From dunlap at apl.washington.edu Sun Apr 1 05:23:50 2001 
From: dunlap at apl.washington.edu (John Dunlap)
Date: Sat, 31 Mar 2001 11:23:50 -0800 (PST)
Subject: linux tcsetattr failed
Message-ID: <200103311923.LAA01802@c572157-a.sttln1.wa.home.com>

> localhost sshd[14418]: Setting tty modes failed: Invalid argument

One of our users always causes the above message. Experimenting with client side stty settings I found that it can be caused by "stty parenb" on the client side. "stty -parenb" stops the error message.

The client runs
  ssh -V: SSH Version 1.2.31 [rs6000-ibm-aix4.2.0.0], protocol version 1.5. Standard version. Does not use RSAREF.
  uname -a: AIX dante21 3 4 00600155C000.
By default on the client, using csh gives stty parenb, using bash-2.01 gives stty -parenb.

The server runs
  ssh -V: OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
  compiled with default ./config (no options), RHL6.2 with all RHL6.2 updates except new kernel,
  uname -a: Linux ohm.apl.washington.edu 2.2.16-3 #1 Mon Jun 19 19:11:44 EDT 2000 i686 unknown,
  bash -version: GNU bash, version 1.14.7(1).

The following are results of two runs with max debugging on server side. The first is with stty parenb on the client side, the second is with stty -parenb on the client side.

-- John

server: sshd -d -d -d -p 99 > /tmp/sshd.parenb 2>&1
client: stty parenb
client: ssh ohm.apl -l jhd -p 99
client: password

server log, /tmp/sshd.parenb:
------------------------ cut here ------------------------------
debug1: Seeding random number generator
debug1: sshd version OpenSSH_2.5.2p2
debug1: load_private_key_autodetect: type 0 RSA1
debug3: Bad RSA1 key file /usr/local/etc/ssh_host_rsa_key.
debug1: read SSH2 private key done: name rsa w/o comment success 1
debug1: load_private_key_autodetect: type 1 RSA
debug3: Bad RSA1 key file /usr/local/etc/ssh_host_dsa_key.
debug1: read SSH2 private key done: name dsa w/o comment success 1
debug1: load_private_key_autodetect: type 2 DSA
socket: Invalid argument
debug1: Bind to port 99 on 0.0.0.0.
Server listening on 0.0.0.0 port 99.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 140.142.8.24 port 1017
debug1: Client protocol version 1.5; client software version 1.2.31
debug1: no match: 1.2.31
debug1: Local version string SSH-1.99-OpenSSH_2.5.2p2
debug1: Sent 768 bit server key and 1024 bit host key.
debug1: Encryption type: blowfish
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug1: Attempting authentication for jhd.
Failed rsa for jhd from 140.142.8.24 port 1017
Accepted password for jhd from 140.142.8.24 port 1017
debug1: session_new: init
debug1: session_new: session 0
debug1: Allocating pty.
debug1: Ignoring unsupported tty mode opcode 11 (0xb)
Setting tty modes failed: Invalid argument
debug1: Received request for X11 forwarding with auth spoofing.
debug2: SSH_PROTOFLAG_SCREEN_NUMBER: 1
debug1: x11_create_display_inet: Socket family 10 not supported
debug1: bind port 6010: Address already in use
debug1: x11_create_display_inet: Socket family 10 not supported
debug1: bind port 6011: Address already in use
debug1: x11_create_display_inet: Socket family 10 not supported
debug1: bind port 6012: Address already in use
debug1: x11_create_display_inet: Socket family 10 not supported
debug1: bind port 6013: Address already in use
debug1: x11_create_display_inet: Socket family 10 not supported
debug1: fd 8 setting O_NONBLOCK
debug1: fd 8 IS O_NONBLOCK
debug1: channel 0: new [X11 inet listener]
debug1: Entering interactive session.
debug1: fd 3 setting O_NONBLOCK
debug1: fd 7 IS O_NONBLOCK
debug1: server_init_dispatch_13
debug1: server_init_dispatch_15
debug1: Setting controlling tty using TIOCSCTTY.
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug1: Received SIGCHLD.
debug3: tvp!=NULL kid 1 mili 100
debug1: End of interactive session; stdin 1, stdout (read 659, sent 659), stderr 0 bytes.
debug1: channel_free: channel 0: status: The following connections are open:
debug1: Command exited with status 0.
debug1: Received exit confirmation.
debug1: session_pty_cleanup: session 0 release /dev/pts/7
debug1: xauthfile_cleanup_proc called
Closing connection to 140.142.8.24
------------------------ cut here ------------------------------

server: sshd -d -d -d -p 99 > /tmp/sshd.-parenb 2>&1
client: stty -parenb
client: ssh ohm.apl -l jhd -p 99
client: password

server log, /tmp/sshd.-parenb:
------------------------ cut here ------------------------------
debug1: Seeding random number generator
debug1: sshd version OpenSSH_2.5.2p2
debug1: load_private_key_autodetect: type 0 RSA1
debug3: Bad RSA1 key file /usr/local/etc/ssh_host_rsa_key.
debug1: read SSH2 private key done: name rsa w/o comment success 1
debug1: load_private_key_autodetect: type 1 RSA
debug3: Bad RSA1 key file /usr/local/etc/ssh_host_dsa_key.
debug1: read SSH2 private key done: name dsa w/o comment success 1
debug1: load_private_key_autodetect: type 2 DSA
socket: Invalid argument
debug1: Bind to port 99 on 0.0.0.0.
Server listening on 0.0.0.0 port 99.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 140.142.8.24 port 1022
debug1: Client protocol version 1.5; client software version 1.2.31
debug1: no match: 1.2.31
debug1: Local version string SSH-1.99-OpenSSH_2.5.2p2
debug1: Sent 768 bit server key and 1024 bit host key.
debug1: Encryption type: blowfish
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug1: Attempting authentication for jhd.
Failed rsa for jhd from 140.142.8.24 port 1022
Accepted password for jhd from 140.142.8.24 port 1022
debug1: session_new: init
debug1: session_new: session 0
debug1: Allocating pty.
debug1: Ignoring unsupported tty mode opcode 11 (0xb)
debug1: Received request for X11 forwarding with auth spoofing.
debug2: SSH_PROTOFLAG_SCREEN_NUMBER: 1
debug1: x11_create_display_inet: Socket family 10 not supported
debug1: bind port 6010: Address already in use
debug1: x11_create_display_inet: Socket family 10 not supported
debug1: bind port 6011: Address already in use
debug1: x11_create_display_inet: Socket family 10 not supported
debug1: bind port 6012: Address already in use
debug1: x11_create_display_inet: Socket family 10 not supported
debug1: bind port 6013: Address already in use
debug1: x11_create_display_inet: Socket family 10 not supported
debug1: bind port 6014: Address already in use
debug1: x11_create_display_inet: Socket family 10 not supported
debug1: fd 8 setting O_NONBLOCK
debug1: fd 8 IS O_NONBLOCK
debug1: channel 0: new [X11 inet listener]
debug1: Entering interactive session.
debug1: fd 3 setting O_NONBLOCK
debug1: fd 7 IS O_NONBLOCK
debug1: server_init_dispatch_13
debug1: server_init_dispatch_15
debug1: Setting controlling tty using TIOCSCTTY.
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug1: Received SIGCHLD.
debug3: tvp!=NULL kid 1 mili 100
debug1: End of interactive session; stdin 1, stdout (read 659, sent 659), stderr 0 bytes.
debug1: channel_free: channel 0: status: The following connections are open:
debug1: Command exited with status 0.
debug1: Received exit confirmation.
debug1: session_pty_cleanup: session 0 release /dev/pts/7
debug1: xauthfile_cleanup_proc called
Closing connection to 140.142.8.24
------------------------ cut here ------------------------------

-- 
John Dunlap                            University of Washington
Senior Electrical Engineer             Applied Physics Laboratory
dunlap at apl.washington.edu           1013 NE 40th Street
206-543-7207, 543-1300, FAX 543-6785   Seattle, WA 98105-6698

From jmknoble at jmknoble.cx Sun Apr 1 08:36:48 2001
From: jmknoble at jmknoble.cx (Jim Knoble)
Date: Sat, 31 Mar 2001 17:36:48 -0500
Subject: libexecdir changed again?
Message-ID: <20010331173648.V1777@quipu.half.pint-stowp.cx>

[See my comments below.]

----- Forwarded message from an x11-ssh-askpass customer -----

Date: Fri, 30 Mar 2001 16:34:28 -0800
Subject: x11-ssh-askpass 1.2.0
To: jmknoble at jmknoble.cx

I just installed x11-ssh-askpass 1.2.0 on some systems, and ran into a couple of minor problems:

OpenSSH 2.5.2p2 by default is looking for ssh-askpass in /usr/local/libexec, not /usr/local/libexec/openssh. It works OK when manually installed.

[...]

----- End forwarded message -----

(Sigh). It wasn't very long ago that the default libexecdir changed from /usr/local/libexec/ssh/ to /usr/local/libexec/openssh/. I, of course, haven't been paying much attention to defaults because i roll my own RPM packages of OpenSSH-X.X.Xp. But i do read the ChangeLog religiously, and i can't find anything in there about libexecdir in the Recent Era except for these entries:

20010225
 - (djm) Use %{_libexecdir} rather than hardcoded path in RPM specfile

20000916
 [...]
 - (djm) Use libexecdir from configure , rather than libexecdir/ssh

19991119
 [...]
 - Move ssh-askpass from ${libdir}/ssh to ${libexecdir}/ssh at request of David Rankin <[...]>

Is the default libexecdir going to remain as /usr/local/libexec/ now, or will it change again? I'd like to release x11-ssh-askpass-1.2.1 and leave it alone for quite some time, absent bugs or actual flaws....

-- 
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/

From markus.friedl at informatik.uni-erlangen.de Sun Apr 1 19:52:34 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 1 Apr 2001 11:52:34 +0200
Subject: OpenSSH 2.5.2p2 client to 2.5.1p1 server problem
In-Reply-To: ; from martang@clearcommerce.com on Thu, Mar 29, 2001 at 05:57:49PM -0600
References: 
Message-ID: <20010401115234.C6597@folly>

On Thu, Mar 29, 2001 at 05:57:49PM -0600, Marty Hoff wrote:
> ssh dozer
> 51 f6 46 8d 9d 98 17 a6 b6 10 79 43 57 d2 30 f8
> Disconnecting: Bad packet length 1375094413.

openssh < 2.5.2 contains broken AES code.

use Ciphers (see ssh(1) or sshd(2)) to turn off AES (e.g.: "Ciphers blowfish,3des")

or update the older openssh installations.

sorry,
-m

From djm at mindrot.org Sun Apr 1 19:09:52 2001
From: djm at mindrot.org (Damien Miller)
Date: Sun, 1 Apr 2001 19:09:52 +1000 (EST)
Subject: libexecdir changed again?
In-Reply-To: <20010331173648.V1777@quipu.half.pint-stowp.cx>
Message-ID: 

On Sat, 31 Mar 2001, Jim Knoble wrote:

> [See my comments below.]
>
> ----- Forwarded message from an x11-ssh-askpass customer -----
>
> Date: Fri, 30 Mar 2001 16:34:28 -0800
> Subject: x11-ssh-askpass 1.2.0
> To: jmknoble at jmknoble.cx
>
> I just installed x11-ssh-askpass 1.2.0 on some systems, and ran into a
> couple of minor problems:
>
> OpenSSH 2.5.2p2 by default is looking for ssh-askpass in
> /usr/local/libexec, not /usr/local/libexec/openssh. It works OK when
> manually installed.

Recent versions of OpenSSH look wherever configure.in's libexecdir is set. The RPMs set /usr/libexec/openssh explicitly.

> Is the default libexecdir going to remain as /usr/local/libexec/ now,
> or will it change again? I'd like to release x11-ssh-askpass-1.2.1 and
> leave it alone for quite some time, absent bugs or actual flaws....

The default would change if autoconf changes. The RPMs would change if rpm's default changes.

-d

-- 
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From Scott.Russell at unitech.net Sun Apr 1 20:54:08 2001
From: Scott.Russell at unitech.net (Scott Russell)
Date: Sun, 1 Apr 2001 11:54:08 +0100
Subject: remove
Message-ID: 

From Scott.Russell at unitech.net Sun Apr 1 20:54:28 2001
From: Scott.Russell at unitech.net (Scott Russell)
Date: Sun, 1 Apr 2001 11:54:28 +0100
Subject: remove
Message-ID: 

From jmknoble at jmknoble.cx Mon Apr 2 16:01:58 2001
From: jmknoble at jmknoble.cx (Jim Knoble)
Date: Mon, 2 Apr 2001 02:01:58 -0400
Subject: ANNOUNCE: x11-ssh-askpass v1.2.1
Message-ID: <20010402020158.W1777@quipu.half.pint-stowp.cx>

x11-ssh-askpass version 1.2.1 (code name: Fatoomsh) is now available from the following locations:

  http://www.jmknoble.cx/software/x11-ssh-askpass/
  http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/

x11-ssh-askpass is a passphrase dialog for use with OpenSSH (www.openssh.com) under the X Window System.

The important changes since version 1.2.1 are as follows:

- Added a 'configure' script to make installation easier; uses the expected options (--prefix, --libexecdir, etc.) and allows you to decide whether and where to install the application defaults file. See the "Installing" section of the README for details.

- I give in. Some operating platforms (e.g., SunOS 4) are broken and don't support 'realloc(NULL, )'. I've modified dynlist.c to allow them to work anyway. If you're using x11-ssh-askpass on such a broken operating platform, here are the steps to take:

  (1) Configure and build x11-ssh-askpass as usual. No patches necessary.

  (2) Find your Barry Manilow karaoke CD. If you don't have a Barry Manilow karaoke CD, find either a BeeGees album on 8-track or a Wang Chung album (any one will do) on your favorite medium. Insert into your CD-ROM drive (you may have to cut and/or flatten to fit).

  (3) Install x11-ssh-askpass according to the regular instructions.

  (4) Call your OS vendor's technical or customer support line.

  (5) The following day, when you finally get a support rep on the line, immediately set your system to self-destruct mode with a 5-minute pre-detonation sequence:

        su
        touch /etc/nologin
        countdown 300; halt -D now

  (6) Commit harakiri. Make certain you perform this step such that neither your head nor your internal fluids hit the keyboard; that might cause the pre-detonation sequence to abort. Be sure to inform the support rep why you are committing harakiri. Offer to sing the rep a Barry Manilow tune while passing the tanto through your major internal organs (but before your standing-at-the-ready colleague cuts off your head with the katana).[*]

  (7) Done.

________________
[*] If you used the BeeGees or Wang Chung instead of Barry Manilow in step 2, don't offer to sing. Not only would it be too much for the phone rep on top of their experiencing your suicide live over the telephone, but in your weakened state it would be likely to kill you instantly, preventing you from properly completing this step.

Cheers. ;)

-- 
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/

From vinschen at redhat.com Tue Apr 3 05:58:29 2001
From: vinschen at redhat.com (Corinna Vinschen)
Date: Mon, 2 Apr 2001 21:58:29 +0200
Subject: [PATCH]: scp could hang in Cygwin
Message-ID: <20010402215829.Q956@cygbert.vinschen.de>

Hi,

attached is a patch which solves the following problem:

Sometimes scp could hang in Cygwin when used as remote end using the -t option. This is due to a binmode/textmode problem which could be raised by the login shell which is used by the user and its setting of textmode on stdin.

The patch solves that problem by explicitly setting binmode on stdin.

Besides solving the hanging problem, the patch results in a way faster copy process.

Corinna

Index: scp.c
===================================================================
RCS file: /cvs/openssh_cvs/scp.c,v
retrieving revision 1.66
diff -u -p -r1.66 scp.c
--- scp.c 2001/03/29 00:43:54 1.66
+++ scp.c 2001/04/02 19:47:14
@@ -291,6 +291,9 @@ main(argc, argv) case 't': /* "to" */ iamremote = 1; tflag = 1; +#ifdef HAVE_CYGWIN + setmode (0, O_BINARY); +#endif break; default: usage();
Index: openbsd-compat/bsd-cygwin_util.c
===================================================================
RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-cygwin_util.c,v
retrieving revision 1.3
diff -u -p -r1.3 bsd-cygwin_util.c
--- openbsd-compat/bsd-cygwin_util.c 2001/02/18 01:30:56 1.3
+++ openbsd-compat/bsd-cygwin_util.c 2001/04/02 19:47:14
@@ -20,7 +20,6 @@ RCSID("$Id: bsd-cygwin_util.c,v 1.3 2001 #ifdef HAVE_CYGWIN #include -#include #include #include #include
Index: openbsd-compat/bsd-cygwin_util.h
===================================================================
RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-cygwin_util.h,v
retrieving revision 1.3
diff -u -p -r1.3 bsd-cygwin_util.h
--- openbsd-compat/bsd-cygwin_util.h 2001/02/18 01:30:56 1.3
+++ openbsd-compat/bsd-cygwin_util.h 2001/04/02 19:47:14
@@ -20,6 +20,8 @@ #ifdef HAVE_CYGWIN +#include + int binary_open(const char *filename, int flags, ...); int binary_pipe(int fd[2]); int check_nt_auth(int pwd_authenticated, uid_t uid);

-- 
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From jmknoble at jmknoble.cx Tue Apr 3 08:10:52 2001
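Review bot: the `setmode (0, O_BINARY);` added in the `case 't'` hunk of scp.c discards the return value, so if switching stdin to binary mode fails, the hang the commit message describes persists with no diagnostic; test for -1 and report it before continuing. In the same lines, `0` reads better as `STDIN_FILENO`, the spacing `setmode (` differs from the adjacent `usage();`, and a one-line comment stating why the remote `-t` end needs binary stdin (the login shell may leave stdin in text mode, per the description) would save the next reader a trip to the list archive.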
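Review bot: the `#include` removed from bsd-cygwin_util.c in the second hunk is not replaced by anything else in that file, so the file now relies on receiving that header transitively through bsd-cygwin_util.h, where the third hunk adds it; that only compiles if bsd-cygwin_util.c includes its own header before the first use of those declarations, which is outside the lines shown here, so please confirm the include order rather than assume it. The header name itself is not legible in the copy of the patch as archived.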
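Review bot: the `#include` added to bsd-cygwin_util.h inside `#ifdef HAVE_CYGWIN` in the third hunk becomes a transitive dependency of every file that includes the header; the scp.c hunk adds no include of its own, so this is evidently how scp.c obtains the declarations of setmode() and O_BINARY. A comment beside the new include saying that scp.c depends on it would keep a later cleanup from removing it as unused within the header.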
From: jmknoble at jmknoble.cx (Jim Knoble)
Date: Mon, 2 Apr 2001 18:10:52 -0400
Subject: ANNOUNCE: x11-ssh-askpass v1.2.1
In-Reply-To: <20010402020158.W1777@quipu.half.pint-stowp.cx>; from jmknoble@jmknoble.cx on Mon, Apr 02, 2001 at 02:01:58AM -0400
References: <20010402020158.W1777@quipu.half.pint-stowp.cx>
Message-ID: <20010402181052.Z1777@quipu.half.pint-stowp.cx>

Circa 2001-Apr-02 02:01:58 -0400 dixit Jim Knoble:

: x11-ssh-askpass version 1.2.1 (code name: Fatoomsh) is now available
                        ^^^^^^^^^^^^^^^
: from the following locations:

[...]

: The important changes since version 1.2.1 are as follows:
                                /^^^^^^^^^^^^^^^^^^^^^
                               /
Hmm ... little bit of a time warp there. I suppose it's not as bad as releasing version 1.2.1 and listing important changes since 2.0.0, though.... :)

Obviously, this should have read "since version 1.2.0". Must remember not to release software so early in the morning.

-- 
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/

From jmknoble at jmknoble.cx Tue Apr 3 09:42:09 2001
From: jmknoble at jmknoble.cx (Jim Knoble)
Date: Mon, 2 Apr 2001 19:42:09 -0400
Subject: ANNOUNCE: x11-ssh-askpass v1.2.2
Message-ID: <20010402194209.A1777@quipu.half.pint-stowp.cx>

x11-ssh-askpass version 1.2.2 (code name: What's In The Box?) is now available from the following locations:

  http://www.jmknoble.cx/software/x11-ssh-askpass/
  http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/

x11-ssh-askpass is a passphrase dialog for use with OpenSSH (www.openssh.com) under the X Window System.

The important changes since version 1.2.1 are as follows:

- Minor updates to 'configure' script, including detection of 'CC' environment variable.

This ought to be the last release for quite a while. (Of course, as soon as i wrote that, bits in the source code began flipping randomly and mysteriously...).

-- 
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/

From provos at citi.umich.edu Tue Apr 3 11:58:52 2001
From: provos at citi.umich.edu (Niels Provos)
Date: Mon, 02 Apr 2001 21:58:52 -0400
Subject: arc4randomstir() in OpenSSH
In-Reply-To: Darren J Moffat, Wed, 28 Mar 2001 12:15:12 PST
Message-ID: <20010403015839.54A5E207C1@citi.umich.edu>

In message <3AC24650.6BE258C at Eng.Sun.COM>, Darren J Moffat writes:
>Would it be acceptable to replace the calls to arc4random() with
>reading from /dev/random and drop the arc4random_stir() all together ?

arc4random() does not block. It is initialized with data from /dev/arandom. arc4randomstir() reinitializes arc4random() with new random data from the kernel.

If you replace all calls to arc4random() with a read from /dev/random, you might cause OpenSSH to block for a long time.

Niels.

From tomh at po.crl.go.jp Tue Apr 3 17:14:52 2001
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Tue, 3 Apr 2001 16:14:52 +0900 (JST)
Subject: SRP verifier strength
In-Reply-To: 
Message-ID: 

Measurement of SRP verifier strength against an offline dictionary attack.

Intro

In a dictionary attack, an SRP verifier is computed for all words in a dictionary of possible passwords, given constant username, salt, and SRP parameters (prime modulus and generator), and compared against a stolen verifier.

Methods

The dictionary used contained 10,000 words chosen at random from a larger corpus. The average word length was 7.76 characters. A large sample of verifiers were prepared using passphrase lengths of 8, 16, 24, and 32 characters, and the user name 'alice'. 10 verifiers were prepared for each prime in the default list (the 'primes' file plus the libsrp primes) from the OpenSSH+SRP distribution. The passphrases were not in the dictionary. The user time (returned by the times() function) was measured for the time taken to check all 10,000 words against each known verifier. Times were measured on a 667 MHz Linux/Alpha 21264. Results are given as the "crack rate" in words per second (wps). Higher rates mean the dictionary attack succeeds sooner.

Results

In general, longer primes had lower crack rates. The following table summarizes the average wps across all primes of a given size.

+------+----------+------+
| bits | avg_wps  |  n   |
+------+----------+------+
|  512 | 2123.036 |   40 |
|  640 | 1588.509 |   40 |
|  768 | 1381.072 |   80 |
| 1024 | 1015.222 |   80 |
| 1026 |  947.602 | 1680 |
| 1280 |  742.186 |   40 |
| 1536 |  576.117 |   40 |
| 2048 |  368.924 |   40 |
| 2049 |  357.929 | 1040 |
+------+----------+------+

For these rates, doubling the size of the prime increases the time to do the dictionary search by an average factor of approximately 2.5.

These rates are to be compared with the DES (*nix crypt()) rate on the same machine of ~300,000 wps, the MD5 rate of 704 wps, and the Blowfish rate of 90 wps (values from a "John the Ripper" benchmark). Thus a prime length of about 1350 bits matches the MD5 rate. (Note that md5_crypt() was designed to be very slow, and runs over 1000 separate hashes to build the passwd entry, while most of the SRP time is in a single modular exponentiation.)

For a given bit length, the choice of prime (when a choice was available) made only a small difference. The table shows the percent difference between the minimum and maximum average crack rates across primes of a given length.

+------+----------+----------+---------+----+
| bits | min_wps  | max_wps  | percent | n  |
+------+----------+----------+---------+----+
|  768 | 1379.679 | 1382.464 |   0.201 |  2 |
| 1024 | 1001.226 | 1033.758 |  3.147* |  2 |
| 1026 |  938.486 |  959.641 |  2.204* | 42 |
| 2049 |  356.257 |  360.235 |   1.104 | 26 |
+------+----------+----------+---------+----+

* these values are actually too high because network time synchronization operations on this machine caused several jumps in the system clock during the test

Passphrase length was not a factor; the differences in crack rate were negligible, and when the average rate was appropriately normalized, the passphrase lengths were ordered randomly. This was to be expected, because all passphrases are hashed to the same length.

In summary, while the SRP protocol itself remains strong even with a low entropy passphrase, the verifier entries are no stronger than with other common methods (except DES). Thus it may be assumed that stolen verifier files (such as /etc/tpasswd and $HOME/.ssh/verifier) are typically vulnerable, where "typically" refers to the fact that many users choose very bad passwords. Even for 2049 bit primes, 10 million passphrases can be checked in less than 8 hours on this machine.

High entropy passphrases, of course, result in verifiers that resist dictionary or brute force attack: 8 characters chosen at random from [a-z0-9] takes over 90 years on average with a 1026 bit modulus, and 250 years with a 2049 bit modulus.

Dr. Tom Holroyd
"I am, as I said, inspired by the biological phenomena in which
chemical forces are used in repetitious fashion to produce all
kinds of weird effects (one of which is the author)."
	-- Richard Feynman, _There's Plenty of Room at the Bottom_

From tomh at po.crl.go.jp Tue Apr 3 17:42:08 2001
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Tue, 3 Apr 2001 16:42:08 +0900 (JST)
Subject: the "primes" file
In-Reply-To: 
Message-ID: 

I'm curious about the "primes" file included with OpenSSH-2.5.2p2. Where did it come from and what is the policy regarding the values it contains, or will contain in the future?

SRP has different requirements from Diffie-Hellman. In particular, for SRP the generator must be primitive. It turns out that the "primes" file contains only safe primes with primitive generators, and is thus ideal for SRP, but so far in OpenSSH it has only been used for DH, which doesn't require this.

Right now the SRP patch uses these primes during construction of the srp-param.c file. It does test them first, and will reject any entries that are not safe enough, but it would be nice to know that there are no plans to put unsafe primes or non-primitive generators in this file.

As a side issue, the SRP patch compiles the primes into libssh, and provides a function srp_get_param() which could be used to replace the file-reading code that is currently in dh.c, as well as an is_safe_group() function that can be used to check DH parameters*. This removes the requirement of having to install an extra configuration file.

* This is not currently done in OpenSSH -- in fact as far as I can tell, using the DH_GEX_SHA1 key exchange method, an attacker can send a modulus that is not prime (only the length is checked). Is this not a problem?

Dr. Tom Holroyd
"I am, as I said, inspired by the biological phenomena in which
chemical forces are used in repetitious fashion to produce all
kinds of weird effects (one of which is the author)."
	-- Richard Feynman, _There's Plenty of Room at the Bottom_

From tomh at po.crl.go.jp Tue Apr 3 20:58:02 2001
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Tue, 3 Apr 2001 19:58:02 +0900 (JST)
Subject: user:style
Message-ID: 

I noticed that (perhaps because ':' is invalid in a username) you can say ssh -l user:style host, where the "user:style" is sent by the client, and the server strips the ":style" part off and makes it available as part of the authentication context. It's currently unused.

What are the plans for this, if any? I was experimenting with the idea of using it with SRP to have several "names" that are allowed to log in as root, by using

	ssh -l root:name

where the $HOME/.ssh/verifier file is searched for "name" (as opposed to the more usual "root"). Thus root:joe and root:fred both work, are administered by root (since the file lives in ~root/.ssh), and I can fire fred without having to change the passphrase for joe. There are several problems with this idea, not the least of which is that if anybody except root uses it, it allows at least group access to a verifier, which is bad juju.

Besides that, I noticed that just stripping it off the way it's currently done in auth2.c means one has to tack it back on later if you actually use the full name for something (which SRP needs to do). It would be better to make a copy of the string sent by the client, and nuke the ':' in that, so as to make both styled and unstyled versions available in the authentication context. But this is really only an issue if anybody's going to actually use it for anything.

Dr. Tom Holroyd
"I am, as I said, inspired by the biological phenomena in which
chemical forces are used in repetitious fashion to produce all
kinds of weird effects (one of which is the author)."
	-- Richard Feynman, _There's Plenty of Room at the Bottom_

From Markus.Friedl at informatik.uni-erlangen.de Tue Apr 3 21:39:05 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 3 Apr 2001 13:39:05 +0200
Subject: user:style
In-Reply-To: ; from tomh@po.crl.go.jp on Tue, Apr 03, 2001 at 07:58:02PM +0900
References: 
Message-ID: <20010403133905.D3616@faui02.informatik.uni-erlangen.de>

user:style is used for BSD_AUTH authentication.

e.g. ssh -l user:skey host

but its usage is currently not consistent.

in ssh v2 you can use keyboardinteractive+devices, e.g. device={secureid,cryptocard,skey}.

however in ssh v1 there is no 'device' string in the challenge response packets, so user:submethod is 'abused' in a way similar to BSD_AUTH as used in BSD/OS.

all this is not very consistent, it's just experimental.

-m

On Tue, Apr 03, 2001 at 07:58:02PM +0900, Tom Holroyd wrote:
> I noticed that (perhaps because ':' is invalid in a username) you can
> say ssh -l user:style host, where the "user:style" is sent by the client,
> and the server strips the ":style" part off and makes it available as
> part of the authentication context. It's currently unused.
>
> What are the plans for this, if any? I was experimenting with the idea of
> using it with SRP to have several "names" that are allowed to log in as
> root, by using
> ssh -l root:name
> where the $HOME/.ssh/verifier file is searched for "name" (as opposed to
> the more usual "root"). Thus root:joe and root:fred both work, are
> administered by root (since the file lives in ~root/.ssh), and I can fire
> fred without having to change the passphrase for joe. There are several
> problems with this idea, not the least of which is that if anybody except
> root uses it, it allows at least group access to a verifier, which is bad
> juju.
>
> Besides that, I noticed that just stripping it off the way it's currently
> done in auth2.c means one has to tack it back on later if you actually use
> the full name for something (which SRP needs to do). It would be better
> to make a copy of the string sent by the client, and nuke the ':' in that,
> so as to make both styled and unstyled versions available in the
> authentication context. But this is really only an issue if anybody's
> going to actually use it for anything.
>
> Dr. Tom Holroyd
> "I am, as I said, inspired by the biological phenomena in which
> chemical forces are used in repetitious fashion to produce all
> kinds of weird effects (one of which is the author)."
> -- Richard Feynman, _There's Plenty of Room at the Bottom_
>

From hammond at solarz.Colorado.EDU Wed Apr 4 05:46:11 2001
From: hammond at solarz.Colorado.EDU (Anne M. Hammond)
Date: Tue, 3 Apr 2001 13:46:11 -0600
Subject: openssh-2.5.2p2 - SGI - compiles but dumps core
Message-ID: <10104031346.ZM87649@plutus.Colorado.EDU>

SGI IRIX 6.5.9
gcc 2.95.2
gnu make

./configure
make
make install

/usr/include/string.h:67: warning: conflicting types for built-in function `memcpy'
/usr/include/string.h:74: warning: conflicting types for built-in function `memcmp'
/usr/include/string.h:95: warning: conflicting types for built-in function `memset'
/usr/include/string.h:97: warning: conflicting types for built-in function `strlen'
In file included from /usr/include/sys/select.h:80,
                 from /usr/include/sys/bsd_types.h:44,
                 from /usr/include/sys/types.h:373,
                 from defines.h:13,
                 from config.h:719,
                 from rijndael.c:41:
/usr/include/string.h:67: warning: conflicting types for built-in function `memcpy'
/usr/include/string.h:74: warning: conflicting types for built-in function `memcmp'
/usr/include/string.h:95: warning: conflicting types for built-in function `memset'
/usr/include/string.h:97: warning: conflicting types for built-in function `strlen'
---
gcc -o sftp sftp.o sftp-client.o sftp-common.o sftp-int.o sftp-glob.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib -lssh -lopenbsd-compat -lz -lgen -lcrypto
ld32: WARNING 84 : /usr/lib32/libz.so is not used for resolving any symbol.
ld32: WARNING 84 : /usr/lib32/libgen.so is not used for resolving any symbol.
make: warning: Clock skew detected. Your build may be incomplete.
-----------

I looked at the FAQ, but didn't find anything concerning compiling for SGI. If you could reply directly, I would really appreciate it.

Anne Hammond
hammond at colorado.edu

From provos at citi.umich.edu Wed Apr 4 06:10:10 2001
From: provos at citi.umich.edu (Niels Provos)
Date: Tue, 03 Apr 2001 16:10:10 -0400
Subject: the "primes" file
In-Reply-To: Tom Holroyd, Tue, 03 Apr 2001 16:42:08 +0900
Message-ID: <20010403200947.88AAF207C3@citi.umich.edu>

In message , Tom Holroyd writes:
>SRP has different requirements from Diffie-Hellman. In particular,
>for SRP the generator must be primitive. It turns out that the "primes"
>file contains only safe primes with primitive generators, and is thus
>ideal for SRP, but so far in OpenSSH it has only been used for DH,
>which doesn't require this.

The primes file is used for the Diffie-Hellman group exchange. If you read the draft, you will see that safe primes are required and that the generators all generate the full sub-group size q.

>As a side issue, the SRP patch compiles the primes into libssh, and
>provides a function srp_get_param() which could be used to replace the
>file-reading code that is currently in dh.c, as well as an is_safe_group()
>function that can be used to check DH parameters*. This removes
>the requirement of having to install an extra configuration file.

I do not see that as a benefit. The purpose of having an extra file is that you can use new groups without recompiling the binaries.

>* This is not currently done in OpenSSH -- in fact as far as I can tell,
>using the DH_GEX_SHA1 key exchange method, an attacker can send a modulus
>that is not prime (only the length is checked). Is this not a problem?

No. It is not a problem. You have to trust the server already for everything that you do. If you do not trust your server, I suggest that you do not connect to it.

niels.

From tomh at po.crl.go.jp Wed Apr 4 13:11:50 2001
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Wed, 4 Apr 2001 12:11:50 +0900 (JST)
Subject: the "primes" file
In-Reply-To: <20010403200947.88AAF207C3@citi.umich.edu>
Message-ID:

On Tue, 3 Apr 2001, Niels Provos wrote:

> The primes file is used for the Diffie-Hellman group exchange. If
> you read the draft, you will see that safe primes are required and
> that the generators all generate the full sub-group size q.

The draft says, for p = 2q + 1, the order has to be _either_ q or p - 1.
DH only requires the subgroup be of size q, but SRP requires that the
subgroup be of size p - 1. Now it turns out that the generators in the
"primes" file all generate the full p - 1 group, and in fact the OpenSSL
routine DH_generate_parameters() will always create parameters like this.
But it seems that it *is* allowed (according to the draft) that someday
somebody will use a generator that generates the q subgroup but not the
p - 1 subgroup. (For example, the diffie-hellman-group1-sha1 prime uses a
generator of 2, but this is unacceptable for SRP; libsrp uses this same
prime with a generator of 5.) Thus SRP can't use the primes file directly
-- although the embedded primes are built from it (but they are tested to
make sure the subgroup is size p - 1 first).

> >As a side issue, the SRP patch compiles the primes into libssh ...
> >This removes the requirement of having to install an extra
> >configuration file.
> I do not see that as a benefit. The purpose of having an extra file
> is that you can use new groups without recompiling the binaries.

The current SRP patch also reads from the system configuration file
/etc/tpasswd.conf, both for compatibility with existing SRP installations
and to address your concern. So you can add new primes without
recompiling. However if you ever want to *retire* a prime, you must
recompile. It is not necessary to embed the primes in the binary, but
some people like to have as few configuration files as possible.
Since SRP can't use the primes file directly, we'd need to have another
file (likely ETCDIR/verifier.conf) that contains all the same values (plus
the libsrp values).

Is retiring primes likely to be an issue?

Dr. Tom Holroyd
"I am, as I said, inspired by the biological phenomena in which chemical
forces are used in repetitious fashion to produce all kinds of weird
effects (one of which is the author)."
-- Richard Feynman, _There's Plenty of Room at the Bottom_

From carson at taltos.org Wed Apr 4 14:26:01 2001
From: carson at taltos.org (Carson Gaspar)
Date: Tue, 03 Apr 2001 21:26:01 -0700
Subject: OpenSSH 2.5.2p2 client to 2.5.1p1 server problem
In-Reply-To: <20010401115234.C6597@folly>
Message-ID: <2785650885.986333161@[10.10.1.43]>

--On Sunday, April 01, 2001 11:52 AM +0200 Markus Friedl wrote:

> openssh < 2.5.2 contains broken AES code.
>
> use Ciphers (see ssh(1) or sshd(2) to turn off
> AES (e.g.: "Ciphers blowfish,3des")
>
> or update the older openssh installations.
>
> sorry,
> -m

Since OpenSSH already parses the server string to work around various
bugs, is there some reason it doesn't automatically disable AES when
connecting to an old server?

Of course, this won't fix the old client -> new server case, but it's
better than nothing.

--
Carson

From tomh at po.crl.go.jp Wed Apr 4 14:34:24 2001
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Wed, 4 Apr 2001 13:34:24 +0900 (JST)
Subject: SRP verifier strength
In-Reply-To:
Message-ID:

On Tue, 3 Apr 2001, Tom Holroyd wrote:

> Measurement of SRP verifier strength against an offline dictionary attack.
>
> +------+----------+------+
> | bits | avg_wps  | n    |
> +------+----------+------+
> |  512 | 2123.036 |   40 |
> |  640 | 1588.509 |   40 |
> |  768 | 1381.072 |   80 |
> | 1024 | 1015.222 |   80 |
> | 1026 |  947.602 | 1680 |
> | 1280 |  742.186 |   40 |  md5crypt level
> | 1536 |  576.117 |   40 |
> | 2048 |  368.924 |   40 |
> | 2049 |  357.929 | 1040 |
> +------+----------+------+

Another datapoint (measured the same way as before):

+------+----------+------+
| 4096 |  111.387 |   10 |
+------+----------+------+
~90 blowfish level

> For these rates, doubling the size of the prime increases the time to do
> the dictionary search by an average factor of approximately 2.5.

It's apparent that this isn't exactly a power law, but the regression line
now stands at about 2.6 (closer to 3 for just the large primes), and SRP
with a 4096 bit prime is getting close to the level of OpenBSD Blowfish
hashes. It's not slow enough to be noticeable on this machine, either,
when used for authentication. You still shouldn't set your passphrase to
"green" though. :-)

Dr. Tom Holroyd
chmod 000 /

From tomh at po.crl.go.jp Wed Apr 4 14:46:38 2001
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Wed, 4 Apr 2001 13:46:38 +0900 (JST)
Subject: SRP verifier strength
In-Reply-To:
Message-ID:

> ... SRP with a 4096 bit prime is getting close to the level of OpenBSD
> Blowfish hashes ...

Sorry for the multiple post, but I just wanted to remind folks that this
attack assumes that your server has already been rooted and your password
database stolen -- during normal SRP operation a password of "green" is
much, much stronger than this.

From tom at arcot.com Wed Apr 4 14:59:14 2001
From: tom at arcot.com (Tom Wu)
Date: Tue, 03 Apr 2001 21:59:14 -0700
Subject: SRP verifier strength
References:
Message-ID: <3ACAAA22.AC322FD9@arcot.com>

Tom,

Great work on filling in those tables. Have you investigated the impact
of using g=2 versus other values (like g being the same size as the
modulus)? Are the current numbers with g=2? Would there be any way to
test with different math library implementations?

Tom

Tom Holroyd wrote:
>
> On Tue, 3 Apr 2001, Tom Holroyd wrote:
>
> > Measurement of SRP verifier strength against an offline dictionary attack.
> >
> > +------+----------+------+
> > | bits | avg_wps  | n    |
> > +------+----------+------+
> > |  512 | 2123.036 |   40 |
> > |  640 | 1588.509 |   40 |
> > |  768 | 1381.072 |   80 |
> > | 1024 | 1015.222 |   80 |
> > | 1026 |  947.602 | 1680 |
> > | 1280 |  742.186 |   40 |  md5crypt level
> > | 1536 |  576.117 |   40 |
> > | 2048 |  368.924 |   40 |
> > | 2049 |  357.929 | 1040 |
> > +------+----------+------+
>
> Another datapoint (measured the same way as before):
>
> +------+----------+------+
> | 4096 |  111.387 |   10 |
> +------+----------+------+
> ~90 blowfish level
>
> > For these rates, doubling the size of the prime increases the time to do
> > the dictionary search by an average factor of approximately 2.5.
>
> It's apparent that this isn't exactly a power law, but the regression line
> now stands at about 2.6 (closer to 3 for just the large primes), and SRP
> with a 4096 bit prime is getting close to the level of OpenBSD Blowfish
> hashes. It's not slow enough to be noticeable on this machine, either,
> when used for authentication. You still shouldn't set your passphrase to
> "green" though. :-)
>
> Dr. Tom Holroyd
> chmod 000 /

--
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg? Sounds Swedish..."

From tomh at po.crl.go.jp Wed Apr 4 15:17:57 2001
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Wed, 4 Apr 2001 14:17:57 +0900 (JST)
Subject: SRP verifier strength
In-Reply-To: <3ACAAA22.AC322FD9@arcot.com>
Message-ID:

On Tue, 3 Apr 2001, Tom Wu wrote:

> Great work on filling in those tables. Have you investigated the impact
> of using g=2 versus other values (like g being the same size as the
> modulus)? Are the current numbers with g=2? Would there be any way to
> test with different math library implementations?

They all used 2 except for two of the smaller primes from the libsrp
distribution (#3 & #5 counting from 0).

+-------+-----+------+-----------------+
| prime | gen | bits | avg(wps)        |
+-------+-----+------+-----------------+
|     2 |   2 |  768 | 1382.4638397217 |
|     3 |   7 |  768 | 1379.6794891357 |
+-------+-----+------+-----------------+

Not so much difference there.

+-------+-----+------+-----------------+
| prime | gen | bits | avg(wps)        |
+-------+-----+------+-----------------+
|     4 |   2 | 1024 | 996.68488616943 |
|     5 |   5 | 1024 | 1033.7584777832 |
+-------+-----+------+-----------------+

Hmm. 5 is actually faster. It probably depends on the structure of the
primes, too -- like the number of 1 bits, but that's a guess. I'm sure
that using g = big would slow it down, and both the protocol and
implementation support it, so I'll have a look. I'm not going to try this
with anything other than OpenSSL's libcrypto for now. Most of the time is
spent in the modular exponentiation, of course, so speeding that up would
of course increase the crack rates.

Dr. Tom Holroyd
"I am, as I said, inspired by the biological phenomena in which chemical
forces are used in repetitious fashion to produce all kinds of weird
effects (one of which is the author)."
-- Richard Feynman, _There's Plenty of Room at the Bottom_

From wayne at blorf.net Wed Apr 4 17:25:51 2001
From: wayne at blorf.net (Wayne Davison)
Date: Wed, 4 Apr 2001 00:25:51 -0700 (PDT)
Subject: Solaris UseLogin problems
Message-ID:

I'm using openssh 2.5.2p2 on Solaris-x86 2.6. I ran into a couple problems
when I set UseLogin to "yes":

The big one seems to have been reported before: login refuses to run
without a utmpx entry. This problem appears to have been caused by the
changes in revision 1.24 of session.c. Before this revision, the
record_login() function was always called, no matter how UseLogin was set
(FYI, the comment for revision 1.24 is "cleanup login(1)-like jobs, no
duplicate utmp entries".)

I had already created a fix for this problem by the time I finally found
this mailing list and noticed that a recent message from Matt Eagleson had
supplied a potential patch. My version of the fix is fairly similar to
Matt's, but I put the relocated record_login() call into its own function
rather than putting it back into do_exec_pty(). The appended patch makes
use of Matt's LOGIN_NEEDS_UTMPX autoconf changes, and has the added
benefit that it doesn't call record_login() twice in the "UseLogin no"
code path (which is a bug in Matt's patch).

Another problem I noticed (that I haven't seen mentioned elsewhere) was
that the terminal type failed to be passed through to "login" unless I
added an extra commandline parameter. The solaris version of login has an
optional "terminal" arg after the "-h hostname" arg, and without this
being supplied, the value of TERM gets lost. I have added a define,
LOGIN_NEEDS_TERM, and made configure set it if we're running Solaris.

What I did not notice was any problems with duplicated wtmpx entries like
Matt did. Matt: What was the symptom you noticed that made you add the
code to loginrec.c? Duplicated entries when running "w"? Or something
else?

..wayne..

---8<------8<------8<------8<---cut here--->8------>8------>8------>8---
Index: acconfig.h
@@ -169,6 +169,12 @@ /* Define if you want to specify the path to your wtmpx file */ #undef CONF_WTMPX_FILE +/* Some systems need a utmpx entry for /bin/login to work */ +#undef LOGIN_NEEDS_UTMPX + +/* Some versions of /bin/login need the TERM supplied on the commandline */ +#undef LOGIN_NEEDS_TERM + /* Define is libutil has login() function */ #undef HAVE_LIBUTIL_LOGIN Index: configure.in @@ -165,6 +165,8 @@ LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib" need_dash_r=1 AC_DEFINE(PAM_SUN_CODEBASE) + AC_DEFINE(LOGIN_NEEDS_UTMPX) + AC_DEFINE(LOGIN_NEEDS_TERM) # hardwire lastlog location (can't detect it on some versions) conf_lastlog_location="/var/adm/lastlog" AC_MSG_CHECKING(for obsolete utmp and wtmp in solaris2.x) Index: session.c @@ -126,6 +126,7 @@ void session_proctitle(Session *s); void do_exec_pty(Session *s, const char *command, struct passwd * pw); void do_exec_no_pty(Session *s, const char *command, struct passwd * pw); +void call_record_login(Session *s); void do_login(Session *s, const char *command); void do_child(Session *s, const char *command); @@ -632,6 +633,10 @@ /* record login, etc. similar to login(1) */ if (!(options.use_login && command == NULL)) do_login(s, command); +#ifdef LOGIN_NEEDS_UTMPX + else + call_record_login(s); +#endif /* Do common processing for the child, such as execing the command. */ do_child(s, command); @@ -685,18 +690,11 @@ return remote; } -/* administrative, login(1)-like work */ void -do_login(Session *s, const char *command) +call_record_login(Session *s) { - FILE *f; - char *time_string; - char buf[256]; - char hostname[MAXHOSTNAMELEN]; socklen_t fromlen; struct sockaddr_storage from; - struct stat st; - time_t last_login_time; struct passwd * pw = s->pw; pid_t pid = getpid(); 
@@ -714,15 +712,30 @@ } } + /* Record that there was a login on that tty from the remote host. */ + record_login(pid, s->tty, pw->pw_name, pw->pw_uid, + get_remote_name_or_ip(), (struct sockaddr *)&from); +} + +/* administrative, login(1)-like work */ +void +do_login(Session *s, const char *command) +{ + FILE *f; + char *time_string; + char buf[256]; + char hostname[MAXHOSTNAMELEN]; + struct stat st; + time_t last_login_time; + struct passwd * pw = s->pw; + + call_record_login(s); + /* Get the time and hostname when the user last logged in. */ hostname[0] = '\0'; last_login_time = get_last_login_time(pw->pw_uid, pw->pw_name, hostname, sizeof(hostname)); - /* Record that there was a login on that tty from the remote host. */ - record_login(pid, s->tty, pw->pw_name, pw->pw_uid, - get_remote_name_or_ip(), (struct sockaddr *)&from); - #ifdef USE_PAM /* * If password change is needed, do it now. @@ -1466,6 +1479,9 @@ /* Launch login(1). */ execl(LOGIN_PROGRAM, "login", "-h", hostname, +#ifdef LOGIN_NEEDS_TERM + s->term? s->term : "unknown", +#endif "-p", "-f", "--", pw->pw_name, NULL); /* Login couldn't be executed, die. */ ---8<------8<------8<------8<---cut here--->8------>8------>8------>8--- From wayne at blorf.net Wed Apr 4 17:56:06 2001 From: wayne at blorf.net (Wayne Davison) Date: Wed, 4 Apr 2001 00:56:06 -0700 (PDT) Subject: compiler warnings about format strings Message-ID: Is anyone bothered by the compiler warnings that indicate that the format strings don't match the associated variables? I was, so I cast most of the objectionable args (pids, uids, gids) to "long", and added an "l" (el) to the format string. A single item was cast to an int. Here's the patch. If you haven't applied my UseLogin patch, the line numbers in session.c will be offset by -16 lines. ..wayne.. ---8<------8<------8<------8<---cut here--->8------>8------>8------>8--- Index: authfile.c 
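Review bot: in the UseLogin patch's session.c do_exec_pty hunk, the `#ifdef LOGIN_NEEDS_UTMPX` / `else call_record_login(s);` / `#endif` leaves a bare `else` hanging off the preceding `if` across a preprocessor boundary; put braces around both branches so a later edit to the `if` body cannot silently detach the `else`, and add a one-line comment saying why the utmpx record is written before exec'ing login(1) on these systems, so the next reader does not take it for a return of the duplicate-entry behaviour that revision 1.24 removed.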
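Review bot: in the UseLogin patch's `call_record_login` hunk, the name says what the function calls rather than what it does; it now owns both the getpeername() lookup and the record_login() write, so something like `record_login_from_remote()` would read better at the two call sites. The same hunk drops `from`, `fromlen` and `pid` from do_login, and only the record_login() use of them is visible in the context shown; the message should confirm nothing else in do_login referenced them.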
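Review bot: in the UseLogin patch's execl hunk, `s->term? s->term : "unknown"` is inserted between `-h hostname` and `-p` purely by position, and only the cover message explains that Solaris login(1) takes an optional terminal argument there. A comment at the call site saying so, and that `s->term` is the TERM the client asked for in its pty request with `"unknown"` as the fallback for sessions that did not request one, would keep that knowledge next to the code.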
@@ -519,7 +519,7 @@ error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @"); error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); error("Bad ownership or mode(0%3.3o) for '%s'.", - st.st_mode & 0777, filename); + (int)(st.st_mode & 0777), filename); error("It is recommended that your private key files are NOT accessible by others."); return 0; } Index: serverloop.c @@ -96,8 +96,8 @@ wait_pid = wait((int *) &child_wait_status); if (wait_pid != -1) { if (wait_pid != child_pid) - error("Strange, got SIGCHLD and wait returned pid %d but child is %d", - wait_pid, child_pid); + error("Strange, got SIGCHLD and wait returned pid %ld but child is %ld", + (long)wait_pid, (long)child_pid); if (WIFEXITED(child_wait_status) || WIFSIGNALED(child_wait_status)) child_terminated = 1; @@ -601,8 +601,8 @@ } else { /* Check if it matches the process we forked. */ if (wait_pid != pid) - error("Strange, wait returned pid %d, expected %d", - wait_pid, pid); + error("Strange, wait returned pid %ld, expected %ld", + (long)wait_pid, (long)pid); } /* We no longer want our SIGCHLD handler to be called. */ Index: session.c @@ -1545,12 +1545,12 @@ int i; for(i = 0; i < MAX_SESSIONS; i++) { Session *s = &sessions[i]; - debug("dump: used %d session %d %p channel %d pid %d", + debug("dump: used %d session %d %p channel %d pid %ld", s->used, s->self, s, s->chanid, - s->pid); + (long)s->pid); } } @@ -1591,13 +1591,13 @@ session_by_pid(pid_t pid) { int i; - debug("session_by_pid: pid %d", pid); + debug("session_by_pid: pid %ld", (long)pid); for(i = 0; i < MAX_SESSIONS; i++) { Session *s = &sessions[i]; if (s->used && s->pid == pid) return s; } - error("session_by_pid: unknown pid %d", pid); + error("session_by_pid: unknown pid %ld", (long)pid); session_dump(); return NULL; } 
@@ -1905,8 +1905,8 @@ if (c == NULL) fatal("session_close: session %d: no channel %d", s->self, s->chanid); - debug("session_exit_message: session %d channel %d pid %d", - s->self, s->chanid, s->pid); + debug("session_exit_message: session %d channel %d pid %ld", + s->self, s->chanid, (long)s->pid); if (WIFEXITED(status)) { channel_request_start(s->chanid, @@ -1947,7 +1947,7 @@ void session_free(Session *s) { - debug("session_free: session %d pid %d", s->self, s->pid); + debug("session_free: session %d pid %ld", s->self, (long)s->pid); if (s->term) xfree(s->term); if (s->display) @@ -1972,7 +1972,7 @@ { Session *s = session_by_pid(pid); if (s == NULL) { - debug("session_close_by_pid: no session for pid %d", s->pid); + debug("session_close_by_pid: no session for pid %ld", (long)s->pid); return; } if (s->chanid != -1) @@ -1996,15 +1996,15 @@ channel_cancel_cleanup(s->chanid); s->chanid = -1; - debug("session_close_by_channel: channel %d kill %d", id, s->pid); + debug("session_close_by_channel: channel %d kill %ld", id, (long)s->pid); if (s->pid == 0) { /* close session immediately */ session_close(s); } else { /* notify child, delay session cleanup */ if (kill(s->pid, (s->ttyfd == -1) ? SIGTERM : SIGHUP) < 0) - error("session_close_by_channel: kill %d: %s", - s->pid, strerror(errno)); + error("session_close_by_channel: kill %ld: %s", + (long)s->pid, strerror(errno)); } } Index: ssh-agent.c @@ -796,7 +796,7 @@ format = c_flag ? "unsetenv %s;\n" : "unset %s;\n"; printf(format, SSH_AUTHSOCKET_ENV_NAME); printf(format, SSH_AGENTPID_ENV_NAME); - printf("echo Agent pid %d killed;\n", pid); + printf("echo Agent pid %ld killed;\n", (long)pid); exit(0); } parent_pid = getpid(); @@ -849,7 +849,7 @@ SSH_AUTHSOCKET_ENV_NAME); printf(format, SSH_AGENTPID_ENV_NAME, pidstrbuf, SSH_AGENTPID_ENV_NAME); - printf("echo Agent pid %d;\n", pid); + printf("echo Agent pid %ld;\n", (long)pid); exit(0); } if (setenv(SSH_AUTHSOCKET_ENV_NAME, socket_name, 1) == -1 || Index: sshconnect.c 
@@ -748,7 +748,7 @@ /* Get local user name. Use it as server user if no user name was given. */ pw = getpwuid(original_real_uid); if (!pw) - fatal("User id %u not found from user database.", original_real_uid); + fatal("User id %lu not found from user database.", (long)original_real_uid); local_user = xstrdup(pw->pw_name); server_user = options.user ? options.user : local_user; Index: sshd.c @@ -1053,7 +1053,7 @@ if (pid < 0) error("fork: %.100s", strerror(errno)); else - debug("Forked child %d.", pid); + debug("Forked child %ld.", (long)pid); close(startup_p[1]); Index: sshpty.c @@ -318,12 +318,12 @@ if (st.st_uid != pw->pw_uid || st.st_gid != gid) { if (chown(ttyname, pw->pw_uid, gid) < 0) { if (errno == EROFS && st.st_uid == pw->pw_uid) - error("chown(%.100s, %d, %d) failed: %.100s", - ttyname, pw->pw_uid, gid, + error("chown(%.100s, %ld, %ld) failed: %.100s", + ttyname, (long)pw->pw_uid, (long)gid, strerror(errno)); else - fatal("chown(%.100s, %d, %d) failed: %.100s", - ttyname, pw->pw_uid, gid, + fatal("chown(%.100s, %ld, %ld) failed: %.100s", + ttyname, (long)pw->pw_uid, (long)gid, strerror(errno)); } } @@ -332,11 +332,11 @@ if (chmod(ttyname, mode) < 0) { if (errno == EROFS && (st.st_mode & (S_IRGRP | S_IROTH)) == 0) - error("chmod(%.100s, 0%o) failed: %.100s", - ttyname, mode, strerror(errno)); + error("chmod(%.100s, 0%lo) failed: %.100s", + ttyname, (long)mode, strerror(errno)); else - fatal("chmod(%.100s, 0%o) failed: %.100s", - ttyname, mode, strerror(errno)); + fatal("chmod(%.100s, 0%lo) failed: %.100s", + ttyname, (long)mode, strerror(errno)); } } } ---8<------8<------8<------8<---cut here--->8------>8------>8------>8--- From Markus.Friedl at informatik.uni-erlangen.de Wed Apr 4 18:07:03 2001 
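Review bot: in the format-string patch's session.c `session_close_by_pid` hunk, the changed line still reads `s->pid` inside the `if (s == NULL)` branch, so the debug() dereferences a null pointer on exactly the path it is reporting; the value to print is the function's `pid` argument: `debug("session_close_by_pid: no session for pid %ld", (long)pid);`.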
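Review bot: in the sshconnect.c hunk, `%lu` is paired with a `(long)` cast; the conversion and the cast should agree, either `%lu` with `(unsigned long)original_real_uid` or `%ld` with `(long)` as the rest of the patch does.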
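Review bot: in the sshpty.c chmod hunk, `0%lo` expects an unsigned long but `mode` is cast to `(long)`; use `(unsigned long)mode` so the cast matches the conversion the way the chown hunk above it does.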
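Review bot: in the authfile.c hunk, `%3.3o` takes an unsigned int, so `(unsigned)(st.st_mode & 0777)` is the matching cast rather than `(int)`; the value cannot be negative, so this is a consistency point rather than a correctness one.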
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 4 Apr 2001 10:07:03 +0200
Subject: OpenSSH 2.5.2p2 client to 2.5.1p1 server problem
In-Reply-To: <2785650885.986333161@[10.10.1.43]>; from carson@taltos.org on Tue, Apr 03, 2001 at 09:26:01PM -0700
References: <20010401115234.C6597@folly> <2785650885.986333161@[10.10.1.43]>
Message-ID: <20010404100703.A22049@faui02.informatik.uni-erlangen.de>

On Tue, Apr 03, 2001 at 09:26:01PM -0700, Carson Gaspar wrote:
> Since OpenSSH already parses the server string to work around various bugs,
> is there some reason it doesn't automatically disable AES when connecting
> to an old server?
>
> Of course, this won't fix the old client -> new server case, but it's
> better than nothing.

the current snapshot tries to detect broken openssh AES implementations.

-m

From vinschen at redhat.com Wed Apr 4 19:34:58 2001
From: vinschen at redhat.com (Corinna Vinschen) Date: Wed, 4 Apr 2001 11:34:58 +0200 Subject: [PATCH]: scp could hang in Cygwin In-Reply-To: <20010402215829.Q956@cygbert.vinschen.de>; from vinschen@redhat.com on Mon, Apr 02, 2001 at 09:58:29PM +0200 References: <20010402215829.Q956@cygbert.vinschen.de> Message-ID: <20010404113458.C956@cygbert.vinschen.de> On Mon, Apr 02, 2001 at 09:58:29PM +0200, Corinna Vinschen wrote: > Hi, > > attached is a patch which solves the following problem: > > Sometimes scp could hang in Cygwin when used as remote end using > the -t option. This is due to a binmode/textmode problem which > could be raised by the login shell which is used by the user and > it's setting of textmode on stdin. The patch solves that problem > by explicitly setting binmode on stdin. > > Besides solving the hanging problem, the patch results in a way > faster copy process. Ok, I had to review that patch. Unfortunately, sftp-server is affected by the same problem. I have attached a new patch which includes the change to scp and additionally patches sftp-server to deal with that situation. Thanks, Corinna Index: scp.c =================================================================== RCS file: /cvs/openssh_cvs/scp.c,v retrieving revision 1.66 diff -u -p -r1.66 scp.c --- scp.c 2001/03/29 00:43:54 1.66 +++ scp.c 2001/04/04 09:30:52 @@ -291,6 +291,9 @@ main(argc, argv) case 't': /* "to" */ iamremote = 1; tflag = 1; +#ifdef HAVE_CYGWIN + setmode (0, O_BINARY); +#endif break; default: usage(); Index: sftp-server.c =================================================================== RCS file: /cvs/openssh_cvs/sftp-server.c,v retrieving revision 1.28 diff -u -p -r1.28 sftp-server.c --- sftp-server.c 2001/03/15 00:09:16 1.28 +++ sftp-server.c 2001/04/04 09:30:52 
@@ -1043,6 +1043,11 @@ main(int ac, char **av) in = dup(STDIN_FILENO); out = dup(STDOUT_FILENO); +#ifdef HAVE_CYGWIN + setmode (in, O_BINARY); + setmode (out, O_BINARY); +#endif + max = 0; if (in > max) max = in; Index: openbsd-compat/bsd-cygwin_util.c =================================================================== RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-cygwin_util.c,v retrieving revision 1.3 diff -u -p -r1.3 bsd-cygwin_util.c --- openbsd-compat/bsd-cygwin_util.c 2001/02/18 01:30:56 1.3 +++ openbsd-compat/bsd-cygwin_util.c 2001/04/04 09:30:52 @@ -20,7 +20,6 @@ RCSID("$Id: bsd-cygwin_util.c,v 1.3 2001 #ifdef HAVE_CYGWIN #include -#include #include #include #include Index: openbsd-compat/bsd-cygwin_util.h =================================================================== RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-cygwin_util.h,v retrieving revision 1.3 diff -u -p -r1.3 bsd-cygwin_util.h --- openbsd-compat/bsd-cygwin_util.h 2001/02/18 01:30:56 1.3 +++ openbsd-compat/bsd-cygwin_util.h 2001/04/04 09:30:52 @@ -20,6 +20,8 @@ #ifdef HAVE_CYGWIN +#include + int binary_open(const char *filename, int flags, ...); int binary_pipe(int fd[2]); int check_nt_auth(int pwd_authenticated, uid_t uid); From paul at xtdnet.nl Wed Apr 4 21:02:10 2001 
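Review bot: in the scp.c hunk, binary mode is set on stdin only in the `-t` (sink) case, which matches the hang the message describes, but scp run as the `-f` (source) end writes the file data to stdout and would be exposed to the same text-mode translation if the login shell set it; either say that path was checked, or set both descriptors to O_BINARY once under `HAVE_CYGWIN` before the option parsing, as the sftp-server.c hunk does for both `in` and `out`.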
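Review bot: in the bsd-cygwin_util.h hunk, the added `#include` carries no header name in the patch as posted (the same is true of the one removed from bsd-cygwin_util.c), so it is not possible to confirm from the hunk that the header providing setmode() and O_BINARY is now visible to scp.c and sftp-server.c through this file; name the header in the message or re-send the hunk.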
From: paul at xtdnet.nl (Paul Wouters)
Date: Wed, 4 Apr 2001 13:02:10 +0200 (MET DST)
Subject: Heh?
In-Reply-To: <20010403222917.81C6F207C1@citi.umich.edu>
Message-ID:

On Tue, 3 Apr 2001, Niels Provos wrote:

> Paul, something is broken in your openssh install.

Definitely. But is it the client or the server? I've sent it to the
portable OpenSSH bug address. I'm using OpenSSH 2.5.2p2-1.7 on a RedHat
7.0 with all updates. Sometimes I can login fine, and sometimes I can't.
It actually seems to almost alternate, "success,failed,success,failed,success"
because at some point I thought it was a hostname problem (using host or
FQDN), but it isn't.

Traces of the two with ssh -v -l root:

Failed:

[root at bofh /root]# ssh -v -l root undoable.xtdnet.nl
OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: getuid 0 geteuid 0 anon 1
debug1: Connecting to undoable.xtdnet.nl [213.160.202.1] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type 0
debug1: unknown identity file /root/.ssh/id_rsa
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.2p2
debug1: match: OpenSSH_2.5.2p2 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.5.2p2
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug1: got kexinit: ssh-rsa,ssh-dss
debug1: got kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug1: got kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug1: got kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: none,zlib
debug1: got kexinit: none,zlib
debug1: got kexinit:
debug1: got kexinit:
debug1: first kex follow: 0
debug1: reserved: 0
debug1: done
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: Sending SSH2_MSG_KEX_DH_GEX_REQUEST.
debug1: Wait SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: Got SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: dh_gen_key: priv key bits set: 123/256
debug1: bits set: 1013/2049
debug1: Sending SSH2_MSG_KEX_DH_GEX_INIT.
debug1: Wait SSH2_MSG_KEX_DH_GEX_REPLY.
debug1: Got SSH2_MSG_KEXDH_REPLY.
debug1: Host 'undoable.xtdnet.nl' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts2:14
debug1: bits set: 992/2049
debug1: ssh_rsa_verify: signature correct
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password
debug1: next auth method to try is publickey
debug1: try privkey: /root/.ssh/id_rsa
debug1: try pubkey: /root/.ssh/id_dsa
debug1: authentications that can continue: publickey,password
debug1: next auth method to try is password
root at undoable.xtdnet.nl's password:
debug1: ssh-userauth2 successful: method password
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: client_init id 0 arg 0
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: channel request 0: shell
debug1: channel 0: open confirm rwindow 0 rmax 16384
Last login: Wed Apr 4 20:46:55 2001 from node146c7.a2000.nl
debug1: client_input_channel_req: channel 0 rtype exit-signal reply 0
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: rcvd close
debug1: channel 0: input open -> closed
debug1: channel 0: close_read
sh: /usr/X11R6/bin/xauth: No such file or directory
debug1: channel 0: obuf empty
debug1: channel 0: output drain -> closed
debug1: channel 0: close_write
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel_free: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)
Connection to undoable.xtdnet.nl closed.
debug1: Transferred: stdin 0, stdout 0, stderr 42 bytes in 0.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 324.8
debug1: Exit status -1
[root at bofh /root]#

Working:

[root at bofh /root]# ssh -v -l root undoable.xtdnet.nl
OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: getuid 0 geteuid 0 anon 1
debug1: Connecting to undoable.xtdnet.nl [213.160.202.1] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type 0
debug1: unknown identity file /root/.ssh/id_rsa
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.2p2
debug1: match: OpenSSH_2.5.2p2 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.5.2p2
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug1: got kexinit: ssh-rsa,ssh-dss
debug1: got kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug1: got kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug1: got kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: none,zlib
debug1: got kexinit: none,zlib
debug1: got kexinit:
debug1: got kexinit:
debug1: first kex follow: 0
debug1: reserved: 0
debug1: done
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: Sending SSH2_MSG_KEX_DH_GEX_REQUEST.
debug1: Wait SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: Got SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: dh_gen_key: priv key bits set: 137/256
debug1: bits set: 997/2049
debug1: Sending SSH2_MSG_KEX_DH_GEX_INIT.
debug1: Wait SSH2_MSG_KEX_DH_GEX_REPLY.
debug1: Got SSH2_MSG_KEXDH_REPLY.
debug1: Host 'undoable.xtdnet.nl' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts2:14
debug1: bits set: 1018/2049
debug1: ssh_rsa_verify: signature correct
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password
debug1: next auth method to try is publickey
debug1: try privkey: /root/.ssh/id_rsa
debug1: try pubkey: /root/.ssh/id_dsa
debug1: authentications that can continue: publickey,password
debug1: next auth method to try is password
root at undoable.xtdnet.nl's password:
debug1: ssh-userauth2 successful: method password
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: client_init id 0 arg 0
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: channel request 0: shell
debug1: channel 0: open confirm rwindow 0 rmax 16384
Last login: Wed Apr 4 20:51:19 2001 from node146c7.a2000.nl
sh: /usr/X11R6/bin/xauth: No such file or directory
[root at undoable /root]#

On the server side I see just lots of:

Apr 4 20:49:25 undoable PAM_unix[6366]: (sshd) session closed for user root
Apr 4 20:50:54 undoable PAM_unix[6374]: (sshd) session opened for user root by (uid=0)
Apr 4 20:50:54 undoable PAM_unix[6374]: (sshd) session closed for user root
Apr 4 20:51:19 undoable PAM_unix[6379]: (sshd) session opened for user root by (uid=0)
Apr 4 20:51:19 undoable PAM_unix[6379]: (sshd) session closed for user root
Apr 4 20:51:32 undoable PAM_unix[6383]: (sshd) session opened for user root by (uid=0)

And in the secure log:

Apr 4 20:46:50 undoable sshd[6307]: Connection closed by 24.132.70.199
Apr 4 20:46:55 undoable sshd[6309]: Accepted password for ROOT from 24.132.70.199 port 62503 ssh2
Apr 4 20:48:01 undoable sshd[6335]: Did not receive identification string from 213.160.202.99.
Apr 4 20:48:03 undoable sshd[6333]: Connection closed by 24.132.70.199
Apr 4 20:48:53 undoable sshd[6338]: Accepted password for ROOT from 24.132.70.199 port 62505 ssh2
Apr 4 20:49:13 undoable sshd[6344]: Accepted password for ROOT from 24.132.70.199 port 62506 ssh2
Apr 4 20:49:25 undoable sshd[6366]: Accepted password for ROOT from 24.132.70.199 port 62508 ssh2
Apr 4 20:50:54 undoable sshd[6374]: Accepted password for ROOT from 24.132.70.199 port 62510 ssh2
Apr 4 20:51:19 undoable sshd[6379]: Accepted password for ROOT from 24.132.70.199 port 62511 ssh2
Apr 4 20:51:32 undoable sshd[6383]: Accepted password for ROOT from 24.132.70.199 port 62513 ssh2
Apr 4 20:53:03 undoable sshd[6412]: Did not receive identification string from 213.160.202.99.

I do notice the time is totally wrong, but after fixing that the problem
didn't go away either.

Cheers,

Paul

From Markus.Friedl at informatik.uni-erlangen.de Wed Apr 4 22:58:53 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 4 Apr 2001 14:58:53 +0200
Subject: [follow-up/fix] openssh 2.5.2p2 not allowing RSA authentication
In-Reply-To: <3ACB0E60.F2169CC3@cisco.com>; from janjust@cisco.com on Wed, Apr 04, 2001 at 02:06:56PM +0200
References: <3AC9EDF6.4A7A2FC1@cisco.com> <3ACB0E60.F2169CC3@cisco.com>
Message-ID: <20010404145853.B1695@faui02.informatik.uni-erlangen.de>

the stat() on which file?

On Wed, Apr 04, 2001 at 02:06:56PM +0200, Jan Just Keijser wrote:
> hmmm, I found the problem and managed to fix it, but I am not sure if this
> isn't broken:
>
> using gdb, I found that sshd fails to stat the 'authorized_keys' files,
> which was in /local/home/janjust/.ssh/authorized_keys. Here were the
> permissions for the directories and files leading to that file:
>
> drwxr-sr-x 11 root    root  4096 Mar 20 15:57 /local
> drwxr-s---  3 root    users 4096 Jan 18 11:24 /local/home
> drwxr-sr-x 27 janjust users 4096 Apr  4 13:34 /local/home/janjust
> drwx------  2 janjust users 4096 Apr  4 13:12 /local/home/janjust/.ssh
> -rw-------  1 janjust users 1357 Jan 16 10:39 /local/home/janjust/.ssh/authorized_keys
>
> the error that stat() returned is 'Permission denied'. After changing the
> permissions to
>
> drwxr-sr-x 11 root    root  4096 Mar 20 15:57 /local
> drwxr-sr-x  3 root    users 4096 Jan 18 11:24 /local/home
> drwxr-sr-x 27 janjust users 4096 Apr  4 13:59 /local/home/janjust
> drwx------  2 janjust users 4096 Apr  4 13:12 /local/home/janjust/.ssh
> -rw-------  1 janjust users 1357 Jan 16 10:39 /local/home/janjust/.ssh/authorized_keys
>
> (i.e. I changed the permissions on /local/home !) everything is working
> fine. That's bizarre, and I wonder where this is broken - not in OpenSSH
> probably, more likely somewhere in glibc...
>
> comments, any one?
>
> TIA,
>
> JJK / Jan Just Keijser
> Cisco Systems International BV

From janjust at cisco.com Wed Apr 4 23:09:19 2001
From: janjust at cisco.com (Jan Just Keijser)
Date: Wed, 04 Apr 2001 15:09:19 +0200
Subject: [follow-up/fix] openssh 2.5.2p2 not allowing RSA authentication
References: <3AC9EDF6.4A7A2FC1@cisco.com> <3ACB0E60.F2169CC3@cisco.com> <20010404145853.B1695@faui02.informatik.uni-erlangen.de>
Message-ID: <3ACB1CFF.43F0FDB0@cisco.com>

the stat() on $HOME/.ssh/authorized_keys fails, which the server needs to read
to determine whether RSA authentications are allowed. My bet about what's
happening is this:

sshd runs as euid root, gid 0
auth-rsa.c switches to euid janjust, but does not change the egid using setegid()
euid janjust, gid 0 does *NOT* have access to the directory /local/home with permissions 750
the stat() call walks down the path of the file and runs into this permission
problem and bails out, even though the user would have access to directories
and files below the troublesome /local/home directory.

HTH,

JJK

Markus Friedl wrote:

> the stat() on which file?
>
> On Wed, Apr 04, 2001 at 02:06:56PM +0200, Jan Just Keijser wrote:
> > hmmm, I found the problem and managed to fix it, but I am not sure if this
> > isn't broken:
> >
> > using gdb, I found that sshd fails to stat the 'authorized_keys' files,
> > which was in /local/home/janjust/.ssh/authorized_keys. Here were the
> > permissions for the directories and files leading to that file:
> >
> > drwxr-sr-x 11 root    root  4096 Mar 20 15:57 /local
> > drwxr-s---  3 root    users 4096 Jan 18 11:24 /local/home
> > drwxr-sr-x 27 janjust users 4096 Apr  4 13:34 /local/home/janjust
> > drwx------  2 janjust users 4096 Apr  4 13:12 /local/home/janjust/.ssh
> > -rw-------  1 janjust users 1357 Jan 16 10:39 /local/home/janjust/.ssh/authorized_keys
> >
> > the error that stat() returned is 'Permission denied'. After changing the
> > permissions to
> >
> > drwxr-sr-x 11 root    root  4096 Mar 20 15:57 /local
> > drwxr-sr-x  3 root    users 4096 Jan 18 11:24 /local/home
> > drwxr-sr-x 27 janjust users 4096 Apr  4 13:59 /local/home/janjust
> > drwx------  2 janjust users 4096 Apr  4 13:12 /local/home/janjust/.ssh
> > -rw-------  1 janjust users 1357 Jan 16 10:39 /local/home/janjust/.ssh/authorized_keys
> >
> > (i.e. I changed the permissions on /local/home !) everything is working
> > fine. That's bizarre, and I wonder where this is broken - not in OpenSSH
> > probably, more likely somewhere in glibc...
> >
> > comments, any one?
> >
> > TIA,
> >
> > JJK / Jan Just Keijser
> > Cisco Systems International BV

From janjust at cisco.com Wed Apr 4 23:32:03 2001
From: janjust at cisco.com (Jan Just Keijser)
Date: Wed, 04 Apr 2001 15:32:03 +0200
Subject: [follow-up/fix] openssh 2.5.2p2 not allowing RSA authentication
References: <3AC9EDF6.4A7A2FC1@cisco.com> <3ACB0E60.F2169CC3@cisco.com> <20010404145853.B1695@faui02.informatik.uni-erlangen.de>
Message-ID: <3ACB2253.5D274EDA@cisco.com>

> the stat() on $HOME/.ssh/authorized_keys fails, which the server needs to read
> to determine whether RSA authentications are allowed. My bet about what's
> happening is this:
>
> sshd runs as euid root, gid 0
> auth-rsa.c switches to euid janjust, but does not change the egid using
> setegid()
> euid janjust, gid 0 does *NOT* have access to the directory /local/home with
> permissions 750
> the stat() call walks down the path of the file and runs into this permission
> problem and bails out, even though the user would have access to directories
> and files below the troublesome /local/home directory.
>

I should've accepted bets :-) : when I add the following (ugly) hack:

	gid_t old_gid;

	/* no user given */
	if (pw == NULL)
		return 0;

	/* Temporarily use the user's uid. */
	old_gid = getegid();
	if (setegid(pw->pw_gid) < 0 ) {
		packet_send_debug("setegid(%d) failed: %s!", pw->pw_gid, strerror( errno ) );
	}
	temporarily_use_uid(pw->pw_uid);

	/* The authorized keys. */
	snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir,
	    _PATH_SSH_USER_PERMITTED_KEYS);

	/* Fail quietly if file does not exist */
	if (stat(file, &st) < 0) {
		packet_send_debug("euid = %d egid = %d", geteuid(), getegid() );
		packet_send_debug("stat() returned error: %s", strerror(errno) );
		/* Restore the privileged uid. */
		restore_uid();
		setegid(old_gid);
		packet_send_debug("Could not stat %.900s.", file);
		return 0;
	}

i.e. I save the current gid and then set the egid to pw->pw_gid then the stat()
call on $HOME/.ssh/authorized_keys works without problems (yes, I changed the
permission back to 750 - the unpatched sshd is broken again); you have to do
setegid BEFORE seteuid, coz once you're a mere user you're not allowed to do
this anymore (as I found out the hard way).

A proper fix would be to add this to uidswap.c, I guess...

share and enjoy,

JJK / Jan Just Keijser
Cisco Systems International BV

From Chantal.Hunter at durhamc.on.ca Thu Apr 5 02:10:30 2001
From: Chantal.Hunter at durhamc.on.ca (Chantal Hunter)
Date: Wed, 4 Apr 2001 12:10:30 -0400
Subject: known_hosts
Message-ID: <5E1C5EB128EB6F40A86339FD644325F5010826E5@DCMAILEX.durhamc.on.ca>

Hello,

I have just set-up SSH on my UNIX systems. I can connect to all of them just fine using Win32 client. But when I try to ssh from one UNIX system to another I keep getting this message:

RSA1 key fingerprint is fa:a2:ac:d6:58:a6:48:0b:cc:13:ea:b7:d5:bd:fd:de.
Are you sure you want to continue connecting (yes/no)?

When I choose yes to the above message it just keeps looping through, never actually allowing me to connect and never creating the known_hosts file which I believe it should. I realize that I need a known_hosts file since that is what is in my config, but how does this file get created?

I created the known_hosts file manually by cat'ng the ssh_host_key.pub and redirecting it to another then editing it and adding the servername and IP and removing the whoever at whatever at the bottom of the file. I then ftp the file to the servers that need to know about this host. This worked, but was a major pain in the butt.

I did notice in the archives, a reference to make-ssh-known-hosts, but I have not been able to find any documentation on this. I also tried using ssh-keygen to create the file but this failed as well, probably a syntax error.

I would really appreciate if someone could point me in the right direction on this :)

Thanks in advance!

Chantal

From celinn at mtu.edu Thu Apr 5 02:58:29 2001
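The manual procedure Chantal describes (take the host's public key file, prepend the server name and address, strip the trailing "user@host" comment) can be automated. The following is an added example in C; it is not from this thread and not OpenSSH code. It parses the two key-file formats of this OpenSSH generation, protocol 1 lines of the form "BITS EXPONENT MODULUS [comment]" and protocol 2 lines of the form "ssh-rsa|ssh-dss BASE64 [comment]", and emits the known_hosts line. The host name, address and key material in the demo are constructed, not real keys. In OpenSSH 2.5.2 the protocol 1 entries belong in ~/.ssh/known_hosts (or /etc/ssh_known_hosts) and protocol 2 entries in the separate known_hosts2 file, which is the file the ssh -v trace earlier in this archive reports (`Found key in /root/.ssh/known_hosts2:14`).

```c
/*
 * Added example, not OpenSSH code: build one known_hosts entry from the
 * contents of a host's public key file. This automates the manual
 * procedure from the post: prepend "name,address " and drop the trailing
 * "user@host" comment. Protocol 1 key lines are "BITS EXPONENT MODULUS
 * [comment]"; protocol 2 key lines are "ssh-rsa|ssh-dss BASE64 [comment]".
 * The sample key lines in main() are constructed and are not real keys.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Writes "names key-fields" into out. Returns 0, or -1 when the line is
 * blank, a comment, has fewer fields than a key needs, or does not fit. */
int mk_known_hosts_line(const char *names, const char *publine,
                        char *out, size_t outlen)
{
    const char *p = publine, *end;
    int want, i;

    while (*p == ' ' || *p == '\t')
        p++;
    if (*p == '\0' || *p == '\n' || *p == '#')
        return -1;
    /* A protocol 1 line starts with the key size in decimal. */
    want = isdigit((unsigned char)*p) ? 3 : 2;
    end = p;
    for (i = 0; i < want; i++) {
        while (*end == ' ' || *end == '\t')
            end++;
        if (*end == '\0' || *end == '\n')
            return -1;               /* fewer fields than a key needs */
        while (*end != '\0' && !isspace((unsigned char)*end))
            end++;                   /* skip over one field */
    }
    /* Everything from the first field to the end of the last wanted
     * field is the key; the comment after it is dropped. */
    if (snprintf(out, outlen, "%s %.*s", names, (int)(end - p), p)
        >= (int)outlen)
        return -1;
    return 0;
}

/* Convenience for checks: 1 if the entry built for 'names' equals 'expect'. */
int check_line(const char *names, const char *publine, const char *expect)
{
    char buf[1024];
    if (mk_known_hosts_line(names, publine, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expect) == 0;
}

int main(void)
{
    /* Constructed sample key lines (not real keys). */
    const char *rsa1 = "1024 35 123456789012345678901234567890 root@constructed\n";
    const char *dss  = "ssh-dss AAAAB3NzaC1kc3MAAACBAconstructed root@constructed\n";
    char buf[1024];

    if (mk_known_hosts_line("srv.example.org,192.0.2.10", rsa1, buf, sizeof buf) == 0)
        printf("known_hosts:  %s\n", buf);   /* protocol 1 entry */
    if (mk_known_hosts_line("srv.example.org,192.0.2.10", dss, buf, sizeof buf) == 0)
        printf("known_hosts2: %s\n", buf);   /* protocol 2 entry */
    return 0;
}
```

Building the file from the server's own ssh_host_key.pub, as Chantal does, has one advantage over answering the prompt on first connect: the key reaches the client through a path the administrator controls, so the fingerprint the client later checks is known to be the server's rather than whatever answered on port 22 the first time.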
From: celinn at mtu.edu (Christopher Linn)
Date: Wed, 4 Apr 2001 12:58:29 -0400
Subject: known_hosts
In-Reply-To: <5E1C5EB128EB6F40A86339FD644325F5010826E5@DCMAILEX.durhamc.on.ca>; from Chantal.Hunter@durhamc.on.ca on Wed, Apr 04, 2001 at 12:10:30PM -0400
References: <5E1C5EB128EB6F40A86339FD644325F5010826E5@DCMAILEX.durhamc.on.ca>
Message-ID: <20010404125829.B6682@mtu.edu>

On Wed, Apr 04, 2001 at 12:10:30PM -0400, Chantal Hunter wrote:
> Hello,
> I have just set-up SSH on my UNIX systems. I can connect to all of them
> just fine using Win32 client. But when I try to ssh from one UNIX system to
> another I keep getting this message:
> RSA1 key fingerprint is fa:a2:ac:d6:58:a6:48:0b:cc:13:ea:b7:d5:bd:fd:de.
> Are you sure you want to continue connecting (yes/no)?
>
> When I choose yes to the above message it just keeps looping through, never

when you answer yes, do you actually type out "yes"? simply typing "y" does not work. this has always been the way this particular question needs to be answered, all the way from the early versions of Tatu Ylonen's SSH.

cheers,

chris

--
Christopher Linn,                    | By no means shall either the CEC
Staff System Administrator           | or MTU be held in any way liable
Center for Experimental Computation  | for any opinions or conjecture I
Michigan Technological University    | hold to or imply to hold herein.

From kpachla at umich.edu Thu Apr 5 04:08:25 2001
From: kpachla at umich.edu (K. Pachla)
Date: Wed, 4 Apr 2001 14:08:25 -0400 (EDT)
Subject: Another prob. w/keygen on Sol8
Message-ID:

Hi All,

I'm seeing the same problem reported by Don Cooley on 3/30/01. Compiling OpenSSH 2.5.2p2 on Solaris 8, sun4u, 64bit using Sun's Forte 6 C compiler (-xarch=v9 option), /usr/ccs/bin/make and OpenSSL-0.9.6. RSA keygen works, DSA fails with Bus Error.

I already had DSA keys generated on my test machine that were generated with Openssh-2.3.0p1 and trying to start the 2.5.2p2 sshd daemon with those keys causes an error message that the keys can't load and disabling of SSH 2 protocol.

----------------------------------------------------------------
K. Pachla
LSA SST
University of Michigan
kpachla at umich.edu

From mouring at etoh.eviladmin.org Thu Apr 5 04:05:44 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 4 Apr 2001 13:05:44 -0500 (CDT)
Subject: compiler warnings about format strings
In-Reply-To:
Message-ID:

On Wed, 4 Apr 2001, Wayne Davison wrote:

> Is anyone bothered by the compiler warnings that indicate that the
> format strings don't match the associated variables? I was, so I cast
> most of the objectionable args (pids, uids, gids) to "long", and added
> an "l" (el) to the format string. A single item was cast to an int.
>
> Here's the patch. If you haven't applied my UseLogin patch, the line
> numbers in session.c will be offset by -16 lines.
>

What platform is this for? Majority of the platforms I'm on pid is defined as u_int/int not u_long/long so I don't personally see such mismatch errors.

- Ben

From wayne at blorf.net Thu Apr 5 04:47:46 2001
From: wayne at blorf.net (Wayne Davison)
Date: Wed, 4 Apr 2001 11:47:46 -0700 (PDT)
Subject: compiler warnings about format strings
In-Reply-To:
Message-ID:

On Wed, 4 Apr 2001 mouring at etoh.eviladmin.org wrote:
> What platform is this for? Majority of the platforms I'm on pid is
> defined as u_int/int not u_long/long so I don't personally see
> such mismatch errors.

I'm compiling on Solaris x86 v2.6. Pids, uids, & gids are all longs here (which just happens to be the same physical size as an int, but that's beside the point).

For maximum portability, the code should always cast a system-defined type (such as pid_t) when combining it with a fixed-size type format string (such as %d or %ld). Casting it up to "long" ensures that no data is lost (at least until "long long" pids come about :-) ).

..wayne..

From Markus.Friedl at informatik.uni-erlangen.de Thu Apr 5 06:05:01 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 4 Apr 2001 22:05:01 +0200
Subject: random openssh todo notes
Message-ID: <20010404220501.A1045@faui02.informatik.uni-erlangen.de>

fyi

http://wwwcip.informatik.uni-erlangen.de/~msfriedl/openssh/TODO

From kwolters at h2.com Thu Apr 5 07:05:21 2001
From: kwolters at h2.com (Keith Wolters)
Date: Wed, 04 Apr 2001 17:05:21 -0400
Subject: openssh-2.5.2p2 on RedHat 6.2-1
Message-ID: <3ACB8C91.974F6B58@h2.com>

I'm attempting to install openssh on my Linux machine.

I installed openssl-0.9.6 and then openssh. Everything appears to compile and the keys are generated. When I attempt to connect I get an error indicating an incorrect password. A system log entry from sshd indicates a failed password.

I get the same results both with and without PAM support, and with and without MD5 support.

From mouring at etoh.eviladmin.org Thu Apr 5 07:17:48 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 4 Apr 2001 16:17:48 -0500 (CDT)
Subject: openssh-2.5.2p2 on RedHat 6.2-1
In-Reply-To: <3ACB8C91.974F6B58@h2.com>
Message-ID:

On Wed, 4 Apr 2001, Keith Wolters wrote:

> I'm attempting to install openssh on my Linux machine.
>
> I installed openssl-0.9.6 and then openssh. Everything appears to
> compile and the keys are generated. When I attempt to connect I get an
> error indicating an incorrect password. A system log entry from sshd
> indicates a failed password.
>
> I get the same results both with and without PAM support, and with and
> without MD5 support.
>

If you're compiling w/ PAM support I assume you copied the right sshd.pam file to the correct /etc location.. On Redhat it would be /etc/pam.d/sshd.

- Ben

From jd108 at pacbell.net Wed Apr 4 23:19:40 2001
From: jd108 at pacbell.net (Joseph I. Davida)
Date: Wed, 04 Apr 2001 13:19:40 +0000
Subject: Building
Message-ID: <3ACB1F6C.D5A25AC1@pacbell.net>

After doing ./config and make install . . . .

if [ ! -d /usr/local/etc ]; then \
    ./mkinstalldirs /usr/local/etc; \
fi
if [ ! -f /usr/local/etc/ssh_config ]; then \
    /usr/bin/install -c -m 644 ssh_config.out /usr/local/etc/ssh_config; \
else \
    echo "/usr/local/etc/ssh_config already exists, install will not overwrite"; \
fi
/usr/bin/install: cannot stat `ssh_config.out': No such file or directory
make: *** [install-files] Error 1

Cheers,
Joe

From no at pad.zuken.de Thu Apr 5 03:31:20 2001
From: no at pad.zuken.de (no at pad.zuken.de)
Date: Wed, 04 Apr 2001 19:31:20 +0200
Subject: Solaris Install Inconsistency (Portable Release)
Message-ID: <3ACB5A67.189C06B@pad.zuken.de>

hello Openssh developers,

i am administrating a Solaris Network and installed the openssh2.5.2p2 server on one machine, the clients network-wide.

I had a problem with sftp and solved it, but maybe it is at least worth mentioning in the faq:

By default, the sftp subsystem is commented out in the sshd_config. Simply removing the comment does not work because the path of the sftpd executable is wrong, in the config-file it is /usr/local/sbin/sftpd, but make install has installed it under /usr/local/bin/sftp-server. This took me a while to find out, because the log-facilities regarding sftp are somewhat poor. If i set Logging to DEBUG or VERBOSE nothing can be read in the authlog (nor in messages), with INFO Loglevel, just the authentications are logged, if i start sftpclient with -v i got more to read in my shell, but not anything which could lead me to the idea that it couldn't find the executable of sftpd. This is a bit tricky.

We tried the sshd from ssh communications before, but it's not free, and i was missing the possibility to permit ssh just for some users. With openssh i found this feature at the first look. Well Done!

thank you for developing such an important piece of software,

bye,

Enno

--
ZUKEN GmbH * Vattmannstr. 3 * D-33100 Paderborn * Germany
Phone: +49 (0) 52 51-150 600 * Fax: +49 (0) 52 51-150 700
******* http://www.zuken.com * mailto:Enno.Ostendorf at zuken.de *******
Enno Ostendorf * http://www.supersmart.de * mailto:no at supersmart.de
Download PGP public key: http://www.supersmart.de/nopgp.askey

From lbohm at lightbridge.com Thu Apr 5 04:46:34 2001
From: lbohm at lightbridge.com (Louis Bohm)
Date: Wed, 04 Apr 2001 14:46:34 -0400
Subject: Getting a make error when compiling
Message-ID: <3ACB6C0A.30122BF7@lightbridge.com>

I would post this on the list but we are unable to get to the listservs from our site.

The problem is I am trying to compile OpenSSH 2.5.2p2 on Solaris 8 and having problems. OpenSSL is installed and Zlib is installed. The error I am getting is:

(cd openbsd-compat; make)
make: Fatal error: No arguments to build
Current working directory /opt/othersoftware/openssh-2.5.2p2/openbsd-compat
*** Error code 1
make: Fatal error: Command failed for target `openbsd-compat/libopenbsd-compat.a'

After running config I got the following:

OpenSSH configured has been configured with the following options.
    User binaries: /usr/local/bin
    System binaries: /usr/local/sbin
    Configuration files: /usr/local/etc
    Askpass program: /usr/local/libexec/ssh-askpass
    Manual pages: /usr/local/man/manX
    PID file: /var/run
    sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
    Random number collection: Builtin (timeout 200)
    Manpage format: man
    PAM support: no
    KerberosIV support: no
    AFS support: no
    S/KEY support: no
    TCP Wrappers support: no
    MD5 password support: no
    IP address in $DISPLAY hack: no
    Use IPv4 by default hack: no
    Translate v4 in v6 hack: no

    Host: sparc-sun-solaris2.8
    Compiler: gcc
    Compiler flags: -g -O2 -Wall
    Preprocessor flags: -I/usr/local/include -I/usr/local/ssl/include
    Linker flags: -L/usr/local/lib -R/usr/local/lib -L/usr/local/ssl/lib -R/usr/local/ssl/lib
    Libraries: -lz -lsocket -lnsl -lgen -lcrypto

WARNING: you are using the builtin random number collection service. Please read WARNING.RNG and request that your OS vendor includes /dev/random in future versions of their OS.

root at newdazed:/opt/othersoftware/openssh-2.5.2p2%

What am I doing wrong??? Please help me...

Thanks,
Louis

--
Systems Manager and Tivoli Support Geek
Lightbridge, Inc
67 South Bedford St.
Burlington MA 01832
781.359.4795
mailto:lbohm at lightbridge.com
http://www.lightbridge.com
Free Tivoli scripts at: http://www.microgeek.com

From blbates at vigyan.com Thu Apr 5 04:56:11 2001
From: blbates at vigyan.com (Brent L. Bates)
Date: Wed, 4 Apr 2001 14:56:11 -0400
Subject: Problem with latest OpenSSH - 2.5.2p2
Message-ID: <10104041456.ZM135795@vigyan.com>

We have been using OpenSSH version 2.3.0p1 for a couple of months now without problems. The same goes for several previous versions we have used over the last year. However, I have just installed version 2.5.2p2 and it is giving me some problems. If it were not for the latest security bulletins strongly suggesting we upgrade, I would reinstall the 2.3.0p1 version.

I am running on a SGI Indigo2 R10000 running IRIX64 6.5.11f. I downloaded the source, compiled, and installed the latest version just like I have for all previous versions. We are using OpenSSL version 0.9.6, downloaded October 9, 2000.

The problem I am seeing is that every once in a while I get the following error in the current OpenSSH connected window:

`read: Interrupted function call'

After this point, I can't type or do anything else in this `xwsh' window. I have to kill the entire window and start the window and connection all over again. This is completely repeatable. I get this error if I resize the window quickly several times. I have X Windows forwarding on.

Below is the line I use to configure OpenSSH:

configure --with-cflags="-n32 -mips4 -O3 -r10000 -TARG:processor=r10000:platform=ip28 -I/usr/local/include" --with-ldflags="-n32 -mips4 -L/usr/local/lib -Wl,-s,-x -Wl,-rpath,/usr/local/lib" --prefix=/usr/local --with-tcp-wrappers --with-prngd-socket=/var/adm/entropy --with-ssl-dir=/usr/local/lib --with-catman=man --mandir=/usr/share/man/local

Has anyone seen anything like this before? I did make two changes from previous compilations/installs. I've switched from using EGD for random numbers to PRNGD and I've added the TCP-Wrappers library. The switch to PRNGD doesn't seem to be a problem as I'm also running it on another system with the 2.3.0p1 version of OpenSSH and I see no problems there.

At this point, I've only seen the problem for `ssh/slogin' from this system to others. Incoming connections don't seem to have any problems, so I'm guessing the problem is with `ssh/slogin'.

If you have any suggestions, please let me know. Thanks.

From wendyp at cray.com Thu Apr 5 09:25:07 2001
From: wendyp at cray.com (Wendy Palm)
Date: Wed, 04 Apr 2001 18:25:07 -0500
Subject: Solaris UseLogin problems
References:
Message-ID: <3ACBAD53.18C437AE@cray.com>

i'd like to add my support to including this mod.

unicos machines need the utmp entry before login is called also. since unicos uses a database for user information, there are a lot of things that i had to add to openssh for logging in that would be best done with login() itself. this modification eliminated a lot of udb code.

thanks,
wendy

Wayne Davison wrote:
>
> I'm using openssh 2.5.2p2 on Solaris-x86 2.6. I ran into a couple
> problems when I set UseLogin to "yes":
>
> The big one seems to have been reported before: login refuses to run
> without a utmpx entry. This problem appears to have been caused by
> the changes in revision 1.24 of session.c. Before this revision, the
> record_login() function was always called, no matter how UseLogin was
> set (FYI, the comment for revision 1.24 is "cleanup login(1)-like
> jobs, no duplicate utmp entries".)
> ...
> What I did not notice was any problems with duplicated wtmpx entries
> like Matt did.
>
> Matt: What was the symptom you noticed that made you add the code to
> loginrec.c? Duplicated entries when running "w"? Or something else?
>
> ..wayne..
>

--
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154

From mouring at etoh.eviladmin.org Thu Apr 5 11:06:01 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 4 Apr 2001 20:06:01 -0500 (CDT)
Subject: Solaris Install Inconsistency (Portable Release)
In-Reply-To: <3ACB5A67.189C06B@pad.zuken.de>
Message-ID:

On Wed, 4 Apr 2001 no at pad.zuken.de wrote:

> hello Openssh developers,
>
> i am administrating a Solaris Network and installed the openssh2.5.2p2
> server on one machine, the clients network-wide.
>
> I had a problem with sftp and solved it, but maybe it is at least worth
> mentioning in the faq:
>
> By default, the sftp subsystem is commented out in the sshd_config.
> Simply removing the comment does not work because the path of the sftpd
> executable is wrong, in the config-file it is /usr/local/sbin/sftpd, but
> make install has installed it under /usr/local/bin/sftp-server. This

This is not consistent with any of my installs nor the CVS tree. sshd_config in 2.5.2 has 'subsystem' uncommented and the default before processing is:

Subsystem sftp /usr/libexec/sftp-server

As far as I know we have never named sftp server 'sftpd'. So I'm confused at what you're seeing here.

- Ben

From tomh at po.crl.go.jp Thu Apr 5 11:56:08 2001
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Thu, 5 Apr 2001 10:56:08 +0900 (JST)
Subject: random openssh todo notes
In-Reply-To: <20010404220501.A1045@faui02.informatik.uni-erlangen.de>
Message-ID:

On Wed, 4 Apr 2001, Markus Friedl wrote:

> http://wwwcip.informatik.uni-erlangen.de/~msfriedl/openssh/TODO

-> require multiple methods for user authentication (e.g. password AND public-key must both succeed to log in)

I think the patch submitted by Carson Gaspar to implement partial authentication does this.

-> specify the order of user authentication methods the client tries

PreferredAuthentications is already in 2.5.2p2.

---

By the way, is there any way to restrict the use of one authentication method until after another has been performed? For example, I would like to disallow pubkey logins until that user has performed at least one password login.

I can simulate this now by storing the private key on the server, so that the client must log in by password first, in order to GET the private key, which he can then load into the agent or whatever and do passwordless logins. This doesn't work, though, because the private key is permanent -- if there were an ephemeral key that would work better.

The goal is to get rid of stuff like this:

sshd[18736]: Accepted publickey for joe from 123.456.789.012 port 34567 ssh2

where that just pops up in the log out of nowhere, leading one to wonder if that's really joe or if some bad guy broke into joe's computer and got joe's private key. (joe is a travelling salesman so his IP address is allowed to be random.)

Partial auth doesn't do it because that only works WITHIN a session, not across sessions.

Dr. Tom Holroyd
"I am, as I said, inspired by the biological phenomena in which chemical forces are used in repetitious fashion to produce all kinds of weird effects (one of which is the author)." -- Richard Feynman, _There's Plenty of Room at the Bottom_

From carson at taltos.org Thu Apr 5 13:00:55 2001
From: carson at taltos.org (Carson Gaspar)
Date: Wed, 04 Apr 2001 20:00:55 -0700
Subject: [follow-up/fix] openssh 2.5.2p2 not allowing RSA authentication
In-Reply-To: <3ACB1CFF.43F0FDB0@cisco.com>
References: <3ACB1CFF.43F0FDB0@cisco.com>
Message-ID: <498597843.986414455@ZATHROS>

--On Wednesday, April 04, 2001 3:09 PM +0200 Jan Just Keijser wrote:

> the stat() on $HOME/.ssh/authorized_keys fails, which the server needs to
> read to determine whether RSA authentications are allowed. My bet about
> what's happening is this:
>
> sshd runs as euid root, gid 0
> auth-rsa.c switches to euid janjust, but does not change the egid using
> setegid()
> euid janjust, gid 0 does *NOT* have access to the directory /local/home
> with permissions 750
> the stat() call walks down the path of the file and runs into this
> permission problem and bails out, even though the user would have access
> to directories and files below the troublesome /local/home directory.

Calling setegid is not necessarily enough. You really should call initgroups() before calling seteuid() if you want the same access as the user. If you revert to root's uid, you'll have to call initgroups() again.

--
Carson Gaspar - carson at taltos.org
Queen trapped in a butch body

From rmoss at CDS.CA Thu Apr 5 15:02:04 2001
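The failure Jan Just traced with gdb, and Carson's point that setegid() alone is not enough, can both be checked without root by modelling the permission walk that stat(2) performs on each directory of a path. The following is an added example in C; it is not OpenSSH code and not from any message in this thread. The uids, gids, names and modes are constructed to match the listing in Jan Just's message (the setgid bits on the directories are left out because they play no part in the search check), and the third scenario goes beyond the thread's own case to the one initgroups() is needed for.

```c
/*
 * Added example, not OpenSSH code: a small model of the Unix permission
 * check that stat(2) performs on every directory of a path. It reproduces
 * the failure from the thread: sshd did seteuid(janjust) but kept egid 0,
 * so the search (x) check on /local/home (mode 0750, owner root, group
 * users) was made as "uid janjust, gid root" and failed with EACCES.
 * All uids, gids, names and modes below are constructed for the example.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define UID_ROOT    0
#define UID_JANJUST 1001   /* constructed */
#define GID_ROOT    0
#define GID_USERS   100    /* constructed */
#define GID_STAFF   200    /* constructed: a primary gid other than "users" */
#define MAX_GROUPS  8

struct cred {
    unsigned uid, gid;               /* effective uid and gid */
    unsigned ngroups;
    unsigned groups[MAX_GROUPS];     /* supplementary groups (initgroups) */
};

struct node {                        /* one path component */
    const char *name;
    unsigned owner, group;
    unsigned mode;                   /* permission bits only */
};

static int in_groups(const struct cred *c, unsigned gid)
{
    unsigned i;
    if (c->gid == gid)
        return 1;
    for (i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return 1;
    return 0;
}

/* Classic owner/group/other check. 'bit' is the owner-class bit
 * (S_IRUSR, S_IWUSR or S_IXUSR); it is shifted for group and other. */
static int may(const struct cred *c, const struct node *n, unsigned bit)
{
    if (c->uid == UID_ROOT)
        return 1;                    /* root bypasses DAC (kept simple) */
    if (c->uid == n->owner)
        return (n->mode & bit) != 0;
    if (in_groups(c, n->group))
        return (n->mode & (bit >> 3)) != 0;
    return (n->mode & (bit >> 6)) != 0;
}

/* Model of stat(2): the caller needs search (x) permission on every
 * directory leading to the file, not on the file itself. Returns 0 or
 * EACCES; *failed_at receives the index of the first unsearchable dir. */
static int model_stat(const struct cred *c, const struct node *path,
                      size_t n, size_t *failed_at)
{
    size_t i;
    for (i = 0; i + 1 < n; i++) {    /* path[n - 1] is the file */
        if (!may(c, &path[i], S_IXUSR)) {
            if (failed_at)
                *failed_at = i;
            return EACCES;
        }
    }
    return 0;
}

/* The listing from the thread (setgid bits on the directories omitted). */
static const struct node authorized_keys_path[] = {
    { "local",           UID_ROOT,    GID_ROOT,  0755 },
    { "home",            UID_ROOT,    GID_USERS, 0750 },  /* the 750 dir */
    { "janjust",         UID_JANJUST, GID_USERS, 0755 },
    { ".ssh",            UID_JANJUST, GID_USERS, 0700 },
    { "authorized_keys", UID_JANJUST, GID_USERS, 0600 },
};
#define PATH_LEN (sizeof authorized_keys_path / sizeof authorized_keys_path[0])

/* seteuid(user) only, egid left at 0: the behaviour reported in the thread. */
int scenario_euid_only(void)
{
    struct cred c = { UID_JANJUST, GID_ROOT, 0, { 0 } };
    return model_stat(&c, authorized_keys_path, PATH_LEN, NULL);
}

/* setegid(pw->pw_gid) before seteuid(): the posted hack. */
int scenario_setegid(void)
{
    struct cred c = { UID_JANJUST, GID_USERS, 0, { 0 } };
    return model_stat(&c, authorized_keys_path, PATH_LEN, NULL);
}

/* The case setegid() alone cannot fix: the user's primary group is not
 * "users"; membership comes only from the supplementary list, which is
 * what initgroups() would install. */
int scenario_supplementary(int with_initgroups)
{
    struct cred c = { UID_JANJUST, GID_STAFF, 0, { 0 } };
    if (with_initgroups) {
        c.ngroups = 1;
        c.groups[0] = GID_USERS;
    }
    return model_stat(&c, authorized_keys_path, PATH_LEN, NULL);
}

int main(void)
{
    struct cred c = { UID_JANJUST, GID_ROOT, 0, { 0 } };
    size_t at = 0;
    if (model_stat(&c, authorized_keys_path, PATH_LEN, &at) != 0)
        printf("euid only: %s at /%s\n", strerror(EACCES),
               authorized_keys_path[at].name);
    printf("setegid: %d, primary gid staff: %d, staff + initgroups: %d\n",
           scenario_setegid(), scenario_supplementary(0),
           scenario_supplementary(1));
    return 0;
}
```

Two things the model makes visible. With euid janjust and egid still 0 the walk stops at /local/home, because the group test is made against root's group rather than the user's; setting the egid before the euid fixes exactly this case, and the order matters because once the process has given up euid 0 it can no longer change its gid, which is what the posted hack ran into. When the user belongs to "users" only through a supplementary group, setegid(pw->pw_gid) still fails the same test; only the full group list, which is what initgroups() installs, gives sshd the same view of the file system as the user's own login, and after the check root has to be restored in the reverse order (seteuid(0) first, then the gid and group list).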
From: rmoss at CDS.CA (Roland Moss)
Date: Thu, 5 Apr 2001 01:02:04 -0400
Subject: Roland Moss/TOR/CDS is out of the office.
Message-ID: <85256A25.001D17DA.00@CDSSMTP1.CDS.CA>

I will be out of the office starting 04/02/2001 and will not return until 04/09/2001.

I am away on course and I will respond to your message when I return.

The information in this e-mail is confidential and may be legally privileged. It is intended solely for the addressee. Access to this e-mail by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. When addressed to our participants or other clients, any information contained in this e-mail is subject to the terms and conditions expressed in any applicable agreement governing the use of CDS services.

From brett at pulse.itd.uts.edu.au Thu Apr 5 15:32:27 2001
From: brett at pulse.itd.uts.edu.au (Brett Morgan)
Date: Thu, 5 Apr 2001 15:32:27 +1000
Subject: JNI Wrappering OpenSSH ?
Message-ID: <20010405153227.E27705@pulse.itd.uts.edu.au>

I am currently toying with various avenues for doing some secured file transfers from a javaland process. Realistically on the server side the thing I want is OpenSSH's sftp server. My question is, on the client side, how to get java to talk ssh2 secsh file xfer.

Would a sane approach be to find the appropriate points of OpenSSH and turn it into a java library by liberal application of JNI, or should I be turning my hand at using JCE to implement a ssh2 comms lib?

Pros / Cons / Ideas / Flames all appreciated...

brett

--
email: Brett.Morgan at uts.edu.au
Only democracy saves us from the ravages of being animals.

From epl at myriad.its.unimelb.edu.au Thu Apr 5 16:46:08 2001
From: epl at myriad.its.unimelb.edu.au (Edmund Lam)
Date: Thu, 5 Apr 2001 16:46:08 +1000 (AEST)
Subject: 2.5.2 cannot handle 2048bit DSA keys?
Message-ID:

Hi,

I believe I may have found a bug with OpenSSH 2.5.2p2 My guess would be that it exists with 2.5.x, though my only experience so far has been ONLY with Red Hat's RPMS openssh-2.5.2p2-1.7.i386.rpm and openssh-2.5.2p2-1.7.2.i386.rpm

It seems that ssh-keygen can generate a large DSA identity key easily (ssh-keygen -t dsa -b 2048), but that ssh itself cannot handle such a large key and fails. In particular, an error message is from key.c:421 of the source (openssh-2.5.2p2.tar.gz). On the screen, it displays

===
key_read: uudecode AAAAB3NzaC1kc3...
...
===

but interestingly, does NOT print the final "failed".

Since DSA identity keys are only used with protocol 2, that is what I've tested so far. I have NOT tested OpenSSH with large RSA1 or RSA keys. Furthermore, this bug may also occur with host keys, but again I have not tested.

Lastly, I agree that there is limited amount of extra security afforded by a 2048bit key, but that isn't the point here.

Note that I am NOT subscribed to this list. Therefore, I'd like to have replies and any eventual resolution CC'ed to me please.

Thanks

Eddie

From mats at mindbright.se Thu Apr 5 17:18:30 2001
From: mats at mindbright.se (Mats Andersson)
Date: Thu, 5 Apr 2001 09:18:30 +0200 (MEST)
Subject: JNI Wrappering OpenSSH ?
In-Reply-To: <20010405153227.E27705@pulse.itd.uts.edu.au>
Message-ID:

Hi,

On Thu, 5 Apr 2001, Brett Morgan wrote:

> client side, how to get java to talk ssh2 secsh file xfer.
>
> Would a sane approach be to find the appropriate points of OpenSSH and
> turn it into a java library by liberal application of JNI, or should I
> be turning my hand at using JCE to implement a ssh2 comms lib?

Depending on what you are going to do we have an ssh2 implementation in pure java including the sftp protocol. Currently it's a binary demo (in the form of a simple ssh client). It will be available in source form also later on (free for non-commercial use). See www.mindbright.se/mindterm for more info on licensing etc.

Cheers,
/Mats

From slade at shore.net Thu Apr 5 18:09:18 2001
From: slade at shore.net (Richard E. Silverman)
Date: Thu, 5 Apr 2001 04:09:18 -0400
Subject: bug in channel_still_open() ?
Message-ID: <200104050809.EAA17948@syrinx.oankali.net>

channel_still_open() does not count "larval" channels as open. If the server sets up a protocol 2 connection with no remote command (as with "ssh -N ..."), the "server-session" channel remains larval, and the server exits as soon as it notices that there are no open channels besides this one. Typically, it exits right after the first use of a port forwarding closes.

Below I'm appending a post I just made to comp.security.ssh, with a patch which fixes the problem. I don't know if it's the right thing to do, though. I'm guessing that not counting larval channels might have been a mistake. Perhaps counting them will cause some other problem, though, and the right fix is something else?

--
Richard Silverman
slade at shore.net

============================================================================
Newsgroups: comp.security.ssh
Subject: Re: POP3 Tunnel Closes on Second Connection
References: <3AC4AAE0.4EE58BE9 at well.com>
From: slade at shore.net (Richard E. Silverman) Date: 05 Apr 2001 03:56:34 -0400 Message-ID: Lines: 40 > We have set up a local server to tunnel pop3 connections to our "real" > mail server, using ssh2 local port forwarding: > > ssh -f -g -l {user} -L 110:mailserver:110 -N -P mailserver > > The first time we make a pop3 connection to the local server, everything > works fine: the connection is forwarded across the ssh tunnel to the > remote mail server, and we retrieve our mail. The second time we attempt > a pop3 connection, the remote mail server drops the ssh connection. > > What is going on? What is the fix? This appears to be a bug; it doesn't happen if you e.g. remove the -f -N. The problem is that without a session channel, OpenSSH uses a sort of placeholder channel of a special internal type which does not get counted as "open", so sshd thinks that all channels are closed and exits. I think the fact you get even one chance is an accident. A quick fix is this: --- channels.c Thu Apr 5 03:53:30 2001 +++ channels.c.new Thu Apr 5 03:54:56 2001 @@ -1503,7 +1503,6 @@ case SSH_CHANNEL_LARVAL: if (!compat20) fatal("cannot happen: SSH_CHANNEL_LARVAL"); - continue; case SSH_CHANNEL_OPENING: case SSH_CHANNEL_OPEN: case SSH_CHANNEL_X11_OPEN: (That is, remove the "continue" statement.) I'm not 100% sure this is the right fix, though; I'm going to post to the OpenSSH developers list and see what they say. -- Richard Silverman slade at shore.net ============================================================================ From Markus.Friedl at informatik.uni-erlangen.de Thu Apr 5 18:14:47 2001 
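Review bot: Removing the `continue` in the SSH_CHANNEL_LARVAL case makes the larval channel fall through into the OPENING/OPEN arm and be counted, but it answers the symptom rather than the question the poster himself raises: once a permanent larval channel counts as open, nothing on the server side can ever decide that a "-N" session is finished from the channel count, so the reviewer has to decide whether the v2 server loop should consult channel_still_open() for its exit decision at all, and a patch that stops the v2 loop from exiting on channel count (leaving the transport close to the client) is the change to propose. If the fallthrough is kept, add a "/* FALLTHROUGH */" comment after the `fatal()` so the case label order is visibly deliberate.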
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 5 Apr 2001 10:14:47 +0200 Subject: bug in channel_still_open() ? In-Reply-To: <200104050809.EAA17948@syrinx.oankali.net>; from slade@shore.net on Thu, Apr 05, 2001 at 04:09:18AM -0400 References: <200104050809.EAA17948@syrinx.oankali.net> Message-ID: <20010405101447.C3040@faui02.informatik.uni-erlangen.de> On Thu, Apr 05, 2001 at 04:09:18AM -0400, Richard E. Silverman wrote: > > channel_still_open() does not count "larval" channels as open. If the server > sets up a protocol 2 connection with no remote command (as with "ssh -N ..."), > the "server-session" channel remains larval, and the server exits as soon as > it notices that there are no open channels besides this one. Typically, it > exits right after the first use of a port forwarding closes. > > Below I'm appending a post I just made to comp.security.ssh, with a patch > which fixes the problem. I don't know if it's the right thing to do, though. > I'm guessing that not counting larval channels might have been a mistake. > Perhaps counting them will cause some other problem, though, and the right fix > is something else? it depends on what $ ssh -N -L xxx should do. how do you close the ssh session if a "larval" channel counts as 'open'? -m From res at shore.net Thu Apr 5 19:07:24 2001 
From: res at shore.net (Richard E. Silverman) Date: Thu, 5 Apr 2001 05:07:24 -0400 (EDT) Subject: bug in channel_still_open() ? In-Reply-To: <20010405101447.C3040@faui02.informatik.uni-erlangen.de> Message-ID: On Thu, 5 Apr 2001, Markus Friedl wrote: > it depends on what > $ ssh -N -L xxx > > should do. I think users expect it to behave just as it would without the -N, except that stdin/out/err are not connected to a remote program. That is, it should persist, performing port forwarding, until the user kills it. Having a mode in which a forwarding goes away the second time its instance count hits zero is also useful; SSH2 has "one-shot" forwardings (-fo) for that purpose. > how do you close the ssh session if a "larval" channel counts a 'open'? I'm not clear on the use of the "larval" state in the OpenSSH code, which is why I phrased it as a question. Since -N removes the usual ways to close the SSH connection (exit the remote shell/command, type "~.", etc.), the user has to kill the client manually with ^C, "kill", etc. anyway. The code appears to assume that normally, the server should end the SSH session when there are no open channels remaining. This only seems reasonable if you think about the typical behavior of a standard command-line SSH client; I don't think it's correct in general. There need not be any session channel, larval or otherwise. The OpenSSH client always opens a channel which it calls "client-session", even with -N; it just never issues an SSH "exec" request on it if -N is given. But there's no protocol requirement for this -- the ssh.com Windows client, when given the analogous option ("disable terminal" checkbox), establishes no channels at all. More generally, I see no reason to assume that a channel count of 0 in the connection protocol means that the transport should be closed. 
I think a client should expect to be able to establish a transport session, start the connection protocol, start some channels for whatever purposes, close them all, wait an hour, and then start some more channels. -- Richard Silverman slade at shore.net From esm at pobox.com Thu Apr 5 22:36:00 2001 From: esm at pobox.com (Eduardo Santiago) Date: Thu, 05 Apr 2001 06:36:00 -0600 Subject: [PATCH]: ssh-add and multiple keys Message-ID: <20010405123605.C96EE184DE@dsl081-105-106.den1.dsl.speakeasy.net> Greetings, The enclosed patch to ssh-add.c (from OpenSSH 2.5.2p2) changes the behavior of ssh-add when called with no arguments. Instead of defaulting to ~/.ssh/identity, it checks for the existence of, and processes if it exists, each of the following (from pathnames.h): _PATH_SSH_CLIENT_IDENTITY ~/.ssh/identity _PATH_SSH_CLIENT_ID_DSA ~/.ssh/id_dsa _PATH_SSH_CLIENT_ID_RSA ~/.ssh/id_rsa I understand the arguments against this sort of thing; I even agree that the clueful user should explicitly specify the keys. However, the defaults are already there. ssh-keygen and ssh default to these, and it is confusing that ssh-add does not. Thanks to all for your efforts; OpenSSH is a terrific product. ^E -- Ed Santiago Toolsmith esm at pobox.com -------------- next part -------------- --- ssh-add.c.ORIG Tue Apr 3 12:51:55 2001 +++ ssh-add.c Tue Apr 3 18:32:45 2001 @@ -287,6 +287,11 @@ add_file(ac, argv[i]); } if (no_files) { + char *ident_files[] = { _PATH_SSH_CLIENT_IDENTITY, + _PATH_SSH_CLIENT_ID_DSA, + _PATH_SSH_CLIENT_ID_RSA }; + struct stat st; + pw = getpwuid(getuid()); if (!pw) { fprintf(stderr, "No user found with uid %u\n", 
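Review bot: In the first ssh-add.c hunk `ident_files[]` holds string literals from pathnames.h, so declare it `static const char *ident_files[]` rather than `char *`, and the `struct stat st` it introduces is used only as an existence probe in the next hunk: stat() followed by add_file() is a check-then-use pair on a path the user controls, and add_file() already reports a key it cannot open, so calling add_file() directly and treating a missing file as "skip" would avoid both the race and the second lookup. Also, `i` is reused from the argv loop; comparing it against `sizeof(ident_files) / sizeof(ident_files[0])` mixes a signed counter with a size_t, so use a size_t index for the new loop.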
@@ -294,11 +299,17 @@ ssh_close_authentication_connection(ac); exit(1); } - snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir, _PATH_SSH_CLIENT_IDENTITY); - if (deleting) - delete_file(ac, buf); - else - add_file(ac, buf); + + /* Default (no args): try to load all "standard" ID files */ + for (i=0; i < sizeof(ident_files) / sizeof(ident_files[0]); i++) { + snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir, ident_files[i]); + if (stat(buf, &st) == 0) { + if (deleting) + delete_file(ac, buf); + else + add_file(ac, buf); + } + } } ssh_close_authentication_connection(ac); exit(0); From kwolters at h2.com Fri Apr 6 00:26:17 2001 From: kwolters at h2.com (Keith Wolters) Date: Thu, 5 Apr 2001 10:26:17 -0400 Subject: openssh-2.5.2p2 on RedHat 6.2-1 In-Reply-To: Message-ID: My ssh works now after rebuilding ssl and ssh. Not sure what it was that changed, but it works. Thanks for your help, those who replied with suggestions. From armin.kunaschik at varetis.de Fri Apr 6 01:15:44 2001 From: armin.kunaschik at varetis.de (Armin Kunaschik) Date: Thu, 05 Apr 2001 17:15:44 +0200 Subject: Variable path to ssh_prng_cmds? Message-ID: <3ACC8C20.49BD97B5@varetis.de> Hi there, I have all my additional software mounted from one central place. Therefore I'm trying to limit all unnecessary local files. Local config files are ok... e.g. keys, ssh_config etc, but why needs ssh_prng_cmds to be in /etc? So why not put it into $bindir? There are no problems doing this with a few manual fixes. So are there any security concerns? Is it possible to make this a configuration option in the future? Best regards, Armin From mouring at etoh.eviladmin.org Fri Apr 6 03:17:16 2001 
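Review bot: In the second ssh-add.c hunk (the `@@ -294,11 +299,17 @@` one above) the new loop is silent when none of the three default files exists: the code it replaces always called add_file()/delete_file() on ~/.ssh/identity, which reports a file it cannot open, whereas the loop's `if (stat(buf, &st) == 0)` skips every missing file without a word and the function then reaches `exit(0)`, so a user with no default key gets a successful-looking no-op. Count the files actually processed and print a diagnostic (and exit non-zero) when the count is zero, and update ssh-add.1, which still documents a single default identity file, to list the three paths now tried.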
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 5 Apr 2001 12:17:16 -0500 (CDT) Subject: Variable path to ssh_prng_cmds? In-Reply-To: <3ACC8C20.49BD97B5@varetis.de> Message-ID: On Thu, 5 Apr 2001, Armin Kunaschik wrote: > Hi there, > > I have all my additional software mounted from one central place. > Therefore I'm trying to limit all unnecessary local files. > Local config files are ok... e.g. keys, ssh_config etc, but why > needs ssh_prng_cmds to be in /etc? So why not put it into $bindir? > There are no problems doing this with a few manual fixes. So > are there any security concerns? Is it possible to make this a > configuration option in the future? > I don't agree with 'ssh_prng_cmds' being in $bindir. It's a configuration file, and therefore should be in /etc or ${PREFIX}/etc. Putting it in ${BINDIR} is illogical and not something that people would think of without referring to any technical notes you leave behind if you were to leave for vacation or a new job. However, I suggest you really use PRNGd instead of the built in entropy generation if you can. You get higher quality entropy and you don't have to worry about 'ssh_prng_cmds' in /etc. - Ben From wooledg at eeg.ccf.org Fri Apr 6 05:19:54 2001 
From: wooledg at eeg.ccf.org (Greg Wooledge) Date: Thu, 5 Apr 2001 15:19:54 -0400 Subject: HP-UX 9 problems (hangs on logout; tty isn't sane) Message-ID: <20010405151954.D384@imadev.eeg.ccf.org> I'm trying to get OpenSSH 2.5.2p2 to run on HP-UX 9.05. I've had some decent results, but I'm also seeing some problems. I'm using the EGD (I configured with --with-prngd-socket=/tmp/entropy). * Compiling required some changes, which I've attached. Two of the changes are "hackish", and not at all suited to inclusion in the source tree, but they might point someone in the right direction for a more robust solution. The seteuid() "hack" isn't too bad, though the comments are a bit excessive. (Upshot: HP-UX 9.05 has setuid() and setresuid() but not seteuid() or setreuid(); RLIMIT_CORE is only defined if _KERNEL is defined (it's labeled "unsupported BSD stuff" in ); and the "#ifdef __hpux" stuff in auth-passwd.c doesn't work on 9.05. Ugh.) * "ssh localhost command" works just fine, as does "ssh remotehost command". * "ssh remotehost" works just fine (the remote host is running ssh.com's sshd2 on Linux). * "ssh localhost" (no command) works fine *until* I try to logout. When I press Ctrl-D, the ssh client "hangs". I've read the FAQ, and no, I'm *not* running background jobs. "shopt -s huponexit" had no effect. In order to get control back in the terminal that ran "ssh localhost", I have to kill the ssh process from another window. * If I connect to the HP-UX sshd using Putty on a Win32 box, the terminal doesn't act correctly. Symptoms: + \n -> CRLF translation is not being performed; the MOTD "stair steps". I can work around this by running "stty sane". + Commands that I type are not echoed on the screen (and their output "stair steps", as above). I can work around this one by running "stty echo". + When I logout, Putty does not terminate -- I get the same "hang" problem that I have when I use "ssh localhost". Workaround for this is to close the Putty window (click the [X]). 
(For what it's worth, if I connect to the same HP-UX system using Putty's telnet client, from the very same Win32 box, I don't have any of these problems.) * If I connect to the HP-UX sshd from the Linux system (using the ssh.com ssh client), I get very similar symptoms -- "stair steps", no echo, hang on logout. "stty sane" works around it. * When I login (with either ssh or Putty), the current directory seems to be set strangely. This environment uses NFS and NIS extensively. Rather than try to explain, I'll just paste: imadev:~$ grep $LOGNAME /etc/passwd +wooledg::0:0:::/usr/local/bin/bash imadev:~$ ypmatch $LOGNAME passwd wooledg:XXXXXXXXXXXXX:563:22:Greg Wooledge:/net/home/wooledg:/bin/ksh imadev:~$ ypmatch /net/home auto.master auto.home -rw,hard,intr imadev:~$ ypmatch $LOGNAME auto.home imadev:/usrs/wooledg imadev:~$ ls -ld /net/home/wooledg lrwxrwxrwx 1 root root 13 Apr 5 14:51 /net/home/wooledg -> /usrs/wooledg imadev:~$ ls -ld /usrs/wooledg drwxr-xr-x 12 wooledg pgmr 1024 Apr 5 14:38 /usrs/wooledg Now, when I login "normally" (on the console, or via telnetd), my home directory is set to "/net/home/wooledg" and my login shell begins its life in that directory. However, when I login through sshd, my login shell starts in "/usrs/wooledg" instead of "/net/home/wooledg", despite the fact that $HOME gets set to "/net/home/wooledg". I have to "cd" to get my bash prompt to expand "\w" to "~". (This is a relatively minor problem; it just takes a lot of explaining. I can certainly live with this one... it's the others that worry me.) I attempted some basic diagnostics myself. When I run sshd with the "-d" option and connect to it, it looks like this: debug1: Allocating pty. debug1: Setting controlling tty using TIOCSCTTY.debug1: Entering interactive session. 
debug1: fd 3 setting O_NONBLOCK debug1: fd 8 IS O_NONBLOCK debug1: server_init_dispatch_13 debug1: server_init_dispatch_15 ioctl(TIOCSCTTY): Invalid argument When I logout of the session: debug1: Received SIGCHLD. When I kill the ssh client: Connection closed by remote host. debug1: Calling cleanup 0x40009202(0x40015688) debug1: pty_cleanup_proc: /dev/ttypb debug1: Calling cleanup 0x400092fa(0x0) If I start the sshd with "-d -d -d", I get an infinite stream of: debug3: tvp!=NULL kid 1 mili 100 debug3: tvp!=NULL kid 1 mili 100 after logging out of the session, until I kill the ssh client. -------------- next part -------------- *** auth-passwd.c.orig Thu Apr 5 10:29:48 2001 --- auth-passwd.c Thu Apr 5 10:36:55 2001 *************** *** 46,51 **** --- 46,53 ---- #include "servconf.h" #include "auth.h" + #undef __hpux /* This must be for 10.x... doesn't work on 9. -GJW */ + #ifdef WITH_AIXAUTHENTICATE # include #endif *** includes.h.orig Thu Apr 5 10:08:23 2001 --- includes.h Thu Apr 5 10:08:57 2001 *************** *** 27,33 **** --- 27,36 ---- #include #include #include + + #define _KERNEL /* RLIMIT_CORE undefined without this -GJW */ #include + #undef _KERNEL /* -GJW */ #include #include *** uidswap.c.orig Thu Apr 5 10:19:08 2001 --- uidswap.c Thu Apr 5 10:24:28 2001 *************** *** 17,22 **** --- 17,59 ---- #include "log.h" #include "uidswap.h" + #ifndef HAS_SETEUID + /* Linux man page says: + + int setreuid(uid_t ruid, uid_t euid); + int seteuid(uid_t euid); + + setreuid sets real and effective user ID's of the current process. + Un-privileged users may change the real user ID to the effective + user ID and vice-versa. + + [...] + + Currently seteuid(euid) is functionally equivalent to setreuid(-1, euid). + + HP-UX man page says: + + int setresuid(uid_t ruid, uid_t euid, uid_t suid); + + setresuid() sets the real, effective and/or saved user ID of the calling + process. 
+ + If the current real, effective or saved user ID is equal to that of a + user with having appropriate privileges, setresuid() sets the real, + effective and saved user IDs to ruid, euid, and suid, respectively. + Otherwise, setresuid() only sets the real, effective, and saved user + IDs if ruid, euid, and suid each match at least one of the current + real, effective, or saved user IDs. + + If ruid, euid, or suid is -1, setresuid() leaves the current real, + effective or saved user ID unchanged. + */ + int seteuid(uid_t euid) + { + return setresuid(-1, euid, -1); + } + #endif /* HAS_SETEUID */ + /* * Note: all these functions must work in all of the following cases: * 1. euid=0, ruid=0 From markus.friedl at informatik.uni-erlangen.de Fri Apr 6 06:30:04 2001 
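Review bot: In the auth-passwd.c hunk the file-scope `#undef __hpux` switches off every `#ifdef __hpux` block that follows in that file, on every HP-UX release, not just the one block that fails on 9.05, and the comment does not say which symbol or call is missing there; guard the 10.x-only code on a feature that configure can detect (or on a release macro) so that 10.x keeps its current behaviour and 9.05 skips only the part it lacks.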
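Review bot: In the includes.h hunk the `#define _KERNEL` around the resource header is unconditional, so it applies on every platform that builds includes.h, and on the one platform it targets it exposes kernel-only declarations (the header itself labels them "unsupported BSD stuff") to user code solely to obtain RLIMIT_CORE; at minimum wrap it in `#ifdef __hpux`, and the portable fix is to compile the core-limit code under `#ifdef RLIMIT_CORE` (or a configure check) and skip it where the constant is not provided for user space.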
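Review bot: In the uidswap.c hunk the guard `#ifndef HAS_SETEUID` does not follow the HAVE_ convention that configure's AC_CHECK_FUNCS writes into config.h, and nothing in the patch defines it, so the replacement `seteuid()` is compiled on every platform and will collide with the libc one wherever a real seteuid() exists; test `HAVE_SETEUID` instead, move the shim out of uidswap.c into openbsd-compat/ with a prototype in the matching header, write the "unchanged" arguments as `(uid_t)-1` since uid_t is unsigned, and trim the two quoted man pages to the one sentence that justifies `setresuid(-1, euid, -1)`.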
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 5 Apr 2001 22:30:04 +0200 Subject: bug in channel_still_open() ? In-Reply-To: ; from res@shore.net on Thu, Apr 05, 2001 at 05:07:24AM -0400 References: <20010405101447.C3040@faui02.informatik.uni-erlangen.de> Message-ID: <20010405223004.A4275@folly> On Thu, Apr 05, 2001 at 05:07:24AM -0400, Richard E. Silverman wrote: > The code appears to assume that normally, the server should end the SSH > session when there are no open channels remaining. This only seems > reasonable if you think about the typical behavior of a standard > command-line SSH client; I don't think it's correct in general. There > need not be any session channel, larval or otherwise. The OpenSSH client > always opens a channel which it calls "client-session", even with -N; it > just never issues an SSH "exec" request on it if -N is given. But there's > no protocol requirement for this -- the ssh.com Windows client, when given > the analogous option ("disable terminal" checkbox), establishes no > channels at all. thanks, i changed this in openssh-current. this is very old code > More generally, I see no reason to assume that a channel count of 0 in the > connection protocol means that the transport should be closed. I think a > client should expect to be able to establish a transport session, start > the connection protocol, start some channels for whatever purposes, close > them all, wait an hour, and then start some more channels. all this is due to a reuse of protocol v1 code, about a year ago i did not know less about v2 than i know today. -m From stas at peterstar.com Fri Apr 6 18:41:34 2001 
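A toy model of the two behaviours argued over in this thread, written for this page and not taken from OpenSSH: a small channel table using OpenSSH's state names, an open-count that either skips SSH_CHANNEL_LARVAL (the old `continue`) or counts it (the posted patch), and the "ssh -N -L" scenario from the comp.security.ssh post. Everything except the state names (the table size, the scenario functions, the counting rule) is an assumption of this example.

```c
/*
 * Added example, not OpenSSH code: models channel_still_open() with and
 * without the "continue" for larval channels, and the "ssh -N -L" case
 * in which the server-side session channel never leaves LARVAL because
 * the client never sends an "exec" request.
 */
#include <stdio.h>

/* State names mirror OpenSSH's SSH_CHANNEL_* constants. */
enum chan_state { CH_FREE, CH_LARVAL, CH_OPENING, CH_OPEN, CH_CLOSED };

#define MAX_CHANNELS 8                     /* table size: our choice */
static enum chan_state channels[MAX_CHANNELS];

static void reset_channels(void)
{
    int i;
    for (i = 0; i < MAX_CHANNELS; i++)
        channels[i] = CH_FREE;
}

/* Returns the index of a free slot now set to st, or -1 if the table is full. */
static int alloc_channel(enum chan_state st)
{
    int i;
    for (i = 0; i < MAX_CHANNELS; i++) {
        if (channels[i] == CH_FREE) {
            channels[i] = st;
            return i;
        }
    }
    return -1;
}

/*
 * skip_larval = 1 reproduces the old code (larval channels are skipped),
 * skip_larval = 0 reproduces the patch (larval channels count as open).
 * Returns 1 if at least one channel counts as open, 0 otherwise.
 */
int channel_still_open(int skip_larval)
{
    int i, open = 0;
    for (i = 0; i < MAX_CHANNELS; i++) {
        switch (channels[i]) {
        case CH_LARVAL:
            if (skip_larval)
                continue;          /* old behaviour: not "open" */
            /* FALLTHROUGH */
        case CH_OPENING:
        case CH_OPEN:
            open++;
            break;
        default:
            break;
        }
    }
    return open > 0;
}

/*
 * "ssh -f -N -L 110:mailserver:110": the server-session channel stays
 * LARVAL; one forwarded POP3 connection is opened and then closed by the
 * mail client. Returns 1 if the server would still see an open channel
 * (and keep the connection up), 0 if it would exit.
 */
int server_survives_first_forward(int skip_larval)
{
    int fwd;
    reset_channels();
    alloc_channel(CH_LARVAL);          /* "server-session", no exec request */
    fwd = alloc_channel(CH_OPEN);      /* first forwarded connection */
    channels[fwd] = CH_CLOSED;         /* mail fetched, connection closed */
    return channel_still_open(skip_larval);
}

/*
 * Markus's counter-question: with only the larval session present, can
 * the channel count alone ever say the session is finished?
 */
int session_ends_on_channel_count(int skip_larval)
{
    reset_channels();
    alloc_channel(CH_LARVAL);
    return !channel_still_open(skip_larval);
}

int main(void)
{
    printf("old rule : up after first forward closes? %d\n",
           server_survives_first_forward(1));
    printf("patched  : up after first forward closes? %d\n",
           server_survives_first_forward(0));
    printf("patched  : bare -N session ends on count?  %d\n",
           session_ends_on_channel_count(0));
    return 0;
}
```

With the old rule the first scenario returns 0 (the server exits the moment the forward closes, which is the POP3 symptom), with the patch it returns 1; the third call returns 0, which is Markus's point: once the larval channel counts, a "-N" session can only end when the client drops the transport, so the exit decision does not belong to the channel count at all.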
From: stas at peterstar.com (Stanislav S. Anokhin) Date: Fri, 6 Apr 2001 11:41:34 +0300 Subject: Problem with getnameinfo in Tru64 v5.1 Message-ID: <308864176.20010406114134@peterstar.com> Hello, After ./configure && make on my Tru64 v5.1 machine, sshd could not start, with the diagnostic "Cannot bind any address.". The problem was in getnameinfo, which doesn't return an error if you don't set the address family before calling it. Patch included. -- Best regards, Stanislav mailto:stas at peterstar.com -------------- next part -------------- A non-text attachment was scrubbed... Name: openssh-2.5.2p2.patch Type: application/octet-stream Size: 2574 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010406/9ed7d5eb/attachment.obj From tomh at po.crl.go.jp Fri Apr 6 21:11:11 2001 
From: tomh at po.crl.go.jp (Tom Holroyd) Date: Fri, 6 Apr 2001 20:11:11 +0900 (JST) Subject: -n vs batch_mode vs batch_flag Message-ID: How is -n supposed to work? When you say ssh -n, it sets stdin_null_flag but not batch mode. When the client is choosing authmethods, there is a batch_flag that is tested to see (presumably) if we are in batch mode or perhaps if -n has been given. But nothing sets it. It looks like it's supposed to point to options.batch_mode, but it's never even initialized! Even if it did point to batch_mode, that's independent of -n, so when you say -n it still (tries to) ask for a password. % ssh -n localhost & [1] 5220 % tomh at localhost's password: [1] + Suspended (tty input) ssh -n localhost It seems to me that -n (without -f) should mean "stdin doesn't exist, so don't try any authmethods that ask for passwords from stdin", which would imply that it should set batch_mode too, and batch_flag should point to that. Or maybe batch_mode should be checked instead of batch_flag. Or is this all supposed to be handled somehow by ssh-askpass (which is currently only used by ssh-agent)? Thanks, Dr. Tom From provos at citi.umich.edu Fri Apr 6 23:13:30 2001 
From: provos at citi.umich.edu (Niels Provos) Date: Fri, 06 Apr 2001 09:13:30 -0400 Subject: the "primes" file In-Reply-To: Tom Holroyd, Wed, 04 Apr 2001 12:11:50 +0900 Message-ID: <20010406131235.2934F207C1@citi.umich.edu> In message , Tom Holroyd writes: >On Tue, 3 Apr 2001, Niels Provos wrote: >DH only requires the subgroup be of size q, but SRP requires that the >subgroup be of size p - 1. Now it turns out that the generators in the >"primes" file all generate the full p - 1 group, and in fact the OpenSSL >routine DH_generate_parameters() will always create parameters like this. Ah. I didn't remember that SRP required the whole group to be generated. But you are right, the program I use to generate the primes file generates only primes with generators for the whole group. >But it seems that it *is* allowed (according to the draft) that someday >somebody will use a generator that generates the q subgroup but not the >p - 1 subgroup. (For example, the diffie-hellman-group1-sha1 prime uses a >generator of 2, but this is unacceptable for SRP; libsrp uses this same >prime with a generator of 5.) That is true. There is no reason to not allow a generator that generates the large subgroup. At least when you are looking at a DH key exchange. >Thus SRP can't use the primes file directly -- although the embedded primes >are built from it (but they are tested to make sure the subgroup is size >p - 1 first). You can probably use the primes file, and do some very quick filtering along the lines of 2 when p (mod 24) = 11. 5 when p (mod 10) = 3 or 7. That is the filter I use for the primes. >The current SRP patch also reads from the system configuration file >/etc/tpasswd.conf, both for compatibility with existing SRP installations >and to address your concern. So you can add new primes without >recompiling. However if you ever want to *retire* a prime, you must >recompile. That should not be a problem then. >values). Is retiring primes likely to be an issue? Not really. 
The only issue is one of variety. Discourage precomputation of any particular prime. Niels. From RCDavis at intermedia.com Sat Apr 7 02:11:19 2001 
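An added example, not code from OpenSSH, libsrp or Niels' prime generator, that checks the two claims in this exchange with small numbers: for a safe prime p = 2q + 1 a generator is either of order q (enough for DH) or of the full order p - 1 (what SRP needs), and the residue filter Niels quotes (2 when p mod 24 = 11, 5 when p mod 10 = 3 or 7) selects exactly the full-group generators. The trial-division primality test, the function names and the search bound are choices made for this example; the filter is applied from p = 11 upward, because the mod 24 rule relies on p ≡ 11 (mod 12), which holds for every safe prime from 11 on but not for 5 or 7.

```c
/*
 * Added example (not OpenSSH/libsrp code): order of a generator modulo a
 * safe prime versus Niels' quick residue filter, checked by brute force
 * over every safe prime below a small bound. Values stay below 2^32 so
 * the products in modpow() fit in 64 bits.
 */
#include <stdint.h>
#include <stdio.h>

static uint64_t modpow(uint64_t b, uint64_t e, uint64_t m)
{
    uint64_t r = 1;
    b %= m;
    while (e) {
        if (e & 1)
            r = r * b % m;
        b = b * b % m;
        e >>= 1;
    }
    return r;
}

/* Trial division: fine for the small primes this example uses. */
static int is_prime(uint64_t n)
{
    uint64_t d;
    if (n < 2)
        return 0;
    for (d = 2; d * d <= n; d++)
        if (n % d == 0)
            return 0;
    return 1;
}

/* A safe prime is a prime p with q = (p - 1) / 2 also prime. */
int is_safe_prime(uint64_t p)
{
    return p > 4 && is_prime(p) && is_prime((p - 1) / 2);
}

/*
 * For safe prime p the order of g divides 2q, so it is 1, 2, q or 2q.
 * g generates the whole group iff g^2 != 1 and g^q != 1 (mod p).
 * (g^q is the Legendre symbol, so "order 2q" means "g is a non-residue
 * other than p - 1".)
 */
int generates_full_group(uint64_t g, uint64_t p)
{
    uint64_t q = (p - 1) / 2;
    g %= p;
    if (g == 0)
        return 0;
    return modpow(g, 2, p) != 1 && modpow(g, q, p) != 1;
}

/* Niels' filter as quoted in the thread; meant for safe primes p >= 11. */
int quick_filter(uint64_t g, uint64_t p)
{
    if (g == 2)
        return p % 24 == 11;
    if (g == 5)
        return p % 10 == 3 || p % 10 == 7;
    return -1;                          /* no rule for other generators */
}

/*
 * Number of safe primes in [11, bound) for which the filter and the
 * exponentiation test disagree for g = 2 or g = 5; *checked receives the
 * number of safe primes examined. A correct filter gives 0.
 */
int count_filter_mismatches(uint64_t bound, int *checked)
{
    int bad = 0, n = 0;
    uint64_t p;
    for (p = 11; p < bound; p++) {
        if (!is_safe_prime(p))
            continue;
        n++;
        if (quick_filter(2, p) != generates_full_group(2, p))
            bad++;
        if (quick_filter(5, p) != generates_full_group(5, p))
            bad++;
    }
    if (checked)
        *checked = n;
    return bad;
}

int main(void)
{
    int n, bad = count_filter_mismatches(5000, &n);
    printf("safe primes checked: %d, filter mismatches: %d\n", n, bad);
    printf("p=23: 2 full group? %d, 5 full group? %d\n",
           generates_full_group(2, 23), generates_full_group(5, 23));
    return 0;
}
```

Why the filter works: for a safe prime the full-group generators are exactly the quadratic non-residues other than p - 1, 2 is a non-residue iff p ≡ ±3 (mod 8), and 5 is a non-residue iff p ≡ ±2 (mod 5). A safe prime p ≥ 11 is always 11 mod 12, so the 8-and-12 conditions combine into "p mod 24 = 11". This also explains Tom's group1 remark: that prime ends in ...FFFFFFFF in hex, so it is 7 mod 8, 2 is a quadratic residue, and 2 generates only the order-q subgroup, which is enough for diffie-hellman-group1-sha1 but not for SRP.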
From: RCDavis at intermedia.com (Davis, Ricardo C.) Date: Fri, 6 Apr 2001 12:11:19 -0400 Subject: SFTP client script broken after OpenSSH 2.5.1p1 to 2.5.2p2-1 Message-ID: <77DA8BE17C46D2118B7A00805FA7D051047ADB0D@TPAEXCH2> Hello friends, I have a script that uses the sftp client to transfer a file to another server using PK authentication. It was working until I upgraded from OpenSSH 2.5.1p1 to 2.5.2p2-1 yesterday (on a RH Linux 6.2 system). The sftp command is: sftp -o "IdentityFile ~/.ssh/id_dsa" \ $PUSERNAME@$PSERVER >$TEMPFILE 2>&1 <<-! cd $PDIR put $DOC_ARCHIVE ls quit ! Now when I run the script in test mode where it logs into an account on the same box the script appears to ignore the current directory set by the "cd" command and will "put" the file in the home directory of PUSERNAME. I checked to make sure $PDIR was set and it is ... because when I do the "ls" in sftp it lists the other files already present in the target subdirectory. When I do a "set -x" before this command, here's what happens: sftp> sftp> Uploading fci0406a.zip to fci0406a.zip sftp> drwxrwxr-x 2 pusernam pusernam 4096 Mar 26 15:58 . drwxr-x--- 5 pusernam acctAdm 4096 Apr 6 11:30 .. -rw-r--r-- 1 pusernam pusernam 76280 Mar 23 17:20 fci0323a.zip -rw-r--r-- 1 pusernam pusernam 38151 Mar 23 17:20 fcd0323a.zip -rw-r--r-- 1 pusernam pusernam 38151 Mar 23 17:20 fcp0323a.zip -rw-r--r-- 1 pusernam pusernam 76280 Mar 26 17:39 fci0326a.zip -rw-r--r-- 1 pusernam pusernam 38151 Mar 26 17:39 fcd0326a.zip -rw-r--r-- 1 pusernam pusernam 38151 Mar 26 17:39 fcp0326a.zip When I check out the home directory of this account I find the file was transferred there. Has this problem been identified (I didn't see it on the errata page) and fixed? How long before the next release with the fix? 
-Ricardo ...going back to 2.5.1p1 :( -------------------------------------------------------------------- Intermedia Communications Ricardo Davis ABN-Information Systems rcdavis at intermedia.com http://www.intermedia.com/products/abn/ -------------------------------------------------------------------- From mouring at etoh.eviladmin.org Sat Apr 7 02:23:16 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Fri, 6 Apr 2001 11:23:16 -0500 (CDT) Subject: SFTP client script broken after OpenSSH 2.5.1p1 to 2.5.2p2-1 In-Reply-To: <77DA8BE17C46D2118B7A00805FA7D051047ADB0D@TPAEXCH2> Message-ID: Hmm.. I can't mimic this under the current CVS version.
sftp localhost <<EOF
cd /tmp
ls
EOF
works fine over here.. When I was testing 2.5.2 w/ the new -b batchfile mode I was very careful not to break that feature. Can you try something for me and put a blank line before the 'cd $PDIR'? - Ben On Fri, 6 Apr 2001, Davis, Ricardo C. wrote: > Hello friends, > > I have a script that uses the sftp client to transfer a file to another > server using PK authentication. It was working until I upgraded from > OpenSSH 2.5.1p1 to 2.5.2p2-1 yesterday (on a RH Linux 6.2 system). The sftp > command is: > > sftp -o "IdentityFile ~/.ssh/id_dsa" \ > $PUSERNAME@$PSERVER >$TEMPFILE 2>&1 <<-! > cd $PDIR > put $DOC_ARCHIVE > ls > quit > ! > > Now when I run the script in test mode where it logs into an account on the > same box the script appears to ignore the current directory set by the "cd" > command and will "put" the file in the home directory of PUSERNAME. I > checked to make sure $PDIR was set and it is ... because when I do the "ls" > in sftp it lists the other files already present in the target subdirectory. > When I do a "set -x" before this command, here's what happens: > > sftp> sftp> Uploading fci0406a.zip to fci0406a.zip > sftp> drwxrwxr-x 2 pusernam pusernam 4096 Mar 26 15:58 . > drwxr-x--- 5 pusernam acctAdm 4096 Apr 6 11:30 .. > -rw-r--r-- 1 pusernam pusernam 76280 Mar 23 17:20 fci0323a.zip > -rw-r--r-- 1 pusernam pusernam 38151 Mar 23 17:20 fcd0323a.zip > -rw-r--r-- 1 pusernam pusernam 38151 Mar 23 17:20 fcp0323a.zip > -rw-r--r-- 1 pusernam pusernam 76280 Mar 26 17:39 fci0326a.zip > -rw-r--r-- 1 pusernam pusernam 38151 Mar 26 17:39 fcd0326a.zip > -rw-r--r-- 1 pusernam pusernam 38151 Mar 26 17:39 fcp0326a.zip > > When I check out the home directory of this account I find the file was > transferred there. > > Has this problem been identified (I didn't see it on the errata page) and > fixed? How long before the next release with the fix? 
> > > -Ricardo > ...going back to 2.5.1p1 :( > > -------------------------------------------------------------------- > Intermedia Communications > Ricardo Davis ABN-Information Systems > rcdavis at intermedia.com http://www.intermedia.com/products/abn/ > -------------------------------------------------------------------- > From mouring at etoh.eviladmin.org Sat Apr 7 02:39:04 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Fri, 6 Apr 2001 11:39:04 -0500 (CDT) Subject: SFTP client script broken after OpenSSH 2.5.1p1 to 2.5.2p2-1 In-Reply-To: <77DA8BE17C46D2118B7A00805FA7D051047ADB0E@TPAEXCH2> Message-ID:
$ sftp localhost <<EOF
> cd /tmp
> put canohost.c
> ls
> EOF
Connecting to localhost...
mouring at localhost's password:
sftp> sftp> Uploading canohost.c to /tmp/canohost.c
sftp> drwxrwxrwt 2 root wheel 512 Apr 6 11:33 .
drwxr-xr-x 15 root wheel 512 Mar 16 21:35 ..
-rw------- 1 mouring wheel 0 Apr 4 11:22 ccbe9396.c
-rw------- 1 mouring wheel 0 Apr 4 11:22 ccfp9396.o
-rw------- 1 mouring wheel 0 Apr 4 11:25 ccOY9396.ld
-rw------- 1 mouring wheel 26 Apr 6 11:32 shWob21730
-rw-r--r-- 1 mouring wheel 8686 Apr 6 11:33 canohost.c
sftp> $
Works perfectly fine. Without more information not sure what to tell you. sftp localhost < But did you try to "put" a file into /tmp? Did it work? > > I will give it a try with the blank line in the here document. > > > -Ricardo > > -----Original Message----- 
> From: mouring at etoh.eviladmin.org [mailto:mouring at etoh.eviladmin.org] > Sent: Friday, April 06, 2001 12:23 PM > To: Davis, Ricardo C. > Cc: openssh-unix-dev at mindrot.org > Subject: Re: SFTP client script broken after OpenSSH 2.5.1p1 to > 2.5.2p2-1 > > > > Hmm.. I can't mimic this under the current CVS version. > > sftp localhost < cd /tmp > ls > EOF > > works fine over here.. When I was testing 2.5.2 w/ the new -b batchfile > mode I was very careful not to break that feature. > > Can you try something for me and put a blank line before the 'cd $PDIR'? > > - Ben > > > On Fri, 6 Apr 2001, Davis, Ricardo C. wrote: > > > Hello friends, > > > > I have a script that uses the sftp client to transfer a file to another > > server using PK authentication. It was working until I upgraded from > > OpenSSH 2.5.1p1 to 2.5.2p2-1 yesterday (on a RH Linux 6.2 system). The > sftp > > command is: > > > > sftp -o "IdentityFile ~/.ssh/id_dsa" \ > > $PUSERNAME@$PSERVER >$TEMPFILE 2>&1 <<-! > > cd $PDIR > > put $DOC_ARCHIVE > > ls > > quit > > ! > > > > Now when I run the script in test mode where it logs into an account on > the > > same box the script appears to ignore the current directory set by the > "cd" > > command and will "put" the file in the home directory of PUSERNAME. I > > checked to make sure $PDIR was set and it is ... because when I do the > "ls" > > in sftp it lists the other files already present in the target > subdirectory. > > When I do a "set -x" before this command, here's what happens: > > > > sftp> sftp> Uploading fci0406a.zip to fci0406a.zip > > sftp> drwxrwxr-x 2 pusernam pusernam 4096 Mar 26 15:58 . > > drwxr-x--- 5 pusernam acctAdm 4096 Apr 6 11:30 .. 
> > -rw-r--r-- 1 pusernam pusernam 76280 Mar 23 17:20 fci0323a.zip > > -rw-r--r-- 1 pusernam pusernam 38151 Mar 23 17:20 fcd0323a.zip > > -rw-r--r-- 1 pusernam pusernam 38151 Mar 23 17:20 fcp0323a.zip > > -rw-r--r-- 1 pusernam pusernam 76280 Mar 26 17:39 fci0326a.zip > > -rw-r--r-- 1 pusernam pusernam 38151 Mar 26 17:39 fcd0326a.zip > > -rw-r--r-- 1 pusernam pusernam 38151 Mar 26 17:39 fcp0326a.zip > > > > When I check out the home directory of this account I find the file was > > transferred there. > > > > Has this problem been identified (I didn't see it on the errata page) and > > fixed? How long before the next release with the fix? > > > > > > -Ricardo > > ...going back to 2.5.1p1 :( > > > > -------------------------------------------------------------------- > > Intermedia Communications > > Ricardo Davis ABN-Information Systems > > rcdavis at intermedia.com http://www.intermedia.com/products/abn/ > > -------------------------------------------------------------------- > > > > From RCDavis at intermedia.com Sat Apr 7 04:29:00 2001 From: RCDavis at intermedia.com (Davis, Ricardo C.) Date: Fri, 6 Apr 2001 14:29:00 -0400 Subject: SFTP client script broken after OpenSSH 2.5.1p1 to 2.5.2p2-1 Message-ID: <77DA8BE17C46D2118B7A00805FA7D051047ADB10@TPAEXCH2> Ben, I was able to get the "put " sftp command to work. I'm somewhat concerned that the server I'm sending this to is a Win2k box and this command may not work properly in that environment. We shall see... The -b option is great -- anything to help catch errors is good. Maybe I'll stay with 2.5.2p2 after all and hope my other problem shakes out in 2.5.3p1. :) Thanks again for your help! -Ricardo -----Original Message----- 
From: mouring at etoh.eviladmin.org [mailto:mouring at etoh.eviladmin.org] Sent: Friday, April 06, 2001 12:39 PM To: Davis, Ricardo C. Cc: openssh-unix-dev at mindrot.org Subject: RE: SFTP client script broken after OpenSSH 2.5.1p1 to 2.5.2p2-1 $ sftp localhost < cd /tmp > put canohost.c > ls > EOF Connecting to localhost... mouring at localhost's password: sftp> sftp> Uploading canohost.c to /tmp/canohost.c sftp> drwxrwxrwt 2 root wheel 512 Apr 6 11:33 . drwxr-xr-x 15 root wheel 512 Mar 16 21:35 .. -rw------- 1 mouring wheel 0 Apr 4 11:22 ccbe9396.c -rw------- 1 mouring wheel 0 Apr 4 11:22 ccfp9396.o -rw------- 1 mouring wheel 0 Apr 4 11:25 ccOY9396.ld -rw------- 1 mouring wheel 26 Apr 6 11:32 shWob21730 -rw-r--r-- 1 mouring wheel 8686 Apr 6 11:33 canohost.c sftp> $ Works perfectly fine. Without more information not sure what to tell you. sftp localhost < But did you try to "put" a file into /tmp? Did it work? > > I will give it a try with the blank line in the here document. > > > -Ricardo > > -----Original Message----- 
> From: mouring at etoh.eviladmin.org [mailto:mouring at etoh.eviladmin.org] > Sent: Friday, April 06, 2001 12:23 PM > To: Davis, Ricardo C. > Cc: openssh-unix-dev at mindrot.org > Subject: Re: SFTP client script broken after OpenSSH 2.5.1p1 to > 2.5.2p2-1 > > > > Hmm.. I can't mimic this under the current CVS version. > > sftp localhost < cd /tmp > ls > EOF > > works fine over here.. When I was testing 2.5.2 w/ the new -b batchfile > mode I was very careful not to break that feature. > > Can you try something for me and put a blank line before the 'cd $PDIR'? > > - Ben > > > On Fri, 6 Apr 2001, Davis, Ricardo C. wrote: > > > Hello friends, > > > > I have a script that uses the sftp client to transfer a file to another > > server using PK authentication. It was working until I upgraded from > > OpenSSH 2.5.1p1 to 2.5.2p2-1 yesterday (on a RH Linux 6.2 system). The > sftp > > command is: > > > > sftp -o "IdentityFile ~/.ssh/id_dsa" \ > > $PUSERNAME@$PSERVER >$TEMPFILE 2>&1 <<-! > > cd $PDIR > > put $DOC_ARCHIVE > > ls > > quit > > ! > > > > Now when I run the script in test mode where it logs into an account on > the > > same box the script appears to ignore the current directory set by the > "cd" > > command and will "put" the file in the home directory of PUSERNAME. I > > checked to make sure $PDIR was set and it is ... because when I do the > "ls" > > in sftp it lists the other files already present in the target > subdirectory. > > When I do a "set -x" before this command, here's what happens: > > > > sftp> sftp> Uploading fci0406a.zip to fci0406a.zip > > sftp> drwxrwxr-x 2 pusernam pusernam 4096 Mar 26 15:58 . > > drwxr-x--- 5 pusernam acctAdm 4096 Apr 6 11:30 .. 
> > -rw-r--r-- 1 pusernam pusernam 76280 Mar 23 17:20 fci0323a.zip > > -rw-r--r-- 1 pusernam pusernam 38151 Mar 23 17:20 fcd0323a.zip > > -rw-r--r-- 1 pusernam pusernam 38151 Mar 23 17:20 fcp0323a.zip > > -rw-r--r-- 1 pusernam pusernam 76280 Mar 26 17:39 fci0326a.zip > > -rw-r--r-- 1 pusernam pusernam 38151 Mar 26 17:39 fcd0326a.zip > > -rw-r--r-- 1 pusernam pusernam 38151 Mar 26 17:39 fcp0326a.zip > > > > When I check out the home directory of this account I find the file was > > transferred there. > > > > Has this problem been identified (I didn't see it on the errata page) and > > fixed? How long before the next release with the fix? > > > > > > -Ricardo > > ...going back to 2.5.1p1 :( > > > > -------------------------------------------------------------------- > > Intermedia Communications > > Ricardo Davis ABN-Information Systems > > rcdavis at intermedia.com http://www.intermedia.com/products/abn/ > > -------------------------------------------------------------------- > > > > From stevev at darkwing.uoregon.edu Sat Apr 7 05:18:18 2001 
From: stevev at darkwing.uoregon.edu (Steve VanDevender) Date: Fri, 6 Apr 2001 12:18:18 -0700 Subject: $MAIL surprise Message-ID: <15054.5754.741849.310593@darkwing.uoregon.edu> I got email yesterday from a user who had run 'from' and got the message "No mail in /home/stevev/$USER" (where $USER was that person's username). At first I thought he had pilfered my .bashrc, but on further investigation I discovered that my home directory path had been compiled in to sshd, because the configuration tests assume that the directory part of $MAIL is the systemwide mail spool. Unfortunately on this system we deliver mail into user home directories, so we set MAIL to $HOME/.mail rather than /var/{,spool/}mail/$USER, and this user's shell initialization did not change MAIL from the default set by sshd. Given that I'm doing something nonstandard, an answer of "don't configure OpenSSH with your funky setting of MAIL" is reasonable enough. I can't really think of any clean solution to put into the Portable OpenSSH code base to address this; I may end up tweaking our local source tree so we get the right thing for our users, but this is an interesting configuration problem that people might want to know about. From dbt at meat.net Sat Apr 7 06:05:39 2001 
From: dbt at meat.net (David Terrell) Date: Fri, 6 Apr 2001 13:05:39 -0700 Subject: $MAIL surprise In-Reply-To: <15054.5754.741849.310593@darkwing.uoregon.edu>; from stevev@darkwing.uoregon.edu on Fri, Apr 06, 2001 at 12:18:18PM -0700 References: <15054.5754.741849.310593@darkwing.uoregon.edu> Message-ID: <20010406130539.B15637@pianosa.catch22.org> On Fri, Apr 06, 2001 at 12:18:18PM -0700, Steve VanDevender wrote: > I got email yesterday from a user who had run 'from' and got the message > "No mail in /home/stevev/$USER" (where $USER was that person's > username). At first I thought he had pilfered my .bashrc, but on > further investigation I discovered that my home directory path had been > compiled in to sshd, because the configuration tests assume that the > directory part of $MAIL is the systemwide mail spool. Unfortunately on > this system we deliver mail into user home directories, so we set MAIL > to $HOME/.mail rather than /var/{,spool/}mail/$USER, and this user's > shell initialization did not change MAIL from the default set by sshd. > > Given that I'm doing something nonstandard, an answer of "don't > configure OpenSSH with your funky setting of MAIL" is reasonable > enough. I can't really think of any clean solution to put into the > Portable OpenSSH code base to address this; I may end up tweaking our > local source tree so we get the right thing for our users, but this is > an interesting configuration problem that people might want to know > about. Are you sure the real problem isn't that sshd is started with your environment at runtime? I recently had a similar problem with inetd. Try starting it like this: env -i PATH=/some:/reasonable:/subset /usr/local/sbin/sshd -- David Terrell | "The fact that you can't name the place dbt at meat.net | you're going to die doesn't mean you http://wwn.nebcorp.com/ | shouldn't pay attention to your health." -whg3 From stevev at darkwing.uoregon.edu Sat Apr 7 06:14:48 2001 
From: stevev at darkwing.uoregon.edu (Steve VanDevender) Date: Fri, 6 Apr 2001 13:14:48 -0700 Subject: $MAIL surprise In-Reply-To: <20010406130539.B15637@pianosa.catch22.org> References: <15054.5754.741849.310593@darkwing.uoregon.edu> <20010406130539.B15637@pianosa.catch22.org> Message-ID: <15054.9144.648535.194365@darkwing.uoregon.edu> David Terrell writes: > Are you sure the real problem isn't that sshd is started with your > environment at runtime? I recently had a similar problem with inetd. > Try starting it like this: > > env -i PATH=/some:/reasonable:/subset /usr/local/sbin/sshd That was my first thought too, and I restarted sshd with "env -i" on that host and it didn't change anything. I looked and here's what's in config.h: /* Set this to your mail directory if you don't have maillock.h */ #define MAIL_DIRECTORY "/home/staff/stevev" So then in defines.h this happens: #ifndef MAIL_DIRECTORY # define MAIL_DIRECTORY "/var/spool/mail" #endif #ifndef MAILDIR # define MAILDIR MAIL_DIRECTORY #endif #if !defined(_PATH_MAILDIR) && defined(MAILDIR) # define _PATH_MAILDIR MAILDIR #endif /* !defined(_PATH_MAILDIR) && defined(MAILDIR) */ And finally in session.c this environment variable setting is created: snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name); child_set_env(&env, &envsize, "MAIL", buf); And this is what is in configure that gets it all started: # Check for mail directory (last resort if we cannot get it from headers) if test ! -z "$MAIL" ; then maildir=`dirname $MAIL` cat >> confdefs.h < Is there anyway for it to evaluate, at runtime, say $HOME? As your mailspools are under each users's home directory, if I read correctly... Unfortunately I have no machines which I can test this on easily at the moment. (At least not with greatly upsetting a few people...) Just a thought. --Matt > -----Original Message----- 
> From: Steve VanDevender [mailto:stevev at darkwing.uoregon.edu] > Sent: Friday, April 06, 2001 1:15 PM > To: David Terrell > Cc: openssh-unix-dev at mindrot.org > Subject: Re: $MAIL surprise > > > David Terrell writes: > > Are you sure the real problem isn't that sshd is started with your > > environment at runtime? I recently had a similar problem > with inetd. > > Try starting it like this: > > > > env -i PATH=/some:/reasonable:/subset /usr/local/sbin/sshd > > That was my first thought too, and I restarted sshd with "env -i" on > that host and it didn't change anything. I looked and here's > what's in > config.h: > > /* Set this to your mail directory if you don't have maillock.h */ > #define MAIL_DIRECTORY "/home/staff/stevev" > > So then in defines.h this happens: > > #ifndef MAIL_DIRECTORY > # define MAIL_DIRECTORY "/var/spool/mail" > #endif > > #ifndef MAILDIR > # define MAILDIR MAIL_DIRECTORY > #endif > > #if !defined(_PATH_MAILDIR) && defined(MAILDIR) > # define _PATH_MAILDIR MAILDIR > #endif /* !defined(_PATH_MAILDIR) && defined(MAILDIR) */ > > And finally in session.c this environment variable setting is created: > > snprintf(buf, sizeof buf, "%.200s/%.50s", > _PATH_MAILDIR, pw->pw_name); > child_set_env(&env, &envsize, "MAIL", buf); > > And this is what is in configure that gets it all started: > > # Check for mail directory (last resort if we cannot get it > from headers) > if test ! -z "$MAIL" ; then > maildir=`dirname $MAIL` > cat >> confdefs.h < #define MAIL_DIRECTORY "$maildir" > EOF > > The code in defines.h should use _PATH_MAILDIR if it's defined in the > system headers, but at least in the case of the Solaris and SunOS > systems where I'm seeing this happen, there is no setting for > _PATH_MAILDIR in the system include files. > > Like I said before, though, I'm not really arguing that this code or > this approach to finding $MAIL is wrong, but it is surprising. > From stevev at darkwing.uoregon.edu Sat Apr 7 06:32:42 2001 
From: stevev at darkwing.uoregon.edu (Steve VanDevender) Date: Fri, 6 Apr 2001 13:32:42 -0700 Subject: $MAIL surprise In-Reply-To: <71D01DB8DA698947A6F5D666D62A2DB001C42F@exchange.livecapital.com> References: <71D01DB8DA698947A6F5D666D62A2DB001C42F@exchange.livecapital.com> Message-ID: <15054.10218.893346.273463@darkwing.uoregon.edu> Lewandowsky, Matt writes: > Is there any way for it to evaluate, at runtime, say $HOME? As your > mailspools are under each user's home directory, if I read correctly... It wouldn't be that hard to add some code in session.c to do something like this: #ifdef MAILSPOOLHOME snprintf(buf, sizeof buf, "%.200s/%.50s", pw->pw_dir, MAILSPOOLHOME); child_set_env(&env, &envsize, "MAIL", buf); #else snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name); child_set_env(&env, &envsize, "MAIL", buf); #endif This is probably the local change I'll put into our source tree. However, this isn't the only way that people modify mail spooling in large installations; another is the "/var/mail/u/user" hashing scheme. I'm certainly not arguing for putting in a bunch of code to deal with all these kinds of customizations, especially when there's no good way to specify the different methods algorithmically. Just as a random thought, what about making the setting of MAIL conditional on whether "CheckMail yes" is specified in sshd_config? From drosih at rpi.edu Sat Apr 7 06:42:53 2001 
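Added example (editor's, not OpenSSH's or Steve's code): a shell reconstruction of the two pieces quoted in this thread, configure's maildir=`dirname $MAIL` fallback and session.c's "%.200s/%.50s" construction of MAIL, plus the per-home variant proposed above, so the effect of the builder's $MAIL can be checked before a build instead of being discovered by a user running 'from'. The builder's home, the user names and the $HOME/.mail layout are constructed values taken from the thread; the _PATH_MAILDIR-from-system-headers branch is not modelled.

```shell
#!/bin/sh
# Added example, not OpenSSH code. Reproduces in shell what the configure
# fragment and the session.c snprintf quoted in this thread do.

# configure's fallback: maildir=`dirname $MAIL`, only taken when MAIL is
# non-empty; otherwise defines.h supplies /var/spool/mail.
configure_maildir_guess() {
    if [ -z "$1" ]; then
        printf '%s\n' /var/spool/mail
    else
        dirname "$1"
    fi
}

# session.c: snprintf(buf, sizeof buf, "%.200s/%.50s", base, leaf).
# printf's precision reproduces the 200/50 character truncation exactly,
# which also applies to the pw->pw_dir/MAILSPOOLHOME variant.
mail_env_path() {
    printf '%.200s/%.50s\n' "$1" "$2"
}

# Pre-build check: would the directory configure compiles in be the
# builder's own home (or something under it)? 0 = yes, that is the trap.
maildir_inside_home() {
    maildir=$1
    home=$2
    case $maildir in
        "$home"|"$home"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed values matching the thread: the builder sets MAIL=$HOME/.mail.
builder_home=/home/staff/stevev
builder_mail=$builder_home/.mail

compiled=$(configure_maildir_guess "$builder_mail")
echo "MAIL_DIRECTORY configure would compile in: $compiled"
echo "MAIL sshd would then export for user jdoe:  $(mail_env_path "$compiled" jdoe)"
echo "per-home alternative for jdoe:              $(mail_env_path /home/jdoe .mail)"
if maildir_inside_home "$compiled" "$builder_home"; then
    echo "warning: that is the builder's home directory, not a mail spool" >&2
fi
echo "with MAIL unset configure falls back to:    $(configure_maildir_guess '')"
```

The practical consequence is that the env -i suggested earlier in the thread has to wrap ./configure as well as the sshd start: the quoted fallback runs only when MAIL is non-empty, so a build under a scrubbed environment gets the /var/spool/mail default from defines.h rather than whatever the builder's shell happened to export.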
From: drosih at rpi.edu (Garance A Drosihn) Date: Fri, 6 Apr 2001 16:42:53 -0400 Subject: $MAIL surprise In-Reply-To: <15054.5754.741849.310593@darkwing.uoregon.edu> References: <15054.5754.741849.310593@darkwing.uoregon.edu> Message-ID: At 12:18 PM -0700 4/6/01, Steve VanDevender wrote: >... At first I thought he had pilfered my .bashrc, but on >further investigation I discovered that my home directory path had been >compiled in to sshd, because the configuration tests assume that the >directory part of $MAIL is the systemwide mail spool. Unfortunately on >this system we deliver mail into user home directories, so we set MAIL >to $HOME/.mail rather than /var/{,spool/}mail/$USER, and this user's >shell initialization did not change MAIL from the default set by sshd. > >Given that I'm doing something nonstandard, an answer of "don't >configure OpenSSH with your funky setting of MAIL" is reasonable >enough. I can't really think of any clean solution to put into the >Portable OpenSSH code base to address this; ... What happens for your mail programs if you set MAIL to ~/.mail (with the ~ literally in the environment variable, don't let the shell expand it out when the value is being set). Do your applications understand ~ = $HOME ? If so, then openssh could at least recognize ~ (which it may already do...), and you might have one plausible option. Or at least, you could COMPILE openssh with that value set, even if you can't just arbitrarily set that for all users. Another option MIGHT be to see what happens if the value for 'MAIL' is literally '$HOME/.mail' (again, without having $HOME expanded by the shell when setting the variable), but I suspect this is less likely to work in other email applications. More importantly, that then means that openssh's behavior depends on an environment variable the user can directly change, and that does not sound like a good idea to me. 
-- Garance Alistair Drosehn = gad at eclipse.acs.rpi.edu Senior Systems Programmer or gad at freebsd.org Rensselaer Polytechnic Institute or drosih at rpi.edu From dprevett at cs.unm.edu Sat Apr 7 08:06:02 2001 From: dprevett at cs.unm.edu (Daniel Prevett) Date: Fri, 6 Apr 2001 16:06:02 -0600 (MDT) Subject: sftp-server configuration error Message-ID: Hi, I do tech support for Van Dyke Technologies, and I've run into an interesting problem with the sftp-server under some redhat linux boxes. Two separate customers reported that they were having problems using sftp with SecureFX and OpenSSH. Upon further investigation, the sshd_config file on the redhat box had an incorrect path for the sftp-server in it. The problem is that if the path to sftp-server is incorrect in the sshd_config file, no error message is returned to the client, it is just disconnected. When the sftp subsystem is disabled, we get an error message about the subsystem request failing, and I think this would be a reasonable error to return in the case of the path in the sshd_config file being wrong as well. This occurs with the sftp client that ships with OpenSSH as well. I can't remember what the path was that the redhat boxes have, but it occurred with redhat 7.0, was probably an OpenSSH 2.1.1 install that came with the redhat dist that was updated with an rpm. The path ended with "openssh/openssh/libexec/sftp-server" or something similar. Taking out the extraneous openssh in the path fixed the problem with the sftp subsystem not starting. -Daniel From factorf2 at yahoo.com Sun Apr 8 09:21:15 2001 
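Added example, not OpenSSH's own code: a small sshd_config check for the failure mode Daniel describes, where a wrong Subsystem path gives the client nothing but a dropped connection. It reads the "Subsystem sftp" line the way sshd does (first match wins, keyword case-insensitive) and reports whether the path is an executable regular file. The fixture configs and the fake sftp-server binary are constructed here so the check runs offline; the doubled openssh/openssh path is the one from the report.

```shell
#!/bin/sh
# Added example, not OpenSSH code: verify that the path on the "Subsystem sftp"
# line of an sshd_config points at an executable before a client has to find
# out by being disconnected.

# Print the path configured for a subsystem; sshd takes the first matching
# line and matches the keyword case-insensitively, so do the same.
subsystem_path() {
    awk -v want="$2" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "subsystem" && $2 == want { print $3; exit }
    ' "$1"
}

# Exit status: 0 usable, 1 path missing or not executable, 2 no Subsystem line.
check_sftp_subsystem() {
    cfg=$1
    path=$(subsystem_path "$cfg" sftp)
    if [ -z "$path" ]; then
        echo "$cfg: no 'Subsystem sftp' line" >&2
        return 2
    fi
    # Newer OpenSSH accepts the built-in server, which has no path to check.
    if [ "$path" = internal-sftp ]; then
        echo "$cfg: internal-sftp, nothing to check" >&2
        return 0
    fi
    if [ -f "$path" ] && [ -x "$path" ]; then
        echo "$cfg: ok, $path" >&2
        return 0
    fi
    echo "$cfg: $path is missing or not executable" >&2
    return 1
}

# Constructed fixtures: a fake sftp-server binary and three configs, one
# correct, one with the doubled "openssh/openssh" path from the report,
# one with no Subsystem line at all.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
mkdir -p "$tmp/openssh/libexec"
printf '#!/bin/sh\nexit 0\n' > "$tmp/openssh/libexec/sftp-server"
chmod 755 "$tmp/openssh/libexec/sftp-server"

good_cfg=$tmp/sshd_config.good
bad_cfg=$tmp/sshd_config.bad
none_cfg=$tmp/sshd_config.none
cat > "$good_cfg" <<EOF
# comment line
Port 22
Subsystem sftp $tmp/openssh/libexec/sftp-server
EOF
cat > "$bad_cfg" <<EOF
subsystem sftp $tmp/openssh/openssh/libexec/sftp-server
EOF
printf 'Port 22\n' > "$none_cfg"

for f in "$good_cfg" "$bad_cfg" "$none_cfg"; do
    check_sftp_subsystem "$f" || echo "  -> exit status $?" >&2
done
```

Run it against the real file (check_sftp_subsystem /etc/ssh/sshd_config) after any package upgrade that touches sshd_config; the same walk can be extended to other Subsystem lines by changing the name passed to subsystem_path.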
From: factorf2 at yahoo.com (Daniel Yount) Date: Sat, 7 Apr 2001 16:21:15 -0700 (PDT) Subject: ssh/scp lib Message-ID: <20010407232115.62471.qmail@web11104.mail.yahoo.com> Does anyone know of a libssh package or tarball or does it only come in a single package right now. It would be really nice to see this protocol spread to other progs other than ssh/scp itself(i.e kde browser, zope,etc..). Am I alone on this one and have to split it up myself or am I stepping on toes for someone else who has already done this? [Icarus] Factor (aka Daniel Yount) factorf2 at yahoo.com __________________________________________________ Do You Yahoo!? Get email at your own domain with Yahoo! Mail. http://personal.mail.yahoo.com/ From mouring at etoh.eviladmin.org Sun Apr 8 18:51:28 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Sun, 8 Apr 2001 03:51:28 -0500 (CDT) Subject: ssh/scp lib In-Reply-To: <20010407232115.62471.qmail@web11104.mail.yahoo.com> Message-ID: I'd like to see sometime down the road a well documented API for libssh.a for integration into other software, but I think it's impractical at this point. However, there is a patch that has been approved (it's not in the Portable CVS tree pending help on a patch that pretty much rewrites uidswap.c =) to allow SSH to act like a simple SOCKS4 server (Thanks to Dan). On Sat, 7 Apr 2001, Daniel Yount wrote: > Does anyone know of a libssh package or tarball > or does it only come in a single package right now. > It would be really nice to see this protocol spread to > other progs other than ssh/scp itself(i.e kde browser, > zope,etc..). A hack to KDE file browser should be pretty easy. One just needs to integrate the sftp code into it. Which may not be too hard. Then require having OpenSSH installed and it will work without too much of a problem. However, since KDE itself is GPL.. One may have a licensing conflict. But I won't attempt to admit to understanding the minor annoying features of GPL. =) But in general sftp protocol is extremely simple if one was required to reinvent the wheel. - Ben From markus.friedl at informatik.uni-erlangen.de Sun Apr 8 21:34:52 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sun, 8 Apr 2001 13:34:52 +0200 Subject: ssh/scp lib In-Reply-To: <20010407232115.62471.qmail@web11104.mail.yahoo.com>; from factorf2@yahoo.com on Sat, Apr 07, 2001 at 04:21:15PM -0700 References: <20010407232115.62471.qmail@web11104.mail.yahoo.com> Message-ID: <20010408133452.A21495@folly> On Sat, Apr 07, 2001 at 04:21:15PM -0700, Daniel Yount wrote: > Does anyone know of a libssh package or tarball > or does it only come in a single package right now. > It would be really nice to see this protocol spread to > other progs other than ssh/scp itself(i.e kde browser, > zope,etc..). you don't need libssh for this. use openssh and write a kde-sftp client. you can reuse parts of the CLI sftp from openssh. -m From karlm30 at hotmail.com Sun Apr 8 21:51:32 2001 From: karlm30 at hotmail.com (Karl M) Date: Sun, 08 Apr 2001 04:51:32 -0700 Subject: Initial patch to implement partial auth with SSH2 Message-ID: Hi All... I am using the CygWin port of OpenSSH with NT/Win2k servers. I was looking at this issue and was advised of this thread. With the CygWin port, a password is required to do the setuid if you log in with a different user-id than the server. CygWin solves this by only allowing password authentication if the user-id must be changed. I am concerned about password-only authentication and wanted to require RSA first then password authentication. (The password authentication is then used to feed the password to sshd for the setuid.) This patch is a nice generalization of what I am looking for. I think that multiple authentications would be a big plus in the WinNT/Win2k environment. I would love to be able to do RSA + Password authentication. Thanks, ...Karl _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com From sspies at apple.com Fri Apr 6 08:38:43 2001 
From: sspies at apple.com (Soren Spies) Date: Thu, 5 Apr 2001 15:38:43 -0700 Subject: portable OpenSSH bugs. In-Reply-To: <200104052109.f35L9im24852@cvs.openbsd.org> Message-ID: <200104052238.PAA21123@scv2.apple.com> On Thursday, April 5, 2001, at 02:09 , Theo de Raadt wrote: > please mail details about the bugs asap. The first bug I sent (pending/1759: 2.5.2p2 can't connect using protocol 2 to a 2.3.0p1 server), got sent back as "fixed in current" so hopefully that is taken care of (details at the bottom of this message). I'm happy to try and repro / debug these if necessary. The others may have been caught by now: 2) the timeout for initial server replies appears small so sometimes the ssh client will give up before the server has a chance to wake up and reply. ssh -v will show debug1: Trying again... debug1: Trying again... debug1: Trying again... in quick succession. The timeouts for retries under OpenBSD (portable OpenSSH) as suggested by observing bug #3 suggest this is probably a problem there too. This bug has occurred under OS X in 2.3.0p1, 2.5.1p2, & 2.5.2p2, but doesn't happen every time. I see the problem most often ssh'ing to bigw.org, which is a 20 MHz microSparc: boris:~/src=> ssh -v bigw.org # see ssh fail OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f debug1: Seeded RNG with 28 bytes from programs debug1: Seeded RNG with 3 bytes from system calls debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: getuid 1001 geteuid 1001 anon 1 debug1: Trying again... debug1: Trying again... debug1: Trying again... Secure connection to bigw.org refused. debug1: writing PRNG seed to file /Users/soren/.ssh/prng_seed boris:~/src=> telnet bigw.org 22 Trying 128.2.156.111... Connected to bigw.org. Escape character is '^]'. SSH-1.5-1.2.27 ^] telnet> q Connection closed. boris:~/src=> ssh bigw.org # see ssh work b/c the server is awake? 
sspies at bigw.org's password: My theory is that the kernel accept()'s the connection but then sshd is swapped out and takes a bit of time to reply. The trouble with this theory is that I have to do the telnet 22 from each client I want to connect to. This is inside of Apple's firewall ... so there may be some extra delay induced by it. 3) Under OS X, if you try to ssh to a host that has no DNS entry: boris:~/src=> ssh -v aoeu OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f debug1: Seeded RNG with 28 bytes from programs debug1: Seeded RNG with 3 bytes from system calls debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: getuid 1001 geteuid 1001 anon 1 debug1: Trying again... debug1: Trying again... debug1: Trying again... Secure connection to aoeu refused. debug1: writing PRNG seed to file /Users/soren/.ssh/prng_seed boris:~/src=> uname -a Darwin localhost 1.3 Darwin Kernel Version 1.3: Thu Mar 1 06:56:40 PST 2001; root:xnu/xnu-123.5.obj~1/RELEASE_PPC Power Macintosh powerpc 3.5) Same repeat dialing if the connection is refused. Reproducible on OS X and with 2.5.2p2 on an OpenBSD 2.8 system: tofu:/home/soren/dev/openssh-2.5.2p2=> ./ssh -v -p 5555 localhost OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f debug1: Seeding random number generator debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: getuid 1003 geteuid 1003 anon 1 debug1: Connecting to localhost [127.0.0.1] port 5555. debug1: connect: Connection refused debug1: Trying again... debug1: Connecting to localhost [127.0.0.1] port 5555. debug1: connect: Connection refused debug1: Trying again... debug1: Connecting to localhost [127.0.0.1] port 5555. debug1: connect: Connection refused debug1: Trying again... debug1: Connecting to localhost [127.0.0.1] port 5555. debug1: connect: Connection refused Secure connection to localhost on port 5555 refused. 
tofu:/home/soren/dev/openssh-2.5.2p2=> uname -a OpenBSD tofu 2.8 TOFU#0 i386 Don't see any of these problems with a native OpenBSD's ssh. All of the problems seem to be in the portable client & server (in the case of 2.3.0p1) implementations, versions as noted. Here's my notes of the first bug: > 3) if you connect with protocol version 2 to a server running OpenSSH > 2.3.0p1, > You will get the following message instead of a password prompt: > debug1: send SSH2_MSG_SERVICE_REQUEST > b5 e8 37 62 5e 16 5e 03 b0 8f 99 7a d6 9a 03 af > Disconnecting: Bad packet length -1243072670. > This only seems to happen with OpenSSH 2.5.2p2, not 2.5.1p2 > but is reproducible running 2.5.2p2 on an OpenBSD 2.8 system. > -- Soren Spies Apple Computer, Inc. From anthonyu at yahoo.com Fri Apr 6 13:06:17 2001 
From: anthonyu at yahoo.com (Anthon Yu) Date: Thu, 5 Apr 2001 20:06:17 -0700 (PDT) Subject: Protocol 1 not working in openssh-2.5.2p2 Message-ID: <20010406030617.11094.qmail@web9612.mail.yahoo.com> After upgrading to openssh-2.5.2p2, my users were unable to log in using ssh Protocol 1. Entries like this were showing up in syslog: Apr 5 19:29:45 maple sshd[16726]: Accepted password for anthonyu from ::ffff:192.168.0.2 port 1019 Apr 5 19:29:45 maple sshd[16726]: fatal: stat(/dev/pts/1 19:29:45 sshd[16726]: Accepted password for anthonyu) failed: No such file or directory Apr 5 19:29:45 maple sshd[16726]: error: chown /dev/pts/1 19:29:45 sshd[16726]: Accepted password for anthonyu 0 0 failed: No such file or directory Apr 5 19:29:45 maple sshd[16726]: error: chmod /dev/pts/1 19:29:45 sshd[16726]: Accepted password for anthonyu 0666 failed: No such file or directory And, a quick test showed this when using ssh2: Apr 5 19:32:07 original sshd[16821]: fatal: TTYNAME: /dev/pts/1 As opposed to this when using ssh1: Apr 5 19:32:25 original sshd[16823]: fatal: TTYNAME: /dev/pts/1 19:32:25 sshd[16823]: Accepted password for anthonyu So I don't think it's a problem with ttyname(3). Below is a workaround patch that allows logins, but I doubt it will be useful in anything but troubleshooting. YMMV. Please let me know if a proper fix is committed. Thanks, diff -Nurd openssh-2.5.2p2-orig/sshpty.c openssh-2.5.2p2/sshpty.c --- openssh-2.5.2p2-orig/sshpty.c Sun Mar 4 19:53:03 2001 +++ openssh-2.5.2p2/sshpty.c Thu Apr 5 19:41:55 2001 @@ -296,6 +296,10 @@ gid_t gid; mode_t mode; struct stat st; + char *dex; + + dex = index(ttyname, ' '); + *dex = 0; /* Determine the group to make the owner of the tty. */ grp = getgrnam("tty"); ===== -- Au __________________________________________________ Do You Yahoo!? Get email at your own domain with Yahoo! Mail. http://personal.mail.yahoo.com/ From anthonyu at yahoo.com Fri Apr 6 13:25:28 2001 
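Review bot: the unconditional `*dex = 0;` after `dex = index(ttyname, ' ');` dereferences NULL whenever the tty name contains no space, which is the normal case shown just above for protocol 2 (`fatal: TTYNAME: /dev/pts/1`), so this hunk trades a failed protocol-1 login for a crash on every clean session. Guard it (`if ((dex = index(ttyname, ' ')) != NULL)`), prefer strchr over the legacy index, and keep the patch labelled as diagnostic only: a tty name with a log line appended to it means the name is being read from a buffer that something else has since written into, and truncating at the first space hides that defect rather than fixing it.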
From: anthonyu at yahoo.com (Anthon Yu) Date: Thu, 5 Apr 2001 20:25:28 -0700 (PDT) Subject: Now Protocol 2 doesn't work ;) Message-ID: <20010406032528.12394.qmail@web9612.mail.yahoo.com> Actually, this is a better workaround: --- openssh-2.5.2p2-orig/sshpty.c Sun Mar 4 19:53:03 2001 +++ openssh-2.5.2p2/sshpty.c Thu Apr 5 19:41:55 2001 @@ -296,6 +296,10 @@ gid_t gid; mode_t mode; struct stat st; + char *dex; + + if ((dex = index(ttyname, ' ')) != NULL) + *dex = 0; /* Determine the group to make the owner of the tty. */ grp = getgrnam("tty"); ===== -- Au __________________________________________________ Do You Yahoo!? Get email at your own domain with Yahoo! Mail. http://personal.mail.yahoo.com/ From linarecm at e-xtra.net.co Sat Apr 7 02:01:34 2001 From: linarecm at e-xtra.net.co (Linares, Claudia M (SAIC)) Date: Fri, 6 Apr 2001 11:01:34 -0500 Subject: error:*** zlib missing Message-ID: Hi, my Name is Claudia Linares and in this moment, I try to install the SSH in a machine Sun with Solaris 2.7. When I want to compile the software openssh-2.5.1p1 ( with Compiler CC or with gcc), I execute the command: ./configure but in this instant I view the following messages: config : error:*** zlib missing - please install first or check config .log The file config.log is this: <> Thanks for your collaboration. CML / > Claudia Monica Linares G. > SAIC - INTESA > Unix Administrator > *Tel: (57-1) 628-4666 > *Fax: (57-1) 628-4673 > *E-mail: linarecm at e-xtra.net.co -------------- next part -------------- A non-text attachment was scrubbed... Name: config.log Type: application/octet-stream Size: 3201 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010406/b861a115/attachment.obj From twalsky at planalytics.com Sat Apr 7 08:37:18 2001 
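Review bot: the NULL check removes the crash, but the hunk still writes through `ttyname`, which belongs to the caller; if the parameter is declared `const char *` (as pty_setowner's is in sshpty.c) the store discards the qualifier, and either way it silently shortens the caller's copy of the name for everything that uses it afterwards. Copy the name into a local buffer before truncating, and keep this labelled as a workaround: the appended "19:32:25 sshd[16823]: Accepted password for anthonyu" text is a log line, so the tty name is being taken from storage that the logging path later overwrites or fails to terminate, and that is what a real fix has to find.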
From: twalsky at planalytics.com (twalsky at planalytics.com) Date: Fri, 6 Apr 2001 18:37:18 -0400 Subject: man page for openssh on solaris Message-ID: <85256A26.007C447A.00@mailhost.planalytics.com> Hi ! I downloaded openssh for solaris (2.7) and compiled and installed it fine. However when I went to read the man page, it was not in "man" page format which made it difficult and extremely awkward to read. How can I get a man for open ssh that I can read? -thanx -ted walsky From mcb at ssaihq.com Sat Apr 7 08:43:39 2001 From: mcb at ssaihq.com (Stanley McBroom) Date: Fri, 06 Apr 2001 18:43:39 -0400 Subject: ./configure can't find zlib Message-ID: <3ACE469B.F614A67E@ssaihq.com> I've tried to compile OpenSSH using the ./configure script, but it always fails with the message: checking for deflate in -lz... no configure: error: *** zlib missing - please install first *** Nothing I've tried has been able to tell it where zlib lives ; I have it installed in : /usr/local/zlib/lib/libz.a (and .so) and also /usr/local/zlib/include/zlib.h (and zcinf.h) on a DEC UNIX OSF/1 version 4.0 alpha machine. I've tried the LD="/usr/local/zlib/lib" and LIBS="-lz /usr/local/zlib/lib/libz", both before and after the ./configure. I've also tried various combinations of those plus --with-ldflags="-L/usr/local/zlib/lib -lz" and --with-cflags="-I/usr/local/zlib/include", to go along with other switches ./configure --prefix=/usr/local/openssh --with-ssl-dir=/usr/local/ssl/lib \ --with-lastlog=/usr/var/adm/lastlog Somehow, my understanding of the desired syntax is off - What am I doing wrong? Thanx for any help you can give, S. McB. From markus.friedl at informatik.uni-erlangen.de Sun Apr 8 22:28:33 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sun, 8 Apr 2001 14:28:33 +0200 Subject: -n vs batch_mode vs batch_flag In-Reply-To: ; from tomh@po.crl.go.jp on Fri, Apr 06, 2001 at 08:11:11PM +0900 References: Message-ID: <20010408142833.B21495@folly> i did not invent '-n' but the manpage reads: -n Redirects stdin from /dev/null (actually, prevents reading from stdin). This must be used when ssh is run in the background. A common trick is to use this to run X11 programs on a remote ma- chine. For example, ssh -n shadows.cs.hut.fi emacs & will start an emacs on shadows.cs.hut.fi, and the X11 connection will be au- tomatically forwarded over an encrypted channel. The ssh program will be put in the background. (This does not work if ssh needs ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ to ask for a password or passphrase; see also the -f option.) ^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^ On Fri, Apr 06, 2001 at 08:11:11PM +0900, Tom Holroyd wrote: > How is -n supposed to work? When you say ssh -n, it sets stdin_null_flag > but not batch mode. When the client is choosing authmethods, there is a > batch_flag that is tested to see (presumably) if we are in batch mode or > perhaps if -n has been given. But nothing sets it. It looks like it's > supposed to point to options.batch_mode, but it's never even initialized! > > Even if it did point to batch_mode, that's independent of -n, so when you > say -n it still (tries to) ask for a password. > > % ssh -n localhost & > [1] 5220 > % tomh at localhost's password: > [1] + Suspended (tty input) ssh -n localhost > > It seems to me that -n (without -f) should mean "stdin doesn't exist, so > don't try any authmethods that ask for passwords from stdin", which would > imply that it should set batch_mode too, and batch_flag should point to > that. Or maybe batch_mode should be checked instead of batch_flag. > > Or is this all supposed to be handled somehow by ssh-askpass (which is > currently only used by ssh-agent)? 
> > Thanks, > > Dr. Tom > From mouring at etoh.eviladmin.org Mon Apr 9 03:10:27 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Sun, 8 Apr 2001 12:10:27 -0500 (CDT) Subject: man page for openssh on solaris In-Reply-To: <85256A26.007C447A.00@mailhost.planalytics.com> Message-ID: On Fri, 6 Apr 2001 twalsky at planalytics.com wrote: > > Hi ! > > I downloaded openssh for solaris (2.7) and compiled and installed it fine. > > However when I went to read the man page, it was not in "man" page format which > made it > difficult and extremely awkward to read. > How can I get a man for open ssh that I can read? > All formatted pages are in mdoc format. Pre-formatted packages are included otherwise you can use contrib/mdoc2man.pl to convert them into something readable in Solaris. - Ben From tomh at po.crl.go.jp Mon Apr 9 11:58:59 2001 
From: tomh at po.crl.go.jp (Tom Holroyd) Date: Mon, 9 Apr 2001 10:58:59 +0900 (JST) Subject: [patch] Re: -n vs batch_mode vs batch_flag In-Reply-To: <20010408142833.B21495@folly> Message-ID: On Sun, 8 Apr 2001, Markus Friedl wrote: > i did not invent '-n' but the manpage reads: > > -n Redirects stdin from /dev/null (actually, prevents reading from > stdin). This must be used when ssh is run in the background. A > common trick is to use this to run X11 programs on a remote ma- > chine. For example, ssh -n shadows.cs.hut.fi emacs & will start > an emacs on shadows.cs.hut.fi, and the X11 connection will be au- > tomatically forwarded over an encrypted channel. The ssh program > will be put in the background. (This does not work if ssh needs > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > to ask for a password or passphrase; see also the -f option.) > ^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^ Yes, I read that. Notice how ssh doesn't do what that says. > > % ssh -n localhost & > > [1] 5220 > > % tomh at localhost's password: > > [1] + Suspended (tty input) ssh -n localhost According to the man page, -n should _prevent_ reading from stdin, but it doesn't. There is a mechanism for this (batch mode) but it isn't used. I was suggesting that -n set options.batch_mode (the stuff I said about batch_flag was all wrong; if -n sets options.batch_mode it works). Here's a patch. With this, you can put ssh -n host command & in a background script (or a menu item) and it will die gracefully if a passwordless method (such as pubkey) isn't available. If you say -f then it's an error to use batch mode. --- ssh.c.old Mon Apr 9 10:44:52 2001 +++ ssh.c Mon Apr 9 10:53:35 2001 @@ -335,6 +335,7 @@ break; case 'n': stdin_null_flag = 1; + options.batch_mode = 1; break; case 'f': fork_after_authentication_flag = 1; 
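Review bot: setting `options.batch_mode = 1` inside `case 'n':` changes what `-n` means without a matching man page change, and the man page text quoted just above (which says only that `-n` prevents reading from stdin) needs updating in the same patch. It also leaves no way to get `-n` without batch mode: readconf only fills options that are still unset, so neither `-o BatchMode=no` on the command line nor `BatchMode no` in the config file will undo the assignment made here. If the intent is only "don't prompt for a password or passphrase when stdin is /dev/null", consider keying the authentication code on stdin_null_flag (or a new flag) instead of overloading BatchMode.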
@@ -533,6 +534,8 @@ /* Cannot fork to background if no command. */ if (fork_after_authentication_flag && buffer_len(&command) == 0 && !no_shell_flag) fatal("Cannot fork into background without a command to execute."); + if (fork_after_authentication_flag) + options.batch_mode = 0; /* Allocate a tty by default if no command specified. */ if (buffer_len(&command) == 0) Dr. Tom From wstearns at pobox.com Mon Apr 9 16:40:15 2001 
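Review bot: the second hunk silently resets `options.batch_mode = 0` whenever -f is given, although the accompanying text says that combining -f with batch mode "is an error"; the code reports nothing. It also clobbers an explicit BatchMode=yes passed with -o on the command line, since -o is processed in the same option loop before this point. Either fail loudly, as the preceding lines do with `fatal("Cannot fork into background without a command to execute.")`, or record separately that -n is what set batch_mode and undo only that, so the user's own setting survives.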
From: wstearns at pobox.com (William Stearns)
Date: Mon, 9 Apr 2001 02:40:15 -0400 (EDT)
Subject: Automatic ssh key installer available
Message-ID: 

Good day, all,
    I had some trouble getting ssh keys to work.  Since the different
ssh implementations use different filenames, directories, and internal
formats, it's not at all obvious how to set them up to use rsa or dsa
keys.  I finally found a sample chapter from the O'Reilly ssh book online
that covered the process (many thanks, O'Reilly; I went out to buy the
book the next day!)
    I've written a program that will set up the various keys and files
involved in an ssh connection.  One runs it on the client box like so:

    ssh-keyinstall -s TheRemoteServerName

and it sets up the local files and uses ssh and scp to set up the remote
box.  Obviously, you need a valid account and password on the remote box.
    The program can be found at

    ftp://ftp.stearns.org/pub/ssh-keyinstall/

A tar file and rh7 rpm's can be found there.
    While it hasn't been tested with all combinations, I believe it
should work with any combination of ssh.com's ssh1, openssh, ssh.com's
ssh2, and datafellows ssh1 on the client and server.  Datafellows ssh2
should also work, but I don't have a signature for that yet.
    I'd sincerely love to get any feedback about whether it works or
not for any client and server combinations, as I only have a few of the
client/server combinations available.
    Cheers,
    - Bill

(Please CC me on any discussion as I'm not subscribed to the openssh-dev
list - thanks.)

---------------------------------------------------------------------------
"Anyone who can contemplate quantum mechanics without getting dizzy
hasn't understood it."
- Niels Bohr, father of quantum mechanics, in The Code Book, Simon Singh.
--------------------------------------------------------------------------
William Stearns (wstearns at pobox.com).  Mason, Buildkernel, named2hosts,
and ipfwadm2ipchains are at:  http://www.pobox.com/~wstearns
LinuxMonth; articles for Linux Enthusiasts!  http://www.linuxmonth.com
--------------------------------------------------------------------------

From Markus.Friedl at informatik.uni-erlangen.de Mon Apr 9 17:16:36 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 9 Apr 2001 09:16:36 +0200
Subject: [patch] Re: -n vs batch_mode vs batch_flag
In-Reply-To: ; from tomh@po.crl.go.jp on Mon, Apr 09, 2001 at 10:58:59AM +0900
References: <20010408142833.B21495@folly>
Message-ID: <20010409091635.B22340@faui02.informatik.uni-erlangen.de>

On Mon, Apr 09, 2001 at 10:58:59AM +0900, Tom Holroyd wrote:
> On Sun, 8 Apr 2001, Markus Friedl wrote:
>
> > i did not invent '-n' but the manpage reads:
> >
> >   -n      Redirects stdin from /dev/null (actually, prevents reading from
> >           stdin).  This must be used when ssh is run in the background.  A
> >           common trick is to use this to run X11 programs on a remote ma-
> >           chine.  For example, ssh -n shadows.cs.hut.fi emacs & will start
> >           an emacs on shadows.cs.hut.fi, and the X11 connection will be au-
> >           tomatically forwarded over an encrypted channel.  The ssh program
> >           will be put in the background.  (This does not work if ssh needs
> >                                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >           to ask for a password or passphrase; see also the -f option.)
> >                        ^^^^^^^^^^^^^^^^^^^^^            ^^^^^^^^^^^^^
>
> Yes, I read that.  Notice how ssh doesn't do what that says.
>
> > > % ssh -n localhost &
> > > [1] 5220
> > > % tomh at localhost's password:
> > > [1] + Suspended (tty input)        ssh -n localhost

this is what the manpage says.

> According to the man page, -n should _prevent_ reading from stdin, but it
> doesn't.

ssh does not read from stdin, but from the tty.

why don't you use -f ?

-m

From hgot at ecip.tohoku.ac.jp Mon Apr 9 17:51:14 2001
From: hgot at ecip.tohoku.ac.jp (Hideaki Goto)
Date: Mon, 09 Apr 2001 16:51:14 +0900
Subject: [PATCH]: Heartbeat/Watchdog Patch
Message-ID: <200104090751.QAA22707@swift.ecip.tohoku.ac.jp>

Dear Developers,

I've released a patch against openssh-2.5.2p2.
The patch adds a heartbeat (keepalive) function to ssh(1),
and a watchdog timeout function to sshd(8).  The watchdog
timeout is intended to terminate the user's processes
as soon as possible after the link has been lost.

http://www.ecip.tohoku.ac.jp/~hgot/sources/openssh-watchdog.html

The combination of the heartbeat and the watchdog timeout
is very useful for detecting link down over unreliable
connections, especially Wireless Networks.
We are using this patch in our wireless gateway.

I'm looking for other ssh clients which are capable of sending
heartbeats to an ssh server.  PuTTY was the only one I could find.
Please let me know if you have any info.

--------
Hideaki Goto

From mats at mindbright.se Mon Apr 9 19:08:04 2001
From: mats at mindbright.se (Mats Andersson)
Date: Mon, 9 Apr 2001 11:08:04 +0200 (MEST)
Subject: [PATCH]: Heartbeat/Watchdog Patch
In-Reply-To: <200104090751.QAA22707@swift.ecip.tohoku.ac.jp>
Message-ID: 

Hi,

On Mon, 9 Apr 2001, Hideaki Goto wrote:

> I'm looking for other ssh clients which are capable of sending
> heartbeats to ssh server. PuTTY was the only one I could find. Please
> let me know if you have any info.

MindTerm available at http://www.mindbright.se/mindterm/ has had that
feature since July 1999.  Feel free to check it out.

Cheers,
/Mats

From tomh at po.crl.go.jp Mon Apr 9 18:55:33 2001
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Mon, 9 Apr 2001 17:55:33 +0900 (JST)
Subject: [patch] Re: -n vs batch_mode vs batch_flag
In-Reply-To: <20010409091635.B22340@faui02.informatik.uni-erlangen.de>
Message-ID: 

On Mon, 9 Apr 2001, Markus Friedl wrote:

> ssh does not read from stdin, but from the tty.

Yes, I misspoke, it's reading the passphrase from the tty, not stdin.
I was thinking -n meant "no input", not "no input from stdin".

> why don't you use -f ?

Because I don't want it to ask for a passphrase.  I want to have two
authentication methods available: password and publickey.  Then I want
to select a menu item from my GUI that does

    ssh -n host command &

and I want it to be in batch mode, so the password method will not be
tried, and it'll go by pubkey if it can.  So what I *really* want is
this:

    ssh -n -o 'batchmode yes' host command &

BUT I thought it would be nice if -n did this for me automatically,
just as a convenience, since it seems much clearer to me.  Maybe it's
just me.  :-)

From tomh at po.crl.go.jp Mon Apr 9 20:58:11 2001
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Mon, 9 Apr 2001 19:58:11 +0900 (JST)
Subject: input_userauth_request() vs. stateful authmethods
Message-ID: 

The way things are now, input_userauth_request() calls the authmethod,
and then does a bunch of checks, like the special case for root.  If
an authmethod requires a challenge-response conversation, these checks
are skipped, unless they are duplicated by the authmethod.  For example,
in auth2-chall.c, some of the code is duplicated (logging, sending the
reply), but the root special case is skipped.

One way to fix this, and make life easier for authmethods that require
some state to be hauled around, is to take all the post-authmethod stuff
currently in input_userauth_request(), and put it after the call to
dispatch_run() in do_authentication2().  That would simplify that code
(it's currently mostly conditional on 'authenticated') and ensure that
the root & other tests get done all the time.  (You might want to leave
the auth_log() call in there, so debug sessions keep the "Postponed"
entries.)

Dr. Tom Holroyd
"I am, as I said, inspired by the biological phenomena in which
chemical forces are used in repetitious fashion to produce all
kinds of weird effects (one of which is the author)."
    -- Richard Feynman, _There's Plenty of Room at the Bottom_

From Markus.Friedl at informatik.uni-erlangen.de Mon Apr 9 21:08:28 2001
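The restructuring Tom proposes above, worked through as an added example (this is not OpenSSH code and not the CVS fix Markus mentions in his reply). Methods return one of three results, a stateful challenge method postpones on its first packet and decides on the second, and the root special case plus the success bookkeeping run exactly once after the dispatch loop, so no method can skip them. The user names, the method names "password" and "challenge", and the secrets are constructed for the example.

```c
/*
 * Added example, not OpenSSH code: a toy SSH2 userauth loop with the
 * post-method checks moved out of the per-method path and into one
 * place after dispatch, as proposed in the thread.
 * Build: cc -std=c99 -Wall userauth_loop.c
 */
#include <stdio.h>
#include <string.h>

enum auth_result { AUTH_FAIL = 0, AUTH_OK = 1, AUTH_POSTPONED = 2 };

struct authctxt {
    const char *user;
    int permit_root_login;   /* server policy, enforced centrally */
    int challenge_sent;      /* state the challenge method keeps between packets */
    int success;             /* written only by finish_userauth() */
};

/* Constructed secrets for the example; not taken from any real system. */
#define DEMO_PASSWORD "correct horse"
#define DEMO_RESPONSE "42"

/* One-shot method: the whole decision fits in a single packet. */
static enum auth_result userauth_password(struct authctxt *a, const char *packet)
{
    (void)a;
    return strcmp(packet, DEMO_PASSWORD) == 0 ? AUTH_OK : AUTH_FAIL;
}

/* Stateful method: the first packet makes us "send" a challenge and
 * postpone; the second packet carries the response. */
static enum auth_result userauth_challenge(struct authctxt *a, const char *packet)
{
    if (!a->challenge_sent) {
        a->challenge_sent = 1;
        return AUTH_POSTPONED;
    }
    a->challenge_sent = 0;
    return strcmp(packet, DEMO_RESPONSE) == 0 ? AUTH_OK : AUTH_FAIL;
}

/* Stand-in for dispatch_run(): route one packet to the requested method. */
static enum auth_result dispatch(struct authctxt *a, const char *method, const char *packet)
{
    if (strcmp(method, "password") == 0)
        return userauth_password(a, packet);
    if (strcmp(method, "challenge") == 0)
        return userauth_challenge(a, packet);
    return AUTH_FAIL;                       /* unknown method */
}

/* The single place for post-method policy.  It runs for every method,
 * stateful or not, so the root special case cannot be skipped. */
static int finish_userauth(struct authctxt *a, enum auth_result r, const char *method)
{
    if (r == AUTH_OK && strcmp(a->user, "root") == 0 && !a->permit_root_login) {
        printf("ROOT LOGIN REFUSED (%s) for %s\n", method, a->user);
        r = AUTH_FAIL;
    }
    printf("%s %s for %s\n", r == AUTH_OK ? "Accepted" : "Failed", method, a->user);
    a->success = (r == AUTH_OK);
    return a->success;
}

/* Stand-in for do_authentication2(): feed packets until a method decides,
 * then apply policy once.  Returns 1 on successful, policy-approved auth. */
int do_authentication2(struct authctxt *a, const char *method,
                       const char *packets[], int npackets)
{
    enum auth_result r = AUTH_FAIL;
    a->success = 0;
    a->challenge_sent = 0;
    for (int i = 0; i < npackets; i++) {
        r = dispatch(a, method, packets[i]);
        if (r != AUTH_POSTPONED)
            break;
    }
    if (r == AUTH_POSTPONED)               /* conversation never completed */
        r = AUTH_FAIL;
    return finish_userauth(a, r, method);
}

int main(void)
{
    const char *pw[] = { DEMO_PASSWORD };
    const char *chall[] = { "", DEMO_RESPONSE };
    struct authctxt alice = { "alice", 0, 0, 0 };
    struct authctxt root  = { "root",  0, 0, 0 };
    do_authentication2(&alice, "password", pw, 1);     /* Accepted */
    do_authentication2(&root, "challenge", chall, 2);  /* refused by the central root check */
    return 0;
}
```

The point of the layout is the last case in main(): the challenge method itself says "OK" for root, and the refusal still happens, because the policy check lives after the loop rather than inside whichever method happened to finish.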
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 9 Apr 2001 13:08:28 +0200
Subject: input_userauth_request() vs. stateful authmethods
In-Reply-To: ; from tomh@po.crl.go.jp on Mon, Apr 09, 2001 at 07:58:11PM +0900
References: 
Message-ID: <20010409130828.B9447@faui02.informatik.uni-erlangen.de>

please try the sources from the CVS, these should be fixed.

On Mon, Apr 09, 2001 at 07:58:11PM +0900, Tom Holroyd wrote:
> The way things are now, input_userauth_request() calls the authmethod,
> and then does a bunch of checks, like the special case for root.  If
> an authmethod requires a challenge-response conversation, these checks are
> skipped, unless they are duplicated by the authmethod.  For example, in
> auth2-chall.c, some of the code is duplicated (logging, sending the
> reply), but the root special case is skipped.
>
> One way to fix this, and make life easier for authmethods that require
> some state to be hauled around, is to take all the post-authmethod stuff
> currently in input_userauth_request(), and put it after the call to
> dispatch_run() in do_authentication2().  That would simplify that code
> (it's currently mostly conditional on 'authenticated') and ensure that
> the root & other tests get done all the time.  (You might want to leave
> the auth_log() call in there, so debug sessions keep the "Postponed"
> entries.)
>
> Dr. Tom Holroyd
> "I am, as I said, inspired by the biological phenomena in which
> chemical forces are used in repetitious fashion to produce all
> kinds of weird effects (one of which is the author)."
>     -- Richard Feynman, _There's Plenty of Room at the Bottom_
>
>

From Markus.Friedl at informatik.uni-erlangen.de Mon Apr 9 21:18:58 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 9 Apr 2001 13:18:58 +0200
Subject: random openssh todo notes
In-Reply-To: ; from tomh@po.crl.go.jp on Thu, Apr 05, 2001 at 10:56:08AM +0900
References: <20010404220501.A1045@faui02.informatik.uni-erlangen.de>
Message-ID: <20010409131858.A21794@faui02.informatik.uni-erlangen.de>

On Thu, Apr 05, 2001 at 10:56:08AM +0900, Tom Holroyd wrote:
> On Wed, 4 Apr 2001, Markus Friedl wrote:
>
> > http://wwwcip.informatik.uni-erlangen.de/~msfriedl/openssh/TODO
>
> ->
>     require multiple methods for user authentication
>     (e.g. password AND public-key must both succeed to log in)
>
> I think the patch submitted by Carson Gaspar
> to implement partial authentication does this.

yes, i've seen this.

there is a similar (unfinished) patch that the TODO list is talking
about:

    http://wwwcip.informatik.uni-erlangen.de/~msfriedl/openssh/required-unfinished

i'd like to get rid of

    PasswordAuthentication yes/no
    RSAAuthentication yes/no

and move to

    SupportedAuthentications

for both SSH1/2

> ->
>     specify the order of user authentication methods the client tries
>
> PreferredAuthentications is already in 2.5.2p2.

oh yes :) i didn't say the TODO list is up-to-date :)

-m

From mouring at etoh.eviladmin.org Mon Apr 9 23:16:09 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Mon, 9 Apr 2001 08:16:09 -0500 (CDT)
Subject: [PATCH]: Heartbeat/Watchdog Patch
In-Reply-To: <200104090751.QAA22707@swift.ecip.tohoku.ac.jp>
Message-ID: 

On Mon, 9 Apr 2001, Hideaki Goto wrote:

> Dear Developers,
>
> I've released a patch against openssh-2.5.2p2.
> The patch adds heartbeat (keepalive) function to ssh(1),
> and watchdog timeout function to sshd(8). The watchdog
> timeout is intended to terminate user's processes
> as soon as possible after the link has been lost.
>
> http://www.ecip.tohoku.ac.jp/~hgot/sources/openssh-watchdog.html
>
> The combination of the heartbeat and the watchdog timeout
> is very useful for detecting link down over unreliable
> connections, especially Wireless Networks.
> We are using this patch in our wireless gateway.
>

You use SSH_MSG_IGNORE.  A lot of F-Secure clients will ignore the
message:

[..snip from compat.c]
        { "^1\\.2\\.1[89]",     SSH_BUG_IGNOREMSG },
        { "^1\\.2\\.2[012]",    SSH_BUG_IGNOREMSG },
        { "^1\\.3\\.2",         SSH_BUG_IGNOREMSG }, /* f-secure */
[..]

You need to work around these clients.

- Ben

From GILBERT.R.LOOMIS at saic.com Tue Apr 10 01:48:16 2001
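The compat.c check Ben quotes is a prefix regex over the peer's version string; the program below is an added example (not OpenSSH's code) that reproduces that lookup with only the three patterns quoted above in its table, and then builds a heartbeat payload only when the peer is not flagged. The flag's bit value, the function names and the peer version strings in main() are illustrative; the message numbers (32 for protocol 1 SSH_MSG_IGNORE, 2 for protocol 2) and the string encoding (big-endian uint32 length followed by the bytes) are the protocol's.

```c
/*
 * Added example, not OpenSSH code: the SSH_BUG_IGNOREMSG lookup from the
 * quoted compat.c entries, plus a heartbeat (SSH_MSG_IGNORE) payload
 * builder that refuses to emit one for a flagged peer.
 * Build: cc -std=c99 -Wall heartbeat_compat.c
 */
#include <regex.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSH_BUG_IGNOREMSG 0x0001   /* illustrative bit; the real value lives in compat.h */
#define SSH_MSG_IGNORE    32       /* protocol 1 message number */
#define SSH2_MSG_IGNORE   2        /* protocol 2 message number */

struct compat_entry {
    const char *pattern;   /* extended regex matched against the peer's version string */
    int         bugs;
};

/* Only the three entries quoted in the thread; the real table is longer. */
static const struct compat_entry compat_table[] = {
    { "^1\\.2\\.1[89]",  SSH_BUG_IGNOREMSG },
    { "^1\\.2\\.2[012]", SSH_BUG_IGNOREMSG },
    { "^1\\.3\\.2",      SSH_BUG_IGNOREMSG },   /* f-secure */
    { NULL, 0 }
};

/* Bug flags for a peer version string such as "1.2.22" or "OpenSSH_2.5.2p2".
 * The first matching pattern wins.  Patterns are anchored only at the start,
 * so "1.3.20" matches "^1\.3\.2" as well, which is how compat.c behaves. */
int compat_flags(const char *version)
{
    for (const struct compat_entry *e = compat_table; e->pattern != NULL; e++) {
        regex_t re;
        if (regcomp(&re, e->pattern, REG_EXTENDED | REG_NOSUB) != 0)
            continue;                      /* a broken pattern must never match */
        int hit = (regexec(&re, version, 0, NULL, 0) == 0);
        regfree(&re);
        if (hit)
            return e->bugs;
    }
    return 0;
}

/* 1 if the peer will not silently drop SSH_MSG_IGNORE, 0 otherwise. */
int heartbeat_is_safe(const char *version)
{
    return (compat_flags(version) & SSH_BUG_IGNOREMSG) == 0;
}

/* Encode an IGNORE payload: one message-type byte, then an SSH string
 * (big-endian uint32 length followed by the bytes).  Returns the number of
 * bytes written, or 0 when the peer is flagged or buf is too small. */
size_t build_ignore_payload(const char *peer_version, int proto2, const char *data,
                            unsigned char *buf, size_t buflen)
{
    if (!heartbeat_is_safe(peer_version))
        return 0;
    size_t n = strlen(data);
    if (n > UINT32_MAX || buflen < 5 + n)
        return 0;
    buf[0] = (unsigned char)(proto2 ? SSH2_MSG_IGNORE : SSH_MSG_IGNORE);
    buf[1] = (unsigned char)(n >> 24);
    buf[2] = (unsigned char)(n >> 16);
    buf[3] = (unsigned char)(n >> 8);
    buf[4] = (unsigned char)n;
    memcpy(buf + 5, data, n);
    return 5 + n;
}

int main(void)
{
    /* Constructed peer version strings, not captured from real sessions. */
    const char *peers[] = { "1.2.18", "1.2.22", "1.2.23", "1.3.2", "OpenSSH_2.5.2p2" };
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++)
        printf("%-16s heartbeat %s\n", peers[i],
               heartbeat_is_safe(peers[i]) ? "ok" : "suppressed (SSH_BUG_IGNOREMSG)");
    return 0;
}
```

A heartbeat sender that consults the table this way degrades gracefully: a flagged peer simply gets no keepalives (and any watchdog on the other side must not be armed for it), rather than having its session broken by a message it cannot parse.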
From: GILBERT.R.LOOMIS at saic.com (Loomis, Rip)
Date: Mon, 9 Apr 2001 11:48:16 -0400
Subject: error:*** zlib missing
Message-ID: <791BD3CB503DD411A6510008C7CF647701F40AD8@col-581-exs01.cist.saic.com>

Claudia--

You need to compile and install the "zlib" compression library on your
compile host, as well as the OpenSSL crypto toolkit, in order to compile
OpenSSH on Solaris 7.  You can get the source for these from their normal
distribution sites or we have a copy on a server in our lab:

1.  Zlib (currently 1.1.3):
    Homepage  http://www.info-zip.org/pub/infozip/zlib/
    Source    http://www.info-zip.org/pub/infozip/zlib/zlib.tar.gz
    Mirror    http://www.cist-east.saic.com/ftp/Sysadmin/Libraries/zlib-1.1.3.tar.gz

2.  OpenSSL (currently 0.9.6a - new release!)
    Homepage  http://www.openssl.org
    Source    ftp://ftp.openssl.org/source/openssl-0.9.6a.tar.gz
    Mirror    http://www.cist-east.saic.com/ftp/Crypto/OpenSSL/openssl-0.9.6a.tar.gz

This requirement and other information is found in the README and INSTALL
files included with the OpenSSH source code.

Please drop me an e-mail or give me a call if you have any additional
questions (others here can translate English <-> Spanish if that's
useful).

Rip Loomis                              Voice Number: (410) 953-6874
--------------------------------------------------------
Senior Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com

-----Original Message-----
From: Linares, Claudia M (SAIC) [mailto:linarecm at e-xtra.net.co]
Sent: Friday, April 06, 2001 12:02 PM
To: 'openssh at openssh.com'
Subject: error:*** zlib missing

Hi, my name is Claudia Linares and at this moment I am trying to install
SSH on a Sun machine with Solaris 2.7.  When I want to compile the
software openssh-2.5.1p1 (with the compiler CC or with gcc), I execute
the command:

    ./configure

but at this point I see the following messages:

    config : error:*** zlib missing - please install first or check config.log

The file config.log is this:

<>

Thanks for your collaboration.

CML / Claudia Monica Linares G.
SAIC - INTESA
Unix Administrator
*Tel: (57-1) 628-4666
*Fax: (57-1) 628-4673
*E-mail: linarecm at e-xtra.net.co

From graham_guttocks at yahoo.co.nz Tue Apr 10 02:36:33 2001
From: graham_guttocks at yahoo.co.nz (Graham Guttocks)
Date: Tue, 10 Apr 2001 04:36:33 +1200 (NZST)
Subject: "X11Forwarding yes" causes "error: socket: Protocol not supported"
Message-ID: <20010409163633.55277.qmail@web10301.mail.yahoo.com>

Greetings,

I'm running OpenSSH_2.5.2p2, and OpenSSL-0.9.6a, on BSD/OS 4.0.

Following the FAQ, I added the following line to my sshd_config
in order to enable X11 forwarding:

    X11Forwarding yes

Now openssh is disconnecting my sessions immediately after
authentication and login with the following error messages:

    "error: socket: Protocol not supported"
    "Disconnecting: Command terminated on signal 11."

Any ideas what the problem is?

# sshd -d
debug1: Seeded RNG with 39 bytes from programs
debug1: Seeded RNG with 3 bytes from system calls
debug1: sshd version OpenSSH_2.5.2p2
debug1: load_private_key_autodetect: type 0 RSA1
debug1: read SSH2 private key done: name rsa w/o comment success 1
debug1: load_private_key_autodetect: type 1 RSA
debug1: read SSH2 private key done: name dsa w/o comment success 1
debug1: load_private_key_autodetect: type 2 DSA
socket: Protocol not supported
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 128.165.147.151 port 858
debug1: Client protocol version 1.5; client software version OpenSSH-1.2.2
debug1: match: OpenSSH-1.2.2 pat ^OpenSSH
debug1: Local version string SSH-1.99-OpenSSH_2.5.2p2
debug1: Sent 768 bit server key and 1024 bit host key.
debug1: Encryption type: blowfish
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug1: Attempting authentication for jason.
Accepted password for jason from 128.165.147.151 port 858
debug1: session_new: init
debug1: session_new: session 0
debug1: Enabling compression at level 6.
debug1: Allocating pty.
debug1: Ignoring unsupported tty mode opcode 37 (0x25)
debug1: Ignoring unsupported tty mode opcode 52 (0x34)
debug1: Ignoring unsupported tty mode opcode 71 (0x47)
debug1: Ignoring unsupported tty mode opcode 73 (0x49)
debug1: Ignoring unsupported tty mode opcode 74 (0x4a)
debug1: Ignoring unsupported tty mode opcode 75 (0x4b)
debug1: Received request for X11 forwarding with auth spoofing.
socket: Protocol not supported
debug1: Entering interactive session.
debug1: fd 5 setting O_NONBLOCK
debug1: Setting controlling tty using TIOCSCTTY.
debug1: fd 9 IS O_NONBLOCK
debug1: server_init_dispatch_13
debug1: server_init_dispatch_15
debug1: Received SIGCHLD.
debug1: End of interactive session; stdin 0, stdout (read 712, sent 712), stderr 0 bytes.
debug1: compress outgoing: raw data 761, compressed 526, factor 0.69
debug1: compress incoming: raw data 199, compressed 192, factor 0.96
Disconnecting: Command terminated on signal 11.
debug1: Calling cleanup 0x8054864(0x80e8088)
debug1: pty_cleanup_proc: /dev/ttyp1
debug1: Calling cleanup 0x8060fd8(0x0)
debug1: Calling cleanup 0x8065bf0(0x0)
debug1: writing PRNG seed to file /root/.ssh/prng_seed

_____________________________________________________________________________
http://movies.yahoo.com.au - Yahoo! Movies
- Now showing: Dude Where's My Car, The Wedding Planner, Traffic..

From Greg.Scheidel at ed.gov Tue Apr 10 02:53:58 2001
From: Greg.Scheidel at ed.gov (Scheidel, Greg (Contractor))
Date: Mon, 9 Apr 2001 12:53:58 -0400
Subject: Running 'ssh' and 'scp' from a chroot jail (sandbox)
Message-ID: 

I have a need to have users SSH into a server where they are limited to
a chroot jail (sandbox).  Once they are there, they need to be able to
execute 'ssh' and 'scp' to other systems.

I've no problem setting up the basic chroot jail and providing basic
functionality (ls, cat, less, etc).  The part that is stopping me is
setting it up so that the user can then 'ssh' and 'scp' out.

Actually I've got it (nearly) working based on ldd and strace testing,
but it seems somewhat kludgy:

- Requires links from the chroot jail /etc to non-chroot'd /etc/tty and
  /etc/urandom (bad idea for a chroot jail?)
- 'ssh' from the chroot jailed user sees the user's home directory as
  the full non-chroot'd path
- 'scp' into the chroot jailed user home directory fails with
  'Permission denied.', despite the home directory being 777, the
  correct password being used, and 'ssh' into the chroot jailed user
  working fine

What are the bare bones requirements for enabling these binaries within
the chroot jail?  Any assistance on what I am missing here would be
appreciated.

Greg S.

PS - Apologies if this is not the proper list for a question of this
nature; it seemed the most appropriate.  If it isn't, please just let
me know.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010409/3037944d/attachment.html

From wayne at blorf.net Tue Apr 10 03:18:41 2001
From: wayne at blorf.net (Wayne Davison) Date: Mon, 9 Apr 2001 10:18:41 -0700 (PDT) Subject: [patch] Re: -n vs batch_mode vs batch_flag In-Reply-To: <20010409091635.B22340@faui02.informatik.uni-erlangen.de> Message-ID: On Mon, 9 Apr 2001, Markus Friedl wrote: > Redirects stdin from /dev/null (actually, prevents reading from > stdin). This must be used when ssh is run in the background. A > common trick is to use this to run X11 programs on a remote ma- > chine. For example, ssh -n shadows.cs.hut.fi emacs & will start > an emacs on shadows.cs.hut.fi, and the X11 connection will be au- > tomatically forwarded over an encrypted channel. The ssh program > will be put in the background. (This does not work if ssh needs > to ask for a password or passphrase; see also the -f option.) I think this could be improved a bit. The problems I have with it: - It should say explicitly that it doesn't stop authentication prompts. - Someone reading too casually might think that ssh puts the program into the background, not the shell. - A better explanation for why -n and prompts don't work well together is needed (since -n works just fine with prompting, it's the backgrounding by the shell that makes it not work right). The following patch improves this section on -n, and makes a slight tweak to the -f section. ..wayne.. ---8<------8<------8<------8<---cut here--->8------>8------>8------>8--- Index: ssh.1 @@ -399,8 +399,9 @@ to go to background just before command execution. This is useful if .Nm -is going to ask for passwords or passphrases, but the user -wants it in the background. +is going to ask for passwords or passphrases (since it needs to be +in the foreground for that), but the user +wants the command to be run in the background. This implies .Fl n . The recommended way to start X11 programs at a remote site is with 
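Review bot: in the -f hunk, the rewritten sentence still breaks mid-clause ("but the user" / "wants the command to be run in the background"); mdoc sources are kept one sentence, or at least one clause, per line so that later diffs stay readable, so reflow the three changed lines at the clause boundaries, e.g. "is going to ask for passwords or passphrases" / "(since it needs to be in the foreground for that)," / "but the user wants the command to be run in the background." The parenthetical itself is the useful addition here and reads fine.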
@@ -437,6 +438,7 @@ Redirects stdin from .Pa /dev/null (actually, prevents reading from stdin). +Does not prevent authentication prompts (which get read from /dev/tty). This must be used when .Nm is run in the background. @@ -447,12 +449,13 @@ connection will be automatically forwarded over an encrypted channel. The .Nm -program will be put in the background. -(This does not work if +program will be put in the background by the shell (because of the '&'). +This shell idiom does not work well when .Nm -needs to ask for a password or passphrase; see also the +needs to ask for a password or passphrase (because ssh will block +waiting for a foreground response from the user); see the .Fl f -option.) +option for a way to solve this. .It Fl N Do not execute a remote command. This is useful if you just want to forward ports ---8<------8<------8<------8<---cut here--->8------>8------>8------>8--- From mouring at etoh.eviladmin.org Tue Apr 10 07:34:07 2001 
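Review bot: the added line `Does not prevent authentication prompts (which get read from /dev/tty).` spells the path out in plain text while the line just above it marks `/dev/null` with `.Pa`; put `/dev/tty` on its own line as `.Pa /dev/tty` so both paths render the same way. Likewise the `'&'` in the new `program will be put in the background by the shell (because of the '&').` line is better expressed with an mdoc literal (`.Ql &`) than hand-typed quotes. The explanation of why the shell idiom fails (ssh blocking for a foreground response) is a clear improvement over the old parenthetical.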
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Mon, 9 Apr 2001 16:34:07 -0500 (CDT)
Subject: "X11Forwarding yes" causes "error: socket: Protocol not supported"
In-Reply-To: <20010409163633.55277.qmail@web10301.mail.yahoo.com>
Message-ID: 

What client?

On Tue, 10 Apr 2001, [iso-8859-1] Graham Guttocks wrote:

> Greetings,
>
> I'm running OpenSSH_2.5.2p2, and OpenSSL-0.9.6a, on BSD/OS 4.0.
>
> Following the FAQ, I added the following line to my sshd_config
> in order to enable X11 forwarding:
>
> X11Forwarding yes
>
> Now openssh is disconnecting my sessions immediately after
> authentication and login with the following error messages:
>
> "error: socket: Protocol not supported"
> "Disconnecting: Command terminated on signal 11."
>
> Any ideas what the problem is?
>
> # sshd -d
> debug1: Seeded RNG with 39 bytes from programs
> debug1: Seeded RNG with 3 bytes from system calls
> debug1: sshd version OpenSSH_2.5.2p2
> debug1: load_private_key_autodetect: type 0 RSA1
> debug1: read SSH2 private key done: name rsa w/o comment success 1
> debug1: load_private_key_autodetect: type 1 RSA
> debug1: read SSH2 private key done: name dsa w/o comment success 1
> debug1: load_private_key_autodetect: type 2 DSA
> socket: Protocol not supported
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> Generating 768 bit RSA key.
> RSA key generation complete.
> debug1: Server will not fork when running in debugging mode.
> Connection from 128.165.147.151 port 858
> debug1: Client protocol version 1.5; client software version OpenSSH-1.2.2
> debug1: match: OpenSSH-1.2.2 pat ^OpenSSH
> debug1: Local version string SSH-1.99-OpenSSH_2.5.2p2
> debug1: Sent 768 bit server key and 1024 bit host key.
> debug1: Encryption type: blowfish
> debug1: Received session key; encryption turned on.
> debug1: Installing crc compensation attack detector.
> debug1: Attempting authentication for jason.
> Accepted password for jason from 128.165.147.151 port 858
> debug1: session_new: init
> debug1: session_new: session 0
> debug1: Enabling compression at level 6.
> debug1: Allocating pty.
> debug1: Ignoring unsupported tty mode opcode 37 (0x25)
> debug1: Ignoring unsupported tty mode opcode 52 (0x34)
> debug1: Ignoring unsupported tty mode opcode 71 (0x47)
> debug1: Ignoring unsupported tty mode opcode 73 (0x49)
> debug1: Ignoring unsupported tty mode opcode 74 (0x4a)
> debug1: Ignoring unsupported tty mode opcode 75 (0x4b)
> debug1: Received request for X11 forwarding with auth spoofing.
> socket: Protocol not supported
> debug1: Entering interactive session.
> debug1: fd 5 setting O_NONBLOCK
> debug1: Setting controlling tty using TIOCSCTTY.
> debug1: fd 9 IS O_NONBLOCK
> debug1: server_init_dispatch_13
> debug1: server_init_dispatch_15
> debug1: Received SIGCHLD.
> debug1: End of interactive session; stdin 0, stdout (read 712, sent 712),
> stderr 0 bytes.
> debug1: compress outgoing: raw data 761, compressed 526, factor 0.69
> debug1: compress incoming: raw data 199, compressed 192, factor 0.96
> Disconnecting: Command terminated on signal 11.
> debug1: Calling cleanup 0x8054864(0x80e8088)
> debug1: pty_cleanup_proc: /dev/ttyp1
> debug1: Calling cleanup 0x8060fd8(0x0)
> debug1: Calling cleanup 0x8065bf0(0x0)
> debug1: writing PRNG seed to file /root/.ssh/prng_seed
>
>
>
> _____________________________________________________________________________
> http://movies.yahoo.com.au - Yahoo! Movies
> - Now showing: Dude Where's My Car, The Wedding Planner, Traffic..
>

From denebeim at deepthot.org Tue Apr 10 11:00:07 2001
From: denebeim at deepthot.org (Jay Denebeim)
Date: Mon, 9 Apr 2001 18:00:07 -0700 (MST)
Subject: Securid revisited
Message-ID: 

I read the thread on securid back in March.  openssh doesn't support it
because it's proprietary, right?  I understand that, however I've still
got a problem.

Work uses securid *exclusively* using ssh2.  It uses an authentication
protocol of securid-1 at ssh.com.  The client side does *not* need the
securid proprietary stuff, no need for the include files or the library.

So, given that, is there any reason securid couldn't be supported on the
client side talking to an ssh2 server?  I *really* don't want to put
ssh2 on my systems at home.

Jay
--
*  Jay Denebeim  Moderator rec.arts.sf.tv.babylon5.moderated  *
*  newsgroup submission address: b5mod at deepthot.org         *
*  moderator contact address: b5mod-request at deepthot.org    *
*  personal contact address: denebeim at deepthot.org          *

From hgot at ecip.tohoku.ac.jp Tue Apr 10 11:27:10 2001
From: hgot at ecip.tohoku.ac.jp (Hideaki Goto)
Date: Tue, 10 Apr 2001 10:27:10 +0900
Subject: [PATCH]: Heartbeat/Watchdog Patch
In-Reply-To: Your message of "Mon, 09 Apr 2001 08:16:09 JST."
Message-ID: <200104100127.KAA03119@swift.ecip.tohoku.ac.jp>

Are you connecting F-Secure clients to OpenSSH's server?
How does it affect the server?

Ben wrote:
>> You use SSH_MSG_IGNORE.  A lot of F-Secure clients will ignore the
>> message:
>>
>> [..snip from compat.c]
>>         { "^1\\.2\\.1[89]",     SSH_BUG_IGNOREMSG },
>>         { "^1\\.2\\.2[012]",    SSH_BUG_IGNOREMSG },
>>         { "^1\\.3\\.2",         SSH_BUG_IGNOREMSG }, /* f-secure */
>> [..]
>>
>> You need to work around these clients.

SSH_MSG_IGNORE is sent only from clients to the server.

--------
Hideaki Goto

From hgot at ecip.tohoku.ac.jp Tue Apr 10 11:31:46 2001
From: hgot at ecip.tohoku.ac.jp (Hideaki Goto)
Date: Tue, 10 Apr 2001 10:31:46 +0900
Subject: [PATCH]: Heartbeat/Watchdog Patch
In-Reply-To: Your message of "Mon, 09 Apr 2001 11:08:04 JST."
Message-ID: <200104100131.KAA03178@swift.ecip.tohoku.ac.jp>

Thanks Mats,

Mats Andersson wrote:
>> On Mon, 9 Apr 2001, Hideaki Goto wrote:
>> > I'm looking for other ssh clients which are capable of sending
>> > heartbeats to ssh server. PuTTY was the only one I could find. Please
>> > let me know if you have any info.
>>
>> MindTerm available at http://www.mindbright.se/mindterm/ has had that
>> feature since july 1999. Feel free to check it out.

But it always crashes my Navigator...

--------
Hideaki Goto

From dan at latestwave.com Tue Apr 10 10:21:39 2001
From: dan at latestwave.com (Dan Mouw)
Date: Mon, 9 Apr 2001 20:21:39 -0400
Subject: open ssl
References: <3AD20C19.ECC710B@exp.pmh.org> <20010410011305.C14844@serv01.aet.tu-cottbus.de>
Message-ID: <001201c0c154$3600a740$178878d8@thelatestwave.net>

I am trying to get any version of sshd working on a cobalt raq3/4 (one
of each).  I tried ssh.com's version (1.2.31) and I got linking errors.
I am going to try to install openssh, but I need to install openssl, and
was wondering if that will mess up the web server on the raqs.  Any
responses are welcome.

errors:

gcc -pipe -c -I. -I./gmp-2.0.2-ssh-2 -I./zlib-1.0.4 -DHAVE_CONFIG_H
-DHOST_KEY_FILE=\"/etc/ssh_host_key\" -DHOST_CONFIG_FILE=\"/etc/ssh_config\"
-DSERVER_CONFIG_FILE=\"/etc/sshd_config\" -DSSH_PROGRAM=\"/usr/local/bin/ssh1\"
-DETCDIR=\"/etc\" -DPIDDIR=\"/var/run\" -DSSH_BINDIR=\"/usr/local/bin\"
-DTIS_MAP_FILE=\"/etc/sshd_tis.map\" -D_GNU_SOURCE -g -O2 ssh.c
In file included from /usr/include/errno.h:36,
                 from includes.h:167,
                 from ssh.c:199:
/usr/include/bits/errno.h:25: linux/errno.h: No such file or directory
In file included from /usr/include/signal.h:300,
                 from includes.h:170,
                 from ssh.c:199:
/usr/include/bits/sigcontext.h:28: asm/sigcontext.h: No such file or directory
In file included from /usr/include/bits/posix1_lim.h:126,
                 from /usr/include/limits.h:30,
                 from /usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/include/limits.h:117,
                 from /usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/include/syslimits.h:7,
                 from /usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/include/limits.h:11,
                 from /usr/include/bits/socket.h:31,
                 from /usr/include/sys/socket.h:34,
                 from includes.h:219,
                 from ssh.c:199:
/usr/include/bits/local_lim.h:27: linux/limits.h: No such file or directory
In file included from /usr/include/sys/socket.h:34,
                 from includes.h:219,
                 from ssh.c:199:
/usr/include/bits/socket.h:295: asm/socket.h: No such file or directory
In file included from includes.h:170,
                 from ssh.c:199:
/usr/include/signal.h:303: warning: `struct sigcontext' declared inside parameter list
/usr/include/signal.h:303: warning: its scope is only this definition or declaration,
/usr/include/signal.h:303: warning: which is probably not what you want.
ssh.c: In function `main':
ssh.c:418: storage size of `ws' isn't known
ssh.c:903: `TIOCGWINSZ' undeclared (first use in this function)
ssh.c:903: (Each undeclared identifier is reported only once
ssh.c:903: for each function it appears in.)
make: *** [ssh.o] Error 1

From jakob at crt.se Tue Apr 10 18:48:39 2001
From: jakob at crt.se (Jakob Schlyter)
Date: Tue, 10 Apr 2001 10:48:39 +0200 (CEST)
Subject: Securid revisited
In-Reply-To: 
Message-ID: 

On Mon, 9 Apr 2001, Jay Denebeim wrote:

> Work use securid *exclusively* using ssh2.  It uses an authentication
> protocol of securid-1 at ssh.com.  The client side does *not* need the
> securid proprietary stuff, no need for the include files or the library.

why doesn't ssh2 use keyboard-interactive instead? this is one of the
things it was designed for. we use it for crypto-card authentication.

    /Jakob

--
Jakob Schlyter                        Network Analyst
Phone: +46 31 701 42 13, +46 70 595 07 94
Carlstedt Research & Technology

From Markus.Friedl at informatik.uni-erlangen.de Tue Apr 10 18:55:10 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 10 Apr 2001 10:55:10 +0200
Subject: Securid revisited
In-Reply-To: ; from denebeim@deepthot.org on Mon, Apr 09, 2001 at 06:00:07PM -0700
References: 
Message-ID: <20010410105510.C28068@faui02.informatik.uni-erlangen.de>

On Mon, Apr 09, 2001 at 06:00:07PM -0700, Jay Denebeim wrote:
> I read the thread on securid back in march.  openssh doesn't support it
> because it's proprietary, right?  I understand that, however I've still
> got a problem.

i think we could even add the securid changes to openssh-portable.
we already support proprietary AIX authentication things.

however, the securid patch needs some work.
is there an up-to-date patch?

> Work use securid *exclusively* using ssh2.  It uses an authentication
> protocol of securid-1 at ssh.com.  The client side does *not* need the
> securid proprietary stuff, no need for the include files or the library.

SSH.com uses a proprietary protocol instead of the standard
keyboard-interactive authentication.

> So, given that, is there any reason securid couldn't be supported on the
> client side talking to an ssh2 server?  I *really* don't want to put ssh2
> on my systems at home.

send me a spec of securid-1 at ssh.com and i'll look into this.

-m

From aspa at kronodoc.fi Tue Apr 10 20:58:17 2001
From: aspa at kronodoc.fi (Marko Asplund)
Date: Tue, 10 Apr 2001 13:58:17 +0300 (EEST)
Subject: [PATCH]: Heartbeat/Watchdog Patch
In-Reply-To: <200104100131.KAA03178@swift.ecip.tohoku.ac.jp>

On Tue, 10 Apr 2001, Hideaki Goto wrote:

> Thanks Mats,
>
> Mats Andersson wrote:
>
> >> On Mon, 9 Apr 2001, Hideaki Goto wrote:
> >>
> >> > I'm looking for other ssh clients which are capable of sending
> >> > heartbeats to ssh server. PuTTY was the only one I could find. Please
> >> > let me know if you have any info.
> >>
> >> MindTerm available at http://www.mindbright.se/mindterm/ has had that
> >> feature since july 1999. Feel free to check it out.
>
> But it always crashes my Navigator...

you could try running MindTerm as an application.

best regards,

--
aspa

From: mats at mindbright.se (Mats Andersson)
Date: Tue, 10 Apr 2001 14:10:58 +0200 (MEST)
Subject: [PATCH]: Heartbeat/Watchdog Patch
In-Reply-To: <200104100131.KAA03178@swift.ecip.tohoku.ac.jp>

Hi,

On Tue, 10 Apr 2001, Hideaki Goto wrote:

> Mats Andersson wrote:
>
> >> On Mon, 9 Apr 2001, Hideaki Goto wrote:
> >>
> >> > I'm looking for other ssh clients which are capable of sending
> >> > heartbeats to ssh server. PuTTY was the only one I could find. Please
> >> > let me know if you have any info.
> >>
> >> MindTerm available at http://www.mindbright.se/mindterm/ has had that
> >> feature since july 1999. Feel free to check it out.
>
> But it always crashes my Navigator...

Ouch! Well, it seems that there is something in the code triggering a bug
in the Netscape JVM (on Unix), not very uncommon, there are quite a few in
Netscape... :-) We are looking into some workaround for this. In the
mean-time you can always run it standalone.

Cheers,
/Mats

From: dean.domikulic at pbz.hr (Dean Luka Domikulić)
Date: Tue, 10 Apr 2001 16:23:59 +0200
Subject: Compiling openssh 2.5.p1 on unixware 7.0.1

Hi.

I'm trying to compile openssh 2.5.p1 (latest)
on sco unixware 7.0.1 and I'm getting
this error in make:

cc -o sshd sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o
auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o
auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o dh.o sshpty.o log-server.o
sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o
groupaccess.o -L. -Lopenbsd-compat/ -L/usr/local/lib -L/usr/local/ssl/lib
-L/usr/local/ssl/lib -lssh -lopenbsd-compat -lz -lsocket -lnsl -lgen
-lcrypto
Undefined                       first referenced
 symbol                             in file
getspnam                            auth.o
UX:ld: ERROR: sshd: fatal error: Symbol referencing errors. No output
written to sshd
make: *** [sshd] Error 1

Basically some problems with getspnam. I checked on the internet and some
solutions are to look in LIBS for -lgen, but from the output it looks like
it is looking in lgen. Is there some workaround?

Here is the output from configure:

# ./configure
loading cache ./config.cache
checking for gcc... (cached) cc
checking whether the C compiler (cc ) works... yes
checking whether the C compiler (cc ) is a cross-compiler... no
checking whether we are using GNU C... (cached) no
checking whether cc accepts -g... (cached) yes
checking host system type... i586-sco-sysv5uw7.0.1
checking how to run the C preprocessor... (cached) cc -E
checking for ranlib... (cached) :
checking for a BSD compatible install... ./install-sh -c
checking for ar... (cached) /usr/bin/ar
checking for perl... (cached) /usr/bin/perl
checking for ent... no
checking for filepriv... (cached) /sbin/filepriv
checking for bash... (cached) /usr/bin/ksh
checking for ksh... (cached) /usr/bin/ksh
checking for sh... (cached) /usr/bin/ksh
checking for login... (cached) /usr/bin/login
checking for inline... (cached) no
checking for yp_match in -lnsl... (cached) yes
checking for main in -lsocket... (cached) yes
checking for innetgr in -lrpc... (cached) no
checking for getspnam in -lgen... (cached) no
checking for deflate in -lz... (cached) yes
checking for login in -lutil... (cached) no
checking for regcomp... (cached) yes
checking for strcasecmp... (cached) yes
checking for utimes... (cached) yes
checking for bstring.h... (cached) no
checking for endian.h... (cached) no
checking for floatingpoint.h... (cached) no
checking for getopt.h... (cached) no
checking for lastlog.h... (cached) yes
checking for limits.h... (cached) yes
checking for login.h... (cached) no
checking for login_cap.h... (cached) no
checking for maillock.h... (cached) yes
checking for netdb.h... (cached) yes
checking for netgroup.h... (cached) no
checking for netinet/in_systm.h... (cached) yes
checking for paths.h... (cached) yes
checking for poll.h... (cached) yes
checking for pty.h... (cached) no
checking for regex.h... (cached) yes
checking for shadow.h... (cached) yes
checking for security/pam_appl.h... (cached) no
checking for sys/bitypes.h... (cached) yes
checking for sys/bsdtty.h... (cached) no
checking for sys/cdefs.h... (cached) yes
checking for sys/poll.h... (cached) yes
checking for sys/queue.h... (cached) no
checking for sys/select.h... (cached) yes
checking for sys/stat.h... (cached) yes
checking for sys/stropts.h... (cached) yes
checking for sys/sysmacros.h... (cached) yes
checking for sys/time.h... (cached) yes
checking for sys/ttcompat.h... (cached) no
checking for sys/un.h... (cached) yes
checking for stddef.h... (cached) yes
checking for time.h... (cached) yes
checking for ttyent.h... (cached) no
checking for usersec.h... (cached) no
checking for util.h... (cached) no
checking for utime.h... (cached) yes
checking for utmp.h... (cached) yes
checking for utmpx.h... (cached) yes
checking for vis.h... (cached) no
checking for arc4random... (cached) no
checking for atexit... (cached) yes
checking for b64_ntop... (cached) no
checking for bcopy... (cached) yes
checking for bindresvport_sa... (cached) no
checking for clock... (cached) yes
checking for fchown... (cached) yes
checking for fchmod... (cached) yes
checking for freeaddrinfo... (cached) yes
checking for futimes... (cached) no
checking for gai_strerror... (cached) yes
checking for getcwd... (cached) yes
checking for getaddrinfo... (cached) yes
checking for getgrouplist... (cached) no
checking for getnameinfo... (cached) yes
checking for getrlimit... (cached) yes
checking for getrusage... (cached) yes
checking for getttyent... (cached) no
checking for inet_aton... (cached) yes
checking for inet_ntoa... (cached) yes
checking for innetgr... (cached) yes
checking for login_getcapbool... (cached) no
checking for md5_crypt... (cached) no
checking for memmove... (cached) yes
checking for mkdtemp... (cached) no
checking for on_exit... (cached) no
checking for openpty... (cached) no
checking for realpath... (cached) yes
checking for rresvport_af... (cached) no
checking for setdtablesize... (cached) no
checking for setenv... (cached) no
checking for seteuid... (cached) yes
checking for setlogin... (cached) no
checking for setproctitle... (cached) no
checking for setreuid... (cached) yes
checking for setrlimit... (cached) yes
checking for setsid... (cached) yes
checking for sigaction... (cached) yes
checking for sigvec... (cached) no
checking for snprintf... (cached) yes
checking for strerror... (cached) yes
checking for strlcat... (cached) no
checking for strlcpy... (cached) no
checking for strmode... (cached) no
checking for strsep... (cached) no
checking for strtok_r... (cached) yes
checking for sysconf... (cached) yes
checking for tcgetpgrp... (cached) yes
checking for utimes... (cached) yes
checking for vsnprintf... (cached) yes
checking for vhangup... (cached) no
checking for vis... (cached) no
checking for waitpid... (cached) yes
checking for _getpty... (cached) no
checking for __b64_ntop... (cached) no
checking for gettimeofday... (cached) yes
checking for time... (cached) yes
checking for libutil.h... (cached) no
checking for login... (cached) no
checking for logout... (cached) no
checking for updwtmp... (cached) yes
checking for logwtmp... (cached) no
checking for endutent... (cached) yes
checking for getutent... (cached) yes
checking for getutid... (cached) yes
checking for getutline... (cached) yes
checking for pututline... (cached) yes
checking for setutent... (cached) yes
checking for utmpname... (cached) yes
checking for endutxent... (cached) yes
checking for getutxent... (cached) yes
checking for getutxid... (cached) yes
checking for getutxline... (cached) yes
checking for pututxline... (cached) yes
checking for setutxent... (cached) yes
checking for utmpxname... (cached) yes
checking for getuserattr... (cached) no
checking for getuserattr in -ls... (cached) no
checking for login... (cached) no
checking for login in -lbsd... (cached) no
checking for daemon... (cached) no
checking for daemon in -lbsd... (cached) no
checking for getpagesize... (cached) yes
checking whether snprintf correctly terminates long strings... yes
checking whether getpgrp takes no argument... (cached) yes
checking for strftime... (cached) yes
checking for OpenSSL directory... (cached) /usr/local/ssl
checking for RSA support... yes
checking size of char... (cached) 1
checking size of short int... (cached) 2
checking size of int... (cached) 4
checking size of long int... (cached) 4
checking size of long long int... (cached) 8
checking for u_int type... (cached) yes
checking for intXX_t types... (cached) no
checking for int64_t type... (cached) no
checking for u_intXX_t types... (cached) no
checking for u_int64_t types... (cached) no
checking for intXX_t and u_intXX_t types in sys/bitypes.h... yes
checking for uintXX_t types... (cached) no
checking for socklen_t... (cached) no
checking for size_t... (cached) yes
checking for ssize_t... (cached) yes
checking for clock_t... (cached) yes
checking for sa_family_t... (cached) yes
checking for pid_t... (cached) yes
checking for mode_t... (cached) yes
checking for struct sockaddr_storage... (cached) no
checking for struct sockaddr_in6... (cached) yes
checking for struct in6_addr... (cached) yes
checking for struct addrinfo... (cached) yes
checking for struct timeval... (cached) yes
checking for ut_host field in utmp.h... (cached) no
checking for ut_host field in utmpx.h... (cached) yes
checking for syslen field in utmpx.h... (cached) yes
checking for ut_pid field in utmp.h... (cached) yes
checking for ut_type field in utmp.h... (cached) yes
checking for ut_type field in utmpx.h... (cached) yes
checking for ut_tv field in utmp.h... (cached) no
checking for ut_id field in utmp.h... (cached) yes
checking for ut_id field in utmpx.h... (cached) yes
checking for ut_addr field in utmp.h... (cached) no
checking for ut_addr field in utmpx.h... (cached) no
checking for ut_addr_v6 field in utmp.h... (cached) no
checking for ut_addr_v6 field in utmpx.h... (cached) no
checking for ut_exit field in utmp.h... (cached) yes
checking for ut_time field in utmp.h... (cached) yes
checking for ut_time field in utmpx.h... (cached) yes
checking for ut_tv field in utmpx.h... (cached) yes
checking for st_blksize in struct stat... (cached) yes
checking for sun_len field in struct sockaddr_un... (cached) no
checking for ss_family field in struct sockaddr_storage... (cached) no
checking for __ss_family field in struct sockaddr_storage... (cached) no
checking for pw_class field in struct passwd... (cached) no
checking if libc defines __progname... (cached) no
checking if libc defines sys_errlist... (cached) yes
checking if libc defines sys_nerr... (cached) yes
checking for rsh... (cached) /usr/bin/rsh
checking for xauth... (cached) /usr/X/bin/xauth
checking for /dev/ptmx... (cached) yes
checking for /dev/ptc... (cached) no
checking for /dev/urandom... (cached) no
checking for PRNGD/EGD socket... not found
checking for ls... (cached) /usr/bin/ls
checking for netstat... (cached) /usr/bin/netstat
checking for arp... (cached) /usr/sbin/arp
checking for ifconfig... (cached) /usr/sbin/ifconfig
checking for ps... (cached) /sbin/ps
checking for w... (cached) /usr/bin/w
checking for who... (cached) /sbin/who
checking for last... (cached) /usr/bin/last
checking for lastlog... no
checking for df... (cached) /sbin/df
checking for vmstat... no
checking for uptime... (cached) /usr/bin/uptime
checking for ipcs... (cached) /usr/bin/ipcs
checking for tail... (cached) /usr/bin/tail
checking if the systems has expire shadow information... yes
checking if we need to convert IPv4 in IPv6-mapped addresses... no (default)
checking whether to install ssh as suid root... no
checking if your system defines LASTLOG_FILE... no
checking if your system defines _PATH_LASTLOG... no
checking if your system defines UTMP_FILE... yes
checking if your system defines WTMP_FILE... yes
checking if your system defines UTMPX_FILE... yes
checking if your system defines WTMPX_FILE... yes
checking for Cygwin environment... (cached) no
checking for mingw32 environment... (cached) no
checking for executable suffix... (cached) no
creating ./config.status
creating Makefile
creating openbsd-compat/Makefile
creating ssh_prng_cmds
creating config.h
config.h is unchanged

OpenSSH configured has been configured with the following options.
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/man/catX
PID file: /usr/local/etc
Random number collection: Builtin (timeout 200)
Manpage format: cat
PAM support: no
KerberosIV support: no
AFS support: no
S/KEY support: no
TCP Wrappers support: no
MD5 password support: no
IP address in $DISPLAY hack: no
Use IPv4 by default hack: no
Translate v4 in v6 hack: no

Host: i586-sco-sysv5uw7.0.1
Compiler: cc
Compiler flags: -g
Preprocessor flags: -I/usr/local/include -I/usr/local/ssl/include
Linker flags: -L/usr/local/lib -L/usr/local/ssl/lib
Libraries: -lz -lsocket -lnsl -lcrypto

WARNING: you are using the builtin random number collection service.
Please read WARNING.RNG and request that your OS vendor includes
/dev/random in future versions of their OS.

From: dongra at nortelnetworks.com (Don Graves)
Date: Tue, 10 Apr 2001 10:53:27 -0300
Subject: configurable authenticator
Message-ID: <3AD31057.8941433E@nortelnetworks.com>

G'day,

I am new to the list, but not to ssh. I have been testing openssh for a
while, and in the process, I have been able to modify it to meet a special
need. I'll try to explain:

I have a need to use an external password authentication mechanism in
conjunction with sshd. The way it works is sshd sends the userid and
password to another program that lives on the same machine as the sshd
server via stdin. This external authenticator takes the userid and
password, performs the authentication (uses its own method) and returns an
exit code of 0 on success (authenticated) and non-0 on failure (not
authenticated). The sshd server uses this to determine whether or not the
user is allowed to remain connected.

I have set it up so that sshd needs to know almost nothing about the
external authenticator. It just knows that it accepts the userid and
password via stdin, and that it exits with zero or not. The external
authenticator is configured in sshd_config something like so:

ExternalAuthenticator /usr/local/bin/ext_auth

In my case, ext_auth is a compiled C program that calls up a central
authentication server, and it does its own syslogging.

I chose to use stdin because passing the password via commandline or a
temp file are obviously insecure methods. This way, the password only
lives in memory (plus it never goes over the network).

The reason for making this configurable was to make it so that we could
upgrade ext_auth without ever having to touch sshd code. Also, this gives
us an opportunity to centrally control which users are able to connect to
which unix servers (we have thousands of them). ext_auth could potentially
be anything you want it to be (hook into securid if you want).

My questions:

1) Would this type of thing be useful to anyone else?
2) Did I reinvent the wheel (keep in mind I did this last summer, then put
it aside for several months)?

3) Would I be able to get this feature into the openssh release cycle
somehow? We don't want to have to edit each new version of openssh. :-)

Any feedback (positive or negative) would be greatly appreciated.

Thanks,
Don Graves

From: graham_guttocks at yahoo.co.nz (Graham Guttocks)
Date: Wed, 11 Apr 2001 03:08:50 +1200 (NZST)
Subject: "X11Forwarding yes" causes "error: socket: Protocol not supported"
Message-ID: <20010410150850.69502.qmail@web10302.mail.yahoo.com>

mouring at etoh.eviladmin.org wrote:

> What client?

OpenSSH-1.2.2 on Linux.

Regards,
Graham

_____________________________________________________________________________
http://movies.yahoo.com.au - Yahoo! Movies
- Now showing: Dude Where's My Car, The Wedding Planner, Traffic..

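Don Graves's ExternalAuthenticator design (userid and password handed to a helper on stdin, verdict returned as an exit status) can be exercised end to end with the following added example. It is written for this page and is neither Don's patch nor OpenSSH code: the two-line stdin protocol (user, then password), the helper name, the credential table and the PBKDF2 parameters are all assumptions made here. Imported, the module is the sshd-side caller; run as a script, the same file acts as the helper, so the round trip works offline.

```python
"""Added example: an ExternalAuthenticator-style helper and the sshd-side
caller in one file.  Imported, this module is the caller; executed as a
script, it is the helper.  Not Don Graves's patch and not OpenSSH code;
the two-line stdin protocol (user, then password), the credential table
and the PBKDF2 parameters are assumptions."""
import hashlib
import hmac
import os
import stat
import subprocess
import sys

PBKDF2_ROUNDS = 50_000           # illustrative; tune for the deployment
SALT = b"constructed-demo-salt"  # a real table stores a per-user random salt


def _digest(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, PBKDF2_ROUNDS)


# Constructed credential table standing in for the central server the
# helper would normally query.  Salted digests only, never plaintext.
USERS = {
    "alice": _digest("correct horse battery staple"),
    "bob": _digest("hunter2"),
}
DUMMY = _digest("")  # compared for unknown users so timing stays uniform


def helper_check(user, password):
    """Helper-side decision using the exit-code contract: 0 = authenticated,
    1 = rejected.  compare_digest avoids leaking how long the matching
    prefix was."""
    expected = USERS.get(user, DUMMY)
    matched = hmac.compare_digest(expected, _digest(password))
    return 0 if (matched and user in USERS) else 1


def helper_main(stream=None):
    """Read 'user\\npassword\\n' from stdin and return the exit status."""
    stream = stream or sys.stdin
    user = stream.readline().rstrip("\n")
    password = stream.readline().rstrip("\n")
    return helper_check(user, password)


def helper_mode_ok(mode):
    """The helper runs with sshd's privileges, so its binary must not be
    writable by group or other, the same test sshd's StrictModes applies
    to authorized_keys files.  mode is an st_mode value."""
    return (mode & (stat.S_IWGRP | stat.S_IWOTH)) == 0


def external_authenticate(command, user, password, timeout=10):
    """sshd-side caller: credentials go over stdin (never argv, which ps
    shows, and never a temp file); only the exit status comes back.  Any
    error, timeout or protocol ambiguity fails closed."""
    if "\n" in user or "\n" in password:
        return False  # a newline would desynchronise the line protocol
    try:
        proc = subprocess.run(
            command,
            input=f"{user}\n{password}\n".encode(),
            env={"PATH": "/usr/bin:/bin"},  # do not leak sshd's environment
            capture_output=True,
            timeout=timeout,
        )
    except (OSError, subprocess.TimeoutExpired):
        return False
    return proc.returncode == 0


def self_command():
    """Command line that runs this very file as the helper."""
    return [sys.executable, os.path.abspath(__file__)]


if __name__ == "__main__":
    if sys.argv[1:] == ["--demo"]:
        for u, p in [("alice", "correct horse battery staple"),
                     ("alice", "wrong"), ("mallory", "")]:
            verdict = external_authenticate(self_command(), u, p)
            print(f"{u}: {'accepted' if verdict else 'rejected'}")
    else:
        sys.exit(helper_main())
```

Run `python ext_auth_demo.py --demo` to see the caller spawn the helper for three constructed logins. The caller never interprets anything but the exit status, which is exactly the narrow contract Don describes; it also strips the environment, enforces a timeout and rejects embedded newlines, because a helper that inherits sshd's environment or hangs forever is the usual way such a hook turns into a problem. `helper_mode_ok` is the check a caller should apply to the configured path before executing it.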
From: Nigel.Metheringham at InTechnology.co.uk (Nigel Metheringham)
Date: Tue, 10 Apr 2001 16:24:25 +0100
Subject: "X11Forwarding yes" causes "error: socket: Protocol not supported"
In-Reply-To: Message from Graham Guttocks of "Tue, 10 Apr 2001 04:36:33 +1200." <20010409163633.55277.qmail@web10301.mail.yahoo.com>

graham_guttocks at yahoo.co.nz said:
> Now openssh is disconnecting my sessions immediately after
> authentication and login with the following error messages:
> "error: socket: Protocol not supported" "Disconnecting: Command
> terminated on signal 11."

Most likely that you have an entry in your /etc/hosts that maps your
machine name to 127.0.0.1

X appears to special case localhost connections, and use unix sockets
rather than inet ones. Openssh cannot X forward from unix sockets.

You should see 127.0.0.1 in the authenticated list if you do
    xauth -n list

Change your hosts entry so that it uses the ip address of a real interface
for this. If your interfaces are dynamic and so you can't easily get an
ip address, you might find you can safely set the hosts file value to
127.0.0.2 (really - it seems to work OK!).

Nigel.
--
[ Nigel Metheringham           Nigel.Metheringham at InTechnology.co.uk ]
[ Phone: +44 1423 850000                         Fax +44 1423 858866 ]
[ - Comments in this message are my own and not ITO opinion/policy - ]

From: denebeim at deepthot.org (Jay Denebeim)
Date: Tue, 10 Apr 2001 08:40:19 -0700 (MST)
Subject: Securid revisited

On Tue, 10 Apr 2001, Jakob Schlyter wrote:

> On Mon, 9 Apr 2001, Jay Denebeim wrote:
>
> > Work use securid *exclusively* using ssh2. It uses an authentication
> > protocol of securid-1 at ssh.com. The client side does *not* need the
> > securid proprietary stuff, no need for the include files or the library.
>
> why doesn't ssh2 use keyboard-interactive instead? this is one of the things
> it was designed for. we use it for crypto-card authentication.

I don't know. Actually I don't know much about this whole technology, I've
just installed it, and know in very general terms what is going on here.
I was reading in the man pages for ssh2, and I did not run across a
'keyboard-interactive' authentication protocol. There is one that calls a
program, but I don't know if that's one openssh uses.

Jay
--
* Jay Denebeim  Moderator rec.arts.sf.tv.babylon5.moderated        *
* newsgroup submission address: b5mod at deepthot.org                *
* moderator contact address:    b5mod-request at deepthot.org        *
* personal contact address:     denebeim at deepthot.org             *

From: denebeim at deepthot.org (Jay Denebeim)
Date: Tue, 10 Apr 2001 08:43:11 -0700 (MST)
Subject: Securid revisited
In-Reply-To: <20010410105510.C28068@faui02.informatik.uni-erlangen.de>

On Tue, 10 Apr 2001, Markus Friedl wrote:

> send me a spec of securid-1 at ssh.com and i'll look into this.

Thanks, I'll see if I can track one down. I've specifically not looked at
the implementation in the ssh2 source to avoid any problems if I end up
implementing it.

Jay
--
* Jay Denebeim  Moderator rec.arts.sf.tv.babylon5.moderated        *
* newsgroup submission address: b5mod at deepthot.org                *
* moderator contact address:    b5mod-request at deepthot.org        *
* personal contact address:     denebeim at deepthot.org             *

From: solidaridad at ninosdepapel.org (Niños de Papel)
Date: Tue, 10 Apr 2001 10:59:19 -0500
Subject: Las Cosas de Papel - Quarterly Newsletter
Message-ID: <200104101214406.SM00670@segundo>

***** This is an HTML Message ! *****
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010410/416a83bb/attachment.html

From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 10 Apr 2001 18:20:46 +0200
Subject: configurable authenticator
In-Reply-To: <3AD31057.8941433E@nortelnetworks.com>; from dongra@nortelnetworks.com on Tue, Apr 10, 2001 at 10:53:27AM -0300
References: <3AD31057.8941433E@nortelnetworks.com>
Message-ID: <20010410182046.B19796@faui02.informatik.uni-erlangen.de>

On Tue, Apr 10, 2001 at 10:53:27AM -0300, Don Graves wrote:
> ExternalAuthenticator /usr/local/bin/ext_auth

this is what BSD_AUTH does:

/usr/libexec/auth/login_activ
/usr/libexec/auth/login_chpass
/usr/libexec/auth/login_crypto
/usr/libexec/auth/login_kerberos
/usr/libexec/auth/login_krb-or-pwd
/usr/libexec/auth/login_lchpass
/usr/libexec/auth/login_passwd
/usr/libexec/auth/login_reject
/usr/libexec/auth/login_skey
/usr/libexec/auth/login_snk
/usr/libexec/auth/login_token

openssh already supports the bsd-auth API, so porting this api to other
systems would help.

-m

From: graham_guttocks at yahoo.co.nz (Graham Guttocks)
Date: Wed, 11 Apr 2001 04:43:56 +1200 (NZST)
Subject: "X11Forwarding yes" causes "error: socket: Protocol not supported"
Message-ID: <20010410164356.26068.qmail@web10306.mail.yahoo.com>

Nigel Metheringham wrote:

> Most likely that you have an entry in your /etc/hosts that maps your
> machine name to 127.0.0.1

Actually, this machine doesn't use /etc/hosts (all lines commented out)

> You should see 127.0.0.1 in the authenticated list if you do xauth -n
> list

Doesn't look like it.

sclp3# /usr/X11/bin/xauth list
sclp3.sclp.com:10  MIT-MAGIC-COOKIE-1  7c295a679d1715cf3bcbf2670aff3eaa
sclp3/unix:10  MIT-MAGIC-COOKIE-1  7c295a679d1715cf3bcbf2670aff3eaa
sclp3.sclp.com:11  MIT-MAGIC-COOKIE-1  945deab564d9b67549add99bf8eaf9bb
sclp3/unix:11  MIT-MAGIC-COOKIE-1  945deab564d9b67549add99bf8eaf9bb
sclp3.sclp.com:12  MIT-MAGIC-COOKIE-1  679a47a7d9cc0af6b2066ae0b4196f7f
sclp3/unix:12  MIT-MAGIC-COOKIE-1  679a47a7d9cc0af6b2066ae0b4196f7f

Regards,
Graham

_____________________________________________________________________________
http://movies.yahoo.com.au - Yahoo! Movies
- Now showing: Dude Where's My Car, The Wedding Planner, Traffic..

From: cperry at spooz.com (Carl Perry)
Date: Tue, 10 Apr 2001 15:43:08 -0500
Subject: LBX Support : Where to start
Message-ID: <3AD3705C.8020500@spooz.com>

I would like to put a patch in OpenSSH to start lbxproxy on the server if
both ends of the connection support LBX. I'm having difficulty figuring
out where to put this code, specifically I can't seem to find where the
X11 handshaking happens. Could someone help me out on this??

-Carl

From: Torbjorn.Wictorin at its.uu.se (Torbjorn.Wictorin at its.uu.se)
Date: Tue, 10 Apr 2001 22:44:00 +0200 (CEST)
Subject: Suspicious shadow listen port

# netstat -an | grep LISTEN
tcp4 0 0 *.32785 *.* LISTEN
tcp4 0 0 130.238.4.133.22 *.* LISTEN

What in ?@# is 32785 ??

# lsof
...
sshd 11152 root 5u IPv4 0x7003ded8 0t0 TCP *:32785 (LISTEN)
sshd 11152 root 6u IPv4 0x7004ded8 0t0 TCP xxx.yyy.zzz.hhh:22 (LISTEN)
...

# cat /etc/sshd_config
Port 22
Protocol 2,1
ListenAddress xxx.yyy.zzz.hhh
ListenAddress xxx.yyy.zzz.XXX
....

OOPS, forgot to remove an old ListenAddress for a removed interface...
Did that and HUP-ed sshd

# lsof
...
sshd 11152 root 6u IPv4 0x7004ded8 0t0 TCP xxx.yyy.zzz.hhh:22 (LISTEN)
...

That is, a Listen config line for a non-existing address gives a shadow
port on ((-1 & 0x7fff) - 22). Rather spooky...

cheers,
Torbjörn Wictorin, Uppsala univ.

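The shadow port Torbjörn found is the kind of thing a routine cross-check of sshd's live listeners against its configuration catches before anyone has to ask what port 32785 is. The following is an added example written for this page, not an OpenSSH tool: it parses lsof-style LISTEN lines and an sshd_config, flags sshd listeners on ports no Port or ListenAddress line asks for, and flags ListenAddress entries that match no local interface address. The sample lsof output and sshd_config are constructed from the post; the surviving interface is the 130.238.4.133 shown in its netstat output and the removed interface's address is the TEST-NET placeholder 192.0.2.10. Bracketed IPv6 ListenAddress forms are not handled.

```python
"""Added example: reconcile sshd's actual listeners with sshd_config.
Not an OpenSSH tool.  Sample data below is constructed from the post."""

# Constructed lsof output: the two sshd LISTEN lines from the post, with the
# real interface address taken from the post's netstat output.
LSOF_SAMPLE = """\
sshd      11152     root    5u  IPv4 0x7003ded8      0t0  TCP *:32785 (LISTEN)
sshd      11152     root    6u  IPv4 0x7004ded8      0t0  TCP 130.238.4.133:22 (LISTEN)
"""

# Constructed sshd_config with the stale ListenAddress still present
# (192.0.2.10 is a documentation-range placeholder for the removed interface).
SSHD_CONFIG_SAMPLE = """\
Port 22
Protocol 2,1
ListenAddress 130.238.4.133
ListenAddress 192.0.2.10
"""

# Addresses actually configured on the host, e.g. gathered from ifconfig;
# constructed for the example.
LOCAL_ADDRESSES = {"127.0.0.1", "130.238.4.133"}


def parse_listeners(lsof_text, command="sshd"):
    """Return [(address, port)] for LISTEN sockets owned by `command` in
    lsof output, where the NAME column reads addr:port and '*' means any."""
    listeners = []
    for line in lsof_text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[0] != command or fields[-1] != "(LISTEN)":
            continue
        addr, sep, port = fields[-2].rpartition(":")
        if not sep or not port.isdigit():
            continue  # unix sockets or an unexpected layout
        listeners.append(("0.0.0.0" if addr == "*" else addr, int(port)))
    return listeners


def parse_sshd_config(config_text):
    """Collect the Port values and ListenAddress entries sshd_config asks
    for.  A ListenAddress may carry its own port (addr:port); otherwise it
    inherits the Port values, so its port is recorded as None."""
    ports, listen = set(), []
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "port" and value.isdigit():
            ports.add(int(value))
        elif key == "listenaddress":
            addr, sep, port = value.rpartition(":")
            if sep and port.isdigit() and ":" not in addr:
                listen.append((addr, int(port)))
            else:
                listen.append((value, None))
    return {"ports": ports or {22}, "listen": listen}  # sshd defaults to 22


def expected_ports(cfg):
    """Every port the configuration legitimately binds."""
    ports = set(cfg["ports"])
    ports.update(p for _, p in cfg["listen"] if p is not None)
    return ports


def unexpected_listeners(listeners, cfg):
    """Listeners on ports the configuration never asked for."""
    allowed = expected_ports(cfg)
    return [(a, p) for a, p in listeners if p not in allowed]


def stale_listen_addresses(cfg, local_addresses):
    """ListenAddress entries that match no local interface address."""
    wildcard = {"0.0.0.0", "::"}
    return [a for a, _ in cfg["listen"]
            if a not in local_addresses and a not in wildcard]


if __name__ == "__main__":
    cfg = parse_sshd_config(SSHD_CONFIG_SAMPLE)
    for addr, port in unexpected_listeners(parse_listeners(LSOF_SAMPLE), cfg):
        print(f"unexpected sshd listener {addr}:{port}")
    for addr in stale_listen_addresses(cfg, LOCAL_ADDRESSES):
        print(f"ListenAddress {addr} matches no local interface")
```

On the constructed input the first check reports the 32785 listener and the second reports the stale 192.0.2.10 entry, which is the root cause Torbjörn found by hand. Run against real `lsof -i -P -n` output the same two functions make a reasonable post-change sanity check for sshd.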
From: jmknoble at jmknoble.cx (Jim Knoble)
Date: Tue, 10 Apr 2001 18:10:45 -0400
Subject: LBX Support : Where to start
In-Reply-To: <3AD3705C.8020500@spooz.com>; from cperry@spooz.com on Tue, Apr 10, 2001 at 03:43:08PM -0500
References: <3AD3705C.8020500@spooz.com>
Message-ID: <20010410181045.A3900@shell.ntrnet.net>

Circa 2001-Apr-10 15:43:08 -0500 dixit Carl Perry:

: I would like to put a patch in OpenSSH to start lbxproxy on the server if
: both ends of the connection support LBX. I'm having difficulty figuring
: out where to put this code, specifically I can't seem to find where the
: X11 handshaking happens. Could someone help me out on this??

From a brief gander through the code:

- The X display is created in channels.c:x11_create_display_inet(); it's
  pretty much a socket bound to port 6000+X11DisplayOffset+n.

- The calling code is in session.c:do_authenticated(), case
  SSH_CMSG_X11_REQUEST_FORWARDING; that's where the xauth stuff is set up.

Hope that helps.

--
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/

From: GORDONFR at Attachmate.com (Gordon Fritsch)
Date: Tue, 10 Apr 2001 15:27:43 -0700
Subject: LBX Support : Where to start
Message-ID: <512C2140816ED111B22E00600857374B0180F715@EXCH-VAN1>

Could this problem be tackled from a slightly different angle:

LBXproxy is like an X client for the X Server - an X client which "talks
using the LBX extension protocol rather than X11". Another way of tackling
this problem is to find a way to start the lbxproxy and use its display#
instead of the SshServer's display#. Can this be done by modifying the code
in the proxymngr and xfindproxy programs that come with the X source code?

Gordon

-----Original Message-----
From: Jim Knoble [mailto:jmknoble at jmknoble.cx]
Sent: Tuesday, April 10, 2001 3:11 PM
To: openssh-unix-dev at mindrot.org
Subject: Re: LBX Support : Where to start

Circa 2001-Apr-10 15:43:08 -0500 dixit Carl Perry:

: I would like to put a patch in OpenSSH to start lbxproxy on the server if
: both ends of the connection support LBX. I'm having difficulty figuring
: out where to put this code, specifically I can't seem to find where the
: X11 handshaking happens. Could someone help me out on this??

From a brief gander through the code:

- The X display is created in channels.c:x11_create_display_inet(); it's
  pretty much a socket bound to port 6000+X11DisplayOffset+n.

- The calling code is in session.c:do_authenticated(), case
  SSH_CMSG_X11_REQUEST_FORWARDING; that's where the xauth stuff is set up.

Hope that helps.

--
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/

From: jason at shalott.net (Jason Stone)
Date: Tue, 10 Apr 2001 17:26:39 -0700 (PDT)
Subject: configurable authenticator
In-Reply-To: <3AD31057.8941433E@nortelnetworks.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> I have set it up so that sshd needs to know almost nothing about the
> external authenticator. It just knows that it accepts the userid and
> password via stdin, and that it exits with zero or not. The external
> authenticator is configured in sshd_config something like so:
>
> ExternalAuthenticator /usr/local/bin/ext_auth
>
> In my case, ext_auth is a compiled C program that calls up a central
> authentication server, and it does its own syslogging.

Perhaps a better way to do this would be via pam. Since openssh is
already pam-aware, you could re-write your ext_auth program as a pam
module and just add it to the pam configuration for sshd. This has the
benefits that:

1) You don't have to hack any code.
2) Other pam-aware apps (eg, apache) can auth to your master
   authentication list.

-Jason

---------------------------
If the Revolution comes to grief, it will be because you and those you
lead have become alarmed at your own brutality. --John Gardner

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE606TFswXMWWtptckRAhXdAKCFbpyTyfdD6mEmr8CigVJyft3qxACg8hAu
W/V2Yr6qGQ694V9F6ZzYltI=
=SIv8
-----END PGP SIGNATURE-----

From: djm at mindrot.org (Damien Miller)
Date: Wed, 11 Apr 2001 11:09:38 +1000 (EST)
Subject: Variable path to ssh_prng_cmds?
In-Reply-To: <3ACC8C20.49BD97B5@varetis.de>

On Thu, 5 Apr 2001, Armin Kunaschik wrote:

> Hi there,
>
> I have all my additional software mounted from one central place.
> Therefore I'm trying to limit all unnecessary local files.
> Local config files are ok... e.g. keys, ssh_config etc, but why
> does ssh_prng_cmds need to be in /etc? So why not put it into $bindir?
> There are no problems doing this with a few manual fixes. So
> are there any security concerns? Is it possible to make this a
> configuration option in the future?

You are better off using PRNGd[1] rather than portable OpenSSH's own RNG.
It is more secure, reduces your system load and is more configurable.

-d

[1] http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html

--
| Damien Miller \   ``E-mail attachments are the poor man's
| http://www.mindrot.org /          distributed filesystem'' - Dan Geer

From: djm at mindrot.org (Damien Miller)
Date: Wed, 11 Apr 2001 11:19:44 +1000 (EST)
Subject: Compiling openssh 2.5.p1 on unixware 7.0.1

On Tue, 10 Apr 2001, Dean Luka Domikulić wrote:

> Hi.
>
> I'm trying to compile openssh 2.5.p1 (latest)
> on sco unixware 7.0.1 and I'm getting
> this error in make:
>
> cc -o sshd sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o
> auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o
> auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o dh.o sshpty.o log-server.o
> sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o
> groupaccess.o -L. -Lopenbsd-compat/ -L/usr/local/lib -L/usr/local/ssl/lib
> -L/usr/local/ssl/lib -lssh -lopenbsd-compat -lz -lsocket -lnsl -lgen
> -lcrypto
> Undefined                       first referenced
>  symbol                             in file
> getspnam                            auth.o
> UX:ld: ERROR: sshd: fatal error: Symbol referencing errors. No output
> written to sshd
> make: *** [sshd] Error 1

Can you try:

LIBS=-lshadow ./configure [whatever]

-d

--
| Damien Miller \   ``E-mail attachments are the poor man's
| http://www.mindrot.org /          distributed filesystem'' - Dan Geer

From: djm at mindrot.org (Damien Miller)
Date: Wed, 11 Apr 2001 11:23:05 +1000 (EST)
Subject: Securid revisited
In-Reply-To: <20010410105510.C28068@faui02.informatik.uni-erlangen.de>

On Tue, 10 Apr 2001, Markus Friedl wrote:

> On Mon, Apr 09, 2001 at 06:00:07PM -0700, Jay Denebeim wrote:
> > I read the thread on securid back in march. openssh doesn't support it
> > because it's proprietary, right? I understand that, however I've still
> > got a problem.
>
> i think we could even add the securid changes to openssh-portable.
> we already support proprietary AIX authentication things.
> however, the securid patch needs some work. is there an up-to-date
> patch?

What might be nicer is a generic kbd-interactive wrapper to allow
OpenSSH to use authentication subprograms which talk on stdio.

You could use the kbd-interactive 'device' field to select which.

-d

--
| Damien Miller \   ``E-mail attachments are the poor man's
| http://www.mindrot.org /          distributed filesystem'' - Dan Geer

From: djm at mindrot.org (Damien Miller)
Date: Wed, 11 Apr 2001 11:25:15 +1000 (EST)
Subject: Securid revisited

On Wed, 11 Apr 2001, Damien Miller wrote:

> > i think we could even add the securid changes to openssh-portable.
> > we already support proprietary AIX authentication things.
> > however, the securid patch needs some work. is there an up-to-date
> > patch?
>
> What might be nicer is a generic kbd-interactive wrapper to allow
> OpenSSH to use authentication subprograms which talk on stdio.
>
> You could use the kbd-interactive 'device' field to select which.

Ahh, BSD AUTH does this :)

Does anyone want to port it to other systems? It would make supporting
things like securid and cryptocard very easy.

-d

--
| Damien Miller \   ``E-mail attachments are the poor man's
| http://www.mindrot.org /          distributed filesystem'' - Dan Geer

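Damien's "generic kbd-interactive wrapper" and Jakob's earlier point that keyboard-interactive was designed for exactly this both rest on three messages of the keyboard-interactive method (RFC 4256, an Internet-Draft at the time of the thread). The following added example, written for this page and not OpenSSH's implementation, encodes and decodes those three messages and shows how the client's submethods field (the 'device' field Damien mentions) would let a dispatcher pick an authentication subprogram. Only the message payloads are shown; the SSH transport is assumed to frame and encrypt them, the prompt text is constructed, and no token verification is implemented.

```python
"""Keyboard-interactive authentication messages (RFC 4256) plus the
submethod ("device") selection a dispatching server would do.
Added example for this page, not OpenSSH's code.  Only payloads are
built; the SSH transport layer is assumed to frame and encrypt them."""
import struct

SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_INFO_REQUEST = 60
SSH_MSG_USERAUTH_INFO_RESPONSE = 61
MAX_PROMPTS = 16  # sanity cap applied before trusting a peer-supplied count


def _string(b):
    """SSH 'string' type: uint32 length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


class Reader:
    """Sequential decoder that refuses to read past the end of the buffer,
    so a peer-supplied length can never index outside the message."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def _take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated message")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def byte(self):
        return self._take(1)[0]

    def uint32(self):
        return struct.unpack(">I", self._take(4))[0]

    def string(self):
        return self._take(self.uint32())

    def boolean(self):
        return self.byte() != 0


def build_userauth_request(user, service, submethods, lang=""):
    """Client -> server: ask for keyboard-interactive, listing preferred
    submethods (the 'device' field) as a comma-separated string."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + _string(user.encode())
            + _string(service.encode()) + _string(b"keyboard-interactive")
            + _string(lang.encode()) + _string(submethods.encode()))


def parse_userauth_request(pkt):
    r = Reader(pkt)
    if r.byte() != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not USERAUTH_REQUEST")
    user, service, method = r.string(), r.string(), r.string()
    if method != b"keyboard-interactive":
        raise ValueError("unexpected method %r" % method)
    lang, submethods = r.string(), r.string()
    return {"user": user.decode(), "service": service.decode(),
            "lang": lang.decode(), "submethods": submethods.decode()}


def build_info_request(name, instruction, prompts, lang=""):
    """Server -> client.  prompts is a list of (text, echo); echo=False
    tells the client to hide what the user types."""
    out = (bytes([SSH_MSG_USERAUTH_INFO_REQUEST]) + _string(name.encode())
           + _string(instruction.encode()) + _string(lang.encode())
           + struct.pack(">I", len(prompts)))
    for text, echo in prompts:
        out += _string(text.encode()) + (b"\x01" if echo else b"\x00")
    return out


def parse_info_request(pkt):
    r = Reader(pkt)
    if r.byte() != SSH_MSG_USERAUTH_INFO_REQUEST:
        raise ValueError("not USERAUTH_INFO_REQUEST")
    name, instruction, lang = (r.string().decode() for _ in range(3))
    count = r.uint32()
    if count > MAX_PROMPTS:
        raise ValueError("too many prompts")
    prompts = [(r.string().decode(), r.boolean()) for _ in range(count)]
    return {"name": name, "instruction": instruction, "lang": lang,
            "prompts": prompts}


def build_info_response(responses):
    """Client -> server: one response string per prompt, in order."""
    out = bytes([SSH_MSG_USERAUTH_INFO_RESPONSE]) + struct.pack(">I", len(responses))
    for resp in responses:
        out += _string(resp.encode())
    return out


def parse_info_response(pkt, expected_count):
    r = Reader(pkt)
    if r.byte() != SSH_MSG_USERAUTH_INFO_RESPONSE:
        raise ValueError("not USERAUTH_INFO_RESPONSE")
    count = r.uint32()
    if count != expected_count:  # RFC 4256 requires the counts to match
        raise ValueError("response count does not match prompt count")
    return [r.string().decode() for _ in range(count)]


def select_submethod(submethods, supported, default):
    """Honour the client's comma-separated preference list only for
    submethods the server actually offers; otherwise use the default."""
    for name in submethods.split(","):
        if name and name in supported:
            return name
    return default
```

The flow a wrapper would follow is: parse the USERAUTH_REQUEST, pick the subprogram with `select_submethod`, relay its prompts in an INFO_REQUEST, and feed the INFO_RESPONSE back to the subprogram, which alone decides pass or fail. The client's submethods string is a hint, never an instruction: the server only chooses among subprograms it has configured, and bounds checks on every length and count keep a malformed message from becoming anything worse than a rejected login.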
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Wed, 11 Apr 2001 15:58:46 +0900 (JST)
Subject: 2nd BETA release of OpenSSH with SRP

This is the 2nd beta release of SRP for OpenSSH. The patch attached to this
message is relative to the current (20010411) CVS sources of OpenSSH-portable
(2.5.4p1).

A tarball is also available:

http://members.tripod.com/professor_tom/archives/
http://members.tripod.com/professor_tom/archives/openssh-2.5.4p1-srp6.tar.gz

(Note: Tripod requires you to LEFT click on links to download files, and your
browser may or may not decompress it on the fly.)

md5sum: 85d42cec8a1b9c6241202352218edc16 openssh-2.5.4p1-srp6.tar

Main features:

* Strong authentication of both client *and* server, to protect against
  server-spoofing attacks.
* Authentication of the host key is built into the SRP exchange. This
  protects against spoofed servers even when the host key changes and/or the
  client doesn't know the host key.
* Fully compatible with the Stanford SRP distribution, so if you already have
  an /etc/tpasswd file it'll get used (libsrp is NOT required).

Changes from OpenSSH-2.5.2p2-srp5 to OpenSSH-2.5.4p1-srp6:

* Major parameters are now wrapped in an SRP_CTX struct, and both the client
  and server sides were rewritten to use dispatching.
* Config files (that store SRP parameters) must be owned by root and must not
  be writable by group or other ((mode & 033) == 0). $HOME/.ssh/verifier must
  be owned by the user and must not be readable by group or other
  ((mode & 077) == 0). Other verifier files must be owned by root and must
  not be readable by group or other.
* The parameter test code in srp-util.c and tconf2embed.c was missing the
  test for g^2 mod p != 1. Thus 6 was accepted as a primitive generator for
  7, which it ain't.
* tconf2embed -f means skip the primality check.
* Installation instructions in README.SRP.

Please send all bug reports/patches/complaints to .

Dr. Tom Holroyd
"I am, as I said, inspired by the biological phenomena in which chemical
forces are used in repetitious fashion to produce all kinds of weird effects
(one of which is the author)." -- Richard Feynman, _There's Plenty of Room at
the Bottom_

-------------- next part --------------
A non-text attachment was scrubbed...
Name: srp6.patch.gz
Type: application/octet-stream
Size: 37923 bytes
Desc: 
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010411/3cf49d65/attachment.obj

From dean.domikulic at pbz.hr Wed Apr 11 18:21:55 2001
From: dean.domikulic at pbz.hr (Dean Luka Domikulić)
Date: Wed, 11 Apr 2001 10:21:55 +0200
Subject: Compiling openssh 2.5.p1 on unixware 7.0.1

Mea culpa, it looks like the system was misconfigured.

LIBS=-lshadow did not help. But thanks for the advice. getspnam is in
shadow.h in /usr/include but there is no libshadow* library. The library in
which getspnam really lives is libgen. I found that library with find and it
is in /usr/ccs/lib. I checked with grep and strings and it really contains
getspnam.

So I added /usr/ccs/lib to LD_LIBRARY_PATH, removed config.cache, started
./configure again and everything went fine.

Maybe /usr/ccs/lib should be added in lib path for this platform.

> -----Original Message-----
> From: Damien Miller [mailto:djm at mindrot.org]
> Sent: Wednesday, April 11, 2001 3:20 AM
> To: Dean Luka Domikulić
> Cc: 'openssh-unix-dev at mindrot.org'
> Subject: Re: Compiling openssh 2.5.p1 on unixware 7.0.1
>
>
> On Tue, 10 Apr 2001, [iso-8859-2] Dean Luka Domikulić wrote:
>
> > Hi.
> >
> > I'm trying to compile openssh 2.5.p1 (latest)
> > on sco unixware 7.0.1 and I'm getting
> > this error in make:
> >
> > cc -o sshd sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o
> > auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o
> > auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o dh.o sshpty.o log-server.o
> > sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o
> > groupaccess.o -L. -Lopenbsd-compat/ -L/usr/local/lib -L/usr/local/ssl/lib
> > -L/usr/local/ssl/lib -lssh -lopenbsd-compat -lz -lsocket -lnsl -lgen
> > -lcrypto
> > Undefined                       first referenced
> >  symbol                             in file
> > getspnam                            auth.o
> > UX:ld: ERROR: sshd: fatal error: Symbol referencing errors. No output
> > written to sshd
> > make: *** [sshd] Error 1
>
> Can you try:
>
> LIBS=-lshadow ./configure [whatever]
>
> -d
>
> -- 
> | Damien Miller \ ``E-mail attachments are the poor man's
> | http://www.mindrot.org / distributed filesystem'' - Dan Geer
>

From Armin.Kunaschik at varetis.de Wed Apr 11 18:28:27 2001
From: Armin.Kunaschik at varetis.de (Armin.Kunaschik at varetis.de)
Date: Wed, 11 Apr 2001 10:28:27 +0200
Subject: Variable path to ssh_prng_cmds?

>You are better off using PRNGd[1] rather than portable OpenSSH's
>own RNG. It is more secure, reduces your system load and is more
>configurable.

I'm not sure if I understand this. I have checked PRNGd out... it uses the
same scheme (output from various system commands) to get random bytes. This
should cause the same amount of system load!?

I don't know if it's more secure... but the amount of work is higher,
especially in a heterogeneous environment. Therefore I would prefer the
built-in feature...

Are there any plans to include the PRNGd functionality into OpenSSH?

Regards,
Armin

From luzian.scherrer at zi.unizh.ch Wed Apr 11 18:37:41 2001
From: luzian.scherrer at zi.unizh.ch (Luzian Scherrer)
Date: Wed, 11 Apr 2001 10:37:41 +0200 (MEST)
Subject: $HOME/.shosts and setegid()
Message-ID: <200104110837.KAA20135@zisunlsc.unizh.ch>

Hello,

The ssh daemon from OpenSSH_2.5.2p2 first does a seteuid(uid) and then
stat($HOME/.shosts) to check whether a .shosts file is there. This seems to
be a problem when home directories are only accessible "by group permission";
for example in the following (as I guess quite common) case:

drwxr-x---   root   mygroup   512 Apr 10 12:09 mygroup

And my personal home directory would now be one level below:

/home/mygroup/myhome

So my question: is there a particular reason that setegid() and initgroups()
are not used?

Regards,
-Luzian

-- 
University of Zurich, Centre for Computing Services        Luzian Scherrer
Winterthurerstrasse 190, CH-8057 Zurich                Tel: +41 1 63 56778
Fax: +41 1 63 54505                                        Office: Y11-F-76

From Markus.Friedl at informatik.uni-erlangen.de Wed Apr 11 18:43:01 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 11 Apr 2001 10:43:01 +0200
Subject: $HOME/.shosts and setegid()
In-Reply-To: <200104110837.KAA20135@zisunlsc.unizh.ch>; from luzian.scherrer@zi.unizh.ch on Wed, Apr 11, 2001 at 10:37:41AM +0200
References: <200104110837.KAA20135@zisunlsc.unizh.ch>
Message-ID: <20010411104301.B10471@faui02.informatik.uni-erlangen.de>

On Wed, Apr 11, 2001 at 10:37:41AM +0200, Luzian Scherrer wrote:
> So my question: is there a particular reason that setegid() and
> initgroups() are not used?

setegid + initgroups are now used in openssh-current and
will be used soon in portable.

From mouring at etoh.eviladmin.org Wed Apr 11 22:51:46 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 11 Apr 2001 07:51:46 -0500 (CDT)
Subject: Variable path to ssh_prng_cmds?

On Wed, 11 Apr 2001 Armin.Kunaschik at varetis.de wrote:

>
> >You are better off using PRNGd[1] rather than portable OpenSSH's
> >own RNG. It is more secure, reduces your system load and is more
> >configurable.
> I'm not sure if I understand this. I have checked PRNGd out... it uses the
> same scheme (output from various system commands) to get random
> bytes. This should cause the same amount of system load!?

It's less load because it's a long-lived process. Which means it can gather
entropy across ssh/sshd startup and shutdown. Which means you get higher
quality entropy without having the same 15 commands spawned at the beginning
of each session.

> I don't know if it's more secure... but the amount of work is higher,
> especially in a heterogeneous environment. Therefore I would prefer
> the built-in feature...
> Are there any plans to include the PRNGd functionality into OpenSSH?
>

PRNGd was derived from OpenSSH portable work, but no it will not merge back
into OpenSSH.

Sure it is. You can run PRNGd as a normal user if you wish. And you avoid
spawning off random commands as root or as a setuid user (ssh).

- Ben

From mouring at etoh.eviladmin.org Wed Apr 11 22:53:35 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 11 Apr 2001 07:53:35 -0500 (CDT)
Subject: $HOME/.shosts and setegid()
In-Reply-To: <20010411104301.B10471@faui02.informatik.uni-erlangen.de>

On Wed, 11 Apr 2001, Markus Friedl wrote:

> On Wed, Apr 11, 2001 at 10:37:41AM +0200, Luzian Scherrer wrote:
> > So my question: is there a particular reason that setegid() and
> > initgroups() are not used?
>
> setegid + initgroups are now used in openssh-current and
> will be used soon in portable.
>

It's already in the OpenSSH portable tree under -current.

- Ben

From bhm at ufl.edu Thu Apr 12 00:05:46 2001
From: bhm at ufl.edu (Bruce H. McIntosh)
Date: Wed, 11 Apr 2001 10:05:46 -0400 (EDT)
Subject: OpenSSH 2.5.2p2 and askass (fwd)

My c skills are remarkably rusty, but...

I've been from one end of the source to the other and it doesn't seem that
OpenSSH 2.5.2p2 will *EVER* use ssh-askpass (or any variation thereof).
Is there some flag to flip when trying to compile it? I've looked at the
SRPM that RedHat distributes, and at the latest CVS source from openssh.com.
Neither appears to have any mechanism for calling any askpass utility; if a
real live tty doesn't exist the program just aborts. What am I missing here?

ssh-askpass worked fine with my old ssh 1.2.27; it appeared to stop working
at 1.2.30, and this not-working behavior was picked up by OpenSSH (and
maintained thru the current commercial SSH as well).

-- 
----------------------------------------------------------------------
Bruce H. McIntosh                     brucem at nersp.nerdc.ufl.edu
Senior Engineer                       http://nersp.nerdc.ufl.edu/~brucem
UF/Northeast Regional Data Center     352-392-2061

From Lutz.Jaenicke at aet.TU-Cottbus.DE Thu Apr 12 01:42:08 2001
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Wed, 11 Apr 2001 17:42:08 +0200
Subject: OpenSSH 2.5.2p2 and askass (fwd)
In-Reply-To: ; from bhm@ufl.edu on Wed, Apr 11, 2001 at 10:05:46AM -0400
Message-ID: <20010411174208.A21265@ws01.aet.tu-cottbus.de>

On Wed, Apr 11, 2001 at 10:05:46AM -0400, Bruce H. McIntosh wrote:
> I've been from one end of the source to the other and it doesn't seem that
> OpenSSH 2.5.2p2 will *EVER* use ssh-askpass (or any variation thereof).
> Is there some flag to flip when trying to compile it? I've looked at the
> SRPM that RedHat distributes, and at the latest CVS source from
> openssh.com. Neither appears to have any mechanism for calling any
> askpass utility; if a real live tty doesn't exist the program just aborts.
> What am I missing here?

Hmm, it works fine for me. Whenever I do a "ssh-add (keyfile) < /dev/null"
an x11-ssh-askpass window will open up...
It will not be used for any other purpose like scp, only for ssh-add.

Best regards,
	Lutz
-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From tim at multitalents.net Thu Apr 12 01:43:47 2001
From: tim at multitalents.net (Tim Rice)
Date: Wed, 11 Apr 2001 08:43:47 -0700 (PDT)
Subject: Compiling openssh 2.5.p1 on unixware 7.0.1

On Wed, 11 Apr 2001, [iso-8859-2] Dean Luka Domikulić wrote:

> Mea culpa,
> it looks like the system was misconfigured.

Do you have ptf7123a installed?
I'm not seeing any problem on UnixWare 7.1.0

> LIBS=-lshadow did not help.
> But thanks for the advice.
> getspnam is in shadow.h in /usr/include
> but there is no libshadow* library.
> The library in which getspnam really lives is libgen.
> I found that library with find and it is in /usr/ccs/lib.
> I checked with grep and strings and it really contains getspnam.
>
> So I added /usr/ccs/lib to LD_LIBRARY_PATH,
> removed config.cache, started ./configure
> again and everything went fine.
>
> Maybe /usr/ccs/lib should be added in
> lib path for this platform.
>
> > -----Original Message-----
> > From: Damien Miller [mailto:djm at mindrot.org]
> > Sent: Wednesday, April 11, 2001 3:20 AM
> > To: Dean Luka Domikulić
> > Cc: 'openssh-unix-dev at mindrot.org'
> > Subject: Re: Compiling openssh 2.5.p1 on unixware 7.0.1
> >
> >
> > On Tue, 10 Apr 2001, [iso-8859-2] Dean Luka Domikulić wrote:
> >
> > > Hi.
> > >
> > > I'm trying to compile openssh 2.5.p1 (latest)
> > > on sco unixware 7.0.1 and I'm getting
> > > this error in make:
> > >
> > > cc -o sshd sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o
> > > auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o
> > > auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o dh.o sshpty.o log-server.o
> > > sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o
> > > groupaccess.o -L. -Lopenbsd-compat/ -L/usr/local/lib -L/usr/local/ssl/lib
> > > -L/usr/local/ssl/lib -lssh -lopenbsd-compat -lz -lsocket -lnsl -lgen
> > > -lcrypto
> > > Undefined                       first referenced
> > >  symbol                             in file
> > > getspnam                            auth.o
> > > UX:ld: ERROR: sshd: fatal error: Symbol referencing errors. No output
> > > written to sshd
> > > make: *** [sshd] Error 1
> >
> > Can you try:
> >
> > LIBS=-lshadow ./configure [whatever]
> >
> > -d
> >
> > -- 
> > | Damien Miller \ ``E-mail attachments are the poor man's
> > | http://www.mindrot.org / distributed filesystem'' - Dan Geer
> >
>

-- 
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From markus.friedl at informatik.uni-erlangen.de Thu Apr 12 02:49:46 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 11 Apr 2001 18:49:46 +0200
Subject: OpenSSH 2.5.2p2 and askass (fwd)
In-Reply-To: ; from bhm@ufl.edu on Wed, Apr 11, 2001 at 10:05:46AM -0400
Message-ID: <20010411184945.A23379@folly>

On Wed, Apr 11, 2001 at 10:05:46AM -0400, Bruce H. McIntosh wrote:
> I've been from one end of the source to the other and it doesn't seem that
> OpenSSH 2.5.2p2 will *EVER* use ssh-askpass (or any variation thereof).

ssh-add uses ssh-askpass, see ssh-add(1)

From moyman at ecn.purdue.edu Thu Apr 12 08:45:41 2001
From: moyman at ecn.purdue.edu (James M Moya)
Date: Wed, 11 Apr 2001 17:45:41 -0500 (EST)
Subject: openssh 2.5.2p2/Solaris 5.8 problems
Message-ID: <200104112245.f3BMjf013081@golfer.ecn.purdue.edu>

openssh 2.5.2p2 on Solaris 8 has PAM/cron problems. If I build it with PAM
then cron quits working giving "cron audit problem." errors. If I turn PAM
off then cron works but I get kicked out of any session where a password is
needed (i.e. no .rhosts/.shosts or not using ssh-agent) with the message
"Connection closed by IP#". I get through if I have a .rhosts/.shosts or use
ssh-agent. The following shows the latter error with debugging turned on for
both ssh and sshd:

On the server:

terl:/[35]# cat /var/ssh/sshd_config
Port 22
ListenAddress 0.0.0.0
HostKey /var/ssh/ssh_host_key
HostKey /var/ssh/ssh_host_dsa_key
ServerKeyBits 640
LoginGraceTime 600
KeyRegenerationInterval 86400
PermitRootLogin yes
IgnoreRhosts no
StrictModes no
X11Forwarding yes
X11DisplayOffset 11
PrintMotd no
KeepAlive yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication yes
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
CheckMail no
UseLogin no
Subsystem sftp /opt/openssh/libexec/sftp-server
MaxStartups 10:30:60

terl:/[36]# /opt/openssh/sbin/sshd -b 640 -f /var/ssh/sshd_config -h /var/ssh/ssh_host_key -d -d -d
debug1: Seeding random number generator
debug1: sshd version OpenSSH_2.5.2p2
debug1: load_private_key_autodetect: type 0 RSA1
debug1: load_private_key_autodetect: type 0 RSA1
debug3: Bad RSA1 key file /var/ssh/ssh_host_dsa_key.
debug1: read SSH2 private key done: name dsa w/o comment success 1
debug1: load_private_key_autodetect: type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 640 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 128.46.154.96 port 51943
debug1: Client protocol version 1.5; client software version OpenSSH_2.5.2p2
debug1: match: OpenSSH_2.5.2p2 pat ^OpenSSH
debug1: Local version string SSH-1.99-OpenSSH_2.5.2p2
debug1: Rhosts Authentication disabled, originating port not trusted.
debug1: Sent 640 bit server key and 768 bit host key.
debug1: Encryption type: blowfish
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug1: Attempting authentication for root.
debug1: Trying rhosts with RSA host authentication for client user root
debug1: Trying to reverse map address 128.46.154.96.
debug1: Rhosts RSA authentication: canonical host tsunami.ecn.purdue.edu
Rhosts with RSA host authentication accepted for root, root on tsunami.ecn.purdue.edu.
Accepted rhosts-rsa for ROOT from 128.46.154.96 port 51943 ruser root
debug1: session_new: init
debug1: session_new: session 0
debug1: Allocating pty.
debug1: Received request for X11 forwarding with auth spoofing.
debug2: SSH_PROTOFLAG_SCREEN_NUMBER: 1
debug1: bind port 6011: Address already in use
debug1: fd 10 setting O_NONBLOCK
debug1: fd 10 IS O_NONBLOCK
debug1: channel 0: new [X11 inet listener]
debug1: Received authentication agent forwarding request.
debug1: fd 11 setting O_NONBLOCK
debug1: fd 11 IS O_NONBLOCK
debug1: channel 1: new [auth socket]
debug1: Entering interactive session.
debug1: fd 8 setting O_NONBLOCK
debug1: fd 9 IS O_NONBLOCK
debug1: server_init_dispatch_13
debug1: server_init_dispatch_15
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug3: tvp!=NULL kid 0 mili 10
debug1: End of interactive session; stdin 5, stdout (read 614, sent 614), stderr 0 bytes.
debug1: Received SIGCHLD.
debug1: channel_free: channel 0: status: The following connections are open:
debug1: channel_free: channel 1: status: The following connections are open:
debug1: Command exited with status 0.
debug1: Received exit confirmation.
debug1: session_pty_cleanup: session 0 release /dev/pts/7
debug1: xauthfile_cleanup_proc called
Closing connection to 128.46.154.96

**************************************************************

On the client:

tsunami:/[42] cat /var/ssh/ssh_config
Host *
ForwardAgent yes
ForwardX11 yes
RhostsAuthentication yes
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
FallBackToRsh yes
UseRsh no
BatchMode no
CheckHostIP yes
StrictHostKeyChecking no
GlobalKnownHostsFile /var/ssh/ssh_known_hosts
IdentityFile ~/.ssh/identity
Port 22
Protocol 1,2
Cipher blowfish
EscapeChar ~
KeepAlive yes
NumberOfPasswordPrompts 3

tsunami:/[43] ssh -v -l root terl
OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: getuid 19350 geteuid 0 anon 1
debug1: Connecting to terl [128.46.200.119] port 22.
debug1: Connection established.
debug1: identity file /home/golfer/a/moyman/.ssh/identity type 0
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.2p2
debug1: match: OpenSSH_2.5.2p2 pat ^OpenSSH
debug1: Local version string SSH-1.5-OpenSSH_2.5.2p2
debug1: Waiting for server public key.
debug1: Received server public key (640 bits) and host key (768 bits).
debug1: Host 'terl' is known and matches the RSA1 host key.
debug1: Found key in /var/ssh/ssh_known_hosts:696
debug1: Encryption type: blowfish
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
debug1: Server refused our rhosts authentication or host key.
debug1: Trying RSA authentication via agent with 'moyman at golfer.ecn.purdue.edu'
debug1: Server refused our key.
debug1: RSA authentication using agent refused.
debug1: Trying RSA authentication with key 'moyman at golfer.ecn.purdue.edu'
debug1: Server refused our key.
debug1: Doing password authentication.
root at terl's password:
Connection closed by 128.46.200.119
debug1: Calling cleanup 0x1000472e0(0x0)

Here is how openssh was built:

harbor:/usr/src/local/openssh-2.5.2p2[381]# cat ecn
rm config.cache
./configure \
	--prefix=/opt/openssh \
	--sysconfdir=/var/ssh \
	--with-rsh=/usr/local/etc/rsh \
	--with-ipv4-default \
	--with-ssl-dir=/usr/local/ssl \
	--with-lastlog=/usr/adm/lastlog \
	--with-pid-dir=/var/ssh

Other Solaris problems I have, no /etc/default/login support, no
/etc/nologin support.

--mike

From Darren.Moffat at eng.sun.com Thu Apr 12 08:54:26 2001
From: Darren.Moffat at eng.sun.com (Darren Moffat)
Date: Wed, 11 Apr 2001 15:54:26 -0700 (PDT)
Subject: openssh 2.5.2p2/Solaris 5.8 problems
Message-ID: <200104112254.f3BMsYB2280435@jurassic.eng.sun.com>

>openssh 2.5.2p2 on Solaris 8 has PAM/cron problems. If I build it with PAM
>then cron quits working giving "cron audit problem." errors. If I turn
>PAM off then cron works but I get kicked out of any session where a password
>is needed (i.e. no .rhosts/.shosts or not using ssh-agent) with the message
>"Connection closed by IP#". I get through if I have a .rhosts/.shosts or use
>ssh-agent. The following shows the latter error with debugging turned on for
>both ssh and sshd:

I'm confused, where is cron coming into this? I don't see any other mention
of cron in your debug output. Are you using the Solaris cron?

What is in your pam.conf?

What auth methods are in your sshd_config and ssh_config files?

-- 
Darren J Moffat

From blbates at vigyan.com Thu Apr 12 22:46:20 2001
From: blbates at vigyan.com (Brent L. Bates)
Date: Thu, 12 Apr 2001 08:46:20 -0400
Subject: Problem with latest OpenSSH - 2.5.2p2
Message-ID: <10104120846.ZM200891@vigyan.com>

     This is my second attempt at reporting this problem. I sent my first
message to `openssh at openssh.com' and was told I needed to send it to this
address. Any help would be greatly appreciated. Thanks.

     We have been using OpenSSH version 2.3.0p1 for a couple of months now
without problems. The same goes for several previous versions we have used
over the last year. However, I have just installed version 2.5.2p2 and it is
giving me some problems. If it were not for the latest security bulletins
strongly suggesting we upgrade, I would reinstall the 2.3.0p1 version.

     I am running on a SGI Indigo2 R10000 running IRIX64 6.5.11f. I
downloaded the source, compiled, and installed the latest version just like I
have for all previous versions. We are using OpenSSL version 0.9.6, downloaded
October 9, 2000.

     The problem I am seeing is that every once in a while I get the
following error in the current OpenSSH connected window:

`read: Interrupted function call'

After this point, I can't type or do anything else in this `xwsh' window. I
have to kill the entire window, start a new window, and start a new ssh
connection all over again. This is completely repeatable. I get this error if
I resize the window quickly several times. I have X Windows forwarding on.

     Below is the line I use to configure OpenSSH:

configure --with-cflags="-n32 -mips4 -O3 -r10000 -TARG:processor=r10000:platform=ip28 -I/usr/local/include" --with-ldflags="-n32 -mips4 -L/usr/local/lib -Wl,-s,-x -Wl,-rpath,/usr/local/lib" --prefix=/usr/local --with-tcp-wrappers --with-prngd-socket=/var/adm/entropy --with-ssl-dir=/usr/local/lib --with-catman=man --mandir=/usr/share/man/local

     Has anyone seen anything like this before? I did make two changes from
previous compilations/installs.
I've switched from using EGD for random numbers to PRNGD and I've added the
TCP-Wrappers library. The switch to PRNGD doesn't seem to be a problem as I'm
also running it on another system with the 2.3.0p1 version of OpenSSH and I
see no problems there. At this point, I've only seen the problem for
`ssh/slogin' from this system to others. Incoming connections don't seem to
have any problems, so I'm guessing the problem is with `ssh/slogin'.

     I recently downloaded the latest version of OpenSSL, 0.9.6a-beta3, to see
if that would help things any. However, that has done nothing to affect the
problem.

     If you have any suggestions, please let me know. Thanks.

From Lutz.Jaenicke at aet.TU-Cottbus.DE Thu Apr 12 23:16:37 2001
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Thu, 12 Apr 2001 15:16:37 +0200
Subject: Problem with latest OpenSSH - 2.5.2p2
In-Reply-To: <10104120846.ZM200891@vigyan.com>; from blbates@vigyan.com on Thu, Apr 12, 2001 at 08:46:20AM -0400
References: <10104120846.ZM200891@vigyan.com>
Message-ID: <20010412151637.A26262@ws01.aet.tu-cottbus.de>

On Thu, Apr 12, 2001 at 08:46:20AM -0400, Brent L. Bates wrote:
>      I am running on a SGI Indigo2 R10000 running IRIX64 6.5.11f. I
> downloaded the source, compiled, and installed the latest version just like I
> have for all previous versions. We are using OpenSSL version 0.9.6,
> downloaded October 9, 2000.
>      The problem I am seeing is that every once in a while I get the
> following error in the current OpenSSH connected window:
>
> `read: Interrupted function call'

I just did a grep on 'read:' and there is only one place where this error
could be generated. It is in clientloop.c:client_process_input().
Here we find a

	len = read(fileno(stdin), buf, sizeof(buf));
	if (len <= 0) {
		/*
		 * Received EOF or error.  They are treated
		 * similarly, except that an error message is printed
		 * if it was an error condition.
		 */
		if (len < 0) {
			snprintf(buf, sizeof buf, "read: %.100s\r\n", strerror(errno));
	...

There is no check for EINTR (and EAGAIN), and the occurrence of EINTR
would be treated as error.
Without fully analyzing the code (I just jumped into it), it should be
sufficient to insert

	if (len <= 0) {
		/*
		 * Received EOF or error.  They are treated
		 * similarly, except that an error message is printed
		 * if it was an error condition.
		 */
		if (len < 0) {
+			if ((errno == EINTR) || (errno == EAGAIN))
+				continue;
			snprintf(buf, sizeof buf, "read: %.100s\r\n", strerror(errno));

to deal with this condition. But I am sure that the OpenSSH developers will
know whether this has any unwanted side effect.

Best regards,
	Lutz

PS. Operating systems tend to behave differently. I have never seen such
effects on HP-UX, while e.g. Unixware behaves completely differently, as I
have learned when tracking down problems with EINTR in the EGD interface code
of OpenSSL... Therefore it is quite possible that other people not working on
Irix won't be able to reproduce this problem.
-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From pekkas at netcore.fi Fri Apr 13 00:02:13 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Thu, 12 Apr 2001 17:02:13 +0300 (EEST)
Subject: ssh's readconf.c debug() goes to /dev/null

Hi,

Related to:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ssh.c.diff?r1=1.100&r2=1.101

It'd appear that logging in readconf.c:
---
	debug("Applying options for %.100s", arg);
	debug("Reading configuration data %.200s", filename);
---
Goes to /dev/null. This is caused by the fact that in ssh.c there is:
---
	/*
	 * Initialize "log" output.  Since we are the client all output
	 * actually goes to stderr.
	 */
==>	log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);

	/* Read per-user configuration file. */
	snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, _PATH_SSH_USER_CONFFILE);
	read_config_file(buf, host, &options);

	/* Read systemwide configuration file. */
	read_config_file(_PATH_HOST_CONFIG_FILE, host, &options);

	/* Fill configuration defaults. */
	fill_default_options(&options);

	/* reinit */
	log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1);
---
The first time

Because of this, if you use 'ssh -v -v -v somewhere', you won't get messages
like:
---
debug1: Reading configuration data /home/pekkas/.ssh/config	<==
debug1: Reading configuration data /etc/ssh/ssh_config		<==
debug1: Applying options for *					<==
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
[...]
---
Is this intentional? If not, changing the first

	log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);

to

	log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1);

helps.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

From Markus.Friedl at informatik.uni-erlangen.de Fri Apr 13 00:28:23 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 12 Apr 2001 16:28:23 +0200
Subject: ssh's readconf.c debug() goes to /dev/null
In-Reply-To: ; from pekkas@netcore.fi on Thu, Apr 12, 2001 at 05:02:13PM +0300
Message-ID: <20010412162823.G10832@faui02.informatik.uni-erlangen.de>

On Thu, Apr 12, 2001 at 05:02:13PM +0300, Pekka Savola wrote:
> If not, changing the first
>
> 	log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
>
> to
>
> 	log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1);
>
> helps.

try ssh localhost after this patch.
you have to check options.log_level != -1

-m

From jmknoble at jmknoble.cx Fri Apr 13 06:38:14 2001
From: jmknoble at jmknoble.cx (Jim Knoble)
Date: Thu, 12 Apr 2001 16:38:14 -0400
Subject: Problem with latest OpenSSH - 2.5.2p2
In-Reply-To: <20010412151637.A26262@ws01.aet.tu-cottbus.de>; from Lutz.Jaenicke@aet.TU-Cottbus.DE on Thu, Apr 12, 2001 at 03:16:37PM +0200
References: <10104120846.ZM200891@vigyan.com> <20010412151637.A26262@ws01.aet.tu-cottbus.de>
Message-ID: <20010412163814.C7812@quipu.half.pint-stowp.cx>

Circa 2001-Apr-12 15:16:37 +0200 dixit Lutz Jaenicke:

: On Thu, Apr 12, 2001 at 08:46:20AM -0400, Brent L. Bates wrote:
: >      The problem I am seeing is that every once in a while I get the
: > following error in the current OpenSSH connected window:
: >
: > `read: Interrupted function call'
:
: I just did a grep on 'read:' and there is only one place where this error
: could be generated. It is in clientloop.c:client_process_input().

[...]

: There is no check for EINTR (and EAGAIN), and the occurrence of EINTR
: would be treated as error.
: Without fully analyzing the code (I just jumped into it), it should be
: sufficient to insert
:
: 	if (len <= 0) {
: 		/*
: 		 * Received EOF or error.  They are treated
: 		 * similarly, except that an error message is printed
: 		 * if it was an error condition.
: 		 */
: 		if (len < 0) {
: +			if ((errno == EINTR) || (errno == EAGAIN))
: +				continue;

Don't you mean 'return;'? There's no enclosing loop in
client_process_input().

: 			snprintf(buf, sizeof buf, "read: %.100s\r\n", strerror(errno));

This technique doesn't restart the read() if it was interrupted.
Shouldn't it read something like the following?

restart_interrupted:
	len = read(fileno(stdin), buf, sizeof(buf));
	if (len <= 0) {
		if (len < 0) {
			if (EINTR == errno) {
				/* Interrupted by signal. */
				goto restart_interrupted;
			} else if ((EAGAIN == errno) || (EWOULDBLOCK == errno)) {
				/* Read operation would block; come back later. */
				return;
			} else {
				/* An actual error. */
				snprintf(buf, sizeof buf, "read: %.100s\r\n", strerror(errno));
				buffer_append(&stderr_buffer, buf, strlen(buf));
			}
		}
		stdin_eof = 1;
		/* etc. */
	}

: PS. Operating systems tend to behave differently. I have never seen such
: effects on HP-UX, while e.g. Unixware behaves completely differently, as
: I have learned when tracking down problems with EINTR in the EGD interface
: code of OpenSSL... Therefore it is quite possible that other people not
: working on Irix won't be able to reproduce this problem.

It may well depend on whether signals restart interrupted system calls by
default or not. See APUE.

-- 
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/

From Lutz.Jaenicke at aet.TU-Cottbus.DE Fri Apr 13 07:00:10 2001
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Thu, 12 Apr 2001 23:00:10 +0200
Subject: Problem with latest OpenSSH - 2.5.2p2
In-Reply-To: <20010412163814.C7812@quipu.half.pint-stowp.cx>; from jmknoble@jmknoble.cx on Thu, Apr 12, 2001 at 04:38:14PM -0400
References: <10104120846.ZM200891@vigyan.com> <20010412151637.A26262@ws01.aet.tu-cottbus.de> <20010412163814.C7812@quipu.half.pint-stowp.cx>
Message-ID: <20010412230009.A16892@serv01.aet.tu-cottbus.de>

On Thu, Apr 12, 2001 at 04:38:14PM -0400, Jim Knoble wrote:
> : There is no check for EINTR (and EAGAIN), and the occurrence of EINTR
> : would be treated as error.
> : Without fully analyzing the code (I just jumped into it), it should be
> : sufficient to insert
> :     if (len <= 0) {
> :         /*
> :          * Received EOF or error. They are treated
> :          * similarly, except that an error message is printed
> :          * if it was an error condition.
> :          */
> :         if (len < 0) {
> : +           if ((errno == EINTR) || (errno == EAGAIN))
> : +               continue;
>
> Don't you mean 'return;'? There's no enclosing loop in
> client_process_input().

Arrghh. Of course you are right. I actually wanted to form a loop around
it when the telephone rang and I finished the mail just thereafter.
Without a loop ...
(The lesson is obvious: don't answer phone calls while writing emails :-)

> This technique doesn't restart the read() if it was interrupted.
> Shouldn't it read something like the following?

Yes :-)

>
> restart_interrupted:
>     len = read(fileno(stdin), buf, sizeof(buf));
>     if (len <= 0) {
>         if (len < 0) {
>             if (EINTR == errno) {
>                 /* Interrupted by signal. */
>                 goto restart_interrupted;
>             } else if ((EAGAIN == errno) || (EWOULDBLOCK == errno)) {
>                 /* Read operation would block; come back later. */
>                 return;
>             } else {
>                 /* An actual error. */
>                 snprintf(buf, sizeof buf, "read: %.100s\r\n", strerror(errno));
>                 buffer_append(&stderr_buffer, buf, strlen(buf));
>             }
>         }
>         stdin_eof = 1;
>         /* etc. */
>     }

Best regards,
	Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From stevesk at sweden.hp.com Fri Apr 13 07:14:09 2001
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Thu, 12 Apr 2001 23:14:09 +0200 (METDST)
Subject: Suspicious shadow listen port
In-Reply-To:
Message-ID:

On Tue, 10 Apr 2001 Torbjorn.Wictorin at its.uu.se wrote:
: # netstat -an | grep LISTEN
:
: tcp4       0      0  *.32785            *.*                LISTEN
: tcp4       0      0  130.238.4.133.22   *.*                LISTEN
:
: What in ?@# is 32785 ??
:
: # lsof
: ...
: sshd   11152  root  5u  IPv4 0x7003ded8  0t0  TCP *:32785 (LISTEN)
: sshd   11152  root  6u  IPv4 0x7004ded8  0t0  TCP xxx.yyy.zzz.hhh:22 (LISTEN)

which platform is this? i can't dup on hp-ux 11. does it come back
when you re-add the bogus listenaddr?

From mas at ucla.edu Fri Apr 13 07:26:15 2001
From: mas at ucla.edu (Michael Stein)
Date: Thu, 12 Apr 2001 14:26:15 -0700
Subject: ssh not using priv port if target prot not priv
Message-ID: <20010412142615.A30948@mas1.oac.ucla.edu>

The openSSH ssh command appears to not use a source privileged port
(no matter what the options/configs) if the target port
isn't a privileged port.

For example:

   ssh -p 22222 foo.ucla.edu

would never try to connect from a privileged port. Even with
useprivilegedport=yes.

This disallows .shosts RSA host authentication without a password.

This breaks compatibility with ssh-1.2.27 and isn't documented anywhere
except possibly in the source to the ssh_create_socket function in
sshconnect.c:

	/*
	 * If we are running as root and want to connect to a privileged
	 * port, bind our own socket to a privileged port.
	 */
	if (privileged) {
		int p = IPPORT_RESERVED - 1;

		sock = rresvport_af(&p, family);
		if (sock < 0)
			error("rresvport: af=%d %.100s", family, strerror(errno));
		else
			debug("Allocated local port %d.", p);
	} else {
		/*
		 * Just create an ordinary socket on arbitrary port.  We use
		 * the user's uid to create the socket.
		 */
		temporarily_use_uid(original_real_uid);
		sock = socket(family, SOCK_STREAM, 0);
		if (sock < 0)
			error("socket: %.100s", strerror(errno));
		restore_uid();
	}

It would make more sense to me that "useprivilegedport=yes" would result
in the use of a privileged port (assuming possible) no matter what the
target port was.

Is there any real reason that the ssh target port should affect the
choice of source port?

From sdn at sprintlabs.com Fri Apr 13 09:00:50 2001
From: sdn at sprintlabs.com (Steven Davidson)
Date: Thu, 12 Apr 2001 16:00:50 -0700
Subject: openSSH static link
Message-ID: <3AD633A2.8DF5B284@sprintlabs.com>

I'm trying to do a static link of openSSH, in preparation
for a chrooted install.
Normally, I would do a './configure --enable-static'
but there is no configure script.

Is there a way to do a static link of openSSH?
I've looked at the makefiles to no avail.

sdn at sprintlabs.com

From Darren.Moffat at eng.sun.com Fri Apr 13 09:00:53 2001
From: Darren.Moffat at eng.sun.com (Darren Moffat)
Date: Thu, 12 Apr 2001 16:00:53 -0700 (PDT)
Subject: openSSH static link
Message-ID: <200104122301.f3CN14B2485482@jurassic.eng.sun.com>

>I'm trying to do a static link of openSSH, in preparation
>for a chrooted install.
>Normally, I would do a './configure --enable-static'
>but there is no configure script.
>
>Is there a way to do a static link of openSSH?
>I've looked at the makefiles to no avail.

Have a look in the list archives; this was discussed just recently.

Archives are available from a number of places including:

http://marc.theaimsgroup.com/?l=openssh-unix-dev&r=1&w=2

--
Darren J Moffat

From tim at multitalents.net Fri Apr 13 12:35:24 2001
From: tim at multitalents.net (Tim Rice)
Date: Thu, 12 Apr 2001 19:35:24 -0700 (PDT)
Subject: Problem with latest OpenSSH - 2.5.2p2
In-Reply-To: <20010412163814.C7812@quipu.half.pint-stowp.cx>
Message-ID:

On Thu, 12 Apr 2001, Jim Knoble wrote:

> Circa 2001-Apr-12 15:16:37 +0200 dixit Lutz Jaenicke:
>
> : On Thu, Apr 12, 2001 at 08:46:20AM -0400, Brent L. Bates wrote:
[snip]
> This technique doesn't restart the read() if it was interrupted.
> Shouldn't it read something like the following?
>
> restart_interrupted:
>     len = read(fileno(stdin), buf, sizeof(buf));
>     if (len <= 0) {
>         if (len < 0) {
>             if (EINTR == errno) {
>                 /* Interrupted by signal. */
>                 goto restart_interrupted;
                  ^^^^^^^^^^^^^
Even if this works, find another way.
I don't think goto is portable.

>             } else if ((EAGAIN == errno) || (EWOULDBLOCK == errno)) {
>                 /* Read operation would block; come back later. */
>                 return;
>             } else {
>                 /* An actual error. */
>                 snprintf(buf, sizeof buf, "read: %.100s\r\n", strerror(errno));
>                 buffer_append(&stderr_buffer, buf, strlen(buf));
>             }
>         }
>         stdin_eof = 1;
>         /* etc. */
>     }
>
> : PS. Operating systems tend to behave differently. I have never seen such
> : effects on HP-UX, while e.g. Unixware behaves completely different, as
> : I have learned when tracking down problems with EINTR in the EGD interface
> : code of OpenSSL... Therefore it is well possible, that other people not
> : working on Irix won't be able to reproduce this problem.
>
> It may well depend on whether signals restart interrupted system calls
> by default or not. See APUE.
>
>

--
Tim Rice                                Multitalents     (707) 887-1469
tim at multitalents.net

From mouring at etoh.eviladmin.org Fri Apr 13 12:49:27 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 12 Apr 2001 21:49:27 -0500 (CDT)
Subject: doubt
In-Reply-To: <000e01c0c3c5$47cc0320$fe0da8c0@intranet.net>
Message-ID:

http://www.openssh.com/faq.html#3.5

It's a documented issue with Slackware.

- Ben

On Thu, 12 Apr 2001, Luiz Henrique wrote:

> hi, i'm trying to configure the opensshd package..
> i'm on a slack 7.1 box, but i always got the permission denied message, the auth is by password.... i've tried to change the sshd_config but it hasn't worked.
> I don't have pam installed. What could be the problem ?
>
> So i've installed the lsh and it worked out.
> Could you help me in this case. Maybe i need to add my host to any file.. but i don't know what. :) so if you could give me a hand I would appreciate :)
>
> Thanks !
>
> Luiz - Student of Information Systems ( i don't know the name of this abroad :p, maybe it's the same )
> UFSC - University of Santa Catarina
> Brazil
>

From devon at admin2.gisnetworks.com Fri Apr 13 13:46:43 2001
From: devon at admin2.gisnetworks.com (Devon Bleak)
Date: Thu, 12 Apr 2001 20:46:43 -0700
Subject: doubt
References:
Message-ID: <003401c0c3cc$5b823ae0$1900a8c0@devn>

funny, i use slackware 7.1 and haven't once run into that problem...
maybe i'm more special than i thought :P

devon

----- Original Message -----
From:
To: "Luiz Henrique"
Cc:
Sent: Thursday, April 12, 2001 7:49 PM
Subject: Re: doubt

>
> http://www.openssh.com/faq.html#3.5
>
> It's a documented issue with Slackware.
>
> - Ben
>
> On Thu, 12 Apr 2001, Luiz Henrique wrote:
>
> > hi, i'm trying to configure the opensshd package..
> > i'm on a slack 7.1 box, but i always got the permission denied message, the auth is by password.... i've tried to change the sshd_config but it hasn't worked.
> > I don't have pam installed. What could be the problem ?
> >
> > So i've installed the lsh and it worked out.
> > Could you help me in this case. Maybe i need to add my host to any file.. but i don't know what. :) so if you could give me a hand I would appreciate :)
> >
> > Thanks !
> >
> > Luiz - Student of Information Systems ( i don't know the name of this abroad :p, maybe it's the same )
> > UFSC - University of Santa Catarina
> > Brazil
> >
>
>

From carson at taltos.org Fri Apr 13 16:06:10 2001
From: carson at taltos.org (Carson Gaspar)
Date: Thu, 12 Apr 2001 23:06:10 -0700
Subject: Problem with latest OpenSSH - 2.5.2p2
In-Reply-To:
References:
Message-ID: <1200955421.987116770@ZATHROS>

--On Thursday, April 12, 2001 7:35 PM -0700 Tim Rice wrote:

> Even if this works, find another way.
> I don't think goto is portable.

Ummm... portable to what? It's been part of C forever. You may use it or
despise it, but portability ain't one of its problems.

--
Carson Gaspar - carson at taltos.org
Queen trapped in a butch body

From jmknoble at jmknoble.cx Fri Apr 13 16:23:44 2001
From: jmknoble at jmknoble.cx (Jim Knoble) Date: Fri, 13 Apr 2001 02:23:44 -0400 Subject: Problem with latest OpenSSH - 2.5.2p2 In-Reply-To: ; from tim@multitalents.net on Thu, Apr 12, 2001 at 07:35:24PM -0700 References: <20010412163814.C7812@quipu.half.pint-stowp.cx> Message-ID: <20010413022344.D7812@quipu.half.pint-stowp.cx> Circa 2001-Apr-12 19:35:24 -0700 dixit Tim Rice: : > goto restart_interrupted; : ^^^^^^^^^^^^^ : Even if this works, find another way. : I don't think goto is portable. Nice try, Tim. Only 12 days late. :) -- jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/ From gert at greenie.muc.de Fri Apr 13 17:50:47 2001 From: gert at greenie.muc.de (Gert Doering) Date: Fri, 13 Apr 2001 09:50:47 +0200 Subject: Problem with latest OpenSSH - 2.5.2p2 In-Reply-To: ; from Tim Rice on Thu, Apr 12, 2001 at 07:35:24PM -0700 References: <20010412163814.C7812@quipu.half.pint-stowp.cx> Message-ID: <20010413095047.D17575@greenie.muc.de> Hi, On Thu, Apr 12, 2001 at 07:35:24PM -0700, Tim Rice wrote: > > /* Interrupted by signal. */ > > goto restart_interrupted; > ^^^^^^^^^^^^^ > Even if this works, find another way. > I don't think goto is portable. It is fairly portable (never seen a C compiler that doesn't support it). gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From Lutz.Jaenicke at aet.TU-Cottbus.DE Fri Apr 13 20:03:50 2001 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Fri, 13 Apr 2001 12:03:50 +0200 Subject: Problem with latest OpenSSH - 2.5.2p2 In-Reply-To: <20010413095047.D17575@greenie.muc.de>; from gert@greenie.muc.de on Fri, Apr 13, 2001 at 09:50:47AM +0200 References: <20010412163814.C7812@quipu.half.pint-stowp.cx> <20010413095047.D17575@greenie.muc.de> Message-ID: <20010413120350.A21585@serv01.aet.tu-cottbus.de> On Fri, Apr 13, 2001 at 09:50:47AM +0200, Gert Doering wrote: > On Thu, Apr 12, 2001 at 07:35:24PM -0700, Tim Rice wrote: > > > /* Interrupted by signal. */ > > > goto restart_interrupted; > > ^^^^^^^^^^^^^ > > Even if this works, find another way. > > I don't think goto is portable. > > It is fairly portable (never seen a C compiler that doesn't support it). It's part of the standard, so in fact it is portable. With respect to OpenSSH: if you would find a platform without it, openssh still wouldn't have a problem. OpenSSL is full of goto statements, and without OpenSSL nobody would have to care about OpenSSH anyway :-) The question whether using goto is to be recommended or not is a different question, that might easily lead to a flame war... Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From Torbjorn.Wictorin at its.uu.se Fri Apr 13 21:00:25 2001 
From: Torbjorn.Wictorin at its.uu.se (Torbjorn.Wictorin at its.uu.se)
Date: Fri, 13 Apr 2001 13:00:25 +0200 (CEST)
Subject: Suspicious shadow listen port
In-Reply-To:
Message-ID:

On Thu, 12 Apr 2001, Kevin Steves wrote:
...
> which platform is this? i can't dup on hp-ux 11. does it come back

AIX 4.3.2, sshd version OpenSSH_2.3.0p1

> when you re-add the bogus listenaddr?

I added it again and now a listen popped up on port 45909. So my theory
about (0x7fff - 22) did not hold (45909 = 0xb355).

Looks like openssh does not fully handle the return code from bind().

/torbjörn w

From stevesk at sweden.hp.com Sat Apr 14 00:00:01 2001
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Fri, 13 Apr 2001 16:00:01 +0200 (METDST)
Subject: Suspicious shadow listen port
In-Reply-To:
Message-ID:

On Fri, 13 Apr 2001 Torbjorn.Wictorin at its.uu.se wrote:
: On Thu, 12 Apr 2001, Kevin Steves wrote:
: > which platform is this? i can't dup on hp-ux 11. does it come back
:
: AIX 4.3.2, sshd version OpenSSH_2.3.0p1
:
: > when you re-add the bogus listenaddr?
:
: I added it again and now a listen popped up on port 45909. So my theory
: about (0x7fff - 22) did not hold (45909 = 0xb355).
:
: Looks like openssh does not fully handle the return code from bind().

it is handled. there is some error suppress code in there that i think
should be removed, but i can't see how that causes your issue.

does aix have truss/trace? can you get output from that?

From mouring at etoh.eviladmin.org Sat Apr 14 00:00:52 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Fri, 13 Apr 2001 09:00:52 -0500 (CDT)
Subject: Suspicious shadow listen port
In-Reply-To:
Message-ID:

On Fri, 13 Apr 2001, Kevin Steves wrote:

> On Fri, 13 Apr 2001 Torbjorn.Wictorin at its.uu.se wrote:
> : On Thu, 12 Apr 2001, Kevin Steves wrote:
> : > which platform is this? i can't dup on hp-ux 11. does it come back
> :
> : AIX 4.3.2, sshd version OpenSSH_2.3.0p1
> :

Have you tried the latest 2.5.2pX release? I'd rather verify the behavior
against the latest release to ensure that we are not seeing something
that was fixed indirectly.

- Ben

From djm at mindrot.org Sat Apr 14 00:11:39 2001
From: djm at mindrot.org (Damien Miller)
Date: Sat, 14 Apr 2001 00:11:39 +1000 (EST)
Subject: Problem with latest OpenSSH - 2.5.2p2
In-Reply-To: <20010412151637.A26262@ws01.aet.tu-cottbus.de>
Message-ID:

On Thu, 12 Apr 2001, Lutz Jaenicke wrote:

> I just did a grep on 'read:' and there is only one place where this error
> could be generated. It is in clientloop.c:client_process_input().
[snip]
> There is no check for EINTR (and EAGAIN), and the occurrence of EINTR
> would be treated as error.

Does this work?

Index: clientloop.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/clientloop.c,v
retrieving revision 1.61
diff -u -r1.61 clientloop.c
--- clientloop.c	2001/04/08 11:27:33	1.61
+++ clientloop.c	2001/04/13 14:07:41
@@ -671,7 +671,9 @@
 	/* Read input from stdin. */
 	if (FD_ISSET(fileno(stdin), readset)) {
 		/* Read as much as possible. */
-		len = read(fileno(stdin), buf, sizeof(buf));
+		do
+			len = read(fileno(stdin), buf, sizeof(buf));
+		while (len == -1 && (errno == EINTR || errno == EAGAIN));
 		if (len <= 0) {
 			/*
 			 * Received EOF or error.  They are treated

-d

--
| Damien Miller \   ``E-mail attachments are the poor man's
| http://www.mindrot.org /    distributed filesystem'' - Dan Geer

From cmadams at hiwaay.net Sat Apr 14 00:30:27 2001
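Review bot: in the @@ -671,7 +671,9 @@ hunk of the clientloop.c diff above, the retry condition `while (len == -1 && (errno == EINTR || errno == EAGAIN))` restarts the read() on EAGAIN as well as on EINTR; if stdin is in non-blocking mode at this point, that loop spins on the CPU until input arrives instead of going back to select(). Restart only on EINTR and return from client_process_input() on EAGAIN (and on EWOULDBLOCK, which is a distinct value on some platforms), and add a one-line comment on the loop noting that a -1 return guarantees errno was set by this read(), so testing it in the loop condition is safe.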
From: cmadams at hiwaay.net (Chris Adams)
Date: Fri, 13 Apr 2001 09:30:27 -0500
Subject: Problem with latest OpenSSH - 2.5.2p2
In-Reply-To: ; from tim@multitalents.net on Thu, Apr 12, 2001 at 07:35:24PM -0700
References: <20010412163814.C7812@quipu.half.pint-stowp.cx>
Message-ID: <20010413093027.C2640@HiWAAY.net>

Once upon a time, Tim Rice said:
> >                 goto restart_interrupted;
>                   ^^^^^^^^^^^^^
> Even if this works, find another way.
> I don't think goto is portable.

Then how does OpenSSH compile at all?

$ grep -l goto *.[ch]
auth-krb4.c
auth-options.c
auth2.c
authfile.c
buffer.c
dh.c
entropy.c
readconf.c
scp.c
servconf.c
serverloop.c
sftp-client.c
sftp-int.c
ssh-agent.c
ssh-keygen.c
ttymodes.c
$

And it looks like every one of them is an actual goto, not a variable
name, comment, or something like that.

Now, goto is not part of official structured programming, but that does
not mean that it is not the best solution to a problem sometimes.

--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From niles at scyld.com Sat Apr 14 01:22:24 2001
From: niles at scyld.com (Rick Niles)
Date: Fri, 13 Apr 2001 11:22:24 -0400
Subject: LFS changes...
Message-ID: <200104131522.f3DFMOk17223@bowler.niles.scyld.com>

< This patch is against openssh-2.5.2p2 >

Here's a few lines we changed a while back in "scp.c" to get it to
transfer large (>2GB) files on a 32-bit system using LFS.

Obviously, you don't want the line hard-coded in that sets
_FILE_OFFSET_BITS=64, but perhaps you could make it a configure option.
(Is it already perhaps?)

Do you agree that these lines are necessary or not? It does seem that
statbytes (number of bytes xfer'ed so far), must be an off_t doesn't it?

Thanks,
	Rick Niles.
	Scyld Computing Corporation

------------
diff -ur openssh-2.5.2p2.orig/scp.c openssh-2.5.2p2/scp.c
--- openssh-2.5.2p2.orig/scp.c	Sun Mar 18 22:09:40 2001
+++ openssh-2.5.2p2/scp.c	Thu Apr 12 22:20:38 2001
@@ -74,6 +74,7 @@ * */ +#define _FILE_OFFSET_BITS 64 #include "includes.h" RCSID("$OpenBSD: scp.c,v 1.61 2001/03/15 15:05:59 markus Exp $"); @@ -114,7 +115,7 @@ static struct timeval start; /* Number of bytes of current file transferred so far. */ -volatile u_long statbytes; +volatile off_t statbytes; /* Total size of current file. */ off_t totalbytes = 0; @@ -501,8 +502,8 @@ struct stat stb; static BUF buffer; BUF *bp; - off_t i; - int amt, fd, haderr, indx, result; + off_t i, amt, result; + int fd, haderr, indx; char *last, *name, buf[2048]; for (indx = 0; indx < argc; ++indx) { From cmadams at hiwaay.net Sat Apr 14 02:06:41 2001 From: cmadams at hiwaay.net (Chris Adams) Date: Fri, 13 Apr 2001 11:06:41 -0500 Subject: Fixed patch for Digital Unix SIA Message-ID: <20010413110641.E2640@HiWAAY.net> Okay, here is a fixed version of the patch I sent before for fixing the problems I know about with Digital Unix SIA: displaying too much info (MOTD, last login, etc.) when access is denied, and the loss of the error message sometimes when access is denied. It does break some code out of do_login into a couple of separate functions. I did this to avoid duplicating the code in a couple of places. If that's a problem, I can generate a patch that doesn't touch anything else (but duplicates code); just let me know. This is against CVS as of a little while ago. -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. diff -urN openssh_cvs/auth-sia.c openssh/auth-sia.c --- openssh_cvs/auth-sia.c Tue Feb 13 08:25:23 2001 +++ openssh/auth-sia.c Fri Apr 13 11:00:07 2001 
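Review bot: in the @@ -74,6 +74,7 @@ hunk of the scp.c diff above, `#define _FILE_OFFSET_BITS 64` is placed before `#include "includes.h"`, which is the only position that works (it must precede every system header), but defining it in a single source file gives scp.c a 64-bit off_t while every other object in the tree, and any library it links against, keeps the 32-bit one. The cover mail already points at the right fix: let configure set it (autoconf's AC_SYS_LARGEFILE does exactly this) so that config.h carries the definition for every file.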
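Review bot: in the @@ -114,7 +115,7 @@ hunk of the scp.c diff above, changing `volatile u_long statbytes;` to `volatile off_t statbytes;` is correct and should stay even if the rest of the patch is reworked: u_long is 32 bits on the systems in question and cannot count a transfer past 4 GB, and `off_t totalbytes` two lines below already uses the wider type, so the progress arithmetic mixed the two widths.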
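Review bot: in the @@ -501,8 +502,8 @@ hunk of the scp.c diff above, `amt` and `result` move from `int` to `off_t` but every use of them lies outside the hunk; check each one, since read()/write() return ssize_t and take a size_t count, comparisons against the remaining int locals are now silently widened, and any `%d` format that prints them becomes wrong. A comment on the declaration saying which of the three really needs 64 bits (the byte counter does, a per-call chunk size may not) would make the intent clear.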
@@ -61,35 +61,46 @@ host = get_canonical_hostname (options.reverse_mapping_check); if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, - NULL) != SIASUCCESS) - fatal("sia_ses_init failed"); + NULL) != SIASUCCESS) { + error("sia_ses_init failed"); + exit(1); + } if ((pw = getpwnam(user)) == NULL) { sia_ses_release(&ent); - fatal("getpwnam(%s) failed: %s", user, strerror(errno)); + error("getpwnam(%s) failed: %s", user, strerror(errno)); + exit(1); } if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) { sia_ses_release(&ent); - fatal("sia_make_entity_pwd failed"); + error("sia_make_entity_pwd failed"); + exit(1); } ent->authtype = SIA_A_NONE; - if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) - fatal("couldn't establish session for %s from %s", user, + if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) { + error("couldn't establish session for %s from %s", user, host); + exit(1); + } if (setpriority(PRIO_PROCESS, 0, 0) == -1) { sia_ses_release(&ent); - fatal("setpriority failed: %s", strerror (errno)); + error("setpriority failed: %s", strerror (errno)); + exit(1); } - if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) - fatal("couldn't launch session for %s from %s", user, host); + if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) { + error("couldn't launch session for %s from %s", user, host); + exit(1); + } sia_ses_release(&ent); - if (setreuid(geteuid(), geteuid()) < 0) - fatal("setreuid failed: %s", strerror (errno)); + if (setreuid(geteuid(), geteuid()) < 0) { + error("setreuid failed: %s", strerror (errno)); + exit(1); + } } #endif /* HAVE_OSF_SIA */ diff -urN openssh_cvs/session.c openssh/session.c --- openssh_cvs/session.c Fri Apr 13 09:28:30 2001 +++ openssh/session.c Fri Apr 13 09:32:41 2001 
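Review bot: in the @@ -61,35 +61,46 @@ hunk of the auth-sia.c diff above, the `sia_ses_estab()` and `sia_ses_launch()` failure branches call exit(1) without `sia_ses_release(&ent)`, while the `getpwnam()` and `setpriority()` branches release the session first; make the cleanup uniform in all four. Replacing fatal() with error() plus exit(1) also changes more than the log text: fatal() runs the registered cleanup handlers before exiting and uses a different exit status, so add a comment stating why a plain exit(1) is wanted here (the cover mail's lost-error-message case), otherwise the next reader will change it back.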
@@ -128,9 +128,11 @@ void do_exec_no_pty(Session *s, const char *command); void do_login(Session *s, const char *command); void do_child(Session *s, const char *command); +void do_motd(void); void do_authenticated1(Authctxt *authctxt); void do_authenticated2(Authctxt *authctxt); +int check_quietlogin(Session *s, const char *command); /* import */ extern ServerOptions options; @@ -633,8 +635,10 @@ close(ttyfd); /* record login, etc. similar to login(1) */ +#ifndef HAVE_OSF_SIA if (!(options.use_login && command == NULL)) do_login(s, command); +#endif /* Do common processing for the child, such as execing the command. */ do_child(s, command); @@ -681,7 +685,6 @@ void do_login(Session *s, const char *command) { - FILE *f; char *time_string; char buf[256]; char hostname[MAXHOSTNAMELEN]; @@ -729,15 +732,8 @@ } #endif - /* Done if .hushlogin exists or a command given. */ - if (command != NULL) - return; - snprintf(buf, sizeof(buf), "%.200s/.hushlogin", pw->pw_dir); -#ifdef HAVE_LOGIN_CAP - if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0) -#else - if (stat(buf, &st) >= 0) -#endif + /* Done if quiet login. */ + if (check_quietlogin(s, command)) return; #ifdef USE_PAM @@ -758,6 +754,19 @@ else printf("Last login: %s from %s\r\n", time_string, hostname); } + + do_motd(); +} + +/* + * Display the message of the day. + */ +void +do_motd(void) +{ + FILE *f; + char buf[256]; + if (options.print_motd) { #ifdef HAVE_LOGIN_CAP f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", @@ -1023,7 +1032,7 @@ if (options.use_login && command != NULL) options.use_login = 0; -#ifndef USE_PAM /* pam_nologin handles this */ +#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) if (!options.use_login) { # ifdef HAVE_LOGIN_CAP if (!login_getcapbool(lc, "ignorenologin", 0) && pw->pw_uid) 
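Review bot: in the @@ -633,8 +635,10 @@ hunk of the session.c diff above, the new `#ifndef HAVE_OSF_SIA` skips the entire do_login() call, and the context comment says that call also records the login "similar to login(1)"; if session_setup_sia() (via sia_ses_launch) now does the utmp/wtmp recording on SIA builds, say so in a comment at this #ifndef, and if it does not, Digital Unix loses the login record with this change.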
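Review bot: in the @@ -1023,7 +1032,7 @@ hunk of the session.c diff above, the explanation `/* pam_nologin handles this */` disappears when the condition becomes `#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)`; keep a comment stating that both PAM and SIA perform the /etc/nologin check themselves, since otherwise the reason for exempting two platforms from the check lives only in this mailing list thread.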
@@ -1041,7 +1050,7 @@ exit(254); } } -#endif /* USE_PAM */ +#endif /* USE_PAM || HAVE_OSF_SIA */ /* Set login name, uid, gid, and groups. */ /* Login(1) does this as well, and it needs uid 0 for the "-h" @@ -1049,6 +1058,8 @@ if (!options.use_login) { #ifdef HAVE_OSF_SIA session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty); + if (! check_quietlogin(s, command)) + do_motd(); #else /* HAVE_OSF_SIA */ #ifdef HAVE_CYGWIN if (is_winnt) { @@ -2027,4 +2038,27 @@ server_loop2(); if (xauthfile) xauthfile_cleanup_proc(NULL); +} + +/* + * Check for quiet login, either .hushlogin or command given. + */ +int +check_quietlogin(Session *s, const char *command) +{ + char buf[256]; + struct passwd * pw = s->pw; + struct stat st; + + /* Return 1 if .hushlogin exists or a command given. */ + if (command != NULL) + return 1; + snprintf(buf, sizeof(buf), "%.200s/.hushlogin", pw->pw_dir); +#ifdef HAVE_LOGIN_CAP + if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0) +#else + if (stat(buf, &st) >= 0) +#endif + return 1; + return 0; } From tim at multitalents.net Sat Apr 14 04:24:39 2001 From: tim at multitalents.net (Tim Rice) Date: Fri, 13 Apr 2001 11:24:39 -0700 (PDT) Subject: Problem with latest OpenSSH - 2.5.2p2 In-Reply-To: <1200955421.987116770@ZATHROS> Message-ID: On Thu, 12 Apr 2001, Carson Gaspar wrote: > > > --On Thursday, April 12, 2001 7:35 PM -0700 Tim Rice > wrote: > > > Even if this works, find another way. > > I don't think goto is portable. > > > > Ummm... portable to what? It's been part of C forever. You may use it or > despise it, but portability ain't one of its problems. That's the trouble with replying to e-mail late at night. Yes it has been a part of C forever. What I was remembering was a problem with goto in C++ on a SCO platform. Nevermind. :-) > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From markus.friedl at informatik.uni-erlangen.de Fri Apr 13 22:37:20 2001 
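Review bot: in the @@ -2027,4 +2038,27 @@ hunk of the session.c diff above, check_quietlogin() stat()s `%.200s/.hushlogin` under the user's home directory, so the uid in effect at each call site matters: the SIA call site added in the @@ -1049,6 +1058,8 @@ hunk runs right after session_setup_sia(), whose last step (visible in the auth-sia.c hunk) is `setreuid(geteuid(), geteuid())`, while the do_login() call site runs wherever do_login() is in its uid handling; a comment at each call site saying which uid performs the stat() would prevent surprises with root-squashed NFS home directories. Two style points: `struct passwd * pw = s->pw;` should follow the file's `struct passwd *pw` spacing, and `if (! check_quietlogin(s, command))` should be `if (!check_quietlogin(s, command))`.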
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 13 Apr 2001 14:37:20 +0200 Subject: ssh not using priv port if target prot not priv In-Reply-To: <20010412142615.A30948@mas1.oac.ucla.edu>; from mas@ucla.edu on Thu, Apr 12, 2001 at 02:26:15PM -0700 References: <20010412142615.A30948@mas1.oac.ucla.edu> Message-ID: <20010413143720.A25363@folly> On Thu, Apr 12, 2001 at 02:26:15PM -0700, Michael Stein wrote: > The openSSH ssh command appears to not use a source privileged port > (no matter what the options/configs) if the target port > isn't a privileged port. are you using a recent openssh version? what OS? what openssh version? From anderson at more.net Fri Apr 13 23:11:21 2001 From: anderson at more.net (Eric L. Anderson) Date: Fri, 13 Apr 2001 08:11:21 -0500 Subject: [anderson@more.net: OpenSSH_2.5.2p2 with -L problem] Message-ID: <20010413081121.N16995@more.net> I failed to mention the contact info for the employee of Sun who also encountered a similar problem (with -R but to a Solaris 8_x86 box). Robert Vassar He said he was interested in working on an OpenSSH patch if necessary. Please CC him also if additional information is needed. ----- Forwarded message from "Eric L. Anderson" ----- > Date: Thu, 12 Apr 2001 16:34:47 -0500 
> From: "Eric L. Anderson"
> To: openssh at openssh.com
> Subject: OpenSSH_2.5.2p2 with -L problem
>
> Here is a problem an employee of Sun and I have discovered about port forwarding
> (-L or -R) on Solaris 8 (x86 only). I am using OpenSSH_2.5.2p2 and when I try
> to do port forwarding with -L (on x86) I see the following (when running ssh
> with the -v option):
>
> debug1: Local forwarding listening on 1.0.0.127 port 6500.
> bind: Cannot assign requested address
>
> This looks quite odd considering I do not have any ethernet interfaces
> configured with that IP. When I do the same on a SPARC (which works) I see
> the following:
>
> debug1: Local forwarding listening on 127.0.0.1 port 6500.
>
> That of course looks normal. This appears to be an endianness issue. I have
> looked at the code (channels.c) but I do not see where the bug might be (then
> again, I have little experience in network programming).
>
> Please let me know if you need additional information or let me know if I am
> barking up the wrong tree (perhaps this is a Solaris issue ;)
>
> Thanks
> --
> Eric L. Anderson
> anderson at more.net

----- End forwarded message -----

--
Eric L. Anderson
anderson at more.net

From pekkas at netcore.fi Sat Apr 14 05:06:49 2001
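The 1.0.0.127 in the report is exactly what 127.0.0.1 looks like when a host-order address is stored in a struct in_addr without htonl() on a little-endian machine. The following is an added illustration of that mechanism, not OpenSSH code and not a claim about where in channels.c the bug sits; the function names are hypothetical, and the sockaddr check at the end is the kind of assertion that would have caught it before bind().

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>

/* 1 on a little-endian host such as x86, 0 on a big-endian one such as SPARC. */
int
host_is_little_endian(void)
{
	uint32_t probe = 1;
	unsigned char first_byte;

	memcpy(&first_byte, &probe, 1);
	return first_byte == 1;
}

/* Format an IPv4 address given in host order, converting it properly. */
const char *
format_v4_correct(uint32_t host_order, char *out, size_t outlen)
{
	struct in_addr in;

	in.s_addr = htonl(host_order);	/* s_addr must hold network byte order */
	return inet_ntop(AF_INET, &in, out, outlen);
}

/* The same with htonl() forgotten: reproduces "1.0.0.127" on x86. */
const char *
format_v4_buggy(uint32_t host_order, char *out, size_t outlen)
{
	struct in_addr in;

	in.s_addr = host_order;		/* BUG: host-order value stored unconverted */
	return inet_ntop(AF_INET, &in, out, outlen);
}

/*
 * Defensive check for a listener address before bind(): compare the bytes in
 * the prepared sockaddr_in with what inet_pton() yields for the intended text.
 * Returns 1 only if they denote the same address.
 */
int
sockaddr_matches(const struct sockaddr_in *sin, const char *intended)
{
	struct in_addr want;

	if (inet_pton(AF_INET, intended, &want) != 1)
		return 0;
	return sin->sin_addr.s_addr == want.s_addr;
}

/* 1 if the correct path prints the loopback address as 127.0.0.1. */
int
correct_path_ok(void)
{
	char text[INET_ADDRSTRLEN];

	if (format_v4_correct(INADDR_LOOPBACK, text, sizeof(text)) == NULL)
		return 0;
	return strcmp(text, "127.0.0.1") == 0;
}

/* 1 if the buggy path shows the symptom from the report on this host. */
int
buggy_path_shows_symptom(void)
{
	char text[INET_ADDRSTRLEN];

	if (format_v4_buggy(INADDR_LOOPBACK, text, sizeof(text)) == NULL)
		return 0;
	return strcmp(text, "1.0.0.127") == 0;
}

/*
 * Build the sockaddr for "127.0.0.1 port 6500" (the forwarding listener from
 * the report) with or without htonl() and run the check above; returns 1 when
 * the stored address really is loopback.
 */
int
demo_sockaddr_check(int apply_htonl)
{
	struct sockaddr_in sin;

	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_port = htons(6500);
	sin.sin_addr.s_addr = apply_htonl ? htonl(INADDR_LOOPBACK) : INADDR_LOOPBACK;
	return sockaddr_matches(&sin, "127.0.0.1");
}
```

On a big-endian host the buggy path is indistinguishable from the correct one, which is why the SPARC build in the report works and the x86 build does not.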
From: pekkas at netcore.fi (Pekka Savola)
Date: Fri, 13 Apr 2001 22:06:49 +0300 (EEST)
Subject: ssh not using priv port if target prot not priv
In-Reply-To: <20010413143720.A25363@folly>
Message-ID:

On Fri, 13 Apr 2001, Markus Friedl wrote:

> On Thu, Apr 12, 2001 at 02:26:15PM -0700, Michael Stein wrote:
> > The openSSH ssh command appears to not use a source privileged port
> > (no matter what the options/configs) if the target port
> > isn't a privileged port.
>
> are you using a recent openssh version? what OS?
> what openssh version?

For what it's worth, I'm seeing this behaviour on 2.3.0p1 but not 2.5.2p2.

I believe this was changed around Dec 12, perhaps in:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ssh.c.diff?r1=1.76&r2=1.77

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

From jmknoble at jmknoble.cx Sat Apr 14 06:37:23 2001
From: jmknoble at jmknoble.cx (Jim Knoble)
Date: Fri, 13 Apr 2001 16:37:23 -0400
Subject: Problem with latest OpenSSH - 2.5.2p2
In-Reply-To: ; from djm@mindrot.org on Sat, Apr 14, 2001 at 12:11:39AM +1000
References: <20010412151637.A26262@ws01.aet.tu-cottbus.de>
Message-ID: <20010413163723.B5478@quipu.half.pint-stowp.cx>

Circa 2001-Apr-14 00:11:39 +1000 dixit Damien Miller:

: On Thu, 12 Apr 2001, Lutz Jaenicke wrote:
: > There is no check for EINTR (and EAGAIN), and the occurrence of EINTR
: > would be treated as error.
:
: Does this work?
:
: Index: clientloop.c
: ===================================================================
: RCS file: /cvs/src/usr.bin/ssh/clientloop.c,v
: retrieving revision 1.61
: diff -u -r1.61 clientloop.c
: --- clientloop.c	2001/04/08 11:27:33	1.61
: +++ clientloop.c	2001/04/13 14:07:41
: @@ -671,7 +671,9 @@
:  	/* Read input from stdin. */
:  	if (FD_ISSET(fileno(stdin), readset)) {
:  		/* Read as much as possible. */
: -		len = read(fileno(stdin), buf, sizeof(buf));
: +		do
: +			len = read(fileno(stdin), buf, sizeof(buf));
: +		while (len == -1 && (errno == EINTR || errno == EAGAIN));
                                                      ^^^^^^^^^^^^^^^^^

Damien, is stdin set up for non-blocking I/O at this point? If it is,
then retrying the read() after EAGAIN is liable to cause ssh to
effectively block (by spinning in this loop) until there's some input
on stdin. If stdin isn't set up for non-blocking I/O, then why would
read() return EAGAIN?

Wouldn't it make more sense to simply return from
client_process_input() on EAGAIN?

:  		if (len <= 0) {
:  			/*
:  			 * Received EOF or error.  They are treated

--
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)

From kaelin at everest.com Sat Apr 14 11:02:02 2001
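The rule the thread converges on for client_process_input() (restart only on EINTR, return to the select() loop on EAGAIN/EWOULDBLOCK instead of spinning, keep EOF distinct from a real error), as an added example that is not OpenSSH code and not the patch under discussion: a stdin reader with that rule plus two constructed scenarios, one where SIGALRM interrupts a blocking read() on a pipe and one with an empty non-blocking pipe. The function names and the pipe-and-timer setup are assumptions made for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/time.h>
#include <unistd.h>

/* Outcome of one attempt to read the client's stdin (hypothetical names). */
enum read_status { RD_DATA, RD_EOF, RD_WOULDBLOCK, RD_ERROR };

static int eintr_restarts;	/* read() restarts after EINTR, for the demo */
static int demo_wfd = -1;	/* write end of the demo pipe, for the handler */

/*
 * Read from fd into buf: RD_DATA with *len set; RD_EOF at end of file;
 * RD_WOULDBLOCK when a non-blocking fd has nothing yet (the caller goes back
 * to select() instead of spinning); RD_ERROR otherwise, errno preserved.
 * Only EINTR restarts the read.
 */
enum read_status
read_input(int fd, char *buf, size_t size, ssize_t *len)
{
	ssize_t n;

	do {
		n = read(fd, buf, size);
		if (n == -1 && errno == EINTR)
			eintr_restarts++;
	} while (n == -1 && errno == EINTR);

	if (n > 0) {
		*len = n;
		return RD_DATA;
	}
	if (n == 0)
		return RD_EOF;
	if (errno == EAGAIN || errno == EWOULDBLOCK)
		return RD_WOULDBLOCK;
	return RD_ERROR;
}

static void
on_alarm(int sig)
{
	(void)sig;
	/* write() is async-signal-safe; hand the blocked reader one byte. */
	(void)write(demo_wfd, "x", 1);
}

/*
 * Constructed scenario: a blocking read() on an empty pipe is interrupted by
 * SIGALRM installed without SA_RESTART, so it fails with EINTR; the handler
 * supplies one byte and the restarted read() returns it. Returns 1 on success.
 */
int
demo_eintr_restart(void)
{
	int fds[2];
	char buf[16];
	ssize_t len = 0;
	struct sigaction sa;
	struct itimerval it = { { 0, 0 }, { 0, 250000 } };	/* once, after 250 ms */
	enum read_status st;

	if (pipe(fds) == -1)
		return 0;
	demo_wfd = fds[1];
	eintr_restarts = 0;
	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = on_alarm;
	sigemptyset(&sa.sa_mask);
	sa.sa_flags = 0;		/* deliberately no SA_RESTART */
	sigaction(SIGALRM, &sa, NULL);
	setitimer(ITIMER_REAL, &it, NULL);

	st = read_input(fds[0], buf, sizeof(buf), &len);
	close(fds[0]);
	close(fds[1]);
	return st == RD_DATA && len == 1 && buf[0] == 'x' && eintr_restarts >= 1;
}

/*
 * Constructed scenario: an empty non-blocking pipe reports RD_WOULDBLOCK (no
 * retry, no busy loop); once the writer closes, RD_EOF. Returns 1 on success.
 */
int
demo_nonblocking(void)
{
	int fds[2], ok;
	char buf[16];
	ssize_t len = 0;

	if (pipe(fds) == -1)
		return 0;
	fcntl(fds[0], F_SETFL, fcntl(fds[0], F_GETFL) | O_NONBLOCK);
	ok = read_input(fds[0], buf, sizeof(buf), &len) == RD_WOULDBLOCK;
	close(fds[1]);
	ok = ok && read_input(fds[0], buf, sizeof(buf), &len) == RD_EOF;
	close(fds[0]);
	return ok;
}
```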
From: kaelin at everest.com (Kaelin Colclasure) Date: Fri, 13 Apr 2001 18:02:02 -0700 Subject: ssh-agent for kerberos-like authentication to my own daemon? Message-ID: <3AD7A18A.7F0175CF@everest.com> Greetings, I am writing a daemon which will be deployed internally across a largish server farm. I am also writing the client program a user runs to invoke operations at said daemon. The client communicates with one or more daemons simultaneously using a simple UDP-based protocol. I would like to add authentication to this protocol. From what I have read of such things, Kerberos-style tickets seem perfect for this kind of application -- but I am quite reluctant to approach the operations folks and propose they set up and maintain a Kerberos domain. (A spot lynching might ensue.) Right now we use OpenSSH on all of the machines and up till now it has met all our needs. So, I'm wondering if it's possible to formulate a simple-yet-secure handshake that takes advantage of the SSH infrastructure we already have deployed. Something like a simple ticket generated and signed by the client, with which my daemon can do the following:
- Check the timestamp against a +/-5 minute window (like Kerberos)
- Verify the message is not in a 10-minute anti-replay cache
- Check the signature against the user's locally stored public key
- Assuming all this looks good, check a local access list, and
- Run the operation only if the user is authorized
I'm not chartered to spend a lot of time on this aspect of this daemon, but the site is a somewhat high-profile target, so it's worth a bit of effort to come up with something that can't trivially be broken or bypassed. Is this a reasonable idea? Is there code in OpenSSH that I can use to implement it reasonably quickly? -- Kaelin From hgot at ecip.tohoku.ac.jp Sat Apr 14 23:45:14 2001
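The ticket scheme Kaelin sketches above, worked through as an added example; this is not code from the original post or from OpenSSH. It assumes Ed25519 user keys held in an in-memory table (standing in for the "locally stored public key", however a deployment derives that from its SSH key material), and the ticket layout and its signed encoding are invented here. The daemon applies his four checks in the order he lists them, with two details a practitioner would want: the replay cache is kept for the full width of the clock window (10 minutes for a +/-5 minute window, which is exactly his pairing), because a ticket from a client whose clock runs fast stays valid until its timestamp plus the skew; and the nonce is recorded only after the signature verifies, so an unauthenticated sender cannot fill the cache.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Numbers from the post. The replay cache must outlive the whole clock window
// (2*clockSkew): a ticket that arrived early stays valid until issued+clockSkew.
const (
	clockSkew    = 5 * time.Minute
	replayWindow = 2 * clockSkew
)

var (
	ErrStale        = errors.New("ticket: timestamp outside window")
	ErrReplay       = errors.New("ticket: already seen")
	ErrBadSignature = errors.New("ticket: unknown user or bad signature")
	ErrNotAllowed   = errors.New("ticket: operation not permitted")
)

// Ticket is the client-signed request; the layout is an assumption for this example.
type Ticket struct {
	User, Operation string
	Issued          time.Time
	Nonce           [16]byte
	Sig             []byte
}

// signedBytes is the message under the signature: %q-quoted fields (unambiguous
// boundaries), the timestamp and the nonce, so nothing on the path can alter them.
func (t *Ticket) signedBytes() []byte {
	hdr := fmt.Sprintf("%q %q %d ", t.User, t.Operation, t.Issued.Unix())
	return append([]byte(hdr), t.Nonce[:]...)
}

// NewTicket is the client side: fill in the request and sign it.
func NewTicket(user, op string, issued time.Time, priv ed25519.PrivateKey) (*Ticket, error) {
	t := &Ticket{User: user, Operation: op, Issued: issued}
	if _, err := rand.Read(t.Nonce[:]); err != nil {
		return nil, err
	}
	t.Sig = ed25519.Sign(priv, t.signedBytes())
	return t, nil
}

// Daemon: per-user stored public keys, access list, replay cache (nonce -> first seen).
type Daemon struct {
	keys map[string]ed25519.PublicKey
	acl  map[string]map[string]bool
	seen map[string]time.Time
}

func NewDaemon() *Daemon {
	return &Daemon{map[string]ed25519.PublicKey{}, map[string]map[string]bool{}, map[string]time.Time{}}
}

// AddUser registers a user's public key and the operations it may invoke.
func (d *Daemon) AddUser(user string, pub ed25519.PublicKey, ops ...string) {
	d.keys[user], d.acl[user] = pub, map[string]bool{}
	for _, op := range ops {
		d.acl[user][op] = true
	}
}

// Authorize applies the post's checks in order (now is a parameter so the window is
// testable). The nonce is recorded only after the signature verifies.
func (d *Daemon) Authorize(t *Ticket, now time.Time) error {
	if t.Issued.Before(now.Add(-clockSkew)) || t.Issued.After(now.Add(clockSkew)) {
		return ErrStale // 1. clock window
	}
	for k, at := range d.seen { // 2. expire old entries, then consult the cache
		if now.Sub(at) > replayWindow {
			delete(d.seen, k)
		}
	}
	if _, dup := d.seen[string(t.Nonce[:])]; dup {
		return ErrReplay
	}
	pub, ok := d.keys[t.User] // 3. signature against the stored key
	if !ok || !ed25519.Verify(pub, t.signedBytes(), t.Sig) {
		return ErrBadSignature
	}
	d.seen[string(t.Nonce[:])] = now
	if !d.acl[t.User][t.Operation] {
		return ErrNotAllowed // 4. local access list
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	d := NewDaemon()
	d.AddUser("kaelin", pub, "restart")
	t, _ := NewTicket("kaelin", "restart", time.Now(), priv)
	fmt.Println(d.Authorize(t, time.Now()), d.Authorize(t, time.Now()))
}
```

One caveat that follows from the post's own setup rather than from this code: the client talks to several daemons at once and each daemon keeps its own replay cache, so a ticket accepted by one host can be replayed to another inside the window. Binding the target host name into the signed bytes (an extra field this example does not include) closes that.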
From: hgot at ecip.tohoku.ac.jp (Hideaki Goto) Date: Sat, 14 Apr 2001 22:45:14 +0900 Subject: [PATCH]: Heartbeat/Watchdog Patch with SSH2 support In-Reply-To: Your message of "Mon, 09 Apr 2001 16:51:14 JST." <200104090751.QAA22707@swift.ecip.tohoku.ac.jp> Message-ID: <200104141345.WAA25805@swift.ecip.tohoku.ac.jp> Hello, I've released a new version of the Heartbeat/Watchdog Patch against openssh-2.5.2p2. http://www.ecip.tohoku.ac.jp/~hgot/sources/openssh-watchdog.html Both MindTerm and PuTTY worked well with the watchdog timer which this patch adds to sshd. CHANGES -------- openssh-2.5.2p2-watchdog.patch2 :
* Watchdog timeout for SSH2 connections is now supported.
* The option name "HeartbeatInterval" has been shortened to "Heartbeat", since the former was too long.
* Fixed the child termination process on watchdog timeout so that the forked sshd dies immediately after its child has died.
-------- Hideaki Goto From markus.friedl at informatik.uni-erlangen.de Sat Apr 14 21:03:29 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 14 Apr 2001 13:03:29 +0200 Subject: Problem with latest OpenSSH - 2.5.2p2 In-Reply-To: <20010413163723.B5478@quipu.half.pint-stowp.cx>; from jmknoble@jmknoble.cx on Fri, Apr 13, 2001 at 04:37:23PM -0400 References: <20010412151637.A26262@ws01.aet.tu-cottbus.de> <20010413163723.B5478@quipu.half.pint-stowp.cx> Message-ID: <20010414130329.C22524@folly> On Fri, Apr 13, 2001 at 04:37:23PM -0400, Jim Knoble wrote: > Wouldn't it make more sense to simply return from > client_process_input() on EAGAIN? yes, this is what i prefer. > > : if (len <= 0) { > : /* > : * Received EOF or error. They are treated > > -- > jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/ > (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491) From roth+openssh at feep.net Sun Apr 15 07:52:34 2001
From: roth+openssh at feep.net (Mark D. Roth) Date: Sat, 14 Apr 2001 16:52:34 -0500 Subject: PAM Service Name Patch In-Reply-To: <20010222105515.A6457@yorktown.isdn.uiuc.edu>; from roth+openssh@feep.net on Thu, Feb 22, 2001 at 10:55:15AM -0600 References: <20010222105515.A6457@yorktown.isdn.uiuc.edu> Message-ID: <20010414165234.A18691@yorktown.isdn.uiuc.edu> On Thu Feb 22 10:55 2001 -0600, Mark D. Roth wrote: > I've attached a patch relative to OpenSSH 2.5.1p1 which sets the > default PAM service name to __progname instead of the hard-coded value > "sshd". This allows you to have multiple invocations of sshd under > different names, each with its own PAM configuration. I just noticed that this patch is still not in the current CVS tree. Did it just get overlooked, or is there some problem with it? Thanks for the info! -- Mark D. Roth http://www.feep.net/~roth/ From roth+openssh at feep.net Sun Apr 15 08:04:07 2001
From: roth+openssh at feep.net (Mark D. Roth) Date: Sat, 14 Apr 2001 17:04:07 -0500 Subject: OpenSSH 2.5.2p2 and askass (fwd) In-Reply-To: <20010411184945.A23379@folly>; from markus.friedl@informatik.uni-erlangen.de on Wed, Apr 11, 2001 at 06:49:46PM +0200 References: <20010411184945.A23379@folly> Message-ID: <20010414170407.A18724@yorktown.isdn.uiuc.edu> On Wed Apr 11 18:49 2001 +0200, Markus Friedl wrote: > On Wed, Apr 11, 2001 at 10:05:46AM -0400, Bruce H. McIntosh wrote: > > I've been from one end of the source to the other and it doesn't seem that > > OpenSSH 2.5.2p2 will *EVER* use ssh-askpass (or any variation thereof). > > ssh-add uses ssh-askpass, see ssh-add(1) There are still times when it's useful to have this functionality in ssh itself. The most common example I run into is when using ChallengeResponseAuthentication and launching ssh from a window manager menu button. I submitted a patch back in December to add ssh-askpass support to ssh. What's the status of this? If it would help expedite, I can update the patch for the current CVS snapshot. Please let me know about this. Thanks! -- Mark D. Roth http://www.feep.net/~roth/ From roth+openssh at feep.net Sun Apr 15 08:46:58 2001 
From: roth+openssh at feep.net (Mark D. Roth) Date: Sat, 14 Apr 2001 17:46:58 -0500 Subject: PAM under AIX Message-ID: <20010414174658.A18918@yorktown.isdn.uiuc.edu> I apologize in advance for this slightly-off-topic message, but I thought it would be of interest to those running OpenSSH under AIX... Earlier today, I submitted a patch to the Linux-PAM folks to port the library to AIX. The patch includes a pam_aix module to provide backward compatibility to the traditional AIX authentication methods. My main impetus for doing this is that I don't want to continue maintaining my version of the TIS authentication patch for OpenSSH. I've already written a pam_authsrv module which provides TIS authentication to any PAM-aware application. This solved the problem under Solaris, Linux, and HP-UX, but I couldn't ditch the custom patch until I could use the same PAM module under AIX. Now that I can, I have no further need for the custom OpenSSH patch. Both the patch for building Linux-PAM under AIX and the pam_authsrv module are available from: http://www-dev.cso.uiuc.edu/authsrv/ Feedback is welcome on all of this code. Thanks! -- Mark D. Roth http://www.feep.net/~roth/ From markus.friedl at informatik.uni-erlangen.de Sun Apr 15 18:05:20 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sun, 15 Apr 2001 10:05:20 +0200 Subject: OpenSSH 2.5.2p2 and askass (fwd) In-Reply-To: <20010414170407.A18724@yorktown.isdn.uiuc.edu>; from roth+openssh@feep.net on Sat, Apr 14, 2001 at 05:04:07PM -0500 References: <20010411184945.A23379@folly> <20010414170407.A18724@yorktown.isdn.uiuc.edu> Message-ID: <20010415100520.A18181@folly> On Sat, Apr 14, 2001 at 05:04:07PM -0500, Mark D. Roth wrote: > On Wed Apr 11 18:49 2001 +0200, Markus Friedl wrote: > > On Wed, Apr 11, 2001 at 10:05:46AM -0400, Bruce H. McIntosh wrote: > > > I've been from one end of the source to the other and it doesn't seem that > > > OpenSSH 2.5.2p2 will *EVER* use ssh-askpass (or any variation thereof). > > > > ssh-add uses ssh-askpass, see ssh-add(1) > > There are still times when it's useful to have this functionality in > ssh itself. The most common example I run into is when using > ChallengeResponseAuthentication and launching ssh from a window > manager menu button. > > I submitted a patch back in December to add ssh-askpass support to > ssh. What's the status of this? If it would help expedite, I can > update the patch for the current CVS snapshot. the patch will be delayed for openssh-3.1 From szh at 7ka.mipt.ru Mon Apr 16 00:30:23 2001 
From: szh at 7ka.mipt.ru (Zhitomirsky Sergey) Date: Sun, 15 Apr 2001 18:30:23 +0400 Subject: lacking user@host feature in sshd Message-ID: <01041518302300.05485@kharkov.7ka.mipt.ru> Hi There is a feature ssh-1.2.xx possesses, but openssh still doesn't have, namely in sshd_config in the options AllowUsers and DenyUsers: in ssh-1.2.xx it is possible to specify user@host.net, so specifying which users from which hosts are allowed to login; openssh (it seems) treats the whole "user@host.net" as a username, so it is impossible to Allow/Deny specific users from specific hosts using password authentication. Maybe someone will add this? P.S. I'm not subscribed to your list, please Cc: me in reply. Best regards, Sergey. From roth+openssh at feep.net Mon Apr 16 01:56:41 2001
From: roth+openssh at feep.net (Mark D. Roth) Date: Sun, 15 Apr 2001 10:56:41 -0500 Subject: man pages screwed In-Reply-To: ; from mouring@etoh.eviladmin.org on Tue, Feb 20, 2001 at 02:53:25PM -0600 References: <20010220143829.A3547@yorktown.isdn.uiuc.edu> Message-ID: <20010415105640.A25030@yorktown.isdn.uiuc.edu> On Tue Feb 20 14:53 2001 -0600, mouring at etoh.eviladmin.org wrote: > I'll make sure it stays on my list. If you have a first run at > configure.in patch feel free to post it. I've finally gotten a chance to work on this. The attached patch replaces the current --with-catman option with this new option: --with-mantype=man|cat|doc Set man page type Selecting "man" will automatically run the pages through mdoc2man.pl, selecting "cat" will install the preformatted pages, and selecting "doc" will install the BSD-style pages without modification. fixpaths still gets run no matter what you select. The default is "doc" on most BSD systems, and "man" everywhere else. The patch is relative to openssh-2.5.2p2. If there are problems applying it to the current CVS snapshot, please let me know and I'll take a look at it. Please let me know what you think. -- Mark D. Roth http://www.feep.net/~roth/ -------------- next part -------------- diff -urN openssh-2.5.2p2/Makefile.in openssh-2.5.2p2-work/Makefile.in --- openssh-2.5.2p2/Makefile.in Tue Mar 20 20:12:12 2001 +++ openssh-2.5.2p2-work/Makefile.in Sun Apr 15 10:46:55 2001 @@ -6,7 +6,6 @@ sbindir=@sbindir@ libexecdir=@libexecdir@ mandir=@mandir@ -mansubdir=@mansubdir@ sysconfdir=@sysconfdir@ piddir=@piddir@ srcdir=@srcdir@ 
@@ -50,9 +49,8 @@ SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o dh.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o -TROFFMAN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 -CATMAN = scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh-keyscan.0 ssh.0 sshd.0 sftp-server.0 sftp.0 -MANPAGES = @MANTYPE@ +MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out +MANTYPE = @MANTYPE@ CONFIGFILES=sshd_config ssh_config primes @@ -73,9 +71,7 @@ FIXPATHSCMD = $(PERL) $(srcdir)/fixpaths $(PATHSUBS) -all: $(CONFIGFILES) $(TARGETS) - -manpages: $(MANPAGES) +all: $(CONFIGFILES) $(TARGETS) $(MANPAGES) $(LIBSSH_OBJS): config.h $(SSHOBJS): config.h @@ -123,8 +119,20 @@ logintest: logintest.o $(LIBCOMPAT) libssh.a log.o loginrec.o $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh log.o $(LIBS) -$(MANPAGES) $(CONFIGFILES):: - $(FIXPATHSCMD) $(srcdir)/$@ +$(MANPAGES): %.out: % + if test "$(MANTYPE)" = "cat"; then \ + manpage=`echo $< | sed 's/\.[1-9]$$/\.0/'`; \ + else \ + manpage=$<; \ + fi; \ + if test "$(MANTYPE)" = "man"; then \ + $(FIXPATHSCMD) $(srcdir)/$${manpage} | $(PERL) $(srcdir)/contrib/mdoc2man.pl > $@; \ + else \ + $(FIXPATHSCMD) $(srcdir)/$${manpage} > $@; \ + fi + +$(CONFIGFILES):: + $(FIXPATHSCMD) $(srcdir)/$@ > $@.out clean: (cd openbsd-compat; $(MAKE) clean) 
@@ -151,14 +159,12 @@ distprep: catman-do autoreconf -install: manpages $(TARGETS) install-files host-key +install: $(TARGETS) install-files host-key install-files: $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir) $(srcdir)/mkinstalldirs $(DESTDIR)$(sbindir) $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir) - $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1 - $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8 $(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir) $(INSTALL) -m $(SSH_MODE) -s ssh $(DESTDIR)$(bindir)/ssh $(INSTALL) -m 0755 -s scp $(DESTDIR)$(bindir)/scp 
@@ -169,15 +175,22 @@ $(INSTALL) -m 0755 -s sshd $(DESTDIR)$(sbindir)/sshd @NO_SFTP@$(INSTALL) -m 0755 -s sftp $(DESTDIR)$(bindir)/sftp @NO_SFTP@$(INSTALL) -m 0755 -s sftp-server $(DESTDIR)$(SFTP_SERVER) - $(INSTALL) -m 644 ssh.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 - $(INSTALL) -m 644 scp.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 - $(INSTALL) -m 644 ssh-add.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 - $(INSTALL) -m 644 ssh-agent.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1 - $(INSTALL) -m 644 ssh-keygen.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 - $(INSTALL) -m 644 ssh-keyscan.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 - $(INSTALL) -m 644 sshd.[08].out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 - @NO_SFTP@$(INSTALL) -m 644 sftp.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 - @NO_SFTP@$(INSTALL) -m 644 sftp-server.[08].out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 + if test "$(MANTYPE)" = "doc"; then \ + mansubdir="man"; \ + else \ + mansubdir="$(MANTYPE)"; \ + fi; \ + $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$${mansubdir}1; \ + $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$${mansubdir}8; \ + $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$${mansubdir}1/ssh.1; \ + $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$${mansubdir}1/scp.1; \ + $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$${mansubdir}1/ssh-add.1; \ + $(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$${mansubdir}1/ssh-agent.1; \ + $(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$${mansubdir}1/ssh-keygen.1; \ + $(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$${mansubdir}1/ssh-keyscan.1; \ + $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$${mansubdir}8/sshd.8; \ + @NO_SFTP@$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$${mansubdir}1/sftp.1; \ + @NO_SFTP@$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$${mansubdir}8/sftp-server.8; -rm -f $(DESTDIR)$(bindir)/slogin ln -s ssh$(EXEEXT) 
$(DESTDIR)$(bindir)/slogin -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 diff -urN openssh-2.5.2p2/configure.in openssh-2.5.2p2-work/configure.in --- openssh-2.5.2p2/configure.in Sun Mar 18 17:09:28 2001 +++ openssh-2.5.2p2-work/configure.in Sun Apr 15 09:52:42 2001 @@ -58,12 +58,8 @@ fi AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)]) AC_DEFINE(BROKEN_GETADDRINFO) - MANTYPE='$(CATMAN)' - mansubdir=cat dnl AIX handles lastlog as part of its login message AC_DEFINE(DISABLE_LASTLOG) - MANTYPE='$(CATMAN)' - mansubdir=cat ;; *-*-cygwin*) LIBS="$LIBS -lregex /usr/lib/textmode.o" @@ -75,9 +71,11 @@ AC_DEFINE(NO_X11_UNIX_SOCKETS) no_libsocket=1 no_libnsl=1 + MANTYPE=doc ;; *-*-dgux*) AC_DEFINE(IP_TOS_IS_BROKEN) + MANTYPE=doc ;; *-*-hpux10*) if test -z "$GCC"; then @@ -90,8 +88,6 @@ AC_DEFINE(DISABLE_UTMP) AC_DEFINE(SPT_TYPE,SPT_PSTAT) LIBS="$LIBS -lsec" - MANTYPE='$(CATMAN)' - mansubdir=cat ;; *-*-hpux11*) CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE" @@ -102,14 +98,11 @@ AC_DEFINE(DISABLE_UTMP) AC_DEFINE(SPT_TYPE,SPT_PSTAT) LIBS="$LIBS -lsec" - MANTYPE='$(CATMAN)' - mansubdir=cat ;; *-*-irix5*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS" PATH="$PATH:/usr/etc" - MANTYPE='$(CATMAN)' no_libsocket=1 no_libnsl=1 AC_DEFINE(BROKEN_INET_NTOA) @@ -118,7 +111,6 @@ CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS" PATH="$PATH:/usr/etc" - MANTYPE='$(CATMAN)' AC_DEFINE(WITH_IRIX_ARRAY) AC_DEFINE(WITH_IRIX_PROJECT) AC_DEFINE(WITH_IRIX_AUDIT) @@ -126,7 +118,6 @@ no_libsocket=1 no_libnsl=1 AC_DEFINE(BROKEN_INET_NTOA) - mansubdir=man ;; *-*-linux*) no_dev_ptmx=1 @@ -134,6 +125,7 @@ AC_DEFINE(DONT_TRY_OTHER_AF) AC_DEFINE(PAM_TTY_KLUDGE) inet6_default_4in6=yes + MANTYPE=doc ;; mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(HAVE_NEWS4) 
@@ -141,12 +133,15 @@ AC_CHECK_LIB(iberty, xatexit, AC_DEFINE(HAVE_XATEXIT), AC_MSG_ERROR([*** libiberty missing - please install first or check config.log ***]) ) + MANTYPE=doc ;; *-*-netbsd*) need_dash_r=1 + MANTYPE=doc ;; *-*-freebsd*) check_for_libcrypt_later=1 + MANTYPE=doc ;; *-next-*) conf_lastlog_location="/usr/adm/lastlog" @@ -159,6 +154,7 @@ AC_DEFINE(BROKEN_SAVED_UIDS) CPPFLAGS="$CPPFLAGS -I/usr/local/include" CFLAGS="$CFLAGS" + MANTYPE=doc ;; *-*-solaris*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" @@ -186,56 +182,42 @@ conf_wtmp_location=/var/adm/wtmp conf_lastlog_location=/var/adm/lastlog AC_DEFINE(USE_PIPES) - MANTYPE='$(CATMAN)' - mansubdir=cat ;; *-ncr-sysv*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" - MANTYPE='$(CATMAN)' - mansubdir=cat LIBS="$LIBS -lc89 -lnsl -lgen -lsocket" ;; *-sni-sysv*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib -L/usr/ucblib" - MANTYPE='$(CATMAN)' IPADDR_IN_DISPLAY=yes AC_DEFINE(USE_PIPES) AC_DEFINE(IP_TOS_IS_BROKEN) AC_DEFINE(HAVE_BOGUS_SYS_QUEUE_H) - mansubdir=cat LIBS="$LIBS -lgen -lnsl -lucb" ;; *-*-sysv4.2*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" - MANTYPE='$(CATMAN)' - mansubdir=cat enable_suid_ssh=no AC_DEFINE(USE_PIPES) ;; *-*-sysv5*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" - MANTYPE='$(CATMAN)' - mansubdir=cat enable_suid_ssh=no AC_DEFINE(USE_PIPES) ;; *-*-sysv*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" - MANTYPE='$(CATMAN)' - mansubdir=cat LIBS="$LIBS -lgen -lsocket" ;; *-*-sco3.2v4*) CPPFLAGS="$CPPFLAGS -Dftruncate=chsize -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" - MANTYPE='$(CATMAN)' LIBS="$LIBS -lgen -lsocket -los -lprot -lx -ltinfo -lm" - mansubdir=cat rsh_path="/usr/bin/rcmd" RANLIB=true no_dev_ptmx=1 
@@ -251,8 +233,6 @@ CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" LIBS="$LIBS -lprot -lx -ltinfo -lm" - MANTYPE='$(CATMAN)' - mansubdir=cat no_dev_ptmx=1 rsh_path="/usr/bin/rcmd" AC_DEFINE(USE_PIPES) @@ -1399,23 +1379,23 @@ AC_ARG_WITH(catman, - [ --with-catman=man|cat Install preformatted manpages[no]], + [ --with-mantype=man|cat|doc Set man page type], [ - MANTYPE='$(CATMAN)' - if test x"$withval" != x"yes" ; then - mansubdir=$withval - else - mansubdir=cat - fi + case "$withval" in + man|cat|doc) + MANTYPE=$withval + ;; + *) + AC_MSG_ERROR(invalid man type: $withval) + ;; + esac ], [ if test -z "$MANTYPE" ; then - MANTYPE='$(TROFFMAN)' - mansubdir=man + MANTYPE=man fi ] ) AC_SUBST(MANTYPE) -AC_SUBST(mansubdir) # Check whether to enable MD5 passwords MD5_MSG="no" @@ -1870,11 +1850,6 @@ # Print summary of options -if test x$MANTYPE = x'$(CATMAN)' ; then - MAN_MSG=cat -else - MAN_MSG=man -fi if test ! -z "$RANDOM_POOL" ; then RAND_MSG="Device ($RANDOM_POOL)" else @@ -1894,7 +1869,7 @@ C=`eval echo ${sbindir}` ; C=`eval echo ${C}` D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}` E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}` -F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}` +F=`eval echo ${mandir}` ; F=`eval echo ${F}` G=`eval echo ${piddir}` ; G=`eval echo ${G}` H=`eval echo ${user_path}` ; H=`eval echo ${H}` @@ -1908,7 +1883,7 @@ echo " PID file: $G" echo " sshd default user PATH: $H" echo " Random number collection: $RAND_MSG" -echo " Manpage format: $MAN_MSG" +echo " Manpage format: $MANTYPE" echo " PAM support: ${PAM_MSG}" echo " KerberosIV support: $KRB4_MSG" echo " AFS support: $AFS_MSG" diff -urN openssh-2.5.2p2/contrib/mdoc2man.pl openssh-2.5.2p2-work/contrib/mdoc2man.pl --- openssh-2.5.2p2/contrib/mdoc2man.pl Thu Feb 22 00:20:10 2001 +++ openssh-2.5.2p2-work/contrib/mdoc2man.pl Sun Apr 15 09:35:01 2001 
@@ -1,6 +1,6 @@ #!/usr/bin/perl ### -### Quick usage: mdoc2man.pl < mdoc_manpage.8 > doc_manpage.8 +### Quick usage: mdoc2man.pl < mdoc_manpage.8 > man_manpage.8 ### ### ### Copyright (c) 2001 University of Illinois Board of Trustees diff -urN openssh-2.5.2p2/fixpaths openssh-2.5.2p2-work/fixpaths --- openssh-2.5.2p2/fixpaths Tue Nov 7 19:07:51 2000 +++ openssh-2.5.2p2-work/fixpaths Sun Apr 15 10:17:11 2001 @@ -3,21 +3,17 @@ # fixpaths - substitute makefile variables into text files -$usage = "Usage: $0 [-x] [-Dstring=replacement] [[infile] ...]\n"; - -$ext="out"; +$usage = "Usage: $0 [-Dstring=replacement] [[infile] ...]\n"; if (!defined(@ARGV)) { die ("$usage"); } # read in the command line and get some definitions while ($_=$ARGV[0], /^-/) { - if (/^-[Dx]/) { + if (/^-D/) { # definition shift(@ARGV); if ( /-D(.*)=(.*)/ ) { $def{"$1"}=$2; - } elsif ( /-x\s*(\w+)/ ) { - $ext=$1; } else { die ("$usage$0: error in command line arguments.\n"); } @@ -34,15 +30,13 @@ for $f (@ARGV) { $f =~ /(.*\/)*(.*)$/; - $of = $2.".$ext"; open(IN, "<$f") || die ("$0: input file $f missing!\n"); - open(OUT, ">$of") || die ("$0: cannot create output file $of: $!\n"); while () { for $s (keys(%def)) { s#$s#$def{$s}#; } # for $s - print OUT; + print; } # while } # for $f From djm at mindrot.org Mon Apr 16 10:42:36 2001 
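Review bot: the first Makefile.in hunk (`@@ -6,7 +6,6 @@`) drops `mansubdir=@mansubdir@`, but the untouched line `-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1` near the end of install-files still expands `$(mansubdir)`, which is now empty, so the stale slogin.1 is looked for under `$(mandir)/1/` and never removed. Compute the subdirectory in make from `$(MANTYPE)` rather than only inside the shell `if` of the install recipe, and use it on that line as well.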
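Review bot: in the `@@ -123,8 +119,20 @@` hunk, `$(MANPAGES): %.out: %` is a GNU make static pattern rule, and `$<` in an explicit rule is likewise a GNU extension; the vendor makes on the AIX, HP-UX, Solaris, IRIX and SCO targets that this same patch edits in configure.in will not accept it. The `... | $(PERL) $(srcdir)/contrib/mdoc2man.pl > $@` pipeline also leaves a truncated `$@` behind when fixpaths fails, because the shell reports only the last command's status, and the next make run then treats the page as up to date. Write to `$@.tmp` and `mv` it into place once the pipeline succeeds, and spell the rules out per page (or generate them from configure) if non-GNU make has to keep working.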
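Review bot: in the install-files hunk (`@@ -169,15 +175,22 @@`) the final added line `@NO_SFTP@$(INSTALL) -m 644 sftp-server.8.out ...; \` still ends in a backslash, so make joins the following unchanged line `-rm -f $(DESTDIR)$(bindir)/slogin` onto the same shell command; there the leading `-` is no longer make's ignore-errors prefix but part of a command name `-rm`, which the shell cannot find, and `make install` fails. When `@NO_SFTP@` expands to a comment character the outcome is the same, since a shell comment ends at the newline and swallows the continuation. Drop the trailing `; \` from the last line and keep the two `@NO_SFTP@` installs as separate recipe lines outside the `if` block.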
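Review bot: the configure.in hunk at `@@ -1399,23 +1379,23 @@` changes only the help string to `--with-mantype=man|cat|doc`, while the macro is still `AC_ARG_WITH(catman, ...)`, so configure acts only on `--with-catman=...`; `--with-mantype=doc` is accepted silently and the per-platform default wins. Rename the first argument to `mantype`, and optionally keep `catman` as a deprecated alias that maps to `MANTYPE=cat`.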
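Review bot: the fixpaths hunk removes the `-x` option and switches from writing `FILE.out` to writing stdout, but the usage string and the header comment still describe only the `-D` substitution, and any remaining caller that passes `-x` will now die with the usage message. Say in the comment that output goes to stdout, and grep the tree for other fixpaths invocations before committing.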
From: djm at mindrot.org (Damien Miller) Date: Mon, 16 Apr 2001 10:42:36 +1000 (EST) Subject: man pages screwed In-Reply-To: <20010415105640.A25030@yorktown.isdn.uiuc.edu> Message-ID: On Sun, 15 Apr 2001, Mark D. Roth wrote: > On Tue Feb 20 14:53 2001 -0600, mouring at etoh.eviladmin.org wrote: > > I'll make sure it stays on my list. If you have a first run at > > configure.in patch feel free to post it. > > I've finally gotten a chance to work on this. The attached patch > replaces the current --with-catman option with this new option: > > --with-mantype=man|cat|doc Set man page type Excellent - thanks heaps! I have committed this, could people please test CVS head to make sure it gets your manpages right now? -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From djm at mindrot.org Mon Apr 16 11:15:36 2001 From: djm at mindrot.org (Damien Miller) Date: Mon, 16 Apr 2001 11:15:36 +1000 (EST) Subject: Problem with getnameinfo in Tru64 v5.1 In-Reply-To: <308864176.20010406114134@peterstar.com> Message-ID: On Fri, 6 Apr 2001, Stanislav S. Anokhin wrote: > Hello, > > When I ./configure && make on my Tru64 v5.1 machine, sshd could not > start with diagnostic "Cannot bind any address.". The problem was in > getnameinfo, which doesn't return an error if you don't set the address family > before calling it. Patch included. Does Tru64 5.1 provide its own getaddrinfo and getnameinfo functions or is it using the ones provided in openbsd-compat? -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From mouring at etoh.eviladmin.org Mon Apr 16 11:39:10 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Sun, 15 Apr 2001 20:39:10 -0500 (CDT) Subject: man pages screwed In-Reply-To: <20010415105640.A25030@yorktown.isdn.uiuc.edu> Message-ID: Nice... Thanks. - Ben On Sun, 15 Apr 2001, Mark D. Roth wrote: > On Tue Feb 20 14:53 2001 -0600, mouring at etoh.eviladmin.org wrote: > > I'll make sure it stays on my list. If you have a first run at > > configure.in patch feel free to post it. > > I've finally gotten a chance to work on this. The attached patch > replaces the current --with-catman option with this new option: > > --with-mantype=man|cat|doc Set man page type > > Selecting "man" will automatically run the pages through mdoc2man.pl, > selecting "cat" will install the preformatted pages, and selecting > "doc" will install the BSD-style pages without modification. fixpaths > still gets run no matter what you select. The default is "doc" on > most BSD systems, and "man" everywhere else. > > The patch is relative to openssh-2.5.2p2. If there are problems > applying it to the current CVS snapshot, please let me know and I'll > take a look at it. > > Please let me know what you think. > > -- > Mark D. Roth > http://www.feep.net/~roth/ >
From jmknoble at jmknoble.cx Mon Apr 16 16:44:45 2001
From: jmknoble at jmknoble.cx (Jim Knoble) Date: Mon, 16 Apr 2001 02:44:45 -0400 Subject: man pages screwed In-Reply-To: <20010415105640.A25030@yorktown.isdn.uiuc.edu>; from roth+openssh@feep.net on Sun, Apr 15, 2001 at 10:56:41AM -0500 References: <20010220143829.A3547@yorktown.isdn.uiuc.edu> <20010415105640.A25030@yorktown.isdn.uiuc.edu> Message-ID: <20010416024445.H5478@quipu.half.pint-stowp.cx> Circa 2001-Apr-15 10:56:41 -0500 dixit Mark D. Roth: : I've finally gotten a chance to work on this. The attached patch : replaces the current --with-catman option with this new option: : : --with-mantype=man|cat|doc Set man page type : : Selecting "man" will automatically run the pages through mdoc2man.pl, : selecting "cat" will install the preformatted pages, and selecting : "doc" will install the BSD-style pages without modification. fixpaths : still gets run no matter what you select. The default is "doc" on : most BSD systems, and "man" everywhere else. Hmm ... wouldn't it be better to actually detect whether the -mdoc macros were available rather than defaulting to -man for non-BSD systems? Most releases of GNU groff have pretty good -mdoc macros and can handle the OpenSSH man pages with no problem. I think pages formatted with -mdoc look better and are easier to read than those formatted with -man (no reflection on you or on mdoc2man.pl, Mark). Perhaps it's just me who thinks that? Anyway, it should be relatively easy to detect what format to use: AC_PATH_PROG(NROFF, nroff) if test -z "${NROFF}"; then MANTYPE=cat elif ${NROFF} -mdoc ssh.1 >/dev/null 2>&1; then MANTYPE=doc elif ${NROFF} -man ssh.1 >/dev/null 2>&1; then MANTYPE=man else MANTYPE=cat fi Anyone know of any systems with a really broken nroff that won't work with that? It seems like the best solution to me. 
-- jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/ (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
-------------- next part --------------
A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 249 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010416/86a4c27f/attachment.bin
From bhm at ufl.edu Mon Apr 16 22:52:01 2001
From: bhm at ufl.edu (Bruce H. McIntosh) Date: Mon, 16 Apr 2001 08:52:01 -0400 (EDT) Subject: OpenSSH 2.5.2p2 and askass (fwd) In-Reply-To: <20010414170407.A18724@yorktown.isdn.uiuc.edu> Message-ID:

On Sat, 14 Apr 2001, Mark D. Roth wrote:

> On Wed Apr 11 18:49 2001 +0200, Markus Friedl wrote:
> > On Wed, Apr 11, 2001 at 10:05:46AM -0400, Bruce H. McIntosh wrote:
> > > I've been from one end of the source to the other and it doesn't seem that
> > > OpenSSH 2.5.2p2 will *EVER* use ssh-askpass (or any variation thereof).
> >
> > ssh-add uses ssh-askpass, see ssh-add(1)
>
> There are still times when it's useful to have this functionality in
> ssh itself. The most common example I run into is when using
> ChallengeResponseAuthentication and launching ssh from a window
> manager menu button.

That's precisely the functionality I'm looking for. I'm back to using ssh-1.2.27 to get it. I'd be very keen to see this capability back into ssh itself, maybe along with a toggle in the config files to turn it on and off?

-- ---------------------------------------------------------------------- Bruce H. McIntosh brucem at nersp.nerdc.ufl.edu Senior Engineer http://nersp.nerdc.ufl.edu/~brucem UF/Northeast Regional Data Center 352-392-2061
From roth+openssh at feep.net Mon Apr 16 23:48:41 2001
From: roth+openssh at feep.net (Mark D. Roth) Date: Mon, 16 Apr 2001 08:48:41 -0500 Subject: man pages screwed In-Reply-To: ; from djm@mindrot.org on Mon, Apr 16, 2001 at 10:42:36AM +1000 References: <20010415105640.A25030@yorktown.isdn.uiuc.edu> Message-ID: <20010416084841.A25973@yorktown.isdn.uiuc.edu> On Mon Apr 16 10:42 2001 +1000, Damien Miller wrote: > Excellent - thanks heaps! I have committed this, could people please > test CVS head to make sure it gets your manpages right now? I just discovered a few autoconf and Makefile bugs in my original patch. Please back it out and apply the attached patch instead. Sorry for the screw-up. That's what I get for trying to get stuff done on the weekend. ;/ -- Mark D. Roth http://www.feep.net/~roth/ -------------- next part -------------- diff -urN openssh-2.5.2p2/Makefile.in openssh-2.5.2p2-mantype/Makefile.in --- openssh-2.5.2p2/Makefile.in Tue Mar 20 20:12:12 2001 +++ openssh-2.5.2p2-mantype/Makefile.in Sun Apr 15 14:19:33 2001 @@ -50,9 +50,8 @@ SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o dh.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o -TROFFMAN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 -CATMAN = scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh-keyscan.0 ssh.0 sshd.0 sftp-server.0 sftp.0 -MANPAGES = @MANTYPE@ +MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out +MANTYPE = @MANTYPE@ CONFIGFILES=sshd_config ssh_config primes @@ -73,9 +72,7 @@ FIXPATHSCMD = $(PERL) $(srcdir)/fixpaths $(PATHSUBS) -all: $(CONFIGFILES) $(TARGETS) - -manpages: $(MANPAGES) +all: $(CONFIGFILES) $(TARGETS) $(MANPAGES) $(LIBSSH_OBJS): config.h $(SSHOBJS): config.h 
@@ -123,8 +120,20 @@ logintest: logintest.o $(LIBCOMPAT) libssh.a log.o loginrec.o $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh log.o $(LIBS) -$(MANPAGES) $(CONFIGFILES):: - $(FIXPATHSCMD) $(srcdir)/$@ +$(MANPAGES): %.out: % + if test "$(MANTYPE)" = "cat"; then \ + manpage=`echo $< | sed 's/\.[1-9]$$/\.0/'`; \ + else \ + manpage=$<; \ + fi; \ + if test "$(MANTYPE)" = "man"; then \ + $(FIXPATHSCMD) $${manpage} | $(PERL) $(srcdir)/contrib/mdoc2man.pl > $@; \ + else \ + $(FIXPATHSCMD) $${manpage} > $@; \ + fi + +$(CONFIGFILES):: + $(FIXPATHSCMD) $(srcdir)/$@ > $@.out clean: (cd openbsd-compat; $(MAKE) clean) @@ -151,7 +160,7 @@ distprep: catman-do autoreconf -install: manpages $(TARGETS) install-files host-key +install: $(TARGETS) install-files host-key install-files: $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir) 
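Review bot: in the Makefile.in @@ -123,8 hunk, `$(MANPAGES): %.out: %` is a GNU make static pattern rule; the vendor make on the Solaris, HP-UX, IRIX and SysV targets this same patch touches in configure.in will not accept it, so the build breaks there before any page is generated. Either spell out the nine per-page rules (the old `.[01].out` style did this implicitly) or state in the install notes that GNU make is now required. Two smaller points in the same hunk: with MANTYPE=cat the `sed 's/\.[1-9]$$/\.0/'` substitution selects `ssh.0` etc., which only exist after `distprep: catman-do` has run, so a CVS checkout configured with the cat type fails on a missing prerequisite; and the `$(CONFIGFILES)::` recipe writes `$@.out` while the target is still `$@`, so make never sees the file it produced and re-runs the rule on every invocation (name the target `sshd_config.out` and make `$(srcdir)/sshd_config` its prerequisite).

Review bot: in the Makefile.in @@ -151,7 hunk, `install:` loses its `manpages` prerequisite and nothing replaces it, and `install-files` has no prerequisites of its own, so `make install` run without a preceding `make all` stops at `$(INSTALL) -m 644 ssh.1.out ...` with a missing file. Suggest `install: $(TARGETS) $(MANPAGES) install-files host-key`.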
@@ -169,15 +178,15 @@ $(INSTALL) -m 0755 -s sshd $(DESTDIR)$(sbindir)/sshd @NO_SFTP@$(INSTALL) -m 0755 -s sftp $(DESTDIR)$(bindir)/sftp @NO_SFTP@$(INSTALL) -m 0755 -s sftp-server $(DESTDIR)$(SFTP_SERVER) - $(INSTALL) -m 644 ssh.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 - $(INSTALL) -m 644 scp.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 - $(INSTALL) -m 644 ssh-add.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 - $(INSTALL) -m 644 ssh-agent.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1 - $(INSTALL) -m 644 ssh-keygen.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 - $(INSTALL) -m 644 ssh-keyscan.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 - $(INSTALL) -m 644 sshd.[08].out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 - @NO_SFTP@$(INSTALL) -m 644 sftp.[01].out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 - @NO_SFTP@$(INSTALL) -m 644 sftp-server.[08].out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 + $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 + $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 + $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 + $(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1 + $(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 + $(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 + $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 + @NO_SFTP@$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 + @NO_SFTP@$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 -rm -f $(DESTDIR)$(bindir)/slogin ln -s ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 diff -urN openssh-2.5.2p2/configure.in openssh-2.5.2p2-mantype/configure.in --- openssh-2.5.2p2/configure.in Sun Mar 18 17:09:28 2001 +++ openssh-2.5.2p2-mantype/configure.in Sun Apr 15 14:21:04 2001 
@@ -58,12 +58,8 @@ fi AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)]) AC_DEFINE(BROKEN_GETADDRINFO) - MANTYPE='$(CATMAN)' - mansubdir=cat dnl AIX handles lastlog as part of its login message AC_DEFINE(DISABLE_LASTLOG) - MANTYPE='$(CATMAN)' - mansubdir=cat ;; *-*-cygwin*) LIBS="$LIBS -lregex /usr/lib/textmode.o" @@ -75,9 +71,11 @@ AC_DEFINE(NO_X11_UNIX_SOCKETS) no_libsocket=1 no_libnsl=1 + MANTYPE=doc ;; *-*-dgux*) AC_DEFINE(IP_TOS_IS_BROKEN) + MANTYPE=doc ;; *-*-hpux10*) if test -z "$GCC"; then @@ -90,8 +88,6 @@ AC_DEFINE(DISABLE_UTMP) AC_DEFINE(SPT_TYPE,SPT_PSTAT) LIBS="$LIBS -lsec" - MANTYPE='$(CATMAN)' - mansubdir=cat ;; *-*-hpux11*) CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE" @@ -102,14 +98,11 @@ AC_DEFINE(DISABLE_UTMP) AC_DEFINE(SPT_TYPE,SPT_PSTAT) LIBS="$LIBS -lsec" - MANTYPE='$(CATMAN)' - mansubdir=cat ;; *-*-irix5*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS" PATH="$PATH:/usr/etc" - MANTYPE='$(CATMAN)' no_libsocket=1 no_libnsl=1 AC_DEFINE(BROKEN_INET_NTOA) @@ -118,7 +111,6 @@ CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS" PATH="$PATH:/usr/etc" - MANTYPE='$(CATMAN)' AC_DEFINE(WITH_IRIX_ARRAY) AC_DEFINE(WITH_IRIX_PROJECT) AC_DEFINE(WITH_IRIX_AUDIT) @@ -126,7 +118,6 @@ no_libsocket=1 no_libnsl=1 AC_DEFINE(BROKEN_INET_NTOA) - mansubdir=man ;; *-*-linux*) no_dev_ptmx=1 @@ -134,6 +125,7 @@ AC_DEFINE(DONT_TRY_OTHER_AF) AC_DEFINE(PAM_TTY_KLUDGE) inet6_default_4in6=yes + MANTYPE=doc ;; mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(HAVE_NEWS4) @@ -141,12 +133,15 @@ AC_CHECK_LIB(iberty, xatexit, AC_DEFINE(HAVE_XATEXIT), AC_MSG_ERROR([*** libiberty missing - please install first or check config.log ***]) ) + MANTYPE=doc ;; *-*-netbsd*) need_dash_r=1 + MANTYPE=doc ;; *-*-freebsd*) check_for_libcrypt_later=1 + MANTYPE=doc ;; *-next-*) conf_lastlog_location="/usr/adm/lastlog" 
@@ -159,6 +154,7 @@ AC_DEFINE(BROKEN_SAVED_UIDS) CPPFLAGS="$CPPFLAGS -I/usr/local/include" CFLAGS="$CFLAGS" + MANTYPE=doc ;; *-*-solaris*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" @@ -186,56 +182,42 @@ conf_wtmp_location=/var/adm/wtmp conf_lastlog_location=/var/adm/lastlog AC_DEFINE(USE_PIPES) - MANTYPE='$(CATMAN)' - mansubdir=cat ;; *-ncr-sysv*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" - MANTYPE='$(CATMAN)' - mansubdir=cat LIBS="$LIBS -lc89 -lnsl -lgen -lsocket" ;; *-sni-sysv*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib -L/usr/ucblib" - MANTYPE='$(CATMAN)' IPADDR_IN_DISPLAY=yes AC_DEFINE(USE_PIPES) AC_DEFINE(IP_TOS_IS_BROKEN) AC_DEFINE(HAVE_BOGUS_SYS_QUEUE_H) - mansubdir=cat LIBS="$LIBS -lgen -lnsl -lucb" ;; *-*-sysv4.2*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" - MANTYPE='$(CATMAN)' - mansubdir=cat enable_suid_ssh=no AC_DEFINE(USE_PIPES) ;; *-*-sysv5*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" - MANTYPE='$(CATMAN)' - mansubdir=cat enable_suid_ssh=no AC_DEFINE(USE_PIPES) ;; *-*-sysv*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" - MANTYPE='$(CATMAN)' - mansubdir=cat LIBS="$LIBS -lgen -lsocket" ;; *-*-sco3.2v4*) CPPFLAGS="$CPPFLAGS -Dftruncate=chsize -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" - MANTYPE='$(CATMAN)' LIBS="$LIBS -lgen -lsocket -los -lprot -lx -ltinfo -lm" - mansubdir=cat rsh_path="/usr/bin/rcmd" RANLIB=true no_dev_ptmx=1 @@ -251,8 +233,6 @@ CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" LIBS="$LIBS -lprot -lx -ltinfo -lm" - MANTYPE='$(CATMAN)' - mansubdir=cat no_dev_ptmx=1 rsh_path="/usr/bin/rcmd" AC_DEFINE(USE_PIPES) 
@@ -1399,22 +1379,28 @@ AC_ARG_WITH(catman, - [ --with-catman=man|cat Install preformatted manpages[no]], + [ --with-mantype=man|cat|doc Set man page type], [ - MANTYPE='$(CATMAN)' - if test x"$withval" != x"yes" ; then - mansubdir=$withval - else - mansubdir=cat - fi + case "$withval" in + man|cat|doc) + MANTYPE=$withval + ;; + *) + AC_MSG_ERROR(invalid man type: $withval) + ;; + esac ], [ if test -z "$MANTYPE" ; then - MANTYPE='$(TROFFMAN)' - mansubdir=man + MANTYPE=man fi ] ) AC_SUBST(MANTYPE) +if test "$MANTYPE" = "doc"; then + mansubdir=man; +else + mansubdir=$MANTYPE; +fi AC_SUBST(mansubdir) # Check whether to enable MD5 passwords @@ -1870,11 +1856,6 @@ # Print summary of options -if test x$MANTYPE = x'$(CATMAN)' ; then - MAN_MSG=cat -else - MAN_MSG=man -fi if test ! -z "$RANDOM_POOL" ; then RAND_MSG="Device ($RANDOM_POOL)" else @@ -1908,7 +1889,7 @@ echo " PID file: $G" echo " sshd default user PATH: $H" echo " Random number collection: $RAND_MSG" -echo " Manpage format: $MAN_MSG" +echo " Manpage format: $MANTYPE" echo " PAM support: ${PAM_MSG}" echo " KerberosIV support: $KRB4_MSG" echo " AFS support: $AFS_MSG" diff -urN openssh-2.5.2p2/contrib/mdoc2man.pl openssh-2.5.2p2-mantype/contrib/mdoc2man.pl --- openssh-2.5.2p2/contrib/mdoc2man.pl Thu Feb 22 00:20:10 2001 +++ openssh-2.5.2p2-mantype/contrib/mdoc2man.pl Sun Apr 15 14:14:53 2001 @@ -1,6 +1,6 @@ #!/usr/bin/perl ### -### Quick usage: mdoc2man.pl < mdoc_manpage.8 > doc_manpage.8 +### Quick usage: mdoc2man.pl < mdoc_manpage.8 > man_manpage.8 ### ### ### Copyright (c) 2001 University of Illinois Board of Trustees diff -urN openssh-2.5.2p2/fixpaths openssh-2.5.2p2-mantype/fixpaths --- openssh-2.5.2p2/fixpaths Tue Nov 7 19:07:51 2000 +++ openssh-2.5.2p2-mantype/fixpaths Sun Apr 15 14:14:53 2001 
@@ -3,21 +3,17 @@ # fixpaths - substitute makefile variables into text files -$usage = "Usage: $0 [-x] [-Dstring=replacement] [[infile] ...]\n"; - -$ext="out"; +$usage = "Usage: $0 [-Dstring=replacement] [[infile] ...]\n"; if (!defined(@ARGV)) { die ("$usage"); } # read in the command line and get some definitions while ($_=$ARGV[0], /^-/) { - if (/^-[Dx]/) { + if (/^-D/) { # definition shift(@ARGV); if ( /-D(.*)=(.*)/ ) { $def{"$1"}=$2; - } elsif ( /-x\s*(\w+)/ ) { - $ext=$1; } else { die ("$usage$0: error in command line arguments.\n"); } @@ -34,15 +30,13 @@ for $f (@ARGV) { $f =~ /(.*\/)*(.*)$/; - $of = $2.".$ext"; open(IN, "<$f") || die ("$0: input file $f missing!\n"); - open(OUT, ">$of") || die ("$0: cannot create output file $of: $!\n"); while () { for $s (keys(%def)) { s#$s#$def{$s}#; } # for $s - print OUT; + print; } # while } # for $f From roth+openssh at feep.net Tue Apr 17 00:02:52 2001 
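Review bot: in the configure.in @@ -1399,22 hunk the option is renamed only in the help text: the macro is still `AC_ARG_WITH(catman, ...)`, so configure acts on `--with-catman=doc`, whereas `--with-mantype=doc` (what the help string advertises) is accepted as an unrecognised --with flag, sets `with_mantype`, and never reaches the `case "$withval"` statement, leaving MANTYPE at its default. Change the first argument to `mantype`. The `AC_MSG_ERROR(invalid man type: $withval)` branch is welcome; the trailing semicolons on `mansubdir=man;` and `mansubdir=$MANTYPE;` are harmless but unusual for configure.in.

Review bot: in the fixpaths @@ -34,15 hunk the output now goes to stdout and the Makefile captures it with `> $@`, so when `open(IN, "<$f")` dies on a missing or unreadable source page the shell has already truncated `ssh.1.out` to zero bytes, and the next `make` treats that empty page as up to date and installs it. Have the recipe write to `$@.tmp` and `mv` it into place on success, or `rm -f $@` on failure. Note also that `s#$s#$def{$s}#` treats each key as a regex and substitutes only the first occurrence per line, which is fine for the paths it is used with but worth a comment.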
From: roth+openssh at feep.net (Mark D. Roth) Date: Mon, 16 Apr 2001 09:02:52 -0500 Subject: man pages screwed In-Reply-To: <20010416024445.H5478@quipu.half.pint-stowp.cx>; from jmknoble@jmknoble.cx on Mon, Apr 16, 2001 at 02:44:45AM -0400 References: <20010220143829.A3547@yorktown.isdn.uiuc.edu> <20010415105640.A25030@yorktown.isdn.uiuc.edu> <20010416024445.H5478@quipu.half.pint-stowp.cx> Message-ID: <20010416090252.B25973@yorktown.isdn.uiuc.edu> On Mon Apr 16 02:44 2001 -0400, Jim Knoble wrote: > Hmm ... wouldn't it be better to actually detect whether the -mdoc > macros were available rather than defaulting to -man for non-BSD > systems? Most releases of GNU groff have pretty good -mdoc macros and I thought of this as well, but I wasn't sure how portable it was to some of the more esoteric systems which I don't have access to. There's also the problem of avoiding mis-detection; even if groff is installed, the man command on many systems will only invoke the vendor version. In general, I do prefer manual testing to hard-coded assumptions when it comes to autoconf. However, the OpenSSH configure.in already has a lot of hard-coded assumptions for many platforms, so that battle has already been lost. Also, I wasn't too worried about the wrong choice being made, since the --with-mantype option allows the user to manually force the desired behavior. Anyway, if you'd like to take a stab at this nroff test, please feel free to do so. If it can be done in a reliable way, I'm all for it. > can handle the OpenSSH man pages with no problem. I think pages > formatted with -mdoc look better and are easier to read than those > formatted with -man (no reflection on you or on mdoc2man.pl, Mark). Heh, no problem. It happens that I also like -mdoc pages better, since the format lends itself to translation to HTML and other formats much more easily. Unfortunately, -man is more portable. -- Mark D. 
Roth http://www.feep.net/~roth/ From roth+openssh at feep.net Tue Apr 17 00:06:32 2001 From: roth+openssh at feep.net (Mark D. Roth) Date: Mon, 16 Apr 2001 09:06:32 -0500 Subject: OpenSSH 2.5.2p2 and askass (fwd) In-Reply-To: ; from bhm@ufl.edu on Mon, Apr 16, 2001 at 08:52:01AM -0400 References: <20010414170407.A18724@yorktown.isdn.uiuc.edu> Message-ID: <20010416090632.A26009@yorktown.isdn.uiuc.edu> On Mon Apr 16 08:52 2001 -0400, Bruce H. McIntosh wrote: > On Sat, 14 Apr 2001, Mark D. Roth wrote: > > There are still times when it's useful to have this functionality in > > ssh itself. The most common example I run into is when using > > ChallengeResponseAuthentication and launching ssh from a window > > manager menu button. > > That's precisely the functionality I'm looking for. I'm back to using > ssh-1.2.27 to get it. I'd be very keen to see this capability back into > ssh itself, maybe along with an toggle in the config files to turn it on > and off? I've attached a patch for openssh-2.5.2p2 which adds support for ssh-askpass to ssh. Looks like it will be a little while before it makes its way into the main code base, but feel free to use this patch in the interim. Please let me know if you have any questions or problems. -- Mark D. Roth http://www.feep.net/~roth/ -------------- next part -------------- diff -urN openssh-2.5.2p2/readpass.c openssh-2.5.2p2-askpass/readpass.c --- openssh-2.5.2p2/readpass.c Thu Feb 8 20:11:24 2001 +++ openssh-2.5.2p2-askpass/readpass.c Sun Apr 15 13:56:27 2001 
@@ -37,6 +37,52 @@ #include "xmalloc.h" #include "cli.h" #include "readpass.h" +#include "ssh.h" +#include "pathnames.h" + + +static char * +ssh_askpass(char *askpass, char *msg) +{ + pid_t pid; + size_t len; + char *nl, *pass; + int p[2], status; + char buf[1024]; + + if (askpass == NULL) + fatal("internal error: askpass undefined"); + if (pipe(p) < 0) + fatal("ssh_askpass: pipe: %s", strerror(errno)); + if ((pid = fork()) < 0) + fatal("ssh_askpass: fork: %s", strerror(errno)); + if (pid == 0) { + close(p[0]); + if (dup2(p[1], STDOUT_FILENO) < 0) + fatal("ssh_askpass: dup2: %s", strerror(errno)); + if (geteuid() == 0 && setuid(getuid()) == -1) + fatal("ssh_askpass: setuid: %s", strerror(errno)); + execlp(askpass, askpass, msg, (char *) 0); + fatal("ssh_askpass: exec(%s): %s", askpass, strerror(errno)); + } + close(p[1]); + buf[0] = '\0'; + atomicio(read, p[0], buf, sizeof buf); + len = strlen(buf); + close(p[0]); + while (waitpid(pid, &status, 0) < 0) + if (errno != EINTR) + break; + if (len <= 1) + return xstrdup(""); + nl = strchr(buf, '\n'); + if (nl) + *nl = '\0'; + pass = xstrdup(buf); + memset(buf, 0, sizeof(buf)); + return pass; +} + /* * Reads a passphrase from /dev/tty with echo turned off. Returns the @@ -51,5 +97,27 @@ char * read_passphrase(const char *prompt, int from_stdin) { + char *askpass = NULL; + int use_askpass = 0, ttyfd; + + if (from_stdin) { + if (!isatty(STDIN_FILENO)) + use_askpass = 1; + } else { + ttyfd = open("/dev/tty", O_RDWR); + if (ttyfd >= 0) + close(ttyfd); + else + use_askpass = 1; + } + + if (use_askpass && getenv("DISPLAY")) { + if (getenv(SSH_ASKPASS_ENV)) + askpass = getenv(SSH_ASKPASS_ENV); + else + askpass = _PATH_SSH_ASKPASS_DEFAULT; + return ssh_askpass(askpass, prompt); + } + return cli_read_passphrase(prompt, from_stdin, 0); } diff -urN openssh-2.5.2p2/ssh-add.c openssh-2.5.2p2-askpass/ssh-add.c --- openssh-2.5.2p2/ssh-add.c Mon Mar 12 22:57:59 2001 +++ openssh-2.5.2p2-askpass/ssh-add.c Sun Apr 15 13:53:13 2001 
@@ -95,54 +95,14 @@ fprintf(stderr, "Failed to remove all identities.\n"); } -char * -ssh_askpass(char *askpass, char *msg) -{ - pid_t pid; - size_t len; - char *nl, *pass; - int p[2], status; - char buf[1024]; - - if (fflush(stdout) != 0) - error("ssh_askpass: fflush: %s", strerror(errno)); - if (askpass == NULL) - fatal("internal error: askpass undefined"); - if (pipe(p) < 0) - fatal("ssh_askpass: pipe: %s", strerror(errno)); - if ((pid = fork()) < 0) - fatal("ssh_askpass: fork: %s", strerror(errno)); - if (pid == 0) { - close(p[0]); - if (dup2(p[1], STDOUT_FILENO) < 0) - fatal("ssh_askpass: dup2: %s", strerror(errno)); - execlp(askpass, askpass, msg, (char *) 0); - fatal("ssh_askpass: exec(%s): %s", askpass, strerror(errno)); - } - close(p[1]); - len = read(p[0], buf, sizeof buf); - close(p[0]); - while (waitpid(pid, &status, 0) < 0) - if (errno != EINTR) - break; - if (len <= 1) - return xstrdup(""); - nl = strchr(buf, '\n'); - if (nl) - *nl = '\0'; - pass = xstrdup(buf); - memset(buf, 0, sizeof(buf)); - return pass; -} - void add_file(AuthenticationConnection *ac, const char *filename) { struct stat st; Key *public; Key *private; - char *saved_comment, *comment, *askpass = NULL; - char buf[1024], msg[1024]; + char *saved_comment, *comment; + char msg[1024]; int success; int interactive = isatty(STDIN_FILENO); int type = KEY_RSA1; 
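Review bot: in the readpass.c @@ -37,6 hunk, `atomicio(read, p[0], buf, sizeof buf)` can fill all 1024 bytes, after which `strlen(buf)` and `strchr(buf, '\n')` run past the end of the buffer because nothing terminated it; read `sizeof buf - 1` bytes, take the length from atomicio's return value and set `buf[len] = '\0'`. Two more points in the same hunk: the `fflush(stdout)` that the ssh-add.c copy performed before `fork()` was not carried over, and ssh-add's `printf("Need passphrase for ...")` is still buffered at that moment; if the exec fails, the child's `fatal()` exit flushes that buffer into the pipe (its stdout is now `p[1]`) and the parent reads the prompt text back as the passphrase. The child should also `close(p[1])` once the `dup2` has succeeded. Dropping to `getuid()` before `execlp` of a user-supplied SSH_ASKPASS program is the right order for a setuid ssh.

Review bot: in the readpass.c @@ -51,5 hunk, when `use_askpass` is set but DISPLAY is not, control falls through to `cli_read_passphrase(prompt, from_stdin, 0)`: with `from_stdin` that reads the passphrase from whatever non-tty stdin is (a script's pipe), and otherwise it tries the /dev/tty that was just found unopenable. The ssh-add code this replaces returned before prompting in that situation (the `if (!interactive && askpass == NULL) return;` guard), so callers get a behaviour change. Consider failing explicitly when neither a tty nor a DISPLAY is available. `O_RDWR` also needs <fcntl.h>; check that includes.h already pulls it in.

Review bot: in the ssh-add.c @@ -95,54 hunk, `int interactive = isatty(STDIN_FILENO)` survives although the branches that consulted it are being removed; if nothing else in add_file() reads it, drop it to avoid an unused-variable warning. The `fflush(stdout)` removed here was the only one; keep a flush before the `fork()` wherever the helper ends up.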
@@ -163,31 +123,15 @@ } key_free(public); - if (!interactive && getenv("DISPLAY")) { - if (getenv(SSH_ASKPASS_ENV)) - askpass = getenv(SSH_ASKPASS_ENV); - else - askpass = _PATH_SSH_ASKPASS_DEFAULT; - } - /* At first, try empty passphrase */ private = key_new(type); success = load_private_key(filename, "", private, &comment); if (!success) { printf("Need passphrase for %.200s\n", filename); - if (!interactive && askpass == NULL) { - xfree(saved_comment); - return; - } - snprintf(msg, sizeof msg, "Enter passphrase for %.200s", saved_comment); + snprintf(msg, sizeof msg, "Enter passphrase for %.200s: ", saved_comment); for (;;) { char *pass; - if (interactive) { - snprintf(buf, sizeof buf, "%s: ", msg); - pass = read_passphrase(buf, 1); - } else { - pass = ssh_askpass(askpass, msg); - } + pass = read_passphrase(msg, 1); if (strcmp(pass, "") == 0) { xfree(pass); xfree(saved_comment); @@ -198,7 +142,7 @@ xfree(pass); if (success) break; - strlcpy(msg, "Bad passphrase, try again", sizeof msg); + strlcpy(msg, "Bad passphrase, try again: ", sizeof msg); } } xfree(comment); From provos at citi.umich.edu Tue Apr 17 00:29:26 2001 From: provos at citi.umich.edu (Niels Provos) Date: Mon, 16 Apr 2001 10:29:26 -0400 Subject: Problem with latest OpenSSH - 2.5.2p2 In-Reply-To: Jim Knoble, Fri, 13 Apr 2001 16:37:23 EDT Message-ID: <20010416142927.2705C207C3@citi.umich.edu> In message <20010413163723.B5478 at quipu.half.pint-stowp.cx>, Jim Knoble writes: >: diff -u -r1.61 clientloop.c >: --- clientloop.c 2001/04/08 11:27:33 1.61 >: +++ clientloop.c 2001/04/13 14:07:41 >: 
@@ -671,7 +671,9 @@ >: /* Read input from stdin. */ >: if (FD_ISSET(fileno(stdin), readset)) { >: /* Read as much as possible. */ >: - len = read(fileno(stdin), buf, sizeof(buf)); >: + do >: + len = read(fileno(stdin), buf, sizeof(buf)); >: + while (len == -1 && (errno == EINTR || errno == EAGAIN)); >Damien, is stdin set up for non-blocking I/O at this point? If it is, >then retrying the read() after EAGAIN is liable to cause ssh to >effectively block (by spinning in this loop) until there's some input >on stdin. If stdin isn't set up for non-blocking I/O, then why would >read() return EAGAIN? > >Wouldn't it make more sense to simply return from >client_process_input() on EAGAIN? Given that this is already in a select() loop, a return value of -1 with either EINTR or EAGAIN should cause the loop to continue and wait for the next select(). Calling read() again is certainly wrong. If you want that behaviour you should use atomicio(read, ...). Niels. From jmknoble at jmknoble.cx Tue Apr 17 01:36:48 2001 
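Niels's distinction above, as an added example that is neither OpenSSH code nor the clientloop.c patch Jim quoted: a read helper for a descriptor already sitting in a select()/poll() loop hands EAGAIN back to the caller instead of retrying, while an atomicio-style loop that does need every byte waits in poll() for readiness rather than spinning. The function names are this example's own, the direction for the all-bytes loop is an explicit argument, and the pipe the usage creates is constructed for the demonstration.

```c
/* Added example, not code from OpenSSH or from the patch quoted above.
 * read_once() is what a select()-driven loop wants; io_all() is what a
 * caller that needs the whole buffer wants. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum rd_status { RD_DATA, RD_EOF, RD_WOULDBLOCK, RD_ERROR };

/* One read attempt on a descriptor the caller is already multiplexing.
 * Only EINTR is retried here: EAGAIN/EWOULDBLOCK means "nothing yet", and
 * the right response is to return so the caller waits in select() again. */
enum rd_status read_once(int fd, void *buf, size_t n, ssize_t *got)
{
    ssize_t r;

    do {
        r = read(fd, buf, n);
    } while (r == -1 && errno == EINTR);

    if (r > 0) {
        *got = r;
        return RD_DATA;
    }
    *got = 0;
    if (r == 0)
        return RD_EOF;
    if (errno == EAGAIN
#ifdef EWOULDBLOCK
        || errno == EWOULDBLOCK
#endif
       )
        return RD_WOULDBLOCK;
    return RD_ERROR;
}

/* Move exactly n bytes, stopping early only at EOF or a real error. On a
 * non-blocking descriptor it sleeps in poll() until ready instead of calling
 * read()/write() again in a tight loop. The direction is an explicit flag,
 * never inferred from a function pointer. Returns bytes moved, or -1. */
ssize_t io_all(int fd, void *buf, size_t n, int writing)
{
    char *p = buf;
    size_t pos = 0;

    while (pos < n) {
        ssize_t r = writing ? write(fd, p + pos, n - pos)
                            : read(fd, p + pos, n - pos);
        if (r > 0) {
            pos += (size_t)r;
            continue;
        }
        if (r == 0)
            return (ssize_t)pos;        /* EOF: short, but not an error */
        if (errno == EINTR)
            continue;
        if (errno == EAGAIN
#ifdef EWOULDBLOCK
            || errno == EWOULDBLOCK
#endif
           ) {
            struct pollfd pfd;
            int pr;

            pfd.fd = fd;
            pfd.events = writing ? POLLOUT : POLLIN;
            do {
                pr = poll(&pfd, 1, -1);
            } while (pr == -1 && errno == EINTR);
            if (pr == -1)
                return -1;
            continue;               /* ready now: retry the transfer */
        }
        return -1;
    }
    return (ssize_t)pos;
}

/* Put a descriptor into non-blocking mode; returns 0 or -1. */
int set_nonblocking(int fd)
{
    int flags = fcntl(fd, F_GETFL, 0);

    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}
```

Calling `io_all` on stdin from inside the client's select loop would still be wrong for the reason Niels gives, since it blocks the whole loop until the bytes arrive; it belongs where the caller genuinely wants the full transfer before doing anything else.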
From: jmknoble at jmknoble.cx (Jim Knoble) Date: Mon, 16 Apr 2001 11:36:48 -0400 Subject: man pages screwed In-Reply-To: <20010416090252.B25973@yorktown.isdn.uiuc.edu>; from roth+openssh@feep.net on Mon, Apr 16, 2001 at 09:02:52AM -0500 References: <20010220143829.A3547@yorktown.isdn.uiuc.edu> <20010415105640.A25030@yorktown.isdn.uiuc.edu> <20010416024445.H5478@quipu.half.pint-stowp.cx> <20010416090252.B25973@yorktown.isdn.uiuc.edu> Message-ID: <20010416113648.S5478@quipu.half.pint-stowp.cx> Circa 2001-Apr-16 09:02:52 -0500 dixit Mark D. Roth: : On Mon Apr 16 02:44 2001 -0400, Jim Knoble wrote: : > Hmm ... wouldn't it be better to actually detect whether the -mdoc : > macros were available rather than defaulting to -man for non-BSD : > systems? Most releases of GNU groff have pretty good -mdoc macros and : : I thought of this as well, but I wasn't sure how portable it was to : some of the more esoteric systems which I don't have access to. : There's also the problem of avoiding mis-detection; even if groff is : installed, the man command on many systems will only invoke the vendor : version. True; see below. : In general, I do prefer manual testing to hard-coded assumptions when : it comes to autoconf. However, the OpenSSH configure.in already has a : lot of hard-coded assumptions for many platforms, so that battle has : already been lost. Also, I wasn't too worried about the wrong choice : being made, since the --with-mantype option allows the user to : manually force the desired behavior. True; but it doesn't make sense to me to translate -mdoc to -man by default on systems where there's a perfectly good tmac.mdoc. : Anyway, if you'd like to take a stab at this nroff test, please feel : free to do so. If it can be done in a reliable way, I'm all for it. 
Okay, here's what i've found from the range of systems i have access to:

    platform               man formatter    -mdoc works (status works)[*]
    --------               -------------    -----------------------------
    sparc-sun-solaris2.5:  /usr/bin/nroff   no  (yes)
    parisc-hp-hpux10.20:   /usr/bin/nroff   no  (yes)
    mips-sgi-irix6.2:      /usr/bin/awf[+]  no  (yes)
    rs6000-ibm-aix4.1.x:   /usr/bin/nroff   no  (yes)
    mips-dec-ultrix4.5:    /usr/bin/nroff   no  (yes)
    alpha-dec-osf3.2:      /usr/bin/nroff   no  (yes)
    i386-redhat-linux:     /usr/bin/nroff   yes (yes)
    ________
    [*] I.e., nroff returns non-zero if -mdoc doesn't work.
    [+] Yes, really.

Bearing in mind that i haven't looked at the *really* weird (SunOS-4.x, NeXTStep/OpenStep, SCO BrokenServer or UnixWare) or esoteric (DG/UX, CrayOS, Reliant, LynxOS, Darwin) platforms yet, nor have i checked Cygwin, it looks as if the following is a good first cut:

    # Allow user to set NROFF if desired.
    if [ -z "${NROFF}" ]; then
      for i in nroff awf; do
        if [ -x /usr/bin/${i} ]; then
          NROFF=/usr/bin/${i}
          break
        fi
      done
    fi
    if [ -z "${NROFF}" ]; then
      MANTYPE=cat
    elif ${NROFF} -mdoc ssh.1 >/dev/null 2>&1; then
      MANTYPE=doc
    elif ${NROFF} -man ssh.1 >/dev/null 2>&1; then
      MANTYPE=man
    else
      MANTYPE=cat
    fi

This isn't much different from what i proposed earlier, except that the system nroff (or, in the case of IRIX, awf) is used instead of the first nroff on the PATH, and the user can set NROFF in the environment if desired.

Ben, could you check whether this would work on {NeXT,Open}Step?

Corinna, what should Cygwin do regarding this (probably just ignore it)?

Anyone who has access to a non-listed platform (or a significantly later version of one that is listed), please let us know whether this would work there as well.

-- jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/ (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available Type: application/pgp-signature Size: 249 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010416/1ab42ff1/attachment.bin From mouring at etoh.eviladmin.org Tue Apr 17 03:03:34 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Mon, 16 Apr 2001 12:03:34 -0500 (CDT) Subject: man pages screwed In-Reply-To: <20010416113648.S5478@quipu.half.pint-stowp.cx> Message-ID:

> : Anyway, if you'd like to take a stab at this nroff test, please feel
> : free to do so. If it can be done in a reliable way, I'm all for it.
>
> Okay, here's what i've found from the range of systems i have access to:
>
>     platform               man formatter    -mdoc works (status works)[*]
>     --------               -------------    -----------------------------
>     sparc-sun-solaris2.5:  /usr/bin/nroff   no  (yes)
>     parisc-hp-hpux10.20:   /usr/bin/nroff   no  (yes)
>     mips-sgi-irix6.2:      /usr/bin/awf[+]  no  (yes)
>     rs6000-ibm-aix4.1.x:   /usr/bin/nroff   no  (yes)
>     mips-dec-ultrix4.5:    /usr/bin/nroff   no  (yes)
>     alpha-dec-osf3.2:      /usr/bin/nroff   no  (yes)
>     i386-redhat-linux:     /usr/bin/nroff   yes (yes)
>     ________
>     [*] I.e., nroff returns non-zero if -mdoc doesn't work.
>     [+] Yes, really.
>
> Bearing in mind that i haven't looked at the *really* weird (SunOS-4.x, NeXTStep/OpenStep, SCO BrokenServer or UnixWare) or esoteric (DG/UX, CrayOS, Reliant, LynxOS, Darwin) platforms yet, nor have i checked Cygwin, it looks as if the following is a good first cut:
>
>     # Allow user to set NROFF if desired.
>     if [ -z "${NROFF}" ]; then
>       for i in nroff awf; do
>         if [ -x /usr/bin/${i} ]; then
>           NROFF=/usr/bin/${i}
>           break
>         fi
>       done
>     fi
>     if [ -z "${NROFF}" ]; then
>       MANTYPE=cat
>     elif ${NROFF} -mdoc ssh.1 >/dev/null 2>&1; then
>       MANTYPE=doc
>     elif ${NROFF} -man ssh.1 >/dev/null 2>&1; then
>       MANTYPE=man
>     else
>       MANTYPE=cat
>     fi
>
> This isn't much different from what i proposed earlier, except that the system nroff (or, in the case of IRIX, awf) is used instead of the first nroff on the PATH, and the user can set NROFF in the environment if desired.
>
> Ben, could you check whether this would work on {NeXT,Open}Step?

nroff -mdoc returns '2' on {NeXT,Open}Step.
May I suggest wrapping the above code fragment in 'if [ -z "$MANTYPE" ]; then; ..; fi'. That way we can still have --with-mantype={..} and set it on a case-by-case basis for broken systems.

Mark, as for other hard-coded features: if there are places where it can be made more robust, feel free to let us know. A lot of configure.in/Makefile.in stuff appeared because it was the best solution at the time.

- Ben

From mouring at etoh.eviladmin.org Tue Apr 17 03:04:21 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Mon, 16 Apr 2001 12:04:21 -0500 (CDT) Subject: man pages screwed In-Reply-To: <20010416084841.A25973@yorktown.isdn.uiuc.edu> Message-ID:

On Mon, 16 Apr 2001, Mark D. Roth wrote:

> On Mon Apr 16 10:42 2001 +1000, Damien Miller wrote:
> > Excellent - thanks heaps! I have committed this, could people please
> > test CVS head to make sure it gets your manpages right now?
>
> I just discovered a few autoconf and Makefile bugs in my original
> patch. Please back it out and apply the attached patch instead.
>
> Sorry for the screw-up. That's what I get for trying to get stuff
> done on the weekend. ;/

I suggest we hold off for a day or two to assure we are not going to change this again. Then we can make a diff from the current CVS version.

- Ben

From gert at greenie.muc.de Tue Apr 17 03:14:56 2001
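The probe Jim sketched (exit status of the system formatter on `-mdoc` and `-man`), with the `[ -z "$MANTYPE" ]` wrapper Ben asks for, as an added example that is not the OpenSSH configure.in code: it renders a constructed one-section mdoc page and a constructed man page, and accepts a macro set only when the formatter both exits 0 and actually emits the NAME heading, which also covers Mark's mis-detection worry about a formatter that quietly swallows unknown macros. The function and file names are this example's own; the formatter path is whatever the caller supplies (/usr/bin/nroff, awf on IRIX, a groff install elsewhere).

```shell
#!/bin/sh
# Added example, not code from the OpenSSH configure.in discussed in this
# thread. Probe pages are constructed here; the formatter is an argument.

# write_probe_pages DIR: create a minimal mdoc page and a minimal man page.
write_probe_pages() {
    cat > "$1/probe.mdoc" <<'EOF'
.Dd April 16, 2001
.Dt PROBE 1
.Os
.Sh NAME
.Nm probe
.Nd constructed mdoc probe page
EOF
    cat > "$1/probe.man" <<'EOF'
.TH PROBE 1 "April 16, 2001"
.SH NAME
probe \- constructed man probe page
EOF
}

# probe_macro FORMATTER MACROSET PAGE: succeed only if the formatter exits 0
# and the rendered text contains the NAME heading. A vendor nroff that drops
# an unknown macro set can exit 0 with an empty render; checking the output
# catches that case as well as a non-zero status (2 on Unicos and NeXTStep).
probe_macro() {
    out=$("$1" "$2" "$3" 2>/dev/null) || return 1
    case "$out" in
        *NAME*) return 0 ;;
        *)      return 1 ;;
    esac
}

# detect_mantype FORMATTER DIR: print doc, man or cat.
#   doc  - formatter renders -mdoc, install the BSD pages unchanged
#   man  - only -man works, run the pages through mdoc2man.pl
#   cat  - no usable formatter, install the preformatted pages
detect_mantype() {
    if [ -n "${MANTYPE:-}" ]; then
        # An explicit --with-mantype or a per-platform override wins.
        printf '%s\n' "$MANTYPE"
    elif [ -z "$1" ]; then
        printf 'cat\n'
    elif probe_macro "$1" -mdoc "$2/probe.mdoc"; then
        printf 'doc\n'
    elif probe_macro "$1" -man "$2/probe.man"; then
        printf 'man\n'
    else
        printf 'cat\n'
    fi
}

# Stand-alone use: run with the formatter path as the sole argument.
if [ "${1:-}" != "" ]; then
    dir=$(mktemp -d) || exit 1
    write_probe_pages "$dir"
    detect_mantype "$1" "$dir"
    rm -rf "$dir"
fi
```

Invoked as a script with `/usr/bin/nroff` (or `/usr/bin/awf`) as its argument it prints one of `doc`, `man` or `cat`; inside configure the same functions would run after the per-platform case statement so that a hard-coded MANTYPE still takes precedence.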
From: gert at greenie.muc.de (Gert Doering) Date: Mon, 16 Apr 2001 19:14:56 +0200 Subject: man pages screwed In-Reply-To: <20010416113648.S5478@quipu.half.pint-stowp.cx>; from Jim Knoble on Mon, Apr 16, 2001 at 11:36:48AM -0400 References: <20010220143829.A3547@yorktown.isdn.uiuc.edu> <20010415105640.A25030@yorktown.isdn.uiuc.edu> <20010416024445.H5478@quipu.half.pint-stowp.cx> <20010416090252.B25973@yorktown.isdn.uiuc.edu> <20010416113648.S5478@quipu.half.pint-stowp.cx> Message-ID: <20010416191456.A20396@greenie.muc.de> Hi, On Mon, Apr 16, 2001 at 11:36:48AM -0400, Jim Knoble wrote: > Bearing in mind that i haven't looked at the *really* weird (SunOS-4.x, > NeXTStep/OpenStep, SCO BrokenServer or UnixWare) or esoteric (DG/UX, > CrayOS, Reliant, LynxOS, Darwin) platforms yet, nor have i checked > Cygwin, it looks as if the following is a good first cut: SCO 3 doesn't have nroff, so if it exists at all, it's awf or groff :-) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From wayne at blorf.net Tue Apr 17 03:15:44 2001 From: wayne at blorf.net (Wayne Davison) Date: Mon, 16 Apr 2001 10:15:44 -0700 (PDT) Subject: Problem with latest OpenSSH - 2.5.2p2 In-Reply-To: <20010416142927.2705C207C3@citi.umich.edu> Message-ID: On Mon, 16 Apr 2001, Niels Provos wrote: > Calling read() again is certainly wrong. If you want that behaviour > you should use atomicio(read, ...). It looks like atomicio() hard-loops on EAGAIN and EWOULDBLOCK. Shouldn't it have something like the following? ..wayne.. ---8<------8<------8<------8<---cut here--->8------>8------>8------>8--- Index: atomicio.c --- openssh-2.5.2p2/atomicio.c Sun Mar 4 22:59:27 2001 +++ ./atomicio.c Mon Apr 16 10:02:10 2001 
@@ -46,12 +46,27 @@ res = (f) (fd, s + pos, n - pos); switch (res) { case -1: + if (errno == EINTR) + continue; + if (errno == EAGAIN #ifdef EWOULDBLOCK - if (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK) -#else - if (errno == EINTR || errno == EAGAIN) + || errno == EWOULDBLOCK #endif + ) { + fd_set bits, *r, *w; + FD_ZERO(&bits); + FD_SET(fd, &bits); + if (f == read) + r = &bits, w = NULL; + else + r = NULL, w = &bits; + do { + res = select(fd+1, r, w, NULL, NULL); + } while (res == -1 && errno == EINTR); + if (res == -1) + return res; continue; + } case 0: return (res); default: ---8<------8<------8<------8<---cut here--->8------>8------>8------>8--- From wayne at blorf.net Tue Apr 17 03:32:33 2001 From: wayne at blorf.net (Wayne Davison) Date: Mon, 16 Apr 2001 10:32:33 -0700 (PDT) Subject: UseLogin portability Message-ID: Back on April 4th I sent a patch that makes UseLogin work on Solaris. This change also made UseLogin work with Unicos (both of which require a valid utmpx entry before /usr/bin/login will run). I have not heard back from any of the ssh developers about this issue, and the current snapshot doesn't appear to deal with this problem at all. So, is there some issue here we still need to deal with? Or was this change simply missed somehow? ..wayne.. From OomKoos1 at cs.com Tue Apr 17 04:02:01 2001 
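Review bot: in Wayne Davison's atomicio.c hunk above, `if (f == read)` decides the select() direction by comparing the function pointer with `read`, so any other reader handed to atomicio (a wrapper, or a platform where `read` resolves to a differently named symbol) is treated as a writer and waits for writability on a descriptor it is reading; on a pipe or socket that can block indefinitely. Pass the direction explicitly or wait on both sets. `FD_SET(fd, &bits)` is also undefined for fd >= FD_SETSIZE, and <sys/select.h> or <sys/time.h> is needed for fd_set and select(); poll() would sidestep both. The retry structure itself is right: EINTR restarts the call, EAGAIN/EWOULDBLOCK sleeps, and any other errno falls through to `return (res)` as before.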
From: OomKoos1 at cs.com (OomKoos1 at cs.com) Date: Mon, 16 Apr 2001 14:02:01 EDT Subject: openssh-2.3.0p1, Krb5 and rdist Message-ID: <48.14627605.280c8d99@cs.com> Krb5-authentication and Kerb5-TGT-passing is working well with openssh-2.3.0p1. Question: Is there a solution using rdist -P "/usr/local/bin/ssh" without the need for RhostRSAAuthentication, RSAAuthentication or using the Kerberos r-command set? The objective is to do away with ".rhosts/.shost" and private-key authentication when Kerberos authentication is already in place. Using the Kerberos r-command set leads to more work and maintenance on ACLs. Best Herman From wendyp at cray.com Tue Apr 17 04:25:01 2001 
From: wendyp at cray.com (Wendy Palm) Date: Mon, 16 Apr 2001 13:25:01 -0500 Subject: man pages screwed References: <20010220143829.A3547@yorktown.isdn.uiuc.edu> <20010415105640.A25030@yorktown.isdn.uiuc.edu> <20010416024445.H5478@quipu.half.pint-stowp.cx> <20010416090252.B25973@yorktown.isdn.uiuc.edu> <20010416113648.S5478@quipu.half.pint-stowp.cx> Message-ID: <3ADB38FD.3E8EE45E@cray.com> cray unicos /usr/bin/nroff returns a status "2". Jim Knoble wrote: > > Circa 2001-Apr-16 09:02:52 -0500 dixit Mark D. Roth: > > : On Mon Apr 16 02:44 2001 -0400, Jim Knoble wrote: > : > Hmm ... wouldn't it be better to actually detect whether the -mdoc > : > macros were available rather than defaulting to -man for non-BSD > : > systems? Most releases of GNU groff have pretty good -mdoc macros and > : > : I thought of this as well, but I wasn't sure how portable it was to > : some of the more esoteric systems which I don't have access to. > : There's also the problem of avoiding mis-detection; even if groff is > : installed, the man command on many systems will only invoke the vendor > : version. > > True; see below. > > : In general, I do prefer manual testing to hard-coded assumptions when > : it comes to autoconf. However, the OpenSSH configure.in already has a > : lot of hard-coded assumptions for many platforms, so that battle has > : already been lost. Also, I wasn't too worried about the wrong choice > : being made, since the --with-mantype option allows the user to > : manually force the desired behavior. > > True; but it doesn't make sense to me to translate -mdoc to -man by > default on systems where there's a perfectly good tmac.mdoc. > > : Anyway, if you'd like to take a stab at this nroff test, please feel > : free to do so. If it can be done in a reliable way, I'm all for it. 
>
> Okay, here's what i've found from the range of systems i have access to:
>
> platform                  man formatter      -mdoc works (status works)[*]
> --------                  -------------      ------------------------------
> sparc-sun-solaris2.5:     /usr/bin/nroff     no (yes)
> parisc-hp-hpux10.20:      /usr/bin/nroff     no (yes)
> mips-sgi-irix6.2:         /usr/bin/awf[+]    no (yes)
> rs6000-ibm-aix4.1.x:      /usr/bin/nroff     no (yes)
> mips-dec-ultrix4.5:       /usr/bin/nroff     no (yes)
> alpha-dec-osf3.2:         /usr/bin/nroff     no (yes)
> i386-redhat-linux:        /usr/bin/nroff     yes (yes)
> ________
> [*] I.e., nroff returns non-zero if -mdoc doesn't work.
> [+] Yes, really.
>
> Bearing in mind that i haven't looked at the *really* weird (SunOS-4.x,
> NeXTStep/OpenStep, SCO BrokenServer or UnixWare) or esoteric (DG/UX,
> CrayOS, Reliant, LynxOS, Darwin) platforms yet, nor have i checked
> Cygwin, it looks as if the following is a good first cut:
>
>   # Allow user to set NROFF if desired.
>   if [ -z "${NROFF}" ]; then
>     for i in nroff awf; do
>       if [ -x /usr/bin/${i} ]; then
>         NROFF=/usr/bin/${i}
>         break
>       fi
>     done
>   fi
>   if [ -z "${NROFF}" ]; then
>     MANTYPE=cat
>   elif ${NROFF} -mdoc ssh.1 >/dev/null 2>&1; then
>     MANTYPE=doc
>   elif ${NROFF} -man ssh.1 >/dev/null 2>&1; then
>     MANTYPE=man
>   else
>     MANTYPE=cat
>   fi
>
> This isn't much different from what i proposed earlier, except that the
> system nroff (or, in the case of IRIX, awf) is used instead of the
> first nroff on the PATH, and the user can set NROFF in the environment
> if desired.
>
> Ben, could you check whether this would work on {NeXT,Open}Step?
>
> Corinna, what should Cygwin do regarding this (probably just ignore it)?
>
> Anyone who has access to a non-listed platform (or a significantly
> later version of one that is listed), please let us know whether this
> would work there as well.
> > -- > jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/ > (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491) -- wendy palm Cray OS Sustaining Engineering, Cray Inc. wendyp at cray.com, 651-605-9154 From stevesk at sweden.hp.com Tue Apr 17 06:08:38 2001 From: stevesk at sweden.hp.com (Kevin Steves) Date: Mon, 16 Apr 2001 22:08:38 +0200 (METDST) Subject: PAM Service Name Patch In-Reply-To: <20010414165234.A18691@yorktown.isdn.uiuc.edu> Message-ID: On Sat, 14 Apr 2001, Mark D. Roth wrote: : > I've attached a patch relative to OpenSSH 2.5.1p1 which sets the : > default PAM service name to __progname instead of the hard-coded value : > "sshd". This allows you to have multiple invocations of sshd under : > different names, each with its own PAM configuration. : : I just noticed that this patch is still not in the current CVS tree. : Did it just get overlooked, or is there some problem with it? did we agree that there were no security issues with that patch? i think so, and i don't see any problem with it. From edgy at us.ibm.com Tue Apr 17 06:14:14 2001 
From: edgy at us.ibm.com (Edward Geraghty) Date: Mon, 16 Apr 2001 16:14:14 -0400 Subject: man pages screwed Message-ID: AIX v4.3 returns the correct error
$ /usr/bin/nroff -mdoc a
/usr/bin/nroff: 1004-010 Cannot find or open /usr/lib/tmac/tmac.doc
$ echo $?
130
$
EdGy From roth+openssh at feep.net Tue Apr 17 06:36:09 2001 From: roth+openssh at feep.net (Mark D. Roth) Date: Mon, 16 Apr 2001 15:36:09 -0500 Subject: PAM Service Name Patch In-Reply-To: ; from stevesk@sweden.hp.com on Mon, Apr 16, 2001 at 10:08:38PM +0200 References: <20010414165234.A18691@yorktown.isdn.uiuc.edu> Message-ID: <20010416153609.A26383@yorktown.isdn.uiuc.edu> On Mon Apr 16 22:08 2001 +0200, Kevin Steves wrote: > On Sat, 14 Apr 2001, Mark D. Roth wrote: > : > I've attached a patch relative to OpenSSH 2.5.1p1 which sets the > : > default PAM service name to __progname instead of the hard-coded value > : > "sshd". This allows you to have multiple invocations of sshd under > : > different names, each with its own PAM configuration. > : > : I just noticed that this patch is still not in the current CVS tree. > : Did it just get overlooked, or is there some problem with it? > > did we agree that there were no security issues with that patch? i > think so, and i don't see any problem with it. IIRC, no one identified any problems with it, so it should be good to go. -- Mark D. Roth http://www.feep.net/~roth/ From djm at mindrot.org Tue Apr 17 08:22:37 2001 
From: djm at mindrot.org (Damien Miller) Date: Tue, 17 Apr 2001 08:22:37 +1000 (EST) Subject: UseLogin portability In-Reply-To: Message-ID: On Mon, 16 Apr 2001, Wayne Davison wrote: > Back on April 4th I sent a patch that makes UseLogin work on Solaris. > This change also made UseLogin work with Unicos (both of which require > a valid utmpx entry before /usr/bin/login will run). I have not heard > back from any of the ssh developers about this issue, and the current > snapshot doesn't appear to deal with this problem at all. I am looking at the patch and trying to figure the best way to integrate it. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From jmknoble at jmknoble.cx Tue Apr 17 08:40:55 2001 
From: jmknoble at jmknoble.cx (Jim Knoble) Date: Mon, 16 Apr 2001 18:40:55 -0400 Subject: PAM Service Name Patch In-Reply-To: <20010416153609.A26383@yorktown.isdn.uiuc.edu>; from roth+openssh@feep.net on Mon, Apr 16, 2001 at 03:36:09PM -0500 References: <20010414165234.A18691@yorktown.isdn.uiuc.edu> <20010416153609.A26383@yorktown.isdn.uiuc.edu> Message-ID: <20010416184055.A2524@zax.half.pint-stowp.cx> Circa 2001-Apr-16 15:36:09 -0500 dixit Mark D. Roth: : On Mon Apr 16 22:08 2001 +0200, Kevin Steves wrote: : > On Sat, 14 Apr 2001, Mark D. Roth wrote: : > : > I've attached a patch relative to OpenSSH 2.5.1p1 which sets the : > : > default PAM service name to __progname instead of the hard-coded value : > : > "sshd". : > : > did we agree that there were no security issues with that patch? i : > think so, and i don't see any problem with it. : : IIRC, no one identified any problems with it, so it should be good to : go. If i recall, there were concerns voiced that a local user would be able to create a link to sshd using a different service name which would be handled by a more lenient PAM configlet (such as 'other'). I believe the response was that that didn't really matter, since local users would have to have privilege to begin with in order to run sshd such that they could take advantage of the link to gain privilege. Chicken-and-egg. Anyone else remember differently? -- jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/ (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491) From dbt at meat.net Tue Apr 17 08:48:58 2001 
From: dbt at meat.net (David Terrell) Date: Mon, 16 Apr 2001 15:48:58 -0700 Subject: PAM Service Name Patch In-Reply-To: <20010416184055.A2524@zax.half.pint-stowp.cx>; from jmknoble@jmknoble.cx on Mon, Apr 16, 2001 at 06:40:55PM -0400 References: <20010414165234.A18691@yorktown.isdn.uiuc.edu> <20010416153609.A26383@yorktown.isdn.uiuc.edu> <20010416184055.A2524@zax.half.pint-stowp.cx> Message-ID: <20010416154858.A13140@pianosa.catch22.org> On Mon, Apr 16, 2001 at 06:40:55PM -0400, Jim Knoble wrote: > If i recall, there were concerns voiced that a local user would be able > to create a link to sshd using a different service name which would be > handled by a more lenient PAM configlet (such as 'other'). > > I believe the response was that that didn't really matter, since local > users would have to have privilege to begin with in order to run sshd > such that they could take advantage of the link to gain privilege. > Chicken-and-egg. > > Anyone else remember differently? If a local user can make a hardlink and run sshd with some privilege, they can compile their own sshd with their own PAM config option and run it with some privilege. The only time this could possibly be an issue is if you're running something that's setuid (on the authenticating side, a setuid ssh client obviously makes no difference)... and anybody with a setuid sshd deserves all the trouble they get. -- David Terrell | "We must go forward, not backwards; upwards, Nebcorp Prime Minister | not forwards; and always twirling, twirling, dbt at meat.net | twirling towards freedom!" http://wwn.nebcorp.com/ | - The Simpsons From jbryans at csulb.edu Tue Apr 17 09:22:35 2001 
From: jbryans at csulb.edu (Jack Bryans) Date: Mon, 16 Apr 2001 16:22:35 -0700 Subject: man pages screwed In-Reply-To: References: <20010416113648.S5478@quipu.half.pint-stowp.cx> Message-ID: <15067.32443.263553.631114@swift.csulb.edu> mouring at etoh.eviladmin.org writes: > nroff -mdoc returns '2' on {NeXT,Open}Step. Depends if it's got the doc macros installed. System w/'em:
henson:/usr/local/man/man1 53$ if nroff -mdoc ssh.1 >/dev/null 2>&1; then echo true;fi
true
henson:/usr/local/man/man1 54$
System w/o 'em:
set:/usr/local/man/man1 53$ if nroff -mdoc ssh.1 >/dev/null 2>&1; then echo true;fi
set:/usr/local/man/man1 54$
So, the test in the script's OK for NeXT -- better than making an assumption based on OS. Jack From sxw at dcs.ed.ac.uk Tue Apr 17 20:24:32 2001 From: sxw at dcs.ed.ac.uk (Simon Wilkinson) Date: Tue, 17 Apr 2001 11:24:32 +0100 (BST) Subject: openssh-2.3.0p1, Krb5 and rdist In-Reply-To: OomKoos1@cs.com's message of Mon, 16 Apr 2001 14:02:01 EDT Message-ID: <200104171024.LAA09680@canna.dcs.ed.ac.uk> > Krb5-authentication and Kerb5-TGT-passing is working well with > openssh-2.3.0p1. > > Question: Is there a solution using rdist -P "/usr/local/bin/ssh" without the > need for RhostRSAAuthentication, RSAAuthentication or using the Kerberos > r-command set? If you've got Kerberos authentication correctly set up and the principal you're using maps to the local user you're accessing, this should just work. You'll need to kinit before running rdist, and after that you should not need to enter a password until your credentials expire. Cheers, Simon. From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed Apr 18 00:41:45 2001 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Tue, 17 Apr 2001 16:41:45 +0200 Subject: Latest CVS: small portability issues Message-ID: <20010417164145.A27633@serv01.aet.tu-cottbus.de> Hi! I just ran a test build of the latest CVS on HP-UX 10.20 and found two issues, both related to the new mdoc2man.pl support:
- In Makefile.in, line 122, the construction $(MANPAGES): %.out: % is used. HP's "make" command does not understand this syntax (gmake does).
- In configure, the first "perl" command in the PATH seems to be found. On HP-UX this is an ancient Perl-4, that cannot handle mdoc2man.pl. I would recommend to try to detect a "perl5" in PATH first and only then fall back to "perl" in the PATH.
Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From mouring at etoh.eviladmin.org Wed Apr 18 01:56:18 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Tue, 17 Apr 2001 10:56:18 -0500 (CDT) Subject: Latest CVS: small portability issues In-Reply-To: <20010417164145.A27633@serv01.aet.tu-cottbus.de> Message-ID: On Tue, 17 Apr 2001, Lutz Jaenicke wrote: > Hi! > > I just ran a test build of the latest CVS on HP-UX 10.20 and found two > issues, both related to the new mdoc2man.pl support: > - In Makefile.in, line 122, the construction > $(MANPAGES): %.out: % > is used. HP's "make" command does not understand this syntax (gmake does). This is part of the new rewrite to provide manpages in multiple formats. Do you have a non-gnu suggestion? I don't have an HP/UX near me. > - In configure, the first "perl" command in the PATH seems to be found. > On HP-UX this is an ancient Perl-4, that cannot handle mdoc2man.pl. > I would recommend to try to detect a "perl5" in PATH first and only then > fall back to "perl" in the PATH. > I'm uncomfortable with guessing at which is the perl we want. It's been over two years since perl4 has been abandoned. And I've not met very many correctly written perl applications that won't work in perl 5. Maybe someone in perl4 should look at making it perl5/perl4 compatible instead. - Ben From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed Apr 18 02:48:54 2001 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Tue, 17 Apr 2001 18:48:54 +0200 Subject: Latest CVS: small portability issues In-Reply-To: ; from mouring@etoh.eviladmin.org on Tue, Apr 17, 2001 at 10:56:18AM -0500 References: <20010417164145.A27633@serv01.aet.tu-cottbus.de> Message-ID: <20010417184854.A28647@serv01.aet.tu-cottbus.de> On Tue, Apr 17, 2001 at 10:56:18AM -0500, mouring at etoh.eviladmin.org wrote: > On Tue, 17 Apr 2001, Lutz Jaenicke wrote: > > I just ran a test build of the latest CVS on HP-UX 10.20 and found two > > issues, both related to the new mdoc2man.pl support: > > - In Makefile.in, line 122, the construction > > $(MANPAGES): %.out: % > > is used. HP's "make" command does not understand this syntax (gmake does). > > This is part of the new rewrite to provide manpages in multiple > formats. Do you have a non-gnu suggestion? I don't have an HP/UX near > me. "make" says: Make: Don't know how to make %.out:. Stop. So it seems that "%" is not supported at all. I have changed the construction to be similar to that of CONFIGFILES, patch is attached. > > - In configure, the first "perl" command in the PATH seems to be found. > > On HP-UX this is an ancient Perl-4, that cannot handle mdoc2man.pl. > > I would recommend to try to detect a "perl5" in PATH first and only then > > fall back to "perl" in the PATH. > > > > I'm uncomfortable with guessing at which is the perl we want. It's been > over two years since perl4 has been abandoned. And I've not met very many > correctly written perl applications that won't work in perl 5. > > Maybe someone in perl4 should look at making it perl5/perl4 compatible > instead. I don't have the slightest clue about perl, so I don't know what it takes to make the script Perl-4 compatible... I have checked out some packages that require Perl-5 and they typically use a construct like AC_CHECK_PROGS(PERL, perl5 perl) or AC_PATH_PROGS(PERL, perl5 perl) in configure.in. 
All of them work flawlessly for me (since perl5 is available as binary name for Perl-5). HP's Q4 debugger needs Perl-4 so it is still on the system (even though your comment on perl4 being abandoned applies). Of course, I can always specify PERL=... ./configure, in a certain sense I however anticipate what is going to happen on this and other mailing lists and newsgroups about 'I get a syntax error in mdoc2man.pl'. Of course, those systems _not_ needing mdoc2man.pl typically have perl5 installed and those, which need it by default come with perl4 (!?). Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 -------------- next part -------------- --- Makefile.in.orig Mon Apr 16 16:10:23 2001 +++ Makefile.in Tue Apr 17 18:39:50 2001 @@ -49,7 +49,7 @@ SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o -MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out +MANPAGES = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 MANTYPE = @MANTYPE@ CONFIGFILES=sshd_config ssh_config primes 
@@ -119,16 +119,16 @@ logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) -$(MANPAGES): %.out: % +$(MANPAGES):: if test "$(MANTYPE)" = "cat"; then \ - manpage=`echo $< | sed 's/\.[1-9]$$/\.0/'`; \ + manpage=`echo $@ | sed 's/\.[1-9]$$/\.0/'`; \ else \ - manpage=$<; \ + manpage=$@; \ fi; \ if test "$(MANTYPE)" = "man"; then \ - $(FIXPATHSCMD) $(srcdir)/$${manpage} | $(PERL) $(srcdir)/mdoc2man.pl > $@; \ + $(FIXPATHSCMD) $(srcdir)/$${manpage} | $(PERL) $(srcdir)/mdoc2man.pl > $@.out; \ else \ - $(FIXPATHSCMD) $(srcdir)/$${manpage} > $@; \ + $(FIXPATHSCMD) $(srcdir)/$${manpage} > $@.out; \ fi $(CONFIGFILES):: From mouring at etoh.eviladmin.org Wed Apr 18 03:45:24 2001 
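Review bot: with the targets renamed to the page names (`$(MANPAGES)::` now acting on scp.1, ssh.1, ...) while the recipe writes `$@.out`, make is never told that the .out file is what the rule produces; a double-colon rule with no prerequisites always runs, so every `make` re-converts all pages through mdoc2man.pl, and `make ssh.1.out` is no longer a valid target. Since the only thing HP's make rejects is the `%` pattern, consider keeping the .out names as targets with explicit per-page dependencies (`ssh.1.out: ssh.1` and so on), which every make understands and which keeps the freshness check working. The cat branch also now derives the .0 name from `$@`, so the .0 files must sit beside the .1 files in srcdir for that case.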
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Tue, 17 Apr 2001 12:45:24 -0500 (CDT) Subject: Latest CVS: small portability issues In-Reply-To: <20010417184854.A28647@serv01.aet.tu-cottbus.de> Message-ID: On Tue, 17 Apr 2001, Lutz Jaenicke wrote: > On Tue, Apr 17, 2001 at 10:56:18AM -0500, mouring at etoh.eviladmin.org wrote: > > On Tue, 17 Apr 2001, Lutz Jaenicke wrote: > > > I just ran a test build of the latest CVS on HP-UX 10.20 and found two > > > issues, both related to the new mdoc2man.pl support: > > > - In Makefile.in, line 122, the construction > > > $(MANPAGES): %.out: % > > > is used. HP's "make" command does not understand this syntax (gmake does). > > > > This is part of the new rewrite to provide manpages in multiple > > formats. Do you have a non-gnu suggestion? I don't have an HP/UX near > > me. > > "make" says: > Make: Don't know how to make %.out:. Stop. > So it seems that "%" is not supported at all. > I have changed the construction to be similar to that of CONFIGFILES, > patch is attached. > Hmm.. found a different bug.. but Yes.. I'll commit it. Thanks. > > > - In configure, the first "perl" command in the PATH seems to be found. > > > On HP-UX this is an ancient Perl-4, that cannot handle mdoc2man.pl. > > > I would recommend to try to detect a "perl5" in PATH first and only then > > > fall back to "perl" in the PATH. > > > > > > > I'm uncomfortable with guessing at which is the perl we want. It's been > > over two years since perl4 has been abandoned. And I've not met very many > > correctly written perl applications that won't work in perl 5. > > > > Maybe someone in perl4 should look at making it perl5/perl4 compatible > > instead. > > I don't have the slightest clue about perl, so I don't know what it takes > to make the script Perl-4 compatible... 
> I have checked out some packages that require Perl-5 and they typically use > a construct like > AC_CHECK_PROGS(PERL, perl5 perl) > or > AC_PATH_PROGS(PERL, perl5 perl) Ok.. I'll buy that. I was not thinking about AC_PATH_PROGS. I'll make this change also. Thanks. - Ben From markus.friedl at informatik.uni-erlangen.de Wed Apr 18 03:21:31 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 17 Apr 2001 19:21:31 +0200 Subject: Problem with latest OpenSSH - 2.5.2p2 In-Reply-To: ; from wayne@blorf.net on Mon, Apr 16, 2001 at 10:15:44AM -0700 References: <20010416142927.2705C207C3@citi.umich.edu> Message-ID: <20010417192131.A24242@folly> On Mon, Apr 16, 2001 at 10:15:44AM -0700, Wayne Davison wrote: > On Mon, 16 Apr 2001, Niels Provos wrote: > > Calling read() again is certainly wrong. If you want that behaviour > > you should use atomicio(read, ...). > > It looks like atomicio() hard-loops on EAGAIN and EWOULDBLOCK. > Shouldn't it have something like the following? no. just return on EAGAIN. From wayne at blorf.net Wed Apr 18 08:13:09 2001 
From: wayne at blorf.net (Wayne Davison) Date: Tue, 17 Apr 2001 15:13:09 -0700 (PDT) Subject: Problem with latest OpenSSH - 2.5.2p2 In-Reply-To: <20010417192131.A24242@folly> Message-ID: > On Mon, Apr 16, 2001 at 10:15:44AM -0700, Wayne Davison wrote: > > It looks like atomicio() hard-loops on EAGAIN and EWOULDBLOCK. > > Shouldn't it have something like the following? [...select code...] On Tue, 17 Apr 2001, Markus Friedl wrote: > no. just return on EAGAIN. Why do you say that? That's not what the callers of atomicio() are expecting. They're expecting the entire specified number of bytes to be read/written, and only a real error should stop it from completing this. If you are talking about the read() call that was being tweaked in client_process_input(), you're right that that doesn't need to loop on EAGAIN (nor does it expect to completely fill the specified read buffer size), and thus it would be wrong to make it use atomicio(). ..wayne.. From Markus.Friedl at informatik.uni-erlangen.de Wed Apr 18 18:23:17 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Wed, 18 Apr 2001 10:23:17 +0200 Subject: Problem with latest OpenSSH - 2.5.2p2 In-Reply-To: ; from wayne@blorf.net on Tue, Apr 17, 2001 at 03:13:09PM -0700 References: <20010417192131.A24242@folly> Message-ID: <20010418102317.B13405@faui02.informatik.uni-erlangen.de> On Tue, Apr 17, 2001 at 03:13:09PM -0700, Wayne Davison wrote: > > On Mon, Apr 16, 2001 at 10:15:44AM -0700, Wayne Davison wrote: > > > It looks like atomicio() hard-loops on EAGAIN and EWOULDBLOCK. > > > Shouldn't it have something like the following? [...select code...] > > On Tue, 17 Apr 2001, Markus Friedl wrote: > > no. just return on EAGAIN. > > Why do you say that? i'm talking about the bug, not about atomicio() From mouring at etoh.eviladmin.org Thu Apr 19 01:43:17 2001 
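Wayne's point above is that atomicio() callers expect the full byte count, while the read in client_process_input() does not. The following is an added example, not code from OpenSSH or from anyone in this thread: an atomicio-style helper in which both policies are explicit, which waits in poll() instead of spinning, and which takes the transfer direction as an argument rather than comparing function pointers. xfer_all(), vwrite() and the demo_* functions are our own names; the code assumes only POSIX pipes, fork() and poll().

```c
/* Added example, not OpenSSH code: an atomicio()-style transfer helper with
 * the two policies argued about above made explicit.  xfer_all(), vwrite()
 * and the demo_* functions are ours and assume only POSIX pipes and poll(). */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

typedef ssize_t (*io_fn)(int, void *, size_t);

/* WAIT_ON_EAGAIN: complete the whole transfer (what atomicio() callers
 * expect), parking in poll() while a non-blocking fd is not ready.
 * RETURN_ON_EAGAIN: hand EAGAIN back, right for a "read what is there" path. */
enum eagain_policy { WAIT_ON_EAGAIN, RETURN_ON_EAGAIN };

/* write(2) takes a const buffer; wrap it so it fits io_fn without a cast. */
static ssize_t vwrite(int fd, void *buf, size_t n) { return write(fd, buf, n); }

/* Move exactly n bytes through f.  Returns n on success, fewer on EOF or no
 * progress, -1 with errno set on a hard error (errno == EAGAIN when pol is
 * RETURN_ON_EAGAIN and nothing was moved yet).  want_in names the direction
 * to wait for; it is an explicit argument, not a comparison of f with read. */
static ssize_t
xfer_all(io_fn f, int fd, void *buf, size_t n, int want_in, enum eagain_policy pol)
{
    char *s = buf;
    size_t pos = 0;

    while (pos < n) {
        ssize_t res = f(fd, s + pos, n - pos);
        if (res == -1) {
            if (errno == EINTR) continue;           /* interrupted: retry */
            if (errno != EAGAIN && errno != EWOULDBLOCK)
                return -1;                          /* real error */
            if (pol == RETURN_ON_EAGAIN) {
                errno = EAGAIN;
                return pos > 0 ? (ssize_t)pos : -1;
            }
            /* Not ready: wait for readiness instead of spinning on the fd.
             * poll() has no FD_SETSIZE ceiling, unlike select(). */
            struct pollfd pfd = { .fd = fd, .events = want_in ? POLLIN : POLLOUT };
            int pr;
            do {
                pr = poll(&pfd, 1, -1);
            } while (pr == -1 && errno == EINTR);
            if (pr == -1) return -1;
            continue;
        }
        if (res == 0)
            break;                                  /* EOF: return short count */
        pos += (size_t)res;
    }
    return (ssize_t)pos;
}

/* Demo 1: empty non-blocking pipe.  With RETURN_ON_EAGAIN the call comes
 * straight back with EAGAIN, like a plain read(2).  Returns 1 if so. */
int demo_return_on_eagain(void)
{
    int p[2]; char b[8];
    if (pipe(p) == -1) return -1;
    fcntl(p[0], F_SETFL, O_NONBLOCK);
    ssize_t r = xfer_all(read, p[0], b, sizeof b, 1, RETURN_ON_EAGAIN);
    int ok = (r == -1 && errno == EAGAIN);
    close(p[0]);
    close(p[1]);
    return ok;
}

/* Demo 2: a child dribbles a constructed message into the pipe in 12-byte
 * chunks with pauses, so the parent's non-blocking read hits EAGAIN between
 * chunks; WAIT_ON_EAGAIN parks in poll() yet still delivers every byte.
 * Returns 1 if the whole message arrived intact and the child exited 0. */
int demo_wait_on_eagain(void)
{
    static const char msg[] = "constructed sample payload sent in 12-byte chunks";
    int p[2]; char buf[sizeof msg];
    if (pipe(p) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {                                 /* child: writer */
        close(p[0]);
        size_t off = 0, len = sizeof msg;
        while (off < len) {
            size_t chunk = len - off < 12 ? len - off : 12;
            usleep(20000);                          /* let the reader see EAGAIN */
            if (xfer_all(vwrite, p[1], (char *)msg + off, chunk, 0,
                WAIT_ON_EAGAIN) != (ssize_t)chunk)
                _exit(1);
            off += chunk;
        }
        _exit(0);
    }
    close(p[1]);                                    /* parent: reader */
    fcntl(p[0], F_SETFL, O_NONBLOCK);
    ssize_t r = xfer_all(read, p[0], buf, sizeof buf, 1, WAIT_ON_EAGAIN);
    int status = 1;
    waitpid(pid, &status, 0);
    close(p[0]);
    return r == (ssize_t)sizeof buf && memcmp(buf, msg, sizeof msg) == 0
        && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```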
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 18 Apr 2001 10:43:17 -0500 (CDT) Subject: man pages screwed In-Reply-To: <15067.32443.263553.631114@swift.csulb.edu> Message-ID: What was the final result? I would prefer testing for BSD formatted manpages before defaulting to lower quality pages as long as there is a way to override it from the ./configure.in. Just in case we need it. I just fixed up the catman pages a few moments ago (Mark, remember people use 'make -f Makefile.in distprep' =). - Ben From roth+openssh at feep.net Thu Apr 19 02:33:05 2001 From: roth+openssh at feep.net (Mark D. Roth) Date: Wed, 18 Apr 2001 11:33:05 -0500 Subject: man pages screwed In-Reply-To: ; from mouring@etoh.eviladmin.org on Wed, Apr 18, 2001 at 10:43:17AM -0500 References: <15067.32443.263553.631114@swift.csulb.edu> Message-ID: <20010418113305.A28861@yorktown.isdn.uiuc.edu> On Wed Apr 18 10:43 2001 -0500, mouring at etoh.eviladmin.org wrote: > What was the final result? I would prefer testing for BSD formatted > manpages before defaulting to lower quality pages as long as there is > a way to override it from the ./configure.in. Just in case we need > it. I've attached a patch relative to the current CVS snapshot. It includes both my autoconf/Makefile fixes and a slightly modified version of Jim's automatic nroff detection stuff. I've done the usual basic round of testing on this, but I'd appreciate it if others would take a look at it as well. > I just fixed up the catman pages a few moments ago (Mark, remember people > use 'make -f Makefile.in distprep' =). Sorry about that. ;) -- Mark D. Roth http://www.feep.net/~roth/ -------------- next part -------------- Index: Makefile.in =================================================================== RCS file: /cvs/openssh_cvs/Makefile.in,v retrieving revision 1.168 diff -u -r1.168 Makefile.in --- Makefile.in 2001/04/16 00:41:46 1.168 +++ Makefile.in 2001/04/18 16:26:06 
@@ -6,6 +6,7 @@ sbindir=@sbindir@ libexecdir=@libexecdir@ mandir=@mandir@ +mansubdir=@mansubdir@ sysconfdir=@sysconfdir@ piddir=@piddir@ srcdir=@srcdir@ @@ -126,9 +127,9 @@ manpage=$<; \ fi; \ if test "$(MANTYPE)" = "man"; then \ - $(FIXPATHSCMD) $(srcdir)/$${manpage} | $(PERL) $(srcdir)/mdoc2man.pl > $@; \ + $(FIXPATHSCMD) $${manpage} | $(PERL) $(srcdir)/mdoc2man.pl > $@; \ else \ - $(FIXPATHSCMD) $(srcdir)/$${manpage} > $@; \ + $(FIXPATHSCMD) $${manpage} > $@; \ fi $(CONFIGFILES):: @@ -165,6 +166,8 @@ $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir) $(srcdir)/mkinstalldirs $(DESTDIR)$(sbindir) $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir) + $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1 + $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8 $(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir) $(INSTALL) -m $(SSH_MODE) -s ssh $(DESTDIR)$(bindir)/ssh $(INSTALL) -m 0755 -s scp $(DESTDIR)$(bindir)/scp 
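Review bot: dropping `$(srcdir)/` in the @@ -126 hunk is correct only because `manpage` comes from `$<`, which GNU make has already resolved through VPATH; Lutz's patch to the same rule earlier in the thread replaces `$<` with `$@` for HP-UX make, and `$@` carries no directory, so whichever of the two lands second has to re-add the prefix or out-of-tree builds break. The cat branch derives the .0 name by sed from `$<` as well, so it only works while the .0 page sits in the same directory as its .1 source.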
@@ -175,22 +178,15 @@ $(INSTALL) -m 0755 -s sshd $(DESTDIR)$(sbindir)/sshd @NO_SFTP@$(INSTALL) -m 0755 -s sftp $(DESTDIR)$(bindir)/sftp @NO_SFTP@$(INSTALL) -m 0755 -s sftp-server $(DESTDIR)$(SFTP_SERVER) - if test "$(MANTYPE)" = "doc"; then \ - mansubdir="man"; \ - else \ - mansubdir="$(MANTYPE)"; \ - fi; \ - $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$${mansubdir}1; \ - $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$${mansubdir}8; \ - $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$${mansubdir}1/ssh.1; \ - $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$${mansubdir}1/scp.1; \ - $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$${mansubdir}1/ssh-add.1; \ - $(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$${mansubdir}1/ssh-agent.1; \ - $(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$${mansubdir}1/ssh-keygen.1; \ - $(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$${mansubdir}1/ssh-keyscan.1; \ - $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$${mansubdir}8/sshd.8; \ - @NO_SFTP@$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$${mansubdir}1/sftp.1; \ - @NO_SFTP@$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$${mansubdir}8/sftp-server.8; + $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 + $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 + $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 + $(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1 + $(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 + $(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 + $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 + @NO_SFTP@$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 + @NO_SFTP@$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 -rm -f $(DESTDIR)$(bindir)/slogin ln -s ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin -rm -f 
$(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 Index: configure.in =================================================================== RCS file: /cvs/openssh_cvs/configure.in,v retrieving revision 1.276 diff -u -r1.276 configure.in --- configure.in 2001/04/16 00:41:46 1.276 +++ configure.in 2001/04/18 16:26:06 @@ -70,11 +70,9 @@ AC_DEFINE(NO_X11_UNIX_SOCKETS) no_libsocket=1 no_libnsl=1 - MANTYPE=doc ;; *-*-dgux*) AC_DEFINE(IP_TOS_IS_BROKEN) - MANTYPE=doc ;; *-*-hpux10*) if test -z "$GCC"; then @@ -124,7 +122,6 @@ AC_DEFINE(DONT_TRY_OTHER_AF) AC_DEFINE(PAM_TTY_KLUDGE) inet6_default_4in6=yes - MANTYPE=doc ;; mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(HAVE_NEWS4) @@ -132,15 +129,12 @@ AC_CHECK_LIB(iberty, xatexit, AC_DEFINE(HAVE_XATEXIT), AC_MSG_ERROR([*** libiberty missing - please install first or check config.log ***]) ) - MANTYPE=doc ;; *-*-netbsd*) need_dash_r=1 - MANTYPE=doc ;; *-*-freebsd*) check_for_libcrypt_later=1 - MANTYPE=doc ;; *-next-*) conf_lastlog_location="/usr/adm/lastlog" @@ -153,7 +147,6 @@ AC_DEFINE(BROKEN_SAVED_UIDS) CPPFLAGS="$CPPFLAGS -I/usr/local/include" CFLAGS="$CFLAGS" - MANTYPE=doc ;; *-*-solaris*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" @@ -1416,13 +1409,25 @@ AC_MSG_ERROR(invalid man type: $withval) ;; esac - ], [ - if test -z "$MANTYPE" ; then - MANTYPE=man - fi ] ) +if test -z "$MANTYPE"; then + AC_PATH_PROGS(NROFF, nroff awf, /bin/false, /usr/bin) + if ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then + MANTYPE=doc + elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then + MANTYPE=man + else + MANTYPE=cat + fi +fi AC_SUBST(MANTYPE) +if test "$MANTYPE" = "doc"; then + mansubdir=man; +else + mansubdir=$MANTYPE; +fi +AC_SUBST(mansubdir) # Check whether to enable MD5 passwords MD5_MSG="no" 
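Review bot: the @@ -1416 hunk decides MANTYPE from nroff's exit status alone; that matches every data point in this thread (non-zero on the seven platforms in Jim's table, 2 on UNICOS and NeXTStep, 130 on AIX), but a formatter that ignores the missing tmac.doc and still exits 0 would be misdetected as doc. Checking for something only the mdoc macros produce, e.g. `${NROFF} -mdoc ${srcdir}/ssh.1 2>/dev/null | grep -q 'SSH(1)'`, would catch that case too. Also, `AC_PATH_PROGS(NROFF, nroff awf, /bin/false, /usr/bin)` searches only /usr/bin, deliberately skipping a groff earlier on PATH; since AC_PATH_PROGS honours a pre-set $NROFF, it is worth documenting `NROFF=... ./configure` beside `--with-mantype` as the override.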
@@ -1896,7 +1901,7 @@ C=`eval echo ${sbindir}` ; C=`eval echo ${C}` D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}` E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}` -F=`eval echo ${mandir}` ; F=`eval echo ${F}` +F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}` G=`eval echo ${piddir}` ; G=`eval echo ${G}` H=`eval echo ${user_path}` ; H=`eval echo ${H}` From roth+openssh at feep.net Thu Apr 19 02:46:33 2001 From: roth+openssh at feep.net (Mark D. Roth) Date: Wed, 18 Apr 2001 11:46:33 -0500 Subject: man pages screwed In-Reply-To: ; from mouring@etoh.eviladmin.org on Mon, Apr 16, 2001 at 12:03:34PM -0500 References: <20010416113648.S5478@quipu.half.pint-stowp.cx> Message-ID: <20010418114633.B28861@yorktown.isdn.uiuc.edu> On Mon Apr 16 12:03 2001 -0500, mouring at etoh.eviladmin.org wrote: > As for other hard-coded features. If there are places where it can > be made more robust, feel free to let us know. A lot of > configure.in/Makefile.in stuff appeared because it was the best solution > at the time. As I mentioned before, I don't really have the time to dive into this in detail, but here are a few of the more obvious examples for platforms I'm fairly familiar with:
* AIX: AC_DEFINE(BROKEN_GETADDRINFO) AC_DEFINE(DISABLE_LASTLOG)
* HP-UX: AC_DEFINE(PAM_SUN_CODEBASE) AC_DEFINE(USE_PIPES) AC_DEFINE(DISABLE_SHADOW) AC_DEFINE(DISABLE_UTMP) LIBS="$LIBS -lsec"
* Solaris: AC_DEFINE(PAM_SUN_CODEBASE) AC_DEFINE(DISABLE_UTMP) AC_DEFINE(DISABLE_WTMP)
These are all things which can be tested for instead of being hard-coded by platform name. In my experience, things work much better that way. Quite frankly, I wouldn't be upset to see the entire ``case "$host"'' block disappear from configure.in. Of course, it's pretty easy to point this stuff out when you don't have the time to work on fixing it, so I'll shut up now... ;) -- Mark D. Roth http://www.feep.net/~roth/ From mouring at etoh.eviladmin.org Thu Apr 19 03:51:13 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 18 Apr 2001 12:51:13 -0500 (CDT)
Subject: Portable openssh build problems.
In-Reply-To: <20010418105220.A17190@elysium.stortek.com>
Message-ID:

[Moved to openssh port from openssh at openbsd.org for broader comments]

On Wed, 18 Apr 2001, Mike Crowl wrote:

> To whom it may concern,
>
> I've been building openssh for various versions of solaris and noticed that I'm having to jump through hoops to get it done because the build process for openssh is pretty sloppy. Specifically there are several option flags in the configure script which do not work at all.
>
> --includedir
> --libdir
>
> (do not place the correct locations of zlib into the make when I specify the include directory and lib directory under my installed zlib)

Hmm..Can't comment on either one of these because I never use them. Even under Solaris, I tend to install common libraries in /usr/local.

> --with-pid-dir
>
> (does not do anything...but is mentioned in the install page on website. I tried this, but it ignores my input entirely. Also it does not place the pid file in a uniform location across different OS versions of solaris. I.E. if /var/run exists, then pid goes there...if not then it goes into the dir with the local configs. It should go to a uniform place if you are not going to have this option work correctly.)

Thank you very much for pointing this out. I've corrected it. Somewhere in the Makefile.in clean up it was lost. If you add to your Makefile.in:

PATHS= [..] \
-D_PATH_SSH_PIDDIR=\"$(piddir)\"

and then re-run your ./configure, it should compile with the correct path for the PID directory.

> make install - always creates a host key....assumes that you always want to do so. This is not a good idea when you have just cross-compiled for multiple architectures and need to install the binaries into your apps tree for later dist to various OS/server types.
make install tests to see if you have keys. If you don't, it will automatically generate them. This is the correct behavior. There was a long talk about this a long time ago, and the agreement was that this was the correct behavior. I'm not sure if it's worth adding a 'make install-nokeys' for those who don't wish to generate keys at install time.

> Also the location of tcpd.h and libwrap.a cannot be fed in via the configure script. The build blindly assumes they are installed in /usr/include and /usr/lib.

/usr/include, /usr/local/include, /usr/lib, /usr/local/lib are currently the default search path for the installer (for Solaris).

--with-cppflags="/path/to/wrapperinclude/" \
--with-ldflags="/path/to/wrapperlib/"

should work fine to add new Include and Library paths.

> I know I'm not offering anything in the way of a fix here, but maybe noting this stuff as a bug will allow someone to have justification to work on it.
>
> I'm a little surprised that I'm having this much trouble. I run openssh on my three linux servers at home and had no problems getting it built and running.

- Ben

From mouring at etoh.eviladmin.org Thu Apr 19 03:55:30 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 18 Apr 2001 12:55:30 -0500 (CDT)
Subject: man pages screwed
In-Reply-To: <20010418113305.A28861@yorktown.isdn.uiuc.edu>
Message-ID:

Applied.. Thanks.

On Wed, 18 Apr 2001, Mark D. Roth wrote:

> On Wed Apr 18 10:43 2001 -0500, mouring at etoh.eviladmin.org wrote:
> > What was the final result? I would prefer testing for BSD formatted manpages before defaulting to lower quality pages as long as there is a way to override it from the ./configure.in. Just in case we need it.
>
> I've attached a patch relative to the current CVS snapshot. It includes both my autoconf/Makefile fixes and a slightly modified version of Jim's automatic nroff detection stuff.
>
> I've done the usual basic round of testing on this, but I'd appreciate it if others would take a look at it as well.
>
> > I just fixed up the catman pages a few moments ago (Mark, remember people use 'make -f Makefile.in distprep' =).
>
> Sorry about that. ;)
>
> --
> Mark D. Roth
> http://www.feep.net/~roth/

From Marc at SoftwareHackery.Com Thu Apr 19 06:57:57 2001
From: Marc at SoftwareHackery.Com (Marc Evans)
Date: Wed, 18 Apr 2001 16:57:57 -0400 (EDT)
Subject: Bug report - openssh-2.5.2p2
In-Reply-To: <20010418225258.A17445@folly>
Message-ID:

Well, I guess that depends on what "everything" includes. Both openssl-0.9.6a and openssh-2.5.2p2 were built with gcc-2.95. On the other hand libc was probably built with some older version by REDHAT. The SPARC itself is a simple SPARC 20, so hopefully nothing 64-bit oriented is being encountered...

- Marc

On Wed, 18 Apr 2001, Markus Friedl wrote:

> On Wed, Apr 18, 2001 at 01:31:09PM -0400, Marc Evans wrote:
> > Hello -
> >
> > I have openssh-2.5.2p2 built with openssl-0.9.6a on a SPARC running Redhat Linux 6.2 that has been modified to use the 2.4.3 kernel and gcc-2.95. I am experiencing a consistent problem using the ssh client to communicate with the sshd located at shell.segnet.com, as shown here:
> >
> > Program received signal SIGILL, Illegal instruction.
> > 0x54a44 in bn_div_words ()
> > (gdb) where
> > #0 0x54a44 in bn_div_words ()
> > #1 0x544b0 in BN_div_word ()
> > #2 0x53250 in BN_bn2dec ()
> > #3 0x30e1c in write_bignum (f=0xfbe40, num=0xfbd80) at key.c:350
> > #4 0x31504 in key_write (key=0xefffe660, f=0xfbe40) at key.c:482
> > #5 0x2fcf4 in add_host_to_hostfile (filename=0xfbb38 "/root/.ssh/known_hosts", host=0xefffe130 "shell.segnet.com,216.107.208.4", key=0xefffe660) at hostfile.c:208
> > #6 0x16b80 in check_host_key (host=0xfbba0 "shell.segnet.com", hostaddr=0xe78b8, host_key=0xefffe660, user_hostfile=0xfbb38 "/root/.ssh/known_hosts", system_hostfile=0xfbb10 "/usr/local/etc/ssh_known_hosts") at sshconnect.c:632
> > #7 0x18660 in ssh_kex (host=0xfbba0 "shell.segnet.com", hostaddr=0xe78b8) at sshconnect1.c:787
> > #8 0x171d0 in ssh_login (host_key_valid=1, own_host_key=0xfb480, orighost=0xefffebcf "shell.segnet.com", hostaddr=0xe78b8, original_real_uid=0) at sshconnect.c:773
> > #9 0x13ccc in main (ac=3, av=0xefffea9c) at ssh.c:698
>
> is everything built with the same compiler? no 64 vs 32 bit issues?

From djm at mindrot.org Thu Apr 19 08:04:55 2001
From: djm at mindrot.org (Damien Miller)
Date: Thu, 19 Apr 2001 08:04:55 +1000 (EST)
Subject: man pages screwed
In-Reply-To: <20010418114633.B28861@yorktown.isdn.uiuc.edu>
Message-ID:

On Wed, 18 Apr 2001, Mark D. Roth wrote:

> As I mentioned before, I don't really have the time to dive into this in detail, but here are a few of the more obvious examples for platforms I'm fairly familiar with:
>
> * AIX:
> AC_DEFINE(BROKEN_GETADDRINFO)

This might be tricky to test for at runtime, you can't assume that DNS is configured.

> AC_DEFINE(DISABLE_LASTLOG)

I can't think of a way to test for this.

> * HP-UX:
> AC_DEFINE(PAM_SUN_CODEBASE)

A test for this would be nice. Take a look in defines.h to see what it is used for.

> AC_DEFINE(USE_PIPES)

The pipe bugs can be pretty subtle on some systems. If you can develop testcases, then IMO they should be used to browbeat your OS vendor into fixing them :)

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From brian.king at xwave.com Fri Apr 20 01:44:04 2001
From: brian.king at xwave.com (King, Brian)
Date: Thu, 19 Apr 2001 12:44:04 -0300
Subject: Converting keys from commercial ssh
Message-ID:

I'm not sure if this is useful to anyone else, but around here people are insisting we use key-ed authentication with windows clients and Unix servers over SSH protocol version 2.

I couldn't find a free windows client that would meet those requirements. The closest was PuTTY, but it would only use password authentication with SSH2. In the end, this means we will probably have to go with OpenSSH on the servers, and ssh.com's client on the windows workstations. The problem that appears then is the differing public key file formats between the commercial SSH and OpenSSH.

I've quickly put together a short script that should convert a public key (generated by the commercial windows client and pushed to a Unix server) to be used with OpenSSH's sshd. It appears to work fine with the limited testing I've done. If anyone decides to make improvements, I would appreciate receiving them.

Brian King

<>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010419/19c3b397/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssh-convkeys2.sh
Type: application/octet-stream
Size: 458 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010419/19c3b397/attachment.obj

From austin at coremetrics.com Fri Apr 20 07:08:32 2001
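Brian's ssh-convkeys2.sh was scrubbed from the archive, so the following is an added example of the same conversion (not his script, and not OpenSSH's own ssh-keygen -X): it parses an ssh.com public key file (BEGIN/END markers, "Comment:" header with backslash continuation), takes the key type from the decoded blob instead of trusting the headers, and emits one authorized_keys line. The sample key is a constructed wire-format blob with toy numbers, not a real key.

```python
"""Convert an ssh.com (SECSH) public key file into an OpenSSH authorized_keys line.

Added example for this thread; not the script from the post and not ssh-keygen -X.
"""
import base64
import struct

# Key types OpenSSH 2.5.x accepts in authorized_keys2; anything else is rejected.
KNOWN_TYPES = ("ssh-rsa", "ssh-dss")
BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def parse_secsh_public_key(text):
    """Return (headers, blob) from a SECSH public key file.

    'Name: value' lines directly after BEGIN are headers; a value ending in a
    backslash continues on the next line.  The remaining lines up to END are
    the base64 key blob.
    """
    lines = text.splitlines()
    if BEGIN not in lines or END not in lines:
        raise ValueError("not a SECSH public key: BEGIN/END markers missing")
    start, end = lines.index(BEGIN), lines.index(END)
    headers, body = {}, []
    i = start + 1
    while i < end:
        line = lines[i].strip()
        if ":" in line and not body:          # header (base64 never contains ':')
            name, value = line.split(":", 1)
            value = value.strip()
            while value.endswith("\\") and i + 1 < end:
                i += 1
                value = value[:-1] + lines[i].strip()
            headers[name.strip().lower()] = value
        elif line:
            body.append(line)
        i += 1
    blob = base64.b64decode("".join(body), validate=True)
    return headers, blob


def key_type_from_blob(blob):
    """Read the leading SSH string (uint32 length + bytes) that names the key type."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4:
        raise ValueError("malformed key blob: type string runs past the end")
    return blob[4:4 + n].decode("ascii")


def secsh_to_openssh(text):
    """Build 'type base64 comment' for authorized_keys from SECSH text."""
    headers, blob = parse_secsh_public_key(text)
    ktype = key_type_from_blob(blob)   # trust the blob, not the file's headers
    if ktype not in KNOWN_TYPES:
        raise ValueError("unsupported key type %r" % ktype)
    comment = headers.get("comment", "")
    if len(comment) >= 2 and comment[0] == comment[-1] == '"':
        comment = comment[1:-1]
    fields = [ktype, base64.b64encode(blob).decode("ascii")]
    if comment:
        fields.append(comment)
    return " ".join(fields)


def parse_openssh_line(line):
    """Split an authorized_keys line back into (type, blob, comment) for checking."""
    fields = line.split(" ", 2)
    blob = base64.b64decode(fields[1], validate=True)
    comment = fields[2] if len(fields) == 3 else ""
    return fields[0], blob, comment


# --- constructed sample input (toy numbers in SSH wire format, NOT a real key) ---
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(value):
    # positive mpint: big-endian, with a leading zero byte if the top bit is set
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(0xC0FFEE1234567890ABCDEF)
SAMPLE_COMMENT = "constructed test key, not a real key, generated for this example"
_b64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_SECSH = "\n".join(
    [BEGIN,
     'Comment: "constructed test key, not a real key, \\',   # continued on next line
     'generated for this example"']
    + [_b64[i:i + 70] for i in range(0, len(_b64), 70)]
    + [END]) + "\n"

if __name__ == "__main__":
    print(secsh_to_openssh(SAMPLE_SECSH))
```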
From: austin at coremetrics.com (Austin Gonyou)
Date: Thu, 19 Apr 2001 16:08:32 -0500 (CDT)
Subject: Converting keys from commercial ssh
In-Reply-To:
Message-ID:

Pretty nifty!

--
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: austin at coremetrics.com

On Thu, 19 Apr 2001, King, Brian wrote:

> I'm not sure if this is useful to anyone else, but around here people are insisting we use key-ed authentication with windows clients and Unix servers over SSH protocol version 2.
>
> I couldn't find a free windows client that would meet those requirements. The closest was PuTTY, but it would only use password authentication with SSH2. In the end, this means we will probably have to go with OpenSSH on the servers, and ssh.com's client on the windows workstations. The problem that appears then is the differing public key file formats between the commercial SSH and OpenSSH.
>
> I've quickly put together a short script that should convert a public key (generated by the commercial windows client and pushed to a Unix server) to be used with OpenSSH's sshd. It appears to work fine with the limited testing I've done. If anyone decides to make improvements, I would appreciate receiving them.
>
> Brian King
>
> <>

From vinschen at redhat.com Fri Apr 20 07:34:46 2001
From: vinschen at redhat.com (Corinna Vinschen)
Date: Thu, 19 Apr 2001 23:34:46 +0200
Subject: Converting keys from commercial ssh
In-Reply-To: ; from brian.king@xwave.com on Thu, Apr 19, 2001 at 12:44:04PM -0300
References:
Message-ID: <20010419233446.S12557@cygbert.vinschen.de>

On Thu, Apr 19, 2001 at 12:44:04PM -0300, King, Brian wrote:
> I'm not sure if this is useful to anyone else, but around here people are insisting we use key-ed authentication with windows clients and Unix servers over SSH protocol version 2.
>
> I couldn't find a free windows client that would meet those requirements. The closest was PuTTY, but it would only use password authentication with SSH2. In the end, this means we will probably have to go with OpenSSH on the servers, and ssh.com's client on the windows workstations. The problem that appears then is the differing public key file formats between the commercial SSH and OpenSSH.

OpenSSH is available as Windows client and server using the Cygwin POSIX emulation layer. Look into http://cygwin.com. The net distro of Cygwin contains OpenSSH-2.5.2p2.

Hope that helps,
Corinna

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From rachit at ensim.com Fri Apr 20 09:15:39 2001
From: rachit at ensim.com (Rachit Siamwalla)
Date: Thu, 19 Apr 2001 16:15:39 -0700
Subject: Converting keys from commercial ssh
Message-ID: <9AC41B8C4781464695BB013F106FCA31D2BCD5@nasdaq.ms.ensim.com>

Doesn't ssh-keygen -X do the same thing? It works for private keys too. This ssh-keygen -X seems like a hidden feature no one knows about.

This is actually quite funny. I had a similar problem scouring the net and the list for answers on how to convert ssh.com private keys to openssh (the public key conversion is easy as you found out, the private key conversion was not so straightforward). I was looking and asked the list, and no one knew the answer. A few weeks later I actually went around poking the openssh code grepping for code to read / write keys, and I stumbled on some code in keygen that actually did what I needed. Lo and behold, when I manned ssh-keygen, the "-X" option was right there glaring at me.

-rchit

-----Original Message-----
From: Austin Gonyou [mailto:austin at coremetrics.com]
Sent: Thursday, April 19, 2001 2:09 PM
To: King, Brian
Cc: 'openssh-unix-dev at mindrot.org'
Subject: Re: Converting keys from commercial ssh

Pretty nifty!

--
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: austin at coremetrics.com

On Thu, 19 Apr 2001, King, Brian wrote:

> I'm not sure if this is useful to anyone else, but around here people are insisting we use key-ed authentication with windows clients and Unix servers over SSH protocol version 2.
>
> I couldn't find a free windows client that would meet those requirements. The closest was PuTTY, but it would only use password authentication with SSH2. In the end, this means we will probably have to go with OpenSSH on the servers, and ssh.com's client on the windows workstations. The problem that appears then is the differing public key file formats between the commercial SSH and OpenSSH.
>
> I've quickly put together a short script that should convert a public key (generated by the commercial windows client and pushed to a Unix server) to be used with OpenSSH's sshd. It appears to work fine with the limited testing I've done. If anyone decides to make improvements, I would appreciate receiving them.
>
> Brian King
>
> <>

From tomh at po.crl.go.jp Fri Apr 20 14:51:29 2001
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Fri, 20 Apr 2001 13:51:29 +0900 (JST)
Subject: [patch] one warning, one omission, and two requests; portable CVS
Message-ID:

Requests first: after a build, "make" always remakes all the .out files; maybe we could add a few dependencies there? And could we possibly have a few more '@if' lines in the Makefile to quiet it down?

These should be obvious:

--- #readpass.c Fri Apr 20 13:17:39 2001 +++ readpass.c Fri Apr 20 13:37:26 2001
@@ -43,7 +43,7 @@ #include "ssh.h" char * -ssh_askpass(char *askpass, char *msg) +ssh_askpass(char *askpass, const char *msg) { pid_t pid; size_t len; --- #scp.c Fri Apr 20 13:17:39 2001 +++ scp.c Fri Apr 20 13:45:32 2001 @@ -82,6 +82,7 @@ #include "pathnames.h" #include "log.h" #include "misc.h" +#include "scp-common.h" #ifdef HAVE___PROGNAME extern char *__progname;

From mouring at etoh.eviladmin.org Fri Apr 20 14:46:21 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 19 Apr 2001 23:46:21 -0500 (CDT)
Subject: [patch] one warning, one omission, and two requests; portable CVS
In-Reply-To:
Message-ID:

On Fri, 20 Apr 2001, Tom Holroyd wrote:

> +++ scp.c Fri Apr 20 13:45:32 2001 > @@ -82,6 +82,7 @@ > #include "pathnames.h" > #include "log.h" > #include "misc.h" > +#include "scp-common.h" >

Where did that get dropped out.. Thanks..

- Ben

From j.petersen at msh.de Fri Apr 20 15:52:51 2001
From: j.petersen at msh.de ("Petersen, Jörg")
Date: Fri, 20 Apr 2001 07:52:51 +0200
Subject: Converting keys from commercial ssh
Message-ID:

Just as a notice: PuTTY (at least the newest developer-versions) allows public key authentication with SSH2 - but only RSA keys. Works fine with me...

Jörg

-----Original Message-----
From: King, Brian [mailto:brian.king at xwave.com]
...
I couldn't find a free windows client that would meet those requirements. The closest was PuTTY, but it would only use password authentication with SSH2.
...

From karlm30 at hotmail.com Fri Apr 20 18:29:42 2001
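Review bot: the readpass.c hunk changes only the definition to `ssh_askpass(char *askpass, const char *msg)`; if ssh_askpass is also declared in a header or by a forward declaration (neither is in this diff), that prototype has to pick up the same `const char *msg` in the same patch, otherwise a strict compiler reports conflicting types and the build trades the original warning for a new one. Worth a one-line note in the submission saying the declaration was checked.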
From: karlm30 at hotmail.com (Karl M)
Date: Fri, 20 Apr 2001 01:29:42 -0700
Subject: Initial patch to implement partial auth with SSH2
Message-ID:

Hi All...

I've been experimenting with the partial authorization patch for OpenSSH-2.5.2. I'm using CygWin on a Windows 2000 (SP1) box.

I noticed a bug in the patch that shows up for CygWin users. The problem is that publickey authentication only works if sshd is running with the same user-id as the ssh client. When I run sshd as a service with a user-id of LocalSystem publickey authentication fails.

This is because the check_nt_auth call in userauth-pubkey fails if the ssh user-id is different from the sshd user-id.

It looks to me like userauth_pubkey needs to "suspend disbelief" (and not call check_nt_auth and auth_password) for partial authentication, in the hope that a password may come later. Then somewhere check_nt_auth and auth_password need to be called to make sure that we don't forget to set the sshd user-id to the ssh user-id.

Thanks,

...Karl

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com

From vinschen at redhat.com Fri Apr 20 21:13:54 2001
From: vinschen at redhat.com (Corinna Vinschen)
Date: Fri, 20 Apr 2001 13:13:54 +0200
Subject: Initial patch to implement partial auth with SSH2
In-Reply-To: ; from karlm30@hotmail.com on Fri, Apr 20, 2001 at 01:29:42AM -0700
References:
Message-ID: <20010420131354.Y12557@cygbert.vinschen.de>

On Fri, Apr 20, 2001 at 01:29:42AM -0700, Karl M wrote:
> Hi All...
>
> I've been experimenting with the partial authorization patch for OpenSSH-2.5.2. I'm using CygWin on a Windows 2000 (SP1) box.
>
> I noticed a bug in the patch that shows up for CygWin users. The problem is that publickey authentication only works if sshd is running with the same user-id as the ssh client. When I run sshd as a service with a user-id of LocalSystem publickey authentication fails.
>
> This is because the check_nt_auth call in userauth-pubkey fails if the ssh user-id is different from the sshd user-id.
>
> It looks to me like userauth_pubkey needs to "suspend disbelief" (and not call check_nt_auth and auth_password) for partial authentication, in the hope that a password may come later. Then somewhere check_nt_auth and auth_password need to be called to make sure that we don't forget to set the sshd user-id to the ssh user-id.

Since the original partial authorization patch isn't applied yet, you're somewhat on your own. Why don't you simply override the check in `check_ntsec' for now?

Corinna

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From karlm30 at hotmail.com Sat Apr 21 00:46:51 2001
From: karlm30 at hotmail.com (Karl M)
Date: Fri, 20 Apr 2001 07:46:51 -0700
Subject: Initial patch to implement partial auth with SSH2
Message-ID:
From: "Karl M"
To: cygwin at cygwin.com
Subject: Re: Initial patch to implement partial auth with SSH2
Date: Fri, 20 Apr 2001 07:32:39 -0700

Hi Corinna...

I was thinking...for the CygWin environment (on WinNT and Win2k) we could avoid the problem of where to place a new call to check_nt_auth and auth_password by requiring that, if the ssh and sshd user-ids are different, password authentication is required (which was the reason I was interested in this in the first place). I can do that for now by using Authorder2 publickey:password and commenting out the check in userauth_publickey.

Thanks,

...Karl
>From: Corinna Vinschen
>To: cygwin at cygwin.com, openssh-unix-dev at mindrot.org
>Subject: Re: Initial patch to implement partial auth with SSH2
>Date: Fri, 20 Apr 2001 13:13:54 +0200
>
>On Fri, Apr 20, 2001 at 01:29:42AM -0700, Karl M wrote:
> > Hi All...
> >
> > I've been experimenting with the partial authorization patch for OpenSSH-2.5.2. I'm using CygWin on a Windows 2000 (SP1) box.
> >
> > I noticed a bug in the patch that shows up for CygWin users. The problem is that publickey authentication only works if sshd is running with the same user-id as the ssh client. When I run sshd as a service with a user-id of LocalSystem publickey authentication fails.
> >
> > This is because the check_nt_auth call in userauth-pubkey fails if the ssh user-id is different from the sshd user-id.
> >
> > It looks to me like userauth_pubkey needs to "suspend disbelief" (and not call check_nt_auth and auth_password) for partial authentication, in the hope that a password may come later. Then somewhere check_nt_auth and auth_password need to be called to make sure that we don't forget to set the sshd user-id to the ssh user-id.
>
>Since the original partial authorization patch isn't applied yet, you're somewhat on your own. Why don't you simply override the check in `check_ntsec' for now?
>
>Corinna
>
>--
>Corinna Vinschen
>Cygwin Developer
>Red Hat, Inc.
>mailto:vinschen at redhat.com

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com

From roth+openssh at feep.net Sat Apr 21 01:33:58 2001
From: roth+openssh at feep.net (Mark D. Roth)
Date: Fri, 20 Apr 2001 10:33:58 -0500
Subject: PAM Service Name Patch
In-Reply-To: ; from stevesk@sweden.hp.com on Mon, Apr 16, 2001 at 10:08:38PM +0200
References: <20010414165234.A18691@yorktown.isdn.uiuc.edu>
Message-ID: <20010420103358.A32037@yorktown.isdn.uiuc.edu>

On Mon Apr 16 22:08 2001 +0200, Kevin Steves wrote:
> On Sat, 14 Apr 2001, Mark D. Roth wrote:
> : > I've attached a patch relative to OpenSSH 2.5.1p1 which sets the default PAM service name to __progname instead of the hard-coded value "sshd". This allows you to have multiple invocations of sshd under different names, each with its own PAM configuration.
> :
> : I just noticed that this patch is still not in the current CVS tree. Did it just get overlooked, or is there some problem with it?
>
> did we agree that there were no security issues with that patch? i think so, and i don't see any problem with it.

It looks like the consensus is that there's no problem with the patch. Can we get it applied? Thanks!

--
Mark D. Roth
http://www.feep.net/~roth/

From Bill.Petersen at usa.alcatel.com Sat Apr 21 03:03:55 2001
From: Bill.Petersen at usa.alcatel.com (Bill Petersen)
Date: Fri, 20 Apr 2001 12:03:55 -0500
Subject: sftp is broken
Message-ID: <3AE06BFB.761E4F01@usa.alcatel.com>

I just built openssh 2.5.2p2 for solaris 2.5.1, 2.6 and 2.8. All show the same problem mentioned earlier.

sftp somehost
ls

cd /tmp
ls

put abc
ls

HELP!

Bill Petersen
bill.petersen at usa.alcatel.com

From Bill.Petersen at usa.alcatel.com Sat Apr 21 03:08:30 2001
From: Bill.Petersen at usa.alcatel.com (Bill Petersen)
Date: Fri, 20 Apr 2001 12:08:30 -0500
Subject: sftp is broken
References: <3AE06BFB.761E4F01@usa.alcatel.com>
Message-ID: <3AE06D0E.1D6ACFBC@usa.alcatel.com>

NOTE:

put abc abc
works

put abc
will put the file in my home directory!

Bill

Bill Petersen wrote:

> I just built openssh 2.5.2p2 for solaris 2.5.1, 2.6 and 2.8. All show the same problem mentioned earlier.
>
> sftp somehost
> ls
>
> cd /tmp
> ls
>
> put abc
> ls
> there!>
>
> HELP!
>
> Bill Petersen
> bill.petersen at usa.alcatel.com

From mouring at etoh.eviladmin.org Sat Apr 21 03:26:01 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Fri, 20 Apr 2001 12:26:01 -0500 (CDT)
Subject: sftp is broken
In-Reply-To: <3AE06D0E.1D6ACFBC@usa.alcatel.com>
Message-ID:

There is a bug in 2.5.2p2. I just compiled it under Solaris and it gives the same result. However the current snapshot does not show this problem. I'm not sure if it's worth putting out a 2.5.2p3 with 3.0p1 coming soon. I never saw it under Linux/OpenBSD because both of those machines are following the -current branch.

- Ben

On Fri, 20 Apr 2001, Bill Petersen wrote:

> NOTE:
>
> put abc abc
> works
>
> put abc
> will put the file in my home directory!
>
> Bill
>
> Bill Petersen wrote:
>
> > I just built openssh 2.5.2p2 for solaris 2.5.1, 2.6 and 2.8. All show the same problem mentioned earlier.
> >
> > sftp somehost
> > ls
> >
> > cd /tmp
> > ls
> >
> > put abc
> > ls
> > there!>
> >
> > HELP!
> >
> > Bill Petersen
> > bill.petersen at usa.alcatel.com

From stevesk at sweden.hp.com Sat Apr 21 03:45:26 2001
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Fri, 20 Apr 2001 19:45:26 +0200 (METDST)
Subject: PAM Service Name Patch
In-Reply-To: <20010420103358.A32037@yorktown.isdn.uiuc.edu>
Message-ID:

On Fri, 20 Apr 2001, Mark D. Roth wrote:
: It looks like the consensus is that there's no problem with the patch. Can we get it applied? Thanks!

yes, done.

From mouring at etoh.eviladmin.org Sat Apr 21 03:40:41 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Fri, 20 Apr 2001 12:40:41 -0500 (CDT)
Subject: PAM Service Name Patch
In-Reply-To:
Message-ID:

Can we get this documented somewhere since it's new behavior. Maybe in INSTALL or README.PAM or something. I really don't want to hear complaints about this if people decide they want to rename 'sshd' to 'opensshd' for side-by-side testing w/ another sshd.

- Ben

On Fri, 20 Apr 2001, Kevin Steves wrote:

> On Fri, 20 Apr 2001, Mark D. Roth wrote:
> : It looks like the consensus is that there's no problem with the patch. Can we get it applied? Thanks!
>
> yes, done.

From markus.friedl at informatik.uni-erlangen.de Fri Apr 20 03:30:32 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 19 Apr 2001 19:30:32 +0200
Subject: Converting keys from commercial ssh
In-Reply-To: ; from brian.king@xwave.com on Thu, Apr 19, 2001 at 12:44:04PM -0300
References:
Message-ID: <20010419193032.D27973@folly>

On Thu, Apr 19, 2001 at 12:44:04PM -0300, King, Brian wrote:
> I'm not sure if this is useful to anyone else, but around here people are insisting we use key-ed authentication with windows clients and Unix servers over SSH protocol version 2.
>
> I couldn't find a free windows client that would meet those requirements. The closest was PuTTY, but it would only use password authentication with SSH2. In the end, this means we will probably have to go with OpenSSH on the servers, and ssh.com's client on the windows workstations. The problem that appears then is the differing public key file formats between the commercial SSH and OpenSSH.

you can try

1) a recent PuTTY with SSH 2 and RSA authentication.
2) ssh-keygen -f ssh.com-key -X >> .ssh/authorized_keys2

-m

From markus.friedl at informatik.uni-erlangen.de Fri Apr 20 03:19:48 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 19 Apr 2001 19:19:48 +0200
Subject: Why we can't login ? (fwd)
Message-ID: <20010419191948.C27973@folly>

hints?

-------------- next part --------------
An embedded message was scrubbed...
From: Markus Friedl
Subject: Why we can't login ?
Date: Thu, 19 Apr 2001 09:18:02 +0200 (MET DST)
Size: 4357
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010419/b433827e/attachment.mht

From jcs at rt.fm Sat Apr 21 05:28:46 2001
From: jcs at rt.fm (Joshua Stein)
Date: Fri, 20 Apr 2001 14:28:46 -0500
Subject: Why we can't login ? (fwd)
In-Reply-To: <20010419191948.C27973@folly>; from markus.friedl@informatik.uni-erlangen.de on Thu, Apr 19, 2001 at 07:19:48PM +0200
References: <20010419191948.C27973@folly>
Message-ID: <20010420142844.B13076@rt.fm>

Markus Friedl wrote:
> hints?
> We uninstalled the default SSH packages openssh-2.1.1p4-1, openssh-server-2.1.1p4-1, and openssh-clients-2.1.1p4-1 of RedHat 7.0 and installed openssh-2.5.2p2 (config, make, install, not from RPM's).

A shot in the dark:

The RPM uninstallation probably removed /etc/pam.d/sshd and was not created/setup correctly when OpenSSH was reinstalled from the source.

From mouring at etoh.eviladmin.org Sat Apr 21 05:32:13 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Fri, 20 Apr 2001 14:32:13 -0500 (CDT)
Subject: Why we can't login ? (fwd)
In-Reply-To: <20010419191948.C27973@folly>
Message-ID:

It's redhat... I would check to ensure (with that release) that they have a /etc/pam.d/sshd file. That tends to be the major cause of users unable to login.

- Ben

On Thu, 19 Apr 2001, Markus Friedl wrote:

> hints?

From josb at cncdsl.com Sat Apr 21 05:46:41 2001
From: josb at cncdsl.com (Jos Backus)
Date: Fri, 20 Apr 2001 12:46:41 -0700
Subject: 2.5.2p2: comments in key files
Message-ID: <20010420124641.A4594@lizzy.bugworks.com>

It appears to be possible to put comments in DSA key files, even though comments are not supported in those files:

taiko:/depot/src/openssh-2.5.2p2% ./ssh-keygen -d -f mykey -C "comment"
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in mykey.
Your public key has been saved in mykey.pub.
The key fingerprint is:
7c:20:82:55:a2:2d:80:2c:e2:89:37:cf:f8:de:f4:39 comment
taiko:/depot/src/openssh-2.5.2p2% ./ssh-keygen -d -f mykey -c -C "new comment"
mykey is not a valid key file.
Comments are only supported in RSA1 keys
taiko:/depot/src/openssh-2.5.2p2%

--
Jos Backus _/ _/_/_/ "Modularity is not a hack." _/ _/ _/ -- D. J. Bernstein _/ _/_/_/ _/ _/ _/ _/ josb at cncdsl.com _/_/ _/_/_/ use Std::Disclaimer;

From Jarno.Huuskonen at uku.fi Sat Apr 21 05:50:17 2001
From: Jarno.Huuskonen at uku.fi (Jarno Huuskonen)
Date: Fri, 20 Apr 2001 22:50:17 +0300
Subject: Why we can't login ? (fwd)
In-Reply-To: <20010420142844.B13076@rt.fm>; from jcs@rt.fm on Fri, Apr 20, 2001 at 02:28:46PM -0500
References: <20010419191948.C27973@folly> <20010420142844.B13076@rt.fm>
Message-ID: <20010420225017.A42214@messi.uku.fi>

On Fri, Apr 20, Joshua Stein wrote:
> Markus Friedl wrote:
> > hints?
> > We uninstalled the default SSH packages openssh-2.1.1p4-1, openssh-server-2.1.1p4-1, and openssh-clients-2.1.1p4-1 of RedHat 7.0 and installed openssh-2.5.2p2 (config, make, install, not from RPM's).
>
> A shot in the dark:
>
> The RPM uninstallation probably removed /etc/pam.d/sshd and was not created/setup correctly when OpenSSH was reinstalled from the source.

One more possible problem: openssh-2.5.2p2 compiled w/out pam/md5 support (--with-pam/--with-md5-passwords). (Quite a few people have compiled 2.5.x without pam support (wasn't pam enabled by default earlier?). Perhaps readme/install should have a warning that you'll probably need either md5-passwords or pam (on Linux anyway) ?)

-Jarno

From Markus.Friedl at informatik.uni-erlangen.de Sat Apr 21 05:51:38 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 20 Apr 2001 21:51:38 +0200
Subject: 2.5.2p2: comments in key files
In-Reply-To: <20010420124641.A4594@lizzy.bugworks.com>; from josb@cncdsl.com on Fri, Apr 20, 2001 at 12:46:41PM -0700
References: <20010420124641.A4594@lizzy.bugworks.com>
Message-ID: <20010420215138.B244@faui02.informatik.uni-erlangen.de>

On Fri, Apr 20, 2001 at 12:46:41PM -0700, Jos Backus wrote:
> It appears to be possible to put comments in DSA key files, even though comments are not supported in those files:

you can put a comment in the public key file, but not in the private key file. this is why '-c' does not work.

-m

From jmknoble at jmknoble.cx Sat Apr 21 05:44:56 2001
From: jmknoble at jmknoble.cx (Jim Knoble)
Date: Fri, 20 Apr 2001 15:44:56 -0400
Subject: Why we can't login ? (fwd)
In-Reply-To: <20010419191948.C27973@folly>; from markus.friedl@informatik.uni-erlangen.de on Thu, Apr 19, 2001 at 07:19:48PM +0200
References: <20010419191948.C27973@folly>
Message-ID: <20010420154456.F3872@zax.half.pint-stowp.cx>

Circa 2001-Apr-19 19:19:48 +0200 dixit Markus Friedl:

: hints?

Did they install the PAM configuration file from OpenSSH-2.5.2p2/contrib/redhat/ into /etc/pam.d/?

: >From: ted_jmt at zapta.com
: >Newsgroups: comp.security.ssh
: >Subject: Why we can't login ?
: >Message-ID:
: >Date: Wed, 18 Apr 2001 22:30:26 GMT
: >Organization: Verio
: >Xref: news.uni-erlangen.de comp.security.ssh:20489
:
: Hello,
:
: We uninstalled the default SSH packages openssh-2.1.1p4-1, openssh-server-2.1.1p4-1, and openssh-clients-2.1.1p4-1 of RedHat 7.0 and installed openssh-2.5.2p2 (config, make, install, not from RPM's).
:
: Now we cannot login at all (we are using the client Secure Shell 2.4.0 as from www.ssh.com on Windows NT 4.0).
:
: We are really clueless where to look for the problem so any help will be greatly appreciated.
:
: Included below is the log of running the ssh server in debug mode.
:
: Thanks,
:
: Tal

--
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 249 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010420/23f90764/attachment.bin

From Darren.Moffat at eng.sun.com Sat Apr 21 06:26:48 2001
From: Darren.Moffat at eng.sun.com (Darren Moffat)
Date: Fri, 20 Apr 2001 13:26:48 -0700 (PDT)
Subject: scp with files > 2gb
Message-ID: <200104202026.f3KKQkB2956810@jurassic.eng.sun.com>

A while back someone posted a patch for scp that updates it to deal with
files > 2gb by using 64 bit offsets as defined by LFS (Large File Summit).

I believe the patch was tested on Linux but maybe not on other systems
that support largefiles.

I've tried this under Solaris and scp fails with a broken pipe on only the
second write to the pipe between scp and ssh if the file is over 2gb.
If the file is under 2gb it works fine.

it fails the second time around the for loop that looks like this in
scp.c:source()

    for (haderr = i = 0; i < stb.st_size; i += bp->cnt) {
        amt = bp->cnt;
        if (i + amt > stb.st_size)
            amt = stb.st_size - i;
        if (!haderr) {
SIGPIPE =====>>>    result = atomicio(read, fd, bp->buf, amt);
            ....
        }

scp from: OpenSSH 2.5.1p2

client and server both Solaris.

Any comments ?

--
Darren J Moffat

From stevesk at sweden.hp.com Sat Apr 21 06:28:32 2001
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Fri, 20 Apr 2001 22:28:32 +0200 (METDST)
Subject: PAM Service Name Patch
In-Reply-To:
Message-ID:

On Fri, 20 Apr 2001 mouring at etoh.eviladmin.org wrote:
: Can we get this documented somewhere since it's new behavior. Maybe in
: INSTALL or README.PAM or something. I really don't want to hear
: complaints about this if people decide they want to rename 'sshd' to
: 'opensshd' for side-by-side testing w/ another sshd.

i wouldn't mind seeing README.PAM with:

PAM general

Solaris

Linux
  distro specific
  ...

HP-UX

does someone want to do this (start with the stuff in INSTALL)?

but for now, what about:

Index: INSTALL
===================================================================
RCS file: /var/cvs/openssh/INSTALL,v
retrieving revision 1.42
diff -u -r1.42 INSTALL
--- INSTALL	2001/03/03 13:29:21	1.42
+++ INSTALL	2001/04/20 20:25:43
@@ -91,16 +91,20 @@ This will install the binaries in /opt/{bin,lib,sbin}, but will place the configuration files in /etc/ssh. -If you are using PAM, you may need to manually install a PAM -control file as "/etc/pam.d/sshd" (or wherever your system -prefers to keep them). A generic PAM configuration is included as -"contrib/sshd.pam.generic", you may need to edit it before using it on -your system. If you are using a recent version of Red Hat Linux, the -config file in contrib/redhat/sshd.pam should be more useful. -Failure to install a valid PAM file may result in an inability to -use password authentication. On HP-UX 11, the standard /etc/pam.conf -configuration will work with sshd (sshd will match the OTHER service -name). +If you are using PAM, you may need to manually install a PAM control +file as "/etc/pam.d/sshd" (or wherever your system prefers to keep +them). Note that the service name used to start PAM is __progname, +which is the basename of the path of your sshd (e.g., the service name +for /usr/sbin/osshd will be osshd). If you have renamed your sshd +executable, your PAM configuration may need to be modified. + +A generic PAM configuration is included as "contrib/sshd.pam.generic", +you may need to edit it before using it on your system. If you are +using a recent version of Red Hat Linux, the config file in +contrib/redhat/sshd.pam should be more useful. Failure to install a +valid PAM file may result in an inability to use password +authentication. On HP-UX 11, the standard /etc/pam.conf configuration +will work with sshd (sshd will match the OTHER service name). There are a few other options to the configure script: From Darren.Moffat at eng.sun.com Sat Apr 21 06:31:44 2001 
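Review bot: the new paragraph explains the service name in terms of "__progname", a C-library identifier that readers of INSTALL will not necessarily recognise; the point is clearer as "the name sshd was invoked as (the basename of argv[0])", keeping the /usr/sbin/osshd example. Since the following paragraph points at contrib/sshd.pam.generic and contrib/redhat/sshd.pam, it is also worth a sentence that those files are installed under the name sshd and must be installed under the new name when the executable is renamed, otherwise the "inability to use password authentication" the paragraph warns about is exactly what happens.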
From: Darren.Moffat at eng.sun.com (Darren Moffat)
Date: Fri, 20 Apr 2001 13:31:44 -0700 (PDT)
Subject: PAM Service Name Patch
Message-ID: <200104202031.f3KKVhB2957509@jurassic.eng.sun.com>

>+authentication. On HP-UX 11, the standard /etc/pam.conf configuration
>+will work with sshd (sshd will match the OTHER service name).

s/HP-UX/HP-UX & Solaris/

s/OTHER/other/

--
Darren J Moffat

From mouring at etoh.eviladmin.org Sat Apr 21 06:24:39 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Fri, 20 Apr 2001 15:24:39 -0500 (CDT)
Subject: PAM Service Name Patch
In-Reply-To:
Message-ID:

Looks good enough for now. I just want something that we can point to.
Even if it's a file most people don't read.=)

- Ben

On Fri, 20 Apr 2001, Kevin Steves wrote:

> On Fri, 20 Apr 2001 mouring at etoh.eviladmin.org wrote:
> : Can we get this documented somewhere since it's new behavior. Maybe in
> : INSTALL or README.PAM or something. I really don't want to hear
> : complaints about this if people decide they want to rename 'sshd' to
> : 'opensshd' for side-by-side testing w/ another sshd.
>
> i wouldn't mind seeing README.PAM with:
>
> PAM general
>
> Solaris
>
> Linux
>   distro specific
>   ...
>
> HP-UX
>
> does someone want to do this (start with the stuff in INSTALL)?
>
> but for now, what about:
>
> Index: INSTALL
> ===================================================================
> RCS file: /var/cvs/openssh/INSTALL,v
> retrieving revision 1.42
> diff -u -r1.42 INSTALL
> --- INSTALL 2001/03/03 13:29:21 1.42
> +++ INSTALL 2001/04/20 20:25:43
> @@ -91,16 +91,20 @@ > This will install the binaries in /opt/{bin,lib,sbin}, but will place the > configuration files in /etc/ssh. > > -If you are using PAM, you may need to manually install a PAM > -control file as "/etc/pam.d/sshd" (or wherever your system > -prefers to keep them). A generic PAM configuration is included as > -"contrib/sshd.pam.generic", you may need to edit it before using it on > -your system. If you are using a recent version of Red Hat Linux, the > -config file in contrib/redhat/sshd.pam should be more useful. > -Failure to install a valid PAM file may result in an inability to > -use password authentication. On HP-UX 11, the standard /etc/pam.conf > -configuration will work with sshd (sshd will match the OTHER service > -name). > +If you are using PAM, you may need to manually install a PAM control > +file as "/etc/pam.d/sshd" (or wherever your system prefers to keep > +them). Note that the service name used to start PAM is __progname, > +which is the basename of the path of your sshd (e.g., the service name > +for /usr/sbin/osshd will be osshd). If you have renamed your sshd > +executable, your PAM configuration may need to be modified. > + > +A generic PAM configuration is included as "contrib/sshd.pam.generic", > +you may need to edit it before using it on your system. If you are > +using a recent version of Red Hat Linux, the config file in > +contrib/redhat/sshd.pam should be more useful. Failure to install a > +valid PAM file may result in an inability to use password > +authentication. On HP-UX 11, the standard /etc/pam.conf configuration > +will work with sshd (sshd will match the OTHER service name). > > There are a few other options to the configure script: > > > From stevesk at sweden.hp.com Sat Apr 21 06:51:15 2001 
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Fri, 20 Apr 2001 22:51:15 +0200 (METDST)
Subject: PAM Service Name Patch
In-Reply-To: <200104202031.f3KKVhB2957509@jurassic.eng.sun.com>
Message-ID:

On Fri, 20 Apr 2001, Darren Moffat wrote:
: s/HP-UX/HP-UX & Solaris/
:
: s/OTHER/other/

other is matched case insensitive, at least on hp-ux. and default
pam.conf does use OTHER there, which is why i used uppercase when i
originally added that text. but i think other is fine.

From tal at zapta.com Sat Apr 21 06:48:42 2001
From: tal at zapta.com (Tal Dayan)
Date: Fri, 20 Apr 2001 13:48:42 -0700
Subject: Why we can't login ? (fwd)
In-Reply-To: <20010420154456.F3872@zax.half.pint-stowp.cx>
Message-ID:

Hi Jim,

Yes, we had the pam.d/sshd in place but the problem is that by default
it does not install the PAM support at all. When we reinstalled it with the
'--with-pam' switch of ./configure, it worked just fine.

I would expect the password authentication to be enabled by default since it
is a very common method of authentication.

Tal

> -----Original Message-----
> From: Jim Knoble [mailto:jmknoble at jmknoble.cx]
> Sent: Friday, April 20, 2001 12:45 PM
> To: openssh-unix-dev at mindrot.org
> Cc: ted_jmt at zapta.com
> Subject: Re: Why we can't login ? (fwd)
>
>
> Circa 2001-Apr-19 19:19:48 +0200 dixit Markus Friedl:
>
> : hints?
>
> Did they install the PAM configuration file from
> OpenSSH-2.5.2p2/contrib/redhat/ into /etc/pam.d/?
>
> : >From: ted_jmt at zapta.com
> : >Newsgroups: comp.security.ssh
> : >Subject: Why we can't login ?
> : >Message-ID:
> : >Date: Wed, 18 Apr 2001 22:30:26 GMT
> : >Organization: Verio
> : >Xref: news.uni-erlangen.de comp.security.ssh:20489
> :
> : Hello,
> :
> : We uninstalled the default SSH packages openssh-2.1.1p4-1,
> : openssh-server-2.1.1p4-1, and openssh-clients-2.1.1p4-1 of RedHat 7.0
> : and installed openssh-2.5.2p2 (config, make, install, not from RPM's).
> :
> : Now we cannot login at all (we are using the client Secure Shell 2.4.0
> : as from www.ssh.com on Windows NT 4.0).
> :
> : We are really clueless where to look for the problem so any help will
> : be greatly appreciated.
> :
> : Included below is the log of running the ssh server in debug mode.
> :
> : Thanks,
> :
> : Tal
>
> --
> jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/
> (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
>

From josb at cncdsl.com Sat Apr 21 07:15:45 2001
From: josb at cncdsl.com (Jos Backus)
Date: Fri, 20 Apr 2001 14:15:45 -0700
Subject: 2.5.2p2: comments in key files
In-Reply-To: <20010420215138.B244@faui02.informatik.uni-erlangen.de>; from Markus.Friedl@informatik.uni-erlangen.de on Fri, Apr 20, 2001 at 09:51:16PM +0200
References: <20010420124641.A4594@lizzy.bugworks.com> <20010420215138.B244@faui02.informatik.uni-erlangen.de>
Message-ID: <20010420141545.B4594@lizzy.bugworks.com>

On Fri, Apr 20, 2001 at 09:51:16PM +0200, Markus Friedl wrote:
> On Fri, Apr 20, 2001 at 12:46:41PM -0700, Jos Backus wrote:
> > It appears to be possible to put comments in DSA key files, even though
> > comments are not supported in those files:
>
> you can put a comment in the public key file, but
> not in the private key file. this is why '-c'
> does not work.

I know, but the current behavior of -c seems wrong, as it is supposed to let
you edit comments but it doesn't let you.

--
Jos Backus                    "Modularity is not a hack."
josb at cncdsl.com                  -- D. J. Bernstein
use Std::Disclaimer;

From stevesk at sweden.hp.com Sat Apr 21 07:22:31 2001
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Fri, 20 Apr 2001 23:22:31 +0200 (METDST)
Subject: PAM and -u0
In-Reply-To:
Message-ID:

On Sat, 31 Mar 2001, Damien Miller wrote:
: > is this change ok? goal is that PAM with -u0 does not use DNS (like
: > without PAM).
:
: You should also remove the 'extern ServerOptions options;' from the
: beginning of the function.
:
: > +/* XXX: move to header file */
: > +const char *
: > +get_remote_name_or_ip(void);
:
: Either that or add the remote host/address as an argument to start_pam()

get_remote_name_or_ip() is now public, so we can do this:

ok?

Index: auth-pam.c
===================================================================
RCS file: /var/cvs/openssh/auth-pam.c,v
retrieving revision 1.35
diff -u -r1.35 auth-pam.c
--- auth-pam.c	2001/04/20 17:43:47	1.35
+++ auth-pam.c	2001/04/20 21:19:07
@@ -348,6 +348,8 @@ { int pam_retval; extern ServerOptions options; + extern int utmp_len; + const char *rhost; debug("Starting up PAM with username \"%.200s\"", user); @@ -357,10 +359,10 @@ fatal("PAM initialisation failed[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); - debug("PAM setting rhost to \"%.200s\"", - get_canonical_hostname(options.reverse_mapping_check)); - pam_retval = pam_set_item(__pamh, PAM_RHOST, - get_canonical_hostname(options.reverse_mapping_check)); + rhost = get_remote_name_or_ip(utmp_len, options.reverse_mapping_check); + debug("PAM setting rhost to \"%.200s\"", rhost); + + pam_retval = pam_set_item(__pamh, PAM_RHOST, rhost); if (pam_retval != PAM_SUCCESS) fatal("PAM set rhost failed[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); From jseymour at LinxNet.com Sat Apr 21 07:24:07 2001 From: jseymour at LinxNet.com (Jim Seymour) Date: Fri, 20 Apr 2001 17:24:07 -0400 (EDT) Subject: Could not load host key Message-ID: <20010420212407.6CF014301@jimsun.LinxNet.com> Hi All, So I tried to upgrade to 2.5.2p2 today. Got this when I stopped/started sshd: Disabling protocol version 2. Could not load host key Re-installed 2.3.0p1 and all was well again. This look familiar to anybody? Thanks, Jim -- Jim Seymour | PGP Public Key available at: jseymour at jimsun.LinxNet.com | http://www.uk.pgp.net/pgpnet/pks-commands.html http://jimsun.LinxNet.com | From dprevett at cs.unm.edu Sat Apr 21 07:37:02 2001 
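Review bot: `extern int utmp_len;` declared inside start_pam() redeclares a global with a type chosen at the use site, and the follow-up version of this patch later in the thread declares the same variable as `extern u_int utmp_len;`, so the two declarations disagree; the declaration belongs in a header (the "XXX: move to header file" comment quoted above makes the same point) so the compiler can check it. The `extern ServerOptions options;` that was asked to be removed is still needed here only because options.reverse_mapping_check is passed to get_remote_name_or_ip(); passing rhost into start_pam() from the caller, as suggested, would let both externs go.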
From: dprevett at cs.unm.edu (Daniel Prevett)
Date: Fri, 20 Apr 2001 15:37:02 -0600 (MDT)
Subject: Could not load host key
In-Reply-To: <20010420212407.6CF014301@jimsun.LinxNet.com>
Message-ID:

On Fri, 20 Apr 2001, Jim Seymour wrote:

> Hi All,
>
> So I tried to upgrade to 2.5.2p2 today. Got this when I stopped/started
> sshd:
>
> Disabling protocol version 2. Could not load host key
>
> Re-installed 2.3.0p1 and all was well again.
>
> This look familiar to anybody?
>
>
> Thanks,
> Jim
> --
> Jim Seymour                   | PGP Public Key available at:
> jseymour at jimsun.LinxNet.com   | http://www.uk.pgp.net/pgpnet/pks-commands.html
> http://jimsun.LinxNet.com     |

Yep, it does look familiar. Look at your sshd_config for the HostKey
entries. If I remember correctly, 2.5.1 added support for DSA and RSA
hostkeys. My guess is that sshd is not finding either of those for SSH2
support. I have the following in my sshd_config file:

HostKey /usr/local/etc/ssh_host_key
HostKey /usr/local/etc/ssh_host_dsa_key
HostKey /usr/local/etc/ssh_host_rsa_key

and of course those three host keys exist. ssh_host_dsa_key and
ssh_host_rsa_key are for SSH2 (I believe). ssh_host_key is for SSH1 only.
I believe all three keys are generated by the makefile and are installed
when you do a 'make install'. If you're upgrading from rpms you're on your
own, as I know nothing about them.

-Daniel

From stevev at darkwing.uoregon.edu Sat Apr 21 07:40:41 2001
From: stevev at darkwing.uoregon.edu (Steve VanDevender)
Date: Fri, 20 Apr 2001 14:40:41 -0700
Subject: Could not load host key
In-Reply-To: <20010420212407.6CF014301@jimsun.LinxNet.com>
References: <20010420212407.6CF014301@jimsun.LinxNet.com>
Message-ID: <15072.44249.553073.757461@darkwing.uoregon.edu>

Jim Seymour writes:
> Hi All,
>
> So I tried to upgrade to 2.5.2p2 today. Got this when I stopped/started
> sshd:
>
> Disabling protocol version 2. Could not load host key
>
> Re-installed 2.3.0p1 and all was well again.
>
> This look familiar to anybody?

You need to update your sshd_config with the pathnames of the various
host keys it needs. See the default config file created in your OpenSSH
build. You may also need to create additional host keys (specifically
the SSH2 RSA key).

From jesus at omniti.com Sat Apr 21 08:18:34 2001
From: jesus at omniti.com (Theo E. Schlossnagle)
Date: Fri, 20 Apr 2001 18:18:34 -0400
Subject: scp with files > 2gb
References: <200104202026.f3KKQkB2956810@jurassic.eng.sun.com>
Message-ID: <3AE0B5D0.6124A268@omniti.com>

Darren Moffat wrote:
>
> A while back someone posted a patch for scp that updates it to deal with
> files > 2gb by using 64 bit offsets as defined by LFS (Large File Summit).
>
> I believe the patch was tested on Linux but maybe not on other systems
> that support largefiles.
>
> I've tried this under Solaris and scp fails with a broken pipe on only the
> second write to the pipe between scp and ssh if the file is over 2gb.
> If the file is under 2gb it works fine.
> scp from: OpenSSH 2.5.1p2
> client and server both Solaris.
> Any comments ?

I am running OpenSSH on Solaris 2.6 and I can copy large files from
Sol2.6 -> Sol2.6 using OpenSSH 2.5.1p2 and 2.3.0p1.

I did get a sigpipe when my filesystem wasn't created and mounted with
largefiles enabled. I use Veritas, so after I make the fs, I mount it and
use fsadm to turn on largefiles support. After that, everything worked
like a charm.

--
Theo Schlossnagle
1024D/A8EBCF8F/13BD 8C08 6BE2 629A 527E 2DC2 72C2 AD05 A8EB CF8F
2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7

From RCDavis at intermedia.com Sat Apr 21 08:28:46 2001
From: RCDavis at intermedia.com (Davis, Ricardo C.)
Date: Fri, 20 Apr 2001 18:28:46 -0400
Subject: Restrict account to only use sftp not working
Message-ID: <77DA8BE17C46D2118B7A00805FA7D051047ADB52@TPAEXCH2>

Hi all,

I'm setting up a system where users will only be able to use "sftp" but
not "ssh" to connect to the server
(http://www.snailbook.com/faq/restricted-scp.auto.html). Here's the setup...

Server: OpenSSH 2.5.2p2-1 on RH Linux
Client: Commercial SSH 2.4 on Solaris

The vendor on the client system creates a key pair and sends it to me. I
then add the vendor's public key to the authorized_keys2 file on the
account on the server that the vendor will be using:

__________________________________________________________________________
from="server.vendor.com",command="/usr/libexec/openssh/sftp-server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss
__________________________________________________________________________

But when the vendor logged in using the ssh2 client, here's what happened:

___________________________________________________________________________
{vendor on telluride}/export/home/vendor% ssh -d2 vendor at ftserver
debug: connecting to ftserver...
debug: entering event loop
debug: ssh_client_wrap: creating transport protocol
debug: SshAuthMethodClient/sshauthmethodc.c:105/ssh_client_authentication_initialize: Added "publickey" to usable meth
debug: SshAuthMethodClient/sshauthmethodc.c:105/ssh_client_authentication_initialize: Added "password" to usable metho
debug: Ssh2Client/sshclient.c:1104/ssh_client_wrap: creating userauth protocol
debug: Ssh2Common/sshcommon.c:487/ssh_common_wrap: local ip = ...., local port = 32912
debug: Ssh2Common/sshcommon.c:489/ssh_common_wrap: remote ip = ...., remote port = 22
debug: SshConnection/sshconn.c:1853/ssh_conn_wrap: Wrapping...
debug: Ssh2Transport/trcommon.c:593/ssh_tr_input_version: Remote version: SSH-2.0-OpenSSH_2.5.2p2
debug: Ssh2Transport/trcommon.c:1068/ssh_tr_negotiate: c_to_s: cipher 3des-cbc, mac hmac-sha1, compression none
debug: Ssh2Transport/trcommon.c:1071/ssh_tr_negotiate: s_to_c: cipher 3des-cbc, mac hmac-sha1, compression none
debug: Ssh2Client/sshclient.c:399/keycheck_key_match: Host key found from database.
debug: Ssh2Common/sshcommon.c:297/ssh_common_special: Received SSH_CROSS_STARTUP packet from connection protocol.
debug: Ssh2Common/sshcommon.c:347/ssh_common_special: Received SSH_CROSS_ALGORITHMS packet from connection protocol.
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:777/ssh_client_auth_pubkey_agent_list_complete: adding keyfile "/export/hom
Forced command: /usr/libexec/openssh/sftp-server
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:330/ssh_client_auth_pubkey_send_signature: Constructing and sending signatu
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:423/ssh_client_auth_pubkey_send_signature: ssh_client_auth_pubkey_send_sign
Port forwarding disabled.
X11 forwarding disabled.
Agent forwarding disabled.
Forced command: /usr/libexec/openssh/sftp-server
Port forwarding disabled.
X11 forwarding disabled.
Agent forwarding disabled.
debug: Ssh2Common/sshcommon.c:263/ssh_common_special: Received SSH_CROSS_AUTHENTICATED packet from connection protocol
Authentication successful.
debug: Ssh2Common/sshcommon.c:686/ssh_common_new_channel: num_channels now 1
debug: DISPLAY not set; X11 forwarding disabled.
...
___________________________________________________________________________

After the "Authentication successful." message, the vendor did not get a
system prompt. But the vendor could get a listing and move around the
filesystem. I would expect that the vendor would not be able to do anything.
Indeed, to test this I set up an account on the server and used the OpenSSH
"ssh" client to log into the account as the vendor did.
I authenticated but didn't get a command prompt and when I typed any
command the server responded with "bad command" and exited. If I used
the OpenSSH "sftp" client and logged in, it operated as expected.

Did I miss something in setting up the server, or was the client able to
do something it shouldn't have?

From Darren.Moffat at eng.sun.com Sat Apr 21 09:04:57 2001
From: Darren.Moffat at eng.sun.com (Darren Moffat)
Date: Fri, 20 Apr 2001 16:04:57 -0700 (PDT)
Subject: scp with files > 2gb
Message-ID: <200104202304.f3KN4tB2987657@jurassic.eng.sun.com>

Theo E. Schlossnagle wrote:
>> I've tried this under Solaris and scp fails with a broken pipe on only the
>> second write to the pipe between scp and ssh if the file is over 2gb.

Theo>filesystem wasn't created and mounted with largefiles enabled.

That wasn't it. I found the problem, I hadn't copied the scp program with
the patch applied to the remote machine, doh!

So I can now confirm that the patch does indeed work just fine on Solaris.

--
Darren J Moffat

From djm at mindrot.org Sat Apr 21 10:38:17 2001
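An added defender-side check for the authorized_keys option pattern in Ricardo Davis's restricted-sftp message above (editor's example, not code from OpenSSH or from anyone on the list): it splits the option field the way sshd does, honouring quoted values and backslash escapes, and reports entries that lack the forced sftp-server command, any of the three no-*-forwarding options, or a from= restriction. The sample entries, key blobs and host name are constructed; the sftp-server path is the one from the message.

```python
# Editor's example: audit authorized_keys entries for the restricted-sftp pattern.
from typing import Dict, List, Tuple

SFTP_SERVER = "/usr/libexec/openssh/sftp-server"   # path from the message above
REQUIRED_FLAGS = ("no-port-forwarding", "no-X11-forwarding", "no-agent-forwarding")
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def split_options(field: str) -> List[str]:
    """Split the option field on commas that are outside double quotes.
    A backslash inside quotes escapes the next character; quotes are dropped."""
    items, cur, in_quotes, i = [], [], False, 0
    while i < len(field):
        ch = field[i]
        if in_quotes and ch == "\\" and i + 1 < len(field):
            cur.append(field[i + 1])        # escaped character, taken literally
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quote in option field")
    if cur:
        items.append("".join(cur))
    return items


def parse_entry(line: str) -> Tuple[Dict[str, str], str, str]:
    """Return (options, key type, comment) for one authorized_keys line.
    Options precede the key type and end at the first unquoted space."""
    line = line.strip()
    if not line or line.startswith("#"):
        raise ValueError("blank or comment line")
    if line.split(None, 1)[0] in KEY_TYPES:
        opt_field, rest = "", line
    else:
        in_quotes = False
        for i, ch in enumerate(line):
            if ch == '"' and (i == 0 or line[i - 1] != "\\"):
                in_quotes = not in_quotes
            elif ch.isspace() and not in_quotes:
                break
        else:
            raise ValueError("no key material after option field")
        opt_field, rest = line[:i], line[i:].strip()
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("unrecognised key type")
    options: Dict[str, str] = {}
    for item in split_options(opt_field) if opt_field else []:
        name, _, value = item.partition("=")   # flags get an empty value
        options[name] = value
    return options, fields[0], fields[2] if len(fields) == 3 else ""


def audit_entry(line: str, sftp_server: str = SFTP_SERVER) -> List[str]:
    """Findings for one entry; an empty list means it matches the pattern."""
    options = parse_entry(line)[0]
    findings = []
    if options.get("command") != sftp_server:
        findings.append("command= is missing or does not force %s" % sftp_server)
    findings += ["missing %s" % f for f in REQUIRED_FLAGS if f not in options]
    if "from" not in options:
        findings.append("no from= restriction: the key is usable from any host")
    return findings


def audit_file(text: str, sftp_server: str = SFTP_SERVER) -> Dict[int, List[str]]:
    """Audit every non-comment line of an authorized_keys file, keyed by line number."""
    report = {}
    for number, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        try:
            report[number] = audit_entry(raw, sftp_server)
        except ValueError as exc:
            report[number] = ["unparseable entry: %s" % exc]
    return report


# Constructed sample file: the key blobs and host name are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# vendor account, restricted to sftp as in the message above
from="server.vendor.com",command="/usr/libexec/openssh/sftp-server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER vendor@server.vendor.com
command="/usr/libexec/openssh/sftp-server" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQPLACEHOLDER forced-command-only
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQPLACEHOLDER unrestricted-shell-key
"""

if __name__ == "__main__":
    for number, findings in sorted(audit_file(SAMPLE_AUTHORIZED_KEYS).items()):
        print("line %d: %s" % (number, "; ".join(findings) or "OK"))
```

The first sample entry is the vendor's line as posted; the other two show what the check reports when the forwarding options or the forced command are left out.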
From: djm at mindrot.org (Damien Miller) Date: Sat, 21 Apr 2001 10:38:17 +1000 (EST) Subject: PAM and -u0 In-Reply-To: Message-ID: On Fri, 20 Apr 2001, Kevin Steves wrote: > On Sat, 31 Mar 2001, Damien Miller wrote: > : > is this change ok? goal is that PAM with -u0 does not use DNS (like > : > without PAM). > : > : You should also remove the 'extern ServerOptions options;' from the > : beginning of the function. > : > : > +/* XXX: move to header file */ > : > +const char * > : > +get_remote_name_or_ip(void); > : > : Either that or add the remote host/address as an argument to start_pam() > > get_remote_name_or_ip() is now public, so we can do this: Perhaps pass the hostname in to start_pam so we can get rid of the extern ServerOptions too? > ok? > > Index: auth-pam.c > =================================================================== > RCS file: /var/cvs/openssh/auth-pam.c,v > retrieving revision 1.35 > diff -u -r1.35 auth-pam.c > --- auth-pam.c 2001/04/20 17:43:47 1.35 > +++ auth-pam.c 2001/04/20 21:19:07 > @@ -348,6 +348,8 @@ > { > int pam_retval; > extern ServerOptions options; > + extern int utmp_len; > + const char *rhost; > > debug("Starting up PAM with username \"%.200s\"", user); 
> > @@ -357,10 +359,10 @@ > fatal("PAM initialisation failed[%d]: %.200s", > pam_retval, PAM_STRERROR(__pamh, pam_retval)); > > - debug("PAM setting rhost to \"%.200s\"", > - get_canonical_hostname(options.reverse_mapping_check)); > - pam_retval = pam_set_item(__pamh, PAM_RHOST, > - get_canonical_hostname(options.reverse_mapping_check)); > + rhost = get_remote_name_or_ip(utmp_len, options.reverse_mapping_check); > + debug("PAM setting rhost to \"%.200s\"", rhost); > + > + pam_retval = pam_set_item(__pamh, PAM_RHOST, rhost); > if (pam_retval != PAM_SUCCESS) > fatal("PAM set rhost failed[%d]: %.200s", pam_retval, > PAM_STRERROR(__pamh, pam_retval)); > -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From markus.friedl at informatik.uni-erlangen.de Sat Apr 21 22:36:02 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 21 Apr 2001 14:36:02 +0200 Subject: Why we can't login ? (fwd) In-Reply-To: ; from tal@zapta.com on Fri, Apr 20, 2001 at 01:48:42PM -0700 References: <20010420154456.F3872@zax.half.pint-stowp.cx> Message-ID: <20010421143602.A29537@folly> On Fri, Apr 20, 2001 at 01:48:42PM -0700, Tal Dayan wrote: > Hi Jim, > > Yes, we had the pam.d/sshd in place but the problem is that by default > it does not install the PAM support at all. When we reinstalled it with the > '--with-pam' switch of ./configure, it worked just fine. > > I would expect the password authentication to be enabled by default since it > a very common method of authentications. PAM is different from unix to unix and from linux to linux. this is why it's not enabled by default. From markus.friedl at informatik.uni-erlangen.de Sat Apr 21 22:38:56 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sat, 21 Apr 2001 14:38:56 +0200
Subject: 2.5.2p2: comments in key files
In-Reply-To: <20010420141545.B4594@lizzy.bugworks.com>; from josb@cncdsl.com on Fri, Apr 20, 2001 at 02:15:45PM -0700
References: <20010420124641.A4594@lizzy.bugworks.com> <20010420215138.B244@faui02.informatik.uni-erlangen.de> <20010420141545.B4594@lizzy.bugworks.com>
Message-ID: <20010421143856.B29537@folly>

On Fri, Apr 20, 2001 at 02:15:45PM -0700, Jos Backus wrote:
> On Fri, Apr 20, 2001 at 09:51:16PM +0200, Markus Friedl wrote:
> > On Fri, Apr 20, 2001 at 12:46:41PM -0700, Jos Backus wrote:
> > > It appears to be possible to put comments in DSA key files, even though
> > > comments are not supported in those files:
> >
> > you can put a comment in the public key file, but
> > not in the private key file. this is why '-c'
> > does not work.
>
> I know, but the current behavior of -c seems wrong, as it is supposed to let
> you edit comments but it doesn't let you.

i'm not sure. -c does not edit this private key.
for editing the public key you don't need ssh-keygen.

From stevesk at sweden.hp.com Sun Apr 22 05:11:42 2001
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Sat, 21 Apr 2001 21:11:42 +0200 (METDST)
Subject: PAM and -u0
In-Reply-To:
Message-ID:

On Sat, 21 Apr 2001, Damien Miller wrote:
: Perhaps pass the hostname in to start_pam so we can get rid of the
: extern ServerOptions too?

like this? cleaner from a auth-pam api standpoint, but adds more to the
openbsd diff. not sure what is best.

Index: auth-pam.h
===================================================================
RCS file: /var/cvs/openssh/auth-pam.h,v
retrieving revision 1.11
diff -u -r1.11 auth-pam.h
--- auth-pam.h	2001/03/27 06:12:24	1.11
+++ auth-pam.h	2001/04/21 19:04:24
@@ -5,7 +5,7 @@ #include /* For struct passwd */ -void start_pam(const char *user); +void start_pam(const char *user, const char *rhost); void finish_pam(void); int auth_pam_password(struct passwd *pw, const char *password); char **fetch_pam_environment(void); Index: auth-pam.c =================================================================== RCS file: /var/cvs/openssh/auth-pam.c,v retrieving revision 1.35 diff -u -r1.35 auth-pam.c --- auth-pam.c 2001/04/20 17:43:47 1.35 +++ auth-pam.c 2001/04/21 19:04:26 @@ -344,7 +344,7 @@ } /* Start PAM authentication for specified account */ -void start_pam(const char *user) +void start_pam(const char *user, const char *rhost) { int pam_retval; extern ServerOptions options; @@ -357,10 +357,8 @@ fatal("PAM initialisation failed[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); - debug("PAM setting rhost to \"%.200s\"", - get_canonical_hostname(options.reverse_mapping_check)); - pam_retval = pam_set_item(__pamh, PAM_RHOST, - get_canonical_hostname(options.reverse_mapping_check)); + debug("PAM setting rhost to \"%.200s\"", rhost); + pam_retval = pam_set_item(__pamh, PAM_RHOST, rhost); if (pam_retval != PAM_SUCCESS) fatal("PAM set rhost failed[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); Index: auth1.c =================================================================== RCS file: /var/cvs/openssh/auth1.c,v retrieving revision 1.40 diff -u -r1.40 auth1.c --- auth1.c 2001/03/24 00:37:59 1.40 +++ auth1.c 2001/04/21 19:04:27 @@ -24,9 +24,11 @@ #include "auth.h" #include "session.h" #include "misc.h" +#include "canohost.h" /* import */ extern ServerOptions options; +extern u_int utmp_len; #ifdef WITH_AIXAUTHENTICATE extern char *aixloginmsg; 
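Review bot: in the auth-pam.c hunk, `extern ServerOptions options;` is still declared in start_pam() although rhost is now a parameter and the only use of options in the hunk (the two get_canonical_hostname(options.reverse_mapping_check) calls) is removed; if nothing else in the function reads options, drop the extern, since that was the point of passing rhost in. The auth1.c and auth2.c callers then repeat `get_remote_name_or_ip(utmp_len, options.reverse_mapping_check)` at every call site (twice in auth2.c, once for the valid user and once for "NOUSER"); computing it once into a local before the if/else keeps the two branches in step and avoids the added `extern u_int utmp_len;` in files that did not previously need it.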
@@ -399,7 +401,8 @@ #ifdef USE_PAM if (pw) - start_pam(user); + start_pam(user, get_remote_name_or_ip(utmp_len, + options.reverse_mapping_check)); #endif /* Index: auth2.c =================================================================== RCS file: /var/cvs/openssh/auth2.c,v retrieving revision 1.58 diff -u -r1.58 auth2.c --- auth2.c 2001/04/19 20:50:07 1.58 +++ auth2.c 2001/04/21 19:04:31 @@ -56,6 +56,7 @@ extern ServerOptions options; extern u_char *session_id2; extern int session_id2_len; +extern u_int utmp_len; #ifdef WITH_AIXAUTHENTICATE extern char *aixloginmsg; @@ -206,12 +207,14 @@ authctxt->valid = 1; debug2("input_userauth_request: setting up authctxt for %s", user); #ifdef USE_PAM - start_pam(pw->pw_name); + start_pam(pw->pw_name, get_remote_name_or_ip(utmp_len, + options.reverse_mapping_check)); #endif } else { log("input_userauth_request: illegal user %s", user); #ifdef USE_PAM - start_pam("NOUSER"); + start_pam("NOUSER", get_remote_name_or_ip(utmp_len, + options.reverse_mapping_check)); #endif } setproctitle("%s", pw ? user : "unknown"); From tal at zapta.com Sun Apr 22 05:20:53 2001 From: tal at zapta.com (Tal Dayan) Date: Sat, 21 Apr 2001 12:20:53 -0700 Subject: Why we can't login ? (fwd) In-Reply-To: <20010421143602.A29537@folly> Message-ID: Yes, I understand the technical reason, and it is probably very challenging to support so many derivatives of Unix. However, password authentication is a key feature of SSH and Redhat Linux is one of the primary platforms on which Openssh is used. Isn't it the job of the 'configure' step to customize the configuration to specifics of the platform in use ? Having it making an intelligent decision regarding the PAM, at least for few common platforms, will be appreciated by many users. Tal > -----Original Message----- 
> From: Markus Friedl [mailto:markus.friedl at informatik.uni-erlangen.de]
> Sent: Saturday, April 21, 2001 5:36 AM
> To: Tal Dayan
> Cc: Jim Knoble; openssh-unix-dev at mindrot.org; ted_jmt at zapta.com
> Subject: Re: Why we can't login ? (fwd)
>
>
> On Fri, Apr 20, 2001 at 01:48:42PM -0700, Tal Dayan wrote:
> > Hi Jim,
> >
> > Yes, we had the pam.d/sshd in place but the problem is that by default
> > it does not install the PAM support at all. When we reinstalled it with the
> > '--with-pam' switch of ./configure, it worked just fine.
> >
> > I would expect the password authentication to be enabled by default since it
> > a very common method of authentications.
>
> PAM is different from unix to unix and from linux to linux.
>
> this is why it's not enabled by default.
>

From josb at cncdsl.com Sun Apr 22 07:57:00 2001
From: josb at cncdsl.com (Jos Backus)
Date: Sat, 21 Apr 2001 14:57:00 -0700
Subject: 2.5.2p2: comments in key files
In-Reply-To: <20010421143856.B29537@folly>; from markus.friedl@informatik.uni-erlangen.de on Sat, Apr 21, 2001 at 02:38:34PM +0200
References: <20010420124641.A4594@lizzy.bugworks.com> <20010420215138.B244@faui02.informatik.uni-erlangen.de> <20010420141545.B4594@lizzy.bugworks.com> <20010421143856.B29537@folly>
Message-ID: <20010421145700.A15534@lizzy.bugworks.com>

On Sat, Apr 21, 2001 at 02:38:34PM +0200, Markus Friedl wrote:
> i'm not sure. -c does not edit this private key.
> for editing the public key you don't need ssh-keygen.

So editing the public key to add/edit a comment is the sanctioned way?
Sounds good to me, thanks.

--
Jos Backus                    "Modularity is not a hack."
josb at cncdsl.com                  -- D. J. Bernstein
use Std::Disclaimer;

From djm at mindrot.org Sun Apr 22 10:15:52 2001
From: djm at mindrot.org (Damien Miller)
Date: Sun, 22 Apr 2001 10:15:52 +1000 (EST)
Subject: PAM and -u0
In-Reply-To:
Message-ID:

On Sat, 21 Apr 2001, Kevin Steves wrote:

> On Sat, 21 Apr 2001, Damien Miller wrote:
> : Perhaps pass the hostname in to start_pam so we can get rid of the
> : extern ServerOptions too?
>
> like this? cleaner from a auth-pam api standpoint, but adds more to the
> openbsd diff. not sure what is best.

I see what you mean now, I have a slight preference to avoiding externs in
places that don't already have them.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From Denis.Ducamp at hsc.fr Sun Apr 22 11:41:08 2001
From: Denis.Ducamp at hsc.fr (Denis Ducamp)
Date: Sun, 22 Apr 2001 03:41:08 +0200
Subject: relaxing access rights verifications
Message-ID: <20010422034108.M19561@hsc.fr>

Hello,

I was trying to build a chrooted sftp account when I faced a problem.
The chroot is done with the patch present in the contrib subdirectory in
the portable version (I'm under linux slackware current).

My problem is that the verification of access rights on directories and
files is too tight, so I couldn't have the following:

The user sftp, with primary group sftp, is chrooted in /home/sftp/ and
his home is / (in the chroot).

drwxrwxr-t    8 root     sftp         4096 Apr 22 03:13 /home/sftp/./
drwxr-x---    3 root     sftp         4096 Apr 22 03:07 /home/sftp/.//.ssh/
-rw-r-----    1 root     sftp          641 Apr 22 03:12 /home/sftp/.//.ssh/authorized_keys2
-rw-r-----    1 root     sftp          668 Apr 21 23:42 /home/sftp/.//.ssh/id_dsa
-rw-r-----    1 root     sftp          600 Apr 21 23:42 /home/sftp/.//.ssh/id_dsa.pub

This is necessary because I don't want him to modify directories such as
.ssh, bin, lib, ... in his chroot, whereas he is able to create all that
he wants in his home.

So here is a patch to permit:
. file readable by group if owned by root
. directories writeable by group if owned by root

I added two functions temporarily_use_gid and restore_gid to permit
access to the authorized_keys2 file. The gid used is the primary group
of the user.

This patch fixes only the cases I met.

Here is an up to date chroot patch for 2.5.2p2 too.

And the most important: thanks to all developers of such great tools.

Regards,

Denis Ducamp.

-- 
Denis.Ducamp at hsc.fr --- Hervé Schauer Consultants --- http://www.hsc.fr/
snort, hping & dsniff in French : http://www.groar.org/~ducamp/#sec-trad
On the proper use of ... http://usenet-fr.news.eu.org/fr-chartes/rfc1855.html
Netiquette Guidelines ....
http://www.pasteur.fr/infosci/RFC/18xx/1855 -------------- next part -------------- diff -ur openssh-2.5.2p2.orig/auth-rhosts.c openssh-2.5.2p2/auth-rhosts.c --- openssh-2.5.2p2.orig/auth-rhosts.c Fri Feb 9 03:11:24 2001 +++ openssh-2.5.2p2/auth-rhosts.c Sun Apr 22 01:19:56 2001 @@ -215,7 +215,8 @@ } if (options.strict_modes && ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || - (st.st_mode & 022) != 0)) { + (st.st_uid == 0 && (st.st_mode & 002) != 0) || + (st.st_uid != 0 && (st.st_mode & 022) != 0))) { log("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.", pw->pw_name); packet_send_debug("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.", diff -ur openssh-2.5.2p2.orig/auth-rsa.c openssh-2.5.2p2/auth-rsa.c --- openssh-2.5.2p2.orig/auth-rsa.c Mon Mar 5 07:47:00 2001 +++ openssh-2.5.2p2/auth-rsa.c Sun Apr 22 01:14:18 2001 @@ -162,7 +162,8 @@ /* Check open file in order to avoid open/stat races */ if (fstat(fileno(f), &st) < 0 || (st.st_uid != 0 && st.st_uid != pw->pw_uid) || - (st.st_mode & 022) != 0) { + (st.st_uid == 0 && (st.st_mode & 002) != 0) || + (st.st_uid != 0 && (st.st_mode & 022) != 0)) { snprintf(buf, sizeof buf, "RSA authentication refused for %.100s: " "bad ownership or modes for '%s'.", pw->pw_name, file); fail = 1; @@ -176,7 +177,8 @@ snprintf(line, sizeof line, "%.500s/%.100s", pw->pw_dir, check[i]); if (stat(line, &st) < 0 || (st.st_uid != 0 && st.st_uid != pw->pw_uid) || - (st.st_mode & 022) != 0) { + (st.st_uid == 0 && (st.st_mode & 002) != 0) || + (st.st_uid != 0 && (st.st_mode & 022) != 0)) { snprintf(buf, sizeof buf, "RSA authentication refused for %.100s: " "bad ownership or modes for '%s'.", pw->pw_name, line); fail = 1; diff -ur openssh-2.5.2p2.orig/auth2.c openssh-2.5.2p2/auth2.c --- openssh-2.5.2p2.orig/auth2.c Sun Mar 11 21:01:56 2001 +++ openssh-2.5.2p2/auth2.c Sun Apr 22 01:05:40 2001 
@@ -586,6 +586,7 @@ return 0; /* Temporarily use the user's uid. */ + temporarily_use_gid(pw->pw_gid); temporarily_use_uid(pw->pw_uid); /* The authorized keys. */ @@ -596,6 +597,7 @@ if (stat(file, &st) < 0) { /* Restore the privileged uid. */ restore_uid(); + restore_gid(); return 0; } /* Open the file containing the authorized keys. */ @@ -603,6 +605,7 @@ if (!f) { /* Restore the privileged uid. */ restore_uid(); + restore_gid(); return 0; } if (options.strict_modes) { @@ -611,7 +614,8 @@ /* Check open file in order to avoid open/stat races */ if (fstat(fileno(f), &st) < 0 || (st.st_uid != 0 && st.st_uid != pw->pw_uid) || - (st.st_mode & 022) != 0) { + (st.st_uid == 0 && (st.st_mode & 002) != 0) || + (st.st_uid != 0 && (st.st_mode & 022) != 0)) { snprintf(buf, sizeof buf, "%s authentication refused for %.100s: " "bad ownership or modes for '%s'.", @@ -628,7 +632,8 @@ pw->pw_dir, check[i]); if (stat(line, &st) < 0 || (st.st_uid != 0 && st.st_uid != pw->pw_uid) || - (st.st_mode & 022) != 0) { + (st.st_uid == 0 && (st.st_mode & 002) != 0) || + (st.st_uid != 0 && (st.st_mode & 022) != 0)) { snprintf(buf, sizeof buf, "%s authentication refused for %.100s: " "bad ownership or modes for '%s'.", @@ -642,6 +647,7 @@ fclose(f); log("%s", buf); restore_uid(); + restore_gid(); return 0; } } @@ -686,6 +692,7 @@ } } restore_uid(); + restore_gid(); fclose(f); key_free(found); if (!found_key) diff -ur openssh-2.5.2p2.orig/authfile.c openssh-2.5.2p2/authfile.c --- openssh-2.5.2p2.orig/authfile.c Mon Mar 5 05:59:27 2001 +++ openssh-2.5.2p2/authfile.c Sun Apr 22 02:04:53 2001 
@@ -513,7 +513,8 @@ #endif if (fstat(fd, &st) < 0 || (st.st_uid != 0 && getuid() != 0 && st.st_uid != getuid()) || - (st.st_mode & 077) != 0) { + (st.st_uid == 0 && (st.st_mode & 037) != 0) || + (st.st_uid != 0 && (st.st_mode & 077) != 0)) { close(fd); error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @"); diff -ur openssh-2.5.2p2.orig/uidswap.c openssh-2.5.2p2/uidswap.c --- openssh-2.5.2p2.orig/uidswap.c Mon Feb 26 22:39:07 2001 +++ openssh-2.5.2p2/uidswap.c Sat Apr 21 23:23:00 2001 @@ -32,6 +32,7 @@ #define SAVED_IDS_WORK_WITH_SETEUID /* Saved effective uid. */ static uid_t saved_euid = 0; +static gid_t saved_egid = 0; #endif /* @@ -59,6 +60,27 @@ #endif /* SAVED_IDS_WORK_WITH_SETEUID */ } +void +temporarily_use_gid(gid_t gid) +{ +#ifdef SAVED_IDS_WORK_WITH_SETEUID + /* Save the current egid. */ + saved_egid = getegid(); + + /* Set the effective gid to the given (unprivileged) gid. */ + if (setegid(gid) == -1) + debug("setegid %u: %.100s", (u_int) gid, strerror(errno)); +#else /* SAVED_IDS_WORK_WITH_SETEUID */ + /* Propagate the privileged gid to all of our gids. */ + if (setgid(getegid()) < 0) + debug("setgid %u: %.100s", (u_int) getegid(), strerror(errno)); + + /* Set the effective gid to the given (unprivileged) gid. */ + if (setegid(gid) == -1) + debug("setegid %u: %.100s", (u_int) gid, strerror(errno)); +#endif /* SAVED_IDS_WORK_WITH_SETEUID */ +} + /* * Restores to the original uid. */ 
@@ -76,6 +98,23 @@ * as well. */ setuid(getuid()); +#endif /* SAVED_IDS_WORK_WITH_SETEUID */ +} + +void +restore_gid(void) +{ +#ifdef SAVED_IDS_WORK_WITH_SETEUID + /* Set the effective gid back to the saved gid. */ + if (setegid(saved_egid) < 0) + debug("setegid %u: %.100s", (u_int) saved_egid, strerror(errno)); +#else /* SAVED_IDS_WORK_WITH_SETEUID */ + /* + * We are unable to restore the real gid to its unprivileged value. + * Propagate the real gid (usually more privileged) to effective gid + * as well. + */ + setgid(getgid()); #endif /* SAVED_IDS_WORK_WITH_SETEUID */ } diff -ur openssh-2.5.2p2.orig/uidswap.h openssh-2.5.2p2/uidswap.h --- openssh-2.5.2p2.orig/uidswap.h Mon Jan 29 08:39:26 2001 +++ openssh-2.5.2p2/uidswap.h Sat Apr 21 23:18:07 2001 @@ -20,12 +20,14 @@ * root, this does nothing. This call cannot be nested. */ void temporarily_use_uid(uid_t uid); +void temporarily_use_gid(uid_t uid); /* * Restores the original effective user id after temporarily_use_uid(). * This should only be called while temporarily_use_uid is effective. */ void restore_uid(void); +void restore_gid(void); /* * Permanently sets all uids to the given uid. This cannot be called while -------------- next part -------------- diff -ur openssh-2.5.2p2.orig/session.c openssh-2.5.2p2/session.c --- openssh-2.5.2p2.orig/session.c Thu Mar 22 01:58:27 2001 +++ openssh-2.5.2p2/session.c Fri Apr 20 15:45:09 2001 @@ -93,6 +93,8 @@ # include #endif +#define CHROOT + /* types */ #define TTYSZ 64 @@ -1012,6 +1014,10 @@ extern char **environ; struct stat st; char *argv[10]; +#ifdef CHROOT + char *user_dir; + char *new_root; +#endif /* CHROOT */ int do_xauth = s->auth_proto != NULL && s->auth_data != NULL; #ifdef WITH_IRIX_PROJECT prid_t projid; 
@@ -1085,6 +1091,28 @@ if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno)); + +#ifdef CHROOT + user_dir = xstrdup(pw->pw_dir); + new_root = user_dir + 1; + + + while((new_root = strchr(new_root, '.')) != NULL) { + new_root--; + if(strncmp(new_root, "/./", 3) == 0) { + *new_root = '\0'; + new_root += 2; + + if(chroot(user_dir) != 0) + fatal("Couldn't chroot to user directory %s", user_dir); + + pw->pw_dir = new_root; + break; + } + new_root += 2; + } +#endif /* CHROOT */ + if (setgid(pw->pw_gid) < 0) { perror("setgid"); exit(1); From mouring at etoh.eviladmin.org Sun Apr 22 15:39:49 2001 
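Review bot: the relaxed condition in the auth-rhosts.c, auth-rsa.c and auth2.c hunks, `(st.st_uid == 0 && (st.st_mode & 002) != 0)`, accepts a root-owned, group-writable home or `.ssh` directory without asking for the sticky bit; the listing in the message has `drwxrwxr-t`, but nothing in the check requires the `t`, so a `drwxrwxr-x` root-owned home would pass even though every member of the group could then rename or unlink entries in it, `.ssh` included. The same relaxed test is also applied to the `authorized_keys` file itself in the `fstat(fileno(f), &st)` branches, where group write lets any group member add keys. Consider accepting group write on a root-owned directory only when `S_ISVTX` is also set, and keeping the plain `(st.st_mode & 022) != 0` test for regular files.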
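Review bot: in the auth2.c hunks the comment above the new `temporarily_use_gid(pw->pw_gid)` call still reads `/* Temporarily use the user's uid. */`, and each `/* Restore the privileged uid. */` comment now sits above a uid and a gid call; update them, and add a line saying that the order is deliberate: `temporarily_use_gid` must run while the effective uid is still root, because `setegid` needs privilege, and `restore_gid` must follow `restore_uid` for the same reason. The hunks do get that order right on every return path shown, so the comment is what is missing.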
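Review bot: the authfile.c hunk relaxes the private key check for every root-owned key file loaded through this path, not only the chrooted account's `id_dsa`; with the `037` mask a root-owned key with mode 0640 no longer triggers the `UNPROTECTED PRIVATE KEY FILE` warning, and every member of the file's group can read the key, which is exactly what the warning exists to catch. If the aim is the single sftp account, keep the `077` mask here and solve the chroot case by ownership instead, or at least make the relaxation an explicit option rather than the default.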
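Review bot: the uidswap.h hunk declares `void temporarily_use_gid(uid_t uid);` while the uidswap.c definition is `temporarily_use_gid(gid_t gid)`; make the prototype `gid_t` to match. The header comment above still documents only the uid pair ("This call cannot be nested."); the gid pair has the same restriction, and `restore_gid()` should state that it is only valid after `restore_uid()` has returned the privileged euid, since `setegid` back to the saved gid needs that privilege.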
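Review bot: `#define CHROOT` is hard-coded at the top of session.c, so this build turns on the `/./` handling for every session instead of behind a configure option; move it to config.h. In the chroot block, `new_root = user_dir + 1` followed by `new_root--` after `strchr` assumes `pw->pw_dir` is non-empty; an empty `pw_dir` starts the `strchr` scan one byte past the string's terminator. The `/./` marker convention is also undocumented in the hunk: add a comment (and a man page note) stating that a home directory written as `/chroot/./home` is chrooted to the part before the marker and that `pw->pw_dir` becomes the part after it. The placement before `setgid(pw->pw_gid)` is correct, as `chroot(2)` needs root.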
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Sun, 22 Apr 2001 00:39:49 -0500 (CDT)
Subject: relaxing access rights verifications
In-Reply-To: <20010422034108.M19561@hsc.fr>
Message-ID: 

[..]
>
> So here is a patch to permit :
> . file readable by group if owned by root
> . directories writeable by group if owned by root
>
> I added two functions temporarily_use_gid and restore_gid to permit to
> access the authorized_keys2 file. The gid used is the primary group of the
> user.
>

You'll have to maintain this yourself. The topic of GID readable keys has
come up quite a bit over the last month or so and the final word seems to
be 'No'.

I have no real stand on it because I don't need such functionality, but I
think having such a feature native may encourage wrong solutions to be
deployed.

> This patch fixes only the cases I met.
>
> Here is an up to date chroot patch for 2.5.2p2 too.
>

It would be nicer if the chroot patch was updated in relationship to the
current snapshots/cvs release (http://www.openssh.com/portable.html).

After this release is done (and if I can get time), I'd like to look at a
different approach to chrooting and sftp. After thinking about it, I think
the better solution is to do chroot in the sftp-server software and not in
ssh. Mainly because I don't feel one should have Users+1 copies of
sftp-server floating around. It's a managing nightmare.

If it is accepted by OpenBSD folks is a different story. But if not and
if there is enough interest I may provide it in contrib/.

- Ben

From rob at hagopian.net Sun Apr 22 16:46:02 2001
From: rob at hagopian.net (Rob Hagopian)
Date: Sun, 22 Apr 2001 02:46:02 -0400 (EDT)
Subject: scp with files > 2gb
In-Reply-To: <200104202304.f3KN4tB2987657@jurassic.eng.sun.com>
Message-ID: 

Anyone know if this patch will make it into 2.5.2p3, or will it have to go
back to the OpenBSD version first?
                                                -Rob

On Fri, 20 Apr 2001, Darren Moffat wrote:

> Theo E. Schlossnagle wrote:
>
> >> I've tried this under Solaris and scp fails with a broken pipe on only the
> >> second write to the pipe between scp and ssh if the file is over 2gb.
>
> Theo>filesystem wasn't created and mounted with largefiles enabled.
>
> That wasn't it.
>
> I found the problem, I hadn't copied the scp program with the patch
> applied to the remote machine, doh!
>
> So I can now confirm that the patch does indeed work just fine on Solaris.
>
> --
> Darren J Moffat
>

From Markus.Friedl at informatik.uni-erlangen.de Sun Apr 22 22:30:09 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 22 Apr 2001 14:30:09 +0200
Subject: Why we can't login ? (fwd)
In-Reply-To: ; from tal@zapta.com on Sat, Apr 21, 2001 at 12:20:53PM -0700
References: <20010421143602.A29537@folly>
Message-ID: <20010422143009.B8370@faui02.informatik.uni-erlangen.de>

On Sat, Apr 21, 2001 at 12:20:53PM -0700, Tal Dayan wrote:
> Isn't it the job of the 'configure' step to customize the configuration to
> specifics of the platform in use ? Having it making an intelligent decision
> regarding the PAM, at least for few common platforms, will be appreciated
> by many users.

feel free to send patches.

From slade at shore.net Mon Apr 23 05:58:39 2001
From: slade at shore.net (Richard E. Silverman)
Date: Sun, 22 Apr 2001 15:58:39 -0400
Subject: Restrict account to only use sftp not working
Message-ID: <200104221958.PAA06010@syrinx.oankali.net>

> After the "Authentication successful." message, the vendor did not get a
> system prompt. But the vendor could get a listing and move around the
> filesystem. I would expect that the vendor would not be able to do anything.

I don't understand. You wanted to restrict the account to using sftp. The
client could use sftp, but not do anything else ("get a system prompt").
In what way does this behavior not correspond to your expectations?

> Indeed, to test this I set up an account on the server and used the OpenSSH
> "ssh" client to log into the account as the vendor did. I authenticated but
> didn't get a command prompt and when I typed any command the server
> responded with "bad command" and exited. If I used the OpenSSH "sftp"
> client and logged in, it operated as expected.
>
> Did I miss something in setting up the server, or was the client able to
> do something it shouldn't have?

No, and no. I still don't understand what you think is wrong. If you read
the snailbook.com page you mentioned, then you understand that the sftp
client works by running ssh in a subprocess to connect to the server and
run the sftp-server. So of course, you can run the SSH client by hand and
do the same thing. You got a connection to sftp-server. When you typed
text at it, it exited because the text did not fit the SFTP protocol.

Note also the comments on that web page about the difficulty of securing
this if you choose not to employ a limited shell for the account. For
instance, if sshd uses the shell to start sftp-server, and the target user
can write the account's shell startup files using sftp (~/.login,
~/.bashrc, etc.), then the client can arrange to run arbitrary programs
anyway.
sshd2 has AllowCshrcSourcingWithSubsystems set to false by default, so that
it passes -f to the shell to suppress some startup processing, but how
that's interpreted and how effective it will be depends on the shell...

- Richard

From jesus at omniti.com Tue Apr 24 06:57:50 2001
From: jesus at omniti.com (Theo Schlossnagle)
Date: Mon, 23 Apr 2001 16:57:50 -0400
Subject: OpenSSH SecurID patch (updated for 2.5.2p2)
Message-ID: 

The native SecurID support for OpenSSH patch has been updated to release
2.5.2p2 and incorporates fixes to the "validate next token" code.

It is available at:

http://www.omniti.com/~jesus/projects/

Enjoy.

From tom.orban at corp.usa.net Tue Apr 24 09:09:14 2001
From: tom.orban at corp.usa.net (Tom Orban)
Date: Mon, 23 Apr 2001 17:09:14 -0600
Subject: Bad packet length error
Message-ID: <3AE4B61A.157CEBDE@corp.usa.net>

Hello,

I just built openssh-2.5.2p2 on an HP running HP-UX 11.00. Seems now
when I try and connect to other HP's running ssh with version
openssh-2.3.0p1 (using protocol version 2), I'm getting disconnected
because of a "Bad packet length" error:

ssh -v isd1
...
debug1: ssh_dss_verify: signature correct
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: send SSH2_MSG_SERVICE_REQUEST
42 71 58 e0 7b e7 3b 4f 0d 3d 83 9c a2 01 c6 22
Disconnecting: Bad packet length 1114724576.       <------------ ERROR
debug1: Calling cleanup 0x400102a2(0x0)
debug1: Calling cleanup 0x400102aa(0x0)
debug1: writing PRNG seed to file //.ssh/prng_seed

Other info:
- Going from box running 2.3.0p1 to box with 2.5.2p2 works fine with
  protocol 2.
- 2.5.2p2 box to another 2.5.2p2 box works fine.

Workarounds:
1) upgrade offending machine to 2.5.2p2, although I can't for all machines.
2) (Interim fix) connect to offending machine with protocol version 1.

Anyone else seen this behavior? Any chance there's a patch for this?

Thanks.

-Tom

From kreuzing at dbai.tuwien.ac.at Tue Apr 24 21:29:58 2001
From: kreuzing at dbai.tuwien.ac.at (Andreas Kreuzinger)
Date: Tue, 24 Apr 2001 13:29:58 +0200 (CEST)
Subject: About the configure.in patch for 2.5.2p2
Message-ID: 

Hi !

According to
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=98577747029227&w=2

[...snip...]
List:       openssh-unix-dev
Subject:    Updated configure.in patch for 2.5.2p2
From:       Carson Gaspar
Date:       2001-03-28 11:03:29
[...snip...]

there exists a patch to add --with-zlib (needed when zlib isn't installed in
the standard path. Happens on Solaris sometimes.)

Today I checked out the cvs version and it wasn't part of this version.
Why isn't this patch added?

regards
andy

-- 
I am from Austria - but I did not vote for Joerg Haider and the FPOE.
Administrative contact: admin at dbai.tuwien.ac.at
Vienna University of Technology - Database & Artificial Intelligence Group
A-1040 Wien, Favoritenstr. 9-11 - Tel.: ++43-1-58801/18429

From jseymour at LinxNet.com Tue Apr 24 22:09:17 2001
From: jseymour at LinxNet.com (Jim Seymour)
Date: Tue, 24 Apr 2001 08:09:17 -0400 (EDT)
Subject: Bad packet length error
Message-ID: <20010424120917.9B7D34301@jimsun.LinxNet.com>

>
> Hello,
>
> I just built openssh-2.5.2p2 on an HP running HP-UX 11.00. Seems now
> when I try and connect to other HP's running ssh with version
> openssh-2.3.0p1 (using protocol version 2), I'm getting disconnected
> because of a "Bad packet length" error:
[snip]

Heh. Funny you should mention that. After finding out here what the
"Disabling protocol version 2. Could not load host key" problem was all
about (thanks, guys!), I just tried re-installing 2.5.2p2 on one of my
machines this morning.

As with your experience: incoming from a box running 2.3.0p1 works fine,
outgoing to that same 2.3.0p1 from the upgraded 2.5.2p2 results:

$ ssh -2 nnn.nnn.nnn.nnn
xx xx xx xx xx xx xx xx xx xx xx xx xx xxx xx xx
Disconnecting: Bad packet length -112560745.

Back to 2.3.0p1 for the moment...

Regards,
Jim

-- 
Jim Seymour                  | PGP Public Key available at:
jseymour at jimsun.LinxNet.com  | http://www.uk.pgp.net/pgpnet/pks-commands.html
http://jimsun.LinxNet.com    |

From gert at greenie.muc.de Tue Apr 24 22:51:59 2001
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 24 Apr 2001 14:51:59 +0200
Subject: man pages screwed
In-Reply-To: ; from Damien Miller on Mon, Apr 16, 2001 at 10:42:36AM +1000
References: <20010415105640.A25030@yorktown.isdn.uiuc.edu>
Message-ID: <20010424145159.F20262@greenie.muc.de>

Hi,

sorry for being late with this...:

On Mon, Apr 16, 2001 at 10:42:36AM +1000, Damien Miller wrote:
> > I've finally gotten a chance to work on this. The attached patch
> > replaces the current --with-catman option with this new option:
> >
> > --with-mantype=man|cat|doc Set man page type
>
> Excellent - thanks heaps! I have committed this, could people please
> test CVS head to make sure it gets your manpages right now?

just tested on AIX 4.3, which has no -mdoc, and it works like a charm.

Impressing this, suddenly having documentation :-)

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                    //www.muc.de/~gert/
Gert Doering - Munich, Germany                      gert at greenie.muc.de
fax: +49-89-35655025                  gert.doering at physik.tu-muenchen.de

From mstone at cs.loyola.edu Tue Apr 24 23:13:46 2001
From: mstone at cs.loyola.edu (Michael Stone)
Date: Tue, 24 Apr 2001 09:13:46 -0400
Subject: change in rhosts-rsa behavior
Message-ID: <20010424091346.P15731@justice.loyola.edu>

Can anyone remind me of the reason for breaking the rhosts-rsa protocol
(by not using a privileged port by default)?

-- 
Mike Stone

From Markus.Friedl at informatik.uni-erlangen.de Tue Apr 24 23:40:13 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 24 Apr 2001 15:40:13 +0200
Subject: change in rhosts-rsa behavior
In-Reply-To: <20010424091346.P15731@justice.loyola.edu>; from mstone@cs.loyola.edu on Tue, Apr 24, 2001 at 09:13:46AM -0400
References: <20010424091346.P15731@justice.loyola.edu>
Message-ID: <20010424154013.A28576@faui02.informatik.uni-erlangen.de>

On Tue, Apr 24, 2001 at 09:13:46AM -0400, Michael Stone wrote:
> Can anyone remind me of the reason for breaking the rhosts-rsa protocol
> (by not using a privileged port by default)?

it's a requirement from the obsolete rlogin protocol.
it does not provide additional security.
it is not required for protocol version 2.

privileged ports require setuid root and cause problems.
openssh's sshd does not require this.

you can always force the client to allocate privileged ports.

From mstone at cs.loyola.edu Tue Apr 24 23:48:00 2001
From: mstone at cs.loyola.edu (Michael Stone)
Date: Tue, 24 Apr 2001 09:48:00 -0400
Subject: change in rhosts-rsa behavior
In-Reply-To: <20010424154013.A28576@faui02.informatik.uni-erlangen.de>; from Markus.Friedl@informatik.uni-erlangen.de on Tue, Apr 24, 2001 at 03:40:13PM +0200
References: <20010424091346.P15731@justice.loyola.edu> <20010424154013.A28576@faui02.informatik.uni-erlangen.de>
Message-ID: <20010424094800.Q15731@justice.loyola.edu>

On Tue, Apr 24, 2001 at 03:40:13PM +0200, Markus Friedl wrote:
> privileged ports require setuid root and cause problems.

Don't you need this anyway to read the private key? If you install
without suid, didn't everything else work fine without privileged ports?

> openssh's sshd does not require this.

It did up until a little while ago. Wouldn't it make sense to change the
server default first, wait a major release, and then change the client
default?

> you can always force the client to allocate privileged ports.

openssh seems to have a nasty habit of breaking compatibility a *lot*.
(It's one of the things I hear quite often when people are installing
new openssh's.) It would be nice if compatibility concerns were given
more weight, especially in a case like this, where the benefits of the
change aren't really driven by security.

-- 
Mike Stone

From Markus.Friedl at informatik.uni-erlangen.de Tue Apr 24 23:58:02 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 24 Apr 2001 15:58:02 +0200
Subject: change in rhosts-rsa behavior
In-Reply-To: <20010424094800.Q15731@justice.loyola.edu>; from mstone@cs.loyola.edu on Tue, Apr 24, 2001 at 09:48:00AM -0400
References: <20010424091346.P15731@justice.loyola.edu> <20010424154013.A28576@faui02.informatik.uni-erlangen.de> <20010424094800.Q15731@justice.loyola.edu>
Message-ID: <20010424155802.B28576@faui02.informatik.uni-erlangen.de>

On Tue, Apr 24, 2001 at 09:48:00AM -0400, Michael Stone wrote:
> On Tue, Apr 24, 2001 at 03:40:13PM +0200, Markus Friedl wrote:
> > privileged ports require setuid root and cause problems.
>
> Don't you need this anyway to read the private key? If you install
> without suid, didn't everything else work fine without privileged ports?

probably not in the future. an external program can do this for protocol
version 2.

> > openssh's sshd does not require this.
>
> It did up until a little while ago. Wouldn't it make sense to change the
> server default first, wait a major release, and then change the client
> default?

there was a release between these changes.

> > you can always force the client to allocate privileged ports.
>
> openssh seems to have a nasty habit of breaking compatibility a *lot*.

not that i'm aware of. please, show me.

> (It's one of the things I hear quite often when people are installing
> new openssh's.) It would be nice if compatibility concerns were given
> more weight, especially in a case like this, where the benefits of the
> change aren't really driven by security.

we got many more complaints with:
        "why does openssl allocate a privileged port"
than
        "why does openssl not allocate a privileged port"

plus: this change is driven by security, since openssh's client should
not need to be setuid in the future.

-m

From dwh at ovro.caltech.edu Wed Apr 25 03:53:22 2001
From: dwh at ovro.caltech.edu (David Hawkins)
Date: Tue, 24 Apr 2001 10:53:22 -0700
Subject: HELP! sftp hangs on exit / Bug?
Message-ID: <006501c0cce7$7576b740$241064c0@ovro.caltech.edu>

Hi,

The following discussion was posted to comp.security.ssh
however, it seems that my problems may be a bug in
SSH. Could someone please indicate whether there
is a bug fix, or perhaps whether I should go back a
version or so.

In summary:
- Win98 machine (client)
- OpenSSH as packaged with Cygwin tools 1.1.8
  (openssh-2.5.2p2-3)
- Connecting to a Sun running Solaris.

ssh: SSH Secure Shell 2.4.0 (non-commercial version) on
sparc-sun-solaris2.7
Copyright (c) 1995-2000 SSH Communications Security Corp (www.ssh.com)
All rights reserved. See LICENSE file for usage and distribution terms.

All the key files have been converted appropriately.
We have a similar setup running ok under Linux

- ssh works ok, scp works ok.
- sftp works ok during an interactive session (i.e., files can be
  moved to and from the remote machine)
- sftp hangs on exit. (see output below for sftp -v.)

I would have a look at the source code, but CVS also fails
to work. The ultimate goal here was to setup CVS (and WinCVS)
with ssh. The command line CVS (under Cygwin bash) transfers
files during a checkout, then hangs at the end. The WinCVS
tool just hangs after a checkout.

If I can be of assistance in running tests or providing more
information, please ask.

I have not subscribed to these lists, as I hope that once this
issue is resolved, I can simply use ssh as a tool. Please reply
to my email directly.

Thanks.

Dave Hawkins
Caltech.
dwh at ovro.caltech.edu

----- Original Message -----
From: "David Hawkins"
Newsgroups: comp.security.ssh
Sent: Tuesday, April 24, 2001 10:23 AM
Subject: Re: HELP! sftp hangs on exit / Bug?


>
> Thanks for this reference Dan, however, it did not help.
>
> From the FAQ:
> > Current versions of OpenSSH may hang when exiting. This can
> > occur when there is an active background process. This is known to
> > occur on Linux and HP-UX. The problem can be verified by doing
> > the following: sleep 20&exit.
> >
> > A work around for bash users is to place "shopt -s huponexit" in
> > either /etc/bashrc or ~/.bashrc. Otherwise, consult your shell's man
> > page for an option to enable it to send a HUP signal to active
> > jobs when exiting.
>
> I added 'shopt -s huponexit' to /etc/profile (since this
> is the file sourced by bash - I used an echo to confirm
> this), and also tried $HOME/.bashrc.
>
> In either case, sftp hung.
>
> I ssh'ed into inyo and called 'sleep 5& exit' and the shell
> exited back to my Cygwin bash shell without problems.
>
> So ... anyone else out there got suggestions?
>
> Regards,
> Dave Hawkins
>
>
> ----- Original Message -----
> From: "Daniel Barrett"
> Newsgroups: comp.security.ssh
> To:
> Sent: Tuesday, April 24, 2001 9:09 AM
> Subject: Re: HELP! sftp hangs on exit / Bug?
>
>
> > In article <9c23r7$h56 at gap.cco.caltech.edu> you write:
> > >sftp hangs when I exit it.
> >
> > I think this is a known openssh bug.
> >
> > http://www.openssh.com/faq.html#3.10
> >
> > Dan
> >
> > Dan Barrett    dbarrett at blazemonger.com    www.blazemonger.com
> >
> > "David Hawkins" wrote in message
> news:9c23r7$h56 at gap.cco.caltech.edu...
> > Hi,
> >
> > I have ssh working for logins and scp working for
> > copying, however, sftp hangs when I exit it.
> > Here's my setup
> >
> > - Win98 machine (client)
> > - OpenSSH as packaged with Cygwin tools 1.1.8
> >   (openssh-2.5.2p2-3)
> > - Connecting to a Sun running Solaris. All the
> >   key files have been converted appropriately.
> >   We have a similar setup running ok under Linux.
> >
> > The Solaris machine is 'inyo', the local machine is
> > 'kiwi', and the user is dwh. I did the following from
> > the Cygwin bash command line ...
> >
> > > sftp -v inyo >& temp
> >
> > and typed exit to 'attempt' to leave sftp. However,
> > to get it to end I actually had to ctrl-c it. The
> > output file is included below. The connection
> > works fine, i.e., I don't have to use a password,
> > and files transfer ok. It's just that when I try to exit
> > the process hangs.
> >
> > I am using SSH to access a CVS repository.
> > If I perform 'cvs checkout ' on a
> > module, then the files get copied to my local
> > machine, and then the process hangs after the
> > last file is correctly transferred.
> >
> > We have a similar setup to some Linux machines
> > and do not have these problems. Is this perhaps
> > a bug, or maybe the Cygnus bash shell and DOS
> > shells are not responding correctly.
> >
> > Can someone suggest how to get this up and running?
> > I'd be happy to run any tests anyone can suggest.
> >
> > Please reply to both the newsgroup and my email
> > address.
> >
> > Regards,
> >
> > Dave Hawkins
> > Caltech
> > dwh at ovro.caltech.edu
> >
> >
> >
> > Connecting to inyo...
> > debug1: SSH args "ssh -v inyo -s -oForwardX11=no -oForwardAgent=no -oProtocol=2 sftp"
> > OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
> > debug1: Seeding random number generator
> > debug1: Rhosts Authentication disabled, originating port will not be trusted.
> > debug1: ssh_connect: getuid 500 geteuid 500 anon 1
> > debug1: Connecting to inyo [192.100.16.7] port 22.
> > debug1: Connection established.
> > debug1: unknown identity file /cygdrive/f/.ssh/id_rsa
> > debug1: identity file /cygdrive/f/.ssh/id_rsa type -1
> > debug1: unknown identity file /cygdrive/f/.ssh/id_dsa
> > debug1: identity file /cygdrive/f/.ssh/id_dsa type -1
> > debug1: Remote protocol version 1.99, remote software version 2.4.0 SSH Secure Shell (non-commercial)
> > debug1: match: 2.4.0 SSH Secure Shell (non-commercial) pat ^2\.[2-9]\.
> > Enabling compatibility mode for protocol 2.0
> > debug1: Local version string SSH-2.0-OpenSSH_2.5.2p2
> > debug1: send KEXINIT
> > debug1: done
> > debug1: wait KEXINIT
> > debug1: got kexinit: diffie-hellman-group1-sha1
> > debug1: got kexinit: ssh-dss
> > debug1: got kexinit: 3des-cbc,cast128-cbc,blowfish-cbc,twofish-cbc,arcfour,none
> > debug1: got kexinit: 3des-cbc,cast128-cbc,blowfish-cbc,twofish-cbc,arcfour,none
> > debug1: got kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,none
> > debug1: got kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,none
> > debug1: got kexinit: none,zlib
> > debug1: got kexinit: none,zlib
> > debug1: got kexinit:
> > debug1: got kexinit:
> > debug1: first kex follow: 0
> > debug1: reserved: 0
> > debug1: done
> > debug1: kex: server->client 3des-cbc hmac-md5 none
> > debug1: kex: client->server 3des-cbc hmac-md5 none
> > debug1: Sending SSH2_MSG_KEXDH_INIT.
> > debug1: dh_gen_key: priv key bits set: 179/384
> > debug1: bits set: 532/1024
> > debug1: Wait SSH2_MSG_KEXDH_REPLY.
> > debug1: Got SSH2_MSG_KEXDH_REPLY.
> > debug1: Host 'inyo' is known and matches the DSA host key.
> > debug1: Found key in /cygdrive/f/.ssh/known_hosts2:1
> > debug1: bits set: 518/1024
> > debug1: len 55 datafellows 0
> > debug1: ssh_dss_verify: signature correct
> > debug1: Wait SSH2_MSG_NEWKEYS.
> > debug1: GOT SSH2_MSG_NEWKEYS.
> > debug1: send SSH2_MSG_NEWKEYS.
> > debug1: done: send SSH2_MSG_NEWKEYS.
> > debug1: done: KEX2.
> > debug1: send SSH2_MSG_SERVICE_REQUEST
> > debug1: service_accept: ssh-userauth
> > debug1: got SSH2_MSG_SERVICE_ACCEPT
> > debug1: authentications that can continue: publickey,password
> > debug1: next auth method to try is publickey
> > debug1: try privkey: /cygdrive/f/.ssh/id_rsa
> > debug1: try privkey: /cygdrive/f/.ssh/id_dsa
> > debug1: read SSH2 private key done: name dsa w/o comment success 1
> > debug1: sig size 20 20
> > debug1: ssh-userauth2 successful: method publickey
> > debug1: fd 4 setting O_NONBLOCK
> > debug1: fd 5 setting O_NONBLOCK
> > debug1: fd 6 setting O_NONBLOCK
> > debug1: channel 0: new [client-session]
> > debug1: send channel open 0
> > debug1: Entering interactive session.
> > debug1: client_init id 0 arg 0
> > debug1: Sending subsystem: sftp
> > debug1: channel 0: open confirm rwindow 10000 rmax 32768
> > sftp> sftp> Killed by signal 2.
> > debug1: Calling cleanup 0x416e08(0x0)
> > debug1: Calling cleanup 0x41a304(0x0)
> >
> >
> >
> >

From mouring at etoh.eviladmin.org Wed Apr 25 04:01:14 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Tue, 24 Apr 2001 13:01:14 -0500 (CDT)
Subject: Call for testing for coming 2.9 release.
Message-ID: 

If we can get people to test their platforms against the last snapshot/cvs
tree I'd be grateful. (http://www.openssh.com/portable.html)

I know NeXT platform has problems. I'm going to spend tonight looking at it.

Also, take a moment to see what manpage type ./configure decided for your
system and if it's 'cat' please let us know.

Thanks.

- Ben

From mouring at etoh.eviladmin.org Wed Apr 25 04:04:31 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Tue, 24 Apr 2001 13:04:31 -0500 (CDT)
Subject: HELP! sftp hangs on exit / Bug?
In-Reply-To: <006501c0cce7$7576b740$241064c0@ovro.caltech.edu>
Message-ID: 

Can you please test one of the latest snapshots of OpenSSH
(http://www.openssh.com/portable)?

I know there was talk on the list in regards to sftp issues on Cygwin
platform.

Thanks.

- Ben

On Tue, 24 Apr 2001, David Hawkins wrote:

> Hi,
> 
> The following discussion was posted to comp.security.ssh
> however, it seems that my problems may be a bug in
> SSH. Could someone please indicate whether there
> is a bug fix, or perhaps whether I should go back a
> version or so.
> 
> In summary:
> - Win98 machine (client)
> - OpenSSH as packaged with Cygwin tools 1.1.8
> (openssh-2.5.2p2-3)
> - Connecting to a Sun running Solaris.
> 
> ssh: SSH Secure Shell 2.4.0 (non-commercial version) on
> sparc-sun-solaris2.7
> Copyright (c) 1995-2000 SSH Communications Security Corp (www.ssh.com)
> All rights reserved. See LICENSE file for usage and distribution terms.
> 
> All the key files have been converted appropriately.
> We have a similar setup running ok under Linux
> 
> - ssh works ok, scp works ok.
> - sftp works ok during an interactive session (i.e., files can be
> moved to and from the remote machine)
> - sftp hangs on exit. (see output below for sftp -v.)
> 
> I would have a look at the source code, but CVS also fails
> to work. The ultimate goal here was to setup CVS (and WinCVS)
> with ssh. The command line CVS (under Cygwin bash) transfers
> files during a checkout, then hangs at the end. The WinCVS
> tool just hangs after a checkout.
> 
> If I can be of assistance in running tests or providing more
> information, please ask.
> 
> I have not subscribed to these lists, as I hope that once this
> issue is resolved, I can simply use ssh as a tool. Please reply
> to my email directly.
> 
> Thanks.
> 
> Dave Hawkins
> Caltech.
> dwh at ovro.caltech.edu > > ----- Original Message ----- > From: "David Hawkins" > Newsgroups: comp.security.ssh > Sent: Tuesday, April 24, 2001 10:23 AM > Subject: Re: HELP! sftp hangs on exit / Bug? > > > > > > Thanks for this reference Dan, however, it did not help. > > > > From the FAQ: > > > Current versions of OpenSSH may hang when exiting. This can > > > occur when there is an active background process. This is known to > > > occur on Linux and HP-UX. The problem can be verified by doing > > > the following: sleep 20&exit. > > > > > > A work around for bash users is to place "shopt -s huponexit" in > > > either /etc/bashrc or ~/.bashrc. Otherwise, consult your shell's man > > > page for an option to enable it to send a HUP signal to active > > > jobs when exiting. > > > > I added 'shopt -s huponexit' to /etc/profile (since this > > is the file sourced by bash - I used an echo to confirm > > this), and also tried $HOME/.bashrc. > > > > In either case, sftp hung. > > > > I ssh'ed into inyo and called 'sleep 5& exit' and the shell > > exited back to my Cygwin bash shell without problems. > > > > So ... anyone else out there got suggestions? > > > > Regards, > > Dave Hawkins > > > > > > ----- Original Message ----- 
> > From: "Daniel Barrett" > > Newsgroups: comp.security.ssh > > To: > > Sent: Tuesday, April 24, 2001 9:09 AM > > Subject: Re: HELP! sftp hangs on exit / Bug? > > > > > > > In article <9c23r7$h56 at gap.cco.caltech.edu> you write: > > > >sftp hangs when I exit it. > > > > > > I think this is a known openssh bug. > > > > > > http://www.openssh.com/faq.html#3.10 > > > > > > Dan > > > > > > > > > //////////////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ > > > | Dan Barrett dbarrett at blazemonger.com > > www.blazemonger.com | > > > > > > \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\///////////////////////////////////// > > > > > > > > "David Hawkins" wrote in message > > news:9c23r7$h56 at gap.cco.caltech.edu... > > > Hi, > > > > > > I have ssh working for logins and scp working for > > > copying, however, sftp hangs when I exit it. > > > Here's my setup > > > > > > - Win98 machine (client) > > > - OpenSSH as packaged with Cygwin tools 1.1.8 > > > (openssh-2.5.2p2-3) > > > - Connecting to a Sun running Solaris. All the > > > key files have been converted appropriately. > > > We have a similar setup running ok under Linux. > > > > > > The Solaris machine is 'inyo', the local machine is > > > 'kiwi', and the user is dwh. I did the following from > > > the Cygwin bash command line ... > > > > > > > sftp -v inyo >& temp > > > > > > and typed exit to 'attempt' to leave sftp. However, > > > to get it to end I actually had to ctrl-c it. The > > > output file is included below. The connection > > > works fine, i.e., I don't have to use a password, > > > and files transfer ok. It's just that when try to exit > > > the process hangs. > > > > > > I am using SSH to access a CVS repository. > > > If I perform 'cvs checkout ' on a > > > module, then the files get copied to my local > > > machine, and then the process hangs after the > > > last file is correctly transferred. > > > > > > We have a similar setup to some Linux machines > > > and do not have these problems. 
Is this perhaps > > > a bug, or maybe the Cygnus bash shell and DOS > > > shells are not responding correctly. > > > > > > Can someone suggest how to get this up and running? > > > I'd be happy to run any tests anyone can suggest. > > > > > > Please reply to both the newsgroup and my email > > > address. > > > > > > Regards, > > > > > > Dave Hawkins > > > Caltech > > > dwh at ovro.caltech.edu > > > > > > > > > > > > Connecting to inyo... > > > debug1: SSH args "ssh -v > > > inyo -s -oForwardX11=no -oForwardAgent=no -oProtocol=2 sftp" > > > OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f > > > debug1: Seeding random number generator > > > debug1: Rhosts Authentication disabled, originating port will not be > > > trusted. > > > debug1: ssh_connect: getuid 500 geteuid 500 anon 1 > > > debug1: Connecting to inyo [192.100.16.7] port 22. > > > debug1: Connection established. > > > debug1: unknown identity file /cygdrive/f/.ssh/id_rsa > > > debug1: identity file /cygdrive/f/.ssh/id_rsa type -1 > > > debug1: unknown identity file /cygdrive/f/.ssh/id_dsa > > > debug1: identity file /cygdrive/f/.ssh/id_dsa type -1 > > > debug1: Remote protocol version 1.99, remote software version 2.4.0 SSH > > > Secure Shell (non-commercial) > > > debug1: match: 2.4.0 SSH Secure Shell (non-commercial) pat ^2\.[2-9]\. 
> > > Enabling compatibility mode for protocol 2.0 > > > debug1: Local version string SSH-2.0-OpenSSH_2.5.2p2 > > > debug1: send KEXINIT > > > debug1: done > > > debug1: wait KEXINIT > > > debug1: got kexinit: diffie-hellman-group1-sha1 > > > debug1: got kexinit: ssh-dss > > > debug1: got kexinit: > > > 3des-cbc,cast128-cbc,blowfish-cbc,twofish-cbc,arcfour,none > > > debug1: got kexinit: > > > 3des-cbc,cast128-cbc,blowfish-cbc,twofish-cbc,arcfour,none > > > debug1: got kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,none > > > debug1: got kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,none > > > debug1: got kexinit: none,zlib > > > debug1: got kexinit: none,zlib > > > debug1: got kexinit: > > > debug1: got kexinit: > > > debug1: first kex follow: 0 > > > debug1: reserved: 0 > > > debug1: done > > > debug1: kex: server->client 3des-cbc hmac-md5 none > > > debug1: kex: client->server 3des-cbc hmac-md5 none > > > debug1: Sending SSH2_MSG_KEXDH_INIT. > > > debug1: dh_gen_key: priv key bits set: 179/384 > > > debug1: bits set: 532/1024 > > > debug1: Wait SSH2_MSG_KEXDH_REPLY. > > > debug1: Got SSH2_MSG_KEXDH_REPLY. > > > debug1: Host 'inyo' is known and matches the DSA host key. > > > debug1: Found key in /cygdrive/f/.ssh/known_hosts2:1 > > > debug1: bits set: 518/1024 > > > debug1: len 55 datafellows 0 > > > debug1: ssh_dss_verify: signature correct > > > debug1: Wait SSH2_MSG_NEWKEYS. > > > debug1: GOT SSH2_MSG_NEWKEYS. > > > debug1: send SSH2_MSG_NEWKEYS. > > > debug1: done: send SSH2_MSG_NEWKEYS. > > > debug1: done: KEX2. 
> > > debug1: send SSH2_MSG_SERVICE_REQUEST
> > > debug1: service_accept: ssh-userauth
> > > debug1: got SSH2_MSG_SERVICE_ACCEPT
> > > debug1: authentications that can continue: publickey,password
> > > debug1: next auth method to try is publickey
> > > debug1: try privkey: /cygdrive/f/.ssh/id_rsa
> > > debug1: try privkey: /cygdrive/f/.ssh/id_dsa
> > > debug1: read SSH2 private key done: name dsa w/o comment success 1
> > > debug1: sig size 20 20
> > > debug1: ssh-userauth2 successful: method publickey
> > > debug1: fd 4 setting O_NONBLOCK
> > > debug1: fd 5 setting O_NONBLOCK
> > > debug1: fd 6 setting O_NONBLOCK
> > > debug1: channel 0: new [client-session]
> > > debug1: send channel open 0
> > > debug1: Entering interactive session.
> > > debug1: client_init id 0 arg 0
> > > debug1: Sending subsystem: sftp
> > > debug1: channel 0: open confirm rwindow 10000 rmax 32768
> > > sftp> sftp> Killed by signal 2.
> > > debug1: Calling cleanup 0x416e08(0x0)
> > > debug1: Calling cleanup 0x41a304(0x0)
> > > 
> > 
> 

From dwh at ovro.caltech.edu Wed Apr 25 04:27:27 2001
From: dwh at ovro.caltech.edu (David Hawkins)
Date: Tue, 24 Apr 2001 11:27:27 -0700
Subject: HELP! sftp hangs on exit / Bug?
References: 
Message-ID: <006b01c0ccec$36fef2c0$241064c0@ovro.caltech.edu>

This link failed ... I'd be happy to test a new version.
Can you check this link and resend any correction.

Thanks.
Dave

----- Original Message -----
From mouring at etoh.eviladmin.org Wed Apr 25 04:15:42 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Tue, 24 Apr 2001 13:15:42 -0500 (CDT)
Subject: HELP! sftp hangs on exit / Bug?
In-Reply-To: <006b01c0ccec$36fef2c0$241064c0@ovro.caltech.edu>
Message-ID: 

Sorry..

http://www.openssh.com/portable.html

Too many things at once.=)  And not succeeding at any of them. =(

- Ben

On Tue, 24 Apr 2001, David Hawkins wrote:

> This link failed ... I'd be happy to test a new version.
> Can you check this link and resend any correction.
> 
> Thanks.
> Dave
> 
> ----- Original Message -----
From wendyp at cray.com Wed Apr 25 04:28:24 2001
From: wendyp at cray.com (Wendy Palm)
Date: Tue, 24 Apr 2001 13:28:24 -0500
Subject: Bad packet length error
References: <3AE4B61A.157CEBDE@corp.usa.net>
Message-ID: <3AE5C5C8.78641860@cray.com>

i'm getting the same problem ssh'ing from a cray running 2.5.3p1
(using either protocol 1 or 2) to another cray running 2.5.3p1 or
to an sgi running 2.5.1p2.

running from the sgi (2.5.1p2) to the cray (2.5.3p1) works fine.
cray-cray running 2.3 didn't have this problem at all.

this looks like the rijndael "endianness" problem we found in february.
(see the mail archives, 2001-02-27)

using -c blowfish or -c 3des works with protocol 1 and 2

adding a "Ciphers" list to the ssh_config file for protocol 1
(removing aes) worked great.  however, setting "Cipher" for protocol 2 didn't
work at all.

wendy

Tom Orban wrote:
> 
> Hello,
> 
> I just built openssh-2.5.2p2 on an HP running HP-UX 11.00.  Seems now
> when I try and connect to other HP's running ssh with version
> openssh-2.3.0p1 (using protocol version 2), I'm getting disconnected
> because of a "Bad packet length" error:
> 
> ssh -v isd1
> ...
> debug1: ssh_dss_verify: signature correct
> debug1: Wait SSH2_MSG_NEWKEYS.
> debug1: GOT SSH2_MSG_NEWKEYS.
> debug1: send SSH2_MSG_NEWKEYS.
> debug1: done: send SSH2_MSG_NEWKEYS.
> debug1: done: KEX2.
> debug1: send SSH2_MSG_SERVICE_REQUEST
> 42 71 58 e0 7b e7 3b 4f 0d 3d 83 9c a2 01 c6 22
> Disconnecting: Bad packet length 1114724576.      <------------ ERROR
> debug1: Calling cleanup 0x400102a2(0x0)
> debug1: Calling cleanup 0x400102aa(0x0)
> debug1: writing PRNG seed to file //.ssh/prng_seed
> 
> Other info:
> - Going from box running 2.3.0p1 to box with 2.5.2p2 works fine with
> protocol 2.
> - 2.5.2p2 box to another 2.5.2p2 box works fine.
> 
> Workarounds:
> 1) upgrade offending machine to 2.5.2p2, although I can't for all
> machines.
> 2) (Interim fix) connect to offending machine with protocol version 1.
> 
> Anyone else seen this behavior?  Any chance there's a patch for this?
> 
> Thanks.
> 
> -Tom

-- 
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154

From wendyp at cray.com Wed Apr 25 04:33:51 2001
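The "Bad packet length 1114724576" in the report Wendy quotes can be read straight off the 16-byte block that ssh dumped just before it. The Python below is an added example, not code from the thread or from OpenSSH: it decodes that block the way the receiving side does (the SSH2 binary packet layout later written down in RFC 4253, a uint32 packet_length followed by a padding_length byte) and shows why a cipher mismatch ends the connection at the very first packet after NEWKEYS. The MAX_PACKET_LEN bound and the sane_header() contrast case are assumptions made for this example; OpenSSH's actual constant is not on the page.

```python
"""Decode the packet-length field of the block dumped before
"Disconnecting: Bad packet length" in the quoted report.

Added example; not OpenSSH code. The hex dump and the logged length are
taken from the message above. After a cipher mismatch (the rijndael
byte-order problem the thread suspects) the decrypted first block is
noise, so the length field decodes to a huge value and the receiver
tears the connection down before reading anything else.
"""
import struct

# First decrypted block as printed in the quoted report (16 bytes, one AES block).
DUMPED_BLOCK = "42 71 58 e0 7b e7 3b 4f 0d 3d 83 9c a2 01 c6 22"
# Length the client reported in the same log line.
LOGGED_LENGTH = 1114724576

# Assumed plausibility bound for packet_length; not the project's own constant.
MAX_PACKET_LEN = 256 * 1024


def parse_hex_dump(dump: str) -> bytes:
    """Turn the 'aa bb cc ...' form used in the debug output into bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def packet_length(block: bytes) -> int:
    """uint32 packet_length in network byte order: the first 4 bytes."""
    if len(block) < 5:
        raise ValueError("need at least packet_length and padding_length")
    return struct.unpack(">I", block[:4])[0]


def padding_length(block: bytes) -> int:
    """The single padding_length byte that follows packet_length."""
    return block[4]


def check_header(block: bytes) -> str:
    """Mimic the receiver's first look at a freshly decrypted block.

    Returns 'plausible' when the two length fields could belong to a real
    packet and 'garbage' otherwise. With a key or cipher mismatch every
    byte is effectively random, so the check fails almost surely.
    """
    n = packet_length(block)
    pad = padding_length(block)
    # Nonzero, within bound, and large enough to hold padding_length + padding.
    if n == 0 or n > MAX_PACKET_LEN or pad + 1 > n:
        return "garbage"
    return "plausible"


def sane_header() -> bytes:
    """Constructed well-formed header for contrast (values chosen here):
    packet_length 28, padding_length 10, then 27 bytes of payload+padding."""
    return struct.pack(">IB", 28, 10) + b"\x00" * 27


if __name__ == "__main__":
    block = parse_hex_dump(DUMPED_BLOCK)
    n = packet_length(block)
    print(f"packet_length field = {n} (0x{n:08x})")
    print("matches logged value:", n == LOGGED_LENGTH)
    print("dumped block verdict:", check_header(block))
    print("well-formed header verdict:", check_header(sane_header()))
```

Running it shows that the bytes 42 71 58 e0, read as a big-endian uint32, are exactly 1114724576, so the number in the log is not a length at all but the first four bytes of a mis-decrypted block. Since the same mismatch garbles every byte, the fix is to make both ends agree on a cipher implementation they both get right, as the -c blowfish / -c 3des workaround above does, not to loosen the receiver's length check.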
From: wendyp at cray.com (Wendy Palm) Date: Tue, 24 Apr 2001 13:33:51 -0500 Subject: ciphers (was Re: Bad packet length error) References: <3AE4B61A.157CEBDE@corp.usa.net> <3AE5C5C8.78641860@cray.com> Message-ID: <3AE5C70F.EF49983A@cray.com> sorry, misread it. protocol 1 works fine. adding a "Ciphers" list to the ssh_config file for protocol 2 (removing aes) didn't work at all. according to the manpage, the default list is ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc'' so shouldn't i be able to use Ciphers blowfish-cbc,3des-cbc ? wendy Wendy Palm wrote: > > i'm getting the same problem ssh'ing from a cray running 2.5.3p1 > (using either protocol 1 or 2) to another cray running 2.5.3p1 or > to an sgi running 2.5.1p2. > > running from the sgi (2.5.1p2) to the cray (2.5.3p1) works fine. > cray-cray running 2.3 didn't have this problem at all. > > this looks like the rijndael "endianness" problem we found in february. > (see the mail archives, 2001-02-27) > > using -c blowfish or -c 3des works with protocol 1 and 2 > > adding a "Ciphers" list to the ssh_config file for protocol 1 > (removing aes) worked great. however, setting "Cipher" for protocol 2 didn't > work at all. > > wendy > > Tom Orban wrote: > > > > Hello, > > > > I just built openssh-2.5.2p2 on an HP running HP-UX 11.00. Seems now > > when I try and connect to other HP's running ssh with version > > openssh-2.3.0p1 (using protocol version 2), I'm getting disconnected > > because of a "Bad packet length" error: > > > > ssh -v isd1 > > ... > > debug1: ssh_dss_verify: signature correct > > debug1: Wait SSH2_MSG_NEWKEYS. > > debug1: GOT SSH2_MSG_NEWKEYS. > > debug1: send SSH2_MSG_NEWKEYS. > > debug1: done: send SSH2_MSG_NEWKEYS. > > debug1: done: KEX2. > > debug1: send SSH2_MSG_SERVICE_REQUEST > > 42 71 58 e0 7b e7 3b 4f 0d 3d 83 9c a2 01 c6 22 > > Disconnecting: Bad packet length 1114724576. 
<------------ ERROR
> > debug1: Calling cleanup 0x400102a2(0x0)
> > debug1: Calling cleanup 0x400102aa(0x0)
> > debug1: writing PRNG seed to file //.ssh/prng_seed
> > 
> > Other info:
> > - Going from box running 2.3.0p1 to box with 2.5.2p2 works fine with
> > protocol 2.
> > - 2.5.2p2 box to another 2.5.2p2 box works fine.
> > 
> > Workarounds:
> > 1) upgrade offending machine to 2.5.2p2, although I can't for all
> > machines.
> > 2) (Interim fix) connect to offending machine with protocol version 1.
> > 
> > Anyone else seen this behavior? Any chance there's a patch for this?
> > 
> > Thanks.
> > 
> > -Tom
> 
> -- 
> wendy palm
> Cray OS Sustaining Engineering, Cray Inc.
> wendyp at cray.com, 651-605-9154

-- 
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154

From jmknoble at jmknoble.cx Wed Apr 25 04:40:58 2001
From: jmknoble at jmknoble.cx (Jim Knoble)
Date: Tue, 24 Apr 2001 14:40:58 -0400
Subject: HELP! sftp hangs on exit / Bug?
In-Reply-To: <006b01c0ccec$36fef2c0$241064c0@ovro.caltech.edu>; from dwh@ovro.caltech.edu on Tue, Apr 24, 2001 at 11:27:27AM -0700
References: <006b01c0ccec$36fef2c0$241064c0@ovro.caltech.edu>
Message-ID: <20010424144058.C9092@zax.half.pint-stowp.cx>

Circa 2001-Apr-24 11:27:27 -0700 dixit David Hawkins:

: This link failed ... I'd be happy to test a new version.
: Can you check this link and resend any correction

I'm pretty sure that was supposed to be:

  http://www.openssh.com/portable.html

: ----- Original Message -----
:
From:
: To: "David Hawkins"
: Cc: ;
: Sent: Tuesday, April 24, 2001 11:04 AM
: Subject: Re: HELP! sftp hangs on exit / Bug?
: 
: > Can you please test one of the latest snapshots of OpenSSH
: > (http://www.openssh.com/portable)?

-- 
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 249 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010424/0700b0c6/attachment.bin

From gem at rellim.com Wed Apr 25 05:07:11 2001
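The value in Tom Orban's trace, quoted in Wendy Palm's "Bad packet length" message above, is not random: 1114724576 is 0x427158e0, the first four bytes of the 16-byte block printed just before the disconnect, read as the big-endian packet_length of an SSH2 binary packet. The C below is an added example, not OpenSSH code, that reconstructs the receiver's length sanity check on that block and on a constructed, correctly decrypted block for contrast; the 256 KiB upper bound and the 16-byte cipher block size are assumptions of this example, as is the constructed "good" block.

```c
/* Added example (not OpenSSH code): why a cipher mismatch surfaces as
 * "Bad packet length". After NEWKEYS every SSH2 packet is encrypted, and
 * the receiver decrypts the first cipher block to read the 4-byte
 * packet_length that leads it. If the two sides disagree on the cipher
 * (here the rijndael endianness bug the thread refers to), that block
 * decrypts to garbage, so the "length" is an arbitrary 32-bit value and
 * the sanity check rejects it. A defender reading such a log can tell a
 * cipher/keying mismatch from a network problem by exactly this pattern:
 * the dumped block's first four bytes equal the rejected length. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed upper bound for packet_length (256 KiB); treat as an assumption
 * of this example, not a quoted constant. */
#define EXAMPLE_PACKET_MAX_SIZE (256u * 1024u)

/* The 16-byte block from Tom Orban's ssh -v output quoted above. */
static const unsigned char first_block[16] = {
    0x42, 0x71, 0x58, 0xe0, 0x7b, 0xe7, 0x3b, 0x4f,
    0x0d, 0x3d, 0x83, 0x9c, 0xa2, 0x01, 0xc6, 0x22
};

/* Constructed contrast (not from the page): first block of a correctly
 * decrypted SSH2_MSG_SERVICE_REQUEST "ssh-userauth". Payload is 1 byte of
 * type (5) + 4-byte string length (12) + "ssh-userauth" = 17 bytes;
 * packet_length = 1 (padding_length byte) + 17 + 10 bytes padding = 28,
 * so that 4 + 28 = 32 is a multiple of the 16-byte block size. */
static const unsigned char good_block[16] = {
    0x00, 0x00, 0x00, 0x1c, 0x0a, 0x05, 0x00, 0x00,
    0x00, 0x0c, 's',  's',  'h',  '-',  'u',  's'
};

/* packet_length is a big-endian uint32 at the start of the decrypted block. */
uint32_t ssh2_packet_length(const unsigned char *block)
{
    return ((uint32_t)block[0] << 24) | ((uint32_t)block[1] << 16) |
           ((uint32_t)block[2] << 8)  |  (uint32_t)block[3];
}

/* Mirrors the receiver's plausibility check. Returns 1 if the length could
 * belong to a real packet, 0 if the peer would disconnect with
 * "Bad packet length". A packet carries at least the padding_length byte
 * and 4 bytes of random padding, so anything below 1+4 is impossible; the
 * total 4 + packet_length must also be a whole number of cipher blocks. */
int ssh2_packet_length_ok(uint32_t packet_length, size_t block_size)
{
    if (packet_length < 1 + 4)
        return 0;
    if (packet_length > EXAMPLE_PACKET_MAX_SIZE)
        return 0;
    if (((uint64_t)4 + packet_length) % block_size != 0)
        return 0;
    return 1;
}

int main(void)
{
    const unsigned char *blocks[2] = { first_block, good_block };
    const char *names[2] = { "quoted block", "constructed good block" };
    int i;

    for (i = 0; i < 2; i++) {
        uint32_t len = ssh2_packet_length(blocks[i]);
        printf("%s: packet_length = %u (0x%08x) -> %s\n", names[i], len,
               len, ssh2_packet_length_ok(len, 16) ? "ok"
                                                    : "Bad packet length");
    }
    return 0;
}
```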
From: gem at rellim.com (Gary E. Miller)
Date: Tue, 24 Apr 2001 12:07:11 -0700 (PDT)
Subject: Call for testing for coming 2.9 release.
In-Reply-To: 
Message-ID: 

Yo Ben!

On Tue, 24 Apr 2001 mouring at etoh.eviladmin.org wrote:

> If we can get people to test their platforms against the last snapshot/cvs
> tree I'd be grateful. (http://www.openssh.com/portable.html)

First pass, it seems fine on Slackware 7. A few problems on Unixware 7.1.0

> Also, take a moment to see what manpage type ./configure decided for your
> system and if it's 'cat' please let us know.

Here is the config output from Unixware 7.1.0:

OpenSSH configured has been configured with the following options.
                     User binaries: /usr/local/bin
                     User binaries: /usr/local/bin
                   System binaries: /usr/local/sbin
               Configuration files: /usr/local/etc
                   Askpass program: /usr/local/libexec/ssh-askpass
                      Manual pages: /usr/local/man/catX
                          PID file: /usr/local/etc
          Random number collection: Builtin (timeout 200)
                    Manpage format: cat
                       PAM support: no
                KerberosIV support: no
                       AFS support: no
                     S/KEY support: no
              TCP Wrappers support: no
              MD5 password support: no
       IP address in $DISPLAY hack: no
          Use IPv4 by default hack: no
           Translate v4 in v6 hack: no

              Host: i586-sco-sysv5uw7.1.0
          Compiler: cc
    Compiler flags: -g -I. -I. -I/usr/local/include -I/usr/local/ssl/include
      Linker flags: -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/local/ssl
         Libraries: -lsocket -lnsl -lz -lgen -lsocket -lcrypto
      Linker flags: -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/local/ssl

Man pages are now fine. I could compile and install fine, but when I
try to start sshd I get this:

bash-2.03# sshd
error: Could not load host key: /usr/local/etc/ssh_host_dsa_key: Bad file number
Disabling protocol version 1

I deleted this file (and the .pub) and did a new "make install" to regenerate
it. Same results. The key files look OK to me. "sshd -ddd" gives me no
clue.

Everything else seems OK, first pass, on UnixWare 7.1

openssh-SNAP-20010217 runs fine.
I did update from openssl 0.9.6 to 0.9.6a
at the same time, but I doubt that is the problem here.

Any ideas?

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676

From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed Apr 25 05:09:53 2001
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Tue, 24 Apr 2001 21:09:53 +0200
Subject: Call for testing for coming 2.9 release.
In-Reply-To: ; from mouring@etoh.eviladmin.org on Tue, Apr 24, 2001 at 01:01:14PM -0500
References: 
Message-ID: <20010424210953.A13100@serv01.aet.tu-cottbus.de>

On Tue, Apr 24, 2001 at 01:01:14PM -0500, mouring at etoh.eviladmin.org wrote:
> If we can get people to test their platforms against the last snapshot/cvs
> tree I'd be grateful. (http://www.openssh.com/portable.html)

I have just performed another "cvs update" and did not receive any changes
for the last days. The ChangeLog ends 20010420, looking a bit strange as
typically (for every kind of software :-) there is a rush of changes when
a new release is due...
Is the CVS really up to date?

ws01 27: cat CVS/Root
:pserver:cvs at bass.directhit.com:/cvs

Best regards,
	Lutz
-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From pekkas at netcore.fi Wed Apr 25 05:09:58 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Tue, 24 Apr 2001 22:09:58 +0300 (EEST)
Subject: Call for testing for coming 2.9 release.
In-Reply-To: 
Message-ID: 

On Tue, 24 Apr 2001 mouring at etoh.eviladmin.org wrote:
> If we can get people to test their platforms against the last snapshot/cvs
> tree I'd be grateful. (http://www.openssh.com/portable.html)

[ IMO, lots of this is also worth a read for Markus and the rest of the
original OpenSSH folks ]

Tested on RHL62 and RHL71, built an RPM of the snapshot.

There is zero man page documentation for HostbasedAuthentication, either
in ssh.1 or sshd.8. This has to be fixed. Some experimental features
like HostbasedUsesNameFromPacketOnly might be left out, but the main
procedure and the files involved should be added.

HostbasedAuthentication does not seem to consider files like shosts.equiv,
just ~/.shosts. This is a serious shortcoming in campus-like computing
environments, where traditionally hosts.equiv etc. are used. The new
functionality could be easily added, just a few extra checks, I think.

hostbased auth in ssh client is tried after password. Should this be
reversed (at least when this is more tested)?

You can also gather data from the server configuration, like:
---
[...]
debug1: next auth method to try is hostbased
debug1: sig size 20 20
debug1: Remote: Server has been configured to ignore .shosts.
debug1: authentications that can continue: publickey,password,hostbased
debug1: Remote: Server has been configured to ignore .shosts.
[...]
---

Is this notification a feature of the protocol, or some extra information
sshd gives? Some people might call this an unnecessary disclosure (I'm not
too concerned though), and this has its uses.

With:

$ ssh -o HostbasedAuthentication=yes -o PasswordAuthentication=no -v pekkas at netcore.fi
---
[...]
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,hostbased
debug1: next auth method to try is publickey
debug1: try privkey: /home/psavola/.ssh/id_rsa
debug1: try pubkey: /home/psavola/.ssh/id_dsa
debug1: authentications that can continue: publickey,password,hostbased
debug1: next auth method to try is hostbased
debug1: sig size 20 20
debug1: Remote: Accepted by .shosts.
debug1: authentications that can continue: publickey,password,hostbased
debug1: Remote: Accepted by .shosts.
debug1: authentications that can continue: publickey,password,hostbased
debug1: no more auth methods to try
Permission denied (publickey,password,hostbased).
debug1: Calling cleanup 0x8063580(0x0)
[...]
---

Somehow the hostbased ends up being refused after all; dunno why (can't
run sshd -d -d -d at the moment). HostbasedAuthentication is enabled in
sshd_config.

Also: shouldn't the list of authentications that can continue reduce when
previous ones fail or does this list have some other meaning? What I
mean, is the output like:

---
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,hostbased
debug1: next auth method to try is publickey
debug1: try privkey: /home/psavola/.ssh/id_rsa
debug1: try pubkey: /home/psavola/.ssh/id_dsa
debug1: authentications that can continue: hostbased
debug1: next auth method to try is hostbased
debug1: sig size 20 20
debug1: Remote: Accepted by .shosts.
debug1: authentications that can continue: hostbased
debug1: Remote: Accepted by .shosts.
debug1: authentications that can continue: [none]
debug1: no more auth methods to try
---

Also, perhaps it might be a good idea to remove noreplace from sshd_config
in contrib/redhat/openssh.spec %files? It was added by djm, but if you
upgrade (esp.
unattended), you may find yourself in a situation where your sshd_config
changes radically and you can no longer log in.

whew. a long one.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

From gert at greenie.muc.de Wed Apr 25 07:09:17 2001
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 24 Apr 2001 23:09:17 +0200
Subject: Call for testing for coming 2.9 release.
In-Reply-To: ; from mouring@etoh.eviladmin.org on Tue, Apr 24, 2001 at 01:01:14PM -0500
References: 
Message-ID: <20010424230917.B1265@greenie.muc.de>

Hi,

On Tue, Apr 24, 2001 at 01:01:14PM -0500, mouring at etoh.eviladmin.org wrote:
> If we can get people to test their platforms against the last snapshot/cvs
> tree I'd be grateful. (http://www.openssh.com/portable.html)

I tested AIX 4.3 today (snapshot of about 14:00 MET). No issues.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From gert at greenie.muc.de Wed Apr 25 07:49:31 2001
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 24 Apr 2001 23:49:31 +0200
Subject: News from AIX
In-Reply-To: ; from Damien Miller on Fri, Mar 16, 2001 at 10:16:44AM +1100
References: <20010315162230.G27193@greenie.muc.de>
Message-ID: <20010424234931.C1265@greenie.muc.de>

Hi,

On Fri, Mar 16, 2001 at 10:16:44AM +1100, Damien Miller wrote:
> > News from the "AIX is different than the rest of the world" department...
> > 
> > AIX has something similar to setluid() on SCO, just that it uses text
> > strings (similar to setenv()) and calls it "usrinfo". I've appended
> > the man page below.
[..]
> Thanks - how does this work for you? It is based on your patch, except
> the buffer is exactly allocated and usrinfo's return value is checked.

I'm very late in testing, sorry. But I did test the current CVS snapshot
today, and it works like a charm.

Thanks!

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From markus.friedl at informatik.uni-erlangen.de Wed Apr 25 07:56:44 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 24 Apr 2001 23:56:44 +0200
Subject: Call for testing for coming 2.9 release.
In-Reply-To: ; from pekkas@netcore.fi on Tue, Apr 24, 2001 at 10:09:58PM +0300
References: 
Message-ID: <20010424235644.B20530@folly>

On Tue, Apr 24, 2001 at 10:09:58PM +0300, Pekka Savola wrote:
> On Tue, 24 Apr 2001 mouring at etoh.eviladmin.org wrote:
> > If we can get people to test their platforms against the last snapshot/cvs
> > tree I'd be grateful. (http://www.openssh.com/portable.html)
> 
> [ IMO, lots of this is also worth a read for Markus and the rest of the
> original OpenSSH folks ]
> 
> Tested on RHL62 and RHL71, built an RPM of the snapshot.
> 
> There is zero man page documentation for HostbasedAuthentication, either
> in ssh.1 or sshd.8. This has to be fixed. Some experimental features
> like HostbasedUsesNameFromPacketOnly might be left out, but the main
> procedure and the files involved should be added.

this has been fixed.

> HostbasedAuthentication does not seem to consider files like shosts.equiv,
> just ~/.shosts. This is a serious shortcoming in campus-like computing
> environments, where traditionally hosts.equiv etc. are used. The new
> functionality could be easily added, just a few extra checks, I think.

well, HostbasedAuthentication uses the same routine as
RhostsRSAAuthentication for .shosts and friends, so i don't
understand this problem

> hostbased auth in ssh client is tried after password. Should this be
> reversed (at least when this is more tested)?

you can use PreferredAuthentications to change this order.
Currently hostbased is not really tested.

> You can also gather data from the server configuration, like:
> ---
> [...]
> debug1: next auth method to try is hostbased
> debug1: sig size 20 20
> debug1: Remote: Server has been configured to ignore .shosts.
> debug1: authentications that can continue: publickey,password,hostbased
> debug1: Remote: Server has been configured to ignore .shosts.

this is the same for RhostsRSAAuthentication. i think i'll add a switch
to disable debug messages before authentication unless debugging is
enabled in the server.

-m

From dwh at ovro.caltech.edu Wed Apr 25 08:09:17 2001
From: dwh at ovro.caltech.edu (David Hawkins)
Date: Tue, 24 Apr 2001 15:09:17 -0700
Subject: HELP! sftp hangs on exit / Bug?
References: 
Message-ID: <000f01c0cd0b$34ec2740$241064c0@ovro.caltech.edu>

Ok, I downloaded and installed the latest snapshot as referred to below.
The file name was openssh-2.5.2p2, whereas the Cygwin file was
openssh-2.5.2p2-3. I'm not sure what the appropriate dash would be for
this download.

Anyway - sftp no longer hangs - yeah!

BUT, CVS continues to hang ARGGHHH!

So, below I have included a trace of 'cvs -t checkout cvsinfo' where
cvsinfo is a bunch of files setup to explain the setup of CVS. Once these
files have been downloaded to my local machine, the process hangs and I
have to ctrl-c to exit.

From this trace, can anyone comment on whether this is related to ssh or
CVS? CVS works ok with rsh ... so I still suspect something with ssh. I
need to get ssh setup so that I can access the repository through a
firewall.

The last thing that CVS is trying to do is to unlink a file. Perhaps
there is a permission problem. Is that file local or on the remote
machine?

Again, help is appreciated!

Dave

> > ----- Original Message -----
> > From:
> > To: "David Hawkins"
> > Cc: ;
> > Sent: Tuesday, April 24, 2001 11:04 AM
> > Subject: Re: HELP! sftp hangs on exit / Bug?
> > 
> > 
> > > Can you please test one of the latest snapshots of OpenSSH
> > > (http://www.openssh.com/portable)?
> > >
> > > I know there was talk on the list in regards to sftp issues on Cygwin
> > > platform.
> > >
> > > Thanks.
> > >
> > > - Ben
> > >

cvs checkout: notice: main loop with CVSROOT=dwh at inyo:/cvs
 -> Starting server: ssh inyo -l dwh cvs server
S-> do_module (cvsinfo, Updating, , )
S-> do_module (cvsinfo, Updating, , )
S-> Create_Admin (., cvsinfo, /cvs/cvsinfo, , , 0, 0)
S-> unlink(./CVS/Tag)
 -> Create_Admin (cvsinfo, cvsinfo, /cvs/cvsinfo, , , 0, 0)
 -> unlink(cvsinfo/CVS/Tag)
 <- Create_Admin
 -> unlink(CVS/Tag)
 -> ParseInfo(/cvs/CVSROOT/rcsinfo, cvsinfo, ALL)
S<- Create_Admin
S-> fopen(/cvs/CVSROOT/history,a)
S-> unlink(./CVS/Entries.Static)
S-> checkout (/cvs/cvsinfo/WinCvs_rsh_setup.html,v, 1.4, -kb, (function))
S-> server_register(WinCvs_rsh_setup.html, 1.4, , -kb, , , )
S-> Register(WinCvs_rsh_setup.html, 1.4, , -kb, )
S-> checkout (/cvs/cvsinfo/WinCvs_rsh_setup.pdf,v, 1.2, -kb, (function))
S-> server_register(WinCvs_rsh_setup.pdf, 1.2, , -kb, , , )
S-> Register(WinCvs_rsh_setup.pdf, 1.2, , -kb, )
 -> unlink(CVS/Entries.Static)
cvs server: Updating cvsinfo
U cvsinfo/WinCvs_rsh_setup.html
 -> rename(.new.WinCvs_rsh_setup.html,WinCvs_rsh_setup.html)
 -> Register(WinCvs_rsh_setup.html, 1.4, Wed Apr  4 04:27:56 2001, -kb, )
U cvsinfo/WinCvs_rsh_setup.pdf
 -> rename(.new.WinCvs_rsh_setup.pdf,WinCvs_rsh_setup.pdf)
 -> Register(WinCvs_rsh_setup.pdf, 1.2, Wed Apr  4 04:27:56 2001, -kb, )
S-> checkout (/cvs/cvsinfo/WinCvs_rsh_setup.ps,v, 1.2, -kb, (function))
S-> server_register(WinCvs_rsh_setup.ps, 1.2, , -kb, , , )
S-> Register(WinCvs_rsh_setup.ps, 1.2, , -kb, )
U cvsinfo/WinCvs_rsh_setup.ps
 -> rename(.new.WinCvs_rsh_setup.ps,WinCvs_rsh_setup.ps)
 -> Register(WinCvs_rsh_setup.ps, 1.2, Wed Apr  4 04:27:56 2001, -kb, )
S-> checkout (/cvs/cvsinfo/WinCvs_rsh_setup.sdw,v, 1.2, -kb, (function))
S-> server_register(WinCvs_rsh_setup.sdw, 1.2, , -kb, , , )
S-> Register(WinCvs_rsh_setup.sdw, 1.2, , -kb, )
U cvsinfo/WinCvs_rsh_setup.sdw
 -> rename(.new.WinCvs_rsh_setup.sdw,WinCvs_rsh_setup.sdw)
 -> Register(WinCvs_rsh_setup.sdw, 1.2, Wed Apr  4 04:27:56 2001, -kb, )
S-> checkout (/cvs/cvsinfo/WinCvs_rsh_setup.txt,v, 1.1.1.1, -kb, (function))
S-> server_register(WinCvs_rsh_setup.txt, 1.1.1.1, , -kb, , , )
S-> Register(WinCvs_rsh_setup.txt, 1.1.1.1, , -kb, )
S-> checkout (/cvs/cvsinfo/WinCvs_ssh_setup.html,v, 1.2, -kb, (function))
S-> server_register(WinCvs_ssh_setup.html, 1.2, , -kb, , , )
S-> Register(WinCvs_ssh_setup.html, 1.2, , -kb, )
S-> checkout (/cvs/cvsinfo/WinCvs_ssh_setup.pdf,v, 1.2, -kb, (function))
S-> server_register(WinCvs_ssh_setup.pdf, 1.2, , -kb, , , )
S-> Register(WinCvs_ssh_setup.pdf, 1.2, , -kb, )
U cvsinfo/WinCvs_rsh_setup.txt
 -> rename(.new.WinCvs_rsh_setup.txt,WinCvs_rsh_setup.txt)
 -> Register(WinCvs_rsh_setup.txt, 1.1.1.1, Mon Mar 26 23:41:24 001, -kb, )
U cvsinfo/WinCvs_ssh_setup.html
 -> rename(.new.WinCvs_ssh_setup.html,WinCvs_ssh_setup.html)
 -> Register(WinCvs_ssh_setup.html, 1.2, Wed Apr  4 04:27:56 2001, -kb, )
U cvsinfo/WinCvs_ssh_setup.pdf
 -> rename(.new.WinCvs_ssh_setup.pdf,WinCvs_ssh_setup.pdf)
 -> Register(WinCvs_ssh_setup.pdf, 1.2, Wed Apr  4 04:27:56 2001, -kb, )
S-> checkout (/cvs/cvsinfo/WinCvs_ssh_setup.ps,v, 1.2, -kb, (function))
S-> server_register(WinCvs_ssh_setup.ps, 1.2, , -kb, , , )
S-> Register(WinCvs_ssh_setup.ps, 1.2, , -kb, )
U cvsinfo/WinCvs_ssh_setup.ps
 -> rename(.new.WinCvs_ssh_setup.ps,WinCvs_ssh_setup.ps)
 -> Register(WinCvs_ssh_setup.ps, 1.2, Wed Apr  4 04:27:56 2001, -kb, )
S-> checkout (/cvs/cvsinfo/WinCvs_ssh_setup.sdw,v, 1.2, -kb, (function))
S-> server_register(WinCvs_ssh_setup.sdw, 1.2, , -kb, , , )
S-> Register(WinCvs_ssh_setup.sdw, 1.2, , -kb, )
U cvsinfo/WinCvs_ssh_setup.sdw
 -> rename(.new.WinCvs_ssh_setup.sdw,WinCvs_ssh_setup.sdw)
 ->
Register(WinCvs_ssh_setup.sdw, 1.2, Wed Apr  4 04:27:56 2001, -kb, )
S-> checkout (/cvs/cvsinfo/WinCvs_ssh_setup.txt,v, 1.1.1.1, -kb, (function))
S-> server_register(WinCvs_ssh_setup.txt, 1.1.1.1, , -kb, , , )
S-> Register(WinCvs_ssh_setup.txt, 1.1.1.1, , -kb, )
U cvsinfo/WinCvs_ssh_setup.txt
 -> rename(.new.WinCvs_ssh_setup.txt,WinCvs_ssh_setup.txt)
 -> Register(WinCvs_ssh_setup.txt, 1.1.1.1, Mon Mar 26 23:41:24 001, -kb, )
S-> checkout (/cvs/cvsinfo/wincvs11.pdf,v, 1.1, -kb, (function))
S-> server_register(wincvs11.pdf, 1.1, , -kb, , , )
S-> Register(wincvs11.pdf, 1.1, , -kb, )
U cvsinfo/wincvs11.pdf
 -> rename(.new.wincvs11.pdf,wincvs11.pdf)
 -> Register(wincvs11.pdf, 1.1, Thu Apr  5 01:12:38 2001, -kb, )
S-> rename(CVS/Entries.Backup,CVS/Entries)
S-> unlink(CVS/Entries.Log)
 -> rename(CVS/Entries.Backup,CVS/Entries)
 -> unlink(CVS/Entries.Log)
Killed by signal 2.
cvs [checkout aborted]: received interrupt signal

From cls at radiate.com Wed Apr 25 08:29:47 2001
From: cls at radiate.com (Chris Seawood)
Date: Tue, 24 Apr 2001 15:29:47 -0700
Subject: Call for testing for coming 2.9 release.
References: <20010424235644.B20530@folly>
Message-ID: <3AE5FE5B.4060500@radiate.com>

> If we can get people to test their platforms against the last snapshot/cvs
> tree I'd be grateful. (http://www.openssh.com/portable.html)
> 

A snapshot pulled from CVS this afternoon (15:00 PST) appears to fix the
immediate logout on login problem I was seeing with the 2.5.2p2 release
but the hang waiting for background processes to exit problem still
exists. Are there any plans to fix this before the next release?

Btw, the workaround listed in the FAQ must only apply to bash2 as bash1
from the RedHat 6.2 dist complains about the 'shopt' command.

- cls

From NetZoom.USA at AltimaTech.com Tue Apr 24 17:43:59 2001
From: NetZoom.USA at AltimaTech.com (Product Manager)
Date: Tue, 24 Apr 2001 17:43:59
Subject: Network Diagrams - the professional way
Message-ID: <20010424224509.5C9934002@bb.vitnet.com.sg>

Essential Tool for Every Professional:

Now there is an easy way to prepare dynamic network diagrams and proposals
that really get the point across! Use NetZoom, an inexpensive solution
starting at $99, to get detailed exact-replica images of your equipment in
either Visio stencils or in a compact add-on to your favorite application
including Visio, Adobe Illustrator, Microsoft PowerPoint, CorelDRAW,
FrontPage, and many others.

NetZoom has over 35,000 updated detailed network equipment shapes
representing over 750 manufacturers' equipment. We take customer requests
to draw equipment shapes not already in NetZoom and provide updated shapes
via web download 24x7.

Visit http://www.altimatech.com for more information.

To see sample network diagrams/presentations created with NetZoom, please
visit http://www.altimatech.com/altimatech/products/samplenetworks.htm

To download a demo version of NetZoom, please visit:
http://www.altimatech.com/altimatech/products/demodownload.htm

Best Regards,
Altima Technologies, Inc.
**The Leader in Network Diagramming Solutions**

Contact Information:
Altima Technologies, Inc.
799 Roosevelt Road, Building 6
Glen Ellyn, IL 60137 USA
Phone: 630.790.0500
Fax: 630.790.9995
Email: info at altimatech.com
http://www.altimatech.com/

-----------------------------------------------------------------
If you prefer not to receive future email communications from Altima
Technologies, Inc., please click here mailto: NZ.Remove at altimatech.com

Altima Technologies, Inc does not share your email information with other
organizations. Your email address is used solely to keep you updated on
Altima Technologies, Inc products, updates, events and special offers.
-----------------------------------------------------------------

From stevesk at pobox.com Wed Apr 25 08:55:57 2001
From: stevesk at pobox.com (Kevin Steves)
Date: Wed, 25 Apr 2001 00:55:57 +0200 (CEST)
Subject: man pages screwed
In-Reply-To: 
Message-ID: 

On Mon, 16 Apr 2001, Damien Miller wrote:
: Excellent - thanks heaps! I have committed this, could people please
: test CVS head to make sure it gets your manpages right now?

it seems to hiccup starting at some markup here (hp-ux 11.0):

     ListenAddress
          Specifies the local addresses sshd should listen on.  The
          following forms may be used:

               ListenAddress host|IPv4_addr|IPv6_addr
               ListenAddress host|IPv4_addr:port
               ListenAddress [host|IPv6_addr]:port

          If port is not specified, sshd will listen on the address and
          all prior Port options specified.  The default is to listen on
          all local addresses.  Multiple ListenAddress options are
          permitted.  Additionally, any Port options must precede this
          option for non port qualified addresses.

     It LoginGraceTime
          The server disconnects after this time if the user has not
          successfully logged in.  If the value is 0, there is no time
          limit.  The default is 600 (seconds).

     It LogLevel
          Gives the verbosity level that is used when logging messages
          from sshd.  The possible values are: QUIET, FATAL, ERROR,
          INFO, VERBOSE and DEBUG.  The default is INFO.  Logging with
          level DEBUG violates the privacy of users and is not
          recommended.

     It MACs
          Specifies the available MAC (message authentication code)
          algorithms.  The MAC algorithm is used in protocol version 2
          for data integrity protection.  Multiple algorithms must be
          comma-separated.  The

                                - 7 -       Formatted:  April 24, 2001

SSHD(8)                                                         SSHD(8)
                                                 September 25, 1999

From tim at multitalents.net Wed Apr 25 10:31:24 2001
From: tim at multitalents.net (Tim Rice)
Date: Tue, 24 Apr 2001 17:31:24 -0700 (PDT)
Subject: Call for testing for coming 2.9 release.
In-Reply-To: 
Message-ID: 

On Tue, 24 Apr 2001, Gary E. Miller wrote:

> Yo Ben!
> 
> On Tue, 24 Apr 2001 mouring at etoh.eviladmin.org wrote:
> 
> > If we can get people to test their platforms against the last snapshot/cvs
> > tree I'd be grateful. (http://www.openssh.com/portable.html)
> First pass, it seems fine on Slackware 7. A few problems on Unixware 7.1.0
> 
> > Also, take a moment to see what manpage type ./configure decided for your
> > system and if it's 'cat' please let us know.
> 
> Here is the config output from Unixware 7.1.0:
> 
> OpenSSH configured has been configured with the following options.
>                      User binaries: /usr/local/bin
>                      User binaries: /usr/local/bin
>                    System binaries: /usr/local/sbin
>                Configuration files: /usr/local/etc
>                    Askpass program: /usr/local/libexec/ssh-askpass
>                       Manual pages: /usr/local/man/catX
>                           PID file: /usr/local/etc
>           Random number collection: Builtin (timeout 200)
>                     Manpage format: cat

Hmm, uses man like it should here.
                      Manual pages: /usr/local/man/manX
                    Manpage format: man
(more below)

>                        PAM support: no
>                 KerberosIV support: no
>                        AFS support: no
>                      S/KEY support: no
>               TCP Wrappers support: no
>               MD5 password support: no
>        IP address in $DISPLAY hack: no
>           Use IPv4 by default hack: no
>            Translate v4 in v6 hack: no
> 
>               Host: i586-sco-sysv5uw7.1.0
>           Compiler: cc
>     Compiler flags: -g -I. -I. -I/usr/local/include -I/usr/local/ssl/include
>       Linker flags: -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/local/ssl
>          Libraries: -lsocket -lnsl -lz -lgen -lsocket -lcrypto
>       Linker flags: -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/local/ssl
> 
> Man pages are now fine.
I could compile and install fine, but when I
> try to start sshd I get this:
> 
> bash-2.03# sshd
> error: Could not load host key: /usr/local/etc/ssh_host_dsa_key: Bad file number
> Disabling protocol version 1
> 
> I deleted this file (and the .pub) and did a new "make install" to regenerate
> it. Same results. The key files look OK to me. "sshd -ddd" gives me no
> clue.
> 
> Everything else seems OK, first pass, on UnixWare 7.1
> 
> openssh-SNAP-20010217 runs fine. I did update from openssl 0.9.6 to 0.9.6a
> at the same time, but I doubt that is the problem here. Any ideas?

It's working fine here on UnixWare 7.1.0 even with openssl 0.9.6a

Try moving your sshd_config file somewhere else and doing a make install

> 
> RGDS
> GARY
> ---------------------------------------------------------------------------
> Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
> gem at rellim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676
> 
> 

-- 
Tim Rice                                Multitalents      (707) 887-1469
tim at multitalents.net

From wayne at blorf.net Wed Apr 25 10:34:30 2001
From: wayne at blorf.net (Wayne Davison)
Date: Tue, 24 Apr 2001 17:34:30 -0700 (PDT)
Subject: Call for testing for coming 2.9 release.
In-Reply-To: 
Message-ID: 

On Tue, 24 Apr 2001 mouring at etoh.eviladmin.org wrote:
> If we can get people to test their platforms against the last snapshot/cvs
> tree I'd be grateful. (http://www.openssh.com/portable.html)

The snapshot hasn't been updated since the May 19th. The CVS version
has some changes from the 20th, but nothing more recent. Is there
anything newer that we're supposed to be testing? The version.h file
says that it is "OpenSSH_2.5.4p1", and it was last changed on the 5th
of April. (This all refers to the bass.directhit.com site that is
referenced on the portable.html web page.)

One simple change that is needed is to fix the check for perl5 in
configure. The check fails if "perl5" is not found because it does
not check for just "perl" (since it's calling the wrong macro).
Here's a patch:

Index: configure.in
@@ -12,7 +12,7 @@
 AC_PROG_RANLIB
 AC_PROG_INSTALL
 AC_PATH_PROG(AR, ar)
-AC_PATH_PROG(PERL, perl5 perl)
+AC_PATH_PROGS(PERL, perl5 perl)
 AC_SUBST(PERL)
 AC_PATH_PROG(ENT, ent)
 AC_SUBST(ENT)

Once this is fixed, the man pages got properly generated in "man"
format for Solaris 2.6 (x86).

I noticed that the changes that are needed to get ssh to work on
Solaris using "UseLogin true" are not present in the CVS version.
I've ported them to the version I just grabbed from CVS -- shall I
send an updated diff?

..wayne..

From wayne at blorf.net Wed Apr 25 10:41:16 2001
From: wayne at blorf.net (Wayne Davison)
Date: Tue, 24 Apr 2001 17:41:16 -0700 (PDT)
Subject: Call for testing for coming 2.9 release.
In-Reply-To: 
Message-ID: 

On Tue, 24 Apr 2001, Wayne Davison wrote:
> The snapshot hasn't been updated since the May 19th. The CVS version

Sorry, I meant to say "since April 19th".

..wayne..

From mouring at etoh.eviladmin.org Wed Apr 25 10:42:42 2001
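Review bot: in Wayne Davison's configure.in hunk above, the macro change itself is correct, since AC_PATH_PROG takes a single program name while AC_PATH_PROGS searches a whitespace-separated list, but the hunk still leaves PERL empty when neither perl5 nor perl is found, so a `test -z "$PERL"` guarded by AC_MSG_ERROR (or AC_MSG_WARN, if perl is only needed for optional steps such as man page conversion) directly after the `AC_SUBST(PERL)` context line would make that a clear configure-time failure instead of a puzzling later build error. The patch also carries only an `Index:` line and no `---`/`+++` file header, so whoever applies it depends on patch(1) honouring the Index line from the source root.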
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Tue, 24 Apr 2001 19:42:42 -0500 (CDT)
Subject: Private Snapshot (Re: Call for testing for coming 2.9 release.)
In-Reply-To: 
Message-ID: 

Since there seems to be an issue with the CVS/Snapshot server. I'm making
a private snapshot.

http://www.eviladmin.org/~mouring/openssh/openssh-20010424bal.tar.gz

Just be kind.. It is my link to the outside world. =)

- Ben

On Tue, 24 Apr 2001, Wayne Davison wrote:

> On Tue, 24 Apr 2001 mouring at etoh.eviladmin.org wrote:
> > If we can get people to test their platforms against the last snapshot/cvs
> > tree I'd be grateful. (http://www.openssh.com/portable.html)
> 
> The snapshot hasn't been updated since the May 19th. The CVS version
> has some changes from the 20th, but nothing more recent. Is there
> anything newer that we're supposed to be testing? The version.h file
> says that it is "OpenSSH_2.5.4p1", and it was last changed on the 5th
> of April. (This all refers to the bass.directhit.com site that is
> referenced on the portable.html web page.)
> 
> One simple change that is needed is to fix the check for perl5 in
> configure. The check fails if "perl5" is not found because it does
> not check for just "perl" (since it's calling the wrong macro).
> Here's a patch:
> 
> Index: configure.in
> @@ -12,7 +12,7 @@
>  AC_PROG_RANLIB
>  AC_PROG_INSTALL
>  AC_PATH_PROG(AR, ar)
> -AC_PATH_PROG(PERL, perl5 perl)
> +AC_PATH_PROGS(PERL, perl5 perl)
>  AC_SUBST(PERL)
>  AC_PATH_PROG(ENT, ent)
>  AC_SUBST(ENT)
> 
> Once this is fixed, the man pages got properly generated in "man"
> format for Solaris 2.6 (x86).
> 
> I noticed that the changes that are needed to get ssh to work on
> Solaris using "UseLogin true" are not present in the CVS version.
> I've ported them to the version I just grabbed from CVS -- shall I
> send an updated diff?
> 
> ..wayne..
> 
> 

From mikem at alaska.net Wed Apr 25 11:22:02 2001
From: mikem at alaska.net (mikem at alaska.net)
Date: Tue, 24 Apr 2001 17:22:02 -0800 (AKDT)
Subject: Functionality bug (possibly) in openssh on AIX 4.3
Message-ID: 

Hi Folks,

While compiling and testing openssh-2.5.2p2 on various AIX platforms, I've
found that ssh will not accept root (based on ssh key credentials) logins
at all if the AIX security features have been set to disallow remote root
logins. If I disable the AIX security feature (enable remote root logins),
I can then do bad things like rsh, telnet, etc. into the box as root. This
deviates somewhat from a linux (via /etc/securetty) or solaris machine
where you can disallow root logins and still have ssh allow root access
based upon credentials (i.e. PermitRootLogin without-password)

I'm submitting the patch I came up with for your consideration, but I'm
concerned that by allowing this functionality I've created a potential
hole. I've gone over it several times, but I'm still paranoid.

The patch basically excludes checking for restricted logins for root on a
system that has AIX_AUTHENTICATE defined. All other users are checked
against the AIX authentication mechanism in the normal fashion.

If you do see something glaringly wrong with this approach, please let me
know so I can fix it. If it does make sense, then I'd like to see the
change incorporated into the next release so that others who've
experienced the same problems I have can have some relief.

I've tested this on AIX 4.3.x only, and it doesn't appear to be necessary
on older 3.2 systems, although it shouldn't hurt anything if it's applied
on those OSs.

Thanks in advance for your consideration and review of this.

Sincerely,

Mike Messick                    email: mikem at alaska.net
Information Security Architect
Phillips Alaska, Inc.
PGP Key Fingerprint: 2048/0x57318496 053B 412B 82FC 3808 E141 CDCD 74AE 01C5 5731 8496 -------------- next part -------------- *** auth.c Tue Apr 24 16:01:02 2001 --- ../openssh-2.5.2p2/auth.c Mon Mar 19 13:15:57 2001 *************** *** 142,164 **** } #ifdef WITH_AIXAUTHENTICATE ! if ((pw->pw_uid != 0) && (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0)) { ! if (loginmsg && *loginmsg) { ! /* Remove embedded newlines (if any) */ ! char *p; ! for (p = loginmsg; *p; p++) { ! if (*p == '\n') ! *p = ' '; ! } ! /* Remove trailing newline */ ! *--p = '\0'; ! log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); ! } ! return 0; ! } #endif /* WITH_AIXAUTHENTICATE */ - - /* We found no reason not to let this user try to log on... */ return 1; --- 142,162 ---- } #ifdef WITH_AIXAUTHENTICATE ! if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { ! if (loginmsg && *loginmsg) { ! /* Remove embedded newlines (if any) */ ! char *p; ! for (p = loginmsg; *p; p++) { ! if (*p == '\n') ! *p = ' '; ! } ! /* Remove trailing newline */ ! *--p = '\0'; ! log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); ! } ! return 0; ! } #endif /* WITH_AIXAUTHENTICATE */ /* We found no reason not to let this user try to log on... */ return 1; From tim at multitalents.net Wed Apr 25 12:00:17 2001 From: tim at multitalents.net (Tim Rice) Date: Tue, 24 Apr 2001 19:00:17 -0700 (PDT) Subject: Call for testing for coming 2.9 release. In-Reply-To: Message-ID: On Tue, 24 Apr 2001, Wayne Davison wrote: > > Index: configure.in 
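Review bot: The diff is generated in the wrong direction: in a context diff the `***` file is the original and the `---` file is the modified one, yet here `*** auth.c` carries the Apr 24 timestamp of the edited copy and `--- ../openssh-2.5.2p2/auth.c` is the pristine source, so `patch` applied as-is would take the `(pw->pw_uid != 0) &&` guard out rather than put it in; regenerate it with the files in the other order or say that it needs `patch -R`. On the change itself, the guard skips `loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg)` for every uid-0 account, not only the one named `root`, which leaves `PermitRootLogin` as the sole control on root logins over ssh for `WITH_AIXAUTHENTICATE` builds; that is what the covering mail asks for, but it deserves a comment at the `#ifdef` and a `log()` line so that the bypass of the AIX restriction check for uid 0 is visible in the sshd log. The pair of removed blank lines before `/* We found no reason not to let this user try to log on... */` is whitespace only and can be left out of the diff.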
> @@ -12,7 +12,7 @@ > AC_PROG_RANLIB > AC_PROG_INSTALL > AC_PATH_PROG(AR, ar) > -AC_PATH_PROG(PERL, perl5 perl) > +AC_PATH_PROGS(PERL, perl5 perl) > AC_SUBST(PERL) > AC_PATH_PROG(ENT, ent) > AC_SUBST(ENT) > > Once this is fixed, the man pages got properly generated in "man" > format for Solaris 2.6 (x86). I fixed this a few days ago. > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From gem at rellim.com Wed Apr 25 13:34:38 2001 From: gem at rellim.com (Gary E. Miller) Date: Tue, 24 Apr 2001 20:34:38 -0700 (PDT) Subject: Call for testing for coming 2.9 release. In-Reply-To: Message-ID: Yo Tim! On Tue, 24 Apr 2001, Tim Rice wrote: > > Here is the config output from Unixware 7.1.0: > > Manual pages: /usr/local/man/catX > > Hmm, uses man like it should here. > Manual pages: /usr/local/man/manX > Manpage format: man I also tried manually installing the man pages and the man version I have will not present them correctly. I did a "strings" on the man page and there is no version number. The ls shows: -rwxr-xr-x 1 bin bin 36164 Mar 5 1999 /usr/bin/man > It's working fine here on UnixWare 7.1.0 even with openssl 0.9.6a > > Try moving your sshd_config file somewhere else and doing a make install I used the sshd_config from the distribution. Same results. BTW, I am installing openssh-SNAP-20010420. Is yours a fresh install of 7.1.0? I have a 7.0.1 updated to 7.1.0 What are your config options? Here are mine: ./configure --libdir=/usr/local/lib \ --with-default-path=/usr/local/bin:/usr/sbin:/bin:/usr/bin:/usr/ucb RGDS GARY --------------------------------------------------------------------------- Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701 gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676 From tomh at po.crl.go.jp Wed Apr 25 13:55:50 2001 
From: tomh at po.crl.go.jp (Tom Holroyd) Date: Wed, 25 Apr 2001 12:55:50 +0900 (JST) Subject: Call for testing for coming 2.9 release. Message-ID: Alpha Linux RedHat. readpass.c: In function `read_passphrase': readpass.c:120: warning: passing arg 2 of `ssh_askpass' discards qualifiers from pointer target type auth-passwd.c: In function `auth_password': auth-passwd.c:209: warning: implicit declaration of function `crypt' auth-passwd.c:209: warning: assignment makes pointer from integer without a cast sftp-server.c: In function `process_read': sftp-server.c:440: warning: long long unsigned int format, long unsigned int arg (arg 4) sftp-server.c: In function `process_write': sftp-server.c:481: warning: long long unsigned int format, long unsigned int arg (arg 4) sftp-server.c: In function `ls_file': sftp-server.c:724: warning: long long unsigned int format, long unsigned int arg (arg 8) sftp-client.c: In function `do_download': sftp-client.c:745: warning: long long unsigned int format, long unsigned int arg (arg 3) sftp-client.c:778: warning: long long unsigned int format, long unsigned int arg (arg 3) sftp-client.c: In function `do_upload': sftp-client.c:899: warning: long long unsigned int format, long unsigned int arg (arg 3) sftp-client.c:910: warning: long long unsigned int format, long unsigned int arg (arg 3) The one in auth-passwd.c is bad because sizeof(void *) == 8 but sizeof(int) == 4. From carson at taltos.org Wed Apr 25 14:38:46 2001 
From: carson at taltos.org (Carson Gaspar) Date: Tue, 24 Apr 2001 21:38:46 -0700 Subject: configure.in aclocal.m4 patch against CVS Message-ID: <441275500.988148326@ZATHROS> The attached unified diff fixes configure so that all --with-libfoo options are allowed to be --with-libfoo=PATH. If the option is specified with a PATH, only that PATH is searched for the library. If it is specified as =yes or with no argument, it tries without modifying anything, and then tries looking in /usr/local. The SunOS5 targets no longer add /usr/local to include or library paths unless something actually lives there. The same change should probably be made for other targets, but I didn't as I cannot test them. -- Carson Gaspar - carson at taltos.org Queen trapped in a butch body From carson at taltos.org Wed Apr 25 14:48:13 2001 From: carson at taltos.org (Carson Gaspar) Date: Tue, 24 Apr 2001 21:48:13 -0700 Subject: Once more, with diffs... (configure.in aclocal.m4 patch against CVS) Message-ID: <441841812.988148893@ZATHROS> The attached unified diff fixes configure so that all --with-libfoo options are allowed to be --with-libfoo=PATH. If the option is specified with a PATH, only that PATH is searched for the library. If it is specified as =yes or with no argument, it tries without modifying anything, and then tries looking in /usr/local. The SunOS5 targets no longer add /usr/local to include or library paths unless something actually lives there. The same change should probably be made for other targets, but I didn't as I cannot test them. -- Carson Gaspar - carson at taltos.org Queen trapped in a butch body -------------- next part -------------- A non-text attachment was scrubbed... Name: confdiff Type: application/octet-stream Size: 12186 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010424/91cdf97c/attachment.obj From tim at multitalents.net Wed Apr 25 15:07:53 2001 
From: tim at multitalents.net (Tim Rice)
Date: Tue, 24 Apr 2001 22:07:53 -0700 (PDT)
Subject: Call for testing for coming 2.9 release.
In-Reply-To:
Message-ID:

On Tue, 24 Apr 2001, Gary E. Miller wrote:

> Yo Tim!
>
> On Tue, 24 Apr 2001, Tim Rice wrote:
>
> > > Here is the config output from Unixware 7.1.0:
> > > Manual pages: /usr/local/man/catX
> >
> > Hmm, uses man like it should here.
> > Manual pages: /usr/local/man/manX
> > Manpage format: man
>
> I also tried manually installing the man pages and the man version
> I have will not present them correctly. I did a "strings" on
> the man page and there is no version number. The ls shows:
>
> -rwxr-xr-x 1 bin bin 36164 Mar 5 1999 /usr/bin/man
>
> > It's working fine here on UnixWare 7.1.0 even with openssl 0.9.6a
> >
> > Try moving your sshd_config file somewhere else and doing a make install
>
> I used the sshd_config from the distribution. Same results.
>
> BTW, I am installing openssh-SNAP-20010420.

I made some small changes on the 21st to fix the man pages on UnixWare.
I'm using today's CVS.

> Is yours a fresh install of 7.1.0? I have a 7.0.1 updated to 7.1.0

Fresh 7.1.0 with lots of ptfs

> What are your config options? Here are mine:
>
> ./configure --libdir=/usr/local/lib \
> --with-default-path=/usr/local/bin:/usr/sbin:/bin:/usr/bin:/usr/ucb

src/configure --with-default-path=/usr/bin:/usr/X/bin:/usr/local/bin -\
-with-tcp-wrappers 2>&1 | tee x.conf

> RGDS
> GARY
> ---------------------------------------------------------------------------
> Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
> gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From carson at taltos.org Wed Apr 25 15:31:45 2001
From: carson at taltos.org (Carson Gaspar)
Date: Tue, 24 Apr 2001 22:31:45 -0700
Subject: Makefile.in diff against CVS to prevent man/config rebuild every make
Message-ID: <444453812.988151505@ZATHROS>

Bug: all .out files get rebuilt every make. This is silly, and breaks make install if root cannot write to your build dir.

Fix: add dependency check so .out files only get rebuilt if the source file changes

FixBug: if any source file gets changed, all .out files get rebuilt. This is because man pages and config files both get .out extensions but get created differently. It's sub-optimal, but still better than what's in CVS.

--
Carson Gaspar - carson at taltos.org
Queen trapped in a butch body
-------------- next part --------------
A non-text attachment was scrubbed...
Name: makediff
Type: application/octet-stream
Size: 3275 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010424/daf23224/attachment.obj

From carson at taltos.org Wed Apr 25 15:48:32 2001
From: carson at taltos.org (Carson Gaspar)
Date: Tue, 24 Apr 2001 22:48:32 -0700
Subject: Corrected Makefile.in diff
Message-ID: <445461515.988152512@ZATHROS>

I attached a broken diff to my last mail. This one actually works. Sorry for the brain-o's tonight...

--
Carson Gaspar - carson at taltos.org
Queen trapped in a butch body
-------------- next part --------------
A non-text attachment was scrubbed...
Name: makediff
Type: application/octet-stream
Size: 3569 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010424/1af68e95/attachment.obj

From mouring at etoh.eviladmin.org Wed Apr 25 16:19:36 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 25 Apr 2001 01:19:36 -0500 (CDT) Subject: NeXT // Broken _POSIX_SAVED_ID patch Message-ID: Ok, for those running NeXT and other platforms with broken/missing _POSIX_SAVED_ID please try this patch, and anyone that has spent any amount of time dealing with this problem. I believe it's right. BTW, this patch is nowhere near as big as it looks. The patch was done against an early version of the tree which had an issue with white space. - Ben --- ../openssh/uidswap.c Sun Apr 22 06:58:50 2001 +++ uidswap.c.new Tue Apr 24 20:13:22 2001 @@ -26,17 +26,21 @@ * POSIX saved uids or not. */ +#if defined(_POSIX_SAVED_IDS) && !defined(BROKEN_SAVED_UIDS) /* Lets assume that posix saved ids also work with seteuid, even though that is not part of the posix specification. */ - +#define SAVED_IDS_WORK_WITH_SETEUID +/* Saved effective uid. */ +static uid_t saved_euid = 0; +static gid_t saved_egid = 0; +#endif + /* Saved effective uid. */ static int privileged = 0; static int temporarily_use_uid_effective = 0; -static uid_t saved_euid = 0; -static gid_t saved_egid; static gid_t saved_egroups[NGROUPS_MAX], user_groups[NGROUPS_MAX]; static int saved_egroupslen = -1, user_groupslen = -1; - + /* * Temporarily changes to the given uid. If the effective user * id is not root, this does nothing. This call cannot be nested.
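Review bot: After this hunk the `/* Saved effective uid. */` comment appears twice, and the second copy now sits above `static int privileged = 0;`, which it does not describe; drop the second copy. Since `saved_euid` and `saved_egid` are now declared only under `#if defined(_POSIX_SAVED_IDS) && !defined(BROKEN_SAVED_UIDS)`, every remaining reference to them in the file has to be inside `#ifdef SAVED_IDS_WORK_WITH_SETEUID` or the non-saved-ids build breaks; the later hunks do this, but it is worth a compile on a `BROKEN_SAVED_UIDS` configuration before merging. The `-`/`+` pairs that only change blank lines are the whitespace noise the mail mentions and can be dropped from the final diff.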
@@ -44,42 +48,57 @@ void temporarily_use_uid(struct passwd *pw) { - /* Save the current euid, and egroups. */ - saved_euid = geteuid(); - debug("temporarily_use_uid: %d/%d (e=%d)", - pw->pw_uid, pw->pw_gid, saved_euid); - if (saved_euid != 0) { - privileged = 0; - return; - } - privileged = 1; - temporarily_use_uid_effective = 1; + /* Save the current euid, and egroups. */ +#ifdef SAVED_IDS_WORK_WITH_SETEUID + saved_euid = geteuid(); saved_egid = getegid(); - saved_egroupslen = getgroups(NGROUPS_MAX, saved_egroups); - if (saved_egroupslen < 0) - fatal("getgroups: %.100s", strerror(errno)); - - /* set and save the user's groups */ - if (user_groupslen == -1) { - if (initgroups(pw->pw_name, pw->pw_gid) < 0) - fatal("initgroups: %s: %.100s", pw->pw_name, - strerror(errno)); - user_groupslen = getgroups(NGROUPS_MAX, user_groups); - if (user_groupslen < 0) - fatal("getgroups: %.100s", strerror(errno)); - } - /* Set the effective uid to the given (unprivileged) uid. */ + debug("temporarily_use_uid: %d/%d (e=%d)", + pw->pw_uid, pw->pw_gid, saved_euid); + if (saved_euid != 0) { + privileged = 0; + return; + } +#else + if (geteuid() != 0) { + privileged = 0; + return; + } +#endif /* SAVED_IDS_WORK_WITH_SETEUID */ + + privileged = 1; + temporarily_use_uid_effective = 1; + saved_egroupslen = getgroups(NGROUPS_MAX, saved_egroups); + if (saved_egroupslen < 0) + fatal("getgroups: %.100s", strerror(errno)); + + /* set and save the user's groups */ + if (user_groupslen == -1) { + if (initgroups(pw->pw_name, pw->pw_gid) < 0) + fatal("initgroups: %s: %.100s", pw->pw_name, + strerror(errno)); + user_groupslen = getgroups(NGROUPS_MAX, user_groups); + if (user_groupslen < 0) + fatal("getgroups: %.100s", strerror(errno)); + } + /* Set the effective uid to the given (unprivileged) uid. 
*/ if (setgroups(user_groupslen, user_groups) < 0) fatal("setgroups: %.100s", strerror(errno)); - pw->pw_gid = pw->pw_gid; +#ifndef SAVED_IDS_WORK_WITH_SETEUID + /* Propagate the privileged gid to all of our gids. */ + if (setgid(getegid()) < 0) + debug("setgid %u: %.100s", (u_int) getegid(), strerror(errno)); + /* Propagate the privileged uid to all of our uids. */ + if (setuid(geteuid()) < 0) + debug("setuid %u: %.100s", (u_int) geteuid(), strerror(errno)); +#endif /* SAVED_IDS_WORK_WITH_SETEUID */ if (setegid(pw->pw_gid) < 0) - fatal("setegid %u: %.100s", (u_int) pw->pw_gid, - strerror(errno)); - if (seteuid(pw->pw_uid) == -1) - fatal("seteuid %u: %.100s", (u_int) pw->pw_uid, - strerror(errno)); + fatal("setegid %u: %.100s", (u_int) pw->pw_gid, + strerror(errno)); + if (seteuid(pw->pw_uid) == -1) + fatal("seteuid %u: %.100s", (u_int) pw->pw_uid, + strerror(errno)); } - + /* * Restores to the original (privileged) uid. */ @@ -92,13 +111,27 @@ return; if (!temporarily_use_uid_effective) fatal("restore_uid: temporarily_use_uid not effective"); + +#ifdef SAVED_IDS_WORK_WITH_SETEUID /* Set the effective uid back to the saved privileged uid. */ if (seteuid(saved_euid) < 0) - fatal("seteuid %u: %.100s", (u_int) saved_euid, strerror(errno)); + fatal("seteuid %u: %.100s", (u_int) saved_euid, + strerror(errno)); + if (setegid(saved_egid) < 0) + fatal("setegid %u: %.100s", (u_int) saved_egid, + strerror(errno)); +#else /* SAVED_IDS_WORK_WITH_SETEUID */ + /* + * We are unable to restore the real uid to its unprivileged value. + * Propagate the real uid (usually more privileged) to effective uid + * as well. + */ + setuid(getuid()); + setgid(getgid()); +#endif /* SAVED_IDS_WORK_WITH_SETEUID */ + if (setgroups(saved_egroupslen, saved_egroups) < 0) fatal("setgroups: %.100s", strerror(errno)); - if (setegid(saved_egid) < 0) - fatal("setegid %u: %.100s", (u_int) saved_egid, strerror(errno)); temporarily_use_uid_effective = 0; } From carson at taltos.org Wed Apr 25 16:39:39 2001 
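Review bot: In the `#ifndef SAVED_IDS_WORK_WITH_SETEUID` block added before `setegid(pw->pw_gid)`, a failing `setgid(getegid())` or `setuid(geteuid())` is only reported with `debug()` and execution continues into `seteuid(pw->pw_uid)`, while every other privilege change in `temporarily_use_uid()` is `fatal()`. On that path `restore_uid()` relies on the real uid having been made privileged, so if the propagation silently fails the later `setuid(getuid())` cannot regain root and the failure surfaces far from its cause; make both `fatal()` for consistency. Removing the `pw->pw_gid = pw->pw_gid;` self-assignment is a good cleanup; it was a no-op.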
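Review bot: In the `#else` branch of `restore_uid()` the return values of `setuid(getuid())` and `setgid(getgid())` are discarded, whereas the `SAVED_IDS_WORK_WITH_SETEUID` branch treats a failed `seteuid(saved_euid)` or `setegid(saved_egid)` as `fatal()`; check them the same way, since continuing with an unexpected uid is worse than exiting. The comment above them ("We are unable to restore the real uid to its unprivileged value") reads backwards for a function whose job is to regain privilege; something like "no saved ids: copy the (privileged) real uid/gid back over the effective ids" would say what the code does. The ordering is right in both branches: uid regained before gid, and `setgroups(saved_egroupslen, saved_egroups)` last.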
From: carson at taltos.org (Carson Gaspar)
Date: Tue, 24 Apr 2001 23:39:39 -0700
Subject: Minor bug in HostbasedAuthentication
Message-ID: <448528078.988155579@ZATHROS>

When using "HostbasedUsesNameFromPacketOnly yes", the ssh client sends the hostname with a trailing dot, but the server does not strip off the trailing dot when matching against .shosts et al., or when looking up keys in ssh_known_hosts2. This causes the host to not be found. Adding the hostname with trailing dot to the config files "fixes" this, but I think sshd should do this itself.

If you like, I can try to gen a patch. I thought I'd ask first, in case major restructuring was going to occur in this code.

--
Carson Gaspar - carson at taltos.org
Queen trapped in a butch body

From carson at taltos.org Wed Apr 25 16:50:25 2001
From: carson at taltos.org (Carson Gaspar)
Date: Tue, 24 Apr 2001 23:50:25 -0700
Subject: Updated partial auth patch against CVS
Message-ID: <449174078.988156225@ZATHROS>

Here is a new version of my partial auth patch against the April 24, 2001 CVS image. It fixes a couple of things (thanks to Karl M), and includes support for hostbased auth. It's still not pretty, but it works.

2 things Karl mentioned aren't fixed:

- auth methods are still hard-coded into servconf.c. Fixing this would require a lot of work, and all the auth methods are hard-coded there as options, anyway.

- The code has not been updated to follow the OpenBSD style guide. The style guide itself says that code should be updated if more than 50% of it is new. This is definitely not the case here, and I'm not about to go and reformat everything I touch.

I'd appreciate any feedback folks have.

--
Carson Gaspar - carson at taltos.org
Queen trapped in a butch body
-------------- next part --------------
A non-text attachment was scrubbed...
Name: partialdiff
Type: application/octet-stream
Size: 16209 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010424/282994a4/attachment.obj

From carson at taltos.org Wed Apr 25 17:27:02 2001
From: carson at taltos.org (Carson Gaspar)
Date: Wed, 25 Apr 2001 00:27:02 -0700
Subject: Case study of new possibilities with PartialAuth and HostbasedAuth
Message-ID: <451371296.988158422@ZATHROS>

Finally all the pieces are in place to allow strong user and host authentication with SSH2 and the latest OpenSSH code (plus my partial auth patch). Herein I describe one problem case, and a possible solution thereof.

Target: Allow user logins from host charles to host steve using passwords

Previously, you would have had to trust the IP headers to authenticate charles. If charles had a dynamic IP address, or was behind dynamic NAT or a non-transparent firewall, you lost. If someone could spoof charles' IP address, you lost. Now, you can solve this securely (assuming charles' host security is good!).

on steve:

sshd_config:
HostbasedAuthentication yes
HostbasedUsesNameFromPacketOnly yes
PasswordAuthentication yes
# if you don't want users to add clients, you either need to stop parsing .[rs]hosts
IgnoreRhosts yes
# or control which hosts have trusted keys with
IgnoreUserKnownHosts yes
# or both
AuthOrder2 hostbased:password

ssh_known_hosts2:
charles.dom.ain.,charles.dom.ain ssh-dss [charles_dsa_public_key]

shosts.equiv:
charles.dom.ain
charles.dom.ain.

NOTE: trailing dot form included in ssh_known_hosts2 and shosts.equiv to work around a bug in the current codebase.

On charles:

ssh must have access to ssh_host_dsa_key. For now this means ssh must be setuid root.

ssh_config:
Host steve
HostbasedAuthentication yes
PasswordAuthentication yes

At this point, you should be good to go!

--
Carson Gaspar - carson at taltos.org
Queen trapped in a butch body

From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed Apr 25 19:37:57 2001
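The trailing-dot mismatch reported in the HostbasedAuthentication bug above, and worked around in this case study by listing both `charles.dom.ain` and `charles.dom.ain.` in ssh_known_hosts2 and shosts.equiv, goes away if the server canonicalizes both the name taken from the packet and each configured entry before comparing them. The following is an added illustration, not OpenSSH code: the helper names `canon_hostname()` and `host_allowed()` and the shosts.equiv-style list are hypothetical, and it also folds case, since DNS names are case-insensitive.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Canonicalize a hostname for comparison: copy it into out, lowercased,
 * with one trailing dot (the DNS root label) removed.  Only a single dot
 * is stripped, so "host.dom.." does not collapse into "host.dom".
 * Returns the canonical length, or (size_t)-1 if out is too small.
 * Hypothetical helper written for this example, not an OpenSSH function.
 */
static size_t
canon_hostname(const char *in, char *out, size_t outlen)
{
	size_t len = strlen(in);

	if (len > 1 && in[len - 1] == '.')
		len--;
	if (len + 1 > outlen)
		return (size_t)-1;
	for (size_t i = 0; i < len; i++)
		out[i] = (char)tolower((unsigned char)in[i]);
	out[len] = '\0';
	return len;
}

/*
 * Return 1 if the name the client sent (possibly with a trailing dot)
 * matches one of the configured entries, 0 otherwise.  Entries are
 * canonicalized the same way, so an admin need not list both forms.
 */
static int
host_allowed(const char *const *entries, size_t n, const char *from_packet)
{
	char want[256], have[256];

	if (canon_hostname(from_packet, want, sizeof(want)) == (size_t)-1)
		return 0;
	for (size_t i = 0; i < n; i++) {
		if (canon_hostname(entries[i], have, sizeof(have)) == (size_t)-1)
			continue;
		if (strcmp(want, have) == 0)
			return 1;
	}
	return 0;
}

/* Constructed shosts.equiv-style list: only the bare form is listed. */
static const char *const trusted_hosts[] = { "charles.dom.ain" };
static const size_t trusted_hosts_len = 1;

int
main(void)
{
	/* Constructed names as a client might send them in the hostbased request. */
	const char *names[] = {
		"charles.dom.ain.", "charles.dom.ain", "CHARLES.Dom.Ain.",
		"evil.dom.ain.", "charles.dom.ain..",
	};

	for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		printf("%-18s -> %s\n", names[i],
		    host_allowed(trusted_hosts, trusted_hosts_len, names[i]) ?
		    "allowed" : "denied");
	return 0;
}
```

Canonicalizing only fixes the string comparison; with HostbasedUsesNameFromPacketOnly the name is still client-supplied, and it is the host key lookup and signature check that follow which actually authenticate the client host.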
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Wed, 25 Apr 2001 11:37:57 +0200
Subject: Call for testing for coming 2.9 release.
In-Reply-To: ; from mouring@etoh.eviladmin.org on Tue, Apr 24, 2001 at 01:01:14PM -0500
References:
Message-ID: <20010425113756.A9944@ws01.aet.tu-cottbus.de>

On Tue, Apr 24, 2001 at 01:01:14PM -0500, mouring at etoh.eviladmin.org wrote:
> If we can get people to test their platforms against the last snapshot/cvs
> tree I'd be grateful. (http://www.openssh.com/portable.html)
> Also, take a moment to see what manpage type ./configure decided for your
> system and if it's 'cat' please let us know.

FYI: for HP-UX (10.20), "man" format is recognized.

I have been running some short tests by now and the new version seems to work quite well. Some points:

* The "sleep 5 &" test still lets the connection hang. I only have a small amount of trouble with it. Unfortunately, some startup scripts (like the one for mysql) have the habit to not properly daemonize and thus exiting after doing some maintenance doesn't work. (This was/is also true for 2.5.2p2, but since I do not restart mysql every day, I won't notice for a long time.)

* As somebody else already pointed out, "hostbased" authentication should be first, because there is no reason to bother for a public key passphrase or password, when another option will help anyway. (Markus' comment about not being tested enough applies, so the final decision for the default value is up to the developers team.)

What is definitely missing is a listing of the possible options in the "PreferredAuthentications" syntax in ssh.1 and ssh_config. A slogin -v gives the correct idea to use "hostbased", "publickey", and "password" as keywords, but as the naming scheme is not consistent "HostbasedAuthentication yes" vs "PreferredAuthentications hostbased..." an example line in ssh_config would probably save some time to dig into the source :-)

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153

From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed Apr 25 19:43:55 2001
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Wed, 25 Apr 2001 11:43:55 +0200
Subject: Call for testing for coming 2.9 release.
In-Reply-To: <20010425113756.A9944@ws01.aet.tu-cottbus.de>; from Lutz.Jaenicke@aet.TU-Cottbus.DE on Wed, Apr 25, 2001 at 11:37:57AM +0200
References: <20010425113756.A9944@ws01.aet.tu-cottbus.de>
Message-ID: <20010425114355.A18795@serv01.aet.tu-cottbus.de>

On Wed, Apr 25, 2001 at 11:37:57AM +0200, Lutz Jaenicke wrote:
> A slogin -v gives the correct idea to use "hostbased", "publickey",
> and "password" as keywords, but as the naming scheme is not consistent
> "HostbasedAuthentication yes" vs "PreferredAuthentications hostbased..."
> an example line in ssh_config would probably save some time to dig
> into the source :-)

Oh, and it seems that the default for HostbasedAuthentication is "no" (ssh.1 states it would be "yes")...

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153

From vinschen at redhat.com Wed Apr 25 21:32:59 2001
From: vinschen at redhat.com (Corinna Vinschen)
Date: Wed, 25 Apr 2001 13:32:59 +0200
Subject: HELP! sftp hangs on exit / Bug?
In-Reply-To: <000f01c0cd0b$34ec2740$241064c0@ovro.caltech.edu>; from dwh@ovro.caltech.edu on Tue, Apr 24, 2001 at 03:09:17PM -0700
References: <000f01c0cd0b$34ec2740$241064c0@ovro.caltech.edu>
Message-ID: <20010425133259.P23753@cygbert.vinschen.de>

On Tue, Apr 24, 2001 at 03:09:17PM -0700, David Hawkins wrote:
> Ok, I downloaded, and installed the latest snapshot as
> referred to below.
>
> The file name was openssh-2.5.2p2, whereas
> the Cygwin file was openssh-2.5.2p2-3. I'm not
> sure what the appropriate dash would be for this
> download.

-3 is the latest and correct one. It contains two Cygwin specific fixes which have become part of the official sources in the meantime.

> Anyway - sftp no longer hangs - yeah! BUT,
> CVS continues to hang ARGGHHH!

Would you mind trying it using the latest official Cygwin version (1.3.1)? I suspect what you see is a Win 9x/ME issue which is related to using anonymous pipes. It's one of the bugs which Microsoft has given up on fixing. Upgrading to NT/W2K helps ;-)

Another try is to download the openssh sources and compile them without setting USE_PIPES in define.h as it's done in the Cygwin release version due to some problems with socketpairs. This error might be resolved in 1.3.1 but I have to check that...

Corinna

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From djm at mindrot.org Wed Apr 25 22:47:44 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 25 Apr 2001 22:47:44 +1000 (EST)
Subject: Call for testing for coming 2.9 release.
In-Reply-To:
Message-ID:

On Tue, 24 Apr 2001, Wayne Davison wrote:

> On Tue, 24 Apr 2001 mouring at etoh.eviladmin.org wrote:
> > If we can get people to test their platforms against the last snapshot/cvs
> > tree I'd be grateful. (http://www.openssh.com/portable.html)
>
> The snapshot hasn't been updated since the May 19th. The CVS version
> has some changes from the 20th, but nothing more recent. Is there
> anything newer that we're supposed to be testing? The version.h file
> says that it is "OpenSSH_2.5.4p1", and it was last changed on the 5th
> of April. (This all refers to the bass.directhit.com site that is
> referenced on the portable.html web page.)

I don't know what is happening with the mirror site. Until it is repaired you can grab snapshots from:

http://www.mindrot.org/~djm/openssh-snap/

directly.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From djm at mindrot.org Wed Apr 25 22:50:57 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 25 Apr 2001 22:50:57 +1000 (EST)
Subject: Call for testing for coming 2.9 release.
In-Reply-To:
Message-ID:

On Wed, 25 Apr 2001, Tom Holroyd wrote:

> Alpha Linux RedHat.
>
> readpass.c: In function `read_passphrase':
> readpass.c:120: warning: passing arg 2 of `ssh_askpass' discards
> qualifiers from pointer target type
>
> auth-passwd.c: In function `auth_password':
> auth-passwd.c:209: warning: implicit declaration of function `crypt'
> auth-passwd.c:209: warning: assignment makes pointer from integer without
> a cast

Please give the next snapshot a try.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From vinschen at redhat.com Wed Apr 25 23:53:32 2001
From: vinschen at redhat.com (Corinna Vinschen) Date: Wed, 25 Apr 2001 15:53:32 +0200 Subject: Call for testing for coming 2.9 release. In-Reply-To: ; from mouring@etoh.eviladmin.org on Tue, Apr 24, 2001 at 01:01:14PM -0500 References: Message-ID: <20010425155332.A30677@cygbert.vinschen.de> On Tue, Apr 24, 2001 at 01:01:14PM -0500, mouring at etoh.eviladmin.org wrote: > > > If we can get people to test their platforms against the last snapshot/cvs > tree I'd be grateful. (http://www.openssh.com/portable.html) > > I know NeXT platform has problems. I'm going to spend tonight looking at > it. > > Also, take a moment to see what manpage type ./configure decided for your > system and if it's 'cat' please let us know. > > > Thanks. Hi, the following patches are necessary to build the latest OpenSSH from CVS on Cygwin. The patch in `Makefile.in' is needed to be able to build in another dir than the sourcedir. Cygwin lacks `setgroups' and the header file `arpa/nameser.h'. I couldn't check that it runs due to an eminent lack of time. I will try to check it 'til tomorrow. Corinna Index: Makefile.in =================================================================== RCS file: /cvs/openssh_cvs/Makefile.in,v retrieving revision 1.172 diff -u -p -r1.172 Makefile.in --- Makefile.in 2001/04/18 18:04:22 1.172 +++ Makefile.in 2001/04/25 13:49:27 @@ -123,9 +123,9 @@ logintest: logintest.o $(LIBCOMPAT) libs $(MANPAGES):: if test "$(MANTYPE)" = "cat"; then \ - manpage=`echo $@ | sed 's/\.[1-9]$$/\.0/'`; \ + manpage=`echo $(srcdir)/$@ | sed 's/\.[1-9]$$/\.0/'`; \ else \ - manpage=$@; \ + manpage=$(srcdir)/$@; \ fi; \ if test "$(MANTYPE)" = "man"; then \ $(FIXPATHSCMD) $${manpage} | $(PERL) $(srcdir)/mdoc2man.pl > $@.out; \ Index: uidswap.c =================================================================== RCS file: /cvs/openssh_cvs/uidswap.c,v retrieving revision 1.19 diff -u -p -r1.19 uidswap.c --- uidswap.c 2001/04/08 18:38:05 1.19 +++ uidswap.c 2001/04/25 13:49:27
@@ -68,10 +68,11 @@ temporarily_use_uid(struct passwd *pw) if (user_groupslen < 0) fatal("getgroups: %.100s", strerror(errno)); } +#ifndef HAVE_CYGWIN /* Set the effective uid to the given (unprivileged) uid. */ if (setgroups(user_groupslen, user_groups) < 0) fatal("setgroups: %.100s", strerror(errno)); - pw->pw_gid = pw->pw_gid; +#endif if (setegid(pw->pw_gid) < 0) fatal("setegid %u: %.100s", (u_int) pw->pw_gid, strerror(errno)); @@ -95,8 +96,10 @@ restore_uid(void) /* Set the effective uid back to the saved uid. */ if (seteuid(saved_euid) < 0) fatal("seteuid %u: %.100s", (u_int) saved_euid, strerror(errno)); +#ifndef HAVE_CYGWIN if (setgroups(saved_egroupslen, saved_egroups) < 0) fatal("setgroups: %.100s", strerror(errno)); +#endif if (setegid(saved_egid) < 0) fatal("setegid %u: %.100s", (u_int) saved_egid, strerror(errno)); temporarily_use_uid_effective = 0; Index: openbsd-compat/inet_ntop.c =================================================================== RCS file: /cvs/openssh_cvs/openbsd-compat/inet_ntop.c,v retrieving revision 1.1 diff -u -p -r1.1 inet_ntop.c --- openbsd-compat/inet_ntop.c 2001/04/12 21:35:53 1.1 +++ openbsd-compat/inet_ntop.c 2001/04/25 13:49:27 @@ -34,7 +34,9 @@ static char rcsid[] = "$OpenBSD: inet_nt #include "openbsd-compat/fake-socket.h" #include #include +#ifndef HAVE_CYGWIN #include +#endif #include #include #include -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From tim at multitalents.net Thu Apr 26 00:45:03 2001 
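Review bot: Wrapping `setgroups(user_groupslen, user_groups)` in `#ifndef HAVE_CYGWIN` means that on Cygwin the supplementary group list is never switched to the user's before `setegid(pw->pw_gid)`, while the `getgroups()` bookkeeping in the unchanged context above still runs; a one-line comment saying that Cygwin has no `setgroups()` and what group identity the process therefore keeps would save the next reader a trip to the list archive. This hunk and the `@@ -95,8 +96,10 @@` one below touch the same lines of `temporarily_use_uid()` and `restore_uid()` as the `SAVED_IDS_WORK_WITH_SETEUID` patch posted earlier in this thread, so whichever lands second will need rebasing. Dropping the `pw->pw_gid = pw->pw_gid;` self-assignment is fine; it was a no-op.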
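Review bot: In the `openbsd-compat/inet_ntop.c` hunk, the `#include` lines as quoted here have lost their header names, so the hunk cannot be applied from the mail text; the covering mail says the guarded header is `arpa/nameser.h`, which should appear in the hunk. Rather than keying the guard on `HAVE_CYGWIN`, a configure-time header check (`AC_CHECK_HEADERS` yielding `HAVE_ARPA_NAMESER_H`) would cover any other platform that lacks the header as well.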
From: tim at multitalents.net (Tim Rice)
Date: Wed, 25 Apr 2001 07:45:03 -0700 (PDT)
Subject: Once more, with diffs... (configure.in aclocal.m4 patch against CVS)
In-Reply-To: <441841812.988148893@ZATHROS>
Message-ID:

Cool, this has been on my personal TODO list for some time.
I should have time to check this out in a couple of days.
I'll test the .out patch too.

On Tue, 24 Apr 2001, Carson Gaspar wrote:

> The attached unified diff fixes configure so that all --with-libfoo options
> are allowed to be --with-libfoo=PATH. If the option is specified with a
> PATH, only that PATH is searched for the library. If it is specified as
> =yes or with no argument, it tries without modifying anything, and then
> tries looking in /usr/local. The SunOS5 targets no longer add /usr/local to
> include or library paths unless something actually lives there. The same
> change should probably be made for other targets, but I didn't as I cannot
> test them.

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From pekkas at netcore.fi Thu Apr 26 01:07:17 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 25 Apr 2001 18:07:17 +0300 (EEST)
Subject: RHL init.d/sshd ipv6 hack
Message-ID:

Hello all,

I'm using the attached patch. With it, if you add OPTIONS="-6" in /etc/sysconfig/sshd (this kind of sysconfig/ is a pretty normal RHL practice), then you can enable ipv4 and ipv6 on RHL without problems and without having to modify the init.d/sshd script.

This or something like it should IMO be added.

Removing 'noreplace' from sshd_config definition in openssh.spec should also be considered.

--
Pekka Savola "Tell me of difficulties surmounted,
Netcore Oy not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
-------------- next part --------------
--- contrib/redhat/sshd.init.orig Wed Feb 28 02:21:22 2001
+++ contrib/redhat/sshd.init Wed Apr 25 18:00:53 2001
@@ -15,6 +15,8 @@ # source function library . /etc/rc.d/init.d/functions +[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd + RETVAL=0 # Some functions to make the below more readable @@ -104,7 +106,7 @@ echo -n "Starting sshd: " if [ ! -f $PID_FILE ] ; then - sshd + sshd $OPTIONS RETVAL=$? if [ "$RETVAL" = "0" ] ; then my_success "sshd startup" "sshd"

From mouring at etoh.eviladmin.org Thu Apr 26 00:57:20 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 25 Apr 2001 09:57:20 -0500 (CDT)
Subject: Once more, with diffs... (configure.in aclocal.m4 patch against CVS)
In-Reply-To:
Message-ID:

Can we hold off on this patch.. until after 2.9 release. I really don't want to change that much of the configuration file so close to release.

- Ben

On Wed, 25 Apr 2001, Tim Rice wrote:

>
> Cool, this has been on my personal TODO list for some time.
> I should have time to check this out in a couple of days.
> I'll test the .out patch too.
>
> On Tue, 24 Apr 2001, Carson Gaspar wrote:
>
> > The attached unified diff fixes configure so that all --with-libfoo options
> > are allowed to be --with-libfoo=PATH. If the option is specified with a
> > PATH, only that PATH is searched for the library. If it is specified as
> > =yes or with no argument, it tries without modifying anything, and then
> > tries looking in /usr/local. The SunOS5 targets no longer add /usr/local to
> > include or library paths unless something actually lives there. The same
> > change should probably be made for other targets, but I didn't as I cannot
> > test them.
>
> --
> Tim Rice Multitalents (707) 887-1469
> tim at multitalents.net

From tim at multitalents.net Thu Apr 26 01:13:39 2001
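Review bot: `[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd` executes whatever that file contains with the init script's root privileges, not just the `OPTIONS=` assignment, so the packaging that ships this should install the file root-owned and not group- or world-writable (the `-f` test already makes it optional), and the script could skip sourcing it when those permission checks fail. Sourcing it before `RETVAL=0` is fine, since `RETVAL` is reset right after.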
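Review bot: `sshd $OPTIONS` is deliberately unquoted so that a value like `-6` or `-p 2222` splits into separate arguments, which is what the mail wants, but it also means a single option containing whitespace cannot be passed and that an `IFS` setting in the sysconfig file changes the split; a comment on the line saying the splitting is intentional would stop someone "fixing" it later. The `@@ -104,7 +106,7 @@` hunk only touches the `start` path; if the script also execs `sshd` elsewhere (restart or reload), those call sites need `$OPTIONS` too.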
From: tim at multitalents.net (Tim Rice)
Date: Wed, 25 Apr 2001 08:13:39 -0700 (PDT)
Subject: Once more, with diffs... (configure.in aclocal.m4 patch against CVS)
In-Reply-To: 
Message-ID: 

On Wed, 25 Apr 2001 mouring at etoh.eviladmin.org wrote:

>
> Can we hold off on this patch.. until after 2.9 release. I really don't
> want to change that much of the configuration file so close to release.

It's OK with me. I'm kind of pressed for time anyway.
And this will require some serious testing.

>
> - Ben
>
> On Wed, 25 Apr 2001, Tim Rice wrote:
>
> >
> > Cool, this has been on my personal TODO list for some time.
> > I should have time to check this out in a couple of days.
> > I'll test the .out patch too.
> >
> > On Tue, 24 Apr 2001, Carson Gaspar wrote:
> >
> > > The attached unified diff fixes configure so that all --with-libfoo options
> > > are allowed to be --with-libfoo=PATH. If the option is specified with a
> > > PATH, only that PATH is searched for the library. If it is specified as
> > > =yes or with no argument, it tries without modifying anything, and then
> > > tries looking in /usr/local. The SunOS5 targets no longer add /usr/local to
> > > include or library paths unless something actually lives there. The same
> > > change should probably be made for other targets, but I didn't as I cannot
> > > test them.
> > >
> >
> > --
> > Tim Rice                Multitalents    (707) 887-1469
> > tim at multitalents.net
> >
>

--
Tim Rice                Multitalents    (707) 887-1469
tim at multitalents.net

From wayne at blorf.net Thu Apr 26 02:46:55 2001
From: wayne at blorf.net (Wayne Davison) Date: Wed, 25 Apr 2001 09:46:55 -0700 (PDT) Subject: Call for testing for coming 2.9 release. In-Reply-To: Message-ID: On Wed, 25 Apr 2001, Damien Miller wrote: > [...] you can grab snapshots from: > > http://www.mindrot.org/~djm/openssh-snap/ > > directly. Thanks for the pointer. I grabbed the April 25th snapshot, and these are the changes I needed to make Solaris work with UseLogin enabled. ..wayne.. -------------- next part -------------- Index: acconfig.h --- openssh-20010424bal/acconfig.h Tue Apr 24 12:38:51 2001 +++ ./acconfig.h Tue Apr 24 18:27:48 2001 @@ -169,6 +169,12 @@ /* Define if you want to specify the path to your wtmpx file */ #undef CONF_WTMPX_FILE +/* Some systems need a utmpx entry for /bin/login to work */ +#undef LOGIN_NEEDS_UTMPX + +/* Some versions of /bin/login need the TERM supplied on the commandline */ +#undef LOGIN_NEEDS_TERM + /* Define is libutil has login() function */ #undef HAVE_LIBUTIL_LOGIN Index: configure.in --- openssh-20010424bal/configure.in Tue Apr 24 12:38:51 2001 +++ ./configure.in Tue Apr 24 18:27:48 2001 @@ -152,6 +152,8 @@ CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib" need_dash_r=1 + AC_DEFINE(LOGIN_NEEDS_UTMPX) + AC_DEFINE(LOGIN_NEEDS_TERM) AC_DEFINE(PAM_SUN_CODEBASE) # hardwire lastlog location (can't detect it on some versions) conf_lastlog_location="/var/adm/lastlog" Index: session.c --- openssh-20010424bal/session.c Tue Apr 24 12:38:51 2001 +++ ./session.c Tue Apr 24 18:27:48 2001 @@ -126,6 +126,7 @@ void session_proctitle(Session *s); void do_exec_pty(Session *s, const char *command); void do_exec_no_pty(Session *s, const char *command); +void call_record_login(Session *s); void do_login(Session *s, const char *command); void do_child(Session *s, const char *command); void do_motd(void); 
@@ -644,6 +645,10 @@ #ifndef HAVE_OSF_SIA if (!(options.use_login && command == NULL)) do_login(s, command); +# ifdef LOGIN_NEEDS_UTMPX + else + call_record_login(s); +# endif #endif /* Do common processing for the child, such as execing the command. */ @@ -687,15 +692,11 @@ } } -/* administrative, login(1)-like work */ void -do_login(Session *s, const char *command) +call_record_login(Session *s) { - char *time_string; - char hostname[MAXHOSTNAMELEN]; socklen_t fromlen; struct sockaddr_storage from; - time_t last_login_time; struct passwd * pw = s->pw; pid_t pid = getpid(); @@ -713,6 +714,23 @@ } } + /* Record that there was a login on that tty from the remote host. */ + record_login(pid, s->tty, pw->pw_name, pw->pw_uid, + get_remote_name_or_ip(utmp_len, options.reverse_mapping_check), + (struct sockaddr *)&from); +} + +/* administrative, login(1)-like work */ +void +do_login(Session *s, const char *command) +{ + char *time_string; + char hostname[MAXHOSTNAMELEN]; + time_t last_login_time; + struct passwd * pw = s->pw; + + call_record_login(s); + /* Get the time and hostname when the user last logged in. */ if (options.print_lastlog) { hostname[0] = '\0'; @@ -720,11 +738,6 @@ hostname, sizeof(hostname)); } - /* Record that there was a login on that tty from the remote host. */ - record_login(pid, s->tty, pw->pw_name, pw->pw_uid, - get_remote_name_or_ip(utmp_len, options.reverse_mapping_check), - (struct sockaddr *)&from); - #ifdef USE_PAM /* * If password change is needed, do it now. @@ -1511,6 +1524,9 @@ /* Launch login(1). */ execl(LOGIN_PROGRAM, "login", "-h", hostname, +#ifdef LOGIN_NEEDS_TERM + s->term? s->term : "unknown", +#endif "-p", "-f", "--", pw->pw_name, NULL); /* Login couldn't be executed, die. */ From tom.orban at corp.usa.net Thu Apr 26 06:19:22 2001 
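Review bot: In the configure.in hunk, LOGIN_NEEDS_UTMPX and LOGIN_NEEDS_TERM are defined unconditionally for the SunOS5 target, while the acconfig.h comments say only "some systems" and "some versions of /bin/login" need them; a Solaris login(1) that does not accept the extra positional terminal argument would then get a broken UseLogin command line, so either guard the two AC_DEFINE lines on the Solaris release or document that the target now assumes this login(1) behaviour.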
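Review bot: In the @@ -644 hunk of session.c the new `else call_record_login(s);` sits inside `# ifdef LOGIN_NEEDS_UTMPX` with no braces on either branch of `if (!(options.use_login && command == NULL))`; a dangling else under conditional compilation is easy to mis-bind in a later edit, so brace both branches. A comment stating why the utmpx record must exist before login(1) is exec'd on these systems would also help, since the hunk gives no hint of the reason.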
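Review bot: In the @@ -1511 hunk `s->term` is a client-supplied string placed on the login(1) command line as the positional terminal argument after `-h hostname`; confirm it has been validated by the time execl() runs (a value starting with '-' or containing whitespace should not be passed through unchanged), and keep the "unknown" fallback, because login(1) has no other way to tell a missing terminal from the arguments that follow.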
From: tom.orban at corp.usa.net (Tom Orban)
Date: Wed, 25 Apr 2001 14:19:22 -0600
Subject: ciphers (was Re: Bad packet length error)
References: <3AE4B61A.157CEBDE@corp.usa.net> <3AE5C5C8.78641860@cray.com> <3AE5C70F.EF49983A@cray.com>
Message-ID: <3AE7314A.467C0B6B@corp.usa.net>

Actually Richard Silverman suggested using a different "bulk cipher", and
that works fine. If I "ssh -c blowfish" or ssh -c 3des, I can go to the
2.5.0.p1 sshd's without the bad packet length errors.

So in summary, I'm upgrading the machines that I can, to 2.5.2p2, and for
the ones I can't, then I just ssh with -c blowfish or -c 3des, and all is
well using protocol 2.

-Tom

Wendy Palm wrote:
>
> sorry, misread it.
>
> protocol 1 works fine.
>
> adding a "Ciphers" list to the ssh_config file for protocol 2
> (removing aes) didn't work at all. according to the manpage,
> the default list is
> ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc''
>
> so shouldn't i be able to use
> Ciphers blowfish-cbc,3des-cbc
> ?
>
> wendy
>
> Wendy Palm wrote:
> >
> > i'm getting the same problem ssh'ing from a cray running 2.5.3p1
> > (using either protocol 1 or 2) to another cray running 2.5.3p1 or
> > to an sgi running 2.5.1p2.
> >
> > running from the sgi (2.5.1p2) to the cray (2.5.3p1) works fine.
> > cray-cray running 2.3 didn't have this problem at all.
> >
> > this looks like the rijndael "endianness" problem we found in february.
> > (see the mail archives, 2001-02-27)
> >
> > using -c blowfish or -c 3des works with protocol 1 and 2
> >
> > adding a "Ciphers" list to the ssh_config file for protocol 1
> > (removing aes) worked great. however, setting "Cipher" for protocol 2 didn't
> > work at all.
> >
> > wendy
> >
> > Tom Orban wrote:
> > >
> > > Hello,
> > >
> > > I just built openssh-2.5.2p2 on an HP running HP-UX 11.00.
> > > Seems now
> > > when I try and connect to other HP's running ssh with version
> > > openssh-2.3.0p1 (using protocol version 2), I'm getting disconnected
> > > because of a "Bad packet length" error:
> > >
> > > ssh -v isd1
> > > ...
> > > debug1: ssh_dss_verify: signature correct
> > > debug1: Wait SSH2_MSG_NEWKEYS.
> > > debug1: GOT SSH2_MSG_NEWKEYS.
> > > debug1: send SSH2_MSG_NEWKEYS.
> > > debug1: done: send SSH2_MSG_NEWKEYS.
> > > debug1: done: KEX2.
> > > debug1: send SSH2_MSG_SERVICE_REQUEST
> > > 42 71 58 e0 7b e7 3b 4f 0d 3d 83 9c a2 01 c6 22
> > > Disconnecting: Bad packet length 1114724576.    <------------ ERROR
> > > debug1: Calling cleanup 0x400102a2(0x0)
> > > debug1: Calling cleanup 0x400102aa(0x0)
> > > debug1: writing PRNG seed to file //.ssh/prng_seed
> > >
> > > Other info:
> > > - Going from box running 2.3.0p1 to box with 2.5.2p2 works fine with
> > > protocol 2.
> > > - 2.5.2p2 box to another 2.5.2p2 box works fine.
> > >
> > > Workarounds:
> > > 1) upgrade offending machine to 2.5.2p2, although I can't for all
> > > machines.
> > > 2) (Interim fix) connect to offending machine with protocol version 1.
> > >
> > > Anyone else seen this behavior? Any chance there's a patch for this?
> > >
> > > Thanks.
> > >
> > > -Tom
> >
> > --
> > wendy palm
> > Cray OS Sustaining Engineering, Cray Inc.
> > wendyp at cray.com, 651-605-9154
>
> --
> wendy palm
> Cray OS Sustaining Engineering, Cray Inc.
> wendyp at cray.com, 651-605-9154

From am at pmh.org Wed Apr 25 07:46:47 2001
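As an added illustration of the failure mode in Tom Orban's "Bad packet length" thread above (example code written for this archive, not code from OpenSSH or from anyone in the thread): the SSH2 binary packet begins with a big-endian uint32 packet_length that sits inside the first encrypted block, so when the two ends disagree on the cipher (the Rijndael endianness problem Wendy refers to) that block decrypts to garbage and the receiver's length sanity check is what fires. The length bounds are an assumption modelled on the check that produces the `Bad packet length` disconnect, and the garbage block is the 16-byte dump from Tom's log.

```python
import struct

# Sanity bounds for the decrypted packet_length field. These mirror the kind of
# check behind the "Bad packet length N." disconnect; the exact limits are an
# assumption for this example, not values copied from OpenSSH.
MIN_PACKET_LENGTH = 1 + 4          # padding_length byte plus at least 4 bytes of padding
MAX_PACKET_LENGTH = 256 * 1024     # nothing legitimate is this large


class BadPacketLength(Exception):
    """Raised when the first decrypted block does not look like a packet header."""


def parse_packet_header(first_block):
    """Return (packet_length, padding_length) from the first decrypted block.

    SSH2 framing: uint32 packet_length (big-endian, excludes itself and the MAC),
    byte padding_length, then payload and padding. Only the first 5 bytes are
    needed, but the header always arrives inside a whole cipher block.
    """
    if len(first_block) < 5:
        raise ValueError("need at least 5 bytes of decrypted data")
    packet_length, padding_length = struct.unpack(">IB", first_block[:5])
    if packet_length < MIN_PACKET_LENGTH or packet_length > MAX_PACKET_LENGTH:
        # A mis-decrypted block lands here: the uint32 is effectively random.
        raise BadPacketLength("Bad packet length %d." % packet_length)
    return packet_length, padding_length


def build_packet(payload, block_size=8):
    """Construct a correctly padded, unencrypted SSH2 packet for a payload.

    Rule: 4 + packet_length must be a multiple of the cipher block size, with
    at least 4 bytes of padding. Padding bytes are zero here; a real client
    uses random padding.
    """
    padding_length = block_size - ((4 + 1 + len(payload)) % block_size)
    if padding_length < 4:
        padding_length += block_size
    packet_length = 1 + len(payload) + padding_length
    header = struct.pack(">IB", packet_length, padding_length)
    return header + payload + b"\x00" * padding_length


# Constructed input: the 16 hex bytes dumped just before the disconnect in
# Tom's debug output, i.e. what the peer obtained when it decrypted the first
# AES block with a mismatched implementation.
GARBAGE_BLOCK = bytes.fromhex("427158e07be73b4f0d3d839ca201c622")


def check_garbage_block(block=GARBAGE_BLOCK):
    """Return the disconnect message the block provokes, or None if it passes."""
    try:
        parse_packet_header(block)
    except BadPacketLength as exc:
        return str(exc)
    return None


def check_service_request(block_size=16):
    """Frame the SSH_MSG_SERVICE_REQUEST "ssh-userauth" that was being sent when
    the error occurred, then parse its first block as the receiver would."""
    service = b"ssh-userauth"
    payload = b"\x05" + struct.pack(">I", len(service)) + service   # 5 = SERVICE_REQUEST
    packet = build_packet(payload, block_size)
    assert len(packet) % block_size == 0
    return parse_packet_header(packet[:block_size]), len(packet)


if __name__ == "__main__":
    print(check_garbage_block())      # Bad packet length 1114724576.
    print(check_service_request())    # ((28, 10), 32)
```

The first four dump bytes 42 71 58 e0 read as a big-endian uint32 are exactly 1114724576, the value in Tom's log, which is why switching to a cipher both ends implement identically makes the error disappear.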
From: am at pmh.org (am)
Date: Tue, 24 Apr 2001 16:46:47 -0500
Subject: Please Help me
Message-ID: <00d401c0cd08$0fe5ba40$b14cd7c6@PMH.ORG>

When I attempted to install openssh-2.5.2p2 I got the following compilation
error. When I went to download the patches for openssh, it said it is for
openBSD. My platform is Aix4.3.3 and I do not know what patches to download
and how to install patches.

The errors

glob.h", line 31.15: 1506-120 (S) Function cannot return a const qualified type.
"sftp-glob.c", line 144.15: 1506-120 (S) Function cannot return a const qualified e.
"sftp-glob.c", line 146.27: 1506-068 (W) Operation between types "void*(*)(const unsigned char*)" and "void*" is not allowed.
"sftp-glob.c", line 147.27: 1506-068 (W) Operation between types "struct dirent*(*)(void*)" and "void*" is not allowed.
"sftp-glob.c", line 148.28: 1506-068 (W) Operation between types "void(*)(void*)" and "void*" is not allowed.
"sftp-glob.c", line 156.55: 1506-280 (W) Function argument assignment between types "int(*)(const unsigned char*,int)" and "void *" is not allowed.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010424/0f498f71/attachment.html

From pekkas at netcore.fi Thu Apr 26 07:21:29 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Thu, 26 Apr 2001 00:21:29 +0300 (EEST)
Subject: Call for testing for coming 2.9 release.
In-Reply-To: 
Message-ID: 

On Wed, 25 Apr 2001, Damien Miller wrote:
> On Tue, 24 Apr 2001, Wayne Davison wrote:
>
> > On Tue, 24 Apr 2001 mouring at etoh.eviladmin.org wrote:
> > > If we can get people to test their platforms against the last snapshot/cvs
> > > tree I'd be grateful. (http://www.openssh.com/portable.html)
> >
> > The snapshot hasn't been updated since May 19th. The CVS version
> > has some changes from the 20th, but nothing more recent. Is there
> > anything newer that we're supposed to be testing? The version.h file
> > says that it is "OpenSSH_2.5.4p1", and it was last changed on the 5th
> > of April. (This all refers to the bass.directhit.com site that is
> > referenced on the portable.html web page.)
>
> I don't know what is happening with the mirror site. Until it is
> repaired you can grab snapshots from:
>
> http://www.mindrot.org/~djm/openssh-snap/

Unfortunately, there is no second CVS repository, as the current one
hasn't also seen any updates in 5 days..

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

From mouring at etoh.eviladmin.org Thu Apr 26 07:48:45 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 25 Apr 2001 16:48:45 -0500 (CDT)
Subject: Call for testing for coming 2.9 release.
In-Reply-To: 
Message-ID: 

> > I don't know what is happening with the mirror site. Until it is
> > repaired you can grab snapshots from:
> >
> > http://www.mindrot.org/~djm/openssh-snap/
>
> Unfortunately, there is no second CVS repository, as the current one
> hasn't also seen any updates in 5 days..
>

I had one setup.. Until I moved to my Sparc box and then it stopped
mirroring w/ 'connection refused'.. So I disabled it and never got back to it.

- Ben

From mouring at etoh.eviladmin.org Thu Apr 26 10:50:15 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 25 Apr 2001 19:50:15 -0500 (CDT)
Subject: Please Help me (fwd)
Message-ID: 

---------- Forwarded message ----------
Date: Tue, 24 Apr 2001 16:46:47 -0500
From: am
To: openssh at openssh.com
Subject: Please Help me

When I attempted to install openssh-2.5.2p2 I got the following compilation
error. When I went to download the patches for openssh, it said it is for
openBSD. My platform is Aix4.3.3 and I do not know what patches to download
and how to install patches.

The errors

glob.h", line 31.15: 1506-120 (S) Function cannot return a const qualified type.
"sftp-glob.c", line 144.15: 1506-120 (S) Function cannot return a const qualified e.
"sftp-glob.c", line 146.27: 1506-068 (W) Operation between types "void*(*)(const unsigned char*)" and "void*" is not allowed.
"sftp-glob.c", line 147.27: 1506-068 (W) Operation between types "struct dirent*(*)(void*)" and "void*" is not allowed.
"sftp-glob.c", line 148.28: 1506-068 (W) Operation between types "void(*)(void*)" and "void*" is not allowed.
"sftp-glob.c", line 156.55: 1506-280 (W) Function argument assignment between types "int(*)(const unsigned char*,int)" and "void *" is not allowed.

From per at appgate.com Thu Apr 26 17:47:40 2001
From: per at appgate.com (Per Allansson)
Date: Thu, 26 Apr 2001 09:47:40 +0200
Subject: Yet Another Compatibility Fix (SSH_MSG_CHANNEL_OPEN_FAILURE)
Message-ID: <3AE7D29C.EC6C24A2@appgate.com>

Hi,

SSH.COM/F-Secure version 2.0.xx sends/receives SSH_MSG_CHANNEL_OPEN_FAILURE
packets without the additional two strings (additional info/language tag) -
I think the SecSH drafts at that time didn't have those two strings.
Possibly some other implementations have this problem too.

Anyway, a fix for OpenSSH (against latest cvs tree) is included.
(This has been partially fixed before in channels.c - look at the patch...)

/p

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openfailure.diff
Type: application/octet-stream
Size: 3288 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010426/1825969e/attachment.obj

From mouring at etoh.eviladmin.org Fri Apr 27 09:00:56 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 26 Apr 2001 18:00:56 -0500 (CDT)
Subject: Functionality bug (possibly) in openssh on AIX 4.3 (fwd)
Message-ID: 

Has anyone else running AIX tried this patch? I'm looking for feedback
if it should be applied before we release 2.9p1.

- Ben

---------- Forwarded message ----------
Date: Tue, 24 Apr 2001 17:22:02 -0800 (AKDT)
From: mikem at alaska.net To: openssh-unix-dev at mindrot.org Subject: Functionality bug (possibly) in openssh on AIX 4.3 Hi Folks, While compiling and testing openssh-2.5.2p2 on various AIX platforms, I've found that ssh will not accept root (based on ssh key credentials) logins at all if the AIX security features have been set to disallow remote root logins. If I disable the AIX security feature (enable remote root logins), I can then do bad things like rsh, telnet, etc. into the box as root. [...] *** auth.c Tue Apr 24 16:01:02 2001 --- ../openssh-2.5.2p2/auth.c Mon Mar 19 13:15:57 2001 *************** *** 142,164 **** } #ifdef WITH_AIXAUTHENTICATE ! if ((pw->pw_uid != 0) && (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0)) { ! if (loginmsg && *loginmsg) { ! /* Remove embedded newlines (if any) */ ! char *p; ! for (p = loginmsg; *p; p++) { ! if (*p == '\n') ! *p = ' '; ! } ! /* Remove trailing newline */ ! *--p = '\0'; ! log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); ! } ! return 0; ! } #endif /* WITH_AIXAUTHENTICATE */ - - /* We found no reason not to let this user try to log on... */ return 1; --- 142,162 ---- } #ifdef WITH_AIXAUTHENTICATE ! if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { ! if (loginmsg && *loginmsg) { ! /* Remove embedded newlines (if any) */ ! char *p; ! for (p = loginmsg; *p; p++) { ! if (*p == '\n') ! *p = ' '; ! } ! /* Remove trailing newline */ ! *--p = '\0'; ! log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); ! } ! return 0; ! } #endif /* WITH_AIXAUTHENTICATE */ /* We found no reason not to let this user try to log on... */ return 1; From mouring at etoh.eviladmin.org Fri Apr 27 09:07:23 2001 
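Review bot: This context diff is reversed: the `***` side (auth.c, dated Apr 24) is the modified file and the `---` side is the 2.5.2p2 original, so the `!` lines in the first block are the proposal and it has to be applied with `patch -R`. The change itself, putting `(pw->pw_uid != 0) &&` in front of the loginrestrictions() call, exempts uid 0 from the AIX login restriction for sshd alone while every other login path still honours it; as the follow-ups say, make it a configure-time option plus an sshd_config setting that defaults to the current behaviour, and log when the restriction is bypassed. Unrelated to the change but visible on both sides: the loop turns every '\n' in loginmsg into ' ', after which `*--p = '\0'` removes the last character unconditionally, so a message without a trailing newline loses its final character; check for the trailing '\n' before the conversion rather than after it.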
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 26 Apr 2001 18:07:23 -0500 (CDT)
Subject: Call for testing for coming 2.9 release.
In-Reply-To: <20010425155332.A30677@cygbert.vinschen.de>
Message-ID: 

On Wed, 25 Apr 2001, Corinna Vinschen wrote:

> Hi,
>
> the following patches are necessary to build the latest OpenSSH from
> CVS on Cygwin.
>
> The patch in `Makefile.in' is needed to be able to build in another dir
> than the sourcedir.
>
> Cygwin lacks `setgroups' and the header file `arpa/nameser.h'.
>
> I couldn't check that it runs due to an eminent lack of time. I will
> try to check it 'til tomorrow.
>

Sorry, I'm just getting time to go through my backlog.

Cygwin has getgroups() but not setgroups()? That seems odd to me.

- Ben

From david-bronder at uiowa.edu Fri Apr 27 09:42:31 2001
From: david-bronder at uiowa.edu (David Bronder)
Date: Thu, 26 Apr 2001 18:42:31 -0500 (CDT)
Subject: [openssh-unix-dev] Functionality bug (possibly) in openssh on AIX 4.3 (fwd)
In-Reply-To:  from "mouring@etoh.eviladmin.org" at Apr 26, 2001 06:00:56 PM
Message-ID: <200104262342.f3QNgW957034@fire.its.uiowa.edu>

I haven't tried the patch (still fighting another possibly-AIX problem
that I haven't seen other reports of yet). But I'd recommend against
this patch, at least as a default.

What he is proposing is for OpenSSH to disregard a system-wide policy
decision -- that root should not be permitted to directly log in from
the network. There are more reasons to disable remote logins as root
(vs. normal login then su) than just to prevent plaintext use of the
root password; for example, audit trails for a group of admins or site
security policies. This patch would violate the expected behavior of
the system.

A good compromise would probably be to make it a configure-time feature
that also required a run-time config option to enable it (defaulting to
the current and expected behavior). That way, it's only active if the
admin consciously chooses it.

=Dave

mouring at etoh.eviladmin.org wrote:
>
>
> Has anyone else running AIX tried this patch? I'm looking for feedback
> if it should be applied before we release 2.9p1.
>
> - Ben
>
> ---------- Forwarded message ----------
> Date: Tue, 24 Apr 2001 17:22:02 -0800 (AKDT)
> From: mikem at alaska.net
> To: openssh-unix-dev at mindrot.org
> Subject: Functionality bug (possibly) in openssh on AIX 4.3
>
>
> Hi Folks,
>
> While compiling and testing openssh-2.5.2p2 on various AIX platforms, I've
> found that ssh will not accept root (based on ssh key credentials) logins
> at all if the AIX security features have been set to disallow remote root
> logins. If I disable the AIX security feature (enable remote root
> logins), I can then do bad things like rsh, telnet, etc. into the box as
> root.
>
> [...]
>

--
Hello World.                                David Bronder - Systems Admin
Segmentation Fault                                ITS-SPA, Univ. of Iowa
Core dumped, disk trashed, quota filled, soda warm.   david-bronder at uiowa.edu

From mouring at etoh.eviladmin.org Fri Apr 27 09:39:26 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 26 Apr 2001 18:39:26 -0500 (CDT)
Subject: Makefile.in diff against CVS to prevent man/config rebuild every make
In-Reply-To: <444453812.988151505@ZATHROS>
Message-ID: 

So we go from rebuilding every time to building once. Even if the .out
files change. The first is annoying, the latter is unacceptable. =)

- Ben

On Tue, 24 Apr 2001, Carson Gaspar wrote:

> Bug: all .out files get rebuilt every make. This is silly, and breaks make
> install if root cannot write to your build dir.
>
> Fix: add dependency check so .out files only get rebuilt if the source
> file changes
>
> FixBug: if any source file gets changed, all .out files get rebuilt. This
> is because man pages and config files both get .out extensions but get
> created differently. It's sub-optimal, but still better than what's in CVS.
>
> --
> Carson Gaspar - carson at taltos.org
> Queen trapped in a butch body

From mouring at etoh.eviladmin.org Fri Apr 27 09:40:31 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 26 Apr 2001 18:40:31 -0500 (CDT)
Subject: [openssh-unix-dev] Functionality bug (possibly) in openssh on AIX 4.3 (fwd)
In-Reply-To: <200104262342.f3QNgW957034@fire.its.uiowa.edu>
Message-ID: 

Which is why I'm not really too eager to apply. Ignoring system policies
is not really the best thing.

- Ben

On Thu, 26 Apr 2001, David Bronder wrote:

> I haven't tried the patch (still fighting another possibly-AIX problem
> that I haven't seen other reports of yet). But I'd recommend against
> this patch, at least as a default.
>
> What he is proposing is for OpenSSH to disregard a system-wide policy
> decision -- that root should not be permitted to directly log in from
> the network. There are more reasons to disable remote logins as root
> (vs. normal login then su) than just to prevent plaintext use of the
> root password; for example, audit trails for a group of admins or site
> security policies. This patch would violate the expected behavior of
> the system.
>
> A good compromise would probably be to make it a configure-time feature
> that also required a run-time config option to enable it (defaulting to
> the current and expected behavior). That way, it's only active if the
> admin consciously chooses it.
>
> =Dave
>
> mouring at etoh.eviladmin.org wrote:
> >
> >
> > Has anyone else running AIX tried this patch? I'm looking for feedback
> > if it should be applied before we release 2.9p1.
> >
> > - Ben
> >
> > ---------- Forwarded message ----------
> > Date: Tue, 24 Apr 2001 17:22:02 -0800 (AKDT)
> > From: mikem at alaska.net
> > To: openssh-unix-dev at mindrot.org
> > Subject: Functionality bug (possibly) in openssh on AIX 4.3
> >
> >
> > Hi Folks,
> >
> > While compiling and testing openssh-2.5.2p2 on various AIX platforms, I've
> > found that ssh will not accept root (based on ssh key credentials) logins
> > at all if the AIX security features have been set to disallow remote root
> > logins. If I disable the AIX security feature (enable remote root
> > logins), I can then do bad things like rsh, telnet, etc. into the box as
> > root.
> >
> > [...]
> >
>
> --
> Hello World.                                David Bronder - Systems Admin
> Segmentation Fault                                ITS-SPA, Univ. of Iowa
> Core dumped, disk trashed, quota filled, soda warm.   david-bronder at uiowa.edu
>

From carson at taltos.org Fri Apr 27 09:57:26 2001
From: carson at taltos.org (Carson Gaspar)
Date: Thu, 26 Apr 2001 16:57:26 -0700
Subject: Makefile.in diff against CVS to prevent man/config rebuild every make
In-Reply-To: 
References: 
Message-ID: <260094218.988304246@athyra>

--On Thursday, April 26, 2001 6:39 PM -0500 mouring at etoh.eviladmin.org wrote:

>
> So we go from rebuilding every time to building once. Even if the .out
> files change. The first is annoying, the latter is unacceptable. =)

Huh???

carson:john 0 $ make

carson:john 0 $ touch sftp.1

carson:john 0 $ make
if test "man" = "cat"; then \
        manpage=`echo scp.1.out | sed 's/\.[1-9].out$/\.0/'`; \
else \
        manpage=`echo scp.1.out | sed 's/.out$//'`; \
fi; \
...
etc., etc.

If you hand-edit the .out files, of course they don't get rebuilt. They're
not source files, they're output files. What's your beef?

--
Carson

From mouring at etoh.eviladmin.org Fri Apr 27 09:50:32 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 26 Apr 2001 18:50:32 -0500 (CDT)
Subject: Makefile.in diff against CVS to prevent man/config rebuild every make
In-Reply-To: <260094218.988304246@athyra>
Message-ID: 

On Thu, 26 Apr 2001, Carson Gaspar wrote:

>
>
> --On Thursday, April 26, 2001 6:39 PM -0500 mouring at etoh.eviladmin.org
> wrote:
>
> >
> > So we go from rebuilding every time to building once. Even if the .out
> > files change. The first is annoying, the latter is unacceptable. =)
>
> Huh???
>
> carson:john 0 $ make
>
> carson:john 0 $ touch sftp.1
>
> carson:john 0 $ make
> if test "man" = "cat"; then \
>         manpage=`echo scp.1.out | sed 's/\.[1-9].out$/\.0/'`; \
> else \
>         manpage=`echo scp.1.out | sed 's/.out$//'`; \
> fi; \
> ...
> etc., etc.
>
> If you hand-edit the .out files, of course they don't get rebuilt. They're
> not source files, they're output files. What's your beef?
>

After fixing up your patch to the current CVS tree I do:

make
[...does its first run through..]
touch sftp.1
make
[..does nothing..]

That's my beef. If sftp.1 gets changed (date/content/etc), it should be
REBUILT.

- Ben

From carson at taltos.org Fri Apr 27 10:09:38 2001
From: carson at taltos.org (Carson Gaspar)
Date: Thu, 26 Apr 2001 17:09:38 -0700
Subject: Makefile.in diff against CVS to prevent man/config rebuild every make
In-Reply-To: 
References: 
Message-ID: <260825609.988304977@athyra>

Attached is my Makefile.in. Please diff your Makefile.in against mine and
send me the diffs. Mine works. Perhaps something else changed?

--
Carson

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Makefile.in
Type: application/octet-stream
Size: 11070 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010426/e34d9469/attachment.obj

From mouring at etoh.eviladmin.org Fri Apr 27 10:18:09 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 26 Apr 2001 19:18:09 -0500 (CDT)
Subject: Makefile.in diff against CVS to prevent man/config rebuild every make
In-Reply-To: <261691750.988305844@athyra>
Message-ID: 

On Thu, 26 Apr 2001, Carson Gaspar wrote:

>
>
> --On Thursday, April 26, 2001 7:07 PM -0500 mouring at etoh.eviladmin.org
> wrote:
>
> > This patch works, but it still does not seem right to me. Changing a single manpage
> > rebuilds every manpage. Which is not optimal either.
>
> Ah!
>
> You used the _first_ diff I sent. I sent a second one fixing these problems.
>
> As for every manpage being rebuilt if any of them change, this is a known
> issue, documented in my e-mail. It's sub-optimal, but better than the
> current state of affairs. Fixing it correctly really requires significant
> changes to the Makefile, and I didn't want to re-write the entire conf/man
> make process.
>
> If you'd care to submit a better patch, I'd happily use it.
>

Hmm.. It's not a high priority. Post-2.9 it should be looked at.

Thanks, applied.

- Ben

From mouring at etoh.eviladmin.org Fri Apr 27 10:44:15 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 26 Apr 2001 19:44:15 -0500 (CDT)
Subject: RHL init.d/sshd ipv6 hack
In-Reply-To: 
Message-ID: 

Applied, thanks.

As for 'noreplace'... Ermm.. Another one of those 'six of one, half a
dozen of the other'. I have no opinion either way.

- Ben

On Wed, 25 Apr 2001, Pekka Savola wrote:

> Hello all,
>
> I'm using the attached patch.
>
> With it, if you add
>
> OPTIONS="-6"
>
> in
>
> /etc/sysconfig/sshd
>
> (this kind of sysconfig/ is a pretty normal RHL practice), then you
> can enable ipv4 and ipv6 on RHL without problems and without having to
> modify the init.d/sshd script.
>
> This or something like it should IMO be added.
>
> Removing 'noreplace' from sshd_config definition in openssh.spec should
> also be considered.
>
> --
> Pekka Savola                 "Tell me of difficulties surmounted,
> Netcore Oy                   not those you stumble over and fall"
> Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
>

From djm at mindrot.org Fri Apr 27 10:59:00 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 27 Apr 2001 10:59:00 +1000 (EST)
Subject: RHL init.d/sshd ipv6 hack
In-Reply-To: 
Message-ID: 

On Thu, 26 Apr 2001 mouring at etoh.eviladmin.org wrote:

>
> Applied, thanks.
>
> As for 'noreplace'... Ermm.. Another one of those 'six of one, half a
> dozen of the other'. I have no opinion either way.

I think noreplace should go. We have made a few backwards-incompatible
config file changes and we will probably make a few more. Since rpm
backs up the config file, and the default config file is reasonably
conservative, but usable, I think this is a safe change.

/etc/pam.d/sshd should keep it though - the format is unlikely to change
and we don't want to lose local customisations.

-d

--
| Damien Miller \    ``E-mail attachments are the poor man's
| http://www.mindrot.org /    distributed filesystem'' - Dan Geer

From dbt at meat.net Fri Apr 27 10:59:36 2001
From: dbt at meat.net (David Terrell)
Date: Thu, 26 Apr 2001 17:59:36 -0700
Subject: [openssh-unix-dev] Functionality bug (possibly) in openssh on AIX 4.3 (fwd)
In-Reply-To: ; from mouring@etoh.eviladmin.org on Thu, Apr 26, 2001 at 06:40:31PM -0500
References: <200104262342.f3QNgW957034@fire.its.uiowa.edu>
Message-ID: <20010426175936.C21766@pianosa.catch22.org>

On Thu, Apr 26, 2001 at 06:40:31PM -0500, mouring at etoh.eviladmin.org wrote:
> On Thu, 26 Apr 2001, David Bronder wrote:
>
> > I haven't tried the patch (still fighting another possibly-AIX problem
> > that I haven't seen other reports of yet). But I'd recommend against
> > this patch, at least as a default.
> >
> > What he is proposing is for OpenSSH to disregard a system-wide policy
> > decision -- that root should not be permitted to directly log in from
> > the network. There are more reasons to disable remote logins as root
> > (vs. normal login then su) than just to prevent plaintext use of the
> > root password; for example, audit trails for a group of admins or site
> > security policies. This patch would violate the expected behavior of
> > the system.
> >
> > A good compromise would probably be to make it a configure-time feature
> > that also required a run-time config option to enable it (defaulting to
> > the current and expected behavior). That way, it's only active if the
> > admin consciously chooses it.
>
> Which is why I'm not really too eager to apply. Ignoring system policies
> is not really the best thing.

Why not, PermitRootLogin already ignores 'insecure' markings in /etc/ttys
on openbsd, and similar features in other operating systems.

--
David Terrell             | "I went into Barnes and Noble to look for a
Prime Minister, Nebcorp   | book on A.D.D., but I got bored and left."
dbt at meat.net              | - Benjy Feen
http://wwn.nebcorp.com/   |

From mouring at etoh.eviladmin.org Fri Apr 27 10:52:48 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 26 Apr 2001 19:52:48 -0500 (CDT)
Subject: RHL init.d/sshd ipv6 hack
In-Reply-To: 
Message-ID: 

On Fri, 27 Apr 2001, Damien Miller wrote:

> On Thu, 26 Apr 2001 mouring at etoh.eviladmin.org wrote:
>
> >
> > Applied, thanks.
> >
> > As for 'noreplace'... Ermm.. Another one of those 'six of one, half a
> > dozen of the other'. I have no opinion either way.
>
> I think noreplace should go. We have made a few backwards-incompatible
> config file changes and we will probably make a few more. Since rpm
> backs up the config file, and the default config file is reasonably
> conservative, but usable, I think this is a safe change.
>
> /etc/pam.d/sshd should keep it though - the format is unlikely to change
> and we don't want to lose local customisations.
>

Looks like it was already changed: 2/27/01

%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
#%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sshd_config
%attr(0600,root,root) %config %{_sysconfdir}/sshd_config
%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd
%attr(0755,root,root) %config /etc/rc.d/init.d/sshd

I really should consult the ChangeLog more often.=)

- Ben

From tomh at po.crl.go.jp Fri Apr 27 11:25:35 2001
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Fri, 27 Apr 2001 10:25:35 +0900 (JST)
Subject: Functionality
In-Reply-To: 
Message-ID: 

> > What he is proposing is for OpenSSH to disregard a system-wide policy
> > decision -- that root should not be permitted to directly log in from
> > the network. There are more reasons to disable remote logins as root
> > (vs. normal login then su) than just to prevent plaintext use of the
> > root password; for example, audit trails for a group of admins or site
> > security policies. This patch would violate the expected behavior of
> > the system.

As we all know, disabling remote root logins as a security measure is an
old policy from the days before strong authentication methods. As pointed
out above, there *are* other issues, but they also have other solutions.
These days, normal login followed by su is less secure than allowing a
direct root login.

ssh -l user host
su

vs.

ssh -l root host

and if you want a better audit trail:

root:x:0:0:root:/root:/bin/sh
fred:x:0:0:root:/root:/bin/sh
joe:x:0:0:root:/root:/bin/sh
frank:x:0:0:root:/root:/bin/sh

where they all have different passwords (and 'root' has no valid password).

A weirder idea would be to write a version of su that talks to the
ssh-agent, but ssh-agent can't ask for passwords right now...

Of course, OpenSSH should not attempt to dictate policy.

From carl at bl.echidna.id.au Fri Apr 27 11:30:08 2001
From: carl at bl.echidna.id.au (carl at bl.echidna.id.au)
Date: Fri, 27 Apr 2001 11:30:08 +1000 (EST)
Subject: Functionality
Message-ID: <200104270130.f3R1U8Yu008697@rollcage.bl.echidna.id.au>
> From: Tom Holroyd > > > > What he is proposing is for OpenSSH to disregard a system-wide policy > > > decision -- that root should not be permitted to directly log in from > > > the network. There are more reasons to disable remote logins as root > > > (vs. normal login then su) than just to prevent plaintext use of the > > > root password; for example, audit trails for a group of admins or site > > > security policies. This patch would violate the expected behavior of > > > the system. > > As we all know, disabling remote root logins as a security measure is an > old policy from the days before strong authentication methods. As pointed > out above, there *are* other issues, but they also have other solutions. > These days, normal login followed by su is less secure than allowing a > direct root login. > > ssh -l user host > su > Erm ... traffic analysis? Where? Ssh is encrypted. From dbt at meat.net Fri Apr 27 11:31:13 2001 From: dbt at meat.net (David Terrell) Date: Thu, 26 Apr 2001 18:31:13 -0700 Subject: Functionality In-Reply-To: ; from tomh@po.crl.go.jp on Fri, Apr 27, 2001 at 10:25:35AM +0900 References: Message-ID: <20010426183113.A32305@pianosa.catch22.org> On Fri, Apr 27, 2001 at 10:25:35AM +0900, Tom Holroyd wrote: > A weirder idea would be to write a version of su that talks to the > ssh-agent, but ssh-agent can't ask for passwords right now... ssu (uses ssh's public key auth and ssh-agent)... hmmm.... -- David Terrell | p = "you are nasty" q = "my first name is Janet" Nebcorp PM | r = "my first name is baby" s = "My name is Miss Jackson" dbt at meat.net | (!r -> q) & (p -> s) - Braverman's Third Lemma wwn.nebcorp.com | !r & (!p -> q) & (p -> s) - Libor's Corollary From dbt at meat.net Fri Apr 27 11:41:04 2001 
From: dbt at meat.net (David Terrell) Date: Thu, 26 Apr 2001 18:41:04 -0700 Subject: Functionality In-Reply-To: <200104270130.f3R1U8Yu008697@rollcage.bl.echidna.id.au>; from carl@bl.echidna.id.au on Fri, Apr 27, 2001 at 11:30:08AM +1000 References: <200104270130.f3R1U8Yu008697@rollcage.bl.echidna.id.au> Message-ID: <20010426184103.C32305@pianosa.catch22.org> On Fri, Apr 27, 2001 at 11:30:08AM +1000, carl at bl.echidna.id.au wrote: > > As we all know, disabling remote root logins as a security measure is an > > old policy from the days before strong authentication methods. As pointed > > out above, there *are* other issues, but they also have other solutions. > > These days, normal login followed by su is less secure than allowing a > > direct root login. > > > > ssh -l user host > > su > > > > Erm ... traffic analysis? Where? > > Ssh is encrypted. > Nothing earth shattering: http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt Guess the lengths of your passwords maybe. -- David Terrell | "The reasons for my decision to quit were myriad, but Nebcorp PM | central to the decision was the realization that there are dbt at meat.net | two kinds of companies: Good ones ask you to think for wwn.nebcorp.com | them. The others tell you to think like them." -Benjy Feen From Darren.Moffat at eng.sun.com Fri Apr 27 11:41:37 2001 
From: Darren.Moffat at eng.sun.com (Darren Moffat) Date: Thu, 26 Apr 2001 18:41:37 -0700 (PDT) Subject: Functionality Message-ID: <200104270141.f3R1fciF533716@jurassic.eng.sun.com> >vs. > > ssh -l root host > > >and if you want a better audit trail: > > root:x:0:0:root:/root:/bin/sh > fred:x:0:0:root:/root:/bin/sh > joe:x:0:0:root:/root:/bin/sh > frank:x:0:0:root:/root:/bin/sh > >where they all have different passwords (and 'root' has no valid password). First this isn't the correct alias to be discussing the virtues of direct or non-direct root login so it is off-topic. This does NOT provide the correct level of auditing because all the uids are the same. The kernel doesn't know about names, it only cares about uids, so in systems where the auditing is kernel based this doesn't help you to identify which real person it was. It also increases the vulnerability of the machine because now there are 4 passwords that give access to the root account rather than 1. So the probability of cracking or social engineering attempts has moved in favour of the attacker. As for the traffic analysis argument I thought that current OpenSSH snapshots had a fix for that. -- Darren J Moffat From djm at mindrot.org Fri Apr 27 11:42:01 2001 
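The shared-uid scheme Tom proposed and Darren's objection to it, as an added example that is not part of the thread or of OpenSSH: a small audit that parses a passwd file and reports UIDs shared by more than one account. The passwd text is constructed to mirror the four uid-0 entries quoted above. Kernel audit records carry only the numeric uid, so the four names collapse to one there, and every extra entry is one more password that unlocks uid 0.

```python
"""Added example, not from the thread: report passwd entries that share a UID.

The kernel-based audit trail Darren describes records st_uid/euid, never the
login name, so 'root', 'fred', 'joe' and 'frank' with uid 0 are the same
principal to it.  The SAMPLE_PASSWD text is constructed for this example."""
from collections import defaultdict

# Constructed sample; mirrors the four uid-0 aliases proposed in the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
fred:x:0:0:root:/root:/bin/sh
joe:x:0:0:root:/root:/bin/sh
frank:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1000:Bob:/home/bob:/bin/bash
"""


def parse_passwd(text):
    """Return (name, uid) pairs; reject lines that are not 7 colon-separated fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, uid = fields[0], fields[2]
        if not uid.isdigit():
            raise ValueError(f"line {lineno}: non-numeric uid {uid!r}")
        entries.append((name, int(uid)))
    return entries


def shared_uids(entries):
    """Map uid -> sorted account names, keeping only uids used by more than one account."""
    by_uid = defaultdict(list)
    for name, uid in entries:
        by_uid[uid].append(name)
    return {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}


def audit(text):
    """Return the uid-0 account names and a list of human-readable findings."""
    entries = parse_passwd(text)
    dup = shared_uids(entries)
    uid0 = dup.get(0, [n for n, u in entries if u == 0])
    findings = []
    if len(uid0) > 1:
        findings.append(
            f"{len(uid0)} accounts map to uid 0 ({', '.join(uid0)}): kernel audit "
            f"records cannot tell them apart, and {len(uid0)} passwords now unlock uid 0")
    for uid, names in sorted(dup.items()):
        if uid != 0:
            findings.append(f"uid {uid} shared by {', '.join(names)}")
    return {"uid0_accounts": uid0, "findings": findings}


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD)["findings"]:
        print("WARNING:", finding)
```

On a real system the same parser can be pointed at /etc/passwd; the check only reads the name and uid columns, so it works unchanged on shadowed and unshadowed files.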
From: djm at mindrot.org (Damien Miller) Date: Fri, 27 Apr 2001 11:42:01 +1000 (EST) Subject: Functionality In-Reply-To: <200104270130.f3R1U8Yu008697@rollcage.bl.echidna.id.au> Message-ID: On Fri, 27 Apr 2001 carl at bl.echidna.id.au wrote: > > ssh -l user host > > su > > > > Erm ... traffic analysis? Where? > > Ssh is encrypted. Not traffic sniffing - but you can still try to estimate password lengths and infer a few likelihoods about what characters are used through keystroke timings. This may be enough to make a brute-force search tractable. Best read the advisory at http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt OpenSSH tries to prevent such attacks using the methods discussed in the advisory. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From ssklar at stanford.edu Fri Apr 27 13:27:10 2001 
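The packet-counting side of the attack David and Damien refer to, as an added example that is not part of the thread, of the OW-003 advisory, or of OpenSSH. Interactive SSH sends one packet per keystroke. While su reads a password the pty has echo off, so the server sends nothing back; an observer who sees a run of client packets with no server reply between the prompt and the newline learns how many characters were typed, and the gaps between those packets are inter-keystroke timings. The packet records below are constructed, not captured; the second trace assumes a server that answers every keystroke with a dummy packet even while echo is off, which is the countermeasure the advisory discusses.

```python
"""Added example, not from the thread: count unanswered keystrokes in an
interactive SSH trace to estimate the length of a password typed to 'su'.
Records are (seconds, direction, payload_len); all values are constructed."""


def build_session(fake_echo):
    """Constructed trace of 'su', Enter, then an 8-character password, Enter.

    "c2s" is client->server, "s2c" server->client.  With fake_echo=True the
    server answers every keystroke with a dummy packet even while echo is off.
    """
    pkts = []
    t = 0.0

    def keystroke(delay, answered):
        nonlocal t
        t = round(t + delay, 3)
        pkts.append((t, "c2s", 36))                     # one keystroke
        if answered:
            pkts.append((round(t + 0.004, 3), "s2c", 36))  # echo or dummy reply

    for delay in (0.0, 0.180, 0.220):          # 's', 'u', Enter: echoed by the pty
        keystroke(delay, answered=True)
    t = round(t + 0.050, 3)
    pkts.append((t, "s2c", 52))                 # "Password:" prompt
    for delay in (0.600, 0.210, 0.150, 0.330, 0.140, 0.260, 0.190, 0.170):
        keystroke(delay, answered=fake_echo)    # password characters, echo off
    keystroke(0.400, answered=fake_echo)        # Enter
    t = round(t + 0.120, 3)
    pkts.append((t, "s2c", 60))                 # root shell prompt
    return pkts


def unanswered_runs(pkts):
    """Split the trace into maximal runs of client packets with no server
    packet between them; returns a list of timestamp lists."""
    runs, current = [], []
    for ts, direction, _ in pkts:
        if direction == "c2s":
            current.append(ts)
        elif current:
            runs.append(current)
            current = []
    if current:
        runs.append(current)
    return runs


def estimate_password(pkts):
    """Guess password length and inter-keystroke gaps from the longest run of
    unanswered keystrokes.  Returns (None, []) when every keystroke got a
    reply, i.e. when there is nothing to count."""
    runs = [r for r in unanswered_runs(pkts) if len(r) >= 2]
    if not runs:
        return None, []
    run = max(runs, key=len)
    gaps = [round(b - a, 3) for a, b in zip(run, run[1:])]
    return len(run) - 1, gaps     # the last packet in the run is the Enter key


if __name__ == "__main__":
    for label, trace in (("plain", build_session(False)),
                         ("fake echo", build_session(True))):
        length, gaps = estimate_password(trace)
        print(f"{label}: estimated password length {length}, gaps {gaps}")
```

The first trace yields a length of 8 and eight timing gaps; the second yields nothing, because a reply after every keystroke leaves no unanswered run to count. Packet sizes are kept constant here on purpose: the counting attack needs only direction and timing, which is why encryption alone does not help.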
From: ssklar at stanford.edu (Sandor W. Sklar) Date: Thu, 26 Apr 2001 20:27:10 -0700 Subject: [openssh-unix-dev] Functionality bug (possibly) in openssh on AIX 4.3 (fwd) In-Reply-To: <20010426175936.C21766@pianosa.catch22.org> References: <200104262342.f3QNgW957034@fire.its.uiowa.edu> <20010426175936.C21766@pianosa.catch22.org> Message-ID: At 5:59 PM -0700 4/26/01, David Terrell wrote: >On Thu, Apr 26, 2001 at 06:40:31PM -0500, mouring at etoh.eviladmin.org wrote: > > On Thu, 26 Apr 2001, David Bronder wrote: > > > > Which is why I'm not really too eager to apply. Ignoring system policies > > is not really the best thing. > >Why not, PermitRootLogin already ignores 'insecure' markings in >/etc/ttys on openbsd, and similar features in other operating systems. > have to vote against its inclusion; just because PermitRootLogin is "broken" (I'm not saying that it is; that is just my opinion) on the other platforms, it doesn't mean it should be broken everywhere. as an aix admin, if I want to turn off root login via the network, I really want it turned off. -- sandor w. sklar unix systems administrator stanford university itss-css From jason at shalott.net Fri Apr 27 17:00:25 2001 
From: jason at shalott.net (Jason Stone) Date: Fri, 27 Apr 2001 00:00:25 -0700 (PDT) Subject: [openssh-unix-dev] Functionality bug (possibly) in openssh on AIX 4.3 (fwd) In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > > > Which is why I'm not really too eager to apply. Ignoring system > > > policies is not really the best thing. > > > >Why not, PermitRootLogin already ignores 'insecure' markings in > >/etc/ttys on openbsd, and similar features in other operating systems. > > have to vote against its inclusion; just because PermitRootLogin is > "broken" (I'm not saying that it is; that is just my opinion) on the > other platforms, it doesn't mean it should be broken everywhere. > > as an aix admin, if I want to turn off root login via the network, I > really want it turned off. So then don't enable that option in your config. My feeling on PermitRootLogin is that it's there so that admins who feel comfortable with it can override system policy for old stuff like telnet, but make the decision to trust ssh. It's real easy - if you want no direct root logins at all, ever, then leave PermitRootLogin=no. This is the default. If the default is to be conservative and follow system policy, but the experienced admin has the ability to override that when he wants/needs, then what's the problem? Anyway, this debate seems silly as PermitRootLogin already exists. All that this patch does is to make the behaviour on AIX consistent with the behaviour on other platforms. And as an administrator of a heterogeneous network, I can tell you that consistent behaviour is very important. -Jason --------------------------- If the Revolution comes to grief, it will be because you and those you lead have become alarmed at your own brutality. 
--John Gardner -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE66RkMswXMWWtptckRAhtoAKDBm0BNNL5J4KuaytQd6l0JQE9tBgCfbzrQ TjiTjQY5ydYCvQycPPXZ6RA= =YOoG -----END PGP SIGNATURE----- From vinschen at redhat.com Fri Apr 27 18:53:38 2001 
From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 27 Apr 2001 10:53:38 +0200 Subject: Call for testing for coming 2.9 release. In-Reply-To: ; from mouring@etoh.eviladmin.org on Thu, Apr 26, 2001 at 06:07:23PM -0500 References: <20010425155332.A30677@cygbert.vinschen.de> Message-ID: <20010427105338.A10526@cygbert.vinschen.de> On Thu, Apr 26, 2001 at 06:07:23PM -0500, mouring at etoh.eviladmin.org wrote: > > > On Wed, 25 Apr 2001, Corinna Vinschen wrote: > > > Hi, > > > > the following patches are necessary to build the latest OpenSSH from > > CVS on Cygwin. > > > > The patch in `Makefile.in' is needed to be able to build in another dir > > than the sourcedir. > > > > Cygwin lacks `setgroups' and the header file `arpa/nameser.h'. > > > > I couldn't check that it runs due to a eminent lack of time. I will > > try to check it 'til tomorrow. > > > > Sorry, I'm just getting time to go through my backlog. Cygwin has > getgroups() but not setgroups()? That seems odd to me. No, that's not odd, that's Windows (uhm, ok, that's odd). Each process has attached a so called `access token' which contains the information about the user (owner, primary group, supplementary groups, special user rights, discretionary access control list, ...). Obviously you can _read_ the information from that access token. But only a few changes to an existing access token are allowed, as setting the owner and the primary group to user/group values already in the token or setting and resetting special user rights. There's no such functionality as changing the content of the supplementary group list. That list is automatically determined by the Windows logon procedure. The only functionality on the supplementary group list is enabling/disabling groups which are already members in that list. Sure, that could be treated as a partial implementation of setgroups. However, a real setgroups functionality would only be fake. Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. 
mailto:vinschen at redhat.com From stoegbauer at hrz.tu-darmstadt.de Fri Apr 27 19:00:00 2001 
From: stoegbauer at hrz.tu-darmstadt.de (Marcus Stoegbauer) Date: Fri, 27 Apr 2001 11:00:00 +0200 Subject: key_verify failed for server_host_key from Solaris 2.7 to non-Solaris hosts Message-ID: <20010427110000.A5887@sun10.hrz.tu-darmstadt.de> Hi, I am using OpenSSH 2.5.2p2 on Solaris 2.7 (Ultra 10) with 64bit support and have the following problem when connecting with the ssh2 protocol to non-solaris OS: On the client side, I do: /local/work/lysis/bin/slogin -v -2 -p 2222 rs30 On the server side (AIX 4.3), the sshd runs as follows: aix/sbin/sshd -p 2222 -d Full output follows at the end of this mail. The server is compiled with EGD support, on the client side I tested EGD and ANDIrand (http://www.cosy.sbg.ac.at/~andi/), both with the same result: key_verify failed for server_host_key The same happens when I connect from Solaris to Linux servers running OpenSSH versions 2.3 and above. During the tests I noticed that I get no errors when I rename the "primes" file at server side. Has anyone a similar problem or knows what is wrong here? If more information is needed, please let me know. Thanks in advance, Marcus Client output: ============== OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090601f debug1: Seeding random number generator debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: getuid 27046 geteuid 27046 anon 1 debug1: Connecting to rs30 [130.83.126.33] port 2222. debug1: Connection established. 
debug1: unknown identity file /home/lysis/.ssh/id_rsa debug1: identity file /home/lysis/.ssh/id_rsa type -1 debug1: identity file /home/lysis/.ssh/id_dsa type 2 debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.1p2 debug1: match: OpenSSH_2.5.1p2 pat ^OpenSSH Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_2.5.2p2 debug1: send KEXINIT debug1: done debug1: wait KEXINIT debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug1: got kexinit: ssh-dss debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug1: got kexinit: none,zlib debug1: got kexinit: none,zlib debug1: got kexinit: debug1: got kexinit: debug1: first kex follow: 0 debug1: reserved: 0 debug1: done debug1: kex: server->client aes128-cbc hmac-md5 none debug1: kex: client->server aes128-cbc hmac-md5 none debug1: Sending SSH2_MSG_KEX_DH_GEX_REQUEST. debug1: Wait SSH2_MSG_KEX_DH_GEX_GROUP. debug1: Got SSH2_MSG_KEX_DH_GEX_GROUP. debug1: dh_gen_key: priv key bits set: 121/256 debug1: bits set: 1000/2049 debug1: Sending SSH2_MSG_KEX_DH_GEX_INIT. debug1: Wait SSH2_MSG_KEX_DH_GEX_REPLY. debug1: Got SSH2_MSG_KEXDH_REPLY. debug1: Host 'rs30' is known and matches the DSA host key. 
debug1: Found key in /home/lysis/.ssh/known_hosts2:22 debug1: bits set: 1016/2049 debug1: len 55 datafellows 0 debug1: ssh_dss_verify: signature incorrect key_verify failed for server_host_key debug1: Calling cleanup 0x3d4f0(0x0) Server output: ============== debug1: sshd version OpenSSH_2.5.1p2 debug1: load_private_key_autodetect: type 0 RSA1 debug1: read SSH2 private key done: name dsa w/o comment success 1 debug1: load_private_key_autodetect: type 2 DSA debug1: Seeding random number generator debug1: Bind to port 2222 on 0.0.0.0. Server listening on 0.0.0.0 port 2222. Generating 768 bit RSA key. debug1: Seeding random number generator RSA key generation complete. debug1: Server will not fork when running in debugging mode. Connection from 130.83.126.55 port 33706 debug1: Client protocol version 2.0; client software version OpenSSH_2.5.2p2 debug1: match: OpenSSH_2.5.2p2 pat ^OpenSSH Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_2.5.1p2 debug1: Rhosts Authentication disabled, originating port not trusted. 
debug1: list_hostkey_types: ssh-dss debug1: send KEXINIT debug1: done debug1: wait KEXINIT debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug1: got kexinit: ssh-rsa,ssh-dss debug1: got kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug1: got kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug1: got kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug1: got kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug1: got kexinit: none debug1: got kexinit: none debug1: got kexinit: debug1: got kexinit: debug1: first kex follow: 0 debug1: reserved: 0 debug1: done debug1: kex: client->server aes128-cbc hmac-md5 none debug1: kex: server->client aes128-cbc hmac-md5 none debug1: Wait SSH2_MSG_KEX_DH_GEX_REQUEST. debug1: Sending SSH2_MSG_KEX_DH_GEX_GROUP. debug1: bits set: 1016/2049 debug1: Wait SSH2_MSG_KEX_DH_GEX_INIT. debug1: bits set: 1000/2049 debug1: sig size 20 20 debug1: send SSH2_MSG_NEWKEYS. debug1: done: send SSH2_MSG_NEWKEYS. debug1: Wait SSH2_MSG_NEWKEYS. Connection closed by 130.83.126.55 debug1: Calling cleanup 0x200077f4(0x0) -- Technische Universitaet Darmstadt Hochschulrechenzentrum (HRZ) Technical University Darmstadt University Computing Center D 64287 Darmstadt Germany Petersenstrasse 30 From tomh at po.crl.go.jp Fri Apr 27 19:40:09 2001 
From: tomh at po.crl.go.jp (Tom Holroyd) Date: Fri, 27 Apr 2001 18:40:09 +0900 (JST) Subject: Call for testing for coming 2.9 release. In-Reply-To: <20010427105338.A10526@cygbert.vinschen.de> Message-ID: OpenSSH has been configured with the following options: User binaries: /usr/local/bin System binaries: /usr/local/sbin Configuration files: /usr/local/etc Askpass program: /usr/local/libexec/ssh-askpass Manual pages: /usr/local/man/manX PID file: /usr/local/etc sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin Random number collection: Builtin (timeout 200) Manpage format: man PAM support: no KerberosIV support: no AFS support: no S/KEY support: no TCP Wrappers support: no MD5 password support: no IP address in $DISPLAY hack: no Use IPv4 by default hack: no Translate v4 in v6 hack: no Host: mips-sgi-irix6.5 Compiler: cc Compiler flags: -O2 -woff 1164,1515 Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/include Linker flags: -L/usr/local/ssl/lib Libraries: -lz -lgen -lcrypto The -woff options suppress lots of unsigned vs. signed warnings. The rest are: cc-1185 cc: WARNING File = log.c, Line = 71 An enumerated type is mixed with another type. { NULL, 0 } ^ cc-1185 cc: WARNING File = log.c, Line = 88 An enumerated type is mixed with another type. { NULL, 0 } ^ cc-1185 cc: WARNING File = readconf.c, Line = 180 An enumerated type is mixed with another type. { NULL, 0 } ^ cc-1185 cc: WARNING File = servconf.c, Line = 301 An enumerated type is mixed with another type. { NULL, 0 } ^ cc-1552 cc: WARNING File = ssh-keygen.c, Line = 187 The variable "ignore" is set but never used. int ignore, magic, rlen, ktype; ^ cc-1185 cc: WARNING File = ssh-keygen.c, Line = 383 An enumerated type is mixed with another type. fp = key_fingerprint(public, fptype, rep); ^ cc-1185 cc: WARNING File = ssh-keygen.c, Line = 383 An enumerated type is mixed with another type. 
fp = key_fingerprint(public, fptype, rep); ^ cc-1185 cc: WARNING File = ssh-keygen.c, Line = 440 An enumerated type is mixed with another type. fp = key_fingerprint(public, fptype, rep); ^ cc-1185 cc: WARNING File = ssh-keygen.c, Line = 440 An enumerated type is mixed with another type. fp = key_fingerprint(public, fptype, rep); ^ cc-1185 cc: WARNING File = ssh-agent.c, Line = 524 An enumerated type is mixed with another type. sockets[i].type = type; ^ cc-1185 cc: WARNING File = ssh-agent.c, Line = 537 An enumerated type is mixed with another type. sockets[old_alloc].type = type; ^ cc-1552 cc: WARNING File = sftp-client.c, Line = 534 The variable "a" is set but never used. Attrib *a; ^ cc-1552 cc: WARNING File = sftp-client.c, Line = 634 The variable "a" is set but never used. Attrib *a; ^ From tom at arcot.com Fri Apr 27 20:26:15 2001 From: tom at arcot.com (Tom Wu) Date: Fri, 27 Apr 2001 03:26:15 -0700 Subject: SRP unencumbered license statement available Message-ID: <3AE94947.D2549545@arcot.com> For those of you who were following the discussion about the new draft and implementation of SRP-based password authentication in OpenSSH, I promised to have Stanford issue the IETF an official, explicit, statement reiterating the unencumbered royalty-free licensing terms. The new statement is now available from the IETF's IPR page. Tom From mouring at etoh.eviladmin.org Fri Apr 27 21:34:04 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Fri, 27 Apr 2001 06:34:04 -0500 (CDT) Subject: Call for testing for coming 2.9 release. In-Reply-To: <20010427105338.A10526@cygbert.vinschen.de> Message-ID: On Fri, 27 Apr 2001, Corinna Vinschen wrote: > On Thu, Apr 26, 2001 at 06:07:23PM -0500, mouring at etoh.eviladmin.org wrote: > > > > > > On Wed, 25 Apr 2001, Corinna Vinschen wrote: > > > > > Hi, > > > > > > the following patches are necessary to build the latest OpenSSH from > > > CVS on Cygwin. > > > > > > The patch in `Makefile.in' is needed to be able to build in another dir > > > than the sourcedir. > > > > > > Cygwin lacks `setgroups' and the header file `arpa/nameser.h'. > > > > > > I couldn't check that it runs due to a eminent lack of time. I will > > > try to check it 'til tomorrow. > > > > > > > Sorry, I'm just getting time to go through my backlog. Cygwin has > > getgroups() but not setgroups()? That seems odd to me. > > No, that's not odd, that's Windows (uhm, ok, that's odd). Each process > has attached a so called `access token' which contains the information > about the user (owner, primary group, supplementary groups, special > user rights, discretionary access control list, ...). > I applied it as is.. So if you could test the next snapshot to verify it's correct. - Ben From markus.friedl at informatik.uni-erlangen.de Sat Apr 28 02:28:09 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 27 Apr 2001 18:28:09 +0200 Subject: Functionality In-Reply-To: ; from tomh@po.crl.go.jp on Fri, Apr 27, 2001 at 10:25:35AM +0900 References: Message-ID: <20010427182809.A14375@folly> On Fri, Apr 27, 2001 at 10:25:35AM +0900, Tom Holroyd wrote: > root:x:0:0:root:/root:/bin/sh > fred:x:0:0:root:/root:/bin/sh > joe:x:0:0:root:/root:/bin/sh > frank:x:0:0:root:/root:/bin/sh not all systems support this. some systems hash the passwd database by uid. -m From markus.friedl at informatik.uni-erlangen.de Sat Apr 28 02:30:22 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 27 Apr 2001 18:30:22 +0200 Subject: [openssh-unix-dev] Functionality bug (possibly) in openssh on AIX 4.3 (fwd) In-Reply-To: <20010426175936.C21766@pianosa.catch22.org>; from dbt@meat.net on Thu, Apr 26, 2001 at 05:59:36PM -0700 References: <200104262342.f3QNgW957034@fire.its.uiowa.edu> <20010426175936.C21766@pianosa.catch22.org> Message-ID: <20010427183022.B14375@folly> On Thu, Apr 26, 2001 at 05:59:36PM -0700, David Terrell wrote: > > Which is why I'm not really too eager to apply. Ignoring system policies > > is not really the best thing. > > Why not, PermitRootLogin already ignores 'insecure' markings in > /etc/ttys on openbsd, and similar features in other operating systems. respecting the system policy in a portable way is hard. e.g. using /etc/login.conf on *BSD systems will not help on Linux. -m From david-bronder at uiowa.edu Sat Apr 28 04:12:44 2001 
From: david-bronder at uiowa.edu (David Bronder) Date: Fri, 27 Apr 2001 13:12:44 -0500 (CDT) Subject: [openssh-unix-dev] Re: Functionality In-Reply-To: <20010427182809.A14375@folly> from "Markus Friedl" at Apr 27, 2001 06:28:09 PM Message-ID: <200104271812.f3RICik33728@fire.its.uiowa.edu> Markus Friedl wrote: > > On Fri, Apr 27, 2001 at 10:25:35AM +0900, Tom Holroyd wrote: > > root:x:0:0:root:/root:/bin/sh > > fred:x:0:0:root:/root:/bin/sh > > joe:x:0:0:root:/root:/bin/sh > > frank:x:0:0:root:/root:/bin/sh > > not all systems support this. > > some systems hash the passwd database by uid. > AIX included (optionally)... :) -- Hello World. David Bronder - Systems Admin Segmentation Fault ITS-SPA, Univ. of Iowa Core dumped, disk trashed, quota filled, soda warm. david-bronder at uiowa.edu From alv at alv.cl Sat Apr 28 06:21:53 2001 From: alv at alv.cl (Alvaro Navarro) Date: Fri, 27 Apr 2001 16:21:53 -0400 (CLT) Subject: openssh-2.5.2p2 on SunOS 4.1.3 Message-ID: Hi developers, I'm not sure if this is the right place to ask this question, so please don't crcify me if it isn't :) I'm trying to compile openssh-2.5.2p2 on SunOS 4.1.3. Since SunOS is not in the portable list, I took a look at this mailing list archive and found some of you guys have been able to compile it. My ./configure says I don't have the regex library : configure: error: *** No regex library found. Where can I get such library? T.I.A. -alv- PS : I'm not a suscriber (obviously :)) so please Cc: me From gyepi at praxis-sw.com Sat Apr 28 23:26:19 2001 
From: gyepi at praxis-sw.com (Gyepi SAM) Date: Sat, 28 Apr 2001 09:26:19 -0400 Subject: restricted shell Message-ID: <20010428132619.2629.qmail@nome.praxis-sw.com> Hello, I would like to elicit a discussion about the merits of a statically linked restricted chrooting shell like scponly which incorporates the functionality of scp and sftp. The benefit is that a chrooted user directory does not have to contain the binaries or libraries for scp and sftp and an administrator does not have to play games with the home path to chroot a user. The disadvantage, of course, is that any other functionality like 'ls' would also have to be compiled into the shell. I am thinking that the easiest way to add scp and sftp is to build them as libraries which can be linked to the shell. This requires that the code in main() be moved into another function which can then be called by bin_main(), which would be used for the binary and called from main(), and scp_main() and sftp_main() which would be called by the shell. The archive appears to show that this kind of functionality has been desired for some time. -Gyepi Sam -- Write it on your heart that every day is the best day in the year. No man has learned anything rightly, until he know that every day is Doomsday. --Ralph Waldo Emerson From mouring at etoh.eviladmin.org Sun Apr 29 01:04:31 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Sat, 28 Apr 2001 10:04:31 -0500 (CDT) Subject: openssh-2.5.2p2 on SunOS 4.1.3 In-Reply-To: Message-ID: In the INSTALL file it lists the preferred one: PCRE (PERL-compatible Regular Expression library): ftp://ftp.cus.cam.ac.uk/pub/software/programs/pcre/ Most platforms do not require this. However older Unices may not have a posix regex library. PCRE provides a POSIX interface. - Ben On Fri, 27 Apr 2001, Alvaro Navarro wrote: > > Hi developers, I'm not sure if this is the right place to ask this > question, so please don't crucify me if it isn't :) > > I'm trying to compile openssh-2.5.2p2 on SunOS 4.1.3. > > Since SunOS is not in the portable list, I took a look at this mailing > list archive and found some of you guys have been able to compile it. > > My ./configure says I don't have the regex library : > > configure: error: *** No regex library found. > > Where can I get such library? > > > T.I.A. > > > -alv- > > > PS : I'm not a subscriber (obviously :)) so please Cc: me > > From solidaridad at ninosdepapel.org Sat Apr 28 17:51:24 2001 From: solidaridad at ninosdepapel.org (Niños de Papel) Date: Sat, 28 Apr 2001 02:51:24 -0500 Subject: Cuarto Brindis por los Niños de Colombia Message-ID: <200104281117937.SM00226@segundo> ***** This is an HTML Message ! ***** -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010428/bc481ead/attachment.html From Todd.Miller at courtesan.com Sun Apr 29 01:31:02 2001 
From: Todd.Miller at courtesan.com (Todd C. Miller) Date: Sat, 28 Apr 2001 09:31:02 -0600 Subject: openssh-2.5.2p2 on SunOS 4.1.3 In-Reply-To: Your message of "Sat, 28 Apr 2001 10:04:31 CDT." References: Message-ID: <200104281531.f3SFV3W29817@xerxes.courtesan.com> In message so spake (mouring): > In the INSTALL file it lists the perfered one: > > PCRE (PERL-compatible Regular Expression library): > ftp://ftp.cus.cam.ac.uk/pub/software/programs/pcre/ > > Most platforms do not require this. However older Unices may not have a > posix regex library. PCRE provides a POSIX interface. Also, the GNU regex package works just fine with OpenSSH on SunOS 4.x and older IRIX version that lack these routines. - todd From josb at cncdsl.com Sun Apr 29 02:22:59 2001 From: josb at cncdsl.com (Jos Backus) Date: Sat, 28 Apr 2001 09:22:59 -0700 Subject: openssh-2.5.2p2 on SunOS 4.1.3 In-Reply-To: ; from mouring@etoh.eviladmin.org on Sat, Apr 28, 2001 at 10:04:09AM -0500 References: Message-ID: <20010428092259.C6731@lizzy.bugworks.com> On Sat, Apr 28, 2001 at 10:04:09AM -0500, mouring at etoh.eviladmin.org wrote: > PCRE (PERL-compatible Regular Expression library): > ftp://ftp.cus.cam.ac.uk/pub/software/programs/pcre/ That site appears to no longer host PCRE. The README found there says: This was the old primary ftp site for PCRE. At the start of the year 2000, the site moved to ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre. And that's indeed where it is now. So the INSTALL file should be updated. -- Jos Backus _/ _/_/_/ "Modularity is not a hack." _/ _/ _/ -- D. J. Bernstein _/ _/_/_/ _/ _/ _/ _/ josb at cncdsl.com _/_/ _/_/_/ use Std::Disclaimer; From markus.friedl at informatik.uni-erlangen.de Sun Apr 29 02:24:48 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 28 Apr 2001 18:24:48 +0200 Subject: restricted shell In-Reply-To: <20010428132619.2629.qmail@nome.praxis-sw.com>; from gyepi@praxis-sw.com on Sat, Apr 28, 2001 at 09:26:19AM -0400 References: <20010428132619.2629.qmail@nome.praxis-sw.com> Message-ID: <20010428182448.A4062@folly> it's easier if the sftp-server does chroot. however you need a setuid sftp-server. additionally you have to disallow writing of $HOME, restrict sftp to subdirs only. otherwise the user can modify .ssh or .forward... -m From mouring at etoh.eviladmin.org Sun Apr 29 02:17:51 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Sat, 28 Apr 2001 11:17:51 -0500 (CDT) Subject: openssh-2.5.2p2 on SunOS 4.1.3 In-Reply-To: <20010428092259.C6731@lizzy.bugworks.com> Message-ID: thanks. I'll update that in a few minutes. - Ben On Sat, 28 Apr 2001, Jos Backus wrote: > On Sat, Apr 28, 2001 at 10:04:09AM -0500, mouring at etoh.eviladmin.org wrote: > > PCRE (PERL-compatible Regular Expression library): > > ftp://ftp.cus.cam.ac.uk/pub/software/programs/pcre/ > > That site appears to no longer host PCRE. The README found there says: > > This was the old primary ftp site for PCRE. At the start of the year 2000, > the site moved to ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre. > > And that's indeed where it is now. So the INSTALL file should be updated. > > -- > Jos Backus _/ _/_/_/ "Modularity is not a hack." > _/ _/ _/ -- D. J. Bernstein > _/ _/_/_/ > _/ _/ _/ _/ > josb at cncdsl.com _/_/ _/_/_/ use Std::Disclaimer; > From gyepi at praxis-sw.com Sun Apr 29 02:44:32 2001 
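The caveat Markus raises, that a chrooted scp/sftp user must not be able to write $HOME, .ssh or .forward, as an added check that is not part of the thread or of OpenSSH. It builds a constructed directory tree in a temporary directory and evaluates ownership and mode bits for a simulated user uid; it deliberately avoids os.access(), which when run as root reports everything as writable. The SENSITIVE file list and the 'upload' subdirectory are assumptions made for the example.

```python
"""Added example, not from the thread: audit a restricted user's $HOME.

A user who can write $HOME can create .forward (run by the MTA) or replace
.ssh/authorized_keys, so the directory and these files must be owned by
someone else and not group/other writable; uploads go to a subdirectory.
The layout is constructed in a temp dir and the user is simulated by uid."""
import os
import stat
import tempfile

# Assumed list of files sshd, the MTA or a login shell would read from $HOME.
SENSITIVE = (".ssh", ".ssh/authorized_keys", ".ssh/config", ".forward",
             ".rhosts", ".shosts", ".profile")


def writable_by(st, uid, gids=()):
    """Plain Unix mode check for a non-root user: owner, else group, else other."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_home(home, uid, gids=()):
    """Return findings for $HOME and sensitive dotfiles writable by uid."""
    findings = []
    if writable_by(os.lstat(home), uid, gids):
        findings.append(f"{home} is writable by uid {uid}: user can create .forward or .ssh")
    for rel in SENSITIVE:
        path = os.path.join(home, rel)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{path} is a symlink; check where it points")
        elif writable_by(st, uid, gids):
            findings.append(f"{path} is writable by uid {uid}")
    return findings


def build_layout(root, home_mode):
    """Constructed home: .ssh/authorized_keys, .forward and an 'upload' subdir."""
    home = os.path.join(root, "home", "restricted")
    os.makedirs(os.path.join(home, ".ssh"))
    os.makedirs(os.path.join(home, "upload"))
    with open(os.path.join(home, ".ssh", "authorized_keys"), "w") as f:
        f.write("# constructed placeholder, not a real key\n")
    with open(os.path.join(home, ".forward"), "w") as f:
        f.write("\n")
    os.chmod(home, home_mode)
    os.chmod(os.path.join(home, ".ssh"), 0o700)
    os.chmod(os.path.join(home, ".ssh", "authorized_keys"), 0o600)
    os.chmod(os.path.join(home, ".forward"), 0o644)
    os.chmod(os.path.join(home, "upload"), 0o777)   # the only place uploads go
    return home


def demo():
    """Good layout: everything owned by another uid and not other-writable.
    Bad layout: $HOME world-writable and .forward world-writable."""
    with tempfile.TemporaryDirectory() as tmp:
        other_uid = os.getuid() + 1   # simulated restricted user; never the file owner
        good = audit_home(build_layout(os.path.join(tmp, "good"), 0o755), other_uid)
        bad_home = build_layout(os.path.join(tmp, "bad"), 0o777)
        os.chmod(os.path.join(bad_home, ".forward"), 0o666)
        bad = audit_home(bad_home, other_uid)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("good layout findings:", good)
    print("bad layout findings:", bad)
```

The same rule applies to every directory on the path above $HOME inside the chroot: if any of them is writable by the user, the user can rename $HOME away and substitute their own. That path walk is left out here to keep the check short.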
From: gyepi at praxis-sw.com (Gyepi SAM) Date: Sat, 28 Apr 2001 12:44:32 -0400 Subject: restricted shell In-Reply-To: <20010428182448.A4062@folly>; from markus.friedl@informatik.uni-erlangen.de on Sat, Apr 28, 2001 at 06:24:48PM +0200 References: <20010428132619.2629.qmail@nome.praxis-sw.com> <20010428182448.A4062@folly> Message-ID: <20010428164432.2900.qmail@nome.praxis-sw.com> On Sat, Apr 28, 2001 at 06:24:48PM +0200, Markus Friedl wrote: > it's easier if the sftp-server does chroot. But then scp would also have to do the same thing if we are allowing both. It would seem easier to me to leave sftp-server and scp as they are and centralize the chroot and other related local security measures in the restricted shell, no? > however you need a setuid sftp-server. Same response. > additionally you have to disallow writing of $HOME, > restrict sftp to subdirs only. otherwise the user > can modify .ssh or .forward... I would leave this as an administrator option since I can imagine scenarios where both of those actions might be desirable. -Gyepi -- Anything that won't sell, I don't want to invent. Its sale is proof of utility and utility is success. --Thomas Alva Edison From mouring at etoh.eviladmin.org Sun Apr 29 03:26:50 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Sat, 28 Apr 2001 12:26:50 -0500 (CDT) Subject: Cygwin and sshd (fwd) Message-ID: ---------- Forwarded message ---------- Date: Sat, 28 Apr 2001 13:12:47 -0400 From: Brandon Barker To: openssh at openssh.com Subject: Cygwin and sshd Is it possible to compile and run sshd on win32 with cygwin? When I try to ./configure and make and make install, only the client programs are produced. Thanks, Brandon Barker From carson at taltos.org Sun Apr 29 05:14:37 2001 
From: carson at taltos.org (Carson Gaspar) Date: Sat, 28 Apr 2001 12:14:37 -0700 Subject: openssh-2.5.2p2 on SunOS 4.1.3 In-Reply-To: <200104281531.f3SFV3W29817@xerxes.courtesan.com> References: <200104281531.f3SFV3W29817@xerxes.courtesan.com> Message-ID: <415924421.988460076@athyra> --On Saturday, April 28, 2001 9:31 AM -0600 "Todd C. Miller" wrote: > Also, the GNU regex package works just fine with OpenSSH on SunOS 4.x > and older IRIX versions that lack these routines. But PCRE is _much_ faster. Having just tested many regex routines while performance tuning my firewall reporting software, PCRE beats everything else by a factor of 4-13. Not that it matters much for these purposes, I suppose. -- Carson From vinschen at redhat.com Sun Apr 29 06:25:54 2001 From: vinschen at redhat.com (Corinna Vinschen) Date: Sat, 28 Apr 2001 22:25:54 +0200 Subject: Cygwin and sshd (fwd) In-Reply-To: ; from mouring@etoh.eviladmin.org on Sat, Apr 28, 2001 at 12:26:50PM -0500 References: Message-ID: <20010428222554.B13989@cygbert.vinschen.de> On Sat, Apr 28, 2001 at 12:26:50PM -0500, mouring at etoh.eviladmin.org wrote: > > > ---------- Forwarded message ---------- > Date: Sat, 28 Apr 2001 13:12:47 -0400 > From: Brandon Barker > To: openssh at openssh.com > Subject: Cygwin and sshd > > Is it possible to compile and run sshd on win32 with cygwin? When I try to ./configure and make and make install, only the client programs are produced. I'm doing this for the Cygwin distro with each new openssh version and sshd is built then as well. I'm using it all day long. Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From roth+openssh at feep.net Mon Apr 30 02:10:36 2001 
From: roth+openssh at feep.net (Mark D. Roth) Date: Sun, 29 Apr 2001 11:10:36 -0500 Subject: man pages screwed In-Reply-To: ; from stevesk@pobox.com on Wed, Apr 25, 2001 at 12:55:57AM +0200 References: Message-ID: <20010429111036.A23624@yorktown.isdn.uiuc.edu> On Wed Apr 25 00:55 2001 +0200, Kevin Steves wrote: > it seems to hiccup starting at some markup here (hp-ux 11.0): [...] I've attached a new version of mdoc2man.pl which fixes this (and several other bugs). This new version seems to work fine on all of the OpenSSH man pages. Please let me know if you have any further questions or problems. Thanks! -- Mark D. Roth http://www.feep.net/~roth/ -------------- next part -------------- A non-text attachment was scrubbed... Name: mdoc2man.pl Type: application/x-perl Size: 9845 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010429/bf1b2919/attachment.bin From vinschen at redhat.com Mon Apr 30 03:00:53 2001 
From: vinschen at redhat.com (Corinna Vinschen) Date: Sun, 29 Apr 2001 19:00:53 +0200 Subject: Call for testing for coming 2.9 release. In-Reply-To: ; from mouring@etoh.eviladmin.org on Fri, Apr 27, 2001 at 06:34:04AM -0500 References: <20010427105338.A10526@cygbert.vinschen.de> Message-ID: <20010429190053.A22095@cygbert.vinschen.de> On Fri, Apr 27, 2001 at 06:34:04AM -0500, mouring at etoh.eviladmin.org wrote: > > > On Fri, 27 Apr 2001, Corinna Vinschen wrote: > > > On Thu, Apr 26, 2001 at 06:07:23PM -0500, mouring at etoh.eviladmin.org wrote: > > > > > > > > > On Wed, 25 Apr 2001, Corinna Vinschen wrote: > > > > > > > Hi, > > > > > > > > the following patches are necessary to build the latest OpenSSH from > > > > CVS on Cygwin. > > > > > > > > The patch in `Makefile.in' is needed to be able to build in another dir > > > > than the sourcedir. > > > > > > > > Cygwin lacks `setgroups' and the header file `arpa/nameser.h'. > > > > > > > > I couldn't check that it runs due to an eminent lack of time. I will > > > > try to check it 'til tomorrow. > > > > > > > > > > Sorry, I'm just getting time to go through my backlog. Cygwin has > > > getgroups() but not setgroups()? That seems odd to me. > > > > No, that's not odd, that's Windows (uhm, ok, that's odd). Each process > > has attached a so called `access token' which contains the information > > about the user (owner, primary group, supplementary groups, special > > user rights, discretionary access control list, ...). > > > > I applied it as is.. So if you could test the next snapshot to > verify it's correct. Thanks Ben, I have just built and installed the latest from CVS on a Cygwin 1.3.1 (latest as well) system and it seems to run well. Building itself was uneventful. I used PCRE for the first time instead of GNU regex. 
OpenSSH has been configured with the following options: User binaries: /usr/bin System binaries: /usr/sbin Configuration files: /etc Askpass program: /usr/sbin/ssh-askpass Manual pages: /usr/man/manX PID file: /var/run sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin Random number collection: Device (/dev/urandom) Manpage format: doc PAM support: no KerberosIV support: no AFS support: no S/KEY support: no TCP Wrappers support: no MD5 password support: no IP address in $DISPLAY hack: no Use IPv4 by default hack: no Translate v4 in v6 hack: no Host: i686-pc-cygwin Compiler: gcc Compiler flags: -g -O2 -Wall Preprocessor flags: Linker flags: Libraries: -lz -lregex /usr/lib/textmode.o -lpcreposix -lpcre -lcrypto Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From markus.friedl at informatik.uni-erlangen.de Mon Apr 30 02:03:04 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sun, 29 Apr 2001 18:03:04 +0200 Subject: restricted shell In-Reply-To: <20010428164432.2900.qmail@nome.praxis-sw.com>; from gyepi@praxis-sw.com on Sat, Apr 28, 2001 at 12:44:32PM -0400 References: <20010428132619.2629.qmail@nome.praxis-sw.com> <20010428182448.A4062@folly> <20010428164432.2900.qmail@nome.praxis-sw.com> Message-ID: <20010429180304.A16624@folly> On Sat, Apr 28, 2001 at 12:44:32PM -0400, Gyepi SAM wrote: > On Sat, Apr 28, 2001 at 06:24:48PM +0200, Markus Friedl wrote: > > it's easier if the sftp-server does chroot. > > But then scp would also have to do the same thing if we are allowing both. > It would seem easier to be to leave sftp-server and scp as they are and > centralize the chroot and other related local security measures in the > restricted shell, no? no :) if sshd chroots, you need to copy the (static?) sftp-server to every home-dir. this is no fun on solaris, just look at the mess ssh-chrootmgr(1) creates. > > additionally you have to disallow writing of $HOME, > > restrict sftp to subdirs only. otherwise the user > > can modify .ssh or .forward... > > I would leave this as an administrator option since I can imagine scenarios > where both of those actions might be desirable. yes, but they are usually not aware of this. -m From mouring at etoh.eviladmin.org Mon Apr 30 04:00:10 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Sun, 29 Apr 2001 13:00:10 -0500 (CDT) Subject: restricted shell In-Reply-To: <20010429180304.A16624@folly> Message-ID: On Sun, 29 Apr 2001, Markus Friedl wrote: > On Sat, Apr 28, 2001 at 12:44:32PM -0400, Gyepi SAM wrote: > > On Sat, Apr 28, 2001 at 06:24:48PM +0200, Markus Friedl wrote: > > > it's easier if the sftp-server does chroot. > > > > But then scp would also have to do the same thing if we are allowing both. > > It would seem easier to be to leave sftp-server and scp as they are and > > centralize the chroot and other related local security measures in the > > restricted shell, no? > > no :) > I would much prefer chroot() done in sftp-server. I plan on looking at that after I get a few of the other patches queued up done with. =) > if sshd chroots, you need to copy the (static?) sftp-server > to every home-dir. this is no fun on solaris, just > look at the mess ssh-chrootmgr(1) creates. > > > > additionally you have to disallow writing of $HOME, > > > restrict sftp to subdirs only. otherwise the user > > > can modify .ssh or .forward... > > > > I would leave this as an administrator option since I can imagine scenarios > > where both of those actions might be desirable. > > yes, but they are usually not aware of this. > Hmm.. .forward is harder to deal with because it's outside the scope of SSH. ftp-only accounts have the same issues. For everything in .ssh it would be nice if we could provide a 'Class' based system. So you can assign users to a class which limits what ssh functionality is accepted, and the ability to set a default. Much the same way that ncftpd/proftpd does. But how much bloat do we need to include to build enough flexibility to handle the most cases. - Ben From gyepi at praxis-sw.com Mon Apr 30 03:43:19 2001 
From: gyepi at praxis-sw.com (Gyepi SAM) Date: Sun, 29 Apr 2001 13:43:19 -0400 Subject: restricted shell In-Reply-To: <20010429180304.A16624@folly>; from markus.friedl@informatik.uni-erlangen.de on Sun, Apr 29, 2001 at 06:03:04PM +0200 References: <20010428132619.2629.qmail@nome.praxis-sw.com> <20010428182448.A4062@folly> <20010428164432.2900.qmail@nome.praxis-sw.com> <20010429180304.A16624@folly> Message-ID: <20010429174319.1699.qmail@nome.praxis-sw.com> On Sun, Apr 29, 2001 at 06:03:04PM +0200, Markus Friedl wrote: > On Sat, Apr 28, 2001 at 12:44:32PM -0400, Gyepi SAM wrote: > > On Sat, Apr 28, 2001 at 06:24:48PM +0200, Markus Friedl wrote: > > > it's easier if the sftp-server does chroot. > if sshd chroots, you need to copy the (static?) sftp-server > to every home-dir. this is no fun on solaris, just > look at the mess ssh-chrootmgr(1) creates. Precisely! Which is why I am proposing a static shell which incorporates the functionality of sftp-server and scp so that the shell chroots to $HOME and we do not have to copy ANY static binaries into the chrooted environment. This will even allow the paranoid admin to mount the $HOME filesystem noexec. I do not believe that the chrooting should be done by sshd (because the user shell then has to exist inside the chrooted filesystem) or sftp-server (OK, but messy since we cannot allow such users to also use scp if they wish) or scp (converse of sftp-server case). Therefore, the chrooting should be done by my restricted shell. -Gyepi -- What usually happens in the educational process is that the faculties are dulled, overloaded, stuffed and paralyzed so that by the time most people are mature they have lost their innate capabilities. -- R. Buckminster Fuller From wayne at blorf.net Mon Apr 30 06:05:26 2001 
From: wayne at blorf.net (Wayne Davison) Date: Sun, 29 Apr 2001 13:05:26 -0700 (PDT) Subject: PATCH: UseLogin fix for 2.9p1 (w/improved last-login time) Message-ID: Attached is the latest version of my UseLogin patch that makes "UseLogin true" work on Solaris and UNICOS. As usual, I have provided configure.in changes that set the appropriate defines for Solaris, but I have not provided the configure.in changes for UNICOS (since they would be incomplete, and Wendy is working on this). This version fixes a problem with the last-login time always being reported as the current time (I had to add a new record_*() function since record_login() was changing other things than the {u,w}tmp{x,} data). This version also changes less existing code, to hopefully make it easier to maintain against the BSD source. The patch is relative to the 2.9p1 source I just grabbed out of CVS. ..wayne.. -------------- next part -------------- Index: acconfig.h --- acconfig.h 2001/04/05 17:15:08 1.110 +++ acconfig.h 2001/04/29 18:12:31 @@ -154,6 +154,12 @@ /* Define if you don't want to use wtmpx */ #undef DISABLE_WTMPX +/* Some systems need a utmpx entry for /bin/login to work */ +#undef LOGIN_NEEDS_UTMPX + +/* Some versions of /bin/login need the TERM supplied on the commandline */ +#undef LOGIN_NEEDS_TERM + /* Define if you want to specify the path to your lastlog file */ #undef CONF_LASTLOG_FILE Index: configure.in --- configure.in 2001/04/26 04:40:28 1.282 +++ configure.in 2001/04/29 18:12:36 @@ -153,6 +153,8 @@ LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib" need_dash_r=1 AC_DEFINE(PAM_SUN_CODEBASE) + AC_DEFINE(LOGIN_NEEDS_UTMPX) + AC_DEFINE(LOGIN_NEEDS_TERM) # hardwire lastlog location (can't detect it on some versions) conf_lastlog_location="/var/adm/lastlog" AC_MSG_CHECKING(for obsolete utmp and wtmp in solaris2.x) Index: loginrec.c --- loginrec.c 2001/02/22 21:23:21 1.32 +++ loginrec.c 2001/04/29 18:12:40 
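Review bot: the configure.in hunk switches on LOGIN_NEEDS_UTMPX and LOGIN_NEEDS_TERM unconditionally for the whole case that also defines PAM_SUN_CODEBASE, with no configure-time test and no option to turn them off, while the acconfig.h comments only say "some systems" need them. Please expand those two comments (or INSTALL) to state which login(1) behaviour each macro works around and which Solaris releases were tested, so that the UNICOS port mentioned in the cover letter, and any other port, can decide whether to set them rather than copying the Solaris block.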
@@ -443,6 +443,27 @@ return 0; } +#ifdef LOGIN_NEEDS_UTMPX +int +login_utmp_only(struct logininfo *li) +{ + li->type = LTYPE_LOGIN; +# ifdef USE_UTMP + utmp_write_entry(li); +# endif +# ifdef USE_WTMP + wtmp_write_entry(li); +# endif +# ifdef USE_UTMPX + utmpx_write_entry(li); +# endif +# ifdef USE_WTMPX + wtmpx_write_entry(li); +# endif + return 0; +} +#endif + /** ** getlast_entry: Call low-level functions to retrieve the last login ** time. Index: loginrec.h --- loginrec.h 2001/02/05 12:42:18 1.5 +++ loginrec.h 2001/04/29 18:12:41 @@ -110,6 +110,9 @@ /* record the entry */ int login_login (struct logininfo *li); int login_logout(struct logininfo *li); +#ifdef LOGIN_NEEDS_UTMPX +int login_utmp_only(struct logininfo *li); +#endif /** End of public functions */ Index: session.c --- session.c 2001/04/18 15:29:34 1.111 +++ session.c 2001/04/29 18:12:41 @@ -127,6 +127,9 @@ void do_exec_pty(Session *s, const char *command); void do_exec_no_pty(Session *s, const char *command); void do_login(Session *s, const char *command); +#ifdef LOGIN_NEEDS_UTMPX +void do_pre_login(Session *s); +#endif void do_child(Session *s, const char *command); void do_motd(void); int check_quietlogin(Session *s, const char *command); @@ -644,6 +647,10 @@ #ifndef HAVE_OSF_SIA if (!(options.use_login && command == NULL)) do_login(s, command); +# ifdef LOGIN_NEEDS_UTMPX + else + do_pre_login(s); +# endif #endif /* Do common processing for the child, such as execing the command. */ 
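Review bot: login_utmp_only() in the loginrec.c hunk writes wtmp and wtmpx entries as well as utmp/utmpx, so the name and the "Record just the utmp info" description in the headers do not match what it does, and on a system where /bin/login then records the session itself the login will show up twice in wtmp/wtmpx. If login(1) only needs the utmpx slot to exist, drop the wtmp_write_entry() and wtmpx_write_entry() calls; if all four really are needed, rename the function and say why in its comment. The function also lacks the `**`-style header comment the neighbouring functions in loginrec.c carry.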
@@ -687,6 +694,34 @@ } } +#ifdef LOGIN_NEEDS_UTMPX +void +do_pre_login(Session *s) +{ + socklen_t fromlen; + struct sockaddr_storage from; + pid_t pid = getpid(); + + /* + * Get IP address of client. If the connection is not a socket, let + * the address be 0.0.0.0. + */ + memset(&from, 0, sizeof(from)); + if (packet_connection_is_on_socket()) { + fromlen = sizeof(from); + if (getpeername(packet_get_connection_in(), + (struct sockaddr *) & from, &fromlen) < 0) { + debug("getpeername: %.100s", strerror(errno)); + fatal_cleanup(); + } + } + + record_utmp_only(pid, s->tty, s->pw->pw_name, + get_remote_name_or_ip(utmp_len, options.reverse_mapping_check), + (struct sockaddr *)&from); +} +#endif + /* administrative, login(1)-like work */ void do_login(Session *s, const char *command) @@ -1511,6 +1546,9 @@ /* Launch login(1). */ execl(LOGIN_PROGRAM, "login", "-h", hostname, +#ifdef LOGIN_NEEDS_TERM + s->term? s->term : "unknown", +#endif "-p", "-f", "--", pw->pw_name, NULL); /* Login couldn't be executed, die. */ Index: sshlogin.c --- sshlogin.c 2001/03/26 05:32:17 1.3 +++ sshlogin.c 2001/04/29 18:12:41 @@ -77,6 +77,20 @@ login_free_entry(li); } +#ifdef LOGIN_NEEDS_UTMPX +void +record_utmp_only(pid_t pid, const char *ttyname, const char *user, + const char *host, struct sockaddr * addr) +{ + struct logininfo *li; + + li = login_alloc_entry(pid, user, host, ttyname); + login_set_addr(li, addr, sizeof(struct sockaddr)); + login_utmp_only(li); + login_free_entry(li); +} +#endif + /* Records that the user has logged out. */ void Index: sshlogin.h --- sshlogin.h 2001/03/05 03:53:03 1.2 +++ sshlogin.h 2001/04/29 18:12:41 
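Review bot: in the sshlogin.c hunk record_utmp_only() passes sizeof(struct sockaddr) to login_set_addr() although do_pre_login() fills a struct sockaddr_storage from getpeername(); a struct sockaddr is smaller than a sockaddr_in6, so an IPv6 peer address is truncated. Pass the length getpeername() returned (fromlen) through, or use sizeof(struct sockaddr_storage). In the execl() hunk, s->term is the terminal name the client sent in its pty request and is placed as its own argv element between the hostname and "-p"; it would be safer to reject or replace values that start with "-" or contain "/" before handing them to login(1) than to rely on login treating that position as purely positional.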
@@ -31,6 +31,15 @@ record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid, const char *host, struct sockaddr *addr); +#ifdef LOGIN_NEEDS_UTMPX +/* + * Record just the utmp info for /bin/login. + */ +void +record_utmp_only(pid_t pid, const char *ttyname, const char *user, + const char *host, struct sockaddr * addr); +#endif + /* * Records that the user has logged out. This does many thigs normally done * by login(1) or init. From dbt at meat.net Mon Apr 30 07:19:15 2001 From: dbt at meat.net (David Terrell) Date: Sun, 29 Apr 2001 14:19:15 -0700 Subject: openssh-2.5.2p2 on SunOS 4.1.3 In-Reply-To: <20010428092259.C6731@lizzy.bugworks.com>; from josb@cncdsl.com on Sat, Apr 28, 2001 at 09:22:59AM -0700 References: <20010428092259.C6731@lizzy.bugworks.com> Message-ID: <20010429141915.B22849@pianosa.catch22.org> On Sat, Apr 28, 2001 at 09:22:59AM -0700, Jos Backus wrote: > On Sat, Apr 28, 2001 at 10:04:09AM -0500, mouring at etoh.eviladmin.org wrote: > > PCRE (PERL-compatible Regular Expression library): > > ftp://ftp.cus.cam.ac.uk/pub/software/programs/pcre/ > > That site appears to no longer host PCRE. The README found there says: > > This was the old primary ftp site for PCRE. At the start of the year 2000, > the site moved to ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre. > > And that's indeed where it is now. So the INSTALL file should be updated. And like any other software package these days, you can find it at www.pcre.org and pcre.sourceforge.net. Dave, who happens to do DNS and www for pcre.org... -- David Terrell | "Any sufficiently advanced technology Prime Minister, Nebcorp | is indistinguishable from a rigged demo." dbt at meat.net | - Brian Swetland http://wwn.nebcorp.com/ From tim at multitalents.net Mon Apr 30 11:06:05 2001 
From: tim at multitalents.net (Tim Rice) Date: Sun, 29 Apr 2001 18:06:05 -0700 (PDT) Subject: man pages screwed In-Reply-To: <20010429111036.A23624@yorktown.isdn.uiuc.edu> Message-ID: On Sun, 29 Apr 2001, Mark D. Roth wrote: > On Wed Apr 25 00:55 2001 +0200, Kevin Steves wrote: > > it seems to hiccup starting at some markup here (hp-ux 11.0): > [...] > > I've attached a new version of mdoc2man.pl which fixes this (and > several other bugs). This new version seems to work fine on all of > the OpenSSH man pages. Applied. Thanks. > > Please let me know if you have any further questions or problems. > Thanks! > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From wayne at blorf.net Mon Apr 30 12:42:25 2001 From: wayne at blorf.net (Wayne Davison) Date: Sun, 29 Apr 2001 19:42:25 -0700 (PDT) Subject: Add a couple .cvsignore files? Message-ID: It would be nice if the CVS source had a .cvsignore file in the main dir with the following items: ssh scp sshd ssh-add ssh-keygen ssh-keyscan ssh-agent sftp-server sftp configure config.h.in config.h config.status Makefile ssh_prng_cmds *.out Plus a .cvsignore file in openbsd-compat that ignored "Makefile". ..wayne.. From tim at multitalents.net Mon Apr 30 13:44:19 2001 From: tim at multitalents.net (Tim Rice) Date: Sun, 29 Apr 2001 20:44:19 -0700 (PDT) Subject: Add a couple .cvsignore files? In-Reply-To: Message-ID: On Sun, 29 Apr 2001, Wayne Davison wrote: > It would be nice if the CVS source had a .cvsignore file in the main > dir with the following items: > > ssh scp sshd ssh-add ssh-keygen ssh-keyscan ssh-agent sftp-server sftp > configure config.h.in config.h config.status Makefile > ssh_prng_cmds *.out > > Plus a .cvsignore file in openbsd-compat that ignored "Makefile". Or you could build outside of the source tree. > > ..wayne.. > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From djm at mindrot.org Mon Apr 30 13:56:11 2001 
From: djm at mindrot.org (Damien Miller) Date: Mon, 30 Apr 2001 13:56:11 +1000 (EST) Subject: Add a couple .cvsignore files? In-Reply-To: Message-ID: On Sun, 29 Apr 2001, Wayne Davison wrote: > It would be nice if the CVS source had a .cvsignore file in the main > dir with the following items: > > ssh scp sshd ssh-add ssh-keygen ssh-keyscan ssh-agent sftp-server sftp > configure config.h.in config.h config.status Makefile > ssh_prng_cmds *.out > > Plus a .cvsignore file in openbsd-compat that ignored "Makefile". Great idea, done. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From karlm30 at hotmail.com Mon Apr 30 15:22:18 2001 From: karlm30 at hotmail.com (Karl M) Date: Sun, 29 Apr 2001 22:22:18 -0700 Subject: Updated partial auth patch against CVS Message-ID: Hi Carson... I'm a little confused...I don't think that I mentioned these points. I was looking at getting partial authentication working with CygWin. The code image I am running now, takes advantage of the fact that password authentication is done (last) as part of the list and that public key is the only other method used (so I only comment out the check_nt_auth there). I think that the check needs to be removed from the other methods (except password) and done as a final step after all methods in the authentication list have been completed. I didn't think I saw that when I read your patch. Also...It seems to me that it would be possible to do something similar for ssh1 authentication (possibly without the nice partial success messages and possibly without control of the order of the steps). What are your thoughts on this? Thanks, ...Karl _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com From lazio at rsd.nrl.navy.mil Mon Apr 30 22:57:20 2001 
From: lazio at rsd.nrl.navy.mil (Joseph Lazio) Date: Mon, 30 Apr 2001 08:57:20 -0400 (EDT) Subject: hostname as static link Message-ID: <15085.24427.452059.995631@exeter.nrl.navy.mil> I'm in the process of installing OpenSSH-2.5.1p1 on a cluster of machines. One of the aspects of a previous (non-OpenSSH) version of ssh that I had been using was its ability to tolerate soft links to it. Thus, one could set up # ln -s /usr/bin/ssh /usr/local/bin/machine and thereafter type just 'machine' to connect to that host. This version of OpenSSH doesn't appear to accept that kind of set up. FWIW, a context diff(1) of the change I made to ssh.c is appended. -- Joseph *** ssh.old.c Mon Feb 19 05:51:08 2001 --- ssh.c Mon Apr 30 08:38:33 2001 *************** *** 498,505 **** } /* Check that we got a host name. */ if (!host) ! usage(); SSLeay_add_all_algorithms(); ERR_load_crypto_strings(); --- 499,512 ---- } /* Check that we got a host name. */ + /* TJWL */ if (!host) ! { ! if ( strcmp(av[0], "ssh") == 0 ) ! usage(); ! else ! host = av[0]; ! } SSLeay_add_all_algorithms(); ERR_load_crypto_strings(); -- T. Joseph W. Lazio, Ph.D. voice: +1 202 404 6329 Remote Sensing Division fax: +1 202 404 8894 Naval Research Lab, Code 7213 lazio at rsd.nrl.navy.mil Washington, DC 20375-5351 USA http://rsd-www.nrl.navy.mil/7213/lazio/ From abartlet at pcug.org.au Mon Apr 30 23:42:08 2001 
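Review bot: the new check compares av[0] against "ssh" with strcmp(), so it only behaves as intended when ssh is invoked by its bare name; run as /usr/bin/ssh, or under another name such as ssh1, the else branch takes the whole program path as the host name instead of printing usage(), and a symlink invoked with a path breaks the same way. Compare only the basename of av[0] (the text after the last '/'), and keep usage() as the result when that basename is one of the program's own names. The "/* TJWL */" marker should also either describe what the block does or go.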
From: abartlet at pcug.org.au (Andrew Bartlett) Date: Mon, 30 Apr 2001 23:42:08 +1000 Subject: [PATCH] Re: restricted shell References: <20010428132619.2629.qmail@nome.praxis-sw.com> <20010428182448.A4062@folly> <20010428164432.2900.qmail@nome.praxis-sw.com> <20010429180304.A16624@folly> Message-ID: <3AED6BB0.53777208@bartlett.house> Markus Friedl wrote: > > On Sat, Apr 28, 2001 at 12:44:32PM -0400, Gyepi SAM wrote: > > On Sat, Apr 28, 2001 at 06:24:48PM +0200, Markus Friedl wrote: > > > it's easier if the sftp-server does chroot. > > > > But then scp would also have to do the same thing if we are allowing both. > > It would seem easier to be to leave sftp-server and scp as they are and > > centralize the chroot and other related local security measures in the > > restricted shell, no? > > no :) > > if sshd chroots, you need to copy the (static?) sftp-server > to every home-dir. this is no fun on solaris, just > look at the mess ssh-chrootmgr(1) creates. > > > > additionally you have to disallow writing of $HOME, > > > restrict sftp to subdirs only. otherwise the user > > > can modify .ssh or .forward... > > > > I would leave this as an administrator option since I can imagine scenarios > > where both of those actions might be desirable. > > yes, but they are usually not aware of this. > > -m What about just adding realpath() checks to all the paths used in sftp? Not as secure as a chroot setup I agree, but I would have thought it might just be simple enough to work without yet another set-uid binary. (One of the reasons I deployed sftp at my site was that it did not require a root-run process/set-uid root program to do any of the work). Also, while we are looking at restricted shells, adding this patch might be worth it (if it's not added already; I never got confirmation, and haven't been following OpenSSH as much recently. Then again, I can't find a record I sent it either...). I'm also not sure how much testing it got. 
Andrew Bartlett -- Andrew Bartlett abartlet at pcug.org.au -------------- next part -------------- --- openssh-2.5.1p1/session.orig Fri Mar 9 18:51:12 2001 +++ openssh-2.5.1p1/session.c Fri Mar 9 22:43:54 2001 @@ -1332,9 +1333,10 @@ if (!options.use_login) { if (stat(_PATH_SSH_USER_RC, &st) >= 0) { if (debug_flag) - fprintf(stderr, "Running %s %s\n", _PATH_BSHELL, _PATH_SSH_USER_RC); + fprintf(stderr, "Running %s -c \"%s %s\"\n", shell, _PATH_BSHELL, _PATH_SSH_USER_RC); - f = popen(_PATH_BSHELL " " _PATH_SSH_USER_RC, "w"); + snprintf(buf, sizeof buf, "%s -c \"%s %s\"", shell, _PATH_BSHELL, _PATH_SSH_USER_RC); + f = popen(buf, "w"); if (f) { if (auth_proto != NULL && auth_data != NULL) fprintf(f, "%s %s\n", auth_proto, auth_data); From Markus.Friedl at informatik.uni-erlangen.de Mon Apr 30 23:44:39 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 30 Apr 2001 15:44:39 +0200 Subject: [PATCH] Re: restricted shell In-Reply-To: <3AED6BB0.53777208@bartlett.house>; from abartlet@pcug.org.au on Mon, Apr 30, 2001 at 11:42:08PM +1000 References: <20010428132619.2629.qmail@nome.praxis-sw.com> <20010428182448.A4062@folly> <20010428164432.2900.qmail@nome.praxis-sw.com> <20010429180304.A16624@folly> <3AED6BB0.53777208@bartlett.house> Message-ID: <20010430154439.A24601@faui02.informatik.uni-erlangen.de> On Mon, Apr 30, 2001 at 11:42:08PM +1000, Andrew Bartlett wrote: > Also, while we are looking at restricted shells, adding this patch might > be worth it (if its not added already, I never got confirmation - and > havn't been following OpenSSH as much recently. (Then again, I can't > find a record I sent it either...). I'm also not sure how much testing > it got. a similer patch is in openssh-current (i hope). -m From abartlet at pcug.org.au Mon Apr 30 23:48:10 2001 
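Review bot: the session.c hunk uses buf and shell but adds neither, and the hunk header (-1332 versus +1333) points at an earlier hunk that declared them and is missing from the posted patch, so the patch as shown does not build on its own. Also, the shell path and _PATH_SSH_USER_RC are interpolated into a double-quoted string that popen() hands to /bin/sh -c, so a shell path or rc path containing a double quote, $ or backtick is reinterpreted by the outer shell; at minimum check the snprintf() return value against sizeof buf, and better, fork() and execl() the shell with "-c" and the command as separate argv entries so no string is reparsed.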
From: abartlet at pcug.org.au (Andrew Bartlett) Date: Mon, 30 Apr 2001 23:48:10 +1000 Subject: [PATCH] Re: restricted shell References: <20010428132619.2629.qmail@nome.praxis-sw.com> <20010428182448.A4062@folly> <20010428164432.2900.qmail@nome.praxis-sw.com> <20010429180304.A16624@folly> <3AED6BB0.53777208@bartlett.house> <20010430154439.A24601@faui02.informatik.uni-erlangen.de> Message-ID: <3AED6D1A.A78CDF3C@bartlett.house> Markus Friedl wrote: > > On Mon, Apr 30, 2001 at 11:42:08PM +1000, Andrew Bartlett wrote: > > Also, while we are looking at restricted shells, adding this patch might > > be worth it (if its not added already, I never got confirmation - and > > havn't been following OpenSSH as much recently. (Then again, I can't > > find a record I sent it either...). I'm also not sure how much testing > > it got. > > a similar patch is in openssh-current (i hope). > > -m Thanks -- Andrew Bartlett abartlet at pcug.org.au From abartlet at pcug.org.au Mon Apr 30 23:57:10 2001 
From: abartlet at pcug.org.au (Andrew Bartlett) Date: Mon, 30 Apr 2001 23:57:10 +1000 Subject: [PATCH] Re: restricted shell References: <20010428132619.2629.qmail@nome.praxis-sw.com> <20010428182448.A4062@folly> <20010428164432.2900.qmail@nome.praxis-sw.com> <20010429180304.A16624@folly> <3AED6BB0.53777208@bartlett.house> <20010430154439.A24601@faui02.informatik.uni-erlangen.de> Message-ID: <3AED6F36.E53FD9E6@bartlett.house> Markus Friedl wrote: > > On Mon, Apr 30, 2001 at 11:42:08PM +1000, Andrew Bartlett wrote: > > Also, while we are looking at restricted shells, adding this patch might > > be worth it (if its not added already, I never got confirmation - and > > havn't been following OpenSSH as much recently. (Then again, I can't > > find a record I sent it either...). I'm also not sure how much testing > > it got. > > a similar patch is in openssh-current (i hope). > > -m Actually, no. Presuming that cvs-web is openssh-current, we still use /bin/sh to execute the user's sshrc. I allow my users a restricted shell (taint-mode enabled perl script) that lets them do things like change their password, so this kind of matters. I also allow them sftp access. -- Andrew Bartlett abartlet at pcug.org.au
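A worked illustration of the two ideas that recur in the restricted-shell thread above: Andrew's suggestion of realpath() checks on every path an sftp user supplies, combined with Markus's rule that such a user may write only below a subdirectory of $HOME and never into .ssh. This is an added example, not code from OpenSSH's sftp-server or from any poster. confine_path(), under_root() and the "no writes in $HOME itself, no dot-directories" reading of Markus's rule are my own choices, and confine_selftest() builds its own throwaway directory tree under /tmp (a constructed fixture) so the block runs offline.

```c
/* Path confinement for an sftp-style file service, as an added example
 * (not OpenSSH's sftp-server or any poster's code). root is the user's
 * $HOME after realpath(); every client-supplied path is resolved with
 * realpath() and must stay at or below root, and writes are further
 * limited to files inside a non-dot subdirectory (my reading of the
 * "subdirs only, never .ssh or .forward" rule from the thread). */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

enum confine_result { CONFINE_OK = 0, CONFINE_ESCAPE, CONFINE_PROTECTED, CONFINE_ERR };

/* 1 if path is root itself or below it on a component boundary, so that
 * /home/ab is not mistaken for something inside /home/a. */
static int under_root(const char *root, const char *path)
{
    size_t n = strlen(root);
    if (strncmp(root, path, n) != 0)
        return 0;
    return path[n] == '\0' || path[n] == '/' || (n == 1 && root[0] == '/');
}

/* Resolve relpath (relative to root) into out. If the object does not exist
 * yet, the parent directory is resolved and the final component re-appended,
 * so create/rename targets are checked too. */
enum confine_result
confine_path(const char *root, const char *relpath, int for_write,
             char *out, size_t outlen)
{
    char joined[PATH_MAX], resolved[PATH_MAX], parent[PATH_MAX];

    if (snprintf(joined, sizeof joined, "%s/%s", root, relpath) >= (int)sizeof joined)
        return CONFINE_ERR;
    if (realpath(joined, resolved) == NULL) {
        if (errno != ENOENT)
            return CONFINE_ERR;
        const char *last = strrchr(joined, '/') + 1;   /* joined always has a '/' */
        size_t plen = (size_t)(last - joined) - 1;     /* parent, without the '/' */
        if (*last == '\0' || strcmp(last, ".") == 0 || strcmp(last, "..") == 0)
            return CONFINE_ERR;                        /* "." / ".." are never created */
        memcpy(parent, joined, plen);
        parent[plen] = '\0';
        if (plen == 0)
            strcpy(parent, "/");
        if (realpath(parent, resolved) == NULL)        /* follows symlinks in the parent */
            return CONFINE_ERR;
        size_t rl = strlen(resolved);
        if (rl + 1 + strlen(last) + 1 > sizeof resolved)
            return CONFINE_ERR;
        if (rl != 1)                                   /* "/" already ends in a slash */
            resolved[rl++] = '/';
        strcpy(resolved + rl, last);
    }
    if (!under_root(root, resolved))
        return CONFINE_ESCAPE;
    if (for_write) {
        const char *rel = resolved + strlen(root);
        if (*rel == '/')
            rel++;
        /* Writes must land inside a subdirectory (rel contains a '/') and that
         * subdirectory must not be a dot-directory such as .ssh. */
        if (*rel == '\0' || rel[0] == '.' || strchr(rel, '/') == NULL)
            return CONFINE_PROTECTED;
    }
    if (strlen(resolved) >= outlen)
        return CONFINE_ERR;
    strcpy(out, resolved);
    return CONFINE_OK;
}

/* Constructed fixture under mkdtemp(): $HOME/docs, $HOME/.ssh, a symlink
 * $HOME/escape -> .., and a sibling dir whose name extends $HOME's name.
 * Returns 1 if every verdict is the expected one. */
int confine_selftest(void)
{
    char tmpl[] = "/tmp/confineXXXXXX";
    char root[PATH_MAX], p[PATH_MAX], sib[PATH_MAX], rel[PATH_MAX], out[PATH_MAX];
    int ok = 1;

    if (mkdtemp(tmpl) == NULL || realpath(tmpl, root) == NULL)
        return 0;
    snprintf(p, sizeof p, "%s/docs", root);   ok &= mkdir(p, 0700) == 0;
    snprintf(p, sizeof p, "%s/.ssh", root);   ok &= mkdir(p, 0700) == 0;
    snprintf(p, sizeof p, "%s/escape", root); ok &= symlink("..", p) == 0;
    snprintf(sib, sizeof sib, "%sab", root);  ok &= mkdir(sib, 0700) == 0;

    ok &= confine_path(root, "docs/report.txt", 1, out, sizeof out) == CONFINE_OK;
    ok &= confine_path(root, "docs/../docs/./report.txt", 1, out, sizeof out) == CONFINE_OK;
    ok &= confine_path(root, "docs", 0, out, sizeof out) == CONFINE_OK;
    ok &= confine_path(root, "../outside.txt", 0, out, sizeof out) == CONFINE_ESCAPE;
    ok &= confine_path(root, "escape/outside.txt", 0, out, sizeof out) == CONFINE_ESCAPE;
    snprintf(rel, sizeof rel, "../%sab/x", strrchr(root, '/') + 1);
    ok &= confine_path(root, rel, 0, out, sizeof out) == CONFINE_ESCAPE;   /* prefix trick */
    ok &= confine_path(root, ".ssh/authorized_keys", 1, out, sizeof out) == CONFINE_PROTECTED;
    ok &= confine_path(root, ".forward", 1, out, sizeof out) == CONFINE_PROTECTED;
    ok &= confine_path(root, "docs", 1, out, sizeof out) == CONFINE_PROTECTED; /* $HOME itself */
    ok &= confine_path(root, "docs/..", 1, out, sizeof out) == CONFINE_PROTECTED;

    snprintf(p, sizeof p, "%s/docs", root);   rmdir(p);
    snprintf(p, sizeof p, "%s/.ssh", root);   rmdir(p);
    snprintf(p, sizeof p, "%s/escape", root); unlink(p);
    rmdir(sib);
    rmdir(root);
    return ok;
}

int main(void)
{
    int ok = confine_selftest();
    printf("confinement self-test %s\n", ok ? "passed" : "FAILED");
    return ok ? 0 : 1;
}
```

The check is only as good as the moment it runs: realpath() follows symlinks at check time, and a user who can create symlinks in a subdirectory can swap one in between the check and the open(), which is exactly the class of race a kernel-enforced chroot() avoids and why Markus prefers it. If this approach is used without chroot, the final open should use O_NOFOLLOW and the opened file should be re-verified with fstat() against the directory the check resolved, and the admin has to pre-create the writable subdirectories since the rule forbids the user from creating anything directly in $HOME.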