From Markus.Friedl at informatik.uni-erlangen.de Tue May 1 00:11:09 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 30 Apr 2001 16:11:09 +0200
Subject: [PATCH] Re: restricted shell
In-Reply-To: <3AED6F36.E53FD9E6@bartlett.house>; from abartlet@pcug.org.au on Mon, Apr 30, 2001 at 11:57:10PM +1000
References: <20010428132619.2629.qmail@nome.praxis-sw.com> <20010428182448.A4062@folly> <20010428164432.2900.qmail@nome.praxis-sw.com> <20010429180304.A16624@folly> <3AED6BB0.53777208@bartlett.house> <20010430154439.A24601@faui02.informatik.uni-erlangen.de> <3AED6F36.E53FD9E6@bartlett.house>
Message-ID: <20010430161109.A11238@faui02.informatik.uni-erlangen.de>

> Actually, no. Presuming that cvs-web is openssh-current, we still use
> /bin/sh to execute the user's sshrc. I allow my users a restricted
> shell (taint-mode enabled perl script) that lets them do things like
> change their password, so this kind of matters. I also allow them sftp
> access.

yes, i remember. i'm not sure what to do.

executing the LOGIN shell for .ssh/sshrc will break
old installations...

From abartlet at pcug.org.au Tue May 1 00:23:38 2001
From: abartlet at pcug.org.au (Andrew Bartlett)
Date: Tue, 01 May 2001 00:23:38 +1000
Subject: [PATCH] Re: restricted shell
References: <20010428132619.2629.qmail@nome.praxis-sw.com> <20010428182448.A4062@folly> <20010428164432.2900.qmail@nome.praxis-sw.com> <20010429180304.A16624@folly> <3AED6BB0.53777208@bartlett.house> <20010430154439.A24601@faui02.informatik.uni-erlangen.de> <3AED6F36.E53FD9E6@bartlett.house> <20010430161109.A11238@faui02.informatik.uni-erlangen.de>
Message-ID: <3AED756A.9F116FE0@bartlett.house>

Markus Friedl wrote:
> 
> > Actually, no. Presuming that cvs-web is openssh-current, we still use
> > /bin/sh to execute the user's sshrc. I allow my users a restricted
> > shell (taint-mode enabled perl script) that lets them do things like
> > change their password, so this kind of matters. I also allow them sftp
> > access.
> 
> yes, i remember. i'm not sure what to do.
> 
> executing the LOGIN shell for .ssh/sshrc will break
> old installations...

But you could chain: login-shell -> /bin/sh -> sshrc could you not?

-- 
Andrew Bartlett
abartlet at pcug.org.au

From rmill at Millstream.tallis.ednet.co.uk Tue May 1 02:34:11 2001
From: rmill at Millstream.tallis.ednet.co.uk (Roy Millar)
Date: Mon, 30 Apr 2001 17:34:11 +0100 (BST)
Subject: Insufficient sshd debug output
Message-ID: <200104301634.RAA06771@Millstream.ednet.co.uk>

Apologies if this issue has already been addressed. But it isn't plain, even using sshd -d -d -d, why function allowed_user would return 0.

In my case, an old version of login was ignoring the expiry-date field of /etc/shadow, but sshd was refusing access.

There are several reasons why access might be refused, and it shouldn't be necessary to modify auth.c to print out the info - it would be nicer to have debug statements added to the standard code.

I hesitate to submit my mods. - I'm too old to be an expert on anything as up-to-date as C :-)

-- 
Roy Millar, finger rmill at shell.ednet.co.uk or rmill at Millstream.ednet.co.uk
access http://www.ednet.co.uk/~rmill
100044.14 at CompuServe.com for PGP public key

From appro at fy.chalmers.se Tue May 1 02:38:15 2001
From: appro at fy.chalmers.se (Andy Polyakov)
Date: Mon, 30 Apr 2001 18:38:15 +0200
Subject: restricted shell
References: <20010428132619.2629.qmail@nome.praxis-sw.com> <20010428182448.A4062@folly> <20010428164432.2900.qmail@nome.praxis-sw.com> <20010429180304.A16624@folly>
Message-ID: <3AED94F7.F20AF24F@fy.chalmers.se>

> > > it's easier if the sftp-server does chroot.

i can't agree more. fyi, here is an elegant way to chroot in a program:

    #include <errno.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <sys/types.h>
    static int runs_chrooted = 0;   /* set once chroot() has taken effect */
    int main(int argc, char **argv)
    {
        /* main's original declarations */
        if (geteuid() == 0) {
            char *chroot_to = NULL;
            uid_t ruid = getuid();
            if ((chroot_to = getenv("CHROOT_DIR")) != NULL) {
                /* effective uid becomes the real user; root survives only in the saved uid */
                if (setreuid(ruid, -1) || setreuid(-1, ruid))   /* beware the saved uid */
                    exit(errno);
                if (chdir(chroot_to))                           /* as user! */
                    exit(errno);
                if (setreuid(-1, 0) || chroot("."))             /* as root! */
                    exit(errno);
                runs_chrooted = 1;
            }
            if (setuid(ruid))       /* resets *all* uids, no way back */
                exit(errno);
        }
        /* ... */
    }

beauty is that chdir is performed as user (thus preventing the user from chdir-ing to directory [s]he normally can't chdir to) while chroot as root. yes, program has to be set-root-uid, but you can do this as early as first thing in main(). getenv("CHROOT_DIR") is only an example... and in real-life one probably wants to print some error message, not just exit(errno)...

a.

From pekkas at netcore.fi Tue May 1 02:48:44 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Mon, 30 Apr 2001 19:48:44 +0300 (EEST)
Subject: OpenSSH 2.9p1 release not on FTP sites
Message-ID: 

ChangeLog:

20010429
 - (bal) Updated INSTALL.  PCRE moved to a new place.
 - (djm) Release OpenSSH-2.9p1

However, OpenSSH 2.9p1 is not on the official FTP sites, at least yet?

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

From mouring at etoh.eviladmin.org Tue May 1 04:24:29 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Mon, 30 Apr 2001 13:24:29 -0500 (CDT)
Subject: OpenSSH 2.9p1 release not on FTP sites
In-Reply-To: 
Message-ID: 

=) Will ya hold yer horses... Geesh.. Everyone is just chomping at the bit. Neither OpenBSD nor the portable group has made a public announcement. Keep your shorts on. =) It's coming.

- Ben

On Mon, 30 Apr 2001, Pekka Savola wrote:

> ChangeLog:
> 
> 20010429
>  - (bal) Updated INSTALL.  PCRE moved to a new place.
>  - (djm) Release OpenSSH-2.9p1
> 
> However, OpenSSH 2.9p1 is not on the official FTP sites, at least yet?
> 
> -- 
> Pekka Savola                 "Tell me of difficulties surmounted,
> Netcore Oy                   not those you stumble over and fall"
> Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
> 

From Peter.Bates at ditm.nsw.gov.au Tue May 1 14:50:24 2001
From: Peter.Bates at ditm.nsw.gov.au (Peter Bates)
Date: Tue, 1 May 2001 14:50:24 +1000
Subject: 2GB File size limit in scp. ver 2.9p1 and 2.5.2
Message-ID: <5A8A4773B3535F4092C69AEFEC139AF50B648C@qsmail1.syd.lto.gov.aus>

Hi,
I need to be able to use scp with files over 2GB.
I've currently got a set of boxes running 2.5.2p2, and this is unable, as I understand it, to transfer these files.

I've just downloaded the latest snapshot, 20010501, it compiles fine on two rh7.1 machines, but again, I can't scp a file over 2GB. I get the same "file to large" error on the client as before.

What, if anything, am I doing wrong? I'm running a standard build, default config files, and everything but the large files works.

Peter Bates
Unix Systems Administrator
Land Property Information
NSW Department of Information Technology and Management
Peter.Bates at ditm.nsw.gov.au

From djm at mindrot.org Tue May 1 14:53:10 2001
From: djm at mindrot.org (Damien Miller)
Date: Tue, 1 May 2001 14:53:10 +1000 (EST)
Subject: 2GB File size limit in scp. ver 2.9p1 and 2.5.2
In-Reply-To: <5A8A4773B3535F4092C69AEFEC139AF50B648C@qsmail1.syd.lto.gov.aus>
Message-ID: 

On Tue, 1 May 2001, Peter Bates wrote:

> Hi,
> I need to be able to use scp with files over 2GB.
> I've currently got a set of boxes running 2.5.2p2, and this is unable, as I
> understand it, to transfer these files.
> 
> I've just downloaded the latest snapshot, 20010501, it compiles fine on two
> rh7.1 machines, but again, I can't scp a file over 2GB. I get the same "file
> to large" error on the client as before.

Does adding

#define _FILE_OFFSET_BITS 64

near the start of scp.c help matters?

-d

-- 
| Damien Miller \    ``E-mail attachments are the poor man's
| http://www.mindrot.org /     distributed filesystem'' - Dan Geer

From tomh at po.crl.go.jp Tue May 1 17:54:00 2001
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Tue, 1 May 2001 16:54:00 +0900 (JST)
Subject: SRP unencumbered license statement
In-Reply-To: <5.1.0.14.2.20010429171757.009f37f0@10.30.15.2>
Message-ID: 

On Sun, 29 Apr 2001, RJ Atkinson wrote:

> At 06:26 27/04/01, Tom Wu wrote:
> >For those of you who were following the discussion about the new draft
> >and implementation of SRP-based password authentication in OpenSSH, I
> >promised to have Stanford issue the IETF an official, explicit,
> >statement reiterating the unencumbered royalty-free licensing terms.
> >The new statement is now available from the IETF's IPR page.
> 
> Thanks.
> 
> For those who are having trouble finding the URL:
> http://www.ietf.org/ietf/IPR/WU-SRP
> 
> Note that there are specific limits to the Stanford grant of rights,
> so I'd ask that we try to stay within the "no payment needed"
> portion of SRP if SRP is adopted...

Stanford University is granting a royalty-free license for RFC 2945 implementations -- and the OpenSSH SRP implementation is of that sort. That is, not only are we free and clear, but the algorithm is safe from future claimjumpers trying to patent it.

Not to mention that it provides strong authentication of both client *and* server, even when the host key has changed or is unknown, and it doesn't leak any information to eavesdroppers or MITM. :-)

So, SRP is ready to go. Speaking of which, an up-to-date tarball and patch are available:

http://members.tripod.com/professor_tom/archives/OpenSSH-2.9p1-srp7.tar.gz
http://members.tripod.com/professor_tom/archives/OpenSSH-2.9p1-srp7.patch.gz

The patch is vs. the 20010501 CVS, the tarball is self-contained (remember to left-click on those links to download the files from Tripod). See the README.SRP file for more info and installation instructions.
Here is the signature of the tarball (OpenSSH-2.9p1-srp7.tar)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEABECAAYFAjruZOIACgkQiGAp74wl3UMoUwCfejrst7al79Ae7IKiqb/mBqbT
8KkAnjqAn06OLSYZYsrP9rsEMTNUu6PO
=XcK7
-----END PGP SIGNATURE-----

and here is the signature of the patch (OpenSSH-2.9p1-srp7.patch)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEABECAAYFAjruZmsACgkQiGAp74wl3UM7EQCfca/fV5WVzFCmY3WAyte7apCs
pJMAnj02ym/1U1VPtKB7AI31Ovz35J5b
=mNHP
-----END PGP SIGNATURE-----

My GPG public key is available from standard keyservers.

Dr. Tom Holroyd
"I am, as I said, inspired by the biological phenomena in which chemical
forces are used in repetitious fashion to produce all kinds of weird
effects (one of which is the author)." -- Richard Feynman, _There's Plenty of Room at the Bottom_

From tomh at po.crl.go.jp Tue May 1 18:14:19 2001
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Tue, 1 May 2001 17:14:19 +0900 (JST)
Subject: fatal compile error on SGI IRIX
Message-ID: 

IRIX64 6.5 01101245 IP27
20010425 CVS
- (djm) Include crypt.h if available in auth-passwd.c

cc-1143 cc: ERROR File = /usr/include/crypt.h, Line = 38
  Declaration is incompatible with "void des_encrypt(unsigned long *, struct des_ks_struct *, int)" (declared at line 150 of "/usr/local/ssl/include/openssl/des.h").

  extern void des_encrypt(char *, int);
              ^

1 error detected in the compilation of "auth-passwd.c".
*** Error code 2 (bu21)

It seems SGI's libcrypt includes a version of des_encrypt() that isn't the same as Openssl's. This is part of the crypt(3X) package. Removing the #include makes the error go away.

From jmknoble at jmknoble.cx Tue May 1 19:30:36 2001
From: jmknoble at jmknoble.cx (Jim Knoble)
Date: Tue, 1 May 2001 05:30:36 -0400
Subject: fatal compile error on SGI IRIX
In-Reply-To: ; from tomh@po.crl.go.jp on Tue, May 01, 2001 at 05:14:19PM +0900
References: 
Message-ID: <20010501053036.C3769@zax.half.pint-stowp.cx>

Circa 2001-May-01 17:14:19 +0900 dixit Tom Holroyd:

: IRIX64 6.5 01101245 IP27

[...]

: It seems SGI's libcrypt includes a version of des_encrypt() that isn't the
: same as Openssl's. This is part of the crypt(3X) package. Removing the
: #include makes the error go away.

You'll want to upgrade to OpenSSL-0.9.6a. From the NEWS file:

  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a:

  [...]
    o Compatibility fix: the function des_encrypt() renamed to
      des_encrypt1() to avoid clashes with some Unixen libc.

Of course, you may want to upgrade for other reasons anyway:

    o Security fix: change behavior of OpenSSL to avoid using
      environment variables when running as root.
    o Security fix: check the result of RSA-CRT to reduce the
      possibility of deducing the private key from an incorrectly
      calculated signature.
    o Security fix: prevent Bleichenbacher's DSA attack.
    o Security fix: Zero the premaster secret after deriving the
      master secret in DH ciphersuites.

-- 
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 249 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010501/e018e46a/attachment.bin

From markus.friedl at informatik.uni-erlangen.de Tue May 1 02:50:26 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 30 Apr 2001 18:50:26 +0200
Subject: [PATCH] Re: restricted shell
In-Reply-To: <3AED756A.9F116FE0@bartlett.house>; from abartlet@pcug.org.au on Tue, May 01, 2001 at 12:23:38AM +1000
References: <20010428132619.2629.qmail@nome.praxis-sw.com> <20010428182448.A4062@folly> <20010428164432.2900.qmail@nome.praxis-sw.com> <20010429180304.A16624@folly> <3AED6BB0.53777208@bartlett.house> <20010430154439.A24601@faui02.informatik.uni-erlangen.de> <3AED6F36.E53FD9E6@bartlett.house> <20010430161109.A11238@faui02.informatik.uni-erlangen.de> <3AED756A.9F116FE0@bartlett.house>
Message-ID: <20010430185026.B23003@folly>

On Tue, May 01, 2001 at 12:23:38AM +1000, Andrew Bartlett wrote:
> Markus Friedl wrote:
> > 
> > > Actually, no. Presuming that cvs-web is openssh-current, we still use
> > > /bin/sh to execute the user's sshrc. I allow my users a restricted
> > > shell (taint-mode enabled perl script) that lets them do things like
> > > change their password, so this kind of matters. I also allow them sftp
> > > access.
> > 
> > yes, i remember. i'm not sure what to do.
> > 
> > executing the LOGIN shell for .ssh/sshrc will break
> > old installations...
> 
> But you could chain: login-shell -> /bin/sh -> sshrc could you not?

oh yes, thanks. this will be probably in post-2.9

-m

From phil at bolthole.com Tue May 1 18:50:24 2001
From: phil at bolthole.com (phil at bolthole.com)
Date: Tue, 1 May 2001 01:50:24 -0700
Subject: problem with PAM coding, openssh-2.5.2p2
Message-ID: <20010501015024.A7158@bolthole.com>

Howdy coders,

in openssh-2.5.2p2, auth1.c, do_authentication() you folks do a call to getpwnam(user). If this fails, you NULL out 'pw'. Unfortunately, this stops start_pam() from being called at all.

I'm not a PAM API expert, but I was under the impression that there are PAM API calls you should be making for account verification, in PARALLEL to getpwnam(), rather than being gated by getpwnam().

Or instead, maybe you should have start_pam fill out a limited set of (struct passwd) info, if getpwnam failed [and then call allowed_user() AFTER this].

I'm trying to use a PAM module to integrate with OpenLDAP. I want to have user account info present on only the LDAP server, not in the regular password info. And ONLY for sshd. So a plain call to getpwnam will fail.

Yes, I realize that this will break other UNIX apps expecting getpwnam to work. That's MY problem :-)

Your problem is that I think you guys are going against the principles of how PAM was designed: as a replacement for stuff like getpwnam(), and hand-checking of shadow expiration.

From markus.friedl at informatik.uni-erlangen.de Tue May 1 19:49:12 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 1 May 2001 11:49:12 +0200
Subject: Problem with keygen on Solaris 8 system. (fwd)
Message-ID: <20010501114912.A473@folly>

-------------- next part --------------
An embedded message was scrubbed...
From: Shigeki Misawa
Subject: Re: Problem with keygen on Solaris 8 system.
Date: Mon, 30 Apr 2001 23:59:00 -0400 (EDT)
Size: 3533
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010501/a092310c/attachment.mht
-------------- next part --------------
An embedded message was scrubbed...
From: Shigeki Misawa
Subject: Re: Problem with keygen on Solaris 8 system.
Date: Tue, 1 May 2001 00:14:04 -0400 (EDT)
Size: 2446
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010501/a092310c/attachment-0001.mht

From pekkas at netcore.fi Tue May 1 22:03:54 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Tue, 1 May 2001 15:03:54 +0300 (EEST)
Subject: connecting to non-responding hosts: 1 hr timeout (fwd)
Message-ID: 

Hello all,

If you try to make a TCP connection to a host, and the host is down, timeouts can be as long as an hour. This is not specific to ssh, or OS.

Is this a scenario worth working around, e.g. with a timer when connecting or the like?

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

---------- Forwarded message ----------
Date: Mon, 30 Apr 2001 06:39:23 -0700 (PDT)
From: Rob Landley
To: pekkas at netcore.fi
Subject: ssh hang. (Help?)

[ snip typical sleep &; exit scenario ]

Another fun way to hang ssh is to try to contact a host that's down. It makes 4 attempts, each of which takes about 20 minutes to time out on a host that's routable but which isn't responding to any packets. ("No route to host" returns immediately, but unplug the network cable from the box you're trying to connect and it'll spend an hour trying.)

All of this is on Red Hat 7.0.

Rob

From rja at inet.org Tue May 1 23:17:41 2001
From: rja at inet.org (RJ Atkinson)
Date: Tue, 01 May 2001 09:17:41 -0400
Subject: SRP unencumbered license statement
In-Reply-To: 
References: <5.1.0.14.2.20010429171757.009f37f0@10.30.15.2>
Message-ID: <5.1.0.14.2.20010501091458.00a25510@10.30.15.2>

At 03:54 01/05/01, Tom Holroyd wrote:
>Stanford University is granting a royalty-free license for RFC 2945
>implementations -- and the OpenSSH SRP implementation is of that sort.
>That is, not only are we free and clear, but the algorithm is safe from future claimjumpers trying to patent it.
>
>Not to mention that it provides strong authentication of both client *and* server, even when the host key has changed or is unknown,
>and it doesn't leak any information to eavesdroppers or MITM. :-)

The Stanford IPR release to IETF is clear and says that bi-directional authentication mode (SRP-Z) requires a separate licence, and is not free. Only implicit server authentication mode is free.

Your statement above appears at variance with the actual words from Stanford. I'd encourage folks to go read the actual words from Stanford, not anyone's interpretations of them.

Ran
rja at inet.org

From jaltman at columbia.edu Tue May 1 23:34:34 2001
From: jaltman at columbia.edu (Jeffrey Altman)
Date: Tue, 1 May 2001 9:34:34 EDT
Subject: SRP unencumbered license statement
In-Reply-To: Your message of Tue, 01 May 2001 09:17:41 -0400
Message-ID: 

> bi-directional authentication mode (SRP-Z) requires a
> separate licence, and is not free. Only implicit server
> authentication mode is free.
> 
> Your statement above appears at variance with the actual
> words from Stanford. I'd encourage folks to go read the actual
> words from Stanford, not anyone's interpretations of them.

Implicit server authentication mode is the mode detailed by RFC 2945. It is all that is necessary for our applications.

From ricardo.muggli at mnsu.edu Wed May 2 00:03:34 2001
From: ricardo.muggli at mnsu.edu (Ricardo Muggli)
Date: Tue, 1 May 2001 09:03:34 -0500 (CDT)
Subject: Problem with .hushlogin in Tru64 UNIX 4.0e
Message-ID: 

I have tried this with openssh-2.5.2p2 and openssh-SNAP-20010501. I have noticed that with a .hushlogin file in my home directory I still get messages.

With the .hushlogin file I get these messages:
Last successful login for ricardo: Tue May 1 08:06:00 2001 from blah.mnsu.edu
Last unsuccessful login for ricardo: Tue May 1 08:05:21 2001 from blah.mnsu.edu

Without the .hushlogin file I get the same messages along with /etc/motd

It appears that these messages are being produced from within auth-sia.c during sia_ses_estab(). I couldn't tell if there was some way to suppress these messages or not. Does anybody on this list know if these messages can be suppressed? If they can be, we should fix it so these messages are printed when there is no .hushlogin and suppressed when there is a .hushlogin or there is a command.

Thanks,

-- 
Ricardo Muggli (ricardo.muggli at mnsu.edu)
Systems Manager
Information and Technology Services
Minnesota State University, Mankato
101 Morris Hall
Mankato, MN 56001
Phone: (507) 389-1164   Fax: (507) 389-6115

From ricardo.muggli at mnsu.edu Wed May 2 00:55:43 2001
From: ricardo.muggli at mnsu.edu (Ricardo Muggli)
Date: Tue, 1 May 2001 09:55:43 -0500 (CDT)
Subject: Problem with .hushlogin in Tru64 UNIX 4.0e
In-Reply-To: 
Message-ID: 

Would a patch like this be acceptable?

--- openssh/session.c	Wed Apr 18 10:29:34 2001
+++ openssh-RTM/session.c	Tue May 1 09:51:22 2001
@@ -1088,9 +1088,12 @@ switch, so we let login(1) to this for us. */ if (!options.use_login) { #ifdef HAVE_OSF_SIA - session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty); - if (!check_quietlogin(s, command)) + if (!check_quietlogin(s, command)) { + session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty); do_motd(); + } else { + session_setup_sia(pw->pw_name, NULL); + } #else /* HAVE_OSF_SIA */ #ifdef HAVE_CYGWIN if (is_winnt) { -- Ricardo Muggli (ricardo.muggli at mnsu.edu) Systems Manager Information and Technology Services Minnesota State University, Mankato 101 Morris Hall Mankato, MN 56001 Phone: (507) 389-1164 Fax: (507) 389-6115 On Tue, 1 May 2001, Ricardo Muggli wrote: > I have tried this with openssh-2.5.2p2 and openssh-SNAP-20010501. > I have noticed that with a .hushlogin file in my home directory I still > get messages. > > With the .hushlogin file I get these messages: > Last successful login for ricardo: Tue May 1 08:06:00 2001 from > blah.mnsu.edu > Last unsuccessful login for ricardo: Tue May 1 08:05:21 2001 from > blah.mnsu.edu > > Without the .hushlogin file I get the same messages along with /etc/motd > > It appears that these messages are being produced from withing auth-sia.c > during sia_ses_estab(). I couldn't tell if there was some way to suppress > these messages or not. Does anybody on this list know if these messages > can be suppressed? If then can be, we should fix it so these messages are > printed when there is no .hushlogin and suppressed when there is a > .hushlogin or there is a command. > > Thanks, > > -- > Ricardo Muggli (ricardo.muggli at mnsu.edu) > Systems Manager > Information and Technology Services > Minnesota State University, Mankato > 101 Morris Hall > Mankato, MN 56001 > Phone: (507) 389-1164 Fax: (507) 389-6115 > > From tom at arcot.com Wed May 2 04:40:27 2001 
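Review bot: the new else branch silences the "Last successful/unsuccessful login" lines only as a side effect of passing NULL for the tty (`session_setup_sia(pw->pw_name, NULL);`), and it does so even when a tty was allocated (s->ttyfd != -1), so whatever else session_setup_sia()/sia_ses_estab() does with the tty name is skipped in the quiet-login and command cases too. Suggest keeping `s->ttyfd == -1 ? NULL : s->tty` in both branches and adding an explicit quiet argument to session_setup_sia() in auth-sia.c to suppress the messages, or at least a comment stating that a NULL tty is what silences them; that also lets the duplicated call collapse to one `session_setup_sia(...)` before the `if (!check_quietlogin(s, command))` test, with only do_motd() inside it.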
From: tom at arcot.com (Tom Wu)
Date: Tue, 01 May 2001 11:40:27 -0700
Subject: SRP unencumbered license statement
References: <5.1.0.14.2.20010429171757.009f37f0@10.30.15.2> <5.1.0.14.2.20010501091458.00a25510@10.30.15.2>
Message-ID: <3AEF031B.CD3656BB@arcot.com>

RJ Atkinson wrote:
> 
> The Stanford IPR release to IETF is clear and says that
> bi-directional authentication mode (SRP-Z) requires a
> separate licence, and is not free. Only implicit server
> authentication mode is free.

Tom H's code does implicit server authentication. It's free and clear. For the record, Niels M's code is also based on implicit server authentication.

Tom

-- 
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg? Sounds Swedish..."

From dwd at bell-labs.com Wed May 2 05:35:35 2001
From: dwd at bell-labs.com (Dave Dykstra)
Date: Tue, 1 May 2001 14:35:35 -0500
Subject: connecting to non-responding hosts: 1 hr timeout (fwd)
In-Reply-To: ; from pekkas@netcore.fi on Tue, May 01, 2001 at 03:03:54PM +0300
References: 
Message-ID: <20010501143535.A6611@lucent.com>

On Tue, May 01, 2001 at 03:03:54PM +0300, Pekka Savola wrote:
> Hello all,
> 
> If you try to make a TCP connection to a host, and the host is down,
> timeouts can be as long as an hour. This is not specific to ssh, or OS.

It is specific to the O.S. Linux has a longer default timeout than Solaris, which is about 2 minutes. 2 minutes is much too long too though.

> Is this a scenario worth working around, e.g. with a timer when
> connecting or the like?

I just brought up the same issue on the GnuPG mailing list yesterday. Last week I wrote some code to get around the long timeout in ssh but I implemented it as an external program that ssh calls via -oProxyCommand. There's no reason why it can't be done inside ssh itself though, and I think it should and perhaps even have a config option to adjust the length of the timer. Here's what I wrote to gnupg-devel at gnupg.org:

On Mon, Apr 30, 2001 at 01:30:02PM -0500, Dave Dykstra wrote:
...
> you just need to do fcntl(fd, F_SETFL, O_NONBLOCK) on the socket before the
> connect(), check for EINPROGRESS from the connect(), and then do a select()
> for writability on the fd with a timeout of however long you want. Note
> that if the connection is then refused it will come as an error message
> from the next read() or write(). Some older systems may not have
> O_NONBLOCK or EINPROGRESS defines so I'd #ifdef out the code if they're
> missing.

A reply said where you can get some code to do it portably:

On Wed, May 02, 2001 at 06:33:28AM +1200, Peter Gutmann wrote:
...
> I wrote my own wrappers for this which work under
> every Unix I've been able to get my hands on as well as Win32, if whoever's
> working on this for GPG wants the code they can grab it from the latest
> cryptlib version, ftp://ftp.franken.de/pub/crypt/cryptlib/beta/cl30beta05.zip,
> as misc/net_tcp.c.

- Dave Dykstra

From matt at careercast.com Tue May 1 02:42:45 2001
From: matt at careercast.com (Matt Simonsen)
Date: Mon, 30 Apr 2001 09:42:45 -0700
Subject: OpenSSH too many files open
Message-ID: 

My company is running OpenSSH 2.5.1 (via inetd) and over time it appears that OpenSSH sessions are not being properly terminated on the server. The basic symptom is that thousands of files are opened and not being let go of as users close them, eventually taking us to the 4000 open file limit.

I have seen on some online man pages an IdleTimeout option, although it does not appear to work for the OpenSSH version I am using (nor is it in the man pages). Is there some option that may help this problem? We are using the default KeepAlive enabled. Second, any suggestions on how I can prevent this behavior?

Other than this everything is working very well, but it is causing pretty serious problems and I don't think croning a daily killall -9 sshd is really the answer.

Thanks
Matt Simonsen

From matt at careercast.com Wed May 2 07:47:20 2001
From: matt at careercast.com (Matt Simonsen)
Date: Tue, 1 May 2001 14:47:20 -0700
Subject: Too many open files
Message-ID: 

My company is running OpenSSH 2.5.1 (via inetd) on about 10 servers and over time it appears that OpenSSH sessions are not being properly terminated on the server. The basic symptom is that thousands of files are opened and not being let go of as users close them, eventually taking us to the 4000 open file limit. We did notice that the number of files bash is taking up are relatively proportional to the number of SSH files, too.

I believe one of the root causes is users closing their SecureCRT session via the windows X rather than typing "Exit," although I do not think this should cause SSH sessions to stay open on the server.

I have seen on some online man pages an IdleTimeout option (for the OpenBSD version), although it does not appear to be included for the Linux OpenSSH version I am using (nor is it in the man pages in my doc directory). Is there some option that may help this problem? We are using the default KeepAlive enabled. Second, any suggestions on how I can prevent this behavior?

Other than this everything is working very well, but it is causing pretty serious problems and I don't think croning a daily killall -9 sshd is really the answer.

Thanks
Matt Simonsen

From carson at taltos.org Wed May 2 13:37:38 2001
From: carson at taltos.org (Carson Gaspar)
Date: Tue, 01 May 2001 20:37:38 -0700
Subject: connecting to non-responding hosts: 1 hr timeout (fwd)
In-Reply-To: <20010501143535.A6611@lucent.com>
References: <20010501143535.A6611@lucent.com>
Message-ID: <233116375.988749458@athyra>

--On Tuesday, May 01, 2001 2:35 PM -0500 Dave Dykstra wrote:

>> you just need to do fcntl(fd, F_SETFL, O_NONBLOCK) on the socket before
>> the connect(), check for EINPROGRESS from the connect(), and then do a
>> select() for writability on the fd with a timeout of however long you
>> want. Note that if the connection is then refused it will come as an
>> error message from the next read() or write(). Some older systems may
>> not have O_NONBLOCK or EINPROGRESS defines so I'd #ifdef out the code if
>> they're missing.

Sadly, this is _not_ portable, as you seem to imply by your portable url below. I'm one of the people who got async connect working with socks5. When I asked the late Richard Stevens about some edge conditions, his response was "I don't know. Let me know what you find out". Here There Be Dragons.

I ended up writing a test case bit of C code, and running it on a bunch of different OSs. It wasn't pretty. The main problem lies in getting the return code from the async connect if it fails. The only portable way is via getsockopt(), and many older systems don't support the SO_ERROR option. What select returns on a failed call is also implementation-specific.

> On Wed, May 02, 2001 at 06:33:28AM +1200, Peter Gutmann wrote:
> ...
>> I wrote my own wrappers for this which work under
>> every Unix I've been able to get my hands on as well as Win32, if
>> whoever's working on this for GPG wants the code they can grab it from
>> the latest cryptlib version,
>> ftp://ftp.franken.de/pub/crypt/cryptlib/beta/cl30beta05.zip, as
>> misc/net_tcp.c.

Sadly, this relies on SO_ERROR being present and working properly.
This should be true for any modern flavor of UNIX, but older implementations will fail, FYI. The comments in misc/net_tcp.c explain things correctly, however.

-- 
Carson

From karlm30 at hotmail.com Wed May 2 15:22:05 2001
From: karlm30 at hotmail.com (Karl M)
Date: Tue, 01 May 2001 22:22:05 -0700
Subject: Updated partial auth patch against CVS
Message-ID: 

Hi Carson...

If it is possible, I would like to see

Authorder2 publickey,publickey:password

do the "right thing" in the CygWin environment. Meaning (in my view of the world) that if the sshd user-id and the ssh user-id match, publickey authentication is performed. If the sshd user-id and the ssh user-id are different then publickey:password is performed.

This requires knowing that the publickey succeeded, but we declared failure because of the user-id mismatch. It also requires remembering the longest successful prefix before starting a new authentication sequence.

Thanks,

...Karl

From carson at taltos.org Wed May 2 18:57:59 2001
From: carson at taltos.org (Carson Gaspar)
Date: Wed, 02 May 2001 01:57:59 -0700
Subject: Updated partial auth patch against CVS
In-Reply-To: 
References: 
Message-ID: <252336765.988768679@athyra>

--On Tuesday, May 01, 2001 10:22 PM -0700 Karl M wrote:

> Hi Carson...
> 
> If it is possible, I would like to see
> 
> Authorder2 publickey,publickey:password
> 
> do the "right thing" in the CygWin environment. Meaning (in my view of

I don't touch cygwin. If you'd care to submit a patch, please do. But please don't use the above syntax - it's a bad idea. It puts "magic" on cygwin boxen.

-- 
Carson

From karlm30 at hotmail.com Thu May 3 04:10:06 2001
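The connect-with-timeout technique Dave Dykstra describes in the "1 hr timeout" thread above (non-blocking connect(), EINPROGRESS, select() for writability), combined with Carson Gaspar's point that the result of an asynchronous connect is read back portably only through getsockopt(SO_ERROR), as an added example. This is not code from the thread, from OpenSSH or from cryptlib's misc/net_tcp.c; it assumes a POSIX sockets platform that has O_NONBLOCK, EINPROGRESS and SO_ERROR (the thread's caveats about older systems still apply), and the demo helpers bind a throwaway listener on 127.0.0.1 so the example runs offline.

```c
/* Added example, not code from this thread, OpenSSH or cryptlib: connect()
 * with a caller-chosen timeout. Assumes POSIX sockets with O_NONBLOCK,
 * EINPROGRESS and SO_ERROR. The demo helpers use a loopback listener. */
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Connect fd to sa, waiting at most timeout_ms. Returns 0 on success, or -1
 * with errno = ETIMEDOUT if the peer never answered, otherwise the kernel's
 * error (e.g. ECONNREFUSED). The socket is restored to blocking mode. */
int connect_with_timeout(int fd, const struct sockaddr *sa, socklen_t salen,
                         int timeout_ms)
{
    int err = 0, flags = fcntl(fd, F_GETFL, 0);
    if (flags == -1 || fcntl(fd, F_SETFL, flags | O_NONBLOCK) == -1)
        return -1;

    int rc = connect(fd, sa, salen);
    if (rc == -1 && errno != EINPROGRESS) {
        err = errno;                /* failed at once: ENETUNREACH, ECONNREFUSED, ... */
    } else if (rc == -1) {          /* EINPROGRESS: handshake running in the kernel */
        fd_set wfds;
        struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
        int n;
        FD_ZERO(&wfds);
        FD_SET(fd, &wfds);
        do {
            n = select(fd + 1, NULL, &wfds, NULL, &tv);
        } while (n == -1 && errno == EINTR);
        if (n == 0) {
            err = ETIMEDOUT;        /* nobody answered within the timeout */
        } else if (n == -1) {
            err = errno;
        } else {
            /* Writable means the connect finished, well or badly; SO_ERROR is
             * the portable way to learn which (not the next read()/write()). */
            socklen_t elen = sizeof(err);
            if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &elen) == -1)
                err = errno;
        }
    }
    fcntl(fd, F_SETFL, flags);      /* back to blocking for normal I/O */
    if (err != 0) { errno = err; return -1; }
    return 0;
}

/* Demo helper (constructed): listen on 127.0.0.1 on a kernel-chosen port. */
static int listen_loopback(struct sockaddr_in *bound)
{
    socklen_t len = sizeof(*bound);
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd == -1) return -1;
    memset(bound, 0, len);
    bound->sin_family = AF_INET;
    bound->sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* port 0: kernel picks */
    if (bind(lfd, (struct sockaddr *)bound, len) == -1 || listen(lfd, 1) == -1 ||
        getsockname(lfd, (struct sockaddr *)bound, &len) == -1) {
        close(lfd);
        return -1;
    }
    return lfd;
}
/* Demo helper: 0 if a connection to addr succeeds, else the errno value. */
static int try_connect(const struct sockaddr_in *addr, int timeout_ms)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd == -1) return errno;
    int rc = connect_with_timeout(fd, (const struct sockaddr *)addr,
                                  sizeof(*addr), timeout_ms);
    int result = (rc == 0) ? 0 : errno;
    close(fd);
    return result;
}
/* Listener up: the connect completes within the timeout, result 0. */
int demo_live_connect(void)
{
    struct sockaddr_in addr;
    int lfd = listen_loopback(&addr);
    if (lfd == -1) return errno;
    int result = try_connect(&addr, 2000);
    close(lfd);
    return result;
}
/* Listener gone: the port answers with RST, so the result is ECONNREFUSED
 * immediately rather than the hour-long retry the thread complains about. */
int demo_refused_connect(void)
{
    struct sockaddr_in addr;
    int lfd = listen_loopback(&addr);
    if (lfd == -1) return errno;
    close(lfd);
    return try_connect(&addr, 2000);
}
```

The unreachable-but-routable host from Rob Landley's report is the case the select() timeout covers: the SYN gets no answer, select() returns 0 and the caller sees ETIMEDOUT after timeout_ms instead of waiting for the kernel's own retransmit schedule. A refused or unroutable destination fails fast through errno or SO_ERROR; the demo functions exercise those two paths against loopback.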
From: karlm30 at hotmail.com (Karl M)
Date: Wed, 02 May 2001 11:10:06 -0700
Subject: Updated partial auth patch against CVS
Message-ID:

Hi Carson...

Please help me understand the issues/constraints here. Regarding

Authorder2 publickey,publickey:password

what part of the syntax do you see as a problem? Is it that an authentication sequence is a proper subset of a later authentication sequence in the list?

If I use

Authorder2 publickey:method1,publickey:method2

and the public key succeeds but method1 fails, assuming no agent will the user see

publickey
method1
method2

or will he see

publickey
method1
publickey
method2

I would hope and vote for the first.

What I would hope to specify is: publickey (when ssh and sshd userids match) and publickey:password (when ssh and sshd userids differ). This gets the password to the sshd so that the userid can be changed in CygWin. Do you have any thoughts on the syntax for this that would be compatible with your syntax?

Thanks,

...Karl

From carson at taltos.org Thu May 3 04:47:28 2001
From: carson at taltos.org (Carson Gaspar)
Date: Wed, 02 May 2001 11:47:28 -0700
Subject: Updated partial auth patch against CVS
In-Reply-To:
References:
Message-ID: <1096997546.988804048@ZATHROS>

--On Wednesday, May 02, 2001 11:10 AM -0700 Karl M wrote:

> Hi Carson...
>
> Please help me understand the issues/constraints here. Regarding
>
> Authorder2 publickey,publickey:password
>
> what part of the syntax do you see as a problem? Is it that an
> authentication sequence is a proper subset of a later authentication
> sequence in the list?

Yes. Although "later" is irrelevant. If publickey succeeds, you're in. You'll never be asked for a password. You're suggesting changing that behaviour on Cygwin, making it platform-specific. That's bad.

> If I use
>
> Authorder2 publickey:method1,publickey:method2
>
> and the public key succeeds but method1 fails, assuming no agent will the
> user see
>
> publickey
> method1
> method2
>
> or will he see
>
> publickey
> method1
> publickey
> method2
>
> I would hope and vote for the first.

Currently, it should show "method1,method2". This makes the client "do the right thing" and let you re-try your flubbed password, without making you re-enter your private key passphrase.

> What I would hope to specify is: publickey (when ssh and sshd userids
> match) and publickey:password (when ssh and sshd userids differ). This
> gets the password to the sshd so that the userid can be changed in
> CygWin. Do you have any thoughts on the syntax for this that would be
> compatible with your syntax?

publickey:cygwinoptpass

and add code to handle the cygwin bizarro world case.

-- 
Carson Gaspar - carson at taltos.org
Queen trapped in a butch body

From mouring at etoh.eviladmin.org Thu May 3 04:43:47 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 2 May 2001 13:43:47 -0500 (CDT)
Subject: contrib/solaris/build-pkg
Message-ID:

I went to go use it today since I'll be putting together some packages for a national project and I found them in pretty *BAD* shape.

By tonight, I should have some partial patches to resolve a lot of the issues, but I really feel we either need to fix it, remove it, or replace it with a better version.

It's old enough to lack RSA v2 key generation, lack of slogin, sftp, sftp-server, ssh-keyscan, and some rather nasty hardcoded /usr/local checks (which is great if you install in /usr/local, but it does not help those of us doing packages to /opt =).

Any takers? I plan on merging the useful bits from my work today into the CVS tree tomorrow, but it would be nice if it could be a bit more streamlined in how it generates the prototype file.

- Ben

From carson at taltos.org Thu May 3 05:20:49 2001
From: carson at taltos.org (Carson Gaspar)
Date: Wed, 02 May 2001 12:20:49 -0700
Subject: 2.9p1?? core dump in auth_log
Message-ID: <1098998156.988806049@ZATHROS>

auth.c:auth_log contains the following code:

        authlog("%s %s for %s%.100s from %.200s port %d%s",
            authmsg,
            method,
            authctxt->valid ? "" : "illegal user ",
--->        authctxt->valid && authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user,
            get_remote_ipaddr(),
            get_remote_port(),
            info);

If authctxt->user is null, this will dump core. I discovered this using SSH1 publickey auth with my hacked 20010424 CVS sources. auth.c and auth1.c haven't changed since then, so I suspect this may still be lurking. I'm going to test it against 2.9p1 as soon as I can, but I have to run off to jury duty now (feh).

A local patch is to change the marked line above to:

            authctxt->valid ? (authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user) : "unknown user",

A larger issue is why getpwnam() hasn't been called by that point...

-- 
Carson Gaspar - carson at taltos.org
Queen trapped in a butch body

From irving at samurai.sfo.dead-dog.com Thu May 3 05:22:51 2001
From: irving at samurai.sfo.dead-dog.com (Irving Popovetsky)
Date: Wed, 2 May 2001 12:22:51 -0700
Subject: contrib/solaris/build-pkg
In-Reply-To: ; from mouring@etoh.eviladmin.org on Wed, May 02, 2001 at 01:43:47PM -0500
References:
Message-ID: <20010502122251.A4919@samurai.sfo.dead-dog.com>

Howdy,

I have some stuff that I've been waiting to contribute. It initially started as a new ssh initscript for Solaris (which I sent to Rip Loomis), but has evolved into my own (and very different) build system that I've been using to roll out OpenSSH, and it's worked out quite nicely (for me, at least). It's got a lot of crap and features that you may not want (including a patch I submitted a long time ago to recognize rlogin/slogin better, that never got committed).

This build system is meant to be entirely standalone. It actually goes and fetches all the software it needs, builds it in a pseudo-sandbox, and puts everything together.

I'm not promising a magic-bullet here, or perfect code, but I thought I would throw it out for people to poke at and see what they think.

Questions? Comments? Concerns?

-Irving Popovetsky

On Wed, May 02, 2001 at 01:43:47PM -0500, mouring at etoh.eviladmin.org wrote:
>
> I went to go use it today since I'll be putting together some packages for
> a national project and I found them in pretty *BAD* shape.
>
> By tonight, I should have some partial patches to resolve a lot of the
> issues, but I really feel we either need to fix it, remove it, or
> replace it with a better version.
>
> It's old enough to lack RSA v2 key generation, lack of slogin, sftp,
> sftp-server, ssh-keyscan, and some rather nasty hardcoded /usr/local
> checks (which is great if you install in /usr/local, but it does not
> help those of us doing packages to /opt =).
>
>
> Any takers? I plan on merging the useful bits from my work today into the
> CVS tree tomorrow, but it would be nice if it could be a bit more
> streamlined in how it generates the prototype file.
>
> - Ben

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-solpkg.tar.gz
Type: application/x-tar-gz
Size: 13067 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010502/0db90fb1/attachment.bin

From GILBERT.R.LOOMIS at saic.com Thu May 3 05:25:52 2001
From: GILBERT.R.LOOMIS at saic.com (Loomis, Rip)
Date: Wed, 2 May 2001 15:25:52 -0400
Subject: contrib/solaris/build-pkg
Message-ID: <791BD3CB503DD411A6510008C7CF647701F40B23@col-581-exs01.cist.saic.com>

Ben--
I'm the originator of the packaging scripts, although I've been doing a lousy job of maintaining them. I've just re-surfaced at work after teaching a class for the last week (plus two-week-old baby at home, plus other excuses) and I'm trying to catch up.

I've got 80% of the necessary fixes done on my test system here, against 2.5.2p1. I can either send those to you or you can send me your changes. (I'm not sure whether my fixes are complete for the "packages installed in /opt" case...) I didn't want to write a script to generate the prototype file on the fly when I was "scratching" my original itch, but that would probably be appropriate--or even required in order to do what you need for /opt.

Let me know how you'd like to proceed--thanks.

Rip Loomis
Voice Number: (410) 953-6874
--------------------------------------------------------
Senior Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com

> -----Original Message-----
> From: mouring at etoh.eviladmin.org [mailto:mouring at etoh.eviladmin.org]
> Sent: Wednesday, May 02, 2001 2:44 PM
> To: openssh-unix-dev at mindrot.org
> Subject: contrib/solaris/build-pkg
>
>
>
> I went to go use it today since I'll be putting together some
> packages for
> a national project and I found them in pretty *BAD* shape.
>
> By tonight, I should have some partial patches to resolve a lot of the
> issues, but I really feel we either need to fix it,
> remove it, or
> replace it with a better version.
>
> It's old enough to lack RSA v2 key generation, lack of slogin, sftp,
> sftp-server, ssh-keyscan, and some rather nasty hardcoded /usr/local
> checks (which is great if you install in /usr/local, but it does not
> help those of us doing packages to /opt =).
>
>
> Any takers? I plan on merging the useful bits from my work
> today into the
> CVS tree tomorrow, but it would be nice if it could be a bit more
> streamlined in how it generates the prototype file.
>
> - Ben
>

From mouring at etoh.eviladmin.org Thu May 3 05:21:32 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 2 May 2001 14:21:32 -0500 (CDT)
Subject: contrib/solaris/build-pkg
In-Reply-To: <791BD3CB503DD411A6510008C7CF647701F40B23@col-581-exs01.cist.saic.com>
Message-ID:

On Wed, 2 May 2001, Loomis, Rip wrote:

> Ben--
> I'm the originator of the packaging scripts,
> although I've been doing a lousy job of
> maintaining them. I've just re-surfaced
> at work after teaching a class for the last
> week (plus two-week-old baby at home, plus
> other excuses) and I'm trying to catch up.
>

Not a problem. I rarely go into contrib/ and I was just recently called on to make solaris packages of SSH.

> I've got 80% of the necessary fixes done
> on my test system here, against 2.5.2p1.
> I can either send those to you or you can
> send me your changes. (I'm not sure whether
> my fixes are complete for the "packages
> installed in /opt" case...) I didn't want
> to write a script to generate the prototype
> file on the fly when I was "scratching"
> my original itch, but that would probably
> be appropriate--or even required in order
> to do what you need for /opt.
>

If you send them to me.. I'll look at and see how close it handles the /opt aspect. Most of what I've been doing is attempting to get a decent enough package together for local testing.

- Ben

From dwd at bell-labs.com Thu May 3 05:32:58 2001
From: dwd at bell-labs.com (Dave Dykstra)
Date: Wed, 2 May 2001 14:32:58 -0500
Subject: connecting to non-responding hosts: 1 hr timeout (fwd)
In-Reply-To: <233116375.988749458@athyra>; from carson@taltos.org on Tue, May 01, 2001 at 08:37:38PM -0700
References: <20010501143535.A6611@lucent.com> <233116375.988749458@athyra>
Message-ID: <20010502143258.A27488@lucent.com>

On Tue, May 01, 2001 at 08:37:38PM -0700, Carson Gaspar wrote:
>
>
> --On Tuesday, May 01, 2001 2:35 PM -0500 Dave Dykstra
> wrote:
>
> >> you just need to do fcntl(fd, F_SETFL, O_NONBLOCK) on the socket before
> >> the connect(), check for EINPROGRESS from the connect(), and then do a
> >> select() for writability on the fd with a timeout of however long you
> >> want. Note that if the connection is then refused it will come as an
> >> error message from the next read() or write(). Some older systems may
> >> not have O_NONBLOCK or EINPROGRESS defines so I'd #ifdef out the code if
> >> they're missing.
>
> Sadly, this is _not_ portable, as you seem to imply by your portable url
> below.

I didn't say my approach was all that portable but Peter Gutmann said his way was.

> I'm one of the people who got async connect working with socks5.
> When I asked the late Richard Stevens about some edge conditions, his
> response was "I don't know. Let me know what you find out". Here There Be
> Dragons. I ended up writing a test case bit of C code, and running it on a
> bunch of different OSs. It wasn't pretty. The main problem lies in getting
> the return code from the async connect if it fails. The only portable way
> is via getsockopt(), and many older systems don't support the SO_ERROR
> option. What select returns on a failed call is also
> implementation-specific.
>
> > On Wed, May 02, 2001 at 06:33:28AM +1200, Peter Gutmann wrote:
> > ...
> >> I wrote my own wrappers for this which work under
> >> every Unix I've been able to get my hands on as well as Win32, if
> >> whoever's working on this for GPG wants the code they can grab it from
> >> the latest cryptlib version,
> >> ftp://ftp.franken.de/pub/crypt/cryptlib/beta/cl30beta05.zip, as
> >> misc/net_tcp.c.
>
> Sadly, this relies on SO_ERROR being present and working properly. This
> should be true for any modern flavor of UNIX, but older implementations
> will fail, FYI. The comments in misc/net_tcp.c explain things correctly,
> however.

I'd say just ifdef out the whole thing if on Unix and SO_ERROR is missing. It's definitely worth doing on the modern unixes. You got it working in socks5 so ssh could use that approach. Where's the code for it in socks5?

The reason I needed it in ssh was that I wanted to use ssh to initialize /etc/ssh_known_hosts from the list of hosts in /etc/hosts.equiv but there were a lot of dead hosts in there and it was taking forever to go through the whole list.

- Dave Dykstra

From mouring at etoh.eviladmin.org Thu May 3 05:49:58 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 2 May 2001 14:49:58 -0500 (CDT)
Subject: connecting to non-responding hosts: 1 hr timeout (fwd)
In-Reply-To: <20010502143258.A27488@lucent.com>
Message-ID:

[..]
> The reason I needed it in ssh was that I wanted to use ssh to initialize
> /etc/ssh_known_hosts from the list of hosts in /etc/hosts.equiv but there
> were a lot of dead hosts in there and it was taking forever to go through
> the whole list.
>

Correct me if I'm wrong.. but you should be using ssh-keyscan for such a task.

- Ben

From dwd at bell-labs.com Thu May 3 06:16:18 2001
From: dwd at bell-labs.com (Dave Dykstra)
Date: Wed, 2 May 2001 15:16:18 -0500
Subject: connecting to non-responding hosts: 1 hr timeout (fwd)
In-Reply-To: ; from mouring@etoh.eviladmin.org on Wed, May 02, 2001 at 02:49:58PM -0500
References: <20010502143258.A27488@lucent.com>
Message-ID: <20010502151618.A28210@lucent.com>

On Wed, May 02, 2001 at 02:49:58PM -0500, mouring at etoh.eviladmin.org wrote:
>
>
> [..]
> > The reason I needed it in ssh was that I wanted to use ssh to initialize
> > /etc/ssh_known_hosts from the list of hosts in /etc/hosts.equiv but there
> > were a lot of dead hosts in there and it was taking forever to go through
> > the whole list.
> >
>
> Correct me if I'm wrong.. but you should be using ssh-keyscan for such a
> task.

Actually I was still using ssh 1.2.27 (since I haven't completed my conversion to OpenSSH) and hadn't yet discovered ssh-keyscan. Thanks for pointing it out to me, it looks great.

I was trying to use that as a justification for putting non-blocking connects with a short timeout into OpenSSH's ssh command, and ssh-keyscan makes that justification invalid, but I still think it makes sense for the ssh command to do it.

- Dave Dykstra

From pekkas at netcore.fi Thu May 3 06:26:04 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 2 May 2001 23:26:04 +0300 (EEST)
Subject: connecting to non-responding hosts: 1 hr timeout (fwd)
In-Reply-To:
Message-ID:

On Wed, 2 May 2001 mouring at etoh.eviladmin.org wrote:
> > The reason I needed it in ssh was that I wanted to use ssh to initialize
> > /etc/ssh_known_hosts from the list of hosts in /etc/hosts.equiv but there
> > were a lot of dead hosts in there and it was taking forever to go through
> > the whole list.
> >
>
> Correct me if I'm wrong.. but you should be using ssh-keyscan for such a
> task.

ssh-keyscan does not support Protocol 2 the last I checked; a very major (and known) issue.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

From markus.friedl at informatik.uni-erlangen.de Thu May 3 06:50:12 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 2 May 2001 22:50:12 +0200
Subject: 2.9p1?? core dump in auth_log
In-Reply-To: <1098998156.988806049@ZATHROS>; from carson@taltos.org on Wed, May 02, 2001 at 12:20:49PM -0700
References: <1098998156.988806049@ZATHROS>
Message-ID: <20010502225012.A11260@folly>

On Wed, May 02, 2001 at 12:20:49PM -0700, Carson Gaspar wrote:
> If authctxt->user is null, this will dump core.

how can ->user be NULL? authentication packets w/o a user are illegal and should trigger other error messages.

> I discovered this using
> SSH1 publickey auth with my hacked 20010424 CVS sources. auth.c and auth1.c
> haven't changed since then, so I suspect this may still be lurking. I'm
> going to test it against 2.9p1 as soon as I can, but I have to run off to
> jury duty now (feh).
>
> A local patch is to change the marked line above to:
>
> authctxt->valid ? (authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user) :
> "unknown user",
>
> A larger issue is why getpwnam() hasn't been called by that point...

if getpwnam is successful then authctxt->valid is true. authctxt->user should always be set from the ssh messages.

From markus.friedl at informatik.uni-erlangen.de Thu May 3 06:51:50 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 2 May 2001 22:51:50 +0200
Subject: connecting to non-responding hosts: 1 hr timeout (fwd)
In-Reply-To: <233116375.988749458@athyra>; from carson@taltos.org on Tue, May 01, 2001 at 08:37:38PM -0700
References: <20010501143535.A6611@lucent.com> <233116375.988749458@athyra>
Message-ID: <20010502225150.B11260@folly>

On Tue, May 01, 2001 at 08:37:38PM -0700, Carson Gaspar wrote:
> Sadly, this is _not_ portable, as you seem to imply by your portable url
> below. I'm one of the people who got async connect working with socks5.
> When I asked the late Richard Stevens about some edge conditions, his
> response was "I don't know. Let me know what you find out". Here There Be
> Dragons. I ended up writing a test case bit of C code, and running it on a
> bunch of different OSs. It wasn't pretty. The main problem lies in getting
> the return code from the async connect if it fails. The only portable way
> is via getsockopt(), and many older systems don't support the SO_ERROR
> option. What select returns on a failed call is also
> implementation-specific.

well, then openssh is not portable :)

the current channels.c uses async connects this way.

From gert at greenie.muc.de Thu May 3 05:47:51 2001
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 2 May 2001 21:47:51 +0200
Subject: connecting to non-responding hosts: 1 hr timeout (fwd)
In-Reply-To: <233116375.988749458@athyra>; from carson@taltos.org on Tue, May 01, 2001 at 08:37:38PM -0700
References: <20010501143535.A6611@lucent.com> <233116375.988749458@athyra>
Message-ID: <20010502214751.E1071@greenie.muc.de>

Hi,

On Tue, May 01, 2001 at 08:37:38PM -0700, Carson Gaspar wrote:
[..]
> >> you just need to do fcntl(fd, F_SETFL, O_NONBLOCK) on the socket before
> >> the connect(), check for EINPROGRESS from the connect(), and then do a
> >> select() for writability on the fd with a timeout of however long you

What's wrong with just alarm()ing out of the connect()?

(This will be bad for anything remotely multi-threaded but for the ssh client, it should be fine).

gert

-- 
Gert Doering
Mobile communications ... right now writing from *@Bologna* ...
mobile phone: +49 177 2160221 ... or mail me: gert at greenie.muc.de

From carson at taltos.org Thu May 3 07:14:24 2001
From: carson at taltos.org (Carson Gaspar)
Date: Wed, 02 May 2001 14:14:24 -0700
Subject: 2.9p1?? core dump in auth_log
In-Reply-To: <1098998156.988806049@ZATHROS>
Message-ID: <970386346.988812864@mir>

OK, so after recompiling with no optimization, the bug vanishes. Recompiling with optimization again, the bug still vanishes. I'm stumped where it came from, and why authctxt->user wasn't being populated, but the bug in auth_log() should still be fixed.

-- 
Carson

From carson at taltos.org Thu May 3 07:18:27 2001
From: carson at taltos.org (Carson Gaspar)
Date: Wed, 02 May 2001 14:18:27 -0700
Subject: connecting to non-responding hosts: 1 hr timeout (fwd)
In-Reply-To: <20010502225150.B11260@folly>
Message-ID: <970629796.988813107@mir>

--On Wednesday, May 02, 2001 10:51 PM +0200 Markus Friedl wrote:

> well, then openssh is not portable :)
>
> the current channels.c uses async connects this way.

I just looked at it, and yes, it won't compile on systems that don't support SO_ERROR. I suspect everything except crufty SYSVr3 boxen support it at this point. When I did my work in '94 or so, we still had some crufty SYSVr3 boxen.

-- 
Carson

From markus.friedl at informatik.uni-erlangen.de Thu May 3 07:35:01 2001
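The connect-with-timeout sequence this thread describes (O_NONBLOCK, connect() returning EINPROGRESS, select() for writability, then getsockopt(SO_ERROR) for the real outcome), with the portability point Carson raises handled by an #ifdef, as an added example that is neither OpenSSH's channels.c nor cryptlib's misc/net_tcp.c. The loopback test peers and the helper names (connect_timeout, loopback_socket, try_loopback, demo_*) are constructed for the demonstration; the SO_ERROR-less fallback encodes Dave Dykstra's remark that the error surfaces on the next read() and is an assumption that modern systems never exercise.

```c
/* Non-blocking connect with a timeout, as sketched in this thread: O_NONBLOCK,
 * connect() -> EINPROGRESS, select() for writability, then getsockopt(SO_ERROR)
 * for the real result.  Added illustration, not OpenSSH's channels.c. */
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* 0 on success; -1 with errno set on failure (ETIMEDOUT if the timeout
 * expired).  The socket is put back into blocking mode on success. */
static int connect_timeout(int fd, const struct sockaddr *sa, socklen_t salen,
                           int timeout_ms)
{
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags == -1 || fcntl(fd, F_SETFL, flags | O_NONBLOCK) == -1)
        return -1;
    int rc = connect(fd, sa, salen);
    if (rc == -1 && errno != EINPROGRESS)
        return -1;                  /* failed right away; errno already set */
    if (rc == -1) {                 /* EINPROGRESS: wait for the outcome */
        fd_set wfds;
        FD_ZERO(&wfds);
        FD_SET(fd, &wfds);
        struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
        rc = select(fd + 1, NULL, &wfds, NULL, &tv);
        if (rc == -1) return -1;
        if (rc == 0) {
            errno = ETIMEDOUT;      /* nothing happened within the timeout */
            return -1;
        }
#ifdef SO_ERROR
        /* Writable does not mean connected: a refused connect also shows
         * writable.  SO_ERROR carries the real result. */
        int soerr = 0;
        socklen_t optlen = sizeof(soerr);
        if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &soerr, &optlen) == -1)
            return -1;              /* some stacks report the error here */
        if (soerr != 0) {
            errno = soerr;
            return -1;
        }
#else
        /* No SO_ERROR (the old systems Carson mentions): no portable query,
         * so rely on the thread's observation that read() reports the error. */
        struct sockaddr_storage peer;
        socklen_t plen = sizeof(peer);
        if (getpeername(fd, (struct sockaddr *)&peer, &plen) == -1) {
            char c;
            (void)read(fd, &c, 1);  /* moves the pending error into errno */
            return -1;
        }
#endif
    }
    fcntl(fd, F_SETFL, flags);      /* back to blocking mode */
    return 0;
}

/* Constructed test peer: a loopback socket on an ephemeral port.  With
 * do_listen == 0 the port is bound but nobody listens, so the kernel answers
 * the SYN with RST and the connect is refused. */
static int loopback_socket(int do_listen, struct sockaddr_in *addr)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1) return -1;
    memset(addr, 0, sizeof(*addr));
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    socklen_t alen = sizeof(*addr);
    if (bind(s, (struct sockaddr *)addr, alen) == -1 ||
        (do_listen && listen(s, 1) == -1) ||
        getsockname(s, (struct sockaddr *)addr, &alen) == -1) {
        close(s);
        return -1;
    }
    return s;
}

/* Connects to such a peer; returns 0 or the errno from connect_timeout(). */
static int try_loopback(int do_listen)
{
    struct sockaddr_in addr;
    int s = loopback_socket(do_listen, &addr);
    if (s == -1) return errno;
    int fd = socket(AF_INET, SOCK_STREAM, 0), err = 0;
    if (fd == -1 ||
        connect_timeout(fd, (struct sockaddr *)&addr, sizeof(addr), 2000) == -1)
        err = errno;
    if (fd != -1) close(fd);
    close(s);
    return err;
}

int demo_accepting(void) { return try_loopback(1); }  /* expect 0 */
int demo_refused(void)   { return try_loopback(0); }  /* expect ECONNREFUSED */
```

Both demos finish within the timeout: the refused case comes back as ECONNREFUSED read out of SO_ERROR, not from a later read() or write().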
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 2 May 2001 23:35:01 +0200
Subject: OpenSSH 2.9
Message-ID: <20010502233501.A20604@folly>

OpenSSH 2.9 has just been uploaded. It will be available from the mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

This release contains many portability bug-fixes (listed in the ChangeLog) as well as several new features (listed below).

We would like to thank the OpenSSH community for their continued support and encouragement.

Important Changes:
==================

WARNING: SSH protocol v2 is now the default protocol version

        use the 'Protocol' option from ssh(1) and sshd(8) if
        you want to change this.

SSH protocol v2 implementation adds support for:

        HostbasedAuthentication, similar to RhostsRSA in SSH protocol v1

        Rekeying (negotiate new encryption keys for the current SSH
        session, try ~R in interactive SSH sessions)

        updated DH group exchange:
        draft-ietf-secsh-dh-group-exchange-01.txt

        client option HostKeyAlgorithms

        server options ClientAliveInterval and ClientAliveCountMax

        tty mode passing

general:

        gid swapping in sshd (fixes access to /home/group/user based
        directory structures)

        Dan Kaminsky contributed an experimental
        SOCKS4 proxy to the ssh client (yes, client not the server).
        Use 'ssh -D 1080 server' if you want to try this out.

        server option PrintLastLog

        improvements for scp > 2GB

        improved ListenAddress option.
        You can now use ListenAddress host:port

        improved interoperability (bug detection for older implementations)

        improved documentation

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller and Ben Lindstrom.

From markus.friedl at informatik.uni-erlangen.de Thu May 3 08:30:19 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 3 May 2001 00:30:19 +0200
Subject: connecting to non-responding hosts: 1 hr timeout (fwd)
In-Reply-To: ; from pekkas@netcore.fi on Wed, May 02, 2001 at 11:26:04PM +0300
References:
Message-ID: <20010503003019.A16049@folly>

On Wed, May 02, 2001 at 11:26:04PM +0300, Pekka Savola wrote:
> On Wed, 2 May 2001 mouring at etoh.eviladmin.org wrote:
> > > The reason I needed it in ssh was that I wanted to use ssh to initialize
> > > /etc/ssh_known_hosts from the list of hosts in /etc/hosts.equiv but there
> > > were a lot of dead hosts in there and it was taking forever to go through
> > > the whole list.
> > >
> >
> > Correct me if I'm wrong.. but you should be using ssh-keyscan for such a
> > task.
>
> ssh-keyscan does not support Protocol 2 the last I checked; a very major
> (and known) issue.

you want to fix this? :)

From rcc at demo.telefonica.com.pe Thu May 3 09:18:40 2001
From: rcc at demo.telefonica.com.pe (Richard Cotrina)
Date: Wed, 2 May 2001 18:18:40 -0500
Subject: OpenSSH 2.9 failed to build in OpenBSD 2.7
References: <20010502233501.A20604@folly>
Message-ID: <004301c0d35e$3b68bbc0$4d01190a@tp.com.pe>

Hello :

I just downloaded the new version of OpenSSH (2.9) and tried to compile it in my OpenBSD 2.7 / Sparc box according to the procedure indicated in the README:

# cd /usr/src/usr.bin
# tar xvfz .../openssh-x.y.tgz
# cd ssh
# make obj
# make cleandir
# make depend
# make
# make install
# cp ssh_config sshd_config /etc

This has worked in all the previous releases of OpenSSH but this time it complains about a missing header file and then aborts the building process:

===> sshd
cc -O2 -DHAVE_LOGIN_CAP -DAFS -DKRB4 -I/usr/include/kerberosIV -I/usr/src/usr.bin/ssh/sshd/.. -Wall -DLIBWRAP -DSKEY -c /usr/src/usr.bin/ssh/sshd/../sshd.c
In file included from /usr/src/usr.bin/ssh/sshd/../sshd.c:71:
/usr/src/usr.bin/ssh/sshd/../auth.h:32: login_cap.h: No such file or directory
*** Error code 1

Stop in /usr/src/usr.bin/ssh/sshd.
*** Error code 1

Stop in /usr/src/usr.bin/ssh.

Do I have to do anything else before compiling the OpenSSH 2.9 in my OpenBSD 2.7 box ?

Thanks in advance,

Richard Cotrina

----- Original Message -----
From: Markus Friedl
To: ;
Cc: ; ; ;
Sent: Wednesday, May 02, 2001 4:35 PM
Subject: OpenSSH 2.9

From tom at arcot.com Thu May 3 12:01:24 2001
From: tom at arcot.com (Tom Wu)
Date: Wed, 02 May 2001 19:01:24 -0700
Subject: SRP unencumbered license statement
References:
Message-ID: <3AF0BBF4.DF08D9D6@arcot.com>

Tom Holroyd wrote:
>
> Not to mention that it provides strong authentication of both client *and*
> server, even when the host key has changed or is unknown, and it doesn't
> leak any information to eavesdroppers or MITM. :-)
>
> So, SRP is ready to go.
>
> Speaking of which, an up-to-date tarball and patch are available:
>
> http://members.tripod.com/professor_tom/archives/OpenSSH-2.9p1-srp7.tar.gz
> http://members.tripod.com/professor_tom/archives/OpenSSH-2.9p1-srp7.patch.gz
>
> The patch is vs. the 20010501 CVS, the tarball is self-contained (remember
> to left-click on those links to download the files from Tripod). See the
> README.SRP file for more info and installation instructions.

The patches look really good. Everything built right out of the box on Linux (glibc 2.1) and FreeBSD 4.2. The only hiccup was the strict permissions checking on /etc/tpasswd.conf, but that was easily resolved. Interoperation with EPS stuff looks clean.

> Dr. Tom Holroyd
> "I am, as I said, inspired by the biological phenomena in which
> chemical forces are used in repetitious fashion to produce all
> kinds of weird effects (one of which is the author)."
> -- Richard Feynman, _There's Plenty of Room at the Bottom_

Tom

-- 
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg? Sounds Swedish..."

From djm at mindrot.org Thu May 3 12:10:12 2001
From: djm at mindrot.org (Damien Miller)
Date: Thu, 3 May 2001 12:10:12 +1000 (EST)
Subject: OpenSSH 2.9 failed to build in OpenBSD 2.7
In-Reply-To: <004301c0d35e$3b68bbc0$4d01190a@tp.com.pe>
Message-ID:

On Wed, 2 May 2001, Richard Cotrina wrote:

BTW trim your recipient list - you replied to half the announcement lists on the planet.

> This has worked in all the previous releases of OpenSSH but this time it
> complains about a missing header file and then abort the building process :
>
> ===> sshd
> cc -O2 -DHAVE_LOGIN_CAP -DAFS -DKRB4 -I/usr/include/kerberosIV -I/usr/src/usr.bin/ssh/sshd/.. -Wall -DLIBWRAP -DSKEY -c /usr/src/usr.bin/ssh/sshd/../sshd.c
> In file included from /usr/src/usr.bin/ssh/sshd/../sshd.c:71:
> /usr/src/usr.bin/ssh/sshd/../auth.h:32: login_cap.h: No such file or directory
> *** Error code 1

Edit sshd/Makefile and remove the line 'CFLAGS+=-DHAVE_LOGIN_CAP'

-d

-- 
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From Jeff_Newton at pmc-sierra.com Thu May 3 15:23:26 2001
From: Jeff_Newton at pmc-sierra.com (Jeff Newton)
Date: Wed, 02 May 2001 22:23:26 -0700
Subject: Rhosts Auth Issues with OpenSSH 2.9p1 on Solaris 2.7
Message-ID: <3AF0EB4E.40E0B0A@pmc-sierra.com>

I've installed OpenSSH 2.9p1 on Solaris 2.7 and I am trying to get rhost authentication working. Something appears to be wrong with the client side as I can do rhost auth with a ssh1.2.27 client. Any help would be appreciated.

/opt/openssh-2.9p1/etc/ssh_config is:

ForwardX11 yes
RhostsAuthentication yes

/opt/openssh-2.9p1/etc/sshd_config is:

Port 22
IgnoreRhosts no
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
KeepAlive yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication yes
RhostsRSAAuthentication no
HostbasedAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
Subsystem sftp /opt/openssh-2.9p1/libexec/sftp-server

Permissions:

newton at nighthawk [29] ls -l /opt/ssh/bin
total 23282
-rwxr-xr-x   1 root     other     355856 May  2 21:30 scp
-rwxr-xr-x   1 root     other     749044 May  2 21:30 sftp
lrwxrwxrwx   1 root     other          3 May  2 21:30 slogin -> ssh
-rws--x--x   1 root     other    3936684 May  2 21:30 ssh
-rwxr-xr-x   1 root     other    2004800 May  2 21:30 ssh-add
-rwxr-xr-x   1 root     other    1703916 May  2 21:30 ssh-agent
-rwxr-xr-x   1 root     other    2009980 May  2 21:30 ssh-keygen
-rwxr-xr-x   1 root     other    1073612 May  2 21:30 ssh-keyscan

When I run ssh -v I notice that Rhosts Auth is disabled. Regardless if I change this setting in ssh_config or not. Trying to force Protocol 1 in either ssh_config or sshd_config has no effect. Is this a bug with OpenSSH-2.9p1 or am I doing something else wrong?

Here is some output:

newton at nighthawk [28] /opt/ssh/bin/ssh -v nighthawk
OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /opt/openssh-2.9p1/etc/ssh_config
debug1: Seeded RNG with 42 bytes from programs
debug1: Seeded RNG with 3 bytes from system calls
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1412 geteuid 0 anon 1
debug1: Connecting to nighthawk [134.87.114.11] port 22.
debug1: temporarily_use_uid: 1412/67 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 1412/67 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/cs/newton/.ssh/identity type -1
debug1: Remote protocol version 1.5, remote software version OpenSSH_2.9p1
debug1: match: OpenSSH_2.9p1 pat ^OpenSSH
debug1: Local version string SSH-1.5-OpenSSH_2.9p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'nighthawk' is known and matches the RSA1 host key.
debug1: Found key in /home/cs/newton/.ssh/known_hosts:6
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Doing password authentication.
newton at nighthawk's password:

Now here is output using ssh 1.2.27 client:

newton at nighthawk [30] /opt/ssh1/bin/ssh -v nighthawk
SSH Version 1.2.27 [sparc-sun-solaris2.7], protocol version 1.5.
Standard version. Does not use RSAREF.
nighthawk: Reading configuration data /opt/ssh1/etc/ssh_config
nighthawk: ssh_connect: getuid 1412 geteuid 0 anon 0
nighthawk: Connecting to nighthawk [134.87.114.11] port 22.
nighthawk: Allocated local port 1011.
nighthawk: Connection established.
nighthawk: Remote protocol version 1.5, remote software version OpenSSH_2.9p1
nighthawk: Waiting for server public key.
nighthawk: Received server public key (768 bits) and host key (1024 bits).
nighthawk: Host 'nighthawk' is known and matches the host key.
nighthawk: Initializing random; seed file /home/cs/newton/.ssh/random_seed
nighthawk: IDEA not supported, using 3des instead.
nighthawk: Encryption type: 3des
nighthawk: Sent encrypted session key.
nighthawk: Installing crc compensation attack detector. nighthawk: Received encrypted confirmation. nighthawk: Trying rhosts authentication. nighthawk: Remote: Accepted by .shosts. nighthawk: Requesting pty. nighthawk: Requesting shell. nighthawk: Entering interactive session. Last login: Wed May 2 22:12:29 2001 from nighthawk Sun Microsystems Inc. SunOS 5.7 Generic October 1998 Sun Microsystems Inc. SunOS 5.7 Generic October 1998 You have mail. Cheers, Jeff Newton From vinschen at redhat.com Thu May 3 22:16:08 2001 From: vinschen at redhat.com (Corinna Vinschen) Date: Thu, 3 May 2001 14:16:08 +0200 Subject: [PATCH]: Addition to Cygwin README Message-ID: <20010503141608.E24200@cygbert.vinschen.de> Hi, just a short addition to the Cygwin README. It would be nice to include that into the repository. Thanks, Corinna Index: README =================================================================== RCS file: /cvs/openssh_cvs/contrib/cygwin/README,v retrieving revision 1.4 diff -u -p -r1.4 README --- README 2001/03/14 21:30:18 1.4 +++ README 2001/05/03 12:13:45 @@ -57,6 +57,13 @@ Install sshd as daemon via SRVANY.EXE (r (results in very slow deamon startup!) or from the command line (recommended on 9X/ME). +If you start sshd as deamon via SRVANY.EXE you will see two +sshd processes in the process list unless you give the "-D" +option to sshd. That will avoid that sshd detaches from the +controlling terminal and it will remain under process control +of SRVANY.EXE. That allows easy killing of the service by +using the `net stop ' command. + If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the following line to your inetd.conf file: -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From vinschen at redhat.com Thu May 3 22:28:19 2001 
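Review bot: the added README paragraph writes "deamon" for "daemon" twice and leaves the example command without its argument (`net stop '`), so a reader cannot tell which service name to pass; spell out the name the service is registered under, and tighten "That will avoid that sshd detaches from the controlling terminal and it will remain under process control of SRVANY.EXE" to something like "This keeps sshd from detaching from the controlling terminal, so it stays under SRVANY.EXE's process control".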
From: vinschen at redhat.com (Corinna Vinschen) Date: Thu, 3 May 2001 14:28:19 +0200 Subject: [PATCH]: Workaround a security leak on Windows Message-ID: <20010503142819.F24200@cygbert.vinschen.de> The attached patch should solve the following problem: ssh-agent creates a temporary directory under /tmp with '600' permissions. The actual socket file is created in that dir using the default umask. That's no problem in U*X systems since nobody but the owner of the directory can read the socket file. Unfortunately, Windows has a user privilege called "Bypass traverse checking", granted to everybody by default(!), which allows reading a file even if the user has not the appropriate rights on the parent directory. Sigh. The following patch solves that problem by modifying the umask prior to calling `bind' and resetting it afterwards. Thanks to Egor Duda for that patch. Corinna Index: ssh-agent.c =================================================================== RCS file: /cvs/openssh_cvs/ssh-agent.c,v retrieving revision 1.54 diff -u -p -r1.54 ssh-agent.c --- ssh-agent.c 2001/04/04 01:53:21 1.54 +++ ssh-agent.c 2001/05/03 12:19:50 @@ -714,6 +714,9 @@ main(int ac, char **av) #ifdef HAVE_SETRLIMIT struct rlimit rlim; #endif +#ifdef HAVE_CYGWIN + int prev_mask; +#endif pid_t pid; char *shell, *format, *pidstr, pidstrbuf[1 + 3 * sizeof pid]; extern int optind; 
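Review bot: `prev_mask` is declared `int`, but umask(2) both takes and returns `mode_t`, so declare it `mode_t prev_mask` to match the calls in the next hunk. The `#ifdef HAVE_CYGWIN` guard also makes the fix Windows-only; tightening the umask around bind() is cheap and harmless on every platform, so consider dropping the ifdefs and applying it unconditionally instead of relying on the directory mode alone everywhere else.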
@@ -805,10 +808,19 @@ main(int ac, char **av) memset(&sunaddr, 0, sizeof(sunaddr)); sunaddr.sun_family = AF_UNIX; strlcpy(sunaddr.sun_path, socket_name, sizeof(sunaddr.sun_path)); +#ifdef HAVE_CYGWIN + prev_mask = umask(0177); +#endif if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0) { perror("bind"); +#ifdef HAVE_CYGWIN + umask(prev_mask); +#endif cleanup_exit(1); } +#ifdef HAVE_CYGWIN + umask(prev_mask); +#endif if (listen(sock, 5) < 0) { perror("listen"); cleanup_exit(1); -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From openssh-unix-dev at thewrittenword.com Thu May 3 22:49:56 2001 
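Review bot: the `umask(prev_mask)` inside the bind() failure branch is unnecessary, since `cleanup_exit(1)` terminates the process and the umask goes with it; dropping it leaves a single restore after the `if`. A one-line comment above `prev_mask = umask(0177)` saying that Cygwin honours "Bypass traverse checking", so the socket itself and not just its directory has to be owner-only, would spare the next reader a trip to the list archive. Note also that 0177 can only remove bits from the mode bind() would otherwise apply, so it can never loosen the socket on a system whose default umask is already stricter.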
From: openssh-unix-dev at thewrittenword.com (openssh-unix-dev at thewrittenword.com) Date: Thu, 3 May 2001 07:49:56 -0500 Subject: 2GB File size limit in scp. ver 2.9p1 and 2.5.2 In-Reply-To: ; from djm@mindrot.org on Tue, May 01, 2001 at 02:53:10PM +1000 References: <5A8A4773B3535F4092C69AEFEC139AF50B648C@qsmail1.syd.lto.gov.aus> Message-ID: <20010503074956.C6403@postal.il.thewrittenword.com> On Tue, May 01, 2001 at 02:53:10PM +1000, Damien Miller wrote: > On Tue, 1 May 2001, Peter Bates wrote: > > > Hi, > > I need to be able to use scp with files over 2GB. > > I've currently got a set of boxes running 2.5.2p2, and this is unable, as I > > understand it, to transfer these files. > > > > I've just downloaded the latest snapshot, 20010501, it complies fine on two > > rh7.1 machines, but again, I can't scp a file over 2GB. I get the same "file > > to large" error on the client as before. > > Does adding > > #define _FILE_OFFSET_BITS 64 > > near the start of scp.c help matters? I hope no *hardcoded* solution finds its way into OpenSSH. The above is not necessarily portable. For something portable, use the following test designed by Paul Eggert and scheduled for inclusion in autoconf 2.50. It will automatically add the necessary flags to CFLAGS and LDFLAGS. Once 2.9 is released, we'll send a patch. -- albert chin (china at thewrittenword.com) -- snip snip #serial 19 dnl By default, many hosts won't let programs access large files; dnl one must use special compiler options to get large-file access to work. dnl For more details about this brain damage please see: dnl http://www.sas.com/standards/large.file/x_open.20Mar96.html dnl Written by Paul Eggert . dnl Internal subroutine of AC_SYS_LARGEFILE. dnl AC_SYS_LARGEFILE_TEST_INCLUDES AC_DEFUN(AC_SYS_LARGEFILE_TEST_INCLUDES, [[#include /* Check that off_t can represent 2**63 - 1 correctly. 
We can't simply "#define LARGE_OFF_T 9223372036854775807", since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ # define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; ]]) dnl Internal subroutine of AC_SYS_LARGEFILE. dnl AC_SYS_LARGEFILE_MACRO_VALUE(C-MACRO, VALUE, CACHE-VAR, COMMENT, INCLUDES, FUNCTION-BODY) AC_DEFUN(AC_SYS_LARGEFILE_MACRO_VALUE, [AC_CACHE_CHECK([for $1 value needed for large files], $3, [$3=no AC_TRY_COMPILE([$5], [$6], , [AC_TRY_COMPILE([#define $1 $2] [$5] , [$6], [$3=$2])])]) if test "[$]$3" != no; then AC_DEFINE_UNQUOTED([$1], [$]$3, [$4]) fi]) AC_DEFUN(AC_SYS_LARGEFILE, [AC_REQUIRE([AC_PROG_CC]) AC_ARG_ENABLE(largefile, [ --disable-largefile omit support for large files]) if test "$enable_largefile" != no; then AC_CACHE_CHECK([for special C compiler options needed for large files], ac_cv_sys_largefile_CC, [ac_cv_sys_largefile_CC=no if test "$GCC" != yes; then # IRIX 6.2 and later do not support large files by default, # so use the C compiler's -n32 option if that helps. AC_TRY_COMPILE(AC_SYS_LARGEFILE_TEST_INCLUDES, , , [ac_save_CC="$CC" CC="$CC -n32" AC_TRY_COMPILE(AC_SYS_LARGEFILE_TEST_INCLUDES, , ac_cv_sys_largefile_CC=' -n32') CC="$ac_save_CC"]) fi]) if test "$ac_cv_sys_largefile_CC" != no; then CC="$CC$ac_cv_sys_largefile_CC" fi AC_SYS_LARGEFILE_MACRO_VALUE(_FILE_OFFSET_BITS, 64, ac_cv_sys_file_offset_bits, [Number of bits in a file offset, on hosts where this is settable.], AC_SYS_LARGEFILE_TEST_INCLUDES) AC_SYS_LARGEFILE_MACRO_VALUE(_LARGE_FILES, 1, ac_cv_sys_large_files, [Define for large files, on AIX-style hosts.], AC_SYS_LARGEFILE_TEST_INCLUDES) fi ]) AC_DEFUN(AC_FUNC_FSEEKO, [AC_SYS_LARGEFILE_MACRO_VALUE(_LARGEFILE_SOURCE, 1, ac_cv_sys_largefile_source, [Define to make fseeko visible on some hosts (e.g. 
glibc 2.2).], [#include ], [return !fseeko;]) # We used to try defining _XOPEN_SOURCE=500 too, to work around a bug # in glibc 2.1.3, but that breaks too many other things. # If you want fseeko and ftello with glibc, upgrade to a fixed glibc. AC_CACHE_CHECK([for fseeko], ac_cv_func_fseeko, [ac_cv_func_fseeko=no AC_TRY_LINK([#include ], [return fseeko && fseeko (stdin, 0, 0);], [ac_cv_func_fseeko=yes])]) if test $ac_cv_func_fseeko != no; then AC_DEFINE(HAVE_FSEEKO, 1, [Define if fseeko (and presumably ftello) exists and is declared.]) fi]) From karlm30 at hotmail.com Thu May 3 23:43:45 2001 From: karlm30 at hotmail.com (Karl M) Date: Thu, 03 May 2001 06:43:45 -0700 Subject: Updated partial auth patch against CVS Message-ID: Hi Carson... Do you have a copy of your patch against 2.9p1 that I can start from? Thanks, ...Karl 
>From: Carson Gaspar
>To: Karl M , openssh-unix-dev at mindrot.org
>Subject: Re: Updated partial auth patch against CVS
>Date: Wed, 02 May 2001 11:47:28 -0700
>
>--On Wednesday, May 02, 2001 11:10 AM -0700 Karl M wrote:
>
>>Hi Carson...
>>
>>Please help me understand the issues/constraints here. Regarding
>>
>>Authorder2 publickey,publickey:password
>>
>>what part of the syntax do you see as a problem? Is it that an
>>authentication sequence is a proper subset of a later authentication
>>sequence in the list?
>
>Yes. Although "later" is irrelevant. If publickey succeeds, you're in.
>You'll never be asked for a password. You're suggesting changing that
>behaviour on Cygwin, making it platform-specific. That's bad.
>
>>If I use
>>
>>Authorder2 publickey:method1,publickey:method2
>>
>>and the public key succeeds but method1 fails, assuming no agent will the
>>user see
>>
>>publickey
>>method1
>>method2
>>
>>or will he see
>>
>>publickey
>>method1
>>publickey
>>method2
>>
>>I would hope and vote for the first.
>
>Currently, it should show "method1,method2". This makes the client "do the
>right thing" and let you re-try your flubbed password, without making you
>re-enter your private key passphrase.
>
>>What I would hope to specify is: publickey (when ssh and sshd userids
>>match) and publickey:password (when ssh and sshd userids differ). This
>>gets the password to the sshd so that the userid can be changed in
>>CygWin. Do you have any thoughts on the syntax for this that would be
>>compatible with your syntax?
>
>publickey:cygwinoptpass
>
>and add code to handle the cygwin bizarro world case.
>
>--
>Carson Gaspar - carson at taltos.org
>Queen trapped in a butch body

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com

From Markus.Friedl at informatik.uni-erlangen.de Fri May 4 01:05:07 2001 
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 3 May 2001 17:05:07 +0200
Subject: restricted shell with secure shell (was "list archive?)
In-Reply-To: <3AF03F0D.40DA56C0@toosan.com>; from pnewlon@toosan.com on Wed, May 02, 2001 at 01:08:29PM -0400
References: <200105012306.SAA05164@dcdrjh.fnal.gov> <200105021506.KAA06897@dcdrjh.fnal.gov> <3AF03F0D.40DA56C0@toosan.com>
Message-ID: <20010503170507.B1469@faui02.informatik.uni-erlangen.de>

On Wed, May 02, 2001 at 01:08:29PM -0400, Phil N wrote:
> Actually, the answer to that is "ssh". What I wanted to do was have a
> user be chroot'ed to their home directory when they logged into the
> server using secure shell and then only be able to telnet to another
> device from there.

give them a 'login shell' that only allows execution of telnet.

From ootiy52j at mailops.com Thu May 3 04:36:15 2001
From: ootiy52j at mailops.com (ootiy52j at mailops.com)
Date: Wed, 2 May 2001 18:36:15 +0000
Subject: openssh-2.9p1: OVERVIEW
Message-ID: <200105031728.f43HSmt31601@hobbiton.org>

The file OVERVIEW mentions `sdist' (no longer there) and fails to mention `sftp', `sftp-server'.

Please fix it.

Thanks for all the work you guys have put in OpenSSH.

-O

---------------------------------------------------------------
Updated 19 Oct 1999 for OpenSSH-1.2

The software consists of ssh (client), sshd (server), scp, sdist, and
the auxiliary programs ssh-keygen, ssh-agent, ssh-add, and
make-ssh-known-hosts. The main program for each of these is in a .c
file with the same name.
---------------------------------------------------------------

From dwd at bell-labs.com Fri May 4 03:34:23 2001 
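The "login shell that only allows execution of telnet" Markus suggests to Phil above, as an added example that is neither OpenSSH code nor anything posted in the thread. The point it makes is that sshd starts the login shell two ways: with no arguments for an interactive session, and as `shell -c COMMAND` for a remote command, so a restricted shell has to police the `-c` path as strictly as the interactive one, and has to refuse anything that would turn the host argument into a telnet option. TELNET_PATH, the hostname rules and the scrubbed environment are this example's own assumptions.

```c
/* Added example, not OpenSSH code and not anything Phil or Markus posted:
 * a login shell that can only run telnet. sshd invokes the login shell with
 * no arguments for an interactive session and as "shell -c COMMAND" for a
 * remote command, so both entry points are policed; everything else is
 * refused and the environment is replaced before exec. TELNET_PATH and the
 * hostname rules are this example's own assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define TELNET_PATH "/usr/bin/telnet"   /* assumed location of the binary */
#define MAX_HOST    255

/* A hostname (or dotted IPv4 address) made only of letters, digits, '.' and
 * '-'; a leading '-' is refused so the argument cannot become a telnet
 * option such as "-l root". */
static int valid_host(const char *h)
{
    size_t n = strlen(h);

    if (n == 0 || n > MAX_HOST || h[0] == '-')
        return 0;
    for (; *h; h++)
        if (!isalnum((unsigned char)*h) && *h != '.' && *h != '-')
            return 0;
    return 1;
}

/* Accept exactly "telnet HOST" (any run of blanks between the words, nothing
 * before or after); copy HOST into host and return 1, else return 0. */
static int parse_command(const char *cmd, char *host, size_t hostlen)
{
    const char *p = cmd;
    int nwords = 0;

    host[0] = '\0';
    while (*(p += strspn(p, " \t")) != '\0') {
        size_t n = strcspn(p, " \t");

        if (nwords == 0 && (n != 6 || strncmp(p, "telnet", 6) != 0))
            return 0;
        if (nwords == 1) {
            if (n >= hostlen)
                return 0;
            memcpy(host, p, n);
            host[n] = '\0';
        }
        nwords++;
        p += n;
    }
    if (nwords != 2 || !valid_host(host)) {
        host[0] = '\0';
        return 0;
    }
    return 1;
}

/* Map argv to a decision: 1 = run telnet (empty host means interactive),
 * 0 = refuse. Only "no arguments" or a single "-c COMMAND" is allowed;
 * script paths and extra arguments after -c are refused. */
static int decide(int argc, char **argv, char *host, size_t hostlen)
{
    host[0] = '\0';
    if (argc == 1)
        return 1;
    if (argc == 3 && strcmp(argv[1], "-c") == 0)
        return parse_command(argv[2], host, hostlen);
    return 0;
}

/* Convenience for exercising the policy: would "-c CMD" be allowed? */
static int command_allowed(const char *cmd)
{
    char host[MAX_HOST + 1];
    char *argv[] = { "rtelnetsh", "-c", (char *)cmd, NULL };

    return decide(3, argv, host, sizeof(host));
}

int main(int argc, char **argv)
{
    char host[MAX_HOST + 1];
    /* Fresh environment: nothing inherited (LD_PRELOAD, TERMCAP, a
     * user-supplied PATH) reaches telnet. */
    static char *env[] = { "PATH=/usr/bin:/bin", "TERM=vt100", NULL };

    if (!decide(argc, argv, host, sizeof(host))) {
        fprintf(stderr, "restricted shell: only 'telnet <host>' is permitted\n");
        return 127;
    }
    if (host[0] != '\0')
        execle(TELNET_PATH, "telnet", host, (char *)NULL, env);
    else
        execle(TELNET_PATH, "telnet", (char *)NULL, env);
    perror(TELNET_PATH);
    return 127;
}
```

Install the binary as the user's shell in the passwd entry (and, if the system has one, list it in /etc/shells). Because the environment is replaced rather than filtered, the user's ~/.ssh/environment and the sshrc handling discussed earlier in this thread cannot influence what telnet sees; the chroot Phil asked about is a separate step and is not attempted here.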
From: dwd at bell-labs.com (Dave Dykstra)
Date: Thu, 3 May 2001 12:34:23 -0500
Subject: connecting to non-responding hosts: 1 hr timeout (fwd)
In-Reply-To: <20010502214751.E1071@greenie.muc.de>; from gert@greenie.muc.de on Wed, May 02, 2001 at 09:47:51PM +0200
References: <20010501143535.A6611@lucent.com> <233116375.988749458@athyra> <20010502214751.E1071@greenie.muc.de>
Message-ID: <20010503123423.A19026@lucent.com>

On Wed, May 02, 2001 at 09:47:51PM +0200, Gert Doering wrote:
> Hi,
>
> On Tue, May 01, 2001 at 08:37:38PM -0700, Carson Gaspar wrote:
> [..]
> > >> you just need to do fcntl(fd, F_SETFL, O_NONBLOCK) on the socket before
> > >> the connect(), check for EINPROGRESS from the connect(), and then do a
> > >> select() for writability on the fd with a timeout of however long you
>
> What's wrong with just alarm()ing out of the connect()?
>
> (This will be bad for anything remotely multi-threaded but for the ssh
> client, it should be fine).

The alarm signal does not interrupt connect() on Linux (2.2.18 at least).
It does interrupt connect() with an EINTR error on Solaris though (2.7 at
least). I'm not sure about other systems.

- Dave Dykstra

From markus.friedl at informatik.uni-erlangen.de Fri May 4 04:12:35 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 3 May 2001 20:12:35 +0200
Subject: openssh-2.9p1: OVERVIEW
In-Reply-To: <200105031728.f43HSmt31601@hobbiton.org>; from ootiy52j@mailops.com on Wed, May 02, 2001 at 06:36:15PM +0000
References: <200105031728.f43HSmt31601@hobbiton.org>
Message-ID: <20010503201235.A15@folly>

the file OVERVIEW is obsolete. it just covers OpenSSH-1.2

it's in the distribution because someone might find useful information. perhaps we should note this at the beginning of the file.

-m

On Wed, May 02, 2001 at 06:36:15PM +0000, ootiy52j at mailops.com wrote:
> The file OVERVIEW mentions `sdist' (no longer there) and fails to mention
> `sftp', `sftp-server'.
>
> Please fix it.
>
> Thanks for all the work you guys have put in OpenSSH.
>
> -O
>
> ---------------------------------------------------------------
> Updated 19 Oct 1999 for OpenSSH-1.2
>
> The software consists of ssh (client), sshd (server), scp, sdist, and
> the auxiliary programs ssh-keygen, ssh-agent, ssh-add, and
> make-ssh-known-hosts. The main program for each of these is in a .c
> file with the same name.
> ---------------------------------------------------------------

From markus.friedl at informatik.uni-erlangen.de Fri May 4 04:13:17 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 3 May 2001 20:13:17 +0200
Subject: connecting to non-responding hosts: 1 hr timeout (fwd)
In-Reply-To: <20010503123423.A19026@lucent.com>; from dwd@bell-labs.com on Thu, May 03, 2001 at 12:34:23PM -0500
References: <20010501143535.A6611@lucent.com> <233116375.988749458@athyra> <20010502214751.E1071@greenie.muc.de> <20010503123423.A19026@lucent.com>
Message-ID: <20010503201317.B15@folly>

On Thu, May 03, 2001 at 12:34:23PM -0500, Dave Dykstra wrote:
> The alarm signal does not interrupt connect() on Linux (2.2.18 at least).
> It does interrupt connect() with an EINTR error on Solaris though (2.7 at
> least). I'm not sure about other systems.

yes, i think i'm going to do a non-blocking connect, just like i did in channels.c

-m

From tmigs at yahoo.com Thu May 3 08:16:18 2001
From: tmigs at yahoo.com (Todd Samkin)
Date: Wed, 2 May 2001 15:16:18 -0700 (PDT)
Subject: Possible Bug or Possible Mistake on my part
Message-ID: <20010502221618.27148.qmail@web3306.mail.yahoo.com>

I installed Open SSH 2.9 multiple times and each time the sshd_config file pointed to /etc/ssh_host_key rather than /usr/local/etc/ssh_host_key for HostKey. Please let me know if I am making a mistake.

-Todd

__________________________________________________
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/

From mouring at etoh.eviladmin.org Fri May 4 06:40:21 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 3 May 2001 15:40:21 -0500 (CDT)
Subject: bug, (or stupid user) report: man page garbled under Sol7
In-Reply-To: <20010503200249.93267.qmail@web13804.mail.yahoo.com>
Message-ID: 

On Thu, 3 May 2001, Gus Mancuso wrote:

> Hello OpenSSH developers
>
> First, many thanks for producing this app!
>
> I've noticed that the man pages for openssh don't look
> at all like man pages. My somewhat limited
> troubleshooting skills point towards a problem with
> nroff not expanding the macros embedded in the man
> files.
> When I `man sshd`, I get pure text (No
> bold/underlined, or even recognizable man page
> sections) and "incomplete sentences" (probably a
> result of those same nroff macros not being expanded).
>
> I am using Solaris 7 on Sun Ultra450 and Ultra250
> servers, both of which exhibit the same problem.
> uname -a results for both machines:
>
> SunOS xmnsas03 5.7 Generic_106541-08 sun4u sparc
> SUNW,Ultra-4
>
> I can't find any version info for nroff.. sorry.
>
> attached is the text I receive from `man sshd`
>

Which OpenSSH release? Under the latest 2.9p1 it should autodetect if you can support 'mdoc' format (what most BSD used), and if it can't it will convert them to 'man' (SysV style) or step down to 'doc' (preformatted).

- Ben

[Change cc: to OpenSSH Dev List]

From mouring at etoh.eviladmin.org Fri May 4 08:35:06 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 3 May 2001 17:35:06 -0500 (CDT) Subject: [PATCH]: Addition to Cygwin README In-Reply-To: <20010503141608.E24200@cygbert.vinschen.de> Message-ID: Applied. - Ben On Thu, 3 May 2001, Corinna Vinschen wrote: > Hi, > > just a short addition to the Cygwin README. It would be nice to > include that into the repository. > > Thanks, > Corinna > > Index: README > =================================================================== > RCS file: /cvs/openssh_cvs/contrib/cygwin/README,v > retrieving revision 1.4 > diff -u -p -r1.4 README > --- README 2001/03/14 21:30:18 1.4 > +++ README 2001/05/03 12:13:45 > @@ -57,6 +57,13 @@ Install sshd as daemon via SRVANY.EXE (r > (results in very slow deamon startup!) or from the command line (recommended > on 9X/ME). > > +If you start sshd as deamon via SRVANY.EXE you will see two > +sshd processes in the process list unless you give the "-D" > +option to sshd. That will avoid that sshd detaches from the > +controlling terminal and it will remain under process control > +of SRVANY.EXE. That allows easy killing of the service by > +using the `net stop ' command. > + > If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the > following line to your inetd.conf file: > > > -- > Corinna Vinschen > Cygwin Developer > Red Hat, Inc. > mailto:vinschen at redhat.com > From mouring at etoh.eviladmin.org Fri May 4 08:48:19 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 3 May 2001 17:48:19 -0500 (CDT) Subject: [PATCH]: Workaround a security leak on Windows In-Reply-To: <20010503142819.F24200@cygbert.vinschen.de> Message-ID: Applied, I assume that you wanted Egor Duda to have the credit. - Ben On Thu, 3 May 2001, Corinna Vinschen wrote: > The attached patch should solve the following problem: > > ssh-agent creates a temporary directory under /tmp with '600' > permissions. The actual socket file is created in that dir using > the default umask. That's no problem in U*X systems since nobody > but the owner of the directory can read the socket file. > > Unfortunately, Windows has a user privilege called "Bypass traverse > checking", granted to everybody by default(!), which allows reading > a file even if the user has not the appropriate rights on the parent > directory. Sigh. > > The following patch solves that problem by modifying the umask > prior to calling `bind' and resetting it afterwards. > > Thanks to Egor Duda for that patch. > > Corinna > > Index: ssh-agent.c > =================================================================== > RCS file: /cvs/openssh_cvs/ssh-agent.c,v > retrieving revision 1.54 > diff -u -p -r1.54 ssh-agent.c > --- ssh-agent.c 2001/04/04 01:53:21 1.54 > +++ ssh-agent.c 2001/05/03 12:19:50 > @@ -714,6 +714,9 @@ main(int ac, char **av) > #ifdef HAVE_SETRLIMIT > struct rlimit rlim; > #endif > +#ifdef HAVE_CYGWIN > + int prev_mask; > +#endif > pid_t pid; > char *shell, *format, *pidstr, pidstrbuf[1 + 3 * sizeof pid]; > extern int optind; 
> @@ -805,10 +808,19 @@ main(int ac, char **av) > memset(&sunaddr, 0, sizeof(sunaddr)); > sunaddr.sun_family = AF_UNIX; > strlcpy(sunaddr.sun_path, socket_name, sizeof(sunaddr.sun_path)); > +#ifdef HAVE_CYGWIN > + prev_mask = umask(0177); > +#endif > if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0) { > perror("bind"); > +#ifdef HAVE_CYGWIN > + umask(prev_mask); > +#endif > cleanup_exit(1); > } > +#ifdef HAVE_CYGWIN > + umask(prev_mask); > +#endif > if (listen(sock, 5) < 0) { > perror("listen"); > cleanup_exit(1); > > -- > Corinna Vinschen > Cygwin Developer > Red Hat, Inc. > mailto:vinschen at redhat.com > From mouring at etoh.eviladmin.org Fri May 4 09:36:37 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 3 May 2001 18:36:37 -0500 (CDT) Subject: PATCH: UseLogin fix for 2.9p1 (w/improved last-login time) In-Reply-To: Message-ID: Does anyone have any objections? I've not seen anyone common on this yet. - Ben On Sun, 29 Apr 2001, Wayne Davison wrote: > Attached is the latest version of my UseLogin patch that makes > "UseLogin true" work on Solaris and UNICOS. As usual, I have provided > configure.in changes that set the appropriate defines for Solaris, but > I have not provided the configure.in changes for UNICOS (since they > would be incomplete, and Wendy is working on this). > > This version fixes a problem with the last-login time always being > reported as the current time (I had to add a new record_*() function > since record_login() was changing other things than the {u,w}tmp{x,} > data). This version also changes less existing code, to hopefully > make it easier to maintain against the BSD source. > > The patch is relative to the 2.9p1 source I just grabbed out of CVS. > > ..wayne.. > From djm at mindrot.org Fri May 4 15:59:54 2001 
From: djm at mindrot.org (Damien Miller)
Date: Fri, 4 May 2001 15:59:54 +1000 (EST)
Subject: PATCH: UseLogin fix for 2.9p1 (w/improved last-login time)
In-Reply-To: 
Message-ID: 

On Thu, 3 May 2001 mouring at etoh.eviladmin.org wrote:

> Does anyone have any objections? I've not seen anyone comment on this
> yet.

It looks OK to me - it is much more minimal (good) than previous revs I have seen.

-d

-- 
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From carson at taltos.org Fri May 4 19:03:21 2001
From: carson at taltos.org (Carson Gaspar)
Date: Fri, 04 May 2001 02:03:21 -0700
Subject: Rhosts Auth Issues with OpenSSH 2.9p1 on Solaris 2.7
In-Reply-To: <3AF0EB4E.40E0B0A@pmc-sierra.com>
References: <3AF0EB4E.40E0B0A@pmc-sierra.com>
Message-ID: <425458781.988941801@athyra>

By default, ssh is not installed setuid root. Currently, you need to install it setuid root or it disables rhosts auth.

Of course, rhosts auth is a terrible idea. Are you _sure_ you mean rhosts auth, or do you mean RSARhosts/Hostbasedauth? These currently _also_ require that ssh be setuid root, but have far more security.

-- 
Carson

From carson at taltos.org Fri May 4 19:18:10 2001 
From: carson at taltos.org (Carson Gaspar)
Date: Fri, 04 May 2001 02:18:10 -0700
Subject: RSARhosts / Hostbased auth and euid=0 requirement
Message-ID: <426348406.988942690@athyra>

I'm not happy with ssh being setuid root. I know that the long-term goal is to have a separate host-key-management process, but that is a ways off. Until then, I'd like to propose the following:

- Allow ssh to read alternate key files. This would allow the ssh client to use keyfiles different from the ones sshd uses. I know that this can be done now by changing the ones sshd uses, but I'd rather make ssh the special case.

- Allow said key files to be group readable

Changing authfile.c:key_perm_ok() to allow group readable keys would allow us to make ssh setgid instead of setuid. Yes, this is insecure if someone is stupid enough to export their key files via NFS or some other such silliness, but is safe for sane admins.

If we do both of the above, ssh can be setgid ssh, and optionally use different keys for client and server identification. Host-based auth now works without a root-privileged client. Damage from a security issue in ssh is limited to spoofing a trusted host, instead of total system compromise.

I'm happy to write the code changes, but wanted to run this up the flagpole first to see if there was strong resistance.

-- 
Carson

From gert at greenie.muc.de Fri May 4 18:45:54 2001 
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 4 May 2001 10:45:54 +0200
Subject: connecting to non-responding hosts: 1 hr timeout (fwd)
In-Reply-To: <20010503123423.A19026@lucent.com>; from dwd@bell-labs.com on Thu, May 03, 2001 at 12:34:23PM -0500
References: <20010501143535.A6611@lucent.com> <233116375.988749458@athyra> <20010502214751.E1071@greenie.muc.de> <20010503123423.A19026@lucent.com>
Message-ID: <20010504104554.E4119@greenie.muc.de>

Hi,

On Thu, May 03, 2001 at 12:34:23PM -0500, Dave Dykstra wrote:
> The alarm signal does not interrupt connect() on Linux (2.2.18 at least).
> It does interrupt connect() with an EINTR error on Solaris though (2.7 at
> least). I'm not sure about other systems.

You need to disable system call restarting with siginterrupt(), otherwise it won't work. (This was new in glibc 2).

gert

-- 
Gert Doering
Mobile communications ... right now writing from *@Bologna* ... mobile phone: +49 177 2160221 ... or mail me: gert at greenie.muc.de

From vinschen at redhat.com Fri May 4 19:51:23 2001
From: vinschen at redhat.com (Corinna Vinschen)
Date: Fri, 4 May 2001 11:51:23 +0200
Subject: [PATCH]: Workaround a security leak on Windows
In-Reply-To: ; from mouring@etoh.eviladmin.org on Thu, May 03, 2001 at 05:48:19PM -0500
References: <20010503142819.F24200@cygbert.vinschen.de>
Message-ID: <20010504115123.Z24200@cygbert.vinschen.de>

On Thu, May 03, 2001 at 05:48:19PM -0500, mouring at etoh.eviladmin.org wrote:
> Applied, I assume that you wanted Egor Duda to have the
> credit.

Sure, it's his patch.

Thank you,
Corinna

From jon at rupture.net Sat May 5 02:17:41 2001 
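The non-blocking connect() with a select() timeout that Carson sketched, that Markus says he will adopt, and that sidesteps the alarm()/siginterrupt() question Dave and Gert raise, as an added example that is not OpenSSH's code (the project's own version lives in channels.c, which is not reproduced here). The loopback test peers, the function names and the 2-second timeout are this example's own assumptions.

```c
/* Added example, not OpenSSH code: connect() with a timeout done the way the
 * thread above describes (O_NONBLOCK, EINPROGRESS, select() for writability,
 * then SO_ERROR), so no alarm() and hence no siginterrupt() is needed.
 * The loopback test peers are this example's own scaffolding. */
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

#define CONNECT_TIMED_OUT (-2)

/* Restore the socket's original file-status flags, preserving errno. */
static void restore_flags(int sock, int flags)
{
    int saved = errno;
    (void)fcntl(sock, F_SETFL, flags);
    errno = saved;
}

/* Returns 0 on success, CONNECT_TIMED_OUT (errno = ETIMEDOUT) if timeout_ms
 * passes first, or -1 with errno set; the socket is blocking again on return. */
static int connect_timeout(int sock, const struct sockaddr *addr,
                           socklen_t addrlen, int timeout_ms)
{
    int flags, rc, err = 0;
    socklen_t errlen = sizeof(err);
    fd_set wfds;
    struct timeval tv;

    if ((flags = fcntl(sock, F_GETFL, 0)) < 0 ||
        fcntl(sock, F_SETFL, flags | O_NONBLOCK) < 0)
        return -1;
    rc = connect(sock, addr, addrlen);      /* may complete at once on loopback */
    if (rc < 0 && errno == EINPROGRESS) {
        /* Writable means the attempt has finished, one way or the other;
         * re-arm the set and the timer if a signal interrupts the wait. */
        do {
            FD_ZERO(&wfds);
            FD_SET(sock, &wfds);
            tv.tv_sec = timeout_ms / 1000;
            tv.tv_usec = (timeout_ms % 1000) * 1000;
            rc = select(sock + 1, NULL, &wfds, NULL, &tv);
        } while (rc < 0 && errno == EINTR);
        if (rc == 0) {
            restore_flags(sock, flags);
            errno = ETIMEDOUT;
            return CONNECT_TIMED_OUT;
        }
        /* Writable is not the same as connected: read the pending error. */
        if (rc > 0 && getsockopt(sock, SOL_SOCKET, SO_ERROR, &err, &errlen) == 0) {
            errno = err;
            rc = err ? -1 : 0;
        } else
            rc = -1;                        /* select() or getsockopt() failed */
    }
    restore_flags(sock, flags);
    return rc;
}

/* Test peer on 127.0.0.1 at an ephemeral port. With want_listener it accepts;
 * without listen() the kernel answers with a reset, like a host that is up
 * but not running sshd. Returns the peer's descriptor or -1. */
static int loopback_peer(int want_listener, struct sockaddr_in *out)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    socklen_t len = sizeof(*out);

    memset(out, 0, sizeof(*out));
    out->sin_family = AF_INET;
    out->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (s < 0 || bind(s, (struct sockaddr *)out, sizeof(*out)) < 0 ||
        getsockname(s, (struct sockaddr *)out, &len) < 0 ||
        (want_listener && listen(s, 1) < 0)) {
        if (s >= 0) close(s);
        return -1;
    }
    return s;
}

/* Drive connect_timeout() against a local peer and return its result code. */
static int try_loopback(int want_listener, int timeout_ms)
{
    struct sockaddr_in peer;
    int server = loopback_peer(want_listener, &peer);
    int client = server < 0 ? -1 : socket(AF_INET, SOCK_STREAM, 0);
    int rc = -1;

    if (client >= 0)
        rc = connect_timeout(client, (struct sockaddr *)&peer, sizeof(peer), timeout_ms);
    if (client >= 0) close(client);
    if (server >= 0) close(server);
    return rc;
}

int main(void)
{
    printf("listening peer: %d\n", try_loopback(1, 2000));   /* 0 */
    printf("refused peer:   %d\n", try_loopback(0, 2000));   /* -1 */
    return 0;
}
```

Against a black-holed host the call returns CONNECT_TIMED_OUT after timeout_ms instead of sitting in connect() until the kernel's SYN retries give up, which is the hour-long wait the thread is about. Whether a refused connection fails inside connect() itself or only shows up through SO_ERROR differs between platforms, which is why both outcomes are funnelled into the same return convention.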
From: jon at rupture.net (Jon Nathan)
Date: Fri, 4 May 2001 12:17:41 -0400 (EDT)
Subject: ssh dumps core in nis/nfs environment
Message-ID: 

hello,

this morning, we rebooted our nis master server and sshd died on most of our client servers. our setup is this:

nis master netapp with /usr/local volume shared out. sshd sits in /usr/local/sbin on the netapp
many nis/nfs clients, each nfs mount /usr/local from the netapp and run sshd from there.

we completed a planned reboot of the nis master this morning, and the parent sshd died, leaving a core file in /. they're running 2.5.2p2. i have a couple core files if anyone would like to look at them.

is there anything i can do to prevent this in the future? it would be a pain to install ssh locally on each server.

-jon

-- 
Jon Nathan
jon at rupture.net
http://www.rupture.net/~jon/

From irving at samurai.sfo.dead-dog.com Sat May 5 05:51:07 2001 
From: irving at samurai.sfo.dead-dog.com (Irving Popovetsky)
Date: Fri, 4 May 2001 12:51:07 -0700
Subject: Exit status strangeness
Message-ID: <20010504125107.A19232@samurai.sfo.dead-dog.com>

Hello,

Trying to get Oracle DataGuard running, which basically does a lot of work between two replicating databases via rsh/ssh. It is breaking because it pays very close attention to the exit status of ssh commands. We are using OpenSSH 2.5.2p2 (also tried 2.9p1, same result) on Solaris 7 and 8. This seems to be Solaris specific, because I can't reproduce it on Linux.

I've reduced it down to a simple test case, using the SSH2 protocol with passwordless private keys:

ssh somehost -n "/bin/true" ; echo $?

It seems that the interaction between SSH2 support and the -n flag (redirecting input from /dev/null) causes the exit status to be funny. (Oracle DataGuard actually runs that exact command to determine if SSH is working, and it fails)

Output below:

(ssh2 with -n flag, exit status is -1, although I've also seen 255)

3:33pm.orangecrush: ~> ssh -v qacrmdb -n /bin/true
OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 504 geteuid 504 anon 1
debug1: Connecting to qacrmdb [10.43.0.61] port 22.
debug1: temporarily_use_uid: 504/504 (e=504)
debug1: restore_uid
debug1: temporarily_use_uid: 504/504 (e=504)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/ipopovet/.ssh/identity type 0 debug1: identity file /home/ipopovet/.ssh/id_rsa type -1 debug1: identity file /home/ipopovet/.ssh/id_dsa type 2 debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p1 debug1: match: OpenSSH_2.9p1 pat ^OpenSSH Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_2.9p1 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-cbc hmac-md5 none debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 134/256 debug1: bits set: 1008/2049 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host 'qacrmdb' is known and matches the DSA host key. debug1: Found key in /home/ipopovet/.ssh/known_hosts2:85 debug1: bits set: 1036/2049 debug1: len 55 datafellows 0 debug1: ssh_dss_verify: signature correct debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. debug1: send SSH2_MSG_SERVICE_REQUEST debug1: service_accept: ssh-userauth debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: authentications that can continue: publickey,password,keyboard-interactive debug1: next auth method to try is publickey debug1: try privkey: /home/ipopovet/.ssh/id_rsa debug1: try pubkey: /home/ipopovet/.ssh/id_dsa debug1: input_userauth_pk_ok: pkalg ssh-dss blen 434 lastkey 13a380 hint 2 debug1: read PEM private key done: type DSA debug1: sig size 20 20 debug1: ssh-userauth2 successful: method publickey debug1: fd 5 setting O_NONBLOCK debug1: channel 0: new [client-session] debug1: channel_new: 0 debug1: send channel open 0 debug1: Entering interactive session. debug1: client_init id 0 arg 0 debug1: Requesting X11 forwarding with authentication spoofing. 
debug1: Sending command: /bin/true
debug1: channel 0: open confirm rwindow 0 rmax 16384
debug1: channel 0: read<=0 rfd 5 len 0
debug1: channel 0: read failed
debug1: channel 0: input open -> drain
debug1: channel 0: close_read
debug1: channel 0: input: no drain shortcut
debug1: channel 0: ibuf empty
debug1: channel 0: input drain -> closed
debug1: channel 0: send eof
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: rcvd close
debug1: channel 0: obuf empty
debug1: channel 0: output drain -> closed
debug1: channel 0: close_write
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel_free: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)
debug1: channel_free: channel 0: dettaching channel user
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.2 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status -1

(ssh2, no -n flag, exit status is 0)

3:32pm.orangecrush: ~> ssh -v qacrmdb /bin/true
OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 504 geteuid 504 anon 1
debug1: Connecting to qacrmdb [10.43.0.61] port 22.
debug1: temporarily_use_uid: 504/504 (e=504)
debug1: restore_uid
debug1: temporarily_use_uid: 504/504 (e=504)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/ipopovet/.ssh/identity type 0
debug1: identity file /home/ipopovet/.ssh/id_rsa type -1
debug1: identity file /home/ipopovet/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p1
debug1: match: OpenSSH_2.9p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 127/256
debug1: bits set: 991/2049
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'qacrmdb' is known and matches the DSA host key.
debug1: Found key in /home/ipopovet/.ssh/known_hosts2:85
debug1: bits set: 979/2049
debug1: len 55 datafellows 0
debug1: ssh_dss_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/ipopovet/.ssh/id_rsa
debug1: try pubkey: /home/ipopovet/.ssh/id_dsa
debug1: input_userauth_pk_ok: pkalg ssh-dss blen 434 lastkey 13a380 hint 2
debug1: read PEM private key done: type DSA
debug1: sig size 20 20
debug1: ssh-userauth2 successful: method publickey
debug1: channel 0: new [client-session]
debug1: channel_new: 0
debug1: send channel open 0
debug1: Entering interactive session.
debug1: client_init id 0 arg 0
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Sending command: /bin/true
debug1: channel 0: open confirm rwindow 0 rmax 16384
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: obuf empty
debug1: channel 0: output drain -> closed
debug1: channel 0: close_write
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd close
debug1: channel 0: input open -> closed
debug1: channel 0: close_read
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel_free: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)
debug1: channel_free: channel 0: dettaching channel user
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.3 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 0

(ssh1, with -n flag, exit status is 0)

3:33pm.orangecrush: ~> ssh -1 -v qacrmdb -n /bin/true
OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 504 geteuid 504 anon 1
debug1: Connecting to qacrmdb [10.43.0.61] port 22.
debug1: temporarily_use_uid: 504/504 (e=504)
debug1: restore_uid
debug1: temporarily_use_uid: 504/504 (e=504)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/ipopovet/.ssh/identity type 0
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p1
debug1: match: OpenSSH_2.9p1 pat ^OpenSSH
debug1: Local version string SSH-1.5-OpenSSH_2.9p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'qacrmdb' is known and matches the RSA1 host key.
debug1: Found key in /home/ipopovet/.ssh/known_hosts:120
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying RSA authentication with key 'ipopovet at orangecrush'
debug1: Received RSA challenge from server.
debug1: Sending response to host key RSA challenge.
debug1: Remote: RSA authentication accepted.
debug1: RSA authentication accepted by server.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Sending command: /bin/true
debug1: Entering interactive session.
debug1: Sending eof.
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.2 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 0

From dan at spoontail.com Sat May 5 06:52:20 2001
From: dan at spoontail.com (Daniel David Benson)
Date: Fri, 4 May 2001 13:52:20 -0700 (PDT)
Subject: SSH connection hanging on logout
Message-ID:

I am running OpenSSH 2.9p1 on SunOS 5.7 w/4-24-2001 patch cluster.
Like many other users I am seeing the hanging session on logout
with background processes. This is a huge problem for me as
I centrally manage 50+ machines with rdist across ssh.
Instead of just complaining about the problem I thought I would
put my CS degree to use and try to track down the problem myself.
For starters, though, can someone point me in the right direction?
Also, is there a code roadmap for OpenSSH?

Thanks!

-Dan

From Phil.Pennock at globnix.org Sat May 5 09:40:41 2001
From: Phil.Pennock at globnix.org (Phil Pennock)
Date: Sat, 5 May 2001 01:40:41 +0200
Subject: 2.9: RSAAuthentication problems
Message-ID: <20010505014041.A2658@globnix.org>

I'm using an OpenBSD 2.9 snapshot on i386. "ssh -V" reveals OpenSSH_2.9,
yada yada.

I generated a keypair using ssh-keygen and accepting defaults. I copied the
public key to another box, stuck it in ~/.ssh/authorized_keys with host
restriction and then tried to use it. Failed. Removed the host restriction,
still failed. Just get asked for password.

So I cut out the extra box. As root, on the 2.9 box, I ran

# sshd -ddd -p24 2>&1 | tee ssh-server

and then as myself, under script, I showed the presence of a key in the
agent, and then tried to ssh with "-v -v -v -p 24" to localhost. Still fails
to use the keys.

debug2 shows "userauth_pubkey_agent: no keys at all" whilst "ssh-add -l"
obviously disagrees.

The attempts to access the private keys directly (debug1, "try privkey") are
silent for the key which exists, ~/.ssh/identity -- but if I move that to
id_rsa, then ssh is silent about id_rsa and reports trying the "identity"
file.

Rest of this message is the output from script (details of key from
"ssh-add -l" are censored), followed by the server output. Hrm, given how
the server output was generated, I'm also curious to know why there were
carriage-returns at the end of lines.

Help please? Am I missing something really obvious?

-----------------------------< cut here >-------------------------------
% ssh-add -l
1024 (RSA1)
% ssh -v -v -v -p 24 localhost
OpenSSH_2.9, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug1: Reading configuration data /etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1000 geteuid 0 anon 1
debug1: Connecting to localhost [127.0.0.1] port 24.
debug1: temporarily_use_uid: 1000/500 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 1000/500 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/phil/.ssh/identity type 0
debug1: identity file /home/phil/.ssh/id_rsa type -1
debug1: identity file /home/phil/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9
debug1: match: OpenSSH_2.9 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 134/256
debug1: bits set: 991/2049
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Forcing accepting of host key for loopback/localhost.
debug1: bits set: 997/2049
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,password,keyboard-interactive
debug3: authmethod_lookup publickey
debug3: remaining preferred: password,keyboard-interactive
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug2: userauth_pubkey_agent: no keys at all
debug2: userauth_pubkey_agent: no more keys
debug2: userauth_pubkey_agent: no message sent
debug1: try privkey: /home/phil/.ssh/id_rsa
debug3: no such identity: /home/phil/.ssh/id_rsa
debug1: try privkey: /home/phil/.ssh/id_dsa
debug3: no such identity: /home/phil/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: keyboard-interactive
debug3: authmethod_is_enabled password
debug1: next auth method to try is password
phil at localhost's password:
debug2: packet_inject_ignore: current 49
debug2: packet_inject_ignore: block 16 have 4 nb 4 mini 1 need 4
debug2: we sent a password packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
phil at localhost's password:
debug2: packet_inject_ignore: current 49
debug2: packet_inject_ignore: block 16 have 4 nb 4 mini 1 need 4
debug2: we sent a password packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
phil at localhost's password:
debug2: packet_inject_ignore: current 49
debug2: packet_inject_ignore: block 16 have 4 nb 4 mini 1 need 4
debug2: we sent a password packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred:
debug3: authmethod_is_enabled keyboard-interactive
debug1: next auth method to try is keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: no more auth methods to try
Permission denied (publickey,password,keyboard-interactive).
debug1: Calling cleanup 0x21218(0x0)
-----------------------------< cut here >-------------------------------
debug1: sshd version OpenSSH_2.9
debug1: private host key: #0 type 0 RSA1
debug3: No RSA1 key file /etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: No RSA1 key file /etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 24 on ::.
Server listening on :: port 24.
debug1: Bind to port 24 on 0.0.0.0.
Server listening on 0.0.0.0 port 24.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 43936
debug1: Client protocol version 2.0; client software version OpenSSH_2.9
debug1: match: OpenSSH_2.9 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_2.9
debug1: Rhosts Authentication disabled, originating port not trusted.
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 118/256
debug1: bits set: 997/2049
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 991/2049
debug2: ssh_rsa_sign: done
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user phil service ssh-connection method none
debug1: attempt 0 failures 0
debug2: input_userauth_request: setting up authctxt for phil
debug2: input_userauth_request: try method none
Failed none for phil from 127.0.0.1 port 43936 ssh2
debug1: userauth-request for user phil service ssh-connection method password
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method password
Failed password for phil from 127.0.0.1 port 43936 ssh2
debug1: userauth-request for user phil service ssh-connection method password
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method password
Failed password for phil from 127.0.0.1 port 43936 ssh2
debug1: userauth-request for user phil service ssh-connection method password
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method password
Failed password for phil from 127.0.0.1 port 43936 ssh2
debug1: userauth-request for user phil service ssh-connection method keyboard-interactive
debug1: attempt 4 failures 4
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive language devs
Failed keyboard-interactive for phil from 127.0.0.1 port 43936 ssh2
debug1: userauth-request for user phil service ssh-connection method keyboard-interactive
debug1: attempt 5 failures 5
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive language devs
Failed keyboard-interactive for phil from 127.0.0.1 port 43936 ssh2
debug1: userauth-request for user phil service ssh-connection method keyboard-interactive
debug1: attempt 6 failures 6
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive language devs
Failed keyboard-interactive for phil from 127.0.0.1 port 43936 ssh2
Connection closed by 127.0.0.1
debug1: Calling cleanup 0x250d8(0x0)

From Markus.Friedl at informatik.uni-erlangen.de Sat May 5 09:51:52 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sat, 5 May 2001 01:51:52 +0200
Subject: 2.9: RSAAuthentication problems
In-Reply-To: <20010505014041.A2658@globnix.org>; from Phil.Pennock@globnix.org on Sat, May 05, 2001 at 01:40:41AM +0200
References: <20010505014041.A2658@globnix.org>
Message-ID: <20010505015152.B14054@faui02.informatik.uni-erlangen.de>

On Sat, May 05, 2001 at 01:40:41AM +0200, Phil Pennock wrote:
> I'm using an OpenBSD 2.9 snapshot on i386. "ssh -V" reveals
> OpenSSH_2.9, yada yada.
>
> I generated a keypair using ssh-keygen and accepting defaults. I copied
> the public key to another box, stuck it in ~/.ssh/authorized_keys with
> host restriction and then tried to use it. Failed. Removed the host
> restriction, still failed. Just get asked for password.

this is a SSH1 key, however, you are connecting with protocol v2.

use
	ssh-keygen -t rsa -f RSA
and
	cat RSA.pub > ~/.ssh/authorized_keys2
	ssh-add RSA
	ssh localhost

this should work.

From Phil.Pennock at globnix.org Sat May 5 09:58:54 2001
From: Phil.Pennock at globnix.org (Phil Pennock)
Date: Sat, 5 May 2001 01:58:54 +0200
Subject: 2.9: RSAAuthentication problems
In-Reply-To: <20010505015152.B14054@faui02.informatik.uni-erlangen.de>; from Markus.Friedl@informatik.uni-erlangen.de on Sat, May 05, 2001 at 01:51:52AM +0200
References: <20010505014041.A2658@globnix.org> <20010505015152.B14054@faui02.informatik.uni-erlangen.de>
Message-ID: <20010505015854.A31975@globnix.org>

On 2001-05-05 at 01:51 +0200, Markus Friedl gifted us with:
> this is a SSH1 key, however, you are connecting with protocol v2.

*sigh*  Thanks.  Still have ssh1 at work.  Not used to this.  I'll go die
of shame now.

[...]
> this should work.

Yes.

-- 
If Windows is the solution, could we please have the problem back?

From djm at mindrot.org Sat May 5 15:53:56 2001
From: djm at mindrot.org (Damien Miller)
Date: Sat, 5 May 2001 15:53:56 +1000 (EST)
Subject: SSH connection hanging on logout
In-Reply-To:
Message-ID:

On Fri, 4 May 2001, Daniel David Benson wrote:

> I am running OpenSSH 2.9p1 on SunOS 5.7 w/4-24-2001 patch cluster.
> Like many other users I am seeing the hanging session on logout
> with background processes. This is a huge problem for me as
> I centrally manage 50+ machines with rdist across ssh.
> Instead of just complaining about the problem I thought I would
> put my CS degree to use and try to track down the problem myself.
> For starters, though, can someone point me in the right direction?

This is the best description of the problem, pinched from Redhat:

About the hang-on-exit bug: this is the TODO item which shows up when you
run "ssh server 'sleep 20 & exit'".

* The shell starts up, and starts its own session. As a side-effect, it
  gets its own process group.
* The child forks off sleep, and because it's in the background, puts it
  into its own process group. The sleep command inherits a copy of the
  shell's descriptor for the tty as its stdout.
* The shell exits, but doesn't SIGHUP all of its child PIDs like it
  probably should.
* The sshd server attempts to read from the master side of the pty, and
  while there are still processes with the pty open, no EOF is produced.
* The sleep command exits, closes its descriptor, sshd detects the EOF, and
  the connection gets closed.

Attempts at fixing this in sshd, and why they don't work:

* SIGHUP the sshd's process group.
  - The shell is in its own process group.
* Track process group IDs of all children before we reap them (via an
  extra field in Session structures which holds the pgid for each child
  pid), and SIGHUP the pgid when we reap.
  - Background commands are in yet another process group.
* Close the connection when the child dies.
  - Background commands may need to write data to the connection.
  - Also prematurely truncates output from some commands (scp server, the
    famous "dd if=/dev/zero bs=1000 count=100" case).

Known-good workarounds:
* bash: shopt huponexit on
* tcsh: none
* zsh: ?
* pdksh: ?

This appears to affect rsh as well: it behaves the same with
'sleep 20 & exit'.

-- 
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From jason at shalott.net Sat May 5 21:54:00 2001
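The mechanism described above, reproduced as an added example (not code from the thread or from OpenSSH): a pipe stands in for the pty that sshd reads, a child plays the shell that starts a background job and exits, and the parent plays sshd and measures how long it waits for EOF. While the job keeps its inherited descriptor the wait lasts until the job exits; when the job first detaches (new session, descriptors pointed at /dev/null) EOF arrives at once. The pipe stand-in and all function names are assumptions made for the demo.

```c
/* Added example: the pty is modelled by a pipe (an assumption; the EOF
 * rule is the same, no EOF while any process still holds the write side). */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The background job.  detach=0 is a plain "sleep 1 &": it keeps the
 * inherited descriptor, so "sshd" cannot see EOF until the job exits.
 * detach=1 does what a daemonizer does: new session, std descriptors
 * pointed at /dev/null, so the pty/pipe is released immediately. */
static void background_job(int detach)
{
    if (detach) {
        setsid();                       /* leave the shell's session and process group */
        int devnull = open("/dev/null", O_RDWR);
        if (devnull >= 0) {
            dup2(devnull, STDIN_FILENO);    /* dup2 closes the inherited channel fds */
            dup2(devnull, STDOUT_FILENO);
            dup2(devnull, STDERR_FILENO);
            if (devnull > STDERR_FILENO) close(devnull);
        } else {
            close(STDIN_FILENO); close(STDOUT_FILENO); close(STDERR_FILENO);
        }
    }
    sleep(1);                           /* stand-in for "sleep 20" */
    _exit(0);
}

static long elapsed_ms(const struct timeval *a, const struct timeval *b)
{
    return (b->tv_sec - a->tv_sec) * 1000L + (b->tv_usec - a->tv_usec) / 1000L;
}

/* Milliseconds the "sshd" side waits for EOF on the channel after the
 * shell runs "sleep 1 & exit"; -1 on error. */
long ms_until_eof(int detach)
{
    int fds[2];
    if (pipe(fds) < 0) return -1;

    pid_t shell = fork();
    if (shell < 0) return -1;
    if (shell == 0) {
        /* "shell": its stdout is the channel (the pty slave in the real case) */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        if (fds[1] != STDOUT_FILENO) close(fds[1]);
        if (fork() == 0) background_job(detach);   /* "sleep 1 &" */
        _exit(0);                                  /* "exit": shell leaves, job lives on */
    }
    close(fds[1]);                      /* sshd keeps only the master/read side */

    struct timeval t0, t1;
    gettimeofday(&t0, NULL);
    char buf[64];
    ssize_t n;
    while ((n = read(fds[0], buf, sizeof buf)) > 0)
        ;                               /* drain anything the job writes */
    gettimeofday(&t1, NULL);
    close(fds[0]);
    waitpid(shell, NULL, 0);
    return n < 0 ? -1 : elapsed_ms(&t0, &t1);
}

int main(void)
{
    printf("job keeps the channel open: EOF after %ld ms\n", ms_until_eof(0));
    printf("job detaches first:         EOF after %ld ms\n", ms_until_eof(1));
    return 0;
}
```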
From: jason at shalott.net (Jason Stone)
Date: Sat, 5 May 2001 04:54:00 -0700 (PDT)
Subject: SSH connection hanging on logout
In-Reply-To:
Message-ID:

> About the hang-on-exit bug: this is the TODO item which shows up when you
> run "ssh server 'sleep 20 & exit'".
>
> * The shell starts up, and starts its own session. As a side-effect, it
>   gets its own process group.
> * The sshd server attempts to read from the master side of the pty, and
>   while there are still processes with the pty open, no EOF is produced.
> * The sleep command exits, closes its descriptor, sshd detects the EOF, and
>   the connection gets closed.

Or, put another way, this is a feature, not a bug - sshd has no way of
knowing that "sleep 20" isn't going to eventually produce some output that
you'll want to see, so it stays alive until the background command exits.

The real "bug" is users trying to use the shell's '&' builtin to run daemon
processes. If you want a command to really be backgrounded (ie, to
daemonize), use something other than '&', something that will make the
command close the pty and either start its own process group or else become
a child of init. Eg:

perl -e 'fork && exit; close STDIN; close STDOUT; close STDERR;
         setpgrp(0,$$); exec "sleep 20";'

(Watch out for the quoting if you try this on the commandline....)

> Known-good workarounds:
> * bash: shopt huponexit on
> * tcsh: none
* zsh: setopt HUP (this is usually the default)

If you use zsh, you might also try something like this in your .zshrc:

daemonize() {
    # the command and its arguments reach perl through @ARGV, so nothing
    # has to be spliced into the single-quoted one-liner and re-quoted
    perl -e 'fork && exit; close STDIN; close STDOUT; close STDERR;
             setpgrp(0,$$); exec @ARGV;' -- "$@"
}

You would then run "daemonize sleep 20" and the sleep 20 would be run in the
background and not hang the sshd when you exit. This will almost certainly
work in other bourne-compatible shells as well.
-Jason

From karlm30 at hotmail.com Sun May 6 07:17:22 2001
From: karlm30 at hotmail.com (Karl M)
Date: Sat, 05 May 2001 14:17:22 -0700
Subject: Updated partial auth patch against CVS
Message-ID:

Hi Carson...

Here is what I have so far. This is a patch based on 2.5.2p2 with your
patch. So this is a patch on top of your patch.

This patch allows AuthOrder2 publickey:uidmatch,publickey:password for the
CygWin environment. It also highlights a couple of minor things I found in
your patch.

When you have a 2.9p1 patch I will update this.

Thanks,

...Karl

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: diffFromCarson252p2patch.txt
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010505/6931fa76/attachment.txt

From abartlet at pcug.org.au Sun May 6 22:29:38 2001
From: abartlet at pcug.org.au (Andrew Bartlett)
Date: Sun, 06 May 2001 22:29:38 +1000
Subject: Why no PAM session for subsystems/direct commands?
Message-ID: <3AF543B2.2BDAB51F@bartlett.house>

It looks like pam session support for non_tty based logins got dropped in
what looks like a code cleanup in session.c between 2.5p? and 2.9.p1.

Is there any reason not to apply this (entirely untested) patch?

Andrew Bartlett

-- 
Andrew Bartlett
abartlet at pcug.org.au

-------------- next part --------------
--- openssh-2.9p1/session.c.old	Sun May  6 22:26:54 2001
+++ openssh-2.9p1/session.c	Sun May  6 22:27:53 2001
@@ -496,6 +496,7 @@ session_proctitle(s); #if defined(USE_PAM) + do_pam_session(s->pw->pw_name, NULL); do_pam_setcred(1); #endif /* USE_PAM */

From karlm30 at hotmail.com Mon May 7 07:57:48 2001
From: karlm30 at hotmail.com (Karl M)
Date: Sun, 06 May 2001 14:57:48 -0700
Subject: Updated partial auth patch against CVS
Message-ID:

Hi Carson and Corinna...

Carson-->It seems to me that at the end of input_userauth_request it doesn't
matter what uid we are set to (is this true?), so I think that I can remove
the tempuid variable and the extra getuid/setuid operations. What do you
think?

Corinna-->The only call to check_nt_auth I left in auth2.c is in
userauth_passwd. With a password, check_nt_auth always succeeds, so it
doesn't need to be there. What do you think?

Thanks,

...Karl

From tomh at po.crl.go.jp Mon May 7 12:31:15 2001
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Mon, 7 May 2001 11:31:15 +0900 (JST)
Subject: SRP unencumbered license statement
In-Reply-To: <3AF0BBF4.DF08D9D6@arcot.com>
Message-ID:

On Wed, 2 May 2001, Tom Wu wrote:

> The patches look really good. Everything built right out of the box on
> Linux (glibc 2.1) and FreeBSD 4.2. The only hiccup was the strict
> permissions checking on /etc/tpasswd.conf, but that was easily
> resolved. Interoperation with EPS stuff looks clean.

Yes, currently the patch uses strict mode checking; after the patch is
integrated it could be changed to use the StrictModes mechanism that's
already in OpenSSH. What was your specific problem? .conf file not owned by
root? That could be relaxed by the above mechanism, I think. The permission
checking on the verifier files should remain strict, though, unless there is
some issue on non-unix OSes that I'm not aware of.

Has anybody else tried out the SRP patch?

From tom at arcot.com Mon May 7 16:14:31 2001
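Review bot: Andrew Bartlett's session.c hunk (@@ -496,6 +496,7 @@) opens a PAM session for the command/subsystem path with do_pam_session(s->pw->pw_name, NULL), but nothing in the visible context closes it; check that the exit path for non-tty sessions calls the matching PAM session close, otherwise session modules see an open that is never balanced. The NULL tty argument is right for a session without a pty, but since the author describes the patch as untested, running a forced command or sftp subsystem with a session module enabled before merging would confirm both halves.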
From: tom at arcot.com (Tom Wu)
Date: Sun, 06 May 2001 23:14:31 -0700
Subject: SRP patches (was: Re: SRP unencumbered license statement)
References:
Message-ID: <3AF63D47.89F16791@arcot.com>

Tom Holroyd wrote:
>
> On Wed, 2 May 2001, Tom Wu wrote:
>
> > The patches look really good. Everything built right out of the box on
> > Linux (glibc 2.1) and FreeBSD 4.2. The only hiccup was the strict
> > permissions checking on /etc/tpasswd.conf, but that was easily
> > resolved. Interoperation with EPS stuff looks clean.
>
> Yes, currently the patch uses strict mode checking; after the patch is
> integrated it could be changed to use the StrictModes mechanism that's
> already in OpenSSH. What was your specific problem? .conf file not owned
> by root? That could be relaxed by the above mechanism, I think. The
> permission checking on the verifier files should remain strict, though,
> unless there is some issue on non-unix OSes that I'm not aware of.

My .conf file was group-writable. Since there's no good reason for it to be
such, I changed its permissions. That seemed to satisfy OpenSSH.

Tom
-- 
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124

From Randolf-ML at Skerka.de Mon May 7 16:32:54 2001
From: Randolf-ML at Skerka.de (Randolf Skerka)
Date: Mon, 7 May 2001 08:32:54 +0200
Subject: SSH and forced wtmp entries ...
Message-ID: <20010507083254.A9307@rhs-notebook>

Hi all!

wtmp entries are generated when logging into a system without a command,
e.g. "ssh -l user system". When using an additional command executed by
ssh on the "other side", no wtmp entry will be generated. So the command
"ssh -l user system /bin/csh" will not generate a wtmp entry but the
user is logged in ... I have the problem right now. The users are starting
"xterm" by ssh commandlines and I can't see a wtmp login ... not very nice.
Is somebody working on a patch/feature? E.g. an option in sshd_config
(forced_wtmp) would be nice.

Greets

Randolf

From dean.domikulic at pbz.hr Mon May 7 19:23:17 2001
From: dean.domikulic at pbz.hr (Dean Luka Domikulić)
Date: Mon, 7 May 2001 11:23:17 +0200
Subject: nis+ and openssh on aix 4.3.3
Message-ID:

Is it possible to use nis+ for users authentication in openssh on aix 4.3.3.

Tnx

From wayne at blorf.net Mon May 7 21:34:06 2001
From: wayne at blorf.net (Wayne Davison)
Date: Mon, 7 May 2001 04:34:06 -0700 (PDT)
Subject: Remake configure/config.h.in/etc.
Message-ID:

Since multiple people have applied my UseLogin patch and failed to get it
to work because configure/config.h.in were not automatically rebuilt, I
decided it was time to add some rules to the Makefiles to update these
things. The appended patch will cause a "make" to rebuild configure,
config.h.in, config.h, and both Makefiles if the appropriate source file(s)
change. It will also run "./config.status --recheck" if configure is
rebuilt.

..wayne..

-------------- next part --------------
Index: Makefile.in
@@ -85,7 +85,7 @@ $(CC) $(CFLAGS) $(CPPFLAGS) -c $< LIBCOMPAT=openbsd-compat/libopenbsd-compat.a -$(LIBCOMPAT): config.h +$(LIBCOMPAT): config.h openbsd-compat/Makefile (cd openbsd-compat; $(MAKE)) libssh.a: $(LIBSSH_OBJS)
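Review bot: in the @@ -85 hunk of Makefile.in, $(LIBCOMPAT) gains openbsd-compat/Makefile as a prerequisite, but its recipe (cd openbsd-compat; $(MAKE)) recurses unconditionally, so the new dependency does not change when the library is rebuilt; its only effect is to make the openbsd-compat/Makefile regeneration rule (added later in the same patch) run before the recursion, and if that rule is not present make stops with no rule to make target. A one-line comment saying the prerequisite exists for ordering would spare the next reader the puzzle.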
@@ -139,6 +139,30 @@ conffile=`echo $@ | sed 's/.out$$//'`; \ $(FIXPATHSCMD) $(srcdir)/$${conffile} > $@ +$(srcdir)/configure: $(srcdir)/configure.in $(srcdir)/aclocal.m4 + cd $(srcdir) && autoconf + +config.status: $(srcdir)/configure + ./config.status --recheck + +$(srcdir)/config.h.in: $(srcdir)/config.h.in-touch +$(srcdir)/config.h.in-touch: $(srcdir)/configure $(srcdir)/acconfig.h + cd $(srcdir) && autoheader + @echo >$(srcdir)/config.h.in-touch + +config.h: config.h-touch +config.h-touch: $(srcdir)/config.h.in config.status + CONFIG_FILES= CONFIG_HEADERS=config.h ./config.status + @echo >config.h-touch + +Makefile: Makefile.in config.status + CONFIG_FILES=Makefile CONFIG_HEADERS= ./config.status + @echo "The Makefile has changed -- please restart the make." + @false + +openbsd-compat/Makefile: openbsd-compat/Makefile.in config.status + CONFIG_FILES=openbsd-compat/Makefile CONFIG_HEADERS= ./config.status + clean: (cd openbsd-compat; $(MAKE) clean) rm -f *.o *.a $(TARGETS) logintest config.cache config.log @@ -146,12 +170,12 @@ distclean: clean (cd openbsd-compat; $(MAKE) distclean) - rm -f Makefile config.h config.status ssh_prng_cmds *~ + rm -f Makefile config.h config.h-touch config.status ssh_prng_cmds *~ mrproper: distclean veryclean: distclean - rm -f configure config.h.in *.0 + rm -f configure config.h.in config.h.in-touch *.0 catman-do: @for f in $(MANPAGES_IN) ; do \ Index: configure.in @@ -1881,7 +1881,8 @@ AC_EXEEXT -AC_OUTPUT(Makefile openbsd-compat/Makefile ssh_prng_cmds) +AC_OUTPUT(Makefile openbsd-compat/Makefile ssh_prng_cmds, \ +[test -z "$CONFIG_HEADERS" || echo >config.h-touch]) # Print summary of options Index: openbsd-compat/Makefile.in @@ -28,7 +28,7 @@ $(COMPAT): ../config.h $(OPENBSD): ../config.h -libopenbsd-compat.a: $(COMPAT) $(OPENBSD) +libopenbsd-compat.a: $(COMPAT) $(OPENBSD) Makefile $(AR) rv $@ $(COMPAT) $(OPENBSD) $(RANLIB) $@ From abartlet at pcug.org.au Mon May 7 22:24:41 2001 
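Review bot: in the @@ -139 hunk the new `Makefile: Makefile.in config.status` and `openbsd-compat/Makefile: openbsd-compat/Makefile.in config.status` rules name their sources without the `$(srcdir)/` prefix that the neighbouring `$(srcdir)/configure: $(srcdir)/configure.in $(srcdir)/aclocal.m4` and `$(srcdir)/config.h.in` rules use, so they only resolve in an out-of-tree build if VPATH happens to cover them; write them as `Makefile: $(srcdir)/Makefile.in config.status` for consistency. The same hunk hard-codes the `autoconf` and `autoheader` commands, so on a host without the autotools (the concern raised in the reply to this patch) a `configure.in` that ends up newer than `configure` after applying a patch or unpacking a tarball turns into a failed build; consider `AUTOCONF = autoconf` / `AUTOHEADER = autoheader` variables the builder can override (`make AUTOCONF=true`) and a sentence in INSTALL saying when these rules fire.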
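Review bot: in the @@ -146 hunk `veryclean` runs `rm -f configure config.h.in config.h.in-touch *.0` relative to the build directory, but the rule added above creates the stamp as `$(srcdir)/config.h.in-touch` (and `configure` and `config.h.in` live in `$(srcdir)` too), so a separate build directory leaves the stamp behind and the next `make` will not regenerate `config.h.in`; prefix all three with `$(srcdir)/`. Both stamp files (`config.h-touch`, `config.h.in-touch`) should also go into the repository's ignore list so they are not committed by accident.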
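Review bot: the configure.in hunk changes `AC_OUTPUT(...)` to `AC_OUTPUT(Makefile openbsd-compat/Makefile ssh_prng_cmds, \` followed by `[test -z "$CONFIG_HEADERS" || echo >config.h-touch])`; the backslash sits inside the macro argument, so it is copied verbatim into the generated config.status where it only survives as a shell line continuation. m4 already allows the newline, so drop the `\`. More importantly, the stamp-file protocol is split across two files (this command writes the stamp whenever config.status is run with headers enabled, the Makefile's `config.h-touch` rule consumes it), and nothing explains the link; a `dnl` comment here saying why `config.h-touch` is written and that Makefile.in depends on it would save the next maintainer a puzzle.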
From: abartlet at pcug.org.au (Andrew Bartlett) Date: Mon, 07 May 2001 22:24:41 +1000 Subject: SSH and forced wtmp entries ... References: <20010507083254.A9307@rhs-notebook> Message-ID: <3AF69409.870FCA03@bartlett.house> Randolf Skerka wrote: > > Hi all! > > wtmp entries are generated when logging into a system without a command, > e.g. "ssh -l user system". When using an additional command executed by > ssh on the "other side", no wtmp entry will be generated. So the command > "ssh -l user system /bin/csh" will not generate a wtmp entry but the > user is logged in ... I have the problem right now. The users are starting > "xterm" by ssh commandlines and I can't see a wtmp login ... not very nice. > Is somebody working on a patch/feature? E.g. an option in sshd_config > (forced_wtmp) would be nice. > > Greets > > Randolf I'll second that request. Unfortunately it's not quite as simple as it could be, as there is no 'device' to register in the utmp/wtmp databases. You could, however, either use a simple lock-dir to grab 'devices', a simple database (this is what samba does http://pserver.samba.org/cgi-bin/cvsweb/samba/source/smbd/session.c?only_with_tag=SAMBA_2_2 ) or just something based on the daemon's pid. The standard used in samba's case is 'what does ftpd do' as to what to put in the various databases. Andrew Bartlett abartlet at pcug.org.au -- Andrew Bartlett abartlet at pcug.org.au From J.S.Peatfield at damtp.cam.ac.uk Mon May 7 22:26:59 2001 
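Andrew's point above is that a command-only session has no tty line to register, so an accounting record needs a synthetic "device". The following is an added example, not code from this thread or from OpenSSH or Samba: it builds utmpx login and logout records for a tty-less session using a line name derived from the session pid (the `sshNNNN` naming is an assumption modelled on the `ftpNNNN` convention he alludes to), appends them to a wtmp-format file, and reads them back the way an auditor would. It assumes a Linux/glibc `<utmpx.h>` layout where wtmp is a flat file of `struct utmpx` records; the file path, pid, user and peer address are constructed sample values, and the real `/var/log/wtmp` is deliberately not written.

```c
/* Added example: utmpx accounting for an ssh session that allocated no tty.
 * Not part of the thread or of OpenSSH; assumes Linux/glibc <utmpx.h>. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/time.h>
#include <utmpx.h>

/* Build one accounting record. With no pty, the "device" in ut_line is
 * synthesised from the session pid (sshNNNN, an assumed convention in the
 * style of ftpd's ftpNNNN); ut_id gets the low digits so it fits the
 * 4-byte field. type is USER_PROCESS (login) or DEAD_PROCESS (logout).
 * The user name is kept on the logout record too, so an audit can match
 * both records without consulting the login one. */
struct utmpx make_session_record(short type, pid_t pid,
                                 const char *user, const char *host)
{
    struct utmpx ut;
    struct timeval now;

    memset(&ut, 0, sizeof ut);
    ut.ut_type = type;
    ut.ut_pid = pid;
    snprintf(ut.ut_line, sizeof ut.ut_line, "ssh%ld", (long)pid);
    snprintf(ut.ut_id, sizeof ut.ut_id, "%ld", (long)pid % 1000);
    /* utmp string fields need not be NUL-terminated when full: strncpy
     * fills the field with an over-long name instead of overflowing it. */
    strncpy(ut.ut_user, user, sizeof ut.ut_user);
    strncpy(ut.ut_host, host, sizeof ut.ut_host);
    gettimeofday(&now, NULL);
    ut.ut_tv.tv_sec = now.tv_sec;
    ut.ut_tv.tv_usec = now.tv_usec;
    return ut;
}

/* Append one record to a wtmp-format file. Returns 0 on success, -1 on error. */
int append_wtmp_record(const char *path, const struct utmpx *ut)
{
    FILE *fp = fopen(path, "ab");
    int ok;

    if (fp == NULL)
        return -1;
    ok = fwrite(ut, sizeof *ut, 1, fp) == 1;
    if (fclose(fp) != 0)
        ok = 0;
    return ok ? 0 : -1;
}

/* Count records whose ut_line and ut_type match: the question an auditor
 * asks ("did line sshNNNN log in / log out?"). Returns -1 if the file
 * cannot be opened, so a missing wtmp is not mistaken for "no sessions". */
int count_records_for_line(const char *path, const char *line, short type)
{
    FILE *fp = fopen(path, "rb");
    struct utmpx rec;
    int n = 0;

    if (fp == NULL)
        return -1;
    while (fread(&rec, sizeof rec, 1, fp) == 1) {
        if (rec.ut_type == type &&
            strncmp(rec.ut_line, line, sizeof rec.ut_line) == 0)
            n++;
    }
    fclose(fp);
    return n;
}

int main(void)
{
    /* Constructed sample session: pid, user and peer address are made up,
     * and the file is a scratch file in the current directory. */
    const char *wtmp = "wtmp.example";
    struct utmpx in  = make_session_record(USER_PROCESS, 4242, "alice", "198.51.100.7");
    struct utmpx out = make_session_record(DEAD_PROCESS, 4242, "alice", "198.51.100.7");

    if (append_wtmp_record(wtmp, &in) != 0 || append_wtmp_record(wtmp, &out) != 0) {
        perror("append_wtmp_record");
        return 1;
    }
    printf("line %s: %d login, %d logout record(s)\n", in.ut_line,
           count_records_for_line(wtmp, in.ut_line, USER_PROCESS),
           count_records_for_line(wtmp, in.ut_line, DEAD_PROCESS));
    remove(wtmp);
    return 0;
}
```

A daemon that does this for real would write the login record when the session starts and the logout record from the parent after the child exits, under the same synthetic line name; anything that reads wtmp by line (such as last) then pairs the two the same way it pairs records for a real tty.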
From: J.S.Peatfield at damtp.cam.ac.uk (J.S.Peatfield at damtp.cam.ac.uk) Date: Mon, 7 May 2001 13:26:59 +0100 (BST) Subject: OSF1 and USE_SIA Message-ID: <200105071226.NAA18599@decant.amtp.cam.ac.uk@damtp.cam.ac.uk> Is the following (from configure.in) intended: *-dec-osf*) if test ! -z "USE_SIA" ; then AC_MSG_CHECKING(for Digital Unix Security Integration Architecture) should that be "$USE_SIA" or similar or what is the point of testing a constant string for being zero length... The reason I ask is that for complex reasons we don't want SIA enabled on Tru64 since it breaks some of the local changes we make (well, it means we need to do more work to support SIA which we haven't needed before). From mouring at etoh.eviladmin.org Mon May 7 22:42:52 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Mon, 7 May 2001 07:42:52 -0500 (CDT) Subject: OSF1 and USE_SIA In-Reply-To: <200105071226.NAA18599@decant.amtp.cam.ac.uk@damtp.cam.ac.uk> Message-ID: On Mon, 7 May 2001 J.S.Peatfield at damtp.cam.ac.uk wrote: > Is the following (from configure.in) intended: > > *-dec-osf*) > if test ! -z "USE_SIA" ; then > AC_MSG_CHECKING(for Digital Unix Security Integration Architecture) > > should that be "$USE_SIA" or similar or what is the point of testing a constant > string for being zero length... > Yes it should be. Thanks. - Ben From Markus.Friedl at informatik.uni-erlangen.de Mon May 7 23:03:03 2001 
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 7 May 2001 15:03:03 +0200 Subject: SSH and forced wtmp entries ... In-Reply-To: <20010507083254.A9307@rhs-notebook>; from Randolf-ML@Skerka.de on Mon, May 07, 2001 at 08:32:54AM +0200 References: <20010507083254.A9307@rhs-notebook> Message-ID: <20010507150303.A12892@faui02.informatik.uni-erlangen.de> try to use ssh -t host command. is this ok? why do you need wtmp? ssh just emulates the traditional rsh/rlogin behaviour. wtmp gets updated only if you allocate a tty. every login is registered in /var/log/authlog From mouring at etoh.eviladmin.org Mon May 7 23:03:27 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Mon, 7 May 2001 08:03:27 -0500 (CDT) Subject: Remake configure/config.h.in/etc. In-Reply-To: Message-ID: My only concern is for platforms that lack autoconf tools. I have a few platforms I refuse to install them on because it is "Yet another package to maintain". I would rather you put in your documentation to run "make -f Makefile.in autoreconf" after applying the patch. I plan on applying your UseLogin patch.. Just have not had a chance to get back to it. - Ben On Mon, 7 May 2001, Wayne Davison wrote: > Since multiple people have applied my UseLogin patch and failed to get > it to work because configure/config.h.in were not automatically rebuilt, > I decided it was time to add some rules to the Makefiles to update these > things. The appended patch will cause a "make" to rebuild configure, > config.h.in, config.h, and both Makefiles if the appropriate source > file(s) change. It will also run "./config.status --recheck" if > configure is rebuilt. > > ..wayne.. > From cmadams at hiwaay.net Tue May 8 01:56:41 2001 
From: cmadams at hiwaay.net (Chris Adams) Date: Mon, 7 May 2001 10:56:41 -0500 Subject: OSF1 and USE_SIA In-Reply-To: ; from mouring@etoh.eviladmin.org on Mon, May 07, 2001 at 07:42:52AM -0500 References: <200105071226.NAA18599@decant.amtp.cam.ac.uk@damtp.cam.ac.uk> Message-ID: <20010507105641.B15326@HiWAAY.net> Once upon a time, mouring at etoh.eviladmin.org said: > On Mon, 7 May 2001 J.S.Peatfield at damtp.cam.ac.uk wrote: > > Is the following (from configure.in) intended: > > > > *-dec-osf*) > > if test ! -z "USE_SIA" ; then > > AC_MSG_CHECKING(for Digital Unix Security Integration Architecture) > > > > should that be "$USE_SIA" or similar or what is the point of testing a constant > > string for being zero length... > > > > Yes it should be. Thanks. How about a patch to add a "--without-sia" option like (instead of setting environment variables): diff -urN openssh_cvs/configure.in openssh/configure.in --- openssh_cvs/configure.in Sat Apr 28 16:36:17 2001 +++ openssh/configure.in Mon May 7 10:53:36 2001 @@ -237,8 +237,18 @@ MANTYPE=man ;; *-dec-osf*) - if test ! -z "USE_SIA" ; then - AC_MSG_CHECKING(for Digital Unix Security Integration Architecture) + AC_MSG_CHECKING(for Digital Unix SIA) + no_osfsia="" + AC_ARG_WITH(osfsia, + [ --with-osfsia Enable Digital Unix SIA], + [ + if test "x$withval" = "xno" ; then + AC_MSG_RESULT(disabled) + no_osfsia=1 + fi + ], + ) + if test -z "$no_osfsia" ; then if test -f /etc/sia/matrix.conf; then AC_MSG_RESULT(yes) AC_DEFINE(HAVE_OSF_SIA) -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From darklord at neonshadow.net Mon May 7 15:46:21 2001 
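Review bot: in the configure.in hunk the help string `--with-osfsia Enable Digital Unix SIA` describes the default, while the only thing the new `AC_ARG_WITH(osfsia, ...)` block actually does is set `no_osfsia=1` when `withval` is `no`; make the help text match the behaviour (`--without-osfsia Disable Digital Unix SIA`) so `configure --help` is not misleading. Because detection still falls through to `test -f /etc/sia/matrix.conf`, an explicit `--with-osfsia` on a host without that file is silently ignored rather than reported; an `AC_MSG_ERROR` for a `yes` that cannot be honoured would be clearer. The hunk also removes the old `USE_SIA` environment test altogether, which is the right fix, so INSTALL/README should mention the new option in its place.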
From: darklord at neonshadow.net (darklord at neonshadow.net) Date: Sun, 6 May 2001 22:46:21 -0700 Subject: OpenSSH on Slackware issue Message-ID: <200105070546.f475kLR00756@wraith.neonshadow.net> I have encountered problems with OpenSSH installs on the Slackware version 7.x distributions of linux. Installation of OpenSSL and then OpenSSH works fine, and then launching sshd works... until somebody changes their password using the passwd command. At which point sshd rejects all logins and I have not been able to clear this problem. Would you have any ideas/suggestions/patches I could try? From phantom88 at tande.com Sat May 5 07:42:16 2001 
From: phantom88 at tande.com (Tim Westberry) Date: Fri, 4 May 2001 16:42:16 -0500 Subject: ssh_exchange_identification Message-ID: <001701c0d4e3$16cbe5e0$6501a8c0@esmith.coxinternet> Guys, I think that I have run into a bug. I am running openbsd 2.8 and I upgraded to the latest version of openssh 2.9 but when I did that it started giving me this error "ssh_exchange_identification: Connection closed by remote host" when I try to log into the machine even when I am on the machine and try to ssh localhost it gives me the same message. I have read every FAQ I could find on the net but all I can find is that you must put "ssd:all" in the hosts.allow in the etc directory. OpenBSD does not have a hosts.allow or a hosts.deny in the etc directory. I ran ssh -v localhost and this is what I got... # ssh -v localhost OpenSSH_2.9, SSH protocols 1.5/2.0, OpenSSL 0x0090581f debug1: Reading configuration data /etc/ssh_config debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: restore_uid debug1: ssh_connect: getuid 0 geteuid 0 anon 1 debug1: Connecting to localhost [127.0.0.1] port 22. debug1: temporarily_use_uid: 0/0 (e=0) debug1: restore_uid debug1: temporarily_use_uid: 0/0 (e=0) debug1: restore_uid debug1: Connection established. debug1: read PEM private key done: type DSA debug1: PEM_read_PrivateKey failed debug1: read PEM private key done: type debug1: identity file /root/.ssh/identity type 0 debug1: identity file /root/.ssh/id_rsa type 1 debug1: identity file /root/.ssh/id_dsa type 2 ssh_exchange_identification: Connection closed by remote host debug1: Calling cleanup 0x1727c(0x0) If you could help me please send me an email at tim at westberry.com I will be glad to set up a chat channel on irc or call you if you can help me fix this problem. Thanks, Tim -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010504/311a7293/attachment.html From wayne at blorf.net Tue May 8 05:32:23 2001 From: wayne at blorf.net (Wayne Davison) Date: Mon, 7 May 2001 12:32:23 -0700 (PDT) Subject: Remake configure/config.h.in/etc. In-Reply-To: Message-ID: On Mon, 7 May 2001 mouring at etoh.eviladmin.org wrote: > My only concern is for platforms that lack autoconf tools. I have a few > platforms I refuse to install them on because it is "Yet another package > to maintain". I don't see this as a problem because under normal circumstances, these files don't change. However, if you apply a patch that affects them, you need to know that your setup is not right without a new configure file. I'd prefer to have make fail with the inability to run autoconf, allowing me to take steps to rectify the situation (I could copy a new file over from a system that has autoconf, or I could decide that I know what I'm doing and just touch configure and proceed, or I could even manually add the appropriate changes to the configure and config.h.in files). I myself was bitten by this problem when I upgraded to 2.9p1 -- I simply forgot to rerun autoconf and autoheader after applying my own patch and I managed to install a non-working sshd on my test system. Yes, I knew exactly what to do to fix the problem, but it was a hassle and it could have been avoided. So, if the rules are not run automatically, that means that people can blissfully continue without knowing that something is amiss, and I consider that far worse. ..wayne.. From carson at taltos.org Tue May 8 05:52:19 2001 
From: carson at taltos.org (Carson Gaspar) Date: Mon, 07 May 2001 12:52:19 -0700 Subject: SSH and forced wtmp entries ... In-Reply-To: <20010507083254.A9307@rhs-notebook> References: <20010507083254.A9307@rhs-notebook> Message-ID: <723597468.989239939@athyra> --On Monday, May 07, 2001 8:32 AM +0200 Randolf Skerka wrote: > user is logged in ... I have the problem right know. The users are > starting "xterm" by ssh commandlines and I can't see a wtmp login ... not > very nice. Is somebody working on a patch/feature? E.g. an option in xterm should be adding utmp/wtmp entries. Try changing its resource file to set the appropriate option. -- Carson From djm at mindrot.org Tue May 8 08:23:48 2001 From: djm at mindrot.org (Damien Miller) Date: Tue, 8 May 2001 08:23:48 +1000 (EST) Subject: OSF1 and USE_SIA In-Reply-To: Message-ID: On Mon, 7 May 2001 mouring at etoh.eviladmin.org wrote: > > should that be "$USE_SIA" or similar or what is the point of testing a constant > > string for being zero length... > > > > Yes it should be. Thanks. It should be a configure option if it is optional at all. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From ninjaz at webexpress.com Tue May 8 11:54:16 2001 
From: ninjaz at webexpress.com (ninjaz at webexpress.com) Date: Mon, 7 May 2001 18:54:16 -0700 (MST) Subject: Patch to update contrib/solaris package builder Message-ID: I've attached a patch for contrib/solaris package builder to bring it up to date with OpenSSH 2.9p1. The changes are: build-pkg - add libexec/ directory creation (to house sftp-server) cp sftp-server to libexec/ cp sftp.1 to man/man1 cp sftp to bin/ postinstall.in - add RSA key generation and installation/update prototype - add sftp, sftp.1 and sftp-server Btw, 2.9p1 is looking quite nice here. :) I was having some problems with connections being dropped while logged onto some legacy SSH2 servers with 2.5.2p2. That is no longer happening with 2.9p1. -pete -------------- next part -------------- diff -u solaris.virgin/build-pkg solaris/build-pkg --- solaris.virgin/build-pkg Fri Nov 10 14:36:39 2000 +++ solaris/build-pkg Mon Apr 16 17:33:57 2001 @@ -145,6 +145,7 @@ mkdir -p ${BUILDDIR}/man/man8 mkdir -p ${BUILDDIR}/etc mkdir -p ${BUILDDIR}/bin +mkdir -p ${BUILDDIR}/libexec mkdir -p ${BUILDDIR}/sbin echo "Populating build directories..." @@ -155,6 +156,9 @@ cp -p ../../../ssh-agent bin cp -p ../../../scp bin cp -p ../../../scp.1 man/man1/scp.1 +cp -p ../../../sftp bin +cp -p ../../../sftp.1 man/man1/sftp.1 +cp -p ../../../sftp-server libexec/sftp-server cp -p ../../../ssh-add.1 man/man1/ssh-add.1 cp -p ../../../ssh-agent.1 man/man1/ssh-agent.1 cp -p ../../../ssh-keygen.1 man/man1/ssh-keygen.1 diff -u solaris.virgin/postinstall.in solaris/postinstall.in --- solaris.virgin/postinstall.in Mon Apr 23 17:03:58 2001 +++ solaris/postinstall.in Mon May 7 17:51:35 2001 
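Review bot: the build-pkg @@ -155 hunk copies `../../../sftp.1` straight from the build tree with `cp -p ../../../sftp.1 man/man1/sftp.1`, the same way the existing `scp.1` and `ssh-add.1` lines do, while the configuration files a few lines down are taken from the Makefile-generated `.out` versions (`sshd_config.out`). The OpenSSH sources are mdoc, and Solaris' man(1) wants man(7)-formatted pages, so the packaged manpages render badly on the target; the `.out` manpages that the OpenSSH Makefile produces alongside the config `.out` files should be copied instead (`sftp.1.out` to `man/man1/sftp.1`, and likewise for the pages this hunk leaves untouched).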
@@ -89,6 +89,26 @@ else echo "Using existing DSA public/private host key pair for SSH-2." fi + if [ ! -f "${CONFDIR}/ssh_host_rsa_key" ]; then + echo "Creating new RSA public/private host key pair for SSH-2." + $INSTALLF $PKGINST ${CONFDIR}/ssh_host_rsa_key + $INSTALLF $PKGINST ${CONFDIR}/ssh_host_rsa_key.pub + ### If there is *anything* there then leave it, otherwise look + ### in some reasonable alternate locations before giving up. + ### It's worth spending some extra time looking for the old one + ### to avoid a bunch of "host identification has changed" warnings. + ### Note that some old keys from the commercial SSH2 might not + ### be compatible, but we don't test for that. + if [ -f "${PKG_INSTALL_ROOT}/etc/ssh_host_rsa_key" ]; then + mv ${PKG_INSTALL_ROOT}/etc/ssh_host_rsa_key ${CONFDIR} + elif [ -f "${PKG_INSTALL_ROOT}/usr/local/etc/ssh_host_rsa_key" ]; then + mv ${PKG_INSTALL_ROOT}/usr/local/etc/ssh_host_rsa_key ${CONFDIR} + else + ${DESTBIN}/ssh-keygen -t rsa -f ${CONFDIR}/ssh_host_rsa_key -N '' + fi + else + echo "Using existing RSA public/private host key pair for SSH-2." + fi else echo "Performing an \"update\" installation of OpenSSH." ### Okay, this part *is* an update install...so we need to ensure 
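Review bot: in the fresh-install branch, when an old private key is found at `${PKG_INSTALL_ROOT}/etc/ssh_host_rsa_key` or `${PKG_INSTALL_ROOT}/usr/local/etc/ssh_host_rsa_key` only the private key is moved, yet `$INSTALLF $PKGINST ${CONFDIR}/ssh_host_rsa_key.pub` has already registered the public file with the package database; after a migration the package therefore claims a file that does not exist and the old `.pub` is left behind. Move the matching `.pub` alongside the private key in both `mv` branches (e.g. `[ -f "${PKG_INSTALL_ROOT}/etc/ssh_host_rsa_key.pub" ] && mv "${PKG_INSTALL_ROOT}/etc/ssh_host_rsa_key.pub" "${CONFDIR}"`). The `mv` arguments should also be quoted as the `test` expressions above them already are.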
@@ -177,6 +197,26 @@ fi else echo "Using existing DSA public/private host key pair for SSH-2." + fi + if [ ! -f "${CONFDIR}/ssh_host_rsa_key" ]; then + echo "Creating new RSA public/private host key pair for SSH-2." + $INSTALLF $PKGINST ${CONFDIR}/ssh_host_rsa_key + $INSTALLF $PKGINST ${CONFDIR}/ssh_host_rsa_key.pub + ### If there is *anything* there then leave it, otherwise look + ### in some reasonable alternate locations before giving up. + ### It's worth spending some extra time looking for the old one + ### to avoid a bunch of "host identification has changed" warnings. + ### Note that some old keys from the commercial SSH2 might not + ### be compatible, but we don't test for that. + if [ -f "${PKG_INSTALL_ROOT}/etc/ssh_host_rsa_key" ]; then + mv ${PKG_INSTALL_ROOT}/etc/ssh_host_rsa_key ${CONFDIR} + elif [ -f "${PKG_INSTALL_ROOT}/usr/local/etc/ssh_host_rsa_key" ]; then + mv ${PKG_INSTALL_ROOT}/usr/local/etc/ssh_host_rsa_key ${CONFDIR} + else + ${DESTBIN}/ssh-keygen -d -f ${CONFDIR}/ssh_host_rsa_key -N '' + fi + else + echo "Using existing RSA public/private host key pair for SSH-2." fi fi diff -u solaris.virgin/prototype solaris/prototype --- solaris.virgin/prototype Fri Nov 10 14:36:39 2000 +++ solaris/prototype Mon Apr 16 17:32:25 2001 @@ -5,6 +5,7 @@ d none man 0755 root sys d none man/man1 0755 root sys f none man/man1/scp.1 0644 root sys +f none man/man1/sftp.1 0644 root sys f none man/man1/ssh-add.1 0644 root sys f none man/man1/ssh-agent.1 0644 root sys f none man/man1/ssh-keygen.1 0644 root sys @@ -23,5 +24,7 @@ f none bin/ssh-add 0755 root sys f none bin/ssh-agent 0755 root sys f none bin/scp 0755 root sys +f none bin/sftp 0755 root sys +f none libexec/sftp-server 0755 root sys d none sbin 0755 root sys f none sbin/sshd 0755 root sys From Darren.Moffat at eng.sun.com Tue May 8 11:59:36 2001 
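Review bot: the update-install branch generates the new host key with `${DESTBIN}/ssh-keygen -d -f ${CONFDIR}/ssh_host_rsa_key -N ''`, while the fresh-install branch in the previous hunk uses `-t rsa`; `-d` is the old DSA selector, so an updated system ends up with a DSA key in the file named `ssh_host_rsa_key`, which sshd will then try to load as its RSA host key. Use `-t rsa` in both places, and consider factoring the duplicated twenty-line block into a shell function so the two branches cannot drift apart again.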
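Review bot: the prototype hunk adds `f none libexec/sftp-server 0755 root sys` without a matching `d none libexec 0755 root sys` entry, unlike `d none sbin 0755 root sys` which precedes `sbin/sshd`; without the directory object the owner and mode of `libexec` are outside package control and pkgchk will not vouch for it. Add the `d none libexec` line before the file entry.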
From: Darren.Moffat at eng.sun.com (Darren Moffat) Date: Mon, 7 May 2001 18:59:36 -0700 (PDT) Subject: Patch to update contrib/solaris package builder Message-ID: <200105080200.f4820fHD869101@jurassic.eng.sun.com> >build-pkg - > add libexec/ directory creation (to house sftp-server) > cp sftp-server to libexec/ > cp sftp.1 to man/man1 > cp sftp to bin/ I would recommend against using libexec since it isn't part of Solaris. Just put the stuff in lib/ >postinstall.in - > add RSA key generation and installation/update You should do this in the init.d script not in postinstall since it can cause problems with some advanced jumpstart installations, it works fine in most cases though. -- Darren J Moffat From mouring at etoh.eviladmin.org Tue May 8 11:53:07 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Mon, 7 May 2001 20:53:07 -0500 (CDT) Subject: Patch to update contrib/solaris package builder In-Reply-To: Message-ID: There is a lot more missing than that. This has been a topic as of late. I was hoping to see a complete patch that brought it up fully. ssh-keyscan is missing, slogin is missing.. sftp-server.8 is missing.. to name a few. - Ben On Mon, 7 May 2001 ninjaz at webexpress.com wrote: > I've attached a patch for contrib/solaris package builder to bring it up > to date with OpenSSH 2.9p1. > > The changes are: > > build-pkg - > add libexec/ directory creation (to house sftp-server) > cp sftp-server to libexec/ > cp sftp.1 to man/man1 > cp sftp to bin/ > > postinstall.in - > add RSA key generation and installation/update > > prototype - > add sftp, sftp.1 and sftp-server > > Btw, 2.9p1 is looking quite nice here. :) I was having some problems with > connections being dropped while logged onto some legacy SSH2 servers with > 2.5.2p2. That is no longer happening with 2.9p1. > > -pete > From ninjaz at webexpress.com Tue May 8 12:36:02 2001 
From: ninjaz at webexpress.com (ninjaz at webexpress.com) Date: Mon, 7 May 2001 19:36:02 -0700 (MST) Subject: Patch to update contrib/solaris package builder In-Reply-To: <200105080200.f4820fHD869101@jurassic.eng.sun.com> Message-ID: Darren, Thanks for the comments! Regarding the contrib script, I'm just updating the package build, designed to work with a default-ish OpenSSH installation. I have kept libexec/ , since this all lives under /usr/local/ anyway, and I find it a bit painful switching between operating systems with each one wanting to put everything in a different place. Especially when that OS wants to put non-libraries in lib/ ... ;) Regarding the key generation, it seems a bit scary to do update/install of server keys inside the startup script.. I've got another patch coming in response to some programs I've left out, and to fix a couple bugs I noticed. Feel free to submit a patch to that, as I think I'm done for now. I'm not a maintainer, just submitting the stuff I'd like to see in the next portable release so I don't have to patch this up before I make packages each time. -pete On Mon, 7 May 2001, Darren Moffat wrote: > >build-pkg - > > add libexec/ directory creation (to house sftp-server) > > cp sftp-server to libexec/ > > cp sftp.1 to man/man1 > > cp sftp to bin/ > > I would recommend against using libexec since it isn't part of Solaris. > Just put the stuff in lib/ > > >postinstall.in - > > add RSA key generation and installation/update > > You should do this in the init.d script not in postinstall since it can > cause problems with some advanced jumpstart installations, it works > fine in most cases though. > > -- > Darren J Moffat > From ninjaz at webexpress.com Tue May 8 12:48:44 2001 
From: ninjaz at webexpress.com (ninjaz at webexpress.com) Date: Mon, 7 May 2001 19:48:44 -0700 (MST) Subject: Patch to update contrib/solaris package builder [new patch] In-Reply-To: Message-ID: Ben, Sorry for overbilling the original patch. I didn't realize I'd missed the other parts. I don't see anything to do with slogin, though: # pwd /local/src/openssh-2.9p1 # find . -name '*slogin*' # This patch has the following changes: build-pkg: Added mkdir of libexec/ cp ssh-keyscan, sftp-server.8 and sftp-keyscan.1 Add ssh-keyscan, sftp and sftp-server to the strip list prototype: Added libexec directory entry Added file entries for sftp-keyscan, sftp-server.8, and sftp-keyscan.1 -pete On Mon, 7 May 2001 mouring at etoh.eviladmin.org wrote: > > There is a lot more missing than that. This has been a topic as > of late. I was hoping to see a complete patch that brought it up fully. > > ssh-keyscan is missing, slogin is missing.. sftp-server.8 is missing.. to > name a few. > > - Ben > > On Mon, 7 May 2001 ninjaz at webexpress.com wrote: > > > I've attached a patch for contrib/solaris package builder to bring it up > > to date with OpenSSH 2.9p1. > > > > The changes are: > > > > build-pkg - > > add libexec/ directory creation (to house sftp-server) > > cp sftp-server to libexec/ > > cp sftp.1 to man/man1 > > cp sftp to bin/ > > > > postinstall.in - > > add RSA key generation and installation/update > > > > prototype - > > add sftp, sftp.1 and sftp-server > > > > Btw, 2.9p1 is looking quite nice here. :) I was having some problems with > > connections being dropped while logged onto some legacy SSH2 servers with > > 2.5.2p2. That is no longer happening with 2.9p1. > > > > -pete > > > > -------------- next part -------------- diff -u solaris.virgin/build-pkg solaris/build-pkg --- solaris.virgin/build-pkg Fri Nov 10 14:36:39 2000 +++ solaris/build-pkg Mon May 7 19:22:02 2001 
@@ -145,19 +145,26 @@ mkdir -p ${BUILDDIR}/man/man8 mkdir -p ${BUILDDIR}/etc mkdir -p ${BUILDDIR}/bin +mkdir -p ${BUILDDIR}/libexec mkdir -p ${BUILDDIR}/sbin echo "Populating build directories..." cp -p ../../../sshd sbin cp -p ../../../ssh-keygen bin +cp -p ../../../ssh-keyscan bin cp -p ../../../ssh bin cp -p ../../../ssh-add bin cp -p ../../../ssh-agent bin cp -p ../../../scp bin cp -p ../../../scp.1 man/man1/scp.1 +cp -p ../../../sftp bin +cp -p ../../../sftp.1 man/man1/sftp.1 +cp -p ../../../sftp-server libexec/sftp-server +cp -p ../../../sftp-server.8 man/man8 cp -p ../../../ssh-add.1 man/man1/ssh-add.1 cp -p ../../../ssh-agent.1 man/man1/ssh-agent.1 cp -p ../../../ssh-keygen.1 man/man1/ssh-keygen.1 +cp -p ../../../ssh-keyscan.1 man/man1/ssh-keyscan.1 cp -p ../../../ssh.1 man/man1/ssh.1 cp -p ../../../sshd.8 man/man8/sshd.8 cp -p ../../../sshd_config.out etc/sshd_config.default @@ -182,8 +189,11 @@ ${STRIP} bin/ssh-add ${STRIP} bin/ssh-agent ${STRIP} bin/ssh-keygen +${STRIP} bin/ssh-keyscan ${STRIP} sbin/sshd ${STRIP} bin/scp +${STRIP} bin/sftp +${STRIP} libexec/sftp-server echo "" echo "Building Package" diff -u solaris.virgin/postinstall.in solaris/postinstall.in --- solaris.virgin/postinstall.in Mon Apr 23 17:03:58 2001 +++ solaris/postinstall.in Mon May 7 17:51:35 2001 
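Review bot: the build-pkg @@ -145 hunk still copies the mdoc sources (`cp -p ../../../sftp-server.8 man/man8`, `cp -p ../../../ssh-keyscan.1 man/man1/ssh-keyscan.1`) rather than the man(7)-formatted `.out` files the OpenSSH Makefile generates, the point made in the review of the first revision; the `sftp-server.8` line also copies into a directory instead of naming the target file as every other `cp` in the block does. Switch these (and the pre-existing manpage lines) to the `.out` versions and keep the explicit destination name for consistency.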
@@ -89,6 +89,26 @@ else echo "Using existing DSA public/private host key pair for SSH-2." fi + if [ ! -f "${CONFDIR}/ssh_host_rsa_key" ]; then + echo "Creating new RSA public/private host key pair for SSH-2." + $INSTALLF $PKGINST ${CONFDIR}/ssh_host_rsa_key + $INSTALLF $PKGINST ${CONFDIR}/ssh_host_rsa_key.pub + ### If there is *anything* there then leave it, otherwise look + ### in some reasonable alternate locations before giving up. + ### It's worth spending some extra time looking for the old one + ### to avoid a bunch of "host identification has changed" warnings. + ### Note that some old keys from the commercial SSH2 might not + ### be compatible, but we don't test for that. + if [ -f "${PKG_INSTALL_ROOT}/etc/ssh_host_rsa_key" ]; then + mv ${PKG_INSTALL_ROOT}/etc/ssh_host_rsa_key ${CONFDIR} + elif [ -f "${PKG_INSTALL_ROOT}/usr/local/etc/ssh_host_rsa_key" ]; then + mv ${PKG_INSTALL_ROOT}/usr/local/etc/ssh_host_rsa_key ${CONFDIR} + else + ${DESTBIN}/ssh-keygen -t rsa -f ${CONFDIR}/ssh_host_rsa_key -N '' + fi + else + echo "Using existing RSA public/private host key pair for SSH-2." + fi else echo "Performing an \"update\" installation of OpenSSH." ### Okay, this part *is* an update install...so we need to ensure 
@@ -177,6 +197,26 @@ fi else echo "Using existing DSA public/private host key pair for SSH-2." + fi + if [ ! -f "${CONFDIR}/ssh_host_rsa_key" ]; then + echo "Creating new RSA public/private host key pair for SSH-2." + $INSTALLF $PKGINST ${CONFDIR}/ssh_host_rsa_key + $INSTALLF $PKGINST ${CONFDIR}/ssh_host_rsa_key.pub + ### If there is *anything* there then leave it, otherwise look + ### in some reasonable alternate locations before giving up. + ### It's worth spending some extra time looking for the old one + ### to avoid a bunch of "host identification has changed" warnings. + ### Note that some old keys from the commercial SSH2 might not + ### be compatible, but we don't test for that. + if [ -f "${PKG_INSTALL_ROOT}/etc/ssh_host_rsa_key" ]; then + mv ${PKG_INSTALL_ROOT}/etc/ssh_host_rsa_key ${CONFDIR} + elif [ -f "${PKG_INSTALL_ROOT}/usr/local/etc/ssh_host_rsa_key" ]; then + mv ${PKG_INSTALL_ROOT}/usr/local/etc/ssh_host_rsa_key ${CONFDIR} + else + ${DESTBIN}/ssh-keygen -d -f ${CONFDIR}/ssh_host_rsa_key -N '' + fi + else + echo "Using existing RSA public/private host key pair for SSH-2." fi fi diff -u solaris.virgin/prototype solaris/prototype --- solaris.virgin/prototype Fri Nov 10 14:36:39 2000 +++ solaris/prototype Mon May 7 19:41:51 2001 @@ -5,11 +5,14 @@ d none man 0755 root sys d none man/man1 0755 root sys f none man/man1/scp.1 0644 root sys +f none man/man1/sftp.1 0644 root sys f none man/man1/ssh-add.1 0644 root sys f none man/man1/ssh-agent.1 0644 root sys f none man/man1/ssh-keygen.1 0644 root sys +f none man/man1/ssh-keyscan.1 0644 root sys f none man/man1/ssh.1 0644 root sys d none man/man8 0755 root sys +f none man/man8/sftp-server.8 0644 root sys f none man/man8/sshd.8 0644 root sys d none etc 0755 root sys f none etc/sshd_config.default 0644 root sys 
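Review bot: the update-install branch in the @@ -177 hunk is unchanged from the first revision and still runs `${DESTBIN}/ssh-keygen -d -f ${CONFDIR}/ssh_host_rsa_key -N ''`, which produces a DSA key under the RSA host-key name; it needs `-t rsa` to match the fresh-install branch. The prototype @@ -5 hunk is fine as far as it goes, but it now adds `man/man8/sftp-server.8` and `man/man1/ssh-keyscan.1` without the `slogin.1` link mentioned in the reply, so that item is still open.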
@@ -22,6 +25,10 @@ f none bin/ssh 0755 root sys f none bin/ssh-add 0755 root sys f none bin/ssh-agent 0755 root sys +f none bin/ssh-keyscan 0755 root sys f none bin/scp 0755 root sys +f none bin/sftp 0755 root sys +d none libexec 0755 root sys +f none libexec/sftp-server 0755 root sys d none sbin 0755 root sys f none sbin/sshd 0755 root sys From mouring at etoh.eviladmin.org Tue May 8 13:02:05 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Mon, 7 May 2001 22:02:05 -0500 (CDT) Subject: Patch to update contrib/solaris package builder [new patch] In-Reply-To: Message-ID: On Mon, 7 May 2001 ninjaz at webexpress.com wrote: > > Ben, > > Sorry for overbilling the original patch. I didn't realize I'd missed the > other parts. > > I don't see anything to do with slogin, though: > # pwd > /local/src/openssh-2.9p1 > # find . -name '*slogin*' > # > [.. From Makefile.. 'install-files:' section..] -rm -f $(DESTDIR)$(bindir)/slogin ln -s ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 ln -s ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 So they are symlinks. The packaging process still does not handle a lot of cases. You may always want to watch out for the 'mdoc vs man' formatted manpages. Most solaris (all?) use 'man' formatted. The default documentation is in mdoc. If I don't get a rewrite in the next few days, I'll apply this as a stop-gap. But I'd like to see this rewritten, but I'll not get to it for at least two weeks due to projects at work. - Ben From ninjaz at webexpress.com Tue May 8 14:44:08 2001 
From: ninjaz at webexpress.com (ninjaz at webexpress.com) Date: Mon, 7 May 2001 21:44:08 -0700 (MST) Subject: Patch to update contrib/solaris package builder [3rd patch] In-Reply-To: Message-ID: On Mon, 7 May 2001 mouring at etoh.eviladmin.org wrote: > > > [.. From Makefile.. 'install-files:' section..] > -rm -f $(DESTDIR)$(bindir)/slogin > ln -s ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin > -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 > ln -s ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 > > So they are symlinks. Thanks - Fixed in this patch (symlink entries in prototype). > > The packaging process still does not handle a lot of cases. You may > always want to watch out for the 'mdoc vs man' formatted manpages. Most > solaris (all?) use 'man' formatted. The default documentation is in mdoc. This is fixed, too (by using the foo.x.out files generated by the OpenSSH Makefile). It requires perl, but so does the OpenSSL build, anyway ... > If I don't get a rewrite in the next few days. I'll apply this as a > stop-gap. But I'd like to see this rewritten, but I'll not get to it for > at least two weeks due to projects at work. Are these two issues the ones you wanted squashed? Or is there a more ambitious complete rewrite you have in mind? -pete -------------- next part -------------- diff -u solaris.virgin/build-pkg solaris/build-pkg --- solaris.virgin/build-pkg Fri Nov 10 14:36:39 2000 +++ solaris/build-pkg Mon May 7 21:03:48 2001 
@@ -145,21 +145,28 @@ mkdir -p ${BUILDDIR}/man/man8 mkdir -p ${BUILDDIR}/etc mkdir -p ${BUILDDIR}/bin +mkdir -p ${BUILDDIR}/libexec mkdir -p ${BUILDDIR}/sbin echo "Populating build directories..." cp -p ../../../sshd sbin cp -p ../../../ssh-keygen bin +cp -p ../../../ssh-keyscan bin cp -p ../../../ssh bin cp -p ../../../ssh-add bin cp -p ../../../ssh-agent bin cp -p ../../../scp bin -cp -p ../../../scp.1 man/man1/scp.1 -cp -p ../../../ssh-add.1 man/man1/ssh-add.1 -cp -p ../../../ssh-agent.1 man/man1/ssh-agent.1 -cp -p ../../../ssh-keygen.1 man/man1/ssh-keygen.1 -cp -p ../../../ssh.1 man/man1/ssh.1 -cp -p ../../../sshd.8 man/man8/sshd.8 +cp -p ../../../scp.1.out man/man1/scp.1 +cp -p ../../../sftp bin +cp -p ../../../sftp.1.out man/man1/sftp.1 +cp -p ../../../sftp-server libexec/sftp-server +cp -p ../../../sftp-server.8.out man/man8/sftp-server.8 +cp -p ../../../ssh-add.1.out man/man1/ssh-add.1 +cp -p ../../../ssh-agent.1.out man/man1/ssh-agent.1 +cp -p ../../../ssh-keygen.1.out man/man1/ssh-keygen.1 +cp -p ../../../ssh-keyscan.1.out man/man1/ssh-keyscan.1 +cp -p ../../../ssh.1.out man/man1/ssh.1 +cp -p ../../../sshd.8.out man/man8/sshd.8 cp -p ../../../sshd_config.out etc/sshd_config.default cp -p ../../../ssh_config.out etc/ssh_config.default cp -p ../../../ssh_prng_cmds etc/ssh_prng_cmds.default @@ -182,8 +189,11 @@ ${STRIP} bin/ssh-add ${STRIP} bin/ssh-agent ${STRIP} bin/ssh-keygen +${STRIP} bin/ssh-keyscan ${STRIP} sbin/sshd ${STRIP} bin/scp +${STRIP} bin/sftp +${STRIP} libexec/sftp-server echo "" echo "Building Package" diff -u solaris.virgin/postinstall.in solaris/postinstall.in --- solaris.virgin/postinstall.in Mon Apr 23 17:03:58 2001 +++ solaris/postinstall.in Mon May 7 17:51:35 2001 
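Review bot: switching the manpage copies to `scp.1.out`, `sftp.1.out` and friends in the @@ -145 hunk fixes the format, but it adds a dependency the script does not check: the `.out` files are produced by the OpenSSH Makefile's path-fixing step, so running build-pkg from a tree where `make` has not completed makes the first `cp` fail on a missing `.out` file and, unless build-pkg already runs under `set -e`, population carries on and a partial tree is handed to pkgmk. Test for the `.out` files up front (or enable `set -e`) and abort with a message saying to run `make` first.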
@@ -89,6 +89,26 @@ else echo "Using existing DSA public/private host key pair for SSH-2." fi + if [ ! -f "${CONFDIR}/ssh_host_rsa_key" ]; then + echo "Creating new RSA public/private host key pair for SSH-2." + $INSTALLF $PKGINST ${CONFDIR}/ssh_host_rsa_key + $INSTALLF $PKGINST ${CONFDIR}/ssh_host_rsa_key.pub + ### If there is *anything* there then leave it, otherwise look + ### in some reasonable alternate locations before giving up. + ### It's worth spending some extra time looking for the old one + ### to avoid a bunch of "host identification has changed" warnings. + ### Note that some old keys from the commercial SSH2 might not + ### be compatible, but we don't test for that. + if [ -f "${PKG_INSTALL_ROOT}/etc/ssh_host_rsa_key" ]; then + mv ${PKG_INSTALL_ROOT}/etc/ssh_host_rsa_key ${CONFDIR} + elif [ -f "${PKG_INSTALL_ROOT}/usr/local/etc/ssh_host_rsa_key" ]; then + mv ${PKG_INSTALL_ROOT}/usr/local/etc/ssh_host_rsa_key ${CONFDIR} + else + ${DESTBIN}/ssh-keygen -t rsa -f ${CONFDIR}/ssh_host_rsa_key -N '' + fi + else + echo "Using existing RSA public/private host key pair for SSH-2." + fi else echo "Performing an \"update\" installation of OpenSSH." ### Okay, this part *is* an update install...so we need to ensure 
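Review bot: in the two `mv ${PKG_INSTALL_ROOT}/.../ssh_host_rsa_key ${CONFDIR}` branches of this hunk only the private key is moved, yet the `$INSTALLF $PKGINST ${CONFDIR}/ssh_host_rsa_key.pub` line above has already registered a public key file for the package, so an install that finds an old key leaves pkgchk reporting `ssh_host_rsa_key.pub` as missing and the stale .pub behind in /etc or /usr/local/etc. Move the public key alongside the private one in both branches, for example `[ -f "${PKG_INSTALL_ROOT}/etc/ssh_host_rsa_key.pub" ] && mv ${PKG_INSTALL_ROOT}/etc/ssh_host_rsa_key.pub ${CONFDIR}`, or only call `$INSTALLF` for the .pub in the ssh-keygen branch that actually creates it.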
@@ -177,6 +197,26 @@ fi else echo "Using existing DSA public/private host key pair for SSH-2." + fi + if [ ! -f "${CONFDIR}/ssh_host_rsa_key" ]; then + echo "Creating new RSA public/private host key pair for SSH-2." + $INSTALLF $PKGINST ${CONFDIR}/ssh_host_rsa_key + $INSTALLF $PKGINST ${CONFDIR}/ssh_host_rsa_key.pub + ### If there is *anything* there then leave it, otherwise look + ### in some reasonable alternate locations before giving up. + ### It's worth spending some extra time looking for the old one + ### to avoid a bunch of "host identification has changed" warnings. + ### Note that some old keys from the commercial SSH2 might not + ### be compatible, but we don't test for that. + if [ -f "${PKG_INSTALL_ROOT}/etc/ssh_host_rsa_key" ]; then + mv ${PKG_INSTALL_ROOT}/etc/ssh_host_rsa_key ${CONFDIR} + elif [ -f "${PKG_INSTALL_ROOT}/usr/local/etc/ssh_host_rsa_key" ]; then + mv ${PKG_INSTALL_ROOT}/usr/local/etc/ssh_host_rsa_key ${CONFDIR} + else + ${DESTBIN}/ssh-keygen -d -f ${CONFDIR}/ssh_host_rsa_key -N '' + fi + else + echo "Using existing RSA public/private host key pair for SSH-2." fi fi diff -u solaris.virgin/prototype solaris/prototype --- solaris.virgin/prototype Fri Nov 10 14:36:39 2000 +++ solaris/prototype Mon May 7 21:31:30 2001 @@ -5,11 +5,15 @@ d none man 0755 root sys d none man/man1 0755 root sys f none man/man1/scp.1 0644 root sys +f none man/man1/sftp.1 0644 root sys f none man/man1/ssh-add.1 0644 root sys f none man/man1/ssh-agent.1 0644 root sys f none man/man1/ssh-keygen.1 0644 root sys +f none man/man1/ssh-keyscan.1 0644 root sys f none man/man1/ssh.1 0644 root sys +s none man/man1/slogin.1=ssh.1 d none man/man8 0755 root sys +f none man/man8/sftp-server.8 0644 root sys f none man/man8/sshd.8 0644 root sys d none etc 0755 root sys f none etc/sshd_config.default 0644 root sys 
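Review bot: the update-install copy of the RSA block ends with `${DESTBIN}/ssh-keygen -d -f ${CONFDIR}/ssh_host_rsa_key -N ''`, whereas the fresh-install hunk uses `-t rsa`; `-d` is ssh-keygen's old switch for generating a DSA key, so on an upgrade this writes a DSA key under the RSA file name and the host ends up with no RSA SSH-2 host key while the script announces "Creating new RSA public/private host key pair". Change it to `-t rsa` to match the first hunk. The two hunks are otherwise identical twenty-line copies, which is how the flag diverged; a single shell function taking the key type and file name, called from both install paths, would stop that recurring, and the two `mv` branches here have the same private-key-only move as the first hunk, leaving the registered .pub uncreated.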
@@ -20,8 +24,13 @@ d none bin 0755 root sys f none bin/ssh-keygen 0755 root sys f none bin/ssh 0755 root sys +s none bin/slogin=ssh 0755 root sys f none bin/ssh-add 0755 root sys f none bin/ssh-agent 0755 root sys +f none bin/ssh-keyscan 0755 root sys f none bin/scp 0755 root sys +f none bin/sftp 0755 root sys +d none libexec 0755 root sys +f none libexec/sftp-server 0755 root sys d none sbin 0755 root sys f none sbin/sshd 0755 root sys

From Randolf-ML at Skerka.de Tue May 8 16:02:04 2001
From: Randolf-ML at Skerka.de (Randolf Skerka) Date: Tue, 8 May 2001 08:02:04 +0200 Subject: SSH and forced wtmp entries ... In-Reply-To: <20010507150303.A12892@faui02.informatik.uni-erlangen.de>; from Markus.Friedl@informatik.uni-erlangen.de on Mon, May 07, 2001 at 03:03:03PM +0200 References: <20010507083254.A9307@rhs-notebook> <20010507150303.A12892@faui02.informatik.uni-erlangen.de> Message-ID: <20010508080204.A12722@rhs-notebook>

On Mon, May 07, 2001 at 03:03:03PM +0200, Markus Friedl wrote:
> try to use
> ssh -t host command
>
> is this ok?

No, doesn't work, tried it before :-(

> why do you need wtmp? ssh just emulates the
> traditional rsh/rlogin behaviour. wtmp gets
> updated only if you allocate a tty.
>
> every login is registered in /var/log/authlog

Well, wtmp is available on all platforms. HP-UX does not have a /var/log/authlog for example.

Why I need it? Simple, if somebody enters "ssh worldserver rm -rf /" I would like to know who did it ... ok, bad example rm will remove wtmp too but I think you know what I mean, right?

Yesterday I've looked into the source but it's a bit too complex for me to support a patch. I think we do not need a correct tty entry, we could use a faked one. It's important to have the hostname, username date and time. It's correct, rsh/rlogin does not update wtmp in that case, but wouldn't OpenSSH be better ;-)

Bye, would like to see a solution *smile*

Randolf

From jmknoble at jmknoble.cx Tue May 8 16:33:17 2001
From: jmknoble at jmknoble.cx (Jim Knoble) Date: Tue, 8 May 2001 02:33:17 -0400 Subject: SSH and forced wtmp entries ... In-Reply-To: <20010508080204.A12722@rhs-notebook>; from Randolf-ML@Skerka.de on Tue, May 08, 2001 at 08:02:04AM +0200 References: <20010507083254.A9307@rhs-notebook> <20010507150303.A12892@faui02.informatik.uni-erlangen.de> <20010508080204.A12722@rhs-notebook> Message-ID: <20010508023317.G1235@quipu.half.pint-stowp.cx>

Circa 2001-May-08 08:02:04 +0200 dixit Randolf Skerka:

: On Mon, May 07, 2001 at 03:03:03PM +0200, Markus Friedl wrote:
: > try to use
: > ssh -t host command
: >
: > is this ok?
:
: No, doesn't work, tried it before :-(
:
: > why do you need wtmp? ssh just emulates the
: > traditional rsh/rlogin behaviour. wtmp gets
: > updated only if you allocate a tty.
: >
: > every login is registered in /var/log/authlog
:
: Well, wtmp is available on all platforms. HP-UX does not have a
: /var/log/authlog for example.

I think what Markus meant is that sshd logs all logins via syslogd, via the 'auth' facility, unless you've explicitly configured it not to.

: Why I need it? Simple, if somebody enters "ssh worldserver rm -rf /" I
: would like to know who did it ... ok, bad example rm will remove wtmp
: too but I think you know what I mean, right?

If you're worried about someone being able to do that, then you have granted too much authority to people you don't trust.

--
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)

From vinschen at redhat.com Tue May 8 20:36:20 2001
From: vinschen at redhat.com (Corinna Vinschen) Date: Tue, 8 May 2001 12:36:20 +0200 Subject: Updated partial auth patch against CVS In-Reply-To: ; from karlm30@hotmail.com on Sun, May 06, 2001 at 02:57:48PM -0700 References: Message-ID: <20010508123620.K24200@cygbert.vinschen.de>

On Sun, May 06, 2001 at 02:57:48PM -0700, Karl M wrote:
> Hi Carson and Corinna...
>
> Carson-->It seems to me that at the end of input_userauth_request it doesn't
> matter what uid we are set to (is this true?), so I think that I can remove
> the tempuid variable and the extra getuid/setuid operations. What do you
> think?
>
> Corinna-->The only call to check_nt_auth I left in auth2.c is in
> userauth_passwd. With a password, check_nt_auth always succeeds, so it
> doesn't need to be there. What do you think?

The reason for checking with `check_nt_auth' is to disallow a user to login only using any non-password authentication if the user's uid is != the uid under which sshd is running.

For those, who are not familiar with NT/W2K: The reason is that under normal circumstances switching user context on NT/W2K is only possible if a password is given, even for administrators. Without the check_nt_auth check, sshd would allow logon using RSA/DSA but the user context switch fails => child process is running under a wrong account!

If your patch accommodates that need even if partial authentication is _not_ switched on in sshd_config, it's ok with me. So the question is: Does your code under NT/W2K still refuse login without password if sshd_config just contains

RSAAuthentication yes
PasswordAuthentication no

and not the slightest word about partial authentication?

Another piece of information is that I'm working on a Cygwin extension to allow switching user context without using a password. That would allow in future to logon using RSA/DSA authentication for any users even on NT/W2K systems. It will have some limitations, though.

Corinna

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From dchart at nets.tref.nl Tue May 8 20:51:19 2001
From: dchart at nets.tref.nl (Dannis 't Hart) Date: Tue, 8 May 2001 12:51:19 +0200 Subject: make install fails if configured --with-tcp-wrappers Message-ID:

Hello,

I tried building OpenSSH-2.9p1 on AIX 4.3.3(ML6) with gcc. I included the --with-tcp-wrappers flag in configure. Configure went just fine, make went just fine, but 'make install' failed with the following error:

exec(): 0509-036 Cannot load program ./ssh-keygen because of the following errors:
0509-130 Symbol resolution failed for /usr/local/lib/libwrap.a(libwrap.so) because:
0509-136 Symbol allow_severity (number 71) is not exported from dependent module ssh-keygen.
0509-136 Symbol deny_severity (number 72) is not exported from dependent module ssh-keygen.
0509-192 Examine .loader section symbols with the 'dump -Tv' command.
make: 1254-004 The error code from the last command is 255.

Checking on dejanews.com revealed that at least one other person has stumbled on this. Not being a programmer, but maybe a smart guesser, I was able to work around this by including the following in the source-file ssh-keygen.c manually:

#ifdef LIBWRAP
#include <tcpd.h>
#include <syslog.h>
int allow_severity = LOG_INFO;
int deny_severity = LOG_WARNING;
#endif /* LIBWRAP */

I copied+pasted it from the source-file sshd.c :-)

My build now works fine with hosts.allow and hosts.deny as far as I can tell... I don't know why ssh-keygen would need this, whether it was the result of an imperfection in configure (likely?), or even if my work-around is a sensible way of repairing. Moreover, it might be a bug in tcp_wrappers, not in OpenSSH? Comments or suggestions are welcomed.

BTW, with releases 2.5.2p2 and 2.5.1p2 the same thing happened. Older I didn't test.

Dannis 't Hart

From Jeff.Painter at zt.com Wed May 9 01:48:06 2001
From: Jeff.Painter at zt.com (Painter, Jeff (ZoomTown)) Date: Tue, 8 May 2001 11:48:06 -0400 Subject: sftp problem Message-ID: <7D11E5207431D411983100508BCF5C7A34AD05@ztexch01.zt.com>

I am trying to resolve an issue with SSH2 version 2.5.2p2 on Solaris 2.6. SSH2, SSH1 and SCP all work fine in and out. The problem is with SFTP. I can SFTP out, but not in. I can't SFTP into itself. After I issue the command, I get a password prompt. After I give the password, the connection closes with an Exit Status 127. There are 3 other systems configured the same and everything is functional. SFTP going in has been a problem since the first release including SFTP. I included the output from debug.

Thanks-JWP

$ sftp -v jpaint at ETwebuatbu Connecting to ETwebuatbu... debug1: SSH args "ssh -l jpaint -v ETwebuatbu -s -oForwardX11=no -oForwardAgent=no -oProtocol=2 sftp" OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f debug1: Seeded RNG with 36 bytes from programs debug1: Seeded RNG with 3 bytes from system calls debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: getuid 1009 geteuid 0 anon 1 debug1: Connecting to ETwebuatbu [10.200.10.5] port 23. debug1: Connection established.
debug1: unknown identity file /export/home/jpaint/.ssh/id_rsa debug1: identity file /export/home/jpaint/.ssh/id_rsa type -1 debug1: unknown identity file /export/home/jpaint/.ssh/id_dsa debug1: identity file /export/home/jpaint/.ssh/id_dsa type -1 debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.2p2 debug1: match: OpenSSH_2.5.2p2 pat ^OpenSSH Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_2.5.2p2 debug1: send KEXINIT debug1: done debug1: wait KEXINIT debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sh a1 debug1: got kexinit: ssh-dss debug1: got kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192 -cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc @lys ator.liu.se debug1: got kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192 -cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc @lys ator.liu.se debug1: got kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.co m,hmac-sha1-96,hmac-md5-96 debug1: got kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.co m,hmac-sha1-96,hmac-md5-96 debug1: got kexinit: none,zlib debug1: got kexinit: none,zlib debug1: got kexinit: debug1: got kexinit: debug1: first kex follow: 0 debug1: reserved: 0 debug1: done debug1: kex: server->client aes128-cbc hmac-md5 none debug1: kex: client->server aes128-cbc hmac-md5 none debug1: Sending SSH2_MSG_KEX_DH_GEX_REQUEST. debug1: Wait SSH2_MSG_KEX_DH_GEX_GROUP. debug1: Got SSH2_MSG_KEX_DH_GEX_GROUP. debug1: dh_gen_key: priv key bits set: 123/256 debug1: bits set: 1030/2049 debug1: Sending SSH2_MSG_KEX_DH_GEX_INIT. debug1: Wait SSH2_MSG_KEX_DH_GEX_REPLY. debug1: Got SSH2_MSG_KEXDH_REPLY. debug1: Host 'etwebuatbu' is known and matches the DSA host key. 
debug1: Found key in /export/home/jpaint/.ssh/known_hosts2:3 debug1: bits set: 1030/2049 debug1: len 55 datafellows 0 debug1: ssh_dss_verify: signature correct debug1: Wait SSH2_MSG_NEWKEYS. debug1: GOT SSH2_MSG_NEWKEYS. debug1: send SSH2_MSG_NEWKEYS. debug1: done: send SSH2_MSG_NEWKEYS. debug1: done: KEX2. debug1: send SSH2_MSG_SERVICE_REQUEST debug1: service_accept: ssh-userauth debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: authentications that can continue: publickey,password debug1: next auth method to try is publickey debug1: try privkey: /export/home/jpaint/.ssh/id_rsa debug1: try privkey: /export/home/jpaint/.ssh/id_dsa debug1: next auth method to try is password jpaint at etwebuatbu's password: debug1: ssh-userauth2 successful: method password debug1: fd 7 setting O_NONBLOCK debug1: fd 8 IS O_NONBLOCK debug1: channel 0: new [client-session] debug1: send channel open 0 debug1: Entering interactive session. debug1: client_init id 0 arg 0 debug1: Sending subsystem: sftp debug1: channel 0: open confirm rwindow 0 rmax 16384 debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 debug1: channel 0: rcvd eof debug1: channel 0: output open -> drain debug1: channel 0: rcvd close debug1: channel 0: input open -> closed debug1: channel 0: close_read debug1: channel 0: obuf empty debug1: channel 0: output drain -> closed debug1: channel 0: close_write debug1: channel 0: send close debug1: channel 0: is dead debug1: channel_free: channel 0: status: The following connections are open: #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1) debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.0 seconds debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0 debug1: Exit status 127 debug1: writing PRNG seed to file /export/home/jpaint/.ssh/prng_seed Connection closed From Jeff_Newton at pmc-sierra.com Wed May 9 02:18:03 2001 
From: Jeff_Newton at pmc-sierra.com (Jeff Newton) Date: Tue, 08 May 2001 09:18:03 -0700 Subject: Rhosts Auth Issues with OpenSSH 2.9p1 on Solaris 2.7 References: <3AF0EB4E.40E0B0A@pmc-sierra.com> <425458781.988941801@athyra> Message-ID: <3AF81C3B.685E1F87@pmc-sierra.com>

Carson Gaspar wrote:
>
> By default, ssh is not installed setuid root. Currently, you need to
> install it setuid root or it disables rhosts auth.
>
> Of course, rhosts auth is a terrible idea. Are you _sure_ you mean rhosts
> auth, or do you mean RSARhosts/Hostbasedauth? These currently _also_
> require that ssh be setuid root, but have far more security.

A configure --help seems to indicate that ssh is installed setuid root by default. Just to be sure I added the --enable-suid-ssh option to configure, recompiled, and installed.

Perms on /opt/openssh-2.9p1/bin are:

newton at odin [21] ls -l
total 23378
-rwxr-xr-x 1 root other 358376 May 8 09:05 scp
-rwxr-xr-x 1 root other 753696 May 8 09:05 sftp
lrwxrwxrwx 1 root other 3 May 8 09:05 slogin -> ssh
-rws--x--x 1 root other 3955464 May 8 09:05 ssh
-rwxr-xr-x 1 root other 2012280 May 8 09:05 ssh-add
-rwxr-xr-x 1 root other 1709948 May 8 09:05 ssh-agent
-rwxr-xr-x 1 root other 2017460 May 8 09:05 ssh-keygen
-rwxr-xr-x 1 root other 1078232 May 8 09:05 ssh-keyscan

I still get the following behaviour:

newton at odin [23] ./ssh -v odin OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f debug1: Reading configuration data /opt/openssh-2.9p1/etc/ssh_config debug1: Seeded RNG with 42 bytes from programs debug1: Seeded RNG with 3 bytes from system calls debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: restore_uid debug1: ssh_connect: getuid 1412 geteuid 0 anon 1 debug1: Connecting to odin [134.87.115.142] port 22. debug1: temporarily_use_uid: 1412/67 (e=0) debug1: restore_uid debug1: temporarily_use_uid: 1412/67 (e=0) debug1: restore_uid debug1: Connection established.
debug1: read PEM private key done: type DSA debug1: read PEM private key done: type RSA debug1: identity file /home/cs/newton/.ssh/identity type -1 debug1: identity file /home/cs/newton/.ssh/id_rsa type -1 debug1: identity file /home/cs/newton/.ssh/id_dsa type -1 debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p1 debug1: match: OpenSSH_2.9p1 pat ^OpenSSH Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_2.9p1 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-cbc hmac-md5 none debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 112/256 debug1: bits set: 1015/2049 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host 'odin' is known and matches the RSA host key. debug1: Found key in /home/cs/newton/.ssh/known_hosts2:4 debug1: bits set: 1024/2049 debug1: ssh_rsa_verify: signature correct debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. debug1: send SSH2_MSG_SERVICE_REQUEST debug1: service_accept: ssh-userauth debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased debug1: next auth method to try is publickey debug1: try privkey: /home/cs/newton/.ssh/identity debug1: try privkey: /home/cs/newton/.ssh/id_rsa debug1: try privkey: /home/cs/newton/.ssh/id_dsa debug1: next auth method to try is password newton at odin's password: Anyone have any ideas? Cheers, -- Jeff Newton Security Analyst PMC-Sierra Inc. From mouring at etoh.eviladmin.org Wed May 9 04:00:24 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Tue, 8 May 2001 13:00:24 -0500 (CDT) Subject: sftp problem In-Reply-To: <7D11E5207431D411983100508BCF5C7A34AD05@ztexch01.zt.com> Message-ID:

Check your sshd_config 'Subsystem sftp ..' line and ensure that your sftp-server exists in that location.

- Ben

On Tue, 8 May 2001, Painter, Jeff (ZoomTown) wrote:

> I am trying to resolve an issue with SSH2 version 2.5.2p2 on Solaris 2.6.
> SSH2, SSH1 and SCP all work fine in and out. The problem is with SFTP. I
> can SFTP out, but not in. I can't SFTP into itself. After I issue the
> command, I get a password prompt. After I give the password, the connection
> closes with an Exit Status 127. There are 3 other systems configured the same
> and everything is functional. SFTP going in has been a problem since the
> first release including SFTP. I included the output from debug.
>
> Thanks-JWP
>
> $ sftp -v jpaint at ETwebuatbu
> Connecting to ETwebuatbu...
> debug1: SSH args "ssh -l jpaint -v ETwebuatbu -s -oForwardX11=no
> -oForwardAgent=
> no -oProtocol=2 sftp"
> OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
> debug1: Seeded RNG with 36 bytes from programs
> debug1: Seeded RNG with 3 bytes from system calls
> debug1: Rhosts Authentication disabled, originating port will not be
> trusted.
> debug1: ssh_connect: getuid 1009 geteuid 0 anon 1
> debug1: Connecting to ETwebuatbu [10.200.10.5] port 23.
> debug1: Connection established.
> debug1: unknown identity file /export/home/jpaint/.ssh/id_rsa > debug1: identity file /export/home/jpaint/.ssh/id_rsa type -1 > debug1: unknown identity file /export/home/jpaint/.ssh/id_dsa > debug1: identity file /export/home/jpaint/.ssh/id_dsa type -1 > debug1: Remote protocol version 1.99, remote software version > OpenSSH_2.5.2p2 > debug1: match: OpenSSH_2.5.2p2 pat ^OpenSSH > Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_2.5.2p2 > debug1: send KEXINIT > debug1: done > debug1: wait KEXINIT > debug1: got kexinit: > diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sh > a1 > debug1: got kexinit: ssh-dss > debug1: got kexinit: > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192 > -cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc > @lys > ator.liu.se > debug1: got kexinit: > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192 > -cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc > @lys > ator.liu.se > debug1: got kexinit: > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.co > m,hmac-sha1-96,hmac-md5-96 > debug1: got kexinit: > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.co > m,hmac-sha1-96,hmac-md5-96 > debug1: got kexinit: none,zlib > debug1: got kexinit: none,zlib > debug1: got kexinit: > debug1: got kexinit: > debug1: first kex follow: 0 > debug1: reserved: 0 > debug1: done > debug1: kex: server->client aes128-cbc hmac-md5 none > debug1: kex: client->server aes128-cbc hmac-md5 none > debug1: Sending SSH2_MSG_KEX_DH_GEX_REQUEST. > debug1: Wait SSH2_MSG_KEX_DH_GEX_GROUP. > debug1: Got SSH2_MSG_KEX_DH_GEX_GROUP. > debug1: dh_gen_key: priv key bits set: 123/256 > debug1: bits set: 1030/2049 > debug1: Sending SSH2_MSG_KEX_DH_GEX_INIT. > debug1: Wait SSH2_MSG_KEX_DH_GEX_REPLY. > debug1: Got SSH2_MSG_KEXDH_REPLY. > debug1: Host 'etwebuatbu' is known and matches the DSA host key. 
> debug1: Found key in /export/home/jpaint/.ssh/known_hosts2:3 > debug1: bits set: 1030/2049 > debug1: len 55 datafellows 0 > debug1: ssh_dss_verify: signature correct > debug1: Wait SSH2_MSG_NEWKEYS. > debug1: GOT SSH2_MSG_NEWKEYS. > debug1: send SSH2_MSG_NEWKEYS. > debug1: done: send SSH2_MSG_NEWKEYS. > debug1: done: KEX2. > debug1: send SSH2_MSG_SERVICE_REQUEST > debug1: service_accept: ssh-userauth > debug1: got SSH2_MSG_SERVICE_ACCEPT > debug1: authentications that can continue: publickey,password > debug1: next auth method to try is publickey > debug1: try privkey: /export/home/jpaint/.ssh/id_rsa > debug1: try privkey: /export/home/jpaint/.ssh/id_dsa > debug1: next auth method to try is password > jpaint at etwebuatbu's password: > debug1: ssh-userauth2 successful: method password > debug1: fd 7 setting O_NONBLOCK > debug1: fd 8 IS O_NONBLOCK > debug1: channel 0: new [client-session] > debug1: send channel open 0 > debug1: Entering interactive session. > debug1: client_init id 0 arg 0 > debug1: Sending subsystem: sftp > debug1: channel 0: open confirm rwindow 0 rmax 16384 > debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 > debug1: channel 0: rcvd eof > debug1: channel 0: output open -> drain > debug1: channel 0: rcvd close > debug1: channel 0: input open -> closed > debug1: channel 0: close_read > debug1: channel 0: obuf empty > debug1: channel 0: output drain -> closed > debug1: channel 0: close_write > debug1: channel 0: send close > debug1: channel 0: is dead > debug1: channel_free: channel 0: status: The following connections are open: > #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1) > > debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.0 seconds > debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0 > debug1: Exit status 127 > debug1: writing PRNG seed to file /export/home/jpaint/.ssh/prng_seed > Connection closed > From sxw at dcs.ed.ac.uk Wed May 9 03:16:25 2001 
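A check for the configuration Ben points at, added here as an example rather than code from the thread or from OpenSSH: sshd starts the `Subsystem sftp` program through the user's login shell, and a shell that cannot find the program it was asked to run exits with status 127, which is exactly the "Exit status 127" in Jeff's trace. The functions below pull the sftp-server path out of an sshd_config and confirm that it exists and is executable; they have to be run on the server host, since that is where sshd resolves the path. The sshd_config contents used for the stand-alone run are constructed, and the paths under the temporary directory and the deliberately missing `/usr/local/libexec/sftp-server-not-installed` are hypothetical stand-ins for wherever the build actually put sftp-server.

```shell
# Added example (not from the thread or from OpenSSH): check that the
# 'Subsystem sftp' line in an sshd_config names a program that exists and is
# executable. sshd runs the subsystem through the user's shell, so a missing
# or non-executable program makes that shell exit with status 127, which the
# sftp client reports as "Exit status 127" before the connection closes.

# Print the program configured for the sftp subsystem in the sshd_config
# given as $1, or nothing if there is no such line. Comment lines are
# skipped and the keyword is matched case-insensitively, as sshd does.
sftp_subsystem_path() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "subsystem" && $2 == "sftp" { print $3; exit }
    ' "$1"
}

# Verify the sftp subsystem for the sshd_config given as $1.
# Returns 0 when the program is present and executable,
#         1 when no 'Subsystem sftp' line is configured,
#         2 when the configured path is missing or not executable.
check_sftp_subsystem() {
    cfg=$1
    prog=$(sftp_subsystem_path "$cfg")
    if [ -z "$prog" ]; then
        echo "$cfg: no 'Subsystem sftp' line, sftp logins will be refused" >&2
        return 1
    fi
    if [ -x "$prog" ]; then
        echo "$cfg: sftp subsystem ok ($prog)"
        return 0
    fi
    echo "$cfg: 'Subsystem sftp $prog' but that path is missing or not executable (expect exit status 127)" >&2
    return 2
}

# Stand-alone demonstration on constructed configs and hypothetical paths.
demo_dir=$(mktemp -d)
printf 'x\n' > "$demo_dir/sftp-server"
chmod 755 "$demo_dir/sftp-server"
printf '# sample sshd_config (constructed for this example)\nSubsystem sftp %s\n' \
    "$demo_dir/sftp-server" > "$demo_dir/sshd_config.good"
printf 'Subsystem sftp /usr/local/libexec/sftp-server-not-installed\n' \
    > "$demo_dir/sshd_config.bad"
check_sftp_subsystem "$demo_dir/sshd_config.good" || :
check_sftp_subsystem "$demo_dir/sshd_config.bad" || :
rm -rf "$demo_dir"
```

On a real server, run `check_sftp_subsystem /path/to/sshd_config` as the user who cannot connect, since a path that root can execute but the user cannot (or that the user's restricted shell will not run) produces the same 127.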
From: sxw at dcs.ed.ac.uk (Simon Wilkinson) Date: Tue, 8 May 2001 18:16:25 +0100 Subject: New kex organisation and user options. Message-ID: <0105081816250E.10271@loki.dcs.ed.ac.uk> I'm in the process of updating my GSSAPI patches to the 2.9 release. However, I've run into a slight problem with managing to get user options to play nicely with the way that the kex code is now organised. With the GSS kex its possible for the user to specify whether they want to delegate their credentials to the server or not. This option is used only on the client side (and so is specified in the client options structure). Previously, when the client and server kex code lived in client/server specific files this was fine. With the reorganisation for rekeying, the code now lives in generic files which are included by both client and server, which appears to make it impossible to use the options structure within the key exchange code. Does anyone have any idea of a clean way to get around this? I must confess, I'm a little stumped for a way to do it that doesn't impact majorly on the current codebase (and doesn't involve using new global variables to represent options items) Cheers, Simon -- Simon Wilkinson http://www.sxw.org.uk "Men occasionally stumble over the truth, but most pick themselves up and hurry off as if nothing had happened" -- Winston Churchill From markus.friedl at informatik.uni-erlangen.de Wed May 9 05:13:23 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 8 May 2001 21:13:23 +0200 Subject: SSH and forced wtmp entries ... In-Reply-To: <20010508080204.A12722@rhs-notebook>; from Randolf-ML@Skerka.de on Tue, May 08, 2001 at 08:02:04AM +0200 References: <20010507083254.A9307@rhs-notebook> <20010507150303.A12892@faui02.informatik.uni-erlangen.de> <20010508080204.A12722@rhs-notebook> Message-ID: <20010508211323.A20945@folly> On Tue, May 08, 2001 at 08:02:04AM +0200, Randolf Skerka wrote: > On Mon, May 07, 2001 at 03:03:03PM +0200, Markus Friedl wrote: > > try to use > > ssh -t host command > > > > is this ok? > > No, doesn't work, tried it before :-( -t allocates a tty and adds user to lastlog. so what's wrong? if it does not add the user, then it's a bug. > > why do you need wtmp? ssh just emulates the > > traditional rsh/rlogin behaviour. wtmp gets > > updated only if you allocate a tty. > > > > every login is registered in /var/log/authlog > > Well, wtmp is available on all platforms. HP-UX does not have a > /var/log/authlog for example. this does not depend on the OS but on syslog.conf and sshd_config, but this is not my point. > Why I need it? Simple, if somebody enters "ssh worldserver rm -rf /" I > would like to know who did it ... ok, bad example rm will remove wtmp > too but I think you know what I mean, right? > > Yesterday I've looked into the source but it's a bit to complex for me > to support a patch. I think we do not need a correct tty entry, we could > use a faked one. It's important to have the hostname, username date and > time. It's correct, rsh/rlogin does not update wtmp in that case, but > wouldn't OpenSSH be better ;-) this is logged in wherever syslogd puts the SyslogFacility from sshd_config. -m From markus.friedl at informatik.uni-erlangen.de Wed May 9 05:20:03 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 8 May 2001 21:20:03 +0200 Subject: Rhosts Auth Issues with OpenSSH 2.9p1 on Solaris 2.7 In-Reply-To: <3AF81C3B.685E1F87@pmc-sierra.com>; from Jeff_Newton@pmc-sierra.com on Tue, May 08, 2001 at 09:18:03AM -0700 References: <3AF0EB4E.40E0B0A@pmc-sierra.com> <425458781.988941801@athyra> <3AF81C3B.685E1F87@pmc-sierra.com> Message-ID: <20010508212003.B20945@folly>

you have to enable privileged ports with
UsePrivileged yes
in ssh_config if you want to use the rhosts-authentication (not recommended, should be removed :)

you also need this for rhosts-rsa to legacy servers.

On Tue, May 08, 2001 at 09:18:03AM -0700, Jeff Newton wrote:
> Carson Gaspar wrote:
> >
> > By default, ssh is not installed setuid root. Currently, you need to
> > install it setuid root or it disables rhosts auth.
> >
> > Of course, rhosts auth is a terrible idea. Are you _sure_ you mean rhosts
> > auth, or do you mean RSARhosts/Hostbasedauth? These currently _also_
> > require that ssh be setuid root, but have far more security.
>
> A configure --help seems to indicate that ssh is installed setuid root
> by default. Just to be sure I added the --enable-suid-ssh option to
> configure, recompiled, and installed.
> > Perms on /opt/openssh-2.9p1/bin are: > > newton at odin [21] ls -l > total 23378 > -rwxr-xr-x 1 root other 358376 May 8 09:05 scp > -rwxr-xr-x 1 root other 753696 May 8 09:05 sftp > lrwxrwxrwx 1 root other 3 May 8 09:05 slogin -> ssh > -rws--x--x 1 root other 3955464 May 8 09:05 ssh > -rwxr-xr-x 1 root other 2012280 May 8 09:05 ssh-add > -rwxr-xr-x 1 root other 1709948 May 8 09:05 ssh-agent > -rwxr-xr-x 1 root other 2017460 May 8 09:05 ssh-keygen > -rwxr-xr-x 1 root other 1078232 May 8 09:05 ssh-keyscan > > I still get the following behaviour: > > newton at odin [23] ./ssh -v odin > OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f > debug1: Reading configuration data /opt/openssh-2.9p1/etc/ssh_config > debug1: Seeded RNG with 42 bytes from programs > debug1: Seeded RNG with 3 bytes from system calls > debug1: Rhosts Authentication disabled, originating port will not be > trusted. > debug1: restore_uid > debug1: ssh_connect: getuid 1412 geteuid 0 anon 1 > debug1: Connecting to odin [134.87.115.142] port 22. > debug1: temporarily_use_uid: 1412/67 (e=0) > debug1: restore_uid > debug1: temporarily_use_uid: 1412/67 (e=0) > debug1: restore_uid > debug1: Connection established. 
> debug1: read PEM private key done: type DSA > debug1: read PEM private key done: type RSA > debug1: identity file /home/cs/newton/.ssh/identity type -1 > debug1: identity file /home/cs/newton/.ssh/id_rsa type -1 > debug1: identity file /home/cs/newton/.ssh/id_dsa type -1 > debug1: Remote protocol version 1.99, remote software version > OpenSSH_2.9p1 > debug1: match: OpenSSH_2.9p1 pat ^OpenSSH > Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_2.9p1 > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug1: kex: server->client aes128-cbc hmac-md5 none > debug1: kex: client->server aes128-cbc hmac-md5 none > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP > debug1: dh_gen_key: priv key bits set: 112/256 > debug1: bits set: 1015/2049 > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY > debug1: Host 'odin' is known and matches the RSA host key. > debug1: Found key in /home/cs/newton/.ssh/known_hosts2:4 > debug1: bits set: 1024/2049 > debug1: ssh_rsa_verify: signature correct > debug1: kex_derive_keys > debug1: newkeys: mode 1 > debug1: SSH2_MSG_NEWKEYS sent > debug1: waiting for SSH2_MSG_NEWKEYS > debug1: newkeys: mode 0 > debug1: SSH2_MSG_NEWKEYS received > debug1: done: ssh_kex2. > debug1: send SSH2_MSG_SERVICE_REQUEST > debug1: service_accept: ssh-userauth > debug1: got SSH2_MSG_SERVICE_ACCEPT > debug1: authentications that can continue: > publickey,password,keyboard-interactive,hostbased > debug1: next auth method to try is publickey > debug1: try privkey: /home/cs/newton/.ssh/identity > debug1: try privkey: /home/cs/newton/.ssh/id_rsa > debug1: try privkey: /home/cs/newton/.ssh/id_dsa > debug1: next auth method to try is password > newton at odin's password: > > Anyone have any ideas? > > Cheers, > > -- > Jeff Newton > Security Analyst > PMC-Sierra Inc. From Jeff_Newton at pmc-sierra.com Wed May 9 06:20:30 2001 
From: Jeff_Newton at pmc-sierra.com (Jeff Newton)
Date: Tue, 08 May 2001 13:20:30 -0700
Subject: Rhosts Auth Issues with OpenSSH 2.9p1 on Solaris 2.7
References: <3AF0EB4E.40E0B0A@pmc-sierra.com> <425458781.988941801@athyra> <3AF81C3B.685E1F87@pmc-sierra.com> <20010508212003.B20945@folly>
Message-ID: <3AF8550E.8869E8E3@pmc-sierra.com>

Thanks, that did it.

Cheers,

Markus Friedl wrote:
>
> you have to enable privileged ports with
> UsePrivileged yes
> in ssh_config if you want to use the rhosts-authentication
> (not recommended, should be removed :)
>
> you also need this for rhosts-rsa to legacy servers.
>
> On Tue, May 08, 2001 at 09:18:03AM -0700, Jeff Newton wrote:
> > Carson Gaspar wrote:
> > >
> > > By default, ssh is not installed setuid root. Currently, you need to
> > > install it setuid root or it disables rhosts auth.
> > >
> > > Of course, rhosts auth is a terrible idea. Are you _sure_ you mean rhosts
> > > auth, or do you mean RSARhosts/Hostbasedauth? These currently _also_
> > > require that ssh be setuid root, but have far more security.
> >
> > A configure --help seems to indicate that ssh is installed setuid root
> > by default. Just to be sure I added the --enable-suid-ssh option to
> > configure, recompiled, and installed.
> > > > Perms on /opt/openssh-2.9p1/bin are: > > > > newton at odin [21] ls -l > > total 23378 > > -rwxr-xr-x 1 root other 358376 May 8 09:05 scp > > -rwxr-xr-x 1 root other 753696 May 8 09:05 sftp > > lrwxrwxrwx 1 root other 3 May 8 09:05 slogin -> ssh > > -rws--x--x 1 root other 3955464 May 8 09:05 ssh > > -rwxr-xr-x 1 root other 2012280 May 8 09:05 ssh-add > > -rwxr-xr-x 1 root other 1709948 May 8 09:05 ssh-agent > > -rwxr-xr-x 1 root other 2017460 May 8 09:05 ssh-keygen > > -rwxr-xr-x 1 root other 1078232 May 8 09:05 ssh-keyscan > > > > I still get the following behaviour: > > > > newton at odin [23] ./ssh -v odin > > OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f > > debug1: Reading configuration data /opt/openssh-2.9p1/etc/ssh_config > > debug1: Seeded RNG with 42 bytes from programs > > debug1: Seeded RNG with 3 bytes from system calls > > debug1: Rhosts Authentication disabled, originating port will not be > > trusted. > > debug1: restore_uid > > debug1: ssh_connect: getuid 1412 geteuid 0 anon 1 > > debug1: Connecting to odin [134.87.115.142] port 22. > > debug1: temporarily_use_uid: 1412/67 (e=0) > > debug1: restore_uid > > debug1: temporarily_use_uid: 1412/67 (e=0) > > debug1: restore_uid > > debug1: Connection established. 
> > debug1: read PEM private key done: type DSA > > debug1: read PEM private key done: type RSA > > debug1: identity file /home/cs/newton/.ssh/identity type -1 > > debug1: identity file /home/cs/newton/.ssh/id_rsa type -1 > > debug1: identity file /home/cs/newton/.ssh/id_dsa type -1 > > debug1: Remote protocol version 1.99, remote software version > > OpenSSH_2.9p1 > > debug1: match: OpenSSH_2.9p1 pat ^OpenSSH > > Enabling compatibility mode for protocol 2.0 > > debug1: Local version string SSH-2.0-OpenSSH_2.9p1 > > debug1: SSH2_MSG_KEXINIT sent > > debug1: SSH2_MSG_KEXINIT received > > debug1: kex: server->client aes128-cbc hmac-md5 none > > debug1: kex: client->server aes128-cbc hmac-md5 none > > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent > > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP > > debug1: dh_gen_key: priv key bits set: 112/256 > > debug1: bits set: 1015/2049 > > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent > > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY > > debug1: Host 'odin' is known and matches the RSA host key. > > debug1: Found key in /home/cs/newton/.ssh/known_hosts2:4 > > debug1: bits set: 1024/2049 > > debug1: ssh_rsa_verify: signature correct > > debug1: kex_derive_keys > > debug1: newkeys: mode 1 > > debug1: SSH2_MSG_NEWKEYS sent > > debug1: waiting for SSH2_MSG_NEWKEYS > > debug1: newkeys: mode 0 > > debug1: SSH2_MSG_NEWKEYS received > > debug1: done: ssh_kex2. > > debug1: send SSH2_MSG_SERVICE_REQUEST > > debug1: service_accept: ssh-userauth > > debug1: got SSH2_MSG_SERVICE_ACCEPT > > debug1: authentications that can continue: > > publickey,password,keyboard-interactive,hostbased > > debug1: next auth method to try is publickey > > debug1: try privkey: /home/cs/newton/.ssh/identity > > debug1: try privkey: /home/cs/newton/.ssh/id_rsa > > debug1: try privkey: /home/cs/newton/.ssh/id_dsa > > debug1: next auth method to try is password > > newton at odin's password: > > > > Anyone have any ideas? 
> > > > Cheers, > > > > -- > > Jeff Newton > > Security Analyst > > PMC-Sierra Inc. -- Jeff Newton Security Analyst PMC-Sierra Inc. From mouring at etoh.eviladmin.org Wed May 9 06:24:17 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Tue, 8 May 2001 15:24:17 -0500 (CDT) Subject: PATCH: UseLogin fix for 2.9p1 (w/improved last-login time) In-Reply-To: Message-ID: Applied. Thanks. - Ben On Sun, 29 Apr 2001, Wayne Davison wrote: > Attached is the latest version of my UseLogin patch that makes > "UseLogin true" work on Solaris and UNICOS. As usual, I have provided > configure.in changes that set the appropriate defines for Solaris, but > I have not provided the configure.in changes for UNICOS (since they > would be incomplete, and Wendy is working on this). > > This version fixes a problem with the last-login time always being > reported as the current time (I had to add a new record_*() function > since record_login() was changing other things than the {u,w}tmp{x,} > data). This version also changes less existing code, to hopefully > make it easier to maintain against the BSD source. > > The patch is relative to the 2.9p1 source I just grabbed out of CVS. > > ..wayne.. > From mouring at etoh.eviladmin.org Wed May 9 06:31:51 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Tue, 8 May 2001 15:31:51 -0500 (CDT) Subject: OSF1 and USE_SIA In-Reply-To: <20010507105641.B15326@HiWAAY.net> Message-ID: Thanks, applied. - Ben On Mon, 7 May 2001, Chris Adams wrote: > Once upon a time, mouring at etoh.eviladmin.org said: > > On Mon, 7 May 2001 J.S.Peatfield at damtp.cam.ac.uk wrote: > > > Is the following (from configure.in) intended: > > > > > > *-dec-osf*) > > > if test ! -z "USE_SIA" ; then > > > AC_MSG_CHECKING(for Digital Unix Security Integration Architecture) > > > > > > should that be "$USE_SIA" or similar or what is the point of testing a constant > > > string for being zero length... > > > > > > > Yes it should be. Thanks. > > How about a patch to add a "--without-sia" option like (instead of > setting environment variables): > > diff -urN openssh_cvs/configure.in openssh/configure.in > --- openssh_cvs/configure.in Sat Apr 28 16:36:17 2001 > +++ openssh/configure.in Mon May 7 10:53:36 2001 > @@ -237,8 +237,18 @@ > MANTYPE=man > ;; > *-dec-osf*) > - if test ! -z "USE_SIA" ; then > - AC_MSG_CHECKING(for Digital Unix Security Integration Architecture) > + AC_MSG_CHECKING(for Digital Unix SIA) > + no_osfsia="" > + AC_ARG_WITH(osfsia, > + [ --with-osfsia Enable Digital Unix SIA], > + [ > + if test "x$withval" = "xno" ; then > + AC_MSG_RESULT(disabled) > + no_osfsia=1 > + fi > + ], > + ) > + if test -z "$no_osfsia" ; then > if test -f /etc/sia/matrix.conf; then > AC_MSG_RESULT(yes) > AC_DEFINE(HAVE_OSF_SIA) > > -- > Chris Adams > Systems and Network Administrator - HiWAAY Internet Services > I don't speak for anybody but myself - that's enough trouble. > From Jeff_Newton at pmc-sierra.com Wed May 9 07:57:26 2001 
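Review bot: The help string `--with-osfsia Enable Digital Unix SIA` in the configure.in hunk is misleading, because the only value the action body handles is `--with-osfsia=no` (i.e. `--without-osfsia`); plain `--with-osfsia` behaves exactly like the default, so describe the option as `--without-osfsia Disable Digital Unix SIA` (the covering text also calls it `--without-sia`, which does not match the macro's `osfsia` name). The trailing comma in `AC_ARG_WITH(osfsia, ..., [ ... ], )` passes an empty action-if-not-given argument; drop it and close the macro after the third argument. The replacement of `test ! -z "USE_SIA"` by `test -z "$no_osfsia"` does resolve the constant-string test J.S.Peatfield pointed out.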
From: Jeff_Newton at pmc-sierra.com (Jeff Newton) Date: Tue, 08 May 2001 14:57:26 -0700 Subject: Issues with OpenSSH 2.9p1 on HPUX11 References: <3AF0EB4E.40E0B0A@pmc-sierra.com> <425458781.988941801@athyra> <3AF81C3B.685E1F87@pmc-sierra.com> <20010508212003.B20945@folly> Message-ID: <3AF86BC6.8075D330@pmc-sierra.com> Are there issues with HPUX11 and OpenSSH 2.9p1 with respect to Rhosts Auth? I've just now got Rhosts Auth working on Solaris 2.7 but my HPUX11 machines (compiled the same, same ssh_config and sshd_config) do not behave the same. Here are the details....hopefully someone will have an idea as to why this doesn't work.: newton at boston [3] /opt/ssh/bin/ssh -v boston OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f debug1: Reading configuration data /opt/openssh-2.9p1/etc/ssh_config debug1: Seeded RNG with 27 bytes from programs debug1: Seeded RNG with 3 bytes from system calls debug1: restore_uid debug1: ssh_connect: getuid 1412 geteuid 0 anon 0 debug1: Connecting to boston [216.241.226.33] port 22. debug1: Allocated local port 784. debug1: temporarily_use_uid: 1412/67 (e=0) debug1: restore_uid debug1: Connection established. debug1: read PEM private key done: type DSA debug1: read PEM private key done: type RSA debug1: identity file /home/cs/newton/.ssh/identity type -1 debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p1 debug1: match: OpenSSH_2.9p1 pat ^OpenSSH debug1: Local version string SSH-1.5-OpenSSH_2.9p1 debug1: Waiting for server public key. debug1: Received server public key (768 bits) and host key (1024 bits). debug1: Host 'boston' is known and matches the RSA1 host key. debug1: Found key in /home/cs/newton/.ssh/known_hosts:10 debug1: Encryption type: 3des debug1: Sent encrypted session key. debug1: Installing crc compensation attack detector. debug1: Received encrypted confirmation. debug1: Trying rhosts authentication. debug1: Trying rhosts or /etc/hosts.equiv with RSA host authentication. 
debug1: Server refused our rhosts authentication or host key. debug1: Doing password authentication. newton at boston's password: # /opt/ssh/sbin/sshd -d debug1: Seeded RNG with 28 bytes from programs debug1: Seeded RNG with 3 bytes from system calls debug1: sshd version OpenSSH_2.9p1 debug1: private host key: #0 type 0 RSA1 debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. Generating 768 bit RSA key. RSA key generation complete. debug1: Server will not fork when running in debugging mode. Connection from 216.241.226.33 port 674 debug1: Client protocol version 1.5; client software version OpenSSH_2.9p1 debug1: match: OpenSSH_2.9p1 pat ^OpenSSH debug1: Local version string SSH-1.99-OpenSSH_2.9p1 debug1: Sent 768 bit server key and 1024 bit host key. debug1: Encryption type: 3des debug1: Received session key; encryption turned on. debug1: Installing crc compensation attack detector. debug1: Attempting authentication for newton. debug1: temporarily_use_uid: 1412/67 (e=0) debug1: restore_uid debug1: temporarily_use_uid: 1412/67 (e=0) debug1: restore_uid Failed rhosts for newton from 216.241.226.33 port 674 ruser newton debug1: Trying rhosts with RSA host authentication for client user newton debug1: temporarily_use_uid: 1412/67 (e=0) debug1: restore_uid debug1: temporarily_use_uid: 1412/67 (e=0) debug1: restore_uid Failed rhosts-rsa for newton from 216.241.226.33 port 674 ruser newton Cheers, -- Jeff Newton Security Analyst PMC-Sierra Inc. From markus.friedl at informatik.uni-erlangen.de Wed May 9 07:43:23 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 8 May 2001 23:43:23 +0200
Subject: RSARhosts / Hostbased auth and euid=0 requirement
In-Reply-To: <426348406.988942690@athyra>; from carson@taltos.org on Fri, May 04, 2001 at 02:18:10AM -0700
References: <426348406.988942690@athyra>
Message-ID: <20010508234323.A16403@folly>

On Fri, May 04, 2001 at 02:18:10AM -0700, Carson Gaspar wrote:
> - Allow ssh to read alternate key files.

i'm not sure about this one.
you want to force ssh to read arbitrary key files
and produce valid signatures with random files.

> - Allow said key files to be group readable

we've been discussing a setgid ssh earlier, but
decided that it's not the way to go.

however, i think about moving the client side of
hostbased authentication out of ssh, to a setuid binary
/usr/libexec/ssh-keysign
and remove the sbit from ssh.
ssh-keysign will read the hostkeys and generate a valid
signature.

this won't work for rhosts-rsa, but there is no need
to use rhosts-rsa if hostbased authentication works.
if you really need to support protocol 1 with rhosts-rsa,
you can turn on the sbit again for ssh.

-m

From markus.friedl at informatik.uni-erlangen.de Wed May 9 07:53:51 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 8 May 2001 23:53:51 +0200
Subject: New kex organisation and user options.
In-Reply-To: <0105081816250E.10271@loki.dcs.ed.ac.uk>; from sxw@dcs.ed.ac.uk on Tue, May 08, 2001 at 06:16:25PM +0100
References: <0105081816250E.10271@loki.dcs.ed.ac.uk>
Message-ID: <20010508235350.A29169@folly>

On Tue, May 08, 2001 at 06:16:25PM +0100, Simon Wilkinson wrote:
> With the GSS kex it's possible for the user to specify whether they want to
> delegate their credentials to the server or not. This option is used only on
> the client side (and so is specified in the client options structure).
> Previously, when the client and server kex code lived in client/server
> specific files this was fine. With the reorganisation for rekeying, the code
> now lives in generic files which are included by both client and server,
> which appears to make it impossible to use the options structure within the
> key exchange code.

you still can split your own code into client and server files
and extend struct Kex.

-m

From carson at taltos.org Wed May 9 09:03:16 2001
From: carson at taltos.org (Carson Gaspar)
Date: Tue, 08 May 2001 16:03:16 -0700
Subject: RSARhosts / Hostbased auth and euid=0 requirement
In-Reply-To: <20010508234323.A16403@folly>
References: <20010508234323.A16403@folly>
Message-ID: <1630745343.989337796@ZATHROS>

--On Tuesday, May 08, 2001 11:43 PM +0200 Markus Friedl wrote:
>
> On Fri, May 04, 2001 at 02:18:10AM -0700, Carson Gaspar wrote:
>> - Allow ssh to read alternate key files.
>
> i'm not sure about this one.
> you want to force ssh to read arbitrary key files
> and produce valid signatures with random files.

I can do this already, if I compile my own ssh client. On the other hand,
my random client won't be set*id anything. So perhaps this isn't a good
idea. It's not necessary, anyway.

>> - Allow said key files to be group readable
>
> we've been discussing a setgid ssh earlier, but
> decided that it's not the way to go.
>
> however, i think about moving the client side of
> hostbased authentication out of ssh, to a setuid binary
> /usr/libexec/ssh-keysign
> and remove the sbit from ssh.
> ssh-keysign will read the hostkeys and generate a valid
> signature.

Great. Is this going to be implemented anytime soon? If so, I withdraw my
suggestion. If not, please let's get a stop-gap solution in place quickly.

--
Carson Gaspar - carson at taltos.org
Queen trapped in a butch body

From J.S.Peatfield at damtp.cam.ac.uk Wed May 9 09:38:43 2001
From: J.S.Peatfield at damtp.cam.ac.uk (J.S.Peatfield at damtp.cam.ac.uk)
Date: Wed, 9 May 2001 00:38:43 +0100
Subject: HostbasedAuthentication, and my sillyness
Message-ID: <200105082338.AAA15403.redmires.amtp.cam.ac.uk@damtp.cam.ac.uk>

Maybe I just can't read properly, but I just spent the best part of a day
trying to work out why HostbasedAuthentication wouldn't work for me (with
protocol 2 in openssh-2.9p1).

It seems (though maybe there is something wrong with my install) that after
enabling it in the sshd_config it doesn't work, since the client will not in
fact request it (by default).

I was fooled by the statement in the ssh man page about
HostbasedAuthentication that the client supports this by default (well, it
is set to "yes"). While it supports it, it seems that the default value for
PreferredAuthentications is set to:

    publickey,password,keyboard-interactive,hostbased

so it starts prompting for a password before getting that far. Setting the
list to:

    publickey,hostbased,password,keyboard-interactive

in ssh_config seems to do the trick, but even having added this I still
can't find anything obvious which I should have seen before.

If nothing else I'd suggest a statement in the ssh man page in the section
for HostbasedAuthentication saying that one needs to alter the
PreferredAuthentications before it is likely to work.

Looking at the code in sshconnect2.c it seems to default to the order in
the authmethods array; is there any reason not to patch that to place
hostbased before password?

Am I missing something? Is this a subtle hint that we should not actually
use hostbasedauthentication?

-- Jon

From bowman at math.ualberta.ca Wed May 9 09:52:24 2001
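To make the ordering problem visible from a debug log rather than by trial and error, here is a small Python helper added as an example (not part of this thread and not OpenSSH's code). It reads the `authentications that can continue` and `next auth method to try is` lines from `ssh -v` output and computes the order the client will actually use: the client's PreferredAuthentications list, filtered by what the server offered, which is the behaviour described above. The sample log lines are a constructed subset of the ones quoted earlier in this thread.

```python
import re
from typing import List, Tuple

# Constructed sample: a subset of the `ssh -v` lines quoted earlier in this
# thread (a 2.9p1 client talking to a server that does offer hostbased).
SAMPLE_LOG = """\
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: next auth method to try is publickey
debug1: try privkey: /home/cs/newton/.ssh/identity
debug1: next auth method to try is password
newton at odin's password:
"""

# The 2.9p1 client default and the reordered list from the message above.
DEFAULT_PREFERRED = "publickey,password,keyboard-interactive,hostbased"
REORDERED_PREFERRED = "publickey,hostbased,password,keyboard-interactive"

# Methods that stop and ask the user for something before the client moves on.
INTERACTIVE = {"password", "keyboard-interactive"}


def server_offered(log: str) -> List[str]:
    """Methods the server listed in its last 'authentications that can continue' line."""
    offers = re.findall(r"authentications that can continue: ([\w,-]+)", log)
    return offers[-1].split(",") if offers else []


def client_tried(log: str) -> List[str]:
    """Methods the client announced with 'next auth method to try is ...', in order."""
    return re.findall(r"next auth method to try is ([\w-]+)", log)


def effective_order(preferred: str, offered: List[str]) -> List[str]:
    """Walk PreferredAuthentications and keep only what the server offered.

    The client's list decides the order; the server's list decides eligibility.
    """
    eligible = set(offered)
    return [m for m in preferred.split(",") if m in eligible]


def hostbased_before_prompt(preferred: str, offered: List[str]) -> bool:
    """True if hostbased would be attempted before any interactive method."""
    order = effective_order(preferred, offered)
    if "hostbased" not in order:
        return False
    return not any(m in INTERACTIVE for m in order[: order.index("hostbased")])


def diagnose(log: str, preferred: str = DEFAULT_PREFERRED) -> Tuple[bool, str]:
    """Explain from a debug log why hostbased did or did not get a chance."""
    offered = server_offered(log)
    tried = client_tried(log)
    if "hostbased" not in offered:
        return False, "server did not offer hostbased; check HostbasedAuthentication in sshd_config"
    predicted = effective_order(preferred, offered)
    # Sanity check: the methods the client announced must be a prefix of what
    # the given PreferredAuthentications predicts, else the client used another list.
    if tried and tried != predicted[: len(tried)]:
        return False, f"client tried {tried}, expected a prefix of {predicted}; PreferredAuthentications is not {preferred!r}"
    if hostbased_before_prompt(preferred, offered):
        return True, f"hostbased is attempted before any prompt: {predicted}"
    return False, (f"hostbased sits behind an interactive method in {predicted}; "
                   "move it ahead of password in PreferredAuthentications")


if __name__ == "__main__":
    for pref in (DEFAULT_PREFERRED, REORDERED_PREFERRED):
        ok, why = diagnose(SAMPLE_LOG, pref)
        print(f"{pref}: {'OK' if ok else 'NOT OK'} - {why}")
```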
From: bowman at math.ualberta.ca (John Bowman)
Date: 8 May 2001 23:52:24 -0000
Subject: SSH connection hanging on logout
Message-ID: <20010508235224.4072.qmail@wizard.math.ualberta.ca>

As is well known, current versions of openssh hang upon exit when background
processes exist. If these processes do not produce output to stdout or stderr
they should be allowed to continue to run silently. (If they do try to produce
output, they will be killed by the shell.) This would be consistent with the
behaviour of rsh, ssh, rlogin, telnet, csh, and bash. In no case should
openssh wait around for them indefinitely.

Ssh is supposed to be a secure implementation of rsh and openssh is supposed
to be an open source version of ssh, so despite a few suggestions to the
contrary, this *really* is a bug.

The following patch to openssh-2.9p1 fixes the problem. This patch has now
been thoroughly tested and is believed not to break ssh or scp, unlike
previous related attempts.

I hope this patch is helpful,

-- John Bowman University of Alberta http://www.math.ualberta.ca/~bowman

diff -ur openssh-2.9p1/clientloop.c openssh-2.9p1J/clientloop.c --- openssh-2.9p1/clientloop.c Fri Apr 20 06:50:51 2001 +++ openssh-2.9p1J/clientloop.c Wed May 2 16:21:16 2001 @@ -440,9 +440,13 @@ len = read(connection_in, buf, sizeof(buf)); if (len == 0) { /* Received EOF. The remote host has closed the connection. */ - snprintf(buf, sizeof buf, "Connection to %.300s closed by remote host.\r\n", - host); - buffer_append(&stderr_buffer, buf, strlen(buf)); +/* + * This message duplicates the one already in client_loop(). + * + * snprintf(buf, sizeof buf, "Connection to %.300s closed by remote host.\r\n", + * host); + * buffer_append(&stderr_buffer, buf, strlen(buf)); + */ quit_pending = 1; return; } diff -ur openssh-2.9p1/nchan.c openssh-2.9p1J/nchan.c --- openssh-2.9p1/nchan.c Tue Apr 3 07:02:48 2001 +++ openssh-2.9p1J/nchan.c Wed May 2 16:19:11 2001
@@ -56,7 +56,7 @@ /* helper */ static void chan_shutdown_write(Channel *c); -static void chan_shutdown_read(Channel *c); +void chan_shutdown_read(Channel *c); /* * SSH1 specific implementation of event functions @@ -479,7 +479,7 @@ c->wfd = -1; } } -static void +void chan_shutdown_read(Channel *c) { if (compat20 && c->type == SSH_CHANNEL_LARVAL) diff -ur openssh-2.9p1/nchan.h openssh-2.9p1J/nchan.h --- openssh-2.9p1/nchan.h Sun Mar 4 23:16:12 2001 +++ openssh-2.9p1J/nchan.h Wed May 2 16:19:11 2001 @@ -88,4 +88,5 @@ void chan_init_iostates(Channel * c); void chan_init(void); +void chan_shutdown_read(Channel *c); #endif diff -ur openssh-2.9p1/session.c openssh-2.9p1J/session.c --- openssh-2.9p1/session.c Wed Apr 18 09:29:34 2001 +++ openssh-2.9p1J/session.c Wed May 2 16:20:04 2001 @@ -1960,6 +1960,8 @@ */ if (c->ostate != CHAN_OUTPUT_CLOSED) chan_write_failed(c); + if (c->istate != CHAN_INPUT_CLOSED) + chan_shutdown_read(c); s->chanid = -1; } From abartlet at pcug.org.au Wed May 9 10:15:35 2001 
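Review bot: In the clientloop.c hunk, the `snprintf`/`buffer_append` pair is kept as a commented-out block instead of being deleted; if the message really duplicates the one in client_loop(), remove the three lines outright and keep only the one-line explanation, so nobody later has to work out whether the commented code is dead or pending.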
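Review bot: In the session.c hunk, calling `chan_shutdown_read(c)` as soon as the session's child exits closes the descriptor sshd reads the process's output from while `c->istate` may still be open, so anything still unread in that pipe (output a background process wrote, or even the exited child's last lines) is discarded instead of being delivered to the client; this is the data-loss risk Markus raises in his reply on this list. Consider shutting the read side only after the channel's input has drained (or after an EOF is actually seen), and since `chan_shutdown_read` is made non-static in nchan.c and exported in nchan.h solely for this call, a comment next to the prototype should say so.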
From: abartlet at pcug.org.au (Andrew Bartlett)
Date: Wed, 09 May 2001 10:15:35 +1000
Subject: SSH and forced wtmp entries ...
References: <20010507083254.A9307@rhs-notebook> <20010507150303.A12892@faui02.informatik.uni-erlangen.de> <20010508080204.A12722@rhs-notebook> <20010508023317.G1235@quipu.half.pint-stowp.cx>
Message-ID: <3AF88C27.5FE10A6D@bartlett.house>

Jim Knoble wrote:
>
> Circa 2001-May-08 08:02:04 +0200 dixit Randolf Skerka:
>
> : On Mon, May 07, 2001 at 03:03:03PM +0200, Markus Friedl wrote:
> : > try to use
> : > ssh -t host command
> : >
> : > is this ok?
> :
> : No, doesn't work, tried it before :-(
> :
> : > why do you need wtmp? ssh just emulates the
> : > traditional rsh/rlogin behaviour. wtmp gets
> : > updated only if you allocate a tty.
> : >
> : > every login is registered in /var/log/authlog
> :
> : Well, wtmp is available on all platforms. HP-UX does not have a
> : /var/log/authlog for example.
>
> I think what Markus meant is that sshd logs all logins via syslogd,
> via the 'auth' facility, unless you've explicitly configured it not to.

But it does not show logouts (except for SSH Win clients), and there is no
easy way to tell how many people are using the system (considering a time
to reboot, for example). PAM sessions should show the logouts, but my
message regarding that breakage seemed to be ignored...

>
> : Why I need it? Simple, if somebody enters "ssh worldserver rm -rf /" I
> : would like to know who did it ... ok, bad example rm will remove wtmp
> : too but I think you know what I mean, right?
>
> If you're worried about someone being able to do that, then you have
> granted too much authority to people you don't trust.

For my case, I don't trust my users - I give them a restricted shell and
sftp, and I would like to know (with the normal unix tools) when they login,
logout and from where.

--
Andrew Bartlett
abartlet at pcug.org.au

From nakaji at tutrp.tut.ac.jp Wed May 9 10:24:33 2001
From: nakaji at tutrp.tut.ac.jp (NAKAJI Hiroyuki)
Date: 09 May 2001 09:24:33 +0900
Subject: OpenSSH 2.9p1 on 4.3BSD based system
Message-ID: <877kzrz7we.fsf@boggy.acest.tutrp.tut.ac.jp>

Dear developers,

I successfully compiled OpenSSH 2.9p1, which I got via CVS, with a little
modification. The patch is available at
http://www.rc.tutrp.tut.ac.jp/~nakaji/install/NEWS/utils/ref/openssh_cvs-news4.diff.gz

But one problem remains.

In config.h.in, there is a definition about the strftime function

/* Define if you have the `strftime' function. */
#undef HAVE_STRFTIME

but this HAVE_STRFTIME directive is not used. And my system, Sony NEWS-OS
4.2.1a+RD, which is a 4.3BSD based system, does not have the strftime
function, so I must add a library including the strftime function to the
LIBS variable in the Makefile after running the configure script.

I hope some strftime implementation (strftime.c of OpenBSD?) will be
included in the openbsd-compat directory.

Thanks.
--
NAKAJI Hiroyuki

From mouring at etoh.eviladmin.org Wed May 9 10:44:26 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Tue, 8 May 2001 19:44:26 -0500 (CDT)
Subject: OpenSSH 2.9p1 on 4.3BSD based system
In-Reply-To: <877kzrz7we.fsf@boggy.acest.tutrp.tut.ac.jp>
Message-ID:

Thanks.. I've applied this patch.. And in the next few days or so I'll look
at strftime(). There is a src/lib/libc/time/strftime.c which may work. If
you can get a partial patch worked up minus the configure.in aspect I can
finish it off.

- Ben

On 9 May 2001, NAKAJI Hiroyuki wrote:
> Dear developers,
>
> I successfully compiled OpenSSH 2.9p1, which I got via CVS, with a
> little modification. The patch is available at
> http://www.rc.tutrp.tut.ac.jp/~nakaji/install/NEWS/utils/ref/openssh_cvs-news4.diff.gz
>
> But one problem remains.
>
> In config.h.in, there is a definition about the strftime function
>
> /* Define if you have the `strftime' function. */
> #undef HAVE_STRFTIME
>
> but this HAVE_STRFTIME directive is not used. And my system, Sony
> NEWS-OS 4.2.1a+RD, which is a 4.3BSD based system, does not have the
> strftime function, so I must add a library including the strftime
> function to the LIBS variable in the Makefile after running the
> configure script.
>
> I hope some strftime implementation (strftime.c of OpenBSD?) will be
> included in the openbsd-compat directory.
>
> Thanks.
> --
> NAKAJI Hiroyuki
>

From J.S.Peatfield at damtp.cam.ac.uk Thu May 10 01:34:26 2001
From: J.S.Peatfield at damtp.cam.ac.uk (J.S.Peatfield at damtp.cam.ac.uk)
Date: Wed, 9 May 2001 16:34:26 +0100
Subject: rijndael.h in openssh-2.9p1
Message-ID: <200105091534.QAA17494.redmires.amtp.cam.ac.uk@damtp.cam.ac.uk>

In openssh-2.9p1 the rijndael.h declaration of rijndael_set_key is not the
same as that in rijndael.c. Some compilers object (e.g. irix5 cc). Here is a
patch if anyone cares...

--cut-here-- *** rijndael.h.orig Wed May 9 16:17:04 2001 --- rijndael.h Wed May 9 16:17:06 2001 *************** *** 42,48 **** /* These are all based on 32 bit unsigned values and will therefore */ /* require endian conversions for big-endian architectures */ ! rijndael_ctx *rijndael_set_key __P((rijndael_ctx *, const u4byte *, u4byte, int)); void rijndael_encrypt __P((rijndael_ctx *, const u4byte *, u4byte *)); void rijndael_decrypt __P((rijndael_ctx *, const u4byte *, u4byte *)); --- 42,48 ---- /* These are all based on 32 bit unsigned values and will therefore */ /* require endian conversions for big-endian architectures */ ! rijndael_ctx *rijndael_set_key __P((rijndael_ctx *, const u4byte *, const u4byte, int)); void rijndael_encrypt __P((rijndael_ctx *, const u4byte *, u4byte *)); void rijndael_decrypt __P((rijndael_ctx *, const u4byte *, u4byte *)); --cut-here--

From Jeff_Newton at pmc-sierra.com Thu May 10 03:50:05 2001
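Review bot: The hunk makes the header match rijndael.c by adding `const` to the third by-value `u4byte` parameter of `rijndael_set_key`, but a top-level qualifier on a by-value parameter is not part of the function type in C, so the cleaner fix is the other way round: drop the pointless `const` from the definition in rijndael.c and leave the prototype as `u4byte`. Either direction makes declaration and definition identical, which is what the complaining compilers (irix5 cc, as reported) want.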
From: Jeff_Newton at pmc-sierra.com (Jeff Newton) Date: Wed, 09 May 2001 10:50:05 -0700 Subject: Issues with OpenSSH 2.9p1 on HPUX11 References: <3AF0EB4E.40E0B0A@pmc-sierra.com> <425458781.988941801@athyra> <3AF81C3B.685E1F87@pmc-sierra.com> <20010508212003.B20945@folly> <3AF86BC6.8075D330@pmc-sierra.com> Message-ID: <3AF9834D.3DE6389C@pmc-sierra.com> In order for rhosts auth to work on HPUX11, I need to fully qualify the hostname in .rhosts. The same DOES NOT hold true for Solaris 2.7. Are there issues with the HPUX11 version of auth_rhosts2 code that would cause the difference below? My HPUX11 machines are set up correctly with respect to DNS, domain names, etc. HPUX11 sshd -d -d: debug1: Attempting authentication for newton. debug2: auth_rhosts2: clientuser newton hostname boston.pmc-sierra.bc.ca ipaddr 216.241.226.33 debug1: temporarily_use_uid: 1412/67 (e=0) debug1: restore_uid debug1: temporarily_use_uid: 1412/67 (e=0) debug1: restore_uid Failed rhosts for newton from 216.241.226.33 port 823 ruser newton Solaris 2.7 sshd -d -d: debug1: Attempting authentication for newton. debug2: auth_rhosts2: clientuser newton hostname odin ipaddr 134.87.115.142 debug1: temporarily_use_uid: 1412/67 (e=0) debug1: restore_uid debug1: temporarily_use_uid: 1412/67 (e=0) debug1: restore_uid Accepted rhosts for newton from 134.87.115.142 port 874 ruser newton Cheers, Jeff Newton wrote: > > Are there issues with HPUX11 and OpenSSH 2.9p1 with respect to Rhosts > Auth? > > I've just now got Rhosts Auth working on Solaris 2.7 but my HPUX11 > machines (compiled the same, same ssh_config and sshd_config) do not > behave the same. > -- Jeff Newton Security Analyst PMC-Sierra Inc. From olemx at ans.pl Thu May 10 04:35:01 2001 
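The difference between the two debug2 lines is the hostname string sshd resolved for the client: `boston.pmc-sierra.bc.ca` on HPUX11 versus the short `odin` on Solaris. As an added illustration (not OpenSSH's code, and a simplification of its .rhosts check), the following Python compares each .rhosts entry textually against that resolved hostname or the IP address, which is why a short-name entry fails on the host whose resolver returns an FQDN; the .rhosts contents are constructed.

```python
from typing import List, Tuple

# Constructed .rhosts contents for the HPUX11 host in the report.
RHOSTS_SHORT = "boston newton\n"                  # fails when sshd resolves the FQDN
RHOSTS_FQDN = "boston.pmc-sierra.bc.ca newton\n"  # what HPUX11 needed


def parse_rhosts(text: str, server_user: str) -> List[Tuple[int, str, str, bool]]:
    """Return (lineno, host, user, negated) for each entry.

    Format assumed here (classic rhosts syntax, simplified): 'host [user]',
    '#' comments, and a leading '-' on either field meaning an explicit deny.
    A missing user field means the account being logged into.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else server_user
        negated = False
        if host.startswith("-"):
            negated, host = True, host[1:]
        if user.startswith("-"):
            negated, user = True, user[1:]
        entries.append((lineno, host, user, negated))
    return entries


def check_rhosts(text: str, hostname: str, ipaddr: str,
                 client_user: str, server_user: str) -> Tuple[bool, List[str]]:
    """Decide whether client_user from hostname may log in as server_user.

    hostname is the name sshd resolved for the peer (the debug2 'hostname'
    field) and is compared case-insensitively as a whole string; ipaddr is
    the only alternative. The trace records why each entry was skipped, which
    is the information the 'Failed rhosts' log line does not give you.
    """
    trace: List[str] = []
    for lineno, host, user, negated in parse_rhosts(text, server_user):
        if host.lower() != hostname.lower() and host != ipaddr:
            trace.append(f"line {lineno}: '{host}' is neither '{hostname}' nor {ipaddr}")
            continue
        if user != client_user:
            trace.append(f"line {lineno}: user '{user}' != client user '{client_user}'")
            continue
        if negated:
            trace.append(f"line {lineno}: explicit deny for {user}@{host}")
            return False, trace
        trace.append(f"line {lineno}: accepted {user}@{host}")
        return True, trace
    trace.append("no matching entry")
    return False, trace


if __name__ == "__main__":
    # Values from the HPUX11 debug2 line in the report.
    hpux = ("boston.pmc-sierra.bc.ca", "216.241.226.33")
    for text in (RHOSTS_SHORT, RHOSTS_FQDN):
        ok, trace = check_rhosts(text, *hpux, "newton", "newton")
        print(repr(text.strip()), "->", ok, trace)
```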
From: olemx at ans.pl (Krzysztof Oledzki)
Date: Wed, 9 May 2001 20:35:01 +0200 (CEST)
Subject: SSH and forced wtmp entries ...
In-Reply-To: <20010507150303.A12892@faui02.informatik.uni-erlangen.de>
Message-ID:

On Mon, 7 May 2001, Markus Friedl wrote:
> try to use
> ssh -t host command
>
> is this ok?
>
> why do you need wtmp? ssh just emulates the
> traditional rsh/rlogin behaviour. wtmp gets
> updated only if you allocate a tty.
>
> every login is registered in /var/log/authlog

I have got another idea - maybe it would be more usable to log info about a
user that logged in without a tty into wtmp, like wu-ftpd (and probably
other ftp servers) does - it adds an entry like:

moon ftp pe16.warszawa.ad Tue Apr 3 12:34 - 21:53 (09:19)

And instead of "ftp" ssh should use for example "sshnotty" or something
similar :)

Best regards,

Krzysztof Oledzki

From dchart at nets.tref.nl Thu May 10 04:36:30 2001
From: dchart at nets.tref.nl (Dannis 't Hart)
Date: Wed, 9 May 2001 20:36:30 +0200
Subject: running sshd under AIX 4.3.3 ?
Message-ID:

Hi,

If anyone has managed to get sshd to run as a subsystem in the System
Resource Controller under AIX 4.3.3 (a la mkssys), then please let me know
how you did it... I can mkssys and startsrc it, but it dies immediately,
leaving a child sshd running with another PID than startsrc reported, and
lssrc reports sshd inoperative.

Is sshd a process that should stay in foreground, not forking? Or does it
fork every time to service a connection (excuse my ignorance)?

Douglas Manton, I read your post of 2001-03-16 on this (Re: SIGHUP/av[0]
restart failure (AIX)). Any clues? What am I forgetting?

Thanx,

From olemx at ans.pl Thu May 10 04:38:58 2001
From: olemx at ans.pl (Krzysztof Oledzki)
Date: Wed, 9 May 2001 20:38:58 +0200 (CEST)
Subject: Problem with OpenSSH with UseLogin
Message-ID:

Hello,

I have just discovered that ssh -T does not work with servers which have the
UseLogin option enabled. This happens because /bin/login cannot work if
there is no tty.

To correct this, it is necessary to add:

options.use_login = 0;

at the top of the "do_exec_no_pty" function from the "session.c" file.

Best regards,

Krzysztof Oledzki

From jstile at ohlone.cc.ca.us Thu May 10 05:24:14 2001
From: jstile at ohlone.cc.ca.us (John Stile)
Date: Wed, 09 May 2001 12:24:14 -0700
Subject: "ksh: scp: not found"
Message-ID: <3AF9995E.8FD3DFD8@ohlone.cc.ca.us>

I upgraded a compiled version of ssh-1.2.27 to a swinstalled depot of
OpenSSH_2.5.1p1 on HPUX-11.00. I created links in /usr/local/bin/ pointing
to /opt/openssh2/bin/. Ssh works. Scp does not. HP support does not support
ssh. Below the line you will find the output of a verbose scp command from
the server to itself.

-------------------------------------------
scp -v text.txt jstile at HPUXserver:~/test.txt
Executing: program /opt/openssh2/bin/ssh host HPUXserver, user jstile, command scp -v -t ~/test.txt
jstile at HPUXserver's password:
Permission denied, please try again.
jstile at HPUXserver's password:
ksh: scp: not found
lost connection

From markus.friedl at informatik.uni-erlangen.de Thu May 10 08:51:00 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 10 May 2001 00:51:00 +0200 Subject: 2.9: remote port forwarding doesn't work In-Reply-To: <20000509085525.A13716@cv.nexprise.com>; from greg@nest.cx on Tue, May 09, 2000 at 08:55:25AM -0700 References: <20000509085525.A13716@cv.nexprise.com> Message-ID: <20010510005100.A28532@folly> On Tue, May 09, 2000 at 08:55:25AM -0700, Gregory Steuck wrote: > Hello, > > I'm running OpenBSD 2.9 (-rOPENBSD_2_9) on i386. Remote port forwarding > doesn't work. Attached are 2 logs of > ssh -v -R2828:localhost:22 localhost > and > sshd -p 2222 -d > > Note that server tries to forward to > Connection to port 2828 forwarding to 0.0.0.0 port 0 requested. > instead of localhost port 22 as it should. please, try this: Index: channels.c =================================================================== RCS file: /home/markus/cvs/ssh/channels.c,v retrieving revision 1.114 diff -u -r1.114 channels.c --- channels.c 2001/05/08 19:17:30 1.114 +++ channels.c 2001/05/09 22:46:11 @@ -771,8 +771,9 @@ rtype = (c->type == SSH_CHANNEL_RPORT_LISTENER) ? "forwarded-tcpip" : "direct-tcpip"; - nextstate = (c->host_port == 0) ? SSH_CHANNEL_DYNAMIC : - SSH_CHANNEL_OPENING; + nextstate = (c->host_port == 0 && + c->type != SSH_CHANNEL_RPORT_LISTENER) ? + SSH_CHANNEL_DYNAMIC : SSH_CHANNEL_OPENING; addrlen = sizeof(addr); newsock = accept(c->sock, &addr, &addrlen); From markus.friedl at informatik.uni-erlangen.de Thu May 10 08:54:12 2001 
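Review bot: The new `nextstate` condition adds `c->type != SSH_CHANNEL_RPORT_LISTENER` on top of `c->host_port == 0` with no comment saying why a remote-port listener legitimately carries host_port 0 and must not be treated as a dynamic (SOCKS) listener; add a one-line comment so the next reader does not "simplify" it back to the old form, which is exactly what produced the reported `forwarding to 0.0.0.0 port 0` behaviour. Since the line just above already branches on `c->type == SSH_CHANNEL_RPORT_LISTENER` to pick `rtype`, deriving both `rtype` and `nextstate` from one switch on the listener type would keep the two decisions from drifting apart.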
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 10 May 2001 00:54:12 +0200 Subject: HostbasedAuthentication, and my sillyness In-Reply-To: <200105082338.AAA15403.redmires.amtp.cam.ac.uk@damtp.cam.ac.uk>; from J.S.Peatfield@damtp.cam.ac.uk on Wed, May 09, 2001 at 12:38:43AM +0100 References: <200105082338.AAA15403.redmires.amtp.cam.ac.uk@damtp.cam.ac.uk> Message-ID: <20010510005412.B28532@folly> On Wed, May 09, 2001 at 12:38:43AM +0100, J.S.Peatfield at damtp.cam.ac.uk wrote: > Looking at the code in sshconnect2.c it seems to default to the order > in the authmethods array, is there any reason not to patch that to > place hostbased before password? no. From markus.friedl at informatik.uni-erlangen.de Thu May 10 08:55:57 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 10 May 2001 00:55:57 +0200 Subject: SSH connection hanging on logout In-Reply-To: <20010508235224.4072.qmail@wizard.math.ualberta.ca>; from bowman@math.ualberta.ca on Tue, May 08, 2001 at 11:52:24PM -0000 References: <20010508235224.4072.qmail@wizard.math.ualberta.ca> Message-ID: <20010510005557.C28532@folly> hi, i think this patch can lead to data loss. please tell me if you experience this. -m From devon at admin2.gisnetworks.com Thu May 10 10:08:35 2001 From: devon at admin2.gisnetworks.com (Devon Bleak) Date: Wed, 9 May 2001 17:08:35 -0700 Subject: scp: not found" References: <3AF9995E.8FD3DFD8@ohlone.cc.ca.us> Message-ID: <01ae01c0d8e5$5ba9f7f0$1900a8c0@devn> quick fix: ln -s ../local/bin/scp /usr/bin/scp (which should in turn point to /opt/openssh2/...) better fix: recompile sshd with the proper default path ;) devon ----- Original Message ----- 
From: "John Stile"
To:
Sent: Wednesday, May 09, 2001 12:24 PM
Subject: "ksh: scp: not found"

> I upgraded a compiled version of ssh-1.2.27 to a swinstalled depot of
> OpenSSH_2.5.1p1 on HPUX-11.00.
> I created links in /usr/local/bin/ pointing to
> /opt/openssh2/bin/.
> Ssh works. Scp does not. HP support does not support ssh.
> Below the line you will find the output of a verbose scp command from
> the server to itself.
>
> -------------------------------------------
> scp -v text.txt jstile at HPUXserver:~/test.txt
> Executing: program /opt/openssh2/bin/ssh host HPUXserver, user jstile,
> command scp -v -t ~/test.txt
> jstile at HPUXserver's password:
> Permission denied, please try again.
> jstile at HPUXserver's password:
> ksh: scp: not found
> lost connection
>

From mouring at etoh.eviladmin.org Thu May 10 09:54:36 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 9 May 2001 18:54:36 -0500 (CDT)
Subject: scp: not found"
In-Reply-To: <01ae01c0d8e5$5ba9f7f0$1900a8c0@devn>
Message-ID:

Later versions of OpenSSH add $PREFIX/bin into the default path if you
don't touch --with-default-path=.

- Ben

On Wed, 9 May 2001, Devon Bleak wrote:

> quick fix: ln -s ../local/bin/scp /usr/bin/scp (which should in turn
> point to /opt/openssh2/...)
>
> better fix: recompile sshd with the proper default path ;)
>
> devon
>
>
> ----- Original Message -----
> From: "John Stile"
> To:
> Sent: Wednesday, May 09, 2001 12:24 PM
> Subject: "ksh: scp: not found"
>
>
> > I upgraded a compiled version of ssh-1.2.27 to a swinstalled depot of
> > OpenSSH_2.5.1p1 on HPUX-11.00.
> > I created links in /usr/local/bin/ pointing to
> > /opt/openssh2/bin/.
> > Ssh works. Scp does not. HP support does not support ssh.
> > Below the line you will find the output of a verbose scp command from
> > the server to itself.
> >
> > -------------------------------------------
> > scp -v text.txt jstile at HPUXserver:~/test.txt
> > Executing: program /opt/openssh2/bin/ssh host HPUXserver, user jstile,
> > command scp -v -t ~/test.txt
> > jstile at HPUXserver's password:
> > Permission denied, please try again.
> > jstile at HPUXserver's password:
> > ksh: scp: not found
> > lost connection
> >
>

From wendyp at cray.com Thu May 10 10:15:16 2001
From: wendyp at cray.com (Wendy Palm)
Date: Wed, 09 May 2001 19:15:16 -0500
Subject: "ksh: scp: not found"
References: <3AF9995E.8FD3DFD8@ohlone.cc.ca.us>
Message-ID: <3AF9DD94.8A4430E5@cray.com>

this is a known problem. check the FAQ.

did you install openssh on the remote machine, or just the local?
(i.e. do you have control over the remote machine "HPUXserver"?)
scp needs to be installed on both machines.

if you are sure scp is installed on the remote machine, ensure that scp
is in your path on that machine.

wendy

John Stile wrote:
>
> I upgraded a compiled version of ssh-1.2.27 to a swinstalled depot of
> OpenSSH_2.5.1p1 on HPUX-11.00.
> I created links in /usr/local/bin/ pointing to
> /opt/openssh2/bin/.
> Ssh works. Scp does not. HP support does not support ssh.
> Below the line you will find the output of a verbose scp command from
> the server to itself.
>
> -------------------------------------------
> scp -v text.txt jstile at HPUXserver:~/test.txt
> Executing: program /opt/openssh2/bin/ssh host HPUXserver, user jstile,
> command scp -v -t ~/test.txt
> jstile at HPUXserver's password:
> Permission denied, please try again.
> jstile at HPUXserver's password:
> ksh: scp: not found
> lost connection

--
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154

From rachit at ensim.com Thu May 10 11:36:07 2001
From: rachit at ensim.com (Rachit Siamwalla)
Date: Wed, 9 May 2001 18:36:07 -0700
Subject: SSH connection hanging on logout
Message-ID: <9AC41B8C4781464695BB013F106FCA31D2BD5E@nasdaq.ms.ensim.com>

If this is a feature, not a bug, then, my (stupid?) question(s) are this:

1. Telnet doesn't have the same problem. (yes, telnet isn't exactly the
same thing, but... this is related to what John Bowman's patch does)

2. F-secure SSH doesn't have the same problem.

Also, I believe that an attempt was made to work around this problem sometime
in the 2.3.0p1 timeframe by having ssh close and exit immediately if the
connection was closed (don't quote me on this, this info was gleaned through
observation, not reading the actual code). However, this triggered the
unfortunate bug in that:

ssh myserver echo 0

will not actually print anything out, because the close and exit was too
soon.

I am not a pty expert, but I wonder how f-secure ssh managed to get around
this issue (it doesn't have either problem).

-rchit

-----Original Message-----
From: Jason Stone [mailto:jason at shalott.net]
Sent: Saturday, May 05, 2001 4:54 AM
To: openssh-unix-dev at mindrot.org
Subject: Re: SSH connection hanging on logout

> About the hang-on-exit bug: this is the TODO item which shows up when you
> run "ssh server 'sleep 20 & exit'".
>
> * The shell starts up, and starts its own session. As a side-effect, it
> gets its own process group.
> * The sshd server attempts to read from the master side of the pty, and
> while there are still processes with the pty open, no EOF is produced.
> * The sleep command exits, closes its descriptor, sshd detects the EOF, and
> the connection gets closed.

Or, put another way, this is a feature, not a bug - sshd has no way of
knowing that "sleep 20" isn't going to eventually produce some output that
you'll want to see, so it stays alive until the background command exits.

The real "bug" is users trying to use the shell's '&' builtin to run daemon
processes. If you want a command to really be backgrounded (ie, to
daemonize), use something other than '&', something that will make the
command close the pty and either start its own process group or else become
a child of init. Eg:

perl -e 'fork && exit; close STDIN; close STDOUT; close STDERR; \
setpgrp(0,$$); exec "sleep 20";'

(Watch out for the quoting if you try this on the commandline....)

> Known-good workarounds:
> * bash: shopt huponexit on
> * tcsh: none
> * zsh: setopt HUP (this is usually the default)

If you use zsh, you might also try something like this in your .zshrc:

daemonize(){
  COMMAND="$@"
  perl -e 'fork && exit; close STDIN; close STDOUT; close STDERR; \
    setpgrp(0,$$); exec "'$COMMAND'";'
}

You would then run "daemonize sleep 20" and the sleep 20 would be run in
the background and not hang the sshd when you exit. This will almost
certainly work in other bourne-compatible shells as well.
-Jason

From djm at mindrot.org Thu May 10 12:33:51 2001
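The mechanism Jason describes above, as an added example that is not code from the post or from OpenSSH: a pipe stands in for the session pty (both only deliver EOF once every process holding the write side has closed it), a child plays the login shell, and a grandchild plays the background job. session_closes_after_exit() returns 1 when the "sshd" side reaches EOF after the shell exits and 0 when the read would keep blocking; the function names, the timeouts and the use of setsid() in place of the post's setpgrp(0,$$) are my own choices.

```c
/* hang_on_exit.c: why "ssh server 'sleep 20 & exit'" hangs and why a
 * properly daemonized job does not.  Constructed demonstration, not
 * OpenSSH code. */
#define _POSIX_C_SOURCE 200809L
#include <poll.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* How long the "sshd" side waits for EOF before declaring a hang. */
#define EOF_TIMEOUT_MS 500
/* How long the background job lingers, standing in for "sleep 20". */
#define JOB_LINGER_MS (3 * EOF_TIMEOUT_MS)

static void sleep_ms(long ms)
{
    struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}

/* Background job started by the "shell".  With detach == 0 it behaves like
 * a plain "sleep 20 &": it keeps the inherited pty descriptor open until it
 * exits.  With detach != 0 it follows the pattern from the post: new
 * session and process group, inherited terminal descriptors closed, so
 * nothing it does can hold the session open. */
static void run_background_job(int pty_wfd, int detach)
{
    if (detach) {
        setsid();       /* own session/process group, like setpgrp(0,$$) */
        close(pty_wfd); /* like "close STDIN; close STDOUT; close STDERR" */
    }
    sleep_ms(JOB_LINGER_MS);
    _exit(0);
}

/* Simulates sshd serving one session.  Returns 1 if EOF arrived on the pty
 * within EOF_TIMEOUT_MS of the shell exiting (clean logout), 0 if the read
 * would keep blocking (the hang), -1 on a setup error. */
int session_closes_after_exit(int detach)
{
    int pty[2];
    if (pipe(pty) == -1)
        return -1;

    pid_t shell = fork();
    if (shell == -1)
        return -1;
    if (shell == 0) {
        /* The login shell: holds only the "slave" side of the pty. */
        close(pty[0]);
        if (fork() == 0)
            run_background_job(pty[1], detach);   /* never returns */
        /* "exit": one last line of output, then the shell is gone. */
        (void)write(pty[1], "logout\n", 7);
        _exit(0);
    }

    /* sshd keeps only the "master" side and waits for the shell to go. */
    close(pty[1]);
    waitpid(shell, NULL, 0);

    /* Drain whatever the session wrote, then wait for EOF. */
    struct pollfd pfd = { .fd = pty[0], .events = POLLIN };
    int got_eof = 0;
    for (;;) {
        int ready = poll(&pfd, 1, EOF_TIMEOUT_MS);
        if (ready <= 0)
            break;                  /* timeout: something still holds the pty */
        char buf[64];
        ssize_t n = read(pty[0], buf, sizeof buf);
        if (n <= 0) {
            got_eof = (n == 0);     /* 0 bytes: every writer has closed */
            break;
        }
        /* A real sshd would forward these bytes to the client. */
    }
    close(pty[0]);
    return got_eof;
}

int main(void)
{
    printf("sleep & exit          : %s\n",
           session_closes_after_exit(0) ? "closes" : "hangs");
    printf("daemonized job & exit : %s\n",
           session_closes_after_exit(1) ? "closes" : "hangs");
    return 0;
}
```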
From: djm at mindrot.org (Damien Miller)
Date: Thu, 10 May 2001 12:33:51 +1000 (EST)
Subject: SSH connection hanging on logout
In-Reply-To: <20010508235224.4072.qmail@wizard.math.ualberta.ca>
Message-ID:

On 8 May 2001, John Bowman wrote:

> As is well known, current versions of openssh hang upon exit when
> background processes exist.
>
> If these processes do not produce output to stdout or stderr they should be
> allowed to continue to run silently. (If they do try to produce output,
> they will be killed by the shell.) This would be consistent with the
> behaviour of rsh, ssh, rlogin, telnet, csh, and bash. In no case should
> openssh wait around for them indefinitely.
>
> Ssh is supposed to be a secure implementation of rsh and openssh is
> supposed to be an open source version of ssh, so despite a few suggestions
> to the contrary, this *really* is a bug.
>
> The following patch to openssh-2.9p1 fixes the problem. This patch has now
> been thoroughly tested and is believed not to break ssh or scp, unlike
> previous related attempts.

The patch does not work for protocol 1:

while [ 1 ] ; do ssh -p 2222 -o Protocol=1 -oForwardX11=no djm at localhost dd if=/dev/zero bs=1024 count=100 | wc -c ; done

Write failed flushing stdout buffer.
100+0 records in
100+0 records out
16384
Write failed flushing stdout buffer.
100+0 records in
100+0 records out
20480
Write failed flushing stdout buffer.
100+0 records in
100+0 records out
20480
Write failed flushing stdout buffer.
100+0 records in
100+0 records out
20480

etc

--
| Damien Miller \   ``E-mail attachments are the poor man's
| http://www.mindrot.org /   distributed filesystem'' - Dan Geer

From tim at multitalents.net Thu May 10 13:40:31 2001
From: tim at multitalents.net (Tim Rice)
Date: Wed, 9 May 2001 20:40:31 -0700 (PDT)
Subject: "ksh: scp: not found"
In-Reply-To: <3AF9995E.8FD3DFD8@ohlone.cc.ca.us>
Message-ID:

On Wed, 9 May 2001, John Stile wrote:

> I upgraded a compiled version of ssh-1.2.27 to a swinstalled depot of
> OpenSSH_2.5.1p1 on HPUX-11.00.
> I created links in /usr/local/bin/ pointing to
> /opt/openssh2/bin/.
> Ssh works. Scp does not. HP support does not support ssh.
> Below the line you will find the output of a verbose scp command from
> the server to itself.
>
> -------------------------------------------
> scp -v text.txt jstile at HPUXserver:~/test.txt
> Executing: program /opt/openssh2/bin/ssh host HPUXserver, user jstile,
> command scp -v -t ~/test.txt
> jstile at HPUXserver's password:
> Permission denied, please try again.
> jstile at HPUXserver's password:
> ksh: scp: not found
> lost connection

OpenSSH_2.5.1p1 was released on 20010219
the patch to fix this didn't show up until 20010311

Upgrade or reconfigure using the --with-default-path= option.
Wherever scp is installed must be in the path.

>

--
Tim Rice       Multitalents    (707) 887-1469
tim at multitalents.net

From bowman at math.ualberta.ca Thu May 10 14:05:34 2001
From: bowman at math.ualberta.ca (John Bowman)
Date: 10 May 2001 04:05:34 -0000
Subject: SSH connection hanging on logout
In-Reply-To: (message from Damien Miller on Thu, 10 May 2001 12:33:51 +1000 (EST))
References:
Message-ID: <20010510040534.2542.qmail@wizard.math.ualberta.ca>

> The patch does not work for protocol 1:
>
> while [ 1 ] ; do ssh -p 2222 -o Protocol=1 -oForwardX11=no djm at localhost dd if=/dev/zero bs=1024 count=100 | wc -c ; done
>
> Write failed flushing stdout buffer.
> 100+0 records in
> 100+0 records out
> 16384
> Write failed flushing stdout buffer.
> 100+0 records in
> 100+0 records out
> 20480
> Write failed flushing stdout buffer.
> 100+0 records in
> 100+0 records out
> 20480
> Write failed flushing stdout buffer.
> 100+0 records in
> 100+0 records out
> 20480
>

Interesting. First of all, this reminds me to point out that the patch only
fixes the hang-on-exit bug for Protocol 2 anyway.

Which OS and which platform did this occur on? On RedHat Linux 6.2 no data
loss appears to occur under Protocol 1. But I haven't tested it extensively
since under this protocol it doesn't fix the bug anyway.

while [ 1 ] ; do ssh -o Protocol=1 -oForwardX11=no localhost dd if=/dev/zero bs=1024 count=100 | wc -c ; done

100+0 records in
100+0 records out
102400
100+0 records in
100+0 records out
102400
100+0 records in
100+0 records out
102400
100+0 records in
100+0 records out
102400
100+0 records in
100+0 records out
102400
100+0 records in
100+0 records out
102400
100+0 records in
100+0 records out
102400

In any case, given what you have found, I agree that users who are still
supporting Protocol 1 should either not apply the patch at all or else
modify it to call chan_shutdown_read only under Protocol 2.

--
John Bowman
http://www.math.ualberta.ca/~bowman

From mouring at etoh.eviladmin.org Thu May 10 14:16:43 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 9 May 2001 23:16:43 -0500 (CDT)
Subject: SSH connection hanging on logout
In-Reply-To:
Message-ID:

On Thu, 10 May 2001, Damien Miller wrote:

> On 8 May 2001, John Bowman wrote:
>
> > As is well known, current versions of openssh hang upon exit when
> > background processes exist.
> >
> > If these processes do not produce output to stdout or stderr they should be
> > allowed to continue to run silently. (If they do try to produce output,
> > they will be killed by the shell.) This would be consistent with the
> > behaviour of rsh, ssh, rlogin, telnet, csh, and bash. In no case should
> > openssh wait around for them indefinitely.
> >
> > Ssh is supposed to be a secure implementation of rsh and openssh is
> > supposed to be an open source version of ssh, so despite a few suggestions
> > to the contrary, this *really* is a bug.
> >
> > The following patch to openssh-2.9p1 fixes the problem. This patch has now
> > been thoroughly tested and is believed not to break ssh or scp, unlike
> > previous related attempts.
>
> The patch does not work for protocol 1:
>
> while [ 1 ] ; do ssh -p 2222 -o Protocol=1 -oForwardX11=no djm at localhost dd if=/dev/zero bs=1024 count=100 | wc -c ; done
>
> Write failed flushing stdout buffer.
> 100+0 records in
> 100+0 records out
> 16384

Try against the latest CVS snapshot. Consider even applying the patch
Markus put out for turning blocking I/O back on. This is kinda a separate
issue. I can show this problem exists independent of his patch.

But you're right. This does not solve protocol 1 hang on exit. It just
solves protocol 2 which is a hint that it's the wrong solution.

I must point out that this 'work around' is only required for a LIMITED
number of platforms. Which I believe is HP/UX and Linux at this point.
Which leads me to believe there is something unique to those platforms.
So it may cause failure on platforms that don't require this work around.

My fear is by putting this into the CVS tree even the portable version
only that we will end up with another 2.3.0pX fiasco. Where we suddenly
learned what the downfall of the patch is months after the patch is
applied and almost forgotten about.

I'm still not sure this is the correct solution to the problem. It may look
like it's working, but so did the last hack.

- Ben

From djm at mindrot.org Thu May 10 15:00:38 2001
From: djm at mindrot.org (Damien Miller)
Date: Thu, 10 May 2001 15:00:38 +1000 (EST)
Subject: SSH connection hanging on logout
In-Reply-To:
Message-ID:

On Wed, 9 May 2001 mouring at etoh.eviladmin.org wrote:

> Try against the latest CVS snapshot. Consider even applying the patch
> Markus put out for turning blocking I/O back on. This is kinda a separate
> issue. I can show this problem exists independent of his patch.

This was the latest CVS.

> But you're right. This does not solve protocol 1 hang on exit. It just
> solves protocol 2 which is a hint that it's the wrong solution.
>
> I must point out that this 'work around' is only required for a LIMITED
> number of platforms. Which I believe is HP/UX and Linux at this point.
> Which leads me to believe there is something unique to those platforms.
> So it may cause failure on platforms that don't require this work around.

I suspect that the problem may be with the Linux kernel itself and how it
handles file descriptors shared between processes. OpenBSD and Solaris
don't exhibit the problem, the sshd child's fds to the shell get properly
closed when it exits.

> My fear is by putting this into the CVS tree even the portable version
> only that we will end up with another 2.3.0pX fiasco. Where we suddenly
> learned what the downfall of the patch is months after the patch is
> applied and almost forgotten about.

yeah - I would much prefer an (avoidable) hang on logout to a potential
data loss.

-d

--
| Damien Miller \   ``E-mail attachments are the poor man's
| http://www.mindrot.org /   distributed filesystem'' - Dan Geer

From fortezzo at directlink.net Thu May 10 15:01:26 2001
From: fortezzo at directlink.net (Jason Fortezzo)
Date: Thu, 10 May 2001 00:01:26 -0500
Subject: running sshd under AIX 4.3.3 ?
In-Reply-To:
Message-ID: <4.3.2.7.2.20010509235538.02b3a578@mailhost.directlink.net>

At 01:36 PM 5/9/2001, you wrote:
>Hi,
>
>If anyone has managed to get sshd to run as a subsystem in the System
>Resource Controller under AIX 4.3.3 (a la mkssys), then please let me know
>how you did it...

This works for me, at least on AIX 4.3.2, I don't imagine it would be much
different for 4.3.3.

mkssys -s sshd -p /usr/local/sbin/sshd -a '-D ' -u 0 -S -n 15 -f 9 -R -G local

Note the -D switch I pass to sshd.

Jason Fortezzo
fortezzo at directlink.net
PGP Key: http://mysite.directlink.net/fortezzo/pgpkey
---
If you have any trouble sounding condescending,
find a Unix user to show you how it's done.
--Scott Adams

From david-bronder at uiowa.edu Thu May 10 15:26:08 2001
From: david-bronder at uiowa.edu (David Bronder)
Date: Thu, 10 May 2001 00:26:08 -0500 (CDT)
Subject: [openssh-unix-dev] Re: SSH connection hanging on logout
In-Reply-To: from "Damien Miller" at May 10, 2001 03:00:38 PM
Message-ID: <200105100526.f4A5QAv58002@fire.its.uiowa.edu>

Damien Miller wrote:
>
> On Wed, 9 May 2001 mouring at etoh.eviladmin.org wrote:
>
> > But you're right. This does not solve protocol 1 hang on exit. It just
> > solves protocol 2 which is a hint that it's the wrong solution.
> >
> > I must point out that this 'work around' is only required for a LIMITED
> > number of platforms. Which I believe is HP/UX and Linux at this point.
> > Which leads me to believe there is something unique to those platforms.
> > So it may cause failure on platforms that don't require this work around.
>
> I suspect that the problem may be with the Linux kernel itself and how it
> handles file descriptors shared between processes. OpenBSD and Solaris
> don't exhibit the problem, the sshd child's fds to the shell get properly
> closed when it exits.

I can confirm that the hang-on-exit problem also occurs under AIX 4.3.3.
Drove me nuts, too, until I realized that it was newmail (from elm) that
was holding open the pty. (See below.)

> > My fear is by putting this into the CVS tree even the portable version
> > only that we will end up with another 2.3.0pX fiasco. Where we suddenly
> > learned what the downfall of the patch is months after the patch is
> > applied and almost forgotten about.
>
> yeah - I would much prefer an (avoidable) hang on logout to a potential
> data loss.

Yes, but I agree with others that the hang on logout is not exactly the
correct behavior, either. As has been pointed out, other remote login
services seem to correctly handle this situation, but OpenSSH does not.
In addition, the "avoidable" hang can sometimes be very non-intuitive to
track down.
My problem with newmail threw me because newmail isn't run as a background
process; it does its own fork/exec and ends up with init as its parent, but
it still hangs OpenSSH for up to a minute or longer.

=Dave

--
Hello World.                                David Bronder - Systems Admin
Segmentation Fault                                     ITS-SPA, Univ. of Iowa
Core dumped, disk trashed, quota filled, soda warm.   david-bronder at uiowa.edu

From douglas.manton at uk.ibm.com Thu May 10 17:52:00 2001
From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com)
Date: Thu, 10 May 2001 08:52:00 +0100
Subject: running sshd under AIX 4.3.3 ?
Message-ID: <80256A48.002B377A.00@d06mta05.portsmouth.uk.ibm.com>

> mkssys -s sshd -p /usr/local/sbin/sshd -a '-D ' -u 0 -S -n 15 -f 9 -R -G local
> Note the -D switch I pass to sshd.

Yup. Previously I had patched the sshd source to prevent it from forking
(a prerequisite of the AIX SRC).

I also wanted the functionality to log if sshd had fallen over. Using the
"-R" switch on mkssys restarts it, but unless you monitor the PID then you
have no record.

I have managed this using the "mknotify" method. You simply run the above
mkssys without the "-R" and then:

mknotify -n sshd -m /usr/bin/sysfailed

/usr/bin/sysfailed is a script along the lines of:

#!/bin/sh
logger -pdaemon.err -t srcmstr "$1 has fallen over and is being restarted"
startsrc -s $1
CODE=$?
if [ "$CODE" != "0" ]
then
    logger -pdaemon.crit -t srcmstr "$1 could not be restarted!"
    stopsrc -s $1
else
    logger -pdaemon.err -t srcmstr "$1 restarted"
fi

This logs the failure and restarts sshd.

Now to convince the AIX developers to send a "kill -HUP" to subsystems
controlled through signals using the refresh command!

Best wishes,
--------------------------------------------------------
Doug Manton, AT&T EMEA Commercial Security Solutions

E: demanton at att.com
--------------------------------------------------------
"If privacy is outlawed, only outlaws will have privacy"

From Lutz.Jaenicke at aet.TU-Cottbus.DE Thu May 10 18:11:38 2001
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Thu, 10 May 2001 10:11:38 +0200
Subject: 2.9p1: HP-UX 10.20 utmp/wtmp handling broken?
Message-ID: <20010510101138.A11855@ws01.aet.tu-cottbus.de>

Hi!

I have updated to OpenSSH 2.9p1 on HP-UX 10.20. Since this update, I seem
to have problems with utmp/wtmp handling, in that entries are not removed
as expected.

ws01 36: w
 10:06am  up 76 days, 12:52,  12 users,  load average: 0.17, 0.25, 0.20
User     tty       login@  idle   JCPU   PCPU  what
...
root     pts/8     5:28pm 159:41      -
...
ws01 37: ps -ef | grep pts/8
(nothing)
ws01 39: lsof /dev/pts/8
(nothing)

From my observations this seems to happen when slogin is not finished with
"exit", but the ssh-client is killed (e.g. because it was in a terminal
window and I log off the window manager).

Can anybody verify this behaviour? (Fixes?)
I don't remember having seen this with 2.5.2p2...

Best regards,
	Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From dchart at nets.tref.nl Thu May 10 21:05:19 2001
From: dchart at nets.tref.nl (Dannis 't Hart)
Date: Thu, 10 May 2001 13:05:19 +0200
Subject: running sshd under AIX 4.3.3 ?
In-Reply-To: <80256A48.002B377A.00@d06mta05.portsmouth.uk.ibm.com>
Message-ID:

> -----Original Message-----
> From: douglas.manton at uk.ibm.com [mailto:douglas.manton at uk.ibm.com]
> Sent: Thursday, May 10, 2001 09:52
> To: openssh-unix-dev at mindrot.org
> Cc: Jason Fortezzo; Dannis 't Hart
> Subject: Re: running sshd under AIX 4.3.3 ?
>
> > mkssys -s sshd -p /usr/local/sbin/sshd -a '-D ' -u 0 -S -n 15 -f 9 -R -G
> local
>
> > Note the -D switch I pass to sshd.
>
> Yup. Previously I had patched the sshd source to prevent it from forking
> (a prerequisite of the AIX SRC).
>
> I also wanted the functionality to log if sshd had fallen over. Using the
> "-R" switch on mkssys restarts it, but unless you monitor the PID then you
> have no record.
>
> I have managed this using the "mknotify" method. You simply run the above
> mkssys without the "-R" and then:
>
> mknotify -n sshd -m /usr/bin/sysfailed
>
> /usr/bin/sysfailed is a script along the lines of:
>
> #!/bin/sh
> logger -pdaemon.err -t srcmstr "$1 has fallen over and is being
> restarted"
> startsrc -s $1
> CODE=$?
> if [ "$CODE" != "0" ]
> then
>     logger -pdaemon.crit -t srcmstr "$1 could not be restarted!"
>     stopsrc -s $1
> else
>     logger -pdaemon.err -t srcmstr "$1 restarted"
> fi
>
> This logs the failure and restarts sshd.
>
> Now to convince the AIX developers to send a "kill -HUP" to subsystems
> controlled through signals using the refresh command!
>
> Best wishes,
> --------------------------------------------------------
> Doug Manton, AT&T EMEA Commercial Security Solutions
>
> E: demanton at att.com
> --------------------------------------------------------
> "If privacy is outlawed, only outlaws will have privacy"
>

Thanx! It works as a subsystem now :-)

Also, thanks for suggesting the logging method, I'm doing 'man mknotify'
right now...

Dannis.

From bowman at math.ualberta.ca Thu May 10 23:41:37 2001
From: bowman at math.ualberta.ca (John Bowman)
Date: 10 May 2001 13:41:37 -0000
Subject: SSH connection hanging on logout
In-Reply-To: (message from Damien Miller on Thu, 10 May 2001 15:00:38 +1000 (EST))
References:
Message-ID: <20010510134137.7154.qmail@wizard.math.ualberta.ca>

> > Try against the latest CVS snapshot. Consider even applying the patch
> > Markus put out for turning blocking I/O back on. This is kinda a separate
> > issue. I can show this problem exists independent of his patch.
>
> This was the latest CVS.

Does protocol 1 still break (I assume you are using OpenBSD?) when my
hang-on-exit patch is applied to openssh-2.9? Let's not make the issue any
murkier than it already is by applying the patch to CVS snapshots, which are
subject to continual change. In other words, let's use 2.9 and 2.9p1 as
controls for these tests and vary only one thing at a time (the patch).

>
> > But you're right. This does not solve protocol 1 hang on exit. It just
> > solves protocol 2 which is a hint that it's the wrong solution.
> >
> > I must point out that this 'work around' is only required for a LIMITED
> > number of platforms. Which I believe is HP/UX and Linux at this point.
> > Which leads me to believe there is something unique to those platforms.
> > So it may cause failure on platforms that don't require this work around.
>
> I suspect that the problem may be with the Linux kernel itself and how it
> handles file descriptors shared between processes. OpenBSD and Solaris
> don't exhibit the problem, the sshd child's fds to the shell get properly
> closed when it exits.

Good. At least we have now established beyond any doubt that this really
*is* a bug under HP-UX and Linux (whether one wants to attribute it to the
OS or to openssh is irrelevant to me; it still needs a workaround either
way). If the hanging behaviour were actually the "correct" behaviour,
openssh would hang on other platforms too, right?
>
> > My fear is by putting this into the CVS tree even the portable version
> > only that we will end up with another 2.3.0pX fiasco. Where we suddenly
> > learned what the downfall of the patch is months after the patch is
> > applied and almost forgotten about.
>

I provided the patch only to be helpful to the openssh community. We and
others have been using it on (RedHat and SuSe) Linux production machines for
over a week without problems. For us, the alternative was to switch back to
using ssh. Linux is the only environment where the patch (restricted to
Protocol 2) has been subject to extensive testing. But of course, with a
code this complex, it is extremely difficult to analyze all possible
scenarios.

> yeah - I would much prefer an (avoidable) hang on logout to a potential
> data loss.
>

At the very least, the patch may provide an important clue to solving this
bug. In particular, the fact that workarounds for unusual return values
under HP-UX and Linux (according to the above the only two OS's where the
bug manifests itself) appear in chan_shutdown_read may be relevant.

I'm afraid I can't invest any more time on this patch. However, I can
provide a few questions that perhaps the openssh community can address, in
order to resolve the issues that have been raised here.

QUERIES:

1. Does sleep 20&;exit hang on any OS's other than HP-UX and Linux?

2. Does Protocol 1 lead to data loss when the patch is applied to
openssh-2.9 on BSD?

3. Does chan_shutdown_read really get called under Protocol 1? When I insert
a debug statement at the beginning of chan_shutdown_read and run with
sshd -d,

ssh -v -o Protocol=1 -oForwardX11=no wizard dd if=/dev/zero bs=1024 count=100 | wc -c

does not seem to even call chan_shutdown_read at all under Linux! This
explains why the bug neither fixes the hang-on-exit bug nor leads to data
loss with Protocol 1 under Linux.

4. Has anyone seen a case where Protocol 1 leads to data loss when the
patch is applied to openssh-2.9p1 on Linux?

5. Has anyone seen a case where Protocol 1 leads to data loss when the
patch is applied to openssh-2.9p1 on HP-UX?

6. Has anyone seen a case where Protocol 2 leads to data loss when the
patch is applied to openssh-2.9p1 on Linux?

7. Has anyone seen a case where Protocol 2 leads to data loss when the
patch is applied to openssh-2.9p1 on HP-UX?

8. Has anyone seen a case where Protocol 2 leads to data loss on any OS?
This is the most crucial question.

--
John Bowman
University of Alberta
http://www.math.ualberta.ca/~bowman

From bowman at math.ualberta.ca Fri May 11 00:05:52 2001
From: bowman at math.ualberta.ca (John Bowman)
Date: 10 May 2001 14:05:52 -0000
Subject: NFS over ssh
Message-ID: <20010510140552.7699.qmail@wizard.math.ualberta.ca>

Secure NFS (SNFS) via SSH tunneling of UDP datagrams, as suggested in the
SSH FAQ, has now been implemented and is available for download from

http://www.math.ualberta.ca/imaging/snfs/.

This is an enhancement of the original sec_rpc package developed by Holger
Trapp.

* Tunneling via SSH increases the security of the connection and prevents
  IP spoofing.

* SNFS has been tested on Linux i386 and alpha platforms under RedHat 6.2.

* No changes to the kernel or existing daemons are required.

* On a high-end workstation, tunneling of large files results in only a
  slight degradation in speed (eg. 4MB/s instead of 5MB/s).

* Detailed configuration instructions are contained in the file
  NFS/README.NFS.

Here is a question for this group: so far, of the 4 UDP services, only
mountd and nfsd are being tunneled through ssh. In sec_rpc-1.0,
portmap/rpcbind and the lock manager are not being tunneled, because the
system is configured so that only local connections to the portmap are
allowed anyway (via /etc/hosts.allow). Are there any security concerns
here?

Thanks,

--
John Bowman
University of Alberta
http://www.math.ualberta.ca/~bowman

From sxw at dcs.ed.ac.uk Fri May 11 00:41:25 2001
From: sxw at dcs.ed.ac.uk (Simon Wilkinson)
Date: Thu, 10 May 2001 15:41:25 +0100
Subject: Buglet in my GSSAPI patches
Message-ID: <01051015412504.04906@loki.dcs.ed.ac.uk>

Just a quick heads up to warn those of you using my gss-keyex patches that
there's a small buglet in them which will affect interoperability. I'm
building the hash incorrectly (by including a zero length string where
there shouldn't be one). This will mean that when trying to interoperate
with other implementations (if there are any :-) you'll get a message about
the MIC not being correct.

This will be fixed in my forthcoming patch to 2.9p1 (which will probably
break compatibility with 2.5px clients/servers using gsskex)

Sorry!

Simon.

--
Simon Wilkinson                          http://www.sxw.org.uk
"I've seen honest faces before. They usually come attached to liars."

From pedidos at ninosdepapel.org Fri May 11 02:30:42 2001
From: pedidos at ninosdepapel.org (Niños de Papel)
Date: Thu, 10 May 2001 11:30:42 -0500
Subject: Reina Sofia Prize for the Asociacion Niños de Papel
Message-ID: <20010510124762.SM00210@segundo>

From dunlap at apl.washington.edu Fri May 11 03:13:00 2001
From: dunlap at apl.washington.edu (John Dunlap)
Date: Thu, 10 May 2001 10:13:00 -0700 (PDT)
Subject: 2.9p1 ssh-add/ssh-askpass first try fails
Message-ID: <200105101713.KAA24520@ohm.apl.washington.edu>

OpenSSH Version 2.9p1 of "ssh-add $HOME/.ssh/id_rsa < /dev/null" fails on
the first try of using ssh-askpass before the window manager starts. The
second try works. The error message on the first try is "Bad passphrase,
try again". This did not occur using OpenSSH-2.5.2p2.tar.gz.

I've tested this on both RHL6.2 and RHL7.1, both with all RH rpm updates
applied. I installed gnome-ssh-askpass as /usr/local/libexec/ssh-askpass.
Replacing /usr/local/bin/ssh-add compiled from version 2.5.2p2 cures the
problem.

Each version of OpenSSH was compiled from the above *.tar.gz files using:

./configure --with-pam --enable-gnome-askpass --with-tcp-wrappers
make

I'm using ssh-askpass before starting Gnome proper by putting the following
line at the top of my .xsession file which was copied from
/etc/X11/xinit/Xclients:

[ -r $HOME/.ssh/id_rsa ] && ssh-add $HOME/.ssh/id_rsa < /dev/null

I changed /etc/X11/xdm/Xsession so ssh-agent runs as the root of my
session. Here're the relevant lines:

sshagent=
[ -d $HOME/.ssh ] && sshagent=ssh-agent
exec $sshagent gnome-session

I also note that, after logging in, executing the 2.9p1 version of
"ssh-add < /dev/null" works on the first try.

Regards,
John

--
John Dunlap                        University of Washington
Senior Electrical Engineer         Applied Physics Laboratory
dunlap at apl.washington.edu          1013 NE 40th Street
206-543-7207, 543-1300, FAX 543-6785   Seattle, WA 98105-6698

From Jewnix at technohac.com Fri May 11 05:33:24 2001
From: Jewnix at technohac.com (Gil Disatnik)
Date: Thu, 10 May 2001 21:33:24 +0200
Subject: Detailed information.
Message-ID: <5.0.2.1.2.20010510210328.00a88320@www.technohac.com>

(Mr. Markus Friedl asked me to mail to this address)

Hello there.

My problem is as follows:

I am using OpenSSH 2.5.1 (Can't upgrade for now, an explanation will be given later...) on AIX 4.1.5 (Can't upgrade as well...)

I have written a distribution script that distributes tgz files along with their installation script; the distribution script simply scp's the file and then reconnects and invokes the install script.

While I am loading the distributing machine the returned code from a remotely invoked script SOMETIMES (happens randomly) returns me -1 (255) instead of the real returned code. (When I say "loading" I mean approx 9 scp running simultaneously and approx 9 ssh install sessions while doing that...)

I can't upgrade for now as I am working for the Israeli Air Force in a top-secret facility; it takes quite a while to insert code from the Internet (Intensive code checking...)

I can't even give you the debug information... but, this is very simple. By checking two outputs I have (using -v -v -v) while 1 of them was alright and the 2nd wasn't, the ONLY difference is that the "bad" session doesn't have this line:

    debug: client_input_channel_req: channel 0 rtype exit-status reply 0

I am not a programmer, but it seems as if the sshd doesn't return the status reply at all, or at least the client, due to the extreme system load, is not "picking" this signal...

Again: using ssh1 (the commercial version of ssh1) it DIDN'T happen (the system was loaded even more sometimes...)

Sending debug information of the server could be a bit problematic as it means I have to run it on all machines (a few hundreds...) - still, it seems like a bug that occurs due to a high system load... so the sshd is probably okay (I connected them one by one doing only exit 0... they all came out fine... doing exit 0 while distributing got screwed sometimes...)

The sample Mr. Markus Friedl gave me (sh -c 'for i in 1 2 3 4 5 6; do ssh localhost exit $i; echo $?; done') is irrelevant as it works fine for me as well (as I said, when I am connecting one by one - everything works fine, but when I am opening approx 10 ssh connections while 10 scp are killing the system/cpu it does happen).

Please tell me what you think...

Thank you very very much!

Regards
Gil Disatnik
UNIX system administrator
GibsonLP at EFnet
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
"Windows NT has detected mouse movement, you MUST restart your computer before the new settings will take effect, [ OK ]"
--------------------------------------------------------------------
Windows is a 32 bit patch to a 16 bit GUI based on an 8 bit operating system, written for a 4 bit processor by a 2 bit company which can not stand 1 bit of competition.
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

From jason at shalott.net Fri May 11 08:24:22 2001
From: jason at shalott.net (Jason Stone)
Date: Thu, 10 May 2001 15:24:22 -0700 (PDT)
Subject: SSH connection hanging on logout
In-Reply-To: <20010510134137.7154.qmail@wizard.math.ualberta.ca>
Message-ID:

> 1. Does sleep 20&;exit hang on any OS's other than HP-UX and Linux?

It also hangs on FreeBSD.

hermione/home/jason-629: cat /kern/version
FreeBSD 4.3-STABLE #0: Fri May  4 20:22:15 PDT 2001
    root at hermione.pas.lab:/usr/src/sys/compile/JKERN

hermione/home/jason-634: date ; ssh localhost 'sleep 20& exit' ; date
Thu May 10 15:01:54 PDT 2001
Thu May 10 15:02:14 PDT 2001

hermione/home/jason-636: date ; ssh localhost 'perl -e '"'"'fork && exit; close STDIN ; close STDOUT ; close STDERR ; exec "sleep 20";'"'" ; date
Thu May 10 15:03:45 PDT 2001
Thu May 10 15:03:45 PDT 2001

-Jason

---------------------------
If the Revolution comes to grief, it will be because you and those you lead have become alarmed at your own brutality.
                                                        --John Gardner

From mouring at etoh.eviladmin.org Fri May 11 08:29:40 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 10 May 2001 17:29:40 -0500 (CDT)
Subject: SSH connection hanging on logout
In-Reply-To:
Message-ID:

On Thu, 10 May 2001, Jason Stone wrote:

> > 1. Does sleep 20&;exit hang on any OS's other than HP-UX and Linux?
>
> It also hangs on FreeBSD.
>
> hermione/home/jason-629: cat /kern/version
> FreeBSD 4.3-STABLE #0: Fri May  4 20:22:15 PDT 2001
>     root at hermione.pas.lab:/usr/src/sys/compile/JKERN
>
> hermione/home/jason-634: date ; ssh localhost 'sleep 20& exit' ; date
> Thu May 10 15:01:54 PDT 2001
> Thu May 10 15:02:14 PDT 2001
>

Is this really a valid test? This hangs for 20 seconds under OpenBSD also, but this is not what we are referring to. SSH into your FreeBSD box using an interactive shell then do: sleep 20&exit

- Ben

From Markus.Friedl at informatik.uni-erlangen.de Fri May 11 08:52:45 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 11 May 2001 00:52:45 +0200
Subject: SSH connection hanging on logout
In-Reply-To: ; from mouring@etoh.eviladmin.org on Thu, May 10, 2001 at 05:29:40PM -0500
References:
Message-ID: <20010511005244.A16114@faui02.informatik.uni-erlangen.de>

On Thu, May 10, 2001 at 05:29:40PM -0500, mouring at etoh.eviladmin.org wrote:
> > hermione/home/jason-634: date ; ssh localhost 'sleep 20& exit' ; date
> > Thu May 10 15:01:54 PDT 2001
> > Thu May 10 15:02:14 PDT 2001
> >
>
> Is this really a valid test?

no

> This hangs for 20 seconds under OpenBSD
> also, but this is not what we are referring to. SSH into your FreeBSD box
> using an interactive shell then do: sleep 20&exit

please, could someone with a system where:

    $ ssh -t host
    % sleep 1234 &
    % exit
    $

hangs with openssh try whether rlogin hangs, too?

if rlogin does not hang, could you please check the source of rlogin and try to figure out how it handles the filedescriptors that connect rlogind to the shell. what happens with the filedescriptors after the shell dies?

thanks,
-m

From markus.friedl at informatik.uni-erlangen.de Fri May 11 08:54:20 2001
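Markus's question about what happens to the descriptors once the shell dies is the whole story behind the `sleep 20 & exit` hang that Jason and Ben traded above: the daemon reads its end of the channel until EOF, and EOF only comes when every process holding the other end has closed it, including background jobs that inherited it from the shell. The program below is an added illustration, not OpenSSH or rlogind code: a pipe stands in for the pty, a "shell" child forks a "sleep" grandchild and exits, and the parent reads until EOF, once with the descriptor inherited and once with it closed first (what Jason's perl one-liner does).

```c
/*
 * Added example (not OpenSSH or rlogind code): why "sleep 20 & exit"
 * keeps an ssh session open until the background job finishes.
 *
 * The daemon reads the descriptor that connects it to the user's shell
 * until it sees EOF.  EOF is delivered only when *every* holder of the
 * write side has closed it, and a background job inherits that
 * descriptor from the shell.  A pipe stands in for the pty here.
 */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Short stand-in for "sleep 20" so the demonstration finishes quickly. */
static void short_sleep(void)
{
    struct timespec ts = { 0, 300L * 1000 * 1000 };   /* 300 ms */
    nanosleep(&ts, NULL);
}

/*
 * Model one logout.  The "shell" child forks a "sleep" grandchild and
 * then exits.  If detach is nonzero the grandchild first closes its
 * inherited copy of the pipe (the perl one-liner's close STDIN/STDOUT/
 * STDERR); otherwise it keeps it, exactly like a plain "sleep 20 &".
 *
 * Returns how many bytes the daemon side read before EOF:
 *   0 -> EOF arrived as soon as the shell exited (clean logout)
 *   1 -> the parent was still blocked in read() when the grandchild
 *        wrote a probe byte just before exiting, i.e. the session would
 *        have hung for the lifetime of the background job.
 * Returns -1 if pipe() or fork() fails.
 */
int bytes_read_before_eof(int detach)
{
    int p[2];
    if (pipe(p) == -1)
        return -1;

    pid_t shell = fork();
    if (shell == -1)
        return -1;

    if (shell == 0) {                    /* --- the user's shell --- */
        close(p[0]);                     /* the shell only writes upward */
        pid_t job = fork();
        if (job == -1)
            _exit(1);
        if (job == 0) {                  /* --- "sleep 20 &" --- */
            if (detach)
                close(p[1]);             /* drop the inherited descriptor */
            short_sleep();
            if (!detach) {
                /* Still holding the pipe: prove the daemon is waiting. */
                if (write(p[1], "X", 1) != 1)
                    _exit(1);
            }
            _exit(0);
        }
        close(p[1]);                     /* "exit": the shell closes and dies */
        _exit(0);
    }

    /* --- daemon side: keep only the read end and wait for EOF --- */
    close(p[1]);
    char buf[16];
    int total = 0;
    ssize_t n;
    while ((n = read(p[0], buf, sizeof buf)) > 0)
        total += (int)n;
    close(p[0]);

    int status;
    while (waitpid(shell, &status, 0) == -1 && errno == EINTR)
        ;                                /* retry if interrupted */
    return total;
}

int main(void)
{
    printf("plain 'sleep & exit'    : %d byte(s) before EOF (1 = hung)\n",
           bytes_read_before_eof(0));
    printf("fds closed before sleep : %d byte(s) before EOF (0 = clean)\n",
           bytes_read_before_eof(1));
    return 0;
}
```

The same rule explains why rlogind, if it does not hang, must be doing something other than waiting for EOF on the shell's descriptors, which is what Markus asks someone to check in its source.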
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 11 May 2001 00:54:20 +0200
Subject: SSH and forced wtmp entries ...
In-Reply-To: ; from olemx@ans.pl on Wed, May 09, 2001 at 08:35:01PM +0200
References: <20010507150303.A12892@faui02.informatik.uni-erlangen.de>
Message-ID: <20010511005420.B26079@folly>

On Wed, May 09, 2001 at 08:35:01PM +0200, Krzysztof Oledzki wrote:
> On Mon, 7 May 2001, Markus Friedl wrote:
>
> > try to use
> > ssh -t host command
> >
> > is this ok?
> >
> > why do you need wtmp? ssh just emulates the
> > traditional rsh/rlogin behaviour. wtmp gets
> > updated only if you allocate a tty.
> >
> > every login is registered in /var/log/authlog
>
> I have got another idea - maybe it would be more useable to log info
> about user, that logged in without tty, into wtmp like it does wu-ftpd
> (and probably others ftp servers) - it adds an entry like:
>
> moon ftp pe16.warszawa.ad Tue Apr 3 12:34 - 21:53 (09:19)

why abuse lastlog? why not use /var/log/authlog?

From djm at mindrot.org Fri May 11 08:58:12 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 11 May 2001 08:58:12 +1000 (EST)
Subject: 2.9p1 ssh-add/ssh-askpass first try fails
In-Reply-To: <200105101713.KAA24520@ohm.apl.washington.edu>
Message-ID:

On Thu, 10 May 2001, John Dunlap wrote:

> OpenSSH Version 2.9p1 of "ssh-add $HOME/.ssh/id_rsa < /dev/null"
> fails on the first try of using ssh-askpass before the window manager
> starts. The second try works. The error message on the first try is
> "Bad passphrase, try again".

Does this help?

Index: readpass.c
===================================================================
RCS file: /var/cvs/openssh/readpass.c,v
retrieving revision 1.13
diff -u -r1.13 readpass.c
--- readpass.c	2001/05/02 01:30:33	1.13
+++ readpass.c	2001/05/10 22:57:44
@@ -69,7 +69,7 @@
 		fatal("ssh_askpass: exec(%s): %s", askpass, strerror(errno));
 	}
 	close(p[1]);
-	len = read(p[0], buf, sizeof buf);
+	len = atomicio(read, p[0], buf, sizeof buf);
 	close(p[0]);
 	while (waitpid(pid, &status, 0) < 0)
 		if (errno != EINTR)

-d

-- 
| Damien Miller \   ``E-mail attachments are the poor man's
| http://www.mindrot.org /   distributed filesystem'' - Dan Geer

From dunlap at apl.washington.edu Fri May 11 10:46:36 2001
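Review bot: check what atomicio() returns when read() hits EOF before sizeof buf bytes have arrived, because that is the normal case at this spot: the askpass child prints one short line and closes the pipe. If the EOF path hands back 0 rather than the bytes already collected, `len` is 0 and the caller proceeds with an empty passphrase and no error, which is a quieter failure than the short read being replaced. A loop that accumulates partial reads until read() returns 0 or the buffer is full, then NUL-terminates `buf` at `len`, is the safer shape here, and it keeps the EINTR handling that the waitpid() loop two lines below already has.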
> @@ -69,7 +69,7 @@ > fatal("ssh_askpass: exec(%s): %s", askpass, strerror(errno)); > } > close(p[1]); > - len = read(p[0], buf, sizeof buf); > + len = atomicio(read, p[0], buf, sizeof buf); > close(p[0]); > while (waitpid(pid, &status, 0) < 0) > if (errno != EINTR) > > -d > > -- > | Damien Miller \ ``E-mail attachments are the poor man's > | http://www.mindrot.org / distributed filesystem'' - Dan Geer > -- John Dunlap University of Washington Senior Electrical Engineer Applied Physics Laboratory dunlap at apl.washington.edu 1013 NE 40th Street 206-543-7207, 543-1300, FAX 543-6785 Seattle, WA 98105-6698 From dunlap at apl.washington.edu Fri May 11 11:06:09 2001 From: dunlap at apl.washington.edu (John Dunlap) Date: Thu, 10 May 2001 18:06:09 -0700 (PDT) Subject: 2.9p1 ssh-add/ssh-askpass first try fails In-Reply-To: from "Damien Miller" at May 11, 2001 08:58:12 AM Message-ID: <200105110106.f4B169T12869@henry.apl.washington.edu> Nuts. I spoke too soon. There was no error message, but there was no action either: the agent has no key: $ ssh-add -l The agent has no identities. And, "ssh-add < /dev/null" on the command line fails as well. (It puts up a window and behaves normally but similarly has no effect). -- John > > On Thu, 10 May 2001, John Dunlap wrote: > > > OpenSSH Version 2.9p1 of "ssh-add $HOME/.ssh/id_rsa < /dev/null" > > fails on the first try of using ssh-askpass before the window manager > > starts. The second try works. The error message on the first try is > > "Bad passphrase, try again". > > Does this help? > > Index: readpass.c > =================================================================== > RCS file: /var/cvs/openssh/readpass.c,v > retrieving revision 1.13 > diff -u -r1.13 readpass.c > --- readpass.c 2001/05/02 01:30:33 1.13 > +++ readpass.c 2001/05/10 22:57:44 
> @@ -69,7 +69,7 @@
>  		fatal("ssh_askpass: exec(%s): %s", askpass, strerror(errno));
>  	}
>  	close(p[1]);
> -	len = read(p[0], buf, sizeof buf);
> +	len = atomicio(read, p[0], buf, sizeof buf);
>  	close(p[0]);
>  	while (waitpid(pid, &status, 0) < 0)
>  		if (errno != EINTR)
>
> -d
>
> -- 
> | Damien Miller \   ``E-mail attachments are the poor man's
> | http://www.mindrot.org /   distributed filesystem'' - Dan Geer
>

-- 
John Dunlap                         University of Washington
Senior Electrical Engineer          Applied Physics Laboratory
dunlap at apl.washington.edu       1013 NE 40th Street
206-543-7207, 543-1300, FAX 543-6785   Seattle, WA 98105-6698

From dunlap at apl.washington.edu Fri May 11 11:44:48 2001
From: dunlap at apl.washington.edu (John Dunlap)
Date: Thu, 10 May 2001 18:44:48 -0700 (PDT)
Subject: 2.9p1 ssh-add/ssh-askpass first try fails
In-Reply-To: from "Damien Miller" at May 11, 2001 08:58:12 AM
Message-ID: <200105110144.f4B1imc21214@henry.apl.washington.edu>

Here's what works:

make and install the main part of the 2.9p1 without the patch from clean distro:

    tar xfz openssh-2.9p1.tar.gz
    cd openssh-2.9p1
    ./configure --with-pam --enable-gnome-askpass --with-tcp-wrappers
    make
    make install

Then, patch readpass.c:

    - len = read(p[0], buf, sizeof buf);
    + len = atomicio(read, p[0], buf, sizeof buf);

    make clean
    make
    (don't install now)
    cd contrib
    cc `gnome-config --cflags gnome gnomeui` \
        gnome-ssh-askpass.c -o gnome-ssh-askpass \
        `gnome-config --libs gnome gnomeui`
    cp gnome-ssh-askpass /usr/local/libexec/ssh-askpass

Now it works.

-- John

From abartlet at pcug.org.au Fri May 11 14:10:45 2001
From: abartlet at pcug.org.au (Andrew Bartlett)
Date: Fri, 11 May 2001 14:10:45 +1000
Subject: SSH and forced wtmp entries ...
References: <20010507150303.A12892@faui02.informatik.uni-erlangen.de> <20010511005420.B26079@folly>
Message-ID: <3AFB6645.59642983@bartlett.house>

Markus Friedl wrote:
>
> On Wed, May 09, 2001 at 08:35:01PM +0200, Krzysztof Oledzki wrote:
> > On Mon, 7 May 2001, Markus Friedl wrote:
> >
> > > try to use
> > > ssh -t host command
> > >
> > > is this ok?
> > >
> > > why do you need wtmp? ssh just emulates the
> > > traditional rsh/rlogin behaviour. wtmp gets
> > > updated only if you allocate a tty.
> > >
> > > every login is registered in /var/log/authlog
> >
> > I have got another idea - maybe it would be more useable to log info
> > about user, that logged in without tty, into wtmp like it does wu-ftpd
> > (and probably others ftp servers) - it adds an entry like:
> >
> > moon ftp pe16.warszawa.ad Tue Apr 3 12:34 - 21:53 (09:19)
>
> why abuse lastlog? why not use /var/log/authlog?

Because by doing so, all logins are recorded in one place, the date and time of BOTH login and logout are noted on a single line and a simple 'w' can tell you who is logged in and from where. Logging in utmp and wtmp makes tracking use/abuse of your system much easier if you know that all logins are in one file, and in a format that is easy to see and understand.

Furthermore, logouts currently are not recorded in /var/log/authlog, and PAM sessions (which I was using for this purpose, at least it records the logout) don't function in 2.9p1 (patch attached).

-- 
Andrew Bartlett
abartlet at pcug.org.au

-------------- next part --------------
--- openssh-2.9p1/session.c.old	Sun May  6 22:26:54 2001
+++ openssh-2.9p1/session.c	Sun May  6 22:27:53 2001
@@ -496,6 +496,7 @@
 	session_proctitle(s);
 #if defined(USE_PAM)
+	do_pam_session(s->pw->pw_name, NULL);
 	do_pam_setcred(1);
 #endif /* USE_PAM */

From dunlap at apl.washington.edu Sat May 12 01:04:03 2001
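Review bot: the new do_pam_session() call passes NULL for the tty argument, so every PAM session record will be ttyless even when this session did allocate one; `s` is in scope here, so the tty name (when present) is the natural second argument, which also keeps the tty and non-tty cases distinguishable for whoever reads the session log. The hunk also only shows the open side: since the stated goal is to get the logout recorded, please point out where the matching close runs for a session without a tty, otherwise PAM will see an open without a close on exactly the path this patch is meant to fix.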
From: dunlap at apl.washington.edu (John Dunlap)
Date: Fri, 11 May 2001 08:04:03 -0700 (PDT)
Subject: 2.9p1 ssh-add/ssh-askpass first try fails
In-Reply-To: <200105110144.f4B1imc21214@henry.apl.washington.edu> from "John Dunlap" at May 10, 2001 06:44:48 PM
Message-ID: <200105111504.f4BF43h25736@henry.apl.washington.edu>

Nuts, don't pay too much attention to what I say works. I cannot duplicate it. I could have sworn that some combination accepted the first try but I cannot find it now.

Sorry,

-- John

> Here's what works:
>
> make and install the main part of the 2.9p1 without the patch
> from clean distro:
>
> tar xfz openssh-2.9p1.tar.gz
> cd openssh-2.9p1
> ./configure --with-pam --enable-gnome-askpass --with-tcp-wrappers
> make
> make install
>
> Then, patch readpass.c:
> - len = read(p[0], buf, sizeof buf);
> + len = atomicio(read, p[0], buf, sizeof buf);
>
> make clean
> make
> (don't install now)
> cd contrib
> cc `gnome-config --cflags gnome gnomeui` \
>     gnome-ssh-askpass.c -o gnome-ssh-askpass \
>     `gnome-config --libs gnome gnomeui`
> cp gnome-ssh-askpass /usr/local/libexec/ssh-askpass
>
> Now it works.
>
> -- John
>

-- 
John Dunlap                         University of Washington
Senior Electrical Engineer          Applied Physics Laboratory
dunlap at apl.washington.edu       1013 NE 40th Street
206-543-7207, 543-1300, FAX 543-6785   Seattle, WA 98105-6698

From fortezzo at directlink.net Sat May 12 01:39:32 2001
From: fortezzo at directlink.net (Jason Fortezzo)
Date: Fri, 11 May 2001 10:39:32 -0500
Subject: running sshd under AIX 4.3.3 ?
In-Reply-To: <80256A48.002B377A.00@d06mta05.portsmouth.uk.ibm.com>
Message-ID: <4.3.2.7.2.20010511103713.033c2fb8@mailhost.directlink.net>

For what it's worth, here is my SRC entry for prngd

    mkssys -s prngd -p /usr/local/sbin/prngd -a '-f /var/run/egd-pool' \
        -u 0 -S -n 15 -f 9 -R -G local

Just be sure to do a /usr/bin/startsrc -s prngd before you do a /usr/bin/startsrc -s sshd

Best regards,

Jason Fortezzo
fortezzo at directlink.net
PGP Key: http://mysite.directlink.net/fortezzo/pgpkey
---
If you have any trouble sounding condescending, find a Unix user to show you how it's done. --Scott Adams

From dunlap at apl.washington.edu Sat May 12 07:21:34 2001
From: dunlap at apl.washington.edu (John Dunlap)
Date: Fri, 11 May 2001 14:21:34 -0700 (PDT)
Subject: 2.9p1 ssh-add/ssh-askpass first try fails
In-Reply-To: from "dunlap" at May 10, 2001 05:46:36 PM
Message-ID: <200105112121.f4BLLYw04709@henry.apl.washington.edu>

> OpenSSH Version 2.9p1 of "ssh-add $HOME/.ssh/id_rsa < /dev/null"
> fails on the first try of using ssh-askpass before the window manager
> starts. The second try works. The error message on the first try is
> "Bad passphrase, try again".

Another symptom: one must type the pass phrase correctly on both the first and second try or the agent is not updated.

-- John

From markus.friedl at informatik.uni-erlangen.de Sat May 12 07:38:01 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 11 May 2001 23:38:01 +0200
Subject: RSARhosts / Hostbased auth and euid=0 requirement
In-Reply-To: <1630745343.989337796@ZATHROS>; from carson@taltos.org on Tue, May 08, 2001 at 04:03:16PM -0700
References: <20010508234323.A16403@folly> <1630745343.989337796@ZATHROS>
Message-ID: <20010511233801.A17002@folly>

On Tue, May 08, 2001 at 04:03:16PM -0700, Carson Gaspar wrote:
> > we've been discussing a setgid ssh earlier, but
> > decided that it's not the way to go.
> >
> > however, i think about moving the client side of
> > hostbased authentication out of ssh, to a setuid binary
> > /usr/libexec/ssh-keysign
> > and remove the sbit from ssh.
> > ssh-keysign will read the hostkeys and generate a valid
> > signature.
>
> Great. Is this going to be implemented anytime soon? If so, I withdraw my
> suggestion. If not, please let's get a stop-gap solution in place quickly.

hm, i've been working on this some weeks ago but got distracted. perhaps i can start again, soon. right now i'm not sure about the protocol between ssh and ssh-keysign.

btw, ssh.com has a keysigner for this job.

From markus.friedl at informatik.uni-erlangen.de Sat May 12 08:07:06 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sat, 12 May 2001 00:07:06 +0200
Subject: openssh 2.9: socks5 support? and support for RSA SECURID (one-time password)?
In-Reply-To: ; from aultj@crd.ge.com on Fri, May 11, 2001 at 04:26:57PM -0400
References:
Message-ID: <20010512000706.B4555@folly>

On Fri, May 11, 2001 at 04:26:57PM -0400, Ault, James R (CRD) wrote:
> I was reading the changelog from version 2.9 that was recently released, and I couldn't help noticing
> this item:
>
> from openssh changelog:
>
> - markus at cvs.openbsd.org 2001/04/17 12:55:04
> [channels.c ssh.c]
> undo socks5 and https support since they are not really used and
> only bloat ssh.
>
>
> I would like to say that I am one person that does care about ssh with socks5 support, and I would
> like to see it stay in openssh.

openssh never included support for client side socks. you can use ProxyCommand for this:

    ProxyCommand exec /usr/local/bin/socksify /usr/bin/nc %h %p

this commit message was about removing a simple SOCKS5 SERVER (yes, server) from openssh. openssh does still include a SOCKS4 server.

> I know there are people here who use ssh with socks5 support, and I want to convince them to use
> openssh instead of whatever v1 version they are using now, but it will be difficult for me to do that
> if socks5 support disappears.

socks5 did not disappear. there was no explicit socks5 support.

> Or else I will just have to stay at openssh2.5.2p2 for a long time.

why?

> I also wanted to ask about the possibility of having RSA SECURID as a one-time password support in the future.

however, openssh 2.9p1's contrib dir contains some code.

From mouring at etoh.eviladmin.org Sat May 12 08:37:57 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Fri, 11 May 2001 17:37:57 -0500 (CDT)
Subject: openssh 2.9: socks5 support? and support for RSA SECURID (one-time password)?
In-Reply-To: <20010512000706.B4555@folly>
Message-ID:

On Sat, 12 May 2001, Markus Friedl wrote:

> On Fri, May 11, 2001 at 04:26:57PM -0400, Ault, James R (CRD) wrote:
> > I was reading the changelog from version 2.9 that was recently released, and I couldn't help noticing
> > this item:
> >
> > from openssh changelog:
> >
> > - markus at cvs.openbsd.org 2001/04/17 12:55:04
> > [channels.c ssh.c]
> > undo socks5 and https support since they are not really used and
> > only bloat ssh.
> >
> >
> > I would like to say that I am one person that does care about ssh with socks5 support, and I would
> > like to see it stay in openssh.
>
> openssh never included support for client side socks. you
> can use ProxyCommand for this:
>
> ProxyCommand exec /usr/local/bin/socksify /usr/bin/nc %h %p
>

Should we add in a 'FAQ' question for this? It's been brought up enough now.

[..]

> > I also wanted to ask about the possibility of having RSA SECURID as a one-time password support
> > in the future.
>
> however, openssh 2.9p1's contrib dir contains
> some code.
>

We do? I don't remember committing such a patch, nor do I see it. There was talk about it, but no one submitted a patch.

- Ben

From DELETEcbodzin at home.com Sat May 12 09:40:30 2001
From: DELETEcbodzin at home.com (Corey Bodzin)
Date: Fri, 11 May 2001 16:40:30 -0700
Subject: Problems with OpenSSH2.9p1 on Linux/Sparc
Message-ID: <3AFC786E.951A6AC1@home.com>

Let me start this with the disclaimer that I am a Linux lover that only pretends to have any clue about coding.

I grabbed the latest version of OpenSSH (v2.9p1) and went to install it on my Sparc (RH 6.2, v2.4.2). Unlike OpenSSH 2.5.2p2, however, when I tried to compile it I got the following error:

    ... ...
    gcc -g -O2 -Wall -I. -I. -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_PIDDIR=\"/var/run\" -DHAVE_CONFIG_H -c channels.c
    channels.c: In function `auth_input_request_forwarding':
    channels.c:2613: warning: implicit declaration of function `mkdtemp'
    channels.c:2613: warning: comparison between pointer and integer
    channels.c:2626: warning: passing arg 1 of `on_exit' from incompatible pointer type
    channels.c:2626: too few arguments to function `on_exit'
    make: *** [channels.o] Error 1

This was not good.

After doing a little research I discovered that atexit() apparently doesn't work on my current system (in glibc > 2.1 it is declared external, which breaks things on Sparc...I don't claim to fully follow, so read the news groups for more info). Further reading indicated that on_exit() has a different parameter list than atexit(), as shown below:

    int atexit(void (*function)(void));
    int on_exit(void (*function)(int , void *), void *arg);

Since the differing parameter is for arguments I thought it might be safe to just set it to NULL, as shown below:

    /* if (atexit(cleanup_socket) < 0) { */       /* Original, causes gcc to barf */
    if (on_exit(cleanup_socket, NULL) < 0) {      /* Revised, now finger-lickin' good */

This seems to do the trick, allowing me to compile. Furthermore, I've been running the daemon for a little while now and I don't *seem* to have any bad things happening. I put together a patch to fix the required files (channels.c, ssh-agent.c) and listed it below.

Anyhow, I've posted this for two reasons:

1) So that all the C-impaired people of the world (such as myself) who want to compile OpenSSH2.9p1 on Sparc can do so without the crying, screaming, and cursing that I had to endure. Just remember, I am not a coder (nor do I play one on TV), so this is not guaranteed to be good or even recommended; it may not even work; it may break things; standard disclaimers apply.

2) So that all the C/OpenSSH/General-UNIX gurus out there can point out if there is a better way to fix this, if this is harmful, etc.

Please drop a line to me at the (obviously spam-protected) address DELETEcbodzin at home.com and let me know.

Patch follows - put the text into a file and then type "cat | patch -p1" from your openssh2.9p1 directory to install.

----------------------------------------------------------

*** channels.c	Fri May 11 16:06:04 2001
--- channels.c.new	Fri May 11 16:07:29 2001
***************
*** 2623,2629 ****
  	snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d",
  		 channel_forwarded_auth_socket_dir, (int) getpid());
  
! 	if (atexit(cleanup_socket) < 0) {
  		int saved = errno;
  		cleanup_socket();
  		packet_disconnect("socket: %.100s", strerror(saved));
--- 2623,2633 ----
  	snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d",
  		 channel_forwarded_auth_socket_dir, (int) getpid());
  
! 	/* This is bad...on_exit requires 2 parameters, whereas
! 	   at_exit only takes one.  Field 2 is arguments, so let's
! 	   see if we can fool it by passing null - Corey 5/11/01 */
! 	/* if (atexit(cleanup_socket) < 0) { */
! 	if (on_exit(cleanup_socket, NULL) < 0) {
  		int saved = errno;
  		cleanup_socket();
  		packet_disconnect("socket: %.100s", strerror(saved));
*** ssh-agent.c	Fri May 11 16:05:57 2001
--- ssh-agent.c.new	Fri May 11 16:07:20 2001
***************
*** 860,866 ****
  		perror("setsid");
  		cleanup_exit(1);
  	}
! 	if (atexit(cleanup_socket) < 0) {
  		perror("atexit");
  		cleanup_exit(1);
  	}
--- 860,870 ----
  		perror("setsid");
  		cleanup_exit(1);
  	}
! 	/* This is bad...on_exit requires 2 parameters, whereas
! 	   at_exit only takes one.  Field 2 is arguments, so let's
! 	   see if we can fool it by passing null - Corey 5/11/01 */
! 	/* if (atexit(cleanup_socket) < 0) { */
! 	if (on_exit(cleanup_socket, NULL) < 0) {
  		perror("atexit");
  		cleanup_exit(1);
  	}

From mouring at etoh.eviladmin.org Sat May 12 09:48:15 2001
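Review bot: in the channels.c hunk, handing cleanup_socket (declared to take no arguments) to on_exit, which expects a `void (*)(int, void *)` callback, is exactly what the "passing arg 1 of `on_exit' from incompatible pointer type" warning in the build log is about; it compiles once the NULL is supplied, but the handler is then invoked through the wrong function type, which is undefined behaviour rather than a harmless trick. Register an adapter with the right prototype instead, e.g. `static void cleanup_socket_onexit(int status, void *arg) { cleanup_socket(); }`, and keep the atexit-vs-on_exit choice in the portability layer rather than hard-coding on_exit() in channels.c, where it will not build on systems that only have atexit(). Minor: the comment says "at_exit"; the function is atexit().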
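Review bot: the ssh-agent.c hunk has the same callback-type problem as the channels.c one, and additionally leaves `perror("atexit")` in the error branch while the call is now on_exit(), so a failure would be reported under the wrong function name. If on_exit() stays here, update the message to match; better, leave the source calling atexit() and fix the mapping once in the portability header so both files share one correct definition.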
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Fri, 11 May 2001 18:48:15 -0500 (CDT)
Subject: Problems with OpenSSH2.9p1 on Linux/Sparc
In-Reply-To: <3AFC786E.951A6AC1@home.com>
Message-ID:

The real issue is here in defines.h...

    #if !defined(HAVE_ATEXIT) && defined(HAVE_ON_EXIT)
    # define atexit(a) on_exit(a)
                       ^^^^^^^^^^^
    On Linux on_exit() takes two arguments

What platform does on_exit() have a single argument? I believe this should be:

    # define atexit(a) on_exit(a, NULL)

SunOS 4.x requires two arguments also.

- Ben

On Fri, 11 May 2001, Corey Bodzin wrote:

> Let me start this with the disclaimer that I am a Linux lover that only
> pretends to have any clue about coding.
>
> I grabbed the latest version of OpenSSH (v2.9p1) and went to install it
> on my Sparc (RH 6.2, v2.4.2). Unlike OpenSSH 2.5.2p2, however, when I
> tried to compile it I got the following error:
>
> ... ...
> gcc -g -O2 -Wall -I. -I. -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_PIDDIR=\"/var/run\" -DHAVE_CONFIG_H -c channels.c
> channels.c: In function `auth_input_request_forwarding':
> channels.c:2613: warning: implicit declaration of function `mkdtemp'
> channels.c:2613: warning: comparison between pointer and integer
> channels.c:2626: warning: passing arg 1 of `on_exit' from incompatible pointer type
> channels.c:2626: too few arguments to function `on_exit'
> make: *** [channels.o] Error 1
>
> This was not good.
>
> After doing a little research I discovered that atexit() apparently
> doesn't work on my current system (in glibc > 2.1 it is declared
> external, which breaks things on Sparc...I don't claim to fully follow,
> so read the news groups for more info). Further reading indicated that
> on_exit() has a different parameter list than atexit(), as shown below:
>
> int atexit(void (*function)(void));
> int on_exit(void (*function)(int , void *), void *arg);
>
> Since the differing parameter is for arguments I thought it might be
> safe to just set it to NULL, as shown below:
>
> /* if (atexit(cleanup_socket) < 0) { */       /* Original, causes gcc to barf */
> if (on_exit(cleanup_socket, NULL) < 0) {      /* Revised, now finger-lickin' good */
>
> This seems to do the trick, allowing me to compile. Furthermore, I've
> been running the daemon for a little while now and I don't *seem* to
> have any bad things happening. I put together a patch to fix the
> required files (channels.c, ssh-agent.c) and listed it below.
>
> Anyhow, I've posted this for two reasons:
>
> 1) So that all the C-impaired people of the world (such as myself) who
> want to compile OpenSSH2.9p1 on Sparc can do so without the crying,
> screaming, and cursing that I had to endure. Just remember, I am not a
> coder (nor do I play one on TV), so this is not guaranteed to be good
> or even recommended; it may not even work; it may break things;
> standard disclaimers apply.
>
> 2) So that all the C/OpenSSH/General-UNIX gurus out there can point out
> if there is a better way to fix this, if this is harmful, etc.
>
> Please drop a line to me at the (obviously spam-protected) address
> DELETEcbodzin at home.com and let me know.
>
> Patch follows - put the text into a file and then type "cat | patch -p1"
> from your openssh2.9p1 directory to install.
>
> ----------------------------------------------------------
>
> *** channels.c	Fri May 11 16:06:04 2001
> --- channels.c.new	Fri May 11 16:07:29 2001
> ***************
> *** 2623,2629 ****
>   	snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d",
>   		 channel_forwarded_auth_socket_dir, (int) getpid());
>   
> ! 	if (atexit(cleanup_socket) < 0) {
>   		int saved = errno;
>   		cleanup_socket();
>   		packet_disconnect("socket: %.100s", strerror(saved));
> --- 2623,2633 ----
>   	snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d",
>   		 channel_forwarded_auth_socket_dir, (int) getpid());
>   
> ! 	/* This is bad...on_exit requires 2 parameters, whereas
> ! 	   at_exit only takes one.  Field 2 is arguments, so let's
> ! 	   see if we can fool it by passing null - Corey 5/11/01 */
> ! 	/* if (atexit(cleanup_socket) < 0) { */
> ! 	if (on_exit(cleanup_socket, NULL) < 0) {
>   		int saved = errno;
>   		cleanup_socket();
>   		packet_disconnect("socket: %.100s", strerror(saved));
> *** ssh-agent.c	Fri May 11 16:05:57 2001
> --- ssh-agent.c.new	Fri May 11 16:07:20 2001
> ***************
> *** 860,866 ****
>   		perror("setsid");
>   		cleanup_exit(1);
>   	}
> ! 	if (atexit(cleanup_socket) < 0) {
>   		perror("atexit");
>   		cleanup_exit(1);
>   	}
> --- 860,870 ----
>   		perror("setsid");
>   		cleanup_exit(1);
>   	}
> ! 	/* This is bad...on_exit requires 2 parameters, whereas
> ! 	   at_exit only takes one.  Field 2 is arguments, so let's
> ! 	   see if we can fool it by passing null - Corey 5/11/01 */
> ! 	/* if (atexit(cleanup_socket) < 0) { */
> ! 	if (on_exit(cleanup_socket, NULL) < 0) {
>   		perror("atexit");
>   		cleanup_exit(1);
>   	}
>
>

From bowman at math.ualberta.ca Sat May 12 12:55:19 2001
From: bowman at math.ualberta.ca (John Bowman)
Date: 12 May 2001 02:55:19 -0000
Subject: User-Dependent Identity File
Message-ID: <20010512025519.5786.qmail@wizard.math.ualberta.ca>

Hi,

In SSH, there is a way of telling ssh to look for identification files in a user-dependent location other than the default directory, $HOME/.ssh, without creating a separate ~/.ssh/config entry for each user. For example, in sshd_config one can specify

UserConfigDirectory "/etc/ssh2/auth/%U"

where %U stands for the incoming $USER. This is required for security if user home directories are NFS mounted.

Has such a facility been implemented in OpenSSH? If so, can anyone tell me what the syntax is? I can't find anything in the man pages or FAQ.

-- John Bowman
University of Alberta
http://www.math.ualberta.ca/~bowman

From wayne at blorf.net Sat May 12 16:26:13 2001
From: wayne at blorf.net (Wayne Davison) Date: Fri, 11 May 2001 23:26:13 -0700 (PDT) Subject: Erase the source file open; specify a tempfile name option Message-ID: I'm curious how to go about submitting a suggestion that affects both the original BSD version and the portable release. A few days ago I sent off a BSD-relative patch to openssh at openssh.com. Is this the right thing to do? I didn't hear anything back, but it's only been 3 days, so I'm probably just being too antsy. In the meantime, maybe someone else out there would like to check this out. Appended is a version of my patch for the latest portable code (relative to the CVS version). It adds two new options to scp that I find useful: -E Erase the source file after a successful copy. -T file Use "file" as a temporary file that gets renamed into each actual destination file. I implemented this patch in order to be able to move input files from one system to another, while also not having the files show up in the destination directory until each one was complete (there's a program reading the input dir that expects any file in the destination dir to be fully written). These two new options make this easy. Yes, the user must specify a -T option that is on the same file system as the destination dir or the rename will fail (with an appropriate error and without erasing the source file). I haven't changed any documentation yet. I'd be glad to if this gets accepted. Enjoy, ..wayne.. ---8<------8<------8<------8<---cut here--->8------>8------>8------>8--- Index: scp.c @@ -105,6 +105,7 @@ /* Returns width of the terminal (for progress meter calculations). */ int getttywidth(void); + int do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc); /* Struct for addargs */ 
@@ -206,9 +207,11 @@ uid_t userid; int errs, remin, remout; int pflag, iamremote, iamrecursive, targetshouldbedirectory; +int eraseflag; +char *tmpfn = ""; -#define CMDNEEDS 64 -char cmd[CMDNEEDS]; /* must hold "rcp -r -p -d\0" */ +char *cmd; +int cmdlen; int response(void); void rsource(char *, struct stat *); @@ -236,7 +239,7 @@ addargs(&args, "-oFallBackToRsh no"); fflag = tflag = 0; - while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S:o:")) != -1) + while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S:o:ET:")) != -1) switch (ch) { /* User-visible flags. */ case '4': @@ -270,6 +273,12 @@ case 'q': showprogress = 0; break; + case 'E': + eraseflag = 1; + break; + case 'T': + tmpfn = xstrdup(optarg); + break; /* Server options. */ case 'd': @@ -319,8 +328,11 @@ remin = remout = -1; /* Command to be executed on remote system using "ssh". */ - (void) snprintf(cmd, sizeof cmd, "scp%s%s%s%s", + cmdlen = strlen(tmpfn) + 64; + cmd = xmalloc(cmdlen); + (void) snprintf(cmd, cmdlen, "scp%s%s%s%s%s%s%s", verbose_mode ? " -v" : "", + eraseflag ? " -E" : "", *tmpfn ? " -T" : "", tmpfn, iamrecursive ? " -r" : "", pflag ? " -p" : "", targetshouldbedirectory ? " -d" : ""); @@ -370,7 +382,7 @@ host = strchr(argv[i], '@'); len = strlen(ssh_program) + strlen(argv[i]) + strlen(src) + (tuser ? strlen(tuser) : 0) + - strlen(thost) + strlen(targ) + CMDNEEDS + 32; + strlen(thost) + strlen(targ) + cmdlen + 32; bp = xmalloc(len); if (host) { *host++ = 0; @@ -403,7 +415,7 @@ (void) xfree(bp); } else { /* local to remote */ if (remin == -1) { - len = strlen(targ) + CMDNEEDS + 20; + len = strlen(targ) + cmdlen + 20; bp = xmalloc(len); (void) snprintf(bp, len, "%s -t %s", cmd, targ); host = cleanhostname(thost); 
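Review bot: in the hunk that builds cmd, tmpfn is appended to the command string unquoted (`*tmpfn ? " -T" : "", tmpfn`) and that string is handed by do_cmd to the login shell on the other side, so a -T path containing whitespace or shell metacharacters is split or interpreted there instead of being used literally. Either quote the argument when building cmd or refuse -T values containing such characters; cmdlen itself (strlen(tmpfn) + 64) leaves enough room for the fixed flags.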
@@ -428,7 +440,8 @@ char *bp, *host, *src, *suser; for (i = 0; i < argc - 1; i++) { - if (!(src = colon(argv[i]))) { /* Local to local. */ + src = colon(argv[i]); + if (!src && !eraseflag && !*tmpfn) { /* Local to local w/cp */ len = strlen(_PATH_CP) + strlen(argv[i]) + strlen(argv[argc - 1]) + 20; bp = xmalloc(len); @@ -441,23 +454,30 @@ ++errs; (void) xfree(bp); continue; + } + if (src) { + *src++ = 0; + if (*src == 0) + src = "."; + if ((host = strchr(argv[i], '@')) == NULL) { + host = argv[i]; + suser = NULL; + } else { + *host++ = 0; + suser = argv[i]; + if (*suser == '\0') + suser = pwd->pw_name; + else if (!okname(suser)) + continue; + } + host = cleanhostname(host); } - *src++ = 0; - if (*src == 0) - src = "."; - if ((host = strchr(argv[i], '@')) == NULL) { - host = argv[i]; + else { + src = argv[i]; + host = "localhost"; suser = NULL; - } else { - *host++ = 0; - suser = argv[i]; - if (*suser == '\0') - suser = pwd->pw_name; - else if (!okname(suser)) - continue; } - host = cleanhostname(host); - len = strlen(src) + CMDNEEDS + 20; + len = strlen(src) + cmdlen + 20; bp = xmalloc(len); (void) snprintf(bp, len, "%s -f %s", cmd, src); if (do_cmd(host, suser, bp, &remin, &remout, argc) < 0) { @@ -582,7 +602,10 @@ (void) atomicio(write, remout, "", 1); else run_err("%s: %s", name, strerror(haderr)); - (void) response(); + if (response() == 0 && eraseflag && !haderr) { + if (unlink(name) < 0) + run_err("%s: %s", name, strerror(errno)); + } } } @@ -656,7 +679,7 @@ int amt, count, exists, first, mask, mode, ofd, omode; off_t size; int setimes, targisdir, wrerrno = 0; - char ch, *cp, *np, *targ, *why, *vect[1], buf[2048]; + char ch, *cp, *np, *targ, *dest, *why, *vect[1], buf[2048]; struct timeval tv[2]; #define atime tv[0] @@ -770,6 +793,7 @@ np = namebuf; } else np = targ; + dest = *tmpfn? tmpfn : np; curfile = cp; exists = stat(np, &stb) == 0; if (buf[0] == 'D') { 
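Review bot: in the tolocal() hunk, a local-to-local copy with -E or -T now spawns `scp -f` through do_cmd against host "localhost" with src still set to argv[i] as typed, so a relative source path is resolved in the home directory of that ssh login rather than in the caller's cwd, and the copy quietly depends on a working ssh session to localhost. Make src absolute before building the command, and mention in usage that these flags turn a local copy into an ssh round trip.

Review bot: the hunk adding `dest = *tmpfn? tmpfn : np;` assigns it before the `if (buf[0] == 'D')` branch, so a directory-creation error that reaches the `bad:` label (which now prints dest) names the temp file instead of the directory being created; set dest = np in the directory branch.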
@@ -804,8 +828,8 @@ } omode = mode; mode |= S_IWRITE; - if ((ofd = open(np, O_WRONLY | O_CREAT | O_TRUNC, mode)) < 0) { -bad: run_err("%s: %s", np, strerror(errno)); + if ((ofd = open(dest, O_WRONLY | O_CREAT | O_TRUNC, mode)) < 0) { +bad: run_err("%s: %s", dest, strerror(errno)); continue; } (void) atomicio(write, remout, "", 1); @@ -861,7 +885,7 @@ } #if 0 if (ftruncate(ofd, size)) { - run_err("%s: truncate: %s", np, strerror(errno)); + run_err("%s: truncate: %s", dest, strerror(errno)); wrerr = DISPLAYED; } #endif @@ -870,19 +894,19 @@ #ifdef HAVE_FCHMOD if (fchmod(ofd, omode)) #else /* HAVE_FCHMOD */ - if (chmod(np, omode)) + if (chmod(dest, omode)) #endif /* HAVE_FCHMOD */ run_err("%s: set mode: %s", - np, strerror(errno)); + dest, strerror(errno)); } else { if (!exists && omode != mode) #ifdef HAVE_FCHMOD if (fchmod(ofd, omode & ~mask)) #else /* HAVE_FCHMOD */ - if (chmod(np, omode & ~mask)) + if (chmod(dest, omode & ~mask)) #endif /* HAVE_FCHMOD */ run_err("%s: set mode: %s", - np, strerror(errno)); + dest, strerror(errno)); } if (close(ofd) == -1) { wrerr = YES; @@ -891,15 +915,21 @@ (void) response(); if (setimes && wrerr == NO) { setimes = 0; - if (utimes(np, tv) < 0) { + if (utimes(dest, tv) < 0) { run_err("%s: set times: %s", - np, strerror(errno)); + dest, strerror(errno)); wrerr = DISPLAYED; } } + if (*tmpfn && rename(tmpfn, np) < 0) { + wrerr = YES; + wrerrno = errno; + } switch (wrerr) { case YES: - run_err("%s: %s", np, strerror(wrerrno)); + if (*tmpfn) + unlink(tmpfn); + run_err("%s: %s", dest, strerror(wrerrno)); break; case NO: (void) atomicio(write, remout, "", 1); 
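Review bot: in the open() hunk, with -T the temp file is a fixed, user-chosen path opened with O_WRONLY|O_CREAT|O_TRUNC and no O_EXCL, so whatever already exists under that name is followed and truncated, a symlink included if the path lives in a directory other users can write to. Add O_EXCL (unlinking a stale temp file explicitly first), or generate the temp name with mkstemp() in the destination directory.

Review bot: in the rename hunk, `if (*tmpfn && rename(tmpfn, np) < 0)` runs regardless of wrerr, so after a write or close failure (wrerr == YES) the incomplete temp file is still renamed over np and the `unlink(tmpfn)` in `case YES:` then removes nothing; that defeats the purpose of -T. Skip the rename when wrerr == YES, and on a rename failure report np, the name the user asked for, rather than dest.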
@@ -949,8 +979,8 @@ void usage() { - (void) fprintf(stderr, "usage: scp " - "[-pqrvBC46] [-S ssh] [-P port] [-c cipher] [-i identity] f1 f2\n" + (void) fprintf(stderr, "usage: scp [-pqrvBCE46] " + "[-S ssh] [-P port] [-c cipher] [-i id] [-T tmp] f1 f2\n" " or: scp [options] f1 ... fn directory\n"); exit(1); } ---8<------8<------8<------8<---cut here--->8------>8------>8------>8--- From djm at mindrot.org Sat May 12 18:40:50 2001 From: djm at mindrot.org (Damien Miller) Date: Sat, 12 May 2001 18:40:50 +1000 (EST) Subject: 2.9p1 ssh-add/ssh-askpass first try fails In-Reply-To: <200105111504.f4BF43h25736@henry.apl.washington.edu> Message-ID: On Fri, 11 May 2001, John Dunlap wrote: > Nuts, don't pay too much attention to what I say works. I cannot > duplicate it. I could have sworn that some combination accepted > the first try but I cannot find it now. Sorry, -- John My patch is wrong too - I'll do another tonight. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From markus.friedl at informatik.uni-erlangen.de Sun May 13 00:37:21 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 12 May 2001 16:37:21 +0200 Subject: User-Dependent Identity File In-Reply-To: <20010512025519.5786.qmail@wizard.math.ualberta.ca>; from bowman@math.ualberta.ca on Sat, May 12, 2001 at 02:55:19AM -0000 References: <20010512025519.5786.qmail@wizard.math.ualberta.ca> Message-ID: <20010512163721.B4711@folly> On Sat, May 12, 2001 at 02:55:19AM -0000, John Bowman wrote: > This is required for security if user home directories are NFS mounted. > Has such a facility been implemented in OpenSSH? something similar will be in the next release. -m From markus.friedl at informatik.uni-erlangen.de Sun May 13 00:48:07 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sat, 12 May 2001 16:48:07 +0200
Subject: openssh 2.9: socks5 support? and support for RSA SECURID (one-time password)?
In-Reply-To: ; from mouring@etoh.eviladmin.org on Fri, May 11, 2001 at 05:37:57PM -0500
References: <20010512000706.B4555@folly>
Message-ID: <20010512164807.A1458@folly>

On Fri, May 11, 2001 at 05:37:57PM -0500, mouring at etoh.eviladmin.org wrote:
> > openssh did never include support for client side socks. you
> > can use ProxyCommand for this:
> >
> > ProxyCommand exec /usr/local/bin/socksify /usr/bin/nc %h %p
> >
> Should we add in a 'FAQ' question for this? It's been brought up enough
> now.

yes please.

perhaps we can add socks4 client support to openssh. but if we add unauthenticated socks4, then everybody needs authenticated socks4 and so on. i don't want to do this....

> We do? I don't remember committing such a patch, nor do I see it. There
> was talk about it, but no one submitted a patch.

contrib/SecurID.diff

From mouring at etoh.eviladmin.org Sun May 13 02:29:39 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Sat, 12 May 2001 11:29:39 -0500 (CDT)
Subject: openssh 2.9: socks5 support? and support for RSA SECURID (one-time password)?
In-Reply-To: <20010512164807.A1458@folly>
Message-ID:

> > We do? I don't remember committing such a patch, nor do I see it. There
> > was talk about it, but no one submitted a patch.
>
> contrib/SecurID.diff
>

Ahh.. I see. It's tagged 2.9, but not in the main CVS tree.

- Ben

From mouring at etoh.eviladmin.org Sun May 13 02:43:05 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Sat, 12 May 2001 11:43:05 -0500 (CDT)
Subject: Patch to update contrib/solaris package builder [3rd patch]
In-Reply-To:
Message-ID:

Applied. Thanks

- Ben

On Mon, 7 May 2001 ninjaz at webexpress.com wrote:

>
> On Mon, 7 May 2001 mouring at etoh.eviladmin.org wrote:
>
> >
> > [.. From Makefile.. 'install-files:' section..]
> > -rm -f $(DESTDIR)$(bindir)/slogin
> > ln -s ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
> > -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
> > ln -s ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
> >
> > So they are symlinks.
>
> Thanks -
>
> Fixed in this patch (symlink entries in prototype).
>
> > The packaging process still does not handle a lot of cases. You may
> > always want to watch out for the 'mdoc vs man' formatted manpages. Most
> > solaris (all?) use 'man' formatted. The default documentation is in mdoc.
>
> This is fixed, too. (by using the foo.x.out files generated by the OpenSSH
> Makefile) It requires perl, but so does the OpenSSL build, anyway ...
>
> > If I don't get a rewrite in the next few days. I'll apply this as a
> > stop-gap. But I'd like to see this rewritten, but I'll not get to it for
> > at least two weeks due to projects at work.
>
> Are these two issues the ones you wanted squashed? Or is there a more
> ambitious complete rewrite you have in mind?
>
> -pete
>

From djm at mindrot.org Sun May 13 10:27:54 2001
From: djm at mindrot.org (Damien Miller) Date: Sun, 13 May 2001 10:27:54 +1000 (EST) Subject: 2.9p1 ssh-add/ssh-askpass first try fails In-Reply-To: Message-ID: On Sat, 12 May 2001, Damien Miller wrote: > On Fri, 11 May 2001, John Dunlap wrote: > > > Nuts, don't pay too much attention to what I say works. I cannot > > duplicate it. I could have sworn that some combination accepted > > the first try but I cannot find it now. Sorry, -- John > > My patch is wrong too - I'll do another tonight. Please try this: Index: readpass.c =================================================================== RCS file: /var/cvs/openssh/readpass.c,v retrieving revision 1.14 diff -u -r1.14 readpass.c --- readpass.c 2001/05/06 18:01:44 1.14 +++ readpass.c 2001/05/13 00:26:13 @@ -69,12 +69,13 @@ fatal("ssh_askpass: exec(%s): %s", askpass, strerror(errno)); } close(p[1]); - len = read(p[0], buf, sizeof buf); + memset(buf, 0, sizeof(buf)); + len = atomicio(read, p[0], buf, sizeof buf); close(p[0]); while (waitpid(pid, &status, 0) < 0) if (errno != EINTR) break; - if (len <= 1) + if (len == -1) return xstrdup(""); nl = strchr(buf, '\n'); if (nl) -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From aadudek at earthlink.net Mon May 14 03:59:22 2001
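Review bot: the lines after the hunk still scan buf with strchr(buf, '\n'), so buf must stay NUL-terminated; the new memset() guarantees that only when the helper writes fewer than sizeof buf bytes, so read at most sizeof buf - 1 here. A one-line comment that atomicio() is used so the read keeps going until the pipe is drained, rather than returning the first short chunk from the askpass program, would also tell the next reader why plain read() was the bug, and that after this change the `len == -1` test is the only thing that still looks at len.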
From: aadudek at earthlink.net (Aaron Dudek)
Date: Sun, 13 May 2001 13:59:22 -0400
Subject: Change in behavior from 2.5p2 to 2.9p1
Message-ID: <5.1.0.14.2.20010513133237.009e8a70@pop.earthlink.net>

Under 2.5p2, if I ssh'd back to myself I would get a prompt asking for my passphrase, and if that was incorrect it would then ask for my password. Assuming I had an authorized_keys file with my identity.pub in it.

Under 2.9.p1 it goes straight to enter password instead of asking for my passphrase. This wouldn't be a problem except that when I have "PasswordAuthentication no" I get the following error:

Permission denied (publickey)

Can someone please help me understand why this behavior changed and how to fix it if possible? It looks like something to do with using ssh2 from looking at the verbose output.

Thanks
Aaron

From bowman at math.ualberta.ca Mon May 14 04:44:53 2001
From: bowman at math.ualberta.ca (John Bowman)
Date: 13 May 2001 18:44:53 -0000
Subject: SSH connection hanging on logout
Message-ID: <20010513184453.11194.qmail@wizard.math.ualberta.ca>

Although still no instances of data loss have been reported with the patch I posted to this list on 2001-05-08, I have now noticed one inconsistency with the handling of X connections when the patch is applied to openssh-2.9p1 that I thought I should report:

Without the patch the following will hang (just as any other process will):

ssh host
xclock &
exit

With the patch the ssh connection closes immediately, without waiting for the X application to terminate. This does not seem to be desirable; suppose the process had been an emacs or netscape session.

Is it possible to modify the patch so that it will wait for unclosed X sessions to terminate (but not hang on other processes), just as the commercial version of SSH does?

-- John Bowman
University of Alberta
http://www.math.ualberta.ca/~bowman

From Lutz.Jaenicke at aet.TU-Cottbus.DE Mon May 14 05:11:18 2001
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Sun, 13 May 2001 21:11:18 +0200
Subject: Change in behavior from 2.5p2 to 2.9p1
In-Reply-To: <5.1.0.14.2.20010513133237.009e8a70@pop.earthlink.net>; from aadudek@earthlink.net on Sun, May 13, 2001 at 01:59:22PM -0400
References: <5.1.0.14.2.20010513133237.009e8a70@pop.earthlink.net>
Message-ID: <20010513211118.B11116@serv01.aet.tu-cottbus.de>

On Sun, May 13, 2001 at 01:59:22PM -0400, Aaron Dudek wrote:
> Under 2.5p2, if I ssh'd back to myself I would get a prompt asking for my
> passphrase, and if that was incorrect it would then ask for my password.
> Assuming I had a authorized_keys file with my identity.pub in it.
> Under 2.9.p1 it goes straight to enter password instead of asking for my
> passphrase.
> This wouldn't be a problem except that when I have "PasswordAuthentication
> no" I get the following error:
> Permission denied (publickey)
>
> Can someone please help me understand why this behavior changed and how to
> fix it if possible. It looks like something to do with using ssh2 from
> looking at the verbose output.

Please be aware that 2.9p1 will do SSH-2 by default. You need another set of keys with SSH-2. These are usually called id_rsa[.pub] and/or id_dsa[.pub] and the public keys are now in authorized_keys2. You cannot use the old keys for the new protocol. Use "ssh-keygen -t rsa" to generate an RSA key for protocol 2.

Best regards,
Lutz

--
Lutz Jaenicke                    Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus                      http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik          Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus      Fax. +49 355 69-4153

From dunlap at apl.washington.edu Mon May 14 08:08:25 2001
From: dunlap at apl.washington.edu (John Dunlap) Date: Sun, 13 May 2001 15:08:25 -0700 (PDT) Subject: 2.9p1 ssh-add/ssh-askpass first try fails In-Reply-To: from "Damien Miller" at May 13, 2001 10:27:54 AM Message-ID: <200105132208.f4DM8PM17825@henry.apl.washington.edu> Damien, This patch cures the problem for me. Tested on RHL6.2 and RHL7.2. Thanks, John > > Please try this: > > Index: readpass.c > =================================================================== > RCS file: /var/cvs/openssh/readpass.c,v > retrieving revision 1.14 > diff -u -r1.14 readpass.c > --- readpass.c 2001/05/06 18:01:44 1.14 > +++ readpass.c 2001/05/13 00:26:13 > @@ -69,12 +69,13 @@ > fatal("ssh_askpass: exec(%s): %s", askpass, strerror(errno)); > } > close(p[1]); > - len = read(p[0], buf, sizeof buf); > + memset(buf, 0, sizeof(buf)); > + len = atomicio(read, p[0], buf, sizeof buf); > close(p[0]); > while (waitpid(pid, &status, 0) < 0) > if (errno != EINTR) > break; > - if (len <= 1) > + if (len == -1) > return xstrdup(""); > nl = strchr(buf, '\n'); > if (nl) > > -- > | Damien Miller \ ``E-mail attachments are the poor man's > | http://www.mindrot.org / distributed filesystem'' - Dan Geer > -- John Dunlap University of Washington Senior Electrical Engineer Applied Physics Laboratory dunlap at apl.washington.edu 1013 NE 40th Street 206-543-7207, 543-1300, FAX 543-6785 Seattle, WA 98105-6698 From Randolf-ML at Skerka.de Mon May 14 21:42:45 2001 
From: Randolf-ML at Skerka.de (Randolf Skerka)
Date: Mon, 14 May 2001 13:42:45 +0200
Subject: SSH and forced wtmp entries ...
In-Reply-To: <3AFB6645.59642983@bartlett.house>; from abartlet@pcug.org.au on Fri, May 11, 2001 at 02:10:45PM +1000
References: <20010507150303.A12892@faui02.informatik.uni-erlangen.de> <20010511005420.B26079@folly> <3AFB6645.59642983@bartlett.house>
Message-ID: <20010514134245.A4158@rhs-notebook>

On Fri, May 11, 2001 at 02:10:45PM +1000, Andrew Bartlett wrote:
> Furthermore, logouts currently are not recorded in /var/log/authlog, and
> PAM sessions (which I was using for this purpose, at least it records
> the logout) don't function in 2.9p1 (patch attached).

Sorry for the delay, was busy the last days ... depends on the good weather condition ;-)

Well, authlog is quite fine and works very well. But an important point is, that logouts are not logged. It's not possible to say how many users are using the system looking at one file!

What are the arguments for not adding the wtmp entries? I told you how easy it is for a user to hide himself from wtmp (ssh -l user xterm): he has an interactive shell, is logged by authlog, ok, but it's unclear if he is logged in at this moment.

Is somebody able to apply a patch for that? I'm really quite busy, not only because of the weather, and not able to go through the source and make a patch for forced wtmp entries.

bye
Randolf

From Markus.Friedl at informatik.uni-erlangen.de Mon May 14 22:04:23 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 14 May 2001 14:04:23 +0200 Subject: SSH and forced wtmp entries ... In-Reply-To: <20010514134245.A4158@rhs-notebook>; from Randolf-ML@Skerka.de on Mon, May 14, 2001 at 01:42:45PM +0200 References: <20010507150303.A12892@faui02.informatik.uni-erlangen.de> <20010511005420.B26079@folly> <3AFB6645.59642983@bartlett.house> <20010514134245.A4158@rhs-notebook> Message-ID: <20010514140422.A18119@faui02.informatik.uni-erlangen.de> On Mon, May 14, 2001 at 01:42:45PM +0200, Randolf Skerka wrote: > Well, authlog is quite fine and works very well. But an important point > is, that logouts are not logged. It's not possible to say how many users use loglevel=verbose if you care. From peb at mppmu.mpg.de Mon May 14 23:51:41 2001 From: peb at mppmu.mpg.de (Peter Breitenlohner) Date: Mon, 14 May 2001 15:51:41 +0200 (CEST) Subject: openssh-2.9p1 Message-ID: Hi, 1. I think you should apply the attached patch to openssh-2.9p1, otherwise ssh-keyscan on linux boxes with glibc-2.1 will experience enormous timeout delays. 2. Is there a program like ssh-keyscan for the Version2 (dsa and rsa) keys?? regards Peter Breitenlohner -------------- next part -------------- diff -ur openssh-2.9p1.orig/ssh-keyscan.c openssh-2.9p1/ssh-keyscan.c --- openssh-2.9p1.orig/ssh-keyscan.c Wed Mar 14 19:37:13 2001 +++ openssh-2.9p1/ssh-keyscan.c Sun May 13 01:39:43 2001 @@ -30,7 +30,11 @@ static int argno = 1; /* Number of argument currently being parsed */ +#ifdef IPV4_DEFAULT +int family = AF_INET; /* IPv4 */ +#else int family = AF_UNSPEC; /* IPv4, IPv6 or both */ +#endif #define MAXMAXFD 256 From kaelin at acm.org Tue May 15 01:47:12 2001 
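Review bot: the ssh-keyscan.c hunk switches the default address family to AF_INET under IPV4_DEFAULT but records nothing about why; add a comment carrying the reason from the mail (AF_UNSPEC lookups on glibc-2.1 boxes run into long timeouts) so the #ifdef is not removed later as redundant. If ssh-keyscan has no -4/-6 switch like ssh and scp do, add one so IPv6 hosts can still be scanned on an IPV4_DEFAULT build.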
From: kaelin at acm.org (Kaelin Colclasure)
Date: Mon, 14 May 2001 08:47:12 -0700
Subject: Erase the source file open; specify a tempfile name option
References:
Message-ID: <3AFFFE00.52C68332@acm.org>

Wayne Davison wrote:
>
> I'm curious how to go about submitting a suggestion that affects both
> the original BSD version and the portable release. A few days ago I
> sent off a BSD-relative patch to openssh at openssh.com. Is this the right
> thing to do? I didn't hear anything back, but it's only been 3 days, so
> I'm probably just being too antsy.
>
> In the meantime, maybe someone else out there would like to check this
> out. Appended is a version of my patch for the latest portable code
> (relative to the CVS version). It adds two new options to scp that I
> find useful:
>
> -E Erase the source file after a successful copy.
> -T file Use "file" as a temporary file that gets renamed into
> each actual destination file.

Hmmm, might it not be better to have the -T option generate a temporary file name for each file in the copy on its own? After all, it is possible that a recursive copy might cross a mount point on the destination system. And in any case it's one less error that the user might make.

-- Kaelin

From jason at shalott.net Tue May 15 05:48:51 2001
From: jason at shalott.net (Jason Stone)
Date: Mon, 14 May 2001 12:48:51 -0700 (PDT)
Subject: Change in behavior from 2.5p2 to 2.9p1
In-Reply-To: <20010513211118.B11116@serv01.aet.tu-cottbus.de>
Message-ID:

> > Under 2.5p2, if I ssh'd back to myself I would get a prompt asking for my
> > passphrase, and if that was incorrect it would then ask for my password.
> > Under 2.9.p1 it goes straight to enter password instead of asking for my
> > passphrase.
>
> Please be aware that 2.9p1 will do SSH-2 by default. You need another
> set of keys with SSH-2. These are usually called id_rsa[.pub] and/or
> id_dsa[.pub] and the public keys are now in authorized_keys2.

Alternatively, you could force ssh protocol version 1 by specifying the "-1" flag (eg, "ssh -1 localhost") or adding "Protocol 1,2" to your .ssh/config

Upgrading to version 2 keys is the right solution, but if for some reason you can't, you can always force version 1 and your existing keys will work as you expect.

-Jason

---------------------------
If the Revolution comes to grief, it will be because you and those you lead have become alarmed at your own brutality. --John Gardner

From wayne at blorf.net Tue May 15 05:49:35 2001
From: wayne at blorf.net (Wayne Davison)
Date: Mon, 14 May 2001 12:49:35 -0700 (PDT)
Subject: Erase the source file open; specify a tempfile name option
In-Reply-To: <3AFFFE00.52C68332@acm.org>
Message-ID:

On Mon, 14 May 2001, Kaelin Colclasure wrote:
> Hmmm, might it not be better to have the -T option generate a temporary
> file name for each file in the copy on its own?

Not for the purpose that I described in my email. I need to be able to specify a spot that is out of the way of the destination files because I need the destination files to appear full-formed in their final spot WITHOUT even having any temp files showing up in the destination dir(s) before the end of the copy. Thus, the -T option allows the user to specify to scp exactly where this tmp file goes (and what it's named).

What you're describing is something else that would also be useful. We could have an option that says, "copy each file over to a temp filename in the destination dir and rename it into place". With this option the user wouldn't have to specify a tempfile pathname, and it would work with a recursive copy that changed file systems.

Attached is a patch that adds such an option: -u (use unique tmpfile). It also includes my previous -E and -T work with a few fixes: (1) the -T code now reports the right filename when a directory-creation error occurs (not the tempfile name), (2) if we're writing to a tmpfile that will be moved over an existing file and -p was not specified, preserve the existing file's mode flags, and (3) if the user is doing a local-to-local copy with flags that can't be handled by cp, ensure that the source files are fully-qualified pathnames (so that the scp we spawn knows where to find the files).

This patch is relative to the portable CVS. I can make it based on the BSD code, if desired.

..wayne..

---8<------8<------8<------8<---cut here--->8------>8------>8------>8---
Index: scp.c
@@ -105,6 +105,7 @@ /* Returns width of the terminal (for progress meter calculations). */ int getttywidth(void); + int do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc); /* Struct for addargs */ @@ -206,9 +207,11 @@ uid_t userid; int errs, remin, remout; int pflag, iamremote, iamrecursive, targetshouldbedirectory; +int eraseflag, uniquetmpfiles; +char *tmpfn = ""; -#define CMDNEEDS 64 -char cmd[CMDNEEDS]; /* must hold "rcp -r -p -d\0" */ +char *cmd; +int cmdlen; int response(void); void rsource(char *, struct stat *); @@ -236,7 +239,7 @@ addargs(&args, "-oFallBackToRsh no"); fflag = tflag = 0; - while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S:o:")) != -1) + while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S:o:ET:u")) != -1) switch (ch) { /* User-visible flags. */ case '4': @@ -270,6 +273,15 @@ case 'q': showprogress = 0; break; + case 'E': + eraseflag = 1; + break; + case 'T': + tmpfn = xstrdup(optarg); + break; + case 'u': + uniquetmpfiles = 1; + break; /* Server options. */ case 'd': @@ -319,8 +331,11 @@ remin = remout = -1; /* Command to be executed on remote system using "ssh". */ - (void) snprintf(cmd, sizeof cmd, "scp%s%s%s%s", - verbose_mode ? " -v" : "", + cmdlen = strlen(tmpfn) + 64; + cmd = xmalloc(cmdlen); + (void) snprintf(cmd, cmdlen, "scp%s%s%s%s%s%s%s%s", + verbose_mode ? " -v" : "", uniquetmpfiles? " -u" : "", + eraseflag ? " -E" : "", *tmpfn ? " -T" : "", tmpfn, iamrecursive ? " -r" : "", pflag ? " -p" : "", targetshouldbedirectory ? " -d" : ""); @@ -370,7 +385,7 @@ host = strchr(argv[i], '@'); len = strlen(ssh_program) + strlen(argv[i]) + strlen(src) + (tuser ? strlen(tuser) : 0) + - strlen(thost) + strlen(targ) + CMDNEEDS + 32; + strlen(thost) + strlen(targ) + cmdlen + 32; bp = xmalloc(len); if (host) { *host++ = 0; 
@@ -403,7 +418,7 @@ (void) xfree(bp); } else { /* local to remote */ if (remin == -1) { - len = strlen(targ) + CMDNEEDS + 20; + len = strlen(targ) + cmdlen + 20; bp = xmalloc(len); (void) snprintf(bp, len, "%s -t %s", cmd, targ); host = cleanhostname(thost); @@ -424,11 +439,13 @@ int argc; char *argv[]; { - int i, len; - char *bp, *host, *src, *suser; + int i, len, cwd_len = 0; + char *bp, *host, *src, *suser, cwd[MAXPATHLEN]; for (i = 0; i < argc - 1; i++) { - if (!(src = colon(argv[i]))) { /* Local to local. */ + src = colon(argv[i]); + /* See if we can just use cp for a local to local copy */ + if (!src && !eraseflag && !uniquetmpfiles && !*tmpfn) { len = strlen(_PATH_CP) + strlen(argv[i]) + strlen(argv[argc - 1]) + 20; bp = xmalloc(len); @@ -441,23 +458,43 @@ ++errs; (void) xfree(bp); continue; + } + if (src) { + *src++ = 0; + if (*src == 0) + src = "."; + if ((host = strchr(argv[i], '@')) == NULL) { + host = argv[i]; + suser = NULL; + } else { + *host++ = 0; + suser = argv[i]; + if (*suser == '\0') + suser = pwd->pw_name; + else if (!okname(suser)) + continue; + } + host = cleanhostname(host); } - *src++ = 0; - if (*src == 0) - src = "."; - if ((host = strchr(argv[i], '@')) == NULL) { - host = argv[i]; + else { + src = argv[i]; + if (*src != '/') { + if (!cwd_len) { + if (!getcwd(cwd, sizeof cwd)) { + error("Couldn't get local cwd: %s", + strerror(errno)); + break; + } + cwd_len = strlen(cwd); + } + len = cwd_len + strlen(src) + 2; + src = xmalloc(len); + snprintf(src, len, "%s/%s", cwd, argv[i]); + } + host = "localhost"; suser = NULL; - } else { - *host++ = 0; - suser = argv[i]; - if (*suser == '\0') - suser = pwd->pw_name; - else if (!okname(suser)) - continue; } - host = cleanhostname(host); - len = strlen(src) + CMDNEEDS + 20; + len = strlen(src) + cmdlen + 20; bp = xmalloc(len); (void) snprintf(bp, len, "%s -f %s", cmd, src); if (do_cmd(host, suser, bp, &remin, &remout, argc) < 0) { 
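Review bot: in the tolocal() hunk, when getcwd() fails the loop does `error(...); break;` without touching errs, so the remaining sources are silently skipped and scp still exits 0; count it (++errs) and continue, or exit. The absolute src built with xmalloc() is also never freed, a small per-file leak inside the loop, and the MAXPATHLEN-sized cwd buffer means a deeper cwd fails the same way, so the error path matters.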
@@ -582,7 +619,10 @@ (void) atomicio(write, remout, "", 1); else run_err("%s: %s", name, strerror(haderr)); - (void) response(); + if (response() == 0 && eraseflag && !haderr) { + if (unlink(name) < 0) + run_err("%s: %s", name, strerror(errno)); + } } } @@ -656,7 +696,7 @@ int amt, count, exists, first, mask, mode, ofd, omode; off_t size; int setimes, targisdir, wrerrno = 0; - char ch, *cp, *np, *targ, *why, *vect[1], buf[2048]; + char ch, *cp, *np, *targ, *dest, *why, *vect[1], buf[2048]; struct timeval tv[2]; #define atime tv[0] @@ -774,6 +814,7 @@ exists = stat(np, &stb) == 0; if (buf[0] == 'D') { int mod_flag = pflag; + dest = np; if (exists) { if (!S_ISDIR(stb.st_mode)) { errno = ENOTDIR; @@ -804,9 +845,33 @@ } omode = mode; mode |= S_IWRITE; - if ((ofd = open(np, O_WRONLY | O_CREAT | O_TRUNC, mode)) < 0) { -bad: run_err("%s: %s", np, strerror(errno)); - continue; + if (uniquetmpfiles) { + int len; + char *s; + if ((s = strrchr(np, '/')) != NULL) + s++; + else + s = np; + if (*tmpfn) + xfree(tmpfn); + len = strlen(np) + 9; + tmpfn = dest = xmalloc(len); + strcpy(tmpfn, np); + snprintf(tmpfn + (s - np), len, ".%s.XXXXXX", s); + mode = -1; /* Ensure future chmod() */ + ofd = mkstemp(tmpfn); + } + else { + dest = *tmpfn? tmpfn : np; + ofd = open(dest, O_WRONLY | O_CREAT | O_TRUNC, mode); + } + if (ofd < 0) { +bad: run_err("%s: %s", dest, strerror(errno)); + continue; + } + if (!pflag && exists && *tmpfn) { + omode = stb.st_mode; + exists = 0; } (void) atomicio(write, remout, "", 1); if ((bp = allocbuf(&buffer, ofd, 4096)) == NULL) { @@ -861,7 +926,7 @@ } #if 0 if (ftruncate(ofd, size)) { - run_err("%s: truncate: %s", np, strerror(errno)); + run_err("%s: truncate: %s", dest, strerror(errno)); wrerr = DISPLAYED; } #endif 
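Review bot: in the -u branch of the open() hunk, `snprintf(tmpfn + (s - np), len, ".%s.XXXXXX", s)` passes the whole buffer length as the size although only len - (s - np) bytes remain after the offset; it fits today because len was derived from strlen(np), but the size argument should be len - (s - np). In the same branch `if (*tmpfn) xfree(tmpfn);` discards a -T value on the first file, so -u silently overrides -T; reject the combination in option parsing or document the precedence. The mkstemp() plus `mode = -1` handling is the right fix for the O_TRUNC-on-a-fixed-name problem of -T, since the name is unique and the file is created O_EXCL.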
@@ -870,19 +935,19 @@ #ifdef HAVE_FCHMOD if (fchmod(ofd, omode)) #else /* HAVE_FCHMOD */ - if (chmod(np, omode)) + if (chmod(dest, omode)) #endif /* HAVE_FCHMOD */ run_err("%s: set mode: %s", - np, strerror(errno)); + dest, strerror(errno)); } else { if (!exists && omode != mode) #ifdef HAVE_FCHMOD if (fchmod(ofd, omode & ~mask)) #else /* HAVE_FCHMOD */ - if (chmod(np, omode & ~mask)) + if (chmod(dest, omode & ~mask)) #endif /* HAVE_FCHMOD */ run_err("%s: set mode: %s", - np, strerror(errno)); + dest, strerror(errno)); } if (close(ofd) == -1) { wrerr = YES; @@ -891,15 +956,21 @@ (void) response(); if (setimes && wrerr == NO) { setimes = 0; - if (utimes(np, tv) < 0) { + if (utimes(dest, tv) < 0) { run_err("%s: set times: %s", - np, strerror(errno)); + dest, strerror(errno)); wrerr = DISPLAYED; } } + if (*tmpfn && rename(tmpfn, np) < 0) { + wrerr = YES; + wrerrno = errno; + } switch (wrerr) { case YES: - run_err("%s: %s", np, strerror(wrerrno)); + if (*tmpfn) + unlink(tmpfn); + run_err("%s: %s", dest, strerror(wrerrno)); break; case NO: (void) atomicio(write, remout, "", 1); @@ -949,8 +1020,8 @@ void usage() { - (void) fprintf(stderr, "usage: scp " - "[-pqrvBC46] [-S ssh] [-P port] [-c cipher] [-i identity] f1 f2\n" + (void) fprintf(stderr, "usage: scp [-pqruvBCE46] " + "[-S ssh] [-P port] [-c cipher] [-i id] [-T tmp] f1 f2\n" " or: scp [options] f1 ... fn directory\n"); exit(1); } ---8<------8<------8<------8<---cut here--->8------>8------>8------>8--- From bowman at math.ualberta.ca Tue May 15 12:55:37 2001 
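Review bot: in the @@ -891,15 +956,21 @@ hunk, `if (*tmpfn && rename(tmpfn, np) < 0)` runs before `switch (wrerr)`, so the temporary is renamed over the destination even when wrerr is already YES from an earlier write failure; the `case YES: if (*tmpfn) unlink(tmpfn);` that follows then unlinks a name that no longer exists, and the user is left with a truncated file where the old one was, which is exactly what writing to a temporary was meant to prevent. Rename only when wrerr == NO, and unlink the temporary in every other case (DISPLAYED included, since that case currently leaves it behind). Also worth a check: with -T the temporary can live on a different filesystem from np, in which case rename() fails with EXDEV; the error is reported, but a sentence in the option's description would save users the surprise.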
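Review bot: the @@ -949,8 +1020,8 @@ hunk adds -E, -u and -T to the usage string, but the patch carries no scp.1 change, so the new semantics (what -E erases and at which point, where -u places its temporary, and that -T is one fixed name reused, with O_TRUNC, for every file of a multi-file copy and must be on the destination's filesystem) are undocumented; please add the manual page hunk. Minor: "[-i identity]" was shortened to "[-i id]" only to make the line fit; splitting the usage text over another line would keep the original wording.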
From: bowman at math.ualberta.ca (John Bowman) Date: 15 May 2001 02:55:37 -0000 Subject: SSH connection hanging on logout Message-ID: <20010515025537.19400.qmail@wizard.math.ualberta.ca> Here is a new version of the hang-on-exit patch, which: 1. fixes the hang-on-exit bug (without data loss); 2. does not exit if there are unterminated X applications; 3. exits the session when all X applications have closed. Of these three tests, Openssh-2.9p1 only passes the second one. The third one is another type of hanging bug in Openssh, as is demonstrated by the following test: ssh host xterm -e sleep 20 & exit Even after the xsession terminates, the ssh session is left hanging forever. The correct behaviour is to wait 20 seconds for the X application to close and then exit. -- John Bowman University of Alberta http://www.math.ualberta.ca/~bowman diff -ur openssh-2.9p1/channels.c openssh-2.9p1J/channels.c --- openssh-2.9p1/channels.c Tue Apr 17 12:14:35 2001 +++ openssh-2.9p1J/channels.c Mon May 14 20:51:14 2001 @@ -1137,6 +1137,10 @@ continue; if (ftab[c->type] == NULL) continue; + if(c->type == SSH_CHANNEL_OPEN && c->rfd == -1) { + c->type = SSH_CHANNEL_FREE; + continue; + } (*ftab[c->type])(c, readset, writeset); if (chan_is_dead(c)) { /* 
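Review bot: in the @@ -1137,6 +1137,10 @@ hunk, `c->type = SSH_CHANNEL_FREE; continue;` marks an open channel whose read fd is gone as free without going through channel_free(): the channel's buffers and remote_name are never released, the peer is never sent a close for the channel, and whatever is still queued in its output buffer is dropped. Route it through the existing close path (the write side already does this via chan_write_failed() in the session.c hunk) rather than overwriting the type field.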
@@ -1639,6 +1643,47 @@ for (i = 0; i < channels_alloc; i++) if (channels[i].type != SSH_CHANNEL_FREE) channel_close_fds(&channels[i]); +} + +/* Returns true if session is inactive. */ + +int +channel_inactive_session() +{ + u_int i; + if(channels_alloc == 0) return 0; + + for (i = 0; i < channels_alloc; i++) { + switch (channels[i].type) { + case SSH_CHANNEL_FREE: + case SSH_CHANNEL_X11_LISTENER: + case SSH_CHANNEL_CLOSED: + break; + case SSH_CHANNEL_PORT_LISTENER: + case SSH_CHANNEL_RPORT_LISTENER: + case SSH_CHANNEL_AUTH_SOCKET: + case SSH_CHANNEL_DYNAMIC: + case SSH_CHANNEL_CONNECTING: /* XXX ??? */ + return 0; + case SSH_CHANNEL_LARVAL: + if (!compat20) + fatal("cannot happen: SSH_CHANNEL_LARVAL"); + return 0; + case SSH_CHANNEL_OPENING: + case SSH_CHANNEL_OPEN: + case SSH_CHANNEL_X11_OPEN: + return 0; + case SSH_CHANNEL_INPUT_DRAINING: + case SSH_CHANNEL_OUTPUT_DRAINING: + if (!compat13) + fatal("cannot happen: OUT_DRAIN"); + return 0; + default: + fatal("channel_inactive_session: bad channel type %d", channels[i].type); + /* NOTREACHED */ + } + } + return 1; } /* Returns true if any channel is still open. */ diff -ur openssh-2.9p1/channels.h openssh-2.9p1J/channels.h --- openssh-2.9p1/channels.h Fri Apr 13 17:28:02 2001 +++ openssh-2.9p1J/channels.h Mon May 14 20:51:14 2001 @@ -197,6 +197,9 @@ */ void channel_close_all(void); +/* Returns true if session is inactive. */ +int channel_inactive_session(); + /* Returns true if there is still an open channel over the connection. */ int channel_still_open(void); diff -ur openssh-2.9p1/clientloop.c openssh-2.9p1J/clientloop.c --- openssh-2.9p1/clientloop.c Fri Apr 20 06:50:51 2001 +++ openssh-2.9p1J/clientloop.c Mon May 14 20:51:14 2001 
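Review bot: in the @@ -1639,6 +1643,47 @@ hunk, channel_inactive_session() puts SSH_CHANNEL_X11_LISTENER in the "inactive" group together with FREE and CLOSED while PORT_LISTENER and RPORT_LISTENER count as active; that asymmetry is presumably intended (a session whose only remaining channel is the X11 forwarding listener should be allowed to end, which is test 3 in the cover note), but it is the one surprising row in the table and deserves a comment saying so. Style: both the definition and the channels.h prototype use an empty parameter list, `channel_inactive_session()`, while the neighbouring declarations use `(void)`; match them with `int channel_inactive_session(void);`.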
@@ -440,9 +440,13 @@ len = read(connection_in, buf, sizeof(buf)); if (len == 0) { /* Received EOF. The remote host has closed the connection. */ - snprintf(buf, sizeof buf, "Connection to %.300s closed by remote host.\r\n", - host); - buffer_append(&stderr_buffer, buf, strlen(buf)); +/* + * This message duplicates the one already in client_loop(). + * + * snprintf(buf, sizeof buf, "Connection to %.300s closed by remote host.\r\n", + * host); + * buffer_append(&stderr_buffer, buf, strlen(buf)); + */ quit_pending = 1; return; } diff -ur openssh-2.9p1/nchan.c openssh-2.9p1J/nchan.c --- openssh-2.9p1/nchan.c Tue Apr 3 07:02:48 2001 +++ openssh-2.9p1J/nchan.c Mon May 14 20:51:14 2001 @@ -56,7 +56,7 @@ /* helper */ static void chan_shutdown_write(Channel *c); -static void chan_shutdown_read(Channel *c); +void chan_shutdown_read(Channel *c); /* * SSH1 specific implementation of event functions @@ -479,7 +479,7 @@ c->wfd = -1; } } -static void +void chan_shutdown_read(Channel *c) { if (compat20 && c->type == SSH_CHANNEL_LARVAL) diff -ur openssh-2.9p1/nchan.h openssh-2.9p1J/nchan.h --- openssh-2.9p1/nchan.h Sun Mar 4 23:16:12 2001 +++ openssh-2.9p1J/nchan.h Mon May 14 20:51:14 2001 @@ -88,4 +88,5 @@ void chan_init_iostates(Channel * c); void chan_init(void); +void chan_shutdown_read(Channel *c); #endif diff -ur openssh-2.9p1/serverloop.c openssh-2.9p1J/serverloop.c --- openssh-2.9p1/serverloop.c Fri Apr 13 17:28:03 2001 +++ openssh-2.9p1J/serverloop.c Mon May 14 20:51:14 2001 @@ -726,7 +726,7 @@ if (!rekeying) channel_after_select(readset, writeset); process_input(readset); - if (connection_closed) + if (connection_closed || channel_inactive_session()) break; process_output(writeset); } diff -ur openssh-2.9p1/session.c openssh-2.9p1J/session.c --- openssh-2.9p1/session.c Wed Apr 18 09:29:34 2001 +++ openssh-2.9p1J/session.c Mon May 14 20:51:14 2001 
@@ -1960,6 +1960,9 @@ */ if (c->ostate != CHAN_OUTPUT_CLOSED) chan_write_failed(c); + if (c->istate == CHAN_INPUT_OPEN && compat20) { + chan_shutdown_read(c); + } s->chanid = -1; } From bowman at math.ualberta.ca Tue May 15 14:23:28 2001 From: bowman at math.ualberta.ca (John Bowman) Date: 15 May 2001 04:23:28 -0000 Subject: SSH connection hanging on logout Message-ID: <20010515042328.4015.qmail@wizard.math.ualberta.ca> Disregard my previous message...that isn't the right patch....I'm still testing a new one... -- John Bowman University of Alberta http://www.math.ualberta.ca/~bowman From Randolf-ML at Skerka.de Tue May 15 16:05:22 2001 From: Randolf-ML at Skerka.de (Randolf Skerka) Date: Tue, 15 May 2001 08:05:22 +0200 Subject: Feature request (Re: SSH and forced wtmp entries ...) In-Reply-To: <20010514140422.A18119@faui02.informatik.uni-erlangen.de>; from Markus.Friedl@informatik.uni-erlangen.de on Mon, May 14, 2001 at 02:04:23PM +0200 References: <20010507150303.A12892@faui02.informatik.uni-erlangen.de> <20010511005420.B26079@folly> <3AFB6645.59642983@bartlett.house> <20010514134245.A4158@rhs-notebook> <20010514140422.A18119@faui02.informatik.uni-erlangen.de> Message-ID: <20010515080522.A7364@rhs-notebook> On Mon, May 14, 2001 at 02:04:23PM +0200, Markus Friedl wrote: > use loglevel=verbose if you care. I'm getting a bit pissed right now. What's the problem logging login/logouts via wtmp? I don't see an argument other than "Use authlog" and "It's like rsh behaves", nobody says "It's too difficult to implement!", so why not stop discussing and implement it? I think we discussed why it's good to have it in wtmp. As I said before, I'm really quite busy and don't have the time to look into the source, understand it and supply a good patch, is somebody else here able to do that? Bye Randolf From kaukasoi at elektroni.ee.tut.fi Tue May 15 19:09:57 2001
From: kaukasoi at elektroni.ee.tut.fi (Petri Kaukasoina) Date: Tue, 15 May 2001 12:09:57 +0300 Subject: SSH and forced wtmp entries ... In-Reply-To: <20010514134245.A4158@rhs-notebook>; from Randolf-ML@Skerka.de on Mon, May 14, 2001 at 01:42:45PM +0200 References: <20010507150303.A12892@faui02.informatik.uni-erlangen.de> <20010511005420.B26079@folly> <3AFB6645.59642983@bartlett.house> <20010514134245.A4158@rhs-notebook> Message-ID: <20010515120957.A10232@elektroni.ee.tut.fi> On Mon, May 14, 2001 at 01:42:45PM +0200, Randolf Skerka wrote: > I told you how easy it is for a user to hide himself from wtmp (ssh -l > user xterm) he has an interactive shell, is logged by authlog, ok, but it's > unclear if he is logged in at this moment. Suppose sshd logged in wtmp. Here the X protocol is not routed via the ssh connection but goes directly: xhost + otherhost ssh otherhost "xterm -display $DISPLAY < /dev/null >& /dev/null &" After invoking xterm in the background the ssh session finishes and wtmp shows that the user logged out immediately. But the user still has the interactive shell. From abartlet at pcug.org.au Tue May 15 19:55:16 2001
From: abartlet at pcug.org.au (Andrew Bartlett) Date: Tue, 15 May 2001 19:55:16 +1000 Subject: SSH and forced wtmp entries ... References: <20010507150303.A12892@faui02.informatik.uni-erlangen.de> <20010511005420.B26079@folly> <3AFB6645.59642983@bartlett.house> <20010514134245.A4158@rhs-notebook> <20010515120957.A10232@elektroni.ee.tut.fi> Message-ID: <3B00FD04.E888197C@bartlett.house> Petri Kaukasoina wrote: > > On Mon, May 14, 2001 at 01:42:45PM +0200, Randolf Skerka wrote: > > I told you how easy it is for a user to hide himself from wtmp (ssh -l > > user xterm) he has an interactive shell, is logged by authlog, ok, but it's > > unclear if he is logged in at this moment. > > Suppose sshd logged in wtmp. Here the X protocol is not routed via the ssh > connection but goes directly: > > xhost + otherhost > ssh otherhost "xterm -display $DISPLAY < /dev/null >& /dev/null &" > > After invoking xterm in the background the ssh session finishes and wtmp > shows that the user logged out immediately. But the user still has the > interactive shell. Then the issue is why you allow that connection out. In any case, not knowing who is currently logged in can be quite a pain - and when it's actually pretty simple to implement I would like the extra ability to track my users. On the non-security side, utmp and wtmp logging provides an easy way to measure system usage and a way to quickly profile where they log in from. Finally, even if they can continue an interactive session, there would have been at least a small entry in the relevant logfiles - and in the place most admins expect them. Andrew Bartlett abartlet at pcug.org.au -- Andrew Bartlett abartlet at pcug.org.au From Jeff.Painter at zt.com Wed May 16 02:10:47 2001
From: Jeff.Painter at zt.com (Painter, Jeff (ZoomTown)) Date: Tue, 15 May 2001 12:10:47 -0400 Subject: Openssh 2.9p1 and scp is slow connecting Message-ID: <7D11E5207431D411983100508BCF5C7A34AD4B@ztexch01.zt.com> When I try to scp from or to a system, scp takes up to 10 minutes to connect and copy the file. Both systems are Solaris 2.6 and openssh 2.9p1. I issue the command: "scp host:/file /", up to 10 minutes pass before the password is requested and then the file copies very fast. When I ran a truss on the command, scp seems to sleep for the time before it asks for the password. Thanks, Jeff Painter From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed May 16 02:23:46 2001
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Tue, 15 May 2001 18:23:46 +0200 Subject: Openssh 2.9p1 and scp is slow connecting In-Reply-To: <7D11E5207431D411983100508BCF5C7A34AD4B@ztexch01.zt.com>; from Jeff.Painter@zt.com on Tue, May 15, 2001 at 12:10:47PM -0400 References: <7D11E5207431D411983100508BCF5C7A34AD4B@ztexch01.zt.com> Message-ID: <20010515182346.A3048@serv01.aet.tu-cottbus.de> On Tue, May 15, 2001 at 12:10:47PM -0400, Painter, Jeff (ZoomTown) wrote: > When I try to scp from or to a system, scp take up to 10 minutes to connect > and copy the file. Both systems are Solaris 2.6 and openssh 2.9p1. I issue > the command: "scp host:/file /", up to 10 minutes pass before the password > is requested and then the file copies very fast. When I ran a truss on the > command, scp seems to sleep for the time before it asks for the password. Do you see the same problem with slogin/ssh? In this case you are better off using "ssh -v -v -v ..." to see what is going on. Anyway: connection times like these sound like DNS problems. Therefore you should see the same problem with slogin... Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From msimpson at abyssus.doit.wisc.edu Wed May 16 04:22:21 2001 
From: msimpson at abyssus.doit.wisc.edu (Mike Simpson) Date: Tue, 15 May 2001 13:22:21 -0500 Subject: hung SSH on Solaris when starting Oracle Message-ID: <200105151822.f4FIML212846@abyssus.doit.wisc.edu> Another instance of OpenSSH 2.9p1 hanging on exit. This occurs when connecting to a Solaris 8 box (both from other Solaris 8 hosts and from Linux hosts, all using OpenSSH 2.9p1). This problem doesn't appear to involve active background jobs; it is not fixed by either the bash fix listed in the FAQ or by zsh's "setopt HUP". I do not see the hang-on-exit behavior with the "sleep 20 &; exit" test. The behavior is repeatable. Specifically: (1) ssh to host (2) change to Oracle admin account (3) stop Oracle listener (4) start Oracle listener (5) exit from Oracle admin account (6) exit from host (hangs) No backgrounded processes show in a 'jobs' listing of either the original login account or the Oracle admin account. From experimentation, stopping the listener does not trigger the behavior, only starting it. Stopping and/or starting the database proper (dbshut, dbstart) does not trigger the behavior. More detailed typescript follows. -mgs ------------- [msimpson at abyssus:/home/msimpson]% ssh fibber msimpson at fibber's password: Last login: Tue May 15 13:14:41 2001 from abyssus.doit.wi Sun Microsystems Inc. SunOS 5.8 Generic February 2000 [msimpson at fibber:/export/home/msimpson]% sudo su - oracle Password: Sun Microsystems Inc. SunOS 5.8 Generic February 2000 Logged on to fibber fibber: /export/home/oracle => fibber: /export/home/oracle => lsnrctl stop LSNRCTL for Solaris: Version 8.0.5.0.0 - Production on 15-MAY-01 13:17:16 (c) Copyright 1997 Oracle Corporation. All rights reserved. Connecting to (ADDRESS=(PROTOCOL=TCP)(Host=fibber.library.wisc.edu)(Port=1521)) The command completed successfully fibber: /export/home/oracle => lsnrctl start LSNRCTL for Solaris: Version 8.0.5.0.0 - Production on 15-MAY-01 13:17:19 (c) Copyright 1997 Oracle Corporation.
All rights reserved. Starting /oracle/app/oracle/product/8.0.5/bin/tnslsnr: please wait... TNSLSNR for Solaris: Version 8.0.5.0.0 - Production System parameter file is /oracle/app/oracle/product/8.0.5/network/admin/listener.ora Log messages written to /oracle/app/oracle/product/8.0.5/network/log/listener.log Listening on: (ADDRESS=(PROTOCOL=tcp)(DEV=10)(HOST=144.92.11.20)(PORT=1521)) Listening on: (ADDRESS=(PROTOCOL=tcp)(DEV=13)(HOST=144.92.11.55)(PORT=1521)) Connecting to (ADDRESS=(PROTOCOL=TCP)(Host=fibber.library.wisc.edu)(Port=1521)) STATUS of the LISTENER ------------------------ Alias LISTENER Version TNSLSNR for Solaris: Version 8.0.5.0.0 - Production Start Date 15-MAY-01 13:17:22 Uptime 0 days 0 hr. 0 min. 0 sec Trace Level off Security OFF SNMP OFF Listener Parameter File /oracle/app/oracle/product/8.0.5/network/admin/listener.ora Listener Log File /oracle/app/oracle/product/8.0.5/network/log/listener.log Services Summary... FIBR has 1 service handler(s) The command completed successfully fibber: /export/home/oracle => fibber: /export/home/oracle => jobs fibber: /export/home/oracle => exit [msimpson at fibber:/export/home/msimpson]% jobs [msimpson at fibber:/export/home/msimpson]% exit [ ... session hangs indefinitely ... ] From djm at mindrot.org Wed May 16 08:40:41 2001 
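The hang Mike reports is the general mechanism behind every hang-on-exit report in this thread: sshd only sees EOF on the session's output descriptor once every process holding its write end has closed it, and a job the shell started in the background inherits that descriptor. As an added example (my code, not anything posted to the list), this C program reproduces the effect with a plain pipe standing in for the session channel and shows why redirecting the job's std fds to /dev/null and giving it its own session cures it; `shell_exit_yields_eof` and `detach_from_stdio` are hypothetical names.

```c
/*
 * Added example, not code from the thread. A pipe plays the role of the
 * session channel sshd reads; a forked "shell" starts a background "job"
 * (stand-in for "lsnrctl start") and exits. EOF on the pipe arrives only
 * when the job, too, has let go of the write end.
 */
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the perl one-liner's close/setpgrp achieves: drop the inherited
 * stdio descriptors and leave the session's process group. */
static void detach_from_stdio(void)
{
    int nul = open("/dev/null", O_RDWR);
    if (nul < 0)
        _exit(127);
    dup2(nul, STDIN_FILENO);
    dup2(nul, STDOUT_FILENO);   /* this releases the pipe's write end */
    dup2(nul, STDERR_FILENO);
    if (nul > STDERR_FILENO)
        close(nul);
    setsid();
}

/*
 * Run the scenario. detach_job selects whether the background job detaches.
 * The job sleeps hold_secs. Returns 1 if the parent (playing sshd) saw EOF
 * on the shell's stdout within timeout_ms of the shell exiting, 0 if the
 * pipe was still held open (the hang), -1 on a setup failure.
 */
int shell_exit_yields_eof(int detach_job, int hold_secs, int timeout_ms)
{
    int fds[2];
    if (pipe(fds) < 0)
        return -1;
    pid_t shell = fork();
    if (shell < 0)
        return -1;
    if (shell == 0) {                       /* the login shell */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        pid_t job = fork();
        if (job == 0) {                     /* the background job */
            if (detach_job)
                detach_from_stdio();
            sleep((unsigned)hold_secs);     /* keeps running after "exit" */
            _exit(0);
        }
        if (write(STDOUT_FILENO, "logout\n", 7) < 0)
            _exit(1);
        _exit(0);                           /* shell exits without waiting */
    }
    close(fds[1]);                          /* parent keeps the read end only */
    waitpid(shell, NULL, 0);                /* the shell is gone ... */

    struct pollfd pfd = { .fd = fds[0], .events = POLLIN, .revents = 0 };
    char buf[64];
    int got_eof = 0;
    for (;;) {                              /* ... but is the pipe closed? */
        int r = poll(&pfd, 1, timeout_ms);
        if (r <= 0)
            break;                          /* timeout: a writer still exists */
        ssize_t n = read(fds[0], buf, sizeof buf);
        if (n <= 0) {
            got_eof = 1;                    /* every writer has closed it */
            break;
        }
    }
    close(fds[0]);
    return got_eof;
}

int main(void)
{
    printf("job keeps the session's stdout: eof=%d (session hangs)\n",
           shell_exit_yields_eof(0, 3, 1000));
    printf("job detached from stdio:        eof=%d (clean exit)\n",
           shell_exit_yields_eof(1, 3, 1000));
    return 0;
}
```

The same test with `lsnrctl start < /dev/null 2>&1 >/dev/null`, as asked later in the thread, is the shell-level form of `detach_from_stdio`.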
From: djm at mindrot.org (Damien Miller) Date: Wed, 16 May 2001 08:40:41 +1000 (EST) Subject: hung SSH on Solaris when starting Oracle In-Reply-To: <200105151822.f4FIML212846@abyssus.doit.wisc.edu> Message-ID: On Tue, 15 May 2001, Mike Simpson wrote: > Another instance of OpenSSH 2.9p1 hanging on exit. This occurs when > connecting to a Solaris 8 box (both from other Solaris 8 hosts and > from Linux hosts, all using OpenSSH 2.9p1). This problem doesn't appear > to involve active background jobs; it is not fixed by either the > bash fix listed in the FAQ or by zsh's "setopt HUP". I do not see > the hang-on-exit behavior with the "sleep 20 &; exit" test. The > behavior is repeatable. > > Specifically: > > (1) ssh to host > (2) change to Oracle admin account > (3) stop Oracle listener > (4) start Oracle listener > (5) exit from Oracle admin account > (6) exit from host (hangs) > > No backgrounded processes show in a 'jobs' listing of either the > original login account or the Oracle admin account. Does "lsnrctl start < /dev/null 2>&1 >/dev/null" cause a hang? -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From aadudek at earthlink.net Wed May 16 12:07:45 2001 From: aadudek at earthlink.net (Aaron Dudek) Date: Tue, 15 May 2001 22:07:45 -0400 Subject: Change in behavior from 2.5p2 to 2.9p1 Message-ID: <5.1.0.14.2.20010515220411.009e9360@pop.earthlink.net> Thanks for the help. That is what I suspected. I also took a wild guess and created an authorized_keys2 file with the id_rsa.pub key in it. And now it works the way it was under ssh1. It prompts me for the passphrase and if that doesn't work then asks me for the password. Aaron From bowman at math.ualberta.ca Wed May 16 18:18:03 2001
From: bowman at math.ualberta.ca (John Bowman) Date: 16 May 2001 08:18:03 -0000 Subject: SSH connection hanging on logout Message-ID: <20010516081803.2877.qmail@wizard.math.ualberta.ca> The following is a CORRECTION, with a REVISED PATCH, to my message posted to this list on 2001-05-15 2:55:37. Here is a new version of the hang-on-exit patch (2001-05-08 23:52:24), which: 1. fixes the hang-on-exit bug under Protocol 2 (without data loss); 2. does not exit if there are unterminated X applications; 3. exits the session when all X applications have closed. Of these three tests, Openssh-2.9p1 under Protocol 2 passes only the second one. The third item is another type of hanging bug in Openssh, as is demonstrated by the following test: ssh -2 host xterm -e sleep 20 & exit Even after the xsession terminates, the ssh session is left hanging forever. The correct behaviour is to wait 20 seconds for the X application to close and then exit. -- John Bowman University of Alberta http://www.math.ualberta.ca/~bowman P.S. Since the hang-on-exit patch is only effective under Protocol 2, a conditional to the call to chan_shutdown_read() has been added. diff -ur openssh-2.9p1/channels.c openssh-2.9p1J/channels.c --- openssh-2.9p1/channels.c Tue Apr 17 12:14:35 2001 +++ openssh-2.9p1J/channels.c Wed May 16 01:22:16 2001 @@ -333,6 +333,9 @@ xfree(c->remote_name); c->remote_name = NULL; } + + if(channel_find_open() == -1) + shutdown(packet_get_connection_out(), SHUT_RDWR); } /* 
@@ -1137,6 +1140,15 @@ continue; if (ftab[c->type] == NULL) continue; + if(c->istate == CHAN_INPUT_OPEN && c->rfd == -1) { + int type=c->type; + c->type=SSH_CHANNEL_CLOSED; + if(channel_find_open() == -1) + shutdown(packet_get_connection_out(), + SHUT_RDWR); + c->type=type; + continue; + } (*ftab[c->type])(c, readset, writeset); if (chan_is_dead(c)) { /* diff -ur openssh-2.9p1/clientloop.c openssh-2.9p1J/clientloop.c --- openssh-2.9p1/clientloop.c Fri Apr 20 06:50:51 2001 +++ openssh-2.9p1J/clientloop.c Wed May 16 01:22:16 2001 @@ -440,9 +440,13 @@ len = read(connection_in, buf, sizeof(buf)); if (len == 0) { /* Received EOF. The remote host has closed the connection. */ - snprintf(buf, sizeof buf, "Connection to %.300s closed by remote host.\r\n", - host); - buffer_append(&stderr_buffer, buf, strlen(buf)); +/* + * This message duplicates the one already in client_loop(). + * + * snprintf(buf, sizeof buf, "Connection to %.300s closed by remote host.\r\n", + * host); + * buffer_append(&stderr_buffer, buf, strlen(buf)); + */ quit_pending = 1; return; } diff -ur openssh-2.9p1/nchan.c openssh-2.9p1J/nchan.c --- openssh-2.9p1/nchan.c Tue Apr 3 07:02:48 2001 +++ openssh-2.9p1J/nchan.c Wed May 16 01:22:16 2001 @@ -56,7 +56,7 @@ /* helper */ static void chan_shutdown_write(Channel *c); -static void chan_shutdown_read(Channel *c); +void chan_shutdown_read(Channel *c); /* * SSH1 specific implementation of event functions @@ -479,7 +479,7 @@ c->wfd = -1; } } -static void +void chan_shutdown_read(Channel *c) { if (compat20 && c->type == SSH_CHANNEL_LARVAL) diff -ur openssh-2.9p1/nchan.h openssh-2.9p1J/nchan.h --- openssh-2.9p1/nchan.h Sun Mar 4 23:16:12 2001 +++ openssh-2.9p1J/nchan.h Wed May 16 01:22:16 2001 
@@ -88,4 +88,5 @@ void chan_init_iostates(Channel * c); void chan_init(void); +void chan_shutdown_read(Channel *c); #endif diff -ur openssh-2.9p1/session.c openssh-2.9p1J/session.c --- openssh-2.9p1/session.c Wed Apr 18 09:29:34 2001 +++ openssh-2.9p1J/session.c Wed May 16 02:05:12 2001 @@ -1960,6 +1960,9 @@ */ if (c->ostate != CHAN_OUTPUT_CLOSED) chan_write_failed(c); + if (c->istate != CHAN_INPUT_CLOSED && compat20) { + chan_shutdown_read(c); + } s->chanid = -1; } From mark.pitt at ch.ibm.com Thu May 17 02:04:09 2001 
From: mark.pitt at ch.ibm.com (mark.pitt at ch.ibm.com) Date: Wed, 16 May 2001 18:04:09 +0200 Subject: AIX SSH 2.x ssh and /etc/ftpusers NOT IBM Standard - SECURITY Message-ID: During testing of ssh 2.5 from www.bull.de I have noticed a couple of things that are causing us problems. Rlogin=false We are required by security agreements to keep direct login for root locked ( chuser rlogin=false root ), which applies to rlogin and telnet commands only according to IBM documentation - ie not rsh or ftp. AIX rlogin=false means no access via telnet or rlogin, but rsh and ftp ARE allowed - however ssh does not work if rlogin=false - not only this, but having reported an illegal user as rlogin is locked, it then prompts for a password and fails even if the password is correct - if it already knows this, why does it prompt ? I would like to use ssh as rsh, but keep rlogin and telnet locked. Also, changing chuser rlogin=true while the server is running doesn't work, what is worse, the other way round does not work, thus giving unintended access to the system to someone that has been blocked. ie start sshd with rlogin=true and access is permitted, set rlogin=false, then it is STILL permitted by ssh - ouch. SFTP To make any security sense of rlogin=false, it is absolutely essential to have /etc/ftpusers for root for reasons that are clear to the initiated, however sftp-daemon does NOT respect this, and provides no facility to do so - ouch. It also respects rlogin=false ( I suppose as it goes through ssh ) but this is NOT what IBM intended, and NOT standard. LOGGING 1/ Use ssh as rsh with each Sys Adm having his ( no her but I digress ) key in authorized_keys2 - then we have tracking for root user, ie who had used it, with which key, without having to create users on every single machine for every single admin. Although this might be defeatable, it does aid in problem solving to know who used root last, as the rlogin=false was intended - possibly logging to external servers etc.
Other than a debug message to say ssh found a key on a particular line in the file, this is not easy to come by. Anyway, thanks for your help, I have only just started with this, so I hope the questions are not too stooopid. Mark From sjl at zepler.org Thu May 17 02:10:14 2001 
From: sjl at zepler.org (Simon Liddington) Date: Wed, 16 May 2001 17:10:14 +0100 (BST) Subject: ssh_exchange_identification Message-ID: This is a me too: I upgraded from openssh-2.3.0p1 to openssh-2.5.2p2 and found similar problems to Tim. I then upgraded to openssh-2.9p1 and it still happened. I even upgraded from openssl-0.9.6 to openssl-0.9.6a and it still happened, so I got my shovel out and started digging. I changed the code to give the error details and got this: debug1: authentications that can continue: publickey,password,keyboard-interactive debug1: next auth method to try is publickey debug1: try pubkey: /export/home1/sl/.ssh/id_dsa.pub debug1: input_userauth_pk_ok: pkalg ssh-dss blen 433 lastkey 1271b0 hint 0 debug1: PEM_read_PrivateKey failed: error:0906D06C:PEM routines:PEM_read_bio:no start line debug1: read PEM private key done: type Enter passphrase for key '/export/home1/sl/.ssh/id_dsa.pub': I think there are two bugs here: firstly it's failing to read the private key for some reason and secondly it seems to carry on regardless and ask for a passphrase. Any thoughts? Simon > Guys, I think that I have run into a bug. I am running openbsd 2.8 and I > upgraded to the latest version of openssh 2.9 but when I did that it > started giving me this error "ssh_exchange_identification: Connection > closed by remote host" when I try to log into the machine even when I am > on the machine and try to ssh localhost it gives me the same message. I > have read every FAQ I could find on the net but all I can find is that > you must put "ssd:all" in the hosts.allow in the etc directory. OpenBSD > does not have a hosts.allow or a hosts.deny in the etc directory. I ran > ssh -v localhost and this is what I got... > > > # ssh -v localhost > OpenSSH_2.9, SSH protocols 1.5/2.0, OpenSSL 0x0090581f > debug1: Reading configuration data /etc/ssh_config > debug1: Rhosts Authentication disabled, originating port will not be > trusted.
> debug1: restore_uid > debug1: ssh_connect: getuid 0 geteuid 0 anon 1 > debug1: Connecting to localhost [127.0.0.1] port 22. > debug1: temporarily_use_uid: 0/0 (e=0) > debug1: restore_uid > debug1: temporarily_use_uid: 0/0 (e=0) > debug1: restore_uid > debug1: Connection established. > debug1: read PEM private key done: type DSA > debug1: PEM_read_PrivateKey failed > debug1: read PEM private key done: type > debug1: identity file /root/.ssh/identity type 0 > debug1: identity file /root/.ssh/id_rsa type 1 > debug1: identity file /root/.ssh/id_dsa type 2 > ssh_exchange_identification: Connection closed by remote host > debug1: Calling cleanup 0x1727c(0x0) > > If you could help me please send me an email at tim at westberry.com I > will be glad to set up a chat channel on irc or call you if you can help > me fix this problem. > > Thanks, > Tim ----------------------------------------------------------------------- | Simon Liddington | Tel (home): 023 8023 7935 | | sjl at zepler.org | Tel (work): 023 8068 3521 | ----------------------------------------------------------------------- From vinschen at redhat.com Thu May 17 02:28:34 2001 From: vinschen at redhat.com (Corinna Vinschen) Date: Wed, 16 May 2001 18:28:34 +0200 Subject: [PATCH]: configure.in Message-ID: <20010516182834.G31266@cygbert.vinschen.de> Hi, it would be nice if somebody could apply the following patch. After some months of maintaining the Cygwin version of OpenSSH it finally turned out that USE_PIPES is the better option for Cygwin. It's working more reliably than socketpairs and it's WAY faster. Index: configure.in =================================================================== RCS file: /cvs/openssh_cvs/configure.in,v retrieving revision 1.285 diff -u -p -r1.285 configure.in --- configure.in 2001/05/08 20:42:28 1.285 +++ configure.in 2001/05/16 16:22:50
@@ -64,6 +64,7 @@ case "$host" in *-*-cygwin*) LIBS="$LIBS -lregex /usr/lib/textmode.o" AC_DEFINE(HAVE_CYGWIN) + AC_DEFINE(USE_PIPES) AC_DEFINE(DISABLE_SHADOW) AC_DEFINE(IPV4_DEFAULT) AC_DEFINE(IP_TOS_IS_BROKEN) Thanks, Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From msimpson at abyssus.doit.wisc.edu Thu May 17 03:41:26 2001 From: msimpson at abyssus.doit.wisc.edu (Mike Simpson) Date: Wed, 16 May 2001 12:41:26 -0500 Subject: hung SSH on Solaris when starting Oracle In-Reply-To: Your message of "Wed, 16 May 2001 08:40:41 +1000." Message-ID: <200105161741.f4GHfQM07356@abyssus.doit.wisc.edu> > Does "lsnrctl start < /dev/null 2>&1 >/dev/null" cause a hang? Yes, although this (cribbed from Jason Stone's earlier post) does seem to avoid the hang: perl -e 'fork && exit; close STDIN; close STDOUT; close STDERR; \ setpgrp(0,$$); exec "lsnrctl start";' -mgs From bowman at math.ualberta.ca Thu May 17 03:42:18 2001 From: bowman at math.ualberta.ca (John Bowman) Date: 16 May 2001 17:42:18 -0000 Subject: SSH connection hanging on logout Message-ID: <20010516174218.13725.qmail@wizard.math.ualberta.ca> Here is perhaps a slightly more robust version (in case of internal errors; see chan_read_failed_12) of the hang-on-exit patch. In session.c, I've changed the line if (c->istate != CHAN_INPUT_CLOSED && compat20) { to if (c->istate == CHAN_INPUT_OPEN && compat20) { In practice this shouldn't make any difference, since c->istate should always equal either CHAN_INPUT_CLOSED or CHAN_INPUT_OPEN within session_exit_message. -- John Bowman University of Alberta http://www.math.ualberta.ca/~bowman diff -ur openssh-2.9p1/channels.c openssh-2.9p1J/channels.c --- openssh-2.9p1/channels.c Tue Apr 17 12:14:35 2001 +++ openssh-2.9p1J/channels.c Wed May 16 01:22:16 2001 @@ -333,6 +333,9 @@ xfree(c->remote_name); c->remote_name = NULL; } + + if(channel_find_open() == -1) + shutdown(packet_get_connection_out(), SHUT_RDWR); } /*
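Review bot: in the channels.c @@ -333,6 +333,9 @@ hunk, `if(channel_find_open() == -1) shutdown(packet_get_connection_out(), SHUT_RDWR);` tears the transport socket down from inside channel_free() the moment no open channel is left. That bypasses the normal disconnect path (whatever is still queued for the peer is not written and no disconnect message goes out) and it also fires on connections that legitimately have no open channel at that instant, for example a client that only holds port-forwarding listeners and will open its next channel when a connection arrives. The decision to end the connection belongs in the server and client loops, with the "nothing left" test as a separate predicate; the same comment applies to the second copy of this shutdown in the @@ -1137 hunk.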
@@ -1137,6 +1140,15 @@ continue; if (ftab[c->type] == NULL) continue; + if(c->istate == CHAN_INPUT_OPEN && c->rfd == -1) { + int type=c->type; + c->type=SSH_CHANNEL_CLOSED; + if(channel_find_open() == -1) + shutdown(packet_get_connection_out(), + SHUT_RDWR); + c->type=type; + continue; + } (*ftab[c->type])(c, readset, writeset); if (chan_is_dead(c)) { /* diff -ur openssh-2.9p1/clientloop.c openssh-2.9p1J/clientloop.c --- openssh-2.9p1/clientloop.c Fri Apr 20 06:50:51 2001 +++ openssh-2.9p1J/clientloop.c Wed May 16 01:22:16 2001 @@ -440,9 +440,13 @@ len = read(connection_in, buf, sizeof(buf)); if (len == 0) { /* Received EOF. The remote host has closed the connection. */ - snprintf(buf, sizeof buf, "Connection to %.300s closed by remote host.\r\n", - host); - buffer_append(&stderr_buffer, buf, strlen(buf)); +/* + * This message duplicates the one already in client_loop(). + * + * snprintf(buf, sizeof buf, "Connection to %.300s closed by remote host.\r\n", + * host); + * buffer_append(&stderr_buffer, buf, strlen(buf)); + */ quit_pending = 1; return; } diff -ur openssh-2.9p1/nchan.c openssh-2.9p1J/nchan.c --- openssh-2.9p1/nchan.c Tue Apr 3 07:02:48 2001 +++ openssh-2.9p1J/nchan.c Wed May 16 01:22:16 2001 @@ -56,7 +56,7 @@ /* helper */ static void chan_shutdown_write(Channel *c); -static void chan_shutdown_read(Channel *c); +void chan_shutdown_read(Channel *c); /* * SSH1 specific implementation of event functions @@ -479,7 +479,7 @@ c->wfd = -1; } } -static void +void chan_shutdown_read(Channel *c) { if (compat20 && c->type == SSH_CHANNEL_LARVAL) diff -ur openssh-2.9p1/nchan.h openssh-2.9p1J/nchan.h --- openssh-2.9p1/nchan.h Sun Mar 4 23:16:12 2001 +++ openssh-2.9p1J/nchan.h Wed May 16 01:22:16 2001 
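Review bot: in the channels.c @@ -1137,6 +1140,15 @@ hunk, the channel's type is overwritten with `c->type=SSH_CHANNEL_CLOSED;` only so that channel_find_open() skips it, and then restored; a fatal() or signal between the two assignments leaves the channel mislabelled, and because the block ends in `continue` the channel never reaches its handler again, so the test and the shutdown() call repeat on every pass through channel_handler(). Give channel_find_open() a channel id to exclude, or move the channel to CLOSED for real through the normal close path, so the check runs once.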
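Review bot: the clientloop.c @@ -440,9 +440,13 @@ hunk comments the duplicated "Connection to %.300s closed by remote host" message out instead of deleting it; commented-out code rots (the next edit to this function will not know it exists), so delete the three lines and, if the cross-reference is wanted, keep a one-line comment saying the message is printed by client_loop().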
@@ -88,4 +88,5 @@ void chan_init_iostates(Channel * c); void chan_init(void); +void chan_shutdown_read(Channel *c); #endif diff -ur openssh-2.9p1/session.c openssh-2.9p1J/session.c --- openssh-2.9p1/session.c Wed Apr 18 09:29:34 2001 +++ openssh-2.9p1J/session.c Wed May 16 11:25:17 2001 @@ -1960,6 +1960,9 @@ */ if (c->ostate != CHAN_OUTPUT_CLOSED) chan_write_failed(c); + if (c->istate == CHAN_INPUT_OPEN && compat20) { + chan_shutdown_read(c); + } s->chanid = -1; } From markus.friedl at informatik.uni-erlangen.de Thu May 17 03:59:11 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Wed, 16 May 2001 19:59:11 +0200 Subject: SSH connection hanging on logout In-Reply-To: <20010516174218.13725.qmail@wizard.math.ualberta.ca>; from bowman@math.ualberta.ca on Wed, May 16, 2001 at 05:42:18PM -0000 References: <20010516174218.13725.qmail@wizard.math.ualberta.ca> Message-ID: <20010516195911.A26737@folly> On Wed, May 16, 2001 at 05:42:18PM -0000, John Bowman wrote: > Here is a perhaps a slightly more robust version (in case of internal > errors; see chan_read_failed_12) of the hang-on-exit patch. > > In session.c, I've changed the line > if (c->istate != CHAN_INPUT_CLOSED && compat20) { > to > if (c->istate == CHAN_INPUT_OPEN && compat20) { > > In practice this shouldn't make any difference, since c->istate > should always equal either CHAN_INPUT_CLOSED or CHAN_INPUT_OPEN > within session_exit_message. i think that shutdown should only be allowed if c->istate == CHAN_INPUT_CLOSED; moreover, i'm still waiting for feedback on what rlogind does on these systems. From dboldt at usgs.gov Wed May 16 08:15:46 2001 
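Review bot: in the session.c @@ -1960,6 +1960,9 @@ hunk, `if (c->istate == CHAN_INPUT_OPEN && compat20) { chan_shutdown_read(c); }` shuts the read side down directly while the input state is still OPEN, skipping the read-failure transition (the chan_read_failed path the cover note mentions) that the write side just above respects via chan_write_failed(); output the child produced just before exiting but that sshd has not yet read from the pty is discarded at that point, which is at odds with the "without data loss" claim. Let the read side fail through its own state machine, so the remaining data is drained and EOF is sent, or act only once istate is already CHAN_INPUT_CLOSED.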
From: dboldt at usgs.gov (David R Boldt)
Date: Tue, 15 May 2001 18:15:46 -0400
Subject: openssh 2.9p1 on Solaris 2.6 with AFS
Message-ID:

hello,

I'm attempting to compile 2.9p1 on Solaris 2.6 with AFS support. I am not using Kerberos aside from AFS. The installation notes state that Kerberos IV is required by AFS. Since the Kerberos libraries and header files do not appear to be distributed with AFS, I downloaded and installed

ftp://ftp.pdc.kth.se/pub/krb/src/krb4-1.0.8.tar.gz

./configure --sysconfdir=/etc/ssh --with-tcp-wrappers --with-egd-pool=/var/run/egd-pool \
  --with-kerberos4=/usr/athena --with-afs=/usr/afsws \
  --with-default-path=/usr/local/bin:/usr/xpg4/bin:/usr/bin:/opt/SUNWspro/bin:/usr/opt/SUNWmd/sbin:/usr/ucb:/usr/ccs/bin:/usr/openwin/bin:/usr/sbin
OpenSSH has been configured with the following options:

User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /etc/ssh
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /var/run
sshd default user PATH: /usr/local/bin:/usr/xpg4/bin:/usr/bin:/opt/SUNWspro/bin:/usr/opt/SUNWmd/sbin:/usr/ucb:/usr/ccs/bin:/usr/openwin/bin:/usr/sbin
Random number collection: PRNGD/EGD (socket /var/run/egd-pool)
Manpage format: man
PAM support: no
KerberosIV support: yes
AFS support: yes
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: no
IP address in $DISPLAY hack: no
Use IPv4 by default hack: no
Translate v4 in v6 hack: no

Host: sparc-sun-solaris2.6
Compiler: gcc
Compiler flags: -g -O2 -Wall
Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/include -I/usr/athena/include -I/usr/afsws/include
Linker flags: -R/usr/local/ssl/lib -L/usr/local/ssl/lib -L/usr/local/lib -R/usr/local/lib -L/usr/athena/lib -R/usr/athena/lib -L/usr/afsws/lib
Libraries: -lkafs -lresolv -ldes -lkrb -lwrap -lz -lsocket -lnsl -lgen -lcrypto -ldes

attempting to compile generates the following error messages:

gcc -O2 -Wall -I. -I. -I/usr/local/ssl/include -I/usr/local/include -I/usr/athena/include -I/usr/afsws/include -DETCDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_PIDDIR=\"/var/run\" -DHAVE_CONFIG_H -c radix.c
In file included from /usr/athena/include/krb.h:17,
                 from radix.c:31:
/usr/athena/include/ktypes.h:14: redefinition of `u_int8_t'
defines.h:169: `u_int8_t' previously declared here
/usr/athena/include/ktypes.h:15: redefinition of `u_int16_t'
defines.h:170: `u_int16_t' previously declared here
/usr/athena/include/ktypes.h:16: redefinition of `u_int32_t'
defines.h:171: `u_int32_t' previously declared here
gmake: *** [radix.o] Error 1

-- David Boldt
From jas at cs.yorku.ca Thu May 17 01:55:30 2001
From: jas at cs.yorku.ca (Jason Keltz)
Date: Wed, 16 May 2001 11:55:30 -0400 (EDT)
Subject: OpenSSH 2.9p1 on Solaris 7 error, 2 bugs
Message-ID:

Hi.

I am running OpenSSH 2.9p1 on Solaris 7, and I believe that I have identified a bug that has been annoying several of our faculty.

Our SSH server has 4 addresses:

Name: tiger.cs.yorku.ca
Addresses: 130.63.88.26, 130.63.90.26, 130.63.92.26, 130.63.86.26

If I do:

% ssh -X tiger

I am able to log in to tiger, and run X applications. However, the IP addresses cycle for tiger on name lookups like on any multi-IP host, so after a short period of time, X applications cannot be started any more. For example, after a successful connection via ssh -X tiger:

tiger 316 % xterm -display 130.63.92.26:12.0
X connection to 130.63.92.26:12.0 broken (explicit kill or server shutdown).
tiger 317 % xterm -display 130.63.86.26:12.0
X connection to 130.63.86.26:12.0 broken (explicit kill or server shutdown).
tiger 318 % xterm -display 130.63.88.26:12.0
X connection to 130.63.88.26:12.0 broken (explicit kill or server shutdown).
tiger 319 % xterm -display 130.63.90.26:12.0

If I set the DISPLAY variable to 130.63.90.26:12.0, everything will work for this particular connection, but you never know what the 'magic' address is going to be unless you test them all. This doesn't work with v1 or v2 ssh protocols. I have a "tiger-bk" address which is just 130.63.92.26, but ssh is 'smart' and does a reverse lookup, setting DISPLAY to tiger, so this doesn't solve the problem.

Any help that you can provide would be greatly appreciated.

Thanks!

Jason Keltz
jas at cs.yorku.ca
From K.Wolkersdorfer at fz-juelich.de Thu May 17 01:56:46 2001
From: K.Wolkersdorfer at fz-juelich.de (K.Wolkersdorfer at fz-juelich.de) Date: Wed, 16 May 2001 15:56:46 +0000 Subject: openssh-2.9p1 bug: loginfailed() with AIX 4.3.3 Message-ID: <1010516155647.ZM28174@zam282.zam.kfa-juelich.de> Hi, first let me thank you for all the excellent work with openssh! Bug-Description (for AIX - current release 4.3.3 - only): During password-authentication if a user enters a wrong password, the failed attempt is not at all recorded in /etc/security/lastlog, although the loginfailed() subroutine in auth1.c is supposed to do that. Suggestion: In AIX the loginfailed() subroutine should be called if and only if the user enters a wrong password: From man loginfailed: ..."A login failure audit record is cut to indicate that an unsuccessful login attempt occurred. A utmp entry is appended to /etc/security/failedlogin file, which tracks all failed login attempts." ... So it seems that in auth1.c the loginfailed() subroutine is on the wrong place. It should be immediately after the password-authentication. Bug-Fix: The following fix works for us: ------------------------------------------------------------------------ diff auth1.c.orig auth1.c 266a267,272 > #ifdef WITH_AIXAUTHENTICATE > if (!authenticated) > loginfailed(authctxt->user, > get_canonical_hostname(options.reverse_mapping_check), > "ssh"); > #endif /* WITH_AIXAUTHENTICATE */ 346,350d351 < #ifdef WITH_AIXAUTHENTICATE < loginfailed(authctxt->user, < get_canonical_hostname(options.reverse_mapping_check), < "ssh"); < #endif /* WITH_AIXAUTHENTICATE */ ------------------------------------------------------------------------- Many thanks for your attention and best regards from Germany Klaus -- Klaus Wolkersdorfer (K.Wolkersdorfer at fz-juelich.de) Zentralinstitut fuer Angewandte Mathematik (ZAM) Tel: +49-2461-61-6579 John von Neumann - Institute for Computing (NIC) Fax: -6656 Forschungszentrum Juelich GmbH, D-52425 Juelich, Germany From bowman at math.ualberta.ca Thu May 17 06:32:14 2001 
From: bowman at math.ualberta.ca (John Bowman)
Date: 16 May 2001 20:32:14 -0000
Subject: SSH connection hanging on logout
In-Reply-To: <20010516195911.A26737@folly> (message from Markus Friedl on Wed, 16 May 2001 19:59:11 +0200)
References: <20010516174218.13725.qmail@wizard.math.ualberta.ca> <20010516195911.A26737@folly>
Message-ID: <20010516203214.16426.qmail@wizard.math.ualberta.ca>

> i think that shutdown should only be allowed if c->istate ==
> CHAN_INPUT_CLOSED;

No, this will cause openssh to hang under interactive use. When the shell exits, no more data should be read. Even if you execute a background process noninteractively, like in Damien's example

ssh host "(sleep 20 ; dd if=/dev/zero bs=1024 count=100 | wc -c)&"

it seems reasonable to me that the sleep 20 should be started in the background and then the shell should immediately exit. The output from dd will be discarded. (If you don't like this then don't put the dd in the background.) This is the same behaviour as in the commercial version of ssh, which OpenSSH is trying to emulate. See the previous postings about background processes and interactive shells.

For noninteractive usage, like in the above example, rsh actually *does* keep the connection open until the backgrounded process finishes. If you really want OpenSSH to emulate rsh and not SSH then I suppose one could modify the patch so that it only applies to interactive sessions. Note that under interactive usage neither rsh nor SSH hang:

ssh host
sleep 20&
exit

The only exception, for both SSH and (the patched) OpenSsh-2.9p1, should be for X applications. In this case, the ssh connection has to be kept open because it is needed to forward the X traffic. So a call to shutdown is really needed. But the data that has already been read should be sent on across the channel in order to avoid data loss from a command like

while [ 1 ]; do ssh host "dd if=/dev/zero bs=8192 count=10" | wc -c; done

Actually, chan_read_failed_12 should have done this, but it sets c->istate = CHAN_INPUT_WAIT_DRAIN and there appears to be a bug in the handling of this state that causes the previously read data not to be sent across the channel. My patch works around this and also implements a proper handling of X applications.

> moreover, i'm still waiting for feedback on what rlogind does on
> these systems.

See above.

-- John Bowman

University of Alberta
http://www.math.ualberta.ca/~bowman
From Markus.Friedl at informatik.uni-erlangen.de Thu May 17 06:49:45 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 16 May 2001 22:49:45 +0200
Subject: SSH connection hanging on logout
In-Reply-To: <20010516203214.16426.qmail@wizard.math.ualberta.ca>; from bowman@math.ualberta.ca on Wed, May 16, 2001 at 08:32:14PM -0000
References: <20010516174218.13725.qmail@wizard.math.ualberta.ca> <20010516195911.A26737@folly> <20010516203214.16426.qmail@wizard.math.ualberta.ca>
Message-ID: <20010516224945.C12359@faui02.informatik.uni-erlangen.de>

On Wed, May 16, 2001 at 08:32:14PM -0000, John Bowman wrote:
> > i think that shutdown should only be allowed if c->istate ==
> > CHAN_INPUT_CLOSED;
>
> No, this will cause openssh to hang under interactive use.

but the transition from CHAN_INPUT_CLOSED to state!=CHAN_INPUT_CLOSED should be caused by shutdown. see nchan2.ms
From bowman at math.ualberta.ca Thu May 17 06:53:29 2001
From: bowman at math.ualberta.ca (John Bowman)
Date: 16 May 2001 20:53:29 -0000
Subject: SSH connection hanging on logout
In-Reply-To: <20010516224945.C12359@faui02.informatik.uni-erlangen.de> (message from Markus Friedl on Wed, 16 May 2001 22:49:45 +0200)
References: <20010516174218.13725.qmail@wizard.math.ualberta.ca> <20010516195911.A26737@folly> <20010516203214.16426.qmail@wizard.math.ualberta.ca> <20010516224945.C12359@faui02.informatik.uni-erlangen.de>
Message-ID: <20010516205329.16624.qmail@wizard.math.ualberta.ca>

> > > i think that shutdown should only be allowed if c->istate ==
> > > CHAN_INPUT_CLOSED;
> >
> > No, this will cause openssh to hang under interactive use.
>
> but the transition from CHAN_INPUT_CLOSED to state!=CHAN_INPUT_CLOSED
> should be caused by shutdown. see nchan2.ms
>

If c->istate is CHAN_INPUT_CLOSED, then shutdown won't be called in any case.
From markus.friedl at informatik.uni-erlangen.de Thu May 17 06:36:27 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Wed, 16 May 2001 22:36:27 +0200 Subject: SSH connection hanging on logout In-Reply-To: <20010516081803.2877.qmail@wizard.math.ualberta.ca>; from bowman@math.ualberta.ca on Wed, May 16, 2001 at 08:18:03AM -0000 References: <20010516081803.2877.qmail@wizard.math.ualberta.ca> Message-ID: <20010516223627.B25592@folly> On Wed, May 16, 2001 at 08:18:03AM -0000, John Bowman wrote: > The third item is another type of hanging bug in Openssh, as is > demonstrated by the following test: > > ssh -2 host > xterm -e sleep 20 & > exit > > Even after the xsession terminates, the ssh session is left hanging forever. > The correct behaviour is to wait 20 seconds for the X application to close > and then exit. this is a client bug. try this: Index: clientloop.c =================================================================== RCS file: /home/markus/cvs/ssh/clientloop.c,v retrieving revision 1.70 diff -u -r1.70 clientloop.c --- clientloop.c 2001/05/11 14:59:55 1.70 +++ clientloop.c 2001/05/16 20:31:44 @@ -346,7 +346,13 @@ if (buffer_len(&stderr_buffer) > 0) FD_SET(fileno(stderr), *writesetp); } else { - FD_SET(connection_in, *readsetp); + /* channel_prepare_select could have closed the last channel */ + if (session_closed && !channel_still_open()) { + if (!packet_have_data_to_write()) + return; + } else { + FD_SET(connection_in, *readsetp); + } } /* Select server connection if have data to write to the server. */ From markus.friedl at informatik.uni-erlangen.de Thu May 17 05:29:39 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 16 May 2001 21:29:39 +0200
Subject: Feature request (Re: SSH and forced wtmp entries ...)
In-Reply-To: <20010515080522.A7364@rhs-notebook>; from Randolf-ML@Skerka.de on Tue, May 15, 2001 at 08:05:22AM +0200
References: <20010507150303.A12892@faui02.informatik.uni-erlangen.de> <20010511005420.B26079@folly> <3AFB6645.59642983@bartlett.house> <20010514134245.A4158@rhs-notebook> <20010514140422.A18119@faui02.informatik.uni-erlangen.de> <20010515080522.A7364@rhs-notebook>
Message-ID: <20010516212939.A25592@folly>

On Tue, May 15, 2001 at 08:05:22AM +0200, Randolf Skerka wrote:
> On Mon, May 14, 2001 at 02:04:23PM +0200, Markus Friedl wrote:
> > use loglevel=verbose if you care.
>
> I'm getting a bit pissed right now. What's the problem logging login/logouts
> via wtmp? I don't see an argument other than "Use authlog" and "It's like rsh
> behaves", nobody says "It's too difficult to implement!", so why don't we stop
> discussing and implement it?
>
> I think we discussed why it's good to have it in wtmp.

no. i don't like the idea of having every cronjob-scp, every sftp transfer in lastlog. i don't like to have 1000 methods in openssh for logging logins. openssh should not become a drop-box for every possible feature.

-m
From markus.friedl at informatik.uni-erlangen.de Thu May 17 07:46:46 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Wed, 16 May 2001 23:46:46 +0200 Subject: SSH connection hanging on logout In-Reply-To: <20010516081803.2877.qmail@wizard.math.ualberta.ca>; from bowman@math.ualberta.ca on Wed, May 16, 2001 at 08:18:03AM -0000 References: <20010516081803.2877.qmail@wizard.math.ualberta.ca> Message-ID: <20010516234646.A14493@folly> On Wed, May 16, 2001 at 08:18:03AM -0000, John Bowman wrote: > The following is a CORRECTION, with a REVISED PATCH, to my message posted > to this list on 2001-05-15 2:55:37. > > Here is a new version of the hang-on-exit patch (2001-05-08 23:52:24), which: > > 1. fixes the hang-on-exit bug under Protocol 2 (without data loss); > 2. does not exit if there are unterminated X applications; > 3. exits the session when all X applications have closed. > > Of these three tests, Openssh-2.9p1 under Protocol 2 passes only the second > one. The third item is another type of hanging bug in Openssh, as is > demonstrated by the following test: > > ssh -2 host > xterm -e sleep 20 & > exit > > Even after the xsession terminates, the ssh session is left hanging forever. > The correct behaviour is to wait 20 seconds for the X application to close > and then exit. > > -- John Bowman > > University of Alberta > http://www.math.ualberta.ca/~bowman > > P.S. Since the hang-on-exit patch is only effective under Protocol 2, > a conditional to the call to chan_shutdown_read() has been added. > > > > diff -ur openssh-2.9p1/channels.c openssh-2.9p1J/channels.c > --- openssh-2.9p1/channels.c Tue Apr 17 12:14:35 2001 > +++ openssh-2.9p1J/channels.c Wed May 16 01:22:16 2001 
> @@ -333,6 +333,9 @@ > xfree(c->remote_name); > c->remote_name = NULL; > } > + > + if(channel_find_open() == -1) > + shutdown(packet_get_connection_out(), SHUT_RDWR); > continue; > + if(channel_find_open() == -1) > + shutdown(packet_get_connection_out(), > + SHUT_RDWR); imho, this is wrong. you are not allowed to shutdown the TCP connection to the peer. the peer can still request a second shell sessions. From markus.friedl at informatik.uni-erlangen.de Thu May 17 08:06:12 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 17 May 2001 00:06:12 +0200 Subject: SSH connection hanging on logout In-Reply-To: <20010513184453.11194.qmail@wizard.math.ualberta.ca>; from bowman@math.ualberta.ca on Sun, May 13, 2001 at 06:44:53PM -0000 References: <20010513184453.11194.qmail@wizard.math.ualberta.ca> Message-ID: <20010517000612.B14493@folly> On Sun, May 13, 2001 at 06:44:53PM -0000, John Bowman wrote: > Although still no instances of data loss have been reported with the patch you should check this: ssh localhost -2 -v -v -v -p 1234 dd if=/bsd bs=65536 count=2 | \ (sleep 10; md5sum) on my machine the remote command dies, but sshd still calls read 3 more times on rfd. this should not lead to data corruption, i.e. the checksums must match dd if=/bsd bs=65536 count=2 | md5sum -m use this patch if you want to trace the reads from rfd. Index: channels.c =================================================================== RCS file: /home/markus/cvs/ssh/channels.c,v retrieving revision 1.115 diff -u -r1.115 channels.c --- channels.c 2001/05/09 22:51:57 1.115 +++ channels.c 2001/05/16 21:52:30 @@ -920,6 +920,7 @@ chan_read_failed(c); } } else { + debug3("channel %d: read rfd %d len %d", c->self, c->rfd, len); buffer_append(&c->input, buf, len); } } 
@@ -1029,9 +1031,10 @@ packet_put_int(c->remote_id); packet_put_int(c->local_consumed); packet_send(); - debug2("channel %d: window %d sent adjust %d", + debug2("channel %d: window %d sent adjust %d (obuf %d)", c->self, c->local_window, - c->local_consumed); + c->local_consumed, + buffer_len(&c->output)); c->local_window += c->local_consumed; c->local_consumed = 0; } @@ -1270,6 +1273,7 @@ } } if (len > 0) { + debug3("channel %d: channel data: %d", c->self, len); packet_start(compat20 ? SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA); packet_put_int(c->remote_id); From bowman at math.ualberta.ca Thu May 17 08:14:57 2001 From: bowman at math.ualberta.ca (John Bowman) Date: 16 May 2001 22:14:57 -0000 Subject: SSH connection hanging on logout In-Reply-To: <20010517000612.B14493@folly> (message from Markus Friedl on Thu, 17 May 2001 00:06:12 +0200) References: <20010513184453.11194.qmail@wizard.math.ualberta.ca> <20010517000612.B14493@folly> Message-ID: <20010516221457.17527.qmail@wizard.math.ualberta.ca> Under linux there is no data corruption and the checksums match: [wizard: ~] ssh localhost dd if=/bin/bash bs=65536 count=2 | ( sleep 10 ; md5sum ) 2+0 records in 2+0 records out 86d34e869a31df51922ad2bb9bd202bc - [wizard: ~] dd if=/bin/bash bs=65536 count=2 | ( sleep 10 ; md5sum ) 2+0 records in 2+0 records out 86d34e869a31df51922ad2bb9bd202bc - -- John Bowman University of Alberta http://www.math.ualberta.ca/~bowman From egrubbs at rackspace.com Thu May 17 08:43:40 2001 
From: egrubbs at rackspace.com (Edwin Grubbs)
Date: Wed, 16 May 2001 17:43:40 -0500 (CDT)
Subject: openssh and chroot
Message-ID:

I am wondering what modifications to the chroot patch in the contrib directory for openssh would be necessary for it to be accepted into the standard release. Is anybody currently working on chroot for openssh? I would be willing to work on improving and testing the patch if I knew it would become a standard part of openssh.

My main interest in a chrooted openssh is to provide chrooted sftp so I can get rid of non-anonymous ftp entirely. It would also be convenient if the sftp functionality was inside the openssh server so that chrooted accounts wouldn't require sftp-server to be located in their directory. In some ways it would seem that ftp over SSL would be more suitable, but there are a lot more ssh clients that support sftp than ftp clients that support ssl.

-Edwin Grubbs
From carson at taltos.org Thu May 17 10:04:33 2001
From: carson at taltos.org (Carson Gaspar)
Date: Wed, 16 May 2001 17:04:33 -0700
Subject: hung SSH on Solaris when starting Oracle
In-Reply-To: <200105161741.f4GHfQM07356@abyssus.doit.wisc.edu>
References: <200105161741.f4GHfQM07356@abyssus.doit.wisc.edu>
Message-ID: <1516330984.990032673@athyra>

>> Does "lsnrctl start < /dev/null 2>&1 >/dev/null" cause a hang?

I _think_ you meant:

"lsnrctl start < /dev/null > /dev/null 2>&1"

Yours leaves stderr pointed at stdout.

--
Carson
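Carson's redirection-order point and the earlier discussion of a backgrounded child keeping the session open (the "hanging on logout" thread above) come down to the same thing: which descriptors the child still holds when the shell exits. The following is an added example, not code from the thread or from OpenSSH; it reproduces both effects with a local pipe standing in for the session channel, and `emit_both` is a constructed stand-in for a launcher such as lsnrctl.

```shell
#!/bin/sh
# Added example (not from the thread). A pipe into `cat` plays the role of
# the session channel: sshd, like `cat`, only sees EOF once every process
# holding the write end has closed it.

# Constructed stand-in for a launcher such as lsnrctl: writes to both
# stdout and stderr.
emit_both() {
    echo "out"
    echo "err" >&2
}

# Order from the quoted message: "2>&1 >/dev/null". 2>&1 runs first and
# duplicates stderr onto the *current* stdout (the session), then only
# stdout is sent to /dev/null. stderr stays attached to the session.
wrong_order() {
    emit_both 2>&1 >/dev/null
}

# Carson's correction: ">/dev/null 2>&1". stdout goes to /dev/null first,
# then stderr is pointed at the already-redirected stdout. Nothing stays
# attached to the session.
right_order() {
    emit_both >/dev/null 2>&1
}

# What still reaches the caller through the session (stdout+stderr merged).
leaked_wrong() { wrong_order 2>&1; }
leaked_right() { right_order 2>&1; }

# Hang-on-exit in miniature: a background child that inherits the session's
# stdout keeps the pipe open, so the reader waits until the child exits.
# Returns the number of whole seconds the reader was blocked.
attached_seconds() {
    start=$(date +%s)
    ( (sleep 2; echo late) & echo now ) | cat >/dev/null
    echo $(( $(date +%s) - start ))
}

# Same child with stdout/stderr detached: the pipe's last writer goes away
# as soon as the foreground shell exits, so the reader returns at once.
detached_seconds() {
    start=$(date +%s)
    ( (sleep 2; echo late) >/dev/null 2>&1 & echo now ) | cat >/dev/null
    echo $(( $(date +%s) - start ))
}

# Stand-alone run: show the leak and the timing difference.
printf 'wrong order leaks: [%s]\n' "$(leaked_wrong)"
printf 'right order leaks: [%s]\n' "$(leaked_right)"
printf 'attached child blocked the reader for %ss\n' "$(attached_seconds)"
printf 'detached child blocked the reader for %ss\n' "$(detached_seconds)"
```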
From: bowman at math.ualberta.ca (John Bowman) Date: 17 May 2001 01:44:50 -0000 Subject: SSH connection hanging on logout In-Reply-To: <20010516223627.B25592@folly> (message from Markus Friedl on Wed, 16 May 2001 22:36:27 +0200) References: <20010516081803.2877.qmail@wizard.math.ualberta.ca> <20010516223627.B25592@folly> Message-ID: <20010517014450.25437.qmail@wizard.math.ualberta.ca> > > The third item is another type of hanging bug in Openssh, as is > > demonstrated by the following test: > > > > ssh -2 host > > xterm -e sleep 20 & > > exit > > > > Even after the xsession terminates, the ssh session is left hanging forever. > > The correct behaviour is to wait 20 seconds for the X application to close > > and then exit. > > this is a client bug. try this: > > Index: clientloop.c > =================================================================== > RCS file: /home/markus/cvs/ssh/clientloop.c,v > retrieving revision 1.70 > diff -u -r1.70 clientloop.c > --- clientloop.c 2001/05/11 14:59:55 1.70 > +++ clientloop.c 2001/05/16 20:31:44 
> @@ -346,7 +346,13 @@ > if (buffer_len(&stderr_buffer) > 0) > FD_SET(fileno(stderr), *writesetp); > } else { > - FD_SET(connection_in, *readsetp); > + /* channel_prepare_select could have closed the last channel */ > + if (session_closed && !channel_still_open()) { > + if (!packet_have_data_to_write()) > + return; > + } else { > + FD_SET(connection_in, *readsetp); > + } > } > > /* Select server connection if have data to write to the server. */ > Yes, this patch fixes the X hanging bug (test under Protocol 2 on RedHat 6.2 linux systems). Thanks! I've incorporated it into this latest version of the hang-on-exit patch (the latest patch will always be available from http://www.math.ualberta.ca/imaging/snfs) -- John Bowman University of Alberta http://www.math.ualberta.ca/~bowman diff -ur openssh-2.9p1/channels.c openssh-2.9p1J/channels.c --- openssh-2.9p1/channels.c Tue Apr 17 12:14:35 2001 +++ openssh-2.9p1J/channels.c Wed May 16 16:42:53 2001 @@ -1137,6 +1137,15 @@ continue; if (ftab[c->type] == NULL) continue; + if(c->istate == CHAN_INPUT_OPEN && c->rfd == -1) { + int type=c->type; + c->type=SSH_CHANNEL_CLOSED; + if(channel_find_open() == -1) + shutdown(packet_get_connection_out(), + SHUT_RDWR); + c->type=type; + continue; + } (*ftab[c->type])(c, readset, writeset); if (chan_is_dead(c)) { /* diff -ur openssh-2.9p1/clientloop.c openssh-2.9p1J/clientloop.c --- openssh-2.9p1/clientloop.c Fri Apr 20 06:50:51 2001 +++ openssh-2.9p1J/clientloop.c Wed May 16 18:55:58 2001 @@ -346,7 +346,13 @@ if (buffer_len(&stderr_buffer) > 0) FD_SET(fileno(stderr), *writesetp); } else { - FD_SET(connection_in, *readsetp); + /* channel_prepare_select could have closed the last channel */ + if (session_closed && !channel_still_open()) { + if (!packet_have_data_to_write()) + return; + } else { + FD_SET(connection_in, *readsetp); + } } /* Select server connection if have data to write to the server. */ 
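Review bot: in the clientloop.c @@ -346 hunk the early `return` taken when session_closed && !channel_still_open() and packet_have_data_to_write() is false skips the select() call but leaves *readsetp and *writesetp holding whatever bits were set earlier in this function (for instance `FD_SET(fileno(stderr), *writesetp);` just above), so the caller will go on to treat those descriptors as ready; clear both sets before returning, or hand back a flag the caller checks, so the no-select path cannot report phantom readiness. The same hunk also stops setting connection_in in the read set whenever session_closed && !channel_still_open() holds, even when data is still pending for the server; if that is intended, say so in the comment.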
@@ -440,9 +446,13 @@ len = read(connection_in, buf, sizeof(buf)); if (len == 0) { /* Received EOF. The remote host has closed the connection. */ - snprintf(buf, sizeof buf, "Connection to %.300s closed by remote host.\r\n", - host); - buffer_append(&stderr_buffer, buf, strlen(buf)); +/* + * This message duplicates the one already in client_loop(). + * + * snprintf(buf, sizeof buf, "Connection to %.300s closed by remote host.\r\n", + * host); + * buffer_append(&stderr_buffer, buf, strlen(buf)); + */ quit_pending = 1; return; } diff -ur openssh-2.9p1/nchan.c openssh-2.9p1J/nchan.c --- openssh-2.9p1/nchan.c Tue Apr 3 07:02:48 2001 +++ openssh-2.9p1J/nchan.c Wed May 16 11:29:36 2001 @@ -56,7 +56,7 @@ /* helper */ static void chan_shutdown_write(Channel *c); -static void chan_shutdown_read(Channel *c); +void chan_shutdown_read(Channel *c); /* * SSH1 specific implementation of event functions @@ -479,7 +479,7 @@ c->wfd = -1; } } -static void +void chan_shutdown_read(Channel *c) { if (compat20 && c->type == SSH_CHANNEL_LARVAL) diff -ur openssh-2.9p1/nchan.h openssh-2.9p1J/nchan.h --- openssh-2.9p1/nchan.h Sun Mar 4 23:16:12 2001 +++ openssh-2.9p1J/nchan.h Wed May 16 11:29:36 2001 @@ -88,4 +88,5 @@ void chan_init_iostates(Channel * c); void chan_init(void); +void chan_shutdown_read(Channel *c); #endif diff -ur openssh-2.9p1/session.c openssh-2.9p1J/session.c --- openssh-2.9p1/session.c Wed Apr 18 09:29:34 2001 +++ openssh-2.9p1J/session.c Wed May 16 18:57:49 2001 @@ -1960,6 +1960,9 @@ */ if (c->ostate != CHAN_OUTPUT_CLOSED) chan_write_failed(c); + if (c->istate == CHAN_INPUT_OPEN && compat20) { + chan_shutdown_read(c); + } s->chanid = -1; } From benmc at deakin.edu.au Thu May 17 12:05:36 2001 
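Review bot: in the channels.c hunk of the combined patch, the new branch for `c->istate == CHAN_INPUT_OPEN && c->rfd == -1` ends in `continue`, so the channel's handler `(*ftab[c->type])(c, readset, writeset)` is skipped on every pass and the channel never advances its own state; meanwhile `shutdown(packet_get_connection_out(), SHUT_RDWR)` tears down the whole transport from inside the per-channel loop, before the channel layer has had a chance to finish its close exchange. Temporarily rewriting `c->type` to SSH_CHANNEL_CLOSED just so that channel_find_open() ignores this channel is fragile as well, since anything that looks at the type in between sees a bogus value. Suggest moving the channel's input to its closed state instead and letting the existing `if (chan_is_dead(c))` path below decide when the connection can go.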
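Review bot: in the clientloop.c @@ -346 hunk (quoted from Markus above and repeated in the combined patch), the bare `return` inside the `session_closed && !channel_still_open()` branch leaves the function before the write-side FD_SET that follows "/* Select server connection if have data to write to the server. */", so the caller is handed fd sets that name neither direction of the connection. That is presumably the intent (nothing left to do, let the loop terminate), but a function whose job is to fill in the fd sets returning early is easy to misread; the comment should say what the caller is expected to do with the empty sets, and the caller should be checked so it does not spin on them. Note that when data is still pending the else branch is not taken either, so connection_in is deliberately left out of the read set for that iteration; worth a word in the comment too.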
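Review bot: the clientloop.c @@ -440 hunk wraps the duplicate "Connection to %.300s closed by remote host." snprintf/buffer_append in a block comment rather than deleting the three lines; commented-out code should go (the one-line note that client_loop() already prints this is enough, and revision control keeps the history), leaving just `quit_pending = 1; return;`.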
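Review bot: the nchan.c hunks drop `static` from chan_shutdown_read() in both the forward declaration at @@ -56 and the definition at @@ -479, and the nchan.h hunk adds the same prototype next to chan_init(); once it is exported, the file-local prototype in nchan.c is redundant and should be removed so there is a single declaration that cannot drift from the definition.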
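Review bot: the session.c hunk calls chan_shutdown_read(c) whenever the input side is still CHAN_INPUT_OPEN at the point where the exited child's channel is released, i.e. in the SIGCHLD path. Markus's debug trace later in this thread shows why that is unsafe: after "Received SIGCHLD" and session_free the server still gets `read rfd 10 len 16384`, because output the child wrote before exiting is still queued in the pipe or socket, and shutting the read side down here discards it and truncates the command's output. The read side should be closed only once read() returns 0 (the "read<=0 ... input open -> drain ... send eof" sequence), which is what the existing state machine already does without this hunk.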
From: benmc at deakin.edu.au (Ben McConaghy) Date: Thu, 17 May 2001 12:05:36 +1000 Subject: kerberos 5 support Message-ID: <200105170207.f4H25iL15141@deakin.edu.au> Hi I'd also like to express interest in Simon's kerb 5 patches being integrated into the openssh distribution. Are there currently any plans for this to happen and if so, what's the expected time frame? Ben. Simon Wilkinson wrote: > My patches for SSH version 1 Kerberos 5 support (heavily based upon > work done by Dan Kouril) are now available from > http://www.sxw.org.uk/computing/patches/ Is there any interest in > integrating these into the distribution? If so, I'd be happy to update > them to the development version. --------------- Ben McConaghy Systems Programmer Information Technology Services Waterfront Campus Deakin University benmc at deakin.edu.au From stuge at cdy.org Thu May 17 12:16:36 2001 
From: stuge at cdy.org (Peter Stuge) Date: Thu, 17 May 2001 04:16:36 +0200 Subject: OpenSSh 2.5.2p2 on Linux/Sparc In-Reply-To: <71D01DB8DA698947A6F5D666D62A2DB001C3D1@exchange.livecapital.com>; from mattl@livecapital.com on Wed, Mar 28, 2001 at 11:50:04AM -0800 References: <71D01DB8DA698947A6F5D666D62A2DB001C3D1@exchange.livecapital.com> Message-ID: <20010517041636.A27571@foo.birdnet.se> On Wed, Mar 28, 2001 at 11:50:04AM -0800, Lewandowsky, Matt wrote: > 7.2 is the CURRENT branch. It is the only version available for sparc at the > moment. It will probably be kept somewhat up-to-date respecting packages > until it ships, but after that who knows? > > I am installing it tonite and ditching Debian. Maybe when Woody has boot > floppies, I will try again. > > BTW, on > ftp://ftp.slackware.com/pub/slackware/sparc/slackware-current/README72.TXT, > note the first line: > > README for Slackware Linux/SPARC 7.2.0. > > This is in spite of the information at http://www.ultralinux.org/dists.html. Please read the NOT_RELEASED_YET.TXT file found in the same directory as README72.TXT. Also check out the /. articles on the subject. Basically, slackware-current != slackware-X.Y. Some of the files in the slackware-current tree would probably indicate that this isn't the case, but until slackware-current turns into slackware-7.2, (the directory name changes and a new slackware-current is created) it will still be slackware-current. Sorry about the biolag, I'm going through my mailbox of four months this fine night. //Peter -- irc: CareBear\ irl: Peter Stuge From mouring at etoh.eviladmin.org Thu May 17 13:21:18 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 16 May 2001 22:21:18 -0500 (CDT) Subject: [PATCH]: configure.in In-Reply-To: <20010516182834.G31266@cygbert.vinschen.de> Message-ID: Applied. - Ben On Wed, 16 May 2001, Corinna Vinschen wrote: > Hi, > > it would be nice if somebody could apply the following patch. After > some months of maintaining the Cygwin version of OpenSSH it finally > turned out that USE_PIPES is the better option for Cygwin. It's > working more reliably than socketpairs and it's WAY faster. > > Index: configure.in > =================================================================== > RCS file: /cvs/openssh_cvs/configure.in,v > retrieving revision 1.285 > diff -u -p -r1.285 configure.in > --- configure.in 2001/05/08 20:42:28 1.285 > +++ configure.in 2001/05/16 16:22:50 > @@ -64,6 +64,7 @@ case "$host" in > *-*-cygwin*) > LIBS="$LIBS -lregex /usr/lib/textmode.o" > AC_DEFINE(HAVE_CYGWIN) > + AC_DEFINE(USE_PIPES) > AC_DEFINE(DISABLE_SHADOW) > AC_DEFINE(IPV4_DEFAULT) > AC_DEFINE(IP_TOS_IS_BROKEN) > > Thanks, > Corinna > > -- > Corinna Vinschen > Cygwin Developer > Red Hat, Inc. > mailto:vinschen at redhat.com > From mouring at etoh.eviladmin.org Thu May 17 13:33:07 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 16 May 2001 22:33:07 -0500 (CDT) Subject: openssh-2.9p1 In-Reply-To: Message-ID: Hmm... On Mon, 14 May 2001, Peter Breitenlohner wrote: > Hi, > > 1. I think you should apply the attached patch to openssh-2.9p1, > otherwise ssh-keyscan on linux boxes with glibc-2.1 will experience enormous > timeout delays. > Hmm.. That solves the problem assuming that you never have IPv6 on the box since ssh-keyscan lacks a -6 option like ssh. Maybe ssh-keyscan needs a -6 option? > 2. Is there a program like ssh-keyscan for the Version2 (dsa and rsa) keys?? > Not that I'm aware of at this point. - Ben From mark.pitt at ch.ibm.com Thu May 17 16:35:17 2001 
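Review bot: the configure.in hunk adds `AC_DEFINE(USE_PIPES)` to the `*-*-cygwin*` case without recording why; the rationale (socketpairs are less reliable and much slower on Cygwin) lives only in this mail. A one-line comment next to the define, something like `# socketpairs are unreliable and slow on Cygwin; use pipes`, would keep the next person who tidies the platform cases from dropping it.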
From: mark.pitt at ch.ibm.com (mark.pitt at ch.ibm.com) Date: Thu, 17 May 2001 08:35:17 +0200 Subject: AIX SSH 2.x ssh and /etc/ftpusers rcp rlogin WRONG ! Message-ID: IF ssh is a replacement for rlogin,rsh etc I can accept it respecting rlogin=false as rlogin does and rsh does not, however scp is a replacement for rcp, and rcp does NOT use rlogin attribute, so the implementation is NOT standard as scp fails if rlogin=false, but rcp succeeds, as documented. thanks mark From jafo at tummy.com Thu May 17 17:19:33 2001 
From: jafo at tummy.com (jafo at tummy.com) Date: Thu, 17 May 2001 01:19:33 -0600 Subject: Patch: Set SSH_AUTHKEY to key id used to authenticate. Message-ID: <20010517011933.A2831@tummy.com> Attached is a patch which sets the SSH_AUTHKEY environment variable to be the remaining data at the end of an SSH key which is used for authentication. The motivation behind this is that there are times in which it's useful to know who is on the other end of the connection. For example, if I log in as root on a box, I'd like to be able to configure vi-specific settings, while another user may prefer to have emacs. Originally I had thought about doing it with environment variables. Set it up with: SSH_PROPOGATE_ENV="SSH_PROPOGATE_ENV INPUTRC REMOTE_USER" INPUTRC="$HOME/.inputrc-vi" REMOTE_USER="jafo" Something like that. Obviously, there are some problems with "$HOME" getting expanded on the client side, but worst case you could use REMOTE_USER in the .profile. Basing it on the key id seemed to be the simplest thing for me though... A general-purpose way to propagate environment variables would be nice though. Enjoy, Sean -- If the code and the comments disagree, then both are probably wrong. -- Norm Schryer Sean Reifschneider, Inimitably Superfluous tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python -------------- next part -------------- diff -ur openssh-2.9p1/auth2.c openssh-2.9p1authdata/auth2.c --- openssh-2.9p1/auth2.c Wed Apr 25 06:44:15 2001 +++ openssh-2.9p1authdata/auth2.c Thu May 17 00:56:38 2001 @@ -771,6 +771,7 @@ if (key_equal(found, key) && auth_parse_options(pw, options, file, linenum) == 1) { found_key = 1; + key_matching_data(cp); debug("matching key found: file %s, line %ld", file, linenum); break; diff -ur openssh-2.9p1/key.c openssh-2.9p1authdata/key.c --- openssh-2.9p1/key.c Tue Apr 17 12:11:37 2001 +++ openssh-2.9p1authdata/key.c Thu May 17 00:56:46 2001 
@@ -781,3 +781,23 @@ break; } } + +const char *key_matching_data(char *cp) +{ + static int isSet = 0; + static char name[100]; + char *s; + int len = 0; + + if (!cp) return(isSet ? name : NULL); + + /* skip leading white-space */ + for (; *cp && isspace(*cp); cp++); + /* copy the data to name */ + for (s = name; *cp && !isspace(*cp) && len < sizeof(name); s++, cp++, len++) + *s = *cp; + *s = '\0'; + isSet = 1; + + return(NULL); +} diff -ur openssh-2.9p1/key.h openssh-2.9p1authdata/key.h --- openssh-2.9p1/key.h Tue Apr 17 12:11:37 2001 +++ openssh-2.9p1authdata/key.h Thu May 17 00:34:28 2001 @@ -80,5 +80,6 @@ Key *key, u_char *signature, int signaturelen, u_char *data, int datalen); +const char *key_matching_data(char *cp); #endif diff -ur openssh-2.9p1/session.c openssh-2.9p1authdata/session.c --- openssh-2.9p1/session.c Wed Apr 18 09:29:34 2001 +++ openssh-2.9p1authdata/session.c Thu May 17 00:41:15 2001 @@ -57,6 +57,7 @@ #include "serverloop.h" #include "canohost.h" #include "session.h" +#include "key.h" #ifdef WITH_IRIX_PROJECT #include @@ -1281,6 +1282,8 @@ get_remote_ipaddr(), get_remote_port(), get_local_port()); child_set_env(&env, &envsize, "SSH_CLIENT", buf); + if (key_matching_data(NULL)) + child_set_env(&env, &envsize, "SSH_AUTHKEY", key_matching_data(NULL)); if (s->ttyfd != -1) child_set_env(&env, &envsize, "SSH_TTY", s->tty); if (s->term) From gert at greenie.muc.de Thu May 17 17:39:19 2001 
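Review bot: the key.c hunk has an off-by-one write in key_matching_data(): the copy loop runs while `len < sizeof(name)`, so it can fill name[0..99] and leave `s` pointing at name[100], and the following `*s = '\0'` then writes one byte past the 100-byte static buffer. Bound the loop with `len < sizeof(name) - 1` (and pass `(unsigned char)*cp` to isspace(), since `cp` is a plain `char *`). Separately, the function silently truncates the key comment to 99 characters; if this value is meant to identify the key, either document the limit or size the copy with strlcpy against the full token length. The getter/setter-in-one design (NULL argument reads back static state, non-NULL stores and returns NULL) also deserves a comment, because the `const char *` return type suggests it always returns something.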
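Review bot: the auth2.c hunk hands `cp`, the remainder of the matching authorized_keys line after the key material, to key_matching_data(), so the value later exported as SSH_AUTHKEY is the free-text comment field of the key, which is written by whoever maintains that authorized_keys file. That is fine for the per-key shell customisation described in the mail, but it should be documented as unverified data: nothing checks it against the key, so scripts must not treat SSH_AUTHKEY as an authenticated identity. Since the hook is only in the protocol 2 public-key path, protocol 1 RSA logins never set the variable; either note that or add the same call where the protocol 1 key match succeeds.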
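Review bot: the second session.c hunk calls key_matching_data(NULL) twice in a row, once in the condition and once as the child_set_env() argument; read it into a local once and reuse it. The first session.c hunk's `#include "key.h"` is needed for the prototype, fine.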
From: gert at greenie.muc.de (Gert Doering) Date: Thu, 17 May 2001 09:39:19 +0200 Subject: AIX SSH 2.x ssh and /etc/ftpusers rcp rlogin WRONG ! In-Reply-To: ; from mark.pitt@ch.ibm.com on Thu, May 17, 2001 at 08:35:17AM +0200 References: Message-ID: <20010517093919.A20239@greenie.muc.de> Hi, On Thu, May 17, 2001 at 08:35:17AM +0200, mark.pitt at ch.ibm.com wrote: > IF ssh is a replacement for rlogin,rsh etc I can accept it respecting > rlogin=false as rlogin does and rsh does not, however scp is a replacement > for rcp, and rcp does NOT use rlogin attribute, so the implementation is > NOT standard as scp fails if rlogin=false, but rcp succeeds, as documented. Sounds like a design deficiency in AIX, actually. What good is disallowing rlogin if you do not also disallow rsh? I think ssh should be consistent here - either "permit remote access to AIX box", or "not at all". gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From peb at mppmu.mpg.de Thu May 17 19:18:26 2001 
From: peb at mppmu.mpg.de (Peter Breitenlohner) Date: Thu, 17 May 2001 11:18:26 +0200 (CEST) Subject: openssh-2.9p1 In-Reply-To: Message-ID: On Wed, 16 May 2001 mouring at etoh.eviladmin.org wrote: Hi Ben, > > 1. I think you should apply the attached patch to openssh-2.9p1, > > otherwise ssh-keyscan on linux boxes with glibc-2.1 will experience enormous > > timeout delays. > > Hmm.. That solves the problem assuming that you never have IPv6 on the box > since ssh-keyscan lacks a -6 option like ssh. Maybe ssh-keyscan needs a > -6 option? Yes, something like '-6' (and '-4') would be good. I just wanted to get ssh-keyscan working quickly (without the tremendous timeouts) on a pure IPv4 system (certainly a hack). > > 2. Is there a program like ssh-keyscan for the Version2 (dsa and rsa) keys?? > > > Not that I'm aware of at this point. I think such a program (or variant of ssh-keyscan with, e.g., '-t rsa') could be quite useful. BTW: The ssh-keyscan man page mentions a BUG: It generates "Connection closed by remote host" messages .... I haven't seen any such messages (on either side). regards Peter Breitenlohner From douglas.manton at uk.ibm.com Thu May 17 19:43:59 2001 
From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com) Date: Thu, 17 May 2001 10:43:59 +0100 Subject: AIX SSH 2.x ssh and /etc/ftpusers rcp rlogin WRONG ! Message-ID: <80256A4F.003577D6.00@d06mta05.portsmouth.uk.ibm.com> > I think ssh should be consistant here - either "permit remote access to > AIX box", or "not at all". The rlogin attribute effectively relates to pty allocation permission. Perhaps the OpenSSH implementation should be changed so that "no-pty" is set if rlogin=false? This would then match AIX's configuration (right or wrong, but consistent!). If I want to disallow access completely then I simply lock the account. The login flow would include (excuse pseudo-code): if rlogin = false { set no-pty force subsystem sftp-server } Is it worth adding the /etc/ftpusers test to the sftp-server for all systems? If we want sftp to replace ftp then this would make sense. If the file does not exist then no harm is done since the default is to grant access. It is nice to allow sftp access to users that are not allowed to log in. I achieve this today using a forced command in the user's authorized_keys files and leave rlogin=true. This has potential for abuse since the lock-down is not done at an administrative level and is quite difficult to audit. Best wishes, -------------------------------------------------------- Doug Manton, AT&T EMEA Commercial Security Solutions E: demanton at att.com -------------------------------------------------------- "If privacy is outlawed, only outlaws will have privacy" From abartlet at pcug.org.au Thu May 17 21:04:28 2001 
From: abartlet at pcug.org.au (Andrew Bartlett) Date: Thu, 17 May 2001 21:04:28 +1000 Subject: Feature request (Re: SSH and forced wtmp entries ...) References: <20010507150303.A12892@faui02.informatik.uni-erlangen.de> <20010511005420.B26079@folly> <3AFB6645.59642983@bartlett.house> <20010514134245.A4158@rhs-notebook> <20010514140422.A18119@faui02.informatik.uni-erlangen.de> <20010515080522.A7364@rhs-notebook> <20010516212939.A25592@folly> Message-ID: <3B03B03C.32F6DE67@bartlett.house> Markus Friedl wrote: > > On Tue, May 15, 2001 at 08:05:22AM +0200, Randolf Skerka wrote: > > On Mon, May 14, 2001 at 02:04:23PM +0200, Markus Friedl wrote: > > > use loglevel=verbose if you care. > > > > I'm getting a bit pissed right now. What's the problem logging login/logouts > > via wtmp? I don't see an argument other than "Use authlog" and "It's like rsh > > behaves", nobody says "It's too difficult to implement!", so why don't stop > > discussing and implementing it? > > > > I think we discussed why it's good to have it in wtmp. > > no. > > i don't like the idea of having every cronjob-scp, every > sftp transfer in lastlog. Nobody said it had to be the default. That's what run-time config options are for. > > i don't like to have 1000 methods in openssh for logging > logins. It's one method, allowing the easy correlation of logins to logouts, remote hosts and usernames. It's not ideal, but it's one of the best overall methods I have seen. It has the particular advantage that it interacts correctly with existing tools, without alteration. -- Andrew Bartlett abartlet at pcug.org.au From mouring at etoh.eviladmin.org Thu May 17 22:55:42 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 17 May 2001 07:55:42 -0500 (CDT) Subject: openssh-2.9p1 In-Reply-To: Message-ID: > > > 2. Is there a program like ssh-keyscan for the Version2 (dsa and rsa) keys?? > > > > > Not that I'm aware of at this point. > > I think such a program (or variant of ssh-keyscan with, e.g., '-t rsa') > could be quite useful. > Implement it in ssh-keyscan. If we see a patch that looks good we will add it. Or it will be added when it gets to the top of our personal priority lists. > BTW: The ssh-keyscan man page mentions a BUG: It generates "Connection > closed by remote host" messages .... > I haven't seen any such mesages (on either side). > I believe you won't for 2.9. But you may on the Commercial SSH and versions before 2.9. Mainly because ssh-keyscan closes the connection with the ssh abruptly. - Ben From j.petersen at msh.de Thu May 17 23:16:34 2001 From: j.petersen at msh.de ("Petersen, Jörg") Date: Thu, 17 May 2001 15:16:34 +0200 Subject: AIX SSH 2.x ssh and /etc/ftpusers rcp rlogin WRONG ! Message-ID: As far as I understand: rlogind allows login with password rshd only allows access via .rhosts/hosts.equiv ! (Which is easy to remove ;-) The difference is the possible use of a password. (If you say 'rsh foreignhost' without command, you actually use rlogind !) With the current openssh-Code I've got no possibility to disallow any remote root-login with password while allowing RSA-Authenticated SSH-Login to root. Therefore I would prefer rlogin=false to be ignored by sshd too. Jörg -----Original Message----- From: Gert Doering [mailto:gert at greenie.muc.de] ... Sounds like a design deficiency in AIX, actually. What good is disallowing rlogin if you do not also disallow rsh? I think ssh should be consistant here - either "permit remote access to AIX box", or "not at all". ... From Markus.Friedl at informatik.uni-erlangen.de Fri May 18 00:27:57 2001 
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 17 May 2001 16:27:57 +0200 Subject: SSH connection hanging on logout In-Reply-To: <20010516221457.17527.qmail@wizard.math.ualberta.ca>; from bowman@math.ualberta.ca on Wed, May 16, 2001 at 10:14:57PM -0000 References: <20010513184453.11194.qmail@wizard.math.ualberta.ca> <20010517000612.B14493@folly> <20010516221457.17527.qmail@wizard.math.ualberta.ca> Message-ID: <20010517162757.A7133@faui02.informatik.uni-erlangen.de> On Wed, May 16, 2001 at 10:14:57PM -0000, John Bowman wrote: > Under linux there is no data corruption and the checksums match: > > [wizard: ~] ssh localhost dd if=/bin/bash bs=65536 count=2 | ( sleep 10 ; md5sum ) > 2+0 records in > 2+0 records out > 86d34e869a31df51922ad2bb9bd202bc - > [wizard: ~] dd if=/bin/bash bs=65536 count=2 | ( sleep 10 ; md5sum ) > 2+0 records in > 2+0 records out > 86d34e869a31df51922ad2bb9bd202bc - with my debugging patch, you should see something like this on the sshd side: debug3: channel 0: channel data: 16384 debug3: channel 0: read rfd 10 len 16384 debug3: channel 0: channel data: 15907 debug2: channel 0: rcvd adjust 16861 debug3: channel 0: channel data: 477 debug3: channel 0: read rfd 10 len 16384 debug3: channel 0: channel data: 16384 debug2: channel 0: rcvd adjust 65536 debug3: channel 0: read rfd 10 len 16384 debug3: channel 0: channel data: 16384 debug3: channel 0: read rfd 10 len 16384 debug3: channel 0: channel data: 16384 debug1: Received SIGCHLD. ^^ shell dies debug1: session_by_pid: pid 29873 debug1: session_exit_message: session 0 channel 0 pid 29873 debug1: session_exit_message: release channel 0 debug1: channel 0: write failed debug1: channel 0: output open -> closed debug1: channel 0: close_write debug1: session_free: session 0 pid 29873 debug3: channel 0: read rfd 10 len 16384 ^^ more reads from the shell. if you shutdown at the SIGCHLD, you can no longer read at this point! 
debug2: channel 0: read 84 from efd 12 debug3: channel 0: channel data: 16384 debug2: channel 0: rwin 16384 elen 84 euse 1 debug2: channel 0: sent ext data 84 debug1: channel 0: read<=0 rfd 10 len 0 debug1: channel 0: read failed debug1: channel 0: input open -> drain debug1: channel 0: close_read debug1: channel 0: input: no drain shortcut debug1: channel 0: ibuf empty debug1: channel 0: input drain -> closed debug1: channel 0: send eof From Florian.Weimer at RUS.Uni-Stuttgart.DE Fri May 18 00:54:27 2001 From: Florian.Weimer at RUS.Uni-Stuttgart.DE (Florian Weimer) Date: 17 May 2001 16:54:27 +0200 Subject: scp: Problem when source and destination are identical Message-ID: If the source and destination file are identical, the receiving scp truncates the file. On the sending end, read() returns 0, and garbage is sent instead of actual data, and the receiving end puts it into the file, which at least confuses the users. -- Florian Weimer Florian.Weimer at RUS.Uni-Stuttgart.DE University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898 From dunlap at apl.washington.edu Fri May 18 01:09:02 2001 From: dunlap at apl.washington.edu (John Dunlap) Date: Thu, 17 May 2001 08:09:02 -0700 Subject: hostbased for root? Message-ID: <3B03E98E.433CC48B@apl.washington.edu> I cannot make hostbased authentication work for root. I have it working for ordinary users between OpenSSH-2.9p1 linux systems using the system config files. I'll send config files and logs of both if needed. Regards, John -- John Dunlap University of Washington Senior Electrical Engineer Applied Physics Laboratory dunlap at apl.washington.edu 1013 NE 40th Street 206-543-7207, 543-1300, FAX 543-6785 Seattle, WA 98105-6698 From bowman at math.ualberta.ca Fri May 18 01:35:18 2001 
From: bowman at math.ualberta.ca (John Bowman) Date: 17 May 2001 15:35:18 -0000 Subject: SSH connection hanging on logout In-Reply-To: <20010517162757.A7133@faui02.informatik.uni-erlangen.de> (message from Markus Friedl on Thu, 17 May 2001 16:27:57 +0200) References: <20010513184453.11194.qmail@wizard.math.ualberta.ca> <20010517000612.B14493@folly> <20010516221457.17527.qmail@wizard.math.ualberta.ca> <20010517162757.A7133@faui02.informatik.uni-erlangen.de> Message-ID: <20010517153518.9597.qmail@wizard.math.ualberta.ca> > > Under linux there is no data corruption and the checksums match: > > > > [wizard: ~] ssh localhost dd if=/bin/bash bs=65536 count=2 | ( sleep 10 ; md5sum ) > > 2+0 records in > > 2+0 records out > > 86d34e869a31df51922ad2bb9bd202bc - > > [wizard: ~] dd if=/bin/bash bs=65536 count=2 | ( sleep 10 ; md5sum ) > > 2+0 records in > > 2+0 records out > > 86d34e869a31df51922ad2bb9bd202bc - > > with my debugging patch, > you should see something like this on the sshd side: > > debug3: channel 0: channel data: 16384 > debug3: channel 0: read rfd 10 len 16384 > debug3: channel 0: channel data: 15907 > debug2: channel 0: rcvd adjust 16861 > debug3: channel 0: channel data: 477 > debug3: channel 0: read rfd 10 len 16384 > debug3: channel 0: channel data: 16384 > debug2: channel 0: rcvd adjust 65536 > debug3: channel 0: read rfd 10 len 16384 > debug3: channel 0: channel data: 16384 > debug3: channel 0: read rfd 10 len 16384 > debug3: channel 0: channel data: 16384 > debug1: Received SIGCHLD. > ^^ shell dies > debug1: session_by_pid: pid 29873 > debug1: session_exit_message: session 0 channel 0 pid 29873 > debug1: session_exit_message: release channel 0 > debug1: channel 0: write failed > debug1: channel 0: output open -> closed > debug1: channel 0: close_write > debug1: session_free: session 0 pid 29873 > debug3: channel 0: read rfd 10 len 16384 > ^^ more reads from the shell. > > if you shutdown at the SIGCHLD, you can no longer read > at this point! 
> > debug2: channel 0: read 84 from efd 12 > debug3: channel 0: channel data: 16384 > debug2: channel 0: rwin 16384 elen 84 euse 1 > debug2: channel 0: sent ext data 84 > debug1: channel 0: read<=0 rfd 10 len 0 > debug1: channel 0: read failed > debug1: channel 0: input open -> drain > debug1: channel 0: close_read > debug1: channel 0: input: no drain shortcut > debug1: channel 0: ibuf empty > debug1: channel 0: input drain -> closed > debug1: channel 0: send eof > Here is what I get with the latest patch and your debug patch installed. There is a SIGCHLD, but only after the very beginning: ssh -v -v -v localhost dd if=/bin/bash bs=65536 count=2 | ( sleep 10 ; md5sum ) ... debug2: channel 0: written 477 to efd 6 debug2: channel 0: rcvd ext data 27 debug1: Received SIGCHLD. debug2: channel 0: written 27 to efd 6 debug2: channel 0: window 32264 sent adjust 4600 (obuf 28672) debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 debug2: channel 0: window 0 sent adjust 4096 (obuf 61440) debug2: channel 0: window 4096 sent adjust 4096 (obuf 57344) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 12288 sent adjust 4096 (obuf 49152) debug2: channel 0: window 16384 sent adjust 4096 (obuf 45056) debug2: channel 0: window 20480 sent adjust 4096 (obuf 40960) debug2: channel 0: window 24576 sent adjust 4096 (obuf 36864) debug2: channel 0: window 28672 sent adjust 4096 (obuf 32768) debug2: channel 0: window 20480 sent adjust 36864 (obuf 8192) debug2: channel 0: rcvd ext data 31 debug2: channel 0: window 24545 sent adjust 28672 (obuf 12288) debug1: channel 0: rcvd eof debug1: channel 0: output open -> drain debug1: channel 0: rcvd close debug1: channel 0: input open -> closed debug1: channel 0: close_read debug2: channel 0: no data after CLOSE debug2: channel 0: no data after CLOSE debug2: channel 0: no data after CLOSE debug2: channel 0: no data after CLOSE debug2: channel 0: no data after CLOSE debug1: channel 0: obuf empty 
debug1: channel 0: output drain -> closed debug1: channel 0: close_write debug2: channel 0: active efd: 6 len 31 type write 2+0 records in 2+0 records out debug2: channel 0: written 31 to efd 6 debug1: channel 0: send close debug1: channel 0: is dead debug1: channel_free: channel 0: status: The following connections are open: #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1) debug1: channel_free: channel 0: dettaching channel user debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 6.1 seconds debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0 debug1: Exit status 0 86d34e869a31df51922ad2bb9bd202bc - [wizard: ~] dd if=/bin/bash bs=65536 count=2 | ( sleep 10 ; md5sum ) 2+0 records in 2+0 records out 86d34e869a31df51922ad2bb9bd202bc - With 10 counts and a short sleep it looks like this: ssh -v -v -v localhost dd if=/bin/bash bs=65536 count=10 | ( sleep 5 ; md5sum ) ... debug2: channel 0: written 477 to efd 6 debug2: channel 0: rcvd ext data 27 debug1: Received SIGCHLD. debug2: channel 0: written 27 to efd 6 debug2: channel 0: window 32264 sent adjust 4600 (obuf 28672) debug2: channel 0: window 0 sent adjust 4096 (obuf 61440) debug2: channel 0: window 4096 sent adjust 4096 (obuf 57344) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 12288 sent adjust 4096 (obuf 49152) debug2: channel 0: window 16384 sent adjust 4096 (obuf 45056) debug2: channel 0: window 20480 sent adjust 4096 (obuf 40960) debug2: channel 0: window 24576 sent adjust 4096 (obuf 36864) debug2: channel 0: window 28672 sent adjust 4096 (obuf 32768) debug2: channel 0: window 20480 sent adjust 36864 (obuf 8192) debug2: channel 0: window 24576 sent adjust 28672 (obuf 12288) debug2: channel 0: window 20480 sent adjust 32768 (obuf 12288) debug2: channel 0: window 20480 sent adjust 32768 (obuf 12288) debug2: channel 0: window 20480 sent adjust 32768 (obuf 12288) debug2: channel 0: window 20480 sent adjust 32768 (obuf 12288) debug2: channel 0: window 20480 sent 
adjust 32768 (obuf 12288) debug2: channel 0: window 21136 sent adjust 32768 (obuf 11632) debug2: channel 0: rcvd ext data 15 4+1 records in debug2: channel 0: written 15 to efd 6 debug2: channel 0: rcvd ext data 16 4+1 records out debug2: channel 0: written 16 to efd 6 debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 debug1: channel 0: rcvd eof debug1: channel 0: output open -> drain debug1: channel 0: rcvd close debug1: channel 0: input open -> closed debug1: channel 0: close_read debug2: channel 0: no data after CLOSE debug1: channel 0: obuf empty debug1: channel 0: output drain -> closed debug1: channel 0: close_write debug1: channel 0: send close debug1: channel 0: is dead debug1: channel_free: channel 0: status: The following connections are open: #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1) debug1: channel_free: channel 0: dettaching channel user debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 4.5 seconds debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0 debug1: Exit status 0 6c80ab2560a5f7b9b778b5498a93ece8 - [wizard: ~] dd if=/bin/bash bs=65536 count=10 | ( sleep 5 ; md5sum ) 4+1 records in 4+1 records out 6c80ab2560a5f7b9b778b5498a93ece8 - Looks ok to me. -- John Bowman University of Alberta http://www.math.ualberta.ca/~bowman From mark.pitt at ch.ibm.com Fri May 18 01:50:42 2001 
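The point Markus makes in the trace quoted above (output the child wrote before exiting is still queued after SIGCHLD, and is lost if the read side is shut down at that moment) can be reproduced outside sshd. The following is an added example, not OpenSSH code: it forks a child that writes a constructed 4000-byte payload into a pipe and exits, reaps it, and then compares draining the pipe to EOF with closing it at reap time.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed payload size: small enough to fit in any pipe buffer, so the
 * child can write all of it and exit before the parent has read one byte. */
#define CHILD_BYTES 4000

/* Child side: emit CHILD_BYTES of output and exit at once. */
static void child_writer(int wfd)
{
    char chunk[500];
    size_t left = CHILD_BYTES;

    memset(chunk, 'x', sizeof(chunk));
    while (left > 0) {
        size_t want = left < sizeof(chunk) ? left : sizeof(chunk);
        ssize_t n = write(wfd, chunk, want);
        if (n < 0)
            _exit(1);
        left -= (size_t)n;
    }
    _exit(0);
}

/*
 * Parent side. Starts the child, reaps it (this is the moment at which sshd
 * sees SIGCHLD: the process is gone, its unread output is not), and then
 * either closes the read end right away (close_at_sigchld != 0), which is
 * what shutting the channel's read side down in the SIGCHLD path amounts to,
 * or keeps reading until EOF. Returns the number of bytes obtained from the
 * pipe, or -1 if pipe/fork/waitpid failed.
 */
long drain_after_exit(int close_at_sigchld)
{
    int fds[2];
    pid_t pid;
    int status;
    char buf[1024];
    ssize_t n;
    long total = 0;

    if (pipe(fds) < 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        close(fds[0]);
        child_writer(fds[1]);   /* never returns */
    }
    close(fds[1]);              /* parent keeps only the read end */

    /* Wait for the child to exit before touching the pipe at all. */
    if (waitpid(pid, &status, 0) < 0) {
        close(fds[0]);
        return -1;
    }

    if (close_at_sigchld) {
        /* Shut the read side down "at SIGCHLD": every queued byte is gone. */
        close(fds[0]);
        return total;           /* 0 */
    }

    /* Drain until read() returns 0; only that EOF says the output is complete. */
    while ((n = read(fds[0], buf, sizeof(buf))) > 0)
        total += n;
    close(fds[0]);
    return total;
}

int main(void)
{
    printf("drain until EOF after exit : %ld bytes\n", drain_after_exit(0));
    printf("close read side at SIGCHLD : %ld bytes\n", drain_after_exit(1));
    return 0;
}
```

The first call returns all 4000 bytes even though the writer is already dead; the second returns 0, which is the truncated `dd` output the thread is chasing.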
From: mark.pitt at ch.ibm.com (mark.pitt at ch.ibm.com) Date: Thu, 17 May 2001 17:50:42 +0200 Subject: AIX SSH 2.x ssh and /etc/ftpusers rcp rlogin WRONG ! Message-ID: Another point - IBM security Policies REQUIRE that any system they look after, theirs or customer's, has rlogin=false for root set - this means ssh will NOT be usable at any site for which IBM is responsible - that means all IBM customers and IBM cannot use the product as it is currently configured without mountains of paperwork. Bang go a lot of big sites, and not only AIX, but ALL systems IBM services. From openssh-unix-dev at progressive-comp.com Fri May 18 03:32:02 2001 
From: openssh-unix-dev at progressive-comp.com (Hank Leininger) Date: Thu, 17 May 2001 13:32:02 -0400 Subject: scp: Problem when source and destination are identical Message-ID: <200105171732.NAA31658@mailer.progressive-comp.com> On 2001-05-17, Florian Weimer wrote: > If the source and destination file are identical, the receiving scp > truncates the file. On the sending end, read() returns 0, and garbage > is sent instead of actual data, and the receiving end puts it into the > file, which at least confuses the users. This comes up every now and then. Except for the simple case where both files are local, how's scp really to know? Sure, scp localhost:foo ~/foo *seems* like an obvious clash, but what if it isn't? You or your sshd may be running chrooted, or config options may have you ssh/scp into localhost as a different user by default, or 'localhost' may be an alias for some other box, or you may have some forwarder on port 22... All of these may sound a bit far-fetched, but that's just the point: the first time you need to do something like this you'll curse the fact that the openssh developers tried and failed to think of everything, and you'll be stuck in "Can't Get There From Here". See an earlier thread about the same question: http://marc.theaimsgroup.com/?t=98084090100002&r=1&w=2 ...Now, to throw some fuel on the fire: is there any room (i.e. would the way scp is done even allow) for the equivalent of the -i option for cp? ("Overwrite file 'foo'? y/N") I'm betting not, and the right answer for things like that is "use rsync over ssh instead of scp." -- Hank Leininger From jmknoble at jmknoble.cx Fri May 18 06:45:30 2001 
From: jmknoble at jmknoble.cx (Jim Knoble) Date: Thu, 17 May 2001 15:45:30 -0500 Subject: AIX SSH 2.x ssh and /etc/ftpusers rcp rlogin WRONG ! In-Reply-To: ; from j.petersen@msh.de on Thu, May 17, 2001 at 03:16:34PM +0200 References: Message-ID: <20010517154530.A6754@zax.half.pint-stowp.cx> Circa 2001-May-17 15:16:34 +0200 dixit "Petersen, Jörg": : As far as I understand: : rlogind allows login with password : rshd only allows access via .rhosts/hosts.equiv ! (Which is easy to remove : ;-) : : The difference is the possible use of a password. : : (If you say 'rsh foreignhost' without command, : you actually use rlogind !) : : With the current openssh-Code I've got no possibility : to disallow any remote root-login with password while : allowing RSA-Authenticated SSH-Login to root. What about 'PasswordAuthentication no' in sshd_config? -- jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/ (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491) From jmknoble at jmknoble.cx Fri May 18 06:48:39 2001 
From: jmknoble at jmknoble.cx (Jim Knoble)
Date: Thu, 17 May 2001 15:48:39 -0500
Subject: AIX SSH 2.x ssh and /etc/ftpusers rcp rlogin WRONG !
In-Reply-To: ; from mark.pitt@ch.ibm.com on Thu, May 17, 2001 at 05:50:42PM +0200
References:
Message-ID: <20010517154839.B6754@zax.half.pint-stowp.cx>

Circa 2001-May-17 17:50:42 +0200 dixit mark.pitt at ch.ibm.com:

: Another point - IBM security Policies REQUIRE that any system they look
: after, theirs or customer's, has rlogin=false for root set - this
: means ssh will NOT be usable at any site for which IBM is responsible
: - that means all IBM customers and IBM cannot use the product as it
: is currently configured without mountains of paperwork.

Wouldn't it make more sense to respect the rlogin= setting only if sshd_config has RhostsAuthentication (or potentially RhostsRSAAuthentication) turned on? Those are the only times when sshd actually acts like rshd or rlogind.

--
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)

From markus.friedl at informatik.uni-erlangen.de Fri May 18 07:38:23 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 17 May 2001 23:38:23 +0200
Subject: SSH connection hanging on logout
In-Reply-To: <20010517153518.9597.qmail@wizard.math.ualberta.ca>; from bowman@math.ualberta.ca on Thu, May 17, 2001 at 03:35:18PM -0000
References: <20010513184453.11194.qmail@wizard.math.ualberta.ca> <20010517000612.B14493@folly> <20010516221457.17527.qmail@wizard.math.ualberta.ca> <20010517162757.A7133@faui02.informatik.uni-erlangen.de> <20010517153518.9597.qmail@wizard.math.ualberta.ca>
Message-ID: <20010517233823.A9231@folly>

On Thu, May 17, 2001 at 03:35:18PM -0000, John Bowman wrote:
> > you should see something like this on the sshd side:
> >
> > debug3: channel 0: channel data: 16384
> > debug3: channel 0: read rfd 10 len 16384
> > debug3: channel 0: channel data: 15907
> > debug2: channel 0: rcvd adjust 16861
> > debug3: channel 0: channel data: 477
> > debug3: channel 0: read rfd 10 len 16384
> > debug3: channel 0: channel data: 16384
> > debug2: channel 0: rcvd adjust 65536
> > debug3: channel 0: read rfd 10 len 16384
> > debug3: channel 0: channel data: 16384
> > debug3: channel 0: read rfd 10 len 16384
> > debug3: channel 0: channel data: 16384
> > debug1: Received SIGCHLD.
> > ^^ shell dies
> > debug1: session_by_pid: pid 29873
> > debug1: session_exit_message: session 0 channel 0 pid 29873
> > debug1: session_exit_message: release channel 0
> > debug1: channel 0: write failed
> > debug1: channel 0: output open -> closed
> > debug1: channel 0: close_write
> > debug1: session_free: session 0 pid 29873
> > debug3: channel 0: read rfd 10 len 16384
> > ^^ more reads from the shell.
> >
> > if you shutdown at the SIGCHLD, you can no longer read
> > at this point!
> > > > debug2: channel 0: read 84 from efd 12 > > debug3: channel 0: channel data: 16384 > > debug2: channel 0: rwin 16384 elen 84 euse 1 > > debug2: channel 0: sent ext data 84 > > debug1: channel 0: read<=0 rfd 10 len 0 > > debug1: channel 0: read failed > > debug1: channel 0: input open -> drain > > debug1: channel 0: close_read > > debug1: channel 0: input: no drain shortcut > > debug1: channel 0: ibuf empty > > debug1: channel 0: input drain -> closed > > debug1: channel 0: send eof > > > > Here is what I get with the latest patch and your debug patch > installed. There is a SIGCHLD, but only after the very beginning: > > ssh -v -v -v localhost dd if=/bin/bash bs=65536 count=2 | ( sleep 10 ; md5sum ) i need the server side LOG message! From markus.friedl at informatik.uni-erlangen.de Fri May 18 07:41:44 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 17 May 2001 23:41:44 +0200 Subject: SSH connection hanging on logout In-Reply-To: <20010517014450.25437.qmail@wizard.math.ualberta.ca>; from bowman@math.ualberta.ca on Thu, May 17, 2001 at 01:44:50AM -0000 References: <20010516081803.2877.qmail@wizard.math.ualberta.ca> <20010516223627.B25592@folly> <20010517014450.25437.qmail@wizard.math.ualberta.ca> Message-ID: <20010517234144.B9231@folly> On Thu, May 17, 2001 at 01:44:50AM -0000, John Bowman wrote: > Yes, this patch fixes the X hanging bug (test under Protocol 2 on RedHat > 6.2 linux systems). Thanks! > > I've incorporated it into this latest version of the hang-on-exit patch > (the latest patch will always be available from > http://www.math.ualberta.ca/imaging/snfs) > > -- John Bowman > > University of Alberta > http://www.math.ualberta.ca/~bowman > > > diff -ur openssh-2.9p1/channels.c openssh-2.9p1J/channels.c > --- openssh-2.9p1/channels.c Tue Apr 17 12:14:35 2001 > +++ openssh-2.9p1J/channels.c Wed May 16 16:42:53 2001 
> @@ -1137,6 +1137,15 @@ > continue; > if (ftab[c->type] == NULL) > continue; > + if(c->istate == CHAN_INPUT_OPEN && c->rfd == -1) { > + int type=c->type; > + c->type=SSH_CHANNEL_CLOSED; > + if(channel_find_open() == -1) > + shutdown(packet_get_connection_out(), > + SHUT_RDWR); ^^^^^^^^ this cannot be correct. you may _not_ shutdown the TCP connection. this breaks ssh -N -L 1234:hostb:5678 hosta > + c->type=type; > + continue; > + } From markus.friedl at informatik.uni-erlangen.de Fri May 18 07:43:42 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 17 May 2001 23:43:42 +0200 Subject: OpenSSH and HostBasedAuthentication In-Reply-To: <200105162220.f4GMK0h03045@swoon.net>; from markm@swoon.net on Wed, May 16, 2001 at 03:19:59PM -0700 References: <20010517113417.B24207@faui02.informatik.uni-erlangen.de> <200105171735.f4HHZqh05699@swoon.net> <20010517002042.A24207@faui02.informatik.uni-erlangen.de> <200105162222.f4GMMah03061@swoon.net> <20010516235656.A22495@faui02.informatik.uni-erlangen.de> <200105162220.f4GMK0h03045@swoon.net> Message-ID: <20010517234342.C9231@folly> On Mark Miller wrote: > -rws--x--x 1 root wheel 734964 May 15 19:58 /usr/bin/ssh* > ... > debug1: ssh_connect: getuid 501 geteuid 501 anon 1 > ... > Darwin montague 1.3.3 Darwin Kernel Version 1.3.3: Fri May 4 13:46:54 > PDT 2001; root:xnu/xnu-124.8.obj~1/RELEASE_PPC Power Macintosh powerpc does darwin support setuid root binaries? is anyone using openssh on darwin?? thanks -m From markus.friedl at informatik.uni-erlangen.de Fri May 18 07:52:20 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 17 May 2001 23:52:20 +0200
Subject: scp: Problem when source and destination are identical
In-Reply-To: ; from Florian.Weimer@RUS.Uni-Stuttgart.DE on Thu, May 17, 2001 at 04:54:27PM +0200
References:
Message-ID: <20010517235220.D9231@folly>

On Thu, May 17, 2001 at 04:54:27PM +0200, Florian Weimer wrote:
> If the source and destination file are identical, the receiving scp
> truncates the file. On the sending end, read() returns 0, and garbage
> is sent instead of actual data, and the receiving end puts it into the
> file, which at least confuses the users.

how should rcp/scp know that the files are identical?

From jason at shalott.net Fri May 18 07:59:29 2001
From: jason at shalott.net (Jason Stone)
Date: Thu, 17 May 2001 14:59:29 -0700 (PDT)
Subject: scp: Problem when source and destination are identical
In-Reply-To: <200105171732.NAA31658@mailer.progressive-comp.com>
Message-ID:

> > If the source and destination file are identical, the receiving scp
> > truncates the file. On the sending end, read() returns 0, and garbage
> > is sent instead of actual data, and the receiving end puts it into the
> > file, which at least confuses the users.
>
> This comes up every now and then. Except for the simple case where both
> files are local, how's scp really to know?
>
> ...Now, to throw some fuel on the fire: is there any room (i.e. would the
> way scp is done even allow) for the equivalent of the -i option for cp?
> ("Overwrite file 'foo'? y/N") I'm betting not, and the right answer for
> things like that is "use rsync over ssh instead of scp."

Another solution to your problem is the patch posted by Wayne Davison a couple days ago to scp files into a unique temp name on the remote side and then atomically move the new file over the old file.

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=98987013832587&w=2

I used to do the same thing with shell script wrappers - having scp do it is simpler.

-Jason

---------------------------
If the Revolution comes to grief, it will be because you and those you lead have become alarmed at your own brutality. --John Gardner

From jason at shalott.net Fri May 18 08:32:58 2001
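The same-file truncation Florian reports, next to the temp-name-plus-rename strategy Jason refers to, as an added local C demonstration. This is not scp's code and not Wayne Davison's patch; the function names, the `.copy.XXXXXX` temp prefix and the sample content are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
/* Added demonstration, not scp's code and not Wayne Davison's patch.
 * naive_copy() mimics a receiver that truncates the target before the
 * sender has read it: copying a file onto itself empties it and read()
 * returns 0 at once, which is the failure Florian describes.
 * atomic_copy() writes to a unique temporary name in the target's
 * directory and rename()s it over the target only when complete, so
 * the source stays intact while it is read and the target is never
 * half-written. Function names and the ".copy.XXXXXX" prefix are ours. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample content used by self_copy_size(). */
const char *const SAMPLE_CONTENT = "constructed payload the receiver must keep\n";

/* Copy everything readable from in to out; bytes copied, or -1 on error. */
static long pump(int in, int out)
{
    char buf[8192];
    long total = 0;
    ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0)
                return -1;
            off += w;
        }
        total += n;
    }
    return n < 0 ? -1 : total;
}

/* Truncate-then-copy. If src and dst are the same file, O_TRUNC empties
 * it before pump() reads, so the copy is 0 bytes. Returns bytes copied. */
long naive_copy(const char *src, const char *dst)
{
    int in = open(src, O_RDONLY);
    if (in < 0)
        return -1;
    int out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (out < 0) { close(in); return -1; }
    long n = pump(in, out);
    close(in);
    close(out);
    return n;
}

/* Copy into "<dir of dst>/.copy.XXXXXX", then rename() over dst.
 * rename() is atomic, so dst is always either the old or the new file. */
long atomic_copy(const char *src, const char *dst)
{
    char tmp[4096];
    const char *slash = strrchr(dst, '/');
    int dirlen = slash ? (int)(slash - dst) : 0;
    if (snprintf(tmp, sizeof tmp, "%.*s%s.copy.XXXXXX",
                 dirlen, dst, slash ? "/" : "") >= (int)sizeof tmp)
        return -1;
    int in = open(src, O_RDONLY);
    if (in < 0)
        return -1;
    int out = mkstemp(tmp);          /* unique, created with O_EXCL, mode 0600 */
    if (out < 0) { close(in); return -1; }
    long n = pump(in, out);
    if (n >= 0 && fsync(out) != 0)   /* data on disk before the name flips */
        n = -1;
    close(in);
    close(out);
    if (n < 0 || rename(tmp, dst) != 0) {
        unlink(tmp);                 /* never leave a half-written temp file */
        return -1;
    }
    return n;
}

/* Test helper: write content to a fresh file, copy the file onto itself
 * with copier (the "scp foo localhost:foo" case), and return the
 * resulting size of the file, or -1 on error. */
long self_copy_size(long (*copier)(const char *, const char *),
                    const char *content)
{
    char path[] = "/tmp/scp-self-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    size_t len = strlen(content);
    if (write(fd, content, len) != (ssize_t)len) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    (void)copier(path, path);
    struct stat st;
    long size = stat(path, &st) == 0 ? (long)st.st_size : -1;
    unlink(path);
    return size;
}
```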
From: jason at shalott.net (Jason Stone)
Date: Thu, 17 May 2001 15:32:58 -0700 (PDT)
Subject: OpenSSH and HostBasedAuthentication
In-Reply-To: <20010517234342.C9231@folly>
Message-ID:

> > -rws--x--x 1 root wheel 734964 May 15 19:58 /usr/bin/ssh*
> > ...
> > debug1: ssh_connect: getuid 501 geteuid 501 anon 1
> > ...
> > Darwin montague 1.3.3 Darwin Kernel Version 1.3.3: Fri May 4 13:46:54
> > PDT 2001; root:xnu/xnu-124.8.obj~1/RELEASE_PPC Power Macintosh powerpc
>
> does darwin support setuid root binaries?
>
> is anyone using openssh on darwin??

I think yes and yes.

[mauve:~] root# uname -a
Darwin mauve 1.3.3 Darwin Kernel Version 1.3.3: Fri May 4 13:46:54 PDT 2001; root:xnu/xnu-124.8.obj~1/RELEASE_PPC Power Macintosh powerpc
[mauve:~] root# ssh -V
SSH Version OpenSSH_2.3.0p1, protocol versions 1.5/2.0. Compiled with SSL (0x0090581f).
[mauve:~] root# cat test.c
#include <stdio.h>
#include <stdlib.h>
int main(void) { system("id"); exit(0); }
[mauve:~] root# ls -l /test
---s--x--x 1 root wheel 9456 May 17 15:30 /test
[mauve:~] root# su - heather
[mauve:~] heather% id
uid=990(heather) gid=990 groups=990, 0(wheel)
[mauve:~] heather% /test
uid=990(heather) euid=0(root) gid=990 groups=990, 0(wheel)

-Jason

---------------------------
If the Revolution comes to grief, it will be because you and those you lead have become alarmed at your own brutality. --John Gardner

From bowman at math.ualberta.ca Fri May 18 10:35:43 2001
From: bowman at math.ualberta.ca (John Bowman) Date: 18 May 2001 00:35:43 -0000 Subject: SSH connection hanging on logout In-Reply-To: <20010517234144.B9231@folly> (message from Markus Friedl on Thu, 17 May 2001 23:41:44 +0200) References: <20010516081803.2877.qmail@wizard.math.ualberta.ca> <20010516223627.B25592@folly> <20010517014450.25437.qmail@wizard.math.ualberta.ca> <20010517234144.B9231@folly> Message-ID: <20010518003543.15159.qmail@wizard.math.ualberta.ca> > > continue; > > if (ftab[c->type] == NULL) > > continue; > > + if(c->istate == CHAN_INPUT_OPEN && c->rfd == -1) { > > + int type=c->type; > > + c->type=SSH_CHANNEL_CLOSED; > > + if(channel_find_open() == -1) > > + shutdown(packet_get_connection_out(), > > + SHUT_RDWR); > > ^^^^^^^^ > this cannot be correct. you may _not_ shutdown > the TCP connection. this breaks > ssh -N -L 1234:hostb:5678 hosta > In what way does this "break" tunnelling? It works just fine for me, under Linux. Try it out on a Linux machine. The hang-on-exit patch has recently been reported not to work under HP-UX, so Linux is the only OS where this patch should be applied anyway (at least, until Markus comes up with a better alternative :-). While we are on the topic of tunnelling...I have another patch that I am about to submit to this list that implements a handy enhancement to tunneling that was proposed by John Hardin of Apropos Retail Management Systems, Inc. One can now request that the connection not die after the first TCP connection is closed (via -N) or after a fixed number of seconds (via a sleep command), but rather that it stays around n seconds after the most recent TCP connection is closed. More details to follow... -- John Bowman University of Alberta http://www.math.ualberta.ca/~bowman From wayne at blorf.net Fri May 18 13:47:39 2001 
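The race behind Markus's objection in this thread, as an added stand-alone C demonstration: the sshd log he quoted shows SIGCHLD for the shell arriving while 16384 more bytes of its output are still readable from the pipe. This is not part of the thread and not OpenSSH code; the function names and the 200000-byte payload are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
/* Added demonstration, not part of the thread and not OpenSSH code.
 * It reproduces what Markus's sshd log shows: the "shell" (a child) has
 * exited, so SIGCHLD arrives, while output it wrote is still buffered in
 * the pipe. A reader that stops at SIGCHLD drops that output; a reader
 * that continues until read() returns 0 (EOF) gets all of it. The
 * function names and the 200000-byte payload are our own choices. */
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define PAYLOAD_LEN 200000L          /* larger than a pipe buffer */

static volatile sig_atomic_t got_sigchld;

static void on_sigchld(int sig) { (void)sig; got_sigchld = 1; }

/* Handler without SA_RESTART, so a blocked read() is interrupted by
 * SIGCHLD much as sshd's select loop is woken by it. Resets the flag. */
static void arm_sigchld(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigchld;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    sigaction(SIGCHLD, &sa, NULL);
    got_sigchld = 0;
}

/* Fork a child that writes PAYLOAD_LEN bytes of 'x' to a pipe and exits.
 * Returns the read end (or -1) and stores the child's pid in *pid_out. */
static int spawn_writer(pid_t *pid_out)
{
    int p[2];
    if (pipe(p) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {                  /* child: plays the exiting shell */
        char chunk[4096];
        long left = PAYLOAD_LEN;
        memset(chunk, 'x', sizeof chunk);
        close(p[0]);
        while (left > 0) {
            size_t want = left < (long)sizeof chunk ? (size_t)left : sizeof chunk;
            ssize_t w = write(p[1], chunk, want);
            if (w <= 0)
                _exit(1);
            left -= w;
        }
        _exit(0);                    /* parent receives SIGCHLD here */
    }
    close(p[1]);
    *pid_out = pid;
    return p[0];
}

/* Read from rfd until EOF, or until SIGCHLD if stop_on_sigchld is set.
 * The short delay after each read keeps the reader slower than the writer,
 * so the pipe is still full when the child exits, as in the sshd log. */
static long consume(int rfd, int stop_on_sigchld)
{
    struct timespec delay = { 0, 200000 };   /* 200 microseconds */
    char buf[4096];
    long total = 0;
    for (;;) {
        if (stop_on_sigchld && got_sigchld)
            break;                   /* the "tear down at SIGCHLD" policy */
        ssize_t n = read(rfd, buf, sizeof buf);
        if (n < 0 && errno == EINTR)
            continue;                /* interrupted by SIGCHLD: re-check */
        if (n <= 0)
            break;                   /* n == 0 is EOF: the writer is gone */
        total += n;
        nanosleep(&delay, NULL);
    }
    return total;
}

/* Run one policy end to end; returns the number of bytes the parent got. */
static long bytes_received(int stop_on_sigchld)
{
    pid_t pid;
    arm_sigchld();
    int rfd = spawn_writer(&pid);
    if (rfd == -1)
        return -1;
    long got = consume(rfd, stop_on_sigchld);
    close(rfd);                      /* whatever is still in the pipe is lost */
    while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
        ;
    return got;
}

long bytes_if_closed_at_sigchld(void) { return bytes_received(1); }
long bytes_if_drained_to_eof(void)    { return bytes_received(0); }
```

Only the drain-to-EOF policy returns the full 200000 bytes; the SIGCHLD policy returns less by roughly one pipe buffer, which is the data a channel closed at SIGCHLD would never deliver.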
From: wayne at blorf.net (Wayne Davison) Date: Thu, 17 May 2001 20:47:39 -0700 (PDT) Subject: ssh-keyscan for ssh2 (was Re: openssh-2.9p1) In-Reply-To: Message-ID: On Mon, 14 May 2001, Peter Breitenlohner wrote: > 2. Is there a program like ssh-keyscan for the Version2 (dsa and rsa) keys?? Here's my first cut at modifying ssh-keyscan to output either/both ssh1 and ssh2 keys. It defaults to working as it did before (outputting just the ssh1 rsa keys), but you can ask for either or both by using the -1 and -2 options. You can even switch what you need between hostnames: ssh-keyscan -1 foo -2 bar -1 -2 baz stillboth -1 rsa -12 bothagain My patch currently uses lots of connection code from the ssh library, so a fatal error in protocol 2 can cut off the whole process in the middle. Hopefully this won't be too hard to fix, but I'm just glad this is working and doesn't hang up on out-of-touch systems (or bomb out early on connection errors since the first part of the connection is still handled by the same keyscan code). The ssh2 probing only appears to work when connecting to sshd v2.9. When I attempted to use it ask for a ssh2 key from a 2.5.2p2 host, it reports the error "Received disconnect from ...". If someone more familiar with how ssh works would like to look into this, feel free. I also added the flags -4 and -6 to allow people to set IPv4 and IPv6 modes just like with ssh. ..wayne.. ---8<------8<------8<------8<---cut here--->8------>8------>8------>8--- Index: ssh-keyscan.c @@ -19,10 +19,15 @@ #include +#include #include "xmalloc.h" #include "ssh.h" #include "ssh1.h" #include "key.h" +#include "kex.h" +#include "myproposal.h" +#include "packet.h" +#include "dispatch.h" #include "buffer.h" #include "bufaux.h" #include "log.h" 
@@ -30,8 +35,16 @@ static int argno = 1; /* Number of argument currently being parsed */ -int family = AF_UNSPEC; /* IPv4, IPv6 or both */ +/* Flag indicating whether IPv4 or IPv6. This can be set on the command line. + Default value is AF_UNSPEC means both IPv4 and IPv6. */ +#ifdef IPV4_DEFAULT +int IPv4or6 = AF_INET; +#else +int IPv4or6 = AF_UNSPEC; +#endif +int get_keytypes = 1; /* Get only RSA keys by default */ + #define MAXMAXFD 256 /* The number of seconds after which to give up on a TCP connection */ @@ -48,6 +61,7 @@ fd_set *read_wait; size_t read_wait_size; int ncon; +jmp_buf kexjmp; /* * Keep a connection structure for each file descriptor. The state @@ -63,11 +77,13 @@ int c_plen; /* Packet length field for ssh packet */ int c_len; /* Total bytes which must be read. */ int c_off; /* Length of data read so far. */ + int c_keytypes; /* bits: 1 = get RSA, 2 = get DSA */ char *c_namebase; /* Address to free for c_name and c_namelist */ char *c_name; /* Hostname of connection for errors */ char *c_namelist; /* Pointer to other possible addresses */ char *c_output_name; /* Hostname of connection for output */ char *c_data; /* Data read from this fd */ + Kex *c_kex; /* The key-exchange struct for ssh2 */ struct timeval c_tv; /* Time at which connection gets aborted */ TAILQ_ENTRY(Connection) c_link; /* List of connections in timeout order. */ } con; @@ -261,8 +277,8 @@ return (tok); } -void -keyprint(char *host, char *output_name, char *kd, int len) +Key * +keygrab_rsa(con *c) { static Key *rsa; static Buffer msg; 
@@ -271,12 +287,12 @@ buffer_init(&msg); rsa = key_new(KEY_RSA1); } - buffer_append(&msg, kd, len); - buffer_consume(&msg, 8 - (len & 7)); /* padding */ + buffer_append(&msg, c->c_data, c->c_plen); + buffer_consume(&msg, 8 - (c->c_plen & 7)); /* padding */ if (buffer_get_char(&msg) != (int) SSH_SMSG_PUBLIC_KEY) { - error("%s: invalid packet type", host); + error("%s: invalid packet type", c->c_name); buffer_clear(&msg); - return; + return NULL; } buffer_consume(&msg, 8); /* cookie */ @@ -289,10 +305,46 @@ (void) buffer_get_int(&msg); buffer_get_bignum(&msg, rsa->rsa->e); buffer_get_bignum(&msg, rsa->rsa->n); + buffer_clear(&msg); + + return (rsa); +} + +int +hostjump(Key *hostkey) +{ + longjmp(kexjmp, (int)hostkey); +} + +Key * +keygrab_dsa(con *c) +{ + Key *key; + + packet_set_connection(c->c_fd, c->c_fd); + packet_set_ssh2_format(); + c->c_kex = kex_setup(myproposal); + c->c_kex->check_host_key = hostjump; + + if (!(key = (Key*)setjmp(kexjmp))) { + dispatch_run(DISPATCH_BLOCK, &c->c_kex->done, c->c_kex); + fprintf(stderr, "Impossible! dispatch_run() returned!\n"); + exit(1); + } + packet_close(); - fprintf(stdout, "%s ", output_name ? output_name : host); - key_write(rsa, stdout); + return (key); +} + +void +keyprint(con *c, Key *key) +{ + if (!key) + return; + + fprintf(stdout, "%s ", c->c_output_name ? c->c_output_name : c->c_name); + key_write(key, stdout); fputs("\n", stdout); } @@ -305,7 +357,7 @@ snprintf(strport, sizeof strport, "%d", SSH_DEFAULT_PORT); memset(&hints, 0, sizeof(hints)); - hints.ai_family = family; + hints.ai_family = IPv4or6; hints.ai_socktype = SOCK_STREAM; if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) fatal("getaddrinfo %s: %s", host, gai_strerror(gaierr)); @@ -330,7 +382,7 @@ } int -conalloc(char *iname, char *oname) +conalloc(char *iname, char *oname, int keytypes) { int s; char *namebase, *name, *namelist; 
@@ -359,6 +411,7 @@ fdcon[s].c_data = (char *) &fdcon[s].c_plen; fdcon[s].c_len = 4; fdcon[s].c_off = 0; + fdcon[s].c_keytypes = keytypes; gettimeofday(&fdcon[s].c_tv, NULL); fdcon[s].c_tv.tv_sec += timeout; TAILQ_INSERT_TAIL(&tq, &fdcon[s], c_link); @@ -393,16 +446,23 @@ } int -conrecycle(int s) +conrecycle(int s, int include_current_host) { int ret; con *c = &fdcon[s]; char *iname, *oname; + int keytypes = c->c_keytypes; - iname = xstrdup(c->c_namelist); + if (include_current_host) { + iname = xmalloc(strlen(c->c_name) + strlen(c->c_namelist) + 2); + strcpy(iname, c->c_name); + if (*c->c_namelist) + sprintf(iname + strlen(iname), ",%s", c->c_namelist); + } else + iname = xstrdup(c->c_namelist); oname = xstrdup(c->c_output_name); confree(s); - ret = conalloc(iname, oname); + ret = conalloc(iname, oname, keytypes); xfree(iname); xfree(oname); return (ret); @@ -423,7 +483,7 @@ if (n < 0) { if (errno != ECONNREFUSED) error("read (%s): %s", c->c_name, strerror(errno)); - conrecycle(s); + conrecycle(s, 0); return; } if (*cp != '\n' && *cp != '\r') { @@ -433,12 +493,20 @@ } *cp = '\0'; fprintf(stderr, "# %s %s\n", c->c_name, buf); - n = snprintf(buf, sizeof buf, "SSH-1.5-OpenSSH-keyscan\r\n"); + n = snprintf(buf, sizeof buf, "SSH-%d.%d-OpenSSH-keyscan\r\n", + c->c_keytypes & 1 ? PROTOCOL_MAJOR_1 : PROTOCOL_MAJOR_2, + c->c_keytypes & 1 ? PROTOCOL_MINOR_1 : PROTOCOL_MINOR_2); if (atomicio(write, s, buf, n) != n) { error("write (%s): %s", c->c_name, strerror(errno)); confree(s); return; } + if (!(c->c_keytypes & 1)) { + keyprint(c, keygrab_dsa(c)); + c->c_keytypes &= ~2; + confree(s); + return; + } c->c_status = CS_SIZE; contouch(s); } @@ -471,8 +539,13 @@ c->c_status = CS_KEYS; break; case CS_KEYS: - keyprint(c->c_name, c->c_output_name, c->c_data, c->c_plen); - confree(s); + keyprint(c, keygrab_rsa(c)); + c->c_keytypes &= ~1; + + if (c->c_keytypes) + conrecycle(s, 1); + else + confree(s); return; break; default: 
@@ -531,7 +604,7 @@ int s = c->c_fd; c = c->c_link.tqe_next; - conrecycle(s); + conrecycle(s, 0); } } @@ -539,49 +612,71 @@ nexthost(int argc, char **argv) { static Linebuf *lb; + char *fname; + int first_proto_option = 1; for (;;) { - if (!lb) { - if (argno >= argc) - return (NULL); - if (argv[argno][0] != '-') - return (argv[argno++]); - if (!strcmp(argv[argno], "--")) { + if (lb) { + char *line; + + line = Linebuf_getline(lb); + if (line) + return (line); + Linebuf_free(lb); + lb = NULL; + } + if (argno >= argc) + return (NULL); + if (argv[argno][0] != '-') + return (argv[argno++]); + while (*++(argv[argno])) { + switch (argv[argno][0]) { + case '-': if (++argno >= argc) return (NULL); return (argv[argno++]); - } else if (!strncmp(argv[argno], "-f", 2)) { - char *fname; - - if (argv[argno][2]) - fname = &argv[argno++][2]; + case 'f': + if (argv[argno][1]) + fname = &argv[argno][1]; else if (++argno >= argc) { error("missing filename for `-f'"); return (NULL); } else - fname = argv[argno++]; + fname = argv[argno]; if (!strcmp(fname, "-")) fname = NULL; lb = Linebuf_alloc(fname, error); - } else + goto double_break; + case '1': + case '2': + if (first_proto_option) { + get_keytypes = 0; + first_proto_option = 0; + } + get_keytypes |= argv[argno][0] - '0'; + break; + case '4': + IPv4or6 = AF_INET; + break; + case '6': + IPv4or6 = AF_INET6; + break; + default: error("ignoring invalid/misplaced option `%s'", - argv[argno++]); - } else { - char *line; - - line = Linebuf_getline(lb); - if (line) - return (line); - Linebuf_free(lb); - lb = NULL; + argv[argno]); + goto double_break; + } } +double_break: + argno++; } } void usage(void) { - fatal("usage: %s [-t timeout] { [--] host | -f file } ...", __progname); + fatal("usage: %s [-t timeout] { [-1|-2|-4|-6] [--] host | -f file } ...", + __progname); return; } 
@@ -623,6 +718,8 @@ fdcon = xmalloc(maxfd * sizeof(con)); memset(fdcon, 0, maxfd * sizeof(con)); + seed_rng(); + read_wait_size = howmany(maxfd, NFDBITS) * sizeof(fd_mask); read_wait = xmalloc(read_wait_size); memset(read_wait, 0, read_wait_size); @@ -635,7 +732,7 @@ if (host == NULL) break; name = strnnsep(&host, " \t\n"); - conalloc(name, *host ? host : name); + conalloc(name, *host ? host : name, get_keytypes); } conloop(); } while (host); ---8<------8<------8<------8<---cut here--->8------>8------>8------>8--- From bowman at math.ualberta.ca Fri May 18 14:03:43 2001 
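Review bot: hostjump() in the `@@ -289,10 +305,46 @@` hunk passes the host key out of the key exchange as `longjmp(kexjmp, (int)hostkey)`, which truncates the pointer on any platform where `int` is narrower than a pointer, and, because longjmp() with a value of 0 makes setjmp() return 1, a NULL key would come back as `(Key*)1` and be handed to keyprint(); hostjump() is also declared `int` but never returns a value. Suggest a file-scope `static Key *grabbed_key` (name ours) assigned inside hostjump() followed by `longjmp(kexjmp, 1)`, with keygrab_dsa() reading it after setjmp(). Nothing in the patch frees the `Kex` that kex_setup() stores in `c->c_kex`, so each ssh2 probe leaks it as well.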
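Review bot: the ssh2 branch added to the greeting handler in the `@@ -433,12 +493,20 @@` hunk calls keygrab_dsa(), which runs the entire key exchange synchronously through `dispatch_run(DISPATCH_BLOCK, ...)` on the packet layer's single global connection, from inside the select-driven read path. While one such probe is in flight no other descriptor is serviced, the `c_tv` deadlines of every other pending connection keep elapsing (so slow hosts get reported as timeouts), and any fatal() inside the kex ends the whole scan, which the covering message acknowledges. Suggest stating this in the usage text now and, as the follow-up work the message asks for, running each ssh2 probe in a forked child so the non-blocking loop keeps its timeout guarantees.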
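Review bot: conrecycle() in the `@@ -393,16 +446,23 @@` hunk builds the new name list with strcpy() and sprintf(). The xmalloc() size (`strlen(c->c_name) + strlen(c->c_namelist) + 2`) is right, but the rest of this file and OpenSSH generally use snprintf()/strlcpy() with an explicit buffer length; a single `snprintf(iname, len, "%s%s%s", c->c_name, *c->c_namelist ? "," : "", c->c_namelist)` keeps the length computation and the copy in one place and matches the house style.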
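Review bot: in the rewritten nexthost() (`@@ -539,49 +612,71 @@`) a lone `-` argument is skipped silently, because `*++(argv[argno])` is `\0`, the option loop never runs and control falls through to `double_break`, whereas the old code reported an invalid/misplaced option; checking `argv[argno][1] == '\0'` before the loop would restore the error. The usage string should also spell out that `-4`/`-6` stay in effect for every following host, while the first `-1`/`-2` seen before a host replaces the previous key-type selection and further ones before the same host add to it (`first_proto_option` is local to each nexthost() call, which is what the `-1 -2 baz stillboth -1 rsa` example in the message relies on).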
From: bowman at math.ualberta.ca (John Bowman) Date: 18 May 2001 04:03:43 -0000 Subject: PATCH: implement delay (sleep) after last tunnelled connection exits Message-ID: <20010518040343.4257.qmail@wizard.math.ualberta.ca> Here is a patch to implement a handy new feature proposed by John Hardin . This is his description of the feature: New option for OpenSSH: Delay before exit. Command line option: -S delay Config file option: sleep {delay} Purpose: Wait the specified number of seconds after last traffic before dropping the connection and exiting. If ports are forwarded, this causes the ssh client to allow another forwarded connection to begin after the current one closes. This permits multiple sequential port-forwarded connections without using a long-running remote sleep command. For example, for fetchmail polling of several accounts on a remote POP server over an SSH tunnel, you might say: ssh -L 11000:popserver:110 -S 30 host exit or ssh -N -L 11000:popserver:110 -S 30 host The ssh client would exit after thirty seconds of inactivity, rather than exiting immediately when the first forwarded connection closes. This would allow multiple sequential POP sessions to be carried over the same tunnel without specifying a long-running remote sleep command. Why not just use a long-running remote sleep command? In the above example, you may wish the ssh session to terminate promptly if no new mail is spooled: maybe this is running over a demand-dialled ISP connection. The -S option also removes the need to run a sleep command on the remote host in the first place. A delay value of zero means wait forever. -- John Bowman University of Alberta http://www.math.ualberta.ca/~bowman diff -ur openssh-2.9p1/clientloop.c openssh-2.9p1S/clientloop.c --- openssh-2.9p1/clientloop.c Fri Apr 20 06:50:51 2001 +++ openssh-2.9p1S/clientloop.c Thu May 17 21:41:44 2001 
@@ -121,8 +121,8 @@ static int connection_in; /* Connection to server (input). */ static int connection_out; /* Connection to server (output). */ static int need_rekeying; /* Set to non-zero if rekeying is requested. */ -static int session_closed = 0; /* In SSH2: login session closed. */ - +enum SessionStatus {SessionOpen, SessionClose, SessionWait}; +static int session_status = SessionOpen; /* In SSH2: login session closed. */ void client_init_dispatch(void); int session_ident = -1; @@ -324,6 +324,10 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, int rekeying) { + struct timeval timer; + struct timeval *timerp; + int rc; + /* Add any selections by the channel mechanism. */ channel_prepare_select(readsetp, writesetp, maxfdp, rekeying); @@ -346,7 +350,15 @@ if (buffer_len(&stderr_buffer) > 0) FD_SET(fileno(stderr), *writesetp); } else { - FD_SET(connection_in, *readsetp); + /* channel_prepare_select could have closed the last channel */ + if ((session_status == SessionClose) + && !channel_still_open()) { + if (!packet_have_data_to_write()) { + return; + } + } else { + FD_SET(connection_in, *readsetp); + } } /* Select server connection if have data to write to the server. */ @@ -362,7 +374,16 @@ * SSH_MSG_IGNORE packet when the timeout expires. */ - if (select((*maxfdp)+1, *readsetp, *writesetp, NULL, NULL) < 0) { + if(session_status == SessionWait && options.sleep > 0) { + timer.tv_sec=options.sleep; + timer.tv_usec=0; + timerp=&timer; + } else { + timerp=NULL; + } + + rc=select((*maxfdp)+1, *readsetp, *writesetp, NULL, timerp); + if (rc < 0) { char buf[100]; /* @@ -379,7 +400,8 @@ snprintf(buf, sizeof buf, "select: %s\r\n", strerror(errno)); buffer_append(&stderr_buffer, buf, strlen(buf)); quit_pending = 1; - } + } else if (rc == 0 && session_status == SessionWait) + session_status=SessionClose; } void 
@@ -751,7 +773,7 @@ if (id != session_ident) error("client_channel_closed: id %d != session_ident %d", id, session_ident); - session_closed = 1; + session_status = (options.sleep >= 0) ? SessionWait : SessionClose; if (in_raw_mode()) leave_raw_mode(); } @@ -776,6 +798,7 @@ start_time = get_current_time(); /* Initialize variables. */ + if(!have_pty) session_status=SessionWait; escape_pending = 0; last_was_cr = 1; exit_status = -1; @@ -840,7 +863,8 @@ /* Process buffered packets sent by the server. */ client_process_buffered_input_packets(); - if (compat20 && session_closed && !channel_still_open()) + if (compat20 && (session_status == SessionClose) + && !channel_still_open()) break; rekeying = (xxx_kex != NULL && !xxx_kex->done); diff -ur openssh-2.9p1/readconf.c openssh-2.9p1S/readconf.c --- openssh-2.9p1/readconf.c Tue Apr 17 12:11:37 2001 +++ openssh-2.9p1S/readconf.c Thu May 17 19:23:52 2001 @@ -111,7 +111,7 @@ oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, - oHostKeyAlgorithms + oHostKeyAlgorithms, oSleep } OpCodes; /* Textual representations of the tokens. */ @@ -177,6 +177,7 @@ { "dynamicforward", oDynamicForward }, { "preferredauthentications", oPreferredAuthentications }, { "hostkeyalgorithms", oHostKeyAlgorithms }, + { "sleep", oSleep }, { NULL, 0 } }; @@ -494,6 +495,10 @@ intptr = &options->connection_attempts; goto parse_int; + case oSleep: + intptr = &options->sleep; + goto parse_int; + case oCipher: intptr = &options->cipher; arg = strdelim(&s); @@ -761,6 +766,7 @@ options->num_remote_forwards = 0; options->log_level = (LogLevel) - 1; options->preferred_authentications = NULL; + options->sleep = -1; } /* diff -ur openssh-2.9p1/readconf.h openssh-2.9p1S/readconf.h --- openssh-2.9p1/readconf.h Tue Apr 17 12:11:37 2001 +++ openssh-2.9p1S/readconf.h Thu May 17 19:23:25 2001 
@@ -97,6 +97,7 @@ /* Remote TCP/IP forward requests. */ int num_remote_forwards; Forward remote_forwards[SSH_MAX_FORWARDS_PER_DIRECTION]; + int sleep; /* Exit delay in seconds */ } Options; diff -ur openssh-2.9p1/ssh.c openssh-2.9p1S/ssh.c --- openssh-2.9p1/ssh.c Tue Apr 17 12:14:35 2001 +++ openssh-2.9p1S/ssh.c Thu May 17 21:13:54 2001 @@ -182,6 +182,7 @@ fprintf(stderr, " -R listen-port:host:port Forward remote port to local address\n"); fprintf(stderr, " These cause %s to listen for connections on a port, and\n", __progname); fprintf(stderr, " forward them to the other side by connecting to host:port.\n"); + fprintf(stderr, " -S delay Set exit delay (in seconds; 0 means wait forever).\n"); fprintf(stderr, " -C Enable compression.\n"); fprintf(stderr, " -N Do not execute a shell or command.\n"); fprintf(stderr, " -g Allow remote hosts to connect to forwarded ports.\n"); @@ -318,7 +319,7 @@ opt = av[optind][1]; if (!opt) usage(); - if (strchr("eilcmpLRDo", opt)) { /* options with arguments */ + if (strchr("eilcmpLRSDo", opt)) { /* options with arguments */ optarg = av[optind] + 2; if (strcmp(optarg, "") == 0) { if (optind >= ac - 1) @@ -488,7 +489,13 @@ } add_local_forward(&options, fwd_port, buf, fwd_host_port); break; - + case 'S': + options.sleep = atoi(optarg); + if (options.sleep < 0) { + fprintf(stderr, "Bad delay value '%s'\n", optarg); + exit(1); + } + break; case 'D': fwd_port = a2port(optarg); if (fwd_port == 0) { From bowman at math.ualberta.ca Fri May 18 14:52:38 2001 
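Review bot: the new `case 'S'` in the ssh.c `@@ -488,7 +489,13 @@` hunk parses the delay with atoi(), so `-S abc` yields 0, which this patch defines as "wait forever", and `-S 30x` silently becomes 30; the `< 0` check catches neither. Suggest strtol() with an end-pointer check (`*endp != '\0'` is an error) so only an all-digit value is accepted. The patch also adds the `-S` line to usage() but contains no ssh.1 or ssh_config.5 hunk for `-S` and the `sleep` keyword, and the meaning of 0 (wait forever) versus the -1 default (exit when the session closes) needs to be documented somewhere other than the source.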
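Review bot: in the clientloop.c `@@ -362,7 +374,16 @@` hunk `timer` is reloaded with the full `options.sleep` on every call, so the countdown restarts at each select() wakeup whatever caused it: forwarded-connection traffic, but also the SSH_MSG_IGNORE keepalive the comment just above the hunk refers to. That matches the "after last traffic" wording in the description, but it means the delay is not measured from the close of the last forwarded connection; if that is the intended semantics, say so in the option's documentation, otherwise record the time of the last channel close and compute the remaining timeout from it. A comment on the `timerp = NULL` branch noting that it is what makes `-S 0` wait forever would help the next reader.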
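Review bot: `if(!have_pty) session_status=SessionWait;` in the clientloop.c `@@ -776,6 +798,7 @@` hunk keys the idle timer on the absence of a pty rather than on the -N case the description targets, so with `-S delay` any non-interactive `ssh host command` whose output pauses for longer than `delay` is moved to SessionClose by the `rc == 0` branch while its session channel is still open. Nothing exits, because the loop's exit test also requires `!channel_still_open()`, and client_channel_closed() later sets SessionWait again, but the status then no longer means what the enum names say. Suggest restricting the initial SessionWait to the -N case (no session channel, so client_channel_closed() never fires and nothing else can start the timer) and adding a comment explaining why it is needed there.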
From: bowman at math.ualberta.ca (John Bowman) Date: 18 May 2001 04:52:38 -0000 Subject: SSH connection hanging on logout In-Reply-To: <20010517234144.B9231@folly> (message from Markus Friedl on Thu, 17 May 2001 23:41:44 +0200) References: <20010516081803.2877.qmail@wizard.math.ualberta.ca> <20010516223627.B25592@folly> <20010517014450.25437.qmail@wizard.math.ualberta.ca> <20010517234144.B9231@folly> Message-ID: <20010518045238.9176.qmail@wizard.math.ualberta.ca> > continue; > if (ftab[c->type] == NULL) > continue; > + if(c->istate == CHAN_INPUT_OPEN && c->rfd == -1) { > + int type=c->type; > + c->type=SSH_CHANNEL_CLOSED; > + if(channel_find_open() == -1) > + shutdown(packet_get_connection_out(), > + SHUT_RDWR); ^^^^^^^^ this cannot be correct. you may _not_ shutdown the TCP connection. this breaks ssh -N -L 1234:hostb:5678 hosta > + c->type=type; > + continue; > + } Ah yes, now I see what you mean... The OpenSSH -N extension to SSH is supposed to hold the connection open indefinitely (BTW, the man page doesn't make this explicit). That certainly seems useful. Thanks, for pointing this out, Markus; I didn't understand at first what you meant by "break". Making use of the sleep (-S) option from the patch submitted earlier today, this feature turned out to be easy to add to the hang-on-exit patch for Linux. All I had to do was add the line if(no_tty_flag && options.sleep < 0) options.sleep=0; after the options are read in in ssh.c. Here is the complete patch to 2.9p1 to fix all known hanging problems and restore the desired behaviour with -N, without data loss, on Linux systems. This includes my sleep patch and Markus' X-hang patch: -- John Bowman University of Alberta http://www.math.ualberta.ca/~bowman diff -ur openssh-2.9p1/channels.c openssh-2.9p1J/channels.c --- openssh-2.9p1/channels.c Tue Apr 17 12:14:35 2001 +++ openssh-2.9p1J/channels.c Thu May 17 22:21:05 2001 
@@ -1137,6 +1137,15 @@ continue; if (ftab[c->type] == NULL) continue; + if(c->istate == CHAN_INPUT_OPEN && c->rfd == -1) { + int type=c->type; + c->type=SSH_CHANNEL_CLOSED; + if(channel_find_open() == -1) + shutdown(packet_get_connection_out(), + SHUT_RDWR); + c->type=type; + continue; + } (*ftab[c->type])(c, readset, writeset); if (chan_is_dead(c)) { /* diff -ur openssh-2.9p1/clientloop.c openssh-2.9p1J/clientloop.c --- openssh-2.9p1/clientloop.c Fri Apr 20 06:50:51 2001 +++ openssh-2.9p1J/clientloop.c Thu May 17 22:25:45 2001 @@ -121,8 +121,8 @@ static int connection_in; /* Connection to server (input). */ static int connection_out; /* Connection to server (output). */ static int need_rekeying; /* Set to non-zero if rekeying is requested. */ -static int session_closed = 0; /* In SSH2: login session closed. */ - +enum SessionStatus {SessionOpen, SessionClose, SessionWait}; +static int session_status = SessionOpen; /* In SSH2: login session closed. */ void client_init_dispatch(void); int session_ident = -1; @@ -324,6 +324,10 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, int rekeying) { + struct timeval timer; + struct timeval *timerp; + int rc; + /* Add any selections by the channel mechanism. */ channel_prepare_select(readsetp, writesetp, maxfdp, rekeying); @@ -346,7 +350,14 @@ if (buffer_len(&stderr_buffer) > 0) FD_SET(fileno(stderr), *writesetp); } else { - FD_SET(connection_in, *readsetp); + /* channel_prepare_select could have closed the last channel */ + if ((session_status == SessionClose) + && !channel_still_open()) { + if (!packet_have_data_to_write()) + return; + } else { + FD_SET(connection_in, *readsetp); + } } /* Select server connection if have data to write to the server. */ 
@@ -362,7 +374,16 @@ * SSH_MSG_IGNORE packet when the timeout expires. */ - if (select((*maxfdp)+1, *readsetp, *writesetp, NULL, NULL) < 0) { + if(session_status == SessionWait && options.sleep > 0) { + timer.tv_sec=options.sleep; + timer.tv_usec=0; + timerp=&timer; + } else { + timerp=NULL; + } + + rc=select((*maxfdp)+1, *readsetp, *writesetp, NULL, timerp); + if (rc < 0) { char buf[100]; /* @@ -379,7 +400,8 @@ snprintf(buf, sizeof buf, "select: %s\r\n", strerror(errno)); buffer_append(&stderr_buffer, buf, strlen(buf)); quit_pending = 1; - } + } else if (rc == 0 && session_status == SessionWait) + session_status=SessionClose; } void @@ -440,9 +462,13 @@ len = read(connection_in, buf, sizeof(buf)); if (len == 0) { /* Received EOF. The remote host has closed the connection. */ - snprintf(buf, sizeof buf, "Connection to %.300s closed by remote host.\r\n", - host); - buffer_append(&stderr_buffer, buf, strlen(buf)); +/* + * This message duplicates the one already in client_loop(). + * + * snprintf(buf, sizeof buf, "Connection to %.300s closed by remote host.\r\n", + * host); + * buffer_append(&stderr_buffer, buf, strlen(buf)); + */ quit_pending = 1; return; } @@ -751,7 +777,7 @@ if (id != session_ident) error("client_channel_closed: id %d != session_ident %d", id, session_ident); - session_closed = 1; + session_status = (options.sleep >= 0) ? SessionWait : SessionClose; if (in_raw_mode()) leave_raw_mode(); } @@ -776,6 +802,7 @@ start_time = get_current_time(); /* Initialize variables. */ + if(!have_pty) session_status=SessionWait; escape_pending = 0; last_was_cr = 1; exit_status = -1; 
@@ -840,7 +867,8 @@ /* Process buffered packets sent by the server. */ client_process_buffered_input_packets(); - if (compat20 && session_closed && !channel_still_open()) + if (compat20 && (session_status == SessionClose) + && !channel_still_open()) break; rekeying = (xxx_kex != NULL && !xxx_kex->done); Only in openssh-2.9p1J: clientloop.c.orig diff -ur openssh-2.9p1/nchan.c openssh-2.9p1J/nchan.c --- openssh-2.9p1/nchan.c Tue Apr 3 07:02:48 2001 +++ openssh-2.9p1J/nchan.c Thu May 17 22:21:05 2001 @@ -56,7 +56,7 @@ /* helper */ static void chan_shutdown_write(Channel *c); -static void chan_shutdown_read(Channel *c); +void chan_shutdown_read(Channel *c); /* * SSH1 specific implementation of event functions @@ -479,7 +479,7 @@ c->wfd = -1; } } -static void +void chan_shutdown_read(Channel *c) { if (compat20 && c->type == SSH_CHANNEL_LARVAL) diff -ur openssh-2.9p1/nchan.h openssh-2.9p1J/nchan.h --- openssh-2.9p1/nchan.h Sun Mar 4 23:16:12 2001 +++ openssh-2.9p1J/nchan.h Thu May 17 22:21:05 2001 @@ -88,4 +88,5 @@ void chan_init_iostates(Channel * c); void chan_init(void); +void chan_shutdown_read(Channel *c); #endif diff -ur openssh-2.9p1/readconf.c openssh-2.9p1J/readconf.c --- openssh-2.9p1/readconf.c Tue Apr 17 12:11:37 2001 +++ openssh-2.9p1J/readconf.c Thu May 17 22:21:05 2001 @@ -111,7 +111,7 @@ oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, - oHostKeyAlgorithms + oHostKeyAlgorithms, oSleep } OpCodes; /* Textual representations of the tokens. */ @@ -177,6 +177,7 @@ { "dynamicforward", oDynamicForward }, { "preferredauthentications", oPreferredAuthentications }, { "hostkeyalgorithms", oHostKeyAlgorithms }, + { "sleep", oSleep }, { NULL, 0 } }; 
@@ -494,6 +495,10 @@ intptr = &options->connection_attempts; goto parse_int; + case oSleep: + intptr = &options->sleep; + goto parse_int; + case oCipher: intptr = &options->cipher; arg = strdelim(&s); @@ -761,6 +766,7 @@ options->num_remote_forwards = 0; options->log_level = (LogLevel) - 1; options->preferred_authentications = NULL; + options->sleep = -1; } /* diff -ur openssh-2.9p1/readconf.h openssh-2.9p1J/readconf.h --- openssh-2.9p1/readconf.h Tue Apr 17 12:11:37 2001 +++ openssh-2.9p1J/readconf.h Thu May 17 22:21:05 2001 @@ -97,6 +97,7 @@ /* Remote TCP/IP forward requests. */ int num_remote_forwards; Forward remote_forwards[SSH_MAX_FORWARDS_PER_DIRECTION]; + int sleep; /* Exit delay in seconds */ } Options; diff -ur openssh-2.9p1/session.c openssh-2.9p1J/session.c --- openssh-2.9p1/session.c Wed Apr 18 09:29:34 2001 +++ openssh-2.9p1J/session.c Thu May 17 22:21:05 2001 @@ -1960,6 +1960,9 @@ */ if (c->ostate != CHAN_OUTPUT_CLOSED) chan_write_failed(c); + if (c->istate == CHAN_INPUT_OPEN && compat20) { + chan_shutdown_read(c); + } s->chanid = -1; } diff -ur openssh-2.9p1/ssh.c openssh-2.9p1J/ssh.c --- openssh-2.9p1/ssh.c Tue Apr 17 12:14:35 2001 +++ openssh-2.9p1J/ssh.c Thu May 17 22:21:05 2001 @@ -182,6 +182,7 @@ fprintf(stderr, " -R listen-port:host:port Forward remote port to local address\n"); fprintf(stderr, " These cause %s to listen for connections on a port, and\n", __progname); fprintf(stderr, " forward them to the other side by connecting to host:port.\n"); + fprintf(stderr, " -S delay Set exit delay (in seconds; 0 means wait forever).\n"); fprintf(stderr, " -C Enable compression.\n"); fprintf(stderr, " -N Do not execute a shell or command.\n"); fprintf(stderr, " -g Allow remote hosts to connect to forwarded ports.\n"); 
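Review bot: the channels.c hunk still contains the `shutdown(packet_get_connection_out(), SHUT_RDWR)` call that the quoted reply at the top of this message rejected ("you may _not_ shutdown the TCP connection"); the `options.sleep=0` line added to ssh.c only changes the client, while channels.c is shared with sshd, so a server whose last remaining channel has `istate == CHAN_INPUT_OPEN` and `rfd == -1` will still tear down the whole connection under an `ssh -N -L` client. Two further problems in the same lines: the `continue` skips `(*ftab[c->type])(c, readset, writeset)` for that channel on every pass, so it can never move through the normal "input open -> drain -> closed / send eof" sequence the sshd traces later in this thread show, and temporarily rewriting `c->type` to SSH_CHANNEL_CLOSED just to make channel_find_open() ignore the channel is fragile. Drop the shutdown and let the existing read-failure path close the channel with EOF/CLOSE messages instead.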
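Review bot: in the first clientloop.c hunk the comment on `session_status` still reads "In SSH2: login session closed", which described the old boolean `session_closed` but not the three-state variable replacing it; reword it to say what SessionWait (session closed, exit delay running) and SessionClose (client may exit) mean, and declare the variable as `enum SessionStatus` rather than `int` so the assignments in client_channel_closed() and client_loop() are type-checked.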
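Review bot: the early `return` in the `@@ -346,7 +350,14 @@` hunk hands `*readsetp` and `*writesetp` back to the caller still holding whatever bits channel_prepare_select() set, even though select() was never called, so those descriptors will be treated as ready for one more pass; clear both sets before returning (or make the caller aware that no select took place).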
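Review bot: the timeout added in the `@@ -362,7 +374,16 @@` hunk is re-armed from `options.sleep` on every call, so it measures idle time since the last select() wake-up rather than time since the session closed: any traffic on a forwarded port, or any packet from the server, resets it and `rc == 0` may never happen. If "-S delay" means "exit n seconds after the session closes", record the close time in client_channel_closed() and pass only the remaining interval; if it is meant as an idle timeout, the usage text should say so.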
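Review bot: the `@@ -440,9 +462,13 @@` hunk comments out the "Connection to %.300s closed by remote host." lines inside a `/* ... */` block instead of deleting them; commented-out code should not be committed, and the explanation that client_loop() already prints this message belongs in the commit message.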
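Review bot: the `@@ -776,6 +802,7 @@` hunk pre-sets SessionWait for every non-pty session before the session has closed, which arms the exit timer from the start: with `-S 5`, a command that is quiet for five seconds flips the state to SessionClose while the channel is still open, and only client_channel_closed() pushes it back to SessionWait. If the line exists for the -N case (no session channel, so client_channel_closed() never runs), test for that case directly and say so in a comment; the line also needs the usual spacing (`if (!have_pty)`).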
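Review bot: in the readconf.c hunks the new `sleep` keyword jumps straight to `parse_int` with no range check, whereas the matching `case 'S'` in ssh.c rejects `options.sleep < 0` with "Bad delay value"; a negative value in ssh_config therefore silently restores the old no-delay behaviour. Validate it the same way, add an ssh_config(5) entry (the patch documents neither the keyword nor the flag), and consider a more descriptive keyword than "sleep" (readconf.h itself calls the field an "Exit delay"), which also avoids confusion with sleep(3).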
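Review bot: the session.c hunk calls chan_shutdown_read(c) as soon as the child has exited, which is exactly the situation the quoted sshd trace later in this thread warns about ("more reads from the shell" after SIGCHLD; "if you shutdown at the SIGCHLD, you can no longer read at this point"): closing the read side on SIGCHLD discards any output the child left in the pipe or pty buffer. Leave rfd open and let the existing read loop drain it until read() returns 0, which already moves the channel through "input open -> drain -> closed" and sends EOF.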
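Review bot: in the ssh.c `case 'S'` hunk that follows, `atoi(optarg)` maps any non-numeric argument (`-S abc`) to 0, which the new usage line defines as "wait forever", so a typo silently yields a client that never exits; parse with strtol() and reject trailing characters, the way `-D` goes through a2port() and rejects 0. The flag also needs an ssh(1) man page entry, not only the usage() line.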
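Review bot: the last ssh.c hunk keys the "wait forever" default on `no_tty_flag`, but that flag means "no pty", not "no command": a no-pty invocation that still runs a command (`ssh -T host cmd`) gets `options.sleep = 0`, client_channel_closed() then moves it to SessionWait, and because the select timer is only armed for `sleep > 0` the client never exits. Test the flag that -N sets for the no-command case instead, and spell out whether an explicit -S should override -N.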
@@ -318,7 +319,7 @@ opt = av[optind][1]; if (!opt) usage(); - if (strchr("eilcmpLRDo", opt)) { /* options with arguments */ + if (strchr("eilcmpLRSDo", opt)) { /* options with arguments */ optarg = av[optind] + 2; if (strcmp(optarg, "") == 0) { if (optind >= ac - 1) @@ -488,7 +489,13 @@ } add_local_forward(&options, fwd_port, buf, fwd_host_port); break; - + case 'S': + options.sleep = atoi(optarg); + if (options.sleep < 0) { + fprintf(stderr, "Bad delay value '%s'\n", optarg); + exit(1); + } + break; case 'D': fwd_port = a2port(optarg); if (fwd_port == 0) { @@ -526,6 +533,8 @@ if (!host) usage(); + if(no_tty_flag && options.sleep < 0) options.sleep=0; + SSLeay_add_all_algorithms(); ERR_load_crypto_strings(); From bowman at math.ualberta.ca Fri May 18 15:18:22 2001 From: bowman at math.ualberta.ca (John Bowman) Date: 18 May 2001 05:18:22 -0000 Subject: SSH connection hanging on logout In-Reply-To: <20010517233823.A9231@folly> (message from Markus Friedl on Thu, 17 May 2001 23:38:23 +0200) References: <20010513184453.11194.qmail@wizard.math.ualberta.ca> <20010517000612.B14493@folly> <20010516221457.17527.qmail@wizard.math.ualberta.ca> <20010517162757.A7133@faui02.informatik.uni-erlangen.de> <20010517153518.9597.qmail@wizard.math.ualberta.ca> <20010517233823.A9231@folly> Message-ID: <20010518051822.9525.qmail@wizard.math.ualberta.ca> > Date: Thu, 17 May 2001 23:38:23 +0200 
> From: Markus Friedl > Cc: openssh-unix-dev at mindrot.org > Content-Type: text/plain; charset=us-ascii > Content-Disposition: inline > User-Agent: Mutt/1.2.5i > > On Thu, May 17, 2001 at 03:35:18PM -0000, John Bowman wrote: > > > you should see something like this on the sshd side: > > > > > > debug3: channel 0: channel data: 16384 > > > debug3: channel 0: read rfd 10 len 16384 > > > debug3: channel 0: channel data: 15907 > > > debug2: channel 0: rcvd adjust 16861 > > > debug3: channel 0: channel data: 477 > > > debug3: channel 0: read rfd 10 len 16384 > > > debug3: channel 0: channel data: 16384 > > > debug2: channel 0: rcvd adjust 65536 > > > debug3: channel 0: read rfd 10 len 16384 > > > debug3: channel 0: channel data: 16384 > > > debug3: channel 0: read rfd 10 len 16384 > > > debug3: channel 0: channel data: 16384 > > > debug1: Received SIGCHLD. > > > ^^ shell dies > > > debug1: session_by_pid: pid 29873 > > > debug1: session_exit_message: session 0 channel 0 pid 29873 > > > debug1: session_exit_message: release channel 0 > > > debug1: channel 0: write failed > > > debug1: channel 0: output open -> closed > > > debug1: channel 0: close_write > > > debug1: session_free: session 0 pid 29873 > > > debug3: channel 0: read rfd 10 len 16384 > > > ^^ more reads from the shell. > > > > > > if you shutdown at the SIGCHLD, you can no longer read > > > at this point! > > > > > > debug2: channel 0: read 84 from efd 12 > > > debug3: channel 0: channel data: 16384 > > > debug2: channel 0: rwin 16384 elen 84 euse 1 > > > debug2: channel 0: sent ext data 84 > > > debug1: channel 0: read<=0 rfd 10 len 0 > > > debug1: channel 0: read failed > > > debug1: channel 0: input open -> drain > > > debug1: channel 0: close_read > > > debug1: channel 0: input: no drain shortcut > > > debug1: channel 0: ibuf empty > > > debug1: channel 0: input drain -> closed > > > debug1: channel 0: send eof > > > > > > > Here is what I get with the latest patch and your debug patch > > installed. 
There is a SIGCHLD, but only after the very beginning: > > > > ssh -v -v -v localhost dd if=/bin/bash bs=65536 count=2 | ( sleep 10 ; md5sum ) > > i need the server side LOG message! > Sorry, I realized after sending it that I forgot to include the server side output and I didn't get a chance to get back to it until now. Here is the debugging output, with my latest patch (which fixes the -N problem you pointed out today) and your debug patch applied to 2.9p1: ssh -v -v -v localhost dd if=/bin/bash bs=65536 count=2 | ( sleep 10 ; md5sum ) SSH: debug2: channel 0: written 477 to efd 6 debug2: channel 0: rcvd ext data 27 debug1: Received SIGCHLD. debug2: channel 0: written 27 to efd 6 debug2: channel 0: window 32264 sent adjust 4600 (obuf 28672) debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 debug2: channel 0: window 0 sent adjust 4096 (obuf 61440) debug2: channel 0: window 4096 sent adjust 4096 (obuf 57344) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 12288 sent adjust 4096 (obuf 49152) debug2: channel 0: window 16384 sent adjust 4096 (obuf 45056) debug2: channel 0: window 20480 sent adjust 4096 (obuf 40960) debug2: channel 0: window 24576 sent adjust 4096 (obuf 36864) debug2: channel 0: window 28672 sent adjust 4096 (obuf 32768) debug2: channel 0: window 20480 sent adjust 36864 (obuf 8192) debug2: channel 0: rcvd ext data 31 2+0 records in 2+0 records out debug2: channel 0: written 31 to efd 6 debug2: channel 0: window 24545 sent adjust 28703 (obuf 12288) debug1: channel 0: rcvd eof debug1: channel 0: output open -> drain debug1: channel 0: rcvd close debug1: channel 0: input open -> closed debug1: channel 0: close_read debug2: channel 0: no data after CLOSE debug2: channel 0: no data after CLOSE debug2: channel 0: no data after CLOSE debug2: channel 0: no data after CLOSE debug2: channel 0: no data after CLOSE debug1: channel 0: obuf empty debug1: channel 0: output drain -> closed debug1: channel 0: 
close_write debug1: channel 0: send close debug1: channel 0: is dead debug1: channel_free: channel 0: status: The following connections are open: #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1) debug1: channel_free: channel 0: dettaching channel user debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 7.3 seconds debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0 debug1: Exit status 0 86d34e869a31df51922ad2bb9bd202bc - dd if=/bin/bash bs=65536 count=2 | ( sleep 10 ; md5sum ) 2+0 records in 2+0 records out 86d34e869a31df51922ad2bb9bd202bc - SSHD: debug1: Entering interactive session for SSH2. debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 32768 debug1: input_session_request debug1: channel 0: new [server-session] debug1: session_new: init debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 channel 0 request x11-req reply 0 debug1: Received request for X11 forwarding with auth spoofing. debug1: x11_create_display_inet: Socket family 10 not supported debug1: fd 3 setting O_NONBLOCK debug1: fd 3 IS O_NONBLOCK debug1: channel 1: new [X11 inet listener] debug1: temporarily_use_uid: 9062/2501 (e=0) debug1: restore_uid debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 channel 0 request exec reply 0 debug1: fd 8 setting O_NONBLOCK debug1: fd 8 IS O_NONBLOCK debug1: fd 10 setting O_NONBLOCK debug1: Received SIGCHLD. 
debug1: session_by_pid: pid 9448 debug1: session_exit_message: session 0 channel 0 pid 9448 debug1: session_exit_message: release channel 0 debug1: channel 0: write failed debug1: channel 0: output open -> closed debug1: channel 0: close_write debug1: channel 0: close_read debug1: session_free: session 0 pid 9448 debug1: channel 0: read<=0 rfd 8 len 0 debug1: channel 0: read failed debug1: channel 0: input open -> drain debug1: channel 0: close_read debug1: channel 0: input: no drain shortcut debug1: channel 0: ibuf empty debug1: channel 0: input drain -> closed debug1: channel 0: send eof debug1: channel 0: send close debug1: channel 0: rcvd close debug1: channel 0: is dead debug1: channel_free: channel 0: status: The following connections are open: #0 server-session (t4 r0 i8/0 o128/0 fd 8/8) Connection closed by remote host. debug1: channel_free: channel 1: status: The following connections are open: debug1: xauthfile_cleanup_proc called Closing connection to 127.0.0.1 ============================================================================== ssh -v -v -v localhost dd if=/bin/bash bs=65536 count=10 | ( sleep 5 ; md5sum ) SSH: debug2: channel 0: written 477 to efd 6 debug2: channel 0: rcvd ext data 27 debug1: Received SIGCHLD. 
debug2: channel 0: written 27 to efd 6 debug2: channel 0: window 32264 sent adjust 4600 (obuf 28672) debug2: channel 0: window 0 sent adjust 4096 (obuf 61440) debug2: channel 0: window 4096 sent adjust 4096 (obuf 57344) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 12288 sent adjust 4096 (obuf 49152) debug2: channel 0: window 16384 sent adjust 4096 (obuf 45056) debug2: channel 0: window 20480 sent adjust 4096 (obuf 40960) debug2: channel 0: window 24576 sent adjust 4096 (obuf 36864) debug2: channel 0: window 28672 sent adjust 4096 (obuf 32768) debug2: channel 0: window 20480 sent adjust 36864 (obuf 8192) debug2: channel 0: window 24576 sent adjust 20480 (obuf 20480) debug2: channel 0: window 28672 sent adjust 8192 (obuf 28672) debug2: channel 0: window 20480 sent adjust 32768 (obuf 12288) debug2: channel 0: window 20480 sent adjust 32768 (obuf 12288) debug2: channel 0: window 20480 sent adjust 32768 (obuf 12288) debug2: channel 0: window 20480 sent adjust 32768 (obuf 12288) debug2: channel 0: window 20480 sent adjust 32768 (obuf 12288) debug2: channel 0: window 21136 sent adjust 32768 (obuf 11632) debug2: channel 0: rcvd ext data 15 4+1 records in debug2: channel 0: written 15 to efd 6 debug2: channel 0: rcvd ext data 16 4+1 records out debug2: channel 0: written 16 to efd 6 debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 debug1: channel 0: rcvd eof debug1: channel 0: output open -> drain debug1: channel 0: rcvd close debug1: channel 0: input open -> closed debug1: channel 0: close_read debug2: channel 0: no data after CLOSE debug1: channel 0: obuf empty debug1: channel 0: output drain -> closed debug1: channel 0: close_write debug1: channel 0: send close debug1: channel 0: is dead debug1: channel_free: channel 0: status: The following connections are open: #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1) debug1: channel_free: channel 0: dettaching channel user debug1: Transferred: stdin 0, stdout 0, 
stderr 0 bytes in 2.8 seconds debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0 debug1: Exit status 0 6c80ab2560a5f7b9b778b5498a93ece8 - dd if=/bin/bash bs=65536 count=10 | ( sleep 5 ; md5sum ) 4+1 records in 4+1 records out 6c80ab2560a5f7b9b778b5498a93ece8 - SSHD: debug1: Entering interactive session for SSH2. debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 32768 debug1: input_session_request debug1: channel 0: new [server-session] debug1: session_new: init debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 channel 0 request x11-req reply 0 debug1: Received request for X11 forwarding with auth spoofing. debug1: x11_create_display_inet: Socket family 10 not supported debug1: fd 3 setting O_NONBLOCK debug1: fd 3 IS O_NONBLOCK debug1: channel 1: new [X11 inet listener] debug1: temporarily_use_uid: 9062/2501 (e=0) debug1: restore_uid debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 channel 0 request exec reply 0 debug1: fd 8 setting O_NONBLOCK debug1: fd 8 IS O_NONBLOCK debug1: fd 10 setting O_NONBLOCK debug1: Received SIGCHLD. 
debug1: session_by_pid: pid 9462 debug1: session_exit_message: session 0 channel 0 pid 9462 debug1: session_exit_message: release channel 0 debug1: channel 0: write failed debug1: channel 0: output open -> closed debug1: channel 0: close_write debug1: channel 0: close_read debug1: session_free: session 0 pid 9462 debug1: channel 0: read<=0 rfd 8 len 0 debug1: channel 0: read failed debug1: channel 0: input open -> drain debug1: channel 0: close_read debug1: channel 0: input: no drain shortcut debug1: channel 0: ibuf empty debug1: channel 0: input drain -> closed debug1: channel 0: send eof debug1: channel 0: send close debug1: channel 0: rcvd close debug1: channel 0: is dead debug1: channel_free: channel 0: status: The following connections are open: #0 server-session (t4 r0 i8/0 o128/0 fd 8/8) Connection closed by remote host. debug1: channel_free: channel 1: status: The following connections are open: debug1: xauthfile_cleanup_proc called Closing connection to 127.0.0.1 ============================================================================== ssh -v -v -v localhost dd if=/bin/bash bs=655360 count=2 | ( sleep 10 ; md5sum ) SSH: debug2: channel 0: written 477 to efd 6 debug2: channel 0: rcvd ext data 27 debug1: Received SIGCHLD. 
debug2: channel 0: written 27 to efd 6 debug2: channel 0: window 32264 sent adjust 4600 (obuf 28672) debug2: channel 0: window 0 sent adjust 4096 (obuf 61440) debug2: channel 0: window 4096 sent adjust 4096 (obuf 57344) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 12288 sent adjust 4096 (obuf 49152) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 12288 sent adjust 4096 (obuf 49152) debug2: channel 0: window 12288 sent adjust 4096 (obuf 49152) debug2: channel 0: window 12288 sent adjust 4096 (obuf 49152) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 12288 sent adjust 4096 (obuf 49152) debug2: channel 0: window 12288 sent adjust 4096 (obuf 49152) debug2: channel 0: window 12288 sent adjust 4096 (obuf 49152) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 12288 sent adjust 4096 (obuf 49152) debug2: channel 0: window 16384 sent adjust 4096 (obuf 45056) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 12288 sent adjust 4096 (obuf 49152) debug2: channel 0: window 16384 sent adjust 4096 (obuf 45056) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 12288 sent adjust 4096 (obuf 49152) debug2: channel 0: window 16384 sent adjust 4096 (obuf 45056) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 12288 sent adjust 4096 (obuf 49152) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 8192 sent adjust 4096 (obuf 
53248) debug2: channel 0: window 12288 sent adjust 4096 (obuf 49152) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 12288 sent adjust 4096 (obuf 49152) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 12288 sent adjust 4096 (obuf 49152) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: window 12288 sent adjust 4096 (obuf 49152) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53248) debug2: channel 0: rcvd ext data 31 debug2: channel 0: window 8161 sent adjust 4096 (obuf 53248) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53217) debug2: channel 0: window 12288 sent adjust 4096 (obuf 49121) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53217) debug2: channel 0: window 8161 sent adjust 4096 (obuf 53248) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53217) debug2: channel 0: window 12288 sent adjust 4096 (obuf 49121) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53217) debug2: channel 0: window 8161 sent adjust 4096 (obuf 53248) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53217) debug2: channel 0: window 12288 sent adjust 4096 (obuf 49121) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53217) debug2: channel 0: window 8161 sent adjust 4096 (obuf 53248) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53217) debug2: channel 0: window 12288 sent adjust 4096 (obuf 49121) debug2: channel 0: window 8192 sent adjust 4096 (obuf 53217) debug1: channel 0: rcvd eof debug1: channel 0: 
output open -> drain debug1: channel 0: rcvd close debug1: channel 0: input open -> closed debug1: channel 0: close_read debug2: channel 0: no data after CLOSE debug2: channel 0: no data after CLOSE 0+1 records in 0+1 records out debug2: channel 0: written 31 to efd 6 debug2: channel 0: no data after CLOSE debug2: channel 0: no data after CLOSE debug2: channel 0: no data after CLOSE debug2: channel 0: no data after CLOSE debug2: channel 0: no data after CLOSE debug2: channel 0: no data after CLOSE debug2: channel 0: no data after CLOSE debug2: channel 0: no data after CLOSE debug2: channel 0: no data after CLOSE debug2: channel 0: no data after CLOSE debug2: channel 0: no data after CLOSE debug2: channel 0: no data after CLOSE debug2: channel 0: no data after CLOSE debug1: channel 0: obuf empty debug1: channel 0: output drain -> closed debug1: channel 0: close_write debug1: channel 0: send close debug1: channel 0: is dead debug1: channel_free: channel 0: status: The following connections are open: #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1) debug1: channel_free: channel 0: dettaching channel user debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 8.3 seconds debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0 debug1: Exit status 0 6c80ab2560a5f7b9b778b5498a93ece8 - dd if=/bin/bash bs=655360 count=2 | ( sleep 10 ; md5sum ) 0+1 records in 0+1 records out 6c80ab2560a5f7b9b778b5498a93ece8 - SSHD: debug1: Entering interactive session for SSH2. 
debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 32768 debug1: input_session_request debug1: channel 0: new [server-session] debug1: session_new: init debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 channel 0 request x11-req reply 0 debug1: Received request for X11 forwarding with auth spoofing. debug1: x11_create_display_inet: Socket family 10 not supported debug1: fd 3 setting O_NONBLOCK debug1: fd 3 IS O_NONBLOCK debug1: channel 1: new [X11 inet listener] debug1: temporarily_use_uid: 9062/2501 (e=0) debug1: restore_uid debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 channel 0 request exec reply 0 debug1: fd 8 setting O_NONBLOCK debug1: fd 8 IS O_NONBLOCK debug1: fd 10 setting O_NONBLOCK debug1: Received SIGCHLD. debug1: session_by_pid: pid 9496 debug1: session_exit_message: session 0 channel 0 pid 9496 debug1: session_exit_message: release channel 0 debug1: channel 0: write failed debug1: channel 0: output open -> closed debug1: channel 0: close_write debug1: channel 0: close_read debug1: session_free: session 0 pid 9496 debug1: channel 0: read<=0 rfd 8 len 0 debug1: channel 0: read failed debug1: channel 0: input open -> drain debug1: channel 0: close_read debug1: channel 0: input: no drain shortcut debug1: channel 0: ibuf empty debug1: channel 0: input drain -> closed debug1: channel 0: send eof debug1: channel 0: send close debug1: channel 0: rcvd close debug1: channel 0: is dead debug1: channel_free: channel 0: status: The following connections are open: #0 server-session (t4 r0 i8/0 o128/0 fd 8/8) Connection closed by remote host. 
debug1: channel_free: channel 1: status: The following connections are open: debug1: xauthfile_cleanup_proc called Closing connection to 127.0.0.1

From karlm30 at hotmail.com Fri May 18 15:38:03 2001
From: karlm30 at hotmail.com (Karl M) Date: Thu, 17 May 2001 22:38:03 -0700 Subject: SSH connection hanging on logout Message-ID:

Hi All... I ran into a hanging problem with 2.9p1 in the cygwin environment. I found that ssh -f localhost sleep 30 hangs on both 2.9p1 and 2.5p2. ssh -f -L 5901:localhost:5900 localhost sleep 30 works fine with 2.5.2p2 but hangs with 2.9p1. I tried all but the most recent patches you had on this thread, with no effect. Is this an example of one of the known types of hanging? If not, can you reproduce this case? In any event, ssh -f -L 5901:localhost:5900 localhost sleep 30 is what I am trying to use with 2.9p1.

Thanks, ...Karl

From Stephan.Hendl at lds.brandenburg.de Fri May 18 16:37:31 2001
From: Stephan.Hendl at lds.brandenburg.de (Stephan Hendl) Date: Fri, 18 May 2001 08:37:31 +0200 Subject: two problems with scp/ssh 2.5.1p2 Message-ID:

Hi all, I get some problems using scp (ssh1) with authentication via the authentication agent mechanism on HP-UX 11. I have to distribute some files step by step from one machine to several others.

1. After approximately 10 scp processes the connection to the authentication agent breaks and the socket doesn't work for this session anymore. That means I have to log off and log on once again, to add my key passphrase and so on - not a very likely behaviour.

2. The authentication sockets in the /tmp filesystem are not deleted after a ssh session. Should I delete them via a cron job?

Thanks Stephan -- LDS Brandenburg Dr. Stephan Hendl fon: +49-(0)331-39 471 fax: +49-(0)331-27548 1187 EMail: stephan.hendl at lds.brandenburg.de

From j.petersen at msh.de Fri May 18 17:11:17 2001
From: j.petersen at msh.de (Petersen, Jörg) Date: Fri, 18 May 2001 09:11:17 +0200 Subject: AIX SSH 2.x ssh and /etc/ftpusers rcp rlogin WRONG ! Message-ID:

Hi,

> What about 'PasswordAuthentication no' in sshd_config?

This is not my problem. We want to disable root's using telnet and rlogin with password (and allow RSA-User-Key Authentication). telnet doesn't read sshd_config ... ;-) We need some way to allow ssh without enabling telnet/rlogin! (Disabling port 22 altogether is not a possible solution - not yet)

Jörg

-----Original Message----- From: Jim Knoble [mailto:jmknoble at jmknoble.cx] Sent: Thursday, May 17, 2001 10:46 PM To: openssh-unix-dev at mindrot.org Subject: Re: AIX SSH 2.x ssh and /etc/ftpusers rcp rlogin WRONG !

Circa 2001-May-17 15:16:34 +0200 dixit "Petersen, Jörg":

: As far as I understand: : rlogind allows login with password : rshd only allows access via .rhosts/hosts.equiv ! (Which is easy to remove : ;-) : : The difference is the possible use of a password. : : (If you say 'rsh foreignhost' without command, : you actually use rlogind !) : : With the current openssh-Code I've got no possibility : to disallow any remote root-login with password while : allowing RSA-Authenticated SSH-Login to root.

What about 'PasswordAuthentication no' in sshd_config?

-- jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/ (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)

From Florian.Weimer at RUS.Uni-Stuttgart.DE Fri May 18 18:00:51 2001
From: Florian.Weimer at RUS.Uni-Stuttgart.DE (Florian Weimer) Date: 18 May 2001 10:00:51 +0200 Subject: scp: Problem when source and destination are identical In-Reply-To: <20010517235220.D9231@folly> (Markus Friedl's message of "Thu, 17 May 2001 23:52:20 +0200") References: <20010517235220.D9231@folly> Message-ID:

Markus Friedl writes:

> On Thu, May 17, 2001 at 04:54:27PM +0200, Florian Weimer wrote: > > If the source and destination file are identical, the receiving scp > > truncates the file. On the sending end, read() returns 0, and garbage > > is sent instead of actual data, and the receiving end puts it into the > > file, which at least confuses the users. > > how should rcp/scp know that the files are identical?

I don't ask that scp refuses to shred the file (although this would be nice) because I know that this can't be implemented in a reliable manner. However, the problem I see is the garbage, which confuses users quite a lot.

-- Florian Weimer Florian.Weimer at RUS.Uni-Stuttgart.DE University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898

From j.petersen at msh.de Fri May 18 22:27:04 2001
From: j.petersen at msh.de (Petersen, Jörg) Date: Fri, 18 May 2001 14:27:04 +0200 Subject: scp: Problem when source and destination are identical Message-ID:

It would be interesting to know how rcp is able to handle this... With AIX:

myhost / # rcp -p /tmp/txt myhostInterfaceB:/tmp/txt rcp: /tmp/txt and /tmp/txt refer to the same file (not copied).

(Solaris-rcp doesn't complain like this, but the file remains intact...) Someone with access to the AIX-Sources ???? ;-)

Jörg

-----Original Message----- Markus Friedl writes: > On Thu, May 17, 2001 at 04:54:27PM +0200, Florian Weimer wrote: > > If the source and destination file are identical, the receiving scp > > truncates the file. On the sending end, read() returns 0, and garbage > > is sent instead of actual data, and the receiving end puts it into the > > file, which at least confuses the users. > > how should rcp/scp know that the files are identical?

From sxw at sxw.org.uk Fri May 18 22:32:46 2001
From: sxw at sxw.org.uk (Simon Wilkinson) Date: Fri, 18 May 2001 13:32:46 +0100 Subject: OpenSSH GSSAPI patches Message-ID: <01051813324602.05176@loki.dcs.ed.ac.uk>

An updated version of my GSSAPI patches for OpenSSH 2.9p1 is finally available from http://www.sxw.org.uk/computing/patches/openssh.html These patches fix a bug with the hash calculation which will break interoperation with earlier versions - sorry! This release supports both Kerberos and GSI (thanks to Von Welch for the GSI support) mechanisms, and the code in it has now been widely tested and reviewed. I'd like it to be considered for inclusion in the OpenSSH codebase. Thanks to Chris Chiappa, Bill Fithen, John Kilburg, Daniel Kouril, Dan Russell and Von Welch for their suggestions and patches.

-- Simon Wilkinson http://www.sxw.org.uk "Beware of bugs in the above code: I have only proved it correct, not tried it." - Donald Knuth

From Markus.Friedl at informatik.uni-erlangen.de Fri May 18 22:34:46 2001
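The identical-file exchange above (Florian Weimer: the receiving scp truncates the file, the sender's read() then returns 0 and garbage is sent for the announced length; Jörg Petersen: AIX rcp refuses with "refer to the same file") comes down to two separate checks, and the C program below is an added illustration of both, not code from OpenSSH, AIX rcp or anyone in the thread. It compares st_dev/st_ino of source and destination before the destination is opened with O_TRUNC, which is the check a local copy can make (and which, as Markus points out, a network scp cannot), and it makes the sender fail with EIO when read() hits EOF before the announced byte count, so stale buffer contents are never sent as filler. The /tmp temp file names and the "hello, scp" payload are constructed for the example.

```c
/* Added example (not OpenSSH/AIX code): same-file check and a no-padding sender. */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if a and b name the same inode on the same device (the check rcp can make
 * when both paths are local); a not-yet-existing destination is never the source. */
int same_file(const char *a, const char *b)
{
    struct stat sa, sb;
    if (stat(a, &sa) < 0 || stat(b, &sb) < 0)
        return 0;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

static int write_all(int fd, const char *p, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) return -1;
        p += n; len -= (size_t)n;
    }
    return 0;
}

/* Stream exactly 'declared' bytes (already announced to the peer).  Early EOF
 * from read() is an error (EIO): stale buffer contents are never sent as filler. */
int send_exact(int in, int out, off_t declared)
{
    char buf[8192];
    while (declared > 0) {
        size_t want = declared < (off_t)sizeof buf ? (size_t)declared : sizeof buf;
        ssize_t n = read(in, buf, want);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) return -1;
        if (n == 0) { errno = EIO; return -1; }   /* source shrank under us */
        if (write_all(out, buf, (size_t)n) < 0) return -1;
        declared -= n;
    }
    return 0;
}

/* Local scp-style copy; the same-file check runs before O_TRUNC could
 * destroy the source.  Returns 0, or -1 with errno set. */
int copy_file(const char *src, const char *dst)
{
    if (same_file(src, dst)) { errno = EEXIST; return -1; }
    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    struct stat st; int out = -1, rc = -1;
    if (fstat(in, &st) == 0 &&
        (out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0600)) >= 0)
        rc = send_exact(in, out, st.st_size);
    int saved = errno;
    close(in);
    if (out >= 0) close(out);
    errno = saved;
    return rc;
}

static off_t file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? st.st_size : -1;
}

/* Run the three cases on constructed temp files.  Bitmask: 1 = self-copy refused
 * and source intact, 2 = normal copy byte-exact, 4 = short source gives EIO. */
int run_scenarios(void)
{
    const char *payload = "hello, scp";              /* constructed sample */
    size_t plen = strlen(payload);
    char src[] = "/tmp/scpdemo-src-XXXXXX", dst[] = "/tmp/scpdemo-dst-XXXXXX";
    char rd[64]; int result = 0, fs = mkstemp(src), fd = mkstemp(dst);
    if (fs < 0 || fd < 0) return -1;
    write_all(fs, payload, plen);
    close(fs); close(fd);
    if (copy_file(src, src) == -1 && file_size(src) == (off_t)plen)
        result |= 1;
    if (copy_file(src, dst) == 0 && file_size(dst) == (off_t)plen) {
        int f = open(dst, O_RDONLY);
        if (read(f, rd, sizeof rd) == (ssize_t)plen && memcmp(rd, payload, plen) == 0)
            result |= 2;
        close(f);
    }
    int in = open(src, O_RDONLY), out = open("/dev/null", O_WRONLY);
    if (send_exact(in, out, (off_t)plen + 5) == -1 && errno == EIO)
        result |= 4;
    close(in); close(out);
    unlink(src); unlink(dst);
    return result;
}

int main(void) { return run_scenarios() == 7 ? 0 : 1; }   /* exit 0 = all passed */
```

Compile with `cc -o scpdemo scpdemo.c` and run it; the exit status is 0 only when all three scenarios pass. The same-file check does nothing for the case Florian hit, where sender and receiver are separate scp processes that each see only one side; there the early-EOF check is what keeps garbage out of the destination, although the destination has already been truncated by then, which is why Markus says scp cannot make the copy itself safe.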
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 18 May 2001 14:34:46 +0200 Subject: SSH connection hanging on logout In-Reply-To: <20010518003543.15159.qmail@wizard.math.ualberta.ca>; from bowman@math.ualberta.ca on Fri, May 18, 2001 at 12:35:43AM -0000 References: <20010516081803.2877.qmail@wizard.math.ualberta.ca> <20010516223627.B25592@folly> <20010517014450.25437.qmail@wizard.math.ualberta.ca> <20010517234144.B9231@folly> <20010518003543.15159.qmail@wizard.math.ualberta.ca> Message-ID: <20010518143446.C1101@faui02.informatik.uni-erlangen.de> On Fri, May 18, 2001 at 12:35:43AM -0000, John Bowman wrote: > One can now request that the connection not die after the first TCP > connection is closed (via -N) or after a fixed number of seconds (via a sleep > command), but rather that it stays around n seconds after the most recent TCP > connection is closed. More details to follow... currently the connection is _not_ closed after the first connection From markus.friedl at informatik.uni-erlangen.de Fri May 18 22:50:15 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 18 May 2001 14:50:15 +0200 Subject: SSH connection hanging on logout In-Reply-To: <20010518051822.9525.qmail@wizard.math.ualberta.ca>; from bowman@math.ualberta.ca on Fri, May 18, 2001 at 05:18:22AM -0000 References: <20010513184453.11194.qmail@wizard.math.ualberta.ca> <20010517000612.B14493@folly> <20010516221457.17527.qmail@wizard.math.ualberta.ca> <20010517162757.A7133@faui02.informatik.uni-erlangen.de> <20010517153518.9597.qmail@wizard.math.ualberta.ca> <20010517233823.A9231@folly> <20010518051822.9525.qmail@wizard.math.ualberta.ca> Message-ID: <20010518145015.A31903@folly> On Fri, May 18, 2001 at 05:18:22AM -0000, John Bowman wrote: > > > > debug3: channel 0: channel data: 16384 > > > > debug3: channel 0: read rfd 10 len 16384 > > > > debug3: channel 0: channel data: 15907 > > > > debug2: channel 0: rcvd adjust 16861 > > > > debug3: channel 0: channel data: 477 > > > > debug3: channel 0: read rfd 10 len 16384 > > > > debug3: channel 0: channel data: 16384 > > > > debug2: channel 0: rcvd adjust 65536 > > > > debug3: channel 0: read rfd 10 len 16384 > > > > debug3: channel 0: channel data: 16384 > > > > debug3: channel 0: read rfd 10 len 16384 > > > > debug3: channel 0: channel data: 16384 > > > > debug1: Received SIGCHLD. > > > > ^^ shell dies > > > > debug1: session_by_pid: pid 29873 > > > > debug1: session_exit_message: session 0 channel 0 pid 29873 > > > > debug1: session_exit_message: release channel 0 > > > > debug1: channel 0: write failed > > > > debug1: channel 0: output open -> closed > > > > debug1: channel 0: close_write > > > > debug1: session_free: session 0 pid 29873 > > > > debug3: channel 0: read rfd 10 len 16384 > > > > ^^ more reads from the shell. > > > > > > > > if you shutdown at the SIGCHLD, you can no longer read > > > > at this point! 
> > > >
> > > > debug2: channel 0: read 84 from efd 12
> > > > debug3: channel 0: channel data: 16384
> > > > debug2: channel 0: rwin 16384 elen 84 euse 1
> > > > debug2: channel 0: sent ext data 84
> > > > debug1: channel 0: read<=0 rfd 10 len 0
> > > > debug1: channel 0: read failed
> > > > debug1: channel 0: input open -> drain
> > > > debug1: channel 0: close_read
> > > > debug1: channel 0: input: no drain shortcut
> > > > debug1: channel 0: ibuf empty
> > > > debug1: channel 0: input drain -> closed
> > > > debug1: channel 0: send eof
> Here is the debugging output, with my latest patch (which fixes the -N
> problem you pointed out today) and your debug patch applied to 2.9p1:

these are still not the traces i'm looking for.
you need to make sure that SSHD still does
reads after the SIGCLD:

debug1: Received SIGCHLD.
...
debug3: channel 0: read rfd 10 len 16384

From DvorakJ at Radiomobil.cz Sat May 19 00:34:50 2001
From: DvorakJ at Radiomobil.cz (Dvořák Jiří)
Date: Fri, 18 May 2001 16:34:50 +0200
Subject: HP11 and openssh
Message-ID: <0406DF4D22E26C44AF801374141F00CD017BF4@radiomobil.cz>

Hello,

I can install openssh 2.9p1 on HPUX 11.0. What product and version do I need to install first? I tried zlib 1.1.3 from the HP software depot, openssl 0.9.6, and perl 5.6, but I have errors.

JiriD

From peb at mppmu.mpg.de Sat May 19 00:40:02 2001
From: peb at mppmu.mpg.de (Peter Breitenlohner) Date: Fri, 18 May 2001 16:40:02 +0200 (CEST) Subject: ssh-keyscan for ssh2 (was Re: openssh-2.9p1) In-Reply-To: Message-ID: On Thu, 17 May 2001, Wayne Davison wrote: > Here's my first cut at modifying ssh-keyscan to output either/both ssh1 > and ssh2 keys. It defaults to working as it did before (outputting just > the ssh1 rsa keys), but you can ask for either or both by using the -1 > and -2 options. ......... > I also added the flags -4 and -6 to allow people to set IPv4 and IPv6 > modes just like with ssh. Hi Wayne, I have applied your patch and tried things out; seems to work fine. Thanks a lot. Attached my attempt to update the ssh-keyscan man page accordingly (I wanted to have that for my own use for future reference). regards Peter Breitenlohner -------------- next part -------------- diff -ur openssh-2.9p1.orig/ssh-keyscan.1 openssh-2.9p1/ssh-keyscan.1 --- openssh-2.9p1.orig/ssh-keyscan.1 Thu Apr 19 22:31:02 2001 +++ openssh-2.9p1/ssh-keyscan.1 Fri May 18 15:58:36 2001 @@ -16,6 +16,8 @@ .Sh SYNOPSIS .Nm ssh-keyscan .Op Fl t Ar timeout +.Op Fl 4 | 6 +.Op Fl 1 | 2 | 12 .Op Ar -- | host | addrlist namelist .Op Fl f Ar files ... .Sh DESCRIPTION @@ -23,6 +25,8 @@ is a utility for gathering the public ssh host keys of a number of hosts. It was designed to aid in building and verifying .Pa ssh_known_hosts +and +.Pa ssh_known_hosts2 files. .Nm provides a minimal interface suitable for use by shell and perl @@ -36,7 +40,7 @@ machines you are scanning, nor does the scanning process involve any encryption. .Sh SECURITY -If you make an ssh_known_hosts file using +If you make an ssh_known_hosts or ssh_known_hosts2 file using .Nm without verifying the keys, you will be vulnerable to .I man in the middle 
@@ -44,7 +48,7 @@ On the other hand, if your security model allows such a risk, .Nm can help you detect tampered keyfiles or man in the middle attacks which -have begun after you created your ssh_known_hosts file. +have begun after you created your ssh_known_hosts or ssh_known_hosts2 file. .Sh OPTIONS .Bl -tag -width Ds .It Fl t @@ -54,6 +58,28 @@ last time anything was read from that host, then the connection is closed and the host in question considered unavailable. Default is 5 seconds. +.It Fl 4 +Forces +.Nm +to use IPv4 addresses only. +.It Fl 6 +Forces +.Nm +to use IPv6 addresses only. +.It Fl 1 +Forces +.Nm +to try protocol version 1 (only). +.It Fl 2 +Forces +.Nm +to try protocol version 2 (only). +.It Fl 12 +Forces +.Nm +to try protocol versions 1 and 2. The protocol versions (1, 2, or both) +remain in effect until one of these flags is specified again after some +host specifications. .It Fl f Read hosts or .Pa addrlist namelist @@ -91,7 +117,7 @@ .Pa Output format: host-or-namelist bits exponent modulus .Pp -.Pa /etc/ssh_known_hosts +.Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2 .Sh BUGS It generates "Connection closed by remote host" messages on the consoles of all the machines it scans. From bowman at math.ualberta.ca Sat May 19 00:48:56 2001 
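Review bot: in the SYNOPSIS hunk, `.Op Fl 1 | 2 | 12` presents the protocol flags as a one-time, mutually exclusive choice, while the OPTIONS text added further down says they can be given again between host specifications. Showing them inside the repeated host group, the way the program's usage string `{ [-1|-2|-4|-6] [--] host | -f file } ...` does, would match the documented behaviour.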
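Review bot: in the OPTIONS hunk, the sentence "The protocol versions (1, 2, or both) remain in effect until one of these flags is specified again after some host specifications" is attached to `.It Fl 12` only, yet it applies equally to `-1` and `-2`; it reads better as its own sentence after the three items. The `-4`/`-6` items leave unsaid whether they are positional in the same way.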
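Review bot: in the FILES hunk, `.Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2` puts the comma inside the first `.Pa` argument, so mdoc renders it as part of the path name; use two `.Pa` lines (`.Pa /etc/ssh_known_hosts` and `.Pa /etc/ssh_known_hosts2`). The unchanged "Output format: host-or-namelist bits exponent modulus" line just above still describes only the protocol 1 record; the record printed for protocol 2 keys needs documenting as well.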
From: bowman at math.ualberta.ca (John Bowman)
Date: 18 May 2001 14:48:56 -0000
Subject: SSH connection hanging on logout
In-Reply-To: <20010518145015.A31903@folly> (message from Markus Friedl on Fri, 18 May 2001 14:50:15 +0200)
References: <20010513184453.11194.qmail@wizard.math.ualberta.ca> <20010517000612.B14493@folly> <20010516221457.17527.qmail@wizard.math.ualberta.ca> <20010517162757.A7133@faui02.informatik.uni-erlangen.de> <20010517153518.9597.qmail@wizard.math.ualberta.ca> <20010517233823.A9231@folly> <20010518051822.9525.qmail@wizard.math.ualberta.ca> <20010518145015.A31903@folly>
Message-ID: <20010518144856.15593.qmail@wizard.math.ualberta.ca>

>
> these are still not the traces i'm looking for.
> you need to make sure that SSHD still does
> reads after the SIGCLD:
>
> debug1: Received SIGCHLD.
> ...
> debug3: channel 0: read rfd 10 len 16384
>

Sorry, I've tested many different cases, such as these ones

ssh -v -v -v localhost dd if=/usr/local/netscape/netscape bs=1300000 count=10 | ( sleep 5 ; md5sum )

ssh -v -v -v localhost dd if=/usr/local/netscape/netscape bs=1300000 count=10 | ( sleep 50 ; md5sum )

ssh -v -v -v localhost dd if=/usr/local/netscape/netscape bs=1300000 count=1 | ( md5sum )

and many others and I've never seen this happen. The checksums are always correct. If you have a specific test you want me to try, please let me know.

Like I said, under Linux at least, by the time shutdown is called, all of the data has been read in. You are most welcome to try to show otherwise. I'll give you an account on a Linux system; please contact me about this.

Until then, I will continue to use my patch; it makes OpenSSH a practical alternative to SSH on Linux systems.

--
John Bowman
University of Alberta
http://www.math.ualberta.ca/~bowman

From bowman at math.ualberta.ca Sat May 19 01:02:15 2001
From: bowman at math.ualberta.ca (John Bowman)
Date: 18 May 2001 15:02:15 -0000
Subject: No subject
Message-ID: <20010518150215.15799.qmail@wizard.math.ualberta.ca>

Hi Karl,

I wasn't able to reproduce the hanging problem you reported with

ssh -f localhost sleep 30

What happens if you install the sleep patch I posted yesterday and say instead

ssh -N localhost -S 30 &

This should at least give you the functionality you need to do your tunneling.

--
John Bowman
University of Alberta
http://www.math.ualberta.ca/~bowman

From mouring at etoh.eviladmin.org Sat May 19 02:55:25 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Fri, 18 May 2001 11:55:25 -0500 (CDT)
Subject: ssh-keyscan for ssh2 (was Re: openssh-2.9p1)
In-Reply-To:
Message-ID:

On Thu, 17 May 2001, Wayne Davison wrote:

> On Mon, 14 May 2001, Peter Breitenlohner wrote:
> > 2. Is there a program like ssh-keyscan for the Version2 (dsa and rsa) keys??
>
> Here's my first cut at modifying ssh-keyscan to output either/both ssh1
> and ssh2 keys. It defaults to working as it did before (outputting just
> the ssh1 rsa keys), but you can ask for either or both by using the -1
> and -2 options. You can even switch what you need between hostnames:
>
> ssh-keyscan -1 foo -2 bar -1 -2 baz stillboth -1 rsa -12 bothagain
>

I'm not seeing RSA protocol 2 keys.

- Ben

From wayne at blorf.net Sat May 19 05:31:19 2001
From: wayne at blorf.net (Wayne Davison) Date: Fri, 18 May 2001 12:31:19 -0700 (PDT) Subject: ssh-keyscan for ssh2 (was Re: openssh-2.9p1) In-Reply-To: Message-ID: On Fri, 18 May 2001 mouring at etoh.eviladmin.org wrote: > I'm not seeing RSA protcol 2 keys. I think the following patch (applied after my first patch) will make this work. I had previously mentioned that my patch wasn't working with 2.5.2p2, and this patch fixes this (the returned key is "ssh-rsa"). ..wayne.. ---8<------8<------8<------8<---cut here--->8------>8------>8------>8--- Index: ssh-keyscan.c --- old/ssh-keyscan.c Fri May 18 12:23:49 2001 +++ ./ssh-keyscan.c Fri May 18 12:21:04 2001 @@ -25,6 +25,7 @@ #include "ssh1.h" #include "key.h" #include "kex.h" +#include "compat.h" #include "myproposal.h" #include "packet.h" #include "dispatch.h" @@ -471,7 +472,7 @@ void congreet(int s) { - char buf[80], *cp; + char buf[256], *cp; size_t bufsiz; int n = 0; con *c = &fdcon[s]; @@ -493,6 +494,12 @@ } *cp = '\0'; fprintf(stderr, "# %s %s\n", c->c_name, buf); + if (!(c->c_keytypes & 1)) { + char remote_version[sizeof buf]; + + if (sscanf(buf, "SSH-%*d.%*d-%[^\n]\n", remote_version) == 1) + compat_datafellows(remote_version); + } n = snprintf(buf, sizeof buf, "SSH-%d.%d-OpenSSH-keyscan\r\n", c->c_keytypes & 1 ? PROTOCOL_MAJOR_1 : PROTOCOL_MAJOR_2, c->c_keytypes & 1 ? PROTOCOL_MINOR_1 : PROTOCOL_MINOR_2); ---8<------8<------8<------8<---cut here--->8------>8------>8------>8--- From markus.friedl at informatik.uni-erlangen.de Sat May 19 05:36:56 2001 
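Review bot: in the `congreet` buffer hunk, raising `buf` from 80 to 256 bytes is the right direction: the protocol 2 draft limits the identification line a peer may send to 255 characters including the CR LF, so an 80-byte buffer cannot hold a legitimate maximum-length greeting, and that is what made longer version strings misbehave.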
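Review bot: in the `compat_datafellows` hunk, `sscanf(buf, "SSH-%*d.%*d-%[^\n]\n", remote_version)` uses an unbounded `%[` conversion; it is safe only because `remote_version` is `sizeof buf` and `buf` was just NUL-terminated, so a width (`%255[^\n]`) would make that explicit. More importantly, `datafellows` is a process-wide global: when the sscanf fails, or when a host is scanned for protocol 1 only, the flags computed for the previously greeted host stay in effect, and since every `fdcon[s]` connection greets independently, the flags of the most recently greeted host apply to whichever key exchange runs next. Reset it on the failure path and immediately before each protocol 2 exchange.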
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 18 May 2001 21:36:56 +0200
Subject: scp: Problem when source and destination are identical
In-Reply-To: ; from Florian.Weimer@RUS.Uni-Stuttgart.DE on Thu, May 17, 2001 at 04:54:27PM +0200
References:
Message-ID: <20010518213656.F18028@folly>

does this help:

Index: scp.c
===================================================================
RCS file: /home/markus/cvs/ssh/scp.c,v
retrieving revision 1.70
diff -u -r1.70 scp.c
--- scp.c 2001/05/08 19:45:24 1.70
+++ scp.c 2001/05/18 19:31:07
@@ -777,7 +777,7 @@ } omode = mode; mode |= S_IWRITE; - if ((ofd = open(np, O_WRONLY | O_CREAT | O_TRUNC, mode)) < 0) { + if ((ofd = open(np, O_WRONLY | O_CREAT , mode)) < 0) { bad: run_err("%s: %s", np, strerror(errno)); continue; }

From markus.friedl at informatik.uni-erlangen.de Sat May 19 05:16:47 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 18 May 2001 21:16:47 +0200
Subject: AIX SSH 2.x ssh and /etc/ftpusers rcp rlogin WRONG !
In-Reply-To: ; from mark.pitt@ch.ibm.com on Thu, May 17, 2001 at 05:50:42PM +0200
References:
Message-ID: <20010518211647.D18028@folly>

On Thu, May 17, 2001 at 05:50:42PM +0200, mark.pitt at ch.ibm.com wrote:
> Another point - IBM security Policies REQUIRE that any system they look
> after, their's or customer's, has rlogin=false for root set - this

PermitRootLogin no in sshd_config

sshd does not know about every possible difference between every possible rlogind implementation on every possible system. ssh is a product of its own.

From markus.friedl at informatik.uni-erlangen.de Sat May 19 05:18:33 2001
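Review bot: dropping `O_TRUNC` from the `open()` in this hunk stops the receiver from destroying a file that is also the source, but on its own it is incomplete: a transfer shorter than the existing destination now leaves the old tail in place, so the `ftruncate(ofd, size)` further down must be enabled together with this change. Minor: the stray space in `O_CREAT , mode` is a leftover of the deletion.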
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 18 May 2001 21:18:33 +0200
Subject: AIX SSH 2.x ssh and /etc/ftpusers rcp rlogin WRONG !
In-Reply-To: ; from j.petersen@msh.de on Fri, May 18, 2001 at 09:11:17AM +0200
References:
Message-ID: <20010518211832.E18028@folly>

On Fri, May 18, 2001 at 09:11:17AM +0200, "Petersen, Jörg" wrote:
> We need some way to allow ssh without enabling telnet/rlogin!
> (Disabling port 22 altogether is not a possible solution - not yet)

how is 'not enabling telnet' related to 'disabling port 22' ?

From markus.friedl at informatik.uni-erlangen.de Sat May 19 05:42:13 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 18 May 2001 21:42:13 +0200
Subject: scp: Problem when source and destination are identical
In-Reply-To: ; from Florian.Weimer@RUS.Uni-Stuttgart.DE on Thu, May 17, 2001 at 04:54:27PM +0200
References:
Message-ID: <20010518214213.G18028@folly>

this restores the rcp behaviour.

Index: scp.c
===================================================================
RCS file: /home/markus/cvs/ssh/scp.c,v
retrieving revision 1.70
diff -U10 -r1.70 scp.c
--- scp.c 2001/05/08 19:45:24 1.70
+++ scp.c 2001/05/18 19:38:58
@@ -770,21 +770,21 @@ vect[0], strerror(errno)); } if (mod_flag) (void) chmod(vect[0], mode); if (vect[0]) xfree(vect[0]); continue; } omode = mode; mode |= S_IWRITE; - if ((ofd = open(np, O_WRONLY | O_CREAT | O_TRUNC, mode)) < 0) { + if ((ofd = open(np, O_WRONLY | O_CREAT , mode)) < 0) { bad: run_err("%s: %s", np, strerror(errno)); continue; } (void) atomicio(write, remout, "", 1); if ((bp = allocbuf(&buffer, ofd, 4096)) == NULL) { (void) close(ofd); continue; } cp = bp->buf; wrerr = NO;
@@ -825,21 +825,21 @@ cp = bp->buf; } } if (showprogress) progressmeter(1); if (count != 0 && wrerr == NO && (j = atomicio(write, ofd, bp->buf, count)) != count) { wrerr = YES; wrerrno = j >= 0 ? EIO : errno; } -#if 0 +#if 1 if (ftruncate(ofd, size)) { run_err("%s: truncate: %s", np, strerror(errno)); wrerr = DISPLAYED; } #endif if (pflag) { if (exists || omode != mode) if (fchmod(ofd, omode)) run_err("%s: set mode: %s", np, strerror(errno)); From markus.friedl at informatik.uni-erlangen.de Sat May 19 01:48:17 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 18 May 2001 17:48:17 +0200 Subject: openssh and chroot In-Reply-To: ; from egrubbs@rackspace.com on Wed, May 16, 2001 at 05:43:40PM -0500 References: Message-ID: <20010518174817.A18028@folly> chroot is hard. sftp-server will do chrooting at some point. probably not to $HOME by default, but to $HOME/subdir, because otherwise manipulation of .ssh and .forward is possible. sshd will not do chrooting, because setting up a chroot-env in $HOME is a nightmare. From markus.friedl at informatik.uni-erlangen.de Sat May 19 01:49:35 2001 
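Review bot: in the `open()` hunk, `O_CREAT , mode` keeps a stray space from deleting `| O_TRUNC`; tidy it to `O_CREAT, mode` so the line matches the surrounding style.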
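Review bot: in the ftruncate hunk, turning `#if 0` into `#if 1` leaves a dead preprocessor wrapper; drop the `#if`/`#endif` pair and keep the call unconditional. Separately, `ftruncate(ofd, size)` now runs even when `wrerr` is already `YES` (set just above when the final `atomicio(write, ...)` falls short), so a destination whose write failed partway is silently extended to the announced `size` with a zero-filled hole; the error is still reported, but the file on disk no longer shows how much was actually written. Guarding the call with `wrerr == NO` avoids that.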
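The same-file case from Florian's report, the two scp.c variants above and the shorter-over-longer case can be reproduced with a small simulation. The following C program is an added example, not scp's own code: it mimics scp's receive path under three settings (O_TRUNC on open, as in the original; no O_TRUNC; no O_TRUNC plus ftruncate to the announced size, as in the -U10 patch) and, like scp's sender, still sends a full block when read() comes up short, so the stale buffer contents ('G') stand in for the garbage Florian saw. `scenario()`, the byte patterns and the temp directory under /tmp are constructed for the example; it assumes a writable /tmp.

```c
#define _DEFAULT_SOURCE 1   /* mkdtemp()/ftruncate() declarations on glibc with -std=c99 */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define BLK 4096        /* block size the simulated sender reads and sends with */
#define SRC_LEN 10000   /* not a multiple of BLK, so the last block is partial */
#define DST_LEN 20000   /* a pre-existing destination that is longer than the source */

static int write_all(int fd, const char *p, size_t n)
{
    while (n > 0) {
        ssize_t w = write(fd, p, n);
        if (w <= 0)
            return -1;
        p += w, n -= (size_t)w;
    }
    return 0;
}

/* Creates path holding len copies of byte c (constructed test data). */
static int fill_file(const char *path, char c, size_t len)
{
    char buf[BLK];
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    memset(buf, c, sizeof buf);
    for (; len > 0; len -= len < sizeof buf ? len : sizeof buf)
        if (write_all(fd, buf, len < sizeof buf ? len : sizeof buf) < 0)
            return close(fd), -1;
    return close(fd);
}

/* Returns 1 if path is exactly len bytes of c, 0 otherwise. */
static int file_is(const char *path, char c, size_t len)
{
    char buf[BLK];
    size_t seen = 0;
    ssize_t n;
    int ok = 1, fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        for (ssize_t i = 0; i < n; i++)
            if (buf[i] != c)
                ok = 0;
        seen += (size_t)n;
    }
    close(fd);
    return ok && seen == len;
}

/* Simulated scp transfer.  truncate_on_open mirrors the O_TRUNC in the original
 * open(); ftruncate_at_end mirrors the ftruncate(ofd, size) the -U10 patch enables.
 * A full block goes out even when read() comes up short, as in scp's sender.
 * Returns the number of short reads, or -1 on an I/O error. */
static int copy_like_scp(const char *src, const char *dst, int truncate_on_open, int ftruncate_at_end)
{
    struct stat st;
    char buf[BLK];
    int ifd, ofd, short_reads = 0, rc = 0;
    off_t size, off;

    if (stat(src, &st) < 0)
        return -1;
    size = st.st_size;             /* the size announced before any data flows */
    if ((ifd = open(src, O_RDONLY)) < 0)
        return -1;
    ofd = open(dst, O_WRONLY | O_CREAT | (truncate_on_open ? O_TRUNC : 0), 0600);
    if (ofd < 0)
        return close(ifd), -1;
    memset(buf, 'G', sizeof buf);  /* stale contents: what goes out after a short read */
    for (off = 0; off < size; off += BLK) {
        size_t amt = (size_t)(size - off < BLK ? size - off : BLK);
        if (read(ifd, buf, amt) != (ssize_t)amt)   /* 0 once the file was truncated under us */
            short_reads++;
        if (write_all(ofd, buf, amt) < 0)
            rc = -1;
    }
    if (ftruncate_at_end && ftruncate(ofd, size) < 0)
        rc = -1;
    close(ifd);
    close(ofd);
    return rc < 0 ? rc : short_reads;
}

/* Runs one scenario in a fresh temp directory.  Returns 1 if the destination ends
 * up an exact copy of the original source, 0 if it is corrupted or has the wrong
 * length, -1 on setup failure. */
int scenario(int truncate_on_open, int ftruncate_at_end, int same_file)
{
    char dir[] = "/tmp/scpdemo.XXXXXX", src[64], dst[64];
    int result;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(src, sizeof src, "%s/src", dir);
    snprintf(dst, sizeof dst, "%s/%s", dir, same_file ? "src" : "dst");
    if (fill_file(src, 'S', SRC_LEN) < 0 || (!same_file && fill_file(dst, 'D', DST_LEN) < 0))
        return -1;
    if (copy_like_scp(src, dst, truncate_on_open, ftruncate_at_end) < 0)
        return -1;
    result = file_is(dst, 'S', SRC_LEN);
    unlink(src), unlink(dst), rmdir(dir);
    return result;
}
```

`scenario(1, 0, 1)` (O_TRUNC, same file) ends with a file full of 'G': the first read() returns 0 because the receiver already emptied the file, and the later reads pick up the garbage the receiver wrote. `scenario(0, 0, 0)` shows Wayne's case, the old 'D' tail surviving after a shorter source, and `scenario(0, 1, 0)` and `scenario(0, 1, 1)` show that no O_TRUNC plus a final ftruncate handles both.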
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 18 May 2001 17:49:35 +0200 Subject: hung SSH on Solaris when starting Oracle In-Reply-To: <200105161741.f4GHfQM07356@abyssus.doit.wisc.edu>; from msimpson@abyssus.doit.wisc.edu on Wed, May 16, 2001 at 12:41:26PM -0500 References: <200105161741.f4GHfQM07356@abyssus.doit.wisc.edu> Message-ID: <20010518174935.B18028@folly> On Wed, May 16, 2001 at 12:41:26PM -0500, Mike Simpson wrote: > > Does "lsnrctl start < /dev/null 2>&1 >/dev/null" cause a hang? > > Yes, although this (cribbed from Jason Stone's earlier post) does > seem to avoid the hang: > > perl -e 'fork && exit; close STDIN; close STDOUT; close STDERR; \ > setpgrp(0,$$); exec "lsnrctl start";' > so does % lsnrctl start < /dev/null > /dev/null 2>&1 work for you? From markus.friedl at informatik.uni-erlangen.de Sat May 19 02:21:19 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 18 May 2001 18:21:19 +0200 Subject: ssh-keyscan for ssh2 (was Re: openssh-2.9p1) In-Reply-To: ; from wayne@blorf.net on Thu, May 17, 2001 at 08:47:39PM -0700 References: Message-ID: <20010518182119.C18028@folly> On Thu, May 17, 2001 at 08:47:39PM -0700, Wayne Davison wrote: > On Mon, 14 May 2001, Peter Breitenlohner wrote: > > 2. Is there a program like ssh-keyscan for the Version2 (dsa and rsa) keys?? > > Here's my first cut at modifying ssh-keyscan to output either/both ssh1 > and ssh2 keys. It defaults to working as it did before (outputting just > the ssh1 rsa keys), but you can ask for either or both by using the -1 this is a nice patch. > +Key * > +keygrab_dsa(con *c) > +{ > + Key *key; > + > + packet_set_connection(c->c_fd, c->c_fd); > + packet_set_ssh2_format(); you need this if you want to select DSA vs RSA: myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-dss"; > + c->c_kex = kex_setup(myproposal); > + c->c_kex->check_host_key = hostjump; > + > + if (!(key = (Key*)setjmp(kexjmp))) { > + dispatch_run(DISPATCH_BLOCK, &c->c_kex->done, c->c_kex); > + fprintf(stderr, "Impossible! dispatch_run() returned!\n"); > + exit(1); > + } xfree(c->c_kex); c->c_kex = NULL; > + packet_close(); it would be nice if packet.c could handle multiple packet-layer instances. this would allow building application layer ssh proxies (mitm), too. -m From wayne at blorf.net Sat May 19 05:44:29 2001 
From: wayne at blorf.net (Wayne Davison)
Date: Fri, 18 May 2001 12:44:29 -0700 (PDT)
Subject: scp: Problem when source and destination are identical
In-Reply-To: <20010518213656.F18028@folly>
Message-ID:

On Fri, 18 May 2001, Markus Friedl wrote:
> - if ((ofd = open(np, O_WRONLY | O_CREAT | O_TRUNC, mode)) < 0) {
> + if ((ofd = open(np, O_WRONLY | O_CREAT , mode)) < 0) {

If you do that, you need to uncomment the ftruncate() call lower down (or overwriting a larger file with a shorter one will leave spurious data at the end).

..wayne..

From msimpson at abyssus.doit.wisc.edu Sat May 19 05:48:42 2001
From: msimpson at abyssus.doit.wisc.edu (Mike Simpson)
Date: Fri, 18 May 2001 14:48:42 -0500
Subject: hung SSH on Solaris when starting Oracle
In-Reply-To: Your message of "Fri, 18 May 2001 17:49:35 +0200." <20010518174935.B18028@folly>
Message-ID: <200105181948.f4IJmgU02875@abyssus.doit.wisc.edu>

> so does
> % lsnrctl start < /dev/null > /dev/null 2>&1
>
> work for you?

That does work.

-mgs

From mouring at etoh.eviladmin.org Sat May 19 05:40:04 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Fri, 18 May 2001 14:40:04 -0500 (CDT)
Subject: ssh-keyscan for ssh2 (was Re: openssh-2.9p1)
In-Reply-To:
Message-ID:

Ok.. Then DSA is missing and your function is misnamed. Remember we have RSA v1, RSA v2, and DSA v2 keys.

But it seems to work nicely.

- Ben

On Fri, 18 May 2001, Wayne Davison wrote:

> On Fri, 18 May 2001 mouring at etoh.eviladmin.org wrote:
> > I'm not seeing RSA protocol 2 keys.
>
> I think the following patch (applied after my first patch) will make
> this work. I had previously mentioned that my patch wasn't working with
> 2.5.2p2, and this patch fixes this (the returned key is "ssh-rsa").
>
> ..wayne..
>
> ---8<------8<------8<------8<---cut here--->8------>8------>8------>8---
> Index: ssh-keyscan.c
> --- old/ssh-keyscan.c Fri May 18 12:23:49 2001
> +++ ./ssh-keyscan.c Fri May 18 12:21:04 2001
> @@ -25,6 +25,7 @@ > #include "ssh1.h" > #include "key.h" > #include "kex.h" > +#include "compat.h" > #include "myproposal.h" > #include "packet.h" > #include "dispatch.h" > @@ -471,7 +472,7 @@ > void > congreet(int s) > { > - char buf[80], *cp; > + char buf[256], *cp; > size_t bufsiz; > int n = 0; > con *c = &fdcon[s]; > @@ -493,6 +494,12 @@ > } > *cp = '\0'; > fprintf(stderr, "# %s %s\n", c->c_name, buf); > + if (!(c->c_keytypes & 1)) { > + char remote_version[sizeof buf]; > + > + if (sscanf(buf, "SSH-%*d.%*d-%[^\n]\n", remote_version) == 1) > + compat_datafellows(remote_version); > + } > n = snprintf(buf, sizeof buf, "SSH-%d.%d-OpenSSH-keyscan\r\n", > c->c_keytypes & 1 ? PROTOCOL_MAJOR_1 : PROTOCOL_MAJOR_2, > c->c_keytypes & 1 ? PROTOCOL_MINOR_1 : PROTOCOL_MINOR_2); > ---8<------8<------8<------8<---cut here--->8------>8------>8------>8--- > > From Markus.Friedl at informatik.uni-erlangen.de Sat May 19 05:52:26 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 18 May 2001 21:52:26 +0200 Subject: hung SSH on Solaris when starting Oracle In-Reply-To: <200105181948.f4IJmgU02875@abyssus.doit.wisc.edu>; from msimpson@abyssus.doit.wisc.edu on Fri, May 18, 2001 at 02:48:42PM -0500 References: <20010518174935.B18028@folly> <200105181948.f4IJmgU02875@abyssus.doit.wisc.edu> Message-ID: <20010518215226.B4840@faui02.informatik.uni-erlangen.de> On Fri, May 18, 2001 at 02:48:42PM -0500, Mike Simpson wrote: > > so does > > % lsnrctl start < /dev/null > /dev/null 2>&1 > > > > work for you? > > That does work. so should we recommend this in the FAQ? From dwd at bell-labs.com Sat May 19 05:59:24 2001 
From: dwd at bell-labs.com (Dave Dykstra) Date: Fri, 18 May 2001 14:59:24 -0500 Subject: patch to change sprintf to snprintf in inet_ntop.c for SunOS4 Message-ID: <20010518145924.A28725@lucent.com> I found that inet_ntop.c was depending on the return value of sprintf to return an int, but on SunOS4 it returns a char *. Snprintf is preferred anyway, so here's a patch to change the calls to use snprintf. Applies cleanly to the current CVS, and it was the only patch I need to apply to get 2.9p1 to build on SunOS4.1.4. On the other hand, I can't see any where inet_ntop is called, and the symbol doesn't appear anywhere in the binaries on SunOS4 or Solaris. Can the file just be deleted? - Dave Dykstra *** inet_ntop.c.O Fri May 18 15:00:35 2001 --- inet_ntop.c Fri May 18 15:01:00 2001 *************** *** 16,22 **** * SOFTWARE. */ ! #include "config.h" #ifndef HAVE_INET_NTOP --- 16,22 ---- * SOFTWARE. */ ! #include "includes.h" #ifndef HAVE_INET_NTOP *************** *** 104,110 **** static const char fmt[] = "%u.%u.%u.%u"; char tmp[sizeof "255.255.255.255"]; ! if (sprintf(tmp, fmt, src[0], src[1], src[2], src[3]) > size) { errno = ENOSPC; return (NULL); } --- 104,110 ---- static const char fmt[] = "%u.%u.%u.%u"; char tmp[sizeof "255.255.255.255"]; ! if (snprintf(tmp, sizeof tmp, fmt, src[0], src[1], src[2], src[3]) > size) { errno = ENOSPC; return (NULL); } *************** *** 190,196 **** tp += strlen(tp); break; } ! tp += sprintf(tp, "%x", words[i]); } /* Was it a trailing run of 0x00's? */ if (best.base != -1 && (best.base + best.len) == (IN6ADDRSZ / INT16SZ)) --- 190,196 ---- tp += strlen(tp); break; } ! tp += snprintf(tp, sizeof "ffff", "%x", words[i]); } /* Was it a trailing run of 0x00's? */ if (best.base != -1 && (best.base + best.len) == (IN6ADDRSZ / INT16SZ)) From msimpson at abyssus.doit.wisc.edu Sat May 19 06:00:48 2001 
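Review bot: in the include hunk, switching from "config.h" to "includes.h" matters beyond style: SunOS 4 has no snprintf in libc, so this file can only build there if includes.h is what declares the replacement; worth confirming that is where it comes from, since "config.h" alone would not have.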
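Review bot: in the inet_ntop4 hunk, the `> size` comparison now works on snprintf's integer return value, which is the point of the change, but it still admits a result of exactly `size` characters, which needs `size + 1` bytes once the string and its terminator are copied into a `size`-byte destination; `>= size` is the safe test.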
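Review bot: in the inet_ntop6 hunk, `snprintf(tp, sizeof "ffff", "%x", words[i])` bounds the write to five bytes regardless of how much room remains at `tp`, and `tp += ...` advances by the untruncated length if the output is ever cut, so the two no longer agree. Bounding by the space left in the destination buffer and checking the return value against that bound keeps `tp` inside the buffer.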
From: msimpson at abyssus.doit.wisc.edu (Mike Simpson) Date: Fri, 18 May 2001 15:00:48 -0500 Subject: hung SSH on Solaris when starting Oracle In-Reply-To: Your message of "Fri, 18 May 2001 21:52:26 +0200." <20010518215226.B4840@faui02.informatik.uni-erlangen.de> Message-ID: <200105182000.f4IK0mn03458@abyssus.doit.wisc.edu> > > > % lsnrctl start < /dev/null > /dev/null 2>&1 > so should we recommend this in the FAQ? It probably wouldn't hurt. You lose the startup confirmation messages, but you can verify the process is running with a ps, and then check the connection through sql*plus or the equivalent. -mgs From markus.friedl at informatik.uni-erlangen.de Sat May 19 06:05:42 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 18 May 2001 22:05:42 +0200
Subject: SSH connection hanging on logout
In-Reply-To: <20010518144856.15593.qmail@wizard.math.ualberta.ca>; from bowman@math.ualberta.ca on Fri, May 18, 2001 at 02:48:56PM -0000
References: <20010513184453.11194.qmail@wizard.math.ualberta.ca> <20010517000612.B14493@folly> <20010516221457.17527.qmail@wizard.math.ualberta.ca> <20010517162757.A7133@faui02.informatik.uni-erlangen.de> <20010517153518.9597.qmail@wizard.math.ualberta.ca> <20010517233823.A9231@folly> <20010518051822.9525.qmail@wizard.math.ualberta.ca> <20010518145015.A31903@folly> <20010518144856.15593.qmail@wizard.math.ualberta.ca>
Message-ID: <20010518220542.A16407@folly>

On Fri, May 18, 2001 at 02:48:56PM -0000, John Bowman wrote:
>
> >
> > these are still not the traces i'm looking for.
> > you need to make sure that SSHD still does
> > reads after the SIGCLD:
> >
> > debug1: Received SIGCHLD.
> > ...
> > debug3: channel 0: read rfd 10 len 16384
> >
> Sorry, I've tested many different cases, such as these ones
>
> ssh -v -v -v localhost dd if=/usr/local/netscape/netscape bs=1300000 count=10 | ( sleep 5 ; md5sum )
>
> ssh -v -v -v localhost dd if=/usr/local/netscape/netscape bs=1300000 count=10 | ( sleep 50 ; md5sum )
>
> ssh -v -v -v localhost dd if=/usr/local/netscape/netscape bs=1300000 count=1 | ( md5sum )

ok, so just fyi:

dd if=/bsd bs=65536 count=2

gets truncated on my openbsd development system.

you have to get into this situation:

shell writes last block into pipe to sshd process.
shell dies
not all data has been read from the pipe.

i can trigger this with

dd if=/bsd bs=65536 count=2

the figures should be different for other systems, but i think all systems will show this problem.

From wayne at blorf.net Sat May 19 06:25:05 2001
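The race Markus describes (the shell's last block is still sitting in the pipe when the SIGCHLD arrives) can be reproduced outside sshd. The following C program is an added example, not OpenSSH code: a child writes a block into a pipe and exits; the parent reaps it first, the equivalent of acting on SIGCHLD, and only then counts how much is still readable. Everything the child wrote is still there, so a reader that closes the channel when the child dies, rather than when read() returns 0, loses exactly that data. The 4096-byte block is chosen to fit in any pipe buffer so the child never blocks; the size at which a real shell hits this is system-dependent, as Markus says.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Reads fd until EOF (read() returns 0) and returns the byte count.  This is
 * the termination condition a channel reader needs: not "the child is gone"
 * but "the pipe has nothing more to give". */
long drain_until_eof(int fd)
{
    char buf[4096];
    long total = 0;
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0)
        total += n;
    return n < 0 ? -1 : total;
}

/* Forks a child that writes nbytes into a pipe and exits at once.  The parent
 * waits for the child to die before reading anything, then returns how many
 * bytes were still buffered in the pipe at that moment.  nbytes must not
 * exceed the pipe capacity, or the child would block instead of exiting. */
long pending_after_child_exit(size_t nbytes)
{
    int fds[2], status;
    pid_t pid;

    if (pipe(fds) < 0)
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        /* child: plays the shell writing its final output and exiting */
        char buf[4096];
        size_t off = 0;
        close(fds[0]);
        memset(buf, 'x', sizeof buf);
        while (off < nbytes) {
            size_t want = nbytes - off < sizeof buf ? nbytes - off : sizeof buf;
            ssize_t w = write(fds[1], buf, want);
            if (w <= 0)
                _exit(1);
            off += (size_t)w;
        }
        _exit(0);        /* gone, with the data still unread in the pipe */
    }
    close(fds[1]);       /* parent keeps only the read end */

    /* Reap the child first: this is the moment sshd sees SIGCHLD.  A reader
     * that shut the channel here would never see the bytes counted below. */
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        close(fds[0]);
        return -1;
    }
    long pending = drain_until_eof(fds[0]);
    close(fds[0]);
    return pending;
}

int main(void)
{
    long n = pending_after_child_exit(4096);
    printf("child reaped; %ld bytes were still readable from the pipe\n", n);
    return n == 4096 ? 0 : 1;
}
```

On every system the child's exit is observed before its output has been consumed, which is why the only safe close condition for the channel's read side is EOF on the descriptor.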
From: wayne at blorf.net (Wayne Davison) Date: Fri, 18 May 2001 13:25:05 -0700 (PDT) Subject: ssh-keyscan for ssh2 (was Re: openssh-2.9p1) In-Reply-To: Message-ID: On Fri, 18 May 2001 mouring at etoh.eviladmin.org wrote: > Ok.. Then DSA is missing and your function is misnamed. > Remember we have RSA v1, RSA v2, and DSA v2 keys. I didn't realize that when I named the functions, but I do now. The following patch changes the function names, adds the xfree(c->c_kex) suggestion, and paranoidly sets datafellows to zero if the sscanf() fails (for some oddball reason). I'm unsure what you mean by "Then DSA is missing", though. If there is still a problem here, let me know. > But it seems to work nicely. Cool. I hope you find it useful. ..wayne.. ---8<------8<------8<------8<---cut here--->8------>8------>8------>8--- Index: ssh-keyscan.c --- old/ssh-keyscan.c Fri May 18 13:15:26 2001 +++ ./ssh-keyscan.c Fri May 18 13:17:03 2001 @@ -279,7 +279,7 @@ } Key * -keygrab_rsa(con *c) +keygrab_ssh1(con *c) { static Key *rsa; static Buffer msg; @@ -319,7 +319,7 @@ } Key * -keygrab_dsa(con *c) +keygrab_ssh2(con *c) { Key *key; @@ -333,6 +333,8 @@ fprintf(stderr, "Impossible! dispatch_run() returned!\n"); exit(1); } + xfree(c->c_kex); + c->c_kex = NULL; packet_close(); return (key); @@ -499,6 +501,8 @@ if (sscanf(buf, "SSH-%*d.%*d-%[^\n]\n", remote_version) == 1) compat_datafellows(remote_version); + else + datafellows = 0; } n = snprintf(buf, sizeof buf, "SSH-%d.%d-OpenSSH-keyscan\r\n", c->c_keytypes & 1 ? PROTOCOL_MAJOR_1 : PROTOCOL_MAJOR_2, @@ -509,7 +513,7 @@ return; } if (!(c->c_keytypes & 1)) { - keyprint(c, keygrab_dsa(c)); + keyprint(c, keygrab_ssh2(c)); c->c_keytypes &= ~2; confree(s); return; 
@@ -546,7 +550,7 @@ c->c_status = CS_KEYS; break; case CS_KEYS: - keyprint(c, keygrab_rsa(c)); + keyprint(c, keygrab_ssh1(c)); c->c_keytypes &= ~1; if (c->c_keytypes) ---8<------8<------8<------8<---cut here--->8------>8------>8------>8--- From mouring at etoh.eviladmin.org Sat May 19 06:26:12 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Fri, 18 May 2001 15:26:12 -0500 (CDT) Subject: ssh-keyscan for ssh2 (was Re: openssh-2.9p1) In-Reply-To: Message-ID: When I mean by missing.. How do I pull DSAv2 keys from a remote machine using your patch? What is needed is: -1 -- RSA Protocol 1 Keys -R -- RSA Protocol 2 Keys -D -- DSA Protocol 2 Keys This is a patch which is against your current version --- ../xxh/ssh-keyscan.c Fri May 18 10:26:38 2001 +++ ssh-keyscan.c Fri May 18 10:27:20 2001 @@ -44,7 +44,7 @@ int IPv4or6 = AF_UNSPEC; #endif -int get_keytypes = 1; /* Get only RSA keys by default */ +int get_keytypes = 1; /* Get only RSA1 keys by default */ #define MAXMAXFD 256 @@ -78,7 +78,7 @@ int c_plen; /* Packet length field for ssh packet */ int c_len; /* Total bytes which must be read. */ int c_off; /* Length of data read so far. */ - int c_keytypes; /* bits: 1 = get RSA, 2 = get DSA */ + int c_keytypes; /* bits: 1 = RSA1, 2 = DSA, 4 = RSA */ char *c_namebase; /* Address to free for c_name and c_namelist */ char *c_name; /* Hostname of connection for errors */ char *c_namelist; /* Pointer to other possible addresses */ @@ -319,12 +319,16 @@ } Key * -keygrab_ssh2(con *c) +keygrab_ssh2(con *c, int keytypes) { Key *key; packet_set_connection(c->c_fd, c->c_fd); packet_set_ssh2_format(); + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-rsa"; + if (keytypes == 2) + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-dss"; + c->c_kex = kex_setup(myproposal); c->c_kex->check_host_key = hostjump; 
@@ -496,7 +500,7 @@ } *cp = '\0'; fprintf(stderr, "# %s %s\n", c->c_name, buf); - if (!(c->c_keytypes & 1)) { + if (c->c_keytypes == 2 || c->c_keytypes == 4) { char remote_version[sizeof buf]; if (sscanf(buf, "SSH-%*d.%*d-%[^\n]\n", remote_version) == 1) @@ -512,12 +516,11 @@ confree(s); return; } - if (!(c->c_keytypes & 1)) { - keyprint(c, keygrab_ssh2(c)); - c->c_keytypes &= ~2; + if (c->c_keytypes == 2 || c->c_keytypes == 4) { + keyprint(c, keygrab_ssh2(c,c->c_keytypes)); confree(s); return; - } + } c->c_status = CS_SIZE; contouch(s); } @@ -625,7 +628,6 @@ static Linebuf *lb; char *fname; int first_proto_option = 1; - for (;;) { if (lb) { char *line; @@ -659,12 +661,25 @@ lb = Linebuf_alloc(fname, error); goto double_break; case '1': - case '2': if (first_proto_option) { get_keytypes = 0; first_proto_option = 0; } - get_keytypes |= argv[argno][0] - '0'; + get_keytypes |= 1; + break; + case 'D': + if (first_proto_option) { + get_keytypes = 0; + first_proto_option = 0; + } + get_keytypes |= 2; + break; + case 'R': + if (first_proto_option) { + get_keytypes = 0; + first_proto_option = 0; + } + get_keytypes |= 4; break; case '4': IPv4or6 = AF_INET; @@ -686,7 +701,7 @@ void usage(void) { - fatal("usage: %s [-t timeout] { [-1|-2|-4|-6] [--] host | -f file } ...", + fatal("usage: %s [-t timeout] { [-1|-R|-D|-4|-6] [--] host | -f file } ...", __progname); return; } From wayne at blorf.net Sat May 19 06:44:37 2001 
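Review bot: in Wayne's `congreet` hunk, `else datafellows = 0;` covers the failed sscanf, but the reset only happens inside `if (!(c->c_keytypes & 1))`, and `datafellows` is still a process-wide global shared by every `fdcon[]` connection in flight, so the flags of the last host to greet apply to whichever protocol 2 exchange runs next. Setting it unconditionally at the start of `keygrab_ssh2`, right before `kex_setup`, is the safer place.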
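Review bot: in Wayne's `keygrab_ssh2` hunk, `xfree(c->c_kex)` releases the struct returned by `kex_setup`, but anything allocated and hung off it during the exchange would leak on every scanned host; if kex.c offers a routine that tears down the whole object, prefer that over freeing the struct directly.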
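Review bot: in Ben's `keygrab_ssh2` hunk, `if (keytypes == 2)` selects ssh-dss and everything else gets ssh-rsa, while the callers in the `congreet` and dispatch hunks test `c->c_keytypes == 2 || c->c_keytypes == 4`. With `-D -R` both bits are set (6), so neither test matches and no protocol 2 key is fetched at all, which is the "-DR does not work" symptom reported below. Test the bits individually (`& 4`, then `& 2`), run one exchange per requested algorithm, and clear each bit after its key is printed the way the removed `c->c_keytypes &= ~2` did.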
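Review bot: in Ben's option-parsing hunk, the `'1'`, `'D'` and `'R'` cases each repeat the `first_proto_option` reset; a shared fall-through that only differs in the bit value would keep them in step. The blank line deleted before `for (;;)` is an unrelated whitespace change. Since `-2` no longer exists under this scheme, the ssh-keyscan.1 patch earlier in the thread, which documents `-2` and `-12`, would need to follow the usage string changed in the last hunk.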
From: wayne at blorf.net (Wayne Davison) Date: Fri, 18 May 2001 13:44:37 -0700 (PDT) Subject: ssh-keyscan for ssh2 (was Re: openssh-2.9p1) In-Reply-To: <20010518182119.C18028@folly> Message-ID: On Fri, 18 May 2001, Markus Friedl wrote: > you need this if you want to select DSA vs RSA: > > myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-dss"; I'm still learning about all the subtleties here, so I don't know if I want to select DSA vs RSA or not. Without this change, my patched ssh-keyscan returns a ssh-rsa key from a 2.5.2p2 host. With this change it returns a ssh-dss key. Do we want both keys or just the ssh-dss key? Should this decision be different for older server versions? ..wayne.. From mouring at etoh.eviladmin.org Sat May 19 06:36:39 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Fri, 18 May 2001 15:36:39 -0500 (CDT) Subject: ssh-keyscan for ssh2 (was Re: openssh-2.9p1) In-Reply-To: Message-ID: Hmm.. not fully right.. -DR does not work. - Ben On Fri, 18 May 2001 mouring at etoh.eviladmin.org wrote: > > When I mean by missing.. How do I pull DSAv2 keys from a remote machine > using your patch? > > What is needed is: > > -1 -- RSA Protocol 1 Keys > -R -- RSA Protocol 2 Keys > -D -- DSA Protocol 2 Keys > > > This is a patch which is against your current version > > --- ../xxh/ssh-keyscan.c Fri May 18 10:26:38 2001 > +++ ssh-keyscan.c Fri May 18 10:27:20 2001 > @@ -44,7 +44,7 @@ > int IPv4or6 = AF_UNSPEC; > #endif > > -int get_keytypes = 1; /* Get only RSA keys by default */ > +int get_keytypes = 1; /* Get only RSA1 keys by default */ > > #define MAXMAXFD 256 
> > @@ -78,7 +78,7 @@ > int c_plen; /* Packet length field for ssh packet */ > int c_len; /* Total bytes which must be read. */ > int c_off; /* Length of data read so far. */ > - int c_keytypes; /* bits: 1 = get RSA, 2 = get DSA */ > + int c_keytypes; /* bits: 1 = RSA1, 2 = DSA, 4 = RSA */ > char *c_namebase; /* Address to free for c_name and c_namelist */ > char *c_name; /* Hostname of connection for errors */ > char *c_namelist; /* Pointer to other possible addresses */ > @@ -319,12 +319,16 @@ > } > > Key * > -keygrab_ssh2(con *c) > +keygrab_ssh2(con *c, int keytypes) > { > Key *key; > > packet_set_connection(c->c_fd, c->c_fd); > packet_set_ssh2_format(); > + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-rsa"; > + if (keytypes == 2) > + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-dss"; > + > c->c_kex = kex_setup(myproposal); > c->c_kex->check_host_key = hostjump; > > @@ -496,7 +500,7 @@ > } > *cp = '\0'; > fprintf(stderr, "# %s %s\n", c->c_name, buf); > - if (!(c->c_keytypes & 1)) { > + if (c->c_keytypes == 2 || c->c_keytypes == 4) { > char remote_version[sizeof buf]; > > if (sscanf(buf, "SSH-%*d.%*d-%[^\n]\n", remote_version) == 1) > @@ -512,12 +516,11 @@ > confree(s); > return; > } > - if (!(c->c_keytypes & 1)) { > - keyprint(c, keygrab_ssh2(c)); > - c->c_keytypes &= ~2; > + if (c->c_keytypes == 2 || c->c_keytypes == 4) { > + keyprint(c, keygrab_ssh2(c,c->c_keytypes)); > confree(s); > return; > - } > + } > c->c_status = CS_SIZE; > contouch(s); > } > @@ -625,7 +628,6 @@ > static Linebuf *lb; > char *fname; > int first_proto_option = 1; > - > for (;;) { > if (lb) { > char *line; 
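Review bot: in the -319 hunk `if (keytypes == 2)` is the only path that selects ssh-dss, and the caller passes the whole c_keytypes mask, so a combined -D -R (mask 6) always proposes ssh-rsa and the DSA key is never requested. Select on the bit (`keytypes & 2`) and, once that key is printed, clear the bit and run a second exchange for ssh-rsa; one key exchange can only yield the single host key type that was proposed.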
> @@ -659,12 +661,25 @@ > lb = Linebuf_alloc(fname, error); > goto double_break; > case '1': > - case '2': > if (first_proto_option) { > get_keytypes = 0; > first_proto_option = 0; > } > - get_keytypes |= argv[argno][0] - '0'; > + get_keytypes |= 1; > + break; > + case 'D': > + if (first_proto_option) { > + get_keytypes = 0; > + first_proto_option = 0; > + } > + get_keytypes |= 2; > + break; > + case 'R': > + if (first_proto_option) { > + get_keytypes = 0; > + first_proto_option = 0; > + } > + get_keytypes |= 4; > break; > case '4': > IPv4or6 = AF_INET; > @@ -686,7 +701,7 @@ > void > usage(void) > { > - fatal("usage: %s [-t timeout] { [-1|-2|-4|-6] [--] host | -f file } ...", > + fatal("usage: %s [-t timeout] { [-1|-R|-D|-4|-6] [--] host | -f file } ...", > __progname); > return; > } > > From Florian.Weimer at RUS.Uni-Stuttgart.DE Sat May 19 06:52:21 2001 From: Florian.Weimer at RUS.Uni-Stuttgart.DE (Florian Weimer) Date: 18 May 2001 22:52:21 +0200 Subject: scp: Problem when source and destination are identical In-Reply-To: <20010518214213.G18028@folly> (Markus Friedl's message of "Fri, 18 May 2001 21:42:13 +0200") References: <20010518214213.G18028@folly> Message-ID: Markus Friedl writes: > this restores the rcp behaviour. Looks good. I think it's even faster because the file system can use already allocated blocks. -- Florian Weimer Florian.Weimer at RUS.Uni-Stuttgart.DE University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898 From wayne at blorf.net Sat May 19 07:00:02 2001 
From: wayne at blorf.net (Wayne Davison) Date: Fri, 18 May 2001 14:00:02 -0700 (PDT) Subject: ssh-keyscan for ssh2 (was Re: openssh-2.9p1) In-Reply-To: Message-ID: On Fri, 18 May 2001 mouring at etoh.eviladmin.org wrote: > Hmm.. not fully right.. -DR does not work. Yeah, I was about to mention that. Here's my fix. Note that the c_keytypes value can have all bits on (7), and we grab the keys in order of bits 1, 2, then 4. ..wayne.. ---8<------8<------8<------8<---cut here--->8------>8------>8------>8--- Index: ssh-keyscan.c --- old/ssh-keyscan.c Fri May 18 13:48:58 2001 +++ ./ssh-keyscan.c Fri May 18 13:55:34 2001 @@ -319,16 +319,14 @@ } Key * -keygrab_ssh2(con *c, int keytypes) +keygrab_ssh2(con *c) { Key *key; packet_set_connection(c->c_fd, c->c_fd); packet_set_ssh2_format(); - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-rsa"; - if (keytypes == 2) - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-dss"; - + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = c->c_keytypes & 2? + "ssh-dss": "ssh-rsa"; c->c_kex = kex_setup(myproposal); c->c_kex->check_host_key = hostjump; @@ -500,7 +498,7 @@ } *cp = '\0'; fprintf(stderr, "# %s %s\n", c->c_name, buf); - if (c->c_keytypes == 2 || c->c_keytypes == 4) { + if (!(c->c_keytypes & 1)) { char remote_version[sizeof buf]; if (sscanf(buf, "SSH-%*d.%*d-%[^\n]\n", remote_version) == 1) @@ -516,9 +514,16 @@ confree(s); return; } - if (c->c_keytypes == 2 || c->c_keytypes == 4) { - keyprint(c, keygrab_ssh2(c,c->c_keytypes)); - confree(s); + if (!(c->c_keytypes & 1)) { + keyprint(c, keygrab_ssh2(c)); + if (c->c_keytypes & 2) + c->c_keytypes &= ~2; + else + c->c_keytypes &= ~4; + if (c->c_keytypes) + conrecycle(s, 1); + else + confree(s); return; } c->c_status = CS_SIZE; ---8<------8<------8<------8<---cut here--->8------>8------>8------>8--- From Markus.Friedl at informatik.uni-erlangen.de Sat May 19 07:06:38 2001 
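Review bot: the -516 hunk calls `conrecycle(s, 1)`, but this diff contains no hunk changing conrecycle(), and the two-argument `include_current_host` form that call needs only shows up (being removed again) in the follow-up patch; the matching CS_KEYS change that clears bit 1 after a protocol 1 key is absent here as well, so the diff as posted does not build on its own. Please post it together with those hunks.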
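Review bot: in the -319 hunk the ternary selects ssh-dss whenever bit 2 is still set and relies on the caller clearing that bit before the ssh-rsa pass; that ordering contract between keygrab_ssh2() and congreet() deserves a one-line comment next to `c->c_keytypes & 2? "ssh-dss": "ssh-rsa"`, since keygrab_ssh2() no longer receives the key type as an argument.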
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 18 May 2001 23:06:38 +0200
Subject: ssh-keyscan for ssh2 (was Re: openssh-2.9p1)
In-Reply-To: ; from wayne@blorf.net on Fri, May 18, 2001 at 01:44:37PM -0700
References: <20010518182119.C18028@folly>
Message-ID: <20010518230638.C4840@faui02.informatik.uni-erlangen.de>

On Fri, May 18, 2001 at 01:44:37PM -0700, Wayne Davison wrote:
> On Fri, 18 May 2001, Markus Friedl wrote:
> > you need this if you want to select DSA vs RSA:
> >
> > myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-dss";
>
> I'm still learning about all the subtleties here, so I don't know if I
> want to select DSA vs RSA or not. Without this change, my patched
> ssh-keyscan returns an ssh-rsa key from a 2.5.2p2 host. With this change
> it returns an ssh-dss key. Do we want both keys or just the ssh-dss key?
> Should this decision be different for older server versions?

i think we should have -t {rsa1,dsa,rsa} just like ssh-keygen (ok, -t is already used for timeout).

From wayne at blorf.net Sat May 19 07:19:57 2001
From: wayne at blorf.net (Wayne Davison)
Date: Fri, 18 May 2001 14:19:57 -0700 (PDT)
Subject: ssh-keyscan for ssh2 (was Re: openssh-2.9p1)
In-Reply-To: Message-ID:

On Fri, 18 May 2001, Wayne Davison wrote:
> we grab the keys in order of bits 1, 2, then 4.

I should really revisit this decision to see what you all think. The current code does not try to contact the same host in parallel, and maybe it should. So, if you run "ssh-keyscan -1 -D foo.bar", it first asks for the RSA1 key, then the DSA key if it was successful. I could change it so that it fired off both (all) requests in parallel to the same host. Thoughts?

..wayne..

From wayne at blorf.net Sat May 19 07:40:18 2001
From: wayne at blorf.net (Wayne Davison) Date: Fri, 18 May 2001 14:40:18 -0700 (PDT) Subject: ssh-keyscan for ssh2 (was Re: openssh-2.9p1) In-Reply-To: Message-ID: On Fri, 18 May 2001, Wayne Davison wrote: > I could change it so that it fired off both (all) requests in parallel > to the same host. I had some free time, so here's a patch that implements this. If you like the idea, apply it after my last patch. ..wayne.. ---8<------8<------8<------8<---cut here--->8------>8------>8------>8--- Index: ssh-keyscan.c --- old/ssh-keyscan.c Fri May 18 14:20:53 2001 +++ ./ssh-keyscan.c Fri May 18 14:31:17 2001 @@ -44,7 +44,11 @@ int IPv4or6 = AF_UNSPEC; #endif -int get_keytypes = 1; /* Get only RSA1 keys by default */ +#define KT_RSA1 1 +#define KT_DSA 2 +#define KT_RSA 4 + +int get_keytypes = KT_RSA1; /* Get only RSA1 keys by default */ #define MAXMAXFD 256 @@ -78,7 +82,7 @@ int c_plen; /* Packet length field for ssh packet */ int c_len; /* Total bytes which must be read. */ int c_off; /* Length of data read so far. */ - int c_keytypes; /* bits: 1 = RSA1, 2 = DSA, 4 = RSA */ + int c_keytype; /* Only one of KT_RSA1, KT_DSA, or KT_RSA */ char *c_namebase; /* Address to free for c_name and c_namelist */ char *c_name; /* Hostname of connection for errors */ char *c_namelist; /* Pointer to other possible addresses */ @@ -325,7 +329,7 @@ packet_set_connection(c->c_fd, c->c_fd); packet_set_ssh2_format(); - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = c->c_keytypes & 2? + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = c->c_keytype == KT_DSA? "ssh-dss": "ssh-rsa"; c->c_kex = kex_setup(myproposal); c->c_kex->check_host_key = hostjump; @@ -387,7 +391,7 @@ } int -conalloc(char *iname, char *oname, int keytypes) +conalloc(char *iname, char *oname, int keytype) { int s; char *namebase, *name, *namelist; 
@@ -416,7 +420,7 @@ fdcon[s].c_data = (char *) &fdcon[s].c_plen; fdcon[s].c_len = 4; fdcon[s].c_off = 0; - fdcon[s].c_keytypes = keytypes; + fdcon[s].c_keytype = keytype; gettimeofday(&fdcon[s].c_tv, NULL); fdcon[s].c_tv.tv_sec += timeout; TAILQ_INSERT_TAIL(&tq, &fdcon[s], c_link); @@ -451,23 +455,17 @@ } int -conrecycle(int s, int include_current_host) +conrecycle(int s) { int ret; con *c = &fdcon[s]; char *iname, *oname; - int keytypes = c->c_keytypes; + int keytype = c->c_keytype; - if (include_current_host) { - iname = xmalloc(strlen(c->c_name) + strlen(c->c_namelist) + 2); - strcpy(iname, c->c_name); - if (*c->c_namelist) - sprintf(iname + strlen(iname), ",%s", c->c_namelist); - } else - iname = xstrdup(c->c_namelist); + iname = xstrdup(c->c_namelist); oname = xstrdup(c->c_output_name); confree(s); - ret = conalloc(iname, oname, keytypes); + ret = conalloc(iname, oname, keytype); xfree(iname); xfree(oname); return (ret); @@ -488,7 +486,7 @@ if (n < 0) { if (errno != ECONNREFUSED) error("read (%s): %s", c->c_name, strerror(errno)); - conrecycle(s, 0); + conrecycle(s); return; } if (*cp != '\n' && *cp != '\r') { @@ -498,7 +496,7 @@ } *cp = '\0'; fprintf(stderr, "# %s %s\n", c->c_name, buf); - if (!(c->c_keytypes & 1)) { + if (c->c_keytype != KT_RSA1) { char remote_version[sizeof buf]; if (sscanf(buf, "SSH-%*d.%*d-%[^\n]\n", remote_version) == 1) 
@@ -507,23 +505,16 @@ datafellows = 0; } n = snprintf(buf, sizeof buf, "SSH-%d.%d-OpenSSH-keyscan\r\n", - c->c_keytypes & 1 ? PROTOCOL_MAJOR_1 : PROTOCOL_MAJOR_2, - c->c_keytypes & 1 ? PROTOCOL_MINOR_1 : PROTOCOL_MINOR_2); + c->c_keytype == KT_RSA1? PROTOCOL_MAJOR_1 : PROTOCOL_MAJOR_2, + c->c_keytype == KT_RSA1? PROTOCOL_MINOR_1 : PROTOCOL_MINOR_2); if (atomicio(write, s, buf, n) != n) { error("write (%s): %s", c->c_name, strerror(errno)); confree(s); return; } - if (!(c->c_keytypes & 1)) { + if (c->c_keytype != KT_RSA1) { keyprint(c, keygrab_ssh2(c)); - if (c->c_keytypes & 2) - c->c_keytypes &= ~2; - else - c->c_keytypes &= ~4; - if (c->c_keytypes) - conrecycle(s, 1); - else - confree(s); + confree(s); return; } c->c_status = CS_SIZE; @@ -559,12 +550,7 @@ break; case CS_KEYS: keyprint(c, keygrab_ssh1(c)); - c->c_keytypes &= ~1; - - if (c->c_keytypes) - conrecycle(s, 1); - else - confree(s); + confree(s); return; break; default: @@ -623,7 +609,7 @@ int s = c->c_fd; c = c->c_link.tqe_next; - conrecycle(s, 0); + conrecycle(s); } } @@ -670,21 +656,21 @@ get_keytypes = 0; first_proto_option = 0; } - get_keytypes |= 1; + get_keytypes |= KT_RSA1; break; case 'D': if (first_proto_option) { get_keytypes = 0; first_proto_option = 0; } - get_keytypes |= 2; + get_keytypes |= KT_DSA; break; case 'R': if (first_proto_option) { get_keytypes = 0; first_proto_option = 0; } - get_keytypes |= 4; + get_keytypes |= KT_RSA; break; case '4': IPv4or6 = AF_INET; @@ -758,12 +744,16 @@ do { while (ncon < MAXCON) { char *name; + int j; host = nexthost(argc, argv); if (host == NULL) break; name = strnnsep(&host, " \t\n"); - conalloc(name, *host ? host : name, get_keytypes); + for (j = KT_RSA1; j <= KT_RSA; j *= 2) { + if (get_keytypes & j) + conalloc(name, *host ? host : name, j); + } } conloop(); } while (host); ---8<------8<------8<------8<---cut here--->8------>8------>8------>8--- From mouring at etoh.eviladmin.org Sat May 19 07:30:10 2001 
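Review bot: in the -758 hunk `while (ncon < MAXCON)` is evaluated once per host, but the new inner `for (j = KT_RSA1; j <= KT_RSA; j *= 2)` loop then calls conalloc() up to three times for that host, so ncon can finish two above MAXCON; either require `ncon + n <= MAXCON` for the number of selected key types before entering the inner loop or re-test ncon inside it.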
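Review bot: conalloc() in the -387 hunk takes `keytype` on trust even though the c_keytype comment in the -78 hunk says it holds exactly one of KT_RSA1, KT_DSA or KT_RSA; a cheap `keytype & (keytype - 1)` check (or a switch with a fatal() default) in conalloc() would catch a caller passing the combined mask, which is exactly the mistake the earlier version of this patch made.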
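Review bot: the two ternaries in the -507 hunk (`c->c_keytype == KT_RSA1? PROTOCOL_MAJOR_1 : ...`) lack the space before `?` that the surrounding code uses, and the same `c->c_keytype == KT_RSA1` comparison now appears three times in congreet(); a single `int proto1 = (c->c_keytype == KT_RSA1);` at the top of the function reads better and keeps the two protocol checks from diverging.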
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Fri, 18 May 2001 16:30:10 -0500 (CDT)
Subject: ssh-keyscan for ssh2 (was Re: openssh-2.9p1)
In-Reply-To: Message-ID:

Don't know.. Is it worth it to you, Markus?

ssh-keyscan -1RD to my local OpenBSD sparc takes around 9 seconds to request all three, where the v2 protocols eat up the most time (about 4 seconds for each v2 key). Keep in mind that sparc is only a 150mhz SS20. So it's not the fastest box in the world.

I've tried a few other servers I log into and they are around 3 - 5 seconds to fetch all 3 keys. So I don't know if parallelizing them (except for large multi-subnet searches) is worth it.

- Ben

On Fri, 18 May 2001, Wayne Davison wrote:
> On Fri, 18 May 2001, Wayne Davison wrote:
> > we grab the keys in order of bits 1, 2, then 4.
>
> I should really revisit this decision to see what you all think. The
> current code does not try to contact the same host in parallel, and
> maybe it should. So, if you run "ssh-keyscan -1 -D foo.bar", it first
> asks for the RSA1 key, then the DSA key if it was successful. I could
> change it so that it fired off both (all) requests in parallel to the
> same host. Thoughts?
>
> ..wayne..
>

From jason at shalott.net Sat May 19 08:07:34 2001
From: jason at shalott.net (Jason Stone)
Date: Fri, 18 May 2001 15:07:34 -0700 (PDT)
Subject: scp: Problem when source and destination are identical
In-Reply-To: Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> It would be interesting to know how rcp is able to handle this...

ssh.com's scp also successfully copies a file on top of itself. OpenSSH opens the destination file O_TRUNC, while rcp and ssh.com scp don't.

In my opinion, opening the file O_TRUNC is the right thing to do because in the usual case (scp from one system to another), you expect the destination file to be truncated to 0 length before you start - you don't want to start copying a new file over an old one and then end up with a weird combination of both should the scp die in the middle....

-Jason

---------------------------
If the Revolution comes to grief, it will be because you and those you lead have become alarmed at your own brutality. --John Gardner

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE7BZ0uswXMWWtptckRAvDxAJ99SmyF+4Qffkxo79dR5sRaQ0KEmgCcC+em
HD13Xfa9fAcOPTZp09ePxvk=
=I0GZ
-----END PGP SIGNATURE-----

From mouring at etoh.eviladmin.org Sat May 19 08:04:14 2001
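The failure mode Jason describes, worked through as an added example that is not part of the thread and not OpenSSH or rcp code: copy_trunc() mimics a sink that opens the destination with O_TRUNC, copy_safe() opens the destination without truncating, compares the inodes of the two already-open descriptors, and truncates only when they differ, and run_demo() copies a temporary file onto itself both ways and reports what survived. All three function names, the payload and the temp file location are constructed for this example.

```c
/* Added example, not OpenSSH code: copying a file onto itself through an
 * O_TRUNC sink destroys it; opening the sink without O_TRUNC, comparing
 * inodes on the open descriptors, and truncating only when they differ
 * keeps the "truncate before writing" property for the normal case.
 * copy_trunc(), copy_safe() and run_demo() are constructed for this demo. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Pump bytes from in to out; returns bytes copied or -1 on error. */
static long pump(int in, int out)
{
    char buf[4096];
    long total = 0;
    ssize_t n;

    while ((n = read(in, buf, sizeof buf)) > 0) {
        if (write(out, buf, (size_t)n) != n)
            return -1;
        total += n;
    }
    return n < 0 ? -1 : total;
}

/* Sink that truncates first. When src and dst are the same file, the
 * O_TRUNC happens before any read, so the copy "succeeds" with zero
 * bytes and the data is gone. */
long copy_trunc(const char *src, const char *dst)
{
    int in, out;
    long n;

    if ((in = open(src, O_RDONLY)) < 0)
        return -1;
    if ((out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0600)) < 0) {
        close(in);
        return -1;
    }
    n = pump(in, out);
    close(in);
    close(out);
    return n;
}

/* Sink that opens without O_TRUNC, checks for the same inode on the open
 * descriptors (no path-based race), and only then truncates and copies. */
long copy_safe(const char *src, const char *dst)
{
    struct stat ss, ds;
    int in, out;
    long n = -1;

    if ((in = open(src, O_RDONLY)) < 0)
        return -1;
    if ((out = open(dst, O_WRONLY | O_CREAT, 0600)) < 0) {
        close(in);
        return -1;
    }
    if (fstat(in, &ss) == 0 && fstat(out, &ds) == 0) {
        if (ss.st_dev == ds.st_dev && ss.st_ino == ds.st_ino)
            n = (long)ss.st_size;       /* same file: leave it intact */
        else if (ftruncate(out, 0) == 0)
            n = pump(in, out);
    }
    close(in);
    close(out);
    return n;
}

#define PAYLOAD "host key material\n"   /* constructed sample content */

/* Writes PAYLOAD to a temp file, copies it onto itself both ways.
 * Returns 1 when the truncating copy emptied the file and the safe copy
 * kept it, 0 on any other outcome or on a setup error. */
int run_demo(void)
{
    char tmp[] = "/tmp/selfcopy.XXXXXX", local[] = "selfcopy.XXXXXX";
    char *path = tmp;
    struct stat st;
    long want = (long)(sizeof PAYLOAD - 1), safe, after_safe, trunc, after_trunc;
    int fd, ok;

    if ((fd = mkstemp(path)) < 0 && (fd = mkstemp(path = local)) < 0)
        return 0;
    if (write(fd, PAYLOAD, (size_t)want) != want) {
        close(fd);
        unlink(path);
        return 0;
    }
    close(fd);

    safe = copy_safe(path, path);
    after_safe = stat(path, &st) == 0 ? (long)st.st_size : -1;
    trunc = copy_trunc(path, path);
    after_trunc = stat(path, &st) == 0 ? (long)st.st_size : -1;
    unlink(path);

    ok = safe == want && after_safe == want && trunc == 0 && after_trunc == 0;
    printf("safe copy kept %ld bytes, truncating copy left %ld bytes\n",
        after_safe, after_trunc);
    return ok;
}

int main(void)
{
    return run_demo() ? 0 : 1;
}
```

The inode comparison is done on the open descriptors rather than on the paths, so a rename between the check and the truncate cannot turn a "different file" verdict into a self-truncation; the normal remote-to-local case still gets a zero-length destination before the first byte is written, which is the property Jason wants to keep.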
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Fri, 18 May 2001 17:04:14 -0500 (CDT)
Subject: ssh-keyscan for ssh2 (was Re: openssh-2.9p1)
In-Reply-To: Message-ID:

> int > -conrecycle(int s, int include_current_host) > +conrecycle(int s) > { > int ret; > con *c = &fdcon[s]; > char *iname, *oname; > - int keytypes = c->c_keytypes; > + int keytype = c->c_keytype; > ^^^ Is this really needed any more? It's used once. > - if (include_current_host) { > - iname = xmalloc(strlen(c->c_name) + strlen(c->c_namelist) + 2); > - strcpy(iname, c->c_name); > - if (*c->c_namelist) > - sprintf(iname + strlen(iname), ",%s", c->c_namelist); > - } else > - iname = xstrdup(c->c_namelist); > + iname = xstrdup(c->c_namelist); > oname = xstrdup(c->c_output_name); > confree(s); > - ret = conalloc(iname, oname, keytypes); > + ret = conalloc(iname, oname, keytype); ^^^^^ ret = conalloc(iname, oname, c->c_keytype); instead?

Other than that.. Looks good to me.

Don't know if we want to move it to -t {rsa1,rsa,dsa} instead of -1 -R -D. Would that change -t [timeout] to -T [timeout] ?

- Ben

From wayne at blorf.net Sat May 19 08:29:37 2001
From: wayne at blorf.net (Wayne Davison)
Date: Fri, 18 May 2001 15:29:37 -0700 (PDT)
Subject: ssh-keyscan for ssh2 (was Re: openssh-2.9p1)
In-Reply-To: Message-ID:

On Fri, 18 May 2001 mouring at etoh.eviladmin.org wrote:
> > + int keytype = c->c_keytype;
> ^^^ Is this really needed any more? It's used once.

I thought it was needed because I thought confree() destroyed the structure "c" was pointing at, but I was apparently wrong about that. So, your change would simplify things a tad.

> Don't know if we want to move it to -t {rsa1,rsa,dsa} instead of -1 -R
> -D. Would that change -t [timeout] to -T [timeout] ?

It would make things a little more uniform at a small incompatibility cost (changing -t). How would we specify multiple queries? Multiple -t options, or a comma-separated value? E.g.

ssh-keyscan -t rsa1,dsa foo.com

I think that might be a nice way to go.

..wayne..

From mouring at etoh.eviladmin.org Sat May 19 08:25:17 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Fri, 18 May 2001 17:25:17 -0500 (CDT)
Subject: ssh-keyscan for ssh2 (was Re: openssh-2.9p1)
In-Reply-To: Message-ID:

On Fri, 18 May 2001, Wayne Davison wrote:
> On Fri, 18 May 2001 mouring at etoh.eviladmin.org wrote:
> > > + int keytype = c->c_keytype;
> > ^^^ Is this really needed any more? It's used once.
>
> I thought it was needed because I thought confree() destroyed the
> structure "c" was pointing at, but I was apparently wrong about that.
> So, your change would simplify things a tad.
>

You're right.. The code is currently right.

Which means that confree(s) is wrong. It does not currently set fdcon[c].keytype to -1.

> > Don't know if we want to move it to -t {rsa1,rsa,dsa} instead of -1 -R
> > -D. Would that change -t [timeout] to -T [timeout] ?
>
> It would make things a little more uniform at a small incompatibility
> cost (changing -t). How would we specify multiple queries? Multiple
> -t options, or a comma-separated value? E.g.
>
> ssh-keyscan -t rsa1,dsa foo.com
>
> I think that might be a nice way to go.
>

I think that is what Markus was referring to.

- Ben

From mouring at etoh.eviladmin.org Sat May 19 08:32:25 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Fri, 18 May 2001 17:32:25 -0500 (CDT)
Subject: ssh-keyscan for ssh2 (was Re: openssh-2.9p1)
In-Reply-To: Message-ID:

Better version of conrecycle()...

int
conrecycle(int s)
{
	int ret;
	con *c = &fdcon[s];

	ret = conalloc(c->c_namelist, c->c_output_name, c->c_keytype);
	confree(s);
	return (ret);
}

conalloc() xstrdup()s the first two arguments. So it's not required to do it again.

- Ben

On Fri, 18 May 2001 mouring at etoh.eviladmin.org wrote:
>
>
> On Fri, 18 May 2001, Wayne Davison wrote:
> > On Fri, 18 May 2001 mouring at etoh.eviladmin.org wrote:
> > > > + int keytype = c->c_keytype;
> > > ^^^ Is this really needed any more? It's used once.
> >
> > I thought it was needed because I thought confree() destroyed the
> > structure "c" was pointing at, but I was apparently wrong about that.
> > So, your change would simplify things a tad.
> >
>
> You're right.. The code is currently right.
>
> Which means that confree(s) is wrong. It does not currently set
> fdcon[c].keytype to -1.
>
> > > Don't know if we want to move it to -t {rsa1,rsa,dsa} instead of -1 -R
> > > -D. Would that change -t [timeout] to -T [timeout] ?
> >
> > It would make things a little more uniform at a small incompatibility
> > cost (changing -t). How would we specify multiple queries? Multiple
> > -t options, or a comma-separated value? E.g.
> >
> > ssh-keyscan -t rsa1,dsa foo.com
> >
> > I think that might be a nice way to go.
> >
>
> I think that is what Markus was referring to.
>
> - Ben
>

From wayne at blorf.net Sat May 19 18:43:52 2001
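One way to parse the `-t rsa1,dsa,rsa` syntax being proposed in these messages, as an added example rather than code from the thread or from ssh-keyscan: the KT_ values follow Wayne's patch, while parse_keytypes(), hostkey_alg_for(), expand_keytypes() and the keytype_tab[] table are names made up for this example. It also carries Markus's point about the host key proposal into code: each SSH-2 probe offers exactly one algorithm in the server host key list, so a mask with both SSH-2 bits set (the -D -R case that broke the first patch) has to become two separate exchanges.

```c
/* Added example, not ssh-keyscan code: parse the proposed "-t rsa1,dsa,rsa"
 * argument into a key-type mask, map each SSH-2 type to the single host
 * key algorithm to offer in the KEX proposal, and expand a mask into the
 * separate probes it needs. KT_ values follow the patch in this thread;
 * the table and function names are made up here. */
#include <stdio.h>
#include <string.h>

#define KT_RSA1 1               /* protocol 1 RSA host key */
#define KT_DSA  2               /* protocol 2, ssh-dss */
#define KT_RSA  4               /* protocol 2, ssh-rsa */

static const struct {
    const char *name;           /* what the user types after -t */
    int bit;                    /* KT_ value */
    const char *alg;            /* SSH-2 host key algorithm, NULL for v1 */
} keytype_tab[] = {
    { "rsa1", KT_RSA1, NULL },
    { "dsa",  KT_DSA,  "ssh-dss" },
    { "rsa",  KT_RSA,  "ssh-rsa" },
};
#define NKEYTYPES (sizeof keytype_tab / sizeof keytype_tab[0])

/* Exact, length-bounded table lookup; 0 means unknown (or empty) name. */
static int keytype_bit(const char *s, size_t len)
{
    size_t i;

    for (i = 0; i < NKEYTYPES; i++)
        if (strlen(keytype_tab[i].name) == len &&
            strncmp(keytype_tab[i].name, s, len) == 0)
            return keytype_tab[i].bit;
    return 0;
}

/* "rsa1,dsa" -> KT_RSA1|KT_DSA. Returns 0 for an unknown, empty or
 * repeated name, so a typo never silently scans nothing. */
int parse_keytypes(const char *spec)
{
    const char *p = spec, *comma;
    int mask = 0, bit;

    for (;;) {
        comma = strchr(p, ',');
        bit = keytype_bit(p, comma ? (size_t)(comma - p) : strlen(p));
        if (bit == 0 || (mask & bit))
            return 0;
        mask |= bit;
        if (comma == NULL)
            return mask;
        p = comma + 1;
    }
}

/* The one algorithm to put in the server host key proposal for a single
 * SSH-2 probe; the server can only answer with that key type. NULL for
 * KT_RSA1 (protocol 1 has no proposal) or for anything that is not exactly
 * one known bit, so a combined mask cannot slip through. */
const char *hostkey_alg_for(int keytype)
{
    size_t i;

    for (i = 0; i < NKEYTYPES; i++)
        if (keytype_tab[i].bit == keytype)
            return keytype_tab[i].alg;
    return NULL;
}

/* Split a mask into the probes it requires, lowest bit first (rsa1, dsa,
 * rsa); a mask of 6 (-D -R) therefore yields two SSH-2 exchanges. */
int expand_keytypes(int mask, int probes[3])
{
    int j, n = 0;

    for (j = KT_RSA1; j <= KT_RSA; j *= 2)
        if (mask & j)
            probes[n++] = j;
    return n;
}

int main(int argc, char **argv)
{
    const char *spec = argc > 1 ? argv[1] : "rsa1,dsa,rsa";
    int mask = parse_keytypes(spec), probes[3], n, i;

    if (mask == 0) {
        fprintf(stderr, "bad key type list: %s\n", spec);
        return 1;
    }
    n = expand_keytypes(mask, probes);
    for (i = 0; i < n; i++) {
        const char *alg = hostkey_alg_for(probes[i]);
        printf("probe %d: keytype %d, proposal %s\n", i + 1, probes[i],
            alg ? alg : "(protocol 1, no proposal)");
    }
    return 0;
}
```

Rejecting the whole list on an unknown or duplicated name, rather than ignoring the bad entry, is deliberate: a scan that silently probes fewer types than asked produces a known_hosts file that looks complete and is not.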
From: wayne at blorf.net (Wayne Davison) Date: Sat, 19 May 2001 01:43:52 -0700 (PDT) Subject: scp linking problem on solaris 2.6 (x86) Message-ID: I'm seeing a linking problem with scp on Solaris 2.6 that I'm not seeing on Linux (Mandrake 8). It boils down to Solaris not having mkdtemp(), and the mkdtemp() compatibility function referencing arc4random(), which calls seed_rng(). Since that function is back in libssh.a, we get a function-not-found link error. I added -lssh after -lopenbsd_compat on scp's build rule (so it is listed twice): scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o $(LD) -o $@ scp.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) Another solution might be to call seed_rng() from inside scp.c (so the function gets picked up the first time around). While I was looking into this, I noticed something that looks odd to me in bsd-arc4random.c. Do we really want to seed the r.n.g. every time we call arc4random() *except* the first time? Or did we want to seed the r.n.g. only on the first time? If the latter, we need this patch: Index: openbsd-compat/bsd-arc4random.c @@ -48,9 +48,10 @@ static int first_time = 1; if (rc4_ready <= 0) { - if (!first_time) + if (first_time) { seed_rng(); - first_time = 0; + first_time = 0; + } arc4random_stir(); } If the code was really correct, I suggest rewriting it to be a little more explicit. Like this: if (first_time) first_time = 0; else seed_rng(); ..wayne.. From wayne at blorf.net Sat May 19 22:22:59 2001 
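Review bot: the bsd-arc4random.c patch inverts the seeding policy rather than fixing a typo: as written, the first reseed after rc4_ready runs out becomes the only one that calls seed_rng(), and every later reseed relies on arc4random_stir() alone. The existing `if (!first_time) seed_rng();` reads as deliberate if programs that use arc4random() are expected to call seed_rng() once at startup (the unresolved seed_rng() reference in scp points the same way), in which case the first call is already seeded and only later reseeds need seed_rng(). Settle which contract is intended before changing the condition; if the current code is right, the explicit `if (first_time) first_time = 0; else seed_rng();` form proposed at the end is the clearer way to write it, and the link problem is better fixed by having scp.c call seed_rng() than by listing -lssh twice.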
From: wayne at blorf.net (Wayne Davison)
Date: Sat, 19 May 2001 05:22:59 -0700 (PDT)
Subject: More scp changes
Message-ID:

If you've applied my previous scp patch with the tempfile options and the erase option, here's a diff that tweaks it a bit more. Previously I had decided to use getcwd() in a certain local-to-local special case (that needs to use scp rather than regular cp). This was because spawning scp via ssh resets the current directory. This patch chooses to forego that in favor of a simpler approach: we just spawn scp directly in this special local-to-local case.

..wayne..

-------------- next part -------------- Index: scp.c --- old/scp.c Sat May 19 02:44:51 2001 +++ ./scp.c Sat May 19 02:49:29 2001 @@ -134,7 +134,8 @@ /* * This function executes the given command as the specified user on the - * given host. This returns < 0 if execution fails, and >= 0 otherwise. This + * given host. If host is NULL, execute the command locally without using + * ssh. This returns < 0 if execution fails, and >= 0 otherwise. This * assigns the input and output file descriptors on success. */ @@ -143,10 +144,14 @@ { int pin[2], pout[2], reserved[2]; - if (verbose_mode) - fprintf(stderr, "Executing: program %s host %s, user %s, command %s\n", - ssh_program, host, remuser ? remuser : "(unspecified)", cmd); - + if (verbose_mode) { + if (host) { + fprintf(stderr, "Executing: program %s host %s, user %s, command %s\n", + ssh_program, host, remuser ? remuser : "(unspecified)", cmd); + } + else + fprintf(stderr, "Executing: command %s\n", cmd); + } /* * Reserve two descriptors so that the real pipes won't get * descriptors 0 and 1 because that will screw up dup2 below.
@@ -173,15 +178,24 @@ close(pin[0]); close(pout[1]); - args.list[0] = ssh_program; - if (remuser != NULL) - addargs(&args, "-l%s", remuser); - addargs(&args, "%s", host); - addargs(&args, "%s", cmd); - - execvp(ssh_program, args.list); - perror(ssh_program); - exit(1); + if (host) { + args.list[0] = ssh_program; + if (remuser != NULL) + addargs(&args, "-l%s", remuser); + addargs(&args, "%s", host); + addargs(&args, "%s", cmd); + } + else { + char *arg = strtok(cmd, " \t"); + args.list = NULL; + do { + addargs(&args, "%s", arg); + } while ((arg = strtok(NULL, " \t")) != NULL); + } + + execvp(args.list[0], args.list); + perror(args.list[0]); + _exit(1); } /* Parent. Close the other side, and return the local side. */ close(pin[0]); @@ -439,8 +453,8 @@ int argc; char *argv[]; { - int i, len, cwd_len = 0; - char *bp, *host, *src, *suser, cwd[MAXPATHLEN]; + int i, len; + char *bp, *host, *src, *suser; for (i = 0; i < argc - 1; i++) { src = colon(argv[i]); @@ -478,21 +492,7 @@ } else { src = argv[i]; - if (*src != '/') { - if (!cwd_len) { - if (!getcwd(cwd, sizeof cwd)) { - error("Couldn't get local cwd: %s", - strerror(errno)); - break; - } - cwd_len = strlen(cwd); - } - len = cwd_len + strlen(src) + 2; - src = xmalloc(len); - snprintf(src, len, "%s/%s", cwd, argv[i]); - } - host = "localhost"; - suser = NULL; + host = suser = NULL; } len = strlen(src) + cmdlen + 20; bp = xmalloc(len); From markus.friedl at informatik.uni-erlangen.de Sun May 20 01:44:31 2001 
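Review bot: in the -173 hunk the local branch builds argv by splitting `cmd` with `strtok(cmd, " \t")`, but `cmd` is the same string that is handed to a remote shell in the ssh branch (the caller builds it with quoting that shell would interpret), so a path containing a space or a shell-quoted character is split into the wrong arguments, and strtok() also writes NUL bytes into the caller's buffer. Either assemble the local argv from the original pieces (program, options, path) instead of re-parsing the joined command line, or run the local command through `/bin/sh -c` so quoting is honoured the same way it is remotely. The `args.list = NULL;` reset discards whatever main() put into args for ssh; that is right for a local exec but deserves a comment.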
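Review bot: the comment rewritten in the -134 hunk now promises local execution when host is NULL, but the local branch of the -173 hunk silently ignores `remuser`; say in the comment that remuser is meaningless for a local run, or refuse the combination, so a user part left over from a mis-parsed argument cannot vanish without notice.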
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 19 May 2001 17:44:31 +0200 Subject: ssh-keyscan for ssh2 (was Re: openssh-2.9p1) In-Reply-To: ; from wayne@blorf.net on Thu, May 17, 2001 at 08:47:39PM -0700 References: Message-ID: <20010519174431.A8551@folly> On Thu, May 17, 2001 at 08:47:39PM -0700, Wayne Davison wrote: > My patch currently uses lots of connection code from the ssh library, so > a fatal error in protocol 2 can cut off the whole process in the middle. > Hopefully this won't be too hard to fix, but I'm just glad this is i think you can overload fatal() with longjmp(). From openssh at openbsd.org Sun May 20 01:51:13 2001 From: openssh at openbsd.org (Markus Friedl) Date: Sat, 19 May 2001 17:51:13 +0200 Subject: Erase the source file open; specify a tempfile name option In-Reply-To: ; from wayne@blorf.net on Fri, May 11, 2001 at 11:26:13PM -0700 References: Message-ID: <20010519175113.A28466@folly> On Fri, May 11, 2001 at 11:26:13PM -0700, Wayne Davison wrote: > I'm curious how to go about submitting a suggestion that affects both > the original BSD version and the portable release. A few days ago I > sent off a BSD-relative patch to openssh at openssh.com. Is this the right > thing to do? I didn't hear anything back, but it's only been 3 days, so > I'm probably just being too antsy. > > In the meantime, maybe someone else out there would like to check this > out. Appended is a version of my patch for the latest portable code > (relative to the CVS version). It adds two new options to scp that I > find useful: > > -E Erase the source file after a successful copy. > -T file Use "file" as a temporary file that gets renamed into > each actual destination file. i'm not sure about this. should we really modify scp? i'd prefer to have a minimal diff between scp.c and rcp.c -m From stevesk at pobox.com Sun May 20 04:09:06 2001 
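Markus's suggestion of overriding fatal() with longjmp(), worked through as an added example that is not OpenSSH code: run_kex() is a stub standing in for dispatch_run() and the key exchange (it either hands a key to the check_host_key callback or dies in fatal()), and the escape carries the key out through a file-scope pointer with fixed longjmp() values rather than casting the pointer to int. Key, hostjump(), keygrab(), the jump codes and the "broken server" flag are all constructed for this example.

```c
/* Added example, not OpenSSH code: make a library fatal() unwind back to
 * the caller with setjmp()/longjmp() so one failed exchange does not kill
 * a scan of many hosts. run_kex() is a stub for dispatch_run()/kex; Key,
 * hostjump(), keygrab() and the jump codes are constructed for this demo. */
#include <setjmp.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char type[16];
} Key;

enum { JMP_GOT_KEY = 1, JMP_FATAL = 2 };   /* longjmp() values, never 0 */

static jmp_buf kexjmp;
static int nonfatal_fatal;      /* 1 only while kexjmp is a valid target */
static Key *grabbed_key;        /* the key leaves the callback by pointer,
                                   not squeezed into longjmp()'s int */

/* Replacement for the library's fatal(): log, then either unwind to the
 * armed setjmp() or really exit, which is what a fatal() must do when
 * nobody is prepared to catch it. */
void fatal(const char *fmt, ...)
{
    va_list ap;

    va_start(ap, fmt);
    vfprintf(stderr, fmt, ap);
    va_end(ap);
    fputc('\n', stderr);
    if (nonfatal_fatal)
        longjmp(kexjmp, JMP_FATAL);
    exit(255);
}

/* check_host_key callback: keep the pointer, abandon the exchange. */
static int hostjump(Key *hostkey)
{
    grabbed_key = hostkey;
    longjmp(kexjmp, JMP_GOT_KEY);
    return 0;                   /* not reached */
}

/* Stand-in for the key exchange: presents a host key through the
 * callback, or dies in fatal() the way a real protocol error would.
 * The broken-server flag is constructed; it models only the fatal() path. */
static void run_kex(int server_is_broken, int (*check_host_key)(Key *))
{
    static Key k;

    if (server_is_broken)
        fatal("kex failed: bad packet length");
    strcpy(k.type, "ssh-dss");
    check_host_key(&k);
    fatal("dispatch_run() returned");   /* only if the callback came back */
}

/* Returns the server host key, or NULL if the exchange ended in fatal().
 * setjmp() is the whole controlling expression of the switch, one of the
 * contexts in which the C standard allows it. */
Key *keygrab(int server_is_broken)
{
    switch (setjmp(kexjmp)) {
    case 0:
        grabbed_key = NULL;
        nonfatal_fatal = 1;
        run_kex(server_is_broken, hostjump);
        abort();                /* run_kex() never returns normally */
    case JMP_GOT_KEY:
        nonfatal_fatal = 0;     /* disarm before anything else can fatal() */
        return grabbed_key;
    default:                    /* JMP_FATAL */
        nonfatal_fatal = 0;
        return NULL;
    }
}

int main(void)
{
    Key *k = keygrab(0);

    printf("good server: %s\n", k ? k->type : "(none)");
    printf("broken server: %s\n", keygrab(1) ? "key" : "(none)");
    printf("after recovery: %s\n", keygrab(0) ? "key" : "(none)");
    return k == NULL;
}
```

Two details matter in practice: the flag is cleared on both exits from the switch, so a fatal() raised later by unrelated code still terminates the process instead of jumping into a stale frame, and the key travels through `grabbed_key` because longjmp() only carries an int, which cannot hold a pointer on LP64 systems and turns any address with the top bit set into a negative value.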
From: stevesk at pobox.com (Kevin Steves)
Date: Sat, 19 May 2001 20:09:06 +0200 (CEST)
Subject: HP11 and opessh
In-Reply-To: <0406DF4D22E26C44AF801374141F00CD017BF4@radiomobil.cz>
Message-ID:

On Fri, 18 May 2001, [ISO-8859-2] Dvo??k Ji?? wrote:
: I can install openssh 2.9p1 on HPUX 11.0. What product and version do I need
: to install first?
: I tried zlib 1.1.3 from the HP software depot, openssl 0.9.6, and perl 5.6 but I
: have errors.

what are the errors? you need an ANSI C compiler and i think GNU make.

From stevesk at pobox.com Sun May 20 04:23:20 2001
From: stevesk at pobox.com (Kevin Steves) Date: Sat, 19 May 2001 20:23:20 +0200 (CEST) Subject: Issues with OpenSSH 2.9p1 on HPUX11 In-Reply-To: <3AF9834D.3DE6389C@pmc-sierra.com> Message-ID: On Wed, 9 May 2001, Jeff Newton wrote: : In order for rhosts auth to work on HPUX11, I need to fully qualify the : hostname in .rhosts. The same DOES NOT hold true for Solaris 2.7. : : Are there issues with the HPUX11 version of auth_rhosts2 code that would : cause the difference below? My HPUX11 machines are set up correctly : with respect to DNS, domain names, etc. your test cases have different client addresses, but the hp-ux case is returning a fqdn and solaris isn't which explains the behaviour. do the hp and sun return different reverse mappings for each of those or the same? is the nsswitch configuration the same? : HPUX11 sshd -d -d: : : debug1: Attempting authentication for newton. : debug2: auth_rhosts2: clientuser newton hostname boston.pmc-sierra.bc.ca : ipaddr 216.241.226.33 : debug1: temporarily_use_uid: 1412/67 (e=0) : debug1: restore_uid : debug1: temporarily_use_uid: 1412/67 (e=0) : debug1: restore_uid : Failed rhosts for newton from 216.241.226.33 port 823 ruser newton : : Solaris 2.7 sshd -d -d: : : debug1: Attempting authentication for newton. : debug2: auth_rhosts2: clientuser newton hostname odin ipaddr : 134.87.115.142 : debug1: temporarily_use_uid: 1412/67 (e=0) : debug1: restore_uid : debug1: temporarily_use_uid: 1412/67 (e=0) : debug1: restore_uid : Accepted rhosts for newton from 134.87.115.142 port 874 ruser newton From wayne at blorf.net Sun May 20 07:14:53 2001 
From: wayne at blorf.net (Wayne Davison)
Date: Sat, 19 May 2001 14:14:53 -0700 (PDT)
Subject: ssh-keyscan for ssh2
In-Reply-To: <20010519174431.A8551@folly>
Message-ID:

On Sat, 19 May 2001, Markus Friedl wrote:
> i think you can overload fatal() with longjmp().

Yeah, I was thinking of doing the same thing. I didn't do it earlier because it means moving fatal() into its own file so that we don't end up with a duplicate symbol. The appended patch changes this, and it also implements: the change in option parsing to support -T timeout and -t rsa1,dsa,rsa; the new -v option (for verbose logging); the other changes suggested on the list (I think I got them all). Since the patches were getting heavily nested, this is back to being based on the CVS version.

** I left off the change to Makefile.in. Just add logfatal.o to the line right after log.o. **

..wayne..

-------------- next part -------------- Index: log.c @@ -109,17 +109,6 @@ return log_levels[i].val; return (LogLevel) - 1; } -/* Fatal messages. This function never returns. */ - -void -fatal(const char *fmt,...) -{ - va_list args; - va_start(args, fmt); - do_log(SYSLOG_LEVEL_FATAL, fmt, args); - va_end(args); - fatal_cleanup(); -} /* Error messages that should be logged. */ Index: logfatal.c
@@ -0,0 +1,51 @@ +/* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland + * All rights reserved + * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + */ +/* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" +RCSID("$OpenBSD: log.c,v 1.17 2001/03/04 17:42:28 millert Exp $"); + +#include "log.h" + +/* Fatal messages. This function never returns. 
*/ + +void +fatal(const char *fmt,...) +{ + va_list args; + va_start(args, fmt); + do_log(SYSLOG_LEVEL_FATAL, fmt, args); + va_end(args); + fatal_cleanup(); +} Index: ssh-keyscan.c @@ -19,10 +19,16 @@ #include +#include #include "xmalloc.h" #include "ssh.h" #include "ssh1.h" #include "key.h" +#include "kex.h" +#include "compat.h" +#include "myproposal.h" +#include "packet.h" +#include "dispatch.h" #include "buffer.h" #include "bufaux.h" #include "log.h" @@ -30,7 +36,19 @@ static int argno = 1; /* Number of argument currently being parsed */ -int family = AF_UNSPEC; /* IPv4, IPv6 or both */ +/* Flag indicating whether IPv4 or IPv6. This can be set on the command line. + Default value is AF_UNSPEC means both IPv4 and IPv6. */ +#ifdef IPV4_DEFAULT +int IPv4or6 = AF_INET; +#else +int IPv4or6 = AF_UNSPEC; +#endif + +#define KT_RSA1 1 +#define KT_DSA 2 +#define KT_RSA 4 + +int get_keytypes = KT_RSA1; /* Get only RSA1 keys by default */ #define MAXMAXFD 256 @@ -48,6 +66,8 @@ fd_set *read_wait; size_t read_wait_size; int ncon; +int nonfatal_fatal = 0; +jmp_buf kexjmp; /* * Keep a connection structure for each file descriptor. The state @@ -63,11 +83,13 @@ int c_plen; /* Packet length field for ssh packet */ int c_len; /* Total bytes which must be read. */ int c_off; /* Length of data read so far. */ + int c_keytype; /* Only one of KT_RSA1, KT_DSA, or KT_RSA */ char *c_namebase; /* Address to free for c_name and c_namelist */ char *c_name; /* Hostname of connection for errors */ char *c_namelist; /* Pointer to other possible addresses */ char *c_output_name; /* Hostname of connection for output */ char *c_data; /* Data read from this fd */ + Kex *c_kex; /* The key-exchange struct for ssh2 */ struct timeval c_tv; /* Time at which connection gets aborted */ TAILQ_ENTRY(Connection) c_link; /* List of connections in timeout order. */ } con; 
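Review bot: logfatal.c carries `RCSID("$OpenBSD: log.c,v 1.17 2001/03/04 17:42:28 millert Exp $")` copied from log.c; give the new file its own identifier (or omit the RCSID) so the CVS keyword does not claim to be a revision of a different file. The Makefile.in change the cover note describes in prose should be part of the diff as well, since without it the tree no longer links.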
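Review bot: the -48 hunk of ssh-keyscan.c adds `nonfatal_fatal` and `kexjmp` as external globals although both are used only inside this file; declare them `static` (an exported `jmp_buf` under a generic name is easy to collide with). The fatal() override that consults `nonfatal_fatal` is not among the hunks visible here, only the code that sets the flag around dispatch_run(); it would help to see it in the same diff.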
@@ -261,8 +283,8 @@ return (tok); } -void -keyprint(char *host, char *output_name, char *kd, int len) +Key * +keygrab_ssh1(con *c) { static Key *rsa; static Buffer msg; @@ -271,12 +293,12 @@ buffer_init(&msg); rsa = key_new(KEY_RSA1); } - buffer_append(&msg, kd, len); - buffer_consume(&msg, 8 - (len & 7)); /* padding */ + buffer_append(&msg, c->c_data, c->c_plen); + buffer_consume(&msg, 8 - (c->c_plen & 7)); /* padding */ if (buffer_get_char(&msg) != (int) SSH_SMSG_PUBLIC_KEY) { - error("%s: invalid packet type", host); + error("%s: invalid packet type", c->c_name); buffer_clear(&msg); - return; + return NULL; } buffer_consume(&msg, 8); /* cookie */ @@ -289,10 +311,54 @@ (void) buffer_get_int(&msg); buffer_get_bignum(&msg, rsa->rsa->e); buffer_get_bignum(&msg, rsa->rsa->n); + buffer_clear(&msg); + + return (rsa); +} + +int +hostjump(Key *hostkey) +{ + longjmp(kexjmp, (int)hostkey); +} + +Key * +keygrab_ssh2(con *c) +{ + int j; - fprintf(stdout, "%s ", output_name ? output_name : host); - key_write(rsa, stdout); + packet_set_connection(c->c_fd, c->c_fd); + packet_set_ssh2_format(); + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = c->c_keytype == KT_DSA? + "ssh-dss": "ssh-rsa"; + c->c_kex = kex_setup(myproposal); + c->c_kex->check_host_key = hostjump; + + if (!(j = setjmp(kexjmp))) { + nonfatal_fatal = 1; + dispatch_run(DISPATCH_BLOCK, &c->c_kex->done, c->c_kex); + fprintf(stderr, "Impossible! dispatch_run() returned!\n"); + exit(1); + } + nonfatal_fatal = 0; + xfree(c->c_kex); + c->c_kex = NULL; + packet_close(); + if (j < 0) + j = 0; + + return (Key*)(j); +} + +void +keyprint(con *c, Key *key) +{ + if (!key) + return; + + fprintf(stdout, "%s ", c->c_output_name ? c->c_output_name : c->c_name); + key_write(key, stdout); fputs("\n", stdout); } 
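Review bot: hostjump() in the @@ -289,10 +311,54 @@ hunk passes a Key * through longjmp(kexjmp, (int)hostkey) and keygrab_ssh2() casts it back with `return (Key*)(j)`; longjmp carries an int, so the pointer is truncated on LP64 platforms, and the value space is shared with the -1 that the keyscan fatal() uses for failure. Suggest storing the key in a file-scope variable inside hostjump() (for example `static Key *kexhostkey; kexhostkey = hostkey; longjmp(kexjmp, 1);`) and reading it back in keygrab_ssh2() after setjmp() returns non-zero. hostjump() is also declared to return int but has no return statement after the longjmp, which most compilers will warn about; an unreachable `return (0);` or a noreturn attribute would silence that.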
@@ -305,7 +371,7 @@ snprintf(strport, sizeof strport, "%d", SSH_DEFAULT_PORT); memset(&hints, 0, sizeof(hints)); - hints.ai_family = family; + hints.ai_family = IPv4or6; hints.ai_socktype = SOCK_STREAM; if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) fatal("getaddrinfo %s: %s", host, gai_strerror(gaierr)); @@ -330,7 +396,7 @@ } int -conalloc(char *iname, char *oname) +conalloc(char *iname, char *oname, int keytype) { int s; char *namebase, *name, *namelist; @@ -359,6 +425,7 @@ fdcon[s].c_data = (char *) &fdcon[s].c_plen; fdcon[s].c_len = 4; fdcon[s].c_off = 0; + fdcon[s].c_keytype = keytype; gettimeofday(&fdcon[s].c_tv, NULL); fdcon[s].c_tv.tv_sec += timeout; TAILQ_INSERT_TAIL(&tq, &fdcon[s], c_link); @@ -378,6 +445,7 @@ if (fdcon[s].c_status == CS_KEYS) xfree(fdcon[s].c_data); fdcon[s].c_status = CS_UNUSED; + fdcon[s].c_keytype = 0; TAILQ_REMOVE(&tq, &fdcon[s], c_link); FD_CLR(s, read_wait); ncon--; @@ -397,21 +465,16 @@ { int ret; con *c = &fdcon[s]; - char *iname, *oname; - iname = xstrdup(c->c_namelist); - oname = xstrdup(c->c_output_name); + ret = conalloc(c->c_namelist, c->c_output_name, c->c_keytype); confree(s); - ret = conalloc(iname, oname); - xfree(iname); - xfree(oname); return (ret); } void congreet(int s) { - char buf[80], *cp; + char buf[256], *cp; size_t bufsiz; int n = 0; con *c = &fdcon[s]; 
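Review bot: conrecycle() in the @@ -397,21 +465,16 @@ hunk now passes c->c_namelist and c->c_output_name straight into conalloc() and only then calls confree(s), dropping the xstrdup/xfree pair; that is only safe because conalloc() duplicates its arguments into a fresh namebase before returning, so a one-line comment stating that dependency would keep a later change to conalloc() from turning this into a use-after-free. The buf[80] to buf[256] enlargement in congreet() is fine but deserves a comment saying why 256 (room for the longer SSH-2 banner plus the version-string parsing added below).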
@@ -433,12 +496,27 @@ } *cp = '\0'; fprintf(stderr, "# %s %s\n", c->c_name, buf); - n = snprintf(buf, sizeof buf, "SSH-1.5-OpenSSH-keyscan\r\n"); + if (c->c_keytype != KT_RSA1) { + char remote_version[sizeof buf]; + + if (sscanf(buf, "SSH-%*d.%*d-%[^\n]\n", remote_version) == 1) + compat_datafellows(remote_version); + else + datafellows = 0; + } + n = snprintf(buf, sizeof buf, "SSH-%d.%d-OpenSSH-keyscan\r\n", + c->c_keytype == KT_RSA1? PROTOCOL_MAJOR_1 : PROTOCOL_MAJOR_2, + c->c_keytype == KT_RSA1? PROTOCOL_MINOR_1 : PROTOCOL_MINOR_2); if (atomicio(write, s, buf, n) != n) { error("write (%s): %s", c->c_name, strerror(errno)); confree(s); return; } + if (c->c_keytype != KT_RSA1) { + keyprint(c, keygrab_ssh2(c)); + confree(s); + return; + } c->c_status = CS_SIZE; contouch(s); } @@ -471,7 +549,7 @@ c->c_status = CS_KEYS; break; case CS_KEYS: - keyprint(c->c_name, c->c_output_name, c->c_data, c->c_plen); + keyprint(c, keygrab_ssh1(c)); confree(s); return; break; 
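Review bot: in the @@ -433,12 +496,27 @@ hunk the sscanf conversion `%[^\n]` into remote_version has no field width; it cannot overflow today only because remote_version is declared with sizeof buf and buf is NUL-terminated, so either give the conversion an explicit width or note that invariant in a comment. In the same hunk the SSH-2 branch calls keygrab_ssh2(c), which ends with packet_close() on c->c_fd, and then confree(s) on the same descriptor; if confree() also closes the socket this is a double close, so one of the two should be dropped. compat_datafellows() writes the global datafellows per connection, which works only because the SSH-2 exchange runs to completion synchronously inside congreet(); worth a comment so nobody later makes keygrab_ssh2() asynchronous without noticing.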
@@ -539,49 +617,105 @@ nexthost(int argc, char **argv) { static Linebuf *lb; + char *fname, *tname; for (;;) { - if (!lb) { - if (argno >= argc) - return (NULL); - if (argv[argno][0] != '-') - return (argv[argno++]); - if (!strcmp(argv[argno], "--")) { + if (lb) { + char *line; + + line = Linebuf_getline(lb); + if (line) + return (line); + Linebuf_free(lb); + lb = NULL; + } + if (argno >= argc) + return (NULL); + if (argv[argno][0] != '-') + return (argv[argno++]); + while (*++(argv[argno])) { + switch (argv[argno][0]) { + case '-': if (++argno >= argc) return (NULL); return (argv[argno++]); - } else if (!strncmp(argv[argno], "-f", 2)) { - char *fname; - - if (argv[argno][2]) - fname = &argv[argno++][2]; + case 'f': + if (argv[argno][1]) + fname = &argv[argno][1]; else if (++argno >= argc) { error("missing filename for `-f'"); return (NULL); } else - fname = argv[argno++]; + fname = argv[argno]; if (!strcmp(fname, "-")) fname = NULL; lb = Linebuf_alloc(fname, error); - } else + goto double_break; + case 't': + get_keytypes = 0; + tname = &argv[argno][1]; + if (!*tname) { + if (++argno >= argc) { + error("missing types for `-t'"); + return (NULL); + } + tname = argv[argno]; + } + tname = strtok(tname, ","); + while (tname) { + int type = key_type_from_name(tname); + switch (type) { + case KEY_RSA1: + get_keytypes |= KT_RSA1; + break; + case KEY_DSA: + get_keytypes |= KT_DSA; + break; + case KEY_RSA: + get_keytypes |= KT_RSA; + break; + case KEY_UNSPEC: + fatal("unknown key type %s\n", + tname); + } + tname = strtok(NULL, ","); + } + goto double_break; + case '4': + IPv4or6 = AF_INET; + break; + case '6': + IPv4or6 = AF_INET6; + break; + default: error("ignoring invalid/misplaced option `%s'", - argv[argno++]); - } else { - char *line; - - line = Linebuf_getline(lb); - if (line) - return (line); - Linebuf_free(lb); - lb = NULL; + argv[argno]); + goto double_break; + } } +double_break: + argno++; } } void +fatal(const char *fmt,...) 
+{ + va_list args; + if (nonfatal_fatal) + longjmp(kexjmp, -1); + va_start(args, fmt); + vfprintf(stderr, fmt, args); + fputs("\n", stderr); + va_end(args); + exit(1); +} + +void usage(void) { - fatal("usage: %s [-t timeout] { [--] host | -f file } ...", __progname); + fatal("usage: %s [-T timeout] { [-t rsa1,dsa,rsa] [--] host | -f file } ...", + __progname); return; } @@ -589,6 +723,7 @@ main(int argc, char **argv) { char *host = NULL; + int debug_flag = 0, log_level = SYSLOG_LEVEL_INFO; __progname = get_progname(argv[0]); TAILQ_INIT(&tq); @@ -596,21 +731,45 @@ if (argc <= argno) usage(); - if (argv[1][0] == '-' && argv[1][1] == 't') { - argno++; - if (argv[1][2]) - timeout = atoi(&argv[1][2]); - else { - if (argno >= argc) - usage(); - timeout = atoi(argv[argno++]); + while (argv[argno][0] == '-') { + while (*++(argv[argno])) { + switch (argv[argno][0]) { + case 'T': + if (argv[argno][1]) + timeout = atoi(&argv[argno][1]); + else { + if (++argno >= argc) + usage(); + timeout = atoi(argv[argno]); + } + if (timeout <= 0) + usage(); + goto double_break; + case 'v': + if (!debug_flag) { + debug_flag = 1; + log_level = SYSLOG_LEVEL_DEBUG1; + } + else if (log_level < SYSLOG_LEVEL_DEBUG3) + log_level++; + else + fatal("Too high debugging level."); + break; + default: + if (*--(argv[argno]) != '-') + fatal("Please separate options T and v from any other options."); + goto triple_break; + } } - if (timeout <= 0) - usage(); +double_break: + argno++; } +triple_break: if (argc <= argno) usage(); + log_init("ssh-keyscan", log_level, SYSLOG_FACILITY_USER, 1); + maxfd = fdlim_get(1); if (maxfd < 0) fatal("%s: fdlim_get: bad value", __progname); @@ -623,6 +782,9 @@ fdcon = xmalloc(maxfd * sizeof(con)); memset(fdcon, 0, maxfd * sizeof(con)); + init_rng(); + seed_rng(); + read_wait_size = howmany(maxfd, NFDBITS) * sizeof(fd_mask); read_wait = xmalloc(read_wait_size); memset(read_wait, 0, read_wait_size); 
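Review bot: the -t parser in nexthost() (@@ -539,49 +617,105 @@ hunk) calls fatal("unknown key type %s\n", tname), but the replacement fatal() defined in the same hunk appends its own newline with fputs("\n", stderr), so the message prints followed by a blank line; drop the "\n" from the format. In that fatal(), the nonfatal_fatal path does longjmp(kexjmp, -1) before the message is ever formatted, so a failed SSH-2 key exchange (unparseable banner, rejected proposal, kex error) produces no diagnostic at all even with -v; logging the formatted message at debug level before the longjmp would make -v useful for exactly the failures this tool exists to surface. Also note that `-t ""` leaves get_keytypes at 0 after strtok() returns NULL, so every following host is silently skipped; either reject an empty list or keep the previous value.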
@@ -630,12 +792,16 @@ do { while (ncon < MAXCON) { char *name; + int j; host = nexthost(argc, argv); if (host == NULL) break; name = strnnsep(&host, " \t\n"); - conalloc(name, *host ? host : name); + for (j = KT_RSA1; j <= KT_RSA; j *= 2) { + if (get_keytypes & j) + conalloc(name, *host ? host : name, j); + } } conloop(); } while (host);

From wayne at blorf.net Sun May 20 07:27:22 2001
From: wayne at blorf.net (Wayne Davison)
Date: Sat, 19 May 2001 14:27:22 -0700 (PDT)
Subject: Erase the source file open; specify a tempfile name option
In-Reply-To: <20010519175113.A28466@folly>
Message-ID:

On Sat, 19 May 2001, Markus Friedl wrote:
> i'm not sure about this. should we really modify scp?
> i'd prefer to have a minimal diff between scp.c and rcp.c

I need help understanding this. Adding useful options to a utility certainly makes it more complex, but it also makes it more useful. While you certainly want to make it easy to switch from rcp to scp, I don't see why having more functionality than rcp available to use is a bad thing.

For me, the ability to move multiple files from system to system over the Internet is vital. The only other secure way I know of to move multiple files from system to system is to use something like expect with sftp or to use scp and follow that up with an ssh "rm" (but error-handling such a kludge is very annoying).

As mentioned previously, I could easily see the move functionality being separated into a new utility (smv, I presume) rather than being an option to scp.

..wayne..

From mouring at etoh.eviladmin.org Sun May 20 07:49:49 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Sat, 19 May 2001 16:49:49 -0500 (CDT)
Subject: Erase the source file open; specify a tempfile name option
In-Reply-To:
Message-ID:

On Sat, 19 May 2001, Wayne Davison wrote:
> On Sat, 19 May 2001, Markus Friedl wrote:
> > i'm not sure about this. should we really modify scp?
> > i'd prefer to have a minimal diff between scp.c and rcp.c
>
> I need help understanding this. Adding useful options to a utility
> certainly makes it more complex, but it also makes it more useful.
> While you certainly want to make it easy to switch from rcp to scp, I
> don't see why having more functionality than rcp available to use is a
> bad thing.
>

This issue has come up before. The heart of the issue is that we should keep the source difference as manageable as we can between rcp and scp. So if any bugs are found in rcp they can be applied to scp easily. And your current patch rewrites a large chunk of the rcp code. If there is a cleaner way to do it while preserving the rcp code, it may be more accepted.

- Ben

From wayne at blorf.net Sun May 20 16:27:20 2001
From: wayne at blorf.net (Wayne Davison)
Date: Sat, 19 May 2001 23:27:20 -0700 (PDT)
Subject: Erase the source file open; specify a tempfile name option
In-Reply-To:
Message-ID:

On Sat, 19 May 2001 mouring at etoh.eviladmin.org wrote:
> This issue has come up before. The heart of the issue is that we should
> keep the source difference as manageable as we can between rcp and scp.

I understand now. I thought this was a philosophical objection, not one of keeping the code for rcp and scp close to each other. In that case, why shouldn't we add these options to rcp as well? They're useful no matter what remote/secure shell you use to connect to the other system.

..wayne..

From deraadt at cvs.openbsd.org Sun May 20 17:21:33 2001
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Sun, 20 May 2001 01:21:33 -0600
Subject: Erase the source file open; specify a tempfile name option
In-Reply-To: Your message of "Sat, 19 May 2001 23:27:20 PDT."
Message-ID: <200105200721.f4K7LXc02428@cvs.openbsd.org>

> On Sat, 19 May 2001 mouring at etoh.eviladmin.org wrote:
> > This issue has come up before. The heart of the issue is that we should
> > keep the source difference as manageable as we can between rcp and scp.
>
> I understand now. I thought this was a philosophical objection, not one
> of keeping the code for rcp and scp close to each other. In that case,
> why shouldn't we add these options to rcp as well? They're useful no
> matter what remote/secure shell you use to connect to the other system.

I do not see the point of the options.

From deraadt at cvs.openbsd.org Sun May 20 17:29:00 2001
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Sun, 20 May 2001 01:29:00 -0600
Subject: Erase the source file open; specify a tempfile name option
In-Reply-To: Your message of "Sat, 19 May 2001 14:27:22 PDT."
Message-ID: <200105200729.f4K7T0c05343@cvs.openbsd.org>

> I need help understanding this. Adding useful options to a utility
> certainly makes it more complex, but it also makes it more useful.

Actually, that is not the unix philosophy.

> For me, the ability to move multiple files from system to system over
> the Internet is vital. The only other secure way I know of to move
> multiple files from system to system is to use something like expect
> with sftp or to use scp and follow that up with an ssh "rm" (but
> error-handling such a kludge is very annoying).

Or use sftp.

Or, consider that the above is NOT a kludge, because of the Unix philosophy.

From wayne at blorf.net Sun May 20 18:00:29 2001
From: wayne at blorf.net (Wayne Davison)
Date: Sun, 20 May 2001 01:00:29 -0700 (PDT)
Subject: Erase the source file open; specify a tempfile name option
In-Reply-To: <200105200721.f4K7LXc02428@cvs.openbsd.org>
Message-ID:

On Sun, 20 May 2001, Theo de Raadt wrote:
> I do not see the point of the options.

The -E option should be obvious, but if it's not, there needs to be an easy way to move files from system to system, not just copy them. This allows you to implement data flow, not just data replication. When implementing such a flow of data, you need to be able to ensure that each file has arrived intact before you remove the original, and it is also desirable to complete the move of a single file before starting the copy of the next file (so that you don't end up copying a bunch of data, lose the connection, and then end up in a nebulous state where you don't know how many files to remove). I think having an "smv" utility would be ideal, but having the -E option on scp is also an acceptable solution.

The tempfile options control how the files arrive on a system. For instance, if you need to copy over a running executable without crashing the program that has the file open, using the -u option ensures that the files arrive whole and replace the original rather than writing to the original.

The -T option mainly assists in data flow by allowing the tempfile to stay out of the way of the destination files. If you have a process that reads an input dir, you don't want to have to wait X minutes for a file to "cool off" just to be sure that it isn't still being transferred, and you also don't want a partial transfer to be treated the same as a fully-successful transfer.

Yes, you can script this with separate commands, but it is nicer to have the option to do this directly.

..wayne..

From deraadt at cvs.openbsd.org Sun May 20 18:01:16 2001
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Sun, 20 May 2001 02:01:16 -0600
Subject: Erase the source file open; specify a tempfile name option
In-Reply-To: Your message of "Sun, 20 May 2001 01:00:29 PDT."
Message-ID: <200105200801.f4K81Hc11541@cvs.openbsd.org>

It's nice that you think this is the right solution.

Go ahead, suggest it to ssh.com; see if they buy it.

From wayne at blorf.net Sun May 20 18:31:43 2001
From: wayne at blorf.net (Wayne Davison)
Date: Sun, 20 May 2001 01:31:43 -0700 (PDT)
Subject: Erase the source file open; specify a tempfile name option
In-Reply-To: <200105200729.f4K7T0c05343@cvs.openbsd.org>
Message-ID:

On Sun, 20 May 2001, Theo de Raadt wrote:
> Actually, that is not the unix philosophy.

Consider why "mv" exists when we have "cp" and "rm". Or why sort has a -u option when uniq exists. Or why grep has a -s (-q) option when we could just pipe stdout to /dev/null. Yes, part of the unix philosophy is to create modular tools and use them together. But another part is to add (sensible) options to tools that make accomplishing common tasks easier, even if we could have used several separate tools to accomplish the task in a less convenient manner. I think the key questions are: is this option sensible for this particular tool (i.e. does it solve a problem closely related to the core use of the utility and do so in a better or more efficient way than using a separate utility) and/or does the option make a common task easier.

..wayne..

From mark.pitt at ch.ibm.com Sun May 20 18:48:20 2001
From: mark.pitt at ch.ibm.com (mark.pitt at ch.ibm.com)
Date: Sun, 20 May 2001 10:48:20 +0200
Subject: ssh - NO SALE or NO GIVE ?
Message-ID:

Thanks to everyone who has replied to my emails so far - to summarise:

AIX allows setting of rlogin=false and an su group, or a list of users that are permitted to "su" to root. ( or other functional ids )
This means with entries in /etc/ftpusers, it is possible to :

1/ Track who used root via sulog and or external logging
2/ Protect root even if the root password is compromised
3/ Limit to a list of users who can access root

To achieve the functional equivalent of this in ssh we require:

rlogin still false to stop telnet connections, but ssh still allowing connections
A set of allowed_keys that effectively would be an su group
A tracking by ssh of which key allowed access at connection time ( ie an sulog equivalent ) ie:

"ssh: root access granted via key joeblow at jupiter at 12:34"

It is then possible for me to demonstrate to management that we do not require every admin to have an account on every system ( every one represents a security problem ) but all we require is ssh with a set of keys - we can then also centralise key management for administrators, also that ssh respects security guidelines.

IF I cannot solve this problem, then ssh is NOT PERMITTED on IBM systems and IBM Customers which IBM supports via service contracts - this would be a pity.

rlogin=false is used by AIX systems to block only interactive sessions, ie rlogin and telnetd, but allows rsh and rcp as they are not interactive. Obviously this makes NO sense at all, and anyway you can always use X or such to generate an interactive session, but that is the way AIX works, rightly or wrongly.

Is there ANY way AROUND this ?

SFTP

Really needs to have a /etc/ftpusers file to provide a simple blocking mechanism for ftp.

BUGS

If rlogin=false then ssh still prompts for password, although it already knows access will be denied.
From pekkas at netcore.fi Sun May 20 19:18:58 2001 
From: pekkas at netcore.fi (Pekka Savola)
Date: Sun, 20 May 2001 12:18:58 +0300 (EEST)
Subject: ssh - NO SALE or NO GIVE ?
In-Reply-To:
Message-ID:

On Sun, 20 May 2001 mark.pitt at ch.ibm.com wrote:
[snip]
> "ssh: root access granted via key joeblow at jupiter at 12:34"
>
> It is then possible for me to demonstrate to management that we do not
> require every admin to have an account on every system ( every one
> represents a security problem ) but all we require ist ssh with a set of
> keys - we can then also centralise key managent for administrators, also
> that ssh respects security guidelines.
>
> IF I cannot solve this problem, then ssh is NOT PERMITTED on IBM systems
> and IBM Customers which IBM supports via service contracts - this would be
> a pity.
>
> rlogin=false is used by AIX systems to block only interactive sessions, ie
> rlogin and telnetd, but allows rsh and rcp as they are not interactive.
> Obvisously this makes NO sense at all, and anyway you can always use X or
> such to generate an interactive session, but that is the way AIX works,
> rightly or wrongly.
>
> Is there ANY way AROUND this ?

Is PermitRootLogin=without-password not enough? Admittedly that might still be holey if shosts.equiv, .shosts etc. logins are still allowed with SSHv1; before OpenSSH 2.9 when HostBased auth for v2 wasn't there yet, this was the case in general.

Is there too big a difference to enhancing PermitRootLogin so that features in 'without-passwords' and 'forced-commands-only' would be mixed (ie: 'publickey-only')?

> SFTP
>
> Really needs to have a /etc/ftpusers file to provide a simple blocking
> mechnism for ftp.

Note that standard BSD ftpd also checks for /etc/ftpusers. Some might want to separate sftp and ftpd.

> BUGS
>
> If rlogin=false then ssh still prompts for password, although it already
> knows access will be denied.

This is a feature, IMO. Else you could go scanning hosts with 'ssh root at somewhere' to check which ones have rlogin=false set.
The authentication must look transparent until the user has been authenticated.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

From mouring at etoh.eviladmin.org Sun May 20 20:16:23 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Sun, 20 May 2001 05:16:23 -0500 (CDT)
Subject: ssh - NO SALE or NO GIVE ?
In-Reply-To:
Message-ID:

On Sun, 20 May 2001 mark.pitt at ch.ibm.com wrote:
>
> Thanks to everyone who has replied to my emails so far - to summarise:
>
> AIX allows setting of rlogin=false and and a su group, or a list of users
> that are permitted to "su" to root. ( or other functional ids )
> This means with entries in /etc/ftpusers, it is possible to :
>
> 1/ Track who used root via sulog and or external logging
> 2/ Protect root even if the root password is compromised
> 3/ Limit to a list of users who can access root
>
> To acheive the functional equivalent of this in ssh we require:
>
> rlogin still false to stop telnet connections, but ssh still allowing
> connections
> A set of allowed_keys that effectively would be an su group
> A tracking by ssh of which key allowed access at connection time ( ie an
> sulog equivelent ) ie:
>
> "ssh: root access granted via key joeblow at jupiter at 12:34"
>
> It is then possible for me to demonstrate to management that we do not
> require every admin to have an account on every system ( every one
> represents a security problem ) but all we require ist ssh with a set of
> keys - we can then also centralise key managent for administrators, also
> that ssh respects security guidelines.
>
> IF I cannot solve this problem, then ssh is NOT PERMITTED on IBM systems
> and IBM Customers which IBM supports via service contracts - this would be
> a pity.
>

I still don't get where "PermitRootLogin no" fails.. Give each admin a normal user account and the correct group privs for 'su'. Like every other UNIX in the world. I don't see how 'multiple private keys to an account where passwords are not accepted' is any more secure nor manageable.
> rlogin=false is used by AIX systems to block only interactive sessions, ie
> rlogin and telnetd, but allows rsh and rcp as they are not interactive.
> Obvisously this makes NO sense at all, and anyway you can always use X or
> such to generate an interactive session, but that is the way AIX works,
> rightly or wrongly.
>
> Is there ANY way AROUND this ?
>

You're going against what you said above. WHY allow interactive session via keys if you deny the password? I would personally feel (I'm not an AIX user/admin) if you set 'rlogin=false' you may as well do 'PermitRootLogin no'. And ban all forms of direct root login. How does IBM deal with cases where ssh or such tools don't exist?

> SFTP
>
> Really needs to have a /etc/ftpusers file to provide a simple blocking
> mechnism for ftp.
>

I'd like to see such a feature in the future, but I really don't like the idea of overloading /etc/ftpusers proper. I can think of a few cases where ftp and ssh/sftp must live side-by-side. And one may wish to assign different restrictions to each.

> BUGS
>
> If rlogin=false then ssh still prompts for password, although it already
> knows access will be denied.
>

No.. This is *NOT* a bug. This is the correct thing. SSH should *ALWAYS* prompt for passwords. If it accepts them or not is a different story. Same is true for S/key and any password based system authentication systems. The same holds true for 'telnet' or any other such service. Let the non-authorized user spin his/her wheels trying to enter passwords until they are blue in their face. Don't give them a reason to think 'root' account is setup any differently.

- Ben

From pekkas at netcore.fi Sun May 20 20:54:08 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Sun, 20 May 2001 13:54:08 +0300 (EEST)
Subject: ssh - NO SALE or NO GIVE ?
In-Reply-To:
Message-ID:

On Sun, 20 May 2001 mouring at etoh.eviladmin.org wrote:
[snip a lot]
> I still don't get where "PermitRootLogin no" fails.. Give each admin a
> normal user account and the correct group privs for 'su'. Like every
> other UNIX in the world. I don't see how 'multiple private keys to an
> account where passwords are not accepted' is any more secure nor
> managable.

This is getting a bit off-topic, but as this was raised here we go...

This is an attempt to solve the account management problem. For example, consider a company with 50 servers which are managed by 5-10 admins. When the admins switch jobs, you always have to make sure their accounts are deleted, new ones added etc. Also, it's a pain for the admins to set up passwords for each, and change them in each, etc. Real pain.

Some custom password/user management tools make this a bit easier, but not much. If there are good, reliable systems for this, I sure would like to know of them.

There are obvious advantages not having to know (unless something dire happens) the root password yet being able to do work as root in multi-admin circumstances.

How SSH makes this easier is that you only have to sync the authorized_keys2 database to root account's .ssh/ every time new admin comes in/leaves the house. This can even be automatized rather easily.

A more modular hack would be using authorized_keys2 _directory_, and the keys in there would all be counted as authorized. Thus only one file copy/removal would do the job, no need for sync; this would be profitable in environments where all admins don't have access to all systems.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

From gert at greenie.muc.de Sun May 20 21:39:49 2001
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 20 May 2001 13:39:49 +0200
Subject: Erase the source file open; specify a tempfile name option
In-Reply-To: ; from Wayne Davison on Sun, May 20, 2001 at 01:00:29AM -0700
References: <200105200721.f4K7LXc02428@cvs.openbsd.org>
Message-ID: <20010520133949.B20316@greenie.muc.de>

Hi,

On Sun, May 20, 2001 at 01:00:29AM -0700, Wayne Davison wrote:
> On Sun, 20 May 2001, Theo de Raadt wrote:
> > I do not see the point of the options.
>
> The -E option should be obvious, but if it's not, there needs to be an
[..]
> The tempfile options control how the file arrive on a system. For
> instance, if you need to copy over a running executable without crashing
> the program that has the file open, using the -u option ensures that the
> files arrive whole and replace the original rather than writing to the
> original.

I think those two are really useful, for the reasons you mention.

For example, I have to copy config files to other machines quite often - and possibly while the programs reading those files want to read them. So right now I do

scp file remote:file.tmp
ssh remote mv file.tmp file

which is more effort, and ugly. If scp could do it in one go (copy to tmp, if copy complete, move to final destination) it would save me hassles, while keeping atomicity.

[..]
> The -T option mainly assists in data flow by allowing the tempfile to
> stay out of the way of the destination files. If you have a process

This is not something that would be useful for *me*, but I can see its uses.

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de

From stevesk at pobox.com Mon May 21 01:34:07 2001
From: stevesk at pobox.com (Kevin Steves)
Date: Sun, 20 May 2001 17:34:07 +0200 (CEST)
Subject: AIX SSH 2.x ssh and /etc/ftpusers rcp rlogin WRONG !
In-Reply-To:
Message-ID:

On Thu, 17 May 2001 mark.pitt at ch.ibm.com wrote:
: Another point - IBM security Policies REQUIRE that any system they look
: after, theirs or customer's, has rlogin=false for root set - this
: means ssh will NOT be usable at any site for which IBM is responsible
: - that means all IBM customers and IBM cannot use the product as it
: is currently configured without mountains of paperwork.
:
: Bang go a lot of big sites, and not only AIX, but ALL systems IBM services.

i have read all your messages and i'm confused as to the exact access policy you are trying to implement with openssh, and i think others are as well. since you say the IBM policy is not AIX specific, you should be able to communicate it in an OS independent manner. pointing us to the IBM policy document would help as well.

From markus.friedl at informatik.uni-erlangen.de Sun May 20 21:00:24 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 20 May 2001 13:00:24 +0200
Subject: Erase the source file open; specify a tempfile name option
In-Reply-To: ; from wayne@blorf.net on Sun, May 20, 2001 at 01:00:29AM -0700
References: <200105200721.f4K7LXc02428@cvs.openbsd.org>
Message-ID: <20010520130024.B2026@folly>

On Sun, May 20, 2001 at 01:00:29AM -0700, Wayne Davison wrote:
> The -T option mainly assists in data flow by allowing the tempfile to
> stay out of the way of the destination files. If you have a process

i think this is what rsync does.

From markus.friedl at informatik.uni-erlangen.de Sun May 20 20:58:23 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 20 May 2001 12:58:23 +0200
Subject: Erase the source file open; specify a tempfile name option
In-Reply-To: ; from wayne@blorf.net on Sun, May 20, 2001 at 01:31:43AM -0700
References: <200105200729.f4K7T0c05343@cvs.openbsd.org>
Message-ID: <20010520125823.A2026@folly>

On Sun, May 20, 2001 at 01:31:43AM -0700, Wayne Davison wrote:
> On Sun, 20 May 2001, Theo de Raadt wrote:
> > Actually, that is not the unix philosophy.
>
> Consider why "mv" exists when we have "cp" and "rm".

because
mv a b
does not copy and is very different from
cp a b; rm a

> Or why sort has a
> -u option when uniq exists.

i always considered this a bug :)

> I think the key questions are: is
> this option sensible for this particular tool (i.e. does it solve a
> problem closely related to the core use of the utility and do so in a
> better or more efficient way than using a separate utility) and/or does
> the option make a common task easier.

i think that both rcp and scp are very basic tools, just like cp. if you want to do more complicated tasks you can use tar over ssh and some scripting or use rsync.

btw, i really like to read Rob Pike, "UNIX Style, or cat -v Considered Harmful", USENIX Summer Conference Proceedings, 1983.

From markus.friedl at informatik.uni-erlangen.de Mon May 21 02:29:25 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 20 May 2001 18:29:25 +0200
Subject: Erase the source file open; specify a tempfile name option
In-Reply-To: <20010520133949.B20316@greenie.muc.de>; from gert@greenie.muc.de on Sun, May 20, 2001 at 01:39:49PM +0200
References: <200105200721.f4K7LXc02428@cvs.openbsd.org> <20010520133949.B20316@greenie.muc.de>
Message-ID: <20010520182925.B16345@folly>

On Sun, May 20, 2001 at 01:39:49PM +0200, Gert Doering wrote:
> scp file remote:file.tmp
> ssh remote mv file.tmp file

you can do

cat file | ssh remote 'cat - > file.tmp && mv file.tmp file'

instead.

From markus.friedl at informatik.uni-erlangen.de Mon May 21 02:45:38 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 20 May 2001 18:45:38 +0200
Subject: ssh - NO SALE or NO GIVE ?
In-Reply-To: ; from mark.pitt@ch.ibm.com on Sun, May 20, 2001 at 10:48:20AM +0200
References:
Message-ID: <20010520184537.C16345@folly>

On Sun, May 20, 2001 at 10:48:20AM +0200, mark.pitt at ch.ibm.com wrote:
> rlogin=false is used by AIX systems to block only interactive sessions, ie
> rlogin and telnetd, but allows rsh and rcp as they are not interactive.
> Obviously this makes NO sense at all, and anyway you can always use X or
> such to generate an interactive session, but that is the way AIX works,
> rightly or wrongly.
>
> Is there ANY way AROUND this ?

for ssh there is no difference between rlogin and rsh.
the only thing you could do is disallow allocation of pty's.
this is only possible with pubkey auth + options in .ssh/authorized_keys*

> SFTP
>
> Really needs to have a /etc/ftpusers file to provide a simple blocking
> mechanism for ftp.

make people think sftp is something like ftp, but it is not.
it's just some application running over ssh.
    ssh host /bin/date
does not check /etc/ftpusers either.
sftp could be changed to behave like ftp, but currently it's no different from
    ssh host /bin/date

> BUGS
>
> If rlogin=false then ssh still prompts for password, although it already
> knows access will be denied.

this is not a bug.

From markus.friedl at informatik.uni-erlangen.de Mon May 21 02:46:48 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 20 May 2001 18:46:48 +0200
Subject: ssh - NO SALE or NO GIVE ?
In-Reply-To: ; from mark.pitt@ch.ibm.com on Sun, May 20, 2001 at 10:48:20AM +0200
References:
Message-ID: <20010520184648.D16345@folly>

On Sun, May 20, 2001 at 10:48:20AM +0200, mark.pitt at ch.ibm.com wrote:
> IF I cannot solve this problem, then ssh is NOT PERMITTED on IBM systems
> and IBM Customers which IBM supports via service contracts - this would be
> a pity.

why don't you just set
    PermitRootLogin no
?

From rmk at toad.rmkhome.com Mon May 21 03:39:16 2001
From: rmk at toad.rmkhome.com (Rick Kelly)
Date: Sun, 20 May 2001 11:39:16 -0600 (MDT)
Subject: ssh - NO SALE or NO GIVE ?
In-Reply-To: <20010520184648.D16345@folly> from Markus Friedl at "May 20, 2001 06:46:48 pm"
Message-ID: <200105201739.f4KHdGB24996@toad.rmkhome.com>

Markus Friedl said:
>On Sun, May 20, 2001 at 10:48:20AM +0200, mark.pitt at ch.ibm.com wrote:
>> IF I cannot solve this problem, then ssh is NOT PERMITTED on IBM systems
>> and IBM Customers which IBM supports via service contracts - this would be
>> a pity.
>
>why don't you just set
>    PermitRootLogin no
>?

I consult at IBM Global Systems, and that is what we do on the E-Commerce
machines.

--
Rick Kelly  rmk at rmkhome.com  www.rmkhome.com

From wayne at blorf.net Mon May 21 04:39:27 2001
From: wayne at blorf.net (Wayne Davison)
Date: Sun, 20 May 2001 11:39:27 -0700 (PDT)
Subject: Erase the source file open; specify a tempfile name option
In-Reply-To: <20010520125823.A2026@folly>
Message-ID:

On Sun, 20 May 2001, Markus Friedl wrote:
> On Sun, May 20, 2001 at 01:31:43AM -0700, Wayne Davison wrote:
> > Consider why "mv" exists when we have "cp" and "rm".
>
> because
>     mv a b
> does not copy and is very different from
>     cp a b; rm a

Yes, I was wrong about the general case, but if the file cannot be
renamed (i.e. it crosses a file system), mv is identical to your cp/rm
example, which is what I was thinking of in the scp case.

> i think that both rcp and scp are very basic tools, just like cp.

Yes. I would be very comfortable adding the "how do you want me to write
the file" option to cp as well (using a tempfile or directly). I would
also supply the additional caveat that since we're crossing system
boundaries that it behooves us to make the simple tasks a little more
efficient than what we need in local commands.

Has the move option also been rejected? I noticed one mention on the net
that scp2 added -u (unlink) for this.

..wayne..

From josb at cncdsl.com Mon May 21 05:04:01 2001
From: josb at cncdsl.com (Jos Backus)
Date: Sun, 20 May 2001 12:04:01 -0700
Subject: Erase the source file open; specify a tempfile name option
In-Reply-To: <20010520182925.B16345@folly>; from markus.friedl@informatik.uni-erlangen.de on Sun, May 20, 2001 at 06:29:03PM +0200
References: <200105200721.f4K7LXc02428@cvs.openbsd.org> <20010520133949.B20316@greenie.muc.de> <20010520182925.B16345@folly>
Message-ID: <20010520120401.C432@lizzy.bugworks.com>

On Sun, May 20, 2001 at 06:29:03PM +0200, Markus Friedl wrote:
> On Sun, May 20, 2001 at 01:39:49PM +0200, Gert Doering wrote:
> > scp file remote:file.tmp
> > ssh remote mv file.tmp file
>
> you can do
>     cat file | ssh remote 'cat - > file.tmp && mv file.tmp file'
> instead.

This works for one file. What if you want to move multiple files to a remote
directory and replace those files atomically? Wayne's suggestions would let
you do that easily.

--
Jos Backus                 _/  _/_/_/        "Modularity is not a hack."
                          _/  _/   _/                -- D. J. Bernstein
                         _/  _/_/_/
                    _/  _/  _/    _/
josb at cncdsl.com     _/_/   _/_/_/        use Std::Disclaimer;

From mouring at etoh.eviladmin.org Mon May 21 07:09:13 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Sun, 20 May 2001 16:09:13 -0500 (CDT)
Subject: Erase the source file open; specify a tempfile name option
In-Reply-To:
Message-ID:

On Sun, 20 May 2001, Wayne Davison wrote:
> On Sun, 20 May 2001, Markus Friedl wrote:
> > On Sun, May 20, 2001 at 01:31:43AM -0700, Wayne Davison wrote:
> > > Consider why "mv" exists when we have "cp" and "rm".
> >
> > because
> >     mv a b
> > does not copy and is very different from
> >     cp a b; rm a
>
> Yes, I was wrong about the general case, but if the file cannot be
> renamed (i.e. it crosses a file system), mv is identical to your cp/rm
> example, which is what I was thinking of in the scp case.
>

This has been widely regarded by a lot of older UNIX admins as an abuse of
the 'mv' command. However, this is rather a new feature (6 years or so).

Yes, the commercial scp2 client has -u. So one could argue from a
compatibility standpoint that we should have it. But I have to agree that
rsync is the tool you want instead of scp. It supports both
'-T, --temp-dir=DIR' and '--delete-after'.

- Ben

From mouring at etoh.eviladmin.org Mon May 21 07:11:15 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Sun, 20 May 2001 16:11:15 -0500 (CDT)
Subject: Erase the source file open; specify a tempfile name option
In-Reply-To: <20010520120401.C432@lizzy.bugworks.com>
Message-ID:

On Sun, 20 May 2001, Jos Backus wrote:
> On Sun, May 20, 2001 at 06:29:03PM +0200, Markus Friedl wrote:
> > On Sun, May 20, 2001 at 01:39:49PM +0200, Gert Doering wrote:
> > > scp file remote:file.tmp
> > > ssh remote mv file.tmp file
> >
> > you can do
> >     cat file | ssh remote 'cat - > file.tmp && mv file.tmp file'
> > instead.
>
> This works for one file. What if you want to move multiple files to a remote
> directory and replace those files atomically? Wayne's suggestions would let
> you do that easily.
>

Rsync with --delete-after and -T options.

- Ben

From wayne at blorf.net Mon May 21 08:23:28 2001
From: wayne at blorf.net (Wayne Davison)
Date: Sun, 20 May 2001 15:23:28 -0700 (PDT)
Subject: Erase the source file open; specify a tempfile name option
In-Reply-To:
Message-ID:

On Sun, 20 May 2001 mouring at etoh.eviladmin.org wrote:
> Rsync with --delete-after and -T options.

FYI, with rsync, --delete-after just delays the deletion on the
*destination* side (of files not found on the source side) until after
all the files have been transferred. You need to patch the source with
my "--move-files" option to actually move files between machines, and
you don't need to use the -T option because rsync uses a temp file by
default (unless you want to force the directory where all the temp files
get put).

So yes, for updating files, using rsync is definitely much better than
scp. For moving files it seems silly to use a utility that optimizes the
transfer of data through a remote-diff algorithm, but if scp isn't going
to support this, hopefully the next release of rsync will.

..wayne..

From bowman at math.ualberta.ca Mon May 21 10:47:48 2001
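Markus's `cat - > file.tmp && mv file.tmp file` one-liner and Jos's question about doing the same for several files both rest on one primitive, shown here as an added example in C that is not code from the thread or from OpenSSH: write the new contents to a temporary file in the destination's own directory, fsync it, then rename it over the target, so a reader of the target sees either the old file or the complete new one and a failed transfer leaves the old contents in place. atomic_replace, read_file and leftover_temps are names I chose; only the local replace step is demonstrated, the ssh transport is left out.

```c
#define _XOPEN_SOURCE 700       /* mkstemp, fsync, mkdtemp */
#include <errno.h>
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write all of data to fd, retrying short writes. 0 on success, -1 on error. */
static int write_all(int fd, const char *data, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, data, len);
        if (n < 0 && errno == EINTR)
            continue;
        if (n < 0)
            return -1;
        data += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Replace the contents of dest so that a concurrent reader sees either the
 * complete old file or the complete new one, never a partial write.
 * The temporary file is created beside dest (same directory, hence same
 * filesystem) because rename(2) is an atomic name swap only within one
 * filesystem; across filesystems it degrades to the copy-then-unlink that
 * the thread compares with cp + rm. Returns 0 on success, -1 with errno set
 * on failure; on failure dest is untouched and the temporary file removed.
 * Caveat: mkstemp creates the file 0600, so a real tool would fchmod() it
 * to the intended mode before the rename. */
int atomic_replace(const char *dest, const char *data, size_t len)
{
    char tmp[4096];
    int fd, saved;

    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", dest) >= (int)sizeof tmp) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if ((fd = mkstemp(tmp)) < 0)         /* exclusive create, unique name */
        return -1;
    if (write_all(fd, data, len) < 0 || fsync(fd) < 0) {
        saved = errno;                    /* preserve the real cause */
        close(fd);
        unlink(tmp);                      /* no half-written file left behind */
        errno = saved;
        return -1;
    }
    if (close(fd) < 0 || rename(tmp, dest) < 0) {
        saved = errno;
        unlink(tmp);
        errno = saved;
        return -1;
    }
    return 0;
}

/* Read up to size-1 bytes of path into buf (NUL-terminated); bytes read or -1. */
ssize_t read_file(const char *path, char *buf, size_t size)
{
    FILE *f = fopen(path, "rb");
    size_t n;

    if (f == NULL)
        return -1;
    n = fread(buf, 1, size - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (ssize_t)n;
}

/* Number of "<dest>.XXXXXX"-shaped files beside dest: 0 means neither a
 * successful nor a failed atomic_replace() abandoned its temporary file. */
int leftover_temps(const char *dest)
{
    char pattern[4096];
    glob_t g;
    int n;

    snprintf(pattern, sizeof pattern, "%s.??????", dest);
    if (glob(pattern, 0, NULL, &g) != 0)
        return 0;                         /* GLOB_NOMATCH: nothing left over */
    n = (int)g.gl_pathc;
    globfree(&g);
    return n;
}
```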
From: bowman at math.ualberta.ca (John Bowman)
Date: 21 May 2001 00:47:48 -0000
Subject: SSH connection hanging on logout
Message-ID: <20010521004748.5408.qmail@wizard.math.ualberta.ca>

> From: Markus Friedl
> ok, so just fyi:
>     dd if=/bsd bs=65536 count=2
> gets truncated on my openbsd development system.
>
> you have to get into this situation:
>
> shell writes last block into pipe to sshd process.
> shell dies
> not all data has been read from the pipe.
>
> i can trigger this with
>     dd if=/bsd bs=65536 count=2
>
> the figures should be different for other systems, but i think
> all systems will show this problem.

It depends on how pipes are implemented. The scenario you describe
doesn't happen under Linux; the shell doesn't exit until all of the data
has been read from the pipe. I suspect these differences in the way the
shell and pipes interact are the underlying reason why you don't see the
hang-on-exit bug at all on OpenBSD.

Tweaking the parameters in your test doesn't make any difference on
Linux, as demonstrated by the output of the script below. Changing
localhost to another host (be sure to compare identical files) or working
under different load average conditions does not affect the results.

The patch has been subjected to exhaustive testing. Unless someone reports
a case where it fails before the next release, please go ahead and include
it in the next Linux version of OpenSSH. (If you don't like the -S option
for some reason, you can always remove it and the sleep config option).

#!/bin/sh
# usage: hang-on-exit.test SIZE INCR COUNT DELAY
# loops over increasing block sizes until the checksum of the data read
# through ssh differs from the checksum of the same data read locally
size=$1
incr=$2
count=$3
delay=$4
checksum=
answer=
while [ "$checksum" = "$answer" ]
do
    checksum=`ssh localhost dd if=/usr/local/netscape/netscape bs=$size count=$count | ( sleep $delay ; md5sum )`
    answer=`dd if=/usr/local/netscape/netscape bs=$size count=$count | md5sum`
    echo $size $count $delay $checksum $answer
    size=$(( $size + $incr ))
done
echo CHECKSUM MISMATCH!

The output of the tests is available at
http://www.math.ualberta.ca/imaging/snfs/hang-on-exit.test

--
John Bowman
University of Alberta
http://www.math.ualberta.ca/~bowman

From tomh at po.crl.go.jp Mon May 21 11:41:07 2001
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Mon, 21 May 2001 10:41:07 +0900 (JST)
Subject: SSH connection hanging on logout
In-Reply-To: <20010521004748.5408.qmail@wizard.math.ualberta.ca>
Message-ID:

> The patch has been subjected to exhaustive testing. Unless someone reports
> a case where it fails before the next release, please go ahead and include
> it in the next Linux version of OpenSSH. (If you don't like the -S option
> for some reason, you can always remove it and the sleep config option).

Just another data point: I've been starting netscape via

    ssh -X -n -o 'batchmode yes' ansgimachine /usr/bin/X11/netscape &

from the desktop menubar (Linux/Alpha -> SGI Irix) and when I exit
netscape, ssh (2.9p1) usually fails to exit on the Linux side. With your
patch installed it exits every time. I'm not using -S, just as above.

Dr. Tom

From ecashin at terry.uga.edu Mon May 21 13:17:48 2001
From: ecashin at terry.uga.edu (Ed L Cashin) Date: 20 May 2001 23:17:48 -0400 Subject: ignoring SIGPIPE causing problems in pipes Message-ID: Hi. I'm writing an article on network backups, and instead of using my old ssh1 software, I decided to go with openssh all the way. I got the hang of the openssh way of doing protocol 2 public key authentication, but ssh is failing to terminate when a pipe is broken. I am ssh-ing to a remote host and doing a cat or zcat of a dump file, then on the localhost, I'm using restore to extract files from the dump stream. With openssh-2.9p1, I can tell with strace on the localhost that the restore process exits after restoring the file successfully. I can see in the process list that the ssh command is still running, though, so the restore appears to "hang". I suspected that the ssh client was inappropriately ignoring the PIPE signal, so I tried restoring from a cat of a local stream, and observed that cat exited with a "Broken pipe" error. I made the following change, commenting out the line that ignores the SIGPIPE: nilda:2:ecashin openssh-2.9p1$ diff -u clientloop.c.dist clientloop.c --- clientloop.c.dist Fri Apr 20 08:50:51 2001 +++ clientloop.c Sun May 20 22:55:35 2001 
@@ -814,7 +814,7 @@ signal(SIGINT, signal_handler); signal(SIGQUIT, signal_handler); signal(SIGTERM, signal_handler); - signal(SIGPIPE, SIG_IGN); + /* signal(SIGPIPE, SIG_IGN); */ if (have_pty) signal(SIGWINCH, window_change_handler); ... and got the correct behavior: [root at nilda test-restore]# ssh meili 'cat nildadump-boot.gz' | \ gunzip -c | restore xf - kernel.h root at meili's password: set owner/mode for '.'? [yn] n Broken pipe I noticed in the ChangeLog file that SIGPIPE and X forwarding problems are related somehow ... Is there any chance of this getting resolved before September? I don't want to publish an article with scripts that will appear to hang mysteriously. TIA! :) -- --Ed Cashin PGP public key: ecashin at terry.uga.edu http://www.terry.uga.edu/~ecashin/pgp/ From openssh-unix-dev at thewrittenword.com Mon May 21 14:09:45 2001 
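Review bot: Commenting out `signal(SIGPIPE, SIG_IGN);` restores the default disposition for every write the client makes, not only the stdout write in your restore pipeline, so the client now dies by SIGPIPE whenever the peer of any forwarded channel disappears, which is presumably the X forwarding relationship the ChangeLog entry you noticed refers to. The narrower fix is to keep SIG_IGN and make the client loop treat EPIPE (or EOF) on its own stdout as the end of the session and exit, so that `ssh meili 'cat nildadump-boot.gz' | gunzip -c | restore xf -` ends cleanly once restore closes the pipe without re-exposing the forwarding code to the signal. If the line is to go, delete it rather than leave it commented out.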
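Ed's report, in an added example in C that is mine and not OpenSSH code: a process that sets SIGPIPE to SIG_IGN is no longer killed when its reader exits, so it must recognise EPIPE from write(2) itself and treat it as the end of the session, which is the behaviour the commented-out line trades away. relay() is a minimal stand-in for the client's stdout pump, relay_demo() drives it with constructed data, and child_outcome() contrasts the default disposition (the "Broken pipe" cat showed) with SIG_IGN; all three names are mine.

```c
#define _XOPEN_SOURCE 700       /* fork, pipe, waitpid */
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum outcome { KILLED_BY_SIGPIPE = 1, EXITED_ON_EPIPE = 2, OTHER_OUTCOME = 3 };

/* Write all of buf to fd: 0 on success, -1 with errno set. Once the last
 * reader of a pipe is gone errno is EPIPE, unless SIGPIPE (default
 * disposition) has already killed the process. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0)
            return -1;
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Copy `in` to `out` as a relay such as the ssh client loop does. With
 * SIGPIPE ignored, EPIPE from write(2) is the only notice that the consumer
 * has exited; a relay that ignores the signal but not EPIPE keeps running
 * until its own input ends, which is the "ssh is still there after restore
 * finished" symptom from the report.
 * Returns 0 at end of input, -1 on EPIPE (reader gone), -2 on other errors. */
int relay(int in, int out)
{
    char buf[4096];
    for (;;) {
        ssize_t n = read(in, buf, sizeof buf);
        if (n == 0)
            return 0;
        if (n < 0)
            return -2;
        if (write_all(out, buf, (size_t)n) < 0)
            return errno == EPIPE ? -1 : -2;
    }
}

/* Push constructed sample data through relay() with SIGPIPE ignored. With a
 * reader on the destination relay() returns 0 and the bytes arrive intact;
 * with the destination's read end already closed it must return -1, not hang. */
int relay_demo(int reader_present)
{
    const char sample[] = "dump data block\n";      /* constructed input */
    char back[64];
    int src[2], dst[2], r;
    if (pipe(src) < 0 || pipe(dst) < 0)
        return -2;
    signal(SIGPIPE, SIG_IGN);                       /* as ssh 2.9p1 does */
    (void)write_all(src[1], sample, sizeof sample - 1);
    close(src[1]);                                  /* end of input */
    if (!reader_present)
        close(dst[0]);                              /* consumer is gone */
    r = relay(src[0], dst[1]);
    close(src[0]);
    close(dst[1]);
    if (reader_present) {
        ssize_t n = read(dst[0], back, sizeof back);
        close(dst[0]);
        if (n != (ssize_t)(sizeof sample - 1) || memcmp(back, sample, (size_t)n) != 0)
            return -2;                              /* data did not arrive */
    }
    return r;
}

/* Fork a child that writes into a pipe nobody reads from and report how it
 * ended: SIG_DFL means the kernel kills it with SIGPIPE; SIG_IGN means
 * write() fails with EPIPE and the child must exit on its own (status 3). */
int child_outcome(int ignore_sigpipe)
{
    int p[2], status;
    pid_t pid;
    if (pipe(p) < 0)
        return OTHER_OUTCOME;
    close(p[0]);                  /* no reader exists before the child writes */
    if ((pid = fork()) < 0)
        return OTHER_OUTCOME;
    if (pid == 0) {
        signal(SIGPIPE, ignore_sigpipe ? SIG_IGN : SIG_DFL);
        if (write_all(p[1], "x", 1) < 0 && errno == EPIPE)
            _exit(3);             /* the clean exit a relay should take */
        _exit(0);
    }
    close(p[1]);
    if (waitpid(pid, &status, 0) < 0)
        return OTHER_OUTCOME;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGPIPE)
        return KILLED_BY_SIGPIPE;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 3)
        return EXITED_ON_EPIPE;
    return OTHER_OUTCOME;
}
```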
From: openssh-unix-dev at thewrittenword.com (openssh-unix-dev at thewrittenword.com)
Date: Sun, 20 May 2001 23:09:45 -0500
Subject: 2.9p1 patches
Message-ID: <20010520230944.A22638@postal.il.thewrittenword.com>

1. Add support for files >2GB via Paul Eggert's AC_SYS_LARGEFILE macro.
   This macro is now part of autoconf 2.50. Because of this, "config.h"
   needs to be included before system headers to get the appropriate
   defines for LFS support.
     openbsd-compat/sigact.c
     configure.in
     acinclude.m4

2. AIX defines TILDE in . Rename to TILDE_CHAR. Feel free to pick a
   better name.
     openbsd-compat/glob.c

3. You should *not* place custom macros in aclocal.m4. They should be in
   acinclude.m4 and then you should use aclocal to generate aclocal.m4
   from acinclude.m4.
     acinclude.m4

4. A better --with-pcre and --with-zlib configure test.
     configure.in

Some comments regarding your code in configure.in:

1. Hardcoding the need for -lsocket and -lnsl via $no_libsocket and
   $no_libnsl is gross. Doing this means you don't know how to write a
   proper autoconf test to determine if these two libraries are needed.
   The solution is not to hack in the value with a case statement but to
   figure out the proper autoconf way of solving the problem, independent
   of hardcoding the solution for every platform. A solution proposed
   below is:
     AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match))
     AC_CHECK_FUNC(setsockopt, , AC_CHECK_LIB(socket, setsockopt))
   We could probably also add:
     AC_CHECK_FUNC(gethostent, , AC_CHECK_LIB(nsl, gethostent))

2. Checks such as the following are wrong:
     AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen")
   Don't check if the function exists in the library. Check first if the
   function exists *without* the library and then with the library if
   need be (and, FYI, AC_CHECK_LIB(lib,func) will automatically add
   "-l[lib]" to $LIBS):
     AC_CHECK_FUNC(getspnam, , AC_CHECK_LIB(gen, getspnam))

If our autoconf checks aren't correct, let's find out why and fix it.
I'd like to move in a direction where there are *no* hardcoded case statements per platform in configure.in. -- albert chin (china at thewrittenword.com) -- snip snip --- openbsd-compat/sigact.c.orig Fri May 18 20:48:57 2001 +++ openbsd-compat/sigact.c Fri May 18 20:49:05 2001 @@ -33,8 +33,8 @@ * and: Eric S. Raymond * ****************************************************************************/ -#include #include "config.h" +#include #include "sigact.h" /* This file provides sigaction() emulation using sigvec() */ --- openbsd-compat/glob.c.orig Fri May 18 20:49:30 2001 +++ openbsd-compat/glob.c Fri May 18 20:49:42 2001 @@ -97,7 +97,7 @@ #define RBRACKET ']' #define SEP '/' #define STAR '*' -#define TILDE '~' +#define TILDE_CHAR '~' #define UNDERSCORE '_' #define LBRACE '{' #define RBRACE '}' @@ -354,7 +354,7 @@ const Char *p; Char *b, *eb; - if (*pattern != TILDE || !(pglob->gl_flags & GLOB_TILDE)) + if (*pattern != TILDE_CHAR || !(pglob->gl_flags & GLOB_TILDE)) return pattern; /* Copy up to the end of the string or / */ --- configure.in.orig Fri May 18 20:50:43 2001 +++ configure.in Fri May 18 23:45:09 2001 @@ -9,6 +9,7 @@ # Checks for programs. AC_PROG_CPP +AC_SYS_LARGEFILE AC_PROG_RANLIB AC_PROG_INSTALL AC_PATH_PROG(AR, ar) 
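Review bot: In the openbsd-compat/sigact.c hunk the reorder is the right fix for AC_SYS_LARGEFILE, since the _FILE_OFFSET_BITS and _LARGE_FILES defines from config.h only take effect if no system header has been seen first, but the cover note states the rule for all system headers and the patch touches only this one file; either say that the remaining sources in openbsd-compat/ and the main tree were audited for the same ordering or include them. Also, the system header's name is absent from the `-#include` / `+#include` lines as posted, so this hunk will not apply; repost with the header name intact.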
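Review bot: The TILDE to TILDE_CHAR rename in the openbsd-compat/glob.c hunks should carry a one-line comment at the `#define TILDE_CHAR '~'` saying why it differs from the upstream name (AIX defines TILDE in a system header), otherwise the next resync with OpenBSD's glob.c will silently reintroduce the clash; and please confirm the two hunks shown cover every use of TILDE in the file, since only the definition and the `*pattern != TILDE_CHAR` check at line 354 are touched here.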
@@ -285,35 +256,56 @@ ] ) +dnl for PCRE regex library AC_ARG_WITH(pcre, - [ --with-pcre Override built in regex library with pcre], - [ - - AC_CHECK_LIB(pcre, pcre_info, - [ - AC_DEFINE(HAVE_LIBPCRE) - LIBS="$LIBS -lpcreposix -lpcre" - no_comp_check="yes" - ], - [ AC_MSG_ERROR([*** Can not locate pcre libraries.]) ] - ) - ] -) + [ --with-pcre[=PATH] Override builtin regex library with PCRE + (optionally in DIR)],[ + case "$withval" in + no) ;; + *) + if test "x$withval" != "xyes"; then + CPPFLAGS="${CPPFLAGS} -I$withval/include" + LDFLAGS="${LDFLAGS} -L$withval/lib" + fi + + AC_CHECK_HEADER(pcreposix.h, + AC_CHECK_LIB(pcre, pcre_info,[ + AC_DEFINE(HAVE_LIBPCRE) + LIBS="$LIBS -lpcreposix -lpcre" + no_comp_check=yes], + AC_MSG_ERROR([*** unable to locate pcre library ***])), + AC_MSG_ERROR([*** unable to locate pcreposix.h include file ***])) + ;; + esac +]) # Checks for libraries. -if test -z "$no_libnsl" ; then - AC_CHECK_LIB(nsl, yp_match, , ) -fi -if test -z "$no_libsocket" ; then - AC_CHECK_LIB(socket, main, , ) -fi +AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match)) +AC_CHECK_FUNC(setsockopt, , AC_CHECK_LIB(socket, setsockopt)) dnl SCO OS3 needs this for libwrap -AC_CHECK_LIB(rpc, innetgr, LIBS="-lrpc -lyp -lrpc $LIBS" , , -lyp -lrpc) +AC_CHECK_FUNC(innetgr, , + AC_CHECK_LIB(rpc, innetgr, LIBS="-lrpc -lyp -lrpc $LIBS" , , -lyp -lrpc)) -AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen") -AC_CHECK_LIB(z, deflate, ,AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])) -AC_CHECK_LIB(util, login, AC_DEFINE(HAVE_LIBUTIL_LOGIN) LIBS="$LIBS -lutil") +AC_CHECK_FUNC(getspnam, , + AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen")) +AC_CHECK_FUNC(login, , + AC_CHECK_LIB(util, login, + AC_DEFINE(HAVE_LIBUTIL_LOGIN) LIBS="$LIBS -lutil")) + +dnl zlib is required +AC_ARG_WITH(zlib, +[ --with-zlib=PATH Use zlib in PATH],[ + if test -d "$withval"; then + CPPFLAGS="${CPPFLAGS} -I$withval/include" + LDFLAGS="${LDFLAGS} -L$withval/lib" + fi +]) + 
+AC_CHECK_HEADER(zlib.h, + AC_CHECK_LIB(z, gzread, , + AC_MSG_ERROR([*** zlib missing. install first or check config.log ***])), + AC_MSG_ERROR([*** zlib missing. install first or check config.log ***])) # We don't want to check if we did an pcre override. if test -z "$no_comp_check" ; then @@ -396,7 +388,7 @@ # Check whether user wants S/Key support SKEY_MSG="no" AC_ARG_WITH(skey, - [ --with-skey=PATH Enable S/Key support], + [ --with-skey=PATH Enable S/Key support], [ if test "x$withval" != "xno" ; then --- /dev/null Sat Nov 11 12:59:35 2000 +++ acinclude.m4 Fri May 18 20:50:37 2001 
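Review bot: Three points in the configure.in @@ -285,35 hunk. The --with-pcre help string names the argument `[=PATH]` but describes it as "(optionally in DIR)"; pick one. The two AC_MSG_ERROR branches of the zlib check print the identical "*** zlib missing. install first or check config.log ***", so a user cannot tell whether zlib.h or linking against gzread failed; word them differently. And `AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen")` keeps the explicit LIBS assignment even though the cover note's point 2 says AC_CHECK_LIB adds -lgen itself when no action is given; drop the action so it matches the recommended `AC_CHECK_FUNC(getspnam, , AC_CHECK_LIB(gen, getspnam))` form.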
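Review bot: The @@ -396,7 hunk only re-aligns whitespace in the --with-skey help string; an unrelated cosmetic change makes the patch harder to review and to apply against other trees, so either drop it from this submission or mention it in the description.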
@@ -0,0 +1,137 @@ +dnl $Id: aclocal.m4,v 1.4 2000/06/26 00:20:19 djm Exp $ +dnl +dnl OpenSSH-specific autoconf macros +dnl + + +dnl OSSH_CHECK_HEADER_FOR_FIELD(field, header, symbol) +dnl Does AC_EGREP_HEADER on 'header' for the string 'field' +dnl If found, set 'symbol' to be defined. Cache the result. +dnl TODO: This is not foolproof, better to compile and read from there +AC_DEFUN(OSSH_CHECK_HEADER_FOR_FIELD, [ +# look for field '$1' in header '$2' + dnl This strips characters illegal to m4 from the header filename + ossh_safe=`echo "$2" | sed 'y%./+-%__p_%'` + dnl + ossh_varname="ossh_cv_$ossh_safe""_has_"$1 + AC_MSG_CHECKING(for $1 field in $2) + AC_CACHE_VAL($ossh_varname, [ + AC_EGREP_HEADER($1, $2, [ dnl + eval "$ossh_varname=yes" dnl + ], [ dnl + eval "$ossh_varname=no" dnl + ]) dnl + ]) + ossh_result=`eval 'echo $'"$ossh_varname"` + if test -n "`echo $ossh_varname`"; then + AC_MSG_RESULT($ossh_result) + if test "x$ossh_result" = "xyes"; then + AC_DEFINE($3) + fi + else + AC_MSG_RESULT(no) + fi +]) + +dnl OSSH_PATH_ENTROPY_PROG(variablename, command): +dnl Tidiness function, sets 'undef' if not found, and does the AC_SUBST +AC_DEFUN(OSSH_PATH_ENTROPY_PROG, [ + AC_PATH_PROG($1, $2) + if test -z "[$]$1" ; then + $1="undef" + fi + AC_SUBST($1) +]) + +#serial 19 + +dnl By default, many hosts won't let programs access large files; +dnl one must use special compiler options to get large-file access to work. +dnl For more details about this brain damage please see: +dnl http://www.sas.com/standards/large.file/x_open.20Mar96.html + +dnl Written by Paul Eggert . + +dnl Internal subroutine of AC_SYS_LARGEFILE. +dnl AC_SYS_LARGEFILE_TEST_INCLUDES +AC_DEFUN(AC_SYS_LARGEFILE_TEST_INCLUDES, + [[#include + /* Check that off_t can represent 2**63 - 1 correctly. + We can't simply "#define LARGE_OFF_T 9223372036854775807", + since some C++ compilers masquerading as C compilers + incorrectly reject 9223372036854775807. 
*/ +# define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) + int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 + && LARGE_OFF_T % 2147483647 == 1) + ? 1 : -1]; + ]]) + +dnl Internal subroutine of AC_SYS_LARGEFILE. +dnl AC_SYS_LARGEFILE_MACRO_VALUE(C-MACRO, VALUE, CACHE-VAR, COMMENT, INCLUDES, FUNCTION-BODY) +AC_DEFUN(AC_SYS_LARGEFILE_MACRO_VALUE, + [AC_CACHE_CHECK([for $1 value needed for large files], $3, + [$3=no + AC_TRY_COMPILE([$5], + [$6], + , + [AC_TRY_COMPILE([#define $1 $2] +[$5] + , + [$6], + [$3=$2])])]) + if test "[$]$3" != no; then + AC_DEFINE_UNQUOTED([$1], [$]$3, [$4]) + fi]) + +AC_DEFUN(AC_SYS_LARGEFILE, + [AC_REQUIRE([AC_PROG_CC]) + AC_ARG_ENABLE(largefile, + [ --disable-largefile omit support for large files]) + if test "$enable_largefile" != no; then + + AC_CACHE_CHECK([for special C compiler options needed for large files], + ac_cv_sys_largefile_CC, + [ac_cv_sys_largefile_CC=no + if test "$GCC" != yes; then + # IRIX 6.2 and later do not support large files by default, + # so use the C compiler's -n32 option if that helps. + AC_TRY_COMPILE(AC_SYS_LARGEFILE_TEST_INCLUDES, , , + [ac_save_CC="$CC" + CC="$CC -n32" + AC_TRY_COMPILE(AC_SYS_LARGEFILE_TEST_INCLUDES, , + ac_cv_sys_largefile_CC=' -n32') + CC="$ac_save_CC"]) + fi]) + if test "$ac_cv_sys_largefile_CC" != no; then + CC="$CC$ac_cv_sys_largefile_CC" + fi + + AC_SYS_LARGEFILE_MACRO_VALUE(_FILE_OFFSET_BITS, 64, + ac_cv_sys_file_offset_bits, + [Number of bits in a file offset, on hosts where this is settable.], + AC_SYS_LARGEFILE_TEST_INCLUDES) + AC_SYS_LARGEFILE_MACRO_VALUE(_LARGE_FILES, 1, + ac_cv_sys_large_files, + [Define for large files, on AIX-style hosts.], + AC_SYS_LARGEFILE_TEST_INCLUDES) + fi + ]) + +AC_DEFUN(AC_FUNC_FSEEKO, + [AC_SYS_LARGEFILE_MACRO_VALUE(_LARGEFILE_SOURCE, 1, + ac_cv_sys_largefile_source, + [Define to make fseeko visible on some hosts (e.g. 
glibc 2.2).], + [#include ], [return !fseeko;]) + # We used to try defining _XOPEN_SOURCE=500 too, to work around a bug + # in glibc 2.1.3, but that breaks too many other things. + # If you want fseeko and ftello with glibc, upgrade to a fixed glibc. + + AC_CACHE_CHECK([for fseeko], ac_cv_func_fseeko, + [ac_cv_func_fseeko=no + AC_TRY_LINK([#include ], + [return fseeko && fseeko (stdin, 0, 0);], + [ac_cv_func_fseeko=yes])]) + if test $ac_cv_func_fseeko != no; then + AC_DEFINE(HAVE_FSEEKO, 1, + [Define if fseeko (and presumably ftello) exists and is declared.]) + fi]) From vsync at quadium.net Mon May 21 15:45:06 2001 From: vsync at quadium.net (vsync) Date: 20 May 2001 22:45:06 -0700 Subject: SSH connection hanging on logout In-Reply-To: Tom Holroyd's message of "Mon, 21 May 2001 10:41:07 +0900 (JST)" References: Message-ID: <86vgmv2r31.fsf@piro.quadium.net> Tom Holroyd writes: > Just another data point: I've been starting netscape via > > ssh -X -n -o 'batchmode yes' ansgimachine /usr/bin/X11/netscape & > > from the desktop menubar (Linux/Alpha -> SGI Irix) and when I exit > netscape, ssh (2.9p1) usually fails to exit on the Linux side. With your > patch installed it exits every time. I'm not using -S, just as above. Just out of total random curiosity, why not run a local netscape? -- vsync http://quadium.net/ - last updated Tue May 15 15:02:08 PDT 2001 (cons (cons (car (cons 'c 'r)) (cdr (cons 'a 'o))) ; Orjner (cons (cons (car (cons 'n 'c)) (cdr (cons nil 's))) nil)) From mark.pitt at ch.ibm.com Mon May 21 22:03:20 2001 
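Review bot: Two points on the new acinclude.m4 (the @@ -0,0 +1,137 hunk). It opens with `$Id: aclocal.m4,v 1.4 2000/06/26 00:20:19 djm Exp $`, a keyword expansion carried over from the old file; a new file should start with a bare `$Id$` so the next commit expands it for the right path. And the bundled AC_SYS_LARGEFILE (marked `#serial 19`) is, as the cover note says, shipped by autoconf 2.50 under the same name, so on a 2.50 installation the later definition silently wins; either require autoconf 2.50 and drop the copy, or guard the copy so it is defined only when autoconf's own is absent, and state the minimum autoconf version in the description.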
From: mark.pitt at ch.ibm.com (mark.pitt at ch.ibm.com)
Date: Mon, 21 May 2001 14:03:20 +0200
Subject: permitrootlogin=no does NOT help
Message-ID:

Thanks for replying guys but:

The problem I have is this: I cannot turn off telnetd and rlogind for all
users in one day - they use rlogin=false for each user ie:

    chuser rlogin=false root

Unfortunately ssh does not allow access when this is set. I would like to
use ssh at first just for root, and then for other users after testing etc.

permitrootlogin is a ssh concept, not applicable to telnet and rlogin - I
am trying to allow root access only via ssh and public keys of authorised
users, with a tracking mechanism via ssh logging of which public key had
granted access.

Pekka Savola understands exactly what I am trying to achieve when he wrote:

This is an attempt to solve the account management problem. For example,
consider a company with 50 servers which are managed by 5-10 admins. When
the admins switch jobs, you always have to make sure their accounts are
deleted, new ones added etc. Also, it's a pain for the admins to set up
passwords for each, and change them in each, etc. Real pain. Some custom
password/user management tools make this a bit easier, but not much. If
there are good, reliable systems for this, I sure would like to know of
them.

There are obvious advantages not having to know (unless something dire
happens) the root password yet being able to do work as root in
multi-admin circumstances.

How SSH makes this easier is that you only have to sync the
authorized_keys2 database to root account's .ssh/ every time new admin
comes in/leaves the house. This can even be automatized rather easily.

A more modular hack would be using authorized_keys2 _directory_, and the
keys in there would all be counted as authorized. Thus only one file
copy/removal would do the job, no need for sync; this would be profitable
in environments where all admins don't have access to all systems.
--

From K.Wolkersdorfer at fz-juelich.de Tue May 22 00:08:00 2001
From: K.Wolkersdorfer at fz-juelich.de (K.Wolkersdorfer at fz-juelich.de)
Date: Mon, 21 May 2001 14:08:00 +0000
Subject: openssh-2.9p1 bug: loginfailed() with AIX 4.3.3
Message-ID: <1010521140800.ZM14278@zam282.zam.kfa-juelich.de>

Hi,

first let me thank you for all the excellent work with openssh!

Bug-Description (for AIX - current release 4.3.3 - only):

During password-authentication if a user enters a wrong password, the
failed attempt is not at all recorded in /etc/security/lastlog, although
the loginfailed() subroutine in auth1.c is supposed to do that.

Suggestion:

In AIX the loginfailed() subroutine should be called if and only if the
user enters a wrong password:

From man loginfailed:
..."A login failure audit record is cut to indicate that an unsuccessful
login attempt occurred. A utmp entry is appended to /etc/security/failedlogin
file, which tracks all failed login attempts." ...

So it seems that in auth1.c the loginfailed() subroutine is in the wrong
place. It should be immediately after the password-authentication.
Bug-Fix: The following fix works for us: ------------------------------------------------------------------------ diff auth-passwd.c.orig auth-passwd.c 151c151,160 < return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); --- > { int iau; > iau = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); > debug("auth-passwd (FZJ-authenticate): rc: %d msg: %s", iau, authmsg); > if (iau) > return 1; > loginfailed(authctxt->user, > get_canonical_hostname(options.reverse_mapping_check), > "ssh"); > return 0; > } ------------------------------------------------------------------------- Many thanks for your attention and best regards from Germany Klaus -- Klaus Wolkersdorfer (K.Wolkersdorfer at fz-juelich.de) Zentralinstitut fuer Angewandte Mathematik (ZAM) Tel: +49-2461-61-6579 John von Neumann - Institute for Computing (NIC) Fax: -6656 Forschungszentrum Juelich GmbH, D-52425 Juelich, Germany From gordonr at e-smith.com Mon May 21 22:09:10 2001 
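Review bot: Two problems in the auth-passwd.c replacement block. `debug("auth-passwd (FZJ-authenticate): rc: %d msg: %s", iau, authmsg)` hands authmsg to %s unconditionally, and authenticate() need not set it on every path, so guard it (`authmsg ? authmsg : ""`) before this goes in. And the bug description says auth1.c already calls loginfailed(), only in the wrong place: with this hunk a wrong password can be recorded from both sites, so the auth1.c call should be removed in the same patch, otherwise /etc/security/failedlogin gets two entries per attempt and any failed-login counter derived from it advances twice. The placement itself is right: recording the failure immediately after authenticate() returns non-zero is what makes wrong-password attempts visible in the AIX audit trail at all.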
From: gordonr at e-smith.com (Gordon Rowell)
Date: Mon, 21 May 2001 22:09:10 +1000
Subject: Strange interaction of sftp and protocol version 1
Message-ID: <20010521220910.Y15515@e-smith.com>

As I read the manpage, you need to enable Subsystems to have the server
support them.

[...]
     Subsystem
             Configures an external subsystem (e.g., file transfer daemon).
             Arguments should be a subsystem name and a command to execute
             upon subsystem request. The command sftp-server(8) implements
             the ``sftp'' file transfer subsystem. By default no subsystems
             are defined. Note that this option applies to protocol version
             2 only.
[...]

Are both of the following statements meant to be true?
- Subsystems must be defined for the server to support them
- Protocol version 1 does not support subsystems

For Linux, I need the following to enable sftp:

Subsystem sftp /usr/libexec/openssh/sftp-server

However, if I comment out/remove this line and restart sshd, I can still
start sftp when using Protocol version 1.

[gordonr at icedvovo]$ sftp timtam
Connecting to timtam...
Password:
Request for subsystem 'sftp' failed on channel 0
Connection closed

This is fine - no DSA key, so fallback to password, then fail as sftp is
not enabled.

[gordonr at icedvovo]$ sftp -1 timtam
Connecting to timtam...
Enter passphrase for RSA key 'gordonr at xxxxx':
sftp>

OK, we have an RSA key, which works and then sftp starts and works.

Is this the correct behaviour?

Client and server are openssh-2.5.2p2-1.7.2

Gordon

--
Gordon Rowell                 gordonr at e-smith.com
http://www.e-smith.org (development)    http://www.e-smith.com (corporate)
e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada

From Markus.Friedl at informatik.uni-erlangen.de Mon May 21 22:20:39 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 21 May 2001 14:20:39 +0200
Subject: ssh - NO SALE or NO GIVE ?
In-Reply-To: ; from pekkas@netcore.fi on Sun, May 20, 2001 at 01:54:08PM +0300
References:
Message-ID: <20010521142039.B438@faui02.informatik.uni-erlangen.de>

On Sun, May 20, 2001 at 01:54:08PM +0300, Pekka Savola wrote:
> How SSH makes this easier is that you only have to sync the
> authorized_keys2 database to root account's .ssh/ every time new admin
> comes in/leaves the house

how is this different from synching the wheel group on these machines?

From djm at mindrot.org Mon May 21 22:27:36 2001
From: djm at mindrot.org (Damien Miller)
Date: Mon, 21 May 2001 22:27:36 +1000 (EST)
Subject: Strange interaction of sftp and protocol version 1
In-Reply-To: <20010521220910.Y15515@e-smith.com>
Message-ID:

On Mon, 21 May 2001, Gordon Rowell wrote:
> Are both of the following statements meant to be true?
> - Subsystems must be defined for the server to support them
> - Protocol version 1 does not support subsystems

yes.

> For Linux, I need the following to enable sftp:
>
> Subsystem sftp /usr/libexec/openssh/sftp-server
>
> However, if I comment out/remove this line and restart sshd, I can still
> start sftp when using Protocol version 1.
>
> [gordonr at icedvovo]$ sftp timtam
> Connecting to timtam...
> Password:
> Request for subsystem 'sftp' failed on channel 0
> Connection closed
>
> This is fine - no DSA key, so fallback to password, then fail as sftp is
> not enabled.
>
> [gordonr at icedvovo]$ sftp -1 timtam
> Connecting to timtam...
> Enter passphrase for RSA key 'gordonr at xxxxx':
> sftp>
>
> OK, we have an RSA key, which works and then sftp starts and works.
>
> Is this the correct behaviour?

Yes, in this case the sftp client will try to activate sftp by doing a
"ssh remotehost /path/to/sftp". This is less robust than a subsystem.

If your goal is to prevent sftp access, then delete or rename the sftp
binary. Recognise though that allowing ssh access is going to implicitly
allow file transfer in almost all cases anyway.

-d

--
| Damien Miller \      ``E-mail attachments are the poor man's
| http://www.mindrot.org /    distributed filesystem'' - Dan Geer

From Markus.Friedl at informatik.uni-erlangen.de Mon May 21 22:29:38 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 21 May 2001 14:29:38 +0200
Subject: Strange interaction of sftp and protocol version 1
In-Reply-To: <20010521220910.Y15515@e-smith.com>; from gordonr@e-smith.com on Mon, May 21, 2001 at 10:09:10PM +1000
References: <20010521220910.Y15515@e-smith.com>
Message-ID: <20010521142938.C438@faui02.informatik.uni-erlangen.de>

On Mon, May 21, 2001 at 10:09:10PM +1000, Gordon Rowell wrote:
> Are both of the following statements meant to be true?
> - Subsystems must be defined for the server to support them

yes.

> - Protocol version 1 does not support subsystems

yes.

> For Linux, I need the following to enable sftp:
>
> Subsystem sftp /usr/libexec/openssh/sftp-server

yes.

> However, if I comment out/remove this line and restart sshd, I can still
> start sftp when using Protocol version 1.

yes.

> [gordonr at icedvovo]$ sftp timtam
> Connecting to timtam...
> Password:
> Request for subsystem 'sftp' failed on channel 0
> Connection closed

yes, correct.

> This is fine - no DSA key, so fallback to password, then fail as sftp is
> not enabled.
>
> [gordonr at icedvovo]$ sftp -1 timtam
> Connecting to timtam...
> Enter passphrase for RSA key 'gordonr at xxxxx':
> sftp>
>
> OK, we have an RSA key, which works and then sftp starts and works.
>
> Is this the correct behaviour?

yes.

with protocol 1 we do not use subsystems but try to execute
sftp-server with

    ssh host /path/to/sftp-server

you can do nothing to restrict this. it's just like

    ssh host date
    ssh host ls

if you remove the subsystem definition you can still use sftp
with protocol v2:

    sftp -s server /path/to/sftp-server

the 'Subsystem sftp' declaration is just an additional level of
indirection: the client user does not need to know the exact
location of the sftp-server

-m

From gordonr at e-smith.com Mon May 21 22:29:13 2001
From: gordonr at e-smith.com (Gordon Rowell)
Date: Mon, 21 May 2001 22:29:13 +1000
Subject: PasswordAuthentication no and protocol V2
Message-ID: <20010521222913.A15515@e-smith.com>

PasswordAuthentication seems to be accepted regardless when DSA
authentication is not available. Client and server are Linux -
openssh-2.5.2p2-1.7.2

Server config is:

Port 22
ListenAddress 0.0.0.0
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_dsa_key
KeyRegenerationInterval 3600
LoginGraceTime 600
ServerKeyBits 768
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin yes
RSAAuthentication yes
RhostsAuthentication no
RhostsRSAAuthentication no
StrictModes yes
X11DisplayOffset 10
X11Forwarding no
CheckMail no
KeepAlive yes
PrintMotd yes
SyslogFacility AUTH
LogLevel INFO

User has an RSA key, but no DSA key.

[gordonr at icedvovo]$ ssh timtam
Enter passphrase for RSA key 'gordonr at xxxxx':

That's fine - RSA key accepted.

[gordonr at icedvovo]$ ssh -2 timtam
Password:

Sorry? PasswordAuthentication is set to "no". I can log in using a
password, and the server logs:

May 21 08:21:12 timtam sshd[12079]: Accepted keyboard-interactive for gordonr from 192.168.116.20 port 1832 ssh2

Is this a Linux port problem or config problem? Is it reproducible in
other versions?

[...]
debug1: Found key in /home/gordonr/.ssh/known_hosts2:3
debug1: bits set: 1024/2049
debug1: len 55 datafellows 0
debug1: ssh_dss_verify: signature correct
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/gordonr/.ssh/id_rsa
debug1: try privkey: /home/gordonr/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
Password:

Gordon

-- 
Gordon Rowell gordonr at e-smith.com http://www.e-smith.org (development)
http://www.e-smith.com (corporate)
e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada

From gordonr at e-smith.com Mon May 21 22:34:23 2001
From: gordonr at e-smith.com (Gordon Rowell)
Date: Mon, 21 May 2001 22:34:23 +1000
Subject: Strange interaction of sftp and protocol version 1
In-Reply-To: ; from djm@mindrot.org on Mon, May 21, 2001 at 10:27:36PM +1000
References: <20010521220910.Y15515@e-smith.com>
Message-ID: <20010521223423.B15515@e-smith.com>

On Mon, May 21, 2001 at 10:27:36PM +1000, Damien Miller wrote:
> [...]
> If your goal is to prevent sftp access, then delete or rename the
> sftp binary.

No such goal, just a surprising result (to me) that allowing protocol
version 1 enabled sftp regardless of the configuration.

Which raises the issue that the default path to subsystems is
/usr/libexec, whereas they are installed (under Linux at least) in
/usr/libexec/openssh

Is that intentional or is sftp meant to work "out of the box" for V1?

> Recognise though that allowing ssh access is going to
> implicitly allow file transfer in almost all cases anyway.

Sure.

Thanks,

Gordon

-- 
Gordon Rowell gordonr at e-smith.com http://www.e-smith.org (development)
http://www.e-smith.com (corporate)
e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada

From djm at mindrot.org Mon May 21 22:41:11 2001
From: djm at mindrot.org (Damien Miller)
Date: Mon, 21 May 2001 22:41:11 +1000 (EST)
Subject: PasswordAuthentication no and protocol V2
In-Reply-To: <20010521222913.A15515@e-smith.com>

On Mon, 21 May 2001, Gordon Rowell wrote:

> PasswordAuthentication seems to be accepted regardless when DSA
> authentication is not available. Client and server are Linux -
> openssh-2.5.2p2-1.7.2

This is a byproduct of allowing PAM authentication via the SSH protocol 2
"kbd-interactive" authentication method.

Portable OpenSSH 2.9p1 adds a "PAMAuthenticationViaKbdInt" (default: no)
which can better control this.

-d

-- 
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From anthony.morichon at wanadoo.com Mon May 21 23:37:24 2001
From: anthony.morichon at wanadoo.com (anthony.morichon)
Date: Mon, 21 May 2001 15:37:24 +0200
Subject: No subject
Message-ID: <001301c0e1fb$2b7e6b00$5d9aa8c0@wana12583.desk.wanadoo.com>

--------------------------------------------------------------------------------
Anthony MORICHON
tel : +33 (0) 1 58 88 56 26
fax : +33 (0) 1 58 88 53 40
Wanadoo Interactive
Pôle Sécurité
29 rue des sablons, 75016 Paris
--------------------------------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010521/57753b68/attachment.html
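To make Damien Miller's explanation above checkable, here is an added example (not code from the thread, from Gordon, or from OpenSSH) in Python: it parses an sshd_config the way sshd does (the first value seen for a keyword wins), flags the case where PasswordAuthentication is off but keyboard-interactive can still carry a password through PAM, and then scans sshd "Accepted ..." log lines for logins that used that path. The config and log samples are constructed, with the single keyboard-interactive log line taken from Gordon's report; how an absent PAMAuthenticationViaKbdInt and a ChallengeResponseAuthentication no are treated is an assumption stated in the code.

```python
"""Audit sshd_config for the password-via-keyboard-interactive gap and
confirm it from sshd's own "Accepted ..." log lines."""
import re

# Constructed input: Gordon Rowell's server config from the thread, trimmed
# to the options that matter for this check.
SAMPLE_CONFIG = """\
Port 22
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin yes
RSAAuthentication yes
"""

# Same config plus the knobs a 2.9p1 (or later) server needs so that a
# password can no longer sneak in through keyboard-interactive.
HARDENED_CONFIG = SAMPLE_CONFIG + """\
PAMAuthenticationViaKbdInt no
ChallengeResponseAuthentication no
"""

# Constructed log lines: the keyboard-interactive one is from the thread,
# the other two are made up for contrast.
SAMPLE_LOG = """\
May 21 08:21:12 timtam sshd[12079]: Accepted keyboard-interactive for gordonr from 192.168.116.20 port 1832 ssh2
May 21 08:25:40 timtam sshd[12102]: Accepted publickey for gordonr from 192.168.116.20 port 1840 ssh2
May 21 08:30:01 timtam sshd[12130]: Failed password for root from 192.168.116.77 port 2201 ssh2
"""

ACCEPT_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)(?: (?P<proto>ssh\d?))?"
)


def parse_sshd_config(text):
    """Return {keyword_lowercased: value}. sshd keeps the FIRST value it
    sees for a keyword and ignores later duplicates, so appending
    'PasswordAuthentication yes' at the end of the file changes nothing."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts


def kbdint_password_gap(opts):
    """Return a finding (str) if passwords may still be accepted through
    the keyboard-interactive method, or None if the config closes it.

    Assumptions made here: an absent PAMAuthenticationViaKbdInt is treated
    as open, because the 2.5.2p2 server in the thread had no such knob and
    routed PAM through kbd-interactive regardless (on 2.9p1 the default is
    'no' per the reply above, but stating it explicitly costs nothing);
    ChallengeResponseAuthentication no is assumed to disable the
    keyboard-interactive method as a whole, as it does in later releases."""
    if opts.get("passwordauthentication", "yes").lower() != "no":
        return None  # passwords are allowed on purpose; nothing to flag
    if opts.get("challengeresponseauthentication", "yes").lower() == "no":
        return None
    pam_kbd = opts.get("pamauthenticationviakbdint")
    if pam_kbd is not None and pam_kbd.lower() == "no":
        return None
    return ("PasswordAuthentication no, but keyboard-interactive (PAM) is "
            "not disabled: set PAMAuthenticationViaKbdInt no (2.9p1+) or "
            "ChallengeResponseAuthentication no")


def unexpected_password_logins(log_lines, opts):
    """For a config with PasswordAuthentication no, return the 'Accepted'
    events whose method still carried a password (password or kbd-int)."""
    if opts.get("passwordauthentication", "yes").lower() != "no":
        return []
    hits = []
    for line in log_lines:
        m = ACCEPT_RE.search(line)
        if m and m.group("method") in ("password", "keyboard-interactive"):
            hits.append(m.groupdict())
    return hits


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_CONFIG)
    print(kbdint_password_gap(cfg))
    for hit in unexpected_password_logins(SAMPLE_LOG.splitlines(), cfg):
        print("%(user)s from %(ip)s via %(method)s" % hit)
```

Run against Gordon's config the audit reports the gap, and the log scan returns exactly the keyboard-interactive login he saw while ignoring the publickey accept and the failed password attempt; the hardened variant returns no finding.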
From: pekkas at netcore.fi (Pekka Savola)
Date: Mon, 21 May 2001 16:51:22 +0300 (EEST)
Subject: ssh - NO SALE or NO GIVE ?
In-Reply-To: <20010521142039.B438@faui02.informatik.uni-erlangen.de>

On Mon, 21 May 2001, Markus Friedl wrote:
> On Sun, May 20, 2001 at 01:54:08PM +0300, Pekka Savola wrote:
> > How SSH makes this easier is that you only have to sync the
> > authorized_keys2 database to root account's .ssh/ every time new admin
> > comes in/leaves the house
>
> how is this different from synching the wheel group on these machines?

This is solving a different problem than the one I described; this only
controls whether users can change to root after being properly
authenticated as the _user_.

If you only sync wheel group, the users still must:

1) be added and deleted when leaving house (else they could sniff around
   afterwards, or the account could fall to wrong hands)
2) their passwords must be set, and managed
3) change password in N machines if he wants to change it everywhere
4) etc.

There is a significant difference related to _account management_ here;
I'm sure you can see it. :-)

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

From Markus.Friedl at informatik.uni-erlangen.de Tue May 22 00:04:05 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 21 May 2001 16:04:05 +0200
Subject: ssh - NO SALE or NO GIVE ?
In-Reply-To: ; from pekkas@netcore.fi on Mon, May 21, 2001 at 04:51:22PM +0300
References: <20010521142039.B438@faui02.informatik.uni-erlangen.de>
Message-ID: <20010521160405.D438@faui02.informatik.uni-erlangen.de>

On Mon, May 21, 2001 at 04:51:22PM +0300, Pekka Savola wrote:
> There is a significant difference related to _account management_ here;
> I'm sure you can see it. :-)

i can see what you want. however, i still think that nobody
should ever login as root. the root account should never be
used at all. you can use su/sudo if you need privileges.
you should never use the root account to do any work. just
kill/start or cp files.

it happens much more often that general accounts are added
than privileged accounts are removed. so you need to update
the user database on a regular basis anyway.

if you want to lock out people fast, put them into a unix
group and add a DenyGroup or AllowGroup to sshd_config
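As an added illustration of the DenyGroups/AllowGroups suggestion (example code, not from the thread or from OpenSSH), the Python below models the order in which sshd applies its allow/deny directives, DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, against constructed passwd/group data. The account and group names are made up, fnmatch stands in for sshd's own '*'/'?' matcher, and the user@host form of AllowUsers/DenyUsers is not modelled. It goes slightly beyond the message by running both a deny-group lock-out and an allow-group allow-list over the same set of users.

```python
"""Model of how sshd decides whether a user may log in at all, given the
DenyUsers / AllowUsers / DenyGroups / AllowGroups directives. sshd checks
them in exactly that order (sshd_config(5)); the first one that says no
wins, and authentication only starts if all four let the user through."""
import fnmatch

# Constructed account data standing in for /etc/passwd and /etc/group;
# none of these names come from the thread.
PRIMARY_GROUP = {"root": "wheel", "alice": "staff", "bob": "staff", "carol": "staff"}
GROUP_MEMBERS = {
    "wheel": {"alice", "bob"},
    "staff": {"carol"},        # alice and bob are in staff via PRIMARY_GROUP
    "nossh": {"bob"},          # the "lock these people out" group
}


def groups_of(user):
    """Primary plus supplementary groups, as sshd's group check sees them."""
    groups = set()
    if user in PRIMARY_GROUP:
        groups.add(PRIMARY_GROUP[user])
    groups.update(g for g, members in GROUP_MEMBERS.items() if user in members)
    return groups


def _match_any(name, patterns):
    # sshd's own matcher knows only '*' and '?'; fnmatchcase additionally
    # accepts [...] classes, which is harmless here (assumption).
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def allowed_user(user, policy, groups_of=groups_of):
    """policy: dict of directive name -> list of patterns, e.g.
    {"DenyGroups": ["nossh"]}. Returns True if sshd would let the user
    past the allow/deny stage (authentication still has to succeed)."""
    if _match_any(user, policy.get("DenyUsers", [])):
        return False
    if policy.get("AllowUsers") and not _match_any(user, policy["AllowUsers"]):
        return False
    groups = groups_of(user)
    if any(_match_any(g, policy.get("DenyGroups", [])) for g in groups):
        return False
    if policy.get("AllowGroups") and not any(
            _match_any(g, policy["AllowGroups"]) for g in groups):
        return False
    return True


# Two ways to handle "an admin left the house":
# lock-out by membership in a deny group (one management act per departure)
LOCKOUT = {"DenyGroups": ["nossh"]}
# or an allow-list, where everybody who should still get in must be a member
ALLOWLIST = {"AllowGroups": ["wheel"]}


def decide(policy, users=("root", "alice", "bob", "carol", "mallory")):
    """Apply one policy to a set of users; returns {user: allowed?}."""
    return {u: allowed_user(u, policy) for u in users}


if __name__ == "__main__":
    for name, pol in (("DenyGroups lock-out", LOCKOUT),
                      ("AllowGroups allow-list", ALLOWLIST)):
        print(name, decide(pol))
```

Two things the run makes visible: with the DenyGroups lock-out, a name that exists in no group at all (mallory) still passes this stage, because only authentication will reject an unknown account; and with the AllowGroups allow-list, carol is refused even though her account is in good standing, which is the "everyone legitimate has to be a member" cost of the allow-list approach.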
From: pekkas at netcore.fi (Pekka Savola)
Date: Mon, 21 May 2001 17:12:44 +0300 (EEST)
Subject: ssh - NO SALE or NO GIVE ?
In-Reply-To: <20010521160405.D438@faui02.informatik.uni-erlangen.de>

On Mon, 21 May 2001, Markus Friedl wrote:
> On Mon, May 21, 2001 at 04:51:22PM +0300, Pekka Savola wrote:
> > There is a significant difference related to _account management_ here;
> > I'm sure you can see it. :-)
>
> i can see what you want. however, i still think that nobody
> should ever login as root. the root account should never be
> used at all. you can use su/sudo if you need privileges.
> you should never use the root account to do any work. just
> kill/start or cp files.

Never say never, is what I say ;-).

I never log on as root on my home systems, private company systems etc.
This is easyish when there are only <5-10 separate systems to use.

The real crux happens when you have, say, _50_ different servers. You
_don't_ want to be managing accounts manually there (and personally, I
don't want to use stuff like NIS for sensitive data like this), and it's
easier to just use root. If using root can be made more controllable
(e.g. the publickey-only option), this is only better. :-)

> it happens much more often that general accounts are added
> than privileged accounts are removed. so you need to update
> the user database on a regular basis anyway.

Except on servers that have only privileged accounts. This is a smaller
problem if account management problem must be solved for the regular
users in the same box too; then, adding/removing users/etc. is probably
not so big a bother.

> if you want to lock out people fast, put them into a unix
> group and add a DenyGroup or AllowGroup to sshd_config

In this scenario, this would require that either all people belong to
that group (and everyone would be shut out) or user would have to be
added to that group, necessitating a management act (one that could be
automatized a little easier than plain adduser/rmuser, though).

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

From mark.pitt at ch.ibm.com Tue May 22 02:30:13 2001
From: mark.pitt at ch.ibm.com (mark.pitt at ch.ibm.com)
Date: Mon, 21 May 2001 18:30:13 +0200
Subject: Local Management via su or ssh ?

ssh could give us:

1/ Centrally managed keys and access
2/ No more user accounts in wheel groups lying around various systems
3/ Standard tracking with logging to a server via syslogd.
4/ Passwords managed centrally via pass phrases instead of passwords on
   every machine.

As far as not using root is concerned, all for it, but I am just trying to
get some sort of control over root now. sudo etc requires a lot more
engineering, and again has to be done on a per system basis.

However, as rlogin=false is respected by ssh, I can't use it as it would
open up telnetd and rlogin once again, and the logging is weak - why can't
we have a simple one liner - I gave access using key x for user y at time
... ? "line 6" sort of messages are not exactly informative.

From mouring at etoh.eviladmin.org Tue May 22 02:59:15 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Mon, 21 May 2001 11:59:15 -0500 (CDT)
Subject: Strange interaction of sftp and protocol version 1
In-Reply-To: <20010521223423.B15515@e-smith.com>

On Mon, 21 May 2001, Gordon Rowell wrote:

> On Mon, May 21, 2001 at 10:27:36PM +1000, Damien Miller wrote:
> > [...]
> > If your goal is to prevent sftp access, then delete or rename the
> > sftp binary.
>
> No such goal, just a surprising result (to me) that allowing protocol
> version 1 enabled sftp regardless of the configuration.
>
> Which raises the issue that the default path to subsystems is
> /usr/libexec, whereas they are installed (under Linux at least) in
> /usr/libexec/openssh
>

I'm not following. Doing:

./configure --prefix=/opt/openssh --with-pam

sftp-server is put into /opt/openssh/libexec/ and sftp client points
there also. If you're upgrading from an older version your sshd_config
may be slightly out of date.

- Ben

From krumholz at maxwell.myip.org Tue May 22 05:10:13 2001
From: krumholz at maxwell.myip.org (Mark Krumholz)
Date: Mon, 21 May 2001 12:10:13 -0700 (PDT)
Subject: Linux X11 forwarding bug

I can't seem to get X11 forwarding to work. Similar problems seem to have
been reported and possibly fixed with earlier versions of openssh, but I
believe I have the latest release: openssh-server-2.9p1-1 for RedHat 6.2.

When I connect with ssh -v, I get:

pac2: Requesting X11 forwarding with authentication spoofing.
pac2: Remote: X11 forwarding disabled in server configuration file.
Warning: Remote host denied X11 forwarding, perhaps xauth program could not be run on the server side.

However, my sshd_config file contains:

X11Forwarding yes
ForwardAgent yes

and I have xauth in the standard location where openssh looks for it:
/usr/X11R6/bin/xauth

Nothing unusual appears in my log files. Any suggestions would be
appreciated. Please respond to my e-mail, since I'm not on the
developers list. Thanks.

-- 
-Mark Krumholz
http://astro.berkeley.edu/~krumholz

From david-bronder at uiowa.edu Tue May 22 06:14:27 2001
From: david-bronder at uiowa.edu (David Bronder)
Date: Mon, 21 May 2001 15:14:27 -0500 (CDT)
Subject: [openssh-unix-dev] Local Management via su or ssh ?
In-Reply-To: from "mark.pitt@ch.ibm.com" at May 21, 2001 06:30:13 PM
Message-ID: <200105212014.f4LKERT53690@fire.its.uiowa.edu>

mark.pitt at ch.ibm.com wrote:
>
> ssh could give us:
>
> 1/ Centrally managed keys and access
> 2/ No more user accounts in wheel groups lying around various systems
> 3/ Standard tracking with logging to a server via syslogd.
> 4/ Passwords managed centrally via pass phrases instead of passwords on
>    every machine.
>
> As far as not using root is concerned, all for it, but I am just trying to
> get some sort of control over root now. sudo etc requires a lot more
> engineering, and again has to be done on a per system basis.

Using per-admin accounts and su or sudo solves the problem in a generic
way, independent of how you manage accounts or how admins connect to your
servers (SSH, OpenSSH, Kerberized telnet, etc.). The audit trail from this
solution is arguably better as well (how much do you trust that the public
key comments you'd be logging are correct?).

Sudo logs to syslog, provides more granularity of control than either su
or your solution, and can have the sudoers file centrally managed and
distributed just as easily as ~root/.ssh/authorized_keys2.

-- 
Hello World.                                David Bronder - Systems Admin
Segmentation Fault                                ITS-SPA, Univ. of Iowa
Core dumped, disk trashed, quota filled, soda warm.   david-bronder at uiowa.edu

From gordonr at e-smith.com Tue May 22 06:56:25 2001
From: gordonr at e-smith.com (Gordon Rowell)
Date: Tue, 22 May 2001 06:56:25 +1000
Subject: Strange interaction of sftp and protocol version 1
In-Reply-To: ; from mouring@etoh.eviladmin.org on Mon, May 21, 2001 at 11:59:15AM -0500
References: <20010521223423.B15515@e-smith.com>
Message-ID: <20010522065625.C15515@e-smith.com>

On Mon, May 21, 2001 at 11:59:15AM -0500, mouring at etoh.eviladmin.org wrote:
>
> On Mon, 21 May 2001, Gordon Rowell wrote:
> > [...]
> > Which raises the issue that the default path to subsystems is
> > /usr/libexec, whereas they are installed (under Linux at least) in
> > /usr/libexec/openssh
> >
>
> I'm not following. Doing:
>
> ./configure --prefix=/opt/openssh --with-pam
>
> sftp-server is put into /opt/openssh/libexec/ and sftp client points
> there also. If you're upgrading from an older version your sshd_config
> may be slightly out of date.

My misunderstanding...

The problem is the explicit pathname for protocol v1 - the client and
server must agree due to the way that sftp-server is run. The client
(non-Linux) expects /usr/libexec/sftp-server, whereas the Linux path is
/usr/libexec/openssh.

I assumed (wrongly) that sshd knew where to find its executables, but now
that the invocation for V1 has been explained, all is clear.

Thanks,

Gordon

-- 
Gordon Rowell gordonr at e-smith.com http://www.e-smith.org (development)
http://www.e-smith.com (corporate)
e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada

From Peter.Losher at nominum.com Tue May 22 08:39:28 2001
From: Peter.Losher at nominum.com (Peter Losher)
Date: Mon, 21 May 2001 15:39:28 -0700 (PDT)
Subject: Problems with Krb5/GSSAPI patches in FBSD 4.3

Hi, I am trying to implement OpenSSH v2.9p1 with the Krb5/GSSAPI patches at:

http://www.sxw.org.uk/computing/patches/openssh-2.9p1-gssapi.patch

On a FreeBSD 4.3-STABLE system (with both the integrated Heimdal libs and
the MIT Krb5 package from ports installed). I patched the src tree,
reconfigured, recompiled, installed, and it works - except for Krb5
passwords or Krb5 tickets. And I really can't tell if the patches are even
working or if it contacts the KDC (no error message shows up on console or
in /var/log/messages) It just rejects my Krb5 password.

Per the patch, I do have this in my sshd_config:

GssapiAuthentication yes
GssapiKeyExchange yes

Does anyone have any ideas of how I can debug this?

Thanks!

- Peter Losher

-- 
Peter.Losher at nominum.com - [ Systems Admin. | Nominum, Inc. ]

From sxw at sxw.org.uk Tue May 22 08:54:21 2001
From: sxw at sxw.org.uk (Simon Wilkinson)
Date: Mon, 21 May 2001 23:54:21 +0100
Subject: Problems with Krb5/GSSAPI patches in FBSD 4.3
Message-ID: <01052123542101.07595@loki.dcs.ed.ac.uk>

On Monday 21 May 2001 23:39, Peter Losher wrote:
> On a FreeBSD 4.3-STABLE system (with both the integrated Heimdal libs and
> the MIT Krb5 package from ports installed). I patched the src tree,
> reconfigured, recompiled, installed, and it works - except for Krb5
> passwords or Krb5 tickets. And I really can't tell if the patches are even
> working or if it contacts the KDC (no error message shows up on console or
> in /var/log/messages) It just rejects my Krb5 password.

The protocol 2 GSSAPI patch doesn't do password authentication - just
credentials authentication. If you're wanting to verify Kerberos passwords
on the server, I'd recommend looking at a different solution.

However, if you are wanting to do credentials based authentication (where
you kinit on the client before connecting to the server), you might want
to try the following:

Things to check:

1) On the client side - does your credentials cache contain a valid
   credential
2) On the server side - does the default keytab (usually /etc/krb5.keytab)
   contain a correct host principal - usually host/
3) Are you using protocol version 2 (2.9p1 should default to this - but
   you should force it for testing using -2 on the command line)

If it's still not working, please mail me a debug trace from both the
client and the server (use ssh -v and sshd -d), including the arguments
you started them with. Please let me know how you get on!

Thanks,

Simon.

-- 
Simon Wilkinson http://www.sxw.org.uk
"When all you have is an axe, every problem looks like fun"

From Peter.Losher at nominum.com Tue May 22 10:03:42 2001
From: Peter.Losher at nominum.com (Peter Losher)
Date: Mon, 21 May 2001 17:03:42 -0700 (PDT)
Subject: Problems with Krb5/GSSAPI patches in FBSD 4.3
In-Reply-To: <01052123542101.07595@loki.dcs.ed.ac.uk>

On Mon, 21 May 2001, Simon Wilkinson wrote:

> The protocol 2 GSSAPI patch doesn't do password authentication - just
> credentials authentication. If you're wanting to verify Kerberos passwords on
> the server, I'd recommend looking at a different solution.

Is there one that does BOTH? We use both Krb5 authentication methods for
different uses here, so a solution that handles both would be perfect.

> Things to check:
> 1) On the client side - does your credentials cache contain a valid credential

Yes...

> 2) On the server side - does the default keytab (usually /etc/krb5.keytab)
> contain a correct host principal - usually host/

Yes, I can kinit, ksu, kadmin on this box just fine.

> 3) Are you using protocol version 2 (2.9p1 should default to this - but you
> should force it for testing using -2 on the command line)

Yes, RSA/DSA keys work fine, but not Krb5 tickets.

> If it's still not working, please mail me a debug trace from both the client
> and the server (use ssh -v and sshd -d), including the arguments you started
> them with. Please let me know how you get on!

Question, do you know if this patch worked with ssh.com SSH2 clients, or
just with OpenSSH clients? As soon as I know which client to use, I'll
send the traces over... :)

-Peter

-- 
Peter.Losher at nominum.com - [ Systems Admin. | Nominum, Inc. ]

From mark.pitt at ch.ibm.com Tue May 22 16:52:29 2001
From: mark.pitt at ch.ibm.com (mark.pitt at ch.ibm.com)
Date: Tue, 22 May 2001 08:52:29 +0200
Subject: ssh looks at rlogin=false only at startup

Very early on in what seems to be quite a hot debate sometimes, I pointed
out that sshd only controls rlogin=false at its startup, and if it is
changed, sshd simply ignores it ie:

chuser rlogin=true root
sshd
chuser rlogin=false root

Will result in sshd ACCEPTING login from root, ie it seems to only check
at its startup - is this a bit like ulimit behavior where you need to log
out and in to get it to accept the new ulimit ?

The other way around works too. I could use this to start sshd up with
rlogin=true, ie ssh allows access for root, then set it to false to stop
access via telnetd and rlogind.

Question: Is this behaviour reliable ? It does seem to me not correct
that it only checks rlogin on its startup, but that said, in this case I
can use it if it is a lasting feature.

Mark.

From djm at mindrot.org Tue May 22 16:57:34 2001
From: djm at mindrot.org (Damien Miller)
Date: Tue, 22 May 2001 16:57:34 +1000 (EST)
Subject: ssh looks at rlogin=false only at startup

On Tue, 22 May 2001 mark.pitt at ch.ibm.com wrote:

> Very early on in what seems to be quite a hot debate sometimes, I pointed
> out that sshd only controls rlogin=false at its startup, and if it is
> changed, sshd simply ignores it

Portable OpenSSH uses whatever the AIX function loginrestrictions()
returns. So the behaviour shouldn't differ from rlogin.

-d

-- 
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From sxw at sxw.org.uk Tue May 22 20:44:33 2001
From: sxw at sxw.org.uk (Simon Wilkinson)
Date: Tue, 22 May 2001 11:44:33 +0100
Subject: Problems with Krb5/GSSAPI patches in FBSD 4.3
Message-ID: <01052211443302.07595@loki.dcs.ed.ac.uk>

On Tuesday 22 May 2001 01:03, Peter Losher wrote:
> On Mon, 21 May 2001, Simon Wilkinson wrote:
> > The protocol 2 GSSAPI patch doesn't do password authentication - just
> > credentials authentication. If you're wanting to verify Kerberos
> > passwords on the server, I'd recommend looking at a different solution.
>
> Is there one that does BOTH? We use both Krb5 authentication methods for
> different uses here, so a solution that handles both would be perfect.

Not currently - We use PAM locally, and use the pam_krb5 module for
password authentication. The protocol version 1 patches do contain
support for password authentication, but I haven't updated these to
2.9p1 yet.

> Question, do you know if this patch worked with ssh.com SSH2 clients, or
> just with OpenSSH clients? As soon as I know which client to use, I'll
> send the traces over... :)

The patch only works with those clients that provide a GSSAPI keyexchange
or user authentication method. I believe that the ssh.com SSH2 clients
use their own, unpublished, methods for Kerberos authentication - so they
won't interoperate.

Cheers,

Simon.

-- 
Simon Wilkinson http://www.sxw.org.uk
"A key to the understanding of all religion is that a god's idea of
amusement is Snakes and Ladders with greased rungs." - Terry Pratchett

From vinschen at redhat.com Tue May 22 22:00:20 2001
From: vinschen at redhat.com (Corinna Vinschen) Date: Tue, 22 May 2001 14:00:20 +0200 Subject: [PATCH]: configure.in: Missing check for setvbuf Message-ID: <20010522140020.A23671@cygbert.vinschen.de> Hi, in configure.in the patch for `setvbuf' is missing while in sftp-int.c the HAVE_SETVBUF define is used: Index: configure.in =================================================================== RCS file: /cvs/openssh_cvs/configure.in,v retrieving revision 1.286 diff -u -p -r1.286 configure.in --- configure.in 2001/05/17 03:32:51 1.286 +++ configure.in 2001/05/22 11:59:54 
@@ -460,7 +460,7 @@ AC_ARG_WITH(tcp-wrappers, ) dnl Checks for library functions. -AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_sa clock fchown fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getgrouplist getnameinfo getrlimit getrusage getttyent getusershell glob inet_aton inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setdtablesize setenv setegid seteuid setlogin setproctitle setresgid setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strmode strsep strtok_r sysconf tcgetpgrp utimes vsnprintf vhangup vis waitpid _getpty __b64_ntop) +AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_sa clock fchown fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getgrouplist getnameinfo getrlimit getrusage getttyent getusershell glob inet_aton inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setdtablesize setenv setegid seteuid setlogin setproctitle setresgid setreuid setrlimit setsid setvbuf sigaction sigvec snprintf strerror strlcat strlcpy strmode strsep strtok_r sysconf tcgetpgrp utimes vsnprintf vhangup vis waitpid _getpty __b64_ntop) dnl Checks for time functions AC_CHECK_FUNCS(gettimeofday time) dnl Checks for libutil functions Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From stevesk at pobox.com Wed May 23 01:35:04 2001 
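Review bot: adding `setvbuf` to AC_CHECK_FUNCS does make the `HAVE_SETVBUF` guard in sftp-int.c resolvable, but setvbuf() is part of ISO C (stdio.h) and will be found on every platform OpenSSH builds for, so the guard can never be false in practice; the cleaner fix is to drop the `#ifdef HAVE_SETVBUF` in sftp-int.c and call setvbuf() unconditionally, unless a platform without it is actually known, in which case the patch description should name it. Also, the AC_CHECK_FUNCS list is now one very long line; when it is next touched, splitting it one function per line would make a diff like this one reviewable at a glance.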
From: stevesk at pobox.com (Kevin Steves)
Date: Tue, 22 May 2001 17:35:04 +0200 (CEST)
Subject: Problems with Krb5/GSSAPI patches in FBSD 4.3
In-Reply-To: <01052211443302.07595@loki.dcs.ed.ac.uk>

On Tue, 22 May 2001, Simon Wilkinson wrote:
: > Question, do you know if this patch worked with ssh.com SSH2 clients, or
: > just with OpenSSH clients? As soon as I know which client to use, I'll
: > send the traces over... :)
:
: The patch only works with those clients that provide a GSSAPI keyexchange
: or user authentication method. I believe that the ssh.com SSH2 clients use
: their own, unpublished, methods for Kerberos authentication - so they won't
: interoperate.

i know little about kerberos, but i did notice this recently:

http://www.FreeBSD.org/cgi/cvsweb.cgi/src/crypto/openssh/auth-krb5.c

Revision 1.7 Sun Mar 4 02:22:03 2001 UTC (2 months, 2 weeks ago) by assar

Add code for being compatible with ssh.com's krb5 authentication. It is
done by using the same ssh messages for v4 and v5 authentication (since
the ssh.com does not know anything about v4) and looking at the contents
after unpacking it to see if it is v4 or v5.

Based on code from Björn Grönvall

PR: misc/20504

From david-bronder at uiowa.edu Wed May 23 01:58:22 2001
From: david-bronder at uiowa.edu (David Bronder)
Date: Tue, 22 May 2001 10:58:22 -0500 (CDT)
Subject: [openssh-unix-dev] Re: ssh looks at rlogin=false only at startup
In-Reply-To: from "Damien Miller" at May 22, 2001 04:57:34 PM
Message-ID: <200105221558.f4MFwMh38082@fire.its.uiowa.edu>

Damien Miller wrote:
>
> On Tue, 22 May 2001 mark.pitt at ch.ibm.com wrote:
>
> > Very early on in what seems to be quite a hot debate sometimes, I pointed
> > out that sshd only controls rlogin=false at its startup, and if it is
> > changed, sshd simply ignores it
>
> Portable OpenSSH uses whatever the AIX function loginrestrictions() returns.
> So the behaviour shouldn't differ from rlogin.

With OpenSSH 2.9p1 on AIX 4.3.3 ML6, changing the rlogin attribute for
both root and a non-root user from true to false and then back to true
was correctly handled (with each setting) without restarting the sshd
process.

=Dave

-- 
Hello World.                                David Bronder - Systems Admin
Segmentation Fault                                ITS-SPA, Univ. of Iowa
Core dumped, disk trashed, quota filled, soda warm.   david-bronder at uiowa.edu

From vinschen at redhat.com Wed May 23 19:45:32 2001
From: vinschen at redhat.com (Corinna Vinschen) Date: Wed, 23 May 2001 11:45:32 +0200 Subject: [PATCH]: Drop the use of `check_nt_auth'. Message-ID: <20010523114532.R10118@cygbert.vinschen.de> Hi, the following patch removes some of the Cygwin specific code from OpenSSH. Since Cygwin is able to change the user context on NT/W2K even without a password since the new Cygwin version 1.3.2, there's no need anymore to allow changing the user context only if the sshd user is the same user as the one which logs in or when a password is given. For that reason the whole function `check_nt_auth' and all code which uses it, is completey dropped in the following patch. Index: auth1.c =================================================================== RCS file: /cvs/openssh_cvs/auth1.c,v retrieving revision 1.40 diff -u -p -r1.40 auth1.c --- auth1.c 2001/03/24 00:37:59 1.40 +++ auth1.c 2001/05/23 09:40:49 @@ -313,14 +313,7 @@ do_authloop(Authctxt *authctxt) fatal("INTERNAL ERROR: authenticated invalid user %s", authctxt->user); -#ifdef HAVE_CYGWIN - if (authenticated && - !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,pw->pw_uid)) { - packet_disconnect("Authentication rejected for uid %d.", - (int)pw->pw_uid); - authenticated = 0; - } -#else +#ifndef HAVE_CYGWIN /* Special handling for root */ if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed(get_authname(type))) Index: auth2.c =================================================================== RCS file: /cvs/openssh_cvs/auth2.c,v retrieving revision 1.59 diff -u -p -r1.59 auth2.c --- auth2.c 2001/04/25 12:44:15 1.59 +++ auth2.c 2001/05/23 09:40:49 @@ -354,10 +354,6 @@ userauth_none(Authctxt *authctxt) if (authctxt->valid == 0) return(0); -#ifdef HAVE_CYGWIN - if (check_nt_auth(1, authctxt->pw->pw_uid) == 0) - return(0); -#endif #ifdef USE_PAM return auth_pam_password(authctxt->pw, ""); #elif defined(HAVE_OSF_SIA) 
@@ -380,9 +376,6 @@ userauth_passwd(Authctxt *authctxt) password = packet_get_string(&len); packet_done(); if (authctxt->valid && -#ifdef HAVE_CYGWIN - check_nt_auth(1, authctxt->pw->pw_uid) && -#endif #ifdef USE_PAM auth_pam_password(authctxt->pw, password) == 1) #elif defined(HAVE_OSF_SIA) @@ -418,10 +411,6 @@ userauth_kbdint(Authctxt *authctxt) #endif xfree(lang); xfree(devs); -#ifdef HAVE_CYGWIN - if (check_nt_auth(0, authctxt->pw->pw_uid) == 0) - return(0); -#endif return authenticated; } @@ -524,10 +513,6 @@ userauth_pubkey(Authctxt *authctxt) debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg); xfree(pkalg); xfree(pkblob); -#ifdef HAVE_CYGWIN - if (check_nt_auth(0, authctxt->pw->pw_uid) == 0) - return(0); -#endif return authenticated; } Index: openbsd-compat/bsd-cygwin_util.c =================================================================== RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-cygwin_util.c,v retrieving revision 1.4 diff -u -p -r1.4 bsd-cygwin_util.c --- openbsd-compat/bsd-cygwin_util.c 2001/04/13 14:28:42 1.4 +++ openbsd-compat/bsd-cygwin_util.c 2001/05/23 09:40:50 
@@ -54,22 +54,6 @@ int binary_pipe(int fd[2]) return ret; } -int check_nt_auth(int pwd_authenticated, uid_t uid) -{ - /* - * The only authentication which is able to change the user - * context on NT systems is the password authentication. So - * we deny all requsts for changing the user context if another - * authentication method is used. - * This may change in future when a special openssh - * subauthentication package is available. - */ - if (is_winnt && !pwd_authenticated && geteuid() != uid) - return 0; - - return 1; -} - int check_ntsec(const char *filename) { char *cygwin; Index: openbsd-compat/bsd-cygwin_util.h =================================================================== RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-cygwin_util.h,v retrieving revision 1.4 diff -u -p -r1.4 bsd-cygwin_util.h --- openbsd-compat/bsd-cygwin_util.h 2001/04/13 14:28:43 1.4 +++ openbsd-compat/bsd-cygwin_util.h 2001/05/23 09:40:50 @@ -24,7 +24,6 @@ int binary_open(const char *filename, int flags, ...); int binary_pipe(int fd[2]); -int check_nt_auth(int pwd_authenticated, uid_t uid); int check_ntsec(const char *filename); #define open binary_open Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From djm at mindrot.org Wed May 23 21:29:43 2001 
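Review bot: the auth1.c hunk replaces `#ifdef HAVE_CYGWIN ... #else` with `#ifndef HAVE_CYGWIN`, so a Cygwin build still skips the `auth_root_allowed()` check for `pw_uid == 0` that follows it; if that is deliberate (no meaningful uid 0 on NT), a comment at the `#ifndef` would stop the next reader from taking it for an oversight, because PermitRootLogin is otherwise not enforced there. The same hunk drops the only runtime gate without adding any Cygwin version check, so on a Cygwin release older than 1.3.2 a non-password login passes this point and the outcome depends on whatever the later user-context switch does; a build-time or runtime test for 1.3.2 would make the new requirement explicit.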
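Review bot: the bsd-cygwin_util.c hunk deletes `check_nt_auth()` together with the comment that recorded why it existed (only password authentication could switch the user context), and the bsd-cygwin_util.h hunk drops the prototype; keep a one-line note in bsd-cygwin_util.c that the code now assumes Cygwin 1.3.2 or later, and check whether `is_winnt`, which this patch shows referenced only in the removed body, is still used anywhere else.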
From: djm at mindrot.org (Damien Miller)
Date: Wed, 23 May 2001 21:29:43 +1000 (EST)
Subject: [PATCH]: Drop the use of `check_nt_auth'.
In-Reply-To: <20010523114532.R10118@cygbert.vinschen.de>
Message-ID:

On Wed, 23 May 2001, Corinna Vinschen wrote:

> Hi,
>
> the following patch removes some of the Cygwin specific code from
> OpenSSH.
>
> Since Cygwin is able to change the user context on NT/W2K even without
> a password since the new Cygwin version 1.3.2, there's no need anymore
> to allow changing the user context only if the sshd user is the same
> user as the one which logs in or when a password is given.
>
> For that reason the whole function `check_nt_auth' and all code which
> uses it, is completely dropped in the following patch.

Could you add a configure test to ensure that the support for this
extension is available in the version of Cygwin that the user is
compiling against?

-d

-- 
| Damien Miller \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer

From vinschen at redhat.com Thu May 24 00:16:48 2001
From: vinschen at redhat.com (Corinna Vinschen)
Date: Wed, 23 May 2001 16:16:48 +0200
Subject: [PATCH]: Drop the use of `check_nt_auth'.
In-Reply-To: ; from djm@mindrot.org on Wed, May 23, 2001 at 09:29:43PM +1000
References: <20010523114532.R10118@cygbert.vinschen.de>
Message-ID: <20010523161648.S10118@cygbert.vinschen.de>

On Wed, May 23, 2001 at 09:29:43PM +1000, Damien Miller wrote:
> On Wed, 23 May 2001, Corinna Vinschen wrote:
>
> > Hi,
> >
> > the following patch removes some of the Cygwin specific code from
> > OpenSSH.
> >
> > Since Cygwin is able to change the user context on NT/W2K even without
> > a password since the new Cygwin version 1.3.2, there's no need anymore
> > to allow changing the user context only if the sshd user is the same
> > user as the one which logs in or when a password is given.
> >
> > For that reason the whole function `check_nt_auth' and all code which
> > uses it, is completely dropped in the following patch.
>
> Could you add a configure test to ensure that the support for this
> extension is available in the version of Cygwin that the user is
> compiling against?

Hmm, yes, but... would it be better to leave the check_nt_auth
functionality in but additionally check for the Cygwin version in the
function to return an appropriate value (Cygwin >= 1.3.2 ==> return TRUE),
perhaps?

Corinna

-- 
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From tig at kenosha.org Thu May 24 02:00:47 2001
From: tig at kenosha.org (Tig Kerkman)
Date: Wed, 23 May 2001 11:00:47 -0500
Subject: OpenSSH Clients for Embedded Linux
Message-ID: <3B0BDEAF.FFF35A11@kenosha.org>

I am currently building my first Embedded Linux project, and would like to
incorporate OpenSSH into the Thin Client. My question is: what files and
libs do I need to make the Thin Client, based on RH6.2, do ssh connections
to an ssh server?

Of course I will compile all the OpenSSH modules on a production RH6.2
server, then take only what I need down to the embedded Thin Client.

Thanks in advance.

From jrippas at mizuhocap.com Thu May 24 05:09:17 2001
From: jrippas at mizuhocap.com (James Rippas)
Date: Wed, 23 May 2001 15:09:17 -0400
Subject: hosts.equiv (fwd)
References: <20010322133737.B22275@faui02.informatik.uni-erlangen.de>
Message-ID: <3B0C0ADD.7E70D191@mizuhocap.com>

Hi,

I'm trying to use it with HostbasedAuth in 2.9p1 and it appears to be
broken. I am able to connect using HostbasedAuth and rhost/shosts but when
I change IgnoreRhosts to yes I'm unable to connect using /etc/shosts.equiv.
Both hosts are Solaris 8.

HostKey /etc/ssh_host_key
HostKey /etc/ssh_host_dsa_key
HostKey /etc/ssh_host_rsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin without-password
StrictModes yes
IgnoreRhosts yes
IgnoreUserKnownHosts no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
KeepAlive yes
SyslogFacility AUTH
LogLevel INFO
HostbasedAuthentication yes
RhostsRSAAuthentication yes
RhostsAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no

ssh -v keymaster ls
OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug1: Reading configuration data //.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: Seeding random number generator
debug1: restore_uid
debug1: ssh_connect: getuid 0 geteuid 0 anon 0
debug1: Connecting to keymaster [192.168.60.28] port 22.
debug1: Allocated local port 697.
debug1: temporarily_use_uid: 0/1 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file //.ssh/identity type -1
debug1: identity file //.ssh/id_rsa type -1
debug1: identity file //.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p1
debug1: match: OpenSSH_2.9p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 136/256
debug1: bits set: 985/2049
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'keymaster' is known and matches the RSA host key.
debug1: Found key in /etc/ssh_known_hosts2:1
debug1: bits set: 1026/2049
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: next auth method to try is publickey
debug1: try privkey: //.ssh/identity
debug1: try privkey: //.ssh/id_rsa
debug1: try privkey: //.ssh/id_dsa
debug1: next auth method to try is hostbased
debug1: sig size 20 20
debug1: Remote: Server has been configured to ignore .shosts.
debug1: Remote: Server has been configured to ignore .rhosts.
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: Remote: Server has been configured to ignore .shosts.
debug1: Remote: Server has been configured to ignore .rhosts.
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: no more auth methods to try
Permission denied (publickey,password,keyboard-interactive,hostbased).
debug1: Calling cleanup 0x4912c(0x0)

Markus Friedl wrote:
>
> is anyone using rhost-rsa + hosts.equiv? is it broken?

---------------------------------------------------------
This e-mail contains information some or all of which may be confidential,
proprietary and/or legally privileged. If an addressing or transmission
error has misdirected this e-mail, please notify the sender by replying to
this e-mail. If you are not the intended recipient you must not use,
disclose, distribute, copy, print or rely on this e-mail.
---------------------------------------------------------

From dprevett at vandyke.com Thu May 24 05:17:54 2001
From: dprevett at vandyke.com (Daniel Prevett)
Date: Wed, 23 May 2001 13:17:54 -0600
Subject: OpenSSH 2.9p1 improperly caches username
Message-ID: <00ad01c0e3bd$13470740$0400a8c0@cobra>

Hi guys,

OpenSSH 2.9p1 using SSH2 currently caches the username sent in the
USERAUTH_REQUEST [none] packet. This does not allow you to change the
username in a later authentication packet.

From SSH Authentication Protocol, section 2.1:

"The user name and service are repeated in every new authentication
attempt, and MAY change. The server implementation MUST carefully check
them in every message, and MUST flush any accumulated authentication
states if they change. If it is unable to flush some authentication
state, it MUST disconnect if the user or service name changes."

This behavior has been reported by users of SecureCRT attempting to change
their username during the SSH2 authentication process.

If you need any more information, please let me know.

-Daniel Prevett
Van Dyke Technologies Support
support at vandyke.com
http://www.vandyke.com

From ecashin at terry.uga.edu Thu May 24 05:42:15 2001
From: ecashin at terry.uga.edu (Ed L Cashin)
Date: 23 May 2001 15:42:15 -0400
Subject: ignoring SIGPIPE causing problems in pipes
In-Reply-To:
References:
Message-ID:

Ed L Cashin writes:

[ssh ignores SIGPIPE in a pipe situation]

Hi. Did I post to the wrong list? The openssh ssh client from version
2.9p1 is ignoring the PIPE signal when it shouldn't be, namely when it's
piping output to a utility like restore.

Commenting out a line in clientloop.c fixes it.

What is the status of this bug, and is there a better forum for
discussing it?

-- 
--Ed Cashin
PGP public key: ecashin at terry.uga.edu
http://www.terry.uga.edu/~ecashin/pgp/

From jmknoble at jmknoble.cx Thu May 24 06:07:28 2001
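The check that Daniel's report says 2.9p1 lacks, as an added C example that is not OpenSSH code: a per-connection context that re-reads user and service from every USERAUTH_REQUEST and flushes accumulated state when they change, disconnecting when it cannot. The struct fields, the `unflushable` flag, the failure limit and the `method_ok` argument are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>

/*
 * Per-connection authentication context.  The names come from the most
 * recent USERAUTH_REQUEST, not from the first "none" request, and the
 * accumulated fields belong to those names only.
 */
struct authctxt {
	char *user;		/* user named in the latest request */
	char *service;		/* service named in the latest request */
	int failures;		/* accumulated: failed attempts for these names */
	int partial_success;	/* accumulated: first half of a two-step method */
	int unflushable;	/* set by a method whose state cannot be undone */
};

enum names_result {
	NAMES_SET,		/* first request: names recorded */
	NAMES_UNCHANGED,	/* same user and service as before */
	NAMES_CHANGED,		/* names changed; accumulated state flushed */
	NAMES_DISCONNECT	/* names changed but state cannot be flushed */
};

#define MAX_AUTH_FAILURES 6	/* constructed limit for this example */
enum { AUTH_CLOSE = -1, AUTH_FAILURE = 0, AUTH_SUCCESS = 1 };

static char *dup_string(const char *s)
{
	size_t len = strlen(s) + 1;
	char *p = malloc(len);

	if (p == NULL)
		abort();
	return memcpy(p, s, len);
}

/* Drop everything earlier attempts accumulated for the previous names. */
void authctxt_flush(struct authctxt *a)
{
	a->failures = 0;
	a->partial_success = 0;
}

void authctxt_free(struct authctxt *a)
{
	free(a->user);
	free(a->service);
	a->user = a->service = NULL;
}

/*
 * Record the user and service carried by a USERAUTH_REQUEST.  Must run
 * for every request, before the method is looked at.
 */
enum names_result
authctxt_update(struct authctxt *a, const char *user, const char *service)
{
	if (a->user != NULL && strcmp(a->user, user) == 0 &&
	    strcmp(a->service, service) == 0)
		return NAMES_UNCHANGED;
	if (a->user == NULL) {
		a->user = dup_string(user);
		a->service = dup_string(service);
		return NAMES_SET;
	}
	if (a->unflushable)	/* state cannot be discarded: must disconnect */
		return NAMES_DISCONNECT;
	authctxt_flush(a);
	free(a->user);
	free(a->service);
	a->user = dup_string(user);
	a->service = dup_string(service);
	return NAMES_CHANGED;
}

/*
 * Handle one USERAUTH_REQUEST.  method_ok is the outcome of running the
 * named method for a->user (the methods themselves are out of scope).
 */
int handle_userauth_request(struct authctxt *a, const char *user,
    const char *service, const char *method, int method_ok)
{
	if (authctxt_update(a, user, service) == NAMES_DISCONNECT)
		return AUTH_CLOSE;
	if (strcmp(method, "none") == 0)	/* only probes the method list */
		return AUTH_FAILURE;
	if (method_ok)
		return AUTH_SUCCESS;
	if (++a->failures >= MAX_AUTH_FAILURES)
		return AUTH_CLOSE;
	return AUTH_FAILURE;
}
```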
From: jmknoble at jmknoble.cx (Jim Knoble)
Date: Wed, 23 May 2001 15:07:28 -0500
Subject: scp: Problem when source and destination are identical
In-Reply-To: ; from jason@shalott.net on Fri, May 18, 2001 at 03:07:34PM -0700
References:
Message-ID: <20010523150728.E14978@zax.half.pint-stowp.cx>

Circa 2001-May-18 15:07:34 -0700 dixit Jason Stone:

: > It would be interesting to know how rcp is able to handle this...
:
: ssh.com's scp also successfully copies a file on top of itself. OpenSSH
: opens the destination file O_TRUNC, while rcp and ssh.com scp don't.
:
: In my opinion, opening the file O_TRUNC is the right thing to do because
: in the usual case (scp from one system to another), you expect the
: destination file to be truncated to 0 length before you start - you don't
: want to start copying a new file over an old one and then end up with a
: weird combination of both should the scp die in the middle....

But if you use O_TRUNC, then you get an incomplete file if scp dies in
the middle, and you lose the old one.

What i would much rather see is for the destination scp to write the
incoming file to a temporary file in the same directory, and then
rename() it to the destination file on a successful copy.

For:      Avoids problems with files copied onto themselves.
          Avoids incomplete copies.
          Atomic replacement of existing destination files.

Against:  Requires enough space available on the destination filesystem
          to hold both the old and the new copy of each file; this could
          be a drawback for large files.

-- 
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)

From gert at greenie.muc.de Thu May 24 07:23:52 2001
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 23 May 2001 23:23:52 +0200
Subject: scp: Problem when source and destination are identical
In-Reply-To: <20010523150728.E14978@zax.half.pint-stowp.cx>; from Jim Knoble on Wed, May 23, 2001 at 03:07:28PM -0500
References: <20010523150728.E14978@zax.half.pint-stowp.cx>
Message-ID: <20010523232352.B22175@greenie.muc.de>

Hi,

On Wed, May 23, 2001 at 03:07:28PM -0500, Jim Knoble wrote:
> What i would much rather see is for the destination scp to write the
> incoming file to a temporary file in the same directory, and then
> rename() it to the destination file on a successful copy.

Strongly seconded. But Markus doesn't seem to like it, for no other
reason than "you can use tar/mv/rsync to do this".

> Against:  Requires enough space available on the destination filesystem
>           to hold both the old and the new copy of each file; this could
>           be a drawback for large files.

Which is a good argument for having a switch to control this.

gert

-- 
USENET is *not* the non-clickable part of WWW!      //www.muc.de/~gert/
Gert Doering - Munich, Germany                      gert at greenie.muc.de
fax: +49-89-35655025                gert.doering at physik.tu-muenchen.de

From phiggins at transzap.com Thu May 24 10:25:00 2001
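Jim's temporary-file-plus-rename() scheme, as an added C example that is not OpenSSH's scp (nor rcp's or ssh.com's) code: the data go to a mkstemp() file in the destination directory and are renamed into place only after a successful fsync(), so a file copied onto itself survives and an interrupted copy leaves the old destination intact. The `max_bytes` argument, which simulates the copy dying part-way, and the two whole-file helpers are assumptions for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Copy src to dst through a temporary file in dst's directory that is
 * rename()d over dst only once it is complete and on disk.  The source is
 * never truncated, so a file can be copied onto itself, and a transfer that
 * dies part-way leaves the old dst untouched.  max_bytes < 0 copies all; a
 * value >= 0 simulates the copy dying after that many bytes (demo only).
 */
int copy_file_atomic(const char *src, const char *dst, long max_bytes)
{
	char tmpl[PATH_MAX], buf[8192];
	struct stat st;
	const char *slash = strrchr(dst, '/');
	ssize_t n, off, w;
	long copied = 0;
	int in, out = -1, created = 0, len, saved;

	if ((in = open(src, O_RDONLY)) == -1)
		return -1;
	if (fstat(in, &st) == -1)
		goto fail;
	/* Same directory as dst, so the final rename() stays on one filesystem. */
	if (slash == NULL)
		len = snprintf(tmpl, sizeof(tmpl), ".%s.XXXXXX", dst);
	else
		len = snprintf(tmpl, sizeof(tmpl), "%.*s/.%s.XXXXXX",
		    (int)(slash - dst), dst, slash + 1);
	if (len < 0 || (size_t)len >= sizeof(tmpl)) {
		errno = ENAMETOOLONG;
		goto fail;
	}
	if ((out = mkstemp(tmpl)) == -1)
		goto fail;
	created = 1;
	while ((n = read(in, buf, sizeof(buf))) > 0) {
		if (max_bytes >= 0 && copied + n > max_bytes) {
			errno = EINTR;		/* simulated mid-copy death */
			goto fail;
		}
		for (off = 0; off < n; off += w)
			if ((w = write(out, buf + off, n - off)) == -1)
				goto fail;
		copied += n;
	}
	if (n == -1)
		goto fail;
	/* Mode and data must be final before the new name becomes visible. */
	if (fchmod(out, st.st_mode & 07777) == -1 || fsync(out) == -1)
		goto fail;
	saved = close(out);
	out = -1;
	if (saved == -1 || rename(tmpl, dst) == -1)
		goto fail;
	close(in);
	return 0;
fail:
	saved = errno;
	if (out != -1)
		close(out);
	close(in);
	if (created)
		unlink(tmpl);		/* never leave the partial file behind */
	errno = saved;
	return -1;
}

/* Whole-file helpers used only to set up and inspect the demonstration. */
int write_whole(const char *path, const char *data, size_t len)
{
	int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
	ssize_t w;
	if (fd == -1)
		return -1;
	w = write(fd, data, len);
	return (close(fd) == 0 && w >= 0 && (size_t)w == len) ? 0 : -1;
}

long read_whole(const char *path, char *buf, size_t buflen)
{
	int fd = open(path, O_RDONLY);
	ssize_t n = 0, total = 0;

	if (fd == -1)
		return -1;
	while ((size_t)total < buflen &&
	    (n = read(fd, buf + total, buflen - total)) > 0)
		total += n;
	close(fd);
	return n < 0 ? -1 : (long)total;
}
```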
From: phiggins at transzap.com (Patrick Higgins)
Date: 23 May 2001 18:25:00 -0600
Subject: chroot sftp-server [PATCH]
Message-ID: <990663900.25940.7.camel@phiggins.transzap.com>

I'm working on setting up a semi-trusted sftp service, and to get it
working, I need chroot capability. I've taken the /./ wuftpd magic token
code from contrib/chroot.diff and put it into the sftp server.

The main problem is that privileges have been dropped by the time the
subsystem is exec'ed, so my patch requires that sftp-server be setuid
root. Not ideal, I know, but I drop all privileges immediately after
chroot'ing.

There's probably a better way to find out what the home directory should
be, but I'm currently just using $HOME (only chrooting if it contains
/./, though). I can't use getpwuid(getuid()) because I'm mapping several
users (with different $HOME's) to a single uid. Any ideas?

I've attached my patch. Hopefully it's useful to someone else.

Have you given more thought to how you'd ultimately like this to work,
Markus?

-Patrick Higgins

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: sftp-chroot.diff
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010523/fb1859c5/attachment.ksh

From mouring at etoh.eviladmin.org Thu May 24 11:01:24 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 23 May 2001 20:01:24 -0500 (CDT) Subject: chroot sftp-server [PATCH] In-Reply-To: <990663900.25940.7.camel@phiggins.transzap.com> Message-ID: On 23 May 2001, Patrick Higgins wrote: > I'm working on setting up a semi-trusted sftp service, and to get it > working, I need chroot capability. > Actually I was looking at it from a different point of view. Instead of requiring setuid sftp-sever and the use of chroot(). Carefully crafted realpath() usage and strncmp() should do the same thing. This is a VERY VERY limited test. (As in.. compiles.. and looks like it works.=) I know it can be cleaned up.. but it's where I left off in my testing. Markus, is there anything else I should worry about using this method? - Ben --- ../cvs/OpenSSH/src/usr.bin/ssh/sftp-server.c Thu Apr 5 05:42:53 2001 +++ sftp-server.c Wed May 23 19:54:06 2001 @@ -357,6 +357,33 @@ /* parse incoming */ +char *jailpath; + +char* +getpath(u_int32_t id) +{ + char resolvedpath[MAXPATHLEN]; + char *path; + + path = get_string(NULL); + + if (realpath(path, resolvedpath) == NULL) { + send_status(id, errno_to_portable(errno)); + xfree(path); + return(NULL); + } + xfree(path); + + if (jailpath) { + if (strncmp(resolvedpath, jailpath, strlen(jailpath))) { + send_status(id,SSH2_FX_PERMISSION_DENIED); + return(NULL); + } + } + + return(xstrdup(resolvedpath)); +} + void process_init(void) { @@ -380,7 +407,10 @@ int handle, fd, flags, mode, status = SSH2_FX_FAILURE; id = get_int(); - name = get_string(NULL); + name = getpath(id); + if (name == NULL) + return; + pflags = get_int(); /* portable flags */ a = get_attrib(); flags = flags_from_portable(pflags); @@ -505,7 +535,10 @@ int ret, status = SSH2_FX_FAILURE; id = get_int(); - name = get_string(NULL); + name = getpath(id); + if (name == NULL) + return; + TRACE("%sstat id %d name %s", do_lstat ? "l" : "", id, name); ret = do_lstat ? lstat(name, &st) : stat(name, &st); if (ret < 0) { 
@@ -580,7 +613,10 @@ int status = SSH2_FX_OK; id = get_int(); - name = get_string(NULL); + name = getpath(id); + if (name == NULL) + return; + a = get_attrib(); TRACE("setstat id %d name %s", id, name); if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) { @@ -646,7 +682,10 @@ u_int32_t id; id = get_int(); - path = get_string(NULL); + path = getpath(id); + if (path == NULL) + return; + TRACE("opendir id %d path %s", id, path); dirp = opendir(path); if (dirp == NULL) { @@ -768,7 +807,10 @@ int ret; id = get_int(); - name = get_string(NULL); + name = getpath(id); + if (name == NULL) + return; + TRACE("remove id %d name %s", id, name); ret = unlink(name); status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; @@ -785,7 +827,10 @@ int ret, mode, status = SSH2_FX_FAILURE; id = get_int(); - name = get_string(NULL); + name = getpath(id); + if (name == NULL) + return; + a = get_attrib(); mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm & 0777 : 0777; @@ -804,7 +849,10 @@ int ret, status; id = get_int(); - name = get_string(NULL); + name = getpath(id); + if (name == NULL) + return; + TRACE("rmdir id %d name %s", id, name); ret = rmdir(name); status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; @@ -820,7 +868,10 @@ char *path; id = get_int(); - path = get_string(NULL); + path = getpath(id); + if (path == NULL) + return; + if (path[0] == '\0') { xfree(path); path = xstrdup("."); @@ -846,8 +897,14 @@ int ret, status = SSH2_FX_FAILURE; id = get_int(); - oldpath = get_string(NULL); - newpath = get_string(NULL); + oldpath = getpath(id); + if (oldpath == NULL) + return; + + newpath = getpath(id); + if (newpath == NULL) + return; + TRACE("rename id %d old %s new %s", id, oldpath, newpath); /* fail if 'newpath' exists */ if (stat(newpath, &st) == -1) { 
@@ -867,7 +924,10 @@ char *path; id = get_int(); - path = get_string(NULL); + path = getpath(id); + if (path == NULL) + return; + TRACE("readlink id %d path %s", id, path); if (readlink(path, link, sizeof(link) - 1) == -1) send_status(id, errno_to_portable(errno)); @@ -891,8 +951,14 @@ int ret, status = SSH2_FX_FAILURE; id = get_int(); - oldpath = get_string(NULL); - newpath = get_string(NULL); + oldpath = getpath(id); + if (oldpath == NULL) + return; + + newpath = getpath(id); + if (newpath == NULL) + return; + TRACE("symlink id %d old %s new %s", id, oldpath, newpath); /* fail if 'newpath' exists */ if (stat(newpath, &st) == -1) { @@ -1004,6 +1070,32 @@ } } +char* +jail_init(void) +{ + char *user_dir, *new_root; + + user_dir = getenv("HOME"); + if (!user_dir) + fatal("HOME isn't in environment"); + + new_root = user_dir + 1; + + while ((new_root = strchr(new_root, '.')) != NULL) { + new_root--; + if (strncmp(new_root, "/./", 3) == 0) { + *new_root = '\0'; + new_root += 2; + + return(xstrdup(user_dir)); + /*setenv("HOME", new_root, 1);*/ + break; + } + new_root += 2; + } + return NULL; +} + int main(int ac, char **av) { @@ -1018,6 +1110,8 @@ #ifdef DEBUG_SFTP_SERVER log_init("sftp-server", SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 0); #endif + + jailpath = jail_init(); in = dup(STDIN_FILENO); out = dup(STDOUT_FILENO); From mouring at etoh.eviladmin.org Thu May 24 13:53:21 2001 
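Review bot: in the getpath() hunk, `strncmp(resolvedpath, jailpath, strlen(jailpath))` only checks that the canonical path starts with the jail string, so with a jailpath of `/home/bob` the path `/home/bob2/x` passes; also require that `resolvedpath[strlen(jailpath)]` is `'/'` or `'\0'`, or keep jailpath with a trailing slash and compare against that. When jailpath is NULL every path is accepted, which is the intended no-jail mode but deserves a comment at the `if (jailpath)`.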
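Review bot: the rename and symlink hunks pass `newpath` through getpath(id), but realpath() fails with ENOENT when the final component does not exist, and both handlers require exactly that (`/* fail if 'newpath' exists */`), so after this patch rename and symlink can never succeed; the open hunk has the same problem for opens that create a file, and mkdir's target must not exist yet either. Resolving the parent directory with realpath() and appending the final component would keep the check while allowing new names. In the rename and symlink hunks, returning when `newpath == NULL` also leaks `oldpath`.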
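Review bot: jail_init() derives the jail root from $HOME, and inside the loop the `new_root += 2` after `*new_root = '\0'`, the commented-out setenv() and the `break` following `return` are dead code, so the effect is simply to return the part of HOME before the first `/./`, without a trailing slash. Two things to settle before relying on it: if a user can influence HOME (for instance through a ~/.ssh/environment file that sshd honours), the jail root is chosen by the user, so it should come from the passwd entry or from a value sshd itself supplies; and a HOME of the form `/./dir` yields an empty jailpath, which the `strncmp()` in getpath() then matches against every path.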
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 23 May 2001 22:53:21 -0500 (CDT) Subject: chroot sftp-server [PATCH] In-Reply-To: Message-ID: Outside the fact that realpath() requires the file aspect of the path to exist which breaks 'rename' and 'symlink' =) - Ben On Wed, 23 May 2001 mouring at etoh.eviladmin.org wrote: > > > On 23 May 2001, Patrick Higgins wrote: > > > I'm working on setting up a semi-trusted sftp service, and to get it > > working, I need chroot capability. > > > Actually I was looking at it from a different point of view. > > Instead of requiring setuid sftp-sever and the use of chroot(). Carefully > crafted realpath() usage and strncmp() should do the same thing. > > This is a VERY VERY limited test. (As in.. compiles.. and looks like it > works.=) > > I know it can be cleaned up.. but it's where I left off in my testing. > > Markus, is there anything else I should worry about using this method? > > - Ben > > > --- ../cvs/OpenSSH/src/usr.bin/ssh/sftp-server.c Thu Apr 5 05:42:53 2001 > +++ sftp-server.c Wed May 23 19:54:06 2001 > @@ -357,6 +357,33 @@ > > /* parse incoming */ > > +char *jailpath; > + > +char* > +getpath(u_int32_t id) > +{ > + char resolvedpath[MAXPATHLEN]; > + char *path; > + > + path = get_string(NULL); > + > + if (realpath(path, resolvedpath) == NULL) { > + send_status(id, errno_to_portable(errno)); > + xfree(path); > + return(NULL); > + } > + xfree(path); > + > + if (jailpath) { > + if (strncmp(resolvedpath, jailpath, strlen(jailpath))) { > + send_status(id,SSH2_FX_PERMISSION_DENIED); > + return(NULL); > + } > + } > + > + return(xstrdup(resolvedpath)); > +} > + > void > process_init(void) > { > @@ -380,7 +407,10 @@ > int handle, fd, flags, mode, status = SSH2_FX_FAILURE; > > id = get_int(); > - name = get_string(NULL); > + name = getpath(id); > + if (name == NULL) > + return; > + > pflags = get_int(); /* portable flags */ > a = get_attrib(); > flags = flags_from_portable(pflags); 
> @@ -505,7 +535,10 @@ > int ret, status = SSH2_FX_FAILURE; > > id = get_int(); > - name = get_string(NULL); > + name = getpath(id); > + if (name == NULL) > + return; > + > TRACE("%sstat id %d name %s", do_lstat ? "l" : "", id, name); > ret = do_lstat ? lstat(name, &st) : stat(name, &st); > if (ret < 0) { > @@ -580,7 +613,10 @@ > int status = SSH2_FX_OK; > > id = get_int(); > - name = get_string(NULL); > + name = getpath(id); > + if (name == NULL) > + return; > + > a = get_attrib(); > TRACE("setstat id %d name %s", id, name); > if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) { > @@ -646,7 +682,10 @@ > u_int32_t id; > > id = get_int(); > - path = get_string(NULL); > + path = getpath(id); > + if (path == NULL) > + return; > + > TRACE("opendir id %d path %s", id, path); > dirp = opendir(path); > if (dirp == NULL) { > @@ -768,7 +807,10 @@ > int ret; > > id = get_int(); > - name = get_string(NULL); > + name = getpath(id); > + if (name == NULL) > + return; > + > TRACE("remove id %d name %s", id, name); > ret = unlink(name); > status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; > @@ -785,7 +827,10 @@ > int ret, mode, status = SSH2_FX_FAILURE; > > id = get_int(); > - name = get_string(NULL); > + name = getpath(id); > + if (name == NULL) > + return; > + > a = get_attrib(); > mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? > a->perm & 0777 : 0777; > @@ -804,7 +849,10 @@ > int ret, status; > > id = get_int(); > - name = get_string(NULL); > + name = getpath(id); > + if (name == NULL) > + return; > + > TRACE("rmdir id %d name %s", id, name); > ret = rmdir(name); > status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; > @@ -820,7 +868,10 @@ > char *path; > > id = get_int(); > - path = get_string(NULL); > + path = getpath(id); > + if (path == NULL) > + return; > + > if (path[0] == '\0') { > xfree(path); > path = xstrdup("."); 
> @@ -846,8 +897,14 @@ > int ret, status = SSH2_FX_FAILURE; > > id = get_int(); > - oldpath = get_string(NULL); > - newpath = get_string(NULL); > + oldpath = getpath(id); > + if (oldpath == NULL) > + return; > + > + newpath = getpath(id); > + if (newpath == NULL) > + return; > + > TRACE("rename id %d old %s new %s", id, oldpath, newpath); > /* fail if 'newpath' exists */ > if (stat(newpath, &st) == -1) { > @@ -867,7 +924,10 @@ > char *path; > > id = get_int(); > - path = get_string(NULL); > + path = getpath(id); > + if (path == NULL) > + return; > + > TRACE("readlink id %d path %s", id, path); > if (readlink(path, link, sizeof(link) - 1) == -1) > send_status(id, errno_to_portable(errno)); > @@ -891,8 +951,14 @@ > int ret, status = SSH2_FX_FAILURE; > > id = get_int(); > - oldpath = get_string(NULL); > - newpath = get_string(NULL); > + oldpath = getpath(id); > + if (oldpath == NULL) > + return; > + > + newpath = getpath(id); > + if (newpath == NULL) > + return; > + > TRACE("symlink id %d old %s new %s", id, oldpath, newpath); > /* fail if 'newpath' exists */ > if (stat(newpath, &st) == -1) { > @@ -1004,6 +1070,32 @@ > } > } > > +char* > +jail_init(void) > +{ > + char *user_dir, *new_root; > + > + user_dir = getenv("HOME"); > + if (!user_dir) > + fatal("HOME isn't in environment"); > + > + new_root = user_dir + 1; > + > + while ((new_root = strchr(new_root, '.')) != NULL) { > + new_root--; > + if (strncmp(new_root, "/./", 3) == 0) { > + *new_root = '\0'; > + new_root += 2; > + > + return(xstrdup(user_dir)); > + /*setenv("HOME", new_root, 1);*/ > + break; > + } > + new_root += 2; > + } > + return NULL; > +} > + > int > main(int ac, char **av) > { > @@ -1018,6 +1110,8 @@ > #ifdef DEBUG_SFTP_SERVER > log_init("sftp-server", SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 0); > #endif > + > + jailpath = jail_init(); > > in = dup(STDIN_FILENO); > out = dup(STDOUT_FILENO); > > From markus.friedl at informatik.uni-erlangen.de Thu May 24 20:43:17 2001 
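Path confinement without chroot(), covering the getpath() prefix test in Ben's patch and the realpath() problem with not-yet-existing names from his follow-up, as an added C example that is not OpenSSH's or Ben's code: the parent directory is canonicalised and the last component appended, an existing last component is followed as well, and the jail prefix has to end at a separator. The function names and return codes are assumptions for the example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 if "resolved" (canonical, absolute) equals "jail" or lies below it.
 * A bare strncmp() prefix test would also accept /home/bob2 for /home/bob. */
int path_within_jail(const char *resolved, const char *jail)
{
	size_t jl = strlen(jail);

	while (jl > 1 && jail[jl - 1] == '/')		/* ignore trailing '/' */
		jl--;
	if (strncmp(resolved, jail, jl) != 0)
		return 0;
	if (jl == 1)					/* jail is "/" itself */
		return resolved[0] == '/';
	return resolved[jl] == '\0' || resolved[jl] == '/';
}

/*
 * Canonicalise the client-supplied "in" into "out" (size outlen) and check
 * it against "jail".  Only the last path component may be missing, which is
 * what rename, symlink, mkdir and creating opens need.  Returns 0 on
 * success, -1 on a resolution error (errno set) and -2 when the result
 * would leave the jail.
 */
int confine_path(const char *jail, const char *in, char *out, size_t outlen)
{
	char jail_res[PATH_MAX], parent_res[PATH_MAX], full_res[PATH_MAX];
	char link_res[PATH_MAX], work[PATH_MAX];
	const char *base;
	char *slash;
	size_t wl = strlen(in);
	int n;

	if (realpath(jail, jail_res) == NULL)
		return -1;
	if (wl == 0 || wl >= sizeof(work)) {
		errno = wl == 0 ? ENOENT : ENAMETOOLONG;
		return -1;
	}
	memcpy(work, in, wl + 1);
	while (wl > 1 && work[wl - 1] == '/')		/* "dir/" means "dir" */
		work[--wl] = '\0';
	slash = strrchr(work, '/');
	base = slash == NULL ? work : slash + 1;

	if (*base == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0) {
		/* "/", "x/." and "x/.." can only name existing directories. */
		if (realpath(work, full_res) == NULL)
			return -1;
	} else {
		/* Resolve the parent only, then append the (maybe new) name. */
		if (slash == NULL) {
			if (realpath(".", parent_res) == NULL)
				return -1;
		} else if (slash == work) {
			strcpy(parent_res, "/");
		} else {
			*slash = '\0';
			if (realpath(work, parent_res) == NULL)
				return -1;
		}
		n = snprintf(full_res, sizeof(full_res), "%s%s%s", parent_res,
		    strcmp(parent_res, "/") == 0 ? "" : "/", base);
		if (n < 0 || (size_t)n >= sizeof(full_res)) {
			errno = ENAMETOOLONG;
			return -1;
		}
		/* If the last component already exists, follow it too, so a
		 * symlink pointing out of the jail is rejected (conservative:
		 * such a link cannot even be removed through this check). */
		if (realpath(full_res, link_res) != NULL)
			memcpy(full_res, link_res, strlen(link_res) + 1);
	}
	if (!path_within_jail(full_res, jail_res))
		return -2;
	if (strlen(full_res) >= outlen) {
		errno = ENAMETOOLONG;
		return -1;
	}
	strcpy(out, full_res);
	return 0;
}
```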
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 24 May 2001 12:43:17 +0200
Subject: hosts.equiv (fwd)
In-Reply-To: <3B0C0ADD.7E70D191@mizuhocap.com>; from jrippas@mizuhocap.com on Wed, May 23, 2001 at 03:09:17PM -0400
References: <20010322133737.B22275@faui02.informatik.uni-erlangen.de> <3B0C0ADD.7E70D191@mizuhocap.com>
Message-ID: <20010524124317.B22475@folly>

On Wed, May 23, 2001 at 03:09:17PM -0400, James Rippas wrote:
> debug1: Remote: Server has been configured to ignore .shosts.
> debug1: Remote: Server has been configured to ignore .rhosts.
> debug1: authentications that can continue:
> publickey,password,keyboard-interactive,hostbased
> debug1: Remote: Server has been configured to ignore .shosts.
> debug1: Remote: Server has been configured to ignore .rhosts.
  ^^^

hostbased or rhostsrsa won't work. allow .r/shosts or use hosts.equiv.
however, hosts.equiv will not be allowed for root.

From markus.friedl at informatik.uni-erlangen.de Thu May 24 20:51:50 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 24 May 2001 12:51:50 +0200
Subject: bug report
In-Reply-To: ; from mugz@x-mafia.org on Wed, May 23, 2001 at 10:49:54PM -0400
References:
Message-ID: <20010524125150.D22475@folly>

On Wed, May 23, 2001 at 10:49:54PM -0400, mugz wrote:
>
> I'm always a bit slow to report bugs I see, figuring someone else will
> report it and that it will eventually get fixed. This one has been
> somewhat of a problem for a while now. I run Linux Slackware -current and
> just upgraded to OpenSSH 2.9p1, but I have noticed this same bug on every
> platform and OS running OpenSSH.
>
> If a user logs in and starts any kind of background process such as
> "screen" "bnc" "mud" "eggdrop" etc, the console "hangs" when they log out.
> When I ssh to a shell running OpenSSH from work or from home, start a
> screen or a bnc and then exit with that process running, I have to go to
> another console and manually kill my connection locally. If I then log
> back into the same shell and type: last -5 myuserid, it shows me as
> "still logged in" from that previous session. You can test this easily by
> logging in using ssh and typing:
>
> sleep 200 &
> exit

does

	sleep 1234 < /dev/null > /dev/null 2>&
	exit

work?

From markus.friedl at informatik.uni-erlangen.de Thu May 24 21:03:01 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 24 May 2001 13:03:01 +0200
Subject: ignoring SIGPIPE causing problems in pipes
In-Reply-To: ; from ecashin@terry.uga.edu on Wed, May 23, 2001 at 03:42:15PM -0400
References:
Message-ID: <20010524130301.A6575@folly>

On Wed, May 23, 2001 at 03:42:15PM -0400, Ed L Cashin wrote:
> Ed L Cashin writes:
>
> [ssh ignores SIGPIPE in a pipe situation]
>
> Hi. Did I post to the wrong list? The openssh ssh client from

no.

> version 2.9p1 is ignoring the PIPE signal when it shouldn't be, namely
> when it's piping output to a utility like restore.
>
> Commenting out a line in clientloop.c fixes it.

i'm not sure about this 'fix', it could break all kinds of forwarding.

> What is the status of this bug, and is there a better forum for
> discussing it?

i cannot reproduce your bug, ssh exits on my systems.
do you have any ssh -v -v -v traces for the hanging ssh?

From markus.friedl at informatik.uni-erlangen.de Thu May 24 21:08:30 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 24 May 2001 13:08:30 +0200
Subject: scp: Problem when source and destination are identical
In-Reply-To: <20010523232352.B22175@greenie.muc.de>; from gert@greenie.muc.de on Wed, May 23, 2001 at 11:23:52PM +0200
References: <20010523150728.E14978@zax.half.pint-stowp.cx> <20010523232352.B22175@greenie.muc.de>
Message-ID: <20010524130830.B6575@folly>

On Wed, May 23, 2001 at 11:23:52PM +0200, Gert Doering wrote:
> Hi,
>
> On Wed, May 23, 2001 at 03:07:28PM -0500, Jim Knoble wrote:
> > What i would much rather see is for the destination scp to write the
> > incoming file to a temporary file in the same directory, and then
> > rename() it to the destination file on a successful copy.
>
> Strongly seconded. But Markus doesn't seem to like it, for no other
> reason than "you can use tar/mv/rsync to do this".

no, the reason is: scp == rcp

From abartlet at pcug.org.au Fri May 25 00:17:16 2001
From: abartlet at pcug.org.au (Andrew Bartlett) Date: Fri, 25 May 2001 00:17:16 +1000 Subject: chroot sftp-server [PATCH] References: Message-ID: <3B0D17EC.AA892EB2@bartlett.house> Is there any way of making this work? This is the method I much prefer, and was looking at implementing a while ago. I'm glad sombodies taken a stab at it. I run SFTP specificly becouse it does not require a ROOT deamon (apart from OpenSSH, which I run already) nor does it require a set-uid binary. Hence my interest in this patch. Andrew Bartlett mouring at etoh.eviladmin.org wrote: > > Outside the fact that realpath() requires the file aspect of the path to > exist which breaks 'rename' and 'symlink' =) > > - Ben > > On Wed, 23 May 2001 mouring at etoh.eviladmin.org wrote: > > > > > > > On 23 May 2001, Patrick Higgins wrote: > > > > > I'm working on setting up a semi-trusted sftp service, and to get it > > > working, I need chroot capability. > > > > > Actually I was looking at it from a different point of view. > > > > Instead of requiring setuid sftp-sever and the use of chroot(). Carefully > > crafted realpath() usage and strncmp() should do the same thing. > > > > This is a VERY VERY limited test. (As in.. compiles.. and looks like it > > works.=) > > > > I know it can be cleaned up.. but it's where I left off in my testing. > > > > Markus, is there anything else I should worry about using this method? > > > > - Ben > > > > > > --- ../cvs/OpenSSH/src/usr.bin/ssh/sftp-server.c Thu Apr 5 05:42:53 2001 > > +++ sftp-server.c Wed May 23 19:54:06 2001 
> > @@ -357,6 +357,33 @@ > > > > /* parse incoming */ > > > > +char *jailpath; > > + > > +char* > > +getpath(u_int32_t id) > > +{ > > + char resolvedpath[MAXPATHLEN]; > > + char *path; > > + > > + path = get_string(NULL); > > + > > + if (realpath(path, resolvedpath) == NULL) { > > + send_status(id, errno_to_portable(errno)); > > + xfree(path); > > + return(NULL); > > + } > > + xfree(path); > > + > > + if (jailpath) { > > + if (strncmp(resolvedpath, jailpath, strlen(jailpath))) { > > + send_status(id,SSH2_FX_PERMISSION_DENIED); > > + return(NULL); > > + } > > + } > > + > > + return(xstrdup(resolvedpath)); > > +} > > + > > void > > process_init(void) > > { > > @@ -380,7 +407,10 @@ > > int handle, fd, flags, mode, status = SSH2_FX_FAILURE; > > > > id = get_int(); > > - name = get_string(NULL); > > + name = getpath(id); > > + if (name == NULL) > > + return; > > + > > pflags = get_int(); /* portable flags */ > > a = get_attrib(); > > flags = flags_from_portable(pflags); > > @@ -505,7 +535,10 @@ > > int ret, status = SSH2_FX_FAILURE; > > > > id = get_int(); > > - name = get_string(NULL); > > + name = getpath(id); > > + if (name == NULL) > > + return; > > + > > TRACE("%sstat id %d name %s", do_lstat ? "l" : "", id, name); > > ret = do_lstat ? lstat(name, &st) : stat(name, &st); > > if (ret < 0) { > > @@ -580,7 +613,10 @@ > > int status = SSH2_FX_OK; > > > > id = get_int(); > > - name = get_string(NULL); > > + name = getpath(id); > > + if (name == NULL) > > + return; > > + > > a = get_attrib(); > > TRACE("setstat id %d name %s", id, name); > > if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) { > > @@ -646,7 +682,10 @@ > > u_int32_t id; > > > > id = get_int(); > > - path = get_string(NULL); > > + path = getpath(id); > > + if (path == NULL) > > + return; > > + > > TRACE("opendir id %d path %s", id, path); > > dirp = opendir(path); > > if (dirp == NULL) { 
> > @@ -768,7 +807,10 @@ > > int ret; > > > > id = get_int(); > > - name = get_string(NULL); > > + name = getpath(id); > > + if (name == NULL) > > + return; > > + > > TRACE("remove id %d name %s", id, name); > > ret = unlink(name); > > status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; > > @@ -785,7 +827,10 @@ > > int ret, mode, status = SSH2_FX_FAILURE; > > > > id = get_int(); > > - name = get_string(NULL); > > + name = getpath(id); > > + if (name == NULL) > > + return; > > + > > a = get_attrib(); > > mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? > > a->perm & 0777 : 0777; > > @@ -804,7 +849,10 @@ > > int ret, status; > > > > id = get_int(); > > - name = get_string(NULL); > > + name = getpath(id); > > + if (name == NULL) > > + return; > > + > > TRACE("rmdir id %d name %s", id, name); > > ret = rmdir(name); > > status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; > > @@ -820,7 +868,10 @@ > > char *path; > > > > id = get_int(); > > - path = get_string(NULL); > > + path = getpath(id); > > + if (path == NULL) > > + return; > > + > > if (path[0] == '\0') { > > xfree(path); > > path = xstrdup("."); > > @@ -846,8 +897,14 @@ > > int ret, status = SSH2_FX_FAILURE; > > > > id = get_int(); > > - oldpath = get_string(NULL); > > - newpath = get_string(NULL); > > + oldpath = getpath(id); > > + if (oldpath == NULL) > > + return; > > + > > + newpath = getpath(id); > > + if (newpath == NULL) > > + return; > > + > > TRACE("rename id %d old %s new %s", id, oldpath, newpath); > > /* fail if 'newpath' exists */ > > if (stat(newpath, &st) == -1) { > > @@ -867,7 +924,10 @@ > > char *path; > > > > id = get_int(); > > - path = get_string(NULL); > > + path = getpath(id); > > + if (path == NULL) > > + return; > > + > > TRACE("readlink id %d path %s", id, path); > > if (readlink(path, link, sizeof(link) - 1) == -1) > > send_status(id, errno_to_portable(errno)); 
> > @@ -891,8 +951,14 @@ > > int ret, status = SSH2_FX_FAILURE; > > > > id = get_int(); > > - oldpath = get_string(NULL); > > - newpath = get_string(NULL); > > + oldpath = getpath(id); > > + if (oldpath == NULL) > > + return; > > + > > + newpath = getpath(id); > > + if (newpath == NULL) > > + return; > > + > > TRACE("symlink id %d old %s new %s", id, oldpath, newpath); > > /* fail if 'newpath' exists */ > > if (stat(newpath, &st) == -1) { > > @@ -1004,6 +1070,32 @@ > > } > > } > > > > +char* > > +jail_init(void) > > +{ > > + char *user_dir, *new_root; > > + > > + user_dir = getenv("HOME"); > > + if (!user_dir) > > + fatal("HOME isn't in environment"); > > + > > + new_root = user_dir + 1; > > + > > + while ((new_root = strchr(new_root, '.')) != NULL) { > > + new_root--; > > + if (strncmp(new_root, "/./", 3) == 0) { > > + *new_root = '\0'; > > + new_root += 2; > > + > > + return(xstrdup(user_dir)); > > + /*setenv("HOME", new_root, 1);*/ > > + break; > > + } > > + new_root += 2; > > + } > > + return NULL; > > +} > > + > > int > > main(int ac, char **av) > > { > > @@ -1018,6 +1110,8 @@ > > #ifdef DEBUG_SFTP_SERVER > > log_init("sftp-server", SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 0); > > #endif > > + > > + jailpath = jail_init(); > > > > in = dup(STDIN_FILENO); > > out = dup(STDOUT_FILENO); > > > > -- Andrew Bartlett abartlet at pcug.org.au From mouring at etoh.eviladmin.org Fri May 25 00:17:46 2001 
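Review bot: the jail test in getpath(), `strncmp(resolvedpath, jailpath, strlen(jailpath))`, compares only a string prefix, so with a jail of /home/alice the resolved path /home/alice2/file passes the check; after the strncmp succeeds, also require `resolvedpath[strlen(jailpath)]` to be '\0' or '/'. The comparison also uses jailpath exactly as jail_init() cut it out of HOME while resolvedpath is canonical, so a HOME that passes through a symlink or carries a trailing slash never matches and every request is answered with SSH2_FX_PERMISSION_DENIED; canonicalise the jail root once with realpath() before storing it.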
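Review bot: realpath() fails with ENOENT for a name that does not exist yet, so after `name = getpath(id);` in the open handler (@@ -380) every SSH2_FXF_CREAT open of a new file is refused before pflags is even read; the mkdir hunk (@@ -785) has the same problem for the directory being created, on top of the rename and symlink destinations Ben already mentions. For these requests canonicalise the parent directory, re-append the final component, and run the jail check on that.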
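Review bot: because getpath() returns the fully resolved path, `ret = do_lstat ? lstat(name, &st) : stat(name, &st);` in the stat hunk (@@ -505) never sees a symlink any more, so SSH2_FXP_LSTAT silently reports the link target; the readlink hunk (@@ -867) is affected the same way, since readlink() on the resolved path fails with EINVAL. Use the canonical path only for the jail check and keep the client-supplied name (or the resolved parent plus the last component) for the system call.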
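Review bot: `ret = unlink(name);` in the remove hunk (@@ -768) now operates on the resolved path, so a remove request naming a symlink inside the jail deletes the file it points to and leaves the link in place; the rmdir hunk (@@ -804) behaves the same way for a link to a directory. Same fix as for lstat: check the canonical path, but pass the unresolved last component to unlink() and rmdir().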
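Review bot: the `if (path[0] == '\0')` fallback to "." that follows `path = getpath(id);` in the realpath hunk (@@ -820) is now unreachable, because getpath() has already handed the empty string to realpath(), which fails with ENOENT and sends an error status; substitute "." before calling getpath() (or inside it) so a client that starts with an empty realpath request keeps working.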
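Review bot: in the rename hunk (@@ -846) `if (newpath == NULL) return;` leaks oldpath; add `xfree(oldpath);` before the return. Also, when the first getpath() fails the second path string is never read from the request, so check that process() discards the rest of the packet in that case, otherwise the next request is parsed from the middle of this one. The symlink hunk (@@ -891) has both issues.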
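Review bot: in jail_init() (@@ -1004) the commented setenv() and the `break;` after `return(xstrdup(user_dir));` are dead code, and nothing chdir()s into the jail or re-exports the shortened HOME, so the server still starts in the directory named by the full HOME and the client's first `realpath .` resolves there. Also, since the scan starts at `user_dir + 1` and steps back one byte before the "/./" compare, a HOME of "/./dir" truncates user_dir to the empty string; getpath() then calls strncmp() with length 0 and admits every path, so treat an empty jail root as a fatal() condition.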
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 24 May 2001 09:17:46 -0500 (CDT)
Subject: chroot sftp-server [PATCH]
In-Reply-To: <3B0D17EC.AA892EB2@bartlett.house>
Message-ID:

There are a few issues I need to sort out. As I said.. symlink and rename commands break under my current patch. And I need to find a better way of doing error checking. I'd like to also include the option to 'jail' someone in a subdirectory off their home directory. Thus removing their ability to modify dot files in their home directory. But that may require changes to sshd.

I'm sure it will work fine. Just when I get done I'll need a few other people to look over the patch to ensure I did not miss any edge cases.

I'll have a more robust patch in a day or two.

- Ben

On Fri, 25 May 2001, Andrew Bartlett wrote:

> Is there any way of making this work? This is the method I much prefer,
> and was looking at implementing a while ago. I'm glad somebody's taken a
> stab at it.
>
> I run SFTP specifically because it does not require a ROOT daemon (apart
> from OpenSSH, which I run already) nor does it require a set-uid
> binary. Hence my interest in this patch.
>
> Andrew Bartlett
>
> mouring at etoh.eviladmin.org wrote:
> >
> > Outside the fact that realpath() requires the file aspect of the path to
> > exist which breaks 'rename' and 'symlink' =)
> >
> > - Ben
> >
> > On Wed, 23 May 2001 mouring at etoh.eviladmin.org wrote:
> >
> > > On 23 May 2001, Patrick Higgins wrote:
> > >
> > > > I'm working on setting up a semi-trusted sftp service, and to get it
> > > > working, I need chroot capability.
> > >
> > > Actually I was looking at it from a different point of view.
> > >
> > > Instead of requiring setuid sftp-server and the use of chroot(). Carefully
> > > crafted realpath() usage and strncmp() should do the same thing.
> > >
> > > This is a VERY VERY limited test. (As in.. compiles.. and looks like it
> > > works.=)
> > >
> > > I know it can be cleaned up.. but it's where I left off in my testing.
> > >
> > > Markus, is there anything else I should worry about using this method?
> > >
> > > - Ben
> --
> Andrew Bartlett
> abartlet at pcug.org.au
>

From cmadams at hiwaay.net Fri May 25 00:40:03 2001
From: cmadams at hiwaay.net (Chris Adams)
Date: Thu, 24 May 2001 09:40:03 -0500
Subject: scp: Problem when source and destination are identical
In-Reply-To: <20010524130830.B6575@folly>; from markus.friedl@informatik.uni-erlangen.de on Thu, May 24, 2001 at 01:08:30PM +0200
References: <20010523150728.E14978@zax.half.pint-stowp.cx> <20010523232352.B22175@greenie.muc.de> <20010524130830.B6575@folly>
Message-ID: <20010524094003.D9297@HiWAAY.net>

Once upon a time, Markus Friedl said:
> On Wed, May 23, 2001 at 11:23:52PM +0200, Gert Doering wrote:
> > On Wed, May 23, 2001 at 03:07:28PM -0500, Jim Knoble wrote:
> > > What i would much rather see is for the destination scp to write the
> > > incoming file to a temporary file in the same directory, and then
> > > rename() it to the destination file on a successful copy.
> >
> > Strongly seconded. But Markus doesn't seem to like it, for no other
> > reason than "you can use tar/mv/rsync to do this".
>
> no, the reason is: scp == rcp

If scp == rcp and rcp can handle this case, shouldn't scp? Has anyone looked at the BSD rcp source to see how it is handled there?

--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From mhaverka at kcp.com Fri May 25 00:38:36 2001
From: mhaverka at kcp.com (mhaverka at kcp.com)
Date: Thu, 24 May 2001 09:38:36 -0500
Subject: occasional ssh hang
Message-ID: <20010524144150.CBCBA27D85@shitei.mindrot.org>

I am using OpenSSH on Redhat 6.2 (Intel) and Solaris 2.6 (Sparc). I have a job on the linux machine that ssh's to the Solaris machine every 20 seconds or so and runs uptime. The problem is that after many iterations of this, ssh will occasionally hang, and require a kill -9 to get rid of the process. The problem happens with both protocol version 1 and 2, but it seems to happen more often with version 2. I have noticed this problem with both 2.5.2p2 and 2.9p1.

Below is ssh -v output from a successful run, and a run where ssh hangs. Both are done with protocol version 2.

ssh -2 -x -T -n -v -o 'BatchMode yes' -l vserv 147.101.224.39

Successful:

OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 0 geteuid 0 anon 1
debug1: Connecting to 147.101.224.39 [147.101.224.39] port 22.
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /root/.ssh/identity type 0
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p1
debug1: match: OpenSSH_2.9p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes256-cbc hmac-md5 none
debug1: kex: client->server aes256-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 262/512
debug1: bits set: 1006/2049
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '147.101.224.39' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts2:2
debug1: bits set: 1063/2049
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /root/.ssh/id_dsa
debug1: try pubkey: /root/.ssh/id_rsa
debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 0x8112050 hint 2
debug1: read PEM private key done: type RSA
debug1: ssh-userauth2 successful: method publickey
debug1: fd 4 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug1: channel_new: 0
debug1: send channel open 0
debug1: Entering interactive session.
debug1: client_init id 0 arg 0
debug1: channel request 0: shell
debug1: channel 0: open confirm rwindow 0 rmax 16384
debug1: channel 0: read<=0 rfd 4 len 0
debug1: channel 0: read failed
debug1: channel 0: input open -> drain
debug1: channel 0: close_read
debug1: channel 0: input: no drain shortcut
debug1: channel 0: ibuf empty
debug1: channel 0: input drain -> closed
debug1: channel 0: send eof
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
 8:47am up 49 day(s), 17:46, 2 users, load average: 0.52, 0.49, 0.46
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd close
debug1: channel 0: obuf empty
debug1: channel 0: output drain -> closed
debug1: channel 0: close_write
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel_free: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)
debug1: channel_free: channel 0: dettaching channel user
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 0

Failure:

OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 0 geteuid 0 anon 1
debug1: Connecting to 147.101.224.39 [147.101.224.39] port 22.
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /root/.ssh/identity type 0
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p1
debug1: match: OpenSSH_2.9p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes256-cbc hmac-md5 none
debug1: kex: client->server aes256-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 260/512
debug1: bits set: 1042/2049
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '147.101.224.39' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts2:2
debug1: bits set: 1054/2049
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /root/.ssh/id_dsa
debug1: try pubkey: /root/.ssh/id_rsa
debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 0x8112050 hint 2
debug1: read PEM private key done: type RSA
debug1: ssh-userauth2 successful: method publickey
debug1: fd 4 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug1: channel_new: 0
debug1: send channel open 0
debug1: Entering interactive session.
debug1: client_init id 0 arg 0
debug1: channel request 0: shell
debug1: channel 0: open confirm rwindow 0 rmax 16384
debug1: channel 0: read<=0 rfd 4 len 0
debug1: channel 0: read failed
debug1: channel 0: input open -> drain
debug1: channel 0: close_read
debug1: channel 0: input: no drain shortcut
debug1: channel 0: ibuf empty
debug1: channel 0: input drain -> closed
debug1: channel 0: send eof
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
 8:47am up 49 day(s), 17:46, 2 users, load average: 0.47, 0.48, 0.46
debug1: channel 0: obuf empty
debug1: channel 0: output drain -> closed
debug1: channel 0: close_write
debug1: channel 0: send close
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd close
debug1: channel 0: is dead
debug1: channel_free: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)
debug1: channel_free: channel 0: dettaching channel user

From phiggins at transzap.com Fri May 25 03:45:48 2001
From: phiggins at transzap.com (Patrick Higgins)
Date: 24 May 2001 11:45:48 -0600
Subject: chroot sftp-server [PATCH]
In-Reply-To:
References:
Message-ID: <990726348.3805.0.camel@phiggins.transzap.com>

All of this should be quite possible, but I think the sftp-server is going to need greater configurability. I noticed the comment at the beginning that it should use getopt(), but in order to get that to work, the code which spawns it is going to need some new features... It seems possible to put options into the sftp subsystem definition in your sshd_config, but they would be the same for all users. It would be nice to have some kind of variable syntax to express things that change (like home directories). Perhaps a full-blown config file for sftp-server would be more appropriate?

While I'm on the topic of how the subsystem is exec'ed, I'd like to ask why it's exec'ed with the user's shell instead of /bin/sh. This seems to prevent me from giving sftp access but *not* ssh. It appears to have been done more or less for code reuse--perhaps do_exec_*_pty() and do_child() should take the shell to use as an argument, so that session_subsystem_req() could always specify /bin/sh?

Perhaps I just don't know enough about the protocol--does it even make sense to grant subsystem access without granting normal ssh access? It seems to work if I make the user's login shell be /usr/lib/libexec/sftp-server, so I assume it does...

On 24 May 2001 09:17:46 -0500, mouring at etoh.eviladmin.org wrote:
>
> There are a few issues I need to sort out. As I said.. symlink and
> rename commands break under my current patch. And I need to find a better
> way of doing error checking. I'd like to also include the option to
> 'jail' someone in a subdirectory off their home directory. Thus removing
> their ability to modify dot files in their home directory. But that may
> require changes to sshd.
>
> I'm sure it will work fine. Just when I get done I'll need a few other
> people to look over the patch to ensure I did not miss any edge cases.
>
> I'll have a more robust patch in a day or two.
>
> - Ben
>
> On Fri, 25 May 2001, Andrew Bartlett wrote:
>
> > Is there any way of making this work? This is the method I much prefer,
> > and was looking at implementing a while ago. I'm glad somebody's taken a
> > stab at it.
> >
> > I run SFTP specifically because it does not require a ROOT daemon (apart
> > from OpenSSH, which I run already) nor does it require a set-uid
> > binary. Hence my interest in this patch.
> >
> > Andrew Bartlett
> >
> > mouring at etoh.eviladmin.org wrote:
> > >
> > > Outside the fact that realpath() requires the file aspect of the path to
> > > exist which breaks 'rename' and 'symlink' =)
> > >
> > > - Ben
> > >
> > > On Wed, 23 May 2001 mouring at etoh.eviladmin.org wrote:
> > >
> > > > On 23 May 2001, Patrick Higgins wrote:
> > > >
> > > > > I'm working on setting up a semi-trusted sftp service, and to get it
> > > > > working, I need chroot capability.
> > > >
> > > > Actually I was looking at it from a different point of view.
> > > >
> > > > Instead of requiring setuid sftp-server and the use of chroot(). Carefully
> > > > crafted realpath() usage and strncmp() should do the same thing.
> > > >
> > > > This is a VERY VERY limited test. (As in.. compiles.. and looks like it
> > > > works.=)
> > > >
> > > > I know it can be cleaned up.. but it's where I left off in my testing.
> > > >
> > > > Markus, is there anything else I should worry about using this method?
> > > >
> > > > - Ben
> > --
> > Andrew Bartlett
> > abartlet at pcug.org.au
> >

From phiggins at transzap.com Fri May 25 04:33:46 2001
From: phiggins at transzap.com (Patrick Higgins)
Date: 24 May 2001 12:33:46 -0600
Subject: Using /bin/sh to exec subsystems [PATCH]
Message-ID: <990729226.3814.2.camel@phiggins.transzap.com>

I've gone ahead and written the code to allow subsystems to always be run with the Bourne shell instead of the user's shell, thus allowing users with invalid shells to be able to use sftp (but not ssh, because their shell is invalid). The patch is attached.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: bin-sh-subsystem.diff
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010524/53d064f6/attachment.ksh

From gert at greenie.muc.de Fri May 25 06:25:23 2001
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 24 May 2001 22:25:23 +0200
Subject: scp: Problem when source and destination are identical
In-Reply-To: <20010524130830.B6575@folly>; from Markus Friedl on Thu, May 24, 2001 at 01:08:30PM +0200
References: <20010523150728.E14978@zax.half.pint-stowp.cx> <20010523232352.B22175@greenie.muc.de> <20010524130830.B6575@folly>
Message-ID: <20010524222523.C26969@greenie.muc.de>

Hi,

On Thu, May 24, 2001 at 01:08:30PM +0200, Markus Friedl wrote:
> > > What i would much rather see is for the destination scp to write the
> > > incoming file to a temporary file in the same directory, and then
> > > rename() it to the destination file on a successful copy.
> >
> > Strongly seconded. But Markus doesn't seem to like it, for no other
> > reason than "you can use tar/mv/rsync to do this".
>
> no, the reason is: scp == rcp

Just because rcp has been implemented as "very inflexible" in the past
(I'd go so far and call it "broken"), does this mean we have to break
scp as well?

We don't do the "use a separate TCP connection for stderr" thing from
rsh either, just because it's there...

(Yes, I can see your argument, "let's keep the source differences as
small as possible". But hey, so let's fix it in rcp as well.)

gert

-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de

From mouring at etoh.eviladmin.org Fri May 25 06:27:29 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 24 May 2001 15:27:29 -0500 (CDT)
Subject: Using /bin/sh to exec subsystems [PATCH]
In-Reply-To: <990729226.3814.2.camel@phiggins.transzap.com>
Message-ID:

UGH.. Please.. No...

We moved from this. If you wish sftp only accounts put sftp-server as the
user's shell. This works very well.

Running /bin/sh allows the user to insert unsafe code in their startup
script which could allow them to get a shell on the server.

- Ben

On 24 May 2001, Patrick Higgins wrote:

> I've gone ahead and written the code to allow subsystems to always be
> run with the Bourne shell instead of the user's shell, thus allowing
> users with invalid shells to be able to use sftp (but not ssh, because
> their shell is invalid). The patch is attached.
>
>

From phiggins at transzap.com Fri May 25 06:56:34 2001
From: phiggins at transzap.com (Patrick Higgins)
Date: 24 May 2001 14:56:34 -0600
Subject: Using /bin/sh to exec subsystems [PATCH]
In-Reply-To:
References:
Message-ID: <990737794.3812.3.camel@phiggins.transzap.com>

Which startup script? ~/.ssh/rc, .profile, both? Others? I'm of the
opinion that ~/.ssh/rc shouldn't be run for everyone. Perhaps only those
users with a shell in /etc/shells?

Shell startup files are only run in login shells, right? I don't see how
they pose a threat.

Using sftp-server as a login shell works fine for sftp, but it's causing
some problems with other services. There really needs to be a cleaner
way to restrict access to specific subsystems.

On 24 May 2001 15:27:29 -0500, mouring at etoh.eviladmin.org wrote:
>
>
> UGH.. Please.. No...
>
> We moved from this. If you wish sftp only accounts put sftp-server as the
> user's shell. This works very well.
>
> Running /bin/sh allows the user to insert unsafe code in their startup
> script which could allow them to get a shell on the server.
>
> - Ben
>
> On 24 May 2001, Patrick Higgins wrote:
>
> > I've gone ahead and written the code to allow subsystems to always be
> > run with the Bourne shell instead of the user's shell, thus allowing
> > users with invalid shells to be able to use sftp (but not ssh, because
> > their shell is invalid). The patch is attached.
> >
> >

From mouring at etoh.eviladmin.org Fri May 25 06:47:31 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Thu, 24 May 2001 15:47:31 -0500 (CDT)
Subject: Using /bin/sh to exec subsystems [PATCH]
In-Reply-To: <990737794.3812.3.camel@phiggins.transzap.com>
Message-ID:

On 24 May 2001, Patrick Higgins wrote:

[..]
> Using sftp-server as a login shell works fine for sftp, but it's causing
> some problems with other services. There really needs to be a cleaner
> way to restrict access to specific subsystems.
>

Like what? Pop3 works, Imap works... I've never met a well written
program that has not worked with this method.

- Ben

From phiggins at transzap.com Fri May 25 07:28:52 2001
From: phiggins at transzap.com (Patrick Higgins)
Date: 24 May 2001 15:28:52 -0600
Subject: Using /bin/sh to exec subsystems [PATCH]
In-Reply-To:
References:
Message-ID: <990739732.3805.4.camel@phiggins.transzap.com>

On 24 May 2001 15:47:31 -0500, mouring at etoh.eviladmin.org wrote:
>
>
> On 24 May 2001, Patrick Higgins wrote:
>
> [..]
> > Using sftp-server as a login shell works fine for sftp, but it's causing
> > some problems with other services. There really needs to be a cleaner
> > way to restrict access to specific subsystems.
> >
>
> Like what? Pop3 works, Imap works... I've never met a well
> written program that has not worked with this method.
>

ProFTPd was checking the shell for validity, but it looks like there's a
config option to turn those checks off.

I hate to have to be hypothetical, but what if there were another
popular SSH subsystem and you wanted to allow a user to use them both,
but not have shell access? What I'm getting at is that while the
solution works (for now), it's not without problems. Perhaps they're
easy enough to live with until another subsystem is written (anyone know
of any)?

-Pat

From Kennie.Cruz at ece.uprm.edu Fri May 25 00:25:24 2001
From: Kennie.Cruz at ece.uprm.edu (Kennie J. Cruz-Gutierrez)
Date: Thu, 24 May 2001 18:25:24 +0400 (GMT)
Subject: sftpd problems
Message-ID:

Dear developers,

I am using OpenSSH 2.9, portable and native OpenBSD versions, and having
problems with the scp command. For some reason it fails. The same problem
exists if using the SSH.com win/unix scp command. The OpenSSH FAQ says
something about shell init files and I tried the ssh myhost /path/to/true
stuff on my system and produced no output, still I can't connect.

Thanks in advance.

"To learn is a natural pleasure" - Aristotle
-------------------------------------------------------------------
Kennie J. Cruz Gutierrez, Student
Department of Mathematics, U of Puerto Rico [Mayaguez Campus]
Work Phone: (787) 832-4040 x 3798
Email: Kennie.Cruz at ece.uprm.edu
Web: http://ece.uprm.edu/~kennie

From jason at shalott.net Fri May 25 08:36:21 2001
From: jason at shalott.net (Jason Stone)
Date: Thu, 24 May 2001 15:36:21 -0700 (PDT)
Subject: Using /bin/sh to exec subsystems [PATCH]
In-Reply-To: <990737794.3812.3.camel@phiggins.transzap.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Using sftp-server as a login shell works fine for sftp, but it's
> causing some problems with other services. There really needs to be a
> cleaner way to restrict access to specific subsystems.

A similar problem that I've run into is when I want to allow limited
access with keys (eg, I want a user to be able to only run one command,
or to only be able to port forward, etc). In order for the
command-squashed command to be run, the user has to have a valid shell.
Unfortunately, a valid shell usually implies to the rest of the system
that the user is allowed to have shell access. So now I have to worry
about the other services on the machine doing the right thing and
denying access, even though the user has a valid shell.

So in both cases (subsystems, command-squashed commands), why not have
sshd fork and exec the command directly? Why go through the shell at
all?

-Jason

---------------------------
If the Revolution comes to grief, it will be because you and those you
lead have become alarmed at your own brutality. --John Gardner

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE7DYzoswXMWWtptckRAs7vAJ9un6qDcn4WGcWXVigf3WgEoDgcQwCgtVIn
No2kmtFrJPGvqQ7n0ROTn60=
=OGDG
-----END PGP SIGNATURE-----

From abartlet at pcug.org.au Fri May 25 07:39:36 2001
From: abartlet at pcug.org.au (Andrew Bartlett)
Date: Fri, 25 May 2001 07:39:36 +1000
Subject: chroot sftp-server [PATCH]
References: <990726348.3805.0.camel@phiggins.transzap.com>
Message-ID: <3B0D7F98.2229AA0F@bartlett.house>

Patrick Higgins wrote:
>
> All of this should be quite possible, but I think the sftp-server is
> going to need greater configurability. I noticed the comment at the
> beginning that it should use getopt(), but in order to get that to work,
> the code which spawns it is going to need some new features...
>
> It seems possible to put options into the sftp subsystem definition in
> your sshd_config, but they would be the same for all users. It would be
> nice to have some kind of variable syntax to express things that change
> (like home directories). Perhaps a full-blown config file for
> sftp-server would be more appropriate?
>
> While I'm on the topic of how the subsystem is exec'ed, I'd like to ask
> why it's exec'ed with the user's shell instead of /bin/sh. This seems to
> prevent me from giving sftp access but *not* ssh. It appears to have
> been done more or less for code reuse--perhaps do_exec_*_pty() and
> do_child() should take the shell to use as an argument, so that
> session_subsystem_req() could always specify /bin/sh?

Quite the opposite. I give my users a restricted shell, and this way I
can limit per-user use. I simply let my taint-mode perl script accept
the -c option, compare it with the list of permitted programs (currently
just sftp-server) and run it with the appropriate option. If I so cared,
I could configure the shell to only allow sftp to certain users, all
from the restricted shell.

We should be careful that we always use the user's shell, for backward
compatibility with setups that expect that their restricted shell
actually restricts their users in some way.

>
> Perhaps I just don't know enough about the protocol--does it even make
> sense to grant subsystem access without granting normal ssh access? It
> seems to work if I make the user's login shell be
> /usr/lib/libexec/sftp-server, so I'm assuming it does...

Almost exactly what I do, except that I also allow users to change their
passwords, and have an auto Maildir fixup hack. I might add a remote
pine option in the future.

>
> On 24 May 2001 09:17:46 -0500, mouring at etoh.eviladmin.org wrote:
> >
> > There are a few issues I need to sort out. As I said.. symlink and
> > rename commands break under my current patch. And I need to find a better
> > way of doing error checking. I'd like to also include the option to
> > 'jail' someone in a subdirectory off their home directory. Thus removing
> > their ability to modify dot files in their home directory. But that may
> > require changes to sshd.
> >
> > I'm sure it will work fine. Just when I get done I'll need a few other
> > people to look over the patch to ensure I did not miss any edge cases.
> >
> > I'll have a more robust patch in a day or two.
> >
> > - Ben
> >
> > On Fri, 25 May 2001, Andrew Bartlett wrote:
> >
> > > Is there any way of making this work? This is the method I much prefer,
> > > and was looking at implementing a while ago. I'm glad somebody's taken a
> > > stab at it.
> > >
> > > I run SFTP specifically because it does not require a ROOT daemon (apart
> > > from OpenSSH, which I run already) nor does it require a set-uid
> > > binary. Hence my interest in this patch.
> > >
> > > Andrew Bartlett
> > >
> > > mouring at etoh.eviladmin.org wrote:
> > > >
> > > > Outside the fact that realpath() requires the file aspect of the path to
> > > > exist which breaks 'rename' and 'symlink' =)
> > > >
> > > > - Ben
> > > >
> > > > On Wed, 23 May 2001 mouring at etoh.eviladmin.org wrote:
> > > >
> > > > >
> > > > >
> > > > > On 23 May 2001, Patrick Higgins wrote:
> > > > >
> > > > > > I'm working on setting up a semi-trusted sftp service, and to get it
> > > > > > working, I need chroot capability.
> > > > > >
> > > > >
> > > > > Actually I was looking at it from a different point of view.
> > > > >
> > > > > Instead of requiring setuid sftp-server and the use of chroot(). Carefully
> > > > > crafted realpath() usage and strncmp() should do the same thing.
> > > > >
> > > > > This is a VERY VERY limited test. (As in.. compiles.. and looks like it
> > > > > works.=)
> > > > >
> > > > > I know it can be cleaned up.. but it's where I left off in my testing.
> > > > >
> > > > > Markus, is there anything else I should worry about using this method?
> > > > >
> > > > > - Ben
> > > > >
> > > > >

-- 
Andrew Bartlett
abartlet at pcug.org.au

From phiggins at transzap.com Fri May 25 10:33:27 2001
From: phiggins at transzap.com (Patrick Higgins)
Date: 24 May 2001 18:33:27 -0600
Subject: sftp transfer status feedback?
In-Reply-To: <3B0D7F98.2229AA0F@bartlett.house>
References: <990726348.3805.0.camel@phiggins.transzap.com> <3B0D7F98.2229AA0F@bartlett.house>
Message-ID: <990750807.3813.5.camel@phiggins.transzap.com>

My project seems to be getting more and more difficult...my sftp-server
needs to be able to track successful uploads and downloads, and to
report these to an external program when the client disconnects.

It looks like the sftp protocol is driven entirely by the client--it
makes requests and receives response codes and data. The server doesn't
seem to receive any feedback from the client about whether or not
something completed successfully. For instance, a client might request
an open followed by enough reads to get half of the file, and then
request a close. Without coding sophisticated (and mostly useless)
tracking, it would be difficult to know if the file was read in its
entirety. Is my (limited) understanding more or less correct?

Is there a simple way to achieve this behavior? Is there a document on
the sftp protocol somewhere?

-Pat

From Darren.Moffat at eng.sun.com Fri May 25 10:47:10 2001
From: Darren.Moffat at eng.sun.com (Darren Moffat)
Date: Thu, 24 May 2001 17:47:10 -0700 (PDT)
Subject: sftp transfer status feedback?
Message-ID: <200105250047.f4P0lbW731106@jurassic.eng.sun.com>

>Is there a simple way to achieve this behavior? Is there a document on
>the sftp protocol somewhere?

http://search.ietf.org/internet-drafts/draft-ietf-secsh-filexfer-00.txt

--
Darren J Moffat

From djm at mindrot.org Fri May 25 16:21:33 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 25 May 2001 16:21:33 +1000 (EST)
Subject: chroot sftp-server [PATCH]
In-Reply-To: <3B0D17EC.AA892EB2@bartlett.house>
Message-ID:

On Fri, 25 May 2001, Andrew Bartlett wrote:

> Is there any way of making this work? This is the method I much prefer,
> and was looking at implementing a while ago. I'm glad somebody's taken a
> stab at it.
>
> I run SFTP specifically because it does not require a ROOT daemon (apart
> from OpenSSH, which I run already) nor does it require a set-uid
> binary. Hence my interest in this patch.

I am not too fussed about a setuid sftp-server, so long as it does
chdir,chroot,setuid as its first actions. IMO this is preferable
to path-checking schemes which introduce complexity and may be
possible to fool.

-d

-- 
| Damien Miller \    ``E-mail attachments are the poor man's
| http://www.mindrot.org /          distributed filesystem'' - Dan Geer

From djm at mindrot.org Fri May 25 16:25:21 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 25 May 2001 16:25:21 +1000 (EST)
Subject: sftp transfer status feedback?
In-Reply-To: <200105250047.f4P0lbW731106@jurassic.eng.sun.com>
Message-ID:

On Thu, 24 May 2001, Darren Moffat wrote:

> >Is there a simple way to achieve this behavior? Is there a document on
> >the sftp protocol somewhere?
>
> http://search.ietf.org/internet-drafts/draft-ietf-secsh-filexfer-00.txt

There is a draft-ietf-secsh-filexfer-01.txt now.

-- 
| Damien Miller \    ``E-mail attachments are the poor man's
| http://www.mindrot.org /          distributed filesystem'' - Dan Geer

From djm at mindrot.org Fri May 25 16:28:23 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 25 May 2001 16:28:23 +1000 (EST)
Subject: sftp transfer status feedback?
In-Reply-To: <990750807.3813.5.camel@phiggins.transzap.com>
Message-ID:

On 24 May 2001, Patrick Higgins wrote:

> My project seems to be getting more and more difficult...my sftp-server
> needs to be able to track successful uploads and downloads, and to
> report these to an external program when the client disconnects.
>
> It looks like the sftp protocol is driven entirely by the client--it
> makes requests and receives response codes and data. The server doesn't
> seem to receive any feedback from the client about whether or not
> something completed successfully. For instance, a client might request
> an open followed by enough reads to get half of the file, and then
> request a close. Without coding sophisticated (and mostly useless)
> tracking, it would be difficult to know if the file was read in its
> entirety. Is my (limited) understanding more or less correct?

This is correct - draft-ietf-secsh-filexfer looks a lot like the Unix
block API, others have compared it with NFS.

You could infer whether entire files were read, etc by looking at
lseek(fd, 0, SEEK_CUR) at close() time, or by instrumenting "struct
Handle" further.

-d

-- 
| Damien Miller \    ``E-mail attachments are the poor man's
| http://www.mindrot.org /          distributed filesystem'' - Dan Geer

From abartlet at pcug.org.au Fri May 25 16:32:45 2001
From: abartlet at pcug.org.au (Andrew Bartlett)
Date: Fri, 25 May 2001 16:32:45 +1000
Subject: chroot sftp-server [PATCH]
References:
Message-ID: <3B0DFC8C.A8EB0ECD@bartlett.house>

Damien Miller wrote:
>
> On Fri, 25 May 2001, Andrew Bartlett wrote:
>
> > Is there any way of making this work? This is the method I much prefer,
> > and was looking at implementing a while ago. I'm glad somebody's taken a
> > stab at it.
> >
> > I run SFTP specifically because it does not require a ROOT daemon (apart
> > from OpenSSH, which I run already) nor does it require a set-uid
> > binary. Hence my interest in this patch.
>
> I am not too fussed about a setuid sftp-server, so long as it does
> chdir,chroot,setuid as its first actions. IMO this is preferable
> to path-checking schemes which introduce complexity and may be
> possible to fool.
>

Unfortunately it would (if I understand it correctly) break things like
symbolic links, if they were so unfortunate as to be absolute, rather
than relative, would it not?

For example, i have a 'shared folder' system that uses links from
~/groupname to /home/groups/groupname. I was intending to restrict my
users to files under /home with a patch like this, as it seemed the best
solution.

Anyway, that's my two bob's worth.

Andrew Bartlett

-- 
Andrew Bartlett
abartlet at pcug.org.au

From Markus.Friedl at informatik.uni-erlangen.de Fri May 25 19:39:21 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 25 May 2001 11:39:21 +0200
Subject: scp: Problem when source and destination are identical
In-Reply-To: <20010524222523.C26969@greenie.muc.de>; from gert@greenie.muc.de on Thu, May 24, 2001 at 10:25:23PM +0200
References: <20010523150728.E14978@zax.half.pint-stowp.cx> <20010523232352.B22175@greenie.muc.de> <20010524130830.B6575@folly> <20010524222523.C26969@greenie.muc.de>
Message-ID: <20010525113921.A10153@faui02.informatik.uni-erlangen.de>

On Thu, May 24, 2001 at 10:25:23PM +0200, Gert Doering wrote:
> On Thu, May 24, 2001 at 01:08:30PM +0200, Markus Friedl wrote:
> > > > What i would much rather see is for the destination scp to write the
> > > > incoming file to a temporary file in the same directory, and then
> > > > rename() it to the destination file on a successful copy.
> > >
> > > Strongly seconded. But Markus doesn't seem to like it, for no other
> > > reason than "you can use tar/mv/rsync to do this".
> >
> > no, the reason is: scp == rcp
>
> Just because rcp has been implemented as "very inflexible" in the past
> (I'd go so far and call it "broken"), does this mean we have to break
> scp as well?

scp is not 'broken'. your suggested change will break both scp and rcp.

this patch may fix this special use. however, it will break scp/rcp
into a directory when you can only write this particular file and
not the directory. moreover, it will change the scp/rcp behaviour
if the partition is almost full. and so on.

From gert at greenie.muc.de Fri May 25 19:43:15 2001
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 25 May 2001 11:43:15 +0200
Subject: scp: Problem when source and destination are identical
In-Reply-To: <20010525113921.A10153@faui02.informatik.uni-erlangen.de>; from Markus Friedl on Fri, May 25, 2001 at 11:39:21AM +0200
References: <20010523150728.E14978@zax.half.pint-stowp.cx> <20010523232352.B22175@greenie.muc.de> <20010524130830.B6575@folly> <20010524222523.C26969@greenie.muc.de> <20010525113921.A10153@faui02.informatik.uni-erlangen.de>
Message-ID: <20010525114315.B14605@greenie.muc.de>

Hi,

On Fri, May 25, 2001 at 11:39:21AM +0200, Markus Friedl wrote:
> scp is not 'broken'. your suggested change will break both scp and rcp.
>
> this patch may fix this special use. however, it will break scp/rcp
> into a directory when you can only write this particular file and
> not the directory. moreover, it will change the scp/rcp behaviour
> if the partition is almost full. and so on.

Which is why everyone else agreed that a switch to change between
"overwrite in place" and "do atomic replace" is a good idea.

gert

-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de

From Markus.Friedl at informatik.uni-erlangen.de Fri May 25 20:13:42 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 25 May 2001 12:13:42 +0200
Subject: scp: Problem when source and destination are identical
In-Reply-To: <20010525114315.B14605@greenie.muc.de>; from gert@greenie.muc.de on Fri, May 25, 2001 at 11:43:15AM +0200
References: <20010523150728.E14978@zax.half.pint-stowp.cx> <20010523232352.B22175@greenie.muc.de> <20010524130830.B6575@folly> <20010524222523.C26969@greenie.muc.de> <20010525113921.A10153@faui02.informatik.uni-erlangen.de> <20010525114315.B14605@greenie.muc.de>
Message-ID: <20010525121342.B10153@faui02.informatik.uni-erlangen.de>

On Fri, May 25, 2001 at 11:43:15AM +0200, Gert Doering wrote:
> Hi,
>
> On Fri, May 25, 2001 at 11:39:21AM +0200, Markus Friedl wrote:
> > scp is not 'broken'. your suggested change will break both scp and rcp.
> >
> > this patch may fix this special use. however, it will break scp/rcp
> > into a directory when you can only write this particular file and
> > not the directory. moreover, it will change the scp/rcp behaviour
> > if the partition is almost full. and so on.
>
> Which is why everyone else agreed that a switch to change between "overwrite
> in place" and "do atomic replace" is a good idea.

no, this is why "do atomic replace" does not work.

"overwrite in place" works fine, even if the user cannot create a new
file because of the directory permissions.

"overwrite in place" works fine, even if the filesystem is almost full.

imagine copying a 100MB file with "do atomic replace" if you have 50MB of
free space.

From abartlet at pcug.org.au Fri May 25 22:48:54 2001
From: abartlet at pcug.org.au (Andrew Bartlett)
Date: Fri, 25 May 2001 22:48:54 +1000
Subject: Using /bin/sh to exec subsystems [PATCH]
References: <990739732.3805.4.camel@phiggins.transzap.com>
Message-ID: <3B0E54B6.E7F34631@bartlett.house>

Patrick Higgins wrote:
>
> On 24 May 2001 15:47:31 -0500, mouring at etoh.eviladmin.org wrote:
> >
> >
> > On 24 May 2001, Patrick Higgins wrote:
> >
> > [..]
> > > Using sftp-server as a login shell works fine for sftp, but it's causing
> > > some problems with other services. There really needs to be a cleaner
> > > way to restrict access to specific subsystems.
> > >
> >
> > Like what? Pop3 works, Imap works... I've never met a well
> > written program that has not worked with this method.
> >
>
> ProFTPd was checking the shell for validity, but it looks like there's a
> config option to turn those checks off.
>
> I hate to have to be hypothetical, but what if there were another
> popular SSH subsystem and you wanted to allow a user to use them both,
> but not have shell access? What I'm getting at is that while the
> solution works (for now), it's not without problems. Perhaps they're
> easy enough to live with until another subsystem is written (anyone know
> of any)?
>
> -Pat

The way I have set it up is a simple taint-mode enabled perl script, it
checks for command options, and if it is a permitted program
(sftp-server) then the server is run (hardcoded path). If we get another
subsystem, I just add an elsif. If they specify nothing, they get a
password change prompt (the initial reason for the script).

Andrew Bartlett

-- 
Andrew Bartlett
abartlet at pcug.org.au

From mouring at etoh.eviladmin.org Fri May 25 22:44:17 2001
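Andrew's restricted-shell arrangement above, an exact-match allow-list consulted when sshd runs the shell with -c, written out as an added example in C; it is not Andrew's perl script or OpenSSH code, the names restricted_target() and permits() are chosen here, and the password-change program is a placeholder.

```c
/* Added example (not Andrew's perl script, not OpenSSH code): the decision
 * logic of a restricted login shell of the kind Andrew describes.  For a
 * subsystem request sshd runs the user's shell as "shell -c <command>", so
 * the shell only has to recognise the exact command strings it permits.
 * The sftp-server path is the one quoted earlier in this thread; the
 * password-change program is a placeholder. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

static const char *const permitted[] = {
	"/usr/lib/libexec/sftp-server",	/* one entry per permitted subsystem */
	NULL
};

/* Map the shell's argv to the program to exec, or NULL to refuse.
 * Exact string comparison, no shell parsing: "sftp-server; sh" or
 * "sftp-server -x" match nothing and are refused. */
const char *
restricted_target(int argc, char *const argv[])
{
	int i;

	if (argc == 1)	/* plain login: only the password-change prompt */
		return "/usr/bin/passwd";	/* placeholder path */
	if (argc != 3 || strcmp(argv[1], "-c") != 0)
		return NULL;
	for (i = 0; permitted[i] != NULL; i++)
		if (strcmp(argv[2], permitted[i]) == 0)
			return permitted[i];
	return NULL;
}

/* Would "shell -c cmd" be allowed?  Convenience wrapper for checks. */
int
permits(const char *cmd)
{
	char *const argv[] = { "rsh", "-c", (char *)cmd, NULL };

	return restricted_target(3, argv) != NULL;
}

int
main(int argc, char *argv[])
{
	const char *prog = restricted_target(argc, argv);

	if (prog == NULL) {
		fprintf(stderr, "restricted shell: command not permitted\n");
		return 1;
	}
	execl(prog, prog, (char *)NULL);	/* fixed argv, nothing user-supplied */
	perror(prog);
	return 1;
}
```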
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Fri, 25 May 2001 07:44:17 -0500 (CDT)
Subject: chroot sftp-server [PATCH]
In-Reply-To: <3B0DFC8C.A8EB0ECD@bartlett.house>
Message-ID:

On Fri, 25 May 2001, Andrew Bartlett wrote:

> Damien Miller wrote:
> >
> > On Fri, 25 May 2001, Andrew Bartlett wrote:
> >
> > > Is there any way of making this work? This is the method I much prefer,
> > > and was looking at implementing a while ago. I'm glad somebody's taken a
> > > stab at it.
> > >
> > > I run SFTP specifically because it does not require a ROOT daemon (apart
> > > from OpenSSH, which I run already) nor does it require a set-uid
> > > binary. Hence my interest in this patch.
> >
> > I am not too fussed about a setuid sftp-server, so long as it does
> > chdir,chroot,setuid as its first actions. IMO this is preferable
> > to path-checking schemes which introduce complexity and may be
> > possible to fool.
> >
>

That is my main concern also. However, I don't think that the patch I'm
working on introduces that much complexity. And as long as 'realpath()'
does its job then it should be fairly secure.

> Unfortunately it would (if I understand it correctly) break things like
> symbolic links, if they were so unfortunate as to be absolute, rather
> than relative, would it not?
>
> For example, i have a 'shared folder' system that uses links from
> ~/groupname to /home/groups/groupname. I was intending to restrict my
> users to files under /home with a patch like this, as it seemed the best
> solution.
>

It really depends on how your OS handles symlinks. In the symlink tests I
did linking /tmp to ~/tmp I found that I could not cd ~/tmp because it
happened to be a soft link and realpath() resolved it correctly and it was
denied.

- Ben

From gert at greenie.muc.de Fri May 25 23:02:08 2001
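The realpath() + strncmp() approach Ben describes, written out as an added example; it is not Ben's patch and not OpenSSH code, in_jail(), in_jail_target() and prefix_ok() are names chosen here, and it also handles the rename/symlink destination case raised earlier in the thread, which plain realpath() cannot. It assumes the jail root it is given is already canonical.

```c
/* Added example (not Ben's patch, not OpenSSH code): the realpath() +
 * strncmp() containment check discussed in this thread, covering the two
 * cases raised here: symlinks pointing outside the tree (realpath() follows
 * them, so they are caught) and rename/symlink destinations that do not
 * exist yet (realpath() refuses those, so only the directory is resolved).
 * The jail root handed to these functions is assumed to be canonical. */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Is canon equal to jail or strictly below it?  Looking at the character
 * after the prefix stops "/home/bob" from accepting "/home/bobby". */
int
prefix_ok(const char *jail, const char *canon)
{
	size_t jl = strlen(jail);

	if (strncmp(canon, jail, jl) != 0)
		return 0;
	return canon[jl] == '\0' || canon[jl] == '/';
}

/* For paths that must already exist (open, stat, readlink, rename source).
 * realpath() resolves every symlink, so a link to / ends up rejected. */
int
in_jail(const char *jail, const char *path, char *out)
{
	char canon[PATH_MAX];

	if (realpath(path, canon) == NULL || !prefix_ok(jail, canon))
		return 0;
	if (out != NULL)
		snprintf(out, PATH_MAX, "%s", canon);
	return 1;
}

/* For names about to be created (rename destination, symlink name):
 * canonicalise the directory, then re-attach the leaf unresolved.  A leaf
 * holds no '/', so it cannot climb out; "." and ".." could, so they are
 * refused.  Whether the leaf already exists is left to the caller's own
 * "fail if 'newpath' exists" check. */
int
in_jail_target(const char *jail, const char *path, char *out)
{
	char dir[PATH_MAX], canon[PATH_MAX];
	const char *slash = strrchr(path, '/');
	const char *base = slash ? slash + 1 : path;
	size_t dl = slash ? (slash == path ? 1 : (size_t)(slash - path)) : 1;

	if (dl >= sizeof(dir))
		return 0;
	memcpy(dir, slash ? path : ".", dl);
	dir[dl] = '\0';
	if (*base == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
		return 0;
	if (!in_jail(jail, dir, canon))
		return 0;
	return out == NULL || snprintf(out, PATH_MAX, "%s%s%s", canon,
	    strcmp(canon, "/") == 0 ? "" : "/", base) < PATH_MAX;
}

/* Self-check on a constructed layout under a fresh temporary directory:
 * <jail>/sub/file (regular file) and <jail>/esc -> / (absolute symlink
 * leading out).  Returns 1 when every case behaves as described, else 0. */
int
selfcheck(void)
{
	char tmpl[] = "/tmp/jailXXXXXX", jail[PATH_MAX], p[PATH_MAX], out[PATH_MAX];
	size_t jl;
	FILE *f;
	int ok = 1;

	if (mkdtemp(tmpl) == NULL || realpath(tmpl, jail) == NULL)
		return 0;
	jl = strlen(jail);
	snprintf(p, sizeof(p), "%s/sub", jail);      mkdir(p, 0700);
	snprintf(p, sizeof(p), "%s/sub/file", jail); if ((f = fopen(p, "w"))) fclose(f);
	snprintf(p, sizeof(p), "%s/esc", jail);      if (symlink("/", p)) ok = 0;
	snprintf(p, sizeof(p), "%s/sub/../sub/file", jail);
	ok &= in_jail(jail, p, out) && strcmp(out + jl, "/sub/file") == 0;
	snprintf(p, sizeof(p), "%s/esc/passwd", jail);
	ok &= !in_jail_target(jail, p, NULL);   /* directory resolves to / */
	snprintf(p, sizeof(p), "%s/sub/new", jail);
	ok &= !in_jail(jail, p, NULL);          /* does not exist yet: ENOENT */
	ok &= in_jail_target(jail, p, out) && strcmp(out + jl, "/sub/new") == 0;
	snprintf(p, sizeof(p), "%s/sub/..", jail);
	ok &= !in_jail_target(jail, p, NULL);   /* leaf ".." refused */
	snprintf(p, sizeof(p), "%s/sub/file", jail); unlink(p);
	snprintf(p, sizeof(p), "%s/sub", jail);      rmdir(p);
	snprintf(p, sizeof(p), "%s/esc", jail);      unlink(p);
	rmdir(jail);
	return ok;
}
```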
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 25 May 2001 15:02:08 +0200
Subject: scp: Problem when source and destination are identical
In-Reply-To: <20010525121342.B10153@faui02.informatik.uni-erlangen.de>; from Markus Friedl on Fri, May 25, 2001 at 12:13:42PM +0200
References: <20010523150728.E14978@zax.half.pint-stowp.cx> <20010523232352.B22175@greenie.muc.de> <20010524130830.B6575@folly> <20010524222523.C26969@greenie.muc.de> <20010525113921.A10153@faui02.informatik.uni-erlangen.de> <20010525114315.B14605@greenie.muc.de> <20010525121342.B10153@faui02.informatik.uni-erlangen.de>
Message-ID: <20010525150208.H14605@greenie.muc.de>

Hi,

On Fri, May 25, 2001 at 12:13:42PM +0200, Markus Friedl wrote:
> > Which is why everyone else agreed that a switch to change between "overwrite
> > in place" and "do atomic replace" is a good idea.
>
> no, this is why "do atomic replace" does not work.
>
> "overwrite in place" works fine, even if the user cannot create a new
> file because of the directory permissions.
>
> "overwrite in place" works fine, even if the filesystem is almost full.
>
> imagine copying a 100MB file with "do atomic replace" if you have 50MB of
> free space.

You don't seem to be reading what others write. There are situations
where "atomic replace" doesn't work - and there are other situations
where "overwrite in place" messes up applications trying to read the
file in just that moment.

The Unix way is "give 'em a choice" - which is exactly what the switch is
good for.

gert

-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de

From Markus.Friedl at informatik.uni-erlangen.de Fri May 25 23:03:13 2001
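The two write strategies Markus and Gert argue over in the scp thread above, side by side, as an added example that is not scp's code; copy_in_place() and copy_atomic() are names chosen here, the files and contents are constructed, and the transfer is cut short deliberately to show what each strategy leaves behind.

```c
/* Added example (not scp's code): the two destination-write strategies
 * argued over above, side by side, with the transfer cut short so the
 * difference in what each leaves behind is visible; constructed data. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Write data to fd in small chunks; fail with EIO once "limit" bytes have
 * gone out, simulating the connection dropping (limit < 0: never). */
static int
send_bytes(int fd, const char *data, size_t len, long limit)
{
	size_t done = 0, n;

	while (done < len) {
		n = len - done > 7 ? 7 : len - done;
		if (limit >= 0 && done + n > (size_t)limit)
			n = (size_t)limit - done;
		if (n == 0) { errno = EIO; return -1; }
		if (write(fd, data + done, n) != (ssize_t)n) return -1;
		done += n;
	}
	return 0;
}

/* rcp/scp today: open the destination itself with O_TRUNC and write into
 * it.  Needs write permission on the file only and no room for a second
 * copy; but a concurrent reader sees it half-written, and an interrupted
 * transfer leaves a truncated destination behind. */
int
copy_in_place(const char *dst, const char *data, size_t len, long limit)
{
	int fd = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0644), rc;

	if (fd < 0) return -1;
	rc = send_bytes(fd, data, len, limit);
	return close(fd) == 0 ? rc : -1;
}

/* The proposed alternative: write a temporary file in the same directory
 * and rename() it over the destination only on success, so readers see
 * either the old file or the complete new one.  The cost is what Markus
 * objects to: mkstemp() needs write permission on the directory (EACCES
 * otherwise) and, briefly, the filesystem must hold both copies. */
int
copy_atomic(const char *dst, const char *data, size_t len, long limit)
{
	char tmp[4096];
	int fd, rc;

	if (snprintf(tmp, sizeof(tmp), "%s.XXXXXX", dst) >= (int)sizeof(tmp))
		return -1;
	if ((fd = mkstemp(tmp)) < 0) return -1;
	rc = send_bytes(fd, data, len, limit);
	if (close(fd) != 0) rc = -1;
	if (rc == 0 && rename(tmp, dst) == 0) return 0;
	unlink(tmp);	/* failed: destination untouched, no debris left */
	return -1;
}

/* Read a small file into buf, NUL-terminated; returns its length or -1. */
static long
slurp(const char *path, char *buf, size_t size)
{
	FILE *f = fopen(path, "r");
	size_t n;

	if (f == NULL) return -1;
	n = fread(buf, 1, size - 1, f);
	fclose(f);
	buf[n] = '\0';
	return (long)n;
}

/* Constructed scenario: both destinations hold "old", a new version arrives
 * and the link drops after 10 bytes.  Returns 1 when the in-place copy is
 * left as a 10-byte fragment while the atomic copy still holds the old
 * contents, and a later complete atomic copy then replaces it cleanly. */
int
demo(void)
{
	const char *old = "old contents that some reader may be using\n";
	const char *fresh = "new contents, which arrive over the network\n";
	char dir[] = "/tmp/scpXXXXXX", a[64], b[64], buf[256];
	int ok = 1;

	if (mkdtemp(dir) == NULL) return 0;
	snprintf(a, sizeof(a), "%s/inplace", dir);
	snprintf(b, sizeof(b), "%s/atomic", dir);
	ok &= copy_in_place(a, old, strlen(old), -1) == 0 && copy_in_place(b, old, strlen(old), -1) == 0;
	ok &= copy_in_place(a, fresh, strlen(fresh), 10) == -1;
	ok &= slurp(a, buf, sizeof(buf)) == 10;		/* truncated fragment */
	ok &= copy_atomic(b, fresh, strlen(fresh), 10) == -1;
	ok &= slurp(b, buf, sizeof(buf)) > 0 && strcmp(buf, old) == 0;
	ok &= copy_atomic(b, fresh, strlen(fresh), -1) == 0;
	ok &= slurp(b, buf, sizeof(buf)) > 0 && strcmp(buf, fresh) == 0;
	unlink(a); unlink(b);
	ok &= rmdir(dir) == 0;	/* fails if a stray temp file was left behind */
	return ok;
}
```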
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 25 May 2001 15:03:13 +0200
Subject: ssh-keygen segfault (2.9p1)
In-Reply-To: ; from nkukard@yahoo.com on Fri, May 25, 2001 at 02:21:06PM +0200
References:
Message-ID: <20010525150313.A21854@faui02.informatik.uni-erlangen.de>

On Fri, May 25, 2001 at 02:21:06PM +0200, Nigel Kukard wrote:
> Hi,
>
> [nkukard at wigglytuff .ssh]$ ssh-keygen -pf test_id
> Enter old passphrase:
> 'ey has comment 'ii
> Enter new passphrase (empty for no passphrase):
> Enter same passphrase again:
> Segmentation fault (core dumped)
> [nkukard at wigglytuff .ssh]$
>
>
> That is the error i get when trying to change the passphrase on one of my
> keys, i'm just wondering if it's summin i did wrong, a bug or anything
> else. Most important is there a way i can fix it?

please try this patch

Index: authfile.c
===================================================================
RCS file: /home/markus/cvs/ssh/authfile.c,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -r1.32 -r1.33
--- authfile.c	2001/04/18 23:44:51	1.32
+++ authfile.c	2001/05/16 20:51:57	1.33
@@ -555,7 +555,8 @@
 	lseek(fd, (off_t) 0, SEEK_SET);		/* rewind */
 	if (pub == NULL) {
 		/* closes fd */
-		return key_load_private_pem(fd, KEY_UNSPEC, passphrase, NULL);
+		return key_load_private_pem(fd, KEY_UNSPEC, passphrase,
+		    commentp);
 	} else {
 		/* it's a SSH v1 key if the public key part is readable */
 		key_free(pub);

From abartlet at pcug.org.au Fri May 25 23:10:23 2001
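Review bot: in the authfile.c hunk above, `commentp` is now forwarded to key_load_private_pem() where the PEM branch previously handed it NULL, and the `'ey has comment 'ii` output in the report shows the caller printing whatever `*commentp` happened to contain; worth confirming that key_load_private_pem() assigns `*commentp` on every return path, including the failure ones, since otherwise ssh-keygen still reads an uninitialised pointer for that branch. A brief comment on why the pointer must be passed through here would also help the next reader.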
From: abartlet at pcug.org.au (Andrew Bartlett)
Date: Fri, 25 May 2001 23:10:23 +1000
Subject: chroot sftp-server [PATCH]
References:
Message-ID: <3B0E59BF.5AC1C8B9@bartlett.house>

mouring at etoh.eviladmin.org wrote:
>
> On Fri, 25 May 2001, Andrew Bartlett wrote:
>
> > Damien Miller wrote:
> > >
> > > On Fri, 25 May 2001, Andrew Bartlett wrote:
> > >
> > > > Is there any way of making this work? This is the method I much prefer,
> > > > and was looking at implementing a while ago. I'm glad somebody's taken a
> > > > stab at it.
> > > >
> > > > I run SFTP specifically because it does not require a ROOT daemon (apart
> > > > from OpenSSH, which I run already) nor does it require a set-uid
> > > > binary. Hence my interest in this patch.
> > >
> > > I am not too fussed about a setuid sftp-server, so long as it does
> > > chdir,chroot,setuid as its first actions. IMO this is preferable
> > > to path-checking schemes which introduce complexity and may be
> > > possible to fool.
> > >
> >
> That is my main concern also. However, I don't think that the patch I'm
> working on introduces that much complexity. And as long as 'realpath()'
> does its job then it should be fairly secure.

I like it. And the patch looks pretty sane to me.

>
> > Unfortunately it would (if I understand it correctly) break things like
> > symbolic links, if they were so unfortunate as to be absolute, rather
> > than relative, would it not?
> >
> > For example, i have a 'shared folder' system that uses links from
> > ~/groupname to /home/groups/groupname. I was intending to restrict my
> > users to files under /home with a patch like this, as it seemed the best
> > solution.
> >
>
> It really depends on how your OS handles symlinks. In the symlink tests I
> did linking /tmp to ~/tmp I found that I could not cd ~/tmp because it
> happened to be a soft link and realpath() resolved it correctly and it was
> denied.
>
> - Ben

Excellent. My concern was what an absolute symlink would do with the
chroot ideas that were floating about, as directories would no longer be
in the same place...

Keep up the good work,

Andrew Bartlett

-- 
Andrew Bartlett
abartlet at pcug.org.au

From nkukard at yahoo.com Fri May 25 23:58:23 2001
From: nkukard at yahoo.com (Nigel Kukard)
Date: Fri, 25 May 2001 15:58:23 +0200 (SAST)
Subject: ssh-keygen segfault (2.9p1)
In-Reply-To: <20010525150313.A21854@faui02.informatik.uni-erlangen.de>
Message-ID:

On Fri, 25 May 2001, Markus Friedl wrote:

> On Fri, May 25, 2001 at 02:21:06PM +0200, Nigel Kukard wrote:
> > Hi,
> >
> > [nkukard at wigglytuff .ssh]$ ssh-keygen -pf test_id
> > Enter old passphrase:
> > 'ey has comment 'ii
> > Enter new passphrase (empty for no passphrase):
> > Enter same passphrase again:
> > Segmentation fault (core dumped)
> > [nkukard at wigglytuff .ssh]$
> >
> >
> > That is the error i get when trying to change the passphrase on one of my
> > keys, i'm just wondering if it's summin i did wrong, a bug or anything
> > else. Most important is there a way i can fix it?
>
> please try this patch

Works perfectly!!!!!, i really appreciate it!!!

>
> Index: authfile.c
> ===================================================================
> RCS file: /home/markus/cvs/ssh/authfile.c,v
> retrieving revision 1.32
> retrieving revision 1.33
> diff -u -r1.32 -r1.33
> --- authfile.c	2001/04/18 23:44:51	1.32
> +++ authfile.c	2001/05/16 20:51:57	1.33
> @@ -555,7 +555,8 @@
>  	lseek(fd, (off_t) 0, SEEK_SET);		/* rewind */
>  	if (pub == NULL) {
>  		/* closes fd */
> -		return key_load_private_pem(fd, KEY_UNSPEC, passphrase, NULL);
> +		return key_load_private_pem(fd, KEY_UNSPEC, passphrase,
> +		    commentp);
>  	} else {
>  		/* it's a SSH v1 key if the public key part is readable */
>  		key_free(pub);
>

From olemx at ans.pl Sat May 26 00:29:44 2001
From: olemx at ans.pl (Krzysztof Oledzki) Date: Fri, 25 May 2001 16:29:44 +0200 (CEST) Subject: Problem with OpenSSH with UseLogin.. AGAIN!!! Message-ID:

Hello,

By the 26th of May I will have been waiting for response for 17 days.
I posted this mail at 9 May 2001 20:38:58 and still this bug is not
fixed and AFAIK no one has answered this mail. I have to ask: why? ;-)

---------- My OLD message ----------
Hello,

I have just discovered that ssh -T does not work with servers which have
the UseLogin option enabled. This happens because /bin/login can not work if
there is no tty. To correct this, it is necessary to add:

options.use_login = 0;

at the top of the "do_exec_no_pty" function from the "session.c" file.
---------- My OLD message ----------

Best regards,

Krzysztof Oledzki

From phiggins at transzap.com Sat May 26 01:27:34 2001
From: phiggins at transzap.com (Patrick Higgins) Date: 25 May 2001 09:27:34 -0600 Subject: Using /bin/sh to exec subsystems [PATCH] In-Reply-To: <3B0E54B6.E7F34631@bartlett.house> References: <990739732.3805.4.camel@phiggins.transzap.com> <3B0E54B6.E7F34631@bartlett.house> Message-ID: <990804454.3813.7.camel@phiggins.transzap.com>

That's clever. I guess my only reservation about that sort of thing is I
prefer my security-critical code to be peer-reviewed, not something I
cook up myself. That's why I'd like to see the solution be a direct part
of OpenSSH (where I know it will be audited).

Your solution is very flexible, though. Perhaps we could put your script
(or a similar one) in the contrib directory so that everyone can at
least start with a well-written restricted shell, and hope that the
customization process doesn't ruin it?

-Pat

> The way I have set it up is a simple taint-mode enabled perl script, it
> checks for command options, and if it is a permitted program
> (sftp-server) then the server is run (hardcoded path). If we get
> another subsystem, I just add an elsif. If they specify nothing, they
> get a password change prompt (the initial reason for the script).
>
> Andrew Bartlett

From Markus.Friedl at informatik.uni-erlangen.de Sat May 26 01:33:29 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 25 May 2001 17:33:29 +0200 Subject: Using /bin/sh to exec subsystems [PATCH] In-Reply-To: <990729226.3814.2.camel@phiggins.transzap.com>; from phiggins@transzap.com on Thu, May 24, 2001 at 12:33:46PM -0600 References: <990729226.3814.2.camel@phiggins.transzap.com> Message-ID: <20010525173329.A2751@faui02.informatik.uni-erlangen.de>

On Thu, May 24, 2001 at 12:33:46PM -0600, Patrick Higgins wrote:
> I've gone ahead and written the code to allow subsystems to always be
> run with the Bourne shell instead of the user's shell, thus allowing
> users with invalid shells to be able to use sftp (but not ssh, because
> their shell is invalid). The patch is attached.

i don't like this and i don't think this is very useful.

the only thing i'm thinking about is an option to run subsystems
without any shell. however, i'm afraid of skipping the login-shell,
since it's used (or abused) for access control on many systems
(e.g. setting the loginshell to /bin/false).

-m

From CLAD at chevron.com Sat May 26 05:04:57 2001
From: CLAD at chevron.com (Ladner, Eric (CLAD)) Date: Fri, 25 May 2001 12:04:57 -0700 Subject: Upgraded to 2.9p1 with no luck.. Message-ID: <8F88657F29DFD11189ED0008C728C6B006E01BEB@chevron.com> Howdy, After upgrading to 2.9 (OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f) I'm unable to ssh between two systems any more (the two that I've upgraded). I've recompiled from the original source several times, each time with no errors, regenerated host keys, regenerated client keys (using rsa), etc., to no avail. Below are some relevant snippets of debugging output around where the error occurs. Feel free to contact me regarding any additional information required. Output from "ssh -v -v -v pgppt" executed on a HP C240 workstation (HP-UX 11.0, PA-RISC 1.1): ...(lines above here deleted)... debug1: Host 'pgppt.pasms.chevron.com' is known and matches the RSA host key. debug1: Found key in /users/clad/.ssh/known_hosts2:3 debug1: bits set: 981/2049 debug1: ssh_rsa_verify: signature correct debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: Enabling compression at level 6. debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. 
debug1: send SSH2_MSG_SERVICE_REQUEST debug1: service_accept: ssh-userauth debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: authentications that can continue: publickey,password,keyboard-interactive debug3: start over, passed a different list publickey,password,keyboard-interactive debug3: preferred publickey,password,keyboard-interactive debug3: authmethod_lookup publickey debug3: remaining preferred: password,keyboard-interactive debug3: authmethod_is_enabled publickey debug1: next auth method to try is publickey debug1: try pubkey: /users/clad/.ssh/id_rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 4001df30 hint 1 debug2: input_userauth_pk_ok: fp 0f:95:05:08:b7:47:eb:dd:37:ae:71:c1:5a:24:4b:20 debug3: sign_and_send_pubkey debug1: PEM_read_PrivateKey failed debug1: read PEM private key done: type Enter passphrase for key '/users/clad/.ssh/id_rsa': debug1: read PEM private key done: type RSA debug2: ssh_rsa_sign: done debug1: ssh-userauth2 successful: method publickey debug3: clear hostkey 0 debug3: clear hostkey 1 debug3: clear hostkey 2 debug1: channel 0: new [client-session] debug1: channel_new: 0 debug1: send channel open 0 Memory fault Output from /usr/local/sbin/sshd -ddd -D on server side (HP K460, HP-UX 11.0, PA-RISC 1.1): debug1: Enabling compression at level 6. 
debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user clad service ssh-connection method none debug1: attempt 0 failures 0 debug2: input_userauth_request: setting up authctxt for clad debug2: input_userauth_request: try method none Failed none for clad from 26.25.12.170 port 49998 ssh2 debug1: userauth-request for user clad service ssh-connection method publickey debug1: attempt 1 failures 1 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug1: temporarily_use_uid: 101/20 (e=0) debug1: matching key found: file /home/clad/.ssh/authorized_keys2, line 1 debug1: restore_uid debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa Postponed publickey for clad from 26.25.12.170 port 49998 ssh2 debug1: userauth-request for user clad service ssh-connection method publickey debug1: attempt 2 failures 1 debug2: input_userauth_request: try method publickey debug1: temporarily_use_uid: 101/20 (e=0) debug1: matching key found: file /home/clad/.ssh/authorized_keys2, line 1 debug1: restore_uid debug1: ssh_rsa_verify: signature correct debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa Accepted publickey for clad from 26.25.12.170 port 49998 ssh2 debug1: Entering interactive session for SSH2. debug1: server_init_dispatch_20 Connection closed by remote host. Closing connection to 26.25.12.170 debug1: compress outgoing: raw data 228, compressed 226, factor 0.99 debug1: compress incoming: raw data 609, compressed 372, factor 0.61 debug1: writing PRNG seed to file /root/.ssh/prng_seed From Lutz.Jaenicke at aet.TU-Cottbus.DE Sat May 26 05:26:57 2001 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Fri, 25 May 2001 21:26:57 +0200 Subject: Upgraded to 2.9p1 with no luck.. In-Reply-To: <8F88657F29DFD11189ED0008C728C6B006E01BEB@chevron.com>; from CLAD@chevron.com on Fri, May 25, 2001 at 12:04:57PM -0700 References: <8F88657F29DFD11189ED0008C728C6B006E01BEB@chevron.com> Message-ID: <20010525212656.A12490@serv01.aet.tu-cottbus.de> On Fri, May 25, 2001 at 12:04:57PM -0700, Ladner, Eric (CLAD) wrote: > After upgrading to 2.9 (OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL > 0x0090600f) > I'm unable to ssh between two systems any more (the two that I've upgraded). > Below are some relevant snippets of debugging output around where the error > occurs. > Feel free to contact me regarding any additional information required. > > Output from "ssh -v -v -v pgppt" executed on a HP C240 workstation (HP-UX > 11.0, > PA-RISC 1.1): I am running 2.9p1 on HP-UX 10.20 (platforms are from 710 to C200), so there is certain probability that we can get it to run :-) > debug1: channel 0: new [client-session] > debug1: channel_new: 0 > debug1: send channel open 0 > Memory fault This is the point to step into debugging. From a Memory fault you should either get a core dump (but ssh is suid root, so you probably won't get one) or you can run it under a debugger and will end up at the location causing the memory fault. You must perform this as root, since ssh is suid root. Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From CLAD at chevron.com Sat May 26 05:50:37 2001 
From: CLAD at chevron.com (Ladner, Eric (CLAD)) Date: Fri, 25 May 2001 14:50:37 -0500 Subject: Upgraded to 2.9p1 with no luck.. Message-ID: <8F88657F29DFD11189ED0008C728C6B006E01BEC@chevron.com>

Hmm.. Oddly enough, if I run this as root, connecting to the same user on
the other machine with "ssh -l clad pgppt", it works.

Also used this, "ssh -2 -l clad -i /home/clad/.ssh/id_rsa pgppt" to force
V2 and authenticate against my own key. It still works.

Kinda throws a wrinkle into me running this under root and debugging it.
I'm going to scratch my head on this a bit..

Thanks,
Eric

-----Original Message-----
From: Lutz Jaenicke [mailto:Lutz.Jaenicke at aet.TU-Cottbus.DE] Sent: Friday, May 25, 2001 2:27 PM To: 'openssh-unix-dev at mindrot.org' Subject: Re: Upgraded to 2.9p1 with no luck.. On Fri, May 25, 2001 at 12:04:57PM -0700, Ladner, Eric (CLAD) wrote: > After upgrading to 2.9 (OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL > 0x0090600f) > I'm unable to ssh between two systems any more (the two that I've upgraded). > Below are some relevant snippets of debugging output around where the error > occurs. > Feel free to contact me regarding any additional information required. > > Output from "ssh -v -v -v pgppt" executed on a HP C240 workstation (HP-UX > 11.0, > PA-RISC 1.1): I am running 2.9p1 on HP-UX 10.20 (platforms are from 710 to C200), so there is certain probability that we can get it to run :-) > debug1: channel 0: new [client-session] > debug1: channel_new: 0 > debug1: send channel open 0 > Memory fault This is the point to step into debugging. From a Memory fault you should either get a core dump (but ssh is suid root, so you probably won't get one) or you can run it under a debugger and will end up at the location causing the memory fault. You must perform this as root, since ssh is suid root. Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From ecashin at terry.uga.edu Sat May 26 09:19:45 2001 From: ecashin at terry.uga.edu (Ed L Cashin) Date: 25 May 2001 19:19:45 -0400 Subject: ignoring SIGPIPE causing problems in pipes In-Reply-To: <20010524130301.A6575@folly> References: <20010524130301.A6575@folly> Message-ID: An embedded and charset-unspecified text was scrubbed... Name: ssh.log Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010525/be20d235/attachment.ksh From ecashin at terry.uga.edu Sat May 26 09:41:58 2001 
From: ecashin at terry.uga.edu (Ed L Cashin) Date: 25 May 2001 19:41:58 -0400 Subject: ignoring SIGPIPE causing problems in pipes In-Reply-To: References: <20010524130301.A6575@folly> Message-ID: Ed L Cashin writes: ... > Killed by signal 2. That's from when I pressed control-C, BTW. -- --Ed Cashin PGP public key: ecashin at terry.uga.edu http://www.terry.uga.edu/~ecashin/pgp/ From ecashin at terry.uga.edu Sat May 26 09:49:53 2001 From: ecashin at terry.uga.edu (Ed L Cashin) Date: 25 May 2001 19:49:53 -0400 Subject: scp: Problem when source and destination are identical In-Reply-To: <20010525150208.H14605@greenie.muc.de> References: <20010523150728.E14978@zax.half.pint-stowp.cx> <20010523232352.B22175@greenie.muc.de> <20010524130830.B6575@folly> <20010524222523.C26969@greenie.muc.de> <20010525113921.A10153@faui02.informatik.uni-erlangen.de> <20010525114315.B14605@greenie.muc.de> <20010525121342.B10153@faui02.informatik.uni-erlangen.de> <20010525150208.H14605@greenie.muc.de> Message-ID: Gert Doering writes: ... > The Unix way is "give 'em a choice" - which is exactly what the switch > is good for. You misrepresent things! The UN*X way is that each tool should be simple and do one thing well, then the choice is in picking the tools and putting them together however you want. Making feature-laden, buggy software that tries to do everything in order to appear powerful is not UN*X-ish at all. -- --Ed Cashin PGP public key: ecashin at terry.uga.edu http://www.terry.uga.edu/~ecashin/pgp/ From ecashin at terry.uga.edu Sat May 26 09:51:06 2001 
From: ecashin at terry.uga.edu (Ed L Cashin) Date: 25 May 2001 19:51:06 -0400 Subject: scp: Problem when source and destination are identical References: <20010523150728.E14978@zax.half.pint-stowp.cx> <20010523232352.B22175@greenie.muc.de> Message-ID: Gert Doering writes: > Hi, > > On Wed, May 23, 2001 at 03:07:28PM -0500, Jim Knoble wrote: > > What i would much rather see is for the destination scp to write the > > incoming file to a temporary file in the same directory, and then > > rename() it to the destination file on a successful copy. > > Strongly seconded. But Markus doesn't seem to like it, for no other > reason than "you can use tar/mv/rsync to do this". I agree with Markus, if that's his position. Commands should do what we expect, and I don't expect something that looks like a secure version of rcp to be writing to temporary files and doing rename(2). > > Against: Requires enough space available on the destination filesystem > > to hold both the old and the new copy of each file; this could > > be a drawback for large files. > > Which is a good argument for having a switch to control this. Or just use a different tool, like rsync, that is designed for this kind of thing. -- --Ed Cashin PGP public key: ecashin at terry.uga.edu http://www.terry.uga.edu/~ecashin/pgp/ From ecashin at terry.uga.edu Sat May 26 10:00:22 2001 
From: ecashin at terry.uga.edu (Ed L Cashin) Date: 25 May 2001 20:00:22 -0400 Subject: bug report In-Reply-To: <20010524125150.D22475@folly> References: <20010524125150.D22475@folly> Message-ID: Markus Friedl writes: > On Wed, May 23, 2001 at 10:49:54PM -0400, mugz wrote: > > > > I'm always a bit slow to report bugs i see, figuing someone else will > > report it and that it will eventually get fixed. This one has been > > somewhat of a problem for a while now. I run Linux Slackware -current and > > just upgraded to OpenSSH 2.9p1, but I have noticed this same bug on every > > platform and OS running OpenSSH. > > > > If a user logs in and starts any kind of background process such as > > "screen" "bnc" "mud" "eggdrop" etc, the console "hangs" when they log out. > > When I ssh to a shell running OpenSSH from work or from home, start a > > screen or a bnc and then exit with that process running, I have to go to > > another console and manually kill my connection locally. If i then log > > back into the same shell and type: last -5 myuserid, it shows me as > > "still logged in" from that previous session. You can test this easily by > > logging in using ssh and typing: > > > > sleep 200 & > > exit > > does > sleep 1234 < /dev/null > /dev/null 2>& > exit > work? You can make init the parent of the remote shell executing mud or whatever. This uses a subshell to launch the command (parentheses do this in Bourne-type shell like bash), so when the subshell exits, init inherits the sleep process: here$ ssh there there$ (sleep 1234 &) there$ exit here$ ... leaving you free to logout without anything blocking. -- --Ed Cashin PGP public key: ecashin at terry.uga.edu http://www.terry.uga.edu/~ecashin/pgp/ From amol at animal.blarg.net Sat May 26 12:13:03 2001 
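Ed's `(sleep 1234 &)` trick and Markus's redirect-everything-to-/dev/null question are two halves of the same fix, and the thread above never shows why either half matters. The C below is an added example, not OpenSSH code: spawn_naive(), spawn_detached() and session_outlives_job() are names invented here. The harness plays sshd's part, reading the session's stdout until EOF, and reports how long that takes for a job started each way.

```c
#include <fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Added example, not OpenSSH code. spawn_naive(), spawn_detached() and
 * session_outlives_job() are names invented for this illustration. */

/* "cmd &": the job inherits the caller's stdin/stdout/stderr, so the
 * pipe (or pty) sshd is reading stays open for as long as the job lives. */
static void spawn_naive(char *const argv[])
{
    pid_t pid = fork();
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
}

/* "(cmd </dev/null >/dev/null 2>&1 &)": double fork so the job is adopted
 * by init and nobody has to wait() for it, setsid() so it has no
 * controlling terminal, and all three stdio fds pointed at /dev/null so
 * the session's pipes reach EOF the moment the login shell exits. */
static void spawn_detached(char *const argv[])
{
    pid_t pid = fork();
    if (pid == 0) {
        int fd;
        if (fork() != 0)
            _exit(0);            /* intermediate child: exit immediately */
        setsid();
        fd = open("/dev/null", O_RDWR);
        if (fd >= 0) {
            dup2(fd, STDIN_FILENO);
            dup2(fd, STDOUT_FILENO);
            dup2(fd, STDERR_FILENO);
            if (fd > STDERR_FILENO)
                close(fd);
        }
        execvp(argv[0], argv);
        _exit(127);
    } else if (pid > 0) {
        waitpid(pid, NULL, 0);   /* reap the intermediate child */
    }
}

/* Plays sshd's part: a child acts as the login shell with its stdout on
 * a pipe, starts the job through `launch` and exits ("logout"); the
 * parent then reads the pipe until EOF, which only arrives once every
 * process holding the write end is gone. Returns the seconds that took:
 * roughly the job's lifetime for spawn_naive, about zero for
 * spawn_detached. */
static int session_outlives_job(void (*launch)(char *const[]), char *const argv[])
{
    int fds[2];
    char buf[64];
    time_t start;
    pid_t shell;

    if (pipe(fds) == -1)
        return -1;
    start = time(NULL);
    shell = fork();
    if (shell == 0) {
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        launch(argv);
        _exit(0);                /* the login shell exits, the job may not */
    }
    close(fds[1]);
    while (read(fds[0], buf, sizeof buf) > 0)
        ;                        /* blocks until the last writer closes */
    close(fds[0]);
    waitpid(shell, NULL, 0);
    return (int)(time(NULL) - start);
}
```

With a job of `sleep 3`, session_outlives_job(spawn_naive, ...) returns about 3 and session_outlives_job(spawn_detached, ...) returns 0: the first is the "still logged in" symptom from the bug report (sshd is waiting for EOF on a pipe the orphaned job still holds), the second is what the subshell-plus-redirect idiom buys you. The subshell alone only reparents the job; the redirects are what release the session's file descriptors.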
From: amol at animal.blarg.net (Amol Deshpande) Date: Fri, 25 May 2001 19:13:03 -0700 (PDT) Subject: OpenSSH ports and crypto issues Message-ID:

hi,

I am working on a windows NT version of openssh. It's mostly working
(ssh.exe, ssh-keygen.exe to be precise), except for some minor UI issues.
however, i have a couple of questions about making the port available:

1. minor issue: My port is based on the openbsd ssh source (2.5.2). Is
this acceptable, or should I base it on the portable source ? I think I
know the answer to that one. If someone wants to take my diffs against
base and integrate them into portable, that would be awesome, since I
won't be able to get around to it for a while.

2. minor issue 2: I am currently using 2 files from a GPLed program in my
port. It will take some work to remove them, but I can do so if it's not
desirable to have GPLed source in an OpenSSH port.

3. THE major issue: How do I distribute this ? send diffs to the portable
distribution maintainer(s) ? Since I live in the U.S, I obviously cannot
make it available myself. My diffs would consist of diffs from the main
source, makefiles and a library that implements compatibility routines for
NT.

The only part of my source that uses any cryptography is a function that
calls a Crypto Provider DLL to generate a random number (I'm trying to
approximate arc4_random() by using a system provider). Since this DLL
provider is distributed in the system, I don't see a problem with
re-distributing code that uses it. Is that a reasonable assumption w.r.t
export restrictions ? (I don't think generating a random number involves
encryption, but I have !clue about such things.)

I'd very much like to make this available without treading on anyone's
GPLed toes or having the NSA hunt me down, so please let me know what the
best route to proceed would be.

thanks,
-amol

From abartlet at pcug.org.au Sat May 26 12:15:42 2001
From: abartlet at pcug.org.au (Andrew Bartlett) Date: Sat, 26 May 2001 12:15:42 +1000 Subject: Problem with OpenSSH with UseLogin.. AGAIN!!! References: Message-ID: <3B0F11CE.A09BE4CE@bartlett.house>

Krzysztof Oledzki wrote:
>
> Hello,
>
> By the 26th of May I will have been waiting for response for 17 days.
> I posted this mail at 9 May 2001 20:38:58 and still this bug is not
> fixed and AFAIK no one has answered this mail. I have to ask: why? ;-)
>
> ---------- My OLD message ----------
> Hello,
>
> I have just discovered that ssh -T does not work with servers which have
> the UseLogin option enabled. This happens because /bin/login can not work if
> there is no tty. To correct this, it is necessary to add:
>
> options.use_login = 0;
>
> at the top of the "do_exec_no_pty" function from the "session.c" file.
> ---------- My OLD message ----------
>
> Best regards,
>
> Krzysztof Oledzki

It's not a bug, it's a feature :-) Seriously, if UseLogin is selected
then the sys-admin has dictated that all authentications must pass through
/bin/login - usually for local security reasons. Disabling this kind of
defeats the purpose of the option.

Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au

From abartlet at pcug.org.au Sat May 26 12:36:35 2001
From: abartlet at pcug.org.au (Andrew Bartlett) Date: Sat, 26 May 2001 12:36:35 +1000 Subject: Using /bin/sh to exec subsystems [PATCH] References: <990739732.3805.4.camel@phiggins.transzap.com> <3B0E54B6.E7F34631@bartlett.house> <990804454.3813.7.camel@phiggins.transzap.com> Message-ID: <3B0F16B3.B48CF0A9@bartlett.house>

Patrick Higgins wrote:
>
> That's clever. I guess my only reservation about that sort of thing is I
> prefer my security-critical code to be peer-reviewed, not something I
> cook up myself. That's why I'd like to see the solution be a direct part
> of OpenSSH (where I know it will be audited).
>
> Your solution is very flexible, though. Perhaps we could put your script
> (or a similar one) in the contrib directory so that everyone can at
> least start with a well-written restricted shell, and hope that the
> customization process doesn't ruin it?
>
> -Pat
>
> > The way I have set it up is a simple taint-mode enabled perl script, it
> > checks for command options, and if it is a permitted program
> > (sftp-server) then the server is run (hardcoded path). If we get
> > another subsystem, I just add an elsif. If they specify nothing, they
> > get a password change prompt (the initial reason for the script).
> >
> > Andrew Bartlett

Attached. Freely redistribute.
--
Andrew Bartlett abartlet at pcug.org.au
-------------- next part --------------
#!/usr/bin/perl -Tw
#
# Restricted login shell. Under taint mode (-T) the only command that
# may be run via "-c" is the hardcoded sftp-server; an interactive login
# (no -c) gets a password-change prompt instead of a shell.

use strict;
use Getopt::Std;

# Taint mode requires a trusted PATH and no shell-influencing variables
# before anything is exec'd or run via system().
$ENV{'PATH'} = '/bin:/usr/bin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

my $sftp_server = '/usr/libexec/openssh/sftp-server';

# -c ARG, stored in $args{'c'}: sshd runs a subsystem as "$SHELL -c <path>".
my %args;
getopts("c:", \%args) or exit 1;

if (defined $args{'c'}) {
    if ($args{'c'} eq $sftp_server) {
        # Only the known subsystem binary, by its full path; never the
        # user-supplied string. A failed exec must not fall through.
        exec($sftp_server) or die "Could not exec $sftp_server: $!";
    } else {
        # Any other command (including an ordinary shell) is refused.
        exit 1;
    }
}

# No command given: an interactive login.
my @passwd = getpwuid($>);
my $home = $passwd[7];
my $maildir = $home . '/Maildir';
if (!(-d $maildir)) {
    (system('/usr/bin/maildirmake', $maildir) == 0)
        or die "Could not add maildir";
}

print "\n";
print "UNAUTHORISED ACCESS TO THIS SYSTEM IS PROHIBITED\n";
print "================================================\n\n";
print "Basic RULES:\n";
print "  Do not share your password or account with anybody.\n";
print "  Do not login to the server from more than one computer at a time\n";
print "  Keep your account within its quota\n";
print "\n";
print "Do you agree with these rules and the conditions of use,\n as stated on the website (http://jessie)?\n\n";
print "Type 'yes' to agree, 'no' to quit: ";

# Read the answer from the terminal only (not from @ARGV as <> would).
my $answer = <STDIN>;
if (defined $answer && $answer =~ /^yes$/i) {
    print "\n\n Initiating PASSWORD CHANGE\n (Your UNIX password is the one you just logged in with)\n\n";
    my $passout = system('/usr/bin/passwd');
    if ($passout == 0) {
        print "\n\n\n PASSWORD CHANGED \n\n";
    }
}

From abartlet at pcug.org.au Sat May 26 12:42:14 2001
From: abartlet at pcug.org.au (Andrew Bartlett) Date: Sat, 26 May 2001 12:42:14 +1000 Subject: Using /bin/sh to exec subsystems [PATCH] References: <990739732.3805.4.camel@phiggins.transzap.com> <3B0E54B6.E7F34631@bartlett.house> <990804454.3813.7.camel@phiggins.transzap.com> <3B0F16B3.B48CF0A9@bartlett.house> Message-ID: <3B0F1806.B6A2ABB4@bartlett.house>

Andrew Bartlett wrote:
>
> Patrick Higgins wrote:
> >
> > That's clever. I guess my only reservation about that sort of thing is I
> > prefer my security-critical code to be peer-reviewed, not something I
> > cook up myself. That's why I'd like to see the solution be a direct part
> > of OpenSSH (where I know it will be audited).
> >
> > Your solution is very flexible, though. Perhaps we could put your script
> > (or a similar one) in the contrib directory so that everyone can at
> > least start with a well-written restricted shell, and hope that the
> > customization process doesn't ruin it?
> >
> > -Pat
> >
> > > The way I have set it up is a simple taint-mode enabled perl script, it
> > > checks for command options, and if it is a permitted program
> > > (sftp-server) then the server is run (hardcoded path). If we get
> > > another subsystem, I just add an elsif. If they specify nothing, they
> > > get a password change prompt (the initial reason for the script).
> > >
> > > Andrew Bartlett
>
> Attached. Freely redistribute.
>

Just remember that until the next release of OpenSSH, this won't actually
do anything, as .ssh/rc files are executed with /bin/sh anyway :-(. (My
bug-report and the resultant fix were too close to release for 2.9p1, or
so I was told).

Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au

From mats at mindbright.se Sat May 26 18:25:25 2001
From: mats at mindbright.se (Mats Andersson) Date: Sat, 26 May 2001 10:25:25 +0200 (MEST) Subject: OpenSSH ports and crypto issues In-Reply-To: Message-ID: Hi, On Fri, 25 May 2001, Amol Deshpande wrote: > 2. minor issue 2: I am currently using 2 files from a GPLed program in > my port. It will take some work to remove them, but I can do so if > it's not desirable to have GPLed source in an OpenSSH port. Strictly no, you may NOT include it in anything but something fully GPL (which OpenSSH is not, it's under a BSD like license). Note that the case is different if the code is under LGPL, check this. However, if you wrote the (GPLed) code yourself (i.e. you own the copyright to it) you may change the license and include it under another license. Cheers, /Mats From markus.friedl at informatik.uni-erlangen.de Sat May 26 03:31:25 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 25 May 2001 19:31:25 +0200 Subject: Using /bin/sh to exec subsystems [PATCH] In-Reply-To: <990737794.3812.3.camel@phiggins.transzap.com>; from phiggins@transzap.com on Thu, May 24, 2001 at 02:56:34PM -0600 References: <990737794.3812.3.camel@phiggins.transzap.com> Message-ID: <20010525193125.B16993@folly> On Thu, May 24, 2001 at 02:56:34PM -0600, Patrick Higgins wrote: > Which startup script? ~/.ssh/rc, .profile, both? Others? > > I'm of the opinion that ~/.ssh/rc shouldn't be run for everyone. Perhaps > only those users with a shell in /etc/shells? openssh-current runs ~/.ssh/rc with the loginshell, so if you have /bin/false as a loginshell nothing happens. -m From markus.friedl at informatik.uni-erlangen.de Sat May 26 03:27:02 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 25 May 2001 19:27:02 +0200 Subject: chroot sftp-server [PATCH] In-Reply-To: ; from djm@mindrot.org on Fri, May 25, 2001 at 04:21:33PM +1000 References: <3B0D17EC.AA892EB2@bartlett.house> Message-ID: <20010525192702.A16993@folly>

On Fri, May 25, 2001 at 04:21:33PM +1000, Damien Miller wrote:
> On Fri, 25 May 2001, Andrew Bartlett wrote:
>
> > Is there any way of making this work? This is the method I much prefer,
> > and was looking at implementing a while ago. I'm glad somebody's taken a
> > stab at it.
> >
> > I run SFTP specifically because it does not require a ROOT daemon (apart
> > from OpenSSH, which I run already) nor does it require a set-uid
> > binary. Hence my interest in this patch.
>
> I am not too fussed about a setuid sftp-server, so long as it
> does chdir,chroot,setuid as its first actions. IMO this is preferable
> to patch-checking schemes which introduce complexity and may be
> possible to fool.

i think i agree with Damien on this issue. if we want a restricted
sftp-server, then the OS should take care about what files can be
accessed. and the simplest way to achieve this is to have a chroot()
at the start of sftp-server. this is much simpler than adding checks
to every place in sftp-server where pathnames are handled.

why not reuse this nice feature of the OS? why invent a new mechanism
if a nice and elegant mechanism already exists (with chroot)?

-markus

From markus.friedl at informatik.uni-erlangen.de Sat May 26 23:35:31 2001
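What "chdir, chroot, setuid as its first actions" has to look like in practice, as an added example that is not sftp-server code or any OpenSSH code: confine_to_directory() is a name invented here. Beyond the three calls Damien lists it refuses a jail root the confined user could write to, refuses to confine uid 0 (root inside a chroot can get back out), drops supplementary groups and gid before the uid (they cannot be changed afterwards), and checks that root cannot be regained before it reports success.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* for the chroot() and setgroups() prototypes */
#endif
#include <errno.h>
#include <grp.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not sftp-server code; confine_to_directory() is an
 * invented name. Meant to be the first call in main() of a setuid
 * sftp-server, before any client data is read. Returns 0 on success,
 * -1 with errno set on failure; on failure the caller must exit rather
 * than carry on unconfined. */
int confine_to_directory(const char *root, uid_t uid, gid_t gid)
{
    struct stat st;

    /* Only an absolute path is meaningful as a jail root. */
    if (root == NULL || root[0] != '/') {
        errno = EINVAL;
        return -1;
    }
    /* Never confine uid 0: root inside a chroot can break out of it. */
    if (uid == 0) {
        errno = EINVAL;
        return -1;
    }
    if (stat(root, &st) == -1)
        return -1;
    if (!S_ISDIR(st.st_mode)) {
        errno = ENOTDIR;
        return -1;
    }
    /* A root the confined user can write to lets them plant files
     * (etc/passwd, lib/...) that a later privileged step inside the jail
     * might trust; insist on root-owned and not group/world-writable. */
    if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        errno = EACCES;
        return -1;
    }

    /* chdir before chroot: chroot() leaves the cwd untouched, and a cwd
     * outside the new root is the textbook escape. */
    if (chdir(root) == -1)
        return -1;
    if (chroot(root) == -1)
        return -1;
    if (chdir("/") == -1)
        return -1;

    /* Drop privileges: supplementary groups and gid while still root,
     * uid last and with setuid(), which sets real, effective and saved
     * uid together so there is nothing left to switch back to. */
    if (setgroups(1, &gid) == -1)
        return -1;
    if (setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)
        return -1;

    /* Verify the drop stuck: regaining root must fail. */
    if (setuid(0) == 0 || seteuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    if (getuid() != uid || geteuid() != uid || getgid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}
```

Run unprivileged, the chroot() step fails with EPERM and the function says so; that is the point of making it the first action, since a server that cannot confine itself should not serve at all. The argument checks fire before any privilege is touched, so a bad jail path never leaves the process half-confined.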
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 26 May 2001 15:35:31 +0200 Subject: OpenSSH 2.9p1 improperly caches username In-Reply-To: <00ad01c0e3bd$13470740$0400a8c0@cobra>; from dprevett@vandyke.com on Wed, May 23, 2001 at 01:17:54PM -0600 References: <00ad01c0e3bd$13470740$0400a8c0@cobra> Message-ID: <20010526153531.B2514@folly> On Wed, May 23, 2001 at 01:17:54PM -0600, Daniel Prevett wrote: > OpenSSH 2.9p1 using SSH2 currently caches the username sent in > the USERAUTH_REQUEST [none] packet. This does not allow you > to change the username in a later authentication packet. > > >From SSH Authentication Protocol, section 2.1: > > "The user name and service are repeated in every new > authentication attempt, and MAY change. The server implementation MUST > carefully check them in every message, > and MUST flush any accumulated authentication states if they change. > If it is unable to flush some authentication > state, it MUST disconnect if the user or service name > changes." > > This behavior has been reported by users of SecureCRT attempting to > change their username during the SSH2 authentication process. > > If you need any more information, please let me know. openssh's behaviour is intentional. we don't want to allow a change of user or service names. but we don't want to disconnect (perhaps we should...). there has been some discussion about this on the ietf-ssh at netbsd.org list, but i don't remember the outcome of the discussion. i'll look into this. From markus.friedl at informatik.uni-erlangen.de Sun May 27 01:50:34 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 26 May 2001 17:50:34 +0200 Subject: ignoring SIGPIPE causing problems in pipes In-Reply-To: ; from ecashin@terry.uga.edu on Fri, May 25, 2001 at 07:19:45PM -0400 References: <20010524130301.A6575@folly> Message-ID: <20010526175033.A28340@folly>

On Fri, May 25, 2001 at 07:19:45PM -0400, Ed L Cashin wrote:
> nilda:2:ecashin openssh-2.9p1$ ssh meili yes | (for i in 1 2 3 4; do echo $i; read line; done)
> ..
> Hope this helps. I suppose it would be most of interest to the person
> who made the change, since version 2.5.2p2 works fine:

this is because 2.5.2 defaults to protocol v1 whereas 2.9 defaults to v2.

ok, i can reproduce this problem with

$ ssh -2 -v -v -v localhost yes | sed 2q

whereas

$ ssh -1 -v -v -v localhost yes | sed 2q

works fine.

in protocol 2 ssh detects that it can no longer write to the sed process.
however, it never tries to read from sed, so it does not exit.

you can work around this with

$ ssh -n -2 -v -v -v localhost yes | sed 2q

and force ssh to ignore input and replace stdin with /dev/null

btw, the same happens if i try this with ssh.com's ssh2 client.

i'm not sure what the right thing to do is in this situation.
clientloop.c needs to ignore SIGPIPE, because all the portforwarding
code needs this. should select() return if 'sed' dies?

From markus.friedl at informatik.uni-erlangen.de Sat May 26 19:49:13 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sat, 26 May 2001 11:49:13 +0200
Subject: Problem with OpenSSH with UseLogin.. AGAIN!!!
In-Reply-To: <3B0F11CE.A09BE4CE@bartlett.house>; from abartlet@pcug.org.au on Sat, May 26, 2001 at 12:15:42PM +1000
References: <3B0F11CE.A09BE4CE@bartlett.house>
Message-ID: <20010526114913.A2514@folly>

On Sat, May 26, 2001 at 12:15:42PM +1000, Andrew Bartlett wrote:
> It's not a bug, it's a feature :-) Seriously, if UseLogin is selected
> then the sys-admin has dictated that all authentications must pass through
> /bin/login - usually for local security reasons. Disabling this kind of
> defeats the purpose of the option.

no, this is not true. use_login is ignored if you specify commands.

From mouring at etoh.eviladmin.org Sun May 27 01:54:59 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Sat, 26 May 2001 10:54:59 -0500 (CDT)
Subject: OpenSSH ports and crypto issues
In-Reply-To:
Message-ID:

On Fri, 25 May 2001, Amol Deshpande wrote:
> hi,
>
> I am working on a windows NT version of openssh. It's mostly working
> (ssh.exe, ssh-keygen.exe to be precise), except for some minor UI issues.
> however, i have a couple of questions about making the port available:
>
> 1. minor issue: My port is based on the openbsd ssh source (2.5.2). Is
> this acceptable, or should I base it on the portable source ? I think I
> know the answer to that one. If someone wants to take my diffs against
> base and integrate them into portable, that would be awesome, since I
> won't be able to get around to it for a while.
>

If you're looking to get into the portable tree, you need to provide
patches based on the most recent CVS snapshot from directhit.

> 2. minor issue 2: I am currently using 2 files from a GPLed program in my
> port. It will take some work to remove them, but I can do so if it's not
> desirable to have GPLed source in an OpenSSH port.
>

Depending on what those GPL functions are you may want to look at the
OpenBSD CVS tree for its equiv (if there is one).

> 3. THE major issue: How do I distribute this ? send diffs to the portable
> distribution maintainer(s) ? Since I live in the U.S, I obviously cannot
> make it available myself. My diffs would consist of diffs from the main
> source, makefiles and a library that implements compatibility routines for
> NT.
>

I believe we are still working under the assumption that changes can occur
to OpenSSH as long as they do not deal with the encryption aspect of the
code. However, under the new laws (I've not had a chance to read them)
this restriction could be lifted in the future.

My only concern is how you ported it to NT, and we are currently trying to
keep the differences between OpenBSD and portable down to a manageable
amount.

- Ben

From dbt at meat.net Sun May 27 04:38:09 2001
From: dbt at meat.net (David Terrell)
Date: Sat, 26 May 2001 11:38:09 -0700
Subject: scp: Problem when source and destination are identical
In-Reply-To: <20010525150208.H14605@greenie.muc.de>; from gert@greenie.muc.de on Fri, May 25, 2001 at 03:02:08PM +0200
References: <20010523150728.E14978@zax.half.pint-stowp.cx> <20010523232352.B22175@greenie.muc.de> <20010524130830.B6575@folly> <20010524222523.C26969@greenie.muc.de> <20010525113921.A10153@faui02.informatik.uni-erlangen.de> <20010525114315.B14605@greenie.muc.de> <20010525121342.B10153@faui02.informatik.uni-erlangen.de> <20010525150208.H14605@greenie.muc.de>
Message-ID: <20010526113809.A32554@pianosa.catch22.org>

On Fri, May 25, 2001 at 03:02:08PM +0200, Gert Doering wrote:
> Hi,
>
> On Fri, May 25, 2001 at 12:13:42PM +0200, Markus Friedl wrote:
> > > Which is why everyone else agreed that a switch to change between "overwrite
> > > in place" and "do atomic replace" is a good idea.
> >
> > no, this is why "do atomic replace" does not work.
> >
> > "overwrite in place" works fine, even if the user cannot create a new
> > file because of the directory permissions.
> >
> > "overwrite in place" works fine, even if the filesystem is almost full.
> >
> > imagine copying a 100MB file with "do atomic replace" if you have 50MB of
> > free space.
>
> You don't seem to be reading what others write.
>
> There are situations where "atomic replace" doesn't work - and there are
> other situations where "overwrite in place" messes up applications trying
> to read the file in just that moment.
>
> The Unix way is "give 'em a choice" - which is exactly what the switch
> is good for.

scp is an rcp replacement. If you want to extend something, add this
functionality to the sftp subsystem, I say.

-- 
David Terrell            | But remember that "layman" is just a polite
dbt at meat.net            | word for "idiot."
http://wwn.nebcorp.com/  |   - Neal Stephenson

From ecashin at terry.uga.edu Sun May 27 07:52:33 2001
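The two strategies the thread argues over are easy to put side by side. The following is an added example, not scp or sftp code: both overwrite strategies in Python, plus a check of what a process that already has the file open sees in each case. It works in a temporary directory of its own; the function names are this example's. "Overwrite in place" rewrites the existing inode, so it needs neither directory write permission nor room for a second copy (Markus's two objections to the alternative), but a concurrent reader watches the contents change under it (Gert's objection). "Atomic replace" writes a sibling temp file and renames it over the target, so readers keep the old inode and the path never names a half-written file, at the cost of a writable directory and space for the whole second copy.

```python
"""Added example (not scp code): overwrite-in-place versus atomic replace,
and what a reader that opened the file earlier sees in each case."""
import os
import tempfile


def overwrite_in_place(path: str, data: bytes) -> None:
    """Truncate and rewrite the existing inode.

    No directory write permission and no second copy needed, but a reader that
    opened the file earlier sees its contents change underneath it, and a crash
    mid-write leaves a truncated file.
    """
    with open(path, "r+b") as f:
        f.truncate(0)
        f.write(data)
        f.flush()
        os.fsync(f.fileno())


def atomic_replace(path: str, data: bytes) -> None:
    """Write a sibling temp file and rename it over the target.

    Readers keep the old inode until they reopen, and the path always names
    either the complete old file or the complete new one.  Requires a writable
    directory and free space for a full second copy.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".replace-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        try:
            # mkstemp creates the file 0600; carry the target's mode across
            os.chmod(tmp, os.stat(path).st_mode & 0o7777)
        except FileNotFoundError:
            pass                         # target did not exist yet
        os.replace(tmp, path)            # atomic rename on POSIX filesystems
    except BaseException:
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise


def observe_open_reader(strategy) -> tuple:
    """Open the target, overwrite it with `strategy`, then read from the old
    descriptor.  Returns (bytes the early reader saw, whether the path still
    names the same inode as before)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "target.dat")
        with open(path, "wb") as f:
            f.write(b"old contents\n")   # constructed original file
        inode_before = os.stat(path).st_ino
        with open(path, "rb") as early_reader:
            strategy(path, b"new contents\n")
            seen = early_reader.read()
        return seen, os.stat(path).st_ino == inode_before
```

`observe_open_reader(overwrite_in_place)` returns the new bytes and the same inode; `observe_open_reader(atomic_replace)` returns the old bytes and a different inode. Which of those a copy tool should do is exactly the policy question the thread leaves open, which is why David's answer is to keep scp's rcp semantics and put any choice into the sftp subsystem.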
From: ecashin at terry.uga.edu (Ed L Cashin)
Date: 26 May 2001 17:52:33 -0400
Subject: ignoring SIGPIPE causing problems in pipes
In-Reply-To: <20010526175033.A28340@folly>
References: <20010524130301.A6575@folly> <20010526175033.A28340@folly>
Message-ID:

Markus Friedl writes:
> i'm not sure what the right thing to do is in this situation.
> clientloop.c needs to ignore SIGPIPE, because all the
> portforwarding code needs this. should select() return if 'sed'
> dies?

I'm not familiar enough with the code to know how the forwarding
issues relate to the SIGPIPE in a filter situation.

Ideally, a SIGPIPE in a filter caused by the process on stdout exiting
would result in ssh exiting, maybe with a "Broken pipe" diagnostic.
In the context of forwarding, though, SIGPIPE would be ignored when
appropriate.

It's just a guess, but it seems like a signal handler for SIGPIPE
could be written that decides what to do based on whether forwarding
is in effect or not.

-- 
--Ed Cashin                     PGP public key:
ecashin at terry.uga.edu          http://www.terry.uga.edu/~ecashin/pgp/

From dbt at meat.net Sun May 27 10:23:06 2001
From: dbt at meat.net (David Terrell)
Date: Sat, 26 May 2001 17:23:06 -0700
Subject: OpenSSH ports and crypto issues
In-Reply-To: ; from amol@animal.blarg.net on Fri, May 25, 2001 at 07:13:03PM -0700
References:
Message-ID: <20010526172306.B32554@pianosa.catch22.org>

On Fri, May 25, 2001 at 07:13:03PM -0700, Amol Deshpande wrote:
> 3. THE major issue: How do I distribute this ? send diffs to the portable
> distribution maintainer(s) ? Since I live in the U.S, I obviously cannot
> make it available myself. My diffs would consist of diffs from the main
> source, makefiles and a library that implements compatibility routines for
> NT.

This is simply not true anymore. Put it on a webpage, send email to
the mailing list announcing your patches and Cc: a copy to
crypt at bxa.doc.gov. That is considered legally sufficient by the BXA
itself.

-- 
David Terrell            | "We must go forward, not backwards; upwards,
Nebcorp Prime Minister   | not forwards; and always twirling, twirling,
dbt at meat.net            | twirling towards freedom!"
http://wwn.nebcorp.com/  |   - The Simpsons

From amol at animal.blarg.net Sun May 27 12:39:30 2001
From: amol at animal.blarg.net (Amol Deshpande)
Date: Sat, 26 May 2001 19:39:30 -0700 (PDT)
Subject: OpenSSH ports and crypto issues
In-Reply-To:
Message-ID:

On Sat, 26 May 2001 mouring at etoh.eviladmin.org wrote:
>
> > 2. minor issue 2: I am currently using 2 files from a GPLed program in my
> > port. It will take some work to remove them, but I can do so if it's not
> > desirable to have GPLed source in an OpenSSH port.
> >
>
> Depending on what those GPL functions are you may want to look at the
> OpenBSD CVS tree for its equiv (if there is one).

unfortunately, these have to do with faking a vt100 terminal. i'll
probably have to base it on wscons in the OpenBSD tree.

>
> My only concern is how you ported it to NT, and we are currently trying to keep
> the differences between OpenBSD and portable down to a manageable amount.
>
> - Ben
>

I try to follow a minimum-impact camping policy in my ports. There will be
a few places where I have to #ifdef in place, but otherwise most of the
unix emulation is external to the main source.

of the 130-odd source files, there's an #ifdef WINNT_NATIVE in maybe a
dozen.

-amol

From ron at wiggins.isri.unlv.edu Sun May 27 13:37:30 2001
From: ron at wiggins.isri.unlv.edu (Ron Young)
Date: Sat, 26 May 2001 20:37:30 -0700
Subject: requesting advice on integrating openssh & solaris secure RPC
Message-ID: <20010527033730.8279C5E947@wiggins.isri.unlv.edu>

Hi:

I am new to the list and new to developing secure applications. I have
been reading the archives to see if anyone has integrated openssh with
solaris 8 secure RPC. It doesn't look like there is any support to do
this in openssh. I have started on a preliminary patch to openssh-2.5.2p2
to automatically authenticate secure rpc using the same password used by
sshd to authenticate the user.

Here is some brief background on our environment:

a collection of solaris fileservers and workstations. home directories
are mounted to workstations via secure RPC/NFS. so users have to have
their secure rpc authentication setup as part of the session creation
done by sshd.

all external sessions must connect using openssh and a password (i.e. no
authorized_keys allowed for first connection).

once connected to one of our systems, the user should not have to
re-enter their password.

whatever method is used should be transparent to user (i.e. should not
interfere with anything they may use: ssh-agents, port forwarding,
etc...)

I have the initial connection (with password) successfully working with
secure RPC/NFS. My next step is to somehow get it so this carries over
when the user connects to another workstation using authorized_keys to
avoid having to re-enter their password.

I have a couple of ideas that I would like some feedback on...

1) generate a restricted command key that somehow contains the
information required to authenticate to secure NFS on the new
workstation.

2) encrypt to the initial password used to access the system and pass it
along as an environment variable that the new workstation's sshd would
use.

3) use the ssh-agent mechanism to store the secure rpc password so that
the ssh client can send it along to the new workstation's sshd.

any thoughts on whether the above are not recommended and/or how they
should be implemented would be greatly appreciated.

thanks
-ron young

===============================================================================
Ron Young, Sr. Software Design Engineer & System Admin.  (702) 895-1070 (voice)
Information Science Research Institute                   (702) 895-1183 (fax)
University of Nevada, Las Vegas (UNLV/ISRI)              ron at isri.unlv.edu
Box 454021, Las Vegas, NV 89154

From mouring at etoh.eviladmin.org Sun May 27 14:14:29 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Sat, 26 May 2001 23:14:29 -0500 (CDT)
Subject: OpenSSH ports and crypto issues
In-Reply-To:
Message-ID:

On Sat, 26 May 2001, Amol Deshpande wrote:
>
> On Sat, 26 May 2001 mouring at etoh.eviladmin.org wrote:
> >
> > > 2. minor issue 2: I am currently using 2 files from a GPLed program in my
> > > port. It will take some work to remove them, but I can do so if it's not
> > > desirable to have GPLed source in an OpenSSH port.
> > >
> >
> > Depending on what those GPL functions are you may want to look at the
> > OpenBSD CVS tree for its equiv (if there is one).
>
> unfortunately, these have to do with faking a vt100 terminal. i'll
> probably have to base it on wscons in the OpenBSD tree.
>

I assume you're mimicking the termcap library?

> >
> > My only concern is how you ported it to NT, and we are currently trying to keep
> > the differences between OpenBSD and portable down to a manageable amount.
> >
> > - Ben
> >
>
> I try to follow a minimum-impact camping policy in my ports. There will be
> a few places where I have to #ifdef in place, but otherwise most of the
> unix emulation is external to the main source.
>
> of the 130-odd source files, there's an #ifdef WINNT_NATIVE in maybe a
> dozen.
>

Hmm.. How many new files are we talking about being added to the portable
tree? I would look at the current 2.9p1 when you get a chance to see how
much common work has been done.

- Ben

From markus.friedl at informatik.uni-erlangen.de Sun May 27 18:43:50 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 27 May 2001 10:43:50 +0200
Subject: ignoring SIGPIPE causing problems in pipes
In-Reply-To: ; from ecashin@terry.uga.edu on Sat, May 26, 2001 at 05:52:33PM -0400
References: <20010524130301.A6575@folly> <20010526175033.A28340@folly>
Message-ID: <20010527104350.A11732@folly>

On Sat, May 26, 2001 at 05:52:33PM -0400, Ed L Cashin wrote:
> Markus Friedl writes:
>
> > i'm not sure what the right thing to do is in this situation.
> > clientloop.c needs to ignore SIGPIPE, because all the
> > portforwarding code needs this. should select() return if 'sed'
> > dies?
>
> I'm not familiar enough with the code to know how the forwarding
> issues relate to the SIGPIPE in a filter situation.
>
> Ideally, a SIGPIPE in a filter caused by the process on stdout exiting
> would result in ssh exiting, maybe with a "Broken pipe" diagnostic.
> In the context of forwarding, though, SIGPIPE would be ignored when
> appropriate.
>
> It's just a guess, but it seems like a signal handler for SIGPIPE
> could be written that decides what to do based on whether forwarding
> is in effect or not.

btw, did you try
	ssh -n ?

From amol at animal.blarg.net Mon May 28 02:36:08 2001
From: amol at animal.blarg.net (Amol Deshpande)
Date: Sun, 27 May 2001 09:36:08 -0700 (PDT)
Subject: OpenSSH ports and crypto issues
In-Reply-To:
Message-ID:

>
> I assume you're mimicking the termcap library?

sort of. hardcoding the term type of ssh client to vt100 actually. so
that any escape sequences that come in are interpreted and translated
correctly.

>
> Hmm.. How many new files are we talking about being added to the portable
> tree? I would look at the current 2.9p1 when you get a chance to see how
> much common work has been done.
>
> - Ben
>

About 15. i'll look at 2.9p1 too, but it's highly unlikely that there's
any common ground. the requirements of translating between unix and NT
are pretty unique.

I can host the additional files on my ftp site. Or, since it's a
subdirectory off the main tree, it can be targzipped and distributed as
an addition.

-amol

From ecashin at terry.uga.edu Mon May 28 03:12:14 2001
From: ecashin at terry.uga.edu (Ed L Cashin)
Date: 27 May 2001 13:12:14 -0400
Subject: ignoring SIGPIPE causing problems in pipes
In-Reply-To: <20010527104350.A11732@folly>
References: <20010524130301.A6575@folly> <20010526175033.A28340@folly> <20010527104350.A11732@folly>
Message-ID:

Markus Friedl writes:
> On Sat, May 26, 2001 at 05:52:33PM -0400, Ed L Cashin wrote:
...
> > Ideally, a SIGPIPE in a filter caused by the process on stdout exiting
> > would result in ssh exiting, maybe with a "Broken pipe" diagnostic.
> > In the context of forwarding, though, SIGPIPE would be ignored when
> > appropriate.
> >
> > It's just a guess, but it seems like a signal handler for SIGPIPE
> > could be written that decides what to do based on whether forwarding
> > is in effect or not.
>
> btw, did you try
> 	ssh -n ?

Hmm. It works in the trivial cases I tried, but not in the case I'm
most interested in; namely, restoring from a dump streamed via ssh from
a remote host.

-- 
--Ed Cashin                     PGP public key:
ecashin at terry.uga.edu          http://www.terry.uga.edu/~ecashin/pgp/

From eric at unixtechs.org Mon May 28 08:05:33 2001
From: eric at unixtechs.org (Eric Ekong)
Date: Sun, 27 May 2001 18:05:33 -0400
Subject: Protocol Error
Message-ID: <20010527180533.A9614@ericekong.unixtechs.org>

Does anyone know what causes this error. I recently installed a FreeBSD
server and out of the box this is what the error message kept coming up
with even though I'm using the default config files. Any ideas....

May 27 18:01:49 eric sshd[11880]: error: Hm, dispatch protocol error: type 32 plen 147
May 27 18:03:29 eric sshd[1475]: error: Hm, dispatch protocol error: type 32 plen 97
May 27 18:03:29 eric sshd[1475]: error: Hm, dispatch protocol error: type 32 plen 97
May 27 18:03:29 eric sshd[11880]: error: Hm, dispatch protocol error: type 32 plen 97
May 27 18:03:29 eric sshd[11880]: error: Hm, dispatch protocol error: type 32 plen 97
May 27 18:05:09 eric sshd[1475]: error: Hm, dispatch protocol error: type 32 plen 67
May 27 18:05:09 eric sshd[1475]: error: Hm, dispatch protocol error: type 32 plen 67
May 27 18:05:09 eric sshd[11880]: error: Hm, dispatch protocol error: type 32 plen 81
May 27 18:05:09 eric sshd[11880]: error: Hm, dispatch protocol error: type 32 plen 81
May 27 18:06:49 eric sshd[1475]: error: Hm, dispatch protocol error: type 32 plen 249
May 27 18:06:49 eric sshd[1475]: error: Hm, dispatch protocol error: type 32 plen 249
May 27 18:06:49 eric sshd[11880]: error: Hm, dispatch protocol error: type 32 plen 171
May 27 18:06:49 eric sshd[11880]: error: Hm, dispatch protocol error: type 32 plen 171

-- 
Eric I. Ekong
UNIX TECHS ORG
eric at unixtechs.org
734.216.0350
----------------------------------------------
Real Men Use VIM, MUTT, SLRN, & W3M
Uptime: 5 days, 22:17

From tim at multitalents.net Tue May 29 03:23:41 2001
From: tim at multitalents.net (Tim Rice)
Date: Mon, 28 May 2001 10:23:41 -0700 (PDT)
Subject: [PATCH]: configure.in: Missing check for setvbuf
In-Reply-To: <20010522140020.A23671@cygbert.vinschen.de>
Message-ID:

On Tue, 22 May 2001, Corinna Vinschen wrote:
> Hi,
>
> in configure.in the patch for `setvbuf' is missing while in
> sftp-int.c the HAVE_SETVBUF define is used:

Thanks. Applied.

>
> Index: configure.in
> ===================================================================
> RCS file: /cvs/openssh_cvs/configure.in,v
> retrieving revision 1.286
> diff -u -p -r1.286 configure.in
[patch snipped]
> Corinna
>
>

-- 
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From markus.friedl at informatik.uni-erlangen.de Tue May 29 07:36:54 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 28 May 2001 23:36:54 +0200
Subject: Protocol Error
In-Reply-To: <20010527180533.A9614@ericekong.unixtechs.org>; from eric@unixtechs.org on Sun, May 27, 2001 at 06:05:33PM -0400
References: <20010527180533.A9614@ericekong.unixtechs.org>
Message-ID: <20010528233654.A12886@folly>

On Sun, May 27, 2001 at 06:05:33PM -0400, Eric Ekong wrote:
> Does anyone know what causes this error. I recently installed a FreeBSD
> server and out of the box this is what the error message kept coming up
> with even though I'm using the default config files. Any ideas....

what version of ssh is running on the server?
the clients? what version does freebsd use?
could you provide ssh -v and sshd -d output?

From eric at unixtechs.org Tue May 29 13:48:58 2001
From: eric at unixtechs.org (Eric Ekong)
Date: Mon, 28 May 2001 23:48:58 -0400
Subject: Protocol Error
In-Reply-To: <20010528233654.A12886@folly>
References: <20010527180533.A9614@ericekong.unixtechs.org> <20010528233654.A12886@folly>
Message-ID: <20010528234858.E31478@ericekong.unixtechs.org>

*sh-2.05$ sshd -v
sshd: illegal option -- v
sshd version OpenSSH_2.3.0 green at FreeBSD.org 20010321
Usage: sshd [options]
Options:
  -f file    Configuration file (default /etc/ssh/sshd_config)
  -d         Debugging mode (multiple -d means more debugging)
  -i         Started from inetd
  -q         Quiet (no logging)
  -p port    Listen on the specified port (default: 22)
  -k seconds Regenerate server key every this many seconds (default: 3600)
  -g seconds Grace period for authentication (default: 300)
  -b bits    Size of server RSA key (default: 768 bits)
  -h file    File from which to read host key (default: /etc/ssh/ssh_host_key)
  -u len     Maximum hostname length for utmp recording
  -4         Use IPv4 only
  -6         Use IPv6 only
bash-2.05$ ssh -v
SSH Version OpenSSH_2.3.0 green at FreeBSD.org 20010321, protocol versions 1.5/2.0.
Compiled with SSL (0x0090600f).
Usage: ssh [options] host [command]
bash-2.05$ uname -a
FreeBSD eric.unixtechs.org 4.3-RELEASE FreeBSD 4.3-RELEASE #1: Sat May 26 11:49:01 EDT 2001

Hope this helps

Markus Friedl [010528 17:36]:
> On Sun, May 27, 2001 at 06:05:33PM -0400, Eric Ekong wrote:
> > Does anyone know what causes this error. I recently installed a FreeBSD
> > server and out of the box this is what the error message kept coming up
> > with even though I'm using the default config files. Any ideas....
>
> what version of ssh is running on the server?
> the clients? what version does freebsd use?
> could you provide ssh -v and sshd -d output?

-- 
Eric I. Ekong
UNIX TECHS ORG
eric at unixtechs.org
734.216.0350
----------------------------------------------
Real Men Use VIM, MUTT, SLRN, & W3M
Uptime: 7 days, 3:58

From sjl at zepler.org Tue May 29 21:15:33 2001
From: sjl at zepler.org (Simon Liddington)
Date: Tue, 29 May 2001 12:15:33 +0100 (BST)
Subject: ssh_exchange_identification [RESOLVED for me]
In-Reply-To:
Message-ID:

Oops, found my problem. I should have been specifying id_dsa not
id_dsa.pub as the identity file. However there's still the bug(let) about
carrying on when reading fails. Still this doesn't explain the original
post on this thread.

On Wed, 16 May 2001, Simon Liddington wrote:
> This is a me too:
>
> I upgraded from openssh-2.3.0p1 to openssh-2.5.2p2 and found similar
> problems to Tim. I then upgraded to openssh-2.9p1 and it still
> happened. I even upgraded from openssl-0.9.6 to openssl-0.9.6a and it
> still happened, so I got my shovel out and started digging. I changed
> the code to give the error details and got this:
>
> debug1: authentications that can continue: publickey,password,keyboard-interactive
> debug1: next auth method to try is publickey
> debug1: try pubkey: /export/home1/sl/.ssh/id_dsa.pub
> debug1: input_userauth_pk_ok: pkalg ssh-dss blen 433 lastkey 1271b0 hint 0
>
> debug1: PEM_read_PrivateKey failed: error:0906D06C:PEM routines:PEM_read_bio:no start line
>
> debug1: read PEM private key done: type
> Enter passphrase for key '/export/home1/sl/.ssh/id_dsa.pub':
>
> I think there are two bugs here: firstly it's failing to read the
> private key for some reason and secondly it seems to carry on regardless
> and ask for a passphrase.

-----------------------------------------------------------------------
| Simon Liddington           | Tel (home): +44 23 8023 7935           |
| sjl at zepler.org            | Tel (work): +44 23 8068 3521           |
-----------------------------------------------------------------------

From acolomb at sgs.s.bw.schule.de Thu May 31 20:49:27 2001
From: acolomb at sgs.s.bw.schule.de (Andre Colomb)
Date: Thu, 31 May 2001 12:49:27 +0200
Subject: Bug in scp
Message-ID: <20010531124927.A9268@sgs.s.bw.schule.de>

Hi!

I don't know much about network programming, or about terminal handling.
I wondered about why the command "scp file user at host:path" didn't work.
It gave me the following error messages:

"stdin: is not a tty"
"Write failed flushing stdout buffer."
"write stdout: Broken pipe"

I tried it with different versions of ssh, first the newest debian
packaged release (OpenSSH-1.2.3, protocol 1.5), then the current stable
from openssh.org (openssh-2.9p1 with openssl-0.9.6a). But under Linux
2.4.3 they both didn't work.

Then I found a machine with 2.2.14 kernel running and tested scp there.
It worked. So I gave it a try with OpenSSH-1.2.3 on a 2.2.17 kernel
machine. It worked, too.

Now I found the problem. I had a "finger" in my bash startup script.
that confused scp. I removed it, and ... it worked. With 2.4.3.

Now I think there is a bug in scp, because it tries to open a pipe but
expects a tty (a friend told me that based on an strace -f output)

I'll send you the strace call, too. The many lines at the end
"read(8, " ", 1)" come from the finger output.

If you have questions about my system configuration or some commands I
used, feel free to mail me to "acolomb at web.de".

thank you for your support...

-- 
Greetings...
From: Andre Colomb known as MinioN -------------- next part -------------- 566 execve("/usr/bin/scp", ["scp", "Blink 182 -why.mp3", "acolomb at ledge:/tmp"], [/* 23 vars */]) = 0 566 brk(0) = 0x804d4a0 566 open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory) 566 open("/etc/ld.so.cache", O_RDONLY) = 4 566 fstat(4, {st_mode=S_IFREG|0644, st_size=23853, ...}) = 0 566 old_mmap(NULL, 23853, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40014000 566 close(4) = 0 566 open("/lib/libdl.so.2", O_RDONLY) = 4 566 fstat(4, {st_mode=S_IFREG|0644, st_size=9452, ...}) = 0 566 read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\330\34"..., 4096) = 4096 566 old_mmap(NULL, 12428, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x4001a000 566 mprotect(0x4001c000, 4236, PROT_NONE) = 0 566 old_mmap(0x4001c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x1000) = 0x4001c000 566 close(4) = 0 566 open("/lib/libnsl.so.1", O_RDONLY) = 4 566 fstat(4, {st_mode=S_IFREG|0644, st_size=76032, ...}) = 0 566 read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0@\0\000"..., 4096) = 4096 566 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001e000 566 old_mmap(NULL, 88200, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x4001f000 566 mprotect(0x40031000, 14472, PROT_NONE) = 0 566 old_mmap(0x40031000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x11000) = 0x40031000 566 old_mmap(0x40033000, 6280, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40033000 566 close(4) = 0 566 open("/usr/lib/libz.so.1", O_RDONLY) = 4 566 fstat(4, {st_mode=S_IFREG|0644, st_size=54512, ...}) = 0 566 read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\31\0\000"..., 4096) = 4096 566 old_mmap(NULL, 57564, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x40035000 566 mprotect(0x40041000, 8412, PROT_NONE) = 0 566 old_mmap(0x40041000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0xb000) = 0x40041000 566 close(4) = 0 566 
open("/lib/libutil.so.1", O_RDONLY) = 4 566 fstat(4, {st_mode=S_IFREG|0644, st_size=7652, ...}) = 0 566 read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20\17\0"..., 4096) = 4096 566 old_mmap(NULL, 10556, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x40044000 566 mprotect(0x40046000, 2364, PROT_NONE) = 0 566 old_mmap(0x40046000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x1000) = 0x40046000 566 close(4) = 0 566 open("/lib/libpam.so.0", O_RDONLY) = 4 566 fstat(4, {st_mode=S_IFREG|0644, st_size=27180, ...}) = 0 566 read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`\22\0\000"..., 4096) = 4096 566 old_mmap(NULL, 30444, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x40047000 566 mprotect(0x4004e000, 1772, PROT_NONE) = 0 566 old_mmap(0x4004e000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x6000) = 0x4004e000 566 close(4) = 0 566 open("/usr/lib/libcrypto.so.0", O_RDONLY) = 4 566 fstat(4, {st_mode=S_IFREG|0644, st_size=685228, ...}) = 0 566 read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\357"..., 4096) = 4096 566 old_mmap(NULL, 695940, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x4004f000 566 mprotect(0x400eb000, 56964, PROT_NONE) = 0 566 old_mmap(0x400eb000, 53248, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x9b000) = 0x400eb000 566 old_mmap(0x400f8000, 3716, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x400f8000 566 close(4) = 0 566 open("/lib/libwrap.so.0", O_RDONLY) = 4 566 fstat(4, {st_mode=S_IFREG|0644, st_size=23008, ...}) = 0 566 read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`\36\0\000"..., 4096) = 4096 566 old_mmap(NULL, 27972, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x400f9000 566 mprotect(0x400fe000, 7492, PROT_NONE) = 0 566 old_mmap(0x400fe000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x4000) = 0x400fe000 566 close(4) = 0 566 open("/lib/libc.so.6", O_RDONLY) = 4 566 fstat(4, {st_mode=S_IFREG|0755, st_size=887712, ...}) = 0 566 read(4, 
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\244\213"..., 4096) = 4096 566 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40100000 566 old_mmap(NULL, 902044, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x40101000 566 mprotect(0x401d6000, 29596, PROT_NONE) = 0 566 old_mmap(0x401d6000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0xd4000) = 0x401d6000 566 old_mmap(0x401da000, 13212, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x401da000 566 close(4) = 0 566 open("/lib/libcrypt.so.1", O_RDONLY) = 4 566 fstat(4, {st_mode=S_IFREG|0644, st_size=20436, ...}) = 0 566 read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\16"..., 4096) = 4096 566 old_mmap(NULL, 183228, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x401de000 566 mprotect(0x401e3000, 162748, PROT_NONE) = 0 566 old_mmap(0x401e3000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x4000) = 0x401e3000 566 old_mmap(0x401e4000, 158652, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x401e4000 566 close(4) = 0 566 munmap(0x40014000, 23853) = 0 566 getpid() = 566 566 getuid() = 1000 566 brk(0) = 0x804d4a0 566 brk(0x804d8b8) = 0x804d8b8 566 brk(0x804e000) = 0x804e000 566 socket(PF_UNIX, SOCK_STREAM, 0) = 4 566 connect(4, {sin_family=AF_UNIX, path=" /var/run/.nscd_socket"}, 110) = -1 ECONNREFUSED (Connection refused) 566 close(4) = 0 566 open("/etc/nsswitch.conf", O_RDONLY) = 4 566 fstat(4, {st_mode=S_IFREG|0644, st_size=465, ...}) = 0 566 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000 566 read(4, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 465 566 read(4, "", 4096) = 0 566 close(4) = 0 566 munmap(0x40014000, 4096) = 0 566 open("/etc/ld.so.cache", O_RDONLY) = 4 566 fstat(4, {st_mode=S_IFREG|0644, st_size=23853, ...}) = 0 566 old_mmap(NULL, 23853, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40014000 566 close(4) = 0 566 open("/lib/libnss_compat.so.2", O_RDONLY) = 4 566 fstat(4, 
From Alain.Aubord at obs.unige.ch Thu May 31 19:12:53 2001
From: Alain.Aubord at obs.unige.ch (Alain Aubord)
Date: Thu, 31 May 2001 11:12:53 +0200
Subject: Possible bug in openssh configuration file
Message-ID: <3B160B15.8DC80CC2@obs.unige.ch>

Dear Sirs,

I was trying to compile openssh for Solaris 2.8 in 64-bit mode. For that, I defined the variable CFLAGS with the following value "-fast -I/isdc/include -L/isdc/lib -xtarget=ultra -xarch=v9" before running the configure command. The configure command used was the following:

./configure --prefix=/isdc --with-ssl-dir=/isdc --with-prngd-socket=/var/run/entropy --with-default-path="/isdc/scripts:/isdc/bin:/usr/local/scripts:/usr/local/bin:/bin:/usr/bin:/usr/dt/bin:/usr/openwin/bin"

All goes correctly except that the command for linking the executable is not called with the content of the variable "CFLAGS" (as you can see in the following extract of the compile log). This is annoying since the linking cannot be done (without the correct parameter, 32-bit linking is done). The solution I used is to do the link manually with the content of the variable CFLAGS, and that worked. But I spent some time finding that.

---------------------------------------Extract of compilation log---------------------------
cc -fast -I/isdc/include -L/isdc/lib -xtarget=ultra -xarch=v9 -I. -I. -I/isdc/include -I/usr/local/include -DETCDIR=\"/isdc/etc\" -D_PATH_SSH_PROGRAM=\"/isdc/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/isdc/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/isdc/libexec/sftp-server\" -D_PATH_SSH_PIDDIR=\"/var/run\" -DHAVE_CONFIG_H -c sftp-glob.c
"sftp-glob.c", line 156: warning: assignment type mismatch: pointer to function(pointer to const char) returning pointer to void "=" pointer to void
"sftp-glob.c", line 157: warning: assignment type mismatch: pointer to function(pointer to void) returning pointer to struct dirent {unsigned long d_ino, long d_off, unsigned short d_reclen, array[1] of char d_name} "=" pointer to void
"sftp-glob.c", line 158: warning: assignment type mismatch: pointer to function(pointer to void) returning void "=" pointer to void
"sftp-glob.c", line 167: warning: argument #3 is incompatible with prototype: prototype: pointer to function(pointer to const char, int) returning int : "./openbsd-compat/glob.h", line 94 argument : pointer to void
cc -o sftp sftp.o sftp-client.o sftp-common.o sftp-int.o sftp-glob.o scp-common.o -L. -Lopenbsd-compat/ -R/isdc/lib -L/isdc/lib -L/usr/local/lib -R/usr/local/lib -lssh -lopenbsd-compat -lz -lsocket -lnsl -lgen -lcrypto

Yours Sincerely,
A.Aubord

My address:
e-mail: Alain.Aubord at obs.unige.ch
Surface Mail:
A.Aubord
System Manager
Chemin d'Ecogia 16
CH-1290 Versoix
Switzerland.
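The failure mode in this report (the link step silently producing 32-bit objects) is easy to catch before installing: inspect the ELF class of every built executable. The script below is an added example written for this page, not code from the report or from the OpenSSH build; it reads the ELF identification bytes directly so it needs only od(1), and the list of binaries to check is the caller's own assumption.

```shell
#!/bin/sh
# Added example: verify that built executables really are 64-bit ELF objects,
# i.e. that the link step honoured the 64-bit flags. EI_CLASS is byte offset 4
# of the ELF header: 1 = ELFCLASS32, 2 = ELFCLASS64. No file(1) required.

# Print "32" or "64" for an ELF file, "not-elf" otherwise (exit status 1).
elf_class() {
    f=$1
    # First five bytes as unsigned decimal octets: 127 69 76 70 <class>
    set -- $(od -An -tu1 -N5 "$f" 2>/dev/null)
    if [ "$#" -ne 5 ] || [ "$1" -ne 127 ] || [ "$2" -ne 69 ] \
        || [ "$3" -ne 76 ] || [ "$4" -ne 70 ]; then
        echo "not-elf"
        return 1
    fi
    case $5 in
        1) echo 32 ;;
        2) echo 64 ;;
        *) echo "not-elf"; return 1 ;;
    esac
}

# Check that every file given is the expected class ("32" or "64").
# Returns 0 only if all match; each mismatch is reported on stderr.
check_build() {
    want=$1
    shift
    rc=0
    for f in "$@"; do
        got=$(elf_class "$f") || true
        if [ "$got" != "$want" ]; then
            echo "$f: expected ELF$want, got $got" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use, e.g. after "make" in the OpenSSH build tree (assumed names):
#   sh check-elf-class.sh 64 ssh scp sftp sftp-server sshd
if [ "$#" -gt 0 ]; then
    check_build "$@"
fi
```

With an autoconf-generated Makefile the link rule normally takes its flags from LDFLAGS rather than CFLAGS, so passing the same -xarch value in LDFLAGS when running configure is the usual way to get a 64-bit link (an assumption about the build system, not something the report states).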