From papier at sdv.fr Thu Mar 1 00:24:41 2001
From: papier at sdv.fr (Laurent Papier)
Date: Wed, 28 Feb 2001 14:24:41 +0100
Subject: AllowHosts / DenyHosts
Message-ID: <3A9CFC19.6112C2BC@sdv.fr>

Markus Friedl wrote:
>
> On Wed, Feb 28, 2001 at 09:57:11AM +0100, Andreas Vetter wrote:
> > Tcp-wrappers are invoked by inetd, so when there is a DoS-attack against
> > the inetd (usually this is done port by port): game over.
>
> tcp-wrappers are not at all related to inetd.
> they only can be used with inetd. you don't
> need inetd if you want to use sshd + tcpwrappers
> since sshd uses libwrap directly.

I agree. I don't think we need an AllowHosts/DenyHosts.
tcp-wrappers compile easily even on old systems (AIX 3), and do the job
just fine.

--
Laurent Papier - Admin. systeme
Sdv Plurimedia -

From djm at mindrot.org Thu Mar 1 00:20:11 2001
From: djm at mindrot.org (Damien Miller)
Date: Thu, 1 Mar 2001 00:20:11 +1100 (EST)
Subject: AllowHosts / DenyHosts
In-Reply-To:
Message-ID:

On Wed, 28 Feb 2001, Yuliy Minchev wrote:

>
> re
>
> > > There are some old (or exotic) systems which haven't nor ip
> > > filtering capabilities, nor tcp-wrapper. So it would be a good
> > > thing if OpenSSH can handle Allow/Deny clauses.
> >
> > tcp-wrappers is _very_ portable. What platforms that OpenSSH supports
> > are not supported by TCP wrappers?
>
> In fact you are right. But if I want just to run OpenSSH on some hosts
> and to control access - why should I need to install yet another program
> (tcp-wrapper) and then to track yet another program (tcp-wrapper) for new
> bugs discovered?

TCP wrappers hasn't had a security bug in years IIRC.

> It's enough that you need zlib/openssl/egd to install OpenSSH on some
> machines.
> It's a good thing that in 2.5 there is an internal way to gather entropy.
>
> Someone said a few weeks ago, he wants to see OpenSSH capable to compile
> without you have installed openssl and zlib.

This will never happen, if anything we will be using more 3rd party
libraries in the future rather than less (libkeynote, libedit, etc).

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From celinn at mtu.edu Thu Mar 1 00:38:36 2001
From: celinn at mtu.edu (Christopher Linn)
Date: Wed, 28 Feb 2001 08:38:36 -0500
Subject: AllowHosts / DenyHosts
In-Reply-To: ; from Damien Miller on Thu, Mar 01, 2001 at 12:20:11AM +1100
References:
Message-ID: <20010228083836.A7455@mtu.edu>

On Thu, Mar 01, 2001 at 12:20:11AM +1100, Damien Miller wrote:
> On Wed, 28 Feb 2001, Yuliy Minchev wrote:
> >
> > In fact you are right. But if I want just to run OpenSSH on some hosts
> > and to control access - why should I need to install yet another program
> > (tcp-wrapper) and then to track yet another program (tcp-wrapper) for new
> > bugs discovered?

you would simply build the static libwrap.a, and toss it in the same
place as your libcrypto.a, libssl.a and libz.a ...

> TCP wrappers hasn't had a security bug in years IIRC.

not only that, but libwrap is only used to read the hosts.{allow,deny}
files in this case, right?

> -d

chris

--
Christopher Linn, | By no means shall either the CEC Staff
System Administrator | or MTU be held in any way liable
Center for Experimental Computation | for any opinions or conjecture I
Michigan Technological University | hold to or imply to hold herein.

From gert at greenie.muc.de Thu Mar 1 00:45:31 2001
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 28 Feb 2001 14:45:31 +0100
Subject: Fwd: OpenSSH on Ultrix?
In-Reply-To: <20010228121800.A4682@serv01.aet.tu-cottbus.de>; from Lutz Jaenicke on Wed, Feb 28, 2001 at 12:18:00PM +0100
References: <20010227234133.A15038@greenie.muc.de> <20010228121800.A4682@serv01.aet.tu-cottbus.de>
Message-ID: <20010228144531.A27224@greenie.muc.de>

Hi,

On Wed, Feb 28, 2001 at 12:18:00PM +0100, Lutz Jaenicke wrote:
> Yes, that should be possible. I don't see a problem as long as we can
> stay with 127.0.0.1 (otherwise access control via tcpd would be needed
> to be built in and we would probably come a bit far from what PRNGD
> actually should do :-).

127.0.0.1 should be fine for all those old systems. (I *do* have a
customer system that doesn't even have TCP, but I won't need ssh on that
box either :-) ).

A kind of network-PRNGD would be an interesting thought, but the
security implications are "interesting".

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de

From mouring at etoh.eviladmin.org Thu Mar 1 01:55:16 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 28 Feb 2001 08:55:16 -0600 (CST)
Subject: AllowHosts / DenyHosts
In-Reply-To:
Message-ID:

On Wed, 28 Feb 2001, Yuliy Minchev wrote:

>
> re
>
> > > > why should every feature, even if there exist special solutions,
> > > > included in openssh? you can deny ip-addresses with tcp-wrapper,
> > > > ipfw, ipf, etc, etc.
> > >
> > > There are some old (or exotic) systems which haven't nor ip filtering
> > > capabilities, nor tcp-wrapper.
> > > So it would be a good thing if OpenSSH can handle Allow/Deny clauses.
> >
> > [Cc: list tailored a bit]
> >
> > These ancient systems should not be trusted to be connected to the
> > internet anyway, unless they're behind a firewall which can do this kind
> > of thing.
>
> Yes, you are right. But, how can one increase security indoors of
> organization? Especially if he takes care only for this old machines and
> not for communications and firewall policy?
>
> What about an organization with offices all over the country (or the
> world), with private network connecting these offices. No one talks about
> Internet in this situation.
>

If OpenSSH can compile on the platform in question, TCP Wrapper can
compile on the same platform. I don't see where not having this
feature is a real issue.

- Ben

From vinschen at redhat.com Thu Mar 1 02:54:43 2001
From: vinschen at redhat.com (Corinna Vinschen)
Date: Wed, 28 Feb 2001 16:54:43 +0100
Subject: [PATCH]: auth.c (pwcopy): Copy pw_gecos field when built for Cygwin
Message-ID: <20010228165443.N8464@cygbert.vinschen.de>

Hi,

the attached patch is very important for Cygwin. I don't know
how I could have missed that for months now :-( I hope this
can be included in 2.5.1p2.

The pw_gecos field in Cygwin's /etc/passwd contains Windows specific
authentication information which lets NT domain users log on to a
machine without the need to inform the logon server (sshd in our case)
about the name of the NT domain. As a side effect you can have a
different name under Cygwin than your NT account name.

Unfortunately, without copying pw_gecos this functionality is
completely broken in sshd.

The patch:

Index: auth.c
===================================================================
RCS file: /cvs/openssh_cvs/auth.c,v
retrieving revision 1.23
diff -u -p -r1.23 auth.c
--- auth.c	2001/02/15 03:08:27	1.23
+++ auth.c	2001/02/28 15:47:23
@@ -182,6 +182,9 @@ pwcopy(struct passwd *pw)
 #ifdef HAVE_PW_CLASS_IN_PASSWD
 	copy->pw_class = xstrdup(pw->pw_class);
 #endif
+#ifdef HAVE_CYGWIN
+	copy->pw_gecos = xstrdup(pw->pw_gecos);
+#endif
 	copy->pw_dir = xstrdup(pw->pw_dir);
 	copy->pw_shell = xstrdup(pw->pw_shell);
 	return copy;

Thanks in advance,
Corinna

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From markus.friedl at informatik.uni-erlangen.de Thu Mar 1 00:45:35 2001
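Review bot: the added copy of pw_gecos is wrapped in #ifdef HAVE_CYGWIN, while the neighbouring pw_dir and pw_shell lines in the same hunk duplicate their fields unconditionally; unless some supported platform lacks pw_gecos, copying it unconditionally keeps pwcopy() uniform and avoids a non-Cygwin copy whose pw_gecos pointer is never set. Also check that whatever frees a pwcopy() result (not in this hunk) releases the new xstrdup'd string, otherwise each copy leaks it.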
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 28 Feb 2001 14:45:35 +0100
Subject: AllowHosts / DenyHosts
In-Reply-To: <200102281109.LAA26221@tiffany.tigress.pgs.com.>; from rmy@tigress.co.uk on Wed, Feb 28, 2001 at 11:09:16AM +0000
References: <200102281109.LAA26221@tiffany.tigress.pgs.com.>
Message-ID: <20010228144535.C9503@folly>

this looks like a protocol modification to me and i really
don't want to touch the ssh-1 protocol.

On Wed, Feb 28, 2001 at 11:09:16AM +0000, rmy at tigress.co.uk wrote:
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=96538738531641&w=2

From darryl at netbauds.net Thu Mar 1 03:05:32 2001
From: darryl at netbauds.net (Darryl Miles)
Date: Wed, 28 Feb 2001 16:05:32 +0000
Subject: openssh-2.5.1p1 Linux port
Message-ID: <3A9D21CC.1E7B77ED@netbauds.net>

When I have openssl-0.9.6 simply compiled in a directory alongside the
extracted openssh-2.5.1p1 files. I ran the ./configure as:

CFLAGS="-O2 -Wall" ./configure --prefix=/opt/openssh --with-ssl-dir=../openssl-0.9.6 --with-tcp-wrappers

I needed to apply this diff to get it to work. Would it be possible to
detect an absolute path or relative path (for the --with-ssl-dir= option)
and append an extra "../" in the relative case. Or simply insist upon an
absolute path by bombing out of the ./configure explaining why.

I'm not subscribed to this list, please Cc: me.

Thanks

--- openbsd-compat/Makefile~	Mon Feb 26 20:40:55 2001
+++ openbsd-compat/Makefile	Mon Feb 26 20:41:18 2001
@@ -9,7 +9,7 @@
 CC=gcc
 LD=gcc
 CFLAGS=-O2 -Wall -Wall
-CPPFLAGS= -I../openssl-0.9.6/include -I../openssl-0.9.6/include -I. -I.. -I$(srcdir) -I$(srcdir)/.. -DHAVE_CONFIG_H
+CPPFLAGS= -I../../openssl-0.9.6/include -I../openssl-0.9.6/include -I. -I.. -I$(srcdir) -I$(srcdir)/.. -DHAVE_CONFIG_H
 LIBS=-lcrypt -lwrap -lz -lnsl -lutil -lcrypto
 AR=/usr/bin/ar
 RANLIB=ranlib

From jmknoble at jmknoble.cx Thu Mar 1 03:19:36 2001
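Review bot: the hunk patches openbsd-compat/Makefile, which ./configure regenerates, so the fix disappears on the next configure run and it also leaves the original -I../openssl-0.9.6/include in CPPFLAGS next to the corrected -I../../openssl-0.9.6/include. The durable fix is the one the message itself proposes: have configure turn a relative --with-ssl-dir into an absolute path (or reject it), so every subdirectory Makefile gets a single correct include path.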
From: jmknoble at jmknoble.cx (Jim Knoble)
Date: Wed, 28 Feb 2001 10:19:36 -0600
Subject: [Script] ssh-add dropping keys when xscreensaver blanks
In-Reply-To: <20010228105908.B22836@womble.dur.ac.uk>; from a.d.stribblehill@durham.ac.uk on Wed, Feb 28, 2001 at 10:59:08AM +0000
References: <20010228101036.A22836@womble.dur.ac.uk> <20010228105908.B22836@womble.dur.ac.uk>
Message-ID: <20010228101936.B12089@zax.half.pint-stowp.cx>

Circa 2001-Feb-28 10:59:08 +0000 dixit Andrew Stribblehill:

: Quoting Damien Miller :
:
: > I like the concept, but I don't like how it only adds the default protocol
: > 1 key. Could you get it to parse the output of "ssh-add -l" to pick up
: > the other keys too?
:
: I'm not sure I can, since it can't find out the filename (or
: hostname, for that matter) from which the keys are read. Or is
: there something I'm missing. I was expecting that people using
: this script would hack it themselves to get it to add their extra
: keys.

Here's the list of my ssh-agent's key fingerprints (OpenSSH-2.5.1p1):

$ ssh-add -l
1024 f7:30:8d:ed:84:08:80:[...]:86 jmknoble at zax.half.pint-stowp.cx (RSA1)
1024 3e:ca:af:5e:61:20:35:[...]:34 /local/home/jmknoble/.ssh/id_rsa (RSA)
1024 8d:b3:86:e2:aa:4f:a1:[...]:c2 /local/home/jmknoble/.ssh/id_dsa (DSA)
$

Note how the RSA1 key has the comment in the third column, but the
other keys have their filename. In fact, it's actually harder to add
the proper RSA1 key back than it is to add the RSA2 or DSA key, since
it's possible for RSA1 keys to be loaded from a filename other than
~/.ssh/identity (for example, my RSA1 key lives in ~/.ssh/id_rsa1).

This is perhaps a good method to discourage folks from making it easy
to use Protocol 1. ;)

--
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/

From jmknoble at jmknoble.cx Thu Mar 1 03:23:36 2001
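An added example (not code from the message or from the xscreensaver script it discusses) that parses a constructed "ssh-add -l" listing in the column layout shown above and works out which keys can be re-added by file name; it assumes the caller supplies a comment-to-file mapping for RSA1 keys, since, as the message notes, the listing shows only their comment.

```python
import re

# Constructed listing (made-up fingerprints, generic names) following the
# layout shown in the message: bits, MD5 fingerprint, comment or file
# name, key type in parentheses.
SAMPLE_LISTING = """\
1024 f7:30:8d:ed:84:08:80:11:22:33:44:55:66:77:88:86 user@example.org (RSA1)
1024 3e:ca:af:5e:61:20:35:11:22:33:44:55:66:77:88:34 /home/user/.ssh/id_rsa (RSA)
1024 8d:b3:86:e2:aa:4f:a1:11:22:33:44:55:66:77:88:c2 /home/user/.ssh/id_dsa (DSA)
"""

# bits, 16 colon-separated hex pairs, label, "(TYPE)"
LINE_RE = re.compile(
    r'^(\d+)\s+((?:[0-9a-f]{2}:){15}[0-9a-f]{2})\s+(.+?)\s+\((\w+)\)$')


def parse_listing(text):
    """Return one dict per loaded key; an empty agent yields []."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == 'The agent has no identities.':
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError('unrecognised ssh-add -l line: %r' % line)
        bits, fingerprint, label, ktype = m.groups()
        keys.append({'bits': int(bits), 'fingerprint': fingerprint,
                     'label': label, 'type': ktype})
    return keys


def readd_plan(keys, rsa1_files):
    """Decide which files to hand back to ssh-add after the agent is emptied.

    Protocol-2 keys (RSA/DSA) list the file they were loaded from, so that
    path can be re-added directly. Protocol-1 (RSA1) keys list only their
    comment, so the caller must supply a comment -> file mapping
    (rsa1_files, an assumed input); anything unmapped is reported rather
    than guessed."""
    files, unresolved = [], []
    for key in keys:
        if key['type'] == 'RSA1':
            path = rsa1_files.get(key['label'])
            if path is None:
                unresolved.append(key['label'])
            else:
                files.append(path)
        elif key['label'].startswith('/'):
            files.append(key['label'])
        else:
            unresolved.append(key['label'])
    return files, unresolved


def ssh_add_command(files):
    """argv for re-adding the resolved keys (run it via subprocess)."""
    return ['ssh-add'] + list(files)
```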
From: jmknoble at jmknoble.cx (Jim Knoble)
Date: Wed, 28 Feb 2001 10:23:36 -0600
Subject: AllowHosts / DenyHosts
In-Reply-To: <3A9CFC19.6112C2BC@sdv.fr>; from papier@sdv.fr on Wed, Feb 28, 2001 at 02:24:41PM +0100
References: <3A9CFC19.6112C2BC@sdv.fr>
Message-ID: <20010228102336.C12089@zax.half.pint-stowp.cx>

Circa 2001-Feb-28 14:24:41 +0100 dixit Laurent Papier:

: Markus Friedl wrote:
: > tcp-wrappers are not at all related to inetd.
: > they only can be used with inetd. you don't
: > need inetd if you want to use sshd + tcpwrappers
: > since sshd uses libwrap directly.
:
: I agree. I don't think we need a AllowHosts/DenyHosts.
: tcp-wrappers compile easily even on old system (AIX 3), and do the job
: just fine.

Out of curiosity, do tcp_wrappers handle IPv6 addresses properly? I
seem to recall that /etc/hosts.allow uses a colon ':' as a field
separator....

--
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/

From Markus.Friedl at informatik.uni-erlangen.de Thu Mar 1 03:43:44 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 28 Feb 2001 17:43:44 +0100
Subject: AllowHosts / DenyHosts
In-Reply-To: <20010228102336.C12089@zax.half.pint-stowp.cx>; from jmknoble@jmknoble.cx on Wed, Feb 28, 2001 at 10:23:36AM -0600
References: <3A9CFC19.6112C2BC@sdv.fr> <20010228102336.C12089@zax.half.pint-stowp.cx>
Message-ID: <20010228174344.A1163@faui02.informatik.uni-erlangen.de>

On Wed, Feb 28, 2001 at 10:23:36AM -0600, Jim Knoble wrote:
> Out of curiosity, do tcp_wrappers handle IPv6 addresses properly? I
> seem to recall that /etc/hosts.allow uses a colon ':' as a field
> separator....

newer versions do. the syntax for ipv6 is

[1080:0:0:0:8:800:200C:417A]:25

according to RFC2732

From appro at fy.chalmers.se Thu Mar 1 04:20:28 2001
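An added example (not part of tcp_wrappers or OpenSSH) showing the colon ambiguity Jim asks about and the bracket syntax Markus answers with: it parses a constructed hosts.allow fragment, splitting fields on ':' only outside square brackets, and matches client addresses against the resulting networks. Only the "daemon_list : client_list" form with IP networks is handled; hostname patterns, shell commands and hosts.deny are left out.

```python
import ipaddress

# Constructed sample file (not from the original messages); the second
# rule uses the RFC 2732 bracket form quoted in the thread.
SAMPLE_HOSTS_ALLOW = """\
# ssh from the office LAN and the IPv6 lab prefix (constructed example)
sshd : 192.168.1.0/255.255.255.0, [2001:db8:1::]/64
sshd : [1080:0:0:0:8:800:200C:417A]
in.ftpd : 10.0.0.0/8
"""


def split_fields(line):
    """Split a hosts.allow line on ':' while ignoring colons inside [...].

    A plain line.split(':') turns one bracketed IPv6 literal into many
    fields, which is exactly the ambiguity raised in the thread."""
    fields, current, depth = [], [], 0
    for ch in line:
        if ch == '[':
            depth += 1
        elif ch == ']':
            depth -= 1
        if ch == ':' and depth == 0:
            fields.append(''.join(current).strip())
            current = []
        else:
            current.append(ch)
    fields.append(''.join(current).strip())
    return fields


def parse_client(token):
    """Turn one client_list entry into an ip_network, or the string 'ALL'."""
    token = token.strip()
    if token.upper() == 'ALL':
        return 'ALL'
    if token.startswith('['):
        # [addr] or [addr]/prefixlen: the brackets are only delimiters
        end = token.index(']')
        addr, rest = token[1:end], token[end + 1:]
        prefix = rest[1:] if rest.startswith('/') else None
    else:
        # classic IPv4 forms: host, net/prefixlen or net/dotted-mask
        addr, _, prefix = token.partition('/')
        prefix = prefix or None
    spec = addr if prefix is None else '%s/%s' % (addr, prefix)
    return ipaddress.ip_network(spec, strict=False)


def parse_hosts_allow(text):
    """Return [(daemon_list, client_networks), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = split_fields(line)
        if len(fields) < 2:
            raise ValueError('malformed rule: %r' % raw)
        daemons = [d.strip() for d in fields[0].split(',')]
        clients = [parse_client(c) for c in fields[1].split(',') if c.strip()]
        rules.append((daemons, clients))
    return rules


def is_allowed(rules, daemon, client_ip):
    """First match wins, as in tcp_wrappers: True when some rule naming this
    daemon (or ALL) lists a network that contains client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for daemons, clients in rules:
        if daemon not in daemons and 'ALL' not in daemons:
            continue
        for net in clients:
            if isinstance(net, str):  # the ALL wildcard
                return True
            if net.version == ip.version and ip in net:
                return True
    return False
```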
From: appro at fy.chalmers.se (Andy Polyakov)
Date: Wed, 28 Feb 2001 18:20:28 +0100
Subject: AllowHosts / DenyHosts
References: <3A9CFC19.6112C2BC@sdv.fr> <20010228102336.C12089@zax.half.pint-stowp.cx>
Message-ID: <3A9D335C.DED39242@fy.chalmers.se>

> Out of curiosity, do tcp_wrappers handle IPv6 addresses properly? I
> seem to recall that /etc/hosts.allow uses a colon ':' as a field
> separator....

There's an IPv6-ized version found directly at Wietse's
ftp://ftp.porcupine.org/pub/security/index.html. The problem is worked
around by enclosing IPv6 addresses in square brackets.

A.

From stevesk at sweden.hp.com Thu Mar 1 04:54:27 2001
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Wed, 28 Feb 2001 18:54:27 +0100 (MET)
Subject: add scp path to _PATH_STDPATH
In-Reply-To:
Message-ID:

On Sat, 17 Feb 2001, Tim Rice wrote:
: Try this patch out.
:
: In addition to the things mentioned below, it adds a line
: to sshd_config telling what PATH was compiled into sshd.

thanks, i finally looked at this.

i don't like munging path if a user specified a path
(--with-default-path). i don't know if we want to try to maintain per
platform default paths, and they probably should not include '.', as
some of the defaults in the patch do.

i would like to see the path to scp added only if the user did not
specify --with-default-path, and the default path does not contain scp.

From djm at mindrot.org Thu Mar 1 08:33:08 2001
From: djm at mindrot.org (Damien Miller)
Date: Thu, 1 Mar 2001 08:33:08 +1100 (EST)
Subject: add scp path to _PATH_STDPATH
In-Reply-To:
Message-ID:

On Wed, 28 Feb 2001, Kevin Steves wrote:

> thanks, i finally looked at this.
>
> i don't like munging path if a user specified a path
> (--with-default-path). i don't know if we want to try to maintain per
> platform default paths, and they probably should not include '.', as
> some of the defaults in the patch do.
>
> i would like to see the path to scp added only if the user did not
> specify --with-default-path, and the default path does not contain scp.

Because the PATH is usually obtained from the system include files,
you'll need to write a little autoconf test program which includes the
same path setting logic as defines.h and check whether @bindir@ is in
the resultant path.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From hahnw at psi.com Thu Mar 1 09:33:48 2001
From: hahnw at psi.com (William Hahn)
Date: Wed, 28 Feb 2001 17:33:48 -0500
Subject: SSH 2.5.1p1 doing only protocol 2 with RSA
Message-ID: <3A9D7CCC.408004E8@psi.com>

Has anyone got the windows putty(0.51) working with ssh 2.5.1p1 only
doing protocol 2 with only RSA key. The server(sshd) is on Solaris 2.8.

The server(sshd) syslog error is:

sshd[22064]: [ID 800047 auth.crit] fatal: no hostkey alg

The putty error is internal fault: chaos in SSH 2 transport layer.

This most likely is a putty problem, but I was just wondering if anyone
did testing with the putty client and sshd 2.5.1p1.

From djm at mindrot.org Thu Mar 1 09:48:28 2001
From: djm at mindrot.org (Damien Miller)
Date: Thu, 1 Mar 2001 09:48:28 +1100 (EST)
Subject: [PATCH]: auth.c (pwcopy): Copy pw_gecos field when built for Cygwin
In-Reply-To: <20010228165443.N8464@cygbert.vinschen.de>
Message-ID:

On Wed, 28 Feb 2001, Corinna Vinschen wrote:

> Hi,
>
> the attached patch is very important for Cygwin. I don't know
> how I could have missed that for months now :-( I hope this
> can be included in 2.5.1p2.

Applied.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From solidaridad at ninosdepapel.org Thu Mar 1 09:11:18 2001
From: solidaridad at ninosdepapel.org (Niños de Papel)
Date: Wed, 28 Feb 2001 17:11:18 -0500
Subject: Are you in solidarity?
Message-ID: <200102281722562.SM00670@segundo>

***** This is an HTML Message ! *****
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010228/9e68f839/attachment.html

From vdewan at brocade.com Thu Mar 1 10:47:48 2001
From: vdewan at brocade.com (Vikas Dewan)
Date: Wed, 28 Feb 2001 15:47:48 -0800
Subject: how can I reduce binary size of sshd?
Message-ID:

Hi Guys

I need to implement ssh server daemon on OLD installations of real time
OS, which uses flash memory and every program gets loaded in flash mem,
once the device is booted.

I have very limited space in flash memory of this device.

So what we are trying to do is reducing the size of sshd by taking out
least common used things.

Can someone give me input what features, version and crypto algorithm -
most of recent ssh clients are using, so that we cover most of them.

I already took out SSHv1, RSA and X11 from sshd. I need to reduce more in
terms of size. Please guide me what-else I can safely remove without
affecting major ssh clients.

thanks
Vikas

From devon at admin2.gisnetworks.com Thu Mar 1 11:18:02 2001
From: devon at admin2.gisnetworks.com (Devon Bleak)
Date: Wed, 28 Feb 2001 16:18:02 -0800
Subject: how can I reduce binary size of sshd?
References:
Message-ID: <020701c0a1e5$14a56420$1900a8c0@devn>

this is purely speculation, but you could probably eliminate quite a bit by
taking out unneeded algorithms from openssl? i have no idea what it'd
break, if anything...

devon

----- Original Message -----
From: "Vikas Dewan"
To:
Sent: Wednesday, February 28, 2001 3:47 PM
Subject: how can I reduce binary size of sshd?

> Hi Guys
>
> I need to implement ssh server daemon on OLD installations of real time OS, which uses flash memory and every program gets loaded in flash mem, once the device is booted.
>
> I have very limited space in flash memory of this device.
>
> So what we are trying to do is reducing the size of sshd by taking out least common used things.
>
> Can someone give me input what features, version and crypto algorithm - most of recent ssh clients are using, so that we cover most of them.
>
> I already took out SSHv1, RSA and X11 from sshd. I need to reduce more in terms of size. Please guide me what-else I can safely remove without affecting major ssh clients.
>
> thanks
> Vikas
>
>

From vdewan at brocade.com Thu Mar 1 11:24:17 2001
From: vdewan at brocade.com (Vikas Dewan)
Date: Wed, 28 Feb 2001 16:24:17 -0800
Subject: how can I reduce binary size of sshd?
Message-ID:

Yes, I mean both ssl & ssh, I took out rsa, idea and rc5 from crypto ssl.
SSHv1 and X11 code from openSSH, but I am striving for more, without
impacting most of ssh clients.
Also studying the impact of taking out x509 certification stuff. Any idea?

-----Original Message-----
From: Devon Bleak [mailto:devon at admin2.gisnetworks.com]
Sent: Wednesday, February 28, 2001 4:18 PM
To: Vikas Dewan; openssh-unix-dev at mindrot.org
Subject: Re: how can I reduce binary size of sshd?

this is purely speculation, but you could probably eliminate quite a bit by
taking out unneeded algorithms from openssl? i have no idea what it'd
break, if anything...

devon

----- Original Message -----
From: "Vikas Dewan"
To:
Sent: Wednesday, February 28, 2001 3:47 PM
Subject: how can I reduce binary size of sshd?

> Hi Guys
>
> I need to implement ssh server daemon on OLD installations of real time OS, which uses flash memory and every program gets loaded in flash mem, once the device is booted.
>
> I have very limited space in flash memory of this device.
>
> So what we are trying to do is reducing the size of sshd by taking out least common used things.
>
> Can someone give me input what features, version and crypto algorithm - most of recent ssh clients are using, so that we cover most of them.
>
> I already took out SSHv1, RSA and X11 from sshd. I need to reduce more in terms of size. Please guide me what-else I can safely remove without affecting major ssh clients.
>
> thanks
> Vikas
>
>

From tim at multitalents.net Thu Mar 1 11:30:58 2001
From: tim at multitalents.net (Tim Rice)
Date: Wed, 28 Feb 2001 16:30:58 -0800 (PST)
Subject: add scp path to _PATH_STDPATH
In-Reply-To:
Message-ID:

On Wed, 28 Feb 2001, Kevin Steves wrote:

> On Sat, 17 Feb 2001, Tim Rice wrote:
> : Try this patch out.
> :
> : In addition to the things mentioned below, it adds a line
> : to sshd_config telling what PATH was compiled into sshd.
>
> thanks, i finally looked at this.
>
> i don't like munging path if a user specified a path

Then you still have the same problem of scp not working.
Configure does give ample warning when it modifies the path.
I figure if someone REALLY wants a path that doesn't include the
location of scp they can edit config.h after configure runs.

> (--with-default-path). i don't know if we want to try to maintain per
> platform default paths, and they probably should not include '.', as
> some of the defaults in the patch do.

The per platform defaults were an attempt to make "ssh somehost somecommand"
behave the same as rsh would on that platform.

I don't think I like the '.' either. That's the PATH rshd used.
Probably for sshd we should not include '.' in the path even if the
platform's rshd did.

>
> i would like to see the path to scp added only if the user did not
> specify --with-default-path, and the default path does not contain scp.
>

Speaking of PATHS. For some version after 2.5.1p2 we should look into
adding support for setting the path according to the PATH/SUPATH lines
in /etc/default/login on those platforms that have it.
(SCO, UnixWare, Solaris, others?)

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From tim at multitalents.net Thu Mar 1 11:31:07 2001
From: tim at multitalents.net (Tim Rice)
Date: Wed, 28 Feb 2001 16:31:07 -0800 (PST)
Subject: add scp path to _PATH_STDPATH
In-Reply-To:
Message-ID:

On Thu, 1 Mar 2001, Damien Miller wrote:

> On Wed, 28 Feb 2001, Kevin Steves wrote:
>
> > thanks, i finally looked at this.
> >
> > i don't like munging path if a user specified a path
> > (--with-default-path). i don't know if we want to try to maintain per
> > platform default paths, and they probably should not include '.', as
> > some of the defaults in the patch do.
> >
> > i would like to see the path to scp added only if the user did not
> > specify --with-default-path, and the default path does not contain scp.
>
> Because the PATH is usually obtained from the system include files,
                     ^^^^^^^

Hmm, Of all the platforms I have here only the linux ones do.
I hadn't even noticed that before. Looks like I need to improve my patch.

> you'll need to write a little autoconf test program which includes the
> same path setting logic as defines.h and check whether @bindir@ is in
> the resultant path.

Another interesting challenge.

>
> -d
>
>

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From sunil at redback.com Thu Mar 1 11:37:29 2001
From: sunil at redback.com (Sunil K. Vallamkonda)
Date: Wed, 28 Feb 2001 16:37:29 -0800 (PST)
Subject: do_exec_pty(..)
Message-ID:

Hello,

I see that in case of command execution:
"fork()" is called twice, in sshd.
Once to spin off child sshd from parent and
second from child sshd, to execute command.
Due to this I see 3 processes being created
for each connection viz:

16398 0.0 0.3 1284 892 ?? S 4:33PM 0:00.05 sshd:child
16399 0.0 0.1 320 232 p4 Is+ 4:33PM 0:00.06 -sh -c foo_command
16401 0.0 0.3 2076 840 p4 S+ 4:33PM 0:00.01 foo_command

I may be missing something, but
I was wondering why the second
fork() is required to execute a command
on server.
To execute a command, the child sshd could execve(..),
thus eliminating the need for the second fork() and possibly
a simpler code path.

Thank you.

From djm at mindrot.org Thu Mar 1 11:41:11 2001
From: djm at mindrot.org (Damien Miller)
Date: Thu, 1 Mar 2001 11:41:11 +1100 (EST)
Subject: Portable OpenSSH 2.5.1p2
Message-ID:

Portable OpenSSH 2.5.1p2 has just been uploaded and will be making its
way to the mirror sites (http://www.openssh.com/portable.html) in due
course.

This release contains primarily bug-fixes over 2.5.1p1 but an upgrade is
recommended. Specific bug-fixes include:

- Fixed endianness issue causing failures when using Rijndael/AES cipher
- Fix PAM failures on Solaris and Linux
- Fix RPM spec file for Redhat systems
- Fixed several compatibility functions
- Fix entropy collection code for SCO3 and NeXTStep
- Many other minor fixes (see Changelog for details)

This release includes Mark Roth's mdoc2man.pl script which can be used
to fix up the manpages on systems that lack the full andoc set of macros
(e.g. Solaris). A future release of portable OpenSSH will automate this
script's use for systems that require it.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From djm at mindrot.org Thu Mar 1 11:45:47 2001
From: djm at mindrot.org (Damien Miller)
Date: Thu, 1 Mar 2001 11:45:47 +1100 (EST)
Subject: how can I reduce binary size of sshd?
In-Reply-To:
Message-ID:

On Wed, 28 Feb 2001, Vikas Dewan wrote:

> Yes, I mean both ssl & ssh, I took out rsa, idea and rc5 from crypto
> ssl. SSHv1 and X11 code from openSSH, but I am striving for more,
> without impacting most of ssh clients. Also studying the impact of
> taking out x509 certification stuff. Any idea?

This is what we pull in from the OpenSSL headers. It may be a rough
guide to what we use:

#include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include

Note that quite a few of the OpenSSL files have #define controlled
space/time optimisation tradeoffs (e.g the loop unrolling in the RC4
implementation).

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From mouring at etoh.eviladmin.org Thu Mar 1 12:42:16 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 28 Feb 2001 19:42:16 -0600 (CST)
Subject: how can I reduce binary size of sshd?
In-Reply-To:
Message-ID:

Umm.. I would trust RSA over DSA any day of the week. Unless you know
you have solid system entropy (aka /dev/random) on the machine you're
porting to.

I also suggest looking at what parts of openbsd-compat/ are being
included and update your core libraries with better tuned code for your
platform.

If you're using sshv2 only you may want to limit your crypto to one or
two. 3DES is required. Blowfish would be a good secondary one. Also
limit your MACs to maybe a subset of the Internet draft.

Other than that.. All you can do is attempt to tighten up existing code.

If you statically compile ssl into ssh then you should not have to worry
about stripping OpenSSL.

- Ben

On Wed, 28 Feb 2001, Vikas Dewan wrote:

> Yes, I mean both ssl & ssh, I took out rsa, idea and rc5 from crypto ssl. SSHv1 and X11 code from openSSH, but I am striving for more, without impacting most of ssh clients.
> Also studying the impact of taking out x509 certification stuff. Any idea?
>
> -----Original Message-----
> From: Devon Bleak [mailto:devon at admin2.gisnetworks.com]
> Sent: Wednesday, February 28, 2001 4:18 PM
> To: Vikas Dewan; openssh-unix-dev at mindrot.org
> Subject: Re: how can I reduce binary size of sshd?
>
>
> this is purely speculation, but you could probably eliminate quite a bit by
> taking out unneeded algorithms from openssl? i have no idea what it'd
> break, if anything...
>
> devon
>
>
> ----- Original Message -----
> From: "Vikas Dewan"
> To:
> Sent: Wednesday, February 28, 2001 3:47 PM
> Subject: how can I reduce binary size of sshd?
>
>
> > Hi Guys
> >
> > I need to implement ssh server daemon on OLD installations of real time
> OS, which uses flash memory and every program gets loaded in flash mem, once
> the device is booted.
> >
> > I have very limited space in flash memory of this device.
> >
> > So what we are trying to do is reducing the size of sshd by taking out
> least common used things.
> >
> > Can someone give me input what features, version and crypto algorithm -
> most of recent ssh clients are using, so that we cover most of them.
> >
> > I already took out SSHv1, RSA and X11 from sshd. I need to reduce more in
> terms of size. Please guide me what-else I can safely remove without
> affecting major ssh clients.
> >
> > thanks
> > Vikas
> >
> >
>
>

From djm at mindrot.org Thu Mar 1 11:49:56 2001
From: djm at mindrot.org (Damien Miller)
Date: Thu, 1 Mar 2001 11:49:56 +1100 (EST)
Subject: do_exec_pty(..)
In-Reply-To:
Message-ID:

On Wed, 28 Feb 2001, Sunil K. Vallamkonda wrote:

> Hello,
>
> I see that in case of command execution:
> "fork()" is called twice, in sshd.
> Once to spin off child sshd from parent and
> second from child sshd, to execute command.
> Due to this I see 3 processes being created
> for each connection viz:
>
> 16398 0.0 0.3 1284 892 ?? S 4:33PM 0:00.05 sshd:child
> 16399 0.0 0.1 320 232 p4 Is+ 4:33PM 0:00.06 -sh -c foo_command
> 16401 0.0 0.3 2076 840 p4 S+ 4:33PM 0:00.01 foo_command
>
> I may be missing something, but
> I was wondering why the second
> fork() is required to execute a command
> on server.
> To execute a command, the child sshd could execve(..),
> thus eliminating the need for the second fork() and possibly
> a simpler code path.

The first fork is because the long-term sshd process is acting much like
inetd. If you don't want it, then you can run sshd in inetd mode.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From mouring at etoh.eviladmin.org Thu Mar 1 12:57:25 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 28 Feb 2001 19:57:25 -0600 (CST)
Subject: do_exec_pty(..)
In-Reply-To:
Message-ID:

On Wed, 28 Feb 2001, Sunil K. Vallamkonda wrote:

> Hello,
>
> I see that in case of command execution:
> "fork()" is called twice, in sshd.
> Once to spin off child sshd from parent and
> second from child sshd, to execute command.
> Due to this I see 3 processes being created
> for each connection viz:
>
> 16398 0.0 0.3 1284 892 ?? S 4:33PM 0:00.05 sshd:child
> 16399 0.0 0.1 320 232 p4 Is+ 4:33PM 0:00.06 -sh -c foo_command
> 16401 0.0 0.3 2076 840 p4 S+ 4:33PM 0:00.01 foo_command
>
> I may be missing something, but
> I was wondering why the second
> fork() is required to execute a command
> on server.
> To execute a command, the child sshd could execve(..),
> thus eliminating the need for the second fork() and possibly
> a simpler code path.
>

I don't follow. do_exec_pty() forks.. and the child calls do_child()
which goes through a bunch of security and environmental hoops then
execve(...). Which runs 'sh -c ..' then sh itself forks to run the -c
command.

I don't see how it's sshd's fault that sh forks() on -c instead of doing
an exec*().

- Ben

From sunil at redback.com Thu Mar 1 12:31:08 2001
From: sunil at redback.com (Sunil K. Vallamkonda)
Date: Wed, 28 Feb 2001 17:31:08 -0800 (PST)
Subject: do_exec_pty(..)
In-Reply-To:
Message-ID:

This is running in inetd mode 'sshd -i' and having entry in inetd.conf.

On Thu, 1 Mar 2001, Damien Miller wrote:

> On Wed, 28 Feb 2001, Sunil K. Vallamkonda wrote:
>
> > Hello,
> >
> > I see that in case of command execution:
> > "fork()" is called twice, in sshd.
> > Once to spin off child sshd from parent and
> > second from child sshd, to execute command.
> > Due to this I see 3 processes being created
> > for each connection viz:
> >
> > 16398 0.0 0.3 1284 892 ?? S 4:33PM 0:00.05 sshd:child
> > 16399 0.0 0.1 320 232 p4 Is+ 4:33PM 0:00.06 -sh -c foo_command
> > 16401 0.0 0.3 2076 840 p4 S+ 4:33PM 0:00.01 foo_command
> >
> > I may be missing something, but
> > I was wondering why the second
> > fork() is required to execute a command
> > on server.
> > To execute a command, the child sshd could execve(..),
> > thus eliminating the need for the second fork() and possibly
> > a simpler code path.
>
> The first fork is because the long-term sshd process is acting much like
> inetd. If you don't want it, then you can run sshd in inetd mode.
>
> -d
>
> --
> | Damien Miller \ ``E-mail attachments are the poor man's
> | http://www.mindrot.org / distributed filesystem'' - Dan Geer
>
>

From brian.kuschak at skystream.com Thu Mar 1 16:20:37 2001
From: brian.kuschak at skystream.com (Brian Kuschak)
Date: Wed, 28 Feb 2001 21:20:37 -0800
Subject: Ack...OpenSSH no longer compatible with SSH 1.2.26 clients?
Message-ID:

Hi Marc,

I am seeing this exact same problem on OpenSSH-2.5.1p1 compiled on a
PowerPC. The same code compiled for an x86 machine works fine. Your
messages on the list didn't seem to indicate any resolution to this
problem. Have you figured out how to make it work?

checksum: 2d2711e2
stored checksum: 2d2711e2
checksum: 72f2b13c
stored checksum: e230f836
Disconnecting: Corrupted check bytes on input.

Thanks,
Brian Kuschak

On Tue, 4 Jan 2000, Damien Miller wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, 3 Jan 2000, Marc G. Fournier wrote:
>
> > > If you are referring to:
> >
> > /* If sys/types.h does not supply u_intXX_t, supply them ourselves */
> > #ifndef HAVE_U_INTXX_T
> > # ifdef HAVE_UINTXX_T
> > # define u_int16_t uint16_t;
> > # define u_int32_t uint32_t;
> > # define u_int64_t uint64_t;
> > # define HAVE_U_INTXX_T 1
> > # else
>
> The lines shouldn't have a semicolon at the end.

D'oh ... Same problem though:

debug: sshd version OpenSSH-1.2.1
Server listening on port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 131.162.2.90 port 1023
debug: Client protocol version 1.5; client software version 1.2.26
debug: Sent 768 bit public key and 1024 bit host key.
debug: checksum: da122795
debug: stored_checksum: da122795
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: checksum: dcef8dff
debug: stored_checksum: 6fd685d7
Disconnecting: Corrupted check bytes on input.
debug: Calling cleanup 0x806028c(0x0)

> Damien
>
> - --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
>

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University

"These are my opinions, which are not necessarily shared by my employer"

From dankamin at cisco.com Thu Mar 1 22:30:42 2001
From: dankamin at cisco.com (Dan Kaminsky)
Date: Thu, 1 Mar 2001 03:30:42 -0800
Subject: AllowHosts / DenyHosts
References: <20010228095851.E13239@folly> <01bd01c0a16c$bfd4d430$0200040a@na.cisco.com> <20010228110136.A8531@faui02.informatik.uni-erlangen.de> <001301c0a176$feb6ce60$0200040a@na.cisco.com> <20010228124306.A14063@faui02.informatik.uni-erlangen.de>
Message-ID: <009901c0a243$10359730$0300040a@na.cisco.com>

> keynote is not about certificates, it's about policy.

Looked like a way of putting policies into a certificate style syntax. My
point is that there's a pretty high barrier to using certificates, which
has made them fail spectacularly. Adopting their syntax, when it's not:

A) Brain Dead Simple
B) XMLish

...doesn't really seem like it'll gain a lot of followers. I mean, I
thoroughly grant you that I haven't examined Keynote nearly enough to
dismiss it, and honestly am interested in what you think SSH would get out
of what might be a very significant amount of code.

Yours Truly,

Dan Kaminsky, CISSP
www.doxpara.com

From djm at mindrot.org Thu Mar 1 23:24:25 2001
From: djm at mindrot.org (Damien Miller)
Date: Thu, 1 Mar 2001 23:24:25 +1100 (EST)
Subject: AllowHosts / DenyHosts
In-Reply-To: <009901c0a243$10359730$0300040a@na.cisco.com>
Message-ID:

On Thu, 1 Mar 2001, Dan Kaminsky wrote:

> > keynote is not about certificates, it's about policy.
>
> Looked like a way of putting policies into a certificate style
> syntax. My point is that there's a pretty high barrier to using
> certificates, which has made them fail spectacularly. Adopting
> their syntax, when it's not:
>
> A) Brain Dead Simple

Keynote is about as simple as it can be, for the job it does. Its syntax
is nothing like X.509, unless you are using X.509 certificates with it.

> B) XMLish

yuk. Of the many things that XML is useful for, expressing human-readable
security policy is not one of them.

> ...doesn't really seem like it'll gain a lot of followers. I mean, I
> thoroughly grant you that I haven't examined Keynote nearly enough
> to dismiss it, and honestly am interested in what you think SSH
> would get out of what might be a very significant amount of code.

Keynote is pretty compact. It offers administrators and users the ability
to define and delegate policy in a general and powerful manner. OpenBSD
uses it pretty heavily to good effect, in their Kerberos and isakmpd
implementations.

Do investigate it further - I think that you will be surprised by how
general and flexible it is.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From Markus.Friedl at informatik.uni-erlangen.de Fri Mar 2 01:26:22 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 1 Mar 2001 15:26:22 +0100
Subject: AllowHosts / DenyHosts
In-Reply-To: <009901c0a243$10359730$0300040a@na.cisco.com>; from dankamin@cisco.com on Thu, Mar 01, 2001 at 03:30:42AM -0800
References: <20010228095851.E13239@folly> <01bd01c0a16c$bfd4d430$0200040a@na.cisco.com> <20010228110136.A8531@faui02.informatik.uni-erlangen.de> <001301c0a176$feb6ce60$0200040a@na.cisco.com> <20010228124306.A14063@faui02.informatik.uni-erlangen.de> <009901c0a243$10359730$0300040a@na.cisco.com>
Message-ID: <20010301152622.A27047@faui02.informatik.uni-erlangen.de>

On Thu, Mar 01, 2001 at 03:30:42AM -0800, Dan Kaminsky wrote:
> A) Brain Dead Simple

Keynote is used in isakmpd (an IKE daemon for OpenBSD, Linux, etc) and
allows easy specification of policies, e.g.

% cat /path/to/isakmpd.policy
Authorizer: "POLICY"
licensees: "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
Conditions: app_domain == "IPsec policy" &&
            esp_auth_alg == "hmac-sha" &&
            esp_present == "yes" -> "true";

Authorizer: "POLICY"
Licensees: "passphrase:blafasel"
Conditions: app_domain == "IPsec policy" && esp_present == "yes"
            && esp_enc_alg != "null" -> "true";

and this is really simple.

So for openssh I'd like to have a /etc/sshd_policy per system and
a .ssh/policy per user.

> ...doesn't really seem like it'll gain a lot of followers. I mean, I
> thoroughly grant you that I haven't examined Keynote nearly enough to
> dismiss it, and honestly am interested in what you think SSH would get out
> of what might be a very significant amount of code.

the parsing and eval is done by libkeynote, so all ssh has to
do is set the variables (e.g. remote_use, remote_ip, forward_target)
and call kn_query().

-m

From dankamin at cisco.com Fri Mar 2 02:17:34 2001
From: dankamin at cisco.com (Dan Kaminsky)
Date: Thu, 1 Mar 2001 07:17:34 -0800
Subject: AllowHosts / DenyHosts
References: <20010228095851.E13239@folly> <01bd01c0a16c$bfd4d430$0200040a@na.cisco.com> <20010228110136.A8531@faui02.informatik.uni-erlangen.de> <001301c0a176$feb6ce60$0200040a@na.cisco.com> <20010228124306.A14063@faui02.informatik.uni-erlangen.de> <009901c0a243$10359730$0300040a@na.cisco.com> <20010301152622.A27047@faui02.informatik.uni-erlangen.de>
Message-ID: <01f301c0a262$be6b6d60$0300040a@na.cisco.com>

> % cat /path/to/isakmpd.policy
> Authorizer: "POLICY"
> licensees: "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
> Conditions: app_domain == "IPsec policy" &&
>             esp_auth_alg == "hmac-sha" &&
>             esp_present == "yes" -> "true";
>
> Authorizer: "POLICY"
> Licensees: "passphrase:blafasel"
> Conditions: app_domain == "IPsec policy" && esp_present == "yes"
>             && esp_enc_alg != "null" -> "true";
>
> and this is really simple.

I believe it should be a federal offense to call anything related to IPSec
"really simple".

*sighs*

Once upon a time, I spec'd out a user interface component that was
essentially "taskbar sorted by application instead of by boot time, with
miniaturized images of windows replacing icons". Called it minbars, wrapped
it in all this really funky set of UI widgets, and thus spoke what became a
semi-infamous line:

"Now, some documentation is necessary to understand what you're seeing."

Considering this was a user interface component, that should theoretically
have been self-documenting, the idea that you had to be *told* what that
morass of pixels was; that you couldn't just *see* it, meant I had pretty
much lost any right to call what I had created "simple".

Half the reason I love SSH is because I don't get spontaneous nosebleeds
trying to configure it. While there are many things we might be able to
learn from IPSec, I *assure* you its configuration burden is *not* one of
them!

Even syntaxwise, our present system scales nicely to express the above
rules as follows:

Certificate "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
ApplicationDomain "IPsec policy"
EspAuthenticationAlgorithm hmac-sha
EspRequired yes

Need to select on multiple?

Certificate "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
Host 129.210.*.*
ApplicationDomain "IPsec policy"
EspAuthenticationAlgorithm hmac-sha
EspRequired yes

[Licensees must be matched BEFORE conditions may be met; this way you can
chain licensee requirements]

> the parsing and eval is done by libkeynote, so all ssh has to
> do is set the variables (e.g. remote_use, remote_ip, forward_target)
> and call kn_query().

Building library dependencies into SSH is a *really* tough sell. I don't
*want* SSHD to blow up if libkeynote can't read something.

Show me some seriously cool things I'll be able to do with keynote, that I
*can't* do with our existing,
not-so-fugly-that-we-need-to-pawn-it-off-to-a-library servconf.c...and you
stand a good chance of converting me (for whatever that's worth).

Yours Truly,

Dan Kaminsky, CISSP
www.doxpara.com

From yuliy at mobiltel.bg Fri Mar 2 02:30:37 2001
From: yuliy at mobiltel.bg (Yuliy Minchev)
Date: Thu, 1 Mar 2001 17:30:37 +0200 (EET)
Subject: Strange connection closing on HPUX 11
In-Reply-To: <01f301c0a262$be6b6d60$0300040a@na.cisco.com>
Message-ID:

Hi

I've just upgraded OpenSSH from 2.3.0p1 to 2.5.1p2 on my HPUX 11.00.
Everything works fine, but when I want to cancel the connection (type 'exit'
or press Ctrl-D), the session hangs and waits for any key to be pressed
before it prints 'Connection to host closed.'

I've also upgraded some of our AIX hosts to 2.5.1p2 - there is no such
problem there.

I think that it doesn't matter which version of client I use - I tried
2.3.0p1 (on RH and AIX), and 2.5.1p2 (on HPUX and AIX) - the same thing
happens.

yuliy

--
Yuliy Minchev, UNIX Administrator

From Markus.Friedl at informatik.uni-erlangen.de Fri Mar 2 02:30:42 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 1 Mar 2001 16:30:42 +0100
Subject: AllowHosts / DenyHosts
In-Reply-To: <01f301c0a262$be6b6d60$0300040a@na.cisco.com>; from dankamin@cisco.com on Thu, Mar 01, 2001 at 07:17:34AM -0800
References: <20010228095851.E13239@folly> <01bd01c0a16c$bfd4d430$0200040a@na.cisco.com> <20010228110136.A8531@faui02.informatik.uni-erlangen.de> <001301c0a176$feb6ce60$0200040a@na.cisco.com> <20010228124306.A14063@faui02.informatik.uni-erlangen.de> <009901c0a243$10359730$0300040a@na.cisco.com> <20010301152622.A27047@faui02.informatik.uni-erlangen.de> <01f301c0a262$be6b6d60$0300040a@na.cisco.com>
Message-ID: <20010301163041.A6311@faui02.informatik.uni-erlangen.de>

On Thu, Mar 01, 2001 at 07:17:34AM -0800, Dan Kaminsky wrote:
> > % cat /path/to/isakmpd.policy
> > Authorizer: "POLICY"
> > licensees: "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
> > Conditions: app_domain == "IPsec policy" &&
> >             esp_auth_alg == "hmac-sha" &&
> >             esp_present == "yes" -> "true";
> >
> > Authorizer: "POLICY"
> > Licensees: "passphrase:blafasel"
> > Conditions: app_domain == "IPsec policy" && esp_present == "yes"
> >             && esp_enc_alg != "null" -> "true";
> >
> > and this is really simple.
>
> I believe it should be a federal offense to call anything related to IPSec
> "really simple".

you miss the point. the example is not about ipsec.

> Certificate "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
> ApplicationDomain "IPsec policy"
> EspAuthenticationAlgorithm hmac-sha
> EspRequired yes

this only works because the above example uses &&

> Certificate "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
> Host 129.210.*.*

this won't work with current ssh config.

> ApplicationDomain "IPsec policy"
> EspAuthenticationAlgorithm hmac-sha
> EspRequired yes
>
> [Licensees must be matched BEFORE conditions may be met; this way you can
> chain licensee requirements]
>
> > the parsing and eval is done by libkeynote, so all ssh has to
> > do is set the variables (e.g. remote_use, remote_ip, forward_target)
> > and call kn_query().
>
> Building library dependencies into SSH is a *really* tough sell.

if you want to have complex policies then you will depend on keynote.

if you don't need complex policies, then you don't need keynote.

-m

From moyman at ecn.purdue.edu Fri Mar 2 02:37:10 2001
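Added example, not part of the thread and not libkeynote or OpenSSH code: a toy Python evaluator for the KeyNote-style assertions Markus Friedl quoted, showing the licensee-before-conditions rule, why a flat keyword-per-line form only covers the && case, and the one thing he says such a form cannot do, delegation (a non-POLICY assertion whose authorizer was itself licensed by POLICY). It assumes Licensees is a plain list of alternative principals, skips signature verification of delegated assertions, and the sshd-style policy with its principal names and attribute values is constructed for the example.

```python
import re

# Compliance values in increasing order of trust. The quoted policy only ever
# returns "true"; a query that matches nothing yields the lowest value, "false".
VALUES = ("false", "true")
TOKEN = re.compile(r'("[^"]*")|(==|!=|&&|\|\||->|;)|([A-Za-z_]\w*)')
FIELD = re.compile(r'^(Authorizer|Licensees|Conditions)\s*:\s*', re.I | re.M)

# The two assertions Markus quoted from isakmpd.policy, copied from the thread.
ISAKMPD_POLICY = '''
Authorizer: "POLICY"
licensees: "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
Conditions: app_domain == "IPsec policy" &&
            esp_auth_alg == "hmac-sha" &&
            esp_present == "yes" -> "true";

Authorizer: "POLICY"
Licensees: "passphrase:blafasel"
Conditions: app_domain == "IPsec policy" && esp_present == "yes"
            && esp_enc_alg != "null" -> "true";
'''

# Constructed sshd-style policy with hypothetical principal names: POLICY trusts
# an admin key for the ssh domain, and that key (not the root policy) decides
# which user key may log in and from where. Real KeyNote would also require the
# second assertion to carry the admin key's signature; this toy skips that.
SSHD_POLICY = '''
Authorizer: "POLICY"
Licensees: "DN:/O=Example/CN=ssh admin"
Conditions: app_domain == "ssh policy" -> "true";

Authorizer: "DN:/O=Example/CN=ssh admin"
Licensees: "rsa-key:EXAMPLE-USER-KEY"
Conditions: app_domain == "ssh policy" && remote_ip == "10.0.0.5" -> "true";
'''

def tokenize(text):
    """Field value -> ('str', s) / ('op', o) / ('id', name) tokens."""
    return [('str', s[1:-1]) if s else ('op', o) if o else ('id', n)
            for s, o, n in TOKEN.findall(text)]

def parse_policy(text):
    """One assertion per blank-line-separated block. Licensees are read as a list
    of alternative principals (real KeyNote also allows && and k-of-n there)."""
    assertions = []
    for block in re.split(r'\n\s*\n', text.strip()):
        parts = FIELD.split(block)
        fields = {parts[i].lower(): parts[i + 1] for i in range(1, len(parts), 2)}
        assertions.append({
            'authorizer': fields['authorizer'].strip().strip('"'),
            'licensees': [s for k, s in tokenize(fields['licensees']) if k == 'str'],
            'conditions': tokenize(fields['conditions']),
        })
    return assertions

def evaluate_conditions(tokens, attrs):
    """'expr -> "value";' where expr is ==/!= comparisons joined by && and ||
    (&& binds tighter, no parentheses). Unset attributes compare as "", as in
    KeyNote. Returns "value" if expr holds, else the lowest value."""
    expr, arrow, (kind, value), semi = tokens[:-3], tokens[-3], tokens[-2], tokens[-1]
    if arrow != ('op', '->') or kind != 'str' or value not in VALUES or semi != ('op', ';'):
        raise ValueError('conditions must end with -> "value";')
    result, conj = False, True        # result: OR over clauses; conj: the current && clause
    for i in range(0, len(expr), 4):  # a comparison is 3 tokens, then && or || or the end
        (k, name), (_, op), (lk, lit) = expr[i:i + 3]
        if k != 'id' or op not in ('==', '!=') or lk != 'str':
            raise ValueError('expected attribute == "literal" or attribute != "literal"')
        actual = attrs.get(name, "")
        conj = conj and ((actual == lit) if op == '==' else (actual != lit))
        joiner = expr[i + 3] if i + 3 < len(expr) else ('op', '||')
        if joiner == ('op', '||'):
            result, conj = result or conj, True
        elif joiner != ('op', '&&'):
            raise ValueError("expected && or ||, got %r" % (joiner,))
    return value if result else VALUES[0]

def principal_value(principal, assertions, principals, attrs, memo):
    """KeyNote's delegation rule: a principal the requester presented has full
    trust; any other principal is worth the best assertion it authorized."""
    if principal in principals:
        return VALUES[-1]
    if principal not in memo:         # memo also breaks delegation cycles
        memo[principal] = VALUES[0]
        for a in assertions:
            if a['authorizer'] == principal:
                value = assertion_value(a, assertions, principals, attrs, memo)
                memo[principal] = max(memo[principal], value, key=VALUES.index)
    return memo[principal]

def assertion_value(a, assertions, principals, attrs, memo):
    """min(licensees' value, conditions' value): the licensees must match
    before the conditions are even looked at."""
    licensees = max((principal_value(p, assertions, principals, attrs, memo)
                     for p in a['licensees']), key=VALUES.index, default=VALUES[0])
    if licensees == VALUES[0]:
        return licensees
    return min(licensees, evaluate_conditions(a['conditions'], attrs), key=VALUES.index)

def kn_query_toy(policy_text, principals, attrs):
    """Stand-in for 'set the variables and call kn_query()': the compliance
    value of the root POLICY for the presented principals and attributes."""
    return principal_value("POLICY", parse_policy(policy_text), set(principals), attrs, {})
```

With the user key presented and remote_ip 10.0.0.5 the sshd policy answers "true" only because the admin key's assertion vouches for it; change the address or the app_domain and the same key gets "false".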
From: moyman at ecn.purdue.edu (James M Moya)
Date: Thu, 1 Mar 2001 10:37:10 -0500 (EST)
Subject: 2.5.1p1/p2 PermitRootLogin broke (Solaris)
Message-ID: <200103011537.f21FbAv06891@pier.ecn.purdue.edu>

I updated my Solaris 8 machines from openssh-2.3.0p1 to 2.5.1p1 yesterday and
it fixed the cron/audit issue but now root logins are no longer permitted. I
updated it to 2.5.1p2 this morning and that is still the case:

golfer:/[207]# ssh -v tsunami
OpenSSH_2.5.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug: Reading configuration data /var/ssh/ssh_config
debug: Applying options for *
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to tsunami [128.46.154.96] port 22.
debug: Allocated local port 662.
debug: Connection established.
debug: identity file //.ssh/known_hosts type 3
debug: Remote protocol version 1.5, remote software version OpenSSH_2.5.1p2
debug: match: OpenSSH_2.5.1p2 pat ^OpenSSH
debug: Local version string SSH-1.5-OpenSSH_2.5.1p2
debug: Waiting for server public key.
debug: Received server public key (640 bits) and host key (768 bits).
debug: Host 'tsunami' is known and matches the RSA1 host key.
debug: Found key in /var/ssh/ssh_known_hosts:651
debug: Seeding random number generator
debug: Encryption type: blowfish
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying rhosts authentication.
debug: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
debug: Server refused our rhosts authentication or host key.
debug: Doing password authentication.
root at tsunami's password:
Connection closed by 128.46.154.96
debug: Calling cleanup 0x100042e18(0x0)
golfer:/[208]#

...and...

tsunami:/[441]# grep PermitRoot /var/ssh/sshd_config
PermitRootLogin yes

--mike

From mouring at etoh.eviladmin.org Fri Mar 2 03:49:14 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 1 Mar 2001 10:49:14 -0600 (CST)
Subject: AllowHosts / DenyHosts
In-Reply-To: <20010301163041.A6311@faui02.informatik.uni-erlangen.de>
Message-ID:

Can we assume that if one does not need such functionality it will be
simple enough to do a ./configure --without-keynotes? From the sounds of
it the answer is yes.

- Ben

On Thu, 1 Mar 2001, Markus Friedl wrote:

> On Thu, Mar 01, 2001 at 07:17:34AM -0800, Dan Kaminsky wrote:
> > > % cat /path/to/isakmpd.policy
> > > Authorizer: "POLICY"
> > > licensees: "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
> > > Conditions: app_domain == "IPsec policy" &&
> > >             esp_auth_alg == "hmac-sha" &&
> > >             esp_present == "yes" -> "true";
> > >
> > > Authorizer: "POLICY"
> > > Licensees: "passphrase:blafasel"
> > > Conditions: app_domain == "IPsec policy" && esp_present == "yes"
> > >             && esp_enc_alg != "null" -> "true";
> > >
> > > and this is really simple.
> >
> > I believe it should be a federal offense to call anything related to IPSec
> > "really simple".
>
> you miss the point. the example is not about ipsec.
>
> > Certificate "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
> > ApplicationDomain "IPsec policy"
> > EspAuthenticationAlgorithm hmac-sha
> > EspRequired yes
>
> this only works because the above example uses &&
>
> > Certificate "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
> > Host 129.210.*.*
>
> this won't work with current ssh config.
>
> > ApplicationDomain "IPsec policy"
> > EspAuthenticationAlgorithm hmac-sha
> > EspRequired yes
> >
> > [Licensees must be matched BEFORE conditions may be met; this way you can
> > chain licensee requirements]
> >
> > > the parsing and eval is done by libkeynote, so all ssh has to
> > > do is set the variables (e.g. remote_use, remote_ip, forward_target)
> > > and call kn_query().
> >
> > Building library dependencies into SSH is a *really* tough sell.
>
> if you want to have complex policies then you will depend on keynote.
>
> if you don't need complex policies, then you don't need keynote.
>
> -m
>

From dankamin at cisco.com Fri Mar 2 03:04:28 2001
From: dankamin at cisco.com (Dan Kaminsky)
Date: Thu, 1 Mar 2001 08:04:28 -0800
Subject: AllowHosts / DenyHosts
References: <20010228095851.E13239@folly> <01bd01c0a16c$bfd4d430$0200040a@na.cisco.com> <20010228110136.A8531@faui02.informatik.uni-erlangen.de> <001301c0a176$feb6ce60$0200040a@na.cisco.com> <20010228124306.A14063@faui02.informatik.uni-erlangen.de> <009901c0a243$10359730$0300040a@na.cisco.com> <20010301152622.A27047@faui02.informatik.uni-erlangen.de> <01f301c0a262$be6b6d60$0300040a@na.cisco.com> <20010301163041.A6311@faui02.informatik.uni-erlangen.de>
Message-ID: <022301c0a269$4bc52150$0300040a@na.cisco.com>

> you miss the point. the example is not about ipsec.

Markus, you miss the point: IPsec is *misery incarnate* to configure and
the keynote syntax certainly doesn't help that.

> > Certificate "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
> > ApplicationDomain "IPsec policy"
> > EspAuthenticationAlgorithm hmac-sha
> > EspRequired yes
>
> this only works because the above example uses &&

Fine.

Certificate "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
ApplicationDomain "IPsec policy"
EspAuthenticationAlgorithm hmac-sha hmac-md5 ripemd-whatever
EspRequired yes

> > Certificate "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
> > Host 129.210.*.*
>
> this won't work with current ssh config.

You're talking about linking a new library in that'll inherit root
permissions by dint of being linked into SSHD--I think we're safely out of
the realm of "what servconf.c can do right now."

My point is that 90% of what we'd want from Keynote we can do without
resorting to an outside library, and as nice as that extra 10% might be, if
it prevents 80% of people from using 80% of the power of SSH, we've weakened
the code considerably.

> if you want to have complex policies then you will depend on keynote.
>
> if you don't need complex policies, then you don't need keynote.

So tell me some complex policies that would be useful, that require keynote.

From Markus.Friedl at informatik.uni-erlangen.de Fri Mar 2 03:07:10 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 1 Mar 2001 17:07:10 +0100
Subject: AllowHosts / DenyHosts
In-Reply-To: <022301c0a269$4bc52150$0300040a@na.cisco.com>; from dankamin@cisco.com on Thu, Mar 01, 2001 at 08:04:28AM -0800
References: <20010228095851.E13239@folly> <01bd01c0a16c$bfd4d430$0200040a@na.cisco.com> <20010228110136.A8531@faui02.informatik.uni-erlangen.de> <001301c0a176$feb6ce60$0200040a@na.cisco.com> <20010228124306.A14063@faui02.informatik.uni-erlangen.de> <009901c0a243$10359730$0300040a@na.cisco.com> <20010301152622.A27047@faui02.informatik.uni-erlangen.de> <01f301c0a262$be6b6d60$0300040a@na.cisco.com> <20010301163041.A6311@faui02.informatik.uni-erlangen.de> <022301c0a269$4bc52150$0300040a@na.cisco.com>
Message-ID: <20010301170710.B7177@faui02.informatik.uni-erlangen.de>

On Thu, Mar 01, 2001 at 08:04:28AM -0800, Dan Kaminsky wrote:
> So tell me some complex policies that would be useful, that require keynote.

everything that requires some kind of hierarchy.

everything that requires some kind of delegation.

From dankamin at cisco.com Fri Mar 2 03:27:06 2001
From: dankamin at cisco.com (Dan Kaminsky)
Date: Thu, 1 Mar 2001 08:27:06 -0800
Subject: AllowHosts / DenyHosts
References: <20010228095851.E13239@folly> <01bd01c0a16c$bfd4d430$0200040a@na.cisco.com> <20010228110136.A8531@faui02.informatik.uni-erlangen.de> <001301c0a176$feb6ce60$0200040a@na.cisco.com> <20010228124306.A14063@faui02.informatik.uni-erlangen.de> <009901c0a243$10359730$0300040a@na.cisco.com> <20010301152622.A27047@faui02.informatik.uni-erlangen.de> <01f301c0a262$be6b6d60$0300040a@na.cisco.com> <20010301163041.A6311@faui02.informatik.uni-erlangen.de> <022301c0a269$4bc52150$0300040a@na.cisco.com> <20010301170710.B7177@faui02.informatik.uni-erlangen.de>
Message-ID: <023101c0a26c$752aa2b0$0300040a@na.cisco.com>

> > So tell me some complex policies that would be useful, that require keynote.
>
> everything that requires some kind of hierarchy.
>
> everything that requires some kind of delegation.

OK, I can see this being useful. Let's explicitly create a suffix, "If",
that matches any configuration option selectable by the opposite (could be
client or server).

===
IfHost 129.210.*.*
Ciphers blowfish-cbc

IfCiphers blowfish-cbc
X11Forwarding no
===

Want negation?

===
IfHost not 129.210.*.*
Ciphers blowfish-cbc

IfCiphers != blowfish-cbc
X11Forwarding no
===

But still, give me a concrete example of something really cool we can do
with Keynote that doesn't fit with trivial modifications to your existing
very readable syntax. Thus far, I just haven't seen anything that justifies
either the security risk or the difficulty in learning the syntax.

Yours Truly,

Dan Kaminsky, CISSP
www.doxpara.com

From speno at isc.upenn.edu Fri Mar 2 03:33:11 2001
From: speno at isc.upenn.edu (John P Speno)
Date: Thu, 1 Mar 2001 11:33:11 -0500
Subject: OSF_SIA bug in 2.3.0p1
In-Reply-To: <20010212112224.F7301@HiWAAY.net>; from cmadams@hiwaay.net on Mon, Feb 12, 2001 at 11:22:24AM -0600
References: <200102120514.f1C5Eex16051@ariel.ucs.unimelb.edu.au> <20010212112224.F7301@HiWAAY.net>
Message-ID: <20010301113311.B167828@isc.upenn.edu>

On Mon, Feb 12, 2001 at 11:22:24AM -0600, Chris Adams wrote:
>
> There may still be a problem with information going back to the user.
> Someone reported to me that on Tru64 5.1, the last login times are
> printed when connecting to an account that is locked. It doesn't happen
> under 4.0F, so I haven't been able to track down what is happening
> (don't have 5.x installed here yet - CDs are still on the bookshelf).

That someone was me. And it's not just 5.x, it also happens under 4.0F.

The issue is that last login times and /etc/motd are printed from do_login
in session.c, but session_setup_sia which checks for locked accounts is in
do_child which runs after do_login. So, if you authenticate yourself but
your account is locked, you will still see your last login time and
/etc/motd. What's worse is that the login will be recorded in
/var/adm/lastlog as if it were a normal successful login (which it really
isn't, as the account is locked).

When using SIA on Tru64 UNIX, perhaps it would be "best" if updating and
printing the last login time was disabled because sia_ses_launch will
already take care of it (and do it "better" in this case). By the same
token, perhaps the printing of /etc/motd could be disabled in do_login when
SIA support is enabled, and moved into session_setup_sia?

From stevesk at sweden.hp.com Fri Mar 2 03:49:20 2001
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Thu, 1 Mar 2001 17:49:20 +0100 (MET)
Subject: Strange connection closing on HPUX 11
In-Reply-To:
Message-ID:

On Thu, 1 Mar 2001, Yuliy Minchev wrote:
: I've just upgraded OpenSSH from 2.3.0p1 to 2.5.1p2 on my HPUX 11.00.
: Everything works fine, but when I want to cancel the connection (type 'exit'
: or press Ctrl-D), the session hangs and waits for any key to be pressed
: before it prints 'Connection to host closed.'
:
: I've also upgraded some of our AIX hosts to 2.5.1p2 - there is no such
: problem there.
:
: I think that it doesn't matter which version of client I use - I tried
: 2.3.0p1 (on RH and AIX), and 2.5.1p2 (on HPUX and AIX) - the same thing
: happens.

i've seen that too, starting only a few weeks ago if i recall, but it
doesn't happen all the time.

From dankamin at cisco.com Fri Mar 2 03:54:48 2001
From: dankamin at cisco.com (Dan Kaminsky)
Date: Thu, 1 Mar 2001 08:54:48 -0800
Subject: 2.5.1p1/p2 PermitRootLogin broke (Solaris)
References: <200103011537.f21FbAv06891@pier.ecn.purdue.edu>
Message-ID: <027f01c0a270$5408e5c0$0300040a@na.cisco.com>

James--

    Did you set your configure script correctly to use /var/ssh/sshd_config
when you recompiled?

    Does anything different occur if you use sshd -f /var/ssh/sshd_config ?

--Dan

P.S. Hmmm, no sshd -o ServerOption support...

----- Original Message -----
From: "James M Moya"
To:
Sent: Thursday, March 01, 2001 7:37 AM
Subject: 2.5.1p1/p2 PermitRootLogin broke (Solaris)

>
> I updated my Solaris 8 machines from openssh-2.3.0p1 to 2.5.1p1 yesterday and
> it fixed the cron/audit issue but now root logins are no longer permitted. I
> updated it to 2.5.1p2 this morning and that is still the case:
>
> golfer:/[207]# ssh -v tsunami
> OpenSSH_2.5.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
> debug: Reading configuration data /var/ssh/ssh_config
> debug: Applying options for *
> debug: ssh_connect: getuid 0 geteuid 0 anon 0
> debug: Connecting to tsunami [128.46.154.96] port 22.
> debug: Allocated local port 662.
> debug: Connection established.
> debug: identity file //.ssh/known_hosts type 3
> debug: Remote protocol version 1.5, remote software version Open SSH_2.5.1p2
> debug: match: OpenSSH_2.5.1p2 pat ^OpenSSH
> debug: Local version string SSH-1.5-OpenSSH_2.5.1p2
> debug: Waiting for server public key.
> debug: Received server public key (640 bits) and host key (768 bits).
> debug: Host 'tsunami' is known and matches the RSA1 host key.
> debug: Found key in /var/ssh/ssh_known_hosts:651
> debug: Seeding random number generator
> debug: Encryption type: blowfish
> debug: Sent encrypted session key.
> debug: Installing crc compensation attack detector.
> debug: Received encrypted confirmation.
> debug: Trying rhosts authentication.
> debug: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
> debug: Server refused our rhosts authentication or host key.
> debug: Doing password authentication.
> root at tsunami's password:
> Connection closed by 128.46.154.96
> debug: Calling cleanup 0x100042e18(0x0)
> golfer:/[208]#
>
> ...and...
>
> tsunami:/[441]# grep PermitRoot /var/ssh/sshd_config
> PermitRootLogin yes
>
> --mike
>

From ktaylor at eosdata.gsfc.nasa.gov Fri Mar 2 03:58:53 2001
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor)
Date: Thu, 01 Mar 2001 11:58:53 -0500
Subject: Expired password handling in openssh-2.5.1p1/2
Message-ID: <3A9E7FCD.BF9C36CA@daac.gsfc.nasa.gov>

Are there plans, or does someone have a fix, for having openssh force
users to change passwords when they're expired?

Right now the program closes the connection....the commercial ssh
manages to exec /bin/passwd after they enter their current password.

Any ideas?

From moyman at ecn.purdue.edu Fri Mar 2 04:00:39 2001
From: moyman at ecn.purdue.edu (James M Moya)
Date: Thu, 01 Mar 2001 12:00:39 -0500
Subject: 2.5.1p1/p2 PermitRootLogin broke (Solaris)
In-Reply-To: Your message of "Thu, 01 Mar 2001 08:54:48 PST." <027f01c0a270$5408e5c0$0300040a@na.cisco.com>
Message-ID: <200103011700.f21H0eK09342@golfer.ecn.purdue.edu>

"Dan Kaminsky" said:
>James--
>
>    Did you set your configure script correctly to use /var/ssh/sshd_config
>when you recompiled?
>
>    Does anything different occur if you use sshd -f /var/ssh/sshd_config ?
>
>--Dan
>
>P.S. Hmmm, no sshd -o ServerOption support...
>

Yes, and the startup uses it explicitly anyway:

tsunami:/[442]# more /etc/init.d/sshd
#!/bin/sh
#
case "$1" in
'start')
        if [ -f /var/ssh/sshd_config -a -f /opt/openssh/sbin/sshd ] ; then
                /opt/openssh/sbin/sshd -b 640 -f /var/ssh/sshd_config \
                        -h /var/ssh/ssh_host_key 1> /dev/null 2>&1
        fi
        ;;
...etc...

Here is my configure script that I used for 2.3 through 2.5p2:

riptide:/usr/src/local/openssh-2.5.1p2[14] more ecn
rm config.cache
CC="cc -xO4 -xarch=v9" ./configure \
        --prefix=/opt/openssh \
        --sysconfdir=/var/ssh \
        --with-rsh=/usr/local/etc/rsh \
        --with-ipv4-default \
        --with-ssl-dir=/usr/local/ssl \
        --with-default-path=/usr/local/bin:/usr/opt/bin:/usr/bin:/usr/site/ecn/bin:/opt/openssh/bin \
        --with-pid-dir=/var/ssh

--mike

From htodd at twofifty.com Fri Mar 2 04:02:34 2001
From: htodd at twofifty.com (Hisashi T Fujinaka)
Date: Thu, 1 Mar 2001 09:02:34 -0800 (PST)
Subject: Solaris port configure not recognizing --sysconfidir?
In-Reply-To: <200103011537.f21FbAv06891@pier.ecn.purdue.edu>
Message-ID:

I tried to move the configuration directory to /etc/ssh. Unfortunately,
there appears to be something compiled into sshd and into the solaris
build script. Rather than thrash around and try to hack random files on
my end, I thought I'd ask to see if I'm just doing something stupid or if
someone could tell me which files I really need to edit.

Thanks.

--
Hisashi T Fujinaka - htodd at twofifty.com
BSEE (6/86) + BSChem (3/95) + BAEnglish (8/95) + $2.50 = mocha latte

From devon at admin2.gisnetworks.com Fri Mar 2 04:26:53 2001
From: devon at admin2.gisnetworks.com (Devon Bleak)
Date: Thu, 1 Mar 2001 09:26:53 -0800
Subject: AllowHosts / DenyHosts
References: <20010228095851.E13239@folly> <01bd01c0a16c$bfd4d430$0200040a@na.cisco.com> <20010228110136.A8531@faui02.informatik.uni-erlangen.de> <001301c0a176$feb6ce60$0200040a@na.cisco.com> <20010228124306.A14063@faui02.informatik.uni-erlangen.de> <009901c0a243$10359730$0300040a@na.cisco.com> <20010301152622.A27047@faui02.informatik.uni-erlangen.de> <01f301c0a262$be6b6d60$0300040a@na.cisco.com> <20010301163041.A6311@faui02.informatik.uni-erlangen.de> <022301c0a269$4bc52150$0300040a@na.cisco.com> <20010301170710.B7177@faui02.informatik.uni-erlangen.de> <023101c0a26c$752aa2b0$0300040a@na.cisco.com>
Message-ID: <005b01c0a274$cf60af60$1900a8c0@devn>

i really don't see where this thread is going (if it's not my place to make
this comment then please forgive me)...

if you don't want/trust/need keynote support, then don't compile it in
(although i haven't actually heard that this is going to be something you
can opt out of, most of the stuff like this in OpenSSH is, and i'm sure that
at this point in the game it wouldn't require much effort to make it so).

i've gone over and over keynote notation/whatever you want to call it, and
still can't understand it. that doesn't mean that i don't think it's a good
thing to have there if i want to learn and use it at some point in the
future.

personally, i think it'd be great to be able to set options in sshd based on
what user is logging in or what host they're logging in from or what key
they're using to log in or any number of other things. i was actually going
to suggest/request something like that a couple days ago, but now that the
opportunity and possibility of using someone else's code and not having to
reinvent the wheel has come up, i think we should definitely grab it!

devon

----- Original Message -----
From: "Dan Kaminsky"
To: "Markus Friedl"
Cc:
Sent: Thursday, March 01, 2001 8:27 AM
Subject: Re: AllowHosts / DenyHosts

> > > So tell me some complex policies that would be useful, that require
> keynote.
> >
> > everything that requires some kind of hierarchy.
> >
> > everything that requires some kind of delegation.
>
> OK, I can see this being useful. Let's explicitly create a suffix, "If",
> that matches any configuration option selectable by the opposite (could be
> client or server).
>
> ===
> IfHost 129.210.*.*
> Ciphers blowfish-cbc
>
> IfCiphers blowfish-cbc
> X11Forwarding no
> ===
>
> Want negation?
>
> ===
> IfHost not 129.210.*.*
> Ciphers blowfish-cbc
>
> IfCiphers != blowfish-cbc
> X11Forwarding no
> ===
>
> But still, give me a concrete example of something really cool we can do
> with Keynote that doesn't fit with trivial modifications to your existing
> very readable syntax. Thus far, I just haven't seen anything that justifies
> either the security risk or the difficulty in learning the syntax.
>
> Yours Truly,
>
> Dan Kaminsky, CISSP
> www.doxpara.com
>
>
>

From dankamin at cisco.com Fri Mar 2 04:24:21 2001
From: dankamin at cisco.com (Dan Kaminsky)
Date: Thu, 1 Mar 2001 09:24:21 -0800
Subject: Expired password handling in openssh-2.5.1p1/2
References: <3A9E7FCD.BF9C36CA@daac.gsfc.nasa.gov>
Message-ID: <029301c0a274$74a54c70$0300040a@na.cisco.com>

> Are there plans, or does someone have a fix, for having openssh force
> users to change passwords when they're expired?
>
> Right now the program closes the connection....the commercial ssh
> manages to exec /bin/passwd after they enter their current password.
>
> Any ideas?

Hmm, does PAM send back a special message when the password needs to be
changed?

I could envision changing the user shell to /bin/passwd if PAM complains...

--Dan

From ktaylor at eosdata.gsfc.nasa.gov Fri Mar 2 04:25:22 2001
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor)
Date: Thu, 01 Mar 2001 12:25:22 -0500
Subject: Expired password handling in openssh-2.5.1p1/2
References: <3A9E7FCD.BF9C36CA@daac.gsfc.nasa.gov> <029301c0a274$74a54c70$0300040a@na.cisco.com>
Message-ID: <3A9E8602.44B1D8FF@daac.gsfc.nasa.gov>

Dan Kaminsky wrote:
> 
> > Are there plans, or does someone have a fix, for having openssh force
> > users to change passwords when they're expired?
> >
> > Right now the program closes the connection....the commercial ssh
> > manages to exec /bin/passwd after they enter their current password.
> >
> > Any ideas?
> 
> Hmm, does PAM send back a special message when the password needs to be
> changed?
> 
> I could envision changing the user shell to /bin/passwd if PAM complains...
> 
> --Dan

Sorry, I didn't give any other useful info.  This is not using PAM, on IRIX and on Solaris systems.

-- 
---------------------------------------------------------.
Kevin Taylor                                              \
Systems Administrator - DAAC, Code 902, Bldg 32, Rm N126A /
Science Systems and Applications, Inc.                    \
Goddard Space Flight Center                               /
Greenbelt, MD 20771                                       \
                                                          /
Phone: (301) 614-5505                                     \
e-mail: ktaylor at daac.gsfc.nasa.gov                     /
----------------------------------------------------------'

From stevesk at sweden.hp.com Fri Mar 2 04:36:45 2001
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Thu, 1 Mar 2001 18:36:45 +0100 (MET)
Subject: rsa_public_encrypt() exponent too small or not odd
In-Reply-To: <4341EF5F8B4AD311AB4B00902740B9F20460570A@xcup02.cup.hp.com>
Message-ID: 

On Tue, 27 Feb 2001, CARLSON,MATTHEW (Non-HP-Cupertino,ex1) wrote:
: I am attempting to deploy OpenSSH.
: 
: The trouble is I keep getting the rsa_public_encrypt() exponent too small or
: not odd with the SSH 1 or 1.5 protocols. I can't get OpenSSH to communicate
: with itself with any protocol other than SSH 2.

i have never seen this on hp-ux 11.  what openssh version?  i would guess it has to do with either your specific build or your configuration.  does openssl pass make test?  can you try with a new host key?

: Platform notes:
: 
: HP-UX 11.00 Dart 51 64bit
: OpenSSL 0.9.6
: Zlib 1.1.3
: 
: Cflags:
: -Ae

-Ae is the default for ansi cc on 11.

From stevesk at sweden.hp.com Fri Mar 2 04:46:09 2001
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Thu, 1 Mar 2001 18:46:09 +0100 (MET)
Subject: add scp path to _PATH_STDPATH
In-Reply-To: 
Message-ID: 

On Wed, 28 Feb 2001, Tim Rice wrote:
: > i don't like munging path if a user specified a path
: 
: Then you still have the same problem of scp not working.
: Configure does give ample warning when it modifies the path.
: I figure if someone REALLY wants a path that doesn't include the location
: of scp they can edit config.h after configure runs.

i still believe --with-default-path= should *not* be modified.  the default settings should work (today they don't) and if a user chooses to override them we shouldn't assume to know more than they do.  if we want, we can display a warning message for this case.

From cj10 at cam.ac.uk Fri Mar 2 04:46:22 2001
From: cj10 at cam.ac.uk (Charles Jardine)
Date: Thu, 01 Mar 2001 17:46:22 +0000
Subject: Bug report against openssh-2.3.0p1
Message-ID: <3A9E8AEE.EDC484E3@cam.ac.uk>

I am writing to report a bug in openssh-2.3.0p1, and to suggest a fix.

I have OpenSSH installed on a Solaris 8 box. The output of uname -a is:

> SunOS dipper.csi.cam.ac.uk 5.8 Generic_108528-06 sun4u sparc SUNW,Ultra-5_10

OpenSSH was configured with the following options:

> ./configure --prefix=/jackdaw --with-default-path=/jackdaw/bin:/usr/bin

On this OS, with this configuration, it uses PAM.

I have a passwordless account, and passwordless login is permitted, both by 'PASSREQ=NO' in /etc/default/login and 'PermitEmptyPasswords yes' in sshd_config.

The symptom of the bug is that interactive ssh to the passwordless account fails. The sshd session process takes a SIGSEGV just after the debugging message 'PAM setting tty to ...'. I think that the SIGSEGV is inside pam_open_session. Truss shows that the lastlog file has just been opened for writing.

Non-interactive uses of ssh work.

The cause is that, on this route through the code, do_pam_account is _not_ called, but do_pam_session is. This results in pam_open_session being called with PAM_TTY set but PAM_RHOST not set. (In the non-interactive case, PAM_TTY is not set either, so the PAM module does not try to update lastlog, and so does not look at PAM_RHOST).

The SIGSEGV might be regarded as a bug in Sun's code, but the failure to set PAM_RHOST in the case of a passwordless login is a bug in OpenSSH.

I have applied the following patch to my copy. It seems to fix the problem.

*** auth1.c Thu Mar 1 17:33:31 2001 --- auth1.c.patched Thu Mar 1 17:33:18 2001 *************** *** 455,461 **** (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif /* KRB4 */ #ifdef USE_PAM ! 
auth_pam_password(pw, "")) { #elif defined(HAVE_OSF_SIA) (sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0, --- 455,461 ---- (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif /* KRB4 */ #ifdef USE_PAM ! auth_pam_password(pw, "") && do_pam_account(pw->pw_name, NULL)) { #elif defined(HAVE_OSF_SIA) (sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0,

-- 
Charles Jardine - Computing Service, University of Cambridge
cj10 at cam.ac.uk    Tel: +44 1223 334506, Fax: +44 1223 334679

From ktaylor at eosdata.gsfc.nasa.gov Fri Mar 2 04:51:10 2001
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor)
Date: Thu, 01 Mar 2001 12:51:10 -0500
Subject: add scp path to _PATH_STDPATH
References: 
Message-ID: <3A9E8C0E.AB893F45@daac.gsfc.nasa.gov>

Kevin Steves wrote:
> 
> On Wed, 28 Feb 2001, Tim Rice wrote:
> : > i don't like munging path if a user specified a path
> : 
> : Then you still have the same problem of scp not working.
> : Configure does give ample warning when it modifies the path.
> : I figure if someone REALLY wants a path that doesn't include the location
> : of scp they can edit config.h after configure runs.
> 
> i still believe --with-default-path= should *not* be modified.  the
> default settings should work (today they don't) and if a user chooses to
> override them we shouldn't assume to know more than they do.  if we
> want, we can display a warning message for this case.

I had to set --with-default-path because openssh wasn't reading stuff in my /etc/default/login file (on IRIX)....and because UseLogin wasn't working, the correct path to scp was not being found.

That's an instance where it needs to be modified.

From stevesk at sweden.hp.com Fri Mar 2 04:53:50 2001
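Review bot: the auth1.c hunk above (the USE_PAM branch of the empty-password check) cures the crash through a side effect rather than directly. do_pam_account() is added to the condition so that, as the report explains, PAM_RHOST is set before do_pam_session() reaches pam_open_session(); the account check itself is a welcome addition, since without it this path lets an expired or locked account in with no password at all, but if PAM_RHOST is the item the Solaris module dereferences it should be set once in the PAM setup that every authentication route passes through, so that any other route reaching do_pam_session() without do_pam_account() does not hit the same SIGSEGV (the report only exercises the empty-password case). Also say in a comment what the NULL second argument to do_pam_account() means on this path; from the hunk alone a reader cannot tell whether it is a remote user name that is simply unavailable here or a value that should have been supplied.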
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Thu, 1 Mar 2001 18:53:50 +0100 (MET)
Subject: Expired password handling in openssh-2.5.1p1/2
In-Reply-To: <3A9E7FCD.BF9C36CA@daac.gsfc.nasa.gov>
Message-ID: 

On Thu, 1 Mar 2001, Kevin Taylor wrote:
: Are there plans, or does someone have a fix, for having openssh force
: users to change passwords when they're expired?
: 
: Right now the program closes the connection....the commercial ssh
: manages to exec /bin/passwd after they enter their current password.

there is only support thru PAM right now.  i had started a multi-platform password interface last year, and while it was close to the point of being integrated, i have been side-tracked with stuff that was more interesting to work on.  adding just code to run passwd if the password has expired isn't hard, and maybe we should do that.

From ktaylor at eosdata.gsfc.nasa.gov Fri Mar 2 04:54:28 2001
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor)
Date: Thu, 01 Mar 2001 12:54:28 -0500
Subject: Expired password handling in openssh-2.5.1p1/2
References: 
Message-ID: <3A9E8CD4.50D69164@daac.gsfc.nasa.gov>

Kevin Steves wrote:
> 
> On Thu, 1 Mar 2001, Kevin Taylor wrote:
> : Are there plans, or does someone have a fix, for having openssh force
> : users to change passwords when they're expired?
> : 
> : Right now the program closes the connection....the commercial ssh
> : manages to exec /bin/passwd after they enter their current password.
> 
> there is only support thru PAM right now.  i had started a
> multi-platform password interface last year, and while it was close to
> the point of being integrated, i have been side-tracked with stuff that
> was more interesting to work on.  adding just code to run passwd if the
> password has expired isn't hard, and maybe we should do that.

It would be greatly appreciated.

-- 
---------------------------------------------------------.
Kevin Taylor                                              \
Systems Administrator - DAAC, Code 902, Bldg 32, Rm N126A /
Science Systems and Applications, Inc.                    \
Goddard Space Flight Center                               /
Greenbelt, MD 20771                                       \
                                                          /
Phone: (301) 614-5505                                     \
e-mail: ktaylor at daac.gsfc.nasa.gov                     /
----------------------------------------------------------'

From stevesk at sweden.hp.com Fri Mar 2 04:57:45 2001
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Thu, 1 Mar 2001 18:57:45 +0100 (MET)
Subject: add scp path to _PATH_STDPATH
In-Reply-To: <3A9E8C0E.AB893F45@daac.gsfc.nasa.gov>
Message-ID: 

On Thu, 1 Mar 2001, Kevin Taylor wrote:
: > i still believe --with-default-path= should *not* be modified.  the
: > default settings should work (today they don't) and if a user chooses to
: > override them we shouldn't assume to know more than they do.  if we
: > want, we can display a warning message for this case.
: 
: I had to set --with-default-path because openssh wasn't reading stuff in
: my /etc/default/login file (on IRIX)....and because UseLogin wasn't
: working, the correct path to scp was not being found.
: 
: That's an instance where it needs to be modified.

i feel that's a case where you should add it yourself.

From stevesk at sweden.hp.com Fri Mar 2 05:06:50 2001
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Thu, 1 Mar 2001 19:06:50 +0100 (MET)
Subject: OpenSSH 2.5.1p1 on HP-UX: No CTRL+C possible!!!
In-Reply-To: <20010228111019.A3891@rhs-notebook>
Message-ID: 

On Wed, 28 Feb 2001, Randolf Skerka wrote:
: On a System: HP-UX B.11.00 A 9000/887 two-user license no CTRL+C is
: possible. When I make a telnet localhost within the SecureShell session
: CTRL+C works as expected.
: 
: On a System HP-UX B.11.00 B 9000/800 16-user license CTRL+C works as
: expected within SSH!
: 
: I've checked /etc/termcap and /bin/sh on both systems. They are identical.
: More hints?
: 
: Totally confused!

it would help to try to narrow this down a bit, to note the ssh<->sshd platforms, ssh versions, protocol and any other information that might be useful for each success/failure case.  i really don't have any ideas right now.

From cmadams at hiwaay.net Fri Mar 2 05:16:52 2001
From: cmadams at hiwaay.net (Chris Adams)
Date: Thu, 1 Mar 2001 12:16:52 -0600
Subject: OSF_SIA bug in 2.3.0p1
In-Reply-To: <20010301113311.B167828@isc.upenn.edu>; from speno@isc.upenn.edu on Thu, Mar 01, 2001 at 11:33:11AM -0500
References: <200102120514.f1C5Eex16051@ariel.ucs.unimelb.edu.au> <20010212112224.F7301@HiWAAY.net> <20010301113311.B167828@isc.upenn.edu>
Message-ID: <20010301121652.E29610@HiWAAY.net>

Once upon a time, John P Speno said:
> On Mon, Feb 12, 2001 at 11:22:24AM -0600, Chris Adams wrote:
> > There may still be a problem with information going back to the user.
> > Someone reported to me that on Tru64 5.1, the last login times are
> > printed when connecting to an account that is locked.  It doesn't happen
> > under 4.0F, so I haven't been able to track down what is happening
> > (don't have 5.x installed here yet - CDs are still on the bookshelf).
> 
> That someone was me. And it's not just 5.x, it also happens under 4.0F.

There must be some kind of configuration difference then, because it does not happen under 4.0F for me.  With OpenSSH 2.3.0p1 on 4.0F, I get:

$ ssh dns
Account is disabled -- see Account Administrator.
Connection to dns closed.
$ 

This is the same thing that rsh returns.

There is a problem with OpenSSH 2.5.1p1 that I need to look at:

$ ssh fly
Connection to fly closed by remote host.
Connection to fly closed.
$ 

It should report that the account is disabled like 2.3.0p1.

> The issue is that last login times and /etc/motd are printed from do_login
> in session.c, but session_setup_sia which checks for locked accounts is in
> do_child which runs after do_login. So, if you authenticate yourself but
> your account is locked, you will still see your last login time and
> /etc/motd. What's worse is that the login will be recorded in
> /var/adm/lastlog as if it were a normal successful login (which it really
> isn't, as the account is locked).
I don't get that behavior either - "Last successful login" reflects the last _successful_ login; the attempt to login to a locked account fails and that time is reflected in "Last unsuccessful login".

I did just realize that I had ".hushlogin", so I did not get the MOTD.  D'oh!  I do now get the MOTD, even on locked accounts.  I will look into this.  I still do not get my last login times printed.  I will look at this some more.

-- 
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From mouring at etoh.eviladmin.org Fri Mar 2 06:56:11 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 1 Mar 2001 13:56:11 -0600 (CST)
Subject: Redhat 6.2 report.
Message-ID: 

I'm getting minor reports from the EFNET irc channel I hang out that ./configure fails to find OpenSSL.  However ./configure --with-pam succeeds.

The config.log hints to the fact that -ldl is not included when one does not use --with-pam.

Can I get confirmation on this?  It does not occur on Redhat 7.0.

- Ben

From pekkas at netcore.fi Fri Mar 2 06:12:13 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Thu, 1 Mar 2001 21:12:13 +0200 (EET)
Subject: Redhat 6.2 report.
In-Reply-To: 
Message-ID: 

On Thu, 1 Mar 2001 mouring at etoh.eviladmin.org wrote:
> I'm getting minor reports from the EFNET irc channel I hang out that
> ./configure fails to find OpenSSL.  However ./configure --with-pam
> succeeds.
> 
> The config.log hints to the fact that -ldl is not included when one
> does not use --with-pam.
> 
> Can I get confirmation on this?  It does not occur on Redhat 7.0.

On Red Hat Linux 6.2, plain './configure' finishes just fine here.

OpenSSH has been configured with the following options.
               User binaries: /usr/local/bin
             System binaries: /usr/local/sbin
         Configuration files: /usr/local/etc
             Askpass program: /usr/local/libexec/ssh-askpass
                Manual pages: /usr/local/man/manX
                    PID file: /var/run
    Random number collection: Device (/dev/urandom)
              Manpage format: man
                 PAM support: no
          KerberosIV support: no
                 AFS support: no
               S/KEY support: no
        TCP Wrappers support: no
        MD5 password support: no
 IP address in $DISPLAY hack: no
    Use IPv4 by default hack: no
     Translate v4 in v6 hack: yes

              Host: i586-pc-linux-gnu
          Compiler: gcc
    Compiler flags: -g -O2 -Wall
Preprocessor flags: 
      Linker flags: 
         Libraries: -lz -lnsl -lutil -lcrypto -lcrypt

If it's significant, I'm using RHL errata OpenSSL, not djm's.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

From mouring at etoh.eviladmin.org Fri Mar 2 07:18:13 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 1 Mar 2001 14:18:13 -0600 (CST)
Subject: Redhat 6.2 report.
In-Reply-To: 
Message-ID: 

On Thu, 1 Mar 2001, Pekka Savola wrote:
> On Thu, 1 Mar 2001 mouring at etoh.eviladmin.org wrote:
> > I'm getting minor reports from the EFNET irc channel I hang out that
> > ./configure fails to find OpenSSL.  However ./configure --with-pam
> > succeeds.
> > 
> > The config.log hints to the fact that -ldl is not included when one
> > does not use --with-pam.
> > 
> > Can I get confirmation on this?  It does not occur on Redhat 7.0.
> 
> On Red Hat Linux 6.2, plain './configure' finishes just fine here.
> 

Hmm.. I've asked if he could do some more testing and post his results to the list directly.  So.. I guess I'll leave it at that.

Thanks

- Ben

From matthew_carlson at non.hp.com Fri Mar 2 07:14:44 2001
From: matthew_carlson at non.hp.com (CARLSON,MATTHEW (Non-HP-Cupertino,ex1))
Date: Thu, 1 Mar 2001 12:14:44 -0800
Subject: rsa_public_encrypt() exponent too small or not odd
Message-ID: <4341EF5F8B4AD311AB4B00902740B9F204605715@xcup02.cup.hp.com>

After a very late night I have some info for this.

I had installed openssl in an initial directory tree.

/opt/ims/include
/opt/ims/bin
/opt/ims/ssl

I then installed it in its own tree and deleted the initial trees.

/opt/ims/openssl/0.9.6

I forgot to delete /opt/ims/include/openssl

Now I am not quite sure if there was a possible version overwrite of 0.9.6 on top of 0.9.5a in /opt/ims/include/openssl since 0.9.5a was installed in there before.

After deleting the /opt/ims/include/openssl tree and just using /opt/ims/openssl/0.9.6 then recompiling OpenSSH it worked fine.

If you could point out in the fact that rsa problems like this may be in fact caused by the OpenSSL build or include files it would be very helpful.

Matthew Carlson

-----Original Message-----
From: Kevin Steves [mailto:stevesk at sweden.hp.com]
Sent: Thursday, March 01, 2001 9:37 AM
To: CARLSON,MATTHEW (Non-HP-Cupertino,ex1)
Cc: 'openssh-unix-dev at mindrot.org'
Subject: Re: rsa_public_encrypt() exponent too small or not odd

On Tue, 27 Feb 2001, CARLSON,MATTHEW (Non-HP-Cupertino,ex1) wrote:
: I am attempting to deploy OpenSSH.
: 
: The trouble is I keep getting the rsa_public_encrypt() exponent too small or
: not odd with the SSH 1 or 1.5 protocols. I can't get OpenSSH to communicate
: with itself with any protocol other than SSH 2.

i have never seen this on hp-ux 11.  what openssh version?  i would guess it has to do with either your specific build or your configuration.  does openssl pass make test?  can you try with a new host key?

: Platform notes:
: 
: HP-UX 11.00 Dart 51 64bit
: OpenSSL 0.9.6
: Zlib 1.1.3
: 
: Cflags:
: -Ae

-Ae is the default for ansi cc on 11.

From dankamin at cisco.com Fri Mar 2 08:32:20 2001
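Added example, not code from the thread, OpenSSH or OpenSSL: the check that would have caught the root cause Matthew Carlson reports above (a leftover 0.9.5a header tree under /opt/ims/include next to the real 0.9.6 install). It walks the roots you name, finds every openssl/opensslv.h, reads the version out of OPENSSL_VERSION_TEXT, and refuses to pass when any header tree is not the version you intend to build against. The /opt/ims layout, the sample tree and the version strings are constructed for the example; run it against real roots with check(["/opt/ims", "/usr/local"], "0.9.6").

```python
"""Find every openssl/opensslv.h under some include roots and flag header trees
whose version is not the one you intend to compile OpenSSH against.  Added
example; the /opt/ims layout in make_sample_tree() is constructed."""
import os
import re
import tempfile

# Matches the real header line, e.g.
#   # define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6 24 Sep 2000"
# and captures just the version token ("0.9.6", "0.9.5a").
VERSION_RE = re.compile(r'#\s*define\s+OPENSSL_VERSION_TEXT\s+"OpenSSL\s+(\S+)')


def header_version(path):
    """Return the version token from an opensslv.h, or None if not found."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = VERSION_RE.search(line)
            if m:
                return m.group(1)
    return None


def find_header_trees(roots):
    """Collect (include_dir, version) for every openssl/opensslv.h below the
    given roots.  include_dir is the directory you would pass with -I, i.e.
    the parent of the openssl/ directory, sorted so output is stable."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            if os.path.basename(dirpath) == "openssl" and "opensslv.h" in files:
                include_dir = os.path.dirname(dirpath)
                version = header_version(os.path.join(dirpath, "opensslv.h"))
                found.append((include_dir, version))
    return sorted(found)


def check(roots, expected):
    """Return (ok, report).  ok is False if no headers were found at all or if
    any tree carries a version other than ``expected``: a stray tree is exactly
    what an -I path or a default search path may pick up ahead of the right one,
    and a header/library mismatch is what produced the rsa_public_encrypt()
    failure in the thread."""
    trees = find_header_trees(roots)
    report = [f"{inc}: {ver or 'unreadable'}" for inc, ver in trees]
    stale = [inc for inc, ver in trees if ver != expected]
    return (bool(trees) and not stale), report


def make_sample_tree():
    """Constructed layout mirroring the report: an old 0.9.5a header tree left
    under include/ beside a proper 0.9.6 install under openssl/0.9.6/."""
    base = tempfile.mkdtemp(prefix="ims-")
    for rel, text in (("include/openssl", "0.9.5a 1 Apr 2000"),
                      ("openssl/0.9.6/include/openssl", "0.9.6 24 Sep 2000")):
        d = os.path.join(base, rel)
        os.makedirs(d)
        with open(os.path.join(d, "opensslv.h"), "w", encoding="utf-8") as fh:
            fh.write(f'# define OPENSSL_VERSION_TEXT "OpenSSL {text}"\n')
    return {"base": base, "clean": os.path.join(base, "openssl")}


if __name__ == "__main__":
    sample = make_sample_tree()
    ok, report = check([sample["base"]], "0.9.6")
    print("\n".join(report))
    print("OK" if ok else "MISMATCH: stale OpenSSL headers present")
```

The check deliberately fails on "no headers found" as well as on a mismatch, so a typo in the roots cannot produce a clean result.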
From: dankamin at cisco.com (Dan Kaminsky)
Date: Thu, 01 Mar 2001 13:32:20 -0800
Subject: AllowHosts / DenyHosts
References: <20010228095851.E13239@folly> <01bd01c0a16c$bfd4d430$0200040a@na.cisco.com> <20010228110136.A8531@faui02.informatik.uni-erlangen.de> <001301c0a176$feb6ce60$0200040a@na.cisco.com> <20010228124306.A14063@faui02.informatik.uni-erlangen.de> <009901c0a243$10359730$0300040a@na.cisco.com> <20010301152622.A27047@faui02.informatik.uni-erlangen.de> <01f301c0a262$be6b6d60$0300040a@na.cisco.com> <20010301163041.A6311@faui02.informatik.uni-erlangen.de> <022301c0a269$4bc52150$0300040a@na.cisco.com> <20010301170710.B7177@faui02.informatik.uni-erlangen.de> <023101c0a26c$752aa2b0$0300040a@na.cisco.com> <005b01c0a274$cf60af60$1900a8c0@devn>
Message-ID: <3A9EBFE4.3050905@cisco.com>

> i've gone over and over keynote notation/whatever you want to call it, and
> still can't understand it. that doesn't mean that i don't think it's a good
> thing to have there if i want to learn and use it at some point in the
> future.

You want the feature--but cannot grok the syntax.  I don't think you're alone.

> 
> personally, i think it'd be great to be able to set options in sshd based on
> what user is logging in or what host they're logging in from or what key
> they're using to log in or any number of other things. i was actually going
> to suggest/request something like that a couple days ago, but now that the
> opportunity and possibility of using someone else's code and not having to
> reinvent the wheel has come up, i think we should definitely grab it!

I don't like the concept of a huge barrier to entry in configuring SSH.  I think we *all* agree it'd be good to be able to have more fine grained controls.  The disagreement comes in whether or not Keynote is an appropriate infrastructure for those controls.
I think it's overcomplicated, too dangerous to use as an external library (consider--it needs the ability to view, and possibly change, all SSHD parameters dynamically), and unnecessary--we can get most of the gains of keynote by simply extending *slightly* on the work done in readconf.c.

There are things that are important--we should be able to switch on the criticals, like Who is coming from Where, *When*, maybe using What.  We can do this without Keynote--though please, if anyone can correct, do so!  If we can do without, do it safer, do it easier, do it arguably even faster...

Isn't that doing it right?

Yours Truly,

Dan Kaminsky, CISSP
www.doxpara.com

From devon at admin2.gisnetworks.com Fri Mar 2 08:24:20 2001
From: devon at admin2.gisnetworks.com (Devon Bleak)
Date: Thu, 1 Mar 2001 13:24:20 -0800
Subject: AllowHosts / DenyHosts
References: <20010228095851.E13239@folly> <01bd01c0a16c$bfd4d430$0200040a@na.cisco.com> <20010228110136.A8531@faui02.informatik.uni-erlangen.de> <001301c0a176$feb6ce60$0200040a@na.cisco.com> <20010228124306.A14063@faui02.informatik.uni-erlangen.de> <009901c0a243$10359730$0300040a@na.cisco.com> <20010301152622.A27047@faui02.informatik.uni-erlangen.de> <01f301c0a262$be6b6d60$0300040a@na.cisco.com> <20010301163041.A6311@faui02.informatik.uni-erlangen.de> <022301c0a269$4bc52150$0300040a@na.cisco.com> <20010301170710.B7177@faui02.informatik.uni-erlangen.de> <023101c0a26c$752aa2b0$0300040a@na.cisco.com> <005b01c0a274$cf60af60$1900a8c0@devn> <3A9EBFE4.3050905@cisco.com>
Message-ID: <012101c0a296$0244c7b0$1900a8c0@devn>

my main point is development time. in the end, it's really left up to the people who write the code whether they want to implement something that's already been implemented in a library, or just link to the library.

to me, keynote seems reasonable. if you need a security policy as complex as the one i think you're describing, then there's not going to be a simple way to describe it. i'm not saying that keynote should be something that's _required_ to configure OpenSSH, just that we should have the option of using it. that way, the people that grok can, and the people that don't will determine if it's worth their time and energy to learn.

i definitely think that the default should be to NOT require keynote support, or if it is, then to supply a working, simple, open (as in not requiring any modification to let anybody connect) default configuration, much like the default sshd_config that's supplied now.
both solutions seem viable to me, the only difference being that keynote is already in a handy library and would probably require less development time to implement while giving the greatest flexibility (keeping in mind that i haven't actually read through servconf.c, so i really don't know for sure what it would take to implement something like what you're talking about).

devon

----- Original Message -----
From: "Dan Kaminsky"
To: "Devon Bleak"
Cc: "Markus Friedl" ; 
Sent: Thursday, March 01, 2001 1:32 PM
Subject: Re: AllowHosts / DenyHosts

> > i've gone over and over keynote notation/whatever you want to call it, and
> > still can't understand it. that doesn't mean that i don't think it's a good
> > thing to have there if i want to learn and use it at some point in the
> > future.
>
> You want the feature--but cannot grok the syntax.  I don't think you're
> alone.
>
> >
> > personally, i think it'd be great to be able to set options in sshd based on
> > what user is logging in or what host they're logging in from or what key
> > they're using to log in or any number of other things. i was actually going
> > to suggest/request something like that a couple days ago, but now that the
> > opportunity and possibility of using someone else's code and not having to
> > reinvent the wheel has come up, i think we should definitely grab it!
>
> I don't like the concept of a huge barrier to entry in configuring SSH.
> I think we *all* agree it'd be good to be able to have more fine grained
> controls.  The disagreement comes in whether or not Keynote is an
> appropriate infrastructure for those controls.  I think it's
> overcomplicated, too dangerous to use as an external
> library (consider--it needs the ability to view, and possibly change, all
> SSHD parameters dynamically), and unnecessary--we can get most of the
> gains of keynote by simply extending *slightly* on the work done in
> readconf.c.
>
> There are things that are important--we should be able to switch on the
> criticals, like Who is coming from Where, *When*, maybe using What.  We
> can do this without Keynote--though please, if anyone can correct, do
> so!  If we can do without, do it safer, do it easier, do it arguably
> even faster...
>
> Isn't that doing it right?
>
> Yours Truly,
>
> Dan Kaminsky, CISSP
> www.doxpara.com
>

From Leigh.Klotz at pahv.xerox.com Fri Mar 2 09:10:49 2001
From: Leigh.Klotz at pahv.xerox.com (Leigh L. Klotz, Jr.)
Date: Thu, 01 Mar 2001 14:10:49 -0800
Subject: ssh-add won't look for id_dsa in ssh-clients-2.3.0p1-4 but did in ssh-clients-2.5.1p2-1
Message-ID: <3A9EC8E9.A146E6E6@pahv.xerox.com>

I've been running ssh-clients-2.3.0p1-4 on RedHat 7.0 and upgraded to 2.5.1p2-1 yesterday from ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/SRPMS/.

I noticed that 2.5.1p2-1 ssh-add won't look for id_dsa.pub by default -- if I have no identity file it just says "/home/klotz/.ssh/identity: No such file or directory"

The 2.5.1p1-1 I got from RedHat's rawhide site *does* look for it.  Is this a RedHat patch?

It works if I explicitly specify /home/klotz/.ssh/id_dsa.pub

I looked in ssh-add.c from openssh-2.5.1p2-1.src.rpm from the OpenBSD rpm directory mentioned above, and I see that at line 295 it looks in _PATH_SSH_CLIENT_IDENTITY but no further.  I see that readconf.c in line 810 does check options->protocol && SSH_PROTO_2 and will also check _PATH_SSH_CLIENT_ID_DSA, but this logic is not present in ssh-add.

Since I don't have the CVS tree, I couldn't check to see if this logic was previously present in ssh-add.c or not, or if it is a RedHat patch.

Am I broken in some way to expect ssh-add simply to work with id_dsa without an explicit argument?

Leigh.

From markus.friedl at informatik.uni-erlangen.de Fri Mar 2 09:38:43 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 1 Mar 2001 23:38:43 +0100
Subject: AllowHosts / DenyHosts
In-Reply-To: <022301c0a269$4bc52150$0300040a@na.cisco.com>; from dankamin@cisco.com on Thu, Mar 01, 2001 at 08:04:28AM -0800
References: <20010228095851.E13239@folly> <01bd01c0a16c$bfd4d430$0200040a@na.cisco.com> <20010228110136.A8531@faui02.informatik.uni-erlangen.de> <001301c0a176$feb6ce60$0200040a@na.cisco.com> <20010228124306.A14063@faui02.informatik.uni-erlangen.de> <009901c0a243$10359730$0300040a@na.cisco.com> <20010301152622.A27047@faui02.informatik.uni-erlangen.de> <01f301c0a262$be6b6d60$0300040a@na.cisco.com> <20010301163041.A6311@faui02.informatik.uni-erlangen.de> <022301c0a269$4bc52150$0300040a@na.cisco.com>
Message-ID: <20010301233843.B9520@folly>

On Thu, Mar 01, 2001 at 08:04:28AM -0800, Dan Kaminsky wrote:
> > you miss the point. the example is not about ipsec.
> 
> Markus, you miss the point: IPsec is *misery incarnate* to configure and
> the keynote syntax certainly doesn't help that.

talk to Angelos if you think that keynote does not help making ipsec policy handling simpler.

-markus

From mouring at etoh.eviladmin.org Fri Mar 2 10:46:28 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 1 Mar 2001 17:46:28 -0600 (CST)
Subject: OpenSSH 2.5.1 compatibility problem
In-Reply-To: <5.0.2.1.0.20010221113907.00a217d0@mailandnews.com>
Message-ID: 

You install OpenSSH how?

Redhat RPMs?
OpenSSH.com RPMS?  (If you're using this one you *MUST* run 0.9.6 OpenSSL)
Compiled it yourself?

Also have you tried 2.5.1p2?

- Ben

On Wed, 21 Feb 2001, Neal Barney wrote:
> SSH server specs:
> -----------------------
> Redhat Linux 6.2
> Custom built 2.2.17 kernel
> OpenSSL 0.9.5a (update from RedHat).
> OpenSSH 2.5.1p1
> 
>          I am using my Linux box as an Internet gateway.  I wanted to keep
> the box as secure as possible while still having the functionality I
> needed.  The only way to connect to my server is through SSH.  A fair
> majority of the time I am attempting to connect to the server from a
> Windows box (whether at work, home, or on the road...).  The software that
> I have used extensively in the past is a great little program called PuTTY
> (http://www.chiark.greenend.org.uk/~sgtatham/putty/).  It supports SSH1 and
> SSH2 protocols.  I have never had any problems in the past using these two
> pieces of software together.  PuTTY has worked flawlessly with OpenSSH
> 2.2.0p1 and 2.3.0p1.
>          However, using OpenSSH 2.5.1p1 PuTTY will no longer work.  PuTTY
> will briefly flash a window and exit.  No error messages are given from
> PuTTY.  However, the sshd daemon outputs the following line to the Linux
> log file:
> 
> Feb 21 10:13:04 rugen sshd[21915]: fatal: xfree: NULL pointer given as argument
> 
> Everything works fine if I downgrade to OpenSSH 2.3.0p1.
> 
> For completeness sake, I'll include some info about the client machine:
> 
> PuTTY version: 0.51 (also downloaded snapshot on Feb 21st, 2001).
> OS: Windows 98
> Connection mode: SSH
> 
> Options selected:
> --------------------------
> Connection
>     Terminal type string            xterm
>     Auto-login username             (blank) (also tried using local login name)
> 
> SSH
>     Remote command                  (blank)
>     Attempt TIS or Cryptocard...    (not checked)
>     Allows agent forwarding         (not checked)
>     Don't allocate a pseudo-term.   (not checked)
>     Preferred Protocol vers.        SSH2
>     Preferred Encryption algo.      3DES
>     Imitate MAC bug in com...       (not checked)
> 
> The author of putty (putty at projects.tartarus.org) has already been
> contacted about this problem.  I hope that enough information was given and
> is helpful in locating the problem.
> 

From pekkas at netcore.fi Fri Mar 2 09:58:55 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Fri, 2 Mar 2001 00:58:55 +0200 (EET)
Subject: OpenSSH 2.5.1 compatibility problem
In-Reply-To: 
Message-ID: 

On Thu, 1 Mar 2001 mouring at etoh.eviladmin.org wrote:
> 
> You install OpenSSH how?
> 
> Redhat RPMs?
> OpenSSH.com RPMS?  (If you're using this one you *MUST* run 0.9.6 OpenSSL)
> Compiled it yourself?
> 
> Also have you tried 2.5.1p2?

Hmm.. I wonder if there should be a note in the docs about how you rebuild the RPM from .src.rpm.

This might be helpful because I think it's a wrong approach to tell people to upgrade their OpenSSL (because that'll break their _other_ apps using it..).

> On Wed, 21 Feb 2001, Neal Barney wrote:
> 
> > SSH server specs:
> > -----------------------
> > Redhat Linux 6.2
> > Custom built 2.2.17 kernel
> > OpenSSL 0.9.5a (update from RedHat).
> > OpenSSH 2.5.1p1
> > 
> >          I am using my Linux box as an Internet gateway.  I wanted to keep
> > the box as secure as possible while still having the functionality I
> > needed.  The only way to connect to my server is through SSH.  A fair
> > majority of the time I am attempting to connect to the server from a
> > Windows box (whether at work, home, or on the road...).  The software that
> > I have used extensively in the past is a great little program called PuTTY
> > (http://www.chiark.greenend.org.uk/~sgtatham/putty/).  It supports SSH1 and
> > SSH2 protocols.  I have never had any problems in the past using these two
> > pieces of software together.  PuTTY has worked flawlessly with OpenSSH
> > 2.2.0p1 and 2.3.0p1.
> >          However, using OpenSSH 2.5.1p1 PuTTY will no longer work.  PuTTY
> > will briefly flash a window and exit.  No error messages are given from
> > PuTTY.  However, the sshd daemon outputs the following line to the Linux
> > log file:
> > 
> > Feb 21 10:13:04 rugen sshd[21915]: fatal: xfree: NULL pointer given as argument
> > 
> > Everything works fine if I downgrade to OpenSSH 2.3.0p1.
> > 
> > For completeness sake, I'll include some info about the client machine:
> > 
> > PuTTY version: 0.51 (also downloaded snapshot on Feb 21st, 2001).
> > OS: Windows 98
> > Connection mode: SSH
> > 
> > Options selected:
> > --------------------------
> > Connection
> >     Terminal type string            xterm
> >     Auto-login username             (blank) (also tried using local login name)
> > 
> > SSH
> >     Remote command                  (blank)
> >     Attempt TIS or Cryptocard...    (not checked)
> >     Allows agent forwarding         (not checked)
> >     Don't allocate a pseudo-term.   (not checked)
> >     Preferred Protocol vers.        SSH2
> >     Preferred Encryption algo.      3DES
> >     Imitate MAC bug in com...       (not checked)
> > 
> > The author of putty (putty at projects.tartarus.org) has already been
> > contacted about this problem.  I hope that enough information was given and
> > is helpful in locating the problem.
> > 
> 

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

From mouring at etoh.eviladmin.org Fri Mar 2 10:52:58 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 1 Mar 2001 17:52:58 -0600 (CST)
Subject: OpenSSH 2.5.1 compatibility problem
In-Reply-To:
Message-ID:

On Fri, 2 Mar 2001, Pekka Savola wrote:
> On Thu, 1 Mar 2001 mouring at etoh.eviladmin.org wrote:
> > 
> > You install OpenSSH how?
> > 
> > Redhat RPMs?
> > OpenSSH.com RPMS? (If you're using this one you *MUST* run 0.9.6 OpenSSL)
> > Compiled it yourself?
> > 
> > Also have you tried 2.5.1p2?
> 
> Hmm.. I wonder if there should be a note in the docs about how you
> rebuild the RPM from .src.rpm.
> 
> This might be helpful because I think it's a wrong approach to tell people
> to upgrade their OpenSSL (because that'll break their _other_ apps
> using it..).
> 

No need.. outside the fact that the RPM requires the same release as it was compiled against. If you attempt to run the 2.5.1p2 release and it was not compiled for that OpenSSL shared library it will fatal(..) out.

- Ben

From carioli at mit.it Thu Mar 1 20:45:31 2001
From: carioli at mit.it (Gabriele Carioli)
Date: Thu, 1 Mar 2001 10:45:31 +0100
Subject: RedHat 6.2 RPMs vs OpenSSL 0.9.6
Message-ID: <000d01c0a234$5b6f6500$0b00a8c0@mit.home>

Hi!

I'm writing to signal a problem with RedHat Linux 6.2 RPMs for openssh 2.5.1p2. They need exclusively openssl = 0.9.5a (not ">=") while 0.9.6 is the latest version of OpenSSL. I wonder if there is a problem with openssl 0.9.6. Or maybe binaries compiled with 0.9.6 support aren't compatible with those built with 0.9.5a?

By the way, I've rebuilt the RPMs on my system from the source package and upgraded openssh: looks like it's working fine.

Thanks a lot for your excellent work!

-------------------------------------------
Gabriele Carioli
Management Innovative Tools S.p.A.
Piazza Falcone Borsellino n. 23
47100 Forlì (FC) - ITALY (EU)
tel. 0039.0543.412941
fax. 0039.0543.412929
http://www.mit.it/

From matthew_carlson at non.hp.com Thu Mar 1 13:54:23 2001
From: matthew_carlson at non.hp.com (CARLSON,MATTHEW (Non-HP-Cupertino,ex1))
Date: Wed, 28 Feb 2001 18:54:23 -0800
Subject: FW: rsa_public_encrypt() exponent too small or not odd
Message-ID: <4341EF5F8B4AD311AB4B00902740B9F204605713@xcup02.cup.hp.com>

I have the following bug report to submit.

OpenSSH 2.5.1p1 and 2.5.1p2
HP-UX 11.00 Dart 51 64bit (32bit compile)
OpenSSL 0.9.6
Zlib 1.1.3
Cflags: -Ae

I keep getting "rsa_public_encrypt() exponent too small or not odd" with the SSH 1 or 1.5 protocols. I can't get OpenSSH to communicate with itself with any protocol other than SSH 2.

I have searched everywhere. Google, OpenBSD, Dejanews, etc... I found a very old problem that was similar in the OpenSSH mail archives but the rsa.c code file is newer than the fix described.

Any help would be greatly appreciated.

Matthew Carlson

> -----Original Message-----
> From: CARLSON,MATTHEW (Non-HP-Cupertino,ex1)
> Sent: Tuesday, February 27, 2001 3:32 PM
> To: 'openssh-unix-dev at mindrot.org'
> Subject: rsa_public_encrypt() exponent too small or not odd
> 
> 
> I am attempting to deploy OpenSSH.
> 
> The trouble is I keep getting the rsa_public_encrypt() exponent too small or not odd with the SSH 1 or 1.5 protocols. I can't get OpenSSH to communicate with itself with any protocol other than SSH 2.
> 
> 
> Platform notes:
> 
> HP-UX 11.00 Dart 51 64bit
> OpenSSL 0.9.6
> Zlib 1.1.3
> 
> Cflags:
> -Ae
> 
> 
> I have tried with and without optimizations. I noticed that this problem has cropped up in the past on other platforms. But that was on much older releases.
> 
> 
> Anyone got any ideas?
> 
> 
> 
> 
> Matthew Carlson
> 

From agt at ieng9.ucsd.edu Fri Mar 2 11:35:04 2001
From: agt at ieng9.ucsd.edu (Adam Tilghman) Date: Thu, 1 Mar 2001 16:35:04 -0800 (PST) Subject: Patch for system-wide default environment Message-ID: <200103020035.f220Z5h10152@ieng9.ucsd.edu> We recently switched to OpenSSH from ssh 1.2.x and I quickly noticed that /etc/environment processing has gone AWOL. This patch adds a new sshd_config variable: SysEnvFile Specifies a file containing the system-wide default environment in ``VARNAME=value'' format (default is none.) The contents of a user's $HOME/.ssh/environment file, if found, will override vari- ables set within the SysEnvFile. There is already some AIX-specific code which reads in /etc/environment. I left that code alone for now, but it could probably be removed if this more general patch is accepted. Thanks, Adam Tilghman, UC San Diego -- Adam Tilghman | Systems Support / Academic Computing | +1 858 822 0711 agt at ucsd.edu | University of California, San Diego | fax +1 858 534 7018 --- cut here --- diff -r -c openssh-2.5.1p1/servconf.c openssh-2.5.1p1-1/servconf.c *** openssh-2.5.1p1/servconf.c Wed Feb 14 19:08:27 2001 --- openssh-2.5.1p1-1/servconf.c Thu Mar 1 15:45:03 2001 *************** *** 81,86 **** --- 81,87 ---- options->challenge_reponse_authentication = -1; options->permit_empty_passwd = -1; options->use_login = -1; + options->sys_environment_file = NULL; options->allow_tcp_forwarding = -1; options->num_allow_users = 0; options->num_deny_users = 0; *************** *** 210,216 **** sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, ! 
sUseLogin, sAllowTcpForwarding, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, --- 211,217 ---- sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, ! sUseLogin, sSysEnvFile, sAllowTcpForwarding, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, *************** *** 261,266 **** --- 262,268 ---- { "strictmodes", sStrictModes }, { "permitemptypasswords", sEmptyPasswd }, { "uselogin", sUseLogin }, + { "sysenvfile", sSysEnvFile }, { "randomseed", sRandomSeedFile }, { "keepalive", sKeepAlives }, { "allowtcpforwarding", sAllowTcpForwarding }, *************** *** 583,588 **** --- 585,594 ---- case sUseLogin: intptr = &options->use_login; goto parse_flag; + + case sSysEnvFile: + charptr = &options->sys_environment_file; + goto parse_filename; case sGatewayPorts: intptr = &options->gateway_ports; diff -r -c openssh-2.5.1p1/servconf.h openssh-2.5.1p1-1/servconf.h *** openssh-2.5.1p1/servconf.h Wed Feb 14 19:08:27 2001 --- openssh-2.5.1p1-1/servconf.h Thu Mar 1 15:46:40 2001 *************** *** 93,98 **** --- 93,99 ---- int permit_empty_passwd; /* If false, do not permit empty * passwords. */ int use_login; /* If true, login(1) is used */ + char *sys_environment_file; int allow_tcp_forwarding; u_int num_allow_users; char *allow_users[MAX_ALLOW_USERS]; diff -r -c openssh-2.5.1p1/session.c openssh-2.5.1p1-1/session.c *** openssh-2.5.1p1/session.c Sun Feb 18 11:13:34 2001 --- openssh-2.5.1p1-1/session.c Thu Mar 1 15:46:11 2001 *************** *** 1261,1266 **** --- 1261,1269 ---- /* read $HOME/.ssh/environment. 
*/ if (!options.use_login) { + if (options.sys_environment_file != NULL) { + read_environment_file(&env, &envsize, options.sys_environment_file); + } snprintf(buf, sizeof buf, "%.200s/.ssh/environment", pw->pw_dir); read_environment_file(&env, &envsize, buf); diff -r -c openssh-2.5.1p1/sshd.8 openssh-2.5.1p1-1/sshd.8 *** openssh-2.5.1p1/sshd.8 Wed Feb 14 19:08:28 2001 --- openssh-2.5.1p1-1/sshd.8 Thu Mar 1 16:03:04 2001 *************** *** 669,674 **** --- 669,681 ---- file transfer subsystem. By default no subsystems are defined. Note that this option applies to protocol version 2 only. + .It Cm SysEnvFile + Specifies a file containing the system-wide default environment in + .Dq VARNAME=value + format (default is none.) The contents of a user's + .Pa $HOME/.ssh/environment + file, if found, will override variables set within the + .Cm SysEnvFile . .It Cm SyslogFacility Gives the facility code that is used when logging messages from .Nm sshd . From tim at multitalents.net Fri Mar 2 12:12:36 2001 
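Review bot: in the session.c hunk the precedence the new sshd.8 text promises (the user's .ssh/environment overriding SysEnvFile values) is carried entirely by call order: read_environment_file() runs on options.sys_environment_file first and on the user's file second, and the promise holds only if that function replaces an already-set name rather than appending, which the hunk does not show. A one-line comment at the new block stating that dependency would keep a later reordering from silently inverting the documented behaviour. The sshd.8 hunk also documents a new option while the shipped sshd_config example is not touched; a commented-out SysEnvFile line there would match how the neighbouring options are presented.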
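The precedence rule in Adam's description, as an added example that is not OpenSSH code and not part of the patch: a reader for the VARNAME=value environment-file format, applied in the order sshd uses (system-wide file first, then the user's file) so that a later definition replaces an earlier one by name. The two file contents, the `0xA5`-free helper names (`env_read_text`, `session_value` and the rest) and the `MAX_ENV` limit are this example's own constructions.

```c
/* Added example, not OpenSSH code and not part of the patch: a reader for the
 * VARNAME=value environment-file format named in the SysEnvFile description,
 * applied in sshd's order (system-wide file, then the user's file) so that a
 * later definition replaces an earlier one by name. Sample files are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_ENV 64

/* NULL-terminated array of "NAME=value" strings, the shape execve() expects. */
struct env_list {
    char *vars[MAX_ENV + 1];
    size_t count;
};

/* Index of NAME in the list, or env->count if it is not set. */
static size_t env_find(const struct env_list *env, const char *name)
{
    size_t namelen = strlen(name), i;
    for (i = 0; i < env->count; i++)
        if (strncmp(env->vars[i], name, namelen) == 0 &&
            env->vars[i][namelen] == '=')
            break;
    return i;
}

/* Set or replace NAME; replacing by name is what lets the file read second
 * (the user's) override the one read first (the system-wide file). */
static int env_set(struct env_list *env, const char *name, const char *value)
{
    size_t i = env_find(env, name);
    size_t entrylen = strlen(name) + 1 + strlen(value) + 1;
    char *entry = malloc(entrylen);

    if (entry == NULL)
        return -1;
    if (i == env->count) {
        if (env->count >= MAX_ENV) {        /* full: refuse, never overflow */
            free(entry);
            return -1;
        }
        env->vars[++env->count] = NULL;     /* keep the array NULL-terminated */
    } else {
        free(env->vars[i]);                 /* drop the earlier definition */
    }
    snprintf(entry, entrylen, "%s=%s", name, value);
    env->vars[i] = entry;
    return 0;
}

/* Read one environment file held in memory: one NAME=value per line, blank
 * lines and '#' comments skipped, split at the first '='; a line without '='
 * is ignored. Returns how many variables were applied. */
static int env_read_text(struct env_list *env, const char *text)
{
    int applied = 0;
    const char *line = text;

    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *next = eol ? eol + 1 : line + len;
        char buf[1024], *eq = NULL;

        if (len >= sizeof(buf))
            len = sizeof(buf) - 1;          /* truncate an over-long line */
        memcpy(buf, line, len);
        buf[len] = '\0';
        line = next;
        if (buf[0] == '\0' || buf[0] == '#' || (eq = strchr(buf, '=')) == NULL)
            continue;
        *eq = '\0';
        if (env_set(env, buf, eq + 1) == 0)
            applied++;
    }
    return applied;
}

/* Value of NAME, or NULL when unset. */
static const char *env_get(const struct env_list *env, const char *name)
{
    size_t i = env_find(env, name);
    return i == env->count ? NULL : env->vars[i] + strlen(name) + 1;
}

static const char SYSTEM_ENV[] =            /* constructed stand-in for SysEnvFile */
    "# system-wide defaults\nPATH=/usr/bin:/bin\nLANG=C\n\nEDITOR=vi\n";
static const char USER_ENV[] =              /* constructed stand-in for ~/.ssh/environment */
    "LANG=en_US.ISO8859-1\nnot a variable\nEDITOR=emacs\n";

/* Build the session environment once, in sshd's order, and answer lookups. */
static const char *session_value(const char *name)
{
    static struct env_list env;             /* zero-initialised: empty list */
    static int built = 0;
    if (!built) {
        env_read_text(&env, SYSTEM_ENV);    /* SysEnvFile first */
        env_read_text(&env, USER_ENV);      /* user's file second: it overrides */
        built = 1;
    }
    return env_get(&env, name);
}

int main(void)
{
    printf("LANG=%s\n", session_value("LANG"));     /* from the user's file */
    printf("PATH=%s\n", session_value("PATH"));     /* system default retained */
    return 0;
}
```

The `not a variable` line in the constructed user file is silently skipped, which mirrors the format's line-oriented tolerance; the one behaviour worth keeping in mind when adding a system-wide file is that whatever it defines (PATH included) is inherited by every session unless the user's own file redefines it.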
From: tim at multitalents.net (Tim Rice)
Date: Thu, 1 Mar 2001 17:12:36 -0800 (PST)
Subject: add scp path to _PATH_STDPATH
In-Reply-To: <3A9E8C0E.AB893F45@daac.gsfc.nasa.gov>
Message-ID:

On Thu, 1 Mar 2001, Kevin Taylor wrote:

> Kevin Steves wrote:
> > 
> > On Wed, 28 Feb 2001, Tim Rice wrote:
> > : > i don't like munging path if a user specified a path
> > : 
> > : Then you still have the same problem of scp not working.
> > : Configure does give ample warning when it modifies the path.
> > : I figure if someone REALLY wants a path that doesn't include the location
> > : of scp they can edit config.h after configure runs.
> > 
> > i still believe --with-default-path= should *not* be modified. the
> > default settings should work (today they don't) and if a user chooses to
> > override them we shouldn't assume to know more than they do. if we
> > want, we can display warning message for this case.
> > 
> I had to set --with-default-path because openssh wasn't reading stuff in
> my /etc/default/login file (on IRIX)....and because UseLogin wasn't

Ah, another platform that could take advantage of reading PATH/SUPATH from /etc/default/login. Perhaps something for the TODO list.

> working, the correct path to scp was not being found.
> 
> That's an instance where it needs to be modified.
> 

-- 
Tim Rice       Multitalents    (707) 887-1469
tim at multitalents.net

From djm at mindrot.org Fri Mar 2 18:23:51 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 2 Mar 2001 18:23:51 +1100 (EST)
Subject: add scp path to _PATH_STDPATH
In-Reply-To:
Message-ID:

On Thu, 1 Mar 2001, Kevin Steves wrote:

> On Wed, 28 Feb 2001, Tim Rice wrote:
> : > i don't like munging path if a user specified a path
> : 
> : Then you still have the same problem of scp not working.
> : Configure does give ample warning when it modifies the path.
> : I figure if someone REALLY wants a path that doesn't include the location
> : of scp they can edit config.h after configure runs.
> 
> i still believe --with-default-path= should *not* be modified. the
> default settings should work (today they don't) and if a user chooses to
> override them we shouldn't assume to know more than they do. if we
> want, we can display warning message for this case.

I agree - if people are specifying a PATH themselves, then it is not too much to ask that it be correct.

-d

-- 
| Damien Miller \  ``E-mail attachments are the poor man's
| http://www.mindrot.org /   distributed filesystem'' - Dan Geer

From djm at mindrot.org Fri Mar 2 19:24:41 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 2 Mar 2001 19:24:41 +1100 (EST)
Subject: AllowHosts / DenyHosts
In-Reply-To: <20010301152622.A27047@faui02.informatik.uni-erlangen.de>
Message-ID:

On Thu, 1 Mar 2001, Markus Friedl wrote:

> So for openssh I'd like to have
> a /etc/sshd_policy per system and a .ssh/policy per user.

Longer term, being able to send signed credentials either before or during authentication would be really cool.

> > ...doesn't really seem like it'll gain a lot of followers. I mean,
> > I thoroughly grant you that I haven't examined Keynote nearly
> > enough to dismiss it, and honestly am interested in what you think
> > SSH would get out of what might be a very significant amount of code.
> 
> the parsing and eval is done by libkeynote, so all ssh has to
> do is set the variables (e.g. remote_use, remote_ip, forward_target)
> and call kn_query().

How would we handle forced commands? I couldn't see any way to get keynote to return anything other than a pre-determined answer.

-d

-- 
| Damien Miller \  ``E-mail attachments are the poor man's
| http://www.mindrot.org /   distributed filesystem'' - Dan Geer

From djm at mindrot.org Fri Mar 2 19:29:37 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 2 Mar 2001 19:29:37 +1100 (EST)
Subject: Solaris port configure not recognizing --sysconfidir?
In-Reply-To:
Message-ID:

On Thu, 1 Mar 2001, Hisashi T Fujinaka wrote:

> I tried to move the configuration directory to /etc/ssh. Unfortunately,
> there appears to be something compiled into sshd and into the solaris
> build script.
> 
> Rather than thrash around and try to hack random files on my end, I
> thought I'd ask to see if I'm just doing something stupid or if someone
> could tell me which files I really need to edit.

You are talking about the stuff in contrib/solaris? This needs tweaking if you build with anything other than default configure options.

A good project for someone would be to integrate the contrib/solaris stuff with configure so the paths, etc. are automatically filled in.

-d

-- 
| Damien Miller \  ``E-mail attachments are the poor man's
| http://www.mindrot.org /   distributed filesystem'' - Dan Geer

From djm at mindrot.org Fri Mar 2 19:30:09 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 2 Mar 2001 19:30:09 +1100 (EST)
Subject: Expired password handling in openssh-2.5.1p1/2
In-Reply-To: <029301c0a274$74a54c70$0300040a@na.cisco.com>
Message-ID:

On Thu, 1 Mar 2001, Dan Kaminsky wrote:

> > Are there plans, or does someone have a fix, for having openssh force
> > users to change passwords when they're expired?
> > 
> > Right now the program closes the connection....the commercial ssh
> > manages to exec /bin/passwd after they enter their current password.
> > 
> > Any ideas?
> 
> Hmm, does PAM send back a special message when the password needs to
> be changed?
> 
> I could envision changing the user shell to /bin/passwd if PAM
> complains...

It works for PAM now, but not for non-PAM.

-d

-- 
| Damien Miller \  ``E-mail attachments are the poor man's
| http://www.mindrot.org /   distributed filesystem'' - Dan Geer

From djm at mindrot.org Fri Mar 2 19:31:14 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 2 Mar 2001 19:31:14 +1100 (EST)
Subject: Bug report against openssh-2.3.0p1
In-Reply-To: <3A9E8AEE.EDC484E3@cam.ac.uk>
Message-ID:

On Thu, 1 Mar 2001, Charles Jardine wrote:

> I am writing to report a bug in openssh-2.3.0p1, and to suggest
> a fix.

Can you give the new 2.5.1p2 version a try? There has been a fair bit of change to the auth code.

-d

-- 
| Damien Miller \  ``E-mail attachments are the poor man's
| http://www.mindrot.org /   distributed filesystem'' - Dan Geer

From djm at mindrot.org Fri Mar 2 19:39:09 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 2 Mar 2001 19:39:09 +1100 (EST)
Subject: AllowHosts / DenyHosts
In-Reply-To: <3A9EBFE4.3050905@cisco.com>
Message-ID:

On Thu, 1 Mar 2001, Dan Kaminsky wrote:

> I don't like the concept of a huge barrier to entry in configuring SSH.
> I think we *all* agree it'd be good to be able to have more fine grained
> controls. The disagreement comes in whether or not Keynote is an
> appropriate infrastructure for those controls. I think it's
> overcomplicated, too dangerous to use as an external
> library (consider--it needs the ability to view, and possibly change, all
> SSHD parameters dynamically), and unnecessary--we can get most of the
> gains of keynote by simply extending *slightly* on the work done in
> readconf.c.
> 
> There are things that are important--we should be able to switch on the
> criticals, like Who is coming from Where, *When*, maybe using What. We
> can do this without Keynote--though please, if anyone can correct, do
> so! If we can do without, do it safer, do it easier, do it arguably
> even faster...
> 
> Isn't that doing it right?

I would much rather take an existing language which has been custom designed for the role rather than reinvent yet another half-baked policy language which is incompatible with everything else.

Keynote may not fit your aesthetics, but it has the advantage of being a published standard already being used in quite a few other software packages (OpenBSD IPsec & Kerberos, Apache-SSL). It also has a standard library which can be the focus of *everyone's* review and auditing efforts.

I don't think it is too difficult to learn either - its logic is very clear: IF precondition [&&/|| precondition ...] THEN result. It only gets complicated if you plan on doing things like hierarchical or delegated authentication, which are inherently complex anyway.

-d

-- 
| Damien Miller \  ``E-mail attachments are the poor man's
| http://www.mindrot.org /   distributed filesystem'' - Dan Geer

From djm at mindrot.org Fri Mar 2 19:41:06 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 2 Mar 2001 19:41:06 +1100 (EST)
Subject: AllowHosts / DenyHosts
In-Reply-To: <022301c0a269$4bc52150$0300040a@na.cisco.com>
Message-ID:

On Thu, 1 Mar 2001, Dan Kaminsky wrote:

> > you miss the point. the example is not about ipsec.
> 
> Markus, you miss the point: IPsec is *misery incarnate* to
> configure and the keynote syntax certainly doesn't help that.

IPsec is a complex protocol (read the SPD requirements), OpenBSD's use of keynote is _optional_ for basic configurations. It is a case of making the easy easy and the difficult possible.

-d

-- 
| Damien Miller \  ``E-mail attachments are the poor man's
| http://www.mindrot.org /   distributed filesystem'' - Dan Geer

From Christophe_Moret at hp.com Fri Mar 2 19:41:28 2001
From: Christophe_Moret at hp.com (Christophe Moret)
Date: Fri, 02 Mar 2001 09:41:28 +0100
Subject: OpenSSH 2.5.1p1 on HP-UX: No CTRL+C possible!!!
References:
Message-ID: <3A9F5CB7.A006937B@hp.com>

I guess this is linked to Protocol 2, and is not specific to HP-UX:

in Protocol 1, tty modes are copied (ssh.c/tty_make_modes) from ssh client's tty into server's tty (in ssh_session)
in Protocol 2, no copy is done (see ssh_session2)

I do not know if this is a feature or a bug.

Thus you get default stty (intr=DEL...), unless you set it explicitly in your .profile.

-Christophe

Kevin Steves wrote:
> On Wed, 28 Feb 2001, Randolf Skerka wrote:
> : On a System: HP-UX B.11.00 A 9000/887 two-user license no CTRL+C is
> : possible. When I make a telnet localhost within the SecureShell session
> : CTRL+C works as expected.
> : 
> : On a System HP-UX B.11.00 B 9000/800 16-user license CTRL+C works as
> : expected within SSH!
> : 
> : I've checked /etc/termcap and /bin/sh on both systems. They are identical.
> : More hints?
> : 
> : Totally confused!
> 
> it would help to try to narrow this down a bit, to note the ssh<->sshd
> platforms, ssh versions, protocol and any other information that might
> be useful for each success/failure case. i really don't have any ideas
> right now.

-- 
Christophe Moret          mailto:Christophe_Moret at hp.com
Hewlett Packard           Phone :+33 4 76 14 40 78
5, avenue Raymond Chanas  Fax   :+33 4 76 14 47 06
38053 GRENOBLE Cedex 09   Mobile:+33 6 72 99 16 51

From Markus.Friedl at informatik.uni-erlangen.de Fri Mar 2 21:08:14 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 2 Mar 2001 11:08:14 +0100
Subject: AllowHosts / DenyHosts
In-Reply-To: ; from djm@mindrot.org on Fri, Mar 02, 2001 at 07:24:41PM +1100
References: <20010301152622.A27047@faui02.informatik.uni-erlangen.de>
Message-ID: <20010302110813.B22656@faui02.informatik.uni-erlangen.de>

On Fri, Mar 02, 2001 at 07:24:41PM +1100, Damien Miller wrote:
> On Thu, 1 Mar 2001, Markus Friedl wrote:
> 
> > So for openssh I'd like to have
> > a /etc/sshd_policy per system and a .ssh/policy per user.
> 
> Longer term, being able to send signed credentials either before or
> during authentication would be really cool.

yes, i think this would be the next step.

minimal server configuration + signed credentials: allowed to connect: no shell, only forwarding.

-markus

From djm at mindrot.org Fri Mar 2 22:12:54 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 2 Mar 2001 22:12:54 +1100 (EST)
Subject: OpenSSH 2.5.1 compatibility problem
In-Reply-To: <5.0.2.1.0.20010221113907.00a217d0@mailandnews.com>
Message-ID:

On Wed, 21 Feb 2001, Neal Barney wrote:

> SSH server specs:
> -----------------------
> Redhat Linux 6.2
> Custom built 2.2.17 kernel
> OpenSSL 0.9.5a (update from RedHat).
> OpenSSH 2.5.1p1

[snip]

> Feb 21 10:13:04 rugen sshd[21915]: fatal: xfree: NULL pointer given
> as argument

Are you using the RPM version of OpenSSH? If yes, could you send me the output of "rpm -qa | sort"? This will help me determine whether the problem is caused by a library incompatibility.

Could you also try rebuilding from the .src.rpm? "rpm --rebuild openssh-2.5.1p2-1.src.rpm", install the result and see if you can elicit the same problem.

-d

-- 
| Damien Miller \  ``E-mail attachments are the poor man's
| http://www.mindrot.org /   distributed filesystem'' - Dan Geer

From djm at mindrot.org Fri Mar 2 22:14:18 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 2 Mar 2001 22:14:18 +1100 (EST)
Subject: make 2.5.1p1 on Solaris8 (fwd)
Message-ID:

Can a Solaris person take a look at this?

-- 
| Damien Miller \  ``E-mail attachments are the poor man's
| http://www.mindrot.org /   distributed filesystem'' - Dan Geer

---------- Forwarded message ----------
Date: Wed, 28 Feb 2001 12:33:48 +0200
From: owner-ssh at clinet.fi
To: ssh at clinet.fi
Subject: make 2.5.1p1 on Solaris8

Trying to build 2.5.1p1 on Solaris 8 x86 with patches from 01/01:

gcc -g -O2 -Wall -I/opt/include -I/opt/include/openssl -I/usr/local/include -I/opt/include -I/opt/include -I. -I./openbsd-compat -I. -DETCDIR=\"/etc/opt/ssh\" -D_PATH_SSH_PROGRAM=\"/opt/openssh/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/opt/openssh/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/opt/openssh/libexec/sftp-server\" -DHAVE_CONFIG_H -c scp.c
scp.c: In function `foregroundproc':
scp.c:1124: too many arguments to function `getpgrp'
make: *** [scp.o] Error 1

Do you know what is wrong?

Thanks in advance,
Peter

From Lutz.Jaenicke at aet.TU-Cottbus.DE Fri Mar 2 22:21:51 2001
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Fri, 2 Mar 2001 12:21:51 +0100
Subject: Fwd: OpenSSH on Ultrix?
In-Reply-To: ; from djm@mindrot.org on Wed, Feb 28, 2001 at 09:45:19AM +1100
References: <20010227234133.A15038@greenie.muc.de>
Message-ID: <20010302122151.A2372@serv01.aet.tu-cottbus.de>

On Wed, Feb 28, 2001 at 09:45:19AM +1100, Damien Miller wrote:
> On Tue, 27 Feb 2001, Gert Doering wrote:
> 
> > Hi,
> > 
> > On Wed, Feb 28, 2001 at 08:27:08AM +1100, Damien Miller wrote:
> > > Yes - PRNGd is very nice and is superior to portable OpenSSH's own
> > [..]
> > > I strongly recommend it to everyone without a /dev/random.
> > 
> > Are there any chances to use it on a system without unix sockets
> > (always the same problem here - SCO 3.0)?
> 
> Lutz,
> 
> Is there any chance of teaching PRNGd to listen on a localhost socket
> rather than (or in addition to) a Unix domain socket?

I have just released version 0.9.11 of PRNGd which supports TCP sockets (localhost only) in addition to Unix domain sockets.

The change needed in entropy.c should not be that large, but the configure options need to be decided. --with-egd-port=portnum, then setting some EGD_PORT variable. Support could be built into the existing get_random_bytes() for EGD_SOCKET with some #ifdef's for EGD_SOCKET or EGD_PORT. What do you think?

Best regards,
Lutz

-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus               Fax. +49 355 69-4153

From a.d.stribblehill at durham.ac.uk Fri Mar 2 23:36:57 2001
From: a.d.stribblehill at durham.ac.uk (Andrew Stribblehill)
Date: Fri, 2 Mar 2001 12:36:57 +0000
Subject: make 2.5.1p1 on Solaris8 (fwd)
In-Reply-To: ; from djm@mindrot.org on Fri, Mar 02, 2001 at 10:14:18PM +1100
References:
Message-ID: <20010302123657.E19147@womble.dur.ac.uk>

Quoting Damien Miller :
> Can a Solaris person take a look at this?
> 
> -- 
> | Damien Miller \  ``E-mail attachments are the poor man's
> | http://www.mindrot.org /   distributed filesystem'' - Dan Geer
> 
> ---------- Forwarded message ----------
> Date: Wed, 28 Feb 2001 12:33:48 +0200
> From: owner-ssh at clinet.fi
> To: ssh at clinet.fi
> Subject: make 2.5.1p1 on Solaris8
> 
> Trying to build 2.5.1p1 on Solaris 8 x86 with patches from 01/01:
> 
> gcc -g -O2 -Wall -I/opt/include -I/opt/include/openssl -I/usr/local/include -I/opt/include -I/opt/include -I. -I./openbsd-compat -I. -DETCDIR=\"/etc/opt/ssh\" -D_PATH_SSH_PROGRAM=\"/opt/openssh/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/opt/openssh/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/opt/openssh/libexec/sftp-server\" -DHAVE_CONFIG_H -c scp.c
> scp.c: In function `foregroundproc':
> scp.c:1124: too many arguments to function `getpgrp'
> make: *** [scp.o] Error 1

Well, the Solaris 8 manpage says that getpgrp takes no arguments. My guess is that GETPGRP_VOID is not being defined so the macro

#define getpgrp() getpgrp(0)

is being used. This would point to a bug in autoconf, specifically in the AC_FUNC_GETPGRP macro.

To confirm my guess, look in config.h for the line

#define GETPGRP_VOID 1

Note: I don't get this problem with Solaris 8 (Sparc) on CVS as of a week ago.

Cheerio,

Andrew Stribblehill
Systems programmer, IT Service, University of Durham
England

From ktaylor at eosdata.gsfc.nasa.gov Fri Mar 2 23:44:54 2001
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor)
Date: Fri, 02 Mar 2001 07:44:54 -0500
Subject: Expired password handling in openssh-2.5.1p1/2
Message-ID: <3A9F95C6.9A05D8E2@daac.gsfc.nasa.gov>

On Thu, 1 Mar 2001, Dan Kaminsky wrote:

>>> Are there plans, or does someone have a fix, for having openssh force
>>> users to change passwords when they're expired?
>>>
>>> Right now the program closes the connection....the commercial ssh
>>> manages to exec /bin/passwd after they enter their current password.
>>>
>>> Any ideas?
>>
>> Hmm, does PAM send back a special message when the password needs to
>> be changed?
>>
>> I could envision changing the user shell to /bin/passwd if PAM
>> complains...

>It works for PAM now, but not for non-PAM.

>-d

That's what Kevin Steves was saying. Hopefully the code he was working on for the password interface for other systems will be implemented soon.

-- 
---------------------------------------------------------.
Kevin Taylor                                              \
Systems Administrator - DAAC, Code 902, Bldg 32, Rm N126A /
Science Systems and Applications, Inc.                    \
Goddard Space Flight Center                               /
Greenbelt, MD 20771                                       \
                                                           /
Phone: (301) 614-5505                                     \
e-mail: ktaylor at daac.gsfc.nasa.gov                        /
----------------------------------------------------------'

From djm at mindrot.org Sat Mar 3 00:17:33 2001
From: djm at mindrot.org (Damien Miller) Date: Sat, 3 Mar 2001 00:17:33 +1100 (EST) Subject: Fwd: OpenSSH on Ultrix? In-Reply-To: <20010302122151.A2372@serv01.aet.tu-cottbus.de> Message-ID: On Fri, 2 Mar 2001, Lutz Jaenicke wrote: > The change needed in entropy.c should not be that large, but the configure > options need to be decided. --with-egd-port=portnum, than setting some > EGD_PORT variable. Support could be built into the existing > get_random_bytes() for EGD_SOCKET with some #ifdef's for EGD_SOCKET or > EGD_PORT. What do you think? I think this is exactly what I will do :) Can you give the below patch a try for both Unix domain and localhost sockets? It replaces the current --with-egd-pool configure option with --with-prngd-port and --with-prngd-socket options. BTW You should apply to the IANA to get a well known port number assigned for PRNGd. Index: acconfig.h =================================================================== RCS file: /var/cvs/openssh/acconfig.h,v retrieving revision 1.105 diff -u -r1.105 acconfig.h --- acconfig.h 2001/02/26 21:39:07 1.105 +++ acconfig.h 2001/03/02 13:16:00 @@ -89,8 +89,11 @@ /* Location of random number pool */ #undef RANDOM_POOL -/* Location of EGD random number socket */ -#undef EGD_SOCKET +/* Location of PRNGD/EGD random number socket */ +#undef PRNGD_SOCKET + +/* Port number of PRNGD/EGD random number socket */ +#undef PRNGD_PORT /* Builtin PRNG command timeout */ #undef ENTROPY_TIMEOUT_MSEC Index: configure.in =================================================================== RCS file: /var/cvs/openssh/configure.in,v retrieving revision 1.260 diff -u -r1.260 configure.in --- configure.in 2001/02/28 22:16:12 1.260 +++ configure.in 2001/03/02 13:16:00 
@@ -1266,13 +1266,24 @@ ] ) -# Check for EGD pool file -AC_ARG_WITH(egd-pool, - [ --with-egd-pool=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)], +# Check for PRNGD/EGD pool file +AC_ARG_WITH(prngd-port, + [ --with-prngd-port=PORT read entropy from PRNGD/EGD localhost:PORT], [ + if test ! -z "$withval" -a "x$withval" != "xno" ; then + PRNGD_PORT="$withval" + AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT) + fi + ] +) + +# Check for PRNGD/EGD pool file +AC_ARG_WITH(prngd-socket, + [ --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)], + [ if test "x$withval" != "xno" ; then - EGD_SOCKET="$withval"; - AC_DEFINE_UNQUOTED(EGD_SOCKET, "$EGD_SOCKET") + PRNGD_SOCKET="$withval" + AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET") fi ], [ @@ -1280,15 +1291,15 @@ if test -z "$RANDOM_POOL" ; then AC_MSG_CHECKING(for PRNGD/EGD socket) # Insert other locations here - for egdsock in /var/run/egd-pool /etc/entropy; do - if test -r $egdsock && $TEST_MINUS_S_SH -c "test -S $egdsock -o -p $egdsock" ; then - EGD_SOCKET="$egdsock" - AC_DEFINE_UNQUOTED(EGD_SOCKET, "$EGD_SOCKET") + for sock in /var/run/egd-pool /etc/entropy; do + if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then + PRNGD_SOCKET="$sock" + AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET") break; fi done - if test ! -z "$EGD_SOCKET" ; then - AC_MSG_RESULT($EGD_SOCKET) + if test ! -z "$PRNGD_SOCKET" ; then + AC_MSG_RESULT($PRNGD_SOCKET) else AC_MSG_RESULT(not found) fi @@ -1300,7 +1311,7 @@ # detect pathnames for entropy gathering commands, if we need them INSTALL_SSH_PRNG_CMDS="" rm -f prng_commands -if (test -z "$RANDOM_POOL" && test -z "$EGD_SOCKET") ; then +if (test -z "$RANDOM_POOL" && test -z "$PRNGD") ; then # Use these commands to collect entropy OSSH_PATH_ENTROPY_PROG(PROG_LS, ls) OSSH_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat) 
@@ -1749,8 +1760,10 @@ if test ! -z "$RANDOM_POOL" ; then RAND_MSG="Device ($RANDOM_POOL)" else - if test ! -z "$EGD_SOCKET" ; then - RAND_MSG="EGD/PRNGD ($EGD_SOCKET)" + if test ! -z "$PRNGD_PORT" ; then + RAND_MSG="PRNGD/EGD (port localhost:$PRNGD_PORT)" + elif test ! -z "$PRNGD_SOCKET" ; then + RAND_MSG="PRNGD/EGD (socket $PRNGD_SOCKET)" else RAND_MSG="Builtin (timeout $entropy_timeout)" BUILTIN_RNG=1 Index: entropy.c =================================================================== RCS file: /var/cvs/openssh/entropy.c,v retrieving revision 1.34 diff -u -r1.34 entropy.c --- entropy.c 2001/02/27 00:00:52 1.34 +++ entropy.c 2001/03/02 13:16:00 @@ -68,6 +68,9 @@ # define SAVED_IDS_WORK_WITH_SETEUID #endif +#define SOCK_AF_INET(x) (*((struct sockaddr_in*)(&(x)))) +#define SOCK_AF_UNIX(x) (*((struct sockaddr_un*)(&(x)))) + void check_openssl_version(void) { if (SSLeay() != OPENSSL_VERSION_NUMBER) 
@@ -75,47 +78,65 @@ "have %lx", OPENSSL_VERSION_NUMBER, SSLeay()); } +#if defined(PRNGD_SOCKET) || defined(PRNGD_PORT) +# define USE_PRNGD +#endif -#if defined(EGD_SOCKET) || defined(RANDOM_POOL) +#if defined(USE_PRNGD) || defined(RANDOM_POOL) -#ifdef EGD_SOCKET -/* Collect entropy from EGD */ +#ifdef USE_PRNGD +/* Collect entropy from PRNGD/EGD */ int get_random_bytes(unsigned char *buf, int len) { int fd; char msg[2]; - struct sockaddr_un addr; + struct sockaddr addr; int addr_len, rval, errors; mysig_t old_sigpipe; + memset(&addr, '\0', sizeof(addr)); + +#ifdef PRNGD_PORT + addr.sa_family = AF_INET; + SOCK_AF_INET(addr).sin_addr.s_addr = htonl(INADDR_LOOPBACK); + SOCK_AF_INET(addr).sin_port = htons(PRNGD_PORT); + addr_len = sizeof(struct sockaddr_in); +#else /* use IP socket PRNGD_SOCKET instead */ /* Sanity checks */ - if (sizeof(EGD_SOCKET) > sizeof(addr.sun_path)) + if (sizeof(PRNGD_SOCKET) > sizeof(SOCK_AF_UNIX(addr).sun_path)) fatal("Random pool path is too long"); if (len > 255) - fatal("Too many bytes to read from EGD"); + fatal("Too many bytes to read from PRNGD"); - memset(&addr, '\0', sizeof(addr)); - addr.sun_family = AF_UNIX; - strlcpy(addr.sun_path, EGD_SOCKET, sizeof(addr.sun_path)); - addr_len = offsetof(struct sockaddr_un, sun_path) + sizeof(EGD_SOCKET); + addr.sa_family = AF_UNIX; + strlcpy(SOCK_AF_UNIX(addr).sun_path, PRNGD_SOCKET, + sizeof(SOCK_AF_UNIX(addr).sun_path)); + addr_len = offsetof(struct sockaddr_un, sun_path) + + sizeof(PRNGD_SOCKET); +#endif old_sigpipe = mysignal(SIGPIPE, SIG_IGN); errors = rval = 0; reopen: - fd = socket(AF_UNIX, SOCK_STREAM, 0); + fd = socket(addr.sa_family, SOCK_STREAM, 0); if (fd == -1) { error("Couldn't create AF_UNIX socket: %s", strerror(errno)); goto done; } if (connect(fd, (struct sockaddr*)&addr, addr_len) == -1) { - error("Couldn't connect to EGD socket \"%s\": %s", - addr.sun_path, strerror(errno)); +#ifdef PRNGD_PORT + error("Couldn't connect to PRNGD port %d: %s", + PRNGD_PORT, strerror(errno)); 
+#else + error("Couldn't connect to PRNGD socket \"%s\": %s", + SOCK_AF_UNIX(addr).sun_path, strerror(errno)); +#endif goto done; } - /* Send blocking read request to EGD */ + /* Send blocking read request to PRNGD */ msg[0] = 0x02; msg[1] = len; @@ -125,8 +146,8 @@ errors++; goto reopen; } - error("Couldn't write to EGD socket \"%s\": %s", - EGD_SOCKET, strerror(errno)); + error("Couldn't write to PRNGD socket: %s", + strerror(errno)); goto done; } @@ -136,8 +157,8 @@ errors++; goto reopen; } - error("Couldn't read from EGD socket \"%s\": %s", - EGD_SOCKET, strerror(errno)); + error("Couldn't read from PRNGD socket: %s", + strerror(errno)); goto done; } @@ -148,7 +169,7 @@ close(fd); return(rval); } -#else /* !EGD_SOCKET */ +#else /* !USE_PRNGD */ #ifdef RANDOM_POOL /* Collect entropy from /dev/urandom or pipe */ int get_random_bytes(unsigned char *buf, int len) @@ -174,11 +195,11 @@ return(1); } #endif /* RANDOM_POOL */ -#endif /* EGD_SOCKET */ +#endif /* USE_PRNGD */ /* * Seed OpenSSL's random number pool from Kernel random number generator - * or EGD + * or PRNGD/EGD */ void seed_rng(void) @@ -202,7 +223,7 @@ check_openssl_version(); } -#else /* defined(EGD_SOCKET) || defined(RANDOM_POOL) */ +#else /* defined(USE_PRNGD) || defined(RANDOM_POOL) */ /* * FIXME: proper entropy estimations. All current values are guesses @@ -877,4 +898,4 @@ prng_initialised = 1; } -#endif /* defined(EGD_SOCKET) || defined(RANDOM_POOL) */ +#endif /* defined(USE_PRNGD) || defined(RANDOM_POOL) */ -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From mouring at etoh.eviladmin.org Sat Mar 3 00:50:20 2001 
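Review bot: `struct sockaddr addr;` in get_random_bytes() is the wrong storage for the `SOCK_AF_INET(addr)` / `SOCK_AF_UNIX(addr)` casts. A plain struct sockaddr is 16 bytes while sockaddr_un is over 100, so `strlcpy(SOCK_AF_UNIX(addr).sun_path, PRNGD_SOCKET, sizeof(SOCK_AF_UNIX(addr).sun_path))` writes past the end of the stack object (and the `sizeof(PRNGD_SOCKET) > sizeof(SOCK_AF_UNIX(addr).sun_path)` sanity check bounds against the wrong size for the same reason), and the sockaddr_in view of it is not guaranteed the alignment sin_addr needs on strict targets, which matches the SIGBUS reported on HP-UX at `SOCK_AF_INET(addr).sin_addr.s_addr = htonl(INADDR_LOOPBACK);`. Replace the single struct sockaddr with a union of sockaddr_in and sockaddr_un (or a typed variable per #ifdef branch, as the rewritten file posted later in the thread does) and drop the two macros.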
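Review bot: the `if (len > 255) fatal("Too many bytes to read from PRNGD");` check now sits inside the `#else` branch for PRNGD_SOCKET, so a PRNGD_PORT build performs no length check before `msg[1] = len;` and a request larger than 255 bytes is silently truncated to its low byte; hoist the check above `#ifdef PRNGD_PORT` so both transports get it. Two smaller points in the same hunk: `fd = socket(addr.sa_family, SOCK_STREAM, 0);` now creates either family but the failure path still reports "Couldn't create AF_UNIX socket", and the write/read error messages lost the socket path the EGD versions printed, so nothing identifies which PRNGD endpoint failed.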
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Fri, 2 Mar 2001 07:50:20 -0600 (CST)
Subject: add scp path to _PATH_STDPATH
In-Reply-To:
Message-ID:

On Fri, 2 Mar 2001, Damien Miller wrote:
[..]
>
> I agree - if people are specifying a PATH themselves, then it is not too
> much to ask that it be correct.
>
Which really brings up another can of worms. Since not everyone installs
OpenSSH in the same place, sftping between machines is a nightmare.

$ sftp -1 etoh
Connecting to etoh...
mouring at etoh's password:
bash: /usr/libexec/sftp-server: No such file or directory
Couldn't read packet: Undefined error: 0

If we are going to solve scp, we should resolve where sftp-server is to
make sftp using protocol 1 easier.

- Ben

From Lutz.Jaenicke at aet.TU-Cottbus.DE Sat Mar 3 00:54:58 2001
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Fri, 2 Mar 2001 14:54:58 +0100
Subject: Fwd: OpenSSH on Ultrix?
In-Reply-To: ; from djm@mindrot.org on Sat, Mar 03, 2001 at 12:17:33AM +1100
References: <20010302122151.A2372@serv01.aet.tu-cottbus.de>
Message-ID: <20010302145458.A4277@serv01.aet.tu-cottbus.de>

On Sat, Mar 03, 2001 at 12:17:33AM +1100, Damien Miller wrote:
> On Fri, 2 Mar 2001, Lutz Jaenicke wrote:
>
> > The change needed in entropy.c should not be that large, but the configure
> > options need to be decided. --with-egd-port=portnum, then setting some
> > EGD_PORT variable. Support could be built into the existing
> > get_random_bytes() for EGD_SOCKET with some #ifdef's for EGD_SOCKET or
> > EGD_PORT. What do you think?
>
> I think this is exactly what I will do :) Can you give the below patch
> a try for both Unix domain and localhost sockets? It replaces the
> current --with-egd-pool configure option with --with-prngd-port and
> --with-prngd-socket options.

You were faster than me. I just thought about starting after lunch.

Unfortunately, your patch gives me a SIGBUS on HP-UX 10.20 at:
    SOCK_AF_INET(addr).sin_addr.s_addr = htonl(INADDR_LOOPBACK);
I'll see about unwrapping the macro and try some debugging.

Best regards,
    Lutz

PS. There is a minor inconsistency in get_random_bytes and seed_rng
(unsigned char <-> char).

--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From Lutz.Jaenicke at aet.TU-Cottbus.DE Sat Mar 3 01:26:48 2001
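The request get_random_bytes() sends to PRNGD/EGD in the patch above is two bytes, 0x02 (blocking read) followed by the byte count, after which the daemon returns exactly that many bytes; the SIGBUS at the sockaddr_in cast points at the other problem in that hunk, a plain struct sockaddr used as storage for larger address types. The C below is an added example written for this page, not code from OpenSSH or from either poster: it carries out the exchange with both sides in one process over a socketpair(2), enforces the 255-byte limit for every transport, and sizes the address with a union. The fill+i pattern served as "random" data is constructed for the demonstration and is not entropy.

```c
/* Added example, not OpenSSH code: the PRNGD/EGD blocking-read exchange of
 * get_random_bytes() with both sides in one process over a socketpair, plus
 * the address-sizing point behind the SIGBUS report. "Random" bytes are a
 * constructed fill+i pattern, not entropy. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <netinet/in.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

#define EGD_BLOCKING_READ 0x02   /* request is the two bytes {0x02, len} */

/* Storage with the size and alignment of every family it may hold; a plain
 * struct sockaddr (16 bytes) cannot hold sockaddr_un's sun_path. */
union prngd_addr {
    struct sockaddr    sa;
    struct sockaddr_in in;
    struct sockaddr_un un;
};

/* Unix-domain target: returns the length for connect(), or -1 when the
 * path with its NUL does not fit in sun_path. */
int prngd_unix_addr(union prngd_addr *a, const char *path)
{
    size_t plen = strlen(path) + 1;
    memset(a, 0, sizeof(*a));
    if (plen > sizeof(a->un.sun_path))
        return -1;
    a->un.sun_family = AF_UNIX;
    memcpy(a->un.sun_path, path, plen);
    return (int)(offsetof(struct sockaddr_un, sun_path) + plen);
}

/* Move exactly len bytes (retry on EINTR); -1 on error or EOF. */
static ssize_t xfer_all(int fd, unsigned char *buf, size_t len, int writing)
{
    size_t done = 0;
    while (done < len) {
        ssize_t n = writing ? write(fd, buf + done, len - done)
                            : read(fd, buf + done, len - done);
        if (n == -1 && errno == EINTR)
            continue;
        if (n <= 0)
            return -1;
        done += (size_t)n;
    }
    return (ssize_t)done;
}

/* Client: send {0x02, len}. The limit is checked for every transport, so a
 * count above 255 is rejected instead of truncated into the one-byte field. */
int egd_send_request(int fd, int len)
{
    unsigned char msg[2] = { EGD_BLOCKING_READ, 0 };
    if (len < 0 || len > 255)
        return 0;
    msg[1] = (unsigned char)len;
    return xfer_all(fd, msg, sizeof(msg), 1) == (ssize_t)sizeof(msg);
}

/* Client: a blocking read is answered with exactly len bytes. */
int egd_read_reply(int fd, unsigned char *buf, int len)
{
    return xfer_all(fd, buf, (size_t)len, 0) == (ssize_t)len;
}

/* Daemon: answer one request; returns the count served, -1 if malformed. */
int egd_serve_one(int fd, unsigned char fill)
{
    unsigned char msg[2], out[255];
    int i, n;
    if (xfer_all(fd, msg, sizeof(msg), 0) != 2 || msg[0] != EGD_BLOCKING_READ)
        return -1;
    n = msg[1];
    for (i = 0; i < n; i++)
        out[i] = (unsigned char)(fill + i);
    return xfer_all(fd, out, (size_t)n, 1) == n ? n : -1;
}

/* One exchange over a socketpair (request and reply both fit in the socket
 * buffers). Returns 1 when the client got len bytes matching the pattern. */
int egd_roundtrip_check(int len, unsigned char fill)
{
    int sv[2], i, ok = 0;
    unsigned char buf[255];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return 0;
    if (egd_send_request(sv[0], len) && egd_serve_one(sv[1], fill) == len &&
        egd_read_reply(sv[0], buf, len)) {
        ok = 1;
        for (i = 0; i < len; i++)
            if (buf[i] != (unsigned char)(fill + i))
                ok = 0;
    }
    close(sv[0]);
    close(sv[1]);
    return ok;
}
```

A real client would pass the union's .sa member and the length returned by prngd_unix_addr() to connect(), then call egd_send_request() and egd_read_reply() on that descriptor. The 255 limit exists because the count travels in a single byte: without the check, a request for 256 bytes would go out as a request for 0.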
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Fri, 2 Mar 2001 15:26:48 +0100
Subject: Fwd: OpenSSH on Ultrix?
In-Reply-To: ; from djm@mindrot.org on Sat, Mar 03, 2001 at 12:17:33AM +1100
References: <20010302122151.A2372@serv01.aet.tu-cottbus.de>
Message-ID: <20010302152648.A9679@ws01.aet.tu-cottbus.de>

On Sat, Mar 03, 2001 at 12:17:33AM +1100, Damien Miller wrote:
> I think this is exactly what I will do :) Can you give the below patch
> a try for both Unix domain and localhost sockets? It replaces the
> current --with-egd-pool configure option with --with-prngd-port and
> --with-prngd-socket options.

Ok. I have rewritten entropy.c to a more "defensive" handling :-)
With this version, it works with both Unix and TCP sockets.
I have attached the complete file, since my CVS checkout is from the
public server which seems not to be completely in sync with your
archive, so, to be on the safe side...

> BTW You should apply to the IANA to get a well known port number
> assigned for PRNGd.

I'll have a look into the procedure.

Best regards,
    Lutz

--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

-------------- next part --------------
/*
 * Copyright (c) 2000 Damien Miller.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
* * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" #include #include #include /* SunOS 4.4.4 needs this */ #ifdef HAVE_FLOATINGPOINT_H # include #endif /* HAVE_FLOATINGPOINT_H */ #include "ssh.h" #include "misc.h" #include "xmalloc.h" #include "atomicio.h" #include "pathnames.h" #include "log.h" RCSID("$Id: entropy.c,v 1.34 2001/02/27 00:00:52 djm Exp $"); #ifndef offsetof # define offsetof(type, member) ((size_t) &((type *)0)->member) #endif /* Number of times to pass through command list gathering entropy */ #define NUM_ENTROPY_RUNS 1 /* Scale entropy estimates back by this amount on subsequent runs */ #define SCALE_PER_RUN 10.0 /* Minimum number of commands to be considered valid */ #define MIN_ENTROPY_SOURCES 16 #define WHITESPACE " \t\n" #ifndef RUSAGE_SELF # define RUSAGE_SELF 0 #endif #ifndef RUSAGE_CHILDREN # define RUSAGE_CHILDREN 0 #endif #if defined(_POSIX_SAVED_IDS) && !defined(BROKEN_SAVED_UIDS) # define SAVED_IDS_WORK_WITH_SETEUID #endif void check_openssl_version(void) { if (SSLeay() != OPENSSL_VERSION_NUMBER) fatal("OpenSSL version mismatch. 
Built against %lx, you " "have %lx", OPENSSL_VERSION_NUMBER, SSLeay()); } #if defined(PRNGD_SOCKET) || defined(PRNGD_PORT) # define USE_PRNGD #endif #if defined(USE_PRNGD) || defined(RANDOM_POOL) #ifdef USE_PRNGD /* Collect entropy from PRNGD/EGD */ int get_random_bytes(unsigned char *buf, int len) { int fd; char msg[2]; #ifdef PRNGD_PORT struct sockaddr_in addr; #else struct sockaddr_un addr; #endif int addr_len, rval, errors; mysig_t old_sigpipe; memset(&addr, '\0', sizeof(addr)); #ifdef PRNGD_PORT addr.sin_family = AF_INET; addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); addr.sin_port = htons(PRNGD_PORT); addr_len = sizeof(struct sockaddr_in); #else /* use IP socket PRNGD_SOCKET instead */ /* Sanity checks */ if (sizeof(PRNGD_SOCKET) > sizeof(addr.sun_path)) fatal("Random pool path is too long"); if (len > 255) fatal("Too many bytes to read from PRNGD"); addr.sun_family = AF_UNIX; strlcpy(addr.sun_path, PRNGD_SOCKET, sizeof(addr.sun_path)); addr_len = offsetof(struct sockaddr_un, sun_path) + sizeof(PRNGD_SOCKET); #endif old_sigpipe = mysignal(SIGPIPE, SIG_IGN); errors = rval = 0; reopen: #ifdef PRNGD_PORT fd = socket(addr.sin_family, SOCK_STREAM, 0); if (fd == -1) { error("Couldn't create AF_INET socket: %s", strerror(errno)); goto done; } #else fd = socket(addr.sun_family, SOCK_STREAM, 0); if (fd == -1) { error("Couldn't create AF_UNIX socket: %s", strerror(errno)); goto done; } #endif if (connect(fd, (struct sockaddr*)&addr, addr_len) == -1) { #ifdef PRNGD_PORT error("Couldn't connect to PRNGD port %d: %s", PRNGD_PORT, strerror(errno)); #else error("Couldn't connect to PRNGD socket \"%s\": %s", addr.sun_path, strerror(errno)); #endif goto done; } /* Send blocking read request to PRNGD */ msg[0] = 0x02; msg[1] = len; if (atomicio(write, fd, msg, sizeof(msg)) != sizeof(msg)) { if (errno == EPIPE && errors < 10) { close(fd); errors++; goto reopen; } error("Couldn't write to PRNGD socket: %s", strerror(errno)); goto done; } if (atomicio(read, fd, buf, len) != len) 
{ if (errno == EPIPE && errors < 10) { close(fd); errors++; goto reopen; } error("Couldn't read from PRNGD socket: %s", strerror(errno)); goto done; } rval = 1; done: mysignal(SIGPIPE, old_sigpipe); if (fd != -1) close(fd); return(rval); } #else /* !USE_PRNGD */ #ifdef RANDOM_POOL /* Collect entropy from /dev/urandom or pipe */ int get_random_bytes(unsigned char *buf, int len) { int random_pool; random_pool = open(RANDOM_POOL, O_RDONLY); if (random_pool == -1) { error("Couldn't open random pool \"%s\": %s", RANDOM_POOL, strerror(errno)); return(0); } if (atomicio(read, random_pool, buf, len) != len) { error("Couldn't read from random pool \"%s\": %s", RANDOM_POOL, strerror(errno)); close(random_pool); return(0); } close(random_pool); return(1); } #endif /* RANDOM_POOL */ #endif /* USE_PRNGD */ /* * Seed OpenSSL's random number pool from Kernel random number generator * or PRNGD/EGD */ void seed_rng(void) { unsigned char buf[32]; debug("Seeding random number generator"); if (!get_random_bytes(buf, sizeof(buf))) { if (!RAND_status()) fatal("Entropy collection failed and entropy exhausted"); } else { RAND_add(buf, sizeof(buf), sizeof(buf)); } memset(buf, '\0', sizeof(buf)); } void init_rng(void) { check_openssl_version(); } #else /* defined(USE_PRNGD) || defined(RANDOM_POOL) */ /* * FIXME: proper entropy estimations. All current values are guesses * FIXME: (ATL) do estimates at compile time? 
* FIXME: More entropy sources */ /* slow command timeouts (all in milliseconds) */ /* static int entropy_timeout_default = ENTROPY_TIMEOUT_MSEC; */ static int entropy_timeout_current = ENTROPY_TIMEOUT_MSEC; static int prng_seed_saved = 0; static int prng_initialised = 0; uid_t original_uid; typedef struct { /* Proportion of data that is entropy */ double rate; /* Counter goes positive if this command times out */ unsigned int badness; /* Increases by factor of two each timeout */ unsigned int sticky_badness; /* Path to executable */ char *path; /* argv to pass to executable */ char *args[5]; /* full command string (debug) */ char *cmdstring; } entropy_source_t; double stir_from_system(void); double stir_from_programs(void); double stir_gettimeofday(double entropy_estimate); double stir_clock(double entropy_estimate); double stir_rusage(int who, double entropy_estimate); double hash_output_from_command(entropy_source_t *src, char *hash); /* this is initialised from a file, by prng_read_commands() */ entropy_source_t *entropy_sources = NULL; double stir_from_system(void) { double total_entropy_estimate; long int i; total_entropy_estimate = 0; i = getpid(); RAND_add(&i, sizeof(i), 0.5); total_entropy_estimate += 0.1; i = getppid(); RAND_add(&i, sizeof(i), 0.5); total_entropy_estimate += 0.1; i = getuid(); RAND_add(&i, sizeof(i), 0.0); i = getgid(); RAND_add(&i, sizeof(i), 0.0); total_entropy_estimate += stir_gettimeofday(1.0); total_entropy_estimate += stir_clock(0.5); total_entropy_estimate += stir_rusage(RUSAGE_SELF, 2.0); return(total_entropy_estimate); } double stir_from_programs(void) { int i; int c; double entropy_estimate; double total_entropy_estimate; char hash[SHA_DIGEST_LENGTH]; total_entropy_estimate = 0; for(i = 0; i < NUM_ENTROPY_RUNS; i++) { c = 0; while (entropy_sources[c].path != NULL) { if (!entropy_sources[c].badness) { /* Hash output from command */ entropy_estimate = hash_output_from_command(&entropy_sources[c], hash); /* Scale back entropy 
estimate according to command's rate */ entropy_estimate *= entropy_sources[c].rate; /* Upper bound of entropy estimate is SHA_DIGEST_LENGTH */ if (entropy_estimate > SHA_DIGEST_LENGTH) entropy_estimate = SHA_DIGEST_LENGTH; /* Scale back estimates for subsequent passes through list */ entropy_estimate /= SCALE_PER_RUN * (i + 1.0); /* Stir it in */ RAND_add(hash, sizeof(hash), entropy_estimate); debug3("Got %0.2f bytes of entropy from '%s'", entropy_estimate, entropy_sources[c].cmdstring); total_entropy_estimate += entropy_estimate; /* Execution times should be a little unpredictable */ total_entropy_estimate += stir_gettimeofday(0.05); total_entropy_estimate += stir_clock(0.05); total_entropy_estimate += stir_rusage(RUSAGE_SELF, 0.1); total_entropy_estimate += stir_rusage(RUSAGE_CHILDREN, 0.1); } else { debug2("Command '%s' disabled (badness %d)", entropy_sources[c].cmdstring, entropy_sources[c].badness); if (entropy_sources[c].badness > 0) entropy_sources[c].badness--; } c++; } } return(total_entropy_estimate); } double stir_gettimeofday(double entropy_estimate) { struct timeval tv; if (gettimeofday(&tv, NULL) == -1) fatal("Couldn't gettimeofday: %s", strerror(errno)); RAND_add(&tv, sizeof(tv), entropy_estimate); return(entropy_estimate); } double stir_clock(double entropy_estimate) { #ifdef HAVE_CLOCK clock_t c; c = clock(); RAND_add(&c, sizeof(c), entropy_estimate); return(entropy_estimate); #else /* _HAVE_CLOCK */ return(0); #endif /* _HAVE_CLOCK */ } double stir_rusage(int who, double entropy_estimate) { #ifdef HAVE_GETRUSAGE struct rusage ru; if (getrusage(who, &ru) == -1) return(0); RAND_add(&ru, sizeof(ru), entropy_estimate); return(entropy_estimate); #else /* _HAVE_GETRUSAGE */ return(0); #endif /* _HAVE_GETRUSAGE */ } static int _get_timeval_msec_difference(struct timeval *t1, struct timeval *t2) { int secdiff, usecdiff; secdiff = t2->tv_sec - t1->tv_sec; usecdiff = (secdiff*1000000) + (t2->tv_usec - t1->tv_usec); return (int)(usecdiff / 1000); } double 
hash_output_from_command(entropy_source_t *src, char *hash) { static int devnull = -1; int p[2]; fd_set rdset; int cmd_eof = 0, error_abort = 0; struct timeval tv_start, tv_current; int msec_elapsed = 0; pid_t pid; int status; char buf[16384]; int bytes_read; int total_bytes_read; SHA_CTX sha; debug3("Reading output from \'%s\'", src->cmdstring); if (devnull == -1) { devnull = open("/dev/null", O_RDWR); if (devnull == -1) fatal("Couldn't open /dev/null: %s", strerror(errno)); } if (pipe(p) == -1) fatal("Couldn't open pipe: %s", strerror(errno)); (void)gettimeofday(&tv_start, NULL); /* record start time */ switch (pid = fork()) { case -1: /* Error */ close(p[0]); close(p[1]); fatal("Couldn't fork: %s", strerror(errno)); /* NOTREACHED */ case 0: /* Child */ dup2(devnull, STDIN_FILENO); dup2(p[1], STDOUT_FILENO); dup2(p[1], STDERR_FILENO); close(p[0]); close(p[1]); close(devnull); setuid(original_uid); execv(src->path, (char**)(src->args)); debug("(child) Couldn't exec '%s': %s", src->cmdstring, strerror(errno)); _exit(-1); default: /* Parent */ break; } RAND_add(&pid, sizeof(&pid), 0.0); close(p[1]); /* Hash output from child */ SHA1_Init(&sha); total_bytes_read = 0; while (!error_abort && !cmd_eof) { int ret; struct timeval tv; int msec_remaining; (void) gettimeofday(&tv_current, 0); msec_elapsed = _get_timeval_msec_difference(&tv_start, &tv_current); if (msec_elapsed >= entropy_timeout_current) { error_abort=1; continue; } msec_remaining = entropy_timeout_current - msec_elapsed; FD_ZERO(&rdset); FD_SET(p[0], &rdset); tv.tv_sec = msec_remaining / 1000; tv.tv_usec = (msec_remaining % 1000) * 1000; ret = select(p[0]+1, &rdset, NULL, NULL, &tv); RAND_add(&tv, sizeof(tv), 0.0); switch (ret) { case 0: /* timer expired */ error_abort = 1; break; case 1: /* command input */ bytes_read = read(p[0], buf, sizeof(buf)); RAND_add(&bytes_read, sizeof(&bytes_read), 0.0); if (bytes_read == -1) { error_abort = 1; break; } else if (bytes_read) { SHA1_Update(&sha, buf, bytes_read); 
total_bytes_read += bytes_read; } else { cmd_eof = 1; } break; case -1: default: /* error */ debug("Command '%s': select() failed: %s", src->cmdstring, strerror(errno)); error_abort = 1; break; } } SHA1_Final(hash, &sha); close(p[0]); debug3("Time elapsed: %d msec", msec_elapsed); if (waitpid(pid, &status, 0) == -1) { error("Couldn't wait for child '%s' completion: %s", src->cmdstring, strerror(errno)); return(0.0); } RAND_add(&status, sizeof(&status), 0.0); if (error_abort) { /* closing p[0] on timeout causes the entropy command to * SIGPIPE. Take whatever output we got, and mark this command * as slow */ debug2("Command '%s' timed out", src->cmdstring); src->sticky_badness *= 2; src->badness = src->sticky_badness; return(total_bytes_read); } if (WIFEXITED(status)) { if (WEXITSTATUS(status)==0) { return(total_bytes_read); } else { debug2("Command '%s' exit status was %d", src->cmdstring, WEXITSTATUS(status)); src->badness = src->sticky_badness = 128; return (0.0); } } else if (WIFSIGNALED(status)) { debug2("Command '%s' returned on uncaught signal %d !", src->cmdstring, status); src->badness = src->sticky_badness = 128; return(0.0); } else return(0.0); } /* * prng seedfile functions */ int prng_check_seedfile(char *filename) { struct stat st; /* FIXME raceable: eg replace seed between this stat and subsequent open */ /* Not such a problem because we don't trust the seed file anyway */ if (lstat(filename, &st) == -1) { /* Give up on hard errors */ if (errno != ENOENT) debug("WARNING: Couldn't stat random seed file \"%s\": %s", filename, strerror(errno)); return(0); } /* regular file? */ if (!S_ISREG(st.st_mode)) fatal("PRNG seedfile %.100s is not a regular file", filename); /* mode 0600, owned by root or the current user? 
*/ if (((st.st_mode & 0177) != 0) || !(st.st_uid == original_uid)) { debug("WARNING: PRNG seedfile %.100s must be mode 0600, owned by uid %d", filename, getuid()); return(0); } return(1); } void prng_write_seedfile(void) { int fd; char seed[1024]; char filename[1024]; struct passwd *pw; /* Don't bother if we have already saved a seed */ if (prng_seed_saved) return; setuid(original_uid); prng_seed_saved = 1; pw = getpwuid(original_uid); if (pw == NULL) fatal("Couldn't get password entry for current user (%i): %s", original_uid, strerror(errno)); /* Try to ensure that the parent directory is there */ snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, _PATH_SSH_USER_DIR); mkdir(filename, 0700); snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, SSH_PRNG_SEED_FILE); debug("writing PRNG seed to file %.100s", filename); RAND_bytes(seed, sizeof(seed)); /* Don't care if the seed doesn't exist */ prng_check_seedfile(filename); if ((fd = open(filename, O_WRONLY|O_TRUNC|O_CREAT, 0600)) == -1) { debug("WARNING: couldn't access PRNG seedfile %.100s (%.100s)", filename, strerror(errno)); } else { if (atomicio(write, fd, &seed, sizeof(seed)) != sizeof(seed)) fatal("problem writing PRNG seedfile %.100s (%.100s)", filename, strerror(errno)); close(fd); } } void prng_read_seedfile(void) { int fd; char seed[1024]; char filename[1024]; struct passwd *pw; pw = getpwuid(original_uid); if (pw == NULL) fatal("Couldn't get password entry for current user (%i): %s", original_uid, strerror(errno)); snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, SSH_PRNG_SEED_FILE); debug("loading PRNG seed from file %.100s", filename); if (!prng_check_seedfile(filename)) { verbose("Random seed file not found or not valid, ignoring."); return; } /* open the file and read in the seed */ fd = open(filename, O_RDONLY); if (fd == -1) fatal("could not open PRNG seedfile %.100s (%.100s)", filename, strerror(errno)); if (atomicio(read, fd, &seed, sizeof(seed)) != sizeof(seed)) { 
verbose("invalid or short read from PRNG seedfile %.100s - ignoring", filename); memset(seed, '\0', sizeof(seed)); } close(fd); /* stir in the seed, with estimated entropy zero */ RAND_add(&seed, sizeof(seed), 0.0); } /* * entropy command initialisation functions */ int prng_read_commands(char *cmdfilename) { FILE *f; char *cp; char line[1024]; char cmd[1024]; char path[256]; int linenum; int num_cmds = 64; int cur_cmd = 0; double est; entropy_source_t *entcmd; f = fopen(cmdfilename, "r"); if (!f) { fatal("couldn't read entropy commands file %.100s: %.100s", cmdfilename, strerror(errno)); } entcmd = (entropy_source_t *)xmalloc(num_cmds * sizeof(entropy_source_t)); memset(entcmd, '\0', num_cmds * sizeof(entropy_source_t)); /* Read in file */ linenum = 0; while (fgets(line, sizeof(line), f)) { int arg; char *argv; linenum++; /* skip leading whitespace, test for blank line or comment */ cp = line + strspn(line, WHITESPACE); if ((*cp == 0) || (*cp == '#')) continue; /* done with this line */ /* First non-whitespace char should be double quote delimiting */ /* commandline */ if (*cp != '"') { error("bad entropy command, %.100s line %d", cmdfilename, linenum); continue; } /* first token, command args (incl. argv[0]) in double quotes */ cp = strtok(cp, "\""); if (cp == NULL) { error("missing or bad command string, %.100s line %d -- ignored", cmdfilename, linenum); continue; } strlcpy(cmd, cp, sizeof(cmd)); /* second token, full command path */ if ((cp = strtok(NULL, WHITESPACE)) == NULL) { error("missing command path, %.100s line %d -- ignored", cmdfilename, linenum); continue; } /* did configure mark this as dead? 
*/ if (strncmp("undef", cp, 5) == 0) continue; strlcpy(path, cp, sizeof(path)); /* third token, entropy rate estimate for this command */ if ((cp = strtok(NULL, WHITESPACE)) == NULL) { error("missing entropy estimate, %.100s line %d -- ignored", cmdfilename, linenum); continue; } est = strtod(cp, &argv); /* end of line */ if ((cp = strtok(NULL, WHITESPACE)) != NULL) { error("garbage at end of line %d in %.100s -- ignored", linenum, cmdfilename); continue; } /* save the command for debug messages */ entcmd[cur_cmd].cmdstring = xstrdup(cmd); /* split the command args */ cp = strtok(cmd, WHITESPACE); arg = 0; argv = NULL; do { char *s = (char*)xmalloc(strlen(cp) + 1); strncpy(s, cp, strlen(cp) + 1); entcmd[cur_cmd].args[arg] = s; arg++; } while ((arg < 5) && (cp = strtok(NULL, WHITESPACE))); if (strtok(NULL, WHITESPACE)) error("ignored extra command elements (max 5), %.100s line %d", cmdfilename, linenum); /* Copy the command path and rate estimate */ entcmd[cur_cmd].path = xstrdup(path); entcmd[cur_cmd].rate = est; /* Initialise other values */ entcmd[cur_cmd].sticky_badness = 1; cur_cmd++; /* If we've filled the array, reallocate it twice the size */ /* Do this now because even if this we're on the last command, we need another slot to mark the last entry */ if (cur_cmd == num_cmds) { num_cmds *= 2; entcmd = xrealloc(entcmd, num_cmds * sizeof(entropy_source_t)); } } /* zero the last entry */ memset(&entcmd[cur_cmd], '\0', sizeof(entropy_source_t)); /* trim to size */ entropy_sources = xrealloc(entcmd, (cur_cmd+1) * sizeof(entropy_source_t)); debug("Loaded %d entropy commands from %.100s", cur_cmd, cmdfilename); return (cur_cmd >= MIN_ENTROPY_SOURCES); } /* * Write a keyfile at exit */ void prng_seed_cleanup(void *junk) { prng_write_seedfile(); } /* * Conditionally Seed OpenSSL's random number pool from * syscalls and program output */ void seed_rng(void) { mysig_t old_sigchld_handler; if (!prng_initialised) fatal("RNG not initialised"); /* Make sure some other 
sigchld handler doesn't reap our entropy */ /* commands */ old_sigchld_handler = mysignal(SIGCHLD, SIG_DFL); debug("Seeded RNG with %i bytes from programs", (int)stir_from_programs()); debug("Seeded RNG with %i bytes from system calls", (int)stir_from_system()); if (!RAND_status()) fatal("Not enough entropy in RNG"); mysignal(SIGCHLD, old_sigchld_handler); if (!RAND_status()) fatal("Couldn't initialise builtin random number generator -- exiting."); } void init_rng(void) { int original_euid; check_openssl_version(); original_uid = getuid(); original_euid = geteuid(); /* Read in collection commands */ if (!prng_read_commands(SSH_PRNG_COMMAND_FILE)) fatal("PRNG initialisation failed -- exiting."); /* Set ourselves up to save a seed upon exit */ prng_seed_saved = 0; /* Give up privs while reading seed file */ #ifdef SAVED_IDS_WORK_WITH_SETEUID if ((original_uid != original_euid) && (seteuid(original_uid) == -1)) fatal("Couldn't give up privileges"); #else /* SAVED_IDS_WORK_WITH_SETEUID */ /* * Propagate the privileged uid to all of our uids. * Set the effective uid to the given (unprivileged) uid. */ if (original_uid != original_euid && (setuid(original_euid) == -1 || seteuid(original_uid) == -1)) fatal("Couldn't give up privileges"); #endif /* SAVED_IDS_WORK_WITH_SETEUID */ prng_read_seedfile(); #ifdef SAVED_IDS_WORK_WITH_SETEUID if ((original_uid != original_euid) && (seteuid(original_euid) == -1)) fatal("Couldn't restore privileges"); #else /* SAVED_IDS_WORK_WITH_SETEUID */ /* * We are unable to restore the real uid to its unprivileged value. * Propagate the real uid (usually more privileged) to effective uid * as well. 
	 */
	if (original_uid != original_euid &&
	    (seteuid(original_euid) == -1 || setuid(original_uid) == -1))
		fatal("Couldn't restore privileges");
#endif /* SAVED_IDS_WORK_WITH_SETEUID */

	fatal_add_cleanup(prng_seed_cleanup, NULL);
	atexit(prng_write_seedfile);

	prng_initialised = 1;
}

#endif /* defined(USE_PRNGD) || defined(RANDOM_POOL) */

From devon at admin2.gisnetworks.com Sat Mar 3 03:44:36 2001
From: devon at admin2.gisnetworks.com (Devon Bleak)
Date: Fri, 2 Mar 2001 08:44:36 -0800
Subject: make 2.5.1p1 on Solaris8 (fwd)
References:
Message-ID: <007b01c0a338$11386ae0$1900a8c0@devn>

I built 2.5.1p2 on 4 or 5 Solaris 7 machines yesterday without incident.
They were all SPARC machines running Solaris 7, using:

./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --disable-suid-ssh

Unfortunately, I don't have any Solaris 8 machines to test on, so this may
be a Solaris 8 or Solaris-on-x86 specific issue :/

devon

----- Original Message -----
From: "Damien Miller"
To:
Sent: Friday, March 02, 2001 3:14 AM
Subject: make 2.5.1p1 on Solaris8 (fwd)

> Can a Solaris person take a look at this?
>
> --
> | Damien Miller \ ``E-mail attachments are the poor man's
> | http://www.mindrot.org / distributed filesystem'' - Dan Geer
>
> ---------- Forwarded message ----------
> Date: Wed, 28 Feb 2001 12:33:48 +0200
> From: owner-ssh at clinet.fi
> To: ssh at clinet.fi
> Subject: make 2.5.1p1 on Solaris8
>
> Trying to build 2.5.1p1 on Solaris 8 x86 with patches from 01/01:
>
> gcc -g -O2 -Wall -I/opt/include -I/opt/include/openssl -I/usr/local/include
> -I/opt/include -I/opt/include -I. -I./openbsd-compat -I.
> -DETCDIR=\"/etc/opt/ssh\" -D_PATH_SSH_PROGRAM=\"/opt/openssh/bin/ssh\"
> -D_PATH_SSH_ASKPASS_DEFAULT=\"/opt/openssh/libexec/ssh-askpass\"
> -D_PATH_SFTP_SERVER=\"/opt/openssh/libexec/sftp-server\" -DHAVE_CONFIG_H -c scp.c
> scp.c: In function `foregroundproc':
> scp.c:1124: too many arguments to function `getpgrp'
> make: *** [scp.o] Error 1
>
> Do you know what is wrong?
>
> Thanks in advance,
>
> Peter
>
>

From mouring at etoh.eviladmin.org Sat Mar 3 05:21:22 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Fri, 2 Mar 2001 12:21:22 -0600 (CST)
Subject: Improving v2 connection exchange.
Message-ID:

I just finished net-installing OpenBSD on my Sparc (yay..), and I'm noticing
how extremely slow it is to connect (20 - 30 seconds) as compared to the v1
protocol to the Sparc, or even v2 from my dual 533mhz to itself. (The Sparc
is an ss20 w/ a 150mhz processor; it works nicely after the key exchange is
finished.)

Is there any reasonable way to improve the connection speed for v2 on slower
hardware?

debug: Sending SSH2_MSG_KEX_DH_GEX_REQUEST.
debug: Wait SSH2_MSG_KEX_DH_GEX_GROUP.
debug: Got SSH2_MSG_KEX_DH_GEX_GROUP.
[..hangs here for a bit..]
debug: bits set: 1046/2049
debug: Sending SSH2_MSG_KEX_DH_GEX_INIT.
debug: Wait SSH2_MSG_KEX_DH_GEX_REPLY.
[..hangs here for a bit..]

- Ben

From htodd at twofifty.com Sat Mar 3 05:29:41 2001
From: htodd at twofifty.com (Hisashi T Fujinaka)
Date: Fri, 2 Mar 2001 10:29:41 -0800 (PST)
Subject: Solaris port configure not recognizing --sysconfidir?
In-Reply-To:
Message-ID:

On Fri, 2 Mar 2001, Damien Miller wrote:

> On Thu, 1 Mar 2001, Hisashi T Fujinaka wrote:
>
> > I tried to move the configuration directory to /etc/ssh. Unfortunately,
> > there appears to be something compiled into sshd and into the solaris
> > build script.
> >
> > Rather than thrash around and try to hack random files on my end, I
> > thought I'd ask to see if I'm just doing something stupid or if someone
> > could tell me which files I really need to edit.
>
> You are talking about the stuff in contrib/solaris?
>
> This needs tweaking if you build with anything other than default
> configure options. A good project for someone would be to integrate the
> contrib/solaris stuff with configure so the paths, etc are automatically
> filled in.

Editing the stuff in contrib/solaris was my first try. Then I started over
(deleted the directory and untarred again) and did a 'configure
--sysconfdir=/etc/ssh'. Running sshd (and I made sure it was the newest sshd
by checking timestamps) complained about not being able to find
/usr/local/etc.

I dunno. I give up. /usr/local/etc isn't so bad.

--
Hisashi T Fujinaka - htodd at twofifty.com
BSEE (6/86) + BSChem (3/95) + BAEnglish (8/95) + $2.50 = mocha latte

From hahnw at psi.com Sat Mar 3 06:24:18 2001
From: hahnw at psi.com (William Hahn) Date: Fri, 02 Mar 2001 14:24:18 -0500 Subject: Security problem depending on your point of view with OpenSSH 2.5.1p1 related to Password authentication. Message-ID: <3A9FF361.ACBE830@psi.com> I compiled 2.5.1p1 on solaris and linux with PAM support and produced the same problem. If I set sshd_config to not allow password authentication( PasswordAuthentication no ) and restart sshd. I then ssh in with password authentication in ssh protocol version 2. $ ssh -v -2 jenn at billsnet.com OpenSSH_2.5.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f debug: Reading configuration data /home1/hahnw/.ssh/config debug: Applying options for * debug: Reading configuration data /opt/PSIssh/etc/ssh_config debug: Applying options for * debug: ssh_connect: getuid 412 geteuid 0 anon 0 debug: Connecting to billsnet.com [38.211.200.1] port 22. debug: Allocated local port 894. debug: Connection established. debug: identity file /home1/hahnw/.ssh/identity type 0 debug: Remote protocol version 1.99, remote software version OpenSSH_2.5.1p1 debug: match: OpenSSH_2.5.1p1 pat ^OpenSSH Enabling compatibility mode for protocol 2.0 debug: Local version string SSH-2.0-OpenSSH_2.5.1p1 debug: Seeded RNG with 41 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: send KEXINIT debug: done debug: wait KEXINIT debug: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug: got kexinit: ssh-dss,ssh-rsa debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160 
at openssh.com,hmac-sha1-96,hmac-md5-96 debug: got kexinit: none,zlib debug: got kexinit: none,zlib debug: got kexinit: debug: got kexinit: debug: first kex follow: 0 debug: reserved: 0 debug: done debug: kex: server->client 3des-cbc hmac-sha1 none debug: kex: client->server 3des-cbc hmac-sha1 none debug: Sending SSH2_MSG_KEX_DH_GEX_REQUEST. debug: Wait SSH2_MSG_KEX_DH_GEX_GROUP. debug: Got SSH2_MSG_KEX_DH_GEX_GROUP. debug: bits set: 1078/2049 debug: Sending SSH2_MSG_KEX_DH_GEX_INIT. debug: Wait SSH2_MSG_KEX_DH_GEX_REPLY. debug: Got SSH2_MSG_KEXDH_REPLY. debug: Host 'billsnet.com' is known and matches the RSA host key. debug: Found key in /home1/hahnw/.ssh/known_hosts2:8 debug: bits set: 1047/2049 debug: ssh_rsa_verify: signature correct debug: Wait SSH2_MSG_NEWKEYS. debug: GOT SSH2_MSG_NEWKEYS. debug: send SSH2_MSG_NEWKEYS. debug: done: send SSH2_MSG_NEWKEYS. debug: done: KEX2. debug: send SSH2_MSG_SERVICE_REQUEST debug: service_accept: ssh-userauth debug: got SSH2_MSG_SERVICE_ACCEPT debug: authentications that can continue: publickey,keyboard-interactive debug: next auth method to try is publickey debug: userauth_pubkey_agent: trying agent key /home1/hahnw/.ssh/id_dsa debug: authentications that can continue: publickey,keyboard-interactive debug: next auth method to try is publickey debug: next auth method to try is keyboard-interactive Password: debug: authentications that can continue: publickey,keyboard-interactive debug: next auth method to try is keyboard-interactive Password: debug: ssh-userauth2 successful: method keyboard-interactive debug: channel 0: new [client-session] debug: send channel open 0 debug: Entering interactive session. debug: client_init id 0 arg 0 debug: Requesting authentication agent forwarding. debug: channel request 0: shell debug: channel 0: open confirm rwindow 0 rmax 16384 Last login: Fri Mar 2 13:45:54 2001 from jt.billsnet.com If I try to ssh in with protocol 1 with I get Permission denied. which is what I would expect. 
(hahnw at jt.billsnet.com)$ ssh -v -1 jenn at billsnet.com OpenSSH_2.5.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f debug: Reading configuration data /home1/hahnw/.ssh/config debug: Applying options for * debug: Reading configuration data /opt/PSIssh/etc/ssh_config debug: Applying options for * debug: ssh_connect: getuid 412 geteuid 0 anon 0 debug: Connecting to billsnet.com [38.211.200.1] port 22. debug: Allocated local port 895. debug: Connection established. debug: identity file /home1/hahnw/.ssh/identity type 0 debug: Remote protocol version 1.99, remote software version OpenSSH_2.5.1p1 debug: match: OpenSSH_2.5.1p1 pat ^OpenSSH debug: Local version string SSH-1.5-OpenSSH_2.5.1p1 debug: Waiting for server public key. debug: Received server public key (768 bits) and host key (1024 bits). debug: Host 'billsnet.com' is known and matches the RSA1 host key. debug: Found key in /home1/hahnw/.ssh/known_hosts:11 debug: Seeded RNG with 41 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Encryption type: blowfish debug: Sent encrypted session key. debug: Installing crc compensation attack detector. debug: Received encrypted confirmation. debug: Trying RSA authentication via agent with 'hahnw at jt.billsnet.com' debug: Server refused our key. debug: RSA authentication using agent refused. debug: Trying RSA authentication with key 'hahnw at jt.billsnet.com' debug: Server refused our key. Permission denied. debug: Calling cleanup 0x3bfec(0x0) debug: Calling cleanup 0x4146c(0x0) debug: writing PRNG seed to file /home1/hahnw/.ssh/prng_seed From ishikawa at yk.rim.or.jp Sat Mar 3 06:55:47 2001 
From: ishikawa at yk.rim.or.jp (Ishikawa) Date: Sat, 03 Mar 2001 04:55:47 +0900 Subject: add scp path to _PATH_STDPATH References: Message-ID: <3A9FFAC3.9B43E2F8@yk.rim.or.jp>

Looking at the discussion, I initially thought that adding a command option to specify where the expected program would be found might help. Naturally, this poses new problems.

- suppose the user doesn't know the non-standard path name.
- what if the user specifies a totally unrelated path for, say, scp? We should not be fooled into running a file specified by the user so easily.

The second question above might be solved using a scheme similar to the restricted shell that comes with sendmail. The restricted shell that comes with sendmail only permits the execution of files under the admin's control. From what I recall, if I say, as a response to an e-mail delivery, run the following file,

  /whatever/the/intermediate/path/is/vacation

the restricted shell picks up the last element of the pathname and performs a lookup under a pre-specified directory, say, /var/adm/sm. Under /var/adm/sm, we make entries for permissible programs as in

  vacation -> /usr/ucb/vacation

or whatever. The restricted shell ignores the intermediate path and only uses the last filename component to pick up the final executable.

But this is a little complicated. I think a good solution would be to define a new entry in the sshd_config file which would be something like

  PATH subsystem-name full-path-to-the-executable [, ...]

and honor the entry when we look for the binary. Instead, a la the sendmail/rsh combination, we might introduce something like

  EXECDIR directory-where-symbolic-link-of-subsys-exec-is-found [, ...]

eg.

  PATH scp /usr/local/bin/scp
  PATH sftp /usr/local/bin/sftp

or

  EXECDIR /usr/local/bin
  (from which scp, or sftp or whatever is picked up.)

I allow a possibility of specifying multiple pathnames or directories just in case. The directories need to be checked to avoid a trojan horse being implanted. But usual sanity checking about

- owned by root,
- no rwx permission to others, etc..
- the intermediate path to the final executable not group-writable or world-writable, etc..

should suffice. (Come to think of it, does sshd check for this currently???)

Shouldn't such entries in sshd_config solve the problems discussed? (Or do we need a similar entry for ssh_config as well?)

I, for one, was a little uncomfortable to add /usr/local/bin to the default-path spec when I found out that I needed to re-compile sshd to search /usr/local/bin for scp: I had put scp under /usr/local/bin somehow and realized that I needed to let sshd know that scp is there.

From mouring at etoh.eviladmin.org Sat Mar 3 07:23:18 2001
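An added example (not code from OpenSSH or from anyone in this thread) of the sanity check Ishikawa asks about: before a daemon runs a helper found through a configured path, the file and every directory above it are checked for ownership by an allowed uid and for the absence of group or world write permission. The `stat_fn` argument follows stat(2) semantics, so a symlink in an EXECDIR-style directory resolves to its target; the fake tree below is constructed data so the script runs offline.

```python
"""Path-trust check for a daemon-executed helper such as scp.

Added example, not code from OpenSSH or from the thread's authors. The
file and every directory leading to it must be owned by an allowed uid
(root by default) and must not be group- or world-writable.
"""
import os
import stat
from dataclasses import dataclass


@dataclass
class FakeStat:
    """Only the two fields the check needs from a stat result."""
    st_uid: int
    st_mode: int


def _prefixes(path):
    """'/usr/local/bin/scp' -> ['/', '/usr', '/usr/local', '/usr/local/bin',
    '/usr/local/bin/scp']."""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]


def check_exec_path(path, stat_fn=os.stat, allowed_uids=(0,)):
    """Return (True, "ok") if `path` is an owner-executable regular file and
    it and every directory leading to it are owned by an allowed uid and
    not writable by group or others; otherwise (False, reason)."""
    if not path.startswith("/") or path.endswith("/"):
        return False, f"{path}: must be an absolute file path"
    prefixes = _prefixes(path)
    for p in prefixes:
        try:
            st = stat_fn(p)
        except (FileNotFoundError, KeyError):   # KeyError: fake tree's ENOENT
            return False, f"{p}: does not exist"
        is_leaf = p == prefixes[-1]
        if is_leaf and not stat.S_ISREG(st.st_mode):
            return False, f"{p}: not a regular file"
        if not is_leaf and not stat.S_ISDIR(st.st_mode):
            return False, f"{p}: not a directory"
        if st.st_uid not in allowed_uids:
            return False, f"{p}: owned by uid {st.st_uid}, expected one of {sorted(allowed_uids)}"
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False, f"{p}: group- or world-writable"
        if is_leaf and not st.st_mode & stat.S_IXUSR:
            return False, f"{p}: not executable by owner"
    return True, "ok"


# Constructed sample tree (not a real host): one clean install under
# /usr/local, one scp dropped in the sticky world-writable /tmp, and one
# under a group-writable /opt.
SAMPLE_TREE = {
    "/": FakeStat(0, stat.S_IFDIR | 0o755),
    "/usr": FakeStat(0, stat.S_IFDIR | 0o755),
    "/usr/local": FakeStat(0, stat.S_IFDIR | 0o755),
    "/usr/local/bin": FakeStat(0, stat.S_IFDIR | 0o755),
    "/usr/local/bin/scp": FakeStat(0, stat.S_IFREG | 0o755),
    "/tmp": FakeStat(0, stat.S_IFDIR | stat.S_ISVTX | 0o777),
    "/tmp/scp": FakeStat(1000, stat.S_IFREG | 0o755),
    "/opt": FakeStat(0, stat.S_IFDIR | 0o775),
    "/opt/scp": FakeStat(0, stat.S_IFREG | 0o755),
}


def fake_stat(path):
    """stat(2) stand-in over SAMPLE_TREE; a missing key plays the role of ENOENT."""
    return SAMPLE_TREE[path]


if __name__ == "__main__":
    for candidate in ("/usr/local/bin/scp", "/tmp/scp", "/opt/scp",
                      "/usr/local/bin/sftp", "scp"):
        ok, why = check_exec_path(candidate, fake_stat)
        print(f"{'TRUST ' if ok else 'REJECT'} {candidate}: {why}")
```

Note that the check refuses /tmp/scp because of /tmp's permissions before it ever looks at the file's owner, which is the point of walking the intermediate path: a root-owned, mode 0755 binary in a directory anyone can rename or replace entries in is not trustworthy.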
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Fri, 2 Mar 2001 14:23:18 -0600 (CST) Subject: add scp path to _PATH_STDPATH In-Reply-To: <3A9FFAC3.9B43E2F8@yk.rim.or.jp> Message-ID:

On Sat, 3 Mar 2001, Ishikawa wrote:

[..]
> But this is a little complicated.
>
> I think a good solution would be define a new entry
> in the sshd_config file which would be something like
>
> PATH subsystem-name full-path-to-the-executable [, ...]
>

v2 protocol has no issues with this. Since 'subsystem' defines out such things (one could more than likely tweak scp to work as a 'subsystem' with very little effort). Pretty much you're suggesting adding the same style of feature to v1. I really don't know if I like the idea since it attempts to shoehorn two different concepts. Attempting to 'guess' the user's intent is not always a good thing.

> and honor the entry when we look for the binary.
> Instead, a la sendmail/rsh combination, we might introduce something like
>
> EXECDIR directory-where-symbolic-link-of-subsys-exec-is-found [, ...]
>
> eg.
> PATH scp /usr/local/bin/scp
>
> PATH sftp /usr/local/bin/sftp
>
> or
>
> EXECDIR /usr/local/bin
> (from which scp, or sftp or whatever is picked up.)
>
> I allow a possibility of specifying multiple pathnames or directories
> just in case. The directories
> need to be checked to avoid trojan horse being implanted.
> But usual sanity checking about
> - owned by root,
> - no rwx permission to others, etc..
> - the intermediate path to the final executable
> not group writable or world-writable, etc..
>

ssh '/path/to/scp file machine:file' .. Do we really want to strip the '/path/to/' off of that line and replace it with our path? How do we know that /path/to/ is actually right? It could be a modified scp that is in a different directory for a special task (not saying it's wise =). Do you really want to remove the ability of the end-user to 'fix' scp if the ISP/shell provider has a broken one? Maybe I wrote an add-on to scp and I wish to use my special version between home and my ISP? Changing standard behaviors is touchy.

> should suffice. (Come to think of it, does sshd
> check for this currently???)
>
> Shouldn't such entries in sshd_config solve the problems discussed?
> (Or do we need a similar entry for ssh_config as well?)
>
> I, for one, was a little uncomfortable to add /usr/local/bin
> to the default-path spec when I found out that I needed to re-compile
> sshd to search /usr/local/bin for scp: I had put scp under /usr/local/bin
> somehow
> and realized that I needed to let sshd know that scp is there.
>

Solutions:

a) Back-port 'subsystem' concept to v1 .. Never will happen
b) Fix up the path and ignore the problem.
c) add support for scp as a subsystem for v2 and dump v1 support.
d) Add some complex hack that could cause things to not work as the user expects them to under certain cases.

I'm more in favor of (b) and (c). (I believe Markus stated it would be an interesting project to do a 'scp2' emulation. scp over sftp. Which after looking at our current sftp client it would be pretty easy to do. Minus the 'scp site:file site2:file' concept. =)

- Ben

From ishikawa at yk.rim.or.jp Sat Mar 3 08:19:27 2001
From: ishikawa at yk.rim.or.jp (Ishikawa) Date: Sat, 03 Mar 2001 06:19:27 +0900 Subject: add scp path to _PATH_STDPATH References: Message-ID: <3AA00E5F.BBEAD312@yk.rim.or.jp>

> > I think a good solution would be define a new entry
> > in the sshd_config file which would be something like
> >
> > PATH subsystem-name full-path-to-the-executable [, ...]
> >
> v2 protocol has no issues with this. Since 'subsystem' defines out
> such things (One could more than likely tweak scp to work as a
> 'subsystem' with very little effort).
>

I am not that familiar with the v1 protocol and so this may indeed be very difficult to retrofit to the existing v1 protocol.

> Attempting to 'guess' the users intent is not always a good thing.

Generally speaking, this is true.

> ssh '/path/to/scp file machine:file' .. Do we really want to strip
> the '/path/to/' off of that line and replace it with our path? how
> do we know that /path/to/ is actually right? It could be a modified scp
> that is in a different directory for a special task (not saying it's wise
> =). Do you really want to remove the ability of the end-user to 'fix' scp
> if the ISP/shell provider has a broken one? Maybe I wrote an add-on to
> scp and I wish to use my special version between home and my
> ISP? Changing standard behaviors is touchy.
>

Here I was a little confused and actually hoped someone would clear this up when I wondered if ssh_config (not sshD_config) was needed. Are you saying that the perceived scp problem is only on the caller's side? If so, I have no problem letting the user override the scp binary's path at least.

[The problem I was thinking of is the case where sshD needs to pick up the scp binary and somehow it can't. Wasn't this the problem after all? In this case (if so), I would not want a remote user (even if somehow the user successfully logs in) to run "scp" from any directory of the user's choice, since "scp" seems to be handled rather specially in ssh/sshd. Oh well, come to think of it, by then the intruder or impersonator can plant any binaries by a simple "scp", if available, or whatever, and so this problem is moot by then.]

Maybe my understanding of how scp is handled within ssh/sshd is totally incorrect. Let me see:

  scp my-local-data remote-host:/tmp/t.dat

would invoke ssh locally, and the remote host would accept the ssh connection and run a program, right? For example,

  scp -v /tmp/t.dat host.example.com:/tmp/t.dat
  Executing: program /usr/local/bin/ssh host host.example.com, user (unspecified), command scp -v -t /tmp/t.dat
  ...

The program "scp" is searched for on the REMOTE side, and seems to use the default path of sshd. I had a problem since I hadn't installed scp in the default PATH of sshd. (Or rather, the default PATH of sshd is restrictive, as it should be.) Since I had a nagging suspicion that future changes might introduce "other" binaries searched from the PATH, I was reluctant to add the additional directory to sshd's PATH, but eventually did so.

> > Shouldn't such entries in sshd_config solve the problems discussed?
> > (Or do we need a similar entry for ssh_config as well?)
> >

When I wrote the above, I didn't think that the client side (caller) needed to worry about this problem.

> Solutions:
>
> a) Back-port 'subsystem' concept to v1 .. Never will happen
> b) Fix up the path and ignore the problem.
> c) add support for scp as a subsystem for v2 and dump v1 support.
> d) Add some complex hack that could cause things to not work as the user
> expects them to under certain cases.
>

I trust the judgement of the developers.

> do. Minus the 'scp site:file site2:file' concept. =)

Yes, this one is a tough one. (In this case, sshd on both site and site2 need to be able to pick up scp from their respective PATH.) ftp has similar features and I wonder if sftp tries to support such proxy copying, too.

From dankamin at cisco.com Sat Mar 3 09:38:25 2001
From: dankamin at cisco.com (Dan Kaminsky) Date: Fri, 02 Mar 2001 14:38:25 -0800 Subject: AllowHosts / DenyHosts References: Message-ID: <3AA020E1.5020703@cisco.com>

> I would much rather take an existing language which has been custom
> designed for the role rather than reinvent yet another half-baked
> policy language which is incompatible with everything else.

You have a point, but for reasons I hadn't realized. SSH *does* use a half-baked approach to configuration. ssh_config and sshd_config use a unified syntax...but then we have per user authorized_keys, known_hosts, and so on, along with sometimes a server known_hosts...and now we're talking about adding per-key permission switching on a server level too... It is, indeed, getting messy (though there are advantages to having separated files--highly granular file permissions!)

> Keynote may not fit your aesthetics, but it has the advantage of being
> a published standard already being used in quite a few other software
> packages (OpenBSD IPsec & Kerberos, Apache-SSL). It also has a standard
> library which can be the focus of *everyone's* review and auditing
> efforts.

I wasn't aware it was used outside OpenBSD IPSec. With a sufficiently loose policy specification, one could create a single policy that would cover IPSec tunnels, SSL web pages, and SSH servers. Now *that's* useful--say "Must3DES" in one place, and all cryptosystems must follow the same rules. The problems come from the differences in the various architectures--you can't mandate what a protocol doesn't support, after all.

> I don't think it is too difficult to learn either - its logic is very
> clear: IF precondition [&&/|| precondition ...] THEN result. It only
> gets complicated if you plan on doing things like hierarchical or
> delegated authentication, which are inherently complex anyway.

The problem with coding is that the better you get at it, the less strange you see vast amounts of seemingly arbitrary punctuation. :-)

What you describe is not keynote. What you describe is:

  IF host == 129.210.*.* && keyprint == DEADBEEF THEN RejectImmediately

That ain't keynote. Do not discount the complexity of Keynote for the user. If integrated, it will be the single most confusing aspect of OpenSSH--a credit to the elegance and simplicity of SSH. Keynote does make difficult things--like synchronizing configurations across cryptosystems and syntax across config files--possible. But it doesn't make easy things easy, don't pretend it does--and even the difficult things it enables are all somewhat tangential.

Damien, Markus, anyone--what really useful policy statements can I express efficiently using a Keynote based system that I couldn't really do with a slight expansion of what we support in ssh_config? I've been putting some thought to it...you do get things like this:

  IF ((host == foo AND keyprint == CAFEBABE) OR (host == bar AND keyprint == DEADBEEF)) AND (time > 0600GMT AND time < 1200GMT) THEN AllowAccess

This, of course, isn't Keynote syntax...but it's pretty ugly to port to my system, because there's no way to express that CAFEBABE shouldn't be allowed on host bar or DEADBEEF shouldn't be on host foo, without having really redundant configuration information. Keynote would be much more amenable to such a system, I believe. Just don't tell me Keynote will ever be easier than:

  IfHost foo OR bar AllowAccess

Incidentally--what of its portability? OpenSSH is compatible with a ridiculous number of systems--will LibKeynote be? Securely? This isn't an accusation; I'm just interested if you've investigated the portability of the library.

Yours Truly,

Dan Kaminsky, CISSP www.doxpara.com

From htodd at twofifty.com Sat Mar 3 08:50:22 2001
From: htodd at twofifty.com (Hisashi T Fujinaka) Date: Fri, 2 Mar 2001 13:50:22 -0800 (PST) Subject: Security problem depending on your point of view with OpenSSH 2.5.1p1 related to Password authentication. In-Reply-To: <3A9FF361.ACBE830@psi.com> Message-ID: We're seeing the same problem on redhat systems with 2.5.1p2. Looks like the code for both protocols is checking the same flag, but ssh2 is ignoring it. Anyone have a patch? On Fri, 2 Mar 2001, William Hahn wrote: > I compiled 2.5.1p1 on solaris and linux with PAM support and produced the same problem. > > If I set sshd_config to not allow password authentication( PasswordAuthentication no ) and restart sshd. > > I then ssh in with password authentication in ssh protocol version 2. ... > If I try to ssh in with protocol 1 with I get Permission denied. which is what I would expect. -- Hisashi T Fujinaka - htodd at twofifty.com BSEE (6/86) + BSChem (3/95) + BAEnglish (8/95) + $2.50 = mocha latte From dusha at dnttm.ru Sat Mar 3 09:55:53 2001 
From: dusha at dnttm.ru (Sergei Dushenkov) Date: Sat, 3 Mar 2001 01:55:53 +0300 Subject: Sftp client improvements Message-ID: <013101c0a36b$f2773260$f4da55c2@future>

Hello,

I want to know, are there any plans on sftp client (not server) improvements?

Previously I was using ssh-2.4 packages (non-commercial) and they have a fantastic sftp client.

And when I moved to openssh I found that the openssh sftp client's functionality is poorer than an ordinary ftp client's!

Here are some of the features I think developers must concentrate on:

1. Include support for wildcards ('get opens*' for example)
1.1 If wildcards with "get" cannot be done, then at least mget should be included (with wildcard support)
2. TAB completes the filename/s (as it is done in shell)
3. "ls" should normally do a short list, and if the user wants a long list, then "ls -l" must do that
4. Download status (to control the progress of the transfer)

Thanks.

-------------------------------------------------------------------------------
Sergei Dushenkov - DNTTM Network Services Administrator Phone: +7-(095)-2373609 e-mail: dusha at dnttm.ru ICQ: 1618633
-------------------------------------------------------------------------------

From rachit at ensim.com Sat Mar 3 10:08:06 2001
From: rachit at ensim.com (Rachit Siamwalla) Date: Fri, 02 Mar 2001 15:08:06 -0800 Subject: Sftp client improvements References: <013101c0a36b$f2773260$f4da55c2@future> Message-ID: <3AA027D6.B9867404@ensim.com>

Hmm, I wonder if it would just be better to integrate a full-featured open FTP client and plug it into an openssh backend / networking layer rather than the openssh team implementing it themselves.

> 1. Include support for wildcards ('get opens*' for example)
> 1.1 If the wildcards with "get" cannot be done, then at least mget should be
> included (with wildcards support)
> 2. TAB completes the filename/s (as it is done in shell)
> 3. "ls" should normally do a short list, and if user want a long list, then
> "ls -l"
> must do that
> 4. Download status (to control the progress of the transfer)

From mouring at etoh.eviladmin.org Sat Mar 3 10:44:37 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Fri, 2 Mar 2001 17:44:37 -0600 (CST) Subject: Sftp client improvements In-Reply-To: <013101c0a36b$f2773260$f4da55c2@future> Message-ID:

On Sat, 3 Mar 2001, Sergei Dushenkov wrote:

> Hello,
>
> I want to know are there any plans on the sftp client (not server)
> improvements?
>
> Previously I was using ssh-2.4 packages (non-commercial) and they have
> Fantastic
> sftp client.
>
> And when I've moved to openssh I found that openssh sftp client
> functionality is more poor than ordinary ftp client have!
>

Give us time will ya? =) sftp client support for OpenSSH has only existed for less than a month. The majority of your issues are on the list of things we want to do. Feel free to help us out.

- Ben

From mouring at etoh.eviladmin.org Sat Mar 3 10:48:04 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Fri, 2 Mar 2001 17:48:04 -0600 (CST) Subject: Sftp client improvements In-Reply-To: <3AA027D6.B9867404@ensim.com> Message-ID: On Fri, 2 Mar 2001, Rachit Siamwalla wrote: > > Hmm, i wonder if it would be just better to integrate a full featured > open FTP client in and plug it into an openssh backend / networking > layer rather than the openssh team implementing it themselves. > The framework is in place. There is a globing patch floating around and when libedit is supported a lot of the complaints about sftp will disappear. I personally don't know if it's worth throwing it away just to try and shoehorn an existing ftp client. I think we are better off adding to the current framework. - Ben From chip at valinux.com Sat Mar 3 11:09:11 2001 From: chip at valinux.com (Chip Salzenberg) Date: Fri, 2 Mar 2001 16:09:11 -0800 Subject: [PATCH] PrintLastLog option Message-ID: <20010302160911.A24705@valinux.com> Some time ago, Ben wrote about a PrintLastLog patch: > If the person who originally submitted it wants to write a complete > patch and submit it. Then we would be happy to debate if it will be > included. Well, here it is, because: "You Asked For It!" PS: I'm tired of maintaining my own version of Debian's ssh just to have this option available, so I hope you find it acceptable. -- Chip Salzenberg - a.k.a. - "We have no fuel on board, plus or minus 8 kilograms." -- NEAR tech -------------- next part -------------- Index: servconf.h --- servconf.h.prev +++ servconf.h Thu Feb 22 20:59:45 2001 @@ -52,4 +52,5 @@ * for RhostsRsaAuth */ int print_motd; /* If true, print /etc/motd. */ + int print_lastlog; /* If true, print lastlog */ int check_mail; /* If true, check for new mail. */ int x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */ Index: servconf.c --- servconf.c.prev +++ servconf.c Thu Feb 22 20:59:45 2001 
@@ -56,4 +56,5 @@ initialize_server_options(ServerOptions options->ignore_user_known_hosts = -1; options->print_motd = -1; + options->print_lastlog = -1; options->check_mail = -1; options->x11_forwarding = -1; @@ -133,4 +134,6 @@ fill_default_server_options(ServerOption if (options->print_motd == -1) options->print_motd = 1; + if (options->print_lastlog == -1) + options->print_lastlog = 1; if (options->x11_forwarding == -1) options->x11_forwarding = 0; @@ -209,5 +212,6 @@ typedef enum { sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, - sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, + sPrintMotd, sPrintLastLog, sIgnoreRhosts, + sX11Forwarding, sX11DisplayOffset, sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, sUseLogin, sAllowTcpForwarding, @@ -254,4 +258,5 @@ static struct { { "listenaddress", sListenAddress }, { "printmotd", sPrintMotd }, + { "printlastlog", sPrintLastLog }, { "ignorerhosts", sIgnoreRhosts }, { "ignoreuserknownhosts", sIgnoreUserKnownHosts }, @@ -555,4 +560,8 @@ parse_flag: case sPrintMotd: intptr = &options->print_motd; + goto parse_flag; + + case sPrintLastLog: + intptr = &options->print_lastlog; goto parse_flag; Index: session.c --- session.c.prev +++ session.c Thu Feb 22 20:59:45 2001 @@ -708,8 +708,10 @@ do_login(Session *s, const char *command } - /* Get the time and hostname when the user last logged in. */ - hostname[0] = '\0'; - last_login_time = get_last_login_time(pw->pw_uid, pw->pw_name, - hostname, sizeof(hostname)); + if (options.print_lastlog) { + /* Get the time and hostname when the user last logged in. */ + hostname[0] = '\0'; + last_login_time = get_last_login_time(pw->pw_uid, pw->pw_name, + hostname, sizeof(hostname)); + } /* Record that there was a login on that tty from the remote host. */ 
@@ -748,5 +750,5 @@ do_login(Session *s, const char *command #endif /* WITH_AIXAUTHENTICATE */ - if (last_login_time != 0) { + if (options.print_lastlog && last_login_time != 0) { time_string = ctime(&last_login_time); if (strchr(time_string, '\n')) Index: sshd.8 --- sshd.8.prev +++ sshd.8 Thu Feb 22 20:59:46 2001 @@ -350,4 +350,20 @@ The default is .Dq no . +.Pp +Note: These messages can also be generated by PAM, so if you find that +you are getting the message twice, switch this one +.Dq off +and let PAM handle it. +.It Cm PrintLastLogin +Specifies whether +.Nm +should print the date and tty of last login when a user logs in +interactively. The default is +.Dq no . +.Pp +Note: These messages can also be generated by PAM, so if you find that +you are getting the message twice, switch this one +.Dq off +and let PAM handle it. .It Cm DenyGroups This keyword can be followed by a number of group names, separated Index: sshd_config --- sshd_config.prev +++ sshd_config Thu Feb 22 20:59:46 2001 @@ -19,4 +19,5 @@ X11DisplayOffset 10 PrintMotd yes +PrintLastLog yes KeepAlive yes From djm at mindrot.org Sat Mar 3 17:14:11 2001 
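Review bot: In the servconf.c hunks, fill_default_server_options() sets `options->print_lastlog = 1` when the option is unset, and the sshd_config hunk ships `PrintLastLog yes`, but the sshd.8 hunk documents the new keyword with "The default is .Dq no ." One of the two is wrong; since the whole point of the patch is to keep today's behaviour unless the admin turns it off, the manpage should say the default is yes.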
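Review bot: In the first session.c hunk, `last_login_time` is now only assigned inside `if (options.print_lastlog)`, and the second hunk reads it only after `options.print_lastlog &&` short-circuits, so there is no use of an uninitialised value today; initialising `last_login_time = 0` at its declaration (outside the shown context) would keep that true if anyone later reorders the test. `hostname[0] = '\0'` moved into the same conditional, which is fine only as long as the lastlog printing block is the sole reader of `hostname` in do_login().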
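Review bot: In the sshd.8 hunk the keyword is documented as `.It Cm PrintLastLogin`, while servconf.c registers `{ "printlastlog", sPrintLastLog }` and the sshd_config hunk uses `PrintLastLog`; anyone who copies the documented spelling will get a parse error, so the manpage entry should read `PrintLastLog`. Two smaller points in the same hunk: the first added "Note: These messages can also be generated by PAM" paragraph is inserted under whichever keyword entry precedes the new one (the context only shows "The default is .Dq no ."), so confirm it lands in the PrintMotd entry rather than an unrelated option; and both notes say to switch the option `.Dq off`, whereas the option takes `yes`/`no`, so `.Dq no` is the value to quote.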
From: djm at mindrot.org (Damien Miller) Date: Sat, 3 Mar 2001 17:14:11 +1100 (EST) Subject: Sftp client improvements In-Reply-To: <013101c0a36b$f2773260$f4da55c2@future> Message-ID:

On Sat, 3 Mar 2001, Sergei Dushenkov wrote:

> Hello,
>
> I want to know are there any plans on the sftp client (not server)
> improvements?

I have a fair TODO list on the sftp client and am working through it as time permits. Patches are always welcome.

> Previously I was using ssh-2.4 packages (non-commercial) and they have
> Fantastic sftp client.
>
> And when I've moved to openssh I found that openssh sftp client
> functionality is more poor than ordinary ftp client have!

It is pretty young, please give us time.

> Here is some of the features I think, developers must concentrate on:
>
> 1. Include support for wildcards ('get opens*' for example)
> 1.1 If the wildcards with "get" cannot be done, then at least mget
> should be included (with wildcards support)

I have made a patch for wildcard support for get, put, ch{mod,grp,own}. It is currently under review.

> 2. TAB completes the filename/s (as it is done in shell)

This is a bit more work, but is planned eventually.

> 3. "ls" should normally do a short list, and if user want a long list, then
> "ls -l" must do that

This would be very easy to do now, and would be a good project for someone to take on.

> 4. Download status (to control the progress of the transfer)

This too would be a good project for someone to take on.

If anyone wants to take on any of the above tasks, do yell out on the list so that there is no duplication of effort and you are aware of the current and pending changes.

-d

-- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer

From djm at mindrot.org Sat Mar 3 17:17:00 2001
From: djm at mindrot.org (Damien Miller) Date: Sat, 3 Mar 2001 17:17:00 +1100 (EST) Subject: Sftp client improvements In-Reply-To: Message-ID:

On Fri, 2 Mar 2001 mouring at etoh.eviladmin.org wrote:

> On Fri, 2 Mar 2001, Rachit Siamwalla wrote:
>
> >
> > Hmm, i wonder if it would be just better to integrate a full featured
> > open FTP client in and plug it into an openssh backend / networking
> > layer rather than the openssh team implementing it themselves.
> >
> The framework is in place. There is a globbing patch floating around and
> when libedit is supported a lot of the complaints about sftp will
> disappear.
>
> I personally don't know if it's worth throwing it away just to try and
> shoehorn an existing ftp client. I think we are better off adding to the
> current framework.

That being said - I have tried to make it easy for others to implement clients using the sftp code. Most of the client-side protocol stuff is in sftp-client.[ch] and there is a fair bit of reusable infrastructure in sftp.c.

If you think that adapting an existing FTP client would be more productive then please go ahead! Bear in mind that we won't be able to integrate it unless it is BSD licensed. Teaching the OpenBSD commandline ftp client SFTP may be a productive course of action. A GUI client might also be nice.

-d

-- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer

From stevesk at sweden.hp.com Sat Mar 3 23:58:39 2001
From: stevesk at sweden.hp.com (Kevin Steves) Date: Sat, 3 Mar 2001 13:58:39 +0100 (MET) Subject: Security problem depending on your point of view with OpenSSH 2.5.1p1 related to Password authentication. In-Reply-To: Message-ID: i can't duplicate this on hp-ux+pam, or redhat+pam. can you provide sshd -ddd output? On Fri, 2 Mar 2001, Hisashi T Fujinaka wrote: : We're seeing the same problem on redhat systems with 2.5.1p2. Looks like : the code for both protocols is checking the same flag, but ssh2 is : ignoring it. : : Anyone have a patch? : : On Fri, 2 Mar 2001, William Hahn wrote: : : > I compiled 2.5.1p1 on solaris and linux with PAM support and produced the same problem. : > : > If I set sshd_config to not allow password authentication( PasswordAuthentication no ) and restart sshd. : > : > I then ssh in with password authentication in ssh protocol version 2. : ... : > If I try to ssh in with protocol 1 with I get Permission denied. which is what I would expect. : : -- : Hisashi T Fujinaka - htodd at twofifty.com : BSEE (6/86) + BSChem (3/95) + BAEnglish (8/95) + $2.50 = mocha latte From djm at mindrot.org Sun Mar 4 00:22:10 2001 
From: djm at mindrot.org (Damien Miller) Date: Sun, 4 Mar 2001 00:22:10 +1100 (EST) Subject: Security problem depending on your point of view with OpenSSH 2.5.1p1 related to Password authentication. In-Reply-To: <3A9FF361.ACBE830@psi.com> Message-ID:

On Fri, 2 Mar 2001, William Hahn wrote:

> I compiled 2.5.1p1 on solaris and linux with PAM support and
> produced the same problem.
>
> If I set sshd_config to not allow password authentication(
> PasswordAuthentication no ) and restart sshd.

This is a documentation problem. Using ChallengeResponseAuthentication with PAM bypasses OpenSSH's password code - the "Password:" prompts that you are seeing are coming directly from PAM and the replies are going straight back to it.

I have disabled ChallengeResponseAuthentication by default in sshd_config (it doesn't do much unless you are building against s/key and/or PAM) and have documented that it bypasses the password checking in the manpage.

You can control whether password authentication is allowed using the /etc/pam.d/sshd file.

-d

-- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer

From djm at mindrot.org Sun Mar 4 00:40:14 2001
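An added example (not code from OpenSSH or from anyone in this thread) that audits an sshd_config for exactly the gap William Hahn hit and Damien Miller explains above: on a PAM build, `ChallengeResponseAuthentication yes` hands the protocol-2 keyboard-interactive exchange to PAM, which prompts for a password regardless of `PasswordAuthentication no`. The parser follows sshd's rule that the first occurrence of a keyword wins; the defaults table and the two sample files are assumptions and constructed data, and whether the build has PAM is passed in because the config file alone cannot tell you.

```python
"""Audit an sshd_config for the PasswordAuthentication/PAM gap.

Added example, not OpenSSH code. DEFAULTS are assumptions: the thread says
ChallengeResponseAuthentication was on by default in 2.5.1p1; the Protocol
default is assumed, so pass an explicit Protocol line if yours differs.
"""

DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",   # 2.5.1p1 default per the thread
    "protocol": "2,1",                          # assumed default
}


def parse_sshd_config(text):
    """Return {keyword_lower: value_lower} with comments stripped. sshd keeps
    the first occurrence of a keyword and ignores later ones; setdefault
    reproduces that, so 'Protocol 2,1' followed by 'Protocol 1' stays 2,1."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        opts.setdefault(key, value)
    return opts


def password_bypass_findings(text, pam_build=True):
    """Return a list of findings; empty means 'PasswordAuthentication no'
    really does keep passwords out of every protocol-2 method."""
    opts = {**DEFAULTS, **parse_sshd_config(text)}
    want_no_passwords = opts["passwordauthentication"] == "no"
    challenge_on = opts["challengeresponseauthentication"] == "yes"
    protocols = {p.strip() for p in opts["protocol"].split(",")}
    findings = []
    if want_no_passwords and challenge_on and pam_build and "2" in protocols:
        findings.append(
            "PasswordAuthentication no is not enforced for protocol 2: "
            "ChallengeResponseAuthentication yes on a PAM build hands the "
            "keyboard-interactive exchange to PAM, which still prompts for a "
            "password. Set ChallengeResponseAuthentication no, or make "
            "/etc/pam.d/sshd refuse password authentication.")
    return findings


# Constructed sample files, not copied from any real host.
WEAK_CONFIG = """\
Port 22
Protocol 2,1
PasswordAuthentication no
# ChallengeResponseAuthentication is left at its default here
"""
FIXED_CONFIG = WEAK_CONFIG + "ChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        found = password_bypass_findings(cfg)
        print(f"{name}: {'OK' if not found else found[0]}")
```

The script only reads sshd_config; as the reply above says, on a PAM build the real decision about passwords lives in /etc/pam.d/sshd, so a clean result here still needs that file checked by hand.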
From: djm at mindrot.org (Damien Miller) Date: Sun, 4 Mar 2001 00:40:14 +1100 (EST) Subject: Fwd: OpenSSH on Ultrix? In-Reply-To: <20010302152648.A9679@ws01.aet.tu-cottbus.de> Message-ID: On Fri, 2 Mar 2001, Lutz Jaenicke wrote: > On Sat, Mar 03, 2001 at 12:17:33AM +1100, Damien Miller wrote: > > I think this is exactly what I will do :) Can you give the below patch > > a try for both Unix domain and localhost sockets? It replaces the > > current --with-egd-pool configure option with --with-prngd-port and > > --with-prngd-socket options. > > Ok. I have rewritten entropy.c to a more "defensive" handling :-) > With this version, it works with both Unix and TCP socket. > I have attached the complete file, since my CVS checkout is from the > public server which seems not to be completely in sync with your > archive, so, to be on the safe side... Applied - thanks. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From mouring at etoh.eviladmin.org Sun Mar 4 09:07:02 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Sat, 3 Mar 2001 16:07:02 -0600 (CST) Subject: [PATCH]: auth.c (pwcopy): Copy pw_gecos field when build for Cygwin In-Reply-To: <20010228165443.N8464@cygbert.vinschen.de> Message-ID: On Wed, 28 Feb 2001, Corinna Vinschen wrote: > Hi, > > the attached patch is very important for Cygwin. I don't know > how I could have missed that for months now :-( I hope this > can be included in 2.5.1p2. > > The pw_gecos field in Cygwin's /etc/passwd contains Windows > specific authentication information which lets NT domain > users logon to a machine without the need to inform the > logon server (sshd in our case) about the name of the NT domain. > As a side effect you can have a different name under Cygwin than > your NT account name. > > Unfortunately, without copying pw_gecos this functionality is > completely broken in sshd. > pw_gecos is done by default in the OpenBSD source.. Any reason why we can't just get rid of the #ifdef and allow this for all platforms? - Ben From markus.friedl at informatik.uni-erlangen.de Sun Mar 4 09:47:31 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 3 Mar 2001 23:47:31 +0100 Subject: ssh-add won't look for id_dsa in ssh-clients-2.3.0p1-4 but did in ssh-clients-2.5.1p2-1 In-Reply-To: <3A9EC8E9.A146E6E6@pahv.xerox.com>; from Leigh.Klotz@pahv.xerox.com on Thu, Mar 01, 2001 at 02:10:49PM -0800 References: <3A9EC8E9.A146E6E6@pahv.xerox.com> Message-ID: <20010303234731.A12096@folly> On Thu, Mar 01, 2001 at 02:10:49PM -0800, Leigh L. Klotz, Jr. wrote: > Am I broken in some way > to expect ssh-add simply > to work with id_dsa without an explicit argument? no, you are not. but ssh-add did not add the keys before. should a default behaviour be changed? apart from that, i don't like 'ssh-add' having default arguments. people forget where the private keys can be found if 'ssh-add' acts 'smart'. keys should always be explicit since they are important. but i could be wrong. -m From markus.friedl at informatik.uni-erlangen.de Sun Mar 4 09:51:06 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 3 Mar 2001 23:51:06 +0100 Subject: Expired password handling in openssh-2.5.1p1/2 In-Reply-To: ; from stevesk@sweden.hp.com on Thu, Mar 01, 2001 at 06:53:50PM +0100 References: <3A9E7FCD.BF9C36CA@daac.gsfc.nasa.gov> Message-ID: <20010303235106.B12096@folly> the kbd-interactive draft has an example for how this could be implemented in ssh-2. On Thu, Mar 01, 2001 at 06:53:50PM +0100, Kevin Steves wrote: > On Thu, 1 Mar 2001, Kevin Taylor wrote: > : Are there plans, or does someone have a fix, for having openssh force > : users to change passwords when they're expired? > : > : Right now the program closes the connection....the commercial ssh > : manages to exec /bin/passwd after they enter their current password. > > there is only support thru PAM right now. i had started a > multi-platform password interface last year, and while it was close to > the point of being integrated, i have been side-tracked with stuff that > was more interesting to work on. adding just code to run passwd if the > password has expired isn't hard, and maybe we should do that. > > From djm at mindrot.org Sun Mar 4 10:21:07 2001 From: djm at mindrot.org (Damien Miller) Date: Sun, 4 Mar 2001 10:21:07 +1100 (EST) Subject: [PATCH]: auth.c (pwcopy): Copy pw_gecos field when build for Cygwin In-Reply-To: Message-ID: On Sat, 3 Mar 2001 mouring at etoh.eviladmin.org wrote: > pw_gecos is done by default in the OpenBSD source.. Any reason why we > can't just get rid of the #ifdef and allow this for all platforms? Yes - this only went in to OpenBSD after 2.5.1p2 -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From djm at mindrot.org Sun Mar 4 10:22:23 2001 
From: djm at mindrot.org (Damien Miller) Date: Sun, 4 Mar 2001 10:22:23 +1100 (EST) Subject: ssh-add won't look for id_dsa in ssh-clients-2.3.0p1-4 but did in ssh-clients-2.5.1p2-1 In-Reply-To: <20010303234731.A12096@folly> Message-ID: On Sat, 3 Mar 2001, Markus Friedl wrote: > no, you are not. but ssh-add did not add the keys before. > should a default behaviour be changed? > > apart from that, i don't like 'ssh-add' having default > arguments. people forget where the private keys can be > found if 'ssh-add' acts 'smart'. keys should always be > explicit since they are important. but i could be wrong. I agree, but it will annoy people if their scripts suddenly break. Perhaps a transitional error("You must specify the path...") is in order. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From markus.friedl at informatik.uni-erlangen.de Sun Mar 4 10:06:22 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sun, 4 Mar 2001 00:06:22 +0100 Subject: add scp path to _PATH_STDPATH In-Reply-To: ; from mouring@etoh.eviladmin.org on Fri, Mar 02, 2001 at 02:23:18PM -0600 References: <3A9FFAC3.9B43E2F8@yk.rim.or.jp> Message-ID: <20010304000622.D12096@folly> On Fri, Mar 02, 2001 at 02:23:18PM -0600, mouring at etoh.eviladmin.org wrote: > a) Back-port 'subsystem' concept to v1 .. Never will happen you are right. this won't happen. > b) Fix up the path and ignore the problem. good idea :) > c) add support for scp as a subsystem for v2 and dump v1 support. good idea :) perhaps an option like scp -X /path/to/scp/binary/on/server server:/x /tmp could help? > (I believe Markus stated it would > be an interesting project to do a 'scp2' emulation. scp over sftp. yes, this is what 'scp2' from ssh.com does. and this is the reason why they don't have the 'scp is not in the default path' problem. > Which > after looking at our current sftp client it would be pretty easy to > do. Minus the 'scp site:file site2:file' concept. =) scp site1:file site2:file would be much more useful if you have 1 ssh connection to site1 and a 2nd connection to site2 and relay packets over localhost. this way you could scp between networks that don't have a physical connection. -m From markus.friedl at informatik.uni-erlangen.de Sun Mar 4 09:59:29 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 3 Mar 2001 23:59:29 +0100 Subject: add scp path to _PATH_STDPATH In-Reply-To: ; from mouring@etoh.eviladmin.org on Fri, Mar 02, 2001 at 07:50:20AM -0600 References: Message-ID: <20010303235929.C12096@folly> On Fri, Mar 02, 2001 at 07:50:20AM -0600, mouring at etoh.eviladmin.org wrote: > $ sftp -1 etoh > Connecting to etoh... > mouring at etoh's password: > bash: /usr/libexec/sftp-server: No such file or directory > Couldn't read packet: Undefined error: 0 > > > If we are going to solve scp. We should resolve where sftp-server is to > make sftp using protocol 1 easier. hey, sftp over protocol 1 is not even documented, it just works :) however, you can also use % sftp -1 -s /home/markus/s/ssh.com/2.3.0/sftp-server2 etoh or % sftp -1 -s /path/to/some/binary/implementing/sftp etoh for protocol v1. this is impossible to fix, since the client and the server are not installed by the same person, so we don't know where the sftp-server binary is located. however, you 'can' hope it's in the default path: % sftp -1 -s sftp-server etoh -m From jmknoble at jmknoble.cx Sun Mar 4 17:45:18 2001 
From: jmknoble at jmknoble.cx (Jim Knoble) Date: Sun, 4 Mar 2001 01:45:18 -0500 Subject: ssh-add won't look for id_dsa in ssh-clients-2.3.0p1-4 but did in ssh-clients-2.5.1p2-1 In-Reply-To: <20010303234731.A12096@folly>; from markus.friedl@informatik.uni-erlangen.de on Sat, Mar 03, 2001 at 11:47:31PM +0100 References: <3A9EC8E9.A146E6E6@pahv.xerox.com> <20010303234731.A12096@folly> Message-ID: <20010304014518.A7127@quipu.half.pint-stowp.cx> Circa 2001-Mar-03 23:47:31 +0100 dixit Markus Friedl: : On Thu, Mar 01, 2001 at 02:10:49PM -0800, Leigh L. Klotz, Jr. wrote: : > Am I broken in some way : > to expect ssh-add simply : > to work with id_dsa without an explicit argument? : : no, you are not. but ssh-add did not add the keys before. : should a default behaviour be changed? : : apart from that, i don't like 'ssh-add' having default : arguments. people forget where the private keys can be : found if 'ssh-add' acts 'smart'. keys should always be : explicit since they are important. but i could be wrong. This reminds me of something else (which actually does have a bearing on this discussion; please remain calm): When multiple IdentityFile lines occur in both /etc/ssh/ssh_config and ~/.ssh/config, ssh checks through *all* of the listed keys, even if the ones in ~/.ssh/config repeat the ones in /etc/ssh/ssh_config. Why is this? Is it a good idea? I'm of the opinion that it's not. What if i as a regular user don't want any of the keys specified in /etc/ssh/ssh_config to be checked for at all? In fact, i would prefer to see the more-than-one-line type of configuration option go away completely and be replaced by one-line items with comma-separated values, such as the Ciphers and MACs items already use. 
For example, this: IdentityFile ~/.ssh/id_rsa IdentityFile ~/.ssh/id_dsa IdentityFile ~/.ssh/id_rsa1 IdentityFile ~/.ssh/identity would change to this: IdentityFile ~/.ssh/id_rsa,~/.ssh/id_dsa,~/.ssh/id_rsa1,~/.ssh/identity Granted, that's perhaps not quite as legible, but the following SHOULD (in the RFC sense) also parse the same way: IdentityFile ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_rsa1, ~/.ssh/identity What this syntax does is solve the problem i allude to above and in addition answer the question "Which key is the default key?": obviously, the first one listed. Then, ssh-add must simply check ~/.ssh/config and /etc/ssh/ssh_config to find out what the default key is, and add that one if no key is specified on the command line. Simple, obvious, and flexible, no? Don't know if LocalForward and RemoteForward also are in the more-than-one-line category or not; if so, they should probably also migrate to comma-separated syntax. -- jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/ From cara at int.tele.dk Mon Mar 5 02:42:40 2001 From: cara at int.tele.dk (Carsten Raskgaard) Date: Sun, 04 Mar 2001 16:42:40 +0100 Subject: bubblebabble patch Message-ID: <3AA26270.CDDAFC51@mail.tele.dk> Hi, Here is a patch that adds the possibility of displaying key fingerprints in the bubblebabble format used by ssh.com ssh implementations. I hope it makes its way into the source. --- ./openssh-2.5.1/key_original.h Sun Mar 4 00:47:55 2001 +++ ./openssh-2.5.1/key.h Sun Mar 4 00:57:57 2001 @@ -36,6 +36,17 @@ KEY_DSA, KEY_UNSPEC }; + +enum digest_type { + DIGEST_TYPE_SHA1, + DIGEST_TYPE_MD5 +}; + +enum digest_representation { + DIGEST_REPRESENTATION_HEX, + DIGEST_REPRESENTATION_BUBBLEBABBLE +}; + struct Key { int type; RSA *rsa; 
@@ -46,6 +57,7 @@ Key *key_new_private(int type); void key_free(Key *k); int key_equal(Key *a, Key *b); +char *key_fingerprint_ex(Key *k, enum digest_type dgst_type, enum digest_representation dgst_representation); char *key_fingerprint(Key *k); char *key_type(Key *k); int key_write(Key *key, FILE *f); --- ./openssh-2.5.1/key_original.c Sun Mar 4 00:48:41 2001 +++ ./openssh-2.5.1/key.c Sun Mar 4 01:07:21 2001 
@@ -153,6 +153,179 @@ return 0; } +u_char* +key_fingerprint_raw(Key *k, enum digest_type dgst_type, size_t *dgst_raw_length) +{ + u_char *blob = NULL; + u_char* retval = NULL; + int len = 0; + int nlen, elen; + + switch (k->type) { + case KEY_RSA1: + nlen = BN_num_bytes(k->rsa->n); + elen = BN_num_bytes(k->rsa->e); + len = nlen + elen; + blob = xmalloc(len); + BN_bn2bin(k->rsa->n, blob); + BN_bn2bin(k->rsa->e, blob + nlen); + break; + case KEY_DSA: + case KEY_RSA: + key_to_blob(k, &blob, &len); + break; + case KEY_UNSPEC: + fatal("key_fingerprint_raw: bad key type %d",k->type); + break; + default: + fatal("key_fingerprint_raw: bad key type %d", k->type); + break; + } + + if (blob != NULL) { + EVP_MD *md = NULL; + EVP_MD_CTX ctx; + + retval = xmalloc(EVP_MAX_MD_SIZE); + + switch (dgst_type) { + case DIGEST_TYPE_MD5: + md = EVP_md5(); + break; + case DIGEST_TYPE_SHA1: + md = EVP_sha1(); + break; + default: + fatal("key_fingerprint_raw: bad digest type %d", dgst_type); + } + + EVP_DigestInit(&ctx, md); + EVP_DigestUpdate(&ctx, blob, len); + EVP_DigestFinal(&ctx, retval, NULL); + + *dgst_raw_length = md->md_size; + + memset(blob, 0, len); + xfree(blob); + } else + fatal("key_fingerprint_raw: blob is null"); + + return retval; +} + +char* +key_fingerprint_hex(u_char* dgst_raw, size_t dgst_raw_len) +{ + char *retval; + int i; + + retval = xmalloc(dgst_raw_len*3); + + for(i = 0; i < dgst_raw_len; i++) { + + char hex[4]; + + snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]); + strcat(retval, hex); + } + + retval[(dgst_raw_len * 3) - 1] = '\0'; + return retval; +} + +char* +key_fingerprint_bubblebabble(u_char* dgst_raw, size_t dgst_raw_len) +{ + char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; + char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; + unsigned int rounds, idx, retval_idx, seed; + char *retval; + + rounds = (dgst_raw_len / 2) + 1; + + retval = xmalloc(sizeof(char)*(rounds*6)); + + seed = 1; + + retval_idx 
= 0; + + retval[retval_idx++] = 'x'; + + for (idx=0;idx> 6) & 3) + seed) % 6; + idx1 = (((unsigned int)(dgst_raw[2*idx])) >> 2) & 15; + idx2 = ((((unsigned int)(dgst_raw[2*idx])) & 3) + (seed / 6)) % 6; + + retval[retval_idx++] = vowels[idx0]; + retval[retval_idx++] = consonants[idx1]; + retval[retval_idx++] = vowels[idx2]; + + if ((idx + 1) < rounds) { + + idx3 = (((unsigned int)(dgst_raw[(2*idx) + 1])) >> 4) & 15; + idx4 = (((unsigned int)(dgst_raw[(2*idx) + 1]))) & 15; + + retval[retval_idx++] = consonants[idx3]; + retval[retval_idx++] = '-'; + retval[retval_idx++] = consonants[idx4]; + + seed = ((seed * 5) + ((((unsigned int)(dgst_raw[2*idx])) * 7) + ((unsigned int)(dgst_raw[(2*idx) + 1])))) % 36; + } + } else { + + idx0 = seed % 6; + idx1 = 16; + idx2 = seed / 6; + + retval[retval_idx++] = vowels[idx0]; + retval[retval_idx++] = consonants[idx1]; + retval[retval_idx++] = vowels[idx2]; + + } + } + + retval[retval_idx++] = 'x'; + retval[retval_idx++] = '\0'; + + return retval; +} + +char* +key_fingerprint_ex(Key *k, enum digest_type dgst_type, enum digest_representation dgst_representation) +{ + char *retval = NULL; + u_char *dgst_raw; + size_t dgst_raw_len; + + dgst_raw = key_fingerprint_raw(k,dgst_type,&dgst_raw_len); + + if (!dgst_raw) + fatal("key_fingerprint_ex: null value returned from key_fingerprint_raw()"); + + switch(dgst_representation) { + case DIGEST_REPRESENTATION_HEX: + retval = key_fingerprint_hex(dgst_raw,dgst_raw_len); + break; + + case DIGEST_REPRESENTATION_BUBBLEBABBLE: + retval = key_fingerprint_bubblebabble(dgst_raw,dgst_raw_len); + break; + default: + fatal("key_fingerprint_ex: bad digest representation %d",dgst_representation); + break; + } + + memset(dgst_raw, 0, dgst_raw_len); + xfree(dgst_raw); + + return retval; +} + /* * Generate key fingerprint in ascii format. * Based on ideas and code from Bjoern Groenvall --- ./openssh-2.5.1/ssh-keygen_original.c Sun Mar 4 00:49:31 2001 +++ ./openssh-2.5.1/ssh-keygen.c Sun Mar 4 00:52:56 2001 
@@ -346,9 +346,22 @@ debug("try_load_public_key KEY_UNSPEC failed"); } if (success) { + + char *digest_sha1, *digest_bubblebabble; + + digest_sha1 = key_fingerprint_ex(public,DIGEST_TYPE_SHA1,DIGEST_REPRESENTATION_HEX); + digest_bubblebabble = key_fingerprint_ex(public,DIGEST_TYPE_SHA1,DIGEST_REPRESENTATION_BUBBLEBABBLE); + printf("%d %s %s\n", key_size(public), key_fingerprint(public), comment); + printf("Alternative digests:\n"); + printf(" sha1 : %s\n",digest_sha1); + printf(" bubblebabble : %s\n",digest_bubblebabble); + key_free(public); xfree(comment); + xfree(digest_sha1); + xfree(digest_bubblebabble); + exit(0); } -- Carsten Raskgaard From ishikawa at yk.rim.or.jp Mon Mar 5 06:01:25 2001 
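Review bot: the two key.h hunks declare only key_fingerprint_ex, while the key.c hunk also adds key_fingerprint_raw, key_fingerprint_hex and key_fingerprint_bubblebabble as external functions with no prototype anywhere. They are only called from key_fingerprint_ex, so mark them `static` in key.c (or add prototypes to key.h if other callers are intended). The new prototype line is also far longer than the surrounding declarations; wrap it to match.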
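Review bot: key_fingerprint_hex in the key.c hunk calls strcat() on a buffer that xmalloc() returns uninitialised, so the first strcat() appends after whatever bytes happen to be there, and it allocates dgst_raw_len*3 bytes although the last strcat() writes its terminating NUL at index dgst_raw_len*3, one byte past the end. Allocate dgst_raw_len*3+1, set retval[0] = '\0' before the loop and use strlcat(retval, hex, dgst_raw_len*3+1), or write each "%02x:" directly at retval + i*3 with snprintf. In key_fingerprint_raw, `EVP_MD *md` should be `const EVP_MD *` since EVP_md5()/EVP_sha1() return const pointers, and the digest length is better taken from the third argument of EVP_DigestFinal() (currently NULL) than from md->md_size; the KEY_UNSPEC case is identical to default and can go. Finally, the for-loop header in key_fingerprint_bubblebabble is mangled in the posted text (`for (idx=0;idx> 6) & 3) + seed) % 6;`), probably by the list software eating a `<`; please resend as an attachment so it applies cleanly.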
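Review bot: the ssh-keygen.c hunk changes the output of `ssh-keygen -l` unconditionally, printing "Alternative digests:" and two more lines after the existing one-line "size fingerprint comment" output; anything that parses that line will break. Gate the extra digests behind a new option and leave the default output unchanged. Also, the new digest_sha1 and digest_bubblebabble strings are freed but the result of key_fingerprint(public) on the printf line still is not; while touching this code, store it in a variable and xfree() it as well.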
From: ishikawa at yk.rim.or.jp (Ishikawa) Date: Mon, 05 Mar 2001 04:01:25 +0900 Subject: "-v" handling in scp (was Re: add scp path to _PATH_STDPATH) References: <3A9FFAC3.9B43E2F8@yk.rim.or.jp> <20010304000622.D12096@folly> Message-ID: <3AA29104.63198A65@yk.rim.or.jp> Hi, while trying to figure out what scp does locally and remotely, I found that the "-v" option to scp doesn't do what it is supposed to do. (Or rather it doesn't do what it can possibly do more.) Currently, if I give "-v", only the remote invocation of scp is given a single "-v". Whereas, the local "ssh" invocation is not given "-v" and so if my intention is to debug or analyze the ssh connection problem, actually this "-v" is not quite useful. (Currently all it does is print the invoked command line.) Also, giving "-v" more than once doesn't change the number of "-v"'s passed to scp, either. If we wanted to debug (or analyze) the connection in detail, being able to give "-v" multiple times (to the underlying ssh) is also useful. So I modified scp.c so that - "-v" is passed to the remote invocation of "scp" multiple times up to three times if the user specifies "-v" multiple times on the command line. - "-v" is now passed to the local invocation of "ssh" as well. In this case, "-v" is given as many times as the user specified. With this change, the low-level ssh is invoked with "-v" automatically if we specify "-v" to scp, and thus the tracking of connection problems might be easier. Someone might find this useful. Happy Hacking, Chiaki Ishikawa Eg. Using "-v" three times with the modification. 
ishikawa at duron$ !./scp ./scp -v -v -v /tmp/t.bug ishikawa at host.example.com:/tmp/t.bug Executing: program /usr/local/bin/ssh host host.example.com, user ishikawa, command scp -v -v -v -t /tmp/t.bug OpenSSH_2.5.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f debug: Reading configuration data /usr/local/etc/ssh_config debug: Applying options for * debug: ssh_connect: getuid 1001 geteuid 0 anon 0 debug: Connecting to host.example.com [123.123.123.123] port 22. debug: Seeding random number generator debug: Allocated local port 700. debug: Connection established. debug: identity file /home/ishikawa/.ssh/identity type 0 debug: identity file /home/ishikawa/.ssh/id_dsa type 3 debug: Remote protocol version 1.5, remote software version 1.2.22 debug: match: 1.2.22 pat ^1\.2\.2[012] (* Ouch, rather old ssh. *) debug: Local version string SSH-1.5-OpenSSH_2.5.1p2 debug: Waiting for server public key. ... ... ... debug: Sent encrypted session key. debug: Installing crc compensation attack detector. debug: Received encrypted confirmation. debug: Remote: Server does not permit empty password login. debug: Trying RSA authentication with key 'ishikawa at standard' debug: Server refused our key. debug: Doing password authentication. ishikawa at host.example.com: **************** debug: Sending command: scp -v -v -v -t /tmp/t.bug debug: Entering interactive session. Sending file modes: C0644 226 t.bug ... ... ... ishikawa at duron$ debug: Transferred: stdin 243, stdout 3, stderr 0 bytes in 0.9 seconds debug: Bytes per second: stdin 266.9, stdout 3.3, stderr 0.0 debug: Exit status 0 ishikawa at duron$ rcsdiff -c scp.c =================================================================== RCS file: RCS/scp.c,v retrieving revision 1.1 diff -c -r1.1 scp.c *** scp.c 2001/03/04 18:35:17 1.1 --- scp.c 2001/03/04 18:46:21 *************** *** 277,283 **** ssh_program = xstrdup(optarg); break; case 'v': ! 
verbose_mode = 1; break; case 'q': showprogress = 0; --- 277,284 ---- ssh_program = xstrdup(optarg); break; case 'v': ! verbose_mode ++; /* for remote */ ! addargs("-v"); /* for local ssh */ break; case 'q': showprogress = 0; *************** *** 330,336 **** remin = remout = -1; /* Command to be executed on remote system using "ssh". */ (void) snprintf(cmd, sizeof cmd, "scp%s%s%s%s", ! verbose_mode ? " -v" : "", iamrecursive ? " -r" : "", pflag ? " -p" : "", targetshouldbedirectory ? " -d" : ""); --- 331,341 ---- remin = remout = -1; /* Command to be executed on remote system using "ssh". */ (void) snprintf(cmd, sizeof cmd, "scp%s%s%s%s", ! /** try to handle up to three '-v's. */ ! verbose_mode <=0 ? "" ! : ( verbose_mode == 1 ? " -v" ! : ( verbose_mode == 2 ? " -v -v" ! : " -v -v -v" )), iamrecursive ? " -r" : "", pflag ? " -p" : "", targetshouldbedirectory ? " -d" : ""); *************** *** 404,410 **** snprintf(bp, len, "%s%s -x -o'FallBackToRsh no' -n " "-l %s %s %s %s '%s%s%s:%s'", ! ssh_program, verbose_mode ? " -v" : "", suser, host, cmd, src, tuser ? tuser : "", tuser ? "@" : "", thost, targ); --- 409,421 ---- snprintf(bp, len, "%s%s -x -o'FallBackToRsh no' -n " "-l %s %s %s %s '%s%s%s:%s'", ! ssh_program, ! /** try to handle up to three '-v's. */ ! verbose_mode <=0 ? "" ! : ( verbose_mode == 1 ? " -v" ! : ( verbose_mode == 2 ? " -v -v" ! : " -v -v -v" )), ! suser, host, cmd, src, tuser ? tuser : "", tuser ? "@" : "", thost, targ); *************** *** 413,419 **** snprintf(bp, len, "exec %s%s -x -o'FallBackToRsh no' -n %s " "%s %s '%s%s%s:%s'", ! ssh_program, verbose_mode ? " -v" : "", host, cmd, src, tuser ? tuser : "", tuser ? "@" : "", thost, targ); --- 424,435 ---- snprintf(bp, len, "exec %s%s -x -o'FallBackToRsh no' -n %s " "%s %s '%s%s%s:%s'", ! ssh_program, ! /** try to handle up to three '-v's. */ ! verbose_mode <=0 ? "" ! : ( verbose_mode == 1 ? " -v" ! : ( verbose_mode == 2 ? " -v -v" ! : " -v -v -v" )), host, cmd, src, tuser ? tuser : "", tuser ? 
"@" : "", thost, targ); ishikawa at duron$ From mouring at etoh.eviladmin.org Mon Mar 5 07:09:23 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Sun, 4 Mar 2001 14:09:23 -0600 (CST) Subject: "-v" handling in scp (was Re: add scp path to _PATH_STDPATH) In-Reply-To: <3AA29104.63198A65@yk.rim.or.jp> Message-ID: > ishikawa at duron$ rcsdiff -c scp.c > =================================================================== > RCS file: RCS/scp.c,v > retrieving revision 1.1 > diff -c -r1.1 scp.c > *** scp.c 2001/03/04 18:35:17 1.1 > --- scp.c 2001/03/04 18:46:21 > *************** > *** 277,283 **** > ssh_program = xstrdup(optarg); > break; > case 'v': > ! verbose_mode = 1; > break; > case 'q': > showprogress = 0; > --- 277,284 ---- > ssh_program = xstrdup(optarg); > break; > case 'v': > ! verbose_mode ++; /* for remote */ > ! addargs("-v"); /* for local ssh */ > break; if ( verbose_mode < 3) { verboase_mode++; addargs("-v"); } else fatal("Too high debugging level."); Would be better because your patch accepts unlimited -v, but only honors the first three. - Ben From ishikawa at yk.rim.or.jp Mon Mar 5 08:52:52 2001 
From: ishikawa at yk.rim.or.jp (Ishikawa) Date: Mon, 05 Mar 2001 06:52:52 +0900 Subject: "-v" handling in scp (was Re: add scp path to _PATH_STDPATH) References: Message-ID: <3AA2B934.792A829A@yk.rim.or.jp> mouring at etoh.eviladmin.org wrote: > Would be better because your patch accepts unlimited -v, but only honors > the first three. > > How about the modified patch. As it turned out, while I tried to modify the '-v' handling to warn the user about more than three '-v's, I found out if I specify more than three "-v"s, the local ssh barfs! Example: ishikawa at duron$ ./scp -v -v -v -v /tmp/t.bug ishikawa at host.example.com:/tmp/t.bug Only the first three '-v's are honoured for passing to remote scp. The rest is ignored. The local ssh receive as many '-v's as specified. Executing: program /usr/local/bin/ssh host ishikawa at host.example.com, user ishikawa, command scp -v -v -v -t /tmp/t.bug OpenSSH_2.5.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f Too high debugging level. lost connection (* what ?! *) ishikawa at duron$ ./ssh -v -v -v -v OpenSSH_2.5.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f Too high debugging level. So here is a slightly modified patch. With this, the user at least gets the warning if s/he specifies more than three "-v"s. The rest is ignored. Example. ./scp -v -v -v -v /tmp/t.lst host:/tmp/t.lst Only the first three '-v's are honoured for passing to remote scp. OpenSSH ssh 2.5.1p2 only accepts only up to three '-v's. The rest is ignored. Executing: program /usr/local/bin/ssh host host, user (unspecified), command scp -v -v -v -t /tmp/t.lst OpenSSH_2.5.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f debug: Reading configuration data /usr/local/etc/ssh_config debug: Applying options for * debug: ssh_connect: getuid 1001 geteuid 0 anon 0 ... 
ishikawa at duron$ rcsdiff -c scp.c =================================================================== RCS file: RCS/scp.c,v retrieving revision 1.1 diff -c -r1.1 scp.c *** scp.c 2001/03/04 18:35:17 1.1 --- scp.c 2001/03/04 21:44:14 *************** *** 277,284 **** ssh_program = xstrdup(optarg); break; case 'v': ! verbose_mode = 1; ! break; case 'q': showprogress = 0; break; --- 277,294 ---- ssh_program = xstrdup(optarg); break; case 'v': ! verbose_mode ++; /* for remote */ ! if(verbose_mode <= 3) ! addargs("-v"); /* for local ssh */ ! if(verbose_mode == 4) ! { ! ! fprintf(stderr,"\nOnly the first three '-v's are honoured for passing to remote scp. \n"); ! fprintf(stderr,"OpenSSH ssh 2.5.1p2 only accepts only up to three '-v's.\n"); ! fprintf(stderr,"The rest is ignored.\n\n"); ! ! } ! break; case 'q': showprogress = 0; break; *************** *** 330,336 **** remin = remout = -1; /* Command to be executed on remote system using "ssh". */ (void) snprintf(cmd, sizeof cmd, "scp%s%s%s%s", ! verbose_mode ? " -v" : "", iamrecursive ? " -r" : "", pflag ? " -p" : "", targetshouldbedirectory ? " -d" : ""); --- 340,350 ---- remin = remout = -1; /* Command to be executed on remote system using "ssh". */ (void) snprintf(cmd, sizeof cmd, "scp%s%s%s%s", ! /** try to handle up to three '-v's. */ ! verbose_mode <=0 ? "" ! : ( verbose_mode == 1 ? " -v" ! : ( verbose_mode == 2 ? " -v -v" ! : " -v -v -v" )), iamrecursive ? " -r" : "", pflag ? " -p" : "", targetshouldbedirectory ? " -d" : ""); *************** *** 404,410 **** snprintf(bp, len, "%s%s -x -o'FallBackToRsh no' -n " "-l %s %s %s %s '%s%s%s:%s'", ! ssh_program, verbose_mode ? " -v" : "", suser, host, cmd, src, tuser ? tuser : "", tuser ? "@" : "", thost, targ); --- 418,430 ---- snprintf(bp, len, "%s%s -x -o'FallBackToRsh no' -n " "-l %s %s %s %s '%s%s%s:%s'", ! ssh_program, ! /** try to handle up to three '-v's. */ ! verbose_mode <=0 ? "" ! : ( verbose_mode == 1 ? " -v" ! : ( verbose_mode == 2 ? " -v -v" ! 
: " -v -v -v" )), ! suser, host, cmd, src, tuser ? tuser : "", tuser ? "@" : "", thost, targ); *************** *** 413,419 **** snprintf(bp, len, "exec %s%s -x -o'FallBackToRsh no' -n %s " "%s %s '%s%s%s:%s'", ! ssh_program, verbose_mode ? " -v" : "", host, cmd, src, tuser ? tuser : "", tuser ? "@" : "", thost, targ); --- 433,444 ---- snprintf(bp, len, "exec %s%s -x -o'FallBackToRsh no' -n %s " "%s %s '%s%s%s:%s'", ! ssh_program, ! /** try to handle up to three '-v's. */ ! verbose_mode <=0 ? "" ! : ( verbose_mode == 1 ? " -v" ! : ( verbose_mode == 2 ? " -v -v" ! : " -v -v -v" )), host, cmd, src, tuser ? tuser : "", tuser ? "@" : "", thost, targ); ishikawa at duron$ From mouring at etoh.eviladmin.org Mon Mar 5 10:07:55 2001 
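Review bot: the 277,284 hunk bakes the version string "OpenSSH ssh 2.5.1p2" and the literal limit 3 into the warning text (and the second fprintf reads "only accepts only"); put the cap in one #define that this hunk and the three snprintf hunks share, so the message and the behaviour cannot drift apart, and drop the version number, which becomes wrong the moment ssh accepts more -v's. The `if(verbose_mode <= 3) addargs("-v");` guard is the part that actually prevents the "Too high debugging level" failure from the local ssh shown above; a comment saying so would help the next reader.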
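Review bot: the three snprintf hunks (330,336, 404,410 and 413,419), unchanged from the first posting of this patch, paste the same nested ternary with its `/** try to handle up to three '-v's. */` comment into three separate argument lists. Replace them with one small function or macro that maps the count to its string, so the cap and its rendering live in one place; `verbose_mode <=0` can then become `== 0`, since the counter is only ever incremented. The `/** ... */` comments inside argument lists also do not match the surrounding scp.c style.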
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Sun, 4 Mar 2001 17:07:55 -0600 (CST) Subject: "-v" handling in scp (was Re: add scp path to _PATH_STDPATH) In-Reply-To: <3AA2B934.792A829A@yk.rim.or.jp> Message-ID: > case 'v': > ! verbose_mode ++; /* for remote */ > ! if(verbose_mode <= 3) > ! addargs("-v"); /* for local ssh */ > ! if(verbose_mode == 4) > ! { > ! > ! fprintf(stderr,"\nOnly the first three '-v's are > honoured for passing to remote scp. \n"); > ! fprintf(stderr,"OpenSSH ssh 2.5.1p2 only accepts only > up to three '-v's.\n"); > ! fprintf(stderr,"The rest is ignored.\n\n"); > ! > ! } > ! break; Why? It's much better just outright fail. > case 'q': > showprogress = 0; > break; > *************** > *** 330,336 **** > remin = remout = -1; > /* Command to be executed on remote system using "ssh". */ > (void) snprintf(cmd, sizeof cmd, "scp%s%s%s%s", > ! verbose_mode ? " -v" : "", > iamrecursive ? " -r" : "", pflag ? " -p" : "", > targetshouldbedirectory ? " -d" : ""); > > --- 340,350 ---- > remin = remout = -1; > /* Command to be executed on remote system using "ssh". */ > (void) snprintf(cmd, sizeof cmd, "scp%s%s%s%s", > ! /** try to handle up to three '-v's. */ > ! verbose_mode <=0 ? "" > ! : ( verbose_mode == 1 ? " -v" > ! : ( verbose_mode == 2 ? " -v -v" > ! : " -v -v -v" )), I'd rather see: /* Macro to handle verbosity of scp */ #define print_verbose(count)\ (count == 0 ? "" : ( count == 1 ? " -v" : ( count == 2 ? " -v -v" : " -v -v -v" ))) And then reuse the 'print_verbose()' macro. In case some day we wish to support more or less verboseness. Unsure, what Markus' views are. - Ben From gtc at cheshirelaw.com Mon Mar 5 11:27:09 2001 
From: gtc at cheshirelaw.com (Geoffrey T. Cheshire) Date: Sun, 4 Mar 2001 17:27:09 -0700 Subject: Question re wtmp and 2.5.1 Message-ID: Hi, I've got a 2.8-RELEASE box that uses the old utmp.h with: #define UT_NAMESIZE 8 #define UT_LINESIZE 8 #define UT_HOSTSIZE 16 2.5.1's ssh/login.c seems to use this by including . However, when a remote user logs into this box, the wtmp file is munged from that point on. There are no notes about this on the OpenSSH site ("OpenSSH compiles cleanly on OpenBSD 2.8"). Question: where is OpenSSH getting confused about the format of my wtmp/utmp files, and how can I fix it? Thanks, Geoff - - - Geoffrey T. Cheshire PGP IDs: 0xA898DA75, 0x7B9C0691 (office), 0x43713B0D (RSA) From dankamin at cisco.com Mon Mar 5 14:41:36 2001 From: dankamin at cisco.com (Dan Kaminsky) Date: Sun, 4 Mar 2001 19:41:36 -0800 Subject: "-v" handling in scp (was Re: add scp path to _PATH_STDPATH) References: Message-ID: <00a201c0a529$d24b3440$0400040a@na.cisco.com> > Why? It's much better just outright fail. Why outright fail? It's not inconceivable that future versions of OpenSSH might support greater than 3 instances of -v. Why should we break upwards compatibility? > And then reuse the 'print_verbose()' macro. In case some day we > wish to support more or less verboseness. Like you say ;-) --Dan From pekkas at netcore.fi Mon Mar 5 19:01:41 2001 
From: pekkas at netcore.fi (Pekka Savola) Date: Mon, 5 Mar 2001 10:01:41 +0200 (EET) Subject: --with-ipv4-default and sshd IPv4/6 dual bind hack Message-ID: Hello all, I just found a bug a nice bug that can be turned into a real feature on systems (usually Linux) that are built with --with-ipv4-default. If you enable IPv6 in kernel, and enable both listenaddress 0.0.0.0 and ::, sshd will error out 'address family not supported'. However, you can work around this error by starting sshd with 'sshd -4 -6'. As far as man page is concerned, I'm getting the impression that you should be able to use only -4 or -6, not both. -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From pekkas at netcore.fi Mon Mar 5 19:10:09 2001 From: pekkas at netcore.fi (Pekka Savola) Date: Mon, 5 Mar 2001 10:10:09 +0200 (EET) Subject: --with-ipv4-default and sshd IPv4/6 dual bind hack In-Reply-To: Message-ID: On Mon, 5 Mar 2001, Pekka Savola wrote: > Hello all, > > I just found a bug a nice bug that can be turned into a real feature on > systems (usually Linux) that are built with --with-ipv4-default. > > If you enable IPv6 in kernel, and enable both listenaddress 0.0.0.0 and > ::, sshd will error out 'address family not supported'. > > However, you can work around this error by starting sshd with 'sshd -4 -6'. > > As far as man page is concerned, I'm getting the impression that you > should be able to use only -4 or -6, not both. Please disregard "the hack". It doesn't work after all. My eyes betrayed me and I wasn't caffeinated. :-) Still, it would be very nice to get sshd to bind to both address families with ipv4-default. -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From djm at mindrot.org Mon Mar 5 23:23:49 2001 
From: djm at mindrot.org (Damien Miller) Date: Mon, 5 Mar 2001 23:23:49 +1100 (EST) Subject: --with-ipv4-default and sshd IPv4/6 dual bind hack In-Reply-To: Message-ID: On Mon, 5 Mar 2001, Pekka Savola wrote: > Hello all, > > I just found a bug a nice bug that can be turned into a real feature on > systems (usually Linux) that are built with --with-ipv4-default. > > If you enable IPv6 in kernel, and enable both listenaddress 0.0.0.0 and > ::, sshd will error out 'address family not supported'. > > However, you can work around this error by starting sshd with 'sshd -4 -6'. > > As far as man page is concerned, I'm getting the impression that you > should be able to use only -4 or -6, not both. It may be that the reason for the hack has been fixed. Can someone with a recent Linux kernel with IPv6 compiled in (or module loaded) build OpenSSH without the --with-ipv4-default hack and see whether it still waits ages for nameserver lookups at connect? -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From flepied at mandrakesoft.com Mon Mar 5 23:49:01 2001 
From: flepied at mandrakesoft.com (Frederic Lepied) Date: 05 Mar 2001 13:49:01 +0100 Subject: --with-ipv4-default and sshd IPv4/6 dual bind hack In-Reply-To: References: Message-ID: Damien Miller writes: > On Mon, 5 Mar 2001, Pekka Savola wrote: > > > Hello all, > > > > I just found a bug a nice bug that can be turned into a real feature on > > systems (usually Linux) that are built with --with-ipv4-default. > > > > If you enable IPv6 in kernel, and enable both listenaddress 0.0.0.0 and > > ::, sshd will error out 'address family not supported'. > > > > However, you can work around this error by starting sshd with 'sshd -4 -6'. > > > > As far as man page is concerned, I'm getting the impression that you > > should be able to use only -4 or -6, not both. > > It may be that the reason for the hack has been fixed. Can someone > with a recent Linux kernel with IPv6 compiled in (or module loaded) > build OpenSSH without the --with-ipv4-default hack and see whether > it still waits ages for nameserver lookups at connect? > No more hang here. -- Fred - May the source be with you From marco.fioretti at tei.ericsson.se Tue Mar 6 00:10:01 2001 
From: marco.fioretti at tei.ericsson.se (Marco Fioretti) Date: Mon, 05 Mar 2001 14:10:01 +0100 Subject: SSH RPM for Red Hat 6.2 not useable Message-ID: <3AA39029.FEB27E10@tei.ericsson.se> Hello, I downloaded yesterday the Red Hat 6.2 RPMs for openssl and openssh from one of the official mirrors. I could install them on a stock Red Hat 6.2 box because rpm -Uvh says (quoting from memory...): cannot install because there is dependency conflict between this rpm (openssh core) and the version of rpm and rpmlib that you are using...... In other words, the rpm packages generated *for* Red Hat 6.2 don't want to be installed by the version of RPM which *comes* with Red Hat 6.2..... I am signalling this because it looks to me like somebody labeled by mistake as 6.2 something which is only meant to go on Red Hat 7.0 systems. What do you think? Please let me know your opinion. I am downloading the tarball now, and will try to build from it, but I'd really rather keep anything under rpm control. Please let me know if and where tested rpms for Red Hat 6.2 are, and, of course, if you need the complete exact report from rpm. Regards, Marco Fioretti P.S.:Please send any follow up also to: marco.fioretti at tiscalinet.it From Nigel.Metheringham at InTechnology.co.uk Tue Mar 6 00:18:59 2001 
From: Nigel.Metheringham at InTechnology.co.uk (Nigel Metheringham)
Date: Mon, 05 Mar 2001 13:18:59 +0000
Subject: SSH RPM for Red Hat 6.2 not useable
In-Reply-To: Message from Marco Fioretti of "Mon, 05 Mar 2001 14:10:01 +0100." <3AA39029.FEB27E10@tei.ericsson.se>
Message-ID:

marco.fioretti at tei.ericsson.se said:
> I could install them on a stock Red Hat 6.2 box because
> rpm -Uvh says (quoting from memory...):
> cannot install because there is dependency conflict between this rpm
> (openssh core) and the version of rpm and rpmlib that you are
> using......

Although that does not sound like the right error message, are you running at least rpm version 3.0.5? RH released an updated version of rpm with the 6.2 errata quite some time ago; this version reads the rpm v4 format files, which are now being issued as standard RH62 errata updates.

If you are running an older version of rpm then you will also be substantially behind on your errata updates. I suggest you do a check on all your boxes immediately.

Nigel.
--
[ Nigel Metheringham Nigel.Metheringham at InTechnology.co.uk ]
[ Phone: +44 1423 850000 Fax +44 1423 858866 ]
[ - Comments in this message are my own and not ITO opinion/policy - ]

From ishikawa at yk.rim.or.jp Tue Mar 6 05:10:49 2001
From: ishikawa at yk.rim.or.jp (Ishikawa) Date: Tue, 06 Mar 2001 03:10:49 +0900 Subject: "-v" handling in scp (was Re: add scp path to _PATH_STDPATH) References: Message-ID: <3AA3D6A9.7E772A3@yk.rim.or.jp> Hi, Attached is the cleaned patch. I have just realized that the 2.5.1p2 has not solved the PATH issue for scp searched by the sshd daemon if we choose the default installation: i.e., ./configure; make ; make install. Eg. The scp against the local sshd fails since scp could not be found by the local sshd's built-in path. (scp is installed into /usr/local/bin/scp.) Failure: ishikawa at duron$ ./scp -v -v -v /tmp/t.lst localhost:/tmp/t2.lst Executing: program /usr/local/bin/ssh host localhost, user (unspecified), command scp -v -v -v -t /tmp/t2.lst OpenSSH_2.5.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f debug: Reading configuration data /usr/local/etc/ssh_config debug: Applying options for * debug: ssh_connect: getuid 1001 geteuid 0 anon 0 debug: Connecting to localhost [::1] port 22. rresvport: af=10 Address family not supported by protocol debug: Connecting to localhost [127.0.0.1] port 22. debug: Seeding random number generator debug: Allocated local port 651. debug: Connection established. debug: identity file /home/ishikawa/.ssh/identity type 0 debug: identity file /home/ishikawa/.ssh/id_dsa type 3 debug: Remote protocol version 1.5, remote software version OpenSSH_2.5.1p2 debug: match: OpenSSH_2.5.1p2 pat ^OpenSSH debug: Local version string SSH-1.5-OpenSSH_2.5.1p2 debug: Waiting for server public key. debug: Received server public key (768 bits) and host key (1024 bits). debug: Forcing accepting of host key for loopback/localhost. debug: Seeding random number generator debug: Encryption type: 3des debug: Sent encrypted session key. debug: Installing crc compensation attack detector. debug: Received encrypted confirmation. debug: Trying RSA authentication with key 'ishikawa at standard' debug: Received RSA challenge from server. 
Enter passphrase for RSA key 'ishikawa at standard': Bad passphrase. debug: Remote: Wrong response to RSA authentication challenge. debug: Doing password authentication. ishikawa at localhost's password: debug: Sending command: scp -v -v -v -t /tmp/t2.lst debug: Entering interactive session. bash: scp: command not found debug: Transferred: stdin 0, stdout 29, stderr 0 bytes in 0.1 seconds debug: Bytes per second: stdin 0.0, stdout 534.0, stderr 0.0 debug: Exit status 127 lost connection After reconfiguring with the following configure command line (since scp is installed into /usr/local/bin by default), and re-run the daemon locally, scp against the local sshd succeeded. ./configure --with-default-path=/usr/sbin:/sbin:/bin:/usr/bin:/usr/local/bin However, there was one issue. I am not sure why. But I have to hit RETURN to obtain the shell prompt after seeing the debug message and saw the transfer finish. Success example, but note the extra RETURN I needed to hit. ishikawa at duron$ !./scp ./scp -v -v -v /tmp/t.lst localhost:/tmp/t2.lst Executing: program /usr/local/bin/ssh host localhost, user (unspecified), command scp -v -v -v -t /tmp/t2.lst OpenSSH_2.5.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f debug: Reading configuration data /usr/local/etc/ssh_config debug: Applying options for * debug: ssh_connect: getuid 1001 geteuid 0 anon 0 debug: Connecting to localhost [::1] port 22. rresvport: af=10 Address family not supported by protocol debug: Connecting to localhost [127.0.0.1] port 22. debug: Seeding random number generator debug: Allocated local port 970. debug: Connection established. debug: identity file /home/ishikawa/.ssh/identity type 0 debug: identity file /home/ishikawa/.ssh/id_dsa type 3 debug: Remote protocol version 1.5, remote software version OpenSSH_2.5.1p2 debug: match: OpenSSH_2.5.1p2 pat ^OpenSSH debug: Local version string SSH-1.5-OpenSSH_2.5.1p2 debug: Waiting for server public key. 
debug: Received server public key (768 bits) and host key (1024 bits). debug: Forcing accepting of host key for loopback/localhost. debug: Seeding random number generator debug: Encryption type: 3des debug: Sent encrypted session key. debug: Installing crc compensation attack detector. debug: Received encrypted confirmation. debug: Trying RSA authentication with key 'ishikawa at standard' debug: Received RSA challenge from server. Enter passphrase for RSA key 'ishikawa at standard': Bad passphrase. debug: Remote: Wrong response to RSA authentication challenge. debug: Doing password authentication. ishikawa at localhost's password: debug: Sending command: scp -v -v -v -t /tmp/t2.lst debug: Entering interactive session. Sending file modes: C0644 0 t.lst t.lst 100% |*****************************| 0 --:-- ETAt.lst 100% |*****************************| 0 00:00 ishikawa at duron$ debug: Transferred: stdin 15, stdout 3, stderr 0 bytes in 0.0 seconds debug: Bytes per second: stdin 321.3, stdout 64.3, stderr 0.0 debug: Exit status 0 <==== HERE I NEEDED TO HIT RETURN or prompt won't appear. why??? ishikawa at duron$ Another puzzle: where did the output of "-v" verbose messages from the remote ssh go? (Maybe I should re-phrase the question to where should they go, or why they should not appear at all.) I have a suspicion that the extra RETURN necessary may have something to do with this, but I may be wrong. Patch: I have not bothered to change the option parsing yet. =================================================================== RCS file: RCS/scp.c,v retrieving revision 1.1 diff -c -r1.1 scp.c *** scp.c 2001/03/04 18:35:17 1.1 --- scp.c 2001/03/05 17:45:52 *************** *** 277,284 **** ssh_program = xstrdup(optarg); break; case 'v': ! verbose_mode = 1; ! break; case 'q': showprogress = 0; break; --- 277,294 ---- ssh_program = xstrdup(optarg); break; case 'v': ! verbose_mode ++; /* for remote */ ! if(verbose_mode <= 3) ! addargs("-v"); /* for local ssh */ ! 
if(verbose_mode == 4) ! { ! ! fprintf(stderr,"\nOnly the first three '-v's are honoured for passing to remote scp. \n"); ! fprintf(stderr,"OpenSSH ssh 2.5.1p2 only accepts only up to three '-v's.\n"); ! fprintf(stderr,"The rest is ignored.\n\n"); ! ! } ! break; case 'q': showprogress = 0; break; *************** *** 327,336 **** if (argc > 2) targetshouldbedirectory = 1; remin = remout = -1; /* Command to be executed on remote system using "ssh". */ (void) snprintf(cmd, sizeof cmd, "scp%s%s%s%s", ! verbose_mode ? " -v" : "", iamrecursive ? " -r" : "", pflag ? " -p" : "", targetshouldbedirectory ? " -d" : ""); --- 337,352 ---- if (argc > 2) targetshouldbedirectory = 1; + /* macros to print up to three "-v"s. */ + + #define print_verbose(count) \ + ((count) <= 0 ? "" : ( (count) == 1 ? " -v" : ( (count) == 2 ? " -v -v" \ + : " -v -v -v" ))) + remin = remout = -1; /* Command to be executed on remote system using "ssh". */ (void) snprintf(cmd, sizeof cmd, "scp%s%s%s%s", ! print_verbose(verbose_mode), iamrecursive ? " -r" : "", pflag ? " -p" : "", targetshouldbedirectory ? " -d" : ""); *************** *** 404,410 **** snprintf(bp, len, "%s%s -x -o'FallBackToRsh no' -n " "-l %s %s %s %s '%s%s%s:%s'", ! ssh_program, verbose_mode ? " -v" : "", suser, host, cmd, src, tuser ? tuser : "", tuser ? "@" : "", thost, targ); --- 420,429 ---- snprintf(bp, len, "%s%s -x -o'FallBackToRsh no' -n " "-l %s %s %s %s '%s%s%s:%s'", ! ssh_program, ! ! print_verbose(verbose_mode), ! suser, host, cmd, src, tuser ? tuser : "", tuser ? "@" : "", thost, targ); *************** *** 413,419 **** snprintf(bp, len, "exec %s%s -x -o'FallBackToRsh no' -n %s " "%s %s '%s%s%s:%s'", ! ssh_program, verbose_mode ? " -v" : "", host, cmd, src, tuser ? tuser : "", tuser ? "@" : "", thost, targ); --- 432,441 ---- snprintf(bp, len, "exec %s%s -x -o'FallBackToRsh no' -n %s " "%s %s '%s%s%s:%s'", ! ssh_program, ! ! print_verbose(verbose_mode), ! host, cmd, src, tuser ? tuser : "", tuser ? 
"@" : "", thost, targ); *************** *** 1263,1265 **** --- 1285,1288 ---- args.list[args.num++] = xstrdup(buf); args.list[args.num] = NULL; } + From pekkas at netcore.fi Tue Mar 6 07:15:04 2001 From: pekkas at netcore.fi (Pekka Savola) Date: Mon, 5 Mar 2001 22:15:04 +0200 (EET) Subject: --with-ipv4-default and sshd IPv4/6 dual bind hack In-Reply-To: Message-ID: On Mon, 5 Mar 2001, Damien Miller wrote: > On Mon, 5 Mar 2001, Pekka Savola wrote: > > > Hello all, > > > > I just found a bug a nice bug that can be turned into a real feature on > > systems (usually Linux) that are built with --with-ipv4-default. > > > > If you enable IPv6 in kernel, and enable both listenaddress 0.0.0.0 and > > ::, sshd will error out 'address family not supported'. > > > > However, you can work around this error by starting sshd with 'sshd -4 -6'. > > > > As far as man page is concerned, I'm getting the impression that you > > should be able to use only -4 or -6, not both. > > It may be that the reason for the hack has been fixed. Can someone > with a recent Linux kernel with IPv6 compiled in (or module loaded) > build OpenSSH without the --with-ipv4-default hack and see whether > it still waits ages for nameserver lookups at connect? Is there some design reason why sshd couldn't bind to both address families if specified to do so (non-default behaviour) even without --with-ipv4-default. Most people will probably want to use IPv4 by default. But some would enable IPv6 in packages as far as possible in case it doesn't hurt anyone not using it. -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From ss99hi at yahoo.com Tue Mar 6 07:33:00 2001 
From: ss99hi at yahoo.com (Sam Smith)
Date: Mon, 5 Mar 2001 12:33:00 -0800 (PST)
Subject: OpenSSH ssh-agent compat. problem (bug?)
Message-ID: <20010305203300.32963.qmail@web12608.mail.yahoo.com>

I've noticed a problem with the ssh-agent for OpenSSH. When I list the identities found in the agent, I'm given a warning that the keysize doesn't match.

$ ./ssh-add -L
Warning: identity keysize mismatch: actual 1023, announced 1024
1023 35 61...63 sam at host

The problem only exhibits itself with the OpenSSH version of ssh-add, but using the SSH version of ssh-agent/ssh-add. Here's a little table that shows what I tested. I've keyed the two versions of ssh as follows:

T = SSH version, 1.2.27 [i686-unknown-linux], protocol version 1.5.
O = OpenSSH_2.5.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f

                                 (SSH)              (OpenSSH)
ssh-agent   ssh-add      "ssh-add -l" (T)   "ssh-add -L" (O)
==========================================================
T           T            ok                 error
T           O            ok                 ok
O           T            ok                 ok
O           O            ok                 ok

For example, in the first case, I used SSH v1.2.27 to start the agent and to add my identity. When I used SSH v1.2.27 to list the identity, it came back fine, but when I used OpenSSH to list the identity, I got the error, as above. All other combinations of agent/add/list work ok.

Any suggestions?

Thanks,
Sam

__________________________________________________
Do You Yahoo!? Get email at your own domain with Yahoo! Mail.
http://personal.mail.yahoo.com/

From mdb at juniper.net Tue Mar 6 08:28:15 2001
From: mdb at juniper.net (Mark D. Baushke)
Date: Mon, 05 Mar 2001 13:28:15 -0800
Subject: OpenSSH ssh-agent compat. problem (bug?)
In-Reply-To: Mail from Sam Smith dated Mon, 05 Mar 2001 12:33:00 PST <20010305203300.32963.qmail@web12608.mail.yahoo.com>
Message-ID: <200103052128.NAA90918@garnet.juniper.net>

Hi Sam,

> Date: Mon, 5 Mar 2001 12:33:00 -0800 (PST)
> From: Sam Smith > > I've noticed a problem with the ssh-agent for > OpenSSH. When I list the identities found in the > agent, I'm given a warning that the keysize > doesn't match. > > $ ./ssh-add -L > Warning: identity keysize mismatch: actual 1023, > announced 1024 > 1023 35 61...63 sam at host >... > Any suggestions? You may wish to read http://www.openssh.com/faq.html#2.5 as I believe it addresses your problem. Enjoy! -- Mark From campin at pobox.com Tue Mar 6 09:23:35 2001 From: campin at pobox.com (Mike Campin) Date: Mon, 5 Mar 2001 14:23:35 -0800 Subject: Portable openssh-2.5.1p1, auth-passwd.c, yellow pages, expire field Message-ID: <20010305142335.A27021@hash.com> Hi, I'm having trouble with auth_password() failing on my linux box using yellow pages. I've tracked the problem down to the following: pw_password = "RMf.YivanoZc2,o01N" encrypted_password = "RMf.YivanoZc2" This fails on the return(strcmp(encrypted_password, pw_password) == 0). because crypt() only returns 13 characters. I seem to remember the ",o01N" having something to do with password expiration. The same problem exists in openssh-2.5.1p2. I've tried 2 different solutions. The 1st is to use strncmp with the length set to 13. The 2nd is to force character 13 to an '\0'. This works for me, but it may break other system. This used to work on the 2.3 versions. Unfortunately, I do not have a copy of the source to compare. Thanks, Mike -- Mike Campin campin at pobox dot com http://www.pobox.com/~spampin From djm at mindrot.org Tue Mar 6 09:55:43 2001 
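What Mike's two strings show, as an added illustration that is not OpenSSH's auth-passwd.c: a System V / SunOS style password field may carry ",<aging>" after the 13-character crypt(3) result, so a comparison has to stop at the first comma and still insist on an exact length match. The sample values are the ones quoted in the message; the helper names are mine, and the comma is assumed to be the only decoration present.

```c
#include <stddef.h>
#include <string.h>

/*
 * Length of the hash portion of a passwd/NIS password field.
 * System V / SunOS style password aging appends ",<aging>" to the
 * field (e.g. "RMf.YivanoZc2,o01N"), so everything from the first
 * comma on is not part of the hash. Assumption for this example: the
 * comma is the only such delimiter in use.
 */
size_t pw_hash_len(const char *pw_field)
{
	const char *comma = strchr(pw_field, ',');

	return comma ? (size_t)(comma - pw_field) : strlen(pw_field);
}

/*
 * Compare a freshly computed crypt() string with the stored field,
 * ignoring trailing aging data. The lengths must match exactly, so a
 * 13-character crypt() result never matches a stored hash of another
 * length, and the byte comparison always runs over the whole hash so
 * that timing does not reveal where the first mismatch is.
 * An empty stored hash is treated as no match here; whether empty
 * passwords are allowed at all is a separate policy decision.
 * Returns 1 on match, 0 otherwise.
 */
int pw_hash_matches(const char *stored_field, const char *computed)
{
	size_t n = pw_hash_len(stored_field);
	unsigned char diff = 0;
	size_t i;

	if (n == 0 || n != strlen(computed))
		return 0;
	for (i = 0; i < n; i++)
		diff |= (unsigned char)(stored_field[i] ^ computed[i]);
	return diff == 0;
}
```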
From: djm at mindrot.org (Damien Miller) Date: Tue, 6 Mar 2001 09:55:43 +1100 (EST) Subject: SSH RPM for Red Hat 6.2 not useable In-Reply-To: <3AA39029.FEB27E10@tei.ericsson.se> Message-ID: On Mon, 5 Mar 2001, Marco Fioretti wrote: > Hello, > > I downloaded yesterday the Red Hat 6.2 RPMs for openssl > and openssh from one of the official mirrors. > > I could install them on a stock Red Hat 6.2 box because > > rpm -Uvh says (quoting from memory...): > > cannot install because there is dependency conflict > between this rpm (openssh core) and the version of > rpm and rpmlib that you are using...... > > In other words, the rpm packages generated *for* > Red Hat 6.2 don't want to be installed by the version > of RPM which *comes* with Red Hat 6.2..... If you had read the README in the directory that you downloaded the RPMs from you would have seen this: ``To install these RPMs you will need the latest versions of OpenSSL and rpm available from Redhat Errata.'' -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From djm at mindrot.org Tue Mar 6 09:57:11 2001 From: djm at mindrot.org (Damien Miller) Date: Tue, 6 Mar 2001 09:57:11 +1100 (EST) Subject: OpenSSH ssh-agent compat. problem (bug?) In-Reply-To: <20010305203300.32963.qmail@web12608.mail.yahoo.com> Message-ID: On Mon, 5 Mar 2001, Sam Smith wrote: > I've noticed a problem with the ssh-agent for > OpenSSH. When I list the identities found in the > agent, I'm given a warning that the keysize > doesn't match. http://www.openssh.com/faq.html#2.5 -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From ss99hi at yahoo.com Tue Mar 6 09:16:11 2001 
From: ss99hi at yahoo.com (Sam Smith) Date: Mon, 5 Mar 2001 14:16:11 -0800 (PST) Subject: OpenSSH ssh-agent compat. problem (bug?) In-Reply-To: <200103052128.NAA90918@garnet.juniper.net> Message-ID: <20010305221611.28890.qmail@web12602.mail.yahoo.com> Thanks, that fixed it. -Sam --- "Mark D. Baushke" wrote: > Hi Sam, > > > Date: Mon, 5 Mar 2001 12:33:00 -0800 (PST) > > From: Sam Smith > > > > I've noticed a problem with the ssh-agent for > > OpenSSH. When I list the identities found in the > > agent, I'm given a warning that the keysize > > doesn't match. > > > > $ ./ssh-add -L > > Warning: identity keysize mismatch: actual 1023, > > announced 1024 > > 1023 35 61...63 sam at host > >... > > Any suggestions? > > You may wish to read http://www.openssh.com/faq.html#2.5 > as I believe it addresses your problem. > > Enjoy! > -- Mark From djm at mindrot.org Tue Mar 6 10:17:26 2001
From: djm at mindrot.org (Damien Miller) Date: Tue, 6 Mar 2001 10:17:26 +1100 (EST) Subject: List Policy Message-ID: Apologies for this interruption, but the .au government has passed some fairly idiotic laws recently that force me to make explicit that which (IMO) should be in the realm of the "bleeding obvious": ] Some legal jurisdictions (including Australia) have laws which treat ] email as intellectual property and allow for the possibility of legal ] action for unauthorised copying. ] ] If you choose to post to this mailing list, you must agree to allow ] unlimited copying, distribution and archival of your email and any ] attachments by the mailing list itself, its users and any third-party ] archivers (e.g. webmail archives, search engines). ] ] If you choose not to agree with this policy, do not post to the list. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From vader at conflict.net Tue Mar 6 13:15:29 2001 
From: vader at conflict.net (Jim B)
Date: Tue, 6 Mar 2001 02:15:29 +0000
Subject: OpenSSH-2.5.1p1 scp hangs when scping into an RH (6.0|7.0) box
In-Reply-To: <20010223032419.A26236@conflict.net>; from vader@conflict.net on Fri, Feb 23, 2001 at 03:24:19AM +0000
References: <20010221231441.15853.qmail@conflict.net> <20010223032419.A26236@conflict.net>
Message-ID: <20010306021529.4895.qmail@conflict.net>

On Fri, Feb 23, 2001 at 03:24:19AM +0000, Jim Breton wrote:
> Well, I am now volunteering to be called an *sshole.
>
> For some reason, and I promise with *no* changes of which I am aware on
> either the client or the server machines, this is working fine now
> (except scp but you already know about that... fyi I get "lost
> connection" on scp, hopefully that is the error everyone else gets and
> not something special happening to me ;) ).

OK... well if anyone is interested in the mysteries of this thread anymore, we seem to have nailed down the problem just a few minutes ago.

The box I was SSHing/SCPing into... had some problem with the RAID array (not my box so I don't know the details of that). After its admin noticed some other funky filesystem behaviors, he moved the home dir of my account to another spot in the filesystem... and immediately it all started working correctly. :P

Sigh. :)

--
I have a feeling that your responses are in a chicken.
-- Classic MegaHAL Quotes (http://www.amristar.com.au/~hutch/hal/Classic.html)
Jim B GPG: 0xAD65004B | PGP: 0x020D072B

From gtc at cheshirelaw.com Tue Mar 6 15:50:05 2001
From: gtc at cheshirelaw.com (Geoffrey T. Cheshire) Date: Mon, 5 Mar 2001 21:50:05 -0700 Subject: Continued utmp probs with sshlogin.c Message-ID: Hi all, I've hacked in some better logging for what's going on with my logins and utmp/wtmp. Everything seems OK except for u.ut_host. In my case, the actual variable host for this test case is aragon.cheshirelaw.com. This is fine (as my logs show): Mar 5 21:22:47 frodo sshd[10274]: Actual: 983852567 /dev/ttyp0 aragon.cheshirelaw.com However, check out what u.ut_host is logged as: Mar 5 21:22:47 frodo sshd[10274]: wtmp entry: ttyp0 983852567 gtc aragon.cheshirel\^Wf\M-$:0\M-S\M-?\M-_\M-*\^D\^A This whacks w, who, and utmp. all the sizeof's seem ok for my 2.8 release box: Mar 5 21:22:47 frodo sshd[10274]: wtmp: sizeof(u)=36, sizeof(u.ut_host)=16 Mar 5 21:22:47 frodo sshd[10274]: wtmp: sizeof(u.ut_line)=8, sizeof(u.ut_name)=8 Mar 5 21:22:47 frodo sshd[10274]: wtmp: sizeof(u.ut_time)=4 Any ideas? - - - Geoffrey T. Cheshire PGP IDs: 0xA898DA75, 0x7B9C0691 (office), 0x43713B0D (RSA) From carl at bl.echidna.id.au Tue Mar 6 17:41:19 2001 
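One thing the logged wtmp entry does show, as an added illustration that is not OpenSSH's login.c: with the UT_HOSTSIZE of 16 quoted at the start of this thread, a hostname of 16 characters or more fills ut_host with no terminating NUL, so any reader that treats the field as a C string (a plain "%s" in a log call, for instance) keeps reading past its end, which is exactly the shape of "aragon.cheshirel" followed by garbage. The struct below is an assumed layout that reproduces the sizes logged in the message; the helper names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Field widths of the old utmp.h quoted earlier in this thread. */
#define UT_NAMESIZE 8
#define UT_LINESIZE 8
#define UT_HOSTSIZE 16

/*
 * Assumed layout for this example: it reproduces the sizes logged in the
 * message (sizeof(u)=36, ut_host 16, ut_line 8, ut_name 8, ut_time 4).
 */
struct old_utmp {
	char    ut_line[UT_LINESIZE];
	char    ut_name[UT_NAMESIZE];
	char    ut_host[UT_HOSTSIZE];
	int32_t ut_time;
};

/*
 * Store a hostname the way utmp fields are defined (same semantics as
 * strncpy(3)): short values are NUL-padded, but a value of UT_HOSTSIZE
 * bytes or longer is cut to exactly UT_HOSTSIZE bytes with NO terminator.
 * That is the file format, not a bug in the write; every reader must cope.
 */
void utmp_set_host(struct old_utmp *u, const char *host)
{
	size_t len = strlen(host);

	if (len > sizeof(u->ut_host))
		len = sizeof(u->ut_host);
	memset(u->ut_host, 0, sizeof(u->ut_host));
	memcpy(u->ut_host, host, len);
}

/* 1 if a NUL occurs inside the field, 0 if the value fills every byte. */
int utmp_field_terminated(const char *field, size_t width)
{
	return memchr(field, '\0', width) != NULL;
}

/*
 * Read a fixed-width field without running off its end: copy at most
 * `width` bytes, stop at the first NUL, always NUL-terminate `out`.
 * A plain "%s" on the raw field skips this bound and, for a full field,
 * prints whatever follows it in memory. Returns the number of characters
 * copied.
 */
size_t utmp_field_to_string(const char *field, size_t width,
    char *out, size_t outlen)
{
	const char *nul = memchr(field, '\0', width);
	size_t n = nul ? (size_t)(nul - field) : width;

	if (outlen == 0)
		return 0;
	if (n > outlen - 1)
		n = outlen - 1;
	memcpy(out, field, n);
	out[n] = '\0';
	return n;
}

/* 1 if `host` leaves a terminator in ut_host, 0 if it fills the field. */
int utmp_host_fits(const char *host)
{
	struct old_utmp u;

	memset(&u, 0, sizeof(u));
	utmp_set_host(&u, host);
	return utmp_field_terminated(u.ut_host, sizeof(u.ut_host));
}

/*
 * Write `host` into an entry and read it back the safe way. Returns a
 * static buffer holding what a bounded reader sees (at most 16 chars).
 */
const char *utmp_host_roundtrip(const char *host)
{
	static char out[UT_HOSTSIZE + 1];
	struct old_utmp u;

	memset(&u, 0, sizeof(u));
	utmp_set_host(&u, host);
	utmp_field_to_string(u.ut_host, sizeof(u.ut_host), out, sizeof(out));
	return out;
}
```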
From: carl at bl.echidna.id.au (carl at bl.echidna.id.au) Date: Tue, 6 Mar 2001 17:41:19 +1100 (EST) Subject: pam/radius, SecurID, any news? Message-ID: <200103060641.f266fJd21797@rollcage.bl.echidna.id.au> I've been through the archive, and not found anything conclusive, except for a problem report of sorts from Theo E. Schlossnag (who has a set of patches for SecurID integration). I'm about to replace some ssh 1.2.26 (I know!) installations with OpenSSH 2.5.1p2, on Solaris 2.6 sparc boxes, and we use SecurID tokens for these boxes. I've compiled up OpenSSH 2.5.1p2 with --with-pam, and thrown pam-radius 1.3.11 into a package, and I think it'll work, but I can't test on the boxes that need the tokens without jumping through a lot of firewall admin hoops. Can anyone tell me if it will work? The SecurID server is a radius daemon, we have a lot of ssh v1 stuff still (I'm getting rid of it slowly, but can't do it all at once), has anyone got this working at all? Theo's comments in Jan have me worried, and if I lock myself out of these boxes, it's a flight interstate with a boot up my backside to fix it! So, before I go to the trouble of setting up VPN's etc to this server, can anyone tell me if they have it working? Or, what's the status with Theo's patches? Thanks Carl From djm at mindrot.org Tue Mar 6 17:50:12 2001 
From: djm at mindrot.org (Damien Miller) Date: Tue, 6 Mar 2001 17:50:12 +1100 (EST) Subject: pam/radius, SecurID, any news? In-Reply-To: <200103060641.f266fJd21797@rollcage.bl.echidna.id.au> Message-ID: On Tue, 6 Mar 2001 carl at bl.echidna.id.au wrote: > > I've been through the archive, and not found anything > conclusive, except for a problem report of sorts from > Theo E. Schlossnag (who has a set of patches for SecurID > integration). > > I'm about to replace some ssh 1.2.26 (I know!) installations > with OpenSSH 2.5.1p2, on Solaris 2.6 sparc boxes, and > we use SecurID tokens for these boxes. > > I've compiled up OpenSSH 2.5.1p2 with --with-pam, and > thrown pam-radius 1.3.11 into a package, and I think it'll > work, but I can't test on the boxes that need the tokens > without jumping through a lot of firewall admin hoops. If you limit yourself to SSH protocol 2, using ChallengeResponseAuthentication, then just about any PAM module should work. Not that I have tried them all :) If you are concerned about locking yourself out of a box, you can always run OpenSSH on a high numbered port (2222 is a favourite) while testing. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From Erwin.DeMunter at siemens.atea.be Tue Mar 6 18:14:46 2001 From: Erwin.DeMunter at siemens.atea.be (De Munter Erwin) Date: Tue, 6 Mar 2001 08:14:46 +0100 Subject: FW: SSH RPM for Red Hat 6.2 not useable Message-ID: <6B546A602AD2D211BFF00008C7A4288903336906@hrtades2.atea.be> Hello, rpm's for 6.2 also did not work here. ( With latest rpm, openssl,...) Compiling myself the binaries did not give any error and working fine. De Munter Erwin -----Original Message----- 
From: Damien Miller [mailto:djm at mindrot.org] Sent: Monday, March 05, 2001 11:56 PM To: Marco Fioretti Cc: openssh-unix-dev at mindrot.org; marco.fioretti at tiscalinet.it Subject: Re: SSH RPM for Red Hat 6.2 not useable On Mon, 5 Mar 2001, Marco Fioretti wrote: > Hello, > > I downloaded yesterday the Red Hat 6.2 RPMs for openssl > and openssh from one of the official mirrors. > > I could install them on a stock Red Hat 6.2 box because > > rpm -Uvh says (quoting from memory...): > > cannot install because there is dependency conflict > between this rpm (openssh core) and the version of > rpm and rpmlib that you are using...... > > In other words, the rpm packages generated *for* > Red Hat 6.2 don't want to be installed by the version > of RPM which *comes* with Red Hat 6.2..... If you had read the README in the directory that you downloaded the RPMs from you would have seen this: ``To install these RPMs you will need the latest versions of OpenSSL and rpm available from Redhat Errata.'' -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From mats at mindbright.se Tue Mar 6 18:57:10 2001 
From: mats at mindbright.se (Mats Andersson)
Date: Tue, 6 Mar 2001 08:57:10 +0100 (MET)
Subject: Sftp client improvements
In-Reply-To:
Message-ID:

Hi,

On Sat, 3 Mar 2001, Damien Miller wrote:
> On Fri, 2 Mar 2001 mouring at etoh.eviladmin.org wrote:
> > On Fri, 2 Mar 2001, Rachit Siamwalla wrote:
> >
> > > Hmm, i wonder if it would be just better to integrate a full featured
> > > open FTP client in and plug it into an openssh backend / networking
> > >
> >
> > I personally don't know if it's worth throwing it away just to try and
> > shoehorn an existing ftp client. I think we are better off adding to the
> > current framework.
>
> That being said - I have tried to make it easy for other to implement
> clients using the sftp code. Most of the client-side protocol stuff is
> in sftp-client.[ch] and there is a fair bit of reusable infrastructure in
> sftp.c.

I've done a fun thing with our sftp code (for our ssh client in java) which might be something someone wants to try with openSSH as well. Just make a "bridge" between ftp and sftp so any ordinary ftp-client can connect to the "bridge" and "speak" to the sftp-server in the other end (i.e. implement a simple ftpd whose bottom is doing sftp). It's not a very complicated hack so I guess it wouldn't be too much work to do on top of the openSSH sftp code too (especially if it's made with modularity in mind as you said).

Our ftp to sftp bridge will soon be available, in the next pre-release of MindTerm (see http://www.mindbright.se/mindterm/).

Cheers,
/Mats

From Stephan.Hendl at lds.brandenburg.de Tue Mar 6 19:01:00 2001
From: Stephan.Hendl at lds.brandenburg.de (Stephan Hendl)
Date: Tue, 06 Mar 2001 09:01:00 +0100
Subject: PAM on HP-UX 11
Message-ID:

Hi all,

I just compiled openssh-2.5.1p2 on HP-UX 11 including the --with-pam option in ./configure. The contrib/ directory shows a generic pam.conf example with several pam_*.so files which I miss on my system. How can I update the /etc/pam.conf in order to use the PAM authentication scheme?

regards
Stephan
--
LDS Brandenburg
Dr. Stephan Hendl
fon: +49-(0)331-39 471
fax: +49-(0)331-27548 1187
EMail: stephan.hendl at lds.brandenburg.de

From Markus.Friedl at informatik.uni-erlangen.de Tue Mar 6 19:39:05 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 6 Mar 2001 09:39:05 +0100
Subject: compatibility problem between openssh2.5.1 p1 or p2 and ssf (fwd)
Message-ID: <20010306093905.A23488@faui02.informatik.uni-erlangen.de>

hi,

i think that sftp-server should work fine, even if there are no 64 bit integers, just try 32 bit and panic if the top bits are set...

-------------- next part --------------
An embedded message was scrubbed...
From: Brian Candler
Subject: Re: compatibility problem between openssh2.5.1 p1 or p2 and ssf
Date: Sun, 4 Mar 2001 21:28:28 +0000
Size: 2221
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010306/b6550195/attachment.mht

From ellinger at informatik.uni-tuebingen.de Wed Mar 7 04:03:21 2001
From: ellinger at informatik.uni-tuebingen.de (Jürgen Ellinger)
Date: Tue, 06 Mar 2001 18:03:21 +0100
Subject: openssh-2.5.1p[1,2] and scp-problems on Solaris7
Message-ID: <3AA51859.263DB04A@informatik.uni-tuebingen.de>

Hi,

I'm not subscribed to that list, so please keep me in cc if you decide to answer my question.

I'm trying to compile and install openssh for some solaris7-machines. Everything works fine, but I'm continuously failing to connect openssh's sshd with scp:

I've tried openssh-2.5.1p1: the daemon died with signal 11 (SIG_SEGV) - sure I've read the hint on that list (http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=98322740311031&w=2), and with the described workaround the daemon no longer crashes - but the whole transaction hangs.

In the meantime openssh-2.5.1p2 appeared and I tested whether the problems are fixed in this version. Without any patch the daemon does not crash, but the communication still is hanging. The daemon starts a shell, the shell execs a 'scp -t ' and nothing happens. A traceback of the running process (done with Solaris proctool) shows that scp seems to block while reading (from a socket, I suppose).

I tried to contact the server with several implementations of the client (linux, solaris, ssh, openssh etc), but I can't get the stuff working.

So if anybody on the list has a helpful hint I would be very happy. Feel free to ask if you need more information about config params or something like that.

Thanks in advance!
Jürgen
---------------------------------------------------------------------
Jürgen Ellinger
Siemensstraße 44
D-88250 Weingarten, Germany
e-mail: ellinger at informatik.uni-tuebingen.de

From rdump at river.com Tue Mar 6 19:17:47 2001
From: rdump at river.com (Richard Johnson) Date: Tue, 6 Mar 2001 01:17:47 -0700 Subject: Segfaults with ssh from Red Hat 6.2 openssh-clients-2.5.1p2-1.i386.rpm Message-ID:

The segfault logged below occurs on two different Red Hat 6.2 systems running OpenSSH installed from the 2.5.1p2 RPM. (Similar problems occurred with the 2.5.1p1 RPM.) The most recent of the Red Hat 6.2 systems tested is stock except for an upgrade of rpm-3.0.5-9.6x.i386.rpm and the install of Red Hat's release of openssl-0.9.5a-3.i386.rpm, both necessary for the OpenSSH RPM install. The segfaults occur when connecting to OpenSSH 2.3.0p1 (Solaris 7), OpenSSH 2.5.1p1 (Solaris 2.5.1), OpenSSH 2.3.X (OpenBSD), and OpenSSH 2.5.X (OpenBSD current as of January), among other systems. The segfaults do not occur when connecting to localhost on the Red Hat 6.2 box. Is this a known problem with the ssh-clients RPM for 2.5.1p2? I can provide core dumps if anyone is interested. Richard

------
# openssh -v -v -v server.example.com   # running Solaris 7, OpenSSH 2.3.0p1
OpenSSH_2.5.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
debug: Reading configuration data /etc/ssh/ssh_config
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to server.example.com [192.168.8.223] port 22.
debug: Seeding random number generator
debug: Allocated local port 678.
debug: Connection established.
debug: identity file /root/.ssh/identity type 3
debug: identity file /root/.ssh/id_dsa type 3
debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0p1
debug: match: OpenSSH_2.3.0p1 pat ^OpenSSH_2\.3\.0
debug: Local version string SSH-1.5-OpenSSH_2.5.1p2
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
Segmentation fault (core dumped)

# openssh -v -v -v -2 server.example.com   # running Solaris 7, OpenSSH 2.3.0p1
OpenSSH_2.5.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
debug: Reading configuration data /etc/ssh/ssh_config
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to server.example.com [192.168.8.223] port 22.
debug: Seeding random number generator
debug: Allocated local port 652.
debug: Connection established.
debug: identity file /root/.ssh/id_dsa type 3
debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0p1
debug: match: OpenSSH_2.3.0p1 pat ^OpenSSH_2\.3\.0
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-2.0-OpenSSH_2.5.1p2
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug: got kexinit: ssh-dss
debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit: none,zlib
debug: got kexinit: none,zlib
debug: got kexinit:
debug: got kexinit:
debug: first kex follow: 0
debug: reserved: 0
debug: done
debug: mac_init: found hmac-sha1
debug: kex: server->client 3des-cbc hmac-sha1 none
debug: mac_init: found hmac-sha1
debug: kex: client->server 3des-cbc hmac-sha1 none
debug: Sending SSH2_MSG_KEX_DH_GEX_REQUEST.
debug: Wait SSH2_MSG_KEX_DH_GEX_GROUP.
debug: Got SSH2_MSG_KEX_DH_GEX_GROUP.
debug: bits set: 516/1024
debug: Sending SSH2_MSG_KEX_DH_GEX_INIT.
debug: Wait SSH2_MSG_KEX_DH_GEX_REPLY.
debug: Got SSH2_MSG_KEXDH_REPLY.
Segmentation fault (core dumped) From stevesk at sweden.hp.com Wed Mar 7 05:16:11 2001 From: stevesk at sweden.hp.com (Kevin Steves) Date: Tue, 6 Mar 2001 19:16:11 +0100 (MET) Subject: PAM on HP-UX 11 In-Reply-To: Message-ID: On Tue, 6 Mar 2001, Stephan Hendl wrote: : just I compiled openssh-2.5.1p2 on HP-UX 11 including the --with-pam : option in ./configure. The contrib/ directory shows a generic : pam.conf example with several pam_*.so files which I miss on my : system. How can I update the /etc/pam.conf in order to use the PAM : authentication scheme? openssh --with-pam+hp-ux 11 pam should work by default (with the default /etc/pam.conf) due to a match on OTHER service. this is mentioned in the INSTALL file. From ktaylor at eosdata.gsfc.nasa.gov Wed Mar 7 06:36:50 2001 From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor) Date: Tue, 06 Mar 2001 14:36:50 -0500 Subject: suggestion: saving old binaries during installation Message-ID: <3AA53C52.473EAF3B@daac.gsfc.nasa.gov> Just as a suggestion, I liked the way the ssh.com's ssh would move the old binaries to filename.old then install the new ones....so that way you have an old copy to revert back to if needed (without copying them all by hand). From kbarry at snaz.com Wed Mar 7 07:48:28 2001 
From: kbarry at snaz.com (Kieran Barry) Date: Tue, 6 Mar 2001 20:48:28 -0000 Subject: Better port forwarding control In-Reply-To: <3AA51859.263DB04A@informatik.uni-tuebingen.de> Message-ID:

Hi, I've just joined the list, so please forgive me if I missed something in the FAQ/docs etc.

Overview

I am likely to need to allow someone (untrusted) to forward a port on one of my boxes to one of theirs for EDI. It appears to involve only one port, so an IPSEC-type VPN is likely to be over the top. I'd like to do this with ssh port forwarding, but to only allow a single port to be forwarded. I'd also like to prevent the remote party forwarding a local (on their machine) port to random ports on machines in my DMZ. The target platforms I am aware of are Linux/Solaris boxes. This raises questions about coding against the portable vs non-portable code bases. Since I know less about the codebase than you guys, I'd like some guidance on the following:

My plan is to provide an account, a dsa key, and a shell which effectively goes to sleep for a week, and ask the other party to put this in a loop. Is there an easier way to do what I want to do, either with ssh or another tool?

I have a couple of questions on the project:
1. Would patches adding this sort of functionality be accepted by the project if they followed man 9 style?
2. Which source tree would patches need to work against?
3. I would need to add statements to sshd_config (and the ServerOptions struct in servconf.h). Could someone sanity check the outline spec below to tell me what they think?

Spec

sshd_config changes. Either:

New values for the AllowTcpForwarding keyword (valid values now [no | incoming | outgoing | yes]):
  incoming would allow a -L type connection
  outgoing would allow a -R type connection
  yes would allow both

Or:

New keywords IncomingPortsAllowed, OutgoingPortsAllowed (and maybe IncomingPortsDenied, OutgoingPortsDenied. I would prefer a default deny stance, but I could be persuaded otherwise.)

Probably a combination of both is best.

ServerOptions type (from servconf.h) changes. Add the following to the structure:
  u_int num_allow_incoming_forwarded_ports;
  char *allow_incoming_forwarded_ports;
  u_int num_allow_outgoing_forwarded_ports;
  char *allow_outgoing_forwarded_ports;

Extra source files: add .c and .h files portaccess, or incomingportaccess and outgoingportaccess, similar to groupaccess.[ch].

Any other tips would be useful. Thanks for your time. Regards Kieran

From ktaylor at eosdata.gsfc.nasa.gov Wed Mar 7 07:51:25 2001 From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor) Date: Tue, 06 Mar 2001 15:51:25 -0500 Subject: utmpx/wtmpx problems with 2.5.1p2 on irix... Message-ID: <3AA54DCD.5E8ACCA7@daac.gsfc.nasa.gov>

I installed 2.5.1p2 on an irix system and noticed that if a user logged in typed "logname" it was providing the wrong username. File creations were correct, "w" produces the correct output....so something is funky in p2 that wasn't there in p1.

From djm at mindrot.org Wed Mar 7 08:23:53 2001 From: djm at mindrot.org (Damien Miller) Date: Wed, 7 Mar 2001 08:23:53 +1100 (EST) Subject: Segfaults with ssh from Red Hat 6.2 openssh-clients-2.5.1p2-1.i386.rpm In-Reply-To: Message-ID:

On Tue, 6 Mar 2001, Richard Johnson wrote:
> The segfault logged below occurs on two different Red Hat 6.2 systems
> running OpenSSH installed from the 2.5.1p2 RPM. (Similar problems occurred
> with the 2.5.1p1 RPM.)
>
> The most recent of the Red Hat 6.2 systems tested is stock except for an
> upgrade of rpm-3.0.5-9.6x.i386.rpm and the install of Red Hat's release of
> openssl-0.9.5a-3.i386.rpm, both necessary for the OpenSSH RPM install.

This is not Redhat's release of openssl. You need openssl-0.9.5a-2.6.x

-d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From rachit at ensim.com Wed Mar 7 08:49:57 2001
From: rachit at ensim.com (Rachit Siamwalla) Date: Tue, 06 Mar 2001 13:49:57 -0800 Subject: FW: SSH RPM for Red Hat 6.2 not useable References: <6B546A602AD2D211BFF00008C7A4288903336906@hrtades2.atea.be> Message-ID: <3AA55B85.303BFA36@ensim.com>

You need RPM 3.0.5. RH 6.2 by default comes with RPM 3.0.4. You need to download the RH 6.2 Updates / Errata as stated in the README. It has RPM 3.0.5. Besides, if you want a secure box you should keep up to date with the updates; i guess this is another way the openssh folks force you to secure your system :) -rchit

De Munter Erwin wrote: > > Hello, rpm's for 6.2 also did not work here. ( With latest rpm, openssl,...) > Compiling myself the binaries did not give any error and working fine. > De Munter Erwin > > -----Original Message-----
> From: Damien Miller [mailto:djm at mindrot.org] > Sent: Monday, March 05, 2001 11:56 PM > To: Marco Fioretti > Cc: openssh-unix-dev at mindrot.org; marco.fioretti at tiscalinet.it > Subject: Re: SSH RPM for Red Hat 6.2 not useable > > On Mon, 5 Mar 2001, Marco Fioretti wrote: > > > Hello, > > > > I downloaded yesterday the Red Hat 6.2 RPMs for openssl > > and openssh from one of the official mirrors. > > > > I could install them on a stock Red Hat 6.2 box because > > > > rpm -Uvh says (quoting from memory...): > > > > cannot install because there is dependency conflict > > between this rpm (openssh core) and the version of > > rpm and rpmlib that you are using...... > > > > In other words, the rpm packages generated *for* > > Red Hat 6.2 don't want to be installed by the version > > of RPM which *comes* with Red Hat 6.2..... > > If you had read the README in the directory that you downloaded the RPMs > from you would have seen this: > > ``To install these RPMs you will need the latest versions of OpenSSL > and rpm available from Redhat Errata.'' > > -d > > -- > | Damien Miller \ ``E-mail attachments are the poor man's > | http://www.mindrot.org / distributed filesystem'' - Dan Geer From ms at speakeasy.net Wed Mar 7 09:14:22 2001 
From: ms at speakeasy.net (Michael Salmon) Date: Tue, 6 Mar 2001 14:14:22 -0800 Subject: Better port forwarding control In-Reply-To: ; from kbarry@snaz.com on Tue, Mar 06, 2001 at 08:48:28PM -0000 References: <3AA51859.263DB04A@informatik.uni-tuebingen.de> Message-ID: <20010306141422.B23233@speakeasy.net>

hi kieran, i've had the same need before and have the patches to do this also, we needed to allow only specific ports to be forwarded. This was rejected from the mainstream because it was requested to be implemented using a security protocol that i once bookmarked, planned on reading over, and have since forgotten and deleted. (ring a bell anyone?) If you want to get together and work on adding this feature using the protocol markus said it required, i'd be happy to talk with you about it since I think this is a good feature to have for many users. I was told this was already in an older version of openssh, but I haven't tried it out. It was removed from the head before i checked out the code. cheers, ms

On Tue, Mar 06, 2001 at 08:48:28PM -0000, Kieran Barry wrote:
> Hi,
>
> I've just joined the list, so please forgive if I missed something in
> the FAQ/docs etc.
>
> Overview
> I am likely to need to allow someone (untrusted) to forward a port on
> one of my boxes to one of theirs for EDI. It appears to involve only
> one port, so an IPSEC-type VPN is likely to be over the top. I'd like
> to do this with ssh port forwarding, but to only allow a single port
> to be forwarded. I'd also like to prevent the remote party forwarding
> a local (on their machine) port to random ports on machines in my DMZ.
> The target platforms I am aware of are Linux/Solaris boxes. This
> raises questions about coding against the portable vs non-portable
> code bases.
>
> Since I know less about the codebase than you guys, I'd like some
> guidance on the following:
>
> My plan is to provide an account, a dsa key, and a shell which
> effectively goes to sleep for a week, and ask the other party to put
> this in a loop.
>
> Is there an easier way to do what I want to do, either with ssh or
> another tool?
>
> I have a couple of questions on the project
> 1. Would patches adding this sort of functionality be accepted by the
> project if it followed man 9 style?
> 2. Which source tree would patches need to work against?
> 3. I would need to add statements to sshd_config (and the
> ServerOptions struct in servconf.h). Could someone sanity check the
> outline spec below to tell me what they think?
>
> Spec
> Sshd_config changes
> Either:
> New values for the AllowTcpForwarding keyword (valid values now
> [no | incoming | outgoing | yes])
> incoming would allow a -L type connection
> outgoing would allow a -R type connection
> yes would allow both
>
> Or
> New keywords IncomingPortsAllowed, OutgoingPortsAllowed, (and maybe
> IncomingPortsDenied, OutgoingPortsDenied. I would prefer a default
> deny stance, but I could be persuaded otherwise.)
>
> Probably a combination of both is best.
>
> type ServerOptions (from servconf.h) changes:
> Add the following to the structure:
> u_int num_allow_incoming_forwarded_ports;
> char *allow_incoming_forwarded_ports;
> u_int num_allow_outgoing_forwarded_ports;
> char *allow_outgoing_forwarded_ports;
>
> Extra source files:
> Add .c and .h files
> portaccess
> or
> incomingportaccess and outgoingportaccess
> similar to groupaccess.[ch]
>
> Any other tips would be useful.
>
> Thanks for your time.
>
> Regards
>
> Kieran
>
From kbarry at snaz.com Wed Mar 7 09:32:35 2001
From: kbarry at snaz.com (Kieran Barry) Date: Tue, 6 Mar 2001 22:32:35 -0000 Subject: Better port forwarding control In-Reply-To: <20010306141422.B23233@speakeasy.net> Message-ID: Michael Salmon wrote: > > hi kieran, > i've had the same need before and have the patches to do > this also, we needed to > allow only specific ports to be forwarded. This was > rejected to the mainstream > because it was requested to be implemented using a security > protocol that i > once bookmarked, planned on reading over, and have since > forgotten and deleted > it. (ring a bell anyone?) > If you want to get together and work on adding this feature > using the protocol > markus said it required, i'd be happy to talk with you > about it since I think > this is a good feature to have for many users. > I was told this was already in an older version of openssh, > but I havent tried > it out. It was removed from the head before i checked out the code. > > cheers, > ms > Hi Michael, I'd be very interested in looking at your patches! Certainly, for the short term, that is the easiest way forward. I've done a quick mailing list search on keys: port & forwarding & markus and I have dug up the keynote trust management system: http://www.cis.upenn.edu/~angelos/keynote.html Is this what was recommended previously? Regards Kieran From markus.friedl at informatik.uni-erlangen.de Wed Mar 7 08:50:59 2001 
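Kieran Barry's outline spec and Michael Salmon's reply both describe the same thing: a default-deny list of host:port pairs the server will forward to, checked per direction. The block below is an added example of that check, not code from OpenSSH or from either poster's patches. The keyword names IncomingPortsAllowed and OutgoingPortsAllowed are taken from the proposal and are hypothetical; the host:port syntax, the [v6addr]:port form, the port-range extension and the mapping from SSH2 request names to the proposal's two directions are assumptions of this example.

```python
# Map the SSH2 request the server actually sees onto the proposal's two directions.
# In the proposal "incoming" permits what ssh -L asks for (a direct-tcpip channel the
# server connects out for) and "outgoing" what ssh -R asks for (a tcpip-forward global
# request the server listens for). Both names are hypothetical.
DIRECTION_BY_REQUEST = {
    "direct-tcpip": "incoming",
    "tcpip-forward": "outgoing",
}

# Hypothetical sshd_config keywords from the proposal; not real OpenSSH options.
KEYWORDS = {
    "IncomingPortsAllowed": "incoming",
    "OutgoingPortsAllowed": "outgoing",
}


def parse_port(text):
    """'7000' -> (7000, 7000); '10000-10010' -> (10000, 10010); '*' -> (1, 65535)."""
    if text == "*":
        return 1, 65535
    lo, sep, hi = text.partition("-")
    lo = int(lo)
    hi = int(hi) if sep else lo
    if not (1 <= lo <= hi <= 65535):
        raise ValueError("bad port spec: %r" % text)
    return lo, hi


def parse_spec(spec):
    """'host:port', '*:port' or '[v6addr]:port' -> (host, lo, hi), host lower-cased."""
    if spec.startswith("["):
        host, sep, port = spec[1:].partition("]:")
        if not sep or not host:
            raise ValueError("bad spec: %r" % spec)
    else:
        host, sep, port = spec.rpartition(":")
        if not sep or not host:
            raise ValueError("bad spec: %r" % spec)
    lo, hi = parse_port(port)
    return host.lower(), lo, hi


class ForwardPolicy:
    """Default-deny forwarding policy: nothing is permitted unless a rule says so."""

    def __init__(self):
        self.rules = {"incoming": [], "outgoing": []}

    def load(self, config_text):
        """Pick up only the two proposed keywords; other lines belong to sshd's own parser."""
        for raw in config_text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            keyword, _, rest = line.partition(" ")
            direction = KEYWORDS.get(keyword)
            if direction is None:
                continue
            for spec in rest.split():
                self.rules[direction].append(parse_spec(spec))
        return self

    def permits(self, direction, host, port):
        """True only if some rule for this direction matches host and port."""
        host = host.lower()
        for rule_host, lo, hi in self.rules.get(direction, ()):
            if rule_host in ("*", host) and lo <= port <= hi:
                return True
        return False

    def permits_request(self, request_type, host, port):
        """Decide an SSH2 channel-open or global request by its type name; unknown types are refused."""
        return self.permits(DIRECTION_BY_REQUEST.get(request_type, ""), host, port)


# Constructed configuration for the EDI case in the thread: one inbound target, one
# range the partner may listen on, and nothing else.
EXAMPLE_CONFIG = """
IncomingPortsAllowed edi.example.net:7000 [::1]:8443   # constructed example
OutgoingPortsAllowed *:10000-10010
AllowTcpForwarding yes
"""
```

A request for any host or port not listed, or of a request type the table does not know, is refused, which is the default-deny stance the proposal asks for; the usual sshd_config keywords in the same file are simply skipped by this parser.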
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 6 Mar 2001 22:50:59 +0100 Subject: Sftp client improvements In-Reply-To: ; from mats@mindbright.se on Tue, Mar 06, 2001 at 08:57:10AM +0100 References: Message-ID: <20010306225059.A18432@folly>

oh, this is a great idea. who's going to add this to OpenSSH? :) -markus

On Tue, Mar 06, 2001 at 08:57:10AM +0100, Mats Andersson wrote:
> I've done a fun thing with our sftp code (for our ssh client in java)
> which might be something someone wants to try with openSSH as well. Just
> make a "bridge" between ftp and sftp so any ordinary ftp-client can
> connect to the "bridge" and "speak" to the sftp-server in the other end
> (i.e. implement a simple ftpd whose bottom is doing sftp). It's not a very
> complicated hack so I guess it wouldn't be too much work to do on top of
> the openSSH sftp code too (especially if it's made with modularity in mind
> as you said).
>
> Our ftp to sftp bridge will soon be available, in the next pre-release of
> MindTerm (see http://www.mindbright.se/mindterm/).
From ssklar at stanford.edu Tue Mar 6 05:32:24 2001
From: ssklar at stanford.edu (Sandor W. Sklar) Date: Mon, 5 Mar 2001 10:32:24 -0800 Subject: AIX 4.3.3 + sshd = bug Message-ID:

Hello, I believe that there is a bug in OpenSSH that affects its usage on AIX 4.3.3 - Maintenance Level 3 and higher. This bug was introduced by a change by IBM in the "/usr/lib/drivers/ptydd" driver, and it affected IBM's own telnetd daemon (reference ). However, IBM chose not to fix the cause of the problem, but to instead modify telnetd to deal with the issue. The problem occurs in the sshd program; when a program on the server writes a zero-length string to the terminal, the sshd daemon abruptly closes the connection, logging no information. The following code causes the problem to exhibit itself:

    #include <stdio.h>
    #include <string.h>
    #include <fcntl.h>
    #include <unistd.h>

    int
    main(void)
    {
        int tty_fd;
        int old_tty_fd;
        int old_stdout_fd;
        char str[100];

        old_tty_fd = open("/dev/tty", O_RDWR);
        tty_fd = dup(old_tty_fd);	/* 1 will be /dev/tty */
        close(old_tty_fd);

        /* a normal, non-empty write: this line always arrives */
        strcpy(str, "this is the last thing you will see if sshd is broken.\n");
        fprintf(stderr, "len = %d str = %s", (int)strlen(str), str);
        write(tty_fd, str, strlen(str));

        /* a zero-length write to the pty: the trigger */
        strcpy(str, "");
        fprintf(stderr, "len = %d str = %s\n", (int)strlen(str), str);
        write(tty_fd, str, strlen(str));	/* we die here on 433 */

        fprintf(stderr, "if you can read this then all is good.\n");
        return 0;
    }

This bug pops up with both OpenSSH 2.3.0.p1 and 2.5.1p1 (and with the commercial ssh 1.2.26), but only when the daemon is running on 4.3.3-ML3 or higher. The same daemon works fine on AIX 4.3.2-ML2, and 4.3.3 with no ML applied. With a lot of help, I figured that the cause of the disconnect is a comparison in the "serverloop.c" file. Changing the comparison operator from a "<=" to just a "<" in the serverloop.c file fixes the issue. Here is the code block (taken from the 2.3.0p1 source distribution):

    +304         /* Read and buffer any available stdout data from the program. */
    +305         if (!fdout_eof && FD_ISSET(fdout, readset)) {
    +306                 len = read(fdout, buf, sizeof(buf));
    +307                 if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
    +308                         /* do nothing */
    +309                 } else if (len <= 0) {
    +310                         fdout_eof = 1;
    +311                 } else {
    +312                         buffer_append(&stdout_buffer, buf, len);
    +313                         fdout_bytes += len;
    +314                 }

Line # 309 needs to be changed to ...

    +309                 } else if (len < 0) {

Making the above change in the 2.3.0p1 and the 2.5.1p1 source distributions solves the problem, however, I don't know if there might be any other ill effect, or if the change will have an effect on other platforms. Thanks, --Sandy -- sandor w. sklar http://lindy.stanford.edu/~ssklar/ unix systems administrator polya hall, 255 panama -- mc: 4136 stanford university itss-css mailto:ssklar at stanford.edu From sunil at redback.com Wed Mar 7 10:10:54 2001
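The serverloop.c excerpt in the report above has three outcomes for one read(): retry (EINTR/EAGAIN), end of stream, or data. The block below is an added example, not OpenSSH code, that models those branches with a switch between the original `len <= 0` test and the proposed `len < 0` test, and runs both over a pipe. It goes beyond the report in one respect: on a pipe, a zero-byte read really is end-of-file, so the `len < 0` variant never sets the EOF flag and the loop keeps reading empty results, which is the "other ill effect" the report asks about. It cannot reproduce the AIX pty driver's behaviour, where a zero-byte read follows a zero-length write without the stream having ended; the pipe, the messages and the read limit are constructed here.

```python
import os

# Outcome classes for one read() on the child's stdout descriptor, mirroring the
# three branches of the quoted serverloop.c code.
RETRY, EOF, DATA = "retry", "eof", "data"


def classify_read(fd, bufsize=4096, zero_is_eof=True):
    """Read once from fd and say what the result means.

    zero_is_eof=True  is the original `len <= 0` test: a 0-byte read ends the stream.
    zero_is_eof=False is the proposed `len < 0` test: only an error ends the stream.
    """
    try:
        data = os.read(fd, bufsize)
    except (InterruptedError, BlockingIOError):
        # EINTR / EAGAIN: the "do nothing" branch. (Python itself retries EINTR
        # since 3.5, so in practice only the non-blocking case lands here.)
        return RETRY, b""
    except OSError:
        # Any other error: treat the descriptor as finished, as sshd does.
        return EOF, b""
    if data:
        return DATA, data
    return (EOF, b"") if zero_is_eof else (DATA, b"")


def drain(fd, zero_is_eof=True, max_reads=10):
    """Loop like the server loop until EOF or max_reads.

    Returns (bytes collected, number of reads, number of empty DATA results).
    The read limit stands in for select() repeatedly reporting the fd readable.
    """
    out = bytearray()
    reads = 0
    empty = 0
    while reads < max_reads:
        kind, data = classify_read(fd, zero_is_eof=zero_is_eof)
        reads += 1
        if kind == EOF:
            break
        if kind == DATA and not data:
            empty += 1          # a 0-byte read that was not taken as EOF
        out += data
    return bytes(out), reads, empty


def demo(zero_is_eof):
    """Constructed stand-in for the pty: a pipe whose writer closes after two writes."""
    r, w = os.pipe()
    try:
        os.write(w, b"hello\n")
        os.write(w, b"world\n")
        os.close(w)
        return drain(r, zero_is_eof=zero_is_eof)
    finally:
        os.close(r)
```

With the original test the loop stops as soon as the writer has gone away; with the proposed test it collects the same bytes but never learns the stream has ended and runs into the read limit, every extra read returning nothing.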
From: sunil at redback.com (Sunil K. Vallamkonda) Date: Tue, 6 Mar 2001 15:10:54 -0800 (PST) Subject: openSSH: configure ciphers. In-Reply-To: Message-ID:

Does OpenSSH use RC4 or Arcfour ? 40-bit or 128-bit RC4 ? Thank you. Sunil.

On Tue, 9 Jan 2001, Pekka Savola wrote:
> On Mon, 8 Jan 2001, Sunil K. Vallamkonda wrote:
> > I see that:
> > SSH uses the following ciphers for encryption:
> >
> > Cipher        SSH1  SSH2
> > DES           yes   no
> > 3DES          yes   yes
> > IDEA          yes   no
> > Blowfish      yes   yes
> > Twofish       no    yes
> > Arcfour       no    yes
> > Cast128-cbc   no    yes
>
> Your list is based on ssh by ssh communications, I assume.
>
> There has never been Idea in OpenSSH due to patents. Recent versions of
> SSHv2 also support AES aka Rijndael for SSHv2.
>
> DES is just there for SSHv1 compatibility with certain SSH-enabled routers.
> Because of its insufficient length, it has been disabled elsewhere.
>
> There are no compile-time configuration options to toggle these on and
> off. You can specify which to use at run time or in configuration using
> 'Cipher' and 'Ciphers'.
>
> --
> Pekka Savola "Tell me of difficulties surmounted,
> Netcore Oy not those you stumble over and fall"
> Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
>
From djm at mindrot.org Wed Mar 7 10:13:35 2001 From: djm at mindrot.org (Damien Miller) Date: Wed, 7 Mar 2001 10:13:35 +1100 (EST) Subject: Sftp client improvements In-Reply-To: <20010306225059.A18432@folly> Message-ID:

On Tue, 6 Mar 2001, Markus Friedl wrote:
> oh, this is a great idea. who's going to add this to OpenSSH? :)

It is a neat trick, but IMO anything that extends the life of the FTP protocol is bad mojo :)

-d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From Markus.Friedl at informatik.uni-erlangen.de Wed Mar 7 10:15:29 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Wed, 7 Mar 2001 00:15:29 +0100 Subject: Sftp client improvements In-Reply-To: ; from djm@mindrot.org on Wed, Mar 07, 2001 at 10:13:35AM +1100 References: <20010306225059.A18432@folly> Message-ID: <20010307001529.C6895@faui02.informatik.uni-erlangen.de>

On Wed, Mar 07, 2001 at 10:13:35AM +1100, Damien Miller wrote:
> On Tue, 6 Mar 2001, Markus Friedl wrote:
> > oh, this is a great idea. who's going to add this to OpenSSH? :)
>
> It is a neat trick, but IMO anything that extends the life of the FTP
> protocol is bad mojo :)

ok, but you're going to write the new sftp windows clients.

From mouring at etoh.eviladmin.org Wed Mar 7 10:21:06 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Tue, 6 Mar 2001 17:21:06 -0600 (CST) Subject: Sftp client improvements In-Reply-To: <20010307001529.C6895@faui02.informatik.uni-erlangen.de> Message-ID:

On Wed, 7 Mar 2001, Markus Friedl wrote:
> On Wed, Mar 07, 2001 at 10:13:35AM +1100, Damien Miller wrote:
> > On Tue, 6 Mar 2001, Markus Friedl wrote:
> > > oh, this is a great idea. who's going to add this to OpenSSH? :)
> >
> > It is a neat trick, but IMO anything that extends the life of the FTP
> > protocol is bad mojo :)
>
> ok, but you're going to write the new sftp windows clients.
>

I keep putting pressure on CuteFTP folk as I find bugs or missing functionality. They have a LONG list of complaints from me. So maybe in post v1.0 CuteFTP it may be a good windows client for sftp. Heck, it works nicely right now.=) If there is any other windows FTP software that is adding sftp that I should hound let me know. - Ben From mouring at etoh.eviladmin.org Wed Mar 7 10:25:58 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Tue, 6 Mar 2001 17:25:58 -0600 (CST) Subject: openSSH: configure ciphers. In-Reply-To: Message-ID:

On Tue, 6 Mar 2001, Sunil K. Vallamkonda wrote:
>
> Does OpenSSH use RC4 or Arcfour ?
>
> 40-bit or 128-bit RC4 ?
>

RC4 support was removed long ago from OpenSSH. - Ben

From djm at mindrot.org Wed Mar 7 10:27:18 2001 From: djm at mindrot.org (Damien Miller) Date: Wed, 7 Mar 2001 10:27:18 +1100 (EST) Subject: openSSH: configure ciphers. In-Reply-To: Message-ID:

On Tue, 6 Mar 2001, Sunil K. Vallamkonda wrote:
>
> Does OpenSSH use RC4 or Arcfour ?

Same thing.

> 40-bit or 128-bit RC4 ?

128. Look at the ciphers[] table in cipher.c

-d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer

From sdean at eng.utah.edu Wed Mar 7 10:38:25 2001 From: sdean at eng.utah.edu (Steven Dean) Date: Tue, 06 Mar 2001 16:38:25 -0700 Subject: Ldap and host keys Message-ID: <200103062338.f26NcPp02512@gutter.eng.utah.edu>

Hi, I am looking at the possibility of storing the public ssh host keys in ldap and having the clients look there rather than the standard known_hosts file. I am not looking at having the clients write anything to the ldap server, just check the validity of the public keys. Would there be any serious security implications with this type of setup? Thanks, -- Steven Dean From RCDavis at intermedia.com Wed Mar 7 10:47:10 2001
From: RCDavis at intermedia.com (Davis, Ricardo C.) Date: Tue, 6 Mar 2001 18:47:10 -0500 Subject: OpenSSH/scp ->> F-Secure SSH server Problems Message-ID: <77DA8BE17C46D2118B7A00805FA7D051047ADA7E@TPAEXCH2>

Hi, Is there some known problem between the 'scp' client in OpenSSH 2.5.1p1 and F-Secure's SSH 2.4.0 server? The client is running on a Linux (2.2.17) box and the server is running on Win2K. When I try to transfer files it asks me for the password (which I provide) then it hangs. Using 'scp -v' didn't provide any helpful info; it's as though the problem happened before the authentication completed. I've looked through both the openssh-unix-dev and secure-shell list archives and I haven't seen any issue between the two. -Ricardo

From Donald.Smith at qwest.com Wed Mar 7 10:42:42 2001 From: Donald.Smith at qwest.com (Smith, Donald ) Date: Tue, 6 Mar 2001 16:42:42 -0700 Subject: suggestion: saving old binaries during installation Message-ID: <2D00AD0E4D36D411BD300008C786E42401258464@Denntex021.qwest.net>

And that's exactly what a make install (IN THE SOURCE CODE DIR) will do. Donald.Smith at qwest.com IP Engineering Security 303-226-9939/0688 Office/Fax 720-320-1537 cell

> -----Original Message-----
> From: Kevin Taylor [mailto:ktaylor at eosdata.gsfc.nasa.gov]
> Sent: Tuesday, March 06, 2001 12:37 PM
> To: openssh-unix-dev at mindrot.org
> Subject: suggestion: saving old binaries during installation
>
> Just as a suggestion, I liked the way the ssh.com's ssh would move the
> old binaries to filename.old then install the new ones....so that way
> you have an old copy to revert back to if needed (without copying them
> all by hand).
>
From djm at mindrot.org Wed Mar 7 10:47:58 2001
From: djm at mindrot.org (Damien Miller) Date: Wed, 7 Mar 2001 10:47:58 +1100 (EST) Subject: Ldap and host keys In-Reply-To: <200103062338.f26NcPp02512@gutter.eng.utah.edu> Message-ID:

On Tue, 6 Mar 2001, Steven Dean wrote:
> Hi,
>
> I am looking at the possibility of storing the public ssh host keys in ldap
> and having the clients look there rather than the standard known_hosts file.
> I am not looking at having the clients write anything to the ldap server just
> check the validity of the public keys. Would there be any serious security
> implications with this type of setup?

You are trusting your LDAP server and LDAP client library, which is a fair bit of code. What happens if your LDAP server is down or unavailable? Will you fail-open or fail-closed? If you fail-open, then a DoS against your LDAP server could be expanded to an attack against your clients; if you fail-closed, then an attack against your LDAP server is a very effective DoS against all your clients. If your LDAP server is not on the same machine as your ssh client, then you are also trusting any networks between the two. LDAP over SSL/TLS might mitigate this.

-d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer

From djm at mindrot.org Wed Mar 7 10:50:09 2001 From: djm at mindrot.org (Damien Miller) Date: Wed, 7 Mar 2001 10:50:09 +1100 (EST) Subject: Problem compiling openssh on Solaris 2.6 with AFS-krb4 (fwd) Message-ID: -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer ---------- Forwarded message ---------- Date: Tue, 6 Mar 2001 22:28:52 +0100 (MET)
From: Martin MOKREJŠ To: openssh at openssh.com Subject: Re: Problem compiling openssh on Solaris 2.6 with AFS-krb4 (fwd)

Hello, people even using openssh-2.5.1p2 ask me for this patch, is it possible to implement some part of it into the main source tree?

Date: Tue, 06 Mar 2001 12:53:55 -0800 From: Heide Li To: mmokrejs at natur.cuni.cz Subject: openssh on Solaris 2.6 with AFS-krb4

Hello, I saw your post on openssh-unix-dev regarding compilation problems w/ openssh. Did you ever find a solution? I'm getting the same errors (conflicts with typedefs in ktypes.h and then the probs w/ send_afs_tokens). Any tips would be much appreciated. I'm using: openssh-2.5.1p2 openssl-0.9.6 krb4-1.0.6 Solaris 2.6

-- Martin Mokrejs - PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs Faculty of Science, The Charles University ---------- Forwarded message ---------- Date: 08 Feb 2001 09:22:04 +0100
From: Jan IVEN To: Martin MOKREJŠ Cc: openssh at openssh.com Subject: Re: Problem compiling openssh on Solaris 2.6 with AFS-krb4

>>>>> "MM" == Martin MOKREJŠ writes:

MM> Hello,
MM> I'm trying to compile openssh-2.3.0p1 against KTH-KRB
MM> dist. (ftp.pdc.kth.se/pub/krb/src) of kerberosIV and AFS 3.6. However, I
MM> get two errors:
MM> 1. redefinition of types, conflicting with krb.h (which #includes
MM> ktypes.h) - removing temporarily the u_int code from ktypes.h helped
MM> 2. send_afs_tokens() - in the sshconnect1.c show both problems, although
MM> the redefinition problems occurred at the early beginning of compilation.
MM> Are there any patches available?
MM> TIA

See below.

MM> $ uname -a
MM> SunOS pf-i400 5.6 Generic_105181-23 sun4u sparc
MM> $ gcc -v
MM> Reading specs from /usr/local/lib/gcc-lib/sparc-sun-solaris2.6/2.8.1/specs
MM> gcc version 2.8.1
MM> $
MM> /usr/local/bin/gcc -I/usr/athena/include -L/usr/athena/lib
MM> -I/usr/local/include -L/usr/local/lib -I/software/@sys/usr/local/include
MM> -L/software/@sys/usr/local/lib -Wall -I. -I. -I/usr/local/include
MM> -I/software/@sys/usr/local/include -I/usr/athena/include
MM> -I/usr/afsws/include
MM> -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -DHAVE_CONFIG_H
MM> -c sshconnect1.c -o sshconnect1.o
MM> In file included from /usr/athena/include/krb.h:17,
MM> from ssh.h:523,
MM> from sshconnect1.c:25:
MM> /usr/athena/include/ktypes.h:14: redefinition of `u_int8_t'
MM> defines.h:142: `u_int8_t' previously declared here
MM> /usr/athena/include/ktypes.h:15: redefinition of `u_int16_t'
MM> defines.h:143: `u_int16_t' previously declared here
MM> /usr/athena/include/ktypes.h:16: redefinition of `u_int32_t'
MM> defines.h:144: `u_int32_t' previously declared here

--- openssh-SNAP-20001016.orig/defines.h Fri Sep 29 14:01:36 2000 +++ openssh-SNAP-20001016.patched/defines.h Thu Oct 19 11:17:57 2000
@@ -160,6 +160,7 @@ # error "32 bit int type not found." # endif # endif +#define __BIT_TYPES_DEFINED__ #endif /* 64-bit types */ MM> sshconnect1.c: In function `send_afs_tokens': MM> sshconnect1.c:543: warning: implicit declaration of function `_IOW' MM> sshconnect1.c:543: parse error before `struct' MM> make: *** [sshconnect1.o] Error 1 --- kafs.h~ Tue Dec 12 15:53:47 2000 +++ kafs.h Fri Dec 15 12:22:05 2000 @@ -36,6 +36,9 @@ #ifndef __KAFS_H #define __KAFS_H +/* need _IOW on Solaris , 15.12.00 JI */ +#include + /* XXX must include krb5.h or krb.h */ /* sys/ioctl.h must be included manually before kafs.h */ Best regards Jan From wendyp at cray.com Wed Mar 7 11:05:48 2001 From: wendyp at cray.com (Wendy Palm) Date: Tue, 06 Mar 2001 18:05:48 -0600 Subject: protocol default Message-ID: <3AA57B5C.7B94E097@cray.com> we are encouraging the use of protocol 2 over protocol 1, correct? but ssh's default is that protocol 1 is tried first, then protocol 2. this can be overridden in the ssh_config file and by command line options, of course, but shouldn't we set the default to be what we want users to use? thanks, wendy -- wendy palm Cray OS Sustaining Engineering, Cray Inc. wendyp at cray.com, 651-605-9154 From Higdon.David at cnf.com Wed Mar 7 11:09:49 2001 From: Higdon.David at cnf.com (Higdon, David M - CNF) Date: Tue, 6 Mar 2001 16:09:49 -0800 Subject: protocol 2 performance gain? Message-ID: <7B73D5F649D0D311B1E30008C7A4D92A07D5FED6@cnfqs029.cnf.com> has anyone noticed a performance gain with protocol 2? -David Higdon From johnh at aproposretail.com Wed Mar 7 11:13:48 2001 
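Review bot: the `+#define __BIT_TYPES_DEFINED__` added in the defines.h hunk has no comment and no guard. It helps only because ktypes.h skips its own u_int8_t/u_int16_t/u_int32_t typedefs when that macro is set, which is what the redefinition errors in the quoted build log turn on, so say that in a comment beside the define (the kafs.h hunk at least dates and explains its change), and wrap it in `#ifndef __BIT_TYPES_DEFINED__` ... `#endif` so it cannot collide with a platform header that already defines the same name with a different body. The placement just before `#endif /* 64-bit types */`, inside the region where defines.h supplies its own 32-bit typedefs, keeps the effect to the platforms that need it; keep it there rather than at file scope.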
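Review bot: the `+#include` line in the kafs.h hunk names no header as posted, so the hunk cannot be applied or checked as it stands; the comment above it (`need _IOW on Solaris`) makes the intent clear, but the directive must carry the file name. The unchanged context two lines further down still reads `sys/ioctl.h must be included manually before kafs.h`; if the header now pulls in what it needs itself, update or drop that comment in the same change so callers are not told to do something the header already does.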
From: johnh at aproposretail.com (John Hardin)
Date: Tue, 06 Mar 2001 16:13:48 -0800
Subject: protocol default
References: <3AA57B5C.7B94E097@cray.com>
Message-ID: <3AA57D3C.FA574CF0@aproposretail.com>

Wendy Palm wrote:
>
> we are encouraging the use of protocol 2 over protocol 1, correct?
>
> but ssh's default is that protocol 1 is tried first, then protocol 2.
> this can be overridden in the ssh_config file and by command line options,
> of course, but shouldn't we set the default to be what we want users to use?

Seconded.

I hacked the ssh_config for this before building our RPMs - it should be
the default.

--
John Hardin
Internal Systems Administrator
Apropos Retail Management Systems, Inc. - (425) 672-1304

From mouring at etoh.eviladmin.org Wed Mar 7 11:17:04 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Tue, 6 Mar 2001 18:17:04 -0600 (CST)
Subject: protocol 2 performance gain?
In-Reply-To: <7B73D5F649D0D311B1E30008C7A4D92A07D5FED6@cnfqs029.cnf.com>
Message-ID:

On Tue, 6 Mar 2001, Higdon, David M - CNF wrote:

> has anyone noticed a performance gain with protocol 2?
>

I assume you're referring to the current snapshot.

ChangeLog:
[..]
 - deraadt at cvs.openbsd.org 2001/03/05 15:56:16
     [myproposal.h ssh.1]
     switch to aes128-cbc/hmac-md5 by default in SSH2 -- faster; provos & markus ok
[..]
 - markus at cvs.openbsd.org 2001/03/05 17:17:21
     [kex.c kex.h sshconnect2.c sshd.c]
     generate a 2*need size (~300 instead of 1024/2048) random private
     exponent during the DH key agreement. according to Niels (the great
     german advisor) this is safe since /etc/primes contains strong primes
     only. References:
       P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement
       with short exponents, In Advances in Cryptology - EUROCRYPT'96,
       LNCS 1070, Springer-Verlag, 1996, pp.332-343.

- Ben

From mouring at etoh.eviladmin.org Wed Mar 7 11:20:13 2001
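The short-exponent change in the markus ChangeLog entry quoted above, worked through as an added example written for this page (not OpenSSH's dh.c): the private exponent gets 2*need bits, where need is the key material the negotiated cipher/MAC will draw from the shared secret, and the peer's public value is checked for range and subgroup membership, which is the property the "strong primes only" argument rests on. Assumptions: the group is the fixed 1024-bit MODP prime of RFC 2409 group 2 (the one behind diffie-hellman-group1-sha1) rather than one read from /etc/primes, and the cipher/MAC size table below is constructed for the example.

```python
"""Short private exponents in the SSH2 DH key agreement (added example)."""
import secrets

# 1024-bit MODP prime, RFC 2409 group 2 (diffie-hellman-group1-sha1); generator 2.
P_HEX = ("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
         "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
         "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
         "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF")
P = int(P_HEX, 16)
G = 2
Q = (P - 1) // 2   # p is a safe prime, so g = 2 generates the subgroup of prime order q

# Constructed size table: (key bytes, block bytes) per cipher, MAC key bytes per MAC.
CIPHERS = {"aes128-cbc": (16, 16), "3des-cbc": (24, 8), "blowfish-cbc": (16, 8)}
MACS = {"hmac-md5": 16, "hmac-sha1": 20}


def key_material_need(cipher, mac):
    """Bytes of secret-derived material the session needs: the largest of
    cipher key, cipher block (IV) and MAC key, as a stand-in for kex.c's need."""
    key_len, block_len = CIPHERS[cipher]
    return max(key_len, block_len, MACS[mac])


def exponent_bits(need_bytes):
    """2*need as in the ChangeLog: twice the security level, in bits.  With the
    default aes128-cbc/hmac-md5 this is 256 bits instead of a full 1024."""
    bits = 2 * need_bytes * 8
    if bits >= P.bit_length():
        raise ValueError("exponent would not be shorter than the group order")
    return bits


def gen_private(bits):
    """Random exponent of exactly `bits` bits with more than one bit set, so it
    is neither tiny nor a bare power of two (the kind of check dh_gen_key loops on)."""
    while True:
        x = secrets.randbits(bits) | (1 << (bits - 1))
        if bin(x).count("1") > 1:
            return x


def pub_is_valid(pub):
    """Receiver-side validation of the peer's value: reject 1, p-1 and anything
    outside the order-q subgroup (small-subgroup / trivial-secret defence)."""
    return 1 < pub < P - 1 and pow(pub, Q, P) == 1


def dh_exchange(cipher, mac):
    """Both sides of the agreement for the given cipher/MAC; returns
    (exponent bits used, shared secret)."""
    bits = exponent_bits(key_material_need(cipher, mac))
    x, y = gen_private(bits), gen_private(bits)        # client, server exponents
    e, f = pow(G, x, P), pow(G, y, P)                  # exchanged public values
    if not (pub_is_valid(e) and pub_is_valid(f)):
        raise ValueError("invalid DH public value")
    k_client, k_server = pow(f, x, P), pow(e, y, P)
    if k_client != k_server:
        raise AssertionError("shared secrets differ")
    return bits, k_client


if __name__ == "__main__":
    for c, m in (("aes128-cbc", "hmac-md5"), ("3des-cbc", "hmac-sha1")):
        bits, k = dh_exchange(c, m)
        print(f"{c}/{m}: {bits}-bit exponent, {k.bit_length()}-bit shared secret")
```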
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Tue, 6 Mar 2001 18:20:13 -0600 (CST)
Subject: protocol default
In-Reply-To: <3AA57D3C.FA574CF0@aproposretail.com>
Message-ID:

On Tue, 6 Mar 2001, John Hardin wrote:

> Wendy Palm wrote:
> >
> > we are encouraging the use of protocol 2 over protocol 1, correct?
> >
> > but ssh's default is that protocol 1 is tried first, then protocol 2.
> > this can be overridden in the ssh_config file and by command line options,
> > of course, but shouldn't we set the default to be what we want users to use?
>
> Seconded.
>
> I hacked the ssh_config for this before building our RPMs - it should be
> the default.
>

Hmmm... I'd rather see rekey support before we push to have protocol 2 as
the default protocol.

- Ben

From mstone at cs.loyola.edu Wed Mar 7 11:22:07 2001
From: mstone at cs.loyola.edu (Michael Stone)
Date: Tue, 6 Mar 2001 19:22:07 -0500
Subject: utmpx/wtmpx problems with 2.5.1p2 on irix...
In-Reply-To: <3AA54DCD.5E8ACCA7@daac.gsfc.nasa.gov>; from ktaylor@eosdata.gsfc.nasa.gov on Tue, Mar 06, 2001 at 03:51:25PM -0500
References: <3AA54DCD.5E8ACCA7@daac.gsfc.nasa.gov>
Message-ID: <20010306192207.Y1211@justice.loyola.edu>

On Tue, Mar 06, 2001 at 03:51:25PM -0500, Kevin Taylor wrote:
> I installed 2.5.1p2 on an irix system and noticed that if a user logged

What version of irix?

--
Mike Stone

From wendyp at cray.com Wed Mar 7 11:27:05 2001
From: wendyp at cray.com (Wendy Palm)
Date: Tue, 06 Mar 2001 18:27:05 -0600
Subject: utmpx/wtmpx problems with 2.5.1p2 on irix...
References: <3AA54DCD.5E8ACCA7@daac.gsfc.nasa.gov> <20010306192207.Y1211@justice.loyola.edu>
Message-ID: <3AA58059.F7347DB7@cray.com>

i have it happening on irix 6.5

kumo 60% uname -a
IRIX kumo 6.5 07112053 IP22

Michael Stone wrote:
>
> On Tue, Mar 06, 2001 at 03:51:25PM -0500, Kevin Taylor wrote:
> > I installed 2.5.1p2 on an irix system and noticed that if a user logged
>
> What version of irix?
>
> --
> Mike Stone

--
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154

From Markus.Friedl at informatik.uni-erlangen.de Wed Mar 7 11:28:03 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 7 Mar 2001 01:28:03 +0100
Subject: openSSH: configure ciphers.
In-Reply-To: ; from sunil@redback.com on Tue, Mar 06, 2001 at 03:10:54PM -0800
References:
Message-ID: <20010307012803.A12017@faui02.informatik.uni-erlangen.de>

> Does OpenSSH use RC4 or Arcfour ?

what is the difference? :)

From Higdon.David at cnf.com Wed Mar 7 11:39:41 2001
From: Higdon.David at cnf.com (Higdon, David M - CNF)
Date: Tue, 6 Mar 2001 16:39:41 -0800
Subject: protocol 2 performance gain?
Message-ID: <7B73D5F649D0D311B1E30008C7A4D92A07D5FED7@cnfqs029.cnf.com>

I was not really referring to anything but I noticed what appeared to be
a gain so I thought I would ask the group.

-David

-----Original Message-----
From: mouring at etoh.eviladmin.org [mailto:mouring at etoh.eviladmin.org]
Sent: Tuesday, March 06, 2001 4:17 PM
To: Higdon, David M - CNF
Cc: openssh-unix-dev at mindrot.org
Subject: Re: protocol 2 performance gain?

On Tue, 6 Mar 2001, Higdon, David M - CNF wrote:

> has anyone noticed a performance gain with protocol 2?
>

I assume you're referring to the current snapshot.

ChangeLog:
[..]
 - deraadt at cvs.openbsd.org 2001/03/05 15:56:16
     [myproposal.h ssh.1]
     switch to aes128-cbc/hmac-md5 by default in SSH2 -- faster; provos & markus ok
[..]
 - markus at cvs.openbsd.org 2001/03/05 17:17:21
     [kex.c kex.h sshconnect2.c sshd.c]
     generate a 2*need size (~300 instead of 1024/2048) random private
     exponent during the DH key agreement. according to Niels (the great
     german advisor) this is safe since /etc/primes contains strong primes
     only. References:
       P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement
       with short exponents, In Advances in Cryptology - EUROCRYPT'96,
       LNCS 1070, Springer-Verlag, 1996, pp.332-343.

- Ben

From slade at shore.net Wed Mar 7 17:36:51 2001
From: slade at shore.net (Richard E. Silverman) Date: Wed, 7 Mar 2001 01:36:51 -0500 Subject: patch to select pkalg Message-ID: <200103070636.BAA21136@syrinx.oankali.net> Suppose an SSH server has both RSA and DSA host keys for protocol 2, but I only have the DSA key, and I want to use that. I'm stuck; the OpenSSH client is hard-wired to offer both algorithms in the key exchange, and will select ssh-rsa if it's available (see myproposal.h, KEX_DEFAULT_PK_ALG). Below is a patch adding the client configuration option "PKAlgorithms" for this purpose. It doesn't validate the supplied list; I'm not sure if that's really necessary or desirable. This situation raises a couple of questions. The first is about the protocol, which forces the client to commit to a choice of host key algorithm before it sees the keys, and hence before it can determine whether that choice has any chance of succeeding -- and if it fails, the whole connection fails. I wonder if there's a better way of doing this? The second is about implementation -- given the protocol as it is now, would it be a good idea to automatically retry connections that fail because of an unverifiable host key, using the next available host key algorithm? -- Richard Silverman slade at shore.net ================================================================================ *** ../../openssh-2.5.1p2/readconf.c Wed Feb 14 22:02:00 2001 --- readconf.c Wed Mar 7 00:59:44 2001 *************** *** 109,115 **** oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, ! oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias } OpCodes; /* Textual representations of the tokens. */ --- 109,116 ---- oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, ! 
oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, ! oPKAlgorithms } OpCodes; /* Textual representations of the tokens. */ *************** *** 171,176 **** --- 172,178 ---- { "keepalive", oKeepAlives }, { "numberofpasswordprompts", oNumberOfPasswordPrompts }, { "loglevel", oLogLevel }, + { "pkalgorithms", oPKAlgorithms }, { NULL, 0 } }; *************** *** 516,521 **** --- 518,532 ---- options->macs = xstrdup(arg); break; + case oPKAlgorithms: + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", filename, linenum); + /* XXX validate pkalg list? */ + if (*activep && options->pkalgorithms == NULL) + options->pkalgorithms = xstrdup(arg); + break; + case oProtocol: intptr = &options->protocol; arg = strdelim(&s); *************** *** 708,713 **** --- 719,725 ---- options->cipher = -1; options->ciphers = NULL; options->macs = NULL; + options->pkalgorithms = NULL; options->protocol = SSH_PROTO_UNKNOWN; options->num_identity_files = 0; options->hostname = NULL; *************** *** 797,802 **** --- 809,815 ---- options->cipher = SSH_CIPHER_NOT_SET; /* options->ciphers, default set in myproposals.h */ /* options->macs, default set in myproposals.h */ + /* options->pkalgorithms, default set in myproposals.h */ if (options->protocol == SSH_PROTO_UNKNOWN) options->protocol = SSH_PROTO_1|SSH_PROTO_2|SSH_PROTO_1_PREFERRED; if (options->num_identity_files == 0) { *** ../../openssh-2.5.1p2/readconf.h Wed Feb 14 22:02:00 2001 --- readconf.h Tue Mar 6 23:58:08 2001 *************** *** 69,74 **** --- 69,75 ---- int cipher; /* Cipher to use. */ char *ciphers; /* SSH2 ciphers in order of preference. */ char *macs; /* SSH2 macs in order of preference. */ + char *pkalgorithms; /* SSH2 server key types in order of preference. */ int protocol; /* Protocol in order of preference. */ char *hostname; /* Real host to connect. 
*/ char *host_key_alias; /* hostname alias for .ssh/known_hosts */ *** ../../openssh-2.5.1p2/sshconnect2.c Thu Feb 15 20:34:57 2001 --- sshconnect2.c Wed Mar 7 00:06:05 2001 *************** *** 94,99 **** --- 94,102 ---- myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; } + if (options.pkalgorithms != NULL) { + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = options.pkalgorithms; + } /* buffers with raw kexinit messages */ server_kexinit = xmalloc(sizeof(*server_kexinit)); ================================================================================ From ShesMax at ru.hilti.com Wed Mar 7 18:38:45 2001 
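Review bot: in the `case oPKAlgorithms:` hunk the `/* XXX validate pkalg list? */` question should be answered with yes. The string is handed straight to `myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]` in the sshconnect2.c hunk, so a misspelt name (say `ssh-dsa`) is only discovered when the key exchange fails with no common algorithm, far from the config line that caused it; reject unknown names at parse time with a `fatal("%.200s line %d: Bad SSH2 host key algorithm spec.", filename, linenum)`, the same way the hunk already handles a missing argument.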
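Review bot: the keyword-table hunk adds `{ "pkalgorithms", oPKAlgorithms }` but no hunk touches ssh_config.5 or the `-o` option list in ssh.1, so the new option is undocumented. Add a man page entry that states the default (the KEX_DEFAULT_PK_ALG list the cover note refers to), that the value is a comma-separated list in order of preference, and that the connection fails outright when the chosen algorithm's key cannot be verified, which is the behaviour the cover note explains.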
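Review bot: the readconf.h hunk's comment `/* SSH2 server key types in order of preference. */` uses a different term from the option it documents; the cover note and the keyword call these host key algorithms, and the neighbouring `ciphers`/`macs` comments follow that pattern, so `/* SSH2 host key algorithms in order of preference. */` keeps the header consistent. The `fill_default_options` hunk also copies the `myproposals.h` spelling of the adjacent comments although the file is `myproposal.h`, as the cover note itself says; worth fixing in the new line rather than propagating it.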
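The negotiation problem Richard describes, as an added simulation written for this page (not OpenSSH code and not the patch above): the client commits to an ordered host-key algorithm list in its proposal, the first entry the server can serve wins, and only then does the client learn which key it must verify against known_hosts. It also implements his retry suggestion with the caveat a retry needs (only an absent entry may trigger it, never a mismatching one), and goes one step beyond the thread with a reordering approach that needs no extra round trip. Assumptions: KEX_DEFAULT_PK_ALG is taken to read "ssh-rsa,ssh-dss", and the key blobs are constructed placeholders.

```python
"""Host-key algorithm choice in the SSH2 key exchange (added example)."""

DEFAULT_PK_ALGS = "ssh-rsa,ssh-dss"   # assumed value of KEX_DEFAULT_PK_ALG


class HostKeyUnknown(Exception):
    """No known_hosts entry for this host under the negotiated algorithm."""


class HostKeyChanged(Exception):
    """An entry exists but does not match: key rollover or an active attack."""


def negotiate(client_algs, server_keys):
    """Pick the first client-listed algorithm the server holds a key for
    (server_keys maps algorithm name -> key blob)."""
    for alg in client_algs:
        if alg in server_keys:
            return alg
    raise ValueError("no common host key algorithm")


def connect_once(client_algs, server_keys, known_hosts):
    """One key exchange.  The algorithm is fixed before any key is seen;
    known_hosts maps algorithm -> the blob the client trusts for this host."""
    alg = negotiate(client_algs, server_keys)
    known = known_hosts.get(alg)
    if known is None:
        raise HostKeyUnknown(alg)
    if known != server_keys[alg]:
        raise HostKeyChanged(alg)
    return alg


def connect_with_retry(pk_list, server_keys, known_hosts):
    """Richard's second question, implemented: on an unknown host key, run a
    fresh exchange without that algorithm.  A key that differs from the stored
    one is a security event and is never papered over by switching algorithms.
    Returns (verified algorithm, algorithms given up on)."""
    remaining = pk_list.split(",")
    tried = []
    while remaining:
        try:
            return connect_once(remaining, server_keys, known_hosts), tried
        except HostKeyUnknown as exc:
            tried.append(str(exc))
            remaining = [a for a in remaining if a != str(exc)]
    raise HostKeyUnknown(",".join(tried))


def prefer_known(pk_list, known_hosts):
    """Round-trip-free alternative: offer algorithms we already hold a trusted
    key for first, then the rest in their original order."""
    algs = pk_list.split(",")
    return ",".join(sorted(algs, key=lambda a: a not in known_hosts))


def outcome(client_algs, server_keys, known_hosts):
    """Classify a single attempt for callers that want a value, not an exception."""
    try:
        return ("ok", connect_once(client_algs, server_keys, known_hosts))
    except HostKeyUnknown as exc:
        return ("unknown", str(exc))
    except HostKeyChanged as exc:
        return ("changed", str(exc))


# Constructed data: server has both key types, client trusts only the DSA one.
SERVER = {"ssh-rsa": "rsa-blob-constructed", "ssh-dss": "dss-blob-constructed"}
KNOWN = {"ssh-dss": "dss-blob-constructed"}

if __name__ == "__main__":
    print(outcome(DEFAULT_PK_ALGS.split(","), SERVER, KNOWN))   # default list: fails
    print(outcome(["ssh-dss"], SERVER, KNOWN))                   # what PKAlgorithms gives
    print(connect_with_retry(DEFAULT_PK_ALGS, SERVER, KNOWN))
    print(prefer_known(DEFAULT_PK_ALGS, KNOWN))
```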
From: ShesMax at ru.hilti.com (Shesterikov Maxim (sm))
Date: Wed, 7 Mar 2001 10:38:45 +0300
Subject: Porting OpenSSH's authentication to PNIAM
Message-ID:

We ported OpenSSH's authentication to Pluggable Non-Interactive
Authentication Modules (PNIAM).

PNIAM is a development effort carried out under GPL in Moscow State
University. Pluggable Non Interactive Authentication Modules provide
applications with a generic interface to authentication related functions.
Actions to be done for each authentication request are specified by a
system administrator in terms of dynamically loaded modules.

PNIAM design incorporates the best ideas of the PAM (Pluggable
Authentication Modules) project. The main difference between PAM and PNIAM
is the target. The main target of PNIAM is a clear and reliable
authentication scheme for Internet servers. Internet protocols usually
specify a fixed set of requests and replies between the server and the
client. It makes interactive authentication hardly possible. PNIAM deals
with a set of requests and replies rather than interacting with the user.
That's why the words ``Non Interactive'' are in the name. Requests and
replies are exchanged using lists of named items.

PNIAM runs on Linux, but it has a generic architecture that allows it to be
ported to other systems, too. AAA modules are system-specific or generic.
We provide a variety of authentication, authorization, and accounting
modules.

Authentication:        Using /etc/passwd, /etc/shadow; plain password,
                       challenge - response, OTP using separate user
                       database;
Authorization:         Dealing with /etc/passwd, setting chroots, providing
                       access according to time/terminal name/host name;
Accounting:            Dealing with lastlog and utmp;
Authentication token
validation:            Simple checks, cracklib;
Miscellaneous:         pniam_rootok, pniam_count, pniam_nologin, pniam_allow
                       and pniam_deny.
We also incorporated PNIAM support in quite a few, but important,
applications:
- login
- passwd
- su
- chfn
- vlock
- FTP
- RADIUS
- OpenSSH

We consider OpenSSH a crucial component of PNIAM-aware infrastructure. We
ported all authentication schemes supported in OpenSSH 2.3.1p1: SSH1, SSH2
including keyboard-interactive (although discussion with Martin Forssen
showed that our implementation is somewhat incorrect). OpenSSH's port is
used on an experimental cluster system at MSU. It appears to be stable and
reliable.

From a technical point of view most of the changes are stored in separate
files. They also contain modified versions of auth_: functions. Configure.in
script is amended in a way that it links PNIAM-aware files instead of
conventional ones if either -with-pniam is specified or pniam.h is found.

There are also quite a few places where we ifdef-ed our changes into the
main code trunk:
- OpenSSH requires a user to be present in /etc/passwd. This is not true
  in PNIAM, because an authentication stack is the only decider about
  authentication success / failures.
- This principle also eliminates the need for sshd_config's configuration
  parameters dealing with authentication. As a consequence the server
  advertises itself as supporting all known authentication schemes. The
  server does not disclose information about valid authentication methods.
- All user credentials are retrieved from the PNIAM authorization stack
  instead of from /etc/passwd
- Accounting is done through PNIAM's accounting stack, not by the server
  itself.

We believe that PNIAM provides the Internet community with a clear and
reliable AAA architecture. Thus, it contributes benefits for all
authentication-requiring applications. From our point of view there are
mutual gains for PNIAM and OpenSSH, too. We would like to know whether it is
possible to incorporate our changes in the OpenSSH code trunk.
PNIAM home page is at http://www.msu.ru/pniam.html
OpenSSH port is at http://libraftp.narod.ru/pniam.html

Alexey Galatenko
Maxim Shesterikov
Andrey Savochkin

From mats at mindbright.se Wed Mar 7 19:06:55 2001
From: mats at mindbright.se (Mats Andersson)
Date: Wed, 7 Mar 2001 09:06:55 +0100 (MET)
Subject: Sftp client improvements
In-Reply-To:
Message-ID:

On Wed, 7 Mar 2001, Damien Miller wrote:

> It is a neat trick, but IMO anything that extends the life of the FTP
> protocol is bad mojo :)

Try telling that to WinDOS people having become fond of their integrated
totally fancy heavily desktop-integrated ftp-client without giving them an
alternative :-). I'm not protecting ftp here, but given our client is
written in java we can't easily compete feature-wise with any "real"
ftp-client anyway so this was the best thing I could come up with :-).

Cheers,
/Mats

From ckthin at csam.com.my Wed Mar 7 19:26:50 2001
From: ckthin at csam.com.my (Thin Chin Kung)
Date: Wed, 07 Mar 2001 16:26:50 +0800
Subject: Problem after upgraded to OpenSSH 2.5.1p2
Message-ID: <3AA5F0CA.95544336@csam.com.my>

Hi,

I'm running OpenSSH2.3.0 on Redhat 6.2 previously. After upgrading to
OpenSSH2.5.1p2, I was unable to connect to external host via ssh. I got
the following error message " xfree: NULL pointer given as argument".
I try to regenerate the host key, but every time I run keygen, I got a
core dump.
Any idea what went wrong?

Rgds.
ckthin

From djm at mindrot.org Wed Mar 7 19:34:40 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 7 Mar 2001 19:34:40 +1100 (EST)
Subject: Problem after upgraded to OpenSSH 2.5.1p2
In-Reply-To: <3AA5F0CA.95544336@csam.com.my>
Message-ID:

On Wed, 7 Mar 2001, Thin Chin Kung wrote:

> Hi,
>
> I'm running OpenSSH2.3.0 on Redhat 6.2 previously. After upgrading to
> OpenSSH2.5.1p2, I was unable to connect to external host via ssh. I got
> the following error message " xfree: NULL pointer given as argument".
> I try to regenerate the host key, but every time I run keygen, I got a
> core dump.
> Any idea what went wrong?

You are using the wrong OpenSSL version. You need openssl-0.9.5a-2.6.x
from Redhat errata.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From ckthin at csam.com.my Wed Mar 7 19:44:13 2001
From: ckthin at csam.com.my (Thin Chin Kung)
Date: Wed, 07 Mar 2001 16:44:13 +0800
Subject: Problem after upgraded to OpenSSH 2.5.1p2
References:
Message-ID: <3AA5F4DD.E824CB9D@csam.com.my>

I'm using openssl-0.9.5a-3, is it ok?

Damien Miller wrote:
> On Wed, 7 Mar 2001, Thin Chin Kung wrote:
>
> > Hi,
> >
> > I'm running OpenSSH2.3.0 on Redhat 6.2 previously. After upgrading to
> > OpenSSH2.5.1p2, I was unable to connect to external host via ssh. I got
> > the following error message " xfree: NULL pointer given as argument".
> > I try to regenerate the host key, but every time I run keygen, I got a
> > core dump.
> > Any idea what went wrong?
>
> You are using the wrong OpenSSL version. You need openssl-0.9.5a-2.6.x
> from Redhat errata.
>
> -d
>
> --
> | Damien Miller \ ``E-mail attachments are the poor man's
> | http://www.mindrot.org / distributed filesystem'' - Dan Geer

From djm at mindrot.org Wed Mar 7 19:45:19 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 7 Mar 2001 19:45:19 +1100 (EST)
Subject: Problem after upgraded to OpenSSH 2.5.1p2
In-Reply-To: <3AA5F4DD.E824CB9D@csam.com.my>
Message-ID:

On Wed, 7 Mar 2001, Thin Chin Kung wrote:

> I'm using openssl-0.9.5a-3, is it ok?

Unfortunately no - even differences in compilation options can affect
the binary compatibility of openssl.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From Nigel.Metheringham at InTechnology.co.uk Wed Mar 7 21:04:13 2001
From: Nigel.Metheringham at InTechnology.co.uk (Nigel Metheringham)
Date: Wed, 07 Mar 2001 10:04:13 +0000
Subject: Problem after upgraded to OpenSSH 2.5.1p2
In-Reply-To: Message from Damien Miller of "Wed, 07 Mar 2001 19:45:19 +1100."
Message-ID:

djm at mindrot.org said:
> Unfortunately no - even differences in compilation options can affect
> the binary compatibility of openssl.

This is a complete pig - only way round it at present is to build your
own packages with their own version extension and nail the openssh
dependencies to it...

This isn't really an openssh problem, but is there some way forward
that could make the openssl library less fragile?

Nigel.
--
[ Nigel Metheringham           Nigel.Metheringham at InTechnology.co.uk ]
[ Phone: +44 1423 850000                         Fax +44 1423 858866 ]
[ - Comments in this message are my own and not ITO opinion/policy - ]

From vinschen at redhat.com Wed Mar 7 21:15:07 2001
From: vinschen at redhat.com (Corinna Vinschen) Date: Wed, 7 Mar 2001 11:15:07 +0100 Subject: [PATCH]: contrib/cygwin/ssh-host-config Message-ID: <20010307111507.E21275@cygbert.vinschen.de> Hi, below is a patch to contrib/cygwin/ssh-host-config and the corresponding README in the same dir. It adds a `--port' option to the config script to allow setting another port than 22 for sshd. Additionally the script used to add `sshd 22/tcp' to the services file while the IANA proposes `ssh 22/tcp' and `ssh 22/udp' as services entries. The new version removes old `sshd' entries from services and inetd.conf and substitutes them with `ssh' entries. The patch file is relative to the contrib/cygwin dir: Index: README =================================================================== RCS file: /cvs/openssh_cvs/contrib/cygwin/README,v retrieving revision 1.2 diff -u -p -r1.2 README --- README 2001/01/19 05:37:32 1.2 +++ README 2001/03/07 10:13:00 @@ -15,12 +15,8 @@ filesystem (which is recommended) due to features of the FAT/FAT32 filesystems. =========================================================================== -Since this package is part of the base distribution now, the location -of the files has changed from /usr/local to /usr. The global configuration -files are in /etc now. - -If you are installing OpenSSH the first time, you can generate -global config files and server keys by running +If you are installing OpenSSH the first time, you can generate global config +files and server keys by running /usr/bin/ssh-host-config 
@@ -39,6 +35,7 @@ Options: --debug -d Enable shell's debug output. --yes -y Answer all questions with "yes" automatically. --no -n Answer all questions with "no" automatically. + --port -p sshd listens on port n. You can create the private and public keys for a user now by running Index: ssh-host-config =================================================================== RCS file: /cvs/openssh_cvs/contrib/cygwin/ssh-host-config,v retrieving revision 1.1 diff -u -p -r1.1 ssh-host-config --- ssh-host-config 2001/01/19 05:37:32 1.1 +++ ssh-host-config 2001/03/07 10:13:04 @@ -16,6 +16,7 @@ OLDSYSCONFDIR=${OLDPREFIX}/etc progname=$0 auto_answer="" +port_number=22 request() { @@ -67,6 +68,11 @@ do auto_answer=no ;; + -p | --port ) + port_number=$1 + shift + ;; + *) echo "usage: ${progname} [OPTION]..." echo @@ -76,6 +82,7 @@ do echo " --debug -d Enable shell's debug output." echo " --yes -y Answer all questions with \"yes\" automatically." echo " --no -n Answer all questions with \"no\" automatically." + echo " --port -p sshd listens on port n." echo exit 1 ;; @@ -254,6 +261,11 @@ Host * IdentityFile ~/.ssh/id_rsa IdentityFile ~/.ssh/id_dsa EOF + if [ "$port_number" != "22" ] + then + echo "Host localhost" >> ${SYSCONFDIR}/ssh_config + echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config + fi fi # Check if sshd_config exists. If yes, ask for overwriting @@ -278,7 +290,7 @@ then cat > ${SYSCONFDIR}/sshd_config << EOF # This is ssh server systemwide configuration file. -Port 22 +Port $port_number # Protocol 2,1 ListenAddress 0.0.0.0 @@ -330,7 +342,7 @@ UseLogin no EOF fi -# Add port 22/tcp to services +# Care for services file _sys="`uname -a`" _nt=`expr "$_sys" : "CYGWIN_NT"` if [ $_nt -gt 0 ] 
@@ -344,33 +356,86 @@ fi _services=`cygpath -u "${_wservices}"` _serv_tmp=`cygpath -u "${_wserv_tmp}"` -mount -b -f "${_wservices}" "${_services}" -mount -b -f "${_wserv_tmp}" "${_serv_tmp}" +mount -t -f "${_wservices}" "${_services}" +mount -t -f "${_wserv_tmp}" "${_serv_tmp}" + +# Remove sshd 22/port from services +if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] +then + grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" + if [ -f "${_serv_tmp}" ] + then + if mv "${_serv_tmp}" "${_services}" + then + echo "Removing sshd from ${_services}" + else + echo "Removing sshd from ${_services} failed\!" + fi + rm -f "${_serv_tmp}" + else + echo "Removing sshd from ${_services} failed\!" + fi +fi -if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] +# Add ssh 22/tcp and ssh 22/udp to services +if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] then - awk '{ if ( $2 ~ /^23\/tcp/ ) print "sshd 22/tcp #SSH daemon\r"; print $0; }' < "${_services}" > "${_serv_tmp}" + awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" if [ -f "${_serv_tmp}" ] then if mv "${_serv_tmp}" "${_services}" then - echo "Added sshd to ${_services}" + echo "Added ssh to ${_services}" else - echo "Adding sshd to ${_services} failed\!" + echo "Adding ssh to ${_services} failed\!" fi rm -f "${_serv_tmp}" else - echo "Adding sshd to ${_services} failed\!" + echo "Adding ssh to ${_services} failed\!" 
fi fi umount "${_services}" umount "${_serv_tmp}" -# Add sshd line to inetd.conf -if [ -f /etc/inetd.conf ] -then - grep -q "^[# \t]*sshd" /etc/inetd.conf || echo "# sshd stream tcp nowait root /usr/sbin/sshd -i" >> /etc/inetd.conf +# Care for inetd.conf file +_inetcnf="/etc/inetd.conf" +_inetcnf_tmp="/etc/inetd.conf.$$" + +if [ -f "${_inetcnf}" ] +then + # Check if ssh service is already in use as sshd + with_comment=1 + grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0 + # Remove sshd line from inetd.conf + if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] + then + grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" + if [ -f "${_inetcnf_tmp}" ] + then + if mv "${_inetcnf_tmp}" "${_inetcnf}" + then + echo "Removed sshd from ${_inetcnf}" + else + echo "Removing sshd from ${_inetcnf} failed\!" + fi + rm -f "${_inetcnf_tmp}" + else + echo "Removing sshd from ${_inetcnf} failed\!" + fi + fi + + # Add ssh line to inetd.conf + if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] + then + if [ "${with_comment}" -eq 0 ] + then + echo 'ssh stream tcp nowait root /usr/sbin/sshd -i' >> "${_inetcnf}" + else + echo '# ssh stream tcp nowait root /usr/sbin/sshd -i' >> "${_inetcnf}" + fi + echo "Added ssh to ${_inetcnf}" + fi fi if [ "${old_install}" = "1" ] Thanks, Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From ckthin at csam.com.my Wed Mar 7 21:35:30 2001 
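Review bot: the `-p | --port )` hunk takes `port_number=$1` and does `shift` without checking that an argument is present or numeric. `ssh-host-config --port` as the last word sets `port_number` to the empty string, the `shift` then fails, and the `+Port $port_number` line the later hunk writes into sshd_config comes out as a bare `Port`; guard it before use, for example `case "$1" in ''|*[!0-9]*) echo "usage: ${progname} [OPTION]..."; exit 1;; esac`.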
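Review bot: in the inetd.conf hunk, `grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"` appends, whereas the services hunk above writes its temp file with `>`. A leftover `/etc/inetd.conf.$$` from an interrupted earlier run would be carried into the new inetd.conf ahead of its real contents; use `>` here as well.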
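Review bot: the services hunk changes `mount -b -f` to `mount -t -f` and, in the same step, the awk line stops emitting `\r` after each inserted entry. The two changes belong together (text-mode mount supplies the line ending that was previously written by hand), but nothing in the hunk or the cover note says so; a comment on the mount lines would keep a future reader from "fixing" one without the other.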
From: ckthin at csam.com.my (Thin Chin Kung)
Date: Wed, 07 Mar 2001 18:35:30 +0800
Subject: Problem after upgraded to OpenSSH 2.5.1p2
References:
Message-ID: <3AA60EF2.2A42E73B@csam.com.my>

Thanks for the info. After re-installing openssl-0.9.5a-2.6x, ssh is now
working.

Damien Miller wrote:
> On Wed, 7 Mar 2001, Thin Chin Kung wrote:
>
> > I'm using openssl-0.9.5a-3, is it ok?
>
> Unfortunately no - even differences in compilation options can affect
> the binary compatibility of openssl.
>
> -d
>
> --
> | Damien Miller \ ``E-mail attachments are the poor man's
> | http://www.mindrot.org / distributed filesystem'' - Dan Geer

From djm at mindrot.org Wed Mar 7 21:35:48 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 7 Mar 2001 21:35:48 +1100 (EST)
Subject: Problem after upgraded to OpenSSH 2.5.1p2
In-Reply-To:
Message-ID:

On Wed, 7 Mar 2001, Nigel Metheringham wrote:

> This is a complete pig - only way round it at present is to build your
> own packages with their own version extension and nail the openssh
> dependencies to it...
>
> This isn't really an openssh problem, but is there some way forward
> that could make the openssl library less fragile?

I'll probably redo the Redhat 6.2 RPMs to either force the use of the
exact RPM release of OpenSSL or statically link them. RH7 doesn't suffer
as much because it has always had an official OpenSSL RPM.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From djm at mindrot.org Wed Mar 7 21:38:32 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 7 Mar 2001 21:38:32 +1100 (EST)
Subject: [PATCH]: contrib/cygwin/ssh-host-config
In-Reply-To: <20010307111507.E21275@cygbert.vinschen.de>
Message-ID:

On Wed, 7 Mar 2001, Corinna Vinschen wrote:

> Hi,
>
> below is a patch to contrib/cygwin/ssh-host-config and the corresponding
> README in the same dir. It adds a `--port' option to the config script
> to allow setting another port than 22 for sshd.
>
> Additionally the script used to add `sshd 22/tcp' to the services file
> while the IANA proposes `ssh 22/tcp' and `ssh 22/udp' as services entries.
> The new version removes old `sshd' entries from services and inetd.conf
> and substitutes them with `ssh' entries.

Applied - thanks.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From vinschen at redhat.com Wed Mar 7 22:34:55 2001
From: vinschen at redhat.com (Corinna Vinschen)
Date: Wed, 7 Mar 2001 12:34:55 +0100
Subject: [PATCH]: contrib/cygwin/ssh-host-config
In-Reply-To: ; from djm@mindrot.org on Wed, Mar 07, 2001 at 09:38:32PM +1100
References: <20010307111507.E21275@cygbert.vinschen.de>
Message-ID: <20010307123455.J21275@cygbert.vinschen.de>

On Wed, Mar 07, 2001 at 09:38:32PM +1100, Damien Miller wrote:
> On Wed, 7 Mar 2001, Corinna Vinschen wrote:
>
> > Hi,
> >
> > below is a patch to contrib/cygwin/ssh-host-config and the corresponding
> > README in the same dir. It adds a `--port' option to the config script
> > to allow setting another port than 22 for sshd.
> >
> > Additionally the script used to add `sshd 22/tcp' to the services file
> > while the IANA proposes `ssh 22/tcp' and `ssh 22/udp' as services entries.
> > The new version removes old `sshd' entries from services and inetd.conf
> > and substitutes them with `ssh' entries.
>
> Applied - thanks.

Thanks, too.

This might be OT but I have a question related to the "ssh 22/tcp"
entry in /etc/services. If somebody decides to change the local
sshd port to, say, 22022, would it make sense to change the
ssh-host-config script so that it generates a "ssh 22022/tcp" entry
instead of "ssh 22/tcp"?

I'm asking because I refused to patch my script to do so. My reasoning
was that the services file should always contain the IANA proposed
ports for well known services and that the locally defined port should
usually have another name, for example "local_ssh 22022/tcp" which
then should be used in /etc/inetd.conf.

Am I correct or is that too picky?

Corinna

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From djm at mindrot.org Wed Mar 7 22:45:39 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 7 Mar 2001 22:45:39 +1100 (EST)
Subject: [PATCH]: contrib/cygwin/ssh-host-config
In-Reply-To: <20010307123455.J21275@cygbert.vinschen.de>
Message-ID:

On Wed, 7 Mar 2001, Corinna Vinschen wrote:

> Thanks, too.
>
> This might be OT but I have a question related to the "ssh 22/tcp"
> entry in /etc/services. If somebody decides to change the local
> sshd port to, say, 22022, would it make sense to change the
> ssh-host-config script so that it generates a "ssh 22022/tcp" entry
> instead of "ssh 22/tcp"?
>
> I'm asking because I refused to patch my script to do so. My reasoning
> was that the services file should always contain the IANA proposed
> ports for well known services and that the locally defined port should
> usually have another name, for example "local_ssh 22022/tcp" which
> then should be used in /etc/inetd.conf.
>
> Am I correct or is that too picky?

I think that is correct. You don't need to modify /etc/services to
change ssh's port, so you shouldn't.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From gert at greenie.muc.de Thu Mar 8 00:19:53 2001
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 7 Mar 2001 14:19:53 +0100
Subject: [PATCH]: contrib/cygwin/ssh-host-config
In-Reply-To: <20010307111507.E21275@cygbert.vinschen.de>; from Corinna Vinschen on Wed, Mar 07, 2001 at 11:15:07AM +0100
References: <20010307111507.E21275@cygbert.vinschen.de>
Message-ID: <20010307141953.A9622@greenie.muc.de>

Hi,

On Wed, Mar 07, 2001 at 11:15:07AM +0100, Corinna Vinschen wrote:
> while the IANA proposes `ssh 22/tcp' and `ssh 22/udp' as services entries.

Which brings me to a thing that I have always wondered about. What is
"ssh 22/udp" good for? I see this for many standard TCP services in
recent /etc/services files, but it makes no sense. SSH is not UDP, and
will never be, so why make "22/udp" an official port number for it?

(This might not be the appropriate list, but maybe someone knows and can
enlighten me...)

gert

--
USENET is *not* the non-clickable part of WWW!
                                                     //www.muc.de/~gert/
Gert Doering - Munich, Germany                     gert at greenie.muc.de
fax: +49-89-35655025                  gert.doering at physik.tu-muenchen.de

From ktaylor at eosdata.gsfc.nasa.gov Thu Mar 8 00:40:51 2001
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor)
Date: Wed, 07 Mar 2001 08:40:51 -0500
Subject: suggestion: saving old binaries during installation
References: <2D00AD0E4D36D411BD300008C786E42401258464@Denntex021.qwest.net>
Message-ID: <3AA63A63.78DD27E5@daac.gsfc.nasa.gov>

"Smith, Donald" wrote:
>
> And that's exactly what a make install (IN THE SOURCE CODE DIR) will do.
>
> Donald.Smith at qwest.com IP Engineering Security
> 303-226-9939/0688 Office/Fax
> 720-320-1537 cell
>
>
> -----Original Message-----
> > From: Kevin Taylor [mailto:ktaylor at eosdata.gsfc.nasa.gov] > > Sent: Tuesday, March 06, 2001 12:37 PM > > To: openssh-unix-dev at mindrot.org > > Subject: suggestion: saving old binaries during installation > > > > > > > > Just as a suggestion, I liked the way the ssh.com's ssh would move the > > old binaries to filename.old then install the new ones....so that way > > you have an old copy to revert back to if needed (without copying them > > all by hand). > > but it doesn't. -- ---------------------------------------------------------. Kevin Taylor \ Systems Administrator - DAAC, Code 902, Bldg 32, Rm N126A / Science Systems and Applications, Inc. \ Goddard Space Flight Center / Greenbelt, MD 20771 \ / Phone: (301) 614-5505 \ e-mail: ktaylor at daac.gsfc.nasa.gov / ----------------------------------------------------------' From ktaylor at eosdata.gsfc.nasa.gov Thu Mar 8 00:41:58 2001 From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor) Date: Wed, 07 Mar 2001 08:41:58 -0500 Subject: utmpx/wtmpx problems with 2.5.1p2 on irix... References: <3AA54DCD.5E8ACCA7@daac.gsfc.nasa.gov> <20010306192207.Y1211@justice.loyola.edu> <3AA58059.F7347DB7@cray.com> Message-ID: <3AA63AA6.29092422@daac.gsfc.nasa.gov> yes, mine too. It was 6.5.3f to be exact. Wendy Palm wrote: > > i have it happening on irix 6.5 > kumo 60% uname -a > IRIX kumo 6.5 07112053 IP22 > > Michael Stone wrote: > > > > On Tue, Mar 06, 2001 at 03:51:25PM -0500, Kevin Taylor wrote: > > > I installed 2.5.1p2 on an irix system and noticed that if a user logged > > > > What version of irix? > > > > -- > > Mike Stone > > -- > wendy palm > Cray OS Sustaining Engineering, Cray Inc. > wendyp at cray.com, 651-605-9154 From RCDavis at intermedia.com Thu Mar 8 01:33:39 2001 
From: RCDavis at intermedia.com (Davis, Ricardo C.) Date: Wed, 7 Mar 2001 09:33:39 -0500 Subject: OpenSSH/scp ->> F-Secure SSH server Problems Message-ID: <77DA8BE17C46D2118B7A00805FA7D051047ADA81@TPAEXCH2> Thanks VERY much, Antti! We've been working on this problem since Friday with no success. I'll do some testing with the OpenSSH 'sftp' client in our scripts to see if I can make it work for our needs. -Ricardo -----Original Message----- From: Antti Akonniemi [mailto:Antti.Akonniemi at F-Secure.com] Sent: Wednesday, March 07, 2001 4:24 AM To: Davis, Ricardo C. Subject: Re: OpenSSH/scp ->> F-Secure SSH server Problems Ok here's what I found in testing: OpenSSH's scp seems not to be SSH2 compatible OpenSSH's sftp seems to work without any problems (use this) I'm still puzzled how the scp lets you authenticate yourself.. but the problem seems to be still on the openssh side. Hope this helped, Antti "Davis, Ricardo C." wrote: > > Hi, > > Is there some known problem between the 'scp' client in OpenSSH 2.5.1p1 and > F-Secure's SSH 2.4.0 server? The client is running on a Linux (2.2.17) box > and server is running on Win2K. When I try to transfer files it asks me for > the password (which I provide) then it hangs. Using 'scp -v' didn't provide > any helpful info; it's as though the problem happened before the > authentication completed. I've looked through both the openssh-unix-dev and > secure-shell list archives and I haven't seen any issue between the two. > > -Ricardo -- Antti Akonniemi tel: +358 9 2520 5205 Quality Engineer, CFSFE fax : +358 9 2520 5001 mobile: +358 40 505 1909 F-Secure Corporation http://www.F-Secure.com F-Secure: Securing the Mobile, Distributed Enterprise From mstone at cs.loyola.edu Thu Mar 8 01:41:26 2001 
From: mstone at cs.loyola.edu (Michael Stone) Date: Wed, 7 Mar 2001 09:41:26 -0500 Subject: utmpx/wtmpx problems with 2.5.1p2 on irix... In-Reply-To: <3AA58059.F7347DB7@cray.com>; from wendyp@cray.com on Tue, Mar 06, 2001 at 06:27:05PM -0600 References: <3AA54DCD.5E8ACCA7@daac.gsfc.nasa.gov> <20010306192207.Y1211@justice.loyola.edu> <3AA58059.F7347DB7@cray.com> Message-ID: <20010307094126.A1211@justice.loyola.edu> On Tue, Mar 06, 2001 at 06:27:05PM -0600, Wendy Palm wrote: > i have it happening on irix 6.5 > kumo 60% uname -a > IRIX kumo 6.5 07112053 IP22 Not having the maintenance release number doesn't help much. What's uname -R say? -- Mike Stone From ktaylor at eosdata.gsfc.nasa.gov Thu Mar 8 02:05:36 2001 From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor) Date: Wed, 7 Mar 2001 10:05:36 -0500 Subject: Compiling openssh-2.5.1p1 on IRIX in o32 mode Message-ID: I get this error: cc -o32 -g -I/usr/local/include -I/var/tmp/openssl-o32/include -I/var/tmp/openssl-o32/include -I. -I./openbsd-compat -I. -DETCDIR=\"/usr/local/ssh/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/ssh/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/ssh/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/ssh/libexec/sftp-server\" -DHAVE_CONFIG_H -c rijndael.c cfe: Error: rijndael.c, line 272: redeclaration of 'rijndael_set_key'; previous declaration at line 31 in file './rijndael.h' rijndael_set_key(rijndael_ctx *ctx, const u4byte *in_key, const u4byte key_len, ^ cfe: Error: rijndael.c, line 272: Incompatible type for the function parameter rijndael_set_key(rijndael_ctx *ctx, const u4byte *in_key, const u4byte key_len, -----------------------------------------------------------------------^ *** Error code 1 (bu21) From RCDavis at intermedia.com Thu Mar 8 02:57:13 2001 
From: RCDavis at intermedia.com (Davis, Ricardo C.) Date: Wed, 7 Mar 2001 10:57:13 -0500 Subject: OpenSSH/scp ->> F-Secure SSH server Problems Message-ID: <77DA8BE17C46D2118B7A00805FA7D051047ADA84@TPAEXCH2> Thanks for your reply, Ben. If I'm reading your response correctly, 'scp' actually uses the SSH1 protocol to transfer files. My assumption was that 'scp', by using the 'ssh' client, would operate based on the settings in the /etc/ssh/ssh_config file. In this file, among the site-wide default settings, I have "Protocol 2", that is, the 'ssh' client would always use the SSH2 protocol unless I specify SSH1 at the command line. I guess I was wrong here. However, reading the 'man' pages for 'scp' and 'ssh' would lead to the conclusion that it is possible. To satisfy my curiosity, I tried using the scp '-o' option to pass the '-2' option to 'ssh' -- which forces 'ssh' to use SSH2. The result: $ scp -o -2 fci07230.998 ricardo at 205.215.35.38: command-line: line 0: Bad configuration option: -2 lost connection I guess this means that scp will not allow the use of '-2' for the transfer, correct? Perhaps the 'scp' man page needs to explicitly state the limitation that it can only use SSH1. I was unaware that there was a different implementation of secure copy that allowed the use of SSH2 (that is, scp2). -Ricardo -----Original Message----- 
From: mouring at etoh.eviladmin.org [mailto:mouring at etoh.eviladmin.org] Sent: Wednesday, March 07, 2001 10:20 AM To: Davis, Ricardo C. Cc: 'Antti Akonniemi' Subject: RE: OpenSSH/scp ->> F-Secure SSH server Problems OpenSSH will allow for authentication because scp2, like scp and sftp, uses the 'ssh' program to create the secure connection. This allows scp2, scp, and sftp to be non-setuid-root binaries. There is talk about implementing scp2 for OpenSSH, but I think that features first need to be added to sftp before we write an scp2 wrapper around sftp. Hopefully in the near future we will have scp2 support. We just acquired sftp client support within the last month. - Ben On Wed, 7 Mar 2001, Davis, Ricardo C. wrote: > Thanks VERY much, Antti! We've been working on this problem since Friday > with no success. I'll do some testing with the OpenSSH 'sftp' client in our > scripts to see if I can make it work for our needs. > > > -Ricardo > > -----Original Message----- 
> From: Antti Akonniemi [mailto:Antti.Akonniemi at F-Secure.com] > Sent: Wednesday, March 07, 2001 4:24 AM > To: Davis, Ricardo C. > Subject: Re: OpenSSH/scp ->> F-Secure SSH server Problems > > > Ok here's what I found in testing: > > OpenSSH's scp seems not to be SSH2 compatible > OpenSSH's sftp seems to work without any problems (use this) > > I'm still puzzled how the scp lets you authenticate yourself.. but the > problem seems to be still on the openssh side. > > Hope this helped, > > Antti > > "Davis, Ricardo C." wrote: > > > > Hi, > > > > Is there some known problem between the 'scp' client in OpenSSH 2.5.1p1 and > > F-Secure's SSH 2.4.0 server? The client is running on a Linux (2.2.17) > box > > and server is running on Win2K. When I try to transfer files it asks me > for > > the password (which I provide) then it hangs. Using 'scp -v' didn't > provide > > any helpful info; it's as though the problem happened before the > > authentication completed. I've looked through both the openssh-unix-dev > and > > secure-shell list archives and I haven't seen any issue between the two. > > > > -Ricardo > > From mouring at etoh.eviladmin.org Thu Mar 8 03:20:30 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 7 Mar 2001 10:20:30 -0600 (CST) Subject: OpenSSH/scp ->> F-Secure SSH server Problems In-Reply-To: <77DA8BE17C46D2118B7A00805FA7D051047ADA84@TPAEXCH2> Message-ID: On Wed, 7 Mar 2001, Davis, Ricardo C. wrote: > Thanks for your reply, Ben. > > If I'm reading your response correctly, 'scp' actually uses the SSH1 protocol to > transfer files. My assumption was that 'scp', by using the 'ssh' client, > would operate based on the settings in the /etc/ssh/ssh_config file. In > this file, among the site-wide default settings, I have "Protocol 2", that is, > the 'ssh' client would always use the SSH2 protocol unless I specify SSH1 > at the command line. I guess I was wrong here. However, reading > the 'man' pages for 'scp' and 'ssh' would lead to the conclusion that it is > possible. To satisfy my curiosity, I tried using the scp '-o' option to > pass the '-2' option to 'ssh' -- which forces 'ssh' to use SSH2. The > result: > scp can use protocol 1 or protocol 2 as its transport. Both of these work well: scp '-o Protocol 2' file karla: scp '-o Protocol 1' file karla: However, when Tatu's company put out the SSH 2.x program they decided to drop the rcp concept and implement scp on top of sftp. Since F-Secure used SSH Corp's code (IIRC), they have the same limitation. =-) I refuse to make comments on the illogicness of this. But 'scp' (OpenSSH and ssh-1.2.x) is not the same transfer protocol as 'scp2' (SSH-2.x, F-Secure, etc). So OpenSSH supports the former, but not the latter at this moment. However, sftp (as of the latest snapshot, or soon) supports -b batchmode which allows the following: sftp -b batchfile user at site or echo "put file /tmp/path/" | sftp user at site Granted it's not as nice as "scp2 file user at site:", but it works all the same. If anyone wishes to provide patches to create scp2 using our existing sftp code, feel free. 
I personally am waiting for a bit more sftp functionality before doing it (recursive get/put at least need to go in before scp2 would be useful). I think someone could write a rough scp2 patch in a day or two. Damien has done a nice job at splitting common code into their own .c files. My current project is libedit + sftp (history, tab completion framework, etc). The framework is done, but I have some cleanup before I present it to the OpenBSD group. - Ben From johnh at aproposretail.com Thu Mar 8 03:25:10 2001 From: johnh at aproposretail.com (John Hardin) Date: Wed, 07 Mar 2001 08:25:10 -0800 Subject: [PATCH]: contrib/cygwin/ssh-host-config References: <20010307111507.E21275@cygbert.vinschen.de> Message-ID: <3AA660E6.AF9B9DBE@aproposretail.com> Corinna Vinschen wrote: > > Additionally the script used to add `sshd 22/tcp' to the services file > while the IANA proposes `ssh 22/tcp' and `ssh 22/udp' as services entries. Just FYI, 22/udp collides with PC Anywhere. -- John Hardin Internal Systems Administrator Apropos Retail Management Systems, Inc. - (425) 672-1304 From wendyp at cray.com Thu Mar 8 05:27:00 2001 From: wendyp at cray.com (Wendy Palm) Date: Wed, 07 Mar 2001 12:27:00 -0600 Subject: utmpx/wtmpx problems with 2.5.1p2 on irix... References: <3AA54DCD.5E8ACCA7@daac.gsfc.nasa.gov> <20010306192207.Y1211@justice.loyola.edu> <3AA58059.F7347DB7@cray.com> <20010307094126.A1211@justice.loyola.edu> Message-ID: <3AA67D74.58ECCAD7@cray.com> Michael Stone wrote: > > On Tue, Mar 06, 2001 at 06:27:05PM -0600, Wendy Palm wrote: > > i have it happening on irix 6.5 > > kumo 60% uname -a > > IRIX kumo 6.5 07112053 IP22 > > Not having the maintenance release number doesn't help much. What's > uname -R say? > > -- > Mike Stone 6.5 6.5.9m -- wendy palm Cray OS Sustaining Engineering, Cray Inc. wendyp at cray.com, 651-605-9154 From vinschen at redhat.com Thu Mar 8 05:30:50 2001 
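Ben's message above points out that sftp -b batch mode works today but that recursive get/put is still missing. The following is an added example, not OpenSSH code: it walks a local directory tree and writes the mkdir/put commands that emulate a recursive put, for use with "sftp -b batchfile user@host". It assumes the OpenSSH sftp batch commands "mkdir" and "put", and the "-" command prefix (from later OpenSSH sftp versions) that keeps a failing command, here an mkdir of a directory that already exists, from aborting the batch. Because batch mode never prompts, the transfer needs key or agent authentication. The sample tree is constructed inside the example.

```python
"""Generate an sftp(1) batch file that emulates a recursive put.

Added example, not OpenSSH code.  Assumes the batch commands 'mkdir' and
'put' and the later-OpenSSH '-' prefix that makes a failing command
non-fatal.  Names the whitespace-delimited batch syntax cannot carry are
refused rather than guessed at, since quoting rules differ by version.
"""
import os
import posixpath
import re
import tempfile

# Whitespace and quote characters: refused, not escaped.
UNSAFE = re.compile(r'[\s"\'\\]')


def batch_lines(local_root, remote_root):
    """Yield sftp batch commands that recreate local_root under remote_root.

    os.walk is depth-first and the name lists are sorted in place, so a
    directory's -mkdir always precedes the puts into it and the output is
    reproducible run to run.
    """
    local_root = os.path.abspath(local_root)
    if not os.path.isdir(local_root):
        raise ValueError("%s is not a directory" % local_root)
    if UNSAFE.search(local_root) or UNSAFE.search(remote_root):
        raise ValueError("unsafe characters in a root path")
    for dirpath, dirnames, filenames in os.walk(local_root):
        dirnames.sort()
        filenames.sort()
        for name in dirnames + filenames:
            if UNSAFE.search(name):
                raise ValueError("refusing to encode name %r" % name)
        rel = os.path.relpath(dirpath, local_root)
        if rel == ".":
            remote_dir = remote_root
        else:
            remote_dir = posixpath.join(remote_root, rel.replace(os.sep, "/"))
            # '-' prefix (assumed, later OpenSSH): an existing directory must
            # not abort the rest of the batch.
            yield "-mkdir %s" % remote_dir
        for name in filenames:
            yield "put %s %s" % (os.path.join(dirpath, name),
                                 posixpath.join(remote_dir, name))


def write_batch(local_root, remote_root, batch_path):
    """Write the batch file; then run: sftp -b batch_path user@host"""
    lines = list(batch_lines(local_root, remote_root))
    with open(batch_path, "w") as f:
        for line in lines:
            f.write(line + "\n")
    return lines


def demo():
    """Constructed sample: a two-level tree, plus a tree with an unsafe name."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "sub"))
    for rel in ("top.txt", os.path.join("sub", "inner.txt")):
        with open(os.path.join(root, rel), "w") as f:
            f.write("sample\n")
    batch_path = os.path.join(tempfile.mkdtemp(), "batch.sftp")
    lines = write_batch(root, "/srv/upload", batch_path)

    bad = tempfile.mkdtemp()
    with open(os.path.join(bad, "has space.txt"), "w") as f:
        f.write("sample\n")
    try:
        list(batch_lines(bad, "/srv/upload"))
        rejected = False
    except ValueError:
        rejected = True
    return {"root": root, "lines": lines, "rejected_unsafe": rejected}
```

The generated file is plain text, so it is worth reading before handing it to sftp: every local path it names is read by your client and every remote path is created on the server, which is exactly why the generator refuses names it cannot encode unambiguously.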
From: vinschen at redhat.com (Corinna Vinschen) Date: Wed, 7 Mar 2001 19:30:50 +0100 Subject: [PATCH]: contrib/cygwin/ssh-host-config In-Reply-To: <3AA660E6.AF9B9DBE@aproposretail.com>; from johnh@aproposretail.com on Wed, Mar 07, 2001 at 08:25:10AM -0800 References: <20010307111507.E21275@cygbert.vinschen.de> <3AA660E6.AF9B9DBE@aproposretail.com> Message-ID: <20010307193050.V21275@cygbert.vinschen.de> On Wed, Mar 07, 2001 at 08:25:10AM -0800, John Hardin wrote: > Corinna Vinschen wrote: > > > > Additionally the script used to add `sshd 22/tcp' to the services file > > while the IANA proposes `ssh 22/tcp' and `ssh 22/udp' as services entries. > > Just FYI, 22/udp collides with PC Anywhere. They are using a well known port without keeping IANA informed? Anyway, the "ssh 22/udp" port entry is noted in http://www.isi.edu/in-notes/iana/assignments/port-numbers and it's no problem to add two or more entries for one port number. Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From mstone at cs.loyola.edu Thu Mar 8 05:33:17 2001 
From: mstone at cs.loyola.edu (Michael Stone) Date: Wed, 7 Mar 2001 13:33:17 -0500 Subject: utmpx/wtmpx problems with 2.5.1p2 on irix... In-Reply-To: <3AA67D74.58ECCAD7@cray.com>; from wendyp@cray.com on Wed, Mar 07, 2001 at 12:27:00PM -0600 References: <3AA54DCD.5E8ACCA7@daac.gsfc.nasa.gov> <20010306192207.Y1211@justice.loyola.edu> <3AA58059.F7347DB7@cray.com> <20010307094126.A1211@justice.loyola.edu> <3AA67D74.58ECCAD7@cray.com> Message-ID: <20010307133317.C1211@justice.loyola.edu> On Wed, Mar 07, 2001 at 12:27:00PM -0600, Wendy Palm wrote: > 6.5 6.5.9m I talked to Kevin Taylor about the problem he was seeing, and I think this is a transition pain related to the patch removing the special case for sgi in loginrec.c. You may see these artifacts when moving to 2.5.1p2 from an earlier version of openssh. chkutent may clean them up, and a reboot should definitely eliminate them. -- Mike Stone From olemx at ans.pl Thu Mar 8 05:44:05 2001 From: olemx at ans.pl (Krzysztof Oledzki) Date: Wed, 7 Mar 2001 19:44:05 +0100 (CET) Subject: Strange problem with OpenSSH_2.5.1p1 Message-ID: Hello :) I have just installed OpenSSH_2.5.1p1 on one of my machines and I have one strange problem during connections from at least ssh-1.2.x clients. When I'm connected and only receiving data (for example looking into logs with tail -f, watching my talk session, or something similar) after some time (and some received data) the session hangs until I send any data (by pressing any key - like backspace, space, etc). My configuration: Linux Slackware 7.1 glibc-2.1.3 OpenSSH_2.5.1p1: UseLogin on --without-pam --with-md5-passwords --with-tcp-wrappers SSL - 0.9.6 Any ideas? Best regards, Krzysztof Oledzki From ktaylor at eosdata.gsfc.nasa.gov Thu Mar 8 05:52:42 2001 
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor) Date: Wed, 7 Mar 2001 13:52:42 -0500 Subject: F-secure v1 client has trouble connecting to openssh-2.5.1p1 Message-ID: I'm observing that mac clients using F-Secure ssh v1 client log into the ssh server, and then the client just hangs with nothing on the screen. In the SYSLOG file, I see this: Accepted password for user from host port whatever Packet integrity error (62 != 58) at session.c:350 Disconnecting: Packet integrity error. (34) This is sshd running on IRIX 6.5.3f From ktaylor at eosdata.gsfc.nasa.gov Thu Mar 8 06:18:02 2001 From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor) Date: Wed, 7 Mar 2001 14:18:02 -0500 Subject: F-secure v1 client has trouble connecting to openssh-2.5.1p1 In-Reply-To: Message-ID: I determined that this is only happening when X11 forwarding is turned on for the client. When turning X forwarding off the problem goes away. ....but X forwarding is needed. On Wed, 7 Mar 2001, it was written: > > I'm observing that mac clients using F-Secure ssh v1 client log into the > ssh server, and then the client just hangs with nothing on the screen. > > In the SYSLOG file, I see this: > > Accepted password for user from host port whatever > > Packet integrity error (62 != 58) at session.c:350 > Disconnecting: Packet integrity error. (34) > > This is sshd running on IRIX 6.5.3f > > > From johnh at aproposretail.com Thu Mar 8 06:29:21 2001 
From: johnh at aproposretail.com (John Hardin) Date: Wed, 07 Mar 2001 11:29:21 -0800 Subject: [PATCH]: contrib/cygwin/ssh-host-config References: <20010307111507.E21275@cygbert.vinschen.de> <3AA660E6.AF9B9DBE@aproposretail.com> <20010307193050.V21275@cygbert.vinschen.de> Message-ID: <3AA68C11.1A9A3698@aproposretail.com> Corinna Vinschen wrote: > > On Wed, Mar 07, 2001 at 08:25:10AM -0800, John Hardin wrote: > > Corinna Vinschen wrote: > > > > > > Additionally the script used to add `sshd 22/tcp' to the services file > > > while the IANA proposes `ssh 22/tcp' and `ssh 22/udp' as services entries. > > > > Just FYI, 22/udp collides with PC Anywhere. > > They are using a well known port without keeping IANA informed? It seems they've stopped doing this with newer versions, but there's likely to be a lot of the older versions around for a while yet... http://service1.symantec.com/SUPPORT/pca.nsf/docid/1998122810210812 -- John Hardin Internal Systems Administrator Apropos Retail Management Systems, Inc. - (425) 672-1304 From sunil at redback.com Thu Mar 8 06:41:40 2001 
From: sunil at redback.com (Sunil K. Vallamkonda) Date: Wed, 7 Mar 2001 11:41:40 -0800 (PST) Subject: password authentication secure ? Message-ID: My question is regarding the possibility of someone wiretapping the communication and repeating the action. What if an intruder notices that there's a secure session starting (by guessing at the dst IP address and unintelligible payload) and then starts capturing all the packets on this session for the purpose of repeating the whole session again? The secure user could add/delete interfaces and stuff, therefore just by repeating this operation the intruder could generate a big problem on the network. This could be prevented only by having a timestamp. Question: 1) Is there any timestamp mechanism in ssh? 2) Is the user's public key (RSA/DSA) method more secure than password based authentication (even though the channel itself is encrypted) ? Thank you, Sunil. From mdb at juniper.net Thu Mar 8 06:44:35 2001 From: mdb at juniper.net (Mark D. Baushke) Date: Wed, 07 Mar 2001 11:44:35 -0800 Subject: F-secure v1 client has trouble connecting to openssh-2.5.1p1 In-Reply-To: Mail from Kevin Taylor dated Wed, 07 Mar 2001 13:52:42 EST Message-ID: <200103071944.LAA53385@garnet.juniper.net> Hi Kevin, I believe this problem is worked around in the OpenSSH-2.5.1p2 release (version 1.57 of session.c). You should try to upgrade your server and see if that helps to fix your problem. The bug is actually in your F-Secure ssh v1 client (see attached message). Enjoy! -- Mark >Date: Wed, 7 Mar 2001 14:18:02 -0500 >From: Kevin Taylor > >I determined that this is only happening when X11 forwarding is turned on >for the client. When turning X forwarding off the problem goes away. > >....but X forwarding is needed. > Date: Wed, 7 Mar 2001 13:52:42 -0500 
> From: Kevin Taylor > > I'm observing that mac clients using F-Secure ssh v1 client log into the > ssh server, and then the client just hangs with nothing on the screen. > > In the SYSLOG file, I see this: > > Accepted password for user from host port whatever > > Packet integrity error (62 != 58) at session.c:350 > Disconnecting: Packet integrity error. (34) > > This is sshd running on IRIX 6.5.3f ------- Forwarded Message Date: Wed, 21 Feb 2001 19:00:39 -0500 Message-Id: <200102220000.TAA09881 at syrinx.oankali.net> From: "Richard E. Silverman" To: OpenSSH Developers Subject: Re: Packet integrity error. (34) markus> it seems that SecureCRT sends a display 'screen' number in the x11 markus> request packet, but did not set the matching protocol flag in an markus> earlier message. this worked before because OpenSSH-2.3.0p1 was buggy markus> and ignored the protocol flag.... I actually noticed this also a day or so ago, and was about to post about it here when I checked and saw this thread. This is a problem with the F-Secure client as well as SecureCRT. Both programs do not set the SSH_PROTOFLAG_SCREEN_NUMBER protocol flag in SSH-1 sessions, even though they do in fact include the X11 screen number field in SSH_CMSG_X11_REQUEST_FORWARDING packets. This was not a problem -- until Markus added code to session.c in 2.5 to check actual vs expected packet lengths on these requests. Now, SSH-1 connections with X forwarding from these clients fail immediately with the message, "packet integrity error." I've submitted bug reports to both companies. A small note: I think it would be good to change the error message -- "packet integrity error" sounds like the crc-32 integrity check failed, which isn't what happened. Perhaps instead, "expected packet length did not match actual." -- Richard ------- End of Forwarded Message From mouring at etoh.eviladmin.org Thu Mar 8 06:49:04 2001 
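The length check Richard describes in the forwarded message, as an added example that is not OpenSSH's session.c: the body of SSH_CMSG_X11_REQUEST_FORWARDING is two length-prefixed strings (authentication protocol, authentication data) followed by a uint32 screen number only when the client set SSH_PROTOFLAG_SCREEN_NUMBER earlier in the session. A client that appends the screen number without having set the flag produces a body 4 bytes longer than the server expects, which the server can only report as a length mismatch. The sample packets are constructed here; with the usual 32-hex-character MIT-MAGIC-COOKIE-1 cookie the two forms come to 58 and 62 bytes, the same figures as in Kevin's syslog line. The flag value and the wording of the error follow the thread (Richard's suggested message); everything else is this example's own.

```python
"""SSH-1 SSH_CMSG_X11_REQUEST_FORWARDING length check (added example).

Not OpenSSH code.  Models why a client that sends the uint32 screen number
without setting SSH_PROTOFLAG_SCREEN_NUMBER is rejected: the fields the
server expects, given the flags, do not account for the whole packet.
"""
import struct

SSH_PROTOFLAG_SCREEN_NUMBER = 1   # SSH-1 protocol flag bit (ssh1.h)


class PacketLengthError(Exception):
    """Raised when the parsed fields do not consume exactly the packet."""


def put_string(data):
    """SSH-1 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def get_string(buf, off):
    """Read an SSH-1 string at offset; return (value, new offset)."""
    if off + 4 > len(buf):
        raise PacketLengthError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise PacketLengthError("truncated string body")
    return buf[off:off + n], off + n


def build_x11_request(auth_proto, auth_data, screen=None):
    """Client side: body of SSH_CMSG_X11_REQUEST_FORWARDING.

    A conforming client appends the screen number only when it also set
    SSH_PROTOFLAG_SCREEN_NUMBER; the clients in the thread append it
    unconditionally, which is the bug being modelled.
    """
    body = put_string(auth_proto) + put_string(auth_data)
    if screen is not None:
        body += struct.pack(">I", screen)
    return body


def parse_x11_request(body, protocol_flags):
    """Server side: parse the request and check the length as sshd does.

    Returns (auth_proto, auth_data, screen).  Raises PacketLengthError when
    the fields implied by protocol_flags do not consume exactly the body.
    """
    auth_proto, off = get_string(body, 0)
    auth_data, off = get_string(body, off)
    if protocol_flags & SSH_PROTOFLAG_SCREEN_NUMBER:
        if off + 4 > len(body):
            raise PacketLengthError("flag set but screen number missing")
        (screen,) = struct.unpack_from(">I", body, off)
        off += 4
    else:
        screen = 0
    if off != len(body):
        raise PacketLengthError(
            "expected packet length did not match actual (%d != %d)"
            % (len(body), off))
    return auth_proto, auth_data, screen


def demo():
    """Constructed sample: MIT-MAGIC-COOKIE-1 with a 32-hex-char cookie."""
    proto = b"MIT-MAGIC-COOKIE-1"
    cookie = b"0123456789abcdef0123456789abcdef"
    plain = build_x11_request(proto, cookie)                # 58 bytes
    with_screen = build_x11_request(proto, cookie, screen=1)  # 62 bytes
    results = {}
    results["conforming"] = parse_x11_request(plain, 0)[2]
    results["flag_and_screen"] = parse_x11_request(
        with_screen, SSH_PROTOFLAG_SCREEN_NUMBER)[2]
    try:
        parse_x11_request(with_screen, 0)   # screen sent, flag never set
        results["screen_without_flag"] = "accepted"
    except PacketLengthError as e:
        results["screen_without_flag"] = str(e)
    return results
```

The point for a server implementer is that the trailing 4 bytes are not detectably a screen number; without the flag they are simply unexplained bytes, and the strict parser is right to refuse them rather than guess, which is why the fix in 2.5.1p2 is a deliberate compatibility workaround rather than a relaxed check.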
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 7 Mar 2001 13:49:04 -0600 (CST) Subject: F-secure v1 client has trouble connecting to openssh-2.5.1p1 In-Reply-To: Message-ID: Can you please try 2.5.1p2? There were issues with X11 forwarding in p1 that should have been resolved. On Wed, 7 Mar 2001, Kevin Taylor wrote: > > I determined that this is only happening when X11 forwarding is turned on > for the client. When turning X forwarding off the problem goes away. > > ....but X forwarding is needed. > > > On Wed, 7 Mar 2001, it was written: > > > > > I'm observing that mac clients using F-Secure ssh v1 client log into the > > ssh server, and then the client just hangs with nothing on the screen. > > > > In the SYSLOG file, I see this: > > > > Accepted password for user from host port whatever > > > > Packet integrity error (62 != 58) at session.c:350 > > Disconnecting: Packet integrity error. (34) > > > > This is sshd running on IRIX 6.5.3f > > > > > > > > From ktaylor at eosdata.gsfc.nasa.gov Thu Mar 8 06:56:47 2001 
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor) Date: Wed, 7 Mar 2001 14:56:47 -0500 Subject: F-secure v1 client has trouble connecting to openssh-2.5.1p1 In-Reply-To: Message-ID: Thanks. It worked. I didn't see the messages about that one from the earlier posts. On Wed, 7 Mar 2001 mouring at etoh.eviladmin.org wrote: > > > Can you please try 2.5.1p2? There was issues with X11 forwarding in p1 > that should have been resolved. > > On Wed, 7 Mar 2001, Kevin Taylor wrote: > > > > > I determined that this is only happening when X11 forwarding is turned on > > for the client. When turning X forwarding off the problem goes away. > > > > ....but X forwarding is needed. > > > > > > On Wed, 7 Mar 2001, it was written: > > > > > > > > I'm observing that mac clients using F-Secure ssh v1 client log into the > > > ssh server, and then the client just hangs with nothing on the screen. > > > > > > In the SYSLOG file, I see this: > > > > > > Accepted password for user from host port whatever > > > > > > Packet integrity error (62 != 58) at session.c:350 > > > Disconnecting: Packet integrity error. (34) > > > > > > This is sshd running on IRIX 6.5.3f > > > > > > > > > > > > > > > From ktaylor at eosdata.gsfc.nasa.gov Thu Mar 8 07:30:29 2001 From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor) Date: Wed, 07 Mar 2001 15:30:29 -0500 Subject: openssh logging of remote commands in syslog Message-ID: <3AA69A65.A30EE6A@daac.gsfc.nasa.gov> Another wonderful email from me. :) The ssh.com version of ssh will log information on the remotely executed command in the syslog: Mar 7 15:29:20 6D:marx sshd[21346]: log: executing remote command as root: ls It seems that openssh doesn't do that by default. If you put the server in debug mode you'll see the command, but a lot of extra stuff that you don't want to see. Feature suggestion...? From olemx at ans.pl Thu Mar 8 07:52:26 2001 
From: olemx at ans.pl (Krzysztof Oledzki) Date: Wed, 7 Mar 2001 21:52:26 +0100 (CET) Subject: openssh logging of remote commands in syslog In-Reply-To: <3AA69A65.A30EE6A@daac.gsfc.nasa.gov> Message-ID: On Wed, 7 Mar 2001, Kevin Taylor wrote: > > Another wonderful email from me. :) > > The ssh.com version of ssh will log information on the remotely executed > command in the syslog: > > Mar 7 15:29:20 6D:marx sshd[21346]: log: executing remote command as > root: ls > > It seems that openssh doesn't do that by default. If you put the server > in debug mode you'll see the command, but a lot of extra stuff that you > don't want to see. > > Feature suggestion...? Some days ago I created a small patch for openssh. It is possible that you don't need all my changes, but there is the one you want, so you can use only a part of this patch :) http://www.ans.pl/Unix/ole-openssh-2.5.1p1.patch.gz Best regards, Krzysztof Oledzki From jmknoble at jmknoble.cx Thu Mar 8 08:23:48 2001 
From: jmknoble at jmknoble.cx (Jim Knoble) Date: Wed, 7 Mar 2001 16:23:48 -0500 Subject: suggestion: saving old binaries during installation In-Reply-To: <3AA53C52.473EAF3B@daac.gsfc.nasa.gov>; from ktaylor@eosdata.gsfc.nasa.gov on Tue, Mar 06, 2001 at 02:36:50PM -0500 References: <3AA53C52.473EAF3B@daac.gsfc.nasa.gov> Message-ID: <20010307162348.D7127@quipu.half.pint-stowp.cx> Circa 2001-Mar-06 14:36:50 -0500 dixit Kevin Taylor: : Just as a suggestion, I liked the way the ssh.com's ssh would move : the old binaries to filename.old then install the new ones....so : that way you have an old copy to revert back to if needed (without : copying them all by hand). I would recommend instead installing the "new" binaries to a different spot and using something like epkg to symlink the binaries into the usual spot: ./configure --prefix=/usr/local/encap/openssh-2.5.1p2 [...] See the epkg website for further info. -- jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/ From djm at mindrot.org Thu Mar 8 08:34:45 2001 From: djm at mindrot.org (Damien Miller) Date: Thu, 8 Mar 2001 08:34:45 +1100 (EST) Subject: Strange problem with OpenSSH_2.5.1p1 In-Reply-To: Message-ID: On Wed, 7 Mar 2001, Krzysztof Oledzki wrote: > Hello :) > > I have just installed OpenSSH_2.5.1p1 on one of my machines and I have one > strange problem during connections from at least ssh-1.2.x clients. > > When I'm connected and only receiving data (for example looking into logs > with tail -f, watching my talk session, or something similar) after some > time (and some received data) the session hangs until I send any data (by > pressing any key - like backspace, space, etc). Is there a firewall, NAT device or masquerading router between you and the machine that you are connecting to? -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From djm at mindrot.org Thu Mar 8 08:36:58 2001 
From: djm at mindrot.org (Damien Miller) Date: Thu, 8 Mar 2001 08:36:58 +1100 (EST) Subject: password authentication secure ? In-Reply-To: Message-ID: On Wed, 7 Mar 2001, Sunil K. Vallamkonda wrote: > > My question is regarding the possibility of someone wiretapping the > communication and repeating the action. What if an intruder notices > that there's a secure session starting (by guessing at the dst IP > address and unintelligible payload) and then starts capturing all > the packets on this session for the purpose of repeating the whole > session again? The secure user could add/delete interfaces and > stuff, therefore just by repeating this operation the intruder could > generate a big problem on the network. > > This could be prevented only by having a timestamp. You don't need a timestamp, just random numbers. > Question: > > 1) Is there any timestamp mechanism in ssh? No. > 2) Is the user's public key (RSA/DSA) method more secure than password > based authentication (even though the channel itself is encrypted) ? From a protocol perspective, yes. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From markus.friedl at informatik.uni-erlangen.de Thu Mar 8 06:38:29 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Wed, 7 Mar 2001 20:38:29 +0100 Subject: protocol 2 performance gain? In-Reply-To: <7B73D5F649D0D311B1E30008C7A4D92A07D5FED7@cnfqs029.cnf.com>; from Higdon.David@cnf.com on Tue, Mar 06, 2001 at 04:39:41PM -0800 References: <7B73D5F649D0D311B1E30008C7A4D92A07D5FED7@cnfqs029.cnf.com> Message-ID: <20010307203829.B16434@folly> On Tue, Mar 06, 2001 at 04:39:41PM -0800, Higdon, David M - CNF wrote: > I was not really referring to anything but I noticed what > appeared to be a gain [...] what config/version did you try? From markus.friedl at informatik.uni-erlangen.de Thu Mar 8 05:31:50 2001 
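Damien's answer to Sunil above ("you don't need a timestamp, just random numbers") is worth seeing in code. The following is an added example, not OpenSSH code and not the SSH protocol itself: a stripped-down model in which each side contributes a fresh random nonce and a fresh Diffie-Hellman exponent to the key exchange, and every packet carries a MAC over its sequence number. A recorded client transcript replayed against the server meets a new server nonce and exponent, derives a key the attacker never held, and its MACs fail; a packet replayed inside the live session fails on the sequence number. The Diffie-Hellman group is a toy prime chosen to keep the code short, the host-key signature that protects real SSH against an active man-in-the-middle is omitted, and the "delete interface" command is constructed for the scenario.

```python
"""Why replaying a captured SSH session fails without any timestamp.

Added example, not OpenSSH code.  Toy model of the SSH transport: fresh
randomness from BOTH sides feeds the session key, and the MAC covers the
packet sequence number.  P is a toy prime for brevity, not an SSH group.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy Diffie-Hellman modulus: illustration only
G = 2


def derive_key(shared_secret, client_nonce, server_nonce):
    """Session key bound to both nonces (cf. SSH's exchange hash H)."""
    h = hashlib.sha256()
    h.update(shared_secret.to_bytes(16, "big"))
    h.update(client_nonce)
    h.update(server_nonce)
    return h.digest()


def client_hello():
    """Client picks a fresh nonce and exponent; returns (private a, message)."""
    a = secrets.randbelow(P - 2) + 1
    return a, {"nonce": secrets.token_bytes(16), "pub": pow(G, a, P)}


def server_handle_hello(hello):
    """Server answers with ITS OWN fresh nonce and exponent; derives the key."""
    b = secrets.randbelow(P - 2) + 1
    reply = {"nonce": secrets.token_bytes(16), "pub": pow(G, b, P)}
    key = derive_key(pow(hello["pub"], b, P), hello["nonce"], reply["nonce"])
    return key, reply


def client_finish(a, hello, reply):
    return derive_key(pow(reply["pub"], a, P), hello["nonce"], reply["nonce"])


def seal(key, seq, payload):
    """MAC over sequence number and payload, as the SSH MAC does."""
    tag = hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()
    return seq, payload, tag


def unseal(key, expected_seq, packet):
    """Return the payload if the MAC and sequence number check out, else None."""
    seq, payload, tag = packet
    good = hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()
    if seq != expected_seq or not hmac.compare_digest(tag, good):
        return None
    return payload


def run_scenario():
    """A legitimate session, then the two replays an eavesdropper can try."""
    a, hello = client_hello()
    skey, reply = server_handle_hello(hello)
    ckey = client_finish(a, hello, reply)
    packet = seal(ckey, 3, b"delete interface eth1")   # constructed command
    accepted = unseal(skey, 3, packet)                  # live session: ok

    # Replay 1: the same packet again within the live session.  The
    # server's expected sequence number has moved on, so it is rejected.
    replay_same_session = unseal(skey, 4, packet)

    # Replay 2: a new connection built from the recorded hello, then the
    # recorded packet.  The server draws a new nonce and exponent, so it
    # derives a key the attacker never saw and cannot compute (the client
    # exponent a was never on the wire).
    skey2, _ = server_handle_hello(hello)
    replay_new_session = unseal(skey2, 3, packet)

    return {
        "accepted": accepted,
        "replay_same_session": replay_same_session,
        "replay_new_session": replay_new_session,
        "keys_differ": skey != skey2,
    }
```

Two design points carry over to the real protocol: the server's contribution is what makes a recorded transcript useless, so a server that reused its randomness (or leaked it) would reopen replay regardless of what the client did, and the sequence number in the MAC is what stops re-injection of a packet into a session that is still open.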
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Wed, 7 Mar 2001 19:31:50 +0100 Subject: protocol default In-Reply-To: ; from mouring@etoh.eviladmin.org on Tue, Mar 06, 2001 at 06:20:13PM -0600 References: <3AA57D3C.FA574CF0@aproposretail.com> Message-ID: <20010307193150.A16434@folly> On Tue, Mar 06, 2001 at 06:20:13PM -0600, mouring at etoh.eviladmin.org wrote: > Hmmm... I'd rather see rekey support before we push to have protocol 2 as > the default protocol. rekey and an rhost-rsa like thing for ssh-2. -m From ktaylor at eosdata.gsfc.nasa.gov Thu Mar 8 09:12:02 2001 
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor) Date: Wed, 07 Mar 2001 17:12:02 -0500 Subject: openssh logging of remote commands in syslog References: Message-ID: <3AA6B232.D81819FF@daac.gsfc.nasa.gov> Krzysztof Oledzki wrote: > > On Wed, 7 Mar 2001, Kevin Taylor wrote: > > > > > Another wonderful email from me. :) > > > > The ssh.com version of ssh will log information on the remotely executed > > command in the syslog: > > > > Mar 7 15:29:20 6D:marx sshd[21346]: log: executing remote command as > > root: ls > > > > It seems that openssh doesn't do that by default. If you put the server > > in debug mode you'll see the command, but a lot of extra stuff that you > > don't want to see. > > > > Feature suggestion...? > > Some days ago I have created small patch for openssh. It is possible that > you don't need all my changes but there is the one so you can use only a > part of this patch :) > > http://www.ans.pl/Unix/ole-openssh-2.5.1p1.patch.gz > > Best regards, > > Krzysztof Oledzki yup. Just one line provides what I was looking for: # diff session.c.orig session.c 1464a1465 > log("executing remote command as user %.200s: %.200s", pw->pw_name, command); Hopefully they can add this to the next release of openssh. Thanks. -- ---------------------------------------------------------. Kevin Taylor \ Systems Administrator - DAAC, Code 902, Bldg 32, Rm N126A / Science Systems and Applications, Inc. \ Goddard Space Flight Center / Greenbelt, MD 20771 \ / Phone: (301) 614-5505 \ e-mail: ktaylor at daac.gsfc.nasa.gov / ----------------------------------------------------------' From pekkas at netcore.fi Thu Mar 8 09:19:59 2001 
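Review bot: the log() line this hunk adds after session.c line 1464 writes the complete remote command string at the default log level, so anything a user passes on the command line (passwords given as arguments, tokens, here-strings) ends up in syslog, which on many hosts is world-readable; gate it behind an sshd_config option or a higher LogLevel, or log only the fact that a command was run plus its user. Because of the %.200s truncation the entry also cannot serve as an audit record of what actually executed, so it should not be presented as one.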
From: pekkas at netcore.fi (Pekka Savola) Date: Thu, 8 Mar 2001 00:19:59 +0200 (EET) Subject: openssh logging of remote commands in syslog In-Reply-To: <3AA69A65.A30EE6A@daac.gsfc.nasa.gov> Message-ID: On Wed, 7 Mar 2001, Kevin Taylor wrote: > > Another wonderful email from me. :) > > The ssh.com version of ssh will log information on the remotely executed > command in the syslog: > > Mar 7 15:29:20 6D:marx sshd[21346]: log: executing remote command as > root: ls > > It seems that openssh doesn't do that by default. If you put the server > in debug mode you'll see the command, but a lot of extra stuff that you > don't want to see. IMO, this kind of logging can be rather intrusive.. -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From ktaylor at eosdata.gsfc.nasa.gov Thu Mar 8 09:23:45 2001 From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor) Date: Wed, 07 Mar 2001 17:23:45 -0500 Subject: openssh logging of remote commands in syslog References: Message-ID: <3AA6B4F1.BD6B30DA@daac.gsfc.nasa.gov> Pekka Savola wrote: > > On Wed, 7 Mar 2001, Kevin Taylor wrote: > > > > > Another wonderful email from me. :) > > > > The ssh.com version of ssh will log information on the remotely executed > > command in the syslog: > > > > Mar 7 15:29:20 6D:marx sshd[21346]: log: executing remote command as > > root: ls > > > > It seems that openssh doesn't do that by default. If you put the server > > in debug mode you'll see the command, but a lot of extra stuff that you > > don't want to see. > > IMO, this kind of logging can be rather intrusive.. > Well, maybe it can be something added to a different log level. Something that is not as severe as debug, so it can be set to be logged or not....but also not get gobs of info that lower log levels provide From Darren.Moffat at eng.sun.com Thu Mar 8 09:26:01 2001 
From: Darren.Moffat at eng.sun.com (Darren Moffat)
Date: Wed, 7 Mar 2001 14:26:01 -0800 (PST)
Subject: [PATCH]: contrib/cygwin/ssh-host-config
Message-ID: <200103072226.f27MQ1v381081@jurassic.eng.sun.com>

>> Additionally the script used to add `sshd 22/tcp' to the services file
>> while the IANA proposes `ssh 22/tcp' and `ssh 22/udp' as services entries.
>
> Just FYI, 22/udp collides with PC Anywhere.

Then that is a PC Anywhere problem; port 22 is an IANA registered port number.

--
Darren J Moffat

From mouring at etoh.eviladmin.org Thu Mar 8 09:33:43 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 7 Mar 2001 16:33:43 -0600 (CST)
Subject: openssh logging of remote commands in syslog
In-Reply-To: <3AA6B4F1.BD6B30DA@daac.gsfc.nasa.gov>

On Wed, 7 Mar 2001, Kevin Taylor wrote:
> Pekka Savola wrote:
> > On Wed, 7 Mar 2001, Kevin Taylor wrote:
> > > Another wonderful email from me. :)
> > >
> > > The ssh.com version of ssh will log information on the remotely executed
> > > command in the syslog:
> > >
> > > Mar 7 15:29:20 6D:marx sshd[21346]: log: executing remote command as
> > > root: ls
> > >
> > > It seems that openssh doesn't do that by default. If you put the server
> > > in debug mode you'll see the command, but a lot of extra stuff that you
> > > don't want to see.
> >
> > IMO, this kind of logging can be rather intrusive..
>
> Well, maybe it can be something added to a different log level.
> Something that is not as severe as debug, so it can be set to be logged
> or not....but also not get gobs of info that lower log levels provide

I'd rather not see this crap in my /var/log/messages. If it was to be done
it should be logged to /var/log/sshd.log. There are still WAY too many
machines that have /var/log/messages set world readable by default.

Besides, this functionality is best left up to the auditd and other such
software that does auditing of userspace commands. It really has no place
in sshd, IMHO.

- Ben

From djm at mindrot.org Thu Mar 8 10:23:44 2001
From: djm at mindrot.org (Damien Miller)
Date: Thu, 8 Mar 2001 10:23:44 +1100 (EST)
Subject: openssh logging of remote commands in syslog
In-Reply-To: <3AA6B4F1.BD6B30DA@daac.gsfc.nasa.gov>

On Wed, 7 Mar 2001, Kevin Taylor wrote:
> Well, maybe it can be something added to a different log level.
> Something that is not as severe as debug, so it can be set to be logged
> or not....but also not get gobs of info that lower log levels provide

Search for (regex) ".*command in session.c and change the debug()s to
verbose()s.

I don't think logging of commands should be encouraged for the general
case though.

-d

-- 
| Damien Miller \   ``E-mail attachments are the poor man's
| http://www.mindrot.org /    distributed filesystem'' - Dan Geer

From jason at dfmm.org Thu Mar 8 10:06:35 2001
From: jason at dfmm.org (Jason Stone)
Date: Wed, 7 Mar 2001 15:06:35 -0800 (PST)
Subject: openssh logging of remote commands in syslog

> > The ssh.com version of ssh will log information on the remotely
> > executed command in the syslog:
> >
> > Mar 7 15:29:20 6D:marx sshd[21346]: log: executing remote command as
> > root: ls
> >
> > It seems that openssh doesn't do that
>
> IMO, this kind of logging can be rather intrusive..

Yes, but not more so than, say, bsd-style ps accounting, or, even better,
ktracing init, etc. The point is, paranoid sysadmins are gonna log stuff
anyway - we might as well help by providing tools to do so. We already do
in the form of "-d -d -d" so I don't see the problem in adding an option
to finetune what's logged.

-Jason

---------------------------
If the Revolution comes to grief, it will be because you and those you
lead have become alarmed at your own brutality.
--John Gardner

From Donald.Smith at qwest.com Thu Mar 8 10:51:02 2001
From: Donald.Smith at qwest.com (Smith, Donald )
Date: Wed, 7 Mar 2001 16:51:02 -0700
Subject: suggestion: saving old binaries during installation
Message-ID: <2D00AD0E4D36D411BD300008C786E42401258471@Denntex021.qwest.net>

Kevin, you're right. The Makefile for ssh-1.2.31 does copy current FILENAME
to FILENAME.old then cp binaries around, but the Openssh Makefile doesn't.
The make install part of the Openssh's Makefile just calls install-sh; it
would be fairly trivial to fix the install-sh to make backup copies of the
binaries.
I have been spending too much time between the Openssh code and ssh.com's
code. Sorry for the confusion.

Donald.Smith at qwest.com IP Engineering Security
303-226-9939/0688 Office/Fax
720-320-1537 cell

> -----Original Message-----
> From: Kevin Taylor [mailto:ktaylor at eosdata.gsfc.nasa.gov]
> Sent: Wednesday, March 07, 2001 6:41 AM
> To: Smith, Donald
> Cc: 'Kevin Taylor'; openssh-unix-dev at mindrot.org
> Subject: Re: suggestion: saving old binaries during installation
>
> "Smith, Donald" wrote:
> >
> > And that's exactly what a make install (IN THE SOURCE CODE DIR) will do.
> >
> > Donald.Smith at qwest.com IP Engineering Security
> > 303-226-9939/0688 Office/Fax
> > 720-320-1537 cell
> >
> > > -----Original Message-----
> > > From: Kevin Taylor [mailto:ktaylor at eosdata.gsfc.nasa.gov]
> > > Sent: Tuesday, March 06, 2001 12:37 PM
> > > To: openssh-unix-dev at mindrot.org
> > > Subject: suggestion: saving old binaries during installation
> > >
> > > Just as a suggestion, I liked the way the ssh.com's ssh would move the
> > > old binaries to filename.old then install the new ones....so that way
> > > you have an old copy to revert back to if needed (without copying them
> > > all by hand).
>
> but it doesn't.
>
> --
> Kevin Taylor
> Systems Administrator - DAAC, Code 902, Bldg 32, Rm N126A
> Science Systems and Applications, Inc.
> Goddard Space Flight Center
> Greenbelt, MD 20771
> Phone: (301) 614-5505
> e-mail: ktaylor at daac.gsfc.nasa.gov

From markus.friedl at informatik.uni-erlangen.de Thu Mar 8 10:56:43 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 8 Mar 2001 00:56:43 +0100 Subject: ssh-agent and id_dsa In-Reply-To: <20010220233523.A8120@serv01.aet.tu-cottbus.de>; from Lutz.Jaenicke@aet.TU-Cottbus.DE on Tue, Feb 20, 2001 at 11:35:23PM +0100 References: <20010220104029.A19671@ws01.aet.tu-cottbus.de> <20010220111219.A25897@faui02.informatik.uni-erlangen.de> <20010220113536.B19903@ws01.aet.tu-cottbus.de> <20010220225837.B16424@faui02l.informatik.uni-erlangen.de> <20010220233523.A8120@serv01.aet.tu-cottbus.de> Message-ID: <20010308005643.A29261@folly> On Tue, Feb 20, 2001 at 11:35:23PM +0100, Lutz Jaenicke wrote: > > perhaps i add handling of SSH2_MSG_USERAUTH_PK_OK to the > > ssh client, but i'm not sure. > > We'll see :-) ok try this: this patch implements client side handling of SSH2_MSG_USERAUTH_PK_OK messages. this means that the client can check whether the server will accept the public key and can delay the expensive signature operation until the server replies: "yes this key is valid for login". Index: compat.c =================================================================== RCS file: /home/markus/cvs/ssh/compat.c,v retrieving revision 1.36 diff -u -r1.36 compat.c --- compat.c 2001/02/27 11:00:11 1.36 +++ compat.c 2001/03/07 23:19:03 
@@ -70,11 +70,12 @@ SSH_OLD_SESSIONID|SSH_BUG_DEBUG }, { "^2\\.0\\.1[3-9]", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| SSH_OLD_SESSIONID|SSH_BUG_DEBUG| - SSH_BUG_PKSERVICE|SSH_BUG_X11FWD }, + SSH_BUG_PKSERVICE|SSH_BUG_X11FWD| + SSH_BUG_PKOK }, { "^2\\.0\\.", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| SSH_OLD_SESSIONID|SSH_BUG_DEBUG| SSH_BUG_PKSERVICE|SSH_BUG_X11FWD| - SSH_BUG_PKAUTH }, + SSH_BUG_PKAUTH|SSH_BUG_PKOK }, { "^2\\.[23]\\.0", SSH_BUG_HMAC}, { "^2\\.[2-9]\\.", 0 }, { "^2\\.4$", SSH_OLD_SESSIONID}, /* Van Dyke */ Index: compat.h =================================================================== RCS file: /home/markus/cvs/ssh/compat.h,v retrieving revision 1.15 diff -u -r1.15 compat.h --- compat.h 2001/02/19 09:53:31 1.15 +++ compat.h 2001/03/07 23:19:28 @@ -40,6 +40,7 @@ #define SSH_BUG_DEBUG 0x0040 #define SSH_BUG_BANNER 0x0080 #define SSH_BUG_IGNOREMSG 0x0100 +#define SSH_BUG_PKOK 0x0200 void enable_compat13(void); void enable_compat20(void); Index: readconf.c Index: readconf.h =================================================================== RCS file: /home/markus/cvs/ssh/readconf.h,v retrieving revision 1.26 diff -u -r1.26 readconf.h --- readconf.h 2001/02/11 12:59:25 1.26 +++ readconf.h 2001/03/07 21:00:05 @@ -16,6 +16,8 @@ #ifndef READCONF_H #define READCONF_H +#include "key.h" + /* Data structure for representing a forwarding request. */ typedef struct { @@ -83,7 +85,7 @@ int num_identity_files; /* Number of files for RSA/DSA identities. */ char *identity_files[SSH_MAX_IDENTITY_FILES]; - int identity_files_type[SSH_MAX_IDENTITY_FILES]; + Key *identity_keys[SSH_MAX_IDENTITY_FILES]; /* Local TCP/IP forward requests. */ int num_local_forwards; Index: ssh.c =================================================================== RCS file: /home/markus/cvs/ssh/ssh.c,v retrieving revision 1.103 diff -u -r1.103 ssh.c --- ssh.c 2001/03/04 17:42:28 1.103 +++ ssh.c 2001/03/07 23:46:31 
@@ -225,7 +225,7 @@ int ssh_session(void); int ssh_session2(void); -int guess_identity_file_type(const char *filename); +void load_public_identity_files(void); /* * Main program for the ssh client. @@ -660,15 +660,11 @@ } exit(1); } - /* Expand ~ in options.identity_files, known host file names. */ - /* XXX mem-leaks */ - for (i = 0; i < options.num_identity_files; i++) { - options.identity_files[i] = - tilde_expand_filename(options.identity_files[i], original_real_uid); - options.identity_files_type[i] = guess_identity_file_type(options.identity_files[i]); - debug("identity file %s type %d", options.identity_files[i], - options.identity_files_type[i]); - } + /* load options.identity_files */ + load_public_identity_files(); + + /* Expand ~ in known host file names. */ + /* XXX mem-leaks: */ options.system_hostfile = tilde_expand_filename(options.system_hostfile, original_real_uid); options.user_hostfile = @@ -1076,4 +1072,32 @@ } key_free(public); return type; +} + +void +load_public_identity_files(void) +{ + char *filename; + Key *public; + int i; + + for (i = 0; i < options.num_identity_files; i++) { + filename = tilde_expand_filename(options.identity_files[i], + original_real_uid); + public = key_new(KEY_RSA1); + if (!load_public_key(filename, public, NULL)) { + key_free(public); + public = key_new(KEY_UNSPEC); + if (!try_load_public_key(filename, public, NULL)) { + debug("unknown identity file %s", filename); + key_free(public); + public = NULL; + } + } + debug("identity file %s type %d", filename, + public ? public->type : -1); + xfree(options.identity_files[i]); + options.identity_files[i] = filename; + options.identity_keys[i] = public; + } } Index: sshconnect1.c =================================================================== RCS file: /home/markus/cvs/ssh/sshconnect1.c,v retrieving revision 1.27 diff -u -r1.27 sshconnect1.c --- sshconnect1.c 2001/02/15 23:19:59 1.27 +++ sshconnect1.c 2001/03/07 23:49:39 
@@ -1017,7 +1017,8 @@ /* Try RSA authentication for each identity. */ for (i = 0; i < options.num_identity_files; i++) - if (options.identity_files_type[i] == KEY_RSA1 && + if (options.identity_keys[i] != NULL && + options.identity_keys[i]->type == KEY_RSA1 && try_rsa_authentication(options.identity_files[i])) return; } Index: sshconnect2.c =================================================================== RCS file: /home/markus/cvs/ssh/sshconnect2.c,v retrieving revision 1.50 diff -u -r1.50 sshconnect2.c --- sshconnect2.c 2001/03/05 17:17:21 1.50 +++ sshconnect2.c 2001/03/07 23:43:47 @@ -467,6 +467,10 @@ AuthenticationConnection *agent; Authmethod *method; int success; + char *authlist; + Key *last_key; + sign_cb_fn *last_key_sign; + int last_key_hint; }; struct Authmethod { char *name; /* string to compare against server's list */ @@ -480,12 +484,19 @@ void input_userauth_banner(int type, int plen, void *ctxt); void input_userauth_error(int type, int plen, void *ctxt); void input_userauth_info_req(int type, int plen, void *ctxt); +void input_userauth_pk_ok(int type, int plen, void *ctxt); int userauth_none(Authctxt *authctxt); int userauth_pubkey(Authctxt *authctxt); int userauth_passwd(Authctxt *authctxt); int userauth_kbdint(Authctxt *authctxt); +void userauth(Authctxt *authctxt, char *authlist); + +int +sign_and_send_pubkey(Authctxt *authctxt, Key *k, + sign_cb_fn *sign_callback); + void authmethod_clear(void); Authmethod *authmethod_get(char *authlist); Authmethod *authmethod_lookup(const char *name); @@ -546,6 +557,7 @@ authctxt.service = "ssh-connection"; /* service name */ authctxt.success = 0; authctxt.method = authmethod_lookup("none"); + authctxt.authlist = NULL; if (authctxt.method == NULL) fatal("ssh_userauth2: internal error: cannot send userauth none request"); authmethod_clear(); 
@@ -565,6 +577,30 @@ debug("ssh-userauth2 successful: method %s", authctxt.method->name); } void +userauth(Authctxt *authctxt, char *authlist) +{ + if (authlist == NULL) { + authlist = authctxt->authlist; + } else { + if (authctxt->authlist) + xfree(authctxt->authlist); + authctxt->authlist = authlist; + } + for (;;) { + Authmethod *method = authmethod_get(authlist); + if (method == NULL) + fatal("Permission denied (%s).", authlist); + authctxt->method = method; + if (method->userauth(authctxt) != 0) { + debug2("we sent a %s packet, wait for reply", method->name); + break; + } else { + debug2("we did not send a packet, disable method"); + method->enabled = NULL; + } + } +} +void input_userauth_error(int type, int plen, void *ctxt) { fatal("input_userauth_error: bad message during authentication: " @@ -587,12 +623,13 @@ Authctxt *authctxt = ctxt; if (authctxt == NULL) fatal("input_userauth_success: no authentication context"); + if (authctxt->authlist) + xfree(authctxt->authlist); authctxt->success = 1; /* break out */ } void input_userauth_failure(int type, int plen, void *ctxt) { - Authmethod *method = NULL; Authctxt *authctxt = ctxt; char *authlist = NULL; int partial; 
@@ -608,20 +645,59 @@ log("Authenticated with partial success."); debug("authentications that can continue: %s", authlist); - for (;;) { - method = authmethod_get(authlist); - if (method == NULL) - fatal("Permission denied (%s).", authlist); - authctxt->method = method; - if (method->userauth(authctxt) != 0) { - debug2("we sent a %s packet, wait for reply", method->name); - break; - } else { - debug2("we did not send a packet, disable method"); - method->enabled = NULL; - } + userauth(authctxt, authlist); +} +void +input_userauth_pk_ok(int type, int plen, void *ctxt) +{ + Authctxt *authctxt = ctxt; + Key *key = NULL; + Buffer b; + int alen, blen, sent = 0; + char *pkalg, *pkblob; + + if (authctxt == NULL) + fatal("input_userauth_pk_ok: no authentication context"); + if (datafellows & SSH_BUG_PKOK) { + /* this is similar to SSH_BUG_PKAUTH */ + debug2("input_userauth_pk_ok: SSH_BUG_PKOK"); + pkblob = packet_get_string(&blen); + buffer_init(&b); + buffer_append(&b, pkblob, blen); + pkalg = buffer_get_string(&b, &alen); + buffer_free(&b); + } else { + pkalg = packet_get_string(&alen); + pkblob = packet_get_string(&blen); } - xfree(authlist); + packet_done(); + + debug("input_userauth_pk_ok: pkalg %s blen %d lastkey %p hint %d", + pkalg, blen, authctxt->last_key, authctxt->last_key_hint); + + if (authctxt->last_key != NULL && + authctxt->last_key_sign != NULL && + key_type_from_name(pkalg) != KEY_UNSPEC && + (key = key_from_blob(pkblob, blen)) != NULL && + key_equal(key, authctxt->last_key)) { + debug2("input_userauth_pk_ok: fp %s", key_fingerprint(key)); + sent = sign_and_send_pubkey(authctxt, key, + authctxt->last_key_sign); + } + if (key != NULL) + key_free(key); + xfree(pkalg); + xfree(pkblob); + + /* or try another method */ + if (sent == 0) + userauth(authctxt, NULL); + + /* unregister */ + authctxt->last_key_sign = NULL; + authctxt->last_key_hint = -1; + authctxt->last_key = NULL; + dispatch_set(SSH2_MSG_USERAUTH_PK_OK, NULL); } int 
@@ -633,7 +709,6 @@ packet_put_cstring(authctxt->service); packet_put_cstring(authctxt->method->name); packet_send(); - packet_write_wait(); return 1; } @@ -663,7 +738,6 @@ xfree(password); packet_inject_ignore(64); packet_send(); - packet_write_wait(); return 1; } @@ -678,6 +752,7 @@ int have_sig = 1; debug3("sign_and_send_pubkey"); + if (key_to_blob(k, &blob, &bloblen) == 0) { /* we cannot handle this key */ debug3("sign_and_send_pubkey: cannot handle key"); @@ -708,7 +783,8 @@ buffer_put_string(&b, blob, bloblen); /* generate signature */ - ret = (*sign_callback)(authctxt, k, &signature, &slen, buffer_ptr(&b), buffer_len(&b)); + ret = (*sign_callback)(authctxt, k, &signature, &slen, + buffer_ptr(&b), buffer_len(&b)); if (ret == -1) { xfree(blob); buffer_free(&b); @@ -720,6 +796,7 @@ if (datafellows & SSH_BUG_PKSERVICE) { buffer_clear(&b); buffer_append(&b, session_id2, session_id2_len); + skip = session_id2_len; buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); buffer_put_cstring(&b, authctxt->server_user); buffer_put_cstring(&b, authctxt->service); @@ -730,6 +807,7 @@ buffer_put_string(&b, blob, bloblen); } xfree(blob); + /* append signature */ buffer_put_string(&b, signature, slen); xfree(signature); 
@@ -743,76 +821,111 @@ packet_start(SSH2_MSG_USERAUTH_REQUEST); packet_put_raw(buffer_ptr(&b), buffer_len(&b)); buffer_free(&b); - - /* send */ packet_send(); - packet_write_wait(); return 1; } -/* sign callback */ -int key_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp, - u_char *data, int datalen) -{ - return key_sign(key, sigp, lenp, data, datalen); -} - int -userauth_pubkey_identity(Authctxt *authctxt, char *filename) +send_pubkey_test(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback, + int hint) { - Key *k; - int i, ret, try_next, success = 0; - struct stat st; - char *passphrase; - char prompt[300]; + u_char *blob; + int bloblen, have_sig = 0; - if (stat(filename, &st) != 0) { - debug("key does not exist: %s", filename); + if (key_to_blob(k, &blob, &bloblen) == 0) { + /* we cannot handle this key */ + debug3("send_pubkey_test: cannot handle key"); return 0; } - debug("try pubkey: %s", filename); + /* register callback for USERAUTH_PK_OK message */ + authctxt->last_key_sign = sign_callback; + authctxt->last_key_hint = hint; + authctxt->last_key = k; + dispatch_set(SSH2_MSG_USERAUTH_PK_OK, &input_userauth_pk_ok); + + packet_start(SSH2_MSG_USERAUTH_REQUEST); + packet_put_cstring(authctxt->server_user); + packet_put_cstring(authctxt->service); + packet_put_cstring(authctxt->method->name); + packet_put_char(have_sig); + if (!(datafellows & SSH_BUG_PKAUTH)) + packet_put_cstring(key_ssh_name(k)); + packet_put_string(blob, bloblen); + xfree(blob); + packet_send(); + return 1; +} + +Key * +load_identity_file(char *filename) +{ + Key *private; + char prompt[300], *passphrase; + int success = 0, quit, i; - k = key_new(KEY_UNSPEC); - if (!load_private_key(filename, "", k, NULL)) { + private = key_new(KEY_UNSPEC); + if (!load_private_key(filename, "", private, NULL)) { if (options.batch_mode) { - key_free(k); - return 0; + key_free(private); + return NULL; } snprintf(prompt, sizeof prompt, "Enter passphrase for key '%.100s': ", filename); for (i = 0; 
i < options.number_of_password_prompts; i++) { passphrase = read_passphrase(prompt, 0); if (strcmp(passphrase, "") != 0) { - success = load_private_key(filename, passphrase, k, NULL); - try_next = 0; + success = load_private_key(filename, + passphrase, private, NULL); + quit = 0; } else { debug2("no passphrase given, try next key"); - try_next = 1; + quit = 1; } memset(passphrase, 0, strlen(passphrase)); xfree(passphrase); - if (success || try_next) + if (success || quit) break; debug2("bad passphrase given, try again..."); } if (!success) { - key_free(k); - return 0; + key_free(private); + return NULL; } } - ret = sign_and_send_pubkey(authctxt, k, key_sign_cb); - key_free(k); + return private; +} + +int +identity_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp, + u_char *data, int datalen) +{ + Key *private; + int idx, ret; + + idx = authctxt->last_key_hint; + if (idx == -1) + return -1; + private = load_identity_file(options.identity_files[idx]); + if (private == NULL) + return -1; + ret = key_sign(private, sigp, lenp, data, datalen); + key_free(private); return ret; } -/* sign callback */ int agent_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp, u_char *data, int datalen) { return ssh_agent_sign(authctxt->agent, key, sigp, lenp, data, datalen); } +int key_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp, + u_char *data, int datalen) +{ + return key_sign(key, sigp, lenp, data, datalen); +} + int userauth_pubkey_agent(Authctxt *authctxt) { @@ -830,9 +943,9 @@ if (k == NULL) { debug2("userauth_pubkey_agent: no more keys"); } else { - debug("userauth_pubkey_agent: trying agent key %s", comment); + debug("userauth_pubkey_agent: testing agent key %s", comment); xfree(comment); - ret = sign_and_send_pubkey(authctxt, k, agent_sign_cb); + ret = send_pubkey_test(authctxt, k, agent_sign_cb, -1); key_free(k); } if (ret == 0) 
@@ -845,6 +958,8 @@ { static int idx = 0; int sent = 0; + Key *key; + char *filename; if (authctxt->agent != NULL) { do { @@ -852,9 +967,21 @@ } while(!sent && authctxt->agent->howmany > 0); } while (!sent && idx < options.num_identity_files) { - if (options.identity_files_type[idx] != KEY_RSA1) - sent = userauth_pubkey_identity(authctxt, - options.identity_files[idx]); + key = options.identity_keys[idx]; + filename = options.identity_files[idx]; + if (key == NULL) { + debug("try privkey: %s", filename); + key = load_identity_file(filename); + if (key != NULL) { + sent = sign_and_send_pubkey(authctxt, key, + key_sign_cb); + key_free(key); + } + } else if (key->type != KEY_RSA1) { + debug("try pubkey: %s", filename); + sent = send_pubkey_test(authctxt, key, + identity_sign_cb, idx); + } idx++; } return sent; @@ -880,7 +1007,6 @@ packet_put_cstring(options.kbd_interactive_devices ? options.kbd_interactive_devices : ""); packet_send(); - packet_write_wait(); dispatch_set(SSH2_MSG_USERAUTH_INFO_REQUEST, &input_userauth_info_req); return 1; @@ -938,7 +1064,6 @@ packet_inject_ignore(64); packet_send(); - packet_write_wait(); } /* find auth method */ From markus.friedl at informatik.uni-erlangen.de Thu Mar 8 11:41:26 2001 
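Review bot: in the @@ -608,20 +645,59 @@ hunk of sshconnect2.c, input_userauth_pk_ok() calls the fallback `userauth(authctxt, NULL)` before the `/* unregister */` block. When that fallback reaches userauth_pubkey() and offers the next identity through send_pubkey_test(), that call sets last_key, last_key_sign and last_key_hint and does dispatch_set(SSH2_MSG_USERAUTH_PK_OK, &input_userauth_pk_ok); the three NULL/-1 assignments and the dispatch_set(SSH2_MSG_USERAUTH_PK_OK, NULL) that follow then discard that fresh registration, so the server's answer to the second test has no handler. That is exactly the sequence in Lutz's ssh-agent log later in the thread: PK_OK with hint -1, then "try pubkey: ... id_rsa", then "Disconnecting: protocol error: rcvd type 60". Move the unregister block above `if (sent == 0)`.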
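Review bot: the @@ -743,76 +821,111 @@ hunk drops the `stat(filename, &st)` check that userauth_pubkey_identity() used to return early with "key does not exist", and neither load_identity_file() nor its caller in the @@ -852,9 +967,21 @@ hunk (the `key == NULL` branch of userauth_pubkey()) puts one back. For an identity file that is absent, load_private_key() simply fails and the user is asked for a passphrase number_of_password_prompts times before the next key is tried; Lutz reports precisely that after moving id_rsa away. Test for the file's existence in load_identity_file() (or before the "try privkey" call) and return NULL silently.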
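Review bot: the @@ -546,6 +557,7 @@ hunk initialises `authctxt.authlist = NULL` but not the other three Authctxt members the @@ -467,6 +467,10 @@ hunk adds (last_key, last_key_sign, last_key_hint). input_userauth_pk_ok() relies on `last_key != NULL && last_key_sign != NULL` as its guard, and authctxt looks like an automatic variable here, so an unexpected PK_OK before the first send_pubkey_test() would read uninitialised memory. Initialise them to NULL, NULL and -1 alongside authlist.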
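Review bot: in ssh.c the @@ -225,7 +225,7 @@ hunk removes the prototype of guess_identity_file_type(), yet the context of the @@ -1076,4 +1072,32 @@ hunk (`key_free(public); return type; }`) shows the function body is still there, right before the new load_public_identity_files(). It is now unused and undeclared; either delete the function or keep its prototype.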
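Review bot: the compat.h hunk adds `#define SSH_BUG_PKOK 0x0200` without saying what the bug is; the only description is the `/* this is similar to SSH_BUG_PKAUTH */` branch in input_userauth_pk_ok(), where the PK_OK message carries just a key blob with the algorithm name read out of the blob instead of a separate pkalg string. A one-line comment at the define (and a mention in the commit message of which ssh.com 2.0.x versions it covers) would save the next reader that lookup.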
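Review bot: the hunks at @@ -633,7 +709,6 @@, @@ -663,7 +738,6 @@, @@ -743,76 +821,111 @@, @@ -880,7 +1007,6 @@ and @@ -938,7 +1064,6 @@ all remove `packet_write_wait()` after `packet_send()`, which changes every userauth method and not only publickey, but the message does not explain why. If the intent is that the dispatch loop now flushes output before waiting for the server's reply, say so in the commit message so the change is not mistaken for an accident.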
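Review bot: `Index: readconf.c` is followed directly by `Index: readconf.h` with no hunk in between, so the readconf.c part of this diff is either empty or lost. Since readconf.h replaces `identity_files_type[]` with `Key *identity_keys[]`, please confirm that readconf.c needs no corresponding change in the options initialisation, or resend that part.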
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 8 Mar 2001 01:41:26 +0100
Subject: password authentication secure ?
In-Reply-To: ; from sunil@redback.com on Wed, Mar 07, 2001 at 11:41:40AM -0800
Message-ID: <20010308014126.A15263@folly>

On Wed, Mar 07, 2001 at 11:41:40AM -0800, Sunil K. Vallamkonda wrote:
> My question is regarding the possibility of someone wiretapping the
> communication and repeating the action. What if an intruder notices that
> there's a secure session starting (by guessing at the dst IP address and
> unintelligible payload) and then starts capturing all the packets on this
> session for the purpose of repeating the whole session again? The secure
> user could add/delete interfaces and stuff, therefore just by repeating this
> operation the intruder could generate a big problem on the network.
>
> This could be prevented only by having a timestamp.

no, you are wrong. the session id is unique to each ssh connection, so you
cannot replay the data.

From dhighley at mail.highley-recommended.com Thu Mar 8 12:47:35 2001
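The two-step publickey exchange that Markus's SSH2_MSG_USERAUTH_PK_OK patch earlier in this digest adds to the client, together with the replay point made just above (the signed data starts with the per-connection session id), as an added example that is not code from the patch or from OpenSSH. The packet framing and the signed data follow RFC 4252 section 7; the signature is an HMAC stand-in keyed per constructed key blob, and the user name and blobs are constructed.

```python
"""Two-step SSH2 "publickey" userauth (RFC 4252 section 7), the exchange
Markus's patch adds to the client, plus why a captured authentication
cannot be replayed.  Constructed example, not OpenSSH code: the signature
is an HMAC stand-in keyed per key blob; framing and signed data are real."""
import hashlib
import hmac
import struct

SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_USERAUTH_PK_OK = 60        # the "rcvd type 60" in Lutz's log
SERVICE = b"ssh-connection"

def put_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def get_string(msg: bytes, off: int):
    (n,) = struct.unpack_from(">I", msg, off)
    return msg[off + 4:off + 4 + n], off + 4 + n

def request_body(user: bytes, pkalg: bytes, blob: bytes, have_sig: bool) -> bytes:
    """USERAUTH_REQUEST, method 'publickey', without the trailing signature."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + put_string(user)
            + put_string(SERVICE) + put_string(b"publickey")
            + bytes([int(have_sig)]) + put_string(pkalg) + put_string(blob))

def stand_in_signer(secret: bytes):
    """Constructed stand-in for key_sign()/ssh_agent_sign(): HMAC-SHA256."""
    return lambda data: hmac.new(secret, data, hashlib.sha256).digest()

class Server:
    """authorized: user -> set of (pkalg, blob); secrets: blob -> HMAC secret."""
    def __init__(self, session_id: bytes, authorized: dict, secrets: dict):
        self.session_id, self.authorized, self.secrets = session_id, authorized, secrets

    def handle(self, msg: bytes) -> bytes:
        off = 1                                  # skip the message type byte
        user, off = get_string(msg, off)
        _service, off = get_string(msg, off)
        _method, off = get_string(msg, off)
        have_sig, off = bool(msg[off]), off + 1
        pkalg, off = get_string(msg, off)
        blob, off = get_string(msg, off)
        if (pkalg, blob) not in self.authorized.get(user, set()):
            return bytes([SSH_MSG_USERAUTH_FAILURE])
        if not have_sig:                         # query only: key would be accepted
            return bytes([SSH_MSG_USERAUTH_PK_OK]) + put_string(pkalg) + put_string(blob)
        sig, _ = get_string(msg, off)
        # RFC 4252 s.7: signature covers string(session_id) || request without sig
        signed = put_string(self.session_id) + msg[:off]
        ok = hmac.compare_digest(stand_in_signer(self.secrets[blob])(signed), sig)
        return bytes([SSH_MSG_USERAUTH_SUCCESS if ok else SSH_MSG_USERAUTH_FAILURE])

class Client:
    def __init__(self, session_id: bytes, user: bytes, identities: list):
        """identities: [(pkalg, blob, sign_callback)], like identity_files."""
        self.session_id, self.user, self.identities = session_id, user, identities
        self.signatures = 0                      # expensive signing operations done

    def sign_and_send(self, server, pkalg, blob, sign) -> bytes:
        body = request_body(self.user, pkalg, blob, True)
        sig = sign(put_string(self.session_id) + body)
        self.signatures += 1
        return server.handle(body + put_string(sig))

    def authenticate(self, server, test_first: bool = True) -> bool:
        for pkalg, blob, sign in self.identities:
            if test_first:                       # send_pubkey_test(): no signature yet
                reply = server.handle(request_body(self.user, pkalg, blob, False))
                if reply[0] != SSH_MSG_USERAUTH_PK_OK:
                    continue                     # server refuses this key: never sign
                ok_alg, off = get_string(reply, 1)
                ok_blob, _ = get_string(reply, off)
                if (ok_alg, ok_blob) != (pkalg, blob):
                    continue                     # PK_OK names a key we did not offer
            if self.sign_and_send(server, pkalg, blob, sign)[0] == SSH_MSG_USERAUTH_SUCCESS:
                return True
        return False

def run_demo(test_first: bool):
    """Two constructed identities, only the second authorized: (ok, signatures)."""
    sid = hashlib.sha256(b"constructed session id").digest()
    secrets = {b"blob-A": b"secret-A", b"blob-B": b"secret-B"}
    server = Server(sid, {b"alice": {(b"ssh-rsa", b"blob-B")}}, secrets)
    client = Client(sid, b"alice", [(b"ssh-rsa", b"blob-A", stand_in_signer(b"secret-A")),
                                    (b"ssh-rsa", b"blob-B", stand_in_signer(b"secret-B"))])
    return client.authenticate(server, test_first), client.signatures

def replay_fails() -> bool:
    """A request signed for one connection is refused on another (session id)."""
    secrets, authorized = {b"blob-B": b"secret-B"}, {b"alice": {(b"ssh-rsa", b"blob-B")}}
    sid1 = hashlib.sha256(b"connection 1").digest()
    sid2 = hashlib.sha256(b"connection 2").digest()
    body = request_body(b"alice", b"ssh-rsa", b"blob-B", True)
    captured = body + put_string(stand_in_signer(b"secret-B")(put_string(sid1) + body))
    first = Server(sid1, authorized, secrets).handle(captured)[0]
    second = Server(sid2, authorized, secrets).handle(captured)[0]
    return first == SSH_MSG_USERAUTH_SUCCESS and second == SSH_MSG_USERAUTH_FAILURE
```

run_demo(True) authenticates with one signature, the eager run_demo(False) needs two, and replay_fails() shows the captured request accepted on its own connection but refused on a second one.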
From: dhighley at mail.highley-recommended.com (David Highley)
Date: Wed, 7 Mar 2001 17:47:35 -0800 (PST)
Subject: Make Install Problems
Message-ID: <200103080147.f281lZQ07555@hemlock.highley-recommended.com>

I'm in the process of installing openssh 2.5.1p2 and the make install step
fails. I did the build without problems. Now when I attempt to do the make
install it fails with the output below.

Software build process should have two separate steps. A build step and an
install step. The install step should not create or modify any files in the
tree structure as this will fail when a root user is installing from an NFS
mounted build tree. This is very common. If it is found that it is necessary
to have a temporary file then it should be created in a location like
/var/tmp.

spruce: # gmake install
/usr/local/bin/perl ./fixpaths -D/etc/ssh_config=/usr/local/etc/ssh_config -D/etc/ssh_known_hosts=/usr/local/etc/ssh_known_hosts -D/etc/sshd_config=/usr/local/etc/sshd_config -D/usr/libexec=/usr/local/libexec -D/etc/shosts.equiv=/usr/local/etc/shosts.equiv -D/etc/ssh_host_key=/usr/local/etc/ssh_host_key -D/etc/ssh_host_dsa_key=/usr/local/etc/ssh_host_dsa_key -D/etc/ssh_host_rsa_key=/usr/local/etc/ssh_host_rsa_key -D/var/run/sshd.pid=/var/run/sshd.pid -D/etc/primes=/usr/local/etc/primes -D/etc/sshrc=/usr/local/etc/sshrc -D/usr/X11R6/bin/xauth=/usr/openwin/bin/xauth ./scp.1
./fixpaths: cannot create output file scp.1.out: Permission denied
gmake: *** [scp.1] Error 13

-- 
Regards, David Highley
Highley Recommended, Inc.
2927 SW 339th Street
Federal Way, WA 98023-7732
Phone: (206) 669-0081
FAX: (253) 838-8509
Email: dhighley at highley-recommended.com
WEB: http://www.highley-recommended.com

From dhighley at mail.highley-recommended.com Thu Mar 8 17:22:40 2001
From: dhighley at mail.highley-recommended.com (David Highley)
Date: Wed, 7 Mar 2001 22:22:40 -0800 (PST)
Subject: Make Install Problems
Message-ID: <200103080622.f286MeU08056@hemlock.highley-recommended.com>

Attached are some quick modifications I made to fix the make install
problems that I previously sent e-mail about. I modified the Makefile and
the fixpaths perl script. In the make file I added suffixes for the manual
pages and the configuration files. Then I added implicit rules for
translating the manual files and configuration files to ".out" files. I
also renamed the configuration files to have a .cfg suffix. It's not
perfect as it makes no sense wasting time running the primes file through
the fixpaths script. But at least make does not try and do any work if all
the work requested is done already. I also needed to modify the install
files target for the file name changes. Attached are the modified Makefile
and fixpaths script.

-- 
Regards, David Highley
Highley Recommended, Inc.
2927 SW 339th Street
Federal Way, WA 98023-7732
Phone: (206) 669-0081
FAX: (253) 838-8509
Email: dhighley at highley-recommended.com
WEB: http://www.highley-recommended.com

-------------- next part --------------
#!/usr/bin/perl -w
#
# fixpaths - substitute makefile variables into text files

$usage = "Usage: $0 [-x] [-Dstring=replacement] [[infile] ...]\n";
$ext="out";

if (!@ARGV) { die ("$usage"); }

# read in the command line and get some definitions
while ($_=$ARGV[0], /^-/)
{
  if (/^-[Dx]/)
  {
    # definition
    shift(@ARGV);
    if ( /-D(.*)=(.*)/ )
    {
      $def{"$1"}=$2;
    }
    elsif ( /-x\s*(\w+)/ )
    {
      $ext=$1;
    }
    else
    {
      die ("$usage$0: error in command line arguments.\n");
    }
  }
  else
  {
    @cmd = split(//, $ARGV[0]); $opt = $cmd[1];
    die ("$usage$0: unknown option '-$opt'\n");
  }
} # while parsing arguments

if (!%def)
{
  die ("$0: nothing to do - no substitutions listed!\n");
}

for $f (@ARGV)
{
  # output name: basename of the input, everything from the first dot
  # replaced by .$ext, written into the current directory
  $f =~ /(.*\/)*(.*)$/;
  $of = $2;
  $of =~ s/^(.*?)(\.)(.*)$/$1/;
  $of = $of . ".$ext";

  open(IN, "<$f")   || die ("$0: input file $f missing!\n");
  open(OUT, ">$of") || die ("$0: cannot create output file $of: $!\n");

  while (<IN>)
  {
    # replace the first occurrence of each -D pattern on this line
    for $s (keys(%def))
    {
      s#$s#$def{$s}#;
    } # for $s
    print OUT;
  } # while <IN>
  close(IN);
  close(OUT);
} # for $f

exit 0;
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Makefile.new
Type: application/octet-stream
Size: 11064 bytes
Desc: ascii text
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010307/7257989e/attachment.obj

From djm at mindrot.org Thu Mar 8 20:21:40 2001
From: djm at mindrot.org (Damien Miller)
Date: Thu, 8 Mar 2001 20:21:40 +1100 (EST)
Subject: OpenSSH 2.5.1p1 won't compile on Solaris 8 x86 (fwd)

-- 
| Damien Miller \   ``E-mail attachments are the poor man's
| http://www.mindrot.org /    distributed filesystem'' - Dan Geer

---------- Forwarded message ----------
Date: Thu, 8 Mar 2001 09:39:19 +0100 (MET)
From: Martijn de Munnik
To: openssh at openssh.com
Subject: OpenSSH 2.5.1p1 won't compile on Solaris 8 x86

The error I get when I run make

gcc -g -O2 -Wall -I/usr/local/include -I/opt/include -I/opt/include -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c getcwd.c
getcwd.c:39: sys/dir.h: No such file or directory
*** Error code 1
make: Fatal error: Command failed for target `getcwd.o'
Current working directory /export/home/munnik/openssh-2.5.1p1/openbsd-compat
*** Error code 1
make: Fatal error: Command failed for target `openbsd-compat/libopenbsd-compat.a'

/usr/include/sys/dir.h doesn't exist on Solaris 8 x86, but there is a
/usr/ucbinclude/sys/dir.h, but when I include that directory it is getting
even worse.

Is this a known problem and is there a solution?

with regards

Martijn de Munnik

From Lutz.Jaenicke at aet.TU-Cottbus.DE Thu Mar 8 20:55:44 2001
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Thu, 8 Mar 2001 10:55:44 +0100 Subject: ssh-agent and id_dsa In-Reply-To: <20010308005643.A29261@folly>; from markus.friedl@informatik.uni-erlangen.de on Thu, Mar 08, 2001 at 12:56:43AM +0100 References: <20010220104029.A19671@ws01.aet.tu-cottbus.de> <20010220111219.A25897@faui02.informatik.uni-erlangen.de> <20010220113536.B19903@ws01.aet.tu-cottbus.de> <20010220225837.B16424@faui02l.informatik.uni-erlangen.de> <20010220233523.A8120@serv01.aet.tu-cottbus.de> <20010308005643.A29261@folly> Message-ID: <20010308105544.A25035@serv01.aet.tu-cottbus.de> On Thu, Mar 08, 2001 at 12:56:43AM +0100, Markus Friedl wrote: > On Tue, Feb 20, 2001 at 11:35:23PM +0100, Lutz Jaenicke wrote: > > > perhaps i add handling of SSH2_MSG_USERAUTH_PK_OK to the > > > ssh client, but i'm not sure. > > > > We'll see :-) > > ok try this: > > this patch implements client side handling of SSH2_MSG_USERAUTH_PK_OK > messages. > > this means that the client can check whether the server will accept > the public key and can delay the expensive signature operation until > the server replies: "yes this key is valid for login". Ok, I have applied the patch to today's CVS and it compiles fine. I have now connected to the resulting OpenSSH server without ssh-agent, it asked for my id_rsa key and the connection succeeded. Output from slogin is: ... debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: authentications that can continue: publickey,password,keyboard-interactive debug1: next auth method to try is publickey debug1: try pubkey: /home/aet/serv01/jaenicke/.ssh/id_rsa debug2: we sent a publickey packet, wait for reply debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 4001d8b8 hint 0 debug2: input_userauth_pk_ok: fp 04:c5:6a:dc:b9:44:e9:be:0a:5f:43:77:c5:49:21:83debug1: PEM_read_PrivateKey failed debug1: read SSH2 private key done: name success 0 Enter passphrase for key '/home/aet/serv01/jaenicke/.ssh/id_rsa': ... 
I have then started ssh-agent and loaded the id_rsa key. The connection failed with ... debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: authentications that can continue: publickey,password,keyboard-interactive debug1: next auth method to try is publickey debug1: userauth_pubkey_agent: testing agent key /home/aet/serv01/jaenicke/.ssh/id_rsa debug2: we sent a publickey packet, wait for reply debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 4001da88 hint -1 debug1: next auth method to try is publickey debug2: userauth_pubkey_agent: no more keys debug2: userauth_pubkey_agent: no message sent debug1: try pubkey: /home/aet/serv01/jaenicke/.ssh/id_rsa debug2: we sent a publickey packet, wait for reply Disconnecting: protocol error: rcvd type 60 debug1: Calling cleanup 0x4000dffa(0x0) On the serverside, this looked like: ... debug2: input_userauth_request: try method none Failed none for jaenicke from 141.43.132.151 port 1579 ssh2 debug1: userauth-request for user jaenicke service ssh-connection method publickey debug1: attempt 1 failures 1 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug1: matching key found: file /home/aet/serv01/jaenicke/.ssh/authorized_keys2, line 2 debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa Postponed publickey for jaenicke from 141.43.132.151 port 1579 ssh2 debug1: userauth-request for user jaenicke service ssh-connection method publickey debug1: attempt 2 failures 1 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug1: matching key found: file /home/aet/serv01/jaenicke/.ssh/authorized_keys2, line 2 debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa Postponed publickey for jaenicke from 141.43.132.151 port 1579 ssh2 Received disconnect from 141.43.132.151: 2: protocol error: rcvd type 60 debug1: Calling cleanup 0x4000ec22(0x0) I then wanted to retry with id_dsa instead of id_rsa, so I moved away my id_rsa key (and 
even commented out the key in authorized_keys2), but slogin insisted on asking me for the passphrase for a non-existent key... (Ok, it did stop after the third attempt and advanced to the id_dsa key which let me log in.) The login then succeeded and it did succeed as well with ssh-agent this time. (I have omitted the logs to keep this email reasonably short.)

Anything more you need?

Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From Lutz.Jaenicke at aet.TU-Cottbus.DE Thu Mar 8 21:49:12 2001
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Thu, 8 Mar 2001 11:49:12 +0100
Subject: ssh-agent and id_dsa
In-Reply-To: <20010308105544.A25035@serv01.aet.tu-cottbus.de>; from Lutz.Jaenicke@aet.TU-Cottbus.DE on Thu, Mar 08, 2001 at 10:55:44AM +0100
References: <20010220104029.A19671@ws01.aet.tu-cottbus.de> <20010220111219.A25897@faui02.informatik.uni-erlangen.de> <20010220113536.B19903@ws01.aet.tu-cottbus.de> <20010220225837.B16424@faui02l.informatik.uni-erlangen.de> <20010220233523.A8120@serv01.aet.tu-cottbus.de> <20010308005643.A29261@folly> <20010308105544.A25035@serv01.aet.tu-cottbus.de>
Message-ID: <20010308114912.A13746@serv01.aet.tu-cottbus.de>

On Thu, Mar 08, 2001 at 10:55:44AM +0100, Lutz Jaenicke wrote:
> On Thu, Mar 08, 2001 at 12:56:43AM +0100, Markus Friedl wrote:
> > On Tue, Feb 20, 2001 at 11:35:23PM +0100, Lutz Jaenicke wrote:
> > > > perhaps i add handling of SSH2_MSG_USERAUTH_PK_OK to the
> > > > ssh client, but i'm not sure.
> > >
> > > We'll see :-)
> >
> > ok try this:
> >
> > this patch implements client side handling of SSH2_MSG_USERAUTH_PK_OK
> > messages.
> >
> > this means that the client can check whether the server will accept
> > the public key and can delay the expensive signature operation until
> > the server replies: "yes this key is valid for login".

Ok, as another update: the functionality intended (do not try a key if it won't work anyway) seems to work.

Best regards,
Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From Markus.Friedl at informatik.uni-erlangen.de Thu Mar 8 22:25:51 2001
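The exchange Markus describes above, modelled as an added example (this is not OpenSSH code and not code from anyone in the thread). It follows the publickey method of the SSH userauth protocol (RFC 4252 section 7, message numbers 50/51/52/60): the client first offers a key with the has-signature flag clear, the server answers SSH2_MSG_USERAUTH_PK_OK (type 60) only if the key would be accepted, and the client signs only after that reply, so keys the server will refuse never cost a signature. The client also has to remember which key it last offered in order to match the PK_OK reply to it; the lose_last_key switch models that bookkeeping going wrong, which is the "protocol error: rcvd type 60" failure debugged later in this thread. The key material, session identifier and user name are constructed, and signatures are stood in by HMAC-SHA256 over a per-key secret so the example runs offline (real SSH uses RSA or DSA here).

```python
"""Model of the two-phase SSH2 publickey exchange (SSH2_MSG_USERAUTH_PK_OK).

Added example, not OpenSSH code.  Message layout follows RFC 4252 section 7;
the signature primitive is an HMAC stand-in (assumption for offline running).
"""
import hashlib
import hmac
import struct

SSH2_MSG_USERAUTH_REQUEST = 50
SSH2_MSG_USERAUTH_FAILURE = 51
SSH2_MSG_USERAUTH_SUCCESS = 52
SSH2_MSG_USERAUTH_PK_OK = 60


def put_string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def get_string(buf: bytes, off: int):
    """Read one SSH string at buf[off]; returns (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


class Key:
    """Key-pair stand-in: the public blob is what travels on the wire."""
    def __init__(self, name: str, alg: str, secret: bytes):
        self.name, self.alg, self.secret = name, alg, secret
        self.blob = put_string(alg.encode()) + put_string(hashlib.sha256(secret).digest())

    def sign(self, data: bytes) -> bytes:
        return hmac.new(self.secret, data, hashlib.sha256).digest()

    def verify(self, data: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(data), sig)


def userauth_request(user: str, key: Key, session_id: bytes, sign: bool) -> bytes:
    """SSH2_MSG_USERAUTH_REQUEST, method "publickey", with or without signature."""
    body = (bytes([SSH2_MSG_USERAUTH_REQUEST]) + put_string(user.encode())
            + put_string(b"ssh-connection") + put_string(b"publickey")
            + bytes([1 if sign else 0]) + put_string(key.alg.encode())
            + put_string(key.blob))
    if sign:
        # The signature covers the session identifier and the request itself.
        body += put_string(key.sign(put_string(session_id) + body))
    return body


class Server:
    def __init__(self, authorized: dict):
        self.authorized = authorized            # user -> list of accepted keys
        self.session_id = b"constructed-session-id"

    def handle(self, msg: bytes) -> bytes:
        assert msg[0] == SSH2_MSG_USERAUTH_REQUEST
        user, off = get_string(msg, 1)
        _service, off = get_string(msg, off)
        method, off = get_string(msg, off)
        has_sig = msg[off] == 1
        off += 1
        alg, off = get_string(msg, off)
        blob, off = get_string(msg, off)
        match = next((k for k in self.authorized.get(user.decode(), [])
                      if k.blob == blob), None)
        if method != b"publickey" or match is None:
            return bytes([SSH2_MSG_USERAUTH_FAILURE])
        if not has_sig:
            # "yes, this key is valid for login": PK_OK echoes pkalg and blob.
            return bytes([SSH2_MSG_USERAUTH_PK_OK]) + put_string(alg) + put_string(blob)
        sig, _ = get_string(msg, off)
        ok = match.verify(put_string(self.session_id) + msg[:off], sig)
        return bytes([SSH2_MSG_USERAUTH_SUCCESS if ok else SSH2_MSG_USERAUTH_FAILURE])


def client_login(server: Server, user: str, keys: list, lose_last_key: bool = False):
    """Offer each key, sign only after PK_OK.  Returns (outcome, signatures made)."""
    signatures = 0
    for key in keys:
        last_key = key                          # remember which key we offered
        reply = server.handle(userauth_request(user, key, server.session_id, sign=False))
        if reply[0] != SSH2_MSG_USERAUTH_PK_OK:
            continue                            # would be refused: no signing needed
        if lose_last_key:
            last_key = None                     # models the broken bookkeeping in the thread
        _alg, off = get_string(reply, 1)
        blob, _ = get_string(reply, off)
        if last_key is None or blob != last_key.blob:
            # PK_OK cannot be matched to an offered key; OpenSSH 2.5.1 disconnected here.
            return "protocol error: rcvd type 60", signatures
        signatures += 1
        reply = server.handle(userauth_request(user, key, server.session_id, sign=True))
        if reply[0] == SSH2_MSG_USERAUTH_SUCCESS:
            return "success with " + key.name, signatures
    return "all keys rejected", signatures


# Constructed keys: id_rsa is not in authorized_keys, id_dsa is.
ID_RSA = Key("id_rsa", "ssh-rsa", b"constructed rsa secret")
ID_DSA = Key("id_dsa", "ssh-dss", b"constructed dsa secret")
SERVER = Server({"jaenicke": [ID_DSA]})

if __name__ == "__main__":
    print(client_login(SERVER, "jaenicke", [ID_RSA, ID_DSA]))
    print(client_login(SERVER, "jaenicke", [ID_RSA, ID_DSA], lose_last_key=True))
```

Run stand-alone, the first call logs in with id_dsa after exactly one signature (id_rsa is refused at the query stage and never signed); the second shows what happens when the client cannot tie the PK_OK reply back to the key it offered.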
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 8 Mar 2001 12:25:51 +0100 Subject: ssh-agent and id_dsa In-Reply-To: <20010308105544.A25035@serv01.aet.tu-cottbus.de>; from Lutz.Jaenicke@aet.TU-Cottbus.DE on Thu, Mar 08, 2001 at 10:55:44AM +0100 References: <20010220104029.A19671@ws01.aet.tu-cottbus.de> <20010220111219.A25897@faui02.informatik.uni-erlangen.de> <20010220113536.B19903@ws01.aet.tu-cottbus.de> <20010220225837.B16424@faui02l.informatik.uni-erlangen.de> <20010220233523.A8120@serv01.aet.tu-cottbus.de> <20010308005643.A29261@folly> <20010308105544.A25035@serv01.aet.tu-cottbus.de> Message-ID: <20010308122551.A27461@faui02.informatik.uni-erlangen.de> On Thu, Mar 08, 2001 at 10:55:44AM +0100, Lutz Jaenicke wrote: > debug1: got SSH2_MSG_SERVICE_ACCEPT > debug1: authentications that can continue: publickey,password,keyboard-interactive > debug1: next auth method to try is publickey > debug1: userauth_pubkey_agent: testing agent key /home/aet/serv01/jaenicke/.ssh/id_rsa > debug2: we sent a publickey packet, wait for reply > debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 4001da88 hint -1 this means the server will accept the agent key. it did stop here? you did not login automatically?? could you try -v -v -v? (server output is not relevant). > debug1: next auth method to try is publickey > debug2: userauth_pubkey_agent: no more keys > debug2: userauth_pubkey_agent: no message sent > debug1: try pubkey: /home/aet/serv01/jaenicke/.ssh/id_rsa > debug2: we sent a publickey packet, wait for reply > Disconnecting: protocol error: rcvd type 60 > debug1: Calling cleanup 0x4000dffa(0x0) From Lutz.Jaenicke at aet.TU-Cottbus.DE Thu Mar 8 22:49:43 2001 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Thu, 8 Mar 2001 12:49:43 +0100 Subject: ssh-agent and id_dsa In-Reply-To: <20010308122551.A27461@faui02.informatik.uni-erlangen.de>; from Markus.Friedl@informatik.uni-erlangen.de on Thu, Mar 08, 2001 at 12:25:51PM +0100 References: <20010220104029.A19671@ws01.aet.tu-cottbus.de> <20010220111219.A25897@faui02.informatik.uni-erlangen.de> <20010220113536.B19903@ws01.aet.tu-cottbus.de> <20010220225837.B16424@faui02l.informatik.uni-erlangen.de> <20010220233523.A8120@serv01.aet.tu-cottbus.de> <20010308005643.A29261@folly> <20010308105544.A25035@serv01.aet.tu-cottbus.de> <20010308122551.A27461@faui02.informatik.uni-erlangen.de> Message-ID: <20010308124943.A20128@serv01.aet.tu-cottbus.de> On Thu, Mar 08, 2001 at 12:25:51PM +0100, Markus Friedl wrote: > On Thu, Mar 08, 2001 at 10:55:44AM +0100, Lutz Jaenicke wrote: > > debug1: got SSH2_MSG_SERVICE_ACCEPT > > debug1: authentications that can continue: publickey,password,keyboard-interactive > > debug1: next auth method to try is publickey > > debug1: userauth_pubkey_agent: testing agent key /home/aet/serv01/jaenicke/.ssh/id_rsa > > debug2: we sent a publickey packet, wait for reply > > debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 4001da88 hint -1 > > this means the server will accept the agent key. > > it did stop here? you did not login automatically?? It does mean precisely that, the login failed with the error shown below. > could you try -v -v -v? > (server output is not relevant). > > > debug1: next auth method to try is publickey > > debug2: userauth_pubkey_agent: no more keys > > debug2: userauth_pubkey_agent: no message sent > > debug1: try pubkey: /home/aet/serv01/jaenicke/.ssh/id_rsa > > debug2: we sent a publickey packet, wait for reply > > Disconnecting: protocol error: rcvd type 60 > > debug1: Calling cleanup 0x4000dffa(0x0) And here is the output with triple -v: debug1: done: KEX2. 
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list
debug3: authmethod_lookup publickey
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key /home/aet/serv01/jaenicke/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 4001da88 hint -1
debug3: authmethod_lookup publickey
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug2: userauth_pubkey_agent: no more keys
debug2: userauth_pubkey_agent: no message sent
debug1: try pubkey: /home/aet/serv01/jaenicke/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
Disconnecting: protocol error: rcvd type 60
debug1: Calling cleanup 0x4000dffa(0x0)

I can also add my id_dsa key into ssh-agent to no avail:

debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list
debug3: authmethod_lookup publickey
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key /home/aet/serv01/jaenicke/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 4001da88 hint -1
debug3: authmethod_lookup publickey
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key /home/aet/serv01/jaenicke/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
Disconnecting: protocol error: rcvd type 60
debug1: Calling cleanup 0x4000dffa(0x0)

Best regards,
Lutz
--
Lutz Jaenicke
Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From Markus.Friedl at informatik.uni-erlangen.de Thu Mar 8 23:29:00 2001 
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 8 Mar 2001 13:29:00 +0100 Subject: ssh-agent and id_dsa In-Reply-To: <20010308124943.A20128@serv01.aet.tu-cottbus.de>; from Lutz.Jaenicke@aet.TU-Cottbus.DE on Thu, Mar 08, 2001 at 12:49:43PM +0100 References: <20010220104029.A19671@ws01.aet.tu-cottbus.de> <20010220111219.A25897@faui02.informatik.uni-erlangen.de> <20010220113536.B19903@ws01.aet.tu-cottbus.de> <20010220225837.B16424@faui02l.informatik.uni-erlangen.de> <20010220233523.A8120@serv01.aet.tu-cottbus.de> <20010308005643.A29261@folly> <20010308105544.A25035@serv01.aet.tu-cottbus.de> <20010308122551.A27461@faui02.informatik.uni-erlangen.de> <20010308124943.A20128@serv01.aet.tu-cottbus.de> Message-ID: <20010308132900.A141@faui02.informatik.uni-erlangen.de> On Thu, Mar 08, 2001 at 12:49:43PM +0100, Lutz Jaenicke wrote: > debug1: userauth_pubkey_agent: testing agent key /home/aet/serv01/jaenicke/.ssh/id_rsa > debug2: we sent a publickey packet, wait for reply > debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 4001da88 hint -1 i don't understand why 'ssh' does not try to send a pubkey packet. 
could you please add debug statements to the 'if':

	if (authctxt->last_key != NULL &&
	    authctxt->last_key_sign != NULL &&
	    key_type_from_name(pkalg) != KEY_UNSPEC &&
-> debug key_type_from_name(pkalg)
	    (key = key_from_blob(pkblob, blen)) != NULL &&
-> debug %p, key
-> debug key_fingerprint(key)
-> debug key_fingerprint(authctxt->last_key)
	    key_equal(key, authctxt->last_key)) {
		debug2("input_userauth_pk_ok: fp %s", key_fingerprint(key));
		sent = sign_and_send_pubkey(authctxt, key,
		    authctxt->last_key_sign);
	}

> debug3: authmethod_lookup publickey
> debug3: authmethod_is_enabled publickey
> debug1: next auth method to try is publickey
> debug2: userauth_pubkey_agent: no more keys
> debug2: userauth_pubkey_agent: no message sent
> debug1: try pubkey: /home/aet/serv01/jaenicke/.ssh/id_rsa
> debug2: we sent a publickey packet, wait for reply
> Disconnecting: protocol error: rcvd type 60
> debug1: Calling cleanup 0x4000dffa(0x0)
>
> I can also add my id_dsa key into ssh-agent to no avail:
> debug1: send SSH2_MSG_SERVICE_REQUEST
> debug1: service_accept: ssh-userauth
> debug1: got SSH2_MSG_SERVICE_ACCEPT
> debug1: authentications that can continue: publickey,password,keyboard-interactive
> debug3: start over, passed a different list
> debug3: authmethod_lookup publickey
> debug3: authmethod_is_enabled publickey
> debug1: next auth method to try is publickey
> debug1: userauth_pubkey_agent: testing agent key /home/aet/serv01/jaenicke/.ssh/id_rsa
> debug2: we sent a publickey packet, wait for reply
> debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 4001da88 hint -1
> debug3: authmethod_lookup publickey
> debug3: authmethod_is_enabled publickey
> debug1: next auth method to try is publickey
> debug1: userauth_pubkey_agent: testing agent key /home/aet/serv01/jaenicke/.ssh/id_dsa
> debug2: we sent a publickey packet, wait for reply
> Disconnecting: protocol error: rcvd type 60
> debug1: Calling cleanup 0x4000dffa(0x0)
>
> Best regards,
> Lutz
> --
> Lutz Jaenicke
Lutz.Jaenicke at aet.TU-Cottbus.DE > BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ > Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 > Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 > From Lutz.Jaenicke at aet.TU-Cottbus.DE Fri Mar 9 00:37:14 2001 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Thu, 8 Mar 2001 14:37:14 +0100 Subject: ssh-agent and id_dsa In-Reply-To: <20010308132900.A141@faui02.informatik.uni-erlangen.de>; from Markus.Friedl@informatik.uni-erlangen.de on Thu, Mar 08, 2001 at 01:29:00PM +0100 References: <20010220104029.A19671@ws01.aet.tu-cottbus.de> <20010220111219.A25897@faui02.informatik.uni-erlangen.de> <20010220113536.B19903@ws01.aet.tu-cottbus.de> <20010220225837.B16424@faui02l.informatik.uni-erlangen.de> <20010220233523.A8120@serv01.aet.tu-cottbus.de> <20010308005643.A29261@folly> <20010308105544.A25035@serv01.aet.tu-cottbus.de> <20010308122551.A27461@faui02.informatik.uni-erlangen.de> <20010308124943.A20128@serv01.aet.tu-cottbus.de> <20010308132900.A141@faui02.informatik.uni-erlangen.de> Message-ID: <20010308143714.A26745@serv01.aet.tu-cottbus.de> On Thu, Mar 08, 2001 at 01:29:00PM +0100, Markus Friedl wrote: > On Thu, Mar 08, 2001 at 12:49:43PM +0100, Lutz Jaenicke wrote: > > debug1: userauth_pubkey_agent: testing agent key /home/aet/serv01/jaenicke/.ssh/id_rsa > > debug2: we sent a publickey packet, wait for reply > > debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 4001da88 hint -1 > > i don't understand why 'ssh' does not try to send a pubkey packet. > > could you please add debug statements to the 'if': I have used the following construct: ... 
	debug("input_userauth_pk_ok: pkalg %s blen %d lastkey %p hint %d",
	    pkalg, blen, authctxt->last_key, authctxt->last_key_hint);
	debug2("key_type_from_name(pkalg)=%d", key_type_from_name(pkalg));
	key = key_from_blob(pkblob, blen);
	debug2("key at %p", key);
	debug2("key_fingerprint(key)=%s", key_fingerprint(key));
	debug2("key_fingerprint(authctxt->last_key)=%s",
	    key_fingerprint(authctxt->last_key));
	if (authctxt->last_key != NULL &&
	    authctxt->last_key_sign != NULL &&
	    key_type_from_name(pkalg) != KEY_UNSPEC &&
	    (key = key_from_blob(pkblob, blen)) != NULL &&
	    key_equal(key, authctxt->last_key)) {
		debug2("input_userauth_pk_ok: fp %s", key_fingerprint(key));
		sent = sign_and_send_pubkey(authctxt, key,
		    authctxt->last_key_sign);
	}
...

and found the following result:

debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 4001db08 hint -1
debug2: key_type_from_name(pkalg)=1
debug2: key at 40028ad0
debug2: key_fingerprint(key)=04:c5:6a:dc:b9:44:e9:be:0a:5f:43:77:c5:49:21:83
key_fingerprint: bad key type 26669
debug1: Calling cleanup 0x4000e06a(0x0)

Following this output it seems that something is strange with authctxt->last_key

Best regards,
Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From mouring at etoh.eviladmin.org Fri Mar 9 01:58:47 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 8 Mar 2001 08:58:47 -0600 (CST)
Subject: OpenSSH 2.5.1p1 won't compile on Solaris 8 x86 (fwd)
In-Reply-To:
Message-ID:

>---------- Forwarded message ----------
>Date: Thu, 8 Mar 2001 09:39:19 +0100 (MET)
>From: Martijn de Munnik
>To: openssh at openssh.com
>Subject: OpenSSH 2.5.1p1 won't compile on Solaris 8 x86
>
>The error I get when I run make
>
>gcc -g -O2 -Wall -I/usr/local/include -I/opt/include -I/opt/include -I.
>-I.. -I. -I./.. -DHAVE_CONFIG_H -c getcwd.c
>getcwd.c:39: sys/dir.h: No such file or directory
>*** Error code 1
>make: Fatal error: Command failed for target `getcwd.o'
>Current working directory
>/export/home/munnik/openssh-2.5.1p1/openbsd-compat
>*** Error code 1
>make: Fatal error: Command failed for target
>`openbsd-compat/libopenbsd-compat.a'

Can you check to see if you have a manpage for 'getcwd' for Solaris 8? I have one for Solaris 7. I can't see them throwing out a standard C function.

You should be using 2.5.1p2. 2.5.1p1 has a few known issues with Solaris.

Thanks.

- Ben

From brhamon at cisco.com Fri Mar 9 03:20:44 2001
From: brhamon at cisco.com (Brian Hamon)
Date: Thu, 08 Mar 2001 10:20:44 -0600
Subject: OpenSSH 2.5.1p1 won't compile on Solaris 8 x86 (fwd)
In-Reply-To:
References:
Message-ID: <4.3.2.7.2.20010308101256.018ce648@3rdclass.cisco.com>

sys/dir.h is normally found in the /usr/include directory. The file bears a GNU license, so it is likely part of the gcc environment. If you are missing this file, you might have gcc installed improperly. I've successfully built OpenSSH-2.5.1p2 on Solaris8 x86 with Forte Workshop 6.0 ("cc"). Those boxes do not have "sys/dir.h".

At 08:58 AM 3/8/2001, mouring at etoh.eviladmin.org wrote:
> >---------- Forwarded message ----------
> >Date: Thu, 8 Mar 2001 09:39:19 +0100 (MET)
> >From: Martijn de Munnik
> >To: openssh at openssh.com
> >Subject: OpenSSH 2.5.1p1 won't compile on Solaris 8 x86
> >
> >The error I get when I run make
> >
> >gcc -g -O2 -Wall -I/usr/local/include -I/opt/include -I/opt/include -I.
> >-I.. -I. -I./.. -DHAVE_CONFIG_H -c getcwd.c
> >getcwd.c:39: sys/dir.h: No such file or directory
> >*** Error code 1
> >make: Fatal error: Command failed for target `getcwd.o'
> >Current working directory
> >/export/home/munnik/openssh-2.5.1p1/openbsd-compat
> >*** Error code 1
> >make: Fatal error: Command failed for target
> >`openbsd-compat/libopenbsd-compat.a'
>
> Can you check to see if you have a manpage for 'getcwd' for Solaris 8? I
> have one for Solaris 7. I can't see them throwing out a standard C
> function.
>
> You should be using 2.5.1p2. 2.5.1p1 has a few known issues with Solaris.
>
> Thanks.
>
> - Ben

From astrand at lysator.liu.se Fri Mar 9 03:17:34 2001
From: astrand at lysator.liu.se (Peter Åstrand)
Date: Thu, 8 Mar 2001 17:17:34 +0100 (CET)
Subject: how can I reduce binary size of sshd?
Message-ID:

Damien Miller wrote:

>This is what we pull in from the OpenSSL headers. It may be a
>rough guide to what we use:
>
>#include
>#include
>#include
>#include
>#include
>#include
>#include
>#include
>#include
>#include
>#include
>#include
>#include
>#include
>#include
>#include
>#include

Which algorithms are really required in OpenSSH? I've tried to compile OpenSSL without for example RSA support, but then I couldn't compile OpenSSH.

I'm also wondering if anybody has experience with running lots of SSH connections on one single server (1000 or so).

--
/Peter Åstrand

From starback at ling.uu.se Fri Mar 9 04:46:51 2001
From: starback at ling.uu.se (Per Starback)
Date: 08 Mar 2001 18:46:51 +0100
Subject: -I order
Message-ID:

When I built openssh 2.5.1p2 on AIX it included /usr/local/include for me. That's in configure:

case "$host" in
*-*-aix*)
	AFS_LIBS="-lld"
	CPPFLAGS="$CPPFLAGS -I/usr/local/include"
[...]

Then when including "config.h" in openbsd-compat/openbsd-compat.h that found some old /usr/local/include/config.h I had instead of the config.h that it meant to use. I suggest using another order for those -I arguments.

From olemx at ans.pl Fri Mar 9 06:25:09 2001
From: olemx at ans.pl (Krzysztof Oledzki)
Date: Thu, 8 Mar 2001 20:25:09 +0100 (CET)
Subject: Strange problem with OpenSSH_2.5.1p1
In-Reply-To:
Message-ID:

On Thu, 8 Mar 2001, Damien Miller wrote:

> On Wed, 7 Mar 2001, Krzysztof Oledzki wrote:
>
> > Hello :)
> >
> > I have just installed OpenSSH_2.5.1p1 in one of my machines and I've one
> > strange problem during connection from at least ssh-1.2.x clients.
> >
> > When I'm connected and only receiving data (for example looking into logs
> > with tail -f, watching my talk session, or something similar) after some
> > time (and some received data) session hangs until I send any data (by
> > pressing any key - like backspace, space, etc).
>
> Is there are firewall, NAT device or masquerading router between you and
> the machine that you are connecting to?

Ok. I've done some tests:

1. local computer: ssh-1.2.27
   remote computer: OpenSSH_2.5.1p1
   Both are connected to internet without NAT, local by 2Mbits HDSL, remote by 1 Mbit HDSL
   command watched: watch -n 1 tc -s class show dev eth1

2. local computer: ssh-1.2.27 (the same like in first case)
   remote computer: OpenSSH_2.5.1p1
   Both are directly connected to local heavily loaded 100Mbit network
   command watched: watch -n 1 w

   And... sometimes it is possible to observe this behaviour after ~10-30 seconds and sometimes I can wait for more than 20 minutes without any result :(

3. local computer: ssh-1.2.30 (but I'm not sure if this is 1.2.30)
   remote computer: OpenSSH_2.5.1p1 (the same like in first case)
   Both are connected to internet without NAT, by 2Mbits HDSL
   command watched: talk to friend... after some typed characters session hung. Then I pressed space and 5 new lines appeared..

Today I have connected from the same local computer to that remote computer and.. I have not been able to observe my problem :((

I understand that it is very hard to find the reason of my problem but it really happens to me!
;-))

Best regards,
Krzysztof Oledzki

From mouring at etoh.eviladmin.org Fri Mar 9 06:32:02 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 8 Mar 2001 13:32:02 -0600 (CST)
Subject: -I order
In-Reply-To:
Message-ID:

On 8 Mar 2001, Per Starback wrote:

> When I built openssh 2.5.1p2 on AIX it included /usr/local/include
> for me. That's in configure:
>
> case "$host" in
> *-*-aix*)
> 	AFS_LIBS="-lld"
> 	CPPFLAGS="$CPPFLAGS -I/usr/local/include"
> [...]
>
> Then when including "config.h" in openbsd-compat/openbsd-compat.h
> that found some old /usr/local/include/config.h I had instead of
> the config.h that it meant to use. I suggest using another order for
> those -I arguments.
>

The better place for this would be in the Makefile.in files. However I would love to know what broken application calls its header file 'config.h'. =)

CPPFLAGS=@CPPFLAGS@ -I. -I$(srcdir)/openbsd-compat -I$(srcdir) $(PATHS) @DEFS@

Should be considered changed to:

CPPFLAGS=-I. -I$(srcdir)/openbsd-compat -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@

- Ben

From gert at greenie.muc.de Fri Mar 9 08:17:38 2001
From: gert at greenie.muc.de (Gert Doering) Date: Thu, 8 Mar 2001 22:17:38 +0100 Subject: PRNGD/TCP In-Reply-To: ; from Damien Miller on Wed, Mar 07, 2001 at 10:05:07AM +1100 References: <20010306234319.D19733@greenie.muc.de> Message-ID: <20010308221738.D20719@greenie.muc.de> Hi, On Wed, Mar 07, 2001 at 10:05:07AM +1100, Damien Miller wrote: > > now to patching openssh to actually *use* prngd/socket... :-) > Was done last week - use the "--with-prngd-port=XXX" configure option. OpenSSH + PRNGD + SCO3 seem to work nicely. Thanks! One other thing: I'm not fully convinced that current OpenSSH does everything right regarding utmp/wtmp on SCO3 yet (ttys have been allocated ttyp10, ttyp13, ttyp15 in my last test - with nobody using p11, p12 and p14 -> ???), but it looks pretty promising otherwise. Will look into that utmp issue RSN. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From djm at mindrot.org Fri Mar 9 10:42:54 2001 
From: djm at mindrot.org (Damien Miller)
Date: Fri, 9 Mar 2001 10:42:54 +1100 (EST)
Subject: how can I reduce binary size of sshd?
In-Reply-To:
Message-ID:

On Thu, 8 Mar 2001, Peter Åstrand wrote:

>
> Damien Miller wrote:
>
> >This is what we pull in from the OpenSSL headers. It may be a
> >rough guide to what we use:
> >
> >#include
> >#include
> >#include
> >#include
> >#include
> >#include
> >#include
> >#include
> >#include
> >#include
> >#include
> >#include
> >#include
> >#include
> >#include
> >#include
> >#include
>
> Which algorithms are really required in OpenSSH? I've tried to compile
> OpenSSL without for example RSA support, but then I couldn't compile OpenSSH.

Blowfish, CAST-128, (3)DES, Diffie-Hellman, DSA, HMAC, MD5, RC4, RSA, SHA, Rijndael (not from OpenSSL, though). I think that is all of them :)

> I'm also wondering if anybody has experience with running lots of SSH
> connections on one single server (1000 or so).

Make sure you don't run into process or fd limits.

-d

--
| Damien Miller \   ``E-mail attachments are the poor man's
| http://www.mindrot.org /   distributed filesystem'' - Dan Geer

From slade at shore.net Fri Mar 9 19:09:35 2001
From: slade at shore.net (Richard E. Silverman)
Date: Fri, 9 Mar 2001 03:09:35 -0500
Subject: spelling error
Message-ID: <200103090809.DAA08754@syrinx.oankali.net>

minor bug: generate_empheral_server_key() is mis-spelled; it should be:

generate_ephemeral_server_key

- Richard

From abartlet at pcug.org.au Fri Mar 9 22:46:55 2001
From: abartlet at pcug.org.au (Andrew Bartlett)
Date: Fri, 09 Mar 2001 22:46:55 +1100
Subject: Forcing PTY usage.
Message-ID: <3AA8C2AF.8215A194@bartlett.house>

I have been studying the OpenSSH code, and am looking to use it in an environment with untrusted local users. I have some patches to this effect, which I will post to the list in due course.

In any case, I would like all users who successfully authenticate to leave their mark in the system logs, in particular utmp and wtmp. As these logs mean diddly-squat without unique terminal names (and don't work anyway), I was wondering what would happen if all sessions were forced to use a pty?

I presume the 'forced' tty would need to be modified to ignore escape characters, but are there any other fundamental problems with the idea?

Thanks,

Andrew Bartlett

--
Andrew Bartlett
abartlet at pcug.org.au

From keithw at rightorder.com Sat Mar 10 04:52:45 2001
From: keithw at rightorder.com (Keith Wesolowski) Date: Fri, 9 Mar 2001 09:52:45 -0800 Subject: Port forwarding problem with 2.5.1p2 Message-ID: <20010309095245.A32745@rightorder.com> Hi, There appears to be a bug in 2.5.1p2 that is not present on 2.3.0p1. The environment in question is Solaris, on either Intel or Sparc. The arrangement is as follows: System bar forwards a port from itself to system baz by doing su portfw -c 'ssh -2 -P -N -f -g -L 3333:baz:22 baz' System foo, which can talk to bar but not baz, initiates an ssh connection to bar port 3333, and is able to log in through that to baz, which runs an sshd on port 22. The problem is that this only works once. After disconnecting from baz, a subsequent attempt to connect in this manner causes an error ssh_exchange_identification: Connection closed by remote host, and the ssh process doing port forwarding on bar dies (it also gives a message, Connection closed by remote host). Restarting the ssh port forwarding process causes it to work again, once, and so on so that if I run the port forwarder in a loop, so that when it dies a new one starts up, then connection attempts from foo to baz alternate between error and proper functioning. This did not happen with 2.3.0p1. Further investigation reveals that if baz is running 2.3.0p1 then it works regardless of the versions that foo and bar are running. Any ideas? It seems likely that this is a bug, or at least an undocumented behaviour change. Thanks in advance for any help. -- Keith M Wesolowski Systems Administrator RightOrder, Inc. From kevino at eonline.com Fri Mar 9 02:34:31 2001 
From: kevino at eonline.com (Kevin O'Brien)
Date: Thu, 8 Mar 2001 07:34:31 -0800
Subject: OpenSSH 2.5.0p* hangs and logout when process backgrounded
Message-ID: <450A452751F25C4BA4E2228A5186D71606C5E0E7@LA_EXCHANGE.eentertainment.com>

Since I upgraded everything up to OpenSSH2.5.0p*, anytime I logout from a terminal where I backgrounded a process, the terminal will not close until the process is finished. Anyone else experiencing this or know why this is going on?

Kevin O'Brien
Systems/Network Administrator
E! Online, LLC
http://www.eonline.com

From dfetter at pdx.medscapeinc.com Thu Mar 8 05:58:26 2001
From: dfetter at pdx.medscapeinc.com (David Fetter)
Date: Wed, 7 Mar 2001 10:58:26 -0800
Subject: OpenSSH 2.5.1p2 w/ skey support fails
Message-ID: <1D8183D5157DD411B8D7009027DDD54201AE5A42@MS-PDX-EX01>

I'm trying to compile skey support into our OpenSSH distro and it's failing to configure. It complains about missing libraries. I downloaded and compiled the latest skey-1.1 and installed it into /usr/local. I tried using --with-skey=/usr/local, --with-skey=/usr/local/lib, --with-skey=/usr/local/include and --with-skey=/usr/local/bin. None of these worked. I'm assuming the correct syntax should be to point it to /usr/local/lib but perhaps I'm mistaken. Has anybody else gotten this to compile in properly?

David M. Fetter
UNIX Systems Administrator

From speno at isc.upenn.edu Sat Mar 10 07:38:14 2001
From: speno at isc.upenn.edu (John P Speno) Date: Fri, 9 Mar 2001 15:38:14 -0500 Subject: [PATCH] for Re: OSF_SIA bug in 2.3.0p1 In-Reply-To: <20010301113311.B167828@isc.upenn.edu>; from speno@isc.upenn.edu on Thu, Mar 01, 2001 at 11:33:11AM -0500 References: <200102120514.f1C5Eex16051@ariel.ucs.unimelb.edu.au> <20010212112224.F7301@HiWAAY.net> <20010301113311.B167828@isc.upenn.edu> Message-ID: <20010309153814.K298109@isc.upenn.edu> On Thu, Mar 01, 2001 at 11:33:11AM -0500, John P Speno wrote: > The issue is that last login times and /etc/motd are printed from do_login > in session.c, but session_setup_sia which checks for locked accounts is in > do_child which runs after do_login. So, if you authenticate yourself but > your account is locked, you will still see your last login time and > /etc/motd. What's worse is that the login will be recorded in > /var/adm/lastlog as if it were a normal successful login (which it really > isn't, as the account is locked). > > When using SIA on Tru64 UNIX, perhaps it would be "best" if updating and > printing the last login time was disabled because sia_ses_launch will > already take care of it (and do it "better" in this case). > > By the same token, perhaps the printing of /etc/motd could be disabled in > do_login when SIA support is enabled, and moved into session_setup_sia? Chris (et al): Could you test these patches on your Tru64 UNIX 4.x and 5.x systems. They implement the above ideas. In short, do_login is skipped when HAVE_OSF_SIA is enabled since the things do_login does are also done better in the Tru64 SIA routines. Also, session_setup_sia will now show /etc/motd if appropriate. I needed a place to stick this, and session_setup_sia in auth-sia.c seemed ok at the time. I'm not sure of that now. Consider this a first draft for changes: --- session.c 2001/03/01 15:59:54 +++ session.c 2001/03/09 20:22:25 
@@ -638,10 +638,11 @@ /* Close the extra descriptor for the pseudo tty. */ close(ttyfd); +#ifndef HAVE_OSF_SIA /* record login, etc. similar to login(1) */ if (!(options.use_login && command == NULL)) do_login(s, command); - +#endif /* Do common processing for the child, such as execing the command. */ do_child(command, pw, s->term, s->display, s->auth_proto, s->auth_data, s->tty); @@ -773,6 +774,7 @@ else printf("Last login: %s from %s\r\n", time_string, hostname); } + if (options.print_motd) { #ifdef HAVE_LOGIN_CAP f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", @@ -1042,7 +1044,7 @@ /* login(1) is only called if we execute the login shell */ if (options.use_login && command != NULL) options.use_login = 0; - +#ifndef HAVE_OSF_SIA #ifndef USE_PAM /* pam_nologin handles this */ if (!options.use_login) { # ifdef HAVE_LOGIN_CAP @@ -1062,6 +1064,7 @@ } } #endif /* USE_PAM */ +#endif /* HAVE_OSF_SIA */ /* Set login name, uid, gid, and groups. */ /* Login(1) does this as well, and it needs uid 0 for the "-h" @@ -1068,7 +1071,7 @@ switch, so we let login(1) to this for us. */ if (!options.use_login) { #ifdef HAVE_OSF_SIA - session_setup_sia(pw->pw_name, ttyname); + session_setup_sia(pw->pw_name, ttyname, command==NULL); #else /* HAVE_OSF_SIA */ #ifdef HAVE_CYGWIN if (is_winnt) { --- auth-sia.h 2001/03/01 20:43:38 +++ auth-sia.h 2001/03/09 20:22:38 @@ -3,6 +3,6 @@ #ifdef HAVE_OSF_SIA int auth_sia_password(char *user, char *pass); -void session_setup_sia(char *user, char *tty); +void session_setup_sia(char *user, char *tty, int showmotd); #endif /* HAVE_OSF_SIA */ --- auth-sia.c 2001/03/01 19:29:24 +++ auth-sia.c 2001/03/09 20:22:51 @@ -51,7 +51,7 @@ } void -session_setup_sia(char *user, char *tty) +session_setup_sia(char *user, char *tty, int showmotd) { int ret; struct passwd *pw; 
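Review bot: in the session.c hunk "@@ -638,10 +638,11 @@", wrapping the do_login() call in #ifndef HAVE_OSF_SIA silently drops, on Tru64, everything do_login does (last-login lookup and lastlog recording, the /etc/motd print) on the assumption that sia_ses_launch() does the same; the comment "/* record login, etc. similar to login(1) */" now sits inside the #ifndef and no longer tells a reader of a SIA build why nothing is recorded there. Suggest a comment on the #ifndef itself, along the lines of "/* on Tru64, sia_ses_launch() records the login and handles locked accounts */", and a sentence in the commit text stating that login recording on SIA systems now depends entirely on sia_ses_launch().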
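Review bot: the new #ifndef HAVE_OSF_SIA / #endif pair added in the "@@ -1042,7 +1044,7 @@" and "@@ -1062,6 +1064,7 @@" hunks skips the whole block that the existing "#ifndef USE_PAM /* pam_nologin handles this */" guards, i.e. the /etc/nologin check that do_child performs for non-PAM builds, but the covering mail only says that SIA handles locked accounts and last-login/motd. Unless sia_ses_launch() is known to enforce /etc/nologin on Tru64, a user with a valid key gets a shell while logins are disabled; either confirm that and say so in a comment mirroring the USE_PAM one ("#ifndef HAVE_OSF_SIA /* sia_ses_launch handles nologin */"), or keep the nologin check in place for SIA builds.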
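Review bot: in the "@@ -1068,7 +1071,7 @@" hunk the new argument "command==NULL" should be written "command == NULL" to match the surrounding style (compare "if (options.use_login && command != NULL)" two hunks up), and the value deserves a short comment, since a reader has to open auth-sia.c to learn that the third parameter of session_setup_sia() means "interactive login, show the motd"; the auth-sia.h hunk that follows changes the prototype but carries no such note either.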
@@ -88,6 +88,20 @@ sia_ses_release(&ent); + if (showmotd) + if (options.print_motd) { + char buf[256]; + FILE *f = NULL; + + f = fopen("/etc/motd", "r"); + + if (f) { + while (fgets(buf, sizeof(buf), f)) + fputs(buf, stderr); + fclose(f); + } + } + if (setreuid(geteuid(), geteuid()) < 0) fatal("setreuid failed: %s", strerror (errno)); } From krivacek at directlink.net Sat Mar 10 09:26:33 2001 From: krivacek at directlink.net (Michael Krivacek) Date: Fri, 9 Mar 2001 16:26:33 -0600 (CST) Subject: Possible problem with sshconnect1.c in openssh-2.5.1p2 Message-ID: Hi all, I have come across a problem that seems to have been introduced between openssh-2.3.0p1 and openssh-2.5.1. I sadly admit that my SSH knowledge is limited, so this problem could very well be with the server implementation. Hopefully someone can educate me... Netscreen produces hardware encryption boxes which have the capability of being managed by SSH (protocol version 1.) With the 2.3.0 series of OpenSSH I was able to access my Netscreen boxes fine. However I was initially able to connect with the 2.5.1 series. I followed the source code and noticed a change in sshconnect1.c between 2.3.0 and 2.5.1. In the function "try_password_authentication" the line: packet_put_string(password, strlen(password)); became: ssh_put_password(password); "ssh_put_password" appears to pad the password prior to encrypting and sending it. If I modify sshconnect1.c and change "ssh_put_password(password);" to "packet_put_string(password,strlen(password));" it starts working. What are implications of doing this? Does it sound like the Netscreen SSH server implementation is not correct? Thanks, Michael Krivacek From jennings at triumf.ca Sat Mar 10 10:52:28 2001 
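Review bot: the nested `if (showmotd) if (options.print_motd) {` in the auth-sia.c `@@ -88` hunk is an unbraced dangling if; collapse it to `if (showmotd && options.print_motd) {`. Two further points on the same hunk: `options` is not otherwise referenced in auth-sia.c in this patch, so check that the file includes servconf.h and declares `extern ServerOptions options;`, and the motd is written with `fputs(buf, stderr)` while the do_login code this replaces (see the `@@ -773` hunk, which also honours the login.conf `"welcome"` capability) is not shown writing to stderr, so confirm the stream matches what the client expects before the shell starts.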
From: jennings at triumf.ca (Byron Jennings) Date: Fri, 9 Mar 2001 15:52:28 -0800 (PST) Subject: Possible problem with sshconnect1.c in openssh-2.5.1p2 In-Reply-To: Message-ID: I have the same problem connect to a vax. The vax (VMS) is using OSU_1.1 ssh. The change you suggested fixed the problem. Byron Jennings On Fri, 9 Mar 2001, Michael Krivacek wrote: > > Hi all, > > I have come across a problem that seems to have been introduced > between openssh-2.3.0p1 and openssh-2.5.1. I sadly admit that my > SSH knowledge is limited, so this problem could very well be with > the server implementation. Hopefully someone can educate me... > > Netscreen produces hardware encryption boxes which have the > capability of being managed by SSH (protocol version 1.) With the > 2.3.0 series of OpenSSH I was able to access my Netscreen boxes > fine. However I was initially able to connect with the 2.5.1 > series. I followed the source code and noticed a change in > sshconnect1.c between 2.3.0 and 2.5.1. In the function > "try_password_authentication" the line: > > packet_put_string(password, strlen(password)); > > became: > > ssh_put_password(password); > > "ssh_put_password" appears to pad the password prior to > encrypting and sending it. > > If I modify sshconnect1.c and change > "ssh_put_password(password);" to "packet_put_string(password,strlen(password));" > it starts working. > > What are implications of doing this? Does it sound like the > Netscreen SSH server implementation is not correct? > > Thanks, > > Michael Krivacek > > > -- From sunil at redback.com Sat Mar 10 11:18:17 2001 
From: sunil at redback.com (Sunil K. Vallamkonda) Date: Fri, 9 Mar 2001 16:18:17 -0800 (PST) Subject: ssh-client wait... In-Reply-To: <20010308132900.A141@faui02.informatik.uni-erlangen.de> Message-ID: I am using ssh-client: SSH Version OpenSSH_2.3.1p1, protocol versions 1.5/2.0. Compiled with SSL (0x0090581f) I see that client waits indefinitely for server requesting public key: Here are debugs: Rhosts Authentication disabled, originating port will not be trusted. Connecting to xxxx port 22. Remote protocol version 1.99, remote software version OpenSSH_2.3.1p1 Local version string SSH-1.5-OpenSSH_2.3.1p1 Waiting for server public key. <--- client hangs here ! Any suggestions ? Thank you. From dankamin at cisco.com Sat Mar 10 12:30:03 2001 From: dankamin at cisco.com (Dan Kaminsky) Date: Fri, 9 Mar 2001 17:30:03 -0800 Subject: ssh-client wait... References: Message-ID: <00a201c0a901$a1ec1900$616545ab@na.cisco.com> > Any suggestions ? Yeah, throw up a trace and see who got the last packet. I believe ssh -v -v -v will display additional packet level traces too. --Dan From rjmooney at mediaone.net Sat Mar 10 17:28:34 2001 
From: rjmooney at mediaone.net (Robert Mooney) Date: Sat, 10 Mar 2001 01:28:34 -0500 Subject: passphrase for non existent key? Message-ID: Hi there. I'm being asked for a passphrase for a key file that does not exist. See debug output below. Both client and server default to SSH2. Creating a DSA key without a password and copying the public portion to the server's authorized_keys2 allowed me to login w/o a password. I downloaded and installed the latest version of SSH from OpenBSD CVS, and now it's asking me for the passphrase to a non-existent RSA key. i.e. /home/rjmooney/.ssh/identity doesn't exist on either end. Nor does id_rsa. Yet, I'm still being prompted. IMO (and maybe this is just a problem with the OpenBSD version), SSH should just skip keys that don't exist. - Rob cafefx:~/.ssh$ ssh motion -v -v -v OpenSSH_2.5.1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: getuid 1000 geteuid 0 anon 1 debug1: Connecting to motion [x.x.x.x] port 22. debug1: Connection established. debug1: unknown identity file /home/rjmooney/.ssh/identity debug1: identity file /home/rjmooney/.ssh/identity type -1 debug1: unknown identity file /home/rjmooney/.ssh/id_rsa debug1: identity file /home/rjmooney/.ssh/id_rsa type -1 debug3: Bad RSA1 key file /home/rjmooney/.ssh/id_dsa. 
debug1: key_type_from_name: unknown key type '-----BEGIN' debug3: key_read: no key found debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug1: key_type_from_name: unknown key type '-----END' debug3: key_read: no key found debug1: identity file /home/rjmooney/.ssh/id_dsa type 2 debug1: Remote protocol version 2.0, remote software version OpenSSH_2.5.1 debug1: match: OpenSSH_2.5.1 pat ^OpenSSH Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_2.5.1 debug1: send KEXINIT debug1: done debug1: wait KEXINIT debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug1: got kexinit: ssh-dss debug1: got kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael- cbc at lysator.liu.se debug1: got kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael- cbc at lysator.liu.se debug1: got kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug1: got kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug1: got kexinit: none,zlib debug1: got kexinit: none,zlib debug1: got kexinit: debug1: got kexinit: debug1: first kex follow: 0 debug1: reserved: 0 debug1: done debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug1: Sending SSH2_MSG_KEX_DH_GEX_REQUEST. debug1: Wait SSH2_MSG_KEX_DH_GEX_GROUP. debug1: Got SSH2_MSG_KEX_DH_GEX_GROUP. 
debug1: dh_gen_key: priv key bits set: 127/256 debug1: bits set: 1012/2049 debug1: Sending SSH2_MSG_KEX_DH_GEX_INIT. debug1: Wait SSH2_MSG_KEX_DH_GEX_REPLY. debug1: Got SSH2_MSG_KEXDH_REPLY. debug1: Host 'motion' is known and matches the DSA host key. debug1: Found key in /home/rjmooney/.ssh/known_hosts2:1 debug1: bits set: 1032/2049 debug1: len 55 datafellows 0 debug1: ssh_dss_verify: signature correct debug1: Wait SSH2_MSG_NEWKEYS. debug1: GOT SSH2_MSG_NEWKEYS. debug1: send SSH2_MSG_NEWKEYS. debug1: done: send SSH2_MSG_NEWKEYS. debug1: done: KEX2. debug1: send SSH2_MSG_SERVICE_REQUEST debug1: service_accept: ssh-userauth debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: authentications that can continue: publickey,password,keyboard-interactive debug3: start over, passed a different list debug3: authmethod_lookup publickey debug3: authmethod_is_enabled publickey debug1: next auth method to try is publickey debug1: try privkey: /home/rjmooney/.ssh/identity Enter passphrase for key '/home/rjmooney/.ssh/identity': debug2: no passphrase given, try next key debug1: try privkey: /home/rjmooney/.ssh/id_rsa Enter passphrase for key '/home/rjmooney/.ssh/id_rsa': debug2: no passphrase given, try next key debug1: try pubkey: /home/rjmooney/.ssh/id_dsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply ... at this point I am logged in. From djm at mindrot.org Sat Mar 10 18:46:10 2001 
From: djm at mindrot.org (Damien Miller) Date: Sat, 10 Mar 2001 18:46:10 +1100 (EST) Subject: Forcing PTY usage. In-Reply-To: <3AA8C2AF.8215A194@bartlett.house> Message-ID: On Fri, 9 Mar 2001, Andrew Bartlett wrote: > I have been studying the OpenSSH code, and am looking to use it in an > environment with untrusted local users. I have some patches to this > effect, which I will post to the list in due course. > > In any case, I would like all users who successfully authenticate to > leave their mark in the system logs, in particular utmp and wtmp. As > these logs mean diddly-squat without unique terminal names (and don't > work anyway), I was wondering what would happen if all sessions were > forced to use a pty? I presume the 'forced' tty would need to be > modified to ignore escape characters, but are there any other fundamental > problems with the idea? ptys are not 8-bit clean. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From dankamin at cisco.com Sat Mar 10 22:04:06 2001 From: dankamin at cisco.com (Dan Kaminsky) Date: Sat, 10 Mar 2001 03:04:06 -0800 Subject: Forcing PTY usage. References: Message-ID: <006401c0a951$d3ad9ef0$0700040a@na.cisco.com> > ptys are not 8-bit clean. Damien-- Speaking of 8 bit clean, do you (or anyone else) know of any decent 8->6bit telnet compatible proxies that are truly 8 bit clean and don't introduce strange delays? It'd be very nice to have *some* way to access SSH over a telnet gateway. httptunnel is a start but is outside the problem set, and mmencode just wasn't built for streaming usage. Yours Truly, Dan Kaminsky, CISSP http://www.doxpara.com From Markus.Friedl at informatik.uni-erlangen.de Sat Mar 10 23:39:28 2001 
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 10 Mar 2001 13:39:28 +0100 Subject: password padding (Re: Possible problem with sshconnect1.c in openssh-2.5.1p2) In-Reply-To: ; from krivacek@directlink.net on Fri, Mar 09, 2001 at 04:26:33PM -0600 References: Message-ID: <20010310133928.A7933@faui02.informatik.uni-erlangen.de> seems there are more servers affected. what is the banner of the server if you telnet server 22 ? -m On Fri, Mar 09, 2001 at 04:26:33PM -0600, Michael Krivacek wrote: > Netscreen produces hardware encryption boxes which have the > capability of being managed by SSH (protocol version 1.) With the > 2.3.0 series of OpenSSH I was able to access my Netscreen boxes > fine. However I was initially able to connect with the 2.5.1 > series. I followed the source code and noticed a change in > sshconnect1.c between 2.3.0 and 2.5.1. In the function > "try_password_authentication" the line: > > packet_put_string(password, strlen(password)); > > became: > > ssh_put_password(password); On Fri, Mar 09, 2001 at 03:52:28PM -0800, Byron Jennings wrote: > I have the same problem connect to a vax. The vax (VMS) is using > OSU_1.1 ssh. From asgard at hellnet.cz Sat Mar 10 23:41:38 2001 
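As an added illustration (not code from OpenSSH or from any poster) of the interop failure Michael, Byron and Markus are describing, the following models the two client encodings of the SSH1 password string and two ways a server might compare it. The 32-byte padding granularity and zero fill are assumptions about what the new ssh_put_password() does, not something the thread states; the sample password is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed padding granularity (not stated in the thread): the password
 * plus its terminating NUL is rounded up to a multiple of PAD_BLOCK bytes
 * and the remainder is zero-filled.  This models the 2.5.1 behaviour the
 * posters describe; it is not OpenSSH's code. */
#define PAD_BLOCK 32

/* Wire representation of an SSH1 string: a byte count and the bytes. */
struct wire_string {
    size_t len;
    unsigned char *data;
};

/* Old client encoding, packet_put_string(password, strlen(password)):
 * the wire length is exactly the password length. */
static struct wire_string put_exact(const char *password)
{
    struct wire_string s;
    s.len = strlen(password);
    s.data = malloc(s.len + 1);
    memcpy(s.data, password, s.len);
    return s;
}

/* New client encoding, modelled on ssh_put_password(): NUL-padded to a
 * PAD_BLOCK multiple, so the wire length no longer reveals the length. */
static struct wire_string put_padded(const char *password)
{
    struct wire_string s;
    size_t need = strlen(password) + 1;   /* include the terminating NUL */
    s.len = ((need + PAD_BLOCK - 1) / PAD_BLOCK) * PAD_BLOCK;
    s.data = calloc(s.len, 1);            /* the zero fill is the padding */
    memcpy(s.data, password, need - 1);
    return s;
}

/* Server A: treats the whole wire string, length included, as the
 * password.  Correct for the exact encoding, breaks on the padded one,
 * which is the failure reported against the Netscreen and OSU servers. */
static int server_strict_compare(const struct wire_string *s, const char *expected)
{
    return s->len == strlen(expected) && memcmp(s->data, expected, s->len) == 0;
}

/* Server B: copies the bytes into a NUL-terminated buffer and compares as
 * a C string, so trailing NUL padding is ignored and both encodings work. */
static int server_cstring_compare(const struct wire_string *s, const char *expected)
{
    char *buf = malloc(s->len + 1);
    int ok;
    memcpy(buf, s->data, s->len);
    buf[s->len] = '\0';
    ok = strcmp(buf, expected) == 0;
    memset(buf, 0, s->len + 1);           /* scrub the password copy */
    free(buf);
    return ok;
}

static void wire_free(struct wire_string *s)
{
    memset(s->data, 0, s->len);
    free(s->data);
    s->data = NULL;
    s->len = 0;
}

/* Wire length the padded encoding produces for a given password. */
size_t padded_wire_len(const char *password)
{
    struct wire_string s = put_padded(password);
    size_t len = s.len;
    wire_free(&s);
    return len;
}

/* Run both client encodings against both server behaviours and return a
 * bit mask: bit 0 exact/strict, bit 1 padded/strict, bit 2 exact/cstring,
 * bit 3 padded/cstring.  Only padded/strict fails, so the result is 13. */
int interop_matrix(const char *password)
{
    struct wire_string exact = put_exact(password);
    struct wire_string padded = put_padded(password);
    int mask = 0;

    if (server_strict_compare(&exact, password))   mask |= 1;
    if (server_strict_compare(&padded, password))  mask |= 2;
    if (server_cstring_compare(&exact, password))  mask |= 4;
    if (server_cstring_compare(&padded, password)) mask |= 8;
    wire_free(&exact);
    wire_free(&padded);
    return mask;
}

int main(void)
{
    const char *pw = "s3cret-example";    /* constructed sample, not a real credential */
    printf("padded wire length: %zu\n", padded_wire_len(pw));
    printf("interop mask: %d (13 = all but padded/strict succeed)\n", interop_matrix(pw));
    return 0;
}
```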
From: asgard at hellnet.cz (Jan Samohyl) Date: Sat, 10 Mar 2001 13:41:38 +0100 (CET) Subject: problem with openssh-2.3.0p1 and pam-0.72-20.6.x under Redhat 6.1 Message-ID: Hello, I am using Redhat 6.1 on pentium. I have a problem with sshd in openssh, when I try to connect by ssh to sshd even on the local machine, the pam module will not authenticate my password. Here is a transcript of sshd -ddd: debug1: sshd version OpenSSH_2.3.0p1 debug1: Seeding random number generator debug1: read DSA private key done debug1: Seeding random number generator debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. Generating 512 bit RSA key. debug1: Seeding random number generator debug1: Seeding random number generator RSA key generation complete. debug1: Server will not fork when running in debugging mode. Connection from 192.168.4.1 port 802 debug1: Client protocol version 1.5; client software version OpenSSH_2.3.0p1 debug1: no match: OpenSSH_2.3.0p1 debug1: Local version string SSH-1.99-OpenSSH_2.3.0p1 debug1: Sent 512 bit public key and 1024 bit host key. debug1: Encryption type: blowfish debug1: Received session key; encryption turned on. debug1: Installing crc compensation attack detector. debug1: Starting up PAM with username "root" debug1: Attempting authentication for root. debug1: PAM Password authentication for "root" failed[7]: Authentication failure Failed password for ROOT from 192.168.4.1 port 802 Connection closed by 192.168.4.1 debug1: Calling cleanup 0x804fd10(0x0) Cannot close PAM session[4]: System error debug1: Cannot delete credentials[15]: Authentication service cannot retrieve user credentials debug1: Calling cleanup 0x805fe0c(0x0) I have tried to upgrade pam to pam-0.72-20.6.x from redhat website, but it didn't help. I have 'PermitEmptyPasswords no' option. Can you help me to find out what is the problem ? Thank you Jan Samohyl From gert at greenie.muc.de Sun Mar 11 02:25:46 2001 
From: gert at greenie.muc.de (Gert Doering) Date: Sat, 10 Mar 2001 16:25:46 +0100 Subject: NeXT 3.3 vs openssh-2.5.1p1 (Couldn't restore privileges) In-Reply-To: ; from Tim Rice on Sun, Feb 25, 2001 at 09:45:39PM -0800 References: <20010225103157.A24968@greenie.muc.de> Message-ID: <20010310162546.F23792@greenie.muc.de> Hi, On Sun, Feb 25, 2001 at 09:45:39PM -0800, Tim Rice wrote: > > What I don't really understand is why the seteuid() stuff in entropy.c > > isn't working here - from the docs, it should... - how is uid changing > > done in other parts of ssh? > > See uidswap.c > > Have a look at this patch. It might work (it does run) but > it might be doing the wrong thing security wise. > I came up with this after looking at uidswap.c > > For SCO 3 and NeXT, > #define SAVED_IDS_DO_NOT_WORK_WITH_SETEUID The current openssh_cvs works now on SCO 3, with and without being suid. Good work! gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From RCDavis at intermedia.com Wed Mar 7 10:47:10 2001 From: RCDavis at intermedia.com (Davis, Ricardo C.) Date: Tue, 6 Mar 2001 18:47:10 -0500 Subject: OpenSSH/scp ->> F-Secure SSH server Problems Message-ID: <77DA8BE17C46D2118B7A00805FA7D051047ADA7E@TPAEXCH2> Hi, Is there some known problem between the 'scp' client in OpenSSH 2.5.1p1 and F-Secure's SSH 2.4.0 server? The client is running on a Linux (2.2.17) box and server is running on Win2K. When I try to transfer files it asks me for the password (which I provide) then it hangs. Using 'scp -v' didn't provide any helpful info; it's as though the problem happened before the authentication completed. I've looked through both the openssh-unix-dev and secure-shell list archives and I haven't seen any issue between the two. -Ricardo From mouring at etoh.eviladmin.org Sun Mar 11 10:28:28 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Sat, 10 Mar 2001 17:28:28 -0600 (CST) Subject: OpenSSH/scp ->> F-Secure SSH server Problems In-Reply-To: <77DA8BE17C46D2118B7A00805FA7D051047ADA7E@TPAEXCH2> Message-ID: On Tue, 6 Mar 2001, Davis, Ricardo C. wrote: > Hi, > > Is there some known problem between the 'scp' client in OpenSSH 2.5.1p1 and > F-Secure's SSH 2.4.0 server? The client is running on a Linux (2.2.17) box > and server is running on Win2K. When I try to transfer files it asks me for > the password (which I provide) then it hangs. Using 'scp -v' didn't provide > any helpful info; it's as though the problem happened before the > authentication completed. I've looked through both the openssh-unix-dev and > secure-shell list archives and I haven't seen any issue between the two. > This has come up before.. F-Secure uses scp2 which is scp over sftp subsystem. Where OpenSSH only supports scp which is rcp over ssh. I suggest you check out the sftp client provided in the latest release of OpenSSH for transfer compatibility with F-Secure. When time permits I'm sure someone will write an scp2 replacement for OpenSSH, but I believe our sftp client needs improvement before we write an scp2 replacement. - Ben From michael at bizsystems.com Sun Mar 11 12:30:03 2001 From: michael at bizsystems.com (Michael) Date: Sat, 10 Mar 2001 17:30:03 -0800 Subject: what about socks support? Message-ID: <200103110130.RAA21153@bzs.org> Is there any plan to add socks 4 or socks 5 support to openssh like the original ssh developed in finland?? Michael Michael at bizsystems.com From tim at multitalents.net Sun Mar 11 16:11:58 2001 
From: tim at multitalents.net (Tim Rice) Date: Sat, 10 Mar 2001 21:11:58 -0800 (PST) Subject: Problems with sftp under SCO OpenServer In-Reply-To: Message-ID: On Thu, 22 Feb 2001, Greg Jewell wrote: > Hello, > > I compiled OpenSSH 2.5.1p1 for SCO OpenServer 5.0.5, HPUX B.11.00, and > SunOS 5.7. When I sftp into the HP or Sun box, everything works fine. > However, whenever I sftp into the OpenServer box, all remote filenames > are shown as "(null)". File sizes, owners, etc. display properly. This > behavior is exhibited from all origination points. I have verified this problem with 2.5.1p2 and 03/10 CVS. ... debug2: Remote version: 3 debug3: Sent message fd 6 T:16 I:1 debug3: SSH_FXP_REALPATH . -> /tmp_mnt/homes/tim sftp> dir xx debug3: Sent message fd 6 T:16 I:2 debug3: SSH_FXP_REALPATH /tmp_mnt/homes/tim/xx -> /tmp_mnt/homes/tim/xx debug3: Sent message fd 6 T:17 I:3 debug3: Received stat reply T:105 I:3 debug3: Sending SSH2_FXP_READDIR I:5 debug3: Received reply T:104 I:5 debug3: Received 6 SSH2_FXP_NAME responses drwxrwxr-x 6 tim trr 4096 (null) Aug 23 2000 drwxr-xr-x 23 tim trr 4096 (null) Mar 10 19:44 drwxrwxr-x 2 tim trr 4096 (null) May 10 2000 drwxrwxr-x 2 tim trr 4096 (null) Sep 17 10:42 drwxrwxr-x 2 tim trr 4096 (null) Jun 22 2000 drwxrwxr-x 4 tim trr 4096 (null) Aug 28 2000 debug3: Sending SSH2_FXP_READDIR I:6 debug3: Received reply T:101 I:6 debug3: Received SSH2_FXP_STATUS 1 debug3: Sent message SSH2_FXP_CLOSE I:7 debug3: SSH2_FXP_STATUS 0 sftp> ... The server side debugging seems to be non existent. I've looked at the sftp-server code and I am stumped. Again, the problem only shows up on Open Server 5 sftp-server Any clues how to track this down? > > OpenSSH was configured with identical parameters (apart from the path to > xauth), and compiled with OpenSSL 0.9.6 and zlib-1.1.3 under all > systems. > > > Thanks, > Greg Jewell > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From mouring at etoh.eviladmin.org Sun Mar 11 16:14:43 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Sat, 10 Mar 2001 23:14:43 -0600 (CST) Subject: Problems with sftp under SCO OpenServer In-Reply-To: Message-ID: On Sat, 10 Mar 2001, Tim Rice wrote: > On Thu, 22 Feb 2001, Greg Jewell wrote: > > > Hello, > > > > I compiled OpenSSH 2.5.1p1 for SCO OpenServer 5.0.5, HPUX B.11.00, and > > SunOS 5.7. When I sftp into the HP or Sun box, everything works fine. > > However, whenever I sftp into the OpenServer box, all remote filenames > > are shown as "(null)". File sizes, owners, etc. display properly. This > > behavior is exhibited from all origination points. > > I have verified this problem with 2.5.1p2 and 03/10 CVS. > ... > debug2: Remote version: 3 > debug3: Sent message fd 6 T:16 I:1 > debug3: SSH_FXP_REALPATH . -> /tmp_mnt/homes/tim > sftp> dir xx > debug3: Sent message fd 6 T:16 I:2 > debug3: SSH_FXP_REALPATH /tmp_mnt/homes/tim/xx -> /tmp_mnt/homes/tim/xx > debug3: Sent message fd 6 T:17 I:3 > debug3: Received stat reply T:105 I:3 > debug3: Sending SSH2_FXP_READDIR I:5 > debug3: Received reply T:104 I:5 > debug3: Received 6 SSH2_FXP_NAME responses > drwxrwxr-x 6 tim trr 4096 (null) Aug 23 2000 > drwxr-xr-x 23 tim trr 4096 (null) Mar 10 19:44 > drwxrwxr-x 2 tim trr 4096 (null) May 10 2000 > drwxrwxr-x 2 tim trr 4096 (null) Sep 17 10:42 > drwxrwxr-x 2 tim trr 4096 (null) Jun 22 2000 > drwxrwxr-x 4 tim trr 4096 (null) Aug 28 2000 There was an off list talk about this. Since SCO native snprintf() does not support %ll concept it does things incorrectly. However the new 64bit development does support %ll. The best way to deal with this is to test to see if the snprintf() supports %ll and define BROKEN_SNPRINTF if it does not. - Ben From mouring at etoh.eviladmin.org Sun Mar 11 16:17:39 2001 
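Ben's suggestion is a build-time probe for %ll support. As an added example (not OpenSSH's configure test or any poster's code), here is the same probe written as a runtime check, together with a modifier-free formatter for the size column so a listing line can be built even where the probe fails. The probe value, the listing format and the sample sizes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Probe whether the C library's snprintf() understands the "ll" length
 * modifier.  A library that does not can misparse "%llu %s": the %s then
 * picks up the wrong argument, and a library that prints NULL pointers
 * as "(null)" shows exactly the symptom Greg and Tim report. */
int snprintf_supports_ll(void)
{
    char buf[64];
    unsigned long long big = 4294967296ULL;   /* 2^32: does not fit in 32 bits */
    int n = snprintf(buf, sizeof(buf), "%llu %s", big, "name");
    return n == 15 && strcmp(buf, "4294967296 name") == 0;
}

/* Format an unsigned 64-bit value in decimal without any printf length
 * modifier (the arithmetic is fine everywhere; only the format parsing
 * is the problem).  Returns the number of characters written, excluding
 * the NUL, or 0 if the buffer is too small (out is then an empty string). */
size_t format_u64(unsigned long long v, char *out, size_t outlen)
{
    char tmp[21];                 /* 20 digits of 2^64-1 plus NUL */
    size_t i = sizeof(tmp) - 1, n;

    tmp[i] = '\0';
    do {
        tmp[--i] = (char)('0' + (v % 10));
        v /= 10;
    } while (v != 0);
    n = sizeof(tmp) - 1 - i;
    if (outlen == 0)
        return 0;
    if (n + 1 > outlen) {
        out[0] = '\0';
        return 0;
    }
    memcpy(out, &tmp[i], n + 1);  /* digits plus the NUL */
    return n;
}

/* Build one "size name" listing line.  have_ll selects the %llu path
 * (what sftp does when BROKEN_SNPRINTF is not defined) or the hand
 * formatter, so both paths can be exercised on any platform. */
int format_listing_line(int have_ll, unsigned long long size, const char *name,
                        char *out, size_t outlen)
{
    char num[21];

    if (have_ll)
        return snprintf(out, outlen, "%llu %s", size, name);
    if (format_u64(size, num, sizeof(num)) == 0 && size != 0)
        return -1;
    return snprintf(out, outlen, "%s %s", num, name);
}

/* Helpers returning a plain truth value so the checks can be asserted on. */
int check_format_u64(unsigned long long v, const char *expected)
{
    char buf[32];
    size_t n = format_u64(v, buf, sizeof(buf));
    return n == strlen(expected) && strcmp(buf, expected) == 0;
}

int check_listing_line(int have_ll, unsigned long long size, const char *name,
                       const char *expected)
{
    char line[128];
    int n = format_listing_line(have_ll, size, name, line, sizeof(line));
    return n == (int)strlen(expected) && strcmp(line, expected) == 0;
}

int main(void)
{
    int have_ll = snprintf_supports_ll();
    char line[128];

    printf("snprintf %%ll support: %s\n", have_ll ? "yes" : "no, define BROKEN_SNPRINTF");
    format_listing_line(have_ll, 4294967296ULL, "big.iso", line, sizeof(line));
    printf("%s\n", line);
    return 0;
}
```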
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Sat, 10 Mar 2001 23:17:39 -0600 (CST) Subject: Problems with sftp under SCO OpenServer (fwd) Message-ID: This is the final results of sftp on SCO OpenServer. ---------- Forwarded message ---------- Date: Mon, 26 Feb 2001 12:27:51 -0700 From: Greg Jewell To: mouring at etoh.eviladmin.org Subject: RE: Problems with sftp under SCO OpenServer > -----Original Message----- > From: mouring at etoh.eviladmin.org [mailto:mouring at etoh.eviladmin.org] > Sent: Monday, February 26, 2001 12:53 PM > To: Greg Jewell > Subject: RE: Problems with sftp under SCO OpenServer > > > > > I downloaded today's snap, and placed #undef HAVE_SNPRINTF > and #undef > > HAVE_VSNPRINTF in the openbsd-compat/bsd-snprintf.c file. When I > > compiled this and connected to the system, everything looked good... > > > That is what I was afraid of. > > Is 'llu' even valid under SCO's snprintf? > > - Ben > > With SCO's "native" development kit, it is not. With the newly released UnixWare and OpenServer Development Kit, it is. Right now, gcc is configured to look into /usr/include /usr/lib, etc. which is where the native development environment resides. I am not certain how to change this to /udk/usr/*, which is where the new development kit resides. Even if gcc can be reconfigured to look into these new directories by default, though, I don't know whether it would break something else. The gcc package for OpenServer was built with the older libraries in mind. From woods at weird.com Sun Mar 11 16:21:47 2001 
From: woods at weird.com (Greg A. Woods) Date: Sun, 11 Mar 2001 00:21:47 -0500 (EST) Subject: OpenSSH/scp ->> F-Secure SSH server Problems In-Reply-To: <77DA8BE17C46D2118B7A00805FA7D051047ADA7E@TPAEXCH2> References: <77DA8BE17C46D2118B7A00805FA7D051047ADA7E@TPAEXCH2> Message-ID: <20010311052147.F3AE18C@proven.weird.com> [ On Tuesday, March 6, 2001 at 18:47:10 (-0500), Davis, Ricardo C. wrote: ] > Subject: OpenSSH/scp ->> F-Secure SSH server Problems > > Is there some known problem between the 'scp' client in OpenSSH 2.5.1p1 and > F-Secure's SSH 2.4.0 server? The client is running on a Linux (2.2.17) box > and server is running on Win2K. When I try to transfer files it asks me for > the password (which I provide) then it hangs. Using 'scp -v' didn't provide > any helpful info; it's as though the problem happened before the > authentication completed. I've looked through both the openssh-unix-dev and > secure-shell list archives and I haven't seen any issue between the two. OpenSSH does not yet seem to implement server support for SSH-v2.4's "scp" which now, for reasons that mystify me greatly, seems to now depend on sftp on the server side. However I have not had any trouble with any OpenSSH client "scp" talking to an SSH-2.4 server. -- Greg A. Woods +1 416 218-0098 VE3TCP Planix, Inc. ; Secrets of the Weird From djm at mindrot.org Sun Mar 11 18:33:13 2001 From: djm at mindrot.org (Damien Miller) Date: Sun, 11 Mar 2001 18:33:13 +1100 (EST) Subject: [SUMMARY] compiling problems on Solaris 2.6 x86 (fwd) Message-ID: Can someone explain why we need this fix on Solaris 2.6? -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer ---------- Forwarded message ---------- Date: Tue, 6 Mar 2001 10:05:56 -0600 (CST) 
From: Sec. Acct. To: ssh at clinet.fi Subject: [SUMMARY] compiling problems on Solaris 2.6 x86 Hello, I just wanted to post this fix action as Mailed to me from Juergen Georgi as I received many off-line post of "did you figure it out" and "please email me if this is fixed". As it turns out (see example below) that a simple ln -s resolves the problem. Thank you Juergen. Jerry > >On Mon 2001-03-05 (10:29), Sec. Acct. wrote: >> Hello all, >> >> As p2 has been released, I pulled down the source for it but am encountering >> the same problems that I did under 2.5.1p1. Currently, I am still using >> 2.3.0 without issues. >> [...] >> >> The ./configure completes without errors. >> The make stops with this: >> >> gcc -g -O2 -Wall -I/usr/local/include -I/usr/local/ssl/include >> -I/usr/local/ssl/include -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c getcwd.c >> getcwd.c:39: sys/dir.h: No such file or directory >> make[1]: *** [getcwd.o] Error 1 >> make[1]: Leaving directory `/usr/local/vendor/o/openssh-2.5.1p1/openbsd-compat' >> make: *** [openbsd-compat/libopenbsd-compat.a] Error 2 > >cd openbsd-compat >ln -s ../config.h > >-Juergen From bfriday at LaSierra.edu Sun Mar 11 18:41:43 2001 From: bfriday at LaSierra.edu (Brian Friday) Date: Sat, 10 Mar 2001 23:41:43 -0800 (PST) Subject: [SUMMARY] compiling problems on Solaris 2.6 x86 (fwd) In-Reply-To: Message-ID: Hi all, I've just compiled 2.5.1p2 on x86 Solaris 8 and I did not get this error. Has this person tried with the latest version? - Brian From michael.herrmann at informatik.tu-muenchen.de Sun Mar 11 20:47:43 2001 
From: michael.herrmann at informatik.tu-muenchen.de (Michael Herrmann) Date: Sun, 11 Mar 2001 10:47:43 +0100 Subject: [SUMMARY] compiling problems on Solaris 2.6 x86 (fwd) In-Reply-To: ; from djm@mindrot.org on Sun, Mar 11, 2001 at 06:33:13PM +1100 References: Message-ID: <20010311104743.A6907@sunrbg8.informatik.tu-muenchen.de> On Sun, Mar 11, 2001 at 06:33:13PM +1100, Damien Miller wrote: > Can someone explain why we need this fix on Solaris 2.6? 2.5.1p2 on Solaris 2.6/sparc works for me without any patch. Michael From Markus.Friedl at informatik.uni-erlangen.de Sun Mar 11 22:06:51 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sun, 11 Mar 2001 12:06:51 +0100 Subject: OpenSSH/scp ->> F-Secure SSH server Problems In-Reply-To: <20010311052147.F3AE18C@proven.weird.com>; from woods@weird.com on Sun, Mar 11, 2001 at 12:21:47AM -0500 References: <77DA8BE17C46D2118B7A00805FA7D051047ADA7E@TPAEXCH2> <20010311052147.F3AE18C@proven.weird.com> Message-ID: <20010311120651.A25112@faui02.informatik.uni-erlangen.de> On Sun, Mar 11, 2001 at 12:21:47AM -0500, Greg A. Woods wrote: > OpenSSH does not yet seem to implement server support for SSH-v2.4's > "scp" which now, for reasons that mystify me greatly, seems to now > depend on sftp on the server side. > > However I have not had any trouble with any OpenSSH client "scp" talking > to an SSH-2.4 server. you could install openssh's scp on the server then scp works from the openssh client. From douglas.manton at uk.ibm.com Sun Mar 11 22:16:31 2001 
From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com) Date: Sun, 11 Mar 2001 11:16:31 +0000 Subject: what about socks support? Message-ID: <80256A0C.003DF15E.00@d06mta05.portsmouth.uk.ibm.com> Michael, It is quite simple to socksify OpenSSH using the NEC socks code from http://www.socks.nec.com. If you compile the socks library then you can add the support to OpenSSH by: adding #include in front of the other includes in sshconnect.c configuring with: --with-cflags="-DSOCKS" --with-libs="-lsocks5" This will give you socks4 and socks5 support which you can define using libsocks5.conf (see the NEC socks man pages). An alternative socks implementation to use is Dante. I have no experience with that library but I have heard good things about it. Hope this helps, -------------------------------------------------------- Doug Manton, AT&T EMEA Commercial Security Solutions E: demanton at att.com -------------------------------------------------------- "If privacy is outlawed, only outlaws will have privacy" Please respond to michael at bizsystems.com To: openssh-unix-dev at mindrot.org cc: Subject: what about socks support? Is there any plan to add socks 4 or socks 5 support to openssh like the original ssh developed in finland?? Michael Michael at bizsystems.com From bds at jhb.ucs.co.za Mon Mar 12 01:04:05 2001 
From: bds at jhb.ucs.co.za (Berend De Schouwer) Date: Sun, 11 Mar 2001 16:04:05 +0200 Subject: what about socks support? In-Reply-To: <80256A0C.003DF15E.00@d06mta05.portsmouth.uk.ibm.com>; from douglas.manton@uk.ibm.com on Sun, Mar 11, 2001 at 13:16:31 +0200 References: <80256A0C.003DF15E.00@d06mta05.portsmouth.uk.ibm.com> Message-ID: <20010311160405.E6486@sausage.home.ucs.co.za> On Sun, 11 Mar 2001 13:16:31 douglas.manton at uk.ibm.com wrote: | | | | Michael, | | It is quite simple to socksify OpenSSH using the NEC socks code from | http://www.socks.nec.com. If you compile the socks library then you can | add the support to OpenSSH by: | | adding #include in front of the other includes in | sshconnect.c | configuring with: --with-cflags="-DSOCKS" --with-libs="-lsocks5" | | This will give you socks4 and socks5 support which you can define using | libsocks5.conf (see the NEC socks man pages). | | An alternative socks implementation to use is Dante. I have no | experience | with that library but I have heard good things about it. Even easier: run LDFLAGS=-ldsocks ./configure and you are away :) This basically just preloads libdsocks, which you can't do with LD_LIBRARY_PRELOAD since ssh is suid'd. If you can disable the suid bit, you could run 'socksify ssh '. | Hope this helps, | -------------------------------------------------------- | Doug Manton, AT&T EMEA Commercial Security Solutions | | E: demanton at att.com | -------------------------------------------------------- | "If privacy is outlawed, only outlaws will have privacy" | | | Please respond to michael at bizsystems.com | To: openssh-unix-dev at mindrot.org | cc: | Subject: what about socks support? | | | | | Is there any plan to add socks 4 or socks 5 support to openssh like | the original ssh developed in finland?? 
| | Michael | Michael at bizsystems.com | | | | | Kind regards, Berend -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Berend De Schouwer, +27-11-712-1435, UCS From douglas.manton at uk.ibm.com Mon Mar 12 01:14:59 2001 From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com) Date: Sun, 11 Mar 2001 14:14:59 +0000 Subject: what about socks support? Message-ID: <80256A0C.004E47E9.00@d06mta05.portsmouth.uk.ibm.com> > Even easier: run > LDFLAGS=-ldsocks ./configure > and you are away :) > > This basically just preloads libdsocks, which you can't do with > LD_LIBRARY_PRELOAD since ssh is suid'd. If you can disable the suid > bit, you could run 'socksify ssh '. But not under AIX :-( -------------------------------------------------------- Doug Manton, AT&T EMEA Commercial Security Solutions E: demanton at att.com -------------------------------------------------------- "If privacy is outlawed, only outlaws will have privacy" From Markus.Friedl at informatik.uni-erlangen.de Mon Mar 12 01:29:14 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sun, 11 Mar 2001 15:29:14 +0100 Subject: what about socks support? In-Reply-To: <80256A0C.004E47E9.00@d06mta05.portsmouth.uk.ibm.com>; from douglas.manton@uk.ibm.com on Sun, Mar 11, 2001 at 02:14:59PM +0000 References: <80256A0C.004E47E9.00@d06mta05.portsmouth.uk.ibm.com> Message-ID: <20010311152914.A3045@faui02.informatik.uni-erlangen.de> On Sun, Mar 11, 2001 at 02:14:59PM +0000, douglas.manton at uk.ibm.com wrote: > But not under AIX :-( but ProxyCommand from ssh(1) should work on every system. From jakob at openbsd.org Mon Mar 12 02:33:18 2001 
From: jakob at openbsd.org (Jakob Schlyter) Date: Sun, 11 Mar 2001 16:33:18 +0100 (CET) Subject: bubblebabble patch In-Reply-To: <3AA26270.CDDAFC51@mail.tele.dk> Message-ID: On Sun, 4 Mar 2001, Carsten Raskgaard wrote: > Here is a patch that adds the possibility of displaying key fingerprints > in the bubblebabble format used by ssh.com ssh implementations. I've committed this patch with a few adjustments. the bubblebabble fingerprint is printed when using 'ssh-keygen -l -v'. /Jakob From woods at weird.com Mon Mar 12 03:31:19 2001 From: woods at weird.com (Greg A. Woods) Date: Sun, 11 Mar 2001 11:31:19 -0500 (EST) Subject: OpenSSH/scp ->> F-Secure SSH server Problems In-Reply-To: <20010311120651.A25112@faui02.informatik.uni-erlangen.de> References: <77DA8BE17C46D2118B7A00805FA7D051047ADA7E@TPAEXCH2> <20010311052147.F3AE18C@proven.weird.com> <20010311120651.A25112@faui02.informatik.uni-erlangen.de> Message-ID: <20010311163119.DBC348C@proven.weird.com> [ On Sunday, March 11, 2001 at 12:06:51 (+0100), Markus Friedl wrote: ] > Subject: Re: OpenSSH/scp ->> F-Secure SSH server Problems > > On Sun, Mar 11, 2001 at 12:21:47AM -0500, Greg A. Woods wrote: > > OpenSSH does not yet seem to implement server support for SSH-v2.4's > > "scp" which now, for reasons that mystify me greatly, seems to now > > depend on sftp on the server side. > > > > However I have not had any trouble with any OpenSSH client "scp" talking > > to an SSH-2.4 server. > > you could install openssh's scp on the server then scp works > from the openssh client. But that's the part that works already. It's SSH-2.4.0 client scp to OpenSSH server that doesn't work (and which needs sftp server-side support). (I don't really understand why rcp over ssh wasn't sufficient and why SSH-2.4.0 now uses the sftp gunge to implement scp, but perhaps there's a reasonable reason....) -- Greg A. Woods +1 416 218-0098 VE3TCP Planix, Inc. ; Secrets of the Weird From mouring at etoh.eviladmin.org Mon Mar 12 06:37:09 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Sun, 11 Mar 2001 13:37:09 -0600 (CST) Subject: [SUMMARY] compiling problems on Solaris 2.6 x86 (fwd) In-Reply-To: Message-ID: On Sun, 11 Mar 2001, Damien Miller wrote: > Can someone explain why we need this fix on Solaris 2.6? > The heart of the issue is the fact he has a /usr/local/include/config.h Maybe we should resolve it by doing the following: CPPFLAGS=@CPPFLAGS@ -I. -I$(srcdir)/openbsd-compat -I$(srcdir) $(PATHS) @DEFS@ to CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ -I$(srcdir)/openbsd-compat $(PATHS) @DEFS@ That would ensure that our directories are given priority over what the user requests. - Ben From J.S.Peatfield at damtp.cam.ac.uk Mon Mar 12 05:51:36 2001 
From: J.S.Peatfield at damtp.cam.ac.uk (Jon Peatfield)
Date: Sun, 11 Mar 2001 18:51:36 GMT
Subject: prng_cmds/init_rng() question/patch
Message-ID: <200103111851.SAA17628.declaim.amtp.cam.ac.uk@damtp.cam.ac.uk>

I have a need to provide ssh client binaries for use elsewhere on several
platforms, some without /dev/random support. I can't assume that users will
know how to install/run prngd or egd, so I was planning to rely on the builtin
prng code. However this requires the ssh_prng_cmds file to exist in a fixed
location -- which would mean making binaries which either look for it in . or
other similar hacks.

To avoid this I altered entropy.c to include a copy (as a string) of the
ssh_prng_cmds generated by configure and use that if the file can't be opened
-- at a cost of about +2K to the client size. (I considered having a command
line option to specify the location but that would mean changes in too many
other places).

Having got some working code, it took me some time to spot that debug/verbose
do nothing in init_rng() since it is called before options processing. It is
also called before giving up any privilege. Is this right? Would it be safe to
move the call to init_rng() to later when we have options and have dropped
priv? I don't know which calls need the rng to have already been initialized.

My current patch possibly isn't the right way to do some of this (like the
generation of the string from the ssh_prng_cmds file or the hack function I
dropped in the place of the fgets() call).

[ I'm not including the patch itself in case there is already a better
solution. ]

-- Jon Peatfield, DAMTP, Computer Officer, University of Cambridge
Telephone: +44 1223 3 37852 Mail: J.S.Peatfield at damtp.cam.ac.uk

From edgy at us.ibm.com Mon Mar 12 06:34:12 2001
From: edgy at us.ibm.com (Edward Geraghty)
Date: Sun, 11 Mar 2001 14:34:12 -0500
Subject: what about socks support?
Message-ID:

On AIX > v4.3.2 you could always use the built-in sockified stack.. It is for
socks v5 servers only I believe.. It also does unauthenticated SOCKS
connection. Docs on this can be found at ...
http://www.rs6000.ibm.com/doc_link/en_US/a_doc_lib/libs/commtrf2/socks5c_conf.htm#scs70399bkm

Just need to create a socks5c.conf file and set the variable pointing to
that.. e.g. export SOCKS5C_CONFIG=/etc/socks5c.conf

EdGy

Doug E Manton/UK/IBM at IBMGB@mindrot.org on 03/11/2001 06:16:31
Sent by: owner-openssh-unix-dev at mindrot.org
To: michael at bizsystems.com
cc: openssh-unix-dev at mindrot.org
Subject: Re: what about socks support?

Michael,

It is quite simple to socksify OpenSSH using the NEC socks code from
http://www.socks.nec.com. If you compile the socks library then you can add
the support to OpenSSH by:

adding #include in front of the other includes in sshconnect.c
configuring with: --with-cflags="-DSOCKS" --with-libs="-lsocks5"

This will give you socks4 and socks5 support which you can define using
libsocks5.conf (see the NEC socks man pages).

An alternative socks implementation to use is Dante. I have no experience
with that library but I have heard good things about it.

Hope this helps,
--------------------------------------------------------
Doug Manton, AT&T EMEA Commercial Security Solutions
E: demanton at att.com
--------------------------------------------------------
"If privacy is outlawed, only outlaws will have privacy"

Please respond to michael at bizsystems.com
To: openssh-unix-dev at mindrot.org
cc:
Subject: what about socks support?

Is there any plan to add socks 4 or socks 5 support to openssh like the
original ssh developed in finland??

Michael
Michael at bizsystems.com

From rmeyer at mhsc.com Mon Mar 12 08:37:34 2001
From: rmeyer at mhsc.com (Roeland Meyer) Date: Sun, 11 Mar 2001 13:37:34 -0800 Subject: OpenSSH/scp ->> F-Secure SSH server Problems Message-ID: <9DC8BBAD4FF100408FC7D18D1F092286039C96@condor.mhsc.com> 
> From: woods at weird.com [mailto:woods at weird.com]
> Sent: Sunday, March 11, 2001 8:31 AM
>
> [ On Sunday, March 11, 2001 at 12:06:51 (+0100), Markus Friedl wrote: ]
> > Subject: Re: OpenSSH/scp ->> F-Secure SSH server Problems
> >
> > On Sun, Mar 11, 2001 at 12:21:47AM -0500, Greg A. Woods wrote:
> > > OpenSSH does not yet seem to implement server support for
> > > depend on sftp on the server side.
> > >
> > > However I have not had any trouble with any OpenSSH
> > you could install openssh's scp on the server then scp works
> > from the openssh client.
>
> But that's the part that works already. It's SSH-2.4.0 client scp to
> OpenSSH server that doesn't work (and which needs sftp server-side
> support).
>
> (I don't really understand why rcp over ssh wasn't sufficient and why
> SSH-2.4.0 now uses the sftp gunge to implement scp, but perhaps there's
> a reasonable reason....)

I echo your lack of understanding. Sometimes, "if it ain't broke ... don't
fix it" applies and if you *are* going to muck with it, create an enhancement
and leave the, working, original alone.

I've been using 1.2.27 (non-com), w/ the 2.0.13 patch, for quite a while now.
It works fine, but I'd really like to have a Win32 version of both. I haven't
gone to OpenSSH because of issues like what we're talking about here (however,
I use OpenSSL quite a bit). I also don't understand the fascination folks have
for FTP. Anything that uses non-deterministic dynamically reassigned ports is
fundamentally insecurable. Full authentication can only be accomplished when
both sides of the connection are fully deterministic. In short, sftp ain't...
FTP must die. If you want secure files distro, use https. If you want secure
file uploads, scp does the job nicely, or a Java uploader, under https.
Getting the SSH/FTP(sftp) kludge to work only weakens SSH.

From markus.friedl at informatik.uni-erlangen.de Mon Mar 12 09:40:11 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sun, 11 Mar 2001 23:40:11 +0100 Subject: OpenSSH/scp ->> F-Secure SSH server Problems In-Reply-To: <20010311163119.DBC348C@proven.weird.com>; from woods@weird.com on Sun, Mar 11, 2001 at 11:31:19AM -0500 References: <77DA8BE17C46D2118B7A00805FA7D051047ADA7E@TPAEXCH2> <20010311052147.F3AE18C@proven.weird.com> <20010311120651.A25112@faui02.informatik.uni-erlangen.de> <20010311163119.DBC348C@proven.weird.com> Message-ID: <20010311234011.B24456@folly> On Sun, Mar 11, 2001 at 11:31:19AM -0500, Greg A. Woods wrote: > But that's the part that works already. It's SSH-2.4.0 client scp to > OpenSSH server that doesn't work (and which needs sftp server-side > support). this should work. you just have to enable sftp-server in OpenSSH's sshd_config. -m From djm at mindrot.org Mon Mar 12 10:03:57 2001 From: djm at mindrot.org (Damien Miller) Date: Mon, 12 Mar 2001 10:03:57 +1100 (EST) Subject: [SUMMARY] compiling problems on Solaris 2.6 x86 (fwd) In-Reply-To: Message-ID: On Sun, 11 Mar 2001 mouring at etoh.eviladmin.org wrote: > On Sun, 11 Mar 2001, Damien Miller wrote: > > > Can someone explain why we need this fix on Solaris 2.6? > > > > The heart of the issue is the fact he has a > /usr/local/include/config.h > > Maybe we should resolve it by doing the following: > > CPPFLAGS=@CPPFLAGS@ -I. -I$(srcdir)/openbsd-compat -I$(srcdir) > $(PATHS) @DEFS@ > > to > > CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ -I$(srcdir)/openbsd-compat > $(PATHS) @DEFS@ > > That would ensure that our directories are given priority over what > the user requests. I think that this is safe to do now that we have renamed the conflicting headers. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From J.S.Peatfield at damtp.cam.ac.uk Mon Mar 12 10:34:50 2001 
From: J.S.Peatfield at damtp.cam.ac.uk (Jon Peatfield) Date: Sun, 11 Mar 2001 23:34:50 GMT Subject: patch to allow client to select rsa/dss Message-ID: <200103112334.XAA26570.declaim.amtp.cam.ac.uk@damtp.cam.ac.uk> Here is a quick patch against openssh-2.5.1p1 to add a new config option (pkalg) for the ssh client allowing the selection of which public keys are obtained/verified. --cut-here- diff -c3 -r orig/openssh-2.5.1p1/key.c openssh-2.5.1p1/key.c *** orig/openssh-2.5.1p1/key.c Mon Feb 5 18:16:28 2001 --- openssh-2.5.1p1/key.c Sun Mar 11 23:10:10 2001 *************** *** 534,539 **** --- 534,567 ---- return KEY_UNSPEC; } + #define PKALG_SEP "," + int + pkalg_valid(const char *names) + { + int k; + char *keys, *kp; + char *p; + + if (names == NULL || strcmp(names, "") == 0) + return 0; + keys = kp = xstrdup(names); + for ((p = strsep(&kp, PKALG_SEP)); p && *p != '\0'; + (p = strsep(&kp, PKALG_SEP))) { + if ((strcmp(p, "ssh-rsa") != 0) && + (strcmp(p, "ssh-dss") != 0)) { + debug("bad pkalg %s [%s]", p, names); + xfree(keys); + return 0; + } else { + debug3("pkalg ok: %s [%s]", p, names); + } + } + debug3("pkalgs ok: [%s]", names); + xfree(keys); + return 1; + } + + Key * key_from_blob(char *blob, int blen) { diff -c3 -r orig/openssh-2.5.1p1/key.h openssh-2.5.1p1/key.h *** orig/openssh-2.5.1p1/key.h Mon Jan 29 07:39:26 2001 --- openssh-2.5.1p1/key.h Sun Mar 11 22:50:23 2001 *************** *** 55,60 **** --- 55,61 ---- Key *key_generate(int type, u_int bits); Key *key_from_private(Key *k); int key_type_from_name(char *name); + int pkalg_valid(const char *name); Key *key_from_blob(char *blob, int blen); int key_to_blob(Key *key, u_char **blobp, u_int *lenp); Only in orig/openssh-2.5.1p1/: mkstring diff -c3 -r orig/openssh-2.5.1p1/readconf.c openssh-2.5.1p1/readconf.c *** orig/openssh-2.5.1p1/readconf.c Thu Feb 15 03:02:00 2001 --- openssh-2.5.1p1/readconf.c Sun Mar 11 23:12:34 2001 *************** *** 25,30 **** --- 25,31 ---- #include "misc.h" #include "kex.h" 
#include "mac.h" + #include "key.h" /* Format of the configuration file: *************** *** 107,113 **** oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, ! oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias } OpCodes; --- 108,114 ---- oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, ! oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, oPkalg, oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias } OpCodes; *************** *** 151,156 **** --- 152,158 ---- { "cipher", oCipher }, { "ciphers", oCiphers }, { "macs", oMacs }, + { "pkalg", oPkalg }, { "protocol", oProtocol }, { "remoteforward", oRemoteForward }, { "localforward", oLocalForward }, *************** *** 516,521 **** --- 518,534 ---- options->macs = xstrdup(arg); break; + case oPkalg: + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", filename, linenum); + if (!pkalg_valid(arg)) + fatal("%.200s line %d: Bad SSH2 PKalg spec '%s'.", + filename, linenum, arg ? 
arg : ""); + if (*activep && options->pkalg == NULL) + options->pkalg = xstrdup(arg); + break; + case oProtocol: intptr = &options->protocol; arg = strdelim(&s); *************** *** 708,713 **** --- 721,727 ---- options->cipher = -1; options->ciphers = NULL; options->macs = NULL; + options->pkalg = NULL; options->protocol = SSH_PROTO_UNKNOWN; options->num_identity_files = 0; options->hostname = NULL; diff -c3 -r orig/openssh-2.5.1p1/readconf.h openssh-2.5.1p1/readconf.h *** orig/openssh-2.5.1p1/readconf.h Thu Feb 15 03:02:00 2001 --- openssh-2.5.1p1/readconf.h Sun Mar 11 22:50:23 2001 *************** *** 69,74 **** --- 69,75 ---- int cipher; /* Cipher to use. */ char *ciphers; /* SSH2 ciphers in order of preference. */ char *macs; /* SSH2 macs in order of preference. */ + char *pkalg; /* SSH2 PK_ALG list to use */ int protocol; /* Protocol in order of preference. */ char *hostname; /* Real host to connect. */ char *host_key_alias; /* hostname alias for .ssh/known_hosts */ diff -c3 -r orig/openssh-2.5.1p1/sshconnect2.c openssh-2.5.1p1/sshconnect2.c *** orig/openssh-2.5.1p1/sshconnect2.c Fri Feb 16 01:34:57 2001 --- openssh-2.5.1p1/sshconnect2.c Sun Mar 11 23:15:37 2001 *************** *** 94,99 **** --- 94,104 ---- myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; } + if (options.pkalg != NULL) { + debug("Copying pkalg=%.100s to mypromposal", options.pkalg); + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = options.pkalg; + } + /* buffers with raw kexinit messages */ server_kexinit = xmalloc(sizeof(*server_kexinit)); --cut-here- Most of the patch is based on the handling of 'macs', and 'ciphers', it is quite possible that there is a cleaner way to achieve the same effect. I wasn't sure that key.c was the right place to put pkalg_valid(), but it seems to do the right thing for me: $ ./ssh -o 'pkalg ssh-rsa' -2 testhost uptime The authenticity of host 'testhost (10.16.18.11)' can't be established. 
RSA key fingerprint is e9:20:0b:9a:22:e9:69:b3:52:76:27:ff:41:50:cb:81.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'testhost,10.16.18.11' (RSA) to the list of known hosts.
$ ./ssh -o 'pkalg ssh-dss' -2 testhost uptime
The authenticity of host 'testhost (10.16.18.11)' can't be established.
DSA key fingerprint is 95:df:c5:cc:d9:3b:53:7a:a3:de:42:9c:93:bd:93:2e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'testhost,10.16.18.11' (DSA) to the list of known hosts.

Of course I may have missed something important, and I've currently only
tested it on one implementation (Linux). Any improvements or suggestions
welcome.

-- Jon Peatfield, DAMTP, Computer Officer, University of Cambridge
Telephone: +44 1223 3 37852 Mail: J.S.Peatfield at damtp.cam.ac.uk

From markus.friedl at informatik.uni-erlangen.de Mon Mar 12 10:49:33 2001
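Review bot: in the key.c hunk of the pkalg patch above, pkalg_valid() ends its strsep() loop at the first empty field (`p && *p != '\0'`) and then falls through to `return 1`, so a list such as `ssh-rsa,,ssh-dss` or one with a trailing comma stops being checked at the empty entry and everything after it is accepted unseen; an empty entry should be an error in its own right. The accepted names are also hard-coded as `ssh-rsa` and `ssh-dss`; checking `key_type_from_name(p) != KEY_UNSPEC` and `!= KEY_RSA1`, as proposed later in this thread, keeps the validator in step with key.c when key types are added.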
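Review bot: the `{ "pkalg", oPkalg }` keyword hunk in readconf.c adds a user-visible option but the patch touches no ssh.1 or ssh_config documentation, so the keyword, its comma-separated syntax and the accepted values (`ssh-rsa`, `ssh-dss`) are undocumented; the sibling list options are spelled out as words (`ciphers`, `macs`), and a name in that style plus a manual page entry should go in with the keyword.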
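Review bot: in the `case oPkalg:` hunk the `arg ? arg : ""` inside the second fatal() is dead, because `if (!arg || *arg == '\0') fatal(...)` two lines earlier has already rejected a NULL or empty argument; it was carried over from the macs handler and can simply be `arg`. The `*activep && options->pkalg == NULL` guard means only the first matching definition wins, which matches ciphers/macs but deserves a comment since a later `pkalg` line in the same file is silently ignored.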
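Review bot: the debug() string in the sshconnect2.c hunk misspells `myproposal` as `mypromposal`. Beyond the typo, overriding PROPOSAL_SERVER_HOST_KEY_ALGS with the user's list means a server whose only host key type is outside that list cannot complete key exchange at all, and the resulting failure does not say why; the option's documentation should state that it restricts, not reorders, the host key types the client will accept.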
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 12 Mar 2001 00:49:33 +0100
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
In-Reply-To: <9DC8BBAD4FF100408FC7D18D1F092286039C96@condor.mhsc.com>; from rmeyer@mhsc.com on Sun, Mar 11, 2001 at 01:37:34PM -0800
References: <9DC8BBAD4FF100408FC7D18D1F092286039C96@condor.mhsc.com>
Message-ID: <20010312004933.A27836@folly>

On Sun, Mar 11, 2001 at 01:37:34PM -0800, Roeland Meyer wrote:
> I've been using 1.2.27 (non-com), w/ the 2.0.13 patch, for quite a while
> now. It works fine, but I'd really like to have a Win32 version of both. I
> haven't gone to OpenSSH because of issues like what we're talking about here
> (however, I use OpenSSL quite a bit). I also don't understand the
> fascination folks have for FTP. Anything that uses non-deterministic
> dynamically reassigned ports is fundamentally insecurable. Full
> authentication can only be accomplished when both sides of the connection
> are fully deterministic. In short, sftp ain't... FTP must die. If you want
> secure files distro, use https. If you want secure file uploads, scp does
> the job nicely, or a Java uploader, under https. Getting the SSH/FTP(sftp)
> kludge to work only weakens SSH.

this does not make sense to me.

SFTP is not at all related to FTP.

SFTP is not 'fundamentally insecurable'

SFTP is as secure as SCP.

From markus.friedl at informatik.uni-erlangen.de Mon Mar 12 10:54:40 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 12 Mar 2001 00:54:40 +0100 Subject: patch to select pkalg In-Reply-To: <200103070636.BAA21136@syrinx.oankali.net>; from slade@shore.net on Wed, Mar 07, 2001 at 01:36:51AM -0500 References: <200103070636.BAA21136@syrinx.oankali.net> Message-ID: <20010312005440.A16525@folly> On Wed, Mar 07, 2001 at 01:36:51AM -0500, Richard E. Silverman wrote: > Below is a patch adding the client configuration option "PKAlgorithms" for > this purpose. It doesn't validate the supplied list; I'm not sure if that's > really necessary or desirable. yes, i think this is necessary. you can loop over the list and check that key_type_from_name(string) != KEY_UNSPEC and KEY_RSA1 -markus From tim at multitalents.net Mon Mar 12 12:53:26 2001 
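The check suggested in the reply above, as an added example that is not OpenSSH's own code: the `KEY_*` values and `key_type_from_name()` below are a small stand-in table assumed here in place of the real ones in OpenSSH's key.c, and `pkalg_list_valid()` is the hypothetical validator.

```c
/* Validate a comma-separated list of SSH2 host-key algorithm names the
 * way suggested above.  Added example, not OpenSSH code: the KEY_* values
 * and key_type_from_name() are a stand-in table assumed here in place of
 * the real ones in OpenSSH's key.c. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE		/* strsep()/strdup() prototypes on glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { KEY_RSA1, KEY_RSA, KEY_DSA, KEY_UNSPEC };

/* Stand-in for key_type_from_name(): wire name -> key type. */
int
key_type_from_name(const char *name)
{
	if (strcmp(name, "ssh-rsa") == 0)
		return KEY_RSA;
	if (strcmp(name, "ssh-dss") == 0)
		return KEY_DSA;
	if (strcmp(name, "rsa1") == 0)
		return KEY_RSA1;	/* protocol 1 only, never a SSH2 hostkey alg */
	return KEY_UNSPEC;
}

/* Return 1 if every entry in names is a usable SSH2 host-key algorithm,
 * 0 otherwise.  An empty entry ("ssh-rsa,,ssh-dss", or a trailing comma)
 * is rejected outright rather than ending the scan early, so nothing
 * after it can pass unchecked. */
int
pkalg_list_valid(const char *names)
{
	char *copy, *cp, *p;
	int ok = 1, type;

	if (names == NULL || *names == '\0')
		return 0;
	if ((copy = strdup(names)) == NULL)
		return 0;
	for (cp = copy; (p = strsep(&cp, ",")) != NULL; ) {
		type = (*p == '\0') ? KEY_UNSPEC : key_type_from_name(p);
		if (type == KEY_UNSPEC || type == KEY_RSA1) {
			fprintf(stderr, "bad pkalg entry '%s' in [%s]\n", p, names);
			ok = 0;
			break;
		}
	}
	free(copy);
	return ok;
}
```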
From: tim at multitalents.net (Tim Rice) Date: Sun, 11 Mar 2001 17:53:26 -0800 (PST) Subject: Problems with sftp under SCO OpenServer In-Reply-To: Message-ID: On Sat, 10 Mar 2001 mouring at etoh.eviladmin.org wrote: > > On Sat, 10 Mar 2001, Tim Rice wrote: > > > On Thu, 22 Feb 2001, Greg Jewell wrote: > > > > > Hello, > > > > > > I compiled OpenSSH 2.5.1p1 for SCO OpenServer 5.0.5, HPUX B.11.00, and > > > SunOS 5.7. When I sftp into the HP or Sun box, everything works fine. > > > However, whenever I sftp into the OpenServer box, all remote filenames > > > are shown as "(null)". File sizes, owners, etc. display properly. This > > > behavior is exhibited from all origination points. > > > > I have verified this problem with 2.5.1p2 and 03/10 CVS. > > ... [snip] > > drwxrwxr-x 4 tim trr 4096 (null) Aug 28 2000 > > There was an off list talk about this. Since SCO native snprintf() > does not support %ll concept it does things incorrectly. However the > new 64bit development does support %ll. Too bad it was off list. Would have saved me some time. Oh well. > > The best way to deal with this is to test to see if the > snprintf() supports %ll and define BROKEN_SNPRINTF if it does > not. I just added a sprintf test to configure.in that will show up in the next SNAP. For those running openssh-2.5.1p2 on SCO Open Server 5 I've attached the patch that is now in the CVS. > > - Ben > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net -------------- next part -------------- --- configure.in.old Sat Mar 10 16:52:14 2001 +++ configure.in Sun Mar 11 16:28:22 2001 
@@ -1060,6 +1060,34 @@ "x$ac_cv_sizeof_long_int" != "x8" -a \ "x$ac_cv_sizeof_long_long_int" = "x0" ; then NO_SFTP='#' +else +dnl test snprintf (broken on SCO w/gcc) + AC_TRY_RUN( + [ +#include +#include +#ifdef HAVE_SNPRINTF +main() +{ + char buf[50]; + char expected_out[50]; + int mazsize = 50 ; +#if (SIZEOF_LONG_INT == 8) + long int num = 0x7fffffffffffffff; +#else + long long num = 0x7fffffffffffffff; +#endif + strcpy(expected_out, "9223372036854775807"); + snprintf(buf, mazsize, "%lld", num); + if(strcmp(buf, expected_out) != 0) + exit(1); + exit(0); +} +#else +main() { exit(0); } +#endif + ], [ true ], [ AC_DEFINE(BROKEN_SNPRINTF) ] + ) fi AC_SUBST(NO_SFTP) From woods at weird.com Mon Mar 12 14:10:41 2001 
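Review bot: the AC_TRY_RUN in this hunk is given only the program, an action-if-true (`[ true ]`) and an action-if-false (`[ AC_DEFINE(BROKEN_SNPRINTF) ]`); with no fourth action-if-cross-compiling argument, autoconf stops configure with an error whenever the build is cross-compiled, so add one that either leaves BROKEN_SNPRINTF undefined or defines it conservatively. Two smaller points in the test program: in the `SIZEOF_LONG_INT == 8` branch `num` is a `long int` but is printed with `%lld`, which is only correct where long and long long have the same size, and `main()` relies on implicit int and never returns a value, which newer compilers warn about.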
From: woods at weird.com (Greg A. Woods)
Date: Sun, 11 Mar 2001 22:10:41 -0500 (EST)
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
In-Reply-To: <9DC8BBAD4FF100408FC7D18D1F092286039C96@condor.mhsc.com>
References: <9DC8BBAD4FF100408FC7D18D1F092286039C96@condor.mhsc.com>
Message-ID: <20010312031041.9D7AA8C@proven.weird.com>

[ On Sunday, March 11, 2001 at 13:37:34 (-0800), Roeland Meyer wrote: ]
> Subject: RE: OpenSSH/scp ->> F-Secure SSH server Problems
>
> I echo your lack of understanding. Sometimes, "if it ain't broke ... don't
> fix it" applies and if you *are* going to muck with it, create an
> enhancement and leave the, working, original alone.

I know that the "rcp" protocol is rather old and rather poorly documented
(outside the source and the various books that have covered it in more
detail, such as those of the late Mr. Stevens). I don't quite understand what
limitations it might have had w.r.t. SSH though.

It would appear that the sftp stuff is finally documented in the new IETF
secsh draft-ietf-secsh-filexfer-00.txt, published on or about Jan 9.

My guess is this is just an excuse to use the "built-in subsystem" feature
bloat in the secsh protocol.

> I also don't understand the fascination folks have for FTP. Anything that
> uses non-deterministic dynamically reassigned ports is fundamentally
> insecurable.

In this case (i.e. in the case of wanting to "ftp" over SSH) the issue is with
the stupid user interface. Naive users are looking for some SSH file copying
tool that works just like their FTP clients, i.e. where they can see a list of
files on the server and click/drag/whatever them to effect the copy.
If you've looked at the SSH-2.4.0 sftp client on Unix you can only laugh at it, but I would guess (not having seen one) that an sftp client on M$-Winblows (or Mac-OS) would be something more touchy-feely-GUI and it will no doubt make the users much happier than they would be with the likes of this: ssh remhost ls -l /some/dir scp remhost:/some/dir/some.file . -- Greg A. Woods +1 416 218-0098 VE3TCP Planix, Inc. ; Secrets of the Weird From djm at mindrot.org Mon Mar 12 15:06:18 2001 
From: djm at mindrot.org (Damien Miller) Date: Mon, 12 Mar 2001 15:06:18 +1100 (EST) Subject: OpenSSH/scp ->> F-Secure SSH server Problems In-Reply-To: <20010312031041.9D7AA8C@proven.weird.com> Message-ID: On Sun, 11 Mar 2001, Greg A. Woods wrote: > I know that the "rcp" protocol is rather old and rather poorly > documented (outside the source and the various books that have > covered it in more detail, such as those of the late Mr. Stevens). > I don't quite understand what limitations it might have had > w.r.t. SSH though. rcp/scp also have security problems that are difficult to fix. e.g. http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Ffromthread%3D1%26list%3D1%26end%3D2001-03-17%26mid%3D136480%26threads%3D0%26start%3D2001-03-11%26 > It would appear that the sftp stuff is finally documented in the new > IETF secsh draft-ietf-secsh-filexfer-00.txt, published in on or about > Jan 9. > > My guess is this is just an excuse to use the "built-in subsystem" > feature bloat in the secsh protocol. Subsystems aren't "feature bloat", they are very lightweight (almost free) and are a much more robust way of executing standard services over an ssh transport than executing programs which may or may not be in the server's $PATH. There is nothing stopping anyone from implementing a scp-like tool which uses the sftp protocol. All the back-end is there in OpenSSH (except directory recursion), someone just needs to do the UI. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From tim at multitalents.net Mon Mar 12 15:35:06 2001 
From: tim at multitalents.net (Tim Rice)
Date: Sun, 11 Mar 2001 20:35:06 -0800 (PST)
Subject: [SUMMARY] compiling problems on Solaris 2.6 x86 (fwd)
In-Reply-To:
Message-ID:

On Mon, 12 Mar 2001, Damien Miller wrote:
> On Sun, 11 Mar 2001 mouring at etoh.eviladmin.org wrote:
> > On Sun, 11 Mar 2001, Damien Miller wrote:
> > > Can someone explain why we need this fix on Solaris 2.6?
> >
> > The heart of the issue is the fact he has a /usr/local/include/config.h
> >
> > Maybe we should resolve it by doing the following:
> >
> > CPPFLAGS=@CPPFLAGS@ -I. -I$(srcdir)/openbsd-compat -I$(srcdir) $(PATHS) @DEFS@
> >
> > to
> >
> > CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ -I$(srcdir)/openbsd-compat $(PATHS) @DEFS@
> >
> > That would ensure that our directories are given priority over what
> > the user requests.
>
> I think that this is safe to do now that we have renamed the conflicting
> headers.

CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ -I$(srcdir)/openbsd-compat $(PATHS) @DEFS@

tests OK on
Solaris 8
UnixWare 2.03
UnixWare 2.1.3
UnixWare 7.1.0
SCO Open Server 3
SCO Open Server 5
Caldera eDesktop 2.4
Redhat 6.2

> -d

-- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net

From rmeyer at mhsc.com Mon Mar 12 16:37:54 2001
From: rmeyer at mhsc.com (Roeland Meyer)
Date: Sun, 11 Mar 2001 21:37:54 -0800
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
Message-ID: <9DC8BBAD4FF100408FC7D18D1F092286039C98@condor.mhsc.com>

Then maybe there is a serious disconnect. sftp was billed, to me, as SSH+FTP.
Was that wrong? Otherwise, what is the difference between scp and sftp? ... a
user interface that could probably be better done with a https page?

> -----Original Message-----
> From: Markus Friedl [mailto:markus.friedl at informatik.uni-erlangen.de]
> Sent: Sunday, March 11, 2001 3:50 PM
> To: Roeland Meyer
> Cc: 'ssh'; 'openssh-unix-dev at mindrot.org'
> Subject: Re: OpenSSH/scp ->> F-Secure SSH server Problems
>
> On Sun, Mar 11, 2001 at 01:37:34PM -0800, Roeland Meyer wrote:
> > I've been using 1.2.27 (non-com), w/ the 2.0.13 patch, for quite a while
> > now. It works fine, but I'd really like to have a Win32 version of both. I
> > haven't gone to OpenSSH because of issues like what we're talking about here
> > (however, I use OpenSSL quite a bit). I also don't understand the
> > fascination folks have for FTP. Anything that uses non-deterministic
> > dynamically reassigned ports is fundamentally insecurable. Full
> > authentication can only be accomplished when both sides of the connection
> > are fully deterministic. In short, sftp ain't... FTP must die. If you want
> > secure files distro, use https. If you want secure file uploads, scp does
> > the job nicely, or a Java uploader, under https. Getting the SSH/FTP(sftp)
> > kludge to work only weakens SSH.
>
> this does not make sense to me.
>
> SFTP is not at all related to FTP.
>
> SFTP is not 'fundamentally insecurable'
>
> SFTP is as secure as SCP.

From dankamin at cisco.com Sun Mar 11 13:24:17 2001
From: dankamin at cisco.com (Dan Kaminsky)
Date: Sat, 10 Mar 2001 18:24:17 -0800
Subject: what about socks support?
References: <200103110130.RAA21153@bzs.org>
Message-ID: <001001c0aacd$00a47790$0900040a@na.cisco.com>

> Is there any plan to add socks 4 or socks 5 support to openssh like
> the original ssh developed in finland??

There's a longstanding war over this. Essentially, SSH->SOCKS support
generally demands:

1) Nasty library dependencies
2) Inflexibility (which SOCKS protocols? Which auth methods? etc.)

I will probably be able to work around the former problem (guys, have you
*seen* how trivial SOCKS4 is? Er, don't read the spec, it's wrong.)--but the
latter issue is indeed problematic. Nobody wants to bulk up SSH with
83945798435 different authentication methods.

There are presently two solutions available:

1) Use a general purpose socksifier. In this context, there's a wrapper that
makes *any* app SOCKS capable. The Dante daemon has one; I believe the C
Bouncer author has written another. There's also of course the stuff out of
NEC.

2) Use ProxyCommands. I don't know the syntax offhand (it's quite ugly and
isn't particularly usable, sorry everyone), but it's related to: ssh -o
ProxyCommand [arbitrary connector]. The idea is that an external Proxy
application gets one an 8 bit path to the SSH daemon--then the SSH client
takes over. I'm attaching a 7K app that was written to do this for SOCKS.

There might be better solutions available in future versions of OpenSSH, but
for now these are what's available.

Yours Truly,
Dan Kaminsky, CISSP
http://www.doxpara.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: connect.c.gz
Type: application/x-gzip
Size: 7071 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010310/7b74ba24/attachment.bin

From abartlet at pcug.org.au Mon Mar 12 19:37:05 2001
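A ProxyCommand connector of the kind described in the post above, as an added example that is not the connect.c attached there: it speaks SOCKS4a to a proxy at an assumed host and port given on the command line, then relays the ssh client's stdin/stdout over the proxy socket. The program name `socks4a_connect` and the `%h`/`%p` invocation in the header comment are assumptions for illustration.

```c
/* socks4a_connect.c: SOCKS4a CONNECT helper for OpenSSH's ProxyCommand.
 * Added example, not the connect.c attached to the post.  Assumed usage:
 *   ssh -o 'ProxyCommand ./socks4a_connect proxyhost 1080 %h %p' remhost
 * After the handshake it relays stdin/stdout (the ssh client) to the
 * proxy socket: the 8-bit path over which the client then speaks SSH. */
#define _POSIX_C_SOURCE 200112L
#include <sys/socket.h>
#include <sys/select.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Build a SOCKS4a CONNECT request for host:port into buf (cap bytes);
 * returns its length, or -1 if it does not fit.  DSTIP 0.0.0.1 plus a
 * trailing hostname makes the proxy resolve the name itself. */
int
socks4a_build_request(const char *host, unsigned short port,
    const char *userid, unsigned char *buf, size_t cap)
{
	size_t hlen = strlen(host), ulen = strlen(userid);
	size_t need = 8 + ulen + 1 + hlen + 1;
	if (need > cap || hlen > 255)
		return -1;
	buf[0] = 4;					/* VN: version 4 */
	buf[1] = 1;					/* CD: CONNECT */
	buf[2] = (port >> 8) & 0xff; buf[3] = port & 0xff;	/* DSTPORT */
	buf[4] = buf[5] = buf[6] = 0; buf[7] = 1;	/* DSTIP 0.0.0.1 (4a) */
	memcpy(buf + 8, userid, ulen + 1);		/* USERID + NUL */
	memcpy(buf + 8 + ulen + 1, host, hlen + 1);	/* hostname + NUL */
	return (int)need;
}

/* Parse the 8-byte SOCKS4 reply: 0 when granted (code 90), the proxy's
 * code (91..93) when refused, -1 when malformed (short or VN != 0). */
int
socks4_parse_reply(const unsigned char *rep, size_t len)
{
	if (len != 8 || rep[0] != 0)
		return -1;
	return rep[1] == 90 ? 0 : rep[1];
}

/* Move one chunk from `from` to `to`; 0 on EOF or error. */
static int
pump(int from, int to)
{
	char buf[4096];
	ssize_t n = read(from, buf, sizeof(buf));
	return n > 0 && write(to, buf, n) == n;
}

/* Shuttle bytes stdin->proxy and proxy->stdout until one side closes. */
static void
relay(int fd)
{
	fd_set rfds;
	for (;;) {
		FD_ZERO(&rfds); FD_SET(STDIN_FILENO, &rfds); FD_SET(fd, &rfds);
		if (select(fd + 1, &rfds, NULL, NULL, NULL) < 0)
			return;
		if (FD_ISSET(STDIN_FILENO, &rfds) && !pump(STDIN_FILENO, fd))
			return;
		if (FD_ISSET(fd, &rfds) && !pump(fd, STDOUT_FILENO))
			return;
	}
}

int
main(int argc, char **argv)
{
	struct addrinfo hints, *res = NULL;
	unsigned char req[300], rep[8];
	const char *user = getenv("USER");
	size_t got = 0; ssize_t n; int fd = -1, len;
	if (argc != 5) {
		fprintf(stderr, "usage: %s proxyhost proxyport host port\n", argv[0]);
		return 1;
	}
	memset(&hints, 0, sizeof(hints));
	hints.ai_socktype = SOCK_STREAM;
	if (getaddrinfo(argv[1], argv[2], &hints, &res) != 0 ||
	    (fd = socket(res->ai_family, SOCK_STREAM, 0)) < 0 ||
	    connect(fd, res->ai_addr, res->ai_addrlen) < 0) {
		perror("connect to proxy"); return 1;
	}
	freeaddrinfo(res);
	len = socks4a_build_request(argv[3], (unsigned short)atoi(argv[4]),
	    user ? user : "ssh", req, sizeof(req));
	if (len < 0 || write(fd, req, len) != len)
		return 1;
	while (got < sizeof(rep)) {		/* the reply may arrive in pieces */
		if ((n = read(fd, rep + got, sizeof(rep) - got)) <= 0)
			return 1;
		got += n;
	}
	if (socks4_parse_reply(rep, got) != 0) {
		fprintf(stderr, "proxy refused CONNECT (reply code %d)\n", rep[1]);
		return 1;
	}
	relay(fd);
	return 0;
}
```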
From: abartlet at pcug.org.au (Andrew Bartlett)
Date: Mon, 12 Mar 2001 19:37:05 +1100
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
References: <9DC8BBAD4FF100408FC7D18D1F092286039C98@condor.mhsc.com>
Message-ID: <3AAC8AB1.75F6EC68@bartlett.house>

SFTP runs as a normal user mode application, but is launched from sshd rather
than by the user. It runs as the user, as there are no extra privileges
required. The standard input and output are redirected along the encrypted
stream (as all program input/output is) and processed by the sftp client
program.

It's called sftp partly because the interaction 'looks' like FTP, and is
suitable for wrapping into a GUI application. This is where the similarity
begins and ends.

As to your comments about https, I have actually considered exactly this
possibility - but decided that SSH/sftp is much more secure, is more
accountable, and is already deployed. (For most setups, a https based setup
would involve either a web-server running as root, or setuid root cgi-scripts.
Neither was an attractive prospect.) Finally, sftp didn't have the
certification requirements - this just made things that little bit easier.

SFTP probably should have been billed as: SSH security, with FTP
functionality.

Hope this clarifies things,

Andrew Bartlett

Roeland Meyer wrote:
>
> Then maybe there is a serious disconnect. sftp was billed, to me, as
> SSH+FTP. Was that wrong?
> Otherwise, what is the difference between scp and sftp? ... a user
> interface that could probably be better done with a https page?
>
> > -----Original Message-----
> > From: Markus Friedl [mailto:markus.friedl at informatik.uni-erlangen.de]
> > Sent: Sunday, March 11, 2001 3:50 PM
> > To: Roeland Meyer
> > Cc: 'ssh'; 'openssh-unix-dev at mindrot.org'
> > Subject: Re: OpenSSH/scp ->> F-Secure SSH server Problems
> >
> > On Sun, Mar 11, 2001 at 01:37:34PM -0800, Roeland Meyer wrote:
> > > I've been using 1.2.27 (non-com), w/ the 2.0.13 patch, for quite a while
> > > now. It works fine, but I'd really like to have a Win32 version of both. I
> > > haven't gone to OpenSSH because of issues like what we're talking about here
> > > (however, I use OpenSSL quite a bit). I also don't understand the
> > > fascination folks have for FTP. Anything that uses non-deterministic
> > > dynamically reassigned ports is fundamentally insecurable. Full
> > > authentication can only be accomplished when both sides of the connection
> > > are fully deterministic. In short, sftp ain't... FTP must die. If you want
> > > secure files distro, use https. If you want secure file uploads, scp does
> > > the job nicely, or a Java uploader, under https. Getting the SSH/FTP(sftp)
> > > kludge to work only weakens SSH.
> >
> > this does not make sense to me.
> >
> > SFTP is not at all related to FTP.
> >
> > SFTP is not 'fundamentally insecurable'
> >
> > SFTP is as secure as SCP.
> >

-- Andrew Bartlett abartlet at pcug.org.au

From djm at mindrot.org Mon Mar 12 19:39:54 2001
From: djm at mindrot.org (Damien Miller) Date: Mon, 12 Mar 2001 19:39:54 +1100 (EST) Subject: OpenSSH/scp ->> F-Secure SSH server Problems In-Reply-To: <9DC8BBAD4FF100408FC7D18D1F092286039C98@condor.mhsc.com> Message-ID:

On Sun, 11 Mar 2001, Roeland Meyer wrote:
> Then maybe there is a serious disconnect. sftp was billed, to me, as
> SSH+FTP. Was that wrong?
> Otherwise, what is the difference between scp and sftp? ... a user
> interface that could probably be better done with a https page?

No, sftp is a completely different protocol:

http://www.mindrot.org/ietf/internet-drafts/draft-ietf-secsh-filexfer-01.txt

-d
-- 
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From Markus.Friedl at informatik.uni-erlangen.de Mon Mar 12 21:01:04 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 12 Mar 2001 11:01:04 +0100 Subject: OpenSSH/scp ->> F-Secure SSH server Problems In-Reply-To: <9DC8BBAD4FF100408FC7D18D1F092286039C98@condor.mhsc.com>; from rmeyer@mhsc.com on Sun, Mar 11, 2001 at 09:37:54PM -0800 References: <9DC8BBAD4FF100408FC7D18D1F092286039C98@condor.mhsc.com> Message-ID: <20010312110104.A19170@faui02.informatik.uni-erlangen.de>

On Sun, Mar 11, 2001 at 09:37:54PM -0800, Roeland Meyer wrote:
> Then maybe there is a serious disconnect. sftp was billed, to me, as
> SSH+FTP. Was that wrong?

yes. SFTP != SSH+FTP

> Otherwise, what is the difference between scp and sftp?

the scp client speaks rsh over ssh
the sftp client speaks ietf-secsh-filexfer over ssh
the scp2 client speaks ietf-secsh-filexfer over ssh

-m

From dankamin at cisco.com Mon Mar 12 21:16:35 2001
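What "the scp client speaks rsh over ssh" means in bytes: scp runs the BSD rcp protocol over the ssh channel, and each file is announced with a one-line header, "C<mode> <size> <name>\n", followed (after a zero-byte acknowledgement) by the content. The following example is added here and is not OpenSSH code: a sender-side formatter for that header and the kind of strict receiver-side parser a practitioner wants, since every field on that line comes from the far end. The byte layout is the protocol's; the rule that a name must be a single path component (no '/', not "." or "..") and the 19-digit size limit are this example's own choices; the inputs in the drivers are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

struct rcp_hdr {
    unsigned int mode;   /* permission bits; four octal digits on the wire */
    uint64_t size;       /* number of content bytes that follow */
    char name[256];      /* bare file name, no directory part */
};

/* Sender side: format a "C" record. Returns its length, -1 if buf is too small. */
int rcp_format_header(char *buf, size_t cap, unsigned int mode,
                      uint64_t size, const char *name)
{
    int n = snprintf(buf, cap, "C%04o %llu %s\n", mode & 07777u,
                     (unsigned long long)size, name);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* This example's policy: a name must be a single path component. */
static int valid_name(const char *name)
{
    if (name[0] == '\0' || strchr(name, '/') != NULL) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    return 1;
}

/* Receiver side: parse one header line strictly. 0 on success, -1 otherwise. */
int rcp_parse_header(const char *line, size_t len, struct rcp_hdr *out)
{
    if (len < 2 || line[0] != 'C' || line[len - 1] != '\n') return -1;
    const char *p = line + 1, *end = line + len - 1;   /* end points at '\n' */

    unsigned int mode = 0;                             /* exactly 4 octal digits */
    for (int i = 0; i < 4; i++, p++) {
        if (p >= end || *p < '0' || *p > '7') return -1;
        mode = mode * 8 + (unsigned int)(*p - '0');
    }
    if (p >= end || *p++ != ' ') return -1;

    uint64_t size = 0;                                 /* decimal, at most 19 digits */
    int digits = 0;
    while (p < end && *p >= '0' && *p <= '9') {
        if (++digits > 19) return -1;
        size = size * 10 + (uint64_t)(*p++ - '0');
    }
    if (digits == 0 || p >= end || *p++ != ' ') return -1;

    size_t nlen = (size_t)(end - p);                   /* rest of the line is the name */
    if (nlen == 0 || nlen >= sizeof out->name || memchr(p, '\0', nlen) != NULL)
        return -1;
    memcpy(out->name, p, nlen);
    out->name[nlen] = '\0';
    if (!valid_name(out->name)) return -1;

    out->mode = mode;
    out->size = size;
    return 0;
}

/* Returns 1 if the parser rejects the (constructed) header text s. */
int rcp_rejects(const char *s)
{
    struct rcp_hdr h;
    return rcp_parse_header(s, strlen(s), &h) != 0;
}

/* Round trip: format a header, parse it back, check every field. */
int demo_roundtrip(void)
{
    char buf[300];
    struct rcp_hdr h;
    int n = rcp_format_header(buf, sizeof buf, 0644, 5, "hello.txt");
    if (n < 0 || rcp_parse_header(buf, (size_t)n, &h) != 0) return 0;
    return h.mode == 0644 && h.size == 5 && strcmp(h.name, "hello.txt") == 0;
}
```

The parser accepts only the exact grammar (four octal digits, one space, decimal size, one space, name, newline), so a header such as "C0644 12 ../passwd\n" is refused before any file is created; the sftp protocol that the thread contrasts with this has typed, length-prefixed fields instead of a line to tokenise.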
From: dankamin at cisco.com (Dan Kaminsky) Date: Mon, 12 Mar 2001 02:16:35 -0800 Subject: [PATCH]: contrib/cygwin/ssh-host-config References: <20010307111507.E21275@cygbert.vinschen.de> <3AA660E6.AF9B9DBE@aproposretail.com> <20010307193050.V21275@cygbert.vinschen.de> <3AA68C11.1A9A3698@aproposretail.com> Message-ID: <00c101c0aadd$85934750$0900040a@na.cisco.com> > > > > Additionally the script used to add `sshd 22/tcp' to the services file > > > > while the IANA proposes `ssh 22/tcp' and `ssh 22/udp' as services entries. SSH doesn't reimplement TCP, thus allowing it to be run over a datagram protocol...uh, does it? --Dan From jaltman at columbia.edu Tue Mar 13 00:31:48 2001 
From: jaltman at columbia.edu (Jeffrey Altman) Date: Mon, 12 Mar 2001 8:31:48 EST Subject: OpenSSH/scp ->> F-Secure SSH server Problems In-Reply-To: Your message of Sun, 11 Mar 2001 22:10:41 -0500 (EST) Message-ID:

> > > I also don't understand the
> > fascination folks have for FTP. Anything that uses non-deterministic
> > dynamically reassigned ports is fundamentally insecurable.
> 
> In this case (i.e. in the case of wanting to "ftp" over SSH) the issue
> is with the stupid user interface. Naive users are looking for some SSH
> file copying tool that works just like their FTP clients, i.e. where
> they can see a list of files on the server and click/drag/whatever them
> to effect the copy.

Why do you need to use FTP over SSH when FTP is "securable" using any number of methods? The most common methods are

SSL/TLS

GSSAPI

Kerberos

SRP

When using any of these methods both the command and data channels used by FTP are authenticated, encrypted and integrity checked. In other words, they are secure.

C-Kermit 7.1 provides an FTP client and supports all of the above methods. FTP daemons that implement the above protocols are available from a number of sources depending on which protocol you wish to use.

Jeffrey Altman * Sr. Software Designer
The Kermit Project @ Columbia University
http://www.kermit-project.org/
kermit-support at kermit-project.org

C-Kermit 7.1 Alpha available, includes Secure Telnet and FTP using Kerberos, SRP, and OpenSSL. SSH soon to follow.

From Markus.Friedl at informatik.uni-erlangen.de Tue Mar 13 00:40:35 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 12 Mar 2001 14:40:35 +0100 Subject: OpenSSH/scp ->> F-Secure SSH server Problems In-Reply-To: ; from jaltman@columbia.edu on Mon, Mar 12, 2001 at 08:31:48AM -0500 References: Message-ID: <20010312144035.A1174@faui02.informatik.uni-erlangen.de>

On Mon, Mar 12, 2001 at 08:31:48AM -0500, Jeffrey Altman wrote:
> > In this case (i.e. in the case of wanting to "ftp" over SSH) the issue
> > is with the stupid user interface. Naive users are looking for some SSH
> > file copying tool that works just like their FTP clients, i.e. where
> > they can see a list of files on the server and click/drag/whatever them
> > to effect the copy.
> 
> Why do you need to use FTP over SSH when FTP is "securable" using any
> number of methods? The most common methods are
> 
> SSL/TLS
> 
> GSSAPI
> 
> Kerberos
> 
> SRP
> 
> 
> When using any of these methods both the command and data channels
> used by FTP are authenticated, encrypted and integrity checked. In
> other words, they are secure.

so does SFTP. so what's the point?

From Erwin.DeMunter at siemens.atea.be Tue Mar 13 02:13:14 2001
From: Erwin.DeMunter at siemens.atea.be (De Munter Erwin) Date: Mon, 12 Mar 2001 16:13:14 +0100 Subject: problems with NIS after installing openSSH ? Message-ID: <6B546A602AD2D211BFF00008C7A428890333690B@hrtades2.atea.be>

Has anyone else had problems after installing openSSH on a NIS Master server? When I do the make of the netid map in /var/yp, I get an error code 138 fatal error.

De Munter Erwin

From dwd at bell-labs.com Tue Mar 13 04:05:08 2001
From: dwd at bell-labs.com (Dave Dykstra) Date: Mon, 12 Mar 2001 11:05:08 -0600 Subject: prng_cmds/init_rng() question/patch In-Reply-To: <200103111851.SAA17628.declaim.amtp.cam.ac.uk@damtp.cam.ac.uk>; from J.S.Peatfield@damtp.cam.ac.uk on Sun, Mar 11, 2001 at 06:51:36PM +0000 References: <200103111851.SAA17628.declaim.amtp.cam.ac.uk@damtp.cam.ac.uk> Message-ID: <20010312110508.A4277@lucent.com>

On Sun, Mar 11, 2001 at 06:51:36PM +0000, Jon Peatfield wrote:
> I have a need to provide ssh client binaries for use elsewhere on
> several platforms, some without /dev/random support. I can't assume
> that users will know how to install/run prngd or egd, so I was
> planning to rely on the builtin prng code. However this require the
> ssh_prng_cmds file to exist in a fixed location -- which would mean
> making binaries which either look for it in . or other similar hacks.

That won't be the only file that you'll need to locate if you want to relocate your binaries. You might want to take a look at my simple binary relocation program

http://www.bell-labs.com/project/nsbd/breloc.html

which works by configuring binaries with a prefix with a bunch of extra slashes and doing binary edits to relocate the compiled-in paths at which to find support files.

- Dave Dykstra

From J.S.Peatfield at damtp.cam.ac.uk Tue Mar 13 04:56:19 2001
From: J.S.Peatfield at damtp.cam.ac.uk (J.S.Peatfield at damtp.cam.ac.uk) Date: Mon, 12 Mar 2001 17:56:19 GMT Subject: prng_cmds/init_rng() question/patch Message-ID: <200103121756.RAA00747@squib.amtp.cam.ac.uk@damtp.cam.ac.uk>

For the ssh client (only at least) it does seem to be the only dependency on a fixed path. In the past we distributed ssh-1 binaries which worked fine in many places, and with the patch the ssh from openssh-251 also seems to work fine on its own.

Of course the daemon would take more effort to relocate but I don't expect sshd to be run by users...

[we provide common ssh binaries for users to take to remote locations where they may not find ssh already installed so they can use it to connect back here. Normally I'd expect ssh to be properly installed, but I can't assume much about the random places that our users seem to need to visit.]

From neis at kobil.de Tue Mar 13 05:09:08 2001
From: neis at kobil.de (Stefan Neis) Date: Mon, 12 Mar 2001 19:09:08 +0100 Subject: PAM & several passwords Message-ID: <3AAD10C4.74578E35@kobil.de>

Hi,

Is there any hope getting openssh to support a sequence of several authentication methods (requiring different passwords) for one login? I.e. take the standard static password, feed it into pam_unix.so for verification, then ask the user for yet another password (e.g. a one-time password) and verify this one by a different PAM module.

Currently, verifying either a static password or a one time password both work nicely, but knowing the weaknesses of both methods, I'd like to require both static _and_ one time password...

Seems like quite a problem to get a message back to the user and obtain some additional input from him, but then, I'm not an ssh-expert, so I might be missing something obvious.

Thanks,
Stefan

From J.S.Peatfield at damtp.cam.ac.uk Tue Mar 13 05:23:10 2001
From: J.S.Peatfield at damtp.cam.ac.uk (J.S.Peatfield at damtp.cam.ac.uk) Date: Mon, 12 Mar 2001 18:23:10 GMT Subject: PAM & several passwords Message-ID: <200103121823.SAA00924@squib.amtp.cam.ac.uk@damtp.cam.ac.uk> Surely this would be handled by the pam code already wouldn't it? Assuming that there are several modules all required and they each can ask the user for some auth token... (not that I've actually tried it of course). From neis at kobil.de Tue Mar 13 05:33:05 2001 From: neis at kobil.de (Stefan Neis) Date: Mon, 12 Mar 2001 19:33:05 +0100 Subject: PAM & several passwords References: <200103121823.SAA00924@squib.amtp.cam.ac.uk@damtp.cam.ac.uk> Message-ID: <3AAD1661.BE1C3060@kobil.de> J.S.Peatfield at damtp.cam.ac.uk wrote: > > Surely this would be handled by the pam code already > wouldn't it? Assuming that there are several modules > all required and they each can ask the user for some > auth token... (not that I've actually tried it of course). The point is that PAM is relying on the application's "conversation function" to obtain passwords/auth tokens. And sshd's conversation function just fills the one and only password I entered into the reply slot and returns without giving me any chance to do something different... From bazsi at balabit.hu Tue Mar 13 06:05:29 2001 
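The conversation-function limitation Stefan describes, shown in code. This is an added example and not sshd's code: a conversation that answers every prompt with the single password it was handed (the behaviour the thread attributes to sshd) beside one that answers prompts in order from a queue of distinct tokens, both run against a constructed two-module "stack" that asks first for the static password and then for a one-time password. The PAM constants and the two structs are reproduced here so the file builds without <security/pam_appl.h>; real code includes that header and lets libpam call the conversation. The secrets "static-pw" and "otp-4711" are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Mirrors the Linux-PAM conversation ABI (assumption: values match the header). */
#define PAM_SUCCESS         0
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON  2

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
typedef int (*conv_fn)(int, const struct pam_message **,
                       struct pam_response **, void *);

static char *dup_str(const char *s)        /* strdup without the feature macros */
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    return d ? memcpy(d, s, n) : NULL;
}

/* Style 1: one password, handed back for every prompt, whatever it asks. */
int conv_one_password(int num_msg, const struct pam_message **msg,
                      struct pam_response **resp, void *appdata)
{
    const char *password = appdata;
    struct pam_response *r;
    if (num_msg <= 0 || (r = calloc((size_t)num_msg, sizeof *r)) == NULL)
        return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++)
        if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF ||
            msg[i]->msg_style == PAM_PROMPT_ECHO_ON)
            r[i].resp = dup_str(password);
    *resp = r;
    return PAM_SUCCESS;
}

/* Style 2: distinct answers consumed in order; running out is an error,
 * not a reason to reuse a secret. */
struct answer_queue { const char **items; int count; int next; };

int conv_queued(int num_msg, const struct pam_message **msg,
                struct pam_response **resp, void *appdata)
{
    struct answer_queue *q = appdata;
    struct pam_response *r;
    if (num_msg <= 0 || (r = calloc((size_t)num_msg, sizeof *r)) == NULL)
        return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF &&
            msg[i]->msg_style != PAM_PROMPT_ECHO_ON)
            continue;                      /* info/error text needs no reply */
        if (q->next >= q->count) {         /* asked for more than we were given */
            for (int j = 0; j < i; j++) free(r[j].resp);
            free(r);
            return PAM_CONV_ERR;
        }
        r[i].resp = dup_str(q->items[q->next++]);
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Constructed module: one hidden prompt, accepted iff the reply == expected. */
static int module_check(conv_fn conv, void *appdata,
                        const char *prompt, const char *expected)
{
    struct pam_message m = { PAM_PROMPT_ECHO_OFF, prompt };
    const struct pam_message *mp = &m;
    struct pam_response *r = NULL;
    if (conv(1, &mp, &r, appdata) != PAM_SUCCESS || r == NULL) return 0;
    int ok = r[0].resp != NULL && strcmp(r[0].resp, expected) == 0;
    free(r[0].resp);
    free(r);
    return ok;
}

/* Two "required" modules: static password (pam_unix style), then OTP. */
int stack_authenticates(conv_fn conv, void *appdata)
{
    int ok = module_check(conv, appdata, "Password: ", "static-pw");
    ok &= module_check(conv, appdata, "One-time password: ", "otp-4711");
    return ok;
}

int demo_single_password(void)             /* sshd-style: fails the OTP prompt */
{
    char pw[] = "static-pw";
    return stack_authenticates(conv_one_password, pw);
}

int demo_queued(void)                      /* both tokens supplied in order */
{
    const char *answers[] = { "static-pw", "otp-4711" };
    struct answer_queue q = { answers, 2, 0 };
    return stack_authenticates(conv_queued, &q);
}

int demo_queued_short(void)                /* only the first token supplied */
{
    const char *answers[] = { "static-pw" };
    struct answer_queue q = { answers, 1, 0 };
    return stack_authenticates(conv_queued, &q);
}
```

The queued conversation is only half the story: the server still has to obtain the second token from the client, which is what the SSH2 keyboard-interactive path makes possible and the single-password method does not.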
From: bazsi at balabit.hu (Balazs Scheidler) Date: Mon, 12 Mar 2001 20:05:29 +0100 Subject: PAM & several passwords In-Reply-To: <3AAD10C4.74578E35@kobil.de>; from neis@kobil.de on Mon, Mar 12, 2001 at 07:09:08PM +0100 References: <3AAD10C4.74578E35@kobil.de> Message-ID: <20010312200529.A532@balabit.hu> > Is there any hope getting openssh to support a sequence > of several authentication methods (requiring different > passwords) for one login? > I.e. take the standard static password, feed it into > pam_unix.so for verification, then ask the user for yet > another password (e.g. a one-time password) and verify > this one by a different PAM module > Currently, verifying either a static password or a one > time password both work nicely, but knowing the > weaknesses of both methods, I'd like to require both > static _and_ one time password... > Seems like quite a problem to get a message back to the > user and obtain some additional input from him, but > then, I'm not an ssh-expert, so I might be missing > something obvious. The SSH2 protocol has support for this in its authentication protocol: 2.2. Responses to Authentication Requests If the server rejects the authentication request, it MUST respond with byte SSH_MSG_USERAUTH_FAILURE string authentications that can continue boolean partial success ... "Partial success" MUST be true if the authentication request to which this is a response was successful. It MUST be false if the request was not successfully processed. -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 From gert at greenie.muc.de Tue Mar 13 06:38:51 2001 
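The SSH_MSG_USERAUTH_FAILURE message Balazs quotes, encoded and decoded, plus a minimal server-side policy that uses its "partial success" flag to chain two methods. This is an added example, not OpenSSH code. Wire format as in the secsh drafts: one message byte (51 for USERAUTH_FAILURE), a string (uint32 big-endian length followed by the bytes) holding the comma-separated name-list of methods that can continue, then one boolean byte. The method names "password" and "keyboard-interactive", the `valid` flag standing in for the PAM verdict, and the packets in the drivers are this example's assumptions.

```c
#include <stdint.h>
#include <string.h>

#define SSH_MSG_USERAUTH_FAILURE 51

static void put_u32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}
static uint32_t get_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Build the message; returns bytes written, 0 if buf is too small. */
size_t encode_userauth_failure(unsigned char *buf, size_t cap,
                               const char *can_continue, int partial)
{
    size_t n = strlen(can_continue);
    if (cap < 6 + n) return 0;
    buf[0] = SSH_MSG_USERAUTH_FAILURE;
    put_u32(buf + 1, (uint32_t)n);
    memcpy(buf + 5, can_continue, n);
    buf[5 + n] = partial ? 1 : 0;
    return 6 + n;
}

/* Parse the message; 0 on success, -1 if malformed. The declared string
 * length must fit both the packet and the caller's buffer. */
int decode_userauth_failure(const unsigned char *buf, size_t len,
                            char *methods, size_t methods_cap, int *partial)
{
    if (len < 6 || buf[0] != SSH_MSG_USERAUTH_FAILURE) return -1;
    uint32_t n = get_u32(buf + 1);
    if (n > len - 6 || n >= methods_cap) return -1;
    memcpy(methods, buf + 5, n);
    methods[n] = '\0';
    *partial = buf[5 + n] != 0;
    return 0;
}

/* Server policy: "password" first, then "keyboard-interactive" (the OTP).
 * Returns 1 when fully authenticated (caller sends USERAUTH_SUCCESS),
 * else 0 with a USERAUTH_FAILURE written into buf. */
struct auth_state { int password_ok; };

int auth_step(struct auth_state *st, const char *method, int valid,
              unsigned char *buf, size_t cap, size_t *out_len)
{
    if (!st->password_ok) {
        if (strcmp(method, "password") == 0 && valid) {
            st->password_ok = 1;   /* first factor done: partial success TRUE */
            *out_len = encode_userauth_failure(buf, cap, "keyboard-interactive", 1);
        } else {
            *out_len = encode_userauth_failure(buf, cap, "password", 0);
        }
        return 0;
    }
    if (strcmp(method, "keyboard-interactive") == 0 && valid)
        return 1;
    *out_len = encode_userauth_failure(buf, cap, "keyboard-interactive", 0);
    return 0;
}

/* Walk the exchange as the client sees it; 1 only if every step matches. */
int demo_two_factor_exchange(void)
{
    struct auth_state st = { 0 };
    unsigned char buf[64]; char m[32]; size_t n; int partial;

    /* OTP offered before the password: refused, partial success FALSE */
    if (auth_step(&st, "keyboard-interactive", 1, buf, sizeof buf, &n) != 0) return 0;
    if (decode_userauth_failure(buf, n, m, sizeof m, &partial) != 0) return 0;
    if (strcmp(m, "password") != 0 || partial != 0) return 0;

    /* correct password: FAILURE carrying partial success TRUE */
    if (auth_step(&st, "password", 1, buf, sizeof buf, &n) != 0) return 0;
    if (decode_userauth_failure(buf, n, m, sizeof m, &partial) != 0) return 0;
    if (strcmp(m, "keyboard-interactive") != 0 || partial != 1) return 0;

    /* correct OTP: fully authenticated */
    return auth_step(&st, "keyboard-interactive", 1, buf, sizeof buf, &n) == 1;
}

/* Constructed malformed packet: declared string length exceeds the packet. */
int demo_rejects_truncated(void)
{
    unsigned char bad[] = { 51, 0, 0, 0, 200, 'p', 'w', 0 };
    char m[32]; int partial;
    return decode_userauth_failure(bad, sizeof bad, m, sizeof m, &partial) == -1;
}
```

The point of the flag is that a client which sees partial success TRUE knows its password was accepted and that it must now offer a method from the name-list rather than retry the one it just used; a server that wants two independent factors therefore never sends USERAUTH_SUCCESS before both have been presented.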
From: gert at greenie.muc.de (Gert Doering) Date: Mon, 12 Mar 2001 20:38:51 +0100 Subject: prng_cmds/init_rng() question/patch In-Reply-To: <200103121756.RAA00747@squib.amtp.cam.ac.uk@damtp.cam.ac.uk>; from J.S.Peatfield@damtp.cam.ac.uk on Mon, Mar 12, 2001 at 05:56:19PM +0000 References: <200103121756.RAA00747@squib.amtp.cam.ac.uk@damtp.cam.ac.uk> Message-ID: <20010312203851.B29658@greenie.muc.de> Hi, On Mon, Mar 12, 2001 at 05:56:19PM +0000, J.S.Peatfield at damtp.cam.ac.uk wrote: > [we provide common ssh binaries for users' to take to remote locations where > they may not find ssh already installed so they can use it to connect back > here. Normally I'd expect ssh to be properly installed, but I can't assume > much about the random places that our users seem to need to visit.] What about using things like Mindterm's Java ssh client? Just point the browser to your web server, get a ssh client, log into machine... gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From jason at dfmm.org Thu Mar 8 00:34:04 2001 
From: jason at dfmm.org (Jason Stone) Date: Wed, 7 Mar 2001 05:34:04 -0800 (PST) Subject: [PATCH]: contrib/cygwin/ssh-host-config In-Reply-To: <20010307141953.A9622@greenie.muc.de> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > > while the IANA proposes `ssh 22/tcp' and `ssh 22/udp' as services > > entries. > > Which brings me to a thing that I have always wondered about. > > What is "ssh 22/udp" good for? I see this for many standard TCP > services in recent /etc/services files, but it makes no sense. SSH is > not UDP, and will never be, so why make "22/udp" an official port > number for it? Per rfc 1700, when you reserve a tcp port, you're supposed to also reserve the udp port. (In case you someday change your mind (a la nfs), or just to simplify stuff, I would imagine). -Jason --------------------------- If the Revolution comes to grief, it will be because you and those you lead have become alarmed at your own brutality. --John Gardner -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE6pjjQswXMWWtptckRAosmAJ41DkLGUYA1FuS9acesG+bJfq5MpQCeMmVg jJKImelN5hKTVAhdsZ9wkWA= =L22s -----END PGP SIGNATURE----- From mattl at livecapital.com Tue Mar 13 08:05:19 2001 
From: mattl at livecapital.com (Lewandowsky, Matt) Date: Mon, 12 Mar 2001 13:05:19 -0800 Subject: prng_cmds/init_rng() question/patch Message-ID: <71D01DB8DA698947A6F5D666D62A2DB001C38E@haexchange.mail.livecapital.com> Is there anything like this atm which uses the web server as a proxy? For example, say that I'm behind a firewall at work, and the "security policy" disallows ssh. Say that I need to access a CVS repository (another blocked port) to get up to date on, say, OpenSSH... scp/sftp aren't exactly in the scope of this question, but... ;) After all, I could always do a cvs update and tar up the results to place on a web page... Hopefully someone will follow what I'd like to do. (Basically, my job... ;/ ) --Matt > -----Original Message----- > From: Gert Doering [mailto:gert at greenie.muc.de] > Sent: Monday, March 12, 2001 11:39 AM > To: J.S.Peatfield at damtp.cam.ac.uk; dwd at bell-labs.com > Cc: openssh-unix-dev at mindrot.org > Subject: Re: prng_cmds/init_rng() question/patch > > > Hi, > > On Mon, Mar 12, 2001 at 05:56:19PM +0000, > J.S.Peatfield at damtp.cam.ac.uk wrote: > > [we provide common ssh binaries for users' to take to > remote locations where > > they may not find ssh already installed so they can use it > to connect back > > here. Normally I'd expect ssh to be properly installed, > but I can't assume > > much about the random places that our users seem to need to visit.] > > What about using things like Mindterm's Java ssh client? > Just point the > browser to your web server, get a ssh client, log into machine... > > gert > -- > USENET is *not* the non-clickable part of WWW! > > //www.muc.de/~gert/ > Gert Doering - Munich, Germany > gert at greenie.muc.de > fax: +49-89-35655025 > gert.doering at physik.tu-muenchen.de > From markus.friedl at informatik.uni-erlangen.de Tue Mar 13 08:24:32 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 12 Mar 2001 22:24:32 +0100 Subject: OpenSSH/scp ->> F-Secure SSH server Problems In-Reply-To: <20010312031041.9D7AA8C@proven.weird.com>; from woods@weird.com on Sun, Mar 11, 2001 at 10:10:41PM -0500 References: <9DC8BBAD4FF100408FC7D18D1F092286039C96@condor.mhsc.com> <20010312031041.9D7AA8C@proven.weird.com> Message-ID: <20010312222432.A7800@folly>

On Sun, Mar 11, 2001 at 10:10:41PM -0500, Greg A. Woods wrote:
> My guess is this is just an excuse to use the "built-in subsystem"
> feature bloat in the secsh protocol.

subsystem is not feature bloat, it's like exec-command, but allows a level of redirection.

> In this case (i.e. in the case of wanting to "ftp" over SSH) the issue
> is with the stupid user interface. Naive users are looking for some SSH
> file copying tool that works just like their FTP clients, i.e. where
> they can see a list of files on the server and click/drag/whatever them
> to effect the copy.

have you ever tried the vandyke.com sftp-client?

-m

From wwieser at gmx.de Tue Mar 13 08:23:02 2001
From: wwieser at gmx.de (wwieser at gmx.de) Date: Mon, 12 Mar 2001 22:23:02 +0100 Subject: Bug in bsd-misc.c Message-ID: <01031221504500.00422@enigma>

Hi guys...

Just wanted to see what is so different in BSD from Linux and had a quick look at the openbsd-compat directory (openssh-2.5.1p1).

There is a REALLY obvious bug in bsd-misc.c, quoted below:

#if !defined(HAVE_STRERROR) && defined(HAVE_SYS_ERRLIST) && defined(HAVE_SYS_NERR)
const char *strerror(int e)
{
        extern int sys_nerr;
        extern char *sys_errlist[];

        if ((e >= 0) || (e < sys_nerr))
                return("unlisted error");
        else
                return(sys_errlist[e]);
}
#endif

(Shouldn't the return statements be swapped?!)

Regards,
wwieser

From mouring at etoh.eviladmin.org Tue Mar 13 08:51:45 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Mon, 12 Mar 2001 15:51:45 -0600 (CST) Subject: Bug in bsd-misc.c In-Reply-To: <01031221504500.00422@enigma> Message-ID:

On Mon, 12 Mar 2001 wwieser at gmx.de wrote:
> Hi guys...
> 
> Just wanted to see what is so different in BSD from Linux and had a
> quick look at the openbsd-compat directory (openssh-2.5.1p1).
> 
> There is a REALLY obvious bug in bsd-misc.c, quoted below:
> 
> #if !defined(HAVE_STRERROR) && defined(HAVE_SYS_ERRLIST) && defined(HAVE_SYS_NERR)
> const char *strerror(int e)
> {
>         extern int sys_nerr;
>         extern char *sys_errlist[];
> 
>         if ((e >= 0) || (e < sys_nerr))
>                 return("unlisted error");
>         else
>                 return(sys_errlist[e]);
> }
> #endif
> 
> (Shouldn't the return statements be swapped?!)
> 

I believe so. Looking at:

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/string/__strerror.c?rev=1.6

It seems that they should be. However, I'm interested in how you ran across this with Linux since Linux has a built in strerror(). =)

- Ben

From tls at rek.tjls.com Tue Mar 13 09:31:30 2001
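The bug wwieser found is worth tracing precisely, because the obvious fix is not the right one. The condition `(e >= 0) || (e < sys_nerr)` is true for every integer, so the function as posted always returns "unlisted error" and the table branch is dead; merely swapping the two return statements keeps that always-true test and sends every value, negative or beyond the table, into `sys_errlist[e]`, an out-of-bounds read. The corrected form needs both bounds with the lookup only when they hold, which is the check libc implementations make. The block below is an added example, not OpenSSH code: the three variants side by side over a constructed three-entry table standing in for sys_errlist/sys_nerr, with the functions renamed so they do not collide with the libc strerror().

```c
#include <string.h>

static const char *demo_errlist[] = {   /* constructed stand-in for sys_errlist */
    "Success",
    "Operation not permitted",
    "No such file or directory",
};
static const int demo_nerr = (int)(sizeof demo_errlist / sizeof demo_errlist[0]);

/* As posted: every e satisfies (e >= 0) || (e < nerr), so the lookup is
 * unreachable and the caller always gets "unlisted error". */
const char *strerror_as_posted(int e)
{
    if ((e >= 0) || (e < demo_nerr))
        return "unlisted error";
    return demo_errlist[e];   /* never reached */
}

/* Swapping the returns alone keeps the '||' and would index the table for
 * every e. This helper only reports whether that lookup would happen. */
int swapped_only_would_index(int e)
{
    return (e >= 0) || (e < demo_nerr);
}

/* Correct form: both bounds checked, lookup only inside them. */
const char *strerror_fixed(int e)
{
    if (e < 0 || e >= demo_nerr)
        return "unlisted error";
    return demo_errlist[e];
}
```

Only the replacement compiled in when the platform lacks strerror() is affected, which is why the poster never saw it misbehave on Linux.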
From: tls at rek.tjls.com (Thor Lancelot Simon) Date: Mon, 12 Mar 2001 17:31:30 -0500 Subject: OpenSSH/scp ->> F-Secure SSH server Problems In-Reply-To: <20010312144035.A1174@faui02.informatik.uni-erlangen.de>; from Markus.Friedl@informatik.uni-erlangen.de on Mon, Mar 12, 2001 at 02:40:35PM +0100 References: <20010312144035.A1174@faui02.informatik.uni-erlangen.de> Message-ID: <20010312173130.A2713@rek.tjls.com> On Mon, Mar 12, 2001 at 02:40:35PM +0100, Markus Friedl wrote: > On Mon, Mar 12, 2001 at 08:31:48AM -0500, Jeffrey Altman wrote: > > > In this case (i.e. in the case of wanting to "ftp" over SSH) the issue > > > is with the stupid user interface. Naive users are looking for some SSH > > > file copying tool that works just like their FTP clients, i.e. where > > > they can see a list of files on the server and click/drag/whatever them > > > to effect the copy. > > > > Why do you need to use FTP over SSH when FTP is "securable" using any > > number of methods? The most common methods are > > > > SSL/TLS > > > > GSSAPI > > > > Kerberos > > > > SRP > > > > > > When using any of these methods both the command and data channels > > used by FTP are authenticated, encrypted and integrity checked. In > > other words, they are secure. > > so does SFTP. so what's the point? I think the point is that the development of the SSH protocol has involved a great deal of reinvention of wheels. Some people think that this is regrettable and wish that the SSH working group paid a bit more attention to integration with other IETF protocols rather than rampaging ahead inventing new ones. I personally think that the SFTP protocol is a pretty gratuitous addition; a whole lot of complexity, and it really doesn't buy you much. But then again, I think that reinventing most of what TLS does for the SSHv2 transport layer instead of politely asking the TLS folks for a record-oriented interface was rather silly, too. 
We have those things now; there's not much point thinking about what we _could_ have done. However, it's a valid question to ask what the point of implementing something like SFTP in _any particular implementation of other bits of the SSH suite_ is; I don't really think that the "anonymous" bits of its function are well served by its design, worse served, in fact, than by simply using FTP secured with TLS, GSSAPI, or other standard methods, and it's massive overkill compared to the simple BSD-rcp protocol used by the old "scp" application, when that's going to be 99% of what it's used for in the real world, ISTM. Ergo, a small, lightweight SSH implementation, even one that did v2, might quite reasonably choose to *not* implement SFTP; to me, at least, it sure seems to bring very little to the table in return for a lot of increase in code size and maintenance. But that's just my point of view; clearly some people have put a lot of work into advancing SFTP and they must have a more substantial use for it than I do. -- Thor Lancelot Simon tls at rek.tjls.com And now he couldn't remember when this passion had flown, leaving him so foolish and bewildered and astray: can any man? William Styron From djm at mindrot.org Tue Mar 13 09:50:52 2001 
From: djm at mindrot.org (Damien Miller) Date: Tue, 13 Mar 2001 09:50:52 +1100 (EST) Subject: OpenSSH/scp ->> F-Secure SSH server Problems In-Reply-To: <20010312173130.A2713@rek.tjls.com> Message-ID: On Mon, 12 Mar 2001, Thor Lancelot Simon wrote: > I think the point is that the development of the SSH protocol has > involved a great deal of reinvention of wheels. Some people think > that this is regrettable and wish that the SSH working group paid a > bit more attention to integration with other IETF protocols rather > than rampaging ahead inventing new ones. > > > I personally think that the SFTP protocol is a pretty gratuitous > addition; a whole lot of complexity, and it really doesn't buy you > much. IMO sftp is not very complex and a worthwhile addition to SSH. Compared to rfc959, sftp is a very clean protocol and a breeze to implement (the client end at least). > But then again, I think that reinventing most of what TLS > does for the SSHv2 transport layer instead of politely asking the > TLS folks for a record-oriented interface was rather silly, too. TLS is pretty intimately wed to x.509 and we still have not seen it specified for other PK systems (except for an expired OpenPGP draft). -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From djm at mindrot.org Tue Mar 13 09:51:40 2001 
From: djm at mindrot.org (Damien Miller) Date: Tue, 13 Mar 2001 09:51:40 +1100 (EST) Subject: PAM & several passwords In-Reply-To: <3AAD1661.BE1C3060@kobil.de> Message-ID: On Mon, 12 Mar 2001, Stefan Neis wrote: > J.S.Peatfield at damtp.cam.ac.uk wrote: > > > > Surely this would be handled by the pam code already > > wouldn't it? Assuming that there are several modules > > all required and they each can ask the user for some > > auth token... (not that I've actually tried it of course). > > The point is that PAM is relying on the application's > "conversation function" to obtain passwords/auth tokens. > And sshd's conversation function just fills the one and only > password I entered into the reply slot and returns without > giving me any chance to do something different... Use SSH2 protocol and ChallengeResponseAuthentication. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From nisse at lysator.liu.se Tue Mar 13 10:12:46 2001 
From: nisse at lysator.liu.se (Niels Möller) Date: 13 Mar 2001 00:12:46 +0100 Subject: OpenSSH/scp ->> F-Secure SSH server Problems In-Reply-To: Thor Lancelot Simon's message of "Mon, 12 Mar 2001 17:31:30 -0500" References: <20010312144035.A1174@faui02.informatik.uni-erlangen.de> <20010312173130.A2713@rek.tjls.com> Message-ID:

Thor Lancelot Simon writes:

> But then again, I think that reinventing most of what TLS does for
> the SSHv2 transport layer instead of politely asking the TLS folks
> for a record-oriented interface was rather silly, too.

I've implemented both TLS (ok, it was actually SSL version 3 back then) and ssh2. I'd say the ssh2 transport is better. It's cleaner, more secure, more flexible, and its spec is a lot easier to understand. And then a lot of the complexity in ssh is in the connection layer, which isn't comparable to TLS in any way.

> Ergo, a small, lightweight SSH implementation, even one that did v2,
> might quite reasonably choose to *not* implement SFTP; to me, at least,
> it sure seems to bring very little to the table in return for a lot
> of increase in code size and maintenance.

The ssh implementation and the sftp implementation are quite independent. They have a common origin and use a common language and terminology, but you can run the sftp over any secure bidirectional connection. The only feature in the ssh core protocol that makes sftp easier is the subsystem request that lets a client start a program without knowing an exact path, and without knowing whether or not it is an external program or part of the ssh server.

If I get involved in a complete sftp implementation, it will run just as well using lsh, kerberized rsh, or plain old insecure rsh if anybody is still using that.

Furthermore, the server part (i.e. the subsystem) is not big, I expect the one I started to write to be a self contained program of at most 5000-10000 lines of C code. Say about twice as large as GNU ls.
/Niels From gjewell at cnnxn.com Tue Mar 13 10:15:59 2001 From: gjewell at cnnxn.com (Greg Jewell) Date: Mon, 12 Mar 2001 16:15:59 -0700 Subject: Problems with SSH2 display under OpenServer Message-ID: Hello, There appears to be a display issue when connecting to an OpenServer system using SSH2. I've compiled OpenSSH 2.5.1p1 on SunOS 5.7, HP-UX 11, and OpenServer 5.0.5. Whenever the destination is the OpenServer system, the display has a step-ladder effect. This behavior exhibits itself no matter what box the origination point is. A quick inspection revealed that the stty settings of the login are not "standard". Manually changing the stty settings for that session alleviates the problem. Of course, when you reconnect, the problem pops up again. I've compiled the various systems using OpenSSL 0.9.6, zlib 1.1.3, and the most recent version of gcc available for each platform. Thanks for your time, Greg Jewell From tls at cs.stevens-tech.edu Tue Mar 13 10:30:42 2001 
From: tls at cs.stevens-tech.edu (Thor Simon) Date: Mon, 12 Mar 2001 18:30:42 -0500 Subject: OpenSSH/scp ->> F-Secure SSH server Problems In-Reply-To: ; from nisse@lysator.liu.se on Tue, Mar 13, 2001 at 12:12:46AM +0100 References: <20010312144035.A1174@faui02.informatik.uni-erlangen.de> <20010312173130.A2713@rek.tjls.com> Message-ID: <20010312183042.A1961284@cs.stevens-tech.edu>

On Tue, Mar 13, 2001 at 12:12:46AM +0100, Niels Möller wrote:
> Thor Lancelot Simon writes:
> 
> > But then again, I think that reinventing most of what TLS does for
> > the SSHv2 transport layer instead of politely asking the TLS folks
> > for a record-oriented interface was rather silly, too.
> 
> I've implemented both TLS (ok, it was actually SSL version 3 back
> then) and ssh2. I'd say the ssh2 transport is better. It's cleaner,
> more secure, more flexible, and its spec is a lot easier to
> understand. And then a lot of the complexity in ssh is in the
> connection layer, which isn't comparable to TLS in any way.

Nonetheless, we have two IETF-standardized secure transport layers which serve essentially the same purpose. I find this regrettable, particularly from the point of view of a small system which, these days, may be forced to carry around the code to do both.

> The ssh implementation and the sftp implementation are quite
> independent. They have a common origin and use a common language and

Yeah, that's my point. I think it's entirely reasonable to *not* implement sftp in an ssh implementation, given its large size and general crustiness.

[...snip...]

> Furthermore, the server part (i.e. the subsystem) is not big, I expect
> the one I started to write to be a self contained program of at most
> 5000-10000 lines of C code. Say about twice as large as GNU ls.
That's pretty darned big; the entire SSHv1 server implementation we shipped to Redback, for example, was just about 5000 lines, and we had a working minimal server at an earlier point in our development that was perhaps 2/3 that big. The entire world is NOT a Unix machine with a multi-gigabyte hard drive. I don't think that GNU ls is a particularly good example of a small program -- it's three times as long as the /bin/ls in the current NetBSD sources, for example. Thor From J.S.Peatfield at damtp.cam.ac.uk Tue Mar 13 12:12:25 2001 
From: J.S.Peatfield at damtp.cam.ac.uk (Jon Peatfield) Date: Tue, 13 Mar 2001 01:12:25 GMT Subject: prng_cmds/init_rng() question/patch Message-ID: <200103130112.BAA24685@electra.amtp.cam.ac.uk@damtp.cam.ac.uk>

Since I've had no replies suggesting that it either is safe to move the init_rng() call (to after we lose privilege) or any other sensible way to achieve what I was trying to do (have a standalone ssh client which needs no support files in fixed places), I may as well post my patch in case anyone can spot any structural problems with it or suggest better ways to do some bits. I've tested that it works on a small set of platforms (Tru64, Solaris-2.6, irix6.5, Linux (with /dev/random disabled for testing).

--cut-here-- *** entropy.c.orig Sun Mar 11 14:46:41 2001 --- entropy.c Sun Mar 11 15:25:40 2001 *************** *** 641,646 **** --- 641,671 ---- RAND_add(&seed, sizeof(seed), 0.0); } + /* include the "string" of commands we generated elsewhere 2001-03-10 JSP */ + #include "ssh_prng_cmds.string" + + char *index (const char *s, int c); + + /* Hack function */ + char *my_getline(char *s, int len, FILE *f, char **str) + { + char *ptr; + if (f) { /* Call fgets like original one did */ + return (fgets(s, len, f)); + } + + ptr = index(*str, '\n'); + if (ptr) { + int n = ptr - *str; + if (n > len) n = len; + strncpy(s, *str, n); + debug("read builtin cmd: %.100s", s); + *str = ptr+1; + return s; /* return what we copied */ + } else { + return NULL; /* EOF */ + } + } /* * entropy command initialisation functions *************** *** 658,667 **** int cur_cmd = 0; double est; entropy_source_t *entcmd; f = fopen(cmdfilename, "r"); if (!f) { ! fatal("couldn't read entropy commands file %.100s: %.100s", cmdfilename, strerror(errno)); } --- 681,691 ---- int cur_cmd = 0; double est; entropy_source_t *entcmd; + char *cmds_ptr=builtin_prng_cmds; f = fopen(cmdfilename, "r"); if (!f) { !
verbose("WARNING: couldn't read entropy commands file %.100s: %.100s", cmdfilename, strerror(errno)); } *************** *** 670,676 **** /* Read in file */ linenum = 0; ! while (fgets(line, sizeof(line), f)) { int arg; char *argv; --- 694,700 ---- /* Read in file */ linenum = 0; ! while (my_getline(line, sizeof(line), f, &cmds_ptr)) { int arg; char *argv; *** Makefile.in.orig Sun Mar 11 15:26:17 2001 --- Makefile.in Sun Mar 11 15:35:13 2001 *************** *** 76,88 **** manpages: $(MANPAGES) ! $(LIBSSH_OBJS): config.h $(SSHOBJS): config.h $(SSHDOBJS): config.h .c.o: $(CC) $(CFLAGS) $(CPPFLAGS) -c $< LIBCOMPAT=openbsd-compat/libopenbsd-compat.a $(LIBCOMPAT): config.h (cd openbsd-compat; $(MAKE)) --- 76,95 ---- manpages: $(MANPAGES) ! $(LIBSSH_OBJS): config.h ssh_prng_cmds.string $(SSHOBJS): config.h $(SSHDOBJS): config.h .c.o: $(CC) $(CFLAGS) $(CPPFLAGS) -c $< + ssh_prng_cmds.string: + if [ -f ssh_prng_cmds ]; then \ + $(PERL) $(srcdir)/mkstring < ssh_prng_cmds > $@; \ + else \ + touch $@; \ + fi; + LIBCOMPAT=openbsd-compat/libopenbsd-compat.a $(LIBCOMPAT): config.h (cd openbsd-compat; $(MAKE)) *************** *** 132,138 **** distclean: clean (cd openbsd-compat; $(MAKE) distclean) ! rm -f Makefile config.h config.status ssh_prng_cmds *~ mrproper: distclean --- 139,145 ---- distclean: clean (cd openbsd-compat; $(MAKE) distclean) ! rm -f Makefile config.h config.status ssh_prng_cmds ssh_prng_cmds.string *~ mrproper: distclean *** mkstring.orig Sun Mar 11 15:38:59 2001 --- mkstring Sun Mar 11 15:39:43 2001 *************** *** 0 **** --- 1,10 ---- + #! /usr/bin/perl + # + # Is there a *standard* way to do this? 
2001-03-10 JSP + print "static char *builtin_prng_cmds = \""; + while (<>) { + next if /^(\#|\s*$)/; + s/"/\\"/g; + chop; print "$_\\n"; + } + print "\";\n"; --cut-here-- Of course I don't expect it to be included in any future release, but at least I may get some feedback about the code :-) -- Jon Peatfield, DAMTP, Computer Officer, University of Cambridge Telephone: +44 1223 3 37852 Mail: J.S.Peatfield at damtp.cam.ac.uk From mouring at etoh.eviladmin.org Tue Mar 13 11:39:35 2001 
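Review bot: my_getline() never NUL-terminates what it copies: strncpy() copies n bytes from *str and byte n of the source is the '\n', not a NUL, so s is terminated only if the caller's buffer happened to contain one already, and the debug("%.100s") and the parser that follows read whatever is there; the clamp `if (n > len) n = len;` also leaves no room for a terminator. Clamp to len - 1, write `s[n] = '\0';` after the copy, and consider copying the '\n' as well so the parser sees the same input from the builtin string as it does from fgets(). The hand-written `char *index (const char *s, int c);` prototype should simply be strchr() from <string.h>.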
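Review bot: downgrading the fopen() failure from fatal() to verbose() leaves f NULL for the rest of the function; my_getline() copes with that, but anything else in the function that touches f (an fclose() at the end, for instance) now needs a NULL check. The warning should also say that the builtin command list is being used, so an operator can tell from the log which command set seeded the PRNG.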
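Review bot: the `ssh_prng_cmds.string:` rule has no prerequisites, so once the file exists it is never regenerated when ssh_prng_cmds or mkstring changes, and the `touch $@` branch produces an empty file, which leaves `builtin_prng_cmds` undeclared in entropy.c (the new `char *cmds_ptr=builtin_prng_cmds;` uses it unconditionally) and breaks the build wherever ssh_prng_cmds is absent. Give the rule `$(srcdir)/mkstring` (and ssh_prng_cmds where it is generated) as prerequisites, and have the else branch write `static char *builtin_prng_cmds = "";` instead of touching an empty file so that case still compiles.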
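Review bot: mkstring escapes only double quotes, so a backslash in a command line is emitted into the C string literal unescaped and either changes the command or fails to compile; escape `\\` before `\"`. `chop` also removes the last character unconditionally and would eat a real character from a final line that has no trailing newline, where `chomp` is safe. The Makefile rule invokes it as `$(PERL)`, so that variable has to be set by configure for the rule to work at all.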
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Mon, 12 Mar 2001 18:39:35 -0600 (CST) Subject: OpenSSH/scp ->> F-Secure SSH server Problems In-Reply-To: <20010312173130.A2713@rek.tjls.com> Message-ID: On Mon, 12 Mar 2001, Thor Lancelot Simon wrote: [..] > > Ergo, a small, lightweight SSH implementation, even one that did v2, > might quite reasonably choose to *not* implement SFTP; to me, at least, > it sure seems to bring very little to the table in return for a lot > of increase in code size and maintenance. But that's just my point > of view; clearly some people have put a lot of work into advancing > SFTP and they must have a more substantial use for it than I do. > How do you assure Windows end-users can transfer and manage files to a webserver in a secure way? Is there publicly accessible IPSec software for Windows 98? What about TLS? What about GSSAPI? How much added load do they put on a 200mhz - 400mhz machine? Are they 100% stable and usable? How do they interact over dialups? What unforeseen issues will crop up for day to day usage online and offline? You seem to be suggesting that I should have to suffer for two to ten years before older technology that is not progressing at any decent rate becomes cross-platform supported and commonly used. Or maybe your suggestion is that I need to wait twenty or more years before UNIX (Linux, BSD, etc) are common desktop machines and this technology is then native. I consider it pretty unacceptable. I need something today that will allow me security against poorly written ftpd attacks, against password sniffing, etc. When we gained sftp server support I started to look for an sftp client solution for my end-users. sftp is totally optional. It's not even part of the main v2 specs. It is an add-on draft that is not required. So if you don't want it, don't enable it. - Ben From jmknoble at jmknoble.cx Tue Mar 13 14:54:40 2001 
From: jmknoble at jmknoble.cx (Jim Knoble) Date: Mon, 12 Mar 2001 22:54:40 -0500 Subject: [PATCH]: contrib/cygwin/ssh-host-config In-Reply-To: <00c101c0aadd$85934750$0900040a@na.cisco.com>; from dankamin@cisco.com on Mon, Mar 12, 2001 at 02:16:35AM -0800 References: <20010307111507.E21275@cygbert.vinschen.de> <3AA660E6.AF9B9DBE@aproposretail.com> <20010307193050.V21275@cygbert.vinschen.de> <3AA68C11.1A9A3698@aproposretail.com> <00c101c0aadd$85934750$0900040a@na.cisco.com> Message-ID: <20010312225439.A17462@quipu.half.pint-stowp.cx> Circa 2001-Mar-12 02:16:35 -0800 dixit Dan Kaminsky: : > > > > Additionally the script used to add `sshd 22/tcp' to the services : file : > > > > while the IANA proposes `ssh 22/tcp' and `ssh 22/udp' as services : entries. : : SSH doesn't reimplement TCP, thus allowing it to be run over a datagram : protocol...uh, does it? The IANA has been allocating port numbers in both protocols for a single service for some time now. I don't know their rationale, but it certainly makes it less confusing when talking about port numbers. It also leaves room for services to change their mind (e.g., NFS) or use both protocols (e.g., DNS) without having to notify IANA. -- jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/ From roth+openssh at feep.net Tue Mar 13 17:07:10 2001 
From: roth+openssh at feep.net (Mark D. Roth) Date: Tue, 13 Mar 2001 00:07:10 -0600 Subject: Bug in bsd-misc.c In-Reply-To: ; from mouring@etoh.eviladmin.org on Mon, Mar 12, 2001 at 03:51:45PM -0600 References: <01031221504500.00422@enigma> Message-ID: <20010313000710.A9079@yorktown.isdn.uiuc.edu> On Mon Mar 12 15:51 2001 -0600, mouring at etoh.eviladmin.org wrote: > On Mon, 12 Mar 2001 wwieser at gmx.de wrote: [...] > > There is a REALLY obvious bug in bsd-misc.c, quoted below: > > > > #if !defined(HAVE_STRERROR) && defined(HAVE_SYS_ERRLIST) && > > defined(HAVE_SYS_NERR) > > const char *strerror(int e) > > { > > extern int sys_nerr; > > extern char *sys_errlist[]; > > > > if ((e >= 0) || (e < sys_nerr)) > > return("unlisted error"); > > else > > return(sys_errlist[e]); > > } > > #endif > > > > (Shouldn't the return statements be swapped?!) > > I believe so. Should the "||" be changed to "&&" as well? -- Mark D. Roth http://www.feep.net/~roth/ From rachit at ensim.com Tue Mar 13 17:44:05 2001 
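Added example (my code, not bsd-misc.c): a self-contained model of the quoted fallback with a constructed four-entry error table standing in for sys_errlist/sys_nerr, comparing the version as quoted, a version with only the returns swapped, and one with both the returns swapped and `||` changed to `&&`. The table lookup is bounds-checked so an out-of-range index is reported rather than read.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for the platform's sys_errlist / sys_nerr. */
static const char *const demo_errlist[] = {
    "Success",
    "Operation not permitted",
    "No such file or directory",
    "No such process",
};
static const int demo_nerr = (int)(sizeof demo_errlist / sizeof demo_errlist[0]);

/* Optional out-parameter: set to 1 when a variant would have indexed outside the table. */
static void set_flag(int *p, int v)
{
    if (p)
        *p = v;
}

/* Bounds-checked table access: reports an out-of-range index instead of performing the read. */
static const char *table_lookup(int e, int *oob)
{
    if (e < 0 || e >= demo_nerr) {
        set_flag(oob, 1);
        return "(out-of-bounds read avoided)";
    }
    return demo_errlist[e];
}

/* As quoted from bsd-misc.c: (e >= 0) || (e < nerr) holds for every e, so the table is never used. */
const char *strerror_as_quoted(int e, int *oob)
{
    set_flag(oob, 0);
    if ((e >= 0) || (e < demo_nerr))
        return "unlisted error";
    else
        return table_lookup(e, oob);
}

/* Only the return statements swapped: the table is now consulted for every e, including -1 or 99. */
const char *strerror_swapped_only(int e, int *oob)
{
    set_flag(oob, 0);
    if ((e >= 0) || (e < demo_nerr))
        return table_lookup(e, oob);
    else
        return "unlisted error";
}

/* Returns swapped and "||" changed to "&&": only 0 <= e < nerr reaches the table. */
const char *strerror_fixed(int e, int *oob)
{
    set_flag(oob, 0);
    if ((e >= 0) && (e < demo_nerr))
        return table_lookup(e, oob);
    else
        return "unlisted error";
}

/* Convenience: does the given variant index the table out of range for errno e? */
int reads_out_of_bounds(const char *(*variant)(int, int *), int e)
{
    int oob = 0;
    (void)variant(e, &oob);
    return oob;
}
```

The swap alone turns a function that is merely useless into one that reads past the table for negative or oversized errno values; the `&&` is what makes the range check meaningful.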
From: rachit at ensim.com (Rachit Siamwalla) Date: Mon, 12 Mar 2001 22:44:05 -0800 Subject: intermittent stderr References: <200102222335.PAA06879@ohm.apl.washington.edu> Message-ID: <3AADC1B5.E5582F52@ensim.com> Has this problem been fixed? I just started having problems like this as well (I'm using an early Jan snapshot version of openssh 2.3.0p1). Thnx. -rchit > I've just noticed that using ssh -1 always works. The problem > is with ssh -2 from slow to fast machines. -- John > > > > > The command "ssh ls -l /doesnotexist" gives various responses: > > > > Running from a 200 MHz PentiumPro with dsa key added to ssh-agent: > > > > Mistakes worst to fast machine: > > To a faster 600 MHz dual processor i686 600 MHz machine: > > ls: /doesnotexist: No such file or directory -- correct > > nothing at all -- wrong > > ls: select: Bad file descriptor -- wrong > > > > No mistakes to slower machine. > > To a slower 166 MHz i586 600 MHz machine: > > ls: /doesnotexist: No such file or directory -- correct all the time > > > > All machines run compiled OpenSSH-2.5.1p1 on RHL 6.2 with all > > patches, kernel 2.2.16-3. Set up on all machines with > > ssh and sshd defaulting to ssh2 protocol. 
> > > > My test script: > > > > #!/bin/sh > > while [ 1 ] > > do > > date > > ssh tesla ls -l /doesnotexist > > done > > > > Responses from fast machine are not consistent: > > > > Thu Feb 22 14:15:35 PST 2001 > > ls: /doesnotexist: No such file or directory > > Thu Feb 22 14:15:37 PST 2001 > > Thu Feb 22 14:15:39 PST 2001 > > ls: /doesnotexist: No such file or directory > > Thu Feb 22 14:15:41 PST 2001 > > Thu Feb 22 14:15:43 PST 2001 > > ls: /doesnotexist: No such file or directory > > Thu Feb 22 14:15:45 PST 2001 > > ls: select: Bad file descriptor > > Thu Feb 22 14:15:47 PST 2001 > > Thu Feb 22 14:15:49 PST 2001 > > ls: /doesnotexist: No such file or directory > > Thu Feb 22 14:15:51 PST 2001 > > ls: /doesnotexist: No such file or directory > > Thu Feb 22 14:15:54 PST 2001 > > ls: /doesnotexist: No such file or directory > > Thu Feb 22 14:15:56 PST 2001 > > select: Bad file descriptor > > Thu Feb 22 14:15:58 PST 2001 > > > > -- > > John Dunlap University of Washington > > Senior Electrical Engineer Applied Physics Laboratory > > dunlap at apl.washington.edu 1013 NE 40th Street > > 206-543-7207, 543-1300, FAX 543-6785 Seattle, WA 98105-6698 From mats at mindbright.se Tue Mar 13 19:29:41 2001 
From: mats at mindbright.se (Mats Andersson) Date: Tue, 13 Mar 2001 09:29:41 +0100 (MET) Subject: ssh through proxy (was: prng_cmds/init_rng() question/patch) In-Reply-To: <71D01DB8DA698947A6F5D666D62A2DB001C38E@haexchange.mail.livecapital.com> Message-ID: Hi, Sorry for pushing this even further off topic but since someone mentioned MindTerm I couldn't resist answering :-) On Mon, 12 Mar 2001, Lewandowsky, Matt wrote: > Is there anything like this atm which uses the web server as a proxy? For > example, say that I'm behind a firewall at work, and the "security policy" > disallows ssh. MindTerm (and I'm sure other clients too) has the feature to connect "out" through either a http proxy or a socks4/5 proxy. The case you describe probably includes a http proxy to pass out through (which most often IS allowed by policies...) in which case you are in most cases able to "fool" the http proxy into letting you out through https (often meaning that you have to put your sshd listening on 443 on the other end). Cheers, /Mats From mats at mindbright.se Tue Mar 13 19:31:53 2001 
From: mats at mindbright.se (Mats Andersson) Date: Tue, 13 Mar 2001 09:31:53 +0100 (MET) Subject: OpenSSH/scp ->> F-Secure SSH server Problems In-Reply-To: <20010312222432.A7800@folly> Message-ID: Hi, On Mon, 12 Mar 2001, Markus Friedl wrote: > > In this case (i.e. in the case of wanting to "ftp" over SSH) the > issue > is with the stupid user interface. Naive users are looking > for some SSH > file copying tool that works just like their FTP > clients, i.e. where > they can see a list of files on the server and > click/drag/whatever them > to effect the copy. > > have you ever tried the vandyke.com sftp-client? I'll release a new pre-release of MindTerm real soon now which includes a FTP to SFTP bridge (i.e. you connect to MindTerm using any ftp client and it acts as a bridge to the sftp server, works rather nicely with e.g. ws_ftp and the common web-browsers etc.). Cheers, /Mats From djm at mindrot.org Tue Mar 13 20:35:03 2001 From: djm at mindrot.org (Damien Miller) Date: Tue, 13 Mar 2001 20:35:03 +1100 (EST) Subject: intermittent stderr In-Reply-To: <3AADC1B5.E5582F52@ensim.com> Message-ID: On Mon, 12 Mar 2001, Rachit Siamwalla wrote: > > Has this problem been fixed? I just started having problems like this as > well (I'm using an early Jan snapshot version of openssh 2.3.0p1). Thnx. Markus did some work to fix this, I certainly can't replicate the problem on 2.5.1p2. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From Markus.Friedl at informatik.uni-erlangen.de Tue Mar 13 20:31:21 2001 
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 13 Mar 2001 10:31:21 +0100 Subject: ssh through proxy (was: prng_cmds/init_rng() question/patch) In-Reply-To: ; from mats@mindbright.se on Tue, Mar 13, 2001 at 09:29:41AM +0100 References: <71D01DB8DA698947A6F5D666D62A2DB001C38E@haexchange.mail.livecapital.com> Message-ID: <20010313103121.A8642@faui02.informatik.uni-erlangen.de> On Tue, Mar 13, 2001 at 09:29:41AM +0100, Mats Andersson wrote: > MindTerm (and I'm sure other clients too) have the feature to connect > "out" through either a http proxy or a socks4/5 proxy. old ssh and openssh both have ProxyCommand you can use this for connecting through https proxies, e.g. with http://www.monkey.org/~dugsong/httpstunnel.c From gert at greenie.muc.de Tue Mar 13 20:48:26 2001 
From: gert at greenie.muc.de (Gert Doering) Date: Tue, 13 Mar 2001 10:48:26 +0100 Subject: Problems with SSH2 display under OpenServer In-Reply-To: ; from Greg Jewell on Mon, Mar 12, 2001 at 04:15:59PM -0700 References: Message-ID: <20010313104826.H22969@greenie.muc.de> Hi, On Mon, Mar 12, 2001 at 04:15:59PM -0700, Greg Jewell wrote: > There appears to be a display issue when connecting to an OpenServer > system using SSH2. I've compiled OpenSSH 2.5.1p1 on SunOS 5.7, HP-UX > 11, and OpenServer 5.0.5. Whenever the destination is the OpenServer > system, the display has a step-ladder effect. This behavior exhibits > itself no matter what box the origination point is. Sounds as if "opost onlcr" isn't set - calling "stty sane" in your .profile should fix it. > A quick inspection revealed that the stty settings of the login are not > "standard". Manually changing the stty settings for that session > alleviates the problem. Of course, when you reconnect, the problem pops > up again. ssh protocol 2 doesn't transmit the tty settings from client to server (yet) - protocol 1 does - so it's up to the server side to make sure stty settings are "standard" when the session starts up. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From neis at kobil.de Tue Mar 13 22:43:14 2001 
From: neis at kobil.de (Stefan Neis) Date: Tue, 13 Mar 2001 12:43:14 +0100 Subject: PAM & several passwords References: Message-ID: <3AAE07D2.7FCAA430@kobil.de> Damien Miller wrote: > > On Mon, 12 Mar 2001, Stefan Neis wrote: > > > J.S.Peatfield at damtp.cam.ac.uk wrote: > > > > > > Surely this would be handled by the pam code already > > > wouldn't it? Assuming that there are several modules > > > all required and they each can ask the user for some > > > auth token... (not that I've actually tried it of course). > > > > The point is that PAM is relying on the application's > > "conversation function" to obtain passwords/auth tokens. > > And sshd's conversation function just fills the one and only > > password I entered into the reply slot and returns without > > giving me any chance to do something different... > > Use SSH2 protocol and ChallengeResponseAuthentication. Sorry, I'm lost. :-( I just upgraded to the most recent openssh, but I have still no idea how to make use of the ChallengeResponseAuthentication option. AFAICS, it's enabled by default, so what's next? My PAM module asking for the one-time password still gets the static password. Would I need to use 'configure --with-skey', although that is only complaining about missing headers? Regards, Stefan From abartlet at pcug.org.au Tue Mar 13 22:49:37 2001 
From: abartlet at pcug.org.au (Andrew Bartlett) Date: Tue, 13 Mar 2001 22:49:37 +1100 Subject: OpenSSH/scp ->> F-Secure SSH server Problems References: Message-ID: <3AAE0951.8C7BAC0A@bartlett.house> Mats Andersson wrote: > > Hi, > > On Mon, 12 Mar 2001, Markus Friedl wrote: > > > In this case (i.e. in the case of wanting to "ftp" over SSH) the > > issue > is with the stupid user interface. Naive users are looking > > for some SSH > file copying tool that works just like their FTP > > clients, i.e. where > they can see a list of files on the server and > > click/drag/whatever them > to effect the copy. > > > > have you ever tried the vandyke.com sftp-client? > > I'll release a new pre-release of MindTerm real soon now which includes a > FTP to SFTP bridge (i.e. you connect to MindTerm using any ftp client and > it acts as a bridge to the sftp server, works rather nicely with e.g. ws_ftp > and the common web-browsers etc.). > > Cheers, > > /Mats I'd like to see it when it's functional, but I have one worry: The callous disregard some web-browsers display for users' passwords, like displaying them plaintext or 'remembering' them... (But that's not your issue, and it sounds like a very neat addition to an already excellent product). -- Andrew Bartlett abartlet at pcug.org.au From mats at mindbright.se Tue Mar 13 23:27:02 2001 
From: mats at mindbright.se (Mats Andersson) Date: Tue, 13 Mar 2001 13:27:02 +0100 (MET) Subject: OpenSSH/scp ->> F-Secure SSH server Problems In-Reply-To: <3AAE0951.8C7BAC0A@bartlett.house> Message-ID: Hi, On Tue, 13 Mar 2001, Andrew Bartlett wrote: > > FTP to SFTP bridge (i.e. you connect to MindTerm using any ftp client and > > it acts as a bridge to the sftp server, works rather nicely with e.g. ws_ftp > > I'd like to see it when it's functional, but I have one worry: The > callous disregard some web-browsers display for users' passwords, like > displaying them plaintext or 'remembering' them... That's not an issue since the ftp username/password is not used for anything, you can use a dummy username/password. You first do the normal connect/authenticate to the ssh server, then the "bridge" is started which you in turn connect to using your normal ftp client, hence no need for the stubborn users to switch "file-transfer-client" just because you turn off ftp :-). Cheers, /Mats From bds at jhb.ucs.co.za Tue Mar 13 23:46:09 2001 
From: bds at jhb.ucs.co.za (Berend De Schouwer) Date: Tue, 13 Mar 2001 14:46:09 +0200 Subject: what about socks support? In-Reply-To: <20010311152914.A3045@faui02.informatik.uni-erlangen.de>; from Markus.Friedl@informatik.uni-erlangen.de on Sun, Mar 11, 2001 at 16:29:14 +0200 References: <80256A0C.004E47E9.00@d06mta05.portsmouth.uk.ibm.com> <20010311152914.A3045@faui02.informatik.uni-erlangen.de> Message-ID: <20010313144609.A5296@bds.ucs.co.za> On Sun, 11 Mar 2001 16:29:14 Markus Friedl wrote: | On Sun, Mar 11, 2001 at 02:14:59PM +0000, douglas.manton at uk.ibm.com | wrote: | > But not under AIX :-( | | but ProxyCommand from ssh(1) should work on every system. Okay, here is a ProxyCommand that works with Dante for me. It simply runs netcat, which should be available on a lot of systems. In [/path/to/]ssh_config, add: Host *internet* ProxyCommand [/path/to/]socksify [/path/to/]nc %h %p You will want to change "*internet*" to some other way to identify hosts behind a socks firewall. Is this a good or bad way of doing things? It seemed the simplest way to me, and scp copies binary files. Is netcat safe? Kind regards, Berend -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Berend De Schouwer, +27-11-712-1435, UCS From dunlap at apl.washington.edu Wed Mar 14 02:31:58 2001 From: dunlap at apl.washington.edu (John Dunlap) Date: Tue, 13 Mar 2001 07:31:58 -0800 (PST) Subject: intermittent stderr Message-ID: <200103131531.HAA01072@c572157-a.sttln1.wa.home.com> Rachit and Damien, Yes, Markus fixed it for my tests: he gave me two patches to be applied as noted below to version OpenSSH-2.5.1.p1 or 2.5.1.p2. Regards, John $ patch < patch3 $ patch -R < patch4 patch3: ---------------------- cut here ------------------- Index: nchan.c =================================================================== RCS file: /home/markus/cvs/ssh/nchan.c,v retrieving revision 1.22 diff -u -r1.22 nchan.c --- nchan.c 2001/01/21 19:05:52 1.22 +++ nchan.c 2001/02/27 13:08:31 
@@ -54,9 +54,6 @@ static void chan_send_close2(Channel *c); static void chan_send_eof2(Channel *c); -/* channel cleanup */ -chan_event_fn *chan_delete_if_full_closed = NULL; - /* helper */ static void chan_shutdown_write(Channel *c); static void chan_shutdown_read(Channel *c); @@ -249,16 +246,6 @@ break; } } -static void -chan_delete_if_full_closed1(Channel *c) -{ - debug3("channel %d: chan_delete_if_full_closed1: istate %d ostate %d", - c->self, c->istate, c->ostate); - if (c->istate == CHAN_INPUT_CLOSED && c->ostate == CHAN_OUTPUT_CLOSED) { - debug("channel %d: full closed", c->self); - channel_free(c->self); - } -} /* * the same for SSH2 @@ -401,24 +388,49 @@ c->flags |= CHAN_CLOSE_SENT; } } -static void -chan_delete_if_full_closed2(Channel *c) + +/* shared */ + +int +chan_is_dead(Channel *c) { - debug3("channel %d: chan_delete_if_full_closed2: istate %d ostate %d", + debug3("channel %d: chan_is_dead: istate %d ostate %d", c->self, c->istate, c->ostate); - if (c->istate == CHAN_INPUT_CLOSED && c->ostate == CHAN_OUTPUT_CLOSED) { + + if (c->istate != CHAN_INPUT_CLOSED || c->ostate != CHAN_OUTPUT_CLOSED) + return 0; + if (!compat20) { + debug("channel %d: is dead", c->self); + return 1; + } + /* + * we have to delay the close message if the efd (for stderr) is + * still active + */ + if (((c->extended_usage != CHAN_EXTENDED_IGNORE) && + buffer_len(&c->extended) > 0) +#if 0 + || ((c->extended_usage == CHAN_EXTENDED_READ) && + c->efd != -1) +#endif + ) { + debug2("channel %d: active efd: %d len %d type %s", + c->self, c->efd, buffer_len(&c->extended), + c->extended_usage==CHAN_EXTENDED_READ ? + "read": "write"); + } else { if (!(c->flags & CHAN_CLOSE_SENT)) { chan_send_close2(c); } if ((c->flags & CHAN_CLOSE_SENT) && (c->flags & CHAN_CLOSE_RCVD)) { - debug("channel %d: full closed2", c->self); - channel_free(c->self); + debug("channel %d: is dead", c->self); + return 1; } } + return 0; } -/* shared */ void chan_init_iostates(Channel *c) { 
@@ -439,8 +451,6 @@ chan_rcvd_ieof = chan_rcvd_ieof2; chan_write_failed = chan_write_failed2; chan_obuf_empty = chan_obuf_empty2; - - chan_delete_if_full_closed = chan_delete_if_full_closed2; } else { chan_rcvd_oclose = chan_rcvd_oclose1; chan_read_failed = chan_read_failed_12; @@ -449,8 +459,6 @@ chan_rcvd_ieof = chan_rcvd_ieof1; chan_write_failed = chan_write_failed1; chan_obuf_empty = chan_obuf_empty1; - - chan_delete_if_full_closed = chan_delete_if_full_closed1; } } Index: nchan.h =================================================================== RCS file: /home/markus/cvs/ssh/nchan.h,v retrieving revision 1.9 diff -u -r1.9 nchan.h --- nchan.h 2000/09/07 20:27:52 1.9 +++ nchan.h 2001/02/27 12:34:41 @@ -84,7 +84,7 @@ extern chan_event_fn *chan_write_failed; extern chan_event_fn *chan_obuf_empty; -extern chan_event_fn *chan_delete_if_full_closed; +int chan_is_dead(Channel * c); void chan_init_iostates(Channel * c); void chan_init(void); Index: channels.c =================================================================== RCS file: /home/markus/cvs/ssh/channels.c,v retrieving revision 1.92 diff -u -r1.92 channels.c --- channels.c 2001/02/16 13:38:18 1.92 +++ channels.c 2001/02/27 12:51:57 @@ -297,6 +297,7 @@ channel_close_fds(Channel *c) { if (c->sock != -1) { + shutdown(c->sock, SHUT_RDWR); close(c->sock); c->sock = -1; } @@ -331,8 +332,6 @@ debug("channel_free: channel %d: dettaching channel user", id); c->dettach_user(c->self, NULL); } - if (c->sock != -1) - shutdown(c->sock, SHUT_RDWR); channel_close_fds(c); buffer_free(&c->input); buffer_free(&c->output); @@ -824,7 +823,14 @@ buffer_len(&c->extended)); debug2("channel %d: written %d to efd %d", c->self, len, c->efd); - if (len > 0) { + if (len < 0 && (errno == EINTR || errno == EAGAIN)) + return 1; + if (len <= 0) { + debug2("channel %d: closing write-efd %d", + c->self, c->efd); + close(c->efd); + c->efd = -1; + } else { buffer_consume(&c->extended, len); c->local_consumed += len; } 
@@ -833,19 +839,22 @@ len = read(c->efd, buf, sizeof(buf)); debug2("channel %d: read %d from efd %d", c->self, len, c->efd); - if (len == 0) { - debug("channel %d: closing efd %d", + if (len < 0 && (errno == EINTR || errno == EAGAIN)) + return 1; + if (len <= 0) { + debug2("channel %d: closing read-efd %d", c->self, c->efd); close(c->efd); c->efd = -1; - } else if (len > 0) + } else { buffer_append(&c->extended, buf, len); + } } } return 1; } int -channel_check_window(Channel *c, fd_set * readset, fd_set * writeset) +channel_check_window(Channel *c) { if (!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && c->local_window < c->local_window_max/2 && @@ -876,7 +885,8 @@ channel_handle_rfd(c, readset, writeset); channel_handle_wfd(c, readset, writeset); channel_handle_efd(c, readset, writeset); - channel_check_window(c, readset, writeset); + + channel_check_window(c); } void @@ -984,7 +994,24 @@ if (ftab[c->type] == NULL) continue; (*ftab[c->type])(c, readset, writeset); - chan_delete_if_full_closed(c); + if (chan_is_dead(c)) { + /* + * we have to remove the fd's from the select mask + * before the channels are free'd and the fd's are + * closed + */ + if (c->wfd != -1) + FD_CLR(c->wfd, writeset); + if (c->rfd != -1) + FD_CLR(c->rfd, readset); + if (c->efd != -1) { + if (c->extended_usage == CHAN_EXTENDED_READ) + FD_CLR(c->efd, readset); + if (c->extended_usage == CHAN_EXTENDED_WRITE) + FD_CLR(c->efd, writeset); + } + channel_free(c->self); + } } } 
@@ -1037,19 +1064,18 @@ } else { if (c->type != SSH_CHANNEL_OPEN) continue; - if (c->istate != CHAN_INPUT_OPEN && - c->istate != CHAN_INPUT_WAIT_DRAIN) - continue; } if (compat20 && (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) { + /* XXX is this true? */ debug("channel: %d: no data after CLOSE", c->self); continue; } /* Get the amount of buffered data for this channel. */ - len = buffer_len(&c->input); - if (len > 0) { + if ((c->istate == CHAN_INPUT_OPEN || + c->istate == CHAN_INPUT_WAIT_DRAIN) && + (len = buffer_len(&c->input)) > 0) { /* Send some data for the other side over the secure connection. */ if (compat20) { if (len > c->remote_window) @@ -1089,6 +1115,9 @@ c->remote_window > 0 && (len = buffer_len(&c->extended)) > 0 && c->extended_usage == CHAN_EXTENDED_READ) { + debug2("channel %d: rwin %d elen %d euse %d", + c->self, c->remote_window, buffer_len(&c->extended), + c->extended_usage); if (len > c->remote_window) len = c->remote_window; if (len > c->remote_maxpacket) @@ -1100,6 +1129,7 @@ packet_send(); buffer_consume(&c->extended, len); c->remote_window -= len; + debug2("channel %d: sent ext data %d", c->self, len); } } } ---------------------- cut here ------------------- patch4: ---------------------- cut here ------------------- Index: channels.c =================================================================== RCS file: /home/markus/cvs/ssh/channels.c,v retrieving revision 1.92 diff -u -r1.92 channels.c --- channels.c 2001/02/16 13:38:18 1.92 +++ channels.c 2001/02/27 18:32:09 @@ -297,6 +297,7 @@ channel_close_fds(Channel *c) { if (c->sock != -1) { + shutdown(c->sock, SHUT_RDWR); close(c->sock); c->sock = -1; } 
@@ -331,8 +332,6 @@ debug("channel_free: channel %d: dettaching channel user", id); c->dettach_user(c->self, NULL); } - if (c->sock != -1) - shutdown(c->sock, SHUT_RDWR); channel_close_fds(c); buffer_free(&c->input); buffer_free(&c->output); ---------------------- cut here ------------------- > > > Has this problem been fixed? I just started having problems like this as > well (i'm using a early Jan snapshot version of openssh 2.3.0p1). Thnx. > > -rchit > > > I've just noticed that using ssh -1 always works. The problem > > is with ssh -2 from slow to fast machines. -- John > > > > > > > > The command "ssh ls -l /doesnotexist" gives various responses: > > > > > > Running from a 200 MHz PentiumPro with dsa key added to ssh-agent: > > > > > > Mistakes worst to fast machine: > > > To a faster 600 MHz dual processor i686 600 MHz machine: > > > ls: /doesnotexist: No such file or directory -- correct > > > nothing at all -- wrong > > > ls: select: Bad file descriptor -- wrong > > > > > > No mistakes to slower machine. > > > To a slower 166 MHz i586 600 MHz machine: > > > ls: /doesnotexist: No such file or directory -- correct all the time > > > > > > All machines run compiled OpenSSH-2.5.1p1 on RHL 6.2 with all > > > patches, kernel 2.2.16-3. Set up on all machines with > > > ssh and sshd defaulting to ssh2 protocol. 
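Review bot: chan_is_dead() keeps a protocol-2 channel alive for as long as buffer_len(&c->extended) > 0, so a channel whose extended buffer can no longer drain never becomes dead. Two paths in this patch appear to allow exactly that: the write side of the channel_handle_efd() hunk closes c->efd on `len <= 0` without discarding c->extended, and the "no data after CLOSE" branch skips sending extended data once CLOSE_RCVD is set, so a peer close arriving while stderr data is still buffered strands the channel. Either clear the buffer when the efd is closed, or add a `c->efd != -1` term to the condition; the `#if 0` block is a half-step toward that and should be resolved one way or the other rather than shipped, and the `/* XXX is this true? */` comment deserves an answer before this goes in.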
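Review bot: channel_check_window() drops its readset/writeset parameters, so its declaration (not in this diff) and any other caller have to change with it; worth checking before applying, since an unchanged prototype would compile silently on older compilers and mismatch at the call.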
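Review bot: patch4 is the same two channels.c hunks that open patch3 (shutdown() moved from channel_free() into channel_close_fds()), so `patch -R < patch4` backs that relocation out and leaves shutdown() where it was. If the relocation is not meant to ship, dropping those two hunks from patch3 is clearer than asking testers to apply one patch and then reverse another, and it avoids a half-applied state if someone runs only the first command.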
> > > > > > My test script: > > > > > > #!/bin/sh > > > while [ 1 ] > > > do > > > date > > > ssh tesla ls -l /doesnotexist > > > done > > > > > > Responses from fast machine are not consistent: > > > > > > Thu Feb 22 14:15:35 PST 2001 > > > ls: /doesnotexist: No such file or directory > > > Thu Feb 22 14:15:37 PST 2001 > > > Thu Feb 22 14:15:39 PST 2001 > > > ls: /doesnotexist: No such file or directory > > > Thu Feb 22 14:15:41 PST 2001 > > > Thu Feb 22 14:15:43 PST 2001 > > > ls: /doesnotexist: No such file or directory > > > Thu Feb 22 14:15:45 PST 2001 > > > ls: select: Bad file descriptor > > > Thu Feb 22 14:15:47 PST 2001 > > > Thu Feb 22 14:15:49 PST 2001 > > > ls: /doesnotexist: No such file or directory > > > Thu Feb 22 14:15:51 PST 2001 > > > ls: /doesnotexist: No such file or directory > > > Thu Feb 22 14:15:54 PST 2001 > > > ls: /doesnotexist: No such file or directory > > > Thu Feb 22 14:15:56 PST 2001 > > > select: Bad file descriptor > > > Thu Feb 22 14:15:58 PST 2001 > > > > > > -- > > > John Dunlap University of Washington > > > Senior Electrical Engineer Applied Physics Laboratory > > > dunlap at apl.washington.edu 1013 NE 40th Street > > > 206-543-7207, 543-1300, FAX 543-6785 Seattle, WA 98105-6698 > From bukys at cs.rochester.edu Wed Mar 14 02:50:13 2001 
From: bukys at cs.rochester.edu (Liudvikas Bukys) Date: Tue, 13 Mar 2001 10:50:13 -0500 (EST) Subject: PAM & several passwords Message-ID: <200103131550.KAA17520@tern.cs.rochester.edu> ChallengeResponse is not enough. The code has hard-coded assumptions about the PAM conversation. Anything more complicated than a simple prompt for password fails. The code needs to be re-written so that the flow of control inside the PAM conversation function drives the authentication protocol. The current code keeps the flow of control in itself and messes with temporary buffers to interact with PAM in certain limited ways. I have unleashed a student here to take a look at it; I'm hoping we can contribute something general and elegant to the effort. Of course, general and elegant is more work; in the short run I wouldn't mind seeing one of the two hard-coded TIS authsrv patches that appeared for 2.3.0 permanently incorporated. If anyone else is doing likewise I'd like to hear from you. ---------------------------------------------------------------------- Attachment: I have PAM set up on my Solaris machine to require both an S/KEY (via TIS authsrv) and a reusable password. Enclosed is a (cleaned-up) transcript showing that rlogin/PAM can handle it but sshd can't (doesn't even display the challenge at the appropriate time): ---------------------------------------------------------------------- Script started on Tue Mar 13 10:37:26 2001 % rlogin localhost Skey Challenge s/key 631 gr8490 :dish if fog grub much hull Password: SUCCESS! % logout Connection closed. % ssh -2 localhost bukys at localhost's password: Permission denied, please try again. bukys at localhost's password: Permission denied, please try again. 
bukys at localhost's password: Skey Challenge s/key 630 gr8490 :she mess rays they bog aida Connection closed by 127.0.0.1 % script done on Tue Mar 13 10:38:32 2001 ---------------------------------------------------------------------- From neis at kobil.de Wed Mar 14 03:09:35 2001 From: neis at kobil.de (Stefan Neis) Date: Tue, 13 Mar 2001 17:09:35 +0100 Subject: PAM & several passwords References: <200103131550.KAA17520@tern.cs.rochester.edu> Message-ID: <3AAE463F.69F5537F@kobil.de> Liudvikas Bukys wrote: > > ChallengeResponse is not enough. > The code has hard-coded assumptions about the PAM conversation. > Anything more complicated than a simple prompt for password fails. That could be sufficient for me, however either I don't know how to set this up correctly, or something is still wrong with the interaction of the PAM module and the PAM conversation function. However I'm unable to get that simple prompt. :-( And what's that SKey stuff in your transcript? I don't even get configure to work when passing it a --with-skey (it's complaining about missing header files. :-o ) Thanks, Stefan From bazsi at balabit.hu Wed Mar 14 03:31:06 2001 From: bazsi at balabit.hu (Balazs Scheidler) Date: Tue, 13 Mar 2001 17:31:06 +0100 Subject: [PATCH] openssh 2.5.1p2 TIS authserv support Message-ID: <20010313173106.D21715@balabit.hu> Hi, We have updated our TIS authserv support patch for OpenSSH 2.5.1p2. You'll find it attached to my message. -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 -------------- next part -------------- diff -urN openssh-2.5.1p2/Makefile.in openssh-2.5.1p2-tis/Makefile.in --- openssh-2.5.1p2/Makefile.in Sun Feb 18 20:13:33 2001 +++ openssh-2.5.1p2-tis/Makefile.in Fri Mar 9 10:11:30 2001 
@@ -48,7 +48,7 @@ SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o -SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o dh.o sshpty.o log-server.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o +SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o dh.o sshpty.o log-server.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o tisauth.o TROFFMAN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 CATMAN = scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh-keyscan.0 ssh.0 sshd.0 sftp-server.0 sftp.0 diff -urN openssh-2.5.1p2/acconfig.h openssh-2.5.1p2-tis/acconfig.h --- openssh-2.5.1p2/acconfig.h Mon Feb 26 22:39:07 2001 +++ openssh-2.5.1p2-tis/acconfig.h Fri Mar 9 10:10:31 2001 @@ -299,6 +299,8 @@ /* Needed for SCO and NeXT */ #undef BROKEN_SAVED_UIDS +#undef TIS_AUTH + @BOTTOM@ /* ******************* Shouldn't need to edit below this line ************** */ diff -urN openssh-2.5.1p2/auth-chall.c openssh-2.5.1p2-tis/auth-chall.c --- openssh-2.5.1p2/auth-chall.c Sun Feb 18 07:01:00 2001 +++ openssh-2.5.1p2-tis/auth-chall.c Fri Mar 9 11:07:39 2001 
@@ -68,7 +68,61 @@ return authok != 0; } #else -#ifdef SKEY + +#if defined(SKEY) && defined(TIS_AUTH) +#error "S/Key and TIS authentication is not supported at the same time" +#endif + +#ifdef TIS_AUTH + +#include "tisauth.h" +#include "servconf.h" +#include "xmalloc.h" + +extern ServerOptions options; + +char * +get_challenge(Authctxt *authctxt, char *devs) +{ + static char challenge[128]; + + if (!authctxt->tis) { + authctxt->tis = tis_connect_multi(options.authserv_addrs); + } + if (authctxt->tis) { + char *tis_chal; + + if (authctxt->pw) { + tis_chal = tis_authenticate(authctxt->tis, authctxt->pw->pw_name); + } + else { + tis_chal = tis_fake_challenge(); + } + strlcpy(challenge, tis_chal, sizeof(challenge)); + xfree(tis_chal); + + return challenge; + } + return NULL; +} + +int +verify_response(Authctxt *authctxt, char *response) +{ + int res; + + if (!authctxt->tis) { + res = 0; + } + else { + res = tis_response(authctxt->tis, response); + tis_free(authctxt->tis); + authctxt->tis = NULL; + } + return res && authctxt->valid; +} + +#elif SKEY #include char * diff -urN openssh-2.5.1p2/auth.h openssh-2.5.1p2-tis/auth.h --- openssh-2.5.1p2/auth.h Sun Feb 18 07:01:00 2001 +++ openssh-2.5.1p2-tis/auth.h Fri Mar 9 10:23:09 2001 @@ -49,6 +49,9 @@ #ifdef BSD_AUTH auth_session_t *as; #endif +#ifdef TIS_AUTH + struct tis_context *tis; +#endif }; /* diff -urN openssh-2.5.1p2/config.h.in openssh-2.5.1p2-tis/config.h.in --- openssh-2.5.1p2/config.h.in Thu Mar 1 01:11:34 2001 +++ openssh-2.5.1p2-tis/config.h.in Fri Mar 9 11:01:48 2001 @@ -299,6 +299,8 @@ /* Needed for SCO and NeXT */ #undef BROKEN_SAVED_UIDS +#undef TIS_AUTH + /* The number of bytes in a char. */ #undef SIZEOF_CHAR diff -urN openssh-2.5.1p2/configure.in openssh-2.5.1p2-tis/configure.in --- openssh-2.5.1p2/configure.in Wed Feb 28 23:16:12 2001 +++ openssh-2.5.1p2-tis/configure.in Fri Mar 9 10:13:39 2001 
@@ -461,6 +461,18 @@ ] ) +# Check whether user wants TIS support +TIS_MSG="no" +AC_ARG_WITH(tis, + [ --with-tis Enable TIS authsrv support, may not be used with --with-skey], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE(TIS_AUTH) + TIS_MSG="yes" + fi + ] +) + # Check whether user wants TCP wrappers support TCPW_MSG="no" AC_ARG_WITH(tcp-wrappers, @@ -1780,6 +1792,7 @@ echo " KerberosIV support: $KRB4_MSG" echo " AFS support: $AFS_MSG" echo " S/KEY support: $SKEY_MSG" +echo " TIS authsrv support: $TIS_MSG" echo " TCP Wrappers support: $TCPW_MSG" echo " MD5 password support: $MD5_MSG" echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" diff -urN openssh-2.5.1p2/servconf.c openssh-2.5.1p2-tis/servconf.c --- openssh-2.5.1p2/servconf.c Thu Feb 15 04:08:27 2001 +++ openssh-2.5.1p2-tis/servconf.c Fri Mar 9 11:12:14 2001 @@ -206,6 +209,9 @@ #ifdef AFS sKerberosTgtPassing, sAFSTokenPassing, #endif +#ifdef TIS_AUTH + sAuthservAddress, +#endif sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, @@ -246,6 +252,9 @@ { "kerberostgtpassing", sKerberosTgtPassing }, { "afstokenpassing", sAFSTokenPassing }, #endif +#ifdef TIS_AUTH + { "authservaddress", sAuthservAddress }, +#endif { "passwordauthentication", sPasswordAuthentication }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, { "challengeresponseauthentication", sChallengeResponseAuthentication }, 
@@ -299,6 +308,34 @@ return sBadOption; } +#ifdef TIS_AUTH +void +add_authserv_addr(ServerOptions *options, char **addr) +{ + struct addrinfo hints, *ai, *aitop; + char *host, *service; + int gaierr; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = IPv4or6; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0; + + host = strdelim(addr); + service = strdelim(addr); + + if ((gaierr = getaddrinfo(host, service, &hints, &aitop)) != 0) + fatal("bad addr or host: %s (%s)\n", + host ? host : "", + gai_strerror(gaierr)); + for (ai = aitop; ai->ai_next; ai = ai->ai_next) + ; + ai->ai_next = options->authserv_addrs; + options->authserv_addrs = aitop; + +} +#endif + /* * add listen address */ @@ -551,6 +588,12 @@ case sChallengeResponseAuthentication: intptr = &options->challenge_reponse_authentication; goto parse_flag; + +#ifdef TIS_AUTH + case sAuthservAddress: + add_authserv_addr(options, &cp); + break; +#endif case sPrintMotd: intptr = &options->print_motd; diff -urN openssh-2.5.1p2/servconf.h openssh-2.5.1p2-tis/servconf.h --- openssh-2.5.1p2/servconf.h Thu Feb 15 04:08:27 2001 +++ openssh-2.5.1p2-tis/servconf.h Fri Mar 9 10:59:50 2001 @@ -90,6 +91,9 @@ * authentication. */ int kbd_interactive_authentication; /* If true, permit */ int challenge_reponse_authentication; +#ifdef TIS_AUTH + struct addrinfo *authserv_addrs; +#endif int permit_empty_passwd; /* If false, do not permit empty * passwords. */ int use_login; /* If true, login(1) is used */ diff -urN openssh-2.5.1p2/tisauth.c openssh-2.5.1p2-tis/tisauth.c --- openssh-2.5.1p2/tisauth.c Thu Jan 1 01:00:00 1970 +++ openssh-2.5.1p2-tis/tisauth.c Fri Mar 9 11:26:25 2001 
@@ -0,0 +1,110 @@ +/* + * Copyright (c) 2000 BalaBit IT Ltd. + * All rights reserved + * + * Authors: Bal?zs Scheidler, Attila Szalay + * + */ + +#include "includes.h" +#include "ssh.h" + +#ifdef TIS_AUTH + +struct tis_context { + int connfd; +}; + +struct tis_context *tis_connect(struct sockaddr *addr, int addrlen) +{ + struct tis_context *ctx; + char line[128]; + int fd; + + fd = socket(addr->sa_family, SOCK_STREAM, 0); + if (fd < 0) + return NULL; + + if (connect(fd, addr, addrlen) < 0) { + close(fd); + return NULL; + } + + /* grab greeting line */ + if (read(fd, line, sizeof(line)) < 0) { + close(fd); + return NULL; + } + ctx = malloc(sizeof(struct tis_context)); + ctx->connfd = fd; + return ctx; +} + +struct tis_context *tis_connect_multi(struct addrinfo *addrs) +{ + struct addrinfo *p; + struct tis_context *tis; + + for (p = addrs; p; p = p->ai_next) { + tis = tis_connect(p->ai_addr, p->ai_addrlen); + if (tis) + return tis; + } + return NULL; +} + +void tis_free(struct tis_context *ctx) +{ + if (ctx) { + close(ctx->connfd); + free(ctx); + } +} + +char *tis_authenticate(struct tis_context *ctx, char *user) +{ + char line[128]; + int length; + + snprintf(line, 120, "authenticate \"%.32s\"\n", user); + if (send(ctx->connfd,line,strlen(line),0) < 0) { + return NULL; + } + if ((length = recv(ctx->connfd, line, sizeof(line) - 1, 0)) <= 0) + return NULL; + line[length] = 0; + if (line[length - 1] == '\n') + line[length - 1] = 0; + if (strncmp(line, "challenge", 9) != 0) + return NULL; + return strdup(line + 10); +} + +int tis_response(struct tis_context *ctx, char *response) +{ + char line[128]; + int length; + + snprintf(line, 120, "response \"%.64s\"\n", response) ; + if (send(ctx->connfd, line, strlen(line), 0) < 0) + return 0; + if ((length = recv(ctx->connfd, line, sizeof(line) - 1, 0)) < 0) + return 0; + line[length] = 0; + if (strncmp(line, "ok", 2) == 0) { + return 1; + } + return 0; +} + +char *tis_fake_challenge(void) +{ + char challenge[9]; + unsigned 
long rnd; + + rnd = time(NULL) ^ getpid(); + snprintf(challenge, sizeof(challenge), "%ld", rnd); + return strdup(challenge); +} + +#endif diff -urN openssh-2.5.1p2/tisauth.h openssh-2.5.1p2-tis/tisauth.h --- openssh-2.5.1p2/tisauth.h Thu Jan 1 01:00:00 1970 +++ openssh-2.5.1p2-tis/tisauth.h Fri Mar 9 10:10:31 2001 @@ -0,0 +1,14 @@ +#ifndef _TISAUTH_H_INCLUDED +#define _TISAUTH_H_INCLUDED + +struct tis_context; + +struct tis_context *tis_connect(struct sockaddr *addr, int addrlen); +struct tis_context *tis_connect_multi(struct addrinfo *addrs); +void tis_free(struct tis_context *ctx); +char *tis_authenticate(struct tis_context *ctx, char *user); +int tis_response(struct tis_context *ctx, char *response); +char *tis_fake_challenge(void); + +#endif + From wwieser at gmx.de Wed Mar 14 04:13:30 2001 From: wwieser at gmx.de (wwieser at gmx.de) Date: Tue, 13 Mar 2001 18:13:30 +0100 Subject: Bug in bsd-misc.c In-Reply-To: References: Message-ID: <01031318133000.00373@enigma> > > #if !defined(HAVE_STRERROR) && defined(HAVE_SYS_ERRLIST) && > > defined(HAVE_SYS_NERR) > > const char *strerror(int e) > > { > > extern int sys_nerr; > > extern char *sys_errlist[]; > > > > if ((e >= 0) || (e < sys_nerr)) > > return("unlisted error"); > > else > > return(sys_errlist[e]); > > } > > #endif > > > Should the "||" be changed to "&&" as well? > Err... only if you want it to be bug-free :) > However, I'm interested in how you ran across this with Linux since Linux > has a built in strerror(). =) > Wanted to check out incompabilities and functions missing on different platforms. wwieser From woods at weird.com Wed Mar 14 06:20:46 2001 
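Review bot: in the auth-chall.c hunk, get_challenge() passes `tis_chal` straight to strlcpy() with no NULL check, yet tis_authenticate() (tisauth.c hunk) returns NULL whenever send()/recv() fails or the reply does not start with "challenge", so an unreachable or misbehaving authsrv becomes a NULL dereference in the sshd child. Test for NULL, tis_free() the context, reset `authctxt->tis` and return NULL so the method simply fails for that attempt. Two smaller points in the same hunk: `#elif SKEY` should be `#elif defined(SKEY)` to match the `#if defined(SKEY) && defined(TIS_AUTH)` guard a few lines above, and the fixed 128-byte static `challenge` buffer silently truncates any longer challenge from the server.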
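Review bot: the configure.in hunk says --with-tis "may not be used with --with-skey" but never enforces it, leaving the conflict to the #error in auth-chall.c at compile time; add an AC_MSG_ERROR once both options have been processed (for example when TIS_MSG and SKEY_MSG are both "yes") so the build fails at configure time with a clear message. The patch also adds no sshd.8 text for the new AuthservAddress option, so nothing tells an administrator what the value looks like (host and port separated by whitespace, per add_authserv_addr) or that the connection to the authsrv is a plain TCP socket.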
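Review bot: in the servconf.c hunk, add_authserv_addr() computes `hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0`, but `addr` is the char** from the option parser and is never NULL on its only call site (`add_authserv_addr(options, &cp)`), and AI_PASSIVE only makes sense for bind(), not for the connect() this address feeds; this looks copied from add_listen_addr() and can be dropped. More importantly, neither `host` nor `service` returned by strdelim() is checked, so an "AuthservAddress somehost" line with no port reaches getaddrinfo() with a NULL service and resolves to port 0 instead of failing with a clear error. Finally, the hunk links new results with `ai->ai_next = options->authserv_addrs`, but nothing in the diff initializes `authserv_addrs` in initialize_server_options(); unless that happens elsewhere the first call reads an uninitialized pointer.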
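Review bot: in the tisauth.c hunk, tis_authenticate() checks only `strncmp(line, "challenge", 9)` before returning `strdup(line + 10)`, so a reply that is exactly "challenge" (9 bytes plus the NUL) makes strdup() start one byte past the terminator in uninitialized stack; require `length > 10` (or parse the separator explicitly) first. The I/O model is also fragile for something on the authentication path: the greeting is consumed with one unchecked read(), each reply is assumed to arrive in a single recv() of under 128 bytes, and the socket has no timeout, so a stalled authsrv stalls sshd's authentication for that connection; read up to the newline in a loop and bound the wait with alarm() or select(). Smaller items: the literal `120` in both snprintf() calls should be `sizeof(line)`, `%ld` is the wrong conversion for an `unsigned long` (use `%lu`), malloc() in tis_connect() is unchecked, and tis_response() treats any reply beginning with "ok" as success (a two-byte strncmp) rather than the exact token. Worth a comment too: tis_fake_challenge() returns a short decimal string derived from time() ^ getpid(), which will not resemble a real authsrv challenge, so if its purpose is to keep unknown and known usernames indistinguishable it needs to mimic the real challenge format.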
From: woods at weird.com (Greg A. Woods)
Date: Tue, 13 Mar 2001 14:20:46 -0500 (EST)
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
In-Reply-To: <20010312222432.A7800@folly>
References: <9DC8BBAD4FF100408FC7D18D1F092286039C96@condor.mhsc.com> <20010312031041.9D7AA8C@proven.weird.com> <20010312222432.A7800@folly>
Message-ID: <20010313192046.46CC78C@proven.weird.com>

[ On Monday, March 12, 2001 at 22:24:32 (+0100), Markus Friedl wrote: ]
> Subject: Re: OpenSSH/scp ->> F-Secure SSH server Problems
>
> On Sun, Mar 11, 2001 at 10:10:41PM -0500, Greg A. Woods wrote:
> > My guess is this is just an excuse to use the "built-in subsystem"
> > feature bloat in the secsh protocol.
>
> subsystem is not feature bloat, it's like exec-command, but allows
> a level of redirection.

That's totally bogus.

There are a zillion ways on most server-type platforms to do such indirection without having to integrate it into SSH, not to mention that almost all of those alternatives would then lead to total independence of SSH and thus total portability across all generic transport protocols.

I.e. any add-on client/server application (e.g. file transfer) that simply remotely executes a server instance through an existing SSH connection is truly independent of SSH (and any other transport protocol).

The "built-in subsystem" feature is bad design. It has no business being directly in the transport protocol. It is an ugly wart.

> > In this case (i.e. in the case of wanting to "ftp" over SSH) the issue
> > is with the stupid user interface. Naive users are looking for some SSH
> > file copying tool that works just like their FTP clients, i.e. where
> > they can see a list of files on the server and click/drag/whatever them
> > to effect the copy.
>
> have you ever tried the vandyke.com sftp-client?

I have no idea what that might even be. I do not ever use any platforms that Van Dyke Tech.
current software offerings might run on (well not without duress, and then only as dumb terminals).

--
Greg A. Woods
+1 416 218-0098 VE3TCP
Planix, Inc. ; Secrets of the Weird

From woods at weird.com Wed Mar 14 07:14:51 2001
From: woods at weird.com (Greg A. Woods)
Date: Tue, 13 Mar 2001 15:14:51 -0500 (EST)
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
In-Reply-To: <20010312183042.A1961284@cs.stevens-tech.edu>
References: <20010312144035.A1174@faui02.informatik.uni-erlangen.de> <20010312173130.A2713@rek.tjls.com> <20010312183042.A1961284@cs.stevens-tech.edu>
Message-ID: <20010313201451.70C1F8C@proven.weird.com>

[ On Monday, March 12, 2001 at 18:30:42 (-0500), Thor Simon wrote: ]
> Subject: Re: OpenSSH/scp ->> F-Secure SSH server Problems
>
> Nonetheless, we have two IETF-standardized secure transport layers
> which serve essentially the same purpose. I find this regrettable,
> particularly from the point of view of a small system which, these
> days, may be forced to carry around the code to do both.

That's not a bad thing.... The idea is that small systems can make the choice for the most appropriate protocol for their purposes. At the same time it provides for the options that allow for such a choice to be made.

In the open-source software world, at least, it is silly to think that any given platform or protocol must dominate market share. That is entirely counterproductive in the long term. We wouldn't even have Unix if all the world were an IBM mainframe, let alone many of the other wonderful things we have. Everything doesn't have to be compatible with everything else.

--
Greg A. Woods
+1 416 218-0098 VE3TCP
Planix, Inc. ; Secrets of the Weird

From abartlet at pcug.org.au Wed Mar 14 07:48:10 2001
From: abartlet at pcug.org.au (Andrew Bartlett)
Date: Wed, 14 Mar 2001 07:48:10 +1100
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
References: <9DC8BBAD4FF100408FC7D18D1F092286039C96@condor.mhsc.com> <20010312031041.9D7AA8C@proven.weird.com> <20010312222432.A7800@folly> <20010313192046.46CC78C@proven.weird.com>
Message-ID: <3AAE878A.5A345445@bartlett.house>

"Greg A. Woods" wrote:
>
> [ On Monday, March 12, 2001 at 22:24:32 (+0100), Markus Friedl wrote: ]
> > Subject: Re: OpenSSH/scp ->> F-Secure SSH server Problems
> >
> > On Sun, Mar 11, 2001 at 10:10:41PM -0500, Greg A. Woods wrote:
> > > My guess is this is just an excuse to use the "built-in subsystem"
> > > feature bloat in the secsh protocol.
> >
> > subsystem is not feature bloat, it's like exec-command, but allows
> > a level of redirection.
>
> That's totally bogus.
>
> There are a zillion ways on most server-type platforms to do such
> indirection without having to integrate it into SSH, not to mention that
> almost all of those alternatives would then lead to total independence
> of SSH and thus total portability across all generic transport protocols.
>
> I.e. any add-on client/server application (e.g. file transfer) that
> simply remotely executes a server instance through an existing SSH
> connection is truly independent of SSH (and any other transport
> protocol).
>
> The "built-in subsystem" feature is bad design. It has no business
> being directly in the transport protocol. It is an ugly wart.

I think it is a very elegant design. It costs about 30 lines of very easy to read code. All it does is execute commands, and allows the sys-admin control over what commands are provided.

As has been stated elsewhere, sftp is as portable as a standard output stream: it's executable by anybody and does not rely on SSH, it just happens to be bundled with OpenSSH for convenience.

> > > In this case (i.e. in the case of wanting to "ftp" over SSH) the issue
> > > is with the stupid user interface.
> > > Naive users are looking for some SSH
> > > file copying tool that works just like their FTP clients, i.e. where
> > > they can see a list of files on the server and click/drag/whatever them
> > > to effect the copy.
> >
> > have you ever tried the vandyke.com sftp-client?
>
> I have no idea what that might even be. I do not ever use any platforms
> that Van Dyke Tech. current software offerings might run on (well not
> without duress, and then only as dumb terminals).
>
> --
> Greg A. Woods
>
> +1 416 218-0098 VE3TCP
> Planix, Inc. ; Secrets of the Weird

--
Andrew Bartlett
abartlet at pcug.org.au

From djm at mindrot.org Wed Mar 14 08:20:09 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 14 Mar 2001 08:20:09 +1100 (EST)
Subject: PAM & several passwords
In-Reply-To: <3AAE463F.69F5537F@kobil.de>
Message-ID:

On Tue, 13 Mar 2001, Stefan Neis wrote:

> Liudvikas Bukys wrote:
> >
> > ChallengeResponse is not enough.
> > The code has hard-coded assumptions about the PAM conversation.
> > Anything more complicated than a simple prompt for password fails.
>
> That could be sufficient for me, however either I don't know how
> to set this up correctly, or something is still wrong with the
> interaction of the PAM module and the PAM conversation function.
> However I'm unable to get that simple prompt. :-(

Try

ChallengeResponseAuthentication yes
PasswordAuthentication no

in your sshd_config and

ChallengeResponseAuthentication yes

in your ~/.ssh/config

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From markus.friedl at informatik.uni-erlangen.de Wed Mar 14 08:20:53 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 13 Mar 2001 22:20:53 +0100
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
In-Reply-To: <20010313192046.46CC78C@proven.weird.com>; from woods@weird.com on Tue, Mar 13, 2001 at 02:20:46PM -0500
References: <9DC8BBAD4FF100408FC7D18D1F092286039C96@condor.mhsc.com> <20010312031041.9D7AA8C@proven.weird.com> <20010312222432.A7800@folly> <20010313192046.46CC78C@proven.weird.com>
Message-ID: <20010313222053.B22241@folly>

On Tue, Mar 13, 2001 at 02:20:46PM -0500, Greg A. Woods wrote:
> There are a zillion ways on most server-type platforms to do such
> indirection without having to integrate it into SSH, not to mention that
> almost all of those alternatives would then lead to total independence
> of SSH and thus total portability across all generic transport protocols.

sftp _is_ totally independent of SSH and runs portably across all generic transport protocols.

> I.e. any add-on client/server application (e.g. file transfer) that
> simply remotely executes a server instance through an existing SSH
> connection is truly independent of SSH (and any other transport
> protocol).

wow.

> The "built-in subsystem" feature is bad design. It has no business
> being directly in the transport protocol. It is an ugly wart.

tell ietf-ssh at netbsd.org, not me, i don't care.

-m

From mouring at etoh.eviladmin.org Wed Mar 14 08:22:29 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Tue, 13 Mar 2001 15:22:29 -0600 (CST)
Subject: Bug in bsd-misc.c
In-Reply-To: <01031318133000.00373@enigma>
Message-ID:

On Tue, 13 Mar 2001 wwieser at gmx.de wrote:

> > > #if !defined(HAVE_STRERROR) && defined(HAVE_SYS_ERRLIST) &&
> > > defined(HAVE_SYS_NERR)
> > > const char *strerror(int e)
> > > {
> > >     extern int sys_nerr;
> > >     extern char *sys_errlist[];
> > >
> > >     if ((e >= 0) || (e < sys_nerr))
> > >         return("unlisted error");
> > >     else
> > >         return(sys_errlist[e]);
> > > }
> > > #endif
> >
> > Should the "||" be changed to "&&" as well?
>
> Err... only if you want it to be bug-free :)

If no one has any qualms with this then I'll fix it when I get home tonight.

> > However, I'm interested in how you ran across this with Linux since Linux
> > has a built in strerror(). =)
>
> Wanted to check out incompatibilities and functions missing on different
> platforms.

If you have a list of functions missing or misimplemented it would be interesting to see. At one point I thought it would be a nice subproject to build a perl script where people could submit their output from ./configure and it can be used to generate a database of missing/broken functions which may make it easier to know who to beg to test changes.

- Ben

From markus.friedl at informatik.uni-erlangen.de Wed Mar 14 08:15:39 2001
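The range check under discussion, as an added example rather than code from bsd-misc.c: the posted test with `||` beside a corrected fallback that rejects anything outside [0, sys_nerr) before indexing the table (changing only the operator would leave the branches inverted and index out of range). The table and count are constructed stand-ins for sys_errlist/sys_nerr (named example_errlist and example_nerr here) so the example runs on systems that no longer export those symbols.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the platform's sys_errlist/sys_nerr, so the
 * example runs on systems (e.g. current glibc) that no longer export them.
 * The names and strings are made up for this example. */
static const char *const example_errlist[] = {
    "Success",                  /* 0 */
    "Operation not permitted",  /* 1 */
    "No such file or directory" /* 2 */
};
static const int example_nerr =
    (int)(sizeof(example_errlist) / sizeof(example_errlist[0]));

/* The range test as quoted in the thread.  With `||` at least one side of
 * the disjunction is true for every e (e >= 0 for non-negative values,
 * e < nerr for negative ones), so the table is never indexed and every
 * call returns "unlisted error". */
const char *strerror_as_posted(int e)
{
    if ((e >= 0) || (e < example_nerr))
        return "unlisted error";
    else
        return example_errlist[e];
}

/* What `&&` alone would give: the conjunction now describes the valid
 * range, but the branches are still the wrong way round, so in-range
 * values get "unlisted error" and out-of-range values (-1, nerr, ...)
 * index past the table.  Kept here only to show why the fix needs both
 * changes; never call it with an out-of-range e. */
const char *strerror_operator_only(int e)
{
    if ((e >= 0) && (e < example_nerr))
        return "unlisted error";
    else
        return example_errlist[e];
}

/* Corrected fallback: anything outside [0, nerr) is rejected before the
 * table is touched, so the lookup can never read out of bounds. */
const char *strerror_fixed(int e)
{
    if (e < 0 || e >= example_nerr)
        return "unlisted error";
    return example_errlist[e];
}
```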
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 13 Mar 2001 22:15:39 +0100
Subject: what about socks support?
In-Reply-To: <20010313144609.A5296@bds.ucs.co.za>; from bds@jhb.ucs.co.za on Tue, Mar 13, 2001 at 02:46:09PM +0200
References: <80256A0C.004E47E9.00@d06mta05.portsmouth.uk.ibm.com> <20010311152914.A3045@faui02.informatik.uni-erlangen.de> <20010313144609.A5296@bds.ucs.co.za>
Message-ID: <20010313221539.A22241@folly>

On Tue, Mar 13, 2001 at 02:46:09PM +0200, Berend De Schouwer wrote:
> Okay, here is a ProxyCommand that works with Dante for me. It simply
> runs netcat, which should be available on a lot of systems.
>
> In [/path/to/]ssh_config, add:
>
> Host *internet*
>     ProxyCommand [/path/to/]socksify [/path/to/]nc %h %p
>
> You will want to change "*internet*" to some other way to identify
> hosts behind a socks firewall. Is this a good or bad way of doing
> things?

it's a very cool way.

> It seemed the simplest way to me, and scp copies binary files.
> Is netcat safe?

what do you mean with 'safe'? 8bit clean? it is.

-m

From djm at mindrot.org Wed Mar 14 08:23:56 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 14 Mar 2001 08:23:56 +1100 (EST)
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
In-Reply-To: <20010313192046.46CC78C@proven.weird.com>
Message-ID:

On Tue, 13 Mar 2001, Greg A. Woods wrote:

> > subsystem is not feature bloat, it's like exec-command, but allows
> > a level of redirection.
>
> That's totally bogus.
>
> There are a zillion ways on most server-type platforms to do such
> indirection without having to integrate it into SSH,

Most of which are completely irrelevant to SSH.

> not to mention that
> almost all of those alternatives would then lead to total independence
> of SSH and thus total portability across all generic transport protocols.

Huh? sftp-server is totally independent of SSH - it can be (and is in OpenSSH) a separate binary that you could use to transfer files over TLS or whatever else you want.

> I.e. any add-on client/server application (e.g. file transfer) that
> simply remotely executes a server instance through an existing SSH
> connection is truly independent of SSH (and any other transport
> protocol).
>
> The "built-in subsystem" feature is bad design. It has no business
> being directly in the transport protocol. It is an ugly wart.

No, it is a robust way of specifying server systems without having to rely on locations of binaries, etc. It does not require that the subsystems be integrated into the server.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From mattl at livecapital.com Wed Mar 14 09:35:43 2001
From: mattl at livecapital.com (Lewandowsky, Matt)
Date: Tue, 13 Mar 2001 14:35:43 -0800
Subject: ssh through proxy (was: prng_cmds/init_rng() question/patch)
Message-ID: <71D01DB8DA698947A6F5D666D62A2DB001C39D@exchange.livecapital.com>

(Sorry for being so OT, but I'm currently experiencing this inconvenience and want to be more productive than doing a CVS update at home and getting to the office.)

So, what you are suggesting is that I set up a squid proxy on a box outside the firewall on port 80 and use MindTerm to connect via that? Until this past weekend when the network was "redone", we had a proxy we could access internally and this is how I got out before. But now, we have a "direct connection" which I had no say in... Oh, well...

If that isn't what you were suggesting, could you elaborate?

Thanks,
--Matt

> -----Original Message-----
> From: Mats Andersson [mailto:mats at mindbright.se]
> Sent: Tuesday, March 13, 2001 12:30 AM
> To: Lewandowsky, Matt
> Cc: 'Gert Doering'; J.S.Peatfield at damtp.cam.ac.uk; dwd at bell-labs.com;
> openssh-unix-dev at mindrot.org
> Subject: ssh through proxy (was: prng_cmds/init_rng() question/patch)
>
>
> Hi,
>
> Sorry for pushing this even further off topic but since someone mentioned
> MindTerm I couldn't resist answering :-)
>
> On Mon, 12 Mar 2001, Lewandowsky, Matt wrote:
> > Is there anything like this atm which uses the web server as a proxy? For
> > example, say that I'm behind a firewall at work, and the "security policy"
> > disallows ssh.
>
> MindTerm (and I'm sure other clients too) have the feature to connect
> "out" through either a http proxy or a socks4/5 proxy. The case you
> describe probably includes a http proxy to pass out through (which most
> often IS allowed by policies...) in which case you in most cases are able
> to "fool" the http proxy into letting you out through https (often meaning
> that you have to put your sshd listening on 443 on the other end).
>
> Cheers,
>
> /Mats
>

From ryan_bradetich at hp.com Wed Mar 14 10:27:10 2001
From: ryan_bradetich at hp.com (Ryan Bradetich)
Date: Tue, 13 Mar 2001 16:27:10 -0700
Subject: Ctrl-C problem on HP-UX
Message-ID: <3AAEACCE.24670332@hp.com>

Hello OpenSSH Developers,

I have been working on developing an OpenSSH SD package for HP-UX 10.20 and HP-UX 11.00 to deploy on servers we manage. Unfortunately, I have encountered the ctrl-c problem which manifests when the daemon is started in non-interactive mode (in this case from the SD Daemon). When I manually stop/start the daemon, the ctrl-c functionality works.

I have dug through the archives and found the work Garrick James, Gert Doering, and Damien Miller have done in the past to fix this problem. Verified the signal(SIGINT, SIG_DFL); was in the proper place in the sshd.c. Then I tried the fix Garrick James and Gert Doering originally proposed by adding the signal to sshpty.c. Neither of these solutions solved the problem.

I have tested this on both openssh-2.3.0p1 and openssh-2.5.1p1, connecting from a linux/hp-ux system using openssh-2.3.0p1 protocol 1. I have not tried protocol 2 at this time, but would be willing to test this if it helps debug the problem.

Please let me know if I can provide more information/test ideas, etc. I would really like to find a [better] fix for this problem.

Thank you.

- Ryan

P.S. Please CC me on the email since I am not subscribed to this list (yet).

--
Ryan Bradetich
Siteminder Support
Linux Platform Support

From marya at st.jip.co.jp Wed Mar 14 11:47:58 2001
From: marya at st.jip.co.jp (Shinichi Maruyama)
Date: Wed, 14 Mar 2001 09:47:58 +0900 (JST)
Subject: what about socks support?
In-Reply-To: <20010313144609.A5296@bds.ucs.co.za>
References: <80256A0C.004E47E9.00@d06mta05.portsmouth.uk.ibm.com> <20010311152914.A3045@faui02.informatik.uni-erlangen.de> <20010313144609.A5296@bds.ucs.co.za>
Message-ID: <20010314.094758.74755145.marya@st.jip.co.jp>

bds> In [/path/to/]ssh_config, add:
bds>
bds> Host *internet*
bds>     ProxyCommand [/path/to/]socksify [/path/to/]nc %h %p
bds>
bds> You will want to change "*internet*" to some other way to identify
bds> hosts behind a socks firewall. Is this a good or bad way of doing
bds> things? It seemed the simplest way to me, and scp copies binary files.

I want to use ProxyCommand

Host !*.our.domain
    ProxyCommand .......

but Host option has no '!' syntax. Can anyone add this officially ?

--
Japan Information Processing Service,Co,Ltd.
Shinichi Maruyama (marya at st.jip.co.jp)

From jmknoble at jmknoble.cx Wed Mar 14 13:28:50 2001
From: jmknoble at jmknoble.cx (Jim Knoble)
Date: Tue, 13 Mar 2001 21:28:50 -0500
Subject: what about socks support?
In-Reply-To: <20010314.094758.74755145.marya@st.jip.co.jp>; from marya@st.jip.co.jp on Wed, Mar 14, 2001 at 09:47:58AM +0900
References: <80256A0C.004E47E9.00@d06mta05.portsmouth.uk.ibm.com> <20010311152914.A3045@faui02.informatik.uni-erlangen.de> <20010313144609.A5296@bds.ucs.co.za> <20010314.094758.74755145.marya@st.jip.co.jp>
Message-ID: <20010313212850.A20452@quipu.half.pint-stowp.cx>

Circa 2001-Mar-14 09:47:58 +0900 dixit Shinichi Maruyama:

: I want to use ProxyCommand
:
: Host !*.our.domain
:     ProxyCommand .......
:
: but Host option has no '!' syntax. Can anyone add this officially ?

I can't speak to adding anything, but in the meantime you could do something like this:

Host *.your.internal.domain
    # All settings for your internal domain

Host *
    # All settings for everything else, including ProxyCommand

It duplicates some entries, but it will work.

If the ProxyCommand option recognized a 'none' or 'off' or 'nil' setting that caused it to be unset, it would be much easier:

Host *.your.internal.domain
    ProxyCommand none

Host *
    # ...
    ProxyCommand ....

Unfortunately, that's not there either....

--
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/

From woods at weird.com Wed Mar 14 14:51:09 2001
From: woods at weird.com (Greg A. Woods)
Date: Tue, 13 Mar 2001 22:51:09 -0500 (EST)
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
In-Reply-To: <20010313222053.B22241@folly>
References: <9DC8BBAD4FF100408FC7D18D1F092286039C96@condor.mhsc.com> <20010312031041.9D7AA8C@proven.weird.com> <20010312222432.A7800@folly> <20010313192046.46CC78C@proven.weird.com> <20010313222053.B22241@folly>
Message-ID: <20010314035109.6F32E8C@proven.weird.com>

[ On Tuesday, March 13, 2001 at 22:20:53 (+0100), Markus Friedl wrote: ]
> Subject: Re: OpenSSH/scp ->> F-Secure SSH server Problems
>
> On Tue, Mar 13, 2001 at 02:20:46PM -0500, Greg A. Woods wrote:
> > There are a zillion ways on most server-type platforms to do such
> > indirection without having to integrate it into SSH, not to mention that
> > almost all of those alternatives would then lead to total independence
> > of SSH and thus total portability across all generic transport protocols.
>
> sftp _is_ totally independent of SSH and runs portably across
> all generic transport protocols.

Well, maybe, but sftp, at least in SSH, currently relies on the "built-in subsystem" feature. I'm sure you could rip it out and make it stand alone (e.g. work over rsh), but hmmm... wouldn't doing so also make it independent of the "built-in subsystem" in SSH? Duh!

So yes:

> > The "built-in subsystem" feature is bad design. It has no business
> > being directly in the transport protocol. It is an ugly wart.
>
> tell ietf-ssh at netbsd.org, not me, i don't care.

I tried but the address either you or someone else supplied originally in this thread contained a typo and my message bounced. :-)

--
Greg A. Woods
+1 416 218-0098 VE3TCP
Planix, Inc. ; Secrets of the Weird

From woods at weird.com Wed Mar 14 15:00:17 2001
From: woods at weird.com (Greg A. Woods)
Date: Tue, 13 Mar 2001 23:00:17 -0500 (EST)
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
In-Reply-To:
References: <20010313192046.46CC78C@proven.weird.com>
Message-ID: <20010314040017.5B6518C@proven.weird.com>

[ On Wednesday, March 14, 2001 at 08:23:56 (+1100), Damien Miller wrote: ]
> Subject: Re: OpenSSH/scp ->> F-Secure SSH server Problems
>
> > not to mention that
> > almost all of those alternatives would then lead to total independence
> > of SSH and thus total portability across all generic transport protocols.
>
> Huh? sftp-server is totally independent of SSH - it can be (and is in
> OpenSSH) a separate binary that you could use to transfer files over
> TLS or whatever else you want.

I'm talking about the protocols, not the implementation. In SSH-v2 the SFTP application uses the "built-in subsystem" feature of the SECSH protocol. I.e. it is not independent of SSH -- it relies on an inherent feature of the transport protocol.

> > The "built-in subsystem" feature is bad design. It has no business
> > being directly in the transport protocol. It is an ugly wart.
>
> No, it is a robust way of specifying server systems without having to
> rely on locations of binaries, etc.

While some folks would no doubt want to specify the location of a binary for various ill-thought-out security reasons, there is no real valid reason to do so. By not doing so one allows the server to choose the correct binary by use of some platform specific methodology (e.g. the search PATH variable in POSIX systems).

Point of fact is that this silly protocol wart did not make OpenSSH more robust in the face of a botched build system that specified the location of the sftp server program in one place and then installed it into another (one version of the NetBSD pkgsrc module did this, though perhaps it was a generic bug in the OpenSSH build/install makefiles).
The hard-coded path in the "sshd" binary was in fact its downfall -- had the built-in subsystem feature been avoided there would have been no problem since the sftp server was found in the daemon's $PATH.

> It does not require that the
> subsystems be integrated into the server.

I'm not talking about any implementations, I'm talking about the protocol.

--
Greg A. Woods
+1 416 218-0098 VE3TCP
Planix, Inc. ; Secrets of the Weird

From djm at mindrot.org Wed Mar 14 15:28:56 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 14 Mar 2001 15:28:56 +1100 (EST)
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
In-Reply-To: <20010314040017.5B6518C@proven.weird.com>
Message-ID:

On Tue, 13 Mar 2001, Greg A. Woods wrote:

> > > The "built-in subsystem" feature is bad design. It has no business
> > > being directly in the transport protocol. It is an ugly wart.
> >
> > No, it is a robust way of specifying server systems without having to
> > rely on locations of binaries, etc.
>
> While some folks would no doubt want to specify the location of a binary
> for various ill-thought-out security reasons, there is no real valid
> reason to do so. By not doing so one allows the server to choose the
> correct binary by use of some platform specific methodology (e.g. the
> search PATH variable in POSIX systems).

There is no reason not to do so, especially when it is so cheap (the incremental cost of the subsystem function is practically nil). In fact, there is a fair tradition of keeping helper binaries out of the $PATH on Unix systems (in libexec directories, etc).

Of course the protocol doesn't mandate any of this - subsystems simply offer a binding of a name to some service. All of the details of how this is accomplished are left up to the implementation.

> Point of fact is that this silly protocol wart did not make OpenSSH more
> robust in the face of a botched build system that specified the location
> of the sftp server program in one place and then installed it into
> another (one version of the NetBSD pkgsrc module did this, though
> perhaps it was a generic bug in the OpenSSH build/install makefiles).
> The hard-coded path in the "sshd" binary was in fact its downfall -- had
> the built-in subsystem feature been avoided there would have been no
> problem since the sftp server was found in the daemon's $PATH.

This is incorrect, paths to subsystem binaries are not hard-coded - they are a sshd_config option.
> > It does not require that the
> > subsystems be integrated into the server.
>
> I'm not talking about any implementations, I'm talking about the protocol.

You seem to be mixing both pretty freely.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From mouring at etoh.eviladmin.org Wed Mar 14 15:37:21 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Tue, 13 Mar 2001 22:37:21 -0600 (CST)
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
In-Reply-To: <20010314040017.5B6518C@proven.weird.com>

On Tue, 13 Mar 2001, Greg A. Woods wrote:

[..]

> > > The "built-in subsystem" feature is bad design. It has no business
> > > being directly in the transport protocol. It is an ugly wart.
> >
> > No, it is a robust way of specifying server systems without having to
> > rely on locations of binaries, etc.
>
> While some folks would no doubt want to specify the location of a binary
> for various ill-thought-out security reasons, there is no real valid

inetd must be ill-thought-out... CGI/Perl scripts that define out EXACTLY what binary they want to use must be ill-thought-out. inittab must be ill-thought-out. Do I need to go on? There are more; you just need to look around at a standard POSIX unix install.

> reason to do so. By not doing so one allows the server to choose the
> correct binary by use of some platform specific methodology (eg. the
> search PATH variable in POSIX systems).
>

Correct binary?!? Are you telling me as the ADMIN of my box *I* don't know where *I* put sftp-server?! Pish-posh. Or are you suggesting that if OpenBSD connects to Solaris that I should run a different sftp-server than if Linux connects to Solaris?

> Point of fact is that this silly protocol wart did not make OpenSSH more
> robust in the face of a botched build system that specified the location
> of the sftp server program in one place and then installed it into
> another (one version of the NetBSD pkgsrc module did this, though
> perhaps it was a generic bug in the OpenSSH build/install makefiles).
> The hard-coded path in the "sshd" binary was in fact its downfall -- had
> the built-in subsystem feature been avoided there would have been no
> problem since the sftp server was found in the daemon's $PATH.
>

What hardcoded path?
There are no hardcoded paths for sftp-server in sshd unless NetBSD botched things (which I doubt). Subsystems are defined in your sshd_config. How is this configured 'hard coded in the sshd'?

Heck, you can do:

subsystem myrenamedsftpserver /path/to/sftp-server

then hack a sftp to launch ssh with 'myrenamedsftpserver' instead of 'sftp'. How is this hardcoded?

I don't get your arguments. I personally would rather state where system services are instead of sshd randomly guessing where things are. Sshd_config is the perfect place for such things. Plus it shows you exactly where the system expects files. Much easier to verify that sshd can always find the subsystem.

Depending on $PATH for critical services *IS* a security risk. This is one of the first things drilled into first year Web/CGI developers.

- Ben

From quentin.bracken at sabre.com Wed Mar 14 16:47:32 2001
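Ben's point that sshd_config states exactly where the subsystem program lives, and that letting $PATH decide is a security risk, is easy to turn into a check. The following Python audit script is an added example, not OpenSSH code or anything posted in the thread; the sshd_config fragment it reads and the temporary programs it points at are constructed for the demonstration.

```python
"""Audit Subsystem directives in an sshd_config for $PATH reliance and
weak file permissions.

Added example for this thread, not OpenSSH code.  The config fragment
and the programs it points at are constructed inside demo().
"""
import os
import shutil
import stat
import tempfile

RELATIVE = "relative path: resolution would depend on sshd's $PATH"
MISSING = "binary does not exist"


def parse_subsystems(config_text):
    """Return {name: argv} for every Subsystem directive.

    Keywords are matched case-insensitively, as sshd does; blank lines
    and '#' comments are skipped.  argv[0] is the program sshd would run.
    """
    subsystems = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].lower() == "subsystem" and len(parts) >= 3:
            subsystems[parts[1]] = parts[2:]
    return subsystems


def check_subsystem_binary(path):
    """Return the list of findings for one subsystem program (empty = OK).

    A relative path is the worst case: which program runs is decided by
    whatever $PATH sshd inherited, not by the administrator.
    """
    findings = []
    if not os.path.isabs(path):
        return [RELATIVE]
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [MISSING]
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("not executable")
    if st.st_uid != 0:
        findings.append("not owned by root (uid %d)" % st.st_uid)
    return findings


def audit_subsystems(config_text):
    """Map each Subsystem name to the findings for its program."""
    return {name: check_subsystem_binary(argv[0])
            for name, argv in parse_subsystems(config_text).items()}


def demo():
    """Audit a constructed sshd_config fragment and return the findings."""
    workdir = tempfile.mkdtemp()
    good = os.path.join(workdir, "sftp-server")
    loose = os.path.join(workdir, "loose-server")
    for path in (good, loose):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(good, 0o755)   # only the owner can replace it
    os.chmod(loose, 0o777)  # anyone can swap in the code sshd will run
    config = """
# constructed sshd_config fragment
Subsystem sftp    %s
Subsystem loose   %s
Subsystem bare    sftp-server
Subsystem missing %s/not-installed
""" % (good, loose, workdir)
    try:
        return audit_subsystems(config)
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for name, findings in sorted(demo().items()):
        print("%-8s %s" % (name, "; ".join(findings) or "ok"))
```

Run it as root against the real /etc/ssh/sshd_config (pass the file's contents to audit_subsystems) to get the same check for a live host.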
From: quentin.bracken at sabre.com (Quentin Bracken)
Date: Tue, 13 Mar 2001 23:47:32 -0600
Subject: OpenSSH 2.3.0p1: HP-UX 11.00 64-bit
Message-ID: <3AAF05F4.7ED7396E@sabre.com>

I have encountered a problem with using OpenSSH 2.3.0p1 on 64-bit HP-UX 11.00 systems. This bug does not exhibit itself on any 32-bit HP-UX 11.00 or HP-UX 10.20 systems that I have built 2.3.0p1 on. OpenSSH 2.3.0p1 was built with HP's ANSI C compiler with OpenSSL 0.9.6 and zlib 1.1.3.

The problem is with the call to vhangup(2) in sshd when interactive sessions are started. The problem does not occur for non-interactive sessions. When vhangup(2) is called, the following error is sent to syslog:

Mar 13 21:14:37 hpux1100 vmunix: System call 76 (vhangup) was called in a kernel where the
Mar 13 21:14:37 hpux1100 vmunix: type of at least one of its arguments is currently
Mar 13 21:14:37 hpux1100 vmunix: unspecified. This is a problem that must be fixed by
Mar 13 21:14:37 hpux1100 vmunix: the owner of the system call before the kernel can be
Mar 13 21:14:37 hpux1100 vmunix: released. The process was pid 19386 (sshd).

The child sshd receives a SIGSYS (signal 12), disconnects the client, dies, and then sends a SIGCHLD to the parent sshd. This prevents interactive sessions from beginning.

I have reproduced this on two separate HP-UX 11.00 64-bit systems with locally built OpenSSH 2.3.0p1 packages. One of these systems has the latest March 2001 HP-UX 11.00 recommended bundle installed.

Altering configure to set BROKEN_VHANGUP for HP-UX 11 prevents vhangup(2) from being used and builds usable OpenSSH daemons on my HP-UX 11.00 64-bit systems.

Thanks for your hard work and dedication.

--
Quentin C. Bracken
UNIX Master Craftsman
Application Development UNIX Services, Sabre Inc.
quentin.bracken at sabre.com
From tomh at po.crl.go.jp Wed Mar 14 17:02:53 2001
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Wed, 14 Mar 2001 15:02:53 +0900 (JST)
Subject: poor default seeding of RNG

Correct me if I'm wrong, but init_rng() in entropy.c doesn't call seed_rng(), and in fact seed_rng() isn't called from _anywhere_ (in openssh-2.5.1p2). So calls to BN_rand() only pick up the tiny/non-existent amount of entropy added by BN_rand() itself from the system clock (time in seconds). Shouldn't seed_rng() be called from init_rng()? It should be called from _somewhere_, or deleted.

Thanks,

Dr. Tom Holroyd
"I am, as I said, inspired by the biological phenomena in which chemical forces are used in repetitious fashion to produce all kinds of weird effects (one of which is the author)." -- Richard Feynman, _There's Plenty of Room at the Bottom_

From djm at mindrot.org Wed Mar 14 17:13:48 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 14 Mar 2001 17:13:48 +1100 (EST)
Subject: poor default seeding of RNG

On Wed, 14 Mar 2001, Tom Holroyd wrote:

> Correct me if I'm wrong, but init_rng() in entropy.c doesn't call
> seed_rng(), and in fact seed_rng() isn't called from _anywhere_ (in
> openssh-2.5.1p2). So calls to BN_rand() only pick up the
> tiny/non-existent amount of entropy added by BN_rand() itself from the
> system clock (time in seconds). Shouldn't seed_rng() be called from
> init_rng()? It should be called from _somewhere_, or deleted.

It is called from arc4random_stir which is used fairly pervasively and also implicitly from arc4random.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From tomh at po.crl.go.jp Wed Mar 14 17:18:29 2001
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Wed, 14 Mar 2001 15:18:29 +0900 (JST)
Subject: poor default seeding of RNG

On Wed, 14 Mar 2001, Damien Miller wrote:

> On Wed, 14 Mar 2001, Tom Holroyd wrote:
>
> > Correct me if I'm wrong, but init_rng() in entropy.c doesn't call
> > seed_rng(), and in fact seed_rng() isn't called from _anywhere_ (in
>
> It is called from arc4random_stir which is used fairly pervasively
> and also implicitly from arc4random.

Ah, yes, I posted too soon -- I forgot about the compatibility library, thanks. There is a call to seed_rng() in arc4random_stir(); however, arc4random_stir() isn't called in sshconnect2.c (or I just haven't found it yet :-). Should there be a call to arc4random_stir() in sshconnect2.c? I guess it's quite possible that arc4random() would get called pretty soon under most circumstances, but sshconnect1.c calls arc4random_stir(), so it would be logical for ssh2connect.c to do so as well, or maybe just in sshconnect.c.

(Does arc4random_stir() really seed the BN_rand() generator on systems that don't use the compatibility lib?)

Dr. Tom Holroyd
"I am, as I said, inspired by the biological phenomena in which chemical forces are used in repetitious fashion to produce all kinds of weird effects (one of which is the author)." -- Richard Feynman, _There's Plenty of Room at the Bottom_

From djm at mindrot.org Wed Mar 14 18:47:28 2001
From: djm at mindrot.org (Damien Miller) Date: Wed, 14 Mar 2001 18:47:28 +1100 (EST) Subject: poor default seeding of RNG In-Reply-To: Message-ID: On Wed, 14 Mar 2001, Tom Holroyd wrote: > > It is called from arc4random_stir which is used fairly pervasively > > and also implicitly from arc4random. > > Ah, yes, I posted too soon -- I forgot about the compatibility library, > thanks. There is a call to seed_rng() in arc4random_stir(); however, > arc4random_stir() isn't called in sshconnect2.c (or I just haven't found > it yet :-). Should there be a call to arc4random_stir() in sshconnect2.c? No - but I am pretty sure it gets hit along the way anyway. Note that recent versions of OpenSSL (which OpenSSH requires) will refuse to generate keys, etc if its rng has not been seeded properly. However this is not very satisfactory - the current code is unclear and only works by circumstance. Can you try the following diff? It unfortunately breaks debug output for seed_rng(), but it seeds the rng immediately at startup. Index: entropy.c =================================================================== RCS file: /var/cvs/openssh/entropy.c,v retrieving revision 1.35 diff -u -r1.35 entropy.c --- entropy.c 2001/03/03 13:29:21 1.35 +++ entropy.c 2001/03/14 07:45:56 @@ -68,7 +68,8 @@ # define SAVED_IDS_WORK_WITH_SETEUID #endif -void check_openssl_version(void) +void +check_openssl_version(void) { if (SSLeay() != OPENSSL_VERSION_NUMBER) fatal("OpenSSL version mismatch. Built against %lx, you " @@ -83,7 +84,8 @@ #ifdef USE_PRNGD /* Collect entropy from PRNGD/EGD */ -int get_random_bytes(unsigned char *buf, int len) +int +get_random_bytes(unsigned char *buf, int len) { int fd; char msg[2]; @@ -180,7 +182,8 @@ #else /* !USE_PRNGD */ #ifdef RANDOM_POOL /* Collect entropy from /dev/urandom or pipe */ -int get_random_bytes(unsigned char *buf, int len) +int +get_random_bytes(unsigned char *buf, int len) { int random_pool; 
@@ -226,9 +229,11 @@ memset(buf, '\0', sizeof(buf)); } -void init_rng(void) +void +init_rng(void) { check_openssl_version(); + seed_rng(); } #else /* defined(USE_PRNGD) || defined(RANDOM_POOL) */ @@ -403,8 +408,7 @@ } -static -int +static int _get_timeval_msec_difference(struct timeval *t1, struct timeval *t2) { int secdiff, usecdiff; @@ -842,8 +846,10 @@ /* commands */ old_sigchld_handler = mysignal(SIGCHLD, SIG_DFL); - debug("Seeded RNG with %i bytes from programs", (int)stir_from_programs()); - debug("Seeded RNG with %i bytes from system calls", (int)stir_from_system()); + debug("Seeded RNG with %i bytes from programs", + (int)stir_from_programs()); + debug("Seeded RNG with %i bytes from system calls", + (int)stir_from_system()); if (!RAND_status()) fatal("Not enough entropy in RNG"); @@ -854,7 +860,8 @@ fatal("Couldn't initialise builtin random number generator -- exiting."); } -void init_rng(void) +void +init_rng(void) { int original_euid; @@ -904,6 +911,7 @@ atexit(prng_write_seedfile); prng_initialised = 1; + seed_rng(); } #endif /* defined(USE_PRNGD) || defined(RANDOM_POOL) */ Index: openbsd-compat/bsd-arc4random.c =================================================================== RCS file: /var/cvs/openssh/openbsd-compat/bsd-arc4random.c,v retrieving revision 1.2 diff -u -r1.2 bsd-arc4random.c --- openbsd-compat/bsd-arc4random.c 2001/02/09 01:55:36 1.2 +++ openbsd-compat/bsd-arc4random.c 2001/03/14 07:45:58 @@ -43,10 +43,15 @@ unsigned int arc4random(void) { unsigned int r = 0; + static int first_time = 1; - if (rc4_ready <= 0) + if (rc4_ready <= 0) { + if (!first_time) + seed_rng(); + first_time = 0; arc4random_stir(); - + } + RC4(&rc4, sizeof(r), (unsigned char *)&r, (unsigned char *)&r); rc4_ready -= sizeof(r); 
@@ -57,17 +62,12 @@ void arc4random_stir(void) { unsigned char rand_buf[SEED_SIZE]; - - memset(&rc4, 0, sizeof(rc4)); - - seed_rng(); + memset(&rc4, 0, sizeof(rc4)); RAND_bytes(rand_buf, sizeof(rand_buf)); - RC4_set_key(&rc4, sizeof(rand_buf), rand_buf); - memset(rand_buf, 0, sizeof(rand_buf)); - + rc4_ready = REKEY_BYTES; } #endif /* !HAVE_ARC4RANDOM */ -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From mats at mindbright.se Wed Mar 14 19:02:20 2001 
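Review bot: In the @@ -226,9 +229,11 @@ hunk the new seed_rng() call in init_rng() is the only functional change for the PRNGD and RANDOM_POOL builds, and nothing in the hunk records why it is there. A one-line comment above the call, along the lines of "seed OpenSSL's PRNG at startup so callers no longer depend on arc4random_stir() having run first", would spare the next reader a trip to the list archive; the covering message also says that seeding this early loses seed_rng()'s debug output, and that caveat belongs in the same comment.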
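Review bot: In the @@ -904,6 +911,7 @@ hunk seed_rng() is inserted after "prng_initialised = 1;", and that order matters: the builtin seed_rng() shown in the @@ -854,7 +860,8 @@ context ends with fatal("Couldn't initialise builtin random number generator -- exiting."), so calling it before the flag is set would abort sshd. Nothing in init_rng() says the two lines must stay in this order; a comment ("must follow prng_initialised = 1") would keep a later reordering from turning startup into a fatal().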
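Review bot: In the @@ -43,10 +43,15 @@ hunk of bsd-arc4random.c the first_time flag makes the very first arc4random() call skip seed_rng() and key RC4 straight from RAND_bytes(), so correctness now rests on init_rng() having already run; any arc4random() call made before init_rng(), or in a program that never calls it, will draw from an unseeded OpenSSL PRNG. Either assert the precondition, e.g. "if (first_time && !RAND_status()) fatal(\"arc4random: PRNG not seeded\");", or document beside the flag that init_rng() is responsible for the initial seed.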
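Review bot: In the @@ -57,17 +62,12 @@ hunk the return value of RAND_bytes() is still ignored, and with seed_rng() removed from arc4random_stir() this matters more than before: on an unseeded OpenSSL PRNG RAND_bytes() returns 0 and leaves rand_buf uninitialised, after which RC4_set_key() keys the stream cipher from whatever was on the stack. Check it, e.g. "if (RAND_bytes(rand_buf, sizeof(rand_buf)) != 1) fatal(\"arc4random_stir: RAND_bytes failed\");". The blank-line removals in the same hunk are fine.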
From: mats at mindbright.se (Mats Andersson)
Date: Wed, 14 Mar 2001 09:02:20 +0100 (MET)
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
In-Reply-To: <20010314040017.5B6518C@proven.weird.com>

Hi,

On Tue, 13 Mar 2001, Greg A. Woods wrote:

> I'm talking about the protocols, not the implementation. In SSH-v2
> the SFTP application uses the "built-in subsystem" feature of the
> SECSH protocol. I.e. it is not independent of SSH -- it relies on an
> inherent feature of the transport protocol.
...
> > > The "built-in subsystem" feature is bad design. It has no business
> > > being directly in the transport protocol. It is an ugly wart.

Good, since we're speaking about the protocols here, this is the only mention of subsystems in the sftp draft I'm aware of:

...
When used with the Secure Shell protocol suite, this protocol is intended to be used from the Secure Shell Connection Protocol as a subsystem, as described in [SECSH-CONN], Section ``Starting a Shell or a Command''. The subsystem name used with this protocol is "sftp".
...

As you may see this indeed does not state any dependency, it only gives a recommendation for intended usage. You might also have noticed (since I assume you indeed have read the drafts) that the subsystem feature is not part of the transport protocol, it is a (very tiny, one could add) feature in the connection protocol. You have almost surely also seen that one argument was that a subsystem might be built into the ssh server which is probably one good reason for having it in the spec.

Apart from this, you are of course also free to define whatever other fancy "independent" protocols you might think of either as subsystems or as ordinary "independent" servers running across stdio (one might note here that there is no difference in practice as for how these should work since both only "see" a stream to its peer).

So, what do I want to say with this?
Well, people that have different opinions/suggestions/improvements/complaints on different implementations in general and on the protocols in particular should at least have read the specs (one could add thoroughly here...).

Cheers,
/Mats

From tomh at po.crl.go.jp Wed Mar 14 19:29:48 2001
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Wed, 14 Mar 2001 17:29:48 +0900 (JST)
Subject: poor default seeding of RNG

On Wed, 14 Mar 2001, Damien Miller wrote:

> However this is not very satisfactory - the current code is unclear and
> only works by circumstance. Can you try the following diff? It
> unfortunately breaks debug output for seed_rng(), but it seeds the rng
> immediately at startup.

Works for me (Linux/Alpha) and looks much cleaner, too.

Dr. Tom Holroyd
"I am, as I said, inspired by the biological phenomena in which chemical forces are used in repetitious fashion to produce all kinds of weird effects (one of which is the author)." -- Richard Feynman, _There's Plenty of Room at the Bottom_

From Markus.Friedl at informatik.uni-erlangen.de Wed Mar 14 19:38:00 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 14 Mar 2001 09:38:00 +0100
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
In-Reply-To: <20010314035109.6F32E8C@proven.weird.com>; from woods@weird.com on Tue, Mar 13, 2001 at 10:51:09PM -0500
References: <9DC8BBAD4FF100408FC7D18D1F092286039C96@condor.mhsc.com> <20010312031041.9D7AA8C@proven.weird.com> <20010312222432.A7800@folly> <20010313192046.46CC78C@proven.weird.com> <20010313222053.B22241@folly> <20010314035109.6F32E8C@proven.weird.com>
Message-ID: <20010314093800.E15426@faui02.informatik.uni-erlangen.de>

On Tue, Mar 13, 2001 at 10:51:09PM -0500, Greg A. Woods wrote:
> > > > sftp _is_ totally independent of SSH and runs portable across
> > > > all generic transport protocols.
>
> Well, maybe, but sftp, at least in SSH, currently relies on the
> "built-in subsystem" feature.

implementation bug or feature. the sftp from OpenSSH works over SSH protocol v1, too. running sftp over rsh is simple, too.

scp speaks rsh over a transport layer, sftp speaks filexfer over a transport layer.

-m

From Markus.Friedl at informatik.uni-erlangen.de Wed Mar 14 20:54:16 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 14 Mar 2001 10:54:16 +0100
Subject: subsystems (was: OpenSSH/scp ->> F-Secure SSH server Problems)
In-Reply-To: <20010314040017.5B6518C@proven.weird.com>; from woods@weird.com on Tue, Mar 13, 2001 at 11:00:17PM -0500
References: <20010313192046.46CC78C@proven.weird.com> <20010314040017.5B6518C@proven.weird.com>
Message-ID: <20010314105416.B20179@faui02.informatik.uni-erlangen.de>

On Tue, Mar 13, 2001 at 11:00:17PM -0500, Greg A. Woods wrote:
> > > The "built-in subsystem" feature is bad design. It has no business
> > > being directly in the transport protocol. It is an ugly wart.
> >
> > No, it is a robust way of specifying server systems without having to
> > rely on locations of binaries, etc.
>
> [...]
>
> Point of fact is that this silly protocol wart did not make OpenSSH more
> robust [...]

If you are talking about "protocol warts", then you should really read the spec again. "subsystem" is more general than both "shell" or "exec", so it's no "protocol wart" at all.

-m

From Markus.Friedl at informatik.uni-erlangen.de Wed Mar 14 21:00:23 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 14 Mar 2001 11:00:23 +0100
Subject: openssh and linux ipv6
In-Reply-To: <3AAF40ED.52D94E05@fadesa.es>; from jm.fandino@fadesa.es on Wed, Mar 14, 2001 at 10:59:09AM +0100
References: <3AAF40ED.52D94E05@fadesa.es>
Message-ID: <20010314110023.C20179@faui02.informatik.uni-erlangen.de>

hi, is anyone using IPv6+linux?

-m

On Wed, Mar 14, 2001 at 10:59:09AM +0100, José M. Fandiño wrote:
> Dear friends,
>
> I'm getting a system freeze when I use a linux ipv6 capable kernel.
>
> My configuration is a linux kernel-2.2.18 with ipv6
> as module (suse 6.4), openssl 0.9.5 and Openssh-2.5.1p2,
> with a default sshd_config file.
>
> I installed openssh with this line
> ./configure --prefix=/usr --with-cflags='-L/usr/X11R6/lib -L/usr/local/ssl'
> --without-pam --with-ipv4-default --without-4in6 --sysconfdir=/etc/ssh
> --disable-suid-ssh && make && make install
>
> localhost in /etc/hosts looks like this:
> 127.0.0.1 localhost
> ::1 localhost ipv6-localhost ipv6-loopback
>
> then I do a "telnet localhost 22" and see the text
> Trying ::1...
> and the system is totally stopped and only a reboot is possible.
>
> I'm not sure whether this is a linux kernel specific bug or whether it affects
> openssh in any way. If not, excuse me for wasting your time.
>
> best regards,
>
> --
> -----BEGIN GEEK CODE BLOCK-----
> Version: 3.1
> GCS d- s+: a- C+++ UL++++$ P+ L+++ E--- W++ N+ o K- w---
> O+ M+ V- PS PE+ Y PGP+>+++ t+ 5 X+++ R- tv@ b+++ DI-- D+++
> G e- h++ !r !z
> ------END GEEK CODE BLOCK------

From Markus.Friedl at informatik.uni-erlangen.de Wed Mar 14 21:03:51 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 14 Mar 2001 11:03:51 +0100
Subject: What's needed in tarfile? (fwd)
Message-ID: <20010314110351.D20179@faui02.informatik.uni-erlangen.de>

fyi, is this a FAQ?
From carl at bl.echidna.id.au Wed Mar 14 21:07:01 2001
From: carl at bl.echidna.id.au (carl at bl.echidna.id.au)
Date: Wed, 14 Mar 2001 21:07:01 +1100 (EST)
Subject: openssh and linux ipv6
Message-ID: <200103141007.f2EA71Uv018605@rollcage.bl.echidna.id.au>

> From: Markus Friedl
>
> hi, is anyone using IPv6+linux? -m

Quite a few poor people who haven't seen the light of BSD :)

Take a look at Peter Beringer's page :

http://www.cs-ipv6.lancs.ac.uk/ipv6/systems/linux/bieringer/default.html

> On Wed, Mar 14, 2001 at 10:59:09AM +0100, José M. Fandiño wrote:
> > Dear friends,
> >
> > I'm getting a system freeze when I use a linux ipv6 capable kernel.
> >
> > My configuration is a linux kernel-2.2.18 with ipv6
> > as module (suse 6.4), openssl 0.9.5 and Openssh-2.5.1p2,
> > with a default sshd_config file.
> >
> > I installed openssh with this line
> > ./configure --prefix=/usr --with-cflags='-L/usr/X11R6/lib -L/usr/local/ssl'
> > --without-pam --with-ipv4-default --without-4in6 --sysconfdir=/etc/ssh
> > --disable-suid-ssh && make && make install
> >
> > localhost in /etc/hosts looks like this:
> > 127.0.0.1 localhost
> > ::1 localhost ipv6-localhost ipv6-loopback
> >
> > then I do a "telnet localhost 22" and see the text
> > Trying ::1...
> > and the system is totally stopped and only a reboot is possible.
> >
> > I'm not sure whether this is a linux kernel specific bug or whether it affects
> > openssh in any way. If not, excuse me for wasting your time.
> >
> > best regards,
> >
> > --
> > -----BEGIN GEEK CODE BLOCK-----
> > Version: 3.1
> > GCS d- s+: a- C+++ UL++++$ P+ L+++ E--- W++ N+ o K- w---
> > O+ M+ V- PS PE+ Y PGP+>+++ t+ 5 X+++ R- tv@ b+++ DI-- D+++
> > G e- h++ !r !z
> > ------END GEEK CODE BLOCK------
>

From jm.fandino at fadesa.es Wed Mar 14 21:27:29 2001
From: jm.fandino at fadesa.es (José M. Fandiño)
Date: Wed, 14 Mar 2001 11:27:29 +0100
Subject: openssh and linux ipv6
References: <200103141007.f2EA71Uv018605@rollcage.bl.echidna.id.au>
Message-ID: <3AAF4791.3D69E400@fadesa.es>

> Quite a few poor people who haven't seen the light of BSD :)
>
> Take a look at Peter Beringer's page :
>
> http://www.cs-ipv6.lancs.ac.uk/ipv6/systems/linux/bieringer/default.html

sorry, I don't see any pitfalls about linux integration with ipv6 and openssh in this page :-?

> > > Dear friends,
> > >
> > > I'm getting a system freeze when I use a linux ipv6 capable kernel.
> > >
> > > My configuration is a linux kernel-2.2.18 with ipv6
> > > as module (suse 6.4), openssl 0.9.5 and Openssh-2.5.1p2,
> > > with a default sshd_config file.
> > >
> > > I installed openssh with this line
> > > ./configure --prefix=/usr --with-cflags='-L/usr/X11R6/lib -L/usr/local/ssl'
> > > --without-pam --with-ipv4-default --without-4in6 --sysconfdir=/etc/ssh
> > > --disable-suid-ssh && make && make install
> > >
> > > localhost in /etc/hosts looks like this:
> > > 127.0.0.1 localhost
> > > ::1 localhost ipv6-localhost ipv6-loopback
> > >
> > > then I do a "telnet localhost 22" and see the text
> > > Trying ::1...
> > > and the system is totally stopped and only a reboot is possible.
> > >
> > > I'm not sure whether this is a linux kernel specific bug or whether it affects
> > > openssh in any way. If not, excuse me for wasting your time.
> > >
> > > best regards,

--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS d- s+: a- C+++ UL++++$ P+ L+++ E--- W++ N+ o K- w---
O+ M+ V- PS PE+ Y PGP+>+++ t+ 5 X+++ R- tv@ b+++ DI-- D+++
G e- h++ !r !z
------END GEEK CODE BLOCK------

From jmknoble at jmknoble.cx Wed Mar 14 21:28:06 2001
From: jmknoble at jmknoble.cx (Jim Knoble)
Date: Wed, 14 Mar 2001 05:28:06 -0500
Subject: What's needed in tarfile? (fwd)
In-Reply-To: <20010314110351.D20179@faui02.informatik.uni-erlangen.de>; from Markus.Friedl@informatik.uni-erlangen.de on Wed, Mar 14, 2001 at 11:03:51AM +0100
References: <20010314110351.D20179@faui02.informatik.uni-erlangen.de>
Message-ID: <20010314052806.B20452@quipu.half.pint-stowp.cx>

Circa 2001-Mar-14 11:03:51 +0100 dixit Markus Friedl:

: fyi, is this a FAQ?

I've not really seen it before here. Define "frequent". ;)

answers below.

: Date: Wed, 14 Mar 2001 11:02:57 +0100 (MET)
: From: Markus Friedl
: Subject: What's needed in tarfile?
: To: Markus.Friedl at informatik.uni-erlangen.de
:
: >From: "James Wilde"
: >Newsgroups: comp.security.ssh
: >Subject: What's needed in tarfile?
: >Date: Wed, 14 Mar 2001 09:08:11 +0100
: >Message-ID: <984557108.26146 at s2sth1.nuaccess.net>
: >Reply-To: "James Wilde"
: >Xref: news.uni-erlangen.de comp.security.ssh:19848
:
: This is probably a FAQ but I can't find the answer in the FAQ. Sorry if you
: are seeing this for the n^^nth time.
:
: I am experimenting with OpenSSH (2.5.1p2) on Solaris. I have installed the
: zlib library and OpenSSL then made and installed OpenSSH. How much of what
: I have installed do I need to put in a tarfile for transfer/installation on
: other hosts?
:
: I have experimented with a tarfile containing only the ssh* binaries, the
: etc/ssh* configuration files and the libexec/ssh* additions, and it seems to
: work alright - to be sure, I carried the host keys with me in the tar file,
: which was a bit stupid.

Have a look at the %files section of openssh-2.5.1p2/contrib/redhat/openssh.spec. It should be fairly legible even to those unfamiliar with RPM specfiles.

: Do I not need to roll up the zlib library file in lib and the ssl directory
: to get a functioning ssh setup on the new host or am I living in a fool's
: paradise? In other words, are the zlib and ssl components only needed
: during compilation of ssh or are they needed also for operation?

That depends on the following factors:

(1) Did you compile zlib and openssl as static or shared (dynamic) libraries (or perhaps both)? If you built libraries that end in '.a', then you built static ones. If they end in '.so' or '.so.N.M.Q', you built shared ones.

    (a) If you only built static libraries, you don't need them in your tarball.

    (b) If you only built shared libraries, you probably need them in your tarball.

    (c) If you built both, see below.

(2) Did you tell your compiler to link statically?
Usually, if you did this, you would know; it generally involves setting the LDFLAGS environment variable to contain the proper options ("flags") for your C compiler, before running ./configure, or, alternatively, using the '--with-ldflags' option to ./configure.

Good luck.

--
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/

From djm at mindrot.org Wed Mar 14 22:45:42 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 14 Mar 2001 22:45:42 +1100 (EST)
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
In-Reply-To: <20010314035109.6F32E8C@proven.weird.com>

On Tue, 13 Mar 2001, Greg A. Woods wrote:

> > sftp _is_ totally independent of SSH and runs portable across
> > all generic transport protocols.
>
> Well, maybe, but sftp, at least in SSH, currently relies on the
> "built-in subsystem" feature.
>
> I'm sure you could rip it out and make it stand alone (eg. work over
> rsh), but hmmm... wouldn't doing so also make it independent of the
> "built-in subsystem" in SSH? Duh! So yes:

It is not a matter of "ripping" anything out - sftp is already completely independent.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From Stephan.Hendl at lds.brandenburg.de Wed Mar 14 23:19:09 2001
From: Stephan.Hendl at lds.brandenburg.de (Stephan Hendl)
Date: Wed, 14 Mar 2001 13:19:09 +0100
Subject: Antw: Ctrl-C problem on HP-UX

Hi Ryan,

I ran into the same problem with my HP-UX 11 as well as HP-UX 10.20 boxes. Therefore I decided not to start the sshd from the swagent in the postinstall script. I start the daemon via the lan console by hand. I know in large environments it is not a perfect solution but the only one which works these days ;-((

regards
Stephan

--
LDS Brandenburg
Dr. Stephan Hendl
fon: +49-(0)331-39 471
fax: +49-(0)331-27548 1187
EMail: stephan.hendl at lds.brandenburg.de

>>> Ryan Bradetich 03/14 12:27 >>>
Hello OpenSSH Developers,

I have been working on developing an OpenSSH SD package for HP-UX 10.20 and HP-UX 11.00 to deploy on servers we manage. Unfortunately, I have encountered the ctrl-c problem which manifests when the daemon is started in non-interactive mode (in this case from the SD Daemon). When I manually stop/start the daemon, the ctrl-c functionality works.

I have dug through the archives and found the work Garrick James, Gert Doering, and Damien Miller have done in the past to fix this problem. Verified the signal(SIGINT, SIG_DFL); was in the proper place in the sshd.c. Then I tried the fix Garrick James and Gert Doering originally proposed by adding the signal to sshpty.c. Neither of these solutions solved the problem.

I have tested this on both openssh-2.3.0p1 and openssh-2.5.1p1, connecting from a linux/hp-ux system using openssh-2.3.0p1 protocol 1. I have not tried protocol 2 at this time, but would be willing to test this if it helps debug the problem.

Please let me know if I can provide more information/test ideas, etc. I would really like to find a [better] fix for this problem.

Thank you.

- Ryan

P.S. Please CC me on the email since I am not subscribed to this list (yet).

--
Ryan Bradetich
Siteminder Support
Linux Platform Support

From djm at mindrot.org Wed Mar 14 23:32:49 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 14 Mar 2001 23:32:49 +1100 (EST)
Subject: Test snapshots

Could everyone please give the latest snapshots a test? I have just pulled in some more OpenSSL libc code to support globbing in the sftp client. It works OK on the platforms that I have access to, but that isn't many...

Report success/failure and host (as reported by configure).

Thanks.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From Stephan.Hendl at lds.brandenburg.de Wed Mar 14 23:57:28 2001
From: Stephan.Hendl at lds.brandenburg.de (Stephan Hendl)
Date: Wed, 14 Mar 2001 13:57:28 +0100
Subject: sftp over 2 hosts?

Hi list,

I tried sftp and it works perfectly via a direct connection between 2 hosts. Our situation is that we have to go from our intranet through a firewall gateway to the internet and then to a third server. With "normal" ssh this works via: "ssh -t hosta ssh hostb". It seems to me that this doesn't work with sftp ;-((. Would it be complicated to implement?

Thanks
Stephan

--
LDS Brandenburg
Dr. Stephan Hendl
fon: +49-(0)331-39 471
fax: +49-(0)331-27548 1187
EMail: stephan.hendl at lds.brandenburg.de

From Markus.Friedl at informatik.uni-erlangen.de Thu Mar 15 00:10:55 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 14 Mar 2001 14:10:55 +0100
Subject: sftp over 2 hosts?
In-Reply-To: ; from Stephan.Hendl@lds.brandenburg.de on Wed, Mar 14, 2001 at 01:57:28PM +0100
Message-ID: <20010314141054.E27227@faui02.informatik.uni-erlangen.de>

On Wed, Mar 14, 2001 at 01:57:28PM +0100, Stephan Hendl wrote:
> I tried sftp and it works perfectly via a direct connection between 2
> hosts. Our situation is that we have to go from our intranet through a
> firewall gateway to the internet and then to a third server. With
> "normal" ssh this works via: "ssh -t hosta ssh hostb". It seems to me
> that this doesn't work with sftp ;-((. Would it be complicated to
> implement?

you don't need to use

myhost$ ssh -t hosta ssh hostb

use this instead:

myhost$ ssh -L 1234:hostb:22 hosta
myhost$ ssh -p 1234 localhost

or

myhost$ sftp -o 'Port=1234' localhost

-m

From dhw at whistle.com Thu Mar 15 01:46:23 2001
From: dhw at whistle.com (David Wolfskill)
Date: Wed, 14 Mar 2001 06:46:23 -0800 (PST)
Subject: docs/25743: Trivial typographic error in ssh.1
In-Reply-To: <20010313021846.467BC3E09@bazooka.unixfreak.org>
Message-ID: <200103141446.f2EEkN167678@pau-amma.whistle.com>

>Date: Sun, 25 Feb 2001 20:18:48 -0800
>From: Dima Dorfman

>dhw at whistle.com writes:
>> >Number: 25743
>> >Category: docs
>> >Synopsis: Trivial typographic error in ssh.1
>> >Description:
>> Man page for ssh (/usr/src/crypto/openssh/ssh.1) has the string
>> "ssh ssh", when just "ssh" is wanted.

>src/crypto is like src/contrib; everything in there is externally
>maintained. Unless it's a FreeBSD-specific problem (which it isn't in
>this case), it should be taken up with the OpenSSH folks. In other
>words, you want to send this to openssh-unix-dev at mindrot.org (the
>OpenSSH development list).

OK. For the openssh-unix-dev folks, the patch follows my .sig. As
noted, it's pretty trivial. (The ".Nm" macro expands to "ssh" already.)

Thanks,
david
--
David Wolfskill dhw at whistle.com UNIX System Administrator
Desk: 650/577-7158 TIE: 8/499-7158 Cell: 650/759-0823

Index: ssh.1
===================================================================
RCS file: /cvs/freebsd/src/crypto/openssh/ssh.1,v
retrieving revision 1.4.2.6
diff -u -r1.4.2.6 ssh.1
--- ssh.1	2001/01/12 04:25:58	1.4.2.6
+++ ssh.1	2001/03/12 18:22:36
@@ -910,7 +910,7 @@
 If this flag is set to
 .Dq yes ,
 .Nm
-ssh will never automatically add host keys to the
+will never automatically add host keys to the
 .Pa $HOME/.ssh/known_hosts
 and
 .Pa $HOME/.ssh/known_hosts2

From janfrode at parallab.uib.no Thu Mar 15 02:05:00 2001
From: janfrode at parallab.uib.no (Jan-Frode Myklebust)
Date: Wed, 14 Mar 2001 16:05:00 +0100
Subject: Test snapshots
In-Reply-To: ; from djm@mindrot.org on Wed, Mar 14, 2001 at 11:32:49PM +1100
References:
Message-ID: <20010314160500.A14819@ii.uib.no>

On Wed, Mar 14, 2001 at 11:32:49PM +1100, Damien Miller wrote:
> Could eveyone please give the latest snapshots a test? I have just
> pulled in some more OpenSSL libc code to support globbing in the sftp
> client. It works OK on the platforms that I have access to, but that
> isn't many...
>
> Report success/failure and host (as reported by configure).
>

Seems OK so far, but I don't see any changes in the globbing taking effect..
Neither against latest snapshot of openssh or ssh.com servers. How should I
test it? (openssh-SNAP-20010314.tar.gz)

OpenSSH configured has been configured with the following options.
                 User binaries: /usr/openssh/bin
               System binaries: /usr/openssh/sbin
           Configuration files: /usr/openssh/etc
               Askpass program: /usr/openssh/libexec/ssh-askpass
                  Manual pages: /usr/openssh/man/manX
                      PID file: /usr/openssh/etc
        sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/openssh/bin
      Random number collection: Builtin (timeout 200)
                Manpage format: cat
                   PAM support: no
            KerberosIV support: no
                   AFS support: no
                 S/KEY support: no
          TCP Wrappers support: yes
          MD5 password support: no
   IP address in $DISPLAY hack: no
      Use IPv4 by default hack: no
       Translate v4 in v6 hack: no

              Host: mips-sgi-irix6.5
          Compiler: cc
    Compiler flags: -g
Preprocessor flags: -I/usr/local/include -I/usr/local/ssl/include
      Linker flags: -L/usr/local/ssl/lib
         Libraries: -lwrap -lz -lgen -lcrypto

-jf

From Markus.Friedl at informatik.uni-erlangen.de Thu Mar 15 02:07:24 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 14 Mar 2001 16:07:24 +0100
Subject: Test snapshots
In-Reply-To: <20010314160500.A14819@ii.uib.no>; from janfrode@parallab.uib.no on Wed, Mar 14, 2001 at 04:05:00PM +0100
References: <20010314160500.A14819@ii.uib.no>
Message-ID: <20010314160724.A9901@faui02.informatik.uni-erlangen.de>

On Wed, Mar 14, 2001 at 04:05:00PM +0100, Jan-Frode Myklebust wrote:
> Seems OK so far, but I don't see any changes in the globbing taking effect..
> Neither against latest snapshot of openssh or ssh.com servers. How should I
> test it?

globbing is a client side issue, so you can use any server.
just try
	sftp> get *

From janfrode at parallab.uib.no Thu Mar 15 02:15:37 2001
From: janfrode at parallab.uib.no (Jan-Frode Myklebust)
Date: Wed, 14 Mar 2001 16:15:37 +0100
Subject: Test snapshots
In-Reply-To: <20010314160724.A9901@faui02.informatik.uni-erlangen.de>; from Markus.Friedl@informatik.uni-erlangen.de on Wed, Mar 14, 2001 at 04:07:24PM +0100
References: <20010314160500.A14819@ii.uib.no> <20010314160724.A9901@faui02.informatik.uni-erlangen.de>
Message-ID: <20010314161537.A14870@ii.uib.no>

On Wed, Mar 14, 2001 at 04:07:24PM +0100, Markus Friedl wrote:
>
> globbing is a client side issue, so you can use any server.
> just try
> 	sftp> get *
>

OK, that's almost what I tested, used 'ls' instead of 'get', but it was the
same result:

sftp> ls
drwxr-xr-x    4 janfrode tech          512 May 19  2000 ./
drwxr-xr-x   99 janfrode other        6656 Mar 14 15:12 ../
drwxr-xr-x    6 janfrode tech          512 May 22  2000 bin/
-rw-r--r--    1 janfrode tech         1158 Jun 14  2000 COPYRIGHT
-rw-r--r--    1 janfrode tech         4281 Jun 14  2000 LICENSE
-rw-r--r--    1 janfrode tech          800 Jun 14  2000 README
drwxr-xr-x    4 janfrode tech          512 May 19  2000 src/
sftp> ls *
Couldn't stat remote file: No such file or directory
sftp> ls COPYRI*
Couldn't stat remote file: No such file or directory
sftp> get COPYRI*
Couldn't stat remote file: No such file or directory
sftp> ls bi*
Couldn't stat remote file: No such file or directory
sftp> get bi*
Couldn't stat remote file: No such file or directory

so this doesn't work here..

-jf

From Markus.Friedl at informatik.uni-erlangen.de Thu Mar 15 02:18:22 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 14 Mar 2001 16:18:22 +0100
Subject: Test snapshots
In-Reply-To: <20010314161537.A14870@ii.uib.no>; from janfrode@parallab.uib.no on Wed, Mar 14, 2001 at 04:15:37PM +0100
References: <20010314160500.A14819@ii.uib.no> <20010314160724.A9901@faui02.informatik.uni-erlangen.de> <20010314161537.A14870@ii.uib.no>
Message-ID: <20010314161822.B9901@faui02.informatik.uni-erlangen.de>

On Wed, Mar 14, 2001 at 04:15:37PM +0100, Jan-Frode Myklebust wrote:
> On Wed, Mar 14, 2001 at 04:07:24PM +0100, Markus Friedl wrote:
> >
> > globbing is a client side issue, so you can use any server.
> > just try
> > 	sftp> get *
> >
>
> OK, that's almost what I tested, used 'ls' instead of 'get', but it was the
> same result:

ls * is not implemented.
get *, put * works for me.

From Stephan.Hendl at lds.brandenburg.de Thu Mar 15 02:25:57 2001
From: Stephan.Hendl at lds.brandenburg.de (Stephan Hendl)
Date: Wed, 14 Mar 2001 16:25:57 +0100
Subject: sftp over 2 hosts?
Message-ID:

thanks, that works, but the problem is that I have two open connections
now, but I need actually only one. Furthermore the command

	myhost$ ssh -L 1234:hostb:22 hosta

gives me a prompt back, so I have to open a window and to make small and
to open a next one for the command

	myhost$ ssh -p 1234 localhost

That works, but in my opinion it is not user friendly.

Stephan

--
LDS Brandenburg
Dr. Stephan Hendl
fon: +49-(0)331-39 471
fax: +49-(0)331-27548 1187
EMail: stephan.hendl at lds.brandenburg.de

>>> Markus Friedl 03/14 2:10 >>>
On Wed, Mar 14, 2001 at 01:57:28PM +0100, Stephan Hendl wrote:
> I tried sftp and it works perfect via a direct connection between 2
> hosts. Our situation is that we have to go from our intranet through a
> firewall gateway to the internet and then to a third server. With
> "normal" ssh this works via: "ssh -t hosta ssh hostb". It seems to me
> that this doesn't work with sftp ;-((. Would it be complicate to
> implement?

you don't need to use
	myhost$ ssh -t hosta ssh hostb
use this instead:
	myhost$ ssh -L 1234:hostb:22 hosta
	myhost$ ssh -p 1234 localhost
or
	myhost$ sftp -o 'Port=1234' localhost

-m

From nneves at di.fc.ul.pt Thu Mar 15 02:49:52 2001
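A single-terminal version of the forward Markus described, as an added example that is not part of the thread or of OpenSSH itself: hosta, hostb and local port 1234 are the thread's placeholders, and the backgrounding with -f -N, the HostKeyAlias option and the pkill cleanup are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the thread: reach hostb's sftp server through
# gateway hosta over the -L forward from the thread, without keeping a second
# window open. hosta, hostb and port 1234 are the thread's placeholders;
# everything else here is an assumption of this example.

# Command that opens the forward. -N runs no remote command, so the session
# exists only to carry the tunnel; -f drops ssh into the background once
# authentication (including any password prompt) is done, which is what
# removes the second window.
tunnel_cmd() {
    gateway=$1 target=$2 lport=$3
    printf 'ssh -f -N -L %s:%s:22 %s' "$lport" "$target" "$gateway"
}

# Command for the sftp session through the forward. HostKeyAlias makes ssh
# store and check hostb's host key under the name "hostb" instead of under
# "localhost", so the key is still verified against the right host and does
# not collide with any other tunnel that later reuses the same local port.
sftp_cmd() {
    target=$1 lport=$2
    printf "sftp -o 'Port=%s' -o 'HostKeyAlias=%s' localhost" "$lport" "$target"
}

# Accept only unprivileged local ports, so a bad port is caught before the
# gateway login happens rather than as a bind error afterwards.
valid_lport() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Whole procedure: open the forward, run sftp through it, then tear the
# backgrounded tunnel down. ssh -f leaves no child pid behind, so the tunnel
# is found again by its exact command line (pkill is assumed to be present).
sftp_via() {
    gateway=$1 target=$2 lport=${3:-1234}
    valid_lport "$lport" || { echo "bad local port: $lport" >&2; return 2; }
    eval "$(tunnel_cmd "$gateway" "$target" "$lport")" || return 1
    eval "$(sftp_cmd "$target" "$lport")"
    status=$?
    pkill -f "ssh -f -N -L $lport:$target:22 $gateway"
    return $status
}

# Usage: sh sftp_via.sh hosta hostb [localport]
if [ $# -ge 2 ]; then
    sftp_via "$@"
fi
```

There are still two SSH connections (myhost to hosta, and the forwarded one to hostb), as in the thread; the example only removes the second window and the host-key confusion between tunnels.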
From: nneves at di.fc.ul.pt (Nuno Miguel Neves)
Date: Wed, 14 Mar 2001 15:49:52 +0000
Subject: SSH and AFS
Message-ID: <3AAF9320.EB7D943F@di.fc.ul.pt>

I'm sorry, but I've been looking in the archives, and I can't find an
answer to this question.

I believe OpenSSH supports AFS, but I can't seem to make it work. I've
tried to install krb5-devel, but it doesn't work. I've made configure
--with-kerberos4 --with-afs, and it says it can't find krb.h.

Did anyone manage to compile openssh 2.3.0 with AFS? Which kerberos
(since I'm using RedHat, an RPM would be great :) )?

Thanks for any help,

--
nneves at di.fc.ul.pt                    Dept. Informatica, Fac. Ciencias,
|\ | |\ |        Tel: +351 21 7500528   Univ. Lisboa, Bloco C5, Campo Grande
| \|uno | \|eves Fax: +351 21 7500084   1700 Lisboa, Portugal

From pekkas at netcore.fi Thu Mar 15 03:07:06 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 14 Mar 2001 18:07:06 +0200 (EET)
Subject: openssh and linux ipv6
In-Reply-To: <20010314110023.C20179@faui02.informatik.uni-erlangen.de>
Message-ID:

On Wed, 14 Mar 2001, Markus Friedl wrote:
> hi, is anyone using IPv6+linux? -m
>
> On Wed, Mar 14, 2001 at 10:59:09AM +0100, José M. Fandiño wrote:
> > Dear friends,
> >
> > I'm getting a system freeze when I use a linux ipv6 capable kernel.
> >
> > My configuration is a linux kernel-2.2.18 with ipv6
> > as module(suse 6.4), openssl 0.9.5 and Openssh-2.5.1p2,
> > with a default sshd_config file.
> >
> > I installed openssh with this line
> > ./configure --prefix=/usr --with-cflags='-L/usr/X11R6/lib -L/usr/local/ssl'
> > --without-pam --with-ipv4-default --without-4in6 --sysconfdir=/etc/ssh
> > --disable-suid-ssh && make && make install
> >
> > localhost in /etc/hosts looks like this:
> > 127.0.0.1 localhost
> > ::1 localhost ipv6-localhost ipv6-loopback
> >
> > then I do a "telnet localhost 22" and see the text
> > Trying ::1...
> > and the system is totally stopped and only a reboot is possible.
> >
> > I'm not sure that this is a linux kernel specific bug or it affects to
> > openssh in any way. If not excuse me by waste your time.

I haven't had problems with kernel freezes, linux and openssh. Using 2.4
kernel, 2.5.1p2, RHL7. Does 'stracing' sshd telnet/sshd process give
hints where this might halt?

You can't get sshd to bind to both '0.0.0.0' and '::' on port 22 though,
which can be quite annoying.

--
Pekka Savola                  "Tell me of difficulties surmounted,
Netcore Oy                     not those you stumble over and fall"
Systems. Networks. Security.   -- Robert Jordan: A Crown of Swords

From jm.fandino at fadesa.es Thu Mar 15 04:06:04 2001
From: jm.fandino at fadesa.es (José M. Fandiño)
Date: Wed, 14 Mar 2001 18:06:04 +0100
Subject: openssh and linux ipv6
References:
Message-ID: <3AAFA4FC.FE6C9618@fadesa.es>

Pekka Savola wrote:
> I haven't had problems with kernel freezes, linux and openssh. Using 2.4

As I said it succeeds with a kernel in the 2.2.x series.
(I'm using a standard 2.2.18 kernel without patches, I
post my kernel configuration) I suppose that kernels 2.4.x have a major
code rewriting and different behavior.

> kernel, 2.5.1p2, RHL7. Does 'stracing' sshd telnet/sshd process give
> hints where this might halt?

nope, at the time that simply the client side contact with the server side
the linux server stop of respond. It's totally dead.

$ grep '^[^#]' /usr/src/linux-2.2.18/.config
--

From devon at admin2.gisnetworks.com Thu Mar 15 04:13:52 2001
From: devon at admin2.gisnetworks.com (Devon Bleak)
Date: Wed, 14 Mar 2001 09:13:52 -0800
Subject: sftp over 2 hosts?
References:
Message-ID: <006201c0acaa$25306400$1900a8c0@devn>

it works fine for me doing ssh -t host1 sftp host2, although these are all
linux boxen. what kinda errors are you getting?

devon

----- Original Message -----
From: "Stephan Hendl"
To:
Sent: Wednesday, March 14, 2001 7:25 AM
Subject: Re: sftp over 2 hosts?

thanks, that works, but the problem is that I have two open connections
now, but I need actually only one. Furthermore the command

	myhost$ ssh -L 1234:hostb:22 hosta

gives me a promt back, so I have to open a window and to make small and
to open a next one for the command

	myhost$ ssh -p 1234 localhost

That works, but in my opinion it is not user friendly.

Stephan

--
LDS Brandenburg
Dr. Stephan Hendl
fon: +49-(0)331-39 471
fax: +49-(0)331-27548 1187
EMail: stephan.hendl at lds.brandenburg.de

>>> Markus Friedl 03/14 2:10 >>>
On Wed, Mar 14, 2001 at 01:57:28PM +0100, Stephan Hendl wrote:
> I tried sftp and it works perfect via a direct connection between 2
> hosts. Our situation is that we have to go from our intranet through a
> firewall gateway to the internet and then to a third server. With
> "normal" ssh this works via: "ssh -t hosta ssh hostb". It seems to me
> that this doesn't work with sftp ;-((. Would it be complicate to
> implement?

you don't need to use
	myhost$ ssh -t hosta ssh hostb
use this instead:
	myhost$ ssh -L 1234:hostb:22 hosta
	myhost$ ssh -p 1234 localhost
or
	myhost$ sftp -o 'Port=1234' localhost

-m

From stevesk at sweden.hp.com Thu Mar 15 04:32:15 2001
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Wed, 14 Mar 2001 18:32:15 +0100 (MET)
Subject: OpenSSH 2.3.0p1: HP-UX 11.00 64-bit
In-Reply-To: <3AAF05F4.7ED7396E@sabre.com>
Message-ID:

On Tue, 13 Mar 2001, Quentin Bracken wrote:
: I have encountered a problem with using OpenSSH 2.3.0p1 on 64-bit HP-UX
: 11.00 systems. This bug does not exhibit itself on any 32-bit HP-UX
: 11.00 or HP-UX 10.20 systems that I have built 2.3.0p1 on. OpenSSH
: 2.3.0p1 was built with HPs ANSI C compiler with OpenSSL 0.9.6 and zlib
: 1.1.3.
:
: The problem is with the call to vhangup(2) in sshd when interactive
: sessions are started. The problem does not occur for non-interactive
: sessions. When vhangup(2) is called, the following error is sent to
: syslog:
:
: Mar 13 21:14:37 hpux1100 vmunix: System call 76 (vhangup) was called in
: a kernel where the
: Mar 13 21:14:37 hpux1100 vmunix: type of at least one of its arguments
: is currently
: Mar 13 21:14:37 hpux1100 vmunix: unspecified. This is a problem that
: must be fixed by
: Mar 13 21:14:37 hpux1100 vmunix: the owner of the system call before the
: kernel can be
: Mar 13 21:14:37 hpux1100 vmunix: released. The process was pid 19386
: (sshd).

i submitted a defect report on this in october.

but i believe that for STREAMS ptys the vhangup equivalent is considered
the grantpt(3C) and unlockpt(3C) pair. can someone confirm this?

i propose the following:

Index: configure.in
===================================================================
RCS file: /var/cvs/openssh/configure.in,v
retrieving revision 1.265
diff -u -r1.265 configure.in
--- configure.in	2001/03/14 00:39:46	1.265
+++ configure.in	2001/03/14 17:20:09
@@ -71,7 +71,6 @@
 AC_DEFINE(DISABLE_SHADOW)
 AC_DEFINE(IPV4_DEFAULT)
 AC_DEFINE(IP_TOS_IS_BROKEN)
-	AC_DEFINE(BROKEN_VHANGUP)
 AC_DEFINE(NO_X11_UNIX_SOCKETS)
 no_libsocket=1
 no_libnsl=1
Index: defines.h
===================================================================
RCS file: /var/cvs/openssh/defines.h,v
retrieving revision 1.56
diff -u -r1.56 defines.h
--- defines.h	2001/02/24 00:55:05	1.56
+++ defines.h	2001/03/14 17:20:15
@@ -406,9 +406,9 @@
 # endif /* defined(HAVE_XATEXIT) */
 #endif /* !defined(HAVE_ATEXIT) && defined(HAVE_ON_EXIT) */
 
-#if defined(HAVE_VHANGUP) && !defined(BROKEN_VHANGUP)
+#if defined(HAVE_VHANGUP) && !defined(HAVE_DEV_PTMX)
 # define USE_VHANGUP
-#endif /* defined(HAVE_VHANGUP) && !defined(BROKEN_VHANGUP) */
+#endif /* defined(HAVE_VHANGUP) && !defined(HAVE_DEV_PTMX) */
 
 #ifndef GETPGRP_VOID
 # define getpgrp() getpgrp(0)

From stevesk at sweden.hp.com Thu Mar 15 04:39:55 2001
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Wed, 14 Mar 2001 18:39:55 +0100 (MET)
Subject: docs/25743: Trivial typographic error in ssh.1
In-Reply-To: <200103141446.f2EEkN167678@pau-amma.whistle.com>
Message-ID:

On Wed, 14 Mar 2001, David Wolfskill wrote:
: If this flag is set to
: .Dq yes ,
: .Nm
: -ssh will never automatically add host keys to the
: +will never automatically add host keys to the

thanks! but we beat you, fixed in january :)

it's always good to check out the latest version when reporting stuff.

From dhw at whistle.com Thu Mar 15 05:05:51 2001
From: dhw at whistle.com (David Wolfskill)
Date: Wed, 14 Mar 2001 10:05:51 -0800 (PST)
Subject: docs/25743: Trivial typographic error in ssh.1
In-Reply-To:
Message-ID: <200103141805.f2EI5pu68407@pau-amma.whistle.com>

>Date: Wed, 14 Mar 2001 18:39:55 +0100 (MET)
>From: Kevin Steves

>On Wed, 14 Mar 2001, David Wolfskill wrote:
>: If this flag is set to
>: .Dq yes ,
>: .Nm
>: -ssh will never automatically add host keys to the
>: +will never automatically add host keys to the

>thanks! but we beat you, fixed in january :)

>it's always good to check out the latest version when reporting stuff.

Well, that was based on the FreeBSD CVS repository as of 2 days ago.
(I've been re-building FreeBSD 4.3-BETA daily for the last several days,
since we're approaching 4.3-RELEASE.)

And I mirror the FreeBSD CVS repository every night.

So it seems to me that there may be a "process issue" with which I'm
unfamiliar.

Thanks, though,
david
--
David Wolfskill dhw at whistle.com UNIX System Administrator
Desk: 650/577-7158 TIE: 8/499-7158 Cell: 650/759-0823

From mouring at etoh.eviladmin.org Thu Mar 15 05:14:26 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 14 Mar 2001 12:14:26 -0600 (CST)
Subject: docs/25743: Trivial typographic error in ssh.1
In-Reply-To: <200103141805.f2EI5pu68407@pau-amma.whistle.com>
Message-ID:

On Wed, 14 Mar 2001, David Wolfskill wrote:

> >Date: Wed, 14 Mar 2001 18:39:55 +0100 (MET)
> >From: Kevin Steves
>
> >On Wed, 14 Mar 2001, David Wolfskill wrote:
> >: If this flag is set to
> >: .Dq yes ,
> >: .Nm
> >: -ssh will never automatically add host keys to the
> >: +will never automatically add host keys to the
>
> >thanks! but we beat you, fixed in january :)
>
> >it's always good to check out the latest version when reporting stuff.
>
> Well, that was based on the FreeBSD CVS repository as of 2 days ago.
> (I've been re-building FreeBSD 4.3-BETA daily for the last several days,
> since we're approaching 4.3-RELEASE.)
>
> And I mirror the FreeBSD CVS repository every night.
>
> So it seems to me that there may be a "process issue" with which I'm
> unfamiliar.
>

The mother of all trees is really the OpenBSD tree. If FreeBSD can't keep
up I'd be happy to provide them with what I started using for portable
group for a patch-for-patch generation between two CVS trees assuming
that FreeBSD did not tamper too much with the CVS IDs (This has really
helped me get a handle on things). =)

- Ben

From dhw at whistle.com Thu Mar 15 05:22:16 2001
From: dhw at whistle.com (David Wolfskill)
Date: Wed, 14 Mar 2001 10:22:16 -0800 (PST)
Subject: docs/25743: Trivial typographic error in ssh.1
In-Reply-To:
Message-ID: <200103141822.f2EIMGK68508@pau-amma.whistle.com>
>From: mouring at etoh.eviladmin.org
>Date: Wed, 14 Mar 2001 12:14:26 -0600 (CST)

>> So it seems to me that there may be a "process issue" with which I'm
>> unfamiliar.

>The mother of all trees is really the OpenBSD tree. If FreeBSD can't keep
>up I'd be happy to provide them with what I started using for portable
>group for a patch-for-patch generation between two CVS trees assuming
>that FreeBSD did not tamper too much with the CVS IDs (This has really
>helped me get a handle on things). =)

Well, I'm in no position to judge where the problem lies, and all that
generally happens if I try to speak on behalf of other folks is
misunderstanding (and I get in trouble). So I won't try to do either.
I'll defer to folks who are more knowledgeable about the process(es) in
question.

Thanks,
david
--
David Wolfskill dhw at whistle.com UNIX System Administrator
Desk: 650/577-7158 TIE: 8/499-7158 Cell: 650/759-0823

From stevesk at sweden.hp.com Thu Mar 15 05:30:36 2001
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Wed, 14 Mar 2001 19:30:36 +0100 (MET)
Subject: OpenSSH 2.3.0p1: HP-UX 11.00 64-bit
In-Reply-To:
Message-ID:

another thing i forgot to ask: are utmp and wtmp being updated correctly
when you're building 64-bit? i've seen some corruption but haven't
tried to track the cause down. one reason is there is no 64-bit libpam
and i want to use PAM.

From pekkas at netcore.fi Thu Mar 15 05:59:15 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 14 Mar 2001 20:59:15 +0200 (EET)
Subject: openssh and linux ipv6
In-Reply-To: <3AAFA4FC.FE6C9618@fadesa.es>
Message-ID:

On Wed, 14 Mar 2001, José M. Fandiño wrote:
> Pekka Savola wrote:
> > I haven't had problems with kernel freezes, linux and openssh. Using 2.4
>
> As I said it succeeds with a kernel in the 2.2.x series.
> (I'm using a standard 2.2.18 kernel without pachtes, I
> post my kernel configuration)

I can't reproduce a crash on RHL62 + 2.2.17-14 + telnet to ::1 and
OpenSSH 2.5.1p2. 2.3.0p1 also tested fine.

I didn't use '--without-4in6' though, but that shouldn't be significant.

Would this work if you downgraded the kernel a bit (e.g. 2.2.16/17), or
tried the latest -acXX patch?

> I suppose that kernels 2.4.x have a major code rewriting
> and different behavior.

Unfortunately, no. Linux IPv6 code has been in a rather static state for
the last 3 years or so. USAGI kernels (www.linux-ipv6.org) have actually
developed a bit.

> > kernel, 2.5.1p2, RHL7. Does 'stracing' sshd telnet/sshd process give
> > hints where this might halt?
>
> nope, at the time that simply the client side contact with the server side
> the linux server stop of respond. It's totally dead.

Still, IMO this looks more like a very specific problem -- I'm rather sure
2.2.x kernels are fine overall.

Where does the strace stop?

--
Pekka Savola                  "Tell me of difficulties surmounted,
Netcore Oy                     not those you stumble over and fall"
Systems. Networks. Security.   -- Robert Jordan: A Crown of Swords

From quentin.bracken at sabre.com Thu Mar 15 06:22:11 2001
From: quentin.bracken at sabre.com (Quentin Bracken)
Date: Wed, 14 Mar 2001 13:22:11 -0600
Subject: OpenSSH 2.3.0p1: HP-UX 11.00 64-bit
References:
Message-ID: <3AAFC4E3.FD4AD86A@sabre.com>

Kevin, HP-UX 11 does use /dev/ptmx and HAVE_DEV_PTMX is defined when
configure runs on an HP-UX 11.00 64-bit system. The suggested patch would
still result in a broken OpenSSH under 64-bit HP-UX 11.

I believe that the problem is actually in the vhangup(2) implementation in
the HP-UX 11.00 64-bit kernel. It runs without fail on HP-UX 11.00 32-bit
and 10.20. Reviewing the vmunix error message:

    System call 76 (vhangup) was called in a kernel where the type of at
    least one of its arguments is currently unspecified.

leads me to believe that there is a deficiency in the vhangup implementation
in the HP-UX 64-bit kernel itself. It is also worth mentioning that the
vhangup(2) system call is completely undocumented in any man page on 11.00 or
10.20 which I find somewhat suspicious.

Kevin Steves wrote:

> On Tue, 13 Mar 2001, Quentin Bracken wrote:
> : I have encountered a problem with using OpenSSH 2.3.0p1 on 64-bit HP-UX
> : 11.00 systems. This bug does not exhibit itself on any 32-bit HP-UX
> : 11.00 or HP-UX 10.20 systems that I have built 2.3.0p1 on. OpenSSH
> : 2.3.0p1 was built with HPs ANSI C compiler with OpenSSL 0.9.6 and zlib
> : 1.1.3.
> :
> : The problem is with the call to vhangup(2) in sshd when interactive
> : sessions are started. The problem does not occur for non-interactive
> : sessions. When vhangup(2) is called, the following error is sent to
> : syslog:
> :
> : Mar 13 21:14:37 hpux1100 vmunix: System call 76 (vhangup) was called in
> : a kernel where the
> : Mar 13 21:14:37 hpux1100 vmunix: type of at least one of its arguments
> : is currently
> : Mar 13 21:14:37 hpux1100 vmunix: unspecified. This is a problem that
> : must be fixed by
> : Mar 13 21:14:37 hpux1100 vmunix: the owner of the system call before the
> : kernel can be
> : Mar 13 21:14:37 hpux1100 vmunix: released. The process was pid 19386
> : (sshd).
>
> i submitted a defect report on this in october.
>
> but i believe that for STREAMS ptys the vhangup equivalent is considered
> the grantpt(3C) and unlockpt(3C) pair. can someone confirm this?
>
> i propose the following:
>
> Index: configure.in
> ===================================================================
> RCS file: /var/cvs/openssh/configure.in,v
> retrieving revision 1.265
> diff -u -r1.265 configure.in
> --- configure.in 2001/03/14 00:39:46 1.265
> +++ configure.in 2001/03/14 17:20:09
> @@ -71,7 +71,6 @@
>  AC_DEFINE(DISABLE_SHADOW)
>  AC_DEFINE(IPV4_DEFAULT)
>  AC_DEFINE(IP_TOS_IS_BROKEN)
> -	AC_DEFINE(BROKEN_VHANGUP)
>  AC_DEFINE(NO_X11_UNIX_SOCKETS)
>  no_libsocket=1
>  no_libnsl=1
> Index: defines.h
> ===================================================================
> RCS file: /var/cvs/openssh/defines.h,v
> retrieving revision 1.56
> diff -u -r1.56 defines.h
> --- defines.h 2001/02/24 00:55:05 1.56
> +++ defines.h 2001/03/14 17:20:15
> @@ -406,9 +406,9 @@
>  # endif /* defined(HAVE_XATEXIT) */
>  #endif /* !defined(HAVE_ATEXIT) && defined(HAVE_ON_EXIT) */
>
> -#if defined(HAVE_VHANGUP) && !defined(BROKEN_VHANGUP)
> +#if defined(HAVE_VHANGUP) && !defined(HAVE_DEV_PTMX)
>  # define USE_VHANGUP
> -#endif /* defined(HAVE_VHANGUP) && !defined(BROKEN_VHANGUP) */
> +#endif /* defined(HAVE_VHANGUP) && !defined(HAVE_DEV_PTMX) */
>
>  #ifndef GETPGRP_VOID
>  # define getpgrp() getpgrp(0)

--
Quentin C. Bracken
UNIX Master Craftsman
Application Development UNIX Services, Sabre Inc.
quentin.bracken at sabre.com

From quentin.bracken at sabre.com Thu Mar 15 06:25:13 2001
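Review bot: with the defines.h hunk no longer testing BROKEN_VHANGUP, the `-	AC_DEFINE(BROKEN_VHANGUP)` removal in the configure.in hunk leaves that macro unreferenced anywhere the diff shows; any other `AC_DEFINE(BROKEN_VHANGUP)` left in configure.in for other platforms would now be a dead define and should be removed in the same patch, or the macro's meaning documented if it is meant to stay.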
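Review bot: the new condition `#if defined(HAVE_VHANGUP) && !defined(HAVE_DEV_PTMX)` in the defines.h hunk turns USE_VHANGUP off on every platform that has /dev/ptmx, not only on HP-UX 11 64-bit, and the cover text gives the reason (grantpt(3C)/unlockpt(3C) standing in for vhangup on STREAMS ptys) only as a belief awaiting confirmation; put that rationale in a comment above the `#if` so the next reader knows why ptmx presence is the switch, and note in the commit message that ptmx-based platforms which relied on vhangup(2) lose that call.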
From: quentin.bracken at sabre.com (Quentin Bracken)
Date: Wed, 14 Mar 2001 13:25:13 -0600
Subject: OpenSSH 2.3.0p1: HP-UX 11.00 64-bit
References:
Message-ID: <3AAFC599.9BE36AE3@sabre.com>

Kevin, it does appear that the utmp is corrupted. The last command results
in a Memory fault. I will explore this further. Also, I explicitly disable
PAM in my configuration.

Kevin Steves wrote:

> another thing i forgot to ask: are utmp and wtmp being updated correctly
> when you're building 64-bit? i've seen some corruption but haven't
> tried to track the cause down. one reason is there is no 64-bit libpam
> and i want to use PAM.

--
Quentin C. Bracken
UNIX Master Craftsman
Application Development UNIX Services, Sabre Inc.
quentin.bracken at sabre.com

From woods at weird.com Thu Mar 15 06:29:00 2001
From: woods at weird.com (Greg A. Woods)
Date: Wed, 14 Mar 2001 14:29:00 -0500 (EST)
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
In-Reply-To:
References: <20010314040017.5B6518C@proven.weird.com>
Message-ID: <20010314192900.C51488C@proven.weird.com>

[ On Wednesday, March 14, 2001 at 09:02:20 (+0100), Mats Andersson wrote: ]
> Subject: Re: OpenSSH/scp ->> F-Secure SSH server Problems
>
>
> Good, since we're speaking about the protocols here, this is the only
> mention of subsystems in the sftp draft I'm aware of:
>
> ...
> When used with the Secure Shell protocol suite, this protocol is intended
> to be used from the Secure Shell Connection Protocol as a subsystem, as
> described in [SECSH-CONN], Section ``Starting a Shell or a Command''. The
> subsystem name used with this protocol is "sftp".
> ...
>
> As you may see this indeed does not state any dependency, it only gives a
> recommendation for intended usage.

Well, for any amount of inter-operability it certainly does imply complete
dependency. For example no SSH-v2.x implementation which follows this
recommendation can possibly inter-operate with any other implementation
which does not.

> You might also have noticed (since I
> assume you indeed have read the drafts) that the subsystem feature is not
> part of the transport protocol, it is a (very tiny, one could add) feature
> in the connection protocol.

Yes, but it is a wart none the less which leads to inter-operability
problems that have already been seen "in the field."

> You have almost surely also seen that one
> argument was that a subsystem might be built into the ssh server which is
> probably one good reason for having it in the spec.

And I've already countered that argument showing that it is totally bogus.
> Apart from this, you are of course also free to define whatever other
> fancy "independent" protocols you might think of either as subsystems or
> as ordinary "independent" servers running across stdio (one might note
> here that there is no difference in practice as for how these should work
> since both only "see" a stream to its peer).

... leading to even more critical inter-operability problems....

--
Greg A. Woods

+1 416 218-0098      VE3TCP      Planix, Inc. ; Secrets of the Weird

From stevesk at sweden.hp.com Thu Mar 15 06:44:54 2001
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Wed, 14 Mar 2001 20:44:54 +0100 (MET)
Subject: OpenSSH 2.3.0p1: HP-UX 11.00 64-bit
In-Reply-To: <3AAFC4E3.FD4AD86A@sabre.com>
Message-ID:

On Wed, 14 Mar 2001, Quentin Bracken wrote:
: Kevin, HP-UX 11 does use /dev/ptmx and HAVE_DEV_PTMX is defined when
: configure runs on an HP-UX 11.00 64-bit system. The suggested patch would
: still result in a broken OpenSSH under 64-bit HP-UX 11.

yes, this means USE_VHANGUP would not be defined. this is what we want.

: I believe that the problem is actually in the vhangup(2) implementation in
: the HP-UX 11.00 64-bit kernel. It runs without fail on HP-UX 11.00 32-bit
: and 10.20. Reviewing the vmunix error message:
:
: System call 76 (vhangup) was called in a kernel where the type of at
: least one of its arguments is currently unspecified.
:
: leads me to believe that there is a deficiency in the vhangup implementation
: in the HP-UX 64-bit kernel itself. It is also worth mentioning that the
: vhangup(2) system call is completely undocumented in any man page on 11.00 or
: 10.20 which I find somewhat suspicious.

i think it means that vhangup is obsolete on hp-ux, at least >9.X.

From woods at weird.com Thu Mar 15 07:00:21 2001
From: woods at weird.com (Greg A. Woods)
Date: Wed, 14 Mar 2001 15:00:21 -0500 (EST)
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
In-Reply-To:
References: <20010314040017.5B6518C@proven.weird.com>
Message-ID: <20010314200021.80FC18C@proven.weird.com>

[ On Tuesday, March 13, 2001 at 22:37:21 (-0600), owner-ssh at clinet.fi wrote: ]
> Subject: Re: OpenSSH/scp ->> F-Secure SSH server Problems
>
> inetd must be ill-thought-out...
>
> CGI/Perl scripts that define out EXACTLY what binary they want to use
> must be ill-thought-out.
>
> inittab must be ill-thought-out.
>
> Do I need to go on? There are more you just need to look around at
> a standard POSIX unix install.

Obviously you're missing the point. The paths to binaries in all of your
examples, and more importantly in all but the inetd case the meaning of
the service names, are *administrator* defined.

The "built-in subsystem" wart on SSH introduces a naming scheme that the
client and server must agree upon, just as they must agree upon TCP/UDP
port numbers. At the very minimum a very strict and central naming
registry must be defined if this silliness has any chance of resulting in
inter-operable implementations.

> Correct binary?!? Are you telling me as the ADMIN of my box *I* don't
> know where *I* put sftp-server?! Pish-posh.

Ah, I see you've taken my words in completely the opposite way I intended
them. I mean specifically that without the "built-in subsystem" wart the
administrator of an SSH server will have complete and total control of
what binary the client executes via either $PATH, chroot, or some other
scheme which controls the interpreter used by sshd for the given client's
connection. The "built-in subsystem" idea makes sshd into something more
like inetd where you must intuit what an arbitrary client means when it
gives you a very small piece of information (the port number in the case
of TCP/UDP, and the subsystem name in the case of SSH).
Now suddenly the client is totally authoritative in knowing how to name
the service it wants (barring the existence of a strict subsystem naming
registry and associated application protocol definitions). Without the
"built-in subsystem" feature the server is authoritative. Yes this means
that the client may be forced to adjust to a given server, but this is a
far better approach and leads to total inter-operability. With subsystems
any two conflicting groups of clients using subsystem names without
agreeing on what service they refer to will not be able to inter-operate
equally with any given server.

> Or are you suggesting that if OpenBSD connects to Solaris that I should
> run a different sftp-server than if Linux connects to Solaris?

IMNSHO that should be up to the client, but restricted by the server
administrator.

> What hardcoded path? There are no hardcoded paths for sftp-server in sshd
> unless NetBSD botched things (which I doubt). Subsystems are defined in
> your sshd_config. How is this configured 'hard coded in the sshd'? Heck
> you can do:
>
> subsystem myrenamedsftpserver /path/to/sftp-server
>
> then hack a sftp to launch ssh with 'myrenamedsftpserver' instead of
> 'sftp'. How is this hardcoded?

OK, not hard-coded in the binary, but only by the installation.

> I don't get your arguments. I personally would rather state where system
> services are instead of sshd randomly guessing where things
> are.

I agree, but you've missed the fact that the client hard-codes the
service name, leading to either total chaos, or at best IANA mediated
chaos.

> Depending on $PATH for critical services *IS* a security risk. This is one
> of the first things drilled into first year Web/CGI developers.

You need to think harder about the total trust and risk relationships
between the SSH client and the server before you worry about $PATH.

--
Greg A. Woods
+1 416 218-0098 VE3TCP Planix, Inc. ; Secrets of the Weird

From tom at avatar.itc.nrcs.usda.gov Thu Mar 15 07:13:30 2001
From: tom at avatar.itc.nrcs.usda.gov (Tom Rudnick)
Date: Wed, 14 Mar 2001 13:13:30 -0700 (MST)
Subject: [PATCH] Added Null packet keepalive option
Message-ID: <200103142013.NAA01000@avatar.itc.nrcs.usda.gov>

I have attached a patch which adds null packet keepalive functionality
to the client. This patch is made against the current CVS tree as of
3/14/01. Please consider this patch for inclusion in the OpenSSH main
tree.

This patch is based upon and includes code from the Chris Lightfoot
(chris at ex-parrot.com) patch posted 2/23. The original patch from
Chris is at:
http://www.ex-parrot.com/~chris/openssh-patches/openssh-2.5.1p1-keepalives.patch

Description:

In order to keep a session active across a firewall or similar device
that times out stateful connections, the client sends a SSH_MSG_NONE
after X number of seconds of inactivity. Chris' original patch set this
frequency to 3 minutes in the source. My patch allows this frequency to
be configurable in the client.

The configuration option is named "NoopMsgFrequency", with the default
set to "0", disabling this functionality. The name of this option is
deliberately dissimilar to "keepalive", as its function is different
than SO_KEEPALIVE. The Windows PuTTY client implements this option in
the same manner, except the option is in minutes instead of seconds.
Again, 0 turns it off.

In my implementation, we are initiating ssh sessions across 2 L4
switches and a firewall into 3 load-balanced servers. Large download
files are generated on the server. Timing out and initiating a new
session potentially lands the user on a different server before the
file can be downloaded. 30 minutes for this option fits within the L4
and firewall timeouts, and works well for us. We have this implemented
on UnixWare 2.1.3, Solaris 2.7, and Win/CygWin platforms.
Thanks, -Tom Rudnick -- ----------------/---------------------------------------------- Tom Rudnick | USDA Natural Resources Conservation Service Fort Collins,CO | tom at avatar.itc.nrcs.usda.gov (970) 295-5427 ** The 3rd Millennium started Jan 1, 2001. see: ** ** http://aa.usno.navy.mil/AA/faq/docs/millennium.html ** -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -------------- next part -------------- --- readconf.h 2001/03/11 01:49:20 1.21 +++ readconf.h 2001/03/14 19:11:15 @@ -61,6 +61,10 @@ int compression_level; /* Compression level 1 (fast) to 9 * (best). */ int keepalives; /* Set SO_KEEPALIVE. */ + time_t noop_msg_frequency; /* Number of seconds between + * SSH_MSG_NONE packets to keep + * firewall connections from + * timing out */ LogLevel log_level; /* Level for logging. */ int port; /* Port to connect. */ --- readconf.c 2001/03/11 01:49:20 1.40 +++ readconf.c 2001/03/14 19:11:15 @@ -110,7 +110,7 @@ oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, - oPreferredAuthentications + oPreferredAuthentications,oNoopMsgFrequency } OpCodes; /* Textual representations of the tokens. */ @@ -173,6 +173,7 @@ { "numberofpasswordprompts", oNumberOfPasswordPrompts }, { "loglevel", oLogLevel }, { "preferredauthentications", oPreferredAuthentications }, + { "noopmsgfrequency", oNoopMsgFrequency }, { NULL, 0 } }; @@ -387,6 +388,10 @@ intptr = &options->keepalives; goto parse_flag; + case oNoopMsgFrequency: + intptr = &options->noop_msg_frequency; + goto parse_int; + case oNumberOfPasswordPrompts: intptr = &options->number_of_password_prompts; goto parse_int; @@ -707,6 +712,7 @@ options->strict_host_key_checking = -1; options->compression = -1; options->keepalives = -1; + options->noop_msg_frequency = -1; options->compression_level = -1; options->port = -1; options->connection_attempts = -1; 
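Review bot: In the readconf.c hunk for `case oNoopMsgFrequency:`, the value is stored through `intptr` via `goto parse_int`, but the readconf.h hunk declares the field as `time_t noop_msg_frequency;`. Writing an `int` through `int *` into a `time_t` only fills part of the field wherever time_t is wider than int, so the `-1` initialised in the last hunk and the later `== -1` default test stop agreeing with what was written. Declare the field `int`, like its neighbour `keepalives`, or give it its own time_t parse path. Two smaller points: `oPreferredAuthentications,oNoopMsgFrequency` is missing the space after the comma, and none of the hunks document the new "NoopMsgFrequency" keyword in the ssh_config man page, so the only description of it lives in this mail.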
@@ -791,6 +797,8 @@ options->compression = 0; if (options->keepalives == -1) options->keepalives = 1; + if (options->noop_msg_frequency == -1) + options->noop_msg_frequency = 0; if (options->compression_level == -1) options->compression_level = 6; if (options->port == -1) --- clientloop.c 2001/03/06 03:34:40 1.36 +++ clientloop.c 2001/03/14 19:11:21 @@ -365,6 +365,10 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp) { + struct timeval tv = {0}; + tv.tv_sec = options.noop_msg_frequency; + /* Send a noop message at this frequency as a keepalive. */ + /* Add any selections by the channel mechanism. */ channel_prepare_select(readsetp, writesetp, maxfdp); @@ -403,7 +407,8 @@ * SSH_MSG_IGNORE packet when the timeout expires. */ - if (select((*maxfdp)+1, *readsetp, *writesetp, NULL, NULL) < 0) { + switch (select((*maxfdp)+1, *readsetp, *writesetp, NULL, ((tv.tv_sec)?(&tv):NULL))) { + case -1: { char buf[100]; /* @@ -420,7 +425,21 @@ snprintf(buf, sizeof buf, "select: %s\r\n", strerror(errno)); buffer_append(&stderr_buffer, buf, strlen(buf)); quit_pending = 1; - } + + } + break; + + case 0: + /* Send a keepalive packet (not SSH_MSG_IGNORE as this crashes + * some servers...). + */ + packet_start(SSH_MSG_NONE); + packet_send(); + break; + + default: + break; + } } void From woods at weird.com Thu Mar 15 07:22:22 2001 
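Review bot: In the clientloop.c select() hunk, `((tv.tv_sec)?(&tv):NULL)` passes the timeout whenever the configured value is non-zero, but `parse_int` accepts any integer and the readconf.c default hunk only maps `-1` to `0`; a negative NoopMsgFrequency therefore reaches select() as a negative tv_sec, select() fails with EINVAL, and the `case -1:` path sets `quit_pending`, terminating the session. Reject values below zero at parse time or treat `<= 0` as "disabled" before building `tv`. The stray `/* Send a noop message at this frequency as a keepalive. */` comment also sits after the assignment it describes and directly above the unrelated channel_prepare_select() comment; move it above `tv.tv_sec = ...`.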
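Review bot: In the `case 0:` hunk, `packet_start(SSH_MSG_NONE)` puts packet type 0 on the wire, which is not a defined message (the maintainer reply later in this thread says the same), so the keepalive only works because peers happen to discard it, and the in-code justification "not SSH_MSG_IGNORE as this crashes some servers" documents a workaround for one bug by relying on another. Send SSH_MSG_IGNORE with an empty payload instead, which is the documented no-op and is what the existing comment above the select() call ("SSH_MSG_IGNORE packet when the timeout expires") already describes; if specific old servers are known to crash on it, that belongs behind a compatibility check rather than in the default path.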
From: woods at weird.com (Greg A. Woods)
Date: Wed, 14 Mar 2001 15:22:22 -0500 (EST)
Subject: does SSH.COM really in fact approve of the generic meaning of "SSH"?
Message-ID: <20010314202222.D50218C@proven.weird.com>

I hate to open up a discussion that may already be closed (I haven't
really followed the trademark dispute other than via the postings to
NewsForge, and in particular the one on March 7), and I can't find on
www.openssh.com an obviously more appropriate address to send this
thought to, so.... [note my reply-to address]

Though the message below purports to come from it does in fact come
from someone within the SSH.COM internal network (as the received
headers below show). I don't know if this person knows of the full
details of SSH.COM's, errr, Tatu Ylonen's views on the SSH trademark or
not, and probably the e-mail below can't be considered authoritative on
the subject, but it does clearly indicate that the word "SSH" is
obviously thought of as "generic" even by someone who's likely an
SSH.COM employee.

I guess time will tell once the list has been moved and its "official"
description is posted. Suffice to say though that the name of the list
itself, and the implied "vendor non-specific" focus would suggest that
there's not going to even be an internal attempt to protect their mark.

Personally I think any idiot who thinks they can give something away for
free (particularly source code) on the Internet for some time and then
rip it back for their own sole use is surely asking for backlash. The
mere thought that they'd try to protect the command name is pure lunacy.

(Of course I'm still using their implementation in favour of yours!
:-)

------- start of forwarded message (RFC 934 encapsulation) -------
Return-Path:
Received: from mail.clinet.fi([194.100.0.7]) (2255 bytes) by most.weird.com via sendmail with P:esmtp/D:user/T:local (sender: owner: ) id for ; Wed, 14 Mar 2001 03:31:03 -0500 (EST) (Smail-3.2.0.112-Pre 2000-Feb-17 #12 built 2001-Feb-5)
Received: (from majordom at localhost) by mail.clinet.fi (8.9.3/8.9.3) id JAA06303 for ssh-outgoing; Wed, 14 Mar 2001 09:16:12 +0200
Received: from fw.hel.fi.ssh.com (fw.hel.fi.ssh.com [193.64.193.124]) by mail.clinet.fi (8.9.3/8.9.3) with ESMTP id JAA06272 for ; Wed, 14 Mar 2001 09:16:06 +0200
Received: from viikuna.hel.fi.ssh.com (viikuna.hel.fi.ssh.com [10.1.0.46]) by fw.hel.fi.ssh.com (SSH-1.22) with SMTP id JAA05881 for ; Wed, 14 Mar 2001 09:16:06 +0200 (EET)
Received: (qmail 25929 invoked from network); 14 Mar 2001 07:16:02 -0000
Received: from lavuaari.hel.fi.ssh.com (HELO clinet.fi) ([10.1.0.48]) (envelope-sender ) by viikuna.hel.fi.ssh.com (qmail-ldap-1.03) with SMTP for ; 14 Mar 2001 07:16:02 -0000
Message-ID: <3AAF1AB0.583BDC04 at clinet.fi>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ssh at clinet.fi
Date: Wed, 14 Mar 2001 09:16:00 +0200
From: owner-ssh at clinet.fi
To: ssh at clinet.fi
Subject: ATTENTION: SSH-list server change
X-Mailer: Mozilla 4.7 [en] (WinNT; I)
X-Accept-Language: en
Precedence: bulk

Dear patient subscribers,

The SSH-list will be moved from clinet.fi to ssh.org on Thursday March
22nd, 2001. The list is a discussion zone for all the software based
on SSH protocol and it remains vendor non-specific. The new list
address will be ssh at lists.ssh.org. Sending email to ssh at clinet.fi
after the above date will result in an automated reply containing
instructions on how to use the new list.

The new list will operate under different list server software than
the current one. Only people subscribed to the list will be able to
send email to the list. We are sorry for any inconvenience caused by
the earlier arrangement.

The subscriber list will be transferred to the new server so that all
current subscribers of ssh at clinet.fi will be subscribed to
ssh at lists.ssh.org automatically. If you wish to unsubscribe, please
read the monthly posting on the upcoming list for instructions.

- SSH-list administrator -

------- end -------

--
Greg A. Woods
+1 416 218-0098 VE3TCP Planix, Inc. ; Secrets of the Weird

From vinschen at redhat.com Thu Mar 15 08:13:12 2001
From: vinschen at redhat.com (Corinna Vinschen)
Date: Wed, 14 Mar 2001 22:13:12 +0100
Subject: [PATCH]: contrib/cygwin/README
Message-ID: <20010314221312.M8866@cygbert.vinschen.de>

Hi,

I have a small patch here which changes the Cygwin README file so
that the following fact is mentioned.

OpenSSH never uses $HOME to search for user config files but the
value in the pw_dir field in /etc/passwd.

This might be of minor interest for generic U*X folks but that's
an important fact for Cygwin users. When /etc/passwd is automatically
created under WinNT/2K it uses the values in the NT user database
to determine the home directory of the user. Actually, it's a
completely unimportant entry for NT itself. If the home directory
isn't set NT uses a default value. Unfortunately this often results
in a wrong pw_dir entry in /etc/passwd. So at least the documentation
should make that fact somewhat clear to the user.

I wonder if it is worth mentioning this somehow in the man pages.
While in most cases $HOME reflects the pw_dir field, a user could
set its $HOME to /tmp and then he is surprised that his config
files in /tmp aren't used. Ok, it might be a theoretical case but
you'll never know.

Index: README =================================================================== RCS file: /cvs/openssh_cvs/contrib/cygwin/README,v retrieving revision 1.3 diff -u -p -r1.3 README --- README 2001/03/07 10:38:19 1.3 +++ README 2001/03/14 20:52:59 @@ -111,6 +111,12 @@ You'll have to decide before starting ss RSAAuthentication yes +Please note that OpenSSH does never use the value of $HOME to +search for the users configuration files! It always uses the +value of the pw_dir field in /etc/passwd as the home directory. +If no home diretory is set in /etc/passwd, the root directory +is used instead! + You may use all features of the CYGWIN=ntsec setting the same way as they are used by the `login' port on sources.redhat.com:
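Review bot: The added README paragraph in the first hunk has three wording errors that will ship verbatim to users: "does never use" should be "never uses", "the users configuration files" should be "the user's configuration files", and "diretory" is misspelled. The two exclamation marks read as shouting in a reference document; plain sentences carry the warning just as well. Since the covering mail says the wrong pw_dir usually comes from the NT user database entry, one more sentence telling the reader to check the pw_dir field of their /etc/passwd line would make the note actionable.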
@@ -129,10 +135,10 @@ way as they are used by the `login' port locuser::1104:513:John Doe,U-user,S-1-5-21-... -V2 server and user keys are generated by `ssh-config'. If you want to -create DSA keys by yourself, call ssh-keygen with `-d' option. +SSH2 server and user keys are generated by the `ssh-*-config' scripts +as well. -DSA authentication similar to RSA: +SSH2 authentication similar to SSH1: Add keys to ~/.ssh/authorized_keys2 Interop. w/ ssh.com dsa-keys: ssh-keygen -f /key/from/ssh.com -X >> ~/.ssh/authorized_keys2

Thanks,
Corinna

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From Markus.Friedl at informatik.uni-erlangen.de Thu Mar 15 08:31:23 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 14 Mar 2001 22:31:23 +0100
Subject: [PATCH] Added Null packet keepalive option
In-Reply-To: <200103142013.NAA01000@avatar.itc.nrcs.usda.gov>; from tom@avatar.itc.nrcs.usda.gov on Wed, Mar 14, 2001 at 01:13:30PM -0700
References: <200103142013.NAA01000@avatar.itc.nrcs.usda.gov>
Message-ID: <20010314223123.A27977@faui02.informatik.uni-erlangen.de>

SSH_MSG_NONE is no message that is allowed to appear on
the wire, it's not defined at all. SSH_MSG_IGNORE breaks
ssh-1.2.18 to 1.2.22, but i think they'll accept an ignore message
w/o payload.

> + /* Send a keepalive packet (not SSH_MSG_IGNORE as this crashes > + * some servers...). > + */ > + packet_start(SSH_MSG_NONE); > + packet_send(); > + break;

From mouring at etoh.eviladmin.org Thu Mar 15 08:33:13 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 14 Mar 2001 15:33:13 -0600 (CST)
Subject: [PATCH]: contrib/cygwin/README
In-Reply-To: <20010314221312.M8866@cygbert.vinschen.de>
Message-ID:

Thanks.. Applied.

- Ben

On Wed, 14 Mar 2001, Corinna Vinschen wrote:

> Hi,
>
> I have a small patch here which changes the Cygwin README file so
> that the following fact is mentioned.
>
> OpenSSH never uses $HOME to search for user config files but the
> value in the pw_dir field in /etc/passwd.
>
> This might be of minor interest for generic U*X folks but that's
> an important fact for Cygwin users. When /etc/passwd is automatically
> created under WinNT/2K it uses the values in the NT user database
> to determine the home directory of the user. Actually, it's a
> completely unimportant entry for NT itself. If the home directory
> isn't set NT uses a default value. Unfortunately this often results
> in a wrong pw_dir entry in /etc/passwd. So at least the documentation
> should make that fact somewhat clear to the user.
>
> I wonder if it is worth mentioning this somehow in the man pages.
> While in most cases $HOME reflects the pw_dir field, a user could
> set its $HOME to /tmp and then he is surprised that his config
> files in /tmp aren't used. Ok, it might be a theoretical case but
> you'll never know.
>
> Index: README > =================================================================== > RCS file: /cvs/openssh_cvs/contrib/cygwin/README,v > retrieving revision 1.3 > diff -u -p -r1.3 README > --- README 2001/03/07 10:38:19 1.3 > +++ README 2001/03/14 20:52:59
> @@ -111,6 +111,12 @@ You'll have to decide before starting ss > > RSAAuthentication yes > > +Please note that OpenSSH does never use the value of $HOME to > +search for the users configuration files! It always uses the > +value of the pw_dir field in /etc/passwd as the home directory. > +If no home diretory is set in /etc/passwd, the root directory > +is used instead! > + > You may use all features of the CYGWIN=ntsec setting the same > way as they are used by the `login' port on sources.redhat.com: > > @@ -129,10 +135,10 @@ way as they are used by the `login' port > > locuser::1104:513:John Doe,U-user,S-1-5-21-... > > -V2 server and user keys are generated by `ssh-config'. If you want to > -create DSA keys by yourself, call ssh-keygen with `-d' option. > +SSH2 server and user keys are generated by the `ssh-*-config' scripts > +as well. > > -DSA authentication similar to RSA: > +SSH2 authentication similar to SSH1: > Add keys to ~/.ssh/authorized_keys2 > Interop. w/ ssh.com dsa-keys: > ssh-keygen -f /key/from/ssh.com -X >> ~/.ssh/authorized_keys2 > > > Thanks, > Corinna > > From chris at ex-parrot.com Thu Mar 15 08:44:10 2001 
From: chris at ex-parrot.com (Chris Lightfoot)
Date: Wed, 14 Mar 2001 21:44:10 +0000
Subject: [PATCH] Added Null packet keepalive option
In-Reply-To: <20010314223123.A27977@faui02.informatik.uni-erlangen.de>; from Markus Friedl on Wed, Mar 14, 2001 at 10:31:23PM +0100
References: <200103142013.NAA01000@avatar.itc.nrcs.usda.gov> <20010314223123.A27977@faui02.informatik.uni-erlangen.de>
Message-ID: <20010314214410.A3797@caesious.cold.local>

On Wed, Mar 14, 2001 at 10:31:23PM +0100, Markus Friedl wrote:
> SSH_MSG_NONE is no message that is allowed to appear on
> the wire, it's not defined at all. SSH_MSG_IGNORE breaks
> ssh-1.2.18 to 1.2.22, but i think they'll accept an ignore message
> w/o payload.
>
> > + /* Send a keepalive packet (not SSH_MSG_IGNORE as this crashes > > + * some servers...). > > + */ > > + packet_start(SSH_MSG_NONE); > > + packet_send(); > > + break;

I guess the choice here is between conforming to standards and breaking
old software, or ignoring the standards and using something which seems
to work. I haven't noticed _MSG_NONE causing problems with any of the
servers I use, but I am not going to argue that it is the Right Thing To
Use(TM).

--
Chris Lightfoot -- www.ex-parrot.com/~chris/
Life-- some days you're the dog, some days you're the hydrant (Anonymous)

From Markus.Friedl at informatik.uni-erlangen.de Thu Mar 15 08:48:23 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 14 Mar 2001 22:48:23 +0100
Subject: [PATCH] Added Null packet keepalive option
In-Reply-To: <20010314214410.A3797@caesious.cold.local>; from chris@ex-parrot.com on Wed, Mar 14, 2001 at 09:44:10PM +0000
References: <200103142013.NAA01000@avatar.itc.nrcs.usda.gov> <20010314223123.A27977@faui02.informatik.uni-erlangen.de> <20010314214410.A3797@caesious.cold.local>
Message-ID: <20010314224823.B27977@faui02.informatik.uni-erlangen.de>

On Wed, Mar 14, 2001 at 09:44:10PM +0000, Chris Lightfoot wrote:
>
> I guess the choice here is between conforming to
> standards and breaking old software, or ignoring
> the standards and using something which seems to
> work. I haven't noticed _MSG_NONE causing
> problems with any of the servers I use, but I am
> not going to argue that it is the Right Thing To
> Use(TM).

have you tried to send an empty ignore message to the buggy servers?
sending MSG_NONE relies on another implementation bug, and this should
be fixed in OpenSSH asap.

From chris at ex-parrot.com Thu Mar 15 08:51:31 2001
From: chris at ex-parrot.com (Chris Lightfoot)
Date: Wed, 14 Mar 2001 21:51:31 +0000
Subject: [PATCH] Added Null packet keepalive option
In-Reply-To: <20010314224823.B27977@faui02.informatik.uni-erlangen.de>; from Markus Friedl on Wed, Mar 14, 2001 at 10:48:23PM +0100
References: <200103142013.NAA01000@avatar.itc.nrcs.usda.gov> <20010314223123.A27977@faui02.informatik.uni-erlangen.de> <20010314214410.A3797@caesious.cold.local> <20010314224823.B27977@faui02.informatik.uni-erlangen.de>
Message-ID: <20010314215131.A3934@caesious.cold.local>

On Wed, Mar 14, 2001 at 10:48:23PM +0100, Markus Friedl wrote:
> On Wed, Mar 14, 2001 at 09:44:10PM +0000, Chris Lightfoot wrote:
> >
> > I guess the choice here is between conforming to
> > standards and breaking old software, or ignoring
> > the standards and using something which seems to
> > work. I haven't noticed _MSG_NONE causing
> > problems with any of the servers I use, but I am
> > not going to argue that it is the Right Thing To
> > Use(TM).
>
> have you tried to send an empty ignore message to the buggy servers?
> sending MSG_NONE relies on another implementation bug, and this should
> be fixed in OpenSSH asap.

No. I tried using debug messages containing an empty string, which
worked OK but resulted in ugly messages being printed on the console.
`Unfortunately', I don't have any old servers lying about any more to
test this on.

--
Chris Lightfoot -- www.ex-parrot.com/~chris/
"History teaches us that men and nations behave wisely when they have
exhausted all other alternatives." (Abba Eban)

From moyman at ecn.purdue.edu Thu Mar 15 09:17:40 2001
From: moyman at ecn.purdue.edu (James M Moya)
Date: Wed, 14 Mar 2001 17:17:40 -0500 (EST)
Subject: /etc/default/login patch?
Message-ID: <200103142217.f2EMHej09199@golfer.ecn.purdue.edu>

Would anybody happen to have or know of a patch to make /etc/default/login
PATH and SUPATH the default openssh path? We have customized paths for each
school of engineering (each have their own customized site bin). This is
easily controlled with /etc/default/login. The --with-default-path option
is too rigid. This is Solaris I am talking about.

--mike

From agt at ieng9.ucsd.edu Thu Mar 15 09:44:43 2001
From: agt at ieng9.ucsd.edu (Adam Tilghman)
Date: Wed, 14 Mar 2001 14:44:43 -0800 (PST)
Subject: /etc/default/login patch?
In-Reply-To: <200103142217.f2EMHej09199@golfer.ecn.purdue.edu> from "James M Moya" at Mar 14, 2001 05:17:40 PM
Message-ID: <200103142244.f2EMiho18905@ieng9.ucsd.edu>

> Would anybody happen to have or know of a patch to make /etc/default/login
> PATH and SUPATH the default openssh path? We have customized paths for each
> school of engineering (each have their own customized site bin). This is
> easily controlled with /etc/default/login. The --with-default-path option
> is too rigid. This is Solaris I am talking about.

My patch below adds an "sshd_config" option called "SysEnvFile". The new
setting allows you to specify an arbitrary default environment for SSH
login sessions.

(Curiously, similar behavior is available for AIX users -- check
"session.c" for AIX-related #ifdef's and you'll see what I mean.)

--
Adam Tilghman | Systems Support / Academic Computing | +1 858 822 0711
agt at ucsd.edu | University of California, San Diego | fax +1 858 534 7018

diff -r -c openssh-2.5.1p1/servconf.c openssh-2.5.1p1-1/servconf.c *** openssh-2.5.1p1/servconf.c Wed Feb 14 19:08:27 2001 --- openssh-2.5.1p1-1/servconf.c Thu Mar 1 15:45:03 2001 *************** *** 81,86 **** --- 81,87 ---- options->challenge_reponse_authentication = -1; options->permit_empty_passwd = -1; options->use_login = -1; + options->sys_environment_file = NULL; options->allow_tcp_forwarding = -1; options->num_allow_users = 0; options->num_deny_users = 0; *************** *** 210,216 **** sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, !
sUseLogin, sAllowTcpForwarding, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, --- 211,217 ---- sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, ! sUseLogin, sSysEnvFile, sAllowTcpForwarding, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, *************** *** 261,266 **** --- 262,268 ---- { "strictmodes", sStrictModes }, { "permitemptypasswords", sEmptyPasswd }, { "uselogin", sUseLogin }, + { "sysenvfile", sSysEnvFile }, { "randomseed", sRandomSeedFile }, { "keepalive", sKeepAlives }, { "allowtcpforwarding", sAllowTcpForwarding }, *************** *** 583,588 **** --- 585,594 ---- case sUseLogin: intptr = &options->use_login; goto parse_flag; + + case sSysEnvFile: + charptr = &options->sys_environment_file; + goto parse_filename; case sGatewayPorts: intptr = &options->gateway_ports; diff -r -c openssh-2.5.1p1/servconf.h openssh-2.5.1p1-1/servconf.h *** openssh-2.5.1p1/servconf.h Wed Feb 14 19:08:27 2001 --- openssh-2.5.1p1-1/servconf.h Thu Mar 1 15:46:40 2001 *************** *** 93,98 **** --- 93,99 ---- int permit_empty_passwd; /* If false, do not permit empty * passwords. */ int use_login; /* If true, login(1) is used */ + char *sys_environment_file; int allow_tcp_forwarding; u_int num_allow_users; char *allow_users[MAX_ALLOW_USERS]; diff -r -c openssh-2.5.1p1/session.c openssh-2.5.1p1-1/session.c *** openssh-2.5.1p1/session.c Sun Feb 18 11:13:34 2001 --- openssh-2.5.1p1-1/session.c Thu Mar 1 15:46:11 2001 *************** *** 1261,1266 **** --- 1261,1269 ---- /* read $HOME/.ssh/environment. 
*/ if (!options.use_login) { + if (options.sys_environment_file != NULL) { + read_environment_file(&env, &envsize, options.sys_environment_file); + } snprintf(buf, sizeof buf, "%.200s/.ssh/environment", pw->pw_dir); read_environment_file(&env, &envsize, buf); diff -r -c openssh-2.5.1p1/sshd.8 openssh-2.5.1p1-1/sshd.8 *** openssh-2.5.1p1/sshd.8 Wed Feb 14 19:08:28 2001 --- openssh-2.5.1p1-1/sshd.8 Thu Mar 1 16:03:04 2001 *************** *** 669,674 **** --- 669,681 ---- file transfer subsystem. By default no subsystems are defined. Note that this option applies to protocol version 2 only. + .It Cm SysEnvFile + Specifies a file containing the system-wide default environment in + .Dq VARNAME=value + format (default is none.) The contents of a user's + .Pa $HOME/.ssh/environment + file, if found, will override variables set within the + .Cm SysEnvFile . .It Cm SyslogFacility Gives the facility code that is used when logging messages from .Nm sshd .

From djm at mindrot.org Thu Mar 15 11:07:51 2001
From: djm at mindrot.org (Damien Miller)
Date: Thu, 15 Mar 2001 11:07:51 +1100 (EST)
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
In-Reply-To: <20010314192900.C51488C@proven.weird.com>
Message-ID:

On Wed, 14 Mar 2001, Greg A. Woods wrote:

> > You might also have noticed (since I
> > assume you indeed have read the drafts) that the subsystem feature is not
> > part of the transport protocol, it is a (very tiny, one could add) feature
> > in the connection protocol.
>
> Yes, but it is a wart none the less which leads to inter-operability
> problems that have already been seen "in the field."

Rubbish - your example of a misconfigured sshd doesn't count. Should we
perhaps start regarding misconfigured inetd's as evidence of the
brokenness of TCP?

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From mouring at etoh.eviladmin.org Thu Mar 15 11:41:39 2001
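Review bot: In the session.c hunk of the SysEnvFile patch, `read_environment_file(&env, &envsize, options.sys_environment_file)` imports every `NAME=value` line of the named file into the session environment with no allow-list, so pointing it at /etc/default/login (the use case in the question this replies to) exports not only PATH but SUPATH and whatever else that file sets, and the sshd.8 hunk does not warn about this. Either document that the whole file is exported, or restrict the feature to the variables it is meant to supply. Smaller points: the servconf.h hunk adds `char *sys_environment_file;` without the trailing comment every neighbouring field carries, and in the sshd.8 hunk "(default is none.)" should be "(default is none)." with the period outside the parenthesis.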
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 14 Mar 2001 18:41:39 -0600 (CST)
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
In-Reply-To: <20010314200021.80FC18C@proven.weird.com>
Message-ID:

On Wed, 14 Mar 2001, Greg A. Woods wrote:
[..]
> > Or are you suggesting that if OpenBSD connects to Solaris that I should
> > run a different sftp-server than if Linux connects to Solaris?
>
> IMNSHO that should be up to the client, but restricted by the server
> administrator.
>

IMNSHO it's up to the administrator and not the connecting client. But
this is local policy. OpenSSH's subsystems honor $PATH. So you can have
it your way, and I can have it my way. If others don't honor it then
complain to them.

> > I don't get your arguments. I personally would rather state where system
> > services are instead of sshd randomly guessing where things
> > are.
>
> I agree, but you've missed the fact that the client hard-codes the
> service name, leading to either total chaos, or at best IANA mediated
> chaos.
>

By the fact no one is requiring you to register your program name with
an IANA type group you can still have pure chaos. I write a program
called 'Foo' that uses SSH to call 'Bar'. You write a program called
'Bar' and install it and it happens to fall before my program in the
path. Thus, chaos. So this is kinda a strawman argument.

- Ben

From andrew at andrew.triumf.ca Thu Mar 15 13:43:29 2001
From: andrew at andrew.triumf.ca (Andrew Daviel)
Date: Wed, 14 Mar 2001 18:43:29 -0800 (PST)
Subject: problems compiling on Irix
Message-ID:

I think I have resolved my problem, but having typed most of this I
might as well send it.

I have OpenSSH_2.5.1p2 which I am trying to build on Irix 5

In Irix /usr/include/paths.h _PATH_ROOTPATH and _PATH_USERPATH are
defined. defines.h looks for USER_PATH and _PATH_STDPATH and misses
this, so that sshd does not include the path for X11 when users login.

I copied a chunk of ifdef viz.

#ifdef _PATH_USERPATH
# ifdef _PATH_STDPATH
#  undef _PATH_STDPATH
# endif
# define _PATH_STDPATH _PATH_USERPATH
#endif

Having fixed that, I was having problems with X forwarding

I was seeing (with ssh2)
warning: X11 connection requests different authentication protocol: 'MIT-MAGIC-COOKIE-1' vs. ''.
but it's not XAUTHORITY getting clobbered as was discussed last year.

Aha, aha. I see
Running /sbin/sh /etc/ssh/sshrc
instead of
Running /usr/bin/X11/xauth add mylocal:12.0 MIT-MAGIC-COOKIE-1

In an earlier effort to resolve the PATH problem mentioned earlier,
another developer had created /etc/ssh/sshrc in order to try setting
the path, but had not executed xauth in it. So if I just delete that
file things should be OK, I hope.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security at triumf.ca

From dboldt at usgs.gov Thu Mar 15 10:47:24 2001
From: dboldt at usgs.gov (David Boldt)
Date: Wed, 14 Mar 2001 18:47:24 -0500
Subject: Solaris and man pages
Message-ID: <3AB0030C.10802@usgs.gov>

do you folks have a way of generating man pages in a format that the
Solaris "man" command can use (apart from converting to plain text)?

From Jan.Iven at cern.ch Thu Mar 15 20:31:08 2001
From: Jan.Iven at cern.ch (Jan IVEN)
Date: 15 Mar 2001 10:31:08 +0100
Subject: SSH and AFS
In-Reply-To: <3AAF9320.EB7D943F@di.fc.ul.pt>
References: <3AAF9320.EB7D943F@di.fc.ul.pt>
Message-ID:

>>>>> "NMN" == Nuno Miguel Neves writes:

NMN> I'm sorry, but I've been looking in the archives, and I can't find an answer to this question.
NMN> I believe OpenSSH supports AFS, but I can't seem to make it work.
NMN> I've tried to install krb5-devel, but it doesn't work. I've made configure --with-kerberos4 --with-afs, and it says it can't find krb.h.
NMN> Did anyone manage to compile openssh 2.3.0 with AFS? Which kerberos (since I'm using RedHat, an RPM would be great :) )?

Sorry, no rpms. Our compilation area is under
/afs/cern.ch/project/connectivity/openssh-2.3.0. See the file "CMD" for
the actual commands/options used. Binaries are in
.../i386_linux22/install/

Best regards
Jan

From mouring at etoh.eviladmin.org Fri Mar 16 00:33:29 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 15 Mar 2001 07:33:29 -0600 (CST)
Subject: Solaris and man pages
In-Reply-To: <3AB0030C.10802@usgs.gov>
Message-ID:

On Wed, 14 Mar 2001, David Boldt wrote:

> do you folks have a way of generating man pages in a format
> that the Solaris "man" command can use (apart from converting
> to plain text)?
>

In the contrib/ directory there is a mdoc2man.pl perl script that will
convert them. It has yet to be integrated into the install script, but
it works nicely.

- Ben

From gert at greenie.muc.de Fri Mar 16 02:22:30 2001
From: gert at greenie.muc.de (Gert Doering) Date: Thu, 15 Mar 2001 16:22:30 +0100 Subject: News from AIX Message-ID: <20010315162230.G27193@greenie.muc.de> Hi, News from the "AIX is different than the rest of the world" department... AIX has something similar to setluid() on SCO, just that it uses text strings (similar to setenv()) and calls it "usrinfo". I've appended the man page below. Under normal conditions, well-behaved applications use ttyname(), logname() and getuid() get the relevant informations, but today I've come across one piece of commercial software that insists on using usrinfo(), and otherwise failed to use the proper user name when being called in an ssh session. So I'm afraid we have to support that. To my knowledge, usrinfo() is valid on all AIX systems ever shipped. Patch is also appended - with that, reading usrinfo() in an ssh session shows the same value as in a telnet session, so that should be "fine". gert ------- Index: session.c =================================================================== RCS file: /cvs/openssh_cvs/session.c,v retrieving revision 1.79 diff -u -r1.79 session.c --- session.c 2001/02/18 19:13:34 1.79 +++ session.c 2001/03/15 15:13:44 @@ -89,6 +89,10 @@ # define S_UNOFILE_HARD S_UNOFILE "_hard" #endif +#ifdef _AIX +# include +#endif + /* types */ #define TTYSZ 64 
@@ -1119,6 +1123,25 @@ debug("error setting satid: %.100s", strerror(errno)); } #endif /* WITH_IRIX_AUDIT */ + +#ifdef _AIX + /* AIX has a "usrinfo" area where logname and + * other stuff is stored - a few applications + * actually use this and die if it's not set + */ + { + char ui_buf[1000]; + int ui_len; + + ui_len = sprintf( ui_buf, + "LOGNAME=%s%cNAME=%s%cTTY=%s%c%c", + pw->pw_name, 0, + pw->pw_name, 0, + ttyname, 0,0); + usrinfo( SETUINFO, ui_buf, ui_len ); + debug("AIX/UsrInfo: set len %d", ui_len); + } +#endif /* Permanently switch to the desired uid. */ permanently_set_uid(pw->pw_uid); --------- snip --------- usrinfo Subroutine Purpose Gets and sets user information about the owner of the current process. Library Standard C Library (libc.a) Syntax #include int usrinfo (Command, Buffer, Count) int Command; char *Buffer; int Count; Description The usrinfo subroutine gets and sets information about the owner of the current process. The information is a sequence of null-terminated name=value strings. The last string in the sequence is terminated by two successive null characters. A child process inherits the user information of the parent process. Parameters Command Specifies one of the following constants: GETUINFO Copies user information, up to the number of bytes specified by the Count parameter, into the buffer pointed to by the Buffer parameter. SETUINFO Sets the user information for the process to the number of bytes specified by the Count parameter in the buffer pointed to by the Buffer parameter. The calling process must have root user authority to set the user information. The minimum user information consists of four strings typically set by the login program: NAME=UserName LOGIN=LoginName LOGNAME=LoginName TTY=TTYName If the process has no terminal, the TTYName parameter should be null. Buffer Specifies a pointer to a user buffer. This buffer is usually UINFOSIZ bytes long. 
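Review bot: in the `@@ -1119,6 +1123,25 @@` hunk, `sprintf( ui_buf, "LOGNAME=%s%cNAME=%s%cTTY=%s%c%c", ...)` writes into a fixed `char ui_buf[1000]` with no bound on `pw->pw_name` or `ttyname`, so an over-long user name or tty path overruns the stack buffer; size the buffer from the string lengths, or use `snprintf` with `sizeof ui_buf` and skip the call when the result would not fit. The same hunk passes `ttyname` to `%s` unconditionally, while the man page that follows says TTY should be null for a process without a terminal, so a NULL `ttyname` would be undefined behaviour here; substitute an empty string in that case. The return value of `usrinfo( SETUINFO, ui_buf, ui_len )` is discarded, so the EPERM/EINVAL/EFAULT failures the man page lists go unnoticed; check for -1 and report `strerror(errno)` the way the `error setting satid` line in the same context does. In the first hunk, keying the include on `#ifdef _AIX` hard-codes the platform; a configure-detected `HAVE_...` macro, in the style of the `WITH_IRIX_AUDIT` guard visible in the second hunk, would make the header dependency explicit.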
Count
    Specifies the number of bytes of user information copied from or to
    the user buffer.

Return Values

If successful, the usrinfo subroutine returns a non-negative integer
giving the number of bytes transferred. Otherwise, a value of -1 is
returned and the errno global variable is set to indicate the error.

Error Codes

The usrinfo subroutine fails if one of the following is true:

EPERM   The Command parameter is set to SETUINFO, and the calling process
        does not have root user authority.
EINVAL  The Command parameter is not set to SETUINFO or GETUINFO.
EINVAL  The Command parameter is set to SETUINFO, and the Count parameter
        is larger than UINFOSIZ.
EFAULT  The Buffer parameter points outside of the address space of the
        process.

Implementation Specifics

This subroutine is part of Base Operating System (BOS) Runtime.

Related Information

The getuinfo subroutine, setpenv subroutine.
The login command.
List of Security and Auditing Subroutines in AIX Version 4 General
Programming Concepts: Writing and Debugging Programs.
Subroutines Overview in AIX Version 4 General Programming Concepts:
Writing and Debugging Programs.

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From dboldt at usgs.gov Fri Mar 16 02:39:07 2001
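An added example (not from Gert's patch, Damien's follow-up, or OpenSSH) of the buffer format the man page above describes and of the sizing question both patches in this thread deal with: it builds the four entries the man page calls the minimum set with every write bounded, closes the sequence with the second NUL, and parses such a buffer back without reading past the length it was handed. usrinfo() itself exists only on AIX, so the call is left out; the length returned is what would be passed as Count to usrinfo(SETUINFO, buf, len). The user name, tty path and buffer sizes are constructed sample values.

```c
/* uinfo_demo.c: build and parse an AIX-style usrinfo buffer.
 * Added example, not OpenSSH code. Layout per the usrinfo man page:
 * NUL-terminated name=value strings, the sequence closed by a second NUL.
 * The usrinfo() call itself is AIX-only and is not made here.
 */
#include <stdio.h>
#include <string.h>

/* Append "key=value\0" at *pos; returns 0 (and writes nothing) if it would
 * not fit, so an over-long user name or tty path cannot overrun the buffer. */
static int uinfo_append(char *buf, size_t bufsz, size_t *pos,
                        const char *key, const char *val)
{
    size_t klen = strlen(key), vlen = strlen(val);

    if (bufsz - *pos < klen + 1 + vlen + 1)
        return 0;
    memcpy(buf + *pos, key, klen);
    *pos += klen;
    buf[(*pos)++] = '=';
    memcpy(buf + *pos, val, vlen);
    *pos += vlen;
    buf[(*pos)++] = '\0';
    return 1;
}

/* Build NAME, LOGIN, LOGNAME and TTY. A NULL tty (no controlling terminal)
 * becomes an empty TTY value. Returns the byte count to pass as Count,
 * including the closing double NUL, or 0 if the buffer is too small. */
size_t build_uinfo(char *buf, size_t bufsz, const char *name,
                   const char *login, const char *tty)
{
    size_t pos = 0;

    if (tty == NULL)
        tty = "";
    if (!uinfo_append(buf, bufsz, &pos, "NAME", name) ||
        !uinfo_append(buf, bufsz, &pos, "LOGIN", login) ||
        !uinfo_append(buf, bufsz, &pos, "LOGNAME", login) ||
        !uinfo_append(buf, bufsz, &pos, "TTY", tty) ||
        pos >= bufsz)
        return 0;
    buf[pos++] = '\0';          /* second NUL ends the sequence */
    return pos;
}

/* Walk a buffer of len bytes (as GETUINFO would fill it) and return the
 * value for key, or NULL if absent. Stops at the double NUL and never
 * runs past len, so a truncated or unterminated buffer is not over-read. */
const char *uinfo_get(const char *buf, size_t len, const char *key)
{
    size_t pos = 0, klen = strlen(key);

    while (pos < len && buf[pos] != '\0') {
        size_t elen = 0;
        while (pos + elen < len && buf[pos + elen] != '\0')
            elen++;
        if (pos + elen == len)
            return NULL;        /* entry not NUL-terminated: malformed */
        if (elen > klen && memcmp(buf + pos, key, klen) == 0 &&
            buf[pos + klen] == '=')
            return buf + pos + klen + 1;
        pos += elen + 1;
    }
    return NULL;
}

int main(void)
{
    char buf[64];   /* constructed sample: a small buffer, a short name */
    size_t n = build_uinfo(buf, sizeof buf, "gert", "gert", "/dev/pts/3");

    if (n == 0) {
        puts("buffer too small");
        return 1;
    }
    printf("Count=%zu LOGNAME=%s TTY=%s\n", n,
           uinfo_get(buf, n, "LOGNAME"), uinfo_get(buf, n, "TTY"));
    return 0;
}
```

Sizing the buffer from the string lengths (as Damien's follow-up does) or bounding each write (as here) both remove the fixed 1000-byte sprintf target; the parser's length bound matters on the GETUINFO side, where the sequence is supposed to end in a double NUL but a caller should not have to rely on that.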
From: dboldt at usgs.gov (David R Boldt)
Date: Thu, 15 Mar 2001 10:39:07 -0500
Subject: Solaris and man pages
Message-ID: 

Ben, many thanks, that's just what I was looking for.

-- David Boldt

                    To:        David Boldt
                    cc:        openssh-unix-dev at mindrot.org
03/15/01 08:33 AM   Subject:   Re: Solaris and man pages

On Wed, 14 Mar 2001, David Boldt wrote:

> do you folks have a way of generating man pages in a format
> that the Solaris "man" command can use (apart from converting
> to plain text)?
>

In the contrib/ directory there is a mdoc2man.pl perl script that will
convert them. It has yet to be integrated into the install script, but
it works nicely.

- Ben

From woods at weird.com Fri Mar 16 04:14:51 2001
From: woods at weird.com (Greg A. Woods)
Date: Thu, 15 Mar 2001 12:14:51 -0500 (EST)
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
In-Reply-To: 
References: <20010314200021.80FC18C@proven.weird.com>
Message-ID: <20010315171451.E457F8C@proven.weird.com>

[ On Wednesday, March 14, 2001 at 18:41:39 (-0600), mouring at localhost[eviladmin.org] wrote: ]
> Subject: Re: OpenSSH/scp ->> F-Secure SSH server Problems
>
> On Wed, 14 Mar 2001, Greg A. Woods wrote:
> > [..]
> > > Or are you suggesting that if OpenBSD connects to Solaris that I should
> > > run a different sftp-server than if Linux connects to Solaris?
> >
> > IMNSHO that should be up to the client, but restricted by the server
> > administrator.
> >
>
> IMNSHO it's up to the administrator and not the connecting client.

Ben, that's almost exactly what I said, but only from the opposite
perspective! The current subsystem naming scheme does *NOT* allow the
administrator to control what service is expected under which name! The
administrator *MUST* adhere to either a given implementation, or if a
central naming authority is defined, then to that authority, or else
face inter-operability problems!

> By the fact no one is requiring you to register your program name with
> an IANA type group you can still have pure chaos.

Exactly! That's why the "built-in subsystem" feature is a wart!
There's no way to enforce implementations to honour the registered
names!

Without the "built-in subsystem" feature the expectations set by the
design are completely different and already well understood and handled
by not only SSH-v1 implementations, but indeed by most other generic
remote transport protocols (well, except maybe SSL which has an alarming
number of TCP port numbers assigned to it -- one for every SSL-wrapped
service).

> I write a program call
> 'Foo' that uses SSH to call 'Bar'. You write a program call 'Bar' and
> install it and it happens to fall before my program in the path. Thus,
> chaos.
Fortunately most everyone's been dealing with this single level of
naming and its consequences for decades now and we have the solutions
down pat.

Adding unnecessary forced generic naming indirection is rarely a good
thing. It's nice to have in personal environments (eg. shell aliases
and such, but just ask anyone who uses your shell prompt how much
difficulty they have when faced with someone else's aliases, or vice
versa).

A naming indirection scheme is necessary when the underlying topology is
inflexible (eg. IP addresses -- if you move around the topology you need
a new number, so having a constant name is of extreme benefit).

However in scenarios where the client's expectations of what services
are available are set by its understanding of the host it's about to
connect to, the *lack* of a generic forced protocol-level naming
indirection scheme allows the administrator of that host to choose the
name-space entirely, and allows the clients to adjust their use of
command or application names on the server to suit that particular
server. (Eg. "ssh remhost dir" for M$/DOS, or "ssh remhost ls" for
POSIX.)

A naming system indirection scheme at this level only adds the need for
totally unnecessary *global* co-ordination and co-operation.

Yes of course names can be defined in the form "service at domain.name", as
Bill Sommerfeld said in his response to this thread, however that
doesn't ease the problem any at all and still requires a global registry
for unqualified names. All it does is provide an outlet for those who
want to define their own naming scheme -- they won't have to pressure
implementors into providing non-standard names, but as we've seen in
other very similar situations the implementors will still bend the rules
for even the slightest reason.

Just look at the mess that appears on any given segment of the public
Internet w.r.t. TCP and UDP port numbers.
Sure there are lots and lots of people using the registered names for
the protocols they are defined to represent. However there are a very
large and very significant number of people using illegal port numbers
(most Unix systems come with at least one or two by default!). You
cannot sit in the middle of the Internet and pick off random packets
from the "wire" and be guaranteed that the port number specified in the
header will have any relation at all to the contents of the data within
the defined mappings by IANA.

Indirection in this case was not necessarily a good idea, and it has not
been anywhere near 100% successful! The only problem in this case was
many people have a harder time using numbers to identify things and so a
common naming scheme was devised to make things easier to remember and
to refer to.

Fortunately with command and application names that might be invoked by
remote SSH clients, there's no need for another naming scheme because
they already have memorable names.

-- 
Greg A. Woods
+1 416 218-0098      VE3TCP
Planix, Inc. ; Secrets of the Weird

From shorty at getuid.de Fri Mar 16 04:11:33 2001
From: shorty at getuid.de (Christian Kurz)
Date: Thu, 15 Mar 2001 18:11:33 +0100
Subject: Problem with connecting to host running ssh 2.3.0p1
Message-ID: <20010315181133.B15456@seteuid.getuid.de>

Hi,

I just did a cvs update on my copy of the openssh stuff here to be sure
that this bug is still existing. If I connect to a host running 2.3.0p1
and use protocol version 2 ssh fails. Here's the excerpt from the debug
log. I would appreciate if someone could fix this, so that I can use
protocol version 2 again:

|debug1: GOT SSH2_MSG_NEWKEYS.
|debug1: send SSH2_MSG_NEWKEYS.
|debug1: done: send SSH2_MSG_NEWKEYS.
|debug1: done: KEX2.
|debug1: send SSH2_MSG_SERVICE_REQUEST
| 06 c5 df df cf 9b fd 08 db 73 e8 7b 54 b3 aa d9
|debug1: compress outgoing: raw data 58, compressed 61, factor 1.05
|debug1: compress incoming: raw data 0, compressed 0, factor 0.00
|Disconnecting: Bad packet length 113631199.
|debug1: Calling cleanup 0x80608ec(0x0)

Thanks,
Christian
-- 
Love is the process of my leading you gently back to yourself.
    -- Saint Exupery

From vyo at y12.doe.gov Fri Mar 16 06:05:01 2001
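An added example, not from the report above or from OpenSSH, on what the "Bad packet length" line in that log means. The first four bytes of the dumped block, read as a big-endian uint32, are 0x06c5dfdf = 113631199, exactly the number in the disconnect line: the client took its length field from data that is clearly not a plaintext packet header. That looks like a cipher or key mismatch after NEWKEYS rather than a truncated packet, which is my inference from the numbers, not something the report establishes. The code decodes the field and applies the bounds that make such a length fail fast instead of driving an allocation or a read; the 256 KiB ceiling, the minimum of 5 bytes and the block-alignment rule are my assumptions standing in for the receiver's real limits, and the "good" block is constructed.

```c
/* ssh2_pktlen.c: sanity-check the packet_length field of an SSH2 binary
 * packet before trusting it. Added example, not OpenSSH code. Assumed
 * layout: uint32 packet_length, byte padding_length, payload, at least
 * 4 bytes of padding, with 4 + packet_length a multiple of the block size.
 * The 256 KiB ceiling is an assumed limit, not a value from the report.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PKT_MAX_LEN (256u * 1024u)  /* assumed ceiling */
#define PKT_MIN_LEN 5u              /* padding_length byte + 4 padding bytes */

enum { PKT_OK = 0, PKT_BAD_LENGTH = -1, PKT_BAD_PADDING = -2 };

/* Big-endian uint32 at the start of the (decrypted) first block. */
uint32_t ssh2_packet_length(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Check the first block of a packet. block_size is the cipher block size
 * (at least 8). On return *len_out holds the decoded length either way. */
int ssh2_check_header(const unsigned char *blk, uint32_t block_size,
                      uint32_t *len_out)
{
    uint32_t len = ssh2_packet_length(blk);
    uint8_t padlen = blk[4];

    if (len_out)
        *len_out = len;
    if (len < PKT_MIN_LEN || len > PKT_MAX_LEN)
        return PKT_BAD_LENGTH;          /* the report's failure mode */
    /* the length field itself is not counted; the rest must fill whole blocks */
    if ((len + 4) % block_size != 0)
        return PKT_BAD_PADDING;
    /* at least 4 padding bytes, and padding must fit inside the packet */
    if (padlen < 4 || padlen + 1u > len)
        return PKT_BAD_PADDING;
    return PKT_OK;
}

/* The 16 bytes from the debug dump in the report (copied into an array). */
static const unsigned char reported_block[16] = {
    0x06, 0xc5, 0xdf, 0xdf, 0xcf, 0x9b, 0xfd, 0x08,
    0xdb, 0x73, 0xe8, 0x7b, 0x54, 0xb3, 0xaa, 0xd9
};

/* A constructed well-formed first block: length 28, 10 padding bytes,
 * so 4 + 28 = 32 is a multiple of 8 and of 16; the payload starts with
 * message type 5 and a 12-byte string, as a service request would. */
static const unsigned char good_block[16] = {
    0x00, 0x00, 0x00, 0x1c, 0x0a, 0x05, 0x00, 0x00,
    0x00, 0x0c, 's', 's', 'h', '-', 'u', 's'
};

uint32_t reported_length(void) { return ssh2_packet_length(reported_block); }
int reported_verdict(void) { return ssh2_check_header(reported_block, 8, NULL); }
int good_verdict(void) { return ssh2_check_header(good_block, 8, NULL); }

int main(void)
{
    uint32_t len;
    int rc = ssh2_check_header(reported_block, 8, &len);

    printf("packet_length %u -> %s\n", (unsigned)len,
           rc == PKT_OK ? "ok" : "Bad packet length");
    return 0;
}
```

The point of checking before use is that a length field is attacker- or garbage-controlled input until the MAC has been verified; a receiver that allocates or reads 113 MB on the strength of it has already lost, whereas one that bounds it first just drops the connection, which is what the log shows.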
From: vyo at y12.doe.gov (Redmon S S)
Date: Thu, 15 Mar 2001 14:05:01 -0500 (EST)
Subject: shared vs. static in 2.5.1p1
In-Reply-To: <20010302000135.B628@folly>
Message-ID: 

1) Yes, setting LDFLAGS works, but I also have to have each of the
shared libs on all of the boxes (ie libz.so.1.1.3, libwrap.so.7.6.1).
Only the ssh binary files are needed when built statically.

2) Different topic: Are there any plans to add hostbased authentication
to openssh?

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

On Fri, 2 Mar 2001, Markus Friedl wrote:

> does setting LDFLAGS or LD for configure help?
>
> -m
>
> On Thu, Mar 01, 2001 at 01:37:44PM -0500, Redmon S S wrote:
> > Are there any plans to add the option of using static libraries for
> > openssh? We have a wide range of platforms. It was easier to
> > build on some platforms by changing the shared references to static
> > libraries.
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > - Scott Redmon -
> > - Information Technology Services -
> > - Unix Systems Support Group email: redmonws at y12.doe.gov -
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> >
> >
>

From RCDavis at intermedia.com Fri Mar 16 07:53:07 2001
From: RCDavis at intermedia.com (Davis, Ricardo C.)
Date: Thu, 15 Mar 2001 15:53:07 -0500
Subject: Support for here documents with sftp client in OpenSSH 2.5.1p1-1 (RH Linux 6.2 [2.2.x kernel])
Message-ID: <77DA8BE17C46D2118B7A00805FA7D051047ADAA3@TPAEXCH2>

A question on the cutting edge sftp client in OpenSSH 2.5.1p1-1:

Is there a standard set of commands for sftp clients? I was hoping to use
sftp as a drop in replacement for some simple FTP transfer scripts. In
particular, the ftp client allows specifying the password in the "user"
command:

    user

The scripts use here documents to perform the transfers. For example:

    ...
    ftp -n -i -v $theServer >$logFile 2>&1 <

Message-ID: <3AB12CE0.6C3B3390@Eng.Sun.COM>

"Davis, Ricardo C." wrote:

> ...but it doesn't. Am I looking for something that isn't available in sftp
> client implementations? If this is true, then what options are there for
> automated, authenticated transfers?

What about using the ssh-agent since sftp runs over ssh having the keys
in the agent will mean you don't need to pass them into sftp every time.

-- 
Darren J Moffat

From Markus.Friedl at informatik.uni-erlangen.de Fri Mar 16 08:02:53 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 15 Mar 2001 22:02:53 +0100
Subject: Support for here documents with sftp client in OpenSSH 2.5.1p1-1 (RH Linux 6.2 [2.2.x kernel])
In-Reply-To: <77DA8BE17C46D2118B7A00805FA7D051047ADAA3@TPAEXCH2>; from RCDavis@intermedia.com on Thu, Mar 15, 2001 at 03:53:07PM -0500
References: <77DA8BE17C46D2118B7A00805FA7D051047ADAA3@TPAEXCH2>
Message-ID: <20010315220253.B1046@faui02.informatik.uni-erlangen.de>

On Thu, Mar 15, 2001 at 03:53:07PM -0500, Davis, Ricardo C. wrote:
> The scripts use here documents to perform the transfers. For example:
>
> ...
> ftp -n -i -v $theServer >$logFile 2>&1 <
> user $account $acctpw
> cd $theDir
> get *.dat
> quit
> !
> ...
>
> It doesn't appear that OpenSSH's sftp client can do this. Is it possible to
> specify the password as part of the command line? I thought this might
> work:

this works fine with non-interactive authentication. you can try
publickey.

-m

From markus.friedl at informatik.uni-erlangen.de Fri Mar 16 08:12:38 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 15 Mar 2001 22:12:38 +0100
Subject: shared vs. static in 2.5.1p1
In-Reply-To: ; from vyo@y12.doe.gov on Thu, Mar 15, 2001 at 02:05:01PM -0500
References: <20010302000135.B628@folly>
Message-ID: <20010315221238.A10389@folly>

On Thu, Mar 15, 2001 at 02:05:01PM -0500, Redmon S S wrote:
> Are there any plans to add hostbased authentication to openssh?

yes. but no time frame for protocol v2, perhaps within a month.

protocol v1 does already support rhost-rsa.

From djm at mindrot.org Fri Mar 16 10:16:44 2001
From: djm at mindrot.org (Damien Miller) Date: Fri, 16 Mar 2001 10:16:44 +1100 (EST) Subject: News from AIX In-Reply-To: <20010315162230.G27193@greenie.muc.de> Message-ID: On Thu, 15 Mar 2001, Gert Doering wrote: > Hi, > > News from the "AIX is different than the rest of the world" department... > > AIX has something similar to setluid() on SCO, just that it uses text > strings (similar to setenv()) and calls it "usrinfo". I've appended > the man page below. > > Under normal conditions, well-behaved applications use ttyname(), > logname() and getuid() get the relevant informations, but today I've > come across one piece of commercial software that insists on using > usrinfo(), and otherwise failed to use the proper user name when > being called in an ssh session. So I'm afraid we have to support that. > > To my knowledge, usrinfo() is valid on all AIX systems ever shipped. > > Patch is also appended - with that, reading usrinfo() in an ssh session > shows the same value as in a telnet session, so that should be "fine". Thanks - how does this work for you? It is based on you patch, except the buffer is exactly allocated and usrinfo's return value is checked. -d Index: session.c =================================================================== RCS file: /var/cvs/openssh/session.c,v retrieving revision 1.89 diff -u -r1.89 session.c --- session.c 2001/03/05 07:33:15 1.89 +++ session.c 2001/03/15 23:15:44 @@ -89,6 +89,10 @@ # define S_UNOFILE_HARD S_UNOFILE "_hard" #endif +#ifdef _AIX +# include +#endif + /* types */ #define TTYSZ 64 
@@ -1135,6 +1139,23 @@ debug("error setting satid: %.100s", strerror(errno)); } #endif /* WITH_IRIX_AUDIT */ + +#ifdef _AIX + /* + * AIX has a "usrinfo" area where logname and + * other stuff is stored - a few applications + * actually use this and die if it's not set + */ + cp = xmalloc(22 + strlen(ttyname) + + 2 * strlen(pw->pw_name)); + i = sprintf(cp, "LOGNAME=%s%cNAME=%s%cTTY=%s%c%c", + pw->pw_name, 0, pw->pw_name, 0, ttyname, 0,0); + if (usrinfo(SETUINFO, cp, i) == -1) + fatal("Couldn't set usrinfo: %s", + strerror(errno)); + debug3("AIX/UsrInfo: set len %d", i); + xfree(cp); +#endif /* Permanently switch to the desired uid. */ permanently_set_uid(pw->pw_uid); -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From djm at mindrot.org Fri Mar 16 10:23:19 2001 
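Review bot: in the `@@ -1135,6 +1139,23 @@` hunk, `strlen(ttyname)` and the `%s` for `ttyname` assume a non-NULL pointer, but the usrinfo man page quoted earlier in the thread says TTY should be null when the process has no terminal; if `ttyname` can be NULL for a session without a pty, this dereferences NULL, so substitute an empty string (or drop the TTY entry) in that case. The allocation `xmalloc(22 + strlen(ttyname) + 2 * strlen(pw->pw_name))` is exact only because 22 equals the 17 bytes of the three fixed prefixes (`LOGNAME=`, `NAME=`, `TTY=`) plus the four `%c` NULs plus sprintf's trailing NUL; a comment spelling that out, or computing the size with a first `snprintf(NULL, 0, ...)` pass, would stop a later edit to the format string from silently under-allocating. `cp` and `i` are assigned without declarations in the hunk, so the patch relies on existing locals of suitable type already being in scope in this function.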
From: djm at mindrot.org (Damien Miller)
Date: Fri, 16 Mar 2001 10:23:19 +1100 (EST)
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
In-Reply-To: <20010315171451.E457F8C@proven.weird.com>
Message-ID: 

On Thu, 15 Mar 2001, Greg A. Woods wrote:

This will be my last post on this subject.

> Ben, that's almost exactly what I said, but only from the opposite
> perspective! The current subsystem naming scheme does *NOT* allow the
> administrator to control what service is expected under which name! The
> administrator *MUST* adhere to either a given implementation, or if a
> central naming authority is defined, then to that authority, or else
> face inter-operability problems!

Just like there is no way for a system administrator to force others to
run smtp on port 25 (for example). If you do something stupid, like
diddle with well known assignments, of course you are going to break
stuff.

> > By the fact no one is requiring you to register your program name with
> > an IANA type group you can still have pure chaos.
>
> Exactly! That's why the "built-in subsystem" feature is a wart!
> There's no way to enforce implementations to honour the registered
> names!

So what? If people want to break their systems, then we shouldn't
stop them. Unix provides no way to _force_ people not to rename 'rm'
to 'ls' either and it still works pretty well - people don't do it
because it is _stupid_ to mess with well-known names.

-d

-- 
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From djm at mindrot.org Fri Mar 16 10:26:04 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 16 Mar 2001 10:26:04 +1100 (EST)
Subject: Support for here documents with sftp client in OpenSSH 2.5.1p1-1 (RH Linux 6.2 [2.2.x kernel])
In-Reply-To: <77DA8BE17C46D2118B7A00805FA7D051047ADAA3@TPAEXCH2>
Message-ID: 

On Thu, 15 Mar 2001, Davis, Ricardo C. wrote:

> A question on the cutting edge sftp client in OpenSSH 2.5.1p1-1:
>
> Is there a standard set of commands for sftp clients? I was hoping to use
> sftp as a drop in replacement for some simple FTP transfer scripts. In
> particular, the ftp client allows specifying the password in the "user"
> command:
>
> user

I don't think the sftp client will ever support this syntax - it would
be difficult to implement and would encourage the use of plaintext
passwords in scripts.

> It doesn't appear that OpenSSH's sftp client can do this. Is it
> possible to specify the password as part of the command line?

This is not going to happen either - commandlines are visible to all other
users of your system using ps.

> ...but it doesn't. Am I looking for something that isn't available
> in sftp client implementations? If this is true, then what options
> are there for automated, authenticated transfers?

You can use public key authentication - this is exactly what it is
designed for :)

-d

-- 
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From RCDavis at intermedia.com Fri Mar 16 10:35:33 2001
From: RCDavis at intermedia.com (Davis, Ricardo C.)
Date: Thu, 15 Mar 2001 18:35:33 -0500
Subject: Support for here documents with sftp client in OpenSSH 2.5.1p 1-1 (RH Linux 6.2 [2.2.x kernel])
Message-ID: <77DA8BE17C46D2118B7A00805FA7D051047ADAA9@TPAEXCH2>

Damien,

I was going down the path of public key authentication when I encountered
problems. I've been discussing it off-line using the simple example of
creating a key pair with no passphrase for an account on "myserver", then
trying to connect to myserver using the "ssh -i id_dsa myserver" command.
It's not working, so we're debugging now (see below). If you have any
insight as to what's going on it would be appreciated.

-Ricardo

P.S. The mode of id_dsa is 600, the mode of id_dsa.pub is 644.

____________________________________________________________________________
From: Davis, Ricardo C.
Sent: Thursday, March 15, 2001 5:52 PM
To: 'Markus Friedl'
Subject: RE: Support for here documents with sftp client in OpenSSH 2.5.1p 1-1 (RH Linux 6.2 [2.2.x kernel])

-----------ssh monitor window-----------------
$ ssh -i id_dsa -p 1234 myserver.com
Permission denied (publickey,password,keyboard-interactive).
$

-----------sshd monitor window-----------------
su -
Password:
# sshd -d -d -d -p 1234
debug1: sshd version OpenSSH_2.5.1p1
debug1: load_private_key_autodetect: type 0 RSA1
debug3: Bad RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read SSH2 private key done: name dsa w/o comment success 1
debug1: load_private_key_autodetect: type 2 DSA
debug3: Bad RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read SSH2 private key done: name rsa w/o comment success 1
debug1: load_private_key_autodetect: type 1 RSA
debug1: Seeding random number generator
debug1: Bind to port 1234 on 0.0.0.0.
Server listening on 0.0.0.0 port 1234.
Generating 768 bit RSA key.
debug1: Seeding random number generator
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 0.0.0.0 port 724
debug1: Client protocol version 2.0; client software version OpenSSH_2.5.1p1
debug1: match: OpenSSH_2.5.1p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_2.5.1p1
debug1: list_hostkey_types: ssh-dss,ssh-rsa
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug1: got kexinit: ssh-rsa,ssh-dss
debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: none
debug1: got kexinit: none
debug1: got kexinit: 
debug1: got kexinit: 
debug1: first kex follow: 0
debug1: reserved: 0
debug1: done
debug2: mac_init: found hmac-sha1
debug1: kex: client->server 3des-cbc hmac-sha1 none
debug2: mac_init: found hmac-sha1
debug1: kex: server->client 3des-cbc hmac-sha1 none
debug1: Wait SSH2_MSG_KEX_DH_GEX_REQUEST.
debug1: Sending SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: bits set: 1009/2049
debug1: Wait SSH2_MSG_KEX_DH_GEX_INIT.
debug1: bits set: 1013/2049
debug2: ssh_rsa_sign: done
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: userauth-request for user myaccount service ssh-connection method none
debug1: attempt 0 failures 0
debug2: input_userauth_request: setting up authctxt for myaccount
debug1: Starting up PAM with username "myaccount"
debug1: Trying to reverse map address 0.0.0.0.
debug1: PAM setting rhost to "myserver.com"
debug2: input_userauth_request: try method none
Failed none for myaccount from 0.0.0.0 port 724 ssh2
debug1: userauth-request for user myaccount service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
DSA authentication refused for myaccount: bad ownership or modes for '/home/myaccount/'.
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for myaccount from 0.0.0.0 port 724 ssh2
Connection closed by 0.0.0.0
debug1: Calling cleanup 0x80514a0(0x0)
debug1: Calling cleanup 0x80638a0(0x0)
#

Ok ... so it appears it doesn't like the account's directory. Here's the
info on those:

# ls -ld m*
drwxrwx---   10 myaccoun acctAdm      4096 Mar 15 13:42 myaccount
# cd myaccount
# ls -ld .ssh
drwx------    2 myaccoun myaccoun     4096 Mar 15 16:56 .ssh

Strange ... it doesn't appear to me there is a problem.

-Ricardo

-----Original Message-----
From: Markus Friedl [mailto:Markus.Friedl at informatik.uni-erlangen.de]
Sent: Thursday, March 15, 2001 5:32 PM
To: Davis, Ricardo C.
Subject: Re: Support for here documents with sftp client in OpenSSH 2.5.1p 1-1 (RH Linux 6.2 [2.2.x kernel])

On Thu, Mar 15, 2001 at 05:26:21PM -0500, Davis, Ricardo C. wrote:
> Ok, did a "chmod go-w on ~/.ssh/authorized_keys2" and tried again with the
> same results. So next I ran ssh with the -v option.

what does
	sshd -d -d -d -p 1234
say when you connect with
	ssh -i id_dsa -p 1234 host.
?

-m

____________________________________________________________________________

-----Original Message-----
From: Damien Miller [mailto:djm at mindrot.org]
Sent: Thursday, March 15, 2001 6:26 PM
To: Davis, Ricardo C.
Cc: openssh-unix-dev at mindrot.org
Subject: Re: Support for here documents with sftp client in OpenSSH 2.5.1p1-1 (RH Linux 6.2 [2.2.x kernel])

You can use public key authentication - this is exactly what it is
designed for :)

-d

-- 
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From djm at mindrot.org Fri Mar 16 10:40:08 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 16 Mar 2001 10:40:08 +1100 (EST)
Subject: Support for here documents with sftp client in OpenSSH 2.5.1p 1-1 (RH Linux 6.2 [2.2.x kernel])
In-Reply-To: <77DA8BE17C46D2118B7A00805FA7D051047ADAA9@TPAEXCH2>
Message-ID: 

On Thu, 15 Mar 2001, Davis, Ricardo C. wrote:

> Damien,
>
> I was going down the path of public key authentication when I encountered
> problems. I've been discussing it off-line using the simple example of
> creating a key pair with no passphrase for an account on "myserver", then
> trying to connect to myserver using the "ssh -i id_dsa myserver" command.
> It's not working, so we're debugging now (see below). If you have any
> insight as to what's going on it would be appreciated.
>
> -Ricardo
>
> P.S. The mode of id_dsa is 600, the mode of id_dsa.pub is 644.

> DSA authentication refused for myaccount: bad ownership or modes for
> '/home/myaccount/'.

> # ls -ld m*
> drwxrwx---   10 myaccoun acctAdm      4096 Mar 15 13:42 myaccount

This should be 0750, i.e.

> drwxr-x---   10 myaccoun acctAdm      4096 Mar 15 13:42 myaccount

-d

-- 
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From tim at multitalents.net Fri Mar 16 12:54:04 2001
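The refusal Ricardo saw and the 0770 to 0750 change Damien gives come from one rule: sshd will not trust a key file reachable through a directory that someone other than the user (or root) owns, or that group or others can write to, because such a directory would let another account plant or replace the authorized keys. What follows is an added example, not OpenSSH's code; it encodes that rule as I read it from the thread (assumption: sshd's check of the era was equivalent), with the path chain from the thread constructed as sample data and uid 1001 standing in for myaccount.

```c
/* keypath_check.c: the ownership/mode rule behind sshd's
 * "bad ownership or modes for '/home/myaccount/'" refusal.
 * Added example, not OpenSSH code. Assumed rule: every directory on the
 * way to the key file must be owned by the user or by root and must not
 * be writable by group or others.
 */
#include <sys/types.h>
#include <sys/stat.h>
#include <stddef.h>
#include <stdio.h>

/* One path component as stat() would report it. */
struct pathcomp {
    const char *path;
    uid_t       owner;
    mode_t      mode;       /* permission bits only, e.g. 0750 */
};

/* 1 if a single component is acceptable for the given user, else 0. */
int comp_ok(uid_t user, uid_t owner, mode_t mode)
{
    if (owner != user && owner != 0)
        return 0;                       /* someone else owns it */
    if (mode & (S_IWGRP | S_IWOTH))
        return 0;                       /* group- or world-writable */
    return 1;
}

/* -1 if every component passes, otherwise the index of the first failing
 * component, which is the directory a log line like the one above names. */
int first_bad_component(const struct pathcomp *comps, size_t n, uid_t user)
{
    for (size_t i = 0; i < n; i++)
        if (!comp_ok(user, comps[i].owner, comps[i].mode))
            return (int)i;
    return -1;
}

/* The same rule on a real path via stat(2): 1 ok, 0 rejected, -1 on error. */
int real_path_ok(const char *path, uid_t user)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return -1;
    return comp_ok(user, st.st_uid, st.st_mode & 07777);
}

/* Constructed sample: the chain from the thread, /home root-owned,
 * uid 1001 standing in for myaccount. */
#define MYACCOUNT_UID 1001u
static const struct pathcomp before_fix[] = {
    { "/home",                                 0,             0755 },
    { "/home/myaccount",                       MYACCOUNT_UID, 0770 }, /* drwxrwx--- */
    { "/home/myaccount/.ssh",                  MYACCOUNT_UID, 0700 },
    { "/home/myaccount/.ssh/authorized_keys2", MYACCOUNT_UID, 0600 },
};
static const struct pathcomp after_fix[] = {
    { "/home",                                 0,             0755 },
    { "/home/myaccount",                       MYACCOUNT_UID, 0750 }, /* drwxr-x--- */
    { "/home/myaccount/.ssh",                  MYACCOUNT_UID, 0700 },
    { "/home/myaccount/.ssh/authorized_keys2", MYACCOUNT_UID, 0600 },
};

int bad_before(void) { return first_bad_component(before_fix, 4, MYACCOUNT_UID); }
int bad_after(void)  { return first_bad_component(after_fix, 4, MYACCOUNT_UID); }

int main(void)
{
    int i = bad_before();

    if (i >= 0)
        printf("refused: bad ownership or modes for '%s'\n", before_fix[i].path);
    printf("after chmod 0750: %s\n", bad_after() < 0 ? "accepted" : "refused");
    return 0;
}
```

Note that the .ssh directory being 0700 is not enough on its own, which is why Ricardo's `ls -ld .ssh` looked fine to him: the check walks the whole chain, and the group-writable home directory is the component that fails.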
From: tim at multitalents.net (Tim Rice)
Date: Thu, 15 Mar 2001 17:54:04 -0800 (PST)
Subject: News from AIX
In-Reply-To: 
Message-ID: 

On Fri, 16 Mar 2001, Damien Miller wrote:

> On Thu, 15 Mar 2001, Gert Doering wrote:
>
> > Hi,
> >
> > News from the "AIX is different than the rest of the world" department...
> >
> > AIX has something similar to setluid() on SCO, just that it uses text
> > strings (similar to setenv()) and calls it "usrinfo". I've appended
> > the man page below.
>
> +#ifdef _AIX
        ^^^^^
Do we really want this? I'd much rather see HAVE_UINFO_H and HAVE_USERINFO
with the appropriate tests in configure.in

> +# include
> +#endif
> +
>  /* types */
>

-- 
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From dankamin at cisco.com Fri Mar 16 14:00:44 2001
From: dankamin at cisco.com (Dan Kaminsky)
Date: Thu, 15 Mar 2001 19:00:44 -0800
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
References: 
Message-ID: <00d201c0adc5$4bca8520$0c00040a@na.cisco.com>

> So what? If people want to break their systems, then we shouldn't
> stop them. Unix provides no way to _force_ people not to rename 'rm'
> to 'ls' either and it still works pretty well - people don't do it
> because it is _stupid_ to mess with well-known names.

Some people alias rm to move deleted files to a trashcan folder. Others
alias rm to srm (secure rm), affording them a decent level of protection
against deleted file recovery.

What matters is not the binary actually run, or even what that binary ends
up doing. What matters is that it speak the protocol correctly, and
represents the will of the sysadmin and user (which hopefully should not be
at odds).

Does sftp-server have some mode for capability negotiation, incidentally?

Yours Truly,

Dan Kaminsky, CISSP
http://www.doxpara.com

From djm at mindrot.org Fri Mar 16 14:04:50 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 16 Mar 2001 14:04:50 +1100 (EST)
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
In-Reply-To: <00d201c0adc5$4bca8520$0c00040a@na.cisco.com>
Message-ID: 

On Thu, 15 Mar 2001, Dan Kaminsky wrote:

> Does sftp-server have some mode for capability negotiation, incidentally?

It has version numbering, which we already use to decide what capabilities
to offer to the client and how to format a reply or two. It also has
clean ways of extending the protocol (SSH_FX_EXTENDED packets and
extended attributes).

-d

-- 
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From Christophe_Moret at hp.com Fri Mar 16 18:41:44 2001
From: Christophe_Moret at hp.com (Christophe Moret)
Date: Fri, 16 Mar 2001 08:41:44 +0100
Subject: Support for here documents with sftp client in OpenSSH 2.5.1p1-1(RH Linux 6.2 [2.2.x kernel])
References: 
Message-ID: <3AB1C3B8.7B3D2B89@hp.com>

I think the real issue is when talking with NT SSH servers, for which I
do not know of an implementation that uses only PubKey. A password is
always necessary, and we have no choice but to put it in scripts...
This is bad of course, but is there another solution for NT? (typically
Van Dyke servers for example).

BTW I have a patch available for adding a -W option in ssh and Pass in
.ssh/config, if you need it.

-Christophe

Damien Miller wrote:

> On Thu, 15 Mar 2001, Davis, Ricardo C. wrote:
>
> > A question on the cutting edge sftp client in OpenSSH 2.5.1p1-1:
> >
> > Is there a standard set of commands for sftp clients? I was hoping to use
> > sftp as a drop in replacement for some simple FTP transfer scripts. In
> > particular, the ftp client allows specifying the password in the "user"
> > command:
> >
> > user
>
> I don't think the sftp client will ever support this syntax - it would
> be difficult to implement and would encourage the use of plaintext
> passwords in scripts.
>
> > It doesn't appear that OpenSSH's sftp client can do this. Is it
> > possible to specify the password as part of the command line?
>
> This is not going to happen either - commandlines are visible to all other
> users of your system using ps.
>
> > ...but it doesn't. Am I looking for something that isn't available
> > in sftp client implementations? If this is true, then what options
> > are there for automated, authenticated transfers?
>
> You can use public key authentication - this is exactly what it is
> designed for :)
>
> -d
>
> --
> | Damien Miller \ ``E-mail attachments are the poor man's
> | http://www.mindrot.org / distributed filesystem'' - Dan Geer

-- 
Christophe Moret                  mailto:Christophe_Moret at hp.com
Hewlett Packard                   Phone :+33 4 76 14 40 78
5, avenue Raymond Chanas          Fax   :+33 4 76 14 47 06
38053 GRENOBLE Cedex 09           Mobile:+33 6 72 99 16 51

From djm at mindrot.org Fri Mar 16 18:49:11 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 16 Mar 2001 18:49:11 +1100 (EST)
Subject: Support for here documents with sftp client in OpenSSH 2.5.1p1-1(RH Linux 6.2 [2.2.x kernel])
In-Reply-To: <3AB1C3B8.7B3D2B89@hp.com>
Message-ID:

On Fri, 16 Mar 2001, Christophe Moret wrote:

> I think the real issue is when talking with NT SSH servers, for which
> I do not know of an implementation that uses only PubKey.

OpenSSH :)

ftp://ftp.nas.nasa.gov/mirrors/cygwin.com/pub/cygwin/latest/openssh/

-d

-- 
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From Markus.Friedl at informatik.uni-erlangen.de Fri Mar 16 19:21:53 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 16 Mar 2001 09:21:53 +0100 Subject: sftp over 2 hosts? In-Reply-To: ; from Stephan.Hendl@lds.brandenburg.de on Wed, Mar 14, 2001 at 04:25:57PM +0100 References: Message-ID: <20010316092153.A17429@faui02.informatik.uni-erlangen.de> On Wed, Mar 14, 2001 at 04:25:57PM +0100, Stephan Hendl wrote: > thanks, that works, but the problem is that I have two open connections now, but I need actually only one. Furthermore the command > > myhost$ ssh -L 1234:hostb:22 hosta > > gives me a promt back, so I have to open a window and to make small and to open a next one for the command try to use -f or -N or something similar. $ ssh -L xxx:yyy:zzz so you don't need multiple windows. -m From gert at greenie.muc.de Fri Mar 16 20:10:37 2001 From: gert at greenie.muc.de (Gert Doering) Date: Fri, 16 Mar 2001 10:10:37 +0100 Subject: News from AIX In-Reply-To: ; from Damien Miller on Fri, Mar 16, 2001 at 10:16:44AM +1100 References: <20010315162230.G27193@greenie.muc.de> Message-ID: <20010316101037.B23831@greenie.muc.de> Hi, On Fri, Mar 16, 2001 at 10:16:44AM +1100, Damien Miller wrote: > > AIX has something similar to setluid() on SCO, just that it uses text > > strings (similar to setenv()) and calls it "usrinfo". I've appended > > the man page below. [..] > Thanks - how does this work for you? It is based on you patch, except > the buffer is exactly allocated and usrinfo's return value is checked. Will try next week (won't be at that customer's site until then). Definitely looks cleaner than my hacked-together patch :-) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From gert at greenie.muc.de Fri Mar 16 20:11:26 2001 
From: gert at greenie.muc.de (Gert Doering) Date: Fri, 16 Mar 2001 10:11:26 +0100 Subject: News from AIX In-Reply-To: ; from Tim Rice on Thu, Mar 15, 2001 at 05:54:04PM -0800 References: Message-ID: <20010316101126.C23831@greenie.muc.de> Hi, On Thu, Mar 15, 2001 at 05:54:04PM -0800, Tim Rice wrote: > > +#ifdef _AIX > ^^^^^ > Do we really want this? As usrinfo seems to be AIX-only, and available on *all* AIX versions, I'd opt for it. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From seuffert at gmd.de Sat Mar 17 00:48:00 2001 
From: seuffert at gmd.de (Peter Seuffert)
Date: Fri, 16 Mar 2001 14:48:00 +0100
Subject: passphrase for non existent key?
Message-ID: <3AB21990.F20797A0@gmd.de>

BUG: SSH asks for a passphrase for non existent key.

Version: OpenSSH_2.5.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f

If I "ssh -2" to a remote host and there is no "authorized_keys2" at the remote site ssh asks for a passphrase for non existent key instead of falling back to asking for a rlogin-password.

Same situation if you specify a non-existent userid:

ssh -2 xyz at localhost

ssh asks for secret passphrase of user "hops". Should ask for password of "xyz"

"ssh -1" handles all this correctly.

- Peter

tarifa ~> ssh -2 -v xyz at localhost
OpenSSH_2.5.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug: Reading configuration data /home/hops/.ssh/config
debug: Applying options for *
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: Rhosts Authentication disabled, originating port will not be trusted.
debug: ssh_connect: getuid 129 geteuid 129 anon 1
debug: Connecting to localhost [127.0.0.1] port 22.
debug: Connection established.
debug: identity file /home/hops/.ssh/identity type 0 debug: identity file /home/hops/.ssh/id_rsa1 type 3 debug: identity file /home/hops/.ssh/id_dsa type 3 debug: Remote protocol version 1.99, remote software version OpenSSH_2.5.1p1 debug: match: OpenSSH_2.5.1p1 pat ^OpenSSH Enabling compatibility mode for protocol 2.0 debug: Local version string SSH-2.0-OpenSSH_2.5.1p1 debug: Seeded RNG with 57 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: send KEXINIT debug: done debug: wait KEXINIT debug: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug: got kexinit: ssh-dss debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug: got kexinit: none,zlib debug: got kexinit: none,zdebug: got kexinit: debug: got kexinit: debug: first kex follow: 0 debug: reserved: 0 debug: done debug: kex: server->client 3des-cbc hmac-sha1 none debug: kex: client->server 3des-cbc hmac-sha1 none debug: Sending SSH2_MSG_KEX_DH_GEX_REQUEST. debug: Wait SSH2_MSG_KEX_DH_GEX_GROUP. debug: Got SSH2_MSG_KEX_DH_GEX_GROUP. debug: bits set: 535/1024 debug: Sending SSH2_MSG_KEX_DH_GEX_INIT. debug: Wait SSH2_MSG_KEX_DH_GEX_REPLY. debug: Got SSH2_MSG_KEXDH_REPLY. debug: Forcing accepting of host key for loopback/localhost. debug: bits set: 521/1024 debug: len 55 datafellows 0 debug: ssh_dss_verify: signature correct debug: Wait SSH2_MSG_NEWKEYS. debug: GOT SSH2_MSG_NEWKEYS. debug: send SSH2_MSG_NEWKEYS. debug: done: send SSH2_MSG_NEWKEYS. 
debug: done: KEX2. debug: send SSH2_MSG_SERVICE_REQUEST debug: service_accept: ssh-userauth debug: got SSH2_MSG_SERVICE_ACCEPT debug: authentications that can continue: publickey,password,keyboard-interactive debug: next auth method to try is publickey debug: userauth_pubkey_agent: trying agent key .ssh/id_dsa debug: authentications that can continue: publickey,password,keyboard-interactive debug: next auth method to try is publickey debug: key does not exist: /home/hops/.ssh/id_rsa1 debug: try pubkey: /home/hops/.ssh/id_dsa debug: PEM_read_PrivateKey failed debug: read SSH2 private key done: name success 0 Enter passphrase for key '/home/hops/.ssh/id_dsa': tarifa ~> ssh -1 -v xyz at localhost OpenSSH_2.5.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f debug: Reading configuration data /home/hops/.ssh/config debug: Applying options for * debug: Reading configuration data /etc/ssh/ssh_config debug: Applying options for * debug: Rhosts Authentication disabled, originating port will not be trusted. debug: ssh_connect: getuid 129 geteuid 129 anon 1 debug: Connecting to localhost [127.0.0.1] port 22. debug: Connection established. debug: identity file /home/hops/.ssh/identity type 0 debug: identity file /home/hops/.ssh/id_rsa1 type 3 debug: identity file /home/hops/.ssh/id_dsa type 3 debug: Remote protocol version 1.99, remote software version OpenSSH_2.5.1p1 debug: match: OpenSSH_2.5.1p1 pat ^OpenSSH debug: Local version string SSH-1.5-OpenSSH_2.5.1p1 debug: Waiting for server public key. debug: Received server public key (768 bits) and host key (1024 bits). debug: Forcing accepting of host key for loopback/localhost. debug: Seeded RNG with 57 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Encryption type: blowfish debug: Sent encrypted session key. debug: Installing crc compensation attack detector. debug: Received encrypted confirmation. debug: Trying RSA authentication via agent with 'hops at tarifa' debug: Server refused our key. 
debug: RSA authentication using agent refused.
debug: Trying RSA authentication with key 'hops at tarifa'
debug: Server refused our key.
debug: Doing password authentication.
xyz at localhost's password:

-- 
   __o       Peter Seuffert
 _`\<,_      German National Research Center for Information Technology (GMD)
(_)/ (_)     Institute for Applied Information Technology (FIT.CSCW)
~~~~~~~~~~~  Schloss Birlinghoven, D-53754 St.Augustin, Germany
EMAIL: Seuffert at gmd.de   PHONE: +49-2241-142868   FAX: +49-2241-142084

From Markus.Friedl at informatik.uni-erlangen.de Sat Mar 17 01:50:56 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 16 Mar 2001 15:50:56 +0100
Subject: passphrase for non existent key?
In-Reply-To: <3AB218FC.F85D2A99@gmd.de>; from seuffert@gmd.de on Fri, Mar 16, 2001 at 02:45:32PM +0100
References: <3AB218FC.F85D2A99@gmd.de>
Message-ID: <20010316155056.A23971@faui02.informatik.uni-erlangen.de>

On Fri, Mar 16, 2001 at 02:45:32PM +0100, Peter Seuffert wrote:
> BUG: SSH asks for a passphrase for non existent key.

you mean: SSH asks for the passphrase of a key, that is not allowed to login?

this has been fixed for the next release.

-m

From Kenora.Sorgenfrie at nrc.ca Sat Mar 17 02:11:33 2001
From: Kenora.Sorgenfrie at nrc.ca (Sorgenfrie, Kenora) Date: Fri, 16 Mar 2001 10:11:33 -0500 Subject: openssh-2.5.1p2 installation problems Message-ID: <9258C238472FD411AA860004AC369AF907FE679B@nrcmrdex1.imsb.nrc.ca> I am a student system administrator working for the National Research Council of Canada. I have a problem with my current installation of openssh-2.5.1p2. I have installed the source on a DEC3000 system running Digital Unix 4.0. My problem is in locating a startup script for sshd. I have successfully installed openssh-2.5.1p1 on a variety of platforms, and have always found a startup script for sshd, but it seems to be absent on this platform. If you could assist me in locating the needed script, I would appreciate it. If you require further information, please email me with particulars of what you need. Thank you for your time and I look forward to your response. Kenora Sorgenfrie kenora.sorgenfrie at nrc.ca From RCDavis at intermedia.com Sat Mar 17 02:26:36 2001 
From: RCDavis at intermedia.com (Davis, Ricardo C.) Date: Fri, 16 Mar 2001 10:26:36 -0500 Subject: Support for here documents with sftp client in OpenSSH 2.5.1p 1-1 (RH Linux 6.2 [2.2.x kernel]) Message-ID: <77DA8BE17C46D2118B7A00805FA7D051047ADAAA@TPAEXCH2> That was it! Thank you so much, Markus! It would have been nice if one could easily discern that from the debugging information without looking at the source code. But then, we are talking about Unix here. :) I had not thought of the scenario regarding a compromise through group write permissions. Somebody really ought to put this in the OpenSSH FAQ (perhaps as an example of what not to do) and save another security-newbie a few days trying to figure it out! The account that I'm dealing with is for automated processing and not a "real" user; the account administrators group (basically the sys admins and the ops manager) usually need only read access to check status of processing. The account's home directory was made group writeable so that operational changes could be made "on the fly" without having to log into that account. But it's no great loss not being able to do so. Thanks again! You and others on this list have been very helpful! -Ricardo -----Original Message----- 
From: Markus Friedl [mailto:Markus.Friedl at informatik.uni-erlangen.de]
Sent: Friday, March 16, 2001 3:07 AM
To: Davis, Ricardo C.
Subject: Re: Support for here documents with sftp client in OpenSSH 2.5.1p 1-1 (RH Linux 6.2 [2.2.x kernel])

On Thu, Mar 15, 2001 at 05:51:54PM -0500, Davis, Ricardo C. wrote:
> drwxrwx--- 10 myaccoun acctAdm 4096 Mar 15 13:42 myaccount

sshd does not like group writeable homedirectories.
everyone from the group can do:

$ cd myaccount
$ mv .ssh .ssh-disabled
$ mkdir .ssh
$ echo mykey > .ssh/authorized_keys2

> # cd myaccount
> # ls -ld .ssh
> drwx------ 2 myaccoun myaccoun 4096 Mar 15 16:56 .ssh
>
> Strange ... it doesn't appear to me there is a problem.

homedir is the problem.

From Markus.Friedl at informatik.uni-erlangen.de Sat Mar 17 02:30:13 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 16 Mar 2001 16:30:13 +0100
Subject: Support for here documents with sftp client in OpenSSH 2.5.1p 1-1 (RH Linux 6.2 [2.2.x kernel])
In-Reply-To: <77DA8BE17C46D2118B7A00805FA7D051047ADAAA@TPAEXCH2>; from RCDavis@intermedia.com on Fri, Mar 16, 2001 at 10:26:36AM -0500
References: <77DA8BE17C46D2118B7A00805FA7D051047ADAAA@TPAEXCH2>
Message-ID: <20010316163013.A12449@faui02.informatik.uni-erlangen.de>

On Fri, Mar 16, 2001 at 10:26:36AM -0500, Davis, Ricardo C. wrote:
> That was it! Thank you so much, Markus!
>
> It would have been nice if one could easily discern that from the debugging
> information without looking at the source code. But then, we are talking
> about Unix here. :)

the debug output did complain about the permissions.
perhaps it should be more verbose.

From Christophe_Moret at hp.com Sat Mar 17 04:14:35 2001
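The point Markus makes above is that the permissions on ~/.ssh prove nothing when the home directory itself is group-writable, because a group member can rename the whole directory away and plant a fresh one. The following is an added audit script (not code from the thread or from OpenSSH) that walks the same chain sshd's StrictModes check cares about: home directory, ~/.ssh, and the authorized_keys / authorized_keys2 files. The `demo()` function rebuilds the layout from the thread (drwxrwx--- home, drwx------ .ssh) in a temporary directory, which is a constructed sample; the placeholder key contents are likewise constructed.

```python
"""Audit the directory chain sshd walks before it trusts authorized_keys.

Added example; it is not OpenSSH code. It checks the condition from the
thread: a group- or world-writable home directory lets anyone with that
write access replace ~/.ssh, regardless of how tight ~/.ssh itself is.
"""
import os
import stat
import tempfile

# Key files consulted for public-key authentication (SSH1 and SSH2 files
# were still separate in OpenSSH 2.5).
KEY_FILES = ("authorized_keys", "authorized_keys2")


def writable_by_others(path):
    """True if the path is group- or world-writable (lstat: do not follow symlinks)."""
    mode = os.lstat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_home(home):
    """Return a list of (path, problem) findings for home, ~/.ssh and the key files.

    An empty list means the chain is sane; the first finding is the one from
    the thread (home directory writable by the group).
    """
    findings = []
    if writable_by_others(home):
        findings.append((home, "home directory is group/world-writable: ~/.ssh can be replaced"))
    ssh_dir = os.path.join(home, ".ssh")
    if os.path.islink(ssh_dir):
        findings.append((ssh_dir, "~/.ssh is a symlink"))
    if os.path.isdir(ssh_dir):
        if writable_by_others(ssh_dir):
            findings.append((ssh_dir, "~/.ssh is group/world-writable"))
        for name in KEY_FILES:
            key_file = os.path.join(ssh_dir, name)
            if os.path.exists(key_file) and writable_by_others(key_file):
                findings.append((key_file, "key file is group/world-writable"))
    return findings


def demo():
    """Rebuild the thread's layout in a temp dir, audit it, apply the fix, audit again."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "myaccount")
    os.mkdir(home)
    os.chmod(home, 0o770)            # drwxrwx--- as in Ricardo's ls -ld output
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o700)         # drwx------ : looks fine in isolation
    key_file = os.path.join(ssh_dir, "authorized_keys2")
    with open(key_file, "w") as f:
        f.write("ssh-dss AAAA-constructed-placeholder-key\n")  # constructed, not a real key
    os.chmod(key_file, 0o600)
    before = audit_home(home)
    os.chmod(home, 0o750)            # the fix: drop group write on the home directory
    after = audit_home(home)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for path, problem in before:
        print(f"{path}: {problem}")
    print("after chmod g-w on the home directory:", after)
```

Run it against a real account as `audit_home(os.path.expanduser("~user"))`; it only reads mode bits, so it is safe to point at any home directory. Ownership (the other half of what sshd checks) is deliberately not part of this example.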
From: Christophe_Moret at hp.com (Christophe Moret)
Date: Fri, 16 Mar 2001 18:14:35 +0100
Subject: Support for here documents with sftp client in OpenSSH 2.5.1p1-1(RHLinux 6.2 [2.2.x kernel])
References:
Message-ID: <3AB249FB.A5532B1A@hp.com>

Yes, of course, but:

- cygwin is not really secure in a multi-user environment
- I did not achieve having it running correctly as a service with multiple users & pubkey authentication (I got into problems in checking the authorized_keys[2] rights when running it as system).

-Christophe

Damien Miller wrote:
> On Fri, 16 Mar 2001, Christophe Moret wrote:
>
> > I think the real issue is when talking with NT SSH servers, for which
> > I do not know of an implementation that uses only PubKey.
>
> OpenSSH :)
>
> ftp://ftp.nas.nasa.gov/mirrors/cygwin.com/pub/cygwin/latest/openssh/
>
> -d
>
> --
> | Damien Miller \ ``E-mail attachments are the poor man's
> | http://www.mindrot.org / distributed filesystem'' - Dan Geer

-- 
Christophe Moret                  mailto:Christophe_Moret at hp.com
Hewlett Packard                   Phone :+33 4 76 14 40 78
5, avenue Raymond Chanas          Fax   :+33 4 76 14 47 06
38053 GRENOBLE Cedex 09           Mobile:+33 6 72 99 16 51

From dunlap at apl.washington.edu Sat Mar 17 06:17:54 2001
From: dunlap at apl.washington.edu (John Dunlap)
Date: Fri, 16 Mar 2001 11:17:54 -0800 (PST)
Subject: suggestion for syslog messages
Message-ID: <200103161917.LAA13052@ohm.apl.washington.edu>

To allow easier targeting of users of old protocols I would find it useful for the syslog "Accepted" messages to be more uniform.

1. Include the string "ssh1" for ssh1 connections as is done for ssh2 connections.

2. Change the "publickey" message for ssh2 connections to specify which publickey, "dsa" or "rsa". This is already the case for ssh1.

3. Ensure the ssh1 and ssh2 accepted messages have the same number of fields.

Presently the syslog lines end as:

ssh1:
passwd: Accepted password for user from xxx.xxx.xxx.xxx port 865
rsa   : Accepted rsa for user from xxx.xxx.xxx.xxx port 976

ssh2:
passwd: Accepted password for user from xxx.xxx.xxx.xxx port 901 ssh2
dsa   : Accepted publickey for user from xxx.xxx.xxx.xxx port 697 ssh2
rsa   : Accepted publickey for user from xxx.xxx.xxx.xxx port 600 ssh2

Regards, John

-- 
John Dunlap                         University of Washington
Senior Electrical Engineer          Applied Physics Laboratory
dunlap at apl.washington.edu        1013 NE 40th Street
206-543-7207, 543-1300, FAX 543-6785   Seattle, WA 98105-6698

From ssklar at stanford.edu Sat Mar 17 06:23:29 2001
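John's goal is to find which users still log in over protocol 1 from the "Accepted" lines, and his complaint is that the two formats differ. The following added parser (not code from the thread or from OpenSSH) handles both shapes he lists: it treats the trailing "ssh2" token as the protocol marker and, following his observation that ssh1 lines carry no trailer, classifies a line without it as ssh1. The log lines in `SAMPLE_LOG` are constructed, with invented user names and addresses.

```python
"""Classify sshd 'Accepted' syslog lines by protocol and method.

Added example, not from the thread. The two line formats it understands are
the ones John quotes for OpenSSH 2.5.1:
  Accepted <method> for <user> from <addr> port <port>        (protocol 1)
  Accepted <method> for <user> from <addr> port <port> ssh2   (protocol 2)
"""
import re
from collections import Counter, defaultdict

ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<addr>\S+) "
    r"port (?P<port>\d+)(?: (?P<proto>ssh2))?\s*$"
)

# Constructed sample log; the hosts, users and addresses are invented.
SAMPLE_LOG = """\
Mar 16 10:01:02 host sshd[1001]: Accepted password for alice from 10.0.0.5 port 865
Mar 16 10:02:10 host sshd[1002]: Accepted rsa for bob from 10.0.0.6 port 976
Mar 16 10:03:00 host sshd[1003]: Accepted password for carol from 10.0.0.7 port 901 ssh2
Mar 16 10:04:30 host sshd[1004]: Accepted publickey for dave from 10.0.0.8 port 697 ssh2
Mar 16 10:05:12 host sshd[1005]: Accepted publickey for alice from 10.0.0.5 port 600 ssh2
Mar 16 10:06:00 host sshd[1006]: Failed password for eve from 10.0.0.9 port 700 ssh2
"""


def parse_accepted(line):
    """Return a dict for an 'Accepted' line, or None for anything else (e.g. 'Failed')."""
    m = ACCEPTED_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # Assumption from the thread: no trailer means the login was protocol 1.
    rec["proto"] = rec["proto"] or "ssh1"
    rec["port"] = int(rec["port"])
    return rec


def ssh1_users(log_text):
    """Map each user who logged in over protocol 1 to the set of source addresses."""
    users = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_accepted(line)
        if rec and rec["proto"] == "ssh1":
            users[rec["user"]].add(rec["addr"])
    return dict(users)


def method_summary(log_text):
    """Count accepted logins per (protocol, method) pair."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_accepted(line)
        if rec:
            counts[(rec["proto"], rec["method"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, addrs in sorted(ssh1_users(SAMPLE_LOG).items()):
        print(f"protocol 1 user {user}: {', '.join(sorted(addrs))}")
    for (proto, method), n in sorted(method_summary(SAMPLE_LOG).items()):
        print(f"{proto:5} {method:10} {n}")
```

Feed it a real file with `ssh1_users(open("/var/log/messages").read())`; because the regex anchors on "Accepted" it ignores the other sshd messages in the same file.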
From: ssklar at stanford.edu (Sandor W. Sklar)
Date: Fri, 16 Mar 2001 11:23:29 -0800
Subject: SIGHUP/av[0] restart failure
Message-ID:

Hello,

OpenSSH 2.5.1p1 running under AIX 4.3.3ML06. When I send a HUP signal to the parent sshd, that parent process dies, its children get "adopted" by init, and the following message is put in the error log ...

Mar 13 12:01:48 whippet sshd[31644]: Received SIGHUP; restarting.
Mar 13 12:01:48 whippet sshd[31644]: RESTART FAILED: av[0]='sshd', error: No such file or directory.

The sshd program is not named anything unusual, and is located in /usr/local/sbin. I searched this list (and other places), and found some info related to the above, but not anything that I'd call a solution or a resolution.

Help? Thanks!

-- 
sandor w. sklar                    http://lindy.stanford.edu/~ssklar/
unix systems administrator         polya hall, 255 panama -- mc: 4136
stanford university itss-css       mailto:ssklar at stanford.edu

From ktaylor at eosdata.gsfc.nasa.gov Sat Mar 17 06:27:41 2001
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor)
Date: Fri, 16 Mar 2001 14:27:41 -0500
Subject: X forwarding from Linux -> Irix not working
Message-ID:

I'm logging in from an irix machine to a linux machine (both running openssh-2.5.1p2) and am unable to run any X applications.

I ran a verbose session and this happens:

debug: fd 6 IS O_NONBLOCK
debug: channel 0: new [X11 connection from host port 4572]
debug: X11 connection uses different authentication protocol.
debug: X11 rejected 0 i1/o16
debug: channel 0: read failed
debug: channel 0: input open -> drain
debug: channel 0: close_read
debug: channel 0: input: no drain shortcut
debug: channel 0: ibuf empty
debug: channel 0: input drain -> wait_oclose
debug: channel 0: send ieof
debug: channel 0: write failed
debug: channel 0: output open -> wait_ieof
debug: channel 0: send oclose
debug: channel 0: close_write
debug: X11 closed 0 i4/o64
debug: channel 0: rcvd ieof
debug: channel 0: non-open
channel 0: istate 4 != open
channel 0: ostate 64 != open
debug: channel 0: rcvd oclose
debug: channel 0: input wait_oclose -> closed
X connection to pc07:10.0 broken (explicit kill or server shutdown).

X forwarding is configured for both the servers and clients on both systems...and they have access through tcpwrappers for forwarding.

Also, the X forwarding works when ssh'ing from the Linux machine to the Irix machine.

From Markus.Friedl at informatik.uni-erlangen.de Sat Mar 17 06:34:20 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 16 Mar 2001 20:34:20 +0100
Subject: SIGHUP/av[0] restart failure
In-Reply-To: ; from ssklar@stanford.edu on Fri, Mar 16, 2001 at 11:23:29AM -0800
References:
Message-ID: <20010316203420.A23957@faui02.informatik.uni-erlangen.de>

man sshd:

     sshd rereads its configuration file when it receives a hangup signal,
     SIGHUP, by executing itself with the name it was started as, ie.
     /usr/sbin/sshd.

On Fri, Mar 16, 2001 at 11:23:29AM -0800, Sandor W. Sklar wrote:
> OpenSSH 2.5.1p1 running under AIX 4.3.3ML06. When I send a HUP
> signal to the parent sshd, that parent process dies, it's children
> get "adopted" by init, and the following message is put in the error
> log ...

From ssklar at stanford.edu Sat Mar 17 07:04:44 2001
From: ssklar at stanford.edu (Sandor W. Sklar)
Date: Fri, 16 Mar 2001 12:04:44 -0800
Subject: SIGHUP/av[0] restart failure
In-Reply-To: <20010316203420.A23957@faui02.informatik.uni-erlangen.de>
References: <20010316203420.A23957@faui02.informatik.uni-erlangen.de>
Message-ID:

ok, so in my rc.sshd startup script, when I get to the part where I actually start sshd, I need to specify its full path? I've got ...

PATH=/usr/local/sbin:

... and later ...

sshd

but you are saying that I need to have it start as ...

/usr/local/sbin/sshd

right?

Thanks!

At 8:34 PM +0100 3/16/01, Markus Friedl wrote:
>man sshd:
>
>     sshd rereads its configuration file when it receives a hangup signal,
>     SIGHUP, by executing itself with the name it was started as, ie.
>     /usr/sbin/sshd.
>
>
>On Fri, Mar 16, 2001 at 11:23:29AM -0800, Sandor W. Sklar wrote:
>> OpenSSH 2.5.1p1 running under AIX 4.3.3ML06. When I send a HUP
>> signal to the parent sshd, that parent process dies, it's children
>> get "adopted" by init, and the following message is put in the error
>> log ...

-- 
sandor w. sklar                    http://lindy.stanford.edu/~ssklar/
unix systems administrator         polya hall, 255 panama -- mc: 4136
stanford university itss-css       mailto:ssklar at stanford.edu

From douglas.manton at uk.ibm.com Sat Mar 17 07:07:44 2001
From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com)
Date: Fri, 16 Mar 2001 20:07:44 +0000
Subject: SIGHUP/av[0] restart failure (AIX)
Message-ID: <80256A11.006E93D7.00@d06mta05.portsmouth.uk.ibm.com>

> Mar 13 12:01:48 whippet sshd[31644]: Received SIGHUP; restarting.
> Mar 13 12:01:48 whippet sshd[31644]: RESTART FAILED: av[0]='sshd',
> error: No such file or directory.

My guess is that you started sshd using "sshd" (either from within /usr/local/sbin or with it in your PATH).

> The sshd program is not named anything unusual, and is located in
> /usr/local/sbin.

Have you tried starting it with "/usr/local/sbin/sshd" ?

Personally, I use the AIX system resource controller to manage sshd. This has the advantage of automatically restarting it if it ever falls over. The following command sets it up:

mkssys -s sshd -u 0 -p /usr/local/sbin/sshd -G tcpip -R -S -n 15 -f 9

Now sshd can be controlled with:

startsrc -s sshd
stopsrc -s sshd

Trying to stop the daemon any other way (e.g. kill -9) means it gets automatically restarted by SRC. You kick it off on startup in /etc/rc.tcpip in the same way as inetd, etc...

Hope this is useful!

--------------------------------------------------------
Doug Manton, AT&T EMEA Commercial Security Solutions
E: demanton at att.com
--------------------------------------------------------
"If privacy is outlawed, only outlaws will have privacy"

From wendyp at cray.com Sat Mar 17 08:05:34 2001
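The thread above turns on one detail: re-executing "with the name it was started as" means an execv() of argv[0], and execv() does not search PATH, so a daemon started as a bare "sshd" cannot find itself again from its working directory even though /usr/local/sbin is in PATH. The following is an added demonstration (not OpenSSH code, and it does not run sshd): a child process re-executes itself via `os.execv(argv0, ...)` exactly as a SIGHUP restart would, once with an absolute path and once with a bare name, and reports the same "RESTART FAILED" style outcome. The Python interpreter stands in for /usr/local/sbin/sshd and a fresh temporary directory for the daemon's working directory; both are assumptions of the example.

```python
"""Show why a daemon started by bare name cannot re-exec itself on SIGHUP.

Added example, not from the thread. The child mimics a SIGHUP handler that
does execv(argv[0]); execv() resolves a name without a slash relative to
the current directory only, never via PATH.
"""
import os
import subprocess
import sys
import tempfile

# The child's source: try to execv() the name it was given, report failure the
# way sshd's log line in the thread does, and exit non-zero on failure.
CHILD = (
    "import os, sys\n"
    "name = sys.argv[1]\n"
    "try:\n"
    "    os.execv(name, [name, '-c', 'pass'])\n"
    "except OSError as e:\n"
    "    sys.stderr.write('RESTART FAILED: av[0]=%r, error: %s\\n' % (name, e.strerror))\n"
    "    sys.exit(111)\n"
)


def try_reexec(argv0, cwd):
    """Return True if a child started in `cwd` could re-exec itself as `argv0`."""
    proc = subprocess.run([sys.executable, "-c", CHILD, argv0], cwd=cwd)
    return proc.returncode == 0


def demo():
    """Absolute path vs. bare name, from a working directory that does not contain the binary."""
    cwd = tempfile.mkdtemp()                       # stand-in for the daemon's cwd (assumption)
    full_path = sys.executable                     # stand-in for /usr/local/sbin/sshd (assumption)
    bare_name = os.path.basename(full_path)        # what av[0] looks like when started from PATH
    return try_reexec(full_path, cwd), try_reexec(bare_name, cwd)


if __name__ == "__main__":
    ok_full, ok_bare = demo()
    print("re-exec with absolute path succeeded:", ok_full)
    print("re-exec with bare name succeeded:    ", ok_bare)
```

The practical rule for an rc script follows directly: launch the daemon by its absolute path (or through a supervisor such as the AIX SRC entry Doug shows, which records the absolute path in `-p`), so that the name it sees in argv[0] is one execv() can open later.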
From: wendyp at cray.com (Wendy Palm) Date: Fri, 16 Mar 2001 15:05:34 -0600 Subject: X forwarding from Linux -> Irix not working References: Message-ID: <3AB2801E.7E632F41@cray.com> i'm on indy r5000 running 6.5.9m connecting to a redhat 6.2 both running openssh-2.5.1p2, no tcp wrappers and am experiencing no problems either way. i'd be happy to test anything you like. wendy Kevin Taylor wrote: > > I'm logging in from an irix machine to a linux machine (both running > openssh-2.5.1p2) and am unable to run any X applications. > > I ran a verbose session and this happens: > > debug: fd 6 IS O_NONBLOCK > debug: channel 0: new [X11 connection from host port 4572] > debug: X11 connection uses different authentication protocol. > debug: X11 rejected 0 i1/o16 > debug: channel 0: read failed > debug: channel 0: input open -> drain > debug: channel 0: close_read > debug: channel 0: input: no drain shortcut > debug: channel 0: ibuf empty > debug: channel 0: input drain -> wait_oclose > debug: channel 0: send ieof > debug: channel 0: write failed > debug: channel 0: output open -> wait_ieof > debug: channel 0: send oclose > debug: channel 0: close_write > debug: X11 closed 0 i4/o64 > debug: channel 0: rcvd ieof > debug: channel 0: non-open > channel 0: istate 4 != open > channel 0: ostate 64 != open > debug: channel 0: rcvd oclose > debug: channel 0: input wait_oclose -> closed > X connection to pc07:10.0 broken (explicit kill or server shutdown). > > X forwarding is configured for both the servers and clients on both > systems...and they have access through tcpwrappers for forwarding. > > Also, the X forwarding works when ssh'ing from the Linux machine to the > Irix machine. -- wendy palm Cray OS Sustaining Engineering, Cray Inc. wendyp at cray.com, 651-605-9154 From jon at rupture.net Sat Mar 17 08:44:09 2001 
From: jon at rupture.net (Jon Nathan)
Date: Fri, 16 Mar 2001 16:44:09 -0500 (EST)
Subject: ssh_exchange_identification: Connection closed by remote host
Message-ID:

hello,

i built an ssh 2.5.1p2 package for solaris. it's installed into /usr/local (with sysconfdir=/etc) on an administrative host with write access to /usr/local. other hosts nfs mount /usr/local. i had a script copy the following files generated from the package install into each host's /etc directory:

primes
ssh_prng_cmds
sshd_config
ssh_config

then ran ssh-keygen (copied from the install target of the Makefile) on each machine as well.

i can ssh from the administrative host that actually has the package installed to other hosts, but i cannot ssh from the clients with nfs mounted /usr/local and copied /etc files. i don't see any errors in the logs on the remote host - anyone see what i'm doing wrong?

pluto# which ssh
/usr/local/bin/ssh
pluto# ssh -V
OpenSSH_2.5.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
pluto# ssh jnathan at examplehost
ssh_exchange_identification: Connection closed by remote host
pluto# ssh -v -v -v jnathan at atlsnlb1
OpenSSH_2.5.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug: Reading configuration data /etc/ssh_config
debug: Rhosts Authentication disabled, originating port will not be trusted.
debug: ssh_connect: getuid 0 geteuid 2 anon 1
debug: Connecting to atlsnlb1 [10.8.17.100] port 22.
debug: Connection established.
debug: identity file //.ssh/identity type 3
debug: identity file //.ssh/id_dsa type 3
ssh_exchange_identification: Connection closed by remote host
debug: Calling cleanup 0x45580(0x0)
debug: Calling cleanup 0x4b318(0x0)
debug: writing PRNG seed to file //.ssh/prng_seed
pluto#
pluto# uname -a
SunOS pluto 5.7 Generic_106541-14 sun4u sparc SUNW,Ultra-4
pluto# ls -al /etc/ssh*
-rw-r--r--   1 root     other       1085 Mar 16 16:16 /etc/ssh_config
-rw-------   1 root     other        668 Mar 16 15:44 /etc/ssh_host_dsa_key
-rw-r--r--   1 root     other        600 Mar 16 15:44 /etc/ssh_host_dsa_key.pub
-rw-------   1 root     other        525 Mar 16 15:43 /etc/ssh_host_key
-rw-r--r--   1 root     other        329 Mar 16 15:44 /etc/ssh_host_key.pub
-rw-------   1 root     other        883 Mar 16 15:44 /etc/ssh_host_rsa_key
-rw-r--r--   1 root     other        220 Mar 16 15:44 /etc/ssh_host_rsa_key.pub
-rw-r--r--   1 root     other       1770 Mar 16 16:16 /etc/ssh_prng_cmds
-rw-r--r--   1 root     other          6 Mar 16 16:21 /etc/sshd.pid
-rw-r--r--   1 root     other       1432 Mar 16 16:16 /etc/sshd_config
pluto#
pluto#

thanks,

-jon

-- 
Jon Nathan
jon at rupture.net
http://www.rupture.net/~jon/

From djm at mindrot.org Sat Mar 17 10:29:28 2001
From: djm at mindrot.org (Damien Miller)
Date: Sat, 17 Mar 2001 10:29:28 +1100 (EST)
Subject: News from AIX
In-Reply-To:
Message-ID:

On Thu, 15 Mar 2001, Tim Rice wrote:

> > +#ifdef _AIX
>       ^^^^^
> Do we really want this?
> I'd much rather see HAVE_UINFO_H and HAVE_USERINFO with the
> apropriate tests in configure.in

I think the _AIX is appropriate in this case - usrinfo() doesn't seem to conform to any standard. The name is also short enough and generic enough to appear elsewhere with a completely different function.

-d

-- 
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From andrew at andrew.triumf.ca Sat Mar 17 11:18:32 2001
From: andrew at andrew.triumf.ca (Andrew Daviel)
Date: Fri, 16 Mar 2001 16:18:32 -0800 (PST)
Subject: X forwarding from Linux -> Irix not working
In-Reply-To:
Message-ID:

On Fri, 16 Mar 2001, Kevin Taylor wrote:

> I'm logging in from an irix machine to a linux machine (both running
> openssh-2.5.1p2) and am unable to run any X applications.

I had this the other way around. Turned out that xauth was not being run properly from sshd because /etc/ssh/sshrc existed and was not running xauth.

After you login you can use "xauth\nlist" and it should have a couple of entries and be using an authority file /tmp/ssh-xxxx/cookies.

The path to xauth is set by the configure script but can be overridden in sshd_config.

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security at triumf.ca

From andrew at andrew.triumf.ca Sat Mar 17 11:37:04 2001
From: andrew at andrew.triumf.ca (Andrew Daviel)
Date: Fri, 16 Mar 2001 16:37:04 -0800 (PST)
Subject: "cipher none" alternatives ?
Message-ID:

We are trying to upgrade from SSH1 to OpenSSH/SSH2. I see that configuration support for "cipher NONE" was removed in OpenSSH. Is there an alternative for this ?

We need to move big files (>100Mb) between machines on the Internet. In the past we had used NFS or ftp but want to block those services at one or both ends. Moving them with SSH 1 scp takes quite a bit of CPU effort for encryption. (I had observed that for smaller files scp -c 3des was noticeably slower than NFS/ftp/scp -c none on 100BaseT links, though not on 10BaseT)

The datafiles themselves do not contain sensitive data, but we'd like to use some better authentication method than ftp and preferably something that would easily go through a firewall. As I understood things, scp -c none with RSA authentication offers something like that.

We could presumably use HTTP GET to suck files if they were placed in a webserver tree and use HTTP authentication. I'm not so sure about pushing with POST or PUT.

Any suggestions ? Is it feasible to build OpenSSH with support for cipher none ?

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security at triumf.ca

From tim at multitalents.net Sat Mar 17 11:52:58 2001
From: tim at multitalents.net (Tim Rice)
Date: Fri, 16 Mar 2001 16:52:58 -0800 (PST)
Subject: News from AIX
In-Reply-To: <20010316101126.C23831@greenie.muc.de>
Message-ID:

On Fri, 16 Mar 2001, Gert Doering wrote:

> Hi,
>
> On Thu, Mar 15, 2001 at 05:54:04PM -0800, Tim Rice wrote:
> > > +#ifdef _AIX
> >       ^^^^^
> > Do we really want this?
>
> As usrinfo seems to be AIX-only, and available on *all* AIX versions, I'd
> opt for it.

It may be AIX-only now. But it could be in the "monterey" code base.

>
> gert
>

-- 
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From sxw at dcs.ed.ac.uk Sat Mar 17 11:57:36 2001
From: sxw at dcs.ed.ac.uk (Simon Wilkinson)
Date: Sat, 17 Mar 2001 00:57:36 GMT
Subject: ssh_exchange_identification: Connection closed by remote host
In-Reply-To: Jon Nathan's message of Fri, 16 Mar 2001 16:44:09 -0500
Message-ID: <200103170057.AAA29006@canna.dcs.ed.ac.uk>

> hello,
>
> i built an ssh 2.5.1p2 package for solaris.

Did you build with tcpwrappers enabled? - I've seen this error when trying to ssh to a host that I wasn't in the hosts.allow file for. If tcpwrappers is enabled, you'll need to add the sshd service to that machine's hosts.allow file.

Cheers,

Simon.

From dankamin at cisco.com Sat Mar 17 12:16:42 2001
From: dankamin at cisco.com (Dan Kaminsky)
Date: Fri, 16 Mar 2001 17:16:42 -0800
Subject: "cipher none" alternatives ?
References:
Message-ID: <057601c0ae7f$eea7fc40$0c00040a@na.cisco.com>

Andrew--

Funny, I was just talking about this with one of the dev guys. Here's the problem--while what you're moving doesn't have any security considerations (same here--but I'm moving GPG encrypted files), without a cipher and the associated per-message authentication that goes with it, you have no way to prevent an attacker from injecting arbitrary packets or commands (like rm -rf *). Sure, *you* might be sending trivial messages, but you can't predict what *other* people will send. The crypto prevents their messages from being meaningful.

SSH2 does have a real HMAC per-packet authenticator, and indeed might be amenable to what you describe--essentially, something similar to AH-mode IPSec. But someone else will have to say whether the HMAC is capable of being used in this manner, and performance will never be as high as a full-out null cipher.

Incidentally--if anyone out there is skilled at profiling code, I think the SSH client could use a look. I think there are absolute limits embedded in there as to how fast it may run, because it'll never use up as much CPU as is available to it and will top out at 150-220K/s no matter the speed of the client or server.

Yours Truly,

Dan Kaminsky, CISSP
http://www.doxpara.com

From tim at multitalents.net Sat Mar 17 13:07:20 2001
From: tim at multitalents.net (Tim Rice)
Date: Fri, 16 Mar 2001 18:07:20 -0800 (PST)
Subject: News from AIX
In-Reply-To: 
Message-ID: 

On Sat, 17 Mar 2001, Damien Miller wrote:

> On Thu, 15 Mar 2001, Tim Rice wrote:
> 
> > > +#ifdef _AIX
> > ^^^^^
> > Do we really want this?
> > I'd much rather see HAVE_UINFO_H and HAVE_USERINFO with the
> > appropriate tests in configure.in
> 
> I think the _AIX is appropriate in this case - usrinfo() doesn't seem to
> conform to any standard. The name is also short enough and generic enough
> to appear elsewhere with a completely different function.

Good point. Agreed.

> 
> -d
> 

-- 
Tim Rice		Multitalents	(707) 887-1469
tim at multitalents.net

From abartlet at pcug.org.au Sat Mar 17 14:14:22 2001
From: abartlet at pcug.org.au (Andrew Bartlett)
Date: Sat, 17 Mar 2001 14:14:22 +1100
Subject: sshd executes ~/.ssh/sshrc without using user's shell
Message-ID: <3AB2D68E.D1835CE7@bartlett.house>

I am considering allowing (relatively) untrusted local users onto my fileserver, so they can use SFTP to access their home directories. I have a custom shell, (a taint-mode enabled perl script) that allows users to change their password, which I have modified to only allow a '-c' command for the sftp-server. I have also disabled TCP port forwarding.

However, some reading of the OpenSSH code suggests that, while most commands sshd executes use the user's login shell, the popen call for .ssh/sshrc does not. (session.c:1342 and there-abouts).

Is this an issue? Or do I have bigger things to worry about?

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett
abartlet at pcug.org.au

From jason at dfmm.org Sat Mar 17 13:54:22 2001
From: jason at dfmm.org (Jason Stone)
Date: Fri, 16 Mar 2001 18:54:22 -0800 (PST)
Subject: "cipher none" alternatives ?
In-Reply-To: 
Message-ID: 

> (I had observed that for smaller files scp -c 3des was noticeably
> slower than NFS/ftp/scp -c none on 100BaseT links, though not on
> 10BaseT)

3des is extremely slow, slower by far than almost any other cipher in common usage. I remember someone doing some time trials for different ciphers and posting to the list a couple months ago - check the archives. In any event, try blowfish or aes instead of 3des.

> The datafiles themselves do not contain sensitive data, but we'd like
> to use some better authentication method than ftp and preferably
> something that would easily go through a firewall. As I understood
> things, scp -c none with RSA authentication offers something like
> that.

The scheme you're talking about isn't vulnerable to password sniffing, but it _is_ vulnerable to hijacking. The crypto in this case is serving to authenticate each individual packet as well as hide the data, so when you get rid of the crypto, an attacker can take over either end of the connection, inject packets (containing commands), etc, even though he doesn't know the password.

That said, there are other authentication schemes that avoid sending passwords in the clear. CHAP stores the password in the clear but never sends it over the wire. OPIE (aka, S/Key) is even better as it neither sends nor stores the password in the clear. Before ssh was in wide use, I had my users use opie-ftpd.

> We could presumably use HTTP GET to suck files if they were placed in a
> webserver tree and use HTTP authentication. I'm not so sure about pushing
> with POST or PUT.

You could also use crypto here too.
Most webservers can trivially be ssl wrapped (check out stunnel, sslproxy, etc), some webservers have native support for openssl (apache + mod_ssl is particularly popular), and there are many available ssl webclients (curl, lynx-ssl, etc). You can use either HTTP authentication inside of the ssl stream, or, maybe better, you can require both the client and the server to authenticate each other with ssl certs. (These roughly correspond to password auth and public key auth in ssh.) I'm sure that at least one of these combinations can be configured with a fast, low overhead cipher.

 -Jason

---------------------------
If the Revolution comes to grief, it will be because you and those you lead have become alarmed at your own brutality.
	--John Gardner

From rachit at ensim.com Sat Mar 17 14:52:03 2001
From: rachit at ensim.com (Rachit Siamwalla)
Date: Fri, 16 Mar 2001 19:52:03 -0800
Subject: "cipher none" alternatives ?
References: 
Message-ID: <3AB2DF63.B0E6F433@ensim.com>

> The scheme you're talking about isn't vulnerable to password sniffing, but
> it _is_ vulnerable to hijacking. The crypto in this case is serving to
> authenticate each individual packet as well as hide the data, so when you
> get rid of the crypto, an attacker can take over either end of the
> connection, inject packets (containing commands), etc, even though he
> doesn't know the password.

I'm no crypto guru, but correct me if I'm wrong, can't you just use secure hashes to protect the data? Secure hashes should be a lot faster than crypting the datastream.

-rchit

From mattl at livecapital.com Sat Mar 17 15:06:39 2001
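An added example, written for this page and not taken from any poster or from OpenSSH, of what Jason, Dan and Rachit are discussing: the SSH2 per-packet MAC (hmac-sha1 over sequence_number || unencrypted_packet, the construction later fixed in RFC 4253) gives integrity and replay detection with no cipher at all, while the payload stays readable on the wire. The packet layout is the SSH2 binary packet; the key and the payload are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Cipher block size used for padding; 8 is the minimum the protocol allows.
BLOCK_SIZE = 8
MAC_LEN = hashlib.sha1().digest_size  # hmac-sha1, as offered in the kexinit lists


def build_packet(payload: bytes) -> bytes:
    """Assemble an SSH2 binary packet with no encryption applied:
    uint32 packet_length | byte padding_length | payload | random padding."""
    pad_len = BLOCK_SIZE - ((5 + len(payload)) % BLOCK_SIZE)
    if pad_len < 4:            # the protocol requires at least 4 bytes of padding
        pad_len += BLOCK_SIZE
    body = struct.pack("!B", pad_len) + payload + os.urandom(pad_len)
    return struct.pack("!I", len(body)) + body


def packet_mac(key: bytes, seqno: int, packet: bytes) -> bytes:
    """hmac-sha1 over sequence_number || unencrypted_packet.
    The 32-bit sequence number is implicit (never sent), so a packet that is
    replayed or reordered by a third party fails verification."""
    return hmac.new(key, struct.pack("!I", seqno) + packet, hashlib.sha1).digest()


def send(key: bytes, seqno: int, payload: bytes) -> bytes:
    """Sender side: packet followed by its MAC, nothing encrypted."""
    packet = build_packet(payload)
    return packet + packet_mac(key, seqno, packet)


def receive(key: bytes, seqno: int, wire: bytes):
    """Receiver side: return the payload if the MAC verifies for the expected
    sequence number, otherwise None (a real implementation would disconnect)."""
    if len(wire) < 5 + MAC_LEN:
        return None
    packet, mac = wire[:-MAC_LEN], wire[-MAC_LEN:]
    # Constant-time comparison; the MAC is checked before any field is trusted.
    if not hmac.compare_digest(mac, packet_mac(key, seqno, packet)):
        return None
    (length,) = struct.unpack("!I", packet[:4])
    pad_len = packet[4]
    if length != len(packet) - 4 or pad_len + 1 > length:
        return None
    return packet[5:4 + length - pad_len]


def demo() -> dict:
    """Constructed exchange: a command payload sent with a MAC but no cipher."""
    key = b"constructed shared integrity key"   # would come from the key exchange
    wire = send(key, 3, b"ls -l /data")

    tampered = bytearray(wire)
    tampered[5] ^= 0x01                          # flip one bit of the payload
    return {
        "accepted": receive(key, 3, wire),               # b"ls -l /data"
        "visible_on_wire": b"ls -l /data" in wire,      # True: no confidentiality
        "tampered": receive(key, 3, bytes(tampered)),   # None: MAC mismatch
        "replayed": receive(key, 4, wire),               # None: wrong seqno
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```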
From: mattl at livecapital.com (Lewandowsky, Matt) Date: Fri, 16 Mar 2001 20:06:39 -0800 Subject: SIGHUP/av[0] restart failure Message-ID: <71D01DB8DA698947A6F5D666D62A2DB001C3AC@exchange.livecapital.com> That is what I understand, myself. It tries to respawn itself on SIGHUP, and if you don't have the full path specified it may not be able to find the executable. Try it and see. ;) --Matt P.S. Try Douglas Manton's suggestion for spawning it from SRC. It's another one of those things done right in AIX, IMHO. (Too bad AIX has other funky things making it a poor choice for my needs...) -----Original Message----- From: Sandor W. Sklar To: Markus Friedl Cc: openssh-unix-dev at mindrot.org Sent: 3/16/2001 12:04 PM Subject: Re: SIGHUP/av[0] restart failure ok, so in my rc.sshd startup script, when I get to the part where I actually start sshd, I need to specify its full path? I've got ... PATH=/usr/local/sbin: ... and later ... sshd but you are saying that I need to have it start as ... /usr/local/sbin/sshd right? Thanks! At 8:34 PM +0100 3/16/01, Markus Friedl wrote: >man sshd: > > sshd rereads its configuration file when it receives a hangup signal, > SIGHUP, by executing itself with the name it was started as, ie. > /usr/sbin/sshd. > > >On Fri, Mar 16, 2001 at 11:23:29AM -0800, Sandor W. Sklar wrote: >> OpenSSH 2.5.1p1 running under AIX 4.3.3ML06. When I send a HUP >> signal to the parent sshd, that parent process dies, it's children >> get "adopted" by init, and the following message is put in the error >> log ... -- sandor w. sklar http://lindy.stanford.edu/~ssklar/ unix systems administrator polya hall, 255 panama -- mc: 4136 stanford university itss-css mailto:ssklar at stanford.edu From Dan_Grillo at grillo.net Sat Mar 17 16:41:00 2001 
From: Dan_Grillo at grillo.net (Dan Grillo)
Date: Fri, 16 Mar 2001 21:41:00 -0800
Subject: OpenSSH_2.5.1p2 hang on log out due to unclosed file handles in forked process
Message-ID: <200103170541.VAA57656@grillo.net>

OpenSSH folks,

We've run into a problem with OpenSSH_2.5.1p2 servers that we didn't see before, and I can't reproduce with OpenSSH_2.3.0p1 servers. (OpenSSH_2.3.0p1 seems to work correctly)

We're seeing this bug on Solaris 2.7 and on Linux 2.2.15 machines.

Basically, if you log into a machine, fork a process that leaves stdout, stderr, or stdin open, and try to log out of that machine, your logout will block.

Included is a great description of the bug from another thread and a sample program.

Does anyone know what's going on here?

I'm not subscribed, so direct mail would be great.

Thanks for any ideas,

--Dan

----- Begin forwarded message:

From: Steven Ihde
Subject: Re: openssh hang
To: Daniel Sully
Date: Fri, 16 Mar 2001 15:15:23 -0800

Dan,

Yes, I noticed it as soon as we upgraded to OpenSSH. This might be a red herring, but....

If you fork a process and it doesn't close stdin, stdout, and stderr, OpenSSH will hang at logout until that process DOES close all three. This was not the case with old ssh, nor with telnet.

Put the attached script in your home directory (as foo.pl). If run with no args, it forks a proc that sleeps 5 seconds. If you supply an arg (anything) it will fork, close stdin, stdout, and stderr, and THEN sleep 5 seconds. You will see the following:

> ssh any-host-running-openssh
./foo.pl
Pid is xxxx
> exit
[hangs five seconds!]

> ssh any-host-running-openssh
./foo.pl foo
Pid is xxxx
> exit
[doesn't hang!]

-Steve

#!/usr/bin/perl -w
use strict;

$|=1;   # unbuffered output

# The parent gets the child's pid (true) from fork() and simply exits;
# the child (fork() returns 0) runs the block below.
unless (fork()) {
    print "pid $$\n";
    if (@ARGV > 0) {
        # With any argument: release the session's stdio before sleeping,
        # so sshd has no open channel descriptors left to wait for at logout.
        close(STDIN);
        close(STDOUT);
        close(STDERR);
    }
    system("sleep 5");
}

----- End forwarded message

-- 
Dan Grillo  dan at grillo.net  (650) 917-0685  fax (209)315-7970

From pekkas at netcore.fi Sat Mar 17 19:23:44 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Sat, 17 Mar 2001 10:23:44 +0200 (EET)
Subject: "cipher none" alternatives ?
In-Reply-To: <057601c0ae7f$eea7fc40$0c00040a@na.cisco.com>
Message-ID: 

On Fri, 16 Mar 2001, Dan Kaminsky wrote:
> Incidentally--if anyone out there is skilled at profiling code, I think
> the SSH client could use a look. I think there are absolute limits embedded
> in there as to how fast it may run, because it'll never use up as much CPU
> as is available to it and will top out at 150-220K/s no matter the speed of
> the client or server.

I wonder where you got that 150-220K/s number. That's completely untrue. I've scp'd, using a fast cipher like arcfour (blowfish isn't bad either), files over 100baseTx LAN at the speed of over 5 MB/s or so.

From 16 Oct 2000:
----
On Sat, 14 Oct 2000, Damien Miller wrote:
> Seriously, some of the ciphers offered by SSH2 are pretty fast. These
> are the times it took to scp a 100Mb file to /dev/null via ssh2 over
> localhost:
> 
> P166
> 
> 3des-cbc:      232 sec   431kbps
> blowfish-cbc:   90 sec   1.1Mbps
> arcfour:        71 sec   1.4Mbps
> 
> P3/700
> 
> 3des-cbc:       47 sec   2.1Mbps
> blowfish-cbc:   18 sec,  5.5Mbps
> cast128-cbc:    18 sec,  5.5Mbps
> arcfour:        12 sec   8.3Mbps

[me] I did similar tests on my P2/266 system to see how fast aes128-cbc and rijndael128-cbc were. These were conducted with a 10 MB data off /dev/urandom:

arcfour          3.1 MB/s
blowfish-cbc     2.2 MB/s
cast128-cbc      2.1 MB/s
aes128-cbc       1.6 MB/s
rijndael128-cbc  1.6 MB/s
3des-cbc         0.8 MB/s

(I timed scp to localhost using an empty file to get the authentication overhead, then timed with the real file)
----

Note that these were with localhost-localhost copy. Copying over network isn't significantly slower. With a dual P3/500 and 10k Ultra2 SCSI drives, I've done way more than 5.0 MB/s.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security. 
-- Robert Jordan: A Crown of Swords From dankamin at cisco.com Sun Mar 18 00:04:19 2001 From: dankamin at cisco.com (Dan Kaminsky) Date: Sat, 17 Mar 2001 05:04:19 -0800 Subject: "cipher none" alternatives ? References: Message-ID: <06b601c0aee6$7f646190$0c00040a@na.cisco.com> > On Fri, 16 Mar 2001, Dan Kaminsky wrote: > > Incidentally--if anyone out there is skilled at profiling code, I think > > the SSH client could use a look. I think there are absolute limits embedded > > in there as to how fast it may run, because it'll never use up as much CPU > > as is available to it and will top out at 150-220K/s no matter the speed of > > the client or server. > > I wonder where you got that 150-220K/s number. That's completely untrue. > I've scp'd, using a fast cipher like arcfour (blowfish isn't bad either), > files over 100baseTx LAN at the speed of over 5 MB/s or so. Interesting! Lemme do some experiments... Yes, Cygwin OpenSSH SCP -> Linux OpenSSH manages 280k/s 3DES, 350K/s Blowfish. This is over a wireless card (I use SSH for wireless security), so I might be bumping into limits on this supposed-11MB/s link. You've not done Arcfour with OpenSSH; it's not supported. I'm not sure if I like that or not. My numbers came from port encapsulation figures, rather than scp command encapsulation figures. What numbers have you seen when moving, say, files over a forwarded HTTP link? --Dan From pekkas at netcore.fi Sun Mar 18 00:42:25 2001 
From: pekkas at netcore.fi (Pekka Savola) Date: Sat, 17 Mar 2001 15:42:25 +0200 (EET) Subject: "cipher none" alternatives ? In-Reply-To: <06b601c0aee6$7f646190$0c00040a@na.cisco.com> Message-ID: On Sat, 17 Mar 2001, Dan Kaminsky wrote: > Interesting! Lemme do some experiments... > > Yes, Cygwin OpenSSH SCP -> Linux OpenSSH manages 280k/s 3DES, 350K/s > Blowfish. This is over a wireless card (I use SSH for wireless security), > so I might be bumping into limits on this supposed-11MB/s link. > > You've not done Arcfour with OpenSSH; it's not supported. I'm not sure if I > like that or not. arcfour is supported in SSHv2. > My numbers came from port encapsulation figures, rather than scp command > encapsulation figures. What numbers have you seen when moving, say, files > over a forwarded HTTP link? Do you copy the files over local LAN? If your RTT is high enough, TCP limits might be kicking in if window size is not bumped. For example, FTP transfers about 30 ms way off a Windows NT workstation are limited to about 170 kbytes/sec. -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From djm at mindrot.org Sun Mar 18 01:11:46 2001 From: djm at mindrot.org (Damien Miller) Date: Sun, 18 Mar 2001 01:11:46 +1100 (EST) Subject: "cipher none" alternatives ? In-Reply-To: <06b601c0aee6$7f646190$0c00040a@na.cisco.com> Message-ID: On Sat, 17 Mar 2001, Dan Kaminsky wrote: > You've not done Arcfour with OpenSSH; it's not supported. I'm not > sure if I like that or not. It is supported for ssh2. ssh -2 -oCiphers=arcfour ... -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From dankamin at cisco.com Sun Mar 18 01:24:38 2001 
From: dankamin at cisco.com (Dan Kaminsky) Date: Sat, 17 Mar 2001 06:24:38 -0800 Subject: "cipher none" alternatives ? References: Message-ID: <06fa01c0aeee$0062fa70$0c00040a@na.cisco.com> > > You've not done Arcfour with OpenSSH; it's not supported. I'm not > > sure if I like that or not. > > It is supported for ssh2. ssh -2 -oCiphers=arcfour ... dankamin at CISCO-CD5ZTDFXI ~ $ ssh -h ... -c cipher Select encryption algorithm: ``3des'', ``blowfish'' Self-Documentation trumps--can be a blessing or a curse. --Dan From markus.friedl at informatik.uni-erlangen.de Sun Mar 18 03:33:23 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 17 Mar 2001 17:33:23 +0100 Subject: "cipher none" alternatives ? In-Reply-To: ; from andrew@andrew.triumf.ca on Fri, Mar 16, 2001 at 04:37:04PM -0800 References: Message-ID: <20010317173323.E27674@folly> On Fri, Mar 16, 2001 at 04:37:04PM -0800, Andrew Daviel wrote: > The datafiles themselves do not contain sensitive data, but we'd like to > use some better authentication method than ftp and preferably something > that would easily go through a firewall. As I understood things, scp -c > none with RSA authentication offers something like that. "scp -c none with RSA authentication" does not protect the integrity of the data you transfer. From Markus.Friedl at informatik.uni-erlangen.de Sun Mar 18 03:47:29 2001 
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 17 Mar 2001 17:47:29 +0100 Subject: Minor but annoying bug in sshd in version openssh-2.5.1p2 In-Reply-To: <008d01c0aeff$8ef3a6c0$0200a8c0@ramon>; from cobalt@wanadoo.es on Sat, Mar 17, 2001 at 05:30:12PM +0100 References: <008d01c0aeff$8ef3a6c0$0200a8c0@ramon> Message-ID: <20010317174729.A16859@faui02.informatik.uni-erlangen.de> On Sat, Mar 17, 2001 at 05:30:12PM +0100, Cobalt wrote: > When sshd is started from inetd (sshd -i -f /etc/sshd_config), > the ListenAddress defaults to 0.0.0.0 nevertheless on > sshd_config ListenAddress point to 11.22.33.44 (simulated IP) sshd does not listen at all if started from inetd. sshd's ListenAddress option does not help here, since sshd is not started _before_ somebody actually connects to port 22. you have to fix your inetd configuration if you want to restrict the listen address. From shorty at getuid.de Sun Mar 18 03:19:19 2001 
From: shorty at getuid.de (Christian Kurz)
Date: Sat, 17 Mar 2001 17:19:19 +0100
Subject: Problem with connecting to host running ssh 2.3.0p1
In-Reply-To: <20010315181133.B15456@seteuid.getuid.de>
References: <20010315181133.B15456@seteuid.getuid.de>
Message-ID: <20010317171919.I15456@seteuid.getuid.de>

On 01-03-15 Christian Kurz wrote:
> |debug1: GOT SSH2_MSG_NEWKEYS.
> |debug1: send SSH2_MSG_NEWKEYS.
> |debug1: done: send SSH2_MSG_NEWKEYS.
> |debug1: done: KEX2.
> |debug1: send SSH2_MSG_SERVICE_REQUEST
> | 06 c5 df df cf 9b fd 08 db 73 e8 7b 54 b3 aa d9
> |debug1: compress outgoing: raw data 58, compressed 61, factor 1.05
> |debug1: compress incoming: raw data 0, compressed 0, factor 0.00
> |Disconnecting: Bad packet length 113631199.
> |debug1: Calling cleanup 0x80608ec(0x0)

Even after the update today, I can still reproduce this error. Somehow it seems to be special to the host that I connect to. Has anyone of you a suggestion where I should look for to trace the bug and get the connection working?

Christian
-- 
Love is the process of my leading you gently back to yourself.
                -- Saint Exupery

From Markus.Friedl at informatik.uni-erlangen.de Sun Mar 18 04:06:17 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 17 Mar 2001 18:06:17 +0100 Subject: Problem with connecting to host running ssh 2.3.0p1 In-Reply-To: <20010317171919.I15456@seteuid.getuid.de>; from shorty@getuid.de on Sat, Mar 17, 2001 at 05:19:19PM +0100 References: <20010315181133.B15456@seteuid.getuid.de> <20010317171919.I15456@seteuid.getuid.de> Message-ID: <20010317180617.A18675@faui02.informatik.uni-erlangen.de> please show a full debug output, as well as all involved operating system and host architectures. On Sat, Mar 17, 2001 at 05:19:19PM +0100, Christian Kurz wrote: > On 01-03-15 Christian Kurz wrote: > > |debug1: GOT SSH2_MSG_NEWKEYS. > > |debug1: send SSH2_MSG_NEWKEYS. > > |debug1: done: send SSH2_MSG_NEWKEYS. > > |debug1: done: KEX2. > > |debug1: send SSH2_MSG_SERVICE_REQUEST > > | 06 c5 df df cf 9b fd 08 db 73 e8 7b 54 b3 aa d9 > > |debug1: compress outgoing: raw data 58, compressed 61, factor 1.05 > > |debug1: compress incoming: raw data 0, compressed 0, factor 0.00 > > |Disconnecting: Bad packet length 113631199. > > |debug1: Calling cleanup 0x80608ec(0x0) > > Even after the update today, I can still reproduce this error. Somehow > it seems to be special to the host that I connect to. Has anyone of you > a suggestion where I should look for to trace the bug and get the > connection working? > > Christian > -- > Love is the process of my leading you gently back to yourself. > -- Saint Exupery From celinn at mtu.edu Sun Mar 18 04:53:01 2001 
From: celinn at mtu.edu (Christopher Linn)
Date: Sat, 17 Mar 2001 12:53:01 -0500
Subject: "cipher none" alternatives ?
In-Reply-To: <06fa01c0aeee$0062fa70$0c00040a@na.cisco.com>; from dankamin@cisco.com on Sat, Mar 17, 2001 at 06:24:38AM -0800
References: <06fa01c0aeee$0062fa70$0c00040a@na.cisco.com>
Message-ID: <20010317125301.A32666@mtu.edu>

On Sat, Mar 17, 2001 at 06:24:38AM -0800, Dan Kaminsky wrote:
> > > You've not done Arcfour with OpenSSH; it's not supported. I'm not
> > > sure if I like that or not.
> > 
> > It is supported for ssh2. ssh -2 -oCiphers=arcfour ...
> 
> dankamin at CISCO-CD5ZTDFXI ~
> $ ssh -h
> ...
> -c cipher Select encryption algorithm: ``3des'', ``blowfish''
> 
> Self-Documentation trumps--can be a blessing or a curse.

perhaps the manpage is more current than the embedded help msg? from ssh(1):

[...]
     -c cipher_spec
             Additionally, for protocol version 2 a comma-separated list of
             ciphers can be specified in order of preference. See Ciphers for
             more information.
[...]
     Ciphers
             Specifies the ciphers allowed for protocol version 2 in order of
             preference. Multiple ciphers must be comma-separated. The default
             is ``3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,
             aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,
             rijndael256-cbc,rijndael-cbc at lysator.liu.se''
[...]

> --Dan

chris

-- 
Christopher Linn,                   | By no means shall either the CEC Staff
System Administrator                | or MTU be held in any way liable
Center for Experimental Computation | for any opinions or conjecture I
Michigan Technological University   | hold to or imply to hold herein.

From shorty at getuid.de Sun Mar 18 04:57:59 2001
From: shorty at getuid.de (Christian Kurz)
Date: Sat, 17 Mar 2001 18:57:59 +0100
Subject: Problem with connecting to host running ssh 2.3.0p1
In-Reply-To: <20010317180617.A18675@faui02.informatik.uni-erlangen.de>
References: <20010315181133.B15456@seteuid.getuid.de> <20010317171919.I15456@seteuid.getuid.de> <20010317180617.A18675@faui02.informatik.uni-erlangen.de>
Message-ID: <20010317185759.K15456@seteuid.getuid.de>

[Resend since the first one had a wrong from-header.]

On 01-03-17 Markus Friedl wrote:
> please show a full debug output, as well as all involved
> operating system and host architectures.

My system: Linux i386 (Debian unstable) Kernel 2.4.2-ac17
           ssh from cvs, updated today

Host to connect to: Linux sparc64 (Debian stable) Kernel 2.4.2 SMP
                    SSH Version OpenSSH_2.3.0p1, protocol versions 1.5/2.0.

The debug log is attached. (I just replaced the hostname itself and the IP for protecting the host.)

Christian
-- 
Love is the process of my leading you gently back to yourself.
                -- Saint Exupery

-------------- next part --------------
[seteuid:~]-17> ssh -v host
OpenSSH_2.5.1p3, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: getuid 1000 geteuid 1000 anon 1
debug1: Connecting to host.debian.org [xxx.xxx.xxx.xx] port 22.
debug1: Connection established.
debug1: unknown identity file /home/shorty/.ssh/id_rsa
debug1: identity file /home/shorty/.ssh/id_rsa type -1
debug1: identity file /home/shorty/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.3.0p1
debug1: match: OpenSSH_2.3.0p1 pat ^OpenSSH_2\.3\.0
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.5.1p3
debug1: Seeding random number generator
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug1: got kexinit: ssh-dss
debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug1: got kexinit: none,zlib
debug1: got kexinit: none,zlib
debug1: got kexinit: 
debug1: got kexinit: 
debug1: first kex follow: 0 
debug1: reserved: 0 
debug1: done
debug1: kex: server->client aes128-cbc hmac-md5 zlib
debug1: kex: client->server aes128-cbc hmac-md5 zlib
debug1: Sending SSH2_MSG_KEX_DH_GEX_REQUEST.
debug1: Wait SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: Got SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: dh_gen_key: priv key bits set: 133/256
debug1: bits set: 541/1024
debug1: Sending SSH2_MSG_KEX_DH_GEX_INIT.
debug1: Wait SSH2_MSG_KEX_DH_GEX_REPLY.
debug1: Got SSH2_MSG_KEXDH_REPLY.
debug1: Host 'host.debian.org' is known and matches the DSA host key.
debug1: Found key in /home/shorty/.ssh/known_hosts2:5
debug1: bits set: 510/1024
debug1: len 55 datafellows 128
debug1: ssh_dss_verify: signature correct
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: Enabling compression at level 6.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: send SSH2_MSG_SERVICE_REQUEST
23 06 94 5b e7 3b c8 9f ef ff 5d f2 e1 79 9c a6 
debug1: compress outgoing: raw data 58, compressed 61, factor 1.05
debug1: compress incoming: raw data 0, compressed 0, factor 0.00
Disconnecting: Bad packet length 587633755.
debug1: Calling cleanup 0x80608ec(0x0)

From djm at mindrot.org Sun Mar 18 10:11:11 2001
From: djm at mindrot.org (Damien Miller)
Date: Sun, 18 Mar 2001 10:11:11 +1100 (EST)
Subject: Problem with connecting to host running ssh 2.3.0p1
In-Reply-To: <20010317171919.I15456@seteuid.getuid.de>
Message-ID: 

On Sat, 17 Mar 2001, Christian Kurz wrote:

> On 01-03-15 Christian Kurz wrote:
> > |debug1: GOT SSH2_MSG_NEWKEYS.
> > |debug1: send SSH2_MSG_NEWKEYS.
> > |debug1: done: send SSH2_MSG_NEWKEYS.
> > |debug1: done: KEX2.
> > |debug1: send SSH2_MSG_SERVICE_REQUEST
> > | 06 c5 df df cf 9b fd 08 db 73 e8 7b 54 b3 aa d9
> > |debug1: compress outgoing: raw data 58, compressed 61, factor 1.05
> > |debug1: compress incoming: raw data 0, compressed 0, factor 0.00
> > |Disconnecting: Bad packet length 113631199.
> > |debug1: Calling cleanup 0x80608ec(0x0)
> 
> Even after the update today, I can still reproduce this error. Somehow
> it seems to be special to the host that I connect to. Has anyone of you
> a suggestion where I should look for to trace the bug and get the
> connection working?

What are the host/os that you are connecting from/to? What version of OpenSSH is at each end? Do you have any special ssh client configuration?

-d

-- 
| Damien Miller \   ``E-mail attachments are the poor man's
| http://www.mindrot.org /   distributed filesystem'' - Dan Geer

From tim at multitalents.net Sun Mar 18 13:37:38 2001
From: tim at multitalents.net (Tim Rice)
Date: Sat, 17 Mar 2001 18:37:38 -0800 (PST)
Subject: openssh wish list for 2.6.*
In-Reply-To: 
Message-ID: 

03/17 CVS

Undefined                       first referenced
 symbol                             in file
endusershell                        auth.o
getusershell                        auth.o
setusershell                        auth.o
UX:ld: ERROR: sshd: fatal error: Symbol referencing errors. No output written to sshd

Looks like more needs to be added to openbsd-compat

-- 
Tim Rice		Multitalents	(707) 887-1469
tim at multitalents.net

From tim at multitalents.net Sun Mar 18 13:54:47 2001
From: tim at multitalents.net (Tim Rice) Date: Sat, 17 Mar 2001 18:54:47 -0800 (PST) Subject: getusershell() not portable In-Reply-To: Message-ID: Must be time tor a break. I didn't really mean Subject : Re: openssh wish list for 2.6.* On Sat, 17 Mar 2001, Tim Rice wrote: > > 03/17 CVS > > Undefined first referenced > symbol in file > endusershell auth.o > getusershell auth.o > setusershell auth.o > UX:ld: ERROR: sshd: fatal error: Symbol referencing errors. No output written to > sshd > > Looks like more needs to be added to openbsd-compat > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From ayamura at ayamura.org Sun Mar 18 15:57:00 2001 From: ayamura at ayamura.org (Ayamura KIKUCHI) Date: 18 Mar 2001 13:57:00 +0900 Subject: char *getusershell(); Message-ID: <86bsqzznc3.fsf@sea.ayamura.org> I experienced a problem compiling openssh_cvs with IRIX 6.5.11f. % cc -version MIPSpro Compilers: Version 7.3.1.2m % cc -n32 -mips3 -O2 -OPT:Olimit=0 ..... -c auth.c cc-1515 cc: ERROR File = auth.c, Line = 100 A value of type "int" cannot be assigned to an entity of type "char *". while ((cp = getusershell()) != NULL) ^ 1 error detected in the compilation of "auth.c". *** openssh_cvs/auth.c- Sun Mar 18 12:52:30 2001 --- openssh_cvs/auth.c Sun Mar 18 13:32:20 2001 *************** *** 57,63 **** allowed_user(struct passwd * pw) { struct stat st; ! char *shell, *cp; int i; #ifdef WITH_AIXAUTHENTICATE char *loginmsg; --- 57,63 ---- allowed_user(struct passwd * pw) { struct stat st; ! char *shell, *cp, *getusershell(); int i; #ifdef WITH_AIXAUTHENTICATE char *loginmsg; -- ayamura From mouring at etoh.eviladmin.org Sun Mar 18 16:03:44 2001 
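Review bot: the hunk's fix, adding `*getusershell()` to the local declarator list in allowed_user(), is an old-style declaration with an unspecified parameter list placed inside a function body, and it only silences the MIPSpro "int cannot be assigned to char *" error for that one call at line 100. The link failure reported just above in this thread (endusershell, getusershell and setusershell undefined in auth.o) shows these functions are absent on such platforms, not merely undeclared, so a proper prototype such as `char *getusershell(void);` together with a compat implementation belongs in openbsd-compat/ behind a configure check, not in auth.c.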
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Sat, 17 Mar 2001 23:03:44 -0600 (CST) Subject: char *getusershell(); In-Reply-To: <86bsqzznc3.fsf@sea.ayamura.org> Message-ID: On 18 Mar 2001, Ayamura KIKUCHI wrote: > I experienced a problem compiling openssh_cvs with IRIX 6.5.11f. > > % cc -version > MIPSpro Compilers: Version 7.3.1.2m > > % cc -n32 -mips3 -O2 -OPT:Olimit=0 ..... -c auth.c > cc-1515 cc: ERROR File = auth.c, Line = 100 > A value of type "int" cannot be assigned to an entity of type "char *". > > while ((cp = getusershell()) != NULL) > ^ > > 1 error detected in the compilation of "auth.c". > > *** openssh_cvs/auth.c- Sun Mar 18 12:52:30 2001 > --- openssh_cvs/auth.c Sun Mar 18 13:32:20 2001 > *************** > *** 57,63 **** > allowed_user(struct passwd * pw) > { > struct stat st; > ! char *shell, *cp; > int i; > #ifdef WITH_AIXAUTHENTICATE > char *loginmsg; > --- 57,63 ---- > allowed_user(struct passwd * pw) > { > struct stat st; > ! char *shell, *cp, *getusershell(); Maybe it's me..but this logic really raises hairs on the back of my neck. Standard typecasing does not work? while ((cp = (char *) getusershell()) != NULL) It's much easier to parse and makes more. - Ben From ayamura at ayamura.org Sun Mar 18 17:51:58 2001 From: ayamura at ayamura.org (Ayamura KIKUCHI) Date: 18 Mar 2001 15:51:58 +0900 Subject: char *getusershell(); In-Reply-To: References: Message-ID: <868zm3zi0h.fsf@sea.ayamura.org> > Standard typecasing does not work? > > while ((cp = (char *) getusershell()) != NULL) Yes, it works. Several OS such as IRXI do not have the getusershell(),setusershell() and endusershell() functions so we need to introduce those in a file "openbsd-compat/getusershell.c". -- ayamura From mouring at etoh.eviladmin.org Sun Mar 18 17:55:55 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Sun, 18 Mar 2001 00:55:55 -0600 (CST) Subject: char *getusershell(); In-Reply-To: <868zm3zi0h.fsf@sea.ayamura.org> Message-ID: On 18 Mar 2001, Ayamura KIKUCHI wrote: > > Standard typecasing does not work? > > > > while ((cp = (char *) getusershell()) != NULL) > > Yes, it works. > > Several OS such as IRXI do not have the getusershell(),setusershell() > and endusershell() functions so we need to introduce those in a file > "openbsd-compat/getusershell.c". > Understood.. I sent Tim Rice the getusershell.c from OpenBSD. Since he has a system affected by it. So I'm sure he will commit something in the next day or so. - Ben From shorty at getuid.de Sun Mar 18 21:18:48 2001 
From: shorty at getuid.de (Christian Kurz)
Date: Sun, 18 Mar 2001 11:18:48 +0100
Subject: Problem with connecting to host running ssh 2.3.0p1
In-Reply-To: 
References: <20010317185759.K15456@seteuid.getuid.de>
Message-ID: <20010318111848.M15456@seteuid.getuid.de>

On 01-03-18 Damien Miller wrote:
> On Sat, 17 Mar 2001, Christian Kurz wrote:
> > [Resend since the first one had a wrong from-header.]
> > On 01-03-17 Markus Friedl wrote:
> > > please show a full debug output, as well as all involved
> > > operating system and host architectures.
> > My system: Linux i386 (Debian unstable) Kernel 2.4.2-ac17
> > ssh from cvs, updated today
> > Host to connect to: Linux sparc64 (Debian stable) Kernel 2.4.2 SMP
> > SSH Version OpenSSH_2.3.0p1, protocol versions
> > 1.5/2.0.

> 2.3.0p1 has an endian problem when using rijndael/aes. Either upgrade
> the sparc end or set Ciphers manually.

Thanks for the help. I temporarily set the Ciphers now manually and connecting works again, but the longtime solution will be to upgrade the ssh on sparc.

Christian
-- 
Love is the process of my leading you gently back to yourself.
                -- Saint Exupery

From ratlord at nation-of-rats.net Sun Mar 18 21:05:51 2001
From: ratlord at nation-of-rats.net (Lord of Rats)
Date: Sun, 18 Mar 2001 02:05:51 -0800 (PST)
Subject: SSH not authenticating in Redhat
Message-ID:

I have installed OpenSSH on my brother's Redhat system but it does not want to authenticate any passwords. I have tried connecting using multiple accounts as well as different encryption schemes. I have tried configuring with the option listed for the same problem in Slackware to no avail. Please help. I have also tried talking my brother into using BSD instead to no avail.

-Mark
ratlord at nation-of-rats.net

From pekkas at netcore.fi Mon Mar 19 01:03:36 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Sun, 18 Mar 2001 16:03:36 +0200 (EET)
Subject: CVS server connection bad?
Message-ID:

Hello all,

It'd appear the CVS server bass.directhit.com has been experiencing rather bad connection problems during the last 1-2 weeks. At the moment, I'm getting over 50% packet loss be it from Finland or from the US. Hopefully something will be done about this :-/.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

From mouring at etoh.eviladmin.org Mon Mar 19 02:14:24 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Sun, 18 Mar 2001 09:14:24 -0600 (CST)
Subject: SSH not authenticating in Redhat
In-Reply-To:
Message-ID:

On Sun, 18 Mar 2001, Lord of Rats wrote:
> I have installed OpenSSH on my brother's Redhat system but it does not
> want to authenticate any passwords. I have tried connecting using
> multiple accounts as well as different encryption schemes. I have tried
> configuring with the option listed for the same problem in Slackware to no
> avail. Please help. I have also tried talking my brother into using BSD
> instead to no avail.
>

Redhat should be configured as such:

./configure --prefix={wherever you want} --with-pam
make
make install
cd contrib/redhat/

Copy the sshd.init into your /etc/rc.d/init.d/
Copy the sshd.pam into your /etc/pam.d/ as 'sshd'

Then restart sshd.

or

Just install the RPMs that exist on www.openssh.com/portable.html (you need openssh, openssh-server, and openssh-client only). And go on with life.

I won't get into BSD vs Redhat. I run both and I'm happy with both.

- Ben

From woods at weird.com Mon Mar 19 04:32:59 2001
From: woods at weird.com (Greg A. Woods)
Date: Sun, 18 Mar 2001 12:32:59 -0500 (EST)
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
In-Reply-To:
References: <20010315171451.E457F8C@proven.weird.com>
Message-ID: <20010318173259.157388C@proven.weird.com>

[ On Friday, March 16, 2001 at 10:23:19 (+1100), Damien Miller wrote: ]
> Subject: Re: OpenSSH/scp ->> F-Secure SSH server Problems
>
> On Thu, 15 Mar 2001, Greg A. Woods wrote:
> >
> > Exactly! That's why the "built-in subsystem" feature is a wart!
> > There's no way to enforce implementations to honour the registered
> > names!
>
> So what? If people want to break their systems, then we shouldn't
> stop them. Unix provides no way to _force_ people not to rename 'rm'
> to 'ls' either and it still works pretty well - people don't do it
> because it is _stupid_ to mess with well-known names.

Strangely, with SSHv1 we all learned (or already knew implicitly) how to deal with the problems of command paths and naming (and indeed capabilities and syntax) on SSH servers. This was possible because there was a direct association between the system being connected to and its uniqueness.

SSHv2's "built-in subsystem" introduces a new naming system, and one that will not necessarily be in the direct control of server administrators (but rather with software developers). This new naming system is infinitely harder to deal with from the user level because it now depends on the type of server software running on the target system, not on the former direct relationship with the server system's name and/or address.

SSHv2's "built-in subsystem" is not just not necessary -- it's detrimental to the successful management of users' (and programmers') expectations!

-- 
Greg A. Woods
+1 416 218-0098 VE3TCP Planix, Inc. ; Secrets of the Weird

From jmknoble at jmknoble.cx Mon Mar 19 07:10:40 2001
From: jmknoble at jmknoble.cx (Jim Knoble) Date: Sun, 18 Mar 2001 15:10:40 -0500 Subject: OpenSSH/scp ->> F-Secure SSH server Problems In-Reply-To: <20010318173259.157388C@proven.weird.com>; from woods@weird.com on Sun, Mar 18, 2001 at 12:32:59PM -0500 References: <20010315171451.E457F8C@proven.weird.com> <20010318173259.157388C@proven.weird.com> Message-ID: <20010318151039.C14797@quipu.half.pint-stowp.cx> Circa 2001-Mar-18 12:32:59 -0500 dixit Greg A. Woods: [...] : SSHv2's "built-in subsystem" is not just not necessary -- it's : detrimental to the successful management of user's (and programmer's) : expectations! Greg, others-- This discussion has gone on long enough on the OpenSSH development mailing list. If you don't like the subsystems in Protocol 2, please tell the IETF SECSH protocol working group, not us! The developers here are implementing the RFCs for Protocol 2. Until the protocol changes, things probably won't be done differently here. Please use our time more productively. -- jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/ From djm at mindrot.org Mon Mar 19 10:06:24 2001 From: djm at mindrot.org (Damien Miller) Date: Mon, 19 Mar 2001 10:06:24 +1100 (EST) Subject: char *getusershell(); In-Reply-To: <868zm3zi0h.fsf@sea.ayamura.org> Message-ID: On 18 Mar 2001, Ayamura KIKUCHI wrote: > Several OS such as IRXI do not have the getusershell(),setusershell() > and endusershell() functions so we need to introduce those in a file > "openbsd-compat/getusershell.c". Can you give this patch a try? You will need to run autoreconf after applying. Index: configure.in =================================================================== RCS file: /var/cvs/openssh/configure.in,v retrieving revision 1.266 diff -u -u -r1.266 configure.in --- configure.in 2001/03/17 01:15:38 1.266 +++ configure.in 2001/03/18 23:04:23 
@@ -527,7 +527,7 @@ ) dnl Checks for library functions. -AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_sa clock fchown fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getgrouplist getnameinfo getrlimit getrusage getttyent glob inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setdtablesize setenv seteuid setlogin setproctitle setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strmode strsep strtok_r sysconf tcgetpgrp utimes vsnprintf vhangup vis waitpid _getpty __b64_ntop) +AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_sa clock fchown fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getgrouplist getnameinfo getrlimit getrusage getttyent getusershell glob inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setdtablesize setenv seteuid setlogin setproctitle setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strmode strsep strtok_r sysconf tcgetpgrp utimes vsnprintf vhangup vis waitpid _getpty __b64_ntop) dnl Checks for time functions AC_CHECK_FUNCS(gettimeofday time) dnl Checks for libutil functions Index: defines.h =================================================================== RCS file: /var/cvs/openssh/defines.h,v retrieving revision 1.56 diff -u -u -r1.56 defines.h --- defines.h 2001/02/24 00:55:05 1.56 +++ defines.h 2001/03/18 23:04:23 
@@ -274,6 +274,12 @@ #ifndef _PATH_BSHELL # define _PATH_BSHELL "/bin/sh" #endif +#ifndef _PATH_CSHELL +# define _PATH_CSHELL "/bin/csh" +#endif +#ifndef _PATH_SHELLS +# define _PATH_SHELLS "/etc/shells" +#endif #ifdef USER_PATH # ifdef _PATH_STDPATH Index: openbsd-compat/Makefile.in =================================================================== RCS file: /var/cvs/openssh/openbsd-compat/Makefile.in,v retrieving revision 1.8 diff -u -u -r1.8 Makefile.in --- openbsd-compat/Makefile.in 2001/03/14 00:39:46 1.8 +++ openbsd-compat/Makefile.in 2001/03/18 23:04:23 @@ -16,7 +16,7 @@ INSTALL=@INSTALL@ LDFLAGS=-L. @LDFLAGS@ -OPENBSD=base64.o bindresvport.o daemon.o getcwd.o glob.o getgrouplist.o inet_aton.o inet_ntoa.o mktemp.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtok.o vis.o +OPENBSD=base64.o bindresvport.o daemon.o getcwd.o getgrouplist.o getusershell.o glob.o inet_aton.o inet_ntoa.o mktemp.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtok.o vis.o COMPAT=bsd-arc4random.o bsd-cygwin_util.o bsd-misc.o bsd-nextstep.o bsd-snprintf.o bsd-waitpid.o fake-getaddrinfo.o fake-getnameinfo.o Index: openbsd-compat/getusershell.c =================================================================== RCS file: getusershell.c diff -N getusershell.c --- /dev/null Wed May 6 06:32:27 1998 +++ getusershell.c Mon Mar 19 10:04:23 2001 
@@ -0,0 +1,138 @@ +/* + * Copyright (c) 1985, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "includes.h" +#include "getusershell.h" + +#ifndef HAVE_GETUSERSHELL + +#if defined(LIBC_SCCS) && !defined(lint) +static char rcsid[] = "$OpenBSD: getusershell.c,v 1.2 1996/08/19 08:24:15 tholo Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include + +/* + * Local shells should NOT be added here. They should be added in + * /etc/shells. + */ + +static char *okshells[] = { _PATH_BSHELL, _PATH_CSHELL, NULL }; +static char **curshell, **shells, *strings; +static char **initshells __P((void)); + +/* + * Get a list of shells from _PATH_SHELLS, if it exists. + */ +char * +getusershell() +{ + char *ret; + + if (curshell == NULL) + curshell = initshells(); + ret = *curshell; + if (ret != NULL) + curshell++; + return (ret); +} + +void +endusershell() +{ + + if (shells != NULL) + free(shells); + shells = NULL; + if (strings != NULL) + free(strings); + strings = NULL; + curshell = NULL; +} + +void +setusershell() +{ + + curshell = initshells(); +} + +static char ** +initshells() +{ + register char **sp, *cp; + register FILE *fp; + struct stat statb; + + if (shells != NULL) + free(shells); + shells = NULL; + if (strings != NULL) + free(strings); + strings = NULL; + if ((fp = fopen(_PATH_SHELLS, "r")) == NULL) + return (okshells); + if (fstat(fileno(fp), &statb) == -1) { + (void)fclose(fp); + return (okshells); + } + if ((strings = malloc((u_int)statb.st_size)) == NULL) { + (void)fclose(fp); + return (okshells); + } + shells = calloc((unsigned)statb.st_size / 3, sizeof (char *)); + if (shells == NULL) { + (void)fclose(fp); + free(strings); + strings = NULL; + return (okshells); + } + sp = shells; + cp = strings; + while (fgets(cp, MAXPATHLEN + 1, fp) != NULL) { + while (*cp != '#' && *cp != '/' && *cp != '\0') + cp++; + if (*cp == '#' || *cp == '\0') + continue; + *sp++ = cp; + while (!isspace(*cp) && *cp != '#' && *cp != '\0') + cp++; + *cp++ = '\0'; + } + *sp = NULL; + (void)fclose(fp); + return (shells); +} + +#endif /* HAVE_GETUSERSHELL */ 
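Review bot: in initshells() the strings buffer is sized to statb.st_size but the fgets() loop never checks how much of it is left: each call writes up to MAXPATHLEN + 1 bytes at wherever cp points, so a file made only of path lines ("/bin/sh" plus newline, "/bin/csh" plus newline) gets the NUL of its last line written one byte past the allocation, and a file that grows between fstat() and the reads is written past the end by however much it grew. The shells array has the same shape of problem: it gets st_size / 3 slots, but a file of three-byte entries ("/x" plus newline) yields one pointer per slot and the trailing *sp = NULL then lands outside it. /etc/shells is root-owned, so this is robustness rather than exposure, but a fresh copy is the place to fix it: allocate st_size + 1 and st_size / 3 + 1 (or drop the fstat() sizing and grow as lines are read), and stop the loop once cp + MAXPATHLEN + 1 would pass strings + st_size. Also, the two bare "#include" lines near the top arrive without header names in this mail; the file uses fopen/fgets, malloc/calloc/free, fstat, isspace and MAXPATHLEN, so confirm the committed file pulls in stdio.h, stdlib.h, sys/types.h, sys/stat.h, ctype.h and sys/param.h (directly or via includes.h).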
Index: openbsd-compat/getusershell.h =================================================================== RCS file: getusershell.h diff -N getusershell.h --- /dev/null Wed May 6 06:32:27 1998 +++ getusershell.h Mon Mar 19 10:04:23 2001 @@ -0,0 +1,16 @@ +/* $Id$ */ + +#ifndef _GETUSERSHELL_H +#define _GETUSERSHELL_H + +#include "config.h" + +#ifndef HAVE_GETUSERSHELL + +char *getusershell(void); +void setusershell(void); +void endusershell(void); + +#endif /* HAVE_GETUSERSHELL */ + +#endif /* _GETUSERSHELL_H */ Index: openbsd-compat/openbsd-compat.h =================================================================== RCS file: /var/cvs/openssh/openbsd-compat/openbsd-compat.h,v retrieving revision 1.4 diff -u -u -r1.4 openbsd-compat.h --- openbsd-compat/openbsd-compat.h 2001/03/14 00:39:46 1.4 +++ openbsd-compat/openbsd-compat.h 2001/03/18 23:04:23 @@ -25,6 +25,7 @@ #include "setproctitle.h" #include "getgrouplist.h" #include "glob.h" +#include "getusershell.h" /* Home grown routines */ #include "bsd-arc4random.h" -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From ktaylor at eosdata.gsfc.nasa.gov Mon Mar 19 23:10:02 2001 
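Review bot: the configure.in hunk adds only getusershell to AC_CHECK_FUNCS, but the replacement file is guarded by HAVE_GETUSERSHELL and also defines setusershell() and endusershell(); a libc that has getusershell but lacks either of the other two would pass the check and then fail to link. Either check all three (add setusershell and endusershell to the list and make the guard depend on all of them) or note in the compat file that the three are assumed to come as a set.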
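Review bot: the defines.h hunk fixes _PATH_CSHELL to /bin/csh, and that value goes into okshells, the list initshells() returns whenever _PATH_SHELLS cannot be opened or fstat()ed. On a system without /etc/shells the compat getusershell() therefore reports exactly /bin/sh and /bin/csh as valid, whether or not /bin/csh exists, and nothing else. That mirrors BSD libc, but it is a silent policy choice on every platform that needs this file; a comment beside the define saying that /etc/shells is the real source and these two are only the fallback would save the next porter a surprise.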
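Review bot: the getusershell.h hunk declares the three prototypes only inside #ifndef HAVE_GETUSERSHELL, so on a platform whose libc has getusershell() but whose headers do not declare it (the case that made the (char *) cast earlier in this thread necessary) callers still get an implicit int declaration; moving the prototypes outside the guard, or adding an #else branch for that case, covers both. Also the $Id$ line is the file's only header; the .c carries the OpenBSD copyright block, and the .h should probably get the same so the license status of both new files is explicit.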
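A bounds-checked counterpart to the parser in the patch above, added here as an example; it is not part of the patch or of OpenSSH. It applies the same line rules (a line counts only if, after leading blanks, it starts with '/', and the path ends at the first blank or '#'), but copies each entry into its own allocation as it is read instead of sizing one buffer from fstat(), so neither a growing file nor the trailing NUL can write past the end. The lookup is an exact string comparison, which is what any caller deciding whether a login shell is permitted needs. SAMPLE_SHELLS is a constructed /etc/shells; parsing from memory instead of opening the file is a choice made so the example runs offline (a real replacement would feed the same loop from the file).

```c
/* Added example, not code from the posted patch or from OpenSSH: a
 * bounds-checked parser for the /etc/shells format that getusershell()
 * serves entries from, plus the exact-match lookup such a list exists for.
 * Each entry is copied into its own allocation as it is read, so nothing
 * depends on a size taken from fstat() before the read. Input is a memory
 * buffer so this runs offline; SAMPLE_SHELLS is constructed for the example. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: plain, indented and inline comments, a blank line,
 * leading/trailing blanks, a relative path to ignore, no final newline. */
static const char SAMPLE_SHELLS[] =
    "# /etc/shells: valid login shells\n"
    "/bin/sh\n"
    "   /bin/csh   \n"
    "\n"
    "  # indented comment\n"
    "bin/notabsolute\n"
    "/usr/local/bin/bash # inline comment\n"
    "/bin/ksh";

struct shell_list {
    char **paths;   /* NULL-terminated; each string individually allocated */
    size_t count;
};

void free_shells(struct shell_list *l)
{
    while (l->count > 0)
        free(l->paths[--l->count]);
    free(l->paths);
    l->paths = NULL;
}

/* Same line rules as the BSD parser: a line counts only if, after leading
 * blanks, it starts with '/', and the path ends at the first blank or '#'.
 * Returns 0 on success, -1 if an allocation fails (nothing is leaked). */
int parse_shells(const char *text, size_t len, struct shell_list *out)
{
    const char *p = text, *end = text + len;
    size_t cap = 0;

    out->paths = NULL;
    out->count = 0;
    while (p < end) {
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        const char *eol = nl ? nl : end;        /* last line may lack '\n' */
        const char *line = p, *q;
        char *s;

        p = nl ? nl + 1 : end;
        while (line < eol && isspace((unsigned char)*line))
            line++;
        if (line >= eol || *line != '/')        /* comment, blank, relative */
            continue;
        for (q = line; q < eol && !isspace((unsigned char)*q) && *q != '#'; q++)
            ;
        if (out->count + 2 > cap) {             /* entry plus the NULL end */
            char **np = realloc(out->paths, (cap = cap ? cap * 2 : 8) * sizeof *np);
            if (np == NULL)
                goto fail;
            out->paths = np;
        }
        if ((s = malloc((size_t)(q - line) + 1)) == NULL)
            goto fail;
        memcpy(s, line, (size_t)(q - line));
        s[q - line] = '\0';
        out->paths[out->count++] = s;
    }
    if (out->paths == NULL && (out->paths = malloc(sizeof *out->paths)) == NULL)
        goto fail;                              /* empty file: NULL only */
    out->paths[out->count] = NULL;
    return 0;
fail:
    free_shells(out);
    return -1;
}

/* Exact match only: "/bin/sh " or "/bin/sh/" must not pass for "/bin/sh". */
int shell_allowed(const struct shell_list *l, const char *shell)
{
    for (size_t i = 0; i < l->count; i++)
        if (strcmp(l->paths[i], shell) == 0)
            return 1;
    return 0;
}

/* Sample helper: entry count when shell == NULL, else 1/0; -1 on failure. */
long sample_query(const char *shell)
{
    struct shell_list l;
    long r;
    if (parse_shells(SAMPLE_SHELLS, sizeof SAMPLE_SHELLS - 1, &l) != 0)
        return -1;
    r = shell ? shell_allowed(&l, shell) : (long)l.count;
    free_shells(&l);
    return r;
}
```

Call parse_shells() once per lookup batch and free_shells() afterwards; there is no static state, so unlike getusershell()/endusershell() it is safe to use from two places at once. On the constructed sample it yields four entries, and "bin/notabsolute" and "/bin/sh " (with a trailing blank) are both rejected.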
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor)
Date: Mon, 19 Mar 2001 07:10:02 -0500
Subject: X forwarding from Linux -> Irix not working
References:
Message-ID: <3AB5F71A.591706F3@daac.gsfc.nasa.gov>

Andrew Daviel wrote:
>
> On Fri, 16 Mar 2001, Kevin Taylor wrote:
> >
> > I'm logging in from an irix machine to a linux machine (both running
> > openssh-2.5.1p2) and am unable to run any X applications.
>
> I had this the other way around. Turned out that xauth was not being run
> properly from sshd because /etc/ssh/sshrc existed and was not running
> xauth. After you login you can use "xauth\nlist" and it should have a
> couple of entries and be using an authority file /tmp/ssh-xxxx/cookies.
> The path to xauth is set by the configure script but can be overridden in
> sshd_config.
>
> --

This is interesting. I ssh over to the linux box... xauth is in the path, so I think that's ok... but:

Using authority file /tmp/ssh-hKi16768/cookies
xauth> list
xauth>

I'm not seeing anything there.

The cookies file is 0 bytes... what might be going on here?

-- 
Kevin Taylor
Systems Administrator - DAAC, Code 902, Bldg 32, Rm N126A
Science Systems and Applications, Inc.
Goddard Space Flight Center
Greenbelt, MD 20771
Phone: (301) 614-5505
e-mail: ktaylor at daac.gsfc.nasa.gov

From djm at mindrot.org Mon Mar 19 23:39:50 2001
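The failure Andrew describes, as an added example that is not part of this thread or of OpenSSH: once /etc/ssh/sshrc (or ~/.ssh/rc) exists, sshd(8) runs it instead of calling xauth itself, handing the script the "proto cookie" pair on stdin and DISPLAY in the environment. An rc file that never passes those to xauth leaves the authority file empty, which is exactly the empty "xauth list" and 0-byte cookie file above. The script below is what such an rc file must do, plus a check for the symptom. The "localhost:N" to "unix:N" rewrite follows the sshd(8) man page example; the function names, the SSH_CLIENT guard and the diagnostics are this example's own, and the files it inspects are the two names the man page gives.

```sh
# Added example, not from this thread or from OpenSSH: the xauth step that
# sshd(8) delegates to /etc/ssh/sshrc (or ~/.ssh/rc) as soon as one of those
# files exists. sshd hands the script "proto cookie" on stdin and DISPLAY in
# its environment; an rc file that never passes them to xauth produces the
# empty "xauth list" and 0-byte cookie file seen above. The "localhost:N" ->
# "unix:N" rewrite follows the sshd(8) man page example; everything else is
# this example's own. Meant to be run by /bin/sh.

# Turn sshd's "proto cookie" line (stdin) plus a DISPLAY into the line xauth
# expects on its own stdin. Fails without printing anything if either token
# is missing, so a broken invocation never adds a bogus entry.
build_xauth_add() {
    display=$1
    read -r proto cookie || return 1
    [ -n "$proto" ] && [ -n "$cookie" ] || return 1
    case $display in
        localhost:*) echo "add unix:${display#localhost:} $proto $cookie" ;;
        *)           echo "add $display $proto $cookie" ;;
    esac
}

# Does an rc file mention xauth at all? 0 = yes, 1 = no, 2 = no such file.
# "1" is the failure mode in this thread: sshd runs the file instead of
# running xauth itself, and no cookie is ever installed.
rc_runs_xauth() {
    [ -f "$1" ] || return 2
    grep -q xauth "$1" && return 0
    return 1
}

# The part an rc file must contain. When X11 forwarding was not requested
# (or was refused), DISPLAY is unset and there is nothing to do.
install_forwarded_cookie() {
    [ -n "$DISPLAY" ] || return 0
    build_xauth_add "$DISPLAY" | xauth -q -
}

# Run by hand inside the failing session: report the rc files and whether a
# cookie for the forwarded display exists in the authority file sshd created
# (exported as XAUTHORITY, e.g. /tmp/ssh-XXXX/cookies).
diagnose_x11() {
    for f in /etc/ssh/sshrc "$HOME/.ssh/rc"; do
        rc_runs_xauth "$f" && rc=0 || rc=$?
        case $rc in
            0) echo "$f: present and references xauth" ;;
            1) echo "$f: present but never calls xauth; X11 cookies will be missing" ;;
            2) echo "$f: absent; sshd installs the cookie itself" ;;
        esac
    done
    [ -n "$DISPLAY" ] || { echo "DISPLAY is not set: X11 was not forwarded"; return 0; }
    if xauth list "$DISPLAY" 2>/dev/null | grep -q .; then
        echo "cookie for $DISPLAY present in ${XAUTHORITY:-default authority file}"
    else
        echo "no cookie for $DISPLAY in ${XAUTHORITY:-default authority file}"
    fi
}

# Act only when sshd is running this file as the rc script: SSH_CLIENT is
# set, a display was forwarded, and stdin is sshd's pipe, not a terminal.
# Sourced from an interactive shell it only defines the functions above.
if [ -n "$SSH_CLIENT" ] && [ -n "$DISPLAY" ] && [ ! -t 0 ]; then
    install_forwarded_cookie
fi
```

Installed as /etc/ssh/sshrc the file does the cookie step for every session; sourced in the broken session, `diagnose_x11` prints which rc file is being run and whether the forwarded display has a cookie at all, which separates "sshrc swallowed it" from "xauth was never found" before reading the sshd debug output.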
From: djm at mindrot.org (Damien Miller)
Date: Mon, 19 Mar 2001 23:39:50 +1100 (EST)
Subject: X forwarding from Linux -> Irix not working
In-Reply-To: <3AB5F71A.591706F3@daac.gsfc.nasa.gov>
Message-ID:

On Mon, 19 Mar 2001, Kevin Taylor wrote:
> This is interesting. I ssh over to the linux box... xauth is in the path,
> so I think that's ok... but:
>
> Using authority file /tmp/ssh-hKi16768/cookies
> xauth> list
> xauth>
>
> I'm not seeing anything there.
>
> The cookies file is 0 bytes... what might be going on here?

What does logging into a sshd running in very verbose mode (sshd -d -d -d) say?

-d
-- 
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From ktaylor at eosdata.gsfc.nasa.gov Mon Mar 19 23:49:58 2001
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor) Date: Mon, 19 Mar 2001 07:49:58 -0500 Subject: X forwarding from Linux -> Irix not working References: Message-ID: <3AB60076.78F412E1@daac.gsfc.nasa.gov> Damien Miller wrote: > > On Mon, 19 Mar 2001, Kevin Taylor wrote: > > > This is interesting. I ssh over to the linux box...xauth is in the path, > > so I think that's ok....but: > > > > Using authority file /tmp/ssh-hKi16768/cookies > > xauth> list > > xauth> > > > > I'm not seeing anything there. > > > > The cookies file is 0 bytes.....what might be going on here? > > What does logging into a sshd running in very verbose mode (sshd -d -d -d) > say? > > -d debug1: session_new: init debug1: session_new: session 0 debug1: Enabling compression at level 6. debug1: Allocating pty. debug1: Ignoring unsupported tty mode opcode 11 (0xb) debug1: Ignoring unsupported tty mode opcode 16 (0x10) debug1: Received request for X11 forwarding with auth spoofing. debug2: SSH_PROTOFLAG_SCREEN_NUMBER: 1 debug1: x11_create_display_inet: Socket family 10 not supported debug1: fd 8 setting O_NONBLOCK debug1: fd 8 IS O_NONBLOCK debug1: channel 0: new [X11 inet listener] debug1: Entering interactive session. debug1: Setting controlling tty using TIOCSCTTY. 
debug1: fd 3 setting O_NONBLOCK debug1: fd 7 IS O_NONBLOCK debug1: server_init_dispatch_13 debug1: server_init_dispatch_15 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug2: tvp!=NULL kid 0 mili 10 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug2: tvp!=NULL kid 0 mili 10 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug2: tvp!=NULL kid 0 mili 10 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug2: tvp!=NULL kid 0 mili 10 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 
debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug2: tvp!=NULL kid 0 mili 10 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug2: tvp!=NULL kid 0 mili 10 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 
ostate 16 debug2: tvp!=NULL kid 0 mili 10 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug2: tvp!=NULL kid 0 mili 10 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug2: tvp!=NULL kid 0 mili 10 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug2: tvp!=NULL kid 0 mili 10 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug2: tvp!=NULL kid 0 mili 10 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: 
chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug2: tvp!=NULL kid 0 mili 10 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug2: tvp!=NULL kid 0 mili 10 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug2: tvp!=NULL kid 0 mili 10 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: 
chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug2: tvp!=NULL kid 0 mili 10 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug2: tvp!=NULL kid 0 mili 10 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug2: tvp!=NULL kid 0 mili 10 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug2: tvp!=NULL kid 0 mili 10 debug1: Received SIGCHLD. debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 debug2: tvp!=NULL kid 1 mili 100 debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 -- ---------------------------------------------------------. 
Kevin Taylor \ Systems Administrator - DAAC, Code 902, Bldg 32, Rm N126A / Science Systems and Applications, Inc. \ Goddard Space Flight Center / Greenbelt, MD 20771 \ / Phone: (301) 614-5505 \ e-mail: ktaylor at daac.gsfc.nasa.gov / ----------------------------------------------------------' From ktaylor at eosdata.gsfc.nasa.gov Tue Mar 20 03:29:30 2001 
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor) Date: Mon, 19 Mar 2001 11:29:30 -0500 Subject: X forwarding from Linux -> Irix not working References: <3AB60076.78F412E1@daac.gsfc.nasa.gov> Message-ID: <3AB633EA.2C05161@daac.gsfc.nasa.gov> You can actually take the IRIX machine out of this scenario. I just tried ssh'ing from the linux machine back to itself, and the X authentication isn't working. Kevin Taylor wrote: > > Damien Miller wrote: > > > > On Mon, 19 Mar 2001, Kevin Taylor wrote: > > > > > This is interesting. I ssh over to the linux box...xauth is in the path, > > > so I think that's ok....but: > > > > > > Using authority file /tmp/ssh-hKi16768/cookies > > > xauth> list > > > xauth> > > > > > > I'm not seeing anything there. > > > > > > The cookies file is 0 bytes.....what might be going on here? > > > > What does logging into a sshd running in very verbose mode (sshd -d -d -d) > > say? > > > > -d > > debug1: session_new: init > debug1: session_new: session 0 > debug1: Enabling compression at level 6. > debug1: Allocating pty. > debug1: Ignoring unsupported tty mode opcode 11 (0xb) > debug1: Ignoring unsupported tty mode opcode 16 (0x10) > debug1: Received request for X11 forwarding with auth spoofing. > debug2: SSH_PROTOFLAG_SCREEN_NUMBER: 1 > debug1: x11_create_display_inet: Socket family 10 not supported > debug1: fd 8 setting O_NONBLOCK > debug1: fd 8 IS O_NONBLOCK > debug1: channel 0: new [X11 inet listener] > debug1: Entering interactive session. > debug1: Setting controlling tty using TIOCSCTTY. 
> debug1: fd 3 setting O_NONBLOCK > debug1: fd 7 IS O_NONBLOCK > debug1: server_init_dispatch_13 > debug1: server_init_dispatch_15 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug2: tvp!=NULL kid 0 mili 10 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug2: tvp!=NULL kid 0 mili 10 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug2: tvp!=NULL kid 0 mili 10 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug2: tvp!=NULL kid 0 mili 10 > 
debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug2: tvp!=NULL kid 0 mili 10 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug2: tvp!=NULL kid 0 mili 10 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > 
debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug2: tvp!=NULL kid 0 mili 10 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug2: tvp!=NULL kid 0 mili 10 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug2: tvp!=NULL kid 0 mili 10 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug2: tvp!=NULL kid 0 mili 10 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug2: tvp!=NULL kid 0 mili 10 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: 
chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug2: tvp!=NULL kid 0 mili 10 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug2: tvp!=NULL kid 0 mili 10 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug2: tvp!=NULL kid 0 mili 10 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: 
istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug2: tvp!=NULL kid 0 mili 10 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug2: tvp!=NULL kid 0 mili 10 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug2: tvp!=NULL kid 0 mili 10 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16 > debug2: tvp!=NULL kid 0 mili 10 > debug1: Received SIGCHLD. 
> debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16
> debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate 16
> debug2: tvp!=NULL kid 1 mili 100
> debug3: channel 0: chan_delete_if_full_closed1: istate 1 ostate
> 16
>

From tim at multitalents.net Tue Mar 20 04:27:17 2001
From: tim at multitalents.net (Tim Rice)
Date: Mon, 19 Mar 2001 09:27:17 -0800 (PST)
Subject: Test snapshots
In-Reply-To:
Message-ID:

On Wed, 14 Mar 2001, Damien Miller wrote:

> Could everyone please give the latest snapshots a test? I have just
> pulled in some more OpenSSL libc code to support globbing in the sftp
> client. It works OK on the platforms that I have access to, but that
> isn't many...
>
> Report success/failure and host (as reported by configure).

i586-pc-sco3.2v5.0.4
sparc-sun-solaris2.8

Maybe I don't understand how much globbing it's supposed to be able to
do, but it doesn't seem to work

sftp> dir
drwxrwxr-x    3 tim      trr          4096 Feb 17 10:59 .
drwxr-xr-x   23 tim      trr          4096 Mar 18 17:04 ..
-rw-r--r--    1 tim      trr          2487 Nov 29  1999 tim.rtf
-rw-rw-r--    1 tim      trr          1380 Dec  3  1999 tim.todo
[snip]
-rw-rw-r--    1 tim      trr             0 Feb 17 10:54 cp
sftp> get *.rtf
File "/homes/tim/wp/*.rtf" not found.
sftp> quit

>
> Thanks.
>
> -d
>
>

--
Tim Rice                Multitalents    (707) 887-1469
tim at multitalents.net

From gert at greenie.muc.de Tue Mar 20 04:55:34 2001
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 19 Mar 2001 18:55:34 +0100
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
In-Reply-To: <20010318173259.157388C@proven.weird.com>; from Greg A. Woods on Sun, Mar 18, 2001 at 12:32:59PM -0500
References: <20010315171451.E457F8C@proven.weird.com> <20010318173259.157388C@proven.weird.com>
Message-ID: <20010319185534.E26486@greenie.muc.de>

Hi,

On Sun, Mar 18, 2001 at 12:32:59PM -0500, Greg A. Woods wrote:
> Strangely with SSHv1 we all learned (or already knew implicitly) how to
> deal with the problems of command paths and naming (and indeed
> capabilities and syntax) on SSH servers.  This was possible because
> there was a direct association between the system being connected to,
> and its uniqueness.

I tend to disagree.

With ssh1 it's tricky to get "scp" to work if you're installing ssh/scp
in a non-default path, because you have to fiddle with the default path
settings for the ssh daemon on the target system.

Quite often I have dearly wished a configuration file option "hey, sshd,
if the client requests 'scp', it's in /opt/bin/scp".

Subsystems do this. And I like it.

[..]

> SSHv2's "built-in subsystem" is not just not necessary -- it's
> detrimental to the successful management of user's (and programmer's)
> expectations!

I strongly disagree. As everything is defined in sshd_config, you have
much more freedom than before.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                        //www.muc.de/~gert/
Gert Doering - Munich, Germany                        gert at greenie.muc.de
fax: +49-89-35655025                      gert.doering at physik.tu-muenchen.de

From djm at mindrot.org Tue Mar 20 08:25:46 2001
From: djm at mindrot.org (Damien Miller)
Date: Tue, 20 Mar 2001 08:25:46 +1100 (EST)
Subject: Test snapshots
In-Reply-To:
Message-ID:

On Mon, 19 Mar 2001, Tim Rice wrote:

> On Wed, 14 Mar 2001, Damien Miller wrote:
>
> > Could everyone please give the latest snapshots a test? I have just
> > pulled in some more OpenSSL libc code to support globbing in the sftp
> > client. It works OK on the platforms that I have access to, but that
> > isn't many...
> >
> > Report success/failure and host (as reported by configure).
> i586-pc-sco3.2v5.0.4
> sparc-sun-solaris2.8
>
>
> Maybe I don't understand how much globbing it's supposed to be able to
> do, but it doesn't seem to work

> sftp> get *.rtf
> File "/homes/tim/wp/*.rtf" not found.

That _should_ work :(

Are you sure that you are using the snapshot sftp and a previously
installed version?

-d

--
| Damien Miller \    ``E-mail attachments are the poor man's
| http://www.mindrot.org /          distributed filesystem'' - Dan Geer

From tim at multitalents.net Tue Mar 20 08:51:11 2001
From: tim at multitalents.net (Tim Rice)
Date: Mon, 19 Mar 2001 13:51:11 -0800 (PST)
Subject: Test snapshots
In-Reply-To:
Message-ID:

On Tue, 20 Mar 2001, Damien Miller wrote:

> On Mon, 19 Mar 2001, Tim Rice wrote:
>
> > On Wed, 14 Mar 2001, Damien Miller wrote:
> >
> > > Could everyone please give the latest snapshots a test? I have just
> > > pulled in some more OpenSSL libc code to support globbing in the sftp
> > > client. It works OK on the platforms that I have access to, but that
> > > isn't many...
> > >
> > > Report success/failure and host (as reported by configure).
> > i586-pc-sco3.2v5.0.4
> > sparc-sun-solaris2.8
> >
> >
> > Maybe I don't understand how much globbing it's supposed to be able to
> > do, but it doesn't seem to work
>
> > sftp> get *.rtf
> > File "/homes/tim/wp/*.rtf" not found.
>
> That _should_ work :(
>
> Are you sure that you are using the snapshot sftp and a previously
> installed version?

Actually they were both either last night's or this morning's CVS,
I can't remember which.

>
> -d
>
>

--
Tim Rice                Multitalents    (707) 887-1469
tim at multitalents.net

From jblaine at linus.mitre.org Tue Mar 20 08:51:53 2001
From: jblaine at linus.mitre.org (Jeff Blaine)
Date: Mon, 19 Mar 2001 16:51:53 -0500
Subject: SecurID
Message-ID: <366635518.985020713@jblaine-pc.mitre.org>

When comparing SSH 1.2.27 with OpenSSH 2.5.1 I see that the SecurID
code/patch is not in OpenSSH 2.5.1.

I'm not sure how or why that happened.

Upon looking through the OpenSSH 2.5.1 source, I think I could fairly
easily provide a 'SecurID Authentication Method' patch (which would
rely on -DHAVE_SECURID, -I/blah/securid/include, and
-L/blah/securid/lib... /blah/securid being a proprietary product
from Security Dynamics)

I'm not committing to anything yet, but is this something that will
be welcome if I do it? ... or shall I just hack the source again
to turn auth_password into something that does SecurID only for
our specific needs. Seems silly.

From pekkas at netcore.fi Tue Mar 20 08:57:56 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Mon, 19 Mar 2001 23:57:56 +0200 (EET)
Subject: kbd-int messages after 3 wrong passwords
Message-ID:

Hello all,

Is it intentional that after three unsuccessful logins, the login prompt
changes as kbd-interactive mode is enabled and you receive a non-default
message of failed authentication:

pekkas: /home/pekkas$ ssh localhost
pekkas at localhost's password:
Permission denied, please try again.
pekkas at localhost's password:
Permission denied, please try again.
pekkas at localhost's password:
Password:
Received disconnect from 127.0.0.1: 2: too many failed userauth_requests

This is in auth2-pam.c.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

From rob at hagopian.net Tue Mar 20 09:02:16 2001
From: rob at hagopian.net (Rob Hagopian)
Date: Mon, 19 Mar 2001 17:02:16 -0500 (EST)
Subject: OpenSSH-2.5.1p1 scp hangs when scping into an RH (6.0|7.0) box
In-Reply-To: <20010306021529.4895.qmail@conflict.net>
Message-ID:

Damn... that doesn't help me :-)
                                -Rob

On Tue, 6 Mar 2001, Jim B wrote:

> On Fri, Feb 23, 2001 at 03:24:19AM +0000, Jim Breton wrote:
> > Well, I am now volunteering to be called an *sshole.
> >
> > For some reason, and I promise with *no* changes of which I am aware on
> > either the client or the server machines, this is working fine now
> > (except scp but you already know about that... fyi I get "lost
> > connection" on scp, hopefully that is the error everyone else gets and
> > not something special happening to me ;) ).
>
>
> OK... well if anyone is interested in the mysteries of this thread
> anymore, we seem to have nailed down the problem just a few minutes ago.
>
> The box I was SSHing/SCPing into... had some problem with the RAID array
> (not my box so I don't know the details of that).  After its admin
> noticed some other funky filesystem behaviors, he moved the home dir of
> my account to another spot in the filesystem... and immediately it all
> started working correctly. :P
>
> Sigh. :)
>
>

From rob at hagopian.net Tue Mar 20 09:08:51 2001
From: rob at hagopian.net (Rob Hagopian)
Date: Mon, 19 Mar 2001 17:08:51 -0500 (EST)
Subject: "cipher none" alternatives ?
In-Reply-To:
Message-ID:

There's an older thread about this, you can hack in none support really
easily, but I did performance tests between arcfour and none on Dual PIII
850Mhz machines and there was no significant performance difference. One
of the developers here asked for full profiling info but I haven't had
time to assemble it...
                                -Rob

On Fri, 16 Mar 2001, Andrew Daviel wrote:

>
> We are trying to upgrade from SSH1 to OpenSSH/SSH2.
>
> I see that configuration support for "cipher NONE" was removed in OpenSSH.
>
> Is there an alternative for this ?
>
> We need to move big files (>100Mb) between machines on the Internet. In
> the past we had used NFS or ftp but want to block those services at one or
> both ends. Moving them with SSH 1 scp takes quite a bit of CPU effort for
> encryption. (I had observed that for smaller files scp -c 3des was
> noticeably slower than NFS/ftp/scp -c none on 100BaseT links, though not on
> 10BaseT)
>
> The datafiles themselves do not contain sensitive data, but we'd like to
> use some better authentication method than ftp and preferably something
> that would easily go through a firewall. As I understood things, scp -c
> none with RSA authentication offers something like that.
>
> We could presumably use HTTP GET to suck files if they were placed in a
> webserver tree and use HTTP authentication. I'm not so sure about pushing
> with POST or PUT.
>
> Any suggestions ? Is it feasible to build OpenSSH with support for cipher
> none ?
>
>

From djm at mindrot.org Tue Mar 20 09:10:44 2001
From: djm at mindrot.org (Damien Miller)
Date: Tue, 20 Mar 2001 09:10:44 +1100 (EST)
Subject: SecurID
In-Reply-To: <366635518.985020713@jblaine-pc.mitre.org>
Message-ID:

On Mon, 19 Mar 2001, Jeff Blaine wrote:

> I'm not committing to anything yet, but is this something that will
> be welcome if I do it? ... or shall I just hack the source again
> to turn auth_password into something that does SecurID only for
> our specific needs. Seems silly.

I won't speak for Markus or the other OpenBSD developers, but I don't
believe we should include code for proprietary authentication systems
into OpenSSH.

-d

--
| Damien Miller \    ``E-mail attachments are the poor man's
| http://www.mindrot.org /          distributed filesystem'' - Dan Geer

From markus.friedl at informatik.uni-erlangen.de Tue Mar 20 09:39:06 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 19 Mar 2001 23:39:06 +0100
Subject: OpenSSH/scp ->> F-Secure SSH server Problems
In-Reply-To: <20010318173259.157388C@proven.weird.com>; from woods@weird.com on Sun, Mar 18, 2001 at 12:32:59PM -0500
References: <20010315171451.E457F8C@proven.weird.com> <20010318173259.157388C@proven.weird.com>
Message-ID: <20010319233906.A30491@folly>

On Sun, Mar 18, 2001 at 12:32:59PM -0500, Greg A. Woods wrote:
> Strangely with SSHv1 we all learned (or already knew implicitly) how to
> deal with the problems of command paths and naming (and indeed
> capabilities and syntax) on SSH servers.  This was possible because
> there was a direct association between the system being connected to,
> and its uniqueness.

Strangely scp does not work, while sftp works.

From pekkas at netcore.fi Tue Mar 20 09:02:54 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Tue, 20 Mar 2001 00:02:54 +0200 (EET)
Subject: SecurID
In-Reply-To: <366635518.985020713@jblaine-pc.mitre.org>
Message-ID:

On Mon, 19 Mar 2001, Jeff Blaine wrote:

> When comparing SSH 1.2.27 with OpenSSH 2.5.1 I see that the SecurID
> code/patch is not in OpenSSH 2.5.1.
>
> I'm not sure how or why that happened.
>
> Upon looking through the OpenSSH 2.5.1 source, I think I could fairly
> easily provide a 'SecurID Authentication Method' patch (which would
> rely on -DHAVE_SECURID, -I/blah/securid/include, and
> -L/blah/securid/lib... /blah/securid being a proprietary product
> from Security Dynamics)
>
> I'm not committing to anything yet, but is this something that will
> be welcome if I do it? ... or shall I just hack the source again
> to turn auth_password into something that does SecurID only for
> our specific needs. Seems silly.

I think there was a policy decision against n+1 _proprietary_
authentication mechanisms some time ago.  Could be wrong.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

From Donald.Smith at qwest.com Tue Mar 20 09:45:38 2001
From: Donald.Smith at qwest.com (Smith, Donald )
Date: Mon, 19 Mar 2001 15:45:38 -0700
Subject: SecurID
Message-ID: <2D00AD0E4D36D411BD300008C786E424012584D0@Denntex021.qwest.net>

Jeff;
Theo Schlossnagle has a patch for securid. It works in 2.3 but I haven't had
a chance to try it in 2.5.
Contact:
Author: Theo Schlossnagle

The last time we discussed this there was a "general" agreement that a patch
could be added to the contrib directory.
Is that still the case?

Donald.Smith at qwest.com IP Engineering Security
303-226-9939/0688 Office/Fax
720-320-1537 cell

> -----Original Message-----
> From: Jeff Blaine [mailto:jblaine at linus.mitre.org]
> Sent: Monday, March 19, 2001 2:52 PM
> To: openssh-unix-dev at mindrot.org
> Subject: SecurID
>
>
> When comparing SSH 1.2.27 with OpenSSH 2.5.1 I see that the SecurID
> code/patch is not in OpenSSH 2.5.1.
>
> I'm not sure how or why that happened.
>
> Upon looking through the OpenSSH 2.5.1 source, I think I could fairly
> easily provide a 'SecurID Authentication Method' patch (which would
> rely on -DHAVE_SECURID, -I/blah/securid/include, and
> -L/blah/securid/lib... /blah/securid being a proprietary product
> from Security Dynamics)
>
> I'm not committing to anything yet, but is this something that will
> be welcome if I do it? ... or shall I just hack the source again
> to turn auth_password into something that does SecurID only for
> our specific needs. Seems silly.
>

From jesus at omniti.com Tue Mar 20 09:59:08 2001
From: jesus at omniti.com (Theo E. Schlossnagle)
Date: Mon, 19 Mar 2001 17:59:08 -0500
Subject: SecurID
References: <366635518.985020713@jblaine-pc.mitre.org>
Message-ID: <3AB68F3C.54215263@omniti.com>

Read the archive :-)

Will they accept the patch?  The OpenSSH project has made the policy
clear -- no.

There is a "rogue" patch already for OpenSSH that supports SecurID.  It
is used in production and is considered stable.

http://www.omniti.com/~jesus/projects/

I have not ported the patch up to 2.5.1p1 because I have had _more_
problems with 2.5.1p1 than with 2.3.0p1.  I have not been motivated to
port it (should take 15 minutes and it could even "fuzzy" patch
out-of-the-box).

If people want this ported to 2.5.1p1, I will do it.  I got a slew of
email to port it to 2.3.0p1 and _not a single message_ to port it to
2.5.1p1 -- perhaps people are seeing the same problems I am.  I was
planning on porting on a more "stable" release than 2.5.1p1 (perhaps
2.5.2p1?)

The only issue I have with the OpenSSH group not accepting the patch is
that it makes it more inconvenient for other people to use it.  Other
than that, I could care less.  Many thanks to all of the participants of
the OpenSSH project.  Plain and simple, this product allows me to do my
job.

Jeff Blaine wrote:
>
> When comparing SSH 1.2.27 with OpenSSH 2.5.1 I see that the SecurID
> code/patch is not in OpenSSH 2.5.1.
>
> I'm not sure how or why that happened.
>
> Upon looking through the OpenSSH 2.5.1 source, I think I could fairly
> easily provide a 'SecurID Authentication Method' patch (which would
> rely on -DHAVE_SECURID, -I/blah/securid/include, and
> -L/blah/securid/lib... /blah/securid being a proprietary product
> from Security Dynamics)
>
> I'm not committing to anything yet, but is this something that will
> be welcome if I do it? ... or shall I just hack the source again
> to turn auth_password into something that does SecurID only for
> our specific needs. Seems silly.
--
Theo Schlossnagle
1024D/A8EBCF8F/13BD 8C08 6BE2 629A 527E  2DC2 72C2 AD05 A8EB CF8F
2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7

From djm at mindrot.org Tue Mar 20 10:01:05 2001
From: djm at mindrot.org (Damien Miller)
Date: Tue, 20 Mar 2001 10:01:05 +1100 (EST)
Subject: SecurID
In-Reply-To: <2D00AD0E4D36D411BD300008C786E424012584D0@Denntex021.qwest.net>
Message-ID:

On Mon, 19 Mar 2001, Smith, Donald wrote:

> Jeff;
> Theo Schlossnagle has a patch for securid. It works in 2.3 but I haven't had
> a chance to try it in 2.5.
> Contact:
> Author: Theo Schlossnagle
>
> The last time we discussed this there was a "general" agreement that a patch
> could be added to the contrib directory.
> Is that still the case?

I have no problem with stuff like this living in contrib/

-d

--
| Damien Miller \    ``E-mail attachments are the poor man's
| http://www.mindrot.org /          distributed filesystem'' - Dan Geer

From dankamin at cisco.com Tue Mar 20 10:02:55 2001
From: dankamin at cisco.com (Dan Kaminsky)
Date: Mon, 19 Mar 2001 15:02:55 -0800
Subject: SecurID
References:
Message-ID: <000e01c0b0db$b75ce9e0$126545ab@na.cisco.com>

> On Mon, 19 Mar 2001, Jeff Blaine wrote:
>
> > I'm not committing to anything yet, but is this something that will
> > be welcome if I do it? ... or shall I just hack the source again
> > to turn auth_password into something that does SecurID only for
> > our specific needs. Seems silly.
>
> I won't speak for Markus or the other OpenBSD developers, but I don't
> believe we should include code for proprietary authentication systems
> into OpenSSH.

I'd personally be tempted to make an exception for cryptographic
hardware--beyond FIPS140 certification not being trivial to build nor
achieve, they operate in a domain outside of software while directly
contributing to the OpenSSH mission of increased security.

Beyond even the migration convenience that interfaces to proprietary
interfaces gives us (incidentally--do you have an objection to Cygwin?  Or
even SSH on AIX?), the primary issue with proprietary *anything* is that
it's usually grossly insecure and completely unaudited.  Can we say the same
for authentication systems?  Biometric gadget APIs...yeah, probably
insecure.  SecureID, though?  The best argument against it--the secret hash
function--was eliminated a few months back.  The only proprietary elements
left are the secret keys and the remote API.

Now, it is arguable that such access could, or even should be mediated
through the OS's PAM subsystem...but PAM isn't available for all operating
systems, and is an external dependency in and of itself.

As a security administrator, I cannot argue that SecureID should be
suppressed simply because it's proprietary--it clearly improves security in
certain domains.  I would argue that introducing even an optional dependency
on a library we did not write is a major step, one that I'd like to avoid if
at all possible.
So, Damien--would you have any objection to a SecureID interface that simply
spoke the correct material on the wire to the central authentication server,
but never linked in proprietary APIs?

I speak only for myself, of course :-)

Yours Truly,

    Dan Kaminsky, CISSP
    http://www.doxpara.com

From dankamin at cisco.com Tue Mar 20 10:14:39 2001
From: dankamin at cisco.com (Dan Kaminsky)
Date: Mon, 19 Mar 2001 15:14:39 -0800
Subject: SecurID
References:
Message-ID: <000f01c0b0db$b76c5330$126545ab@na.cisco.com>

> I won't speak for Markus or the other OpenBSD developers, but I don't
> believe we should include code for proprietary authentication systems
> into OpenSSH.

Actually--

Any objection to a "Userspace PAM", i.e. a password authenticating
equivalent to ProxyCommand for proxy tunneling?  I'd probably name it
AuthCommand.

I can imagine this being absolutely trivial to write, and creating
patchless support for *whatever* people wanted to use.  Input would
probably not be appropriate through argv, considering ps issues.  We'd of
course monitor permissions on the password checker.

It seems to me that a guiding philosophy of SSH as a whole has been general
purpose solutions to clustered sets of specific problems.  This seems to
qualify, no?

Yours Truly,

    Dan Kaminsky, CISSP
    http://www.doxpara.com

From dankamin at cisco.com Sun Mar 18 12:11:34 2001
From: dankamin at cisco.com (Dan Kaminsky)
Date: Sat, 17 Mar 2001 17:11:34 -0800
Subject: "cipher none" alternatives ?
References: <20010317173323.E27674@folly>
Message-ID: <000301c0b0db$b480f310$126545ab@na.cisco.com>

> "scp -c none with RSA authentication"
>
> does not protect the integrity of the data you transfer.

Markus--

Say I did something like (yes, I know this wouldn't work out of the box):

ssh -2 -oCiphers none -oMACs hmac-md5 user at host tar czf - bigdir/ | tar xzvf -

Would this maintain packet integrity while maximizing transmission
speed?

Is there any argument for supporting arcfour in SSH2 but *not* SSH1?

--Dan

From djm at mindrot.org Tue Mar 20 12:25:40 2001
From: djm at mindrot.org (Damien Miller)
Date: Tue, 20 Mar 2001 12:25:40 +1100 (EST)
Subject: SecurID
In-Reply-To: <000e01c0b0db$b75ce9e0$126545ab@na.cisco.com>
Message-ID:

On Mon, 19 Mar 2001, Dan Kaminsky wrote:

> As a security administrator, I cannot argue that SecureID should be
> suppressed simply because it's proprietary--it clearly improves security in
> certain domains.

Integrating SecureID is additional complexity which has to be maintained,
i.e. time which could otherwise be spent fixing bugs or adding new features
that everyone can use.

> So, Damien--would you have any objection to a SecureID interface that simply
> spoke the correct material on the wire to the central authentication server,
> but never linked in proprietary APIs?

If it lives in contrib/ I don't mind what it links.

-d

--
| Damien Miller \    ``E-mail attachments are the poor man's
| http://www.mindrot.org /          distributed filesystem'' - Dan Geer

From djm at mindrot.org Tue Mar 20 12:27:22 2001
From: djm at mindrot.org (Damien Miller)
Date: Tue, 20 Mar 2001 12:27:22 +1100 (EST)
Subject: SecurID
In-Reply-To: <000f01c0b0db$b76c5330$126545ab@na.cisco.com>
Message-ID:

On Mon, 19 Mar 2001, Dan Kaminsky wrote:

> Any objection to a "Userspace PAM", i.e. a password authenticating
> equivalent to ProxyCommand for proxy tunneling?  I'd probably name it
> AuthCommand.

I don't understand what you are proposing.

-d

--
| Damien Miller \    ``E-mail attachments are the poor man's
| http://www.mindrot.org /          distributed filesystem'' - Dan Geer

From andrew at andrew.triumf.ca Tue Mar 20 12:53:18 2001
From: andrew at andrew.triumf.ca (Andrew Daviel)
Date: Mon, 19 Mar 2001 17:53:18 -0800 (PST)
Subject: "cipher none" alternatives ?
In-Reply-To:
Message-ID:

On Mon, 19 Mar 2001, Rob Hagopian wrote:

> There's an older thread about this, you can hack in none support really
> easily, but I did performance tests between arcfour and none on Dual PIII
> 850Mhz machines and there was no significant performance difference. One
> of the developers here asked for full profiling info but I haven't had
> time to assemble it...
>                               -Rob

I've spent a bit of time measuring things between two SGI machines - old
and not-quite-so old. These are multiprocessor machines so the total CPU
effort is quite good for data analysis still though a single task like SSH
will lag a new Intel appreciably. I can't remember the clock speed - 120MHz
or something on the older one I think though I believe the MIPS chip needs
less clock cycles per instruction than Pentium (and the floating point's
better)

SGI Irix 6.5 MIPSchip IP27 -> Irix 5.3 MIPSchip IP19 on 100BaseT

4Mb file
times given in seconds (transfer time)/(including setup)
commands e.g. time scp2 -c twofish -P 8122 test.dat remote:/tmp

CIPHER   Transport none DES 3des blowfish twofish arcfour idea cast128 aes128 aes256 rijndael
NFS              2.0
ftp              5.3
HTTP             5.5
openssh          7/12 4/9 5/16 5/18 7/19 9/21 7/17
ssh1             5/6.5 10 22/24 7/8 6/6.2 13
ssh2             21/24 26/29 20/23 19/22 20/23 21/24
ssh1->openssh    11/11 5/5.4
ssh2->openssh    15/19 17/21 19/23
openssh->ssh1    21/28 6/11
openssh->ssh2    15/20 8/12 4/7 10/15

84Mb file
NFS              25.42
ftp              104.29
openssh arcfour  114/127
openssh blowfish 117/130

One of our users was talking about moving gigabytes; I'm not sure if a
single file or little ones. They had complained about the time taken by
ssh1 compared with ftp.
It looks like NFS is easily the fastest, then the unencrypted transfers
with arcfour/blowfish on OpenSSH close behind, if you ignore the setup time
(from when I hit return till when the activity indicator starts)

The system had a normal user load so times are not guaranteed.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security at triumf.ca

From dankamin at cisco.com Tue Mar 20 12:57:42 2001
From: dankamin at cisco.com (Dan Kaminsky)
Date: Mon, 19 Mar 2001 17:57:42 -0800
Subject: SecurID
References:
Message-ID: <003d01c0b0e1$26e92e40$126545ab@na.cisco.com>

> > Any objection to a "Userspace PAM", i.e. a password authenticating
> > equivalent to ProxyCommand for proxy tunneling?  I'd probably name it
> > AuthCommand.
>
> I don't understand what you are proposing.

AuthCommand "/usr/bin/secureid_check secureid.company.com $username $password"

$ /usr/sbin/secureid_check
Usage: /usr/sbin/secureid_check host username password
Returns (or echoes ACCEPTED) 0 if connection accepted.
Returns (or echoes REJECTED: #) 1-255 for various reasons of rejection (this
is for flexibility with other apps).
Echoes maxlength string for insertion in a packet_send_debug("%s", message)
call.

This way, the *entire* process of any non-negotiating authentication API can
be encapsulated away, much in the manner ProxyCommands have been.  Oddly
enough, this would actually work *much* more smoothly than ProxyCommands,
since it modifies a permanent server configuration instead of a temporary
client configuration.

The security concern, of course, is that command line arguments generally
leak into the process tree.  There are ways to solve this--from accepting
arguments on stdin to OS-dependent argv quashing--but I'm open to ideas.

Functionality is obviously limited--particularly in terms of
challenge-response--but would really allow SSH to much more elegantly
support far, far more external authentication systems with very little
effort.

See http://www.itlab.musc.edu/~nafees/mod_auth_any.html for the equivalent
in Apache.

I'll probably hack out a beta this weekend and see if it's anywhere near as
elegant as it sounds.  It's a general purpose solution to a cluster of
specific problems--and it's blissfully userspace.  What more could a guy
want?

Yours Truly,

    Dan Kaminsky, CISSP
    http://www.doxpara.com
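[Editor's added example, not part of the thread and not Dan Kaminsky's beta or any OpenSSH code: a sketch of the AuthCommand idea above with the argv-leak problem he names handled by passing the username and password to the checker on stdin, plus the "monitor permissions on the password checker" step. The exit-status convention (0 accepted, 1-255 rejected) and the ACCEPTED/REJECTED echo follow his usage text; the helper script, the credential, the server name `auth.example.com`, the 256-byte message cap and the function names are constructed for the example.]

```python
# Added example (not OpenSSH code): an AuthCommand-style external password
# check done the safe way.  Only the helper path and its server name sit in
# argv; username and password go to the helper on stdin as two lines, so
# `ps` never shows them.  Exit status 0 = accepted, 1-255 = rejected, and the
# helper's first stdout line is kept for a packet_send_debug()-style message.
import os
import stat
import subprocess
import sys
import tempfile
import textwrap
from dataclasses import dataclass

MAX_DEBUG_MSG = 256  # assumed cap on the message handed back to the server


@dataclass
class AuthResult:
    accepted: bool
    status: int    # helper exit status: 0 accepted, 1-255 rejected
    message: str   # first line the helper printed, truncated to MAX_DEBUG_MSG


def helper_permissions_ok(path, trusted_uids=(0,)):
    """Refuse a checker that is not owned by a trusted uid or that group/others
    can write: whoever can edit the helper decides who may log in."""
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def run_auth_command(argv, username, password, timeout=10.0):
    """Run the external checker and map its exit status to an AuthResult."""
    if "\n" in username or "\n" in password:
        # line-delimited protocol: a newline could smuggle in a second field
        return AuthResult(False, 255, "REJECTED: 255 bad characters in credentials")
    try:
        proc = subprocess.run(
            argv,
            input=f"{username}\n{password}\n",   # credentials on stdin, never argv
            capture_output=True,
            text=True,
            timeout=timeout,
        )
    except (OSError, subprocess.TimeoutExpired) as exc:
        # a missing or hung helper is a rejection, never an acceptance
        return AuthResult(False, 255, f"REJECTED: 255 helper failed ({type(exc).__name__})")
    first_line = proc.stdout.splitlines()[0] if proc.stdout else ""
    # a signal death gives a negative returncode; fold it into the 1-255 range
    status = 0 if proc.returncode == 0 else ((proc.returncode & 0xFF) or 255)
    return AuthResult(proc.returncode == 0, status, first_line[:MAX_DEBUG_MSG])


# Constructed stand-in for a site checker (a real one would talk to the
# authentication server).  It takes the server name from argv and the two
# credential lines from stdin, then follows the exit-status convention.
DEMO_HELPER_SOURCE = textwrap.dedent('''\
    import sys
    server = sys.argv[1]                          # harmless to expose in ps
    KNOWN = {"alice": "correct-horse-battery"}    # constructed test credential
    user = sys.stdin.readline().rstrip("\\n")
    password = sys.stdin.readline().rstrip("\\n")
    if KNOWN.get(user) == password:
        print("ACCEPTED")
        sys.exit(0)
    print("REJECTED: 2 bad credentials")
    sys.exit(2)
''')


def install_demo_helper(directory):
    path = os.path.join(directory, "demo_check.py")
    with open(path, "w") as fh:
        fh.write(DEMO_HELPER_SOURCE)
    os.chmod(path, 0o700)
    return path


def demo():
    """Exercise accept, reject, newline smuggling and the permission check."""
    with tempfile.TemporaryDirectory() as tmp:
        path = install_demo_helper(tmp)
        argv = [sys.executable, path, "auth.example.com"]
        good = run_auth_command(argv, "alice", "correct-horse-battery")
        bad = run_auth_command(argv, "alice", "wrong")
        smuggled = run_auth_command(argv, "alice\nbob", "x")
        tight = helper_permissions_ok(path, trusted_uids=(os.getuid(),))
        os.chmod(path, 0o777)                     # world-writable: must now fail
        loose = helper_permissions_ok(path, trusted_uids=(os.getuid(),))
        return good, bad, smuggled, tight, loose


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The design keeps the failure cases on the rejecting side: a helper that cannot be started, times out, or dies from a signal never yields `accepted`. What the sketch does not attempt is the multi-step challenge-response case (a next-token prompt), which the proposal itself lists as the limitation of a one-shot AuthCommand.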
From: dbt at meat.net (David Terrell) Date: Mon, 19 Mar 2001 18:25:22 -0800 Subject: "cipher none" alternatives ? In-Reply-To: <000301c0b0db$b480f310$126545ab@na.cisco.com>; from dankamin@cisco.com on Sat, Mar 17, 2001 at 05:11:34PM -0800 References: <20010317173323.E27674@folly> <000301c0b0db$b480f310$126545ab@na.cisco.com> Message-ID: <20010319182522.B28009@pianosa.catch22.org> On Sat, Mar 17, 2001 at 05:11:34PM -0800, Dan Kaminsky wrote: > > "scp -c none with RSA authentication" > > > > does not protect the integrity of the data you transfer. > > Markus-- > > Say I did something like(yes, I know this wouldn't work out of the box): > > ssh -2 -oCiphers none -oMACs hmac-md5 user at host tar czf - bigdir/ | tar > xzvf - > > Would this maintain packet integrity while maximizing transmission > speed? > > Is there any argument for supporting arcfour in SSH2 but *not* SSH1? Yes, the security problems in ssh1 (the weak CRC) are more easily exploited with [A]RC4. -- David Terrell | "Instead of plodding through the equivalent of Prime Minister, NebCorp | literary Xanax, the pregeeks go for sci-fi and dbt at meat.net | fantasy: LSD in book form." - Benjy Feen, http://wwn.nebcorp.com | http://www.monkeybagel.com/ "Origins of Sysadmins" From jesus at omniti.com Tue Mar 20 14:28:43 2001 
From: jesus at omniti.com (Theo E. Schlossnagle) Date: Mon, 19 Mar 2001 22:28:43 -0500 Subject: SecurID References: <003d01c0b0e1$26e92e40$126545ab@na.cisco.com> Message-ID: <3AB6CE6B.635FE5D1@omniti.com> Dan Kaminsky wrote: > > > > Any objection to a "Userspace PAM", i.e. a password authenticating > > > equivalent to ProxyCommand for proxy tunneling? I'd probably name it > > > AuthCommand. > > > > I don't understand what you are proposing. > > AuthCommand "/usr/bin/secureid_check secureid.company.com $username > $password" I don't understand. There are existing PAM SecurID implementations. OpenSSH already supports PAM. It uses the kbd-interactive feature in protocol 2 of ssh. There are also implementations that will just do "dumb" SecurID authentication using a normal PAM security check module. PAM is great.. This is what it is designed for. The reason there is a patch is that SecurID can have multiple interaction before a successful login (it can request the next FOB token). So, it needs to be integrated with SSH so that services like CVS and rsync will still work. ssh1 is still used widely (as a client), so supporting it only via PAM won't work (needs ssh2 to work right). I will talk with Damien directly about putting the patch in contrib/. -- Theo Schlossnagle 1024D/A8EBCF8F/13BD 8C08 6BE2 629A 527E 2DC2 72C2 AD05 A8EB CF8F 2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7 From jk987hg67 at yahoo.com Mon Mar 19 07:32:41 2001 
From: jk987hg67 at yahoo.com (jk987hg67 at yahoo.com) Date: 19 Mar 01 7:32:41 PM Subject: Do you enjoy having guests over for dinner in your home? Message-ID: If you are the type of person who enjoys hosting dinner parties in your home, and you want to make your next dinner party your best dinner party, our clients internet store is a must visit for you. Our client's internet store sells only the finest tabletop merchandise of it's kind available anywhere in the world, and is available to you only a click away. The store itself, located in one of the most exclusive areas of the world, sells everything you will need to set the perfect table for the perfect dinner party. The merchandise includes some of the finest flatware, dishware, glasses, salad bowls, candle holders, and many other tabletop products from all over the world that you will need for a memorable occasion in your home. The store also sells many different kinds of hard to get antique tableware. The store owner is also available for consultation on the design and layout of tables for any occasion. If you want to make your next dinner party your best dinner party, and have even your most well traveled of dinner guests impressed at the design and layout of your table, and wondering where you have purchased the merchandise on your table, then please email k5k123 at aol.com @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ This mailing is done by an independent marketing co. We apologize if this message has reached you in error. Save the Planet, Save the Trees! Advertise via E mail. No wasted paper! Delete with one simple keystroke! Less refuse in our Dumps! This is the new way of the new millennium To be removed please email g14toy at yahoo.com with the word "remove" in the subject line. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ From karn at ka9q.net Tue Mar 20 15:23:45 2001 
From: karn at ka9q.net (Phil Karn) Date: Mon, 19 Mar 2001 20:23:45 -0800 Subject: Problem with connecting to host running ssh 2.3.0p1 In-Reply-To: (message from Damien Miller on Sun, 18 Mar 2001 10:11:11 +1100 (EST)) References: Message-ID: <200103200423.f2K4NjQ17478@patty.ka9q.net> I'm seeing this same problem: bash-2.03$ ssh xing 1b dc 08 20 f8 27 6e b2 22 ab f3 f9 4d 4a b6 06 Disconnecting: Bad packet length 467404832. The local client is openssh2.5.2p1. The local system is a P3 laptop running Debian Linux and the 2.2.18 kernel. The remote machine is a Sparc running openssh-2.3.0p1. The problem only occurs with protocol version 2. Version 1 works normally. I see the problem with another remote Sparc, that one running 2.5.1p1. I guess the common theme is "Sparc server". Phil From djm at mindrot.org Tue Mar 20 15:32:37 2001 
From: djm at mindrot.org (Damien Miller) Date: Tue, 20 Mar 2001 15:32:37 +1100 (EST) Subject: Problem with connecting to host running ssh 2.3.0p1 In-Reply-To: <200103200423.f2K4NjQ17478@patty.ka9q.net> Message-ID: On Mon, 19 Mar 2001, Phil Karn wrote: > I'm seeing this same problem: > > bash-2.03$ ssh xing > 1b dc 08 20 f8 27 6e b2 22 ab f3 f9 4d 4a b6 06 > Disconnecting: Bad packet length 467404832. > > The local client is openssh2.5.2p1. The local system is a P3 laptop > running Debian Linux and the 2.2.18 kernel. The remote machine is > a Sparc running openssh-2.3.0p1. > > The problem only occurs with protocol version 2. Version 1 works normally. > > I see the problem with another remote Sparc, that one running 2.5.1p1. > I guess the common theme is "Sparc server". A fix for the endian problem went in between 2.5.1p1 and 2.5.2p2, so you are running the last bad version :) If you upgrade to the just-released 2.5.2p1 then all should be well. The problem is showing more often now as recent OpenSSH versions use Rijndael/AES as the default SSH2 cipher. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From karn at ka9q.net Tue Mar 20 15:42:10 2001 From: karn at ka9q.net (Phil Karn) Date: Mon, 19 Mar 2001 20:42:10 -0800 Subject: Problem with connecting to host running ssh 2.3.0p1 In-Reply-To: (message from Damien Miller on Tue, 20 Mar 2001 15:32:37 +1100 (EST)) References: Message-ID: <200103200442.f2K4gAD17677@patty.ka9q.net> >A fix for the endian problem went in between 2.5.1p1 and 2.5.2p2, so you >are running the last bad version :) If you upgrade to the just-released >2.5.2p1 then all should be well. Sorry, can you explain in more detail? Where is the endian problem? Is it triggered by a new client simply by a change in the default cipher? Phil From djm at mindrot.org Tue Mar 20 15:52:06 2001 
From: djm at mindrot.org (Damien Miller) Date: Tue, 20 Mar 2001 15:52:06 +1100 (EST) Subject: Problem with connecting to host running ssh 2.3.0p1 In-Reply-To: <200103200442.f2K4gAD17677@patty.ka9q.net> Message-ID: On Mon, 19 Mar 2001, Phil Karn wrote: > >A fix for the endian problem went in between 2.5.1p1 and 2.5.2p2, so you > >are running the last bad version :) If you upgrade to the just-released > >2.5.2p1 then all should be well. > > Sorry, can you explain in more detail? Where is the endian problem? > Is it triggered by a new client simply by a change in the default cipher? Our Rijndael implementation was not having the correct endian macros defined and was defaulting to little endian in all cases. This bug exists in all OpenSSH versions which supported Rijndael up to (and including) 2.5.1p1. However, for versions before 2.5.1, the problem didn't usually manifest because rijndael/aes was a fair way down on the list of ciphers that were negotiated (unless the user specified Ciphers themselves). Recent versions have moved Rijndael/AES to the top of the list so that it is always negotiated if the client & server support it. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From karn at ka9q.net Tue Mar 20 16:11:36 2001 From: karn at ka9q.net (Phil Karn) Date: Mon, 19 Mar 2001 21:11:36 -0800 Subject: Problem with connecting to host running ssh 2.3.0p1 In-Reply-To: (message from Damien Miller on Tue, 20 Mar 2001 15:52:06 +1100 (EST)) References: Message-ID: <200103200511.f2K5BaA17931@patty.ka9q.net> Now I understand fully, many thanks. This should probably get written up on the web page as many others are likely to run into it. I had already backed out the 2.5.2p1 release on my machines when I saw your note. I guess the best workaround (if you can't upgrade some particular remote server) is to specify -c 3des on the local command line. Phil From djm at mindrot.org Tue Mar 20 16:17:23 2001 
From: djm at mindrot.org (Damien Miller) Date: Tue, 20 Mar 2001 16:17:23 +1100 (EST) Subject: Problem with connecting to host running ssh 2.3.0p1 In-Reply-To: <200103200511.f2K5BaA17931@patty.ka9q.net> Message-ID: On Mon, 19 Mar 2001, Phil Karn wrote: > Now I understand fully, many thanks. This should probably get written > up on the web page as many others are likely to run into it. I had > already backed out the 2.5.2p1 release on my machines when I saw your > note. IIRC it was in the release notes for 2.5.1p2. We should have a section detailing updates in portable releases though. > I guess the best workaround (if you can't upgrade some particular > remote server) is to specify -c 3des on the local command line. You could also add "Ciphers 3des-cbc,blowfish-cbc,cast128-cbc,arcfour" to ssh_config or ~/.ssh/config -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From tim at multitalents.net Tue Mar 20 16:51:41 2001 
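Added illustration (not OpenSSH code) of why the wrong endian default ends in "Bad packet length": the bytes are the block from Phil's dump, the SSH2 length bounds are assumptions (256 KiB is OpenSSH's packet limit as I recall it), and the two loaders show how a byte-order-dependent word load gives a different answer on each side of a Sparc-to-x86 connection.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed from Phil's report: the 16 bytes the client dumped right
 * before "Bad packet length 467404832". Assumption: this is the first
 * cipher block after decryption with the mis-built Rijndael. */
static const uint8_t BAD_BLOCK[16] = {
    0x1b, 0xdc, 0x08, 0x20, 0xf8, 0x27, 0x6e, 0xb2,
    0x22, 0xab, 0xf3, 0xf9, 0x4d, 0x4a, 0xb6, 0x06
};

/* Sanity bounds for SSH2 packet_length: at least padding_length plus four
 * bytes of padding, at most 256 KiB (assumed OpenSSH limit, from memory). */
#define SSH2_PACKET_MIN (1u + 4u)
#define SSH2_PACKET_MAX (256u * 1024u)

/* Portable big-endian load, byte by byte: identical result on Sparc and
 * x86. A cipher's GETU32 macro must do this, not reinterpret memory. */
static uint32_t getu32_be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Host-order reinterpretation: what a Rijndael core effectively does when
 * its endian macro is wrong for the machine it runs on. Key schedule and
 * state words then differ from the peer's, so decryption yields garbage
 * instead of the packet header. */
static uint32_t getu32_host(const uint8_t *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

static int host_is_big_endian(void)
{
    const uint32_t probe = 0x01020304u;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 0x01;
}

/* packet_length is the first uint32 of the decrypted block, big-endian on
 * the wire regardless of either host's byte order. */
static uint32_t ssh2_packet_length(const uint8_t *block)
{
    return getu32_be(block);
}

/* The guard that turns garbage into "Disconnecting: Bad packet length"
 * instead of an attempt to read roughly 446 MiB of packet. */
static int packet_length_sane(uint32_t len)
{
    return len >= SSH2_PACKET_MIN && len <= SSH2_PACKET_MAX;
}

int main(void)
{
    uint32_t len = ssh2_packet_length(BAD_BLOCK);
    printf("packet_length from dump: %u (%s)\n", (unsigned)len,
           packet_length_sane(len) ? "sane" : "bad, disconnect");
    printf("host is %s-endian; native load of the same bytes: 0x%08x\n",
           host_is_big_endian() ? "big" : "little",
           (unsigned)getu32_host(BAD_BLOCK));
    return 0;
}
```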
From: tim at multitalents.net (Tim Rice) Date: Mon, 19 Mar 2001 21:51:41 -0800 (PST) Subject: Test snapshots In-Reply-To: Message-ID: On Tue, 20 Mar 2001, Damien Miller wrote: > On Mon, 19 Mar 2001, Tim Rice wrote: > > > On Wed, 14 Mar 2001, Damien Miller wrote: > > > > > Could everyone please give the latest snapshots a test? I have just > > > pulled in some more OpenSSL libc code to support globbing in the sftp > > > client. It works OK on the platforms that I have access to, but that > > > isn't many... > > > > > > Report success/failure and host (as reported by configure). > > i586-pc-sco3.2v5.0.4 > > sparc-sun-solaris2.8 > > > > > > Maybe I don't understand how much globbing it's supposed to be able to > > do, but it doesn't seem to work > > > sftp> get *.rtf > > File "/homes/tim/wp/*.rtf" not found. > > That _should_ work :( > > Are you sure that you are using the snapshot sftp and a previously > installed version? Did more testing with 2.5.2. Client Server Status Host: i686-pc-linux-gnu Host: i486-pc-sco3.2v4.2 OK Host: i586-pc-sco3.2v5.0.4 OK Host: sparc-sun-solaris2.8 OK Host: i586-sco-sysv5uw7.1.0 OK Host: i486-pc-sco3.2v4.2 * Fail Host: i586-pc-sco3.2v5.0.4 * Fail Host: sparc-sun-solaris2.8 * Fail Host: i586-sco-sysv5uw7.1.0 * Fail > > -d > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From djm at mindrot.org Tue Mar 20 16:48:46 2001 
From: djm at mindrot.org (Damien Miller) Date: Tue, 20 Mar 2001 16:48:46 +1100 (EST) Subject: Test snapshots In-Reply-To: Message-ID: On Mon, 19 Mar 2001, Tim Rice wrote: > > > sftp> get *.rtf > > > File "/homes/tim/wp/*.rtf" not found. > > > > That _should_ work :( > > > > Are you sure that you are using the snapshot sftp and a previously > > installed version? > > Did more testing with 2.5.2. > > Client Server Status > > Host: i686-pc-linux-gnu > Host: i486-pc-sco3.2v4.2 OK > Host: i586-pc-sco3.2v5.0.4 OK > Host: sparc-sun-solaris2.8 OK > Host: i586-sco-sysv5uw7.1.0 OK > > > Host: i486-pc-sco3.2v4.2 * Fail > Host: i586-pc-sco3.2v5.0.4 * Fail > Host: sparc-sun-solaris2.8 * Fail > Host: i586-sco-sysv5uw7.1.0 * Fail hmmm, is it using the openbsd-compat/glob.c or the system one? what does 'sftp -v -v -v' say about the matter? -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From charles at comm.polymtl.ca Tue Mar 20 17:40:29 2001 From: charles at comm.polymtl.ca (Charles Levert) Date: Tue, 20 Mar 2001 01:40:29 -0500 Subject: [2.5.2p1] openbsd-compat/glob.c: ARG_MAX not defined, alternative Message-ID: <200103200640.BAA28132@faucon.comm.polymtl.ca> Hi. On sparc-sun-sunos4.1.4 (i.e., -DSUNOS4), ARG_MAX is not defined anywhere, although has the following line: #define _POSIX_ARG_MAX 4096 This is more a minimum imposed by POSIX than anything else. The proper solution revolves around this:
========================================================================
bash$ cat > x.c
#include <stdio.h>	/* printf */
#include <unistd.h>	/* sysconf, _SC_ARG_MAX */
int main(int argc, char **argv)
{
	/* ask the running system for its argument-length limit */
	printf("%ld\n", sysconf(_SC_ARG_MAX));
	return 0;
}
^D
bash$ gcc -o x x.c
bash$ ./x
1048576
========================================================================
Charles From djm at mindrot.org Tue Mar 20 18:18:41 2001 
From: djm at mindrot.org (Damien Miller) Date: Tue, 20 Mar 2001 18:18:41 +1100 (EST) Subject: [2.5.2p1] openbsd-compat/glob.c: ARG_MAX not defined, alternative In-Reply-To: <200103200640.BAA28132@faucon.comm.polymtl.ca> Message-ID: On Tue, 20 Mar 2001, Charles Levert wrote: > Hi. > > On sparc-sun-sunos4.1.4 (i.e., -DSUNOS4), ARG_MAX is not defined > anywhere, although has the following line: > > #define _POSIX_ARG_MAX 4096 > > This is more a minimum imposed by POSIX than anything else. The > proper solution revolves around this: This is a known problem which will be fixed in a p2 release very soon. Until then: Index: openbsd-compat/glob.c =================================================================== RCS file: /var/cvs/openssh/openbsd-compat/glob.c,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- openbsd-compat/glob.c 2001/03/19 19:00:10 1.4 +++ openbsd-compat/glob.c 2001/03/20 04:46:51 1.5 @@ -37,6 +37,18 @@ #include "includes.h" #include +long +get_arg_max() +{ +#ifdef ARG_MAX + return(ARG_MAX); +#elif defined(HAVE_SYSCONF) && defined(_SC_ARG_MAX) + return(sysconf(_SC_ARG_MAX)); +#else + return(256); /* XXX: arbitrary */ +#endif +} + #if !defined(HAVE_GLOB) || !defined(GLOB_HAS_ALTDIRFUNC) || \ !defined(GLOB_HAS_GL_MATCHC) @@ -689,7 +701,7 @@ pathv[pglob->gl_offs + pglob->gl_pathc] = NULL; if ((pglob->gl_flags & GLOB_LIMIT) && - newsize + *limitp >= ARG_MAX) { + newsize + *limitp >= (u_int) get_arg_max()) { errno = 0; return(GLOB_NOSPACE); } -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From Markus.Friedl at informatik.uni-erlangen.de Tue Mar 20 19:12:31 2001 
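Review bot: in the first hunk (@@ -37,6 +37,18 @@), `get_arg_max()` is declared with an empty parameter list and external linkage; `static long get_arg_max(void)` would give callers prototype checking and keep the symbol out of the compat library's exported namespace. It also sits above the `#if !defined(HAVE_GLOB) || !defined(GLOB_HAS_ALTDIRFUNC) || ...` guard, so it is compiled into builds that use the system glob(3) and never call it; moving it inside the guard keeps it with its only caller. The `return(256); /* XXX: arbitrary */` fallback deserves a comment on what it implies: with GLOB_LIMIT set, a 256-byte budget will make matching fail on almost any directory, and _POSIX_ARG_MAX (4096), which Charles points out is available on SunOS 4, would be a more defensible floor.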
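Review bot: in the second hunk (@@ -689,7 +701,7 @@), `newsize + *limitp >= (u_int) get_arg_max()` turns a failed sysconf() into a limit that can never be reached: sysconf(_SC_ARG_MAX) returns -1 when the value is indeterminate, and casting -1 to u_int yields UINT_MAX, so on exactly the hosts this helper was added for the GLOB_LIMIT check silently stops firing. Check for a negative result before comparing, e.g. `long m = get_arg_max(); if (m < 0) m = 256;` followed by `if ((pglob->gl_flags & GLOB_LIMIT) && newsize + *limitp >= (u_int)m)`, or make get_arg_max() itself substitute the fallback whenever sysconf() fails so it never returns a negative value.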
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 20 Mar 2001 09:12:31 +0100 Subject: "cipher none" alternatives ? In-Reply-To: <000301c0b0db$b480f310$126545ab@na.cisco.com>; from dankamin@cisco.com on Sat, Mar 17, 2001 at 05:11:34PM -0800 References: <20010317173323.E27674@folly> <000301c0b0db$b480f310$126545ab@na.cisco.com> Message-ID: <20010320091231.A19900@faui02.informatik.uni-erlangen.de> On Sat, Mar 17, 2001 at 05:11:34PM -0800, Dan Kaminsky wrote: > ssh -2 -oCiphers none -oMACs hmac-md5 user at host tar czf - bigdir/ | tar > xzvf - yes, this would protect the integrity of the transmission. > Is there any argument for supporting arcfour in SSH2 but *not* SSH1? yes. http://www.kb.cert.org/vuls/id/25309 http://www.kb.cert.org/vuls/id/565052 http://www.kb.cert.org/vuls/id/665372 and probably more. From Norbert.Bladt at adi.ch Tue Mar 20 19:53:28 2001 
From: Norbert.Bladt at adi.ch (Bladt Norbert) Date: Tue, 20 Mar 2001 09:53:28 +0100 Subject: Rhosts-RSA authentication broken Message-ID: <0912C8BC2132D411BBB80001020BA94702D83B@naizk10.adi.ch> Hello ! I think a problem was introduced in openssh-2.3.0p1 which is still there in the latest openssh-2.5.2p1. I just noticed it before my vacation and could not send this mail earlier than today. The problem is: You can't use the Rhosts-RSA authentication based on the hosts.equiv file and the host keys. The only possible way to do rhosts-RSA authentication is to allow the usage of the .rhosts/.shosts file and put the information in there. If you have "IgnoreRhosts yes" in the configuration file for the sshd, no rhosts-RSA authentication is done because it is not configured. The reason is the following wrong lines of source in auth-rh-rsa.c: /* Check if we would accept it using rhosts authentication. */ if (!auth_rhosts(pw, client_user)) return 0; I applied the attached patch and now it works, again. Please advise if this is not the right fix or whether this change was intended. Thanks for providing openssh ! Regards, Norbert. P.S. I am not subscribed to the developer list so a cc: to my mail address is appreciated. -- Norbert Bladt ATAG debis Informatik, ISM-TZ1 / Z302 Industriestrasse 1, CH 3052-Zollikofen E-Mail: norbert.bladt at adi.ch Tel.: +41 31 915 3964 Fax: +41 31 915 3640 -------------- next part -------------- A non-text attachment was scrubbed... Name: auth-rh-rsa.diff Type: application/octet-stream Size: 529 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010320/f3000ef0/attachment.obj From Markus.Friedl at informatik.uni-erlangen.de Tue Mar 20 20:14:58 2001 
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 20 Mar 2001 10:14:58 +0100 Subject: Rhosts-RSA authentication broken In-Reply-To: <0912C8BC2132D411BBB80001020BA94702D83B@naizk10.adi.ch>; from Norbert.Bladt@adi.ch on Tue, Mar 20, 2001 at 09:53:28AM +0100 References: <0912C8BC2132D411BBB80001020BA94702D83B@naizk10.adi.ch> Message-ID: <20010320101458.A23358@faui02.informatik.uni-erlangen.de> On Tue, Mar 20, 2001 at 09:53:28AM +0100, Bladt Norbert wrote: > The reason are the following wrong lines of source in auth-rh-rsa.c: > > /* Check if we would accept it using rhosts authentication. */ > if (!auth_rhosts(pw, client_user)) > return 0; what is wrong here? > I applied the attached patch and now it works, again. > Please advice if this is not the right fix or whether this > change was intended. ! if (auth_rhosts(pw, client_user)) ! return 1; this is very very very wrong! it makes auth-rhost-rsa behave like auth-rhosts. in fact, this turns off checking of the rsa host keys. make makes auth-rhosts-rsa as unsafe as auth-rhosts. -m From pekkas at netcore.fi Tue Mar 20 20:19:08 2001 From: pekkas at netcore.fi (Pekka Savola) Date: Tue, 20 Mar 2001 11:19:08 +0200 (EET) Subject: Rhosts-RSA authentication broken In-Reply-To: <20010320101458.A23358@faui02.informatik.uni-erlangen.de> Message-ID: On Tue, 20 Mar 2001, Markus Friedl wrote: > ! if (auth_rhosts(pw, client_user)) > ! return 1; > > this is very very very wrong! > > it makes auth-rhost-rsa behave like auth-rhosts. in fact, this turns off > checking of the rsa host keys. make makes auth-rhosts-rsa as unsafe as > auth-rhosts. .. even more so because you don't have to use privileged ports for auth-rhost-rsa anymore, but for auth-rhost you do. -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From Norbert.Bladt at adi.ch Tue Mar 20 21:27:05 2001 
From: Norbert.Bladt at adi.ch (Bladt Norbert) Date: Tue, 20 Mar 2001 11:27:05 +0100 Subject: Rhosts-RSA authentication broken Message-ID: <0912C8BC2132D411BBB80001020BA94702D83C@naizk10.adi.ch> > Markus Friedl [SMTP:Markus.Friedl at informatik.uni-erlangen.de] wrote: > > On Tue, Mar 20, 2001 at 09:53:28AM +0100, Bladt Norbert wrote: >> The reason are the following wrong lines of source in auth-rh-rsa.c: >> >> /* Check if we would accept it using rhosts authentication. */ >> if (!auth_rhosts(pw, client_user)) >> return 0; > what is wrong here? That is easy to tell: auth_rhosts returns 0 if I have "IgnoreRhosts yes" in the sshd_config file. The relevant part of the source in auth-rhosts.c looks like this (around line 249 in 2.3.0p1): if (options.ignore_rhosts) packet_send_debug ("Server has been configured to ignore .%100s", rhosts_file) continue; ... and later: return 0 And the rest of the source is NEVER executed. So, I have to enable the usage of ~/.rhosts to use rhosts-RSA authentication. But I do not want to do this. I want to use shosts.equiv ONLY ! The default of "IgnoreRhosts" is "yes", anyway. Please try to use rhosts RSA authentication based on shosts.equiv and the host keys. It does not work ! >> I applied the attached patch and now it works, again. >> Please advice if this is not the right fix or whether this >> change was intended. >! if (auth_rhosts(pw, client_user)) >! return 1; >this is very very very wrong! > it makes auth-rhost-rsa behave like auth-rhosts. in fact, this turns off > checking of the rsa host keys. make makes auth-rhosts-rsa as unsafe as > auth-rhosts. No. If the authentication with ~/.rhosts is not allowed ("IgnoreRhosts yes") it will check the rsa host keys. If "IgnoreRhosts no" is configured, it will use the normal ~/.rhosts authentication and if that passes all the tests, then this is fine. This is true at least for 2.3.0p1 as far as I can see. Trust me, I tried it. 
The only way to access the target system via ssh is to enable the .rhosts file for every user and put everything in it. I do not want that, though. I am sorry but this is what I experienced in 2.3.0p1. Thanks, Norbert Bladt. -- Norbert Bladt ATAG debis Informatik, ISM-TZ1 / Z302 Industriestrasse 1, CH 3052-Zollikofen E-Mail: norbert.bladt at adi.ch Tel.: +41 31 915 3964 Fax: +41 31 915 3640 From Markus.Friedl at informatik.uni-erlangen.de Tue Mar 20 21:43:57 2001 
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 20 Mar 2001 11:43:57 +0100 Subject: Rhosts-RSA authentication broken In-Reply-To: <0912C8BC2132D411BBB80001020BA94702D83C@naizk10.adi.ch>; from Norbert.Bladt@adi.ch on Tue, Mar 20, 2001 at 11:27:05AM +0100 References: <0912C8BC2132D411BBB80001020BA94702D83C@naizk10.adi.ch> Message-ID: <20010320114357.A27268@faui02.informatik.uni-erlangen.de> On Tue, Mar 20, 2001 at 11:27:05AM +0100, Bladt Norbert wrote: > > Markus Friedl [SMTP:Markus.Friedl at informatik.uni-erlangen.de] wrote: > > > > On Tue, Mar 20, 2001 at 09:53:28AM +0100, Bladt Norbert wrote: > >> The reason are the following wrong lines of source in auth-rh-rsa.c: > >> > >> /* Check if we would accept it using rhosts authentication. */ > >> if (!auth_rhosts(pw, client_user)) > >> return 0; > > > what is wrong here? > That is easy to tell: > auth_rhosts returns 0 if I have "IgnoreRhosts yes" in the > sshd_config file. yes, but only if it finds a match in .rhosts. and this is correct. it does not affect /etc/shosts.equiv. the checks for hosts.equiv/shosts.equiv are much earlier, and they return 1: /* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */ if (pw->pw_uid != 0) { if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, client_user, pw->pw_name)) { packet_send_debug("Accepted for %.100s [%.100s] by /etc/hosts.equiv.", hostname, ipaddr); return 1; } if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr, client_user, pw->pw_name)) { packet_send_debug("Accepted for %.100s [%.100s] by %.100s.", hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV); return 1; } } > The relevant part of the source in auth-rhosts.c looks like this > (around line 249 in 2.3.0p1): > > if (options.ignore_rhosts) > packet_send_debug ("Server has been configured to ignore .%100s", > rhosts_file) > continue; > > ... 
and later: > > return 0 this is just for .rhosts/.shosts, not for _PATH_SSH_HOSTS_EQUIV or _PATH_RHOSTS_EQUIV > And the rest of the source is NEVER executed. > So, I have to enable the usage of ~/.rhosts to use rhosts-RSA > authentication. > But I do not want to do this. I want to use shosts.equiv ONLY ! > The default of "IgnoreRhosts" is "yes", anyway. > > Please try to use rhosts RSA authentication based on shosts.equiv > and the host keys. > It does not work ! > > >> I applied the attached patch and now it works, again. > >> Please advice if this is not the right fix or whether this > >> change was intended. > > >! if (auth_rhosts(pw, client_user)) > >! return 1; > > >this is very very very wrong! > > > it makes auth-rhost-rsa behave like auth-rhosts. in fact, this turns off > > checking of the rsa host keys. make makes auth-rhosts-rsa as unsafe as > > auth-rhosts. > No. If the authentication with ~/.rhosts is not allowed > ("IgnoreRhosts yes") it will check the rsa host keys. > If "IgnoreRhosts no" is configured, it will use the normal > ~/.rhosts authentication and if that passes all the tests, > then this is fine. > > This is true at least for 2.3.0p1 as far as I can see. > > Trust me, I tried it. i cannot trust you, since the patch is wrong :) -m From jason at dfmm.org Tue Mar 20 23:01:24 2001 
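Added model (not OpenSSH code; file contents, hostnames and key fingerprints are constructed) of the two gates in auth-rh-rsa.c that Markus and Norbert are arguing over, with the unpatched check beside the shape of the proposed patch, so the effect of swapping `if (!auth_rhosts()) return 0;` for `if (auth_rhosts()) return 1;` can be exercised directly. Function names mirror auth-rhosts.c only for readability.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the files sshd consults. hosts.equiv is folded
 * into SHOSTS_EQUIV here since both are checked first and the same way. */
struct trust_entry { const char *hostname; const char *user; };
static const struct trust_entry SHOSTS_EQUIV[] = { { "build1.example.net", "alice" } };
static const struct trust_entry USER_RHOSTS[]  = { { "desk42.example.net", "alice" } };

/* Constructed stand-in for the server's known host keys (fingerprints). */
struct known_host { const char *hostname; const char *key_fp; };
static const struct known_host KNOWN_HOSTS[] = {
    { "build1.example.net", "fp:build1" },
    { "desk42.example.net", "fp:desk42" },
};

struct server_options { int ignore_rhosts; };   /* sshd_config IgnoreRhosts */

struct client_req {
    const char *hostname;         /* hostname resolved for the connection */
    const char *user;             /* client_user */
    const char *presented_key_fp; /* host key the client proved it holds, or NULL */
};

static int check_rhosts_file(const struct trust_entry *t, size_t n,
                             const char *host, const char *user)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(t[i].hostname, host) == 0 && strcmp(t[i].user, user) == 0)
            return 1;
    return 0;
}

/* Same order Markus quotes: the *.equiv files are consulted first and return
 * 1 on a match; IgnoreRhosts only suppresses the later ~/.rhosts lookup. */
static int auth_rhosts(const struct server_options *o, const struct client_req *r)
{
    if (check_rhosts_file(SHOSTS_EQUIV, 1, r->hostname, r->user))
        return 1;
    if (o->ignore_rhosts)
        return 0;   /* "Server has been configured to ignore .rhosts" */
    return check_rhosts_file(USER_RHOSTS, 1, r->hostname, r->user);
}

/* The RSA half: does the presented key match the one recorded for the host? */
static int host_key_verified(const struct client_req *r)
{
    if (r->presented_key_fp == NULL)
        return 0;
    for (size_t i = 0; i < sizeof KNOWN_HOSTS / sizeof KNOWN_HOSTS[0]; i++)
        if (strcmp(KNOWN_HOSTS[i].hostname, r->hostname) == 0 &&
            strcmp(KNOWN_HOSTS[i].key_fp, r->presented_key_fp) == 0)
            return 1;
    return 0;
}

/* Shape of the unpatched auth-rh-rsa.c: rhosts permission is necessary,
 * and the host-key proof is still required on top of it. */
static int auth_rhosts_rsa_original(const struct server_options *o,
                                    const struct client_req *r)
{
    if (!auth_rhosts(o, r))
        return 0;
    return host_key_verified(r);
}

/* Shape of the proposed patch: an rhosts match is sufficient, so the key is
 * never checked for a listed host, and an unlisted host falls through to
 * the key check with no rhosts permission at all. */
static int auth_rhosts_rsa_patched(const struct server_options *o,
                                   const struct client_req *r)
{
    if (auth_rhosts(o, r))
        return 1;
    return host_key_verified(r);
}

/* Constructed scenarios. */
static const struct server_options IGNORE_RHOSTS = { 1 }, ALLOW_RHOSTS = { 0 };
static const struct client_req EQUIV_HOST_WITH_KEY  = { "build1.example.net", "alice", "fp:build1" };
static const struct client_req EQUIV_HOST_NO_KEY    = { "build1.example.net", "alice", NULL };
static const struct client_req RHOSTS_HOST_WITH_KEY = { "desk42.example.net", "alice", "fp:desk42" };

int main(void)
{
    printf("IgnoreRhosts yes, shosts.equiv host with key: original=%d patched=%d\n",
           auth_rhosts_rsa_original(&IGNORE_RHOSTS, &EQUIV_HOST_WITH_KEY),
           auth_rhosts_rsa_patched(&IGNORE_RHOSTS, &EQUIV_HOST_WITH_KEY));
    printf("IgnoreRhosts yes, shosts.equiv host, no key:  original=%d patched=%d\n",
           auth_rhosts_rsa_original(&IGNORE_RHOSTS, &EQUIV_HOST_NO_KEY),
           auth_rhosts_rsa_patched(&IGNORE_RHOSTS, &EQUIV_HOST_NO_KEY));
    printf("IgnoreRhosts no,  ~/.rhosts host with key:    original=%d patched=%d\n",
           auth_rhosts_rsa_original(&ALLOW_RHOSTS, &RHOSTS_HOST_WITH_KEY),
           auth_rhosts_rsa_patched(&ALLOW_RHOSTS, &RHOSTS_HOST_WITH_KEY));
    return 0;
}
```

With IgnoreRhosts yes the unpatched code still accepts the shosts.equiv host once its key checks out, while the patched code accepts the same host with no key at all.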
From: jason at dfmm.org (Jason Stone) Date: Tue, 20 Mar 2001 04:01:24 -0800 (PST) Subject: "cipher none" alternatives ? In-Reply-To: <20010320091231.A19900@faui02.informatik.uni-erlangen.de> Message-ID: > On Sat, Mar 17, 2001 at 05:11:34PM -0800, Dan Kaminsky wrote: > > ssh -2 -oCiphers none -oMACs hmac-md5 user at host tar czf - bigdir/ | tar > > xzvf - > > yes, this would protect the integrity of the transmission. Though of course, there's going to be a non-trivial expense associated with MAC'ing. I have no numbers, but I would imagine that the time associated with md5 hashing is of the same order as the time associated with crypting equivalent amounts of data? -Jason --------------------------- If the Revolution comes to grief, it will be because you and those you lead have become alarmed at your own brutality. --John Gardner From Markus.Friedl at informatik.uni-erlangen.de Tue Mar 20 23:29:11 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 20 Mar 2001 13:29:11 +0100 Subject: "cipher none" alternatives ? In-Reply-To: ; from jason@dfmm.org on Tue, Mar 20, 2001 at 04:01:24AM -0800 References: <20010320091231.A19900@faui02.informatik.uni-erlangen.de> Message-ID: <20010320132910.B27268@faui02.informatik.uni-erlangen.de> On Tue, Mar 20, 2001 at 04:01:24AM -0800, Jason Stone wrote: > I have no numbers, but I would imagine that the time > associated with md5 hashing is of the same order as the time associated > with crypting equivalent amounts of data? % openssl speed will give you numbers. From ktaylor at eosdata.gsfc.nasa.gov Wed Mar 21 00:47:41 2001 
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor) Date: Tue, 20 Mar 2001 08:47:41 -0500 Subject: linux X forwarding still not working Message-ID: I'm now using the openssh-2.5.2p1 version, and the X forwarding on the linux machine is still not working. It's a Redhat 6.2 machine running kernel 2.2.17-14 It doesn't appear to be adding anything to the /tmp/ssh-whatever/cookies file when you log in. I posted some debug info yesterday. Does anyone have some ideas of what I can try next, or is this a known bug? From RCDavis at intermedia.com Wed Mar 21 01:20:01 2001 From: RCDavis at intermedia.com (Davis, Ricardo C.) Date: Tue, 20 Mar 2001 09:20:01 -0500 Subject: OpenSSH 2.5.2p1 - What has changed since 2.5.1p Message-ID: <77DA8BE17C46D2118B7A00805FA7D051047ADAB8@TPAEXCH2> Pardon the novice question here, but after the problems I had with trying to get 2.5.1p(whatever) to install on one of my systems, I noticed with great interest the release of 2.5.2p1. When I checked out the change log for this releases RPM, there was nothing pertaining to what has changed between 2.5.1p and 2.5.2p. I didn't see anything on the OpenSSH web site regarding changes between these releases. I'd like to know if anything has changed that might help some of the problems I was having installing 2.5.1p. Is the information I'm looking for neatly summarized somewhere else? Or do I have to do diffs on the source code to find the comments in the code? :) From pekkas at netcore.fi Wed Mar 21 01:21:37 2001 
From: pekkas at netcore.fi (Pekka Savola) Date: Tue, 20 Mar 2001 16:21:37 +0200 (EET) Subject: linux X forwarding still not working In-Reply-To: Message-ID: On Tue, 20 Mar 2001, Kevin Taylor wrote: > > I'm now using the openssh-2.5.2p1 version, and the X forwarding on the > linux machine is still not working. > > It's a Redhat 6.2 machine running kernel 2.2.17-14 > > It doesn't appear to be adding anything to the /tmp/ssh-whatever/cookies > file when you log in. > > I posted some debug info yesterday. > > Does anyone have some ideas of what I can try next, or is this a known > bug? I just tested openssh-2.5.2p1 from RHL7 to openssh-2.5.2p1 RHL62 and X forwarding works fine. For the record, how it was compiled (on RHL7): OpenSSH configured has been configured with the following options. User binaries: /usr/bin System binaries: /usr/sbin Configuration files: /etc/ssh Askpass program: /usr/libexec/openssh/ssh-askpass Manual pages: /usr/share/man/manX PID file: /var/run sshd default user PATH: /bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin Random number collection: Device (/dev/urandom) Manpage format: man PAM support: yes KerberosIV support: no AFS support: no S/KEY support: no TCP Wrappers support: yes MD5 password support: no IP address in $DISPLAY hack: no Use IPv4 by default hack: yes Translate v4 in v6 hack: yes Host: i386-redhat-linux-gnu Compiler: gcc Compiler flags: -O2 -march=i386 -mcpu=i686 -Wall Preprocessor flags: Linker flags: Libraries: -lpam -ldl -lwrap -lz -lnsl -lutil -lcrypto -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From mats at mindbright.se Wed Mar 21 01:56:43 2001 
From: mats at mindbright.se (Mats Andersson) Date: Tue, 20 Mar 2001 15:56:43 +0100 (MET) Subject: Problem with connecting to host running ssh 2.3.0p1 In-Reply-To: Message-ID: Hi, On Tue, 20 Mar 2001, Damien Miller wrote: > A fix for the endian problem went in between 2.5.1p1 and 2.5.2p2, so you > are running the last bad version :) If you upgrade to the just-released > 2.5.2p1 then all should be well. > > The problem is showing more often now as recent OpenSSH versions use > Rijndael/AES as the default SSH2 cipher. Suggestion, perhaps one should disable AES/rijndael in the client if the server is running the buggy code (since we don't know the architecture of the server). Cheers, /Mats From ktaylor at eosdata.gsfc.nasa.gov Wed Mar 21 01:47:29 2001 
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor)
Date: Tue, 20 Mar 2001 09:47:29 -0500
Subject: linux X forwarding still not working
References:
Message-ID: <3AB76D81.3E307B4B@daac.gsfc.nasa.gov>

Pekka Savola wrote:
>
> On Tue, 20 Mar 2001, Kevin Taylor wrote:
>
> > I'm now using the openssh-2.5.2p1 version, and the X forwarding on the
> > linux machine is still not working.
> >
> > It's a Redhat 6.2 machine running kernel 2.2.17-14
> >
> > It doesn't appear to be adding anything to the /tmp/ssh-whatever/cookies
> > file when you log in.
> >
> > I posted some debug info yesterday.
> >
> > Does anyone have some ideas of what I can try next, or is this a known
> > bug?
>
> I just tested openssh-2.5.2p1 from RHL7 to openssh-2.5.2p1 RHL62 and X
> forwarding works fine.
>
> For the record, how it was compiled (on RHL7):
>
> OpenSSH configured has been configured with the following options.
>                  User binaries: /usr/bin
>                System binaries: /usr/sbin
>            Configuration files: /etc/ssh
>                Askpass program: /usr/libexec/openssh/ssh-askpass
>                   Manual pages: /usr/share/man/manX
>                       PID file: /var/run
>         sshd default user PATH: /bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
>       Random number collection: Device (/dev/urandom)
>                 Manpage format: man
>                    PAM support: yes
>             KerberosIV support: no
>                    AFS support: no
>                  S/KEY support: no
>           TCP Wrappers support: yes
>           MD5 password support: no
>    IP address in $DISPLAY hack: no
>       Use IPv4 by default hack: yes
>        Translate v4 in v6 hack: yes
>
>               Host: i386-redhat-linux-gnu
>           Compiler: gcc
>     Compiler flags: -O2 -march=i386 -mcpu=i686 -Wall
> Preprocessor flags:
>       Linker flags:
>          Libraries: -lpam -ldl -lwrap -lz -lnsl -lutil -lcrypto

OpenSSH configured has been configured with the following options.
                 User binaries: /usr/LOCAL/ssh/bin
               System binaries: /usr/LOCAL/ssh/sbin
           Configuration files: /usr/LOCAL/ssh/etc
               Askpass program: /usr/LOCAL/ssh/libexec/ssh-askpass
                  Manual pages: /usr/LOCAL/ssh/man/manX
                      PID file: /usr/LOCAL/ssh/etc
        sshd default user PATH: /usr/sbin:/usr/bsd:/sbin:/usr/bin:/usr/bin/X11:/usr/LOCAL/ssh/bin:/usr/LOCAL/bin:/usr/local/bin:/bin:
      Random number collection: Device (/dev/urandom)
                Manpage format: man
                   PAM support: no
            KerberosIV support: no
                   AFS support: no
                 S/KEY support: no
          TCP Wrappers support: yes
          MD5 password support: no
   IP address in $DISPLAY hack: no
      Use IPv4 by default hack: yes
       Translate v4 in v6 hack: yes

              Host: i686-pc-linux-gnu
          Compiler: gcc
    Compiler flags: -g -O2 -Wall
Preprocessor flags: -I/usr/LOCAL/ssh/openssl-0.9.6/include
      Linker flags: -L/usr/LOCAL/ssh/openssl-0.9.6/lib
         Libraries: -lwrap -lz -lnsl -lutil -lcrypto -lcrypt

I don't really see much of a difference

From pekkas at netcore.fi Wed Mar 21 02:01:21 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Tue, 20 Mar 2001 17:01:21 +0200 (EET)
Subject: linux X forwarding still not working
In-Reply-To: <3AB76D81.3E307B4B@daac.gsfc.nasa.gov>
Message-ID:

On Tue, 20 Mar 2001, Kevin Taylor wrote:

> OpenSSH configured has been configured with the following options.
>                  User binaries: /usr/LOCAL/ssh/bin
>                System binaries: /usr/LOCAL/ssh/sbin
>            Configuration files: /usr/LOCAL/ssh/etc
>                Askpass program: /usr/LOCAL/ssh/libexec/ssh-askpass
>                   Manual pages: /usr/LOCAL/ssh/man/manX
>                       PID file: /usr/LOCAL/ssh/etc
>         sshd default user PATH:
> /usr/sbin:/usr/bsd:/sbin:/usr/bin:/usr/bin/X11:/usr/LOCAL/ssh/bin:/usr/LOCAL/bin:/usr/local/bin:/bin:
>       Random number collection: Device (/dev/urandom)
>                 Manpage format: man
>                    PAM support: no
>             KerberosIV support: no
>                    AFS support: no
>                  S/KEY support: no
>           TCP Wrappers support: yes
>           MD5 password support: no
>    IP address in $DISPLAY hack: no
>       Use IPv4 by default hack: yes
>        Translate v4 in v6 hack: yes

This message in your previous debug message seems relevant:

debug1: x11_create_display_inet: Socket family 10 not supported

There is a (perhaps) significant difference: you're using /usr/LOCAL tree.

Make sure that XAUTH_PATH in config.h points to the right place.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

From mouring at etoh.eviladmin.org Wed Mar 21 02:01:43 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Tue, 20 Mar 2001 09:01:43 -0600 (CST)
Subject: OpenSSH 2.5.2p1 - What has changed since 2.5.1p
In-Reply-To: <77DA8BE17C46D2118B7A00805FA7D051047ADAB8@TPAEXCH2>
Message-ID:

ChangeLog states all code imported from the OpenBSD group and includes
portable modifications and fixes. It should cover everything you would
want to know. However some of the commit entries are not as clear without
some knowledge of the application.

- Ben

On Tue, 20 Mar 2001, Davis, Ricardo C. wrote:

> Pardon the novice question here, but after the problems I had with trying to
> get 2.5.1p(whatever) to install on one of my systems, I noticed with great
> interest the release of 2.5.2p1. When I checked out the change log for this
> release's RPM, there was nothing pertaining to what has changed between
> 2.5.1p and 2.5.2p. I didn't see anything on the OpenSSH web site regarding
> changes between these releases. I'd like to know if anything has changed
> that might help some of the problems I was having installing 2.5.1p.
>
> Is the information I'm looking for neatly summarized somewhere else? Or do
> I have to do diffs on the source code to find the comments in the code? :)
>
>

From ktaylor at eosdata.gsfc.nasa.gov Wed Mar 21 02:05:33 2001
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor)
Date: Tue, 20 Mar 2001 10:05:33 -0500
Subject: linux X forwarding still not working
References:
Message-ID: <3AB771BD.CB832791@daac.gsfc.nasa.gov>

Pekka Savola wrote:
>
> On Tue, 20 Mar 2001, Kevin Taylor wrote:
> > OpenSSH configured has been configured with the following options.
> >                  User binaries: /usr/LOCAL/ssh/bin
> >                System binaries: /usr/LOCAL/ssh/sbin
> >            Configuration files: /usr/LOCAL/ssh/etc
> >                Askpass program: /usr/LOCAL/ssh/libexec/ssh-askpass
> >                   Manual pages: /usr/LOCAL/ssh/man/manX
> >                       PID file: /usr/LOCAL/ssh/etc
> >         sshd default user PATH:
> > /usr/sbin:/usr/bsd:/sbin:/usr/bin:/usr/bin/X11:/usr/LOCAL/ssh/bin:/usr/LOCAL/bin:/usr/local/bin:/bin:
> >       Random number collection: Device (/dev/urandom)
> >                 Manpage format: man
> >                    PAM support: no
> >             KerberosIV support: no
> >                    AFS support: no
> >                  S/KEY support: no
> >           TCP Wrappers support: yes
> >           MD5 password support: no
> >    IP address in $DISPLAY hack: no
> >       Use IPv4 by default hack: yes
> >        Translate v4 in v6 hack: yes
>
> This message in your previous debug message seems relevant:
>
> debug1: x11_create_display_inet: Socket family 10 not supported
>
> There is a (perhaps) significant difference: you're using /usr/LOCAL tree.
>
> Make sure that XAUTH_PATH in config.h points to the right place.
>

/* Define if xauth is found in your path */
#define XAUTH_PATH "/usr/X11R6/bin/xauth"

Just for the sake of argument, I'm going to symlink xauth to
/usr/LOCAL/ssh/bin....just to see what happens. I don't think it should
matter.

--
---------------------------------------------------------.
Kevin Taylor                                              \
Systems Administrator - DAAC, Code 902, Bldg 32, Rm N126A /
Science Systems and Applications, Inc.                    \
Goddard Space Flight Center                               /
Greenbelt, MD 20771                                       \
Phone: (301) 614-5505                                     /
e-mail: ktaylor at daac.gsfc.nasa.gov                     \
----------------------------------------------------------'

From cs18286 at tueng.rsc.raytheon.com Wed Mar 21 02:08:09 2001
From: cs18286 at tueng.rsc.raytheon.com (COKER ~ CALVIN G /WW4HPD)
Date: Tue, 20 Mar 2001 08:08:09 -0700 (MST)
Subject: Adding Socks5 to OpenSSH
Message-ID: <200103201508.IAA07970@cae916.rsc.raytheon.com>

TO: openssh-unix-dev at mindrot.org

I added in socks5 by adding the socks.h to include.h and the socks5
library to the compilation of OpenSSH and think socks is linked in, but I
am having a problem using the added socks5 capability. Do you know if
there is an environment parameter that I can use to set the proxy to my
socks5 server?

Calvin Coker

From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed Mar 21 02:22:10 2001
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Tue, 20 Mar 2001 16:22:10 +0100
Subject: linux X forwarding still not working
In-Reply-To: <3AB771BD.CB832791@daac.gsfc.nasa.gov>; from ktaylor@eosdata.gsfc.nasa.gov on Tue, Mar 20, 2001 at 10:05:33AM -0500
References: <3AB771BD.CB832791@daac.gsfc.nasa.gov>
Message-ID: <20010320162210.A3086@serv01.aet.tu-cottbus.de>

On Tue, Mar 20, 2001 at 10:05:33AM -0500, Kevin Taylor wrote:
> > >       Use IPv4 by default hack: yes
> > >        Translate v4 in v6 hack: yes
> >
> > This message in your previous debug message seems relevant:
> >
> > debug1: x11_create_display_inet: Socket family 10 not supported
> >
> > There is a (perhaps) significant difference: you're using /usr/LOCAL tree.
> >
> > Make sure that XAUTH_PATH in config.h points to the right place.
> >
>
> /* Define if xauth is found in your path */
> #define XAUTH_PATH "/usr/X11R6/bin/xauth"
>
> Just for the sake of argument, I'm going to symlink xauth to
> /usr/LOCAL/ssh/bin....just to see what happens. I don't think it should
> matter.

For what it's worth: Socket family 10 is AF_INET6 (at least on my SuSE 7.1,
kernel 2.4.2). I have just installed openssh-2.5.2p1 and X forwarding seems
to work.

Therefore by plainly reading the offending line in the source
(channels.c:1992) I would say that you have a problem with IPv6 support.
I cannot see any relation to xauth, since the error message is the direct
consequence of a failed socket() call.

Best regards,
	Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From ktaylor at eosdata.gsfc.nasa.gov Wed Mar 21 02:22:52 2001
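An added example (not OpenSSH code) of the behaviour Lutz describes: a listener set-up that tries both address families and treats socket() failing with EAFNOSUPPORT for AF_INET6 (family 10 on Linux) as "skip this family", so a kernel built without IPv6 still gets its IPv4 X11 listener instead of forwarding failing outright. The function names, the loopback-only binding and the port parameter are assumptions of this example.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_X11_SOCKS 2

/*
 * Decide what a failed socket() means for one address family.
 * Returns 0 when the kernel simply lacks the protocol (the thread's case:
 * IPv6 not compiled in), logging the same debug line OpenSSH printed, and
 * -1 for any other error, which is a real fault.
 */
int x11_family_failed(int family, int err)
{
    if (err == EAFNOSUPPORT || err == EPROTONOSUPPORT) {
        fprintf(stderr, "debug1: x11_create_display_inet: "
                "Socket family %d not supported\n", family);
        return 0;
    }
    fprintf(stderr, "x11_create_display_inet: socket family %d: %s\n",
            family, strerror(err));
    return -1;
}

/*
 * Open loopback listeners on `port` for every family the kernel supports.
 * Returns the number of sockets stored in fds, or -1 when a supported family
 * failed for a reason other than "unsupported" or when no family worked.
 * Port 0 asks the kernel for an ephemeral port (handy for tests).
 */
int x11_listen_loopback(unsigned short port, int fds[MAX_X11_SOCKS])
{
    const int families[MAX_X11_SOCKS] = { AF_INET6, AF_INET };
    int n = 0;

    for (int i = 0; i < MAX_X11_SOCKS; i++) {
        struct sockaddr_storage ss;
        socklen_t slen;
        int fd = socket(families[i], SOCK_STREAM, 0);

        if (fd < 0) {
            if (x11_family_failed(families[i], errno) < 0)
                goto fail;
            continue;                   /* unsupported family: try the next */
        }
        memset(&ss, 0, sizeof(ss));
        if (families[i] == AF_INET6) {
            struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)&ss;
            int on = 1;
            a6->sin6_family = AF_INET6;
            a6->sin6_port = htons(port);
            a6->sin6_addr = in6addr_loopback;
            slen = sizeof(*a6);
            /* Linux v6 sockets are dual-stack by default; keep v4 separate. */
            setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on));
        } else {
            struct sockaddr_in *a4 = (struct sockaddr_in *)&ss;
            a4->sin_family = AF_INET;
            a4->sin_port = htons(port);
            a4->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
            slen = sizeof(*a4);
        }
        if (bind(fd, (struct sockaddr *)&ss, slen) < 0 || listen(fd, 5) < 0) {
            /* e.g. EADDRNOTAVAIL when lo has no ::1: skip this family too */
            fprintf(stderr, "x11 listener, family %d: %s\n",
                    families[i], strerror(errno));
            close(fd);
            continue;
        }
        fds[n++] = fd;
    }
    if (n == 0)
        return -1;                      /* nothing to offer the client */
    return n;
fail:
    while (n > 0)
        close(fds[--n]);
    return -1;
}

/* Close the listeners returned above; returns how many closed cleanly. */
int x11_close_listeners(int fds[MAX_X11_SOCKS], int n)
{
    int closed = 0;
    for (int i = 0; i < n; i++)
        if (close(fds[i]) == 0)
            closed++;
    return closed;
}
```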
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor)
Date: Tue, 20 Mar 2001 10:22:52 -0500
Subject: linux X forwarding problem fixed...
Message-ID:

I had UseLogin enabled....this was breaking the X forwarding code somehow.

This is the second OS I've come across that has major difficulties with
the UseLogin option.

From Markus.Friedl at informatik.uni-erlangen.de Wed Mar 21 02:25:57 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 20 Mar 2001 16:25:57 +0100
Subject: linux X forwarding problem fixed...
In-Reply-To: ; from ktaylor@eosdata.gsfc.nasa.gov on Tue, Mar 20, 2001 at 10:22:52AM -0500
References:
Message-ID: <20010320162557.A15202@faui02.informatik.uni-erlangen.de>

the combination X11 and UseLogin is currently not supported.

On Tue, Mar 20, 2001 at 10:22:52AM -0500, Kevin Taylor wrote:
>
>
> I had UseLogin enabled....this was breaking the X forwarding code somehow.
>
> This is the second OS I've come across that has major difficulties with
> the UseLogin option.
>
>

From ktaylor at eosdata.gsfc.nasa.gov Wed Mar 21 02:26:55 2001
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor)
Date: Tue, 20 Mar 2001 10:26:55 -0500
Subject: linux X forwarding problem fixed...
In-Reply-To: <20010320162557.A15202@faui02.informatik.uni-erlangen.de>
Message-ID:

probably for good reason. :)

On Tue, 20 Mar 2001, Markus Friedl wrote:

> the combination X11 and UseLogin is currently not supported.
>
> On Tue, Mar 20, 2001 at 10:22:52AM -0500, Kevin Taylor wrote:
> >
> >
> > I had UseLogin enabled....this was breaking the X forwarding code somehow.
> >
> > This is the second OS I've come across that has major difficulties with
> > the UseLogin option.
> >
> >
>

From sxw at dcs.ed.ac.uk Wed Mar 21 05:15:51 2001
From: sxw at dcs.ed.ac.uk (Simon Wilkinson)
Date: Tue, 20 Mar 2001 18:15:51 GMT
Subject: Kerberos v5 and GSSAPI support in OpenSSH
Message-ID: <200103201815.SAA17460@canna.dcs.ed.ac.uk>

An updated version of my patch for Kerberos v5 support is now available
from
	http://www.sxw.org.uk/computing/patches/openssh-2.5.2p1-krb5.patch

This patch includes updated Kerberos v5 support for protocol version 1,
and also adds GSSAPI support for protocol version 2.

Unlike the Kerberos v5 code (which will still not interoperate with
ssh.com clients and servers), the GSSAPI support is based on two I-Ds
draft-galb-secsh-gssapi-01.txt and draft-ietf-secsh-gsskeyex-01.txt.
It adds two different points of authentication - the gsskeyex draft
uses GSSAPI at the key exchange level, and removes the requirement to
have hostkeys when it is used as the exchange mechanism. The first
draft adds GSSAPI at the user authentication level. Both support
credential forwarding.

I've implemented support for the Kerberos v5 GSSAPI mechanism - it
should be trivial to add additional mechanisms. The GSSAPI code has not
been tested under Heimdal (the Kerberos v5 code has, and should work).

Sorry for this being one huge patch - I had originally tried to separate
these out in two (GSSAPI in one, and Kerberos v5 in the other), but there
were too many conflicts when combining them together. If people would
like to see a patch implementing just one of these things let me know,
and I'll have another go.

Cheers,

Simon.

From markus.friedl at informatik.uni-erlangen.de Wed Mar 21 06:32:05 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 20 Mar 2001 20:32:05 +0100
Subject: suggestion for syslog messages
In-Reply-To: <200103161917.LAA13052@ohm.apl.washington.edu>; from dunlap@apl.washington.edu on Fri, Mar 16, 2001 at 11:17:54AM -0800
References: <200103161917.LAA13052@ohm.apl.washington.edu>
Message-ID: <20010320203204.A20477@folly>

On Fri, Mar 16, 2001 at 11:17:54AM -0800, John Dunlap wrote:
> 2. Change the "publickey" message for ssh2 connections to specify
> which publickey, "dsa" or "rsa". This is already the case for ssh1.

is this useful? in ssh1 it's called RSA-auth, in ssh2 it's called
pubkey-auth....

From markus.friedl at informatik.uni-erlangen.de Wed Mar 21 06:33:36 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 20 Mar 2001 20:33:36 +0100
Subject: sshd executes ~/.ssh/sshrc without using user's shell
In-Reply-To: <3AB2D68E.D1835CE7@bartlett.house>; from abartlet@pcug.org.au on Sat, Mar 17, 2001 at 02:14:22PM +1100
References: <3AB2D68E.D1835CE7@bartlett.house>
Message-ID: <20010320203336.B20477@folly>

On Sat, Mar 17, 2001 at 02:14:22PM +1100, Andrew Bartlett wrote:
> I am considering allowing (relatively) untrusted local users onto my
> fileserver, so they can use SFTP to access their home directories.
>
> I have a custom shell, (a taint-mode enabled perl script) that allows
> users to change their password, which I have modified to only allow a
> '-c' command for the sftp-server.
>
> I have also disabled TCP port forwarding. However, some reading of the
> OpenSSH code suggests that, while most commands sshd executes use the
> users login shell, the popen call for .ssh/sshrc does not.
> (session.c:1342 and thereabouts).
>
> Is this an issue?

yes. in the future, subsystems will probably ignore this file.

> Or do I have bigger things to worry about?

nothing that i can think of.

From kevin at tgivan.com Wed Mar 21 07:16:16 2001
From: kevin at tgivan.com (Kevin Sindhu)
Date: Tue, 20 Mar 2001 12:16:16 -0800
Subject: OpenSSH-portable with md5-passwords
Message-ID: <3AB7BA90.84226FB1@tgivan.com>

Hiya guyz,

I have a quick question, and wondering if you give me some insight on
this. One of our machines is running Slackware 7.1 with openssh 1.5 (it
was configured --with-md5-passwords). Apparently I can't ssh to accounts
which the password function hashes to a field with '$' symbols in it, as
reported in /etc/shadow. Is this a well-known bug of OpenSSH version 1.5?

I would appreciate any advice.

Regards
--
Kevin Sindhu                    Systems Engineer
E-Mail: kevin at tgivan.com      TGI Technologies Inc.
Tel: (604) 872-6676 Ext 321     107 E 3rd Ave,
Fax: (604) 872-6601             Vancouver, BC V5T 1C7 Canada.

From kevin at tgivan.com Wed Mar 21 07:22:35 2001
From: kevin at tgivan.com (Kevin Sindhu)
Date: Tue, 20 Mar 2001 12:22:35 -0800
Subject: OpenSSH-portable with md5-passwords - Solved
References: <3AB7BA90.84226FB1@tgivan.com>
Message-ID: <3AB7BC0B.A44A703C@tgivan.com>

hiya guyz...

Doh! I think this is a known law, "After you hit send on a mail, only
then you realize that it's your own fault"

Forgot to do a make distclean....my bad, it's solved. Sorry about that.

-Kevin

From djm at mindrot.org Wed Mar 21 08:22:28 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 21 Mar 2001 08:22:28 +1100 (EST)
Subject: OpenSSH 2.5.2p1 - What has changed since 2.5.1p
In-Reply-To: <77DA8BE17C46D2118B7A00805FA7D051047ADAB8@TPAEXCH2>
Message-ID:

On Tue, 20 Mar 2001, Davis, Ricardo C. wrote:

> Pardon the novice question here, but after the problems I had with
> trying to get 2.5.1p(whatever) to install on one of my systems,
> I noticed with great interest the release of 2.5.2p1. When I
> checked out the change log for this release's RPM, there was nothing
> pertaining to what has changed between 2.5.1p and 2.5.2p. I didn't
> see anything on the OpenSSH web site regarding changes between these
> releases. I'd like to know if anything has changed that might help
> some of the problems I was having installing 2.5.1p.
>
> Is the information I'm looking for neatly summarized somewhere else?
> Or do I have to do diffs on the source code to find the comments in
> the code? :)

No, the ChangeLog file should have all of this in the portable source
distribution.

-d

--
| Damien Miller \    ``E-mail attachments are the poor man's
| http://www.mindrot.org /          distributed filesystem'' - Dan Geer

From stevev at darkwing.uoregon.edu Wed Mar 21 08:44:05 2001
From: stevev at darkwing.uoregon.edu (Steve VanDevender)
Date: Tue, 20 Mar 2001 13:44:05 -0800
Subject: Tru64 UNIX SIA in 2.5.2p1 is hosed
Message-ID: <15031.53029.667838.428569@darkwing.uoregon.edu>

Something really hosed Digital/Tru64 UNIX SIA support in 2.5.2p1. I
haven't been able to figure out what changed in the code, but the
symptom seems to be that the TTY name being registered with SIA is
truncated to eight characters. This apparently prevents it from matching
with entries in the tty database, and the dreaded "Cannot obtain database
information on this terminal" message is printed after authentication
completes and the session terminates immediately.

The 2.5.1p2 sshd works fine on my Digital UNIX system.

From djm at mindrot.org Wed Mar 21 09:26:08 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 21 Mar 2001 09:26:08 +1100 (EST)
Subject: Kerberos v5 and GSSAPI support in OpenSSH
In-Reply-To: <200103201815.SAA17460@canna.dcs.ed.ac.uk>
Message-ID:

On Tue, 20 Mar 2001, Simon Wilkinson wrote:

> An updated version of my patch for Kerberos v5 support is now available
> from
> 	http://www.sxw.org.uk/computing/patches/openssh-2.5.2p1-krb5.patch
>
> This patch includes updated Kerberos v5 support for protocol version 1,
> and also adds GSSAPI support for protocol version 2.

I don't know enough about the Kerberos API to review this patch myself,
so I defer to the list to review the patch.

> Unlike the Kerberos v5 code (which will still not interoperate with
> ssh.com clients and servers), the GSSAPI support is based on two I-Ds
> draft-galb-secsh-gssapi-01.txt and draft-ietf-secsh-gsskeyex-01.txt.
> It adds two different points of authentication - the gsskeyex draft
> uses GSSAPI at the key exchange level, and removes the requirement to
> have hostkeys when it is used as the exchange mechanism. The first
> draft adds GSSAPI at the user authentication level. Both support
> credential forwarding.

On what documentation did you base the krb5 support? You should write an
internet-draft on how you did it.

There seem to be two gssapi drafts, the Galbraith one and a Saloway one
which has been brought into the wg. How do they differ?

-d

--
| Damien Miller \    ``E-mail attachments are the poor man's
| http://www.mindrot.org /          distributed filesystem'' - Dan Geer

From stevev at darkwing.uoregon.edu Wed Mar 21 10:34:59 2001
From: stevev at darkwing.uoregon.edu (Steve VanDevender) Date: Tue, 20 Mar 2001 15:34:59 -0800 Subject: Tru64 UNIX SIA in 2.5.2p1 is hosed In-Reply-To: <15031.53029.667838.428569@darkwing.uoregon.edu> References: <15031.53029.667838.428569@darkwing.uoregon.edu> Message-ID: <15031.59683.830498.348984@darkwing.uoregon.edu> Steve VanDevender writes: > Something really hosed Digital/Tru64 UNIX SIA support in 2.5.2p1. Now that I look closer, I notice that in session.c, this stayed the same in session.c:do_child(): #ifdef HAVE_OSF_SIA session_setup_sia(pw->pw_name, ttyname); #else /* HAVE_OSF_SIA */ But between 2.5.1p2 and 2.5.2p1, the declaration of do_child() changed to remove the ttyname parameter: *************** *** 1008,1018 **** * ids, and executing the command or shell. */ void ! do_child(const char *command, struct passwd * pw, const char *term, ! const char *display, const char *auth_proto, ! const char *auth_data, const char *ttyname) { const char *shell, *hostname = NULL, *cp = NULL; char buf[256]; char cmd[1024]; FILE *f = NULL; --- 1000,1009 ---- * ids, and executing the command or shell. */ void ! do_child(Session *s, const char *command) { const char *shell, *hostname = NULL, *cp = NULL; + struct passwd * pw = s->pw; char buf[256]; char cmd[1024]; FILE *f = NULL; This means that the 'ttyname' that is being passed to session_setup_sia is a function pointer to the ttyname() function, not the name of the tty. I'm not sure how this results in only the first eight characters of the real tty name being recorded, but it's clearly the Wrong Thing. This explains the problem I'm having with SIA in Digital UNIX, but it's not immediately obvious to me how to fix it. This is probably also breaking the AIX code which refers to ttyname later in do_child. From stevev at darkwing.uoregon.edu Wed Mar 21 10:54:12 2001 
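Review bot: the hunk drops the `ttyname` parameter from do_child() (the new signature is `do_child(Session *s, const char *command)`), yet the call `session_setup_sia(pw->pw_name, ttyname)` quoted above the diff was left untouched. Because <unistd.h> declares the libc function ttyname(3), that identifier still resolves once the parameter is gone, so the file compiles (at most an incompatible-pointer-type warning, and only in a build with HAVE_OSF_SIA or _AIX defined) and the defect surfaces only at runtime as the truncated tty name described in the thread. When removing a parameter, grep the whole function body, including the platform-conditional #ifdef blocks, for the old name and replace each use with the new source of the value (here s->tty); a build on a mainline platform cannot catch these.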
From: stevev at darkwing.uoregon.edu (Steve VanDevender) Date: Tue, 20 Mar 2001 15:54:12 -0800 Subject: Tru64 UNIX SIA in 2.5.2p1 is hosed In-Reply-To: <15031.59683.830498.348984@darkwing.uoregon.edu> References: <15031.53029.667838.428569@darkwing.uoregon.edu> <15031.59683.830498.348984@darkwing.uoregon.edu> Message-ID: <15031.60836.596545.454755@darkwing.uoregon.edu> Steve VanDevender writes: > This explains the problem I'm having with SIA in Digital UNIX, but it's > not immediately obvious to me how to fix it. This is probably also > breaking the AIX code which refers to ttyname later in do_child. I'll stop babbling now. After further study of the code in session.c it became apparent how to fix the problem by noticing that between 2.5.1p2 and 2.5.2p1 'ttyname' changed to 's->tty' in other places in the do_child function, just not in the parts relating to OSF_SIA and the AIX code. A patch follows; with this applied I have the 2.5.2p1 sshd working in Digital UNIX. I changed the occurrences of 'ttyname' to 's->tty' in one of the #ifdef _AIX sections in do_child() too, but someone with AIX should probably confirm that it works there. =================================================================== RCS file: session.c,v retrieving revision 1.1 diff -c -r1.1 session.c *** 1.1 2001/03/20 23:45:46 --- session.c 2001/03/20 23:46:17 *************** *** 1053,1059 **** switch, so we let login(1) to this for us. */ if (!options.use_login) { #ifdef HAVE_OSF_SIA ! session_setup_sia(pw->pw_name, ttyname); #else /* HAVE_OSF_SIA */ #ifdef HAVE_CYGWIN if (is_winnt) { --- 1053,1059 ---- switch, so we let login(1) to this for us. */ if (!options.use_login) { #ifdef HAVE_OSF_SIA ! session_setup_sia(pw->pw_name, s->tty); #else /* HAVE_OSF_SIA */ #ifdef HAVE_CYGWIN if (is_winnt) { *************** *** 1134,1143 **** * other stuff is stored - a few applications * actually use this and die if it's not set */ ! 
cp = xmalloc(22 + strlen(ttyname) + 2 * strlen(pw->pw_name)); i = sprintf(cp, "LOGNAME=%s%cNAME=%s%cTTY=%s%c%c", ! pw->pw_name, 0, pw->pw_name, 0, ttyname, 0,0); if (usrinfo(SETUINFO, cp, i) == -1) fatal("Couldn't set usrinfo: %s", strerror(errno)); --- 1134,1143 ---- * other stuff is stored - a few applications * actually use this and die if it's not set */ ! cp = xmalloc(22 + strlen(s->tty) + 2 * strlen(pw->pw_name)); i = sprintf(cp, "LOGNAME=%s%cNAME=%s%cTTY=%s%c%c", ! pw->pw_name, 0, pw->pw_name, 0, s->tty, 0,0); if (usrinfo(SETUINFO, cp, i) == -1) fatal("Couldn't set usrinfo: %s", strerror(errno)); From sxw at dcs.ed.ac.uk Wed Mar 21 11:05:55 2001 
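Review bot: in the first hunk, `session_setup_sia(pw->pw_name, s->tty)` is consistent with the other do_child() sites that moved from ttyname to s->tty, but the call sits inside `#ifdef HAVE_OSF_SIA`, so only a Tru64 build type-checks it. The author's Digital UNIX test covers that path; record in the commit message which platforms were actually built, since a stale `ttyname` in another conditional block would again compile silently against the libc function.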
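Review bot: the second hunk updates one `#ifdef _AIX` usrinfo block, and the cover note says only one of the _AIX sections in do_child() was changed; confirm with a grep that no other _AIX block still names `ttyname` before merging. On the buffer math, `xmalloc(22 + strlen(s->tty) + 2 * strlen(pw->pw_name))` is exact rather than generous (8 + 5 + 4 literal bytes, four NUL `%c` separators and sprintf's terminator make 22), so any later edit to the format string must adjust the constant; a `snprintf` against the computed size with its return value checked would make that coupling visible.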
From: sxw at dcs.ed.ac.uk (Simon Wilkinson)
Date: Wed, 21 Mar 2001 00:05:55 +0000
Subject: Kerberos v5 and GSSAPI support in OpenSSH
In-Reply-To:
References:
Message-ID: <01032100043601.04382@loki.dcs.ed.ac.uk>

On Tuesday 20 March 2001 22:26, Damien Miller wrote:
> On what documentation did you base the krb5 support? You should write an
> internet-draft on how you did it.

The Kerberos V protocol 1 patch is based on work done by Daniel Kouril - I
took his Heimdal patch for an older version of OpenSSH (2.1.0), and updated
it to the current OpenSSH release, and added MIT Kerberos support. More
details on this are on my original message about the Kerberos V patch, and
at http://www.ics.muni.cz/scb/devel/

I've been persuaded that it's worth splitting the protocol 1 and protocol 2
patches up. I intend doing so shortly.

> There seems to be two gssapi drafts, the Galbraith one and a Saloway one
> which has been brought into the wg. How do they differ?

The Galbraith, van Dyke and Welch draft defines an extension which performs
GSSAPI authentication as part of the user authentication process. This uses
a somewhat more complicated exchange than the other draft.

The Hutzelman & Salowey draft defines a new key exchange technique which
uses GSSAPI to secure the key exchange. This removes the need for servers
to have a host key, but can cause problems if the GSSAPI exchange fails
(especially if it happens during key renegotiation).

I've implemented both of these, and there is a lot of code reuse between
the two.

Cheers,

Simon.

--
Simon Wilkinson                                    http://www.sxw.org.uk
"The universal aptitude for ineptitude makes any human accomplishment
an incredible miracle." - Col. John P. Stapp

From djm at mindrot.org Wed Mar 21 11:14:05 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 21 Mar 2001 11:14:05 +1100 (EST)
Subject: Tru64 UNIX SIA in 2.5.2p1 is hosed
In-Reply-To: <15031.60836.596545.454755@darkwing.uoregon.edu>
Message-ID:

On Tue, 20 Mar 2001, Steve VanDevender wrote:

> Steve VanDevender writes:
> > This explains the problem I'm having with SIA in Digital UNIX, but it's
> > not immediately obvious to me how to fix it. This is probably also
> > breaking the AIX code which refers to ttyname later in do_child.
>
> I'll stop babbling now. After further study of the code in session.c it
> became apparent how to fix the problem by noticing that between 2.5.1p2
> and 2.5.2p1 'ttyname' changed to 's->tty' in other places in the
> do_child function, just not in the parts relating to OSF_SIA and the AIX
> code. A patch follows; with this applied I have the 2.5.2p1 sshd
> working in Digital UNIX. I changed the occurrences of 'ttyname' to
> 's->tty' in one of the #ifdef _AIX sections in do_child() too, but
> someone with AIX should probably confirm that it works there.

Thanks - applied.

-d

--
| Damien Miller \    ``E-mail attachments are the poor man's
| http://www.mindrot.org /          distributed filesystem'' - Dan Geer

From ernesto at ornl.gov Wed Mar 21 11:46:21 2001
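An added example (not OpenSSH code) for the AIX usrinfo record that Steve VanDevender's patch above corrects: it builds "LOGNAME=<user>\0NAME=<user>\0TTY=<tty>\0\0" from a stand-in Session struct's own tty field, with exactly the size the patch's constant 22 encodes, and refuses a session that has no tty. Session, TTYSZ and the field names are assumptions for illustration, not sshd's definitions.

```c
#include <stdlib.h>
#include <string.h>

#define TTYSZ 64                      /* assumed size of the tty name field */

/* Stand-in for sshd's Session: the fields do_child() reads after the 2.5.2p1 refactor. */
typedef struct {
    char tty[TTYSZ];                  /* "/dev/pts/3", or "" when no pty was allocated */
    const char *user;                 /* stands in for s->pw->pw_name */
} Session;

/*
 * Record bytes that do not depend on the names: "LOGNAME=" (8), "NAME=" (5),
 * "TTY=" (4) and the four NUL bytes the %c conversions write. Together with
 * sprintf's own terminator this is the 22 in the patch's xmalloc().
 */
#define USRINFO_FIXED 21

/*
 * Build the usrinfo(SETUINFO) record from the session's tty name, never from
 * the libc function ttyname(3) that a stale identifier would resolve to.
 * Returns a malloc'd buffer and stores the record length in *len, or NULL
 * when the session has no tty or the tty field is not NUL-terminated.
 * The caller frees the buffer.
 */
char *build_usrinfo(const Session *s, size_t *len)
{
    if (s == NULL || s->user == NULL || len == NULL)
        return NULL;
    if (memchr(s->tty, '\0', TTYSZ) == NULL)    /* not terminated inside the field */
        return NULL;
    if (s->tty[0] == '\0')                      /* session without a pty: nothing to record */
        return NULL;

    size_t ulen = strlen(s->user), tlen = strlen(s->tty);
    size_t need = USRINFO_FIXED + 2 * ulen + tlen;   /* exact record length */
    char *buf = malloc(need + 1);                    /* +1: trailing terminator, as sprintf adds */
    if (buf == NULL)
        return NULL;

    /* Assemble with memcpy: the record has embedded NULs, so it is not a C string. */
    char *p = buf;
    memcpy(p, "LOGNAME=", 8); p += 8; memcpy(p, s->user, ulen); p += ulen; *p++ = '\0';
    memcpy(p, "NAME=", 5);    p += 5; memcpy(p, s->user, ulen); p += ulen; *p++ = '\0';
    memcpy(p, "TTY=", 4);     p += 4; memcpy(p, s->tty, tlen);  p += tlen; *p++ = '\0';
    *p++ = '\0';                                /* second NUL ends the record */
    *p = '\0';
    *len = (size_t)(p - buf);                   /* equals need */
    return buf;
}
```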
From: ernesto at ornl.gov (Ernest L. Williams Jr.)
Date: Tue, 20 Mar 2001 19:46:21 -0500
Subject: openSSH 2.5.2 and S/Key support
Message-ID: <023001c0b1a0$5a394400$e5e35ba0@SNSPTGWBT1QU50>

Hi,

I am trying to use/install openSSH 2.5.2p1 with S/Key support.
The recommended libraries come from the following site:
http://www.sparc.spb.su/solaris/skey/

Is that a credible source? During the compilation of skey, I notice some
reference to sendmail. Could you please advise on this?

Also, once S/Key support is built into openSSH do I need to go and get
S/Key server and client software from somewhere?

Thanks,

*******************************************
Ernest L. Williams Jr.
SNS Control Systems Group, ORNL
701 Scarboro Rd., MS 6473
Oak Ridge, TN 37830
Phone 865-241-9071
e-mail: ernesto at ornl.gov
Fax 865-241-6739
******************************************

From djm at mindrot.org Wed Mar 21 13:15:16 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 21 Mar 2001 13:15:16 +1100 (EST)
Subject: Test snapshots
In-Reply-To:
Message-ID:

On Tue, 20 Mar 2001, Damien Miller wrote:

> > Client                      Server                       Status
> >
> > Host: i686-pc-linux-gnu
> >                             Host: i486-pc-sco3.2v4.2     OK
> >                             Host: i586-pc-sco3.2v5.0.4   OK
> >                             Host: sparc-sun-solaris2.8   OK
> >                             Host: i586-sco-sysv5uw7.1.0  OK
> >
> >
> > Host: i486-pc-sco3.2v4.2    *                            Fail
> > Host: i586-pc-sco3.2v5.0.4  *                            Fail
> > Host: sparc-sun-solaris2.8  *                            Fail
> > Host: i586-sco-sysv5uw7.1.0 *                            Fail
>
> hmmm, it is using the openbsd-compat/glob.c or the system one?
>
> what does 'sftp -v -v -v' say about the matter?

Further to this: can you whack some fprintf(stderr,...) statements into
openbsd-compat/glob.c to make sure it is getting called rather than
a system one.

-d

--
| Damien Miller \    ``E-mail attachments are the poor man's
| http://www.mindrot.org /          distributed filesystem'' - Dan Geer

From tim at multitalents.net Wed Mar 21 15:37:10 2001
From: tim at multitalents.net (Tim Rice)
Date: Tue, 20 Mar 2001 20:37:10 -0800 (PST)
Subject: Test snapshots
In-Reply-To:
Message-ID:

On Wed, 21 Mar 2001, Damien Miller wrote:

> On Tue, 20 Mar 2001, Damien Miller wrote:
>
> > > Client                      Server                       Status
> > >
> > > Host: i686-pc-linux-gnu
> > >                             Host: i486-pc-sco3.2v4.2     OK
> > >                             Host: i586-pc-sco3.2v5.0.4   OK
> > >                             Host: sparc-sun-solaris2.8   OK
> > >                             Host: i586-sco-sysv5uw7.1.0  OK
> > >
> > >
> > > Host: i486-pc-sco3.2v4.2    *                            Fail
> > > Host: i586-pc-sco3.2v5.0.4  *                            Fail
> > > Host: sparc-sun-solaris2.8  *                            Fail
> > > Host: i586-sco-sysv5uw7.1.0 *                            Fail
> >
> > hmmm, it is using the openbsd-compat/glob.c or the system one?

Looks like the openbsd-compat one.
...
tim(trr)@uw71 2% grep GLOB config.h
/* Define if your system glob() function has the GLOB_ALTDIRFUNC extension */
/* #undef GLOB_HAS_ALTDIRFUNC */
/* #undef GLOB_HAS_GL_MATCHC */
#define HAVE_GLOB 1
#define HAVE_GLOB_H 1
...

> >
> > what does 'sftp -v -v -v' say about the matter?
>
> Further to this: can you whack some fprintf(stderr,...) statements into
> openbsd-compat/glob.c to make sure it is getting called rather than
> a system one.

/usr/local/src/networking/openssh/sftp -v -v -v uw71
Connecting to uw71...
debug1: SSH args "ssh -v -v -v uw71 -s -oForwardX11=no -oForwardAgent=no -oProtocol=2 sftp"
OpenSSH_2.5.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug3: Reading output from 'ls -alni /var/adm'
debug3: Time elapsed: 10 msec
debug3: Got 2.00 bytes of entropy from 'ls -alni /var/adm'
debug3: Reading output from 'ls -alni /var/mail'
debug3: Time elapsed: 20 msec
debug3: Got 2.00 bytes of entropy from 'ls -alni /var/mail'
debug3: Reading output from 'ls -alni /var/adm/syslog'
debug3: Time elapsed: 10 msec
debug3: Got 0.16 bytes of entropy from 'ls -alni /var/adm/syslog'
debug3: Reading output from 'ls -alni /var/spool/mail'
debug3: Time elapsed: 20 msec
debug3: Got 0.19 bytes of entropy from 'ls -alni /var/spool/mail'
debug3: Reading output from 'ls -alni /proc'
debug3: Time elapsed: 20 msec
debug3: Got 2.00 bytes of entropy from 'ls -alni /proc'
debug3: Reading output from 'ls -alni /tmp'
debug3: Time elapsed: 10 msec
debug3: Got 2.00 bytes of entropy from 'ls -alni /tmp'
debug3: Reading output from 'ls -alni /var/tmp'
debug3: Time elapsed: 20 msec
debug3: Got 2.00 bytes of entropy from 'ls -alni /var/tmp'
debug3: Reading output from 'ls -alni /usr/tmp'
debug3: Time elapsed: 10 msec
debug3: Got 0.17 bytes of entropy from 'ls -alni /usr/tmp'
debug3: Reading output from 'netstat -an'
debug3: Time elapsed: 30 msec
debug3: Got 2.00 bytes of entropy from 'netstat -an'
debug3: Reading output from 'netstat -in'
debug3: Time elapsed: 20 msec
debug3: Got 1.13 bytes of entropy from 'netstat -in'
debug3: Reading output from 'netstat -rn'
debug3: Time elapsed: 20 msec
debug3: Got 0.82 bytes of entropy from 'netstat -rn'
debug3: Reading output from 'netstat -s'
debug3: Time elapsed: 20 msec
debug3: Got 2.00 bytes of entropy from 'netstat -s'
debug3: Reading output from 'ps -al'
debug3: Time elapsed: 30 msec
debug3: Got 2.00 bytes of entropy from 'ps -al'
debug3: Reading output from 'ps -efl'
debug3: Time elapsed: 50 msec
debug3: Got 2.00 bytes of entropy from 'ps -efl'
debug3: Reading output from 'w'
debug3: Time elapsed: 50 msec
debug3: Got 1.98 bytes of entropy from 'w'
debug3: Reading output from 'last'
debug3: Time elapsed: 20 msec
debug3: Got 1.05 bytes of entropy from 'last'
debug3: Reading output from 'df'
debug3: Time elapsed: 10 msec
debug3: Got 0.90 bytes of entropy from 'df'
debug3: Reading output from 'df -i'
debug3: Time elapsed: 20 msec
debug3: Got 0.88 bytes of entropy from 'df -i'
debug3: Reading output from 'uptime'
debug3: Time elapsed: 20 msec
debug3: Got 0.03 bytes of entropy from 'uptime'
debug3: Reading output from 'ipcs -a'
debug3: Time elapsed: 70 msec
debug3: Got 1.48 bytes of entropy from 'ipcs -a'
debug3: Reading output from 'tail -200 /var/adm/syslog'
debug3: Time elapsed: 10 msec
debug3: Got 2.00 bytes of entropy from 'tail -200 /var/adm/syslog'
debug1: Seeded RNG with 35 bytes from programs
debug1: Seeded RNG with 3 bytes from system calls
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: getuid 31 geteuid 31 anon 1
debug1: Connecting to uw71 [192.168.50.65] port 22.
debug1: Connection established.
debug1: unknown identity file /home2/tim/.ssh/id_rsa
debug1: identity file /home2/tim/.ssh/id_rsa type -1
debug3: Bad RSA1 key file /home2/tim/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: no key found
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: no key found
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: no key found
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: no key found
debug1: identity file /home2/tim/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.2p1
debug1: match: OpenSSH_2.5.2p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.5.2p1
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug1: got kexinit: ssh-rsa,ssh-dss
debug1: got kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug1: got kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug1: got kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: none,zlib
debug1: got kexinit: none,zlib
debug1: got kexinit:
debug1: got kexinit:
debug1: first kex follow: 0
debug1: reserved: 0
debug1: done
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: Sending SSH2_MSG_KEX_DH_GEX_REQUEST.
debug1: Wait SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: Got SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: dh_gen_key: priv key bits set: 131/256
debug1: bits set: 1030/2049
debug1: Sending SSH2_MSG_KEX_DH_GEX_INIT.
debug1: Wait SSH2_MSG_KEX_DH_GEX_REPLY.
debug1: Got SSH2_MSG_KEXDH_REPLY.
debug1: Host 'uw71' is known and matches the RSA host key.
debug1: Found key in /home2/tim/.ssh/known_hosts2:11
debug1: bits set: 1026/2049
debug1: ssh_rsa_verify: signature correct
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,password,keyboard-interactive
debug3: authmethod_lookup publickey
debug3: remaining preferred: password,keyboard-interactive
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: try privkey: /home2/tim/.ssh/id_rsa
debug3: no such identity: /home2/tim/.ssh/id_rsa
debug1: try pubkey: /home2/tim/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: keyboard-interactive
debug3: authmethod_is_enabled password
debug1: next auth method to try is password
tim at uw71's password:
debug2: packet_inject_ignore: current 56
debug2: packet_inject_ignore: block 16 have 4 nb 4 mini 1 need 4
debug2: we sent a password packet, wait for reply
debug1: ssh-userauth2 successful: method password
debug1: fd 6 setting O_NONBLOCK
debug1: fd 7 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug2: callback start debug1: client_init id 0 arg 0 debug1: Sending subsystem: sftp debug2: callback done debug1: channel 0: open confirm rwindow 0 rmax 16384 debug2: channel 0: rcvd adjust 32768 debug2: Remote version: 3 debug3: Sent message fd 6 T:16 I:1 debug3: SSH_FXP_REALPATH . -> /home2/tim sftp> sftp> get *.txt debug3: Looking up /home2/tim/*.txt in openbsd-compat glob() in openbsd-compat glob0() in openbsd-compat globtilde() in openbsd-compat glob1() in openbsd-compat glob2() in openbsd-compat glob3() in openbsd-compat g_opendir() in openbsd-compat g_Ctoc() debug3: Sending SSH2_FXP_READDIR I:3 debug3: Received reply T:104 I:3 debug3: Received 100 SSH2_FXP_NAME responses debug3: Sending SSH2_FXP_READDIR I:4 debug3: Received reply T:104 I:4 debug3: Received 100 SSH2_FXP_NAME responses debug3: Sending SSH2_FXP_READDIR I:5 debug3: Received reply T:104 I:5 debug3: Received 56 SSH2_FXP_NAME responses debug3: Sending SSH2_FXP_READDIR I:6 debug3: Received reply T:101 I:6 debug3: Received SSH2_FXP_STATUS 1 debug3: Sent message SSH2_FXP_CLOSE I:7 debug3: SSH2_FXP_STATUS 0 in openbsd-compat match() in openbsd-compat match() in openbsd-compat match() in openbsd-compat match() in openbsd-compat match() [snip many more of these] in openbsd-compat match() in openbsd-compat match() in openbsd-compat match() in openbsd-compat match() in openbsd-compat match() File "/home2/tim/*.txt" not found. in openbsd-compat globfree() sftp> > > -d > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From mib at unimelb.edu.au Wed Mar 21 15:51:18 2001 
From: mib at unimelb.edu.au (Mike Battersby)
Date: Wed, 21 Mar 2001 15:51:18 +1100
Subject: Tru64 UNIX SIA in 2.5.2p1 is hosed (still)
Message-ID: <200103210451.f2L4pIx25127@ariel.ucs.unimelb.edu.au>

The recent patch posted by Steve VanDevender for fixing the session code
on Tru64 isn't quite right -- it still fails in the case of NO tty being
allocated.

The problem is that s->tty is a char[TTYSZ] rather than a char *, and
hence can't hold a NULL. Calling sia_ses_init() with the tty being an
empty string doesn't signify no tty, and hence will cause a failure. The
"no tty" case should have tty passed as NULL.

One possible fix for this is to change the call to sia_ses_init from:

	if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty,
	    0, NULL) != SIASUCCESS)

to:

	if (sia_ses_init(&ent, saved_argc, saved_argv, host, user,
	    tty[0] ? tty : NULL, 0, NULL) != SIASUCCESS)

However, I'm not convinced that tty won't be some random value here if
the session structure has been used before, since s->tty isn't zeroed in
session_new(). Thus you may possibly also need to add:

	s->tty[0] = '\0';

into the session initialisation in session_new(), or maybe set it before
the call to do_child() in do_exec_no_pty().

On further thought, perhaps the call to sia_ses_init should be left alone
and the call to session_setup_sia() in session.c changed from:

	session_setup_sia(pw->pw_name, s->tty);

to:

	session_setup_sia(pw->pw_name, s->ttyfd != -1 ? s->tty : NULL);

Can someone who knows the code better than I do shed some light on the
correct solution here?

- Mike

--
Mike Battersby
The University of Melbourne
Fetch my pgp key from: http://ariel.ucs.unimelb.edu.au/~mib/pgpkey.txt

From djm at mindrot.org Wed Mar 21 15:52:44 2001
From: djm at mindrot.org (Damien Miller) Date: Wed, 21 Mar 2001 15:52:44 +1100 (EST) Subject: Test snapshots In-Reply-To: Message-ID: On Tue, 20 Mar 2001, Tim Rice wrote: > in openbsd-compat match() Could you get the printf here to dump match()s args and return value? -d > in openbsd-compat match() > in openbsd-compat match() > File "/home2/tim/*.txt" not found. > in openbsd-compat globfree() > sftp> > > > > > > -d > > > > > > -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From djm at mindrot.org Wed Mar 21 16:12:47 2001 From: djm at mindrot.org (Damien Miller) Date: Wed, 21 Mar 2001 16:12:47 +1100 (EST) Subject: Tru64 UNIX SIA in 2.5.2p1 is hosed (still) In-Reply-To: <200103210451.f2L4pIx25127@ariel.ucs.unimelb.edu.au> Message-ID: On Wed, 21 Mar 2001, Mike Battersby wrote: > The recent patch posted by Steve VanDevender > for fixing the session code on Tru64 isn't quite right -- it still fails > in the case of NO tty being allocated. > > The problem is that s->tty is a char[TTYSZ] rather than a char *, and > hence can't hold a NULL. Calling sia_ses_init() with the tty being an > empty string doesn't signify no tty, and hence will cause a failure. The > "no tty" case should have tty passed as NULL. Thanks for spotting this. The following takes care of the SIA case. I am pretty sure it fixes AIX as well, but the manpage that Gert sent to the list was a little ambiguous - only saying that TTY should be "null" in the cases where no tty is present. Perhaps an AIX guru could enlighten us here? Index: session.c =================================================================== RCS file: /var/cvs/openssh/session.c,v retrieving revision 1.93 diff -u -r1.93 session.c --- session.c 2001/03/21 00:11:57 1.93 +++ session.c 2001/03/21 05:10:07 
@@ -1053,7 +1053,7 @@ switch, so we let login(1) to this for us. */ if (!options.use_login) { #ifdef HAVE_OSF_SIA - session_setup_sia(pw->pw_name, s->tty); + session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty); #else /* HAVE_OSF_SIA */ #ifdef HAVE_CYGWIN if (is_winnt) { @@ -1137,7 +1137,8 @@ cp = xmalloc(22 + strlen(s->tty) + 2 * strlen(pw->pw_name)); i = sprintf(cp, "LOGNAME=%s%cNAME=%s%cTTY=%s%c%c", - pw->pw_name, 0, pw->pw_name, 0, s->tty, 0,0); + pw->pw_name, 0, pw->pw_name, 0, + s->ttyfd == -1 ? "" : s->tty, 0,0); if (usrinfo(SETUINFO, cp, i) == -1) fatal("Couldn't set usrinfo: %s", strerror(errno)); -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From tim at multitalents.net Wed Mar 21 16:23:09 2001 
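Review bot: the `s->ttyfd == -1 ? NULL : s->tty` test in the session_setup_sia() hunk (@@ -1053) only does what it should if ttyfd is guaranteed to be -1 for every session that never received a pty; Mike's report says s->tty is not zeroed in session_new(), and nothing in this hunk shows ttyfd being initialised either, so please confirm that session_new() sets ttyfd to -1 and that a reused session structure cannot carry a stale descriptor into do_exec_no_pty(). A one-line comment next to the call saying why NULL rather than "" is passed (SIA treats an empty string as a real tty name and fails) would spare the next reader a trip to the list archive.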
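Review bot: in the usrinfo() hunk (@@ -1137) the no-tty case now emits `TTY=` followed by an empty string, but as the covering mail says, the AIX manpage only states that TTY should be "null", which could equally mean the TTY= entry should be left out; until an AIX user confirms, dropping the `TTY=%s%c` part of the format when `s->ttyfd == -1` would be the conservative choice rather than guessing. Two smaller points: the unchanged `xmalloc(22 + strlen(s->tty) + 2 * strlen(pw->pw_name))` line still sizes the buffer from s->tty even though "" may now be what gets formatted (harmless over-allocation, but now inconsistent), and the sprintf() into that buffer is only safe because the literal text plus the four NUL separators and the terminator come to exactly 22 bytes, which deserves a comment or a switch to snprintf() with the computed size.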
From: tim at multitalents.net (Tim Rice) Date: Tue, 20 Mar 2001 21:23:09 -0800 (PST) Subject: Test snapshots In-Reply-To: Message-ID: On Wed, 21 Mar 2001, Damien Miller wrote: > On Tue, 20 Mar 2001, Tim Rice wrote: > > > in openbsd-compat match() > > Could you get the printf here to dump match()s args and return value? sftp> cd tmp debug3: Sent message fd 6 T:16 I:2 debug3: SSH_FXP_REALPATH /home2/tim/tmp -> /home2/tim/tmp debug3: Sent message fd 6 T:17 I:3 debug3: Received stat reply T:105 I:3 sftp> dir debug3: Sending SSH2_FXP_READDIR I:5 debug3: Received reply T:104 I:5 debug3: Received 15 SSH2_FXP_NAME responses drwxrwxr-x 2 tim trr 2048 Mar 20 21:16 . drwx--x--x 23 tim trr 7168 Mar 20 21:15 .. -rw-rw-r-- 2 tim trr 5775 Dec 19 09:50 Readme.txt -rw-rw-r-- 2 tim trr 2237 Oct 26 16:10 auth.txt -rw-rw-r-- 2 tim trr 1240 Sep 17 2000 barcode.txt -rw-r--r-- 2 tim trr 7338950 Mar 15 13:53 Bins.tar.gz -rw-rw-r-- 2 tim trr 8211 Sep 19 10:45 raid.txt -rw-rw-r-- 2 tim trr 6643 Nov 19 18:49 sp12987.txt -rw-rw-r-- 2 tim trr 2232 Nov 19 18:50 sp15432.txt -rw-rw-r-- 2 tim trr 21511 May 2 1999 CD-Writing.tar.gz -rw-rw-r-- 2 tim trr 22894 May 2 1999 CD-Writing.txt.gz -rw-rw-r-- 2 tim trr 10374569 Dec 5 19:04 fp40.linux.tar.gz -rw-rw-r-- 2 tim trr 20492 Sep 17 2000 linbar.tar.gz -rw-rw-r-- 2 tim trr 4786005 Jan 10 08:23 yassp.tar.gz -rw-rw-r-- 1 tim trr 580 Mar 20 21:15 x debug3: Sending SSH2_FXP_READDIR I:6 debug3: Received reply T:101 I:6 debug3: Received SSH2_FXP_STATUS 1 debug3: Sent message SSH2_FXP_CLOSE I:7 debug3: SSH2_FXP_STATUS 0 sftp> sftp> get *.txt debug3: Looking up /home2/tim/tmp/*.txt in openbsd-compat glob() in openbsd-compat glob0() in openbsd-compat globtilde() in openbsd-compat glob1() in openbsd-compat glob2() in openbsd-compat glob3() in openbsd-compat g_opendir() in openbsd-compat g_Ctoc() debug3: Sending SSH2_FXP_READDIR I:9 debug3: Received reply T:104 I:9 debug3: Received 15 SSH2_FXP_NAME responses debug3: Sending SSH2_FXP_READDIR I:10 debug3: Received 
reply T:101 I:10 debug3: Received SSH2_FXP_STATUS 1 debug3: Sent message SSH2_FXP_CLOSE I:11 debug3: SSH2_FXP_STATUS 0 Called match(, *., ) Called match(, ., ) match() returning 0 match() returning 0 Called match(, *., ) Called match(, ., ) match() returning 0 match() returning 0 Called match(, *., ) Called match(, ., ) match() returning 0 match() returning 0 Called match(, *., ) Called match(, ., ) match() returning 0 match() returning 0 Called match(, *., ) Called match(, ., ) match() returning 0 match() returning 0 Called match(, *., ) Called match(, ., ) match() returning 0 match() returning 0 Called match(, *., ) Called match(, ., ) match() returning 0 match() returning 0 Called match(, *., ) Called match(, ., ) match() returning 0 match() returning 0 Called match(, *., ) Called match(, ., ) match() returning 0 match() returning 0 Called match(, *., ) Called match(, ., ) match() returning 0 match() returning 0 Called match(, *., ) Called match(, ., ) match() returning 0 match() returning 0 Called match(, *., ) Called match(, ., ) match() returning 0 match() returning 0 Called match(, *., ) Called match(, ., ) match() returning 0 match() returning 0 Called match(, *., ) Called match(, ., ) match() returning 0 match() returning 0 Called match(, *., ) Called match(, ., ) match() returning 0 match() returning 0 File "/home2/tim/tmp/*.txt" not found. in openbsd-compat globfree() sftp> > > -d > > > in openbsd-compat match() > > in openbsd-compat match() > > File "/home2/tim/*.txt" not found. > > in openbsd-compat globfree() > > sftp> > > > > > > > > > > -d > > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From djm at mindrot.org Wed Mar 21 16:29:04 2001 
From: djm at mindrot.org (Damien Miller)
Date: Wed, 21 Mar 2001 16:29:04 +1100 (EST)
Subject: Test snapshots
In-Reply-To:
Message-ID:

On Tue, 20 Mar 2001, Tim Rice wrote:

> Called match(, *., )

This looks wrong - the first argument should be a char to match.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From tim at multitalents.net Wed Mar 21 16:45:21 2001
From: tim at multitalents.net (Tim Rice) Date: Tue, 20 Mar 2001 21:45:21 -0800 (PST) Subject: Test snapshots In-Reply-To: Message-ID: On Wed, 21 Mar 2001, Damien Miller wrote: > On Tue, 20 Mar 2001, Tim Rice wrote: > > > Called match(, *., ) > > This looks wrong - the first argument shold be a char to match. Oops, sorry. It's getting late and I used %s where I should have used %c sftp> get *.txt debug3: Looking up /home2/tim/tmp/*.txt in openbsd-compat glob() in openbsd-compat glob0() in openbsd-compat globtilde() in openbsd-compat glob1() in openbsd-compat glob2() in openbsd-compat glob3() in openbsd-compat g_opendir() in openbsd-compat g_Ctoc() debug3: Sending SSH2_FXP_READDIR I:5 debug3: Received reply T:104 I:5 debug3: Received 15 SSH2_FXP_NAME responses debug3: Sending SSH2_FXP_READDIR I:6 debug3: Received reply T:101 I:6 debug3: Received SSH2_FXP_STATUS 1 debug3: Sent message SSH2_FXP_CLOSE I:7 debug3: SSH2_FXP_STATUS 0 Called match(L, t, ~) Called match(L, v, ~) match() returning 0 match() returning 0 Called match(L, t, ~) Called match(L, v, ~) match() returning 0 match() returning 0 Called match(L, t, ~) Called match(L, v, ~) match() returning 0 match() returning 0 Called match(L, t, ~) Called match(L, v, ~) match() returning 0 match() returning 0 Called match(L, t, ~) Called match(L, v, ~) match() returning 0 match() returning 0 Called match(L, t, ~) Called match(L, v, ~) match() returning 0 match() returning 0 Called match(L, t, ~) Called match(L, v, ~) match() returning 0 match() returning 0 Called match(L, t, ~) Called match(L, v, ~) match() returning 0 match() returning 0 Called match(L, t, ~) Called match(L, v, ~) match() returning 0 match() returning 0 Called match(L, t, ~) Called match(L, v, ~) match() returning 0 match() returning 0 Called match(L, t, ~) Called match(L, v, ~) match() returning 0 match() returning 0 Called match(L, t, ~) Called match(L, v, ~) match() returning 0 match() returning 0 Called match(L, t, ~) Called match(L, v, ~) match() 
returning 0 match() returning 0 Called match(L, t, ~) Called match(L, v, ~) match() returning 0 match() returning 0 Called match(L, t, ~) Called match(L, v, ~) match() returning 0 match() returning 0 File "/home2/tim/tmp/*.txt" not found. in openbsd-compat globfree() sftp> > > -d > > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From djm at mindrot.org Wed Mar 21 17:07:41 2001 From: djm at mindrot.org (Damien Miller) Date: Wed, 21 Mar 2001 17:07:41 +1100 (EST) Subject: Test snapshots In-Reply-To: Message-ID: On Tue, 20 Mar 2001, Tim Rice wrote: > On Wed, 21 Mar 2001, Damien Miller wrote: > > > On Tue, 20 Mar 2001, Tim Rice wrote: > > > > > Called match(, *., ) > > > > This looks wrong - the first argument shold be a char to match. > Oops, sorry. It's getting late and I used %s where I should have used %c No - %s is correct :) -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From abartlet at pcug.org.au Wed Mar 21 18:29:56 2001 
From: abartlet at pcug.org.au (Andrew Bartlett)
Date: Wed, 21 Mar 2001 18:29:56 +1100
Subject: sshd executes ~/.ssh/sshrc without using user's shell
References: <3AB2D68E.D1835CE7@bartlett.house> <20010320203336.B20477@folly>
Message-ID: <3AB85874.34E2D0B5@bartlett.house>

Markus Friedl wrote:
>
> On Sat, Mar 17, 2001 at 02:14:22PM +1100, Andrew Bartlett wrote:
> > I am considering allowing (relatively) untrusted local users onto my
> > fileserver, so they can use SFTP to access their home directories.
> >
> > I have a custom shell (a taint-mode enabled perl script) that allows
> > users to change their password, which I have modified to only allow a
> > '-c' command for the sftp-server.
> >
> > I have also disabled TCP port forwarding. However, some reading of the
> > OpenSSH code suggests that, while most commands sshd executes use the
> > user's login shell, the popen call for .ssh/sshrc does not
> > (session.c:1342 and thereabouts).
> >
> > Is this an issue?
>
> yes. in the future, subsystems will probably ignore this file.

That's good for the subsystems, but as far as I can tell a user with a
restricted shell can still execute arbitrary commands, just by not
requesting a subsystem. It's the arbitrary commands business that bothers
me.

> > Or do I have bigger things to worry about?
>
> nothing that i can think of.

That's good, thanks.

Andrew Bartlett

--
Andrew Bartlett
abartlet at pcug.org.au

From Markus.Friedl at informatik.uni-erlangen.de Wed Mar 21 19:03:46 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 21 Mar 2001 09:03:46 +0100
Subject: sshd executes ~/.ssh/sshrc without using user's shell
In-Reply-To: <3AB85874.34E2D0B5@bartlett.house>; from abartlet@pcug.org.au on Wed, Mar 21, 2001 at 06:29:56PM +1100
References: <3AB2D68E.D1835CE7@bartlett.house> <20010320203336.B20477@folly> <3AB85874.34E2D0B5@bartlett.house>
Message-ID: <20010321090346.B12786@faui02.informatik.uni-erlangen.de>

On Wed, Mar 21, 2001 at 06:29:56PM +1100, Andrew Bartlett wrote:
> Markus Friedl wrote:
> >
> > On Sat, Mar 17, 2001 at 02:14:22PM +1100, Andrew Bartlett wrote:
> > > I am considering allowing (relatively) untrusted local users onto my
> > > fileserver, so they can use SFTP to access their home directories.
> > >
> > > I have a custom shell (a taint-mode enabled perl script) that allows
> > > users to change their password, which I have modified to only allow a
> > > '-c' command for the sftp-server.
> > >
> > > I have also disabled TCP port forwarding. However, some reading of the
> > > OpenSSH code suggests that, while most commands sshd executes use the
> > > user's login shell, the popen call for .ssh/sshrc does not
> > > (session.c:1342 and thereabouts).
> > >
> > > Is this an issue?
> >
> > yes. in the future, subsystems will probably ignore this file.
>
> That's good for the subsystems, but as far as I can tell a user with a
> restricted shell can still execute arbitrary commands, just by not
> requesting a subsystem. It's the arbitrary commands business that bothers
> me.

yes, we need a way to restrict groups of users to certain subsystems.

> > > Or do I have bigger things to worry about?
> >
> > nothing that i can think of.
>
> That's good, thanks
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> abartlet at pcug.org.au
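The restriction Markus and Andrew are discussing (let users in for SFTP only, and make the login shell, not sshd, decide what may run) is what a restricted login shell has to enforce at the point where sshd hands it `-c <command>`. The following is an added example written for this thread; it is not code from OpenSSH and not Andrew's taint-mode perl shell. It assumes sftp-server lives at /usr/libexec/sftp-server (the Subsystem line in sshd_config), that passwd is the one interactive program these users may run, and that sshd starts a subsystem as `<shell> -c '<Subsystem command>'`. Because it accepts only the exact subsystem command, it also refuses the `/bin/sh ~/.ssh/rc` invocation that Andrew's later patch routes through the login shell, so ~/.ssh/sshrc never runs for these users.

```python
#!/usr/bin/env python3
"""Restricted login shell that only lets sshd start sftp-server.

Added example for the sshrc discussion; not OpenSSH code and not the
original poster's perl script. Assumptions (not from the mails): the
paths below, and that sshd invokes the login shell as
`<shell> -c '<Subsystem command>'` for a subsystem request.
Install as the user's pw_shell, e.g. /usr/local/bin/sftp-only-shell.
"""
import os
import shlex
import sys

# Assumed location; must match "Subsystem sftp ..." in sshd_config.
SFTP_SERVER = "/usr/libexec/sftp-server"
# Assumed: the one interactive thing these users may do is change their
# password, which is what the original poster's custom shell was for.
PASSWD = "/usr/bin/passwd"


def classify(argv):
    """Decide what to do with the argument vector sshd handed the shell.

    Returns ("exec", [program, ...]) for an allowed command, or
    ("deny", reason) for everything else.
    """
    args = list(argv[1:])
    if not args:                       # plain interactive login: passwd only
        return ("exec", [PASSWD])
    if args[0] != "-c" or len(args) != 2:
        return ("deny", "only '-c <command>' is accepted")
    cmd = args[1]
    try:
        words = shlex.split(cmd)
    except ValueError as exc:          # unbalanced quotes and the like
        return ("deny", "unparseable command: %s" % exc)
    # Require the subsystem command verbatim: no arguments, no quoting
    # tricks, no "; other-command", and no /bin/sh wrapper. This is what
    # also refuses the "/bin/sh ~/.ssh/rc" form the patch in this thread
    # would pass through the login shell.
    if words == [SFTP_SERVER] and cmd.strip() == SFTP_SERVER:
        return ("exec", words)
    return ("deny", "command not permitted: %r" % cmd)


def main(argv=None):
    argv = sys.argv if argv is None else argv
    verdict, detail = classify(argv)
    if verdict == "deny":
        sys.stderr.write("restricted shell: %s\n" % detail)
        return 1
    os.execv(detail[0], detail)        # replaces this process on success
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Note that this only closes the hole for users whose pw_shell is this script; a user with a normal shell still gets ~/.ssh/sshrc executed by /bin/sh, which is the behaviour the thread is about. TCP forwarding and agent forwarding are separate sshd_config matters and are not covered here.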
From: abartlet at pcug.org.au (Andrew Bartlett)
Date: Wed, 21 Mar 2001 19:37:57 +1100
Subject: sshd executes ~/.ssh/sshrc without using user's shell
References: <3AB2D68E.D1835CE7@bartlett.house> <20010320203336.B20477@folly> <3AB85874.34E2D0B5@bartlett.house> <20010321090346.B12786@faui02.informatik.uni-erlangen.de>
Message-ID: <3AB86865.A0021FB3@bartlett.house>

Markus Friedl wrote:
>
> On Wed, Mar 21, 2001 at 06:29:56PM +1100, Andrew Bartlett wrote:
> > Markus Friedl wrote:
> > >
> > > On Sat, Mar 17, 2001 at 02:14:22PM +1100, Andrew Bartlett wrote:
> > > > I am considering allowing (relatively) untrusted local users onto my
> > > > fileserver, so they can use SFTP to access their home directories.
> > > >
> > > > I have a custom shell (a taint-mode enabled perl script) that allows
> > > > users to change their password, which I have modified to only allow a
> > > > '-c' command for the sftp-server.
> > > >
> > > > I have also disabled TCP port forwarding. However, some reading of the
> > > > OpenSSH code suggests that, while most commands sshd executes use the
> > > > user's login shell, the popen call for .ssh/sshrc does not
> > > > (session.c:1342 and thereabouts).
> > > >
> > > > Is this an issue?
> > >
> > > yes. in the future, subsystems will probably ignore this file.
> >
> > That's good for the subsystems, but as far as I can tell a user with a
> > restricted shell can still execute arbitrary commands, just by not
> > requesting a subsystem. It's the arbitrary commands business that bothers
> > me.
>
> yes, we need a way to restrict groups of users to certain subsystems.
>

In the meantime does the following patch (compiled, but not tested) look
sensible? The idea is that the user's shell is used to execute the sh used
to run ~/.ssh/rc, giving the power back to the sys-admin as to what the
user can execute.
Thanks for your time, Andrew Bartlett -- Andrew Bartlett abartlet at pcug.org.au -------------- next part -------------- --- session.orig Fri Mar 9 18:51:12 2001 +++ session.c Sun Mar 11 21:13:39 2001 @@ -1332,9 +1337,10 @@ if (!options.use_login) { if (stat(_PATH_SSH_USER_RC, &st) >= 0) { if (debug_flag) - fprintf(stderr, "Running %s %s\n", _PATH_BSHELL, _PATH_SSH_USER_RC); + fprintf(stderr, "Running %s -c \"%s %s\"\n", shell, _PATH_BSHELL, _PATH_SSH_USER_RC); - f = popen(_PATH_BSHELL " " _PATH_SSH_USER_RC, "w"); + snprintf(buf, sizeof buf, "%s -c \"%s %s\"", shell, _PATH_BSHELL, _PATH_SSH_USER_RC); + f = popen(buf, "w"); if (f) { if (auth_proto != NULL && auth_data != NULL) fprintf(f, "%s %s\n", auth_proto, auth_data); From gert at greenie.muc.de Wed Mar 21 19:57:53 2001 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 21 Mar 2001 09:57:53 +0100 Subject: openSSH 2.5.2 and S/Key support In-Reply-To: <023001c0b1a0$5a394400$e5e35ba0@SNSPTGWBT1QU50>; from Ernest L. Williams Jr. on Tue, Mar 20, 2001 at 07:46:21PM -0500 References: <023001c0b1a0$5a394400$e5e35ba0@SNSPTGWBT1QU50> Message-ID: <20010321095753.C15601@greenie.muc.de> Hi, On Tue, Mar 20, 2001 at 07:46:21PM -0500, Ernest L. Williams Jr. wrote: > I am trying to use/install openSSH 2.5.2p1 with S/Key support. The > recommended libraries come from the following site: > http://www.sparc.spb.su/solaris/skey/ Works for me. [..] > Also, once S/Key support is built into openSSH do I need to go an get S/Key > server and client software from somewhere? It's all in the package named above. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From Markus.Friedl at informatik.uni-erlangen.de Wed Mar 21 20:21:36 2001 
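Review bot: on the session.c sshrc hunk in Andrew Bartlett's patch above (the popen() change at @@ -1332,9 +1337,10 @@): `buf` is used by the new snprintf() but is declared nowhere in the posted hunk, and the header shows five lines added earlier in the file that are not part of the diff, so the patch as posted is incomplete and cannot be reviewed for the buffer's size. Second, popen() still hands the string to /bin/sh -c, so `shell -c "/bin/sh /path/.ssh/rc"` is parsed by /bin/sh before the user's shell ever sees it; a pw_shell containing spaces or metacharacters, or a double quote anywhere in the expanded path, breaks the quoting, and a fork/execv of `shell, "-c", cmd` with the pipe set up by hand would avoid the extra shell. Finally, the change only helps where the restricted shell rejects a `-c` argument it does not recognise; a shell that executes whatever follows `-c` gains nothing, so that requirement belongs in the commit message and in sshd(8)'s description of sshrc.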
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 21 Mar 2001 10:21:36 +0100
Subject: SSH doesnt let me login (fwd)
Message-ID: <20010321102136.A17452@faui02.informatik.uni-erlangen.de>

is this a PAM issue? [don't reply to me]

-------------- next part --------------
An embedded message was scrubbed...
From: Debojyoti Dutta
Subject: SSH doesnt let me login
Date: Tue, 20 Mar 2001 22:55:02 -0800
Size: 1838
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010321/0075cefe/attachment.mht

From pekkas at netcore.fi Wed Mar 21 20:44:22 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 21 Mar 2001 11:44:22 +0200 (EET)
Subject: SSH doesnt let me login (fwd)
In-Reply-To: <20010321102136.A17452@faui02.informatik.uni-erlangen.de>
Message-ID:

This is caused by the fact that you're using MD5 passwords (use
--with-md5-passwords if you don't want to use PAM) and you haven't
enabled PAM (--with-pam).

As a rule, I should say that you should use the RPMs unless you know what
you're doing. ./configure --help gives some pointers.

-- 8<---

Hi

I installed openssh and I tried to log into my machine from another
machine. It says permission denied even though I have given the correct
passwd. I built openssh from the sources on a PIII box running redhat6.2

I installed openssh removing my ssh.com's ssh in the hope that it will
work fine too

Please help
Debo

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.   -- Robert Jordan: A Crown of Swords
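Pekka's diagnosis is that the stored hashes are "$1$" MD5-crypt strings, which a libc crypt() that only does traditional DES can never reproduce, so sshd's comparison of crypt(password, stored) against stored fails even for the right password; --with-md5-passwords compiles an md5-crypt routine into sshd (and --with-pam delegates the check to PAM). As an added example, not OpenSSH's md5crypt.c and not from the mails, here is a Python version of the FreeBSD md5-crypt algorithm together with a checker that mirrors that comparison. The prefix-based scheme detection, the md5_passwords flag that models the build option, and the sample password and salt are this example's own.

```python
#!/usr/bin/env python3
"""Verify a $1$ (MD5-crypt) hash the way an sshd built with
--with-md5-passwords can, and show why a DES-only crypt() cannot.

Added example for this thread, not OpenSSH's md5crypt.c. The algorithm
is Poul-Henning Kamp's FreeBSD md5-crypt; salts and passwords used in
the test are made up here, not taken from any real passwd/shadow file.
"""
import hashlib
import hmac

MAGIC = b"$1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, n):
    """Encode the low 6*n bits of value, least significant group first."""
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password, salt):
    """Return the "$1$<salt>$<hash>" string for password (both bytes).

    salt may be a bare salt or a full stored hash; as with crypt(3),
    only the up-to-8 characters between "$1$" and the next "$" count.
    """
    if salt.startswith(MAGIC):
        salt = salt[len(MAGIC):]
    salt = salt.split(b"$", 1)[0][:8]

    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    plen = len(password)
    while plen > 0:                  # 16 bytes of alt per 16 bytes of password
        ctx.update(alt[:min(plen, 16)])
        plen -= 16
    i = len(password)
    while i:                         # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):            # stretching loop; input order varies with i
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()

    out = MAGIC + salt + b"$"
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return out


def hash_scheme(stored):
    """Name the crypt scheme of a stored hash, judged by its shape."""
    if stored.startswith(MAGIC):
        return "md5"
    if len(stored) == 13 and b"$" not in stored:
        return "des"
    return "unknown"


def check_password(stored, password, md5_passwords=True):
    """Mirror sshd's test: crypt(password, stored) must equal stored.

    md5_passwords=False models a DES-only libc crypt() and an sshd built
    without --with-md5-passwords: nothing it computes can equal a 34-byte
    "$1$" string, so the correct password is rejected all the same, which
    is the "permission denied" in the forwarded report.
    """
    scheme = hash_scheme(stored)
    if scheme == "md5" and md5_passwords:
        return hmac.compare_digest(md5crypt(password, stored), stored)
    # DES crypt is deliberately not implemented here; any scheme this
    # checker does not support compares unequal, exactly as a DES-only
    # crypt() does when handed a "$1$" hash.
    return False
```

Running check_password() with md5_passwords=False against a "$1$" hash is the failing configuration from the report; the same call with the default is what --with-md5-passwords buys. The constant-time comparison is not in the 2001 code, which used strcmp(), but it costs nothing here.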
From: abartlet at pcug.org.au (Andrew Bartlett) Date: Wed, 21 Mar 2001 21:13:49 +1100 Subject: SSH doesnt let me login (fwd) References: <20010321102136.A17452@faui02.informatik.uni-erlangen.de> Message-ID: <3AB87EDD.B2647510@bartlett.house> Markus Friedl wrote: > > is this a PAM issue? [don't reply to me] > > ------------------------------------------------------------------------ > > Subject: SSH doesnt let me login > Date: Tue, 20 Mar 2001 22:55:02 -0800 > From: Debojyoti Dutta > To: openssh at openssh.com > > Hi > > I installed openssh and i tried to log into my machine from another > machine. It says permission denied even though I have given the correct > passwd. I built openssh from the sources on a PIII box running redhat6.2 > > I installed openssh removing my ssh.com's ssh in the hope that it will > work fine too > > Please help > Debo The RPM packages provided (or the SRPMs if you prefer them that way) are the much prefferred way to get OpenSSH installed on RedHat machines, as the PAM configuration is taken care of for you. Further to this, check your logs - they often provide the vital clues. Andrew Bartlett abartlet at pcug.org.au -- Andrew Bartlett abartlet at pcug.org.au From ernesto at ornl.gov Thu Mar 22 00:11:51 2001 
From: ernesto at ornl.gov (Ernest L. Williams Jr.) Date: Wed, 21 Mar 2001 08:11:51 -0500 Subject: openSSH 2.5.2 and S/Key support References: <023001c0b1a0$5a394400$e5e35ba0@SNSPTGWBT1QU50> <20010321095753.C15601@greenie.muc.de> Message-ID: <001d01c0b208$7f261aa0$e5e35ba0@SNSPTGWBT1QU50> Hi Thanks for the reply. During the build process why is there a reference to SENDMAIL? Also, when trying to use S/key, I had to go download some sort of S/key calculator for the client. If everything that I need is contained in the package, what executable do I use for the calculator? I know the server side of S/key is now embedded in openSSH but where is the client and how do I use it? Thanks, ******************************************* Ernest L. Williams Jr. SNS Control Systems Group, ORNL 701 Scarboro Rd., MS 6473 Oak Ridge, TN 37830 Phone 865-241-9071 e-mail: ernesto at ornl.gov Fax 865-241-6739 ****************************************** ----- Original Message ----- From: "Gert Doering" To: "Ernest L. Williams Jr." ; Sent: Wednesday, March 21, 2001 3:57 AM Subject: Re: openSSH 2.5.2 and S/Key support > Hi, > > On Tue, Mar 20, 2001 at 07:46:21PM -0500, Ernest L. Williams Jr. wrote: > > I am trying to use/install openSSH 2.5.2p1 with S/Key support. The > > recommended libraries come from the following site: > > http://www.sparc.spb.su/solaris/skey/ > > Works for me. > > [..] > > Also, once S/Key support is built into openSSH do I need to go an get S/Key > > server and client software from somewhere? > > It's all in the package named above. > > gert > -- > USENET is *not* the non-clickable part of WWW! > file://www.muc.de/~gert/ > Gert Doering - Munich, Germany gert at greenie.muc.de > fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de > From Nigel.Metheringham at intechnology.co.uk Thu Mar 22 00:21:26 2001 
From: Nigel.Metheringham at intechnology.co.uk (Nigel Metheringham) Date: Wed, 21 Mar 2001 13:21:26 +0000 Subject: Challenge response authentication and PAM Message-ID: As an experiment I set up Challenge/response authentication on a Linux system with PAM using a pam_opie module (this module works fine with console logins and su). I can log into the box using the opie password, *but* it does not give me the challenge - which can make things a little tricky :-) I can well believe this might be a fault in the PAM pam_opie module I am using, so has anyone got Challenge/Response authentication working under PAM and with the challenge being given? If so what pam module are you using? Nigel. -- [ Nigel Metheringham Nigel.Metheringham at InTechnology.co.uk ] [ Phone: +44 1423 850000 Fax +44 1423 858866 ] [ - Comments in this message are my own and not ITO opinion/policy - ] From mouring at etoh.eviladmin.org Thu Mar 22 00:44:13 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 21 Mar 2001 07:44:13 -0600 (CST) Subject: openSSH 2.5.2 and S/Key support In-Reply-To: <20010321095753.C15601@greenie.muc.de> Message-ID: On Wed, 21 Mar 2001, Gert Doering wrote: > Hi, > > On Tue, Mar 20, 2001 at 07:46:21PM -0500, Ernest L. Williams Jr. wrote: > > I am trying to use/install openSSH 2.5.2p1 with S/Key support. The > > recommended libraries come from the following site: > > http://www.sparc.spb.su/solaris/skey/ > > Works for me. > My only complaint is I wish that the maintainer of the S/Key package was a bit more responsive. I never heard back from him in regards to a few changes to improve the build process. - Ben From tim at multitalents.net Thu Mar 22 02:57:26 2001 
From: tim at multitalents.net (Tim Rice) Date: Wed, 21 Mar 2001 07:57:26 -0800 (PST) Subject: Test snapshots In-Reply-To: Message-ID: On Wed, 21 Mar 2001, Damien Miller wrote: > On Tue, 20 Mar 2001, Tim Rice wrote: > > > On Wed, 21 Mar 2001, Damien Miller wrote: > > > > > On Tue, 20 Mar 2001, Tim Rice wrote: > > > > > > > Called match(, *., ) > > > > > > This looks wrong - the first argument shold be a char to match. > > Oops, sorry. It's getting late and I used %s where I should have used %c > > No - %s is correct :) > What was I thinking last night? Ah, the perils of trying to go "one last thing" before collapsing into bed. > -d > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From dunlap at apl.washington.edu Thu Mar 22 03:54:21 2001 
From: dunlap at apl.washington.edu (John Dunlap)
Date: Wed, 21 Mar 2001 08:54:21 -0800 (PST)
Subject: Disconnecting: Bad packet length 2056273721.
Message-ID: <200103211654.IAA01398@c572157-a.sttln1.wa.home.com>

OpenSSH-2.5.2.p1 won't connect to OpenSSH-2.5.1p2 using version 2
protocol, quitting with the error message:

[dunlap at tesla dunlap]$ ssh -2 kraken
7a 90 3f 39 37 67 0d 9e ac 43 74 c3 83 83 f5 a2
Disconnecting: Bad packet length 2056273721.

tesla is Linux tesla.apl.washington.edu 2.2.16-3 #1 Mon Jun 19 19:11:44
EDT 2000 i686 unknown Intel RHL6.2 with OpenSSH-2.5.2.p1 compiled from
sources on a machine with all RHL6.2 patches.

kraken is SunOS kraken 5.6 Generic_105181-23 sun4u sparc SUNW,Ultra-5_10
with OpenSSH-2.5.1p2.

This problem does not exist when an OpenSSH-2.5.1p2 client is used from
tesla. Nor does it exist when an OpenSSH-2.5.2.p1 client is used to an
OpenSSH-2.5.1p2 server on RHL6.2.

Here is the result of the faulty (non)connection with full debugging.
Presently I don't have root access to the server machine.

[dunlap at tesla dunlap]$ ssh -v -v -v -2 kraken
OpenSSH_2.5.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: getuid 101 geteuid 0 anon 1
debug1: Connecting to kraken [128.95.97.25] port 22.
debug1: Connection established.
debug1: identity file /home/dunlap/.ssh/identity type 0
debug1: unknown identity file /home/dunlap/.ssh/id_dsa
debug1: identity file /home/dunlap/.ssh/id_dsa type -1
debug1: unknown identity file /home/dunlap/.ssh/id_rsa1
debug1: identity file /home/dunlap/.ssh/id_rsa1 type -1
debug1: unknown identity file /home/dunlap/.ssh/id_rsa2
debug1: identity file /home/dunlap/.ssh/id_rsa2 type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.1p1
debug1: match: OpenSSH_2.5.1p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.5.2p1
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug1: got kexinit: ssh-dss
debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: none,zlib
debug1: got kexinit: none,zlib
debug1: got kexinit:
debug1: got kexinit:
debug1: first kex follow: 0
debug1: reserved: 0
debug1: done
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: Sending SSH2_MSG_KEX_DH_GEX_REQUEST.
debug1: Wait SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: Got SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: dh_gen_key: priv key bits set: 123/256
debug1: bits set: 1010/2049
debug1: Sending SSH2_MSG_KEX_DH_GEX_INIT.
debug1: Wait SSH2_MSG_KEX_DH_GEX_REPLY.
debug1: Got SSH2_MSG_KEXDH_REPLY.
debug1: Host 'kraken' is known and matches the DSA host key.
debug1: Found key in /home/dunlap/.ssh/known_hosts2:4
debug1: bits set: 1034/2049
debug1: len 55 datafellows 0
debug1: ssh_dss_verify: signature correct
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: send SSH2_MSG_SERVICE_REQUEST
de 58 63 8c 67 dd 9d 26 c2 f9 23 84 80 d0 94 0b
Disconnecting: Bad packet length -564632692.
debug1: Calling cleanup 0x805e31c(0x0)

--
John Dunlap                              University of Washington
Senior Electrical Engineer               Applied Physics Laboratory
dunlap at apl.washington.edu             1013 NE 40th Street
206-543-7207, 543-1300, FAX 543-6785     Seattle, WA 98105-6698

From mouring at etoh.eviladmin.org Thu Mar 22 04:37:36 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 21 Mar 2001 11:37:36 -0600 (CST)
Subject: Disconnecting: Bad packet length 2056273721.
In-Reply-To: <200103211654.IAA01398@c572157-a.sttln1.wa.home.com>

This is a known issue with 2.5.1p2 and below. AES encryption did not handle little vs big endian correctly. Please use another encryption like Blowfish or upgrade the box in question to 2.5.2.

- Ben

On Wed, 21 Mar 2001, John Dunlap wrote:

> OpenSSH-2.5.2.p1 won't connect to OpenSSH-2.5.1p2 using
> version 2 protocol, quitting with the error message:
>
> [dunlap at tesla dunlap]$ ssh -2 kraken
> 7a 90 3f 39 37 67 0d 9e ac 43 74 c3 83 83 f5 a2
> Disconnecting: Bad packet length 2056273721.
>
>
> tesla is Linux tesla.apl.washington.edu 2.2.16-3 #1 Mon Jun 19
> 19:11:44 EDT 2000 i686 unknown Intel RHL6.2 with OpenSSH-2.5.2.p1
> compiled from sources on machine with all RHL6.2 patches. kraken is
> SunOS kraken 5.6 Generic_105181-23 sun4u sparc SUNW,Ultra-5_10 with
> OpenSSH-2.5.1p2. This problem does not exist when an OpenSSH-2.5.1p2
> client is used from tesla. Nor does it exist when OpenSSH-2.5.2.p1
> client is used to an OpenSSH-2.5.1p2 server on RHL6.2.
>
> Here is the result of the faulty (non)connection with full debugging.
> Presently I don't have root access to the server machine.
>
> [dunlap at tesla dunlap]$ ssh -v -v -v -2 kraken
> OpenSSH_2.5.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
> debug1: Seeding random number generator
> debug1: Rhosts Authentication disabled, originating port will not be trusted.
> debug1: ssh_connect: getuid 101 geteuid 0 anon 1
> debug1: Connecting to kraken [128.95.97.25] port 22.
> debug1: Connection established.
> debug1: identity file /home/dunlap/.ssh/identity type 0
> debug1: unknown identity file /home/dunlap/.ssh/id_dsa
> debug1: identity file /home/dunlap/.ssh/id_dsa type -1
> debug1: unknown identity file /home/dunlap/.ssh/id_rsa1
> debug1: identity file /home/dunlap/.ssh/id_rsa1 type -1
> debug1: unknown identity file /home/dunlap/.ssh/id_rsa2
> debug1: identity file /home/dunlap/.ssh/id_rsa2 type -1
> debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.1p1
> debug1: match: OpenSSH_2.5.1p1 pat ^OpenSSH
> Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_2.5.2p1
> debug1: send KEXINIT
> debug1: done
> debug1: wait KEXINIT
> debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug1: got kexinit: ssh-dss
> debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
> debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
> debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug1: got kexinit: none,zlib
> debug1: got kexinit: none,zlib
> debug1: got kexinit:
> debug1: got kexinit:
> debug1: first kex follow: 0
> debug1: reserved: 0
> debug1: done
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: Sending SSH2_MSG_KEX_DH_GEX_REQUEST.
> debug1: Wait SSH2_MSG_KEX_DH_GEX_GROUP.
> debug1: Got SSH2_MSG_KEX_DH_GEX_GROUP.
> debug1: dh_gen_key: priv key bits set: 123/256
> debug1: bits set: 1010/2049
> debug1: Sending SSH2_MSG_KEX_DH_GEX_INIT.
> debug1: Wait SSH2_MSG_KEX_DH_GEX_REPLY.
> debug1: Got SSH2_MSG_KEXDH_REPLY.
> debug1: Host 'kraken' is known and matches the DSA host key.
> debug1: Found key in /home/dunlap/.ssh/known_hosts2:4
> debug1: bits set: 1034/2049
> debug1: len 55 datafellows 0
> debug1: ssh_dss_verify: signature correct
> debug1: Wait SSH2_MSG_NEWKEYS.
> debug1: GOT SSH2_MSG_NEWKEYS.
> debug1: send SSH2_MSG_NEWKEYS.
> debug1: done: send SSH2_MSG_NEWKEYS.
> debug1: done: KEX2.
> debug1: send SSH2_MSG_SERVICE_REQUEST
> de 58 63 8c 67 dd 9d 26 c2 f9 23 84 80 d0 94 0b
> Disconnecting: Bad packet length -564632692.
> debug1: Calling cleanup 0x805e31c(0x0)
>
>
> --
> John Dunlap                              University of Washington
> Senior Electrical Engineer               Applied Physics Laboratory
> dunlap at apl.washington.edu             1013 NE 40th Street
> 206-543-7207, 543-1300, FAX 543-6785     Seattle, WA 98105-6698
>
>

From ddutta at usc.edu Thu Mar 22 05:43:05 2001
From: ddutta at usc.edu (Debojyoti Dutta)
Date: Wed, 21 Mar 2001 10:43:05 -0800 (PST)
Subject: SSH doesnt let me login (fwd)

So what are the features that are used to build the rpm? Maybe someone could add that to the faq list. I had to use the source distribution because I couldn't find an rpm for openssl.

regards
debo

On Wed, 21 Mar 2001, Pekka Savola wrote:

>
> This is caused by the fact that you're using MD5 passwords (use
> --with-md5-passwords if you don't want to use PAM) and you haven't enabled
> PAM (--with-pam).
>
> As a rule, I should say that you should use the RPM's unless you know what
> you're doing. ./configure --help gives some pointers.
>
> -- 8<---
> Hi
>
> I installed openssh and I tried to log into my machine from another
> machine. It says permission denied even though I have given the correct
> passwd. I built openssh from the sources on a PIII box running redhat6.2
>
> I installed openssh removing my ssh.com's ssh in the hope that it will
> work fine too
>
> Please help
> Debo
>
> --
> Pekka Savola                 "Tell me of difficulties surmounted,
> Netcore Oy                    not those you stumble over and fall"
> Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
>

From pekkas at netcore.fi Thu Mar 22 06:00:43 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 21 Mar 2001 21:00:43 +0200 (EET)
Subject: SSH doesnt let me login (fwd)

On Wed, 21 Mar 2001, Debojyoti Dutta wrote:

> so what are the features that are used to build the rpm. maybe someone
> could add that in the faq list. i had to use the source distribution
> because i couldnt find a rpm for openssl.

Use the Source, Luke. :-) All the relevant information is available at contrib/redhat/openssh.spec.

OpenSSL is available at e.g. Red Hat's errata pages for RHL62. Damien Miller has also made these available.

> > This is caused by the fact that you're using MD5 passwords (use
> > --with-md5-passwords if you don't want to use PAM) and you haven't enabled
> > PAM (--with-pam).
> >
> > As a rule, I should say that you should use the RPM's unless you know what
> > you're doing. ./configure --help gives some pointers.
> >
> > -- 8<---
> > Hi
> >
> > I installed openssh and i tried to log into my machine from another
> > machine. It says permission denied even though I have given the correct
> > passwd. I built openssh from the sources on a PIII box running redhat6.2
> >
> > I installed openssh removing my ssh.com's ssh in the hope that it will
> > work fine too
> >
> > Please help
> > Debo
> >
> > --
> > Pekka Savola                 "Tell me of difficulties surmounted,
> > Netcore Oy                    not those you stumble over and fall"
> > Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
> >
>

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

From mouring at etoh.eviladmin.org Thu Mar 22 06:03:33 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 21 Mar 2001 13:03:33 -0600 (CST)
Subject: SSH doesnt let me login (fwd)

On Wed, 21 Mar 2001, Pekka Savola wrote:

> On Wed, 21 Mar 2001, Debojyoti Dutta wrote:
>
> > so what are the features that are used to build the rpm. maybe someone
> > could add that in the faq list. i had to use the source distribution
> > because i couldnt find a rpm for openssl.
>
> Use the Source, Luke. :-) All the relevant information is available at
> contrib/redhat/openssh.spec.
>
> OpenSSL is available at e.g. Red Hat's errata pages for RHL62. Also,
> Damien Miller has also made these available.
>

Also OpenSSL RPMs can be found on www.openssl.org

- Ben

From ddutta at usc.edu Thu Mar 22 06:08:46 2001
From: ddutta at usc.edu (Debojyoti Dutta)
Date: Wed, 21 Mar 2001 11:08:46 -0800 (PST)
Subject: SSH doesnt let me login (fwd)

Thanks a lot for the help and suggestions. I am new to security stuff. Could you please let me know the options that I need to turn on when I compile openssh. I am more comfortable with compiling from source since it will help me to select my installation directories etc.

Debo

On Wed, 21 Mar 2001, Pekka Savola wrote:

> On Wed, 21 Mar 2001, Debojyoti Dutta wrote:
>
> > so what are the features that are used to build the rpm. maybe someone
> > could add that in the faq list. i had to use the source distribution
> > because i couldnt find a rpm for openssl.
>
> Use the Source, Luke. :-) All the relevant information is available at
> contrib/redhat/openssh.spec.
>
> OpenSSL is available at e.g. Red Hat's errata pages for RHL62. Also,
> Damien Miller has also made these available.
>
> > > This is caused by the fact that you're using MD5 passwords (use
> > > --with-md5-passwords if you don't want to use PAM) and you haven't enabled
> > > PAM (--with-pam).
> > >
> > > As a rule, I should say that you should use the RPM's unless you know what
> > > you're doing. ./configure --help gives some pointers.
> > >
> > > -- 8<---
> > > Hi
> > >
> > > I installed openssh and i tried to log into my machine from another
> > > machine. It says permission denied even though I have given the correct
> > > passwd. I built openssh from the sources on a PIII box running redhat6.2
> > >
> > > I installed openssh removing my ssh.com's ssh in the hope that it will
> > > work fine too
> > >
> > > Please help
> > > Debo
> > >
> > > --
> > > Pekka Savola                 "Tell me of difficulties surmounted,
> > > Netcore Oy                    not those you stumble over and fall"
> > > Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
> > >
>
> --
> Pekka Savola                 "Tell me of difficulties surmounted,
> Netcore Oy                    not those you stumble over and fall"
> Systems.
> Networks. Security.  -- Robert Jordan: A Crown of Swords
>

From ddutta at usc.edu Thu Mar 22 07:12:16 2001
From: ddutta at usc.edu (Debojyoti Dutta)
Date: Wed, 21 Mar 2001 12:12:16 -0800 (PST)
Subject: SSH doesnt let me login (fwd)

OK. So I installed the RPMs as people advised. By mistake I used --force while installing the rpms. Now, ssh runs properly ... it seems to be using the old ssh keys. When I do a key-gen, it crashes

------
[root at tea /root]# ssh-keygen -t rsa1 -f /etc/ssh_host_key -N ""
Generating public/private rsa1 key pair.
/etc/ssh_host_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh_host_key.
Segmentation fault
[root at tea /root]#
------

Debo

On Wed, 21 Mar 2001 mouring at etoh.eviladmin.org wrote:

>
>
> On Wed, 21 Mar 2001, Pekka Savola wrote:
>
> > On Wed, 21 Mar 2001, Debojyoti Dutta wrote:
> >
> > > so what are the features that are used to build the rpm. maybe someone
> > > could add that in the faq list. i had to use the source distribution
> > > because i couldnt find a rpm for openssl.
> >
> > Use the Source, Luke. :-) All the relevant information is available at
> > contrib/redhat/openssh.spec.
> >
> > OpenSSL is available at e.g. Red Hat's errata pages for RHL62. Also,
> > Damien Miller has also made these available.
> >
>
> Also OpenSSL RPMs can be found on www.openssl.org
>
> - Ben
>

From pekkas at netcore.fi Thu Mar 22 07:57:31 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 21 Mar 2001 22:57:31 +0200 (EET)
Subject: SSH doesnt let me login (fwd)

On Wed, 21 Mar 2001, Debojyoti Dutta wrote:

> OK. So I installed the RPMs as people advised. By mistake I used --force
> while installing the rpms. Now, ssh runs properly ... it seems to be using
> the old ssh keys. When I do a key-gen, it crashes
>
> ------
> [root at tea /root]# ssh-keygen -t rsa1 -f /etc/ssh_host_key -N ""
> Generating public/private rsa1 key pair.
> /etc/ssh_host_key already exists.
> Overwrite (y/n)? y
> Your identification has been saved in /etc/ssh_host_key.
> Segmentation fault
> [root at tea /root]#
> ------

Very probably the error you skipped with --force was caused by a mismatching OpenSSL version. These exist for a reason, you know.

>
> Debo
>
> On Wed, 21 Mar 2001 mouring at etoh.eviladmin.org wrote:
>
> >
> >
> > On Wed, 21 Mar 2001, Pekka Savola wrote:
> >
> > > On Wed, 21 Mar 2001, Debojyoti Dutta wrote:
> > >
> > > > so what are the features that are used to build the rpm. maybe someone
> > > > could add that in the faq list. i had to use the source distribution
> > > > because i couldnt find a rpm for openssl.
> > >
> > > Use the Source, Luke. :-) All the relevant information is available at
> > > contrib/redhat/openssh.spec.
> > >
> > > OpenSSL is available at e.g. Red Hat's errata pages for RHL62. Also,
> > > Damien Miller has also made these available.
> > >
> >
> > Also OpenSSL RPMs can be found on www.openssl.org
> >
> > - Ben
> >
>

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

From ddutta at usc.edu Thu Mar 22 08:02:58 2001
From: ddutta at usc.edu (Debojyoti Dutta)
Date: Wed, 21 Mar 2001 13:02:58 -0800 (PST)
Subject: SSH doesnt let me login (fwd)

You are right, first I installed openssl-0.9.6 ... yet ssh wouldn't install. Hence I installed openssl-0.9.5 and others using --force. Is there anything I could do to rectify the situation?

Regards
Debo

On Wed, 21 Mar 2001, Pekka Savola wrote:

> On Wed, 21 Mar 2001, Debojyoti Dutta wrote:
>
> > OK. So I installed the RPMs as people advised. By mistake I used --force
> > while installing the rpms. Now, ssh runs properly ... it seems to be using
> > the old ssh keys. When I do a key-gen, it crashes
> >
> > ------
> > [root at tea /root]# ssh-keygen -t rsa1 -f /etc/ssh_host_key -N ""
> > Generating public/private rsa1 key pair.
> > /etc/ssh_host_key already exists.
> > Overwrite (y/n)? y
> > Your identification has been saved in /etc/ssh_host_key.
> > Segmentation fault
> > [root at tea /root]#
> > ------
>
> Very probably the error you skipped with --force was caused by mismatching
> OpenSSL version. These exist for a reason, you know.
>
> >
> > Debo
> >
> > On Wed, 21 Mar 2001 mouring at etoh.eviladmin.org wrote:
> >
> > >
> > >
> > > On Wed, 21 Mar 2001, Pekka Savola wrote:
> > >
> > > > On Wed, 21 Mar 2001, Debojyoti Dutta wrote:
> > > >
> > > > > so what are the features that are used to build the rpm. maybe someone
> > > > > could add that in the faq list. i had to use the source distribution
> > > > > because i couldnt find a rpm for openssl.
> > > >
> > > > Use the Source, Luke. :-) All the relevant information is available at
> > > > contrib/redhat/openssh.spec.
> > > >
> > > > OpenSSL is available at e.g. Red Hat's errata pages for RHL62. Also,
> > > > Damien Miller has also made these available.
> > > >
> > >
> > > Also OpenSSL RPMs can be found on www.openssl.org
> > >
> > > - Ben
> > >
> >
>
> --
> Pekka Savola                 "Tell me of difficulties surmounted,
> Netcore Oy                    not those you stumble over and fall"
> Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
>

From djm at mindrot.org Thu Mar 22 09:02:34 2001
From: djm at mindrot.org (Damien Miller)
Date: Thu, 22 Mar 2001 09:02:34 +1100 (EST)
Subject: Challenge response authentication and PAM

On Wed, 21 Mar 2001, Nigel Metheringham wrote:

> As an experiment I set up Challenge/response authentication on a Linux
> system with PAM using a pam_opie module (this module works fine with
> console logins and su).
>
> I can log into the box using the opie password, *but* it does not give
> me the challenge - which can make things a little tricky :-)
>
> I can well believe this might be a fault in the PAM pam_opie module I
> am using, so has anyone got Challenge/Response authentication working
> under PAM and with the challenge being given? If so what pam module
> are you using?

Try putting

ChallengeResponseAuthentication yes

in the server config and

Protocol 2
PreferredAuthentications publickey, keyboard-interactive, password

in the client config.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From gert at greenie.muc.de Thu Mar 22 09:44:46 2001
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 21 Mar 2001 23:44:46 +0100
Subject: Tru64 UNIX SIA in 2.5.2p1 is hosed (still)
In-Reply-To: ; from Damien Miller on Wed, Mar 21, 2001 at 04:12:47PM +1100
References: <200103210451.f2L4pIx25127@ariel.ucs.unimelb.edu.au>
Message-ID: <20010321234446.E28099@greenie.muc.de>

Hi,

On Wed, Mar 21, 2001 at 04:12:47PM +1100, Damien Miller wrote:
> I am pretty sure it fixes AIX as well, but the manpage that Gert sent to
> the list was a little ambiguous - only saying that TTY should be "null"
> in the cases where no tty is present. Perhaps an AIX guru could enlighten
> us here?

I'll test that again on Friday.

As far as I can see, if we have no TTY, it's legal to put "TTY=\0" in there - this is what I get if I print out the "UsrInfo" stuff when doing an "rsh targetmachine":

gd at hostA:/home/gd> rsh localhost ./ui
UsrInfo (27 bytes)...
NAME=root
TTY=
LOGNAME=gd

Actually, I have *no* idea why "NAME=root" is in there - when I do a normal rlogin/telnet, it looks like this (for both):

gd at hostA:/home/gd> ./ui
UsrInfo (35 bytes)...
LOGNAME=gd
NAME=gd
TTY=/dev/pts/1

-> so what we do should be fine.

>                cp = xmalloc(22 + strlen(s->tty) +
>                    2 * strlen(pw->pw_name));
>                i = sprintf(cp, "LOGNAME=%s%cNAME=%s%cTTY=%s%c%c",
> -                  pw->pw_name, 0, pw->pw_name, 0, s->tty, 0,0);
> +                  pw->pw_name, 0, pw->pw_name, 0,
> +                  s->ttyfd == -1 ? "" : s->tty, 0,0);

What I'm not sure here: what will strlen(s->tty) be if s->ttyfd is -1? Will it be "crash" or just "something > 0" (which would be fine)?

gert

--
USENET is *not* the non-clickable part of WWW!
                                                          //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From djm at mindrot.org Thu Mar 22 09:56:24 2001
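Review bot: in the quoted hunk the xmalloc size still calls strlen(s->tty) unconditionally while the sprintf substitutes "" when s->ttyfd == -1, so the allocation and the formatted output are derived from different strings and the size depends on whatever s->tty holds when no tty was allocated, which is exactly the strlen question raised right after the hunk. Hoisting the choice into one local, `const char *tty = s->ttyfd == -1 ? "" : s->tty;`, and using `tty` in both the xmalloc arithmetic and the sprintf keeps the two consistent and never reads s->tty without a tty.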
From: djm at mindrot.org (Damien Miller)
Date: Thu, 22 Mar 2001 09:56:24 +1100 (EST)
Subject: Tru64 UNIX SIA in 2.5.2p1 is hosed (still)
In-Reply-To: <20010321234446.E28099@greenie.muc.de>

On Wed, 21 Mar 2001, Gert Doering wrote:

> -> so what we do should be fine.
>
> >                cp = xmalloc(22 + strlen(s->tty) +
> >                    2 * strlen(pw->pw_name));
> >                i = sprintf(cp, "LOGNAME=%s%cNAME=%s%cTTY=%s%c%c",
> > -                  pw->pw_name, 0, pw->pw_name, 0, s->tty, 0,0);
> > +                  pw->pw_name, 0, pw->pw_name, 0,
> > +                  s->ttyfd == -1 ? "" : s->tty, 0,0);
>
> What I'm not sure here: what will strlen(s->tty) be if s->ttyfd is -1?

Does this work OK (relative to last diff):

Index: session.c
===================================================================
RCS file: /var/cvs/openssh/session.c,v
retrieving revision 1.94
diff -u -r1.94 session.c
--- session.c	2001/03/21 05:13:03	1.94
+++ session.c	2001/03/21 22:55:09
@@ -1134,11 +1134,12 @@
 		 * other stuff is stored - a few applications
 		 * actually use this and die if it's not set
 		 */
+		if (s->ttyfd == -1)
+			s->tty[0] = '\0';
 		cp = xmalloc(22 + strlen(s->tty) +
 		    2 * strlen(pw->pw_name));
 		i = sprintf(cp, "LOGNAME=%s%cNAME=%s%cTTY=%s%c%c",
-		    pw->pw_name, 0, pw->pw_name, 0,
-		    s->ttyfd == -1 ? "" : s->tty, 0,0);
+		    pw->pw_name, 0, pw->pw_name, 0, s->tty, 0, 0);
 		if (usrinfo(SETUINFO, cp, i) == -1)
 			fatal("Couldn't set usrinfo: %s", strerror(errno));

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From dankamin at cisco.com Thu Mar 22 12:49:04 2001
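Review bot: the new `s->tty[0] = '\0';` in the hunk is only valid if s->tty is an array embedded in the Session struct rather than a pointer, and nothing in the hunk shows which; if it is a pointer that can be NULL when no pty was allocated, this line dereferences it. Assuming an array, the reset now precedes the xmalloc, so strlen(s->tty) is 0 in the no-tty case and the question in the quoted reply is answered. The allocation of 22 + strlen(s->tty) + 2 * strlen(pw->pw_name) is exactly the 21 formatted bytes plus sprintf's trailing NUL with no slack, so an snprintf bounded by that same expression in place of the unbounded sprintf would document the arithmetic rather than assume it.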
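As an added illustration of the UsrInfo layout Gert printed above and the no-tty case the two patches wrestle with (example code, not OpenSSH's; the struct and function names are hypothetical), the block below builds the same LOGNAME/NAME/TTY string with the tty choice made once, so the allocation and the formatted bytes cannot disagree, and parses it back the way a consumer of usrinfo() would:

```c
/*
 * Added example, not OpenSSH code: build the AIX usrinfo(SETUINFO) block
 * that session.c composes ("LOGNAME=x\0NAME=x\0TTY=y\0\0") with the
 * no-tty choice made once, so the allocation size and the formatted bytes
 * are derived from the same string.  usrinfo() itself is AIX-only, so a
 * small lookup routine stands in for the consumer and checks the layout.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the two Session fields the real code uses. */
struct session_info {
    int  ttyfd;     /* -1 when no pty was allocated */
    char tty[64];   /* pty name when ttyfd != -1, otherwise not meaningful */
};

/*
 * Returns a malloc'd block and stores its total length, including the
 * final empty string, in *len_out.  Returns NULL on allocation failure.
 */
char *build_usrinfo(const char *login, const struct session_info *s,
                    size_t *len_out)
{
    /* Decide once; s->tty is never read unless a tty really exists. */
    const char *tty = (s->ttyfd == -1) ? "" : s->tty;

    /* "LOGNAME=" + "NAME=" + "TTY=" is 17 bytes; four NULs follow:
     * three string terminators plus the empty string that ends the block. */
    size_t len = 17 + 2 * strlen(login) + strlen(tty) + 4;
    char *cp = malloc(len);
    size_t off = 0;

    if (cp == NULL)
        return NULL;
    /* Each snprintf writes its own NUL; the "+ 1" keeps it as separator. */
    off += (size_t)snprintf(cp + off, len - off, "LOGNAME=%s", login) + 1;
    off += (size_t)snprintf(cp + off, len - off, "NAME=%s", login) + 1;
    off += (size_t)snprintf(cp + off, len - off, "TTY=%s", tty) + 1;
    cp[off++] = '\0';           /* empty string terminates the block */
    *len_out = off;             /* always equals len */
    return cp;
}

/*
 * Find KEY= in a usrinfo block of len bytes.  Copies the value into out
 * and returns 1, or returns 0 when the key is absent.
 */
int usrinfo_lookup(const char *blk, size_t len, const char *key,
                   char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = blk, *end = blk + len;

    while (p < end && *p != '\0') {          /* empty string ends the block */
        const char *nul = memchr(p, '\0', (size_t)(end - p));
        size_t slen = nul ? (size_t)(nul - p) : (size_t)(end - p);

        if (slen > klen && memcmp(p, key, klen) == 0 && p[klen] == '=') {
            snprintf(out, outsz, "%.*s", (int)(slen - klen - 1), p + klen + 1);
            return 1;
        }
        p += slen + 1;
    }
    return 0;
}

int main(void)
{
    struct session_info with_tty = { 0, "/dev/pts/1" };
    struct session_info no_tty = { -1, "" };
    size_t len;
    char val[64];

    /* Gert's rlogin dump: LOGNAME=gd NAME=gd TTY=/dev/pts/1 is 35 bytes. */
    char *blk = build_usrinfo("gd", &with_tty, &len);
    printf("with tty: %zu bytes, TTY=%s\n", len,
           usrinfo_lookup(blk, len, "TTY", val, sizeof val) ? val : "?");
    free(blk);

    blk = build_usrinfo("gd", &no_tty, &len);
    printf("no tty:   %zu bytes, TTY=\"%s\"\n", len,
           usrinfo_lookup(blk, len, "TTY", val, sizeof val) ? val : "?");
    free(blk);
    return 0;
}
```

With login "gd" and tty "/dev/pts/1" the block comes out at 35 bytes, matching the "UsrInfo (35 bytes)" dump in Gert's message.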
From: dankamin at cisco.com (Dan Kaminsky)
Date: Wed, 21 Mar 2001 17:49:04 -0800
Subject: Files? We don't need no steenkin' files.
Message-ID: <00f201c0b272$4a358050$1d6545ab@na.cisco.com>

$ ps -ef | grep sshd
    root   285     1  0   Nov 15 ?        0:03 /usr/local/sbin/sshd
    root 23740   285  0 16:13:18 ?        0:00 /usr/local/sbin/sshd
    root 23875   285  0 16:28:14 ?        0:00 /usr/local/sbin/sshd
    user 23905 23899  0 16:28:31 pts/3    0:00 grep sshd
$ ls /usr/local/sbin
/usr/local/sbin: No such file or directory
$ date
Wed Mar 21 16:28:50 PST 2001
$ telnet 127.0.0.1 22
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
SSH-1.99-OpenSSH_2.2.0p1

[Explanation: Unix loads executables into system memory before running them, so once the process is started--even if it'll eventually fork--the original executable on the file system can be safely modified or destroyed without existing processes or daemons even noticing. There is no time limit to how long a process or a daemon can run straight from memory, and in this case, up to five months went by without any binary existing on the file system. Nobody noticed, of course. OpenSSH just kept chugging along...]

From carl at bl.echidna.id.au Thu Mar 22 12:53:25 2001
From: carl at bl.echidna.id.au (carl at bl.echidna.id.au)
Date: Thu, 22 Mar 2001 12:53:25 +1100 (EST)
Subject: Files? We don't need no steenkin' files.
Message-ID: <200103220153.f2M1rPTX016469@rollcage.bl.echidna.id.au>
> From: "Dan Kaminsky"
>
> $ ps -ef | grep sshd
>     root   285     1  0   Nov 15 ?        0:03 /usr/local/sbin/sshd
>     root 23740   285  0 16:13:18 ?        0:00 /usr/local/sbin/sshd
>     root 23875   285  0 16:28:14 ?        0:00 /usr/local/sbin/sshd
>     user 23905 23899  0 16:28:31 pts/3    0:00 grep sshd
> $ ls /usr/local/sbin
> /usr/local/sbin: No such file or directory
> $ date
> Wed Mar 21 16:28:50 PST 2001
> $ telnet 127.0.0.1 22
> Trying 127.0.0.1...
> Connected to 127.0.0.1.
> Escape character is '^]'.
> SSH-1.99-OpenSSH_2.2.0p1
>
> [Explanation: Unix loads executables into system memory before running
> them, so once the process is started--even if it'll eventually fork--the
> original executable on the file system can be safely modified or destroyed
> without existing processes or daemons even noticing. There is no time limit
> to how long a process or a daemon can run straight from memory, and in this
> case, up to five months went by without any binary existing on the file
> system.

Explanation 2: UNIX doesn't unmap inodes until all references to them are gone. "rm" a file, but something still has it open, and the directory entry is gone, but the file isn't.

From tim at multitalents.net Thu Mar 22 15:31:08 2001
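An added defender-side check for the situation Dan and Carl describe, a daemon still running after its binary was unlinked (example code, not from either post; Linux-specific, since it relies on the " (deleted)" marker the kernel appends to the target of a /proc/PID/exe link once the inode has no directory entry left):

```c
/*
 * Added example, not from the thread: find processes whose executable has
 * been removed from the file system.  Linux-specific: readlink() on
 * /proc/PID/exe returns the original path with " (deleted)" appended when
 * the directory entry is gone but the inode is still mapped by the process,
 * which is exactly Carl's "the directory entry is gone, but the file isn't".
 */
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DELETED_SUFFIX " (deleted)"

/*
 * Given a readlink() result for /proc/PID/exe, return 1 when it carries the
 * deleted marker and copy the original path (marker stripped) into path.
 * Returns 0 for a live executable.
 */
int exe_link_is_deleted(const char *target, char *path, size_t pathsz)
{
    size_t tlen = strlen(target), slen = strlen(DELETED_SUFFIX);

    if (tlen <= slen || strcmp(target + tlen - slen, DELETED_SUFFIX) != 0)
        return 0;
    snprintf(path, pathsz, "%.*s", (int)(tlen - slen), target);
    return 1;
}

/* True when the name is made only of decimal digits, i.e. a PID entry. */
static int is_pid_name(const char *name)
{
    if (*name == '\0')
        return 0;
    for (; *name; name++)
        if (*name < '0' || *name > '9')
            return 0;
    return 1;
}

/*
 * Walk /proc and report every process whose executable has been unlinked.
 * Returns the number found, or -1 if /proc cannot be read.  Entries whose
 * exe link is unreadable (other users' processes, kernel threads) are skipped.
 */
int scan_deleted_exes(FILE *out)
{
    DIR *proc = opendir("/proc");
    struct dirent *de;
    int found = 0;

    if (proc == NULL)
        return -1;
    while ((de = readdir(proc)) != NULL) {
        char link[64], target[4096], path[4096];
        ssize_t n;

        if (!is_pid_name(de->d_name))
            continue;
        snprintf(link, sizeof link, "/proc/%s/exe", de->d_name);
        n = readlink(link, target, sizeof target - 1);
        if (n < 0)
            continue;                 /* permission denied or kernel thread */
        target[n] = '\0';
        if (exe_link_is_deleted(target, path, sizeof path)) {
            found++;
            if (out != NULL)
                fprintf(out, "pid %s runs from unlinked binary %s\n",
                        de->d_name, path);
        }
    }
    closedir(proc);
    return found;
}

int main(void)
{
    int n = scan_deleted_exes(stdout);

    if (n < 0) {
        perror("/proc");
        return 1;
    }
    printf("%d process(es) running from a deleted executable\n", n);
    return 0;
}
```

Run as root to see all processes; an unprivileged run only reports the caller's own, because other users' /proc/PID/exe links are not readable.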
From: tim at multitalents.net (Tim Rice)
Date: Wed, 21 Mar 2001 20:31:08 -0800 (PST)
Subject: Test snapshots

I added/enhanced some fprintf statements.

This one (linux) works.

sftp> get *.txt
debug3: Looking up /home2/tim/tmp/*.txt
in openbsd-compat glob(/home2/tim/tmp/*.txt, .........)
in openbsd-compat glob0(/, ......)
in openbsd-compat globtilde(/, , 4096, ........)
in openbsd-compat glob1(/, ......)
in openbsd-compat glob2(, , /, ..........)
in openbsd-compat glob3(/, *., *., , ..........)
in openbsd-compat g_opendir(/, .......)
in openbsd-compat g_Ctoc(/, )
debug3: Sending SSH2_FXP_READDIR I:5
debug3: Received reply T:104 I:5
debug3: Received 6 SSH2_FXP_NAME responses
debug3: Sending SSH2_FXP_READDIR I:6
debug3: Received reply T:101 I:6
debug3: Received SSH2_FXP_STATUS 1
debug3: Sent message SSH2_FXP_CLOSE I:7
debug3: SSH2_FXP_STATUS 0
glob3 readdirfunc = pglob->gl_readdir
in openbsd-compat glob3 pre copy to pathend dp->d_name: auth.txt, pathend:
in openbsd-compat glob3 about to call match dp->d_name: auth.txt, pathend: a
Called match(a, *., )
Called match(a, ., )
match() returning 0
Called match(u, ., )

-----------------------------------------------------------------------
This one (UnixWare 7.1.0) doesn't

sftp> get *.txt
debug3: Looking up /home2/tim/tmp/*.txt
in openbsd-compat glob(/home2/tim/tmp/*.txt, .........)
in openbsd-compat glob0(/, ......)
in openbsd-compat globtilde(/, , 1025, ........)
in openbsd-compat glob1(/, ......)
in openbsd-compat glob2(, , /, ..........)
in openbsd-compat glob3(/, *., *., , ..........)
in openbsd-compat g_opendir(/, .......)
in openbsd-compat g_Ctoc(/, )
debug3: Sending SSH2_FXP_READDIR I:5
debug3: Received reply T:104 I:5
debug3: Received 6 SSH2_FXP_NAME responses
debug3: Sending SSH2_FXP_READDIR I:6
debug3: Received reply T:101 I:6
debug3: Received SSH2_FXP_STATUS 1
debug3: Sent message SSH2_FXP_CLOSE I:7
debug3: SSH2_FXP_STATUS 0
glob3 readdirfunc = pglob->gl_readdir
in openbsd-compat glob3 pre copy to pathend dp->d_name: , pathend:
in openbsd-compat glob3 about to call match dp->d_name: , pathend:
Called match(, *., )
Called match(, ., )
match() returning 0
match() returning 0

I'll try to dig deeper in a couple of weeks.

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From Nigel.Metheringham at InTechnology.co.uk Thu Mar 22 20:28:13 2001
From: Nigel.Metheringham at InTechnology.co.uk (Nigel Metheringham)
Date: Thu, 22 Mar 2001 09:28:13 +0000
Subject: Challenge response authentication and PAM
In-Reply-To: Message from Damien Miller of "Thu, 22 Mar 2001 09:02:34 +1100."

Hi Damien,

djm at mindrot.org said:
> ChallengeResponseAuthentication yes
> in the server config and
> Protocol 2
> PreferredAuthentications publickey, keyboard-interactive, password
> in the client config.

I must have expressed my question wrongly so getting you to grab the wrong end of the stick :-)

I have the openssh part of the configuration apparently correct, and when I ssh to an appropriately set up account I get

% ssh host
Response:

If I put the right response in it logs me in quite happily. However I am not getting the Challenge displayed to me.... which could well be down to the PAM module implementation as all the pam_opie modules I see appear to be quick hacks from people feeling their way round the PAM code.

Anyone got a fully working pam_opie/pam_skey implementation they wish to point me at?

Nigel.

--
[ Nigel Metheringham           Nigel.Metheringham at InTechnology.co.uk ]
[ Phone: +44 1423 850000                         Fax +44 1423 858866 ]
[ - Comments in this message are my own and not ITO opinion/policy - ]

From djm at mindrot.org Thu Mar 22 21:27:33 2001
From: djm at mindrot.org (Damien Miller)
Date: Thu, 22 Mar 2001 21:27:33 +1100 (EST)
Subject: Challenge response authentication and PAM

On Thu, 22 Mar 2001, Nigel Metheringham wrote:

> Hi Damien,
>
> djm at mindrot.org said:
> > ChallengeResponseAuthentication yes
> > in the server config and
> > Protocol 2
> > PreferredAuthentications publickey, keyboard-interactive, password
> > in the client config.
>
> I must have expressed my question wrongly so getting you to grab the
> wrong end of the stick :-)

Or it could be that the kbd-int pam code is incorrect - I haven't tested it with anything more interactive than password auth.

> Anyone got a fully working pam_opie/pam_skey implementation they wish
> to point me at?

If someone can recommend one then I will use it for testing too.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From djm at mindrot.org Thu Mar 22 21:43:56 2001
From: djm at mindrot.org (Damien Miller)
Date: Thu, 22 Mar 2001 21:43:56 +1100 (EST)
Subject: Portable OpenSSH-2.5.2p2

Portable OpenSSH 2.5.2p2 is now available from the mirror sites listed at http://www.openssh.com/portable.html

Security related changes:

Improved countermeasure against "Passive Analysis of SSH (Secure Shell) Traffic"
http://openwall.com/advisories/OW-003-ssh-traffic-analysis.txt
The countermeasures introduced in earlier OpenSSH-2.5.x versions caused interoperability problems with some other implementations.

Improved countermeasure against "SSH protocol 1.5 session key recovery vulnerability"
http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm

New options:

permitopen authorized_keys option to restrict portforwarding.

PreferredAuthentications allows client to specify the order in which authentication methods are tried.

Sftp:

sftp client supports globbing (get *, put *).
Support for sftp protocol v3 (draft-ietf-secsh-filexfer-01.txt).
Batch file (-b) support for automated transfers

Performance:

Speedup DH exchange. OpenSSH should now be significantly faster when connecting using SSH protocol 2.
Preferred SSH protocol 2 cipher is AES with hmac-md5. AES offers much faster throughput in a well scrutinised cipher.

Bugfixes:

stderr handling fixes in SSH protocol 2. Improved interoperability.

Client:

The client no longer asks for the passphrase if the key will not be accepted by the server (SSH2_MSG_USERAUTH_PK_OK)

Miscellaneous:

scp should now work for files > 2GB
ssh-keygen can now generate fingerprints in the "bubble babble" format for exchanging fingerprints with SSH.COM's SSH protocol 2 implementation.

Portable version:

Better support for the PRNGd[1] entropy collection daemon. The --with-egd-pool configure option has been deprecated in favour of --with-prngd-socket and the new --with-prngd-port options. The latter allows collection of entropy from a localhost socket.
  configure ensures that scp is in the $PATH set by the server (unless a
  custom path is specified).

-d

[1] http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From delta at FaVeVe.Uni-Stuttgart.de Thu Mar 22 22:47:18 2001
From: delta at FaVeVe.Uni-Stuttgart.de (Helmut Springer)
Date: Thu, 22 Mar 2001 12:47:18 +0100
Subject: Portable OpenSSH-2.5.2p2
In-Reply-To: ; from djm@mindrot.org on Thu, Mar 22, 2001 at 09:43:56PM +1100
References:
Message-ID: <20010322124718.H29454@faveve.uni-stuttgart.de>

Hi,

On Thu 2001-03-22 (21:43), Damien Miller wrote:
> Portable OpenSSH 2.5.2p2 is now available from the mirror sites
> listed at http://www.openssh.com/portable.html

Have you considered signing the RPMs or adding a signed file with the
md5 checksums of the RPMs to the distribution directory as well?

Thanks, great work,

--
MfG/best regards, helmut springer
Seeing the whites of the enemy's eyes means nothing but standing
patiently in front of the mirror.

From janfrode at parallab.uib.no Thu Mar 22 23:34:50 2001
From: janfrode at parallab.uib.no (Jan-Frode Myklebust)
Date: Thu, 22 Mar 2001 13:34:50 +0100
Subject: Portable OpenSSH-2.5.2p2
In-Reply-To: ; from djm@mindrot.org on Thu, Mar 22, 2001 at 09:43:56PM +1100
References:
Message-ID: <20010322133450.A3408@ii.uib.no>

On Thu, Mar 22, 2001 at 09:43:56PM +1100, Damien Miller wrote:
>
> Sftp:
>   sftp client supports globbing (get *, put *).
>

It globs put, but not get for me:

sftp> put *.res
Uploading bouen100.res to /tmp/bouen100.res
Uploading cdelapp.res to /tmp/cdelapp.res
sftp> get *.res
File "/tmp/*.res" not found.
sftp> get cdelapp.res
Fetching /tmp/cdelapp.res to cdelapp.res
sftp>

OpenSSH configured has been configured with the following options.
  User binaries: /usr/openssh/bin
  System binaries: /usr/openssh/sbin
  Configuration files: /usr/openssh/etc
  Askpass program: /usr/openssh/libexec/ssh-askpass
  Manual pages: /usr/openssh/man/manX
  PID file: /usr/openssh/etc
  sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/openssh/bin
  Random number collection: Builtin (timeout 200)
  Manpage format: cat
  PAM support: no
  KerberosIV support: no
  AFS support: no
  S/KEY support: no
  TCP Wrappers support: yes
  MD5 password support: no
  IP address in $DISPLAY hack: no
  Use IPv4 by default hack: no
  Translate v4 in v6 hack: no

  Host: mips-sgi-irix6.5
  Compiler: cc
  Compiler flags: -g
  Preprocessor flags: -I/usr/local/include -I/usr/local/ssl/include
  Linker flags: -L/usr/local/ssl/lib
  Libraries: -lwrap -lz -lgen -lcrypto

-jf

From Markus.Friedl at informatik.uni-erlangen.de Thu Mar 22 23:37:37 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 22 Mar 2001 13:37:37 +0100
Subject: hosts.equiv (fwd)
Message-ID: <20010322133737.B22275@faui02.informatik.uni-erlangen.de>

is anyone using rhost-rsa + hosts.equiv? is it broken?

-------------- next part --------------
An embedded message was scrubbed...
From: Francesc Guasch
Subject: hosts.equiv
Date: Thu, 22 Mar 2001 12:56:22 +0100
Size: 2614
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010322/ced5a345/attachment.mht

From dusha at dnttm.ru Fri Mar 23 00:53:35 2001
From: dusha at dnttm.ru (Sergei Dushenkov)
Date: Thu, 22 Mar 2001 16:53:35 +0300
Subject: Portable OpenSSH-2.5.2p2
References:
Message-ID: <003f01c0b2d7$804210e0$efda55c2@future>

Hmm...

I've just noticed that rh6.2 rpms have become VERY big with this release...
2.5.2p1 rpms for 6.2 were all near 100 - 150 kb and 2.5.2p2 are near 400 -
700 kb !!!
Rh70 rpms are still near the same size as all previous releases... (100 - 150)

Why did this happen and is it normal???

> Portable OpenSSH 2.5.2p2 is now available from the mirror sites
> listed at http://www.openssh.com/portable.html

From dusha at dnttm.ru Fri Mar 23 00:59:30 2001
From: dusha at dnttm.ru (Sergei Dushenkov)
Date: Thu, 22 Mar 2001 16:59:30 +0300
Subject: P.S. Re: Portable OpenSSH-2.5.2p2
References:
Message-ID: <004301c0b2d8$56c1dec0$efda55c2@future>

I've just rebuilt the source rpm (openssh-2.5.2p2-1.src.rpm) on my RH6.2
system and all rpm sizes are normal:

139765 Mar 22 16:55 openssh-2.5.2p2-1.i386.rpm
 24788 Mar 22 16:55 openssh-askpass-2.5.2p2-1.i386.rpm
  7740 Mar 22 16:55 openssh-askpass-gnome-2.5.2p2-1.i386.rpm
191718 Mar 22 16:55 openssh-clients-2.5.2p2-1.i386.rpm
133307 Mar 22 16:55 openssh-server-2.5.2p2-1.i386.rpm

Looks like the RH62 rpms on the distro site were compiled with some
strange routines...

> Portable OpenSSH 2.5.2p2 is now available from the mirror sites
> listed at http://www.openssh.com/portable.html

From Nigel.Metheringham at intechnology.co.uk Fri Mar 23 01:17:50 2001
From: Nigel.Metheringham at intechnology.co.uk (Nigel Metheringham)
Date: Thu, 22 Mar 2001 14:17:50 +0000
Subject: P.S. Re: Portable OpenSSH-2.5.2p2
In-Reply-To: Your message of "Thu, 22 Mar 2001 16:59:30 +0300." <004301c0b2d8$56c1dec0$efda55c2@future>
Message-ID:

dusha at dnttm.ru said:
> Looks like the RH62 rpms on the distro site were compiled with some
> strange routines...

I would guess they are built with the static openssl support - several
people have had problems with openssh/openssl version skew, and since
there is not a widely distributed openssl with RH doing things this way
is probably better in terms of support.

Nigel.

--
[ Nigel Metheringham           Nigel.Metheringham at InTechnology.co.uk ]
[ Phone: +44 1423 850000                         Fax +44 1423 858866 ]
[ - Comments in this message are my own and not ITO opinion/policy - ]

From deraadt at cvs.openbsd.org Fri Mar 23 02:11:50 2001
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Thu, 22 Mar 2001 08:11:50 -0700
Subject: Portable OpenSSH-2.5.2p2
In-Reply-To: Your message of "Thu, 22 Mar 2001 21:43:56 +1100."
Message-ID: <200103221511.f2MFBpn01804@cvs.openbsd.org>

This is wrong.

> Security related changes:
>   Improved countermeasure against "Passive Analysis of SSH
>   (Secure Shell) Traffic"
>   http://openwall.com/advisories/OW-003-ssh-traffic-analysis.txt
>
>   The countermeasures introduced in earlier OpenSSH-2.5.x versions
>   caused interoperability problems with some other implementations.
>
>   Improved countermeasure against "SSH protocol 1.5 session
>   key recovery vulnerability"
>   http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm

2.5.2 does not really fix security issues in this area; 2.5.1 already
had them fixed. However, it improves the interoperability problems
introduced in fixing them. Which were found because 2.5.1 was released
with fixes... they would not have been found otherwise..

From HHL8 at email.med.yale.edu Fri Mar 23 02:48:47 2001
From: HHL8 at email.med.yale.edu (Helen H. Lee)
Date: Thu, 22 Mar 2001 10:48:47 -0500 (EST)
Subject: installing SSH on LINUX w/ RedHat version 5.2
Message-ID: <985276127.3aba1edf81660@webmail.med.yale.edu>

Hi,

I'd like to install SSH (Secure Shell) on my LINUX machine which has
RedHat version 5.2. Which version of SSH or OpenSSH should I install so
that it'll be compatible with my low OS version of RedHat?

I got to this site:
ftp://ftp.stealth.net/pub/mirrors/ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/

And I am not sure what to download from here. Could you please help me?

Thank you in advance.

Sincerely,
Helen H. Lee
Yale Univ. Class of 2000
HHL8 at email.med.yale.edu
(203)786-3504,(203)924-9498

From olemx at ans.pl Fri Mar 23 04:46:53 2001
From: olemx at ans.pl (Krzysztof Oledzki)
Date: Thu, 22 Mar 2001 18:46:53 +0100 (CET)
Subject: One thing about known_hosts
In-Reply-To:
Message-ID:

Hello,

I have just noticed one nice feature of the OpenSSH known_hosts
implementation. When ssh connects to a new host it adds both the ip and
the name of this host to the known_hosts file in the same line.
Unfortunately, when I execute ssh once again with another name for that
host (for example the fqdn) it creates another entry for that host. Is it
possible to add this name in the same line in case of an ip match?

Best regards,

Krzysztof Oledzki

From ssklar at stanford.edu Fri Mar 23 04:59:06 2001
From: ssklar at stanford.edu (Sandor W. Sklar)
Date: Thu, 22 Mar 2001 09:59:06 -0800
Subject: Portable OpenSSH-2.5.2p2 and AIX
In-Reply-To:
References:
Message-ID:

This release has fixed one of the problems that I wrote about yesterday
(subject = two bugs with aix ... help please!!!): non-interactive
sessions via protocol 1 no longer hang after the completion of the
remote command. Thank you!!!

However, the other problem that I wrote about, the zero-length write,
still exists in all its glory; the patch that I came up with doesn't fix
the problem with this release, and it actually causes the other problem
to reappear. The zero-length write bug hits us pretty hard, as we have
several applications that cause the problem to manifest on a frequent
basis. Can someone at least explain to me what is going on there, and if
possible, suggest a fix?

Thanks,

--Sandy

At 9:43 PM +1100 3/22/01, Damien Miller wrote:
>Portable OpenSSH 2.5.2p2 is now available from the mirror sites
>listed at http://www.openssh.com/portable.html
>

--
sandor w. sklar
unix systems administrator
stanford university itss-css

From gert at greenie.muc.de Fri Mar 23 05:28:20 2001
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 22 Mar 2001 19:28:20 +0100
Subject: hosts.equiv (fwd)
In-Reply-To: <20010322133737.B22275@faui02.informatik.uni-erlangen.de>; from Markus Friedl on Thu, Mar 22, 2001 at 01:37:37PM +0100
References: <20010322133737.B22275@faui02.informatik.uni-erlangen.de>
Message-ID: <20010322192820.A27733@greenie.muc.de>

Hi,

On Thu, Mar 22, 2001 at 01:37:37PM +0100, Markus Friedl wrote:
> is anyone using rhost-rsa + hosts.equiv? is it broken?

I do, on AIX, openssh_cvs, protocol 1 only. Works:

gd at hilb0:/home/gd> /gnulocal/src/openssh_cvs/ssh -v hilb1
OpenSSH_2.5.1p1-GD/PM, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
debug: Reading configuration data /etc/ssh_config
debug: Applying options for *
debug: ssh_connect: getuid 299 geteuid 0 anon 0
debug: Connecting to hilb1 [172.30.1.1] port 22.
debug: Seeding random number generator
debug: Allocated local port 730.
debug: Connection established.
debug: identity file /home/gd/.ssh/identity type 3
debug: identity file /home/gd/.ssh/id_dsa type 3
debug: Remote protocol version 1.5, remote software version OpenSSH_2.5.1p1-GD/PM
debug: match: OpenSSH_2.5.1p1-GD/PM pat ^OpenSSH
debug: Local version string SSH-1.5-OpenSSH_2.5.1p1-GD/PM
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1023 bits).
debug: Host 'hilb1' is known and matches the RSA1 host key.
debug: Found key in /etc/ssh_known_hosts:1
debug: Seeding random number generator
debug: Encryption type: blowfish
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
debug: Remote: Accepted for hilb0.medat.de [172.30.1.8] by /etc/hosts.equiv.
debug: Received RSA challenge for host key from server.
debug: Sending response to host key RSA challenge.
debug: Remote: Rhosts with RSA host authentication accepted.
debug: Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server.
debug: Requesting pty.
debug: Requesting shell.
debug: Entering interactive session.

(the unusual version number is due to local changes, I needed a
different way to do one-time-passwords - hacky, and not for general
consumption).

gert

--
USENET is *not* the non-clickable part of WWW!
                                                  //www.muc.de/~gert/
Gert Doering - Munich, Germany                       gert at greenie.muc.de
fax: +49-89-35655025                 gert.doering at physik.tu-muenchen.de

From GILBERT.R.LOOMIS at saic.com Fri Mar 23 06:30:20 2001
From: GILBERT.R.LOOMIS at saic.com (Loomis, Rip)
Date: Thu, 22 Mar 2001 14:30:20 -0500
Subject: Improper (?) OpenSSL version mismatch (was RE: OpenSSH_2.5.1p1 - RH 6.2)
Message-ID: <791BD3CB503DD411A6510008C7CF647701F40A89@col-581-exs01.cist.saic.com>

Well, I've finally gotten around to compiling
and testing OpenSSH 2.5.2p1, in order to update
the contrib/solaris packaging scripts.

Somehow on my test system, I'm getting errors
that indicate that I've still got some old copy
of OpenSSL being found somewhere...but I can't
for the life of me tell where. The compile went
fine (it found the OpenSSL 0.9.5a libraries that
I had compiled and installed in /usr/local/ssl),
but I get the error below with text indicating
that I've still got some other random version.

The screwy thing is that I'm rather sure that I
don't...in fact, I even downloaded, compiled,
and installed OpenSSL 0.9.6 in hopes that it
would fix it (no joy). Then I did multiple
global finds looking for any crypto or ssl-related
libraries that might have been dangling (no joy).
Finally, I commented out the check in entropy.c
and re-compiled, and ssh/sshd run fine. This
implies to me that the check possibly doesn't work
properly?

Any other hints as to a filename to look for, or
an alternate installation location? It seems
particularly odd to me that the compile runs fine,
but on *the same box* it picks up a different
library version at run-time.

contrib/solaris updates to follow ASAP.

Rip Loomis                    Voice Number: (410) 953-6874
--------------------------------------------------------
Senior Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com

> -----Original Message-----
> From: Damien Miller [mailto:djm at mindrot.org]
> Sent: Monday, February 26, 2001 4:38 PM
> To: mouring at etoh.eviladmin.org
> Cc: Christophe GRENIER; openssh-unix-dev at mindrot.org
> Subject: Re: OpenSSH_2.5.1p1 - RH 6.2
>
>
> On Tue, 27 Feb 2001, Damien Miller wrote:
>
> > How about we put something like:
> >
> > if (SSLeay() != OPENSSL_VERSION_NUMBER)
> >     fatal("OpenSSL version mismatch. Built against %x, you have %x",
> >         OPENSSL_VERSION_NUMBER, SSLeay());
> >
> > at the start of every executable to kill this thing once
> and for all.
>
> I might put this in init_rng() so we get it without any more
> disruption.
>
> -d
>
> --
> | Damien Miller \ ``E-mail attachments are
> the poor man's
> | http://www.mindrot.org / distributed
> filesystem'' - Dan Geer
>
>

From matt at rebelbase.com Fri Mar 23 08:29:57 2001
From: matt at rebelbase.com (Matt Eagleson) Date: Thu, 22 Mar 2001 13:29:57 -0800 Subject: Solaris UseLogin problem Message-ID: <20010322132957.C6801@superpimp.org> I was having problems getting the UseLogin option to work on Solaris. I would recieve this error: No utmpx entry. You must exec "login" from the lowest level "shell". This led me to believe that Solaris login wants a utmpx entry in order to function. I put together a patch that calls record_login on Solaris when using the system login. I also noticed that writing a wtmpx entry was unnecessary in this situation and led to duplicate entries. I tried my best to make this patch not break other systems -- but I may have failed there. I do not claim that this patch is the correct fix, or even a working fix. I am, however, hoping that this may start some discussion that will lead to a clean and proper solution. Thanks, Matt Eagleson -------------- next part -------------- ? patch ? configure ? config.log ? config.h ? config.cache ? config.status ? Makefile ? ssh_prng_cmds ? config.h.in ? sshd_config.out ? ssh_config.out ? primes.out ? sshd ? openbsd-compat/Makefile Index: acconfig.h =================================================================== RCS file: /cvs/openssh_cvs/acconfig.h,v retrieving revision 1.108 diff -u -r1.108 acconfig.h --- acconfig.h 2001/03/17 01:15:38 1.108 +++ acconfig.h 2001/03/22 21:28:01 @@ -169,6 +169,9 @@ /* Define if you want to specify the path to your wtmpx file */ #undef CONF_WTMPX_FILE +/* Some systems need a utmpx entry for /bin/login to work */ +#undef LOGIN_NEEDS_UTMPX + /* Define is libutil has login() function */ #undef HAVE_LIBUTIL_LOGIN Index: configure.in =================================================================== RCS file: /cvs/openssh_cvs/configure.in,v retrieving revision 1.267 diff -u -r1.267 configure.in --- configure.in 2001/03/18 23:09:28 1.267 +++ configure.in 2001/03/22 21:28:01 
@@ -165,6 +165,7 @@ LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib" need_dash_r=1 AC_DEFINE(PAM_SUN_CODEBASE) + AC_DEFINE(LOGIN_NEEDS_UTMPX) # hardwire lastlog location (can't detect it on some versions) conf_lastlog_location="/var/adm/lastlog" AC_MSG_CHECKING(for obsolete utmp and wtmp in solaris2.x) Index: loginrec.c =================================================================== RCS file: /cvs/openssh_cvs/loginrec.c,v retrieving revision 1.32 diff -u -r1.32 loginrec.c --- loginrec.c 2001/02/22 21:23:21 1.32 +++ loginrec.c 2001/03/22 21:28:02 @@ -162,6 +162,7 @@ #include "loginrec.h" #include "log.h" #include "atomicio.h" +#include "servconf.h" RCSID("$Id: loginrec.c,v 1.32 2001/02/22 21:23:21 stevesk Exp $"); @@ -173,6 +174,8 @@ # include #endif +extern ServerOptions options; + /** ** prototypes for helper functions in this file **/ @@ -438,7 +441,8 @@ utmpx_write_entry(li); #endif #ifdef USE_WTMPX - wtmpx_write_entry(li); + if (!options.use_login) + wtmpx_write_entry(li); #endif return 0; } Index: session.c =================================================================== RCS file: /cvs/openssh_cvs/session.c,v retrieving revision 1.100 diff -u -r1.100 session.c --- session.c 2001/03/22 02:06:57 1.100 +++ session.c 2001/03/22 21:28:04 @@ -597,6 +597,8 @@ { int fdout, ptyfd, ttyfd, ptymaster; pid_t pid; + socklen_t fromlen; + struct sockaddr_storage from; if (s == NULL) fatal("do_exec_pty: no session"); 
@@ -635,11 +637,35 @@ /* Close the extra descriptor for the pseudo tty. */ close(ttyfd); + + /* + * Get IP address of client. If the connection is not a socket, let + * the address be 0.0.0.0. + */ + memset(&from, 0, sizeof(from)); + if (packet_connection_is_on_socket()) { + fromlen = sizeof(from); + if (getpeername(packet_get_connection_in(), + (struct sockaddr *) & from, &fromlen) < 0) { + debug("getpeername: %.100s", strerror(errno)); + fatal_cleanup(); + } + } - /* record login, etc. similar to login(1) */ - if (!(options.use_login && command == NULL)) + /* print motd, etc. similar to login(1) */ + if (!(options.use_login && command == NULL)) { + /* Record that there was a login on that tty from the remote host. */ + record_login(getpid(), s->tty, s->pw->pw_name, s->pw->pw_uid, + get_remote_name_or_ip(), (struct sockaddr *)&from); do_login(s, command); + } +#ifdef LOGIN_NEEDS_UTMPX + /* Record that there was a login on that tty from the remote host. */ + record_login(getpid(), s->tty, s->pw->pw_name, s->pw->pw_uid, + get_remote_name_or_ip(), (struct sockaddr *)&from); +#endif + /* Do common processing for the child, such as execing the command. */ do_child(s, command); /* NOTREACHED */ 
@@ -700,35 +726,14 @@ char *time_string; char buf[256]; char hostname[MAXHOSTNAMELEN]; - socklen_t fromlen; - struct sockaddr_storage from; struct stat st; time_t last_login_time; struct passwd * pw = s->pw; - pid_t pid = getpid(); - /* - * Get IP address of client. If the connection is not a socket, let - * the address be 0.0.0.0. - */ - memset(&from, 0, sizeof(from)); - if (packet_connection_is_on_socket()) { - fromlen = sizeof(from); - if (getpeername(packet_get_connection_in(), - (struct sockaddr *) & from, &fromlen) < 0) { - debug("getpeername: %.100s", strerror(errno)); - fatal_cleanup(); - } - } - /* Get the time and hostname when the user last logged in. */ hostname[0] = '\0'; last_login_time = get_last_login_time(pw->pw_uid, pw->pw_name, hostname, sizeof(hostname)); - - /* Record that there was a login on that tty from the remote host. */ - record_login(pid, s->tty, pw->pw_name, pw->pw_uid, - get_remote_name_or_ip(), (struct sockaddr *)&from); #ifdef USE_PAM /* From austin at coremetrics.com Fri Mar 23 09:44:38 2001 
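Review bot: `AC_DEFINE(LOGIN_NEEDS_UTMPX)` in the configure.in hunk is added unconditionally to the solaris2.x block, with no configure test and no comment; since the only evidence on this page is the "No utmpx entry" error quoted in the cover message, a comment naming the Solaris release(s) where login(1) was seen to require the entry would help the next reader decide whether the define belongs in the generic Solaris block or should be tied to a version.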
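Review bot: the loginrec.c hunks make a shared helper file depend on sshd's global server configuration (`#include "servconf.h"` plus `extern ServerOptions options;`); anything that links loginrec.c without sshd's `options` symbol will fail to link, and a policy decision leaks into a low-level record writer. Pass the decision in from the caller instead (for example a flag argument on `record_login()`/`login_write()`). Also, `if (!options.use_login) wtmpx_write_entry(li);` skips the wtmpx record whenever UseLogin is set, including the `command != NULL` case, where login(1) is never executed and sshd is the only thing that would log the session.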
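Review bot: in the do_exec_pty() hunk the `#ifdef LOGIN_NEEDS_UTMPX` block calls `record_login()` unconditionally, immediately after the `if (!(options.use_login && command == NULL))` branch has already called it with the same arguments, so on a Solaris build every pty session that does not hand off to login(1) is recorded twice. Make the second call the `else` arm of that `if` (only when `options.use_login && command == NULL`, i.e. when login(1) is about to be exec'd and needs the utmpx entry) and drop the duplicated comment.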
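Review bot: the do_login() hunk removes `from`, `fromlen` and `pid` together with the getpeername() and record_login() calls, but only the `hostname`/`last_login_time` context is visible here; confirm that nothing further down in do_login() still references `from` or `pid`, otherwise the build breaks on every platform, not just Solaris. The moved getpeername() code is otherwise a straight relocation into do_exec_pty().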
From: austin at coremetrics.com (Austin Gonyou)
Date: Thu, 22 Mar 2001 16:44:38 -0600 (CST)
Subject: Kerberos4, tcp-wrappers, afs, and pam support on RH7.0
In-Reply-To: <791BD3CB503DD411A6510008C7CF647701F40A89@col-581-exs01.cist.saic.com>
Message-ID:

I'm not using rpms, I am doing some work using kerberos authentication
and want to use OpenSSH to interface to kerberos. It's the damnedest
thing though, when I configure, no matter WHERE the krb.h file lives, it
won't get read in by the configure script. Has anyone run into this
before? Also, on RH7, tcpwrappers is a static lib, the src rpm seems to
find it if I rebuild, but the actual source doesn't seem to find it. The
same goes for libpam.so, that stuff exists in /usr/lib and ld.so.cache
is updated, I updated it again just to make sure. Any pointers are much
appreciated!

--
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: austin at coremetrics.com

On Thu, 22 Mar 2001, Loomis, Rip wrote:

> Well, I've finally gotten around to compiling
> and testing OpenSSH 2.5.2p1, in order to update
> the contrib/solaris packaging scripts.
>
> Somehow on my test system, I'm getting errors
> that indicate that I've still got some old copy
> of OpenSSL being found somewhere...but I can't
> for the life of me tell where. The compile went
> fine (it found the OpenSSL 0.9.5a libraries that
> I had compiled and installed in /usr/local/ssl),
> but I get the error below with text indicating
> that I've still got some other random version.
>
> The screwy thing is that I'm rather sure that I
> don't...in fact, I even downloaded, compiled,
> and installed OpenSSL 0.9.6 in hopes that it
> would fix it (no joy). Then I did multiple
> global finds looking for any crypto or ssl-related
> libraries that might have been dangling (no joy).
> Finally, I commented out the check in entropy.c
> and re-compiled, and ssh/sshd run fine. This
> implies to me that the check possibly doesn't work
> properly?
>
> Any other hints as to a filename to look for, or
> an alternate installation location? It seems
> particularly odd to me that the compile runs fine,
> but on *the same box* it picks up a different
> library version at run-time.
>
> contrib/solaris updates to follow ASAP.
>
> Rip Loomis                    Voice Number: (410) 953-6874
> --------------------------------------------------------
> Senior Security Engineer
> Center for Information Security Technology
> Science Applications International Corporation
> http://www.cist.saic.com
>
>
>
> > -----Original Message-----
> > From: Damien Miller [mailto:djm at mindrot.org]
> > Sent: Monday, February 26, 2001 4:38 PM
> > To: mouring at etoh.eviladmin.org
> > Cc: Christophe GRENIER; openssh-unix-dev at mindrot.org
> > Subject: Re: OpenSSH_2.5.1p1 - RH 6.2
> >
> >
> > On Tue, 27 Feb 2001, Damien Miller wrote:
> >
> > > How about we put something like:
> > >
> > > if (SSLeay() != OPENSSL_VERSION_NUMBER)
> > >     fatal("OpenSSL version mismatch. Built against %x, you have %x",
> > >         OPENSSL_VERSION_NUMBER, SSLeay());
> > >
> > > at the start of every executable to kill this thing once
> > and for all.
> >
> > I might put this in init_rng() so we get it without any more
> > disruption.
> >
> > -d
> >
> > --
> > | Damien Miller \ ``E-mail attachments are
> > the poor man's
> > | http://www.mindrot.org / distributed
> > filesystem'' - Dan Geer
> >
> >
>

From wendyp at cray.com Fri Mar 23 09:44:43 2001
From: wendyp at cray.com (Wendy Palm)
Date: Thu, 22 Mar 2001 16:44:43 -0600
Subject: acconfig.h and HAVE_GETUSERSHELL
Message-ID: <3ABA805B.12F161FC@cray.com>

An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010322/b4766005/attachment.html

From djm at mindrot.org Fri Mar 23 09:46:16 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 23 Mar 2001 09:46:16 +1100 (EST)
Subject: Portable OpenSSH-2.5.2p2
In-Reply-To: <003f01c0b2d7$804210e0$efda55c2@future>
Message-ID:

On Thu, 22 Mar 2001, Sergei Dushenkov wrote:

> Hmm...
>
> I've just noticed that rh6.2 rpms have become VERY big with this release...
> 2.5.2p1 rpms for 6.2 were all near 100 - 150 kb and 2.5.2p2 are near 400 -
> 700 kb !!!
> Rh70 rpms are still near the same size as all previous releases... (100 - 150)

If you read the README in the RH62 rpms directory, you would see that
they are statically linked against OpenSSL's libcrypto.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From austin at coremetrics.com Fri Mar 23 09:54:51 2001
From: austin at coremetrics.com (Austin Gonyou)
Date: Thu, 22 Mar 2001 16:54:51 -0600 (CST)
Subject: Kerberos4, tcp-wrappers, afs, and pam support on RH7.0
In-Reply-To:
Message-ID:

One other thing....I've found that I can in fact compile with libwrap,
libpam, md5-passwords, with no errors. As soon as I toss in
--with-kerberos4, it pukes. Can anyone shed light?

--
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: austin at coremetrics.com

On Thu, 22 Mar 2001, Austin Gonyou wrote:

> I'm not using rpms, I am doing some work using kerberos authentication and
> want to use OpenSSH to interface to kerberos. It's the damnedest thing
> though, when I configure, no matter WHERE the krb.h file lives, it won't
> get read in by the configure script. Has anyone run into this before?
> Also, on RH7, tcpwrappers is a static lib, the src rpm seems to find it if
> I rebuild, but the actual source doesn't seem to find it. The same goes
> for libpam.so, that stuff exists in /usr/lib and ld.so.cache is updated, I
> updated it again just to make sure. Any pointers are much appreciated!
>
>

From austin at coremetrics.com Fri Mar 23 10:03:23 2001
From: austin at coremetrics.com (Austin Gonyou)
Date: Thu, 22 Mar 2001 17:03:23 -0600 (CST)
Subject: Kerberos4, tcp-wrappers, afs, and pam support on RH7.0
In-Reply-To:
Message-ID:

Ok, another thing. Just using --with-kerberos4 in the configure breaks
the configure. Any help would be appreciated.

--
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: austin at coremetrics.com

On Thu, 22 Mar 2001, Austin Gonyou wrote:

> One other thing....I've found that I can in fact compile with libwrap,
> libpam, md5-passwords, with no errors. As soon as I toss in --with-kerberos4,
> it pukes. Can anyone shed light?
>
>

From djm at mindrot.org Fri Mar 23 10:18:00 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 23 Mar 2001 10:18:00 +1100 (EST)
Subject: Portable OpenSSH-2.5.2p2
In-Reply-To: <20010322124718.H29454@faveve.uni-stuttgart.de>
Message-ID:

On Thu, 22 Mar 2001, Helmut Springer wrote:

> Hi,
>
> On Thu 2001-03-22 (21:43), Damien Miller wrote:
> > Portable OpenSSH 2.5.2p2 is now available from the mirror sites
> > listed at http://www.openssh.com/portable.html
>
> Have you considered signing the RPMs or adding a signed file with the
> md5 checksums of the RPMs to the distribution directory as well?

The RPMs are signed.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From austin at coremetrics.com Fri Mar 23 10:23:48 2001
From: austin at coremetrics.com (Austin Gonyou)
Date: Thu, 22 Mar 2001 17:23:48 -0600 (CST)
Subject: Kerberos4, tcp-wrappers, afs, and pam support on RH7.0
In-Reply-To:
Message-ID:

I've got to a point now where the configure almost completes, but using
--with-pam and --with-kerberos4=/usr/kerberos/ together, I get a libpam
missing error every time. Suggestions?

--
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: austin at coremetrics.com

On Thu, 22 Mar 2001, Austin Gonyou wrote:

> Ok, another thing. Just using --with-kerberos4 in the configure breaks the
> configure. Any help would be appreciated.
>
>

From djm at mindrot.org Fri Mar 23 10:20:14 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 23 Mar 2001 10:20:14 +1100 (EST)
Subject: One thing about known_hosts
In-Reply-To:
Message-ID:

On Thu, 22 Mar 2001, Krzysztof Oledzki wrote:

> Hello,
>
> I have just noticed one nice feature of the OpenSSH known_hosts
> implementation. When ssh connects to a new host it adds both the ip and
> the name of this host to the known_hosts file in the same line.
> Unfortunately, when I execute ssh once again with another name for that
> host (for example the fqdn) it creates another entry for that host. Is it
> possible to add this name in the same line in case of an ip match?

You can set up HostKeyAlias entries in the client config.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From djm at mindrot.org Fri Mar 23 10:22:16 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 23 Mar 2001 10:22:16 +1100 (EST)
Subject: Improper (?) OpenSSL version mismatch (was RE: OpenSSH_2.5.1p1 - RH 6.2)
In-Reply-To: <791BD3CB503DD411A6510008C7CF647701F40A89@col-581-exs01.cist.saic.com>
Message-ID:

On Thu, 22 Mar 2001, Loomis, Rip wrote:

> Well, I've finally gotten around to compiling
> and testing OpenSSH 2.5.2p1, in order to update
> the contrib/solaris packaging scripts.
>
> Somehow on my test system, I'm getting errors
> that indicate that I've still got some old copy
> of OpenSSL being found somewhere...but I can't
> for the life of me tell where. The compile went
> fine (it found the OpenSSL 0.9.5a libraries that
> I had compiled and installed in /usr/local/ssl),
> but I get the error below with text indicating
> that I've still got some other random version.

You probably have old header files lying around somewhere. Check all
your include directories.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From djm at mindrot.org Fri Mar 23 10:23:38 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 23 Mar 2001 10:23:38 +1100 (EST)
Subject: Kerberos4, tcp-wrappers, afs, and pam support on RH7.0
In-Reply-To:
Message-ID:

On Thu, 22 Mar 2001, Austin Gonyou wrote:

> Ok, another thing. Just using --with-kerberos4 in the configure breaks the
> configure. Any help would be appreciated.

What is the error message?

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From delta at FaVeVe.Uni-Stuttgart.de Fri Mar 23 10:26:12 2001
From: delta at FaVeVe.Uni-Stuttgart.de (Helmut Springer)
Date: Fri, 23 Mar 2001 00:26:12 +0100
Subject: Portable OpenSSH-2.5.2p2
In-Reply-To: ; from djm@mindrot.org on Fri, Mar 23, 2001 at 10:18:00AM +1100
References: <20010322124718.H29454@faveve.uni-stuttgart.de>
Message-ID: <20010323002612.C8292@faveve.uni-stuttgart.de>

On Fri 2001-03-23 (10:18), Damien Miller wrote:
> > Have you considered signing the RPMs or adding a signed file with the
> > md5 checksums of the RPMs to the distribution directory as well?
>
> The RPMs are signed.

hmpf...I somehow managed to screw up the keyring *sigh*

sorry & thanks,

--
MfG/best regards, helmut springer
Seeing the whites of the enemy's eyes means nothing but standing
patiently in front of the mirror.

From austin at coremetrics.com Fri Mar 23 10:42:57 2001
From: austin at coremetrics.com (Austin Gonyou)
Date: Thu, 22 Mar 2001 17:42:57 -0600 (CST)
Subject: Kerberos4, tcp-wrappers, afs, and pam support on RH7.0
In-Reply-To:
Message-ID:

At this point my error message is as follows:

./configure --with-pam --with-md5-passwords --with-afs \
    --with-kerberos4=/usr/kerberos/

creating config.cache

... (chugging along)
checking for daemon... no
checking for daemon in -lbsd... no
checking for getpagesize... no
checking for getpagesize in -lucb... no
checking whether getpgrp takes no argument... no
checking for dlopen in -ldl... no
checking for pam_set_item in -lpam... no
configure: error: *** libpam missing

--
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: austin at coremetrics.com

On Fri, 23 Mar 2001, Damien Miller wrote:

> What is the error message?
>
> -d
>
>

From austin at coremetrics.com Fri Mar 23 10:54:21 2001
From: austin at coremetrics.com (Austin Gonyou)
Date: Thu, 22 Mar 2001 17:54:21 -0600 (CST)
Subject: Kerberos4, tcp-wrappers, afs, and pam support on RH7.0
In-Reply-To:
Message-ID:

I also have a problem with libwrap being found, but I didn't include it
in this reply, it just breaks right after it finds the krb.h and libkrb
stuff, instead of way down by pam.

--
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: austin at coremetrics.com

On Thu, 22 Mar 2001, Austin Gonyou wrote:

> At this point my error message is as follows:
>
> ./configure --with-pam --with-md5-passwords --with-afs \
>     --with-kerberos4=/usr/kerberos/
>
> creating config.cache
>
> ... (chugging along)
> checking for daemon... no
> checking for daemon in -lbsd... no
> checking for getpagesize... no
> checking for getpagesize in -lucb... no
> checking whether getpgrp takes no argument... no
> checking for dlopen in -ldl... no
> checking for pam_set_item in -lpam... no
> configure: error: *** libpam missing
>
>

From djm at mindrot.org Fri Mar 23 11:33:44 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 23 Mar 2001 11:33:44 +1100 (EST)
Subject: Kerberos4, tcp-wrappers, afs, and pam support on RH7.0
In-Reply-To:
Message-ID:

On Thu, 22 Mar 2001, Austin Gonyou wrote:

> At this point my error message is as follows:
>
> ./configure --with-pam --with-md5-passwords --with-afs \
> --with-kerberos4=/usr/kerberos/
>
> creating config.cache
>
> ... (chugging along)
> checking for daemon... no
> checking for daemon in -lbsd... no
> checking for getpagesize... no
> checking for getpagesize in -lucb... no
> checking whether getpgrp takes no argument... no
> checking for dlopen in -ldl... no
> checking for pam_set_item in -lpam... no
> configure: error: *** libpam missing

There should be a more detailed error message in config.log.

-d

--
| Damien Miller \   ``E-mail attachments are the poor man's
| http://www.mindrot.org /  distributed filesystem'' - Dan Geer

From nalin at redhat.com Fri Mar 23 11:46:01 2001
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Thu, 22 Mar 2001 19:46:01 -0500
Subject: Challenge response authentication and PAM
In-Reply-To: ; from djm@mindrot.org on Thu, Mar 22, 2001 at 09:27:33PM +1100
References:
Message-ID: <20010322194601.A21407@redhat.com>

On Thu, Mar 22, 2001 at 09:27:33PM +1100, Damien Miller wrote:
> On Thu, 22 Mar 2001, Nigel Metheringham wrote:
> > Anyone got a fully working pam_opie/pam_skey implementation they wish
> > to point me at?
>
> If someone can recommend one then I will use it for testing too.

I found a working implementation at
ftp://linux.mathematik.tu-darmstadt.de/pub/linux/people/okir/dontuse/

It's been a while since I looked at the source for the PAM module it
includes, though, but I recall having to modify it to not accept empty
passwords as correct responses.

Cheers,

Nalin

From abartlet at pcug.org.au Fri Mar 23 15:39:23 2001
From: abartlet at pcug.org.au (Andrew Bartlett)
Date: Fri, 23 Mar 2001 15:39:23 +1100
Subject: Restricted SFTP
Message-ID: <3ABAD37B.F177CB96@bartlett.house>

As I have mentioned earlier on this list, I want to allow (relatively)
untrusted local users to SFTP to my server, as a secure method of remote
file access.

What I would like to do is to keep users within their home directory. I
don't mind that it follows symlinks (in fact it's probably a
requirement), but some basic restriction on what users can see/access
would be handy.

The check I would propose would simply be 'all files/directories served
must start with /home/username'.

Is this at all possible?

Andrew Bartlett
abartlet at pcug.org.au

--
Andrew Bartlett
abartlet at pcug.org.au

From djm at mindrot.org Fri Mar 23 15:50:35 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 23 Mar 2001 15:50:35 +1100 (EST)
Subject: Restricted SFTP
In-Reply-To: <3ABAD37B.F177CB96@bartlett.house>
Message-ID:

On Fri, 23 Mar 2001, Andrew Bartlett wrote:

> As I have mentioned earlier on this list, I want to allow (relatively)
> untrusted local users to SFTP to my server, as a secure method of remote
> file access.
>
> What I would like to do is to keep users within their home directory. I
> don't mind that it follows symlinks (in fact it's probably a
> requirement), but some basic restriction on what users can see/access
> would be handy.
>
> The check I would propose would simply be 'all files/directories served
> must start with /home/username'.
>
> Is this at all possible?

Not at present (presuming you don't modify sftp-server yourself).
A chroot capability is planned for the future, but has not been implemented
yet.

-d

--
| Damien Miller \   ``E-mail attachments are the poor man's
| http://www.mindrot.org /  distributed filesystem'' - Dan Geer

From leon at brooks.fdns.net Fri Mar 23 16:36:09 2001
From: leon at brooks.fdns.net (Leon Brooks)
Date: Fri, 23 Mar 2001 13:36:09 +0800
Subject: living with masq
Message-ID: <3ABAE0C9.1030408@brooks.fdns.net>

I'm on too many lists already, so haven't joined this one. If you have
things that I really need to know, please reply or CC me off-list.

I often work through masqueraded (NAT) links, and find that the
following patch is able to keep an idle ssh link up where nothing else
will. Please consider making it a part of the main ssh package.

http://chaos2.org/~jacob/code/openssh/patch-openssh-1.2.3-trans_inter-r3.gz

I understand that Linux-Mandrake, starting with the updates to their
distribution release number 7.2, includes this patch routinely. I myself
have never had a problem with it. Does it do anything nasty to other
(non-Linux) systems?

--
"I think that's how Chicago got started. A bunch of people in New York
said, 'Gee, I'm enjoying the crime and the poverty, but it just isn't
cold enough. Let's go west.'" -- Richard Jeni

From devon at admin2.gisnetworks.com Fri Mar 23 17:03:10 2001
From: devon at admin2.gisnetworks.com (Devon Bleak)
Date: Thu, 22 Mar 2001 22:03:10 -0800
Subject: living with masq
References: <3ABAE0C9.1030408@brooks.fdns.net>
Message-ID: <004c01c0b35e$f0a24d00$1900a8c0@devn>

since i started using the masq code from iptables/kernel 2.4, i haven't had
any problems with sessions timing out, even after leaving them idle over
night or all day.

with ipchains/kernel 2.2, i just set the timeouts on tcp connections to be
something like 4 hours (default is 15 minutes), which i found was more than
enough, but is configurable beyond even that.

devon

----- Original Message -----
From: "Leon Brooks"
To:
Sent: Thursday, March 22, 2001 9:36 PM
Subject: living with masq

> I'm on too many lists already, so haven't joined this one. If you have
> things that I really need to know, please reply or CC me off-list.
>
> I often work through masqueraded (NAT) links, and find that the
> following patch is able to keep an idle ssh link up where nothing else
> will. Please consider making it a part of the main ssh package.
>
> http://chaos2.org/~jacob/code/openssh/patch-openssh-1.2.3-trans_inter-r3.gz
>
> I understand that Linux-Mandrake, starting with the updates to their
> distribution release number 7.2, includes this patch routinely. I myself
> have never had a problem with it. Does it do anything nasty to other
> (non-Linux) systems?
>
> --
> "I think that's how Chicago got started. A bunch of people in New York
> said, 'Gee, I'm enjoying the crime and the poverty, but it just isn't
> cold enough. Let's go west.'" -- Richard Jeni
>
>
>

From abartlet at pcug.org.au Fri Mar 23 18:06:41 2001
From: abartlet at pcug.org.au (Andrew Bartlett)
Date: Fri, 23 Mar 2001 18:06:41 +1100
Subject: Restricted SFTP
References:
Message-ID: <3ABAF601.33F78F90@bartlett.house>

Damien Miller wrote:
>
> On Fri, 23 Mar 2001, Andrew Bartlett wrote:
>
> > As I have mentioned earlier on this list, I want to allow (relatively)
> > untrusted local users to SFTP to my server, as a secure method of remote
> > file access.
> >
> > What I would like to do is to keep users within their home directory. I
> > don't mind that it follows symlinks (in fact it's probably a
> > requirement), but some basic restriction on what users can see/access
> > would be handy.
> >
> > The check I would propose would simply be 'all files/directories served
> > must start with /home/username'.
> >
> > Is this at all possible?
>
> Not at present (presuming you don't modify sftp-server yourself).
> A chroot capability is planned for the future, but has not been implemented
> yet.
>

It appears (by looking at the code) that a smattering of realpath and
strcmp calls could provide the required functionality. Does this look
like the way to do it / do you see any problems with this approach?

--
Andrew Bartlett
abartlet at pcug.org.au

From djm at mindrot.org Fri Mar 23 20:19:14 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 23 Mar 2001 20:19:14 +1100 (EST)
Subject: Restricted SFTP
In-Reply-To: <3ABAF601.33F78F90@bartlett.house>
Message-ID:

On Fri, 23 Mar 2001, Andrew Bartlett wrote:

> It appears (by looking at the code) that a smattering of realpath and
> strcmp calls could provide the required functionality. Does this look
> like the way to do it / do you see any problems with this approach?

Aesthetically: yes.

Practically: no, so long as you are careful to catch all the cases.

-d

--
| Damien Miller \   ``E-mail attachments are the poor man's
| http://www.mindrot.org /  distributed filesystem'' - Dan Geer

From tomh at po.crl.go.jp Fri Mar 23 21:11:44 2001
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Fri, 23 Mar 2001 19:11:44 +0900 (JST)
Subject: -I$(srcdir)/openbsd-compat removal can cause errors
Message-ID:

This is a Linux/Alpha system, with AT&T's graphviz suite installed.

gcc -O2 -Wall -I. -I. -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -DHAVE_CONFIG_H -c atomicio.c
In file included from openbsd-compat/openbsd-compat.h:24,
                 from includes.h:102,
                 from atomicio.c:26:
openbsd-compat/vis.h:31: conflicting types for `vis'
/usr/local/include/vis.h:45: previous declaration of `vis'
make: *** [atomicio.o] Error 1

It turns out that the graphviz suite (installed in /usr/local) has a vis.h
that defines a vis() function. It is completely unrelated to the vis.h and
vis() function in openbsd-compat. Because the -I$(srcdir)/openbsd-compat was
removed from the definition of CPPFLAGS in openssh-2.5.2p2, the
/usr/local/include/vis.h gets found instead of ./openbsd-compat/vis.h.

I'd recommend putting it back the way it was.

(There may even be other breakage I never noticed before, because configure
detects vis.h but not vis(), so HAVE_VIS_H is defined but not HAVE_VIS. What
uses vis()?)

Dr. Tom Holroyd
"I am, as I said, inspired by the biological phenomena in which chemical
forces are used in repetitious fashion to produce all kinds of weird
effects (one of which is the author)."
-- Richard Feynman, _There's Plenty of Room at the Bottom_

From andrew01temp at ledge.co.za Fri Mar 23 20:52:37 2001
From: andrew01temp at ledge.co.za (Andrew McGill)
Date: Fri, 23 Mar 2001 11:52:37 +0200 (SAST)
Subject: openssh 2.3.0p1-5 loses stdout
In-Reply-To:
Message-ID:

Hello all

In a recent spate of paranoia we set our server (SuSE Linux 7.0, kernel
2.2.16) to use SSH version 2 and not SSH1. With openssh 2.3.0p1-5 running
as client and server, we find that stdout output is occasionally dropped:

ssh server echo "JJJ"

usually emits JJJ, but sometimes returns nothing -- although the command is
apparently performed.

In the happy case the server logs this (yep, this is the one that worked):

WARNING: /etc/ssh/primes does not exist, using old prime
Accepted publickey for andrewm from 10.0.0.69 port 1428 ssh2
error: channel 0: internal error: we do not read, but chan_read_failed for istate 8

In the unhappy case, the server logs this:

WARNING: /etc/ssh/primes does not exist, using old prime
Accepted publickey for andrewm from 10.0.0.69 port 1424 ssh2

So many questions ...

. Is this a known bug or a configuration error?
. Is it specific to SuSE's rpm or linux?
. Is it fixed in the latest and greatest openssh?
. What is the enigmatic (undocumented?) /etc/ssh/primes ... ?
. How much was in the FAQ ... :)

(On the same machines -R port forwarding does not work with protocol version
2, but does with protocol version 1 ... but that could be a different
issue ... )

I did notice this in the changelog ... which seems to describe the problem
I have .. perhaps the fix did not address the problem ..?:

20000420
 ...
 [session.c]
 - remove bogus chan_read_failed. this could cause data corruption
 (missing data) at end of a SSH2 session.

&:-)

Here's a debug splurge:

EXAMPLE OF FAILURE (about 1 in 16):

ssh -v gabriel "echo HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH"
SSH Version OpenSSH_2.3.0p1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090600f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for gabriel
debug: Applying options for *
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 500 geteuid 0 anon 1
debug: Connecting to gabriel [10.0.0.1] port 22.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0p1
debug: no match: OpenSSH_2.3.0p1
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-2.0-OpenSSH_2.3.0p1
debug: Seeding random number generator
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug: got kexinit: ssh-dss
debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit: none,zlib
debug: got kexinit: none,zlib
debug: got kexinit:
debug: got kexinit:
debug: first kex follow: 0
debug: reserved: 0
debug: done
debug: kex: server->client 3des-cbc hmac-sha1 none
debug: kex: client->server 3des-cbc hmac-sha1 none
debug: Sending SSH2_MSG_KEX_DH_GEX_REQUEST.
debug: Wait SSH2_MSG_KEX_DH_GEX_GROUP.
debug: Got SSH2_MSG_KEX_DH_GEX_GROUP.
debug: bits set: 499/1024
debug: Sending SSH2_MSG_KEX_DH_GEX_INIT.
debug: Wait SSH2_MSG_KEX_DH_GEX_REPLY.
debug: Got SSH2_MSG_KEXDH_REPLY.
debug: Host 'gabriel' is known and matches the DSA host key.
debug: bits set: 522/1024
debug: len 55 datafellows 0
debug: dsa_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: service_accept: ssh-userauth
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue: publickey,password
debug: next auth method to try is publickey
debug: try pubkey: /home/andrewm/.ssh/id_dsa
debug: read DSA private key done
debug: sig size 20 20
debug: ssh-userauth2 successfull: method publickey
debug: channel 0: new [client-session]
debug: send channel open 0
debug: Entering interactive session.
debug: client_init id 0 arg 0
debug: Requesting X11 forwarding with authentication spoofing.
debug: Sending command: echo HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
debug: channel 0: open confirm rwindow 0 rmax 16384
debug: client_input_channel_req: rtype exit-status reply 0
debug: channel 0: rcvd eof
debug: channel 0: output open -> drain
debug: channel 0: rcvd close
debug: channel 0: input open -> closed
debug: channel 0: close_read
debug: channel 0: obuf empty
debug: channel 0: output drain -> closed
debug: channel 0: close_write
debug: channel 0: send close
debug: channel 0: full closed2
debug: channel_free: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)
debug: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.1 seconds
debug: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug: Exit status 0

NORMAL BEHAVIOUR

ssh -v gabriel "echo HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH"
SSH Version OpenSSH_2.3.0p1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090600f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for gabriel
debug: Applying options for *
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 500 geteuid 0 anon 1
debug: Connecting to gabriel [10.0.0.1] port 22.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0p1
debug: no match: OpenSSH_2.3.0p1
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-2.0-OpenSSH_2.3.0p1
debug: Seeding random number generator
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug: got kexinit: ssh-dss
debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit: none,zlib
debug: got kexinit: none,zlib
debug: got kexinit:
debug: got kexinit:
debug: first kex follow: 0
debug: reserved: 0
debug: done
debug: kex: server->client 3des-cbc hmac-sha1 none
debug: kex: client->server 3des-cbc hmac-sha1 none
debug: Sending SSH2_MSG_KEX_DH_GEX_REQUEST.
debug: Wait SSH2_MSG_KEX_DH_GEX_GROUP.
debug: Got SSH2_MSG_KEX_DH_GEX_GROUP.
debug: bits set: 505/1024
debug: Sending SSH2_MSG_KEX_DH_GEX_INIT.
debug: Wait SSH2_MSG_KEX_DH_GEX_REPLY.
debug: Got SSH2_MSG_KEXDH_REPLY.
debug: Host 'gabriel' is known and matches the DSA host key.
debug: bits set: 503/1024
debug: len 55 datafellows 0
debug: dsa_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: service_accept: ssh-userauth
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue: publickey,password
debug: next auth method to try is publickey
debug: try pubkey: /home/andrewm/.ssh/id_dsa
debug: read DSA private key done
debug: sig size 20 20
debug: ssh-userauth2 successfull: method publickey
debug: channel 0: new [client-session]
debug: send channel open 0
debug: Entering interactive session.
debug: client_init id 0 arg 0
debug: Requesting X11 forwarding with authentication spoofing.
debug: Sending command: echo HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
debug: channel 0: open confirm rwindow 0 rmax 16384
HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
debug: client_input_channel_req: rtype exit-status reply 0
debug: channel 0: rcvd eof
debug: channel 0: output open -> drain
debug: channel 0: rcvd close
debug: channel 0: input open -> closed
debug: channel 0: close_read
debug: channel 0: obuf empty
debug: channel 0: output drain -> closed
debug: channel 0: close_write
debug: channel 0: send close
debug: channel 0: full closed2
debug: channel_free: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)
debug: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.1 seconds
debug: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug: Exit status 0

From djm at mindrot.org Fri Mar 23 21:51:46 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 23 Mar 2001 21:51:46 +1100 (EST)
Subject: openssh 2.3.0p1-5 loses stdout
In-Reply-To:
Message-ID:

On Fri, 23 Mar 2001, Andrew McGill wrote:

> Hello all
>
> In a recent spate of paranoia we set our server (SuSE Linux 7.0, kernel
> 2.2.16) to use SSH version 2 and not SSH1. With openssh 2.3.0p1-5 running
> as client and server, we find that stdout output is occasionally dropped:

Known problem with 2.3.0p1, an upgrade to 2.5.2p1 will fix it.

-d

--
| Damien Miller \   ``E-mail attachments are the poor man's
| http://www.mindrot.org /  distributed filesystem'' - Dan Geer

From Markus.Friedl at informatik.uni-erlangen.de Fri Mar 23 22:00:31 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 23 Mar 2001 12:00:31 +0100
Subject: Restricted SFTP
In-Reply-To: <3ABAF601.33F78F90@bartlett.house>; from abartlet@pcug.org.au on Fri, Mar 23, 2001 at 06:06:41PM +1100
References: <3ABAF601.33F78F90@bartlett.house>
Message-ID: <20010323120031.E29486@faui02.informatik.uni-erlangen.de>

> It appears (by looking at the code) that a smattering of realpath and
> strcmp calls could provide the required functionality. Does this look
> like the way to do it / do you see any problems with this approach?

I'm not sure what exactly you are referring to: you have to check ALL
protocol messages that are using filenames, i.e. ALL messages that use
'names' instead of 'handles'; changing process_realpath() is not enough.

-m

From austin at coremetrics.com Sat Mar 24 03:29:25 2001
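An added example of the realpath-plus-comparison check discussed in the Restricted SFTP thread above, written for this page and not taken from OpenSSH's sftp-server or from any of the posters. It covers the cases Damien and Markus warn about: symlinks and ".." are resolved before the comparison, a not-yet-existing target (OPEN with O_CREAT, MKDIR) is handled through its parent, a sibling directory whose name merely extends the root ("/home/andrew2" under "/home/andrew") is refused by a whole-component compare, and the check is one function to be applied to every name-carrying request. The root "/home/andrew", the directory names and the temporary-directory fixture are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Whole-component prefix test: "/home/andrew2" is NOT under "/home/andrew";
 * a bare strcmp()/strncmp() prefix check gets that wrong. Returns 1 or 0. */
int path_within_root(const char *root, const char *path)
{
    size_t n = strlen(root);
    while (n > 1 && root[n - 1] == '/')   /* tolerate "/home/andrew/" */
        n--;
    if (strncmp(root, path, n) != 0)
        return 0;
    return n == 1 || path[n] == '\0' || path[n] == '/';
}

/* Canonicalise a client-supplied name with realpath(3) so symlinks and ".."
 * are resolved before the comparison. OPEN(O_CREAT), MKDIR and RENAME may name
 * a file that does not exist yet: then the parent is canonicalised and the
 * last component appended, unless it is "", "." or "..". 0 = ok, -1 = fail. */
int resolve_client_path(const char *name, char *out, size_t outlen)
{
    char parent[PATH_MAX], canon[PATH_MAX];
    const char *slash, *base;
    size_t plen;
    if (realpath(name, canon) != NULL)
        return snprintf(out, outlen, "%s", canon) < (int)outlen ? 0 : -1;
    slash = strrchr(name, '/');
    base = slash ? slash + 1 : name;
    if (*base == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return -1;
    if (slash == NULL) {
        strcpy(parent, ".");
    } else {
        plen = (slash == name) ? 1 : (size_t)(slash - name);  /* "/x" -> "/" */
        if (plen >= sizeof(parent))
            return -1;
        memcpy(parent, name, plen);
        parent[plen] = '\0';
    }
    if (realpath(parent, canon) == NULL)
        return -1;
    if (snprintf(out, outlen, "%s/%s", strcmp(canon, "/") ? canon : "", base)
        >= (int)outlen)
        return -1;
    return 0;
}

/* The proposed check, to be applied to EVERY name-carrying request (OPEN,
 * OPENDIR, STAT, LSTAT, REMOVE, MKDIR, RMDIR, RENAME, READLINK, SYMLINK,
 * SETSTAT, REALPATH), not only REALPATH. 0 = allowed, canonical path in out. */
int confine_to_root(const char *root, const char *name, char *out, size_t outlen)
{
    if (resolve_client_path(name, out, outlen) != 0)
        return -1;
    return path_within_root(root, out) ? 0 : -1;
}

/* Constructed demo tree, built once under a temporary directory: home/andrew
 * (the restricted root), home/andrew2 (a sibling whose name extends the
 * root's), home/andrew/escape -> ../andrew2 (a symlink leading outside). */
const char *demo_root(void)
{
    static char root[PATH_MAX];
    static int built = 0;
    const char *dirs[] = { "home", "home/andrew2", "home/andrew" };
    char tmpl[] = "/tmp/sftpconfXXXXXX", p[PATH_MAX];
    const char *t = built ? root : mkdtemp(tmpl);
    int i;
    if (built || t == NULL)
        return t;
    for (i = 0; i < 3; i++) {
        snprintf(p, sizeof p, "%s/%s", t, dirs[i]);
        if (mkdir(p, 0700) != 0)
            return NULL;
    }
    if (realpath(p, root) == NULL)        /* p is now .../home/andrew */
        return NULL;
    snprintf(p, sizeof p, "%s/home/andrew/escape", t);
    if (symlink("../andrew2", p) != 0)
        return NULL;
    built = 1;
    return root;
}

/* Is root + suffix accepted? 1 = allowed, 0 = refused, -1 = fixture failed. */
int demo_allowed(const char *suffix)
{
    char name[PATH_MAX], out[PATH_MAX];
    const char *root = demo_root();
    if (root == NULL) return -1;
    snprintf(name, sizeof name, "%s%s", root, suffix);
    return confine_to_root(root, name, out, sizeof out) == 0;
}
```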
From: austin at coremetrics.com (Austin Gonyou)
Date: Fri, 23 Mar 2001 10:29:25 -0600 (CST)
Subject: Kerberos4, tcp-wrappers, afs, and pam support on RH7.0
In-Reply-To:
Message-ID:

Success! I found that the des.h from openssl was conflicting with the one in
/usr/kerberos/include/kerberosIV/. I moved the one in /usr/include/openssl to
.orig and then ln -s the one in kerberosIV to openssl. OpenSSH builds fine
now. Is this the best way to do this or should it be done differently?

--
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: austin at coremetrics.com

On Fri, 23 Mar 2001, Damien Miller wrote:

> On Thu, 22 Mar 2001, Austin Gonyou wrote:
>
> > At this point my error message is as follows:
> >
> > ./configure --with-pam --with-md5-passwords --with-afs \
> > --with-kerberos4=/usr/kerberos/
> >
> > creating config.cache
> >
> > ... (chugging along)
> > checking for daemon... no
> > checking for daemon in -lbsd... no
> > checking for getpagesize... no
> > checking for getpagesize in -lucb... no
> > checking whether getpgrp takes no argument... no
> > checking for dlopen in -ldl... no
> > checking for pam_set_item in -lpam... no
> > configure: error: *** libpam missing
>
> There should be a more detailed error message in config.log.
>
> -d
>
>

From austin at coremetrics.com Sat Mar 24 03:41:07 2001
From: austin at coremetrics.com (Austin Gonyou)
Date: Fri, 23 Mar 2001 10:41:07 -0600 (CST)
Subject: Kerberos4, tcp-wrappers, afs, and pam support on RH7.0
In-Reply-To:
Message-ID:

Doh! After reading the openssl/des.h file, I found this set of lines.

#ifdef _KERBEROS_DES_H
#error replaces .
#endif

--
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: austin at coremetrics.com

On Fri, 23 Mar 2001, Austin Gonyou wrote:

> Success! I found that the des.h from openssl was conflicting with the one
> in /usr/kerberos/include/kerberosIV/. I moved the one in
> /usr/include/openssl to .orig and then ln -s the one in kerberosIV to
> openssl. OpenSSH builds fine now. Is this the best way to do this or
> should it be done differently?
>
>

From austin at coremetrics.com Sat Mar 24 03:47:54 2001
From: austin at coremetrics.com (Austin Gonyou)
Date: Fri, 23 Mar 2001 10:47:54 -0600 (CST)
Subject: Kerberos4, tcp-wrappers, afs, and pam support on RH7.0
In-Reply-To:
Message-ID:

I believe this is a misleading message. I did switch the kerberosIV/des.h
with openssl/des.h. Not good. OpenSSH wouldn't even finish building. It
appears that the way to make this build work is my previous assumption.
Switch the openssl/des.h with the one from kerberosIV/des.h; I get no actual
errors while building. I do get a few warnings, but only a small section,
and they look like this:

sshconnect1.c: In function `try_kerberos_authentication':
sshconnect1.c:402: warning: passing arg 1 of `krb_get_phost' discards qualifiers from pointer target type
sshconnect1.c:402: warning: passing arg 1 of `krb_get_phost' discards qualifiers from pointer target type
sshconnect1.c:402: warning: passing arg 1 of `krb_get_phost' discards qualifiers from pointer target type
sshconnect1.c:402: warning: passing arg 1 of `krb_get_phost' discards qualifiers from pointer target type
sshconnect1.c:402: warning: passing arg 1 of `krb_get_phost' discards qualifiers from pointer target type
sshconnect1.c:404: warning: passing arg 1 of `krb_realmofhost' discards qualifiers from pointer target type
sshconnect1.c:423: warning: passing arg 1 of `des_key_sched' from incompatible pointer type
sshconnect1.c:473: warning: passing arg 4 of `krb_rd_priv' from incompatible pointer type

The sshconnect1.c file is where it would break horribly before when using
the openssl/des.h file. Hope this helps those who are attempting it.

--
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: austin at coremetrics.com

On Fri, 23 Mar 2001, Austin Gonyou wrote:

> Doh! After reading the openssl/des.h file, I found this set of lines.
>
> #ifdef _KERBEROS_DES_H
> #error replaces .
> #endif
>
>

From swares at qwest.com Sat Mar 24 03:55:45 2001
From: swares at qwest.com (Scott Wares)
Date: Fri, 23 Mar 2001 09:55:45 -0700 (MST)
Subject: SSH Connections being dropped.
Message-ID:

We are having problems with SSH shells disconnecting.

We are replacing an older version of SSH (Non-Commercial Version which
someone installed in error, but it was working fine.) & Had been running
OpenSSH 2.3.0p? which had similar problems, some of the errors I was
seeing went away with OpenSSH 2.5.2.p1.

compiled against openssl-0.9.6, with SUNWspro & GCC281 on Solaris 2.8 &
Solaris 2.6, both have the same problem.

133$ uname -a
SunOS dtadmin 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-250

134$ showrev -p | wc -l
218

Mar 22 09:29:24 dtadmin sshd[11783]: [ID 800047 auth.error] error: Hm, dispatch protocol error: type 30 plen 132
Mar 22 10:30:25 dtadmin sshd[17083]: [ID 800047 auth.error] error: Hm, dispatch protocol error: type 20 plen 136
Mar 22 10:30:25 dtadmin sshd[17083]: [ID 800047 auth.crit] fatal: dispatch_protocol_error: rekeying is not supported

265$ ssh -v dtadmin
OpenSSH_2.5.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug1: Seeded RNG with 39 bytes from programs
debug1: Seeded RNG with 3 bytes from system calls
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: getuid 6400 geteuid 0 anon 1
debug1: Connecting to dtadmin [151.119.10.106] port 22.
debug1: Connection established.
debug1: identity file /home/user42/swares/.ssh/identity type 0
debug1: unknown identity file /home/user42/swares/.ssh/id_rsa
debug1: identity file /home/user42/swares/.ssh/id_rsa type -1
debug1: unknown identity file /home/user42/swares/.ssh/id_dsa
debug1: identity file /home/user42/swares/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_2.5.2p1
debug1: match: OpenSSH_2.5.2p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.5.2p1
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug1: got kexinit: ssh-dss
debug1: got kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug1: got kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug1: got kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: none,zlib
debug1: got kexinit: none,zlib
debug1: got kexinit:
debug1: got kexinit:
debug1: first kex follow: 0
debug1: reserved: 0
debug1: done
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: Sending SSH2_MSG_KEX_DH_GEX_REQUEST.
debug1: Wait SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: Got SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: dh_gen_key: priv key bits set: 133/256
debug1: bits set: 998/2049
debug1: Sending SSH2_MSG_KEX_DH_GEX_INIT.
debug1: Wait SSH2_MSG_KEX_DH_GEX_REPLY.
debug1: Got SSH2_MSG_KEXDH_REPLY.
debug1: Host 'dtadmin' is known and matches the DSA host key.
debug1: Found key in /home/user42/swares/.ssh/known_hosts2:1
debug1: bits set: 1018/2049
debug1: len 55 datafellows 0
debug1: ssh_dss_verify: signature correct
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/user42/swares/.ssh/id_rsa
debug1: try privkey: /home/user42/swares/.ssh/id_dsa
debug1: next auth method to try is password
swares at dtadmin's password:
debug1: ssh-userauth2 successful: method password
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: client_init id 0 arg 0
debug1: channel request 0: shell
debug1: channel 0: open confirm rwindow 0 rmax 16384

Scott Wares, Unix SysAdmin
Tier II, Desktop Support
303-707-5479, swares at qwest.com

From austin at coremetrics.com Sat Mar 24 04:08:29 2001
From: austin at coremetrics.com (Austin Gonyou) Date: Fri, 23 Mar 2001 11:08:29 -0600 (CST) Subject: SSH Conections being dropped. In-Reply-To: Message-ID: Did you look at the faq page on the openssh.com site? Here is what you might be experiencing: ----------Begin FAQ Info----------- 2.3 - Why does SSH 2.3 have problems interoperating with OpenSSH 2.1.1? SSH 2.3 and earlier versions contain a flaw in their HMAC implementation. Their code was not supplying the full data block output from the digest, and instead always provided 128 bits. For longer digests, this caused SSH 2.3 to not interoperate with OpenSSH. OpenSSH 2.2.0 detects that SSH 2.3 has this flaw. Future versions of SSH will have this bug fixed. Or you can add the following to ssh 2.3's /etc/sshd_config. Mac hmac-md5 In addition to the flawed HMAC implementation, problems in interoperation have been seen due to OpenSSH not yet supporting the option of rekeying. However SSH 2.3 tries to negotiate this feature, and you might experience connection freezes or see the error message "Dispatch protocol error: type 20". To solve this problem, either upgrade to SSH 2.4 or disable rekeying by adding the following to your commercial SSH 2.3's sshd_config. RekeyIntervalSeconds 0 ----------End FAQ Info--------- Hope this helps. -- Austin Gonyou Systems Architect Coremetrics, Inc. Phone: 512-796-9023 email: austin at coremetrics.com On Fri, 23 Mar 2001, Scott Wares wrote: > We are having problems with SSH shells disconnecting. > > We are replacing a older version of SSH (Non-Comercial Version which some > one installed in error, but it was working fine.) & Had been running > OpenSSH 2.3.0p? which had similar problems, some of the errors I was > seeing went away with OpenSSH 2.5.2.p1. > > compiled against openssl-0.9.6, with SUNWspro & GCC281 on Solaris 2.8 & > Solaris 2.6, both have the same problem. 
>
> 133$ uname -a
> SunOS dtadmin 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-250
>
> 134$ showrev -p | wc -l
> 218
>
> Mar 22 09:29:24 dtadmin sshd[11783]: [ID 800047 auth.error] error: Hm,
> dispatch protocol error: type 30 plen 132
> Mar 22 10:30:25 dtadmin sshd[17083]: [ID 800047 auth.error] error: Hm,
> dispatch protocol error: type 20 plen 136
> Mar 22 10:30:25 dtadmin sshd[17083]: [ID 800047 auth.crit]
> fatal: dispatch_protocol_error: rekeying is not supported
>
> 265$ ssh -v dtadmin
> OpenSSH_2.5.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
> debug1: Seeded RNG with 39 bytes from programs
> debug1: Seeded RNG with 3 bytes from system calls
> debug1: Rhosts Authentication disabled, originating port will not be
> trusted.
> debug1: ssh_connect: getuid 6400 geteuid 0 anon 1
> debug1: Connecting to dtadmin [151.119.10.106] port 22.
> debug1: Connection established.
> debug1: identity file /home/user42/swares/.ssh/identity type 0
> debug1: unknown identity file /home/user42/swares/.ssh/id_rsa
> debug1: identity file /home/user42/swares/.ssh/id_rsa type -1
> debug1: unknown identity file /home/user42/swares/.ssh/id_dsa
> debug1: identity file /home/user42/swares/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version
> OpenSSH_2.5.2p1
> debug1: match: OpenSSH_2.5.2p1 pat ^OpenSSH
> Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_2.5.2p1
> debug1: send KEXINIT
> debug1: done
> debug1: wait KEXINIT
> debug1: got
> kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug1: got kexinit: ssh-dss
> debug1: got
> kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
> debug1: got
> kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
> debug1: got
> kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug1: got
> kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug1: got kexinit: none,zlib
> debug1: got kexinit: none,zlib
> debug1: got kexinit:
> debug1: got kexinit:
> debug1: first kex follow: 0
> debug1: reserved: 0
> debug1: done
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: Sending SSH2_MSG_KEX_DH_GEX_REQUEST.
> debug1: Wait SSH2_MSG_KEX_DH_GEX_GROUP.
> debug1: Got SSH2_MSG_KEX_DH_GEX_GROUP.
> debug1: dh_gen_key: priv key bits set: 133/256
> debug1: bits set: 998/2049
> debug1: Sending SSH2_MSG_KEX_DH_GEX_INIT.
> debug1: Wait SSH2_MSG_KEX_DH_GEX_REPLY.
> debug1: Got SSH2_MSG_KEXDH_REPLY.
> debug1: Host 'dtadmin' is known and matches the DSA host key.
> debug1: Found key in /home/user42/swares/.ssh/known_hosts2:1
> debug1: bits set: 1018/2049
> debug1: len 55 datafellows 0
> debug1: ssh_dss_verify: signature correct
> debug1: Wait SSH2_MSG_NEWKEYS.
> debug1: GOT SSH2_MSG_NEWKEYS.
> debug1: send SSH2_MSG_NEWKEYS.
> debug1: done: send SSH2_MSG_NEWKEYS.
> debug1: done: KEX2.
> debug1: send SSH2_MSG_SERVICE_REQUEST
> debug1: service_accept: ssh-userauth
> debug1: got SSH2_MSG_SERVICE_ACCEPT
> debug1: authentications that can
> continue: publickey,password,keyboard-interactive
> debug1: next auth method to try is publickey
> debug1: try privkey: /home/user42/swares/.ssh/id_rsa
> debug1: try privkey: /home/user42/swares/.ssh/id_dsa
> debug1: next auth method to try is password
> swares at dtadmin's password:
> debug1: ssh-userauth2 successful: method password
> debug1: channel 0: new [client-session]
> debug1: send channel open 0
> debug1: Entering interactive session.
> debug1: client_init id 0 arg 0
> debug1: channel request 0: shell
> debug1: channel 0: open confirm rwindow 0 rmax 16384
>
> Scott Wares, Unix SysAdmin
> Tier II, Desktop Support
> 303-707-5479, swares at qwest.com
>

From swares at qwest.com Sat Mar 24 04:10:45 2001
From: swares at qwest.com (Scott Wares)
Date: Fri, 23 Mar 2001 10:10:45 -0700 (MST)
Subject: SSH Conections being dropped.
In-Reply-To:
Message-ID:

I have removed the old version already. I had hoped that would take care
of the problem. But I am still experiencing this error even though I'm
using OpenSSH_2.5.2p1 only.

Scott Wares, Unix SysAdmin
Tier II, Desktop Support
303-707-5479, swares at qwest.com

On Fri, 23 Mar 2001, Austin Gonyou wrote:

> Did you look at the faq page on the openssh.com site? Here is what you
> might be experiencing:
> ----------Begin FAQ Info-----------
> 2.3 - Why does SSH 2.3 have problems interoperating with OpenSSH 2.1.1?
>
> SSH 2.3 and earlier versions contain a flaw in their HMAC implementation.
> Their code was not supplying the full data block output from the digest,
> and instead always provided 128 bits. For longer digests, this caused SSH
> 2.3 to not interoperate with OpenSSH.
>
> OpenSSH 2.2.0 detects that SSH 2.3 has this flaw. Future versions of SSH
> will have this bug fixed. Or you can add the following to ssh 2.3's
> /etc/sshd_config.
>
> Mac hmac-md5
>
> In addition to the flawed HMAC implementation, problems in interoperation
> have been seen due to OpenSSH not yet supporting the option of rekeying.
> However SSH 2.3 tries to negotiate this feature, and you might experience
> connection freezes or see the error message "Dispatch protocol error: type
> 20". To solve this problem, either upgrade to SSH 2.4 or disable rekeying
> by adding the following to your commercial SSH 2.3's sshd_config.
>
> RekeyIntervalSeconds 0
>
> ----------End FAQ Info---------
>
>
> Hope this helps.
> --
> Austin Gonyou
> Systems Architect
> Coremetrics, Inc.
> Phone: 512-796-9023
> email: austin at coremetrics.com
>
> On Fri, 23 Mar 2001, Scott Wares wrote:
>
> > We are having problems with SSH shells disconnecting.
> > > > We are replacing a older version of SSH (Non-Comercial Version which some > > one installed in error, but it was working fine.) & Had been running > > OpenSSH 2.3.0p? which had similar problems, some of the errors I was > > seeing went away with OpenSSH 2.5.2.p1. > > > > compiled against openssl-0.9.6, with SUNWspro & GCC281 on Solaris 2.8 & > > Solaris 2.6, both have the same problem. > > > > 133$ uname -a > > SunOS dtadmin 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-250 > > > > 134$ showrev -p | wc -l > > 218 > > > > Mar 22 09:29:24 dtadmin sshd[11783]: [ID 800047 auth.error] error: Hm, > > dispatch protocol error: type 30 plen 132 > > Mar 22 10:30:25 dtadmin sshd[17083]: [ID 800047 auth.error] error: Hm, > > dispatch protocol error: type 20 plen 136 > > Mar 22 10:30:25 dtadmin sshd[17083]: [ID 800047 auth.crit] > > fatal: dispatch_protocol_error: rekeying is not supported > > > > 265$ ssh -v dtadmin > > OpenSSH_2.5.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f > > debug1: Seeded RNG with 39 bytes from programs > > debug1: Seeded RNG with 3 bytes from system calls > > debug1: Rhosts Authentication disabled, originating port will not be > > trusted. > > debug1: ssh_connect: getuid 6400 geteuid 0 anon 1 > > debug1: Connecting to dtadmin [151.119.10.106] port 22. > > debug1: Connection established. 
> > debug1: identity file /home/user42/swares/.ssh/identity type 0 > > debug1: unknown identity file /home/user42/swares/.ssh/id_rsa > > debug1: identity file /home/user42/swares/.ssh/id_rsa type -1 > > debug1: unknown identity file /home/user42/swares/.ssh/id_dsa > > debug1: identity file /home/user42/swares/.ssh/id_dsa type -1 > > debug1: Remote protocol version 2.0, remote software version > > OpenSSH_2.5.2p1 > > debug1: match: OpenSSH_2.5.2p1 pat ^OpenSSH > > Enabling compatibility mode for protocol 2.0 > > debug1: Local version string SSH-2.0-OpenSSH_2.5.2p1 > > debug1: send KEXINIT > > debug1: done > > debug1: wait KEXINIT > > debug1: got > > kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 > > debug1: got kexinit: ssh-dss > > debug1: got > > kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se > > debug1: got > > kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se > > debug1: got > > kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > > debug1: got > > kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > > debug1: got kexinit: none,zlib > > debug1: got kexinit: none,zlib > > debug1: got kexinit: > > debug1: got kexinit: > > debug1: first kex follow: 0 > > debug1: reserved: 0 > > debug1: done > > debug1: kex: server->client aes128-cbc hmac-md5 none > > debug1: kex: client->server aes128-cbc hmac-md5 none > > debug1: Sending SSH2_MSG_KEX_DH_GEX_REQUEST. > > debug1: Wait SSH2_MSG_KEX_DH_GEX_GROUP. > > debug1: Got SSH2_MSG_KEX_DH_GEX_GROUP. > > debug1: dh_gen_key: priv key bits set: 133/256 > > debug1: bits set: 998/2049 > > debug1: Sending SSH2_MSG_KEX_DH_GEX_INIT. > > debug1: Wait SSH2_MSG_KEX_DH_GEX_REPLY. 
> > debug1: Got SSH2_MSG_KEXDH_REPLY. > > debug1: Host 'dtadmin' is known and matches the DSA host key. > > debug1: Found key in /home/user42/swares/.ssh/known_hosts2:1 > > debug1: bits set: 1018/2049 > > debug1: len 55 datafellows 0 > > debug1: ssh_dss_verify: signature correct > > debug1: Wait SSH2_MSG_NEWKEYS. > > debug1: GOT SSH2_MSG_NEWKEYS. > > debug1: send SSH2_MSG_NEWKEYS. > > debug1: done: send SSH2_MSG_NEWKEYS. > > debug1: done: KEX2. > > debug1: send SSH2_MSG_SERVICE_REQUEST > > debug1: service_accept: ssh-userauth > > debug1: got SSH2_MSG_SERVICE_ACCEPT > > debug1: authentications that can > > continue: publickey,password,keyboard-interactive > > debug1: next auth method to try is publickey > > debug1: try privkey: /home/user42/swares/.ssh/id_rsa > > debug1: try privkey: /home/user42/swares/.ssh/id_dsa > > debug1: next auth method to try is password > > swares at dtadmin's password: > > debug1: ssh-userauth2 successful: method password > > debug1: channel 0: new [client-session] > > debug1: send channel open 0 > > debug1: Entering interactive session. > > debug1: client_init id 0 arg 0 > > debug1: channel request 0: shell > > debug1: channel 0: open confirm rwindow 0 rmax 16384 > > > > Scott Wares, Unix SysAdmin > > Tier II, Desktop Support > > 303-707-5479, swares at qwest.com > > > > > > > From Nigel.Metheringham at InTechnology.co.uk Sat Mar 24 04:32:16 2001 
From: Nigel.Metheringham at InTechnology.co.uk (Nigel Metheringham)
Date: Fri, 23 Mar 2001 17:32:16 +0000
Subject: Challenge response authentication and PAM
In-Reply-To: Message from Damien Miller of "Thu, 22 Mar 2001 21:27:33 +1100."
Message-ID:

Nigel.Metheringham at InTechnology.co.uk said:
> If I put the right response in it logs me in quite happily. However I
> am not getting the Challenge displayed to me.... which could well be
> down to the PAM module implementation

djm at mindrot.org said:
> Or it could be that the knd-int pam code is incorrect - I haven't
> tested it with any more interactive than password auth.
> If someone can recommend one then I will use it for testing too.

I've retested this using the pam_opie module extracted from the Polish
Linux Distribution (appropriate rpm set is at
http://www.rpmfind.net/linux/RPM/PLD//PLD-1.0/i386/PLD/RPMS//pam-0.74.0-3.i386.html

The challenge/response authentication works fine - displays me the
prompt, even echoes the response (don't know if this changes if you set
noecho on the module itself), and then even lets me in with the
appropriate authorisation.

So it looks like openssh 2.5.2 is fine, and my pam module was at fault.

I've extracted the one module I need, and am in the process of packaging
it - I can let people have either the source or an rpm if they are
interested, but it's a module I'm building for internal use rather than
something I intend to provide support for :-)

	Nigel.
--
[ Nigel Metheringham           Nigel.Metheringham at InTechnology.co.uk ]
[ Phone: +44 1423 850000                         Fax +44 1423 858866 ]
[ - Comments in this message are my own and not ITO opinion/policy - ]

From celinn at mtu.edu Sat Mar 24 07:42:45 2001
From: celinn at mtu.edu (Christopher Linn)
Date: Fri, 23 Mar 2001 15:42:45 -0500
Subject: 2.5.2p2 ssh-keyscan installed group writable?
Message-ID: <20010323154245.C5390@mtu.edu>

just wondering about this. i noticed "make install" installs ssh-keyscan
group-writable. is this intentional?

openssh-2.5.2p2/Makefile.in, line 168:

	$(INSTALL) -m 0775 -s ssh-keyscan $(DESTDIR)$(bindir)/ssh-keyscan

chris
--
Christopher Linn,                   | By no means shall either the CEC
Staff System Administrator          | or MTU be held in any way liable
Center for Experimental Computation | for any opinions or conjecture I
Michigan Technological University   | hold to or imply to hold herein.

From swares at qwest.com Sat Mar 24 09:12:24 2001
From: swares at qwest.com (Scott Wares)
Date: Fri, 23 Mar 2001 15:12:24 -0700 (MST)
Subject: SSH Conections being dropped.
In-Reply-To:
Message-ID:

I found some clients were using ssh 2.3.something...

After setting KeyRegenerationInterval 0 I haven't seen any more errors.
I had thought that OpenSSH_2.5.2p1 had fixed this, but guess I was wrong.

Scott Wares, Unix SysAdmin
Tier II, Desktop Support
303-707-5479, swares at qwest.com

On Fri, 23 Mar 2001, Austin Gonyou wrote:

> Did you look at the faq page on the openssh.com site? Here is what you
> might be experiencing:
> ----------Begin FAQ Info-----------
> 2.3 - Why does SSH 2.3 have problems interoperating with OpenSSH 2.1.1?
>
> SSH 2.3 and earlier versions contain a flaw in their HMAC implementation.
> Their code was not supplying the full data block output from the digest,
> and instead always provided 128 bits. For longer digests, this caused SSH
> 2.3 to not interoperate with OpenSSH.
>
> OpenSSH 2.2.0 detects that SSH 2.3 has this flaw. Future versions of SSH
> will have this bug fixed. Or you can add the following to ssh 2.3's
> /etc/sshd_config.
>
> Mac hmac-md5
>
> In addition to the flawed HMAC implementation, problems in interoperation
> have been seen due to OpenSSH not yet supporting the option of rekeying.
> However SSH 2.3 tries to negotiate this feature, and you might experience
> connection freezes or see the error message "Dispatch protocol error: type
> 20". To solve this problem, either upgrade to SSH 2.4 or disable rekeying
> by adding the following to your commercial SSH 2.3's sshd_config.
>
> RekeyIntervalSeconds 0
>
> ----------End FAQ Info---------
>
>
> Hope this helps.
> --
> Austin Gonyou
> Systems Architect
> Coremetrics, Inc.
> Phone: 512-796-9023
> email: austin at coremetrics.com
>
> On Fri, 23 Mar 2001, Scott Wares wrote:
>
> > We are having problems with SSH shells disconnecting.
> > > > We are replacing a older version of SSH (Non-Comercial Version which some > > one installed in error, but it was working fine.) & Had been running > > OpenSSH 2.3.0p? which had similar problems, some of the errors I was > > seeing went away with OpenSSH 2.5.2.p1. > > > > compiled against openssl-0.9.6, with SUNWspro & GCC281 on Solaris 2.8 & > > Solaris 2.6, both have the same problem. > > > > 133$ uname -a > > SunOS dtadmin 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-250 > > > > 134$ showrev -p | wc -l > > 218 > > > > Mar 22 09:29:24 dtadmin sshd[11783]: [ID 800047 auth.error] error: Hm, > > dispatch protocol error: type 30 plen 132 > > Mar 22 10:30:25 dtadmin sshd[17083]: [ID 800047 auth.error] error: Hm, > > dispatch protocol error: type 20 plen 136 > > Mar 22 10:30:25 dtadmin sshd[17083]: [ID 800047 auth.crit] > > fatal: dispatch_protocol_error: rekeying is not supported > > > > 265$ ssh -v dtadmin > > OpenSSH_2.5.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f > > debug1: Seeded RNG with 39 bytes from programs > > debug1: Seeded RNG with 3 bytes from system calls > > debug1: Rhosts Authentication disabled, originating port will not be > > trusted. > > debug1: ssh_connect: getuid 6400 geteuid 0 anon 1 > > debug1: Connecting to dtadmin [151.119.10.106] port 22. > > debug1: Connection established. 
> > debug1: identity file /home/user42/swares/.ssh/identity type 0 > > debug1: unknown identity file /home/user42/swares/.ssh/id_rsa > > debug1: identity file /home/user42/swares/.ssh/id_rsa type -1 > > debug1: unknown identity file /home/user42/swares/.ssh/id_dsa > > debug1: identity file /home/user42/swares/.ssh/id_dsa type -1 > > debug1: Remote protocol version 2.0, remote software version > > OpenSSH_2.5.2p1 > > debug1: match: OpenSSH_2.5.2p1 pat ^OpenSSH > > Enabling compatibility mode for protocol 2.0 > > debug1: Local version string SSH-2.0-OpenSSH_2.5.2p1 > > debug1: send KEXINIT > > debug1: done > > debug1: wait KEXINIT > > debug1: got > > kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 > > debug1: got kexinit: ssh-dss > > debug1: got > > kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se > > debug1: got > > kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se > > debug1: got > > kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > > debug1: got > > kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > > debug1: got kexinit: none,zlib > > debug1: got kexinit: none,zlib > > debug1: got kexinit: > > debug1: got kexinit: > > debug1: first kex follow: 0 > > debug1: reserved: 0 > > debug1: done > > debug1: kex: server->client aes128-cbc hmac-md5 none > > debug1: kex: client->server aes128-cbc hmac-md5 none > > debug1: Sending SSH2_MSG_KEX_DH_GEX_REQUEST. > > debug1: Wait SSH2_MSG_KEX_DH_GEX_GROUP. > > debug1: Got SSH2_MSG_KEX_DH_GEX_GROUP. > > debug1: dh_gen_key: priv key bits set: 133/256 > > debug1: bits set: 998/2049 > > debug1: Sending SSH2_MSG_KEX_DH_GEX_INIT. > > debug1: Wait SSH2_MSG_KEX_DH_GEX_REPLY. 
> > debug1: Got SSH2_MSG_KEXDH_REPLY. > > debug1: Host 'dtadmin' is known and matches the DSA host key. > > debug1: Found key in /home/user42/swares/.ssh/known_hosts2:1 > > debug1: bits set: 1018/2049 > > debug1: len 55 datafellows 0 > > debug1: ssh_dss_verify: signature correct > > debug1: Wait SSH2_MSG_NEWKEYS. > > debug1: GOT SSH2_MSG_NEWKEYS. > > debug1: send SSH2_MSG_NEWKEYS. > > debug1: done: send SSH2_MSG_NEWKEYS. > > debug1: done: KEX2. > > debug1: send SSH2_MSG_SERVICE_REQUEST > > debug1: service_accept: ssh-userauth > > debug1: got SSH2_MSG_SERVICE_ACCEPT > > debug1: authentications that can > > continue: publickey,password,keyboard-interactive > > debug1: next auth method to try is publickey > > debug1: try privkey: /home/user42/swares/.ssh/id_rsa > > debug1: try privkey: /home/user42/swares/.ssh/id_dsa > > debug1: next auth method to try is password > > swares at dtadmin's password: > > debug1: ssh-userauth2 successful: method password > > debug1: channel 0: new [client-session] > > debug1: send channel open 0 > > debug1: Entering interactive session. > > debug1: client_init id 0 arg 0 > > debug1: channel request 0: shell > > debug1: channel 0: open confirm rwindow 0 rmax 16384 > > > > Scott Wares, Unix SysAdmin > > Tier II, Desktop Support > > 303-707-5479, swares at qwest.com > > > > > > > From mouring at etoh.eviladmin.org Sat Mar 24 09:18:03 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Fri, 23 Mar 2001 16:18:03 -0600 (CST)
Subject: 2.5.2p2 ssh-keyscan installed group writable?
In-Reply-To: <20010323154245.C5390@mtu.edu>
Message-ID:

On Fri, 23 Mar 2001, Christopher Linn wrote:

> just wondering about this. i noticed "make install" installs
> ssh-keyscan group-writable. is this intentional?
>
> openssh-2.5.2p2/Makefile.in, line 168:
>
> $(INSTALL) -m 0775 -s ssh-keyscan $(DESTDIR)$(bindir)/ssh-keyscan
>

Hmm.. looks like a fat finger mistake. I'll fix it in both CVS branches
when I get home.

- Ben

From celinn at mtu.edu Sat Mar 24 12:32:22 2001
From: celinn at mtu.edu (Christopher Linn)
Date: Fri, 23 Mar 2001 20:32:22 -0500
Subject: 2.5.2p2 ssh-keyscan installed group writable?
In-Reply-To: ; from mouring@etoh.eviladmin.org on Fri, Mar 23, 2001 at 04:18:03PM -0600
References: <20010323154245.C5390@mtu.edu>
Message-ID: <20010323203222.A21109@mtu.edu>

ben,

On Fri, Mar 23, 2001 at 04:18:03PM -0600, mouring at etoh.eviladmin.org wrote:
[...]
> Hmm.. looks like a fat finger mistake. I'll fix it in both CVS branches
> when I get home.

thanks! ;*)

> - Ben

chris
--
Christopher Linn,                   | By no means shall either the CEC
Staff System Administrator          | or MTU be held in any way liable
Center for Experimental Computation | for any opinions or conjecture I
Michigan Technological University   | hold to or imply to hold herein.

From mouring at etoh.eviladmin.org Sat Mar 24 16:10:21 2001
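Why the 0775 install mode Christopher reports above matters, as an added C example (not code from the OpenSSH Makefile or from anyone in the thread): a group- or world-writable binary can be overwritten by any member of that group, and the next invocation runs whatever was put there. The check below flags such files; the scratch path under /tmp is constructed for the self-test and is not an install location.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if mode carries a group- or world-write bit, 0 otherwise.
 * 0775 (the Makefile.in typo) trips it; 0755 does not. */
int mode_is_loose(mode_t mode)
{
	return (mode & (S_IWGRP | S_IWOTH)) != 0;
}

/* stat() a path and audit its mode: 1 loose, 0 acceptable, -1 on error
 * (errno is left set by stat()). */
int path_is_loose(const char *path)
{
	struct stat st;

	if (stat(path, &st) == -1)
		return -1;
	return mode_is_loose(st.st_mode);
}

/* Self-check: create a scratch file (constructed path, not a real install
 * location), apply the install mode under test and report what the audit
 * sees. fchmod() is not subject to umask, so 0775 really lands on disk. */
int check_installed_mode(mode_t mode)
{
	char path[] = "/tmp/keyscan-mode-XXXXXX";
	int fd, rc = -1;

	if ((fd = mkstemp(path)) == -1)
		return -1;
	if (fchmod(fd, mode) == 0)
		rc = path_is_loose(path);
	close(fd);
	unlink(path);
	return rc;
}
```

After a "make install", running path_is_loose() over every file under $(bindir) and $(sbindir) is a cheap way to catch this class of packaging slip before the binaries are relied on.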
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Fri, 23 Mar 2001 23:10:21 -0600 (CST)
Subject: -I$(srcdir)/openbsd-compat removal can cause errors
In-Reply-To:
Message-ID:

On Fri, 23 Mar 2001, Tom Holroyd wrote:

> This is a Linux/Alpha system, with AT&T's graphviz suite installed.
>
> gcc -O2 -Wall -I. -I. -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\"
> -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\"
> -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\"
> -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -DHAVE_CONFIG_H -c
> atomicio.c
> In file included from openbsd-compat/openbsd-compat.h:24,
>                  from includes.h:102,
>                  from atomicio.c:26:
> openbsd-compat/vis.h:31: conflicting types for `vis'
> /usr/local/include/vis.h:45: previous declaration of `vis'
> make: *** [atomicio.o] Error 1
>
> It turns out that the graphviz suite (installed in /usr/local) has a
> vis.h that defines a vis() function. It is completely unrelated to the
> vis.h and vis() function in openbsd-compat. Because the
> -I$(srcdir)/openbsd-compat
> was removed from the definition of CPPFLAGS in openssh-2.5.2p2, the
> /usr/local/include/vis.h gets found instead of ./openbsd-compat/vis.h.
>
> I'd recommend putting it back the way it was. (There may even be other
> breakage I never noticed before, because configure detects vis.h but not
> vis(), so HAVE_VIS_H is defined but not HAVE_VIS. What uses vis()?)
>

Hmmmm... The reason that -I$(srcdir)/openbsd-compat was removed was
because it caused greater problems than it solved.

- Ben

From djm at mindrot.org Sun Mar 25 17:40:17 2001
From: djm at mindrot.org (Damien Miller)
Date: Sun, 25 Mar 2001 17:40:17 +1000 (EST)
Subject: Test - please ignore
Message-ID:

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From djm at mindrot.org Sun Mar 25 17:37:45 2001
From: djm at mindrot.org (Damien Miller)
Date: Sun, 25 Mar 2001 17:37:45 +1000 (EST)
Subject: Test, please ignore
Message-ID:

Testing
--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From dmiller at vitnet.com.sg Sun Mar 25 18:53:07 2001
From: dmiller at vitnet.com.sg (Damien Miller)
Date: Sun, 25 Mar 2001 16:53:07 +0800 (SGT)
Subject: Test
Message-ID: <20010325085307.E71D24002@bb.vitnet.com.sg>

Another mindless test

From georg.schwarz at iname.com Sun Mar 25 19:09:02 2001
From: georg.schwarz at iname.com (Georg Schwarz)
Date: Sun, 25 Mar 2001 11:09:02 +0200
Subject: OpenSSh 2.5.2p2 on Linux/Sparc
Message-ID: <1eqto8w.kk6v0epd64vsM@georg.schwarz.online.de>

When doing a simple configure of OpenSSh 2.5.2p2 on a Sparc running
RedHat 6.0 I get:

...
updating cache ./config.cache
creating ./config.status
creating Makefile
sed: file conftest.s1 line 1: Unknown command: ``^''
creating openbsd-compat/Makefile
sed: file conftest.s1 line 1: Unknown command: ``^''
creating ssh_prng_cmds
sed: file conftest.s1 line 1: Unknown command: ``^''
creating config.h
sed: file conftest.frag line 1: Unknown command: ``%''
...

no Makefile is created
--
Georg Schwarz  http://home.pages.de/~schwarz/
georg.schwarz at iname.com  +49 177 2437545

From Lutz.Jaenicke at aet.TU-Cottbus.DE Sun Mar 25 23:13:28 2001
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Sun, 25 Mar 2001 15:13:28 +0200 Subject: Bug in bsd-waitpid.c and bsd-nextstep.c Message-ID: <20010325151328.A22952@serv01.aet.tu-cottbus.de> Hi! The handling of the "status" information in bsd-waitpid.c and bsd-nextstep.c seems to be bit odd. Patch attached. Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 -------------- next part -------------- --- bsd-nexstep.c.org Sun Mar 25 15:08:05 2001 +++ bsd-nextstep.c Sun Mar 25 15:09:42 2001 @@ -37,7 +37,8 @@ #undef wait /* Use NeXT's wait() function */ wait_pid = wait(&statusp); - status = (int *) statusp.w_status; + if (status) + *status = (int)statusp.w_status; return wait_pid; } --- bsd-waitpid.c.org Sun Mar 25 15:06:20 2001 +++ bsd-waitpid.c Sun Mar 25 15:07:36 2001 @@ -43,7 +43,8 @@ pid = 0; /* wait4() wants pid=0 for indiscriminate wait. */ } wait_pid = wait4(pid, &statusp, options, NULL); - stat_loc = (int *)statusp.w_status; + if (stat_loc) + *stat_loc = (int)statusp.w_status; return wait_pid; } From Lutz.Jaenicke at aet.TU-Cottbus.DE Mon Mar 26 03:55:31 2001 
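Review bot: in the bsd-nextstep.c hunk the `---` header names `bsd-nexstep.c.org` (the `t` of `bsd-nextstep.c` is missing), which does not match the `+++ bsd-nextstep.c` line; correct the header so the patch applies by the original file name instead of relying on the new-name fallback. The body is the right fix: the removed `status = (int *) statusp.w_status;` only rebound the local parameter, so the caller's int was never written, and the new `*status = (int)statusp.w_status;` behind `if (status)` both stores the value and tolerates the NULL status argument that waitpid(2) permits.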
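Review bot: in the bsd-waitpid.c hunk `*stat_loc` is written even when `wait4()` returned -1, in which case `statusp` was never filled and the caller receives an uninitialized value; consider storing only on success, e.g. `if (stat_loc && wait_pid != -1) *stat_loc = (int)statusp.w_status;`. Otherwise the change is correct: the removed `stat_loc = (int *)statusp.w_status;` assigned to the local copy of the argument and silently dropped the status, which is the bug the cover note describes.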
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Sun, 25 Mar 2001 19:55:31 +0200
Subject: Bug in bsd-waitpid.c and bsd-nextstep.c
In-Reply-To: ; from mouring@etoh.eviladmin.org on Sun, Mar 25, 2001 at 11:40:03AM -0600
References: <20010325151328.A22952@serv01.aet.tu-cottbus.de>
Message-ID: <20010325195531.A24637@serv01.aet.tu-cottbus.de>

On Sun, Mar 25, 2001 at 11:40:03AM -0600, mouring at etoh.eviladmin.org wrote:
> On Sun, 25 Mar 2001, Lutz Jaenicke wrote:
> > The handling of the "status" information in bsd-waitpid.c and bsd-nextstep.c
> > seems to be a bit odd. Patch attached.
>
> Thanks, I'll apply it as soon as the CVS tree is back up. Hey, Damien
> are you having problems?
>
> The Usenet post that I used to base the code on never checked if 'status'
> was NULL so I never thought about it at that time. Since I've never
> really had a problem with either function on NeXTStep I never have gone
> back to review any of the code.

Since NeXTStep on HPPA seems to have problems with its own BSD extensions,
Jacques Distler recommended to use openbsd-compat for use with PRNGD on
that platform. While examining problems he just reported, I found these
bugs.

The major part is not that NULL is not checked, but that the code was
simply wrong: If stat_loc is a pointer to an int passed to waitpid(), the
code

	stat_loc = (int *)statusp.w_status;

will write the pointer to statusp.w_status to the local copy of stat_loc.
After returning from waitpid(), the calling function did not get back the
information requested. (Since only the local copy is affected, it also
did not hurt to pass the NULL pointer.)

As you write that you got the code from a Usenet post, I would recommend
to check out other portions of the code for correct use of pointer
arguments.

Best regards,
	Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From mouring at etoh.eviladmin.org Mon Mar 26 04:46:19 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Sun, 25 Mar 2001 12:46:19 -0600 (CST)
Subject: Bug in bsd-waitpid.c and bsd-nextstep.c
In-Reply-To: <20010325195531.A24637@serv01.aet.tu-cottbus.de>
Message-ID:

> As you write that you got the code from a Usenet post, I would recommend
> to check out other portions of the code for correct use of pointer arguments.
>

Thanks, I already did this. Those are the only two functions. The rest
comes from the OpenBSD tree.

However, looking over waitpid(). It may not be cross-platform supported.
It was written directly for NeWS and NeXT. Since they return a structure
unlike standard BSD which just returns an int*.

Hmm.. I wonder if it would not be a bad idea to isolate the code a little
better due to this feature.

- Ben

From mouring at etoh.eviladmin.org Mon Mar 26 03:40:03 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Sun, 25 Mar 2001 11:40:03 -0600 (CST)
Subject: Bug in bsd-waitpid.c and bsd-nextstep.c
In-Reply-To: <20010325151328.A22952@serv01.aet.tu-cottbus.de>
Message-ID:

On Sun, 25 Mar 2001, Lutz Jaenicke wrote:

> Hi!
>
> The handling of the "status" information in bsd-waitpid.c and bsd-nextstep.c
> seems to be a bit odd. Patch attached.
>

Thanks, I'll apply it as soon as the CVS tree is back up. Hey, Damien
are you having problems?

The Usenet post that I used to base the code on never checked if 'status'
was NULL so I never thought about it at that time. Since I've never
really had a problem with either function on NeXTStep I never have gone
back to review any of the code.

- Ben

From markus.friedl at informatik.uni-erlangen.de Sat Mar 24 20:47:39 2001
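The output-parameter defect Lutz describes in this thread, shown as an added C example (not code from OpenSSH's openbsd-compat or from anyone on the list). The wait-status union and the simulated wait4() are constructed stand-ins so the two wrapper variants run side by side without a real child process; the caller-side helper shows what each variant actually hands back.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the NeXT-style wait status union: the kernel
 * fills w_status, while callers of waitpid() expect a plain int. This is
 * not a real system header. */
union fake_wait {
	int w_status;
};

/* Simulated wait4(): "child 42 exited normally with code 3", using the
 * traditional encoding (exit code in bits 8..15). */
static int fake_wait4(int pid, union fake_wait *statusp)
{
	(void)pid;
	statusp->w_status = 3 << 8;
	return 42;
}

/* Before the patch: the assignment rebinds the function's local copy of
 * the pointer parameter, so the caller's variable is never written. The
 * intptr_t cast only silences the int-to-pointer warning; the logic is
 * the original defect. */
int waitpid_buggy(int pid, int *stat_loc)
{
	union fake_wait statusp;
	int wait_pid = fake_wait4(pid, &statusp);

	stat_loc = (int *)(intptr_t)statusp.w_status;	/* wrong: local copy only */
	(void)stat_loc;
	return wait_pid;
}

/* After the patch: store through the pointer, guarded because
 * waitpid(2) allows a NULL status argument. */
int waitpid_fixed(int pid, int *stat_loc)
{
	union fake_wait statusp;
	int wait_pid = fake_wait4(pid, &statusp);

	if (stat_loc)
		*stat_loc = (int)statusp.w_status;
	return wait_pid;
}

/* The caller's view of either variant: -1 means "my variable was never
 * touched", which is what the buggy wrapper leaves behind. */
int status_seen_by_caller(int (*wp)(int, int *))
{
	int status = -1;

	(void)wp(0, &status);
	return status;
}

/* Exit code extraction for the traditional encoding (like WEXITSTATUS). */
int exit_code(int status)
{
	return (status >> 8) & 0xff;
}
```

The buggy wrapper still returns the right pid, which is why it could sit in the tree unnoticed: only callers that inspect the status (for instance to tell a clean exit from a crash of a helper program) see the difference.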
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sat, 24 Mar 2001 10:47:39 +0100
Subject: 2.5.2p2 on Solaris 2.6: Segmentation fault (fwd)
Message-ID: <20010324104739.C1397@folly>

anyone seen this?

-------------- next part --------------
An embedded message was scrubbed...
From: Gintautas Grigelionis
Subject: 2.5.2p2 on Solaris 2.6: Segmentation fault
Date: Fri, 23 Mar 2001 15:39:00 +0100
Size: 2935
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010324/5e6cf6c2/attachment.mht

From nobody at remailer.privacy.at Sun Mar 25 16:59:02 2001
From: nobody at remailer.privacy.at (Anonymous)
Date: Sun, 25 Mar 2001 08:59:02 +0200
Subject: 'scp' returns incorrect exit code (OpenSSH_2.5.2p2)
Message-ID: <8123fd021218d9518f18086aaea74197@remailer.privacy.at>

'scp' returns a zero exit code, even if it fails to perform the desired
task.

bash-2.03$ scp nonexistent at no.such.domain:some/file .; echo $?
ssh: no.such.domain: Name or service not known
0

'ssh' will however return a non zero exit code in a similar situation.

bash-2.03$ ssh nonexistent at no.such.domain date; echo $?
ssh: no.such.domain: Name or service not known
255

This behaviour was noticed with

bash-2.03$ ssh -V
OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f

on a linux x86 box

Keep up the good work guys.
(And let Mr. Ylonen alone in his grief for his lost ssh-trademark case).

From levan at epix.net Mon Mar 26 12:58:11 2001
From: levan at epix.net (Philippe Levan)
Date: Sun, 25 Mar 2001 21:58:11 -0500 (EST)
Subject: Portable OpenSSH-2.5.2p2
In-Reply-To: <20010322133450.A3408@ii.uib.no>
Message-ID:

The same problem exists under Solaris. What I found out is that on
Solaris struct dirent is defined as:

typedef struct dirent {
	ino_t		d_ino;		/* "inode number" of entry */
	off_t		d_off;		/* offset of disk directory entry */
	unsigned short	d_reclen;	/* length of this record */
	char		d_name[1];	/* name of file */
} dirent_t;

In that case, fudge_readdir() in sftp-glob.c will reserve 1 byte for
ret.d_name: just enough to store the NULL character but nothing else.

It looks like, short of redefining struct dirent on Solaris, one
possibility would be to allocate an oversized buffer to hold the
structure and the real string. Something like:

	static char buffer[sizeof(struct dirent)+DNAME_SIZE];
	static struct dirent *ret = (struct dirent *)buffer;
	...
	memset(buffer, 0, sizeof(buffer));
	strlcpy(ret->d_name, od->dir[od->offset++]->filename,
	    sizeof(ret->d_name)+DNAME_SIZE);
	...
	return ret;

where DNAME_SIZE would be an appropriate buffer size.

Philippe.
---
Philippe Levan  | Systems Engineering
levan at epix.net  | epix Internet Services

On Thu, 22 Mar 2001, Jan-Frode Myklebust wrote:

> On Thu, Mar 22, 2001 at 09:43:56PM +1100, Damien Miller wrote:
> >
> > Sftp:
> > sftp client supports globbing (get *, put *).
> >
>
> It globs put, but not get for me:
>
> sftp> put *.res
> Uploading bouen100.res to /tmp/bouen100.res
> Uploading cdelapp.res to /tmp/cdelapp.res
> sftp> get *.res
> File "/tmp/*.res" not found.
> sftp> get cdelapp.res
> Fetching /tmp/cdelapp.res to cdelapp.res
> sftp>
>
>
> OpenSSH has been configured with the following options.
>                  User binaries: /usr/openssh/bin
>                System binaries: /usr/openssh/sbin
>            Configuration files: /usr/openssh/etc
>                Askpass program: /usr/openssh/libexec/ssh-askpass
>                   Manual pages: /usr/openssh/man/manX
>                       PID file: /usr/openssh/etc
>        sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/openssh/bin
>      Random number collection: Builtin (timeout 200)
>                Manpage format: cat
>                   PAM support: no
>            KerberosIV support: no
>                   AFS support: no
>                 S/KEY support: no
>          TCP Wrappers support: yes
>          MD5 password support: no
>   IP address in $DISPLAY hack: no
>     Use IPv4 by default hack: no
>      Translate v4 in v6 hack: no
>
>               Host: mips-sgi-irix6.5
>           Compiler: cc
>     Compiler flags: -g
> Preprocessor flags: -I/usr/local/include -I/usr/local/ssl/include
>       Linker flags: -L/usr/local/ssl/lib
>          Libraries: -lwrap -lz -lgen -lcrypto
>
>
>  -jf
>

From mouring at etoh.eviladmin.org Mon Mar 26 16:43:33 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Mon, 26 Mar 2001 00:43:33 -0600 (CST)
Subject: OpenSSh 2.5.2p2 on Linux/Sparc
In-Reply-To: <1eqto8w.kk6v0epd64vsM@georg.schwarz.online.de>
Message-ID:

On Sun, 25 Mar 2001, Georg Schwarz wrote:

> When doing a simple configure of OpenSSh 2.5.2p2 on a Sparc running
> RedHat 6.0 I get:
>
> ...
> updating cache ./config.cache
> creating ./config.status
> creating Makefile
> sed: file conftest.s1 line 1: Unknown command: ``^''
> creating openbsd-compat/Makefile
> sed: file conftest.s1 line 1: Unknown command: ``^''
> creating ssh_prng_cmds
> sed: file conftest.s1 line 1: Unknown command: ``^''
> creating config.h
> sed: file conftest.frag line 1: Unknown command: ``%''
> ...
>

Did you get this error with any other release? To me it looks like a bad
'sed' binary. Have you checked for an updated RPM for sparc?

- Ben

From peter_darren_bray at yahoo.com Tue Mar 27 00:31:54 2001
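The one-byte d_name problem from Philippe's post, as an added C example (not code from sftp-glob.c or from anyone on the list). The struct is a constructed stand-in for the Solaris layout he quotes, the DNAME_SIZE value is an assumption, and a local strlcpy stand-in is used because not every libc ships strlcpy. The example goes one step beyond the post: it uses a union so the struct view of the padded buffer is properly aligned, and it bounds the copy by the space actually left after d_name's offset, so an over-long name is truncated rather than written past the buffer.

```c
#include <stddef.h>
#include <string.h>

#define DNAME_SIZE 256	/* assumption: spare bytes appended after the struct */

/* Constructed stand-in for the Solaris layout quoted in the post; not the
 * system header. d_name is declared with a single byte, so the real name
 * spills past the end of the struct into whatever storage follows it. */
struct sol_dirent {
	unsigned long	d_ino;
	long		d_off;
	unsigned short	d_reclen;
	char		d_name[1];
};

/* Local strlcpy stand-in: copies at most dstsize-1 bytes, always
 * NUL-terminates when dstsize > 0, returns strlen(src) like strlcpy. */
static size_t xstrlcpy(char *dst, const char *src, size_t dstsize)
{
	size_t n = strlen(src);

	if (dstsize > 0) {
		size_t c = n < dstsize - 1 ? n : dstsize - 1;
		memcpy(dst, src, c);
		dst[c] = '\0';
	}
	return n;
}

/* The defect: a bare struct has room for exactly one byte of d_name, so a
 * correctly bounded copy keeps only the terminator. Returns stored length. */
size_t naive_fill(const char *name)
{
	static struct sol_dirent entry;

	xstrlcpy(entry.d_name, name, sizeof(entry.d_name));
	return strlen(entry.d_name);
}

/* The oversized-buffer idea from the post, as a union rather than a bare
 * char array so the struct view is correctly aligned. */
static union {
	struct sol_dirent d;
	char raw[sizeof(struct sol_dirent) + DNAME_SIZE];
} buffer;
static struct sol_dirent *ret = &buffer.d;

/* Longest name the padded buffer holds without truncation. */
size_t padded_capacity(void)
{
	return sizeof(buffer.raw) - offsetof(struct sol_dirent, d_name) - 1;
}

/* Fill the padded entry. The bound is the space left after d_name's
 * offset, not sizeof(d_name), so over-long names truncate instead of
 * overrunning. Returns the stored length. */
size_t padded_fill(const char *name)
{
	size_t room = sizeof(buffer.raw) - offsetof(struct sol_dirent, d_name);

	memset(buffer.raw, 0, sizeof(buffer.raw));
	xstrlcpy(ret->d_name, name, room);
	ret->d_reclen = (unsigned short)(offsetof(struct sol_dirent, d_name)
	    + strlen(ret->d_name) + 1);
	return strlen(ret->d_name);
}

const char *padded_name(void)
{
	return ret->d_name;
}

/* Edge-case helper: fill with a name of `len` repeated 'a's (capped at
 * 1023) to exercise the truncation path. */
size_t padded_fill_repeated(size_t len)
{
	char name[1024];

	if (len > sizeof(name) - 1)
		len = sizeof(name) - 1;
	memset(name, 'a', len);
	name[len] = '\0';
	return padded_fill(name);
}
```

The post's own bound, sizeof(ret->d_name)+DNAME_SIZE, is also safe (it is slightly smaller than the real room because of struct padding); the point of computing the bound from offsetof() is that it stays correct if DNAME_SIZE or the struct layout changes.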
From: peter_darren_bray at yahoo.com (Peter Bray)
Date: Mon, 26 Mar 2001 06:31:54 -0800 (PST)
Subject: RFE: Portable OpenSSH
Message-ID: <20010326143154.14204.qmail@web1904.mail.yahoo.com>

For a future release of Portable OpenSSH, it would be nice to have a ./configure option to enable the binaries produced to be statically linked.

I tried using the LDFLAGS option to ./configure, but this passes arguments to gcc, not ld; this should be documented.

Additionally, I feel that ./configure should have --extra-inc=dir and --extra-lib=dir to add paths to compile (-I) and link lines (-L & -R).

Also I noticed that -I/usr/local/include and -L/usr/local/lib -R/usr/local/lib are included in the CFLAGS and LDFLAGS when these directories do not even exist (on my system).

Thanks for a great tool,

Peter

PS: If you're wondering how all this came up: To install kde-2.1 (on solaris 8 intel) I needed to recompile nearly all of my libs to be dynamically linked - no problem - but then the next version of OpenSSH I installed does not run due to a missing run-time library path (ie no -R dir specified during linking). I fixed that, no real drama, but I like the idea of OpenSSH being statically linked and not dependent on other modules (packages).

PPS: Maybe use of libtool would increase portability - just a thought, I was looking into it last week and it seems cool, but the biggy now is to learn to use AutoMake and AutoConf :-) So I can submit configure patches not just code ones :-)

__________________________________________________
Do You Yahoo!?
Get email at your own domain with Yahoo! Mail.
http://personal.mail.yahoo.com/

From pekkas at netcore.fi Tue Mar 27 02:18:51 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Mon, 26 Mar 2001 19:18:51 +0300 (EEST)
Subject: Release with BIGENDIANAES compat option?
Message-ID:

Hello all,

Very recently, djm added a compatibility patch so that aes/rijndael encryption problems could be avoided when talking to a broken server/client; and you wouldn't have to toggle off the protocols yourself.

Might this be a candidate for 2.5.2p2 or the like? This would be helpful when there are a lot of broken, 2.3.0 and like, systems.

--
Pekka Savola                  "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

From mouring at etoh.eviladmin.org Tue Mar 27 04:13:28 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Mon, 26 Mar 2001 12:13:28 -0600 (CST)
Subject: Release with BIGENDIANAES compat option?
In-Reply-To:
Message-ID:

It would have to be 2.5.2p3 since p2 was already released. I believe we were holding off to ensure any other issues were resolved before releasing a p3.

- Ben

On Mon, 26 Mar 2001, Pekka Savola wrote:
> Hello all,
>
> Very recently, djm added a compatibility patch so that aes/rijndael encryption
> problems could be avoided when talking to a broken server/client; and you
> wouldn't have to toggle off the protocols yourself.
>
> Might this be a candidate for 2.5.2p2 or the like? This would be helpful
> when there are a lot of broken, 2.3.0 and like, systems.
>
> --
> Pekka Savola                  "Tell me of difficulties surmounted,
> Netcore Oy                    not those you stumble over and fall"
> Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
>

From dhaag at pico.apple.com Tue Mar 27 04:33:37 2001
From: dhaag at pico.apple.com (Dennis Haag)
Date: Mon, 26 Mar 2001 10:33:37 -0800
Subject: Openssh-2.5.1p1 and Solaris 2.6 problem with ssh_rsa_verify
Message-ID: <3ABF8B81.F915423F@pico.apple.com>

We recently upgraded from an older version of SSH to OpenSSH 2.5.1p1 (OpenSSH_2.5.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f) and are having problems on just a few hosts in our environment. The other 200 systems are working fine. Every once in a blue moon it will connect with version 2.

When I try to connect to or from one of these hosts using SSH2 I get the following error (I have sshd -d -d -d and ssh -2 -v -v -v output if that helps):

    dhaag at cyberpup> ssh -2 waltst2
    ssh_rsa_verify: RSA_verify failed: error:04077068:rsa routines:RSA_verify:bad signature
    key_verify failed for server_host_key

Here's what I have done so far:

  - recompiled on the suspect box, no change.
  - compiled 2.5.2p2 on suspect box with no change.
  - don't see any network errors (netstat -i).
  - egd seems to be working fine, I can read and write bits with egc.pl.
  - tried changing and disabling some of the protocols with no change.
  - regenerated the host keys more than once (note: this takes much longer on this system than the working ones)

The system is a Sun Ultra-2 running Solaris 2.6 (uname -a: SunOS cyberpup 5.6 Generic_105181-21 sun4u sparc SUNW,Ultra-2). But it works fine on other Ultra-2's with the same OS and patch level.

Configure params:

    --prefix=/local/solaris_2.6/openssh2.5.1p1 --with-tcp-wrappers --without-shadow
    --with-xauth=/usr/openwin/bin/xauth --with-ipv4-default
    --with-ssl-dir=/local/solaris_2.6/openssl0.9.6 --sysconfdir=/etc/ssh
    --with-egd-pool=/dev/random/entropy --x-includes=/usr/openwin/include
    --x-libraries=/usr/openwin/lib

I am trying to schedule a reboot of the affected system to see if that makes any difference. My gut still tells me that I have an entropy problem, but I don't know a good test for that.

Any help appreciated.
--
Dennis Haag
haag at apple.com
408-974-6630

From Darren.Moffat at eng.sun.com Tue Mar 27 05:31:23 2001
From: Darren.Moffat at eng.sun.com (Darren Moffat)
Date: Mon, 26 Mar 2001 11:31:23 -0800 (PST)
Subject: RFE: Portable OpenSSH
Message-ID: <200103261931.f2QJVMxf160622@jurassic.eng.sun.com>

>For a future release of Portable OpenSSH, it would be nice to have a
>./configure option to enable the binaries produced, to be statically
>linked.

Please don't do this, static linking is evil and I really wish it wasn't supported anymore, see the following list of reasons why:

Issues with static linking
--------------------------

Static linking reduces the overhead when the program is started up, mainly because relocations and other start-up activities are done at compile time. However, static linking is generally discouraged. Here are some reasons:

  * Static linking prevents libc_psr.so.1 from working for platform specifics. This library automatically enables dynamically linked programs from linking in platform specific versions of various library routines which are optimized for a particular platform.

  * Static linking greatly increases working set size and disk footprint.

  * Statically linked executables are NOT necessarily binary compatible between releases. eg. statically linked programs that use libsocket will fail if compiled on 2.5.1 or less and run on 2.6

  * Running a static binary compiled on the base could cause a program to bypass some security checks when running under Trusted Solaris. This doesn't open a vulnerability but might mean a program won't get the extra privilege it was configured with.

  * Patches to system libraries for bug fixes and performance enhancements are not automatically picked up by the application. Consider security fixes to libc not being available to your application.

  * Some debugging libraries/tools will fail to work properly. eg. malloc debugging.

  * Localisation via setlocale(3c) / gettext(3c) is not supported when libc is statically linked.
When to use static linking
--------------------------

  * The binary is critical to system operation when in single user-mode either for the startup of the OS or for disaster recovery.

  * Statically linking a private (internal) library is okay.

Don'ts
------

  * Statically link against libc
  * Statically link against libdl

--
Darren J Moffat

From ssklar at stanford.edu Tue Mar 27 06:23:32 2001
From: ssklar at stanford.edu (Sandor W. Sklar)
Date: Mon, 26 Mar 2001 12:23:32 -0800
Subject: duplicated lines in serverloop.c? (openssh252p2)
Message-ID:

Hi,

I was looking through the source, and I noticed that the following code appears twice in the file serverloop.c. Is it supposed to, and if not, would there be any ill effect?

    /* Read and buffer any available stdout data from the program. */
    if (!fdout_eof && FD_ISSET(fdout, readset)) {
        len = read(fdout, buf, sizeof(buf));
        if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
            /* do nothing */
        } else if (len <= 0) {
            fdout_eof = 1;
        } else {
            buffer_append(&stdout_buffer, buf, len);
            fdout_bytes += len;
        }
    }
    /* Read and buffer any available stderr data from the program. */
    if (!fderr_eof && FD_ISSET(fderr, readset)) {
        len = read(fderr, buf, sizeof(buf));
        if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
            /* do nothing */
        } else if (len <= 0) {
            fderr_eof = 1;
        } else {
            buffer_append(&stderr_buffer, buf, len);
        }
    }

--
sandor w. sklar
unix systems administrator
stanford university itss-css

From ssklar at stanford.edu Tue Mar 27 06:45:01 2001
From: ssklar at stanford.edu (Sandor W. Sklar)
Date: Mon, 26 Mar 2001 12:45:01 -0800
Subject: duplicated lines in serverloop.c? (openssh252p2)
In-Reply-To: <3ABFA875.B11E3EAF@pico.apple.com>
References: <3ABFA875.B11E3EAF@pico.apple.com>
Message-ID:

ok, I'm a moron. I overlooked that little "fdout/fderr" difference. duh.

Thanks,

--Sandy

At 12:37 PM -0800 3/26/01, Dennis Haag wrote:
>"Sandor W. Sklar" wrote:
>>
>> Hi,
>>
>> I was looking through the source, and I noticed that the following
>> code appears twice in the file serverloop.c. Is it supposed to, and
>> if not, would there be any ill effect?
>>
>>     /* Read and buffer any available stdout data from the program. */
>>     if (!fdout_eof && FD_ISSET(fdout, readset)) {
>>         len = read(fdout, buf, sizeof(buf));
>>         if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
>>             /* do nothing */
>>         } else if (len <= 0) {
>>             fdout_eof = 1;
>>         } else {
>>             buffer_append(&stdout_buffer, buf, len);
>>             fdout_bytes += len;
>>         }
>>     }
>>     /* Read and buffer any available stderr data from the program. */
>>     if (!fderr_eof && FD_ISSET(fderr, readset)) {
>>         len = read(fderr, buf, sizeof(buf));
>>         if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
>>             /* do nothing */
>>         } else if (len <= 0) {
>>             fderr_eof = 1;
>>         } else {
>>             buffer_append(&stderr_buffer, buf, len);
>>         }
>>     }
>>
>> --
>> sandor w. sklar
>> unix systems administrator
>> stanford university itss-css
>
>Once for STDOUT (fdout) and once for STDERR (fderr).
>
>--
>Dennis Haag                   Engineering Computer Services
>haag at apple.com             unix-support at apple.com
>408-974-6630                  ECS Hotline: 408-974-4747

--
sandor w. sklar
unix systems administrator
stanford university itss-css

From mouring at etoh.eviladmin.org Tue Mar 27 08:32:13 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Mon, 26 Mar 2001 16:32:13 -0600 (CST)
Subject: RFE: Portable OpenSSH
In-Reply-To: <200103261931.f2QJVMxf160622@jurassic.eng.sun.com>
Message-ID:

On Mon, 26 Mar 2001, Darren Moffat wrote:
>
> >For a future release of Portable OpenSSH, it would be nice to have a
> >./configure option to enable the binaries produced, to be statically
> >linked.
>
> Please don't do this, static linking is evil and I really wish it
> wasn't supported anymore, see the following list of reasons why:
>

For as evil as static linking is, there are good reasons for it. Static linking should be an option, but not default. On some platforms OpenSSH only does static linking. Older Solaris 2.5.1 platforms are this way.

Besides.. I don't expect dynamically linked binaries to work from Solaris 2.5.1 to Solaris 8. =) That is an unreasonable request. Library developers do break binary API between releases.. Heck OpenSSL has not had a single stable binary API period. And updating your OpenSSL version tends to break OpenSSH.

Don't want it.. don't use it.

- Ben

From Darren.Moffat at eng.sun.com Tue Mar 27 08:54:36 2001
From: Darren.Moffat at eng.sun.com (Darren Moffat)
Date: Mon, 26 Mar 2001 14:54:36 -0800 (PST)
Subject: RFE: Portable OpenSSH
Message-ID: <200103262254.f2QMsaxf196915@jurassic.eng.sun.com>

>Besides.. I don't expect dynamically linked binaries to work from Solaris
>2.5.1 to Solaris 8. =) That is an unreasonable request. Library

Actually it isn't that unreasonable (many of our customers expect it and we work very hard to live up to it) and if you only use the published APIs it should work. In fact it is stronger than that: Sun has a guarantee that it will, more details at:

http://www.sun.com/software/solaris/programs/guarantee/

The other thing to note is that there are no static libraries in Solaris for 64bit and no static libraries for anything that joins Solaris after Solaris 8.

>developers do break binary API between releases.. Heck OpenSSL has not

Sun tries not to with our libraries and where we do it is often because the part of the API the user was dependent on wasn't public or we made an announcement that it was going away. A lot of work has been done to our libraries recently to make sure the scope of stuff in them is very clearly marked and stuff that is private really is private.

As long as static linking isn't the default for Solaris and libc never gets statically linked then I'm reasonably happy.

--
Darren J Moffat

From peter_darren_bray at yahoo.com Tue Mar 27 09:29:45 2001
From: peter_darren_bray at yahoo.com (Peter Bray)
Date: Mon, 26 Mar 2001 15:29:45 -0800 (PST)
Subject: RFE: Portable OpenSSH
In-Reply-To: <200103261931.f2QJVMxf160622@jurassic.eng.sun.com>
Message-ID: <20010326232945.2277.qmail@web1905.mail.yahoo.com>

--- Darren Moffat wrote:
>
> >For a future release of Portable OpenSSH, it would be nice to have a
> >./configure option to enable the binaries produced, to be statically
> >linked.
>
> Please don't do this, static linking is evil and I really wish it
> wasn't supported anymore, see the following list of reasons why:
>
> Issues with static linking
> --------------------------

Darren,

I agree totally with respect to vendor provided libraries, but third party libraries should be able to be statically linked in, so that you don't have to have libpcre.so, libssl.so, ... on each system, in exactly the same place. I'm thinking of constructing portable sysadmin toolkits (CD/Floppy) plus independence of third party libraries when they are upgraded, etc.

But in general you are correct - esp WRT to vendor libraries. But do third-party libraries need to follow this rigour or reasoning?

Peter

PS: Is it possible to change a Solaris RunTime Library location (ie -R option) after the executable has been created?

From Darren.Moffat at eng.sun.com Tue Mar 27 09:34:56 2001
From: Darren.Moffat at eng.sun.com (Darren Moffat)
Date: Mon, 26 Mar 2001 15:34:56 -0800 (PST)
Subject: RFE: Portable OpenSSH
Message-ID: <200103262334.f2QNYuxf207517@jurassic.eng.sun.com>

> But in general you are correct - esp WRT to vendor libraries.
>But do third-party libraries need to follow this rigour or reasoning?

In theory I would say yes, but in practice probably not because most 3rd Party stuff doesn't have a "standard" location and most also don't have the concept of patching and versioning that Solaris uses, so dynamically link OS libraries but static for things like OpenSSL libcrypto is fine as long as you know the pitfalls I outlined.

>PS: Is it possible to change a Solaris RunTime Library location (ie -R
>option) after the executable has been created?

In Solaris 8 yes, using crle(1).

--
Darren J Moffat

From markus.friedl at informatik.uni-erlangen.de Tue Mar 27 09:35:17 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 27 Mar 2001 01:35:17 +0200
Subject: 'scp' returns incorrect exit code (OpenSSH_2.5.2p2)
In-Reply-To: <8123fd021218d9518f18086aaea74197@remailer.privacy.at>; from nobody@remailer.privacy.at on Sun, Mar 25, 2001 at 08:59:02AM +0200
References: <8123fd021218d9518f18086aaea74197@remailer.privacy.at>
Message-ID: <20010327013516.A13908@folly>

this is because scp just calls ssh, and scp does not return the exit-code from ssh. should it?

On Sun, Mar 25, 2001 at 08:59:02AM +0200, Anonymous wrote:
>
> 'scp' returns a zero exit code, even if it fails to perform the desired task.
> bash-2.03$ scp nonexistent at no.such.domain:some/file .; echo $?
> ssh: no.such.domain: Name or service not known
> 0
>
>
> 'ssh' will however return a non zero exit code in a similar situation.
> bash-2.03$ ssh nonexistent at no.such.domain date; echo $?
> ssh: no.such.domain: Name or service not known
> 255
>
> This behaviour was noticed with
> bash-2.03$ ssh -V
> OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
> on a linux x86 box
>
>
> Keep up the good work guys.
> (And let Mr. Ylonen alone in his grief for his lost ssh-trademark case).
>

From markus.friedl at informatik.uni-erlangen.de Tue Mar 27 09:38:23 2001
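Markus explains the report above: scp spawns ssh as a child and simply does not hand the child's exit status back to its own caller, so a script checking `$?` after a failed copy sees 0. The following is an added example, not scp's or OpenSSH's code, of what "returning the exit code from the child" has to cover to be reliable: a normal exit is passed through unchanged, death by signal becomes 128+signal (the shell convention), and a child that could not be started at all is reported as 255, the value ssh itself returns for connection failures in the quoted transcript (reusing it here is an assumption). The names run_and_propagate, run_shell and run_missing_binary are assumed for illustration.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Run argv[] as a child and turn its fate into a status the caller can pass
 * straight to exit(): the child's own exit code if it exited normally,
 * 128+signal if it died from a signal, and 255 if it could not be started or
 * waited for (255 is borrowed from ssh's connection-failure status above).
 */
int run_and_propagate(char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return 255;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(255);                     /* exec failed: report it as a start failure */
    }
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)             /* retry only when a signal interrupted us */
            return 255;
    }
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    return 255;                         /* stopped/continued: should not happen without WUNTRACED */
}

/* Hand a command line to /bin/sh, much as scp hands a remote command to ssh. */
int run_shell(const char *cmd)
{
    char *const argv[] = { (char *)"/bin/sh", (char *)"-c", (char *)cmd, NULL };
    return run_and_propagate(argv);
}

/* A binary that cannot be started at all (path assumed not to exist on the host). */
int run_missing_binary(void)
{
    char *const argv[] = { (char *)"/nonexistent/no-such-ssh", NULL };
    return run_and_propagate(argv);
}

int main(int argc, char *argv[])
{
    /* Stand-alone use: ./propagate command [args...] runs it and exits with its status. */
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 255;
    }
    return run_and_propagate(argv + 1);
}
```

Note the EINTR loop around waitpid(): without it, a SIGCHLD or SIGWINCH arriving at the wrong moment makes the wrapper report a failure for a child that actually succeeded, which is the opposite of the bug reported above but just as misleading to a script.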
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 27 Mar 2001 01:38:23 +0200
Subject: Openssh-2.5.1p1 and Solaris 2.6 problem with ssh_rsa_verify
In-Reply-To: <3ABF8B81.F915423F@pico.apple.com>; from dhaag@pico.apple.com on Mon, Mar 26, 2001 at 10:33:37AM -0800
References: <3ABF8B81.F915423F@pico.apple.com>
Message-ID: <20010327013823.B13908@folly>

On Mon, Mar 26, 2001 at 10:33:37AM -0800, Dennis Haag wrote:
> We recently upgraded from an older version of SSH to OpenSSH
> 2.5.1p1 (OpenSSH_2.5.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f)
> and are having problems on just a few hosts in our environment. The
> other 200 systems are working fine. Every once in a blue-moon it will
> connect with version 2.
>
> When I try to connect to or from one of these hosts using SSH2 I
> get the following error (I have sshd -d -d -d and ssh -2 -v -v -v
> output if that helps):

are you connecting with openssh protocol v2 or with ssh.com's SSH2?

are you running openbsd? netbsd? bsd/os? solaris?

-m

From austin at coremetrics.com Tue Mar 27 10:03:51 2001
From: austin at coremetrics.com (Austin Gonyou)
Date: Mon, 26 Mar 2001 18:03:51 -0600 (CST)
Subject: Kerberos 5 and OpenSSH 2.5.2p2
Message-ID:

Are there any patches to enable Krb5 for OpenSSH? I'm trying to get a proof of concept done so I can eventually roll Krb5 and OpenSSH out as our primary AA infrastructure and I'm having a hard time of it. Can someone point me to info to help?

--
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: austin at coremetrics.com

From dhaag at pico.apple.com Tue Mar 27 10:23:19 2001
From: dhaag at pico.apple.com (Dennis Haag)
Date: Mon, 26 Mar 2001 16:23:19 -0800
Subject: Openssh-2.5.1p1 and Solaris 2.6 problem with ssh_rsa_verify
References: <3ABF8B81.F915423F@pico.apple.com> <20010327013823.B13908@folly>
Message-ID: <3ABFDD77.FF5C3116@pico.apple.com>

Markus Friedl wrote:
>
> On Mon, Mar 26, 2001 at 10:33:37AM -0800, Dennis Haag wrote:
> > We recently upgraded from an older version of SSH to OpenSSH
> > 2.5.1p1 (OpenSSH_2.5.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f)
> > and are having problems on just a few hosts in our environment. The
> > other 200 systems are working fine. Every once in a blue-moon it will
> > connect with version 2.
> >
> > When I try to connect to or from one of these hosts using SSH2 I
> > get the following error (I have sshd -d -d -d and ssh -2 -v -v -v
> > output if that helps):
>
> are you connecting with openssh protocol v2 or with ssh.com's SSH2?
>
> are you running openbsd? netbsd? bsd/os? solaris?
>
> -m

openssh 2.5.1p1 on both server and client end, using ssh -2 to force version 2. Solaris 2.6 (Generic_105181-21).

--
Dennis Haag                   Engineering Computer Services
haag at apple.com             unix-support at apple.com
408-974-6630                  ECS Hotline: 408-974-4747

From mouring at etoh.eviladmin.org Tue Mar 27 11:30:34 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Mon, 26 Mar 2001 19:30:34 -0600 (CST)
Subject: Kerberos 5 and OpenSSH 2.5.2p2
In-Reply-To:
Message-ID:

On Mon, 26 Mar 2001, Austin Gonyou wrote:
> Are there any patches to enable Krb5 for OpenSSH? I'm trying to get a
> proof of concept done so I can eventually roll Krb5 and OpenSSH out as our
> primary AA infrastructure and I'm having a hard time of it. Can someone
> point me to info to help?
>

This was posted in the beginning part of Feb.

http://www.sxw.org.uk/computing/patches/

Hope this helps.

- Ben

From sxw at dcs.ed.ac.uk Tue Mar 27 11:33:35 2001
From: sxw at dcs.ed.ac.uk (Simon Wilkinson)
Date: Tue, 27 Mar 2001 02:33:35 +0100 (BST)
Subject: Kerberos 5 and OpenSSH 2.5.2p2
In-Reply-To: Austin Gonyou's message of Mon, 26 Mar 2001 18:03:51 -0600 (CST)
Message-ID: <200103270133.CAA17035@canna.dcs.ed.ac.uk>

> Are there any patches to enable Krb5 for OpenSSH? I'm trying to get a
> proof of concept done so I can eventually roll Krb5 and OpenSSH out as our
> primary AA infrastructure and I'm having a hard time of it. Can someone
> point me to info to help?

I've been doing quite a bit of work on this - see http://www.sxw.org.uk/computing/patches

I've got a patch now which implements Kerberos v5 in protocol v1 and GSSAPI (which you can use with Kerberos as a mechanism) in protocol v2. The v1 code is based on work originally done by Daniel Kouril.

The version 2 patch is based on two internet drafts, and seems to be attracting little controversy. The situation with the version 1 code is a little more complicated, as it is not interoperable with ssh.com krb5. As I understand it from watching the wire the ssh.com code implements Kerberos 5 support by reusing the kerberos 4 message types, and message ordering. This means that the ssh.com code sends the TGT _before_ authenticating the user (sequence is TGT,REQ,REP). In my patch we use different message codes (allowing Kerberos 4 and 5 to coexist), and send the TGT only if authentication succeeds (REQ,REP,TGT).

I've been talking to some folk about where we go from here, but it's gone fairly quiet of late. I guess the questions are:

  1) Do we do it the ssh.com way?
  2) Is sending the TGT first broken?
  3) Do we want to try and handle both krb4 and krb5 support in the same binary.
I've got spare cycles to work on this at the moment - I don't know how much longer they'll still be available (before I get dragged headlong into the wonderful world of LDAP replication :-(

I'll be posting a "two diff" version of this patch tomorrow, with the GSSAPI support split off from the KRB5 stuff, in the hope that they can be progressed separately.

Cheers,

Simon.

From jmknoble at jmknoble.cx Tue Mar 27 12:10:50 2001
From: jmknoble at jmknoble.cx (Jim Knoble)
Date: Mon, 26 Mar 2001 21:10:50 -0500
Subject: 'scp' returns incorrect exit code (OpenSSH_2.5.2p2)
In-Reply-To: <20010327013516.A13908@folly>; from markus.friedl@informatik.uni-erlangen.de on Tue, Mar 27, 2001 at 01:35:17AM +0200
References: <8123fd021218d9518f18086aaea74197@remailer.privacy.at> <20010327013516.A13908@folly>
Message-ID: <20010326211050.C1777@quipu.half.pint-stowp.cx>

Circa 2001-Mar-27 01:35:17 +0200 dixit Markus Friedl:

: this is because scp just calls ssh, and scp does not return
: the exit-code from ssh. should it?

Yes, it probably ought to. How would doing so affect scp when running on the remote end?

--
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/

From dankamin at cisco.com Tue Mar 27 12:55:39 2001
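Simon Wilkinson's message above contrasts two orderings for Kerberos 5 in protocol 1: ssh.com's TGT,REQ,REP, where the client forwards its ticket-granting ticket before the server has said whether it will accept the user, and his REQ,REP,TGT, where the TGT is only sent after a successful reply. His question 2 ("is sending the TGT first broken?") is easiest to see by walking both exchanges against a server that rejects the user. The following is an added model, not code from either implementation: the message names, the server's accept/reject policy flag and the trace strings are assumptions for illustration, and none of it is the SSH-1 wire format.

```c
#include <stdio.h>

/*
 * Constructed model of the two SSH-1 Kerberos 5 message orders described in
 * Simon Wilkinson's mail: ssh.com's TGT,REQ,REP versus his REQ,REP,TGT.
 * Message names, the server's policy and the trace format are assumptions.
 */
enum krb_msg { KRB_TGT, KRB_REQ, KRB_REP };

struct server {
    int accept_user;   /* policy: would this server authorise the user at all? */
    int got_tgt;       /* has a forwarded TGT been handed to this server? */
    int authed;        /* did the REQ check succeed? */
};

/* Server side: consume one client message; returns 1 if it replies REP(ok). */
static int server_handle(struct server *s, enum krb_msg m)
{
    switch (m) {
    case KRB_TGT:
        s->got_tgt = 1;                 /* the server now holds the user's credentials */
        return 0;
    case KRB_REQ:
        s->authed = s->accept_user;
        return s->authed;
    default:
        return 0;
    }
}

/* ssh.com order: TGT first, then REQ, then the server's REP. */
int exchange_tgt_first(struct server *s, char *trace, size_t n)
{
    server_handle(s, KRB_TGT);
    int ok = server_handle(s, KRB_REQ);
    snprintf(trace, n, "C->S TGT, C->S REQ, S->C REP(%s)", ok ? "ok" : "fail");
    return ok;
}

/* Simon's order: REQ, REP, and the TGT only after REP(ok). */
int exchange_tgt_last(struct server *s, char *trace, size_t n)
{
    int ok = server_handle(s, KRB_REQ);
    if (ok)
        server_handle(s, KRB_TGT);
    snprintf(trace, n, "C->S REQ, S->C REP(%s)%s",
             ok ? "ok" : "fail", ok ? ", C->S TGT" : "");
    return ok;
}

/* Does the server end up holding the TGT? accept=0 models a rejected user. */
int server_holds_tgt(int tgt_first, int accept)
{
    struct server s = { accept, 0, 0 };
    char trace[80];

    if (tgt_first)
        exchange_tgt_first(&s, trace, sizeof trace);
    else
        exchange_tgt_last(&s, trace, sizeof trace);
    return s.got_tgt;
}

int main(void)
{
    struct server s = { 0, 0, 0 };      /* a server that rejects the user */
    char trace[80];

    exchange_tgt_first(&s, trace, sizeof trace);
    printf("%-44s server holds TGT: %d\n", trace, s.got_tgt);
    s.got_tgt = 0;
    exchange_tgt_last(&s, trace, sizeof trace);
    printf("%-44s server holds TGT: %d\n", trace, s.got_tgt);
    return 0;
}
```

With a rejecting server, the TGT-first order leaves the server holding the user's TGT even though the login failed, while the REQ,REP,TGT order never hands it over; on a successful login both orders deliver the ticket. That difference, not interoperability, is the security content of question 2.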
From: dankamin at cisco.com (Dan Kaminsky)
Date: Mon, 26 Mar 2001 18:55:39 -0800
Subject: RFE: Portable OpenSSH
References: <200103261931.f2QJVMxf160622@jurassic.eng.sun.com>
Message-ID: <046e01c0b669$67eef9f0$1200040a@na.cisco.com>

Mandating static linking is ridiculous. Mandating dynamic linking is equally ridiculous, though. I choose not to have compilers on production machines, and I'm finding myself more and more annoyed when I have to move arsenals of libraries and whatnot from one platform to another just to get the binaries working.

> * Static linking prevents libc_psr.so.1 from working for platform
> specifics. This library automatically enables dynamically linked
> programs from linking in platform specific versions of various
> library routines which are optimized for a particular platform.

I don't want to run code I don't trust. I want to run code I do trust.

> * Static linking greatly increases working set size and disk footprint.

I don't care how big the code I trust is. Memory big. Security small. Must increase security--can buy memory.

> * Statically linked executables are NOT necessarily binary compatible
> between releases.
> eg. statically linked programs that use libsocket will
> fail if compiled on 2.5.1 or less and run on 2.6

I can recompile code I trust.

> * Running a static binary compiled on the base could cause a program
> to bypass some security checks when running under Trusted Solaris.
> This doesn't open a vulnerability but might mean a program won't
> get the extra privilege it was configured with.

If Trusted Solaris uses dynamic libraries to enforce security, it deserves what it gets.

> * Patches to system libraries for bug fixes and performance enhancements
> are not automatically picked up by the application. Consider security
> fixes to libc not being available to your application.

"Patches to system libraries for bug creation and performance degradations are not automatically picked up by the application.
Consider a security hole in the new glibc simply being irrelevant."

Again, it comes down to creating a snapshot of code I do trust vs. a moving target of code I'm linking against.

> * Some debugging libraries/tools will fail to work properly.
> eg. malloc debugging.

I don't want to debug code on my production server.

> * Localisation via setlocale(3c) / gettext(3c) is not supported when
> libc is statically linked.

I'm not moving. :-)

It's all about options. More than a few admins around here would jump at the chance to make SSH self-dependent; my most immediate goal may just be dealing with libz (the only real external runtime dependency).

--Dan

From djm at mindrot.org Tue Mar 27 13:03:20 2001
From: djm at mindrot.org (Damien Miller)
Date: Tue, 27 Mar 2001 13:03:20 +1000 (EST)
Subject: RFE: Portable OpenSSH
In-Reply-To: <046e01c0b669$67eef9f0$1200040a@na.cisco.com>
Message-ID:

On Mon, 26 Mar 2001, Dan Kaminsky wrote:
> It's all about options. More than a few admins around here would jump at
> the chance to make SSH self-dependent; my most immediate goal may just be
> dealing with libz (the only real external runtime dependency).

    perl -pi -e "s|-lcrypto|/path/to/libcrypto.a|g" Makefile
    perl -pi -e "s|-lz|/path/to/libz.a|g" Makefile

-d

--
| Damien Miller \   ``E-mail attachments are the poor man's
| http://www.mindrot.org /   distributed filesystem'' - Dan Geer

From dankamin at cisco.com Tue Mar 27 13:13:29 2001
From: dankamin at cisco.com (Dan Kaminsky)
Date: Mon, 26 Mar 2001 19:13:29 -0800
Subject: RFE: Portable OpenSSH
References:
Message-ID: <049201c0b66b$e6298310$1200040a@na.cisco.com>

> perl -pi -e "s|-lcrypto|/path/to/libcrypto.a|g" Makefile

Oddly enough, this isn't necessary. You'd think it would be. I unfortunately lack the unix programmer guru nature to explain why.

> perl -pi -e "s|-lz|/path/to/libz.a|g" Makefile

Much appreciated. :-D

--Dan

From celinn at mtu.edu Tue Mar 27 14:00:00 2001
From: celinn at mtu.edu (Christopher Linn)
Date: Mon, 26 Mar 2001 23:00:00 -0500
Subject: RFE: Portable OpenSSH
In-Reply-To: ; from djm@mindrot.org on Tue, Mar 27, 2001 at 01:03:20PM +1000
References: <046e01c0b669$67eef9f0$1200040a@na.cisco.com>
Message-ID: <20010326230000.A4859@mtu.edu>

what I am doing is to link the libz and openssl stuff static, because of moving target issues, and then let solaris do what it wants with its own libs, for exactly the reasons that darren moffat enumerates. if you are going to run solaris, then get used to trusted code linking shared libs, simple as that. sun's recent offerings are getting very good at this, though it means you must keep up with the patches ;*)

On Mon, 26 Mar 2001, Dan Kaminsky wrote:
> It's all about options. More than a few admins around here would jump at
> the chance to make SSH self-dependent; my most immediate goal may just be
> dealing with libz (the only real external runtime dependency).

interestingly, in zlib-1.1.3 you must *ask* configure to build shared libs, otherwise it just builds libz.a ... why is it an "external runtime dependency" for you, dan?

when building openssh, i use a directory structure like

    /someplace/openssh/5.6                  for solaris 2.6
    /someplace/openssh/5.6/{include,lib}    openssl, zlib, libwrap
    /someplace/openssh/5.6/work             for building stuff

i install static libs and headers as above, building them in .../work. then i build openssh (in .../work) with CPPFLAGS set with my include area and LDFLAGS set with my lib area:

    MYINCLUDES=/someplace/openssh/5.6/include
    MYLIBS=/someplace/openssh/5.6/lib
    ...
    CPPFLAGS="-I$MYINCLUDES -I$MYINCLUDES/openssl" \
    CFLAGS="whatever" \
    LDFLAGS="-L$MYLIBS -R$MYLIBS" \
    ./configure \
        --configure-options...

the reason i use the env based flags is that i found that the --cflags/--cppflags/--ldflags options to configure would always put MY stuff AFTER /usr/local stuff (grr, and what do you think is in /usr/local... shared libs!
;*)

ldd on the binaries lists only the native solaris shared libs.

i am using native sun compilers for all this.

chris

--
Christopher Linn,                    | By no means shall either the CEC Staff
System Administrator                 | or MTU be held in any way liable
Center for Experimental Computation  | for any opinions or conjecture I
Michigan Technological University    | hold to or imply to hold herein.

From dankamin at cisco.com Tue Mar 27 15:05:09 2001
From: dankamin at cisco.com (Dan Kaminsky)
Date: Mon, 26 Mar 2001 21:05:09 -0800
Subject: RFE: Portable OpenSSH
References: <046e01c0b669$67eef9f0$1200040a@na.cisco.com> <20010326230000.A4859@mtu.edu>
Message-ID: <04b501c0b67b$7f2815e0$1200040a@na.cisco.com>

> interestingly, in zlib-1.1.3 you must *ask* configure to build shared
> libs, otherwise it just builds libz.a ... why is it an "external
> runtime dependency" for you, dan?

Well, let's see:

    Cygwin:  Need to move ssh.exe, cygwin1.dll, and cygz.dll
    Solaris: Need to move ssh and libz.so

I'm sure I could go through a few more platforms, but it's what it sounds like: The only outside library I need to cart around (outside of Unix itself, for Cygwin) is zlib.

> i install static libs and headers as above, building them in .../work.
> then i build openssh (in .../work) with CPPFLAGS set with my include
> area and LDFLAGS set with my lib area:

Would you be interested in taking the stripped down list of OpenSSL dependencies that got posted some time ago and creating a "minimum-self-complete" version of OpenSSH, possibly for tracking/inclusion in the OpenSSH inclusion? Seems like you've figured out all the hard stuff involved, and I was literally talking with our admins about five hours ago about how useful this would be.

Tracking down external dependencies, incidentally, has led me to be somewhat annoyed at the way our RNGs work. There's no failover, no run time switching, it doesn't even embed a default list of prng commands...something to fix.

Yours Truly,

Dan Kaminsky, CISSP
http://www.doxpara.com

From djm at mindrot.org Tue Mar 27 15:48:38 2001
From: djm at mindrot.org (Damien Miller)
Date: Tue, 27 Mar 2001 15:48:38 +1000 (EST)
Subject: RFE: Portable OpenSSH
In-Reply-To: <04b501c0b67b$7f2815e0$1200040a@na.cisco.com>
Message-ID:

On Mon, 26 Mar 2001, Dan Kaminsky wrote:
> Tracking down external dependencies, incidentally, has led me to be
> somewhat annoyed at the way our RNGs work. There's no failover, no run
> time switching, it doesn't even embed a default list of prng
> commands...something to fix.

Save your time :) The built-in PRNG will be deprecated very soon, in favour of PRNGd[1]. Entropy collection and pooling is best handled by long-running processes (ideally the kernel) as they get many more opportunities to gather better quality randomness over their lifetime. Other benefits include a faster startup time for ssh, etc and the removal of nearly 1000 lines of code from portable OpenSSH.

-d

[1] http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html

--
| Damien Miller \   ``E-mail attachments are the poor man's
| http://www.mindrot.org /   distributed filesystem'' - Dan Geer

From djm at mindrot.org Tue Mar 27 16:19:31 2001
From: djm at mindrot.org (Damien Miller)
Date: Tue, 27 Mar 2001 16:19:31 +1000 (EST)
Subject: Kerberos4 / AFS library issues
Message-ID:

Could people who have been having issues with Portable OpenSSH and Kerberos 4 please try the following patch. You will need to run "autoreconf" (i.e. you will need autoconf installed) and then run ./configure again.

Index: configure.in
===================================================================
RCS file: /var/cvs/openssh/configure.in,v
retrieving revision 1.267
diff -u -r1.267 configure.in
--- configure.in 2001/03/18 23:09:28 1.267
+++ configure.in 2001/03/27 06:16:46
@@ -404,75 +404,6 @@ ] ) - - -# Check whether user wants Kerberos support -KRB4_MSG="no" -AC_ARG_WITH(kerberos4, - [ --with-kerberos4=PATH Enable Kerberos 4 support], - [ - if test "x$withval" != "xno" ; then - - if test "x$withval" != "xyes" ; then - CPPFLAGS="$CPPFLAGS -I${withval}/include" - LDFLAGS="$LDFLAGS -L${withval}/lib" - if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R${withval}/lib" - fi - if test ! -z "$blibpath" ; then - blibpath="$blibpath:${withval}/lib" - fi - else - if test -d /usr/include/kerberosIV ; then - CPPFLAGS="$CPPFLAGS -I/usr/include/kerberosIV" - fi - fi - - AC_CHECK_HEADERS(krb.h) - AC_CHECK_LIB(krb, main) - if test "$ac_cv_header_krb_h" != yes; then - AC_MSG_WARN([Cannot find krb.h, build may fail]) - fi - if test "$ac_cv_lib_krb_main" != yes; then - AC_MSG_WARN([Cannot find libkrb, build may fail]) - fi - - KLIBS="-lkrb -ldes" - AC_CHECK_LIB(resolv, dn_expand, , ) - KRB4=yes - KRB4_MSG="yes" - AC_DEFINE(KRB4) - fi - ] -) - -# Check whether user wants AFS support -AFS_MSG="no" -AC_ARG_WITH(afs, - [ --with-afs=PATH Enable AFS support], - [ - if test "x$withval" != "xno" ; then - - if test "x$withval" != "xyes" ; then - CPPFLAGS="$CPPFLAGS -I${withval}/include" - LDFLAGS="$LDFLAGS -L${withval}/lib" - fi - - if test -z "$KRB4" ; then - AC_MSG_WARN([AFS requires Kerberos IV support, build may fail]) - fi - - LIBS="$LIBS -lkafs" - if test ! -z "$AFS_LIBS" ; then - LIBS="$LIBS $AFS_LIBS" - fi - AC_DEFINE(AFS) - AFS_MSG="yes" - fi - ] -) -LIBS="$LIBS $KLIBS" - # Check whether user wants S/Key support SKEY_MSG="no" AC_ARG_WITH(skey, 
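Review bot: the deleted block's `KLIBS="-lkrb -ldes"` and `LIBS="$LIBS $KLIBS"` were in effect for every configure link test that ran after the old position near line 404, and the mail says only that this is for people "having issues", not that those later tests were being disturbed by -lkrb -ldes sitting on their link line. If that is the cause, say so in the commit message, so that anyone bisecting a configure change can see the block was moved on purpose and why. Independently, `AC_CHECK_LIB(krb, main)` only establishes that some libkrb links, not that it is a Kerberos 4 library exporting the entry points the code calls; probing for a function the Kerberos 4 code actually uses would turn the "Cannot find libkrb, build may fail" warning into an accurate check.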
@@ -1246,6 +1177,73 @@ AC_DEFINE(HAVE_SYS_NERR) fi + +# Check whether user wants Kerberos support +KRB4_MSG="no" +AC_ARG_WITH(kerberos4, + [ --with-kerberos4=PATH Enable Kerberos 4 support], + [ + if test "x$withval" != "xno" ; then + + if test "x$withval" != "xyes" ; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R${withval}/lib" + fi + if test ! -z "$blibpath" ; then + blibpath="$blibpath:${withval}/lib" + fi + else + if test -d /usr/include/kerberosIV ; then + CPPFLAGS="$CPPFLAGS -I/usr/include/kerberosIV" + fi + fi + + AC_CHECK_HEADERS(krb.h) + AC_CHECK_LIB(krb, main) + if test "$ac_cv_header_krb_h" != yes; then + AC_MSG_WARN([Cannot find krb.h, build may fail]) + fi + if test "$ac_cv_lib_krb_main" != yes; then + AC_MSG_WARN([Cannot find libkrb, build may fail]) + fi + + KLIBS="-lkrb -ldes" + AC_CHECK_LIB(resolv, dn_expand, , ) + KRB4=yes + KRB4_MSG="yes" + AC_DEFINE(KRB4) + fi + ] +) + +# Check whether user wants AFS support +AFS_MSG="no" +AC_ARG_WITH(afs, + [ --with-afs=PATH Enable AFS support], + [ + if test "x$withval" != "xno" ; then + + if test "x$withval" != "xyes" ; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + fi + + if test -z "$KRB4" ; then + AC_MSG_WARN([AFS requires Kerberos IV support, build may fail]) + fi + + LIBS="-lkafs $LIBS" + if test ! -z "$AFS_LIBS" ; then + LIBS="$LIBS $AFS_LIBS" + fi + AC_DEFINE(AFS) + AFS_MSG="yes" + fi + ] +) +LIBS="$LIBS $KLIBS" # Looking for programs, paths and files AC_ARG_WITH(rsh, -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From cmason at cmu.edu Tue Mar 27 16:39:31 2001 
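Review bot: the only line in the re-added block that differs from the removed one is `LIBS="-lkafs $LIBS"` (previously `LIBS="$LIBS -lkafs"`), which puts -lkafs ahead of everything already in LIBS while `LIBS="$LIBS $KLIBS"` still appends -lkrb -ldes after it; that is the right order for a libkafs that needs symbols from libkrb, but it is a silent behaviour change and should be named in the mail as the part that actually fixes the AFS link failures, since the rest of the hunk is a verbatim move. Also, `if test -z "$KRB4"` only emits `AC_MSG_WARN([AFS requires Kerberos IV support, build may fail])` and then proceeds to `AC_DEFINE(AFS)` and to adding -lkafs anyway; configure already knows at that point that the tree cannot build, so AC_MSG_ERROR there would stop the user before make does.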
From: cmason at cmu.edu (Christopher J Mason) Date: Tue, 27 Mar 2001 01:39:31 -0500 Subject: openssh stack corruption in arc4random_stir () on OS X Message-ID: <8230593.985657171@char.rem.cmu.edu> Howdy. I'm trying to get OpenSSH to work on Mac OS X which is basically BSD unix. I'm getting segfaults connecting to SSH1 servers (I have no SSH2 servers to test against so I'm not sure if it's common). I've followed the instructions on compiling at http://www.stepwise.com/Articles/Workbench/2001-03-21.01.html which essentially amount to ./configure --with-rsh=/usr/bin/rsh make make install (I've omitted TCP wrappers support.) (I'm using OpenSSL 0.9.5a; I've also tried with 0.9.6. I've tried both the openssl that ships with OS X and one compiled by me from source.) (I've also tried openssh-2.5.2p1.) I then try to use it: [localhost:local/src/openssh-2.5.2p1] root# ./ssh -v -v -c idea -l cmason crisp OpenSSH_2.5.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090581f Unknown cipher type 'idea' [localhost:local/src/openssh-2.5.2p1] root# ./ssh -v -v -c 3des -l cmason crisp OpenSSH_2.5.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090581f debug2: Command 'netstat -in' timed out debug2: Command 'netstat -rn' timed out debug1: Seeded RNG with 30 bytes from programs debug1: Seeded RNG with 3 bytes from system calls debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: getuid 0 geteuid 0 anon 1 debug1: Connecting to crisp [128.2.83.95] port 22. debug1: Connection established. debug1: identity file /var/root/.ssh/identity type 0 debug1: unknown identity file /var/root/.ssh/id_rsa debug1: identity file /var/root/.ssh/id_rsa type -1 debug1: unknown identity file /var/root/.ssh/id_dsa debug1: identity file /var/root/.ssh/id_dsa type -1 debug1: Remote protocol version 1.5, remote software version 1.2.27 debug1: no match: 1.2.27 debug1: Local version string SSH-1.5-OpenSSH_2.5.2p1 debug1: Waiting for server public key. 
debug1: Received server public key (768 bits) and host key (1024 bits). debug1: Host 'crisp' is known and matches the RSA1 host key. debug1: Found key in /var/root/.ssh/known_hosts:2 No valid SSH1 cipher, using 3des instead. debug1: Encryption type: 3des debug1: Sent encrypted session key. debug1: Installing crc compensation attack detector. debug1: Received encrypted confirmation. Segmentation fault A backtrace in GDB gives: #0 0x00006bd4 in ssh_userauth (local_user=0x339d0 "", server_user=0xbffffc0c "cjm", host=0xe00c0 "sun4", host_key_valid=211808, own_host_key=0xdff50) at sshconnect1.c:1020 #1 0x000058fc in ssh_login (host_key_valid=0, own_host_key=0xdff50, orighost=0xbffffc10 "sun4", hostaddr=0x338b0, original_real_uid=917696) at sshconnect.c:774 #2 0x00003574 in main (ac=4, av=0xbffffb44) at ssh.c:698 #3 0x00002060 in _start () #4 0x00001ea0 in start () #5 0x00000000 in ?? () It seems that options has total garbage in it; in particular the num_identity_files is > 1 when I have only one identity file. options is getting corrupted in arc4random_stir () at bsd-arc4random.c:73 It's actually corrupted in RC4_set_key(). I can't see anything obvious wrong here. Before this function is called, everything seems fine, after, the stack is corrupted. I can't get apple's hacked up gdb to stop inside this function with debugging info, so I can't quite tell what's going on here. I wonder, is this the first time that openssh would call into openssl? The exact same code works fine on Linux, obviously. Any help would be greatly appreciated. -c [Christopher Mason http://ash.rem.cmu.edu/ ] ["Don't you see?! We're actors--we're the opposite of people!" -Stoppard] From stevesk at sweden.hp.com Tue Mar 27 17:21:12 2001 
From: stevesk at sweden.hp.com (Kevin Steves) Date: Tue, 27 Mar 2001 08:21:12 +0100 (MET) Subject: 2.5.2p2 ssh-keyscan installed group writable? In-Reply-To: Message-ID: On Fri, 23 Mar 2001 mouring at etoh.eviladmin.org wrote: : > openssh-2.5.2p2/Makefile.in, line 168: : > : > $(INSTALL) -m 0775 -s ssh-keyscan $(DESTDIR)$(bindir)/ssh-keyscan : > : Hmm.. looks like a fat finger mistake. I'll fix it in both CVS branches : when I get home. and i also wonder why isn't ssh group, other readable: no) AC_MSG_RESULT(no) SSHMODE=0711 ;; *) AC_MSG_RESULT(yes) SSHMODE=04711 From Piete.Brooks at cl.cam.ac.uk Tue Mar 27 23:11:08 2001 
From: Piete.Brooks at cl.cam.ac.uk (Piete Brooks) Date: Tue, 27 Mar 2001 14:11:08 +0100 Subject: Use of non-user readable (null password) private keys Message-ID: Executive summary: Why can I not have a private key which is `public' ? Gory details .... I'm new to openssh. I've been using ssh for years. However, I'm in the process of investigating RH 7.* (0.91 at the moment) and am wanting to be as `standard' as possible, so trying openssh. I looked on http://www.openssh.com/list.html but could not find a list for "general OpenSSH discussion", but this was the closest match, so I'll call it a bug :-) We use a client/server model with no `user' accounts on servers. There are certain operations which a user may require to run with certain privs, and we use ssh to do this. The capability may be given to an individual user (user-only-readable in their .ssh/), a group (using UN*X group semantics) or may be accessible to all users of a particular machine or set of machines (e.g. when a user changes their password, a process is woken up on the password server). This all worked fine under ssh, but under openssh load_private_key() does a (st.st_mode & 077) != 0) { and then complains that it is readable and won't use it. (it says "It is recommended that your private key files are NOT accessible by others." but appears to implement somewhat more than a `recommendation' !) Is this bug intended as a feature ? [ :-) ] I can see no code to disable this test [ other than setting HAVE_CYGWIN and writing a check_ntsec() which returns FALSE :-) ] From Markus.Friedl at informatik.uni-erlangen.de Tue Mar 27 23:37:50 2001 
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 27 Mar 2001 15:37:50 +0200 Subject: Use of non-user readable (null password) private keys In-Reply-To: ; from Piete.Brooks@cl.cam.ac.uk on Tue, Mar 27, 2001 at 02:11:08PM +0100 References: Message-ID: <20010327153750.A6611@faui02.informatik.uni-erlangen.de> On Tue, Mar 27, 2001 at 02:11:08PM +0100, Piete Brooks wrote: > Executive summary: Why can I not have a private key which is `public' ? is this a good idea? > Is this bug intended as a feature ? [ :-) ] feature. many ppl are confused by private/public distinction and are starting to change permissions for all kind of files. however it's a bad idea to have the private key group or world readable, this is why openssh ignores the key. perhaps we should allow group-readable private keys? but i really don't like the idea. From celinn at mtu.edu Tue Mar 27 23:42:00 2001 From: celinn at mtu.edu (Christopher Linn) Date: Tue, 27 Mar 2001 08:42:00 -0500 Subject: 2.5.2p2 ssh-keyscan installed group writable? In-Reply-To: ; from stevesk@sweden.hp.com on Tue, Mar 27, 2001 at 08:21:12AM +0100 References: Message-ID: <20010327084200.A29198@mtu.edu> On Tue, Mar 27, 2001 at 08:21:12AM +0100, Kevin Steves wrote: [...] > and i also wonder why isn't ssh group, other readable: > > no) > AC_MSG_RESULT(no) > SSHMODE=0711 > ;; > *) AC_MSG_RESULT(yes) > SSHMODE=04711 this one *is* intentional ;*) it is common practice to deny readability to suid binaries, and this results in no loss of functionality. i *think* this is so users cannot copy and analyze the binary for e.g. buffer overruns and the like. chris -- Christopher Linn, | By no means shall either the CEC Staff System Administrator | or MTU be held in any way liable Center for Experimental Computation | for any opinions or conjecture I Michigan Technological University | hold to or imply to hold herein. From mouring at etoh.eviladmin.org Tue Mar 27 23:45:02 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Tue, 27 Mar 2001 07:45:02 -0600 (CST) Subject: Use of non-user readable (null password) private keys In-Reply-To: Message-ID: On Tue, 27 Mar 2001, Piete Brooks wrote: > Executive summary: Why can I not have a private key which is `public' ? > > Example: * UserA has ~/.ssh/id_rsa readable by everyone on MachineA * UserA copied ~/.ssh/id_rsa.pub to MachineB and put it in their ~/.ssh/authorized_keys2 * UserB finds ~UserA/.ssh/id_rsa being readable and steals the key. * UserB learns that UserA logs into MachineB using non-interactive key exchange method. * UserB copies stolen key to his ~/.ssh/ and now does: ssh UserA at MachineB. Security has now been compromised. > Gory details .... > > I'm new to openssh. I've been using ssh for years. However, I'm in the process > of investigating RH 7.* (0.91 at the moment) and am wanting to be as > `standard' as possible, so trying openssh. > > I looked on http://www.openssh.com/list.html but could not find a list for > "general OpenSSH discussion", but this was the closest match, so I'll call it > a bug :-) > This list doubles as a lot of things. And luckily the traffic is not extremely high. =) > We use a client/server model with no `user' accounts on servers. > There are certain operations which a user may require to run with certain > privs, and we use ssh to do this. The capability may be given to an individual > user (user-only-readable in their .ssh/), a group (using UN*X group semantics) > or may be accessible to all users of a particular machine or set of machines > (e.g. when a user changes their password, a process is woken up on the > password server). > > This all worked fine under ssh, but under openssh load_private_key() does a > (st.st_mode & 077) != 0) { > and then complains that it is readable and won't use it. (it says "It is > recommended that your private key files are NOT accessible by others." 
but > appears to implement somewhat more than a `recommendation' !) > > Is this bug intended as a feature ? [ :-) ] > I would not consider this a bug. It's a safety feature to protect the user from doing stupid things. (As shown in the example above). I don't see why the 'private' key should be allowed to be made public. Feel free to explain why such behavior is not correct. I can't see how allowing everyone to read/steal my keys is considered a Good Thing(tm). =) - Ben From celinn at mtu.edu Tue Mar 27 23:56:27 2001 From: celinn at mtu.edu (Christopher Linn) Date: Tue, 27 Mar 2001 08:56:27 -0500 Subject: Use of non-user readable (null password) private keys In-Reply-To: <20010327153750.A6611@faui02.informatik.uni-erlangen.de>; from Markus.Friedl@informatik.uni-erlangen.de on Tue, Mar 27, 2001 at 03:37:50PM +0200 References: <20010327153750.A6611@faui02.informatik.uni-erlangen.de> Message-ID: <20010327085627.B29198@mtu.edu> On Tue, Mar 27, 2001 at 03:37:50PM +0200, Markus Friedl wrote: [...] > many ppl are confused by private/public distinction > and are starting to change permissions for all kind > of files. however it's a bad idea to have the private > key group or world readable, this is why openssh ignores > the key. perhaps we should allow group-readable private keys? NO NO NO! this is like saying "it is OK to share your password with your friends"... do you give out copies of your house and car keys to a dozen of your friends?!? > but i really don't like the idea. good ;*) chris -- Christopher Linn, | By no means shall either the CEC Staff System Administrator | or MTU be held in any way liable Center for Experimental Computation | for any opinions or conjecture I Michigan Technological University | hold to or imply to hold herein. From Piete.Brooks at cl.cam.ac.uk Wed Mar 28 00:20:01 2001 
From: Piete.Brooks at cl.cam.ac.uk (Piete Brooks) Date: Tue, 27 Mar 2001 15:20:01 +0100 Subject: Use of non-user readable (null password) private keys In-Reply-To: Your message of Tue, 27 Mar 2001 15:37:50 +0200. <20010327153750.A6611@faui02.informatik.uni-erlangen.de> Message-ID: >> Executive summary: Why can I not have a private key which is `public' ? > is this a good idea? The *ABILITY* to do it is -- yes. >> Is this bug intended as a feature ? [ :-) ] > feature. :-( > many ppl are confused by private/public distinction and > are starting to change permissions for all kind of files. Users -- who'd have 'em ? :-( > however it's a bad idea to have the private key group or world readable, For a normal user's key, of course. But not for a capability you want to grant to a number of people. > this is why openssh ignore the key. This is why openssh should warn people that what they are doing is an anomaly and might not be as intended. I would rather that it were not impossible to do by setting some flag to say `this capability is known not to be read protected'. > perhaps we should allow group-readable private keys? In general, no. > but i really don't like the idea. Agreed. However, I'd like to be *ABLE* to do it. Consulting adults and all that ... From vinschen at redhat.com Wed Mar 28 00:38:43 2001 
From: vinschen at redhat.com (Corinna Vinschen) Date: Tue, 27 Mar 2001 16:38:43 +0200 Subject: Use of non-user readable (null password) private keys In-Reply-To: ; from Piete.Brooks@cl.cam.ac.uk on Tue, Mar 27, 2001 at 02:11:08PM +0100 References: Message-ID: <20010327163843.I16622@cygbert.vinschen.de> On Tue, Mar 27, 2001 at 02:11:08PM +0100, Piete Brooks wrote: > Executive summary: Why can I not have a private key which is `public' ? You can perform this action by not starting ssh directly but by starting an intermediate executable which - Checks if the calling user is allowed to perform that specific action. - Sets uid to the uid which owns the ssh private key for that action. - Calls in turn ssh to perform the action. Corinna > > > Gory details .... > > I'm new to openssh. I've been using ssh for years. However, I'm in the process > of investigating RH 7.* (0.91 at the moment) and am wanting to be as > `standard' as possible, so trying openssh. > > I looked on http://www.openssh.com/list.html but could not find a list for > "general OpenSSH discussion", but this was the closest match, so I'll call it > a bug :-) > > We use a client/server model with no `user' accounts on servers. > There are certain operations which a user may require to run with certain > privs, and we use ssh to do this. The capability may be given to an individual > user (user-only-readable in their .ssh/), a group (using UN*X group semantics) > or may be accessible to all users of a particular machine or set of machines > (e.g. when a user changes their password, a process is woken up on the > password server). > > This all worked fine under ssh, but under openssh load_private_key() does a > (st.st_mode & 077) != 0) { > and then complains that it is readable and won't use it. (it says "It is > recommended that your private key files are NOT accessible by others." but > appears to implement somewhat more than a `recommendation' !) > > Is this bug intended as a feature ? 
[ :-) ] > > I can see no code to disable this test [ other than setting HAVE_CYGWIN and > writing a check_ntsec() which returns FALSE :-) ] -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From Markus.Friedl at informatik.uni-erlangen.de Wed Mar 28 01:52:06 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 27 Mar 2001 17:52:06 +0200 Subject: Use of non-user readable (null password) private keys In-Reply-To: ; from Piete.Brooks@cl.cam.ac.uk on Tue, Mar 27, 2001 at 03:20:01PM +0100 References: <20010327153750.A6611@faui02.informatik.uni-erlangen.de> Message-ID: <20010327175206.C6611@faui02.informatik.uni-erlangen.de> On Tue, Mar 27, 2001 at 03:20:01PM +0100, Piete Brooks wrote: > However, I'd like to be *ABLE* to do it. Consulting adults and all that ... i see your problem. however, the users can copy the shared key if they need to. From Piete.Brooks at cl.cam.ac.uk Wed Mar 28 02:19:15 2001 From: Piete.Brooks at cl.cam.ac.uk (Piete Brooks) Date: Tue, 27 Mar 2001 17:19:15 +0100 Subject: Use of non-user readable (null password) private keys In-Reply-To: Your message of Tue, 27 Mar 2001 17:52:06 +0200. <20010327175206.C6611@faui02.informatik.uni-erlangen.de> Message-ID: > however, the users can copy the shared key if they need to. If the user knew anything about capabilities, and were calling ssh manually, they could. However, they are perl scripts which expect to find the capabilities in /etc/ From Piete.Brooks at cl.cam.ac.uk Wed Mar 28 02:44:04 2001 
From: Piete.Brooks at cl.cam.ac.uk (Piete Brooks) Date: Tue, 27 Mar 2001 17:44:04 +0100 Subject: Use of non-user readable (null password) private keys In-Reply-To: Your message of Tue, 27 Mar 2001 07:45:02 -0600. Message-ID: > Example: ... > Security has now been compromised. Sure -- I can see how having user private keys readable is not a good idea. What I want is the *ABILITY* to have public `capabilities' which can perform a fixed operation (e.g. prod a server) which is `harmless'. > I would not consider this a bug. :-( > It's a safety feature to protect the user from doing stupid things. I want the ability to say "this is not the action of a dumb user -- I know what I'm doing" This is explicitly using `-i' -- not defaulting to a .ssh/ file > I don't see why the 'private' key should be allowed to be made public. As per the example I gave -- it is not a key which allows login or such -- it is bound to a particular command. >> We use a client/server model with no `user' accounts on servers. >> There are certain operations which a user may require to run with certain >> privs, and we use ssh to do this. The capability may be given to an individual >> user (user-only-readable in their .ssh/), a group (using UN*X group semantics) >> or may be accessible to all users of a particular machine or set of machines >> (e.g. when a user changes their password, a process is woken up on the >> password server). > Feel free to explain why such behavior is not correct. I did in my message :-( > I can't see how allowing everyone to read/steal my keys It is not "my key", it is a capability which I want to be able to give multiple users. > is considered a Good Thing(tm). =) I want to make it easy for users to do the things they need to do. Locally they can use sudo, but for performing operations on a remote machine, they need an ssh capability. SO: your (plural) concern is that we have to avoid bozo users being insecure by doing silly things -- yes ? 
1) I don't think it should be needed if `-i' is used. 2) How about `if owned by root, can be readable by others' (root is no bozo) 3) ... and not readable by user (root) [ won' 4) ... and has the sticky bit set 5) ... and has the setuid bit set etc Failing that, a separate flag to say `capability can be readable' ? From mouring at etoh.eviladmin.org Wed Mar 28 03:48:51 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Tue, 27 Mar 2001 11:48:51 -0600 (CST) Subject: Use of non-user readable (null password) private keys In-Reply-To: Message-ID: On Tue, 27 Mar 2001, Piete Brooks wrote: > > Example: > ... > > Security has now been compromised. > > Sure -- I can see how having user private keys readable is not a good idea. > > What I want is the *ABILITY* to have public `capabilities' which can perform a > fixed operation (e.g. prod a server) which is `harmless'. > It really sounds like you want the extended filesystem ACLs provided by most commercial UNIX filesystems. That would outskirt the whole 'this key is globally public' but grant extended rights for a limited number of users to use the key. For Solaris look at: man getfacl man setfacl - Ben From celinn at mtu.edu Wed Mar 28 04:19:57 2001 
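Corinna's intermediate-executable approach, worked through as an added example (this is not OpenSSH code and not something any participant in the thread posted). It assumes a setuid-root wrapper installed mode 4750 with group "keyusers", a dedicated service account "keycap" that owns the key /etc/keycap/passwd-poke at mode 0400, an ssh binary at /usr/local/bin/ssh, and a remote account poke@passwd-server.example.org; all of those names are invented for the example. The key never becomes group- or world-readable, so the (st_mode & 077) test Piete quotes is satisfied as-is; the caller is authorised by Unix group membership, as he asked; and ssh is executed with a fixed argv and a clean environment, so the caller can neither add options nor point ssh at their own agent or config.

```c
/*
 * keycap.c -- setuid wrapper that gives members of one Unix group the use
 * of a shared SSH private key for exactly one remote command, while the key
 * itself stays mode 0400 so OpenSSH's (st_mode & 077) check is satisfied.
 *
 * Added example, not OpenSSH code.  Every name below is an assumption:
 * install as "chown root:keyusers keycap; chmod 4750 keycap".
 */
#define _DEFAULT_SOURCE 1
#define _BSD_SOURCE 1
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define KEY_PATH    "/etc/keycap/passwd-poke"          /* assumed */
#define KEY_OWNER   "keycap"                           /* assumed service user */
#define ALLOWED_GRP "keyusers"                         /* assumed group */
#define SSH_BIN     "/usr/local/bin/ssh"               /* assumed install prefix */
#define REMOTE      "poke@passwd-server.example.org"   /* assumed */
#define MAX_GROUPS  128

/* Is `want` one of the gids in list[0..n)?  Kept separate so it is testable. */
int gid_in_list(const gid_t *list, int n, gid_t want)
{
    for (int i = 0; i < n; i++)
        if (list[i] == want)
            return 1;
    return 0;
}

/*
 * The key must be a regular file, owned by the service user, and carry no
 * group or other permission bits.  This mirrors the test the thread quotes
 * from load_private_key(), so ssh will accept the file once we are that user.
 */
int key_stat_ok(const struct stat *st, uid_t expect_owner)
{
    if (!S_ISREG(st->st_mode))
        return 0;
    if (st->st_uid != expect_owner)
        return 0;
    if ((st->st_mode & 077) != 0)
        return 0;
    return 1;
}

/* The invoking user must be in ALLOWED_GRP by primary or supplementary gid. */
static int caller_allowed(void)
{
    struct group *gr = getgrnam(ALLOWED_GRP);
    gid_t groups[MAX_GROUPS];
    int n;

    if (gr == NULL)
        return 0;
    if (getgid() == gr->gr_gid)        /* getgid() is the real (caller's) gid */
        return 1;
    n = getgroups(MAX_GROUPS, groups); /* supplementary groups are still the caller's */
    if (n < 0)
        return 0;
    return gid_in_list(groups, n, gr->gr_gid);
}

int main(void)
{
    struct passwd *pw;
    struct stat st;
    /* Fixed argv: the caller contributes nothing, so no option injection. */
    char *const args[] = { "ssh", "-o", "BatchMode=yes", "-i", KEY_PATH,
                           REMOTE, "poke", NULL };
    /* Minimal environment: no caller SSH_AUTH_SOCK, HOME or LD_* reaches ssh. */
    char *const env[] = { "PATH=/usr/bin:/bin", NULL };

    if (!caller_allowed()) {
        fprintf(stderr, "keycap: uid %lu is not in group %s\n",
                (unsigned long)getuid(), ALLOWED_GRP);
        return 1;
    }
    if ((pw = getpwnam(KEY_OWNER)) == NULL) {
        fprintf(stderr, "keycap: no such user %s\n", KEY_OWNER);
        return 1;
    }
    /* Become the key owner completely: groups, gid, then uid (real, effective
     * and saved), so nothing root-ish survives into ssh. */
    if (setgroups(1, &pw->pw_gid) != 0 || setgid(pw->pw_gid) != 0 ||
        setuid(pw->pw_uid) != 0) {
        perror("keycap: cannot switch to key owner");
        return 1;
    }
    if (stat(KEY_PATH, &st) != 0 || !key_stat_ok(&st, pw->pw_uid)) {
        fprintf(stderr, "keycap: %s missing, wrong owner or too permissive\n", KEY_PATH);
        return 1;
    }
    execve(SSH_BIN, args, env);
    perror("keycap: execve");
    return 1;
}
```

The wrapper only narrows who may use the key on the client. What the key is allowed to do on the server still comes from its authorized_keys entry, so the restriction to one operation that Piete describes belongs in a command="..." option there, with the wrapper's fixed remote command matching it. Because the wrapper starts as root, keep it this short and audit it like any other setuid binary.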
From: celinn at mtu.edu (Christopher Linn) Date: Tue, 27 Mar 2001 13:19:57 -0500 Subject: RFE: Portable OpenSSH In-Reply-To: ; from djm@mindrot.org on Tue, Mar 27, 2001 at 03:48:38PM +1000 References: <04b501c0b67b$7f2815e0$1200040a@na.cisco.com> Message-ID: <20010327131957.B2380@mtu.edu> On Tue, Mar 27, 2001 at 03:48:38PM +1000, Damien Miller wrote: > > Save your time :) The built-in PRNG will be deprecated very soon, in > favour of PRNGd[1]. yes, i saw this while reading the prngd Changelog ;*) > Entropy collection and pooling is best handled by long-running processes > (ideally the kernel) as they get many more opportunities to gather > better quality randomness over their lifetime. bingo. the kernel. now i must ask, especially since we have someone from sun engineering paying attention to OpenSSH (hi Darren!), just why the most beautifully engineered kernel architecture (solaris) does not yet have a cryptographic-grade random device?!? the /dev/random supplied with the iPlanet package has been derided as being inferior in quality, although i do not have a reference for that at hand... i think someone on coderpunks made mention. a lot of us hard core solaris fans/admins are *very* puzzled and frustrated by this! best regards, chris -- Christopher Linn, | By no means shall either the CEC Staff System Administrator | or MTU be held in any way liable Center for Experimental Computation | for any opinions or conjecture I Michigan Technological University | hold to or imply to hold herein. From Darren.Moffat at eng.sun.com Wed Mar 28 04:25:43 2001 
From: Darren.Moffat at eng.sun.com (Darren Moffat) Date: Tue, 27 Mar 2001 10:25:43 -0800 (PST) Subject: RFE: Portable OpenSSH Message-ID: <200103271825.f2RIPgxf352181@jurassic.eng.sun.com> >now i must ask, especially since we have someone from sun engineering >paying attention to OpenSSH (hi Darren!), just why the most beautifully >engineered kernel architecture (solaris) does not yet have a >cryptographic-grade random device?!? the /dev/random supplied with I can't comment officially but I'm sure you won't be disappointed in the future ;-) The /dev/random that comes with the iPlanet stuff I believe is the cryptorandd implementation from the SUNWski package, I'm not sure of its quality but I have heard reports that PRNGd is better but an in kernel /dev/random (and /dev/urandom for that matter) is much more likely to give better randomness. -- Darren J Moffat From gert at greenie.muc.de Wed Mar 28 04:36:28 2001 From: gert at greenie.muc.de (Gert Doering) Date: Tue, 27 Mar 2001 20:36:28 +0200 Subject: RFE: Portable OpenSSH In-Reply-To: <20010327131957.B2380@mtu.edu>; from Christopher Linn on Tue, Mar 27, 2001 at 01:19:57PM -0500 References: <04b501c0b67b$7f2815e0$1200040a@na.cisco.com> <20010327131957.B2380@mtu.edu> Message-ID: <20010327203628.D14378@greenie.muc.de> Hi, On Tue, Mar 27, 2001 at 01:19:57PM -0500, Christopher Linn wrote: > > Entropy collection and pooling is best handled by long-running processes > > (ideally the kernel) as they get many more opportunities to gather > > better quality randomness over their lifetime. > > bingo. the kernel. Yes, but not all of us have the choice - AIX, SCO, and so on need random numbers. So PRNGd is fine for systems lacking /dev/*random... gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From dankamin at cisco.com Wed Mar 28 04:37:38 2001 
From: dankamin at cisco.com (Dan Kaminsky) Date: Tue, 27 Mar 2001 10:37:38 -0800 Subject: RFE: Portable OpenSSH References: Message-ID: <050901c0b6ed$0021e6a0$1200040a@na.cisco.com> Damien-- *time to trot out the grizzled-veteran-of-the-ssh-wars stories* Here's da scoop. So we put out a package of OpenSSH 2.2.0p1 a while back that required a Perl2Exe'd package of EGD. Got adopted by about five people. Turns out that the more system-level dependencies you put on software, the less likely people are going to be willing or able to install it. Kernelspace is the place where random number generation should live--period. However, should kernelspace randomness fail to exist, mandating the use of a pseudo-kernelspace emulation layer with prngd forces userspace binary dependencies. As is, all ssh binaries are independent, i.e. sshd does not require ssh does not require ssh-keygen. At the points where semi-dependencies exist--scp and sftp-server from sshd--we see the greatest occurrence of SSH failure and annoyance. But when scp and sftp-server don't exist, you can't conveniently transfer files. When prngd wouldn't exist, however, you wouldn't be able to do *anything*. No SSHD, no SSH, no nothing. But who would be running prngd? Let's say every user used their own entropy gatherer. Instead of entropy gathering on demand, when the ssh executables were actually being called, each user would be hammering the box continually. That's not elegant, of course, so let's presume there's only one user running prngd that every user shares in the entropy of. That user running prngd better be root, unless you like the idea of SSHD getting its entropy stream from an untrusted user. So now users cannot safely run ssh without the root user starting up a daemon? Granted, this starts getting ridiculous, but my point is that setting up convoluted and non-obvious dependencies in SSH is something to avoid. 
I *like* the idea of prngd, actually--I just don't like the idea of SSH utilities failing to function without it. Let's be flexible here--*in runtime*, check for /dev/random(kernelspace), failing that check for a central prngd daemon(root kernelspace emulation), failing that check for a userspace prngd daemon we can run for a few minutes until it builds up n bits of entropy(user kernelspace emulation)... And if all else fails, just do the damn commands yourself. Don't go load a list of commands from somewhere in ETCDIR, though grab that list if you can find it--have a list of commands that work on this platform compiled into an array in the binary and go through them. There is no excuse to fail unless success would be insecure. Remember, Damien. SSH works, and well, despite steep odds. IPSec fails, and often, despite virgin sacrifices. We need to continue the former tradition; the latter went out of fashion hundreds of years ago. Yours Truly, Dan Kaminsky, CISSP http://www.doxpara.com From emarshall at mercantec.com Wed Mar 28 04:45:08 2001 
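The runtime fallback Dan describes, as an added example rather than anything from OpenSSH or from this thread: try the kernel device, then PRNGd/EGD sockets, then fail closed. The device and socket paths are assumed defaults (PRNGd is commonly run on /var/run/egd-pool; a per-user daemon would simply be one more entry in the socket list), and the two-byte request is the EGD protocol's blocking-read command that PRNGd answers. The final stage Dan asks for, a compiled-in command list, is deliberately left out: command output has to be hashed into a pool with an entropy estimate before it can serve as seed material, and that pool is more than this block should carry.

```c
/*
 * seedsrc.c -- runtime fallback chain for seeding a PRNG: kernel device
 * first, then a PRNGd/EGD Unix socket, and fail closed if neither delivers.
 *
 * Added example, not OpenSSH code.  Device and socket paths are assumed
 * defaults; the wire format is the EGD protocol that PRNGd speaks.
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* EGD protocol: command byte 0x02 = "blocking read", then a one-byte count. */
#define EGD_READ_BLOCKING 0x02
#define EGD_MAX_REQUEST   255

/* /dev/urandom first: a blocking /dev/random stalls ssh startup on a quiet host. */
static const char *const DEVICES[] = { "/dev/urandom", "/dev/random", NULL };
/* Assumed PRNGd/EGD socket locations, most trusted (root-run) first. */
static const char *const EGD_SOCKETS[] = { "/var/run/egd-pool", "/etc/entropy", NULL };

/* Read exactly n bytes or fail; a short read is not entropy. */
static int read_fully(int fd, unsigned char *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r <= 0)
            return -1;
        got += (size_t)r;
    }
    return 0;
}

/* Encode an EGD blocking-read request for n bytes into req[2]; 0 on success. */
int egd_encode_request(size_t n, unsigned char req[2])
{
    if (n == 0 || n > EGD_MAX_REQUEST)
        return -1;
    req[0] = EGD_READ_BLOCKING;
    req[1] = (unsigned char)n;
    return 0;
}

/* Stage 1: kernel device.  Returns n on success, -1 otherwise. */
int seed_from_device(const char *path, unsigned char *buf, size_t n)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    int rc = read_fully(fd, buf, n);
    close(fd);
    return rc == 0 ? (int)n : -1;
}

/* Stage 2: PRNGd/EGD over a Unix-domain stream socket. */
int seed_from_egd(const char *sockpath, unsigned char *buf, size_t n)
{
    unsigned char req[2];
    struct sockaddr_un sa;

    if (egd_encode_request(n, req) != 0)
        return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    if (strlen(sockpath) >= sizeof(sa.sun_path))
        return -1;
    strcpy(sa.sun_path, sockpath);

    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int rc = -1;
    if (connect(fd, (struct sockaddr *)&sa, sizeof(sa)) == 0 &&
        write(fd, req, 2) == 2 && read_fully(fd, buf, n) == 0)
        rc = (int)n;
    close(fd);
    return rc;
}

/* Walk the chain; on success *source names the stage that delivered. */
int collect_seed(unsigned char *buf, size_t n, const char **source)
{
    for (int i = 0; DEVICES[i] != NULL; i++)
        if (seed_from_device(DEVICES[i], buf, n) == (int)n) {
            *source = DEVICES[i];
            return (int)n;
        }
    for (int i = 0; EGD_SOCKETS[i] != NULL; i++)
        if (seed_from_egd(EGD_SOCKETS[i], buf, n) == (int)n) {
            *source = EGD_SOCKETS[i];
            return (int)n;
        }
    *source = NULL;
    return -1;   /* fail closed: never substitute a weak seed silently */
}

int main(void)
{
    unsigned char seed[32];
    const char *src;
    if (collect_seed(seed, sizeof(seed), &src) < 0) {
        fprintf(stderr, "no entropy source available; refusing to continue\n");
        return 1;
    }
    printf("seeded %zu bytes from %s\n", sizeof(seed), src);
    return 0;
}
```

collect_seed() returns -1 rather than a weak seed when every stage fails, so the caller can refuse to start: that is the one case Dan allows for failure, "unless success would be insecure". Reporting which stage answered is worth keeping in debug output, since a host that silently falls through to a user-run daemon is exactly the trust problem he raises.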
From: emarshall at mercantec.com (Edward S. Marshall) Date: Tue, 27 Mar 2001 12:45:08 -0600 Subject: RFE: Portable OpenSSH In-Reply-To: <200103271825.f2RIPgxf352181@jurassic.eng.sun.com>; from Darren.Moffat@eng.sun.com on Tue, Mar 27, 2001 at 10:25:43AM -0800 References: <200103271825.f2RIPgxf352181@jurassic.eng.sun.com> Message-ID: <20010327124507.A1314@mercantec.com> On Tue, Mar 27, 2001 at 10:25:43AM -0800, Darren Moffat wrote: > The /dev/random that comes with the iPlanet stuff I believe is the > cryptorandd implementation from the SUNWski package, I'm not sure of its > quality but I have heard reports that PRNGd is better but an in kernel > /dev/random (and /dev/urandom for that matter) is much more likely to > give better randomness. And for those unwilling to wait for Sun to release something: http://www.cosy.sbg.ac.at/~andi/ It's a port of the Linux /dev/[u]random driver to Solaris. Definitely beats using SUNWski. -- Edward S. Marshall UNIX Administrator http://www.nyx.net/~emarshal/ Mercantec, Inc. From celinn at mtu.edu Wed Mar 28 04:49:48 2001 
From: celinn at mtu.edu (Christopher Linn) Date: Tue, 27 Mar 2001 13:49:48 -0500 Subject: RFE: Portable OpenSSH In-Reply-To: <200103271825.f2RIPgxf352181@jurassic.eng.sun.com>; from Darren.Moffat@eng.sun.com on Tue, Mar 27, 2001 at 10:25:43AM -0800 References: <200103271825.f2RIPgxf352181@jurassic.eng.sun.com> Message-ID: <20010327134947.C2380@mtu.edu> On Tue, Mar 27, 2001 at 10:25:43AM -0800, Darren Moffat wrote: > >now i must ask, especially since we have someone from sun engineering > >paying attention to OpenSSH (hi Darren!), just why the most beautifully > >engineered kernel architecture (solaris) does not yet have a > >cryptographic-grade random device?!? the /dev/random supplied with > > I can't comment officially but I'm sure you won't be disappointed in the > future ;-) > > The /dev/random that comes with the iPlanet stuff I believe is the > cryptorandd implementation from the SUNWski package, I'm not sure of its > quality but I have heard reports that PRNGd is better but an in kernel > /dev/random (and /dev/urandom for that matter) is much more likely to > give better randomness. indeed, in-kernel entropy gathering can be made to gather entropy from e.g. active device drivers, using completion times etc., whereas anything else must rely on executed userland commands and the like, which must be horribly inefficient and lower quality entropy by comparison. i would hope that this might come in an LKM which would be backward- compatible with solaris 7 & 8 (at least), with an associated set of modified device drivers (disk, net, etc) to feed the LKM... just my thoughts. (sounds like a big job, eh? ;*) > -- > Darren J Moffat very best regards, chris -- Christopher Linn, | By no means shall either the CEC Staff System Administrator | or MTU be held in any way liable Center for Experimental Computation | for any opinions or conjecture I Michigan Technological University | hold to or imply to hold herein. From celinn at mtu.edu Wed Mar 28 05:12:58 2001 
From: celinn at mtu.edu (Christopher Linn)
Date: Tue, 27 Mar 2001 14:12:58 -0500
Subject: RFE: Portable OpenSSH
In-Reply-To: <20010327203628.D14378@greenie.muc.de>; from gert@greenie.muc.de on Tue, Mar 27, 2001 at 08:36:28PM +0200
References: <04b501c0b67b$7f2815e0$1200040a@na.cisco.com> <20010327131957.B2380@mtu.edu> <20010327203628.D14378@greenie.muc.de>
Message-ID: <20010327141258.D2380@mtu.edu>

Gert,

On Tue, Mar 27, 2001 at 08:36:28PM +0200, Gert Doering wrote:
> Hi,
>
> On Tue, Mar 27, 2001 at 01:19:57PM -0500, Christopher Linn wrote:
> > bingo. the kernel.
>
> Yes, but not all of us have the choice - AIX, SCO, and so on need random
> numbers. So PRNGd is fine for systems lacking /dev/*random...

whoooooooa! yes yes yes, i love prngd! exactly!

what i was doing here was to take the opportunity to politely nudge someone from a major commercial OS vendor engineering dept about providing vendor /dev/*random. if Sun Engineering takes the lead for this in the commercial market, then the other vendors will be further behind, and more glaringly so, and perhaps all of them will get going faster.

now, i would assert that if there are AIX Engineers, SCO Engineers, etc etc etc reading this list, that they might be made more aware of the need for this feature, and perhaps this will trickle-up to Management, and managers would be more motivated if they know Sun is that much ahead of them!

> gert
> --

sincerely,

chris

--
Christopher Linn,                   | By no means shall either the CEC Staff
System Administrator                | or MTU be held in any way liable
Center for Experimental Computation | for any opinions or conjecture I
Michigan Technological University   | hold to or imply to hold herein.

From mattl at livecapital.com Wed Mar 28 05:13:50 2001
From: mattl at livecapital.com (Lewandowsky, Matt)
Date: Tue, 27 Mar 2001 11:13:50 -0800
Subject: OpenSSh 2.5.2p2 on Linux/Sparc
Message-ID: <71D01DB8DA698947A6F5D666D62A2DB001C3BF@exchange.livecapital.com>

Does OpenSSH actually have SPARC/Linux binaries? (/me checks...) Since I don't see any architecture info, I assume the RPMs are for x86... So, SPARC/Linux users have to install from source... (Good for my reference...)

Georg: Are you running GNU sed? Type "sed --help" to see... If not, reinstall the RPM from your install CD... If so, see if the RPM has been updated in Errata. If this isn't the case, try installing the one from 6.2.

I was fairly unimpressed with 6.0/SPARC, myself. 6.2 was slightly better. Maybe them not releasing 7 was a good thing, as it will give them time to figure out the best way to get things working right before the next supported release.

Hope I was actually of some help,

--Matt

> -----Original Message-----
> From: mouring at etoh.eviladmin.org [mailto:mouring at etoh.eviladmin.org]
> Sent: Sunday, March 25, 2001 10:44 PM
> To: Georg Schwarz
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: OpenSSh 2.5.2p2 on Linux/Sparc
>
> On Sun, 25 Mar 2001, Georg Schwarz wrote:
>
> > When doing a simple configure of OpenSSh 2.5.2p2 on a Sparc running
> > RedHat 6.0 I get:
> >
> > ...
> > updating cache ./config.cache
> > creating ./config.status
> > creating Makefile
> > sed: file conftest.s1 line 1: Unknown command: ``^''
> > creating openbsd-compat/Makefile
> > sed: file conftest.s1 line 1: Unknown command: ``^''
> > creating ssh_prng_cmds
> > sed: file conftest.s1 line 1: Unknown command: ``^''
> > creating config.h
> > sed: file conftest.frag line 1: Unknown command: ``%''
> > ...
> >
>
> Did you get this error with any other release? To me it looks like
> a bad 'sed' binary. Have you checked for an updated RPM for sparc?
>
> - Ben

From ktaylor at eosdata.gsfc.nasa.gov Wed Mar 28 05:15:47 2001
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor)
Date: Tue, 27 Mar 2001 14:15:47 -0500
Subject: Expired password handling in openssh-2.5.1p1/2
References:
Message-ID: <3AC0E6E3.4B56753A@daac.gsfc.nasa.gov>

Kevin Steves wrote:
>
> On Thu, 1 Mar 2001, Kevin Taylor wrote:
> : Are there plans, or does someone have a fix, for having openssh force
> : users to change passwords when they're expired?
> :
> : Right now the program closes the connection....the commercial ssh
> : manages to exec /bin/passwd after they enter their current password.
>
> there is only support thru PAM right now. i had started a
> multi-platform password interface last year, and while it was close to
> the point of being integrated, i have been side-tracked with stuff that
> was more interesting to work on. adding just code to run passwd if the
> password has expired isn't hard, and maybe we should do that.

Has any of this ended up in the current openssh portable code?

From mouring at etoh.eviladmin.org Wed Mar 28 05:18:35 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Tue, 27 Mar 2001 13:18:35 -0600 (CST)
Subject: OpenSSh 2.5.2p2 on Linux/Sparc
In-Reply-To: <71D01DB8DA698947A6F5D666D62A2DB001C3BF@exchange.livecapital.com>
Message-ID:

On Tue, 27 Mar 2001, Lewandowsky, Matt wrote:

> Does OpenSSH actually have SPARC/Linux binaries? (/me checks...) Since I
> don't see any architecture info, I assume the RPMs are for x86... So,
> SPARC/Linux users have to install from source... (Good for my reference...)
>

Well.. I was referring to sed RPM updates.=) Last I checked no one was building SPARC/Linux RPMs nor binaries.

- Ben

From dankamin at cisco.com Wed Mar 28 05:27:09 2001
From: dankamin at cisco.com (Dan Kaminsky)
Date: Tue, 27 Mar 2001 11:27:09 -0800
Subject: RFE: Portable OpenSSH
References: <04b501c0b67b$7f2815e0$1200040a@na.cisco.com> <20010327131957.B2380@mtu.edu> <20010327203628.D14378@greenie.muc.de> <20010327141258.D2380@mtu.edu>
Message-ID: <05b401c0b6f3$ebb2b6c0$1200040a@na.cisco.com>

> > Yes, but not all of us have the choice - AIX, SCO, and so on need random
> > numbers. So PRNGd is fine for systems lacking /dev/*random...
>
> whoooooooa! yes yes yes, i love prngd! exactly!
>
> what i was doing here was to take the opportunity to politely nudge
> someone from a major commercial OS vendor engineering dept about
> providing vendor /dev/*random. if Sun Engineering takes the lead
> for this in the commercial market, then the other vendors will be
> further behind, and more glaringly so, and perhaps all of them will
> get going faster.

Actually, I should emphasize that I do really like prngd. It'll definitely be easier to deploy than EGD was, will spawn the creation of more apps dependent on good entropy sources (as opposed to "seed RC4 with present time and PID"), and represents a quite nice userspace ("systemspace"?) RNG implementation. I just really want to avoid OpenSSH being hard-dependent on it.

If I take SSH1 or SSH2 and throw it on a random box, it'll work. If I take OpenSSH and throw it on the same box, and it doesn't...I'm going to have a harder time convincing other admins, who *aren't* SSH geeks like me, that OpenSSH is a more elegant, more compatible, more secure solution.

Things should Just Work. prngd makes good entropy "just work" on more platforms, which is awesome. Until it's universally deployed as a crutch for /dev/random, though, I'm not really comfortable with SSH losing its "just works" status to it.

Yours Truly,

Dan Kaminsky, CISSP
http://www.doxpara.com

From mattl at livecapital.com Wed Mar 28 06:04:10 2001
From: mattl at livecapital.com (Lewandowsky, Matt)
Date: Tue, 27 Mar 2001 12:04:10 -0800
Subject: OpenSSh 2.5.2p2 on Linux/Sparc
Message-ID: <71D01DB8DA698947A6F5D666D62A2DB001C3C0@exchange.livecapital.com>

Ahh...I see now. Sorry about that...

Anyway, back to OpenSSH packages on Linux/SPARC: Does anyone have a desire to have packages for this platform? I'm just about done getting my latest SPARC (a SS2 w/ a full 64MB RAM... Anyone know where I can get an SBUS expansion card for more RAM?) online that I was going to use for things exactly like this. (Which my significant other doesn't see the point of, but... "Can't they do it theirselves? How hard can it be?" and all that...)

I'm likely going to be running Slackware-Current on it. However, alien should do the trick nicely if I build everything statically, correct? (Slackware because Debian doesn't like my mouse and I dislike RH. No offense intended to anyone.) Or would NetBSD/SPARC be more useful? I'm able to install both...

And if this is a desirable thing, can someone give me a place to store the files? I currently don't have a hosting provider. (My web site is only online when I am, in other words...)

--Matt

> -----Original Message-----
> From: mouring at etoh.eviladmin.org [mailto:mouring at etoh.eviladmin.org]
> Sent: Tuesday, March 27, 2001 11:19 AM
> To: Lewandowsky, Matt
> Cc: openssh-unix-dev at mindrot.org
> Subject: RE: OpenSSh 2.5.2p2 on Linux/Sparc
>
> On Tue, 27 Mar 2001, Lewandowsky, Matt wrote:
>
> > Does OpenSSH actually have SPARC/Linux binaries? (/me checks...) Since I
> > don't see any architecture info, I assume the RPMs are for x86... So,
> > SPARC/Linux users have to install from source... (Good for my reference...)
> >
>
> Well.. I was referring to sed RPM updates.=) Last I checked no one
> was building SPARC/Linux RPMs nor binaries.
>
> - Ben

From Piete.Brooks at cl.cam.ac.uk Wed Mar 28 06:09:10 2001
From: Piete.Brooks at cl.cam.ac.uk (Piete Brooks)
Date: Tue, 27 Mar 2001 21:09:10 +0100
Subject: Use of non-user readable (null password) private keys
In-Reply-To: Your message of Tue, 27 Mar 2001 11:48:51 -0600.
Message-ID:

> It really sounds like you want the extended filesystem ACLs provided by
> most commercial UNIX filesystems.

No. I want to be able to give `group' or `other' access to capabilities.

I do not want ACLs.

> That would outskirt the whole 'this key is globally public' but granting
> extended rights for limited number of users to use the key.

Nope -- I want to give everyone (or all members of a UN*X group) access.

From dbt at meat.net Wed Mar 28 06:34:04 2001
From: dbt at meat.net (David Terrell)
Date: Tue, 27 Mar 2001 12:34:04 -0800
Subject: RFE: Portable OpenSSH
In-Reply-To: <050901c0b6ed$0021e6a0$1200040a@na.cisco.com>; from dankamin@cisco.com on Tue, Mar 27, 2001 at 10:37:38AM -0800
References: <050901c0b6ed$0021e6a0$1200040a@na.cisco.com>
Message-ID: <20010327123403.B24424@pianosa.catch22.org>

On Tue, Mar 27, 2001 at 10:37:38AM -0800, Dan Kaminsky wrote:
> Here's da scoop. So we put out a package of OpenSSH 2.2.0p1 a while
> back that required a Perl2Exe'd package of EGD. Got adopted by about five
> people. Turns out that the more system-level dependencies you put on
> software, the less likely people are going to be willing or able to install
> it.

Yep. I've had trouble convincing people it's superior simply because it takes more stuff.

Here's a really bad idea that might get people thinking of better solutions along this line:

Why not include PRNGd source with OpenSSH, install it, and if sshd fails to get any entropy, start PRNGd and try again? It doesn't work for client-only ssh usage (though if the ssh command is setuid, it could, but that's probably a really bad idea for other reasons). The normal autoconf widgets (if PRNGd is already installed don't do this, etc etc) would apply. And of course it would only be for platforms with no /dev/*random.

--
David Terrell            | If a crypto algorithm is cracked in a forest
Nebcorp Prime Minister   | and a tree falls on a mime, does microsoft
dbt at meat.net           | need to publish an advisory on it?
http://wwn.nebcorp.com/

From Darren.Moffat at eng.sun.com Wed Mar 28 06:58:15 2001
From: Darren.Moffat at eng.sun.com (Darren Moffat)
Date: Tue, 27 Mar 2001 12:58:15 -0800 (PST)
Subject: RFE: Portable OpenSSH
Message-ID: <200103272058.f2RKwExf388024@jurassic.eng.sun.com>

>Solaris: Need to move ssh and libz.so

Starting from Solaris 8 libz.so is part of the core OS so it should be there on every host:

montgomery$ pkginfo -l SUNWzlib
   PKGINST:  SUNWzlib
      NAME:  The Zip compression library
  CATEGORY:  system
      ARCH:  sparc
   VERSION:  11.8.0,REV=2000.01.08.18.12
   BASEDIR:  /
    VENDOR:  Sun Microsystems, Inc.
      DESC:  The Zip compression library
    PSTAMP:  humbolt20000108182857
  INSTDATE:  Apr 28 2000 17:38
   HOTLINE:  Please contact your local service provider
    STATUS:  completely installed
     FILES:       16 installed pathnames
                   7 shared pathnames
                   7 directories
                   2 executables
                 409 blocks used (approx)

/usr/include/zconf.h
/usr/include/zlib.h
/usr/lib/abi/abi_libz.so.1
/usr/lib/abi/sparcv9/abi_libz.so.1
/usr/lib/libz.so=./libz.so.1
/usr/lib/libz.so.1
/usr/lib/llib-lz
/usr/lib/llib-lz.ln
/usr/lib/sparcv9/libz.so=libz.so.1
/usr/lib/sparcv9/libz.so.1
/usr/lib/sparcv9/llib-lz.ln
/usr/share/man/man3/libz.3
/usr/share/man/man3/zlib.3

--
Darren J Moffat

From dankamin at cisco.com Wed Mar 28 07:07:03 2001
From: dankamin at cisco.com (Dan Kaminsky)
Date: Tue, 27 Mar 2001 13:07:03 -0800
Subject: RFE: Portable OpenSSH
References: <200103272058.f2RKwExf388024@jurassic.eng.sun.com>
Message-ID: <061401c0b701$dfe91a60$1200040a@na.cisco.com>

> >Solaris: Need to move ssh and libz.so
>
> Starting from Solaris 8 libz.so is part of the core OS so it should be
> there on every host:

*smiles*

You think everyone's running Solaris 8?

I've got a theory going that once a network (society?) reaches a certain size, it loses the ability to migrate for convenience, and will only move in case of absolute necessity. Relates to diseconomies of scale, i.e. the network effects get so powerful, no individual element of the network can change.

A lot of stuff stopped working after Solaris 2.5.1 and Solaris 2.6. So Sun never stopped supporting those versions, and millions of installations never switched.

Anyway, these aren't theoretical complaints. I had the:

1. Copy files over
2. Damnit, forgot SCP.
3. Copy SCP over.
4. Damnit, forgot libz.
5. Copy libz over.
6. Damnit, forgot the list of prng commands
7. Copy list over
8. Run SCP

situation happen all too recently. I'm no ivory tower complainer; these are the pains of experience.

--Dan

From Darren.Moffat at eng.sun.com Wed Mar 28 07:08:07 2001
From: Darren.Moffat at eng.sun.com (Darren Moffat)
Date: Tue, 27 Mar 2001 13:08:07 -0800 (PST)
Subject: Expired password handling in openssh-2.5.1p1/2
Message-ID: <200103272108.f2RL86xf390817@jurassic.eng.sun.com>

>> there is only support thru PAM right now. i had started a
>> multi-platform password interface last year, and while it was close to
>> the point of being integrated, i have been side-tracked with stuff that
>> was more interesting to work on. adding just code to run passwd if the
>> password has expired isn't hard, and maybe we should do that.
>
>
>Has any of this ended up in the current openssh portable code?

Forgive me if I'm repeating something since I missed the beginning of this thread.

Without using PAM how do you intend to find out that the password has actually expired? Without reinventing what pam_acct_mgmt() does?

--
Darren J Moffat

From dankamin at cisco.com Wed Mar 28 07:10:20 2001
From: dankamin at cisco.com (Dan Kaminsky)
Date: Tue, 27 Mar 2001 13:10:20 -0800
Subject: RFE: Portable OpenSSH
References: <050901c0b6ed$0021e6a0$1200040a@na.cisco.com> <20010327123403.B24424@pianosa.catch22.org>
Message-ID: <061501c0b702$5519b6a0$1200040a@na.cisco.com>

> Yep. I've had trouble convincing people it's superior simply because it
> takes more stuff.

Tell me about it.

> Here's a really bad idea that might get people thinking of better solutions
> along this line:
>
> Why not include PRNGd source with OpenSSH, install it, and if sshd
> fails to get any entropy, start PRNGd and try again? It doesn't
> work for client-only ssh usage (though if the ssh command is setuid,
> it could, but that's probably a really bad idea for other reasons).

Source dependency. I don't put compilers on production machines if I can avoid it.

prngd source *should* be included, incidentally, or else people can't use SSHD if prngd ever disappears / is forgotten to be downloaded.

You still have the problem of lots of people running long-lasting daemons that hammer the kernel trying to tweak entropy out of it, or lots of people depending on root (do we make sure it's root or same-user owned socket?) to create an entropy source.

I like the functionality. I just can't depend on it, especially when I don't need to. SSH needs to just work--that's one of its primary missions.

Yours Truly,

Dan Kaminsky, CISSP

From Darren.Moffat at eng.sun.com Wed Mar 28 07:12:38 2001
From: Darren.Moffat at eng.sun.com (Darren Moffat)
Date: Tue, 27 Mar 2001 13:12:38 -0800 (PST)
Subject: The bad SFTP name
Message-ID: <200103272112.f2RLCcxf391786@jurassic.eng.sun.com>

I know this thread has gone quiet but I just found another case of the sftp name not being what someone might expect:

RFC 931 http://www.ietf.org/rfc/rfc0913.txt

Argghghghgh.

--
Darren J Moffat

From ktaylor at eosdata.gsfc.nasa.gov Wed Mar 28 07:53:36 2001
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor)
Date: Tue, 27 Mar 2001 16:53:36 -0500
Subject: Expired password handling in openssh-2.5.1p1/2
In-Reply-To: <200103272108.f2RL86xf390817@jurassic.eng.sun.com>
Message-ID:

OpenSSH already does this by checking the expiration fields in the shadow file....however if it finds that the password is expired, it just closes the connection with a Permission Denied...rather than forcing the user to change their password.

Kevin Steves mentioned that he had once looked at the code for implementing this, but hadn't finished it.

On Tue, 27 Mar 2001, Darren Moffat wrote:

> >> there is only support thru PAM right now. i had started a
> >> multi-platform password interface last year, and while it was close to
> >> the point of being integrated, i have been side-tracked with stuff that
> >> was more interesting to work on. adding just code to run passwd if the
> >> password has expired isn't hard, and maybe we should do that.
> >
> >
> >Has any of this ended up in the current openssh portable code?
>
> Forgive me if I'm repeating something since I missed the beginning of this
> thread.
>
> Without using PAM how do you intend to find out that the password has
> actually expired? Without reinventing what pam_acct_mgmt() does?
>
> --
> Darren J Moffat
>

From qralston+ml.openssh-unix-dev at andrew.cmu.edu Wed Mar 28 08:03:20 2001
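The decision Kevin describes above, taken from the aging fields of a shadow(5) entry, as an added example in C; it is not OpenSSH's code. Day counts are days since 1970-01-01 as in the shadow file, -1 means "field not set", and the sample lines (with placeholder hashes) are constructed for this example.

```c
/* Added example, not OpenSSH's code: decide from shadow(5) aging fields
 * whether a login proceeds, must go through a password change, or is
 * refused. Field semantics follow shadow(5); samples are constructed. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

enum pw_status {
    PW_OK = 0,               /* let the login proceed */
    PW_CHANGE_REQUIRED = 1,  /* accept the password, then force passwd(1) */
    PW_EXPIRED = 2,          /* password aged out and the grace period is over */
    PW_ACCOUNT_EXPIRED = 3   /* whole account expired: refuse */
};

struct shadow_fields {
    long lstchg;   /* sp_lstchg: day of last change; 0 forces a change */
    long max;      /* sp_max: days a password stays valid; -1 = no limit */
    long inact;    /* sp_inact: grace days after expiry; -1 = none */
    long expire;   /* sp_expire: day the account expires; -1 = never */
};

/* Apply the shadow(5) aging rules to a parsed entry for the given day. */
enum pw_status password_status(const struct shadow_fields *sp, long today)
{
    if (sp->expire != -1 && today >= sp->expire)
        return PW_ACCOUNT_EXPIRED;
    if (sp->lstchg == 0)
        return PW_CHANGE_REQUIRED;      /* administrator forced a change */
    if (sp->lstchg == -1 || sp->max == -1)
        return PW_OK;                   /* no aging configured */
    if (today <= sp->lstchg + sp->max)
        return PW_OK;
    /* aged out: a change is still allowed inside the inactivity window */
    if (sp->inact == -1 || today <= sp->lstchg + sp->max + sp->inact)
        return PW_CHANGE_REQUIRED;
    return PW_EXPIRED;
}

/* Parse one shadow(5) line: name:hash:lstchg:min:max:warn:inact:expire:flag.
 * Empty numeric fields become -1. Returns 0 on success, -1 if malformed. */
int parse_shadow_line(const char *line, struct shadow_fields *out)
{
    long vals[6];                       /* lstchg, min, max, warn, inact, expire */
    const char *p = line;
    int i;

    for (i = 0; i < 2; i++) {           /* skip the name and hash fields */
        p = strchr(p, ':');
        if (p == NULL)
            return -1;
        p++;
    }
    for (i = 0; i < 6; i++) {
        if (*p == ':' || *p == '\0' || *p == '\n') {
            vals[i] = -1;
        } else {
            char *end;
            errno = 0;
            vals[i] = strtol(p, &end, 10);
            if (errno != 0 || end == p ||
                (*end != ':' && *end != '\0' && *end != '\n'))
                return -1;
            p = end;
        }
        if (*p == ':')
            p++;
        else if (i < 5)
            return -1;                  /* separator missing before a later field */
    }
    out->lstchg = vals[0];
    out->max = vals[2];
    out->inact = vals[4];
    out->expire = vals[5];
    return 0;
}

/* Status for one raw line, or -1 if it cannot be parsed. */
int shadow_line_status(const char *line, long today)
{
    struct shadow_fields sp;
    if (parse_shadow_line(line, &sp) != 0)
        return -1;
    return (int)password_status(&sp, today);
}

int main(void)
{
    /* constructed entries; the hashes are placeholders, not real ones */
    const char *lines[] = {
        "alice:$6$PLACEHOLDER:10000:0:90:7::",
        "bob:!:0:0:99999:7:::",
        "carol:$1$PLACEHOLDER:10000:0:90:7:5:10500",
    };
    long today = (long)(time(NULL) / 86400);
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%s -> status %d\n", lines[i], shadow_line_status(lines[i], today));
    return 0;
}
```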
From: qralston+ml.openssh-unix-dev at andrew.cmu.edu (James Ralston)
Date: Tue, 27 Mar 2001 17:03:20 -0500 (EST)
Subject: RFE: Portable OpenSSH
In-Reply-To: <200103271825.f2RIPgxf352181@jurassic.eng.sun.com>
Message-ID:

On Tue, 27 Mar 2001, Darren Moffat wrote:

> > now i must ask, especially since we have someone from sun
> > engineering paying attention to OpenSSH (hi Darren!), just why the
> > most beautifully engineered kernel architecture (solaris) does not
> > yet have a cryptographic-grade random device?!? the /dev/random
> > supplied with
>
> I can't comment officially but I'm sure you won't be disappointed in
> the future ;-)

If Sun's /dev/[u]random kernel module isn't backported as far back as Solaris 2.5.1, I'll be disappointed.

Yes, I know everything through Solaris 2.6 is now officially discontinued. But I consider the addition of a kernel-implemented /dev/random to be an important security fix, and IMO it should be available to Sun customers who are still working on upgrading to a supported version of Solaris (meaning, Solaris 7 or Solaris 8).

In our case, I estimate we'll have Solaris 2.6 machines lurking around for at least another 6-12 months, if not longer...

--
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA

From jmknoble at jmknoble.cx Wed Mar 28 08:15:55 2001
From: jmknoble at jmknoble.cx (Jim Knoble)
Date: Tue, 27 Mar 2001 17:15:55 -0500
Subject: Use of non-user readable (null password) private keys
In-Reply-To: ; from Piete.Brooks@cl.cam.ac.uk on Tue, Mar 27, 2001 at 09:09:10PM +0100
References:
Message-ID: <20010327171555.H1777@quipu.half.pint-stowp.cx>

Circa 2001-Mar-27 21:09:10 +0100 dixit Piete Brooks:

: I want to be able to give `group' or `other' access to capabilities.
:
: I do not want ACLs.

This is certainly something you ought to be able to do if you know what you're doing. Attached is a patch against OpenSSH-2.5.2p2 which implements relaxed restrictions on key permissions under the following conditions:

(1) You build openssh with ALLOW_RELAXED_KEY_PERMISSIONS defined (e.g., 'env CFLAGS=-DALLOW_RELAXED_KEY_PERMISSIONS ./configure').

(2) You call ssh with the (new) '-G' option if you want your key to be group-accessible (ssh allows the key to have permissions up to 0770)

or

You call ssh with the (new) '-W' option if you want your key to be world-accessible (ssh allows the key to have permissions up to 0775).

Platonic Questioning Session:

Socrates: Why didn't you make a config-file option for this?

Diogenes: I considered making a config-file option (for /etc/ssh/ssh_config or ~/.ssh/config), but decided against it because i think the user should have to say "Yes, i do in fact know what i'm doing" to use this facility.

Socrates: Why do i have to build with that stupid #define?

Diogenes: So that you don't blame me for the holes in your foot.

Socrates: Why didn't you make ssh emit a warning when the permissions are relaxed?

Diogenes: OpenSSH doesn't have a suitable warning facility. The closest available function is error(), which only makes output appear on stderr if ssh is called with '-v' (verbose). This should probably be fixed so that the regular warning (without -G or -W) appears regardless of whether ssh has been asked to be verbose, so that the user knows that ssh is going to ignore the key.
But fixing that is beyond the scope of this patch. Socrates: Why does ssh ask me for my passphrase if it's ignoring my private key due to relaxed permissions? Diogenes: Because the granularity of information returned by authfile.c:load_private_key() is too coarse. load_private_key() really ought to return a status which separates failure due to ownership/permissions from failure due to bad passphrase or whatnot. But fixing that is beyond the scope of this patch. Socrates: Why can't i pass a umask to ssh instead of choosing group or world access only? Diogenes: Good question. I considered this, but it's more ammunition for foot-shooting, and i think it requires more thought than i've been able to give it. Opinions from other folks are welcome. In the meantime, have some of this great-tasting herbal tea. Socrates: Why did you forget to attach the patch to this message? Are you stupid or something? Diogenes: Have some more tea. -- jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/ -------------- next part -------------- --- ./authfile.c.orig-keyperms Sun Mar 4 23:59:27 2001 +++ ./authfile.c Tue Mar 27 16:44:18 2001 @@ -497,11 +497,12 @@ int load_private_key(const char *filename, const char *passphrase, Key *key, - char **comment_return) + int allow_relaxed_key_permissions, char **comment_return) { int fd; int ret = 0; struct stat st; + unsigned int mode_mask = 077; fd = open(filename, O_RDONLY); if (fd < 0) 
@@ -511,9 +512,14 @@ #ifdef HAVE_CYGWIN if (check_ntsec(filename)) #endif + if (1 == allow_relaxed_key_permissions) { + mode_mask = 07; + } else if (2 == allow_relaxed_key_permissions) { + mode_mask = 01; + } if (fstat(fd, &st) < 0 || (st.st_uid != 0 && getuid() != 0 && st.st_uid != getuid()) || - (st.st_mode & 077) != 0) { + (st.st_mode & mode_mask) != 0) { close(fd); error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @"); --- ./ssh.c.orig-keyperms Sun Mar 18 17:38:16 2001 +++ ./ssh.c Tue Mar 27 16:44:04 2001 @@ -145,6 +145,11 @@ /* Should we execute a command or invoke a subsystem? */ int subsystem_flag = 0; +#ifndef ALLOW_RELAXED_KEY_PERMISSIONS +const +#endif +int allow_relaxed_key_permissions = 0; + /* Prints a help message to the user. This function never returns. */ void @@ -163,6 +168,10 @@ fprintf(stderr, " -x Disable X11 connection forwarding.\n"); fprintf(stderr, " -i file Identity for public key authentication " "(default: ~/.ssh/identity)\n"); +#ifdef ALLOW_RELAXED_KEY_PERMISSIONS + fprintf(stderr, " -G Allow private key to be group-accessible.\n"); + fprintf(stderr, " -W Allow private key to be world-accessible.\n"); +#endif fprintf(stderr, " -t Tty; allocate a tty even if command is given.\n"); fprintf(stderr, " -T Do not allocate a tty.\n"); fprintf(stderr, " -v Verbose; display verbose debugging messages.\n"); @@ -375,6 +384,14 @@ SSH_MAX_IDENTITY_FILES); options.identity_files[options.num_identity_files++] = xstrdup(optarg); break; +#ifdef ALLOW_RELAXED_KEY_PERMISSIONS + case 'G': + allow_relaxed_key_permissions = 1; + break; + case 'W': + allow_relaxed_key_permissions = 2; + break; +#endif case 't': if (tty_flag) force_tty_flag = 1; 
@@ -635,7 +652,7 @@ host_private_key = RSA_new(); k.type = KEY_RSA1; k.rsa = host_private_key; - if (load_private_key(_PATH_HOST_KEY_FILE, "", &k, NULL)) + if (load_private_key(_PATH_HOST_KEY_FILE, "", &k, 0, NULL)) host_private_key_loaded = 1; } /* --- ./ssh-keygen.c.orig-keyperms Sun Mar 18 17:38:16 2001 +++ ./ssh-keygen.c Tue Mar 27 16:44:04 2001 @@ -115,9 +115,9 @@ try_load_key(char *filename, Key *k) { int success = 1; - if (!load_private_key(filename, "", k, NULL)) { + if (!load_private_key(filename, "", k, 0, NULL)) { char *pass = read_passphrase("Enter passphrase: ", 1); - if (!load_private_key(filename, pass, k, NULL)) { + if (!load_private_key(filename, pass, k, 0, NULL)) { success = 0; } memset(pass, 0, strlen(pass)); @@ -454,12 +454,12 @@ } /* Try to load the file with empty passphrase. */ private = key_new(type); - if (!load_private_key(identity_file, "", private, &comment)) { + if (!load_private_key(identity_file, "", private, 0, &comment)) { if (identity_passphrase) old_passphrase = xstrdup(identity_passphrase); else old_passphrase = read_passphrase("Enter old passphrase: ", 1); - if (!load_private_key(identity_file, old_passphrase, private, &comment)) { + if (!load_private_key(identity_file, old_passphrase, private, 0, &comment)) { memset(old_passphrase, 0, strlen(old_passphrase)); xfree(old_passphrase); printf("Bad passphrase.\n"); @@ -543,7 +543,7 @@ } private = key_new(KEY_RSA1); - if (load_private_key(identity_file, "", private, &comment)) + if (load_private_key(identity_file, "", private, 0, &comment)) passphrase = xstrdup(""); else { if (identity_passphrase) 
@@ -553,7 +553,7 @@ else passphrase = read_passphrase("Enter passphrase: ", 1); /* Try to load using the passphrase. */ - if (!load_private_key(identity_file, passphrase, private, &comment)) { + if (!load_private_key(identity_file, passphrase, private, 0, &comment)) { memset(passphrase, 0, strlen(passphrase)); xfree(passphrase); printf("Bad passphrase.\n"); --- ./sshconnect1.c.orig-keyperms Thu Mar 8 19:12:23 2001 +++ ./sshconnect1.c Tue Mar 27 16:44:04 2001 @@ -51,6 +51,12 @@ extern Options options; extern char *__progname; +extern +#ifndef ALLOW_RELAXED_KEY_PERMISSIONS + const +#endif + int allow_relaxed_key_permissions; + /* * Checks if the user has an authentication agent, and if so, tries to * authenticate using the agent. @@ -257,7 +263,8 @@ * Load the private key. Try first with empty passphrase; if it * fails, ask for a passphrase. */ - if (!load_private_key(authfile, "", private, NULL)) { + if (!load_private_key(authfile, "", private, + allow_relaxed_key_permissions, NULL)) { char buf[300]; snprintf(buf, sizeof buf, "Enter passphrase for RSA key '%.100s': ", comment); @@ -270,7 +277,8 @@ } /* Load the authentication file using the pasphrase. */ - if (!load_private_key(authfile, passphrase, private, NULL)) { + if (!load_private_key(authfile, passphrase, private, + allow_relaxed_key_permissions, NULL)) { memset(passphrase, 0, strlen(passphrase)); xfree(passphrase); error("Bad passphrase."); --- ./sshconnect2.c.orig-keyperms Mon Mar 12 23:57:59 2001 +++ ./sshconnect2.c Tue Mar 27 16:44:04 2001 @@ -61,6 +61,12 @@ extern char *server_version_string; extern Options options; +extern +#ifndef ALLOW_RELAXED_KEY_PERMISSIONS + const +#endif + int allow_relaxed_key_permissions; + /* * SSH2 key exchange */ 
@@ -906,7 +912,8 @@ return NULL; } private = key_new(KEY_UNSPEC); - if (!load_private_key(filename, "", private, NULL)) { + if (!load_private_key(filename, "", private, + allow_relaxed_key_permissions, NULL)) { if (options.batch_mode) { key_free(private); return NULL; @@ -917,7 +924,8 @@ passphrase = read_passphrase(prompt, 0); if (strcmp(passphrase, "") != 0) { success = load_private_key(filename, - passphrase, private, NULL); + passphrase, private, + allow_relaxed_key_permissions, NULL); quit = 0; } else { debug2("no passphrase given, try next key"); --- ./sshd.c.orig-keyperms Mon Mar 19 06:36:20 2001 +++ ./sshd.c Tue Mar 27 16:44:04 2001 @@ -482,7 +482,7 @@ /* Ok, try key with empty passphrase */ private = key_new(type); - if (load_private_key(filename, "", private, NULL)) { + if (load_private_key(filename, "", private, 0, NULL)) { debug("load_private_key_autodetect: type %d %s", private->type, key_type(private)); return private; --- ./authfile.h.orig-keyperms Sun Nov 5 20:39:34 2000 +++ ./authfile.h Tue Mar 27 16:44:04 2001 @@ -46,6 +46,7 @@ */ int load_private_key(const char *filename, const char *passphrase, - Key * private_key, char **comment_return); + Key * private_key, int allow_relaxed_key_permissions, + char **comment_return); #endif --- ./ssh-add.c.orig-keyperms Mon Mar 12 23:57:59 2001 +++ ./ssh-add.c Tue Mar 27 16:44:04 2001 @@ -172,7 +172,7 @@ /* At first, try empty passphrase */ private = key_new(type); - success = load_private_key(filename, "", private, &comment); + success = load_private_key(filename, "", private, 0, &comment); if (!success) { printf("Need passphrase for %.200s\n", filename); if (!interactive && askpass == NULL) { @@ -193,7 +193,7 @@ xfree(saved_comment); return; } - success = load_private_key(filename, pass, private, &comment); + success = load_private_key(filename, pass, private, 0, &comment); memset(pass, 0, strlen(pass)); xfree(pass); if (success) From dankamin at cisco.com Wed Mar 28 08:17:04 2001 
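Review bot: in the second authfile.c hunk (@@ -511,9 +512,14 @@) the new "if (1 == allow_relaxed_key_permissions) { ... } else if (2 == ...) { ... }" chain is inserted directly under "#ifdef HAVE_CYGWIN / if (check_ntsec(filename)) / #endif", so on Cygwin that condition now guards only the mask selection and no longer the fstat()/mode test that follows it; the permission check then runs even where check_ntsec() reports it should be skipped. Move the mask selection above the #ifdef block (or brace the whole check) so check_ntsec() keeps guarding the test it was written for.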
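Review bot: the world level in that same authfile.c hunk sets "mode_mask = 01", which clears only the other-execute bit, so a key file at mode 0666 or 0776 passes the test although the cover message promises at most 0775; a world-writable private key can be replaced by any local user, so mask at least the other-write bit ("03", or "02" if execute is irrelevant). The group level's "07" likewise accepts group-writable keys (0770), which matches the message but deserves the same thought.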
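Review bot: the ssh.c usage hunk (@@ -163,6 +168,10 @@) adds -G and -W to the help text only; ssh.1 is not part of the patch and should describe both options, including that they exist only in builds with ALLOW_RELAXED_KEY_PERMISSIONS defined.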
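Review bot: the ssh.c option hunk (@@ -375,6 +384,14 @@) adds "case 'G':" and "case 'W':" to the switch but the diff does not touch the option string handed to getopt(); unless "GW" is added there, both flags are rejected before the switch is reached. Please show that change in the patch.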
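Review bot: in the authfile.h hunk the new parameter is a bare "int allow_relaxed_key_permissions" whose values (0 strict, 1 group, 2 world) can only be learned by reading authfile.c; give the levels names (an enum or #defines), use them at the call sites instead of the literal 0/1/2, and extend the comment block above the prototype to document the parameter.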
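Review bot: both ssh-add.c hunks pass 0, so a group- or world-readable key cannot be loaded into the agent even by a user who asked for relaxed checks; since ssh-add is the natural way to use a shared key, either give it the same option or state the limitation in the cover message.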
From: dankamin at cisco.com (Dan Kaminsky)
Date: Tue, 27 Mar 2001 14:17:04 -0800
Subject: OpenSSh 2.5.2p2 on Linux/Sparc
References: <71D01DB8DA698947A6F5D666D62A2DB001C3C0@exchange.livecapital.com>
Message-ID: <064701c0b70b$a7f49080$1200040a@na.cisco.com>

> Ahh...I see now. Sorry about that...
>
> Anyway, back to OpenSSH packages on Linux/SPARC: Does anyone have a desire
> to have packages for this platform?

This will definitely be useful to some, particularly with things like the $1000 Netra rackmount floating around out there.

> And if this is a desirable thing, can someone give me a place to store the
> files? I currently don't have a hosting provider. (My web site is only
> online when I am, in other words...)

I'm sure there is space available for the packages themselves in the normal OpenSSH locations. Past that, if you or anyone else here would like hosting for a SSH-oriented project, please contact me.

Yours Truly,

Dan Kaminsky, CISSP
http://www.doxpara.com

From jason at dfmm.org Wed Mar 28 08:20:45 2001
From: jason at dfmm.org (Jason Stone)
Date: Tue, 27 Mar 2001 14:20:45 -0800 (PST)
Subject: 2.5.2p2 ssh-keyscan installed group writable?
In-Reply-To:
Message-ID:

> and i also wonder why isn't ssh group, other readable:
>
> no)
> AC_MSG_RESULT(no)
> SSHMODE=0711
> ;;
> *) AC_MSG_RESULT(yes)
> SSHMODE=04711

Because it's (unfortunately) setuid, and you don't want people to be able to easily read your setuid binaries. For example, a linux exploit was just published today which allows any setuid binary to be exploited, but in order for the exploit to work, you have to run objdump on the binary to find the bss offset. If the binary is not readable, then the above attack is frustrated (though not prevented).

Yet another reminder that suid binaries are A Bad Thing.

-Jason

---------------------------
If the Revolution comes to grief, it will be because you and those you lead have become alarmed at your own brutality. --John Gardner

From markus.friedl at informatik.uni-erlangen.de Wed Mar 28 08:46:54 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 28 Mar 2001 00:46:54 +0200
Subject: RFE: Portable OpenSSH
In-Reply-To: <061401c0b701$dfe91a60$1200040a@na.cisco.com>; from dankamin@cisco.com on Tue, Mar 27, 2001 at 01:07:03PM -0800
References: <200103272058.f2RKwExf388024@jurassic.eng.sun.com> <061401c0b701$dfe91a60$1200040a@na.cisco.com>
Message-ID: <20010328004654.A23300@folly>

On Tue, Mar 27, 2001 at 01:07:03PM -0800, Dan Kaminsky wrote:
> Anyway, these aren't theoretical complaints. I had the:
>
> 1. Copy files over
> 2. Damnit, forgot SCP.
> 3. Copy SCP over.
> 4. Damnit, forgot libz.
> 5. Copy libz over.
> 6. Damnit, forgot the list of prng commands
> 7. Copy list over
> 8. Run SCP

what about:

1) copy the tar file over.
2) done.

From jason at dfmm.org Wed Mar 28 08:33:47 2001
From: jason at dfmm.org (Jason Stone)
Date: Tue, 27 Mar 2001 14:33:47 -0800 (PST)
Subject: Use of non-user readable (null password) private keys
In-Reply-To: <20010327163843.I16622@cygbert.vinschen.de>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>> Executive summary: Why can I not have a private key which is `public' ?
> is this a good idea?
> many ppl are confused by private/public distinction and are starting
> to change permissions for all kind of files.

Yes, it's probably a bad idea, but there are times when it can be useful,
and the badness can be mitigated (command-squashing on the server side,
eg), especially if the key is publicly readable but still encrypted.

Yes, users sometimes don't know what they're doing - but that's no excuse
to deny some feature. At the very least, allow a
"-o I_REALLY_KNOW_WHAT_IM_DOING" flag.

"UNIX wasn't designed to keep you from doing stupid things, because that
would keep you from doing clever things."

> You can perform this action by not starting ssh directly but
> by starting an intermediate executable which
>
> - Checks if the calling user is allowed to perform that specific action.
> - Sets uid to the uid which owns the ssh private key for that action.
> - Calls in turn ssh to perform the action.

I think that this would be much worse, as any time you start cooking up
setuid binaries you start to weaken the whole system.

 -Jason

 ---------------------------
 If the Revolution comes to grief, it will be because you and those you
 lead have become alarmed at your own brutality.
  --John Gardner

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE6wRVOswXMWWtptckRAlW+AKCkhmuvHJQ1pMA5vCBemAyz+PArVQCgoDio
FQjRo33szPURRfDVfam7p8Y=
=aCFW
-----END PGP SIGNATURE-----

From markus.friedl at informatik.uni-erlangen.de Wed Mar 28 09:00:29 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 28 Mar 2001 01:00:29 +0200
Subject: 2.5.2p2 ssh-keyscan installed group writable?
In-Reply-To: ; from jason@dfmm.org on Tue, Mar 27, 2001 at 02:20:45PM -0800
References:
Message-ID: <20010328010029.A15215@folly>

On Tue, Mar 27, 2001 at 02:20:45PM -0800, Jason Stone wrote:
> Yet another reminder that suid binaries are A Bad Thing.

feel free to rewrite the rhosts-rsa client side auth without having
ssh setuid. i'll be happy if i can integrate a patch that does this.

-m

From markus.friedl at informatik.uni-erlangen.de Wed Mar 28 09:06:50 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 28 Mar 2001 01:06:50 +0200
Subject: Use of non-user readable (null password) private keys
In-Reply-To: ; from Piete.Brooks@cl.cam.ac.uk on Tue, Mar 27, 2001 at 05:44:04PM +0100
References:
Message-ID: <20010328010650.A10805@folly>

On Tue, Mar 27, 2001 at 05:44:04PM +0100, Piete Brooks wrote:
> 2) How about `if owned by root, can be readable by others' (root is no bozo)

root is :)

> 4) ... and has the sticky bit set

this seems a simple solution....

From dankamin at cisco.com Wed Mar 28 09:07:40 2001
From: dankamin at cisco.com (Dan Kaminsky)
Date: Tue, 27 Mar 2001 15:07:40 -0800
Subject: RFE: Portable OpenSSH
References: <200103272058.f2RKwExf388024@jurassic.eng.sun.com> <061401c0b701$dfe91a60$1200040a@na.cisco.com> <20010328004654.A23300@folly>
Message-ID: <06d501c0b712$b8f0ff70$1200040a@na.cisco.com>

> 1) copy the tar file over.
> 2) done.

*smile*

I did copy over the tarball--that's me copying over "files". Forgot to put
scp in, oops. Forgot to put libz in, that's annoying. Forgot to put
ssh_prng_cmds in, now it's getting ridiculous :-)

Markus, it's an imperfect world. SSH is built around that presumption.
I've had a personal rule ever since I started seriously working on tech,
which was: Never Make Things Worse. SSH1 binaries can be thrown almost
anywhere and, provided they're compiled for that general architecture, will
work. We need that, and for the most part, we *have* that. Vast external
dependencies increase the likelihood that things will get worse, because
they increase the likelihood that critical files won't get placed in the
exact right place, not to mention the likelihood that they won't be able to
live anywhere else but somewhere root can go. SSH can operate entirely
from usermode, and to remove that functionality would be to Make Things
Worse.

--Dan

From djm at mindrot.org Wed Mar 28 09:18:45 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 28 Mar 2001 09:18:45 +1000 (EST)
Subject: RFE: Portable OpenSSH
In-Reply-To: <050901c0b6ed$0021e6a0$1200040a@na.cisco.com>
Message-ID:

On Tue, 27 Mar 2001, Dan Kaminsky wrote:

> Damien--
>
> *time to trot out the grizzled-veteran-of-the-ssh-wars stories*
>
> Here's da scoop. So we put out a package of OpenSSH 2.2.0p1 a while
> back that required a Perl2Exe'd package of EGD. Got adopted by about five
> people. Turns out that the more system-level dependencies you put on
> software, the less likely people are going to be willing or able to install
> it.

Most people griped about EGD's >1Mb working set and that they didn't want
to depend on PERL daemons for security.

> Kernelspace is the place where random number generation should
> live--period. However, should kernelspace randomness fail to exist,
> mandating the use of a pseudo-kernelspace emulation layer with prngd
> forces userspace binary dependencies. As is, all ssh binaries
> are independent, i.e. sshd does not require ssh does not require
> ssh-keygen. At the points where semi-dependencies exist--scp and
> sftp-server from sshd--we see the greatest occurrence of SSH failure
> and annoyance. But when scp and sftp-server don't exist, you can't
> conveniently transfer files. When prngd wouldn't exist, however,
> you wouldn't be able to do *anything*. No SSHD, no SSH, no nothing.

This isn't quite true. sshd needs to fill its entropy pool at startup,
it can then survive without PRNGd until OpenSSL deems the pool no longer
has enough entropy.

> But who would be running prngd? Let's say every user used their
> own entropy gatherer. Instead of entropy gathering on demand, when
> the ssh executables were actually being called, each user would be
> hammering the box continually. That's not elegant,

Bingo - this is exactly what OpenSSH does at the moment.

> of course, so let's presume there's only one user running prngd that
> every user shares in the entropy of.
> That user running prngd better
> be root, unless you like the idea of SSHD getting its entropy stream
> from an untrusted user. So now users cannot safely run ssh without
> the root user starting up a daemon?

Well root has to run init too, so there is precedent.

> Granted, this starts getting ridiculous, but my point is
> that setting up convoluted and non-obvious dependencies in SSH
> is something to avoid. I *like* the idea of prngd, actually--I
> just don't like the idea of SSH utilities failing to function
> without it. Let's be flexible here--*in runtime*, check for
> /dev/random (kernelspace), failing that check for a central prngd
> daemon (root kernelspace emulation), failing that check for a
> userspace prngd daemon we can run for a few minutes until it builds
> up n bits of entropy (user kernelspace emulation)...

What is the advantage of all this runtime checking? Systems with
/dev/random should _always_ have it available.

> And if all else fails, just do the damn commands yourself.
> Don't go load a list of commands from somewhere in ETCDIR, though
> grab that list if you can find it--have a list of commands that work
> on this platform compiled into an array in the binary and go through
> them.

No, the "hash a big list of commands" is what we want to get away from.
I really don't like root owned or suid executables running long lists of
system commands when it is not their business to.

PRNGd has been designed (and audited) to do this task well.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From GILBERT.R.LOOMIS at saic.com Wed Mar 28 09:11:36 2001
From: GILBERT.R.LOOMIS at saic.com (Loomis, Rip)
Date: Tue, 27 Mar 2001 18:11:36 -0500
Subject: 2.5.2p2 ssh-keyscan installed group writable?
Message-ID: <791BD3CB503DD411A6510008C7CF647701F40AAB@col-581-exs01.cist.saic.com>

Jason--

SetUID binaries are *not* A Bad Thing. SetUID binaries are A Powerful
Tool. Sometimes a power hammer (using .22 shells) can do things that a
regular claw hammer can't. That doesn't mean that it's safe to use for
the novice.

The correct answer for OpenSSH is, IMHO:

1. Continue to support SetUID installation of the ssh client in order to
   support rsa-rhosts auth--but perhaps the default should transition over
   to non-SetUID (with a big warning note!)

2. Install *all* executables (not just SetUID) as mode 511 (or 4511 if
   appropriate). There's no reason why root needs to be able to routinely
   overwrite them, and there's no reason why non-root users need to be
   able to routinely copy them or run strings/objdump on them... so why
   allow it? This will require an additional step during an upgrade, but
   could also prevent accidental or intentional overwriting which is not
   desirable.

I know of at least one system where when given a user-level account on
this supposedly-secure system, it took me less than 20 minutes to find a
poorly-written local SetUID binary, run strings against it, discover a call
to an external binary *with a relative path*, craft an exploit, and take
root. That was an extreme case...but it would have been near impossible if
the perms on that poorly-written binary had been more sensible. It doesn't
mean that the idea of SetUID binaries is fundamentally flawed, since there
are sometimes things which cannot be accomplished in any other feasible
way.

Comments?

Rip Loomis
Voice Number: (410) 953-6874
--------------------------------------------------------
Senior Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com

> -----Original Message-----
> From: Jason Stone [mailto:jason at dfmm.org]
> Sent: Tuesday, March 27, 2001 5:21 PM
> To: Kevin Steves
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: 2.5.2p2 ssh-keyscan installed group writable?
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> > and i also wonder why isn't ssh group, other readable:
> >
> >         no)
> >                 AC_MSG_RESULT(no)
> >                 SSHMODE=0711
> >                 ;;
> >         *)      AC_MSG_RESULT(yes)
> >                 SSHMODE=04711
>
> Because it's (unfortunately) setuid, and you don't want
> people to be able
> to easily read your setuid binaries.
>
> For example, a linux exploit was just published today which allows any
> setuid binary to be exploited, but in order for the exploit
> to work, you
> have to run objdump on the binary to find the bss offset. If
> the binary
> is not readable, then the above attack is frustrated (though not
> prevented).
>
> Yet another reminder that suid binaries are A Bad Thing.
>
>
>  -Jason

From djm at mindrot.org Wed Mar 28 09:20:17 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 28 Mar 2001 09:20:17 +1000 (EST)
Subject: RFE: Portable OpenSSH
In-Reply-To: <20010327123403.B24424@pianosa.catch22.org>
Message-ID:

On Tue, 27 Mar 2001, David Terrell wrote:

> Why not include PRNGd source with OpenSSH, install it, and if sshd
> fails to get any entropy, start PRNGd and try again? It doesn't
> work for client-only ssh usage (though if the ssh command is setuid,
> it could, but that's probably a really bad idea for other reasons).

Note that I really don't want to go down the road of including source
to other programs in the portable tarball.

BTW autoconf already detects the presence of a PRNGd socket and will
try to use that.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From Phil.Pennock at globnix.org Wed Mar 28 09:23:25 2001
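The permission argument running through Jason's SSHMODE=0711 note and Rip Loomis's mode 511/4511 proposal above, as an added audit script that is not part of the thread or of OpenSSH's build system: it lists setuid/setgid files that group or world can read (and so can run strings/objdump on) and computes the tightened mode Loomis describes. The sample paths and modes are constructed.

```python
"""Audit a tree for setuid/setgid executables that other users can read
and compute the tightened mode proposed in the thread (511, or 4511 for
setuid binaries).  Added example; it is not part of OpenSSH's build
system, and the sample paths and modes below are constructed."""
import os
import stat


def readable_by_others(mode):
    """True when the group or world read bit is set."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def is_privileged(mode):
    """True for setuid or setgid files."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def hardened_mode(mode):
    """Keep the owner read bit, all execute bits and the setuid/setgid/
    sticky bits; drop every other bit.  0o4755 -> 0o4511 and 0o755 ->
    0o511, the layout suggested above: nobody can read or overwrite the
    file without chmod'ing it first (root still can, but not by accident)."""
    keep = (stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX
            | stat.S_IRUSR | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return mode & keep


def audit(entries):
    """entries: iterable of (path, mode) pairs.  Returns one dict per
    privileged file that group or others can read, with the current and
    suggested permission bits as octal strings."""
    findings = []
    for path, mode in entries:
        if is_privileged(mode) and readable_by_others(mode):
            findings.append({
                "path": path,
                "mode": format(mode & 0o7777, "o"),
                "suggested": format(hardened_mode(mode), "o"),
            })
    return findings


def scan_tree(root):
    """Yield (path, mode) for every regular file under root.  lstat is used
    so symlinks are not followed, and an unreadable entry is skipped rather
    than aborting the whole audit."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, stat.S_IMODE(st.st_mode)


def audit_tree(root):
    """Run the audit over a real directory, e.g. the install prefix."""
    return audit(scan_tree(root))


# Constructed sample, not real installed files.
SAMPLE = [
    ("/usr/local/bin/ssh", 0o4755),        # setuid and world readable
    ("/usr/local/bin/ssh-keygen", 0o711),  # not privileged, ignored
    ("/usr/local/bin/scp", 0o4711),        # setuid but unreadable: fine
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("%s mode %s -> chmod %s" % (f["path"], f["mode"], f["suggested"]))
```

Point `audit_tree()` at the install prefix to check a real installation; note that dropping the owner write bit, as Loomis proposes, means an upgrade has to chmod before overwriting.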
From: Phil.Pennock at globnix.org (Phil Pennock)
Date: Wed, 28 Mar 2001 01:23:25 +0200
Subject: 2.5.2p2 ssh-keyscan installed group writable?
In-Reply-To: <20010327084200.A29198@mtu.edu>; from celinn@mtu.edu on Tue, Mar 27, 2001 at 08:42:00AM -0500
References: <20010327084200.A29198@mtu.edu>
Message-ID: <20010328012324.A9404@globnix.org>

On 2001-03-27 at 08:42 -0500, Christopher Linn gifted us with:
> it is common practice to deny readability to suid binaries, and this
> results in no loss of functionality. i *think* this is so users
> cannot copy and analyze the binary for e.g. buffer overruns
> and the like.

IIRC, there are some hideously broken Unices where you can trace
processes if you can read the executable, even if it's setuid. I think
that exec*() would _only_ drop tracing if you didn't have read permission
on the executed binary.

At least, this was the argument used some years back, back when I was but
a grasshopper.
--
Science without religion is lame; religion without science is blind.
 -- Albert Einstein, Reader's Digest, Nov. 1973

From djm at mindrot.org Wed Mar 28 09:27:11 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 28 Mar 2001 09:27:11 +1000 (EST)
Subject: Use of non-user readable (null password) private keys
In-Reply-To:
Message-ID:

On Tue, 27 Mar 2001, Piete Brooks wrote:

> > however it's a bad idea to have the private key group or world readable,
>
> For a normal user's key, of course.
>
> But not for a capability you want to grant to a number of people.

You can copy the keyfiles, or create individual ones.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From djm at mindrot.org Wed Mar 28 09:31:42 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 28 Mar 2001 09:31:42 +1000 (EST)
Subject: Use of non-user readable (null password) private keys
In-Reply-To:
Message-ID:

On Tue, 27 Mar 2001, Piete Brooks wrote:

> > Example:
> ...
> > Security has now been compromised.
>
> Sure -- I can see how having user private keys readable is not a good idea.
>
> What I want is the *ABILITY* to have public `capabilities' which can
> perform a fixed operation (e.g. prod a server) which is `harmless'.

You should consider using multiple keys with forced commands. i.e. have
each user generate and supply the public key to you. On the server enter
the public keys into the authorized_keys{,2} file with restrictions:

command="cvs server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAABfJtMq9ljkcsuEy3q6xGMGAAAIEAyUcRmH00888pLqzb+UFZFF3oSjL3vcIlzTVW0b8UtfYHjZkfeQd2tl0KuIK8ilf8FrulOWSYBNHVpv8ZyxPqW01OatuZm9cxKWDMV/uukJFrTWQS3NzaC1yc2EAAzNJHEbH369HEAAGXSB8wDeypUWYP9WKKNFjkhltOBIw= user at somewhere.org

You can then lock individual users out without making everyone change key.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From djm at mindrot.org Wed Mar 28 09:33:12 2001
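The forced-command entry Damien shows above, as an added audit script that is not from the thread or from OpenSSH: it parses authorized_keys lines (options with quoted commas, key type, key, comment), reports entries that lack the command= and no-*-forwarding restrictions, and builds a correctly escaped restricted entry from a plain public key. The key blobs and comments in the sample file are constructed placeholders; the parsing rules follow the documented authorized_keys format.

```python
"""Parse and audit OpenSSH authorized_keys entries for the per-key
restrictions shown above (a forced command plus the no-*-forwarding
options).  Added example, not OpenSSH code; key material and comments
below are constructed placeholders."""

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# The restrictions applied in the example entry from the thread.
FORWARDING_OPTS = ("no-port-forwarding", "no-X11-forwarding",
                   "no-agent-forwarding")


def split_options(text):
    """Split the leading options field of an authorized_keys line.
    Commas inside double quotes belong to the value (command="a,b"),
    a backslash escapes the next character inside quotes, and the field
    ends at the first unquoted whitespace.  Returns (options, remainder)."""
    opts, cur, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if quoted:
            if c == "\\" and i + 1 < len(text):
                cur.append(text[i + 1])
                i += 1
            elif c == '"':
                quoted = False
            else:
                cur.append(c)
        elif c == '"':
            quoted = True
        elif c == ",":
            opts.append("".join(cur))
            cur = []
        elif c.isspace():
            break
        else:
            cur.append(c)
        i += 1
    opts.append("".join(cur))
    return opts, text[i:].lstrip()


def parse_entry(line):
    """Return {'options', 'type', 'key', 'comment'}, or None for blank and
    comment lines.  Flag options map to True, name=value options to the
    unquoted value."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, rest = {}, line
    if line.split(None, 1)[0] not in KEY_TYPES:
        raw, rest = split_options(line)
        for item in raw:
            name, sep, value = item.partition("=")
            options[name] = value if sep else True
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("malformed authorized_keys entry: %r" % line)
    return {"options": options, "type": parts[0], "key": parts[1],
            "comment": parts[2] if len(parts) == 3 else ""}


def missing_restrictions(entry):
    """Names of the restrictions from the example entry that this entry
    lacks.  A forced command alone still lets the client request port,
    X11 and agent forwarding; 'restrict' (OpenSSH 7.2+) covers them all."""
    opts = entry["options"]
    missing = [] if "command" in opts else ["command"]
    if "restrict" not in opts:
        missing += [o for o in FORWARDING_OPTS if o not in opts]
    return missing


def restricted_entry(pubkey_line, command):
    """Build a restricted entry for a plain public key, escaping quotes
    and backslashes in the command so the options field parses back."""
    escaped = command.replace("\\", "\\\\").replace('"', '\\"')
    return 'command="%s",%s %s' % (escaped, ",".join(FORWARDING_OPTS),
                                    pubkey_line.strip())


def audit(lines):
    """(comment, missing) for every entry that is not fully restricted."""
    report = []
    for line in lines:
        entry = parse_entry(line)
        if entry is not None and missing_restrictions(entry):
            report.append((entry["comment"], missing_restrictions(entry)))
    return report


# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE_PLAIN = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0PLACEHOLDER bob@example.org"
SAMPLE_RESTRICTED = ('command="cvs server",no-port-forwarding,no-X11-forwarding,'
                     'no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC1'
                     'PLACEHOLDER alice@example.org')
SAMPLE_FILE = ["# keys for the cvs server", SAMPLE_RESTRICTED, SAMPLE_PLAIN]

if __name__ == "__main__":
    for comment, missing in audit(SAMPLE_FILE):
        print("%s is missing: %s" % (comment, ", ".join(missing)))
```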
From: djm at mindrot.org (Damien Miller)
Date: Wed, 28 Mar 2001 09:33:12 +1000 (EST)
Subject: Expired password handling in openssh-2.5.1p1/2
In-Reply-To: <3AC0E6E3.4B56753A@daac.gsfc.nasa.gov>
Message-ID:

On Tue, 27 Mar 2001, Kevin Taylor wrote:

> > there is only support thru PAM right now. i had started a
> > multi-platform password interface last year, and while it was close to
> > the point of being integrated, i have been side-tracked with stuff that
> > was more interesting to work on. adding just code to run passwd if the
> > password has expired isn't hard, and maybe we should do that.
>
> Has any of this ended up in the current openssh portable code?

Not as yet.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From djm at mindrot.org Wed Mar 28 09:38:35 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 28 Mar 2001 09:38:35 +1000 (EST)
Subject: OpenSSh 2.5.2p2 on Linux/Sparc
In-Reply-To: <71D01DB8DA698947A6F5D666D62A2DB001C3C0@exchange.livecapital.com>
Message-ID:

On Tue, 27 Mar 2001, Lewandowsky, Matt wrote:

> Ahh...I see now. Sorry about that...
>
> Anyway, back to OpenSSH packages on Linux/SPARC: Does anyone have a desire
> to have packages for this platform?

If you are willing to build them and keep them reasonably up to date, then
I would be happy to put a link to them on the portable.html page.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From djm at mindrot.org Wed Mar 28 09:43:43 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 28 Mar 2001 09:43:43 +1000 (EST)
Subject: Use of non-user readable (null password) private keys
In-Reply-To:
Message-ID:

On Tue, 27 Mar 2001, Jason Stone wrote:

> Yes, users sometimes don't know what they're doing - but that's no excuse
> to deny some feature. At the very least, allow a
> "-o I_REALLY_KNOW_WHAT_IM_DOING" flag.
>
> "UNIX wasn't designed to keep you from doing stupid things, because that
> would keep you from doing clever things."

OpenSSH doesn't deviate from this tradition. Since the file you want to
use is group readable, you can simply make a local copy.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From djm at mindrot.org Wed Mar 28 09:47:33 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 28 Mar 2001 09:47:33 +1000 (EST)
Subject: RFE: Portable OpenSSH
In-Reply-To: <06d501c0b712$b8f0ff70$1200040a@na.cisco.com>
Message-ID:

On Tue, 27 Mar 2001, Dan Kaminsky wrote:

> > 1) copy the tar file over.
> > 2) done.
>
> *smile*
>
> I did copy over the tarball--that's me copying over "files". Forgot to put
> scp in, oops. Forgot to put libz in, that's annoying. Forgot to put
> ssh_prng_cmds in, now it's getting ridiculous :-)

OpenSSH's makefile makes it _very_ simple to make packages for
installation on other machines:

./configure [whatever]
make
make install DESTDIR=./fakeroot
cd fakeroot
tar cvf - ./* | gzip -9 > ../ssh-bin.tar.gz
cd ..
rm -rf fakeroot

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From rachit at ensim.com Wed Mar 28 09:55:12 2001
From: rachit at ensim.com (Rachit Siamwalla)
Date: Tue, 27 Mar 2001 15:55:12 -0800
Subject: 2.5.2p2 ssh-keyscan installed group writable?
References: <791BD3CB503DD411A6510008C7CF647701F40AAB@col-581-exs01.cist.saic.com>
Message-ID: <3AC12860.217BB4C7@ensim.com>

I totally agree and understand this example, but I can't help thinking
relying on read permissions to "secure" a binary is exactly the same as
"security through obscurity" :)

-rchit

> 2. Install *all* executables (not just SetUID)
> as mode 511 (or 4511 if appropriate).
> There's no reason why root needs to be
> able to routinely overwrite them,
> and there's no reason why non-root
> users need to be able to routinely
> copy them or run strings/objdump on them...
> so why allow it? This will require
> an additional step during an upgrade,
> but could also prevent accidental
> or intentional overwriting which is
> not desirable.

From mattl at livecapital.com Wed Mar 28 09:51:47 2001
From: mattl at livecapital.com (Lewandowsky, Matt)
Date: Tue, 27 Mar 2001 15:51:47 -0800
Subject: OpenSSh 2.5.2p2 on Linux/Sparc
Message-ID: <71D01DB8DA698947A6F5D666D62A2DB001C3C5@exchange.livecapital.com>

OK. How much longer is 2.5.2p2 projected to be the current version? If
not long, I won't go out of my way to make sure I can get *some* working
package set up this coming weekend. I'll instead spend it making sure I
know every pitfall I may encounter... If it will be around for at least
another month or two, then I'll be sure to get something out this
weekend...

Anyone interested in testing my packages? I'll try to make .deb, .rpm, and
Slackware .tgz packages to start. Volunteers for any or all are welcome. ;)

--Matt

> -----Original Message-----
> From: Damien Miller [mailto:djm at mindrot.org]
> Sent: Tuesday, March 27, 2001 3:39 PM
> To: Lewandowsky, Matt
> Cc: 'mouring at etoh.eviladmin.org'; openssh-unix-dev at mindrot.org
> Subject: RE: OpenSSh 2.5.2p2 on Linux/Sparc
>
>
> On Tue, 27 Mar 2001, Lewandowsky, Matt wrote:
>
> > Ahh...I see now. Sorry about that...
> >
> > Anyway, back to OpenSSH packages on Linux/SPARC: Does
> anyone have a desire
> > to have packages for this platform?
>
> If you are willing to build them and keep the reasonably up
> to date, then
> I would be happy to put a link to them on the portable.html page.
>
> -d
>
> --
> | Damien Miller \ ``E-mail attachments are
> the poor man's
> | http://www.mindrot.org / distributed
> filesystem'' - Dan Geer
>

From sxw at dcs.ed.ac.uk Wed Mar 28 09:59:20 2001
From: sxw at dcs.ed.ac.uk (Simon Wilkinson)
Date: Wed, 28 Mar 2001 00:59:20 +0100 (BST)
Subject: Kerberos 5 and OpenSSH 2.5.2p2
In-Reply-To: Simon Wilkinson's message of Tue, 27 Mar 2001 02:33:35 +0100 (BST)
Message-ID: <200103272359.AAA01393@canna.dcs.ed.ac.uk>

> I'll be posting a "two diff" version of this patch tomorrow, with the GSSAPI
> support split off from the KRB5 stuff, in the hope that they can be
> progressed separately.

I've now done this. Patches are available from
http://www.sxw.org.uk/computing/patches/openssh.html

In addition to separating the GSSAPI code from the native Kerberos stuff,
the new patches also fix a problem in the GSSAPI code which could lead to
SEGVs when the user was not being authenticated via GSSAPI.

Comment and review is greatly appreciated.

Cheers,

Simon

From dankamin at cisco.com Wed Mar 28 10:20:26 2001
From: dankamin at cisco.com (Dan Kaminsky)
Date: Tue, 27 Mar 2001 16:20:26 -0800
Subject: RFE: Portable OpenSSH
References:
Message-ID: <070001c0b71c$e36c8080$1200040a@na.cisco.com>

> Most people griped about EGD's >1Mb working set and that they didn't want
> to depend on PERL daemons for security.

You tend to focus on the two-by-four sticking out of your eye before
complaining about the sliver. Doesn't mean the sliver's not a problem;
just means you have easier things to complain about than the fact that
it's a pain to get working.

> This isn't quite true. sshd needs to fill its entropy pool at startup,
> it can then survive without PRNGd until OpenSSL deems the pool no longer
> has enough entropy.

Oh that's just splitting hairs and you know it ;-)

> > But who would be running prngd? Let's say every user used their
> > own entropy gatherer. Instead of entropy gathering on demand, when
> > the ssh executables were actually being called, each user would be
> > hammering the box continually. That's not elegant,
>
> Bingo - this is exactly what OpenSSH does at the moment.

No, it's not. prngd goes ahead and grabs entropy in advance; openssh is
only grabbing entropy when it directly needs it. It's slower, yes, but
it's more than fast enough for low-to-midrange use.

Come on, Damien. No long term local daemon should be required to load a
client app. You don't need ftpd to run ftp, you don't need to run apache
to run netscape, you don't need BIND to access a web page. Useful? Sure!
It's *useful* to have a locally caching DNS server, especially if your
operating system is brain dead about how effectively it caches entries.
Required to hit Slashdot, though?!

> > of course, so let's presume there's only one user running prngd that
> > every user shares in the entropy of. That user running prngd better
> > be root, unless you like the idea of SSHD getting its entropy stream
> > from an untrusted user.
> > So now users cannot safely run ssh without
> > the root user starting up a daemon?
>
> Well root has to run init too, so there is precedent.

What precedent? I can log into an arbitrary box, compile my alpha
feature-loaded build of SSH on it to test for compatibility, and type:

./ssh-keygen -f tempkey
./sshd -h tempkey -f sshd_config -p 20022

> What is the advantage of all this runtime checking? Systems with
> /dev/random should _always_ have it available.

Surprised the hell outta me when I realized this was a problem. I
installed the ANDIrand package on my dev box some time ago, then later
built the latest OpenSSH. Imagine my surprise when the binaries compiled
on that machine wouldn't work on any other Solaris machine--oops, none of
the other ones had ANDIrand installed.

Moral of the story: Just because this platform had /dev/random once
doesn't mean it always will--and hopefully, just because it didn't when
this binary was compiled doesn't mean it always won't. Slowly but surely,
modules will pop up for OS's that lack /dev/random. Rather than require a
code recompile, we can simply agree that kernel entropy will *always* be
of higher quality than user entropy and therefore we will dynamically (or
at least after a kill -HUP) switch to the better source. Especially sites
with speed problems from *both* prngd *and* ssh_prng_cmds will appreciate
this.

> No, the "hash a big list of commands" is what we want to get away from.
> I really don't like root owned or suid executables running long lists of
> system commands when it is not their business to.

Can't we safely execute external commands as irrevocable-nonroot? I
thought the act of opening a new process granted us that ability, which we
otherwise lack when, say, opening a proprietary authentication library.

> PRNGd has been designed (and audited) to do this task well.

Like I said, I *like* the concept of prngd. I just don't accept that a
local daemon should be required for a local client to execute successfully.
Help it out? Speed it up? Increase efficiency? Decrease redundancy (as
long as the shared source is root)? Sure. But *mandate*, on penalty of
failure?

Yours Truly,

Dan Kaminsky, CISSP
http://www.doxpara.com

From dankamin at cisco.com Wed Mar 28 10:30:05 2001
From: dankamin at cisco.com (Dan Kaminsky)
Date: Tue, 27 Mar 2001 16:30:05 -0800
Subject: RFE: Portable OpenSSH
References:
Message-ID: <070801c0b71e$3d3d8e00$1200040a@na.cisco.com>

> > Why not include PRNGd source with OpenSSH, install it, and if sshd
> > fails to get any entropy, start PRNGd and try again? It doesn't
> > work for client-only ssh usage (though if the ssh command is setuid,
> > it could, but that's probably a really bad idea for other reasons).
>
> Note that I really don't want to go down the road of including source
> to other programs in the portable tarball.

You're right, Damien. Such a route diminishes the barrier between what
we're responsible for and what we're not. I *could* envision a stripped
down OpenSSL distribution that only contained what OpenSSH requires being
included, but everything else indeed should remain separate from the
standard distribution.

Would you have any objection to openssh-full, a separately maintained but
equally available package that could portably exist on any machine and
successfully configure/make/make install on it? The idea would be to
include those few libraries that actually made it into the OpenSSH
codebase (for legality or convenience) and have a meta-configure script
that handled them all "out of the box".

Again, I think you're absolutely right about keeping openssh itself
pure--but I also know, pragmatically, forcing people to slog through the
tarball equivalent of RPM Hell (slower, because you have to wait for
configure to fail to find out you need to configure libz, then wait again
to find out you need to configure SSL, etc.) is worse than what SSH1
required.

> BTW autoconf already detects the presence of a PRNGd socket and will
> try to use that.

Excellent!

--Dan

From dankamin at cisco.com Wed Mar 28 10:37:44 2001
From: dankamin at cisco.com (Dan Kaminsky)
Date: Tue, 27 Mar 2001 16:37:44 -0800
Subject: RFE: Portable OpenSSH
References:
Message-ID: <071201c0b71f$4e5ab310$1200040a@na.cisco.com>

> ./configure [whatever]
> make
> make install DESTDIR=./fakeroot
> cd fakeroot
> tar cvf - ./* | gzip -9 > ../ssh-bin.tar.gz
> cd ..
> rm -rf fakeroot

Excellent. But I can't run out of that fakeroot; I *have* to install from
it. At the point of the make install, all the ETCDIR et al definitions are
already set at pathnames.h (or earlier).

This is actually the right thing to do, but it does leave ssh_prng_cmds's
path totally broken. That makes the ssh client only function after a
rootswitch.

Yours Truly,

Dan Kaminsky, CISSP
http://www.doxpara.com

From djm at mindrot.org Wed Mar 28 10:40:25 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 28 Mar 2001 10:40:25 +1000 (EST)
Subject: RFE: Portable OpenSSH
In-Reply-To: <071201c0b71f$4e5ab310$1200040a@na.cisco.com>
Message-ID:

On Tue, 27 Mar 2001, Dan Kaminsky wrote:

> > ./configure [whatever]
> > make
> > make install DESTDIR=./fakeroot
> > cd fakeroot
> > tar cvf - ./* | gzip -9 > ../ssh-bin.tar.gz
> > cd ..
> > rm -rf fakeroot
>
> Excellent. But I can't run out of that fakeroot; I *have* to
> install from it. At the point of the make install, all the ETCDIR
> et al definitions are already set at pathnames.h (or earlier).
>
> This is actually the right thing to do, but it does leave
> ssh_prng_cmds's path totally broken. That makes the ssh client only
> function after a rootswitch.

No, you just untar the above in the root directory. Setting DESTDIR in
make install disables all the path modifications.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From dankamin at cisco.com Wed Mar 28 10:47:16 2001
From: dankamin at cisco.com (Dan Kaminsky)
Date: Tue, 27 Mar 2001 16:47:16 -0800
Subject: RFE: Portable OpenSSH
References:
Message-ID: <072801c0b720$a2ee3310$1200040a@na.cisco.com>

> > Excellent. But I can't run out of that fakeroot; I *have* to
> > install from it. At the point of the make install, all the ETCDIR
> > et al definitions are already set at pathnames.h (or earlier).
>
> No, you just untar the above in the root directory. Setting DESTDIR in
> make install disables all the path modifications.

Yes, I know this, Damien. Untarring to the root directory is also known
as installing, and unless I'm root, I ain't doing that.

How many times a day do you type ./ssh? Or do you make install every dev
build?

--Dan

From Phil.Pennock at globnix.org Wed Mar 28 11:05:17 2001
From: Phil.Pennock at globnix.org (Phil Pennock)
Date: Wed, 28 Mar 2001 03:05:17 +0200
Subject: Use of non-user readable (null password) private keys
In-Reply-To: ; from Piete.Brooks@cl.cam.ac.uk on Tue, Mar 27, 2001 at 05:44:04PM +0100
References:
Message-ID: <20010328030517.C9404@globnix.org>

On 2001-03-27 at 17:44 +0100, Piete Brooks gifted us with:
> Locally they can use sudo, but for performing operations on a remote machine,
> they need an ssh capability.

Locally, they can use sudo.

prompt$ cat /usr/local/bin/fred
#!/bin/sh
sudo -u bert ssh -i /home/bert/.ssh/zebedee zebedee.example.org wibble "$@"
prompt$

Gives you the benefit of logs on the client-side too, indicating exactly
who invoked it. Unless the remote side needs to ask identd questions?

If absolutely necessary that they not auth before doing stuff remotely,
just use "NOPASSWD:" in sudoers for that command-entry.
--
Do not anger a bard, for your name is silly and it scans to 'Greensleeves'.

From djm at mindrot.org Wed Mar 28 11:05:37 2001
From: djm at mindrot.org (Damien Miller)
Date: Wed, 28 Mar 2001 11:05:37 +1000 (EST)
Subject: RFE: Portable OpenSSH
In-Reply-To: <070001c0b71c$e36c8080$1200040a@na.cisco.com>

On Tue, 27 Mar 2001, Dan Kaminsky wrote:

> > > But who would be running prngd? Lets say every user used their
> > > own entropy gatherer. Instead of entropy gathering on demand, when
> > > the ssh executables were actually being called, each user would be
> > > hammering the box continually. That's not elegant,
> >
> > Bingo - this is exactly what OpenSSH does at the moment.
>
> No, it's not. prngd goes ahead and grabs entropy in advance; openssh
> is only grabbing entropy when it directly needs it. It's slower,
> yes, but it's more than fast enough for low-to-midrange use.

OpenSSH grabs it every time it runs; with a daemon you have the opportunity to take advantage of its long lifespan and spread the collection over a longer time period. This results in fewer load spikes and better quality entropy.

> > What is the advantage of all this runtime checking? Systems with
> > /dev/random should _always_ have it available.
>
> Surprised the hell outta me when I realized this was a problem. I
> installed the ANDIrand package on my dev box some time ago, then
> later built the latest OpenSSH. Imagine my surprise when the
> binaries compiled on that machine wouldn't work on any other Solaris
> machine--oops, none of the other ones had ANDIrand installed.

You need to build different packages for different system environments. I see this as no different to systems which have libc differing in major number.

> > PRNGd has been designed (and audited) to do this task well.
>
> Like I said, I *like* the concept of prngd. I just don't accept that a
> local daemon should be required for a local client to execute successfully.
> Help it out? Speed it up? Increase efficiency? Decrease redundancy (as
> long as the shared source is root)? Sure. But *mandate*, on penalty of
> failure?
I don't see why mandating it is a problem. It is a _one off_ installation which may be used by more than OpenSSH (OpenSSL supports it too, as does postfix-tls, as does GPG).

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From: djm at mindrot.org (Damien Miller)
Date: Wed, 28 Mar 2001 11:10:29 +1000 (EST)
Subject: RFE: Portable OpenSSH
In-Reply-To: <070801c0b71e$3d3d8e00$1200040a@na.cisco.com>

On Tue, 27 Mar 2001, Dan Kaminsky wrote:

> Again, I think you're absolutely right about keeping openssh itself
> pure--but I also know, pragmatically, forcing people to slog through
> the tarball equivalent of RPM Hell (slower, because you have to wait
> for configure to fail to find out you need to configure libz, then
> wait again to find out you need to configure SSL, etc.) is worse
> than what SSH1 required.

I think OpenSSH's external requirements are pretty reasonable: libz (supplied by many OS's anyway), PRNGd and OpenSSL (the only big one). Chances are that these will have other uses on the system anyway.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer
From: dbt at meat.net (David Terrell)
Date: Tue, 27 Mar 2001 17:24:10 -0800
Subject: RFE: Portable OpenSSH
In-Reply-To: <070001c0b71c$e36c8080$1200040a@na.cisco.com>; from dankamin@cisco.com on Tue, Mar 27, 2001 at 04:20:26PM -0800
References: <070001c0b71c$e36c8080$1200040a@na.cisco.com>
Message-ID: <20010327172410.E30334@pianosa.catch22.org>

On Tue, Mar 27, 2001 at 04:20:26PM -0800, Dan Kaminsky wrote:
> Moral of the story: Just because this platform had /dev/random once doesn't
> mean it always will--and hopefully, just because it didn't when this binary
> was compiled doesn't mean it always won't. Slowly but surely, modules will
> pop up for OS's that lack /dev/random. Rather than require a code
> recompile, we can simply agree that kernel entropy will *always* be of
> higher quality than user entropy and therefore we will dynamically (or at
> least after a kill -HUP) switch to the better source.

When you're doing recompiling, a kill -HUP will reload the new binary with /dev/random support. If you want to make entropy source configurable at runtime, why don't you supply the patches?

> Like I said, I *like* the concept of prngd. I just don't accept that a
> local daemon should be required for a local client to execute successfully.
> Help it out? Speed it up? Increase efficiency? Decrease redundancy (as
> long as the shared source is root)? Sure. But *mandate*, on penalty of
> failure?

I don't like prngd. It's a graceful hack to work around missing kernel features that every modern operating system should have. The sooner I never have to run PRNGd on any of my systems, the happier I'll be.

On the other hand, telling Damien how he should support /dev/random vs prngd without supplying code to do what you seem to want it to do (if you want it so bad, why haven't you already written it yourself for your local systems) isn't reasonable.
--
David Terrell   | "To increase the hype, I'm gonna release a bunch
Nebcorp PM      | of BLT variants (NetBLT, FreeBLT, BLT386, etc)
dbt at meat.net | and create artificial rivalries."
wwn.nebcorp.com | - Brian Sweltand (www.openblt.org)

From: dankamin at cisco.com (Dan Kaminsky)
Date: Tue, 27 Mar 2001 17:28:22 -0800
Subject: RFE: Portable OpenSSH
References: <070001c0b71c$e36c8080$1200040a@na.cisco.com> <20010327172410.E30334@pianosa.catch22.org>
Message-ID: <076a01c0b726$60b1d000$1200040a@na.cisco.com>

> when you're doing recompiling, a kill -HUP will reload the new binary
> with /dev/random support.

I want to add /dev/random support and have it just work without having to recompile SSH.

> If you want to make entropy source configurable at runtime, why don't
> you supply the patches?

Going to. Been working on authcommand and dynamic forwarding (nuhh...new...channel...type...). I've done the "complainer who refuses to code" bit before; learned from it. :-)

> I don't like prngd. It's a graceful hack to work around missing kernel
> features that every modern operating system should have. The sooner
> I never have to run PRNGd on any of my systems, the happier I'll be.

SSH is a graceful hack. Never forget that.

> On the other hand, telling Damien how he should support /dev/random
> vs prngd without supplying code to do what you seem to want it to
> do (if you want it so bad, why haven't you already written it
> yourself for your local systems) isn't reasonable.

You win :-)

--Dan
From: dankamin at cisco.com (Dan Kaminsky)
Date: Tue, 27 Mar 2001 17:29:58 -0800
Subject: RFE: Portable OpenSSH
Message-ID: <076b01c0b726$99e55e00$1200040a@na.cisco.com>

> I think OpenSSH's external requirements are pretty reasonable: libz
> (supplied by many OS's anyway), PRNGd and OpenSSL (the only big one).

Reasonable? Sure. It's *reasonable* to expect libz to be there, but if it's not, I'd like a ./configure -with-static-libz.

As I mentioned, OpenSSL is not a runtime dependency. We have one major external dependency, and that's Libz. It can be statically linked; prngd can't be. So I'm arguing for *no* dependencies, which is a hell of a lot easier to admin.

We should dynamically link libz by default, of course.

> Chances are that these will have other uses on the system anyway.

Uses, yes. EGD has other uses; we used it for GPG as well. Like I said, nobody adopted the package, and with good reason.

--Dan
From: djm at mindrot.org (Damien Miller)
Date: Wed, 28 Mar 2001 11:33:25 +1000 (EST)
Subject: RFE: Portable OpenSSH
In-Reply-To: <076b01c0b726$99e55e00$1200040a@na.cisco.com>

On Tue, 27 Mar 2001, Dan Kaminsky wrote:

> > I think OpenSSH's external requirements are pretty reasonable: libz
> > (supplied by many OS's anyway), PRNGd and OpenSSL (the only big one).
>
> Reasonable? Sure. It's *reasonable* to expect libz to be there,
> but if it's not, I'd like a ./configure -with-static-libz.
>
> As I mentioned, OpenSSL is not a runtime dependency.

That depends on how it is linked. It may not be runtime for you, but it is for many (most?) other people.

> We have one major external dependency, and that's Libz. It can be
> statically linked; prngd can't be. So I'm arguing for *no* dependencies,
> which is a hell of a lot easier to admin.
>
> We should dynamically link libz by default, of course.

Why?

> > Chances are that these will have other uses on the system anyway.
>
> Uses, yes. EGD has other uses; we used it for GPG as well. Like I said,
> nobody adopted the package, and with good reason.

Because it was a huge PERL daemon which could only really be used by one person at a time.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer
From: vader at conflict.net (Jim Breton)
Date: Wed, 28 Mar 2001 01:56:50 +0000
Subject: [Wishlist] another level of logging
Message-ID: <20010328015650.14359.qmail@conflict.net>

Hello - got a small wishlist item here:

The currently available LogLevel settings (according to the man page) are: QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG.

Using "INFO" causes messages about RSA key re-generation to appear in the auth logs. However, using the next-lower LogLevel of "ERROR" causes client IP and port to not be reported in the auth logs.

I was hoping for some level in between those two which would include remote IP and port (and protocol) but NOT include the RSA key regeneration messages.

Any chance of getting a new LogLevel for this? Mainly it's because I have auth logs sent to a line printer and it uses quite a bit more paper and noise having those key gen messages logged. ;-P

Thanks.

--
Jim B.
vader at conflict.net
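A filter that produces the level Jim is asking for on the receiving side, as an added example (my code, not OpenSSH's): it reads sshd's INFO-level syslog lines, drops the server key regeneration messages and keeps or summarises the lines that carry the remote IP, port and protocol. The sample log lines, host name and addresses are constructed; the message wording follows what sshd logs but is assumed rather than taken from this thread.

```python
"""Emulate an 'INFO minus key regeneration' LogLevel by filtering sshd's
syslog output before it reaches the line printer. Added example, not OpenSSH code."""
import re
from typing import Dict, Iterable, List, Optional

# Server key regeneration messages sshd logs at INFO: the lines to drop.
KEYGEN_NOISE = re.compile(
    r"sshd\[\d+\]: (?:Generating new \d+ bit RSA key\.|RSA key generation complete\.)\s*$")

# Lines that carry the remote endpoint. A trailing " ssh2" names the protocol on
# authentication results; a bare "Connection from" line carries no protocol.
CONNECTION = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Connection from (?P<ip>\S+) port (?P<port>\d+)")
AUTH_RESULT = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<user>.+?) from (?P<ip>\S+) port (?P<port>\d+)(?: (?P<proto>ssh2))?\s*$")


def filter_auth_log(lines: Iterable[str]) -> List[str]:
    """Jim's request exactly: pass everything except the key regeneration messages."""
    return [ln for ln in lines if not KEYGEN_NOISE.search(ln)]


def extract_endpoint(line: str) -> Optional[Dict[str, object]]:
    """Pull pid, remote IP, port and (when logged) protocol out of one line."""
    m = AUTH_RESULT.search(line) or CONNECTION.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return {
        "pid": int(g["pid"]),
        "ip": g["ip"],
        "port": int(g["port"]),
        "proto": g.get("proto"),    # None when the line does not say
        "result": g.get("result"),  # None on bare "Connection from" lines
        "user": g.get("user"),
    }


def summarize(lines: Iterable[str]) -> List[str]:
    """One compact line per endpoint-bearing message: what the printer gets."""
    out = []
    for ln in filter_auth_log(lines):
        ep = extract_endpoint(ln)
        if ep is None:
            continue
        what = ep["result"] or "connect"
        proto = ep["proto"] or "proto?"
        out.append(f"{ep['ip']}:{ep['port']} {proto} {what} {ep['user'] or ''}".rstrip())
    return out


# Constructed sample of an OpenSSH 2.x auth log at LogLevel INFO (host name and
# RFC 5737 addresses invented; message wording modelled on sshd's).
SAMPLE_AUTH_LOG = [
    "Mar 28 01:50:12 bastion sshd[1234]: Generating new 768 bit RSA key.",
    "Mar 28 01:50:13 bastion sshd[1234]: RSA key generation complete.",
    "Mar 28 01:51:02 bastion sshd[1301]: Connection from 192.0.2.10 port 1022",
    "Mar 28 01:51:04 bastion sshd[1301]: Accepted publickey for jim from 192.0.2.10 port 1022 ssh2",
    "Mar 28 01:52:30 bastion sshd[1355]: Failed password for root from 198.51.100.7 port 40123 ssh2",
]

if __name__ == "__main__":
    for line in summarize(SAMPLE_AUTH_LOG):
        print(line)
```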
From: dankamin at cisco.com (Dan Kaminsky)
Date: Tue, 27 Mar 2001 17:58:27 -0800
Subject: RFE: Portable OpenSSH
Message-ID: <078b01c0b72a$94afea00$1200040a@na.cisco.com>

> OpenSSH grabs it every time it runs; with a daemon you have the opportunity
> to take advantage of its long lifespan and spread the collection over a
> longer time period. This results in fewer load spikes and better quality
> entropy.

A definite advantage. Clearly the right way to do it. Once security is handled, compatibility trumps performance. Remember--SSH is not the fastest crypto solution, but it sure is the most compatible.

> You need to build different packages for different system environments.
> I see this as no different to systems which have libc differing in
> major number.

Reasonable argument for the downgrade. Unreasonable for the upgrade--I shouldn't need to recompile all the apps on a machine just because I got a better source of entropy.

The *only* time compile time checks are superior is when you're trying to avoid including a library you do not possess. All other times, it's better to not have to recompile.

> I don't see why mandating it is a problem. It is a _one off_ installation
> which may be used by more than OpenSSH (OpenSSL supports it too, as does
> postfix-tls, as does GPG).

prngd will be useful for a lot of things. It's good software, I'm happy it exists. Depending on it, however, violates "Don't Make It Worse". We want to encourage people to use a faster entropy source, not discourage them from using our software at all.

Yours Truly,

Dan Kaminsky, CISSP
http://www.doxapra.com
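The run-time selection Dan argues for, sketched as an added example (mine, not OpenSSH's code and not Dan's promised patch): try the kernel device first, and only if that is missing talk to a prngd/EGD-style daemon over its UNIX socket using the blocking-read command (0x02 followed by a one-byte count, answered with exactly that many bytes). The FakeEGD class and the socket path it uses are a constructed stand-in so the fallback can be exercised offline.

```python
"""Run-time entropy source selection: kernel RNG device first, EGD/prngd-style
socket only if no device exists, rather than fixing the choice at configure time."""
import os
import socket
import tempfile
import threading

EGD_READ_BLOCKING = 0x02  # EGD command: send N bytes, blocking until available
EGD_MAX_REQUEST = 255     # the request length field is a single byte


def read_from_device(path, n):
    """Read exactly n bytes from a kernel RNG device; None if it is unusable."""
    try:
        with open(path, "rb", buffering=0) as dev:
            out = b""
            while len(out) < n:
                chunk = dev.read(n - len(out))
                if not chunk:
                    return None
                out += chunk
            return out
    except OSError:
        return None


def _recv_exact(conn, n):
    """Read exactly n bytes from a stream socket; None on EOF."""
    got = b""
    while len(got) < n:
        chunk = conn.recv(n - len(got))
        if not chunk:
            return None
        got += chunk
    return got


def read_from_egd(sock_path, n):
    """Fetch n bytes over the EGD socket protocol; None if no daemon answers."""
    out = b""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(5.0)
            s.connect(sock_path)
            while len(out) < n:
                want = min(EGD_MAX_REQUEST, n - len(out))
                s.sendall(bytes([EGD_READ_BLOCKING, want]))  # 2-byte request
                chunk = _recv_exact(s, want)  # reply to 0x02 is the raw bytes
                if chunk is None:
                    return None
                out += chunk
    except OSError:
        return None
    return out


def get_random_bytes(n, device_paths=("/dev/urandom", "/dev/random"), egd_path=None):
    """Return (source_used, data); (None, None) when every source is unusable."""
    for path in device_paths:
        data = read_from_device(path, n)
        if data is not None:
            return path, data
    if egd_path is not None:
        data = read_from_egd(egd_path, n)
        if data is not None:
            return egd_path, data
    return None, None


class FakeEGD:
    """Constructed stand-in for prngd/EGD that serves only command 0x02 and
    records every (command, count) request it sees, for inspection."""
    def __init__(self):
        self.dir = tempfile.mkdtemp()
        self.path = os.path.join(self.dir, "entropy")
        self.requests = []
        self._srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self._srv.bind(self.path)
        self._srv.listen(1)
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self._srv.accept()
            except OSError:  # listening socket closed by close()
                return
            with conn:
                while (hdr := _recv_exact(conn, 2)) and hdr[0] == EGD_READ_BLOCKING:
                    self.requests.append((hdr[0], hdr[1]))  # [command, count]
                    conn.sendall(os.urandom(hdr[1]))

    def close(self):
        self._srv.close()
        os.unlink(self.path)
        os.rmdir(self.dir)


if __name__ == "__main__":
    egd = FakeEGD()
    src, data = get_random_bytes(300, ("/nonexistent/random",), egd.path)
    print(src, len(data), egd.requests)  # daemon fallback: one 255 and one 45 byte request
    egd.close()
```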
From: dankamin at cisco.com (Dan Kaminsky)
Date: Tue, 27 Mar 2001 17:59:36 -0800
Subject: RFE: Portable OpenSSH
Message-ID: <078c01c0b72a$bd7ab960$1200040a@na.cisco.com>

> That depends on how it is linked. It may not be runtime for you, but it is
> for many (most?) other people.

Solaris 2.6 depends on:
libz
libsocket
libnsl
libc
libdl
libmp
libc_psr

Cygwin depends on:
cygz.dll
cygwin1.dll

Linux does however indeed require libcrypto. I stand corrected. Any ideas what's going on, folks?

> > We have one major external dependency, and that's Libz. It can be
> > statically linked; prngd can't be. So I'm arguing for *no* dependencies,
> > which is a hell of a lot easier to admin.
> >
> > We should dynamically link libz by default, of course.
>
> Why?

Binary size. No reason to be redundant, unless such redundancy assists with deployment. If libz was less popular, I'd argue for a default-static. It's pretty widely deployed though, so the need for a static libz include isn't universal. Does show up in spots, though. I probably wouldn't argue for libz include at all if, using it, we couldn't (eventually) get to a build entirely dependent upon standard libraries.

> > > Chances are that these will have other uses on the system anyway.
> >
> > Uses, yes. EGD has other uses; we used it for GPG as well. Like I said,
> > nobody adopted the package, and with good reason.
>
> Because it was a huge PERL daemon which could only really be used by one
> person at a time.

Damien, the only other clients that require some local daemon to be running in order for them to work are GUI tools that everyone bitches about *constantly*. The things that are barely becoming annoying in SSH pretty much define GNOME. Name *one* command line client that requires anything else to run on the command line. NFS stuff is about all that comes to mind, and people bitch about that too!

Speaking of one person at a time, you *still* haven't responded to the security concerns or root dependencies.
You can't escape the fact that prngd *either* leads to lots and lots of people running daemons they don't need to be *or* leads to lots and lots of people banging on the sysadmin's door to install a *client* tool as root. Live, in-client execution of entropy gatherers does not a daemon make, incidentally.

If the sysadmin *wants* to run prngd, and speed things up--great! If he doesn't, though--and come on, as you said, a root app running lots of external tools doesn't inspire confidence--I don't want the entire system to fall over. Graceful degradation is the goal.

I'll put together some compiletime->runtime patches; we'll continue this discussion when that's available.

Yours Truly,

Dan Kaminsky, CISSP
http://www.doxpara.com

From: mattl at livecapital.com (Lewandowsky, Matt)
Date: Tue, 27 Mar 2001 18:23:41 -0800
Subject: OpenSSh 2.5.2p2 on Linux/Sparc
Message-ID: <71D01DB8DA698947A6F5D666D62A2DB001C3CA@exchange.livecapital.com>

Hrmph. OK. Since I haven't downloaded 2.5.2p2 yet (and my work connection's being flaky today...), I'll have to rely on you guys for the answers here: What are the contents of the offending lines in the files?

Also, Georg: Do you have the full package of expr, sed, etc. installed? Maybe there's a dependency that isn't there (Doubtful though...). And I have GNU sed 3.02 on Cygwin right now... So, if Cygwin builds for people, then it's either a problem with your sed or your tarball... (Or possibly 2.5.2p2...)

--Matt

> -----Original Message-----
> From: Georg Schwarz [mailto:georg.schwarz at iname.com]
> Sent: Tuesday, March 27, 2001 1:18 PM
> To: Lewandowsky, Matt
> Subject: Re: OpenSSh 2.5.2p2 on Linux/Sparc
>
> > Does OpenSSH actually have SPARC/Linux binaries? (/me checks...) Since I
>
> I don't know, but since I'm compiling on my own why does it matter?
>
> > don't see any architecture info, I assume the RPMs are for x86... So,
> > SPARC/Linux users have to install from source... (Good for my reference...)
>
> that's exactly what I was trying.
>
> > Georg: Are you running GNU sed? Type "sed --help" to see... If not,
>
> antarktis 3% ~>sed --version
> GNU sed version 3.02
>
> Copyright (C) 1998 Free Software Foundation, Inc.
> This is free software; see the source for copying conditions. There is NO
> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE,
> to the extent permitted by law.
>
> > reinstall the RPM from your install CD... If so, see if the RPM has been
> > updated in Errata. If this isn't the case, try installing the one from 6.2.
> > I was fairly unimpressed with 6.0/SPARC, myself. 6.2 was slightly better.
> > Maybe them not releasing 7 was a good thing, as it will give them time to
> > figure out the best way to get things working right before the next
> > supported release.
>
> The funny thing is: with 2.5.1p1 I didn't have any problems compiling.
>
> > Hope I was actually of some help,
> >
> > --Matt
> >
> > > -----Original Message-----
> > > From: mouring at etoh.eviladmin.org [mailto:mouring at etoh.eviladmin.org]
> > > Sent: Sunday, March 25, 2001 10:44 PM
> > > To: Georg Schwarz
> > > Cc: openssh-unix-dev at mindrot.org
> > > Subject: Re: OpenSSh 2.5.2p2 on Linux/Sparc
> > >
> > > On Sun, 25 Mar 2001, Georg Schwarz wrote:
> > >
> > > > When doing a simple configure of OpenSSh 2.5.2p2 on a Sparc running
> > > > RedHat 6.0 I get:
> > > >
> > > > ...
> > > > updating cache ./config.cache
> > > > creating ./config.status
> > > > creating Makefile
> > > > sed: file conftest.s1 line 1: Unknown command: ``^''
> > > > creating openbsd-compat/Makefile
> > > > sed: file conftest.s1 line 1: Unknown command: ``^''
> > > > creating ssh_prng_cmds
> > > > sed: file conftest.s1 line 1: Unknown command: ``^''
> > > > creating config.h
> > > > sed: file conftest.frag line 1: Unknown command: ``%''
> > > > ...
> > >
> > > Did you get this error with any other release? To me it looks like
> > > a bad 'sed' binary. Have you checked for an updated RPM for sparc?
> > >
> > > - Ben
>
> --
> Georg Schwarz http://home.pages.de/~schwarz/
> georg.schwarz at iname.com +49 177 2437545
From: carson at taltos.org (Carson Gaspar)
Date: Tue, 27 Mar 2001 18:28:15 -0800
Subject: PATCH: OSSH 2.5.2p2 Makefile rebuilds manpages and configfiles every time
Message-ID: <2170184825.985717695@[10.10.1.2]>

The following patch has been tested against Sun Make and GNU Make, and allows openssh to be installed without rebuilding manpages and configfiles every time. This is especially important when "make install" is run as root, and root does not have write access to the build directory.

--
Carson

-------------- next part --------------
A non-text attachment was scrubbed...
Name: makefix.diff
Type: application/octet-stream
Size: 1573 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010327/3a501960/attachment.obj
From: jason at dfmm.org (Jason Stone)
Date: Tue, 27 Mar 2001 18:24:32 -0800 (PST)
Subject: 2.5.2p2 ssh-keyscan installed group writable?
In-Reply-To: <791BD3CB503DD411A6510008C7CF647701F40AAB@col-581-exs01.cist.saic.com>

> SetUID binaries are *not* A Bad Thing.
> SetUID binaries are A Powerful Tool.

I don't want to get into a religious argument, but I think that on the philosophical side, suid violates the idea that a user can only execute code _as that user_, and on the practical side, suid binaries will _always_ get you into trouble in the end because one or another of them will _always_ have a buffer overrun, argument-parsing error, system/library/race-condition error, etc.

> It doesn't mean that the idea of SetUID
> binaries is fundamentally flawed, since
> there are sometimes things which cannot
> be accomplished in any other feasible way.

You can always trivially use a client/server model with the server running as root. Done blindly, this can be as bad as suid, so I'm not suggesting that you do this for everything - I'm just trying to illustrate that there are alternatives (using xdm instead of a suid startx is the classic example).

Perhaps more importantly, you have to ask yourself if the functionality provided by the suid program warrants the risks. On many systems, I find the answer to be "no" for almost all the default suid binaries.

> The correct answer for OpenSSH is, IMHO:
> 1. Continue to support SetUID installation
> of the ssh client in order to
> support rsa-rhosts auth--but perhaps
> the default should transition over
> to non-SetUID (with a big warning note!)

It was certainly important in the beginning for ssh to be a drop-in replacement for rsh, but I think that it's less true now. I think it may be acceptable to have ssh not be setuid by default and include a note in the docs/manpage/config saying, "type 'chmod 4711 ssh' if you want to use rsh."

> 2.
> Install *all* executables (not just SetUID)
> as mode 511 (or 4511 if appropriate).
>
> I know of at least one system where
> when given a user-level account on this
> supposedly-secure system, it took me
> less than 20 minutes to [...] take root.

I feel ambivalent on this one. It would obscure stuff for you a little bit, and every little bit helps, but the binaries are usually standard and the user can get copies by other means, and smart users may have legitimate uses for reading the binaries (I know that I frequently do).

-Jason

---------------------------
If the Revolution comes to grief, it will be because you and those you lead have become alarmed at your own brutality. --John Gardner
From: djm at mindrot.org (Damien Miller)
Date: Wed, 28 Mar 2001 12:49:22 +1000 (EST)
Subject: 2.5.2p2 ssh-keyscan installed group writable?

On Tue, 27 Mar 2001, Jason Stone wrote:

> > The correct answer for OpenSSH is, IMHO:
> > 1. Continue to support SetUID installation
> > of the ssh client in order to
> > support rsa-rhosts auth--but perhaps
> > the default should transition over
> > to non-SetUID (with a big warning note!)
>
> It was certainly important in the beginning for ssh to be a drop-in
> replacement for rsh, but I think that it's less true now. I think it may
> be acceptable to have ssh not be setuid by default and include a note in
> the docs/manpage/config saying, "type 'chmod 4711 ssh' if you want to use
> rsh."

.rhosts authentication will always require root (or some other way to get a low-numbered source port).

rhosts-rsa auth doesn't need root. It could follow what ssh.com's ssh protocol implementation does and execute a small challenge signing program which has access to the host key. The mechanics of how this hangs together (sgid ssh, suid ssh-signer) are left to whomever sends us the patch to implement it :)

> > 2. Install *all* executables (not just SetUID)
> > as mode 511 (or 4511 if appropriate).
> >
> > I know of at least one system where
> > when given a user-level account on this
> > supposedly-secure system, it took me
> > less than 20 minutes to [...] take root.
>
> I feel ambivalent on this one. It would obscure stuff for you a little
> bit, and every little bit helps, but the binaries are usually standard and
> the user can get copies by other means, and smart users may have
> legitimate uses for reading the binaries (I know that I frequently do).

There has been one legitimate reason for keeping the 'r' bits off the executables - some (broken) older systems don't drop ptrace for suid binaries unless the on-disk copies are not readable.
-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From: carson at taltos.org (Carson Gaspar)
Date: Tue, 27 Mar 2001 18:53:56 -0800
Subject: OSSH 2.5.2p2: Why is /usr/local/ put into the include & lib paths under Solaris?
Message-ID: <2171726028.985719236@[10.10.1.2]>

I'd like to know why /usr/local/(include|lib) is added to the (include|library) path. I'd _especially_ like to know why it's added before user-specified library directories such as OpenSSL. If I specify --with-openssl=/foo/openssl, I want to actually _use_ the version of openssl in /foo/openssl, not some version that may have been installed in /usr/local. This really makes no sense at all, since Solaris doesn't even _have_ /usr/local by default.

Attached is a patch that gets rid of this behaviour, at least for Solaris. I suspect it's bogus on just about every platform, but I'm sure it is on Solaris.

--
Carson

-------------- next part --------------
A non-text attachment was scrubbed...
Name: configure.in.patch
Type: application/octet-stream
Size: 359 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010327/1e926e09/attachment.obj

From: djm at mindrot.org (Damien Miller)
Date: Wed, 28 Mar 2001 13:30:32 +1000 (EST)
Subject: sftp client globbing problems on Solaris, Irix, etc

Could you please try the below diff if you have been experiencing problems with the globbing support in the sftp client. There have been a few reports that it doesn't work on Solaris, etc.

Index: ChangeLog =================================================================== RCS file: /var/cvs/openssh/ChangeLog,v retrieving revision 1.1022 diff -u -r1.1022 ChangeLog --- ChangeLog 2001/03/28 03:03:42 1.1022 +++ ChangeLog 2001/03/28 03:28:37
@@ -2,6 +2,8 @@ - (djm) Reorder tests and library inclusion for Krb4/AFS to try to resolve linking conflicts with libcrypto. Report and suggested fix from Holger Trapp + - (djm) Work around Solaris' broken struct dirent. Diagnosis and suggested + fix from Philippe Levan 20010327 - Attempt sync with sshlogin.c w/ OpenBSD (mainly CVS ID) Index: acconfig.h =================================================================== RCS file: /var/cvs/openssh/acconfig.h,v retrieving revision 1.108 diff -u -r1.108 acconfig.h --- acconfig.h 2001/03/17 01:15:38 1.108 +++ acconfig.h 2001/03/28 03:28:37 @@ -308,6 +308,9 @@ /* Define if your system glob() function has gl_matchc options in glob_t */ #undef GLOB_HAS_GL_MATCHC +/* Define in your struct dirent expects you to allocate extra space for d_name */ +#undef BROKEN_ONE_BYTE_DIRENT_D_NAME + @BOTTOM@ /* ******************* Shouldn't need to edit below this line ************** */ Index: configure.in =================================================================== RCS file: /var/cvs/openssh/configure.in,v retrieving revision 1.268 diff -u -r1.268 configure.in --- configure.in 2001/03/28 03:03:42 1.268 +++ configure.in 2001/03/28 03:28:37 @@ -404,6 +404,20 @@ ] ) +AC_MSG_CHECKING([whether struct dirent allocates space for d_name]) +AC_TRY_RUN( + [ +#include +#include +int main(void){struct dirent d;return(sizeof(d.d_name)<=sizeof(char));} + ], + [AC_MSG_RESULT(yes)], + [ + AC_MSG_RESULT(no) + AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME) + ] +) + # Check whether user wants S/Key support SKEY_MSG="no" AC_ARG_WITH(skey, Index: sftp-glob.c =================================================================== RCS file: /var/cvs/openssh/sftp-glob.c,v retrieving revision 1.3 diff -u -r1.3 sftp-glob.c --- sftp-glob.c 2001/03/17 00:34:46 1.3 +++ sftp-glob.c 2001/03/28 03:28:37 
@@ -65,7 +65,9 @@ struct dirent *fudge_readdir(struct SFTP_OPENDIR *od) { - static struct dirent ret; + /* Solaris needs sizeof(dirent) + path length (see below) */ + static char buf[sizeof(struct dirent) + MAXPATHLEN]; + struct dirent *ret = (struct dirent *)buf; #ifdef __GNU_LIBRARY__ static int inum = 1; #endif /* __GNU_LIBRARY__ */ @@ -73,22 +75,30 @@ if (od->dir[od->offset] == NULL) return(NULL); - memset(&ret, 0, sizeof(ret)); - strlcpy(ret.d_name, od->dir[od->offset++]->filename, - sizeof(ret.d_name)); + memset(buf, 0, sizeof(buf)); + /* + * Solaris defines dirent->d_name as a one byte array and expects + * you to hack around it. + */ +#ifdef BROKEN_ONE_BYTE_DIRENT_D_NAME + strlcpy(ret->d_name, od->dir[od->offset++]->filename, MAXPATHLEN); +#else + strlcpy(ret->d_name, od->dir[od->offset++]->filename, + sizeof(ret->d_name)); +#endif #ifdef __GNU_LIBRARY__ /* * Idiot glibc uses extensions to struct dirent for readdir with * ALTDIRFUNCs. Not that this is documented anywhere but the * source... Fake an inode number to appease it. */ - ret.d_ino = inum++; + ret->d_ino = inum++; if (!inum) inum = 1; #endif /* __GNU_LIBRARY__ */ - return(&ret); + return(ret); } void fudge_closedir(struct SFTP_OPENDIR *od) -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From jmknoble at jmknoble.cx Wed Mar 28 13:37:00 2001 
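Review bot: in the acconfig.h hunk the comment on the new BROKEN_ONE_BYTE_DIRENT_D_NAME define reads "Define in your struct dirent expects you to allocate extra space for d_name"; "in" should be "if", matching the "Define if your system glob() function has gl_matchc options" comment directly above it.

Review bot: the AC_TRY_RUN in the configure.in hunk passes only the action-if-true and action-if-false arguments, so with no fourth (action-if-cross-compiling) argument autoconf stops configure with "can not run test program while cross compiling"; add a fourth argument that assumes the conservative case, e.g. `[AC_MSG_RESULT(assuming no); AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME)]`, since over-allocating d_name is harmless. Separately, the two `#include` lines of the test program carry no header name as posted, while `struct dirent` needs <sys/types.h> and <dirent.h>; worth confirming the names survive in the committed version.

Review bot: in the first sftp-glob.c hunk, `static char buf[sizeof(struct dirent) + MAXPATHLEN]` cast to `struct dirent *` only guarantees byte alignment, so `ret->d_ino` can be a misaligned access on strict-alignment targets such as Solaris/SPARC, which is exactly where this code is meant to run; declare the storage as `static union { struct dirent d; char pad[sizeof(struct dirent) + MAXPATHLEN]; } u;` and use `&u.d`. MAXPATHLEN also needs <sys/param.h>, which the hunk does not show being included.

Review bot: in the second sftp-glob.c hunk both arms of the new #ifdef repeat `od->dir[od->offset++]->filename`, so the offset side effect lives in two places and the arms differ only in the length argument; hoist `const char *name = od->dir[od->offset++]->filename;` above the #ifdef, or drop the #ifdef and the configure probe altogether by passing `sizeof(buf) - offsetof(struct dirent, d_name)` as the length, which is the space actually available after d_name in the buffer on both kinds of system.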
From: jmknoble at jmknoble.cx (Jim Knoble)
Date: Tue, 27 Mar 2001 22:37:00 -0500
Subject: RFE: Portable OpenSSH
In-Reply-To: <070001c0b71c$e36c8080$1200040a@na.cisco.com>; from dankamin@cisco.com on Tue, Mar 27, 2001 at 04:20:26PM -0800
References: <070001c0b71c$e36c8080$1200040a@na.cisco.com>
Message-ID: <20010327223700.I1777@quipu.half.pint-stowp.cx>

Circa 2001-Mar-27 16:20:26 -0800 dixit Dan Kaminsky:

: > What is the advantage of all this runtime checking? Systems with
: > /dev/random should _always_ have it available.
:
: Surprised the hell outta me when I realized this was a problem. I installed
: the ANDIrand package on my dev box some time ago, then later built the
: latest OpenSSH. Imagine my surprise when the binaries compiled on that
: machine wouldn't work on any other Solaris machine--oops, none of the other
: ones had ANDIrand installed.

This problem has already been solved on several different occasions.

You need to use a packaging system which remembers what each software package's requirements and prerequirements are. If you don't want to use a native package manager (or if your native package manager sucks), i suggest epkg (http://www.encap.org/epkg/), which makes things like this (and like the libz thing you were complaining about earlier) relative nonissues.

--
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/
From: jmknoble at jmknoble.cx (Jim Knoble)
Date: Tue, 27 Mar 2001 22:44:18 -0500
Subject: RFE: Portable OpenSSH
In-Reply-To: <078b01c0b72a$94afea00$1200040a@na.cisco.com>; from dankamin@cisco.com on Tue, Mar 27, 2001 at 05:58:27PM -0800
References: <078b01c0b72a$94afea00$1200040a@na.cisco.com>
Message-ID: <20010327224418.J1777@quipu.half.pint-stowp.cx>

Circa 2001-Mar-27 17:58:27 -0800 dixit Dan Kaminsky:

: Reasonable argument for the downgrade. Unreasonable for the upgrade--I
: shouldn't need to recompile all the apps on a machine just because I got a
: better source of entropy.
:
: The *only* time compile time checks are superior is when you're trying to
: avoid including a library you do not possess. All other times, it's better
: to not have to recompile.

I voice disagreement. Adding the complex logic to the program makes it more difficult to audit and maintain, which could affect the security of the program.

If you want adaptive behavior, how about adding to prngd the ability to get randomness from /dev/random, rather than adding complexity to the already quite complex ssh system? That's a much more modular solution which everyone on the system who needs a PRNG can use.

--
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/
From: djm at mindrot.org (Damien Miller)
Date: Wed, 28 Mar 2001 13:47:51 +1000 (EST)
Subject: OSSH 2.5.2p2: Why is /usr/local/ put into the include & lib paths under Solaris?
In-Reply-To: <2171726028.985719236@[10.10.1.2]>

On Tue, 27 Mar 2001, Carson Gaspar wrote:

> I'd like to know why /usr/local/(include|lib) is added to the
> (include|library) path. I'd _especially_ like to know why it's added before
> user-specified library directories such as OpenSSL. If I specify
> --with-openssl=/foo/openssl, I want to actually _use_ the version of
> openssl in /foo/openssl, not some version that may have been installed in
> /usr/local. This really makes no sense at all, since Solaris doesn't even
> _have_ /usr/local by default.
>
> Attached is a patch that gets rid of this behaviour, at least for solaris.
> I suspect it's bogus on just about every platform, but I'm sure it is on
> Solaris.

Many people and packages (like most of sunfreeware) put stuff in /usr/local.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer
From: jason at dfmm.org (Jason Stone) Date: Tue, 27 Mar 2001 19:39:09 -0800 (PST) Subject: OSSH 2.5.2p2: Why is /usr/local/ put into the include & lib paths under Solaris? In-Reply-To: <2171726028.985719236@[10.10.1.2]> Message-ID: > I'd like to know why /usr/local/(include|lib) is added to the > (include|library) path. Because most opensource add-ons install into /usr/local by default and the native compiler chain doesn't know about stuff in there and has to be told. > I'd _especially_ like to know why it's added before user-specified > library directories such as OpenSSL. It's not - looking at your patch: - CPPFLAGS="$CPPFLAGS -I/usr/local/include" - LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib" They're clearly added _after_ any user defined flags. > This really makes no sense at all, since Solaris doesn't even _have_ > /usr/local by default. No platform should ship with /usr/local, that's the point - it's for local customizations and non-official, "after-market" stuff that you install. The point is that if you install, eg, openssl on the system, it will drop its crap in /usr/local/. Then when you configure/make openssh, it will find the system-wide openssl in /usr/local without your having to tell it manually. -Jason --------------------------- If the Revolution comes to grief, it will be because you and those you lead have become alarmed at your own brutality. --John Gardner From dankamin at cisco.com Wed Mar 28 13:57:07 2001 
From: dankamin at cisco.com (Dan Kaminsky) Date: Tue, 27 Mar 2001 19:57:07 -0800 Subject: RFE: Portable OpenSSH References: <070001c0b71c$e36c8080$1200040a@na.cisco.com> <20010327223700.I1777@quipu.half.pint-stowp.cx> Message-ID: <07f701c0b73b$28af8980$1200040a@na.cisco.com> > This problem has already been solved on several different occasions. > > You need to use a packaging system which remembers what each software > package's requirements and prerequirements are. If you don't want to > use a native package manager (or if your native package manager sucks), > i suggest epkg (http://www.encap.org/epkg/), which makes things like > this (and like the libz thing you were complaining about earlier) > relative nonissues. Unnecessary dependencies are bad and are not particularly solved by simply burying the problem under the but-we-have-a-great-package-format rug. If it's *absolutely critical* that an executable be dependent on other files, so be it, I'll live. But that's a pain from a sysadmin's perspective, and it's one I think that admin should have the *chance* to avoid if necessary. I accept pain when necessary, but reject it strongly when it's superfluous. Anyway, you're dancing around my actual question: Why are compile-time checks, for reasons *other* than "if we include that library on the wrong system, the code won't build", good? Recompiling is clearly more painful than changing an option in sshd_config or silently downgrading (like we do when we can't find a primes file). Yes, we can be more flexible with compile time checks when we have a packaging format that can choose which binaries to install at which times, but isn't it better to have flexible binaries? For /dev/random handling, you'd need to compile both sets of code, throw it into a package, then have your package manager dynamically choose which one to actually install. Gotta admit that's pretty ugly ;-) Anyway, no magic bullet turns libz into a non-issue. 
If sysadmins *have* to get packages, because they can't figure out how to compile the code and move it elsewhere, then they've lost freedom and access to the source (indeed, the source for them has been "neutered"; it's useful to look at but it doesn't spawn anything useful). Epkg isn't everywhere by default...though it could be, and maybe should be, and *mayyyyyyyybe* ought to be included as the cross-platform package generator for OpenSSH? Something to think about? Yours Truly, Dan Kaminsky, CISSP http://www.doxpara.com From mattl at livecapital.com Wed Mar 28 13:59:50 2001 From: mattl at livecapital.com (Lewandowsky, Matt) Date: Tue, 27 Mar 2001 19:59:50 -0800 Subject: OSSH 2.5.2p2: Why is /usr/local/ put into the include & lib paths under Solaris? Message-ID: <71D01DB8DA698947A6F5D666D62A2DB001C3CC@exchange.livecapital.com> But the main question hasn't been answered: Why is /usr/local placed before user-specified paths? Hypothetical example: You want to link against OpenSSL 0.96 for OpenSSH, but /usr/local contains 0.95, which is needed for something else. (Assume it comes binary only on Solaris for the sake of argument...) --Matt > -----Original Message----- 
> From: Damien Miller [mailto:djm at mindrot.org] > Sent: Tuesday, March 27, 2001 7:48 PM > To: Carson Gaspar > Cc: openssh-unix-dev at mindrot.org > Subject: Re: OSSH 2.5.2p2: Why is /usr/local/ put into the > include & lib > paths under Solaris? > > > On Tue, 27 Mar 2001, Carson Gaspar wrote: > > > I'd like to know why /usr/local/(include|lib) is added to the > > (include|library) path. I'd _especially_ like to know why > it's added before > > user-specified library directories such as OpenSSL. If I specify > > --with-openssl=/foo/openssl, I want to actually _use_ the version of > > openssl in /foo/openssl, not some version that may have > been installed in > > /usr/local. This really makes no sense at all, since > Solaris doesn't even > > _have_ /usr/local by default. > > > > Attached is a patch that gets rid of this behaviour, at > least for solaris. > > I suspect it's bogus on just about every platform, but I'm > sure it is on > > Solaris. > > Many people and packages (like most of sunfreeware) put stuff in > /usr/local. > > -d > > -- > | Damien Miller \ ``E-mail attachments are > the poor man's > | http://www.mindrot.org / distributed > filesystem'' - Dan Geer > From tomh at po.crl.go.jp Wed Mar 28 14:08:09 2001 
From: tomh at po.crl.go.jp (Tom Holroyd) Date: Wed, 28 Mar 2001 13:08:09 +0900 (JST) Subject: [Wishlist] another level of logging In-Reply-To: <20010328015650.14359.qmail@conflict.net> Message-ID: On Wed, 28 Mar 2001, Jim Breton wrote: > Mainly it's because I have auth logs sent to a line printer and it uses > quite a bit more paper and noise having those key gen messages logged. For now you could switch to using protocol 2, which doesn't do rekeying. :-/ That will perhaps change in the future though. Or just change the log() calls to verbose() calls in sshd.c:generate_ephemeral_server_key(). Dr. Tom Holroyd "I am, as I said, inspired by the biological phenomena in which chemical forces are used in repetitious fashion to produce all kinds of weird effects (one of which is the author)." -- Richard Feynman, _There's Plenty of Room at the Bottom_ From fortezzo at directlink.net Wed Mar 28 14:19:25 2001 
From: fortezzo at directlink.net (Jason Fortezzo) Date: Tue, 27 Mar 2001 22:19:25 -0600 Subject: RFE: Portable OpenSSH In-Reply-To: <20010328004654.A23300@folly> References: <061401c0b701$dfe91a60$1200040a@na.cisco.com> <200103272058.f2RKwExf388024@jurassic.eng.sun.com> <061401c0b701$dfe91a60$1200040a@na.cisco.com> Message-ID: <4.3.2.7.2.20010327221323.02d49668@mailhost.directlink.net> At 04:46 PM 3/27/2001, you wrote: >On Tue, Mar 27, 2001 at 01:07:03PM -0800, Dan Kaminsky wrote: >> Anyway, these aren't theoretical complaints. I had the: >> >> 1. Copy files over >> 2. Damnit, forgot SCP. >> 3. Copy SCP over. >> 4. Damnit, forgot libz. >> 5. Copy libz over. >> 6. Damnit, forgot the list of prng commands >> 7. Copy list over >> 8. Run SCP > >what about: > >1) copy the tar file over. >2) done. I do something along the same lines, but to ease removal of all the files, I have a file named after the package in /usr/local/share/manifest that contains a list of all the files in the tar. To remove the package, I do rm -f `cat /usr/local/share/manifest/package_name` This allows me to have a standardised package format on all my platforms with minimal hassle. Sure it is messy, but it works. Jason Fortezzo fortezzo at directlink.net PGP Key: http://mysite.directlink.net/fortezzo/pgpkey --- If you have any trouble sounding condescending, find a Unix user to show you how it's done. --Scott Adams From jmknoble at jmknoble.cx Wed Mar 28 14:36:46 2001 
From: jmknoble at jmknoble.cx (Jim Knoble) Date: Tue, 27 Mar 2001 23:36:46 -0500 Subject: RFE: Portable OpenSSH In-Reply-To: <07f701c0b73b$28af8980$1200040a@na.cisco.com>; from dankamin@cisco.com on Tue, Mar 27, 2001 at 07:57:07PM -0800 References: <070001c0b71c$e36c8080$1200040a@na.cisco.com> <20010327223700.I1777@quipu.half.pint-stowp.cx> <07f701c0b73b$28af8980$1200040a@na.cisco.com> Message-ID: <20010327233646.K1777@quipu.half.pint-stowp.cx> Circa 2001-Mar-27 19:57:07 -0800 dixit Dan Kaminsky: : Unnecessary dependencies are bad and are not particularly solved by simply : burying the problem under the but-we-have-a-great-package-format rug. "Unnecessary" dependencies appear to be a matter of perspective. Is Cygwin an unnecessary dependency? How about libresolv? How about /dev/tty or /bin/sh? OpenSSH needs a high-quality PRNG. It's a *requirement*. I think that's pretty simple, and exactly the sort of requirement detail that dependency-aware package management systems are built to handle. : If it's *absolutely critical* that an executable be dependent on : other files, so be it, I'll live. But that's a pain from a : sysadmin's perspective, and it's one I think that admin should have : the *chance* to avoid if necessary. I accept pain when necessary, : but reject it strongly when it's superfluous. So you don't use Cygwin, then? : Anyway, you're dancing around my actual question: Why are compile-time : checks, for reasons *other* than "if we include that library on the wrong : system, the code won't build", good? They detect parts of the operating system that ought to be there but are missing. Like /dev/random. They also keep a fairly clear limit on how much OpenSSH ought to do to compensate for a poorly integrated operating system. : Recompiling is clearly more painful than changing an option in : sshd_config or silently downgrading (like we do when we can't find a : primes file). 
No, it isn't; certainly not where security is concerned, and less-complex/more-auditable is more important than trying to recover from when the stupid sysadmin removes /dev/random and /lib/libpam.so.0 because "nothing uses them". What procedure do you use to compile software? Do you do everything by hand? If you do, then you deserve to lie on that lumpy mattress. If, on the other hand, you go to the trouble to store the knowledge that you have about how to compile and install a particular software package in a script or two, then it's not much trouble at all when it comes around to recompiling. That's always been the great advantage of a tool like RPM for me: encapsulation of knowledge about how to build software into an automatable format. : Yes, we can be more flexible with compile time checks when we have a : packaging format that can choose which binaries to install at which : times, but isn't it better to have flexible binaries? But which ones should be flexible? Who decides that? : Anyway, no magic bullet turns libz into a non-issue. A package management system isn't a silver bullet. It's a knowledge storage system. : If sysadmins *have* to get packages, because they can't figure out : how to compile the code and move it elsewhere, then they've lost : freedom and access to the source (indeed, the source for them has : been "neutered"; it's useful to look at but it doesn't spawn : anything useful). What? If the sysadmins can't figure out how to compile and build zlib and put it in /usr/local/lib/ or /space/local/lib/ or some other standard place on each platform, then you should fire them and hire actual sysadmins. Epkg just makes that easier: "Hey, we've already built zlib for DG/UX---i'll just unpack the package archive in the right spot, commit it using epkg, and we're ready to go." : Epkg isn't everywhere by default...though it could be, and maybe : should be, Dan, this sort of thing is a *policy* decision that *you* have to make for *your* network. 
All software has dependencies. You can choose to ignore them (and deal with them as they come up again and again), moan about one or two of them, or use a generalized solution which stores knowledge about dependencies and reminds you (or someone else) of them at the appropriate time without you having to worry. -- jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/ From celinn at mtu.edu Wed Mar 28 14:42:02 2001 
From: celinn at mtu.edu (Christopher Linn) Date: Tue, 27 Mar 2001 23:42:02 -0500 Subject: OSSH 2.5.2p2: Why is /usr/local/ put into the include & lib paths under Solaris? In-Reply-To: <71D01DB8DA698947A6F5D666D62A2DB001C3CC@exchange.livecapital.com>; from mattl@livecapital.com on Tue, Mar 27, 2001 at 07:59:50PM -0800 References: <71D01DB8DA698947A6F5D666D62A2DB001C3CC@exchange.livecapital.com> Message-ID: <20010327234202.A29991@mtu.edu> On Tue, Mar 27, 2001 at 07:59:50PM -0800, Lewandowsky, Matt wrote: > But the main question hasn't been answered: Why is /usr/local placed before > user-specified paths? Hypothetical example: You want to link against OpenSSL > 0.96 for OpenSSH, but /usr/local contains 0.95, which is needed for > something else. (Assume it comes binary only on Solaris for the sake of > argument...) because it is so easy to dodge that already when you run ./configure. if you use env insertions in the command line of ./configure, like: CPPFLAGS="-I/my/include/dir" \ CFLAGS="whatever" \ LDFLAGS="-L/my/lib/Ldir -R/my/lib/Rdir" \ ./configure --option-1 \ --option-2 \ ...etc... when you load your env like this, configure will insert those -ahead- of /usr/local, whereas if you use the --cppflags/--cflags/--ldflags configure options, those are placed -after- /usr/local. cheers, chris -- Christopher Linn, | By no means shall either the CEC Staff System Administrator | or MTU be held in any way liable Center for Experimental Computation | for any opinions or conjecture I Michigan Technological University | hold to or imply to hold herein. From Piete.Brooks at cl.cam.ac.uk Wed Mar 28 17:14:48 2001 
From: Piete.Brooks at cl.cam.ac.uk (Piete Brooks) Date: Wed, 28 Mar 2001 08:14:48 +0100 Subject: Use of non-user readable (null password) private keys In-Reply-To: Your message of Wed, 28 Mar 2001 09:31:42 +1000. Message-ID: >> What I want is the *ABILITY* to have public `capabilities' which can >> perform a fixed operation (e.g. prod a server) which is `harmless'. > You should consider using multiple keys with forced commands. i.e. > have each user generate and supply the public key to you. I have several hundred users. We have an active security group who would understand such things. We also have other users who have no reason to want to know about such things. I do not want to administer all those keys. They do not want to have to generate a new key each time a new facility is required. I want **ALL** users to be able to do it. > On the server enter the public keys into the authorized_keys{,2} file with > restrictions: I do not want restrictions. > You can then lock individual users out without making everyone change key. I do not want to. From carson at taltos.org Wed Mar 28 18:05:14 2001 From: carson at taltos.org (Carson Gaspar) Date: Wed, 28 Mar 2001 00:05:14 -0800 Subject: OSSH 2.5.2p2: Why is /usr/local/ put into the include & lib paths under Solaris? In-Reply-To: Message-ID: <2190404075.985737914@[10.10.1.2]> --On Wednesday, March 28, 2001 1:47 PM +1000 Damien Miller wrote: > Many people and packages (like most of sunfreeware) put stuff in > /usr/local. So? If you want to look in /usr/local for OpenSSL as one of the default locations if --with-openssl is not specified, great. Please do. Why does OpenSSH _blindly_ add it to -I/-L/-R? This makes no sense, and is broken. -- Carson From carson at taltos.org Wed Mar 28 18:07:40 2001 
From: carson at taltos.org (Carson Gaspar) Date: Wed, 28 Mar 2001 00:07:40 -0800 Subject: OSSH 2.5.2p2: Why is /usr/local/ put into the include & lib paths under Solaris? In-Reply-To: Message-ID: <2190549387.985738060@[10.10.1.2]> --On Tuesday, March 27, 2001 7:39 PM -0800 Jason Stone wrote: >> I'd _especially_ like to know why it's added before user-specified >> library directories such as OpenSSL. > > It's not - looking at your patch: > - CPPFLAGS="$CPPFLAGS -I/usr/local/include" > - LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib" > > They're clearly added _after_ any user defined flags. Nope. Not true. Try it. It's _before_ the directories added by --with-openssl. This is a Bad Thing. Blindly including unnecessary directories in -I/-L/-R is a Bad Thing. If there is some _technical_ reason for this, please let me know. Otherwise, I will continue to maintain that this is broken behaviour. -- Carson From carson at taltos.org Wed Mar 28 18:13:48 2001 
From: carson at taltos.org (Carson Gaspar) Date: Wed, 28 Mar 2001 00:13:48 -0800 Subject: OSSH 2.5.2p2: Why is /usr/local/ put into the include & lib paths under Solaris? In-Reply-To: <20010327234202.A29991@mtu.edu> Message-ID: <2190917294.985738428@[10.10.1.2]> --On Tuesday, March 27, 2001 11:42 PM -0500 Christopher Linn wrote: > On Tue, Mar 27, 2001 at 07:59:50PM -0800, Lewandowsky, Matt wrote: >> But the main question hasn't been answered: Why is /usr/local placed >> before user-specified paths? Hypothetical example: You want to link >> against OpenSSL 0.96 for OpenSSH, but /usr/local contains 0.95, which is >> needed for something else. (Assume it comes binary only on Solaris for >> the sake of argument...) > > because it is so easy to dodge that already when you run ./configure. > > if you use env insertions in the command line of ./configure, like: > > CPPFLAGS="-I/my/include/dir" \ > CFLAGS="whatever" \ > LDFLAGS="-L/my/lib/Ldir -R/my/lib/Rdir" \ > ./configure > --option-1 \ > --option-2 \ > ...etc... > > when you load your env like this, configure will insert those -ahead- > of /usr/local, whereas if you use the --cppflags/--cflags/--ldflags > configure options, those are placed -after- /usr/local. So I'm expected to hack around the fact that configure is broken and doesn't handle --with-openssl properly? Wrong answer. -- Carson From carson at taltos.org Wed Mar 28 18:59:12 2001 
From: carson at taltos.org (Carson Gaspar) Date: Wed, 28 Mar 2001 00:59:12 -0800 Subject: Initial patch to implement partial auth with SSH2 Message-ID: <2193641841.985741152@[10.10.1.2]> Attached is a patch which adds a new config option, AuthOrder2, to sshd_config.c. The syntax is: AuthOrder2 AuthMethod1[:SubAuthMethod1[:SubAuthMethod2...]][,AuthMethod2...] An example, requiring users to enter a public key _and_ a password, in that order: AuthOrder2 publickey:password The current default behaviour: AuthOrder2 password,publickey,keyboard-interactive Require a public key, then either a password or keyboard-interactive: AuthOrder2 publickey:password,publickey:keyboard-interactive It's still a rough patch, and has not been heavily tested. I'd appreciate any feedback people have. I'd like to get this committed to the main tree at some point, so if the maintainers have any architectural changes they'd like in order to accomplish that, I'd be happy to comply. -- Carson -------------- next part -------------- A non-text attachment was scrubbed... Name: partialauth.patch Type: application/octet-stream Size: 10272 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010328/27425593/attachment.obj From stevesk at sweden.hp.com Wed Mar 28 19:03:26 2001 
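An added example, not Carson's patch (the attachment is not reproduced here), that models the AuthOrder2 semantics as the post describes them: ':' chains methods that must all succeed in order, ',' separates alternative chains, and after each successful method the server either accepts the user or tells the client which methods may continue. The reply shape mirrors SSH userauth (success, or failure with a method list and a partial-success flag); the three method names are the ones used in the post.

```python
"""Model of the AuthOrder2 partial-authentication policy described above.

Added example, not the attached patch: it assumes that "a:b" means method a
must succeed and then method b, and that comma-separated entries are
independent alternatives. Method names are the three used in the post.
"""
from typing import List, Tuple

KNOWN_METHODS = ("publickey", "password", "keyboard-interactive")


def parse_auth_order(spec: str) -> List[List[str]]:
    """Turn an AuthOrder2 value into a list of chains (each a list of steps).

    "publickey:password,publickey:keyboard-interactive" becomes
    [["publickey", "password"], ["publickey", "keyboard-interactive"]].
    Empty entries and unknown method names are rejected: a typo in a
    policy that is meant to *add* a factor must not silently drop it.
    """
    chains: List[List[str]] = []
    for entry in spec.split(","):
        steps = [s.strip() for s in entry.split(":")]
        if any(not s for s in steps):
            raise ValueError(f"empty method name in {entry!r}")
        for step in steps:
            if step not in KNOWN_METHODS:
                raise ValueError(f"unknown authentication method {step!r}")
        chains.append(steps)
    return chains


def evaluate(chains: List[List[str]], completed: List[str]) -> Tuple[bool, List[str]]:
    """Return (authenticated, methods the client may try next).

    A chain is live when the methods completed so far are exactly its prefix;
    the user is authenticated once a live chain is fully consumed.
    """
    done = len(completed)
    authenticated = False
    allowed: List[str] = []
    for chain in chains:
        if chain[:done] != completed:
            continue                      # this chain was not followed
        if len(chain) == done:
            authenticated = True          # every step of this chain succeeded
        elif chain[done] not in allowed:
            allowed.append(chain[done])   # next step the client may attempt
    return authenticated, allowed


class PartialAuthSession:
    """Server-side state for one connection under an AuthOrder2 policy."""

    def __init__(self, spec: str) -> None:
        self.chains = parse_auth_order(spec)
        self.completed: List[str] = []

    def allowed_methods(self) -> List[str]:
        return evaluate(self.chains, self.completed)[1]

    def method_succeeded(self, method: str) -> Tuple[str, List[str], bool]:
        """Record that `method` succeeded and return the server's reply.

        ("SUCCESS", [], False) when the policy is satisfied, otherwise
        ("FAILURE", methods_that_can_continue, partial) where partial is True
        only if this method counted toward a chain. A method that is not
        acceptable at this point is ignored entirely, so a client cannot skip
        a required earlier step by offering a later one first.
        """
        allowed = self.allowed_methods()
        if method not in allowed:
            return ("FAILURE", allowed, False)
        self.completed.append(method)
        authenticated, allowed = evaluate(self.chains, self.completed)
        if authenticated:
            return ("SUCCESS", [], False)
        return ("FAILURE", allowed, True)


if __name__ == "__main__":
    # Walk through the three policies from the post.
    for spec, attempts in (
        ("publickey:password", ["publickey", "password"]),
        ("password,publickey,keyboard-interactive", ["keyboard-interactive"]),
        ("publickey:password,publickey:keyboard-interactive",
         ["password", "publickey", "keyboard-interactive"]),
    ):
        session = PartialAuthSession(spec)
        print(f"AuthOrder2 {spec}: may start with {session.allowed_methods()}")
        for attempt in attempts:
            print(f"  {attempt:>20} -> {session.method_succeeded(attempt)}")
```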
From: stevesk at sweden.hp.com (Kevin Steves) Date: Wed, 28 Mar 2001 11:03:26 +0200 (METDST) Subject: Expired password handling in openssh-2.5.1p1/2 In-Reply-To: <3AC0E6E3.4B56753A@daac.gsfc.nasa.gov> Message-ID: On Tue, 27 Mar 2001, Kevin Taylor wrote: : > : Right now the program closes the connection....the commercial ssh : > : manages to exec /bin/passwd after they enter their current password. : > : > there is only support thru PAM right now. i had started a : > multi-platform password interface last year, and while it was close to : > the point of being integrated, i have been side-tracked with stuff that : > was more interesting to work on. adding just code to run passwd if the : > password has expired isn't hard, and maybe we should do that. : : : Has any of this ended up in the current openssh portable code? no, what platform are you using? i should have said adding code to run passwd for one platform isn't hard. you have getspent(), getprpwent(), BSD pw_change, some with password aging data in the password field, and getpwaent() systems, and probably more. i'll think about it some more. From Piete.Brooks at cl.cam.ac.uk Wed Mar 28 20:23:59 2001 From: Piete.Brooks at cl.cam.ac.uk (Piete Brooks) Date: Wed, 28 Mar 2001 11:23:59 +0100 Subject: Use of non-user readable (null password) private keys In-Reply-To: Your message of Wed, 28 Mar 2001 09:27:11 +1000. Message-ID: > You can copy the keyfiles, or create individual ones. It is highly wasteful of disk space and user time to do this, and is error prone From djm at mindrot.org Wed Mar 28 20:40:27 2001 
From: djm at mindrot.org (Damien Miller) Date: Wed, 28 Mar 2001 20:40:27 +1000 (EST) Subject: OSSH 2.5.2p2: Why is /usr/local/ put into the include & lib paths under Solaris? In-Reply-To: <2190404075.985737914@[10.10.1.2]> Message-ID: On Wed, 28 Mar 2001, Carson Gaspar wrote: > > Many people and packages (like most of sunfreeware) put stuff in > > /usr/local. > > So? People used to complain that configure didn't find stuff in /usr/local, now they complain that it does. I suppose we can't win. Index: configure.in =================================================================== RCS file: /var/cvs/openssh/configure.in,v retrieving revision 1.270 diff -u -r1.270 configure.in --- configure.in 2001/03/28 04:37:06 1.270 +++ configure.in 2001/03/28 10:40:14 @@ -595,22 +595,22 @@ # Try to use $ssldir/lib if it exists, otherwise # $ssldir if test -d "$ssldir/lib" ; then - LDFLAGS="$saved_LDFLAGS -L$ssldir/lib" + LDFLAGS="-L$ssldir/lib $saved_LDFLAGS" if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R$ssldir/lib" + LDFLAGS="-R$ssldir/lib $LDFLAGS" fi else - LDFLAGS="$saved_LDFLAGS -L$ssldir" + LDFLAGS="-L$ssldir $saved_LDFLAGS" if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R$ssldir" + LDFLAGS="-R$ssldir $LDFLAGS" fi fi # Try to use $ssldir/include if it exists, otherwise # $ssldir if test -d "$ssldir/include" ; then - CPPFLAGS="$saved_CPPFLAGS -I$ssldir/include" + CPPFLAGS="-I$ssldir/include $saved_CPPFLAGS" else - CPPFLAGS="$saved_CPPFLAGS -I$ssldir" + CPPFLAGS="-I$ssldir $saved_CPPFLAGS" fi fi 
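Review bot: in the first hunk (@@ -595,22 +595,22 @@), prepending -L$ssldir/lib, -R$ssldir/lib and -I$ssldir/include to $saved_LDFLAGS/$saved_CPPFLAGS instead of appending them puts the directory given for OpenSSL ahead of everything already in the saved flags, which is what Carson asked for, but it also puts it ahead of any -L/-I the user passed in the environment, which Christopher Linn's earlier message says configure currently honours first. A one-line comment above `if test -d "$ssldir/lib" ; then` stating that an explicit ssldir is intended to override both /usr/local and the environment flags would make that precedence deliberate rather than a side effect.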
@@ -657,22 +657,22 @@ # Try to use $ssldir/lib if it exists, otherwise # $ssldir if test -d "$ssldir/lib" ; then - LDFLAGS="$saved_LDFLAGS -L$ssldir/lib" + LDFLAGS="-L$ssldir/lib $saved_LDFLAGS" if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R$ssldir/lib" + LDFLAGS="-R$ssldir/lib $LDFLAGS" fi else - LDFLAGS="$saved_LDFLAGS -L$ssldir" + LDFLAGS="-L$ssldir $saved_LDFLAGS" if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R$ssldir" + LDFLAGS="-R$ssldir $LDFLAGS" fi fi # Try to use $ssldir/include if it exists, otherwise # $ssldir if test -d "$ssldir/include" ; then - CPPFLAGS="$saved_CPPFLAGS -I$ssldir/include" + CPPFLAGS="-I$ssldir/include $saved_CPPFLAGS" else - CPPFLAGS="$saved_CPPFLAGS -I$ssldir" + CPPFLAGS="-I$ssldir $saved_CPPFLAGS" fi fi fi -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From olemx at ans.pl Wed Mar 28 20:54:08 2001 From: olemx at ans.pl (Krzysztof Oledzki) Date: Wed, 28 Mar 2001 12:54:08 +0200 (CEST) Subject: Problem with tcp_wrappers Message-ID: Hello, I have just found a little bug in OpenSSH's tcp_wrappers handling. In file sshd.c you can find: if (!hosts_access(&req)) { close(sock_in); close(sock_out); refuse(&req); } If username was not required for authorization (for example you are refusing all connections from a specific host) refuse will return "sshd: refused connect from root at some.host.name". This happens because the user name is checked by eval_client() from refuse() when the connection is already closed by the: close(sock_in); close(sock_out); Hopefully username and hostname information is cached so it is easy to fix it - it is enough to add: eval_client(&req) before: close(sock_in); close(sock_out); And now, when sshd.c calls refuse(&req) the username is known so a proper user name will be sent to system logs. Best regards, Krzysztof Oledzki From carson at taltos.org Wed Mar 28 21:03:29 2001 
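Review bot: the second hunk (@@ -657,22 +657,22 @@) of Damien Miller's configure.in diff is a line-for-line copy of the first, so the ssldir -L/-R/-I handling now exists in two places that must be kept in sync by hand; factoring the block into one shell function (or m4 macro) called from both sites would let any future precedence change, like this one, land once instead of twice.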
From: carson at taltos.org (Carson Gaspar) Date: Wed, 28 Mar 2001 03:03:29 -0800 Subject: Updated configure.in patch for 2.5.2p2 Message-ID: <2201098512.985748609@[10.10.1.2]> The attached patch fixes --with-skey a little, adds --with-zlib (to allow you to specify where the zlib includes/libs are), and removes /usr/local/* from the default solaris target. The diff is against 2.5.2p2 with the glob fix applied, so expect line numbers to be off if you haven't applied that patch. -- Carson -------------- next part -------------- A non-text attachment was scrubbed... Name: configure.in.patch2 Type: application/octet-stream Size: 3146 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010328/952927e1/attachment.obj From Pete.Chown at skygate.co.uk Wed Mar 28 21:09:32 2001 
From: Pete.Chown at skygate.co.uk (Pete Chown) Date: Wed, 28 Mar 2001 12:09:32 +0100 Subject: Use of non-user readable (null password) private keys In-Reply-To: ; from Piete.Brooks@cl.cam.ac.uk on Tue, Mar 27, 2001 at 02:11:08PM +0100 References: Message-ID: <20010328120932.D8611@hyena.skygate.co.uk> Piete Brooks wrote: > Executive summary: Why can I not have a private key which is > `public' ? Every time I use OpenSSH I seem to get caught out by the permission checks. I use umask 002 and my private files are all in a private group. This way I don't accidentally deny others access when I work on shared material. But OpenSSH doesn't like mode 775... > We use a client/server model with no `user' accounts on servers. > There are certain operations which a user may require to run with > certain privs, and we use ssh to do this. You could use the agent. I've just tried and it doesn't look as though ssh checks permissions on the socket directory. This would also have the nice feature that users couldn't copy the key. You would therefore be able to revoke access from one user without revoking the key for the whole group. -- Pete From carson at taltos.org Wed Mar 28 21:09:44 2001 
From: carson at taltos.org (Carson Gaspar) Date: Wed, 28 Mar 2001 03:09:44 -0800 Subject: OSSH 2.5.2p2: Why is /usr/local/ put into the include & lib paths under Solaris? In-Reply-To: Message-ID: <2201473512.985748984@[10.10.1.2]> --On Wednesday, March 28, 2001 8:40 PM +1000 Damien Miller wrote: > On Wed, 28 Mar 2001, Carson Gaspar wrote: > >> > Many people and packages (like most of sunfreeware) put stuff in >> > /usr/local. >> >> So? > > People used to complain that configure didn't find stuff in /usr/local, > now they complain that it does. I suppose we can't win. Yes, you can, but you have to work harder. Instead of putting a blanket include for /usr/local/include and libs in /usr/local/lib, add logic to look for outside dependencies in a list of locations including /usr/local. Just be sure to have --with-foo=/path/to/foo overrides. I'll go through configure.in and clean it up for you. All external dependencies will have --with-foo, and will default to checking the standard system dirs, and then /usr/local, if nothing is specified on the command line. I just beg you to merge it in so I don't have to maintain forked source. I'm _amazed_ that autoconf doesn't have a built-in macro for --with-foo=/path/to/foo. Easily fixed ;-) -- Carson From jmknoble at jmknoble.cx Wed Mar 28 22:05:08 2001 
From: jmknoble at jmknoble.cx (Jim Knoble) Date: Wed, 28 Mar 2001 07:05:08 -0500 Subject: Initial patch to implement partial auth with SSH2 In-Reply-To: <2193641841.985741152@[10.10.1.2]>; from carson@taltos.org on Wed, Mar 28, 2001 at 12:59:12AM -0800 References: <2193641841.985741152@[10.10.1.2]> Message-ID: <20010328070508.L1777@quipu.half.pint-stowp.cx> Circa 2001-Mar-28 00:59:12 -0800 dixit Carson Gaspar: : Attached is a patch which adds a new config option, AuthOrder2, to : sshd_config.c. The syntax is: [...] : It's still a rough patch, and has not been heavily tested. I'd : appreciate any feedback people have. I'd like to get this committed : to the main tree at some point, so if the maintainers have any : architectural changes they'd like in order to accomplish that, I'd : be happy to comply. What version is this patch against? Are you aware of the PreferredAuthentications directive, new in 2.5.2(pN)? They seem very similar. -- jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/ From Piete.Brooks at cl.cam.ac.uk Wed Mar 28 22:20:33 2001 From: Piete.Brooks at cl.cam.ac.uk (Piete Brooks) Date: Wed, 28 Mar 2001 13:20:33 +0100 Subject: Use of non-user readable (null password) private keys In-Reply-To: Your message of Wed, 28 Mar 2001 01:06:50 +0200. <20010328010650.A10805@folly> Message-ID: >> 2) How about `if owned by root, can be readable by others' (root is no bozo) > root is :) :-( >> 4) ... and has the sticky bit set > this seems a simple solution.... OK -- so remove the `root' requirement, remove the `not readable by user', and just go with `some set of 07000 bits set' -- I would suggest not all, so how about must have setuid and sticky, but not setgid ? ... in fact (logically) a one liner :-) -------------- next part -------------- --- authfile.c-DIST Sat Oct 14 06:23:11 2000 +++ authfile.c Wed Mar 28 12:21:23 2001 
@@ -50,6 +50,13 @@ #include "ssh.h" #include "key.h" +#ifndef KEY_FILE_MASK +/* If a file is owned by root, and masking its perms with MASK gives VAL, + * then assume that the person who created it knew what they were doing */ +#define KEY_FILE_MASK 07033 +#define KEY_FILE_VAL 05000 +#endif + /* Version identification string for identity files. */ #define AUTHFILE_ID_STRING "SSH PRIVATE KEY FILE FORMAT 1.1\n" @@ -485,7 +492,7 @@ #endif if (fstat(fd, &st) < 0 || (st.st_uid != 0 && st.st_uid != getuid()) || - (st.st_mode & 077) != 0) { + ((st.st_mode & 077) != 0 && (st.st_mode & KEY_FILE_MASK) != KEY_FILE_VAL)) { close(fd); error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @"); From mstone at cs.loyola.edu Wed Mar 28 22:49:13 2001 From: mstone at cs.loyola.edu (Michael Stone) Date: Wed, 28 Mar 2001 07:49:13 -0500 Subject: RFE: Portable OpenSSH In-Reply-To: ; from djm@mindrot.org on Wed, Mar 28, 2001 at 09:18:45AM +1000 References: <050901c0b6ed$0021e6a0$1200040a@na.cisco.com> Message-ID: <20010328074913.P1211@justice.loyola.edu> On Wed, Mar 28, 2001 at 09:18:45AM +1000, Damien Miller wrote: > Most people griped about EGD's >1Mb working set and that they didn't want > to depend on PERL daemons for security. I remember it periodically dying for no reason. When the built-in RNG was introduced I went running away from EGD. (And continued to curse the stupid OS's with no /dev/random.) -- Mike Stone From carson at taltos.org Wed Mar 28 22:50:22 2001 
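Review bot: in the first hunk (@@ -50,6 +50,13 @@) of the authfile.c patch, the comment above KEY_FILE_MASK says the relaxation applies to a file "owned by root", but nothing in the patch tests st_uid == 0 for it: the ownership check that precedes the changed condition (`st.st_uid != 0 && st.st_uid != getuid()`) already admits the user's own files, and the covering message explicitly drops the root requirement. Either the comment should say that any key owner can opt out of the 077 check by setting setuid+sticky (mask 07033, value 05000: setuid and sticky on, setgid off, no group/other write or execute), or the condition should gain a `st.st_uid == 0` test; as written the comment and the code disagree.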
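Review bot: in the second hunk (@@ -485,7 +492,7 @@), the new clause `(st.st_mode & KEY_FILE_MASK) != KEY_FILE_VAL` makes the 077 check something the key's owner can switch off with chmod, which is the stated intent, but the `UNPROTECTED PRIVATE KEY FILE` warning path is the only place this decision is visible and it is now skipped for such files; a verbose() line noting that a group- or world-readable key was accepted because its mode matched KEY_FILE_VAL would let an administrator see when that opt-out is in use. The combined condition also runs well past the width of the surrounding lines; breaking it after `(st.st_mode & 077) != 0 &&` would match the existing style.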
From: carson at taltos.org (Carson Gaspar) Date: Wed, 28 Mar 2001 04:50:22 -0800 Subject: Initial patch to implement partial auth with SSH2 In-Reply-To: <20010328070508.L1777@quipu.half.pint-stowp.cx> Message-ID: <2207511231.985755022@[10.10.1.2]> --On Wednesday, March 28, 2001 7:05 AM -0500 Jim Knoble wrote: > What version is this patch against? Are you aware of the > PreferredAuthentications directive, new in 2.5.2(pN)? They seem very > similar. It's against 2.5.2p2. PreferredAuthentications is a client-side option, and is an ordered list ranking the client's auth method preferences. My patch is a server-side option, and enables partial auth, allowing the server to require more than one form of authentication. They're very different. -- Carson From bukys at cs.rochester.edu Wed Mar 28 23:00:47 2001 From: bukys at cs.rochester.edu (bukys at cs.rochester.edu) Date: Wed, 28 Mar 2001 08:00:47 -0500 (EST) Subject: Initial patch to implement partial auth with SSH2 Message-ID: <200103281300.IAA15086@tern.cs.rochester.edu> Allowing the server to require more than one form of authentication is GOOD. From ktaylor at eosdata.gsfc.nasa.gov Wed Mar 28 23:40:23 2001 
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor) Date: Wed, 28 Mar 2001 08:40:23 -0500 Subject: Expired password handling in openssh-2.5.1p1/2 References: Message-ID: <3AC1E9C7.C917F554@daac.gsfc.nasa.gov> Kevin Steves wrote: > > On Tue, 27 Mar 2001, Kevin Taylor wrote: > : > : Right now the program closes the connection....the commercial ssh > : > : manages to exec /bin/passwd after they enter their current password. > : > > : > there is only support thru PAM right now. i had started a > : > multi-platform password interface last year, and while it was close to > : > the point of being integrated, i have been side-tracked with stuff that > : > was more interesting to work on. adding just code to run passwd if the > : > password has expired isn't hard, and maybe we should do that. > : > : > : Has any of this ended up in the current openssh portable code? > > no, what platform are you using? i should have said adding code to run > passwd for one platform isn't hard. you have getspent(), getprpwent(), > BSD pw_change, some with password aging data in the password field, and > getpwaent() systems, and probably more. i'll think about it some more. I'm building on an irix machine. -- ---------------------------------------------------------. Kevin Taylor \ Systems Administrator - DAAC, Code 902, Bldg 32, Rm N126A / Science Systems and Applications, Inc. \ Goddard Space Flight Center / Greenbelt, MD 20771 \ / Phone: (301) 614-5505 \ e-mail: ktaylor at daac.gsfc.nasa.gov / ----------------------------------------------------------' From celinn at mtu.edu Thu Mar 29 00:42:37 2001 
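The platform-specific interfaces Kevin Steves lists above (getspent(), getprpwent(), BSD pw_change, aging data in the password field) all feed the same decision that sshd would have to make before running passwd: given the day the password was last changed and the aging limits, is it fine, about to expire, expired but still changeable, or past the point where passwd should no longer be offered. The following is an added example, not code from OpenSSH or from anyone in this thread. It makes that decision in Python over shadow(5)-style fields and, going one step beyond the thread, also parses the SysV ",Mmww" aging string that some systems keep in the password field (weeks in a64l(3) encoding). The comparison points follow the common shadow-utils reading (expired once today >= lstchg + max); the Aging record and the password_status, login_action and parse_sysv_age names are mine.

```python
"""Password-aging decision in the shape sshd would need before deciding to run
passwd(1).  Added example, not OpenSSH code.  Field names follow shadow(5):
day counts are days since 1970-01-01 and -1 means "not set"."""
from dataclasses import dataclass
import time

OK, WARN, EXPIRED, CHANGE_NOW, LOCKED = "ok", "warn", "expired", "change-now", "locked"


@dataclass
class Aging:
    lstchg: int          # day of last change; 0 = must change at next login
    min: int = -1        # days before the password may be changed again
    max: int = -1        # days after which it must be changed; -1 = never
    warn: int = -1       # days of warning before max is reached
    inact: int = -1      # grace days after expiry before the account is locked
    expire: int = -1     # day the account itself expires, independent of the password


def days_since_epoch(now=None):
    return int((time.time() if now is None else now) // 86400)


def password_status(a, today):
    """Return (status, days_left).  Order matters: an expired account is never
    offered passwd, and "change at next login" wins over any aging arithmetic."""
    if a.expire >= 0 and today >= a.expire:
        return LOCKED, 0
    if a.lstchg == 0:
        return CHANGE_NOW, 0
    if a.lstchg < 0 or a.max < 0:        # aging disabled for this account
        return OK, -1
    expiry = a.lstchg + a.max
    days_left = expiry - today
    if today >= expiry:                  # shadow-utils reading: expired on day lstchg+max
        if a.inact >= 0 and today >= expiry + a.inact:
            return LOCKED, days_left     # grace period used up: refuse, do not run passwd
        return EXPIRED, days_left
    if a.warn >= 0 and days_left <= a.warn:
        return WARN, days_left
    return OK, days_left


def login_action(status):
    """What sshd should do with the session, given the status above."""
    return {OK: "continue", WARN: "continue", EXPIRED: "run-passwd",
            CHANGE_NOW: "run-passwd", LOCKED: "deny"}[status]


# SysV-style aging kept in the password field as ",Mmww": M = max weeks, m = min
# weeks, ww = weeks since 1970 of the last change, each digit in a64l(3) encoding.
# Assumption: the bare "," and ".." special cases are not handled here.
A64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def a64l(s):
    """Little-endian base 64 as in a64l(3): the first character is least significant."""
    return sum(A64.index(ch) << (6 * i) for i, ch in enumerate(s))


def parse_sysv_age(field):
    """Turn "hash,Mmww" (the whole password field) into Aging, converting weeks to days."""
    age = field.split(",", 1)[1] if "," in field else ""
    if len(age) < 4:
        return Aging(lstchg=-1)          # no complete aging string: aging disabled
    return Aging(lstchg=a64l(age[2:4]) * 7, min=a64l(age[1]) * 7, max=a64l(age[0]) * 7)


if __name__ == "__main__":
    today = days_since_epoch()
    for rec in (Aging(lstchg=today - 100, max=90, warn=7, inact=30), Aging(lstchg=0)):
        status, left = password_status(rec, today)
        print(rec, status, left, login_action(status))
```

The two pieces of state that matter for the "exec /bin/passwd after they enter their current password" behaviour are EXPIRED and CHANGE_NOW; LOCKED is the case where running passwd would be wrong because the account, not just the password, is out of date.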
From: celinn at mtu.edu (Christopher Linn) Date: Wed, 28 Mar 2001 09:42:37 -0500 Subject: OpenSSH 2.5.2p2: Why is /usr/local/ put into the include & lib paths under Solaris? In-Reply-To: <2190917294.985738428@[10.10.1.2]>; from carson@taltos.org on Wed, Mar 28, 2001 at 12:13:48AM -0800 References: <20010327234202.A29991@mtu.edu> <2190917294.985738428@[10.10.1.2]> Message-ID: <20010328094236.A3582@mtu.edu> carson, first off, please note that "OSSH" is the moniker of another implementation of SSH: ftp://ftp.pdc.kth.se/pub/krypto/ossh/ my first glance at your postings made me think "why is someone discussing OSSH? hmm..." second off, sorry for the missing `\': On Wed, Mar 28, 2001 at 12:13:48AM -0800, Carson Gaspar wrote: > --On Tuesday, March 27, 2001 11:42 PM -0500 Christopher Linn wrote: > > > On Tue, Mar 27, 2001 at 07:59:50PM -0800, Lewandowsky, Matt wrote: > >> But the main question hasn't been answered: Why is /usr/local placed > >> before user-specified paths? Hypothetical example: You want to link > >> against OpenSSL 0.96 for OpenSSH, but /usr/local contains 0.95, which is > >> needed for something else. (Assume it comes binary only on Solaris for > >> the sake of argument...) > > > > because it is so easy to dodge that already when you run ./configure. > > > > if you use env insertions in the command line of ./configure, like: > > > > CPPFLAGS="-I/my/include/dir" \ > > CFLAGS="whatever" \ > > LDFLAGS="-L/my/lib/Ldir -R/my/lib/Rdir" \ > > ./configure \ ===============> ^^^^^ > > --option-1 \ > > --option-2 \ > > ...etc... > > > > when you load your env like this, configure will insert those -ahead- > > of /usr/local, whereas if you use the --cppflags/--cflags/--ldflags > > configure options, those are placed -after- /usr/local. > > So I'm expected to hack around the fact that configure is broken and > doesn't handle --with-openssl properly? Wrong answer. you are correct, sir. 
and i must say that i should never have phrased it as though i ever actually had anything to do with it: > > because it is so easy to dodge that already when you run ./configure. i should have said something more like "well, OK, here's how i hacked around that without thinking twice about it..." i suppose if i had spent more time learning the real details about GNU autoconf, automake, aclocal etc i might have recognized this as a bug in this particular configure.in. then i could have reported this as a bug.. i should pay more attention. i must remark that the OpenSSH configure.in is really great in that it gives us a very nice synopsis at the end of its run about what it actually did when it ran. with it, we can quickly see things like this. as for why /usr/local/* is forced in there all the time, again i am just used to that from all GNU autoconf dependent stuff. heck, GNU virtually 0WNS /usr/local! /usr/local on anything is always subsumed in an utterly Borgish way by GNU software. hell i'm waiting for RMS to take out a patent on it and restrict what can go there! *chuckle* so, in closing, thanks for pointing out the bug ;*) > -- > Carson cheers, chris P.S. again, please call it OpenSSH, not OSSH. thanks ;*D -- Christopher Linn, | By no means shall either the CEC Staff System Administrator | or MTU be held in any way liable Center for Experimental Computation | for any opinions or conjecture I Michigan Technological University | hold to or imply to hold herein. From ssklar at stanford.edu Thu Mar 29 00:06:34 2001
From: ssklar at stanford.edu (Sandor W. Sklar) Date: Wed, 28 Mar 2001 06:06:34 -0800 Subject: the "evil" of EGD (was Re: RFE: Portable OpenSSH) In-Reply-To: <20010328074913.P1211@justice.loyola.edu> References: <050901c0b6ed$0021e6a0$1200040a@na.cisco.com> <20010328074913.P1211@justice.loyola.edu> Message-ID: Folks, I hope this doesn't sound stupid, but I don't understand why everyone is so down on EGD. I've been using it (on AIX) since we put in OpenSSH, and I haven't had any problems with it. Am I just not smart enough to understand why it is so bad? (Of course, I understand the much preferable inclusion of a real source of entropy by the vendor, but why is egd so bad compared to the other add on entropy sources?) --Sandy At 7:49 AM -0500 3/28/01, Michael Stone wrote: >On Wed, Mar 28, 2001 at 09:18:45AM +1000, Damien Miller wrote: >> Most people griped about EGD's >1Mb working set and that they didn't want >> to depend on PERL daemons for security. > >I remember it periodically dying for no reason. When the built-in RNG >was introduced I went running away from EGD. (And continued to curse the >stupid OS's with no /dev/random.) > >-- >Mike Stone -- sandor w sklar unix systems administrator stanford university itss-css From mouring at etoh.eviladmin.org Thu Mar 29 01:28:13 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 28 Mar 2001 09:28:13 -0600 (CST) Subject: the "evil" of EGD (was Re: RFE: Portable OpenSSH) In-Reply-To: Message-ID: On Wed, 28 Mar 2001, Sandor W. Sklar wrote: > Folks, > > I hope this doesn't sound stupid, but I don't understand why everyone > is so down on EGD. I've been using it (on AIX) since we put in > OpenSSH, and I haven't had any problems with it. > > Am I just not smart enough to understand why it is so bad? (Of > course, I understand the much preferable inclusion of a real source > of entropy by the vendor, but why is egd so bad compared to the other > add on entropy sources?) > The main complaint has been because EGD is a perl program, and you now have to drag the whole perl interpreter into memory for long periods of time, and most folks don't care for that idea. I can safely say the performance (can't judge quality) between PRNGd and EGD is the difference between day and night. PRNGd is much faster, forks less, and as a result uses less resources to match/exceed EGD. That's pretty much it in a nutshell. - Ben From ssklar at stanford.edu Thu Mar 29 01:33:12 2001
From: ssklar at stanford.edu (Sandor W. Sklar) Date: Wed, 28 Mar 2001 07:33:12 -0800 Subject: the "evil" of EGD (was Re: RFE: Portable OpenSSH) In-Reply-To: References: Message-ID: ah, ok, thanks. that is a good nutshell summary. -s- At 9:28 AM -0600 3/28/01, wrote: >On Wed, 28 Mar 2001, Sandor W. Sklar wrote: > >> Folks, >> >> I hope this doesn't sound stupid, but I don't understand why everyone >> is so down on EGD. I've been using it (on AIX) since we put in >> OpenSSH, and I haven't had any problems with it. >> >> Am I just not smart enough to understand why it is so bad? (Of >> course, I understand the much preferable inclusion of a real source >> of entropy by the vendor, but why is egd so bad compared to the other >> add on entropy sources?) >> > >The main complaint has been because EGD is a perl program, and you now >have to drag the whole perl interpreter into memory for long periods of >time, and most folks don't care for that idea. > >I can safely say the performance (can't judge quality) between PRNGd and >EGD is the difference between day and night. PRNGd is much faster, forks >less, and as a result uses less resources to match/exceed EGD. > >That's pretty much it in a nutshell. > >- Ben -- sandor w sklar unix systems administrator stanford university itss-css From cmadams at hiwaay.net Thu Mar 29 02:29:46 2001
From: cmadams at hiwaay.net (Chris Adams) Date: Wed, 28 Mar 2001 10:29:46 -0600 Subject: [PATCH] for Re: OSF_SIA bug in 2.3.0p1 In-Reply-To: <20010309153814.K298109@isc.upenn.edu>; from speno@isc.upenn.edu on Fri, Mar 09, 2001 at 03:38:14PM -0500 References: <200102120514.f1C5Eex16051@ariel.ucs.unimelb.edu.au> <20010212112224.F7301@HiWAAY.net> <20010301113311.B167828@isc.upenn.edu> <20010309153814.K298109@isc.upenn.edu> Message-ID: <20010328102946.E17315@HiWAAY.net> Once upon a time, John P Speno said: > Could you test these patches on your Tru64 UNIX 4.x and 5.x systems. They > implement the above ideas. In short, do_login is skipped when HAVE_OSF_SIA > is enabled since the things do_login does are also done better in the > Tru64 SIA routines. > > Also, session_setup_sia will now show /etc/motd if appropriate. I needed a place to > stick this, and session_setup_sia in auth-sia.c seemed ok at the time. I'm not sure of > that now. Consider this a first draft for changes: It looks good, except you don't check for .hushlogin. I pulled .hushlogin checking and MOTD printing into separate functions in session.c (to avoid code duplication). There is still a problem (maybe someone else can see it): there is a race condition in displaying the error message back to the user when a session is not started. Sometimes you get (when connecting to a locked account): $ ssh -l burdell fly Account is disabled -- see Account Administrator. Connection to fly closed by remote host. Connection to fly closed. $ and sometimes you get: $ ssh -l burdell fly Connection to fly closed by remote host. Connection to fly closed. $ The "Account is disabled" line is from the SIA routine sia_ses_estab(), called in auth-sia.c. I'm not sure why it is printed some times and not others. Here is my current patch. -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. 
diff -ur openssh_cvs/session.c openssh/session.c --- openssh_cvs/session.c Wed Mar 28 09:10:26 2001 +++ openssh/session.c Wed Mar 28 10:17:17 2001 @@ -128,9 +128,11 @@ void do_exec_no_pty(Session *s, const char *command); void do_login(Session *s, const char *command); void do_child(Session *s, const char *command); +void do_motd(void); void do_authenticated1(Authctxt *authctxt); void do_authenticated2(Authctxt *authctxt); +int check_quietlogin(Session *s, const char *command); /* import */ extern ServerOptions options; @@ -633,8 +635,10 @@ close(ttyfd); /* record login, etc. similar to login(1) */ +#ifndef HAVE_OSF_SIA if (!(options.use_login && command == NULL)) do_login(s, command); +#endif /* Do common processing for the child, such as execing the command. */ do_child(s, command); @@ -692,7 +696,6 @@ void do_login(Session *s, const char *command) { - FILE *f; char *time_string; char buf[256]; char hostname[MAXHOSTNAMELEN]; @@ -739,15 +742,8 @@ } #endif - /* Done if .hushlogin exists or a command given. */ - if (command != NULL) - return; - snprintf(buf, sizeof(buf), "%.200s/.hushlogin", pw->pw_dir); -#ifdef HAVE_LOGIN_CAP - if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0) -#else - if (stat(buf, &st) >= 0) -#endif + /* Done if quiet login. */ + if (check_quietlogin(s, command)) return; #ifdef USE_PAM @@ -768,6 +764,19 @@ else printf("Last login: %s from %s\r\n", time_string, hostname); } + + do_motd(); +} + +/* + * Display the message of the day. + */ +void +do_motd(void) +{ + FILE *f; + char buf[256]; + if (options.print_motd) { #ifdef HAVE_LOGIN_CAP f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", @@ -1033,7 +1042,7 @@ if (options.use_login && command != NULL) options.use_login = 0; -#ifndef USE_PAM /* pam_nologin handles this */ +#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) if (!options.use_login) { # ifdef HAVE_LOGIN_CAP if (!login_getcapbool(lc, "ignorenologin", 0) && pw->pw_uid) 
@@ -1051,7 +1060,7 @@ exit(254); } } -#endif /* USE_PAM */ +#endif /* USE_PAM || HAVE_OSF_SIA */ /* Set login name, uid, gid, and groups. */ /* Login(1) does this as well, and it needs uid 0 for the "-h" @@ -1059,6 +1068,8 @@ if (!options.use_login) { #ifdef HAVE_OSF_SIA session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty); + if (! check_quietlogin(s, command)) + do_motd(); #else /* HAVE_OSF_SIA */ #ifdef HAVE_CYGWIN if (is_winnt) { @@ -2036,4 +2047,27 @@ server_loop2(); if (xauthfile) xauthfile_cleanup_proc(NULL); +} + +/* + * Check for quiet login, either .hushlogin or command given. + */ +int +check_quietlogin(Session *s, const char *command) +{ + char buf[256]; + struct passwd * pw = s->pw; + struct stat st; + + /* Return 1 if .hushlogin exists or a command given. */ + if (command != NULL) + return 1; + snprintf(buf, sizeof(buf), "%.200s/.hushlogin", pw->pw_dir); +#ifdef HAVE_LOGIN_CAP + if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0) +#else + if (stat(buf, &st) >= 0) +#endif + return 1; + return 0; } From GILBERT.R.LOOMIS at saic.com Thu Mar 29 03:09:24 2001 
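Review bot: in the `@@ -633,8 +635,10 @@` hunk of the session.c patch above, the whole do_login() call is compiled out under HAVE_OSF_SIA, but the comment right above it (`record login, etc. similar to login(1)`) says do_login() is also where the login record is written, and nothing in this patch shows session_setup_sia() taking that over. Either confirm that the SIA session code records the login in utmp/wtmp, or keep the record-login part outside the `#ifndef` and skip only the nologin, last-login and motd output that SIA does itself.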
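Review bot: in the `@@ -692,7 +696,6 @@` and `@@ -739,15 +742,8 @@` hunks `FILE *f` leaves do_login() together with the motd code, but `char buf[256]` stays behind although its only use shown here, the .hushlogin snprintf(), has moved into check_quietlogin(). If nothing else in do_login() uses buf after this change, drop it as well (and the `struct stat` that went with the stat() call), otherwise the Tru64 compiler will warn about an unused variable. check_quietlogin() itself keeps the same 256-byte buffer and `%.200s` bound as the code it replaces, which is fine.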
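Review bot: the `@@ -1033,7 +1042,7 @@` hunk drops the `/* pam_nologin handles this */` comment when it widens the condition to `#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)`, and the matching `#endif /* USE_PAM || HAVE_OSF_SIA */` in the next hunk only names the macros. Keep a comment saying who enforces /etc/nologin on each path (pam_nologin for PAM; for SIA presumably the session establishment in session_setup_sia(), which this patch relies on but does not show), otherwise the next reader will see the nologin check missing for Tru64 and put it back.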
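Review bot: the `@@ -1059,6 +1068,8 @@` hunk prints the motd from do_child(), which is reached from do_exec_no_pty() as well as from the pty path, whereas the do_login() call it replaces (the `@@ -633` hunk, right after `close(ttyfd)`) only ran for pty sessions. check_quietlogin() returns 1 when a command is given, but a session with no command and no pty (`ssh -T host`, or any client that requests a shell without a pty) will now get the motd written into the shell's output stream. Suggest `if (s->ttyfd != -1 && !check_quietlogin(s, command))`, reusing the test already made on the session_setup_sia() line just above it; `! check_quietlogin` also has a stray space after the `!` that the neighbouring `if (!options.use_login)` and `if (!login_getcapbool(...))` do not use.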
From: GILBERT.R.LOOMIS at saic.com (Loomis, Rip) Date: Wed, 28 Mar 2001 12:09:24 -0500 Subject: 2.5.2p2 ssh-keyscan installed group writable? Message-ID: <791BD3CB503DD411A6510008C7CF647701F40AAE@col-581-exs01.cist.saic.com> Rachit-- Agreed in part. The binary shouldn't have been so poorly written...but making the binary non-readable by regular users is in this case part of "defense in depth". Security by obscurity should not be depended on, since it has been and will continue to be a weak security measure. In this case, however, it would have helped the overall security of the system. Bottom line--almost any system is going to be more secure with a "default deny" policy than a "default allow" policy...and this is a simple change which doesn't break anything. Rip Loomis Voice Number: (410) 953-6874 -------------------------------------------------------- Senior Security Engineer Center for Information Security Technology Science Applications International Corporation http://www.cist.saic.com > -----Original Message-----
> From: Rachit Siamwalla [mailto:rachit at ensim.com] > Sent: Tuesday, March 27, 2001 6:55 PM > To: Loomis, Rip > Cc: 'Jason Stone'; openssh-unix-dev at mindrot.org > Subject: Re: 2.5.2p2 ssh-keyscan installed group writable? > > > > I totally agree and understand this example, but I can't help thinking > relying on read permissions to "secure" a binary is exactly > the same as > "security through obscurity" :) > > -rchit > > > 2. Install *all* executables (not just SetUID) > > as mode 511 (or 4511 if appropriate). > > There's no reason why root needs to be > > able to routinely overwrite them, > > and there's no reason why non-root > > users need to be able to routinely > > copy them or run strings/objdump on them... > > so why allow it? This will require > > an additional step during an upgrade, > > but could also prevent accidental > > or intentional overwriting which is > > not desirable. > From GILBERT.R.LOOMIS at saic.com Thu Mar 29 03:16:43 2001 From: GILBERT.R.LOOMIS at saic.com (Loomis, Rip) Date: Wed, 28 Mar 2001 12:16:43 -0500 Subject: OpenSSh 2.5.2p2 on Linux/Sparc Message-ID: <791BD3CB503DD411A6510008C7CF647701F40AAF@col-581-exs01.cist.saic.com> Matt-- Don't spend too much time on the Debian package, since there already is an official one: ftp://non-us.debian.org/debian-non-US/pool/non-US/main/o/openssh/ssh_2.5.2p2-1_sparc.deb It's in the "sid" (testing) distribution, but you can install it on a potato or woody SPARC box with a couple of other upgrades. Debian is pretty consistently up-to-date with OpenSSH across the alpha/arm/i386/powerpc/sparc/mips platforms. IA-64 only has a 2.3.0-p1 package right now, though =8-) --Happy Debian sparc/i386 user Rip Loomis Voice Number: (410) 953-6874 -------------------------------------------------------- Senior Security Engineer Center for Information Security Technology Science Applications International Corporation http://www.cist.saic.com > -----Original Message-----
> From: Lewandowsky, Matt [mailto:mattl at livecapital.com] > Sent: Tuesday, March 27, 2001 6:52 PM > To: 'Damien Miller'; Lewandowsky, Matt > Cc: 'mouring at etoh.eviladmin.org'; openssh-unix-dev at mindrot.org > Subject: RE: OpenSSh 2.5.2p2 on Linux/Sparc > > > OK. How much longer is 2.5.2p2 projected to be the current > version? If not > long, I won't go out of my way to make sure I can get *some* > working package > set up this coming weekend. I'll instead spend it making sure > I know every > pitfall I may encounter... If it will be around for at least > another month > or two, then I'll be sure to get something out this weekend... Anyone > interested in testing my packages? I'll try to make .deb, .rpm, and > Slackware .tgz packages to start. Volunteers for any or all > are welcome. ;) > > --Matt > > > -----Original Message----- > > From: Damien Miller [mailto:djm at mindrot.org] > > Sent: Tuesday, March 27, 2001 3:39 PM > > To: Lewandowsky, Matt > > Cc: 'mouring at etoh.eviladmin.org'; openssh-unix-dev at mindrot.org > > Subject: RE: OpenSSh 2.5.2p2 on Linux/Sparc > > > > > > On Tue, 27 Mar 2001, Lewandowsky, Matt wrote: > > > > > Ahh...I see now. Sorry about that... > > > > > > Anyway, back to OpenSSH packages on Linux/SPARC: Does > > anyone have a desire > > > to have packages for this platform? > > > > If you are willing to build them and keep the reasonably up > > to date, then > > I would be happy to put a link to them on the portable.html page. > > > > -d > > > > -- > > | Damien Miller \ ``E-mail attachments are > > the poor man's > > | http://www.mindrot.org / distributed > > filesystem'' - Dan Geer > > > From dhaag at pico.apple.com Thu Mar 29 04:28:44 2001 
From: dhaag at pico.apple.com (Dennis Haag) Date: Wed, 28 Mar 2001 10:28:44 -0800 Subject: Openssh-2.5.1p1 and Solaris 2.6 problem with ssh_rsa_verify References: <3ABF8B81.F915423F@pico.apple.com> Message-ID: <3AC22D5C.54D75FB2@pico.apple.com> Dennis Haag wrote: > > We recently upgraded from an older version of SSH to OpenSSH > 2.5.1p1 (OpenSSH_2.5.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f) > and are having problems on just a few hosts in our environment. The > other 200 systems are working fine. Every once in a blue-moon it will > connect with version 2. > > When I try to connect to or from one of these hosts using SSH2 I > get the following error (I have sshd -d -d -d and ssh -2 -v -v -v > output if that helps): > > dhaag at cyberpup> ssh -2 waltst2 > ssh_rsa_verify: RSA_verify failed: error:04077068:rsa > routines:RSA_verify:bad signature > key_verify failed for server_host_key > > Here's what I have done so far: > -recompiled on the suspect box, no change. > -compiled 2.5.2p2 on suspect box with no change. > -don't see any network errors (netstat -i). > -egd seems to be working fine, I can read and write bits with > egc.pl. > -tried changing and disabling some of the protocols with no > change. > -regenerated the host keys more than once (note: this takes much > longer on this system than the working ones) > > The system is a Sun Ultra-2 running Solaris 2.6 (uname -a: SunOS > cyberpup 5.6 Generic_105181-21 sun4u sparc SUNW,Ultra-2). But it > works fine on other Ultra-2's with the same OS and patch level. > > Configure params: --prefix=/local/solaris_2.6/openssh2.5.1p1 > --with-tcp-wrappers --without-shadow > --with-xauth=/usr/openwin/bin/xauth > --with-ipv4-default --with-ssl-dir=/local/solaris_2.6/openssl0.9.6 > --sysconfdir=/etc/ssh --with-egd-pool=/dev/random/entropy > --x-includes=/usr/openwin/include --x-libraries=/usr/openwin/lib > > I am trying to schedule a reboot of the affected system to see if > that makes any difference. 
My gut still tells me that I have an entropy > problem, but I don't know a good test for that. > > Any help appreciated. > > -- > Dennis Haag > haag at apple.com > 408-974-6630 I have installed prngd instead of egd on the system and it seems that I can connect more frequently, but about 75% of the time I'm getting one of the following two errors: ssh_rsa_verify: RSA_verify failed: error:04077068:rsa routines:RSA_verify:bad signature key_verify failed for server_host_key ssh_rsa_verify: RSA_verify failed: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01 key_verify failed for server_host_key Can any of you more experienced ssh folks clue me into at least what these error messages mean? I also started getting some errors connecting via SSH1: dhaag at cyberpup> ssh -1 ming rsa_private_decrypt() failed Disconnecting: respond_to_rsa_challenge: rsa_private_decrypt failed This is on Solaris 2.6 with OpenSSH 2.5.1p1 and 2.5.2p2 Thanks, Dennis From mattl at livecapital.com Thu Mar 29 04:33:25 2001 From: mattl at livecapital.com (Lewandowsky, Matt) Date: Wed, 28 Mar 2001 10:33:25 -0800 Subject: Expired password handling in openssh-2.5.1p1/2 Message-ID: <71D01DB8DA698947A6F5D666D62A2DB001C3CE@exchange.livecapital.com> Another platform I'd like to see this for is Solaris... Enough people run it and have expiring passwords that it is probably worth it. Of course, once we see the IRIX code, it wouldn't be that hard to port it to Solaris. (At least from what I can tell...) --Matt > -----Original Message----- 
> From: Kevin Steves [mailto:stevesk at sweden.hp.com] > Sent: Wednesday, March 28, 2001 1:03 AM > To: Kevin Taylor > Cc: openssh > Subject: Re: Expired password handling in openssh-2.5.1p1/2 > > > On Tue, 27 Mar 2001, Kevin Taylor wrote: > : > : Right now the program closes the connection....the > commercial ssh > : > : manages to exec /bin/passwd after they enter their > current password. > : > > : > there is only support thru PAM right now. i had started a > : > multi-platform password interface last year, and while it > was close to > : > the point of being integrated, i have been side-tracked > with stuff that > : > was more interesting to work on. adding just code to run > passwd if the > : > password has expired isn't hard, and maybe we should do that. > : > : > : Has any of this ended up in the current openssh portable code? > > no, what platform are you using? i should have said adding > code to run > passwd for one platform isn't hard. you have getspent(), > getprpwent(), > BSD pw_change, some with password aging data in the password > field, and > getpwaent() systems, and probably more. i'll think about it > some more. > From mattl at livecapital.com Thu Mar 29 04:40:19 2001 From: mattl at livecapital.com (Lewandowsky, Matt) Date: Wed, 28 Mar 2001 10:40:19 -0800 Subject: OpenSSh 2.5.2p2 on Linux/Sparc Message-ID: <71D01DB8DA698947A6F5D666D62A2DB001C3CF@exchange.livecapital.com> OK. Cool. I have Debian on my box now, but it *really* doesn't like it for some reason... It randomly doesn't boot, it randomly stops responding to the keyboard, it randomly has network problems, and it has NEVER seen my mouse. It's a standard Type 5 mouse, so... But without it, I have no X. :/ So, I'll aim for Slackware packages and RPMs. Are there any compile-time pitfalls between Slackware 7.2 and RedHat I should know? (Like do they both need MD5 passwords?) --Matt > -----Original Message----- 
> From: Loomis, Rip [mailto:GILBERT.R.LOOMIS at saic.com] > Sent: Wednesday, March 28, 2001 9:17 AM > To: 'Lewandowsky, Matt' > Cc: openssh-unix-dev at mindrot.org > Subject: RE: OpenSSh 2.5.2p2 on Linux/Sparc > > > Matt-- > Don't spend too much time on the Debian package, > since there already is an official one: > > ftp://non-us.debian.org/debian-non-US/pool/non-US/main/o/opens > sh/ssh_2.5.2p2 > -1_sparc.deb > It's in the "sid" (testing) distribution, but > you can install it on a potato or woody SPARC > box with a couple of other upgrades. Debian > is pretty consistently up-to-date with OpenSSH > across the alpha/arm/i386/powerpc/sparc/mips > platforms. IA-64 only has a 2.3.0-p1 package > right now, though =8-) > > --Happy Debian sparc/i386 user > > Rip Loomis Voice Number: (410) 953-6874 > -------------------------------------------------------- > Senior Security Engineer > Center for Information Security Technology > Science Applications International Corporation > http://www.cist.saic.com > > > > > -----Original Message----- > > From: Lewandowsky, Matt [mailto:mattl at livecapital.com] > > Sent: Tuesday, March 27, 2001 6:52 PM > > To: 'Damien Miller'; Lewandowsky, Matt > > Cc: 'mouring at etoh.eviladmin.org'; openssh-unix-dev at mindrot.org > > Subject: RE: OpenSSh 2.5.2p2 on Linux/Sparc > > > > > > OK. How much longer is 2.5.2p2 projected to be the current > > version? If not > > long, I won't go out of my way to make sure I can get *some* > > working package > > set up this coming weekend. I'll instead spend it making sure > > I know every > > pitfall I may encounter... If it will be around for at least > > another month > > or two, then I'll be sure to get something out this > weekend... Anyone > > interested in testing my packages? I'll try to make .deb, .rpm, and > > Slackware .tgz packages to start. Volunteers for any or all > > are welcome. ;) > > > > --Matt > > > > > -----Original Message----- 
> > > From: Damien Miller [mailto:djm at mindrot.org] > > > Sent: Tuesday, March 27, 2001 3:39 PM > > > To: Lewandowsky, Matt > > > Cc: 'mouring at etoh.eviladmin.org'; openssh-unix-dev at mindrot.org > > > Subject: RE: OpenSSh 2.5.2p2 on Linux/Sparc > > > > > > > > > On Tue, 27 Mar 2001, Lewandowsky, Matt wrote: > > > > > > > Ahh...I see now. Sorry about that... > > > > > > > > Anyway, back to OpenSSH packages on Linux/SPARC: Does > > > anyone have a desire > > > > to have packages for this platform? > > > > > > If you are willing to build them and keep the reasonably up > > > to date, then > > > I would be happy to put a link to them on the portable.html page. > > > > > > -d > > > > > > -- > > > | Damien Miller \ ``E-mail attachments are > > > the poor man's > > > | http://www.mindrot.org / distributed > > > filesystem'' - Dan Geer > > > > > > From dwd at bell-labs.com Thu Mar 29 04:51:18 2001 
From: dwd at bell-labs.com (Dave Dykstra) Date: Wed, 28 Mar 2001 12:51:18 -0600 Subject: RFE: Portable OpenSSH In-Reply-To: <06d501c0b712$b8f0ff70$1200040a@na.cisco.com>; from dankamin@cisco.com on Tue, Mar 27, 2001 at 03:07:40PM -0800 References: <200103272058.f2RKwExf388024@jurassic.eng.sun.com> <061401c0b701$dfe91a60$1200040a@na.cisco.com> <20010328004654.A23300@folly> <06d501c0b712$b8f0ff70$1200040a@na.cisco.com> Message-ID: <20010328125118.C7463@lucent.com> On Tue, Mar 27, 2001 at 03:07:40PM -0800, Dan Kaminsky wrote: ... > Markus, it's an imperfect world. SSH is built around that presumption. > I've had a personal rule ever since I started seriously working on tech, > which was: Never Make Things Worse. SSH1 binaries can be thrown almost > anywhere and, provided they're compiled for that general architecture, will > work. We need that, and for the most part, we *have* that. > > Vast external dependencies increase the likelihood that things will get > worse, because they increase the likelihood that critical files won't get > placed in the exact right place, not to mention the likelihood that they > won't be able to live anywhere else but somewhere root can go. SSH can > operate entirely from usermode, and to remove that functionality would be to > Make Things Worse. Damien: please, please, please don't remove prng from the ssh client. Its introduction is what makes my use of OpenSSH possible. I widely distribute the solaris 'ssh' client via a regular user login with no super-user intervention. On those systems it will be impossible for me to start a common prngd so every single user (could be hundreds in some cases) on a machine will have to have their own long-running prngd.
Most of the arguments I've seen in this thread in favor of keeping prng support have focused on the software distribution and installation problem; that's not a problem for me, but either requiring more work by all the users to start and keep a prngd daemon running or attempting to automatically keep a separate daemon running for every user via a front end shell script is unthinkable. As for performance, the saving of ~/.ssh/prng_seed between invocations makes the per-invocation overhead very acceptable. On the other hand, if sshd required prng it would not be a problem for me because that is either run by root or by only a few knowledgable users on a machine. The best thing for me would be to have the same ssh binary use a common prngd if it is running on a system and otherwise fall back to prng. GnuPG supports but does not require an entropy daemon. SSH1 does not require an entropy daemon. Please don't make it a requirement of OpenSSH. - Dave Dykstra From kevin at tgivan.com Thu Mar 29 05:01:17 2001 
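Dave's last paragraph describes a fallback policy: ask a shared entropy daemon if one is listening, otherwise run an internal generator that a per-user seed file keeps from starting cold each time. Below is an added example of that policy in Python; it is not OpenSSH's or prngd's code. The EGD socket protocol it speaks is the real one (a command byte 0x02 followed by a one-byte count, answered with exactly that many bytes), so it works against egd.pl or prngd on their socket. The toy daemon, the constant it hands out, the seed-file hashing and the default_gather() placeholder are constructed for the example; in a real client the gathering step would be the ssh_prng_cmds output, or /dev/urandom where the kernel has one.

```python
"""Entropy source selection: prefer a running EGD/PRNGd daemon, else an internal
seed-file PRNG.  Added example, not OpenSSH code.  The EGD socket protocol is
real (command byte, one-byte count); everything else here is illustrative."""
import hashlib
import os
import socket
import tempfile
import threading
import time

EGD_BLOCKING_READ = 0x02   # EGD request: 0x02 <n>  ->  daemon replies with exactly n bytes


def egd_read(sock_path, n):
    """Fetch n (<= 255) bytes from an EGD-compatible daemon; None if no daemon answers."""
    if not 0 < n <= 255:
        raise ValueError("EGD carries the byte count in a single byte")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(2.0)
    try:
        s.connect(sock_path)
        s.sendall(bytes([EGD_BLOCKING_READ, n]))
        buf = b""
        while len(buf) < n:
            chunk = s.recv(n - len(buf))
            if not chunk:            # daemon hung up early: treat as unavailable
                return None
            buf += chunk
        return buf
    except OSError:                  # no socket file, refused, timeout ...
        return None
    finally:
        s.close()


def default_gather():
    """Weak stand-in for the gathering step (constructed placeholder; ssh runs
    ssh_prng_cmds here).  Not a real entropy source on its own."""
    return time.time_ns().to_bytes(8, "big") + os.getpid().to_bytes(4, "big")


def internal_random(n, seed_file, gather=default_gather):
    """Seed-file PRNG: pool = H(old seed || fresh material), expanded in counter
    mode; a new seed (never the bytes handed out) is written back with mode 0600."""
    old = b""
    if os.path.exists(seed_file):
        with open(seed_file, "rb") as f:
            old = f.read()
    pool = hashlib.sha256(b"pool" + old + gather()).digest()
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(pool + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    new_seed = hashlib.sha256(b"seed" + pool).digest()
    fd = os.open(seed_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(new_seed)
    return out[:n]


def get_random_bytes(n, egd_path, seed_file):
    """The policy Dave asks for: use the shared daemon when one answers, else fall back."""
    data = egd_read(egd_path, n) if egd_path else None
    if data is not None:
        return data, "egd"
    return internal_random(n, seed_file), "internal"


# Toy daemon side: just enough of the protocol to complete the exchange above.
def egd_server_bind(sock_path):
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)
    return srv


def egd_server_serve_one(srv, fill=b"\xab"):
    """Answer one request.  A real daemon hands out pool bytes, not a constant."""
    conn, _ = srv.accept()
    with conn:
        cmd = conn.recv(1)
        if cmd == bytes([EGD_BLOCKING_READ]):
            count = conn.recv(1)[0]
            conn.sendall(fill * count)
    srv.close()


def demo():
    """Run both branches: daemon present, then daemon gone (same call site)."""
    d = tempfile.mkdtemp()
    sock_path = os.path.join(d, "entropy")
    seed_file = os.path.join(d, "prng_seed")
    srv = egd_server_bind(sock_path)
    t = threading.Thread(target=egd_server_serve_one, args=(srv,), daemon=True)
    t.start()
    from_daemon = get_random_bytes(16, sock_path, seed_file)
    t.join(5)
    os.unlink(sock_path)                      # daemon gone: the same call must still work
    first = get_random_bytes(16, sock_path, seed_file)
    second = get_random_bytes(16, sock_path, seed_file)
    return {"daemon": from_daemon, "first": first, "second": second,
            "seed_mode": os.stat(seed_file).st_mode & 0o777}


if __name__ == "__main__":
    print(demo())
```

The part worth copying is the shape of get_random_bytes(): one call site, the daemon probed first, and the fallback owning its own seed file with 0600 permissions so that one user's pool is not readable by another.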
From: kevin at tgivan.com (Kevin Sindhu) Date: Wed, 28 Mar 2001 11:01:17 -0800 Subject: OpenSSh 2.5.2p2 on Linux/Sparc References: <71D01DB8DA698947A6F5D666D62A2DB001C3CF@exchange.livecapital.com> Message-ID: <3AC234FD.84491490@tgivan.com> "Lewandowsky, Matt" wrote: > > OK. Cool. I have Debian on my box now, but it *really* doesn't like it for > some reason... It randomly doesn't boot, it randomly stops responding to the > keyboard, it randomly has network problems, and it has NEVER seen my mouse. > It's a standard Type 5 mouse, so... But without it, I have no X. :/ Somehow I myself dislike Debian...but I ain't gonna be the one who started the flamewar..:-) > > So, I'll aim for Slackware packages and RPMs. Are there any compile-time > pitfalls between Slackware 7.2 and RedHat I should know? (Like do they both > need MD5 passwords?) PAM...Redhat does, and Slackware 7.1 and below (that is what I run)[PS - when did 7.2 come out?] do not. You'd have to create two packages: 1) Slackware tgz --with-md5-passwords 2) Redhat 6.2 rpm (To produce this on a Slackware box, AFAIK, you would need to install PAM, and configure --with-pam --with-md5-passwords) Regards -Kevin -- Kevin Sindhu Systems Engineer E-Mail: kevin at tgivan.com TGI Technologies Inc. Tel: (604) 872-6676 Ext 321 107 E 3rd Ave, Fax: (604) 872-6601 Vancouver,BC V5T 1C7 Canada. From mattl at livecapital.com Thu Mar 29 05:50:04 2001 
From: mattl at livecapital.com (Lewandowsky, Matt) Date: Wed, 28 Mar 2001 11:50:04 -0800 Subject: OpenSSh 2.5.2p2 on Linux/Sparc Message-ID: <71D01DB8DA698947A6F5D666D62A2DB001C3D1@exchange.livecapital.com> 7.2 is the CURRENT branch. It is the only version available for sparc at the moment. It will probably be kept somewhat up-to-date respecting packages until it ships, but after that who knows? I am installing it tonite and ditching Debian. Maybe when Woody has boot floppies, I will try again. BTW, on ftp://ftp.slackware.com/pub/slackware/sparc/slackware-current/README72.TXT, note the first line: README for Slackware Linux/SPARC 7.2.0. This is in spite of the information at http://www.ultralinux.org/dists.html. So, by providing an RPM and slack pack, we will have versions available for all the distributions on the UltraLinux dists page? --Matt (making mental note to install RH 6.2 as a dual-boot option...) > -----Original Message----- 
> From: Kevin Sindhu [mailto:kevin at tgivan.com] > Sent: Wednesday, March 28, 2001 11:01 AM > To: Lewandowsky, Matt; openssh-unix-dev at mindrot.org > Subject: Re: OpenSSh 2.5.2p2 on Linux/Sparc > > > "Lewandowsky, Matt" wrote: > > > > OK. Cool. I have Debian on my box now, but it *really* > doesn't like it for > > some reason... It randomly doesn't boot, it randomly stops > responding to the > > keyboard, it randomly has network problems, and it has > NEVER seen my mouse. > > It's a standard Type 5 mouse, so... But without it, I have no X. :/ > > Somehow I myself dislike Debian...but I ain't gonna be the one who > started the flamewar..:-) > > > > > So, I'll aim for Slackware packages and RPMs. Are there any > compile-time > > pitfalls between Slackware 7.2 and RedHat I should know? > (Like do they both > > need MD5 passwords?) > > PAM...Redhat does, and Slackware 7.1 and below (that is what > I run)[PS - > when did 7.2 come out?] do not. > > You'd have to create two packages: > > 1) Slackware tgz --with-md5-passwords > 2) Redhat 6.2 rpm (To produce this on a Slackware box, AFAIK, > you would > need to install PAM, and configure --with-pam --with-md5-passwords) > > Regards > > -Kevin > > -- > Kevin Sindhu > Systems Engineer E-Mail: kevin at tgivan.com > TGI Technologies Inc. Tel: (604) 872-6676 Ext 321 > 107 E 3rd Ave, Fax: (604) 872-6601 > Vancouver,BC V5T 1C7 > Canada. > From Darren.Moffat at eng.sun.com Thu Mar 29 06:15:12 2001 
From: Darren.Moffat at eng.sun.com (Darren J Moffat) Date: Wed, 28 Mar 2001 12:15:12 -0800 Subject: arc4randomstir() in OpenSSH Message-ID: <3AC24650.6BE258C@Eng.Sun.COM>

I'm trying to understand the rationale behind the arc4random() and arc4random_stir() functions in the OpenSSH source tree.

On a system that has a good random number generator, say an in-kernel /dev/random, what extra functionality is this stuff providing?

Would it be acceptable to replace the calls to arc4random() with reading from /dev/random and drop the arc4random_stir() altogether?

Note I'm not suggesting doing this to OpenSSH, before anyone starts a debate on the portability of the code and ties this into the PRNGd/yada yada thread. This is purely an exercise in understanding why RC4 is used in getting random data.

Thanks.

-- Darren J Moffat

From speno at isc.upenn.edu Thu Mar 29 06:18:42 2001
From: speno at isc.upenn.edu (John P Speno) Date: Wed, 28 Mar 2001 15:18:42 -0500 Subject: [PATCH] for Re: OSF_SIA bug in 2.3.0p1 In-Reply-To: <20010328102946.E17315@HiWAAY.net>; from cmadams@hiwaay.net on Wed, Mar 28, 2001 at 10:29:46AM -0600 References: <200102120514.f1C5Eex16051@ariel.ucs.unimelb.edu.au> <20010212112224.F7301@HiWAAY.net> <20010301113311.B167828@isc.upenn.edu> <20010309153814.K298109@isc.upenn.edu> <20010328102946.E17315@HiWAAY.net> Message-ID: <20010328151842.A465305@isc.upenn.edu> On Wed, Mar 28, 2001 at 10:29:46AM -0600, Chris Adams wrote: > Once upon a time, John P Speno said: > > Could you test these patches on your Tru64 UNIX 4.x and 5.x systems. They > > implement the above ideas. In short, do_login is skipped when HAVE_OSF_SIA > > is enabled since the things do_login does are also done better in the > > Tru64 SIA routines. > > > > Also, session_setup_sia will now show /etc/motd if appropriate. I needed a place to > > stick this, and session_setup_sia in auth-sia.c seemed ok at the time. I'm not sure of > > that now. Consider this a first draft for changes: > > It looks good, except you don't check for .hushlogin. I pulled > .hushlogin checking and MOTD printing into separate functions in > session.c (to avoid code duplication). Great. Nice work. The patches look good to me. > There is still a problem (maybe someone else can see it): there is a > race condition in displaying the error message back to the user when a > session is not started. Sometimes you get (when connecting to a locked > account): > > $ ssh -l burdell fly > Account is disabled -- see Account Administrator. > > Connection to fly closed by remote host. > Connection to fly closed. > $ > > and sometimes you get: > > $ ssh -l burdell fly > Connection to fly closed by remote host. > Connection to fly closed. > $ I wasn't able to duplicate that in my testing, though I was just ssh'ing to my localhost, and maybe it's related to network delay. 
Perhaps you can flush the output stream in cases where sia_ses_estab fails. Regardless, I think these changes should be incorporated into the CVS! Thanks.

From provos at citi.umich.edu Thu Mar 29 08:17:11 2001
From: provos at citi.umich.edu (Niels Provos) Date: Wed, 28 Mar 2001 17:17:11 -0500 Subject: 48-hour incompatibility window in OpenSSH CVS Repository Message-ID: <20010328221711.5CD5B207C1@citi.umich.edu>

If you have been updating OpenSSH within the last 48 hours from the CVS repository, you need to re-update the software again. Changes to the Diffie-Hellman group exchange that accommodate problems vendors like Van Dyke have seen were incomplete. The current CVS repository has the fixed version.

Sorry,
Niels.

From dankamin at cisco.com Thu Mar 29 08:57:42 2001
From: dankamin at cisco.com (Dan Kaminsky) Date: Wed, 28 Mar 2001 14:57:42 -0800 Subject: the "evil" of EGD (was Re: RFE: Portable OpenSSH) References: <050901c0b6ed$0021e6a0$1200040a@na.cisco.com> <20010328074913.P1211@justice.loyola.edu> Message-ID: <007601c0b7da$7f497d10$156545ab@na.cisco.com> > I hope this doesn't sound stupid, but I don't understand why everyone > is so down on EGD. I've been using it (on AIX) since we put in > OpenSSH, and I haven't had any problems with it. > > Am I just not smart enough to understand why it is so bad? (Of > course, I understand the much preferable inclusion of a real source > of entropy by the vendor, but why is egd so bad compared to the other > add on entropy sources?) Take a look at the few other client apps that require client daemons to accompany in the background: 1) GNOME 2) Sun CC (requires FlexLM, apparently) Everything else is self-contained--even when there's crypto. This includes TrueSSH(damnit, I'm just going to start calling it this), Netscape-SSL, etc. That being said, prngd is a really slick way to do what it does, and it speeds things up significantly. It's fast, lightweight, and well done. I just object to it being mandatory. --Dan From dankamin at cisco.com Thu Mar 29 09:00:32 2001 
From: dankamin at cisco.com (Dan Kaminsky) Date: Wed, 28 Mar 2001 15:00:32 -0800 Subject: RFE: Portable OpenSSH References: <050901c0b6ed$0021e6a0$1200040a@na.cisco.com> <20010328074913.P1211@justice.loyola.edu> Message-ID: <008601c0b7da$e437ce70$156545ab@na.cisco.com> > On Wed, Mar 28, 2001 at 09:18:45AM +1000, Damien Miller wrote: > > Most people griped about EGD's >1Mb working set and that they didn't want > > to depend on PERL daemons for security. > > I remember it periodically dying for no reason. When the built-in RNG > was introduced I went running away from EGD. (And continued to curse the > stupid OS's with no /dev/random.) The fact that EGD's failure caused SSHD to fail, thus eliminating the management interface you'd use to restart EGD, didn't help either. *shudders with bad memories of losing access to machines several thousand miles away, and being forced to downgrade to SSH1 because of it* --Dan From djm at mindrot.org Thu Mar 29 09:11:31 2001 From: djm at mindrot.org (Damien Miller) Date: Thu, 29 Mar 2001 09:11:31 +1000 (EST) Subject: Expired password handling in openssh-2.5.1p1/2 In-Reply-To: <71D01DB8DA698947A6F5D666D62A2DB001C3CE@exchange.livecapital.com> Message-ID: On Wed, 28 Mar 2001, Lewandowsky, Matt wrote: > Another platform I'd like to see this for is Solaris... Enough > people run it and have expiring passwords that it is probably worth > it. Of course, once we see the IRIX code, it wouldn't be that hard > to port it to Solaris. (At least from what I can tell...) Solaris expired password handling should work now using PAM. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From djm at mindrot.org Thu Mar 29 09:21:52 2001 
From: djm at mindrot.org (Damien Miller) Date: Thu, 29 Mar 2001 09:21:52 +1000 (EST) Subject: arc4randomstir() in OpenSSH In-Reply-To: <3AC24650.6BE258C@Eng.Sun.COM> Message-ID:

On Wed, 28 Mar 2001, Darren J Moffat wrote:

> I'm trying to understand the rationale behind the arc4random() and
> arc4random_stir() functions in the OpenSSH source tree.

We are following the OpenBSD tree with as few changes as possible - this is the approach used by them.

> On a system that has a good random number generator, say an in-kernel
> /dev/random, what extra functionality is this stuff providing?

It minimises reads from /dev/random, which usually contains a finite amount of entropy. Most of the random numbers used in OpenSSH don't need the "information theoretic" strength of /dev/random.

> Would it be acceptable to replace the calls to arc4random() with
> reading from /dev/random and drop the arc4random_stir() altogether?

If you want to waste randomness, yes :) Many of the calls to arc4random are fairly high volume users, e.g. padding which is done per-packet. These would deplete /dev/random pretty quickly. If you used /dev/urandom (the 'endless' interface), then you are back to doing something like arc4random only in the kernel.

-d

--
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From tom at avatar.itc.nrcs.usda.gov Thu Mar 29 16:47:01 2001
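The trade-off Damien describes (pull a small key from the kernel pool, then stretch it with a stream cipher so that per-packet consumers such as padding never touch /dev/random directly) is easiest to see in numbers. The C program below is an added illustration written for this page, not code from OpenSSH or OpenBSD. It implements the RC4 keystream that the original arc4random() was built on, re-keys it from a seed source every `stir_interval` output bytes, and counts how often the pool was consulted. The 32-byte seed, the 4096-byte stir interval, the 1024-byte keystream discard and the `fake_seed` stand-in for the kernel pool are all choices made for this demonstration; a real implementation would plug a read of /dev/urandom in as the `seed_fn`, and OpenBSD's current arc4random uses ChaCha20 rather than RC4 and also re-stirs across fork(), which this example does not model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RC4 keystream, the cipher the original arc4random() stretched its seed with.
 * Its output has known biases (OpenBSD later moved to ChaCha20); shown for the design only. */
struct rc4 { uint8_t s[256]; uint8_t i, j; };

static void rc4_setkey(struct rc4 *r, const uint8_t *key, size_t klen)
{
    unsigned i, j = 0;
    for (i = 0; i < 256; i++) r->s[i] = (uint8_t)i;
    for (i = 0; i < 256; i++) {                       /* key scheduling */
        uint8_t t = r->s[i];
        j = (j + t + key[i % klen]) & 0xff;
        r->s[i] = r->s[j]; r->s[j] = t;
    }
    r->i = r->j = 0;
}

static uint8_t rc4_next(struct rc4 *r)
{
    r->i = (uint8_t)(r->i + 1);
    r->j = (uint8_t)(r->j + r->s[r->i]);
    uint8_t t = r->s[r->i]; r->s[r->i] = r->s[r->j]; r->s[r->j] = t;
    return r->s[(uint8_t)(r->s[r->i] + r->s[r->j])];
}

/* A seed source fills buf with n bytes, bumps *reads and returns 0 on success.
 * In real use this would read the kernel pool; fake_seed is a constructed,
 * deterministic stand-in so the run (and the pool-read count) is reproducible. */
typedef int (*seed_fn)(uint8_t *buf, size_t n, size_t *reads);

static int fake_seed(uint8_t *buf, size_t n, size_t *reads)
{
    for (size_t k = 0; k < n; k++) buf[k] = (uint8_t)(*reads * 31 + k); /* constructed, not random */
    (*reads)++;
    return 0;
}

struct prng {
    struct rc4 rc4;
    seed_fn seed;
    size_t stir_interval, since_stir;   /* output bytes per stir, and since the last one */
    size_t pool_reads;                  /* how often the pool was consulted */
};

/* arc4random_stir() equivalent: 32-byte key from the pool, then drop the head of
 * the keystream, its most biased part. */
static int prng_stir(struct prng *p)
{
    uint8_t key[32];
    if (p->seed(key, sizeof key, &p->pool_reads) != 0)
        return -1;
    rc4_setkey(&p->rc4, key, sizeof key);
    memset(key, 0, sizeof key);
    for (int k = 0; k < 1024; k++) (void)rc4_next(&p->rc4);
    p->since_stir = 0;
    return 0;
}

/* arc4random_buf() equivalent: stir on first use and again every stir_interval bytes. */
static int prng_bytes(struct prng *p, uint8_t *out, size_t n)
{
    for (size_t k = 0; k < n; k++) {
        if ((p->pool_reads == 0 || p->since_stir >= p->stir_interval) && prng_stir(p) != 0)
            return -1;
        out[k] = rc4_next(&p->rc4);
        p->since_stir++;
    }
    return 0;
}

/* Pool reads needed for nbytes of output (0 on failure). Reading the pool directly
 * for every byte would cost nbytes reads instead. */
size_t pool_reads_for(size_t nbytes, size_t stir_interval, seed_fn seed)
{
    struct prng p = { .seed = seed, .stir_interval = stir_interval };
    uint8_t *buf = malloc(nbytes);
    int rc = buf ? prng_bytes(&p, buf, nbytes) : -1;
    free(buf);
    return rc == 0 ? p.pool_reads : 0;
}

/* Known-answer check of the RC4 core: key "Key" -> EB 9F 77 81 B7 34 CA 72 A7 19. */
int rc4_selftest(void)
{
    static const uint8_t want[] = { 0xEB, 0x9F, 0x77, 0x81, 0xB7, 0x34, 0xCA, 0x72, 0xA7, 0x19 };
    struct rc4 r;
    rc4_setkey(&r, (const uint8_t *)"Key", 3);
    for (size_t k = 0; k < sizeof want; k++)
        if (rc4_next(&r) != want[k]) return 0;
    return 1;
}

int main(void)
{
    size_t n = 1000000, reads = pool_reads_for(n, 4096, fake_seed);
    printf("rc4 self-test %s; %zu bytes of output took %zu pool reads (%zu bytes)\n",
           rc4_selftest() ? "ok" : "FAILED", n, reads, reads * 32);
    return 0;
}
```

With a 4096-byte interval, a million bytes of output cost 245 visits to the pool of 32 bytes each, under 8 KB, where reading /dev/random byte-for-byte would have cost a million. Swapping the seed source for /dev/urandom changes nothing in that picture, which is Damien's closing point: urandom is already the same stretch-from-a-small-seed construction, only inside the kernel.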
From: tom at avatar.itc.nrcs.usda.gov (Tom Rudnick) Date: Wed, 28 Mar 2001 23:47:01 -0700 (MST) Subject: [PATCH] Added Null packet keepalive option In-Reply-To: <20010314224823.B27977@faui02.informatik.uni-erlangen.de> from "Markus Friedl" at Mar 14, 2001 10:48:23 PM Message-ID: <200103290647.XAA13687@avatar.itc.nrcs.usda.gov> > > have you tried to send an empty ignore message to the buggy servers? > sending MSG_NONE relies on another implementation bug, and this should > be fixed in OpenSSH asap. > Markus- Here is an altered patch which does MSG_IGNORE instead of MSG_NONE. Is this the more appropriate route? + if(compat20) + packet_start(SSH2_MSG_IGNORE); + else + packet_start(SSH_MSG_IGNORE); + packet_send(); Another question. The message posted with the subject: "living with masq" shows another patch that has similar results, except it sends random data at random intervals. Is the fixed interval with null data going to affect the integrity of the connection? If so, how important is this effect? I have attached the modified patch using MSG_IGNORE. This patch is an updated version of the one I posted earlier. Let me know what you guys think... -Tom Rudnick -- ----------------/---------------------------------------------- Tom Rudnick | USDA Natural Resources Conservation Service Fort Collins,CO | tom at avatar.itc.nrcs.usda.gov (970) 295-5427 ** The 3rd Millennium started Jan 1, 2001. see: ** ** http://aa.usno.navy.mil/AA/faq/docs/millennium.html ** -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -------------- next part -------------- --- readconf.h 2001/03/11 01:49:20 1.21 +++ readconf.h 2001/03/23 21:47:36 
@@ -61,6 +61,10 @@ int compression_level; /* Compression level 1 (fast) to 9 * (best). */ int keepalives; /* Set SO_KEEPALIVE. */ + time_t noop_msg_interval; /* Number of seconds between + * SSH_MSG_IGNORE packets to keep + * firewall connections from + * timing out */ LogLevel log_level; /* Level for logging. */ int port; /* Port to connect. */ --- readconf.c 2001/03/22 01:24:05 1.42 +++ readconf.c 2001/03/23 21:47:37 @@ -110,7 +110,7 @@ oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, - oPreferredAuthentications + oPreferredAuthentications, oNoopMsgInterval } OpCodes; /* Textual representations of the tokens. */ @@ -173,6 +173,7 @@ { "numberofpasswordprompts", oNumberOfPasswordPrompts }, { "loglevel", oLogLevel }, { "preferredauthentications", oPreferredAuthentications }, + { "noopmsginterval", oNoopMsgInterval }, { NULL, 0 } }; @@ -387,6 +388,10 @@ intptr = &options->keepalives; goto parse_flag; + case oNoopMsgInterval: + intptr = &options->noop_msg_interval; + goto parse_int; + case oNumberOfPasswordPrompts: intptr = &options->number_of_password_prompts; goto parse_int; @@ -707,6 +712,7 @@ options->strict_host_key_checking = -1; options->compression = -1; options->keepalives = -1; + options->noop_msg_interval = -1; options->compression_level = -1; options->port = -1; options->connection_attempts = -1; @@ -791,6 +797,8 @@ options->compression = 0; if (options->keepalives == -1) options->keepalives = 1; + if (options->noop_msg_interval == -1) + options->noop_msg_interval = 0; if (options->compression_level == -1) options->compression_level = 6; if (options->port == -1) --- clientloop.c 2001/03/06 03:34:40 1.36 +++ clientloop.c 2001/03/23 21:47:37 
@@ -365,6 +365,10 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp) { + struct timeval tv = {0}; + tv.tv_sec = options.noop_msg_interval; + /* Send a noop message at this frequency as a keepalive. */ + /* Add any selections by the channel mechanism. */ channel_prepare_select(readsetp, writesetp, maxfdp); @@ -403,7 +407,8 @@ * SSH_MSG_IGNORE packet when the timeout expires. */ - if (select((*maxfdp)+1, *readsetp, *writesetp, NULL, NULL) < 0) { + switch (select((*maxfdp)+1, *readsetp, *writesetp, NULL, ((tv.tv_sec)?(&tv):NULL))) { + case -1: { char buf[100]; /* @@ -420,7 +425,24 @@ snprintf(buf, sizeof buf, "select: %s\r\n", strerror(errno)); buffer_append(&stderr_buffer, buf, strlen(buf)); quit_pending = 1; - } + + } + break; + + case 0: + /* Send a keepalive packet (SSH_MSG_IGNORE crashes + * some servers...). + */ + if(compat20) + packet_start(SSH2_MSG_IGNORE); + else + packet_start(SSH_MSG_IGNORE); + packet_send(); + break; + + default: + break; + } } void From Edgar.Hoch at IMS.Uni-Stuttgart.DE Fri Mar 30 02:32:25 2001 
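Review bot: in the readconf.c `case oNoopMsgInterval:` hunk, `intptr = &options->noop_msg_interval; goto parse_int;` stores through an `int *` into a field that the readconf.h hunk declares as `time_t noop_msg_interval`; wherever time_t is wider than int this writes only sizeof(int) bytes and the remaining bytes keep the bits of the `= -1` sentinel from the defaults hunk, so the stored interval is garbage. Declare the field `int` (it is a count of seconds and only ever feeds `tv.tv_sec`), or parse into an int and assign. The new `noopmsginterval` keyword also gets no ssh_config(5) entry in this patch; the option needs documenting, including the fact that the packet is only sent after `noop_msg_interval` seconds without any other traffic.

Review bot: in the `case 0:` branch of the clientloop.c hunk, `packet_start(SSH2_MSG_IGNORE)` / `packet_start(SSH_MSG_IGNORE)` is followed directly by `packet_send()`, but the ignore message carries a string payload in both protocol versions; add `packet_put_cstring("")` before `packet_send()` so the packet is well-formed for a strict peer, which is also what the quoted "empty ignore message" suggestion asks for. The comment above that branch, `Send a keepalive packet (SSH_MSG_IGNORE crashes some servers...)`, is left over from the MSG_NONE version and now contradicts the code; reword it. In the earlier hunk, the `(tv.tv_sec)?(&tv):NULL` expression in the `select()` call is the only place where an interval of 0 turns the feature off; a one-line comment there would save the next reader a trip back to the defaults.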
From: Edgar.Hoch at IMS.Uni-Stuttgart.DE (Edgar Hoch) Date: Thu, 29 Mar 2001 18:32:25 +0200 Subject: Patches for OpenSSH 2.5.2p2: evaluate /etc/default/login, makefiles manpages Message-ID: <3AC36399.4F5D0851@IMS.Uni-Stuttgart.DE>

Dear developers of OpenSSH,

first of all I want to thank you for your excellent work on OpenSSH!

I have compiled OpenSSH 2.5.2p2 on Sun Solaris 2.6 and Sun Solaris 8 and discovered some problems.

The first is that OpenSSH doesn't evaluate the file /etc/default/login, which contains some flags and parameters for the login process. One important parameter is the default value for PATH. As we want to set the default value of PATH after a login in one central place, we use /etc/default/login on Sun Solaris. I have created a patch that evaluates those flags and parameters of the file /etc/default/login which are relevant for the login process after the authentication is done. The patch is appended as an attachment.

Second, I have made Sun Solaris packages for OpenSSH. To do this I installed OpenSSH in a temporary directory (e.g. /tmp/openssh-root/) and used this tree to create the Solaris package (similar to how we create rpm packages). The problem is that I have to specify some variables for make to install OpenSSH in that temporary directory:

make prefix=/tmp/openssh-root/usr libexecdir=/tmp/openssh-root/usr/sbin mandir=/tmp/openssh-root/usr/man sysconfdir=/tmp/openssh-root/etc/ssh install

In the default configuration of the Makefile, the goal 'manpages' is called by 'install'. Then the created manpages get the temporary paths (/tmp/openssh-root/...) compiled in. That's not what I want, because when the Solaris package is installed the files will be installed in /usr/bin, /usr/sbin etc. and not in /tmp/openssh-root/usr/bin etc. I created a patch that I appended as an attachment. The patch changes Makefile so the goal 'manpages' is called by 'all'.

Another problem is that I have libz in /usr/local/lib as static and shared library.
The linker prefers the shared version, so I have to explicitly specify that it should use the static version, because /usr/local is NFS mounted and may not be available when the host boots and sshd starts. I found no variable or flag which I can give to 'configure' or to 'make' to do that. LIBS is in the wrong place in Makefile, as '-lz' is given to the compiler/linker before LIBS in the created command line. The only solution for me was to change Makefile manually after 'configure' and before 'make'. I think there should be a flag that can be given to 'make' or 'configure' to link OpenSSH statically. My hack:

cp -p Makefile Makefile-before-changes
sed -e '/^LIBS=/ s/-lz/-Xlinker -B -Xlinker static -lz -Xlinker -B -Xlinker dynamic/' Makefile-before-changes >! Makefile

I would be glad if you would integrate the patch for /etc/default/login and for the manpages in Makefile in the next official distribution.

Thanks in advance

Edgar Hoch

--
Edgar Hoch
Institut fuer maschinelle Sprachverarbeitung (IMS)
Universitaet Stuttgart, Germany
D-70174 Stuttgart, Azenbergstrasse 12
Tel.: +49-711-121-1350, Fax: +49-711-121-1366
EMail: Edgar.Hoch at ims.uni-stuttgart.de
WWW: http://www.ims.uni-stuttgart.de/~edgar/

-------------- next part --------------
--- session.c.orig-2.5.2p2 Thu Mar 22 01:58:27 2001 +++ session.c Thu Mar 29 16:14:22 2001 @@ -58,6 +58,10 @@ #include "canohost.h" #include "session.h" +#ifdef HAVE_ULIMIT_H +#include +#endif /* ULIMIT_H */ + #ifdef WITH_IRIX_PROJECT #include #endif /* WITH_IRIX_PROJECT */
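Review bot: in the new `#ifdef HAVE_ULIMIT_H` block the closing comment reads `#endif /* ULIMIT_H */`; make it `/* HAVE_ULIMIT_H */` so it names the same macro as the opening directive, as the neighbouring `WITH_IRIX_PROJECT` block does.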
@@ -915,6 +919,150 @@ } #endif +/* + * Get the value to the variable 'name' in the given environment 'env'. + * If the variable isn't defined, return NULL. + */ +char *get_environment_value(char **env, const char *name) +{ + u_int i, namelen; + + namelen = strlen(name); + for (i = 0; env[i]; i++) + if (strncmp(env[i], name, namelen) == 0 && env[i][namelen] == '=') + break; + if (env[i]) + return &env[i][namelen + 1]; + else + return NULL; +} + +#define ETC_DEFAULT_LOGIN_FILENAME "/etc/default/login" +/* + * Sun Solaris uses the file ETC_DEFAULT_LOGIN_FILENAME + * to specify some flags and environment variables for the login process. + * This file consist of empty lines, comments (line starts with '#') + * and assignments of the form name=value. No other forms are allowed. + * + * This procedure read this file and set the proper variables. + * The arguments are pointers to the current environment and its size. + * This environment will be changed according to the contents of + * the file ETC_DEFAULT_LOGIN_FILENAME. + * 'shell' is the default shell of the user. + * + * This procedure also sets environment variable SHELL + * if it isn't prohibited by a entry in file ETC_DEFAULT_LOGIN_FILENAME. + * + * Other flags in file ETC_DEFAULT_LOGIN_FILENAME that cause actions + * other than setting environment variables, + * setting the umask and ulimit + * will not be processed. + */ +void do_etc_default_login(char ***env, int *envsize, const char *shell, + const uid_t uid) +{ + char **default_login_env; + u_int default_login_env_size; + char *value; + + /* + * Read the assignments in file ETC_DEFAULT_LOGIN_FILENAME + * into the temporary environment default_login_env. 
+ */ + default_login_env_size = 20; + default_login_env = xmalloc(default_login_env_size * sizeof(char *)); + default_login_env[0] = NULL; + read_environment_file(&default_login_env, &default_login_env_size, + ETC_DEFAULT_LOGIN_FILENAME); + + /* + * For each known flag in file ETC_DEFAULT_LOGIN_FILENAME + * if it is defined then set the proper environment variables. + */ + + /* Set environment variable SHELL only if ALTSHELL has value "YES". */ + value = get_environment_value(default_login_env, "ALTSHELL"); + if (value == NULL) { + /* Normal systems set SHELL by default. */ + child_set_env(env, envsize, "SHELL", shell); + } else if (strcmp(value, "YES") == 0) { + child_set_env(env, envsize, "SHELL", shell); + } + + /* + * If the user is root and SUPATH is defined, + * set environment variable PATH to the value of SUPATH. + * Else if PATH is defined then + * set environment variable PATH to the value of PATH. + */ + if (uid == 0) { + value = get_environment_value(default_login_env, "SUPATH"); + if (value != NULL) + child_set_env(env, envsize, "PATH", value); + } else { + value = get_environment_value(default_login_env, "PATH"); + if (value != NULL) + child_set_env(env, envsize, "PATH", value); + } + + /* + * If TIMEZONE is defined then set environment variable TZ + * if it isn't already defined in the environment. + */ + if (get_environment_value(*env, "TZ") == NULL) { + value = get_environment_value(default_login_env, "TIMEZONE"); + if (value != NULL) + child_set_env(env, envsize, "TZ", value); + } + + /* If HZ is defined then set environment variable HZ. */ + value = get_environment_value(default_login_env, "HZ"); + if (value != NULL) + child_set_env(env, envsize, "HZ", value); + + /* If UMASK is defined then set the default umask. */ + value = get_environment_value(default_login_env, "UMASK"); + if (value != NULL) { + int i; + mode_t default_umask = 0; + /* UMASK must contain only digits 0-7. 
*/ + for (i = 0; + value[i] && isdigit((int)value[i]) && value[i] != '8' && value[i] != '9'; + i++) + default_umask = default_umask * 8 + value[i] - '0'; + /* Set umask only if the value have had right syntax. */ + if (value[i] == NULL) + umask(default_umask); + } + +#ifdef HAVE_ULIMIT_H + /* Set the file size limit if ULIMIT is defined. */ + value = get_environment_value(default_login_env, "ULIMIT"); + if (value != NULL && atoi(value) > 0) + ulimit(UL_SETFSIZE, atoi(value)); +#endif /* HAVE_ULIMIT_H */ + + /* + * The following flags from file ETC_DEFAULT_LOGIN_FILENAME + * are not processed by this procedure: + * CONSOLE + * PASSREQ + * TIMEOUT + * SYSLOG + * SLEEPTIME + * RETRIES + * SYSLOG_FAILED_LOGINS + */ + + /* Clean up: Free the temporary environment. */ + { + u_int i; + for (i = 0; default_login_env[i]; i++) + xfree(default_login_env[i]); + } + xfree(default_login_env); +} + #if defined(HAVE_GETUSERATTR) /* * AIX-specific login initialisation @@ -1213,12 +1361,26 @@ # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ - snprintf(buf, sizeof buf, "%.200s/%.50s", - _PATH_MAILDIR, pw->pw_name); + /* + * Set environment variable MAIL. + * _PATH_MAILDIR may have a '/' appended (e.g. on Solaris) + * or have no '/' at the end. + */ + snprintf(buf, sizeof buf, "%.200s%s%.50s", + _PATH_MAILDIR, + strlen(_PATH_MAILDIR) > 0 + && _PATH_MAILDIR[strlen(_PATH_MAILDIR)-1] == '/' + ? "" : "/", + pw->pw_name); child_set_env(&env, &envsize, "MAIL", buf); - /* Normal systems set SHELL by default. */ - child_set_env(&env, &envsize, "SHELL", shell); + /* + * Process file /etc/default/login if available. + * This procedure also sets environment variable SHELL + * if it isn't prohibited by a entry in file + * /etc/default/login. + */ + do_etc_default_login(&env, &envsize, shell, pw->pw_uid); } if (getenv("TZ")) child_set_env(&env, &envsize, "TZ", getenv("TZ")); 
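Review bot: in the UMASK block of the `do_etc_default_login()` hunk, `if (value[i] == NULL)` compares a `char` with the null pointer constant; the intended end-of-string test is `value[i] == '\0'`, and the loop condition `isdigit((int)value[i]) && value[i] != '8' && value[i] != '9'` is more simply and more obviously `value[i] >= '0' && value[i] <= '7'`. In the ULIMIT block `atoi(value)` is evaluated twice and silently maps non-numeric text to 0; parse once with `strtol()` and call `ulimit()` only if the whole string was consumed, which is the care the UMASK code already takes. The comment above the PATH logic ("Else if PATH is defined ...") reads as if root falls back to PATH when SUPATH is absent, but the `else` belongs to `if (uid == 0)`, so root gets no PATH change in that case; state the intended precedence in the comment or change the code. Finally, `get_environment_value()` is only used in this file and has no header prototype; make it `static`.

Review bot: this hunk calls `do_etc_default_login(&env, &envsize, shell, pw->pw_uid)` unconditionally, so every platform now opens the Solaris-specific file hard-coded as ETC_DEFAULT_LOGIN_FILENAME on each login and applies Solaris semantics (SUPATH for root, ALTSHELL gating SHELL). Guard the call behind a configure-time check for that file, or a dedicated configure option, so behaviour on other systems is unchanged. The `_PATH_MAILDIR` trailing-slash fix in the same hunk is correct but independent of the login-defaults work; it would be easier to review and merge as its own patch.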
@@ -1282,7 +1444,7 @@ /* read $HOME/.ssh/environment. */ if (!options.use_login) { - snprintf(buf, sizeof buf, "%.200s/.ssh/environment", + snprintf(buf, sizeof buf, "%.512s/.ssh/environment", pw->pw_dir); read_environment_file(&env, &envsize, buf); } @@ -1290,7 +1452,7 @@ /* dump the environment */ fprintf(stderr, "Environment:\n"); for (i = 0; env[i]; i++) - fprintf(stderr, " %.200s\n", env[i]); + fprintf(stderr, " %.512s\n", env[i]); } /* we have to stash the hostname before we close our socket. */ if (options.use_login) --- configure.in.orig-2.5.2p2 Mon Mar 19 00:09:28 2001 +++ configure.in Wed Mar 21 17:20:12 2001 @@ -368,7 +368,7 @@ AC_FUNC_STRFTIME # Checks for header files. -AC_CHECK_HEADERS(bstring.h endian.h floatingpoint.h getopt.h glob.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h regex.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/queue.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h) +AC_CHECK_HEADERS(bstring.h endian.h floatingpoint.h getopt.h glob.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h regex.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/queue.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h ulimit.h usersec.h util.h utime.h utmp.h utmpx.h vis.h) # Check for ALTDIRFUNC glob() extension AC_MSG_CHECKING(for GLOB_ALTDIRFUNC support) --- configure.orig-2.5.2p2 Thu Mar 22 06:07:06 2001 +++ configure Wed Mar 21 17:52:23 2001 
@@ -2940,7 +2940,7 @@ # Checks for header files. -for ac_hdr in bstring.h endian.h floatingpoint.h getopt.h glob.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h regex.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/queue.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h +for ac_hdr in bstring.h endian.h floatingpoint.h getopt.h glob.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h regex.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/queue.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h ulimit.h usersec.h util.h utime.h utmp.h utmpx.h vis.h do ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 -------------- next part -------------- --- Makefile.in.orig-2.5.2p2 Wed Mar 21 03:12:12 2001 +++ Makefile.in Thu Mar 22 16:41:18 2001 @@ -73,7 +73,7 @@ FIXPATHSCMD = $(PERL) $(srcdir)/fixpaths $(PATHSUBS) -all: $(CONFIGFILES) $(TARGETS) +all: $(CONFIGFILES) $(TARGETS) manpages manpages: $(MANPAGES) @@ -151,7 +151,7 @@ distprep: catman-do autoreconf -install: manpages $(TARGETS) install-files host-key +install: $(TARGETS) install-files host-key install-files: $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir) From celinn at mtu.edu Fri Mar 30 03:10:49 2001 
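Review bot: the two hunks that widen `%.200s` to `%.512s` (the `.ssh/environment` path and the environment dump in session.c) are not mentioned in the cover message and have nothing to do with /etc/default/login; the first is only useful if `buf` is at least that large, so check its declaration, and send these as a separate change with their own justification.

Review bot: `configure` is generated from `configure.in`; patching both means the two will drift and the `configure` hunk stops applying as soon as the maintainers regenerate it. Submit only the `configure.in` change (`ulimit.h` added to `AC_CHECK_HEADERS`) and let the tree be re-run through autoreconf.

Review bot: in the Makefile.in hunk, removing `manpages` from the prerequisites of `install` means a bare `make install` in a tree where `all` has not been run will no longer generate the man pages before `install-files` copies them. The underlying problem (staging paths compiled into the man pages) is better solved by keeping the real prefix and staging with `DESTDIR`, which `install-files` already supports as the visible `$(DESTDIR)$(bindir)` context line shows, and then no Makefile change is needed; if the change is kept anyway, leave `manpages` as a prerequisite of `install` as well as `all`.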
From: celinn at mtu.edu (Christopher Linn) Date: Thu, 29 Mar 2001 12:10:49 -0500 Subject: Patches for OpenSSH 2.5.2p2: evaluate /etc/default/login, makefiles manpages In-Reply-To: <3AC36399.4F5D0851@IMS.Uni-Stuttgart.DE>; from Edgar.Hoch@IMS.Uni-Stuttgart.DE on Thu, Mar 29, 2001 at 06:32:25PM +0200 References: <3AC36399.4F5D0851@IMS.Uni-Stuttgart.DE> Message-ID: <20010329121048.A11895@mtu.edu>

hi edgar,

i am not an openssh developer, however i am working on building openssh solaris packages also. firstly, thank you very much for your default login work! now, i think you are doing your makes incorrectly:

On Thu, Mar 29, 2001 at 06:32:25PM +0200, Edgar Hoch wrote:
[...]
> Second I have made Sun Solaris packages for OpenSSH. To do this I installed
> OpenSSH in a temporary directory (e.g. /tmp/openssh-root/) and used this tree
> to create the Solaris package (similar like we do create rpm packages).
> The problem is that I have to specify some variables for make to install OpenSSH
> in that temporary directory:
>
> make prefix=/tmp/openssh-root/usr libexecdir=/tmp/openssh-root/usr/sbin
> mandir=/tmp/openssh-root/usr/man sysconfdir=/tmp/openssh-root/etc/ssh
> install
[...]

this is not the way you want to do this; i believe that will mess up all the pathnames embedded in your binaries and manpages. there is a make variable in the openssh Makefile that you use, "DESTDIR", to accomplish the install into the tmp package building directory. ALL your --prefix etc should be set exactly as though you were installing on the build machine itself; this makes the embedded pathnames all correct. then do your make install like:

# make DESTDIR=/tmp/openssh-root install

this will do the actual install in your "fake" area, where you can then proceed to install prngd there if you want, and then run pkgproto and pkgmk in /tmp/openssh-root as you would normally do.
regards,

chris

--
Christopher Linn,                    | By no means shall either the CEC
Staff System Administrator           | or MTU be held in any way liable
Center for Experimental Computation  | for any opinions or conjecture I
Michigan Technological University    | hold to or imply to hold herein.

From celinn at mtu.edu Fri Mar 30 04:19:28 2001
From: celinn at mtu.edu (Christopher Linn) Date: Thu, 29 Mar 2001 13:19:28 -0500 Subject: Patches for OpenSSH 2.5.2p2: evaluate /etc/default/login, makefiles manpages In-Reply-To: <20010329121048.A11895@mtu.edu>; from celinn@mtu.edu on Thu, Mar 29, 2001 at 12:10:49PM -0500 References: <3AC36399.4F5D0851@IMS.Uni-Stuttgart.DE> <20010329121048.A11895@mtu.edu> Message-ID: <20010329131928.B11895@mtu.edu>

hello again,

i believe i have made a mistake:

On Thu, Mar 29, 2001 at 12:10:49PM -0500, Christopher Linn wrote:
[...]
> # make DESTDIR=/tmp/openssh-root install

is incorrect. that is the correct syntax for OpenBSD make. the correct syntax for /usr/ccs/bin/make on solaris is:

# make install DESTDIR=/tmp/openssh-root

my apologies.

cheers,

chris

--
Christopher Linn,                    | By no means shall either the CEC
Staff System Administrator           | or MTU be held in any way liable
Center for Experimental Computation  | for any opinions or conjecture I
Michigan Technological University    | hold to or imply to hold herein.

From martang at clearcommerce.com Fri Mar 30 09:57:49 2001
From: martang at clearcommerce.com (Marty Hoff) Date: Thu, 29 Mar 2001 17:57:49 -0600 (CST) Subject: OpenSSH 2.5.2p2 client to 2.5.1p1 server problem Message-ID:

I'm trying to connect from OpenSSH clients that are version 2.5.2p2 to several different HP-UX 11.00 machines that are running 2.5.1p1, but cannot. I can, however, connect to a Linux machine running 2.5.1p1 without problem. I get this message from both a Solaris 2.7 (x86) machine and a Solaris 2.6 (SPARC) machine.

From the x86 machine, I get

ssh dozer
51 f6 46 8d 9d 98 17 a6 b6 10 79 43 57 d2 30 f8
Disconnecting: Bad packet length 1375094413.

From the SPARC machine, I get

ssh apoc
2c 15 98 83 67 46 9e 27 f3 d0 db 34 89 55 64 ac
Disconnecting: Bad packet length 739612803.

Below, I've put some of the debug info. I also just confirmed that this happens from a RedHat Linux machine running 2.5.2p2 as well, when trying to connect to the same HP-UX machines. I can't upgrade the HP's right now to see if the problem goes away with 2.5.2p2 on the other side as well. In case it matters, we're running OpenSSL 0.9.6 and prngd 0.9.7. Anyone got any ideas on what might cause this?

Marty Hoff

In debug mode, I get the following:

ssh -v dozer
OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: getuid 860 geteuid 0 anon 1
debug1: Connecting to dozer [216.142.25.126] port 22.
debug1: Connection established.
debug1: unknown identity file /local/users/martang/.ssh/identity
debug1: identity file /local/users/martang/.ssh/identity type -1
debug1: unknown identity file /local/users/martang/.ssh/id_rsa
debug1: identity file /local/users/martang/.ssh/id_rsa type -1
debug1: unknown identity file /local/users/martang/.ssh/id_dsa
debug1: identity file /local/users/martang/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_2.5.1p1
debug1: match: OpenSSH_2.5.1p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.5.2p2
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug1: got kexinit: ssh-dss
debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: none,zlib
debug1: got kexinit: none,zlib
debug1: got kexinit:
debug1: got kexinit:
debug1: first kex follow: 0
debug1: reserved: 0
debug1: done
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: Sending SSH2_MSG_KEX_DH_GEX_REQUEST.
debug1: Wait SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: Got SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: dh_gen_key: priv key bits set: 126/256
debug1: bits set: 986/2049
debug1: Sending SSH2_MSG_KEX_DH_GEX_INIT.
debug1: Wait SSH2_MSG_KEX_DH_GEX_REPLY.
debug1: Got SSH2_MSG_KEXDH_REPLY.
debug1: Host 'dozer' is known and matches the DSA host key.
debug1: Found key in /local/users/martang/.ssh/known_hosts2:12
debug1: bits set: 1029/2049
debug1: len 55 datafellows 0
debug1: ssh_dss_verify: signature correct
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: send SSH2_MSG_SERVICE_REQUEST
06 d8 6d da b8 5b ac ea f3 b4 4d 35 37 ec 44 5f
Disconnecting: Bad packet length 114847194.
debug1: Calling cleanup 0x807ea90(0x0)

--------------------------------------------
Marty Hoff                    martang at clearcommerce.com
UNIX Administrator            ClearCommerce Corp.
Always remember you're unique, just like everyone else.

From rachit at ensim.com Fri Mar 30 10:14:44 2001
From: rachit at ensim.com (Rachit Siamwalla)
Date: Thu, 29 Mar 2001 16:14:44 -0800
Subject: Openssh-2.5.1p1 and Solaris 2.6 problem with ssh_rsa_verify
References: <3ABF8B81.F915423F@pico.apple.com> <3AC22D5C.54D75FB2@pico.apple.com>
Message-ID: <3AC3CFF4.116869A@ensim.com>

I have got this problem as well, logging in from a 2.3.0p1 (mid-Jan snapshot version) Linux client to a 2.5.2p2 Solaris server. However, the error consistently is

ssh_rsa_verify: RSA_verify failed: error:04077067:rsa.

(instead of 04077068)

When upgrading the Linux client to 2.5.2p2, everything worked.

-rchit

Dennis Haag wrote:
> 
> Dennis Haag wrote:
> > 
> > We recently upgraded from an older version of SSH to OpenSSH
> > 2.5.1p1 (OpenSSH_2.5.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f)
> > and are having problems on just a few hosts in our environment. The
> > other 200 systems are working fine. Every once in a blue moon it will
> > connect with version 2.
> > 
> > When I try to connect to or from one of these hosts using SSH2 I
> > get the following error (I have sshd -d -d -d and ssh -2 -v -v -v
> > output if that helps):
> > 
> > dhaag@cyberpup> ssh -2 waltst2
> > ssh_rsa_verify: RSA_verify failed: error:04077068:rsa
> > routines:RSA_verify:bad signature
> > key_verify failed for server_host_key
> > 
> > Here's what I have done so far:
> > -recompiled on the suspect box, no change.
> > -compiled 2.5.2p2 on suspect box with no change.
> > -don't see any network errors (netstat -i).
> > -egd seems to be working fine, I can read and write bits with
> >  egc.pl.
> > -tried changing and disabling some of the protocols with no
> >  change.
> > -regenerated the host keys more than once (note: this takes much
> >  longer on this system than the working ones)
> > 
> > The system is a Sun Ultra-2 running Solaris 2.6 (uname -a: SunOS
> > cyberpup 5.6 Generic_105181-21 sun4u sparc SUNW,Ultra-2). But it
> > works fine on other Ultra-2's with the same OS and patch level.
> > 
> > Configure params: --prefix=/local/solaris_2.6/openssh2.5.1p1
> > --with-tcp-wrappers --without-shadow
> > --with-xauth=/usr/openwin/bin/xauth
> > --with-ipv4-default --with-ssl-dir=/local/solaris_2.6/openssl0.9.6
> > --sysconfdir=/etc/ssh --with-egd-pool=/dev/random/entropy
> > --x-includes=/usr/openwin/include --x-libraries=/usr/openwin/lib
> > 
> > I am trying to schedule a reboot of the affected system to see if
> > that makes any difference. My gut still tells me that I have an entropy
> > problem, but I don't know a good test for that.
> > 
> > Any help appreciated.
> > 
> > -- 
> > Dennis Haag
> > haag at apple.com
> > 408-974-6630
> 
> I have installed prngd instead of egd on the system and it seems that I can
> connect more frequently, but about 75% of the time I'm getting one of the
> following two errors:
> 
> ssh_rsa_verify: RSA_verify failed: error:04077068:rsa
> routines:RSA_verify:bad signature
> key_verify failed for server_host_key
> 
> ssh_rsa_verify: RSA_verify failed: error:0407006A:rsa
> routines:RSA_padding_check_PKCS1_type_1:block type is not 01
> key_verify failed for server_host_key
> 
> Can any of you more experienced ssh folks clue me into at least what these
> error messages mean?
> 
> I also started getting some errors connecting via SSH1:
> 
> dhaag@cyberpup> ssh -1 ming
> rsa_private_decrypt() failed
> Disconnecting: respond_to_rsa_challenge: rsa_private_decrypt failed
> 
> This is on Solaris 2.6 with OpenSSH 2.5.1p1 and 2.5.2p2
> 
> Thanks,
> 
> Dennis

From celinn at mtu.edu Fri Mar 30 10:20:33 2001
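For the Solaris 2.6 RSA_verify thread above, an added check (example code, not from the thread and not part of OpenSSH). Both OpenSSL errors Dennis quotes are raised on the verifying side: "RSA_padding_check_PKCS1_type_1:block type is not 01" means the public-key operation on the received signature did not even yield a well-formed PKCS#1 block, and "RSA_verify:bad signature" means it did but the digest inside did not match. Together with "rsa_private_decrypt failed" on the same host and the unusually slow key generation there, that points at the RSA private-key arithmetic on that one machine rather than at entropy or the protocol, which is something the installed openssl can exercise directly without sshd. The script assumes an openssl binary on PATH that provides genrsa, rsa and dgst; the key size, round count and message are constructed for the example.

```shell
#!/bin/sh
# Added example for the Solaris RSA_verify thread; not code from that
# thread or from OpenSSH. Assumes an openssl binary on PATH that provides
# genrsa, rsa and dgst. Key size, round count and message are constructed
# for the example.

# rsa_selftest [BITS] [ROUNDS]
# Generates one RSA key pair, then signs a fixed message and verifies the
# signature ROUNDS times. Prints "failures=N/ROUNDS" and returns N, so a
# zero exit status means every round verified. On a host whose RSA
# private-key operation is flaky some rounds fail with OpenSSL's "bad
# signature" or "block type is not 01" verify errors, the errors the ssh
# peer reports as "key_verify failed for server_host_key".
rsa_selftest() {
    bits=${1:-2048}
    rounds=${2:-20}
    dir=$(mktemp -d) || return 99
    key="$dir/key.pem"; pub="$dir/pub.pem"; msg="$dir/msg"; sig="$dir/sig"
    printf 'constructed message for the RSA self-test\n' > "$msg"
    if ! openssl genrsa -out "$key" "$bits" 2>/dev/null \
       || ! openssl rsa -in "$key" -pubout -out "$pub" 2>/dev/null; then
        rm -rf "$dir"; return 99
    fi
    failures=0; i=0
    while [ "$i" -lt "$rounds" ]; do
        i=$((i + 1))
        # Sign afresh each round: a bad private-key operation produces a
        # signature that the matching public key then rejects.
        if ! openssl dgst -sha256 -sign "$key" -out "$sig" "$msg" 2>/dev/null \
           || ! openssl dgst -sha256 -verify "$pub" -signature "$sig" "$msg" >/dev/null 2>&1; then
            failures=$((failures + 1))
        fi
    done
    rm -rf "$dir"
    echo "failures=$failures/$rounds"
    return "$failures"
}

# rsa_mismatch_check [BITS]
# Negative control: signs with one key and verifies with a different key's
# public half, the host-key-mismatch case. Returns 0 if openssl rejects
# the signature (so the verify step above really checks something), 1 if
# it wrongly accepts it, 99 if openssl is unusable.
rsa_mismatch_check() {
    bits=${1:-2048}
    dir=$(mktemp -d) || return 99
    printf 'constructed message for the RSA self-test\n' > "$dir/msg"
    if ! openssl genrsa -out "$dir/a.pem" "$bits" 2>/dev/null \
       || ! openssl genrsa -out "$dir/b.pem" "$bits" 2>/dev/null \
       || ! openssl rsa -in "$dir/b.pem" -pubout -out "$dir/b.pub" 2>/dev/null \
       || ! openssl dgst -sha256 -sign "$dir/a.pem" -out "$dir/sig" "$dir/msg" 2>/dev/null; then
        rm -rf "$dir"; return 99
    fi
    if openssl dgst -sha256 -verify "$dir/b.pub" -signature "$dir/sig" "$dir/msg" >/dev/null 2>&1; then
        rc=1    # accepted a signature from the wrong key: verify is broken
    else
        rc=0    # rejected, as it must be
    fi
    rm -rf "$dir"
    return "$rc"
}

# Usage: sh rsa-selftest.sh [bits] [rounds]
if [ $# -gt 0 ]; then
    rsa_mismatch_check "$1" && rsa_selftest "$1" "$2"
fi
```

Run it on the suspect Ultra-2 and on one of the Ultra-2s that work, with the same openssl build: a host that reports failures here, with no sshd involved, has a problem below OpenSSH (CPU, libc or a bad OpenSSL build for that box), while a clean result on both hosts sends the search back to the ssh binaries and their configuration.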
From: celinn at mtu.edu (Christopher Linn)
Date: Thu, 29 Mar 2001 19:20:33 -0500
Subject: Patches for OpenSSH 2.5.2p2: evaluate /etc/default/login, makefiles manpages
Message-ID: <20010329192033.A18502@mtu.edu>

edgar,

for the second time i must apologize.

> > > make prefix=/tmp/openssh-root/usr libexecdir=/tmp/openssh-root/usr/sbin
> > > mandir=/tmp/openssh-root/usr/man sysconfdir=/tmp/openssh-root/etc/ssh
> > > install
> > [...]
> > 
> > this is not the way you want to do this; i believe that will mess up
> > all the pathnames embedded in your binaries and manpages.

i was terribly wrong about this, you are actually doing correct variable substitution passing to make to the install target. this would not mess up any embedded pathnames.

further,

> # make DESTDIR=/tmp/openssh-root install
> 
> is incorrect. that is the correct syntax for OpenBSD make. the correct
> syntax for /usr/ccs/bin/make on solaris is:
> 
> # make install DESTDIR=/tmp/openssh-root
> 
> my apologies.

i have since tried this both ways, and /usr/ccs/bin/make will do the correct thing when the make target is either before or after the variable-passing args to make, although i get make errors failing on the "host-key" make target when using your prefix, libexecdir, mandir, sysconfdir set of make variables. in my own defense, the solaris 2.6 make(1S) manpage places the target before the variable substitution ;*)

however, i would still recommend the use of the DESTDIR make variable built in to the OpenSSH Makefile, because this is exactly what it was designed to do.

i am terribly embarrassed and humbled. again, my apologies.

sincerely,
chris

-- 
Christopher Linn,                   | By no means shall either the CEC Staff
System Administrator                | or MTU be held in any way liable
Center for Experimental Computation | for any opinions or conjecture I
Michigan Technological University   | hold to or imply to hold herein.

From tomh at po.crl.go.jp Fri Mar 30 21:11:39 2001
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Fri, 30 Mar 2001 20:11:39 +0900 (JST)
Subject: BETA release of OpenSSH-2.5.2p2 with SRP
In-Reply-To: <008001c0b901$fccd9050$1400040a@na.cisco.com>
Message-ID: 

This is to announce the availability of SRP (Secure Remote Password) support for OpenSSH. A tarball is available on Tripod:

http://members.tripod.com/professor_tom/archives/
http://members.tripod.com/professor_tom/archives/openssh-2.5.2p2-srp5.tar.gz

(Note: Tripod requires you to LEFT click on links to download files.)

To install, unpack, configure --with-srp, and make install, then create an SRP verifier (your "password" file) with srp-keygen, and edit your config files to enable SRP authentication (you may want to disable some other methods at the same time).

Features:

* Strong authentication of both client *and* server, to protect against server-spoofing attacks.

* Implements SRP as an SSH2 "authentication method"; the session id generated during key exchange is built into the SRP exchange hashes, which provides strong authentication of the host key as well as the user verifier. This protects against spoofed servers even when the host key changes and/or the client doesn't know the host key.

* Fully compatible with the Stanford SRP distribution, so if you already have an /etc/tpasswd file it'll get used (libsrp is NOT required).

* No legal issues. Here's a quote from Tom Wu, the designer of SRP:

  "The past ambiguity has been resolved. SRP is royalty-free for commercial and non-commercial use worldwide. The licensing statements on the Web site, in the distribution, and other places (like the IETF) are clear on this issue." -- Tom Wu

* Several alpha versions were checked over by Tom and several other readers of this list.

* Draft protocol documentation included in the tarball.

* Conforms to OpenBSD style(9) guidelines.

Please note this is the first public release of this code.
It is not intended for production environments and there may be major security holes, though none are currently known. Please help us test this patch, and get it ready for inclusion in the mainline code. It has been tested on Irix/SGI, Linux/Alpha, Linux/x86, and a few other systems.

Please send all bug reports/patches/complaints to me, Tom Holroyd.

md5sum (note tar file not gzip):
c409d865a44c85de95f9b9f778502b9c  openssh-2.5.2p2-srp5.tar

GPG signature (key on homepage):

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEABECAAYFAjrEZOUACgkQiGAp74wl3UPpCgCeOPfebFZY5Q7oE9dhDZ7M2NtX
xHoAn3WIcmm0lq3rwMgxfJDHcWwrz52n
=flpe
-----END PGP SIGNATURE-----

Dr. Tom Holroyd
"I am, as I said, inspired by the biological phenomena in which chemical forces are used in repetitious fashion to produce all kinds of weird effects (one of which is the author)." -- Richard Feynman, _There's Plenty of Room at the Bottom_

From Stephan.Hendl at lds.brandenburg.de Fri Mar 30 22:47:01 2001
From: Stephan.Hendl at lds.brandenburg.de (Stephan Hendl)
Date: Fri, 30 Mar 2001 14:47:01 +0200
Subject: WinSCP error while connecting to root
Message-ID: 

Hi folks,

I tried to use WinSCP (http://winscp.vse.cz/eng/), an ftp-like scp GUI for Windows, in order to connect to an HP-UX machine running 11.0 and openssh-2.5.1p2. The problem is that I can connect as any user I want _except_ root! When I connect as root, the command "echo $status" (this is the way WinSCP detects the user shell) results in a "logout root". The writer of the code asked me for a proposal but unfortunately I cannot help him. Do you have any ideas?

Thanks and a nice weekend

Stephan

Please find enclosed the logfile. At the bottom there is the logout line.

---------
30.03.2001 10:57:19 init_winsock() OK.
30.03.2001 10:57:20 ssh_init() OK.
30.03.2001 10:57:20 hp-www.ldspdm.ldsbb.lvnbb.de
30.03.2001 10:57:20 MD5Init() OK.
30.03.2001 10:57:20 VerifyHostKey() OK.
30.03.2001 10:57:20 s_wrpkt_start()
30.03.2001 10:57:20 s_wrpkt()
30.03.2001 10:57:20 get_packet() 1
30.03.2001 10:57:20 get_packet() 2
30.03.2001 10:57:20 get_packet() 3
30.03.2001 10:57:20 ssh_exec_shell(): s_wrpkt_start
30.03.2001 10:57:20 ssh_exec_shell(): s_wrpkt
30.03.2001 10:57:20 FormShow() Start
30.03.2001 10:57:20 NahratIkonky() OK
30.03.2001 10:57:20 GetCurrentDir() OK
30.03.2001 10:57:20 send_command():
30.03.2001 10:57:20 echo ""
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 (c)Copyright 1983-1997 Hewlett-Packard Co., All Rights Reserved.
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 (c)Copyright 1979, 1980, 1983, 1985-1993 The Regents of the Univ. of California
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 (c)Copyright 1980, 1984, 1986 Novell, Inc.
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 (c)Copyright 1986-1992 Sun Microsystems, Inc.
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 (c)Copyright 1985, 1986, 1988 Massachusetts Institute of Technology
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 (c)Copyright 1989-1993 The Open Software Foundation, Inc.
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 (c)Copyright 1986 Digital Equipment Corp.
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 (c)Copyright 1990 Motorola, Inc.
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 (c)Copyright 1990, 1991, 1992 Cornell University
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 (c)Copyright 1989-1991 The University of Maryland
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 (c)Copyright 1988 Carnegie Mellon University
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 (c)Copyright 1991-1997 Mentat, Inc.
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 (c)Copyright 1996 Morning Star Technologies, Inc.
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 (c)Copyright 1996 Progressive Systems, Inc.
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 (c)Copyright 1997 Isogon Corporation
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 RESTRICTED RIGHTS LEGEND
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 Use, duplication, or disclosure by the U.S. Government is subject to
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 restrictions as set forth in sub-paragraph (c)(1)(ii) of the Rights in
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 Technical Data and Computer Software clause in DFARS 252.227-7013.
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 Hewlett-Packard Company
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 3000 Hanover Street
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 Palo Alto, CA 94304 U.S.A.
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 Rights for non-DOD U.S. Government Departments and Agencies are as set
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 forth in FAR 52.227-19(c)(1,2).
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 You have mail.
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 Value of TERM has been set to "".
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 WARNING: YOU ARE SUPERUSER !!
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 WinSCP: this is end-of-file: 0
30.03.2001 10:57:20 SkipStartupMessage() OK
30.03.2001 10:57:20 send_command():
30.03.2001 10:57:20 echo $status
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 logout root
30.03.2001 10:57:20 _ssh_read_line():
30.03.2001 10:57:20 . . .

-- 
LDS Brandenburg
Dr. Stephan Hendl
fon: +49-(0)331-39 471
fax: +49-(0)331-27548 1187
EMail: stephan.hendl at lds.brandenburg.de

From djm at mindrot.org Fri Mar 30 22:11:46 2001
From: djm at mindrot.org (Damien Miller) Date: Fri, 30 Mar 2001 22:11:46 +1000 (EST) Subject: WinSCP error while connecting to root In-Reply-To: Message-ID: On Fri, 30 Mar 2001, Stephan Hendl wrote: > Hi folks, > > I tried to use WinSCP (http://winscp.vse.cz/eng/) for a ftp like > scp-GUI for Windows in order to connect to a HP-UX machine running > 11.0 and openssh-2.5.1p2. The problem is that I can connect to any > user I want _except_ root! When I connect to root, then the command > "echo $status" (this is the way how WinSCP detects the user shell) > results in a "logout root". The writer of the code asked me for a > proposal but unfortunately I cannot help him. Do you have any ideas? > 30.03.2001 10:57:20 _ssh_read_line(): > 30.03.2001 10:57:20 (c)Copyright 1983-1997 Hewlett-Packard Co., All Rights Reserved. > 30.03.2001 10:57:20 _ssh_read_line(): > 30.03.2001 10:57:20 (c)Copyright 1979, 1980, 1983, 1985-1993 The Regents of You shell initialisation seems to be producing a lot of noise. http://www.openssh.com/faq.html#2.8 -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From stevesk at sweden.hp.com Sat Mar 31 02:50:10 2001 From: stevesk at sweden.hp.com (Kevin Steves) Date: Fri, 30 Mar 2001 18:50:10 +0200 (METDST) Subject: PAM and -u0 Message-ID: is this change ok? goal is that PAM with -u0 does not use DNS (like without PAM). Index: auth-pam.c =================================================================== RCS file: /var/cvs/openssh/auth-pam.c,v retrieving revision 1.34 diff -u -r1.34 auth-pam.c --- auth-pam.c 2001/03/27 06:12:24 1.34 +++ auth-pam.c 2001/03/30 16:46:12 @@ -41,6 +41,10 @@ static int do_pam_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr); +/* XXX: move to header file */ +const char * +get_remote_name_or_ip(void); + /* module-local variables */ static struct pam_conv conv = { do_pam_conversation, 
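Review bot: the prototype added in the first hunk of auth-pam.c (`const char *` / `get_remote_name_or_ip(void);` under the "XXX: move to header file" comment) is a file-local declaration of a function defined elsewhere, so nothing checks that it still matches the definition if the real signature changes; put the prototype in the header that goes with the file defining get_remote_name_or_ip() and include it here, as the XXX already says, or, as the reply below suggests, pass the remote host/address into start_pam() from the caller that already has it and avoid the extra declaration altogether. Either way the XXX should not survive into the committed version.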
@@ -356,9 +360,9 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval)); debug("PAM setting rhost to \"%.200s\"", - get_canonical_hostname(options.reverse_mapping_check)); + get_remote_name_or_ip()); pam_retval = pam_set_item(__pamh, PAM_RHOST, - get_canonical_hostname(options.reverse_mapping_check)); + get_remote_name_or_ip()); if (pam_retval != PAM_SUCCESS) fatal("PAM set rhost failed[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); From Scott.Russell at unitech.net Sat Mar 31 02:57:03 2001 From: Scott.Russell at unitech.net (Scott Russell) Date: Fri, 30 Mar 2001 17:57:03 +0100 Subject: remove Message-ID: From stevesk at sweden.hp.com Sat Mar 31 03:20:29 2001 From: stevesk at sweden.hp.com (Kevin Steves) Date: Fri, 30 Mar 2001 19:20:29 +0200 (METDST) Subject: linux tcsetattr failed Message-ID: does anyone else see this on linux: localhost sshd[14418]: Accepted password for stevesk from 15.126.45.158 port 49594 localhost sshd[14418]: Setting tty modes failed: Invalid argument redhat with kernel 2.2.17. ttymodes.c: /* Set the new modes for the terminal. */ if (tcsetattr(fd, TCSANOW, &tio) < 0) log("Setting tty modes failed: %.100s", strerror(errno)); return; From kevin at tgivan.com Sat Mar 31 03:30:51 2001 
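Review bot: in the second hunk of auth-pam.c (@@ -356,9 +360,9 @@) get_remote_name_or_ip() is called twice, once for the debug() line and once for pam_set_item(); fetch it once into a local such as `const char *rhost = get_remote_name_or_ip();` and use rhost in both places, so the value logged and the value handed to PAM cannot differ and the lookup (which still goes to DNS when -u0 is not given) is not repeated. With both uses of `options.reverse_mapping_check` removed by this hunk, the `extern ServerOptions options;` that supported them is likely unused in this function now and should be dropped in the same change.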
From: kevin at tgivan.com (Kevin Sindhu)
Date: Fri, 30 Mar 2001 09:30:51 -0800
Subject: WinSCP error while connecting to root
References: 
Message-ID: <3AC4C2CB.FCAAC6D0@tgivan.com>

Hello,

As Damien pointed out, your login makes a lot of noise... and yes, you can blame HP-UX for the same *grin*

Either way, for now, can you try this workaround.. The following code in /etc/profile prints the copyright notice the first time each user logs in:

    NUMLOGINS=`/etc/last -2 "$LOGNAME" | wc -l`
    if [ "$NUMLOGINS" -lt 2 ]
    then
        cat /etc/copyright
    fi

And, for /etc/csh.login:

    set NUMLOGINS=`/etc/last -2 $LOGNAME | wc -l`
    if ( $NUMLOGINS < 2 ) cat /etc/copyright

(Actually, each user will get the copyright on their first login after each time the /etc/wtmp file is pruned, but that needn't be often.)

So, you can either take it out, or

    # cp /etc/copyright /etc/copyright.org
    # echo "Welcome to `uname -a`" > /etc/copyright

which should solve your problem...

-Kevin

Damien Miller wrote:
> 
> You shell initialisation seems to be producing a lot of noise.
> 
> http://www.openssh.com/faq.html#2.8
> 
> -d
> 
> --
> | Damien Miller \ ``E-mail attachments are the poor man's
> | http://www.mindrot.org / distributed filesystem'' - Dan Geer

-- 
Kevin Sindhu                 Systems Engineer      E-Mail: kevin at tgivan.com
TGI Technologies Inc.        Tel: (604) 872-6676 Ext 321
107 E 3rd Ave,               Fax: (604) 872-6601
Vancouver,BC V5T 1C7 Canada.

From austin at coremetrics.com Sat Mar 31 03:52:30 2001
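For the WinSCP thread above, an added example (not code from WinSCP, from OpenSSH or from anyone in the thread). The FAQ entry Damien points at and Kevin's workaround both address the same fact: scp, sftp and GUI front ends such as WinSCP run the login shell without a terminal and read whatever the startup files print as if it were protocol data, so the banner and the TERM setup the log shows have to be skipped when the shell is not interactive. The script shows the guard a startup file should use (print, or touch the terminal at all, only when `$-` contains `i`) and a way to measure a startup file's non-interactive output without logging in. The profile contents and banner text are constructed for the example.

```shell
#!/bin/sh
# Added example for the WinSCP/HP-UX thread; not code from the thread, from
# WinSCP or from OpenSSH. Shows the usual cure for startup-file noise (print
# banners, and talk to the terminal at all, only in an interactive shell)
# and a way to check a startup file for such noise without logging in.
# The profile contents and banner text are constructed for the example.

# banner_if_interactive FILE
# Prints FILE (e.g. /etc/copyright) only when the current shell is
# interactive. "$-" contains "i" for an interactive shell; it does not
# for the shell scp, sftp or WinSCP start, so those sessions stay silent.
# The same guard must wrap anything that reads the terminal, such as a
# TERM prompt, since there is no terminal to answer it.
banner_if_interactive() {
    case $- in
        *i*) [ -r "$1" ] && cat "$1" ;;
        *)   : ;;
    esac
    return 0
}

# startup_noise FILE
# Sources FILE the way a non-interactive login shell would (stdin not a
# terminal, output captured) and prints the number of bytes it wrote to
# stdout. A startup file that is safe for scp/sftp prints 0 here.
startup_noise() {
    sh -c '. "$1"' sh "$1" </dev/null 2>/dev/null | wc -c | tr -d ' '
}

# make_demo_dir
# Writes two constructed startup files into a temporary directory and
# prints its path: profile.noisy prints unconditionally, like the HP-UX
# login in the log above; profile.guarded prints only to an interactive
# shell.
make_demo_dir() {
    dir=$(mktemp -d) || return 1
    printf '(c)Copyright 1983-1997 Example Banner Co.\nYou have mail.\n' > "$dir/copyright"
    cat > "$dir/profile.noisy" <<EOF
cat "$dir/copyright"
echo 'Value of TERM has been set to "vt100".'
EOF
    cat > "$dir/profile.guarded" <<EOF
case \$- in
    *i*)
        cat "$dir/copyright"
        echo 'Value of TERM has been set to "vt100".'
        ;;
esac
EOF
    echo "$dir"
}

# Usage: sh startup-noise.sh demo
if [ "${1:-}" = demo ]; then
    d=$(make_demo_dir) || exit 1
    echo "noisy:   $(startup_noise "$d/profile.noisy") bytes"
    echo "guarded: $(startup_noise "$d/profile.guarded") bytes"
    rm -rf "$d"
fi
```

On a live host the end-to-end version of the same check is `ssh user@host true 2>/dev/null | wc -c`, which should print 0; run it as root as well as an ordinary user, since in the thread only root's login is affected, which points at something read by root's own startup files rather than by /etc/profile alone.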
From: austin at coremetrics.com (Austin Gonyou)
Date: Fri, 30 Mar 2001 11:52:30 -0600 (CST)
Subject: Kerberized OpenSSH fails to stay logged in.
In-Reply-To: 
Message-ID: 

I get the following messages when I attempt to login after compiling ssh with krb5 support. I don't know what's happening here and I was wondering if anyone can help shed some light.

Mar 30 11:52:17 UberGeek sshd[7149]: Postponed publickey for austin from 127.0.0.1 port 2287 ssh2
Mar 30 11:52:17 UberGeek sshd[7149]: Accepted publickey for austin from 127.0.0.1 port 2287 ssh2
Mar 30 11:52:17 UberGeek PAM_unix[7149]: (sshd) session opened for user austin by (uid=0)
Mar 30 11:52:17 UberGeek PAM_unix[7149]: (sshd) session closed for user austin

-- 
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: austin at coremetrics.com

On Fri, 30 Mar 2001, Kevin Steves wrote:

> does anyone else see this on linux:
> 
> localhost sshd[14418]: Accepted password for stevesk from 15.126.45.158 port 49594
> localhost sshd[14418]: Setting tty modes failed: Invalid argument
> 
> redhat with kernel 2.2.17.
> 
> ttymodes.c:
> 
>         /* Set the new modes for the terminal. */
>         if (tcsetattr(fd, TCSANOW, &tio) < 0)
>                 log("Setting tty modes failed: %.100s", strerror(errno));
>         return;
> 

From mouring at etoh.eviladmin.org Sat Mar 31 05:09:36 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Fri, 30 Mar 2001 13:09:36 -0600 (CST)
Subject: linux tcsetattr failed
In-Reply-To: 
Message-ID: 

Can't state anything about the 2.2.x kernel series (since I stopped using it when 2.3.99-preX came out), but I don't see this under 2.4.2.

- Ben

On Fri, 30 Mar 2001, Kevin Steves wrote:

> does anyone else see this on linux:
> 
> localhost sshd[14418]: Accepted password for stevesk from 15.126.45.158 port 49594
> localhost sshd[14418]: Setting tty modes failed: Invalid argument
> 
> redhat with kernel 2.2.17.
> 
> ttymodes.c:
> 
>         /* Set the new modes for the terminal. */
>         if (tcsetattr(fd, TCSANOW, &tio) < 0)
>                 log("Setting tty modes failed: %.100s", strerror(errno));
>         return;
> 
> 

From djm at mindrot.org Sat Mar 31 08:27:32 2001
From: djm at mindrot.org (Damien Miller)
Date: Sat, 31 Mar 2001 08:27:32 +1000 (EST)
Subject: PAM and -u0
In-Reply-To: 
Message-ID: 

On Fri, 30 Mar 2001, Kevin Steves wrote:

> is this change ok? goal is that PAM with -u0 does not use DNS (like
> without PAM).

You should also remove the 'extern ServerOptions options;' from the beginning of the function.

> +/* XXX: move to header file */
> +const char *
> +get_remote_name_or_ip(void);

Either that or add the remote host/address as an argument to start_pam()

-d

-- 
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From djm at mindrot.org Sat Mar 31 08:28:16 2001
From: djm at mindrot.org (Damien Miller)
Date: Sat, 31 Mar 2001 08:28:16 +1000 (EST)
Subject: linux tcsetattr failed
In-Reply-To: 
Message-ID: 

On Fri, 30 Mar 2001, Kevin Steves wrote:

> does anyone else see this on linux:
> 
> localhost sshd[14418]: Accepted password for stevesk from 15.126.45.158 port 49594
> localhost sshd[14418]: Setting tty modes failed: Invalid argument

I don't see this on Linux 2.2.17.

-d

-- 
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From rahul.sen at emns.com Sat Mar 31 04:33:14 2001
From: rahul.sen at emns.com (Rahul Sen)
Date: Fri, 30 Mar 2001 12:33:14 -0600
Subject: BUG in openssh-2.5.2p2 on solaris 2.6 ?
Message-ID: <3AC4D16A.E342B279@emns.com>

openssh-2.5.2p2 binaries complain about the libgen.so.1 library not being found. The library is found in Solaris 7 and Solaris 2.5. We actually compile the binaries on Solaris 7 and use the same compilation on all other machines (different Solaris versions) via an NFS mount. This seems to work perfectly for openssh-2.2.0p1 since it doesn't use the libgen.so.1 library. But the upgrade to openssh-2.5.2p2 obviously failed for Solaris 2.6.

-- 
Rahul Sen
Systems Administrator
EMNS
Phone : 630-224-2298
E-Mail : rahul.sen at emns.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010330/2075d8fc/attachment.html

From markus.friedl at informatik.uni-erlangen.de Sat Mar 31 21:16:12 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sat, 31 Mar 2001 13:16:12 +0200
Subject: Problem with keygen on Solaris 8 system.
In-Reply-To: <3AC50336.1B28901A@wellogix.com>; from dcooley@wellogix.com on Fri, Mar 30, 2001 at 03:05:43PM -0700
References: <3AC50336.1B28901A@wellogix.com>
Message-ID: <20010331131612.B27481@folly>

does anyone see this? i don't have access to solaris8

On Fri, Mar 30, 2001 at 03:05:43PM -0700, Don Cooley wrote:
> My problem is this.
> I compiled OpenSSH 2.5.2p1 on Solaris 8 Sun4u arch 64bit.
> using gcc and /usr/ccs/bin/make.
> Everything went fine
> rsa key-gen worked great but then when I tried to generate the dsa key
> this is what happened.
> 
> # ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
> Generating public/private dsa key pair.
> Bus Error(coredump)
> 
> Any ideas what might be causing this? What can I do to fix it?

From dan at doxpara.com Fri Mar 9 20:39:02 2001
From: dan at doxpara.com (Dan Kaminsky)
Date: Fri, 9 Mar 2001 01:39:02 -0800
Subject: OpenSSH Security Advisory (adv.channelalloc)
References: <20020307115633.GA8924@faui02>
Message-ID: <00b801c0a87c$c6f4d8c0$1701000a@effugas>

> This bug can be exploited locally by an authenticated user
> logging into a vulnerable OpenSSH server or by a malicious
> SSH server attacking a vulnerable OpenSSH client.

OK, I must really be missing something. Doesn't OpenSSH drop all privs long before either side gets the option to open a corrupted channel? If so, where's the route to sshd for a buffer overflow to exploit? The closest I can come up with is in a setuid ssh client being poked, X-Forwarding style, by a corrupted server... in which case, that's another reason why ssh shouldn't be setuid by default.

Incidentally, *someone* has actually seen a working attack, right?

--Dan