 2000 
From: sxw at dcs.ed.ac.uk (Simon Wilkinson) Date: Sat, 20 May 2000 15:21:27 +0100 (BST) Subject: Kerberos V5 integration Message-ID: <200005201421.PAA18045@canna.dcs.ed.ac.uk> Hi, This is just a quick note to let people know that I've _almost_ got Kerberos V5 working based on the patches posted to this list. I'm currently at the stage where Kerberos principals can be used to verify logins (ie Kerberos credentials are correctly passed), but I haven't (yet) got ticket forwarding to work - this is the next step! I've taken the original patches and updated them to the OpenSSH portable 2.1.0 release, replaced the calls to Heimdal specific routines, so it builds with the MIT libraries as well, and bug fixed a number of problems with the code. In particular anyone using the original patches should be careful that it doesn't check that a given principal can access a given local username, so allowing anyone with a valid principal for a domain to use -l to become any user. I'll send some patches once I've got the TGT passing working. Cheers, Simon From lhecking at nmrc.ucc.ie Sun May 21 02:04:07 2000 
From: lhecking at nmrc.ucc.ie (Lars Hecking) Date: Sat, 20 May 2000 17:04:07 +0100 Subject: Openssh-2.1.0p1 test release In-Reply-To: ; from djm@mindrot.org on Sat, May 20, 2000 at 12:58:39PM +1000 References: <20000519002042.A652@tehran.nmrc.ucc.ie> Message-ID: <20000520170407.A17144@tehran.nmrc.ucc.ie> Damien Miller writes: > On Fri, 19 May 2000, Lars Hecking wrote: > > > Under Solaris 8, /var/tmp/utmp is gone, and only utmpx is > > used. There is a utmp daemon to watch/update the latter. Actually, > > a quick look into utmp(4) on Solaris 7 says the same thing, and > > the utmp daemon is there as well, but I never noticed these syslog > > messages before. The timestamp on the utmp file corresponds to the > > time of my ssh login > > Does this patch help? I'm sorry, it doesn't. May 20 17:02:47 localhost sshd[17085]: [ID 800047 auth.error] error: fcntl(-1, F_GETFL, 0): Bad file number From djm at mindrot.org Sun May 21 02:14:25 2000 From: djm at mindrot.org (Damien Miller) Date: Sun, 21 May 2000 02:14:25 +1000 (EST) Subject: Openssh-2.1.0p1 test release In-Reply-To: <20000520170407.A17144@tehran.nmrc.ucc.ie> Message-ID: On Sat, 20 May 2000, Lars Hecking wrote: > > Does this patch help? > > I'm sorry, it doesn't. > > May 20 17:02:47 localhost sshd[17085]: [ID 800047 auth.error] error: > fcntl(-1, F_GETFL, 0): Bad file number That's a different error to the one that you were reporting earlier. Has the patch solved your utmp problems? BTW the above bug is fixed in the 2.1.0p2 release. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From dugsong at monkey.org Sun May 21 03:15:01 2000 
From: dugsong at monkey.org (Dug Song) Date: Sat, 20 May 2000 13:15:01 -0400 (EDT) Subject: Kerberos V5 integration In-Reply-To: <200005201421.PAA18045@canna.dcs.ed.ac.uk> Message-ID: On Sat, 20 May 2000, Simon Wilkinson wrote: > I've taken the original patches and updated them to the OpenSSH portable > 2.1.0 release, replaced the calls to Heimdal specific routines, so it > builds with the MIT libraries as well, and bug fixed a number of problems > with the code. be very careful here. i've not looked at heimdal, but the MIT krb5 code has historically had very bad interactions with the ssh-1.2.2x implementation, such that an unprivileged user could manually set their KRB5CCNAME environment variable to use someone else's ticket file, and the setuid root ssh client would happily comply (which is why tatu disabled krb5 support in the official distribution). let me know if this still works? :-) the KTH krb4 library used to provide krb4 support for ssh/OpenSSH never had this problem, as they make an explicit check for the setuid root case. we also need to find a way to make krb4 and krb5 support interoperate. in my original krb4 patch, i added version information to the ticket encoding, which glenn machin didn't use in his krb5 port to distinguish Kerberos types. we may be able to support both versions with a simple failover instead. -d. --- http://www.monkey.org/~dugsong/ From sxw at dcs.ed.ac.uk Sun May 21 04:38:55 2000 
From: sxw at dcs.ed.ac.uk (Simon Wilkinson) Date: Sat, 20 May 2000 19:38:55 +0100 (BST) Subject: Kerberos V5 integration In-Reply-To: Dug Song's message of Sat, 20 May 2000 13:15:01 -0400 (EDT) Message-ID: <200005201838.TAA26410@canna.dcs.ed.ac.uk> > i've not looked at heimdal, but the MIT krb5 code has historically had > very bad interactions with the ssh-1.2.2x implementation, such that an > unprivileged user could manually set their KRB5CCNAME environment variable > to use someone else's ticket file, and the setuid root ssh client would > happily comply (which is why tatu disabled krb5 support in the official > distribution). let me know if this still works? :-) Yup. You need to check that the ticket file is owned by and readable by the user who invoked ssh, not just that you can access it. I'm using a check on the ticket file before I pass it to the krb5 libraries. > we also need to find a way to make krb4 and krb5 support interoperate. in > my original krb4 patch, i added version information to the ticket > encoding, which glenn machin didn't use in his krb5 port to distinguish > Kerberos types. we may be able to support both versions with a simple > failover instead. Yes. The code that I've built from appears to add two new message types - #define SSH_AUTH_KRB5 29 #define SSH_PASS_KRB5_TGT 30 which it uses for Kerberos 5 support. In its original state ticket granting didn't work. I've now reworked this so that it works, but only if the TGT message comes before the AUTH one. This is all rather nasty at the moment, but it works. Once I've got the simple case going, it would be nice to look at collapsing back into a form that doesn't require protocol extensions like these. At present, I can authenticate a session using credential passing, and forward credentials. I'd quite like to add support for destroying forwarded credentials at log out as well. I'll probably tidy up and post the patches for review tomorrow. Cheers, Simon. 
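An added example of the ticket-file check that Simon describes above and that Dug Song's message attributes to the KTH krb4 library: a setuid-root client must validate the file named by KRB5CCNAME against the real (invoking) uid before handing it to the Kerberos libraries, not merely confirm that root can open it. This is illustrative code written for this archive page, not code from OpenSSH or from the Kerberos patches under discussion; the function names, the `FILE:`-prefix parsing, and the scratch files built by `demo()` are all constructed here, and none of the files is a real credential cache.

```python
import os
import shutil
import stat
import tempfile


def ccache_path_from_env(env):
    """Return the ticket-file path named by KRB5CCNAME, or None.

    Accepts the 'FILE:/path' form and a bare '/path'. Any other cache type
    (KCM:, DIR:, ...) is not a plain file and is left to its own handling.
    """
    val = env.get("KRB5CCNAME")
    if not val:
        return None
    ctype, sep, rest = val.partition(":")
    if sep and ctype.upper() != "FILE":
        return None
    return rest if sep else val


def open_ccache_for_real_user(path, real_uid=None):
    """Open a FILE: credential cache on behalf of the *real* (invoking) user.

    Returns an open read-only fd. Raises PermissionError when the file is not
    a regular file, is not owned by the real uid, is readable by group/other,
    or is unreadable by its owner; raises OSError for symlinks and open errors.
    Every check runs on the opened descriptor (fstat), not on the path, so a
    file swapped in between a separate stat() and the open() cannot slip past.
    """
    if real_uid is None:
        real_uid = os.getuid()   # real uid: geteuid() is 0 in a setuid-root client
    nofollow = getattr(os, "O_NOFOLLOW", 0)
    if not nofollow and stat.S_ISLNK(os.lstat(path).st_mode):
        raise OSError(f"{path}: symlinks are not accepted as a ticket file")
    fd = os.open(path, os.O_RDONLY | nofollow)   # O_NOFOLLOW refuses symlinks
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != real_uid:
            raise PermissionError(f"{path}: owned by uid {st.st_uid}, invoked by uid {real_uid}")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path}: mode {stat.S_IMODE(st.st_mode):o} grants group/other access")
        if not st.st_mode & stat.S_IRUSR:
            raise PermissionError(f"{path}: owner has no read permission")
        return fd
    except BaseException:
        os.close(fd)
        raise


def _rejected(path, **kw):
    """True if the check refuses the file (any OSError, PermissionError included)."""
    try:
        os.close(open_ccache_for_real_user(path, **kw))
    except OSError:
        return True
    return False


def demo():
    """Exercise the check on constructed files in a scratch directory.

    Returns (good_accepted, loose_mode_rejected, wrong_owner_rejected,
    symlink_rejected). The files are placeholders, not real ticket caches.
    """
    scratch = tempfile.mkdtemp(prefix="ccache-demo-")
    try:
        good = os.path.join(scratch, "krb5cc_good")
        loose = os.path.join(scratch, "krb5cc_loose")
        link = os.path.join(scratch, "krb5cc_link")
        for p in (good, loose):
            with open(p, "w") as f:
                f.write("constructed placeholder, not a real ticket file\n")
        os.chmod(good, 0o600)    # the mode kinit leaves on a fresh cache
        os.chmod(loose, 0o644)   # world-readable: must be refused
        os.symlink(good, link)

        os.close(open_ccache_for_real_user(good))
        good_accepted = True
        loose_rejected = _rejected(loose)
        # Same file, but pretend the invoking user is someone other than the
        # owner: this is the KRB5CCNAME-points-at-another-user's-cache case.
        owner_rejected = _rejected(good, real_uid=os.getuid() + 1)
        symlink_rejected = _rejected(link)
        return good_accepted, loose_rejected, owner_rejected, symlink_rejected
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

`os.access(path, os.R_OK)` would also answer "can the real user read this?" because access(2) evaluates the real uid, but it answers for the path at that instant; the fstat-on-the-descriptor form above answers for the file actually opened, which is the one the library will read.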
From mfisk at lanl.gov Sun May 21 07:06:27 2000 From: mfisk at lanl.gov (Mike Fisk) Date: Sat, 20 May 2000 21:06:27 +0000 (GMT) Subject: Kerberos V5 integration In-Reply-To: <200005201838.TAA26410@canna.dcs.ed.ac.uk> Message-ID: On Sat, 20 May 2000, Simon Wilkinson wrote: > At present, I can authenticate a session using credential passing, and > forward credentials. I'd quite like to add support for destroying > forwarded credentials at log out as well. I'll probably tidy up and > post the patches for review tomorrow. Are you also adding support for Kerberos to password authentication? -- Mike Fisk, RADIANT Team, Network Engineering Group, Los Alamos National Lab See http://home.lanl.gov/mfisk/ for contact information From moxie at vivid.net Sun May 21 07:29:55 2000 
From: moxie at vivid.net (Mike Benham) Date: Sat, 20 May 2000 17:29:55 -0400 (EDT) Subject: hmac format? Message-ID: I was looking at the way that ssh calculates an hmac, and I noticed that the ordering is a little strange - it does hash(key+message). Shouldn't this rather be hash(message+key)? In the former situation, it could be possible for an attacker to append something to the end of the data being sent. The attacker would be able to calculate a valid hmac without knowing the key. For instance, since md5 does rounds on blocks of 512 bits, where the output of the last round is the input for the first round of the next block; an attacker could just use the existing hmac as input for a new block to append. If the hash were computed as hash(message+key), the attacker would have to know the key to do that. How do people feel about this? Am I missing something here? - Mike --------------------------------------------------------------------------- "A totalitarian state thrives on propaganda, and there is no more effective way to limit thought than to control the language itself. By changing definitions of words through continual association, any serious discussion involving the concepts that the words represent becomes hopelessly muddled." --------------------------------------------------------------------------- Moxie - moxie at thoughtcrime.org / moxie at vivid.net http://www.thoughtcrime.org From Todd.Miller at courtesan.com Sun May 21 10:26:24 2000 From: Todd.Miller at courtesan.com (Todd C. Miller) Date: Sat, 20 May 2000 18:26:24 -0600 Subject: Portable OpenSSH-2.1.0p2 In-Reply-To: Your message of "Sat, 20 May 2000 19:13:06 +1000." References: Message-ID: <200005210026.e4L0QOC26936@xerxes.courtesan.com> For SunOS 4.x atexit() needs to be #defined to on_exit() somewhere. Other than that, it seems to work fine on SunOS 4.1.3. - todd From djm at mindrot.org Sun May 21 11:49:56 2000 
From: djm at mindrot.org (Damien Miller) Date: Sun, 21 May 2000 11:49:56 +1000 (EST) Subject: hmac format? In-Reply-To: Message-ID: On Sat, 20 May 2000, Mike Benham wrote: > I was looking at the the way that ssh calculates an hmac, > and I noticed that the ordering is a little strange - it does > hash(key+message). Shouldn't this rather be hash(message+key)? Which bit of code are you referring to? -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Sun May 21 11:52:33 2000 From: djm at mindrot.org (Damien Miller) Date: Sun, 21 May 2000 11:52:33 +1000 (EST) Subject: Portable OpenSSH-2.1.0p2 In-Reply-To: <200005210026.e4L0QOC26936@xerxes.courtesan.com> Message-ID: On Sat, 20 May 2000, Todd C. Miller wrote: > For SunOS 4.x atexit() needs to be #defined to on_exit() somewhere. > Other than that, it seems to work fine on SunOS 4.1.3. This OK? Index: configure.in =================================================================== RCS file: /var/cvs/openssh/configure.in,v retrieving revision 1.126 diff -u -r1.126 configure.in --- configure.in 2000/05/20 05:33:45 1.126 +++ configure.in 2000/05/21 01:51:55 
@@ -135,7 +135,7 @@ AC_CHECK_HEADERS(bstring.h endian.h lastlog.h login.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h util.h utmp.h utmpx.h) # Checks for library functions. -AC_CHECK_FUNCS(arc4random b64_ntop bcopy bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage innetgr md5_crypt memmove mkdtemp openpty rresvport_af setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy updwtmpx vsnprintf vhangup _getpty __b64_ntop) +AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage innetgr md5_crypt memmove mkdtemp on_exit openpty rresvport_af setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy updwtmpx vsnprintf vhangup _getpty __b64_ntop) AC_CHECK_FUNC(login, [AC_DEFINE(HAVE_LOGIN)], Index: defines.h =================================================================== RCS file: /var/cvs/openssh/defines.h,v retrieving revision 1.21 diff -u -r1.21 defines.h --- defines.h 2000/05/17 12:53:35 1.21 +++ defines.h 2000/05/21 01:51:55 @@ -293,4 +293,8 @@ # define memmove(s1, s2, n) bcopy((s2), (s1), (n)) #endif /* !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) */ +#if !defined(HAVE_ATEXIT) && defined(HAVE_ON_EXIT) +# define atexit(a) on_exit(a) +#endif /* !defined(HAVE_ATEXIT) && defined(HAVE_ON_EXIT) */ + #endif /* _DEFINES_H */ Thanks, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From Todd.Miller at courtesan.com Sun May 21 11:58:55 2000 
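Review bot: `# define atexit(a) on_exit(a)` in the defines.h hunk passes one argument, but SunOS `on_exit()` takes two (the handler and a pointer that is handed back to it) and invokes the handler as `handler(status, arg)`, not with no arguments; the single-argument call only compiles because on_exit is unprototyped on SunOS 4. Writing it as `# define atexit(a) on_exit((a), NULL)` keeps the arity right, and a one-line comment that this is a SunOS 4 compatibility shim for handlers declared `void (*)(void)` would save the next reader of defines.h from having to rediscover why the extra arguments are harmless there.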
From: Todd.Miller at courtesan.com (Todd C. Miller) Date: Sat, 20 May 2000 19:58:55 -0600 Subject: Portable OpenSSH-2.1.0p2 In-Reply-To: Your message of "Sun, 21 May 2000 11:52:33 +1000." References: Message-ID: <200005210158.e4L1wt514928@xerxes.courtesan.com> Looks fine, although you might want to move the check into the *-*-sunos4* portion since there's really no need for it on other OSes. - todd In message so spake Damien Miller (djm): > On Sat, 20 May 2000, Todd C. Miller wrote: > > > For SunOS 4.x atexit() needs to be #defined to on_exit() somewhere. > > Other than that, it seems to work fine on SunOS 4.1.3. > > This OK? > > Index: configure.in > =================================================================== > RCS file: /var/cvs/openssh/configure.in,v > retrieving revision 1.126 > diff -u -r1.126 configure.in > --- configure.in 2000/05/20 05:33:45 1.126 > +++ configure.in 2000/05/21 01:51:55 
> @@ -135,7 +135,7 @@ > AC_CHECK_HEADERS(bstring.h endian.h lastlog.h login.h maillock.h netdb.h net > group.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h > sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stropts.h > sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h util.h utmp.h utmpx.h) > > # Checks for library functions. > -AC_CHECK_FUNCS(arc4random b64_ntop bcopy bindresvport_af clock freeaddrinfo > gai_strerror getaddrinfo getnameinfo getrusage innetgr md5_crypt memmove mkdt > emp openpty rresvport_af setenv seteuid setlogin setproctitle setreuid snprin > tf strlcat strlcpy updwtmpx vsnprintf vhangup _getpty __b64_ntop) > +AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock freead > drinfo gai_strerror getaddrinfo getnameinfo getrusage innetgr md5_crypt memmo > ve mkdtemp on_exit openpty rresvport_af setenv seteuid setlogin setproctitle > setreuid snprintf strlcat strlcpy updwtmpx vsnprintf vhangup _getpty __b64_nt > op) > > AC_CHECK_FUNC(login, > [AC_DEFINE(HAVE_LOGIN)], > Index: defines.h > =================================================================== > RCS file: /var/cvs/openssh/defines.h,v > retrieving revision 1.21 > diff -u -r1.21 defines.h > --- defines.h 2000/05/17 12:53:35 1.21 > +++ defines.h 2000/05/21 01:51:55 > @@ -293,4 +293,8 @@ > # define memmove(s1, s2, n) bcopy((s2), (s1), (n)) > #endif /* !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) */ > > +#if !defined(HAVE_ATEXIT) && defined(HAVE_ON_EXIT) > +# define atexit(a) on_exit(a) > +#endif /* !defined(HAVE_ATEXIT) && defined(HAVE_ON_EXIT) */ > + > #endif /* _DEFINES_H */ > > > Thanks, > Damien Miller > > -- > | "Bombay is 250ms from New York in the new world order" - Alan Cox > | Damien Miller - http://www.mindrot.org/ > | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Sun May 21 12:01:17 2000 
From: djm at mindrot.org (Damien Miller) Date: Sun, 21 May 2000 12:01:17 +1000 (EST) Subject: Portable OpenSSH-2.1.0p2 In-Reply-To: <200005210158.e4L1wt514928@xerxes.courtesan.com> Message-ID: On Sat, 20 May 2000, Todd C. Miller wrote: > Looks fine, although you might want to move the check into the > *-*-sunos4* portion since there's really no need for it on other > OSes. Well, it will only be activated if the other OS lacks atexit(), but has on_exit(). Do you know of any? -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From mhw at wittsend.com Sun May 21 11:26:11 2000 From: mhw at wittsend.com (Michael H. Warfield) Date: Sat, 20 May 2000 21:26:11 -0400 Subject: Portable OpenSSH-2.1.0p2 In-Reply-To: ; from djm@mindrot.org on Sat, May 20, 2000 at 07:13:06PM +1000 References: Message-ID: <20000520212611.D22719@alcove.wittsend.com> On Sat, May 20, 2000 at 07:13:06PM +1000, Damien Miller wrote: [...] > From now on all portable releases will have a 'p' suffix to > distinguish them from the official OpenBSD source. This tends to be a tad confusing. I thought that the 'p' suffix meant "patch level". I would be a little concerned that someone who doesn't already know that will also jump to that conclusion. Just an observation. I don't have any better alternatives or suggestions... > Thanks to all those who submitted bug reports and patches. > Regards, > Damien Miller Thanks for all the work. (I've got OpenSSH 2.1.0p2 running on about a dozen systems right now - Good job!) Mike -- Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com (The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! From sxw at dcs.ed.ac.uk Sun May 21 12:42:45 2000 
From: sxw at dcs.ed.ac.uk (Simon Wilkinson) Date: Sun, 21 May 2000 03:42:45 +0100 (BST) Subject: Kerberos V5 integration In-Reply-To: Mike Fisk's message of Sat, 20 May 2000 21:06:27 +0000 (GMT) Message-ID: <200005210242.DAA10715@canna.dcs.ed.ac.uk> > Are you also adding support for Kerberos to password authentication? Not yet. We currently use PAM to do this (as it means we can use a common ticket granting mechanism across all of our login authentication services). The patches that I'm working from do have a krb5_auth_passwd routine, but this isn't linked in to the main authentication routines anywhere. Once I've got the credentials passing and ticket granting stuff down to my, and those who get to add it to the release's, satisfaction, I'll look into adding this as well. Cheers, Simon. From gem at rellim.com Sun May 21 15:44:53 2000 
From: gem at rellim.com (Gary E. Miller) Date: Sat, 20 May 2000 22:44:53 -0700 (PDT) Subject: Kerberos V5 integration In-Reply-To: <200005210242.DAA10715@canna.dcs.ed.ac.uk> Message-ID: Yo All! I just installed Openssh 2.1.0p2 on a Slackware 7.0 host (libc 2.1.2, kernel 2.2.13). Outbound ssh, sftp, and scp (v1 and v2) work OK to itself and to ssh 1.2.27 and 2.0.13. Inbound ssh from ssh 1.2.27 and 2.0.13 also seem OK. Inbound scp from 1.2.27 seems OK. My problem is inbound scp from 2.0.13 scp2 user at openssh:/file . hangs forever. See below for the opensshd debug output. Seems like a problem with sftp. The compiled in path on the openssh side is OK. Any ideas? RGDS GARY --------------------------------------------------------------------------- Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701 gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676 debug: sshd version OpenSSH-2.1 debug: Seeding random number generator debug: read DSA private key done debug: Seeding random number generator debug: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. Generating 768 bit RSA key. debug: Seeding random number generator debug: Seeding random number generator RSA key generation complete. debug: Server will not fork when running in debugging mode. Connection from 208.139.26.74 port 2420 debug: Client protocol version 1.99; client software version 2.0.13 (non-commercial) datafellows: 2.0.13 (non-commercial) Enabling compatibility mode for protocol 2.0 debug: Local version string SSH-1.99-OpenSSH-2.1 debug: Sending KEX init. 
debug: done debug: got kexinit string: diffie-hellman-group1-sha1 debug: got kexinit string: ssh-dss debug: got kexinit string: 3des-cbc,blowfish-cbc,twofish-cbc,arcfour debug: got kexinit string: 3des-cbc,blowfish-cbc,twofish-cbc,arcfour debug: got kexinit string: hmac-md5,md5-8,none debug: got kexinit string: hmac-md5,md5-8,none debug: got kexinit string: none,zlib debug: got kexinit string: none,zlib debug: got kexinit string: debug: got kexinit string: debug: first kex follow == 1 debug: reserved == 0 debug: done read kexinit debug: kex: client->server 3des-cbc hmac-md5 none debug: kex: server->client 3des-cbc hmac-md5 none debug: Wait SSH2_MSG_KEXDH_INIT. debug: bits set: 543/1024 debug: bits set: 499/1024 debug: sig size 20 20 debug: datafellows debug: send SSH2_MSG_NEWKEYS. debug: done: send SSH2_MSG_NEWKEYS. debug: Wait SSH2_MSG_NEWKEYS. debug: GOT SSH2_MSG_NEWKEYS. debug: done: KEX2. debug: userauth-request for user gem service ssh-connection method none Failed none for gem from 208.139.26.74 port 2420 ssh2 debug: userauth-request for user gem service ssh-connection method password Accepted password for gem from 208.139.26.74 port 2420 ssh2 debug: Entering interactive session for SSH2. debug: server_init_dispatch_20 debug: channel_input_open: ctype session rchan 0 win 100000 max 8192 debug: open session debug: channel 0: new [server-session] debug: session_new: init debug: session_new: session 0 debug: session_open: channel 0 debug: session_open: session 0: link with channel 0 debug: confirm session debug: callback start debug: session_by_channel: session 0 channel 0 debug: session_input_channel_req: session 0 channel 0 request subsystem reply 1 subsystem request for sftp debug: callback done debug: channel 0: rcvd close Connection closed by remote host. debug: Calling cleanup 0x8057540(0x0) debug: Calling cleanup 0x805c49c(0x0) From Todd.Miller at courtesan.com Mon May 22 02:29:21 2000 
From: Todd.Miller at courtesan.com (Todd C. Miller) Date: Sun, 21 May 2000 10:29:21 -0600 Subject: Portable OpenSSH-2.1.0p2 In-Reply-To: Your message of "Sun, 21 May 2000 12:01:17 +1000." References: Message-ID: <200005211629.e4LGTLx07763@xerxes.courtesan.com> In message so spake Damien Miller (djm): > Well, it will only be activated if the other OS lacks atexit(), but > has on_exit(). Do you know of any? No, I don't. It's just that configure scripts with lots of tests can take a long time to run so I didn't see the point in the non-sunos case. - todd From lhecking at nmrc.ucc.ie Mon May 22 02:41:27 2000 From: lhecking at nmrc.ucc.ie (Lars Hecking) Date: Sun, 21 May 2000 17:41:27 +0100 Subject: Openssh-2.1.0p1 test release In-Reply-To: ; from djm@mindrot.org on Sun, May 21, 2000 at 02:14:25AM +1000 References: <20000520170407.A17144@tehran.nmrc.ucc.ie> Message-ID: <20000521174127.A18448@tehran.nmrc.ucc.ie> Damien Miller writes: > On Sat, 20 May 2000, Lars Hecking wrote: > > > > Does this patch help? > > > > I'm sorry, it doesn't. > > > > May 20 17:02:47 localhost sshd[17085]: [ID 800047 auth.error] error: > > fcntl(-1, F_GETFL, 0): Bad file number > > That's a different error to the one that you were reporting earlier. Ooops, sorry. > Has the patch solved your utmp problems? Looks like it. utmp is not being recreated. > BTW the above bug is fixed in the 2.1.0p2 release. D/l'ing right now ... Thanks! From mfisk at lanl.gov Mon May 22 02:43:56 2000 
From: mfisk at lanl.gov (Mike Fisk) Date: Sun, 21 May 2000 16:43:56 +0000 (GMT) Subject: Kerberos V5 integration In-Reply-To: <200005210242.DAA10715@canna.dcs.ed.ac.uk> Message-ID: On Sun, 21 May 2000, Simon Wilkinson wrote: > > Are you also adding support for Kerberos to password authentication? > > Not yet. We currently use PAM to do this (as it means we can use a > common ticket granting mechanism across all of our login > authentication services). The patches that I'm working from do have a > krb5_auth_passwd routine, but this isn't linked in to the main > authentication routines anywhere. > > Once I've got the credentials passing and ticket granting stuff down to > my, and those who get to add it to the release's, satisfaction, I'll look > into adding this as well. I assume that PAM still isn't available on some older platforms. Even when it is, it would be easier for our in-house distributions of SSH if we could have this capability statically linked in. Thanks again. Sorry I can't help with the implementation from the US, -- Mike Fisk, RADIANT Team, Network Engineering Group, Los Alamos National Lab See http://home.lanl.gov/mfisk/ for contact information From weigel+ at pitt.edu Mon May 22 03:35:36 2000 From: weigel+ at pitt.edu (Matthew C. Weigel) Date: Sun, 21 May 2000 13:35:36 -0400 (EDT) Subject: X11 Forwarding and Red Hat In-Reply-To: <20000518212805.A19444@folly.informatik.uni-erlangen.de> Message-ID: I just got around to upgrading to 2.1.0p2-1, and X11 forwarding is working great. Thanks all. On Thu, 18 May 2000, Markus Friedl wrote: > does this help? > > Index: session.c > =================================================================== > RCS file: /home/markus/cvs/ssh/session.c,v > retrieving revision 1.12 > diff -u -r1.12 session.c > --- session.c 2000/05/03 18:03:07 1.12 > +++ session.c 2000/05/18 19:18:53 
> @@ -949,13 +953,20 @@ > else { > /* Add authority data to .Xauthority if appropriate. */ > if (auth_proto != NULL && auth_data != NULL) { > - if (debug_flag) > + char *screen = strchr(display, ':'); > + if (debug_flag) { > fprintf(stderr, "Running %.100s add %.100s %.100s %.100s\n", > - XAUTH_PATH, display, auth_proto, auth_data); > - > + XAUTH_PATH, display, auth_proto, auth_data); > + if (screen != NULL) > + fprintf(stderr, "Adding %.*s/unix%s %s %s\n", > + screen-display, display, screen, auth_proto, auth_data); > + } > f = popen(XAUTH_PATH " -q -", "w"); > if (f) { > fprintf(f, "add %s %s %s\n", display, auth_proto, auth_data); > + if (screen != NULL) > + fprintf(f, "add %.*s/unix%s %s %s\n", > + screen-display, display, screen, auth_proto, auth_data); > pclose(f); > } else > fprintf(stderr, "Could not run %s -q -\n", XAUTH_PATH); > Matthew Weigel Programmer/Sysadmin/Student weigel+ at pitt.edu From markus.friedl at informatik.uni-erlangen.de Mon May 22 04:07:14 2000 
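Review bot: Both added `fprintf` calls pass `screen-display` as the precision for `%.*s`, but that expression is a `ptrdiff_t` while `%.*s` reads an `int` from the argument list; on LP64 platforms the variadic call then pushes 8 bytes where 4 are consumed, and the display prefix written to the xauth `add` line can come out truncated or wrong. Cast it in both places: `(int)(screen - display)`. The `screen != NULL` guard is right, and a one-line comment that `host:0` is deliberately registered a second time as `host/unix:0` (the name xauth matches for local-socket connections) would make the duplicated entry self-explanatory.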
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sun, 21 May 2000 20:07:14 +0200 Subject: scp2 (Re: Kerberos V5 integration) In-Reply-To: ; from gem@rellim.com on Sat, May 20, 2000 at 10:44:53PM -0700 References: <200005210242.DAA10715@canna.dcs.ed.ac.uk> Message-ID: <20000521200714.A5253@folly.informatik.uni-erlangen.de> On Sat, May 20, 2000 at 10:44:53PM -0700, Gary E. Miller wrote: > Yo All! > > I just installed Openssh 2.1.0p2 on a Slackware 7.0 host (libc 2.1.2, > kernel 2.2.13). > > Outbound ssh, sftp, and scp (v1 and v2) work OK to itself and to ssh 1.2.27 > and 2.0.13. outbound sftp does work? openssh does not support SFTP since it is a proprietary protocol. > Inbound ssh from ssh 1.2.27 and 2.0.13 also seem OK. > > Inbound scp from 1.2.27 seems OK. > > My problem is inbound scp from 2.0.13 > scp2 user at openssh:/file . > hangs forever. See below for the opensshd debug output. Seems like > a problem with sftp. The compiled in path on the openssh side > is OK. scp2 from 2.0.13 uses SFTP. scp1 over 2.0.13's ssh2 client should work with OpenSSH. -markus From markus.friedl at informatik.uni-erlangen.de Mon May 22 04:07:41 2000 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sun, 21 May 2000 20:07:41 +0200 Subject: hmac format? In-Reply-To: ; from moxie@vivid.net on Sat, May 20, 2000 at 05:29:55PM -0400 References: Message-ID: <20000521200741.A15629@folly.informatik.uni-erlangen.de> On Sat, May 20, 2000 at 05:29:55PM -0400, Mike Benham wrote: > I was looking at the way that ssh calculates an hmac, and I > noticed that the ordering is a little strange - it does hash(key+message). > Shouldn't this rather be hash(message+key)? In the former situation, it > could be possible for an attacker to append something to the end of the > data being sent. The attacker would be able to calculate a valid hmac > without knowing the key. For instance, since md5 does rounds on blocks of > 512bits, where the output of the last round is the input for the first > round of the next block; an attacker could just use the existing hmac as > input for a new block to append. If the hash were computed as > hash(message+key), the attacker would have to know the key to do that. > How do people feel about this? Am I missing something here? HMAC (rfc2104) works this way: F(k1, F(k2, x)), so the key influences both the 1st and the last invocation of the compression function. it's more like hash(key+message+key). -markus From carl at bl.echidna.id.au Mon May 22 17:57:06 2000 
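As an added example (not code from the list or from OpenSSH), the RFC 2104 construction Markus describes, built from a bare hash so the two keyed invocations F(k1, F(k2, x)) are visible, and cross-checked against Python's hmac module; the helper names and the contrast function are my own.

```python
"""HMAC as defined in RFC 2104, built from a bare hash function.

Added example, not code from the mailing list or from OpenSSH. The key is
mixed into both the inner and the outer hash invocation, which is why a
party that can only append to the message cannot extend a valid tag.
"""
import hashlib
import hmac as stdlib_hmac


def rfc2104_hmac(key: bytes, message: bytes, hash_name: str = "md5") -> bytes:
    """Compute HMAC(key, message) from first principles.

    B is the hash's input block size in bytes (64 for MD5 and SHA-1).
    Keys longer than B are hashed first; shorter keys are zero-padded to B.
    """
    block_size = hashlib.new(hash_name).block_size
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")

    # k1 and k2 in Markus's notation: the same padded key XORed with two
    # different constants, so the inner and outer hashes are keyed differently.
    k_ipad = bytes(b ^ 0x36 for b in key)  # inner key
    k_opad = bytes(b ^ 0x5C for b in key)  # outer key

    inner = hashlib.new(hash_name, k_ipad + message).digest()
    # The outer, keyed hash is what hash(key+message) alone lacks.
    return hashlib.new(hash_name, k_opad + inner).digest()


def naive_tag(key: bytes, message: bytes, hash_name: str = "md5") -> bytes:
    """The construction Mike was worried about: a single hash(key + message).

    Shown only for contrast. Its final compression state is the tag itself,
    so there is no keyed step after the message; HMAC's outer hash adds one.
    """
    return hashlib.new(hash_name, key + message).digest()


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "md5") -> bool:
    """Cross-check the hand-rolled construction against Python's hmac module."""
    ours = rfc2104_hmac(key, message, hash_name)
    theirs = stdlib_hmac.new(key, message, hash_name).digest()
    return stdlib_hmac.compare_digest(ours, theirs)


if __name__ == "__main__":
    # Test vectors 1 and 2 from RFC 2104 (HMAC-MD5).
    print(rfc2104_hmac(b"\x0b" * 16, b"Hi There").hex())
    print(rfc2104_hmac(b"Jefe", b"what do ya want for nothing?").hex())
```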
From: carl at bl.echidna.id.au (carl at bl.echidna.id.au) Date: Mon, 22 May 2000 17:57:06 +1000 (EST) Subject: scp not found with solaris 8/2.1.0p2 Message-ID: <200005220757.e4M7v6N03362@rollcage.bl.echidna.id.au> I've just upgraded to 2.1.0p2 on my solaris 8 boxes (now it survives a little longer, thanks!). But, I'm seeing "scp not found" where before it was fine. configure --prefix=/opt/local --with-random-/dev/random (the entropy generator is still broken), and in the past I had no problems with scp, but AFAIK something's broken in 2.1.0. Is anyone else seeing anything similar? Carl From markus.friedl at informatik.uni-erlangen.de Mon May 22 18:39:11 2000 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 22 May 2000 10:39:11 +0200 Subject: SSH v2 known-hosts problem. In-Reply-To: <39240D43.6D01DD8B@rds.ro>; from fandrei@rds.ro on Thu, May 18, 2000 at 06:33:23PM +0300 References: <20000518172341.A14582@folly.informatik.uni-erlangen.de> <200005182020.WAA11851@jhb.ucs.co.za> <200005181506.RAA28272@jhb.ucs.co.za> <39240D43.6D01DD8B@rds.ro> Message-ID: <20000522103911.A7293@folly.informatik.uni-erlangen.de> Berend De Schouwer wrote: > However, if I disconnect and connect again, it still says: > The authenticity of host 'B' can't be established. > DSA key fingerprint is blah-blah-blah > Are you sure you want to continue connecting (yes/no)? key_read() ignores some valid keys. please try this: Index: key.c =================================================================== RCS file: /home/markus/cvs/ssh/key.c,v retrieving revision 1.6 diff -u -r1.6 key.c --- key.c 2000/05/05 18:53:42 1.6 +++ key.c 2000/05/22 07:32:04 
@@ -269,10 +269,7 @@ k->dsa = NULL; key_free(k); bits = BN_num_bits(ret->dsa->p); - cp = strchr(cp, '='); - if (cp == NULL) - return 0; - *cpp = cp + 1; + *cpp = cp + n; break; default: fatal("key_read: bad key type: %d", ret->type); Index: uuencode.c =================================================================== RCS file: /home/markus/cvs/ssh/uuencode.c,v retrieving revision 1.5 diff -u -r1.5 uuencode.c --- uuencode.c 2000/05/05 18:53:42 1.5 +++ uuencode.c 2000/05/22 07:50:01 @@ -13,10 +13,11 @@ return __b64_ntop(src, srclength, target, targsize); } +/* return #bytes consumed from src[], < 0 on error */ int uudecode(const char *src, unsigned char *target, size_t targsize) { - int len; + int ret; char *encoded, *p; /* copy the 'readonly' source */ @@ -28,9 +29,15 @@ ; /* and remote trailing whitespace because __b64_pton needs this */ *p = '\0'; - len = __b64_pton(encoded, target, targsize); + /* + * __b64_pton() returns #bytes stored at target[], + * we need #bytes consumed from src[] + */ + ret = __b64_pton(encoded, target, targsize); + if (ret >= 0) + ret = strlen(encoded); xfree(encoded); - return len; + return ret; } void From J.Horne at plymouth.ac.uk Mon May 22 23:24:03 2000 
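Review bot: the key.c hunk (@@ -269,10 +269,7 @@) removes the only error check in this path; the replacement `*cpp = cp + n` is correct only when `n` is the non-negative count returned by the new `uudecode()` and the `< 0` case has already been rejected before this switch. That check is not visible in the hunk, so please confirm the caller returns 0 on a negative `n` instead of moving `*cpp` backwards.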
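Review bot: in the second uuencode.c hunk (@@ -28,9 +29,15 @@), `ret = strlen(encoded)` narrows a `size_t` into `int` without a check, and it reports the length of the trimmed copy rather than an offset into `src`; the two agree only because the copy is a byte-for-byte prefix of `src` up to the stripped trailing whitespace. A sentence stating that assumption next to the new block comment would help the key.c caller, and an explicit `(int)` cast with a range check would make the narrowing deliberate. The pre-existing comment typo `remote trailing whitespace` (for `remove`) could be fixed while this line is being touched.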
From: J.Horne at plymouth.ac.uk (John Horne) Date: Mon, 22 May 2000 14:24:03 +0100 (BST) Subject: scp not found with solaris 8/2.1.0p2 In-Reply-To: <200005220757.e4M7v6N03362@rollcage.bl.echidna.id.au> Message-ID: On 22-May-00 at 07:57:06 carl at bl.echidna.id.au wrote: > I've just upgraded to 2.1.0p2 on my solaris 8 boxes (now it > survives a little longer, thanks!). But, I'm seeing "scp not found" > where before it was fine. > > Is anyone else seeing anything similar? > Yes I get this under Solaris 8. However, I've only just started with openssh, so checking the FAQ (where the problem is listed) I simply ran configure with --with-default-path=/usr/bin:/usr/local/bin It runs fine then. For configure I use: ./configure --with-tcp-wrappers --with-catman=man --with-default-path=/usr/bin:/usr/local/bin TCP wrappers because I have it; catman because the man pages come out 'weird' without it; default path because of the scp problem you mention. Otherwise 2.1.0p2 seems to work fine - sshd stays running; no utmp problem; no bad file number messages; no fixprogs problem. Regards, John. -------------------------------------------------------------------------- John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914 E-mail: jhorne at plymouth.ac.uk PGP key available from public key servers From bole at falcon.etf.bg.ac.yu Tue May 23 00:14:34 2000 From: bole at falcon.etf.bg.ac.yu (Bosko Radivojevic) Date: Mon, 22 May 2000 16:14:34 +0200 (CEST) Subject: scp not found with solaris 8/2.1.0p2 In-Reply-To: <200005220757.e4M7v6N03362@rollcage.bl.echidna.id.au> Message-ID: On Mon, 22 May 2000 carl at bl.echidna.id.au wrote: > I've just upgraded to 2.1.0p2 on my solaris 8 boxes (now it > survives a little longer, thanks!). But, I'm seeing "scp not found" > where before it was fine. [..] > Is anyone else seeing anything similar? I think sshd is looking for scp in /usr/bin. Just make a link in /usr/bin. Cheers, Bole From kromJx at crosswinds.net Tue May 23 01:21:00 2000 
From: kromJx at crosswinds.net (kromJx) Date: Mon, 22 May 2000 15:21:00 +0000 Subject: openssh-2.1.0p2 (and previous): reading incorrect options causes 'ssh' to crash Message-ID: 9c403b0bbfd79065f717821d88fad326 'ssh' will crash if the 'Cipher' option is given with no arguments Eg. a line like Cipher or Ciphers in $HOME/.ssh/config, or (equivalently) ssh -o 'Cipher' some_host will cause the command to crash with a Segmentation fault error. If some other option like 'Hostname' is used similarly ssh -o 'Hostname' some_host the program correctly returns command-line line 0: Missing argument. So there must be a problem with the 'cipher' keyword parsing code. This was all tested on an i386 linux box with both openssh-2.1.0 and openssh-2.1.0p2. - J From rjune at ims1.imagestream-is.com Tue May 23 02:57:44 2000 From: rjune at ims1.imagestream-is.com (Richard June) Date: Mon, 22 May 2000 11:57:44 -0500 (EST) Subject: scp not found with solaris 8/2.1.0p2 In-Reply-To: <200005220757.e4M7v6N03362@rollcage.bl.echidna.id.au> Message-ID: Yeah, what happens is configure isn't smart enough to put the --prefix= value into your default path for sshd, Annoying as all getout, but fixable by symlinking scp to /usr/bin. On Mon, 22 May 2000 carl at bl.echidna.id.au wrote: > > I've just upgraded to 2.1.0p2 on my solaris 8 boxes (now it > survives a little longer, thanks!). But, I'm seeing "scp not found" > where before it was fine. > > configure --prefix=/opt/local --with-random-/dev/random (the entropy > generator is still broken), and in the past I had no problems > with scp, but AFAIK something's broken in 2.1.0. > > Is anyone else seeing anything similar? > > Carl > > From heinlein at cse.ogi.edu Tue May 23 04:15:59 2000 
From: heinlein at cse.ogi.edu (Paul Heinlein) Date: Mon, 22 May 2000 11:15:59 -0700 (PDT) Subject: future of subsystem requests Message-ID: I was testing the Linux port of 2.1.0p2 and noticed that the F-Secure SSH client for Windows 4.0 couldn't successfully connect using its secure file-transfer facility. The server log reported that authentication was successful, then the log left off with a semi-cryptic "subsystem request for sftp" line. After that, nothing. Poking around the source, I found this little routine in session.c (it appears to be identical to the same routine in the OpenBSD source, so it's not a porting issue): int session_subsystem_req(Session *s) { unsigned int len; int success = 0; char *subsys = packet_get_string(&len); packet_done(); log("subsystem request for %s", subsys); xfree(subsys); return success; } To my eyes, this looks like a planned no-op. Markus Friedl earlier reported that, as of late April, sftp was still on the to-do list. What about the future (or lack thereof) of an OpenSSH subsystem facility in general? Paul Heinlein heinlein at cse.ogi.edu From markus.friedl at informatik.uni-erlangen.de Tue May 23 04:57:45 2000 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 22 May 2000 20:57:45 +0200 Subject: future of subsystem requests In-Reply-To: ; from heinlein@cse.ogi.edu on Mon, May 22, 2000 at 11:15:59AM -0700 References: Message-ID: <20000522205745.A20232@folly.informatik.uni-erlangen.de> On Mon, May 22, 2000 at 11:15:59AM -0700, Paul Heinlein wrote: > I was testing the Linux port of 2.1.0p2 and noticed that the F-Secure SSH > client for Windows 4.0 couldn't successfully connect using its secure > file-transfer facility. SFTP is a proprietary protocol, but feel free to re-engineer it :) it is not related to SSH at all. > int > session_subsystem_req(Session *s) > { > unsigned int len; > int success = 0; > char *subsys = packet_get_string(&len); > > packet_done(); > log("subsystem request for %s", subsys); > > xfree(subsys); > return success; > } > > To my eyes, this looks like a planned no-op. Markus Friedl earlier > reported that, as of late April, sftp was still on the to-do list. What SFTP is not a top priority. SecureFX works fine with OpenSSH. > about the future (or lack thereof) of an OpenSSH subsystem facility in > general? subsystem support is almost complete, you can try this patch if you want to test: Index: session.c =================================================================== RCS file: /home/markus/cvs/ssh/session.c,v retrieving revision 1.12 diff -u -r1.12 session.c --- session.c 2000/05/03 18:03:07 1.12 +++ session.c 2000/05/18 19:18:53 @@ -1203,6 +1214,14 @@ packet_done(); log("subsystem request for %s", subsys); +#define SFTPSERVER "/path/to/ssh/com/source/sftp-server2" +#ifdef SFTPSERVER + if (strcmp(subsys, "sftp") == 0) { + debug("subsystem: exec() " SFTPSERVER); + do_exec_no_pty(s, SFTPSERVER, s->pw); + success = 1; + } +#endif xfree(subsys); return success; } -markus From sxw at dcs.ed.ac.uk Tue May 23 07:16:57 2000 
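Review bot: in the @@ -1203,6 +1214,14 @@ hunk, the `#define SFTPSERVER "/path/to/ssh/com/source/sftp-server2"` placed directly above `#ifdef SFTPSERVER` makes the conditional always true, so as written the sftp subsystem is compiled in unconditionally with a placeholder path. For anything beyond a local test, move the definition out to the build configuration or an sshd_config directive so the administrator chooses which binary runs, and the `#ifdef` then does real work. Also in the hunk, `success = 1` is set after `do_exec_no_pty()` without examining whether it succeeded; if that function reports failure, the subsystem reply should reflect it.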
From: sxw at dcs.ed.ac.uk (Simon Wilkinson) Date: Mon, 22 May 2000 22:16:57 +0100 (BST) Subject: Kerberos V5 integration In-Reply-To: Mike Fisk's message of Sun, 21 May 2000 16:43:56 +0000 (GMT) Message-ID: <200005222116.WAA05318@canna.dcs.ed.ac.uk> > > Once I've got the credentials passing and ticket granting stuff down to > > my, and those who get to add it to the release's, satisfaction, I'll look > > into adding this as well. > > I assume that PAM still isn't available on some older platforms. Even > when it is, it would be easier for our in-house distributions of SSH if we > could have this capability statically linked in. Now available from http://www.dcs.ed.ac.uk/home/sxw/openssh/openssh-2.1.0-kerberosV.patch is a patch which implements Kerberos 5 credential passing, ticket granting and password authentication. I've built this, and tested it, with MIT Kerberos, I believe that it should work with Heimdal, but I haven't (yet) had a chance to test it. This is probably _not_ compatible with some other implementations, in particular those which overload the existing kerberos message types to carry Kerberos 5 credentials (this patch currently uses a new set of message types). I'd like to merge this code with the Kerberos 4 code so that both can coexist on the same pair of types, if anyone's interested in collaborating on this. Please take a look and let me know what you think. I'd especially welcome feedback on the ticket file checking code. Cheers, Simon. From gem at rellim.com Tue May 23 10:12:58 2000 
From: gem at rellim.com (Gary E. Miller) Date: Mon, 22 May 2000 17:12:58 -0700 (PDT) Subject: scp2 (Re: Kerberos V5 integration) In-Reply-To: <20000521200714.A5253@folly.informatik.uni-erlangen.de> Message-ID: Yo Markus! I now see that you are correct. sftp inbound is not supported by openssh. I never guessed that scp2 used sftp. Something else I will have to educate my users on. Long ago I realized that scp1 had a lot fewer bugs than scp2. RGDS GARY On Sun, 21 May 2000, Markus Friedl wrote: > scp2 from 2.0.13 uses SFTP. > scp1 over 2.0.13's ssh2 client should work with OpenSSH. --------------------------------------------------------------------------- Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701 gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676 From stevesk at sweden.hp.com Tue May 23 23:11:25 2000 From: stevesk at sweden.hp.com (Kevin Steves) Date: Tue, 23 May 2000 15:11:25 +0200 (CEST) Subject: HP-UX 11.0 scp -t hangs and PAM Message-ID: <200005231308.PAA14988@b0fh.sweden.hp.com> openssh-2.1.0p2 on HP-UX 11.0 trusted system. One problem is that scp does not exit after a file transfer: stevesk 14074 14073 0 13:21:46 ? 0:00 scp -t . Attaching to the running process with gdb yields: (gdb) bt #0 0xc01ed230 in _read_sys () from /usr/lib/libc.2 #1 0xc01f85e4 in read () from /usr/lib/libc.2 #2 0x8228 in atomicio (f=0x400025c2 , fd=0, _s=0x7bff03e0 "C0644 59 resolv.conf", n=1) at atomicio.c:46 #3 0x620c in sink (argc=1, argv=0x7bff0164) at scp.c:695 #4 0x4bb8 in main (argc=1, argv=0x7bff0164) at scp.c:328 So we're blocked in read() on fd 0 for some reason. The file transfer does complete. Another issue is we get this message from sshd when logging out: May 23 13:22:16 robinson sshd[14075]: Cannot delete credentials: Permission denied So pam_setcred(PAM_DELETE_CRED) isn't working. From pekkas at netcore.fi Wed May 24 01:15:19 2000 
From: pekkas at netcore.fi (Pekka Savola) Date: Tue, 23 May 2000 18:15:19 +0300 (EEST) Subject: OpenSSH-2.1: FROM in 'w' empty? In-Reply-To: Message-ID: Hello all, I had more time to dig into this problem. Configure script would print stuff like: checking for ut_host field in utmp.h... ossh_cv_utmp_h_has_ut_host instead of: checking for ut_host field in utmp.h... yes This is caused by discontinuation of an undocumented feature of /bin/sh. If you have bash-2.x as your /bin/sh, the configure script goes wrong. I patched configure and aclocal.m4. The method used works for both bash1 and bash2, so the changes should be backward compatible. I tested this syntax on a couple of Redhat boxes and on Irix. Regards, Pekka --- configure Sat May 20 08:48:05 2000 +++ configure.fixed Tue May 23 17:59:14 2000 @@ -2957,7 +2957,7 @@ fi - ossh_result=`eval "echo "$"$ossh_varname"` + eval ossh_result=\$${ossh_varname} if test -n "`echo $ossh_varname`"; then echo "$ac_t""$ossh_result" 1>&6 if test "x$ossh_result" = "xyes"; then @@ -2997,7 +2997,7 @@ fi - ossh_result=`eval "echo "$"$ossh_varname"` + eval ossh_result=\$${ossh_varname} if test -n "`echo $ossh_varname`"; then echo "$ac_t""$ossh_result" 1>&6 if test "x$ossh_result" = "xyes"; then @@ -3037,7 +3037,7 @@ fi - ossh_result=`eval "echo "$"$ossh_varname"` + eval ossh_result=\$${ossh_varname} if test -n "`echo $ossh_varname`"; then echo "$ac_t""$ossh_result" 1>&6 if test "x$ossh_result" = "xyes"; then @@ -3077,7 +3077,7 @@ fi - ossh_result=`eval "echo "$"$ossh_varname"` + eval ossh_result=\$${ossh_varname} if test -n "`echo $ossh_varname`"; then echo "$ac_t""$ossh_result" 1>&6 if test "x$ossh_result" = "xyes"; then @@ -3117,7 +3117,7 @@ fi - ossh_result=`eval "echo "$"$ossh_varname"` + eval ossh_result=\$${ossh_varname} if test -n "`echo $ossh_varname`"; then echo "$ac_t""$ossh_result" 1>&6 if test "x$ossh_result" = "xyes"; then 
@@ -3157,7 +3157,7 @@ fi - ossh_result=`eval "echo "$"$ossh_varname"` + eval ossh_result=\$${ossh_varname} if test -n "`echo $ossh_varname`"; then echo "$ac_t""$ossh_result" 1>&6 if test "x$ossh_result" = "xyes"; then @@ -3197,7 +3197,7 @@ fi - ossh_result=`eval "echo "$"$ossh_varname"` + eval ossh_result=\$${ossh_varname} if test -n "`echo $ossh_varname`"; then echo "$ac_t""$ossh_result" 1>&6 if test "x$ossh_result" = "xyes"; then @@ -3237,7 +3237,7 @@ fi - ossh_result=`eval "echo "$"$ossh_varname"` + eval ossh_result=\$${ossh_varname} if test -n "`echo $ossh_varname`"; then echo "$ac_t""$ossh_result" 1>&6 if test "x$ossh_result" = "xyes"; then @@ -3277,7 +3277,7 @@ fi - ossh_result=`eval "echo "$"$ossh_varname"` + eval ossh_result=\$${ossh_varname} if test -n "`echo $ossh_varname`"; then echo "$ac_t""$ossh_result" 1>&6 if test "x$ossh_result" = "xyes"; then @@ -3317,7 +3317,7 @@ fi - ossh_result=`eval "echo "$"$ossh_varname"` + eval ossh_result=\$${ossh_varname} if test -n "`echo $ossh_varname`"; then echo "$ac_t""$ossh_result" 1>&6 if test "x$ossh_result" = "xyes"; then @@ -3357,7 +3357,7 @@ fi - ossh_result=`eval "echo "$"$ossh_varname"` + eval ossh_result=\$${ossh_varname} if test -n "`echo $ossh_varname`"; then echo "$ac_t""$ossh_result" 1>&6 if test "x$ossh_result" = "xyes"; then @@ -3397,7 +3397,7 @@ fi - ossh_result=`eval "echo "$"$ossh_varname"` + eval ossh_result=\$${ossh_varname} if test -n "`echo $ossh_varname`"; then echo "$ac_t""$ossh_result" 1>&6 if test "x$ossh_result" = "xyes"; then --- aclocal.m4 Mon May 8 13:49:37 2000 +++ aclocal.m4.fixed Tue May 23 17:58:52 2000 
@@ -22,7 +22,7 @@ eval "$ossh_varname=no" dnl ]) dnl ]) - ossh_result=`eval "echo "$"$ossh_varname"` + eval ossh_result=\$${ossh_varname} if test -n "`echo $ossh_varname`"; then AC_MSG_RESULT($ossh_result) if test "x$ossh_result" = "xyes"; then ---------- -- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and fall" From carl at bl.echidna.id.au Wed May 24 09:51:26 2000 From: carl at bl.echidna.id.au (carl at bl.echidna.id.au) Date: Wed, 24 May 2000 09:51:26 +1000 (EST) Subject: further problems Re: scp not found with solaris 8/2.1.0p2 Message-ID: <200005232351.e4NNpQP14289@rollcage.bl.echidna.id.au> Thanks to Richard June, John Horne and Bosko Radivojevic, who pointed out that I probably need to set the configure-time option --with-default-path, so I did this (rather than make symlink messes, which I'd prefer to avoid) : 1489 ./configure --with-default-path=/bin:/usr/bin:/opt/local/bin --prefix=/opt/local --with-random=/dev/random 1490 make 1491 make install 1492 pkill -TERM sshd 1493 ps -ef | grep sshd 1494 /opt/local/sbin/sshd tested ssh .. worked fine tested scp : {1503} : scp hosts localhost:/tmp/. root at localhost's password: sh: scp: not found lost connection It's the right scp, and the right sshd : -rwsr-xr-x 1 root other 745728 May 24 09:32 /opt/local/bin/ssh -rwxr-xr-x 1 root other 22232 May 24 09:32 /opt/local/bin/scp -rwxr-xr-x 1 root other 695372 May 24 09:32 /opt/local/sbin/sshd I compiled them all at 9.30am, so they're the right ones. Here's some info about the box : SunOS fwljump02 5.8 Generic sun4m sparc SUNW,SPARCstation-5 Any ideas? I don't want to lodge a bug report if it's just something dumb I'm missing :) It's got to be the path somehow, despite having /opt/local/bin in the config path, it can't find anything in there. I can symlink to /usr/bin and things work, but that's not what I want to have to do. thanks again Carl From rjune at ims1.imagestream-is.com Wed May 24 11:01:31 2000 
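Review bot: the aclocal.m4 hunk (@@ -22,7 +22,7 @@) is the real fix; the repeated configure hunks are generated output that re-running autoconf reproduces, so they could be dropped from the patch in favour of a note to regenerate. On the new line itself, `eval ossh_result=\$${ossh_varname}` leaves the expansion unquoted, so a value containing whitespace would be word-split inside the eval; `eval ossh_result=\"\$${ossh_varname}\"` keeps the value intact. Both the old and the new form use only parameter expansion and eval, so they are portable to a plain Bourne /bin/sh; no `$(...)` substitution is involved.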
From: rjune at ims1.imagestream-is.com (Richard June) Date: Tue, 23 May 2000 20:01:31 -0500 (EST) Subject: further problems Re: scp not found with solaris 8/2.1.0p2 In-Reply-To: <200005232351.e4NNpQP14289@rollcage.bl.echidna.id.au> Message-ID: This is an ongoing problem if you don't compile w/ --prefix=/usr or --prefix=/ is there any way to fix this for good? _PATH_STDPATH is what isn't being defined correctly, if you make these modifications to Makefile and to sshd.c after you've run configure, things should work. add -DBIN_PREFIX=\"$(bindir)\" to the PATHS line in Makefile like this... PATHS=-DBIN_PREFIX=\"$(bindir)\" -DETCDIR=\"$(sysconfdir)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DSSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" then add these lines to sshd.c after all the #includes, I put them around line 40 #ifdef _PATH_STDPATH #undef _PATH_STDPATH #endif /* _PATH_STDPATH */ #define _PATH_STDPATH BIN_PREFIX ":/bin:/usr/bin:/sbin:/usr/sbin" and *DON'T* configure OpenSSH to use Login. This should work with OpenSSH version 1.2.3, I dunno for sure, mostly this is theory based on what I've seen. I have no idea if it's even applicable to OpenSSH 2.x, Good luck. From marc.fournier at acadiau.ca Thu May 25 00:56:50 2000 From: marc.fournier at acadiau.ca (Marc G. Fournier) Date: Wed, 24 May 2000 11:56:50 -0300 (ADT) Subject: [2.1.0p2] Couldn't initialise builtin random ... Message-ID: I get this an awful lot under solaris 8 ... anyone have any thoughts on how to correct it? From tbert at abac.com Thu May 25 01:57:13 2000 
From: tbert at abac.com (Tom Bertelson) Date: Wed, 24 May 2000 11:57:13 -0400 Subject: further problems Re: scp not found with solaris 8/2.1.0p2 References: Message-ID: <392BFBD9.2D0A6BF2@abac.com> Richard June wrote: > > This is an ongoing problem if you don't compile w/ --prefix=/usr or > --prefix=/ is there any way to fix this for good? > > _PATH_STDPATH is what isn't being defined correctly, if you make these > modifications to Makefile and to sshd.c after you've run configure, > things should work. > > add -DBIN_PREFIX=\"$(bindir)\" to the PATHS line in Makefile like this... > > PATHS=-DBIN_PREFIX=\"$(bindir)\" -DETCDIR=\"$(sysconfdir)\" > -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" > -DSSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" > > then add these lines to sshd.c after all the #includes, I put them around > line 40 > #ifdef _PATH_STDPATH > #undef _PATH_STDPATH > #endif /* _PATH_STDPATH */ > #define _PATH_STDPATH BIN_PREFIX ":/bin:/usr/bin:/sbin:/usr/sbin" > > and *DON'T* configure OpenSSH to use Login. > This should work with OpenSSH version 1.2.3, I dunno for sure, mostly this > is theory based on what I've seen. I have no idea if it's even applicable > to OpenSSH 2.x, Good luck. There's still a problem. If you have the files /etc/environment or $HOME/.ssh/environment and they contain a definition for PATH, this overrides the compiled-in path. Perhaps sshd should always append BIN_PREFIX or _PATH_STDPATH to the PATH variable *after* all the config files have been read. Opinions? -- Tom Bertelson "Any sufficiently advanced technology RHI Consulting is indistinguishable from magic." tbert at abac.com -- Arthur C. Clarke From rjune at ims1.imagestream-is.com Thu May 25 02:04:26 2000 
From: rjune at ims1.imagestream-is.com (Richard June) Date: Wed, 24 May 2000 11:04:26 -0500 (EST) Subject: further problems Re: scp not found with solaris 8/2.1.0p2 In-Reply-To: <392BFBD9.2D0A6BF2@abac.com> Message-ID: But when you use scp do /etc/environment or ${HOME}/.ssh/environment get read? I wasn't sure, and I haven't had time to play with them enough to know for sure. I'm of the opinion that BIN_PREFIX should find its way into PATH *always* however that's not always possible, e.g. the user resets PATH in their initscripts. however that's not OpenSSH's problem. From tbert at abac.com Thu May 25 02:08:49 2000 From: tbert at abac.com (Tom Bertelson) Date: Wed, 24 May 2000 12:08:49 -0400 Subject: OpenSSH-2.1: FROM in 'w' empty? Message-ID: <392BFE91.86C34E72@abac.com> Pekka Savola wrote: > > Hello all, > > I had more time to dig into this problem. Configure script would print > stuff like: > checking for ut_host field in utmp.h... ossh_cv_utmp_h_has_ut_host > > instead of: > checking for ut_host field in utmp.h... yes > > This is caused by discontinuation of an undocumented feature of > /bin/sh. If you have bash-2.x as your /bin/sh, the configure script goes > wrong. > > I patched configure and aclocal.m4. The method used works for both bash1 > and bash2, so the changes should be backward compatible. I tested this > syntax on a couple of Redhat boxes and on Irix. > > Regards, > Pekka > > --- configure Sat May 20 08:48:05 2000 > +++ configure.fixed Tue May 23 17:59:14 2000 
> @@ -2957,7 +2957,7 @@ > > fi > > - ossh_result=`eval "echo "$"$ossh_varname"` > + eval ossh_result=\$${ossh_varname} > if test -n "`echo $ossh_varname`"; then > echo "$ac_t""$ossh_result" 1>&6 > if test "x$ossh_result" = "xyes"; then I suspect this change will break a lot of other systems. Remember there are still machines out there that don't understand the $(command) syntax (my stock Solaris with /bin/sh is one of them). Is there another way to fix this and preserve the use of backticks? -- Tom Bertelson "Any sufficiently advanced technology RHI Consulting is indistinguishable from magic." tbert at abac.com -- Arthur C. Clarke From tbert at abac.com Thu May 25 02:18:34 2000 From: tbert at abac.com (Tom Bertelson) Date: Wed, 24 May 2000 12:18:34 -0400 Subject: further problems Re: scp not found with solaris 8/2.1.0p2 References: Message-ID: <392C00DA.A0A1F7E7@abac.com> Richard June wrote: > > But when you use scp do /etc/environment or ${HOME}/.ssh/environment get > read? I wasn't sure, and I haven't had time to play with them enough to > know for sure. I'm of the opinion that BIN_PREFIX should find its way > into PATH *always* however that's not always possible, e.g. the user > resets PATH in their initscripts. however that's not OpenSSH's problem. Yes, they are read. Scp does the equivalent of "ssh remotehost scp -t destination". Hard-coding the path in the client doesn't work, since each host may have it in a different directory. I like the BIN_PREFIX idea. This is probably safer than _PATH_STDPATH. -- Tom Bertelson "Any sufficiently advanced technology RHI Consulting is indistinguishable from magic." tbert at abac.com -- Arthur C. Clarke From rjune at ims1.imagestream-is.com Thu May 25 02:23:42 2000 
From: rjune at ims1.imagestream-is.com (Richard June) Date: Wed, 24 May 2000 11:23:42 -0500 (EST) Subject: further problems Re: scp not found with solaris 8/2.1.0p2 In-Reply-To: <392C00DA.A0A1F7E7@abac.com> Message-ID: On Wed, 24 May 2000, Tom Bertelson wrote: > > > Richard June wrote: > > > > But when you use scp do /etc/environment or ${HOME}/.ssh/environment get > > read? I wasn't sure, and I haven't had time to play with them enough to > > know for sure. I'm of the opinion that BIN_PREFIX should find its way > > into PATH *always* however that's not always possible, e.g. the user > > resets PATH in their initscripts. however that's not OpenSSH's problem. > > Yes, they are read. Scp does the equivalent of "ssh remotehost scp -t > destination". Hard-coding the path in the client doesn't work, since > each host may have it in a different directory. > > I like the BIN_PREFIX idea. This is probably safer than _PATH_STDPATH. Yeah, I didn't think about that the first time I asked the question, then I realized that... which led to the patch to sshd and Makefile... I don't know about safer as long as you have BIN_PREFIX *before* _PATH_STDPATH which is what I do. From Leakin at dfw.nostrum.com Thu May 25 04:32:01 2000 
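An added illustration of the PATH handling debated in this thread, not OpenSSH code: it models the compiled-in default path, the overrides read from /etc/environment and ~/.ssh/environment, and Tom's proposal to append BIN_PREFIX after those files have been read. DEFAULT_PATH is Carl's --with-default-path value and BIN_PREFIX his /opt/local/bin; the environment file contents and helper names are constructed for the example.

```python
"""Model of how sshd assembles the child's PATH, and the fix proposed above.

Added example, not OpenSSH code. Order modelled: start from the compiled-in
default path, let /etc/environment and ~/.ssh/environment override variables,
then (the proposed change) make sure the directory holding sshd's own
binaries is present so that the remote `scp -t` can be found.
"""
from typing import Dict, Iterable, List

# Stand-ins for the compile-time constants (Carl's configure values).
DEFAULT_PATH = "/bin:/usr/bin:/opt/local/bin"
BIN_PREFIX = "/opt/local/bin"


def parse_environment_file(lines: Iterable[str]) -> Dict[str, str]:
    """Parse NAME=value lines; blank lines, '#' comments and junk are skipped."""
    result: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        result[name.strip()] = value.strip()
    return result


def ensure_dir_in_path(path: str, directory: str) -> str:
    """Append directory to a colon-separated PATH unless it is already an element.

    Element-wise comparison avoids the substring trap ('/usr/bin' is not
    matched by '/usr/binx'); empty elements are dropped.
    """
    elements = [p for p in path.split(":") if p]
    if directory in elements:
        return ":".join(elements)
    return ":".join(elements + [directory])


def build_child_path(env_files: Iterable[Iterable[str]], append_bin_prefix: bool) -> str:
    """Compute the PATH the forked child would see.

    env_files are the environment files in the order sshd reads them; later
    files override earlier ones. With append_bin_prefix=False this reproduces
    the failure Tom describes: a PATH set in /etc/environment silently drops
    the install directory, hence 'sh: scp: not found'. True applies his proposal.
    """
    env = {"PATH": DEFAULT_PATH}
    for lines in env_files:
        env.update(parse_environment_file(lines))
    path = env["PATH"]
    if append_bin_prefix:
        path = ensure_dir_in_path(path, BIN_PREFIX)
    return path


def can_find(path: str, directory: str) -> bool:
    """True if directory is one of PATH's elements (where a bare 'scp' would be found)."""
    return directory in path.split(":")


# Constructed sample /etc/environment that resets PATH, as in the thread.
ETC_ENVIRONMENT: List[str] = [
    "# constructed sample /etc/environment",
    "PATH=/usr/local/bin:/usr/bin:/bin",
    "LANG=C",
]

if __name__ == "__main__":
    print("no env files:", build_child_path([], False))
    print("override, no fix:", build_child_path([ETC_ENVIRONMENT], False))
    print("override, with fix:", build_child_path([ETC_ENVIRONMENT], True))
```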
From: Leakin at dfw.nostrum.com (Lee Eakin) Date: Wed, 24 May 2000 13:32:01 -0500 Subject: 'command' option in authorized_keys Message-ID: <20000524133200.C16260@japh.itg.ti.com> I am a recent convert to openssh. I am very pleased with it, and find it superior to ssh-1.2.27 in many ways (thanks for the good work). I recently found one piece missing from the current release. I have used the 'command' option in the authorized_keys file to restrict access. Using ssh-1.2.27 the original command was placed in the SSH_ORIGINAL_COMMAND environment variable. If command is set to a wrapper script, it was able to parse contents of the variable, verify that any variable args are proper and legal, then execute a predefined program passing the appropriate args to that program. Without the environment variable there appears to be no way to access the original command. It appears only 3 lines are needed to enable this feature. The diff is included below. Note that this diff applies to the portable version after ./configure --with-tcp-wrappers --with-ipv4-default has run on a Linux box. My initials are included at the end of each added line to make them easy to spot (this is my personal convention for marking my changes, the code is almost verbatim from ssh-1.2.26, I do not claim any credit). Please consider this addition with all proper security review. This is a suggestion and example. It works, but may have security implications. -Lee diff -u openssh-2.1.0p2/session.c.orig openssh-2.1.0p2/session.c --- openssh-2.1.0p2/session.c.orig Fri May 19 21:49:31 2000 +++ openssh-2.1.0p2/session.c Wed May 24 12:56:12 2000 @@ -96,6 +96,7 @@ /* RSA authentication "command=" option. */ char *forced_command = NULL; +char *original_command = NULL; /* original command from protocol. */ /* LEE */ /* RSA authentication "environment=" options. */ struct envstring *custom_environment = NULL; 
@@ -343,6 +344,7 @@ packet_integrity_check(plen, 0, type); } if (forced_command != NULL) { + original_command = command; command = forced_command; debug("Forced command '%.500s'", forced_command); } @@ -911,6 +913,8 @@ child_set_env(&env, &envsize, "TERM", term); if (display) child_set_env(&env, &envsize, "DISPLAY", display); + if (original_command) /* LEE */ + child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", original_command); /* LEE */ #ifdef _AIX { -- Lee Eakin - leakin at ti.com - Naming Services, Texas Instruments -o) [ permanent e-mail: Lee at Eakin.Org ] /\\ _\_v echo "forgot::0:0::/:/bin/sh" >> /etc/passwd; echo "If you forgot your password, then login as 'forgot' with no password, and do "passwd " >> /etc/issue --nolander at NOLANDER.PP.SE From tech at studsys.mscs.mu.edu Thu May 25 07:06:07 2000 From: tech at studsys.mscs.mu.edu (MSCS Technician) Date: Wed, 24 May 2000 16:06:07 -0500 Subject: ssh, .shosts and RH6.2: user logins ok, root not Message-ID: <20000524160607.A5804@studsys.mscs.mu.edu> Hi, I'm running OpenSSH 1.2.3 here on assorted Solaris and Linux machines. On the Linux machines, users are able to ssh back and forth among the machines without a password assuming proper .shosts files, but root is never able to do the same: it always gets prompted for a password. I'm using RH6.2 here. I've tried fiddling with PAM, /etc/securetty, /etc/hosts.equiv, all to no avail: I still get prompted for a password. On the Solaris boxes using the same OpenSSH, ssh(d)_config files, and proper .shosts, both users and root can do the passwordless login. Any ideas what else to try? I'm sure it's something simple but I can't see it. I'd really like to do the .shosts authenticated remote root logins in some admin scripts. Thanks! From naddy at mips.inka.de Thu May 25 07:54:36 2000 
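Review bot: in the @@ -343,6 +344,7 @@ hunk, `original_command = command;` copies a pointer without taking ownership, so if `command` is freed later in the session (the visible lines only reassign it to `forced_command`), the environment in the later hunk is built from a dangling pointer; either `xstrdup()` the string here or confirm the original buffer lives until the child environment has been set up. The same added line also lacks the `/* LEE */` marker that the covering mail says every added line carries.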
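Review bot: in the @@ -911,6 +913,8 @@ hunk, the value placed in `SSH_ORIGINAL_COMMAND` is the client-supplied command string verbatim, so any program run via `command=` must treat it as untrusted input and match it against explicit rules rather than pass it to a shell; a one-line comment beside the `child_set_env()` call saying so would help wrapper authors, since the mail itself asks for security review of exactly this point.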
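As an added example, not Lee's patch or OpenSSH code, a `command=` wrapper that reads SSH_ORIGINAL_COMMAND the way Lee describes, checking each argument before running a predefined program with only the arguments it approves; the allowed-program table, the /srv/drop directory and the helper names are assumptions for the example.

```python
"""Forced-command wrapper that validates SSH_ORIGINAL_COMMAND before acting.

Added example, not Lee's patch or OpenSSH code. With the original command
line exported in SSH_ORIGINAL_COMMAND, a `command=` wrapper in
authorized_keys can parse it, check the arguments, and exec a predefined
program. The variable is untrusted client input, so everything is matched
against explicit rules and it is never handed to a shell.
"""
import os
import re
import shlex
import sys
from typing import List, Optional

# Allowlist (assumed for this example): program names the key may request,
# mapped to the fixed binary that is actually executed.
ALLOWED_PROGRAMS = {
    "scp": "/usr/bin/scp",
}
# Only uploads into this directory are accepted (assumed path).
DROP_DIR = "/srv/drop"
# One safe path component: no separators, no leading dot, so no '..' or hidden files.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def approve_command(original: Optional[str]) -> Optional[List[str]]:
    """Return the argv to execute, or None if the request is not permitted."""
    if not original:
        return None  # interactive login or empty command: refuse
    try:
        argv = shlex.split(original)
    except ValueError:
        return None  # unbalanced quotes
    if len(argv) != 3 or argv[0] not in ALLOWED_PROGRAMS:
        return None
    prog, flag, target = argv
    if flag != "-t":
        return None  # only 'scp -t <target>' (receive into target) is allowed
    # Target must be DROP_DIR itself or one safe filename directly inside it.
    if target == DROP_DIR:
        return [ALLOWED_PROGRAMS[prog], "-t", DROP_DIR]
    prefix = DROP_DIR + "/"
    if target.startswith(prefix) and SAFE_NAME.match(target[len(prefix):]):
        return [ALLOWED_PROGRAMS[prog], "-t", target]
    return None


def main() -> int:
    argv = approve_command(os.environ.get("SSH_ORIGINAL_COMMAND"))
    if argv is None:
        sys.stderr.write("command not permitted for this key\n")
        return 1
    os.execv(argv[0], argv)  # replaces this process; no shell involved
    return 1  # not reached


if __name__ == "__main__":
    sys.exit(main())
```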
From: naddy at mips.inka.de (Christian Weisgerber)
Date: 24 May 2000 23:54:36 +0200
Subject: SSH v2 known-hosts problem.
References: <20000518172341.A14582@folly.informatik.uni-erlangen.de> <200005181506.RAA28272@jhb.ucs.co.za> <39240D43.6D01DD8B@rds.ro> <20000522103911.A7293@folly.informatik.uni-erlangen.de>
Message-ID: <8ghj2s$2spb$1@bigeye.rhein-neckar.de>

Markus Friedl wrote:

> key_read() ignores some valid keys. please try this:

Seems to fix the problem, but now I get this:

dsa_key_from_blob: remaining bytes in key blob 147

Is this informational? A warning?

-- 
Christian "naddy" Weisgerber naddy at mips.inka.de

From djm at mindrot.org Thu May 25 08:23:52 2000
From: djm at mindrot.org (Damien Miller)
Date: Thu, 25 May 2000 08:23:52 +1000 (EST)
Subject: [2.1.0p2] Couldn't initialise builtin random ...
In-Reply-To:
Message-ID:

On Wed, 24 May 2000, Marc G. Fournier wrote:

> 
> I get this an awful lot under solaris 8 ... anyone have any thoughts on
> how to correct it?

Server or client? What appears in the log?

-d

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From sxw at dcs.ed.ac.uk Thu May 25 10:16:39 2000
From: sxw at dcs.ed.ac.uk (Simon Wilkinson)
Date: Thu, 25 May 2000 01:16:39 +0100 (BST)
Subject: OpenSSH-2.1: FROM in 'w' empty?
In-Reply-To: Tom Bertelson's message of Wed, 24 May 2000 12:08:49 -0400
Message-ID: <200005250016.BAA29195@canna.dcs.ed.ac.uk>

> > I patched configure and aclocal.m4. The method used works for both bash1
> > and bash2, so the changes should be backward compatible. I tested this
> > syntax on a couple of Redhat boxes and on Irix.
> > - ossh_result=`eval "echo "$"$ossh_varname"`
> > + eval ossh_result=\$${ossh_varname}
> 
> I suspect this change will break a lot of other systems. Remember there
> are still machines out there that don't understand the $(command) syntax
> (my stock Solaris with /bin/sh is one of them).
> 
> Is there another way to fix this and preserve the use of backticks?

Does

ossh_result=`eval echo \"\\\$$ossh_varname\"`

do the required trick? This works for me with Bash 1, 2 and Solaris sh.

Cheers,

Simon.

From gem at rellim.com Thu May 25 10:30:46 2000
From: gem at rellim.com (Gary E. Miller)
Date: Wed, 24 May 2000 17:30:46 -0700 (PDT)
Subject: OpenSSH-2.1: FROM in 'w' empty?
In-Reply-To: <200005250016.BAA29195@canna.dcs.ed.ac.uk>
Message-ID:

Yo All!

I just tried to connect to an OpenSSH 2.1.0p2 server from a SecureCRT 3.0.3 client using ssh2 protocol. The server is on Linux and the client is on Win98. It did not work. ssh1 protocol works.

And yes, I set SecureCRT to 3DES/MD5 and 3DES/SHA1 with the server type set to "standard". So at least I am not repeating that mistake.

SecureCRT says:
"Corrupt or invalid host key or algorithm"

See below for a debug dump of the server side.

The only odd thing about my setup is a 2048 bit host key. Could that be a problem? Any ideas?

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

# sshd -d -p 240
debug: sshd version OpenSSH-2.1
debug: Seeding random number generator
debug: read DSA private key done
debug: Seeding random number generator
debug: Bind to port 240 on 0.0.0.0.
Server listening on 0.0.0.0 port 240.
Generating 768 bit RSA key.
debug: Seeding random number generator
debug: Seeding random number generator
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 208.139.26.70 port 1749
debug: Client protocol version 2.0; client software version 3.0 SecureCRT (tm), a product of Van Dyke Technologies, Inc.
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-1.99-OpenSSH-2.1
debug: Sending KEX init.
debug: done
debug: got kexinit string: diffie-hellman-group1-sha1
debug: got kexinit string: ssh-dss
debug: got kexinit string: 3des-cbc
debug: got kexinit string: 3des-cbc
debug: got kexinit string: hmac-md5
debug: got kexinit string: hmac-md5
debug: got kexinit string: none
debug: got kexinit string: none
debug: got kexinit string:
debug: got kexinit string:
debug: first kex follow == 0
debug: reserved == 0
debug: done read kexinit
debug: kex: client->server 3des-cbc hmac-md5 none
debug: kex: server->client 3des-cbc hmac-md5 none
debug: Wait SSH2_MSG_KEXDH_INIT.
debug: bits set: 508/1024
debug: bits set: 488/1024
debug: sig size 20 20
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: Wait SSH2_MSG_NEWKEYS.
Received disconnect: 2: Corrupt or invalid host key or algorithm.
debug: Calling cleanup 0x805c49c(0x0)

From jmknoble at pint-stowp.cx Thu May 25 15:43:25 2000
From: jmknoble at pint-stowp.cx (Jim Knoble)
Date: Thu, 25 May 2000 01:43:25 -0400
Subject: OpenSSH-2.1: FROM in 'w' empty?
In-Reply-To: <392BFE91.86C34E72@abac.com>
References: <392BFE91.86C34E72@abac.com>
Message-ID: <20000525014325.A7256@quipu.half.pint-stowp.cx>

Circa 2000-May-24 12:08:49 -0400, Tom Bertelson wrote:

: Pekka Savola wrote:
: > This is caused by discontinuation of an undocumented feature of
: > /bin/sh. If you have bash-2.x as your /bin/sh, the configure script goes
: > wrong.

Pekka, what undocumented feature is that? The line that you replace below is (mostly; see below) an incredibly common Bourne shell idiom.

: > I patched configure and aclocal.m4. The method used works for both bash1
: > and bash2, so the changes should be backward compatible. I tested this
: > syntax on a couple of Redhat boxes and on Irix.
: >
: > Regards,
: > Pekka
: >
: > --- configure Sat May 20 08:48:05 2000
: > +++ configure.fixed Tue May 23 17:59:14 2000
: > @@ -2957,7 +2957,7 @@
: >
: > fi
: >
: > - ossh_result=`eval "echo "$"$ossh_varname"`
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^

This use of double quotes is confusing anyway and looks broken. It ought to read:

ossh_result=`eval echo \$"$ossh_varname"`

or perhaps:

ossh_result=`eval echo \$\{"${ossh_varname}"\}`

: > + eval ossh_result=\$${ossh_varname}

Does this actually work? I thought 'eval' spawned a subshell, but i may be misremembering. [Testing in bash-1.14.7....] Hmm, it does actually work. I certainly find that to be a much less complex expression and like it better. I would suggest the following, though:

eval ossh_result=\$\{${ossh_varname}\}

in the general case, since it's possible for ${ossh_varname} to expand to more than one word (or for that matter, to a parameter expression such as 'blah:-haha').

: I suspect this change will break a lot of other systems. Remember there
: are still machines out there that don't understand the $(command) syntax
: (my stock Solaris with /bin/sh is one of them).
:
: Is there another way to fix this and preserve the use of backticks?

Tom, i don't see any $() expression in the above change. What are you referring to?

-- 
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/

From markus.friedl at informatik.uni-erlangen.de Thu May 25 16:35:14 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 25 May 2000 08:35:14 +0200
Subject: OpenSSH-2.1: FROM in 'w' empty?
In-Reply-To: ; from gem@rellim.com on Wed, May 24, 2000 at 05:30:46PM -0700
References: <200005250016.BAA29195@canna.dcs.ed.ac.uk>
Message-ID: <20000525083514.A12070@folly.informatik.uni-erlangen.de>

On Wed, May 24, 2000 at 05:30:46PM -0700, Gary E. Miller wrote:
> SecureCRT says:
> "Corrupt or invalid host key or algorithm"
> 
> See below for a debug dump of the server side.
> 
> The only odd thing about my setup is a 2048 bit host key. Could
> that be a problem? Any ideas?

yes, this could be the problem, please try a 1024 bit key.

From markus.friedl at informatik.uni-erlangen.de Thu May 25 16:20:44 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 25 May 2000 08:20:44 +0200
Subject: SSH v2 known-hosts problem.
In-Reply-To: <200005182020.WAA11851@jhb.ucs.co.za>; from bds@jhb.ucs.co.za on Thu, May 18, 2000 at 10:21:56PM +0200
References: <20000518172341.A14582@folly.informatik.uni-erlangen.de> <200005181506.RAA28272@jhb.ucs.co.za> <39240D43.6D01DD8B@rds.ro> <20000522103911.A7293@folly.informatik.uni-erlangen.de> <8ghj2s$2spb$1@bigeye.rhein-neckar.de> <200005181506.RAA28272@jhb.ucs.co.za> <39240D43.6D01DD8B@rds.ro> <20000518172341.A14582@folly.informatik.uni-erlangen.de> <200005182020.WAA11851@jhb.ucs.co.za>
Message-ID: <20000525082044.A25951@folly.informatik.uni-erlangen.de>

On Wed, May 24, 2000 at 11:54:36PM +0200, Christian Weisgerber wrote:
> Markus Friedl wrote:
> 
> > key_read() ignores some valid keys. please try this:
> 
> Seems to fix the problem, but now I get this:
> dsa_key_from_blob: remaining bytes in key blob 147
> 
> Is this informational? A warning?

the patch was broken. try this.

Index: key.c =================================================================== RCS file: /home/markus/cvs/ssh/key.c,v retrieving revision 1.6 diff -u -r1.6 key.c --- key.c 2000/05/05 18:53:42 1.6 +++ key.c 2000/05/22 17:29:24 @@ -256,12 +256,14 @@ blob = xmalloc(len); n = uudecode(cp, blob, len); if (n < 0) { - error("uudecode %s failed", cp); + error("key_read: uudecode %s failed", cp); return 0; } k = dsa_key_from_blob(blob, n); - if (k == NULL) - return 0; + if (k == NULL) { + error("key_read: dsa_key_from_blob %s failed", cp); + return 0; + } xfree(blob); if (ret->dsa != NULL) DSA_free(ret->dsa);
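Review bot: in the @@ -256,12 +256,14 @@ hunk, both early returns leak `blob`: the `if (n < 0)` path and the new `if (k == NULL)` block return 0 before the `xfree(blob)` that follows the dsa_key_from_blob() call. Add `xfree(blob);` before each `return 0;`, or move the xfree up to just after dsa_key_from_blob(), since blob is not used once the key has been decoded.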
@@ -269,10 +271,12 @@ k->dsa = NULL; key_free(k); bits = BN_num_bits(ret->dsa->p); - cp = strchr(cp, '='); - if (cp == NULL) - return 0; - *cpp = cp + 1; + /* advance cp: skip whitespace and data */ + while (*cp == ' ' || *cp == '\t') + cp++; + while (*cp != '\0' && *cp != ' ' && *cp != '\t') + cp++; + *cpp = cp; break; default: fatal("key_read: bad key type: %d", ret->type);

From pekkas at netcore.fi Thu May 25 21:55:26 2000
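Review bot: in the @@ -269,10 +271,12 @@ hunk, the replacement scanner treats only ' ' and '\t' as separators, so a '\n' or '\r' left on the line by the caller is swallowed by the second loop as part of the key data and *cpp ends on the NUL; if any caller relies on *cpp pointing at the comment field, include '\n' and '\r' in both tests (e.g. `while (*cp == ' ' || *cp == '\t' || *cp == '\n' || *cp == '\r')`). Dropping the `strchr(cp, '=')` test is the right call, since a base64 blob needs no '=' padding when its length is a multiple of three and the old code returned 0 for exactly those keys, which would account for the valid keys key_read() ignored.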
From: pekkas at netcore.fi (Pekka Savola)
Date: Thu, 25 May 2000 14:55:26 +0300 (EEST)
Subject: OpenSSH-2.1: FROM in 'w' empty?
In-Reply-To: <20000525014325.A7256@quipu.half.pint-stowp.cx>
Message-ID:

> Pekka, what undocumented feature is that? The line that you replace
> below is (mostly; see below) an incredibly common Bourne shell idiom.

I'm not intimate with sh syntax, so I don't really know, but COMPAT file with bash2 states the following:

----
1. Bash now uses a new quoting syntax, $"...", to do locale-specific string translation. Users who have relied on the (undocumented) behavior of bash-1.14 will have to change their scripts. For instance, if you are doing something like this to get the value of a variable whose name is the value of a second variable:

eval var2=$"$var1"

you will have to change to a different syntax. This capability is directly supported by bash-2.0:

var2=${!var1}

This alternate syntax will work portably between bash-1.14 and bash-2.0:

eval var2=\$${var1}
----

> : I suspect this change will break a lot of other systems. Remember there
> : are still machines out there that don't understand the $(command) syntax
> : (my stock Solaris with /bin/sh is one of them).
> :
> : Is there another way to fix this and preserve the use of backticks?
> 
> Tom, i don't see any $() expression in the above change. What are you
> referring to?

OpenSSH-2.0beta used internal autoconf macros to do this stuff. It worked. I don't see why ossh's own aclocal.m4 stuff had to be defined anyway. Perhaps there's some reason for it, but I sure can't figure it out. :)

-- 
Pekka Savola "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi not those you stumble over and fall"

From marc.fournier at acadiau.ca Thu May 25 22:02:47 2000
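The indirect expansion that Pekka, Jim and Simon are comparing, as an added example (not taken from the configure script or from any of them): the portable eval form with the variable name checked before it reaches eval, beside Simon's backtick form. The function names, the OSSH_TEST_* variables and the name check are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the OpenSSH configure script: the indirect
# expansion the thread discusses, with the variable name checked first.
# "ossh_varname" and "ossh_result" follow the names in the configure snippet.

# ossh_indirect NAME
# Prints the value of the shell variable called NAME. The name is checked
# against the identifier syntax before it reaches eval, so a name such as
# 'blah:-haha' or 'x y' (the cases Jim Knoble raises) is rejected rather
# than evaluated.
ossh_indirect() {
    ossh_varname=$1
    case $ossh_varname in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "ossh_indirect: '$ossh_varname' is not a variable name" >&2
            return 1 ;;
    esac
    # The portable form from the bash COMPAT file, with the braces Jim
    # suggests: eval sees   ossh_result=${NAME}   whatever NAME is.
    # It works in bash 1, bash 2 and Solaris /bin/sh; the bash-2-only
    # ${!ossh_varname} form would also do it but is not portable.
    eval ossh_result=\$\{${ossh_varname}\}
    # printf rather than echo, so a value such as '-n' or '\t' is not
    # reinterpreted by echo.
    printf '%s\n' "$ossh_result"
}

# ossh_indirect_backtick NAME
# Simon Wilkinson's backtick form, for comparison. It also works in
# bash 1, bash 2 and Solaris sh, but it routes the value through echo,
# so a value that looks like an echo option (e.g. '-n') can be mangled.
ossh_indirect_backtick() {
    ossh_varname=$1
    case $ossh_varname in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    ossh_result=`eval echo \"\\\$$ossh_varname\"`
    printf '%s\n' "$ossh_result"
}
```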
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Thu, 25 May 2000 09:02:47 -0300 (ADT)
Subject: [2.1.0p2] Couldn't initialise builtin random ...
In-Reply-To:
Message-ID:

On Thu, 25 May 2000, Damien Miller wrote:

> On Wed, 24 May 2000, Marc G. Fournier wrote:
> 
> > 
> > I get this an awful lot under solaris 8 ... anyone have any thoughts on
> > how to correct it?
> 
> Server or client? What appears in the log?

I don't know and nothing ... I just checked through to make sure I was logging properly (which I wasn't), fixed that and tried it again. Error comes back as:

eris:/var/src/openssh-2.1.0p2> resync
hawk: updating host hawk
owl: updating host owl
dalmation: updating host dalmation
hercules: updating host hercules
owl: LOCAL ERROR: Unexpected input from server: "Couldn't initialise builtin ran".m number generator -- exiting.
owl: updating of owl finished
dalmation: LOCAL ERROR: Unexpected input from server: "Couldn't initialise built". random number generator -- exiting.
dalmation: updating of dalmation finished
hercules: LOCAL ERROR: Unexpected input from server: "Couldn't initialise builti".random number generator -- exiting.
hercules: updating of hercules finished
hawk: LOCAL ERROR: Unexpected input from server: "Couldn't initialise builtin ra".om number generator -- exiting.
hawk: updating of hawk finished

resync is an alias for:

rdist -P /usr/slocal/bin/ssh -Rf /root/sync-systems

If I do an 'ssh' to any one of those machines alone, from the command line, it goes through ... it isn't until I do it as part of rdist that it fails. If I add -F to the options, to force it to go through the servers sequentially, it all appears to go through fine ... but if I leave it in its default state, where it does multiple hosts at once, it fails as above ... Too many 'start ups' at once?

From tbert at abac.com Thu May 25 23:01:37 2000
From: tbert at abac.com (Tom Bertelson)
Date: Thu, 25 May 2000 09:01:37 -0400
Subject: OpenSSH-2.1: FROM in 'w' empty?
References: <392BFE91.86C34E72@abac.com> <20000525014325.A7256@quipu.half.pint-stowp.cx>
Message-ID: <392D2431.8EE609EC@abac.com>

Jim Knoble wrote:
> : I suspect this change will break a lot of other systems. Remember there
> : are still machines out there that don't understand the $(command) syntax
> : (my stock Solaris with /bin/sh is one of them).
> :
> : Is there another way to fix this and preserve the use of backticks?
> 
> Tom, i don't see any $() expression in the above change. What are you
> referring to?

Sorry, I've been poring over Makefiles and running into this problem lately. I misread the braces as parens, jumped the gun, and, well, enough said. I guess it's time to switch to a bigger font for my windows :-( (And I just had my eyes checked last week!)

-- 
Tom Bertelson "Any sufficiently advanced technology
RHI Consulting is indistinguishable from magic."
tbert at abac.com -- Arthur C. Clarke

From chip at princetonecom.com Thu May 25 23:52:28 2000
From: chip at princetonecom.com (Chip Christian)
Date: Thu, 25 May 2000 09:52:28 -0400
Subject: grace logins on solaris
Message-ID: <20000525135228.704F5B47B@fleck.princetonecom.com>

We just started using NDS for Solaris to authenticate users on our Solaris 2.6 boxes. Works great with OpenSSH except for one thing. When a user's password is expired, sshd won't allow them access, while telnetd reports the number of grace logins left, and asks to change the user's password. Seems to be an interaction with the PAM account module, but I'm not familiar enough with any of the code/APIs to say much more. Any ideas on getting this implemented?

-Chip

From naddy at unix-ag.uni-kl.de Thu May 25 23:50:41 2000
From: naddy at unix-ag.uni-kl.de (Christian Weisgerber)
Date: Thu, 25 May 2000 15:50:41 +0200
Subject: SSH v2 known-hosts problem.
In-Reply-To: <20000525082044.A25951@folly.informatik.uni-erlangen.de>; from markus.friedl@informatik.uni-erlangen.de on Thu, May 25, 2000 at 08:20:44AM +0200
References: <20000518172341.A14582@folly.informatik.uni-erlangen.de> <200005181506.RAA28272@jhb.ucs.co.za> <39240D43.6D01DD8B@rds.ro> <20000522103911.A7293@folly.informatik.uni-erlangen.de> <8ghj2s$2spb$1@bigeye.rhein-neckar.de> <200005181506.RAA28272@jhb.ucs.co.za> <39240D43.6D01DD8B@rds.ro> <20000518172341.A14582@folly.informatik.uni-erlangen.de> <200005182020.WAA11851@jhb.ucs.co.za> <20000525082044.A25951@folly.informatik.uni-erlangen.de>
Message-ID: <20000525155041.C69109@fettuccini.unix-ag.uni-kl.de>

Markus Friedl:

> the patch was broken. try this.
> [...]

Thumbs up! Works for me.

-- 
Christian "naddy" Weisgerber naddy at unix-ag.uni-kl.de

From pekkas at netcore.fi Fri May 26 06:24:42 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Thu, 25 May 2000 23:24:42 +0300 (EEST)
Subject: AllowHosts support in sshd missing.
Message-ID:

Hello all,

I just noticed that AllowHosts feature of SSH Inc's sshd isn't there in OpenSSH yet.

Has anyone been working on this? Am I the only one that seems to miss this feature?

AllowUsers and AllowGroups is a very nice feature though :)

-- 
Pekka Savola "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi not those you stumble over and fall"

From Todd.Miller at courtesan.com Fri May 26 07:27:25 2000
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 25 May 2000 15:27:25 -0600
Subject: AllowHosts support in sshd missing.
In-Reply-To: Your message of "Thu, 25 May 2000 23:24:42 +0300."
References:
Message-ID: <200005252127.e4PLRPx05353@xerxes.courtesan.com>

You are expected to use libwrap for that...

- todd

In message so spake Pekka Savola (pekkas):

> Hello all,
> 
> I just noticed that AllowHosts feature of SSH Inc's sshd isn't there in
> OpenSSH yet.
> 
> Has anyone been working on this? Am I the only one that seems to miss
> this feature?
> 
> AllowUsers and AllowGroups is a very nice feature though :)
> 
> -- 
> Pekka Savola "Tell me of difficulties surmounted,
> Pekka.Savola at netcore.fi not those you stumble over and fall"
> 
> 

From cymax at takt.com Fri May 26 18:14:09 2000
From: cymax at takt.com (Max Pashkov)
Date: Fri, 26 May 2000 12:14:09 +0400
Subject: openssh-2.1.0p2 and Solaris 8
Message-ID: <392E3251.3F73BCE4@takt.com>

I have some troubles with subj and proper utmpx/wtmpx functionality. After successful ssh connect to Solaris 8 box, I run

#w
11:59am up 13:45, 1 user, load average: 0.00, 0.01, 0.02
User tty login@ idle JCPU PCPU what
root console 11:43am 9 bash
#

Record about my pts/1 login is absent. Next command I run from Solaris 8 console after my ssh session is finished

#who
root console May 26 11:43
who: Error --- entry has ut_type of 29808 when maximum is 9
who: Error --- entry has ut_type of 29808 when maximum is 9
#

Does anyone have some ideas?

Max

From gem at rellim.com Fri May 26 19:22:35 2000
From: gem at rellim.com (Gary E. Miller)
Date: Fri, 26 May 2000 02:22:35 -0700 (PDT)
Subject: OpenSSH-2.1: FROM in 'w' empty?
In-Reply-To: <20000525083514.A12070@folly.informatik.uni-erlangen.de>
Message-ID:

Yo Markus!

I set up a 1024 bit key on the openssh end and I still could not connect from the SecureCRT client using ssh v2. So that was not it.

ssh v2.1.23 had no problems with either key size.

You can get a 30 day trial copy of SecureCRT from www.vandyke.com. Anyone outside of the 7 countries on the US hate list can get it off their web now. It is the best ssh I have found for Windows.

I just tried SecureCRT 3.1 Beta 1 with the same results.

RGDS
GARY

On Thu, 25 May 2000, Markus Friedl wrote:

> On Wed, May 24, 2000 at 05:30:46PM -0700, Gary E. Miller wrote:
> > SecureCRT says:
> > "Corrupt or invalid host key or algorithm"
> > 
> > See below for a debug dump of the server side.
> > 
> > The only odd thing about my setup is a 2048 bit host key. Could
> > that be a problem? Any ideas?
> 
> yes, this could be the problem, please try a 1024 bit key.
> 

---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

From markus.friedl at informatik.uni-erlangen.de Fri May 26 19:37:14 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 26 May 2000 11:37:14 +0200
Subject: OpenSSH-2.1: FROM in 'w' empty?
In-Reply-To: ; from gem@rellim.com on Fri, May 26, 2000 at 02:22:35AM -0700
References: <20000525083514.A12070@folly.informatik.uni-erlangen.de>
Message-ID: <20000526113714.A3513@folly.informatik.uni-erlangen.de>

On Fri, May 26, 2000 at 02:22:35AM -0700, Gary E. Miller wrote:
> Yo Markus!
> 
> I set up a 1024 bit key on the openssh end and I still could not
> connect from the SecureCRT client using ssh v2. So that was not
> it.
> 
> ssh v2.1.23 had no problems with either key size.

2.1.23? on the server side?

for me SecureCRT with 1024 bit DSA server key works, 2048 bit DSA does not, it shows the same error you did get.

> You can get a 30 day trial copy of SecureCRT from www.vandyke.com.
> Anyone outside of the 7 countries on the US hate list can get it
> off their web now. It is the best ssh I have found for Windows.
> 
> I just tried SecureCRT 3.1 Beta 1 with the same results.

i'll try this one, too.

From markus.friedl at informatik.uni-erlangen.de Fri May 26 20:12:48 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 26 May 2000 12:12:48 +0200
Subject: OpenSSH-2.1: FROM in 'w' empty?
In-Reply-To: <20000526113714.A3513@folly.informatik.uni-erlangen.de>; from markus.friedl@informatik.uni-erlangen.de on Fri, May 26, 2000 at 11:37:14AM +0200
References: <20000525083514.A12070@folly.informatik.uni-erlangen.de> <20000526113714.A3513@folly.informatik.uni-erlangen.de>
Message-ID: <20000526121248.A10342@folly.informatik.uni-erlangen.de>

i tried SecureCRT 3.1beta1 and it works with 1024 but fails with 2048 bit keys.

On Fri, May 26, 2000 at 11:37:14AM +0200, Markus Friedl wrote:
> On Fri, May 26, 2000 at 02:22:35AM -0700, Gary E. Miller wrote:
> > Yo Markus!
> > 
> > I set up a 1024 bit key on the openssh end and I still could not
> > connect from the SecureCRT client using ssh v2. So that was not
> > it.
> > 
> > ssh v2.1.23 had no problems with either key size.
> 
> 2.1.23? on the server side?
> 
> for me SecureCRT with 1024 bit DSA server key works,
> 2048 bit DSA does not, it shows the same error you did get.
> 
> > You can get a 30 day trial copy of SecureCRT from www.vandyke.com.
> > Anyone outside of the 7 countries on the US hate list can get it
> > off their web now. It is the best ssh I have found for Windows.
> > 
> > I just tried SecureCRT 3.1 Beta 1 with the same results.
> 
> i'll try this one, too.
> 

From gem at rellim.com Fri May 26 21:09:53 2000
From: gem at rellim.com (Gary E. Miller)
Date: Fri, 26 May 2000 04:09:53 -0700 (PDT)
Subject: OpenSSH-2.1: FROM in 'w' empty?
In-Reply-To: <20000526113714.A3513@folly.informatik.uni-erlangen.de>
Message-ID:

Yo Markus!

On Fri, 26 May 2000, Markus Friedl wrote:

> On Fri, May 26, 2000 at 02:22:35AM -0700, Gary E. Miller wrote:
> > Yo Markus!
> > 
> > I set up a 1024 bit key on the openssh end and I still could not
> > connect from the SecureCRT client using ss h v2. So that was not
> > it.
> > 
> > ssh v2.1.23 had no problems with either key size.
> 
> 2.1.23? on the server side?

I meant 2.0.13 on the client side.

> for me SecureCRT with 1024 bit DSA server key works,
> 2048 bit DSA does not, it shows the same error you did get.

I will try it again. I could not figure out how to override the key on the command line and I might have made a mistake.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

From basv at sara.nl Fri May 26 23:45:41 2000
From: basv at sara.nl (Bas van der Vlies)
Date: Fri, 26 May 2000 15:45:41 +0200
Subject: IRIX6 experience
Message-ID: <392E8004.9AB2D43D@sara.nl>

Hello,

I have just compiled openssh version 2.1.0p2 on irix 6.5.5 and encountered the following 'problem'. On IRIX there are 3 abi's (Application Binary Interface).

o32) The old 32-bit ABI which was standard on IRIX 5 systems
n64) The 64-bit ABI
n32) The new high performance 32-bit ABI

On IRIX the libraries are installed as follows:

/usr/lib) For the o32 libraries
/usr/lib32) For the n32 libraries (is usually the default)
/usr/lib64) For the 64 libraries

With this as background many people install the libraries for IRIX in /usr/local as follows:

/usr/local/lib
/usr/local/lib32
/usr/local/lib64

I encountered the following problems:

-) The LDFLAGS was wrong for my system, must be /usr/local/lib32
-) --with-ssl-dir=/usr/local/ssl doesn't find ssl because the libraries are in /usr/local/ssl/lib32 instead of /usr/local/ssl/lib.

This was my experience with compiling the openssh software. I used the native CC-compiler from SGI.

Regards

-- 
********************************************************************
*                                                                  *
*  Bas van der Vlies                   e-mail: basv at sara.nl      *
*  SARA - Academic Computing Services  phone: +31 20 592 8012      *
*  Kruislaan 415                       fax: +31 20 6683167         *
*  1098 SJ Amsterdam                                               *
*                                                                  *
********************************************************************

From dprevett at cs.unm.edu Fri May 26 11:18:44 2000
From: dprevett at cs.unm.edu (Daniel Prevett)
Date: Thu, 25 May 2000 19:18:44 -0600 (MDT)
Subject: OpenSSH-2.1: FROM in 'w' empty?
In-Reply-To:
Message-ID:

On Fri, 26 May 2000, Gary E. Miller wrote:

> Yo Markus!
> 
> On Fri, 26 May 2000, Markus Friedl wrote:
> 
> > On Fri, May 26, 2000 at 02:22:35AM -0700, Gary E. Miller wrote:
> > > Yo Markus!
> > > 
> > > I set up a 1024 bit key on the openssh end and I still could not
> > > connect from the SecureCRT client using ssh v2. So that was not
> > > it.
> > > 
> > > ssh v2.1.23 had no problems with either key size.
> > 
> > 2.1.23? on the server side?
> I meant 2.0.13 on the client side.
> 
> > for me SecureCRT with 1024 bit DSA server key works,
> > 2048 bit DSA does not, it shows the same error you did get.
> I will try it again. I could not figure out how to override the key
> on the command line and I might have made a mistake.
> 
> RGDS
> GARY

Hi Gary,

What does SecureCRT say if you turn on Trace Options (File \ Trace Options) before you connect?

-Daniel Prevett

From chip at princetonecom.com Sat May 27 02:59:56 2000
From: chip at princetonecom.com (Chip Christian)
Date: Fri, 26 May 2000 12:59:56 -0400
Subject: grace logins on solaris
In-Reply-To: Message from Chip Christian of "Thu, 25 May 2000 09:52:28 EDT." <20000525135228.704F5B47B@fleck.princetonecom.com>
Message-ID: <20000526165956.4E853B47B@fleck.princetonecom.com>

When I run sshd -d and connect using an expired login, this is what I get:

debug: Server will not fork when running in debugging mode.
Connection from 192.168.12.2 port 901
debug: Client protocol version 1.5; client software version OpenSSH-2.1
debug: Local version string SSH-1.99-OpenSSH-2.1
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Starting up PAM with username "chip"
debug: Attempting authentication for chip.
Failed rsa for chip from 192.168.12.2 port 901
debug: Adding PAM message: Your password has expired and you have 4 grace login(s).
debug: PAM Password authentication accepted for user "chip"
Accepted password for chip from 192.168.12.2 port 901
debug: PAM setting rhost to "fleck.princetonecom.com"
May 26 12:39:38 piglet.princetonecom.com sshd[8029]: PAM_NDS : Password expired.
PAM rejected by account configuration: Get new authentication token
Faking authloop for illegal user chip from 192.168.12.2 port 901

pam_acct_mgmt is returning PAM_NEW_AUTHTOK_REQD. Is there BSD licensed code out there already to deal with asking users to change an expired password?

> We just started using NDS for Solaris to authenticate users on our Solaris
> 2.6 boxes. Works great with OpenSSH except for one thing. When a user's
> password is expired, sshd won't allow them access, while telnetd reports
> the number of grace logins left, and asks to change the user's password.
> Seems to be an interaction with the PAM account module, but I'm not
> familiar enough with any of the code/APIs to say much more.
> Any ideas on
> getting this implemented?

From djm at mindrot.org Sat May 27 10:09:04 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 27 May 2000 10:09:04 +1000 (EST)
Subject: grace logins on solaris
In-Reply-To: <20000526165956.4E853B47B@fleck.princetonecom.com>
Message-ID:

On Fri, 26 May 2000, Chip Christian wrote:

> May 26 12:39:38 piglet.princetonecom.com sshd[8029]: PAM_NDS : Password
> expired.
> PAM rejected by account configuration: Get new authentication token
> Faking authloop for illegal user chip from 192.168.12.2 port 901
> 
> pam_acct_mgmt is returning PAM_NEW_AUTHTOK_REQD. Is there BSD
> licensed code out there already to deal with asking users to change
> an expired password?

In the absence of this, would allowing access (and displaying a suitable warning) when PAM returns PAM_NEW_AUTHTOK_REQD be acceptable? At least the users could change their passwords themselves.

-d

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Sat May 27 10:11:17 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 27 May 2000 10:11:17 +1000 (EST)
Subject: IRIX6 experience
In-Reply-To: <392E8004.9AB2D43D@sara.nl>
Message-ID:

On Fri, 26 May 2000, Bas van der Vlies wrote:

> Hello,
> 
> I have just compiled openssh version 2.1.0p2 on irix 6.5.5 and
> encountered the following 'problem'. On IRIX there are 3 abi's
> (Application Binary Interface).

A couple of questions:

How does one tell which is in use?

What CFLAGS need to be present to select an ABI? (-32/-64?)

I presume that you cannot link an o32 binary against a n32, etc.

-d

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Sat May 27 10:14:37 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 27 May 2000 10:14:37 +1000 (EST)
Subject: openssh-2.1.0p2 and Solaris 8
In-Reply-To: <392E3251.3F73BCE4@takt.com>
Message-ID:

On Fri, 26 May 2000, Max Pashkov wrote:

> I have some troubles with subj and proper utmpx/wtmpx functionality.
> After successful ssh connect to Solaris 8 box, I run

What options did you pass to ./configure? Could you send me the output of such configure.

Thanks,
Damien Miller

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From weigel+ at pitt.edu Sat May 27 12:14:48 2000
From: weigel+ at pitt.edu (Matthew C. Weigel)
Date: Fri, 26 May 2000 22:14:48 -0400 (EDT)
Subject: IRIX6 experience
In-Reply-To:
Message-ID:

On Sat, 27 May 2000, Damien Miller wrote:

> A couple of questions:
> 
> How does one tell which is in use?

As I understand it, all three are available at any time. I'm not sure, though, since the code *I* write on SGI's is generally Java.

> What CFLAGS need to be present to select an ABI? (-32/-64?)

-o32 or -32, -n32, and -64. o32 is probably the right one to use for binaries distributed from an FTP site.

> I presume that you cannot link an o32 binary against a n32, etc.

From abi(5) on an IRIX system:

IRIX supports three ABIs:

o32 The old 32-bit ABI which was standard on IRIX 5 systems.
n64 The 64-bit ABI which was introduced on IRIX 6.0 systems.
n32 The new high performance 32-bit ABI which was introduced on IRIX 6.2.

Each of these ABIs defines unique interfaces which make it impossible to link object files of one ABI with object files of another ABI.

The man page is a little out of date, since it refers to the R8000 as the only processor that supports 64-bit ABI (and specifically, mips3 and 4 arch's). -o32 seems to support more, since on the O2 I'm screwing around with this on, -32 and -n32 produce code it can run, but -64 produces code it can't run. I'm not sure if there's extra work that I need to be doing, though.

Matthew Weigel
Programmer/Sysadmin/Student
weigel+ at pitt.edu

From lars at larsshack.org Sat May 27 12:34:24 2000
From: lars at larsshack.org (Lars Kellogg-Stedman) Date: Fri, 26 May 2000 22:34:24 -0400 (EDT) Subject: IRIX6 experience In-Reply-To: Message-ID: > -o32 or -32, -n32, and -64. o32 is probably the right one to use for > binaries distributed from an FTP site. I wasn't going to reply until tomorrow because I'm dead tired, but I wanted to nip this in the bud...*all* versions of Irix since 6.2, and possibly earlier, use n32 as the default ABI. o32 is deprecated and will cause all manner of breakage because any locally compiled shared libraries will probably be in n32 format. The entire ssh config process has problems on Irix because it tries to second guess the default library search path -- that is, it will explicitly look for libraries in /usr/lib that are in fact in /usr/lib32; I've seen folks with this problem post to the list in the past. The safest course of action is to not worry about specifying the ABI. If a local installation has to support a deprecated binary format they will have set up the appropriate compiler defaults. -- Lars -- Lars Kellogg-Stedman --> http://www.larsshack.org/ From weigel+ at pitt.edu Sat May 27 13:25:47 2000 
From: weigel+ at pitt.edu (Matthew C. Weigel) Date: Fri, 26 May 2000 23:25:47 -0400 (EDT) Subject: IRIX6 experience In-Reply-To: Message-ID: On Fri, 26 May 2000, Lars Kellogg-Stedman wrote: > > -o32 or -32, -n32, and -64. o32 is probably the right one to use for > > binaries distributed from an FTP site. > > I wasn't going to reply until tomorrow because I'm dead tired, but I > wanted to nip this in the bud...*all* versions of Irix since 6.2, and > possibly earlier, use n32 as the default ABI. And some people still use pre-6.2 Irix. > o32 is deprecated and will > cause all manner of breakage because any locally compiled shared libraries > will probably be in n32 format. > > The entire ssh config process has problems on Irix because it tries to > second guess the default library search path -- that is, it will > explicitly look for libraries in /usr/lib that are in fact in > /usr/lib32; I've seen folks with this problem post to the list in the > past. > > The safest course of action is to not worry about specifying the > ABI. If a local installation has to support a deprecated binary format > they will have set up the appropriate compiler defaults. Ah, so no binary packages? Matthew Weigel Programmer/Sysadmin/Student weigel+ at pitt.edu From egagnon at j-meg.com Sat May 27 23:35:55 2000 
From: egagnon at j-meg.com (Etienne M. Gagnon) Date: Sat, 27 May 2000 09:35:55 -0400 Subject: Could somebody check-in my patch for "scp -L" please? Message-ID: <392FCF3B.C9EB4516@j-meg.com> Hi! A month ago, I have submitted a simple patch for adding the missing "-L" option to scp. This option is quite useful for people behind a firewall. You can find the archived message containing the patch at: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=95685065722849&w=2 If there's any issue, please tell me about it. I am willing to help as much as I can. Thanks! Etienne -- ---------------------------------------------------------------------- Etienne M. Gagnon, M.Sc. e-mail: egagnon at j-meg.com Author of SableCC: http://www.sable.mcgill.ca/sablecc/ ---------------------------------------------------------------------- From basv at sara.nl Sat May 27 23:59:09 2000 From: basv at sara.nl (Bas van der Vlies) Date: Sat, 27 May 2000 15:59:09 +0200 (MET DST) Subject: IRIX6 experience In-Reply-To: from "Lars Kellogg-Stedman" at May 26, 2000 10:34:24 PM Message-ID: <200005271359.PAA03023@mailgate.sara.nl> > In /etc/compiler.defaults tells which abi is the default one, eg: my machine: more /etc/compiler.defaults -DEFAULT:abi=n32:isa=mips4:proc=r10k Just an hint. Regards ******************************************************************** * * * Bas van der Vlies e-mail: basv at sara.nl * * SARA - Academic Computing Services phone: +31 20 592 8012 * * Kruislaan 415 fax: +31 20 6683167 * * 1098 SJ Amsterdam WWW: www.sara.nl * * * ******************************************************************** From lars at larsshack.org Sun May 28 00:13:22 2000 
From: lars at larsshack.org (Lars Kellogg-Stedman) Date: Sat, 27 May 2000 10:13:22 -0400 (EDT) Subject: IRIX6 experience In-Reply-To: Message-ID: > And some people still use pre-6.2 Irix. True, but not even SGI supports pre-6.2 systems anymore. There's comes a point where support for a minority of systems running outdated software shouldn't be a priority. > Ah, so no binary packages? Why not? Or you you just being snide? n32 format binaries will work for the vast majority of people. If there are a substantial number of requests for o32 format binaries, one could simply distribute an additional package. -- Lars -- Lars Kellogg-Stedman --> http://www.larsshack.org/ From lars at larsshack.org Sun May 28 00:14:33 2000 From: lars at larsshack.org (Lars Kellogg-Stedman) Date: Sat, 27 May 2000 10:14:33 -0400 (EDT) Subject: IRIX6 experience In-Reply-To: <200005271359.PAA03023@mailgate.sara.nl> Message-ID: > In /etc/compiler.defaults tells which abi is the default one Yes, that is what I was referring to. Since this wasn't an Irix specific list I figured the details could wait :). -- Lars -- Lars Kellogg-Stedman --> http://www.larsshack.org/ From weigel+ at pitt.edu Sun May 28 01:27:48 2000 From: weigel+ at pitt.edu (Matthew C. Weigel) Date: Sat, 27 May 2000 11:27:48 -0400 (EDT) Subject: IRIX6 experience In-Reply-To: Message-ID: On Sat, 27 May 2000, Lars Kellogg-Stedman wrote: > > And some people still use pre-6.2 Irix. > > True, but not even SGI supports pre-6.2 systems anymore. There's comes a > point where support for a minority of systems running outdated software > shouldn't be a priority. OK, fair enough. > > Ah, so no binary packages? > > Why not? Or you you just being snide? Not at all. I was just looking at it differently. If n32 will work for most people, fine. Matthew Weigel Programmer/Sysadmin/Student weigel+ at pitt.edu From djm at mindrot.org Sun May 28 04:39:57 2000 
From: djm at mindrot.org (Damien Miller)
Date: Sun, 28 May 2000 04:39:57 +1000 (EST)
Subject: IRIX6 experience
In-Reply-To: 
Message-ID: 

On Sat, 27 May 2000, Lars Kellogg-Stedman wrote:

> > In /etc/compiler.defaults tells which abi is the default one
> 
> Yes, that is what I was referring to. Since this wasn't an Irix specific
> list I figured the details could wait :).
> 
> -- Lars
> 

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From pekkas at netcore.fi Mon May 29 06:55:15 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Sun, 28 May 2000 23:55:15 +0300 (EEST)
Subject: Kerberos/AFS options in ssh/sshd while disabling them in configure
Message-ID: 

Hello all,

If you don't compile in Kerberos, AFS etc. support, the ssh/sshd man page
still mentions them as valid options, and ssh/sshd complains loudly and
refuses to run if you set options about them in ssh_config or sshd_config.

I'm not sure if this is the intended (or good?) behaviour. Should it be
better to modify the man pages when ./configuring too? Like, adding a
small sentence about stuff disabled at compile time.

An example:

     KerberosTgtPassing
             Specifies whether a Kerberos TGT will be forwarded to the
             server. This will only work if the Kerberos server is actually
             an AFS kaserver. The argument to this keyword must be ``yes''
             or ``no''. This option has been disabled at compile time.

What do you think? :)

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi     not those you stumble over and fall"

From al at 9b.com Mon May 29 07:13:03 2000
From: al at 9b.com (A.L.) Date: Sun, 28 May 2000 16:13:03 -0500 (CDT) Subject: Protocol error's with 2.1.0p2 Message-ID: I'm getting "Protocol errors" when trying to scp files from my laptop to my desktop (only when trying to scp root at laptop:/path/file, not vis-vis). See screen dump's at end of e-mail for exact details. The most confusing thing about this problem (to me anyway), is that this is a one-way problem. I can log into the laptop and scp files down from the desktop no problems. System software spec's. Desktop: RedHat 6.2, fairly vanilla - 2.2.15 kernel compiled with fairly standard options, extra packages and such, but no real "changes" per-se as far as packages, just additions. Laptop: RedHat 6.2, very vanilla - stock kernel, a few extra packages, and not much else. OpenSSL version: 0.9.5a OpenSSH version: 2.1.0p2 Both packages were built from SRPM's on the desktop machine. I have also gone through and verified that all lib's and versions reported by ldd /usr/bin/scp and ldd /usr/sbin/sshd are identical. Config files on both boxes match as far as options, and with the desktop, and I have no problem scp'ing with any other box I use openssh to communicate with (although they are mostly openssh-1.2.x flavor's), this is isolated to scp'ing with the laptop. I've also stripped openssh from both boxen completely (even rpm -Rf ~/.ssh), and re-installed, to no avail. Anyway, long and short of explanations above, I have some small amount of clue, and have done as much homework on trying to figure this out as I know how to do. Obviously I don't know everything, or I'd have this working by now though. :) Screen dump's of debug output below: [root at desktop] [~]# scp root at 10.10.10.220:/etc/inetd.conf . root at 10.10.10.220's password: protocol error: unexpected Connection to 10.10.10.220 closed by remote host. 
[root at desktop] [~]# # dump below was generated by scp -v root at 10.10.10.220:/etc/inetd.conf 2> ssh.debug Executing: host 10.10.10.220, user root, command scp -v -f /etc/inetd.conf SSH Version OpenSSH-2.1, protocol versions 1.5/2.0. Compiled with SSL (0x0090581f). debug: Reading configuration data /etc/ssh/ssh_config debug: Applying options for * debug: Seeding random number generator debug: ssh_connect: getuid 0 geteuid 0 anon 0 debug: Connecting to 10.10.10.220 [10.10.10.220] port 22. debug: Seeding random number generator debug: Allocated local port 767. debug: Connection established. debug: Remote protocol version 2.0, remote software version OpenSSH-2.1 Enabling compatibility mode for protocol 2.0 debug: Local version string SSH-2.0-OpenSSH-2.1 debug: Sending KEX init. debug: done debug: got kexinit string: diffie-hellman-group1-sha1 debug: got kexinit string: ssh-dss debug: got kexinit string: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc debug: got kexinit string: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc debug: got kexinit string: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com debug: got kexinit string: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com debug: got kexinit string: zlib,none debug: got kexinit string: zlib,none debug: got kexinit string: debug: got kexinit string: debug: first kex follow == 0 debug: reserved == 0 debug: done read kexinit debug: kex: server->client blowfish-cbc hmac-sha1 none debug: kex: client->server blowfish-cbc hmac-sha1 none debug: Sending SSH2_MSG_KEXDH_INIT. debug: bits set: 516/1024 debug: Wait SSH2_MSG_KEXDH_REPLY. debug: Got SSH2_MSG_KEXDH_REPLY. debug: keytype ssh-dss debug: keytype ssh-dss debug: Host '10.10.10.220' is known and matches the DSA host key. debug: bits set: 520/1024 debug: len 55 datafellows 0 debug: dsa_verify: signature correct debug: Wait SSH2_MSG_NEWKEYS. debug: GOT SSH2_MSG_NEWKEYS. debug: send SSH2_MSG_NEWKEYS. debug: done: send SSH2_MSG_NEWKEYS. debug: done: KEX2. 
debug: send SSH2_MSG_SERVICE_REQUEST debug: service_accept: ssh-userauth debug: got SSH2_MSG_SERVICE_ACCEPT debug: authentications that can continue: publickey,password debug: key does not exist: /root/.ssh/id_dsa debug: ssh-userauth2 successfull debug: fd 7 setting O_NONBLOCK debug: fd 8 setting O_NONBLOCK debug: fd 9 setting O_NONBLOCK debug: channel 0: new [client-session] debug: send channel open 0 debug: Entering interactive session. debug: callback start debug: client_init id 0 arg 0 debug: Sending command: scp -v -f /etc/inetd.conf debug: client_set_session_ident: id 0 debug: callback done debug: channel 0: open confirm rwindow 0 rmax 32768 debug: channel 0: rcvd adjust 16384 debug: channel 0: send data len 1 protocol error: unexpected debug: channel 0: send data len 43 debug: channel 0: read<=0 rfd 7 len 0 debug: channel 0: read failed debug: channel 0: input open -> drain debug: channel 0: close_read debug: channel 0: input: no drain shortcut debug: channel 0: ibuf empty debug: channel 0: input drain -> closed debug: channel 0: send eof debug: channel 0: write failed debug: channel 0: output open -> closed debug: channel 0: close_write debug: channel 0: send close debug: channel 0: rcvd close debug: channel 0: full closed2 debug: channel_free: channel 0: status: The following connections are open: #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1) Connection to 10.10.10.220 closed by remote host. debug: Transferred: stdin 0, stdout 0, stderr 51 bytes in 0.1 seconds debug: Bytes per second: stdin 0.0, stdout 0.0, stderr 448.1 debug: Exit status -1 Anyway, any help is appreciated. Cheers! -- A.L.Lambert -------------------------------------------------------------------------- If what they've been doing hasn't solved the problem, tell them to do something else. -- Gerald Weinberg, "The Secrets of Consulting" -------------------------------------------------------------------------- From cloos at jhcloos.com Mon May 29 08:38:38 2000 
From: cloos at jhcloos.com (James H. Cloos Jr.) Date: 28 May 2000 17:38:38 -0500 Subject: archive location Message-ID: I just went to grab p2 to upgrade and couldn't find it from . The OpenBSD/OpenSSH directory is empty on all of the OpenBSD mirrors I looked at, including ftp.openbsd.org. I had to follow the links from mindrot.org to find the old pages. does point to usable locations for the portable version. -JimC -- James H. Cloos, Jr. 1024D/ED7DAEA6 E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6 Is this post worth two cents? Then goto ! From djm at mindrot.org Mon May 29 09:17:27 2000 From: djm at mindrot.org (Damien Miller) Date: Mon, 29 May 2000 09:17:27 +1000 (EST) Subject: Protocol error's with 2.1.0p2 In-Reply-To: Message-ID: On Sun, 28 May 2000, A.L. wrote: > I'm getting "Protocol errors" when trying to scp files > from my laptop to my desktop (only when trying to scp > root at laptop:/path/file, not vis-vis). See screen dump's at end > of e-mail for exact details. The most confusing thing about this > problem (to me anyway), is that this is a one-way problem. I can > log into the laptop and scp files down from the desktop no problems. Do you have something in you .bashrc (or similar) which causes output at login time? This is likely the problem. Move whatever it is to .bash_login or similar so it only gets executed when you are starting an interactive session. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From paul at cr355112-a.slnt1.on.wave.home.com Mon May 29 09:33:08 2000 
From: paul at cr355112-a.slnt1.on.wave.home.com (paul) Date: Sun, 28 May 2000 19:33:08 -0400 (EDT) Subject: Warning for expired password In-Reply-To: <20000528231116.1683727599@toad.mindrot.org> Message-ID: Is it possible to get sshd to report the number of days till a password expires after a login ? If not, how else could I do it ? Thanks ___________________________________________________________ Paul Faure paul at engsoc.carleton.ca From al at 9b.com Mon May 29 15:51:15 2000 From: al at 9b.com (A.L.) Date: Mon, 29 May 2000 00:51:15 -0500 (CDT) Subject: Protocol error's with 2.1.0p2 In-Reply-To: Message-ID: > > I'm getting "Protocol errors" when trying to scp files > > from my laptop to my desktop (only when trying to scp > > root at laptop:/path/file, not vis-vis). See screen dump's at end > > of e-mail for exact details. The most confusing thing about this > > problem (to me anyway), is that this is a one-way problem. I can > > log into the laptop and scp files down from the desktop no problems. > > Do you have something in you .bashrc (or similar) which causes output > at login time? This is likely the problem. > > Move whatever it is to .bash_login or similar so it only gets executed > when you are starting an interactive session. > > -d As a mater of fact... DOH! And now that you mention it, it makes sense to me. Removed the MOTD printout, and all works great again. Many many thanks Damien, you saved me from pulling out what's left of my hair. :) -- A.L.Lambert -------------------------------------------------------------------------- If what they've been doing hasn't solved the problem, tell them to do something else. -- Gerald Weinberg, "The Secrets of Consulting" -------------------------------------------------------------------------- From cymax at takt.com Mon May 29 16:44:06 2000 
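The diagnosis in the two messages above (a login script printing a MOTD breaks scp) comes down to the first bytes the client reads from the remote "scp -f" process. The following checker is an added example written for this archive, not code from OpenSSH's scp.c: it classifies a received header line according to the scp wire protocol (C/D/E/T headers and the \001/\002 error prefixes) and reports anything else, such as a banner from a non-interactive .bashrc, as the protocol error seen in the debug dump. The sample lines in main() are constructed.

```c
/* Added example: validate the first header the remote scp source sends.
 * Not OpenSSH code; the message formats follow the scp protocol as
 * implemented by rcp/scp (C<mode> <size> <name>, D..., E, T..., \001/\002). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum scp_msg {
    SCP_FILE,            /* C<mode> <size> <name> : a file's data follows      */
    SCP_DIR,             /* D<mode> <size> <name> : enter a directory          */
    SCP_END,             /* E                     : leave a directory          */
    SCP_TIME,            /* T<mtime> 0 <atime> 0  : timestamps (scp -p)        */
    SCP_WARNING,         /* \001<text>            : non-fatal remote error     */
    SCP_FATAL,           /* \002<text>            : fatal remote error         */
    SCP_PROTOCOL_ERROR   /* anything else, e.g. a MOTD printed by .bashrc      */
};

struct scp_header {
    enum scp_msg kind;
    unsigned mode;              /* permission bits (C and D headers) */
    unsigned long long size;    /* file length in bytes (C header)   */
    char name[256];             /* file/dir name, or remote error text */
};

/* Classify one line (without its trailing '\n') received from the remote. */
enum scp_msg scp_parse_header(const char *line, struct scp_header *h)
{
    memset(h, 0, sizeof *h);
    h->kind = SCP_PROTOCOL_ERROR;

    if (line[0] == 'E' && line[1] == '\0') {
        h->kind = SCP_END;
    } else if (line[0] == '\001' || line[0] == '\002') {
        h->kind = line[0] == '\001' ? SCP_WARNING : SCP_FATAL;
        snprintf(h->name, sizeof h->name, "%s", line + 1);
    } else if (line[0] == 'T') {
        unsigned long mtime, atime, z1, z2;
        if (sscanf(line + 1, "%lu %lu %lu %lu", &mtime, &z1, &atime, &z2) == 4)
            h->kind = SCP_TIME;
    } else if (line[0] == 'C' || line[0] == 'D') {
        /* exactly four octal digits, a space, a decimal size, a space, a name */
        const char *p = line + 1;
        unsigned mode = 0;
        int i;
        for (i = 0; i < 4 && p[i] >= '0' && p[i] <= '7'; i++)
            mode = mode * 8 + (unsigned)(p[i] - '0');
        if (i == 4 && p[4] == ' ') {
            char *end;
            unsigned long long size = strtoull(p + 5, &end, 10);
            if (end != p + 5 && *end == ' ' && end[1] != '\0') {
                h->kind = line[0] == 'C' ? SCP_FILE : SCP_DIR;
                h->mode = mode;
                h->size = size;
                snprintf(h->name, sizeof h->name, "%s", end + 1);
            }
        }
    }
    return h->kind;
}

/* Scalar wrappers, convenient for callers that only need one field. */
enum scp_msg scp_kind(const char *line)
{
    struct scp_header h;
    return scp_parse_header(line, &h);
}

unsigned scp_mode(const char *line)
{
    struct scp_header h;
    scp_parse_header(line, &h);
    return h.mode;
}

unsigned long long scp_size(const char *line)
{
    struct scp_header h;
    scp_parse_header(line, &h);
    return h.size;
}

const char *scp_name(const char *line)
{
    static char name[256];
    struct scp_header h;
    scp_parse_header(line, &h);
    snprintf(name, sizeof name, "%s", h.name);
    return name;
}

int main(void)
{
    /* Constructed samples: a chatty remote (MOTD first) and a quiet one. */
    const char *lines[] = { "Welcome to laptop, no mail.", "C0644 1297 inetd.conf" };
    for (int i = 0; i < 2; i++) {
        if (scp_kind(lines[i]) == SCP_PROTOCOL_ERROR)
            printf("protocol error: unexpected <%s>\n", lines[i]);
        else
            printf("ok: mode %04o size %llu name %s\n", scp_mode(lines[i]),
                   scp_size(lines[i]), scp_name(lines[i]));
    }
    return 0;
}
```

Why the one-way symptom: only the side that starts a remote shell non-interactively sees that shell's startup output, so output from .bashrc breaks "scp root at laptop:..." while the reverse direction, started from the laptop, never runs the laptop's .bashrc in the scp channel.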
From: cymax at takt.com (Max Pashkov) Date: Mon, 29 May 2000 10:44:06 +0400 Subject: openssh-2.1.0p2 ans Solaris 8 References: Message-ID: <393211B6.885D7B7F@takt.com> Damien Miller wrote: > On Fri, 26 May 2000, Max Pashkov wrote: > > > I have some troubles with subj and proper utmpx/wtmpx functionality. > > After successfull ssh connect to Solaris 8 box, I run > > What options did you pass to ./configure? Could you send me the output > of such configure. ./configure --sysconfdir=/usr/local/etc/ssh --with-ipv4-default creating cache ./config.cache checking for gcc... gcc checking whether the C compiler (gcc ) works... yes checking whether the C compiler (gcc ) is a cross-compiler... no checking whether we are using GNU C... yes checking whether gcc accepts -g... yes checking host system type... i386-pc-solaris2.8 checking how to run the C preprocessor... gcc -E checking for ranlib... ranlib checking for a BSD compatible install... ./install-sh -c checking for ar... ar checking for perl... /usr/bin/perl checking for ent... no checking for inline... inline checking for deflate in -lz... yes checking for login in -lutil... no checking for yp_match in -lnsl... yes checking for main in -lsocket... yes checking for bstring.h... no checking for endian.h... no checking for lastlog.h... yes checking for login.h... no checking for maillock.h... yes checking for netdb.h... yes checking for netgroup.h... no checking for netinet/in_systm.h... yes checking for paths.h... no checking for poll.h... yes checking for pty.h... no checking for shadow.h... yes checking for security/pam_appl.h... yes checking for sys/bitypes.h... no checking for sys/bsdtty.h... no checking for sys/cdefs.h... no checking for sys/poll.h... yes checking for sys/select.h... yes checking for sys/stropts.h... yes checking for sys/sysmacros.h... yes checking for sys/time.h... yes checking for sys/ttcompat.h... yes checking for stddef.h... yes checking for util.h... no checking for utmp.h... 
yes checking for utmpx.h... yes checking for arc4random... no checking for b64_ntop... no checking for bcopy... yes checking for bindresvport_af... no checking for clock... yes checking for freeaddrinfo... yes checking for gai_strerror... yes checking for getaddrinfo... yes checking for getnameinfo... yes checking for getrusage... yes checking for innetgr... yes checking for md5_crypt... no checking for memmove... yes checking for mkdtemp... no checking for openpty... no checking for rresvport_af... yes checking for setenv... no checking for seteuid... yes checking for setlogin... no checking for setproctitle... no checking for setreuid... yes checking for snprintf... yes checking for strlcat... yes checking for strlcpy... yes checking for updwtmpx... yes checking for vsnprintf... yes checking for vhangup... yes checking for _getpty... no checking for __b64_ntop... no checking for login... no checking for login in -lbsd... no checking for daemon... no checking for daemon in -lbsd... no checking for getpagesize... yes checking for dlopen in -ldl... yes checking for pam_getenvlist... yes checking whether pam_strerror takes only one argument... no checking for OpenSSL directory... (system) checking for RSA support... yes checking size of char... 1 checking size of short int... 2 checking size of int... 4 checking size of long int... 4 checking size of long long int... 8 checking for intXX_t types... yes checking for u_intXX_t types... no checking for intXX_t and u_intXX_t types in sys/bitypes.h... no checking for uintXX_t types... yes checking for socklen_t... yes checking for size_t... yes checking for ssize_t... yes checking for struct sockaddr_storage... yes checking for struct sockaddr_in6... yes checking for struct in6_addr... yes checking for struct addrinfo... yes checking for ut_host field in utmp.h... no checking for ut_host field in utmpx.h... yes checking for syslen field in utmpx.h... yes checking for ut_pid field in utmp.h... 
yes checking for ut_type field in utmp.h... yes checking for ut_type field in utmpx.h... yes checking for ut_tv field in utmp.h... no checking for ut_id field in utmp.h... yes checking for ut_addr field in utmp.h... no checking for ut_addr field in utmpx.h... no checking for ut_addr_v6 field in utmp.h... no checking for ut_addr_v6 field in utmpx.h... no checking for ss_family field in struct sockaddr_storage... yes checking for __ss_family field in struct sockaddr_storage... no checking if libc defines __progname... no checking for rsh... /usr/bin/rsh checking for xauth... no checking location of lastlog file... /var/adm/lastlog checking for /dev/ptmx... yes checking for /dev/ptc... no checking for /dev/urandom... no checking for ls... /usr/bin/ls checking for netstat... /usr/bin/netstat checking for arp... /usr/sbin/arp checking for ifconfig... /usr/sbin/ifconfig checking for ps... /usr/bin/ps checking for w... /usr/bin/w checking for who... /usr/bin/who checking for last... /usr/bin/last checking for lastlog... no checking for df... /usr/sbin/df checking for vmstat... /usr/bin/vmstat checking for uptime... /usr/bin/uptime checking for ipcs... no checking for tail... /usr/bin/tail checking for ls... (cached) /usr/bin/ls checking if we need to convert IPv4 in IPv6-mapped addresses... no (default) updating cache ./config.cache creating ./config.status creating Makefile creating ssh_prng_cmds creating config.h Here some sshd output in debug mode: RSA key generation complete. debug: Server will not fork when running in debugging mode. Connection from 212.15.113.8 port 38154 debug: Client protocol version 1.5; client software version 1.2.27 debug: Local version string SSH-1.99-OpenSSH-2.1 debug: Sent 768 bit public key and 1024 bit host key. debug: Encryption type: 3des debug: Received session key; encryption turned on. debug: Installing crc compensation attack detector. debug: Starting up PAM with username "root" debug: Attempting authentication for root. 
debug: PAM Password authentication accepted for user "root" Accepted password for ROOT from 212.15.113.8 port 38154 debug: PAM setting rhost to "cymax" debug: session_new: init debug: session_new: session 0 debug: Allocating pty. debug: PAM setting tty to "/dev/pts/1" debug: PAM establishing creds debug: Entering interactive session. debug: fd 8 setting O_NONBLOCK debug: server_init_dispatch_13 debug: server_init_dispatch_15 debug: tvp!=NULL kid 0 mili 10 debug: tvp!=NULL kid 0 mili 10 debug: tvp!=NULL kid 0 mili 10 debug: End of interactive session; stdin 15, stdout (read 444, sent 444), stderr 0 bytes. debug: Received SIGCHLD. debug: Command exited with status 0. debug: Received exit confirmation. debug: session_pty_cleanup: session 0 release /dev/pts/1 No tty slot found at logout Closing connection to 212.15.113.8 Cannot delete credentials: Permission denied debug: writing PRNG seed to file //.ssh/prng_seed > Thanks, > Damien Miller > > -- > | "Bombay is 250ms from New York in the new world order" - Alan Cox > | Damien Miller - http://www.mindrot.org/ > | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Mon May 29 17:45:05 2000 
From: djm at mindrot.org (Damien Miller) Date: Mon, 29 May 2000 17:45:05 +1000 (EST) Subject: openssh-2.1.0p2 ans Solaris 8 In-Reply-To: <393211B6.885D7B7F@takt.com> Message-ID: On Mon, 29 May 2000, Max Pashkov wrote: > Damien Miller wrote: > > > On Fri, 26 May 2000, Max Pashkov wrote: > > > > > I have some troubles with subj and proper utmpx/wtmpx functionality. > > > After successfull ssh connect to Solaris 8 box, I run > > > > What options did you pass to ./configure? Could you send me the output > > of such configure. > > ./configure --sysconfdir=/usr/local/etc/ssh --with-ipv4-default How does it go when you add a '--with-utmpx' to that? -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From hume at Den.BOFH.Halifax.NS.Ca Mon May 29 20:02:11 2000 
From: hume at Den.BOFH.Halifax.NS.Ca (Brandon Hume)
Date: Mon, 29 May 2000 07:02:11 -0300 (ADT)
Subject: openssh-2.1.0p2 ans Solaris 8
In-Reply-To: <393211B6.885D7B7F@takt.com> from Max Pashkov at "May 29, 2000 10:44: 6 am"
Message-ID: <200005291002.HAA05260@Den.BOFH.Halifax.NS.Ca>

> I have some troubles with subj and proper utmpx/wtmpx functionality.
> After successfull ssh connect to Solaris 8 box, I run

The problem arises because if you check line 154 of bsd-login.c, OpenSSH
writes out a *utmp* record into utmpx. (Along with a variety of other
nasty things, like opening the same file twice and not closing any of
them, etc...) I think somebody already mentioned this problem on the list,
and submitted a patch.

I avoided the problem by gutting login() to look like:

void
login(utp, utx)
	struct utmp *utp;	/* unused on Solaris: only the utmpx record is written */
	struct utmpx *utx;
{
	struct utmpx *old_utx;

	/* update the utmpx slot for this line, then append the record to wtmpx */
	if ((old_utx = pututxline(utx)) == NULL) {
		log("Could not update utmpx!");
	}
	updwtmpx(_PATH_WTMPX, utx);
	endutxent();
}

Obviously it destroys portability to other platforms, but it was just a
quick "make it go" fix.

-- 
Brandon Hume    - hume -> BOFH.Halifax.NS.Ca, http://WWW.BOFH.Halifax.NS.Ca/
                -> Solaris Snob and general NOCMonkey

From lkarrer at trash.net Mon May 29 20:13:27 2000
From: lkarrer at trash.net (Lukas Karrer)
Date: Mon, 29 May 2000 12:13:27 +0200
Subject: WARNING: OpenSSH BREAKS Solaris utmp!!
Message-ID: 

Hi,

there have been several posts regarding Solaris utmp and OpenSSH problems.
The posts I have read mentioned that using the 'w' command does not show
the correct output when logging on.

For me, openssh-2.1.0p2, Solaris 2.7, sparc, the problem goes much further.
After a couple of SSH logins, the utmp(x)? file gets screwed up so badly
that telnet logins are NOT accepted anymore by 'login'. When logging in
with telnet from another client pc, Solaris prints:

" No utmpx entry: Please login from the entry level shell "

Telnet login is NOT possible anymore from this time on.

IMHO, this is quite a serious bug :=) I hope this problem can be tackled as
soon as possible!

Lukas

PS: Thanks for your work, openssh guys!!!!

-- 
+------------------------------------------------------------------------+
Lukas Karrer      Email: lkarrer at trash.net      WWW: http://www.trash.net/
+------------------------------------------------------------------------+
Check out the stinkiest site on the web! Get a sniff from www.trash.net

From douglas.manton at uk.ibm.com Tue May 30 00:18:16 2000
From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com)
Date: Mon, 29 May 2000 15:18:16 +0100
Subject: Warning for expired password
Message-ID: <802568EE.004E95FE.00@d06mta05.portsmouth.uk.ibm.com>

Paul,

I have added a small routine to connect.c after line 645 (right after the
motd gets printed) to test for an expired password and to prompt for a new
one. This is AIX code but I guess something similar must exist for other
systems:

	/* AIX passwdexpired(): 1 means the password has expired and must be changed */
	if (passwdexpired(pw->pw_name, line) == 1) {
		setpwdb(S_READ);
		printf("3004-610 You are required to change your password.\n");
		printf("         Please choose a new one.\n\n");
		strcpy(Password->upw_name, pw->pw_name);
		. . .
	}

I have not made this available because it is a kludge to suit my
requirements. I don't see why a simple three line password expiration
routine couldn't sit just here...? Anyone see any problems with this? Am I
missing anything important?

Paul Faure wrote:

> Is it possible to get sshd to report the number of days till a password
> expires after a login ?
> If not, how else could I do it ?
> Thanks

Doug.

--------------------------------------------------------
Doug Manton, AT&T EMEA Firewall and Security Solutions
douglas.manton at uk.ibm.com
--------------------------------------------------------
"If privacy is outlawed, only outlaws will have privacy"

From jhuuskon at messi.uku.fi Tue May 30 01:01:27 2000
From: jhuuskon at messi.uku.fi (Jarno Huuskonen) Date: Mon, 29 May 2000 18:01:27 +0300 Subject: Syslog facility in Linux Message-ID: <20000529180127.A26366@messi.uku.fi> Hi ! While browsing Linux manpages (man 3 syslog) I noticed that the manual says that the LOG_AUTH facility is deprecated use LOG_AUTHPRIV instead. Is there a good reason why OpenSSH doesn't have an option to use LOG_AUTHPRIV facility ? (Looks like that tcpd/telnet etc. use the AUTHPRIV facility (in RH6.2)). Shouldn't be too hard to add the AUTH_PRIV facility ? Cheers, -Jarno -- ,,,, /'^'\ ( o o ) -oOOO--(_)--OOOo------------------------------ .oooO .oOo. Jarno Huuskonen .oOo. ( ) Oooo. jhuuskon at messi.uku.fi ---\ (----( )------------------------------- \_) ) / Mobile: +358-40-5388169 (_/ Work: +358-17-162822 From jhuuskon at messi.uku.fi Tue May 30 02:42:11 2000 From: jhuuskon at messi.uku.fi (Jarno Huuskonen) Date: Mon, 29 May 2000 19:42:11 +0300 Subject: Syslog facility in Linux In-Reply-To: <20000529180127.A26366@messi.uku.fi>; from jhuuskon@messi.uku.fi on Mon, May 29, 2000 at 06:01:27PM +0300 References: <20000529180127.A26366@messi.uku.fi> Message-ID: <20000529194211.A100512@messi.uku.fi> On Mon, May 29, Jarno Huuskonen wrote: > Hi ! > > While browsing Linux manpages (man 3 syslog) I noticed that the manual > says that the LOG_AUTH facility is deprecated use LOG_AUTHPRIV instead. > > Is there a good reason why OpenSSH doesn't have an option to use > LOG_AUTHPRIV facility ? (Looks like that tcpd/telnet etc. use the AUTHPRIV > facility (in RH6.2)). > > Shouldn't be too hard to add the AUTH_PRIV facility ? Replying to myself ;-) I hacked together a small patch that adds the LOG_AUTHPRIV option to sshd. I tested it briefly and it worked for me ;-) diff -u openssh-2.1.0p2-orig/log-server.c openssh-2.1.0p2/log-server.c --- openssh-2.1.0p2-orig/log-server.c Tue May 2 02:56:42 2000 +++ openssh-2.1.0p2/log-server.c Mon May 29 19:17:22 2000 
@@ -65,6 +65,9 @@ case SYSLOG_FACILITY_AUTH: log_facility = LOG_AUTH; break; + case SYSLOG_FACILITY_AUTHPRIV: + log_facility = LOG_AUTHPRIV; + break; case SYSLOG_FACILITY_LOCAL0: log_facility = LOG_LOCAL0; break; diff -u openssh-2.1.0p2-orig/log.c openssh-2.1.0p2/log.c --- openssh-2.1.0p2-orig/log.c Fri Jan 14 06:45:50 2000 +++ openssh-2.1.0p2/log.c Mon May 29 19:17:22 2000 @@ -136,6 +136,7 @@ { "DAEMON", SYSLOG_FACILITY_DAEMON }, { "USER", SYSLOG_FACILITY_USER }, { "AUTH", SYSLOG_FACILITY_AUTH }, + { "AUTHPRIV", SYSLOG_FACILITY_AUTHPRIV }, { "LOCAL0", SYSLOG_FACILITY_LOCAL0 }, { "LOCAL1", SYSLOG_FACILITY_LOCAL1 }, { "LOCAL2", SYSLOG_FACILITY_LOCAL2 }, diff -u openssh-2.1.0p2-orig/ssh.h openssh-2.1.0p2/ssh.h --- openssh-2.1.0p2-orig/ssh.h Wed May 17 15:34:24 2000 +++ openssh-2.1.0p2/ssh.h Mon May 29 19:17:26 2000 @@ -430,6 +430,7 @@ SYSLOG_FACILITY_DAEMON, SYSLOG_FACILITY_USER, SYSLOG_FACILITY_AUTH, + SYSLOG_FACILITY_AUTHPRIV, SYSLOG_FACILITY_LOCAL0, SYSLOG_FACILITY_LOCAL1, SYSLOG_FACILITY_LOCAL2, diff -u openssh-2.1.0p2-orig/sshd.8 openssh-2.1.0p2/sshd.8 --- openssh-2.1.0p2-orig/sshd.8 Tue May 9 04:03:03 2000 +++ openssh-2.1.0p2/sshd.8 Mon May 29 19:19:13 2000 @@ -546,7 +546,7 @@ .It Cm SyslogFacility Gives the facility code that is used when logging messages from .Nm sshd . -The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, +The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH. .It Cm UseLogin -- ,,,, /'^'\ ( o o ) -oOOO--(_)--OOOo------------------------------ .oooO .oOo. Jarno Huuskonen .oOo. ( ) Oooo. jhuuskon at messi.uku.fi ---\ (----( )------------------------------- \_) ) / Mobile: +358-40-5388169 (_/ Work: +358-17-162822 From deraadt at cvs.openbsd.org Tue May 30 07:28:33 2000 
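Review bot: the `case SYSLOG_FACILITY_AUTHPRIV: log_facility = LOG_AUTHPRIV;` added to log-server.c only compiles where <syslog.h> defines LOG_AUTHPRIV; it is a BSD/Linux facility that not every platform the portable tree targets provides, so wrap the new case in `#ifdef LOG_AUTHPRIV` with an `#else` branch that falls back to `LOG_AUTH` (or have the compat headers define LOG_AUTHPRIV as LOG_AUTH when it is absent), otherwise the build breaks on those systems.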
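Review bot: the sshd.8 hunk lists AUTHPRIV among the SyslogFacility values without saying what happens on a system whose syslog has no such facility; add a sentence after "The default is AUTH." stating that AUTHPRIV is only honoured where the platform supports it and what it maps to otherwise, so the documented option matches whatever fallback log-server.c implements.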
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Mon, 29 May 2000 15:28:33 -0600
Subject: Where's the software?
In-Reply-To: Your message of "Mon, 29 May 2000 16:24:25 CDT." <008101bfc9b4$62550ae0$a43a2ed0@theiqgroup.com>
Message-ID: <200005292128.e4TLSXD12573@cvs.openbsd.org>

> I've been to 10 of the mirrors listed but on every one the /pub/OpenBSD/OpenSSH
> directory is empty. Was the software pulled or what?

I made a mistake. The mirrors will start repairing themselves in about
20 minutes.

From Nils at InfoSun.FMI.Uni-Passau.De Tue May 30 20:26:03 2000
From: Nils at InfoSun.FMI.Uni-Passau.De (Nils Ellmenreich)
Date: Tue, 30 May 2000 12:26:03 +0200 (MEST)
Subject: utmpx bug in openssh-2.1.0p2 using Solaris 8
Message-ID: <14643.38715.714273.320323@skrjabin.fmi.uni-passau.de>

Hi,

I've installed openssh-2.1.0p2 on a Solaris 8 host (SPARC). The sshd
corrupts utmpx/wtmpx when a client connects to this machine.
Observable error:

$ who
who: Error --- entry has ut_type of 28265 when maximum is 9

It can be repeated and is attributable to the login done by sshd. Now,
Solaris has only utmpx/wtmpx and not the old utmp/wtmp. It gets worse
as more logins take place until utmpx is so corrupted that user login
at console is refused by the system.

A look at bsd-login.c revealed that, if USE_UTMPX is defined, in line
135 utmpx is being opened, but later on regardless of this define a
utmp structure is being written to it, thereby destroying utmpx's
consistency.

I don't have a bug fix, but a workaround (that won't work in general):

$ diff bsd-login.c bsd-login.c.orig
127d126
< #if 0
190c189
< #endif /* 0 */
---
> 

A proper bugfix will probably mean to examine the code between lines
126 and 190 and check which data structure is actually being written
to which file. I'm not familiar with all the differences on various
Unices so I'm afraid I can't provide one.

Related to that, I wonder why bsd-login.c is actually writing
utmpx/wtmpx directly and not using updwtmpx all the time. It does so
at the very end of bsd-login.c anyhow, which is the reason why the
lines 126-190 can be safely ignored in my case.

BTW, I've not subscribed to this list. In case you'd like to reply
please be so kind and CC directly to me. Thanks.

Cheers,
Nils
-- 
Nils Ellmenreich - Fak. fuer Math./Informatik - Please use gpg -
Nils @ http://www.fmi.uni-passau.de/~nils - Univ. Passau - Uni-Passau.DE

From iwa at mmp.fujitsu.co.jp Tue May 30 20:34:52 2000
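Review bot: the `127d126 < #if 0` / `190c189 < #endif /* 0 */` change switches the whole utmp/wtmp block off rather than correcting it, which is fine as a local workaround but not as a patch: with USE_UTMPX the block should build a struct utmpx and hand it to pututxline()/updwtmpx(), as the message itself suggests, instead of being skipped. The diff was also taken with the modified file first (`diff bsd-login.c bsd-login.c.orig`), so `patch` would apply it backwards; regenerate it as `diff -u bsd-login.c.orig bsd-login.c` before anyone tries it.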
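The record-size mismatch Nils describes, as an added example that is not part of this thread or of OpenSSH: two constructed stand-in layouts (the real struct utmp and struct utmpx differ from platform to platform) show how appending the smaller utmp record to a utmpx file produces entries whose ut_type is really ASCII from a text field, the kind of value who(1) complained about above, and how a reader can detect the damage before trusting the file. The /tmp paths, the record contents and the field sizes are assumptions made for the example.

```c
/* Added example (not OpenSSH code): a constructed model of the bsd-login.c
 * bug, where a struct utmp record is written into the utmpx file.  The two
 * structs are stand-ins with made-up layouts, not the real <utmp.h> and
 * <utmpx.h> definitions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a classic utmp record: 36 bytes. */
struct old_utmp {
    char    ut_line[8];
    char    ut_name[8];
    char    ut_host[16];
    int32_t ut_time;
};

/* Stand-in for a utmpx record: 336 bytes, ut_type at offset 72. */
struct new_utmpx {
    char    ut_user[32];
    char    ut_id[4];
    char    ut_line[32];
    int32_t ut_pid;
    int16_t ut_type;
    int16_t ut_pad;
    int32_t ut_tv_sec;
    char    ut_host[256];
};

#define UT_MAXTYPE   9  /* highest valid ut_type; who(1) above says "maximum is 9" */
#define USER_PROCESS 7

/* Constructed sample login records (the same session in both layouts). */
static void sample_old(struct old_utmp *u)
{
    memset(u, 0, sizeof *u);
    strncpy(u->ut_line, "pts/0", sizeof u->ut_line);
    strncpy(u->ut_name, "alice", sizeof u->ut_name);
    strncpy(u->ut_host, "client.example", sizeof u->ut_host);
    u->ut_time = 959766514;
}

static void sample_x(struct new_utmpx *x)
{
    memset(x, 0, sizeof *x);
    strncpy(x->ut_user, "alice", sizeof x->ut_user);
    memcpy(x->ut_id, "ts/0", sizeof x->ut_id);
    strncpy(x->ut_line, "pts/0", sizeof x->ut_line);
    x->ut_pid = 712;
    x->ut_type = USER_PROCESS;
    x->ut_tv_sec = 959766514;
    strncpy(x->ut_host, "client.example", sizeof x->ut_host);
}

/* The bug: n utmp-layout records written to a utmpx file.  0 on success. */
int write_mismatched(const char *path, int n)
{
    struct old_utmp u;
    FILE *f = fopen(path, "wb");
    if (f == NULL)
        return -1;
    sample_old(&u);
    for (int i = 0; i < n; i++)
        if (fwrite(&u, sizeof u, 1, f) != 1) { fclose(f); return -1; }
    return fclose(f) == 0 ? 0 : -1;
}

/* The fix: records in the layout the file actually uses. */
int write_proper(const char *path, int n)
{
    struct new_utmpx x;
    FILE *f = fopen(path, "wb");
    if (f == NULL)
        return -1;
    sample_x(&x);
    for (int i = 0; i < n; i++)
        if (fwrite(&x, sizeof x, 1, f) != 1) { fclose(f); return -1; }
    return fclose(f) == 0 ? 0 : -1;
}

/* Read the file as utmpx records, as who(1) does.  Returns -1 when the size
 * is not a whole number of records (nothing in the file can be trusted),
 * otherwise the number of records whose ut_type is out of range. */
int check_utmpx_file(const char *path)
{
    struct new_utmpx x;
    size_t got;
    int bad = 0;
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    while ((got = fread(&x, 1, sizeof x, f)) == sizeof x)
        if (x.ut_type < 0 || x.ut_type > UT_MAXTYPE)
            bad++;
    fclose(f);
    return got == 0 ? bad : -1;
}

int main(void)
{
    /* 28 utmp records are exactly 3 utmpx records long, so the reader sees
     * three entries whose ut_type bytes come from a text field. */
    write_mismatched("/tmp/utmpx_demo_bad.bin", 28);
    write_proper("/tmp/utmpx_demo_ok.bin", 3);
    printf("utmp records in utmpx file: %d corrupt entries\n",
           check_utmpx_file("/tmp/utmpx_demo_bad.bin"));
    printf("utmpx records in utmpx file: %d corrupt entries\n",
           check_utmpx_file("/tmp/utmpx_demo_ok.bin"));
    return 0;
}
```

The validation in check_utmpx_file is the part worth keeping in mind: a login accounting file is a fixed-record database that every later reader trusts blindly, so the writer must use the record type the file was opened for, and any tool that consumes it should reject a file whose length is not a multiple of the record size or whose type fields are out of range rather than crash, as who(1) did in Yozo's report further down.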
From: iwa at mmp.fujitsu.co.jp (IWAMURO Motonori)
Date: 30 May 2000 19:34:52 +0900
Subject: [BUG?] openssh-2.1.0p3
Message-ID: <20000530103452.1269.qmail@moonstone.inet.mmp.fujitsu.co.jp>

Is this a bug?

% runsocks ssh HOST.DOMAIN.COM
Segmentation fault (core dumped)

My environment:

Solaris2.6 for Sparc
gcc-2.95.2
perl.5.005_03
openssl-0.9.5a
zlib-1.1.3
egd-0.7
socks5-v1.0r10 (`runsocks' is a tool in it.)

--- entropy.c.ORIG Tue May 30 18:34:31 2000
+++ entropy.c Tue May 30 18:49:45 2000
@@ -82,8 +82,6 @@ c = atomicio(read, egd_socket, buf, len); if (c <= 0) fatal("Couldn't read from EGD socket \"%s\": %s", EGD_SOCKET, strerror(errno)); - - close(EGD_SOCKET); } #else /* !EGD_SOCKET */ #ifdef RANDOM_POOL

(When close(EGD_SOCKET) -> close(egd_socket), ssh doesn't work.)

-- 
IWAMURO, Motonori [E-Mail: vmi at kw.netlaputa.ne.jp / iwa at mmp.fujitsu.co.jp]

From cymax at takt.com Tue May 30 21:03:11 2000
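Review bot: the removed `close(EGD_SOCKET);` passed the socket path macro (the same EGD_SOCKET that is the "%s" argument of the fatal() call just above it) to close(), i.e. a char pointer converted to an int descriptor, which explains the crash once a library that wraps close(), as runsocks does, sees it. Dropping the call is right, but the hunk then closes nothing at all: confirm that the descriptor in `egd_socket` is closed where the EGD connection is torn down, since the remark that `close(egd_socket)` here breaks ssh indicates the socket is reused across calls rather than opened per read.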
From: cymax at takt.com (Max Pashkov)
Date: Tue, 30 May 2000 15:03:11 +0400
Subject: openssh-2.1.0p2 and Solaris 8
Message-ID: <39339FEF.CE865FAA@takt.com>

Thanks, that works. './configure --with-utmpx' doesn't resolve this
problem, but patching bsd-login.c does. I hope such Solaris 8 login
functionality will be incorporated into the next patchlevel of portable
openssh.

> > I have some troubles with subj and proper utmpx/wtmpx functionality.
> > After successful ssh connect to Solaris 8 box, I run
>
> The problem arises because if you check line 154 of bsd-login.c, OpenSSH
> writes out a *utmp* record into utmpx. (Along with a variety of other nasty
> things, like opening the same file twice and not closing any of them, etc...)
>
> I think somebody already mentioned this problem on the list, and submitted a
> patch.
>
> I avoided the problem by gutting login() to look like:
>
> void
> login(utp,utx)
> struct utmp *utp;
> struct utmpx *utx;
> {
>     struct utmpx *old_utx;
>
>     if((old_utx = pututxline(utx)) == NULL) {
>         log("Could not update utmpx!");
>     }
>
>     updwtmpx(_PATH_WTMPX, utx);
>     endutxent();
> }
>
> Obviously it destroys portability to other platforms, but it was just a quick
> "make it go" fix.
>
> --
> Brandon Hume - hume -> BOFH.Halifax.NS.Ca, http://WWW.BOFH.Halifax.NS.Ca/
> -> Solaris Snob and general NOCMonkey
>
>

From chip at princetonecom.com Wed May 31 00:25:15 2000
From: chip at princetonecom.com (Chip Christian)
Date: Tue, 30 May 2000 10:25:15 -0400
Subject: grace logins on solaris
In-Reply-To: Message from Damien Miller of "Sat, 27 May 2000 10:09:04 +1000."
Message-ID: <20000530142515.8E2A0B47B@fleck.princetonecom.com>

That's a step in the right direction, sure. I'll test, but I assume when
grace logins are exhausted, pam_acct_mgmt returns something else.

Can this string (found from a -d invocation) also be displayed in this case?

debug: Adding PAM message: \
Your password has expired and you have 4 grace login(s).

At some point I might find the free time to craft up the code for the
other case...

> On Fri, 26 May 2000, Chip Christian wrote:
>
> > May 26 12:39:38 piglet.princetonecom.com sshd[8029]: PAM_NDS : Password
> > expired.
> > PAM rejected by account configuration: Get new authentication token
> > Faking authloop for illegal user chip from 192.168.12.2 port 901
> >
> > pam_acct_mgmt is returning PAM_NEW_AUTHTOK_REQD. Is there BSD
> > licensed code out there already to deal with asking users to change
> > an expired password?
>
> In the absence of this, would allowing access (and displaying a
> suitable warning) when PAM returns PAM_NEW_AUTHTOK_REQD be acceptable?
>
> At least the users could change their passwords themselves.
>
> -d
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
>
>
>
>

From marc.fournier at acadiau.ca Wed May 31 02:40:55 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Tue, 30 May 2000 13:40:55 -0300 (ADT)
Subject: Unable to use rdist in parallel mode with 2.1.0p2 ...
Message-ID:

Morning all ...

using the following command to sync up the binaries on several
machines:

rdist -P /usr/slocal/bin/ssh -Rf /root/sync-systems

generates the following error message(s):

jasper: updating host jasper
hermes: updating host hermes
attila: updating host attila
hercules: updating host hercules
".rcules: LOCAL ERROR: Unexpected input from server: "Couldn't initialise builtin random number generator -- exiting.
hercules: updating of hercules finished
".rmes: LOCAL ERROR: Unexpected input from server: "Couldn't initialise builtin random number generator -- exiting.
hermes: updating of hermes finished
webster: updating host webster
iceberg: updating host iceberg
".sper: LOCAL ERROR: Unexpected input from server: "Couldn't initialise builtin random number generator -- exiting.
jasper: updating of jasper finished
".eberg: LOCAL ERROR: Unexpected input from server: "Couldn't initialise builtin random number generator -- exiting.
hawk: updating host hawk
iceberg: updating of iceberg finished
".bster: LOCAL ERROR: Unexpected input from server: "Couldn't initialise builtin random number generator -- exiting.
webster: updating of webster finished
dalmation: updating host dalmation
owl: updating host owl
".wk: LOCAL ERROR: Unexpected input from server: "Couldn't initialise builtin random number generator -- exiting.
hawk: updating of hawk finished
".lmation: LOCAL ERROR: Unexpected input from server: "Couldn't initialise builtin random number generator -- exiting.
dalmation: updating of dalmation finished

If I change the -Rf to -RFf, to force it to do one at a time, it
will work ... even narrowing it down to only 2 hosts at once generates the
same errors ...

This is on a Solaris 7/sparc machine ... contention for the
entropy pool? *raised eyebrow*

Thanks ..

Marc G. Fournier                    marc.fournier at acadiau.ca
Senior Systems Administrator        Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From djm at mindrot.org Wed May 31 09:56:06 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 31 May 2000 09:56:06 +1000 (EST)
Subject: grace logins on solaris
In-Reply-To: <20000530142515.8E2A0B47B@fleck.princetonecom.com>
Message-ID:

On Tue, 30 May 2000, Chip Christian wrote:

> That's a step in the right direction, sure. I'll test, but I assume when
> grace logins are exhausted, pam_acct_mgmt returns something else.
>
> Can this string (found from a -d invocation) also be displayed in this case?
>
> debug: Adding PAM message: \
> Your password has expired and you have 4 grace login(s).
>
> At some point I might find the free time to craft up the code for the
> other case...

Hmmm, that message should have been displayed. Can you try this patch:

Index: auth-pam.c
===================================================================
RCS file: /var/cvs/openssh/auth-pam.c,v
retrieving revision 1.4
diff -u -r1.4 auth-pam.c
--- auth-pam.c 2000/04/29 14:47:29 1.4
+++ auth-pam.c 2000/05/30 23:52:46
@@ -15,10 +15,14 @@ RCSID("$Id: auth-pam.c,v 1.4 2000/04/29 14:47:29 damien Exp $"); +#define NEW_AUTHTOK_MSG \ + "Warning: You password has expired, please change it now" + /* Callbacks */ static int pamconv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr); void pam_cleanup_proc(void *context); +void pam_msg_cat(const char *msg); /* module-local variables */ static struct pam_conv conv = {
@@ -27,7 +31,7 @@ }; static struct pam_handle_t *pamh = NULL; static const char *pampasswd = NULL; -static char *pamconv_msg = NULL; +static char *pam_msg = NULL; /* PAM conversation function. This is really a kludge to get the password */ /* into PAM and to pick up any messages generated by PAM into pamconv_msg */
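Review bot: `NEW_AUTHTOK_MSG` reads "You password has expired"; it should say "Your password has expired", since this string is shown to every user whose password PAM reports as expired. In the second hunk the buffer is renamed to `pam_msg`, but the context line that follows still documents it as "pick up any messages generated by PAM into pamconv_msg"; update the comment with the rename.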
@@ -36,8 +40,6 @@ { struct pam_response *reply; int count; - size_t msg_len; - char *p; /* PAM will free this later */ reply = malloc(num_msg * sizeof(*reply)); @@ -54,31 +56,14 @@ reply[count].resp_retcode = PAM_SUCCESS; reply[count].resp = xstrdup(pampasswd); break; - case PAM_TEXT_INFO: reply[count].resp_retcode = PAM_SUCCESS; reply[count].resp = xstrdup(""); - if (msg[count]->msg == NULL) - break; + if (msg[count]->msg != NULL) + pam_msg_cat(msg[count]->msg); - debug("Adding PAM message: %s", msg[count]->msg); - - msg_len = strlen(msg[count]->msg); - if (pamconv_msg) { - size_t n = strlen(pamconv_msg); - pamconv_msg = xrealloc(pamconv_msg, n + msg_len + 2); - p = pamconv_msg + n; - } else { - pamconv_msg = p = xmalloc(msg_len + 2); - } - memcpy(p, msg[count]->msg, msg_len); - p[msg_len] = '\n'; - p[msg_len + 1] = '\0'; break; - - case PAM_PROMPT_ECHO_ON: - case PAM_ERROR_MSG: default: free(reply); return PAM_CONV_ERR; @@ -100,19 +85,19 @@ pam_retval = pam_close_session((pam_handle_t *)pamh, 0); if (pam_retval != PAM_SUCCESS) { log("Cannot close PAM session: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); } pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED); if (pam_retval != PAM_SUCCESS) { log("Cannot delete credentials: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); } pam_retval = pam_end((pam_handle_t *)pamh, pam_retval); if (pam_retval != PAM_SUCCESS) { log("Cannot release PAM authentication: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); } } } 
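Review bot: in the pamconv hunk, PAM_ERROR_MSG now falls through to `default:` and returns PAM_CONV_ERR, exactly as the deleted explicit case did, so a module that reports the expiry as an error message rather than PAM_TEXT_INFO still aborts the conversation and its text is lost; handling PAM_ERROR_MSG like PAM_TEXT_INFO (append it with pam_msg_cat and answer with an empty response) would let that message reach the user, which is what this thread is trying to achieve. The error path also does `free(reply)` without freeing the `resp` strings already xstrdup()'d for earlier messages, one of which is the copy of the password made for PAM_PROMPT_ECHO_OFF, so it leaks them and leaves a password copy in heap memory.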
@@ -135,7 +120,8 @@ pam_retval = pam_authenticate((pam_handle_t *)pamh, 0); if (pam_retval == PAM_SUCCESS) { - debug("PAM Password authentication accepted for user \"%.100s\"", pw->pw_name); + debug("PAM Password authentication accepted for user \"%.100s\"", + pw->pw_name); return 1; } else { debug("PAM Password authentication for \"%.100s\" failed: %s", @@ -148,26 +134,36 @@ int do_pam_account(char *username, char *remote_user) { int pam_retval; - + debug("PAM setting rhost to \"%.200s\"", get_canonical_hostname()); pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RHOST, get_canonical_hostname()); if (pam_retval != PAM_SUCCESS) { - fatal("PAM set rhost failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + fatal("PAM set rhost failed: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); } if (remote_user != NULL) { debug("PAM setting ruser to \"%.200s\"", remote_user); pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user); if (pam_retval != PAM_SUCCESS) { - fatal("PAM set ruser failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + fatal("PAM set ruser failed: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); } } pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0); - if (pam_retval != PAM_SUCCESS) { - log("PAM rejected by account configuration: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); - return(0); + switch (pam_retval) { + case PAM_SUCCESS: + /* This is what we want */ + break; + case PAM_NEW_AUTHTOK_REQD: + pam_msg_cat(NEW_AUTHTOK_MSG); + break; + default: + log("PAM rejected by account configuration: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + return(0); } return(1); 
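Review bot: the new `case PAM_NEW_AUTHTOK_REQD:` appends NEW_AUTHTOK_MSG and then falls out of the switch to `return(1)`, so the login is accepted with nothing recorded on the server side, whereas the `default:` branch records its rejection with log(). Add a log() call in this case (the user name is available in `username`) so logins on an expired password remain visible in the audit trail, and consider putting the accept behind a configuration option, since as written it turns an account-management rejection into a warning for every PAM stack.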
@@ -181,13 +177,17 @@ if (ttyname != NULL) { debug("PAM setting tty to \"%.200s\"", ttyname); pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_TTY, ttyname); - if (pam_retval != PAM_SUCCESS) - fatal("PAM set tty failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + if (pam_retval != PAM_SUCCESS) { + fatal("PAM set tty failed: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } } pam_retval = pam_open_session((pam_handle_t *)pamh, 0); - if (pam_retval != PAM_SUCCESS) - fatal("PAM session setup failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + if (pam_retval != PAM_SUCCESS) { + fatal("PAM session setup failed: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } } /* Set PAM credentials */ @@ -197,8 +197,10 @@ debug("PAM establishing creds"); pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_ESTABLISH_CRED); - if (pam_retval != PAM_SUCCESS) - fatal("PAM setcred failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + if (pam_retval != PAM_SUCCESS) { + fatal("PAM setcred failed: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } } /* Cleanly shutdown PAM */ @@ -217,9 +219,12 @@ pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv, (pam_handle_t**)&pamh); - if (pam_retval != PAM_SUCCESS) - fatal("PAM initialisation failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + if (pam_retval != PAM_SUCCESS) { + fatal("PAM initialisation failed: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } + fatal_add_cleanup(&pam_cleanup_proc, NULL); } 
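Review bot: the three hunks from @@ -181 onward only wrap one-line `if` bodies in braces and re-split long `fatal()` calls; keeping such whitespace-only changes separate from the PAM_NEW_AUTHTOK_REQD change would make the functional part of this patch much easier to review and to back out if the new behaviour proves unwanted.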
@@ -237,8 +242,30 @@ /* or account checking to stderr */ void print_pam_messages(void) { - if (pamconv_msg != NULL) - fprintf(stderr, pamconv_msg); + if (pam_msg != NULL) + fprintf(stderr, pam_msg); +} + +/* Append a message to the PAM message buffer */ +void pam_msg_cat(const char *msg) +{ + char *p; + size_t new_msg_len; + size_t pam_msg_len; + + new_msg_len = strlen(msg); + + if (pam_msg) { + pam_msg_len = strlen(pam_msg); + pam_msg = xrealloc(pam_msg, new_msg_len + pam_msg_len + 2); + p = pam_msg + pam_msg_len; + } else { + pam_msg = p = xmalloc(new_msg_len + 2); + } + + memcpy(p, msg, new_msg_len); + p[new_msg_len] = '\n'; + p[new_msg_len + 1] = '\0'; } #endif /* USE_PAM */

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Wed May 31 11:25:28 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 31 May 2000 11:25:28 +1000 (EST)
Subject: [BUG?] openssh-2.1.0p3
In-Reply-To: <20000530103452.1269.qmail@moonstone.inet.mmp.fujitsu.co.jp>
Message-ID:

On 30 May 2000, IWAMURO Motonori wrote:

> Is this a bug?

Yes it was. Your fix is correct and has been applied.

Thanks,
Damien Miller

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Wed May 31 11:28:39 2000
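Review bot: in the last hunk of the auth-pam.c patch above (print_pam_messages), `fprintf(stderr, pam_msg)` passes text that originated in PAM modules as the format string, the same defect the replaced `fprintf(stderr, pamconv_msg)` had; use `fputs(pam_msg, stderr)` or `fprintf(stderr, "%s", pam_msg)` so a `%` in a module message is printed rather than interpreted as a conversion. pam_msg_cat() itself sizes the buffer correctly (two extra bytes for the newline and terminator), but nothing ever frees `pam_msg`, which is acceptable only because print_pam_messages() runs once in a child that then exits.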
From: djm at mindrot.org (Damien Miller)
Date: Wed, 31 May 2000 11:28:39 +1000 (EST)
Subject: Unable to use rdist in parallel mode with 2.1.0p2 ...
In-Reply-To:
Message-ID:

On Tue, 30 May 2000, Marc G. Fournier wrote:

>
> Morning all ...
>
> using the following command to sync up the binaries on several
> machines:
>
> rdist -P /usr/slocal/bin/ssh -Rf /root/sync-systems
>
> generates the following error message(s):
>
(snip)
> If I change the -Rf to -RFf, to force it to do one at a time, it
> will work ... even narrowing it down to only 2 hosts at once generates the
> same errors ...
>
> This is on a Solaris 7/sparc machine ... contention for the
> entropy pool? *raised eyebrow*

Are you using EGD or the builtin entropy collection code?

In any case what is really needed here is the full output from
a failing client. Would it be possible to run the client with a wrapper
to collect its log output to a file?

-d

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Wed May 31 14:06:59 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 31 May 2000 14:06:59 +1000 (EST)
Subject: Solaris utmp problems
Message-ID:

Could all those who were having problems with utmp logging on Solaris
please try the test release at:

http://violet.ibs.com.au/openssh/files/test/openssh-TEST-2000053100.tar.gz

Users on other platforms, particularly HP/UX, AIX and SCO are invited
as well, to test compatibility. The login code is heaps cleaner now.

-d

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From itojun at iijlab.net Wed May 31 19:48:34 2000
From: itojun at iijlab.net (itojun at iijlab.net)
Date: Wed, 31 May 2000 18:48:34 +0900
Subject: configure.in fix (netbsd-current) for 2.1.0p3
Message-ID: <5301.959766514@coconut.itojun.org>

thanks for the great package.

configure.in shipped with 2.1.0p3 includes too few header files for
detecting struct sockaddr_in6 and in6_addr, and the build will fail on
netbsd-current (1.4Z). here's a tiny patch to make the build successful.

itojun

diff -u1 openssh-2.1.0p3/configure.in openssh-2.1.0p3+/configure.in
--- openssh-2.1.0p3/configure.in Tue May 30 11:57:47 2000
+++ openssh-2.1.0p3+/configure.in Wed May 31 18:31:52 2000
@@ -447,3 +447,5 @@ [ +#include #include +#include ],
@@ -461,2 +463,3 @@ [ +#include #include

From yozo at ipc.chiba-u.ac.jp Wed May 31 22:15:51 2000
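Review bot: the `+#include` lines in both hunks arrive without header names (the angle-bracketed part was evidently stripped as markup somewhere between the sender and this archive, and the existing `#include` context lines show the same loss), so the patch cannot be applied from this message as it stands; resend it as an attachment or with the header names written out. Also, `diff -u1` leaves each hunk with a single line of context, here a lone `[`, which will match at many places in configure.in; regenerating with plain `diff -u` (three lines of context) makes the hunks apply unambiguously.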
From: yozo at ipc.chiba-u.ac.jp (Yozo TODA)
Date: Wed, 31 May 2000 21:15:51 +0900
Subject: Solaris utmp problems
In-Reply-To: Your message of "Wed, 31 May 2000 14:06:59 JST."
Message-ID: <200005311215.VAA00623@aohakobe.ipc.chiba-u.ac.jp>

> http://violet.ibs.com.au/openssh/files/test/openssh-TEST-2000053100.tar.gz

I tried on Solaris8/sparc (with IPv6 enabled).
login.c should be fixed to compile at all.

% diff login.c.orig login.c
256c256
< login(&utx);
---
> login(&u,&utx);

then compilation and installation went smoothly, though I saw many
warning messages like

gcc -g -O2 -Wall -I/usr/local/include -I/opt/openssl/include -DETCDIR=\"/opt/openssh/etc\" -DSSH_PROGRAM=\"/opt/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/opt/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c -o pty.o pty.c
pty.c: In function `pty_setowner':
pty.c:298: warning: int format, uid_t arg (arg 3)
pty.c:298: warning: int format, gid_t arg (arg 4)
pty.c:301: warning: unsigned int format, mode_t arg (arg 3)

actually I did the following three steps;

% configure --prefix=/opt/openssh --with-utmpx --with-catman=cat
% make
% make install

but I have two (and one more) problems.

(1)
looks like sshd doesn't update utmpx (and other files?) appropriately.
I login to the system, but the last command indicates nothing.

% last -n 10
reboot    system boot    Wed May 31 17:52
yozo      console        Wed May 31 17:44 - down (00:08)
reboot    system boot    Wed May 31 17:43
yozo      console        Wed May 31 17:39 - down (00:03)

moreover, w and who commands don't work.

% w
8:36pm up 11157 day(s), 19:50, 0 users, load average: 0.02, 0.03, 0.04
User tty login@ idle JCPU PCPU what
% who
Segmentation Fault (core dumped)
%

(2)
sshd opens two IPv4 sockets for tcp port 22.
in the following, one process (pid 712) of sshd is serving my login
session, another process (pid 326) is opening two sockets for ipv4,
one socket for ipv6.

% ps -ef | grep ssh
root   326    1  0 17:52:43 ?      0:01 /opt/openssh/sbin/sshd
root   712  326  0 19:57:20 ?      0:01 /opt/openssh/sbin/sshd
yozo  1174  748  0 20:41:54 pts/1  0:00 grep ssh
% netstat -an | grep 22
*.22 *.* 0 0 24576 0 LISTEN
*.22 *.* 0 0 24576 0 LISTEN
*.22 *.* 0 0 24576 0 LISTEN
fe80::a00:20ff:fecf:d309.22 fe80::a00:20ff:fecf:d339.32771 25920 19 25920 0 ESTABLISHED
%

I don't know how openssh treats IPv4 and IPv6 sockets, but I think
the problem is in the IPv4 part.

(3)
when connecting to openssh hosts from ssh-2.0.12 hosts, publickey
authentication doesn't work. openssh sshd writes the following message
to syslog;

May 31 18:21:52 host sshd[525]: [ID 800047 auth.info] bug compatibility with ssh-2.0.13 pubkey not implemented

I suppose this part is not yet implemented...

-- yozo.

From marc.fournier at acadiau.ca Wed May 31 22:20:48 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Wed, 31 May 2000 09:20:48 -0300 (ADT)
Subject: Unable to use rdist in parallel mode with 2.1.0p2 ...
In-Reply-To:
Message-ID:

On Wed, 31 May 2000, Damien Miller wrote:

> On Tue, 30 May 2000, Marc G. Fournier wrote:
>
> >
> > Morning all ...
> >
> > using the following command to sync up the binaries on several
> > machines:
> >
> > rdist -P /usr/slocal/bin/ssh -Rf /root/sync-systems
> >
> > generates the following error message(s):
> >
> (snip)
>
> > If I change the -Rf to -RFf, to force it to do one at a time, it
> > will work ... even narrowing it down to only 2 hosts at once generates the
> > same errors ...
> >
> > This is on a Solaris 7/sparc machine ... contention for the
> > entropy pool? *raised eyebrow*
>
> Are you using EGD or the builtin entropy collection code?

builtin entropy code ...

> In any case what is really needed here is the full output from
> a failing client. Would it be possible to run the client with a wrapper
> to collect its log output to a file?

okay, when you say 'client', do you mean the side that I'm sending from
(ie. ssh -> sshd) or the side I'm connecting to? if the first, I tried
to create a simple wrapper of:

#!/bin/tcsh
/usr/slocal/bin/ssh -v ${*} >& /tmp/out.$$

that appears to generate a bunch of code, but I can't see any of them
fail this way :(

on the 'sshd' side of things, when I try to do a connect, I see (without
running with the above wrapper on the 'ssh' side of things):

RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 131.162.200.78 port 34960
Did not receive ident string from 131.162.200.78.
debug: Calling cleanup 0x4a888(0x0)
debug: Calling cleanup 0x50418(0x0)
debug: writing PRNG seed to file //.ssh/prng_seed

the above wrapper, when I run with it, doesn't appear to try to do a
connection to the remote end, so either I'm writing that wrong, or
rdist is expecting something that I'm not anticipating :(

Marc G. Fournier                    marc.fournier at acadiau.ca
Senior Systems Administrator        Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed May 31 22:39:06 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Wed, 31 May 2000 14:39:06 +0200
Subject: Solaris utmp problems
In-Reply-To: <200005311215.VAA00623@aohakobe.ipc.chiba-u.ac.jp>; from yozo@ipc.chiba-u.ac.jp on Wed, May 31, 2000 at 09:15:51PM +0900
References: <200005311215.VAA00623@aohakobe.ipc.chiba-u.ac.jp>
Message-ID: <20000531143906.A24974@ws01.aet.tu-cottbus.de>

On Wed, May 31, 2000 at 09:15:51PM +0900, Yozo TODA wrote:
> > http://violet.ibs.com.au/openssh/files/test/openssh-TEST-2000053100.tar.gz
>
> I tried on Solaris8/sparc (with IPv6 enabled).
> login.c should be fixed to compile at all.
>
> % diff login.c.orig login.c
> 256c256
> < login(&utx);
> ---
> > login(&u,&utx);

Same holds for HP-UX 10.20.

> (1)
> looks like sshd doesn't update utmpx (and other files?) appropriately.
> I login to the system, but the last command indicates nothing.
...

Same for HP-UX 10.20.

> moreover, w and who commands don't work.
>
> % w
> 8:36pm up 11157 day(s), 19:50, 0 users, load average: 0.02, 0.03, 0.04
> User tty login@ idle JCPU PCPU what
> % who
> Segmentation Fault (core dumped)
> %

I don't see this on HP-UX 10.20.

Best regards,
Lutz

-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus               Fax. +49 355 69-4153

From djm at mindrot.org Wed May 31 22:48:20 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 31 May 2000 22:48:20 +1000 (EST)
Subject: Solaris utmp problems
In-Reply-To: <200005311215.VAA00623@aohakobe.ipc.chiba-u.ac.jp>
Message-ID:

On Wed, 31 May 2000, Yozo TODA wrote:

> looks like sshd doesn't update utmpx (and other files?) appropriately.
> I login to the system, but last command indicates nothing.

Can you send me the output of a ./configure run?

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From greg at nest.cx Wed May 10 01:55:25 2000
From: greg at nest.cx (Gregory Steuck)
Date: Tue, 9 May 2000 08:55:25 -0700
Subject: 2.9: remote port forwarding doesn't work
Message-ID: <20000509085525.A13716@cv.nexprise.com>

Hello,

I'm running OpenBSD 2.9 (-rOPENBSD_2_9) on i386. Remote port forwarding
doesn't work. Attached are 2 logs of

ssh -v -R2828:localhost:22 localhost

and

sshd -p 2222 -d

Note that server tries to forward to

Connection to port 2828 forwarding to 0.0.0.0 port 0 requested.

instead of localhost port 22 as it should.

what ssh, what sshd and /etc/sshd_config are also attached.

Thanks
Greg

-------------- next part --------------
2000-05-09 08:33:01.905766500 debug1: sshd version OpenSSH_2.9
2000-05-09 08:33:01.905771500 debug1: private host key: #0 type 0 RSA1
2000-05-09 08:33:01.905773500 debug1: read PEM private key done: type RSA
2000-05-09 08:33:01.905775500 debug1: private host key: #1 type 1 RSA
2000-05-09 08:33:01.905778500 debug1: read PEM private key done: type DSA
2000-05-09 08:33:01.905780500 debug1: private host key: #2 type 2 DSA
2000-05-09 08:33:01.905782500 debug1: Bind to port 2222 on ::.
2000-05-09 08:33:01.905784500 Server listening on :: port 2222.
2000-05-09 08:33:01.905787500 debug1: Bind to port 2222 on 0.0.0.0.
2000-05-09 08:33:01.905789500 Server listening on 0.0.0.0 port 2222.
2000-05-09 08:33:01.905791500 Generating 768 bit RSA key.
2000-05-09 08:33:01.985047500 RSA key generation complete.
2000-05-09 08:33:12.477331500 debug1: Server will not fork when running in debugging mode.
2000-05-09 08:33:12.483409500 Connection from 127.0.0.1 port 19869
2000-05-09 08:33:12.488342500 debug1: Client protocol version 2.0; client software version OpenSSH_2.9
2000-05-09 08:33:12.489226500 debug1: match: OpenSSH_2.9 pat ^OpenSSH
2000-05-09 08:33:12.489229500 Enabling compatibility mode for protocol 2.0
2000-05-09 08:33:12.489232500 debug1: Local version string SSH-1.99-OpenSSH_2.9
2000-05-09 08:33:12.489234500 debug1: Rhosts Authentication disabled, originating port not trusted.
2000-05-09 08:33:12.489237500 debug1: list_hostkey_types: ssh-rsa,ssh-dss
2000-05-09 08:33:12.489240500 debug1: SSH2_MSG_KEXINIT sent
2000-05-09 08:33:12.489862500 debug1: SSH2_MSG_KEXINIT received
2000-05-09 08:33:12.490573500 debug1: kex: client->server blowfish-cbc hmac-md5 none
2000-05-09 08:33:12.491014500 debug1: kex: server->client blowfish-cbc hmac-md5 none
2000-05-09 08:33:12.491822500 debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
2000-05-09 08:33:12.538971500 debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
2000-05-09 08:33:12.581931500 debug1: dh_gen_key: priv key bits set: 128/256
2000-05-09 08:33:12.582196500 debug1: bits set: 1030/2049
2000-05-09 08:33:12.582198500 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
2000-05-09 08:33:12.583148500 debug1: bits set: 1011/2049
2000-05-09 08:33:12.660428500 debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
2000-05-09 08:33:12.660809500 debug1: kex_derive_keys
2000-05-09 08:33:12.660944500 debug1: newkeys: mode 1
2000-05-09 08:33:12.661393500 debug1: SSH2_MSG_NEWKEYS sent
2000-05-09 08:33:12.661492500 debug1: waiting for SSH2_MSG_NEWKEYS
2000-05-09 08:33:12.722291500 debug1: newkeys: mode 0
2000-05-09 08:33:12.722974500 debug1: SSH2_MSG_NEWKEYS received
2000-05-09 08:33:12.723584500 debug1: KEX done
2000-05-09 08:33:12.724792500 debug1: userauth-request for user greg service ssh-connection method none
2000-05-09 08:33:12.724986500 debug1: attempt 0 failures 0
2000-05-09 08:33:12.725813500 Failed none for greg from 127.0.0.1 port 19869 ssh2
2000-05-09 08:33:19.526449500 debug1: userauth-request for user greg service ssh-connection method password
2000-05-09 08:33:19.550013500 debug1: attempt 1 failures 1
2000-05-09 08:33:19.592179500 Accepted password for greg from 127.0.0.1 port 19869 ssh2
2000-05-09 08:33:19.593486500 debug1: Entering interactive session for SSH2.
2000-05-09 08:33:19.593697500 debug1: server_init_dispatch_20
2000-05-09 08:33:19.594002500 debug1: server_input_global_request: rtype tcpip-forward want_reply 0
2000-05-09 08:33:19.594156500 debug1: server_input_global_request: tcpip-forward listen 0.0.0.0 port 2828
2000-05-09 08:33:19.594377500 debug1: Local forwarding listening on ::1 port 2828.
2000-05-09 08:33:19.594705500 debug1: fd 3 setting O_NONBLOCK
2000-05-09 08:33:19.594839500 debug1: fd 3 IS O_NONBLOCK
2000-05-09 08:33:19.594959500 debug1: channel 0: new [port listener]
2000-05-09 08:33:19.595111500 debug1: Local forwarding listening on 127.0.0.1 port 2828.
2000-05-09 08:33:19.595257500 debug1: fd 4 setting O_NONBLOCK
2000-05-09 08:33:19.595360500 debug1: fd 4 IS O_NONBLOCK
2000-05-09 08:33:19.595459500 debug1: channel 1: new [port listener]
2000-05-09 08:33:19.595656500 debug1: server_input_channel_open: ctype session rchan 0 win 32768 max 16384
2000-05-09 08:33:19.595774500 debug1: input_session_request
2000-05-09 08:33:19.595901500 debug1: channel 2: new [server-session]
2000-05-09 08:33:19.596002500 debug1: session_new: init
2000-05-09 08:33:19.596116500 debug1: session_new: session 0
2000-05-09 08:33:19.596212500 debug1: session_open: channel 2
2000-05-09 08:33:19.596311500 debug1: session_open: session 0: link with channel 2
2000-05-09 08:33:19.596413500 debug1: server_input_channel_open: confirm session
2000-05-09 08:33:19.597531500 debug1: session_by_channel: session 0 channel 2
2000-05-09 08:33:19.597683500 debug1: session_input_channel_req: session 0 channel 2 request pty-req reply 0
2000-05-09 08:33:19.598260500 debug1: session_pty_req: session 0 alloc /dev/ttyp2
2000-05-09 08:33:19.598659500 debug1: session_by_channel: session 0 channel 2
2000-05-09 08:33:19.598773500 debug1: session_input_channel_req: session 0 channel 2 request shell reply 0
2000-05-09 08:33:19.599653500 debug1: channel 2: rfd 9 isatty
2000-05-09 08:33:19.599946500 debug1: fd 9 setting O_NONBLOCK
2000-05-09 08:33:19.600149500 debug1: Setting controlling tty using TIOCSCTTY.
2000-05-09 08:33:19.600250500 debug1: fd 8 IS O_NONBLOCK
2000-05-09 08:33:28.201290500 debug1: Connection to port 2828 forwarding to 0.0.0.0 port 0 requested.
2000-05-09 08:33:28.201766500 debug1: fd 11 setting O_NONBLOCK
2000-05-09 08:33:28.201769500 debug1: fd 11 IS O_NONBLOCK
2000-05-09 08:33:28.201771500 debug1: channel 3: new [forwarded-tcpip]
2000-05-09 08:33:37.299841500 debug1: channel_free: channel 3: status: The following connections are open:
2000-05-09 08:33:37.299844500 #2 server-session (t4 r0 i1/0 o16/0 fd 9/8)
2000-05-09 08:33:37.299847500 #3 forwarded-tcpip (t13 r-1 i1/23 o16/0 fd 11/11)
2000-05-09 08:33:37.299850500
2000-05-09 08:33:41.765736500 debug1: Received SIGCHLD.
2000-05-09 08:33:41.767220500 debug1: session_by_pid: pid 20125
2000-05-09 08:33:41.767224500 debug1: session_exit_message: session 0 channel 2 pid 20125
2000-05-09 08:33:41.767226500 debug1: session_exit_message: release channel 2
2000-05-09 08:33:41.767229500 debug1: channel 2: write failed
2000-05-09 08:33:41.767231500 debug1: channel 2: output open -> closed
2000-05-09 08:33:41.767233500 debug1: channel 2: close_write
2000-05-09 08:33:41.767235500 debug1: session_pty_cleanup: session 0 release /dev/ttyp2
2000-05-09 08:33:41.767238500 debug1: session_free: session 0 pid 20125
2000-05-09 08:33:41.767240500 debug1: channel 2: read<=0 rfd 9 len 0
2000-05-09 08:33:41.767243500 debug1: channel 2: read failed
2000-05-09 08:33:41.767245500 debug1: channel 2: input open -> drain
2000-05-09 08:33:41.767247500 debug1: channel 2: close_read
2000-05-09 08:33:41.767249500 debug1: channel 2: input: no drain shortcut
2000-05-09 08:33:41.767252500 debug1: channel 2: ibuf empty
2000-05-09 08:33:41.767254500 debug1: channel 2: input drain -> closed
2000-05-09 08:33:41.767256500 debug1: channel 2: send eof
2000-05-09 08:33:41.767258500 debug1: channel 2: send close
2000-05-09 08:33:41.768438500 debug1: channel 2: rcvd close
2000-05-09 08:33:41.768875500 debug1: channel 2: is dead
2000-05-09 08:33:41.768878500 debug1: channel_free: channel 2: status: The following connections are open:
2000-05-09 08:33:41.768881500 #2 server-session (t4 r0 i8/0 o128/0 fd -1/-1)
2000-05-09 08:33:41.768884500
2000-05-09 08:33:41.769454500 Connection closed by remote host.
2000-05-09 08:33:41.770699500 debug1: channel_free: channel 0: status: The following connections are open:
2000-05-09 08:33:41.770703500
2000-05-09 08:33:41.771568500 debug1: channel_free: channel 1: status: The following connections are open:
2000-05-09 08:33:41.771572500
2000-05-09 08:33:41.771890500 Closing connection to 127.0.0.1
-------------- next part --------------
2000-05-09 08:33:12.479529500 OpenSSH_2.9, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
2000-05-09 08:33:12.479534500 debug1: Reading configuration data /home/greg/.ssh/config
2000-05-09 08:33:12.479536500 debug1: Applying options for *
2000-05-09 08:33:12.479539500 debug1: Reading configuration data /etc/ssh_config
2000-05-09 08:33:12.479541500 debug1: Rhosts Authentication disabled, originating port will not be trusted.
2000-05-09 08:33:12.479544500 debug1: restore_uid
2000-05-09 08:33:12.479546500 debug1: ssh_connect: getuid 1000 geteuid 0 anon 1
2000-05-09 08:33:12.479548500 debug1: Connecting to localhost [127.0.0.1] port 2222.
2000-05-09 08:33:12.479551500 debug1: temporarily_use_uid: 1000/1000 (e=0)
2000-05-09 08:33:12.479553500 debug1: restore_uid
2000-05-09 08:33:12.479555500 debug1: temporarily_use_uid: 1000/1000 (e=0)
2000-05-09 08:33:12.482575500 debug1: restore_uid
2000-05-09 08:33:12.483828500 debug1: Connection established.
2000-05-09 08:33:12.485089500 debug1: read PEM private key done: type DSA
2000-05-09 08:33:12.485579500 debug1: read PEM private key done: type RSA
2000-05-09 08:33:12.486215500 debug1: identity file /home/greg/.ssh/identity type -1
2000-05-09 08:33:12.486594500 debug1: identity file /home/greg/.ssh/id_rsa type -1
2000-05-09 08:33:12.486952500 debug1: identity file /home/greg/.ssh/id_dsa type -1
2000-05-09 08:33:12.487467500 debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9
2000-05-09 08:33:12.487870500 debug1: match: OpenSSH_2.9 pat ^OpenSSH
2000-05-09 08:33:12.487997500 Enabling compatibility mode for protocol 2.0
2000-05-09 08:33:12.488552500 debug1: Local version string SSH-2.0-OpenSSH_2.9
2000-05-09 08:33:12.489878500 debug1: SSH2_MSG_KEXINIT sent
2000-05-09 08:33:12.490391500 debug1: SSH2_MSG_KEXINIT received
2000-05-09 08:33:12.490962500 debug1: kex: server->client blowfish-cbc hmac-md5 none
2000-05-09 08:33:12.491296500 debug1: kex: client->server blowfish-cbc hmac-md5 none
2000-05-09 08:33:12.491477500 debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
2000-05-09 08:33:12.491603500 debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
2000-05-09 08:33:12.538699500 debug1: dh_gen_key: priv key bits set: 123/256
2000-05-09 08:33:12.582429500 debug1: bits set: 1011/2049
2000-05-09 08:33:12.582549500 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
2000-05-09 08:33:12.582664500 debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
2000-05-09 08:33:12.661795500 debug1: Forcing accepting of host key for loopback/localhost.
2000-05-09 08:33:12.662070500 debug1: bits set: 1030/2049
2000-05-09 08:33:12.721089500 debug1: ssh_rsa_verify: signature correct
2000-05-09 08:33:12.721436500 debug1: kex_derive_keys
2000-05-09 08:33:12.721535500 debug1: newkeys: mode 1
2000-05-09 08:33:12.721966500 debug1: SSH2_MSG_NEWKEYS sent
2000-05-09 08:33:12.722052500 debug1: waiting for SSH2_MSG_NEWKEYS
2000-05-09 08:33:12.722519500 debug1: newkeys: mode 0
2000-05-09 08:33:12.723474500 debug1: SSH2_MSG_NEWKEYS received
2000-05-09 08:33:12.723725500 debug1: done: ssh_kex2.
2000-05-09 08:33:12.723857500 debug1: send SSH2_MSG_SERVICE_REQUEST
2000-05-09 08:33:12.724384500 debug1: service_accept: ssh-userauth
2000-05-09 08:33:12.724508500 debug1: got SSH2_MSG_SERVICE_ACCEPT
2000-05-09 08:33:12.726256500 debug1: authentications that can continue: publickey,password,keyboard-interactive
2000-05-09 08:33:12.726432500 debug1: next auth method to try is publickey
2000-05-09 08:33:12.726522500 debug1: try privkey: /home/greg/.ssh/identity
2000-05-09 08:33:12.726659500 debug1: try privkey: /home/greg/.ssh/id_rsa
2000-05-09 08:33:12.726771500 debug1: try privkey: /home/greg/.ssh/id_dsa
2000-05-09 08:33:12.726891500 debug1: next auth method to try is password
2000-05-09 08:33:19.592496500 debug1: ssh-userauth2 successful: method password
2000-05-09 08:33:19.592991500 debug1: Connections to remote port 2828 forwarded to local address localhost:22
2000-05-09 08:33:19.592995500 debug1: fd 5 setting O_NONBLOCK
2000-05-09 08:33:19.592997500 debug1: fd 6 IS O_NONBLOCK
2000-05-09 08:33:19.592999500 debug1: channel 0: new [client-session]
2000-05-09 08:33:19.593001500 debug1: channel_new: 0
2000-05-09 08:33:19.593003500 debug1: send channel open 0
2000-05-09 08:33:19.593005500 debug1: Entering interactive session.
2000-05-09 08:33:19.596698500 debug1: client_init id 0 arg 0
2000-05-09 08:33:19.597222500 debug1: channel request 0: shell
2000-05-09 08:33:19.597225500 debug1: channel 0: open confirm rwindow 0 rmax 16384
2000-05-09 08:33:19.606665500 Last login: Tue May 9 08:32:13 2000 from localhost
2000-05-09 08:33:19.606669500 OpenBSD 2.9 (GENERIC) #1: Thu May 3 10:50:23 PDT 2001
2000-05-09 08:33:19.606672500
2000-05-09 08:33:19.606673500 Welcome to OpenBSD: The proactively secure Unix-like operating system.
2000-05-09 08:33:19.606676500
2000-05-09 08:33:19.606678500 Please use the sendbug(1) utility to report bugs in the system.
2000-05-09 08:33:19.606681500 Before reporting a bug, please try to reproduce it with the latest
2000-05-09 08:33:19.606684500 version of the code. With bug reports, please try to ensure that
2000-05-09 08:33:19.606687500 enough information to reproduce the problem is enclosed, and if a
2000-05-09 08:33:19.606689500 known fix for it exists, include that as well.
2000-05-09 08:33:19.606692500
2000-05-09 08:33:19.606693500 Environment:
2000-05-09 08:33:19.606695500 USER=greg
2000-05-09 08:33:19.606697500 LOGNAME=greg
2000-05-09 08:33:19.606699500 HOME=/home/greg
2000-05-09 08:33:19.606700500 PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin
2000-05-09 08:33:19.606703500 MAIL=/var/mail/greg
2000-05-09 08:33:19.606705500 SHELL=/bin/ksh
2000-05-09 08:33:19.606707500 SSH_CLIENT=127.0.0.1 19869 2222
2000-05-09 08:33:19.606709500 SSH_TTY=/dev/ttyp2
2000-05-09 08:33:19.606711500 TERM=xterm
2000-05-09 08:33:19.607426500 $ nc localhost 2828
2000-05-09 08:33:32.067196500 ?
2000-05-09 08:33:35.688673500 fjdsklfjsdfjkldsjflk
2000-05-09 08:33:37.301522500 $ debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
2000-05-09 08:33:41.767672500 debug1: channel 0: rcvd eof
2000-05-09 08:33:41.767675500 debug1: channel 0: output open -> drain
2000-05-09 08:33:41.767677500 debug1: channel 0: rcvd close
2000-05-09 08:33:41.767679500 debug1: channel 0: input open -> closed
2000-05-09 08:33:41.767681500 debug1: channel 0: close_read
2000-05-09 08:33:41.767683500 debug1: channel 0: obuf empty
2000-05-09 08:33:41.767686500 debug1: channel 0: output drain -> closed
2000-05-09 08:33:41.767688500 debug1: channel 0: close_write
2000-05-09 08:33:41.767690500 debug1: channel 0: send close
2000-05-09 08:33:41.767692500 debug1: channel 0: is dead
2000-05-09 08:33:41.767694500 debug1: channel_free: channel 0: status: The following connections are open:
2000-05-09 08:33:41.767697500 #0 client-session (t4 r2 i8/0 o128/0 fd -1/-1)
2000-05-09 08:33:41.767700500
2000-05-09 08:33:41.767701500 debug1: channel_free: channel 0: dettaching channel user
2000-05-09 08:33:41.768610500 Connection to localhost closed.
2000-05-09 08:33:41.769469500 debug1: Transferred: stdin 0, stdout 0, stderr 33 bytes in 22.2 seconds
2000-05-09 08:33:41.769472500 debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 1.5
2000-05-09 08:33:41.769475500 debug1: Exit status 0
-------------- next part --------------
/usr/sbin/sshd
$OpenBSD: sshd.c,v 1.195 2001/04/15 16:58:03 markus Exp $
$OpenBSD: auth-rhosts.c,v 1.23 2001/04/12 19:15:24 markus Exp $
$OpenBSD: auth-passwd.c,v 1.22 2001/03/20 18:57:04 markus Exp $
$OpenBSD: auth-rsa.c,v 1.40 2001/04/06 21:00:07 markus Exp $
$OpenBSD: auth-rh-rsa.c,v 1.23 2001/04/06 21:00:04 markus Exp $
$OpenBSD: sshpty.c,v 1.1 2001/03/04 01:46:30 djm Exp $
$OpenBSD: sshlogin.c,v 1.2 2001/03/24 16:43:27 stevesk Exp $
$OpenBSD: servconf.c,v 1.78 2001/04/15 21:28:35 stevesk Exp $
$OpenBSD: serverloop.c,v 1.61 2001/04/13 22:46:54 beck Exp $
$OpenBSD: auth.c,v 1.21 2001/03/19 17:07:23 markus Exp $
$OpenBSD: auth1.c,v 1.22 2001/03/23 12:02:49 markus Exp $
$OpenBSD: auth2.c,v 1.56 2001/04/19 00:05:11 markus Exp $
$OpenBSD: auth-options.c,v 1.16 2001/03/18 12:07:52 markus Exp $
$OpenBSD: session.c,v 1.74 2001/04/17 19:34:25 markus Exp $
$OpenBSD: auth-chall.c,v 1.7 2001/04/05 10:42:47 markus Exp $
$OpenBSD: auth2-chall.c,v 1.4 2001/03/28 22:43:31 markus Exp $
$OpenBSD: auth-krb4.c,v 1.23 2001/01/22 08:15:00 markus Exp $
$OpenBSD: mpaux.c,v 1.16 2001/02/08 19:30:52 itojun Exp $
$OpenBSD: radix.c,v 1.15 2001/01/16 23:58:09 deraadt Exp $
$OpenBSD: ttymodes.c,v 1.13 2001/04/15 01:35:22 stevesk Exp $
$OpenBSD: authfile.c,v 1.32 2001/04/18 23:44:51 markus Exp $
$OpenBSD: hostfile.c,v 1.26 2001/04/12 19:15:24 markus Exp $
$OpenBSD: tildexpand.c,v 1.11 2001/02/08 19:30:53 itojun Exp $
$OpenBSD: rsa.c,v 1.22 2001/03/26 23:23:23 markus Exp $
$OpenBSD: uuencode.c,v 1.12 2001/03/01 02:27:18 deraadt Exp $
$OpenBSD: uidswap.c,v 1.16 2001/04/20 16:32:22 markus Exp $
$OpenBSD: dispatch.c,v 1.10 2001/02/18 18:33:53 markus Exp $
$OpenBSD: nchan.c,v 1.23 2001/02/28 08:54:55 markus Exp $
$OpenBSD: match.c,v 1.12 2001/03/10 17:51:04 markus Exp $
$OpenBSD: atomicio.c,v 1.9 2001/03/02 18:54:30 deraadt Exp $
$OpenBSD: misc.c,v 1.5 2001/04/12 20:09:37 stevesk Exp $
$OpenBSD: channels.c,v 1.109 2001/04/17 12:55:03 markus Exp $
$OpenBSD: canohost.c,v 1.26 2001/04/18 14:15:00 markus Exp $
$OpenBSD: kex.c,v 1.33 2001/04/05 10:42:50 markus Exp $
$OpenBSD: key.c,v 1.25 2001/04/17 10:53:24 markus Exp $
$OpenBSD: packet.c,v 1.61 2001/04/05 10:42:51 markus Exp $
$OpenBSD: bufaux.c,v 1.17 2001/01/21 19:05:45 markus Exp $
$OpenBSD: buffer.c,v 1.13 2001/04/12 19:15:24 markus Exp $
$OpenBSD: cipher.c,v 1.43 2001/02/04 15:32:23 stevesk Exp $
$OpenBSD: compat.c,v 1.47 2001/04/18 23:43:25 markus Exp $
$OpenBSD: mac.c,v 1.2 2001/04/05 10:42:51 markus Exp $
$OpenBSD: xmalloc.c,v 1.15 2001/04/16 08:05:34 deraadt Exp $
$OpenBSD: log.c,v 1.17 2001/03/04 17:42:28 millert Exp $
$OpenBSD: ssh-rsa.c,v 1.8 2001/03/27 10:57:00 markus Exp $
$OpenBSD: compress.c,v 1.14 2001/04/05 10:39:01 markus Exp $
$OpenBSD: ssh-dss.c,v 1.6 2001/02/08 19:30:52 itojun Exp $
$OpenBSD: authfd.c,v 1.39 2001/04/05 10:42:48 markus Exp $
$OpenBSD: kexgex.c,v 1.5 2001/04/05 10:42:50 markus Exp $
$OpenBSD: dh.c,v 1.14 2001/04/15 08:43:45 markus Exp $
$OpenBSD: crc32.c,v 1.8 2000/12/19 23:17:56 markus Exp $
$OpenBSD: kexdh.c,v 1.3 2001/04/04 09:48:34 markus Exp $
$OpenBSD: crt0.c,v 1.3 1997/06/24 17:15:49 tholo Exp $
-------------- next part --------------
/usr/bin/ssh
$OpenBSD: ssh.c,v 1.116 2001/04/17 12:55:04 markus Exp $
$OpenBSD: readconf.c,v 1.76 2001/04/17 10:53:25 markus Exp $
$OpenBSD: clientloop.c,v 1.65 2001/04/20 07:17:51 djm Exp $
$OpenBSD: sshconnect.c,v 1.104 2001/04/12 19:15:25 markus Exp $
$OpenBSD: sshconnect1.c,v 1.31 2001/04/17 08:14:01 markus Exp $
$OpenBSD: sshconnect2.c,v 1.72 2001/04/18 23:43:26 markus Exp $
$OpenBSD: mpaux.c,v 1.16 2001/02/08 19:30:52 itojun Exp $
$OpenBSD: radix.c,v 1.15 2001/01/16 23:58:09 deraadt Exp $
$OpenBSD: readpass.c,v 1.15 2001/04/18 21:57:41 markus Exp $
$OpenBSD: cli.c,v 1.11 2001/03/06 00:33:04 deraadt Exp $
$OpenBSD: ttymodes.c,v 1.13 2001/04/15 01:35:22 stevesk Exp $
$OpenBSD: authfile.c,v 1.32 2001/04/18 23:44:51 markus Exp $
$OpenBSD: hostfile.c,v 1.26 2001/04/12 19:15:24 markus Exp $
$OpenBSD: tildexpand.c,v 1.11 2001/02/08 19:30:53 itojun Exp $
$OpenBSD: rsa.c,v 1.22 2001/03/26 23:23:23 markus Exp $
$OpenBSD: uuencode.c,v 1.12 2001/03/01 02:27:18 deraadt Exp $
$OpenBSD: uidswap.c,v 1.16 2001/04/20 16:32:22 markus Exp $
$OpenBSD: dispatch.c,v 1.10 2001/02/18 18:33:53 markus Exp $
$OpenBSD: match.c,v 1.12 2001/03/10 17:51:04 markus Exp $
$OpenBSD: authfd.c,v 1.39 2001/04/05 10:42:48 markus Exp $
$OpenBSD: atomicio.c,v 1.9 2001/03/02 18:54:30 deraadt Exp $
$OpenBSD: misc.c,v 1.5 2001/04/12 20:09:37 stevesk Exp $
$OpenBSD: channels.c,v 1.109 2001/04/17 12:55:03 markus Exp $
$OpenBSD: canohost.c,v 1.26 2001/04/18 14:15:00 markus Exp $
$OpenBSD: kex.c,v 1.33 2001/04/05 10:42:50 markus Exp $
$OpenBSD: key.c,v 1.25 2001/04/17 10:53:24 markus Exp $
$OpenBSD: packet.c,v 1.61 2001/04/05 10:42:51 markus Exp $
$OpenBSD: bufaux.c,v 1.17 2001/01/21 19:05:45 markus Exp $
$OpenBSD: buffer.c,v 1.13 2001/04/12 19:15:24 markus Exp $
$OpenBSD: cipher.c,v 1.43 2001/02/04 15:32:23 stevesk Exp $
$OpenBSD: compat.c,v 1.47 2001/04/18 23:43:25 markus Exp $
$OpenBSD: mac.c,v 1.2 2001/04/05 10:42:51 markus Exp $
$OpenBSD: xmalloc.c,v 1.15 2001/04/16 08:05:34 deraadt Exp $
$OpenBSD: log.c,v 1.17 2001/03/04 17:42:28 millert Exp $
$OpenBSD: ssh-rsa.c,v 1.8 2001/03/27 10:57:00 markus Exp $
$OpenBSD: compress.c,v 1.14 2001/04/05 10:39:01 markus Exp $
$OpenBSD: ssh-dss.c,v 1.6 2001/02/08 19:30:52 itojun Exp $
$OpenBSD: nchan.c,v 1.23 2001/02/28 08:54:55 markus Exp $
$OpenBSD: kexgex.c,v 1.5 2001/04/05 10:42:50 markus Exp $
$OpenBSD: dh.c,v 1.14 2001/04/15 08:43:45 markus Exp $
$OpenBSD: crc32.c,v 1.8 2000/12/19 23:17:56 markus Exp $
$OpenBSD: kexdh.c,v 1.3 2001/04/04 09:48:34 markus Exp $
$OpenBSD: crt0.c,v 1.3 1997/06/24 17:15:49 tholo Exp $
-------------- next part --------------
# $OpenBSD: sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $

# This is the sshd server system-wide configuration file. See sshd(8)
# for more information.

Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh_host_key
HostKey /etc/ssh_host_rsa_key
HostKey /etc/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
#PrintLastLog no
KeepAlive yes

# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging

RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
#
RSAAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

#CheckMail yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem sftp /usr/libexec/sftp-server