From cet at carlthompson.net Wed Aug 1 13:30:40 2001
From: cet at carlthompson.net (Carl Thompson)
Date: Tue, 31 Jul 2001 20:30:40 -0700
Subject: Possible bug
Message-ID: <3B6777E0.3080402@carlthompson.net>

Hello,

I have found what I believe to be a bug in OpenSSH. I have tested versions 2.1.1 and 2.5.2p2 only. Please CC me on any responses as I am not subscribed to the mailing list. (Is this address the proper one for reporting bugs?)

When using the "-N" option to "ssh" to forward ports without running a command, ssh terminates after only one connection to the forwarded ports. For example, if I want to forward local port 8080 to my web server at home, I would use

    ssh -N -L 8080:localhost:80 carlthompson.net

However, after just one successful connection to local port 8080, ssh terminates and the port is no longer redirected. I believe the correct behavior should be that ssh continues to forward connections until the program is explicitly terminated, as is the case when "-N" is not used.

Thank you,
Carl Thompson

From bhavesh_patel at yahoo.com Wed Aug 1 06:44:05 2001
From: bhavesh_patel at yahoo.com (Bhavesh Patel)
Date: Tue, 31 Jul 2001 13:44:05 -0700 (PDT)
Subject: using scp for files larger than 2 gig
Message-ID: <20010731204405.41121.qmail@web11605.mail.yahoo.com>

Hi guys,

I was not able to copy files larger than 2 GB with scp. From the discussion forum I found out that this is a known problem. I am using a workaround, which is

    cat file1 | ssh ipaddress 'cat > file2'

I have checked the file with md5sum and it looks like it is ok. I just want to know whether this approach is ok. Will it lose any data during transfer? I was also wondering whether you guys have a fix for it or are planning to support it in a future version.

I am using OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f

Thanking you in anticipation,
Bhavesh

From rolek at linvision.com Wed Aug 1 23:59:32 2001
From: rolek at linvision.com (Roel van Meer)
Date: Wed, 01 Aug 2001 15:59:32 +0200
Subject: Unable to login via ssh when UseLogin is yes and dns not working.
Message-ID: <3B680B44.8D36899E@linvision.com>

Hi list,

I have a problem with openssh-2.9p1-1 on an updated RedHat 6.2 system. When I specify UseLogin yes in the sshd_config file, I am unable to login if the IP of the client host cannot be resolved.

Anybody have some clues about this? I am not sure whether this actually is an ssh problem, so before I start posting debug listings please tell me if I need to look elsewhere.

Regards,
rolek

--
1A First Alternative    rolek at alt001.com      www.alt001.com
Linvision BV            rolek at linvision.com   (www|devel).linvision.com
--

From abush at microcenter.com Thu Aug 2 00:35:00 2001
From: abush at microcenter.com (Aaron Bush)
Date: Wed, 01 Aug 2001 10:35:00 -0400
Subject: Unable to login via ssh when UseLogin is yes and dns not working.
References: <3B680B44.8D36899E@linvision.com>
Message-ID: <3B681394.7E0DF97A@mail.microcenter.com>

Roel van Meer wrote:
>
> Hi list,
>
> I have a problem with openssh-2.9p1-1 on an updated RedHat 6.2
> system.
> When i specify UseLogin yes in the sshd_config file, i am unable to
> login if the ip of the client host cannot be resolved.
>
> Anybody have some clues about this?
>

Do you get an error message? Or does it just hang there?

I have seen this before w/o using ssh to login to a box from a machine that is not in DNS. After a timeout period (minutes maybe, not sure exactly how long) the login will succeed.

-ab

From rolek at linvision.com Thu Aug 2 01:05:02 2001
From: rolek at linvision.com (Roel van Meer)
Date: Wed, 01 Aug 2001 17:05:02 +0200
Subject: Unable to login via ssh when UseLogin is yes and dns not working.
References: <3B680B44.8D36899E@linvision.com> <3B681394.7E0DF97A@mail.microcenter.com>
Message-ID: <3B681A9E.31F28833@linvision.com>

Aaron Bush wrote:
>
> > I have a problem with openssh-2.9p1-1 on an updated RedHat 6.2
> > system.
> > When i specify UseLogin yes in the sshd_config file, i am unable to
> > login if the ip of the client host cannot be resolved.
>
> Do you get an error message? Or does it just hang there?
> I have seen this before w/o using ssh to login to a box from a machine
> that is not in DNS. After a timeout period (minutes maybe, not sure
> exactly how long) the login will succeed.

Yes, the timeout is there sometimes. After the timeout, the login prompt appears. After specifying (the correct) password, I get logged in and immediately logged out again.

The timeout occurs when I connect from a machine, and DNS is set up but cannot find the machine. The timeout does not occur when I disable DNS (removing or emptying /etc/resolv.conf).

If you need debug output, just let me know.

Regards,
rolek

--
1A First Alternative    rolek at alt001.com      www.alt001.com
Linvision BV            rolek at linvision.com   (www|devel).linvision.com
--

From wendyp at cray.com Thu Aug 2 07:27:52 2001
From: wendyp at cray.com (Wendy Palm)
Date: Wed, 01 Aug 2001 16:27:52 -0500
Subject: Updated Cray patch against openssh SNAP-20010725
Message-ID: <3B687458.F9FA90EA@cray.com>

"William L. Jones" wrote:
...
> If you are building this on a T3E you may have to edit the Makefile
> and edit out "-lrpc -lyp -lrpc". There a patch for sco that
> incorrectly assume that you have a yp library if you
> have a rpc library. I will submit a generic fix to this list
> latter since it is generic problem.

if you are building this (or other open source) package on a cray, this is a perpetual problem.

most configure scripts figure out the existence of a library by creating a small program and compiling it with the library, then checking the exit status to determine if the loader found the library. the default exit status on unicos machines is "0" for a library not found message.

to overcome this, add -Wl,"-Dmsglevel=334:fatal" to your loader flags.

% diff -u configure.in.orig configure.in --- configure.in.orig Wed Aug 1 16:24:39 2001 +++ configure.in Wed Aug 1 16:26:43 2001 @@ -247,6 +247,7 @@ AC_DEFINE(USE_PIPES) LDFLAGS="$LDFLAGS -L/usr/local/lib" LIBS="$LIBS -lgen -lrsc" + LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal" ;; *-dec-osf*) AC_MSG_CHECKING(for Digital Unix SIA)

--
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154

From wendyp at cray.com Thu Aug 2 07:41:33 2001
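Review bot: the added `LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal"` in this hunk is a second LDFLAGS assignment in the same case arm, two lines below the existing `LDFLAGS="$LDFLAGS -L/usr/local/lib"`; folding the flag into that existing assignment leaves one place to edit. Note also that only library checks that run after this case arm in configure.in get the fatal message level, so any probe earlier in the script still sees the UNICOS "0" exit status the message describes.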
From: wendyp at cray.com (Wendy Palm)
Date: Wed, 01 Aug 2001 16:41:33 -0500
Subject: Updated Cray patch against openssh SNAP-20010725
References: <3B687458.F9FA90EA@cray.com>
Message-ID: <3B68778D.17A994A1@cray.com>

Wendy Palm wrote:
>
> "William L. Jones" wrote:
> ...
> > If you are building this on a T3E you may have to edit the Makefile
> > and edit out "-lrpc -lyp -lrpc". There a patch for sco that
> > incorrectly assume that you have a yp library if you
> > have a rpc library. I will submit a generic fix to this list
> > latter since it is generic problem.
>
> if you are building this (or other open source) package on a cray,
> this is a perpetual problem.
>
> most configure scripts figure out the existence of a library by
> creating a small program and compiling it with the library, then
> checking the exit status to determine if the loader found the library.
> the default exit status on unicos machines is "0" for a library
> not found message.
>
> to overcome this, add -Wl,"-Dmsglevel=334:fatal" to your loader flags.
>

sorry, here's the correct patch-

% diff -u configure.in.orig configure.in --- configure.in.orig Wed Aug 1 16:24:39 2001 +++ configure.in Wed Aug 1 16:40:40 2001 @@ -245,7 +245,7 @@ no_libsocket=1 no_libnsl=1 AC_DEFINE(USE_PIPES) - LDFLAGS="$LDFLAGS -L/usr/local/lib" + LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal",-L/usr/local/lib" LIBS="$LIBS -lgen -lrsc" ;; *-dec-osf*)

--
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154

From a_ghsek at yahoo.co.in Thu Aug 2 15:49:03 2001
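Review bot: the replacement line `LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal",-L/usr/local/lib"` contains three double quotes, so the shell sees an unterminated string after the comma, and even with the quoting repaired the comma would hand `-L/usr/local/lib` to the loader as part of the -Wl option rather than as a separate flag. Suggest `LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal -L/usr/local/lib"`, which keeps both flags in the single assignment this hunk replaces.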
From: a_ghsek at yahoo.co.in (hari sekar)
Date: Thu, 2 Aug 2001 06:49:03 +0100 (BST)
Subject: Ported openssh-2.9p2 to LynxOS
Message-ID: <20010802054903.95059.qmail@web8005.mail.in.yahoo.com>

Hi,

I have ported the portable version of openssh (openssh-2.9p2) to LynxOS. I had to install Perl5 and openssl-0.9.5a. Also, since the regex library in LynxOS is not POSIX compliant, I had to use PCRE. Then I configured openssh-2.9p2 with the library option -lbsd. One more problem was that the macro "howmany(x,y)" is not defined in any of the /usr/include header files in LynxOS. So I copied the Linux version of this macro and included this header. It now works without any problem.

I would like to thank the porting team of OpenSSH for the splendid work done on porting; it was so easy to install on LynxOS. I understand that the team has provided all the OS specific details. But I don't find any mention of LynxOS in the config file.

*** I would be immensely happy if I could get some information from anyone on the porting issues that are to be taken care of while porting any application. What is the operating system specific information that needs to be addressed, and how has it been done in the openssh-portable release?

Expecting your kind help,
A.Gnana Hari Sekar.

From v_t_m at seznam.cz Thu Aug 2 20:10:59 2001
From: v_t_m at seznam.cz (Václav Tomec)
Date: Thu, 02 Aug 2001 12:10:59 +0200 (CEST)
Subject: SecurID authentication
Message-ID: <4338.8511-21576-2112602384-996747059@seznam.cz>

Hello,

on this page (http://sweb.cz/v_t_m/) you can find my implementation of SecurID authentication. In this implementation NewPIN and NextTokencode are done. All is described in the man pages.

Vaclav

From jones at mail.utexas.edu Thu Aug 2 21:35:28 2001
From: jones at mail.utexas.edu (William L. Jones)
Date: Thu, 2 Aug 2001 06:35:28 -0500
Subject: Test Message

Test message

From jones at mail.utexas.edu Fri Aug 3 01:01:11 2001
From: jones at mail.utexas.edu (William L. Jones)
Date: Thu, 2 Aug 2001 10:01:11 -0500
Subject: Cray patch against openssh-SNAP-20010802

Significant changes since last patch.

Deleted patches to packet.c and channel.c - not needed.

Add small patch to sshd.c and openbsd/ssh-cray.c to disable cray process privileges. Depending on how a cray unicos/unicosmk system is configured, a user could su to root without a password without this mod.

Add no_sco flag to noop check for -lrpc which assumes that there was a -lyp library.

Changed ifdef around sigchld_handler to ifdef out mysignal on crays. This works around a unicos sigaction bug.

Defined INADDR_LOOPBACK in entropy.c

The details on all the patches:

configure.in - Add work around to sco libyp assumption.

sshd.c - Turn off cray process privileges; root is enough on PRIV_SU unicos/unicosmk systems.

entropy.c - Define INADDR_LOOPBACK

deattack.c - Modified to not depend on u_int16_t being 16bit in size.

scp.c - Modified to use alarm instead of setitimer. Unicos does not support setitimer.

serverloop.c - Modified sigchld_handler to not reset on Crays. This is the only case it needs to be reset; the side effect is it fixes the problem with an infinite signal loop under unicos and unicosmk. Modified waitpid to keep trying if it gets an EINTR; this can happen due to the job termination signal on unicos and unicosmk.

session.c - Added unicos/unicosmk job termination signal handler. Add TMPDIR environment variable. Add code to set up a unicos/unicosmk job and system limits.

sshpty.c - Unicos/unicosmk pty support.

In openbsd-compat directory:

bindresvport.c & rresvport.c - Code around the fact that the address of sin_port really is 64 bit aligned on a SV1.

bsd-cray.c - Clean up cray support routines. Fix su related security bug.

bsd-cray.h - Cray support subroutine prototypes.

Bill Jones
Attachment: craymods (application/octet-stream, 17570 bytes): http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010802/5be5ff8a/attachment.obj

From spkane at genomatica.com Fri Aug 3 01:20:47 2001
From: spkane at genomatica.com (Sean P. Kane)
Date: Thu, 2 Aug 2001 08:20:47 -0700
Subject: CURRENT port of OpenSSH for Windows available

Just thought that I'd point out that there is a CURRENT port of OpenSSH for Windows available at http://www.networksimplicity.com/openssh/ . I stumbled upon it today and noticed that it was mentioned on your web site. It is OpenSSH v2.9p1 on Windows and includes ssh, scp, and sftp clients and servers.

Hope this helps.

Sean

From pekkas at netcore.fi Fri Aug 3 02:11:44 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Thu, 2 Aug 2001 19:11:44 +0300 (EEST)
Subject: patch: properly zeroing fd_set in clientloop

Hello all,

This is a problem and patch reported to Red Hat Bugzilla by Jonathan Kamens. I'm just acting as a relay :-)

jik has experienced some weird crashes relating to window size changes or some similar activity. These are rather hard to trace.

Problem was fixed by patching clientloop, where fd_set structures appear to be improperly zeroed (bytes vs bits). FD_ZERO does not appear to work as fd_sets are just pointers in this case, so an alternative method is used.

Patch by jik attached (does not apply cleanly to CVS but the idea should be apparent).

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

--- channels.h~ Wed Jun 13 15:18:05 2001 +++ channels.h Thu Jul 12 08:31:58 2001
@@ -168,6 +168,13 @@ void channel_free(int channel); /* + * Zero out a select file-descriptor set. Analogous to the FD_ZERO + * macro, but works with different-sized sets. + */ +void +channel_zero_set(fd_set *setp, int maxfdp); + +/* * Allocate/update select bitmasks and add any bits relevant to channels in * select bitmasks. */ --- channels.c~ Wed Jun 13 15:18:05 2001 +++ channels.c Thu Jul 12 08:32:53 2001 @@ -1160,6 +1160,14 @@ } void +channel_zero_set(fd_set *setp, int maxfdp) +{ + u_int sz = howmany(maxfdp+1, NFDBITS) * sizeof(fd_mask); + + memset(setp, 0, sz); +} + +void channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp, int rekeying) { @@ -1178,8 +1186,8 @@ *writesetp = xmalloc(sz); *maxfdp = n; } - memset(*readsetp, 0, sz); - memset(*writesetp, 0, sz); + channel_zero_set(*readsetp, *maxfdp); + channel_zero_set(*writesetp, *maxfdp); if (!rekeying) channel_handler(channel_pre, *readsetp, *writesetp); --- clientloop.c~ Fri Apr 20 08:50:51 2001 +++ clientloop.c Thu Jul 12 08:33:33 2001 @@ -370,8 +370,8 @@ * We have to return, because the mainloop checks for the flags * set by the signal handlers. */ - memset(*readsetp, 0, *maxfdp); - memset(*writesetp, 0, *maxfdp); + channel_zero_set(*readsetp, *maxfdp); + channel_zero_set(*writesetp, *maxfdp); if (errno == EINTR) return; From vinschen at redhat.com Fri Aug 3 02:22:33 2001 
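Review bot: in the clientloop.c hunk the removed `memset(*readsetp, 0, *maxfdp)` passed a descriptor number where a byte count belongs, so for any maxfd larger than the bitmask channel_prepare_select() allocates it wrote past the end of the heap block, and for a small maxfd it left the tail of the mask unzeroed; that matches the hard-to-trace crashes described above, and switching both calls to channel_zero_set() is the right fix. The comment directly above ("We have to return, because the mainloop checks for the flags set by the signal handlers") would be a good place to add that the sets are cleared here because the caller will not get a chance to do so.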
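Review bot: channel_zero_set() in the first channels.c hunk computes `howmany(maxfdp+1, NFDBITS) * sizeof(fd_mask)` on its own, independently of the `sz` that channel_prepare_select() hands to `xmalloc(sz)` a few lines above the second hunk; the two expressions must stay identical or the zeroing will mismatch the allocation again. Suggest a single size helper used by both the allocation and channel_zero_set(), plus a comment that the function assumes the set was allocated for at least maxfdp. Minor: the parameter is an `int`, not a pointer, so `maxfd` is a clearer name than `maxfdp`, which the callers use for `int *`.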
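The byte arithmetic behind the patch above, as an added example that is not part of the patch or of OpenSSH: fdset_bytes() is the size channel_prepare_select() allocates for a mask covering descriptors 0..maxfd, channel_zero_set() mirrors the helper the patch adds, and the two old_* functions show what the removed memset(set, 0, maxfd) got wrong in each direction.

```c
#define _DEFAULT_SOURCE 1
#define _BSD_SOURCE 1
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>   /* howmany() */
#include <sys/select.h>  /* fd_set, fd_mask, NFDBITS, FD_SET, FD_ISSET */

#ifndef howmany
#define howmany(x, y) (((x) + ((y) - 1)) / (y))
#endif
#ifndef NFDBITS
#define NFDBITS (8 * (int)sizeof(fd_mask))
#endif

/* Bytes a select() bitmask covering descriptors 0..maxfd needs: one fd_mask
 * word per NFDBITS descriptors.  This is the size the patched code zeroes. */
size_t fdset_bytes(int maxfd)
{
    return howmany(maxfd + 1, NFDBITS) * sizeof(fd_mask);
}

/* Same behaviour as the patch's channel_zero_set(): zero a heap-allocated
 * set that may be larger or smaller than a fixed-size fd_set. */
void channel_zero_set(fd_set *setp, int maxfd)
{
    memset(setp, 0, fdset_bytes(maxfd));
}

/* The pre-patch clientloop.c did memset(set, 0, maxfd), i.e. it used a
 * descriptor number as a byte count.  Bytes that memset wrote past the end
 * of the allocated mask (0 when it did not overrun). */
size_t old_overrun_bytes(int maxfd)
{
    size_t want = fdset_bytes(maxfd);
    return (size_t)maxfd > want ? (size_t)maxfd - want : 0;
}

/* The other failure mode: for a small maxfd the old memset stopped short,
 * leaving this many bytes of stale bits in the mask. */
size_t old_unzeroed_bytes(int maxfd)
{
    size_t want = fdset_bytes(maxfd);
    return (size_t)maxfd < want ? want - (size_t)maxfd : 0;
}

/* Allocate a mask for 0..maxfd exactly as channel_prepare_select() does,
 * set every bit, zero it the patched way and report whether any bit
 * survived: 1 means stale bits remain, 0 means the set is clean, -1 on
 * allocation failure. */
int zero_set_leaves_bits(int maxfd)
{
    size_t sz = fdset_bytes(maxfd);
    fd_set *set = calloc(1, sz);   /* FD_SET/FD_ISSET only touch word fd/NFDBITS */
    int fd, leftover = 0;

    if (set == NULL)
        return -1;
    for (fd = 0; fd <= maxfd; fd++)
        FD_SET(fd, set);
    channel_zero_set(set, maxfd);
    for (fd = 0; fd <= maxfd; fd++)
        if (FD_ISSET(fd, set))
            leftover = 1;
    free(set);
    return leftover;
}
```

With maxfd = 100 the mask is 16 bytes on both 32- and 64-bit fd_mask layouts, so the old memset wrote 84 bytes beyond the allocation; that is the heap corruption the report attributes to window-size changes.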
From: vinschen at redhat.com (Corinna Vinschen)
Date: Thu, 2 Aug 2001 18:22:33 +0200
Subject: CURRENT port of OpenSSH for Windows available
In-Reply-To: from spkane@genomatica.com on Thu, Aug 02, 2001 at 08:20:47AM -0700
Message-ID: <20010802182233.I23782@cygbert.vinschen.de>

On Thu, Aug 02, 2001 at 08:20:47AM -0700, Sean P. Kane wrote:
> Just thought that I'd point out that there is a CURRENT port of OpenSSH
> for Windows available at http://www.networksimplicity.com/openssh/
> . I stumbled upon it today
> and noticed that it was mentioned on your web site. It is OpenSSH v2.9p1
> on Windows and includes ssh, scp, and sftp clients and servers.

Which is EXACTLY the Cygwin version of OpenSSH. Unfortunately Mark has packed it w/o the sources for Cygwin which violates the GPL.

Corinna

--
Corinna Vinschen                  Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From jcrane at packeteer.com Fri Aug 3 04:28:17 2001
From: jcrane at packeteer.com (Jared Crane)
Date: Thu, 02 Aug 2001 11:28:17 -0700
Subject: Port for PSOS?
Message-ID: <3B699BC1.6BB413FC@packeteer.com>

Does anyone have a port for PSOS or know if anyone has tried? Any info on the extent of the changes that will be required for the port would be greatly appreciated.

Thanks,
Jared

From pekkas at netcore.fi Fri Aug 3 05:20:21 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Thu, 2 Aug 2001 22:20:21 +0300 (EEST)
Subject: CURRENT port of OpenSSH for Windows available
In-Reply-To: <20010802182233.I23782@cygbert.vinschen.de>

On Thu, 2 Aug 2001, Corinna Vinschen wrote:
> On Thu, Aug 02, 2001 at 08:20:47AM -0700, Sean P. Kane wrote:
> > Just thought that I'd point out that there is a CURRENT port of OpenSSH
> > for Windows available at http://www.networksimplicity.com/openssh/
> > . I stumbled upon it today
> > and noticed that it was mentioned on your web site. It is OpenSSH v2.9p1
> > on Windows and includes ssh, scp, and sftp clients and servers.
>
> Which is EXACTLY the Cygwin version of OpenSSH. Unfortunately Mark
> has packed it w/o the sources for Cygwin which violates the GPL.

Umm, how exactly does that violate the GPL? The sources just have to be available (upon request, if not to all) for those who have gotten the binaries. Aren't they?

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

From packard at mail2.jpl.nasa.gov Fri Aug 3 05:52:03 2001
From: packard at mail2.jpl.nasa.gov (packard)
Date: Thu, 2 Aug 2001 12:52:03 -0700 (PDT)
Subject: CURRENT port of OpenSSH for Windows available

On Thu, 2 Aug 2001, Corinna Vinschen wrote:
> On Thu, Aug 02, 2001 at 08:20:47AM -0700, Sean P. Kane wrote:
> > Just thought that I'd point out that there is a CURRENT port of OpenSSH
> > for Windows available at http://www.networksimplicity.com/openssh/
> > . I stumbled upon it today
> > and noticed that it was mentioned on your web site. It is OpenSSH v2.9p1
> > on Windows and includes ssh, scp, and sftp clients and servers.
>
> Which is EXACTLY the Cygwin version of OpenSSH. Unfortunately Mark
> has packed it w/o the sources for Cygwin which violates the GPL.

The Cygwin version is nice in speed and functionality, but from my experience does not emulate a VT100 enough to use vi to edit a file. It identifies its term type as "cygwin", which defaults to "dumb" on several existing ISPs and Solaris hosts, then when I specifically set the TERM= variable to a VT100, VT220, or dtterm (for Solaris) it doesn't display the edited file with any particular attention to line and cursor alignment, not to mention backward scrolling.

Regards,
Scott

From Darren.Moffat at eng.sun.com Fri Aug 3 05:56:24 2001
From: Darren.Moffat at eng.sun.com (Darren Moffat)
Date: Thu, 2 Aug 2001 12:56:24 -0700 (PDT)
Subject: CURRENT port of OpenSSH for Windows available
Message-ID: <200108021957.f72Jveb647718@jurassic.eng.sun.com>

>> Which is EXACTLY the Cygwin version of OpenSSH. Unfortunately Mark
>> has packed it w/o the sources for Cygwin which violates the GPL.
>
> Umm, how exactly does that violate the GPL? The sources just have to be
> available (upon request, if not to all) for those who have gotten the
> binaries. Aren't they?

But OpenSSH isn't under the GPL license; it is under a "BSD style" license which doesn't have the requirements of source distribution.

Are you saying that there is GPL code in this port? If so I hope none of it has made it back into the OpenSSH core or portable trees, otherwise there are serious legal issues because you can't do that.

--
Darren J Moffat

From pinterj at netposta.net Fri Aug 3 06:18:15 2001
From: pinterj at netposta.net (Pinter Jozsef)
Date: Thu, 02 Aug 2001 22:18:15 +0200
Subject: Feature request

Hello,

I have an idea, is this a good list for it? I hope it won't be offtopic.

So... it would be nice if you changed the host resolver code to this: it should look up MX records like mail transport agents do, but only if no A record is present for the host.

Demonstration:

    foo.org          MX 7  bigboy.foo.org
    bigboy.foo.org   A     1.2.3.4
    west.foo.org     MX 1  mail.fooisp.net
    west.foo.org     MX 7  bigboy.foo.org
    west.foo.org     A     1.2.3.6

1st case: ssh bigboy.foo.org
    only A record present -> good

2nd case: ssh west.foo.org
    A record present -> no MX lookup (compatibility) -> good

3rd case: ssh foo.org
    A record not present -> MX lookup -> connect to bigboy
    -> short, comfortable, *cool*

If you don't like new things, let's make it configurable, so the user can decide about using this function in the configuration file of the ssh client.

Thanks for your attention,

--
Pinter uber alles

From vinschen at redhat.com Fri Aug 3 07:01:45 2001
From: vinschen at redhat.com (Corinna Vinschen)
Date: Thu, 2 Aug 2001 23:01:45 +0200
Subject: CURRENT port of OpenSSH for Windows available
In-Reply-To: <200108021957.f72Jveb647718@jurassic.eng.sun.com>; from Darren.Moffat@eng.sun.com on Thu, Aug 02, 2001 at 12:56:24PM -0700
References: <200108021957.f72Jveb647718@jurassic.eng.sun.com>
Message-ID: <20010802230145.N23782@cygbert.vinschen.de>

On Thu, Aug 02, 2001 at 12:56:24PM -0700, Darren Moffat wrote:
> >> Which is EXACTLY the Cygwin version of OpenSSH. Unfortunately Mark
> >> has packed it w/o the sources for Cygwin which violates the GPL.
> >
> >Umm, how exactly does that violate the GPL? The sources just have to be
> >available (upon request, if not to all) for those who have gotten the
> >binaries. Aren't they?
>
> But OpenSSH isn't under the GPL license it is under a "BSD style" license
> which doesn't have the requirements of source distribution.
>
> Are you saying that there is GPL code in this port ? If so I hope one
> of if has made it back into the OpenSSH core or portable trees otherwise
> there are serious legal issues because you can't do that.

No. Cygwin is under GPL and it's a DLL. OpenSSH is only linked against Cygwin and remains under BSD, of course. The problem is, if you create a binary archive with OpenSSH and the Cygwin DLL you'll have to provide the Cygwin sources to comply with the GPL. That's all. Mark should simply put a matching Cygwin source archive onto his site and everything is fine. OpenSSH itself is not concerned at all.

Corinna

--
Corinna Vinschen                  Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From vinschen at redhat.com Fri Aug 3 07:04:27 2001
From: vinschen at redhat.com (Corinna Vinschen)
Date: Thu, 2 Aug 2001 23:04:27 +0200
Subject: CURRENT port of OpenSSH for Windows available
In-Reply-To: from packard@mail2.jpl.nasa.gov on Thu, Aug 02, 2001 at 12:52:03PM -0700
Message-ID: <20010802230427.O23782@cygbert.vinschen.de>

On Thu, Aug 02, 2001 at 12:52:03PM -0700, packard wrote:
>
> On Thu, 2 Aug 2001, Corinna Vinschen wrote:
> > On Thu, Aug 02, 2001 at 08:20:47AM -0700, Sean P. Kane wrote:
> > > Just thought that I'd point out that there is a CURRENT port of OpenSSH
> > > for Windows available at http://www.networksimplicity.com/openssh/
> > > . I stumbled upon it today
> > > and noticed that it was mentioned on your web site. It is OpenSSH v2.9p1
> > > on Windows and includes ssh, scp, and sftp clients and servers.
> >
> > Which is EXACTLY the Cygwin version of OpenSSH. Unfortunately Mark
> > has packed it w/o the sources for Cygwin which violates the GPL.
>
> The Cygwin version is nice in speed and functionality, but from
> my experience does not emulate a VT100 enough to use vi to edit
> a file. It identifies its term type as "cygwin", which defaults
> to "dumb" on several existing ISPs and Solaris hosts, then when
> I specifically set the TERM= variable to a VT100, VT220, or dtterm
> (for Solaris) it doesn't display the edited file with any
> particular attention to line and cursor alignment, not to mention
> backward scrolling.

You can put the cygwin terminfo into your home directory on the host and you can do similar with the cygwin termcap entry. Newer Linux versions already have termcap and terminfo entries for cygwin.

Corinna

--
Corinna Vinschen                  Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From vinschen at redhat.com Fri Aug 3 07:07:17 2001
From: vinschen at redhat.com (Corinna Vinschen)
Date: Thu, 2 Aug 2001 23:07:17 +0200
Subject: CURRENT port of OpenSSH for Windows available
In-Reply-To: from pekkas@netcore.fi on Thu, Aug 02, 2001 at 10:20:21PM +0300
References: <20010802182233.I23782@cygbert.vinschen.de>
Message-ID: <20010802230717.P23782@cygbert.vinschen.de>

On Thu, Aug 02, 2001 at 10:20:21PM +0300, Pekka Savola wrote:
> On Thu, 2 Aug 2001, Corinna Vinschen wrote:
> > On Thu, Aug 02, 2001 at 08:20:47AM -0700, Sean P. Kane wrote:
> > > Just thought that I'd point out that there is a CURRENT port of OpenSSH
> > > for Windows available at http://www.networksimplicity.com/openssh/
> > > . I stumbled upon it today
> > > and noticed that it was mentioned on your web site. It is OpenSSH v2.9p1
> > > on Windows and includes ssh, scp, and sftp clients and servers.
> >
> > Which is EXACTLY the Cygwin version of OpenSSH. Unfortunately Mark
> > has packed it w/o the sources for Cygwin which violates the GPL.
>
> Umm, how exactly does that violate the GPL? The sources just have to be
> available (upon request, if not to all) for those who have gotten the
> binaries. Aren't they?

That's not enough to comply with the GPL. Just a mail snippet from our GPL expert:

========================
We (Red Hat) use 3a, which means every binary file we distribute must be accompanied by sources - on the same site/media/whatever. With 3a, you (the distributor) must guarantee that the sources are available to every recipient of the binaries - which means you can't rely on someone else's site, or a different type of media (cd vs floppy vs web), because if you do you can't guarantee that the sources are as available as the binaries.

[...]

3b is an option for anyone, but there are three reasons to avoid it. First, "written" legally means a legal document, which implies *paper* or some other legally enforceable contract.
That's very hard to do with an ftp site (especially as the document needs to be dated, and re-dated every day, and cryptographically signed with a legally accepted electronic signature), and I think popular opinion is that 3b just isn't an option for internet delivery. Second, you *must* keep *every* set of sources around for three years from the *last* time the binaries were available. That's expensive, both in space and effort.

[...]
========================

Corinna

--
Corinna Vinschen                  Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From gert at greenie.muc.de Fri Aug 3 07:12:57 2001
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 2 Aug 2001 23:12:57 +0200
Subject: Feature request
In-Reply-To: from Pinter Jozsef on Thu, Aug 02, 2001 at 10:18:15PM +0200
Message-ID: <20010802231257.C6587@greenie.muc.de>

Hi,

On Thu, Aug 02, 2001 at 10:18:15PM +0200, Pinter Jozsef wrote:
> 3rd case: ssh foo.org
> A record doesn't present -> MX lookup -> connect to bigboy
> -> short, comfortable, *cool*

MXes are for *mail*. Nothing else. If you want an A, add an A.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From jakob at openbsd.org Fri Aug 3 08:48:00 2001
From: jakob at openbsd.org (jakob at openbsd.org)
Date: Fri, 3 Aug 2001 00:48:00 +0200 (MEST)
Subject: Feature request

On Thu, 2 Aug 2001, Pinter Jozsef wrote:
> So... it would be nice, if you change the host resolver code to this:
> it should lookup MX records like mail transport agents, but only if A
> record for host doesn't present.

this is really a bad idea. for the purpose I think you're looking for a solution to, one could consider adding support for SRV-records (as described in RFC 2782).

example:

    _ssh._tcp.example.com.  IN SRV  0 0 1022 host1.example.com.
                            IN SRV 10 0 2022 host2.example.com.

in this example 'ssh example.com' would first try host1.example.com port 1022 and then host2.example.com port 2022.

jakob

From sturle.sunde at usit.uio.no Fri Aug 3 09:00:29 2001
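The RFC 2782 target ordering behind the message above, as an added example that is neither the poster's code nor anything in OpenSSH: the two example records are embedded as constructed data, the random draw the RFC calls for is replaced by a caller-supplied function so the result is reproducible, and a second constructed record set shows the weighted choice among equal priorities.

```c
#include <stdlib.h>
#include <string.h>

/* One SRV record as the zone in the message above would publish it. */
struct srv_rr {
    unsigned priority;
    unsigned weight;
    unsigned port;
    const char *target;
};

/* Constructed copy of the two example records, deliberately listed in the
 * opposite order to show that the selection sorts them. */
static const struct srv_rr example_rrs[] = {
    { 10, 0, 2022, "host2.example.com." },
    {  0, 0, 1022, "host1.example.com." },
};

/* Constructed records with equal priority and different weights. */
static const struct srv_rr weighted_rrs[] = {
    { 5, 1, 1111, "light.example.com." },
    { 5, 3, 3333, "heavy.example.com." },
};

/* Deterministic stand-ins for the random draw RFC 2782 calls for; a real
 * client would use a uniform random value in [0, sum]. */
unsigned draw_lowest(unsigned sum)  { (void)sum; return 0; }
unsigned draw_highest(unsigned sum) { return sum; }

/* Order 'in' the way RFC 2782 prescribes: ascending priority, and within one
 * priority a weighted choice where weight-0 records are only taken when the
 * draw is 0.  Ordered records are copied to 'out'; returns how many. */
size_t srv_order(const struct srv_rr *in, size_t n, struct srv_rr *out,
                 unsigned (*draw)(unsigned))
{
    unsigned char *used = calloc(n, 1);
    size_t done = 0, i;

    if (used == NULL)
        return 0;
    while (done < n) {
        /* Lowest priority still unordered. */
        unsigned prio = 0;
        int found = 0;
        for (i = 0; i < n; i++)
            if (!used[i] && (!found || in[i].priority < prio)) {
                prio = in[i].priority;
                found = 1;
            }
        /* Drain that priority group one weighted pick at a time. */
        for (;;) {
            unsigned sum = 0, run = 0, r;
            size_t pick = n;
            int any = 0;
            for (i = 0; i < n; i++)
                if (!used[i] && in[i].priority == prio) {
                    sum += in[i].weight;
                    any = 1;
                }
            if (!any)
                break;
            r = draw(sum);
            if (r > sum)
                r = sum;            /* keep a misbehaving draw in range */
            /* Weight-0 records sit at the front of the running sum. */
            for (i = 0; i < n && pick == n; i++)
                if (!used[i] && in[i].priority == prio && in[i].weight == 0
                    && run >= r)
                    pick = i;
            for (i = 0; i < n && pick == n; i++)
                if (!used[i] && in[i].priority == prio && in[i].weight != 0) {
                    run += in[i].weight;
                    if (run >= r)
                        pick = i;
                }
            used[pick] = 1;
            out[done++] = in[pick];
        }
    }
    free(used);
    return done;
}

/* 1 if the page's records come out as host1:1022 then host2:2022. */
int example_order_ok(void)
{
    struct srv_rr out[2];
    if (srv_order(example_rrs, 2, out, draw_lowest) != 2)
        return 0;
    return out[0].port == 1022 && strcmp(out[0].target, "host1.example.com.") == 0
        && out[1].port == 2022 && strcmp(out[1].target, "host2.example.com.") == 0;
}

/* Port of the first target tried among the equal-priority records. */
unsigned weighted_first_port(unsigned (*draw)(unsigned))
{
    struct srv_rr out[2];
    if (srv_order(weighted_rrs, 2, out, draw) != 2)
        return 0;
    return out[0].port;
}
```

A client using this would still need to verify the host key of whichever target it ends up connecting to, since the SRV answer itself is not authenticated.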
From: sturle.sunde at usit.uio.no (Sturle Sunde)
Date: 03 Aug 2001 01:00:29 +0200
Subject: Bugs: SSH sometimes failing to report exit-status and more

I have a few bug reports and some comments after upgrading from SSH 1.2.27 to OpenSSH 2.9p2 at a large university.

OpenSSH often fails to return the correct exit status from the remote command if small amounts of data are transferred, the SSH version is 2 and ssh is run with no STDIN or with the -n option. Below is an example. Authentication method is hostbased and the file sizes are 1KB, 4KB and 8KB:

[sturles at ulrik]~ $ for i in `seq 1 20`; do ssh -n pat cat 1kfile > /dev/null || echo $i failed; done
1 failed
3 failed
5 failed
8 failed
10 failed
12 failed
18 failed
19 failed
[sturles at ulrik]~ $ for i in `seq 1 20`; do ssh -n pat cat 4kfile > /dev/null || echo $i failed; done
10 failed
[sturles at ulrik]~ $ for i in `seq 1 20`; do ssh -n pat cat 8kfile > /dev/null || echo $i failed; done
[sturles at ulrik]~ $

If run with -v, the difference between correctly reporting and wrongly reporting instances is the following lines:

Correct:
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: Exit status 0

Wrong:
debug1: Exit status -1

More verbose versions:

Correct:
debug1: Sending command: cat 8kfile
debug1: channel 0: open confirm rwindow 0 rmax 16384
debug1: channel 0: read<=0 rfd 7 len 0
debug1: channel 0: read failed
debug1: channel 0: input open -> drain
debug1: channel 0: close_read
debug1: channel 0: input: no drain shortcut
debug1: channel 0: ibuf empty
debug1: channel 0: input drain -> closed
debug1: channel 0: send eof
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: rcvd close
debug1: channel 0: obuf empty
debug1: channel 0: output drain -> closed
debug1: channel 0: close_write
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel_free: channel 0: status:
The following connections are open:
  #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)
debug1: channel_free: channel 0: dettaching channel user
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.6 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 0

Wrong:
debug1: Sending command: cat 1kfile
debug1: channel 0: open confirm rwindow 0 rmax 16384
debug1: channel 0: read<=0 rfd 7 len 0
debug1: channel 0: read failed
debug1: channel 0: input open -> drain
debug1: channel 0: close_read
debug1: channel 0: input: no drain shortcut
debug1: channel 0: ibuf empty
debug1: channel 0: input drain -> closed
debug1: channel 0: send eof
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: rcvd close
debug1: channel 0: obuf empty
debug1: channel 0: output drain -> closed
debug1: channel 0: close_write
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel_free: channel 0: status:
The following connections are open:
  #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)
debug1: channel_free: channel 0: dettaching channel user
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.6 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status -1

ssh -2 also always reports 0 bytes transferred, regardless of the real amount:

debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.6 seconds

If compression is enabled, however (btw, protocol version 2 ignores CompressionLevel -- this is not documented), it reports the total amount of data transferred:

debug1: compress outgoing: raw data 777, compressed 709, factor 0.91
debug1: compress incoming: raw data 9656, compressed 1663, factor 0.17

The manual claims compression slows things down on fast networks, but my client uses less CPU when compression is enabled (with a low CompressionLevel) and the data transferred is not already compressed.
I guess decompression is cheaper than decryption, and compressed data means less data to decrypt. This is highly data dependent and probably architecture dependent too, but generally I think using compression is a good idea.

And a comment about having "ForwardX11 no" as default: When lusers don't get their X programs to work, they ask for advice from some other luser, who tells them to set $DISPLAY and do "xhost +" locally. (Usenet, mailing lists and universities are full of lusers giving bad advice.) Users with a clue, who know what "xhost +" means, also know when to enable or disable X11 forwarding themselves, so the default doesn't do much for security for users who know why they are using ssh in the first place. I think having "ForwardX11 yes" as default is far more secure, as it makes the clueless lusers -- the ones we need to protect from doing stupid things -- less likely to disable security completely with "xhost +".

-- 
Sturle
All eyes were on Ford Prefect. Some of them were on stalks.
        -- Douglas Adams, So long, and thanks for all the fish

From atossava at cc.helsinki.fi Fri Aug 3 16:42:10 2001
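An added example for Sturle's exit-status report above; this is not code from his message or from OpenSSH. It is a small checker that classifies `ssh -v` client output the way the report distinguishes its "Correct" and "Wrong" runs: whether the server's exit-status channel request arrived before the channel was torn down. When no request arrives, ssh reports -1 internally, which the calling shell sees as exit code 255, so `|| echo failed` fires even though the remote `cat` succeeded. The sample log lines are constructed (abridged from the excerpts above); the `probe()` function that shells out to a real ssh, and its `host` and `command` arguments, are assumptions for illustration and are not run offline.

```python
"""Classify OpenSSH client debug output by whether the remote exit status arrived.

Added example for the exit-status report above; not code from OpenSSH.
Sample log lines below are constructed (abridged from the report's excerpts).
"""
import re
import subprocess
from typing import Dict, Iterable, List, Tuple

# "debug1: client_input_channel_req: channel 0 rtype exit-status reply 0"
EXIT_REQ_RE = re.compile(
    r"^debug1: client_input_channel_req: channel \d+ rtype exit-status reply \d+$"
)
# "debug1: Exit status 0" / "debug1: Exit status -1"
EXIT_STATUS_RE = re.compile(r"^debug1: Exit status (-?\d+)$")


def classify_session(lines: Iterable[str]) -> Tuple[str, int]:
    """Classify one ssh -v session.

    Returns ("remote", code) when the server delivered an exit-status request
    and ssh reported that code, ("remote-unconfirmed", code) when a non-negative
    status was reported without the request being logged, ("missing", 255) when
    ssh fell back to -1 (an exit code of -1 is 255 to the shell, since exit
    codes are 8-bit), or ("unknown", -1) if no "Exit status" line is present.
    """
    saw_exit_req = False
    reported = None
    for raw in lines:
        line = raw.strip()
        if EXIT_REQ_RE.match(line):
            saw_exit_req = True
        m = EXIT_STATUS_RE.match(line)
        if m:
            reported = int(m.group(1))
    if reported is None:
        return ("unknown", -1)
    if reported >= 0 and saw_exit_req:
        return ("remote", reported)
    if reported >= 0:
        return ("remote-unconfirmed", reported)
    return ("missing", reported & 0xFF)


def summarize(runs: List[Iterable[str]]) -> Dict[str, int]:
    """Count outcomes over several sessions, like the 20-iteration loop above."""
    counts = {"remote": 0, "missing": 0, "other": 0}
    for lines in runs:
        verdict, _ = classify_session(lines)
        counts[verdict if verdict in counts else "other"] += 1
    return counts


def probe(host: str, command: str, runs: int = 20) -> Dict[str, int]:
    """Run `ssh -v -n host command` repeatedly and classify each run.

    Assumed helper, not executed offline. Stdout is discarded so that only the
    debug output on stderr is parsed, mirroring `> /dev/null` in the report.
    """
    logs = []
    for _ in range(runs):
        proc = subprocess.run(
            ["ssh", "-v", "-n", host, command],
            stdout=subprocess.DEVNULL, stderr=subprocess.PIPE, text=True, check=False,
        )
        logs.append(proc.stderr.splitlines())
    return summarize(logs)


# Constructed samples abridged from the "Correct" and "Wrong" excerpts above.
CORRECT_RUN = [
    "debug1: Sending command: cat 8kfile",
    "debug1: channel 0: send eof",
    "debug1: client_input_channel_req: channel 0 rtype exit-status reply 0",
    "debug1: channel 0: rcvd eof",
    "debug1: channel 0: rcvd close",
    "debug1: channel 0: is dead",
    "debug1: Exit status 0",
]
WRONG_RUN = [
    "debug1: Sending command: cat 1kfile",
    "debug1: channel 0: send eof",
    "debug1: channel 0: rcvd eof",
    "debug1: channel 0: rcvd close",
    "debug1: channel 0: is dead",
    "debug1: Exit status -1",
]

if __name__ == "__main__":
    print(classify_session(CORRECT_RUN))
    print(classify_session(WRONG_RUN))
    print(summarize([CORRECT_RUN, WRONG_RUN, WRONG_RUN]))
```

The practical check this gives a script author: treat 255 from ssh as "the transport did not deliver a status", distinct from a genuine remote failure, before deciding whether to retry.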
From: atossava at cc.helsinki.fi (Atro Tossavainen)
Date: Fri, 3 Aug 2001 09:42:10 +0300 (EET DST)
Subject: Trying to get Openssh with AFS on HP 10.20 to work
In-Reply-To: <200108022340.QAA09207@miranda.jpl.nasa.gov> from "Robert M. Beswick" at "Aug 2, 2001 04:40:46 pm"
Message-ID: <200108030642.f736gAv30874@sirppi.helsinki.fi>

Robert,

[OpenSSH with AFS not compiling on HP-UX 10.20]

I'm using OpenSSH 2.9p2, OpenSSL 0.9.6a, KTH KerberosIV 1.0.8, and AFS 3.4 5.81.

> cc: "auth-passwd.c", line 188: error 1530: Undefined struct or union.
> cc: "auth-passwd.c", line 188: error 1529: Cannot select field of non-structure.

I had exactly the same problem compiling SSH Inc. ssh-1.2.27 with AFS for both HP-UX 10.20 and Digital UNIX 4.0F. The reason is that the Kerberos include files clash with the system-supplied include files for passwd information management. At least in SSH Inc. ssh, auth-passwd.c is concerned with authenticating against host-managed passwords only, and omitting the include directory -I/usr/athena/include from the compile command line for this source file caused no problems and allowed me to produce a working sshd binary for HP.

-- 
Atro Tossavainen (Mr.)               / The Institute of Biotechnology at
Systems Analyst, Techno-Amish &      / the University of Helsinki, Finland,
+358-9-19158939 UNIX Dinosaur        / employs me, but my opinions are my own.
< URL : http : / / www . iki . fi / atro . tossavainen / >

---------------------------------------------------------------------
To unsubscribe, e-mail: secureshell-unsubscribe at securityfocus.com
For additional commands, e-mail: secureshell-help at securityfocus.com

From a.d.stribblehill at durham.ac.uk Sat Aug 4 00:34:19 2001
From: a.d.stribblehill at durham.ac.uk (Andrew Stribblehill)
Date: Fri, 3 Aug 2001 15:34:19 +0100
Subject: Disconnecting: protocol error: rcvd type 98
Message-ID: <20010803153419.D8359@womble.dur.ac.uk>

When I SSH using protocol 1 from a Debian box running OpenSSH 2.9p2-4 to a sparc.sunos5 box running vanilla OpenSSH 2.9.1, after a little while (of inactivity?) I get the following message on the client terminal:

Disconnecting: protocol error: rcvd type 98

Looking further, this message is actually caused by the SSH daemon. However, I'm at a loss to determine why sshd is doing this.

I attach a sample 'ssh -1 -v -v -v' session client log, and a 'sshd -d -d -d' log.

If I can help debug this in any way, please say.

-- 
Andrew Stribblehill
Systems programmer, IT Service, University of Durham, England

-------------- next part --------------
OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /home/ads/.ssh/config
debug1: Applying options for polaris
debug1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1000 geteuid 1000 anon 1
debug1: Connecting to polaris [129.234.2.123] port 2222.
debug1: temporarily_use_uid: 1000/1000 (e=1000)
debug1: restore_uid
debug1: temporarily_use_uid: 1000/1000 (e=1000)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/ads/.ssh/identity type 0
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p1
debug1: match: OpenSSH_2.9p1 pat ^OpenSSH
debug1: Local version string SSH-1.5-OpenSSH_2.9p2
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug3: check_host_in_hostfile: filename /home/ads/.ssh/known_hosts debug3: check_host_in_hostfile: match line 39 debug3: check_host_in_hostfile: filename /home/ads/.ssh/known_hosts debug3: check_host_in_hostfile: match line 40 debug1: Host 'polaris' is known and matches the RSA1 host key. debug1: Found key in /home/ads/.ssh/known_hosts:39 debug1: Encryption type: 3des debug1: Sent encrypted session key. debug1: Installing crc compensation attack detector. debug1: Received encrypted confirmation. debug1: Trying RSA authentication via agent with 'ads at itspc142' debug1: Received RSA challenge from server. debug1: Sending response to RSA challenge. debug1: Remote: RSA authentication accepted. debug1: RSA authentication accepted by server. debug1: Requesting pty. debug2: tty_make_modes: ospeed 38400 debug2: tty_make_modes: ispeed 38400 debug2: tty_make_modes: 1 3 debug2: tty_make_modes: 2 28 debug2: tty_make_modes: 3 127 debug2: tty_make_modes: 4 21 debug2: tty_make_modes: 5 4 debug2: tty_make_modes: 6 255 debug2: tty_make_modes: 7 255 debug2: tty_make_modes: 8 17 debug2: tty_make_modes: 9 19 debug2: tty_make_modes: 10 26 debug2: tty_make_modes: 12 18 debug2: tty_make_modes: 13 23 debug2: tty_make_modes: 14 22 debug2: tty_make_modes: 18 15 debug2: tty_make_modes: 30 0 debug2: tty_make_modes: 31 0 debug2: tty_make_modes: 32 0 debug2: tty_make_modes: 33 0 debug2: tty_make_modes: 34 0 debug2: tty_make_modes: 35 0 debug2: tty_make_modes: 36 1 debug2: tty_make_modes: 37 0 debug2: tty_make_modes: 38 1 debug2: tty_make_modes: 39 1 debug2: tty_make_modes: 40 0 debug2: tty_make_modes: 41 1 debug2: tty_make_modes: 50 1 debug2: tty_make_modes: 51 1 debug2: tty_make_modes: 52 0 debug2: tty_make_modes: 53 1 debug2: tty_make_modes: 54 1 debug2: tty_make_modes: 55 1 debug2: tty_make_modes: 56 0 debug2: tty_make_modes: 57 0 debug2: tty_make_modes: 58 0 debug2: tty_make_modes: 59 1 debug2: tty_make_modes: 60 1 debug2: tty_make_modes: 61 1 debug2: tty_make_modes: 62 0 debug2: 
tty_make_modes: 70 1 debug2: tty_make_modes: 71 0 debug2: tty_make_modes: 72 1 debug2: tty_make_modes: 73 0 debug2: tty_make_modes: 74 0 debug2: tty_make_modes: 75 0 debug2: tty_make_modes: 90 1 debug2: tty_make_modes: 91 1 debug2: tty_make_modes: 92 0 debug2: tty_make_modes: 93 0 debug1: Requesting X11 forwarding with authentication spoofing. debug1: Requesting authentication agent forwarding. debug1: Requesting shell. debug1: Entering interactive session. debug1: fd 1 setting O_NONBLOCK debug1: fd 2 IS O_NONBLOCK debug3: Trying to reverse map address 129.234.2.142. wtmp_write: problem writing /var/adm/wtmp: No such file or directory Last login: Fri Aug 3 14:59:16 2001 from womble.dur.ac.u Environment: USER=dcl0ads LOGNAME=dcl0ads HOME=/home/jeeves/dit/dcl0ads PATH=/usr/bin:/bin:/usr/sbin:/sbin MAIL=/var/mail//dcl0ads SHELL=/usr/local/bin/bash TZ=GB SSH_CLIENT=129.234.2.142 3568 2222 SSH_TTY=/dev/pts/4 TERM=xterm DISPLAY=polaris:10.0 XAUTHORITY=/tmp/ssh-fCL24467/cookies SSH_AUTH_SOCK=/tmp/ssh-CXr24467/agent.24467 Running /usr/openwin/bin/xauth add polaris:10.0 MIT-MAGIC-COOKIE-1 dfeb40c9d56991c81526290c79fa292a Adding polaris/unix:10.0 MIT-MAGIC-COOKIE-1 dfeb40c9d56991c81526290c79fa292a The SIRCAM virus appears to have hit a number of systems in the University. Please ensure that your virus protection is up to date. The current virus definition files have been updated and are 4150 (27 July 2001) and scan engine 4.1.40. =============================================================================== ]0;dcl0ads at polarisYou have no mail polaris 1$ Disconnecting: protocol error: rcvd type 98 debug1: Calling cleanup 0x805174c(0x0) debug1: Calling cleanup 0x8062c7c(0x0) -------------- next part -------------- Script started on Fri Aug 03 15:31:36 2001 # /usr/sbin/sshd -d -d -d -p 2222 debug1: Seeding random number generator debug1: sshd version OpenSSH_2.9p1 debug1: private host key: #0 type 0 RSA1 debug3: No RSA1 key file /etc/ssh/ssh_host_dsa_key. 
debug1: read PEM private key done: type DSA debug1: private host key: #1 type 2 DSA debug3: No RSA1 key file /etc/ssh/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #2 type 1 RSA debug1: Bind to port 2222 on 0.0.0.0. Server listening on 0.0.0.0 port 2222. Generating 768 bit RSA key. RSA key generation complete. debug1: Server will not fork when running in debugging mode. Connection from 129.234.2.142 port 3568 debug1: Client protocol version 1.5; client software version OpenSSH_2.9p2 debug1: match: OpenSSH_2.9p2 pat ^OpenSSH debug1: Local version string SSH-1.99-OpenSSH_2.9p1 debug1: Rhosts Authentication disabled, originating port not trusted. debug1: Sent 768 bit server key and 1024 bit host key. debug1: Encryption type: 3des debug1: Received session key; encryption turned on. debug1: Installing crc compensation attack detector. debug1: Attempting authentication for dcl0ads. debug1: temporarily_use_uid: 32540/2400 (e=0) debug1: restore_uid Accepted rsa for dcl0ads from 129.234.2.142 port 3568 debug1: session_new: init debug1: session_new: session 0 debug1: Allocating pty. 
debug2: tty_parse_modes: ospeed 38400 debug2: tty_parse_modes: ispeed 38400 debug2: tty_parse_modes: 1 3 debug2: tty_parse_modes: 2 28 debug2: tty_parse_modes: 3 127 debug2: tty_parse_modes: 4 21 debug2: tty_parse_modes: 5 4 debug2: tty_parse_modes: 6 255 debug2: tty_parse_modes: 7 255 debug2: tty_parse_modes: 8 17 debug2: tty_parse_modes: 9 19 debug2: tty_parse_modes: 10 26 debug2: tty_parse_modes: 12 18 debug2: tty_parse_modes: 13 23 debug2: tty_parse_modes: 14 22 debug2: tty_parse_modes: 18 15 debug2: tty_parse_modes: 30 0 debug2: tty_parse_modes: 31 0 debug2: tty_parse_modes: 32 0 debug2: tty_parse_modes: 33 0 debug2: tty_parse_modes: 34 0 debug2: tty_parse_modes: 35 0 debug2: tty_parse_modes: 36 1 debug2: tty_parse_modes: 37 0 debug2: tty_parse_modes: 38 1 debug2: tty_parse_modes: 39 1 debug2: tty_parse_modes: 40 0 debug2: tty_parse_modes: 41 1 debug2: tty_parse_modes: 50 1 debug2: tty_parse_modes: 51 1 debug2: tty_parse_modes: 52 0 debug2: tty_parse_modes: 53 1 debug2: tty_parse_modes: 54 1 debug2: tty_parse_modes: 55 1 debug2: tty_parse_modes: 56 0 debug2: tty_parse_modes: 57 0 debug2: tty_parse_modes: 58 0 debug2: tty_parse_modes: 59 1 debug2: tty_parse_modes: 60 1 debug2: tty_parse_modes: 61 1 debug2: tty_parse_modes: 62 0 debug2: tty_parse_modes: 70 1 debug2: tty_parse_modes: 71 0 debug2: tty_parse_modes: 72 1 debug2: tty_parse_modes: 73 0 debug2: tty_parse_modes: 74 0 debug2: tty_parse_modes: 75 0 debug2: tty_parse_modes: 90 1 debug2: tty_parse_modes: 91 1 debug2: tty_parse_modes: 92 0 debug2: tty_parse_modes: 93 0 debug1: Received request for X11 forwarding with auth spoofing. debug2: SSH_PROTOFLAG_SCREEN_NUMBER: 1 debug1: fd 10 setting O_NONBLOCK debug1: fd 10 IS O_NONBLOCK debug1: channel 0: new [X11 inet listener] debug1: temporarily_use_uid: 32540/2400 (e=0) debug1: restore_uid debug1: Received authentication agent forwarding request. 
debug1: temporarily_use_uid: 32540/2400 (e=0) debug1: restore_uid debug1: fd 11 setting O_NONBLOCK debug1: fd 11 IS O_NONBLOCK debug1: channel 1: new [auth socket] debug1: Entering interactive session. debug1: fd 8 setting O_NONBLOCK debug1: fd 9 IS O_NONBLOCK debug1: server_init_dispatch_13 debug1: server_init_dispatch_15 debug3: tvp!=NULL kid 0 mili 60000 debug3: tvp!=NULL kid 0 mili 10 debug3: tvp!=NULL kid 0 mili 60000 debug3: tvp!=NULL kid 0 mili 60000 debug3: tvp!=NULL kid 0 mili 60000 debug3: tvp!=NULL kid 0 mili 10 debug3: tvp!=NULL kid 0 mili 60000 debug3: tvp!=NULL kid 0 mili 60000 debug3: tvp!=NULL kid 0 mili 60000 debug3: tvp!=NULL kid 0 mili 60000 debug3: tvp!=NULL kid 0 mili 10 debug3: tvp!=NULL kid 0 mili 60000 debug3: tvp!=NULL kid 0 mili 60000 debug3: tvp!=NULL kid 0 mili 10 debug3: tvp!=NULL kid 0 mili 60000 debug3: tvp!=NULL kid 0 mili 60000 debug3: tvp!=NULL kid 0 mili 10 debug3: tvp!=NULL kid 0 mili 60000 debug3: tvp!=NULL kid 0 mili 60000 debug3: tvp!=NULL kid 0 mili 60000 debug3: tvp!=NULL kid 0 mili 60000 Received disconnect from 129.234.2.142: protocol error: rcvd type 98 debug1: Calling cleanup 0x26da0(0x0) debug1: xauthfile_cleanup_proc called debug1: Calling cleanup 0x2ea24(0x0) debug1: channel_free: channel 0: status: The following connections are open: debug1: channel_free: channel 1: status: The following connections are open: debug1: Calling cleanup 0x26e04(0xf433c) debug1: pty_cleanup_proc: /dev/pts/4 wtmp_write: problem writing /var/adm/wtmp: No such file or directory debug1: Calling cleanup 0x37164(0x0) # script done on Fri Aug 03 15:34:05 2001 From Darren.Moffat at eng.sun.com Sat Aug 4 03:04:37 2001 
From: Darren.Moffat at eng.sun.com (Darren Moffat)
Date: Fri, 3 Aug 2001 10:04:37 -0700 (PDT)
Subject: Feature request
Message-ID: <200108031705.f73H5Ab912019@jurassic.eng.sun.com>

>On Thu, 2 Aug 2001, Pinter Jozsef wrote:
>
>> So... it would be nice, if you change the host resolver code to this:
>> it should lookup MX records like mail transport agents, but only if A
>> record for host doesn't present.
>
>this is really a bad idea. for the purpose I think you're looking for a

Not only is it a bad idea because it is an abuse of the DNS, it would mean a pretty serious restructuring of the code, because OpenSSH does NOT call DNS: it calls the getXbyY calls provided by the OS, and they do whatever that OS wants. On Solaris they look at nsswitch.conf; on OpenBSD resolv.conf might say to use nis.

--
Darren J Moffat

From markus.friedl at informatik.uni-erlangen.de Sat Aug 4 06:15:20 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 3 Aug 2001 22:15:20 +0200
Subject: Disconnecting: protocol error: rcvd type 98
In-Reply-To: <20010803153419.D8359@womble.dur.ac.uk>; from a.d.stribblehill@durham.ac.uk on Fri, Aug 03, 2001 at 03:34:19PM +0100
References: <20010803153419.D8359@womble.dur.ac.uk>
Message-ID: <20010803221520.A32080@folly>

in serverloop.c:wait_until... add compat20 like this:

	if (compat20 && max_time_milliseconds == 0 && options.client_alive_interval) {
		client_alive_scheduled = 1;
		max_time_milliseconds = options.client_alive_interval * 1000;
	}

On Fri, Aug 03, 2001 at 03:34:19PM +0100, Andrew Stribblehill wrote:
> When I SSH using protocol 1 from a Debian box running OpenSSH 2.9p2-4
> to a sparc.sunos5 box running vanilla OpenSSH 2.9.1, after a little
> while (of inactivity?) I get the following message on the client
> terminal:
> 
> Disconnecting: protocol error: rcvd type 98
> 
> Looking further, this message is actually caused by the SSH daemon.
> However, I'm at a loss to determine why sshd is doing this.
> 
> I attach a sample 'ssh -1 -v -v -v' session client log, and a 'sshd
> -d -d -d' log.
> 
> If I can help debug this in any way, please say.
> 
> -- 
> Andrew Stribblehill
> Systems programmer, IT Service, University of Durham, England

> OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
> debug1: Reading configuration data /home/ads/.ssh/config
> debug1: Applying options for polaris
> debug1: Applying options for *
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Seeding random number generator
> debug1: Rhosts Authentication disabled, originating port will not be trusted.
> debug1: restore_uid
> debug1: ssh_connect: getuid 1000 geteuid 1000 anon 1
> debug1: Connecting to polaris [129.234.2.123] port 2222.
> [...]

From mouring at etoh.eviladmin.org Mon Aug 6 05:53:40 2001
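An added example for the "rcvd type 98" thread above (Andrew's logs and Markus's compat20 fix); it is a simplified Python model, not OpenSSH source and not Markus's code. What it shows: when the server loop has been idle for ClientAliveInterval seconds it sends a keepalive as an SSH2 channel request, message type 98 (SSH2_MSG_CHANNEL_REQUEST), but a protocol-1 client has no handler for type 98 and disconnects with exactly the error Andrew saw. Guarding the scheduling on compat20, as Markus's snippet does, means a protocol-1 session never gets the keepalive. The repeated "mili 60000" timeouts in the sshd log are consistent with a ClientAliveInterval of 60 on polaris, which the model assumes; the dispatch tables are a constructed subset of the real message sets.

```python
"""Model of the ClientAlive / protocol-1 interaction behind "rcvd type 98".

Added example; a simplified model, not OpenSSH source. The SSH2 channel
request number and the protocol-1 message numbers match the published
protocols, but the dispatch tables are a constructed subset.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

SSH2_MSG_CHANNEL_REQUEST = 98      # RFC 4254; what the client logged as "type 98"

# Protocol 1 server->client messages the model client understands (subset).
SSH_SMSG_STDOUT_DATA = 17
SSH_SMSG_EXITSTATUS = 20
SSH_MSG_IGNORE = 32
SSH_MSG_DEBUG = 36


class ProtocolError(Exception):
    """Raised by the client when it receives a message type it has no handler for."""


@dataclass
class ServerOptions:
    client_alive_interval: int = 0  # seconds; 0 disables, as in sshd_config


@dataclass
class Server:
    compat20: bool                  # True when the connection negotiated protocol 2
    options: ServerOptions
    patched: bool                   # True = with the compat20 guard from the fix
    sent: List[Tuple[int, str]] = field(default_factory=list)

    def wait_timeout_ms(self, max_time_milliseconds: int = 0) -> Tuple[int, bool]:
        """Mirror the select() timeout decision in the server loop.

        Returns (timeout_ms, client_alive_scheduled). Unpatched, the keepalive
        is scheduled whenever ClientAliveInterval is set; patched, only when
        the connection is protocol 2 (compat20).
        """
        scheduled = False
        protocol_ok = self.compat20 if self.patched else True
        if protocol_ok and max_time_milliseconds == 0 and self.options.client_alive_interval:
            scheduled = True
            max_time_milliseconds = self.options.client_alive_interval * 1000
        return max_time_milliseconds, scheduled

    def on_idle_timeout(self) -> None:
        """select() timed out with no client traffic: send the keepalive if scheduled."""
        _, scheduled = self.wait_timeout_ms()
        if scheduled:
            # Modelled as an SSH2 channel request on the session channel.
            self.sent.append((SSH2_MSG_CHANNEL_REQUEST, "keepalive@openssh.com"))


def make_client(compat20: bool) -> Dict[int, Callable[[str], None]]:
    """Dispatch table for the model client; protocol 1 has no entry for type 98."""
    table: Dict[int, Callable[[str], None]] = {
        SSH_SMSG_STDOUT_DATA: lambda _payload: None,
        SSH_SMSG_EXITSTATUS: lambda _payload: None,
        SSH_MSG_IGNORE: lambda _payload: None,
        SSH_MSG_DEBUG: lambda _payload: None,
    }
    if compat20:
        table[SSH2_MSG_CHANNEL_REQUEST] = lambda _payload: None
    return table


def client_receive(dispatch: Dict[int, Callable[[str], None]], msg_type: int, payload: str) -> None:
    """Deliver one message; an unknown type is a protocol error, as in ssh."""
    handler = dispatch.get(msg_type)
    if handler is None:
        raise ProtocolError(f"protocol error: rcvd type {msg_type}")
    handler(payload)


def simulate_idle_session(compat20: bool, client_alive_interval: int, patched: bool) -> str:
    """Run one idle period and report what the client does."""
    server = Server(compat20, ServerOptions(client_alive_interval), patched)
    client = make_client(compat20)
    server.on_idle_timeout()
    try:
        for msg_type, payload in server.sent:
            client_receive(client, msg_type, payload)
    except ProtocolError as err:
        return f"Disconnecting: {err}"
    return "ok"


if __name__ == "__main__":
    # Protocol 1, ClientAliveInterval 60, unpatched: what the Durham logs show.
    print(simulate_idle_session(False, 60, patched=False))
    # Same connection with the compat20 guard: nothing is sent, the client stays up.
    print(simulate_idle_session(False, 60, patched=True))
    # Protocol 2 keeps the keepalive, and the client understands it.
    print(simulate_idle_session(True, 60, patched=True))
```

The general lesson the model makes concrete: any feature that emits messages must be gated on the negotiated protocol version, since the peer's dispatch table, not the sender's intent, decides whether an unexpected type is tolerated or fatal.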
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Sun, 5 Aug 2001 14:53:40 -0500 (CDT)
Subject: Ported openssh-2.9p2 to LynxOS
In-Reply-To: <20010802054903.95059.qmail@web8005.mail.in.yahoo.com>
Message-ID:

Besides, being back from GenCon.. Finally.

Yes, if you could provide a diff -u patch against either 2.9p1 or the -current portable CVS tree it will make it easier for us. If there is no entry in the ./configure section for LynxOS proper then that means there are no real special cases for that platform.. which is a GOOD thing.

We prefer if you 'borrowed' code that it came from a non-GPL tree. It really saves us a lot of hassle. OpenBSD is the preferred tree... Free or Net are also good places.

- Ben

On Thu, 2 Aug 2001, [iso-8859-1] hari sekar wrote:

> Hi,
> I have ported the portable version of openssh
> (openssh-2.9p2) to LynxOS. I have had to install Perl5
> and openssl-0.9.5a. Also since the regex library in
> LynxOS is not POSIX compliant I had to use PCRE. Then
> I configured openssh-2.9p2 with the library option
> -lbsd. One more problem was the macro "howmany(x,y)"
> is not defined in any of the /usr/include header files
> in LynxOS. So I copied the Linux version of this macro
> and included this header. It now works without any
> problem.
> I would like to appreciate the porting team of
> OpenSSH for the splendid work done on porting that it
> was so easy to install in LynxOS. I understand that
> the team has provided all the OS specific details. But
> I don't find any mention of LynxOS in config file.
>
> *** I would be immensely happy if I could get some
> information from anyone on the Porting Issues that are
> to be taken care of while porting any application.
> What are the Operating System specific information
> that need to be addressed and how it has been done in
> openssh-portable release?
>
> Expecting your kind help,
> A.Gnana Hari Sekar.
>
> ____________________________________________________________
> Do You Yahoo!?
> For regular News updates go to http://in.news.yahoo.com
>

From tim at multitalents.net Mon Aug 6 10:06:15 2001
From: tim at multitalents.net (Tim Rice)
Date: Sun, 5 Aug 2001 17:06:15 -0700 (PDT)
Subject: Cray patch against openssh-SNAP-20010802
In-Reply-To:
Message-ID:

On Thu, 2 Aug 2001, William L. Jones wrote:

> Significant changes since last patch.
> [snip]
>
> Add no_sco flag to noop check for -lrpc which assumes that
> there was a -lyp library.

Did Wendy's patch not fix your -lyp problem?

....
% diff -u configure.in.orig configure.in
--- configure.in.orig Wed Aug 1 16:24:39 2001
+++ configure.in Wed Aug 1 16:40:40 2001
@@ -245,7 +245,7 @@
 no_libsocket=1
 no_libnsl=1
 AC_DEFINE(USE_PIPES)
- LDFLAGS="$LDFLAGS -L/usr/local/lib"
+ LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal",-L/usr/local/lib"
 LIBS="$LIBS -lgen -lrsc"
 ;;
 *-dec-osf*)
--
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154
....

> [snip]
>
> Bill Jones

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From mouring at etoh.eviladmin.org Mon Aug 6 13:37:17 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Sun, 5 Aug 2001 22:37:17 -0500 (CDT)
Subject: Port for PSOS?
In-Reply-To: <3B699BC1.6BB413FC@packeteer.com>
Message-ID:

I've never seen nor heard of 'PSOS'.. But OpenSSH pretty much follows most of the POSIX API. So as long as you have something that mostly smells like POSIX/UNIX, it may not be too hard. Just keep in mind if you wish to have it included in the portable you need to keep your core changes down as much as possible.

- Ben

On Thu, 2 Aug 2001, Jared Crane wrote:

>
> Does anyone have a port for PSOS or know if anyone has tried? Any info
> on the extent of the changes that will be required for the port would be
> greatly appreciated.
>
> Thanks,
> Jared
>
>

From frank-m.mohr at db.com Tue Aug 7 04:44:31 2001
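Review bot: the added line in the configure.in hunk quoted in Tim's message, `LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal",-L/usr/local/lib"`, has a stray double quote after `fatal` that closes the string early and leaves `,-L/usr/local/lib"` outside it with an unmatched quote, so the assignment will not parse once configure is generated; if this is not a paste artifact in the mail, the line most likely wants to read `LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal -L/usr/local/lib"`, and the verbatim line from the tree should be checked before committing. A one-line comment above it saying which linker diagnostic message 334 is would also help, since promoting it to fatal for every link on that target is otherwise opaque to the next maintainer.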
From: frank-m.mohr at db.com (Frank-M Mohr)
Date: Mon, 6 Aug 2001 19:44:31 +0100
Subject: Setting of DISPLAY Variable
Message-ID:

Hi

I'm currently testing OpenSSH_2.9p2 on AIX. Is there any reason why the hostname is used for the DISPLAY variable instead of localhost?

I just had problems with X11 forwarding on an AIX test machine that has HCMP configured but not running. (The network interface has a different IP address in that state.) After changing the DISPLAY variable X11 forwarding worked fine.

Frank

--
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

From info at ninosdepapel.org Tue Aug 7 05:21:58 2001
From: info at ninosdepapel.org (Niños de Papel)
Date: Mon, 06 Aug 2001 14:21:58 -0500
Subject: Las Cosas de Papel- Segunda Edicion
Message-ID: <200108061534218.SM00181@computer>

***** This is an HTML Message ! *****
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010806/7e01d34e/attachment.html

From mouring at etoh.eviladmin.org Tue Aug 7 09:10:09 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Mon, 6 Aug 2001 18:10:09 -0500 (CDT)
Subject: Cray patch against openssh-SNAP-20010802
In-Reply-To:
Message-ID:

> The details on all the patches:
>
> configure.in - Add work around to sco libyp assumption.

Does Wendy's patch work? I'd rather use hers.

> sshd.c - Turn off cray process privileges root is enough on PRIV_SU
> unicos/unicosmk systems.

applied.

> entropy.c - Define INADDR_LOOPBACK

Can we put this in defines.h instead?

> deattack.c - Modified to not depend on u_int16_t
> being 16bit in size.

I still want Markus or someone in the OpenBSD group to bless this or come up with a hybrid idea for the OpenBSD tree.

> scp.c - Modified to use alarm instead of setitimer.
> Unicos does not support setitimer.

This was committed to the upstream tree.

> serverloop.c - Modified sigchld_handler to not reset
> on Crays. This is the
> only case it needs to be reset, the side effect
> is it fixes the problem with an infinite signal loop
> under unicos and unicosmk.
> Modified waitpid to keep trying if it gets an EINTR,
> this can happen due to job termination signal on unicos and
> unicosmk.

Still not included. Waiting for feedback from others..

> session.c - Added unicos/unicosmk job termination signal handler.
> Add TMPDIR environment variable.
> Add code to set up a unicos/unicosmk job and system
> limits.

Applied most.

> sshpty.c - Unicos/unicosk pty support.
>
> In openbsd-compat directory:
> bindresvport.c & - Code around the fact that the address of sin_port
> rresvport.c. really is 64 bit aligned on a SV1.

Can I get Damien or someone else to agree this is what we want to do? It looks fine to me.

> bsd-cray.c - Clean up cray support routines. Fix su related
> security bug.
> bsd-cray.h - Cray support subroutine proto types.

Applied.

I added bsd-cray.h to openbsd-compat.h where it should be.. If it does not work out there then we should try defines.h before putting it into a single file.

- Ben

From wendyp at cray.com Tue Aug 7 10:34:33 2001
From: wendyp at cray.com (Wendy Palm)
Date: Mon, 06 Aug 2001 19:34:33 -0500
Subject: Cray patch against openssh-SNAP-20010802
References:
Message-ID: <3B6F3799.70F1E1D7@cray.com>

mouring at etoh.eviladmin.org wrote:
>
> > The details on all the patches:
> >
> > configure.in - Add work around to sco libyp assumption.
> Does Wendy's patch work? I'd rather use hers.

It does on all my systems. I haven't heard from Bill about it, but I sent the fix after he'd sent the patch in to you.

> > entropy.c - Define INADDR_LOOPBACK
>
> Can we put this in defines.h instead?

Seems to work there just fine. No problem.

> > deattack.c - Modified to not depend on u_int16_t
> > being 16bit in size.
> I still want Markus or someone in the OpenBSD group to bless this or
> come up with a hybrid idea for the OpenBSD tree.

Eager to hear one. It's a real problem on a 64-bit machine.

> > serverloop.c - Modified sigchld_handler to not reset
> > on Crays. This is the
> > only case it needs to be reset, the side effect
> > is it fixes the problem with an infinite signal loop
> > under unicos and unicosmk.
> > Modified waitpid to keep trying if it gets an EINTR,
> > this can happen due to job termination signal on unicos and
> > unicosmk.
>
> Still not included. Waiting for feedback from others.

OK, eager to hear about this too.

> > session.c - Added unicos/unicosmk job termination signal handler.
> > Add TMPDIR environment variable.
> > Add code to set up a unicos/unicosmk job and system
> > limits.
>
> Applied most.

Cool. Problems? Or just taking it slow? (I know there's a lot in there.)

> > bsd-cray.c - Clean up cray support routines. Fix su related
> > security bug.
> > bsd-cray.h - Cray support subroutine prototypes.
>
> Applied.
>
> I added bsd-cray.h to openbsd-compat.h where it should be. If it does not
> work out there then we should try defines.h before putting it into a
> single file.

It seems to work. I haven't had it fail yet.
Thanks,
wendy

--
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154

From tim at multitalents.net Tue Aug 7 12:29:15 2001
From: tim at multitalents.net (Tim Rice)
Date: Mon, 6 Aug 2001 19:29:15 -0700 (PDT)
Subject: Cray patch against openssh-SNAP-20010802
In-Reply-To:
Message-ID:

On Mon, 6 Aug 2001, William L. Jones wrote:

> Two problems. There's an " just after fatal that I don't think should be
> there

Ah yes, I see the extra "
But if you remove it, it should work.

The AC_CHECK_LIB(rpc, innetgr, LIBS="-lrpc -lyp -lrpc $LIBS" , , -lyp -lrpc)
test should fail on anything other than SCO Open Server 3

> and I can still get errors because I don't have libyp.a.

As you should.

> My solution works!
>
> A better solution is to have the offending code check for both rpc and yp
> lib before adding them.
>
> Or just always look for rpc and add it. Then look for yp and add it.

Are you saying you need to link in librpc to get openssh to work?

> Just don't assume that yp exists if rpc does.
>
> How do you think the problem should be solved?
>
> Bill Jones
>
> > -----Original Message-----
> > From: Tim Rice [mailto:tim at multitalents.net]
> > Sent: Monday, August 06, 2001 1:06 PM
> > To: William L. Jones
> > Subject: Re: Cray patch against openssh-SNAP-20010802
> >
> > On Sun, 5 Aug 2001, William L. Jones wrote:
> >
> > > I'll look and see. Is her patch in the daily drop yet?
> >
> > Not yet. I was about to add it when I saw your message.
> > Please try the small patch below and let me know.
> >
> > > ----- Original Message -----
> > > From: "Tim Rice" > > > To: "William L. Jones" > > > Cc: > > > Sent: Sunday, August 05, 2001 7:06 PM > > > Subject: Re: Cray patch against openssh-SNAP-20010802 > > > > > > > > > > On Thu, 2 Aug 2001, William L. Jones wrote: > > > > > > > > > Significant changes since last patch. > > > > > > > > > [snip] > > > > > > > > > > Add no_sco flag to noop check for -lrpc which assumes that > > > > > their was a -lyp library. > > > > > > > > Did Wendy's patch not fix your -lyp problem? > > > > .... > > > > > > > > % diff -u configure.in.orig configure.in > > > > --- configure.in.orig Wed Aug 1 16:24:39 2001 > > > > +++ configure.in Wed Aug 1 16:40:40 2001 > > > > @@ -245,7 +245,7 @@ > > > > no_libsocket=1 > > > > no_libnsl=1 > > > > AC_DEFINE(USE_PIPES) > > > > - LDFLAGS="$LDFLAGS -L/usr/local/lib" > > > > + LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal",-L/usr/local/lib" > > > > LIBS="$LIBS -lgen -lrsc" > > > > ;; > > > > *-dec-osf*) > > > > > > > > > > > > -- > > > > wendy palm > > > > Cray OS Sustaining Engineering, Cray Inc. > > > > wendyp at cray.com, 651-605-9154 > > > > .... > > > > > > > > > > > > > [snip] > > > > -- > > Tim Rice Multitalents (707) 887-1469 > > tim at multitalents.net > > > > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From djm at mindrot.org Tue Aug 7 20:30:47 2001 From: djm at mindrot.org (Damien Miller) Date: Tue, 7 Aug 2001 20:30:47 +1000 (EST) Subject: Setting of DISPLAY Variable In-Reply-To: Message-ID: On Mon, 6 Aug 2001, Frank-M Mohr wrote: > > Hi > > I'm currently testing OpenSSH_2.9p2 on AIX. > > Is there any reason why the hostname is used for the DISPLAY > variable instead of localhost? IIRC some broken X server detect "localhost" in $DISPLAY and force the use of a Unix socket. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From jones at mail.utexas.edu Tue Aug 7 23:25:54 2001 
From: jones at mail.utexas.edu (William L. Jones)
Date: Tue, 7 Aug 2001 08:25:54 -0500
Subject: Cray patch against openssh-SNAP-20010802
In-Reply-To:
Message-ID:

> -----Original Message-----
> From: owner-openssh-unix-dev at mindrot.org
> [mailto:owner-openssh-unix-dev at mindrot.org]On Behalf Of Tim Rice
> Sent: Monday, August 06, 2001 9:29 PM
> To: William L. Jones
> Cc: openssh-unix-dev at mindrot.org
> Subject: RE: Cray patch against openssh-SNAP-20010802
>
> On Mon, 6 Aug 2001, William L. Jones wrote:
>
> > Two problems. There's an " just after fatal that I don't think should be
> > there
>
> Ah yes, I see the extra "
> But if you remove it, it should work.
>
> The AC_CHECK_LIB(rpc, innetgr, LIBS="-lrpc -lyp -lrpc $LIBS" , ,
> -lyp -lrpc)
> test should fail on anything other than SCO Open Server 3

It's not complicated enough. If I understand it right it will add the loading of rpc and yp if it finds an rpc lib. Cray has an rpc lib so it adds both rpc and yp to the load list, which is bad since Cray doesn't have a yp lib.

Why can't this just be removed and the extra lib just be added to the LIB definition in the target-specific stuff for sco?

> > and I can still get errors because I don't have libyp.a.
> As you should.
>
> > My solution works!
> >
> > A better solution is to have the offending code check for both
> rpc and yp
> > lib before adding them.
> >
> > Or just always look for rpc and add it. Then look for yp and add it.
>
> Are you saying you need to link in librpc to get openssh to work?
>
> > Just don't assume that yp exists if rpc does.
> >
> > How do you think the problem should be solved?
> >
> > Bill Jones
> >
> > > -----Original Message-----
> > > From: Tim Rice [mailto:tim at multitalents.net] > > > Sent: Monday, August 06, 2001 1:06 PM > > > To: William L. Jones > > > Subject: Re: Cray patch against openssh-SNAP-20010802 > > > > > > > > > On Sun, 5 Aug 2001, William L. Jones wrote: > > > > > > > I look and see. Is her patch in the daily drop yet? > > > > > > Not yet. I was about to add it when I saw your message. > > > Please try the small patch below and let me know. > > > > > > > > > > > ----- Original Message ----- > > > > From: "Tim Rice" > > > > To: "William L. Jones" > > > > Cc: > > > > Sent: Sunday, August 05, 2001 7:06 PM > > > > Subject: Re: Cray patch against openssh-SNAP-20010802 > > > > > > > > > > > > > On Thu, 2 Aug 2001, William L. Jones wrote: > > > > > > > > > > > Significant changes since last patch. > > > > > > > > > > > [snip] > > > > > > > > > > > > Add no_sco flag to noop check for -lrpc which assumes that > > > > > > their was a -lyp library. > > > > > > > > > > Did Wendy's patch not fix your -lyp problem? > > > > > .... > > > > > > > > > > % diff -u configure.in.orig configure.in > > > > > --- configure.in.orig Wed Aug 1 16:24:39 2001 > > > > > +++ configure.in Wed Aug 1 16:40:40 2001 > > > > > @@ -245,7 +245,7 @@ > > > > > no_libsocket=1 > > > > > no_libnsl=1 > > > > > AC_DEFINE(USE_PIPES) > > > > > - LDFLAGS="$LDFLAGS -L/usr/local/lib" > > > > > + LDFLAGS="$LDFLAGS > -Wl,-Dmsglevel=334:fatal",-L/usr/local/lib" > > > > > LIBS="$LIBS -lgen -lrsc" > > > > > ;; > > > > > *-dec-osf*) > > > > > > > > > > > > > > > -- > > > > > wendy palm > > > > > Cray OS Sustaining Engineering, Cray Inc. > > > > > wendyp at cray.com, 651-605-9154 > > > > > .... > > > > > > > > > > > > > > > > [snip] > > > > > > -- > > > Tim Rice Multitalents (707) 887-1469 > > > tim at multitalents.net > > > > > > > > > > -- > Tim Rice Multitalents (707) 887-1469 > tim at multitalents.net > > From sturle.sunde at usit.uio.no Tue Aug 7 23:54:16 2001 
From: sturle.sunde at usit.uio.no (Sturle Sunde)
Date: 07 Aug 2001 15:54:16 +0200
Subject: Setting of DISPLAY Variable
In-Reply-To:
References:
Message-ID:

Damien Miller writes:

> On Mon, 6 Aug 2001, Frank-M Mohr wrote:
>> I'm currently testing OpenSSH_2.9p2 on AIX.
>>
>> Is there any reason why the hostname is used for the DISPLAY
>> variable instead of localhost?
>
> IIRC some broken X servers detect "localhost" in $DISPLAY and force
> the use of a Unix socket.

X11R6.4 is the last release with this bug. In xc/lib/X11/ConnDis.c:

    #ifdef LOCALCONN
        /* check if phostname == localnodename */
        if (phostname && uname(&sys) >= 0 &&
            !strncmp(phostname, sys.nodename, strlen(sys.nodename))) {
            Xfree (phostname);
            phostname = copystring ("unix", 4);
        }
    #endif

I added "&& idisplay == 0" to the if test above to fix this problem in my X11R6.4, but that's a quick and dirty solution. Newer releases use this:

    #ifdef LOCALCONN
        /* check if phostname == localnodename AND protocol not specified */
        if (!pprotocol && phostname && uname(&sys) >= 0 &&
            !strncmp(phostname, sys.nodename,
                     (strlen(sys.nodename) < strlen(phostname) ?
                      strlen(phostname) : strlen(sys.nodename)))) {
    #ifdef TCPCONN
            /*
             * We'll first attempt to connect using the local transport. If
             * this fails (which is the case if sshd X protocol forwarding is
             * being used), retry using tcp and this hostname.
             */
            tcphostname = copystring(phostname, strlen(phostname));
    #endif
            Xfree (phostname);
            phostname = copystring ("unix", 4);
        }
    #endif

Anyone working with the exit status bug in OpenSSH? My script for deleting users fails randomly because of it, so it's critical! 8-)

--
Sturle    All eyes were on Ford Prefect. Some of them were on stalks.
~~~~~~    -- Douglas Adams, So long, and thanks for all the fish

From Markus.Friedl at informatik.uni-erlangen.de Wed Aug 8 00:04:23 2001
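The two ConnDis.c tests quoted in Sturle's message decide whether an X client talks to the forwarded display over the local socket or over TCP, which is what makes sshd's choice between the hostname and "localhost" matter. The C below is an added example written for this page, not code from OpenSSH, X11 or anyone in the thread: it re-implements just that decision so the X11R6.4 test and the later one can be run side by side on sample DISPLAY strings. The nodename parameter stands in for uname(&sys).nodename, parse_display is a simplified stand-in for Xlib's display-name parsing, and the X_LOCAL_THEN_TCP value names the retry the newer code performs; all three are assumptions of the example.

```c
/*
 * Added example (not OpenSSH or X11 code): a stand-alone model of the
 * DISPLAY-name check quoted above from xc/lib/X11/ConnDis.c, so the
 * X11R6.4 test and the later one can be compared on sample DISPLAY
 * strings. nodename stands in for uname(&sys).nodename; only the parts
 * of display-name parsing that feed this decision are modelled.
 */
#include <stdio.h>
#include <string.h>

enum transport { X_TCP, X_LOCAL, X_LOCAL_THEN_TCP };

/* Split "[proto/]host:display[.screen]"; returns 0 on a malformed name. */
static int parse_display(const char *display, char *proto, size_t protolen,
                         char *host, size_t hostlen, int *idisplay)
{
    const char *p = display, *slash = strchr(display, '/');
    const char *colon = strchr(display, ':');
    size_t n;

    proto[0] = '\0';
    if (colon == NULL)
        return 0;
    if (slash != NULL && slash < colon) {        /* explicit "tcp/" or "unix/" */
        n = (size_t)(slash - p);
        if (n >= protolen)
            return 0;
        memcpy(proto, p, n);
        proto[n] = '\0';
        p = slash + 1;
    }
    n = (size_t)(colon - p);
    if (n >= hostlen)
        return 0;
    memcpy(host, p, n);
    host[n] = '\0';
    return sscanf(colon + 1, "%d", idisplay) == 1;
}

/*
 * The transport Xlib would pick on a LOCALCONN+TCPCONN build.
 * old_xlib != 0 models the X11R6.4 test (prefix match on the node name,
 * no protocol check, no fallback); 0 models the later release quoted above.
 */
enum transport x11_transport(const char *display, const char *nodename, int old_xlib)
{
    char proto[16], host[256];
    int idisplay;
    size_t nl = strlen(nodename), hl;

    if (!parse_display(display, proto, sizeof proto, host, sizeof host, &idisplay))
        return X_TCP;                            /* malformed: nothing to rewrite */
    (void)idisplay;                              /* Sturle's "&& idisplay == 0" hack would hook in here */
    if (host[0] == '\0' || strcmp(host, "unix") == 0)
        return X_LOCAL;                          /* ":0" and "unix:0" are always local */
    hl = strlen(host);

    if (old_xlib) {
        /* strncmp(phostname, sys.nodename, strlen(sys.nodename)) == 0 */
        if (strncmp(host, nodename, nl) == 0)
            return X_LOCAL;
    } else if (proto[0] == '\0' &&
               strncmp(host, nodename, hl < nl ? nl : hl) == 0) {
        /* compare over the longer length (whole-string match); tcphostname kept for the retry */
        return X_LOCAL_THEN_TCP;
    }
    if (proto[0] != '\0')
        return strcmp(proto, "unix") == 0 ? X_LOCAL : X_TCP;
    return X_TCP;
}

int main(void)
{
    static const char *names[] = { "myhost:10.0", "localhost:10.0",
                                   "myhost.example.com:10", "myhostile:10" };
    static const char *label[] = { "tcp", "unix", "unix, then tcp" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-24s nodename=myhost  R6.4: %-15s later: %s\n", names[i],
               label[x11_transport(names[i], "myhost", 1)],
               label[x11_transport(names[i], "myhost", 0)]);
    return 0;
}
```

Running it with nodename "myhost" shows the failure mode the thread is about: under the R6.4 test a DISPLAY of myhost:10.0 (and, because of the prefix match, even myhostile:10) is sent to the Unix socket, where no forwarded display exists, while localhost:10.0 stays on TCP unless the node name is literally "localhost". The later test only rewrites a whole-string match, honours an explicit tcp/ prefix, and keeps the hostname for a TCP retry, so either DISPLAY form works with it.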
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 7 Aug 2001 16:04:23 +0200 Subject: Setting of DISPLAY Variable In-Reply-To: ; from sturle.sunde@usit.uio.no on Tue, Aug 07, 2001 at 03:54:16PM +0200 References: Message-ID: <20010807160423.A5364@faui02.informatik.uni-erlangen.de> On Tue, Aug 07, 2001 at 03:54:16PM +0200, Sturle Sunde wrote: > Anyone working with the exit status bug in OpenSSH? My script for > deleting users fails randomly because of it, so it's critical! 8-) should be fixed in the cvs version From tim at multitalents.net Wed Aug 8 06:49:05 2001 From: tim at multitalents.net (Tim Rice) Date: Tue, 7 Aug 2001 13:49:05 -0700 (PDT) Subject: Cray patch against openssh-SNAP-20010802 In-Reply-To: Message-ID: On Tue, 7 Aug 2001, William L. Jones wrote: > > > > -----Original Message----- 
> > From: owner-openssh-unix-dev at mindrot.org
> > [mailto:owner-openssh-unix-dev at mindrot.org]On Behalf Of Tim Rice
> > Sent: Monday, August 06, 2001 9:29 PM
> > To: William L. Jones
> > Cc: openssh-unix-dev at mindrot.org
> > Subject: RE: Cray patch against openssh-SNAP-20010802
> >
> > On Mon, 6 Aug 2001, William L. Jones wrote:
> >
> > > Two problems. There's an " just after fatal that I don't think should be
> > > there
> >
> > Ah yes, I see the extra "
> > But if you remove it, it should work.
> >
> > The AC_CHECK_LIB(rpc, innetgr, LIBS="-lrpc -lyp -lrpc $LIBS" , ,
> > -lyp -lrpc)
> > test should fail on anything other than SCO Open Server 3
>
> It's not complicated enough. If I understand it right it will add the
> loading of rpc and yp if it finds an rpc lib. Cray has an rpc
> lib so it adds both rpc and yp to the load list, which is bad
> since Cray doesn't have a yp lib.

If Cray passes that test without having libyp it's broken. Wendy's patch is supposed to correct this so it will properly fail on that test.

Unless I hear someone say "I've added Wendy's configure.in patch and it still adds -lrpc -lyp to LIBS" I'm going to commit the patch.

> Why can't this just be removed and the extra lib just be added
> to the LIB definition in the target-specific stuff for sco?
>
> > > and I can still get errors because I don't have libyp.a.
> > As you should.
> >
> > > My solution works!
> > >
> > > A better solution is to have the offending code check for both
> > rpc and yp
> > > lib before adding them.
> > >
> > > Or just always look for rpc and add it. Then look for yp and add it.
> >
> > Are you saying you need to link in librpc to get openssh to work?
> >
> > > Just don't assume that yp exists if rpc does.
> > >
> > > How do you think the problem should be solved?
> > >
> > > Bill Jones
> > >
> > > > -----Original Message-----
> > > > From: Tim Rice [mailto:tim at multitalents.net] > > > > Sent: Monday, August 06, 2001 1:06 PM > > > > To: William L. Jones > > > > Subject: Re: Cray patch against openssh-SNAP-20010802 > > > > > > > > > > > > On Sun, 5 Aug 2001, William L. Jones wrote: > > > > > > > > > I look and see. Is her patch in the daily drop yet? > > > > > > > > Not yet. I was about to add it when I saw your message. > > > > Please try the small patch below and let me know. > > > > > > > > > > > > > > ----- Original Message ----- > > > > > From: "Tim Rice" > > > > > To: "William L. Jones" > > > > > Cc: > > > > > Sent: Sunday, August 05, 2001 7:06 PM > > > > > Subject: Re: Cray patch against openssh-SNAP-20010802 > > > > > > > > > > > > > > > > On Thu, 2 Aug 2001, William L. Jones wrote: > > > > > > > > > > > > > Significant changes since last patch. > > > > > > > > > > > > > [snip] > > > > > > > > > > > > > > Add no_sco flag to noop check for -lrpc which assumes that > > > > > > > their was a -lyp library. > > > > > > > > > > > > Did Wendy's patch not fix your -lyp problem? > > > > > > .... > > > > > > > > > > > > % diff -u configure.in.orig configure.in > > > > > > --- configure.in.orig Wed Aug 1 16:24:39 2001 > > > > > > +++ configure.in Wed Aug 1 16:40:40 2001 
> > > > > > @@ -245,7 +245,7 @@ > > > > > > no_libsocket=1 > > > > > > no_libnsl=1 > > > > > > AC_DEFINE(USE_PIPES) > > > > > > - LDFLAGS="$LDFLAGS -L/usr/local/lib" > > > > > > + LDFLAGS="$LDFLAGS > > -Wl,-Dmsglevel=334:fatal",-L/usr/local/lib" > > > > > > LIBS="$LIBS -lgen -lrsc" > > > > > > ;; > > > > > > *-dec-osf*) > > > > > > > > > > > > > > > > > > -- > > > > > > wendy palm > > > > > > Cray OS Sustaining Engineering, Cray Inc. > > > > > > wendyp at cray.com, 651-605-9154 > > > > > > .... > > > > > > > > > > > > > > > > > > > [snip] > > > > > > > > -- > > > > Tim Rice Multitalents (707) 887-1469 > > > > tim at multitalents.net > > > > > > > > > > > > > > > -- > > Tim Rice Multitalents (707) 887-1469 > > tim at multitalents.net > > > > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From wendyp at cray.com Wed Aug 8 07:27:27 2001 From: wendyp at cray.com (Wendy Palm) Date: Tue, 07 Aug 2001 16:27:27 -0500 Subject: do_pre_login() used before declared Message-ID: <3B705D3F.5DE78302@cray.com> do_pre_login() in session.c is used (in do_exec_pty()) before it's declared, which is causing some problems for me. please move it up a couple hundred lines in the file. patch included for 0807 snapshot. thanks, wendy % diff -u session.c.orig session.c.mod --- session.c.orig Tue Aug 7 13:11:51 2001 +++ session.c.mod Tue Aug 7 16:21:07 2001 
@@ -397,6 +397,34 @@ } } +#ifdef LOGIN_NEEDS_UTMPX +void +do_pre_login(Session *s) +{ + socklen_t fromlen; + struct sockaddr_storage from; + pid_t pid = getpid(); + + /* + * Get IP address of client. If the connection is not a socket, let + * the address be 0.0.0.0. + */ + memset(&from, 0, sizeof(from)); + if (packet_connection_is_on_socket()) { + fromlen = sizeof(from); + if (getpeername(packet_get_connection_in(), + (struct sockaddr *) & from, &fromlen) < 0) { + debug("getpeername: %.100s", strerror(errno)); + fatal_cleanup(); + } + } + + record_utmp_only(pid, s->tty, s->pw->pw_name, + get_remote_name_or_ip(utmp_len, options.reverse_mapping_check), + (struct sockaddr *)&from); +} +#endif + /* * This is called to fork and execute a command when we have no tty. This * will call do_child from the child, and server_loop from the parent after @@ -621,34 +649,6 @@ /* server_loop _has_ closed ptyfd and fdout. */ } } - -#ifdef LOGIN_NEEDS_UTMPX -void -do_pre_login(Session *s) -{ - socklen_t fromlen; - struct sockaddr_storage from; - pid_t pid = getpid(); - - /* - * Get IP address of client. If the connection is not a socket, let - * the address be 0.0.0.0. - */ - memset(&from, 0, sizeof(from)); - if (packet_connection_is_on_socket()) { - fromlen = sizeof(from); - if (getpeername(packet_get_connection_in(), - (struct sockaddr *) & from, &fromlen) < 0) { - debug("getpeername: %.100s", strerror(errno)); - fatal_cleanup(); - } - } - - record_utmp_only(pid, s->tty, s->pw->pw_name, - get_remote_name_or_ip(utmp_len, options.reverse_mapping_check), - (struct sockaddr *)&from); -} -#endif /* * This is called to fork and execute a command. If another command is -- wendy palm Cray OS Sustaining Engineering, Cray Inc. wendyp at cray.com, 651-605-9154 From wendyp at cray.com Wed Aug 8 07:34:41 2001 
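Review bot: moving the whole #ifdef LOGIN_NEEDS_UTMPX block above do_exec_no_pty() in the @@ -397,6 +397,34 @@ hunk cures the implicit declaration, but a one-line prototype next to the other session.c prototypes (do_exec_no_pty, do_login and friends) would do the same with a far smaller diff and leave the function next to do_login(), where the second hunk removes it from. Inside the moved body, the comment promises that the address is left as 0.0.0.0 when the connection is not a socket, but memset(&from, 0, sizeof(from)) leaves ss_family as 0 (AF_UNSPEC), not an AF_INET 0.0.0.0 address; either set the family before handing `from` to record_utmp_only(), or reword the comment so the utmp code is not expected to find an IPv4 address there.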
From: wendyp at cray.com (Wendy Palm) Date: Tue, 07 Aug 2001 16:34:41 -0500 Subject: do_pre_login() used before declared References: <3B705D3F.5DE78302@cray.com> Message-ID: <3B705EF1.721D08E7@cray.com> or better yet (why do we think of these things AFTER "send"?) add the prototype where it belongs: % diff -u session.c.orig session.c.mod @@ -129,6 +129,7 @@ void do_exec_no_pty(Session *, const char *); void do_exec(Session *, const char *); void do_login(Session *, const char *); +void do_pre_login(Session *) void do_child(Session *, const char *); void do_motd(void); int check_quietlogin(Session *, const char *); Wendy Palm wrote: > > do_pre_login() in session.c is used (in do_exec_pty()) before > it's declared, which is causing some problems for me. > > please move it up a couple hundred lines in the file. > > patch included for 0807 snapshot. > > thanks, > wendy > > % diff -u session.c.orig session.c.mod > --- session.c.orig Tue Aug 7 13:11:51 2001 > +++ session.c.mod Tue Aug 7 16:21:07 2001 > @@ -397,6 +397,34 @@ > } > } > > +#ifdef LOGIN_NEEDS_UTMPX > +void > +do_pre_login(Session *s) > +{ > + socklen_t fromlen; > + struct sockaddr_storage from; > + pid_t pid = getpid(); > + > + /* > + * Get IP address of client. If the connection is not a socket, let > + * the address be 0.0.0.0. > + */ > + memset(&from, 0, sizeof(from)); > + if (packet_connection_is_on_socket()) { > + fromlen = sizeof(from); > + if (getpeername(packet_get_connection_in(), > + (struct sockaddr *) & from, &fromlen) < 0) { > + debug("getpeername: %.100s", strerror(errno)); > + fatal_cleanup(); > + } > + } > + > + record_utmp_only(pid, s->tty, s->pw->pw_name, > + get_remote_name_or_ip(utmp_len, options.reverse_mapping_check), > + (struct sockaddr *)&from); > +} > +#endif > + > /* > * This is called to fork and execute a command when we have no tty. This > * will call do_child from the child, and server_loop from the parent after 
> @@ -621,34 +649,6 @@ > /* server_loop _has_ closed ptyfd and fdout. */ > } > } > - > -#ifdef LOGIN_NEEDS_UTMPX > -void > -do_pre_login(Session *s) > -{ > - socklen_t fromlen; > - struct sockaddr_storage from; > - pid_t pid = getpid(); > - > - /* > - * Get IP address of client. If the connection is not a socket, let > - * the address be 0.0.0.0. > - */ > - memset(&from, 0, sizeof(from)); > - if (packet_connection_is_on_socket()) { > - fromlen = sizeof(from); > - if (getpeername(packet_get_connection_in(), > - (struct sockaddr *) & from, &fromlen) < 0) { > - debug("getpeername: %.100s", strerror(errno)); > - fatal_cleanup(); > - } > - } > - > - record_utmp_only(pid, s->tty, s->pw->pw_name, > - get_remote_name_or_ip(utmp_len, options.reverse_mapping_check), > - (struct sockaddr *)&from); > -} > -#endif > > /* > * This is called to fork and execute a command. If another command is > > -- > wendy palm > Cray OS Sustaining Engineering, Cray Inc. > wendyp at cray.com, 651-605-9154 -- wendy palm Cray OS Sustaining Engineering, Cray Inc. wendyp at cray.com, 651-605-9154 From tim at multitalents.net Wed Aug 8 08:41:43 2001 
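Review bot: in the follow-up @@ -129,6 +129,7 @@ hunk the added line `+void do_pre_login(Session *)` is missing its terminating semicolon and will not compile; it should read `void do_pre_login(Session *);`. That second diff also lacks the `---`/`+++` file header the first one had, so patch cannot tell which file it applies to unless told on the command line.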
From: tim at multitalents.net (Tim Rice)
Date: Tue, 7 Aug 2001 15:41:43 -0700 (PDT)
Subject: Updated Cray patch against openssh SNAP-20010725
In-Reply-To: <3B68778D.17A994A1@cray.com>
Message-ID:

Thanks, I applied your patch (without the extra " ) :-)
It's been bugging me for days trying to figure out why a system would pass a test that was missing a library.

On Wed, 1 Aug 2001, Wendy Palm wrote:

> Wendy Palm wrote:
> >
> > "William L. Jones" wrote:
> > ...
> > > If you are building this on a T3E you may have to edit the Makefile
> > > and edit out "-lrpc -lyp -lrpc". There's a patch for sco that
> > > incorrectly assumes that you have a yp library if you
> > > have an rpc library. I will submit a generic fix to this list
> > > later since it is a generic problem.
> >
> > If you are building this (or other open source) package on a cray,
> > this is a perpetual problem.
> >
> > Most configure scripts figure out the existence of a library by
> > creating a small program and compiling it with the library, then
> > checking the exit status to determine if the loader found the library.
> > The default exit status on unicos machines is "0" for a library
> > not found message.
> >
> > To overcome this, add -Wl,"-Dmsglevel=334:fatal" to your loader flags.
>
> Sorry, here's the correct patch:
>
> % diff -u configure.in.orig configure.in
> --- configure.in.orig Wed Aug 1 16:24:39 2001
> +++ configure.in Wed Aug 1 16:40:40 2001
> @@ -245,7 +245,7 @@
> no_libsocket=1
> no_libnsl=1
> AC_DEFINE(USE_PIPES)
> - LDFLAGS="$LDFLAGS -L/usr/local/lib"
> + LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal",-L/usr/local/lib"
> LIBS="$LIBS -lgen -lrsc"
> ;;
> *-dec-osf*)
>

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From sturle.sunde at usit.uio.no Wed Aug 8 22:36:36 2001
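Review bot: the + line of the @@ -245,7 +245,7 @@ hunk has unbalanced quoting: in `-Wl,-Dmsglevel=334:fatal",-L/usr/local/lib"` the LDFLAGS string closes after `fatal` and a new one opens after `lib`, which is the extra `"` discussed above. The minimal fix is `LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal -L/usr/local/lib"`, keeping -L/usr/local/lib as a plain driver flag as the - line had it rather than handing it to the loader through -Wl. A comment in configure.in saying why the flag is there (the UNICOS loader exiting 0 on a missing library, as the quoted message explains) would also save the next reader the days of head-scratching described here.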
From: sturle.sunde at usit.uio.no (Sturle Sunde)
Date: 08 Aug 2001 14:36:36 +0200
Subject: AUTH_FAIL_MAX reached too early
Message-ID:

This looks like a bug (ssh -v output from user included below). AUTH_FAIL_MAX is reached before all supported authentication methods are tried. One possible solution is to count authentication failures separately for each method tried, and disconnect if one fails more than times.

Btw: The exit status bug is fixed in the CVS version of OpenSSH, but I'm not very enthusiastic about deploying a random CVS version of OpenSSH on a network with about 1000 unix machines and exactly 32767(!) users. Any time estimate for a bugfix release?

Report from user:

[larsar at lpsa larsar]$ ssh -v root at foobar
OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Seeding random number generator
debug1: restore_uid
debug1: ssh_connect: getuid 2024 geteuid 0 anon 0
debug1: Connecting to foobar [129.240.148.27] port 22.
debug1: Allocated local port 733.
debug1: temporarily_use_uid: 2024/12024 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /usit/sauron/u4/larsar/.ssh/identity type 0
debug1: identity file /usit/sauron/u4/larsar/.ssh/id_rsa type 1
debug1: identity file /usit/sauron/u4/larsar/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p2
debug1: match: OpenSSH_2.9p2 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 128/256
debug1: bits set: 1016/2049
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'foobar' is known and matches the DSA host key.
debug1: Found key in /etc/ssh/ssh_known_hosts2:201
debug1: bits set: 995/2049
debug1: len 55 datafellows 0
debug1: ssh_dss_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key /hom/larsar/.ssh/id_rsa
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: try pubkey: /usit/sauron/u4/larsar/.ssh/id_rsa
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: try pubkey: /usit/sauron/u4/larsar/.ssh/id_dsa
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: next auth method to try is hostbased
debug1: sig size 20 20
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
Received disconnect from 129.240.148.27: 2: Too many authentication failures for root
debug1: Calling cleanup 0x8060104(0x0)

--
Sturle    All eyes were on Ford Prefect. Some of them were on stalks.
~~~~~~    -- Douglas Adams, So long, and thanks for all the fish

From ktaylor at eosdata.gsfc.nasa.gov Wed Aug 8 23:30:13 2001
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor)
Date: Wed, 08 Aug 2001 09:30:13 -0400
Subject: sshfwd hosts.allow syntax
Message-ID: <3B713EE5.5029391F@daac.gsfc.nasa.gov>

Is there a new syntax, or procedure for handling specific port forwarding through tcp wrappers (as is done with the ssh.com version)? It looks like someone had a patch back in October, but the source code has changed a lot since then and I'm not sure how to incorporate it. Any help is appreciated.

From Fabien.Muller at ipcms.u-strasbg.fr Wed Aug 8 23:48:00 2001
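Sturle's AUTH_FAIL_MAX report above can be checked from the client log alone: ssh prints one "authentications that can continue" line for every userauth request the server refuses, and "next auth method to try is" names the method the following requests belong to. The C below is an added example written for this page, not OpenSSH code: it walks a constructed excerpt of that log, attributes each refusal to a method, and applies both a single global counter (what the report says sshd does) and the per-method counting the report proposes. The limit of 6 is an assumption standing in for AUTH_FAIL_MAX, the initial probe before any "next auth method" line is counted under the name "none" because the client log does not show whether sshd counts it, and the log lines are copied from the report rather than captured.

```c
/*
 * Added example (not OpenSSH code): attribute each refused userauth request
 * in a client "ssh -v" log to the method the client last announced, then
 * compare a single global failure counter with per-method counting.
 * LIMIT stands in for AUTH_FAIL_MAX (assumed value); the initial probe is
 * counted as method "none" (assumption); LOG is constructed from the report.
 */
#include <stdio.h>
#include <string.h>

#define MAX_METHODS 8
#define NAME_LEN    32
#define LIMIT       6

struct tally { char name[NAME_LEN]; int failures; };

struct auth_stats {
    struct tally method[MAX_METHODS];
    int nmethods;
    int total;            /* failures as a single global counter sees them */
    int global_trip;      /* failure number at which the global limit was hit, 0 = never */
    int permethod_trip;   /* same, with the limit applied to each method separately */
};

static const char *const LOG[] = {
    "debug1: got SSH2_MSG_SERVICE_ACCEPT",
    "debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased",
    "debug1: next auth method to try is publickey",
    "debug1: userauth_pubkey_agent: testing agent key /hom/larsar/.ssh/id_rsa",
    "debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased",
    "debug1: try pubkey: /usit/sauron/u4/larsar/.ssh/id_rsa",
    "debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased",
    "debug1: try pubkey: /usit/sauron/u4/larsar/.ssh/id_dsa",
    "debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased",
    "debug1: next auth method to try is hostbased",
    "debug1: sig size 20 20",
    "debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased",
    "debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased",
    "debug1: next auth method to try is keyboard-interactive",
    "debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased",
    "Received disconnect from 129.240.148.27: 2: Too many authentication failures for root",
};
#define NLOG ((int)(sizeof LOG / sizeof LOG[0]))

/* Find or create the per-method counter; NULL once the small table is full. */
static struct tally *tally_for(struct auth_stats *st, const char *name)
{
    for (int i = 0; i < st->nmethods; i++)
        if (strcmp(st->method[i].name, name) == 0)
            return &st->method[i];
    if (st->nmethods == MAX_METHODS)
        return NULL;
    struct tally *t = &st->method[st->nmethods++];
    snprintf(t->name, sizeof t->name, "%s", name);
    t->failures = 0;
    return t;
}

/* Fill st from the client log lines; returns the total number of refusals seen. */
int analyse_auth_log(const char *const *lines, int nlines, int limit, struct auth_stats *st)
{
    static const char NEXT[] = "debug1: next auth method to try is ";
    static const char FAIL[] = "debug1: authentications that can continue:";
    char current[NAME_LEN] = "none";     /* requests before the first NEXT line */

    memset(st, 0, sizeof *st);
    for (int i = 0; i < nlines; i++) {
        if (strncmp(lines[i], NEXT, sizeof NEXT - 1) == 0) {
            snprintf(current, sizeof current, "%s", lines[i] + sizeof NEXT - 1);
        } else if (strncmp(lines[i], FAIL, sizeof FAIL - 1) == 0) {
            struct tally *t = tally_for(st, current);
            if (t == NULL)
                continue;
            st->total++;
            t->failures++;
            if (st->total >= limit && st->global_trip == 0)
                st->global_trip = st->total;
            if (t->failures >= limit && st->permethod_trip == 0)
                st->permethod_trip = st->total;
        }
    }
    return st->total;
}

/* 1 if at least one request for the named method was refused, else 0. */
int method_tried(const struct auth_stats *st, const char *name)
{
    for (int i = 0; i < st->nmethods; i++)
        if (strcmp(st->method[i].name, name) == 0)
            return 1;
    return 0;
}

/* Named results over the constructed excerpt. */
int sample_total(void)          { struct auth_stats s; return analyse_auth_log(LOG, NLOG, LIMIT, &s); }
int sample_global_trip(void)    { struct auth_stats s; analyse_auth_log(LOG, NLOG, LIMIT, &s); return s.global_trip; }
int sample_permethod_trip(void) { struct auth_stats s; analyse_auth_log(LOG, NLOG, LIMIT, &s); return s.permethod_trip; }
int sample_tried(const char *m) { struct auth_stats s; analyse_auth_log(LOG, NLOG, LIMIT, &s); return method_tried(&s, m); }

int main(void)
{
    printf("refusals %d, global limit hit at %d, per-method limit hit at %d (0 = never), password tried: %d\n",
           sample_total(), sample_global_trip(), sample_permethod_trip(), sample_tried("password"));
    return 0;
}
```

On the excerpt the global counter reaches the limit on the seventh request (the second hostbased refusal is number six, which matches the disconnect arriving before password is ever offered), whereas no single method exceeds three refusals, so per-method counting would have let the client get to password. The trade-off a practitioner should weigh before adopting the proposal is that per-method counting raises the number of guesses one connection can make from the limit to roughly the limit times the number of enabled methods, which is exactly what the global cap exists to bound.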
From: Fabien.Muller at ipcms.u-strasbg.fr (Fabien Muller)
Date: Wed, 08 Aug 2001 15:48:00 +0200
Subject: with-tcp-wrappers enable ?
Message-ID: <3B71430F.CEF83A80@ipcms.u-strasbg.fr>

Hello,

I am trying to compile openssh-2.9p1 on an SGI Origin 200 computer under IRIX 6.5 with the option --with-tcp-wrappers enabled. I have also compiled tcp-wrapper and have installed the library libwrap.a in /usr/lib and the file tcpd.h in /usr/include.

When I run the ./configure script I get an error. The script tells me that libwrap is missing.

How can I resolve this?

Thanks.

Best Regards

Fabien Muller

From ktaylor at eosdata.gsfc.nasa.gov Wed Aug 8 23:50:16 2001
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor)
Date: Wed, 08 Aug 2001 09:50:16 -0400
Subject: with-tcp-wrappers enable ?
References: <3B71430F.CEF83A80@ipcms.u-strasbg.fr>
Message-ID: <3B714398.4428EC2@daac.gsfc.nasa.gov>

Fabien Muller wrote:
>
> Hello,
>
> I am trying to compile openssh-2.9p1 on an SGI Origin 200 computer under IRIX
> 6.5 with the option --with-tcp-wrappers enabled. I have also compiled
> tcp-wrapper and have installed the library libwrap.a in /usr/lib and the
> file tcpd.h in /usr/include.
>
> When I run the ./configure script I get an error. The script tells me
> that libwrap is missing.
>
> How can I resolve this?
>
> Thanks.
>
> Best Regards
>
> Fabien Muller

Try putting the libwrap.a in /usr/lib32. The default compile on SGI is to use n32 mode (which uses libraries located in /usr/lib32). It's all very messy, but that should work.

--
Kevin Taylor
Systems Administrator - DAAC, Code 902, Bldg 32, Rm N126A
Science Systems and Applications, Inc.
Goddard Space Flight Center
Greenbelt, MD 20771
Phone: (301) 614-5505
e-mail: ktaylor at daac.gsfc.nasa.gov

From neal at cs.uml.edu Thu Aug 9 00:31:41 2001
From: neal at cs.uml.edu (Neal H Walfield)
Date: Wed, 8 Aug 2001 16:31:41 +0200
Subject: forwarded message from mouring@etoh.eviladmin.org
In-Reply-To:
References:
Message-ID: <20010808163141.A8086@walfield.org>

> I have no problems if we handle ENAMETOOLONG using xgethostname()
> (mirroring naming already used for replacement functions [xstrdup,
> xmalloc, etc]). However, since OpenBSD currently does not support
> ENAMETOOLONG it really should not be in the OpenBSD tree which leaves us
> with 3 unique changes for portable. Which is tolerable.

I am not sure what you mean by not supported. ENAMETOOLONG is both defined in (as required by at least SUSv2) and it is also used in .

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 240 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010808/f67ea159/attachment.bin

From frank-m.mohr at db.com Thu Aug 9 02:24:08 2001
From: frank-m.mohr at db.com (Frank-M Mohr)
Date: Wed, 8 Aug 2001 17:24:08 +0100
Subject: Setting of DISPLAY Variable - Patch
Message-ID:

Hi

Thanks for the answers.

I'm using the following patch now (works for AIX 4.3.3; I'll check other AIX versions, Solaris and Linux later).

configure --with-cppflags=-DLOCALHOST_IN_DISPLAY activates the change.

*** channels.c Wed Jun 13 21:18:05 2001
--- ../openssh-2.9p2.aix/channels.c Wed Aug 8 14:55:24 2001
***************
*** 2268,2276 ****
--- 2268,2282 ----
display_number, screen_number);
}
#else /* IPADDR_IN_DISPLAY */
+ #ifdef LOCALHOST_IN_DISPLAY
+ /* Just set DISPLAY to localhost:screen.display */
+ snprintf(display, sizeof display, "%.400s:%d.%d", "localhost",
+ display_number, screen_number);
+ #else
/* Just set DISPLAY to hostname:screen.display */
snprintf(display, sizeof display, "%.400s:%d.%d", hostname,
display_number, screen_number);
+ #endif /* LOCALHOST_IN_DISPLAY */
#endif /* IPADDR_IN_DISPLAY */
/* Allocate a channel for each socket. */

--

From markus.friedl at informatik.uni-erlangen.de Thu Aug 9 05:03:22 2001
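Review bot: the new `#ifdef LOCALHOST_IN_DISPLAY` branch is nested inside the `#else /* IPADDR_IN_DISPLAY */` arm, so a build that defines both macros silently keeps the IP-address form and never sees the localhost change; either make the two options mutually exclusive where they are set, or test LOCALHOST_IN_DISPLAY before IPADDR_IN_DISPLAY. In the added lines, `"%.400s"` applied to the literal "localhost" is a leftover from the hostname case and `"localhost:%d.%d"` would say what the code does, and the comment copied from the hostname branch reads `localhost:screen.display` while the format prints the display number before the screen number.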
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 8 Aug 2001 21:03:22 +0200
Subject: AUTH_FAIL_MAX reached too early
In-Reply-To: ; from sturle.sunde@usit.uio.no on Wed, Aug 08, 2001 at 02:36:36PM +0200
References:
Message-ID: <20010808210321.C12363@folly>

On Wed, Aug 08, 2001 at 02:36:36PM +0200, Sturle Sunde wrote:
> Btw: The exit status bug is fixed in the CVS version of OpenSSH, but
> I'm not very enthusiastic about deploying a random CVS version of
> OpenSSH on a network with about 1000 unix machines and exactly
> 32767(!) users. Any time estimate for a bugfix release?

it's not likely. there are too many changes, you probably have to
wait for the next release.

From j.ploeg at planet.nl Thu Aug 9 06:58:04 2001
From: j.ploeg at planet.nl (John van der Ploeg)
Date: Wed, 08 Aug 2001 22:58:04 +0200
Subject: openssh-2.9p2 Config - undefined references
Message-ID: <3B71A7DB.A56AD390@planet.nl>

Hi Damien,

I have a problem getting openssh-2.9p2 properly configured.

This is the problem:

configure:4433: gcc -o conftest -g -O2 -Wall -I/opt/openssl/include
-L/opt/open
ssl/lib conftest.c -lz -lnsl -lutil -lcrypto 1>&5
/opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_load':
dso_dlfcn.o(.text+0x8e): undefined reference to `dlopen'
dso_dlfcn.o(.text+0xa4): undefined reference to `dlopen'
dso_dlfcn.o(.text+0x10a): undefined reference to `dlclose'
/opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_unload':
dso_dlfcn.o(.text+0x1d2): undefined reference to `dlclose'
/opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_var':
dso_dlfcn.o(.text+0x283): undefined reference to `dlsym'
/opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_func':
dso_dlfcn.o(.text+0x353): undefined reference to `dlsym'
configure: failed program was:
#line 4419 "configure"
#include "confdefs.h"

#include
#include
int main(void)
{
	char a[2048];
	memset(a, 0, sizeof(a));
	RAND_add(a, sizeof(a), sizeof(a));
	return(RAND_status() <= 0);
}

I use it with openssl-engine-0.9.6b and openssl-0.9.6b installed
to /opt/openssl and /usr/local/ssl (ln -s). When running the
make test option of openssl, it reports no problems (which kind
of indicates the problem is not with openssl I hope)

The machine is a Linux version 2.2.5 kernel, gcc version 2.7.2.3

Any idea what could be wrong here?

Regards,

- John

--
John van der Ploeg
http://home.planet.nl/~jvdploe
j.ploeg at planet.nl

From mvihel at paragee.com Thu Aug 9 08:34:19 2001
From: mvihel at paragee.com (Mike Vihel)
Date: Wed, 08 Aug 2001 15:34:19 -0700
Subject: build problem with 2.9p1 & p2
Message-ID: <3B71BE6B.EF5A4267@paragee.com>

Greetings -

I don't think this is a bug; just something I don't understand.

I'm using RedHat Linux v7.0 with an i686 processor.

I've been using openssl v0.9.5a with openssh v2.2.1

I've upgraded to openssl v0.9.6b and openssh v2.9.p2

I've built both packages with the '--prefix=/usr' option.

During the openssh 'make install' at 'host-key' I get an error 255
OpenSSL Version mismatch. Built against 90601f, you have 90581f

I also get the same error when trying to start the sshd daemon.

I've re-installed openssl v0.9.5a and it fixed the problem.

Can you tell me what's going on here?

Thanks,

Mike.

--
Michael Vihel
Server Farm Director
Paragee Zero Search
109 4th Street, Suite B
Eureka, California 95501
707.445.2678 ext. 207
707.445.4655 fax
www.paragee.com
mvihel at paragee.com

From Lutz.Jaenicke at aet.TU-Cottbus.DE Thu Aug 9 19:05:06 2001
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Thu, 9 Aug 2001 11:05:06 +0200
Subject: openssh-2.9p2 Config - undefined references
In-Reply-To: <3B71A7DB.A56AD390@planet.nl>; from j.ploeg@planet.nl on Wed, Aug 08, 2001 at 10:58:04PM +0200
References: <3B71A7DB.A56AD390@planet.nl>
Message-ID: <20010809110506.A20286@serv01.aet.tu-cottbus.de>

On Wed, Aug 08, 2001 at 10:58:04PM +0200, John van der Ploeg wrote:
> configure:4433: gcc -o conftest -g -O2 -Wall -I/opt/openssl/include
> -L/opt/open
> ssl/lib conftest.c -lz -lnsl -lutil -lcrypto 1>&5
> /opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_load':
> dso_dlfcn.o(.text+0x8e): undefined reference to `dlopen'
> dso_dlfcn.o(.text+0xa4): undefined reference to `dlopen'
> dso_dlfcn.o(.text+0x10a): undefined reference to `dlclose'
> /opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_unload':
> dso_dlfcn.o(.text+0x1d2): undefined reference to `dlclose'
> /opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_var':
>
> dso_dlfcn.o(.text+0x283): undefined reference to `dlsym'
> /opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function
> `dlfcn_bind_func':
> dso_dlfcn.o(.text+0x353): undefined reference to `dlsym'
> configure: failed program was:
> #line 4419 "configure"
> #include "confdefs.h"
>
> #include
> #include
> int main(void)
> {
> char a[2048];
> memset(a, 0, sizeof(a));
> RAND_add(a, sizeof(a), sizeof(a));
> return(RAND_status() <= 0);
> }
>
>
>
> I use it with openssl-engine-0.9.6b and openssl-0.9.6b installed
> to /opt/openssl and /usr/local/ssl (ln -s). When running the
> make test option of openssl, it reports no problems (which kind
> of indicates the problem is not with openssl I hope)

The use of the openssl-engine modules implies loading shared libraries
at runtime. To provide this functionality, you have to link against
libdl by supplying "-ldl" after linking against -lcrypto.
LIBS="-ldl" ./configure --other-options

Best regards,
	Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From Lutz.Jaenicke at aet.TU-Cottbus.DE Thu Aug 9 19:08:02 2001
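As an added example, not taken from OpenSSH's own configure.in: the way an autoconf-based build can discover the dynamic-loader library instead of hard-coding LIBS="-ldl" as in Lutz's reply above. It also addresses the question raised later in this thread about detecting the need for -ldl automatically, and covers the HP-UX case mentioned there, where the 32-bit loader library is libdld. AC_SEARCH_LIBS first tries to link a program that calls dlopen() with no extra library (on the BSDs dlopen lives in libc, so no -ldl should be added there), then with each listed library in turn, and prepends the first one that links to LIBS.

```m4
dnl Added example, not from OpenSSH's configure.in. Run this before the
dnl libcrypto link test: a libcrypto.a built with DSO/engine support
dnl references dlopen/dlsym/dlclose and will not link without the loader
dnl library. "dl" is the usual name (Linux, Solaris, AIX); "dld" is the
dnl 32-bit HP-UX name; on the BSDs dlopen is in libc and nothing is added.
AC_SEARCH_LIBS([dlopen], [dl dld], ,
  [AC_MSG_WARN([no dlopen(); a libcrypto built with engine support will not link])])
```

Link order still matters for a static libcrypto.a: -ldl has to follow -lcrypto on the final command line. AC_SEARCH_LIBS prepends to LIBS, so a configure script that later does LIBS="-lcrypto $LIBS" ends up with the right order, while one that appends -lcrypto to the end of LIBS does not and needs -ldl placed explicitly after it, as Lutz's LIBS="-ldl" workaround does.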
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Thu, 9 Aug 2001 11:08:02 +0200
Subject: build problem with 2.9p1 & p2
In-Reply-To: <3B71BE6B.EF5A4267@paragee.com>; from mvihel@paragee.com on Wed, Aug 08, 2001 at 03:34:19PM -0700
References: <3B71BE6B.EF5A4267@paragee.com>
Message-ID: <20010809110802.B20286@serv01.aet.tu-cottbus.de>

On Wed, Aug 08, 2001 at 03:34:19PM -0700, Mike Vihel wrote:
> Greetings -
>
> I don't think this is a bug; just something I don't understand.
>
> I'm using RedHat Linux v7.0 with an i686 processor.
>
> I've been using openssl v0.9.5a with openssh v2.2.1
>
> I've upgraded to openssl v0.9.6b and openssh v2.9.p2
>
> I've built both packages with the '--prefix=/usr' option.
>
> During the openssh 'make install' at 'host-key' I get an error 255
> OpenSSL Version mismatch. Built against 90601f, you have 90581f
>
> I also get the same error when trying to start the sshd daemon.
>
> I've re-installed openssl v0.9.5a and it fixed the problem.
>
> Can you tell me what's going on here?

For reasons that you will have to check out yourself, the runtime
loader loads the old shared libraries of OpenSSL-0.9.5 (that are still
on the system) instead of picking up the new libraries...
Probably it is necessary to perform an 'ldconfig' after installing the
new openssl-0.9.6b shared libraries.

Best regards,
	Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From Fabien.Muller at ipcms.u-strasbg.fr Thu Aug 9 22:56:56 2001
From: Fabien.Muller at ipcms.u-strasbg.fr (Fabien Muller)
Date: Thu, 09 Aug 2001 14:56:56 +0200
Subject: Problem with the --with-tcp-warppers option enable
Message-ID: <3B728898.92008847@ipcms.u-strasbg.fr>

Hello,

I have compiled with success openssh on a SGI Origin 200 computer under
Irix 6.5 with the option --with-tcp-wrappers enable. When i try to
connect with ssh, i have the following message :

ssh_exchange_identification: Connection closed by remote host.

My files hosts.allow and hosts.deny are in /etc and look like this :

hosts.allow

ALL: LOCAL host1 host2 etc

hosts.deny

ALL: ALL: /usr/etc/safe_finger -l @%h | /usr/sbin/Mail -s 'INTRUSION tcpd: \ %d-%h' root &

These files work for telnet

When i erase them i can use ssh.

Has someone resolved a similar problem ?

Thanks.

Fabien Muller

From mouring at etoh.eviladmin.org Thu Aug 9 23:04:30 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 9 Aug 2001 08:04:30 -0500 (CDT)
Subject: openssh-2.9p2 Config - undefined references
In-Reply-To: <20010809110506.A20286@serv01.aet.tu-cottbus.de>
Message-ID:

[,,]
> > I use it with openssl-engine-0.9.6b and openssl-0.9.6b installed
> > to /opt/openssl and /usr/local/ssl (ln -s). When running the
> > make test option of openssl, it reports no problems (which kind
> > of indicates the problem is not with openssl I hope)
>
> The use of the openssl-engine modules implies loading shared libraries
> at runtime. To provide this functionality, you have to link against
> libdl by supplying "-ldl" after linking against -lcrypto.
> LIBS="-ldl" ./configure --other-options
>

Is there any way we can detect openssl-engine independent of openssl and
add -ldl in? I think more people are going to start to use openssl-engine
as more crypto cards are supported.

- Ben

From Lutz.Jaenicke at aet.TU-Cottbus.DE Thu Aug 9 23:29:06 2001
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Thu, 9 Aug 2001 15:29:06 +0200
Subject: openssh-2.9p2 Config - undefined references
In-Reply-To: ; from mouring@etoh.eviladmin.org on Thu, Aug 09, 2001 at 08:04:30AM -0500
References: <20010809110506.A20286@serv01.aet.tu-cottbus.de>
Message-ID: <20010809152906.A23122@serv01.aet.tu-cottbus.de>

On Thu, Aug 09, 2001 at 08:04:30AM -0500, mouring at etoh.eviladmin.org wrote:
> [,,]
> > > I use it with openssl-engine-0.9.6b and openssl-0.9.6b installed
> > > to /opt/openssl and /usr/local/ssl (ln -s). When running the
> > > make test option of openssl, it reports no problems (which kind
> > > of indicates the problem is not with openssl I hope)
> >
> > The use of the openssl-engine modules implies loading shared libraries
> > at runtime. To provide this functionality, you have to link against
> > libdl by supplying "-ldl" after linking against -lcrypto.
> > LIBS="-ldl" ./configure --other-options
> >
>
> Is there any way we can detect openssl-engine independent of openssl and
> add -ldl in? I think more people are going to start to use openssl-engine
> as more crypto cards are supported.

OpenSSL as of 0.9.7 will have engine support built in, there won't be
any special -engine release.
Typically the problem should not occur, as the shared libs should be
built with "-ldl" itself, so that they already include this dependency.
0.9.7 will have the shared library building reworked and included by
default. Up to 0.9.6x it is considered "experimental" and -- as we see
here -- may break on occasion.

Coming back to the original question: I don't have an idea on how to
test for this problem. It probably won't hurt to link against "-ldl"
unconditionally. (On HP-UX for 32bit executables this is -ldld, not
sure about other platforms...)
Another option would be to make this an FAQ, as 0.9.7 should solve the
problem by itself and for 0.9.6x-engine users it is a question of the
(experimental) shared library building not including -ldl...

Best regards,
	Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From bradshaw at staff.crosswalk.com Fri Aug 10 01:08:36 2001
From: bradshaw at staff.crosswalk.com (Mark Bradshaw)
Date: Thu, 9 Aug 2001 11:08:36 -0400
Subject: [PATCH]: ssh: Avoid paths beginning with "//"
Message-ID: <911C684A29ACD311921800508B7293BA010A8BB6@cnmail>

We patched a few bugs in the sftp implementation last month that dealt
with path concatenation that created paths beginning with "//", which
caused problems on Windows machines. Unfortunately, a few slipped by in
ssh as well that I'd like to get patched.

Ssh runs into the same problem when dealing with known_hosts files. When
the home directory for a user is set to "/", it attempts to use "//.ssh"
as its location to store the known_hosts files, key pairs, etc. This
doesn't adversely affect unix installations, but causes windows grief.
For further info on this problem reference Corinna Vinschen's post on
July 25.

As far as I can tell only two locations need to be patched to correct
this. Ssh.c needs to be patched where it attempts to locate and possibly
create the .ssh directory, and tildexpand.c needs to be patched so that
it correctly expands the home directory of the user when it's set to
root. I've attached the diffs.

Mark

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: diffs.txt
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010809/9790aed5/attachment.txt

From jmknoble at pobox.com Fri Aug 10 01:32:44 2001
From: jmknoble at pobox.com (Jim Knoble)
Date: Thu, 9 Aug 2001 10:32:44 -0500
Subject: build problem with 2.9p1 & p2
In-Reply-To: <3B71BE6B.EF5A4267@paragee.com>; from mvihel@paragee.com on Wed, Aug 08, 2001 at 03:34:19PM -0700
References: <3B71BE6B.EF5A4267@paragee.com>
Message-ID: <20010809103244.A1225@zax.half.pint-stowp.cx>

Circa 2001-Aug-08 15:34:19 -0700 dixit Mike Vihel:

: Greetings -
:
: I don't think this is a bug; just something I don't understand.
:
: I'm using RedHat Linux v7.0 with an i686 processor.
:
: I've been using openssl v0.9.5a with openssh v2.2.1
:
: I've upgraded to openssl v0.9.6b and openssh v2.9.p2
:
: I've built both packages with the '--prefix=/usr' option.
:
: During the openssh 'make install' at 'host-key' I get an error 255
: OpenSSL Version mismatch. Built against 90601f, you have 90581f
:
: I also get the same error when trying to start the sshd daemon.
:
: I've re-installed openssl v0.9.5a and it fixed the problem.
:
: Can you tell me what's going on here?

If you're installing OpenSSL by compiling from source instead of from a
pre-built RPM package, then it's very likely that you're not installing
everything that Red Hat's OpenSSL RPM package does. In particular, Red
Hat's package installs shared libraries, and, by default, OpenSSL-0.9.6b
does not. Additionally, gcc on Red Hat Linux is set up to link against a
shared library if one exists in preference to a static library.

If you're going to install OpenSSL from source, you really should
uninstall the existing openssl-devel package before doing so:

  su
  rpm -e openssl-devel

Also, under package-managed systems such as Red Hat Linux (or Mandrake,
SuSE, Connectiva, or Debian) it's recommended to configure packages you
install from source with a --prefix of /usr/local or /opt or similar, so
that you (or someone else) can tell the software is not installed via
the package management system. Otherwise, you end up with a system where
'rpm -q openssl' claims that openssl-0.9.5a is installed, but somehow
magically openssl-0.9.6b is what applications get built against....

Of course, it can often be worth the time to roll your own RPM packages
of openssl-0.9.6b, using Red Hat's packages as an example. Then you can
install them on multiple systems without having to compile each time,
and you've got the spec file to document how the package was built and
with what options it was configured.

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)

From tim at multitalents.net Fri Aug 10 01:41:39 2001
From: tim at multitalents.net (Tim Rice)
Date: Thu, 9 Aug 2001 08:41:39 -0700 (PDT)
Subject: Problem with the --with-tcp-warppers option enable
In-Reply-To: <3B728898.92008847@ipcms.u-strasbg.fr>
Message-ID:

I think ALL: doesn't work for sshd. (doesn't use tcpd)
Try creating a separate entry for sshd in hosts.allow

On Thu, 9 Aug 2001, Fabien Muller wrote:

> Hello,
>
> I have compiled with success openssh on a SGI Origin 200 computer under
> Irix 6.5 with the option --with-tcp-wrappers enable. When i try to
> connect with ssh, i have the following message :
>
> ssh_exchange_identification: Connection closed by remote host.
>
> My files hosts.allow and hosts.deny are in /etc and look like this :
>
> hosts.allow
>
> ALL: LOCAL host1 host2 etc
>
> hosts.deny
>
> ALL: ALL: /usr/etc/safe_finger -l @%h | /usr/sbin/Mail -s 'INTRUSION
> tcpd: \ %d-%h' root &
>
> These files work for telnet
>
> When i erase them i can use ssh.
>
> Has someone resolved a similar problem ?
>
> Thanks.
>
> Fabien Muller
>

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From pekkas at netcore.fi Fri Aug 10 06:27:13 2001
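As an added configuration example, not from the thread: the hosts.allow from the original post next to a form that follows the advice in the replies. An sshd built with --with-tcp-wrappers evaluates the rules itself through libwrap under its own daemon name, sshd, and libwrap compares host patterns against the canonical name obtained from a reverse lookup of the client, so a bare host1 only matches when that lookup yields exactly "host1". The domain name yourdomain.com is a placeholder.

```text
# Original form (from the post): short names, matched only if the client's
# reverse lookup returns exactly "host1" or "host2".
ALL: LOCAL host1 host2 etc

# Corrected form (added example; yourdomain.com is a placeholder).
# A dedicated sshd line removes any doubt about whether the ALL wildcard
# applies to a daemon that calls libwrap directly instead of running under
# tcpd. Fully qualified names match the canonical name libwrap resolves,
# and a pattern with a leading dot matches every host in that domain.
sshd: LOCAL host1.yourdomain.com host2.yourdomain.com
sshd: .yourdomain.com
```

LOCAL still matches any client whose resolved name contains no dot. With "ALL: ALL" in hosts.deny, a client whose reverse lookup fails has no name to match and is refused; if that matters, add an address pattern (a network prefix with a trailing dot, or net/mask form) rather than relying on DNS, which also keeps the decision independent of a name the client's network controls.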
From: pekkas at netcore.fi (Pekka Savola)
Date: Thu, 9 Aug 2001 23:27:13 +0300 (EEST)
Subject: Problem with the --with-tcp-warppers option enable
In-Reply-To: <3B728898.92008847@ipcms.u-strasbg.fr>
Message-ID:

On Thu, 9 Aug 2001, Fabien Muller wrote:
> I have compiled with success openssh on a SGI Origin 200 computer under
> Irix 6.5 with the option --with-tcp-wrappers enable. When i try to
> connect with ssh, i have the following message :
>
> ssh_exchange_identification: Connection closed by remote host.
>
> My files hosts.allow and hosts.deny are in /etc and look like this :
>
> hosts.allow
>
> ALL: LOCAL host1 host2 etc

The hostnames are most probably canonized. Use host1.yourdomain.com and
it should work.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

From mstone at cs.loyola.edu Sat Aug 11 04:01:40 2001
From: mstone at cs.loyola.edu (Michael Stone)
Date: Fri, 10 Aug 2001 14:01:40 -0400
Subject: large files scp problem
Message-ID: <20010810140140.O19215@justice.loyola.edu>

scp sends the size of the file it's copying to the remote system. The
printf string uses %lu by default, and %lld if the host system supports
long longs. Unfortunately, the check for whether the system supports
long longs isn't correct and the wrong format string is used in some
cases. Specifically, HAVE_LONG_LONG_INT isn't defined if int64_t is
defined in the system headers. The patch below separates the
HAVE_LONG_LONG_INT logic from the HAVE_INT64_T logic.

--- openssh-2.9p2.orig/defines.h Wed May 9 00:39:19 2001 +++ openssh-2.9p2/defines.h Fri Aug 10 17:44:58 2001 @@ -226,6 +226,10 @@ # endif #endif +#if (SIZEOF_LONG_LONG_INT == 8) +# define HAVE_LONG_LONG_INT +#endif + #ifndef HAVE_SOCKLEN_T typedef unsigned int socklen_t; # define HAVE_SOCKLEN_T

--
Mike Stone

From rachit at ensim.com Sat Aug 11 07:37:14 2001
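Review bot: the new block does `#define HAVE_LONG_LONG_INT` with no guard, so on a platform where configure (or the int64_t logic this patch separates it from) already defines HAVE_LONG_LONG_INT, possibly as `1`, the second definition with a different replacement list draws a redefinition diagnostic; write it as `#if (SIZEOF_LONG_LONG_INT == 8) && !defined(HAVE_LONG_LONG_INT)` or wrap it in `#ifndef HAVE_LONG_LONG_INT`. The `#if` itself needs no `#ifdef SIZEOF_LONG_LONG_INT` around it, since an identifier that is not defined evaluates to 0 in a preprocessor expression and the test then simply fails. A one-line comment saying why the size is tested (the scp size line must carry 64-bit values, and %lu truncates them where long is 32 bits) would help the next reader of defines.h.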
From: rachit at ensim.com (Rachit Siamwalla)
Date: Fri, 10 Aug 2001 14:37:14 -0700
Subject: build problem with 2.9p1 & p2
Message-ID: <9AC41B8C4781464695BB013F106FCA3102900B6C@nasdaq.ms.ensim.com>

in general for openssl, if you are not overly concerned about executable
size and code sharing, you should link with it statically when compiling
with openssh. This is because other programs may use specific versions of
openssl as well, and openssl has had a bad history of having different
versions of the library binary compatible with each other.

-rchit

-----Original Message-----
From: Jim Knoble [mailto:jmknoble at pobox.com]
Sent: Thursday, August 09, 2001 8:33 AM
To: OpenSSH Unix Dev
Subject: Re: build problem with 2.9p1 & p2

From edwin.cubi at gasoc.com Sat Aug 11 09:07:19 2001
From: edwin.cubi at gasoc.com (Cubi, Edwin)
Date: Fri, 10 Aug 2001 19:07:19 -0400
Subject: Rhosts Authentication Problem on Solaris
Message-ID: <69E302899020D511AEC700B0D049474374B988@exgsoc.gasoc.com>

Anyone, HELP!!!!!!!!!!!!!!

I currently installed openssh-2.9p2 on SunOS 5.7 and 5.8. From the very
moment that I start to ssh out I get "Rhosts Authentication disabled ;the
originating ip will not be trusted". I've put "Useprivileged yes " in the
ssh_config file, but then the ssh complains that there is a bad config line.
Can someone tell me what is going on and how can I get around this. I would
like to use the scp capability and it will not work unless I can get around
this problem. The ssh file is correctly setuided. HELP!!! I'm floundering

Eddie C.
Unix Sys Admin

From nalin at redhat.com Sat Aug 11 09:22:28 2001
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Fri, 10 Aug 2001 19:22:28 -0400
Subject: Rhosts Authentication Problem on Solaris
In-Reply-To: <69E302899020D511AEC700B0D049474374B988@exgsoc.gasoc.com>; from edwin.cubi@gasoc.com on Fri, Aug 10, 2001 at 07:07:19PM -0400
References: <69E302899020D511AEC700B0D049474374B988@exgsoc.gasoc.com>
Message-ID: <20010810192227.D31887@redhat.com>

On Fri, Aug 10, 2001 at 07:07:19PM -0400, Cubi, Edwin wrote:
> Anyone, HELP!!!!!!!!!!!!!!
>
> I currently installed openssh-2.9p2 on SunOS 5.7 and 5.8. From the very
> moment that I start to ssh out I get "Rhosts Authentication disabled ;the
> originating ip will not be trusted". I've put "Useprivileged yes " in the
> ssh_config file, but then the ssh complains that there is a bad config line.
> Can someone tell me what is going on and how can I get around this. I would
> like to use the scp capability and it will not work unless I can get around
> this problem. The ssh file is correctly setuided. HELP!!! I'm floundering

The configuration directive is UsePrivilegedPort, not Useprivileged, so
it's understandable that ssh wouldn't recognize it.

RhostsAuthentication can also only be used with protocol 1, and at least
in 2.9, protocol 2 is the default. Try adding "-1" or "-o 'protocol 1'"
to your ssh invocation, and see if that helps.

Cheers,

Nalin

From markus.friedl at informatik.uni-erlangen.de Thu Aug 9 18:33:59 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 9 Aug 2001 10:33:59 +0200
Subject: openssh-2.9p2 Config - undefined references
In-Reply-To: <3B71A7DB.A56AD390@planet.nl>; from j.ploeg@planet.nl on Wed, Aug 08, 2001 at 10:58:04PM +0200
References: <3B71A7DB.A56AD390@planet.nl>
Message-ID: <20010809103359.A18056@folly>

you can:
1) build openssl w/o DSO support
2) add -ldl to the LDFLAGS

-m

On Wed, Aug 08, 2001 at 10:58:04PM +0200, John van der Ploeg wrote:
> Hi Damien,
>
> I have a problem getting openssh-2.9p2 properly configured.
>
> This is the problem:
>
> configure:4433: gcc -o conftest -g -O2 -Wall -I/opt/openssl/include
> -L/opt/open
> ssl/lib conftest.c -lz -lnsl -lutil -lcrypto 1>&5
> /opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_load':
> dso_dlfcn.o(.text+0x8e): undefined reference to `dlopen'
> dso_dlfcn.o(.text+0xa4): undefined reference to `dlopen'
> dso_dlfcn.o(.text+0x10a): undefined reference to `dlclose'
> /opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_unload':
> dso_dlfcn.o(.text+0x1d2): undefined reference to `dlclose'
> /opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_var':
>
> dso_dlfcn.o(.text+0x283): undefined reference to `dlsym'
> /opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function
> `dlfcn_bind_func':
> dso_dlfcn.o(.text+0x353): undefined reference to `dlsym'
> configure: failed program was:
> #line 4419 "configure"
> #include "confdefs.h"
>
> #include
> #include
> int main(void)
> {
> char a[2048];
> memset(a, 0, sizeof(a));
> RAND_add(a, sizeof(a), sizeof(a));
> return(RAND_status() <= 0);
> }
>
>
>
> I use it with openssl-engine-0.9.6b and openssl-0.9.6b installed
> to /opt/openssl and /usr/local/ssl (ln -s). When running the
> make test option of openssl, it reports no problems (which kind
> of indicates the problem is not with openssl I hope)
>
> The machine is a Linux version 2.2.5 kernel, gcc version 2.7.2.3
>
> Any idea what could be wrong here?
>
> Regards,
>
> - John
>
> --
> John van der Ploeg
> http://home.planet.nl/~jvdploe
> j.ploeg at planet.nl
>
>

From rachit at ensim.com Sat Aug 11 12:51:15 2001
From: rachit at ensim.com (Rachit Siamwalla)
Date: Fri, 10 Aug 2001 19:51:15 -0700
Subject: build problem with 2.9p1 & p2
Message-ID: <9AC41B8C4781464695BB013F106FCA3102900B6F@nasdaq.ms.ensim.com>

I meant "incompatible", sorry..

-rchit

-----Original Message-----
From: Rachit Siamwalla [mailto:rachit at ensim.com]
Sent: Friday, August 10, 2001 2:37 PM
To: 'Jim Knoble'; OpenSSH Unix Dev
Subject: RE: build problem with 2.9p1 & p2

-----Original Message-----
From: Jim Knoble [mailto:jmknoble at pobox.com]
Sent: Thursday, August 09, 2001 8:33 AM
To: OpenSSH Unix Dev
Subject: Re: build problem with 2.9p1 & p2

From ljfisher at iastate.edu Sat Aug 11 16:29:32 2001
From: ljfisher at iastate.edu (Lucas Fisher)
Date: Sat, 11 Aug 2001 01:29:32 -0500
Subject: determining whether passwd auth succeeds
Message-ID: <200108110629.XAA09420@albatross.prod.itd.earthlink.net>

Hi,
I'm writing a c++ wrapper around ssh for KDE, mainly for use in a sftp
client. My problem is when starting ssh with the sftp subsystem openssh
gives no indication that password authentication succeeded. This makes it
difficult for my wrapper to determine if the connection succeeded. Now
determining it didn't succeed can be done by checking for another password
prompt. The problem with this is password verification could take time
(correct?). So if I send the password then immediately do a read from the
terminal, there is no guarantee I'll get the second password prompt
if the password was incorrect, right? I could wait a couple
of seconds and if I don't get another password prompt assume
authentication succeeded, but this is a bad solution. Are there any
other techniques I could employ?

thanks,
Lucas

From djm at mindrot.org Sat Aug 11 16:51:05 2001
From: djm at mindrot.org (Damien Miller)
Date: Sat, 11 Aug 2001 16:51:05 +1000 (EST)
Subject: with-tcp-wrappers enable ?
In-Reply-To: <3B71430F.CEF83A80@ipcms.u-strasbg.fr>
Message-ID:

On Wed, 8 Aug 2001, Fabien Muller wrote:

> Hello,
>
> I try to compile openssh-2.9p1 on a SGI Origin 200 computer under IRIX
> 6.5 with the option --with-tcp-wrappers enable. I have also compiled
> tcp-wrapper and have installed the library libwrap.a in /usr/lib and the
> file tcpd.h in /usr/include.
>
> When i run the ./configure script i have a error. The script asked me
> that the libwrap is missing.
>
> How can i resolve this ?

A more detailed error will be left in config.log

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From djm at mindrot.org Sat Aug 11 16:55:18 2001
From: djm at mindrot.org (Damien Miller)
Date: Sat, 11 Aug 2001 16:55:18 +1000 (EST)
Subject: build problem with 2.9p1 & p2
In-Reply-To: <9AC41B8C4781464695BB013F106FCA3102900B6C@nasdaq.ms.ensim.com>
Message-ID:

On Fri, 10 Aug 2001, Rachit Siamwalla wrote:

> i general for openssl, if you are not overly concerned about
> executable size and code sharing, you should link with it statically
> when compiling with openssh. This is because other programs may
> use specific versions of openssl as well, and openssl has had a
> bad history of having different versions of the library binary
> compatible with each other.

Thus the annoying version check :)

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From djm at mindrot.org Sat Aug 11 16:56:26 2001
From: djm at mindrot.org (Damien Miller) Date: Sat, 11 Aug 2001 16:56:26 +1000 (EST) Subject: Rhosts Authentication Problem on Solaris In-Reply-To: <69E302899020D511AEC700B0D049474374B988@exgsoc.gasoc.com> Message-ID: On Fri, 10 Aug 2001, Cubi, Edwin wrote: > Anyone, HELP!!!!!!!!!!!!!! > > I currently installed openssh-2.9p2 on SunOS 5.7 and 5.8. From the > very moment that I start to ssh out I get "Rhosts Authentication > disabled ;the originating ip will not be trusted". I've put > "Useprivileged yes " in the ssh_config file, but then the ssh > complains that there is a bad config line. The correct config directive is documented in the manpage. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From djm at mindrot.org Sat Aug 11 16:58:14 2001 
From: djm at mindrot.org (Damien Miller) Date: Sat, 11 Aug 2001 16:58:14 +1000 (EST) Subject: determining whether passwd auth succeeds In-Reply-To: <200108110629.XAA09420@albatross.prod.itd.earthlink.net> Message-ID: On Sat, 11 Aug 2001, Lucas Fisher wrote: > Hi, > I'm writing a c++ wrapper around ssh for KDE, mainly for use in a sftp > client. My problem is when starting ssh with the sftp subsystem openssh > gives no indication that password authentication succeeded. This makes it > difficult for my wrapper to determine if the connection succeeded. Now > determining it didn't succeed can be done by checking for another password > prompt. The problem with this is password verification could take time > (correct?). So if I send the password then immediately do a read from the > terminal, there is no guarantee I'll get the second password prompt > if the password was incorrect, right? I could wait a couple > of seconds and if I don't get another password prompt assume > authentication succeeded, but this is a bad solution. Are there any > other techniques I could employ? You could select() with a timeout. Better still you could write a native GUI sftp client using the routines in sftp-client.[ch]. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From ljfisher at iastate.edu Sat Aug 11 17:00:41 2001 From: ljfisher at iastate.edu (Lucas Fisher) Date: Sat, 11 Aug 2001 02:00:41 -0500 Subject: determining whether passwd auth succeeds Message-ID: <3B74D819.DBFA6F96@iastate.edu> Of course I realize right after I sent the last message that I could use the -v option to increase the verbosity and parse that information. Lucas From Markus.Friedl at informatik.uni-erlangen.de Sat Aug 11 19:45:18 2001 
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 11 Aug 2001 11:45:18 +0200 Subject: determining whether passwd auth succeeds In-Reply-To: <200108110629.XAA09420@albatross.prod.itd.earthlink.net>; from ljfisher@iastate.edu on Sat, Aug 11, 2001 at 01:29:32AM -0500 References: <200108110629.XAA09420@albatross.prod.itd.earthlink.net> Message-ID: <20010811114518.A5737@faui02.informatik.uni-erlangen.de> i think the commercial ssh.com ssh client has a special option that makes ssh print out a string when authentication is successful. On Sat, Aug 11, 2001 at 01:29:32AM -0500, Lucas Fisher wrote: > Hi, > I'm writing a c++ wrapper around ssh for KDE, mainly for use in a sftp > client. My problem is when starting ssh with the sftp subsystem openssh > gives no indication that password authentication succeeded. This makes it > difficult for my wrapper to determine if the connection succeeded. Now > determining it didn't succeed can be done by checking for another password > prompt. The problem with this is password verification could take time > (correct?). So if I send the password then immediately do a read from the > terminal, there is no guarantee I'll get the second password prompt if the > password was incorrect, right? I could wait a couple of seconds and if I > don't get another password prompt assume authentication succeeded, but this > is a bad solution. Are there any other techniques I could employ? > > thanks, > Lucas From j.ploeg at planet.nl Sun Aug 12 08:44:57 2001 
From: j.ploeg at planet.nl (John van der Ploeg) Date: Sun, 12 Aug 2001 00:44:57 +0200 Subject: openssh-2.9p2 Config - undefined references References: <3B71A7DB.A56AD390@planet.nl> <20010809103359.A18056@folly> Message-ID: <3B75B569.6047348C@planet.nl> It works (both solutions do)! Thanks for the Excellent help - John Markus Friedl wrote: > you can: > 1) build openssl w/o DSO support > 2) add -ldl to the LDFLAGS > > -m > > On Wed, Aug 08, 2001 at 10:58:04PM +0200, John van der Ploeg wrote: > > Hi Damien, > > > > I have a problem getting openssh-2.9p2 properly configured. > > > > This is the problem: > > > > configure:4433: gcc -o conftest -g -O2 -Wall -I/opt/openssl/include > > -L/opt/open > > ssl/lib conftest.c -lz -lnsl -lutil -lcrypto 1>&5 > > /opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_load': > > dso_dlfcn.o(.text+0x8e): undefined reference to `dlopen' > > dso_dlfcn.o(.text+0xa4): undefined reference to `dlopen' > > dso_dlfcn.o(.text+0x10a): undefined reference to `dlclose' > > /opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_unload': > > dso_dlfcn.o(.text+0x1d2): undefined reference to `dlclose' > > /opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_var': > > > > dso_dlfcn.o(.text+0x283): undefined reference to `dlsym' > > /opt/openssl/lib/libcrypto.a(dso_dlfcn.o): In function > > `dlfcn_bind_func': > > dso_dlfcn.o(.text+0x353): undefined reference to `dlsym' > > configure: failed program was: > > #line 4419 "configure" > > #include "confdefs.h" > > > > #include > > #include > > int main(void) > > { > > char a[2048]; > > memset(a, 0, sizeof(a)); > > RAND_add(a, sizeof(a), sizeof(a)); > > return(RAND_status() <= 0); > > } > > > > > > > > I use it with openssl-engine-0.9.6b and openssl-0.9.6b installed > > to /opt/openssl and /usr/local/ssl (ln -s). 
When running the > > make test option of openssl, it reports no problems (which kind > > of indicates the problem is not with openssl I hope) > > > > The machine is a Linux version 2.2.5 kernel, gcc version 2.7.2.3 > > > > Any idea what could be wrong here? > > > > Regards, > > > > - John > > > > -- > > John van der Ploeg > > http://home.planet.nl/~jvdploe > > j.ploeg at planet.nl > > > > -- John van der Ploeg http://home.planet.nl/~jvdploe j.ploeg at planet.nl -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010812/88bfcd1a/attachment.html From jakob at openbsd.org Sun Aug 12 08:50:07 2001 From: jakob at openbsd.org (jakob at openbsd.org) Date: Sun, 12 Aug 2001 00:50:07 +0200 (MEST) Subject: [PATCH]: ssh: Avoid paths beginning with "//" In-Reply-To: <911C684A29ACD311921800508B7293BA010A8BB6@cnmail> Message-ID: On Thu, 9 Aug 2001, Mark Bradshaw wrote: > We patched a few bugs in the sftp implementation last month that dealt with > path concatenation created paths beginning with "//", which caused problems > on Windows machines. Unfortunately, a few slipped by in ssh as well that > I'd like to get patched. > > [...] fixed. jakob From martin at fatbob.nu Tue Aug 14 00:42:23 2001 
From: martin at fatbob.nu (Martin Johansson) Date: Mon, 13 Aug 2001 16:42:23 +0200 Subject: [PATCH] Maildir support Message-ID: <20010813164223.A13948@fatbob.nu> Hi! Here is a patch against openssh-2.9.p2 that adds support for Maildir style mailboxes, the way which qmail prefers to store mails in. The changes/additions are the following: 1) $MAIL env. variable is set to $HOME/Maildir if it exists, or else to _PATH_MAIL/$USER. 2) Mail checking (the main purpose of this patch) is done by first checking whether $MAIL is a regular file or directory. If it is a file, it is assumed to be an mbox format mailbox, if it is a directory it is assumed to be a Maildir format mailbox, and the checking is done accordingly. 3) A new configure option: --enable-maildir mbox functionality should be unaffected (if $HOME/Maildir doesn't exist) even if Maildir support is enabled (untested, since I only use Maildir on my system). The status of the patch is Works For Me (TM), and I haven't tested all possible configurations. BTW, I tested this on a RedHat 7.1 box with glibc 2.2.2. Regards /Martin Johansson diff -ur --exclude=configure openssh-2.9p2/config.h.in openssh-2.9p2.maildir/config.h.in --- openssh-2.9p2/config.h.in Sun Jun 17 06:09:47 2001 +++ openssh-2.9p2.maildir/config.h.in Fri Aug 10 12:53:30 2001 @@ -237,8 +237,11 @@ /* to the conversation function with an extra level of indirection */ #undef PAM_SUN_CODEBASE -/* Set this to your mail directory if you don't have maillock.h */ +/* Set this to your mail directory if you don't have maillock.h or paths.h */ #undef MAIL_DIRECTORY + +/* Set this to enable support for Maildir style mailboxes. */ +#undef MAILDIR_FORMAT /* Data types */ #undef HAVE_U_INT diff -ur --exclude=configure openssh-2.9p2/configure.in openssh-2.9p2.maildir/configure.in --- openssh-2.9p2/configure.in Mon May 28 19:21:44 2001 +++ openssh-2.9p2.maildir/configure.in Mon Aug 13 14:38:26 2001 
@@ -1632,6 +1632,23 @@ ) AC_SUBST(SSHMODE) +AC_MSG_CHECKING(whether to enable support for Maildir style mailboxes) +AC_ARG_ENABLE(maildir, +[ --enable-maildir Enable support for Maildir format mailbox in \$HOME/Maildir + --disable-maildir Disable support for Maildir format mailbox (default)], +[ case "$enableval" in + no) + AC_MSG_RESULT(no) + MAILDIR_FORMAT=no + ;; + *) AC_MSG_RESULT(yes) + MAILDIR_FORMAT=yes + AC_DEFINE(MAILDIR_FORMAT) + ;; + esac ], + AC_MSG_RESULT(no) + MAILDIR_FORMAT=no +) # Where to place sshd.pid piddir=/var/run @@ -1940,6 +1957,7 @@ echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " Use IPv4 by default hack: $IPV4_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" +echo " Maildir style mailbox: $MAILDIR_FORMAT" if test ! -z "$bsd_auth"; then echo " BSD Auth support: yes" diff -ur --exclude=configure openssh-2.9p2/session.c openssh-2.9p2.maildir/session.c --- openssh-2.9p2/session.c Sun Jun 17 05:40:51 2001 +++ openssh-2.9p2.maildir/session.c Mon Aug 13 14:32:47 2001 
@@ -1019,6 +1019,82 @@ } #endif /* defined(HAVE_GETUSERATTR) */ +void +do_mailcheck(const char *mailbox) +{ + struct stat mailstat; + + if (stat(mailbox, &mailstat) != 0) { + debug("Mailcheck failed: %s: %s", mailbox, + strerror(errno)); + return; + } + /* mbox format mailcheck */ + if (S_ISREG(mailstat.st_mode)) { + if (mailstat.st_size == 0) + printf("No mail.\n"); + else if (mailstat.st_mtime < mailstat.st_atime) + printf("You have mail.\n"); + else + printf("You have new mail.\n"); + } + +#ifdef MAILDIR_FORMAT + /* Maildir format mailcheck */ + else if (S_ISDIR(mailstat.st_mode)) { + char *dirname; + int pathlen; + DIR *newdir, *curdir; + + pathlen = strlen(mailbox) + 5; + dirname = malloc(pathlen); + + snprintf(dirname, pathlen, "%s/new", mailbox); + newdir = opendir(dirname); + + snprintf(dirname, pathlen, "%s/cur", mailbox); + curdir = opendir(dirname); + free(dirname); + + if (newdir && curdir) { + long newmail = -2; + long curmail = -2; + char buf[64]; + + while (readdir(newdir)) + newmail++; + closedir(newdir); + while (readdir(curdir)) + curmail++; + closedir(curdir); + + if (curmail > 0 || newmail > 0) { + sprintf(buf, "You have "); + if (newmail > 0) { + sprintf(buf + strlen(buf), "%ld new mail%s", + newmail, (newmail > 1) ? "s" : ""); + } + if (curmail > 0 && newmail > 0) + sprintf(buf + strlen(buf), " and "); + if (curmail > 0) { + sprintf(buf + strlen(buf), "%ld read mail%s", curmail, + (curmail > 1) ? "s" : ""); + } + printf("%s.\n", buf); + } + else + printf("No mail.\n"); + } + else { + if (newdir) closedir(newdir); + if (curdir) closedir(curdir); + debug("Mailcheck failed: Invalid Maildir"); + } + } + +#endif /* #ifdef MAILDIR_FORMAT */ +} + /* * Performs common processing for the child, such as setting up the * environment, closing extra file descriptors, setting the user and group 
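Review bot: do_mailcheck() changes what a user who has no mailbox yet sees: the code this hunk replaces printed "No mail." when stat() failed, while the new function only debug()s "Mailcheck failed: ..." and prints nothing, so keep the "No mail." output for a missing mailbox. In the Maildir branch the malloc() for dirname is unchecked (session.c otherwise uses xmalloc(), which never returns NULL); the `newmail = -2` / `curmail = -2` trick assumes readdir() returns exactly "." and ".." on top of the messages, whereas Maildir readers are expected to skip every entry whose name starts with '.', so count only non-dot entries; and the sprintf() chain into `char buf[64]` should be snprintf(buf, sizeof buf, ...) so the message can never outgrow the buffer.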
@@ -1226,6 +1302,8 @@ #endif if (!options.use_login) { + struct stat mailstat; + /* Set basic environment. */ child_set_env(&env, &envsize, "USER", pw->pw_name); child_set_env(&env, &envsize, "LOGNAME", pw->pw_name); @@ -1245,10 +1323,22 @@ # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ +#ifndef MAILDIR_FORMAT snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name); +#else + snprintf(buf, sizeof buf, "%.240s/Maildir", + pw->pw_dir); + /* + * Check if $HOME/Maildir exists, otherwise set $MAIL to + * _PATH_MAILDIR/$USER + */ + if (stat(buf, &mailstat) != 0) { + snprintf(buf, sizeof buf, "%.200s/%.50s", + _PATH_MAILDIR, pw->pw_name); + } +#endif child_set_env(&env, &envsize, "MAIL", buf); - /* Normal systems set SHELL by default. */ child_set_env(&env, &envsize, "SHELL", shell); } @@ -1471,19 +1561,12 @@ */ if (s->ttyfd != -1 && options.check_mail) { char *mailbox; - struct stat mailstat; - mailbox = getenv("MAIL"); if (mailbox != NULL) { - if (stat(mailbox, &mailstat) != 0 || - mailstat.st_size == 0) - printf("No mail.\n"); - else if (mailstat.st_mtime < mailstat.st_atime) - printf("You have mail.\n"); - else - printf("You have new mail.\n"); + do_mailcheck(mailbox); } } + /* Start the shell. Set initial character to '-'. */ buf[0] = '-'; strncpy(buf + 1, cp, sizeof(buf) - 1); From jakob at crt.se Tue Aug 14 01:00:22 2001 From: jakob at crt.se (Jakob Schlyter) Date: Mon, 13 Aug 2001 17:00:22 +0200 (MEST) Subject: [PATCH] Maildir support In-Reply-To: <20010813164223.A13948@fatbob.nu> Message-ID: On Mon, 13 Aug 2001, Martin Johansson wrote: > Here is a patch against openssh-2.9.p2 that adds support for Maildir style > mailboxes, the way which qmail prefers to store mails in. why should OpenSSH even bother checking mail? isn't that what your mailreader is for? I think this is featurism. jakob From wsloan at occamnetworks.com Tue Aug 14 02:41:26 2001 
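Review bot: in the `@@ -1226,6 +1302,8 @@` and `@@ -1245,10 +1323,22 @@` hunks, `struct stat mailstat;` is declared unconditionally but only used inside `#ifdef MAILDIR_FORMAT`, so builds without --enable-maildir get an unused-variable warning; move the declaration under the same #ifdef. The existence test `if (stat(buf, &mailstat) != 0)` also accepts a regular file named Maildir, which do_mailcheck() would then report as an mbox; use `if (stat(buf, &mailstat) != 0 || !S_ISDIR(mailstat.st_mode))` so a non-directory falls back to _PATH_MAILDIR/$USER. The whitespace-only changes (the blank line removed before "/* Normal systems set SHELL by default. */" and the one added before "/* Start the shell.") do not belong in the patch.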
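Review bot: the configure.in hunks (`@@ -1632,6 +1632,23 @@` and `@@ -1940,6 +1957,7 @@`) add --enable-maildir and a summary line, but nothing documents the new behaviour: the CheckMail entry in sshd.8 still describes only mbox, and INSTALL/README do not mention the option; a sentence in each saying that with --enable-maildir $MAIL is set to $HOME/Maildir when that directory exists, and that CheckMail then reports new and read message counts, would cover it.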
From: wsloan at occamnetworks.com (William Sloan) Date: Mon, 13 Aug 2001 09:41:26 -0700 Subject: New Feature Message-ID: <3B780336.47B1958F@occamnetworks.com> Hello All -- I was wondering if anyone is either working on or has started work on being able to do public key authentication using PGP keys?? If someone is currently working on such a feature I would be glad to help. If no one is working on this feature is there a reason why?? Thanks for your time. Will -- William Sloan Computer Scientist Occam Networks -- "What can be done with fewer, is done in vain with more." From martin at fatbob.nu Tue Aug 14 05:02:49 2001 From: martin at fatbob.nu (Martin Johansson) Date: Mon, 13 Aug 2001 21:02:49 +0200 Subject: [PATCH] Maildir support In-Reply-To: ; from jakob@crt.se on Mon, Aug 13, 2001 at 05:00:22PM +0200 References: <20010813164223.A13948@fatbob.nu> Message-ID: <20010813210249.A15239@fatbob.nu> On Mon, Aug 13, 2001 at 05:00:22PM +0200, Jakob Schlyter wrote: > why should OpenSSH even bother checking mail? isn't that what your > mailreader is for? I think this is featurism. Well, it already does (see the configuration keyword CheckMail in sshd's man page), but only for mbox style mailboxes. The patch does not add a feature but tweaks an already existing feature to work with Maildir style mailboxes. Since the feature is there, I want it to work with my setup, which is Maildir style mailboxes. Whether it is OpenSSH's job to inform about mail status at login-time is a different matter. Regards /Martin From jakob at crt.se Tue Aug 14 05:05:59 2001 
From: jakob at crt.se (Jakob Schlyter) Date: Mon, 13 Aug 2001 21:05:59 +0200 (MEST) Subject: [PATCH] Maildir support In-Reply-To: <20010813210249.A15239@fatbob.nu> Message-ID: On Mon, 13 Aug 2001, Martin Johansson wrote: > On Mon, Aug 13, 2001 at 05:00:22PM +0200, Jakob Schlyter wrote: > > > why should OpenSSH even bother checking mail? isn't that what your > > mailreader is for? I think this is featurism. > > Well, it already does (see the configuration keyword CheckMail in > sshd's man page), but only for mbox style mailboxes. The patch does > not add a feature but tweaks an already existing feature to work > with Maildir style mailboxes. should we also add support for MH, MBX and - why not - imap or pop? jakob From pete at more.net Tue Aug 14 05:20:48 2001 
From: pete at more.net (pete at more.net) Date: Mon, 13 Aug 2001 14:20:48 -0500 Subject: [jakob@crt.se: Re: [PATCH] Maildir support] Message-ID: <20010813142048.B1835@more.net> I don't think he's talking about mail server or clients here. I think this needs some clarification. This really only affects the $MAIL upon login. I've messed with this some, because it's caused problems for me personally at work. Here's the deal with an example: If you do a configure, on a Solaris 2.7 box, and then build sshd, when you log in you get this if you echo $MAIL, MAIL=/var/mail// . These two slashes get botched because of the way Sun defines MAILDIR in maillock.h #define MAILDIR "/var/mail/" So, this (even though broken in Sun's case because of the trailing "/"), is what the guy is talking about. This example is for the Mbox not Maildir mail format, which is how mail is stored. So in this case we have the same problem though using different formats. The MAIL variable NEEDS the right info. This is not feature creep. It's just another (albeit awesome!) way that systems can store mail, and many new mail servers and mail clients support it. If that MAIL variable is set wrong, this needs to be fixed and patched for both formats. As he said in the original patch, whether you want to support the MAIL var is another question, but if you're going to, it should be done correctly for both mbox and mailder. By the way, can someone fix the configure for Solaris, so that it doesn't use this? #define MAILDIR "/var/mail/" ----- Forwarded message from Jakob Schlyter ----- Delivered-To: openssh-unix-dev-list-93873 at shitei.mindrot.org Date: Mon, 13 Aug 2001 21:05:59 +0200 (MEST) 
From: Jakob Schlyter To: Martin Johansson Cc: Subject: Re: [PATCH] Maildir support In-Reply-To: <20010813210249.A15239 at fatbob.nu> Precedence: bulk On Mon, 13 Aug 2001, Martin Johansson wrote: > On Mon, Aug 13, 2001 at 05:00:22PM +0200, Jakob Schlyter wrote: > > > why should OpenSSH even bother checking mail? isn't that what your > > mailreader is for? I think this is featurism. > > Well, it already does (see the configuration keyword CheckMail in > sshd's man page), but only for mbox style mailboxes. The patch does > not add a feature but tweaks an already existing feature to work > with Maildir style mailboxes. should we also add support for MH, MBX and - why not - imap or pop? jakob ----- End forwarded message ----- -- Pete Greenwell System Administrator Missouri Research and Education Network [MOREnet] http://www.more.net From jakob at crt.se Tue Aug 14 05:59:00 2001 From: jakob at crt.se (Jakob Schlyter) Date: Mon, 13 Aug 2001 21:59:00 +0200 (MEST) Subject: [jakob@crt.se: Re: [PATCH] Maildir support] In-Reply-To: <20010813142048.B1835@more.net> Message-ID: On Mon, 13 Aug 2001 pete at more.net wrote: > As he said in the original patch, whether you want to support the MAIL > var is another question, but if you're going to, it should be done > correctly for both mbox and mailder. if we add support for maildir, why not support other mailbox formats as well? when should we stop? if someone thinks the answer is to start adding support for mbx, mh and others - think again - this is a remote login program, not a mail client. jakob From kevin at tgivan.com Tue Aug 14 06:57:19 2001 
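Pete's "/var/mail//" result and the thread's point that $MAIL has to be right for both mbox and Maildir, as an added C example that is not OpenSSH code and not Martin's patch: the function names, the user "pete" and the throwaway /tmp tree are assumptions of this example.

```c
/* Added example, not OpenSSH code and not Martin's patch: build $MAIL with
 * exactly one '/' (so Sun's MAILDIR "/var/mail/" cannot give "/var/mail//")
 * and choose mbox vs Maildir by checking that $HOME/Maildir is a directory.
 * Function names, the user "pete" and the /tmp demo tree are ours. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum mail_format { MAIL_MBOX, MAIL_MAILDIR };

/* Join dir and name with a single '/', whatever slashes either side has.
 * Returns 0, or -1 if the result does not fit in out. */
static int
join_path(char *out, size_t outlen, const char *dir, const char *name)
{
	size_t dlen = strlen(dir);

	while (dlen > 0 && dir[dlen - 1] == '/')	/* "/var/mail/" -> "/var/mail" */
		dlen--;
	while (*name == '/')
		name++;
	if (snprintf(out, outlen, "%.*s/%s", (int)dlen, dir, name) >= (int)outlen)
		return -1;
	return 0;
}

/* $MAIL is $HOME/Maildir only when that exists and really is a directory
 * (a plain file of that name is not a Maildir); otherwise it is the
 * classic spool file spooldir/user, reported as mbox. */
static int
choose_mail_path(char *out, size_t outlen, const char *spooldir,
    const char *user, const char *home, enum mail_format *fmt)
{
	struct stat st;

	if (home != NULL && join_path(out, outlen, home, "Maildir") == 0 &&
	    stat(out, &st) == 0 && S_ISDIR(st.st_mode)) {
		*fmt = MAIL_MAILDIR;
		return 0;
	}
	*fmt = MAIL_MBOX;
	return join_path(out, outlen, spooldir, user);
}

/* Constructed demo data: a throwaway $HOME under /tmp whose "Maildir"
 * entry is a real directory, or a plain file to exercise the S_ISDIR
 * check. Returns 0 on success. */
static int
make_demo_home(char *home, size_t len, int maildir_is_dir)
{
	char path[1024];
	FILE *f;

	snprintf(home, len, "/tmp/mailpath-demo-%ld", (long)getpid());
	if (mkdir(home, 0700) != 0 ||
	    join_path(path, sizeof path, home, "Maildir") != 0)
		return -1;
	if (maildir_is_dir)
		return mkdir(path, 0700);
	if ((f = fopen(path, "w")) == NULL)
		return -1;
	fclose(f);
	return 0;
}

static void
remove_demo_home(const char *home)
{
	char path[1024];

	if (join_path(path, sizeof path, home, "Maildir") == 0)
		remove(path);	/* remove() handles the empty dir or the file */
	remove(home);
}

int
main(void)
{
	char home[256], mail[256];
	enum mail_format fmt;
	int is_dir;

	/* first pass: $HOME/Maildir is a directory; second: a plain file */
	for (is_dir = 1; is_dir >= 0; is_dir--) {
		if (make_demo_home(home, sizeof home, is_dir) != 0)
			return 1;
		choose_mail_path(mail, sizeof mail, "/var/mail/", "pete", home, &fmt);
		printf("MAIL=%s (%s)\n", mail,
		    fmt == MAIL_MAILDIR ? "Maildir" : "mbox");
		remove_demo_home(home);
	}
	return 0;
}
```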
From: kevin at tgivan.com (Kevin Sindhu) Date: Mon, 13 Aug 2001 13:57:19 -0700 Subject: [jakob@crt.se: Re: [PATCH] Maildir support] References: Message-ID: <3B783F2F.6D7F70FC@tgivan.com> Jakob Schlyter wrote: > > On Mon, 13 Aug 2001 pete at more.net wrote: > > > As he said in the original patch, whether you want to support the MAIL > > var is another question, but if you're going to, it should be done > > correctly for both mbox and mailder. > > if we add support for maildir, why not support other mailbox formats as > well? when should we stop? if someone thinks the answer is to start adding > support for mbx, mh and others - think again - this is a remote login > program, not a mail client. I somewhat agree with your argument, but still we already have CheckMail in sshd code. Following your argument, one may be tempted to take that support out as well...I mean, why have CheckMail in the first place? Personally, I don't see any "major" harm. *Shrug* My 2 cents -- Kevin Sindhu Systems Engineer TGI Technologies Inc. 107 E 3rd Avenue Vancouver, British Columbia V5T 1C7 Canada. Tel: (604) 872-6676 Ext 321 Fax: (604) 872-6601 From mouring at etoh.eviladmin.org Tue Aug 14 06:46:59 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Mon, 13 Aug 2001 15:46:59 -0500 (CDT) Subject: [jakob@crt.se: Re: [PATCH] Maildir support] In-Reply-To: <3B783F2F.6D7F70FC@tgivan.com> Message-ID: Personally, (Just my IMHO) CheckMail should go away. There are too many different formats and it should not be SSHD's job to understand them. It's biff and other evil programs' responsibility to do such things. - Ben On Mon, 13 Aug 2001, Kevin Sindhu wrote: > Jakob Schlyter wrote: > > > > On Mon, 13 Aug 2001 pete at more.net wrote: > > > > > As he said in the original patch, whether you want to support the MAIL > > > var is another question, but if you're going to, it should be done > > > correctly for both mbox and mailder. > > > > if we add support for maildir, why not support other mailbox formats as > > well? when should we stop? if someone thinks the answer is to start adding > > support for mbx, mh and others - think again - this is a remote login > > program, not a mail client. > > I somewhat agree with your argument, but still we already have > CheckMail in sshd code. Following your argument, one may be tempted to > take that support out as well...I mean, why have CheckMail in the > first place? > > Personally, I don't see any "major" harm. *Shrug* > > My 2 cents > > -- > Kevin Sindhu > Systems Engineer > > TGI Technologies Inc. > 107 E 3rd Avenue > Vancouver, British Columbia V5T 1C7 > Canada. > Tel: (604) 872-6676 Ext 321 > Fax: (604) 872-6601 > From Darren.Moffat at eng.sun.com Tue Aug 14 07:12:35 2001 
From: Darren.Moffat at eng.sun.com (Darren Moffat) Date: Mon, 13 Aug 2001 14:12:35 -0700 (PDT) Subject: [jakob@crt.se: Re: [PATCH] Maildir support] Message-ID: <200108132113.f7DLDrB780653@jurassic.eng.sun.com> >Personally, (Just my IMHO) CheckMail should go away. There are too >many different formats and it should not be SSHD's job to understand >them. It's biff and other evil programs' responsibility to do such >things. And IMHO PrintMOTD as well, since both CheckMail and PrintMOTD are often implemented either in a PAM module on some Linux systems or via the global shell profile (/etc/profile, /etc/.login) on others. Getting rid of both of these gets rid of a big chunk of code out of sshd that is too heavily indented. I also think that if CheckMail goes away then so should setting of the MAIL environment variable. If CheckMail stays then we should only set the MAIL environment variable if CheckMail is on. -- Darren J Moffat From kevin at tgivan.com Tue Aug 14 07:19:02 2001 From: kevin at tgivan.com (Kevin Sindhu) Date: Mon, 13 Aug 2001 14:19:02 -0700 Subject: [jakob@crt.se: Re: [PATCH] Maildir support] References: Message-ID: <3B784446.B81B8BAE@tgivan.com> mouring at etoh.eviladmin.org wrote: > > Personally, (Just my IMHO) CheckMail should go away. There are too > many different formats and it should not be SSHD's job to understand > them. It's biff and other evil programs' responsibility to do such > things. True. *Most* shellrc/profilerc's etc. already have a biff if/else already which notifies a user. Is there a reason why we have CheckMail in the first place? -- Kevin Sindhu Systems Engineer TGI Technologies Inc. 107 E 3rd Avenue Vancouver, British Columbia V5T 1C7 Canada. Tel: (604) 872-6676 Ext 321 Fax: (604) 872-6601 From mouring at etoh.eviladmin.org Tue Aug 14 07:08:44 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Mon, 13 Aug 2001 16:08:44 -0500 (CDT) Subject: [jakob@crt.se: Re: [PATCH] Maildir support] In-Reply-To: <3B784446.B81B8BAE@tgivan.com> Message-ID: Legacy code from the old 1.2.x ssh days.. - Ben On Mon, 13 Aug 2001, Kevin Sindhu wrote: > mouring at etoh.eviladmin.org wrote: > > > > Personally, (Just my IMHO) CheckMail should go away. There are too > > many different formats and it should not be SSHD's job to understand > > them. It's biff and other evil programs' responsibility to do such > > things. > > True. *Most* shellrc/profilerc's etc. already have a biff if/else > already which notifies a user. Is there a reason why we have CheckMail > in the first place? > > -- > Kevin Sindhu > Systems Engineer > > TGI Technologies Inc. > 107 E 3rd Avenue > Vancouver, British Columbia V5T 1C7 > Canada. > Tel: (604) 872-6676 Ext 321 > Fax: (604) 872-6601 > From martin at fatbob.nu Tue Aug 14 07:50:37 2001 
From: martin at fatbob.nu (Martin Johansson) Date: Mon, 13 Aug 2001 23:50:37 +0200 Subject: [PATCH] Maildir support In-Reply-To: ; from jakob@crt.se on Mon, Aug 13, 2001 at 09:05:59PM +0200 References: <20010813210249.A15239@fatbob.nu> Message-ID: <20010813235037.A15494@fatbob.nu> On Mon, Aug 13, 2001 at 09:05:59PM +0200, Jakob Schlyter wrote: > On Mon, 13 Aug 2001, Martin Johansson wrote: > > > On Mon, Aug 13, 2001 at 05:00:22PM +0200, Jakob Schlyter wrote: > > > > > why should OpenSSH even bother checking mail? isn't that what your > > > mailreader is for? I think this is featurism. > > > > Well, it already does (see the configuration keyword CheckMail in > > sshd's man page), but only for mbox style mailboxes. The patch does > > not add a feature but tweaks an already existing feature to work > > with Maildir style mailboxes. > > should we also add support for MH, MBX and - why not - imap or pop? > I don't really care since I'm not using these formats/protocols on my system. Those that feel the need for that kind of support would probably be sending in patches, right? To be a little more constructive, one could add the ability to call an external program to do the mail check, instead of doing it internally, and have a solution that works for everybody who wants this, regardless of the mail file format they use. As it is now, it supports one out of, ..counting... , four formats, although I guess MBX is already supported since it uses a single file to store the mails in. Six if we really would want to have IMAP and POP checking also... The current feature seems pretty crippled in the light of this, and should be replaced with a more general one, like the one described above, or dropped totally. I'm not demanding that my patch must go into the official codebase, it's a couple of minutes of hand patching for me each new release, which I can live with. 
I just figured that there probably are some other people out there that want to have this working, and posted the patch in the hope that it'd be useful to someone more than me. /Martin From djm at mindrot.org Tue Aug 14 13:25:45 2001 From: djm at mindrot.org (Damien Miller) Date: Tue, 14 Aug 2001 13:25:45 +1000 (EST) Subject: [jakob@crt.se: Re: [PATCH] Maildir support] In-Reply-To: Message-ID: On Mon, 13 Aug 2001, Jakob Schlyter wrote: > if we add support for maildir, why not support other mailbox formats as > well? when should we stop? if someone thinks the answer is to start adding > support for mbx, mh and others - think again - this is a remote login > program, not a mail client. I agree - IMO the CheckMail feature should be removed. If people want it, they can put a check in their .profile or whatever. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From moyman at ecn.purdue.edu Tue Aug 14 08:55:09 2001 
From: moyman at ecn.purdue.edu (James M Moya) Date: Mon, 13 Aug 2001 17:55:09 -0500 (EST) Subject: Latest won't compile under Solaris 8 Message-ID: <200108132255.f7DMt9a21323@golfer.ecn.purdue.edu> Here's the setup: # cat ecn rm config.cache CC="cc -O -xarch=v9" ./configure \ --prefix=/opt/openssh \ --sysconfdir=/var/ssh \ --with-rsh=/usr/local/etc/rsh \ --with-ipv4-default \ --with-ssl-dir=/usr/local/ssl \ --with-pam \ --with-ipaddr-display \ --with-pid-dir=/var/ssh Although I have tried several different configs, all die at the same spot: cc -O -xarch=v9 -g -I. -I. -I/usr/local/ssl/include -I/usr/local/include -DETCDIR=\"/var/ssh\" -D_PATH_SSH_PROGRAM=\"/opt/openssh/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/opt/openssh/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/opt/openssh/libexec/sftp-server\" -D_PATH_SSH_PIDDIR=\"/var/ssh\" -DHAVE_CONFIG_H -c session.c "session.c", line 628: identifier redeclared: do_pre_login current : function(pointer to struct Session {int used, int self, pointer to struct passwd {..} pw, pointer to struct Authctxt {..} authctxt, int pid, pointer to char term, int ptyfd, int ttyfd, int ptymaster, int row, int col, int xpixel, int ypixel, array[64] of char tty, pointer to char display, int screen, pointer to char auth_proto, pointer to char auth_data, int single_connection, int chanid, int is_subsystem}) returning void previous: function() returning int : "session.c", line 581 cc: acomp failed for session.c *** Error code 2 make: Fatal error: Command failed for target `session.o' 2.9p1 compiled fine with the same config file. The compiler is Forte 6 update 1, up to the latest patch level. --mike From chris at herbst.com Tue Aug 14 23:27:06 2001 
From: chris at herbst.com (Chris J. Herbst) Date: Tue, 14 Aug 2001 09:27:06 -0400 (EDT) Subject: configure bug Message-ID: This was discovered in openssh-2.9p2 on BSDi 4.1. If you configure --with-ssl-dir and give a relative path (like ../openssl-0.9.6b), it will not compile because that path is no longer valid once it cds to openbsd-compat. In the CPPFLAGS variable in openbsd-compat/Makefile, you can put in another ../ (-I../openssl-0.9.6a/include becomes -I../../openssl-0.9.6a/include) and it works. Perhaps there should be some warning about configuring with a relative path, or perhaps configure can convert to an absolute path, or even better, make sure the relative path in openbsd-compat/Makefile is still valid. From frank-m.mohr at db.com Wed Aug 15 06:35:39 2001 
From: frank-m.mohr at db.com (Frank-M Mohr) Date: Tue, 14 Aug 2001 21:35:39 +0100 Subject: int/u_int Data Types Used Message-ID: I was looking after some compiler warnings in openssh-2.9p2, same with yesterday's snap (about 15 Warnings, some for void*/function ptr warnings) IBM's compiler gives warnings, gcc on Linux doesn't complain about them. Example: "authfd.c", line 414.49: 1506-280 (W) Function argument assignment between types "unsigned int*" and "int*" is not allowed. I found a few things: - pointers to signed/unsigned ints are used for buffer/packet length parameters -> should I try to fix these warnings / maximum buffer size is defined as 256k so there should be no problem to use a typecast - in configure the size of int is checked, but 2 byte ints (ANSI C minimum) would cause an overflow for buffer sizes of 256k -> shouldn't configure stop there? (btw are 16bit ints still used on any unix systems? minix or embedded systems might do so) frank -- This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden. From gert at greenie.muc.de Wed Aug 15 08:11:15 2001 
From: gert at greenie.muc.de (Gert Doering) Date: Wed, 15 Aug 2001 00:11:15 +0200 Subject: Mailing list duplication? [was: Re: configure bug] In-Reply-To: ; from Chris J. Herbst on Tue, Aug 14, 2001 at 09:27:06AM -0400 References: Message-ID: <20010815001115.B1741@greenie.muc.de> Hi, On Tue, Aug 14, 2001 at 09:27:06AM -0400, Chris J. Herbst wrote: [..] Something is wrong with the mailing list. I just received 5 copies of this e-mail, and the only difference is the Received: line on my machine here. This means, mindrot.org sent it 5 times to me, so it's something there (or in between). Damien, could you please check? A "diff -u5" of two of those e-mails is appended. gert ------- snip ------- --- a1 Wed Aug 15 00:08:44 2001 +++ a2 Wed Aug 15 00:08:47 2001 @@ -1,11 +1,11 @@ -From mindrot.org!owner-openssh-unix-dev Tue Aug 14 18:18:19 2001 +From mindrot.org!owner-openssh-unix-dev Tue Aug 14 19:41:40 2001 Return-Path: Received: from shitei.mindrot.org(really [139.130.53.38]) by greenie.muc.de via smtpd with smtp - id - for ; Tue, 14 Aug 2001 18:18:19 +0200 (MEST) + id + for ; Tue, 14 Aug 2001 19:41:40 +0200 (MEST) (Smail-3.2 1996-Jul-4 #27 built 2000-Oct-3) Received: by shitei.mindrot.org (Postfix) id 0FA202DF66; Tue, 14 Aug 2001 23:27:19 +1000 (EST) Delivered-To: openssh-unix-dev-list-93873 at shitei.mindrot.org Received: by shitei.mindrot.org (Postfix, from userid 1000) -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From wendyp at cray.com Wed Aug 15 08:15:33 2001 
From: wendyp at cray.com (Wendy Palm) Date: Tue, 14 Aug 2001 17:15:33 -0500 Subject: Mailing list duplication? [was: Re: configure bug] References: <20010815001115.B1741@greenie.muc.de> Message-ID: <3B79A305.ECBBB48F@cray.com> gert - i didn't get any duplicates at all. wendy Gert Doering wrote: > > Hi, > > On Tue, Aug 14, 2001 at 09:27:06AM -0400, Chris J. Herbst wrote: > [..] > > Something is wrong with the mailing list. I just received 5 copies > of this e-mail, and the only difference is the Received: line on my > machine here. This means, mindrot.org sent it 5 times to me, so it's > something there (or in between). Damien, could you please check? > > A "diff -u5" of two of those e-mails is appended. > > gert > ------- snip ------- > --- a1 Wed Aug 15 00:08:44 2001 > +++ a2 Wed Aug 15 00:08:47 2001 > @@ -1,11 +1,11 @@ > -From mindrot.org!owner-openssh-unix-dev Tue Aug 14 18:18:19 2001 > +From mindrot.org!owner-openssh-unix-dev Tue Aug 14 19:41:40 2001 > Return-Path: > Received: from shitei.mindrot.org(really [139.130.53.38]) by greenie.muc.de > via smtpd with smtp > - id > - for ; Tue, 14 Aug 2001 18:18:19 +0200 (MEST) > + id > + for ; Tue, 14 Aug 2001 19:41:40 +0200 (MEST) > (Smail-3.2 1996-Jul-4 #27 built 2000-Oct-3) > Received: by shitei.mindrot.org (Postfix) > id 0FA202DF66; Tue, 14 Aug 2001 23:27:19 +1000 (EST) > Delivered-To: openssh-unix-dev-list-93873 at shitei.mindrot.org > Received: by shitei.mindrot.org (Postfix, from userid 1000) > -- > USENET is *not* the non-clickable part of WWW! > //www.muc.de/~gert/ > Gert Doering - Munich, Germany gert at greenie.muc.de > fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de -- wendy palm Cray OS Sustaining Engineering, Cray Inc. wendyp at cray.com, 651-605-9154 From yozo at imit.chiba-u.ac.jp Wed Aug 15 16:28:47 2001 
From: yozo at imit.chiba-u.ac.jp (Yozo TODA) Date: Wed, 15 Aug 2001 15:28:47 +0900 Subject: Mailing list duplication? [was: Re: configure bug] In-Reply-To: Your message of "Tue, 14 Aug 2001 17:15:33 JST." <3B79A305.ECBBB48F@cray.com> Message-ID: <200108150628.f7F6SmC18100@aohakobe.imit.chiba-u.ac.jp> > i didn't get any duplicates at all. I'm also receiving duplicated mails (not all, but some messages are duplicated). I've not seen any duplication with other mailing lists. I suppose something's wrong with shitei.mindrot.org. and, sorry, today I cannot see logs of the mail server on my part. ====================================================================== % scan ssh 80891 08/14 Wendy Palm Re: Mailing list duplication? [was: Re: config 80898 08/14 "Chris J. Herbst" configure bug< Message-ID: Message-ID: Message-ID: Message-ID: Message-ID: Message-ID: % gdiff -u ${HOME}/Mail/inbox/80945 ${HOME}/Mail/inbox/80959 --- /homes/yozo/Mail/inbox/80945 Wed Aug 15 14:03:03 2001 +++ /homes/yozo/Mail/inbox/80959 Wed Aug 15 15:16:01 2001 
@@ -1,10 +1,10 @@ Return-Path: owner-openssh-unix-dev at mindrot.org Received: from suzuran.ipc.chiba-u.ac.jp (root at suzuran.imit.chiba-u.ac.jp [133.82.241.67]) - by aohakobe.imit.chiba-u.ac.jp (8.11.1/8.11.1) with ESMTP id f7F4lbC16913 - for ; Wed, 15 Aug 2001 13:47:37 +0900 (JST) -Received: from shitei.mindrot.org (IDENT:fg75c5r5ham5xg137bml at intern12.lnk.telstra.net [139.130.53.38]) - by suzuran.ipc.chiba-u.ac.jp (8.9.3/3.7W) with ESMTP id NAA25120 - for ; Wed, 15 Aug 2001 13:47:26 +0900 (JST) + by aohakobe.imit.chiba-u.ac.jp (8.11.1/8.11.1) with ESMTP id f7F6B6C17999 + for ; Wed, 15 Aug 2001 15:11:06 +0900 (JST) +Received: from shitei.mindrot.org (IDENT:mf44duveg2kbco4in3rk at intern12.lnk.telstra.net [139.130.53.38]) + by suzuran.ipc.chiba-u.ac.jp (8.9.3/3.7W) with ESMTP id PAA25300 + for ; Wed, 15 Aug 2001 15:10:46 +0900 (JST) Received: by shitei.mindrot.org (Postfix) id 0FA202DF66; Tue, 14 Aug 2001 23:27:19 +1000 (EST) Delivered-To: openssh-unix-dev-list-93873 at shitei.mindrot.org ====================================================================== -- yozo. From djm at mindrot.org Wed Aug 15 16:34:50 2001 
From: djm at mindrot.org (Damien Miller) Date: Wed, 15 Aug 2001 16:34:50 +1000 (EST) Subject: Mailing list duplication? [was: Re: configure bug] In-Reply-To: <200108150628.f7F6SmC18100@aohakobe.imit.chiba-u.ac.jp> Message-ID: On Wed, 15 Aug 2001, Yozo TODA wrote: > > > i didn't get any duplicates at all. > > I'm also receiving duplicated mails > (not all, but some messages are duplicated). > I've not seen any duplication with other mailing lists. > I suppose something's wrong with shitei.mindrot.org. > > and, sorry, today I cannot see logs of the mail server on my part. This is probably the issue: Aug 14 10:27:27 shitei postfix/smtp[27897]: EB2742DF57: to=, relay=suzuran.imit.chiba-u.ac.jp[133.82.241.67], delay=35090, status=deferred (lost connection with suzuran.imit.chiba-u.ac.jp[133.82.241.67] while sending message body) Aug 14 10:44:07 shitei postfix/smtp[15722]: 43B942DF61: to=, relay=suzuran.imit.chiba-u.ac.jp[133.82.241.67], delay=10403, status=deferred (lost connection with suzuran.imit.chiba-u.ac.jp[133.82.241.67] while sending end of data -- message may be sent more than once) I'll see if it is something at this end. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer
From roger at interpeak.se Thu Aug 16 00:34:07 2001 From: roger at interpeak.se (Roger Bodén) Date: Wed, 15 Aug 2001 16:34:07 +0200 Subject: Password change request Message-ID: Are there any plans to support the SSH_MSG_USERAUTH_CHANGEREQ message (part of the ssh v2 authentication protocol)? We have an SSH server for RTOSs that is able to send that message. So we're interested in support in the ssh client. Roger Bodén INTERPEAK Box 7498 SE-103 92 Stockholm Sweden Office: +46 8 545 275 80 Fax: +46 8 545 275 99 www.interpeak.com From peak at argo.troja.mff.cuni.cz Thu Aug 16 03:22:57 2001
From: peak at argo.troja.mff.cuni.cz (Pavel Kankovsky) Date: Wed, 15 Aug 2001 19:22:57 +0200 (MET DST) Subject: ProxyCommand broken in SNAP-20010814 Message-ID: <20010815191836.672C.0@argo.troja.mff.cuni.cz> For some odd reason, one line was removed from the handling of ProxyCommand in readconf.c. As a result, ssh crashes on strlen(string) when it parses this option. --- readconf.c:X Mon Aug 6 23:35:52 2001 +++ readconf.c Wed Aug 15 16:11:44 2001 @@ -475,6 +475,7 @@ case oProxyCommand: charptr = &options->proxy_command; + string = xstrdup(""); while ((arg = strdelim(&s)) != NULL && *arg != '\0') { string = xrealloc(string, strlen(string) + strlen(arg) + 2); strcat(string, " "); --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation."
From erik at math.uu.se Thu Aug 16 06:40:37 2001 From: erik at math.uu.se (erik at math.uu.se) Date: Wed, 15 Aug 2001 22:40:37 +0200 (CEST) Subject: PAM and getpwnam [ struct passwd *getpwnam(const char * name) ] Message-ID: Hello! I use a PAM module (pam_ncp_auth from ncpfs) for authentication against a netware server. pam_ncp_auth can create local UNIX user accounts from information in NDS, and it works perfectly with login, gdm and telnet. But not with openssh (2.5 and 2.9). It works perfectly if the user is already in /etc/passwd, but the first time he logs on he doesn't exist there. In that case openssh calls the function getpwnam to see if the user exists at all, and if he doesn't, sshd refuses to let the user log in. Aaarg, I have tried for one whole day to make some simple patch, but I am too stupid. Hence, I want pam_ncp_auth to add the user's line in /etc/passwd before openssh makes the call to getpwnam. Perhaps that is the preferred order for other PAM modules also? Please, any suggestions... regards /Erik S Erik Starbäck KTH Syd, Södertälje, Sweden From Darren.Moffat at eng.sun.com Thu Aug 16 06:57:13 2001
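Review bot: the restored `string = xstrdup("");` is the right fix and belongs exactly where it is, since the loop that follows does `xrealloc(string, strlen(string) + strlen(arg) + 2)` and `strcat(string, " ")`, both of which require `string` to already point at a NUL-terminated allocation; a one-line comment above it noting that the loop below grows this buffer would make the dependency visible so the line is not dropped again.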
From: Darren.Moffat at eng.sun.com (Darren Moffat) Date: Wed, 15 Aug 2001 13:57:13 -0700 (PDT) Subject: PAM and getpwnam [ struct passwd *getpwnam(const char * name) ] Message-ID: <200108152058.f7FKwbg354820@jurassic.eng.sun.com> >I use a PAM-module (pam_ncp_auth from ncpfs) for authentication against a >netware server. > >pam_ncp_auth can create local UNIX user accounts from information in NDS, >and it works perfect with login, gdm and telnet. But not with openssh (2.5 >and 2.9). This module is broken. This is completely the wrong thing to do, a PAM module should not be adding entries into /etc/passwd. What you should have is a PAM module for the authentication to NDS and an NSS (nsswitch.conf) module (nss_nds.so) for the lookups so that getpwnam() will actually get the data from NDS. I believe this is how Novell's NDS for Solaris actually works. >It works perfect if the user already is in /etc/passwd, but the first time >he logs on he doesn't exist there. In that case openssh call the function >getpwnam to see if the user exist at all, and if he doesn't the sshd >refuse the user to login. Correct behaviour. I don't think OpenSSH should be patched to fix a very broken solution like you have. -- Darren J Moffat From Nicolas.Williams at ubsw.com Thu Aug 16 07:03:34 2001 
From: Nicolas.Williams at ubsw.com (Nicolas Williams) Date: Wed, 15 Aug 2001 17:03:34 -0400 Subject: [ossh patch] principal name/patterns in authorized_keys2 Message-ID: <20010815170333.J5739@sm2p1386swk.wdr.com> As you know, revoking RSA/DSA keys in an SSH environment requires editing all authorized_keys and authorized_keys2 files that reference those public keys. This is, well, difficult at best but certainly very obnoxious, particularly in a large environment. SSH key management is difficult. This patch simplifies key management wherever GSS-API/Kerberos is used and is general enough to be used with any authentication system that binds keys and names securely enough. Other GSS-API mechanisms and Kerberos IV can be supported as well. This patch adds support for referencing named keys (not SSH RSA/DSA, but Kerberos) in authorized_keys2. Here are some example authorized_keys2 entries:
ssh-ext-named:krb5 someuser@FOOBAR.COM
deny-access ssh-ext-named:krb5 loser@FOOBAR.COM
ssh-ext-name-pat:krb5 */superroot@FOOBAR.COM
command=/tools/inventory ssh-ext-name-pat:krb5 */inventory@FOOBAR.COM
command=/tools/audit ssh-ext-name-pat:krb5 */audit@FOOBAR.COM
...
What's cool about this is that administrators come and go, and so will those */superroot@FOOBAR.COM Kerberos principals, but there's no need to modify those authorized_keys2 files referencing those keys. This patch (to OpenSSH 2.9p2) adds:
- ssh-ext-named key entry type for authorized_keys2 files
- ssh-ext-name-pat key entry type for authorized_keys2 files
- deny-access option for authorized_keys2 entries
- SSH_AUTH_EXT_NAME environment variable added by sshd
- SSH_AUTH_EXT_NAME_TYPE similar
You'll need Simon Wilkinson's GSS-API patches for OpenSSH for this patch to be much use, or add support for Kerberos IV key names (a trivial patch, but I can't test it). I really hope that this feature or a variation thereof will find its way into OpenSSH.
In conjunction with Kerberos (IV or V) it can be extremely useful:
- key management is simplified: key management is done at the KDC and there is no need to edit authorized_keys2 files all over to revoke keys!
- authorized_keys2 is *much* more featureful than .klogin and .k5login are, regardless of Kerberos implementation source (KTH, Heimdal, MIT, SEAM, all implement pretty much the same all-or-nothing .klogin/.k5login functionality).
A similar patch of gss-serv.c:ssh_gssapi_gsi_userok() to support the use of 'gsi' key names in authorized_keys2 would be trivial, but I cannot test GSI. A similar patch to auth-krb4.c:auth_krb4() to support the use of 'krb4' key names would be trivial, but I cannot test such a patch. A question, in my mind, is whether the krb4/gss:krb5/gss:gsi ssh_*userok() code should require both the authorized_keys2 check *and* the underlying mechanism userok() check to succeed, or either, or what. My patch to gss-serv.c:ssh_gssapi_krb5_userok() requires either check to succeed. Below you should find two versions of this patch, one against OpenSSH 2.9p2, the other against 2.9p2 + Simon Wilkinson's GSS-API patches (*). NOTE: I did not strive too hard to keep to the code style of OpenSSH. Point me at the description of the OpenSSH code style and I'll modify my patch accordingly.
Files modified:
- key.h
  - added KEY_NAME key type
  - added KEY_NAME_PAT key type
  - added name, name_len and name_type fields to the Key struct (I realize that the name_len field is useless, I may remove it)
  - added prototype for key_match()
- key.c
  - added initialization/finalization of new Key fields to key_new()/key_free()
  - added named/pattern key type support to a variety of functions, including key_read() and key_write(), among others
  - added key_match() implementation
- auth-options.h
  - added void auth_set_key_env(Key *) prototype
- auth-options.c
  - added auth_set_key_env() implementation
  - modified auth_parse_options() to return (-1) when new deny-access option is encountered
- auth-rsa.c
  - modified auth_parse_options() return value check according to the change made to auth_parse_options()
- auth2.c
  - modified user_key_allowed() to:
    - try key_match() if key_equal() fails
    - check the result of auth_parse_options() for negative, 0, or positive values.
  - modified userauth_pubkey() to check for positive return value of user_key_allowed()
- sshd.8
  - added documentation
- gss-serv.c
  - modified ssh_gssapi_krb5_userok() to build a Key struct and call user_key_allowed()
  - modified input_gssapi_token() and input_gssapi_exchange_complete() to log successful authentication correctly.
(*) You can get Simon Wilkinson's GSS-API patches for OpenSSH here: http://www.sxw.org.uk/computing/patches/openssh.html There are four weaknesses with this patch that I am aware of currently:
- while key names can be [double-]quoted, double-quotes in key names cannot be backslash-quoted
- the name_len field added to the Key struct is unnecessary
- there should be a way to limit the greediness of '*' in key name globs, with something like "*{/}" meaning "any number of characters up to a '/'"
- the name_type of Key structs for Kerberos V principals should reflect the type of the Kerberos principal name (see RFC1510 and revisions) so that the name_type of ssh-ext-named/pattern authorized_keys2 entries should look something like: "krb5user", "krb5host", "krb5x500", etc...
Feedback would be greatly appreciated! Nico -DISCLAIMER: an automatically appended disclaimer may follow. By posting- -to a public e-mail mailing list I hereby grant permission to distribute- -and copy this message.-
******************************************************************************** Index: 2_9_p2.1/sshd.8 --- 2_9_p2.1/sshd.8 Thu, 03 May 2001 16:12:13 -0400 jd (OpenSSH/h/28_sshd.8 1.1 644) +++ 2_9_p2_w_named_keys.2/sshd.8 Tue, 03 Jul 2001 14:20:28 -0400 willian (OpenSSH/h/28_sshd.8 1.1.1.1 644) @@ -852,7 +852,8 @@ .Pa $HOME/.ssh/authorized_keys2 file lists the DSA and RSA keys that are permitted for public key authentication (PubkeyAuthentication) -in protocol version 2. +in protocol version 2. It can also list key names or key patterns +for external authentication systems, such as krb4, krb5, gsi, etc... .Pp Each line of the file contains one key (empty lines and lines starting with a
@@ -873,7 +874,19 @@ For protocol version 2 the keytype is .Dq ssh-dss or -.Dq ssh-rsa . +.Dq ssh-rsa +or +.Dq ssh-ext-named: +or +.Dq ssh-ext-name-pat: . +.Pp +Named keys and key name patterns follow the latter two, in double +quotes if they contain whitespace. Named key types may include: +.Dq krb4 , +.Dq krb5 +and/or +.Dq gsi , +depending on what features are compiled in to OpenSSH. .Pp Note that lines in this file are usually several hundred bytes long (because of the size of the RSA key modulus). @@ -930,6 +943,10 @@ Environment variables set this way override other default environment values. Multiple options of this type are permitted. +.It Cm deny-access +This option ends authorized_keys2 processing if the key matches. This +option is only really useful with named key and named key pattern +entries. .It Cm no-port-forwarding Forbids TCP/IP forwarding when this key is used for authentication. Any port forward requests by the client will return an error. Index: 2_9_p2.1/key.h --- 2_9_p2.1/key.h Thu, 03 May 2001 16:12:13 -0400 jd (OpenSSH/j/7_key.h 1.1 644) +++ 2_9_p2_w_named_keys.2/key.h Tue, 03 Jul 2001 13:57:30 -0400 willian (OpenSSH/j/7_key.h 1.1.1.1 644) @@ -34,7 +34,9 @@ KEY_RSA1, KEY_RSA, KEY_DSA, - KEY_UNSPEC + KEY_UNSPEC, + KEY_NAME, + KEY_NAME_PAT }; enum fp_type { SSH_FP_SHA1, @@ -48,12 +50,16 @@ int type; RSA *rsa; DSA *dsa; + u_char *name; + u_int name_len; + char *name_type; }; Key *key_new(int type); Key *key_new_private(int type); void key_free(Key *k); int key_equal(Key *a, Key *b); +int key_match(Key *a, Key *b); char *key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep); char *key_type(Key *k); int key_write(Key *key, FILE *f); Index: 2_9_p2.1/key.c --- 2_9_p2.1/key.c Thu, 03 May 2001 16:12:13 -0400 jd (OpenSSH/j/8_key.c 1.1 644) +++ 2_9_p2_w_named_keys.2/key.c Tue, 03 Jul 2001 13:57:30 -0400 willian (OpenSSH/j/8_key.c 1.1.1.1 644) 
@@ -56,6 +56,9 @@ k->type = type; k->dsa = NULL; k->rsa = NULL; + k->name = NULL; + k->name_len = 0; + k->name_type = NULL; switch (k->type) { case KEY_RSA1: case KEY_RSA: @@ -72,6 +75,8 @@ dsa->pub_key = BN_new(); k->dsa = dsa; break; + case KEY_NAME: + case KEY_NAME_PAT: case KEY_UNSPEC: break; default: @@ -119,6 +124,14 @@ DSA_free(k->dsa); k->dsa = NULL; break; + case KEY_NAME: + case KEY_NAME_PAT: + if (k->name != NULL) + xfree(k->name); + k->name_len = 0; + if (k->name_type != NULL) + xfree(k->name_type); + break; case KEY_UNSPEC: break; default: @@ -130,8 +143,9 @@ int key_equal(Key *a, Key *b) { - if (a == NULL || b == NULL || a->type != b->type) + if (a == NULL || b == NULL || a->type != b->type) { return 0; + } switch (a->type) { case KEY_RSA1: case KEY_RSA: 
@@ -146,12 +160,67 @@ BN_cmp(a->dsa->g, b->dsa->g) == 0 && BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; break; + case KEY_NAME: + if ((a->name_type == NULL && b->name_type == NULL) || + (a->name_type == b->name_type)) + return (a->name_len == b->name_len) && + (memcmp(a->name, b->name, a->name_len) == 0); + if (a->name_type == NULL || b->name_type == NULL) + return 0; + if (strcmp(a->name_type, b->name_type) == 0) + return (a->name_len == b->name_len) && + (memcmp(a->name, b->name, a->name_len) == 0); + break; + case KEY_NAME_PAT: + return 0; + break; default: fatal("key_equal: bad key type %d", a->type); break; } return 0; } +int +key_match(Key *a, Key *b) +{ + debug3("key_match: trying to match %x and %x", a, b); + if (a == NULL || b == NULL) + return 0; + + debug3("key_match: trying to match key types %d and %d -- KEY_NAME_PAT == %d", a->type, b->type, KEY_NAME_PAT); + /* One key must be a name pattern, the other must be a name */ + if (!(a->type == KEY_NAME_PAT && b->type == KEY_NAME) && + !(b->type == KEY_NAME_PAT && a->type == KEY_NAME)) + return 0; + + /* Both keys must have name types, or both must not */ + /* or one key must have '*' as its name type */ + if ((a->name_type == NULL && b->name_type != NULL) || + (b->name_type == NULL && a->name_type != NULL)) { + + debug3("key_match: foo"); + if (a->name_type != NULL && *(a->name_type) != '*') + return 0; + if (b->name_type != NULL && *(b->name_type) != '*') + return 0; + } + + /* Name type "*" matches any name type */ + /* Otherwise name types must match */ + if ((a->name_type != NULL && strcmp(a->name_type, b->name_type) != 0) && + (*(a->name_type) != '*' || *(b->name_type) != '*')) { + debug3("key_match: a->name_type == %s", a->name_type ? a->name_type : ""); + debug3("key_match: b->name_type == %s", b->name_type ? 
b->name_type : ""); + return 0; + } + + debug3("key_match: trying to match %s WITH %s", a->name, b->name); + if (a->type == KEY_NAME_PAT) + return match_pattern(b->name, a->name); + else + return match_pattern(a->name, b->name); +} + u_char* key_fingerprint_raw(Key *k, enum fp_type dgst_type, size_t *dgst_raw_length) @@ -160,7 +229,7 @@ EVP_MD_CTX ctx; u_char *blob = NULL; u_char *retval = NULL; - int len = 0; + u_int len = 0; int nlen, elen; *dgst_raw_length = 0; @@ -363,11 +432,12 @@ { Key *k; int success = -1; - char *cp, *space; + char *cp, *space, *name_type; int len, n, type; u_int bits; - u_char *blob; + u_char *blob = NULL; + name_type = NULL; cp = *cpp; switch(ret->type) { @@ -390,6 +460,8 @@ case KEY_UNSPEC: case KEY_RSA: case KEY_DSA: + case KEY_NAME: + case KEY_NAME_PAT: space = strchr(cp, ' '); if (space == NULL) { debug3("key_read: no space"); @@ -397,6 +469,17 @@ } *space = '\0'; type = key_type_from_name(cp); + if ((type == KEY_NAME) || (type == KEY_NAME_PAT)) { + char * colon = NULL; + + colon = strchr(cp, ':'); + + debug3("key_read: handling named key or pattern (%d), %s, colon at %x", type, cp, colon); + if (colon != NULL && *(++colon) != '\0') { + name_type = xstrdup(colon); + } else + name_type == NULL; + } *space = ' '; if (type == KEY_UNSPEC) { debug3("key_read: no key found"); 
@@ -410,30 +493,80 @@ if (ret->type == KEY_UNSPEC) { ret->type = type; } else if (ret->type != type) { - /* is a key, but different type */ - debug3("key_read: type mismatch"); - return 0; + if (! ((ret->type == KEY_NAME) && + type == KEY_NAME_PAT)) { + /* is a key, but different type */ + debug3("key_read: type mismatch"); + return 0; + } + ret->type = type; } - len = 2*strlen(cp); - blob = xmalloc(len); - n = uudecode(cp, blob, len); - if (n < 0) { - error("key_read: uudecode %s failed", cp); - return -1; + debug3("key_read: here -- ret->type == %d", ret->type); + if ((ret->type == KEY_NAME) || (ret->type == KEY_NAME_PAT)) { + char *quote, *newline; + debug3("key_read: reading named key %s", cp); + if (cp == NULL || *cp == '\0') + return 0; + if (*cp == '"') { + quote = strchr(++cp, '"'); + if (quote == NULL) { + debug3("key_read: missing quote"); + return 0; + } + *quote = '\0'; + } + newline = strchr(cp, '\n'); + if (newline != NULL) + *newline = '\0'; + debug3("key_read: reading named key %s", cp); + k = key_new(ret->type); + k->name = (unsigned char *) xstrdup(cp); + k->name_len = strlen(cp); + k->name_type = name_type; + if (newline !=NULL) + *newline = '\n'; + if (quote !=NULL) + *quote = '"'; + debug3("key_read: read named key %s", k->name_type); + } else { + len = 2*strlen(cp); + blob = xmalloc(len); + n = uudecode(cp, blob, len); + if (n < 0) { + error("key_read: uudecode %s failed", cp); + return -1; + } + debug3("key_read: reading uuencoded key %s", blob); + k = key_from_blob(blob, n); } - k = key_from_blob(blob, n); if (k == NULL) { error("key_read: key_from_blob %s failed", cp); return -1; } - xfree(blob); + if (blob != NULL) + xfree(blob); if (k->type != type) { - error("key_read: type mismatch: encoding error"); - key_free(k); - return -1; + if (! 
((ret->type == KEY_NAME) && + type == KEY_NAME_PAT)) { + error("key_read: type mismatch: encoding error"); + key_free(k); + return -1; + } } /*XXXX*/ - if (ret->type == KEY_RSA) { + if ((ret->type == KEY_NAME) || (ret->type == KEY_NAME_PAT)) { + /* + if (ret->name != NULL) + xfree(ret->name); + */ + ret->name = k->name; + ret->name_len = k->name_len; + ret->name_type = k->name_type; + k->name = NULL; + k->name_type = NULL; + k->name_len = 0; + success = 1; + } else if (ret->type == KEY_RSA) { if (ret->rsa != NULL) RSA_free(ret->rsa); ret->rsa = k->rsa; @@ -487,7 +620,7 @@ } } else if ((key->type == KEY_DSA && key->dsa != NULL) || (key->type == KEY_RSA && key->rsa != NULL)) { - int len, n; + u_int len, n; u_char *blob, *uu; key_to_blob(key, &blob, &len); uu = xmalloc(2*len); @@ -498,6 +631,14 @@ } xfree(blob); xfree(uu); + } else if (key->type == KEY_NAME && key->name != NULL && + key->name_len) { + + fprintf(f, "%s ", key_ssh_name(key)); + if (key->name_type != NULL) + fprintf(f, ":%s", key->name_type); + else + fprintf(f, " \"%.*s\"", key->name, key->name_len); } return success; } @@ -514,6 +655,12 @@ case KEY_DSA: return "DSA"; break; + case KEY_NAME: + return "Named"; + break; + case KEY_NAME_PAT: + return "Name_Pattern"; + break; } return "unknown"; } @@ -527,6 +674,12 @@ case KEY_DSA: return "ssh-dss"; break; + case KEY_NAME: + return "ssh-ext-named"; + break; + case KEY_NAME_PAT: + return "ssh-ext-name-pat"; + break; } return "ssh-unknown"; } @@ -604,6 +757,16 @@ BN_copy(n->rsa->n, k->rsa->n); BN_copy(n->rsa->e, k->rsa->e); break; + case KEY_NAME: + case KEY_NAME_PAT: + n = key_new(k->type); + n->name_len = k->name_len; + n->name = xmalloc(k->name_len); + memcpy(n->name, k->name, n->name_len); + if (k->name_type) { + n->name_type = xstrdup(k->name_type); + } + break; default: fatal("key_from_private: unknown type %d", k->type); break; 
@@ -624,7 +787,16 @@ return KEY_RSA; } else if (strcmp(name, "ssh-dss") == 0){ return KEY_DSA; + } else if (strcmp(name, "ssh-ext-named") == 0){ + return KEY_NAME; + } else if (strncmp(name, "ssh-ext-named:", strlen("ssh-ext-named:")) == 0){ + return KEY_NAME; + } else if (strcmp(name, "ssh-ext-name-pat") == 0){ + return KEY_NAME_PAT; + } else if (strncmp(name, "ssh-ext-name-pat:", strlen("ssh-ext-name-pat:")) == 0){ + return KEY_NAME_PAT; } + debug2("key_type_from_name: unknown key type '%s'", name); return KEY_UNSPEC; } Index: 2_9_p2.1/auth2.c --- 2_9_p2.1/auth2.c Thu, 03 May 2001 16:12:13 -0400 jd (OpenSSH/k/6_auth2.c 1.1 644) +++ 2_9_p2_w_named_keys.2/auth2.c Tue, 03 Jul 2001 13:57:30 -0400 willian (OpenSSH/k/6_auth2.c 1.1.1.1 644) @@ -491,7 +491,7 @@ buffer_dump(&b); #endif /* test for correct signature */ - if (user_key_allowed(authctxt->pw, key) && + if (user_key_allowed(authctxt->pw, key) > 0 && key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) authenticated = 1; buffer_clear(&b); @@ -508,7 +508,7 @@ * if a user is not allowed to login. is this an * issue? -markus */ - if (user_key_allowed(authctxt->pw, key)) { + if (user_key_allowed(authctxt->pw, key) > 0) { packet_start(SSH2_MSG_USERAUTH_PK_OK); packet_put_string(pkalg, alen); packet_put_string(pkblob, blen); 
@@ -768,19 +768,36 @@ continue; } } - if (key_equal(found, key) && - auth_parse_options(pw, options, file, linenum) == 1) { - found_key = 1; - debug("matching key found: file %s, line %ld", - file, linenum); + if (key_equal(found, key)) { + found_key = auth_parse_options(pw, options, file, linenum); + if (found_key == 0) + continue; + break; + } + if (key_match(found, key)) { + found_key = auth_parse_options(pw, options, file, linenum); + if (found_key == 0) + continue; + /* Special treatment for key name patterns belongs here */ break; } } + +done: restore_uid(); fclose(f); key_free(found); - if (!found_key) + if (found_key > 0) { + debug("matching key found: file %s, line %ld", + file, linenum); + auth_set_key_env(key); + } + if (found_key == 0) debug2("key not found"); + if (found_key < 0) { + debug("user_key_allowed: matching deny key found: " + "file %s, line %ld", file, linenum); + } return found_key; } Index: 2_9_p2.1/auth-rsa.c --- 2_9_p2.1/auth-rsa.c Thu, 03 May 2001 16:12:13 -0400 jd (OpenSSH/k/15_auth-rsa.c 1.1 644) +++ 2_9_p2_w_named_keys.2/auth-rsa.c Tue, 03 Jul 2001 13:57:30 -0400 willian (OpenSSH/k/15_auth-rsa.c 1.1.1.1 644) @@ -259,7 +259,7 @@ * If our options do not allow this key to be used, * do not send challenge. */ - if (!auth_parse_options(pw, options, file, linenum)) + if (auth_parse_options(pw, options, file, linenum) < 1) continue; /* Perform the challenge-response dialog for this key. */ Index: 2_9_p2.1/auth-options.h --- 2_9_p2.1/auth-options.h Thu, 03 May 2001 16:12:13 -0400 jd (OpenSSH/k/21_auth-optio 1.1 644) +++ 2_9_p2_w_named_keys.2/auth-options.h Tue, 03 Jul 2001 13:57:30 -0400 willian (OpenSSH/k/21_auth-optio 1.1.1.1 644) @@ -16,6 +16,8 @@ #ifndef AUTH_OPTIONS_H #define AUTH_OPTIONS_H +#include "key.h" + /* Linked list of custom environment strings */ struct envstring { struct envstring *next; 
@@ -37,6 +39,9 @@ int auth_parse_options(struct passwd *pw, char *options, char *file, u_long linenum); + +void +auth_set_key_env(Key *k); /* reset options flags */ void auth_clear_options(void); Index: 2_9_p2.1/auth-options.c --- 2_9_p2.1/auth-options.c Thu, 03 May 2001 16:12:13 -0400 jd (OpenSSH/k/22_auth-optio 1.1 644) +++ 2_9_p2_w_named_keys.2/auth-options.c Tue, 03 Jul 2001 13:57:30 -0400 willian (OpenSSH/k/22_auth-optio 1.1.1.1 644) @@ -55,8 +55,43 @@ channel_clear_permitted_opens(); } +void auth_set_key_env(Key *k) +{ + struct envstring *new_env; + char *s; + int len; + + if (k->type != KEY_NAME) + return; + + len = strlen("SSH_AUTH_EXT_NAME="); + len += k->name_len + 1; + s = xmalloc(len); + snprintf(s, len, "SSH_AUTH_EXT_NAME=%.*s", k->name_len, k->name); + debug3("auth_set_key_env: Adding to the environment: %.*s", len, s); + new_env = xmalloc(sizeof(struct envstring)); + new_env->s = s; + new_env->next = custom_environment; + custom_environment = new_env; + + if (k->name_type == NULL) + return; + + len = strlen("SSH_AUTH_EXT_NAME_TYPE="); + len += strlen(k->name_type) + 1; + s = xmalloc(len); + snprintf(s, len, "SSH_AUTH_EXT_NAME_TYPE=%s", k->name_type); + + new_env = xmalloc(sizeof(struct envstring)); + new_env->s = s; + new_env->next = custom_environment; + custom_environment = new_env; + + return; +} + /* - * return 1 if access is granted, 0 if not. + * return 1 if access is granted, 0 if not, -1 if access explicitly denied * side effect: sets key option flags */ int 
@@ -72,6 +107,12 @@ return 1; while (*opts && *opts != ' ' && *opts != '\t') { + cp = "deny-access"; + if (strncasecmp(opts, cp, strlen(cp)) == 0) { + log("Authentication successful, but authorization denied"); + packet_send_debug("Permission denied"); + return -1; + } cp = "no-port-forwarding"; if (strncasecmp(opts, cp, strlen(cp)) == 0) { packet_send_debug("Port forwarding disabled."); ******************************************************************************** Index: 2_9_p2_w_gss_and_krb5.1/sshd.8 --- 2_9_p2_w_gss_and_krb5.1/sshd.8 Tue, 26 Jun 2001 16:27:13 -0400 willian (OpenSSH/h/28_sshd.8 1.2 644) +++ 2_9_p2_w_gss_krb5_named_keys.6/sshd.8 Tue, 03 Jul 2001 14:20:01 -0400 willian (OpenSSH/h/28_sshd.8 1.3 644) @@ -871,7 +871,8 @@ .Pa $HOME/.ssh/authorized_keys2 file lists the DSA and RSA keys that are permitted for public key authentication (PubkeyAuthentication) -in protocol version 2. +in protocol version 2. It can also list key names or key patterns +for external authentication systems, such as krb4, krb5, gsi, etc... .Pp Each line of the file contains one key (empty lines and lines starting with a @@ -892,7 +893,19 @@ For protocol version 2 the keytype is .Dq ssh-dss or -.Dq ssh-rsa . +.Dq ssh-rsa +or +.Dq ssh-ext-named: +or +.Dq ssh-ext-name-pat: . +.Pp +Named keys and key name patterns follow the latter two, in double +quotes if they contain whitespace. Named key types may include: +.Dq krb4 , +.Dq krb5 +and/or +.Dq gsi , +depending on what features are compiled in to OpenSSH. .Pp Note that lines in this file are usually several hundred bytes long (because of the size of the RSA key modulus). 
@@ -949,6 +962,10 @@ Environment variables set this way override other default environment values. Multiple options of this type are permitted. +.It Cm deny-access +This option ends authorized_keys2 processing if the key matches. This +option is only really useful with named key and named key pattern +entries. .It Cm no-port-forwarding Forbids TCP/IP forwarding when this key is used for authentication. Any port forward requests by the client will return an error. Index: 2_9_p2_w_gss_and_krb5.1/key.h --- 2_9_p2_w_gss_and_krb5.1/key.h Tue, 26 Jun 2001 16:27:13 -0400 willian (OpenSSH/j/7_key.h 1.2 644) +++ 2_9_p2_w_gss_krb5_named_keys.6/key.h Tue, 03 Jul 2001 13:14:57 -0400 willian (OpenSSH/j/7_key.h 1.4 644) @@ -35,7 +35,9 @@ KEY_RSA, KEY_DSA, KEY_NULL, - KEY_UNSPEC + KEY_UNSPEC, + KEY_NAME, + KEY_NAME_PAT }; enum fp_type { SSH_FP_SHA1, @@ -49,12 +51,16 @@ int type; RSA *rsa; DSA *dsa; + u_char *name; + u_int name_len; + char *name_type; }; Key *key_new(int type); Key *key_new_private(int type); void key_free(Key *k); int key_equal(Key *a, Key *b); +int key_match(Key *a, Key *b); char *key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep); char *key_type(Key *k); int key_write(Key *key, FILE *f); Index: 2_9_p2_w_gss_and_krb5.1/key.c --- 2_9_p2_w_gss_and_krb5.1/key.c Tue, 26 Jun 2001 16:27:13 -0400 willian (OpenSSH/j/8_key.c 1.2 644) +++ 2_9_p2_w_gss_krb5_named_keys.6/key.c Tue, 03 Jul 2001 14:23:39 -0400 willian (OpenSSH/j/8_key.c 1.6 644) @@ -56,6 +56,9 @@ k->type = type; k->dsa = NULL; k->rsa = NULL; + k->name = NULL; + k->name_len = 0; + k->name_type = NULL; switch (k->type) { case KEY_RSA1: case KEY_RSA: @@ -72,6 +75,8 @@ dsa->pub_key = BN_new(); k->dsa = dsa; break; + case KEY_NAME: + case KEY_NAME_PAT: case KEY_UNSPEC: break; default: 
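Review bot: the deny-access description at @@ -949,6 +962,10 @@ should state that authorized_keys2 is read top to bottom and the first matching line that auth_parse_options() does not skip with 0 ends the search (user_key_allowed() in auth2.c breaks out of the loop), so a deny-access entry only has effect when it precedes every permitting entry the same name could match. It should also say that a deny match overrides .k5login for Kerberos logins (ssh_gssapi_krb5_userok() returns 0 when user_key_allowed() is negative), since that is the main reason an administrator would use it.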
@@ -119,6 +124,14 @@ DSA_free(k->dsa); k->dsa = NULL; break; + case KEY_NAME: + case KEY_NAME_PAT: + if (k->name != NULL) + xfree(k->name); + k->name_len = 0; + if (k->name_type != NULL) + xfree(k->name_type); + break; case KEY_UNSPEC: break; default: @@ -130,8 +143,9 @@ int key_equal(Key *a, Key *b) { - if (a == NULL || b == NULL || a->type != b->type) + if (a == NULL || b == NULL || a->type != b->type) { return 0; + } switch (a->type) { case KEY_RSA1: case KEY_RSA: 
@@ -146,12 +160,67 @@ BN_cmp(a->dsa->g, b->dsa->g) == 0 && BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; break; + case KEY_NAME: + if ((a->name_type == NULL && b->name_type == NULL) || + (a->name_type == b->name_type)) + return (a->name_len == b->name_len) && + (memcmp(a->name, b->name, a->name_len) == 0); + if (a->name_type == NULL || b->name_type == NULL) + return 0; + if (strcmp(a->name_type, b->name_type) == 0) + return (a->name_len == b->name_len) && + (memcmp(a->name, b->name, a->name_len) == 0); + break; + case KEY_NAME_PAT: + return 0; + break; default: fatal("key_equal: bad key type %d", a->type); break; } return 0; } +int +key_match(Key *a, Key *b) +{ + debug3("key_match: trying to match %x and %x", a, b); + if (a == NULL || b == NULL) + return 0; + + debug3("key_match: trying to match key types %d and %d -- KEY_NAME_PAT == %d", a->type, b->type, KEY_NAME_PAT); + /* One key must be a name pattern, the other must be a name */ + if (!(a->type == KEY_NAME_PAT && b->type == KEY_NAME) && + !(b->type == KEY_NAME_PAT && a->type == KEY_NAME)) + return 0; + + /* Both keys must have name types, or both must not */ + /* or one key must have '*' as its name type */ + if ((a->name_type == NULL && b->name_type != NULL) || + (b->name_type == NULL && a->name_type != NULL)) { + + debug3("key_match: foo"); + if (a->name_type != NULL && *(a->name_type) != '*') + return 0; + if (b->name_type != NULL && *(b->name_type) != '*') + return 0; + } + + /* Name type "*" matches any name type */ + /* Otherwise name types must match */ + if ((a->name_type != NULL && strcmp(a->name_type, b->name_type) != 0) && + (*(a->name_type) != '*' || *(b->name_type) != '*')) { + debug3("key_match: a->name_type == %s", a->name_type ? a->name_type : ""); + debug3("key_match: b->name_type == %s", b->name_type ? 
b->name_type : ""); + return 0; + } + + debug3("key_match: trying to match %s WITH %s", a->name, b->name); + if (a->type == KEY_NAME_PAT) + return match_pattern(b->name, a->name); + else + return match_pattern(a->name, b->name); +} + u_char* key_fingerprint_raw(Key *k, enum fp_type dgst_type, size_t *dgst_raw_length) @@ -160,7 +229,7 @@ EVP_MD_CTX ctx; u_char *blob = NULL; u_char *retval = NULL; - int len = 0; + u_int len = 0; int nlen, elen; *dgst_raw_length = 0; @@ -363,11 +432,12 @@ { Key *k; int success = -1; - char *cp, *space; + char *cp, *space, *name_type; int len, n, type; u_int bits; - u_char *blob; + u_char *blob = NULL; + name_type = NULL; cp = *cpp; switch(ret->type) { @@ -390,6 +460,8 @@ case KEY_UNSPEC: case KEY_RSA: case KEY_DSA: + case KEY_NAME: + case KEY_NAME_PAT: space = strchr(cp, ' '); if (space == NULL) { debug3("key_read: no space"); @@ -397,6 +469,17 @@ } *space = '\0'; type = key_type_from_name(cp); + if ((type == KEY_NAME) || (type == KEY_NAME_PAT)) { + char * colon = NULL; + + colon = strchr(cp, ':'); + + debug3("key_read: handling named key or pattern (%d), %s, colon at %x", type, cp, colon); + if (colon != NULL && *(++colon) != '\0') { + name_type = xstrdup(colon); + } else + name_type == NULL; + } *space = ' '; if (type == KEY_UNSPEC) { debug3("key_read: no key found"); 
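Review bot: the wildcard logic in key_match() (key.c hunk @@ -146,12 +160,67 @@) does not do what its comment says. In the second test, `(*(a->name_type) != '*' || *(b->name_type) != '*')` is true whenever the two name types differ, so a pattern entry with name type `*` is rejected instead of matching any type; the intended condition is `&&` (neither side is `*`). The same test also reaches strcmp() with b->name_type == NULL when a->name_type is "*" (the first block falls through in that case), so add a NULL check. Only the first character is inspected, so any name type beginning with `*` is treated as the wildcard, and the `%x` used for the two pointers in the first debug3() should be `%p`.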
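Review bot: in the key_read() hunk at @@ -397,6 +469,17 @@, `name_type == NULL;` is a comparison, not an assignment; it has no effect (name_type is already NULL from the initialisation added at @@ -363) and will draw a compiler warning. Either drop the else branch or write `name_type = NULL;`. The `%x` for the `colon` pointer in the debug3() call should be `%p`.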
@@ -410,30 +493,80 @@ if (ret->type == KEY_UNSPEC) { ret->type = type; } else if (ret->type != type) { - /* is a key, but different type */ - debug3("key_read: type mismatch"); - return 0; + if (! ((ret->type == KEY_NAME) && + type == KEY_NAME_PAT)) { + /* is a key, but different type */ + debug3("key_read: type mismatch"); + return 0; + } + ret->type = type; } - len = 2*strlen(cp); - blob = xmalloc(len); - n = uudecode(cp, blob, len); - if (n < 0) { - error("key_read: uudecode %s failed", cp); - return -1; + debug3("key_read: here -- ret->type == %d", ret->type); + if ((ret->type == KEY_NAME) || (ret->type == KEY_NAME_PAT)) { + char *quote, *newline; + debug3("key_read: reading named key %s", cp); + if (cp == NULL || *cp == '\0') + return 0; + if (*cp == '"') { + quote = strchr(++cp, '"'); + if (quote == NULL) { + debug3("key_read: missing quote"); + return 0; + } + *quote = '\0'; + } + newline = strchr(cp, '\n'); + if (newline != NULL) + *newline = '\0'; + debug3("key_read: reading named key %s", cp); + k = key_new(ret->type); + k->name = (unsigned char *) xstrdup(cp); + k->name_len = strlen(cp); + k->name_type = name_type; + if (newline !=NULL) + *newline = '\n'; + if (quote !=NULL) + *quote = '"'; + debug3("key_read: read named key %s", k->name_type); + } else { + len = 2*strlen(cp); + blob = xmalloc(len); + n = uudecode(cp, blob, len); + if (n < 0) { + error("key_read: uudecode %s failed", cp); + return -1; + } + debug3("key_read: reading uuencoded key %s", blob); + k = key_from_blob(blob, n); } - k = key_from_blob(blob, n); if (k == NULL) { error("key_read: key_from_blob %s failed", cp); return -1; } - xfree(blob); + if (blob != NULL) + xfree(blob); if (k->type != type) { - error("key_read: type mismatch: encoding error"); - key_free(k); - return -1; + if (! 
((ret->type == KEY_NAME) && + type == KEY_NAME_PAT)) { + error("key_read: type mismatch: encoding error"); + key_free(k); + return -1; + } } /*XXXX*/ - if (ret->type == KEY_RSA) { + if ((ret->type == KEY_NAME) || (ret->type == KEY_NAME_PAT)) { + /* + if (ret->name != NULL) + xfree(ret->name); + */ + ret->name = k->name; + ret->name_len = k->name_len; + ret->name_type = k->name_type; + k->name = NULL; + k->name_type = NULL; + k->name_len = 0; + success = 1; + } else if (ret->type == KEY_RSA) { if (ret->rsa != NULL) RSA_free(ret->rsa); ret->rsa = k->rsa; @@ -487,7 +620,7 @@ } } else if ((key->type == KEY_DSA && key->dsa != NULL) || (key->type == KEY_RSA && key->rsa != NULL)) { - int len, n; + u_int len, n; u_char *blob, *uu; key_to_blob(key, &blob, &len); uu = xmalloc(2*len); @@ -498,6 +631,14 @@ } xfree(blob); xfree(uu); + } else if (key->type == KEY_NAME && key->name != NULL && + key->name_len) { + + fprintf(f, "%s ", key_ssh_name(key)); + if (key->name_type != NULL) + fprintf(f, ":%s", key->name_type); + else + fprintf(f, " \"%.*s\"", key->name, key->name_len); } return success; } @@ -514,6 +655,12 @@ case KEY_DSA: return "DSA"; break; + case KEY_NAME: + return "Named"; + break; + case KEY_NAME_PAT: + return "Name_Pattern"; + break; } return "unknown"; } @@ -527,6 +674,12 @@ case KEY_DSA: return "ssh-dss"; break; + case KEY_NAME: + return "ssh-ext-named"; + break; + case KEY_NAME_PAT: + return "ssh-ext-name-pat"; + break; } return "ssh-unknown"; } @@ -604,6 +757,16 @@ BN_copy(n->rsa->n, k->rsa->n); BN_copy(n->rsa->e, k->rsa->e); break; + case KEY_NAME: + case KEY_NAME_PAT: + n = key_new(k->type); + n->name_len = k->name_len; + n->name = xmalloc(k->name_len); + memcpy(n->name, k->name, n->name_len); + if (k->name_type) { + n->name_type = xstrdup(k->name_type); + } + break; default: fatal("key_from_private: unknown type %d", k->type); break; 
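Review bot: `quote` is used uninitialised in the named-key branch of key_read() (hunk @@ -410,30 +493,80 @@): it is only assigned when `*cp == '"'`, yet `if (quote !=NULL) *quote = '"';` runs for every named key, so an unquoted entry may write a `"` through whatever happens to be on the stack. Initialise both pointers (`char *quote = NULL, *newline = NULL;`) and restore the quote only when one was found. In the same hunk, `debug3("key_read: read named key %s", k->name_type)` passes a possibly NULL name_type to %s, and the previous ret->name is never freed (the xfree is commented out) when a Key is reused across lines.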
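Review bot: key_write() (hunk @@ -498,6 +631,14 @@) cannot round-trip a named key. When name_type is set, the `else` means only `ssh-ext-named :krb5` is written and the name itself is dropped; when it is not set, `fprintf(f, " \"%.*s\"", key->name, key->name_len)` passes the `%.*s` arguments in the wrong order (the int precision must come first). The space written after key_ssh_name() also separates the type from its `:type` suffix, which key_type_from_name() will not parse. Write the type and optional `:type` as one token, then a space, then the quoted name with `key->name_len, key->name`.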
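Review bot: the KEY_NAME/KEY_NAME_PAT case added to key_from_private() (hunk @@ -604,6 +757,16 @@) copies exactly name_len bytes, so the copy is not NUL-terminated, yet key_match() hands `name` to match_pattern() and several debug3() calls print it with %s. Allocate `name_len + 1` and terminate, or use xstrdup() as key_read() does.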
@@ -624,6 +787,14 @@ return KEY_RSA; } else if (strcmp(name, "ssh-dss") == 0){ return KEY_DSA; + } else if (strcmp(name, "ssh-ext-named") == 0){ + return KEY_NAME; + } else if (strncmp(name, "ssh-ext-named:", strlen("ssh-ext-named:")) == 0){ + return KEY_NAME; + } else if (strcmp(name, "ssh-ext-name-pat") == 0){ + return KEY_NAME_PAT; + } else if (strncmp(name, "ssh-ext-name-pat:", strlen("ssh-ext-name-pat:")) == 0){ + return KEY_NAME_PAT; } else if (strcmp(name, "null") == 0){ return KEY_NULL; } Index: 2_9_p2_w_gss_and_krb5.1/auth2.c --- 2_9_p2_w_gss_and_krb5.1/auth2.c Tue, 26 Jun 2001 16:27:13 -0400 willian (OpenSSH/k/6_auth2.c 1.2 644) +++ 2_9_p2_w_gss_krb5_named_keys.6/auth2.c Tue, 03 Jul 2001 13:14:57 -0400 willian (OpenSSH/k/6_auth2.c 1.3 644) @@ -514,7 +514,7 @@ buffer_dump(&b); #endif /* test for correct signature */ - if (user_key_allowed(authctxt->pw, key) && + if (user_key_allowed(authctxt->pw, key) > 0 && key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) authenticated = 1; buffer_clear(&b); @@ -531,7 +531,7 @@ * if a user is not allowed to login. is this an * issue? -markus */ - if (user_key_allowed(authctxt->pw, key)) { + if (user_key_allowed(authctxt->pw, key) > 0) { packet_start(SSH2_MSG_USERAUTH_PK_OK); packet_put_string(pkalg, alen); packet_put_string(pkblob, blen); 
@@ -791,19 +791,36 @@ continue; } } - if (key_equal(found, key) && - auth_parse_options(pw, options, file, linenum) == 1) { - found_key = 1; - debug("matching key found: file %s, line %ld", - file, linenum); + if (key_equal(found, key)) { + found_key = auth_parse_options(pw, options, file, linenum); + if (found_key == 0) + continue; + break; + } + if (key_match(found, key)) { + found_key = auth_parse_options(pw, options, file, linenum); + if (found_key == 0) + continue; + /* Special treatment for key name patterns belongs here */ break; } } + +done: restore_uid(); fclose(f); key_free(found); - if (!found_key) + if (found_key > 0) { + debug("matching key found: file %s, line %ld", + file, linenum); + auth_set_key_env(key); + } + if (found_key == 0) debug2("key not found"); + if (found_key < 0) { + debug("user_key_allowed: matching deny key found: " + "file %s, line %ld", file, linenum); + } return found_key; } Index: 2_9_p2_w_gss_and_krb5.1/auth-rsa.c --- 2_9_p2_w_gss_and_krb5.1/auth-rsa.c Thu, 03 May 2001 16:12:13 -0400 jd (OpenSSH/k/15_auth-rsa.c 1.1 644) +++ 2_9_p2_w_gss_krb5_named_keys.6/auth-rsa.c Tue, 03 Jul 2001 13:14:57 -0400 willian (OpenSSH/k/15_auth-rsa.c 1.2 644) @@ -259,7 +259,7 @@ * If our options do not allow this key to be used, * do not send challenge. */ - if (!auth_parse_options(pw, options, file, linenum)) + if (auth_parse_options(pw, options, file, linenum) < 1) continue; /* Perform the challenge-response dialog for this key. */ Index: 2_9_p2_w_gss_and_krb5.1/auth-options.h --- 2_9_p2_w_gss_and_krb5.1/auth-options.h Thu, 03 May 2001 16:12:13 -0400 jd (OpenSSH/k/21_auth-optio 1.1 644) +++ 2_9_p2_w_gss_krb5_named_keys.6/auth-options.h Tue, 03 Jul 2001 13:14:57 -0400 willian (OpenSSH/k/21_auth-optio 1.2 644) @@ -16,6 +16,8 @@ #ifndef AUTH_OPTIONS_H #define AUTH_OPTIONS_H +#include "key.h" + /* Linked list of custom environment strings */ struct envstring { struct envstring *next; 
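Review bot: in the user_key_allowed() hunk at @@ -791,19 +791,36 @@ the new `done:` label is not the target of any goto in the hunk and will warn as unused; drop it or use it for the early exits. The key_match() branch is a copy of the key_equal() branch with a placeholder comment, so a pattern match is currently treated exactly like an exact-key match; if no special treatment is planned, merge them (`if (key_equal(found, key) || key_match(found, key))`) to avoid the duplication. Also note that auth_set_key_env() receives `key` (the client's name) rather than `found`; that is the right choice for exporting the authenticated principal, but worth a comment since the two differ for pattern entries.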
@@ -37,6 +39,9 @@ int auth_parse_options(struct passwd *pw, char *options, char *file, u_long linenum); + +void +auth_set_key_env(Key *k); /* reset options flags */ void auth_clear_options(void); Index: 2_9_p2_w_gss_and_krb5.1/auth-options.c --- 2_9_p2_w_gss_and_krb5.1/auth-options.c Thu, 03 May 2001 16:12:13 -0400 jd (OpenSSH/k/22_auth-optio 1.1 644) +++ 2_9_p2_w_gss_krb5_named_keys.6/auth-options.c Tue, 03 Jul 2001 13:14:57 -0400 willian (OpenSSH/k/22_auth-optio 1.2 644) @@ -55,8 +55,43 @@ channel_clear_permitted_opens(); } +void auth_set_key_env(Key *k) +{ + struct envstring *new_env; + char *s; + int len; + + if (k->type != KEY_NAME) + return; + + len = strlen("SSH_AUTH_EXT_NAME="); + len += k->name_len + 1; + s = xmalloc(len); + snprintf(s, len, "SSH_AUTH_EXT_NAME=%.*s", k->name_len, k->name); + debug3("auth_set_key_env: Adding to the environment: %.*s", len, s); + new_env = xmalloc(sizeof(struct envstring)); + new_env->s = s; + new_env->next = custom_environment; + custom_environment = new_env; + + if (k->name_type == NULL) + return; + + len = strlen("SSH_AUTH_EXT_NAME_TYPE="); + len += strlen(k->name_type) + 1; + s = xmalloc(len); + snprintf(s, len, "SSH_AUTH_EXT_NAME_TYPE=%s", k->name_type); + + new_env = xmalloc(sizeof(struct envstring)); + new_env->s = s; + new_env->next = custom_environment; + custom_environment = new_env; + + return; +} + /* - * return 1 if access is granted, 0 if not. + * return 1 if access is granted, 0 if not, -1 if access explicitly denied * side effect: sets key option flags */ int 
@@ -72,6 +107,12 @@ return 1; while (*opts && *opts != ' ' && *opts != '\t') { + cp = "deny-access"; + if (strncasecmp(opts, cp, strlen(cp)) == 0) { + log("Authentication successful, but authorization denied"); + packet_send_debug("Permission denied"); + return -1; + } cp = "no-port-forwarding"; if (strncasecmp(opts, cp, strlen(cp)) == 0) { packet_send_debug("Port forwarding disabled."); Index: 2_9_p2_w_gss_and_krb5.1/gss-serv.c --- 2_9_p2_w_gss_and_krb5.1/gss-serv.c Tue, 26 Jun 2001 16:27:13 -0400 willian (OpenSSH/l/25_gss-serv.c 1.1 644) +++ 2_9_p2_w_gss_krb5_named_keys.6/gss-serv.c Thu, 05 Jul 2001 18:25:48 -0400 willian (OpenSSH/l/25_gss-serv.c 1.5 644) @@ -127,24 +127,45 @@ int ssh_gssapi_krb5_userok(char *name) { krb5_principal princ; - int retval; + int retval, retval2; + Key k; if (ssh_gssapi_krb5_init() == 0) return 0; + k.type = KEY_NAME; + k.name = gssapi_client_name.value; + k.name_len = strlen(gssapi_client_name.value); + k.name_type = "krb5"; + + debug3("ssh_gssapi_krb5_userok:"); + debug3("ssh_gssapi_krb5_userok: %s", k.name_type); + if ((retval=krb5_parse_name(krb_context, gssapi_client_name.value, &princ))) { log("krb5_parse_name(): %.100s", krb5_get_err_text(krb_context,retval)); return 0; } + + retval2 = user_key_allowed(getpwnam(name), &k); + if (retval2 < 0) { + krb5_free_principal(krb_context, princ); + return 0; + } + if (krb5_kuserok(krb_context, princ, name)) retval = 1; else retval = 0; + if (retval2 > 0) + log("Authorized to %s, krb5 principal %s (authorized_keys2)", name, gssapi_client_name.value); + else if (retval > 0) + log("Authorized to %s, krb5 principal %s (.k5login)", name, gssapi_client_name.value); + krb5_free_principal(krb_context, princ); - return retval; + return retval | retval2; } /* Make sure that this is called _after_ we've setuid to the user */ 
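Review bot: the log message in the deny-access branch of auth_parse_options() (auth-options.c hunk @@ -72,6 +107,12 @@) claims "Authentication successful", but auth_parse_options() runs from user_key_allowed(), which auth2.c calls before key_verify() (hunk @@ -514,7 +514,7 @@), so for public-key logins nothing has been proven when this line is written. Log something like "access denied by deny-access option" and include pw->pw_name, file and linenum, since this is the only trace an administrator gets of a deny match from this path.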
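Review bot: getpwnam(name) in ssh_gssapi_krb5_userok() (gss-serv.c hunk @@ -127,24 +127,45 @@) is passed straight to user_key_allowed() without a NULL check, so a principal mapped to a nonexistent account takes a NULL passwd pointer into the authorized_keys2 lookup; check it and return 0. `strlen(gssapi_client_name.value)` assumes the gss_buffer_desc is NUL-terminated, which the GSS-API does not guarantee; use its `.length` member for name_len. The final `return retval | retval2;` now grants access when either .k5login or authorized_keys2 permits the principal, which widens the previous policy and should be stated in sshd.8.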
@@ -524,8 +545,8 @@ if (GSS_ERROR(maj_status)) { /* Failure */ - auth_log(authctxt, 0, "gssapi", " ssh2"); authctxt->postponed = 0; + auth_log(authctxt, 0, "gssapi", " ssh2"); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); userauth_reply(authctxt, 0); } @@ -563,6 +584,8 @@ OM_uint32 maj_status, min_status; int authenticated; gss_buffer_desc gssbuf,msg_tok; + char *info; + int info_len; if (authctxt == NULL || authctxt->methoddata == NULL) fatal("No authentication or GSSAPI context"); 
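Review bot: `info` is declared here (hunk @@ -563,6 +584,8 @@) without an initialiser, and the switch on gssapi_client_type that fills it in the next hunk has no default case, so a client type that is neither GSS_KERBEROS nor GSS_GSI (or a build with neither KRB5 nor GSI defined) passes an indeterminate pointer to auth_log(). Initialise it (`char *info = NULL;`), add a default branch that supplies the previous " ssh2" text, and xfree() the allocation after auth_log().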
@@ -598,8 +621,24 @@ packet_write_wait(); } - auth_log(authctxt, authenticated, "gssapi", " ssh2"); + switch (gssapi_client_type) { +#ifdef KRB5 + case GSS_KERBEROS: + info_len = strlen(gssapi_client_name.value) + strlen("krb5") + 2 + 1; + info = xmalloc(info_len); + (void) snprintf(info, info_len, " %s:%s", "krb5", gssapi_client_name.value); + break; +#endif /* KRB5 */ +#ifdef GSI + case GSS_GSI: + info_len = strlen(gssapi_client_name.value) + strlen("gsi") + 2 + 1; + info = xmalloc(info_len); + (void) snprintf(info, info_len, " %s:%s", "gsi", gssapi_client_name.value); + break; +#endif /* GSI */ + } authctxt->postponed = 0; + auth_log(authctxt, authenticated, "gssapi", info); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); userauth_reply(authctxt, authenticated); ********************************************************************************
From stevesk at pobox.com Thu Aug 16 07:39:05 2001
From: stevesk at pobox.com (Kevin Steves) Date: Wed, 15 Aug 2001 14:39:05 -0700 (PDT) Subject: ProxyCommand broken in SNAP-20010814 In-Reply-To: <20010815191836.672C.0@argo.troja.mff.cuni.cz> Message-ID: On Wed, 15 Aug 2001, Pavel Kankovsky wrote: :For some odd reason, one line was removed from the handling of :ProxyCommand in readconf.c. As a result, ssh crashes on strlen(string) :when it parses this option. : :--- readconf.c:X Mon Aug 6 23:35:52 2001 :+++ readconf.c Wed Aug 15 16:11:44 2001 :@@ -475,6 +475,7 @@ : : case oProxyCommand: : charptr = &options->proxy_command; :+ string = xstrdup(""); : while ((arg = strdelim(&s)) != NULL && *arg != '\0') { : string = xrealloc(string, strlen(string) + strlen(arg) + 2); strcat(string, " "); this was the change, with the commit message below. i'm guessing a local change ben was working on accidentally made it into this commit. it looks like the goal was to use xrealloc(NULL,...). Index: readconf.c =================================================================== RCS file: /var/cvs/openssh/readconf.c,v retrieving revision 1.55 retrieving revision 1.56 diff -u -r1.55 -r1.56 --- readconf.c 2001/07/04 04:21:16 1.55 +++ readconf.c 2001/08/06 20:47:24 1.56 @@ -256,7 +256,8 @@ char *line, const char *filename, int linenum, int *activep) { - char buf[256], *s, *string, **charptr, *endofnumber, *keyword, *arg; + char buf[256], *s, *string = NULL, **charptr, *endofnumber, *keyword, + *arg; int opcode, *intptr, value; u_short fwd_port, fwd_host_port; @@ -469,7 +470,6 @@ case oProxyCommand: charptr = &options->proxy_command; - string = xstrdup(""); while ((arg = strdelim(&s)) != NULL && *arg != '\0') { string = xrealloc(string, strlen(string) + strlen(arg) + 2); strcat(string, " "); revision 1.56 date: 2001/08/06 20:47:24; author: mouring; state: Exp; lines: +2 -2 - markus at cvs.openbsd.org 2001/07/22 21:32:27 [sshpty.c] update comment From mouring at etoh.eviladmin.org Thu Aug 16 08:24:46 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 15 Aug 2001 17:24:46 -0500 (CDT) Subject: ProxyCommand broken in SNAP-20010814 In-Reply-To: Message-ID: That is weird.. I could have sworn I was doing that test under OpenBSD 2.8 and not on my Linux box. Sorry.. I'll take care of it in a few minutes. - Ben Confuzed... On Wed, 15 Aug 2001, Kevin Steves wrote: > On Wed, 15 Aug 2001, Pavel Kankovsky wrote: > :For some odd reason, one line was removed from the handling of > :ProxyCommand in readconf.c. As a result, ssh crashes on strlen(string) > :when it parses this option. > : > :--- readconf.c:X Mon Aug 6 23:35:52 2001 > :+++ readconf.c Wed Aug 15 16:11:44 2001 > :@@ -475,6 +475,7 @@ > : > : case oProxyCommand: > : charptr = &options->proxy_command; > :+ string = xstrdup(""); > : while ((arg = strdelim(&s)) != NULL && *arg != '\0') { > : string = xrealloc(string, strlen(string) + strlen(arg) + 2); strcat(string, " "); > > this was the change, with the commit message below. i'm guessing a local > change ben was working on accidentally made it into this commit. it looks > like the goal was to use xrealloc(NULL,...). > > Index: readconf.c > =================================================================== > RCS file: /var/cvs/openssh/readconf.c,v > retrieving revision 1.55 > retrieving revision 1.56 > diff -u -r1.55 -r1.56 > --- readconf.c 2001/07/04 04:21:16 1.55 > +++ readconf.c 2001/08/06 20:47:24 1.56 > @@ -256,7 +256,8 @@ > char *line, const char *filename, int linenum, > int *activep) > { > - char buf[256], *s, *string, **charptr, *endofnumber, *keyword, *arg; > + char buf[256], *s, *string = NULL, **charptr, *endofnumber, *keyword, > + *arg; > int opcode, *intptr, value; > u_short fwd_port, fwd_host_port;
> > @@ -469,7 +470,6 @@ > > case oProxyCommand: > charptr = &options->proxy_command; > - string = xstrdup(""); > while ((arg = strdelim(&s)) != NULL && *arg != '\0') { > string = xrealloc(string, strlen(string) + strlen(arg) + 2); > strcat(string, " "); > > revision 1.56 > date: 2001/08/06 20:47:24; author: mouring; state: Exp; lines: +2 -2 > - markus at cvs.openbsd.org 2001/07/22 21:32:27 > [sshpty.c] > update comment > > From djm at mindrot.org Thu Aug 16 10:17:16 2001 From: djm at mindrot.org (Damien Miller) Date: Thu, 16 Aug 2001 10:17:16 +1000 (EST) Subject: PAM and getpwnam [ struct passwd *getpwnam(const char * name) ] In-Reply-To: Message-ID: On Wed, 15 Aug 2001 erik at math.uu.se wrote: > Hello! > > I use a PAM-module (pam_ncp_auth from ncpfs) for authentication against a > netware server. > > pam_ncp_auth can create local UNIX user accounts from information in NDS, > and it works perfectly with login, gdm and telnet. But not with openssh (2.5 > and 2.9). This query has come up in various forms a couple of times. My position is that, if you want to use alternate stores of account information, you should emulate the standard Unix APIs for accessing them. This means that your NDS must implement getpwnam, getpwuid, etc. Typically this is done through nsswitch libraries. PAM is an authentication API; it shouldn't try to be an "authentication and fiddle with account information" API. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From stuart_kemp at hotmail.com Thu Aug 16 01:55:51 2001
From: stuart_kemp at hotmail.com (Stuart Kemp) Date: Thu, 16 Aug 2001 01:55:51 Subject: port-forwarding problem!? Message-ID: Using OpenSSH_2.9p2 on Linux and Sparc Solaris. Trying to connect from Linux to Solaris, with remote port-forwarding, i.e. on Linux, ssh -R 3000:Linux:23 Solaris The connection is established okay, but the port-forwarding does not work; on Solaris, the connection to localhost port 3000 is accepted, but it appears as if no data makes it back to port 23 on Linux. If an older 1.2.30 sshd is used on Solaris, then things work okay (i.e. the telnet connection can be established). The problem happens every time. Running in debug mode does not indicate that there are any config options that are denying the forwarding. From Leakin at dfw.Nostrum.com Thu Aug 16 12:03:48 2001 From: Leakin at dfw.Nostrum.com (Lee Eakin) Date: Wed, 15 Aug 2001 21:03:48 -0500 Subject: port-forwarding problem!? In-Reply-To: References: Message-ID: <20010815210348.A3721@japh.itg.ti.com> This is a known issue with 2.9p2 that is fixed in the current CVS tree. Apply this patch (I got it from the list a while back). -Lee --- channels.c.orig Wed Jun 13 14:18:05 2001 +++ channels.c Thu Aug 2 20:26:25 2001 @@ -773,8 +773,9 @@ rtype = (c->type == SSH_CHANNEL_RPORT_LISTENER) ? "forwarded-tcpip" : "direct-tcpip"; - nextstate = (c->host_port == 0) ? SSH_CHANNEL_DYNAMIC : - SSH_CHANNEL_OPENING; + nextstate = (c->host_port == 0 && + c->type != SSH_CHANNEL_RPORT_LISTENER) ? + SSH_CHANNEL_DYNAMIC : SSH_CHANNEL_OPENING; addrlen = sizeof(addr); newsock = accept(c->sock, &addr, &addrlen); ---begin quoted text---
> From: "Stuart Kemp" > To: openssh-unix-dev at mindrot.org > Subject: port-forwarding problem!? > Date: Thu, 16 Aug 2001 01:55:51 > > Using OpenSSH_2.9p2 on Linux and Sparc Solaris. > Trying to connect from Linux to Solaris, with remote port-forwarding > i.e. On Linux, ssh -R 3000:Linux:23 Solaris ---end quoted text--- -- Lee Eakin - leakin at dfw.nostrum.com "There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." -- Jeremy S. Anderson From Jeroen.Scheerder at phil.uu.nl Thu Aug 16 20:06:39 2001 
From: Jeroen.Scheerder at phil.uu.nl (Jeroen Scheerder) Date: Thu, 16 Aug 2001 12:06:39 +0200 Subject: ossh, S/Key AND password authentication Message-ID: <20010816120639.A27495@phil.uu.nl> I've been trying to establish the following setup: * on port 22, a vanilla sshd that allows publickey and keyboard-interactive requests using only protocol v2 * on port 1022, an sshd that allows publickey, password and keyboard-interactive requests using both protocol 1 and 2 The first is meant to be open to the world, the second is accessible only from within the (firewalled) private network. The reason for that is that I'd like to have a means of relatively secure outside access for which the -- possibly insecure -- reusable passwords do not suffice. I wanted to start teaching my users to use publickey authentication, with encrypted keys. A first transfer could then be accomplished with a session authenticated using S/Key. My OpenSSH 2.9p2, on Solaris, is compiled with S/Key 1.1.5 (which I've patched to deal with Solaris shadow passwords). It works, but there's a snag. S/Key is nice, but when researchers travel abroad, they're bound to have the OTPs printed with them. When using them as an authentication strategy, it suffices to have a username and an OTP to log in; I'm not at ease with that, given that these cards can easily be lost, stolen, copied and used by anyone to gain access this way. What I'd *like* to have is a somewhat more sophisticated authentication strategy: - public key auth succeeded? Ok, carry on. - otherwise, try S/Key. S/Key failed? Bail out. S/Key succeeded? Use password authentication as a second step. The authentication process, though, is heavily client-driven. I've found no way yet to get this done in OpenSSH. Hints, or good ideas, anyone? Regards, Jeroen. From markus.friedl at informatik.uni-erlangen.de Thu Aug 16 21:27:30 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 16 Aug 2001 13:27:30 +0200 Subject: Password change request In-Reply-To: ; from roger@interpeak.se on Wed, Aug 15, 2001 at 04:34:07PM +0200 References: Message-ID: <20010816132730.A28444@folly> it's not very high on the todo list. On Wed, Aug 15, 2001 at 04:34:07PM +0200, Roger Bodén wrote: > Are there any plans to support the SSH_MSG_USERAUTH_CHANGEREQ message (part > of ssh v2 authentication protocol). We have an SSH server for RTOSs that is > able to send that message. So we're interested in support in the ssh client. > > Roger Bodén > INTERPEAK > Box 7498 > SE-103 92 Stockholm > Sweden > Office: +46 8 545 275 80 > Fax: +46 8 545 275 99 > www.interpeak.com > From jjaakkol at cs.Helsinki.FI Thu Aug 16 22:04:19 2001
From: jjaakkol at cs.Helsinki.FI (Jani Jaakkola) Date: Thu, 16 Aug 2001 15:04:19 +0300 (EEST) Subject: Idletimeout patch Message-ID: While I was updating our ssh-servers, I rewrote my old patch that adds an idletimeout parameter (just like in old ssh1) to openssh. Since reapplying the patch for all new versions of openssh is not fun at all, I would like to have it included in the official openssh, if you consider the patch worthy. Unlike ClientAlive, idletimeout works for both protocol versions. It also works together with ClientAlive (however, the code which prevents clientalive messages from resetting idletimeout is not foolproof. A foolproof patch would require adding different idletimeout support to different packets, which would be too complex). It adds two time() syscalls to the select loop, but only if idletimeout is used in the configuration file. The attached patch (also available from http://www.cs.helsinki.fi/u/jjaakkol/idletimeout.patch ) is against openssh-2.9p2. If you will include it in the official openssh, I would be very happy to also document it. - Jani -------------- next part -------------- diff -ru openssh-2.9p2.orig/CREDITS openssh-2.9p2/CREDITS --- openssh-2.9p2.orig/CREDITS Mon Apr 16 03:41:46 2001 +++ openssh-2.9p2/CREDITS Wed Aug 15 22:00:02 2001 @@ -42,6 +42,7 @@ IWAMURO Motonori - bugfixes Jani Hakala - Patches Jarno Huuskonen - Bugfixes +Jani Jaakkola - IdleTimeOut Jim Knoble - Many patches Jonchen (email unknown) - the original author of PAM support of SSH Juergen Keil - scp bugfixing diff -ru openssh-2.9p2.orig/servconf.c openssh-2.9p2/servconf.c --- openssh-2.9p2.orig/servconf.c Wed Apr 25 15:44:15 2001 +++ openssh-2.9p2/servconf.c Wed Aug 15 22:10:23 2001 @@ -102,6 +102,7 @@ options->client_alive_interval = -1; options->client_alive_count_max = -1; options->pam_authentication_via_kbd_int = -1; + options->idletimeout = -1; } void
@@ -210,6 +211,8 @@ options->client_alive_count_max = 3; if (options->pam_authentication_via_kbd_int == -1) options->pam_authentication_via_kbd_int = 0; + if (options->idletimeout == -1) + options->idletimeout=0; } /* Keyword tokens. */ @@ -235,7 +238,8 @@ sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, sBanner, sReverseMappingCheck, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, - sClientAliveCountMax, sPAMAuthenticationViaKbdInt + sClientAliveCountMax, sPAMAuthenticationViaKbdInt, + sIdleTimeout } ServerOpCodes; /* Textual representation of the tokens. */ @@ -302,6 +306,7 @@ { "clientaliveinterval", sClientAliveInterval }, { "clientalivecountmax", sClientAliveCountMax }, { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt }, + { "idletimeout", sIdleTimeout }, { NULL, 0 } }; @@ -801,7 +806,28 @@ case sPAMAuthenticationViaKbdInt: intptr = &options->pam_authentication_via_kbd_int; goto parse_flag; - + case sIdleTimeout: + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing IdleTimeout argument", + filename,linenum); + options->idletimeout=atoi(arg); + switch(arg[strlen(arg)-1]) { + case 'w': options->idletimeout*=7; + case 'd': options->idletimeout*=24; + case 'h': options->idletimeout*=60; + case 'm': options->idletimeout*=60; + case 's': + case '0': case '1': case '2': case '3': + case '4': case '5': case '6': case '7': + case '8': case '9': + break; + default: + fatal("%s line %d: Invalid IdleTimeout argument", + filename,linenum); + } + break; + default: fatal("%s line %d: Missing handler for opcode %s (%d)", filename, linenum, arg, opcode); diff -ru openssh-2.9p2.orig/servconf.h openssh-2.9p2/servconf.h --- openssh-2.9p2.orig/servconf.h Wed Apr 25 15:44:16 2001 +++ openssh-2.9p2/servconf.h Wed Aug 15 22:09:33 2001 
@@ -125,6 +125,10 @@ * diconnect the session */ int pam_authentication_via_kbd_int; + int idletimeout; /* + * If nonzero, the number of second + * after which idle connections + * will be terminated */ } ServerOptions; /* * Initializes the server options to special values that indicate that they diff -ru openssh-2.9p2.orig/serverloop.c openssh-2.9p2/serverloop.c --- openssh-2.9p2.orig/serverloop.c Sat Apr 14 02:28:03 2001 +++ openssh-2.9p2/serverloop.c Thu Aug 16 14:12:14 2001 @@ -79,7 +79,8 @@ static int connection_out; /* Connection to client (output). */ static int connection_closed = 0; /* Connection to client closed. */ static u_int buffer_high; /* "Soft" max buffer size. */ - +static time_t idletime_last=0; /* The last time something happened + * for idletimeout. */ /* * This SIGCHLD kludge is used to detect when the child exits. The server * will exit after that, as soon as forwarded connections have terminated. @@ -193,7 +194,9 @@ struct timeval tv, *tvp; int ret; int client_alive_scheduled = 0; - + /* Secs until idletimeout, zero if no idletimeout */ + int max_time_seconds=0; + /* * if using client_alive, set the max timeout accordingly, * and indicate that this particular timeout was for client @@ -208,6 +211,24 @@ } else client_alive_scheduled = 0; + + if (options.idletimeout>0) { + if (idletime_last==0) { + /* Initialize idletime_last */ + time(&idletime_last); + } + /* Schedule idletimeout if no other timeouts are scheduled. + * Idletimeouts are the longest and it is not a big deal, + * if they are missed by few seconds. */ + if (max_time_milliseconds == 0) { + time_t diff=time(NULL)-idletime_last; + if (diff>=options.idletimeout) + max_time_seconds=1; + else + max_time_seconds=options.idletimeout-diff; + } + } + /* When select fails we restart from here. */ retry_select: 
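Review bot: the deadline arithmetic in the `if (options.idletimeout>0)` hunk above is built on time() and therefore follows the wall clock; a forward step (ntpdate, a VM resumed from a snapshot) makes `time(NULL)-idletime_last` exceed the timeout at once and the next select() round disconnects every idle-timed session, while a backward step makes `diff` negative and `max_time_seconds=options.idletimeout-diff` longer than the configured value. Re-base `idletime_last` to now whenever it is in the future, and say in a comment that the timer is wall-clock based. `max_time_seconds` is only computed when `max_time_milliseconds == 0`, so with ClientAliveInterval set the idle check depends on the client-alive wakeups also returning `ret==0`; that holds today but deserves a comment, because the dependency is invisible from this hunk. The servconf.h hunk at the top of the block says 'the number of second'; make it 'seconds'.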
@@ -258,10 +279,17 @@ if (child_terminated && packet_not_very_much_data_to_write()) if (max_time_milliseconds == 0 || client_alive_scheduled) max_time_milliseconds = 100; - - if (max_time_milliseconds == 0) - tvp = NULL; - else { + + if (max_time_milliseconds == 0) { + /* Use max_time_seconds only if max_time_milliseconds is + * not set */ + if (max_time_seconds>0) { + tv.tv_sec=max_time_seconds; + tv.tv_usec=0; + tvp=&tv; + } else + tvp = NULL; + } else { tv.tv_sec = max_time_milliseconds / 1000; tv.tv_usec = 1000 * (max_time_milliseconds % 1000); tvp = &tv; @@ -301,7 +329,22 @@ packet_disconnect( "No open channels after timeout!"); } - } + } + + if (options.idletimeout>0) { + /* Reset idletimeout if something happened. + * NOTE: events events happening while there is + * active client_alive_timeouts are ignored. This way + * client_alive messages won't reset idletimeout counter.*/ + if (ret>0 && client_alive_timeouts==0) { + time(&idletime_last); + } + /* Check if idletimeout has happened */ + if (ret==0 && time(NULL)-idletime_last>options.idletimeout) { + packet_disconnect("Idletimeout."); + options.idletimeout=0; + } + } } /* From mouring at etoh.eviladmin.org Thu Aug 16 22:55:53 2001 
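Review bot: `options.idletimeout=0;` after `packet_disconnect("Idletimeout.");` in the last hunk above is unreachable, since packet_disconnect() sends the disconnect message and exits rather than returning; drop it. The reset condition `ret>0 && client_alive_timeouts==0` counts any ready descriptor as activity, so output the session's child keeps writing toward the client (a forgotten `top` or `tail -f`) defers the timeout forever, and a key re-exchange resets it as well, as Per points out further down the thread; both follow from resetting on select() readiness instead of on what was actually exchanged. The scheduler uses `diff>=options.idletimeout` while the expiry test uses `time(NULL)-idletime_last>options.idletimeout`; the mismatch only costs one extra one-second select() round, but pick one operator.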
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 16 Aug 2001 07:55:53 -0500 (CDT) Subject: Idletimeout patch In-Reply-To: Message-ID: This is pretty much equivalent to idled or the hundreds of other idle testing daemons out there, except it's more limited. Idled is much nicer for doing such things. It gives you more control over the whole process, so you can disable it for certain groups of people. Your patch does not, so to most people it would be useless. I really don't want to see this patch go in. - Ben On Thu, 16 Aug 2001, Jani Jaakkola wrote: > > While I was updating our ssh-servers, I rewrote my old patch that adds > an idletimeout parameter (just like in old ssh1) to openssh. Since reapplying > the patch for all new versions of openssh is not fun at all, I would like > to have it included in the official openssh, if you consider the patch > worthy. > > Unlike ClientAlive, idletimeout works for both protocol versions. It also > works together with ClientAlive (however, the code which prevents > clientalive-messages from resetting idletimeout is not foolproof. > A foolproof patch would require adding different idletimeout support for > different packets, which would be too complex). > > It adds two time() syscalls to the select loop, but only if idletimeout is > used in the configuration file. > > The attached patch (also available from > http://www.cs.helsinki.fi/u/jjaakkol/idletimeout.patch > ) is against openssh-2.9p2. If you include it in the > official openssh, I would be very happy to document it as well. > > - Jani > > From carson at taltos.org Fri Aug 17 01:57:21 2001 
From: carson at taltos.org (Carson Gaspar) Date: Thu, 16 Aug 2001 08:57:21 -0700 Subject: ossh, S/Key AND password authentication In-Reply-To: <20010816120639.A27495@phil.uu.nl> References: <20010816120639.A27495@phil.uu.nl> Message-ID: <78309583.997952240@[10.0.69.69]> My partial authentication support patch will allow you to do most of this. I should have a new version of the patch against current CVS soon. The only issue is the s/key followed by password, since the SSH protocol uses the same mechanism for both of these. I'll see if I can leverage the bsdauth stuff to allow something like: AuthOrder publickey, password at skey:password at passwd, kbd-interactive at skey:kbd-interactive at passwd -- Carson From jakob at openbsd.org Fri Aug 17 19:32:12 2001 From: jakob at openbsd.org (jakob at openbsd.org) Date: Fri, 17 Aug 2001 11:32:12 +0200 (MEST) Subject: [jakob@crt.se: Re: [PATCH] Maildir support] In-Reply-To: Message-ID: On Tue, 14 Aug 2001, Damien Miller wrote: > I agree - IMO the CheckMail feature should be removed. If people want it, > they can put a check in their .profile or whatever. we have now deprecated the CheckMail option. jakob From jjaakkol at cs.Helsinki.FI Fri Aug 17 22:45:24 2001 
From: jjaakkol at cs.Helsinki.FI (Jani Jaakkola) Date: Fri, 17 Aug 2001 15:45:24 +0300 (EEST) Subject: Idletimeout patch In-Reply-To: Message-ID: On Thu, 16 Aug 2001 mouring at etoh.eviladmin.org wrote: > > This is pretty much equiv to idled or the hundreds of other idle testing > daemons out there. Except it's more limited. Idled is much nicer for > doing such things. I checked on idled and it seems to be a tool for throwing users out of ttys. I don't need a tool like that: I need a tool that kills idle _ssh_-sessions, regardless of protocol version or whether the sessions have a tty or not. In our environment we have thousands of users and hundreds of ssh sessions (both protocol versions) a day, and hung or just forgotten ssh sessions (also sessions without a tty) are a real problem. > It gives you more control over the whole process so you can > disable it for certain groups of people. Your patch does not so to most > people it would be useless. I guess that ssh already has lots of features that are useless for most people. Is there any technical reason not to accept the patch? If there is something wrong with the patch I would like to know it, since I will be installing it on a couple hundred machines. - Jani From per at appgate.com Fri Aug 17 23:01:42 2001 
From: per at appgate.com (Per Allansson) Date: Fri, 17 Aug 2001 15:01:42 +0200 Subject: Idletimeout patch References: Message-ID: <3B7D15B6.E4B895D4@appgate.com> I agree with Jani - this is not a useless feature - and it cannot be solved by using other programs like idled. There is at least one thing missing in the patch - handling of key re-exchange - a key re-exchange should not reset the idle timeout timer. Jani Jaakkola wrote: > > On Thu, 16 Aug 2001 mouring at etoh.eviladmin.org wrote: > > > > > This is pretty much equiv to idled or the hundreds of other idle testing > > daemons out there. Except it's more limited. Idled is much nicer for > > doing such things. > > I checked on idled and it seems to be a tool for throwing users out of > ttys. I don't need a tool like that: I need a tool that kills idle > _ssh_-sessions, regardless of protocol version or whether the sessions > have a tty or not. In our environment we have thousands of users and > hundreds of ssh sessions (both protocol versions) a day, and hung or > just forgotten ssh sessions (also sessions without a tty) are a real > problem. > > > It gives you more control over the whole process so you can > > disable it for certain groups of people. Your patch does not so to most > > people it would be useless. > > I guess that ssh already has lots of features that are useless for most > people. > > Is there any technical reason not to accept the patch? If there is > something wrong with the patch I would like to know it, since I will be > installing it on a couple hundred machines. > > - Jani From nico at sonycom.com Fri Aug 17 23:20:23 2001 
From: nico at sonycom.com (Nico De Ranter) Date: Fri, 17 Aug 2001 15:20:23 +0200 Subject: openssh-2.9p2 not allowing root access? Message-ID: <20010817152023.E25902@immortelle.sonytel.be> Howdy, I just installed openssh-2.9p2 on a Solaris 8 system. I use the same configuration files as the previous installation (which was 2.9p1), however I suddenly can't log in as root anymore. Logging in as a regular user + "su" still works, so it's not a password issue. I'm very sure the sshd_config has "PermitRootLogin yes". Did any of the sshd_config options change? Nico --------------------------------------------------------- "It has been said that there are only two businesses that refer to customers as users: illegal drug trade and the computer industry." --------------------------------------------------------- Nico De Ranter Sony Service Center (SDCE/VPE-B) Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne) 1130 Brussel (Bruxelles), Belgium, Europe, Earth Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86 e-mail: nico.deranter at sonycom.com From Nicolas.Williams at ubsw.com Fri Aug 17 23:39:54 2001 
From: Nicolas.Williams at ubsw.com (Nicolas Williams) Date: Fri, 17 Aug 2001 09:39:54 -0400 Subject: Idletimeout patch In-Reply-To: ; from jjaakkol@cs.Helsinki.FI on Fri, Aug 17, 2001 at 03:45:24PM +0300 References: Message-ID: <20010817093952.K5739@sm2p1386swk.wdr.com> On Fri, Aug 17, 2001 at 03:45:24PM +0300, Jani Jaakkola wrote: > I checked on idled and it seems to be a tool for throwing users out of > ttys. I don't need a tool like that: I need a tool that kills idle > _ssh_-sessions, regardless of protocol version or whether the sessions > have a tty or not. In our environment we have thousands of users and > hundreds of ssh sessions (both protocol versions) a day, and hung or > just forgotten ssh sessions (also sessions without a tty) are a real > problem. I agree with this sentiment, but see below. > I guess that ssh already has lots of features that are useless for most > people. And we keep asking for more. :) > Is there any technical reason not to accept the patch? If there is > something wrong with the patch I would like to know it, since I will be > installing it on a couple hundred machines. Well, the F-Secure SSH supports an idle-timeout option for use in authorized_keys file entries. I'd like OpenSSH to at least recognize that option, even if it's not implemented (and warn if it isn't). > - Jani Nico -- . Visit our website at http://www.ubswarburg.com This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. 
The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments. From stevesk at pobox.com Sat Aug 18 03:12:41 2001 From: stevesk at pobox.com (Kevin Steves) Date: Fri, 17 Aug 2001 10:12:41 -0700 (PDT) Subject: Idletimeout patch In-Reply-To: Message-ID: On Thu, 16 Aug 2001 mouring at etoh.eviladmin.org wrote: :This is pretty much equiv to idled or the hundreds of other idle testing :daemons out there. Except it's more limited. Idled is much nicer for :doing such things. It gives you more control over the whole process so you can :disable it for certain groups of people. Your patch does not so to most :people it would be useless. actually, idletimeout needs to be internal. an external program can't determine whether no data has passed over a channel for the timeout period. it also needs to know about things like clientalive messages, which jani has tried to tackle. we also want a key file option to be able to override the server value. i think this is an important configuration option that can be used to increase security. From stevesk at pobox.com Sat Aug 18 08:01:03 2001 
From: stevesk at pobox.com (Kevin Steves) Date: Fri, 17 Aug 2001 15:01:03 -0700 (PDT) Subject: Idletimeout patch In-Reply-To: Message-ID: thanks. here's the patch against current portable CVS with KNF and cleanups. i wonder if this could be shortened by eliminating max_time_seconds and using max_time_milliseconds? i'll also add key file support for idle-timeout later. Index: servconf.h =================================================================== RCS file: /var/cvs/openssh/servconf.h,v retrieving revision 1.38 diff -u -r1.38 servconf.h --- servconf.h 2001/07/04 18:37:21 1.38 +++ servconf.h 2001/08/17 20:24:43 @@ -129,6 +129,11 @@ char *authorized_keys_file; /* File containing public keys */ char *authorized_keys_file2; + long idle_timeout; /* + * If nonzero, the number of seconds + * after which idle connections + * will be terminated + */ int pam_authentication_via_kbd_int; } ServerOptions; Index: servconf.c =================================================================== RCS file: /var/cvs/openssh/servconf.c,v retrieving revision 1.63 diff -u -r1.63 servconf.c --- servconf.c 2001/07/14 02:20:32 1.63 +++ servconf.c 2001/08/17 20:24:47 @@ -105,6 +105,7 @@ options->client_alive_count_max = -1; options->authorized_keys_file = NULL; options->authorized_keys_file2 = NULL; + options->idle_timeout = -1; options->pam_authentication_via_kbd_int = -1; } @@ -218,6 +219,8 @@ options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; if (options->authorized_keys_file2 == NULL) options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2; + if (options->idle_timeout == -1) + options->idle_timeout = 0; if (options->pam_authentication_via_kbd_int == -1) options->pam_authentication_via_kbd_int = 0; } @@ -249,6 +252,7 @@ sBanner, sReverseMappingCheck, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, + sIdleTimeout, sPAMAuthenticationViaKbdInt } ServerOpCodes; 
@@ -320,6 +324,7 @@ { "authorizedkeysfile", sAuthorizedKeysFile }, { "authorizedkeysfile2", sAuthorizedKeysFile2 }, { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt }, + { "idletimeout", sIdleTimeout }, { NULL, 0 } }; @@ -846,6 +851,10 @@ intptr = &options->pam_authentication_via_kbd_int; goto parse_flag; + case sIdleTimeout: + intptr = &options->idle_timeout; + goto parse_time; + default: fatal("%s line %d: Missing handler for opcode %s (%d)", filename, linenum, arg, opcode); Index: serverloop.c =================================================================== RCS file: /var/cvs/openssh/serverloop.c,v retrieving revision 1.75 diff -u -r1.75 serverloop.c --- serverloop.c 2001/07/26 17:51:50 1.75 +++ serverloop.c 2001/08/17 20:24:53 @@ -80,7 +80,6 @@ static int connection_out; /* Connection to client (output). */ static int connection_closed = 0; /* Connection to client closed. */ static u_int buffer_high; /* "Soft" max buffer size. */ - /* * This SIGCHLD kludge is used to detect when the child exits. The server * will exit after that, as soon as forwarded connections have terminated. @@ -174,7 +173,11 @@ struct timeval tv, *tvp; int ret; int client_alive_scheduled = 0; - + /* idletimeout last activity time */ + static time_t idletime_last = 0; + /* time until idletimeout, zero if no idletimeout */ + int max_time_seconds = 0; + /* * if using client_alive, set the max timeout accordingly, * and indicate that this particular timeout was for client 
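Review bot: `intptr = &options->idle_timeout; goto parse_time;` in the servconf.c hunk above writes through `intptr`, which is an `int *`, into a field that the servconf.h hunk declares as `long idle_timeout`. On ILP32 that is a type mismatch the compiler warns about; on LP64 parse_time stores 4 of the field's 8 bytes and `options.idle_timeout > 0` in serverloop.c reads whatever the other 4 contained. Declare the field `int` like client_alive_interval, which is what every other time-valued option in this struct uses. Moving `idletime_last` into wait_until_can_do_something() as a local static is fine for sshd, where each connection runs in its own process after the fork, but a one-line comment saying it is per-connection state would stop someone reusing the function elsewhere from being surprised.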
@@ -189,6 +192,24 @@ max_time_milliseconds = options.client_alive_interval * 1000; } + if (options.idle_timeout > 0) { + if (idletime_last == 0) + time(&idletime_last); /* Initialize */ + + /* + * Schedule idletimeout if no other timeouts are scheduled. + * Idletimeouts are the longest and it is not a big deal + * if they are missed by few seconds. + */ + if (max_time_milliseconds == 0) { + time_t diff = time(NULL) - idletime_last; + if (diff >= options.idle_timeout) + max_time_seconds = 1; + else + max_time_seconds = options.idle_timeout - diff; + } + } + /* When select fails we restart from here. */ retry_select: @@ -239,10 +260,19 @@ if (child_terminated && packet_not_very_much_data_to_write()) if (max_time_milliseconds == 0 || client_alive_scheduled) max_time_milliseconds = 100; - - if (max_time_milliseconds == 0) - tvp = NULL; - else { + + if (max_time_milliseconds == 0) { + /* + * Use max_time_seconds only if max_time_milliseconds is + * not set + */ + if (max_time_seconds > 0) { + tv.tv_sec = max_time_seconds; + tv.tv_usec = 0; + tvp = &tv; + } else + tvp = NULL; + } else { tv.tv_sec = max_time_milliseconds / 1000; tv.tv_usec = 1000 * (max_time_milliseconds % 1000); tvp = &tv; @@ -282,7 +312,22 @@ packet_disconnect( "No open channels after timeout!"); } - } + } + + if (options.idle_timeout > 0) { + /* + * Reset idletimeout if something happened. + * NOTE: events happening while there is + * active client_alive_timeouts are ignored. This way + * client_alive messages won't reset idletimeout counter. + */ + if (ret > 0 && client_alive_timeouts == 0) + time(&idletime_last); + /* Check if idletimeout has happened */ + if (ret == 0 && + time(NULL) - idletime_last > options.idle_timeout) + packet_disconnect("Timeout, idle time exceeded."); + } } /* From smeyer at umich.edu Sat Aug 18 08:35:21 2001 
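Review bot: `ret > 0 && client_alive_timeouts == 0` in the last hunk above still treats any readable or writable descriptor as activity, so a session whose program keeps producing output never expires and a key re-exchange resets the timer; Jani's follow-up on this thread hooks packet_start() and dispatch_run() to decide per message type instead, which is where that decision belongs. On the question of folding max_time_seconds into max_time_milliseconds: `idle_timeout * 1000` in an int overflows above 2147483 seconds (roughly 24.8 days), so the seconds path can only go if the milliseconds variable is widened or the idle value is clamped at parse time. The `@@ -80,7 +80,6 @@` hunk deletes an unrelated blank line; leave it out of this change.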
From: smeyer at umich.edu (Seth Meyer) Date: Fri, 17 Aug 2001 18:35:21 -0400 (EDT) Subject: Comment Re: http://www.openssh.com/faq.html#3.2 Message-ID: The analysis given in section 3.2 of the portable OpenSSH FAQ regarding "Empty passwords not allowed with PAM authentication" appears to be specific to Linux's pam_unix.so. No mention is made that this is in fact a Linux-specific remedy. Some text should probably be added to this effect. If anyone has worked on this on Solaris 8 I'd be interested to hear what solution was found. (assuming it was not running a different instance of sshd w/o PAM support on another port) Seth Meyer From rabat at web.de Sun Aug 19 05:56:46 2001 
From: rabat at web.de (clemensF) Date: 18 Aug 2001 21:56:46 +0200 Subject: installing openssh-2.9p2 after openssl-0.9.6b on freebsd-4.3-RELEASE Message-ID: <20010818215646.C746@spotteswoode.yi.org> hi. please cc comments to me, i'm not subscribed. what i did is simply this (you might have guessed :) i had to install the improved version of openssl after recent, urgent improvements. with this came the urgent desire for openssh-CURRENT, which had to be reinstalled, because an old(?) version comes with the distribution. here's the diff. spare me and yourselves a description of what i went through to get this far: -------------------------8<---------------------------- diff -dicbB openssh-2.9p2-FIXED/Makefile openssh-2.9p2/Makefile *** openssh-2.9p2-FIXED/Makefile Sat Aug 18 21:12:53 2001 --- openssh-2.9p2/Makefile Sat Aug 18 21:34:12 2001 *************** *** 27,43 **** CC=gcc LD=gcc CFLAGS=-O -pipe -Wall -I/l/ssl/include ! CPPFLAGS=-I. -I$(srcdir) $(PATHS) -DHAVE_CONFIG_H ! # -ino: Sat-18.08.01-21:02 ! #LIBS=-lwrap -lz -lutil -lcrypto -lRSAglue -lrsaref -lcrypt ! LIBS=-lwrap -lz -lutil -lcrypt -L/l/ssl/lib -lcrypto -lssl -L/l/lib -lrsaref AR=/usr/bin/ar RANLIB=ranlib INSTALL=/usr/bin/install -c PERL=/usr/bin/perl5 ENT= XAUTH_PATH=/usr/X11R6/bin/xauth ! LDFLAGS=-L. -Lopenbsd-compat/ EXEEXT= SSH_MODE= 04711 --- 27,41 ---- CC=gcc LD=gcc CFLAGS=-O -pipe -Wall -I/l/ssl/include ! CPPFLAGS=-I. -I$(srcdir) -I/usr/local/ssl/include $(PATHS) -DHAVE_CONFIG_H ! LIBS=-lwrap -lz -lutil -lcrypto -lcrypt AR=/usr/bin/ar RANLIB=ranlib INSTALL=/usr/bin/install -c PERL=/usr/bin/perl5 ENT= XAUTH_PATH=/usr/X11R6/bin/xauth ! LDFLAGS=-L. -Lopenbsd-compat/ -L/usr/local/ssl/lib -L/l/ssl/lib -lcrypto -lssl EXEEXT= SSH_MODE= 04711 *************** *** 73,79 **** -D/etc/primes=$(sysconfdir)/primes \ -D/etc/sshrc=$(sysconfdir)/sshrc \ -D/usr/X11R6/bin/xauth=$(XAUTH_PATH) \ ! 
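Review bot: in the first hunk above, the `--- 27,41 ----` side carries `-lcrypto -lssl` in LDFLAGS and the `*** 27,43 ****` side carries them in LIBS; the latter is the right place, because in the OpenSSH Makefile LDFLAGS is expanded ahead of libssh.a on the link line, so with a static libcrypto a `-lcrypto` that precedes the archive referencing it resolves nothing and the link fails with undefined OpenSSL symbols. The PATHSUBS hunk that continues on the next line matters more than the link flags: its `--- 71,77 ----` side rewrites the default PATH to `/usr/bin:/bin:/usr/sbin:/sbin::/usr/local/bin`, and the empty element between the two colons means 'the current directory' to every shell, so each session started by that sshd would search its working directory for commands before /usr/local/bin. The `***` side drops the stray colon; make sure that is the side you keep.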
-D/usr/bin:/bin:/usr/sbin:/sbin=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin FIXPATHSCMD = $(PERL) $(srcdir)/fixpaths $(PATHSUBS) --- 71,77 ---- -D/etc/primes=$(sysconfdir)/primes \ -D/etc/sshrc=$(sysconfdir)/sshrc \ -D/usr/X11R6/bin/xauth=$(XAUTH_PATH) \ ! -D/usr/bin:/bin:/usr/sbin:/sbin=/usr/bin:/bin:/usr/sbin:/sbin::/usr/local/bin FIXPATHSCMD = $(PERL) $(srcdir)/fixpaths $(PATHSUBS) -------------------------8<---------------------------- one other thing: i am not a USA resident, i do not have RSAglue, but i treated myself to the rsaref lib, which was to be found in the ports. regards, clemens ps: i just noticed: a very, very, very important clue to understanding this is the symlink here at my place pointing from /l -> /usr/local that's it. From wichert at wiggy.net Sun Aug 19 09:25:59 2001 From: wichert at wiggy.net (Wichert Akkerman) Date: Sun, 19 Aug 2001 01:25:59 +0200 Subject: Comment Re: http://www.openssh.com/faq.html#3.2 In-Reply-To: References: Message-ID: <20010819012559.A24542@wiggy.net> Previously Seth Meyer wrote: > The analysis given in section 3.2 of the portable OpenSSH FAQ regarding > > "Empty passwords not allowed with PAM authentication" > > appears to be specific to Linux's pam_unix.so. No mention is made that > this is in fact a Linux-specific remedy. Some text should probably be > added to this effect. You can easily allow those by using the "null_ok" option for the PAM module. Wichert. -- _________________________________________________________________ / Nothing is fool-proof to a suffic…iently talented fool \ | wichert at wiggy.net http://www.liacs.nl/~wichert/ | | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D | From jjaakkol at cs.Helsinki.FI Mon Aug 20 23:30:17 2001 
From: jjaakkol at cs.Helsinki.FI (Jani Jaakkola) Date: Mon, 20 Aug 2001 16:30:17 +0300 (EEST) Subject: Idletimeout patch In-Reply-To: <3B7D15B6.E4B895D4@appgate.com> Message-ID: On Fri, 17 Aug 2001, Per Allansson wrote: > There is at least one thing missing in the patch - handling > of key re-exchange - a key re-exchange should not reset > the idle timeout timer. Right. So it seems that it really is necessary to reset idletimeout on certain packets, but not on others. Included is a more complicated but hopefully more correct patch; this patch does not reset idletimeout on packets which are used for rekeying or for client alive timeouts. It also only resets idletimeouts on actual packets and not on other events in the select loop. The included patch is also available from http://www.cs.helsinki.fi/u/jjaakkol/idletimeout.patch The old patch is available from http://www.cs.helsinki.fi/u/jjaakkol/idletimeout.patch.old I'm still willing to improve the patch and also to document it, if you are willing to include it in the openssh distribution. - Jani -------------- next part -------------- diff -ru openssh-2.9p2.orig/CREDITS openssh-2.9p2/CREDITS --- openssh-2.9p2.orig/CREDITS Mon Apr 16 03:41:46 2001 +++ openssh-2.9p2/CREDITS Wed Aug 15 22:00:02 2001 @@ -42,6 +42,7 @@ IWAMURO Motonori - bugfixes Jani Hakala - Patches Jarno Huuskonen - Bugfixes +Jani Jaakkola - IdleTimeOut Jim Knoble - Many patches Jonchen (email unknown) - the original author of PAM support of SSH Juergen Keil - scp bugfixing diff -ru openssh-2.9p2.orig/clientloop.c openssh-2.9p2/clientloop.c --- openssh-2.9p2.orig/clientloop.c Fri Apr 20 15:50:51 2001 +++ openssh-2.9p2/clientloop.c Mon Aug 20 15:08:36 2001 
@@ -1250,3 +1250,9 @@ else client_init_dispatch_15(); } + +/* Idletimeouts not implemented on client side (yet) */ +void idletimeout_check(int type, int received) +{ + /* Nothing here */ +} diff -ru openssh-2.9p2.orig/dispatch.c openssh-2.9p2/dispatch.c --- openssh-2.9p2.orig/dispatch.c Mon Feb 19 12:51:08 2001 +++ openssh-2.9p2/dispatch.c Mon Aug 20 15:00:38 2001 @@ -69,9 +69,10 @@ if (type == SSH_MSG_NONE) return; } - if (type > 0 && type < DISPATCH_MAX && dispatch[type] != NULL) + if (type > 0 && type < DISPATCH_MAX && dispatch[type] != NULL) { + idletimeout_check(type,1); (*dispatch[type])(type, plen, ctxt); - else + } else packet_disconnect("protocol error: rcvd type %d", type); if (done != NULL && *done) return; diff -ru openssh-2.9p2.orig/packet.c openssh-2.9p2/packet.c --- openssh-2.9p2.orig/packet.c Fri Apr 6 02:26:33 2001 +++ openssh-2.9p2/packet.c Mon Aug 20 15:01:06 2001 @@ -383,6 +383,7 @@ packet_start2(type); else packet_start1(type); + idletimeout_check(type,0); } /* Appends a character to the packet data. */ diff -ru openssh-2.9p2.orig/packet.h openssh-2.9p2/packet.h --- openssh-2.9p2.orig/packet.h Sun Apr 15 02:13:03 2001 +++ openssh-2.9p2/packet.h Mon Aug 20 14:59:34 2001 @@ -220,4 +220,9 @@ /* add an ignore message and make sure size (current+ignore) = n*sumlen */ void packet_inject_ignore(int sumlen); +/* This is called whenever packets are being received or sent to check + * if idletimeout counter should be reset. Type is packet type, received==1 + * if packet was received, zero if packet was sent. */ +void idletimeout_check(int type, int received); + #endif /* PACKET_H */ diff -ru openssh-2.9p2.orig/servconf.c openssh-2.9p2/servconf.c --- openssh-2.9p2.orig/servconf.c Wed Apr 25 15:44:15 2001 +++ openssh-2.9p2/servconf.c Wed Aug 15 22:10:23 2001 @@ -102,6 +102,7 @@ options->client_alive_interval = -1; options->client_alive_count_max = -1; options->pam_authentication_via_kbd_int = -1; + options->idletimeout = -1; } void 
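Review bot: with `idletimeout_check(type,0)` added to packet_start() in the packet.c hunk above, every program that links packet.o now needs a definition of idletimeout_check(), and the patch provides one for sshd (serverloop.c) and a stub for ssh (clientloop.c) only; anything else built on the packet layer (ssh-keyscan drives protocol 1 through it) will fail to link with an undefined reference. Either give packet.c a default no-op and let sshd register a callback, or add stubs for the remaining consumers. The dispatch.c hook runs before the handler is called, so a received packet is classified on its type alone; say so in the packet.h comment, since that is what makes the CHANNEL_FAILURE exemption in serverloop.c unconditional rather than tied to an outstanding client-alive probe.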
@@ -210,6 +211,8 @@ options->client_alive_count_max = 3; if (options->pam_authentication_via_kbd_int == -1) options->pam_authentication_via_kbd_int = 0; + if (options->idletimeout == -1) + options->idletimeout=0; } /* Keyword tokens. */ @@ -235,7 +238,8 @@ sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, sBanner, sReverseMappingCheck, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, - sClientAliveCountMax, sPAMAuthenticationViaKbdInt + sClientAliveCountMax, sPAMAuthenticationViaKbdInt, + sIdleTimeout } ServerOpCodes; /* Textual representation of the tokens. */ @@ -302,6 +306,7 @@ { "clientaliveinterval", sClientAliveInterval }, { "clientalivecountmax", sClientAliveCountMax }, { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt }, + { "idletimeout", sIdleTimeout }, { NULL, 0 } }; @@ -801,7 +806,28 @@ case sPAMAuthenticationViaKbdInt: intptr = &options->pam_authentication_via_kbd_int; goto parse_flag; - + case sIdleTimeout: + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing IdleTimeout argument", + filename,linenum); + options->idletimeout=atoi(arg); + switch(arg[strlen(arg)-1]) { + case 'w': options->idletimeout*=7; + case 'd': options->idletimeout*=24; + case 'h': options->idletimeout*=60; + case 'm': options->idletimeout*=60; + case 's': + case '0': case '1': case '2': case '3': + case '4': case '5': case '6': case '7': + case '8': case '9': + break; + default: + fatal("%s line %d: Invalid IdleTimeout argument", + filename,linenum); + } + break; + default: fatal("%s line %d: Missing handler for opcode %s (%d)", filename, linenum, arg, opcode); diff -ru openssh-2.9p2.orig/servconf.h openssh-2.9p2/servconf.h --- openssh-2.9p2.orig/servconf.h Wed Apr 25 15:44:16 2001 +++ openssh-2.9p2/servconf.h Wed Aug 15 22:09:33 2001 
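Review bot: the `case sIdleTimeout:` hunk above is carried over unchanged from the first version of the patch, so the same parser problems remain: atoi() plus a last-character check accepts `-5`, turns `w5` into 0, and overflows `int` for `3600w` in the `*=7 ... *=60` chain, silently disabling or corrupting the timeout instead of failing at config-parse time. Use strtol() with a range check and reject leftover characters, or jump to servconf.c's `parse_time` as Kevin's version does.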
@@ -125,6 +125,10 @@ * diconnect the session */ int pam_authentication_via_kbd_int; + int idletimeout; /* + * If nonzero, the number of second + * after which idle connections + * will be terminated */ } ServerOptions; /* * Initializes the server options to special values that indicate that they diff -ru openssh-2.9p2.orig/serverloop.c openssh-2.9p2/serverloop.c --- openssh-2.9p2.orig/serverloop.c Sat Apr 14 02:28:03 2001 +++ openssh-2.9p2/serverloop.c Mon Aug 20 15:57:05 2001 @@ -79,7 +79,8 @@ static int connection_out; /* Connection to client (output). */ static int connection_closed = 0; /* Connection to client closed. */ static u_int buffer_high; /* "Soft" max buffer size. */ - +static time_t idletime_last=0; /* The last time something happened + * for idletimeout. */ /* * This SIGCHLD kludge is used to detect when the child exits. The server * will exit after that, as soon as forwarded connections have terminated. 
@@ -180,6 +181,46 @@ } } +/* Called by dispatch.c and packet.c whenever packets are sent or received. + * This function decides whenever server idletimeout should be reset */ +void idletimeout_check(int type, int received) { + /* No-op, if idletimeouts are not configured */ + if (options.idletimeout==0) return; + + /* The following packets receive idletimeout on input or output */ + switch(type) { + case SSH2_MSG_KEXINIT: /* Ignore rekeying */ + case SSH2_MSG_NEWKEYS: + case SSH2_MSG_KEX_DH_GEX_REQUEST_OLD: + case SSH2_MSG_KEX_DH_GEX_GROUP: + case SSH2_MSG_KEX_DH_GEX_INIT: + case SSH2_MSG_KEX_DH_GEX_REPLY: + case SSH2_MSG_KEX_DH_GEX_REQUEST: + case SSH_MSG_NONE: /* Ignore dummies */ + debug("Server i/o idlecheck ignored msg %d, received=%d", + type,received); + return; + } + + if (received) { + /* The following packets do not reset idletimeout on input */ + switch(type) { + case SSH2_MSG_CHANNEL_FAILURE: /* used for client alive */ + debug("Server i idlecheck ignored msg %d",type); + return; + } + } else { + /* The following packets do not reset idletimeout on output */ + switch(type) { + case SSH2_MSG_CHANNEL_REQUEST: /* used for client alive */ + debug("Server o idlecheck ignored msg %d",type); + return; + } + } + /* Reset idletime */ + time(&idletime_last); +} + /* * Sleep in select() until we can do something. This will initialize the * select masks. Upon return, the masks will indicate which descriptors @@ -193,7 +234,9 @@ struct timeval tv, *tvp; int ret; int client_alive_scheduled = 0; - + /* Secs until idletimeout, zero if no idletimeout */ + int max_time_seconds=0; + /* * if using client_alive, set the max timeout accordingly, * and indicate that this particular timeout was for client 
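Review bot: the ignore list in idletimeout_check() above covers rekeying and SSH_MSG_NONE but not SSH_MSG_IGNORE/SSH2_MSG_IGNORE (type 2 in both protocols) or SSH2_MSG_DEBUG, which carry no user activity yet reset the timer. That cuts both ways: packet_inject_ignore(), declared directly above the new prototype in the packet.h hunk, sends IGNORE padding from this side, and a client can keep a session alive indefinitely by sending an IGNORE every few minutes, which is exactly what an idle timeout exists to stop; add both IGNORE numbers and DEBUG to the first switch. The function also resets on every outbound message, so CHANNEL_DATA carrying the child's output keeps a `tail -f` session alive; if 'idle' is meant to mean 'nothing from the user', count received packets only. The debug strings 'Server i idlecheck' and 'Server o idlecheck' would read better as 'input' and 'output'.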
@@ -208,6 +251,24 @@ } else client_alive_scheduled = 0; + + if (options.idletimeout>0) { + if (idletime_last==0) { + /* Initialize idletime_last */ + time(&idletime_last); + } + /* Schedule idletimeout if no other timeouts are scheduled. + * Idletimeouts are the longest and it is not a big deal, + * if they are missed by few seconds. */ + if (max_time_milliseconds == 0) { + time_t diff=time(NULL)-idletime_last; + if (diff>=options.idletimeout) + max_time_seconds=1; + else + max_time_seconds=options.idletimeout-diff; + } + } + /* When select fails we restart from here. */ retry_select: @@ -258,10 +319,17 @@ if (child_terminated && packet_not_very_much_data_to_write()) if (max_time_milliseconds == 0 || client_alive_scheduled) max_time_milliseconds = 100; - - if (max_time_milliseconds == 0) - tvp = NULL; - else { + + if (max_time_milliseconds == 0) { + /* Use max_time_seconds only if max_time_milliseconds is + * not set */ + if (max_time_seconds>0) { + tv.tv_sec=max_time_seconds; + tv.tv_usec=0; + tvp=&tv; + } else + tvp = NULL; + } else { tv.tv_sec = max_time_milliseconds / 1000; tv.tv_usec = 1000 * (max_time_milliseconds % 1000); tvp = &tv; @@ -301,7 +369,14 @@ packet_disconnect( "No open channels after timeout!"); } - } + } + + /* Check if idletimeout has happened */ + if (options.idletimeout>0 && ret==0 && + time(NULL)-idletime_last>options.idletimeout) { + packet_disconnect("Idletimeout."); + options.idletimeout=0; + } } /* From jjaakkol at cs.Helsinki.FI Mon Aug 20 23:38:55 2001 
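Review bot: `options.idletimeout=0;` following `packet_disconnect("Idletimeout.");` in the final hunk above is still dead code, as in the first version, because packet_disconnect() does not return. More importantly, now that the timer is reset only from packet_start() and dispatch_run(), the expiry check is still gated on `ret==0`, that is, on select() timing out; with no ClientAliveInterval and a descriptor that keeps reporting ready without any packet being exchanged, select() never returns 0 and an expired session lives on until the loop goes quiet. Evaluate `time(NULL)-idletime_last>options.idletimeout` on every pass rather than only when `ret==0`; the time() call is already there.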
From: jjaakkol at cs.Helsinki.FI (Jani Jaakkola)
Date: Mon, 20 Aug 2001 16:38:55 +0300 (EEST)
Subject: Idletimeout patch
In-Reply-To:
Message-ID:

On Fri, 17 Aug 2001, Kevin Steves wrote:

> thanks. here's the patch against current portable CVS with KNF and

I don't know what KNF is :( Is there anonymous access to portable CVS? I think in http://www.openbsd.org/anoncvs.html only the openbsd cvs tree is mentioned.

> cleanups. i wonder if this could be shortened by eliminating
> max_time_seconds and using max_time_milliseconds?

Maybe it could be shortened, but then it would need to worry about integer overflows in max_time_milliseconds with very long idle timeouts (if I did not miscalculate, it would be 24 days).

- Jani

From Markus.Friedl at informatik.uni-erlangen.de Tue Aug 21 00:02:01 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 20 Aug 2001 16:02:01 +0200
Subject: Idletimeout patch
In-Reply-To: ; from jjaakkol@cs.Helsinki.FI on Mon, Aug 20, 2001 at 04:30:17PM +0300
References: <3B7D15B6.E4B895D4@appgate.com>
Message-ID: <20010820160201.C3223@faui02.informatik.uni-erlangen.de>

but how large is the benefit/line ratio for this patch?

From pekkas at netcore.fi Tue Aug 21 00:06:07 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Mon, 20 Aug 2001 17:06:07 +0300 (EEST)
Subject: Idletimeout patch
In-Reply-To: <20010820160201.C3223@faui02.informatik.uni-erlangen.de>
Message-ID:

On Mon, 20 Aug 2001, Markus Friedl wrote:
> but how large is the benefit/line ratio for this patch?

Also, what's the benefit when compared to e.g. tcsh 'autologout' variable?

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

From jjaakkol at cs.Helsinki.FI Tue Aug 21 00:08:25 2001
From: jjaakkol at cs.Helsinki.FI (Jani Jaakkola)
Date: Mon, 20 Aug 2001 17:08:25 +0300 (EEST)
Subject: Idletimeout patch
In-Reply-To: <20010820160201.C3223@faui02.informatik.uni-erlangen.de>
Message-ID:

On Mon, 20 Aug 2001, Markus Friedl wrote:

> but how large is the benefit/line ratio for this patch?

Well, in the environment where I am network administrator we must have this functionality, so the amount of extra lines is definitely acceptable. IMHO, this patch is actually more useful than the client alive thing.

I guess it could be easily made a configure time option, if the extra amount of bytes is not acceptable for some people.

- Jani

From Christophe_Moret at hp.com Tue Aug 21 00:17:06 2001
From: Christophe_Moret at hp.com (Christophe Moret)
Date: Mon, 20 Aug 2001 16:17:06 +0200
Subject: Idletimeout patch
References:
Message-ID: <3B811BE2.7616C28F@hp.com>

In the environment I am working on, I already use an equivalent patch that I sent some time ago for years & would love to have it in the standard delivery ! I could not live without it.

-Christophe

Jani Jaakkola wrote:

> On Mon, 20 Aug 2001, Markus Friedl wrote:
>
> > but how large is the benefit/line ratio for this patch?
>
> Well, in the environment where I am network administrator we must
> have this functionality, so the amount of extra lines is definitely
> acceptable. IMHO, this patch is actually more useful than the client
> alive thing.
>
> I guess it could be easily made a configure time option, if the extra
> amount of bytes is not acceptable for some people.
>
> - Jani

-- 
Christophe Moret           mailto:Christophe_Moret at hp.com
Hewlett Packard            Phone :+33 4 76 14 40 78
5, avenue Raymond Chanas   Fax   :+33 4 76 14 47 06
38053 GRENOBLE Cedex 09    Mobile:+33 6 72 99 16 51

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Christophe_Moret.vcf
Type: text/x-vcard
Size: 377 bytes
Desc: Card for Christophe Moret
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010820/6ab97320/attachment.vcf

From jjaakkol at cs.Helsinki.FI Tue Aug 21 00:19:19 2001
From: jjaakkol at cs.Helsinki.FI (Jani Jaakkola)
Date: Mon, 20 Aug 2001 17:19:19 +0300 (EEST)
Subject: Idletimeout patch
In-Reply-To:
Message-ID:

On Mon, 20 Aug 2001, Pekka Savola wrote:

> On Mon, 20 Aug 2001, Markus Friedl wrote:
> > but how large is the benefit/line ratio for this patch?
>
> Also, what's the benefit when compared to e.g. tcsh 'autologout' variable?

As I said before, not all ssh sessions have a tty and not all ssh sessions actually even have a shell. In our environment we are tunneling imap traffic through ssh with a command like 'ssh mail-server "exec /etc/rimapd"' where there is no shell left after the exec. Also tcsh's autologout does not work, if the user is running any program in the session instead of a plain shell (which users most of the time do, since nobody is interested in plain shell access).

I am well aware that many if not most programs which are run remotely over ssh can be configured to do autologout/idletimeout themselves, but I need a solution which works for all possible programs our users could be using at once.

I am also aware that telnet and rlogin do not have this functionality. But since we do have the far superior ssh, we have disabled those services and I don't need to implement idletimeout for them.

- Jani

From Markus.Friedl at informatik.uni-erlangen.de Tue Aug 21 00:25:59 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 20 Aug 2001 16:25:59 +0200
Subject: Idletimeout patch
In-Reply-To: ; from jjaakkol@cs.Helsinki.FI on Mon, Aug 20, 2001 at 04:30:17PM +0300
References: <3B7D15B6.E4B895D4@appgate.com>
Message-ID: <20010820162559.A21136@faui02.informatik.uni-erlangen.de>

On Mon, Aug 20, 2001 at 04:30:17PM +0300, Jani Jaakkola wrote:
> diff -ru openssh-2.9p2.orig/dispatch.c openssh-2.9p2/dispatch.c > --- openssh-2.9p2.orig/dispatch.c Mon Feb 19 12:51:08 2001 > +++ openssh-2.9p2/dispatch.c Mon Aug 20 15:00:38 2001
> @@ -69,9 +69,10 @@ > if (type == SSH_MSG_NONE) > return; > } > - if (type > 0 && type < DISPATCH_MAX && dispatch[type] != NULL) > + if (type > 0 && type < DISPATCH_MAX && dispatch[type] != NULL) { > + idletimeout_check(type,1); > (*dispatch[type])(type, plen, ctxt); > - else > + } else > packet_disconnect("protocol error: rcvd type %d", type); > if (done != NULL && *done) > return; > diff -ru openssh-2.9p2.orig/packet.c openssh-2.9p2/packet.c > --- openssh-2.9p2.orig/packet.c Fri Apr 6 02:26:33 2001 > +++ openssh-2.9p2/packet.c Mon Aug 20 15:01:06 2001 
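Review bot: the dispatch.c hook `idletimeout_check(type,1);` runs only for types that have an entry in dispatch[], so a packet rejected with "protocol error: rcvd type %d" never touches the timer, which is the right order; but counting receives here and sends in packet_start() splits one mechanism across two layers, and any code that reads packets through packet_read() without going through dispatch_run() is not counted at all. Put both hooks in packet.c so every packet read or written passes through a single place.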
> @@ -383,6 +383,7 @@ > packet_start2(type); > else > packet_start1(type); > + idletimeout_check(type,0); > } i don't think that both dispatch.c and packet.c should be touched. > + case sIdleTimeout: > + arg = strdelim(&cp); > + if (!arg || *arg == '\0') > + fatal("%s line %d: Missing IdleTimeout argument", > + filename,linenum); > + options->idletimeout=atoi(arg); > + switch(arg[strlen(arg)-1]) { > + case 'w': options->idletimeout*=7; > + case 'd': options->idletimeout*=24; > + case 'h': options->idletimeout*=60; > + case 'm': options->idletimeout*=60; > + case 's': > + case '0': case '1': case '2': case '3': > + case '4': case '5': case '6': case '7': > + case '8': case '9': > + break; > + default: > + fatal("%s line %d: Invalid IdleTimeout argument", > + filename,linenum); > + } > + break; openssh-current can parse time. > +/* Called by dispatch.c and packet.c whenever packets are sent or received. > + * This function decides whenever server idletimeout should be reset */ > +void idletimeout_check(int type, int received) { > + case SSH2_MSG_KEXINIT: /* Ignore rekeying */ > + case SSH2_MSG_NEWKEYS: > + case SSH2_MSG_KEX_DH_GEX_REQUEST_OLD: > + case SSH2_MSG_KEX_DH_GEX_GROUP: > + case SSH2_MSG_KEX_DH_GEX_INIT: > + case SSH2_MSG_KEX_DH_GEX_REPLY: > + case SSH2_MSG_KEX_DH_GEX_REQUEST: there are ranges defined for KEX packets. not that kex packets are only defined for protocol 2 so you break ssh1 with this patch. > + case SSH_MSG_NONE: /* Ignore dummies */ this is not allowed on the wire. it's a protocol violation. 
> + debug("Server i/o idlecheck ignored msg %d, received=%d", > + type,received); > + return; > + } > + > + if (received) { > + /* The following packets do not reset idletimeout on input */ > + switch(type) { > + case SSH2_MSG_CHANNEL_FAILURE: /* used for client alive */ > + debug("Server i idlecheck ignored msg %d",type); > + return; > + } > + } else { > + /* The following packets do not reset idletimeout on output */ > + switch(type) { > + case SSH2_MSG_CHANNEL_REQUEST: /* used for client alive */ > + debug("Server o idlecheck ignored msg %d",type); > + return; > + } > + } > + /* Reset idletime */ > + time(&idletime_last); > +} ^^^ i don't like this at all. i think it should be simpler to have a positive list. e.g. all packets related to interactive traffic, e.g channel/stdin/out/err packets reset the counter, control messages don't). > + > /* > * Sleep in select() until we can do something. This will initialize the > * select masks. Upon return, the masks will indicate which descriptors > @@ -193,7 +234,9 @@ > struct timeval tv, *tvp; > int ret; > int client_alive_scheduled = 0; > - > + /* Secs until idletimeout, zero if no idletimeout */ > + int max_time_seconds=0; > + > /* > * if using client_alive, set the max timeout accordingly, > * and indicate that this particular timeout was for client > @@ -208,6 +251,24 @@ > } else > client_alive_scheduled = 0; > > + > + if (options.idletimeout>0) { > + if (idletime_last==0) { > + /* Initialize idletime_last */ > + time(&idletime_last); > + } > + /* Schedule idletimeout if no other timeouts are scheduled. > + * Idletimeouts are the longest and it is not a big deal, > + * if they are missed by few seconds. */ > + if (max_time_milliseconds == 0) { > + time_t diff=time(NULL)-idletime_last; > + if (diff>=options.idletimeout) > + max_time_seconds=1; > + else > + max_time_seconds=options.idletimeout-diff; > + } > + } > + > /* When select fails we restart from here. */ > retry_select: 
> > @@ -258,10 +319,17 @@ > if (child_terminated && packet_not_very_much_data_to_write()) > if (max_time_milliseconds == 0 || client_alive_scheduled) > max_time_milliseconds = 100; > - > - if (max_time_milliseconds == 0) > - tvp = NULL; > - else { > + > + if (max_time_milliseconds == 0) { > + /* Use max_time_seconds only if max_time_milliseconds is > + * not set */ > + if (max_time_seconds>0) { > + tv.tv_sec=max_time_seconds; > + tv.tv_usec=0; > + tvp=&tv; > + } else > + tvp = NULL; > + } else { > tv.tv_sec = max_time_milliseconds / 1000; > tv.tv_usec = 1000 * (max_time_milliseconds % 1000); > tvp = &tv; > @@ -301,7 +369,14 @@ > packet_disconnect( > "No open channels after timeout!"); > } > - } > + } > + > + /* Check if idletimeout has happened */ > + if (options.idletimeout>0 && ret==0 && > + time(NULL)-idletime_last>options.idletimeout) { > + packet_disconnect("Idletimeout."); > + options.idletimeout=0; > + } > } so many changes..... From Nicolas.Williams at ubsw.com Tue Aug 21 00:36:27 2001 
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Mon, 20 Aug 2001 10:36:27 -0400
Subject: Idletimeout patch
In-Reply-To: ; from jjaakkol@cs.Helsinki.FI on Mon, Aug 20, 2001 at 05:19:19PM +0300
References:
Message-ID: <20010820103626.L5739@sm2p1386swk.wdr.com>

On Mon, Aug 20, 2001 at 05:19:19PM +0300, Jani Jaakkola wrote:
> On Mon, 20 Aug 2001, Pekka Savola wrote:
>
> > On Mon, 20 Aug 2001, Markus Friedl wrote:
> > > but how large is the benefit/line ratio for this patch?
> >
> > Also, what's the benefit when compared to e.g. tcsh 'autologout' variable?
>
> As I said before, not all ssh sessions have a tty and not all ssh sessions
> actually even have a shell. In our environment we are tunneling imap
> traffic through ssh with a command like
> 'ssh mail-server "exec /etc/rimapd"' where there is no shell left after
> the exec. Also tcsh's autologout does not work, if the user is running
> any program in the session instead of a plain shell (which users most
> of the time do, since nobody is interested in plain shell access).

You could use the command= auth_keys option to force the interposition of a process which enforces a timeout. This would work, but it would also badly affect performance since you'd now have this process, with so little value to add, doubling the number of context switches and [probably] doubling the number of data copies that would be involved without the idle timeout process.

It's really much better to have this feature in OpenSSH.

> I am also aware that telnet and rlogin do not have this functionality. But
> since we do have the far superior ssh, we have disabled those services
> and I don't need to implement idletimeout for them.

Other SSHs have it...

> - Jani

Nico
-- 
From jjaakkol at cs.Helsinki.FI Tue Aug 21 00:55:31 2001
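The interposed-process approach Nico describes, as an added example that is not from this thread or from OpenSSH: a minimal forced-command wrapper that runs $SSH_ORIGINAL_COMMAND and relays its stdin and stdout through select(), ending the session after a configurable idle period. The authorized_keys line, the program name idle-wrap and the 600-second default are assumptions. It only ever sees decrypted payload, so only bytes actually copied count as activity (the same property Markus asks of the in-sshd version, where control packets should not reset the timer), and the relay loop is the extra copy per byte and extra context switch that Nico objects to.

```c
/* idle-wrap.c: forced-command wrapper that imposes an idle timeout on a
 * non-interactive ssh session (e.g. a tunnelled IMAP daemon). Assumed
 * authorized_keys entry (path, name and key are placeholders):
 *   command="/usr/local/bin/idle-wrap 600" ssh-rsa AAAA... user@host
 * sshd starts the wrapper, which runs $SSH_ORIGINAL_COMMAND and relays its
 * stdin/stdout; that relay is the extra data copy mentioned above. */
#include <errno.h>
#include <signal.h>
#include <stdlib.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

enum relay_result { RELAY_EOF = 0, RELAY_IDLE = 1, RELAY_ERROR = 2 };

/* Whole seconds left in the idle budget; 0 once the limit has passed. */
int idle_remaining(time_t last_activity, time_t now, int idle_limit)
{
    time_t elapsed = now - last_activity;
    return elapsed >= idle_limit ? 0 : (int)(idle_limit - elapsed);
}

/* Copy one chunk in -> out: 1 = payload moved, 0 = EOF, 2 = read interrupted
 * (nothing moved), -1 = error. Only 1 counts as activity for the timer. */
static int pump(int in, int out, long *bytes)
{
    char buf[4096], *p = buf;
    ssize_t r = read(in, buf, sizeof buf), left, w;
    if (r <= 0) return r == 0 ? 0 : errno == EINTR ? 2 : -1;
    for (left = r; left > 0; p += w, left -= w)
        if ((w = write(out, p, (size_t)left)) < 0) {
            if (errno != EINTR) return -1;
            w = 0;                        /* interrupted: retry this chunk */
        }
    *bytes += r;
    return 1;
}

/* Relay in_a -> out_a and in_b -> out_b (pass -1 for an unused input) until
 * both inputs hit EOF, or idle_limit seconds pass with no payload in either
 * direction (<= 0 disables the timer). An output is closed when its input
 * reaches EOF. Only copied bytes reset the timer, not EOF or errors. */
int relay(int in_a, int out_a, int in_b, int out_b, int idle_limit, long *bytes)
{
    int in[2] = { in_a, in_b }, out[2] = { out_a, out_b };
    int open[2] = { in_a >= 0, in_b >= 0 }, d, n, rc;
    time_t last = time(NULL);
    *bytes = 0;
    while (open[0] || open[1]) {
        fd_set rfds;
        struct timeval tv, *tvp = NULL;
        int maxfd = -1;
        /* Rebuild the set and the timeout on every pass: both are
         * unspecified after select() fails or times out. */
        FD_ZERO(&rfds);
        for (d = 0; d < 2; d++)
            if (open[d]) { FD_SET(in[d], &rfds); if (in[d] > maxfd) maxfd = in[d]; }
        if (idle_limit > 0) {
            tv.tv_sec = idle_remaining(last, time(NULL), idle_limit);
            tv.tv_usec = 0; tvp = &tv;
        }
        n = select(maxfd + 1, &rfds, NULL, NULL, tvp);
        if (n < 0) {
            if (errno == EINTR || errno == EAGAIN) continue;
            return RELAY_ERROR;           /* anything else is not retryable */
        }
        if (n == 0) {                     /* timed out: is the budget gone? */
            if (idle_remaining(last, time(NULL), idle_limit) == 0)
                return RELAY_IDLE;
            continue;
        }
        for (d = 0; d < 2; d++) {
            if (!open[d] || !FD_ISSET(in[d], &rfds)) continue;
            if ((rc = pump(in[d], out[d], bytes)) < 0) return RELAY_ERROR;
            if (rc == 1) last = time(NULL);
            if (rc == 0) { close(out[d]); open[d] = 0; }
        }
    }
    return RELAY_EOF;
}

int main(int argc, char **argv)
{
    int limit = argc > 1 ? atoi(argv[1]) : 600, to_child[2], from_child[2], rc;
    const char *cmd = getenv("SSH_ORIGINAL_COMMAND");
    long moved; pid_t pid;
    if (!cmd || limit <= 0 || pipe(to_child) < 0 || pipe(from_child) < 0 ||
        (pid = fork()) < 0)
        return 1;
    if (pid == 0) {                       /* child: run the forced command */
        dup2(to_child[0], 0); dup2(from_child[1], 1);
        close(to_child[0]); close(to_child[1]); close(from_child[0]); close(from_child[1]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(to_child[0]); close(from_child[1]);
    rc = relay(0, to_child[1], from_child[0], 1, limit, &moved);
    if (rc == RELAY_IDLE) kill(pid, SIGTERM);   /* idle limit hit: end it */
    waitpid(pid, NULL, 0);
    return rc == RELAY_EOF ? 0 : 1;
}
```

Because sshd handles SSH-level keepalives and ignore messages itself, none of them reach the wrapper's file descriptors, which is why this works without any packet-type list; the price is that every byte crosses one more process boundary in each direction.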
From: jjaakkol at cs.Helsinki.FI (Jani Jaakkola)
Date: Mon, 20 Aug 2001 17:55:31 +0300 (EEST)
Subject: Idletimeout patch
In-Reply-To: <20010820162559.A21136@faui02.informatik.uni-erlangen.de>
Message-ID:

On Mon, 20 Aug 2001, Markus Friedl wrote:

> i don't think that both dispatch.c and packet.c should be touched.

I agree, but I could not find any other way to hook to both incoming and outgoing packets with their types known (at least without doing de-assembly of already assembled packets).

> openssh-current can parse time.

Yes, I noticed this in Kevin Steves' patch. I have the cvs version of openssh-current and could provide the patch against it too (given a few hours' time) if we can agree how this should be implemented.

> > +/* Called by dispatch.c and packet.c whenever packets are sent or received.
> > + * This function decides whenever server idletimeout should be reset */
> > +void idletimeout_check(int type, int received) {
> > + case SSH2_MSG_KEXINIT: /* Ignore rekeying */
> > + case SSH2_MSG_NEWKEYS:
> > + case SSH2_MSG_KEX_DH_GEX_REQUEST_OLD:
> > + case SSH2_MSG_KEX_DH_GEX_GROUP:
> > + case SSH2_MSG_KEX_DH_GEX_INIT:
> > + case SSH2_MSG_KEX_DH_GEX_REPLY:
> > + case SSH2_MSG_KEX_DH_GEX_REQUEST:
>
> there are ranges defined for KEX packets.
>
> note that kex packets are only defined for protocol 2
> so you break ssh1 with this patch.

I don't think so and I actually tested that it works. Those messages are never seen in the version 1 protocol, so the case will never be taken. And even if it would, it would only skip the reset of idletimeout, which would not be a big deal.

> > + case SSH_MSG_NONE: /* Ignore dummies */
>
> this is not allowed on the wire. it's a protocol violation.

OK, I never did bother to read the spec.

> > + return;
> > + }
> > + }
> > + /* Reset idletime */
> > + time(&idletime_last);
> > +}
>
> ^^^ i don't like this at all. i think it should be
> simpler to have a positive list. e.g. all packets
> related to interactive traffic, e.g channel/stdin/out/err
> packets reset the counter, control messages don't).

OK, that would probably be simpler and easier to maintain. I will fix that.

> so many changes.....

Yes, I too thought that it would be easier. Maybe I should make it a configure option and tag it as 'experimental' (which of course would make the patch even bigger).

- Jani

From Markus.Friedl at informatik.uni-erlangen.de Tue Aug 21 01:06:33 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 20 Aug 2001 17:06:33 +0200
Subject: Idletimeout patch
In-Reply-To: ; from jjaakkol@cs.Helsinki.FI on Mon, Aug 20, 2001 at 05:55:31PM +0300
References: <20010820162559.A21136@faui02.informatik.uni-erlangen.de>
Message-ID: <20010820170633.B21503@faui02.informatik.uni-erlangen.de>

On Mon, Aug 20, 2001 at 05:55:31PM +0300, Jani Jaakkola wrote:
> On Mon, 20 Aug 2001, Markus Friedl wrote:
>
> > i don't think that both dispatch.c and packet.c should be touched.
>
> I agree, but I could not find any other way to hook to both incoming
> and outgoing packets with their types known (at least without doing
> de-assembly of already assembled packets).

? i don't understand.

you can add both checks to packet.c (packet_read/packet_start)

> > > + case SSH2_MSG_KEX_DH_GEX_INIT:
> > > + case SSH2_MSG_KEX_DH_GEX_REPLY:
> > > + case SSH2_MSG_KEX_DH_GEX_REQUEST:
> >
> > there are ranges defined for KEX packets.
> >
> > note that kex packets are only defined for protocol 2
> > so you break ssh1 with this patch.
>
> I don't think so and I actually tested that it works. Those messages are
> never seen in the version 1 protocol,

yes, but this is pure chance. it's still not correct to rely on this.

> so the case will never be taken.
> And even if it would, it would only skip the reset of idletimeout, which
> would not be a big deal.
>
> > > + case SSH_MSG_NONE: /* Ignore dummies */
> >
> > this is not allowed on the wire. it's a protocol violation.
>
> OK, I never did bother to read the spec.
>
> > > + return;
> > > + }
> > > + }
> > > + /* Reset idletime */
> > > + time(&idletime_last);
> > > +}
> >
> > ^^^ i don't like this at all. i think it should be
> > simpler to have a positive list. e.g. all packets
> > related to interactive traffic, e.g channel/stdin/out/err
> > packets reset the counter, control messages don't).
>
> OK, that would probably be simpler and easier to maintain. I will fix
> that.
>
> > so many changes.....
>
> Yes, I too thought that it would be easier. Maybe I should make it a
> configure option and tag it as 'experimental' (which of course would make
> the patch even bigger).

having lots of #ifdef makes debugging/support very hard...

From jjaakkol at cs.Helsinki.FI Tue Aug 21 01:20:36 2001
From: jjaakkol at cs.Helsinki.FI (Jani Jaakkola)
Date: Mon, 20 Aug 2001 18:20:36 +0300 (EEST)
Subject: Idletimeout patch
In-Reply-To: <20010820170633.B21503@faui02.informatik.uni-erlangen.de>
Message-ID:

On Mon, 20 Aug 2001, Markus Friedl wrote:

> On Mon, Aug 20, 2001 at 05:55:31PM +0300, Jani Jaakkola wrote:
> > On Mon, 20 Aug 2001, Markus Friedl wrote:
> >
> > > i don't think that both dispatch.c and packet.c should be touched.
> >
> > I agree, but I could not find any other way to hook to both incoming
> > and outgoing packets with their types known (at least without doing
> > de-assembly of already assembled packets).
>
> ? i don't understand.
>
> you can add both checks to packet.c (packet_read/packet_start)

Silly me. I stand corrected.

> > I don't think so and I actually tested that it works. Those messages are
> > never seen in the version 1 protocol,
>
> yes, but this is pure chance. it's still not correct
> to rely on this.

Even if ssh2 messages would be found in the incoming ssh1 protocol stream, it would not break anything in the idletimeout check. It would never even get there, because dispatch_run() would exit on a protocol error before idletimeout_check() would be called.

But I guess it does not matter anyway, since I will rewrite the check to work the other way and move the call of idletimeout_check() away from dispatch.c. This also means that idletimeout_check() might be called before protocol violations are detected, but I still think that it would not be a big deal.

> > Yes, I too thought that it would be easier. Maybe I should make it a
> > configure option and tag it as 'experimental' (which of course would make
> > the patch even bigger).
>
> having lots of #ifdef makes debugging/support very hard...

Yes. And it would be more trouble for lazy me :)

- Jani

From Robert.Dahlem at ffm2.siemens.de Tue Aug 21 02:33:39 2001
From: Robert.Dahlem at ffm2.siemens.de (Robert Dahlem)
Date: Mon, 20 Aug 2001 18:33:39 +0200
Subject: [PATCH] some patches for Fujitsu-Siemens ReliantUNIX, minor fixes and XXXes
Message-ID: <200108201635.f7KGZVn09514@mail2.siemens.de>

Hi,

attached please find some patches for ReliantUNIX. This was tested under Reliant UNIX V5.43C40 with Compiler CDSDEV V2.0C00.

Here is what I did:

- there is a common misunderstanding how to use /usr/libucb/libucb.a:
  There are some library functions only in libucb.a under ReliantUNIX, so one needs to bind it. The problem is: there are some other functions in this library you should never bind from there (i.e. fopen()). The trick is to first search through libc.so and then through libucb.a. Don't let ld search in /usr/ucblib, it will virtually always produce nonsense.

- often found mistake with libsocket and libnsl:
  Especially libsocket MUST be bound before libc. Otherwise you will get lots of messages like
    unix: syslog: 7784 sshd:_accept: SIOCGPGRP failed errno 22

- -ldl not chosen by configure:
  Something in OpenSSH (I did not find) needs libdl. configure checks for dlopen() only when it finds PAM. No PAM on ReliantUNIX, so no libdl, thus no binding. Ouch! :-)
  I made an XXX fix for ReliantUNIX and left it for someone else to de-nest the dlopen() check in configure.in. Sorry, but it's beyond my understanding of autoconf. BTW: Why does autoconf-2.50 bounce on configure.in?

- --with-mantype
  configure tells about --with-mantype, but checked for --with-catman

- /etc/default/login
  There is a file /etc/default/login on Solaris 2.x and ReliantUNIX. See http://docs.sun.com/ab2/coll.40.6/REFMAN1/@Ab2PageView/171170 for a description. It handles things like setting a different PATH for root and normal users at login time, quite a convenient feature for administrators. This was handled in SSH 1 since at least 1998. I rewrote some of the old code to gather at least PATH. Rest will be done at a later time (when I better understand the code :-).
  I added a paranoia check to always have a minimum PATH set, but take care! I fear this changed the semantics of --with-default-path.

Regards,
Robert

-- 
Robert.Dahlem at ffm2.siemens.de
Siemens Business Services - FS CBS KORDOBA-Outsourcing
Tel: +49-69-797-6530  Fax: +49-69-797-6599

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/octet-stream
Size: 4669 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010820/ed90e5e2/attachment.obj

From Olds.Aaron at emeryworld.com Tue Aug 21 03:43:28 2001
From: Olds.Aaron at emeryworld.com (Olds, Aaron M)
Date: Mon, 20 Aug 2001 17:43:28 -0000
Subject: sshd problem
Message-ID: <65418613A1311B478A9FCF4A55F490A5F866AC@ljcbs061>

I apologize in advance if this is a "stupid user problem" but here goes.

I have a RH 6.1 machine with PAM 0.75. I installed OpenSSL and OpenSSH (2.9p1). ssh works fine however when I try to run sshd and then ssh into this same machine I get Failed Password for user x. I copied the RH sshd.pam file into /etc/pam.d/sshd. I even deleted the user and readded it. He can log onto the console but can't ssh into that machine. Root is the only user who can ssh into that machine. When I run sshd -d and try ssh -l amolds LinuxBox I get Permission Denied. What am I doing wrong?

Thanks in advance.

Aaron

From mouring at etoh.eviladmin.org Tue Aug 21 06:51:47 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Mon, 20 Aug 2001 15:51:47 -0500 (CDT)
Subject: sshd problem
In-Reply-To: <65418613A1311B478A9FCF4A55F490A5F866AC@ljcbs061>
Message-ID:

did you do ./configure --with-pam ?

- Ben

On Mon, 20 Aug 2001, Olds, Aaron M wrote:

> I apologize in advance if this is a "stupid user problem" but here goes.
> I have a RH 6.1 machine with PAM 0.75. I installed OpenSSL and OpenSSH
> (2.9p1).
> ssh works fine however when I try to run sshd and then ssh into this same
> machine
> I get Failed Password for user x. I copied the RH sshd.pam file into
> /etc/pam.d/sshd.
> I even deleted the user and readded it. He can log onto the console but
> can't ssh into
> that machine. Root is the only user who can ssh into that machine. When I
> run
> sshd -d and try ssh -l amolds LinuxBox I get Permission Denied. What am I
> doing wrong?
>
> Thanks in advance.
>
> Aaron
>

From Olds.Aaron at emeryworld.com Tue Aug 21 07:06:49 2001
From: Olds.Aaron at emeryworld.com (Olds, Aaron M)
Date: Mon, 20 Aug 2001 21:06:49 -0000
Subject: sshd problem
Message-ID: <65418613A1311B478A9FCF4A55F490A5F866AD@ljcbs061>

yes. could it be directory permissions? i could not find any reference to what it should be.

thanks

Aaron M. Olds, CIW
Research and Development
Emery Worldwide, a CNF Company
2701 N.W. Vaughn St., Suite 650
Portland, OR 97210
Phone: 503.450.6665
mailto:olds.aaron at emeryworld.com

-----Original Message-----
From: mouring at etoh.eviladmin.org [mailto:mouring at etoh.eviladmin.org]
Sent: Monday, August 20, 2001 1:52 PM
To: Olds, Aaron M
Cc: openssh-unix-dev at mindrot.org
Subject: Re: sshd problem

did you do ./configure --with-pam ?

- Ben

On Mon, 20 Aug 2001, Olds, Aaron M wrote:

> I apologize in advance if this is a "stupid user problem" but here goes.
> I have a RH 6.1 machine with PAM 0.75. I installed OpenSSL and OpenSSH
> (2.9p1).
> ssh works fine however when I try to run sshd and then ssh into this same
> machine
> I get Failed Password for user x. I copied the RH sshd.pam file into
> /etc/pam.d/sshd.
> I even deleted the user and readded it. He can log onto the console but
> can't ssh into
> that machine. Root is the only user who can ssh into that machine. When I
> run
> sshd -d and try ssh -l amolds LinuxBox I get Permission Denied. What am I
> doing wrong?
>
> Thanks in advance.
>
> Aaron
>

From jjaakkol at cs.Helsinki.FI Tue Aug 21 07:56:52 2001
From: jjaakkol at cs.Helsinki.FI (Jani Jaakkola)
Date: Tue, 21 Aug 2001 00:56:52 +0300 (EEST)
Subject: Idletimeout patch, third attempt
Message-ID:

Here is my third attempt at the idletimeout patch. I tried to address the points which Markus Friedl brought up. It is actually bigger than the previous patches, but not as intrusive. It is big because it moves some stuff from serverloop.c to packet.c.

- I moved all the logic to packet.c. This means that I also had to move the actual select() call, which used to be in serverloop.c, to packet.c. Now serverloop.c only uses packet.c and not the other way around, so dependencies are cleaner.

- I implemented packet_select() in packet.c. This makes it possible to catch idletimeouts not only when the server is sitting in wait_until_can_do_something() but also when the server is waiting for completion of a full packet in packet_read() or waiting for completion of writing a full packet in packet_write_wait(). With previous patches sshd could (in theory at least) hang in packet_read() or packet_write_wait() even if idletimeout or clientalive was set.

- With packet_select() an ssh-client side idletimeout could be easily implemented, if anybody would need a feature like that.

- Counting of idle timeouts now starts immediately after authorization has been successful, not when sshd first enters wait_until_can_do_something().

- IMHO, the patch is much cleaner. The max_time_seconds variable has been removed.

- It fixes two places where select() might have been called after EAGAIN or EINTR, but the fd_sets would not have been reinitialized.

- If select() returns an error other than EAGAIN or EINTR, it exits with fatal(). Before, the error would either be ignored or just logged, but the program would have continued like nothing had happened. The manual says that after a select() error (like ENOMEM) the values of the fd_sets are undefined. I guess that in some perverse situation sshd could also have got stuck in an infinite select() loop.
Again, I have actually done some testing (but not much) and have found no problems. This patch is also available from: http://www.cs.helsinki.fi/u/jjaakkol/idletimeout.patch - Jani -------------- next part -------------- diff -ru openssh-2.9p2.orig/CREDITS openssh-2.9p2/CREDITS --- openssh-2.9p2.orig/CREDITS Mon Apr 16 03:41:46 2001 +++ openssh-2.9p2/CREDITS Wed Aug 15 22:00:02 2001 @@ -42,6 +42,7 @@ IWAMURO Motonori - bugfixes Jani Hakala - Patches Jarno Huuskonen - Bugfixes +Jani Jaakkola - IdleTimeOut Jim Knoble - Many patches Jonchen (email unknown) - the original author of PAM support of SSH Juergen Keil - scp bugfixing diff -ru openssh-2.9p2.orig/clientloop.c openssh-2.9p2/clientloop.c --- openssh-2.9p2.orig/clientloop.c Fri Apr 20 15:50:51 2001 +++ openssh-2.9p2/clientloop.c Mon Aug 20 22:20:38 2001 @@ -1250,3 +1250,4 @@ else client_init_dispatch_15(); } + diff -ru openssh-2.9p2.orig/packet.c openssh-2.9p2/packet.c --- openssh-2.9p2.orig/packet.c Fri Apr 6 02:26:33 2001 +++ openssh-2.9p2/packet.c Tue Aug 21 00:04:48 2001 
@@ -121,10 +121,91 @@ /* True if SSH2 packet format is used */ int use_ssh2_packet_format = 0; +static time_t idletime_last=0; /* The last time something happened + * for idletimeout. */ +static int idletimeout=0; /* The current idletimeout */ + /* Session key information for Encryption and MAC */ Newkeys *newkeys[MODE_MAX]; void +packet_set_idletimeout(int max_idle_seconds) +{ + idletimeout=max_idle_seconds; + if (max_idle_seconds>0) { + /* Initialize */ + time(&idletime_last); + } +} + +/* Called by whenever packets are sent or received. + * This function decides on which packets idletimeout should + * be reset */ +void +idletimeout_check(int type) +{ + /* No-op, if idletimeouts are not configured */ + if (idletimeout==0) return; + + /* The following packets reset idletimeout on input or output. + * Note that only actual data resets idletimeout, control packets + * do not. */ + switch(type) { + case SSH_MSG_CHANNEL_DATA: + case SSH_CMSG_STDIN_DATA: + case SSH_SMSG_STDOUT_DATA: + case SSH_SMSG_STDERR_DATA: + case SSH2_MSG_CHANNEL_DATA: + case SSH2_MSG_CHANNEL_EXTENDED_DATA: + time(&idletime_last); + } +} + +int +packet_select(int maxfds, + fd_set *readset, fd_set *writeset, fd_set *exceptset, + int max_time_milliseconds) +{ + struct timeval tv, *tvp=NULL; + int ret; + + if (idletimeout>0) { + /* Count the time to idletimeout */ + time_t diff=time(NULL)-idletime_last; + if (diff>=idletimeout) + tv.tv_sec=1; + else + tv.tv_sec=idletimeout-diff+1; + tv.tv_usec=0; + tvp = &tv; + debug("idletimeout after %ld seconds",tv.tv_sec); + } + /* If a timeout value was given and the timeout happens before + * idletimeout, use it */ + if (max_time_milliseconds>0 && + (tvp==NULL || max_time_milliseconds/10000 && ret==0 && + time(NULL)-idletime_last>idletimeout) { + packet_disconnect("Idletimeout."); + idletimeout=0; + } + return ret; +} + +void packet_set_ssh2_format(void) { DBG(debug("use_ssh2_packet_format")); 
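Review bot: the body of packet_select() is truncated in this archived copy between `max_time_milliseconds/1000` and `0 && ret==0 &&`, so the select() call itself, the EAGAIN/EINTR handling and the fatal() path that the packet.h comment promises cannot be checked from what is posted; please repost or point at the full diff. In what is visible: idletimeout_check() now mixes protocol-1 (SSH_MSG_CHANNEL_DATA, SSH_CMSG_STDIN_DATA, SSH_SMSG_STDOUT_DATA, SSH_SMSG_STDERR_DATA) and protocol-2 (SSH2_MSG_CHANNEL_DATA, SSH2_MSG_CHANNEL_EXTENDED_DATA) constants in one switch without consulting compat20, so either add a comment that the two sets of values do not overlap or split the switch by protocol, so a later renumbering cannot silently widen the set of packets that reset the timer. The timeout arithmetic `tv.tv_sec=idletimeout-diff+1` (and `tv.tv_sec=1` once `diff>=idletimeout`) means the disconnect check after select() always runs at least a second late; acceptable, but say so in the comment instead of leaving the +1 unexplained. The `idletimeout=0;` after `packet_disconnect("Idletimeout.");` is dead code if packet_disconnect() does not return. Also the comment "Called by whenever packets are sent or received" is missing its subject (packet_start()/packet_read_poll()).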
@@ -383,6 +464,7 @@ packet_start2(type); else packet_start1(type); + idletimeout_check(type); } /* Appends a character to the packet data. */ @@ -708,20 +790,21 @@ /* If we got a packet, return it. */ if (type != SSH_MSG_NONE) { xfree(setp); + idletimeout_check(type); return type; } /* * Otherwise, wait for some data to arrive, add it to the * buffer, and try again. */ - memset(setp, 0, howmany(connection_in + 1, NFDBITS) * - sizeof(fd_mask)); - FD_SET(connection_in, setp); - - /* Wait for some data to arrive. */ - while (select(connection_in + 1, setp, NULL, NULL, NULL) == -1 && - (errno == EAGAIN || errno == EINTR)) - ; + do { + memset(setp, 0, howmany(connection_in + 1, NFDBITS) * + sizeof(fd_mask)); + FD_SET(connection_in, setp); + + /* Wait for some data to arrive. */ + } while (packet_select(connection_in + 1, + setp, NULL, NULL, 0) == -1); /* Read data from the socket. */ len = read(connection_in, buf, sizeof(buf)); @@ -974,6 +1057,7 @@ packet_read_poll2(payload_len_ptr): packet_read_poll1(payload_len_ptr); + idletimeout_check(type); if(compat20) { int reason; if (type != 0) @@ -1217,12 +1301,12 @@ sizeof(fd_mask)); packet_write_poll(); while (packet_have_data_to_write()) { - memset(setp, 0, howmany(connection_out + 1, NFDBITS) * - sizeof(fd_mask)); - FD_SET(connection_out, setp); - while (select(connection_out + 1, NULL, setp, NULL, NULL) == -1 && - (errno == EAGAIN || errno == EINTR)) - ; + do { + memset(setp, 0, howmany(connection_out + 1, NFDBITS) * + sizeof(fd_mask)); + FD_SET(connection_out, setp); + } while (packet_select(connection_out + 1, + NULL, setp, NULL, 0) == -1); packet_write_poll(); } xfree(setp); diff -ru openssh-2.9p2.orig/packet.h openssh-2.9p2/packet.h --- openssh-2.9p2.orig/packet.h Sun Apr 15 02:13:03 2001 +++ openssh-2.9p2/packet.h Mon Aug 20 23:36:10 2001 
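Review bot: idletimeout_check(type) is now called in two places on the receive path: in packet_read() (`if (type != SSH_MSG_NONE) { xfree(setp); idletim...`, the hunk at -708) and in packet_read_poll() right after `packet_read_poll2(payload_len_ptr): packet_read_poll1(payload_len_ptr);` (the hunk at -974). If packet_read() obtains its type through packet_read_poll(), every received packet resets the timer twice; keep the call in packet_read_poll(), which every receive path goes through, and drop the other. The do/while loops around packet_select() in packet_read() and packet_write_wait() correctly rebuild the fd_set before every retry, but they rely on packet_select() never returning -1 for a non-retryable error (packet.h says it calls fatal() then); add a one-line comment at each loop stating that contract, since a later change to packet_select() that returns -1 on other errors would turn both loops into busy spins.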
@@ -220,4 +220,20 @@ /* add an ignore message and make sure size (current+ignore) = n*sumlen */ void packet_inject_ignore(int sumlen); +/* This sets the maximum idle time before packet_select() automatically + * disconnects with packet_disconnect("Idletimeout"). + * Never autodisconnects if set to zero. zero is the default */ +void packet_set_idletimeout(int max_idle_seconds); + +/* This is an quite normal select, except that it implements idletimeouts + * set with packet_set_idletimeout(). + * It also returns exits, if select() returns any other error than AGAIN + * or EINTR. So if packet_select returns -1, you can safely reinit fd_sets + * and call packet_select again, without checking errno. + */ +int packet_select(int maxfds, + fd_set *readset, fd_set *writeset, fd_set *exceptset, + int max_time_milliseconds); + + #endif /* PACKET_H */ diff -ru openssh-2.9p2.orig/servconf.c openssh-2.9p2/servconf.c --- openssh-2.9p2.orig/servconf.c Wed Apr 25 15:44:15 2001 +++ openssh-2.9p2/servconf.c Wed Aug 15 22:10:23 2001 @@ -102,6 +102,7 @@ options->client_alive_interval = -1; options->client_alive_count_max = -1; options->pam_authentication_via_kbd_int = -1; + options->idletimeout = -1; } void @@ -210,6 +211,8 @@ options->client_alive_count_max = 3; if (options->pam_authentication_via_kbd_int == -1) options->pam_authentication_via_kbd_int = 0; + if (options->idletimeout == -1) + options->idletimeout=0; } /* Keyword tokens. */ @@ -235,7 +238,8 @@ sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, sBanner, sReverseMappingCheck, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, - sClientAliveCountMax, sPAMAuthenticationViaKbdInt + sClientAliveCountMax, sPAMAuthenticationViaKbdInt, + sIdleTimeout } ServerOpCodes; /* Textual representation of the tokens. */ 
@@ -302,6 +306,7 @@ { "clientaliveinterval", sClientAliveInterval }, { "clientalivecountmax", sClientAliveCountMax }, { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt }, + { "idletimeout", sIdleTimeout }, { NULL, 0 } }; @@ -801,7 +806,28 @@ case sPAMAuthenticationViaKbdInt: intptr = &options->pam_authentication_via_kbd_int; goto parse_flag; - + case sIdleTimeout: + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing IdleTimeout argument", + filename,linenum); + options->idletimeout=atoi(arg); + switch(arg[strlen(arg)-1]) { + case 'w': options->idletimeout*=7; + case 'd': options->idletimeout*=24; + case 'h': options->idletimeout*=60; + case 'm': options->idletimeout*=60; + case 's': + case '0': case '1': case '2': case '3': + case '4': case '5': case '6': case '7': + case '8': case '9': + break; + default: + fatal("%s line %d: Invalid IdleTimeout argument", + filename,linenum); + } + break; + default: fatal("%s line %d: Missing handler for opcode %s (%d)", filename, linenum, arg, opcode); diff -ru openssh-2.9p2.orig/servconf.h openssh-2.9p2/servconf.h --- openssh-2.9p2.orig/servconf.h Wed Apr 25 15:44:16 2001 +++ openssh-2.9p2/servconf.h Wed Aug 15 22:09:33 2001 @@ -125,6 +125,10 @@ * diconnect the session */ int pam_authentication_via_kbd_int; + int idletimeout; /* + * If nonzero, the number of second + * after which idle connections + * will be terminated */ } ServerOptions; /* * Initializes the server options to special values that indicate that they diff -ru openssh-2.9p2.orig/serverloop.c openssh-2.9p2/serverloop.c --- openssh-2.9p2.orig/serverloop.c Sat Apr 14 02:28:03 2001 +++ openssh-2.9p2/serverloop.c Mon Aug 20 23:33:30 2001 @@ -190,7 +190,6 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, u_int max_time_milliseconds) { - struct timeval tv, *tvp; int ret; int client_alive_scheduled = 0; 
@@ -259,25 +258,15 @@ if (max_time_milliseconds == 0 || client_alive_scheduled) max_time_milliseconds = 100; - if (max_time_milliseconds == 0) - tvp = NULL; - else { - tv.tv_sec = max_time_milliseconds / 1000; - tv.tv_usec = 1000 * (max_time_milliseconds % 1000); - tvp = &tv; - } - if (tvp!=NULL) - debug3("tvp!=NULL kid %d mili %d", child_terminated, max_time_milliseconds); - /* Wait for something to happen, or the timeout to expire. */ - ret = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp); + /* Wait for something to happen, or the timeout to expire. + * packet select also implements server idletimeouts for us. */ + ret = packet_select((*maxfdp)+1, *readsetp, *writesetp, NULL, + max_time_milliseconds); + + if (ret == -1) + goto retry_select; - if (ret == -1) { - if (errno != EINTR) - error("select: %.100s", strerror(errno)); - else - goto retry_select; - } if (ret == 0 && client_alive_scheduled) { /* timeout, check to see how many we have had */ client_alive_timeouts++; diff -ru openssh-2.9p2.orig/session.c openssh-2.9p2/session.c --- openssh-2.9p2.orig/session.c Sun Jun 17 06:40:51 2001 +++ openssh-2.9p2/session.c Mon Aug 20 22:47:16 2001 @@ -170,6 +170,11 @@ * authentication. */ alarm(0); + /* + * Now that the login grace alarm is cleared it is time to apply + * idletimeout */ + packet_set_idletimeout(options.idletimeout); + if (startup_pipe != -1) { close(startup_pipe); startup_pipe = -1; From jjaakkol at cs.Helsinki.FI Tue Aug 21 17:12:35 2001 
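Review bot: In idletimeout_check() (packet.c hunk at @@ -121) the switch mixes SSH1 and SSH2 message types (SSH_MSG_CHANNEL_DATA, SSH_CMSG_STDIN_DATA, SSH_SMSG_STDOUT_DATA, SSH_SMSG_STDERR_DATA next to SSH2_MSG_CHANNEL_DATA and SSH2_MSG_CHANNEL_EXTENDED_DATA), but the two protocols number their messages independently, so a message of the other protocol that happens to share a number would reset the idle timer. Test compat20 first and match only that protocol's constants in each branch, e.g. `if (compat20) { switch (type) { case SSH2_MSG_CHANNEL_DATA: ... } } else { switch (type) { case SSH_MSG_CHANNEL_DATA: ... } }`.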
From: jjaakkol at cs.Helsinki.FI (Jani Jaakkola) Date: Tue, 21 Aug 2001 10:12:35 +0300 (EEST) Subject: Idletimeout patch, 4th attempt In-Reply-To: Message-ID: On Tue, 21 Aug 2001, Jani Jaakkola wrote: > > Here is my third attempt at the idletimeout patch. I tried to address > the points which Marcus Friedl brought up. After having a good night sleep I finally realized that ssh1 and ssh2 are actually different protocols and therefore may and do have overlapping message numbers. This needs to be addressed at idletimeout_check (which Markus was telling me, but I was too boneheaded to believe him). The 4th version of the attached patch is also available from: http://www.cs.helsinki.fi/u/jjaakkol/idletimeout.patch - Jani -------------- next part -------------- diff -ru openssh-2.9p2.orig/CREDITS openssh-2.9p2/CREDITS --- openssh-2.9p2.orig/CREDITS Mon Apr 16 03:41:46 2001 +++ openssh-2.9p2/CREDITS Wed Aug 15 22:00:02 2001 @@ -42,6 +42,7 @@ IWAMURO Motonori - bugfixes Jani Hakala - Patches Jarno Huuskonen - Bugfixes +Jani Jaakkola - IdleTimeOut Jim Knoble - Many patches Jonchen (email unknown) - the original author of PAM support of SSH Juergen Keil - scp bugfixing diff -ru openssh-2.9p2.orig/clientloop.c openssh-2.9p2/clientloop.c --- openssh-2.9p2.orig/clientloop.c Fri Apr 20 15:50:51 2001 +++ openssh-2.9p2/clientloop.c Mon Aug 20 22:20:38 2001 @@ -1250,3 +1250,4 @@ else client_init_dispatch_15(); } + diff -ru openssh-2.9p2.orig/packet.c openssh-2.9p2/packet.c --- openssh-2.9p2.orig/packet.c Fri Apr 6 02:26:33 2001 +++ openssh-2.9p2/packet.c Tue Aug 21 09:46:40 2001 
@@ -121,10 +121,97 @@ /* True if SSH2 packet format is used */ int use_ssh2_packet_format = 0; +static time_t idletime_last=0; /* The last time something happened + * for idletimeout. */ +static int idletimeout=0; /* The current idletimeout */ + /* Session key information for Encryption and MAC */ Newkeys *newkeys[MODE_MAX]; void +packet_set_idletimeout(int max_idle_seconds) +{ + idletimeout=max_idle_seconds; + if (max_idle_seconds>0) { + /* Initialize */ + time(&idletime_last); + } +} + +/* Called by whenever packets are sent or received. + * This function decides on which packets idletimeout should + * be reset */ +void +idletimeout_check(int type) +{ + /* No-op, if idletimeouts are not configured */ + if (idletimeout==0) return; + + /* The following packets reset idletimeout on input or output. + * Note that only actual data resets idletimeout, control packets + * do not. */ + if (compat20) { + switch(type) { + case SSH2_MSG_CHANNEL_DATA: + case SSH2_MSG_CHANNEL_EXTENDED_DATA: + time(&idletime_last); + } + } else { + switch(type) { + case SSH_MSG_CHANNEL_DATA: + case SSH_CMSG_STDIN_DATA: + case SSH_SMSG_STDOUT_DATA: + case SSH_SMSG_STDERR_DATA: + time(&idletime_last); + } + } +} + +int +packet_select(int maxfds, + fd_set *readset, fd_set *writeset, fd_set *exceptset, + int max_time_milliseconds) +{ + struct timeval tv, *tvp=NULL; + int ret; + + if (idletimeout>0) { + /* Count the time to idletimeout */ + time_t diff=time(NULL)-idletime_last; + if (diff>=idletimeout) + tv.tv_sec=1; + else + tv.tv_sec=idletimeout-diff+1; + tv.tv_usec=0; + tvp = &tv; + debug("idletimeout after %ld seconds",tv.tv_sec); + } + /* If a timeout value was given and the timeout happens before + * idletimeout, use it */ + if (max_time_milliseconds>0 && + (tvp==NULL || max_time_milliseconds/10000 && ret==0 && + time(NULL)-idletime_last>idletimeout) { + packet_disconnect("Idletimeout."); + idletimeout=0; + } + return ret; +} + +void packet_set_ssh2_format(void) { 
DBG(debug("use_ssh2_packet_format")); @@ -383,6 +470,7 @@ packet_start2(type); else packet_start1(type); + idletimeout_check(type); } /* Appends a character to the packet data. */ @@ -708,20 +796,21 @@ /* If we got a packet, return it. */ if (type != SSH_MSG_NONE) { xfree(setp); + idletimeout_check(type); return type; } /* * Otherwise, wait for some data to arrive, add it to the * buffer, and try again. */ - memset(setp, 0, howmany(connection_in + 1, NFDBITS) * - sizeof(fd_mask)); - FD_SET(connection_in, setp); - - /* Wait for some data to arrive. */ - while (select(connection_in + 1, setp, NULL, NULL, NULL) == -1 && - (errno == EAGAIN || errno == EINTR)) - ; + do { + memset(setp, 0, howmany(connection_in + 1, NFDBITS) * + sizeof(fd_mask)); + FD_SET(connection_in, setp); + + /* Wait for some data to arrive. */ + } while (packet_select(connection_in + 1, + setp, NULL, NULL, 0) == -1); /* Read data from the socket. */ len = read(connection_in, buf, sizeof(buf)); @@ -974,6 +1063,7 @@ packet_read_poll2(payload_len_ptr): packet_read_poll1(payload_len_ptr); + idletimeout_check(type); if(compat20) { int reason; if (type != 0) @@ -1217,12 +1307,12 @@ sizeof(fd_mask)); packet_write_poll(); while (packet_have_data_to_write()) { - memset(setp, 0, howmany(connection_out + 1, NFDBITS) * - sizeof(fd_mask)); - FD_SET(connection_out, setp); - while (select(connection_out + 1, NULL, setp, NULL, NULL) == -1 && - (errno == EAGAIN || errno == EINTR)) - ; + do { + memset(setp, 0, howmany(connection_out + 1, NFDBITS) * + sizeof(fd_mask)); + FD_SET(connection_out, setp); + } while (packet_select(connection_out + 1, + NULL, setp, NULL, 0) == -1); packet_write_poll(); } xfree(setp); diff -ru openssh-2.9p2.orig/packet.h openssh-2.9p2/packet.h --- openssh-2.9p2.orig/packet.h Sun Apr 15 02:13:03 2001 +++ openssh-2.9p2/packet.h Mon Aug 20 23:36:10 2001 
@@ -220,4 +220,20 @@ /* add an ignore message and make sure size (current+ignore) = n*sumlen */ void packet_inject_ignore(int sumlen); +/* This sets the maximum idle time before packet_select() automatically + * disconnects with packet_disconnect("Idletimeout"). + * Never autodisconnects if set to zero. zero is the default */ +void packet_set_idletimeout(int max_idle_seconds); + +/* This is an quite normal select, except that it implements idletimeouts + * set with packet_set_idletimeout(). + * It also returns exits, if select() returns any other error than AGAIN + * or EINTR. So if packet_select returns -1, you can safely reinit fd_sets + * and call packet_select again, without checking errno. + */ +int packet_select(int maxfds, + fd_set *readset, fd_set *writeset, fd_set *exceptset, + int max_time_milliseconds); + + #endif /* PACKET_H */ diff -ru openssh-2.9p2.orig/servconf.c openssh-2.9p2/servconf.c --- openssh-2.9p2.orig/servconf.c Wed Apr 25 15:44:15 2001 +++ openssh-2.9p2/servconf.c Wed Aug 15 22:10:23 2001 @@ -102,6 +102,7 @@ options->client_alive_interval = -1; options->client_alive_count_max = -1; options->pam_authentication_via_kbd_int = -1; + options->idletimeout = -1; } void @@ -210,6 +211,8 @@ options->client_alive_count_max = 3; if (options->pam_authentication_via_kbd_int == -1) options->pam_authentication_via_kbd_int = 0; + if (options->idletimeout == -1) + options->idletimeout=0; } /* Keyword tokens. */ @@ -235,7 +238,8 @@ sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, sBanner, sReverseMappingCheck, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, - sClientAliveCountMax, sPAMAuthenticationViaKbdInt + sClientAliveCountMax, sPAMAuthenticationViaKbdInt, + sIdleTimeout } ServerOpCodes; /* Textual representation of the tokens. */ 
@@ -302,6 +306,7 @@ { "clientaliveinterval", sClientAliveInterval }, { "clientalivecountmax", sClientAliveCountMax }, { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt }, + { "idletimeout", sIdleTimeout }, { NULL, 0 } }; @@ -801,7 +806,28 @@ case sPAMAuthenticationViaKbdInt: intptr = &options->pam_authentication_via_kbd_int; goto parse_flag; - + case sIdleTimeout: + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing IdleTimeout argument", + filename,linenum); + options->idletimeout=atoi(arg); + switch(arg[strlen(arg)-1]) { + case 'w': options->idletimeout*=7; + case 'd': options->idletimeout*=24; + case 'h': options->idletimeout*=60; + case 'm': options->idletimeout*=60; + case 's': + case '0': case '1': case '2': case '3': + case '4': case '5': case '6': case '7': + case '8': case '9': + break; + default: + fatal("%s line %d: Invalid IdleTimeout argument", + filename,linenum); + } + break; + default: fatal("%s line %d: Missing handler for opcode %s (%d)", filename, linenum, arg, opcode); diff -ru openssh-2.9p2.orig/servconf.h openssh-2.9p2/servconf.h --- openssh-2.9p2.orig/servconf.h Wed Apr 25 15:44:16 2001 +++ openssh-2.9p2/servconf.h Wed Aug 15 22:09:33 2001 @@ -125,6 +125,10 @@ * diconnect the session */ int pam_authentication_via_kbd_int; + int idletimeout; /* + * If nonzero, the number of second + * after which idle connections + * will be terminated */ } ServerOptions; /* * Initializes the server options to special values that indicate that they diff -ru openssh-2.9p2.orig/serverloop.c openssh-2.9p2/serverloop.c --- openssh-2.9p2.orig/serverloop.c Sat Apr 14 02:28:03 2001 +++ openssh-2.9p2/serverloop.c Mon Aug 20 23:33:30 2001 @@ -190,7 +190,6 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, u_int max_time_milliseconds) { - struct timeval tv, *tvp; int ret; int client_alive_scheduled = 0; 
@@ -259,25 +258,15 @@ if (max_time_milliseconds == 0 || client_alive_scheduled) max_time_milliseconds = 100; - if (max_time_milliseconds == 0) - tvp = NULL; - else { - tv.tv_sec = max_time_milliseconds / 1000; - tv.tv_usec = 1000 * (max_time_milliseconds % 1000); - tvp = &tv; - } - if (tvp!=NULL) - debug3("tvp!=NULL kid %d mili %d", child_terminated, max_time_milliseconds); - /* Wait for something to happen, or the timeout to expire. */ - ret = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp); + /* Wait for something to happen, or the timeout to expire. + * packet select also implements server idletimeouts for us. */ + ret = packet_select((*maxfdp)+1, *readsetp, *writesetp, NULL, + max_time_milliseconds); + + if (ret == -1) + goto retry_select; - if (ret == -1) { - if (errno != EINTR) - error("select: %.100s", strerror(errno)); - else - goto retry_select; - } if (ret == 0 && client_alive_scheduled) { /* timeout, check to see how many we have had */ client_alive_timeouts++; diff -ru openssh-2.9p2.orig/session.c openssh-2.9p2/session.c --- openssh-2.9p2.orig/session.c Sun Jun 17 06:40:51 2001 +++ openssh-2.9p2/session.c Mon Aug 20 22:47:16 2001 @@ -170,6 +170,11 @@ * authentication. */ alarm(0); + /* + * Now that the login grace alarm is cleared it is time to apply + * idletimeout */ + packet_set_idletimeout(options.idletimeout); + if (startup_pipe != -1) { close(startup_pipe); startup_pipe = -1; From Lutz.Jaenicke at aet.TU-Cottbus.DE Tue Aug 21 19:22:15 2001 
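Review bot: The clientloop.c hunk (@@ -1250,3 +1250,4 @@) adds nothing but a trailing blank line; drop it from the patch.

Review bot: In packet_select() (packet.c hunk at @@ -121,10 +121,97 @@) the idle deadline is only evaluated on the `ret==0` path, so a session that keeps waking select() with traffic idletimeout_check() does not count as data (window adjusts, ignore messages) has its deadline checked only once that traffic pauses; compare `time(NULL)-idletime_last` against idletimeout on every return to make the limit exact. The branch `if (diff>=idletimeout) tv.tv_sec=1;` already knows the limit has passed yet waits one more second before it can disconnect. `debug("idletimeout after %ld seconds",tv.tv_sec)` passes a time_t to %ld; cast it to long. If packet_disconnect() does not return, the `idletimeout=0;` after it is dead code.

Review bot: The packet.h comment for packet_select() is garbled: "This is an quite normal select" and "It also returns exits, if select() returns any other error than AGAIN or EINTR" should say plainly that packet_select() returns -1 only for EAGAIN/EINTR and does not return at all on any other select() error (spell the errno EAGAIN). Also document that max_time_milliseconds == 0 means no select() timeout, since the packet.c callers pass 0 for exactly that.

Review bot: The keyword-table hunk in servconf.c (@@ -302) adds "idletimeout", but the patch carries no sshd_config(5) change; document the keyword, its unit suffixes (s, m, h, d, w), the default of 0 (disabled), and that only channel data in either direction resets the timer, not control traffic, so administrators can tell it apart from ClientAliveInterval.

Review bot: In the sIdleTimeout case (servconf.c hunk at @@ -801) the unit conversion depends on switch fall-through from 'w' to 'd' to 'h' to 'm'; mark each with a `/* FALLTHROUGH */` comment so it is not "fixed" later. atoi() also silently accepts trailing garbage and non-numbers: "IdleTimeout 10minutes" parses as 10 and is then taken as seconds because the last character is 's', and "IdleTimeout foo5" becomes 0 (disabled) because atoi() returns 0 and '5' passes the suffix check; a large value with 'w' overflows int, and a negative value is stored as is. Parse with strtol() and an end-pointer, require at most one suffix character directly after the digits, reject negative values, and check against INT_MAX before multiplying.

Review bot: servconf.h hunk: "number of second" should read "number of seconds", and the comment opener `/*` standing alone after the member declaration reads oddly next to the surrounding members; put the comment on its own lines above `int idletimeout;`.

Review bot: The serverloop.c hunk at @@ -259 replaces `if (ret == -1) { if (errno != EINTR) error("select: %.100s", strerror(errno)); else goto retry_select; }` with an unconditional `goto retry_select`, so the server loop no longer reports select() failures itself; make sure packet_select() logs strerror(errno) before it exits on errors other than EINTR/EAGAIN, otherwise that diagnostic is lost. Note also that EAGAIN is now retried where it was previously logged and fallen through.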
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Tue, 21 Aug 2001 11:22:15 +0200
Subject: [PATCH] some patches for Fujitsu-Siemens ReliantUNIX, minor fixes and XXXes
In-Reply-To: <200108201635.f7KGZVn09514@mail2.siemens.de>; from Robert.Dahlem@ffm2.siemens.de on Mon, Aug 20, 2001 at 06:33:39PM +0200
References: <200108201635.f7KGZVn09514@mail2.siemens.de>
Message-ID: <20010821112215.A16924@serv01.aet.tu-cottbus.de>

On Mon, Aug 20, 2001 at 06:33:39PM +0200, Robert Dahlem wrote:
> - -ldl not chosen by configure:
>
> Something in OpenSSH (I did not find) needs libdl. configure checks for
> dlopen() only when it finds PAM. No PAM on ReliantUNIX, so no libdl,
> thus no binding. Ouch! :-)
>
> I made an XXX fix for ReliantUNIX and left it for someone else to
> de-nest the dlopen() check in configure.in. Sorry, but it's beyond my
> understanding of autoconf. BTW: Why does autoconf-2.50 bounce on
> configure.in?

I'll give it a guess. The 'engine' release of OpenSSL requires dynamic loading, while the normal release does not. You therefore won't see any relation to OpenSSH.

One could add -ldl (-ldld for some platforms) to the OpenSSH build process: the next major release of 0.9.7 will use dynamic loading anyway. 0.9.7 shared libraries will be built against -ldl, so this problem will not pop up too often. I am not sure whether I should recommend adding -ldl (or -ldld) generally.

Best regards,
Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From markus.friedl at informatik.uni-erlangen.de Tue Aug 21 20:56:35 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 21 Aug 2001 12:56:35 +0200
Subject: How to configure the OPEN SSH with DSA..........
In-Reply-To: ; from Jayant.SonSurkar@ogilvy.com on Mon, Aug 20, 2001 at 11:21:03PM -0400
References:
Message-ID: <20010821125635.A21495@folly>

1) please don't send images. thanks.
2) you don't tell us your software versions.
3) please ask openssh-unix-dev at mindrot.org

-m

On Mon, Aug 20, 2001 at 11:21:03PM -0400, Jayant.SonSurkar at ogilvy.com wrote:
>
> Hi, This is the first time I am trying to set up OpenSSH. I want to
> connect to my Unix systems from Windows or from any other Unix system by
> using a DSA public and private key
> without a password. With this I can run the scripts on the remote system and
> use scp etc. on the remote system.
>
> Can you please help me to configure this system. I don't know how to set up
> this.
> I am getting the following error message...........
>
> (Embedded image moved to file: pic00041.pcx)
...

From Jayant.SonSurkar at ogilvy.com Tue Aug 21 23:13:54 2001
From: Jayant.SonSurkar at ogilvy.com (Jayant.SonSurkar at ogilvy.com)
Date: Tue, 21 Aug 2001 09:13:54 -0400
Subject: No subject
Message-ID:

Hi,

I am trying to set up OpenSSH. I want to connect to my Unix systems from Windows or from any other Unix system by using a DSA public and private key without a password. With this I can run the scripts on the remote system and use scp etc. on the remote system.

Can you please help me to configure this system. I don't know how to set this up. I am getting the following error message:

[SSH LOCAL ONLY] : State Change: SSH_STATE_UNKNOWN->SSH_STATE_CONNECTING
[SSH LOCAL ONLY] : State Change: SSH_STATE_CONNECTING->SSH_STATE_EXPECT_IDENTIFIER
[SSH LOCAL ONLY] : connected
[SSH LOCAL ONLY] : RECV : Remote Identifier = "SSH-1.99-OpenSSH_2.9p2"
[SSH LOCAL ONLY] : SEND : KEXINIT
[SSH LOCAL ONLY] : State Change: SSH_STATE_EXPECT_IDENTIFIER->SSH_STATE_INITIAL_KEYEXCHANGE
[SSH LOCAL ONLY] : RECV : Read kexinit
[SSH LOCAL ONLY] : Kex Method = diffie-hellman-group1-sha1
[SSH LOCAL ONLY] : Host Key Algo = ssh-dss
[SSH LOCAL ONLY] : Send Cipher = 3des-cbc
[SSH LOCAL ONLY] : Recv Cipher = 3des-cbc
[SSH LOCAL ONLY] : Send Mac = hmac-md5
[SSH LOCAL ONLY] : Recv Mac = hmac-md5
[SSH LOCAL ONLY] : Compressor = none
[SSH LOCAL ONLY] : Decompressor = none
[SSH LOCAL ONLY] : SEND : KEXDH_INIT
[SSH LOCAL ONLY] : RECV : KEXDH_REPLY
[hex dump of the KEXDH_REPLY packet omitted]
[SSH LOCAL ONLY] : SEND: Disconnect packet. Disconnect message #2.
[SSH LOCAL ONLY] : SEND: Disconnect packet:
[SSH LOCAL ONLY] : State Change: SSH_STATE_INITIAL_KEYEXCHANGE->SSH_STATE_CLOSING
[SSH LOCAL ONLY] : RECV : NEWKEYS
[SSH LOCAL ONLY] : SEND: Disconnect packet. Disconnect message #2.
[SSH LOCAL ONLY] : SEND: Disconnect packet: Read newkeys in invalid state.
[SSH LOCAL ONLY] : State Change: SSH_STATE_CLOSING->SSH_STATE_CLOSED

Regards,
Jay
Office Phone No. (212) 237-4239
Cell Phone No. (917) 968-7950
From aultj at crd.ge.com Wed Aug 22 00:41:00 2001
From: aultj at crd.ge.com (Ault, James R (CRD))
Date: Tue, 21 Aug 2001 10:41:00 -0400
Subject: OpenSSH 2.9p2 / SSH3 vulnerability?
Message-ID:

I have a few questions:

1) Is OpenSSH 2.9p2 (or any other version of OpenSSH) vulnerable to the same problem as SSH3.0.0? (described here: http://www.kb.cert.org/vuls/id/737451 )

2) There is a "SECURID" patch in the contrib section since 2.5.2p2. I am using it, but applying this patch to each new version is growing more difficult as time goes on. Would you consider merging this function into the core of openssh? (with a configure flag and everything)? I would certainly appreciate it...

3) when is the next version of OpenSSH due to come out? It seems that a new one arrives only moments after I finish my "make install" on 4-5 different platforms.. :-)

Jim Ault, aultj at crd.ge.com

From mouring at etoh.eviladmin.org Wed Aug 22 01:32:55 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Tue, 21 Aug 2001 10:32:55 -0500 (CDT)
Subject: OpenSSH 2.9p2 / SSH3 vulnerability?
In-Reply-To:
Message-ID:

On Tue, 21 Aug 2001, Ault, James R (CRD) wrote:

>
> I have a few questions:
>
> 1) Is OpenSSH 2.9p2 (or any other version of OpenSSH) vulnerable to the same problem as SSH3.0.0?
> (described here:
> http://www.kb.cert.org/vuls/id/737451 )
>

I looked around and tried it out.. and I could not find anything that resembled that security hole in OpenSSH. I'm sure Markus and others did a more in-depth check.

> 2) There is a "SECURID" patch in the contrib section since 2.5.2p2. I am using it, but applying this
> patch to each new version is growing more difficult as time goes on. Would you consider merging this
> function into the core of openssh? (with a configure flag and everything)? I would certainly
> appreciate it...
>

There is? I don't see it in the -current version of the portable.

I don't believe there are any plans on adding SecurID. I no longer remember the reasons.. But doing a simple grep for "SecureID" in my archives I see comments like "Integrating SecureID is additional complexity which has to be maintained," .. So I think it's a safe bet it will not. =)

Version 3.0 will ship with Cryptocard support (currently not tested well outside of OpenBSD platform).

> 3) when is the next version of OpenSSH due to come out? It seems that a new one arrives only moments
> after I finish my "make install" on 4-5 different platforms.. :-)
>

Can't say for sure.=) Whenever I do I get corrected by Theo and Markus, but a release is 'Coming'... I know Markus would like a release before Sept.

Unless Damien has any qualms I was going to call for people to start testing in the next day or so (if I can catch my breath from other projects).

- Ben

From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed Aug 22 01:55:24 2001
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Tue, 21 Aug 2001 17:55:24 +0200 Subject: OpenSSH 2.9p2 / SSH3 vulnerability? In-Reply-To: ; from mouring@etoh.eviladmin.org on Tue, Aug 21, 2001 at 10:32:55AM -0500 References: Message-ID: <20010821175524.A22469@serv01.aet.tu-cottbus.de> On Tue, Aug 21, 2001 at 10:32:55AM -0500, mouring at etoh.eviladmin.org wrote: > Can't say for sure.=) When ever I do I get corrected by Theo and Markus, > but a release is 'Coming'... I know Markus would like a release before > Sept. > > Unless Damien has any quarms I was going to call for people to > start testing in the next day or so (if I can catch my breath from other > projects). That reminds me that the "connection does not close with agent-forwarding on some platforms" patch I posted quite some time ago still did not lead to any reponse on the list. I tested it on HP-UX, people on other platforms with the same problem should test and report about success, so that it will hopefully be added to the release! I will attach the same patch (worked out between Markus and me) again... Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 -------------- next part -------------- diff -r -u newsoft/openssh_cvs/channels.c n2/openssh/channels.c --- newsoft/openssh_cvs/channels.c Thu Jul 19 18:03:32 2001 +++ n2/openssh/channels.c Wed Jul 25 18:09:44 2001 @@ -260,6 +260,7 @@ c->cb_fn = NULL; c->cb_arg = NULL; c->cb_event = 0; + c->force_drain = 0; c->detach_user = NULL; c->input_filter = NULL; debug("channel %d: new [%s]", found, remote_name); @@ -1031,6 +1032,7 @@ xfree(remote_ipaddr); return; } + nc->force_drain = 0; if (compat20) { packet_start(SSH2_MSG_CHANNEL_OPEN); packet_put_cstring("x11"); 
@@ -1185,6 +1187,7 @@ xfree(name); close(newsock); } + nc->force_drain = 0; if (compat20) { packet_start(SSH2_MSG_CHANNEL_OPEN); packet_put_cstring("auth-agent at openssh.com"); @@ -1781,6 +1784,13 @@ if (c == NULL) packet_disconnect("Received ieof for nonexistent channel %d.", id); chan_rcvd_ieof(c); + + /* XXX force input close */ + if (c->force_drain) { + debug2("channel %d: XXX FORCE input drain", c->self); + c->istate = CHAN_INPUT_WAIT_DRAIN; + } + } void @@ -2669,6 +2679,7 @@ close(sock); } else { c->remote_id = remote_id; + c->force_drain = 1; } } if (c == NULL) { @@ -2931,6 +2942,7 @@ close(sock); } else { c->remote_id = remote_id; + c->force_drain = 1; } } if (c == NULL) { diff -r -u newsoft/openssh_cvs/channels.h n2/openssh/channels.h --- newsoft/openssh_cvs/channels.h Thu Jul 19 18:03:33 2001 +++ n2/openssh/channels.h Thu Jul 19 18:31:56 2001 @@ -77,6 +77,7 @@ int efd; /* extended fd */ int sock; /* sock fd */ int isatty; /* rfd is a tty */ + int force_drain; /* force close on iEOF */ Buffer input; /* data read from socket, to be sent over * encrypted connection */ Buffer output; /* data received over encrypted connection for diff -r -u newsoft/openssh_cvs/clientloop.c n2/openssh/clientloop.c --- newsoft/openssh_cvs/clientloop.c Thu Jul 19 18:03:33 2001 +++ n2/openssh/clientloop.c Thu Jul 19 19:24:27 2001 @@ -1111,6 +1111,7 @@ error("client_request_x11: channel_new failed"); close(sock); } + c->force_drain = 1; return c; } @@ -1136,6 +1137,7 @@ error("client_request_agent: channel_new failed"); close(sock); } + c->force_drain = 1; return c; } From mouring at etoh.eviladmin.org Wed Aug 22 01:50:35 2001 
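Review bot: In the channels.c hunk at @@ -1185, `nc->force_drain = 0;` follows `close(newsock); }` with no return visible in the context; if that block is the channel_new() failure path, nc is NULL at that point. The assignment is also redundant, as is the one in the x11 hunk at @@ -1031, because channel_new() now initializes force_drain to 0 in the @@ -260 hunk; dropping both keeps the initialization in one place.

Review bot: In the channels.c hunk at @@ -1781 the block marked `/* XXX force input close */` sets `c->istate = CHAN_INPUT_WAIT_DRAIN` whenever force_drain is set, regardless of the channel's current input state, so a channel whose input is already closed or already draining is moved backwards; guard the assignment on the input still being open. Replace the XXX with a comment stating the reason: forwarded agent/X11 connections on some platforms never deliver EOF from the local socket, so the remote ieof has to drive the drain.

Review bot: In the clientloop.c hunk at @@ -1111, `c->force_drain = 1;` is placed after the `if (c == NULL) { error("client_request_x11: channel_new failed"); close(sock); }` block (the visible context ends with `close(sock); }` and the function goes on to `return c;`), so when channel_new() fails the new line dereferences a NULL pointer; move the assignment into an `else` branch or guard it with `if (c != NULL)`.

Review bot: The clientloop.c hunk at @@ -1136 has the same problem in client_request_agent(): `c->force_drain = 1;` runs after the failure branch that logged "client_request_agent: channel_new failed" and closed sock, so c may be NULL there; guard it the same way.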
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Tue, 21 Aug 2001 10:50:35 -0500 (CDT)
Subject: OpenSSH 2.9p2 / SSH3 vulnerability?
In-Reply-To: <20010821175524.A22469@serv01.aet.tu-cottbus.de>
Message-ID:

I'm unsure if this was targeted at the upstream source or at the portable. I assumed it was targeted for being included in the upstream source.

- Ben

On Tue, 21 Aug 2001, Lutz Jaenicke wrote:

> On Tue, Aug 21, 2001 at 10:32:55AM -0500, mouring at etoh.eviladmin.org wrote:
> > Can't say for sure.=) Whenever I do I get corrected by Theo and Markus,
> > but a release is 'Coming'... I know Markus would like a release before
> > Sept.
> >
> > Unless Damien has any qualms I was going to call for people to
> > start testing in the next day or so (if I can catch my breath from other
> > projects).
>
> That reminds me that the
> "connection does not close with agent-forwarding on some platforms"
> patch I posted quite some time ago still did not lead to any response
> on the list. I tested it on HP-UX, people on other platforms with the
> same problem should test and report about success, so that it will
> hopefully be added to the release!
>
> I will attach the same patch (worked out between Markus and me) again...
> Lutz
>

From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed Aug 22 02:08:34 2001
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Tue, 21 Aug 2001 18:08:34 +0200
Subject: OpenSSH 2.9p2 / SSH3 vulnerability?
In-Reply-To: ; from mouring@etoh.eviladmin.org on Tue, Aug 21, 2001 at 10:50:35AM -0500
References: <20010821175524.A22469@serv01.aet.tu-cottbus.de>
Message-ID: <20010821180834.A22692@serv01.aet.tu-cottbus.de>

On Tue, Aug 21, 2001 at 10:50:35AM -0500, mouring at etoh.eviladmin.org wrote:
> I'm unsure if this was targeted at the upstream source or at the
> portable. I assumed it was targeted for being included in the upstream
> source.

Yes. It is targeted at the upstream source.

Lutz
--
Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153

From stevesk at pobox.com Wed Aug 22 02:57:06 2001

From: stevesk at pobox.com (Kevin Steves)
Date: Tue, 21 Aug 2001 09:57:06 -0700 (PDT)
Subject: Idletimeout patch
In-Reply-To:
Message-ID:

On Mon, 20 Aug 2001, Jani Jaakkola wrote:
:> thanks. here's the patch against current portable CVS with KNF and
:
:I don't know what is KNF :(

see: http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9

this is referred to in the README

:Is there anonymous access to portable CVS? I think in
:http://www.openbsd.org/anoncvs.html
:only the openbsd cvs tree is mentioned.

http://www.openssh.com/portable.html

you should use the patch i posted earlier as a base for your changes because it follows the guidelines above and is against the current release.

From wayned at users.sourceforge.net Wed Aug 22 04:00:43 2001
From: wayned at users.sourceforge.net (Wayne Davison)
Date: Tue, 21 Aug 2001 11:00:43 -0700 (PDT)
Subject: Resend: loginrec.c patch
Message-ID:

I'm resending this patch just in case it got lost. The first hunk of the patch fixes a problem with the LOGIN_NEEDS_UTMPX support in that the date was not being set in the logininfo structure (causing wrong timestamps in the "last" log). The second hunk just omits the USE_WTMPX code in the LOGIN_NEEDS_UTMPX section if USE_UTMPX is defined. This prevents duplicate events in the last log under Solaris. Neither of these changes affects the non-LOGIN_NEEDS_UTMPX code.

..wayne..

---8<------8<------8<------8<---cut here--->8------>8------>8------>8---
Index: loginrec.c --- loginrec.c 2001/08/06 23:29:17 1.34 +++ loginrec.c 2001/08/21 17:53:43 @@ -448,6 +448,8 @@ login_utmp_only(struct logininfo *li) { li->type = LTYPE_LOGIN; + /* set the timestamp */ + login_set_current_time(li); # ifdef USE_UTMP utmp_write_entry(li); # endif @@ -456,9 +458,10 @@ # endif # ifdef USE_UTMPX utmpx_write_entry(li); -# endif -# ifdef USE_WTMPX +# else +# ifdef USE_WTMPX wtmpx_write_entry(li); +# endif # endif return 0; }
---8<------8<------8<------8<---cut here--->8------>8------>8------>8---

From mooney at dogbert.cc.ndsu.NoDak.edu Wed Aug 22 05:43:45 2001
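Review bot: in the second hunk the new `# else` / `# ifdef USE_WTMPX` / `# endif` sit at the same indentation as the enclosing `# ifdef USE_UTMPX` / `# endif`, so the two consecutive `# endif`s read as a duplicate; indent the inner pair one more space (`#  ifdef USE_WTMPX`, `#  endif`). The else branch also encodes an assumption that deserves a comment: that utmpx_write_entry() already produces the wtmpx record (the message says this is what removes the duplicate last(1) entries on Solaris), so a LOGIN_NEEDS_UTMPX platform whose utmpx write does not update wtmpx would lose those records after this change.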
From: mooney at dogbert.cc.ndsu.NoDak.edu (Tim Mooney)
Date: Tue, 21 Aug 2001 14:43:45 -0500 (CDT)
Subject: [patch] 64 bit types in bitypes.h
Message-ID:

[cc'ed to exports at crypto.com. This patch contains no changes to cryptographic routines, it only changes how the package's configure script works]

[I'm not subscribed to this list, please cc me on responses. Thanks]

I noticed a minor configure problem in OpenSSH 2.9p2. Basically, configure will check sys/types.h for various "sized" prototypes, and then it separately checks for int64_t and u_int64_t. If it doesn't find the standard sized types (int32, int16, etc) it falls back to checking sys/bitypes.h *but* it doesn't check for the 64 bit types in there. It should. The patch below my sig addresses the problem.

Also, unless there's a good reason I'm not aware of, the newer inttypes.h header file should also be checked, in the event that the typedefs aren't available in either of the other header files (inttypes.h should probably even be preferred to sys/bitypes.h).

Tim
--
Tim Mooney mooney at dogbert.cc.ndsu.NoDak.edu
Information Technology Services (701) 231-1076 (Voice)
Room 242-J6, IACC Building (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164

diff -ur openssh-2.9p2.orig/configure.in openssh-2.9p2/configure.in --- openssh-2.9p2.orig/configure.in Mon May 28 12:21:44 2001 +++ openssh-2.9p2/configure.in Thu Aug 16 15:01:04 2001
@@ -821,6 +821,49 @@ ) fi +# if we didn't find int64_t and u_int64_t in sys/types.h but there is +# a sys/bitypes.h, check it too. +if (test -z "$have_int64_t" && \ + test "x$ac_cv_header_sys_bitypes_h" = "xyes") +then + AC_MSG_CHECKING([for int64_t in sys/bitypes.h]) + AC_TRY_COMPILE( + [ #include ], + [ int64_t a; a = 1;], + [ ac_cv_have_int64_t="yes" ], + [ ac_cv_have_int64_t="no" ] + ) + if test "x$ac_cv_have_int64_t" = "xyes" ; then + AC_DEFINE(HAVE_INT64_T) + AC_MSG_RESULT([yes]) + have_int64_t=1 + else + AC_MSG_RESULT([no]) + fi +fi + +if (test -z "$have_u_int64_t" && \ + test "x$ac_cv_header_sys_bitypes_h" = "xyes") +then + AC_MSG_CHECKING([for u_int64_t in sys/bitypes.h]) + AC_TRY_COMPILE( + [ #include ], + [ u_int64_t a; a = 1;], + [ ac_cv_have_u_int64_t="yes" ], + [ ac_cv_have_u_int64_t="no" ] + ) + if test "x$ac_cv_have_u_int64_t" = "xyes" ; then + AC_DEFINE(HAVE_U_INT64_T) + AC_MSG_RESULT([yes]) + have_u_int64_t=1 + else + AC_MSG_RESULT([no]) + fi +fi + +# should also explicitly check for inttypes.h, and the various intXX_T +# and u_intXX_t in there. + if test -z "$have_u_intxx_t" ; then AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [ AC_TRY_COMPILE( From edgpua at yahoo.com Wed Aug 22 19:12:45 2001 
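Review bot: the AC_TRY_COMPILE preamble in both new blocks reads `[ #include ],` in the hunk as posted, with no header name after `#include`, so the test program cannot compile and both checks would always answer no; the line has to name sys/bitypes.h. The blocks also assign `ac_cv_have_int64_t` and `ac_cv_have_u_int64_t` directly rather than through AC_CACHE_CHECK as the surrounding checks do (see the uintXX_t check in the trailing context), which bypasses the caching that the ac_cv_ prefix implies and lets a stale config.cache value stand in for the result; either wrap each test in AC_CACHE_CHECK under its own name or use plain shell variables. Finally, the two blocks differ only in the type name, so one macro parameterised on the type would halve the duplication and make the inttypes.h check the trailing comment asks for a one-line addition.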
From: edgpua at yahoo.com (edwin pua)
Date: Wed, 22 Aug 2001 02:12:45 -0700 (PDT)
Subject: open-ssh error...
Message-ID: <20010822091245.31198.qmail@web11001.mail.yahoo.com>

hi everyone,

i do have a Redhat7.0 with open-ssh-2.1.1p4-1.src.rpm installed together with openssh-server-2.1.1p4 and openssh-clients in my linux server.

i used the default configuration under /etc/ssh/sshd_config. but when i ran ssh -v root at x.x.x.x, it doesn't establish a connection and i have this error: ssh_exchange_identification error

what does it mean? and can you help me also on what openssh-agent that i need on my window machine to remote login my linux server?

thanx.

-----result----
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to 172.30.1.41 [172.30.1.41] port 22.
debug: Allocated local port 1023.
debug: Connection established.

ssh_exchange_identification: Connection closed by remote host
debug: Calling cleanup 0x805db00(0x0)

From Markus.Friedl at informatik.uni-erlangen.de Wed Aug 22 19:15:52 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 22 Aug 2001 11:15:52 +0200
Subject: open-ssh error...
In-Reply-To: <20010822091245.31198.qmail@web11001.mail.yahoo.com>; from edgpua@yahoo.com on Wed, Aug 22, 2001 at 02:12:45AM -0700
References: <20010822091245.31198.qmail@web11001.mail.yahoo.com>
Message-ID: <20010822111552.B21800@faui02.informatik.uni-erlangen.de>

1) please upgrade your version of openssh
2) check /etc/hosts* and your tcpwrapper config.

On Wed, Aug 22, 2001 at 02:12:45AM -0700, edwin pua wrote:
>
> hi everyone,
>
> i do have a Redhat7.0 with open-ssh-2.1.1p4-1.src.rpm installed together with openssh-server-2.1.1p4 and openssh-clients in my linux server.
>
> i used the default configuration under /etc/ssh/sshd_config. but when i ran ssh -v root at x.x.x.x, it doesn't establish a connection and i have this error: ssh_exchange_identification error
>
> what does it mean? and can you help me also on what openssh-agent that i need on my window machine to remote login my linux server?
>
> thanx.
>
> -----result----
> SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
> Compiled with SSL (0x0090581f).
> debug: Reading configuration data /etc/ssh/ssh_config
> debug: Applying options for *
> debug: Seeding random number generator
> debug: ssh_connect: getuid 0 geteuid 0 anon 0
> debug: Connecting to 172.30.1.41 [172.30.1.41] port 22.
> debug: Allocated local port 1023.
> debug: Connection established.
>
> ssh_exchange_identification: Connection closed by remote host
> debug: Calling cleanup 0x805db00(0x0)

From edgpua at yahoo.com Wed Aug 22 19:25:14 2001
From: edgpua at yahoo.com (edwin pua)
Date: Wed, 22 Aug 2001 02:25:14 -0700 (PDT)
Subject: open-ssh error...
In-Reply-To: <20010822111552.B21800@faui02.informatik.uni-erlangen.de>
Message-ID: <20010822092514.46869.qmail@web11006.mail.yahoo.com>

hi mark,

what is latest version for openssh? are you using the latest version? will that help me on the problem i have encountered?

rgds,
edwin

--- Markus Friedl wrote:
> 1) please upgrade your version of openssh
> 2) check /etc/hosts* and your tcpwrapper config.
>
> On Wed, Aug 22, 2001 at 02:12:45AM -0700, edwin pua wrote:
> >
> > hi everyone,
> >
> > i do have a Redhat7.0 with open-ssh-2.1.1p4-1.src.rpm installed together with openssh-server-2.1.1p4 and openssh-clients in my linux server.
> >
> > i used the default configuration under /etc/ssh/sshd_config. but when i ran ssh -v root at x.x.x.x, it doesn't establish a connection and i have this error: ssh_exchange_identification error
> >
> > what does it mean? and can you help me also on what openssh-agent that i need on my window machine to remote login my linux server?
> >
> > thanx.
> >
> > -----result----
> > SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
> > Compiled with SSL (0x0090581f).
> > debug: Reading configuration data /etc/ssh/ssh_config
> > debug: Applying options for *
> > debug: Seeding random number generator
> > debug: ssh_connect: getuid 0 geteuid 0 anon 0
> > debug: Connecting to 172.30.1.41 [172.30.1.41] port 22.
> > debug: Allocated local port 1023.
> > debug: Connection established.
> >
> > ssh_exchange_identification: Connection closed by remote host
> > debug: Calling cleanup 0x805db00(0x0)
From Markus.Friedl at informatik.uni-erlangen.de Wed Aug 22 20:03:46 2001

From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 22 Aug 2001 12:03:46 +0200
Subject: open-ssh error...
In-Reply-To: <20010822092514.46869.qmail@web11006.mail.yahoo.com>; from edgpua@yahoo.com on Wed, Aug 22, 2001 at 02:25:14AM -0700
References: <20010822111552.B21800@faui02.informatik.uni-erlangen.de> <20010822092514.46869.qmail@web11006.mail.yahoo.com>
Message-ID: <20010822120346.C21800@faui02.informatik.uni-erlangen.de>

On Wed, Aug 22, 2001 at 02:25:14AM -0700, edwin pua wrote:
>
> hi mark,
>
> what is latest version for openssh?

2.9p2

> are you using
> the latest version?

yes.

> will that help me on the problem i have
> encountered?

2.1.x has too many bugs, even remote root.

so, did you check the tcpwrapper config on the server?
does 'telnet host 22' work?

From thomas.boyle at openwave.com Wed Aug 22 22:13:07 2001
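Markus's two pointers (the tcp_wrappers files and a plain TCP connect to port 22) separate a daemon that refuses to talk from one that is not listening: "ssh_exchange_identification: Connection closed by remote host" in edwin's trace means the TCP connection was accepted and then shut before any version banner arrived, which is consistent with a libwrap-enabled sshd rejecting the client. The script below is an added example, not from this thread or from OpenSSH, that models the hosts_access(5) decision order over a constructed hosts.allow and hosts.deny pair, so the effect of a blanket "ALL: ALL" deny line next to a narrow sshd allow line can be reasoned about before touching the real files. Only part of the pattern language is modelled (ALL, exact addresses, a trailing-dot network prefix, one EXCEPT clause per list); hostname, netmask and wildcard forms are left out.

```shell
#!/bin/sh
# Added example, not from the thread: a toy evaluator for the hosts_access(5)
# decision.  tcpd consults hosts.allow first (the first matching line grants),
# then hosts.deny (the first matching line refuses), and grants access when
# neither file matches.  Modelled patterns: ALL, an exact address, a
# trailing-dot network prefix such as "10.20.110.", and one EXCEPT clause.

# Constructed sample policy (assumed, not anyone's real files).
HOSTS_ALLOW='sshd: 10.20.110. 192.168.1.5 EXCEPT 10.20.110.99
ALL: 127.0.0.1'
HOSTS_DENY='ALL: ALL'

# pattern_matches PATTERN VALUE -> 0 if PATTERN matches the daemon name or address
pattern_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac
             return 1 ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# list_matches "LIST" VALUE -> 0 if VALUE matches "p1 p2 ... [EXCEPT q1 q2 ...]"
list_matches() {
    list=$1
    include=$list
    exclude=''
    case "$list" in
        *" EXCEPT "*) include=${list%% EXCEPT *}; exclude=${list#* EXCEPT } ;;
    esac
    for pat in $exclude; do
        pattern_matches "$pat" "$2" && return 1   # excluded: no match
    done
    for pat in $include; do
        pattern_matches "$pat" "$2" && return 0
    done
    return 1
}

# file_matches "RULES" DAEMON CLIENT -> 0 if some "daemons : clients" line matches
file_matches() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if list_matches "${line%%:*}" "$2" && list_matches "${line#*:}" "$3"; then
            return 0
        fi
    done <<EOF
$1
EOF
    return 1
}

# hosts_access DAEMON CLIENT -> 0 if tcpd would admit the connection
hosts_access() {
    if file_matches "$HOSTS_ALLOW" "$1" "$2"; then return 0; fi
    if file_matches "$HOSTS_DENY"  "$1" "$2"; then return 1; fi
    return 0    # no rule matched anywhere: tcpd grants access
}

# decision DAEMON CLIENT -> prints "allow" or "deny"
decision() {
    if hosts_access "$1" "$2"; then echo allow; else echo deny; fi
}

decision sshd 10.20.110.68   # allow: the sshd line in hosts.allow
decision sshd 10.20.110.99   # deny: EXCEPT removes it, "ALL: ALL" catches it
decision sshd 192.0.2.7      # deny: nothing in hosts.allow, "ALL: ALL" in hosts.deny
decision ftpd 127.0.0.1      # allow: "ALL: 127.0.0.1"
```

The order is the whole point: a client that never matches hosts.allow reaches the "ALL: ALL" line in hosts.deny and is cut off after accept(), which is exactly the symptom in the trace, while a host that is not listening at all fails at the connect step instead.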
From: thomas.boyle at openwave.com (TJ Boyle)
Date: Wed, 22 Aug 2001 13:13:07 +0100
Subject: Problems with SSH when using pam_radius_auth?
Message-ID: <3B83A1D3.469B3ED@openwave.com>

Hi,

I have installed OpenSSH 2.9p2 on Linux Redhat 7.0 with PAM support and using pam_radius_auth to authenticate off a radius server also running Redhat. My problem is that the request goes via the radius server fine and sends back a rad.accept to the pam module but ssh refuses to let me in; it looks like something to do with rhosts but complains very loudly about expired accounts. I've looked at the archives and lots of similar issues but no actual responses, so I'm a bit worried because I think this is my last resource to tap on for help :/

[root at netmon pam.d]# /usr/local/sbin/sshd -d -d -d
debug1: Seeding random number generator
debug1: sshd version OpenSSH_2.9p2
debug1: private host key: #0 type 0 RSA1
debug3: No RSA1 key file /usr/local/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: No RSA1 key file /usr/local/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Invalid argument
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 10.20.110.68 port 3887
debug1: Client protocol version 1.99; client software version 2.4.0 SSH Secure Shell for Windows
debug1: match: 2.4.0 SSH Secure Shell for Windows pat ^2\.[2-9]\.
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_2.9p2
debug1: Rhosts Authentication disabled, originating port not trusted.
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: 3des-cbc,blowfish-cbc,twofish-cbc,arcfour
debug2: kex_parse_kexinit: 3des-cbc,blowfish-cbc,twofish-cbc,arcfour
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 1
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server 3des-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client 3des-cbc hmac-md5 none
debug1: dh_gen_key: priv key bits set: 191/384
debug1: bits set: 523/1024
debug1: expecting SSH2_MSG_KEXDH_INIT
debug1: bits set: 524/1024
debug1: sig size 20 20
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user tb0343 service ssh-connection method none
debug1: attempt 0 failures 0
debug2: input_userauth_request: setting up authctxt for tb0343
debug1: Starting up PAM with username "tb0343"
debug3: Trying to reverse map address 10.20.110.68.
debug1: PAM setting rhost to "capdhcp68"
debug2: input_userauth_request: try method none
Failed none for tb0343 from 10.20.110.68 port 3887 ssh2
debug1: userauth-request for user tb0343 service ssh-connection method none
debug1: attempt 1 failures 1
debug2: Unrecognized authentication method name: none
Failed none for tb0343 from 10.20.110.68 port 3887 ssh2
debug1: userauth-request for user tb0343 service ssh-connection method password
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method password
debug1: PAM Password authentication accepted for user "tb0343"
PAM rejected by account configuration[13]: User account has expired
Failed password for tb0343 from 10.20.110.68 port 3887 ssh2

My pam.d/sshd config file looks like this;

#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_radius_auth.so debug
auth required /lib/security/pam_unix_auth.so
session required /lib/security/pam_pwdb.so

my login definitions state that min password age = 0 so I don't see why it would say the account has expired.

my /var/log/messages looks like;

Aug 18 00:08:34 netmon sshd[9430]: PAM rejected by account configuration[13]: User account has expired
Aug 18 00:08:34 netmon sshd[9430]: Failed password for tb0343 from 10.20.110.68 port 3854 ssh2

Any ideas anyone?

TJ

From mark.reardon at irl.xerox.com Wed Aug 22 20:37:23 2001
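An added note after TJ's post, not part of his message or of any reply on this page. The pam.d/sshd file he shows has auth and session lines but no account line, and the rejection in his log is raised by the account step, after password authentication has already been accepted. Linux-PAM resolves each management group separately and, for a group the service file does not mention, falls back to /etc/pam.d/other, which on a stock Red Hat 7.0 install is pam_deny for every group; pam_deny's account hook returns PAM_ACCT_EXPIRED, error 13, whose text is "User account has expired". That is the line sshd logs here, so the missing account stanza is the first thing to check. The file below is a constructed example of that fix (it keeps TJ's lines and adds one), assuming the RADIUS-authenticated users also exist in the local password database:

```text
#%PAM-1.0
# Constructed example of /etc/pam.d/sshd, not TJ's real file: the auth and
# session lines are his, the account line is the addition.  With no "account"
# entry the account check falls through to /etc/pam.d/other, which on a stock
# Red Hat 7.0 install is pam_deny; pam_deny's account hook returns
# PAM_ACCT_EXPIRED (13), which sshd logs as
# "PAM rejected by account configuration[13]: User account has expired".
auth     required   /lib/security/pam_securetty.so
auth     sufficient /lib/security/pam_radius_auth.so debug
auth     required   /lib/security/pam_unix_auth.so
# Added: let the local account database answer the account-management check
# (pam_pwdb.so, already used for session below, offers the same hook).
account  required   /lib/security/pam_unix.so
session  required   /lib/security/pam_pwdb.so
```

With this stanza a RADIUS accept still satisfies auth (pam_radius_auth is sufficient), and the account decision is made against the local shadow expiry fields instead of by the deny fallback; if the local account really is expired, chage -l for the user will show it and the same message is then legitimate.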
From: mark.reardon at irl.xerox.com (Mark Reardon) Date: Wed, 22 Aug 2001 11:37:23 +0100 Subject: [Fwd: [Fwd: openssh 2.9p2 hang problem]] Message-ID: <3B838B63.7915C98A@irl.xerox.com> Markus Friedl wrote: > > ?'m not sure where the 'bug' is and whether this is 'really' a bug. > > try to talk to the openssh-unix-dev list, i'm too busy right now :( > > -m > > On Thu, Aug 16, 2001 at 03:51:19PM +0100, Mark Reardon wrote: > > Hello Markus, > > > > I recently posted you with a mention of the 2.9p2 possible problem with > > Solaris 2.6 - 8. > > > > Just forwarding on other feedback that users are sending me regarding my > > original posting to the mailing list. > > > > If there is any way at all I can help [ including go away :) ] please do > > not hesitate to mail me. > > > > Rgds, > > > > Mark > > > > "Hull, Deron" wrote: > > > > > > Mark, > > > > > > We have the exact same problem with ssh hanging if called from a cron job. > > > We're also running solaris 2.6 at the server but I'm calling ssh from a cron > > > job on a 2.8 box > > > Both are openssh 2.9p2. The only thing I did in the configure script was to > > > include --with-pam. > > > We would have used 2.9p1 but X forwarding was broken on our 2.6 boxes by it. > > > It was creating a directory under tmp (for mit cookie ) with permissions of > > > 600 even though truss showed it attempting to do a mkdir of 0700. ??? umask > > > problem? > > > > > > I'd be very interested to hear if there was any resolution to this problem. > > > Haven't seen anything on the mailing list. > > > I'm going to talk to one of our C programmers that has made custom changes > > > to openssh for us in the past. > > > > > > Please let me know if you hear anything. 
> > > > > > Thanks > > > > > > Deron Hull > > Hello, > > I believe I may have discovered what appears to be a small anomoly in > the way > OpenSSH closes connections and thought if I gave you some feedback I > might > be able to make a very small contributution to the development of > openssh. > This might be a Solaris 2.6 anomoly or an openssh anomoly or a > combination of both. > I came across this apparent anomoly because we use openssh (via cron) > here > to check on our many Solaris boxes for archive logs filling up so we can > kick > off an archive log backup on the machine if needs be. It was noticed > after a > few days that cron began to behave strangely on the box that was ssh'ing > out > to all the servers. This was because cron had too many outstanding > processes > to kick off any more ( we would literally be doing hundreds of cron'd > ssh tasks > every hour ). It appears that openssh sometimes has trouble closing > connections > on Solaris. To try and get as much detail as possible I set up a simple > job > that continually ssh'd into a box and executed a command until it > finally froze. > It took literally hours for it to happen, but eventually it did. I also > hacked > around with the sshd code in a effort to be able to run sshd continually > in debug > mode to try and pick up any information there but this yielded no more > clues to > what the problem might be ( apart from pointing back to ssh closing > connections > on the Solaris client). Included below is the tail of the debug log on > the client. > last successful connection and then the freeze... > > If I can provide any more information I will be glad to help. > > Best Regards, > > Mark Reardon > > PS Many thanks for an excellent piece of software. 
> > + ssh -v -v -v xcalibur ps -ef | egrep '(arc0|arch)'_xitprd00 | grep -v > grep | wc -l > OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090601f > debug1: Reading configuration data //.ssh/config > debug1: Applying options for * > debug1: Reading configuration data /usr/local/etc/ssh_config > debug1: Applying options for * > debug1: Seeding random number generator > debug1: Rhosts Authentication disabled, originating port will not be > trusted. > debug1: restore_uid > debug1: ssh_connect: getuid 0 geteuid 0 anon 1 > debug1: Connecting to xcalibur [13.219.48.22] port 22. > debug1: temporarily_use_uid: 0/1 (e=0) > debug1: restore_uid > debug1: temporarily_use_uid: 0/1 (e=0) > debug1: restore_uid > debug1: Connection established. > debug1: identity file //.ssh/identity type 0 > debug3: No RSA1 key file //.ssh/id_dsa. > debug2: key_type_from_name: unknown key type '-----BEGIN' > debug3: key_read: no key found > debug3: key_read: no space > debug3: key_read: no space > debug3: key_read: no space > debug3: key_read: no space > debug3: key_read: no space > debug3: key_read: no space > debug3: key_read: no space > debug3: key_read: no space > debug3: key_read: no space > debug3: key_read: no space > debug2: key_type_from_name: unknown key type '-----END' > debug3: key_read: no key found > debug1: identity file //.ssh/id_dsa type 2 > debug1: identity file //.ssh/id_rsa1 type -1 > debug1: identity file //.ssh/id_rsa2 type -1 > debug1: Remote protocol version 1.99, remote software version > OpenSSH_2.9p2 > debug1: match: OpenSSH_2.9p2 pat ^OpenSSH > Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_2.9p2 > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug2: kex_parse_kexinit: > diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss > debug2: kex_parse_kexinit: > 
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: zlib > debug2: kex_parse_kexinit: zlib > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: kex_parse_kexinit: > diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 > debug2: kex_parse_kexinit: ssh-dss,ssh-rsa > debug2: kex_parse_kexinit: > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: none,zlib > debug2: kex_parse_kexinit: none,zlib > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: mac_init: found hmac-md5 > debug1: kex: server->client aes128-cbc hmac-md5 zlib > debug2: mac_init: found hmac-md5 > debug1: kex: client->server aes128-cbc hmac-md5 zlib > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent > debug1: 
expecting SSH2_MSG_KEX_DH_GEX_GROUP > debug1: dh_gen_key: priv key bits set: 127/256 > debug1: bits set: 1019/2049 > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY > debug3: check_host_in_hostfile: filename //.ssh/known_hosts2 > debug3: check_host_in_hostfile: match line 195 > debug3: check_host_in_hostfile: filename //.ssh/known_hosts2 > debug3: key_read: type mismatch > debug3: check_host_in_hostfile: match line 195 > debug1: Host 'xcalibur' is known and matches the RSA host key. > debug1: Found key in //.ssh/known_hosts2:195 > debug1: bits set: 1017/2049 > debug1: ssh_rsa_verify: signature correct > debug1: kex_derive_keys > debug1: newkeys: mode 1 > debug1: Enabling compression at level 6. > debug1: SSH2_MSG_NEWKEYS sent > debug1: waiting for SSH2_MSG_NEWKEYS > debug1: newkeys: mode 0 > debug1: SSH2_MSG_NEWKEYS received > debug1: done: ssh_kex2. > debug1: send SSH2_MSG_SERVICE_REQUEST > debug1: service_accept: ssh-userauth > debug1: got SSH2_MSG_SERVICE_ACCEPT > debug1: authentications that can continue: > publickey,password,keyboard-interactive > debug3: start over, passed a different list > publickey,password,keyboard-interactive > debug3: preferred publickey,password,keyboard-interactive > debug3: authmethod_lookup publickey > debug3: remaining preferred: password,keyboard-interactive > debug3: authmethod_is_enabled publickey > debug1: next auth method to try is publickey > debug1: try pubkey: //.ssh/id_dsa > debug3: send_pubkey_test > debug2: we sent a publickey packet, wait for reply > debug1: input_userauth_pk_ok: pkalg ssh-dss blen 434 lastkey 10ae98 hint > 1 > debug2: input_userauth_pk_ok: fp > b2:48:f6:61:cd:b8:d0:b5:58:85:95:be:7e:20:68:a8 > debug3: sign_and_send_pubkey > debug1: read PEM private key done: type DSA > debug1: sig size 20 20 > debug1: ssh-userauth2 successful: method publickey > debug1: fd 6 setting O_NONBLOCK > debug1: channel 0: new [client-session] > debug1: channel_new: 0 > debug1: send channel 
open 0 > debug1: Entering interactive session. > debug2: callback start > debug1: client_init id 0 arg 0 > debug1: Sending command: ps -ef | egrep '(arc0|arch)'_xitprd00 | grep -v > grep | wc -l > debug2: callback done > debug1: channel 0: open confirm rwindow 0 rmax 16384 > debug2: channel 0: rcvd adjust 32768 > debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 > debug1: channel 0: rcvd eof > debug1: channel 0: output open -> drain > debug1: channel 0: rcvd close > debug1: channel 0: input open -> closed > debug1: channel 0: close_read > debug2: channel 0: no data after CLOSE > debug1: channel 0: obuf empty > debug1: channel 0: output drain -> closed > debug1: channel 0: close_write > debug1: channel 0: send close > debug1: channel 0: is dead > debug1: channel_free: channel 0: status: The following connections are > open: > #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1) > > debug1: channel_free: channel 0: dettaching channel user > debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.3 seconds > debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0 > debug1: Exit status 0 > debug1: compress outgoing: raw data 1198, compressed 667, factor 0.56 > debug1: compress incoming: raw data 592, compressed 580, factor 0.98 > + ssh -v -v -v xcalibur ps -ef | egrep '(arc0|arch)'_xitprd00 | grep -v > grep | wc -l > OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090601f > debug1: Reading configuration data //.ssh/config > debug1: Applying options for * > debug1: Reading configuration data /usr/local/etc/ssh_config > debug1: Applying options for * > debug1: Seeding random number generator > debug1: Rhosts Authentication disabled, originating port will not be > trusted. > debug1: restore_uid > debug1: ssh_connect: getuid 0 geteuid 0 anon 1 > debug1: Connecting to xcalibur [13.219.48.22] port 22. 
> debug1: temporarily_use_uid: 0/1 (e=0) > debug1: restore_uid > debug1: temporarily_use_uid: 0/1 (e=0) > debug1: restore_uid > debug1: Connection established. > debug1: identity file //.ssh/identity type 0 > debug3: No RSA1 key file //.ssh/id_dsa. > debug2: key_type_from_name: unknown key type '-----BEGIN' > debug3: key_read: no key found > debug3: key_read: no space > debug3: key_read: no space > debug3: key_read: no space > debug3: key_read: no space > debug3: key_read: no space > debug3: key_read: no space > debug3: key_read: no space > debug3: key_read: no space > debug3: key_read: no space > debug3: key_read: no space > debug2: key_type_from_name: unknown key type '-----END' > debug3: key_read: no key found > debug1: identity file //.ssh/id_dsa type 2 > debug1: identity file //.ssh/id_rsa1 type -1 > debug1: identity file //.ssh/id_rsa2 type -1 > debug1: Remote protocol version 1.99, remote software version > OpenSSH_2.9p2 > debug1: match: OpenSSH_2.9p2 pat ^OpenSSH > Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_2.9p2 > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug2: kex_parse_kexinit: > diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss > debug2: kex_parse_kexinit: > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: zlib > debug2: kex_parse_kexinit: zlib > debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: kex_parse_kexinit: > diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 > debug2: kex_parse_kexinit: ssh-dss,ssh-rsa > debug2: kex_parse_kexinit: > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: none,zlib > debug2: kex_parse_kexinit: none,zlib > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: mac_init: found hmac-md5 > debug1: kex: server->client aes128-cbc hmac-md5 zlib > debug2: mac_init: found hmac-md5 > debug1: kex: client->server aes128-cbc hmac-md5 zlib > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP > debug1: dh_gen_key: priv key bits set: 134/256 > debug1: bits set: 1009/2049 > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY > debug3: check_host_in_hostfile: filename //.ssh/known_hosts2 > debug3: check_host_in_hostfile: match line 195 > debug3: check_host_in_hostfile: filename //.ssh/known_hosts2 > debug3: key_read: type mismatch > debug3: check_host_in_hostfile: match line 195 > debug1: Host 'xcalibur' is known and matches the RSA host key. 
> debug1: Found key in //.ssh/known_hosts2:195
> debug1: bits set: 1039/2049
> debug1: ssh_rsa_verify: signature correct
> debug1: kex_derive_keys
> debug1: newkeys: mode 1
> debug1: Enabling compression at level 6.
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: waiting for SSH2_MSG_NEWKEYS
> debug1: newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: done: ssh_kex2.
> debug1: send SSH2_MSG_SERVICE_REQUEST
> debug1: service_accept: ssh-userauth
> debug1: got SSH2_MSG_SERVICE_ACCEPT
> debug1: authentications that can continue:
> publickey,password,keyboard-interactive
> debug3: start over, passed a different list
> publickey,password,keyboard-interactive
> debug3: preferred publickey,password,keyboard-interactive
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: password,keyboard-interactive
> debug3: authmethod_is_enabled publickey
> debug1: next auth method to try is publickey
> debug1: try pubkey: //.ssh/id_dsa
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: input_userauth_pk_ok: pkalg ssh-dss blen 434 lastkey 10ae98 hint
> 1
> debug2: input_userauth_pk_ok: fp
> b2:48:f6:61:cd:b8:d0:b5:58:85:95:be:7e:20:68:a8
> debug3: sign_and_send_pubkey
> debug1: read PEM private key done: type DSA
> debug1: sig size 20 20
> debug1: ssh-userauth2 successful: method publickey
> debug1: fd 6 setting O_NONBLOCK
> debug1: channel 0: new [client-session]
> debug1: channel_new: 0
> debug1: send channel open 0
> debug1: Entering interactive session.
> debug2: callback start
> debug1: client_init id 0 arg 0
> debug1: Sending command: ps -ef | egrep '(arc0|arch)'_xitprd00 | grep -v
> grep | wc -l
> debug2: callback done
> debug1: channel 0: open confirm rwindow 0 rmax 16384
> debug2: channel 0: rcvd adjust 32768
> debug1: channel 0: rcvd eof
> debug1: channel 0: output open -> drain
> debug1: channel 0: obuf empty
> debug1: channel 0: output drain -> closed
> debug1: channel 0: close_write
>
> freeze happens here...( I have run this test lots of times and it always
> freezes at exactly the same spot
> - when it eventually does freeze )
>
> On the server we are ssh'ing from ( next morning there are a few
> freezes overnight but not all are on host xcalibur )
>
> > # ps -ef | grep ssh | grep -v sshd
> > root 6202 6201 0 06:30:29 ? 0:00 ssh xcalibur df -k /oracle/u01/admin/xnnprd00/arch
> > root 21855 21854 0 01:00:20 ? 0:00 ssh xcalibur du -sk /oracle/u01/admin/xdnprd00/arch
> > root 21904 21903 0 16:45:41 ? 0:00 ssh xcalibur df -k /oracle/u01/admin/xvkprd00/arch
> > root 27654 27653 0 01:15:38 ? 0:00 ssh xcalibur df -k /oracle/u01/admin/xunprd00/arch
> > root 6857 6856 0 17:45:09 ? 0:00 ssh xcalibur df -k /oracle/u01/admin/xanprd00/arch
> > root 25886 25885 0 15:00:40 ? 0:00 ssh xcalibur du -sk /oracle/u01/admin/xvkprd00/arch
> > root 22924 22923 0 14:45:27 ? 0:00 ssh xcalibur du -sk /oracle/u01/admin/xitprd00/arch
> > root 6335 6334 0 09:19:33 ? 0:00 /usr/local/bin/ssh -x -oFallBackToRsh no -C -4 monet scp -p -f /etc/hosts.allow
> > root 25047 25026 0 08:20:56 pts/16 0:00 grep ssh
> > root 22533 22393 0 08:13:13 pts/6 0:00 ssh middleware
> > root 10348 10347 0 05:45:07 ? 0:00 ssh xesapbw df -k | grep saparch
> > root 17284 17283 0 14:27:59 ? 0:00 ssh xcalibur du -sk /oracle/u01/admin/xunprd00/arch
> > root 3007 3006 0 15:30:20 ? 0:00 ssh xcalibur df -k /oracle/u01/admin/xdnprd00/arch
> > root 9024 8592 0 18:00:46 ? 0:00 ssh xesapdb1 grep '^tmproot' /etc/shadow | grep -v '*LK*'
> > root 26020 2746 0 17:03:19 pts/17 0:00 ssh -v -v -v xcalibur ps -ef | egrep '(arc0|arch)'_xitprd00 | grep -v grep | wc
> > root 13526 13525 0 06:00:22 ? 0:00 ssh xcalibur df -k /oracle/u01/admin/xenprd00/arch
> > root 12757 12673 0 14:24:03 pts/2 0:01 ssh solar-2
> > root 28679 28678 0 17:15:40 ? 0:00 ssh xcalibur df -k /oracle/u01/admin/xvkprd00/arch
> > root 20119 40 0 07:55:18 pts/22 0:00 ssh devsrv1
> > root 13956 13955 0 02:00:03 ? 0:00 ssh -v -v -v devsrv1 df -k | grep saparch

From mouring at etoh.eviladmin.org Thu Aug 23 00:41:05 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 22 Aug 2001 09:41:05 -0500 (CDT)
Subject: [Fwd: [Fwd: openssh 2.9p2 hang problem]]
In-Reply-To: <3B838B63.7915C98A@irl.xerox.com>
Message-ID:

If it's a problem with ssh it does not seem to affect scp. I do scp multiple times a day from Solaris 7 to Solaris 2.5.1 in cron with no problems.

Have you tried doing ssh -n to see if that stops it from happening?

I just setup a test here at work using 'ssh' instead of scp. And I'll see if I can reproduce it. Off hand it looks a lot like when ssh hangs on background processes on some platforms.

- Ben

On Wed, 22 Aug 2001, Mark Reardon wrote:

> Markus Friedl wrote:
> >
> > I'm not sure where the 'bug' is and whether this is 'really' a bug.
> >
> > try to talk to the openssh-unix-dev list, i'm too busy right now :(
> >
> > -m
> >
> > On Thu, Aug 16, 2001 at 03:51:19PM +0100, Mark Reardon wrote:
> > > Hello Markus,
> > >
> > > I recently posted you with a mention of the 2.9p2 possible problem with
> > > Solaris 2.6 - 8.
> > >
> > > Just forwarding on other feedback that users are sending me regarding my
> > > original posting to the mailing list.
> > >
> > > If there is any way at all I can help [ including go away :) ] please do
> > > not hesitate to mail me.
> > >
> > > Rgds,
> > >
> > > Mark
> > >
> > > "Hull, Deron" wrote:
> > > >
> > > > Mark,
> > > >
> > > > We have the exact same problem with ssh hanging if called from a cron job.
> > > > We're also running solaris 2.6 at the server but I'm calling ssh from a cron
> > > > job on a 2.8 box
> > > > Both are openssh 2.9p2. The only thing I did in the configure script was to
> > > > include --with-pam.
> > > > We would have used 2.9p1 but X forwarding was broken on our 2.6 boxes by it.
> > > > It was creating a directory under tmp (for mit cookie ) with permissions of
> > > > 600 even though truss showed it attempting to do a mkdir of 0700. ??? umask
> > > > problem?
> > > >
> > > > I'd be very interested to hear if there was any resolution to this problem.
> > > > Haven't seen anything on the mailing list.
> > > > I'm going to talk to one of our C programmers that has made custom changes
> > > > to openssh for us in the past.
> > > >
> > > > Please let me know if you hear anything.
> > > >
> > > > Thanks
> > > >
> > > > Deron Hull
> >
> > Hello,
> >
> > I believe I may have discovered what appears to be a small anomaly in
> > the way OpenSSH closes connections and thought if I gave you some
> > feedback I might be able to make a very small contribution to the
> > development of openssh.
> >
> > This might be a Solaris 2.6 anomaly or an openssh anomaly or a
> > combination of both.
> >
> > I came across this apparent anomaly because we use openssh (via cron)
> > here to check on our many Solaris boxes for archive logs filling up so
> > we can kick off an archive log backup on the machine if needs be. It
> > was noticed after a few days that cron began to behave strangely on the
> > box that was ssh'ing out to all the servers. This was because cron had
> > too many outstanding processes to kick off any more ( we would
> > literally be doing hundreds of cron'd ssh tasks every hour ). It
> > appears that openssh sometimes has trouble closing connections on
> > Solaris.
> >
> > To try and get as much detail as possible I set up a simple job that
> > continually ssh'd into a box and executed a command until it finally
> > froze. It took literally hours for it to happen, but eventually it did.
> > I also hacked around with the sshd code in an effort to be able to run
> > sshd continually in debug mode to try and pick up any information there
> > but this yielded no more clues to what the problem might be ( apart
> > from pointing back to ssh closing connections on the Solaris client).
> > Included below is the tail of the debug log on the client.
> > last successful connection and then the freeze...
> >
> > If I can provide any more information I will be glad to help.
> >
> > Best Regards,
> >
> > Mark Reardon
> >
> > PS Many thanks for an excellent piece of software.
> >
> > + ssh -v -v -v xcalibur ps -ef | egrep '(arc0|arch)'_xitprd00 | grep -v
> > grep | wc -l
> > OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
> > debug1: Reading configuration data //.ssh/config
> > debug1: Applying options for *
> > debug1: Reading configuration data /usr/local/etc/ssh_config
> > debug1: Applying options for *
> > debug1: Seeding random number generator
> > debug1: Rhosts Authentication disabled, originating port will not be
> > trusted.
> > debug1: restore_uid
> > debug1: ssh_connect: getuid 0 geteuid 0 anon 1
> > debug1: Connecting to xcalibur [13.219.48.22] port 22.
> > debug1: temporarily_use_uid: 0/1 (e=0)
> > debug1: restore_uid
> > debug1: temporarily_use_uid: 0/1 (e=0)
> > debug1: restore_uid
> > debug1: Connection established.
> > debug1: identity file //.ssh/identity type 0
> > debug3: No RSA1 key file //.ssh/id_dsa.
> > debug2: key_type_from_name: unknown key type '-----BEGIN'
> > debug3: key_read: no key found
> > debug3: key_read: no space
> > debug3: key_read: no space
> > debug3: key_read: no space
> > debug3: key_read: no space
> > debug3: key_read: no space
> > debug3: key_read: no space
> > debug3: key_read: no space
> > debug3: key_read: no space
> > debug3: key_read: no space
> > debug3: key_read: no space
> > debug2: key_type_from_name: unknown key type '-----END'
> > debug3: key_read: no key found
> > debug1: identity file //.ssh/id_dsa type 2
> > debug1: identity file //.ssh/id_rsa1 type -1
> > debug1: identity file //.ssh/id_rsa2 type -1
> > debug1: Remote protocol version 1.99, remote software version
> > OpenSSH_2.9p2
> > debug1: match: OpenSSH_2.9p2 pat ^OpenSSH
> > Enabling compatibility mode for protocol 2.0
> > debug1: Local version string SSH-2.0-OpenSSH_2.9p2
> > debug1: SSH2_MSG_KEXINIT sent
> > debug1: SSH2_MSG_KEXINIT received
> > debug2: kex_parse_kexinit:
> > diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > debug2: kex_parse_kexinit:
> > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
> > debug2: kex_parse_kexinit:
> > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
> > debug2: kex_parse_kexinit:
> > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit:
> > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: zlib
> > debug2: kex_parse_kexinit: zlib
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit: first_kex_follows 0
> > debug2: kex_parse_kexinit: reserved 0
> > debug2: kex_parse_kexinit:
> > diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> > debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
> > debug2: kex_parse_kexinit:
> > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
> > debug2: kex_parse_kexinit:
> > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
> > debug2: kex_parse_kexinit:
> > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit:
> > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: none,zlib
> > debug2: kex_parse_kexinit: none,zlib
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit: first_kex_follows 0
> > debug2: kex_parse_kexinit: reserved 0
> > debug2: mac_init: found hmac-md5
> > debug1: kex: server->client aes128-cbc hmac-md5 zlib
> > debug2: mac_init: found hmac-md5
> > debug1: kex: client->server aes128-cbc hmac-md5 zlib
> > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > debug1: dh_gen_key: priv key bits set: 127/256
> > debug1: bits set: 1019/2049
> > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> > debug3: check_host_in_hostfile: filename //.ssh/known_hosts2
> > debug3: check_host_in_hostfile: match line 195
> > debug3: check_host_in_hostfile: filename //.ssh/known_hosts2
> > debug3: key_read: type mismatch
> > debug3: check_host_in_hostfile: match line 195
> > debug1: Host 'xcalibur' is known and matches the RSA host key.
> > debug1: Found key in //.ssh/known_hosts2:195
> > debug1: bits set: 1017/2049
> > debug1: ssh_rsa_verify: signature correct
> > debug1: kex_derive_keys
> > debug1: newkeys: mode 1
> > debug1: Enabling compression at level 6.
> > debug1: SSH2_MSG_NEWKEYS sent
> > debug1: waiting for SSH2_MSG_NEWKEYS
> > debug1: newkeys: mode 0
> > debug1: SSH2_MSG_NEWKEYS received
> > debug1: done: ssh_kex2.
> > debug1: send SSH2_MSG_SERVICE_REQUEST
> > debug1: service_accept: ssh-userauth
> > debug1: got SSH2_MSG_SERVICE_ACCEPT
> > debug1: authentications that can continue:
> > publickey,password,keyboard-interactive
> > debug3: start over, passed a different list
> > publickey,password,keyboard-interactive
> > debug3: preferred publickey,password,keyboard-interactive
> > debug3: authmethod_lookup publickey
> > debug3: remaining preferred: password,keyboard-interactive
> > debug3: authmethod_is_enabled publickey
> > debug1: next auth method to try is publickey
> > debug1: try pubkey: //.ssh/id_dsa
> > debug3: send_pubkey_test
> > debug2: we sent a publickey packet, wait for reply
> > debug1: input_userauth_pk_ok: pkalg ssh-dss blen 434 lastkey 10ae98 hint
> > 1
> > debug2: input_userauth_pk_ok: fp
> > b2:48:f6:61:cd:b8:d0:b5:58:85:95:be:7e:20:68:a8
> > debug3: sign_and_send_pubkey
> > debug1: read PEM private key done: type DSA
> > debug1: sig size 20 20
> > debug1: ssh-userauth2 successful: method publickey
> > debug1: fd 6 setting O_NONBLOCK
> > debug1: channel 0: new [client-session]
> > debug1: channel_new: 0
> > debug1: send channel open 0
> > debug1: Entering interactive session.
> > debug2: callback start
> > debug1: client_init id 0 arg 0
> > debug1: Sending command: ps -ef | egrep '(arc0|arch)'_xitprd00 | grep -v
> > grep | wc -l
> > debug2: callback done
> > debug1: channel 0: open confirm rwindow 0 rmax 16384
> > debug2: channel 0: rcvd adjust 32768
> > debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
> > debug1: channel 0: rcvd eof
> > debug1: channel 0: output open -> drain
> > debug1: channel 0: rcvd close
> > debug1: channel 0: input open -> closed
> > debug1: channel 0: close_read
> > debug2: channel 0: no data after CLOSE
> > debug1: channel 0: obuf empty
> > debug1: channel 0: output drain -> closed
> > debug1: channel 0: close_write
> > debug1: channel 0: send close
> > debug1: channel 0: is dead
> > debug1: channel_free: channel 0: status: The following connections are
> > open:
> >   #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)
> >
> > debug1: channel_free: channel 0: dettaching channel user
> > debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.3 seconds
> > debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
> > debug1: Exit status 0
> > debug1: compress outgoing: raw data 1198, compressed 667, factor 0.56
> > debug1: compress incoming: raw data 592, compressed 580, factor 0.98
> > + ssh -v -v -v xcalibur ps -ef | egrep '(arc0|arch)'_xitprd00 | grep -v
> > grep | wc -l
> > OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
> > debug1: Reading configuration data //.ssh/config
> > debug1: Applying options for *
> > debug1: Reading configuration data /usr/local/etc/ssh_config
> > debug1: Applying options for *
> > debug1: Seeding random number generator
> > debug1: Rhosts Authentication disabled, originating port will not be
> > trusted.
> > debug1: restore_uid
> > debug1: ssh_connect: getuid 0 geteuid 0 anon 1
> > debug1: Connecting to xcalibur [13.219.48.22] port 22.
> > debug1: temporarily_use_uid: 0/1 (e=0)
> > debug1: restore_uid
> > debug1: temporarily_use_uid: 0/1 (e=0)
> > debug1: restore_uid
> > debug1: Connection established.
> > debug1: identity file //.ssh/identity type 0
> > debug3: No RSA1 key file //.ssh/id_dsa.
> > debug2: key_type_from_name: unknown key type '-----BEGIN'
> > debug3: key_read: no key found
> > debug3: key_read: no space
> > debug3: key_read: no space
> > debug3: key_read: no space
> > debug3: key_read: no space
> > debug3: key_read: no space
> > debug3: key_read: no space
> > debug3: key_read: no space
> > debug3: key_read: no space
> > debug3: key_read: no space
> > debug3: key_read: no space
> > debug2: key_type_from_name: unknown key type '-----END'
> > debug3: key_read: no key found
> > debug1: identity file //.ssh/id_dsa type 2
> > debug1: identity file //.ssh/id_rsa1 type -1
> > debug1: identity file //.ssh/id_rsa2 type -1
> > debug1: Remote protocol version 1.99, remote software version
> > OpenSSH_2.9p2
> > debug1: match: OpenSSH_2.9p2 pat ^OpenSSH
> > Enabling compatibility mode for protocol 2.0
> > debug1: Local version string SSH-2.0-OpenSSH_2.9p2
> > debug1: SSH2_MSG_KEXINIT sent
> > debug1: SSH2_MSG_KEXINIT received
> > debug2: kex_parse_kexinit:
> > diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > debug2: kex_parse_kexinit:
> > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
> > debug2: kex_parse_kexinit:
> > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
> > debug2: kex_parse_kexinit:
> > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit:
> > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: zlib
> > debug2: kex_parse_kexinit: zlib
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit: first_kex_follows 0
> > debug2: kex_parse_kexinit: reserved 0
> > debug2: kex_parse_kexinit:
> > diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> > debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
> > debug2: kex_parse_kexinit:
> > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
> > debug2: kex_parse_kexinit:
> > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
> > debug2: kex_parse_kexinit:
> > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit:
> > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: none,zlib
> > debug2: kex_parse_kexinit: none,zlib
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit: first_kex_follows 0
> > debug2: kex_parse_kexinit: reserved 0
> > debug2: mac_init: found hmac-md5
> > debug1: kex: server->client aes128-cbc hmac-md5 zlib
> > debug2: mac_init: found hmac-md5
> > debug1: kex: client->server aes128-cbc hmac-md5 zlib
> > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > debug1: dh_gen_key: priv key bits set: 134/256
> > debug1: bits set: 1009/2049
> > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> > debug3: check_host_in_hostfile: filename //.ssh/known_hosts2
> > debug3: check_host_in_hostfile: match line 195
> > debug3: check_host_in_hostfile: filename //.ssh/known_hosts2
> > debug3: key_read: type mismatch
> > debug3: check_host_in_hostfile: match line 195
> > debug1: Host 'xcalibur' is known and matches the RSA host key.
> > debug1: Found key in //.ssh/known_hosts2:195
> > debug1: bits set: 1039/2049
> > debug1: ssh_rsa_verify: signature correct
> > debug1: kex_derive_keys
> > debug1: newkeys: mode 1
> > debug1: Enabling compression at level 6.
> > debug1: SSH2_MSG_NEWKEYS sent
> > debug1: waiting for SSH2_MSG_NEWKEYS
> > debug1: newkeys: mode 0
> > debug1: SSH2_MSG_NEWKEYS received
> > debug1: done: ssh_kex2.
> > debug1: send SSH2_MSG_SERVICE_REQUEST
> > debug1: service_accept: ssh-userauth
> > debug1: got SSH2_MSG_SERVICE_ACCEPT
> > debug1: authentications that can continue:
> > publickey,password,keyboard-interactive
> > debug3: start over, passed a different list
> > publickey,password,keyboard-interactive
> > debug3: preferred publickey,password,keyboard-interactive
> > debug3: authmethod_lookup publickey
> > debug3: remaining preferred: password,keyboard-interactive
> > debug3: authmethod_is_enabled publickey
> > debug1: next auth method to try is publickey
> > debug1: try pubkey: //.ssh/id_dsa
> > debug3: send_pubkey_test
> > debug2: we sent a publickey packet, wait for reply
> > debug1: input_userauth_pk_ok: pkalg ssh-dss blen 434 lastkey 10ae98 hint
> > 1
> > debug2: input_userauth_pk_ok: fp
> > b2:48:f6:61:cd:b8:d0:b5:58:85:95:be:7e:20:68:a8
> > debug3: sign_and_send_pubkey
> > debug1: read PEM private key done: type DSA
> > debug1: sig size 20 20
> > debug1: ssh-userauth2 successful: method publickey
> > debug1: fd 6 setting O_NONBLOCK
> > debug1: channel 0: new [client-session]
> > debug1: channel_new: 0
> > debug1: send channel open 0
> > debug1: Entering interactive session.
> > debug2: callback start
> > debug1: client_init id 0 arg 0
> > debug1: Sending command: ps -ef | egrep '(arc0|arch)'_xitprd00 | grep -v
> > grep | wc -l
> > debug2: callback done
> > debug1: channel 0: open confirm rwindow 0 rmax 16384
> > debug2: channel 0: rcvd adjust 32768
> > debug1: channel 0: rcvd eof
> > debug1: channel 0: output open -> drain
> > debug1: channel 0: obuf empty
> > debug1: channel 0: output drain -> closed
> > debug1: channel 0: close_write
> >
> > freeze happens here...( I have run this test lots of times and it always
> > freezes at exactly the same spot
> > - when it eventually does freeze )
> >
> > On the server we are ssh'ing from ( next morning there are a few
> > freezes overnight but not all are on host xcalibur )
> >
> > > # ps -ef | grep ssh | grep -v sshd
> > > root 6202 6201 0 06:30:29 ? 0:00 ssh xcalibur df -k /oracle/u01/admin/xnnprd00/arch
> > > root 21855 21854 0 01:00:20 ? 0:00 ssh xcalibur du -sk /oracle/u01/admin/xdnprd00/arch
> > > root 21904 21903 0 16:45:41 ? 0:00 ssh xcalibur df -k /oracle/u01/admin/xvkprd00/arch
> > > root 27654 27653 0 01:15:38 ? 0:00 ssh xcalibur df -k /oracle/u01/admin/xunprd00/arch
> > > root 6857 6856 0 17:45:09 ? 0:00 ssh xcalibur df -k /oracle/u01/admin/xanprd00/arch
> > > root 25886 25885 0 15:00:40 ? 0:00 ssh xcalibur du -sk /oracle/u01/admin/xvkprd00/arch
> > > root 22924 22923 0 14:45:27 ? 0:00 ssh xcalibur du -sk /oracle/u01/admin/xitprd00/arch
> > > root 6335 6334 0 09:19:33 ? 0:00 /usr/local/bin/ssh -x -oFallBackToRsh no -C -4 monet scp -p -f /etc/hosts.allow
> > > root 25047 25026 0 08:20:56 pts/16 0:00 grep ssh
> > > root 22533 22393 0 08:13:13 pts/6 0:00 ssh middleware
> > > root 10348 10347 0 05:45:07 ? 0:00 ssh xesapbw df -k | grep saparch
> > > root 17284 17283 0 14:27:59 ? 0:00 ssh xcalibur du -sk /oracle/u01/admin/xunprd00/arch
> > > root 3007 3006 0 15:30:20 ? 0:00 ssh xcalibur df -k /oracle/u01/admin/xdnprd00/arch
> > > root 9024 8592 0 18:00:46 ? 0:00 ssh xesapdb1 grep '^tmproot' /etc/shadow | grep -v '*LK*'
> > > root 26020 2746 0 17:03:19 pts/17 0:00 ssh -v -v -v xcalibur ps -ef | egrep '(arc0|arch)'_xitprd00 | grep -v grep | wc
> > > root 13526 13525 0 06:00:22 ? 0:00 ssh xcalibur df -k /oracle/u01/admin/xenprd00/arch
> > > root 12757 12673 0 14:24:03 pts/2 0:01 ssh solar-2
> > > root 28679 28678 0 17:15:40 ? 0:00 ssh xcalibur df -k /oracle/u01/admin/xvkprd00/arch
> > > root 20119 40 0 07:55:18 pts/22 0:00 ssh devsrv1
> > > root 13956 13955 0 02:00:03 ? 0:00 ssh -v -v -v devsrv1 df -k | grep saparch
>

From LT1 at ok.aiva.lt Thu Aug 23 05:31:08 2001
From: LT1 at ok.aiva.lt (LT1 at ok.aiva.lt)
Date: 22 Aug 2001 19:31:08 -0000
Subject: No subject
Message-ID: <20010822193108.15413.qmail@ok.aiva.lt>

Dear Sirs and Madams,

Request for information regarding the vending machines

We are interested in your vending machines. We would like to know more about the prices and discounts you could offer us. We are looking for cooperation possibilities and possibilities of becoming dealers/representatives of your products in the Baltic States market. We would be very grateful if you could, please, send the price lists, specifications, advertisement brochures, cooperation conditions' versions and etc. We are looking forward to your quick answer and the information after which we can discuss mutually relevant questions.

Sincerely yours,

Sales manager Tadas Bukys
Info&Comservis
Baltijos pr. 81-37
Klaipeda, 5800-LT
Lithuania
+370-6-495545
+370-80-93018
LT1 at takas.lt

From mouring at etoh.eviladmin.org Thu Aug 23 02:53:46 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 22 Aug 2001 11:53:46 -0500 (CDT)
Subject: CVS oddness on Solaris.
Message-ID:

Ok.. While helping someone else out with a Solaris 6 issue.. I'm noticing something is broken on Solaris 7.. I've not verified it on Linux.. That is my next step. But this is what I'm seeing.

I installed the latest CVS snapshot (actually from the Developer's tree but no changes have been made since the 21st), compiled, and installed.. and now:

    ssh localhost "ps -ef"

does not work. It acts like it works, -v -v -v shows everything right, but.. no output..

[..]
debug3: clear hostkey 0
debug3: clear hostkey 1
debug3: clear hostkey 2
debug1: channel 0: new [client-session]
debug3: ssh_session2_command: channel_new: 0
debug1: send channel open 0
debug1: Entering interactive session.
debug2: callback start
debug1: client_init id 0 arg 0
debug1: Sending command: ps -ef
debug2: callback done
debug1: channel 0: open confirm rwindow 0 rmax 16384
debug1: channel_free: channel 0: client-session, nchannels 1
debug3: channel_free: status: The following connections are open:
  #0 client-session (t4 r0 i1/0 o16/0 fd 6/8)
[..]

Has anyone else seen this? Well, off to throw up OpenSSH -current on Linux for testing...

- Ben

From matthew at debian.org Thu Aug 23 10:20:04 2001
From: matthew at debian.org (Matthew Vernon)
Date: 23 Aug 2001 01:20:04 +0100
Subject: -q option doesn't do what it says in the man page?
Message-ID: <5bitff1vbf.fsf@chiark.greenend.org.uk>

Hi,

Man page:

     -q      Quiet mode.  Causes all warning and diagnostic messages to be
             suppressed.  Only fatal errors are displayed.

But in log.h:

    typedef enum {
            SYSLOG_LEVEL_QUIET,
            SYSLOG_LEVEL_FATAL,

so in log.c:

    void
    do_log(LogLevel level, const char *fmt, va_list args)
    {
            char msgbuf[MSGBUFSIZ];
            char fmtbuf[MSGBUFSIZ];
            char *txt = NULL;
            int pri = LOG_INFO;

            if (level > log_level)
                    return;

This means that even fatal errors will be ignored if the -q flag is passed. The simple fix would appear to be to reverse the ordering in the enum. Any reason why this should not be done?

Thanks,

Matthew

-- 
"At least you know where you are with Microsoft."
"True. I just wish I'd brought a paddle."
http://www.debian.org

From edgpua at yahoo.com Thu Aug 23 11:03:37 2001
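The ordering problem Matthew Vernon describes above, worked through as an added example (code written for this archive page, not OpenSSH's own log.c): a stand-alone model of the `if (level > log_level) return;` gate, evaluated once with the enum as quoted from log.h and once with its first two members reversed, as his message proposes. Only SYSLOG_LEVEL_QUIET and SYSLOG_LEVEL_FATAL are quoted on the page; the members after FATAL, the FIXED_ prefix, the passes_gate/count_emitted helper names and the sample message list are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* The enum as quoted from log.h: QUIET is numerically *below* FATAL.
 * The members after FATAL are assumed for this example. */
typedef enum {
    SYSLOG_LEVEL_QUIET,
    SYSLOG_LEVEL_FATAL,
    SYSLOG_LEVEL_ERROR,
    SYSLOG_LEVEL_INFO,
    SYSLOG_LEVEL_VERBOSE,
    SYSLOG_LEVEL_DEBUG1
} LogLevel;

/* The same enum with the first two members reversed, the fix the message
 * proposes. The FIXED_ prefix only lets both orderings live in one file. */
typedef enum {
    FIXED_LEVEL_FATAL,
    FIXED_LEVEL_QUIET,
    FIXED_LEVEL_ERROR,
    FIXED_LEVEL_INFO,
    FIXED_LEVEL_VERBOSE,
    FIXED_LEVEL_DEBUG1
} FixedLogLevel;

/* Model of the gate at the top of do_log(): a message is dropped when its
 * level is above the configured threshold (log_level). Returns true when
 * the message would actually be emitted. */
static bool passes_gate(int level, int threshold)
{
    if (level > threshold)
        return false;   /* do_log() returns here without printing */
    return true;
}

/* Constructed sample of what a failing client run might log, from routine
 * messages down to the fatal error that ends the process. */
static const int sample_original[] = {
    SYSLOG_LEVEL_INFO, SYSLOG_LEVEL_DEBUG1, SYSLOG_LEVEL_ERROR, SYSLOG_LEVEL_FATAL
};
static const int sample_fixed[] = {
    FIXED_LEVEL_INFO, FIXED_LEVEL_DEBUG1, FIXED_LEVEL_ERROR, FIXED_LEVEL_FATAL
};
#define SAMPLE_LEN 4

/* Run the sample messages through the gate and count the survivors. */
static int count_emitted(const int *levels, size_t n, int threshold)
{
    int emitted = 0;
    for (size_t i = 0; i < n; i++)
        if (passes_gate(levels[i], threshold))
            emitted++;
    return emitted;
}

/* -q sets log_level to QUIET. Under the quoted ordering FATAL (1) > QUIET (0),
 * so the fatal error is swallowed too, contradicting the man page. */
bool fatal_shown_with_quiet_original(void)
{
    return passes_gate(SYSLOG_LEVEL_FATAL, SYSLOG_LEVEL_QUIET);
}

/* With the enum reversed, FATAL (0) <= QUIET (1): fatal passes. */
bool fatal_shown_with_quiet_fixed(void)
{
    return passes_gate(FIXED_LEVEL_FATAL, FIXED_LEVEL_QUIET);
}

/* ...while ERROR (2) > QUIET (1) is still suppressed in quiet mode. */
bool error_shown_with_quiet_fixed(void)
{
    return passes_gate(FIXED_LEVEL_ERROR, FIXED_LEVEL_QUIET);
}

/* How many of the sample messages survive at each threshold. */
int emitted_quiet_original(void)
{
    return count_emitted(sample_original, SAMPLE_LEN, SYSLOG_LEVEL_QUIET);
}

int emitted_quiet_fixed(void)
{
    return count_emitted(sample_fixed, SAMPLE_LEN, FIXED_LEVEL_QUIET);
}

/* The default (INFO) threshold is unaffected by the swap: INFO, ERROR and
 * FATAL are emitted, DEBUG1 is not. */
int emitted_info_fixed(void)
{
    return count_emitted(sample_fixed, SAMPLE_LEN, FIXED_LEVEL_INFO);
}

int main(void)
{
    printf("quoted ordering, -q: fatal shown=%d, messages emitted=%d\n",
           fatal_shown_with_quiet_original(), emitted_quiet_original());
    printf("reversed ordering, -q: fatal shown=%d, error shown=%d, messages emitted=%d\n",
           fatal_shown_with_quiet_fixed(), error_shown_with_quiet_fixed(),
           emitted_quiet_fixed());
    printf("reversed ordering, default: messages emitted=%d\n", emitted_info_fixed());
    return 0;
}
```

The point the model makes explicit is that a "quiet" sentinel placed below FATAL in an ordered enum silences the one message class the flag's documentation promises to keep; moving the sentinel above FATAL, or treating fatal messages as exempt from the gate, restores the documented behaviour without changing any other threshold.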
From: edgpua at yahoo.com (edwin pua)
Date: Wed, 22 Aug 2001 18:03:37 -0700 (PDT)
Subject: ssh_identification error
Message-ID: <20010823010337.96524.qmail@web11006.mail.yahoo.com>

I do have a Redhat7.0 with open-ssh-2.9 installed together with openssh-server-2.9 and openssh-clients in my linux server. I used the default configuration under /etc/ssh/sshd_config. But when I ran ssh -v root at x.x.x.x, it doesn't establish a connection and I have this error:

    ssh_exchange_identification connection closed by remote host.

I'm using secureCRT3.3 on my Windows machine to login to my server. Is there anything that I need to configure on my sshd_config? I'm currently using the default config.

edwin

-----result----
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to 172.30.1.41 [172.30.1.41] port 22.
debug: Allocated local port 1023.
debug: Connection established.
ssh_exchange_identification: Connection closed by remote host
debug: Calling cleanup 0x805db00(0x0)

From jesus at omniti.com Thu Aug 23 12:10:38 2001
From: jesus at omniti.com (Theo E. Schlossnagle)
Date: Wed, 22 Aug 2001 22:10:38 -0400
Subject: OpenSSH 2.9p2 / SSH3 vulnerability?
References:
Message-ID: <3B84661E.7050904@omniti.com>

Ault, James R (CRD) wrote:
> 2) There is a "SECURID" patch in the contrib section since 2.5.2p2.
> I am using it, but applying this patch to each new version is growing
> more difficult as time goes on. Would you consider merging this
> function into the core of openssh? (with a configure flag and
> everything)? I would certainly appreciate it...

The newest version of this patch is always available at:

    http://www.omniti.com/~jesus/projects/

(as it says in the diff included with openssh). I was latent in getting the OpenSSH maintainer the 2.9p2 patch (read: never sent it). I will try to be better about that for next release.

-- 
Theo Schlossnagle
1024D/82844984/95FD 30F1 489E 4613 F22E 491A 7E88 364C 8284 4984
2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7

From jesus at omniti.com Thu Aug 23 12:13:31 2001
From: jesus at omniti.com (Theo E. Schlossnagle)
Date: Wed, 22 Aug 2001 22:13:31 -0400
Subject: OpenSSH 2.9p2 / SSH3 vulnerability?
References:
Message-ID: <3B8466CB.2020901@omniti.com>

mouring at etoh.eviladmin.org wrote:
>> 2) There is a "SECURID" patch in the contrib section since 2.5.2p2. I am using it, but applying this
>> patch to each new version is growing more difficult as time goes on. Would you consider merging this
>> function into the core of openssh? (with a configure flag and everything)? I would certainly
>> appreciate it...
>>
>>
>
> There is? I don't see it in the -current version of the portable.
>
> I don't believe there is any plans on adding Secure ID. I no longer
> remember the reasons..
>
> But doing a simple grep for "SecureID" in my archives I see comments like
>
> "Integrating SecureID is additional complexity which has to be
> maintained,"
>
> .. So I think it's a safe bet it will not. =)

Your grep failed because it is spelled SecurID (no second 'e'). Thank RSA for the jewel.

That patch is actively maintained (by me). It was not incorporated into the main distribution because it is a commercial product that requires proprietary client libraries available only in binary form.

-- 
Theo Schlossnagle
1024D/82844984/95FD 30F1 489E 4613 F22E 491A 7E88 364C 8284 4984
2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7

From cucinotta at sssup.it Thu Aug 23 13:56:32 2001
From: cucinotta at sssup.it (Tommaso Cucinotta)
Date: Wed, 22 Aug 2001 22:56:32 -0500
Subject: Example SmartCard enabled OpenSSH agent.
Message-ID: <3B847EF0.2075182E@sssup.it>

Hi all,

as an example of SSP-Lite middleware, I modified the OpenSSH-2.9p2 sources to support Smart Cards. The new module is just an experiment. It uses an OpenSSL's new RSA method I built to communicate with the smartcard through the SSP/PCSC stack when normal OpenSSL RSA operations are invoked by OpenSSH.

I couldn't embed the module as I wanted into the OpenSSH sources because of the lack of generality of the "key.h" interface. I have some ideas to change that.

If anybody is interested in using/testing/developing, please write to the smartsign mailing list.

A quick overview of the module follows.

Thank you for your attention.

Best regards,

Tommaso Cucinotta.

************************************************************

This is a modified version of the OpenSSL 2.9p2 source tree, containing an experimental, pre-pre-alpha, smartcard module for use with SSP-Lite from the SmartSign project (http://smartsign.sourceforge.net)

Summary of changes:

- Requires PCSC-Lite, a PCSC reader driver, SSP-Lite and a SSP-Lite card driver (actually only Schlumberger Cyberflex Access 16K supported)

- Enabling SSP-Lite module during configuration
    ./configure --with-ssplite

- Building modified programs
    . make ssh-agent
    . make ssh-add
    . make ssh-keygen
  ** DO NOT TRY TO BUILD OTHER OPEN-SSH STUFF, PLEASE **

- ssh-agent
    . Launch as usual, here you don't need anything special

- ssh-add
    . Launch with the '-sc' option to add the smartcard identity: you will be prompted with smartcard PIN
    . Launch as usual to add other (file) identities
    . Use 'ssh-add -L' to view the actual smartcard identity
    . After adding the identity, use the NORMAL ssh client to connect to a remote server using the smartcard

- ssh-keygen
    . Launch with the '-t rsa-sc' option to generate a keypair and store it on the smartcard.
Please, note that after key generation the program will fail, but key generation/storing process would be fine. Try a 'eval `./ssh-agent`; ssh-add -L' to view new identity public information . Launch as usual to generate file-based key pairs. . Sorry, this is really unfinished, yet. I couldn't figure out how to embed the key generation process in the OpenSSH framework... - For further information, please, refer to the SmartSign mailing list: smartsign-users at lists.sourceforge.net ************************************************************ -- /------------------------------------------------\ | Dr. Tommaso Cucinotta | +------------------------------------------------+ | Scuola Superiore di Studi Universitari | | e Perfezionamento S.Anna | | Pisa Italy | \------------------------------------------------/ From pekkas at netcore.fi Thu Aug 23 15:50:07 2001 
From: pekkas at netcore.fi (Pekka Savola)
Date: Thu, 23 Aug 2001 08:50:07 +0300 (EEST)
Subject: ssh_identification error
In-Reply-To: <20010823010337.96524.qmail@web11006.mail.yahoo.com>
Message-ID: 

On Wed, 22 Aug 2001, edwin pua wrote:
> i do have a Redhat7.0 with
> open-ssh-2.9 installed together with
> openssh-server-2.9 and openssh-clients in my linux
> server.
> -----result----
> SSH Version OpenSSH_2.1.1, protocol versions
              ^^^^^^^^^^^^^

Doesn't sound 2.9 to me...

> 1.5/2.0.
> Compiled with SSL (0x0090581f).
> debug: Reading configuration data /etc/ssh/ssh_config
> debug: Applying options for *
> debug: Seeding random number generator
> debug: ssh_connect: getuid 0 geteuid 0 anon 0
> debug: Connecting to 172.30.1.41 [172.30.1.41] port
> 22.
> debug: Allocated local port 1023.
> debug: Connection established.
>
> ssh_exchange_identification: Connection closed by
> remote host
> debug: Calling cleanup 0x805db00(0x0)

Anyway, this is probably caused by you blocking the access from that
address in /etc/hosts.allow.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

From edgpua at yahoo.com Thu Aug 23 16:01:58 2001
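Pekka's diagnosis above (the server closing the connection before sending its version string because of /etc/hosts.allow) is the tcp_wrappers lookup that sshd built with libwrap performs. The following is an added example, not code from the thread or from OpenSSH: it models the hosts_access decision (hosts.allow first, then hosts.deny, first match wins, no match means accept) for the common pattern forms only (ALL, an exact IPv4 address, a dotted prefix such as 172.30.1., and net/mask); EXCEPT lists, hostnames and option fields are left out. The sample rule files and the addresses are constructed for the demo.

```python
"""Minimal tcp_wrappers-style lookup (added example, not from the thread).

sshd built with libwrap consults /etc/hosts.allow and then /etc/hosts.deny
before it sends its identification string; the first matching rule decides
and a client matching neither file is accepted.  The deny path is what
produces the client-side "ssh_exchange_identification: Connection closed
by remote host" seen in the thread.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample files.  The allow rule mirrors edwin's fix: list the
# ssh daemons explicitly instead of relying on the default.
SAMPLE_HOSTS_ALLOW = """\
# daemon_list : client_list
sshd sshd2: 172.30.1.
"""
SAMPLE_HOSTS_DENY = """\
ALL: ALL
"""


def parse_rules(text: str) -> List[Tuple[List[str], List[str]]]:
    """Return (daemons, clients) pairs; comments and blank lines are dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        # fields[2:] would hold shell commands or options; not modelled here.
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def client_matches(pattern: str, client_ip: str) -> bool:
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                       # 172.30.1. style prefix
        return client_ip.startswith(pattern)
    if "/" in pattern:                              # net/mask or net/prefixlen
        try:
            net = ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
        return ipaddress.ip_address(client_ip) in net
    return pattern == client_ip


def daemon_matches(pattern: str, daemon: str) -> bool:
    return pattern == "ALL" or pattern == daemon


def rule_matches(rule: Tuple[List[str], List[str]], daemon: str, client_ip: str) -> bool:
    daemons, clients = rule
    return (any(daemon_matches(d, daemon) for d in daemons)
            and any(client_matches(c, client_ip) for c in clients))


def wrappers_allow(daemon: str, client_ip: str,
                   hosts_allow: str = SAMPLE_HOSTS_ALLOW,
                   hosts_deny: str = SAMPLE_HOSTS_DENY) -> bool:
    """True if tcp_wrappers would let client_ip reach daemon."""
    for rule in parse_rules(hosts_allow):
        if rule_matches(rule, daemon, client_ip):
            return True
    for rule in parse_rules(hosts_deny):
        if rule_matches(rule, daemon, client_ip):
            return False
    return True      # no rule in either file matched


if __name__ == "__main__":
    for ip in ("172.30.1.41", "10.0.0.5"):
        print(ip, "->", "allowed" if wrappers_allow("sshd", ip) else "refused")
```

With the sample files a client in 172.30.1.0/24 reaches sshd and sshd2, every other client is refused by the catch-all deny rule, and with both files empty everything is accepted, which is why a fresh install with a restrictive hosts.deny and no sshd entry in hosts.allow shows exactly the symptom in the thread.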
From: edgpua at yahoo.com (edwin pua)
Date: Wed, 22 Aug 2001 23:01:58 -0700 (PDT)
Subject: ssh_identification error
In-Reply-To: 
Message-ID: <20010823060158.40924.qmail@web11006.mail.yahoo.com>

hi pekka,

it works now... i just added my sshd2, and sshd into my hosts.allow file and i was able to connect via password authentication.

btw, i wanted to enable the "public key" as my authentication for every user. how will i set that in my ssh server? i'm currently using secureCRT3.3 as my sshclient and there's this option, public key and password as authentication option.

thanx for the assistance.

rgds,
edwin

__________________________________________________
Do You Yahoo!?
Make international calls for as low as $.04/minute with Yahoo! Messenger
http://phonecard.yahoo.com/

From pekkas at netcore.fi Thu Aug 23 16:18:54 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Thu, 23 Aug 2001 09:18:54 +0300 (EEST)
Subject: ssh_identification error
In-Reply-To: <20010823060158.40924.qmail@web11006.mail.yahoo.com>
Message-ID: 

On Wed, 22 Aug 2001, edwin pua wrote:
> btw, i wanted to enable the "public key" as my
> authentication for every user. how will i set that in
> my ssh server?

See default sshd_config and man sshd.

If that doesn't work outright, I suggest enabling debugging on server end
(not possible with securecrt) to see what might be wrong.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

From markus.friedl at informatik.uni-erlangen.de Thu Aug 23 22:38:39 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 23 Aug 2001 14:38:39 +0200
Subject: [PATCH] some patches for Fujitsu-Siemens ReliantUNIX, minor fixes and XXXes
In-Reply-To: <200108201635.f7KGZVn09514@mail2.siemens.de>; from Robert.Dahlem@ffm2.siemens.de on Mon, Aug 20, 2001 at 06:33:39PM +0200
References: <200108201635.f7KGZVn09514@mail2.siemens.de>
Message-ID: <20010823143839.C15972@folly>

On Mon, Aug 20, 2001 at 06:33:39PM +0200, Robert Dahlem wrote:
> - -ldl not chosen by configure:

you can try to build openssl w/o DSO support

From markus.friedl at informatik.uni-erlangen.de Thu Aug 23 22:40:06 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 23 Aug 2001 14:40:06 +0200
Subject: -q option doesn't do what it says in the man page?
In-Reply-To: <5bitff1vbf.fsf@chiark.greenend.org.uk>; from matthew@debian.org on Thu, Aug 23, 2001 at 01:20:04AM +0100
References: <5bitff1vbf.fsf@chiark.greenend.org.uk>
Message-ID: <20010823144006.D15972@folly>

On Thu, Aug 23, 2001 at 01:20:04AM +0100, Matthew Vernon wrote:
> typedef enum {
> 	SYSLOG_LEVEL_QUIET,
> 	SYSLOG_LEVEL_FATAL,

thanks!

From Markus.Friedl at informatik.uni-erlangen.de Thu Aug 23 23:09:35 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 23 Aug 2001 15:09:35 +0200
Subject: -q option doesn't do what it says in the man page?
In-Reply-To: <20010823144006.D15972@folly>; from markus.friedl@informatik.uni-erlangen.de on Thu, Aug 23, 2001 at 02:40:06PM +0200
References: <5bitff1vbf.fsf@chiark.greenend.org.uk> <20010823144006.D15972@folly>
Message-ID: <20010823150935.A982@faui02.informatik.uni-erlangen.de>

On Thu, Aug 23, 2001 at 02:40:06PM +0200, Markus Friedl wrote:
> On Thu, Aug 23, 2001 at 01:20:04AM +0100, Matthew Vernon wrote:
> > typedef enum {
> > 	SYSLOG_LEVEL_QUIET,
> > 	SYSLOG_LEVEL_FATAL,

hm, i'm not 100% sure, the sshd manpage says with -q:
	Nothing is sent to the system log.
so, it's probably better to fix the ssh.1 manpage...

From mcv21 at cus.cam.ac.uk Thu Aug 23 23:18:10 2001
From: mcv21 at cus.cam.ac.uk (M.C. Vernon)
Date: Thu, 23 Aug 2001 14:18:10 +0100 (BST)
Subject: -q option doesn't do what it says in the man page?
In-Reply-To: <20010823150935.A982@faui02.informatik.uni-erlangen.de>
Message-ID: 

On Thu, 23 Aug 2001, Markus Friedl wrote:

> On Thu, Aug 23, 2001 at 02:40:06PM +0200, Markus Friedl wrote:
> > On Thu, Aug 23, 2001 at 01:20:04AM +0100, Matthew Vernon wrote:
> > > typedef enum {
> > > 	SYSLOG_LEVEL_QUIET,
> > > 	SYSLOG_LEVEL_FATAL,
> 
> hm, i'm not 100% sure, the sshd manpage says with -q:
> 	Nothing is sent to the system log.
> so, it's probably better to fix the ssh.1 manpage...

I'm not convinced, actually; I think having -q say everything except fatal
messages is more useful than ignoring fatal messages as well. Having ssh
fail silently is probably a bad thing in most cases...

Matthew

-- 
"At least you know where you are with Microsoft."
"True. I just wish I'd brought a paddle."
http://www.debian.org

From Markus.Friedl at informatik.uni-erlangen.de Thu Aug 23 23:19:22 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 23 Aug 2001 15:19:22 +0200
Subject: -q option doesn't do what it says in the man page?
In-Reply-To: ; from mcv21@cus.cam.ac.uk on Thu, Aug 23, 2001 at 02:18:10PM +0100
References: <20010823150935.A982@faui02.informatik.uni-erlangen.de>
Message-ID: <20010823151922.B982@faui02.informatik.uni-erlangen.de>

On Thu, Aug 23, 2001 at 02:18:10PM +0100, M.C. Vernon wrote:
> On Thu, 23 Aug 2001, Markus Friedl wrote:
> 
> > On Thu, Aug 23, 2001 at 02:40:06PM +0200, Markus Friedl wrote:
> > > On Thu, Aug 23, 2001 at 01:20:04AM +0100, Matthew Vernon wrote:
> > > > typedef enum {
> > > > 	SYSLOG_LEVEL_QUIET,
> > > > 	SYSLOG_LEVEL_FATAL,
> > 
> > hm, i'm not 100% sure, the sshd manpage says with -q:
> > 	Nothing is sent to the system log.
> > so, it's probably better to fix the ssh.1 manpage...
> 
> I'm not convinced, actually; I think having -q say everything except fatal
> messages is more useful than ignoring fatal messages as well. Having ssh
> fail silently is probably a bad thing in most cases...

sure, but consider how many people rely on sshd -q printing nothing to syslog?

hm.

From Robert.Dahlem at ffm2.siemens.de Thu Aug 23 23:21:28 2001
From: Robert.Dahlem at ffm2.siemens.de (Robert Dahlem)
Date: Thu, 23 Aug 2001 15:21:28 +0200
Subject: [PATCH] some patches for Fujitsu-Siemens ReliantUNIX, minor fixes and XXXes
In-Reply-To: <20010823143839.C15972@folly>
Message-ID: <200108231323.f7NDNIm06701@mail2.siemens.de>

Markus,

On Thu, 23 Aug 2001 14:38:39 +0200, Markus Friedl wrote:

>> - -ldl not chosen by configure:
>you can try to build openssl w/o DSO support

I'm seriously trying to avoid this. :-)

Please correct me if I'm wrong: I thought I would need DSO support for
building shared objects. I would like shared objects to keep code for
OpenSSH small.

Regards,
Robert

-- 
Robert.Dahlem at ffm2.siemens.de
Siemens Business Services - FS CBS KORDOBA-Outsourcing
Tel: +49-69-797-6530 Fax: +49-69-797-6599
----------------------------------------------------------------------
Sent using PMMail (http://www.pmmail2000.com) - fast, decent, email
software; far better than Outlook. Try it sometime.

From wichert at wiggy.net Thu Aug 23 23:31:06 2001
From: wichert at wiggy.net (Wichert Akkerman)
Date: Thu, 23 Aug 2001 15:31:06 +0200
Subject: -q option doesn't do what it says in the man page?
In-Reply-To: 
References: <20010823150935.A982@faui02.informatik.uni-erlangen.de>
Message-ID: <20010823153106.I21505@wiggy.net>

Previously M.C. Vernon wrote:
> I'm not convinced, actually; I think having -q say everything except fatal
> messages is more useful than ignoring fatal messages as well. Having ssh
> fail silently is probably a bad thing in most cases...

How about introducing -qq to make it completely silent?

Wichert.

-- 
  _________________________________________________________________
 / Nothing is fool-proof to a sufficiently talented fool           \
| wichert at wiggy.net                   http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |

From Lutz.Jaenicke at aet.TU-Cottbus.DE Thu Aug 23 23:38:29 2001
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Thu, 23 Aug 2001 15:38:29 +0200
Subject: [PATCH] some patches for Fujitsu-Siemens ReliantUNIX, minor fixes and XXXes
In-Reply-To: <200108231323.f7NDNIm06701@mail2.siemens.de>; from Robert.Dahlem@ffm2.siemens.de on Thu, Aug 23, 2001 at 03:21:28PM +0200
References: <20010823143839.C15972@folly> <200108231323.f7NDNIm06701@mail2.siemens.de>
Message-ID: <20010823153829.A16628@serv01.aet.tu-cottbus.de>

On Thu, Aug 23, 2001 at 03:21:28PM +0200, Robert Dahlem wrote:
> On Thu, 23 Aug 2001 14:38:39 +0200, Markus Friedl wrote:
> 
> >> - -ldl not chosen by configure:
> 
> >you can try to build openssl w/o DSO support
> 
> I'm seriously trying to avoid this. :-)
> 
> Please correct me if I'm wrong: I thought I would need DSO support for
> building shared objects. I would like shared objects to keep code for
> OpenSSH small.

These things are not necessarily related.

You can build OpenSSL with shared libraries. This means that applications
using OpenSSL (e.g. OpenSSH) will link against the shared libraries.
This will not need -ldl.

DSO support means that OpenSSL's routines themselves can load other shared
libraries on demand at runtime. This should only be needed when accessing
crypto hardware, like an accelerator card. This requires -ldl.

Best regards,
	Lutz

-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From mcv21 at cus.cam.ac.uk Fri Aug 24 00:52:52 2001
From: mcv21 at cus.cam.ac.uk (M.C. Vernon)
Date: Thu, 23 Aug 2001 15:52:52 +0100 (BST)
Subject: -q option doesn't do what it says in the man page?
In-Reply-To: <20010823151922.B982@faui02.informatik.uni-erlangen.de>
Message-ID: 

On Thu, 23 Aug 2001, Markus Friedl wrote:

> On Thu, Aug 23, 2001 at 02:18:10PM +0100, M.C. Vernon wrote:
> > On Thu, 23 Aug 2001, Markus Friedl wrote:
> > 
> > > On Thu, Aug 23, 2001 at 02:40:06PM +0200, Markus Friedl wrote:
> > > > On Thu, Aug 23, 2001 at 01:20:04AM +0100, Matthew Vernon wrote:
> > > > > typedef enum {
> > > > > 	SYSLOG_LEVEL_QUIET,
> > > > > 	SYSLOG_LEVEL_FATAL,
> > > 
> > > hm, i'm not 100% sure, the sshd manpage says with -q:
> > > 	Nothing is sent to the system log.
> > > so, it's probably better to fix the ssh.1 manpage...
> > 
> > I'm not convinced, actually; I think having -q say everything except fatal
> > messages is more useful than ignoring fatal messages as well. Having ssh
> > fail silently is probably a bad thing in most cases...
> 
> sure, but consider how many people rely on sshd -q printing nothing to syslog?

Is this a significant number? If so, perhaps the two options should do
different things?

Matthew

-- 
"At least you know where you are with Microsoft."
"True. I just wish I'd brought a paddle."
http://www.debian.org

From Markus.Friedl at informatik.uni-erlangen.de Fri Aug 24 00:54:37 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 23 Aug 2001 16:54:37 +0200
Subject: -q option doesn't do what it says in the man page?
In-Reply-To: ; from mcv21@cus.cam.ac.uk on Thu, Aug 23, 2001 at 03:52:52PM +0100
References: <20010823151922.B982@faui02.informatik.uni-erlangen.de>
Message-ID: <20010823165437.B14252@faui02.informatik.uni-erlangen.de>

On Thu, Aug 23, 2001 at 03:52:52PM +0100, M.C. Vernon wrote:
> On Thu, 23 Aug 2001, Markus Friedl wrote:
> 
> > On Thu, Aug 23, 2001 at 02:18:10PM +0100, M.C. Vernon wrote:
> > > On Thu, 23 Aug 2001, Markus Friedl wrote:
> > > 
> > > > On Thu, Aug 23, 2001 at 02:40:06PM +0200, Markus Friedl wrote:
> > > > > On Thu, Aug 23, 2001 at 01:20:04AM +0100, Matthew Vernon wrote:
> > > > > > typedef enum {
> > > > > > 	SYSLOG_LEVEL_QUIET,
> > > > > > 	SYSLOG_LEVEL_FATAL,
> > > > 
> > > > hm, i'm not 100% sure, the sshd manpage says with -q:
> > > > 	Nothing is sent to the system log.
> > > > so, it's probably better to fix the ssh.1 manpage...
> > > 
> > > I'm not convinced, actually; I think having -q say everything except fatal
> > > messages is more useful than ignoring fatal messages as well. Having ssh
> > > fail silently is probably a bad thing in most cases...
> > 
> > sure, but consider how many people rely on sshd -q printing nothing to syslog?
> 
> Is this a significant number?

i'll check the calls to fatal(), and decide whether we should care.

> If so, perhaps the two options should do
> different things?

now it gets ugly :)

From dwd at bell-labs.com Fri Aug 24 02:46:51 2001
From: dwd at bell-labs.com (Dave Dykstra)
Date: Thu, 23 Aug 2001 11:46:51 -0500
Subject: Patch to enable multiple possible sources of entropy
In-Reply-To: ; from mouring@etoh.eviladmin.org on Sun, Jun 24, 2001 at 02:19:23AM -0500
References: <20010611091947.A4269@lucent.com>
Message-ID: <20010823114651.A24117@lucent.com>

Ben & Damien,

Do you still expect to get this feature in before the next release?
(The included text is only part of the patch). I see there have been
hardly any changes to entropy.c in the current CVS. If you want me
to update the patch to the latest CVS, let me know.

- Dave Dykstra

On Sun, Jun 24, 2001 at 02:19:23AM -0500, mouring at etoh.eviladmin.org wrote:
> 
> To let you know I'm not ignoring this. Damien has code like this already
> from the sounds of it. Just working out minor details of how to deal with
> ssh-keygen, etc which don't read the sshd_config nor ssh_config for the
> admin's preferred order of entropy gathering.
> 
> - Ben
> 
> On Mon, 11 Jun 2001, Dave Dykstra wrote:
> 
> > On Sun, Jun 10, 2001 at 10:41:14PM -0400, Michael Stone wrote:
> > > On Sun, Jun 10, 2001 at 12:49:18PM -0500, mouring at etoh.eviladmin.org wrote:
> > > > Hmm.. my only complaints about the patch is that seed_rng and init_rng are
> > > > pretty unreadable due to #ifdef/#end
> > 
> > I could make it a lot more readable by having it always do access() to
> > probe for RANDOM_POOL and PRNGD_SOCKET even if one of them is the only
> > choice. I initially elected to trade off exact compatibility for
> > readability, but I'd be happy to change it. I've included the more
> > readable init_rng() below for you to take a look at. The difference is
> > that even if only one of RANDOM_POOL or PRNGD_SOCKET is compiled in, if it
> > isn't there the error message will be the more generic
> > 	Couldn't find source for random number generator seed
> > rather than a message about the problem accessing the specific source. I
> > put in some debug level 2 messages to help debugging that case (those are
> > good even if you choose to keep the extra ifdefs), and I slightly improved
> > the fatal error message.
> > 
> > Also, the ifdefs for PRNGD_SOCKET and USE_BUILTIN_ENTROPY do not really
> > need to be in the else case of PRNGD_PORT because configure enforces that
> > already, but I think it's more understandable this way.
> > 
> > > > 
> > > > and that I don't know if I like the
> > > > idea of ssh/sshd stepping down in entropy quality on a whim. Which is
> > > > what this patch would do if for some odd reason prngd is offline at
> > > > startup of sshd/ssh.
> > > 
> > > What if there were some kind of warning message? We've already seen the
> > > obnoxious key-is-1023 message, what's one more?
> > 
> > I don't mind a debug message but I really would not want a warning message
> > because that's going to be the normal case on a lot of my systems. My
> > answer is that most likely even if prngd is offline, the PRNGD_SOCKET will
> > still exist even though there's no process listening on the other side. In
> > that case, ssh will go ahead into the prngd_get_random_bytes case but get a
> > Connection Refused error (this happened during my testing).
> > 
> > Another idea would be to improve the fatal error message by saving some
> > information when the access() calls fail rather than just printing debug
> > messages. For example, there could be a variable that points to the error
> > message to use if it gets to the fatal condition at the end. Do you like
> > that better? I don't think that complication is necessary.
> > 
> > > 
> > > Obviously the entropy
> > > requirement depends on the application, but there are a lot of machines
> > > where I'm far more concerned about not getting in at all (because prngd
> > > is busted) than I am about bad entropy in that case. It's no worse than
> > > if prngd weren't being used at all, and might make it easier to accept
> > > prngd.
> > 
> > Good point.
> > 
> > - Dave Dykstra
> > 
> > 
> > ------ more readable init_rng() follows ------------------------
> > 
> > void
> > init_rng(void)
> > {
> > 	check_openssl_version();
> > 
> > #ifdef RANDOM_POOL
> > 	if (access(RANDOM_POOL, F_OK) == 0) {
> > 		seed_source = POOL_SOURCE;
> > 		return;
> > 	}
> > 	else {
> > 		debug2("Random pool %s does not exist", RANDOM_POOL);
> > 	}
> > #endif /* RANDOM_POOL */
> > 
> > 	/* it's not trivial to probe for an open port so just make it
> > 	 * take priority over the other sources if it is defined
> > 	 */
> > #ifdef PRNGD_PORT
> > 	seed_source = PRNGD_SOURCE;
> > #else
> > 
> > #ifdef PRNGD_SOCKET
> > 	if (access(PRNGD_SOCKET, F_OK) == 0) {
> > 		seed_source = PRNGD_SOURCE;
> > 		return;
> > 	}
> > 	else {
> > 		debug2("Entropy socket %s does not exist", PRNGD_SOCKET);
> > 	}
> > #endif /* PRNGD_SOCKET */
> > 
> > #ifdef USE_BUILTIN_ENTROPY
> > 	seed_source = BUILTIN_SOURCE;
> > 	prng_init_rng();
> > #endif
> > 
> > #endif /* PRNGD_PORT */
> > 
> > 	if (seed_source == 0)
> > 		fatal("Couldn't find entropy source for random number generator");
> > }
> > 

From dwd at bell-labs.com Fri Aug 24 03:02:56 2001
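The init_rng() posted by Dave above (and quoted again in Ben's reply below) probes the seed sources in a fixed priority order but, as Dave himself notes, access(PRNGD_SOCKET, F_OK) cannot tell a live PRNGD from a stale socket file left behind after the daemon died, so the "Connection refused" only surfaces later. The following is an added example of mine, not OpenSSH code: it keeps the posted order (kernel pool, then PRNGD socket, then built-in gatherer) and adds the missing check by actually connecting to the socket, so a stale socket is skipped with a debug message rather than selected. The source names, the SeedProbe class and the temporary paths are constructed for the demo; run_demo() builds the three situations discussed in the thread (stale socket, live socket, nothing usable).

```python
"""Entropy-source selection modelled on the init_rng() posted above.

Added example (not OpenSSH code).  Priority order is the posted one:
kernel pool, then PRNGD Unix socket, then built-in gatherer.  The PRNGD
step connects instead of only checking that the path exists, which is the
"socket exists but nothing is listening" case Dave describes.
"""
import os
import socket
import tempfile
from typing import Dict, List, Optional

POOL_SOURCE = "pool"        # RANDOM_POOL in the original
PRNGD_SOURCE = "prngd"      # PRNGD_SOCKET in the original
BUILTIN_SOURCE = "builtin"  # USE_BUILTIN_ENTROPY in the original


class NoEntropySource(RuntimeError):
    """Raised where the original calls fatal()."""


class SeedProbe:
    def __init__(self, random_pool: Optional[str], prngd_socket: Optional[str],
                 builtin_allowed: bool) -> None:
        # A None path plays the role of the feature not being compiled in.
        self.random_pool = random_pool
        self.prngd_socket = prngd_socket
        self.builtin_allowed = builtin_allowed
        self.debug: List[str] = []   # stands in for the debug2() output

    def _prngd_answers(self) -> bool:
        # access(PRNGD_SOCKET, F_OK) passes for a stale socket file; only a
        # connect() distinguishes "exists" from "someone is listening".
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(1.0)
            try:
                s.connect(self.prngd_socket)
                return True
            except OSError as e:
                self.debug.append(f"Entropy socket {self.prngd_socket} exists "
                                  f"but is not answering: {e.strerror}")
                return False

    def select(self) -> str:
        """Return the source that would be used, in the posted priority order."""
        if self.random_pool is not None:
            if os.access(self.random_pool, os.F_OK):
                return POOL_SOURCE
            self.debug.append(f"Random pool {self.random_pool} does not exist")
        if self.prngd_socket is not None:
            if not os.path.exists(self.prngd_socket):
                self.debug.append(f"Entropy socket {self.prngd_socket} does not exist")
            elif self._prngd_answers():
                return PRNGD_SOURCE
        if self.builtin_allowed:
            return BUILTIN_SOURCE
        raise NoEntropySource("Couldn't find entropy source for random number generator")


def run_demo() -> Dict[str, object]:
    """Build the three situations from the thread in a temp dir and probe each."""
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as d:
        stale = os.path.join(d, "stale.sock")
        live = os.path.join(d, "live.sock")
        # Binding and then closing an AF_UNIX socket leaves its file behind
        # with no listener: the "prngd is offline" case.
        tmp = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        tmp.bind(stale)
        tmp.close()
        server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        server.bind(live)
        server.listen(1)
        try:
            p = SeedProbe(os.path.join(d, "no-such-pool"), stale, builtin_allowed=True)
            results["stale_socket"] = (p.select(), p.debug)
            p = SeedProbe(None, live, builtin_allowed=False)
            results["live_socket"] = (p.select(), p.debug)
            p = SeedProbe(None, stale, builtin_allowed=False)
            try:
                p.select()
                results["nothing"] = "selected"
            except NoEntropySource as e:
                results["nothing"] = str(e)
        finally:
            server.close()
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, "->", outcome)
```

The stale-socket case is the one Michael Stone and Ben argued about: with the connect check the code falls through to the built-in gatherer and leaves a debug trail saying why, instead of failing later inside the PRNGD read path, and with no fallback compiled in it still dies with the same fatal message as the original.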
From: dwd at bell-labs.com (Dave Dykstra) Date: Thu, 23 Aug 2001 12:02:56 -0500 Subject: Patch to workaround host key size mismatch bug in old SSH sshd In-Reply-To: <20010705105925.A10910@lucent.com>; from dwd@bell-labs.com on Thu, Jul 05, 2001 at 10:59:25AM -0500 References: <20010705105925.A10910@lucent.com> Message-ID: <20010823120256.A24468@lucent.com> Markus, Do you want to include this patch before the next release? I checked the current CVS and the code around the patch hasn't appeared to change so the patch should still apply cleanly. - Dave Dykstra On Thu, Jul 05, 2001 at 10:59:25AM -0500, Dave Dykstra wrote: > Below is a patch against the current OpenBSD OpenSSH CVS to workaround a > behavior I have observed when converting from SSH 1.2.27 to OpenSSH while > using the same old RSA1 host key for protocol 1. In several cases I saw > that old SSH sshd reported a host key size of 1024 bits when OpenSSH saw it > as 1023 bits. Without the patch, when OpenSSH's ssh client connects to an > old SSH sshd it warns that the server lies about the size, and when an old > SSH ssh client connects to an OpenSSH sshd it reports the dreaded "WARNING: > HOST IDENTIFICATION HAS CHANGED! IT IS POSSIBLE THAT SOMEONE IS DOING > SOMETHING NASTY!" An OpenSSH ssh client conveniently ignores the key size > in ~/.ssh/authorized_keys (in a kind of convoluted way, I might add) so it > doesn't care that the key size reported by OpenSSH sshd is 1023 even if > authorized_keys says it's 1024. > > A pleasant side effect of this patch is that compat.c no longer prints the > disconcerting debug message "no match" when communicating with SSH 1.2.23 > through 1.2.31. > > - Dave Dykstra > > > --- compat.h.O Thu Jul 5 10:49:47 2001 > +++ compat.h Thu Jul 5 10:50:04 2001 
> @@ -50,6 +50,7 @@ > #define SSH_BUG_HBSERVICE 0x00010000 > #define SSH_BUG_OPENFAILURE 0x00020000 > #define SSH_BUG_DERIVEKEY 0x00040000 > +#define SSH_BUG_SERVERLIESSIZE 0x00080000 > > void enable_compat13(void); > void enable_compat20(void); > --- compat.c.O Thu Jul 5 10:49:21 2001 > +++ compat.c Thu Jul 5 10:49:27 2001 > @@ -105,6 +105,8 @@ > { "^1\\.7 SecureFX", SSH_OLD_SESSIONID }, > { "^1\\.2\\.1[89]", SSH_BUG_IGNOREMSG }, > { "^1\\.2\\.2[012]", SSH_BUG_IGNOREMSG }, > + { "^1\\.2\\.2[3-9]", SSH_BUG_SERVERLIESSIZE }, > + { "^1\\.2\\.3[0-1]", SSH_BUG_SERVERLIESSIZE }, > { "^1\\.3\\.2", SSH_BUG_IGNOREMSG }, /* f-secure */ > { "^SSH Compatible Server", /* Netscreen */ > SSH_BUG_PASSWORDPAD }, > --- sshconnect1.c.O Thu Jul 5 10:49:13 2001 > +++ sshconnect1.c Thu Jul 5 10:49:28 2001 > @@ -37,6 +37,7 @@ > #include "packet.h" > #include "mpaux.h" > #include "uidswap.h" > +#include "compat.h" > #include "log.h" > #include "readconf.h" > #include "key.h" > @@ -960,7 +961,8 @@ > sum_len += clen; > > rbits = BN_num_bits(host_key->n); > - if (bits != rbits) { > + if (bits != rbits && > + !((datafellows & SSH_BUG_SERVERLIESSIZE) && (rbits + 1 == bits))) { > log("Warning: Server lies about size of server host key: " > "actual size is %d bits vs. announced %d.", rbits, bits); > log("Warning: This may be due to an old implementation of ssh."); > --- sshd.c.O Thu Jul 5 10:49:10 2001 > +++ sshd.c Thu Jul 5 10:49:27 2001 
> @@ -1217,7 +1217,12 @@ > packet_put_bignum(sensitive_data.server_key->rsa->n); > > /* Store our public host RSA key. */ > - packet_put_int(BN_num_bits(sensitive_data.ssh1_host_key->rsa->n)); > + len = BN_num_bits(sensitive_data.ssh1_host_key->rsa->n); > + if ((datafellows & SSH_BUG_SERVERLIESSIZE) && (len & 1)) { > + /* old ssh client expects even number for host key */ > + len += 1; > + } > + packet_put_int(len); > packet_put_bignum(sensitive_data.ssh1_host_key->rsa->e); > packet_put_bignum(sensitive_data.ssh1_host_key->rsa->n); > From dwd at bell-labs.com Fri Aug 24 03:22:40 2001 
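Review bot: the relaxed comparison in the sshconnect1.c hunk at @@ -960,7 +961,8 @@ accepts the announced-vs-actual mismatch silently once SSH_BUG_SERVERLIESSIZE is set; add a debug() in that branch (for example `debug("Server announced %d-bit host key, actual %d bits; tolerating old SSH size bug", bits, rbits)`) so the compat path stays visible in `ssh -v` output when someone is diagnosing a host-key problem. The condition itself is tight in the right way: only an announced size exactly one bit above the real modulus size is excused, and only for the 1.2.23 to 1.2.31 servers matched in compat.c.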
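Review bot: the sshd.c hunk at @@ -1217,7 +1217,12 @@ assigns to `len` but no declaration is visible in the hunk; confirm an `int len` is already in scope in that function, otherwise this does not compile. The comment `/* old ssh client expects even number for host key */` also understates what the code does: `len & 1` bumps any odd bit count by one, so say explicitly that the announced size is deliberately rounded up for the SSH 1.2.23 to 1.2.31 clients matched in compat.c, which is the server-side mirror of the tolerance added in sshconnect1.c, and that the server is knowingly announcing a size that differs from BN_num_bits() for those clients only.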
From: dwd at bell-labs.com (Dave Dykstra) Date: Thu, 23 Aug 2001 12:22:40 -0500 Subject: Patch for changing expired passwords In-Reply-To: <20010621130806.A26314@lucent.com>; from dwd@bell-labs.com on Thu, Jun 21, 2001 at 01:08:07PM -0500 References: <20010618155545.A5924@lucent.com> <20010619143046.A22082@folly> <20010619082309.A17644@lucent.com> <20010621130806.A26314@lucent.com> Message-ID: <20010823122240.A24755@lucent.com> Ben & Damien, On Thu, Jun 21, 2001 at 01:08:07PM -0500, Dave Dykstra wrote: > Markus has now installed a variation on my changes to session.c into > openbsd openssh CVS, and Ben has pulled in the session.c changes into the > portable openssh CVS, so here is an update of my patch based on the current > portable openssh CVS. Markus decided to defer the additional logging I > suggested in auth.c, so I left that out. Will this patch be able to be incorporated in the next portable release? I've seen several people asking about this functionality, and Markus did the preparation work in the base code. > Note: I pointed out to Markus in private email that the line > "forced_command = NULL" should not be there in do_exec(), and it is > unfortunately in the context of the following diff so if that change > gets applied first this might not apply cleanly anymore. That has since happened, but the patch still applied to the current CVS with some small fuzz factors. Here's an updated version anyhow. - Dave --- auth.c.O Thu Aug 23 12:12:37 2001 +++ auth.c Thu Aug 23 12:12:58 2001 @@ -49,6 +49,9 @@ #include "uidswap.h" #include "tildexpand.h" +/* set when password has expired */ +int forced_passwd_change = 0; + /* import */ extern ServerOptions options; 
@@ -89,8 +92,12 @@ /* Check password expiry */ if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0) && - (days > (spw->sp_lstchg + spw->sp_max))) - return 0; + (days > (spw->sp_lstchg + spw->sp_max))) { + if ((pw->pw_uid == 0)) + return 0; + + forced_passwd_change = 1; + } } #else /* Shouldn't be called if pw is NULL, but better safe than sorry... */ --- auth.h.O Thu Aug 23 12:12:37 2001 +++ auth.h Thu Aug 23 12:12:58 2001 @@ -40,6 +40,9 @@ #include #endif +/* set when password has expired */ +extern int forced_passwd_change; + typedef struct Authctxt Authctxt; typedef struct KbdintDevice KbdintDevice; --- session.c.O Thu Aug 23 12:12:37 2001 +++ session.c Thu Aug 23 12:12:58 2001 @@ -657,7 +657,31 @@ void do_exec(Session *s, const char *command) { - if (forced_command) { + if (forced_passwd_change) { + char *user = s->pw->pw_name; + char *msg; + + if (s->ttyfd != -1) { + msg = "Password for %.100s has expired, running 'passwd' to reset it"; + /* + * Can't pass "user" to 'passwd' because Linux doesn't + * allow it. + * Also, the prompt is friendlier without "user". + */ + command = PASSWD_PATH; + } else { + msg = "Password for %.100s has expired and cannot be changed without a pty"; + /* + * Without a pty, Solaris 'passwd' prints "Permission + * denied", but Linux attempts to change the password + * and fails miserably, so echo an error message instead + */ + command = "/bin/sh -c 'echo Permission denied >&2; exit 1'"; + } + log(msg, user); + packet_send_debug(msg, user); + + } else if (forced_command) { original_command = command; command = forced_command; debug("Forced command '%.900s'", command); --- configure.in.O Thu Aug 23 12:12:37 2001 +++ configure.in Thu Aug 23 12:12:58 2001 
@@ -1418,6 +1418,10 @@ AC_DEFINE_UNQUOTED(RSH_PATH, "$rsh_path") fi +AC_PATH_PROG(PASSWD_PATH, passwd) +AC_DEFINE_UNQUOTED(PASSWD_PATH, "$PASSWD_PATH") + + # Check for mail directory (last resort if we cannot get it from headers) if test ! -z "$MAIL" ; then maildir=`dirname $MAIL` --- acconfig.h.O Thu Aug 23 12:12:37 2001 +++ acconfig.h Thu Aug 23 12:12:58 2001 @@ -217,6 +217,9 @@ /* Define if rsh is found in your path */ #undef RSH_PATH +/* Define if passwd is found in your path */ +#undef PASSWD_PATH + /* Define if you want to allow MD5 passwords */ #undef HAVE_MD5_PASSWORDS From mouring at etoh.eviladmin.org Fri Aug 24 03:48:36 2001 
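Review bot: in the auth.c hunk at @@ -89,8 +92,12 @@ the doubled parentheses in `if ((pw->pw_uid == 0))` look like a leftover and should read `if (pw->pw_uid == 0)`. More importantly, this hunk changes the outcome for an expired non-root password from "refuse login" to "accept login and remember to force a change", and it records that decision in a file-scope global written during authentication and read much later in do_exec(); carrying it in the Authctxt (or the Session) instead would keep the flag tied to the context it was computed for and avoid the extern in auth.h.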
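Review bot: the session.c hunk at @@ -657,7 +657,31 @@ gates only do_exec(), so a user whose password has expired is forced into passwd for a shell or exec request but can still request a subsystem (sftp) or port forwarding in the same session unless those paths also go through do_exec(); check that they do, or refuse them while forced_passwd_change is set, otherwise the forced change can be bypassed. Also worth documenting in the comment: the pty branch runs PASSWD_PATH with no argument via the user's shell, so it only ever changes the login user's own password, which is the intended scope.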
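Review bot: in the configure.in hunk at @@ -1418,6 +1418,10 @@, AC_PATH_PROG(PASSWD_PATH, passwd) leaves PASSWD_PATH empty when passwd is not found and the unconditional AC_DEFINE_UNQUOTED then defines it as "", so the pty branch in session.c would exec an empty command. Mirror the RSH_PATH block just above (the `fi` in the context shows it is conditional) and only define PASSWD_PATH when the program was found, or fail configure with a clear message.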
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 23 Aug 2001 12:48:36 -0500 (CDT)
Subject: Patch to enable multiple possible sources of entropy
In-Reply-To: <20010823114651.A24117@lucent.com>
Message-ID: 

Multiple Entropy sources won't be in 3.0.. It's getting far too late in
the process for including features. Maybe post 3.0...

- Ben

On Thu, 23 Aug 2001, Dave Dykstra wrote:

> Ben & Damien,
> 
> Do you still expect to get this feature in before the next release?
> (The included text is only part of the patch). I see there have been
> hardly any changes to entropy.c in the current CVS. If you want me
> to update the patch to the latest CVS, let me know.
> 
> - Dave Dykstra
> 
> On Sun, Jun 24, 2001 at 02:19:23AM -0500, mouring at etoh.eviladmin.org wrote:
> > 
> > To let you know I'm not ignoring this. Damien has code like this already
> > from the sounds of it. Just working out minor details of how to deal with
> > ssh-keygen, etc which don't read the sshd_config nor ssh_config for the
> > admin's preferred order of entropy gathering.
> > 
> > - Ben
> > 
> > On Mon, 11 Jun 2001, Dave Dykstra wrote:
> > 
> > > On Sun, Jun 10, 2001 at 10:41:14PM -0400, Michael Stone wrote:
> > > > On Sun, Jun 10, 2001 at 12:49:18PM -0500, mouring at etoh.eviladmin.org wrote:
> > > > > Hmm.. my only complaints about the patch is that seed_rng and init_rng are
> > > > > pretty unreadable due to #ifdef/#end
> > > 
> > > I could make it a lot more readable by having it always do access() to
> > > probe for RANDOM_POOL and PRNGD_SOCKET even if one of them is the only
> > > choice. I initially elected to trade off exact compatibility for
> > > readability, but I'd be happy to change it. I've included the more
> > > readable init_rng() below for you to take a look at. The difference is
> > > that even if only one of RANDOM_POOL or PRNGD_SOCKET is compiled in, if it
> > > isn't there the error message will be the more generic
> > > 	Couldn't find source for random number generator seed
> > > rather than a message about the problem accessing the specific source. I
> > > put in some debug level 2 messages to help debugging that case (those are
> > > good even if you choose to keep the extra ifdefs), and I slightly improved
> > > the fatal error message.
> > > 
> > > Also, the ifdefs for PRNGD_SOCKET and USE_BUILTIN_ENTROPY do not really
> > > need to be in the else case of PRNGD_PORT because configure enforces that
> > > already, but I think it's more understandable this way.
> > > 
> > > > > 
> > > > > and that I don't know if I like the
> > > > > idea of ssh/sshd stepping down in entropy quality on a whim. Which is
> > > > > what this patch would do if for some odd reason prngd is offline at
> > > > > startup of sshd/ssh.
> > > > 
> > > > What if there were some kind of warning message? We've already seen the
> > > > obnoxious key-is-1023 message, what's one more?
> > > 
> > > I don't mind a debug message but I really would not want a warning message
> > > because that's going to be the normal case on a lot of my systems. My
> > > answer is that most likely even if prngd is offline, the PRNGD_SOCKET will
> > > still exist even though there's no process listening on the other side. In
> > > that case, ssh will go ahead into the prngd_get_random_bytes case but get a
> > > Connection Refused error (this happened during my testing).
> > > 
> > > Another idea would be to improve the fatal error message by saving some
> > > information when the access() calls fail rather than just printing debug
> > > messages. For example, there could be a variable that points to the error
> > > message to use if it gets to the fatal condition at the end. Do you like
> > > that better? I don't think that complication is necessary.
> > > 
> > > > 
> > > > Obviously the entropy
> > > > requirement depends on the application, but there are a lot of machines
> > > > where I'm far more concerned about not getting in at all (because prngd
> > > > is busted) than I am about bad entropy in that case. It's no worse than
> > > > if prngd weren't being used at all, and might make it easier to accept
> > > > prngd.
> > > 
> > > Good point.
> > > 
> > > - Dave Dykstra
> > > 
> > > 
> > > ------ more readable init_rng() follows ------------------------
> > > 
> > > void
> > > init_rng(void)
> > > {
> > > 	check_openssl_version();
> > > 
> > > #ifdef RANDOM_POOL
> > > 	if (access(RANDOM_POOL, F_OK) == 0) {
> > > 		seed_source = POOL_SOURCE;
> > > 		return;
> > > 	}
> > > 	else {
> > > 		debug2("Random pool %s does not exist", RANDOM_POOL);
> > > 	}
> > > #endif /* RANDOM_POOL */
> > > 
> > > 	/* it's not trivial to probe for an open port so just make it
> > > 	 * take priority over the other sources if it is defined
> > > 	 */
> > > #ifdef PRNGD_PORT
> > > 	seed_source = PRNGD_SOURCE;
> > > #else
> > > 
> > > #ifdef PRNGD_SOCKET
> > > 	if (access(PRNGD_SOCKET, F_OK) == 0) {
> > > 		seed_source = PRNGD_SOURCE;
> > > 		return;
> > > 	}
> > > 	else {
> > > 		debug2("Entropy socket %s does not exist", PRNGD_SOCKET);
> > > 	}
> > > #endif /* PRNGD_SOCKET */
> > > 
> > > #ifdef USE_BUILTIN_ENTROPY
> > > 	seed_source = BUILTIN_SOURCE;
> > > 	prng_init_rng();
> > > #endif
> > > 
> > > #endif /* PRNGD_PORT */
> > > 
> > > 	if (seed_source == 0)
> > > 		fatal("Couldn't find entropy source for random number generator");
> > > }
> > > 
> 

From stevesk at pobox.com Fri Aug 24 05:42:40 2001
From: stevesk at pobox.com (Kevin Steves) Date: Thu, 23 Aug 2001 12:42:40 -0700 (PDT) Subject: Patch for changing expired passwords In-Reply-To: <20010823122240.A24755@lucent.com> Message-ID: On Thu, 23 Aug 2001, Dave Dykstra wrote: :Will this patch be able to be incorporated in the next portable release? :I've seen several people asking about this functionality, and Markus did :the preparation work in the base code. patch looks ok for systems with spwd. i think we need something like this, but it should ideally work for all or most systems we support. in the case of hp-ux for example, it has spwd and pr_passwd, but spwd can't currently be used, and i don't think it should be. SCO or other systems that use secureware-based trusted systems may have similar issues. there's also passwd_adjunct and systems that have pw_change and probably other mechanisms. what changes might be in openssh native, and what are in portable only? From manoj at collab.net Fri Aug 24 10:48:08 2001 From: manoj at collab.net (Manoj Kasichainula) Date: Thu, 23 Aug 2001 17:48:08 -0700 Subject: [PATCH] SO_KEEPALIVE for port forwards Message-ID: <20010823174808.C16171@samosa.nojie.com> Attached is a patch to allow a user to turn on TCP keepalives for port forwarded connections. It's mainly useful when the connections to the ssh listener are coming from many different boxes, some of which crash, leaving the service on the other side of the port forwarder waiting on connections indefinitely. It creates a new option named "KeepAliveForward" to control this behavior. It's off by default for backward compatibility. This patch was made for 2.9p2, but it applies almost perfectly to the CVS HEAD. I would've provided a patch to CVS instead, but the HEAD doesn't build for me at the moment. Thoughts? Please cc: me, I'm not on the list. Thanks. -------------- next part -------------- --- openssh-2.9p2/channels.c.keepalivetunnel Wed Jun 13 12:18:05 2001 +++ openssh-2.9p2/channels.c Thu Aug 23 15:40:43 2001 
@@ -61,6 +61,9 @@ #include "canohost.h" #include "key.h" #include "authfd.h" +#include "readconf.h" + +extern Options options; /* Maximum number of fake X11 displays to try. */ #define MAX_DISPLAYS 1000 @@ -765,6 +768,7 @@ int newsock, newch, nextstate; socklen_t addrlen; char *rtype; + int one = 1; if (FD_ISSET(c->sock, readset)) { debug("Connection to port %d forwarding " @@ -781,6 +785,13 @@ if (newsock < 0) { error("accept: %.100s", strerror(errno)); return; + } + /* Set keepalives if requested */ + if (options.keepalives_forward && + setsockopt(newsock, SOL_SOCKET, SO_KEEPALIVE, + (void *) &one, sizeof(one)) < 0) + { + error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); } newch = channel_new(rtype, nextstate, newsock, newsock, -1, --- openssh-2.9p2/readconf.c.keepalivetunnel Tue Apr 17 11:11:37 2001 +++ openssh-2.9p2/readconf.c Thu Aug 23 15:42:37 2001 @@ -106,7 +106,7 @@ oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, - oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, + oCompressionLevel, oKeepAlives, oKeepAlivesForward, oNumberOfPasswordPrompts, oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, @@ -172,6 +172,7 @@ { "compression", oCompression }, { "compressionlevel", oCompressionLevel }, { "keepalive", oKeepAlives }, + { "keepaliveforward", oKeepAlivesForward }, { "numberofpasswordprompts", oNumberOfPasswordPrompts }, { "loglevel", oLogLevel }, { "dynamicforward", oDynamicForward }, @@ -394,6 +395,10 @@ intptr = &options->keepalives; goto parse_flag; + case oKeepAlivesForward: + intptr = &options->keepalives_forward; + goto parse_flag; + case oNumberOfPasswordPrompts: intptr = &options->number_of_password_prompts; goto parse_int; 
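Review bot: the `+extern Options options;` added at the top of channels.c cannot be right for sshd, which links the same channels.c but defines its global `options` with the server's own options struct from servconf.h (session.c reads `options.gateway_ports` from it); the linker will happily bind the name and `options.keepalives_forward` in the accept path then reads some unrelated field. Pass the flag in through channel_new() or a field on the Channel instead of a global. The setsockopt block itself is fine as written: it logs with error() and keeps the accepted connection, which is the right failure mode for a best-effort option.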
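Review bot: the readconf.c hunk at @@ -106,7 +106,7 @@ turns the enum line into `oCompressionLevel, oKeepAlives, oKeepAlivesForward, oNumberOfPasswordPrompts,`, which runs past 80 columns; wrap it like the surrounding lines. The keyword table entry and the parse_flag case are consistent with how oKeepAlives is handled.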
@@ -738,6 +743,7 @@ options->strict_host_key_checking = -1; options->compression = -1; options->keepalives = -1; + options->keepalives_forward = -1; options->compression_level = -1; options->port = -1; options->connection_attempts = -1; @@ -825,6 +831,8 @@ options->compression = 0; if (options->keepalives == -1) options->keepalives = 1; + if (options->keepalives_forward == -1) + options->keepalives_forward = 0; if (options->compression_level == -1) options->compression_level = 6; if (options->port == -1) --- openssh-2.9p2/readconf.h.keepalivetunnel Tue Apr 17 11:11:37 2001 +++ openssh-2.9p2/readconf.h Thu Aug 23 15:40:43 2001 @@ -62,6 +62,7 @@ int compression_level; /* Compression level 1 (fast) to 9 * (best). */ int keepalives; /* Set SO_KEEPALIVE. */ + int keepalives_forward; /* Set SO_KEEPALIVE for port forwards. */ LogLevel log_level; /* Level for logging. */ int port; /* Port to connect. */ --- openssh-2.9p2/ssh.1.keepalivetunnel Mon Apr 23 06:02:17 2001 +++ openssh-2.9p2/ssh.1 Thu Aug 23 15:40:43 2001 @@ -844,6 +844,12 @@ To disable keepalives, the value should be set to .Dq no in both the server and the client configuration files. +.It Cm KeepAliveForward +Similar to KeepAlive, but applies to port forwards +.Pp +The default is +.Dq no +(to not send keepalives) .It Cm KerberosAuthentication Specifies whether Kerberos authentication will be used. The argument to this keyword must be From markus.friedl at informatik.uni-erlangen.de Fri Aug 24 17:50:11 2001 
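Review bot: the ssh.1 hunk documents the option as `Similar to KeepAlive, but applies to port forwards` with no full stop and without saying which sockets it covers; with this patch it is the connections accepted on a forward's listening socket, so say so, and mention that the kernel's keepalive idle timer (two hours by default on most systems) decides how long a vanished peer lingers before the probes start. The readconf.h comment and the -1/0 default handling match what oKeepAlives does.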
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 24 Aug 2001 09:50:11 +0200 Subject: [PATCH] SO_KEEPALIVE for port forwards In-Reply-To: <20010823174808.C16171@samosa.nojie.com>; from manoj@collab.net on Thu, Aug 23, 2001 at 05:48:08PM -0700 References: <20010823174808.C16171@samosa.nojie.com> Message-ID: <20010824095011.A23074@folly> On Thu, Aug 23, 2001 at 05:48:08PM -0700, Manoj Kasichainula wrote: > Attached is a patch to allow a user to turn on TCP keepalives for port > forwarded connections. It's mainly useful when the connections to the > ssh listener are coming from many different boxes, some of which > crash, leaving the service on the other side of the port forwarder > waiting on connections indefinitely. > > It creates a new option named "KeepAliveForward" to control this > behavior. It's off by default for backward compatibility. > > This patch was made for 2.9p2, but it applies almost perfectly to the > CVS HEAD. I would've provided a patch to CVS instead, but the HEAD > doesn't build for me at the moment. > > Thoughts? > > Please cc: me, I'm not on the list. Thanks. > --- openssh-2.9p2/channels.c.keepalivetunnel Wed Jun 13 12:18:05 2001 > +++ openssh-2.9p2/channels.c Thu Aug 23 15:40:43 2001 > @@ -61,6 +61,9 @@ > #include "canohost.h" > #include "key.h" > #include "authfd.h" > +#include "readconf.h" > + > +extern Options options; not allowed in channels.c From markus.friedl at informatik.uni-erlangen.de Fri Aug 24 17:55:05 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 24 Aug 2001 09:55:05 +0200 Subject: Example SmartCard enabled OpenSSH agent. In-Reply-To: <3B847EF0.2075182E@sssup.it>; from cucinotta@sssup.it on Wed, Aug 22, 2001 at 10:56:32PM -0500 References: <3B847EF0.2075182E@sssup.it> Message-ID: <20010824095505.B23074@folly> On Wed, Aug 22, 2001 at 10:56:32PM -0500, Tommaso Cucinotta wrote: > as an example of SSP-Lite middleware, I modified the > OpenSSH-2.9p2 sources to support Smart Cards. OpenSSH-current has some smartcard support, too. it's based on work done by citi/umich. perhaps it's possible to integrate your work... From dwd at bell-labs.com Sat Aug 25 02:47:14 2001 
From: dwd at bell-labs.com (Dave Dykstra) Date: Fri, 24 Aug 2001 11:47:14 -0500 Subject: Patch for changing expired passwords In-Reply-To: ; from stevesk@pobox.com on Thu, Aug 23, 2001 at 12:42:40PM -0700 References: <20010823122240.A24755@lucent.com> Message-ID: <20010824114714.A15427@lucent.com> On Thu, Aug 23, 2001 at 12:42:40PM -0700, Kevin Steves wrote: > On Thu, 23 Aug 2001, Dave Dykstra wrote: > :Will this patch be able to be incorporated in the next portable release? > :I've seen several people asking about this functionality, and Markus did > :the preparation work in the base code. > > patch looks ok for systems with spwd. i think we need something like this, > but it should ideally work for all or most systems we support. I agree with you. However, I think the best way to do that is to put in a solution that works at least on the most common systems; then people who need it on other systems will have something to patch for the next release. I have tested that it at least compiles and runs on Solaris 5.5.1 & 5.7 Sunos 4.1.4 HP-UX 10.20 Linux Redhat 6.2 Irix 6.2 Unixware 1.1.2 > in the case > of hp-ux for example, it has spwd and pr_passwd, but spwd can't currently > be used, and i don't think it should be. I see that my HP-UX machine does not have /etc/shadow so I must not have tested expiration over there. I was unaware of pr_passwd, but now that you mention it I see it documented under getprpwent(). However, it says it is "for trusted systems only" and mine isn't set up that way so I won't be able to test it. > SCO or other systems that use > secureware-based trusted systems may have similar issues. there's also > passwd_adjunct and systems that have pw_change and probably other > mechanisms. All these systems have a relatively low user base, so if somebody has a need for it let them submit a patch. The changes should be able to be isolated to a few lines in auth.c and a probe in configure.in, so they don't seem to me to be a bother for support. 
> what changes might be in openssh native, and what are in > portable only? All the changes that were needed in openssh native were already done by Markus; the patch I submitted is for portable only. - Dave Dykstra From saju.nair at wipro.com Sat Aug 25 15:34:51 2001 From: saju.nair at wipro.com (SAJU NAIR) Date: Sat, 25 Aug 2001 11:04:51 +0530 Subject: restrict shell access in Openssh References: <20010823122240.A24755@lucent.com> <20010824114714.A15427@lucent.com> Message-ID: <00df01c12d27$a9df6950$f997a8c0@sajump> Hi All, How do I restrict shell access in Openssh ? I would like to enable only sftp for the users. Is there any dummy shell for Openssh ?? Thanks in advance. Saju -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010825/71f8f57f/attachment.html -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: InterScan_Disclaimer.txt Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010825/71f8f57f/attachment.txt From f_mohr at yahoo.de Sat Aug 25 21:52:20 2001 From: f_mohr at yahoo.de (Frank Mohr) Date: Sat, 25 Aug 2001 13:52:20 +0200 Subject: restrict shell access in Openssh References: <20010823122240.A24755@lucent.com> <20010824114714.A15427@lucent.com> <00df01c12d27$a9df6950$f997a8c0@sajump> Message-ID: <3B879174.731425A9@yahoo.de> SAJU NAIR wrote: > > Hi All, > > How do I restrict shell access in Openssh ? I would like to enable only sftp > for the users. > Is there any dummy shell for Openssh ?? > > Thanks in advance. > > Saju I have not tried this with sftp, but I use a forced command script that checks the original command variable to restrict access to scp only for some accounts frank From gert at greenie.muc.de Sun Aug 26 06:22:46 2001 
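Frank's forced-command approach above, written out as an added example in C rather than a shell script so that nothing between sshd and scp interprets the request; it is neither his script nor OpenSSH code. The authorized_keys line it assumes, the install path and SCP_PATH are my own names. It accepts only "scp -f <file>" and "scp -t <file>" with a relative path, because any extra scp option (-S, -o ProxyCommand) lets the peer run a program of its choosing under the account. sftp, which Saju asked about, arrives as a subsystem request rather than a command line and would need its own handling.

```c
/* Added example, not from the thread: a forced-command wrapper for
 * authorized_keys that lets an account run scp and nothing else.
 * Assumed installation (names are mine):
 *   command="/usr/local/libexec/scp-only",no-pty,no-port-forwarding ssh-rsa AAAA...
 * sshd then runs this program with the client's request in
 * SSH_ORIGINAL_COMMAND instead of running that request itself. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SCP_PATH "/usr/bin/scp"    /* assumption: wherever scp lives */
#define MAX_ARGS 8

/* Split on spaces; returns argc, or -1 if there are too many words. */
static int split_args(char *s, char **argv, int max)
{
    int argc = 0;
    char *tok, *save;

    for (tok = strtok_r(s, " ", &save); tok != NULL;
         tok = strtok_r(NULL, " ", &save)) {
        if (argc >= max - 1)
            return -1;
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    return argc;
}

/* Accept exactly "scp -f <file>" or "scp -t <file>" with <file> relative
 * and free of "..".  Returns 1 and fills argv for execv(), else 0.
 * cmd is split in place. */
int scp_command_allowed(char *cmd, char **argv, int max)
{
    int argc;
    const char *path;

    if (cmd == NULL)            /* no command at all: a shell was asked for */
        return 0;
    /* Nothing here goes through a shell, but refuse shell syntax anyway so
     * a "scp -f x; sh" request cannot get lucky somewhere else. */
    if (strpbrk(cmd, ";&|`$<>\n\"'\\(){}*?") != NULL)
        return 0;
    argc = split_args(cmd, argv, max);
    if (argc != 3 || strcmp(argv[0], "scp") != 0)
        return 0;
    if (strcmp(argv[1], "-f") != 0 && strcmp(argv[1], "-t") != 0)
        return 0;
    path = argv[2];
    /* Any further option is refused: "-S prog" or "-o ProxyCommand=..."
     * would make scp execute an arbitrary program under this account.
     * Absolute paths and ".." keep it inside the account's home. */
    if (path[0] == '-' || path[0] == '/' || strstr(path, "..") != NULL)
        return 0;
    argv[0] = (char *)SCP_PATH;
    return 1;
}

/* Convenience for tests: copy the literal, check it, free it. */
int check_cmd(const char *literal)
{
    char *argv[MAX_ARGS];
    char *cmd = literal ? strdup(literal) : NULL;
    int ok = scp_command_allowed(cmd, argv, MAX_ARGS);

    free(cmd);
    return ok;
}

int main(void)
{
    const char *orig = getenv("SSH_ORIGINAL_COMMAND");
    char *cmd = orig ? strdup(orig) : NULL;
    char *argv[MAX_ARGS];

    if (!scp_command_allowed(cmd, argv, MAX_ARGS)) {
        fprintf(stderr, "scp-only: refusing '%s'\n", orig ? orig : "(shell)");
        return 1;
    }
    execv(SCP_PATH, argv);      /* only reached for scp -f/-t <file> */
    perror("execv");
    return 1;
}
```

The restrictions on the key line matter as much as the wrapper: without no-pty and no-port-forwarding the account still gets a terminal and tunnels even though it never gets a shell.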
From: gert at greenie.muc.de (Gert Doering) Date: Sat, 25 Aug 2001 22:22:46 +0200 Subject: Duplicates (was: Re: Example SmartCard enabled OpenSSH agent.) In-Reply-To: <20010824095505.B23074@folly>; from Markus Friedl on Fri, Aug 24, 2001 at 09:55:05AM +0200 References: <3B847EF0.2075182E@sssup.it> <20010824095505.B23074@folly> Message-ID: <20010825222246.A4605@greenie.muc.de> Hi, On Fri, Aug 24, 2001 at 09:55:05AM +0200, Markus Friedl wrote: > On Wed, Aug 22, 2001 at 10:56:32PM -0500, Tommaso Cucinotta wrote: > > as an example of SSP-Lite middleware, I modified the > > OpenSSH-2.9p2 sources to support Smart Cards. > > OpenSSH-current has some smartcard support, too. > it's based on work done by citi/umich. > > perhaps it's possible to integrate your work... I again get duplicates from the mailing list - got about 15 copies of this e-mail. Damien, any findings? gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From djm at mindrot.org Mon Aug 27 14:04:51 2001 From: djm at mindrot.org (Damien Miller) Date: Mon, 27 Aug 2001 14:04:51 +1000 (EST) Subject: Duplicates (was: Re: Example SmartCard enabled OpenSSH agent.) In-Reply-To: <20010825222246.A4605@greenie.muc.de> Message-ID: On Sat, 25 Aug 2001, Gert Doering wrote: > I again get duplicates from the mailing list - got about 15 copies of > this e-mail. I have upgraded the mail server and dropped the MTU on my Internet link (Postfix seems sensitive to MTU problems). Please tell me if you get any more duplicates after this message. Regards, Damien Miller -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From manoj at collab.net Mon Aug 27 17:41:22 2001 
From: manoj at collab.net (Manoj Kasichainula) Date: Mon, 27 Aug 2001 00:41:22 -0700 Subject: [PATCH] SO_KEEPALIVE for port forwards In-Reply-To: <20010824095011.A23074@folly> References: <20010823174808.C16171@samosa.nojie.com> <20010824095011.A23074@folly> Message-ID: <20010827004122.A26443@samosa.nojie.com> On Fri, Aug 24, 2001 at 09:50:11AM +0200, Markus Friedl wrote: > On Thu, Aug 23, 2001 at 05:48:08PM -0700, Manoj Kasichainula wrote: > > --- openssh-2.9p2/channels.c.keepalivetunnel Wed Jun 13 12:18:05 2001 > > +++ openssh-2.9p2/channels.c Thu Aug 23 15:40:43 2001 > > @@ -61,6 +61,9 @@ > > #include "canohost.h" > > #include "key.h" > > #include "authfd.h" > > +#include "readconf.h" > > + > > +extern Options options; > > not allowed in channels.c Would it be acceptable to instead add a field to the Channel structure? This field would be set by an additional argument to channel_new(), and used in channel_post_port_listener. From khaled at w-arts.com Mon Aug 27 23:50:01 2001 
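Manoj's patch sets SO_KEEPALIVE on each accept()ed socket, and his follow-up asks where the flag should live so channels.c stays free of client and server options. One alternative is to set it once on the listening socket and let accepted sockets pick it up, but that relies on the kernel copying socket options across accept(2), which POSIX does not promise even though Linux and the BSDs do it for SO_KEEPALIVE. The program below is an added example, not OpenSSH code: it connects to itself over loopback and reports the accepted socket's effective setting under both placements, so the assumption can be checked on whatever platform a portable build targets. Keep in mind that keepalive probes only start after the kernel's idle timer, two hours by default on most systems, so a crashed peer is noticed late rather than quickly.

```c
/* Added example, not OpenSSH code: set SO_KEEPALIVE either on each
 * accept()ed socket (what the patch does) or once on the listener, then
 * read back what the accepted socket actually ended up with.  Uses a
 * loopback connection to itself, so it runs offline. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listener on 127.0.0.1, ephemeral port; the bound address is returned
 * in *addr so the client half can connect to it. */
static int make_listener(struct sockaddr_in *addr)
{
    socklen_t len = sizeof(*addr);
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0)
        return -1;
    memset(addr, 0, sizeof(*addr));
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr->sin_port = 0;
    if (bind(fd, (struct sockaddr *)addr, sizeof(*addr)) < 0 ||
        listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)addr, &len) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Effective SO_KEEPALIVE of fd as 0/1, or -1 on error. */
static int get_keepalive(int fd)
{
    int val = 0;
    socklen_t len = sizeof(val);

    if (getsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &val, &len) < 0)
        return -1;
    return val != 0;
}

/* on_listener: set the option before accept(), relying on the kernel to
 * copy it.  on_accepted: set it on the new socket, as the patch does.
 * Returns the accepted socket's effective setting, -1 on any failure. */
int keepalive_experiment(int on_listener, int on_accepted)
{
    struct sockaddr_in addr;
    int one = 1, lfd, cfd = -1, afd = -1, result = -1;

    lfd = make_listener(&addr);
    if (lfd < 0)
        return -1;
    if (on_listener &&
        setsockopt(lfd, SOL_SOCKET, SO_KEEPALIVE, &one, sizeof(one)) < 0)
        goto out;
    cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (cfd < 0 || connect(cfd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
        goto out;
    afd = accept(lfd, NULL, NULL);
    if (afd < 0)
        goto out;
    /* The patch's placement: per accepted socket, with the failure visible
     * to the caller rather than silently ignored. */
    if (on_accepted &&
        setsockopt(afd, SOL_SOCKET, SO_KEEPALIVE, &one, sizeof(one)) < 0)
        goto out;
    result = get_keepalive(afd);
out:
    if (afd >= 0)
        close(afd);
    if (cfd >= 0)
        close(cfd);
    close(lfd);
    return result;
}

int keepalive_default(void)                 { return keepalive_experiment(0, 0); }
int keepalive_set_per_accept(void)          { return keepalive_experiment(0, 1); }
int keepalive_inherited_from_listener(void) { return keepalive_experiment(1, 0); }
```

keepalive_inherited_from_listener() returning 1 means the listener-only placement works on this kernel; 0 means it silently does nothing for forwarded connections, and the per-accept setsockopt is the only portable choice.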
From: khaled at w-arts.com (Khaled Daham)
Date: Mon, 27 Aug 2001 15:50:01 +0200 (CEST)
Subject: scp1 issue
Message-ID:

Hi.

I hope this is not entirely inappropriate, I have tried comp.security.ssh
but have not received any response, anyhow I am wondering how scp1 really
works, as far as I can tell it should be quite straightforward, just send

version string
CMSG_SESSION_KEY
CMSG_USER
CMSG_AUTH_PASSWORD
CMSG_EXEC_CMD

And wait for SMSG_STDOUT_DATA until SMSG_EXITSTATUS.

I have read the scp.c code and it more or less just starts ssh with the
command "scp -f file-to-get", however when I do that in a little client I
made it just hangs after sshd does its server_init_dispatch()

debug1: session_new: init
debug1: session_new: session 0
debug1: Exec command 'scp -f .profile'
debug1: PAM establishing creds
debug1: Entering interactive session.
debug1: fd 7 setting O_NONBLOCK
debug1: fd 7 IS O_NONBLOCK
debug1: fd 9 setting O_NONBLOCK
debug1: server_init_dispatch_13
debug1: server_init_dispatch_15
--- This is with my client and here it stops, additional lines below are with scp that comes with OpenSSH ---
debug1: tvp!=NULL kid 0 mili 10
debug1: Received SIGCHLD.
debug1: tvp!=NULL kid 1 mili 100
debug1: End of interactive session; stdin 3, stdout (read 2710, sent 2710), stderr 338 bytes.
debug1: Command exited with status 0.
debug1: Received exit confirmation.
Closing connection to 127.0.0.1

Now any other command works, like if I do cat/ls or anything I get data
back in STDOUT_DATA packets, so I am wondering if scp executed on the
remote side is waiting for something, but I can not figure out what, no
channels or anything is invoked as far as I can see in the OpenSSH code.

Any suggestions ?

/Khaled Daham, w.arts
Mail: khaled at w-arts.com
Cell: +46-70-6785492
FreeBSD: The Power to Serve! http://www.FreeBSD.org/

From stevesk at pobox.com Tue Aug 28 02:54:05 2001
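The remote "scp -f" in Khaled's trace is indeed waiting for something: the scp protocol is driven by the receiving side, and the sender's first action is to read one response byte from its peer before it writes anything. cat and ls work because they write unprompted; scp -f sits until a zero byte arrives, then sends a "C<mode> <size> <name>" header, waits for another zero byte, sends the file bytes followed by a zero byte, and waits for a third. The C below is an added illustration of that exchange, not scp.c: the source half as a state machine fed one response byte at a time, and the sink half's parser. The record format and the constructed ".profile" contents are the only inputs; everything stays in memory.

```c
/* Added example, not scp.c: the source ("scp -f") side of the scp protocol
 * as a state machine fed one response byte at a time, and the sink's
 * parser for what it produces.  In-memory only, so it runs offline. */
#include <stdio.h>
#include <string.h>

#define OUT_MAX 4096
enum src_state { SRC_WAIT_INITIAL_ACK, SRC_WAIT_HEADER_ACK,
                 SRC_WAIT_DATA_ACK, SRC_DONE, SRC_ERROR };

struct scp_source {
    enum src_state state;
    const char *name; const unsigned char *data; size_t len;
    unsigned char out[OUT_MAX]; size_t outlen;  /* all bytes sent so far */
};

static void src_put(struct scp_source *s, const void *p, size_t n)
{
    if (n > OUT_MAX - s->outlen) { s->state = SRC_ERROR; return; }
    memcpy(s->out + s->outlen, p, n);
    s->outlen += n;
}

void scp_source_init(struct scp_source *s, const char *name,
                     const unsigned char *data, size_t len)
{
    memset(s, 0, sizeof(*s));
    s->state = SRC_WAIT_INITIAL_ACK;    /* writes nothing until acked */
    s->name = name; s->data = data; s->len = len;
}

/* Feed one byte from the sink: 0 = ok, 1 = warning, 2 = fatal.  The source
 * only ever writes in response to a 0, starting with the very first one;
 * a client that never sends it sees scp -f sit there forever. */
enum src_state scp_source_ack(struct scp_source *s, int byte)
{
    char hdr[256]; int n;

    if (byte != 0) { s->state = SRC_ERROR; return s->state; }
    switch (s->state) {
    case SRC_WAIT_INITIAL_ACK:          /* "C<mode> <size> <name>\n" */
        n = snprintf(hdr, sizeof(hdr), "C0644 %lu %s\n",
                     (unsigned long)s->len, s->name);
        if (n < 0 || (size_t)n >= sizeof(hdr)) { s->state = SRC_ERROR; break; }
        src_put(s, hdr, (size_t)n);
        s->state = SRC_WAIT_HEADER_ACK;
        break;
    case SRC_WAIT_HEADER_ACK:           /* file bytes, then one zero byte */
        src_put(s, s->data, s->len);
        src_put(s, "", 1);
        s->state = SRC_WAIT_DATA_ACK;
        break;
    case SRC_WAIT_DATA_ACK: s->state = SRC_DONE; break;
    default: break;
    }
    return s->state;
}

struct scp_file {
    unsigned mode; unsigned long size; char name[128];
    const unsigned char *data;          /* points into the source's output */
};

/* Sink side: one "C<mode> <size> <name>\n<data>\0" record.  0 = ok,
 * -1 = malformed, -2 = a name that would leave the target directory; the
 * name comes from the peer and must never be trusted as a path. */
int scp_sink_parse(const unsigned char *in, size_t n, struct scp_file *f)
{
    const unsigned char *nl = memchr(in, '\n', n), *body;
    char line[256]; int used = 0;

    if (nl == NULL || (size_t)(nl - in) >= sizeof(line))
        return -1;
    memcpy(line, in, (size_t)(nl - in));
    line[nl - in] = '\0';
    if (sscanf(line, "C%4o %lu %127s%n", &f->mode, &f->size, f->name,
               &used) != 3 || line[used] != '\0')
        return -1;
    if (strchr(f->name, '/') || !strcmp(f->name, "..") || !strcmp(f->name, "."))
        return -2;
    body = nl + 1;
    if ((size_t)(in + n - body) < f->size + 1 || body[f->size] != '\0')
        return -1;
    f->data = body;
    return 0;
}

/* Whole transfer of a constructed ".profile".  Returns the parsed size if
 * the bytes round-trip with mode 0644, -1 otherwise. */
int scp_demo(void)
{
    static const unsigned char profile[] = "umask 022\n";   /* constructed */
    size_t len = sizeof(profile) - 1;
    struct scp_source s; struct scp_file f;

    scp_source_init(&s, ".profile", profile, len);
    if (s.outlen != 0)                                   /* must be silent */
        return -1;
    if (scp_source_ack(&s, 0) != SRC_WAIT_HEADER_ACK ||  /* sink's first 0 */
        scp_source_ack(&s, 0) != SRC_WAIT_DATA_ACK ||    /* header acked */
        scp_sink_parse(s.out, s.outlen, &f) != 0 ||
        scp_source_ack(&s, 0) != SRC_DONE)               /* data acked */
        return -1;
    if (f.mode != 0644 || f.size != len || memcmp(f.data, profile, len))
        return -1;
    return (int)f.size;
}

/* A hostile source; the sink must refuse the name, not write ../x. */
int scp_sink_rejects_traversal(void)
{
    static const unsigned char evil[] = "C0644 3 ../x\nabc";  /* \0 at end */
    struct scp_file f;
    return scp_sink_parse(evil, sizeof(evil), &f);
}
```

So the fix for a hand-written client is to send a single zero byte on the channel's stdin as soon as the exec request is accepted, then ack each header and each file body the same way; the path check in the sink is there because the name in the header is chosen by the other end.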
From: stevesk at pobox.com (Kevin Steves) Date: Mon, 27 Aug 2001 09:54:05 -0700 (PDT) Subject: Patch for changing expired passwords In-Reply-To: <20010824114714.A15427@lucent.com> Message-ID: On Fri, 24 Aug 2001, Dave Dykstra wrote: :On Thu, Aug 23, 2001 at 12:42:40PM -0700, Kevin Steves wrote: :> patch looks ok for systems with spwd. i think we need something like this, :> but it should ideally work for all or most systems we support. : :I agree with you. However, I think the best way to do that is to put in a :solution that works at least on the most common systems; then people who :need it on other systems will have something to patch for the next release. : :I have tested that it at least compiles and runs on : Solaris 5.5.1 & 5.7 : Sunos 4.1.4 : HP-UX 10.20 : Linux Redhat 6.2 : Irix 6.2 : Unixware 1.1.2 : :> in the case :> of hp-ux for example, it has spwd and pr_passwd, but spwd can't currently :> be used, and i don't think it should be. : :I see that my HP-UX machine does not have /etc/shadow so I must not have :tested expiration over there. I was unaware of pr_passwd, but now that you :mention it I see it documented under getprpwent(). However, it says it is :"for trusted systems only" and mine isn't set up that way so I won't be :able to test it. hp-ux doesn't use /etc/shadow (yet). it uses the secureware-based /tcb/ stuff. it has both getspent() and getprpwent(). today openssh will not use getpwent() because DISABLE_SHADOW is defined. 10.20 could use support for password expiration, because it can't use PAM, but that would require changes to use getpwent() in some cases or to use the expire fields from getprpwent(). :> what changes might be in openssh native, and what are in :> portable only? : :All the changes that were needed in openssh native were already done by :Markus; the patch I submitted is for portable only. i think basic changes for checking expired passwords (and accounts) should perhaps go upstream. 
right now openssh native doesn't check pw_expire, pw_change, and i'm not
sure about its BSD_AUTH changes. i recall NetBSD may have changes to do
the former.

From Florian.Weimer at RUS.Uni-Stuttgart.DE Tue Aug 28 04:35:18 2001
From: Florian.Weimer at RUS.Uni-Stuttgart.DE (Florian Weimer)
Date: 27 Aug 2001 20:35:18 +0200
Subject: permitopen flag in authorized_keys file
Message-ID:

I've just discovered the permitopen flag. We need such a feature for our
poor man's VPN services, but this flag seems to be usable only if you
generate your authorized_keys file from a database or something like
that: keeping a long list of host/port combinations up to date for
several users and keys is no fun.

As announced before, we have developed a far more powerful mechanism for
controlling port forwarding, see:

http://cert.uni-stuttgart.de/projects/openssh.php

(I'm currently porting it to the most recent portable OpenSSH version.)

Why haven't you used this already existing code?

--
Florian Weimer Florian.Weimer at RUS.Uni-Stuttgart.DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898

From insyte at emt-p.org Tue Aug 28 04:55:27 2001
From: insyte at emt-p.org (Ben Beuchler)
Date: Mon, 27 Aug 2001 13:55:27 -0500
Subject: agent forwarding with v2
Message-ID: <20010827135526.A1933@emt-p.org>

I'm confused about the status of auth agent forwarding while using v2
protocols. I found an old newsgroup post that said it was not available
but a ChangeLog entry dated 20001113 seems to indicate that it was added.

So. Does agent forwarding work while using v2 protocols? I've been unable
to get it to work since I switched to using v2.

Thanks,
Ben

--
Ben Beuchler There is no spoon.
insyte at emt-p.org -- The Matrix

From markus at openbsd.org Tue Aug 28 04:28:49 2001
From: markus at openbsd.org (Markus Friedl) Date: Mon, 27 Aug 2001 20:28:49 +0200 Subject: Patch for changing expired passwords In-Reply-To: ; from stevesk@pobox.com on Mon, Aug 27, 2001 at 09:54:05AM -0700 References: <20010824114714.A15427@lucent.com> Message-ID: <20010827202849.A4699@faui02.informatik.uni-erlangen.de> on openbsd BSD_AUTH checks for expiration, but i think i'll add check for the non-bsd-auth case. -m From jmknoble at pobox.com Tue Aug 28 05:37:19 2001 From: jmknoble at pobox.com (Jim Knoble) Date: Mon, 27 Aug 2001 14:37:19 -0500 Subject: agent forwarding with v2 In-Reply-To: <20010827135526.A1933@emt-p.org>; from insyte@emt-p.org on Mon, Aug 27, 2001 at 01:55:27PM -0500 References: <20010827135526.A1933@emt-p.org> Message-ID: <20010827143719.A23811@zax.half.pint-stowp.cx> Circa 2001-Aug-27 13:55:27 -0500 dixit Ben Beuchler: : I'm confused about the status of auth agent forwarding while using : v2 protocols. I found an old newsgroup post that said it was not : available but an entry in the ChangeLog entry dated 20001113 seems : to indicate that it was added. : : So. Does agent forwarding work while using v2 protocols? I've been : unable to get it to work since I switched to using v2. Works for me. OpenSSH-2.9p2 (portable) on Red Hat Linux 6.2. -- jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/ (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 262 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010827/d7b62a33/attachment.bin From insyte at emt-p.org Tue Aug 28 06:51:27 2001 
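Kevin and Markus above are sorting out where expiry gets checked: BSD_AUTH does it on OpenBSD, the BSDs carry pw_change and pw_expire in struct passwd, HP-UX trusted mode has getprpwent(), and the shadow systems Dave tested on have struct spwd. The C below is an added illustration of the shadow arithmetic only; it is not Dave's patch, which is not on this page. The enum, login_decision() and the demo_state() helper are my own names, the field meanings follow shadow(5) (days since the epoch, -1 for "not set"), and the struct is filled by hand so it runs without reading /etc/shadow.

```c
/* Added example, not the patch under discussion: the expiry arithmetic for
 * a system whose only source is struct spwd from getspnam(3).  All values
 * are days since the epoch, as in /etc/shadow; -1 means "not set". */
#include <shadow.h>
#include <string.h>
#include <time.h>

enum pw_state { PW_OK, PW_WARN, PW_MUST_CHANGE, PW_EXPIRED_PASSWORD,
                PW_EXPIRED_ACCOUNT };

long today_in_days(void)
{
    return (long)(time(NULL) / 86400);
}

/* Classify an account for a given day.  Order matters: an account expiry
 * date wins over everything, and sp_lstchg == 0 is the administrator's
 * "change at next login" regardless of the other fields. */
enum pw_state shadow_state(const struct spwd *sp, long today)
{
    long expires;

    if (sp->sp_expire > 0 && today >= sp->sp_expire)
        return PW_EXPIRED_ACCOUNT;
    if (sp->sp_lstchg == 0)
        return PW_MUST_CHANGE;
    if (sp->sp_lstchg < 0 || sp->sp_max < 0)      /* ageing not in use */
        return PW_OK;
    expires = sp->sp_lstchg + sp->sp_max;
    if (today > expires) {
        /* Past sp_max the user may still log in and change it, unless the
         * inactivity allowance sp_inact has also run out. */
        if (sp->sp_inact >= 0 && today > expires + sp->sp_inact)
            return PW_EXPIRED_PASSWORD;
        return PW_MUST_CHANGE;
    }
    if (sp->sp_warn > 0 && today >= expires - sp->sp_warn)
        return PW_WARN;
    return PW_OK;
}

/* What a server would do with the answer: 0 = let the session proceed,
 * 1 = proceed but force a password change first, -1 = refuse the login. */
int login_decision(enum pw_state st)
{
    switch (st) {
    case PW_OK:
    case PW_WARN:
        return 0;
    case PW_MUST_CHANGE:
        return 1;
    default:
        return -1;
    }
}

/* Build a struct spwd by hand (constructed, no privileges needed) and
 * classify it; a real caller would use getspnam(pw->pw_name). */
enum pw_state demo_state(long lstchg, long max, long warn, long inact,
                         long expire, long today)
{
    struct spwd sp;

    memset(&sp, 0, sizeof(sp));
    sp.sp_namp = (char *)"example";     /* constructed */
    sp.sp_lstchg = lstchg;
    sp.sp_min = 0;
    sp.sp_max = max;
    sp.sp_warn = warn;
    sp.sp_inact = inact;
    sp.sp_expire = expire;
    return shadow_state(&sp, today);
}
```

The PW_WARN case is the one worth surfacing to the user at login rather than silently passing, and PW_MUST_CHANGE is where the forced passwd run that this thread is about would go.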
From: insyte at emt-p.org (Ben Beuchler) Date: Mon, 27 Aug 2001 15:51:27 -0500 Subject: Troubleshooting ssh-agent forwarding w/ v2 protocols Message-ID: <20010827155126.F1933@emt-p.org> OK. I've had a few replies to my earlier question about auth agent forwarding that indicate that it is currently supported. So now I'm confused as to why it is not working for me. I'm trying to chain between servers. With v1 I could load my key into the ssh-agent on my workstation (a) and ssh to server b and ssh from there to server c, all without typing a passphrase/password. Now I can go from a to b, but if I ssh to c I am prompted for my password. On my workstation, I have these lines in my /usr/local/etc/ssh_config: Host * ForwardAgent yes ForwardX11 no The config looks the same on b. I have upgraded all three machines to OpenSSH 2.9p2. Would it be worthwhile to post debugging output from either the client or the server? Thanks, Ben -- Ben Beuchler There is no spoon. insyte at emt-p.org -- The Matrix From markus at openbsd.org Tue Aug 28 06:51:33 2001 
From: markus at openbsd.org (Markus Friedl) Date: Mon, 27 Aug 2001 22:51:33 +0200 Subject: agent forwarding with v2 In-Reply-To: <20010827135526.A1933@emt-p.org>; from insyte@emt-p.org on Mon, Aug 27, 2001 at 01:55:27PM -0500 References: <20010827135526.A1933@emt-p.org> Message-ID: <20010827225133.B3277@folly> with v2 agent forwarding works if a openssh client talks to a openssh agent. On Mon, Aug 27, 2001 at 01:55:27PM -0500, Ben Beuchler wrote: > I'm confused about the status of auth agent forwarding while using v2 > protocols. I found an old newsgroup post that said it was not available but > an entry in the ChangeLog entry dated 20001113 seems to indicate that it was > added. > > So. Does agent forwarding work while using v2 protocols? I've been unable to > get it to work since I switched to using v2. > > Thanks, > Ben > > -- > Ben Beuchler There is no spoon. > insyte at emt-p.org -- The Matrix From jmknoble at pobox.com Tue Aug 28 07:44:10 2001 
From: jmknoble at pobox.com (Jim Knoble) Date: Mon, 27 Aug 2001 16:44:10 -0500 Subject: Troubleshooting ssh-agent forwarding w/ v2 protocols In-Reply-To: <20010827155126.F1933@emt-p.org>; from insyte@emt-p.org on Mon, Aug 27, 2001 at 03:51:27PM -0500 References: <20010827155126.F1933@emt-p.org> Message-ID: <20010827164410.B23951@zax.half.pint-stowp.cx> Circa 2001-Aug-27 15:51:27 -0500 dixit Ben Beuchler: : OK. I've had a few replies to my earlier question about auth agent : forwarding that indicate that it is currently supported. So now I'm : confused as to why it is not working for me. [...] [...] : I have upgraded all three machines to OpenSSH 2.9p2. : : Would it be worthwhile to post debugging output from either the : client or the server? Probably. At the very least, i'd recommend trying it yourself, twice: once with 'ssh -A' to explicitly enable agent forwarding, and once with plain 'ssh', to see if there's a difference. Also, do 'ssh-agent -V' to make certain the ssh-agent on your PATH is the one from 2.9p2. You may also need to log out and log back in again (or restart ssh-agent) in order to be certain you're running the newly installed ssh-agent. -- jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/ (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 262 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010827/48b92b23/attachment.bin From manoj at collab.net Tue Aug 28 10:46:21 2001 
From: manoj at collab.net (Manoj Kasichainula) Date: Mon, 27 Aug 2001 17:46:21 -0700 Subject: [PATCH] SO_KEEPALIVE for port forwards In-Reply-To: <20010824095011.A23074@folly> References: <20010823174808.C16171@samosa.nojie.com> <20010824095011.A23074@folly> Message-ID: <20010827174621.A14034@samosa.nojie.com> [Please keep cc:ing me on replies] On Fri, Aug 24, 2001 at 09:50:11AM +0200, Markus Friedl wrote: > On Thu, Aug 23, 2001 at 05:48:08PM -0700, Manoj Kasichainula wrote: > > --- openssh-2.9p2/channels.c.keepalivetunnel Wed Jun 13 12:18:05 2001 > > +++ openssh-2.9p2/channels.c Thu Aug 23 15:40:43 2001 > > @@ -61,6 +61,9 @@ > > #include "canohost.h" > > #include "key.h" > > #include "authfd.h" > > +#include "readconf.h" > > + > > +extern Options options; > > not allowed in channels.c Now that I understand the code somewhat better, I see why. Here's a rewritten version. It sets SO_KEEPALIVE on the listening socket instead of each of the accepted sockets. It passes around a keepalive parameter to a few different functions to avoid putting client or server options in channels.c. And, since the basis was there, I added support for keepalives in -R style port forwards too. This patch is now against the cvs repo instead of the 2.9p2 tarball. How is this? -------------- next part -------------- Index: channels.c =================================================================== RCS file: /cvs/openssh_cvs/channels.c,v retrieving revision 1.103 diff -u -d -r1.103 channels.c --- channels.c 2001/07/18 16:01:47 1.103 +++ channels.c 2001/08/28 00:41:19 @@ -2029,12 +2029,12 @@ */ int channel_request_local_forwarding(u_short listen_port, const char *host_to_connect, - u_short port_to_connect, int gateway_ports) + u_short port_to_connect, int gateway_ports, int keepalive) { return channel_request_forwarding( NULL, listen_port, host_to_connect, port_to_connect, - gateway_ports, /*remote_fwd*/ 0); + gateway_ports, /*remote_fwd*/ 0, keepalive); } /* 
@@ -2045,7 +2045,7 @@ channel_request_forwarding( const char *listen_address, u_short listen_port, const char *host_to_connect, u_short port_to_connect, - int gateway_ports, int remote_fwd) + int gateway_ports, int remote_fwd, int keepalive) { Channel *c; int success, sock, on = 1, type; @@ -2105,6 +2105,10 @@ linger.l_onoff = 1; linger.l_linger = 5; setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger)); + if (keepalive) { + setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&on, sizeof(on)); + } + debug("Local forwarding listening on %s port %s.", ntop, strport); /* Bind the socket to the address. */ @@ -2210,7 +2214,7 @@ */ void -channel_input_port_forward_request(int is_root, int gateway_ports) +channel_input_port_forward_request(int is_root, int gateway_ports, int keepalive) { u_short port, host_port; char *hostname; @@ -2230,7 +2234,8 @@ port); #endif /* Initiate forwarding */ - channel_request_local_forwarding(port, hostname, host_port, gateway_ports); + channel_request_local_forwarding(port, hostname, host_port, gateway_ports, + keepalive); /* Free the argument string. */ xfree(hostname); Index: channels.h =================================================================== RCS file: /cvs/openssh_cvs/channels.h,v retrieving revision 1.37 diff -u -d -r1.37 channels.h --- channels.h 2001/07/18 16:01:47 1.37 +++ channels.h 2001/08/28 00:41:19 
@@ -185,14 +185,15 @@ void channel_permit_all_opens(void); void channel_add_permitted_opens(char *, int); void channel_clear_permitted_opens(void); -void channel_input_port_forward_request(int, int); +void channel_input_port_forward_request(int, int, int); int channel_connect_to(const char *, u_short); int channel_connect_by_listen_address(u_short); void channel_request_remote_forwarding(u_short, const char *, u_short); -int channel_request_local_forwarding(u_short, const char *, u_short, int); +int channel_request_local_forwarding(u_short, const char *, u_short, int, + int); int channel_request_forwarding(const char *, u_short, const char *, u_short, int, - int); + int, int); /* x11 forwarding */ Index: readconf.c =================================================================== RCS file: /cvs/openssh_cvs/readconf.c,v retrieving revision 1.61 diff -u -d -r1.61 readconf.c --- readconf.c 2001/08/15 22:59:00 1.61 +++ readconf.c 2001/08/28 00:41:19 @@ -109,7 +109,7 @@ oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, - oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, + oCompressionLevel, oKeepAlives, oKeepAlivesForward, oNumberOfPasswordPrompts, oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, @@ -177,6 +177,7 @@ { "compression", oCompression }, { "compressionlevel", oCompressionLevel }, { "keepalive", oKeepAlives }, + { "keepaliveforward", oKeepAlivesForward }, { "numberofpasswordprompts", oNumberOfPasswordPrompts }, { "loglevel", oLogLevel }, { "dynamicforward", oDynamicForward }, 
@@ -399,6 +400,10 @@ intptr = &options->keepalives; goto parse_flag; + case oKeepAlivesForward: + intptr = &options->keepalives_forward; + goto parse_flag; + case oNumberOfPasswordPrompts: intptr = &options->number_of_password_prompts; goto parse_int; @@ -753,6 +758,7 @@ options->strict_host_key_checking = -1; options->compression = -1; options->keepalives = -1; + options->keepalives_forward = -1; options->compression_level = -1; options->port = -1; options->connection_attempts = -1; @@ -844,6 +850,8 @@ options->compression = 0; if (options->keepalives == -1) options->keepalives = 1; + if (options->keepalives_forward == -1) + options->keepalives_forward = 0; if (options->compression_level == -1) options->compression_level = 6; if (options->port == -1) Index: readconf.h =================================================================== RCS file: /cvs/openssh_cvs/readconf.h,v retrieving revision 1.30 diff -u -d -r1.30 readconf.h --- readconf.h 2001/08/06 21:35:52 1.30 +++ readconf.h 2001/08/28 00:41:19 @@ -63,6 +63,7 @@ int compression_level; /* Compression level 1 (fast) to 9 * (best). */ int keepalives; /* Set SO_KEEPALIVE. */ + int keepalives_forward; /* Set SO_KEEPALIVE for port forwards. */ LogLevel log_level; /* Level for logging. */ int port; /* Port to connect. */ Index: servconf.c =================================================================== RCS file: /cvs/openssh_cvs/servconf.c,v retrieving revision 1.63 diff -u -d -r1.63 servconf.c --- servconf.c 2001/07/14 02:20:32 1.63 +++ servconf.c 2001/08/28 00:41:20 @@ -62,6 +62,7 @@ options->xauth_location = NULL; options->strict_modes = -1; options->keepalives = -1; + options->keepalives_forward = -1; options->log_facility = (SyslogFacility) - 1; options->log_level = (LogLevel) - 1; options->rhosts_authentication = -1; 
@@ -156,6 +157,8 @@ options->strict_modes = 1; if (options->keepalives == -1) options->keepalives = 1; + if (options->keepalives_forward == -1) + options->keepalives_forward = 0; if (options->log_facility == (SyslogFacility) (-1)) options->log_facility = SYSLOG_FACILITY_AUTH; if (options->log_level == (LogLevel) (-1)) @@ -241,7 +244,7 @@ sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, - sStrictModes, sEmptyPasswd, sKeepAlives, sCheckMail, + sStrictModes, sEmptyPasswd, sKeepAlives, sKeepAlivesForward, sCheckMail, sUseLogin, sAllowTcpForwarding, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, @@ -302,6 +305,7 @@ { "permitemptypasswords", sEmptyPasswd }, { "uselogin", sUseLogin }, { "keepalive", sKeepAlives }, + { "keepaliveforward", sKeepAlivesForward }, { "allowtcpforwarding", sAllowTcpForwarding }, { "allowusers", sAllowUsers }, { "denyusers", sDenyUsers }, @@ -659,6 +663,10 @@ case sKeepAlives: intptr = &options->keepalives; + goto parse_flag; + + case sKeepAlivesForward: + intptr = &options->keepalives_forward; goto parse_flag; case sEmptyPasswd: Index: servconf.h =================================================================== RCS file: /cvs/openssh_cvs/servconf.h,v retrieving revision 1.38 diff -u -d -r1.38 servconf.h --- servconf.h 2001/07/04 18:37:21 1.38 +++ servconf.h 2001/08/28 00:41:20 
@@ -59,6 +59,7 @@ char *xauth_location; /* Location of xauth program */ int strict_modes; /* If true, require string home dir modes. */ int keepalives; /* If true, set SO_KEEPALIVE. */ + int keepalives_forward; /* If true, set SO_KEEPALIVE for -R port forwards. */ char *ciphers; /* Supported SSH2 ciphers. */ char *macs; /* Supported SSH2 macs. */ int protocol; /* Supported protocol versions. */ Index: serverloop.c =================================================================== RCS file: /cvs/openssh_cvs/serverloop.c,v retrieving revision 1.75 diff -u -d -r1.75 serverloop.c --- serverloop.c 2001/07/26 17:51:50 1.75 +++ serverloop.c 2001/08/28 00:41:21 @@ -941,7 +941,8 @@ listen_address, listen_port, /*unspec host_to_connect*/ "", /*unspec port_to_connect*/ 0, - options.gateway_ports, /*remote*/ 1); + options.gateway_ports, /*remote*/ 1, + options.keepalives_forward); } xfree(listen_address); } Index: session.c =================================================================== RCS file: /cvs/openssh_cvs/session.c,v retrieving revision 1.143 diff -u -d -r1.143 session.c --- session.c 2001/07/14 02:19:36 1.143 +++ session.c 2001/08/28 00:41:22 @@ -303,7 +303,7 @@ break; } debug("Received TCP/IP port forwarding request."); - channel_input_port_forward_request(s->pw->pw_uid == 0, options.gateway_ports); + channel_input_port_forward_request(s->pw->pw_uid == 0, options.gateway_ports, options.keepalives_forward); success = 1; break; Index: ssh.1 =================================================================== RCS file: /cvs/openssh_cvs/ssh.1,v retrieving revision 1.86 diff -u -d -r1.86 ssh.1 --- ssh.1 2001/08/15 23:25:46 1.86 +++ ssh.1 2001/08/28 00:41:22 
@@ -871,6 +871,12 @@ To disable keepalives, the value should be set to .Dq no in both the server and the client configuration files. +.It Cm KeepAliveForward +Similar to KeepAlive, but applies to -L port forwards +.Pp +The default is +.Dq no +(to not send keepalives) .It Cm KerberosAuthentication Specifies whether Kerberos authentication will be used. The argument to this keyword must be Index: ssh.c =================================================================== RCS file: /cvs/openssh_cvs/ssh.c,v retrieving revision 1.112 diff -u -d -r1.112 ssh.c --- ssh.c 2001/08/15 23:19:22 1.112 +++ ssh.c 2001/08/28 00:41:25 @@ -830,7 +830,7 @@ options.local_forwards[i].port, options.local_forwards[i].host, options.local_forwards[i].host_port, - options.gateway_ports); + options.gateway_ports, options.keepalives_forward); } if (i > 0 && success == 0) error("Could not request local forwarding."); Index: sshd.8 =================================================================== RCS file: /cvs/openssh_cvs/sshd.8,v retrieving revision 1.96 diff -u -d -r1.96 sshd.8 --- sshd.8 2001/08/06 21:38:11 1.96 +++ sshd.8 2001/08/28 00:41:25 @@ -514,6 +514,12 @@ To disable keepalives, the value should be set to .Dq no in both the server and the client configuration files. +.It Cm KeepAliveForward +Similar to KeepAlive, but applies to -R port forwards +.Pp +The default is +.Dq no +(to not send keepalives) .It Cm KerberosAuthentication Specifies whether Kerberos authentication is allowed. This can be in the form of a Kerberos ticket, or if From sjl at debian.lib.monash.edu.au Tue Aug 28 14:40:51 2001 
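Review bot: in the ssh.1 and sshd.8 hunks the new KeepAliveForward entries are unfinished as documentation: "Similar to KeepAlive, but applies to -L port forwards" has no terminating period, and the default is split into ".Dq no" plus a dangling "(to not send keepalives)". Suggest "Similar to KeepAlive, but applies to the connections accepted on -L (ssh.1) / -R (sshd.8) port forwards." and "The default is .Dq no (keepalives are not sent on forwarded connections)." The ssh.1 entry should also say whether DynamicForward listeners are covered, since the ssh.c hunk passes options.keepalives_forward only inside the options.local_forwards loop.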
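Review bot: the session.c hunk's rewritten call `channel_input_port_forward_request(s->pw->pw_uid == 0, options.gateway_ports, options.keepalives_forward);` and the readconf.c enum line `oCompressionLevel, oKeepAlives, oKeepAlivesForward, oNumberOfPasswordPrompts,` both run past the 80-column width the surrounding code keeps; wrap them the way the channel.h hunk wraps channel_request_local_forwarding(). The two header comments also describe different scopes, readconf.h says "Set SO_KEEPALIVE for port forwards." while servconf.h says "for -R port forwards"; make readconf.h say "-L" so the headers match the manual pages.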
From: sjl at debian.lib.monash.edu.au (Stuart Lamble) Date: Tue, 28 Aug 2001 14:40:51 +1000 (EST) Subject: OpenSSHd barfs upon reauthentication: PAM, Solaris 8 Message-ID: <200108280440.OAA02504@debian.lib.monash.edu.au> We've been having trouble with OpenSSH 2.9p2, running on Solaris 8 (a domain of an E10k), with PAM authentication turned on. It intermittently crashes with signal 11 (seg fault) after the password is entered, after the MOTD is displayed, but before control is passed over to the login shell. I eventually managed to persuade sshd's child process to consistently crash, upon entry of an invalid password (of nine characters in length initially; subsequent tests worked for a password of just five characters ["hello", for what it's worth :) ]), followed by the correct password. Investigation (using copious debug() statements) has isolated the problem down to one line of code: pam_retval = pam_setcred(__pamh, init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED); in auth-pam.c, function do_pam_setcred(). It appears that this function is being called twice: once with init set, once without (ie: once with PAM_ESTABLISH_CRED, once with PAM_REINITIALIZE_CRED). It's on the call to pam_setcred(__pamh, PAM_REINITIALIZE_CRED) that the seg fault occurs. To clarify why we're using PAM: the system in question is set up to communicate with a Kerberos server, with all authentication being done using Kerberos. It's somewhat easier to do all of that with PAM than to try to replace login, etc. There's also been the question of whether do_pam_setcred() should be called before or after the uid has been set to the user's. Changing the code to call do_pam_setcred() after the call to permanently_set_uid(), however, seems to make no difference to the crashing. Any clues would be very much appreciated. 
sshd is now at the point where it *mostly* works; it'd just be nice to get it to the point where it *completely* works, no ifs, buts, or maybes :) Otherwise, I foresee myself going bald in a very short space of time. *wry smile* Ta muchly, Stuart. From Florian.Weimer at RUS.Uni-Stuttgart.DE Tue Aug 28 22:55:42 2001 From: Florian.Weimer at RUS.Uni-Stuttgart.DE (Florian Weimer) Date: 28 Aug 2001 14:55:42 +0200 Subject: Compile-time warning in readpass.c Message-ID: The patch below fixes a compile-time warning in readpass.c. MIME-Version: 1.0 Content-Type: application/aegis-patch Subject: openssh.2 - Fix warning in readpass.c Content-Name: openssh.2.C010.patch Content-Disposition: attachment; filename=openssh.2.C010.patch X-Aegis-Project-Name: openssh.2 X-Aegis-Change-Number: 10 # # Fix the following warning in readpass.c: # # readpass.c: In function `read_passphrase': # readpass.c:120: warning: passing arg 2 of `ssh_askpass' discards # qualifiers from pointer target type # Index: openssh/readpass.c --- /usr/local/aegis/public/openssh/baseline/openssh/readpass.c Mon Aug 27 19:15:44 2001 +++ /usr/local/aegis/public/openssh/branch.2/baseline/openssh/readpass.c Tue Aug 28 11:03:52 2001 @@ -43,7 +43,7 @@ #include "ssh.h" char * -ssh_askpass(char *askpass, char *msg) +ssh_askpass(const char *askpass, const char *msg) { pid_t pid; size_t len; -- Florian Weimer Florian.Weimer at RUS.Uni-Stuttgart.DE University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898 From mouring at etoh.eviladmin.org Tue Aug 28 23:14:17 2001 
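Review bot: the hunk changes only the definition of ssh_askpass(); if the function is also declared in a header (the context line pulls in "ssh.h"), that prototype needs the same const qualifiers or the compiler will reject the conflicting types, so the header change belongs in the same patch. It is also worth checking that neither `askpass` nor `msg` is passed to a non-const parameter further down in the body, otherwise the qualifier warning just moves rather than disappears.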
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Tue, 28 Aug 2001 08:14:17 -0500 (CDT) Subject: Compile-time warning in readpass.c In-Reply-To: Message-ID: Thanks, but this has already been fixed in the -current branch. - Ben On 28 Aug 2001, Florian Weimer wrote: > The patch below fixes a compile-time warning in readpass.c. > > MIME-Version: 1.0 > Content-Type: application/aegis-patch > Subject: openssh.2 - Fix warning in readpass.c > Content-Name: openssh.2.C010.patch > Content-Disposition: attachment; filename=openssh.2.C010.patch > X-Aegis-Project-Name: openssh.2 > X-Aegis-Change-Number: 10 > > # > # Fix the following warning in readpass.c: > # > # readpass.c: In function `read_passphrase': > # readpass.c:120: warning: passing arg 2 of `ssh_askpass' discards > # qualifiers from pointer target type > # > Index: openssh/readpass.c > --- /usr/local/aegis/public/openssh/baseline/openssh/readpass.c Mon Aug 27 19:15:44 2001 > +++ /usr/local/aegis/public/openssh/branch.2/baseline/openssh/readpass.c Tue Aug 28 11:03:52 2001 > @@ -43,7 +43,7 @@ > #include "ssh.h" > > char * > -ssh_askpass(char *askpass, char *msg) > +ssh_askpass(const char *askpass, const char *msg) > { > pid_t pid; > size_t len; > > > -- > Florian Weimer Florian.Weimer at RUS.Uni-Stuttgart.DE > University of Stuttgart http://cert.uni-stuttgart.de/ > RUS-CERT +49-711-685-5973/fax +49-711-685-5898 > From m.lavy at jesus.cam.ac.uk Wed Aug 29 01:09:44 2001 
From: m.lavy at jesus.cam.ac.uk (m.lavy) Date: Tue, 28 Aug 2001 15:09:44 GMT Subject: [patch] known hosts with ports Message-ID: Hello. We are currently installing a new firewall, and would like to use a mixture of NAT and port mapping to have a single "gateway" host address which exposes a range of open ports, each of which maps to sshd of a different host in our internal network (e.g. ssh.jesus.cam.ac.uk on port 6789 maps to internal host1 port 22 whereas ssh.jesus.cam.ac.uk on port 6790 maps to internal host2 port 22). There is a problem here: client A connects on port 6789 and reaches host1 successfully; he saves the host key (which ssh client sees as the host key for ssh.jesus.cam.ac.uk) in known_hosts. He then connects on port 6790, but on connection will be warned that the host key has changed, because he will be connecting to a host that LOOKS as though it is the same as host1, even though it is not the same in reality. I don't know if this is a problem that anyone else has faced, or if attempting to solve it is a particularly good idea. However, my solution has been to patch the ssh client so that it looks up known hosts by host AND PORT. I've patched main() in ssh.c because that seemed the cleanest place to do it without making lots of code changes. Patch is attached to this mail. I'd be grateful for thoughts on whether this is a sane approach to the problem; anyone please feel free to use the patch under the BSD licence. Apologies if this is not an appropriate list for the mailing. Regards, Matthew -- Matthew M Lavy MA MPhil ARCM LTCL Technical Systems Developer Jesus College, Cambridge CB5 8BL Tel: 01223 339944 -------------- next part -------------- A non-text attachment was scrubbed... Name: ssh-client.diff Type: application/octet-stream Size: 406 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010828/88fe21ae/attachment.obj From wichert at wiggy.net Wed Aug 29 01:14:50 2001
From: wichert at wiggy.net (Wichert Akkerman) Date: Tue, 28 Aug 2001 17:14:50 +0200 Subject: [patch] known hosts with ports In-Reply-To: References: Message-ID: <20010828171450.D30759@wiggy.net> Previously m.lavy wrote: > I don't know if this is a problem that anyone else has faced, or if > attempting to solve it is a particularly good idea. It's a common problem. I avoided the problem so far by adding CNAMEs but this is definitely a better approach. Wichert. -- _________________________________________________________________ / Nothing is fool-proof to a sufficiently talented fool \ | wichert at wiggy.net http://www.liacs.nl/~wichert/ | | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D | From markus at openbsd.org Wed Aug 29 01:32:32 2001 
From: markus at openbsd.org (Markus Friedl) Date: Tue, 28 Aug 2001 17:32:32 +0200 Subject: [patch] known hosts with ports In-Reply-To: ; from m.lavy@jesus.cam.ac.uk on Tue, Aug 28, 2001 at 03:09:44PM +0000 References: Message-ID: <20010828173231.A1586@faui02.informatik.uni-erlangen.de> I'm using HostKeyAlias for this. perhaps it's useful to add this option, but HostKeyAlias and CheckHostIP should help, too. however, with HostKeyAlias you need to specify this per target host. e.g.
Host cvs.openssh.com
	Hostname localhost
	# port 2222 is forwarded to cvs.openssh.com port 22
	Port 2222
	HostKeyAlias cvs.openssh.com
On Tue, Aug 28, 2001 at 03:09:44PM +0000, m.lavy wrote: > Hello. We are currently installing a new firewall, and would like to use a > mixture of NAT and port mapping to have a single "gateway" host address > which exposes a range of open ports, each of which maps to sshd of a > different host in our internal network (e.g. ssh.jesus.cam.ac.uk on port > 6789 maps to internal host1 port 22 whereas ssh.jesus.cam.ac.uk on port 6790 > maps to internal host2 port 22). > > There is a problem here: client A connects on port 6789 and reaches host1 > successfully; he saves the host key (which ssh client sees as the host key > for ssh.jesus.cam.ac.uk) in known_hosts. He then connects on port 6790, but > on connection will be warned that the host key has changed, because he will > connecting to a host that LOOKS as though it is the same as host1, even > though it is not the same in reality. > > I don't know if this is a problem that anyone else has faced, or if > attempting to solve it is a particularly good idea. However, my solution has > been to patch the ssh client so that it looks up known hosts by host AND > PORT. I've patched main() in ssh.c because that seemed the cleanest place to > do it without making lots of code changes. Patch is attached to this mail.
> I'd be grateful for thoughts on whether this is a sane approach to the > problem; anyone please feel free to use the patch under the BSD licence. > > Apologies if this is not an appropriate list for the mailing. > > Regards, > > Matthew > > -- > Matthew M Lavy MA MPhil ARCM LTCL > Technical Systems Developer > Jesus College, Cambridge CB5 8BL > Tel: 01223 339944 > From info at ninosdepapel.org Wed Aug 29 02:58:50 2001 From: info at ninosdepapel.org (Niños de Papel) Date: Tue, 28 Aug 2001 11:58:50 -0500 Subject: Grand Re-opening of Cafe con un Proposito Message-ID: <200108281310187.SM00290@computer> ***** This is an HTML Message ! ***** -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010828/1145b40f/attachment.html From darrenm at eng.sun.com Wed Aug 29 04:45:40 2001
From: darrenm at eng.sun.com (Darren J Moffat) Date: Tue, 28 Aug 2001 11:45:40 -0700 (PDT) Subject: OpenSSHd barfs upon reauthentication: PAM, Solaris 8 In-Reply-To: <200108280440.OAA02504@debian.lib.monash.edu.au> Message-ID: On Tue, 28 Aug 2001, Stuart Lamble wrote: > To clarify why we're using PAM: the system in question is set up to > communicate with a Kerberos server, with all authentication being done > using Kerberos. It's somewhat easier to do all of that with PAM than to > try to replace login, etc. Are you using the pam_krb5 module shipped with Solaris ? Does pam_krb5 work properly for you when used with dtlogin or /bin/login (ie login at the console)? > There's also been the question of whether do_pam_setcred() should be called > before or after the uid has been set to the user's. Changing the code to > call do_pam_setcred() after the call to permanently_set_uid(), however, > seems to make no difference to the crashing. It has to be before you give up root creds, since there are assumptions in some PAM modules that they can do things only root can do (making private nfs system calls to pass creds down to the kernel for use by NFS). Does sshd work for you when you use pam_unix instead of pam_krb5 ? Are you using only pam_krb5 ? Are you doing authentication via PAM or via publickey ? (This I think could be the critical part, because I have a feeling there is an assumption in the pam_krb5 module that pam_sm_setcred is only being called after pam_sm_authenticate.) -- Darren J Moffat From sven.luehrs at aksl.de Wed Aug 29 06:12:56 2001
From: sven.luehrs at aksl.de (sven.luehrs at aksl.de) Date: Tue, 28 Aug 2001 22:12:56 +0200 Subject: SCP-Logging Message-ID: Hi, like many people in the past, I'm looking for a way to "syslog" the files people copy to and from our sshd via scp. Unfortunately SFTP/FTP-over-SSH2 are not an option. The people using the scp-access are configured for an scp-only-shell ( http://www.sublimation.org/scponly/). We use OpenSSH-2.9p1 in a chrooted-environment for content-deployment, therefore we need to log every file transfer. Searching through the mailing list I found no answer for my needs. Did I miss any feature? Regarding possible privacy-concerns, every user has to sign a service-agreement before he gets an account. The service-agreement clarifies that we log as much as we can ... so everybody knows what's going on ... Unfortunately I have no experience in programming C, but while looking around the code I had the idea to add a "syslog"-systemcall to the "source"- and "sink"-functions. Combined with some other thoughts, like the problem that logging needs to be enabled/disabled by parameter on the server-side, the fact that scp doesn't use any config files and the solution to write some kind of "shell-script-wrapper" to add some parameters to the scp-call is not that clean, I quite quickly hit the limit of my skills. It would be great if anybody had a patch for scp to integrate logging ... Can anybody help? Other suggestions? Regards Sven Lührs -- +----------+ aksl GmbH Tel. +49 69 907368 0 | a k s l | Schmidtstraße 51 Fax. +49 69 907368 77 +----------+ D-60326 Frankfurt am Main |['a:k'sel]| +----------+ http://www.aksl.de mailto:sven.luehrs at aksl.de From vader at conflict.net Wed Aug 29 10:26:24 2001
From: vader at conflict.net (Jim Breton) Date: Wed, 29 Aug 2001 00:26:24 +0000 Subject: "Strange, wait returned pid 1075805752" error in authlog Message-ID: <20010829002624259632.27502@conflict.net> Aug 28 20:34:42 vader sshd[14806]: error: Strange, wait returned pid 1075805752, expected 14884 Aug 28 20:34:42 vader sshd[14806]: Disconnecting: Command terminated on signal 4. OS is OpenBSD 2.9, i386. That error was generated when a user logged out. This is the first time I've seen this, but I notice I'm not the only one: http://www.monkey.org/openbsd/archive/misc/0106/msg00918.html Fwiw here are the syslog entries from when that user logged in: Aug 28 12:20:53 vader sshd[14806]: Accepted password for (user) from 171.78.112.20 port 1064 Aug 28 12:20:53 vader sshd[14806]: packet_set_maxsize: setting to 4096 Here is the accounting dump from the same time frame, dunno if it helps: procmail - (user) __ 0.08 secs Tue Aug 28 20:35 (0:00:00.50) bash -S (user) ttyp1 0.25 secs Tue Aug 28 12:20 (8:14:44.00) bash -F (user) ttyp1 0.02 secs Tue Aug 28 20:34 (0:00:00.09) tty - (user) ttyp1 0.02 secs Tue Aug 28 20:34 (0:00:00.05) (I wish process accounting recorded process IDs... sigh.) -- Jim B. vader at conflict.net From sjl at debian.lib.monash.edu.au Wed Aug 29 11:31:54 2001 
From: sjl at debian.lib.monash.edu.au (Stuart Lamble) Date: Wed, 29 Aug 2001 11:31:54 +1000 (EST) Subject: OpenSSHd barfs upon reauthentication: PAM, Solaris 8 In-Reply-To: from Darren J Moffat at "Aug 28, 2001 11:45:40 am" Message-ID: <200108290131.LAA19489@debian.lib.monash.edu.au> > On Tue, 28 Aug 2001, Stuart Lamble wrote: > > > To clarify why we're using PAM: the system in question is set up to > > communicate with a Kerberos server, with all authentication being done > > using Kerberos. It's somewhat easier to do all of that with PAM than to > > try to replace login, etc. > > Are you using the pam_krb5 module shipped with Solaris ? Yes. > Does pam_krb5 work properly for you when used with dtlogin or /bin/login (ie > login at the console). It seemed to; it certainly didn't die in the way that ssh did. > > There's also been the question of whether do_pam_setcred() should be called > > before or after the uid has been set to the user's. Changing the code to > > call do_pam_setcred() after the call to permanently_set_uid(), however, > > seems to make no difference to the crashing. > > It has to before you give up root creds since there are assumptions in > some PAM modules that it can do things only root can do (making private > nfs system calls to pass creds down to the kernel for use by NFS). Hrm. Then this is a bit of a problem -- if the pam stuff is called as root, the kerberos module writes out the TGT in /tmp as owned by root, rather than by the user it represents. This raises obvious problems with renewing and destroying the ticket, and probably other, rather more subtle problems too. > Does sshd work for you when you use pam_unix instead of pam_krb5 ? Yes, both normally, and in the way that normally fails with ssh (pretty sure I described it in the original email, but it's outlined below just in case.) > Are you using only pam_krb5 ? There is a fallback to unix (pam_unix.so.1 is listed as "sufficient", before the kerberos authentication). Actually... 
*clickety clickety* nope, putting kerberos authentication as "sufficient" prior to the standard pam_unix ("required") doesn't solve the problem. If anything, it makes it worse (impossible to ssh in as root). *puts everything back so that pam_unix is called first* Note that removing pam_unix from the list is not really an option, since that's how we authenticate root (although I suppose we could leave it so that we ssh in as the user, and then su to root... that's something to discuss with the other sysadmins, if necessary.) > Are you doing authentication via PAM or via publickey ? (This I think is > could be the critical part because I have a feeling there is an assumption > in the pam_krb5 module that pam_sm_setcred is only being called after > pam_sm_authenticate. Via PAM (ie: ssh in, it asks me for a password [NOT a passphrase], I give it an invalid password followed by a valid password ==> bang. I give it a valid password ==> everything works happily.) I haven't yet set up an ssh private/public keypair for myself. Again, many thanks, Stuart. From philippe at le-berre.com Wed Aug 29 14:01:26 2001 
From: philippe at le-berre.com (Philippe Le Berre) Date: Tue, 28 Aug 2001 21:01:26 -0700 Subject: OpenSSH 2.9.2p2 passwd work but not publickey on HPUX 11 Message-ID: <5.1.0.14.0.20010828183454.02fbfd98@pop.le-berre.com> Hi, I am having a hard time figuring out what I did wrong ... On HPUX 11 I have compiled OpenSSH 2.9.2p2 with gcc 2.9 (taken from hp opensource server) and zlib also downloaded from hp. As long as I do passwd authentication everything works fine (I have used --with-pam), but if I try publickey in either sshv1 or sshv2, authentication fails. I have tried a bunch of things but none worked, so all suggestions are welcome! thanks -philippe ---- sshd debug ----- debug1: Seeded RNG with 32 bytes from programs debug1: Seeded RNG with 3 bytes from system calls debug1: sshd version OpenSSH_2.9p2 debug1: private host key: #0 type 0 RSA1 debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. Generating 768 bit RSA key. RSA key generation complete. debug1: Server will not fork when running in debugging mode. Connection from 15.112.21.52 port 1789 debug1: Client protocol version 2.0; client software version MindTerm_2.0 2.0 (non-commercial) debug1: match: MindTerm_2.0 2.0 (non-commercial) pat MindTerm Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_2.9p2 debug1: Rhosts Authentication disabled, originating port not trusted.
debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: 3des-cbc debug2: kex_parse_kexinit: 3des-cbc debug2: kex_parse_kexinit: hmac-md5 debug2: kex_parse_kexinit: hmac-md5 debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: client->server 3des-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: server->client 3des-cbc hmac-md5 none debug1: dh_gen_key: priv key bits set: 179/384 debug1: bits set: 518/1024 debug1: expecting SSH2_MSG_KEXDH_INIT debug1: bits set: 493/1024 debug2: ssh_rsa_sign: done debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 
debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user rplb service ssh-connection method none debug1: attempt 0 failures 0 debug2: input_userauth_request: setting up authctxt for rplb debug1: Starting up PAM with username "rplb" debug1: PAM setting rhost to "pal3narpl01c.le-berre.com" debug2: input_userauth_request: try method none Failed none for rplb from 15.112.21.52 port 1789 ssh2 debug1: userauth-request for user rplb service ssh-connection method publickey debug1: attempt 1 failures 1 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug1: temporarily_use_uid: 102/4 (e=0) debug1: restore_uid debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss Failed publickey for rplb from 15.112.21.52 port 1789 ssh2 From koenig at tat.physik.uni-tuebingen.de Wed Aug 29 19:16:35 2001 
From: koenig at tat.physik.uni-tuebingen.de (Harald Koenig) Date: Wed, 29 Aug 2001 11:16:35 +0200 Subject: bug in scp (OpenSSH) Message-ID: <20010829111635.A31069@turtle.tat.physik.uni-tuebingen.de> Hi, using both OpenSSH_2.5.1p1 (compiled myself) and openssh-2.9p1-23.i386.rpm from ftp.suse.com 7.2_update I get the following "leak" : using `scp' I tried to copy a file from a local floppy disk to a remote system, but the disk had a read error and scp didn't get any real data from floppy: turtle koenig > scp /media/floppy/file.c harald:file.c koenig at harald's password: file.c 0% | | 0 00:01 ==> /media/floppy/file.c: Input/output error turtle koenig > ssh -V OpenSSH_2.5.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f note the "Input/output error"! unlike with normal `cp', the copied file size wasn't 0 bytes but the regular size of the original file (7988 bytes) and the remote file was filled with "binary trash". BAD: this "binary trash" contained 8 copies of the passwd entry line for my account including the encrypted password (we're using NIS) and internal phone number. I don't like to copy my (crypted) password to remote sites, do you ??? Harald -- All SCSI disks will from now on ___ _____ be required to send an email notice 0--,| /OOOOOOO\ 24 hours prior to complete hardware failure! <_/ / /OOOOOOOOOOO\ \ \/OOOOOOOOOOOOOOO\ \ OOOOOOOOOOOOOOOOO|// Harald Koenig, \/\/\/\/\/\/\/\/\/ Inst.f.Theoret.Astrophysik // / \\ \ koenig at tat.physik.uni-tuebingen.de ^^^^^ ^^^^^ From markus at openbsd.org Thu Aug 30 06:23:42 2001
From: markus at openbsd.org (Markus Friedl) Date: Wed, 29 Aug 2001 22:23:42 +0200 Subject: bug in scp (OpenSSH) In-Reply-To: <20010829111635.A31069@turtle.tat.physik.uni-tuebingen.de>; from koenig@tat.physik.uni-tuebingen.de on Wed, Aug 29, 2001 at 11:16:35AM +0200 References: <20010829111635.A31069@turtle.tat.physik.uni-tuebingen.de> Message-ID: <20010829222342.A22269@folly> can you please try this: Index: scp.c =================================================================== RCS file: /home/markus/cvs/ssh/scp.c,v retrieving revision 1.79 diff -U10 -r1.79 scp.c --- scp.c 2001/08/06 19:47:05 1.79 +++ scp.c 2001/08/29 20:13:09 
@@ -1004,20 +1004,21 @@ size = blksize; else size = blksize + (stb.st_blksize - blksize % stb.st_blksize) % stb.st_blksize; if (bp->cnt >= size) return (bp); if (bp->buf == NULL) bp->buf = xmalloc(size); else bp->buf = xrealloc(bp->buf, size); + memset(bp->buf, 0, size); bp->cnt = size; return (bp); } void lostconn(signo) int signo; { if (!iamremote) write(STDERR_FILENO, "lost connection\n", 16); On Wed, Aug 29, 2001 at 11:16:35AM +0200, Harald Koenig wrote: > Hi, > > using both OpenSSH_2.5.1p1 (compiled myself) and openssh-2.9p1-23.i386.rpm > from ftp.suse.com 7.2_update I get the following "leak" : > > > using `scp' I tried to copy a file from a local floppy disk to a > remote system, but the disk had an read error and scp didn't get > any real data from floppy: > > turtle koenig > scp /media/floppy/file.c > harald:file.c > koenig at harald's password: > file.c 0% | | 0 00:01 > ==> /media/floppy/file.c: Input/output error > turtle koenig > ssh -V > OpenSSH_2.5.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f > > note the "Input/output error"! > > unlike with normal `cp', the copied file size wasn't 0 bytes but the regular > size of the original file (7988 bytes) and the remote file was filled > with "binary trash". > > BAD: this "binary trash" contained 8 copies of the passwd entry line for my > account including the encrypted password (we're using NIS) and > internal phone number. > > I don't like to copy my (crypted) password to remote sites, do you ??? > > > > Harald > -- > All SCSI disks will from now on ___ _____ > be required to send an email notice 0--,| /OOOOOOO\ > 24 hours prior to complete hardware failure! <_/ / /OOOOOOOOOOO\ > \ \/OOOOOOOOOOOOOOO\ > \ OOOOOOOOOOOOOOOOO|// > Harald Koenig, \/\/\/\/\/\/\/\/\/ > Inst.f.Theoret.Astrophysik // / \\ \ > koenig at tat.physik.uni-tuebingen.de ^^^^^ ^^^^^ From sjl at debian.lib.monash.edu.au Thu Aug 30 14:57:19 2001 
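Review bot: the memset() added to allocbuf() only runs when the buffer is (re)allocated; the `if (bp->cnt >= size) return (bp);` two lines above hands back an existing buffer untouched, so when the buffer is reused for a later file in the same run the bytes sent after a read error are still stale, now the previous file's last block instead of freed heap. Zeroing the unread part of the block at the point in source() where the read fails would cover both cases; the read error also still has to be reported, since the report above shows the sink keeps a full-size file whatever the buffer contained.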
From: sjl at debian.lib.monash.edu.au (Stuart Lamble) Date: Thu, 30 Aug 2001 14:57:19 +1000 (EST) Subject: OpenSSHd barfs upon reauthentication: PAM, Solaris 8 In-Reply-To: <200108290131.LAA19489@debian.lib.monash.edu.au> from Stuart Lamble at "Aug 29, 2001 11:31:54 am" Message-ID: <200108300457.OAA26294@debian.lib.monash.edu.au> Yesterday, I wrote: > Via PAM (ie: ssh in, it asks me for a password [NOT a passphrase], I give > it an invalid password followed by a valid password ==> bang. I give it > a valid password ==> everything works happily.) I haven't yet set up an > ssh private/public keypair for myself. Well, that was right yesterday. Today, it has decided to barf if I give it a valid password up front, and not if I give it an invalid one followed by a valid one. To add insult to injury, the other sysadmin (who has looked at the problem previously) said, basically, "I had the same problem some time ago. Came to the conclusion I must be an idiot." Two idiots in one building, working on the same problem. Hmm. I give up. Time to start a new career, I think... mowing lawns sounds like it could be fun... Anybody want to buy a slightly used E10k? :P From carl at bl.echidna.id.au Thu Aug 30 16:03:57 2001 From: carl at bl.echidna.id.au (carl at bl.echidna.id.au) Date: Thu, 30 Aug 2001 16:03:57 +1000 (EST) Subject: linux ssh never shuts down fix release? Message-ID: <200108300603.f7U63v5q020626@rollcage.bl.echidna.id.au> A while ago I saw some stuff about fixes for the problem with ssh2 and linux (which the FAQ on www.openssh.com is still mentioning but not offering any real solutions for). Is there any news on when/if these fixes will find their way into a release? OpenSSH 2.9p3 perhaps? :) Carl From vinschen at redhat.com Thu Aug 30 18:43:48 2001 
From: vinschen at redhat.com (Corinna Vinschen) Date: Thu, 30 Aug 2001 10:43:48 +0200 Subject: [PATCH]: Drop Cygwin workaround Message-ID: <20010830104348.F8703@cygbert.vinschen.de> Hi, the Cygwin specific workaround to sleep a second in daemon() isn't needed anymore. We can eliminate it from the OpenSSH sources. Index: daemon.c =================================================================== RCS file: /cvs/openssh_cvs/openbsd-compat/daemon.c,v retrieving revision 1.1 diff -u -p -r1.1 daemon.c --- daemon.c 2001/01/31 21:52:03 1.1 +++ daemon.c 2001/08/30 08:41:39 @@ -51,13 +51,6 @@ daemon(nochdir, noclose) case 0: break; default: -#ifdef HAVE_CYGWIN - /* - * This sleep avoids a race condition which kills the - * child process if parent is started by a NT/W2K service. - */ - sleep(1); -#endif _exit(0); } Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From markus at openbsd.org Thu Aug 30 19:42:23 2001 From: markus at openbsd.org (Markus Friedl) Date: Thu, 30 Aug 2001 11:42:23 +0200 Subject: linux ssh never shuts down fix release? In-Reply-To: <200108300603.f7U63v5q020626@rollcage.bl.echidna.id.au>; from carl@bl.echidna.id.au on Thu, Aug 30, 2001 at 04:03:57PM +1000 References: <200108300603.f7U63v5q020626@rollcage.bl.echidna.id.au> Message-ID: <20010830114223.A2274@folly> On Thu, Aug 30, 2001 at 04:03:57PM +1000, carl at bl.echidna.id.au wrote: > A while ago I saw some stuff about fixes for the problem with > ssh2 and linux (which the FAQ on www.openssh.com is still > mentioning but not offering any real solutions for). Is there > any news on when/if these fixes will find their way into a > release? OpenSSH 2.9p3 perhaps? :) what exactly are you referring to? does ssh hang if you do this: $ sleep 10 < /dev/null & ? From koenig at tat.physik.uni-tuebingen.de Thu Aug 30 20:29:50 2001 
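Review bot: the message says the sleep "isn't needed anymore" but not what changed; the comment being deleted documents a real race (the child is killed when a parent started by an NT/W2K service exits), so please state in the commit message, or in a short comment left at the `default:` branch, which Cygwin release fixed it. Without that, anyone building against an older Cygwin DLL silently gets the race back and has no pointer to why. If older Cygwin versions are still supported, a version check around the `sleep(1)` would be safer than dropping it outright.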
From: koenig at tat.physik.uni-tuebingen.de (Harald Koenig) Date: Thu, 30 Aug 2001 12:29:50 +0200 Subject: bug in scp (OpenSSH) In-Reply-To: <20010829222342.A22269@folly>; from markus@openbsd.org on Wed, Aug 29, 2001 at 10:23:42PM +0200 References: <20010829111635.A31069@turtle.tat.physik.uni-tuebingen.de> <20010829222342.A22269@folly> Message-ID: <20010830122950.B2891@turtle.tat.physik.uni-tuebingen.de> On Aug 29, Markus Friedl wrote: > can you please try this: well, this "fixes" (works around) the passwd leakage, but nothing more. it still copies the file with wrong "contents" (all zeros now) and still doesn't handle the I/O error correctly (which IMHO means it should stop writing/copying like cp(1) and most other tools do). > Index: scp.c > =================================================================== > RCS file: /home/markus/cvs/ssh/scp.c,v > retrieving revision 1.79 > diff -U10 -r1.79 scp.c > --- scp.c 2001/08/06 19:47:05 1.79 > +++ scp.c 2001/08/29 20:13:09 > @@ -1004,20 +1004,21 @@ > size = blksize; > else > size = blksize + (stb.st_blksize - blksize % stb.st_blksize) % > stb.st_blksize; > if (bp->cnt >= size) > return (bp); > if (bp->buf == NULL) > bp->buf = xmalloc(size); > else > bp->buf = xrealloc(bp->buf, size); > + memset(bp->buf, 0, size); > bp->cnt = size; > return (bp); > } > > void > lostconn(signo) > int signo; > { > if (!iamremote) > write(STDERR_FILENO, "lost connection\n", 16); > Harald -- All SCSI disks will from now on ___ _____ be required to send an email notice 0--,| /OOOOOOO\ 24 hours prior to complete hardware failure! <_/ / /OOOOOOOOOOO\ \ \/OOOOOOOOOOOOOOO\ \ OOOOOOOOOOOOOOOOO|// Harald Koenig, \/\/\/\/\/\/\/\/\/ Inst.f.Theoret.Astrophysik // / \\ \ koenig at tat.physik.uni-tuebingen.de ^^^^^ ^^^^^ From markus at openbsd.org Thu Aug 30 21:15:19 2001 
From: markus at openbsd.org (Markus Friedl) Date: Thu, 30 Aug 2001 13:15:19 +0200 Subject: bug in scp (OpenSSH) In-Reply-To: <20010830122950.B2891@turtle.tat.physik.uni-tuebingen.de>; from koenig@tat.physik.uni-tuebingen.de on Thu, Aug 30, 2001 at 12:29:50PM +0200 References: <20010829111635.A31069@turtle.tat.physik.uni-tuebingen.de> <20010829222342.A22269@folly> <20010830122950.B2891@turtle.tat.physik.uni-tuebingen.de> Message-ID: <20010830131519.A13380@faui02.informatik.uni-erlangen.de> On Thu, Aug 30, 2001 at 12:29:50PM +0200, Harald Koenig wrote: > On Aug 29, Markus Friedl wrote: > > > can you please try this: > > well, this "fixes" (works around) the passwd leakage, but nothing more. > > it still copies the file with wrong "contents" (all zeros now) and still > doesn't handle the I/O error correctly (which IMHO means it should > stop writing/copying like cp(1) and most other tools do). this is the way rcp protocol works. > > Index: scp.c > > =================================================================== > > RCS file: /home/markus/cvs/ssh/scp.c,v > > retrieving revision 1.79 > > diff -U10 -r1.79 scp.c > > --- scp.c 2001/08/06 19:47:05 1.79 > > +++ scp.c 2001/08/29 20:13:09 
> > @@ -1004,20 +1004,21 @@ > > size = blksize; > > else > > size = blksize + (stb.st_blksize - blksize % stb.st_blksize) % > > stb.st_blksize; > > if (bp->cnt >= size) > > return (bp); > > if (bp->buf == NULL) > > bp->buf = xmalloc(size); > > else > > bp->buf = xrealloc(bp->buf, size); > > + memset(bp->buf, 0, size); > > bp->cnt = size; > > return (bp); > > } > > > > void > > lostconn(signo) > > int signo; > > { > > if (!iamremote) > > write(STDERR_FILENO, "lost connection\n", 16); > > > > > Harald > -- > All SCSI disks will from now on ___ _____ > be required to send an email notice 0--,| /OOOOOOO\ > 24 hours prior to complete hardware failure! <_/ / /OOOOOOOOOOO\ > \ \/OOOOOOOOOOOOOOO\ > \ OOOOOOOOOOOOOOOOO|// > Harald Koenig, \/\/\/\/\/\/\/\/\/ > Inst.f.Theoret.Astrophysik // / \\ \ > koenig at tat.physik.uni-tuebingen.de ^^^^^ ^^^^^ From carl at bl.echidna.id.au Thu Aug 30 21:32:46 2001 From: carl at bl.echidna.id.au (carl at bl.echidna.id.au) Date: Thu, 30 Aug 2001 21:32:46 +1000 (EST) Subject: linux ssh never shuts down fix release? Message-ID: <200108301132.f7UBWkGc021771@rollcage.bl.echidna.id.au> 
> From: Markus Friedl > > On Thu, Aug 30, 2001 at 04:03:57PM +1000, carl at bl.echidna.id.au wrote: > > A while ago I saw some stuff about fixes for the problem with > > ssh2 and linux (which the FAQ on www.openssh.com is still > > mentioning but not offering any real solutions for). Is there > > any news on when/if these fixes will find their way into a > > release? OpenSSH 2.9p3 perhaps? :) > > what exactly are you referring to? > > does ssh hang if you do this: > > $ sleep 10 < /dev/null & Probably, but it doesn't like it when I ssh in and start a daemon, and then try to log out. It doesn't drop the session. It's a known bug, there's fixes for it in the current snapshots, I believe. I'm wondering if there's a formal release planned anytime soon, or if I should make up my own rpm for the current one. Which I'd rather not do, linux not really being my platform of most expertise, but rather one that I'm having to support, rather than wanting to :) Carl From markus at openbsd.org Thu Aug 30 21:37:39 2001 From: markus at openbsd.org (Markus Friedl) Date: Thu, 30 Aug 2001 13:37:39 +0200 Subject: linux ssh never shuts down fix release? In-Reply-To: <200108301132.f7UBWkGc021771@rollcage.bl.echidna.id.au>; from carl@bl.echidna.id.au on Thu, Aug 30, 2001 at 09:32:46PM +1000 References: <200108301132.f7UBWkGc021771@rollcage.bl.echidna.id.au> Message-ID: <20010830133739.A18640@faui02.informatik.uni-erlangen.de> On Thu, Aug 30, 2001 at 09:32:46PM +1000, carl at bl.echidna.id.au wrote: 
> > From: Markus Friedl > > > > On Thu, Aug 30, 2001 at 04:03:57PM +1000, carl at bl.echidna.id.au wrote: > > > A while ago I saw some stuff about fixes for the problem with > > > ssh2 and linux (which the FAQ on www.openssh.com is still > > > mentioning but not offering any real solutions for). Is there > > > any news on when/if these fixes will find their way into a > > > release? OpenSSH 2.9p3 perhaps? :) > > > > what exactly are you referring to? > > > > does ssh hang if you do this: > > > > $ sleep 10 < /dev/null & > > Probably, but it doesn't like it when I ssh in and start a > daemon, and then try to log out. It doesn't drop the > session. It's a known bug, there's fixes for it in the > current snapshots, I believe. a fix for _what_ bug? can you show some debug output for the bug? > I'm wondering if there's a > formal release planned anytime soon, or if I should > make up my own rpm for the current one. Which I'd > rather not do, linux not really being my platform of > most expertise, but rather one that I'm having to > support, rather than wanting to :) > > Carl > From carl at bl.echidna.id.au Thu Aug 30 21:43:53 2001 From: carl at bl.echidna.id.au (carl at bl.echidna.id.au) Date: Thu, 30 Aug 2001 21:43:53 +1000 (EST) Subject: linux ssh never shuts down fix release? Message-ID: <200108301143.f7UBhrpt021850@rollcage.bl.echidna.id.au> 
> From: Markus Friedl > > > > > > On Thu, Aug 30, 2001 at 04:03:57PM +1000, carl at bl.echidna.id.au wrote: > > > > A while ago I saw some stuff about fixes for the problem with > > > > ssh2 and linux (which the FAQ on www.openssh.com is still > > > > mentioning but not offering any real solutions for). Is there > > > > any news on when/if these fixes will find their way into a > > > > release? OpenSSH 2.9p3 perhaps? :) > > > > > > what exactly are you referring to? > > > > > > does ssh hang if you do this: > > > > > > $ sleep 10 < /dev/null & > > > > Probably, but it doesn't like it when I ssh in and start a > > daemon, and then try to log out. It doesn't drop the > > session. It's a known bug, there's fixes for it in the > > current snapshots, I believe. > > a fix for _what_ bug? I can't remember the bloke's name who wrote some patches, but AFAIK, it's basically the same bug as the one triggered by the sleep 10 & stunt. If I OpenSSH v2 to our RH loonucks boxes, and start a daemon process (in this case, SNPd, but that's not relevant), I can then not disconnect. ssh just hangs after I attempt to log out. As above, it's a known problem, I believe it's fixed in -current, but I haven't had time to play with it yet to see if it is or not. > can you show some debug output for the bug? Not right now, but I can tomorrow. It doesn't really matter, the gist of my question is "are you planning a patch release anytime soon?". If you're not, I'll go to the trouble to try and test the current snapshot, if you are, I'll wait and try it then, as that'll be easier for me :) From markus at openbsd.org Thu Aug 30 21:47:11 2001 
From: markus at openbsd.org (Markus Friedl) Date: Thu, 30 Aug 2001 13:47:11 +0200 Subject: linux ssh never shuts down fix release? In-Reply-To: <200108301143.f7UBhrpt021850@rollcage.bl.echidna.id.au>; from carl@bl.echidna.id.au on Thu, Aug 30, 2001 at 09:43:53PM +1000 References: <200108301143.f7UBhrpt021850@rollcage.bl.echidna.id.au> Message-ID: <20010830134711.B18640@faui02.informatik.uni-erlangen.de> On Thu, Aug 30, 2001 at 09:43:53PM +1000, carl at bl.echidna.id.au wrote: 
> > > From: Markus Friedl > > > > > > > > On Thu, Aug 30, 2001 at 04:03:57PM +1000, carl at bl.echidna.id.au wrote: > > > > > A while ago I saw some stuff about fixes for the problem with > > > > > ssh2 and linux (which the FAQ on www.openssh.com is still > > > > > mentioning but not offering any real solutions for). Is there > > > > > any news on when/if these fixes will find their way into a > > > > > release? OpenSSH 2.9p3 perhaps? :) > > > > > > > > what exactly are you referring to? > > > > > > > > does ssh hang if you do this: > > > > > > > > $ sleep 10 < /dev/null & > > > > > > Probably, but it doesn't like it when I ssh in and start a > > > daemon, and then try to log out. It doesn't drop the > > > session. It's a known bug, there's fixes for it in the > > > current snapshots, I believe. > > > > a fix for _what_ bug? > > I can't remember the bloke's name who wrote some patches, but AFAIK, > it's basically the same bug as the one triggered by the sleep 10 & stunt. > > If I OpenSSH v2 to our RH loonucks boxes, and start a daemon > process (in this case, SNPd, but that's not relevant), I can > then not disconnect. ssh just hangs after I > attempt to log out. As above, it's a known problem, I believe it's > fixed in -current, but I haven't had time to play with it yet to > see if it is or not. i don't think it's a bug, and it's not fixed in current. you cannot start the daemon with stdin/out/err redirected? $ daemon > /dev/null 2>&1 ? > > can you show some debug output for the bug? > > Not right now, but I can tomorrow. It doesn't really matter, the > gist of my question is "are you planning a patch release anytime > soon?". If you're not, I'll go to the trouble to try and test > the current snapshot, if you are, I'll wait and try it then, as > that'll be easier for me :) > From pekkas at netcore.fi Thu Aug 30 21:54:18 2001 
From: pekkas at netcore.fi (Pekka Savola) Date: Thu, 30 Aug 2001 14:54:18 +0300 (EEST) Subject: linux ssh never shuts down fix release? In-Reply-To: <200108301143.f7UBhrpt021850@rollcage.bl.echidna.id.au> Message-ID: On Thu, 30 Aug 2001 carl at bl.echidna.id.au wrote: > If I OpenSSH v2 to our RH loonucks boxes, and start a daemon > process (in this case, SNPd, but that's not relevant), I can > then not disconnect. ssh just hangs after I > attempt to log out. As above, it's a known problem, I believe it's > fixed in -current, but I haven't had time to play with it yet to > see if it is or not. Do you run SNPd with like 'SNPd &' or does it fork? I had this same problem with forking 'radvd'. It turned out that it didn't give up /dev/std{in,out,err} when forking (ouch!), and ssh sessions would not terminate. Bugfixed the daemon, and all was well :-) -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From marek at bmlv.gv.at Thu Aug 30 22:18:30 2001 
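An added example for the two messages above (Markus's "start the daemon with stdin/out/err redirected" and Pekka's radvd finding); it is not code from either post and not OpenSSH code. It shows what a forking daemon has to do so that the ssh session that launched it can end: point descriptors 0, 1 and 2 at /dev/null and leave the session. While a background process keeps the session's descriptors open, sshd never sees end-of-file on the channel, which is the "ssh never shuts down" symptom. The names `detach_stdio`, `stdio_is_detached`, `daemonize` and `detach_in_child` are my own.

```c
/* Added example (not from the thread, not OpenSSH code): how a daemon gives
 * up the stdin/stdout/stderr it inherited from an ssh session.  If it keeps
 * them, the session channel cannot close and the ssh client hangs on logout. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Point descriptors 0, 1 and 2 at /dev/null.  Returns 0 on success, -1 on error. */
int detach_stdio(void)
{
    int fd = open("/dev/null", O_RDWR);
    if (fd == -1)
        return -1;
    if (dup2(fd, STDIN_FILENO) == -1 ||
        dup2(fd, STDOUT_FILENO) == -1 ||
        dup2(fd, STDERR_FILENO) == -1) {
        close(fd);
        return -1;
    }
    if (fd > STDERR_FILENO)   /* keep 0..2; drop the extra descriptor */
        close(fd);
    return 0;
}

/* Returns 1 if descriptors 0..2 all refer to the /dev/null device node,
 * 0 if any of them still points somewhere else (e.g. the session's pty). */
int stdio_is_detached(void)
{
    struct stat null_st, fd_st;
    int i;
    if (stat("/dev/null", &null_st) == -1)
        return 0;
    for (i = 0; i <= 2; i++) {
        if (fstat(i, &fd_st) == -1)
            return 0;
        if (fd_st.st_dev != null_st.st_dev || fd_st.st_ino != null_st.st_ino)
            return 0;
    }
    return 1;
}

/* The classic detach a daemon should perform itself (so the user does not
 * have to remember "> /dev/null 2>&1"): fork so the shell gets its prompt
 * back, setsid() to leave the session and controlling terminal, then
 * detach stdio.  Only the child returns; the parent exits.  (Many daemons
 * fork a second time after setsid() so the survivor can never reacquire a
 * controlling terminal; omitted here for brevity.) */
int daemonize(void)
{
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid > 0)
        _exit(0);
    if (setsid() == -1)
        return -1;
    return detach_stdio();
}

/* Self-check that leaves the caller's own descriptors alone: fork a child,
 * let it do the detach, and report through its exit status whether all of
 * 0..2 ended up on /dev/null.  Returns 1 on a clean detach, 0 otherwise. */
int detach_in_child(void)
{
    int status;
    pid_t pid = fork();
    if (pid == -1)
        return 0;
    if (pid == 0) {
        if (setsid() == -1 || detach_stdio() == -1)
            _exit(2);
        _exit(stdio_is_detached() ? 0 : 1);
    }
    if (waitpid(pid, &status, 0) == -1)
        return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("child detached cleanly: %s\n", detach_in_child() ? "yes" : "no");
    return 0;
}
```

The same check (`stdio_is_detached`) is a useful thing to run inside a misbehaving daemon right after its own fork: if it returns 0, the daemon is the reason the ssh session will not close, not sshd.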
From: marek at bmlv.gv.at (Ph. Marek) Date: Thu, 30 Aug 2001 14:18:30 +0200 Subject: Q: patch for logging rsa-fingerprint on login/logout? Message-ID: <3.0.6.32.20010830141830.00926a80@pop3.bmlv.gv.at> Hello everybody! I'm currently looking for a patch to openssh which allows logging of the fingerprint on rsa2-based authentification. I've had a look at the FAQ, and a view at the source. As I couldn't find a patch for my wish, I'm telling what I thought. Suggestions welcome (a patch moreso :-) I've started to modify login_write() which seems the best point for this. BUT: how can I get the fingerprint cleanly into that? I think the cleanest version would be to add two fields to login_info: - authenticate-type (rsa, rhosts, rh-rsa, dsa, password, ...) - authenticate-info (fingerprint of key) But that means some work, as I have to change every authenticate-function to fill in these fields. Is there any architectural better solution for that? Or maybe there are volunteers? (at least for part of the work ;-) Regards, Phil From Nicolas.Williams at ubsw.com Fri Aug 31 00:15:56 2001 
From: Nicolas.Williams at ubsw.com (Nicolas Williams) Date: Thu, 30 Aug 2001 10:15:56 -0400 Subject: OpenSSHd barfs upon reauthentication: PAM, Solaris 8 In-Reply-To: <200108300457.OAA26294@debian.lib.monash.edu.au>; from sjl@debian.lib.monash.edu.au on Thu, Aug 30, 2001 at 02:57:19PM +1000 References: <200108290131.LAA19489@debian.lib.monash.edu.au> <200108300457.OAA26294@debian.lib.monash.edu.au> Message-ID: <20010830101555.N5739@sm2p1386swk.wdr.com> Try a different PAM_KRB5. There's several versions lying around. Nico On Thu, Aug 30, 2001 at 02:57:19PM +1000, Stuart Lamble wrote: > Yesterday, I wrote: > > Via PAM (ie: ssh in, it asks me for a password [NOT a passphrase], I give > > it an invalid password followed by a valid password ==> bang. I give it > > a valid password ==> everything works happily.) I haven't yet set up an > > ssh private/public keypair for myself. > > Well, that was right yesterday. Today, it has decided to barf if I give it > a valid password up front, and not if I give it an invalid one followed by > a valid one. > > To add insult to injury, the other sysadmin (who has looked at the problem > previously) said, basically, "I had the same problem some time ago. Came > to the conclusion I must be an idiot." Two idiots in one building, working > on the same problem. Hmm. > > I give up. Time to start a new career, I think... mowing lawns sounds like > it could be fun... > > Anybody want to buy a slightly used E10k? :P -- -DISCLAIMER: an automatically appended disclaimer may follow. By posting- -to a public e-mail mailing list I hereby grant permission to distribute- -and copy this message.-
From gert at greenie.muc.de Fri Aug 31 00:55:35 2001 From: gert at greenie.muc.de (Gert Doering) Date: Thu, 30 Aug 2001 16:55:35 +0200 Subject: Force S/Key for all but known hosts? Message-ID: <20010830165535.A2622@greenie.muc.de> Hi, I'm not sure if what I'm thinking of is doable with current OpenSSH's, and if yes, how. I want to force our users to use S/Key-Authentication, but only if they do not come from "known hosts". "known hosts" could be hosts that are listed via IP address ("network 192.168.0.0/24") or hosts that are listed in ssh_known_hosts - this doesn't really matter, the important thing is: - known hosts -> password authentication is OK - unknown hosts -> only S/Key authentication is permitted is that possible? gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From edgpua at yahoo.com Fri Aug 31 17:48:19 2001 
From: edgpua at yahoo.com (edwin pua) Date: Fri, 31 Aug 2001 00:48:19 -0700 (PDT) Subject: ssh_identification error In-Reply-To: Message-ID: <20010831074819.55234.qmail@web11008.mail.yahoo.com> hi, i have an old linux box using RedHat5.0 and still running some programs, that's why i couldn't upgrade it easily, but i want to install the "openssh" on this server. will this new version "openssh2.9" run properly on my RedHat5.0? thanx for the assistance. edwin From edgpua at yahoo.com Fri Aug 31 18:00:10 2001 From: edgpua at yahoo.com (edwin pua) Date: Fri, 31 Aug 2001 01:00:10 -0700 (PDT) Subject: No subject Message-ID: <20010831080010.26075.qmail@web11004.mail.yahoo.com> hi, i have an old linux box using RedHat5.0 and still running some programs, that's why i couldn't upgrade it easily, but i want to install the "openssh" on this server. will this new version "openssh2.9" run properly on my RedHat5.0? thanx for the assistance. edwin From draht at suse.de Fri Aug 31 20:20:23 2001 From: draht at suse.de (Roman Drahtmueller) Date: Fri, 31 Aug 2001 12:20:23 +0200 (MEST) Subject: bug in scp (OpenSSH) In-Reply-To: <20010830131519.A13380@faui02.informatik.uni-erlangen.de> Message-ID: 
> From: Markus Friedl [...] > > > can you please try this: > > > > well, this "fixes" (works around) the passwd leakage, but nothing more. > > > > it still copies the file with wrong "contents" (all zeros now) and still > > doesn't handle the I/O error correctly (which IMHO means it should > > stop writing/copying like cp(1) and most other tools do). > > this is the way rcp protocol works. Are you serious that you want to keep a bug because "this is how the rcp protocol works"? It is clearly flawed. Is it necessary to make full quotes for a single sentence? Roman. -- - - | Roman Drahtmüller // "Caution: Cape does | SuSE GmbH - Security Phone: // not enable user to fly." | Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) | - - From markus at openbsd.org Fri Aug 31 21:18:46 2001 From: markus at openbsd.org (Markus Friedl) Date: Fri, 31 Aug 2001 13:18:46 +0200 Subject: bug in scp (OpenSSH) In-Reply-To: ; from draht@suse.de on Fri, Aug 31, 2001 at 12:20:23PM +0200 References: <20010830131519.A13380@faui02.informatik.uni-erlangen.de> Message-ID: <20010831131846.A1399@folly> On Fri, Aug 31, 2001 at 12:20:23PM +0200, Roman Drahtmueller wrote: > Are you serious that you want to keep a bug because "this is how the rcp > protocol works"? It is clearly flawed. should we really change the semantics of a 17 year old protocol, if you can use sftp, rsync or tar instead? however, you can try to modify sink() to truncate the ofd if response() returns an error. so the data will be sent but discarded. i'm not sure whether i like the idea. it might break other things. > Is it necessary to make full quotes for a single sentence? depends. -m Index: scp.c =================================================================== RCS file: /home/markus/cvs/ssh/scp.c,v retrieving revision 1.81 diff -u -r1.81 scp.c --- scp.c 2001/08/29 20:44:03 1.81 +++ scp.c 2001/08/31 11:17:53 
@@ -853,11 +853,15 @@ run_err("%s: set mode: %s", np, strerror(errno)); } + if (response() < 0) { + ftruncate(ofd, 0); + wrerr = YES; + wrerrno = EIO; + } if (close(ofd) == -1) { wrerr = YES; wrerrno = errno; } - (void) response(); if (setimes && wrerr == NO) { setimes = 0; if (utimes(np, tv) < 0) { From jason at shalott.net Fri Aug 31 22:13:51 2001 
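Review bot: the return value of `ftruncate(ofd, 0)` in the new block is discarded; if the truncation fails, the received garbage stays in the file while the user is told EIO with no hint that the local cleanup also failed. Check it and set `wrerrno = errno` in that case. Two smaller points in the same block: `wrerrno = EIO` is a fixed code that need not match the error the remote side just reported through response(), so the message shown may not name the real cause; and a short comment explaining that the sender still transmits the full byte count (rcp protocol) and that this is where the data is thrown away would save the next reader from re-deriving why the file is truncated after it was written in full. Moving the `response()` call ahead of `close(ofd)` is the right order for the truncation, and the close error path below correctly still overrides wrerrno.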
From: jason at shalott.net (Jason Stone) Date: Fri, 31 Aug 2001 05:13:51 -0700 (PDT) Subject: bug in scp (OpenSSH) In-Reply-To: <20010831131846.A1399@folly> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > > Are you serious that you want to keep a bug because "this is how the rcp > > protocol works"? It is clearly flawed. > > should we really change the semantics of a 17 year old protocol, if > you can use sftp, rsync or tar instead? This has come up many times before, and the consensus of the developers seems to be that they're not interested in fixing or adding features to scp because they want to make scp just the secure version of rcp, and it's not up to them to change rcp. They tell you that the features you're looking for can be gotten from sftp or rsync. This of course begs the question of why bother with scp at all. Anyway, you really want to be using rsync rather than scp most of the time anyway. While somewhat heavier, rsync has lots more features, most notably, it defaults to atomic transfers (ie, during the transfer, the file will never exist in a partial or corrupted state) which are important in many applications. I've been encouraging all my users to alias scp to "rsync -e ssh" - the commandline syntax is close enough in most cases that users don't notice any difference. -Jason ----------------------------------------------------------------------- I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" -- Mike Godwin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE7j3+DswXMWWtptckRAmG6AKDDEXtwwMLMvZum1R6s5jo60LxOkACeKqOK 4VVvxd5+UjuB2PX+RbUWGmc= =9Xwn -----END PGP SIGNATURE----- From jones at tacc.utexas.edu Fri Aug 31 23:23:37 2001 
From: jones at tacc.utexas.edu (William L. Jones) Date: Fri, 31 Aug 2001 08:23:37 -0500 Subject: Is this a bug in atomicio.c Message-ID: It looks to me like atomicio can return 0, EOF, after it has read some data. Shouldn't it just return the data already read? Bill Jones
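An added example for Bill's question (my own code, not OpenSSH's atomicio.c): a small model of the behaviour he describes, a loop that returns the callback's 0 when end-of-file arrives even though earlier iterations already moved some bytes, next to a variant that returns the partial count instead. A constructed pipe holding 5 bytes and a 10-byte request show the difference: the first reports 0 and the caller cannot tell a short read from an empty one, the second reports 5. The names `atomicio_legacy`, `atomicio_partial` and `read_short_pipe` are mine.

```c
/* Added example (not OpenSSH code): end-of-file after a partial read in an
 * atomicio-style loop, and a variant that reports the bytes already moved. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* read(2)/write(2)-shaped callback, as atomicio takes. */
typedef ssize_t (*io_fn)(int fd, void *buf, size_t n);

/* Shared loop.  report_partial selects what happens when f returns 0
 * (EOF for read): 0 = return 0 regardless of pos (the behaviour asked
 * about above); 1 = return pos, so the caller sees how much arrived. */
static ssize_t io_loop(io_fn f, int fd, void *buf, size_t n, int report_partial)
{
    char *s = buf;
    size_t pos = 0;
    ssize_t res;

    while (pos < n) {
        res = f(fd, s + pos, n - pos);
        if (res == -1) {
            if (errno == EINTR)          /* interrupted: retry the same chunk */
                continue;
            return -1;                   /* real error: errno is set */
        }
        if (res == 0)                    /* EOF (read) or nothing accepted */
            return report_partial ? (ssize_t)pos : 0;
        pos += (size_t)res;
    }
    return (ssize_t)pos;                 /* full request satisfied */
}

/* Model of the loop described in the question: EOF wins over bytes read. */
ssize_t atomicio_legacy(io_fn f, int fd, void *buf, size_t n)
{
    return io_loop(f, fd, buf, n, 0);
}

/* Variant that returns the partial count; 0 only when nothing was read.
 * A caller wanting exactly n bytes compares the result with n. */
ssize_t atomicio_partial(io_fn f, int fd, void *buf, size_t n)
{
    return io_loop(f, fd, buf, n, 1);
}

/* Constructed scenario: a pipe with 5 bytes whose writer has closed, read
 * with a 10-byte request.  Returns what the chosen variant reports. */
ssize_t read_short_pipe(int use_partial)
{
    int p[2];
    char buf[10];
    ssize_t r;

    if (pipe(p) == -1)
        return -1;
    if (write(p[1], "hello", 5) != 5) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    close(p[1]);                         /* EOF after the 5 bytes */
    r = (use_partial ? atomicio_partial : atomicio_legacy)(read, p[0], buf, sizeof buf);
    close(p[0]);
    return r;
}

int main(void)
{
    printf("legacy loop reports %ld, partial-count loop reports %ld\n",
           (long)read_short_pipe(0), (long)read_short_pipe(1));
    return 0;
}
```

Whichever convention a project settles on, callers must check the result against the requested length rather than against 0; with the legacy convention a short read is indistinguishable from an empty one, and with the partial convention a non-zero return is not yet a complete read.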