From bugzilla-daemon at mindrot.org Sun Dec 1 04:35:57 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 1 Dec 2002 04:35:57 +1100 (EST)
Subject: [Bug 449] New: ssh_prng_cmds has malformed arp command
Message-ID: <20021130173557.332323D0E6@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=449

           Summary: ssh_prng_cmds has malformed arp command
           Product: Portable OpenSSH
           Version: 3.4p1
          Platform: Sparc
        OS/Version: Solaris
            Status: NEW
          Severity: major
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: keith at ajmani.org


The file "ssh_prng_cmds", used for entropy generation on systems like
Solaris that lack a decent /dev/random, contains an incorrect "arp" entry.
In particular, the command run is:

    "arp -a -n"    /usr/sbin/arp    0.02

Unfortunately, in Solaris 8, the "-n" command (no host lookups) is not
supported. As a result, when this command is run on a Solaris box that has
arp entries in its cache that it cannot resolve -- either via a local
nameserver or a remote one -- then this command hangs, for a very, very
long time.

Some results of this hang are:

- sshd will take 10+ minutes to start on boot
- ssh-keygen commands progress very, very slowly

This situation arose when I had a Solaris box installed in a private 10.x
network, running named locally with itself as the only DNS server in
/etc/resolv.conf. However, the box was sitting on a LAN with other boxes in
a subnet outside of the range that the Solaris box was authoritative for,
and so its arp cache had entries that it could not resolve locally.

My suggested fix to this bug is to remove the "arp" command from
ssh_prng_cmds on Solaris.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
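The hang described in this report is what a per-command deadline in the entropy gatherer prevents: one command stuck in name lookups must not stall the whole run. The block below is an added illustration of that principle, not OpenSSH's ssh-rand-helper code and not the bug 400 fix referred to later in this thread. It parses one ssh_prng_cmds-style line (assuming the three-field layout of the entry quoted above: a quoted command line, the executable's path and an entropy-rate estimate), runs the command, and kills it if it has not exited within the deadline. The names parse_prng_cmd, run_with_timeout and run_prng_cmd_line are mine, the sample entries in main() are constructed, and the command's output is simply discarded here, where a real gatherer would read it into the pool.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define MAX_ARGS 16

enum { RUN_TIMEOUT = -2, RUN_ERROR = -1 };

/* One entry of an ssh_prng_cmds-style file (assumed three-field layout, as in
 * the entry quoted in the report):  "cmd args..."  /path/to/cmd  rate */
struct prng_cmd {
    char argbuf[256];           /* the quoted command line, NUL-split in place */
    char *argv[MAX_ARGS + 1];   /* pointers into argbuf, NULL-terminated */
    char path[256];             /* executable actually run */
    double rate;                /* entropy-rate estimate */
};

/* Parse one line into pc. Returns argc, or -1 if the line is malformed. */
int parse_prng_cmd(const char *line, struct prng_cmd *pc)
{
    const char *open, *close;
    size_t n;
    char *p;
    int argc = 0;

    memset(pc, 0, sizeof(*pc));
    open = strchr(line, '"');
    if (open == NULL || (close = strchr(open + 1, '"')) == NULL)
        return -1;
    n = (size_t)(close - open - 1);
    if (n == 0 || n >= sizeof(pc->argbuf))
        return -1;
    memcpy(pc->argbuf, open + 1, n);
    if (sscanf(close + 1, "%255s %lf", pc->path, &pc->rate) != 2)
        return -1;

    /* split the command line on blanks, leaving argv[] pointing into argbuf */
    for (p = pc->argbuf; *p != '\0' && argc < MAX_ARGS; ) {
        while (*p == ' ' || *p == '\t')
            *p++ = '\0';
        if (*p == '\0')
            break;
        pc->argv[argc++] = p;
        while (*p != '\0' && *p != ' ' && *p != '\t')
            p++;
    }
    pc->argv[argc] = NULL;
    return argc > 0 ? argc : -1;
}

/* Run path with argv, killing it if it has not exited after timeout_ms.
 * Returns the child's exit status, RUN_TIMEOUT if it had to be killed, or
 * RUN_ERROR if it could not be started or died from a signal. */
int run_with_timeout(const char *path, char *const argv[], int timeout_ms)
{
    struct timespec tick = { 0, 50 * 1000 * 1000 };   /* 50 ms poll interval */
    int status, elapsed_ms = 0;
    pid_t pid = fork();

    if (pid < 0)
        return RUN_ERROR;
    if (pid == 0) {
        /* child: a real gatherer would pipe stdout back to mix into the pool */
        execv(path, argv);
        _exit(127);
    }
    for (;;) {
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid)
            return WIFEXITED(status) ? WEXITSTATUS(status) : RUN_ERROR;
        if (r < 0)
            return RUN_ERROR;
        if (elapsed_ms >= timeout_ms) {
            kill(pid, SIGKILL);
            waitpid(pid, &status, 0);   /* reap it so no zombie is left behind */
            return RUN_TIMEOUT;
        }
        nanosleep(&tick, NULL);
        elapsed_ms += 50;
    }
}

/* Parse a line and run its command under the deadline; RUN_ERROR if it does
 * not parse. */
int run_prng_cmd_line(const char *line, int timeout_ms)
{
    struct prng_cmd pc;

    if (parse_prng_cmd(line, &pc) < 0)
        return RUN_ERROR;
    return run_with_timeout(pc.path, pc.argv, timeout_ms);
}

int main(void)
{
    /* constructed sample entries: a quick one and one that never finishes in
     * time, standing in for the arp command stuck in name lookups */
    const char *lines[] = {
        "\"sh -c true\"   /bin/sh     0.01",
        "\"sleep 5\"      /bin/sleep  0.02",
    };
    size_t i;

    for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        int rc = run_prng_cmd_line(lines[i], 500);
        printf("%s -> %s\n", lines[i],
               rc == RUN_TIMEOUT ? "killed after 500 ms, skipped" :
               rc == RUN_ERROR ? "could not run" : "finished");
    }
    return 0;
}
```

With the deadline in place a stuck entry costs at most the timeout and the gatherer moves on to the next command, instead of the 10+ minute startup delay the report describes.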
From bugzilla-daemon at mindrot.org Sun Dec 1 04:43:43 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 1 Dec 2002 04:43:43 +1100 (EST)
Subject: [Bug 449] ssh_prng_cmds has malformed arp command
Message-ID: <20021130174343.3DE193D153@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=449



------- Additional Comments From keith at ajmani.org  2002-12-01 04:43 -------
Aside: this bug also existed in previous versions of opensshd. My bad for
not reporting it earlier.

From bugzilla-daemon at mindrot.org Sun Dec 1 10:35:15 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 1 Dec 2002 10:35:15 +1100 (EST)
Subject: [Bug 449] ssh_prng_cmds has malformed arp command
Message-ID: <20021130233515.A9A193D15A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=449



------- Additional Comments From dtucker at zip.com.au  2002-12-01 10:35 -------
The timeout bug in ssh-rand-helper (bugid 400) has been fixed. Try this
patch:

http://bugzilla.mindrot.org/attachment.cgi?id=156&action=view

From v_t_m at seznam.cz Tue Dec 3 00:02:24 2002
From: v_t_m at seznam.cz (Václav Tomec)
Date: Mon, 02 Dec 2002 14:02:24 +0100 (CET)
Subject: Patch: Groups per authentication method
Message-ID: <8657.19242-22353-19202697-1038834144@seznam.cz>

Hello all,

I have done a small patch for OpenSSH 3.5p1. With this patch you can
specify allowed user groups per authentication method.

You can find it here:
http://sweb.cz/v_t_m/

Vaclav

______________________________________________________________________
Advertisement: Click, vote and win prizes worth a million in the poll for
the Most Popular Car of 2003 in the Czech Republic!! http://www.autoroku.cz
From Reema.Bangar at nokia.com Tue Dec 3 00:11:24 2002
From: Reema.Bangar at nokia.com (Reema.Bangar at nokia.com)
Date: Mon, 2 Dec 2002 05:11:24 -0800
Subject: (no subject)
Message-ID:

From bugzilla-daemon at mindrot.org Tue Dec 3 23:01:46 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 3 Dec 2002 23:01:46 +1100 (EST)
Subject: [Bug 449] ssh_prng_cmds has malformed arp command
Message-ID: <20021203120146.867F964514@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=449



------- Additional Comments From djm at mindrot.org  2002-12-03 23:01 -------
As Darren noted, the hang bug has been fixed. You can always edit the prng
conf file, or (better) install a /dev/random (there is one available for
Sun, check the list archives) or PRNGd.
From djm at mindrot.org Tue Dec 3 23:08:51 2002
From: djm at mindrot.org (Damien Miller)
Date: Tue, 03 Dec 2002 23:08:51 +1100
Subject: Building without perl
In-Reply-To: <3DDD157B.7050705@unknown.nu>
References: <3DDD157B.7050705@unknown.nu>
Message-ID: <3DEC9ED3.8030509@mindrot.org>

Kim Scarborough wrote:
> I can't seem to compile 3.5p1 on a Solaris 9 box with gcc and GNU make.
> The box does not have perl installed on it. When I run configure, it
> correctly detects the absence of perl on the system, but make dies
> immediately trying to run "fixpaths", which is a perl script. PERL is
> set to nothing in the Makefile.
> 
> Is perl required? The docs don't say it is... if not, how do I get
> around this?

Perl is required to build OpenSSH, or more specifically: to fix up the
paths in the manpages. If you install with normalish paths, then replacing
fixpaths with a shell script which simply cats its input to its output
would be a reasonable workaround.

A while back, someone converted the script to awk & sed. If you want to
revive (check the list archives) and clean this up, it would probably get
committed.

-d
From Terry.D.Masters at Cummins.com Wed Dec 4 02:23:49 2002
From: Terry.D.Masters at Cummins.com (Terry.D.Masters at Cummins.com)
Date: Tue, 03 Dec 2002 10:23:49 -0500
Subject: (no subject)
Message-ID:

Hi,

I am trying to "make" openssh (with GNU make) on an OS/390 V2R10 system
(Unix System Services) and am getting the following error:

/usr/include/nl_types.h: warning: 5 trigraph(s) encountered
In file included from ../log.h:18,
                 from bsd-arc4random.c:26:
/usr/include/syslog.h: warning: 5 trigraph(s) encountered
make[1]: *** [bsd-arc4random.o] Error 1
make: *** [openbsd-compat/libopenbsd-compat.a] Error 2

Any ideas? Configure ran OK....

Terry Masters

_____________
This e-mail transmission and any attachments to it are intended solely for
the use of the individual or entity to whom it is addressed and may contain
confidential and privileged information. If you are not the intended
recipient, your use, forwarding, printing, storing, disseminating,
distribution, or copying of this communication is prohibited. If you
received this communication in error, please notify the sender immediately
by replying to this message and delete it from your computer.
From bugzilla-daemon at mindrot.org Wed Dec 4 02:42:51 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 4 Dec 2002 02:42:51 +1100 (EST)
Subject: [Bug 450] New: sftp crashes when trying to upload a file which doesn't exist
Message-ID: <20021203154251.732AE64513@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=450

           Summary: sftp crashes when trying to upload a file which doesn't
                    exist
           Product: Portable OpenSSH
           Version: 3.5p1
          Platform: ix86
        OS/Version: FreeBSD
            Status: NEW
          Severity: critical
          Priority: P2
         Component: sftp
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: trionon at mail.ru


sftp> put foo.bar
Segmentation fault (core dumped)

I use FreeBSD 4.6 and OpenSSH 3.4p1 and 3.5p1.
OpenSSH_3.4p1 FreeBSD-20020702, SSH protocols 1.5/2.0, OpenSSL 0x0090605f

Core dump happens every time I make a mistake in file name used in PUT sftp
command.

From bugzilla-daemon at mindrot.org Wed Dec 4 04:07:12 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 4 Dec 2002 04:07:12 +1100 (EST)
Subject: [Bug 449] ssh_prng_cmds has malformed arp command
Message-ID: <20021203170712.DCCDA64513@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=449



------- Additional Comments From keith at ajmani.org  2002-12-04 04:07 -------
It's good to know the hang is fixed -- in 3.5p1 I assume?

I'd still suggest removing the arp command on Solaris -- since it's halfway
or less through the ssh_prng_cmds file, sshd is going to take longer to
get good entropy on non /dev/random systems.

We've made the patch (thanks!), and also plan to install the real
/dev/random pkg available from Sun.
From v_t_m at seznam.cz Wed Dec 4 05:16:45 2002
From: v_t_m at seznam.cz (Václav Tomec)
Date: Tue, 03 Dec 2002 19:16:45 +0100 (CET)
Subject: Patch: Allowed user groups per authentication method
Message-ID: <7570.21893-21223-590978760-1038939405@seznam.cz>

Hello all,

I have done a small patch for restrictions per auth methods for OpenSSH
3.5p1. Small info and patch are available on:
http://sweb.cz/v_t_m/

Vaclav

______________________________________________________________________
Advertisement: Obchodní dům.cz - a wide range of household appliances and
electronics, big discounts. Visit http://www.obchodni-dum.cz/index.phtml?prov=59
From tjr at FreeBSD.ORG Tue Dec 3 13:37:51 2002
From: tjr at FreeBSD.ORG (Tim Robbins)
Date: Tue, 3 Dec 2002 13:37:51 +1100
Subject: scp "Bad address" errors with strange filesystem block sizes
Message-ID: <20021203133751.A62901@dilbert.robbins.dropbear.id.au>

When copying from a remote host to a local filesystem with a strange block
size, allocbuf() in scp.c seems to calculate an incorrect buffer size,
causing the copy loop in sink() to write past the end of the buffer. For
example, with smbfs, the optimal block size is negotiated when the client
connects to the server, and is rarely a power of two. In my case it is
64560.

This loop in sink() keeps reading into the buffer until it has read
bp->count bytes of data:

    for (count = i = 0; i < size; i += 4096) {
        amt = 4096;
        if (i + amt > size)
            amt = size - i;
        count += amt;
        do {
            j = read(remin, cp, amt);
            if (j == -1 && (errno == EINTR || errno == EAGAIN)) {
                continue;
            } else if (j <= 0) {
                run_err("%s", j ? strerror(errno) :
                    "dropped connection");
                exit(1);
            }
            amt -= j;
            cp += j;
            statbytes += j;
        } while (amt > 0);

        if (count == bp->cnt) {
            /* Keep reading so we stay sync'd up. */
            if (wrerr == NO) {
                j = atomicio(write, ofd, bp->buf, count);

The problem here is that it requests the data in chunks of 4096 bytes, but
the block size is not a multiple of 4096. One of the read() calls
eventually fails with EFAULT when "cp" is past the break.

This patch makes allocbuf() use roundup() like Berkeley rcp does, instead
of the wacky calculation it uses now. The calculated buffer sizes are
probably still suboptimal when the file system's optimal block size is not
a power of two.


Index: scp.c
===================================================================
RCS file: /x/freebsd/src/crypto/openssh/scp.c,v
retrieving revision 1.1.1.9
diff -u -r1.1.1.9 scp.c
--- scp.c	27 Jun 2002 22:31:12 -0000	1.1.1.9
+++ scp.c	3 Dec 2002 01:54:49 -0000
@@ -1030,6 +1030,9 @@ { size_t size; #ifdef HAVE_STRUCT_STAT_ST_BLKSIZE +#ifndef roundup +#define roundup(x, y) ((((x)+((y)-1))/(y))*(y)) /* to any y */ +#endif struct stat stb; if (fstat(fd, &stb) < 0) { @@ -1039,8 +1042,7 @@ if (stb.st_blksize == 0) size = blksize; else - size = blksize + (stb.st_blksize - blksize % stb.st_blksize) % - stb.st_blksize; + size = roundup(stb.st_blksize, blksize); #else /* HAVE_STRUCT_STAT_ST_BLKSIZE */ size = blksize; #endif /* HAVE_STRUCT_STAT_ST_BLKSIZE */ Tim From mmokrejs at natur.cuni.cz Tue Dec 3 06:04:10 2002 
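Review bot: in the first hunk the roundup() fallback is defined inside allocbuf()'s body, between the `#ifdef HAVE_STRUCT_STAT_ST_BLKSIZE` line and the `struct stat stb;` declaration. A missing-macro fallback like this belongs in a shared compatibility header (portable OpenSSH keeps such definitions in defines.h) so that every file sees one definition, and since the macro divides by y, the `/* to any y */` comment should say that y must be non-zero.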
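Review bot: in the second hunk, `size = roundup(stb.st_blksize, blksize);` yields a multiple of blksize, which is exactly what sink()'s loop depends on, since it advances count in fixed 4096-byte steps and only flushes when count == bp->cnt; that coupling between the two functions deserves a comment at this line, and the `if (stb.st_blksize == 0)` guard above it must stay, because roundup(0, blksize) would otherwise return a zero-length buffer. The 64560-byte smbfs case from the message makes a good regression test: the old expression returns st_blksize itself whenever it exceeds blksize, giving 64560, which the loop steps past, while roundup gives 65536.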
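The buffer-size arithmetic behind the report above, as an added example that is not Tim's patch or OpenSSH code: it computes allocbuf()'s result with the original expression and with the patch's roundup(), and simulates the count bookkeeping of sink()'s receive loop to show which buffer sizes the loop can flush exactly and which make a read land past the end of the buffer. The function names allocbuf_old, allocbuf_roundup and sink_loop_stays_in_bounds are mine; blksize is assumed to be 4096, matching the 4096-byte chunks in the quoted loop, and the 64560-byte block size is the one from the report, the other sizes in main() being constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Chunk size used by sink()'s receive loop in the quoted scp.c; also assumed
 * here to be the blksize argument allocbuf() receives. */
#define CHUNK 4096

/* Buffer size as allocbuf() computed it before the patch. */
size_t allocbuf_old(size_t st_blksize, size_t blksize)
{
    if (st_blksize == 0)
        return blksize;
    return blksize + (st_blksize - blksize % st_blksize) % st_blksize;
}

/* Buffer size with the patch's roundup(): the smallest multiple of blksize
 * that is >= st_blksize. The zero check is still required, because
 * roundup(0, blksize) would be 0. */
size_t allocbuf_roundup(size_t st_blksize, size_t blksize)
{
    if (st_blksize == 0)
        return blksize;
    return ((st_blksize + blksize - 1) / blksize) * blksize;
}

/* Simulate the count bookkeeping of sink()'s loop for a file_size-byte file
 * received into a buf_size-byte buffer. The loop reads CHUNK bytes at a time
 * and only flushes when count == buf_size, so a read that would carry count
 * past buf_size is written beyond the end of the buffer. Returns 1 if every
 * read stays inside the buffer, 0 if one would overrun it. */
int sink_loop_stays_in_bounds(size_t file_size, size_t buf_size)
{
    size_t i, amt, count = 0;

    for (i = 0; i < file_size; i += CHUNK) {
        amt = CHUNK;
        if (i + amt > file_size)
            amt = file_size - i;
        if (count + amt > buf_size)
            return 0;           /* this read writes past bp->buf + bp->cnt */
        count += amt;
        if (count == buf_size)
            count = 0;          /* buffer flushed to the output file */
    }
    return 1;
}

int main(void)
{
    /* 64560 is the smbfs block size from the report; the others are
     * constructed: a power of two, the chunk size itself, and an odd
     * value smaller than one chunk. */
    size_t sizes[] = { 64560, 65536, 4096, 1000 };
    size_t n;

    for (n = 0; n < sizeof(sizes) / sizeof(sizes[0]); n++) {
        size_t old = allocbuf_old(sizes[n], CHUNK);
        size_t fixed = allocbuf_roundup(sizes[n], CHUNK);
        printf("st_blksize=%zu  old=%zu (%s)  roundup=%zu (%s)\n",
               sizes[n],
               old, sink_loop_stays_in_bounds(1 << 20, old) ? "ok" : "OVERRUN",
               fixed, sink_loop_stays_in_bounds(1 << 20, fixed) ? "ok" : "OVERRUN");
    }
    return 0;
}
```

The simulation makes the failure condition concrete: the old expression returns st_blksize unchanged whenever it is larger than blksize, so any filesystem block size that is not a multiple of the chunk size produces a buffer the loop can never flush exactly, while roundup() always returns a multiple of the chunk size.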
From: mmokrejs at natur.cuni.cz (Martin MOKREJŠ)
Date: Mon, 2 Dec 2002 20:04:10 +0100 (CET)
Subject: Cannot compile openssh-3.5.p1 on Irix 6.5.15 with kerberos4
Message-ID:

Hi,
  I have the following problem. I think it's arising from the fact that DES
algorithms are fetched from libcrypto and not from libdes anymore. But,
some types still clash. I use krb4-1.2.1 from http://www.pdc.kth.se/kth-krb

cc -O2 -n32 -TARG:platform=IP22 -OPT:Olimit=0 -I/usr/local/include -I/software/@sys/usr/include -I/usr/local/BerkeleyDB.4.0/include -I/usr/local/openssl/include -I/software/@sys/usr/include/freetype2 -I/software/@sys/usr/include/libxml2 -I/software/@sys/usr/include/libwmf -I. -I. -I/usr/local/openssl/include -I/usr/local/include -I/software/@sys/usr/include -I/usr/local/BerkeleyDB.4.0/include -I/usr/local/openssl/include -I/software/@sys/usr/include/freetype2 -I/software/@sys/usr/include/libxml2 -I/software/@sys/usr/include/libwmf -I/usr/local/include -I/usr/athena/include -I/usr/afsws/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c sshconnect1.c

cc-1204 cc: WARNING File = /usr/athena/include/krb-protos.h, Line = 175
  The indicated declaration is not visible outside of the function.

  krb_check_auth __P((
  ^

cc-1204 cc: WARNING File = /usr/athena/include/krb-protos.h, Line = 456
  The indicated declaration is not visible outside of the function.

  krb_mk_priv __P((
  ^

cc-1204 cc: WARNING File = /usr/athena/include/krb-protos.h, Line = 540
  The indicated declaration is not visible outside of the function.
  krb_rd_priv __P((
  ^

cc-1204 cc: WARNING File = /usr/athena/include/krb-protos.h, Line = 576
  The indicated declaration is not visible outside of the function.

  krb_recvauth __P((
  ^

cc-1204 cc: WARNING File = /usr/athena/include/krb-protos.h, Line = 590
  The indicated declaration is not visible outside of the function.

  krb_sendauth __P((
  ^

cd openbsdcc-1164 cc: ERROR File = sshconnect1.c, Line = 477
  Argument of type "DES_key_schedule" is incompatible with parameter of type
          "struct des_ks_struct *".

      r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session,
                                             ^

1 error detected in the compilation of "sshconnect1.c".
make: *** [sshconnect1.o] Error 2

-- 
Martin Mokrejs, PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585
From bugzilla-daemon at mindrot.org Thu Dec 5 03:58:20 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 5 Dec 2002 03:58:20 +1100 (EST)
Subject: [Bug 451] New: new config-Option: IPv4or6
Message-ID: <20021204165820.C19B664513@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=451

           Summary: new config-Option: IPv4or6
           Product: Portable OpenSSH
           Version: 3.5p1
          Platform: All
               URL: http://www.toppoint.de/~wklaebe/ipv4or6-config-3.5p1.diff
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: bugzilla at orion.toppoint.de


I wanted an option for my .ssh/config enabling me to say "use IPv6 for this
host". Basically, I looked what command line options -4 and -6 do in ssh
and made a config option out of it.

Patch at http://www.toppoint.de/~wklaebe/ipv4or6-config-3.5p1.diff

From Jeff.Koenig at experian.com Thu Dec 5 04:04:27 2002
From: Jeff.Koenig at experian.com (Jeff Koenig)
Date: Wed, 04 Dec 2002 11:04:27 -0600
Subject: OpenSSH 3.5p1 - Solaris 8 expired passwords and BSM issue - any updates?
Message-ID:

I was wondering as to the status on the Solaris 8 expired passwords and BSM
issue with the portable OpenSSH 3.5p1? Has anyone created a workaround to
get these options working with SSH protocol 2? Is there any kind of patch I
can apply or configuration change to make it work with SSH protocol 2? Can
someone tell me when an expected complete fix for these issues might be
available in portable OpenSSH?

Thanks!
Jeff
From fundraishlp at hotmail.com Thu Dec 5 04:14:08 2002
From: fundraishlp at hotmail.com (NonProfit)
Date: Thu, 5 Dec 2002 01:14:08 +0800
Subject: Fundraising Secrets
Message-ID: <20021204171446.0184764514@shitei.mindrot.org>

An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20021205/a089cf86/attachment.html

From hari at isofttechindia.com Thu Dec 5 05:18:20 2002
From: hari at isofttechindia.com (Hari-Isoft)
Date: Wed, 4 Dec 2002 13:18:20 -0500
Subject: 3DES key-length
Message-ID: <0ccf01c29bc1$892b60b0$66fe10ac@axiowave.com>

Hi,

I would like to know the key-length used for 3DES data encryption in
openssh. I thought that it should be 192 (3 * 64) bits, but the sshd man
page states 128 bit key used for 3DES.

Also, I would like to know the 3des key negotiation - who generates the key
(the client or the server).

I am interested in the export regulations concerning openssh in USA. Any
idea on this ?

I would really appreciate your help,

Thanks,
Hari
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20021204/72b41ab0/attachment.html

From hari at isofttechindia.com Thu Dec 5 05:21:33 2002
From: hari at isofttechindia.com (Hari-Isoft)
Date: Wed, 4 Dec 2002 13:21:33 -0500
Subject: 3DES key-length
Message-ID: <0cf201c29bc1$fb214450$66fe10ac@axiowave.com>

Sorry, but I had to send a text file format message.

Hari

----- Original Message -----
From: Hari-Isoft
To: openssh-unix-dev at mindrot.org
Sent: Wednesday, December 04, 2002 1:18 PM
Subject: 3DES key-length

Hi,

I would like to know the key-length used for 3DES data encryption in
openssh. I thought that it should be 192 (3 * 64) bits, but the sshd man
page states 128 bit key used for 3DES.

Also, I would like to know the 3des key negotiation - who generates the key
(the client or the server).

I am interested in the export regulations concerning openssh in USA. Any
idea on this ?

I would really appreciate your help,

Thanks,
Hari

From sales at smoking.com.net Mon Dec 2 02:06:24 2002
From: sales at smoking.com.net (Sales Department)
Date: Sun, 1 Dec 2002 16:06:24 +0100
Subject: Low Price Smokes
Message-ID: <20021204191452.A8AC264515@shitei.mindrot.org>

Dear Sir or Madam

In the past you have requested information on discounted products. If you
are not a smoker, and find this email offensive, then we sincerely
apologise. We will be only too happy to take you off our database.

If you are a smoker, however, you are probably fed up with paying high
prices for your cigarettes and tobacco. Take a look at what we can do for
you at

http://www.britishsmokers.com/?S=20&ID=2&E=2599169

We can send you, legally, by registered air mail, direct to your door, 4
cartons of cigarettes or 40 pouches of rolling tobacco (all brands are
available) from only 170 Euros - about 105 pounds - fully inclusive of
postage and packing.

Why pay more?

If you would rather not hear from us any more, this link will ensure that
you are not bothered again.

http://www.britishsmokers.com/off/index.php

Yours faithfully.

British Smokers
http://www.britishsmokers.com/?S=20&ID=2&E=2599169

w2y12599169563
From Steven.Bishop at TELUS.COM Thu Dec 5 07:35:57 2002
From: Steven.Bishop at TELUS.COM (Steven Bishop)
Date: Wed, 4 Dec 2002 13:35:57 -0700
Subject: AIX - X displays forwarding problem with su
Message-ID: <06B5A7012DC82349B8D264D9403A1FB71BDCEB@bcmsg011.corp.ads>

Hey everyone

Currently I'm using AIX 4.3.3. I've installed OpenSSH version 2.9p1 which,
by the way, works with the way I've hacked it together to get X displays
working correctly. I can ssh into the system as myself and export my
display back, no problem. I can ssh to a system as myself and ( su -
any_userid ) and export my display back, but I had to hack this together
in order to get it to work.

Since the version of openssh 3.4 and above came I can't seem to ( so far )
hack this together to get this working. Not sure if the privilege
separation had anything to do with this or not; I've tried with and
without privilege separation and still no luck.

I have noticed that on Redhat this isn't an issue: displays are able to be
set up correctly no matter how many times you su to different userids, the
display can be issued back to your desktop.

What I've done to make this work on AIX
This is only working with version openssh 2.9p1 and below.

1) all users .profile I've added in these 2 lines.

##############################
# This will setup our displays
##############################
. /usr/local/bin/setdisp.ksh
. /usr/local/bin/generic_alias

2) Contents of setdisp.ksh

#############################################################
#
# script:  setdisp.ksh
#
# purpose: to set the display variable on login
#
#############################################################
#
# Check if su, see if /tmp/ldisp for same date,time
#
DFILE=/tmp/ldisp

if [ ${DISPLAY:-0} = "0" ] ; then
    cdate=`date +"%h%d%H:%M"`
    fdate=`ls -l $DFILE|awk '{print $6$7$8}'`
    if [ $cdate = $fdate ] ; then
        xauth add `cat $DFILE`
        export DISPLAY=`cat $DFILE | awk '{print $1}'`
        echo "" > $DFILE
    fi
fi

3) Contents of generic_alias

alias su="xauth list | sed -n '1,1 p' > /tmp/ldisp;chmod 666 /tmp/ldisp 2>/dev/null; /usr/bin/su"

Once you log in as your userid, you can now ( su - any_userid ) and still
be able to bring back X displays just fine. But I don't think this is
normal!

Anyone else having problems with this? Is there something that I'm doing
wrong that I could be doing differently to get this working correctly?

Thanks for your time

Steven
bishop at telus.net
From Steven.Bishop at telus.com Thu Dec 5 06:54:46 2002
From: Steven.Bishop at telus.com (Steven Bishop)
Date: Wed, 4 Dec 2002 12:54:46 -0700
Subject: Continuous X Display problems on AIX
Message-ID: <06B5A7012DC82349B8D264D9403A1FB71BDCE5@bcmsg011.corp.ads>

Hello

Currently I'm using AIX 4.3.3. I've installed OpenSSH version 2.9p1 which,
by the way, works with the way I've hacked it together to get X displays
working correctly. I can ssh into the system as myself and export my
display back, no problem. I can ssh to a system as myself and ( su - userid )
and export my display back, but I had to hack this together in order to get
it to work. I had to copy the "echo $display" setting and alias it to the su
command when su'ing to another user in order for this to work.

Since the version of openssh 3.4 and above came I can't seem to ( so far )
hack this together to get this working. Not sure if the privilege
separation had anything to do with this or not.

I have noticed that on Redhat this isn't an issue: displays are able to be
set up correctly no matter how many times you su to different userids, the
display can be issued back to your desktop.

Have you noticed this on AIX? Do you know of a way to correct this on AIX?
Is there anything more I can do? I've even got IBM working on this since
they now are providing support for OpenSSH but they are having problems
figuring this out as well!

What I've done to make this work on AIX
This is only working with version openssh 2.9p1 and below.

1) all users .profile I've added in these 2 lines.

##############################
# This will setup our displays
##############################
. /usr/local/bin/setdisp.ksh
. /usr/local/bin/generic_alias

2) Contents of setdisp.ksh

#############################################################
#
# script:  setdisp.ksh
#
# purpose: to set the display variable on login
#
#############################################################
#
# Check if su, see if /tmp/ldisp for same date,time
#
DFILE=/tmp/ldisp

if [ ${DISPLAY:-0} = "0" ] ; then
    cdate=`date +"%h%d%H:%M"`
    fdate=`ls -l $DFILE|awk '{print $6$7$8}'`
    if [ $cdate = $fdate ] ; then
        xauth add `cat $DFILE`
        export DISPLAY=`cat $DFILE | awk '{print $1}'`
        echo "" > $DFILE
    fi
fi

3) Contents of generic_alias

alias su="xauth list | sed -n '1,1 p' > /tmp/ldisp;chmod 666 /tmp/ldisp 2>/dev/null; /usr/bin/su"

Once you log in as your userid, you can now ( su - user ) and still be able
to bring back X displays just fine. But I don't think this is normal!

Thanks for your time

Steven

Steven Bishop
Telus Enterprise Solutions
Systems Analyst
(604) 432-2986
Steven.Bishop at telus.com
From Nicolas.Williams at sun.com Thu Dec 5 10:48:00 2002
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Wed, 4 Dec 2002 15:48:00 -0800
Subject: Connectathon 2003 reminder
Message-ID: <20021204154800.F16688@binky.central.sun.com>

[Reminder: The early registration for Connectathon closes at the end of
this month.]

Get ready for Connectathon 2003!

The 17th annual interoperability testing event for engineers only will be
held Feb. 27-March 6, 2003 in San Jose, California. For the past 2 years,
Connectathon booth space has sold out! Get your registration forms and fees
in early and take advantage of registration discounts available through
December 31st.

Connectathon, sponsored by Sun Microsystems, Inc., hosts over 50 companies
annually in an effort to test and debug source code which utilize the
following technologies and protocols:

    NFS versions 2, 3 and 4
    NFS over RDMA
    NFSv4 replication and migration
    Lock Manager
    Kerberos
    Automounter
    IPv6
    IPsec
    NDMP
    Mobile IPv6
    Secure Shell
    CIFS

In addition, based on demand, we are considering offering:

    Diameter/AAA
    SCTP
    LDAP
    DHCPv6

If you are interested in testing any of the above 4 protocols, please send
a note to Cthon at sun.com and we'll gauge interest. Or if you have a
suggestion for another technology, feel free to contact us as well.

Testing continues 24 hours per day. Technology testing coordinators will
organize testing procedures and test suite material. In addition, there
will be seminars and speakers addressing various topics.

The registration deadline is February 7, 2003. But don't wait that long!
An Early Bird Discount on booth fees is available to those who register
and pay by December 31, 2002. For the past 2 years, Connectathon has sold
out of booth space. Please get your registration materials in quickly to
avoid disappointment.

Go to http://www.connectathon.org to download all forms and information.

If you have any questions, please feel free to contact Audrey Van
Belleghem at audrey at vanb.com or (408) 358-9598.
We look forward to seeing you at the 17th annual Connectathon event!

Audrey Van Belleghem                 Nicolas Williams
Connectathon Manager                 Secure Shell Connectathon Coordinator

From lists at webcrunchers.com Wed Dec 4 21:13:12 2002
From: lists at webcrunchers.com (John D.)
Date: Wed, 4 Dec 2002 02:13:12 -0800
Subject: How do I subscribe to this list?
Message-ID:

The OpenSSH web site link with info on how to join the list, is broken.
We have some serious bugs we want to report.

John

From djm at mindrot.org Thu Dec 5 12:23:18 2002
From: djm at mindrot.org (Damien Miller)
Date: Thu, 05 Dec 2002 12:23:18 +1100
Subject: Testing - please ignore
Message-ID: <3DEEAA86.1080609@mindrot.org>

Testing - please ignore

From bugzilla-daemon at mindrot.org Thu Dec 5 15:57:24 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 5 Dec 2002 15:57:24 +1100 (EST)
Subject: [Bug 450] sftp crashes when trying to upload a file which doesn't exist
Message-ID: <20021205045724.4A1CD64518@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=450



------- Additional Comments From tim at multitalents.net  2002-12-05 15:57 -------
I can not duplicate this problem on UnixWare or Linux
From bugzilla-daemon at mindrot.org Thu Dec 5 16:03:33 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 5 Dec 2002 16:03:33 +1100 (EST)
Subject: [Bug 449] ssh_prng_cmds has malformed arp command
Message-ID: <20021205050333.C2BF864513@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=449

tim at multitalents.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE



------- Additional Comments From tim at multitalents.net  2002-12-05 16:03 -------
This is really a duplicate of Bug 323 that was fixed 14 Jul 2002

*** This bug has been marked as a duplicate of 323 ***

From bugzilla-daemon at mindrot.org Thu Dec 5 16:03:35 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 5 Dec 2002 16:03:35 +1100 (EST)
Subject: [Bug 323] arp -n flag doesn't exist under Solaris, ssh_prng_cmds still uses it
Message-ID: <20021205050335.5A3EE6456A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=323

tim at multitalents.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |keith at ajmani.org



------- Additional Comments From tim at multitalents.net  2002-12-05 16:03 -------
*** Bug 449 has been marked as a duplicate of this bug. ***
From pekkas at netcore.fi Thu Dec 5 17:47:54 2002
From: pekkas at netcore.fi (Pekka Savola)
Date: Thu, 5 Dec 2002 08:47:54 +0200 (EET)
Subject: [Bug 451] New: new config-Option: IPv4or6
In-Reply-To: <20021204165820.C19B664513@shitei.mindrot.org>
Message-ID:

I fail to see the real usefulness of this command, as manual configuration
on a host-basis seems like a big chore to me .. much bigger than just
trying v6 and using it if AAAA records are found.

On Thu, 5 Dec 2002 bugzilla-daemon at mindrot.org wrote:
> http://bugzilla.mindrot.org/show_bug.cgi?id=451
> 
>            Summary: new config-Option: IPv4or6
>            Product: Portable OpenSSH
>            Version: 3.5p1
>           Platform: All
>                URL: http://www.toppoint.de/~wklaebe/ipv4or6-config-
>                     3.5p1.diff
>         OS/Version: All
>             Status: NEW
>           Severity: enhancement
>           Priority: P2
>          Component: ssh
>         AssignedTo: openssh-unix-dev at mindrot.org
>         ReportedBy: bugzilla at orion.toppoint.de
> 
> 
> I wanted an option for my .ssh/config enabling me to say "use IPv6 for this host". Basically, I looked what command line options -4 and -6 do in ssh and made a config option out of it.
> 
> Patch at http://www.toppoint.de/~wklaebe/ipv4or6-config-3.5p1.diff
> 
> 
> 
> ------- You are receiving this mail because: -------
> You are the assignee for the bug, or are watching the assignee.
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> 

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
From dan at doxpara.com Wed Dec 4 11:21:17 2002
From: dan at doxpara.com (Dan Kaminsky)
Date: Wed, 04 Dec 2002 00:21:17 +0000
Subject: 3DES key-length
References: <0cf201c29bc1$fb214450$66fe10ac@axiowave.com>
Message-ID: <3DED4A7D.606@doxpara.com>

> I would like to know the key-length used for 3DES data encryption in
> openssh.
> I thought that it should be 192 (3 * 64) bits, but the sshd man page states
> 128 bit key used for 3DES.

This is one time when Marketing got it right. Key length is a bit
messy...3DES uses three 64 bit keys, but 8 bits of each key is parity
(i.e. doesn't contribute to security value). So there's 56*3 or 168 bits
of entropy behind each 3DES key. If I remember correctly, there's an
optimized model of 3DES cracking that reduces the complexity of 168 bit
3DES to 112 bits. (2DES is only 1 bit more complex to break than straight
DES, due to this attack.) But 3DES has undergone vastly more cryptanalysis
than any other algorithm, so it's a bit unfair to say it's inferior to
those ciphers that directly use 128 bit keys (Blowfish, AES, etc.)

So -- instead of mucking with the details of 64 bit keys that are really
56 bit but are used thrice to give 192 bits of keying material with only
168 bits used but with only 112 bits of security on a very widely trusted
algorithm...

It's 128 bit.

> Also, I would like to know the 3des key negotiation - who generates the key
> (the client or the server).

Don't remember off the top of my head, I'll dive through the specs if
nobody else pipes up. Under DH, neither side actually needs to generate
the key -- it can be the unified outcome of their asymmetric exchange.

> I am interested in the export regulations concerning openssh in USA. Any
> idea on this ?

Should be pretty free of US regs; all the crypto modules are imported from
Canada / Germany / Etc.

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com
From: brad at eecs.berkeley.edu (Brad Krebs)
Date: Wed, 04 Dec 2002 18:29:19 -0800
Subject: openssh 3.4p1 and 3.5p1 with Tru64
Message-ID: <3DEEB9FF.E8B7D615@eecs.berkeley.edu>

You might want to include in your documentation that by NOT including `UsePrivilegeSeparation no` in Tru64 sshd_config files users trying to ssh to the machine will get:

Too many users logged on already. Try again later.

I found the fix to this problem at:
http://www.ornl.gov/cts/archives/mailing-lists/tru64-unix-managers/2002/06/msg00315.html

Thanks, and you guys do great work maintaining software that is essential.

--Brad Krebs

From stuge-openssh-unix-dev at cdy.org Thu Dec 5 20:16:56 2002
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Thu, 5 Dec 2002 10:16:56 +0100
Subject: Building without perl
In-Reply-To: <3DEC9ED3.8030509@mindrot.org>
References: <3DDD157B.7050705@unknown.nu> <3DEC9ED3.8030509@mindrot.org>
Message-ID: <20021205091656.GA9983@foo.birdnet.se>

On Tue, Dec 03, 2002 at 11:08:51PM +1100, Damien Miller wrote:
> >Is perl required? The docs don't say it is... if not, how do I get
>
> Perl is required to build OpenSSH, or more specifically: to fix
> up the paths in the manpages. If you install with normalish
>
> A while back, someone converted the script to awk & sed. If you
> want to revive (check the list archives) and clean this up, it
> would probably get committed.

I've tried to create a bugzilla account two times now but failed.. So here's a patch attached, along with the full file. It uses sh, sed and grep. (grep only for syntax validation)

It might not handle difficult characters [\"'] etc very well, if at all, but this might not matter either.

//Peter

-------------- next part --------------
#!/bin/sh
#
# fixpaths - substitute makefile variables into text files

die() {
	echo $*
	exit -1
}

test -n "`echo $1|grep -- -D`" || die $0: nothing to do - no substitutions listed!
test -n "`echo $1|grep -- '-D[^=]\+=[^ ]\+'`" || die $0: error in command line arguments.
test -n "`echo $*|grep -- ' [^-]'`" || die Usage: $0 '[-Dstring=replacement] [[infile] ...]'

sed `echo $*|sed -e 's/-D\([^=]\+\)=\([^ ]*\)/-e s=\1=\2=g/g'`
exit 0
-------------- next part --------------
--- fixpaths.orig Mon Apr 16 02:41:47 2001
+++ fixpaths Thu Dec 5 10:08:07 2002
@@ -1,43 +1,15 @@ -#!/usr/bin/perl -w +#!/bin/sh # # fixpaths - substitute makefile variables into text files - -$usage = "Usage: $0 [-Dstring=replacement] [[infile] ...]\n"; - -if (!defined(@ARGV)) { die ("$usage"); } - -# read in the command line and get some definitions -while ($_=$ARGV[0], /^-/) { - if (/^-D/) { - # definition - shift(@ARGV); - if ( /-D(.*)=(.*)/ ) { - $def{"$1"}=$2; - } else { - die ("$usage$0: error in command line arguments.\n"); - } - } else { - @cmd = split(//, $ARGV[0]); $opt = $cmd[1]; - die ("$usage$0: unknown option '-$opt'\n"); - } -} # while parsing arguments - -if (!defined(%def)) { - die ("$0: nothing to do - no substitutions listed!\n"); +die() { + echo $* + exit -1 } -for $f (@ARGV) { - - $f =~ /(.*\/)*(.*)$/; - - open(IN, "<$f") || die ("$0: input file $f missing!\n"); - while () { - for $s (keys(%def)) { - s#$s#$def{$s}#; - } # for $s - print; - } # while -} # for $f +test -n "`echo $1|grep -- -D`" || die $0: nothing to do - no substitutions listed! +test -n "`echo $1|grep -- '-D[^=]\+=[^ ]\+'`" || die $0: error in command line arguments. +test -n "`echo $*|grep -- ' [^-]'`" || die Usage: $0 '[-Dstring=replacement] [[infile] ...]' -exit 0; +sed `echo $*|sed -e 's/-D\([^=]\+\)=\([^ ]*\)/-e s=\1=\2=g/g'` +exit 0 From dan at doxpara.com Wed Dec 4 13:47:54 2002 
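Review bot: Two constructs in the replacement body of this hunk are not portable and account for the failures reported later in the thread. `exit -1` in `die()`: POSIX `exit` takes an unsigned decimal, and the Solaris sh rejects it (`./fixpaths: -1: bad number` in Darren Tucker's report); use `exit 1`. The argument check `grep -- '-D[^=]\+=[^ ]\+'` relies on `\+`, a GNU regex extension that traditional grep lacks, so on AIX and Solaris the test never matches and every invocation dies with `error in command line arguments`; write `'-D[^=][^=]*=[^ ][^ ]*'` instead. Two behaviour changes relative to the removed Perl also deserve a line in the commit message: the generated `s=\1=\2=g` uses `=` as the sed delimiter, so a replacement value containing `=` breaks the script (the Perl used `#`), and the `g` flag replaces every occurrence on a line where `s#$s#$def{$s}#` replaced only the first. Finally, `echo $*|grep -- ' [^-]'` insists on at least one non-option argument, so the script can no longer filter stdin the way the Perl read loop did when no files were given.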
From: dan at doxpara.com (Dan Kaminsky)
Date: Wed, 04 Dec 2002 02:47:54 +0000
Subject: [Bug 451] New: new config-Option: IPv4or6
References: 
Message-ID: <3DED6CDA.1030501@doxpara.com>

Pekka Savola wrote:

> I fail to see the real usefulness of this command, as manual configuration
> on a host-basis seems like a big chore to me .. much bigger than just
> trying v6 and using it if AAAA records are found.

What if the IPv6 network is being slow? What if IPv6 endpoints and IPv4 endpoints fall out of sync (i.e. 1.2.3.4 is not IPv6 1.2.3.4)?

There's some pretty extensive ipv4/ipv6 transition nastiness to be dealt with, as described here:

http://playground.iijlab.net/i-d/draft-itojun-ipv6-transition-abuse-01.txt

I'd lean toward providing support for avoiding such hassles.

--Dan

From djm at mindrot.org Thu Dec 5 20:33:17 2002
From: djm at mindrot.org (Damien Miller)
Date: Thu, 05 Dec 2002 20:33:17 +1100
Subject: Building without perl
In-Reply-To: <20021205091656.GA9983@foo.birdnet.se>
References: <3DDD157B.7050705@unknown.nu> <3DEC9ED3.8030509@mindrot.org> <20021205091656.GA9983@foo.birdnet.se>
Message-ID: <3DEF1D5D.5010701@mindrot.org>

Peter Stuge wrote:
> I've tried to create a bugzilla account two times now but failed..

Did you get errors? If so, please tell me (off list).

> So here's a patch attached,

Thanks - I'll try it out.

> sed `echo $*|sed -e 's/-D\([^=]\+\)=\([^ ]*\)/-e s=\1=\2=g/g'`

Cute :)

-d

From markus at openbsd.org Thu Dec 5 20:46:10 2002
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 5 Dec 2002 10:46:10 +0100
Subject: scp "Bad address" errors with strange filesystem block sizes
In-Reply-To: <20021203133751.A62901@dilbert.robbins.dropbear.id.au>
References: <20021203133751.A62901@dilbert.robbins.dropbear.id.au>
Message-ID: <20021205094610.GA12102@folly>

On Tue, Dec 03, 2002 at 01:37:51PM +1100, Tim Robbins wrote:
> +#ifndef roundup
> +#define roundup(x, y) ((((x)+((y)-1))/(y))*(y)) /* to any y */
> +#endif

no need to define roundup here, openssh uses roundup() in other places, too.

-m

From bugzilla-daemon at mindrot.org Thu Dec 5 21:02:07 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 5 Dec 2002 21:02:07 +1100 (EST)
Subject: [Bug 450] sftp crashes when trying to upload a file which doesn't exist
Message-ID: <20021205100207.BA1BB64546@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=450

------- Additional Comments From markus at openbsd.org 2002-12-05 21:02 -------
hm, strange, perhaps freebsd glob bug?

% sftp localhost
Connecting to localhost...
sftp> put foo.bar
File "foo.bar" not found.
sftp> quit
%

From djm at mindrot.org Thu Dec 5 21:04:44 2002
From: djm at mindrot.org (Damien Miller)
Date: Thu, 05 Dec 2002 21:04:44 +1100
Subject: Building without perl
In-Reply-To: <3DEF1D5D.5010701@mindrot.org>
References: <3DDD157B.7050705@unknown.nu> <3DEC9ED3.8030509@mindrot.org> <20021205091656.GA9983@foo.birdnet.se> <3DEF1D5D.5010701@mindrot.org>
Message-ID: <3DEF24BC.1020805@mindrot.org>

Damien Miller wrote:
>> here's a patch attached,
>
> Thanks - I'll try it out.

Committed - it would be good if people test this with various grep and sed implementations.

-d

From pekkas at netcore.fi Thu Dec 5 21:06:17 2002
From: pekkas at netcore.fi (Pekka Savola)
Date: Thu, 5 Dec 2002 12:06:17 +0200 (EET)
Subject: [Bug 451] New: new config-Option: IPv4or6
In-Reply-To: <3DED6CDA.1030501@doxpara.com>
Message-ID: 

On Wed, 4 Dec 2002, Dan Kaminsky wrote:
> Pekka Savola wrote:
> > I fail to see the real usefulness of this command, as manual configuration
> > on a host-basis seems like a big chore to me .. much bigger than just
> > trying v6 and using it if AAAA records are found.
>
> What if the IPv6 network is being slow?

Remove it from DNS or use -4.

> What if IPv6 endpoints and IPv4 endpoints fall out of sync (i.e. 1.2.3.4
> is not IPv6 1.2.3.4)?

See above.

> There's some pretty extensive ipv4/ipv6 transition nastiness to be dealt
> with, as described here:
>
> http://playground.iijlab.net/i-d/draft-itojun-ipv6-transition-abuse-01.txt
>
> I'd lean toward providing support for avoiding such hassles.

There's another that may prove to be interesting reading especially considering your first point:

http://www.ietf.org/internet-drafts/draft-savola-v6ops-6bone-mess-01.txt

Also, "IPv6 transition architecture" and "getaddrinfo address ordering" discussion on IETF v6ops mailing list last month may be very interesting in that light.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

From dan at doxpara.com Wed Dec 4 14:50:00 2002
From: dan at doxpara.com (Dan Kaminsky)
Date: Wed, 04 Dec 2002 03:50:00 +0000
Subject: [Bug 451] New: new config-Option: IPv4or6
References: 
Message-ID: <3DED7B68.3020909@doxpara.com>

> Remove it from DNS or use -4.

Removal from DNS is not always an option -- arguably, it's more secure to distrust DNS and instead explicitly specify an IP/Hostalias combination. If someone's intentionally specifying an IP address, maybe it's because they're saying DNS isn't working right. We shouldn't reintroduce a dependency if we can avoid it, especially if it's a blocking one. (Those reports of "my sshd freezes for thirty seconds before it logs me in" always have something to do with DNS.)

Anyway, command line options really should be shorthand for a longer, more verbose specification in a configuration file. If you accept the command line as The Most Important Stuff You Need To Use, the config file is that and everything else. What else would it be?

>>What if IPv6 endpoints and IPv4 endpoints fall out of sync (i.e. 1.2.3.4
>>is not IPv6 1.2.3.4)?
>
> See above.

How does DNS prevent IPv4/IPv6 desync? How does DNS address the case where the ipv6 network is in permanent alpha state? If somebody knows they absolutely want to avoid all IPV6 use -- heh, maybe it crashes their network -- why shouldn't they be able to specify that in a config file? We certainly have much less useful stuff in that pile :-)

> http://www.ietf.org/internet-drafts/draft-savola-v6ops-6bone-mess-01.txt

Very interesting reading -- I'll print this out when I get home.

> Also, "IPv6 transition architecture" and "getaddrinfo address ordering"
> discussion on IETF v6ops mailing list last month may be very interesting
> in that light.

Got a link I can jump in on?

--Dan

From godot at ulyssis.org Thu Dec 5 22:19:19 2002
From: godot at ulyssis.org (Danny De Cock)
Date: Thu, 5 Dec 2002 12:19:19 +0100 (CET)
Subject: 3DES key-length
In-Reply-To: <3DED4A7D.606@doxpara.com>
Message-ID: 

hi,

about the 3des key length stuff:

for 3des, a 64-bit plaintext block P is transformed into a 64-bit ciphertext block C applying the following procedure: C=enc(key1,dec(key2,enc(key3,P))).

in this scheme, enc(key,data) stands for the single-DES encryption of some data using the key. both key and data consist of 8 bytes, where the key is encoded in such a way that it only holds 56 real key-bits, and 8 parity bits. it is clear that dec(key,data) stands for a single-DES decryption using the key on some data.

this means that each of the 3 keys in this scheme consists of 56 actual key bits.

if key1 = key2 = key3, then the 3DES-scheme is equivalent to the single-DES-scheme. using key1 = key3 with a different key2 leads to 3DES with two keys. this scheme is generally known as two-key 3DES, with a total key size of 112 bits. if all three keys are different, one refers to the scheme as 3-key 3DES with a total key size of 168 bits.

comparing 3DES with the AES on the key length only is not fair as the AES can be used with keys of 128, 196 and 256 bits, but this algorithm operates on 128-bit data blocks (as mentioned above, 3DES and the DES use 64-bit data blocks).

based on the ssh man pages, ssh supports 3DES with 3 different keys. these keys are derived from the shared secret which is negotiated using the diffie-hellman protocol during the ssh key handshake.

hope this helps,
danny.

On Wed, 4 Dec 2002, Dan Kaminsky wrote:

> > I would like to know the key-length used for 3DES data encryption in
> > openssh.
> > I thought that it should be 192 (3 * 64) bits, but the sshd man page states
> > 128 bit key used for 3DES.
>
> This is one time when Marketing got it right.
>
> Key length is a bit messy...3DES uses three 64 bit keys, but 8 bits of
> each key is parity(i.e. doesn't contribute to security value). So
> there's 56*3 or 168 bits of entropy behind each 3DES key.
>
> If I remember correctly, there's an optimized model of 3DES cracking
> that reduces the complexity of 168 bit 3DES to 112 bits. (2DES is
> only 1 bit more complex to break than straight DES, due to this
> attack.) But 3DES has undergone vastly more cryptanalysis than any
> other algorithm, so it's a bit unfair to say it's inferior to those
> ciphers that directly use 128 bit keys (Blowfish, AES, etc.)
>
> So -- instead of mucking with the details of 64 bit keys that are
> really 56 bit but are used thrice to give 192 bits of keying material
> with only 168 bits used but with only 112 bits of security on a very
> widely trusted algorithm...
>
> It's 128 bit.
>
> > Also, I would like to know the 3des key negotiation - who generates the key
> > (the client or the server).
>
> Don't remember off the top of my head, I'll dive through the specs if
> nobody else pipes up. Under DH, neither side actually needs to
> generate the key -- it can be the unified outcome of their asymmetric
> exchange.
>
> > I am interested in the export regulations concerning openssh in USA. Any
> > idea on this ?
>
> Should be pretty free of US regs; all the crypto modules are imported
> from Canada / Germany / Etc.
>
> Yours Truly,
>
> Dan Kaminsky
> DoxPara Research
> http://www.doxpara.com

-----------------------------------------------------------------------------
Don't kid yourself. Little is relevant, and nothing lasts forever.
-----------------------------------------------------------------------------
Mail : Danny.DeCock at esat.kuleuven.ac.be  daniel.decock at postbox.be
WWW  : http://ace.ulyssis.org/~godot      godot at advalvas.be

From pod at herald.ox.ac.uk Thu Dec 5 22:44:11 2002
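Danny's accounting above (three 64-bit sub-keys carrying 56 real bits each, and the one-, two- and three-key variants) together with the derivation from the Diffie-Hellman secret he mentions, as an added example that is not code from either post: the derivation follows the SSH-2 transport spec (RFC 4253 section 7.2, the same scheme as the 2002 secsh drafts), and the shared secret, exchange hash and session id used in the demo are constructed stand-ins.

```python
"""3DES keying material as SSH-2 derives it, and how many key bits it really holds.

Added example, not code from the posts above.  The derivation follows the
SSH-2 transport spec (RFC 4253 section 7.2); the shared secret K, exchange
hash H and session id used in the demo are constructed stand-ins."""
import hashlib

# The four DES weak keys in odd-parity form.  3DES inherits them when all
# three sub-keys collapse to the same 56 bits.
WEAK_DES_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"),
    bytes.fromhex("1F1F1F1F0E0E0E0E"),
}


def fix_parity(key8: bytes) -> bytes:
    """Set the low bit of each byte so that the byte has odd parity.

    Only the top 7 bits of every byte are key bits; DES ignores the LSB,
    which is why a "64-bit" DES key carries 56 bits of secret."""
    out = bytearray()
    for b in key8:
        top7 = b & 0xFE
        ones = bin(top7).count("1")
        out.append(top7 | (0 if ones % 2 else 1))
    return bytes(out)


def has_odd_parity(key8: bytes) -> bool:
    return all(bin(b).count("1") % 2 == 1 for b in key8)


def key_bits_56(key8: bytes) -> bytes:
    """The 56 bits DES actually uses: every byte with its parity bit cleared."""
    return bytes(b & 0xFE for b in key8)


def keying_option(key24: bytes):
    """Classify 24 bytes of 3DES keying material.

    Returns (independent_keys, effective_key_bits): 3 -> 168, 2 -> 112
    (two-key 3DES, key1 == key3), 1 -> 56 (plain single DES).  Sub-keys are
    compared on their 56 key bits, so parity bits never count as key."""
    if len(key24) != 24:
        raise ValueError("3DES needs exactly 24 bytes of keying material")
    distinct = {key_bits_56(key24[i:i + 8]) for i in (0, 8, 16)}
    return len(distinct), 56 * len(distinct)


def is_weak(key24: bytes) -> bool:
    """True when the material collapses to single DES under a weak key."""
    if keying_option(key24)[0] != 1:
        return False
    return fix_parity(key24[:8]) in WEAK_DES_KEYS


def mpint(n: int) -> bytes:
    """SSH mpint: 4-byte length, then minimal two's-complement big-endian bytes."""
    if n < 0:
        raise ValueError("the DH shared secret is positive")
    body = b"" if n == 0 else n.to_bytes(n.bit_length() // 8 + 1, "big")
    return len(body).to_bytes(4, "big") + body


def derive_key(K: int, H: bytes, letter: bytes, session_id: bytes, need: int) -> bytes:
    """K1 = HASH(K || H || letter || session_id); Kn = HASH(K || H || K1 || ... || Kn-1).

    SHA-1 yields 20 bytes per round, so the 24 bytes 3des-cbc needs take one
    extension round.  Letter 'C' is the client-to-server encryption key,
    'D' the server-to-client one; both sides compute them from the same K."""
    prefix = mpint(K) + H
    out = hashlib.sha1(prefix + letter + session_id).digest()
    while len(out) < need:
        out += hashlib.sha1(prefix + out).digest()
    return out[:need]


def session_3des_keys(K: int, H: bytes, session_id: bytes) -> dict:
    """Both directions' 3DES keys for one session; neither side 'generates' them."""
    return {d: derive_key(K, H, d, session_id, 24) for d in (b"C", b"D")}


if __name__ == "__main__":
    # Constructed stand-ins: a real K is the DH result, H the exchange hash,
    # and session_id equals H for the first key exchange of a connection.
    K = int.from_bytes(hashlib.sha1(b"constructed shared secret").digest() * 4, "big")
    H = hashlib.sha1(b"constructed exchange hash").digest()
    for direction, key in session_3des_keys(K, H, H).items():
        n, bits = keying_option(key)
        parity = "parity correct" if has_odd_parity(key) else "parity arbitrary (DES ignores it)"
        print(f"{direction.decode()}: {key.hex()}  {n}-key 3DES, {bits} key bits, {parity}")
    # Parity bits add no key: these sub-keys differ only in their low bits.
    print(keying_option(b"\x00" * 8 + b"\x01" * 8 + b"\x00" * 8))  # (1, 56)
```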
From: pod at herald.ox.ac.uk (pod) Date: Thu, 05 Dec 2002 11:44:11 +0000 Subject: patch to add a PAMServiceName config option Message-ID: I append a patch against openssh-3.5p1.tar.gz which adds a config option PAMServiceName. The option allows one to specify the PAM service at runtime in the config file rather than using __progname or having it hardwired to SSHD_PAM_SERVICE at compile time. I expect this to be useful if one wants to run multiple instances of sshd using different PAM configurations. With this patch SSHD_PAM_SERVICE is not used in auth-pam.c so I moved the definition out of auth-pam.h into servconf.h. Effectively SSHD_PAM_SERVICE now merely supplies the default service name. I'm not convinced that servconf.h is the correct place for it. ==========pam-service.diff follows========== diff -ru openssh-3.5p1.orig/auth-pam.c openssh-3.5p1/auth-pam.c --- openssh-3.5p1.orig/auth-pam.c Sun Jul 28 21:24:08 2002 +++ openssh-3.5p1/auth-pam.c Tue Dec 3 14:22:16 2002 @@ -34,8 +34,6 @@ #include "canohost.h" #include "readpass.h" -extern char *__progname; - extern int use_privsep; RCSID("$Id: auth-pam.c,v 1.54 2002/07/28 20:24:08 stevesk Exp $"); @@ -381,7 +379,7 @@ debug("Starting up PAM with username \"%.200s\"", user); - pam_retval = pam_start(SSHD_PAM_SERVICE, user, &conv, &__pamh); + pam_retval = pam_start(options.pam_service_name, user, &conv, &__pamh); if (pam_retval != PAM_SUCCESS) fatal("PAM initialisation failed[%d]: %.200s", diff -ru openssh-3.5p1.orig/auth-pam.h openssh-3.5p1/auth-pam.h --- openssh-3.5p1.orig/auth-pam.h Tue Jul 23 01:44:07 2002 +++ openssh-3.5p1/auth-pam.h Tue Dec 3 14:13:52 2002 
@@ -27,10 +27,6 @@ #include "includes.h" #ifdef USE_PAM -#if !defined(SSHD_PAM_SERVICE) -# define SSHD_PAM_SERVICE __progname -#endif - void start_pam(const char *user); void finish_pam(void); int auth_pam_password(Authctxt *authctxt, const char *password); diff -ru openssh-3.5p1.orig/servconf.c openssh-3.5p1/servconf.c --- openssh-3.5p1.orig/servconf.c Thu Sep 5 05:35:15 2002 +++ openssh-3.5p1/servconf.c Tue Dec 3 14:22:00 2002 @@ -48,6 +48,8 @@ /* Use of privilege separation or not */ extern int use_privsep; +extern char *__progname; + /* Initializes the server options to their default values. */ void @@ -57,6 +59,7 @@ /* Portable-specific options */ options->pam_authentication_via_kbd_int = -1; + options->pam_service_name = NULL; /* Standard Options */ options->num_ports = 0; @@ -134,6 +137,8 @@ /* Portable-specific options */ if (options->pam_authentication_via_kbd_int == -1) options->pam_authentication_via_kbd_int = 0; + if (options->pam_service_name == NULL ) + options->pam_service_name = SSHD_PAM_SERVICE; /* Standard Options */ if (options->protocol == SSH_PROTO_UNKNOWN) @@ -276,6 +281,7 @@ sBadOption, /* == unknown option */ /* Portable-specific options */ sPAMAuthenticationViaKbdInt, + sPAMServiceName, /* Standard Options */ sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, @@ -312,6 +318,7 @@ } keywords[] = { /* Portable-specific options */ { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt }, + { "PAMServiceName", sPAMServiceName }, /* Standard Options */ { "port", sPort }, { "hostkey", sHostKeyFile }, 
@@ -461,6 +468,16 @@ case sPAMAuthenticationViaKbdInt: intptr = &options->pam_authentication_via_kbd_int; goto parse_flag; + + case sPAMServiceName: + charptr=&options->pam_service_name; + arg=strdelim(&cp); + if (!arg || *arg == '\0' ) + fatal("%s line %d: missing PAM service name", + filename, linenum); + if( *charptr==NULL ) + *charptr=xstrdup(arg); + break; /* Standard Options */ case sBadOption: diff -ru openssh-3.5p1.orig/servconf.h openssh-3.5p1/servconf.h --- openssh-3.5p1.orig/servconf.h Thu Aug 1 02:28:39 2002 +++ openssh-3.5p1/servconf.h Tue Dec 3 14:10:55 2002 @@ -132,6 +132,7 @@ char *authorized_keys_file; /* File containing public keys */ char *authorized_keys_file2; int pam_authentication_via_kbd_int; + char *pam_service_name; } ServerOptions; void initialize_server_options(ServerOptions *); @@ -139,5 +140,8 @@ void fill_default_server_options(ServerOptions *); int process_server_config_line(ServerOptions *, char *, const char *, int); +#if !defined(SSHD_PAM_SERVICE) +# define SSHD_PAM_SERVICE __progname +#endif #endif /* SERVCONF_H */ diff -ru openssh-3.5p1.orig/sshd_config.5 openssh-3.5p1/sshd_config.5 --- openssh-3.5p1.orig/sshd_config.5 Thu Sep 19 02:51:22 2002 +++ openssh-3.5p1/sshd_config.5 Tue Dec 3 14:19:34 2002 @@ -427,6 +427,8 @@ it will allow password authentication regardless of whether .Cm PasswordAuthentication is enabled. +.It Cm PAMServiceName +Specifies the PAM service name to use when initialising PAM services. .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is From dtucker at zip.com.au Fri Dec 6 00:14:38 2002 
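Review bot: In the servconf.c hunk at @@ -461,6 +468,16 @@ the new `case sPAMServiceName:` block departs from the surrounding KNF style: `charptr=&options->pam_service_name;`, `arg=strdelim(&cp);` and `if( *charptr==NULL )` should read `charptr = &options->pam_service_name;`, `arg = strdelim(&cp);` and `if (*charptr == NULL)` like the neighbouring cases. The first-occurrence-wins check via `*charptr == NULL` matches how the other string options behave, so the parsing logic itself is fine.

Review bot: In the servconf.c hunk at @@ -134,6 +137,8 @@, `options->pam_service_name = SSHD_PAM_SERVICE;` stores the macro's value directly; with the default introduced in the servconf.h hunk that is `__progname`, a pointer into another module's storage, whereas the value parsed from sshd_config is an `xstrdup()`'d heap string. Consider `options->pam_service_name = xstrdup(SSHD_PAM_SERVICE);` so both paths yield the same kind of pointer and the field can be freed uniformly.

Review bot: The servconf.h hunk at @@ -139,5 +140,8 @@ defines `SSHD_PAM_SERVICE` as `__progname`, so any translation unit that expands the macro needs `extern char *__progname;` in scope; the patch adds that extern only to servconf.c (hunk @@ -48,6 +48,8 @@). That is enough today because servconf.c is now the only user, but it ties a public header to a declaration it does not provide. Given the author's own doubt about servconf.h, keeping the default definition beside the extern in servconf.c avoids the coupling.

Review bot: The auth-pam.c hunk at @@ -34,8 +34,6 @@ removes `extern char *__progname;` along with the only use shown in this diff; before committing, confirm that no other reference to `__progname` remains in auth-pam.c, since the removal would otherwise break the build on platforms where `__progname` is not declared by a system header.

Review bot: The sshd_config.5 hunk at @@ -427,6 +427,8 @@ documents `PAMServiceName` without stating its default, although every other option entry nearby ends with "The default is ...". From the servconf.c fallback the default is `SSHD_PAM_SERVICE`, i.e. the name of the sshd binary unless overridden at compile time; add a sentence saying so, and note that the option is only available when built with PAM support.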
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 06 Dec 2002 00:14:38 +1100
Subject: AIX - X displays forwarding problem with su
References: <06B5A7012DC82349B8D264D9403A1FB71BDCEB@bcmsg011.corp.ads>
Message-ID: <3DEF513E.35E84753@zip.com.au>

Steven Bishop wrote:
> Currently i'm using AIX 4.3.3. I've installed OpenSSH version 2.9p1
> which by the way works with the way i've hacked it together to get X
> Displays working correctly.

Firstly, 2.9 has some widely-published security problems. You may want to upgrade.

> I can ssh to a system as myself and ( su - any_userid ) and export my
> display back but i had to hack this together in order to get it to work.
[snip]

This is not specific to AIX (it happens on Solaris and probably others) and happens because su clears a lot of the environment (eg $DISPLAY) and because the new uid does not know about the xauth credentials.

Redhat's su seems to create a temporary xauth file (try "echo $XAUTHORITY") and preserve $DISPLAY but this does not appear to be common behaviour.

We use sudo instead for root access. It preserves $DISPLAY and $HOME (so $HOME/.Xauthority can still be used). It also provides better logging.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From tim at multitalents.net Fri Dec 6 02:54:33 2002
From: tim at multitalents.net (Tim Rice)
Date: Thu, 5 Dec 2002 07:54:33 -0800 (PST)
Subject: Building without perl
In-Reply-To: <3DEF24BC.1020805@mindrot.org>
Message-ID: 

On Thu, 5 Dec 2002, Damien Miller wrote:

> Damien Miller wrote:
> >> here's a patch attached,
> >
> > Thanks - I'll try it out.
>
> Committed - it would be good if people test this with various grep and
> sed implementations.

Breaks SCO.

>
> -d
>

-- 
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From bugzilla-daemon at mindrot.org Fri Dec 6 03:14:20 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 6 Dec 2002 03:14:20 +1100 (EST)
Subject: [Bug 452] New: sftp does not abort when commands given via -b fail
Message-ID: <20021205161420.E627164514@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=452

Summary: sftp does not abort when commands given via -b fail
Product: Portable OpenSSH
Version: older versions
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: sftp
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: spin at avalon.net

The man page states that sftp -b will abort when commands (including get) fail. However, when I give sftp a list of get -P commands via the -b option it continues unconcerned when the requested file doesn't exist and it doesn't exit with an error code either (which would be enough for me.)

# /usr/bin/sftp -b /tmp/files roger at remote && echo ok
Connecting to remote...
sftp> GET -P /data/200211/njxj1-cdr_2002_11_30__11_00_00.cdr
Couldn't stat remote file: No such file or directory
File "/data/200211/njxj1-cdr_2002_11_30__11_00_00.cdr" not found.
sftp> GET -P /data/200211/cwxj1-cdr_2002_11_26__05_00_00.cdr.bz2
Fetching /data/200211/cwxj1-cdr_2002_11_26__05_00_00.cdr.bz2 to cwxj1-cdr_2002_11_26__05_00_00.cdr.bz2
sftp> GET -P /data/200211/cwxj2-cdr_2002_11_26__05_00_00.cdr.bz2
Fetching /data/200211/cwxj2-cdr_2002_11_26__05_00_00.cdr.bz2 to cwxj2-cdr_2002_11_26__05_00_00.cdr.bz2
sftp>
ok

From bugzilla-daemon at mindrot.org Fri Dec 6 03:15:18 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 6 Dec 2002 03:15:18 +1100 (EST)
Subject: [Bug 452] sftp does not abort when commands given via -b fail
Message-ID: <20021205161518.0441C64584@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=452

------- Additional Comments From spin at avalon.net 2002-12-06 03:15 -------
Forgot to mention that this is 3.1p1-6 RedHat RPM.

From bugzilla-daemon at mindrot.org Fri Dec 6 06:58:59 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 6 Dec 2002 06:58:59 +1100 (EST)
Subject: [Bug 450] sftp crashes when trying to upload a file which doesn't exist
Message-ID: <20021205195859.BE62764562@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=450

------- Additional Comments From trionon at mail.ru 2002-12-06 06:58 -------
I tried again, but still segmentation fault:

nimnul at 217 (~) > sftp localhost
Connecting to localhost...
The authenticity of host 'localhost (127.0.0.1)' can't be established.
DSA key fingerprint is d2:4c:d9:fa:b6:d8:92:20:ec:a4:7f:35:19:15:a9:d6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (DSA) to the list of known hosts.
Password:
sftp> put aaa.bbb
Segmentation fault (core dumped)

I tried it on different FreeBSD machines, with the same result

From bugzilla-daemon at mindrot.org Fri Dec 6 07:51:07 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 6 Dec 2002 07:51:07 +1100 (EST)
Subject: [Bug 450] sftp crashes when trying to upload a file which doesn't exist
Message-ID: <20021205205107.EA91964562@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=450

------- Additional Comments From mouring at eviladmin.org 2002-12-06 07:51 -------
Is this compiled by you? Or are you using ports or FreeBSD in-tree OpenSSH version? I can't find anyone that can mimic this.

- Ben

From bugzilla-daemon at mindrot.org Fri Dec 6 08:58:01 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 6 Dec 2002 08:58:01 +1100 (EST)
Subject: [Bug 334] SSH hangs when run via a cronjob (ssh2)
Message-ID: <20021205215801.091A664588@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=334

------- Additional Comments From gray.openssh at mailnull.com 2002-12-06 08:58 -------
I will second this. It seems to just hang after a while even though both the server and the client are configured with KeepAlive enabled. It also looks to both sides like the connection is still open. The forwarded ports are still in netstat output but they do not pass any information.

I'm turning off -N to see if that helps and moving to my own keepalive login shell. We'll see if that works.

From bugzilla-daemon at mindrot.org Fri Dec 6 09:00:00 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 6 Dec 2002 09:00:00 +1100 (EST)
Subject: [Bug 334] SSH hangs when run via a cronjob (ssh2)
Message-ID: <20021205220000.9820064588@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=334

------- Additional Comments From gray.openssh at mailnull.com 2002-12-06 08:59 -------
Ooops. I'm running:

client on Linux RH7.X: OpenSSH_3.0.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
server on FreeBSD 4.5: OpenSSH_3.0.2p1

From djm at mindrot.org Fri Dec 6 10:49:28 2002
From: djm at mindrot.org (Damien Miller)
Date: Fri, 06 Dec 2002 10:49:28 +1100
Subject: Building without perl
In-Reply-To: 
References: 
Message-ID: <3DEFE608.1070402@mindrot.org>

Tim Rice wrote:
> On Thu, 5 Dec 2002, Damien Miller wrote:
>
>>Damien Miller wrote:
>>
>>>>here's a patch attached,
>>>
>>>Thanks - I'll try it out.
>>
>>Committed - it would be good if people test this with various grep and
>>sed implementations.
>
> Breaks SCO.

Can you be more specific?

From bugzilla-daemon at mindrot.org Fri Dec 6 11:05:04 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 6 Dec 2002 11:05:04 +1100 (EST)
Subject: [Bug 334] SSH hangs when run via a cronjob (ssh2)
Message-ID: <20021206000504.8CA45645A4@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=334

------- Additional Comments From djm at mindrot.org 2002-12-06 11:05 -------
Please see if you can reproduce with the latest version

From bugzilla-daemon at mindrot.org Fri Dec 6 11:05:36 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 6 Dec 2002 11:05:36 +1100 (EST)
Subject: [Bug 450] sftp crashes when trying to upload a file which doesn't exist
Message-ID: <20021206000536.3E6ED645B8@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=450

------- Additional Comments From djm at mindrot.org 2002-12-06 11:05 -------
Can you get a gdb trace of where it is failing?

From tim at multitalents.net Fri Dec 6 11:04:20 2002
From: tim at multitalents.net (Tim Rice)
Date: Thu, 5 Dec 2002 16:04:20 -0800 (PST)
Subject: Building without perl
In-Reply-To: <3DEFE608.1070402@mindrot.org>
Message-ID: 

On Fri, 6 Dec 2002, Damien Miller wrote:

> Tim Rice wrote:
> > On Thu, 5 Dec 2002, Damien Miller wrote:
> >
> >>Damien Miller wrote:
> >>
> >>Committed - it would be good if people test this with various grep and
> >>sed implementations.
> >
> > Breaks SCO.
>
> Can you be more specific?

Peter and I have been working on it. I think he has a working version now (works on SCO) but I want to test on my other platforms before committing.

I also checked the archives and found
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=97590463728438&w=2

Seems like it may be more robust.

-- 
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From dtucker at zip.com.au Fri Dec 6 11:12:39 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 06 Dec 2002 11:12:39 +1100
Subject: Building without perl
Message-ID: <3DEFEB77.2A74A88B@zip.com.au>

Damien Miller wrote:
> Committed - it would be good if people test this with various grep and
> sed implementations.

It doesn't work on either AIX (4.3.3) or Solaris (7).

$ uname -rs
SunOS 5.7
$ echo a | ./fixpaths -Da=b
./fixpaths: error in command line arguments.
./fixpaths: -1: bad number

$ uname
AIX
$ echo a | ./fixpaths -Da=b
./fixpaths: error in command line arguments.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From eric at lesouk.com Fri Dec 6 11:25:03 2002
From: eric at lesouk.com (Eric Desgranges)
Date: Thu, 5 Dec 2002 16:25:03 -0800
Subject: Error Msg --> "fork of unprivileged child failed"
Message-ID: 

I have installed OpenSSH on a RedHat 7.1. When I try to log on I get a 'connection closed' after I enter my password. What is wrong???

Here is the debug info:

# /usr/sbin/sshd -ddd
debug1: sshd version OpenSSH_3.5p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 148.63.229.186 port 2079
debug1: Client protocol version 2.0; client software version PenguiNet-$Revision:_1.26_$
debug1: no match: PenguiNet-$Revision:_1.26_$
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.5p1
debug2: Network child is on pid 16135
debug3: privsep user:group 507:508
debug1: permanently_set_uid: 507/508
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: 3des-cbc,blowfish-cbc,aes128-cbc,rijndael128-cbc,aes192-cbc,rijndael192-cbc,aes256-cbc,rijndael256-cbc,cast128-cbc,twofish128-cbc,twofish192-cbc,twofish256-cbc,twofish-cbc,serpent128-cbc,serpent192-cbc,serpent256-cbc,arcfour
debug2: kex_parse_kexinit: 3des-cbc,blowfish-cbc,aes128-cbc,rijndael128-cbc,aes192-cbc,rijndael192-cbc,aes256-cbc,rijndael256-cbc,cast128-cbc,twofish128-cbc,twofish192-cbc,twofish256-cbc,twofish-cbc,serpent128-cbc,serpent192-cbc,serpent256-cbc,arcfour
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: zlib,none
debug2: kex_parse_kexinit: zlib,none
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-sha1
debug1: kex: client->server 3des-cbc hmac-sha1 zlib
debug2: mac_init: found hmac-sha1
debug1: kex: server->client 3des-cbc hmac-sha1 zlib
debug1: dh_gen_key: priv key bits set: 196/384
debug1: bits set: 499/1024
debug1: expecting SSH2_MSG_KEXDH_INIT
debug1: bits set: 487/1024
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 4
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 5
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0x80975c8(143)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: Enabling compression at level 6.
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user sshd service ssh-connection method password
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: allowed_user: today 12025 sp_expire -1 sp_lstchg 12025 sp_max 99999
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for sshd
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method password
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: monitor_read: checking request 3
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_request_receive_expect entering: type 11
debug3: mm_answer_authpassword: sending result 1
debug3: mm_request_send entering: type 11
Accepted password for sshd from 148.63.229.186 port 2079 ssh2
debug1: monitor_child_preauth: sshd has been authenticated by privileged process
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect entering: type 24
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: mm_auth_password: user authenticated
Accepted password for sshd from 148.63.229.186 port 2079 ssh2
debug3: mm_send_keystate: Sending new keys: 0x80986b0 0x8091fb0
debug3: mm_newkeys_to_blob: converting 0x80986b0
debug3: mm_newkeys_to_blob: converting 0x8091fb0
debug3: mm_send_keystate: New keys have been sent
debug3: mm_send_keystate: Sending compression state
debug3: mm_request_send entering: type 24
debug3: mm_newkeys_from_blob: 0x80921c8(121)
debug2: mac_init: found hmac-sha1
debug3: mm_get_keystate: Waiting for second key
debug3: mm_newkeys_from_blob: 0x80921c8(121)
debug2: mac_init: found hmac-sha1
debug3: mm_get_keystate: Getting compression state
debug3: mm_get_keystate: Getting Network I/O buffers
debug3: mm_share_sync: Share sync
debug3: mm_share_sync: Share sync end
debug3: mm_send_keystate: Finished sending state
fork of unprivileged child failed
debug1: Calling cleanup 0x8069d3c(0x0)
#

Thank you!

Eric.
eric at lesouk.com

From hari at isofttechindia.com Fri Dec 6 11:58:04 2002
From: hari at isofttechindia.com (Hari-Isoft)
Date: Thu, 5 Dec 2002 19:58:04 -0500
Subject: 3DES key-length
References: <0cf201c29bc1$fb214450$66fe10ac@axiowave.com> <3DED4A7D.606@doxpara.com>
Message-ID: <109a01c29cc2$8c50a8c0$66fe10ac@axiowave.com>

Interesting story, indeed!

> > I am interested in the export regulations concerning openssh in USA. Any
> > idea on this ?
>
> Should be pretty free of US regs; all the crypto modules are imported
> from Canada / Germany / Etc.

But, how about the regulations concerning export of OpenSSH from the USA to other countries, (because of 128 bit key encryption used!) ?

Thanks,
Hari

----- Original Message -----
From: "Dan Kaminsky"
To: "Hari-Isoft"
Cc:
Sent: Tuesday, December 03, 2002 7:21 PM
Subject: Re: 3DES key-length

> > I would like to know the key-length used for 3DES data encryption in
> > openssh.
> > I thought that it should be 192 (3 * 64) bits, but the sshd man page states
> > 128 bit key used for 3DES.
>
> This is one time when Marketing got it right.
>
> Key length is a bit messy...3DES uses three 64 bit keys, but 8 bits of
> each key is parity(i.e. doesn't contribute to security value). So
> there's 56*3 or 168 bits of entropy behind each 3DES key.
>
> If I remember correctly, there's an optimized model of 3DES cracking
> that reduces the complexity of 168 bit 3DES to 112 bits. (2DES is only
> 1 bit more complex to break than straight DES, due to this attack.) But
> 3DES has undergone vastly more cryptanalysis than any other algorithm,
> so it's a bit unfair to say it's inferior to those ciphers that directly
> use 128 bit keys (Blowfish, AES, etc.)
>
> So -- instead of mucking with the details of 64 bit keys that are really
> 56 bit but are used thrice to give 192 bits of keying material with only
> 168 bits used but with only 112 bits of security on a very widely
> trusted algorithm...
>
> It's 128 bit.
>
> > Also, I would like to know the 3des key negotiation - who generates the key
> > (the client or the server).
>
> Don't remember off the top of my head, I'll dive through the specs if
> nobody else pipes up. Under DH, neither side actually needs to generate
> the key -- it can be the unified outcome of their asymmetric exchange.
>
> > I am interested in the export regulations concerning openssh in USA. Any
> > idea on this ?
>
> Should be pretty free of US regs; all the crypto modules are imported
> from Canada / Germany / Etc.
>
> Yours Truly,
>
> Dan Kaminsky
> DoxPara Research
> http://www.doxpara.com
>

From stuge-openssh-unix-dev at cdy.org Fri Dec 6 12:49:24 2002
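Dan Kaminsky's key-length arithmetic, worked through in code as an added example (not code from the thread, from OpenSSH or from OpenSSL): the standard DES PC-1 table shows which eight of the 64 key bits the key schedule never reads, a helper sets the conventional odd parity in exactly those bits, and a check confirms that flipping them leaves the PC-1 output, and therefore the cipher, unchanged, which is why a 24-byte 3DES key stores 192 bits but only 168 count. The 24-byte sample key is constructed for the demonstration.

```python
# Added example for the 3DES key-length discussion; not code from the thread,
# from OpenSSH or from OpenSSL.  PC1 is the standard DES table (FIPS 46-3);
# SAMPLE_KEY is a constructed 24-byte key used only for the demonstration.

# DES Permuted Choice 1: the 56 key-bit positions (1-based; position 1 is the
# most significant bit of the first key byte) that feed the key schedule.
PC1 = [
    57, 49, 41, 33, 25, 17,  9,
     1, 58, 50, 42, 34, 26, 18,
    10,  2, 59, 51, 43, 35, 27,
    19, 11,  3, 60, 52, 44, 36,
    63, 55, 47, 39, 31, 23, 15,
     7, 62, 54, 46, 38, 30, 22,
    14,  6, 61, 53, 45, 37, 29,
    21, 13,  5, 28, 20, 12,  4,
]

DES_KEY_BYTES = 8
TDES_KEY_BYTES = 3 * DES_KEY_BYTES      # 24 bytes = 192 bits of keying material

# Constructed sample 3DES key, parity bits not yet fixed.
SAMPLE_KEY = bytes(range(0x10, 0x10 + TDES_KEY_BYTES))


def unused_key_bits():
    """Positions of a 64-bit DES key that PC-1 never reads: the parity bits."""
    return sorted(set(range(1, 65)) - set(PC1))


def pc1(key):
    """Apply PC-1 to one 8-byte DES key and return the 56-bit result as an int."""
    if len(key) != DES_KEY_BYTES:
        raise ValueError("a single DES key is 8 bytes")
    k = int.from_bytes(key, "big")
    out = 0
    for pos in PC1:
        out = (out << 1) | ((k >> (64 - pos)) & 1)
    return out


def set_odd_parity(key):
    """Rewrite the low bit of every byte so that each byte has odd parity.

    This is how DES/3DES keys are conventionally stored.  It only touches the
    bits PC-1 discards, so it never changes the key schedule.
    """
    fixed = bytearray()
    for b in key:
        ones_in_upper7 = bin(b >> 1).count("1")
        fixed.append((b & 0xFE) | (0 if ones_in_upper7 % 2 else 1))
    return bytes(fixed)


def parity_bits_are_ignored(key):
    """True if flipping every parity bit leaves each DES sub-key's PC-1 output unchanged."""
    flipped = bytes(b ^ 0x01 for b in key)   # bit 8, 16, ..., 64 of each sub-key
    return all(
        pc1(key[i:i + DES_KEY_BYTES]) == pc1(flipped[i:i + DES_KEY_BYTES])
        for i in range(0, len(key), DES_KEY_BYTES)
    )


def key_bit_accounting(key):
    """Stored bits vs. parity bits vs. bits PC-1 actually consumes."""
    if len(key) % DES_KEY_BYTES:
        raise ValueError("key must be a multiple of 8 bytes")
    n = len(key) // DES_KEY_BYTES
    return {
        "stored_bits": 8 * len(key),        # 192 for 3DES
        "parity_bits": 8 * n,               # 24 for 3DES
        "effective_bits": len(PC1) * n,     # 168 for 3DES (56 per DES key)
    }


if __name__ == "__main__":
    k = set_odd_parity(SAMPLE_KEY)
    print("parity bit positions:", unused_key_bits())
    print("3DES accounting:", key_bit_accounting(k))
    print("parity bits affect key schedule:", not parity_bits_are_ignored(k))
```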
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Fri, 6 Dec 2002 02:49:24 +0100
Subject: Building without perl
In-Reply-To:
References: <3DEFE608.1070402@mindrot.org>
Message-ID: <20021206014924.GF21314@foo.birdnet.se>

On Thu, Dec 05, 2002 at 04:04:20PM -0800, Tim Rice wrote:
> > > Breaks SCO.
> >
> > Can you be more specific?
>
> Peter and I have been working on it. I think he has a working version
> now (works on SCO) but I want to test on my other platforms before
> committing.
>
> I also checked the archives and found
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=97590463728438&w=2
>
> Seems like it may be more robust.

Yeah, it's a lot simpler too. I didn't find this while searching.

My original fixpaths had problems with regex syntaxes (various grep and sed
disagree on whether to want \+ or +, solution was to replace with \{1,\})
and sh:s disliking exit -1, an updated version of fixpaths is attached,
although the Makefile.in change is probably better, as it eliminates the
need for a separate file altogether - unless there's some specific reason
to have one.

This new fixpaths also corrects a bug where the old version would not allow
a substitution to be blank. (-Dblah= file)


//Peter

-------------- next part --------------
#!/bin/sh
#
# fixpaths - substitute makefile variables into text files

die() {
	echo $*
	exit 255
}

test -n "`echo $1|egrep '\-D'`" || die $0: nothing to do - no substitutions listed!
test -n "`echo $1|egrep '\-D[^=]+=[^ ]*'`" || die $0: error in command line arguments.
test -n "`echo $*|egrep ' [^-]'`" || die Usage: $0 '[-Dstring=replacement] [[infile] ...]'

sed `echo $*|sed -e 's/-D\([^=]\{1,\}=[^ ]*\)/-e s=\1=g/g'`

exit 0

From stuge-openssh-unix-dev at cdy.org Fri Dec 6 13:36:10 2002
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Fri, 6 Dec 2002 03:36:10 +0100
Subject: 3DES key-length
In-Reply-To: <109a01c29cc2$8c50a8c0$66fe10ac@axiowave.com>
References: <0cf201c29bc1$fb214450$66fe10ac@axiowave.com> <3DED4A7D.606@doxpara.com> <109a01c29cc2$8c50a8c0$66fe10ac@axiowave.com>
Message-ID: <20021206023610.GG21314@foo.birdnet.se>

On Thu, Dec 05, 2002 at 07:58:04PM -0500, Hari-Isoft wrote:
> > > I am interested in the export regulations concerning openssh in USA. Any
> > > idea on this ?
> >
> > Should be pretty free of US regs; all the crypto modules are imported
> > from Canada / Germany / Etc.
>
> But, how about the regulations concerning export of OpenSSH from the USA to
> other countries, (because of 128 bit key encryption used!) ?

No one will want to export OpenSSH crypto from the US since it is available
from a number of other places in the world already. Quite contrary, OpenSSH
crypto has been _imported_ into the US from one of these other places.

But, hypothetically, if you wanted to export OpenSSH crypto from the US I'm
sure you'd have all sorts of interesting legal problems, IANAL however.


//Peter

From mouring at etoh.eviladmin.org Fri Dec 6 14:27:57 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 5 Dec 2002 21:27:57 -0600 (CST)
Subject: 3DES key-length
In-Reply-To: <20021206023610.GG21314@foo.birdnet.se>
Message-ID:

Don't know.. Sun and IBM seem to pull it off at least. So there can't be
too many glitches.

- Ben

On Fri, 6 Dec 2002, Peter Stuge wrote:

> On Thu, Dec 05, 2002 at 07:58:04PM -0500, Hari-Isoft wrote:
> > > > I am interested in the export regulations concerning openssh in USA. Any
> > > > idea on this ?
> > >
> > > Should be pretty free of US regs; all the crypto modules are imported
> > > from Canada / Germany / Etc.
> >
> > But, how about the regulations concerning export of OpenSSH from the USA to
> > other countries, (because of 128 bit key encryption used!) ?
>
> No one will want to export OpenSSH crypto from the US since it is available
> from a number of other places in the world already. Quite contrary, OpenSSH
> crypto has been _imported_ into the US from one of these other places.
>
> But, hypothetically, if you wanted to export OpenSSH crypto from the US I'm
> sure you'd have all sorts of interesting legal problems, IANAL however.
>
>
> //Peter
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From stuge-openssh-unix-dev at cdy.org Fri Dec 6 15:36:40 2002
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Fri, 6 Dec 2002 05:36:40 +0100
Subject: 3DES key-length
In-Reply-To:
References: <20021206023610.GG21314@foo.birdnet.se>
Message-ID: <20021206043640.GH21314@foo.birdnet.se>

On Thu, Dec 05, 2002 at 09:27:57PM -0600, Ben Lindstrom wrote:
> > But, hypothetically, if you wanted to export OpenSSH crypto from the US I'm
> > sure you'd have all sorts of interesting legal problems, IANAL however.
>
> Don't know.. Sun and IBM seem to pull it off at least. So there can't be
> too many glitches.

They've likely (hopefully) made sure to go through whatever process
necessary to be allowed to export strong crypto by US .gov. I'm guessing
that it wasn't very simple, however. Anyway, of course it's _possible_ to
export crypto also from the US, several companies do this already, however
since it is most likely quite impractical for any open source organization
to be bound by whatever US .gov imposes on such export, worldwide
distribution of open source crypto originates from outside the US.


//Peter

From maniac at maniac.nl Fri Dec 6 20:43:43 2002
From: maniac at maniac.nl (Mark Janssen)
Date: 06 Dec 2002 10:43:43 +0100
Subject: 3DES key-length
In-Reply-To: <20021206043640.GH21314@foo.birdnet.se>
References: <20021206023610.GG21314@foo.birdnet.se> <20021206043640.GH21314@foo.birdnet.se>
Message-ID: <1039167822.657.4.camel@ninja>

On Fri, 2002-12-06 at 05:36, Peter Stuge wrote:
> On Thu, Dec 05, 2002 at 09:27:57PM -0600, Ben Lindstrom wrote:
> > > But, hypothetically, if you wanted to export OpenSSH crypto from the US I'm
> > > sure you'd have all sorts of interesting legal problems, IANAL however.
> >
> > Don't know.. Sun and IBM seem to pull it off at least. So there can't be
> > too many glitches.
>
> They've likely (hopefully) made sure to go through whatever process
> necessary to be allowed to export strong crypto by US .gov. I'm guessing
> that it wasn't very simple, however. Anyway, of course it's _possible_ to
> export crypto also from the US, several companies do this already, however
> since it is most likely quite impractical for any open source organization
> to be bound by whatever US .gov imposes on such export, worldwide
> distribution of open source crypto originates from outside the US.

The Debian project has also received permission to distribute crypto from
the USA, and all the crypto packages that used to be in a separate non-us
tree (and hosted in .nl) are now incorporated in the debian main tree (also
in the usa).

AFAIK getting permission to distribute strong crypto wasn't too hard,
especially considering that all code is free software/open source. (It's
harder for commercial software).

If interested in the details, look at archives of the debian-legal
mailing lists.

--
Mark Janssen
Saiko Internet Technologies

From Roumen.Petrov at skalasoft.com Fri Dec 6 21:40:52 2002
From: Roumen.Petrov at skalasoft.com (Roumen.Petrov at skalasoft.com)
Date: Fri, 06 Dec 2002 12:40:52 +0200
Subject: Building without perl
Message-ID: <3DF07EB4.8070009@skalasoft.com>

What about "fixprogs" and "mdoc2man.pl" ?

> On Fri, 6 Dec 2002, Damien Miller wrote:
>>> Tim Rice wrote:
>>
>>>> > On Thu, 5 Dec 2002, Damien Miller wrote:
[SNIP]
>>>> > Breaks SCO.
>>>
>>> Can you be more specific?
>
> Peter and I have been working on it. I think he has a working version
> now (works on SCO) but I want to test on my other platforms before committing.
>
> I also checked the archives and found
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=97590463728438&w=2

looks good

> Seems like it may be more robust.
[SNIP]

From bugzilla-daemon at mindrot.org Fri Dec 6 22:36:58 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 6 Dec 2002 22:36:58 +1100 (EST)
Subject: [Bug 443] Ability to set KeepAlive time
Message-ID: <20021206113658.B391D64515@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=443

------- Additional Comments From djm at mindrot.org 2002-12-03 22:56 -------
You probably want ClientAliveInterval in sshd_config

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From josavimbi at phantomemail.com Fri Dec 6 16:16:23 2002
From: josavimbi at phantomemail.com (Dav Savimbi)
Date: Fri, 06 Dec 2002 16:16:23
Subject: KINDLY GET BACK TO PLEASE
Message-ID: <20021206151630.C398864515@shitei.mindrot.org>

Good Day,

With warm heart I offer my friendship, and greetings, and I hope this mail
meets you in good time. However strange or surprising this contact might seem
to you, as we have not met personally or had any dealings in the past, I
humbly ask that you take due consideration of its importance and immense
benefit. I also sincerely seek your confidence in this transaction, which I
propose to you as a person of integrity.

First and foremost I wish to introduce myself properly to you. My name is
David Olievie Savimbi, I am a nephew and Personal Assistant to Late Jonas
Malheiro Savimbi, leader of UNITA (National Union for the Total Independence
of Angola). As led by my instinct, I selected your email address from an
internet directory, in my search for a partner, hence this proposal.

My Uncle (Mentor) was killed in a battle with government forces of Angola,
led by President Dos Santos, on Friday 22nd February 2002. After his death,
Mr. Antonio Dembo who was his second in command, assumed office as leader of
UNITA, due to lack of the Charisma my Uncle had carried the party with in
Dembo, there was chaos and struggle for leadership. Prominent members like
Carlos Morgado lobbied to depose him and assume office as leader to enrich
themselves and some of them who saw me as a threat to their ambitions,
including Mr. Dembo, planned to kill me. The tension and confusion in UNITA
became uncontrollable when Mr. Dembo died 10 days after my Uncle's death.

As I lost my mentor in this struggle which has been on for three decades now,
not so much of this struggle interests me anymore, as there is now no sense
of direction. I now desire a peaceful life, as I am no more interested in
conflicts and wars. For this reason, I secretly left Angola and came here
(Holland) to seek political asylum.
I am sincerely proposing to you to render me your highly needed assistance in
respect to safekeeping of some of my Uncle's money that arose from Diamonds
sales. This money (US$18.5million), which was already on its way to my
Uncle's Swiss Bank account, through the Diplomatic means we use to move money
abroad, and was on transit with a private safe deposit security company here
in Amsterdam, Holland in February when the tragic incident of my Uncle's
death occurred. I then instructed the company to secure the consignment
containing the money pending on further instructions from me. I have waited
for some time now for security reasons, and have now decided to act with your
reliable assistance.

As a matter of fact, the reason I came to Holland and sought for political
asylum here is the safe deposit. President Dos Santos has lobbied the
International Community to freeze my Uncle's assets and accounts abroad, to
ground UNITA, and has already done this in Angola. Hence I cannot lodge the
funds in my name. Also I did not declare the funds to the here. I plan to use
this money to safeguard my future.

It is very essential that you understand that the kind of trust and
confidence I want to put in you is extraordinary, and an act of desperation
on my part, in order not to lose this money. Also, ensure that this contact
with you should be treated with utmost secrecy.

Your role in this project, is clearing the safety deposit containing the
money which is deposited in my name, from the Security company, after which,
the money will be lodged into an account preferably a new account you should
open for this transaction. My share of the money will be returned to me when
my asylum application in this country is granted, and I have permission to
do business and open an account here. For your reliable assistance, I will
reward you with 15% ($2,775,000) of the money.
I have with me, the Certificate of Deposit for the consignment containing the
funds, which will be used for claim from the security company, and the
release codes of the vaults. Also, everything will be legally processed for
transfer of ownership to you, and this transaction should be completed
immediately depending on your prompt response.

I thank you in advance as I anticipate your assistance in enabling me achieve
this goal. Please contact me whether or not you are interested in assisting
me. This will enable me scout for another partner in the event of
non-interest on your part.

To understand the struggle to liberate from communists more, click on the
link below and read.
http://www.the-idler.com/IDLER-02/3-16.html

Sincerely,
D.O.Savimbi.

From genty at austin.ibm.com Sat Dec 7 02:20:15 2002
From: genty at austin.ibm.com (Denise Genty)
Date: Fri, 06 Dec 2002 09:20:15 -0600
Subject: 3DES key-length
References: <20021206023610.GG21314@foo.birdnet.se> <20021206043640.GH21314@foo.birdnet.se> <1039167822.657.4.camel@ninja>
Message-ID: <3DF0C02F.99931C92@austin.ibm.com>

Mark Janssen wrote:
>
>
> AFAIK getting permission to distribute strong crypto wasn't too hard,
> especially considering that all code is free software/open source. (It's
> harder for commercial software).
>

Ditto for IBM.

--
Denise M. Genty
genty at austin.ibm.com (512)838-8170 - T/L 678-8170
AIX Network Security Development
Server Division, pSeries

From wendyp at cray.com Sat Dec 7 03:47:20 2002
From: wendyp at cray.com (Wendy Palm)
Date: Fri, 06 Dec 2002 10:47:20 -0600
Subject: 3DES key-length
References:
Message-ID: <3DF0D498.6020501@cray.com>

it wasn't too difficult to get it straightened out. it just took a long time.

we (Cray) had our legal people talking to the us government (dept of commerce)
and what we ended up with is basically this-

we sent a copy of what we are sending to customers to the dept of commerce,
showing that the code we are sending is exactly the same as that publicly
available on the web. we only needed to do this for our first release.

if we (Cray) make any changes to OpenSSL ourselves and send it to our
customers (so that it is different than that available on the web), we have
to provide a copy of the code to dept of commerce and prove none of the
changes affected the status wrt export laws (i.e. we didn't make any changes
to the crypto stuff). likewise, we can't send those types of changes back to
the public domain either.

it sounds so simple, but you wouldn't believe how long it took to get that
agreement in place.

i'm assuming other companies had to go through the same thing.

Ben Lindstrom wrote:
>
> Don't know.. Sun and IBM seem to pull it off at least. So there can't be
> too many glitches.
>
> - Ben
>
> On Fri, 6 Dec 2002, Peter Stuge wrote:
>
>
>>On Thu, Dec 05, 2002 at 07:58:04PM -0500, Hari-Isoft wrote:
>>
>>>>>I am interested in the export regulations concerning openssh in USA. Any
>>>>>idea on this ?
>>>>>
>>>>Should be pretty free of US regs; all the crypto modules are imported
>>>>from Canada / Germany / Etc.
>>>>
>>>But, how about the regulations concerning export of OpenSSH from the USA to
>>>other countries, (because of 128 bit key encryption used!) ?
>>>
>>No one will want to export OpenSSH crypto from the US since it is available
>>from a number of other places in the world already. Quite contrary, OpenSSH
>>crypto has been _imported_ into the US from one of these other places.
>>
>>But, hypothetically, if you wanted to export OpenSSH crypto from the US I'm
>>sure you'd have all sorts of interesting legal problems, IANAL however.
>>
>>
>>//Peter
>>
>>
>

--
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154

From bugzilla-daemon at mindrot.org Sat Dec 7 05:47:34 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 7 Dec 2002 05:47:34 +1100 (EST)
Subject: [Bug 450] sftp crashes when trying to upload a file which doesn't exist
Message-ID: <20021206184734.0857B64568@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=450

------- Additional Comments From trionon at mail.ru 2002-12-07 05:47 -------
root at 217 (~) > gdb -c sftp.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you ar
welcome to change it and/or distribute copies of it under certain condition
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd".
Core was generated by `sftp'.
Program terminated with signal 11, Segmentation fault.
#0 0x804c7af in ?? ()
(gdb) bt
#0 0x804c7af in ?? ()
#1 0x804cd8c in ?? ()
#2 0x804d72f in ?? ()
#3 0x8049b9a in ?? ()
#4 0x8049505 in ?? ()
(gdb)

Did it help? These are the only things I can do with gdb. What else can I do
to help?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat Dec 7 10:22:13 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 7 Dec 2002 10:22:13 +1100 (EST)
Subject: [Bug 450] sftp crashes when trying to upload a file which doesn't exist
Message-ID: <20021206232213.7409E64564@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=450

------- Additional Comments From dtucker at zip.com.au 2002-12-07 10:22 -------
You need to give it the binary as well as the core to get meaningful results, ie

$ gdb /path/to/sftp sftp.core
(gdb) bt

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat Dec 7 12:58:26 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 7 Dec 2002 12:58:26 +1100 (EST)
Subject: [Bug 450] sftp crashes when trying to upload a file which doesn't exist
Message-ID: <20021207015826.6AFD064566@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=450

------- Additional Comments From trionon at mail.ru 2002-12-07 12:58 -------
The results now are:

root at 217 (~) > gdb -c sftp.core /usr/bin/sftp
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...(no debugging symbols found)...
Core was generated by `sftp'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libssh.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libcrypto.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libc.so.4...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libz.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/libexec/ld-elf.so.1...(no debugging symbols found)...done.
#0 0x804c7af in free ()
(gdb) bt
#0 0x804c7af in free ()
#1 0xe in ?? ()
#2 0x804cd8c in free ()
#3 0x804d72f in free ()
#4 0x8049b9a in free ()
#5 0x8049505 in free ()

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat Dec 7 13:27:56 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 7 Dec 2002 13:27:56 +1100 (EST)
Subject: [Bug 453] New: [PATCH] The SHELL env variable is set incorrectly, when shell is overridden from login.conf.
Message-ID: <20021207022756.A336464568@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=453

Summary: [PATCH] The SHELL env variable is set incorrectly, when shell is overridden from login.conf.
Product: Portable OpenSSH
Version: 3.5p1
Platform: All
OS/Version: FreeBSD
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: semen at online.sinor.ru

According to the login.conf(5), the SHELL variable must contain the value
from passwd file, regardless it may be overridden in the login class. The
sshd currently misbehaves, it sets the SHELL to the program it actually
executes.

Fix:

--- ssh/session.c.orig2 Sat Dec 7 07:48:46 2002 +++ ssh/session.c Sat Dec 7 07:57:16 2002 @@ -1325,11 +1325,19 @@ * legal, and means /bin/sh. */ shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; + + /* Set up the environment for child */ + env = do_setup_env(s, shell); + + /* + * The shell specifed in login class overrides the shell in passwd, + * but, according to the login.conf(5), the SHELL env variable must + * contain the value from passwd, so we do this *after* setting up + * child's environment. + */ #ifdef HAVE_LOGIN_CAP shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); #endif - - env = do_setup_env(s, shell); /* we have to stash the hostname before we close our socket. */ if (options.use_login)

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From stuge-openssh-unix-dev at cdy.org Sun Dec 8 00:12:07 2002
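Review bot: moving `env = do_setup_env(s, shell);` above the `#ifdef HAVE_LOGIN_CAP` block changes more than the SHELL variable if do_setup_env derives anything else from its `shell` argument, since every such value now reflects the passwd shell rather than the login-class override; the submission should state that SHELL is the only consumer, or pass the passwd shell separately for SHELL while keeping the effective shell for the rest. Two smaller points in the same hunk: the new comment has a typo ("specifed"), and it would help to say explicitly that `shell` as executed may now differ from $SHELL on purpose, so a later reader does not move the call back.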
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Sat, 7 Dec 2002 14:12:07 +0100
Subject: Building without perl
In-Reply-To: <3DF07EB4.8070009@skalasoft.com>
References: <3DF07EB4.8070009@skalasoft.com>
Message-ID: <20021207131207.GA6325@foo.birdnet.se>

On Fri, Dec 06, 2002 at 12:40:52PM +0200, Roumen.Petrov at skalasoft.com wrote:
> What about "fixprogs" and "mdoc2man.pl" ?

I'm working on an AWK version of mdoc2man.pl. It's my first attempt at
programming in AWK but I don't think this can be done very many ways..

There's a small bug or two that I need to squeeze, then I'll post it for
platform testing. Currently the AWK script is 282 lines.


//Peter

From mouring at etoh.eviladmin.org Sun Dec 8 02:47:21 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sat, 7 Dec 2002 09:47:21 -0600 (CST)
Subject: Building without perl
In-Reply-To: <20021207131207.GA6325@foo.birdnet.se>
Message-ID:

Ermm.... I'm not sure I want to trust awk over multiple platforms. It is
bad enough that some vendors don't ship a tolerable awk to start with.

Of course I'll reserve judgement until I see it work on every platform
without adding 3rd party software.

- Ben

On Sat, 7 Dec 2002, Peter Stuge wrote:

> On Fri, Dec 06, 2002 at 12:40:52PM +0200, Roumen.Petrov at skalasoft.com wrote:
> > What about "fixprogs" and "mdoc2man.pl" ?
>
> I'm working on an AWK version of mdoc2man.pl. It's my first attempt at
> programming in AWK but I don't think this can be done very many ways..
>
> There's a small bug or two that I need to squeeze, then I'll post it for
> platform testing. Currently the AWK script is 282 lines.
>
>
> //Peter
>

From tim at multitalents.net Sun Dec 8 05:25:09 2002
From: tim at multitalents.net (Tim Rice)
Date: Sat, 7 Dec 2002 10:25:09 -0800 (PST)
Subject: Building without perl
In-Reply-To:
Message-ID:

On Sat, 7 Dec 2002, Ben Lindstrom wrote:

>
> Ermm.... I'm not sure I want to trust awk over multiple platforms. It is
> bad enough that some vendors don't ship a tolerable awk to start with.

The platform would have to be really old to not have at least nawk.

We may want to consider defaulting to perl if it exists and falling back
to awk if it doesn't. The downside is maintaining 2 versions of mdoc2man.

>
> Of course I'll reserve judgement until I see it work on every platform
> without adding 3rd party software.
>
> - Ben
>
>
>
> On Sat, 7 Dec 2002, Peter Stuge wrote:
>
> > On Fri, Dec 06, 2002 at 12:40:52PM +0200, Roumen.Petrov at skalasoft.com wrote:
> > > What about "fixprogs" and "mdoc2man.pl" ?
> >
> > I'm working on an AWK version of mdoc2man.pl. It's my first attempt at
> > programming in AWK but I don't think this can be done very many ways..
> >
> > There's a small bug or two that I need to squeeze, then I'll post it for
> > platform testing. Currently the AWK script is 282 lines.
> >
> >
> > //Peter
> >

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From mouring at etoh.eviladmin.org Sun Dec 8 17:12:01 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sun, 8 Dec 2002 00:12:01 -0600 (CST)
Subject: Building without perl
In-Reply-To:
Message-ID:

Then we start playing 'Whose awk is the right awk' =) I think if we do a
test for gawk, nawk and then lastly for awk. And honor them in that order I
think we should be safe. As long as we don't use any gawk only features.

However, if we are going to do this. I'd prefer we either move fully to an
awk solution or stick with perl. It seems silly to try and maintain both.
However, the best solution must be used. As I said.. I'm willing to
withhold judgement until the code is tested. =)

(I'm no perl fan, so it would make me happy to see us move to awk if it
does not hork anything.)

- Ben

On Sat, 7 Dec 2002, Tim Rice wrote:

> On Sat, 7 Dec 2002, Ben Lindstrom wrote:
>
> >
> > Ermm.... I'm not sure I want to trust awk over multiple platforms. It is
> > bad enough that some vendors don't ship a tolerable awk to start with.
>
> The platform would have to be really old to not have at least nawk.
>
> We may want to consider defaulting to perl if it exists and falling back
> to awk if it doesn't. The downside is maintaining 2 versions of mdoc2man.
>
> >
> > Of course I'll reserve judgement until I see it work on every platform
> > without adding 3rd party software.
> >
> > - Ben
> >
> >
> >
> > On Sat, 7 Dec 2002, Peter Stuge wrote:
> >
> > > On Fri, Dec 06, 2002 at 12:40:52PM +0200, Roumen.Petrov at skalasoft.com wrote:
> > > > What about "fixprogs" and "mdoc2man.pl" ?
> > >
> > > I'm working on an AWK version of mdoc2man.pl. It's my first attempt at
> > > programming in AWK but I don't think this can be done very many ways..
> > >
> > > There's a small bug or two that I need to squeeze, then I'll post it for
> > > platform testing. Currently the AWK script is 282 lines.
> > >
> > >
> > > //Peter
> > >
>
> --
> Tim Rice Multitalents (707) 887-1469
> tim at multitalents.net
>
>
>

From mmokrejs at natur.cuni.cz Sun Dec 8 22:39:04 2002
From: mmokrejs at natur.cuni.cz (Martin MOKREJŠ)
Date: Sun, 8 Dec 2002 12:39:04 +0100 (CET)
Subject: Building openssh-3.5p1 with new DES functions
Message-ID:

Hi,

I've seen that openssh will have different function names for des, I think
that's great. As neither kerberos4 nor kerberos5 from KTH in Sweden support
those new calls yet, I thought it would be best for me to switch back to the
old behaviour, i.e. have kerberized libkrb and other libs with disabled
support for openssl (which means libdes is compiled). Then, compile
openssh-3.5p1 with kerberos4 and afs support. That properly picks up -lkrb
-ldes etc.

Unfortunately, with this untested setup I got (I'm not sure if this is an
openssh or openssl problem):

Manpage format: man
PAM support: no
KerberosIV support: yes
KerberosV support: no
Smartcard support: no
AFS support: yes
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: no
IP address in $DISPLAY hack: no
Use IPv4 by default hack: no
Translate v4 in v6 hack: no
BSD Auth support: no
Random number source: OpenSSL internal ONLY

Host: alphaev67-dec-osf5.1
Compiler: cc
Compiler flags: -I/software/@sys/usr/include -I/usr/local/include
Preprocessor flags: -I/usr/local/openssl/include -Iyes -I/software/@sys/usr/include -I/usr/local/include -I/usr/athena-1.2.1-no-openssl/include -I/usr/afsws/include
Linker flags: -L/usr/local/openssl/lib -Lyes -L/usr/local/lib -L/software/@sys/usr/lib -L/usr/athena-1.2.1-no-openssl/lib -L/usr/afsws/lib
Libraries: -lwrap -lkafs -lresolv -ldes -lkrb -lz -L/usr/local/lib -L/software/@sys/usr/lib -L/usr/local/openssl/lib -L/usr/lib -lsecurity -ldb -lm -laud -lcrypto -ldes

I hope that there will be no symbol clashes between ldes and lcrypto
anymore. ;-)

$ CC=cc CFLAGS="-I/software/@sys/usr/include -I/usr/local/include" CPPFLAGS="-I/software/@sys/usr/include -I/usr/local/include" LDFLAGS="-L/usr/local/lib -L/software/@sys/usr/lib" ./configure --prefix=/usr/local --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl --with-prngd-socket=/var/run/egd-pool --with-default-path=/usr/bin:/bin:/sbin:/usr/local/bin:/usr/local/sbin:/software/@sys/usr/bin:/software/@sys/usr/sbin:/usr/bin/X11:/usr/afs/bin:/usr/athena/bin:/usr/local/openssl/bin:/usr/opt/svr4/bin:/usr/opt/svr4/sbin --with-xauth=/usr/bin/X11/xauth --with-zlib --with-osfsia --with-login=/usr/bin/login --without-privsep --with-afs=/usr/afsws --with-kerberos4=/usr/athena-1.2.1-no-openssl

[...]

cc -I/software/@sys/usr/include -I/usr/local/include -I. -I. -I/usr/local/openssl/include -Iyes -I/software/@sys/usr/include -I/usr/local/include -I/usr/athena-1.2.1-no-openssl/include -I/usr/afsws/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c sshconnect1.c
cc: Error: /usr/local/openssl/include/openssl/mdc2.h, line 79: Missing type specifier or type qualifier. (missingtype)
	DES_cblock h,hh;
--------^
make: *** [sshconnect1.o] Error 1

--
Martin Mokrejs, PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585

From stevesk at pobox.com Mon Dec 9 05:41:28 2002
From: stevesk at pobox.com (Kevin Steves)
Date: Sun, 8 Dec 2002 10:41:28 -0800
Subject: Password expiry related clarification in OpenSSH3.5p1
Message-ID: <20021208184128.GA1353@jenny.crlsca.adelphia.net>

fyi (i'm behind in following the password expire efforts).

----- Forwarded message from Logu -----

Date: Sat, 7 Dec 2002 02:42:52 +0530
From: "Logu"
To:
Cc:
Subject: Password expiry related clarification in OpenSSH3.5p1

Hello Stevesk,

We are using OpenSSH3.1p1 and now planned to shift to OpenSSH3.5p1. Among
other changes, we would like to know specifically the reasons for the
commented part of the PAM account expiration part in auth-pam.c. Why is this
part of the code not used in 3.5p1? Are there any specific reasons for not
using this part of the code?

#if 0
	case PAM_NEW_AUTHTOK_REQD:
		message_cat(&__pam_msg, use_privsep ?
		    NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);
		/* flag that password change is necessary */
		password_change_required = 1;
		/* disallow other functionality for now */
		no_port_forwarding_flag |= 2;
		no_agent_forwarding_flag |= 2;
		no_x11_forwarding_flag |= 2;
		break;
#endif

Please reply.

Thanks
Logsnaath.

----- End forwarded message -----

From stuge-openssh-unix-dev at cdy.org Mon Dec 9 07:16:42 2002
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Sun, 8 Dec 2002 21:16:42 +0100
Subject: Building without perl
In-Reply-To:
References: <20021207131207.GA6325@foo.birdnet.se>
Message-ID: <20021208201642.GA27732@foo.birdnet.se>

On Sat, Dec 07, 2002 at 09:47:21AM -0600, Ben Lindstrom wrote:
> Ermm.... I'm not sure I want to trust awk over multiple platforms. It is
> bad enough that some vendors don't ship a tolerable awk to start with.
>
> Of course I'll reserve judgement until I see it work on every platform
> without adding 3rd party software.

Ok, here we go. Attached is an awk version of mdoc2man.pl. Please test it
everywhere you can. Runs fine here, using GNU awk with or without --posix.

While making this I also discovered two bugs in mdoc2man.pl: one typo and
one data loss. I've gotten the account in Bugzilla activated, I'll file them
there separately.

The typo is an extra comma with multiple reference authors: "x, and y"

Data loss is in the Ic handler, it silently discarded the rest of the line,
ignoring any words following a comma or period. The data loss bug only
manifests itself in sftp.1 in the text describing -b:

"..if any of the following commands fail: get, rm, and lmkdir."

as opposed to

"..fail: get, put, rename, ln, rm, mkdir, chdir, lchdir and lmkdir."

Please note that I didn't have any earlier knowledge of the input and the
output formats used and I don't think I have gained too much either. I've
made some observations on logic and syntax of the mdoc (nroff?) format but
that's it. There may very well be errors in the script due to that. (But
they were probably present in the perl version too, in that case.)

However, the awk script produces the same output as mdoc2man.pl with the
exception of the two bugs mentioned, for all openssh .[1-9] files, using
much of the same logic as the perl version.

On a side note, I'm not very impressed by awk. Sure, it takes a lot of work
out of text mangling with sh+sed, but if it isn't too portable anyway I'm
not sure how useful it really is.. I was also a bit annoyed that it doesn't
support nested actions, I wanted to use that at first, but had to switch to
a loop going over all words in the input line. Oh well, I'm sure it's handy
for making reports. :)

I just realized that the data loss bug might be a bug in the manpage as
well, where is that file format documented?

//Peter

-------------- next part --------------
#!/usr/bin/awk
BEGIN {
	optlist=0
	oldoptlist=0
	nospace=0
	synopsis=0
	reference=0
	block=0
	ext=0
	extopt=0
	literal=0
	line=""
}
function wtail() {
	retval=""
	while(w0;i--) {
		line=line refauthors[i]
		if(i>1)
			line=line ", "
	}
	if(nrefauthors>1)
		line=line " and "
	line=line refauthors[0] ", \\fI" reftitle "\\fP"
	if(length(refissue))
		line=line ", " refissue
	if(length(refdate))
		line=line ", " refdate
	if(length(refopt))
		line=line ", " refopt
	line=line "."
	reference=0
} else if(reference) {
	if(match(words[w],"^%A$")) { refauthors[nrefauthors++]=wtail() }
	if(match(words[w],"^%T$")) {
		reftitle=wtail()
		sub("^\"","",reftitle)
		sub("\"$","",reftitle)
	}
	if(match(words[w],"^%N$")) { refissue=wtail() }
	if(match(words[w],"^%D$")) { refdate=wtail() }
	if(match(words[w],"^%O$")) { refopt=wtail() }
} else if(match(words[w],"^Nm$")) {
	if(synopsis)
		line=line ".br\n"
	n=words[++w]
	if(!length(name))
		name=n
	if(!length(n))
		n=name
	line=line "\\fB" n "\\fP"
	if(!nospace&&match(words[w+1],"^[\\.,]"))
		nospace=1
} else if(match(words[w],"^Nd$")) {
	line=line "\\- " wtail()
} else if(match(words[w],"^Fl$")) {
	line=line "\\fB\\-" words[++w] "\\fP"
	if(!nospace&&match(words[w+1],"^[\\.,]"))
		nospace=1
} else if(match(words[w],"^Ar$")) {
	line=line "\\fI"
	if(w==nwords)
		line=line "file ...\\fP"
	else {
		line=line words[++w] "\\fP"
		while(match(words[w+1],"^\\|$"))
			line=line OFS words[++w] " \\fI" words[++w] "\\fP"
	}
	if(!nospace&&match(words[w+1],"^[\\.,]"))
		nospace=1
} else if(match(words[w],"^Cm$")) {
	line=line "\\fB" words[++w] "\\fP"
	while(w

http://bugzilla.mindrot.org/show_bug.cgi?id=453

------- Additional Comments From semen at online.sinor.ru 2002-12-09 22:50 -------
Created an attachment (id=184)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=184&action=view)
The patch got mangled in the original bug report, here is the correct version.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From markus at openbsd.org Mon Dec 9 23:24:38 2002
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 9 Dec 2002 13:24:38 +0100
Subject: Building openssh-3.5p1 with new DES functions
In-Reply-To:
References:
Message-ID: <20021209122438.GB16737@folly>

On Sun, Dec 08, 2002 at 12:39:04PM +0100, Martin MOKREJŠ wrote:
> cc: Error: /usr/local/openssl/include/openssl/mdc2.h, line 79: Missing type specifier or type qualifier. (missingtype)
> 	DES_cblock h,hh;
> --------^

i don't think openssl's evp.h should include mdc2.h

From levitte at stacken.kth.se Tue Dec 10 03:45:47 2002
From: levitte at stacken.kth.se (Richard Levitte - VMS Whacker)
Date: Mon, 09 Dec 2002 17:45:47 +0100 (CET)
Subject: Building openssh-3.5p1 with new DES functions
In-Reply-To: <20021209122438.GB16737@folly>
References: <20021209122438.GB16737@folly>
Message-ID: <20021209.174547.93473640.levitte@stacken.kth.se>

In message <20021209122438.GB16737 at folly> on Mon, 9 Dec 2002 13:24:38 +0100, Markus Friedl said:

markus> On Sun, Dec 08, 2002 at 12:39:04PM +0100, Martin MOKREJŠ wrote:
markus> > cc: Error: /usr/local/openssl/include/openssl/mdc2.h, line 79: Missing type specifier or type qualifier. (missingtype)
markus> > 	DES_cblock h,hh;
markus> > --------^
markus>
markus> i don't think openssl's evp.h should include mdc2.h

It's including all those headers because it used to, and people will
complain if they don't get all those algorithms just by including evp.h.

However, that's not the problem here. Rather, it would seem that for some
reason, des.h isn't included, and it should be, from mdc2.h for example.

Could you investigate to see what's really happening?

--
Richard Levitte   \ Spannvägen 38, II \ LeViMS at stacken.kth.se
Redakteur at Stacken \ S-168 35 BROMMA  \ T: +46-8-26 52 47
                  \ SWEDEN            \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- poei at bofh.se
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See for more info.

From bugzilla-daemon at mindrot.org Tue Dec 10 04:45:20 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 10 Dec 2002 04:45:20 +1100 (EST)
Subject: [Bug 454] New: SSH doesn't consider distinguish ports for host-key verification
Message-ID: <20021209174520.04A6364562@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=454

Summary: SSH doesn't consider distinguish ports for host-key verification
Product: Portable OpenSSH
Version: 3.4p1
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: ssh
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: foomzilla at fuhm.net

I have two SSH servers running on the same machine. One is running on port
22 for standard logins; the other is running port 4005, and is not run by
root. They both must have different host keys, as the sshd on port 4005
cannot (and should not) be able to read the host keys for the standard sshd
on port 22.

This all works fine, except that every time you connect, it complains that
the host key is wrong. I see that there is a configuration option
"hostkeyalias" that can be used to circumvent this problem, but that is
rather inconvenient, as I now need to type something like
'ssh -o "hostalias=foo.bar.com:4005" foo.bar.com -p 4005'

What I think should happen: Connecting on a non-standard port should
include the port number in the hostname automatically for hostkey lookup
purposes, as in 'foo.bar.com:4005'. It should probably also use the
host:port name for host-specific configuration option lookup.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From dan at doxpara.com Tue Dec 10 08:24:10 2002
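The port-qualified lookup the bug report above asks for, as an added example that is not OpenSSH code: `lookup_name()` builds the name to search for, using the `[host]:port` spelling that later OpenSSH releases adopted, and `find_host_key()` searches a constructed known_hosts text (plain, comma-separated and `|1|salt|hmac` hashed entries) for it; the host names and key blobs are constructed placeholders, and `qualify_port=False` reproduces the port-blind lookup the reporter complains about.

```python
"""Added example, not OpenSSH code: look host keys up by host AND port.

lookup_name() builds the port-qualified name the bug report asks for, using
the "[host]:port" spelling later OpenSSH releases adopted (port 22 keeps the
bare hostname).  find_host_key() then searches a known_hosts text for it,
handling comma-separated host lists and hashed "|1|salt|hmac" entries
(HMAC-SHA1 keyed with the salt over the lookup name).  KNOWN_HOSTS below is a
constructed sample with placeholder key blobs.
"""
import base64
import hashlib
import hmac
from typing import Optional, Tuple


def lookup_name(host: str, port: int = 22) -> str:
    """Name to look up: bare host on port 22, "[host]:port" otherwise."""
    return host if port == 22 else f"[{host}]:{port}"


def _hashed_field_matches(field: str, name: str) -> bool:
    """Match a hashed entry: |1|<b64 salt>|<b64 HMAC-SHA1(salt, name)>."""
    parts = field.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    try:
        salt = base64.b64decode(parts[2], validate=True)
        mac = base64.b64decode(parts[3], validate=True)
    except ValueError:
        return False
    expected = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, mac)


def host_field_matches(field: str, name: str) -> bool:
    """First column of a known_hosts line: hashed, or comma-separated names."""
    if field.startswith("|"):
        return _hashed_field_matches(field, name)
    return name in field.split(",")


def find_host_key(known_hosts: str, host: str, port: int = 22,
                  qualify_port: bool = True) -> Optional[Tuple[str, str]]:
    """Return (key type, key blob) recorded for host:port, or None.

    qualify_port=False reproduces the behaviour the report complains about:
    the port is ignored, so the port-22 entry is returned for any port and
    the client then sees a host key mismatch for the second sshd.
    """
    name = lookup_name(host, port) if qualify_port else host
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)  # hosts, key type, key [comment]
        if len(fields) < 3:
            continue
        if host_field_matches(fields[0], name):
            return fields[1], fields[2].split()[0]
    return None


def hashed_entry(name: str, keytype: str, key: str, salt: bytes) -> str:
    """Produce a hashed known_hosts line for name (used to build the sample)."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|{}|{} {} {}".format(base64.b64encode(salt).decode(),
                                   base64.b64encode(mac).decode(), keytype, key)


# Constructed sample: the two sshds from the report plus a hashed third entry.
_SALT = bytes(range(20))
KNOWN_HOSTS = "\n".join([
    "# constructed sample, keys are placeholders",
    "foo.bar.com,10.0.0.5 ssh-rsa PLACEHOLDER_KEY_PORT22 root's sshd",
    "[foo.bar.com]:4005 ssh-rsa PLACEHOLDER_KEY_PORT4005 unprivileged sshd",
    hashed_entry("[foo.bar.com]:4006", "ssh-dss", "PLACEHOLDER_KEY_PORT4006", _SALT),
])

if __name__ == "__main__":
    for port in (22, 4005, 4006, 4007):
        print(port, find_host_key(KNOWN_HOSTS, "foo.bar.com", port))
    print("port ignored:",
          find_host_key(KNOWN_HOSTS, "foo.bar.com", 4005, qualify_port=False))
```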
From: dan at doxpara.com (Dan Kaminsky)
Date: Mon, 9 Dec 2002 13:24:10 -0800 (PST)
Subject: 3DES key-length
In-Reply-To: <109a01c29cc2$8c50a8c0$66fe10ac@axiowave.com>
References: <0cf201c29bc1$fb214450$66fe10ac@axiowave.com> <3DED4A7D.606@doxpara.com> <109a01c29cc2$8c50a8c0$66fe10ac@axiowave.com>
Message-ID: <48257.127.0.0.1.1039469050.squirrel@mutant.doxpara.com>

> Interesting story, indeed!
>
>> > I am interested in the export regulations concerning openssh in USA.
>> Any idea on this ?
>>
>> Should be pretty free of US regs; all the crypto modules are imported
>> from Canada / Germany / Etc.
>
> But, how about the regulations concerning export of OpenSSH from the USA
> to other countries, (because of 128 bit key encryption used!) ?

Well, the idea is that OpenSSH is actually imported *into* the United
States, so it's not particularly under local jurisdiction. However, using
an RPM by an American distributor might change that. So use the tarball to
be sure.

If I remember right, Clinton signed an executive order a couple years back
massively simplifying the process of exporting effective cryptography from
the states...something along the lines of "Send an email to this address at
bxa.gov, and you're done". Of course, if you're actively sending to one of
the nine or ten Verboten countries (Iraq, North Korea, Sudan, etc.) all bets
are off.

--Dan

From markus at openbsd.org Tue Dec 10 19:50:38 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 10 Dec 2002 09:50:38 +0100
Subject: Building openssh-3.5p1 with new DES functions
In-Reply-To: <20021209.174547.93473640.levitte@stacken.kth.se>
References: <20021209122438.GB16737@folly> <20021209.174547.93473640.levitte@stacken.kth.se>
Message-ID: <20021210085038.GA166@folly>

On Mon, Dec 09, 2002 at 05:45:47PM +0100, Richard Levitte - VMS Whacker wrote:
> In message <20021209122438.GB16737 at folly> on Mon, 9 Dec 2002 13:24:38 +0100, Markus Friedl said:
>
> markus> On Sun, Dec 08, 2002 at 12:39:04PM +0100, Martin MOKREJŠ wrote:
> markus> > cc: Error: /usr/local/openssl/include/openssl/mdc2.h, line 79: Missing type specifier or type qualifier. (missingtype)
> markus> > 	DES_cblock h,hh;
> markus> > --------^
> markus>
> markus> i don't think openssl's evp.h should include mdc2.h
>
> It's including all those headers because it used to, and people will
> complain if they don't get all those algorithms just by including
> evp.h.

evp.h is supposed to hide the details of the algorithms.

you should either use the EVP_ or the DES_ interface, but not both.

> However, that's not the problem here. Rather, it would seem that for
> some reason, des.h isn't included, and it should, from mdc2.h for
> example.

it's probably not included because some other des.h is already included.

From bugzilla-daemon at mindrot.org Tue Dec 10 20:01:25 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 10 Dec 2002 20:01:25 +1100 (EST)
Subject: [Bug 453] [PATCH] The SHELL env variable is set incorrectly, when shell is overridden from login.conf.
Message-ID: <20021210090125.1EC6B64517@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=453

markus at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From markus at openbsd.org 2002-12-10 20:01 -------
thanks, patch applied.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From boliset at cse.iitk.ac.in Tue Dec 10 20:09:29 2002
From: boliset at cse.iitk.ac.in (Kapileswar Rao .B)
Date: Tue, 10 Dec 2002 14:39:29 +0530 (IST)
Subject: no configue.in in src distribution
In-Reply-To: <20021210085038.GA166@folly>
Message-ID:

Hi,

I want to add some patches to openssh for my personal experiments. I can
change it in Makefile. But, I would like to change it in configure so that
I can have an optional compilation of my code. But I couldn't find the
configure.in file in the src distribution. I just learnt that we can get
configure from configure.in. Is there any other way in which I can make
changes to the configure file without modifying the configure file manually
with the files available in the src distribution?

TIA
--kapil

On Tue, 10 Dec 2002, Markus Friedl wrote:

> On Mon, Dec 09, 2002 at 05:45:47PM +0100, Richard Levitte - VMS Whacker wrote:
> > In message <20021209122438.GB16737 at folly> on Mon, 9 Dec 2002 13:24:38 +0100, Markus Friedl said:
> >
> > markus> On Sun, Dec 08, 2002 at 12:39:04PM +0100, Martin MOKREJŠ wrote:
> > markus> > cc: Error: /usr/local/openssl/include/openssl/mdc2.h, line 79: Missing type specifier or type qualifier. (missingtype)
> > markus> > 	DES_cblock h,hh;
> > markus> > --------^
> > markus>
> > markus> i don't think openssl's evp.h should include mdc2.h
> >
> > It's including all those headers because it used to, and people will
> > complain if they don't get all those algorithms just by including
> > evp.h.
>
> evp.h is supposed to hide the details of the algorithms.
>
> you should either use the EVP_ or the DES_ interface, but not both.
>
> > However, that's not the problem here. Rather, it would seem that for
> > some reason, des.h isn't included, and it should, from mdc2.h for
> > example.
>
> it's probably not included because some other des.h is already included.
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From bugzilla-daemon at mindrot.org Tue Dec 10 20:14:24 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 10 Dec 2002 20:14:24 +1100 (EST)
Subject: [Bug 454] SSH doesn't consider distinguish ports for host-key verification
Message-ID: <20021210091424.E881464515@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=454

------- Additional Comments From markus at openbsd.org 2002-12-10 20:14 -------
hm, i think about adding ManglePort=yes to the options. This option will
create Hostkeyaliases on the fly if the port is != 22, and use
'foo.bar.com at portXXX' as an alias.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From Reema.Bangar at nokia.com Tue Dec 10 21:07:25 2002
From: Reema.Bangar at nokia.com (Reema.Bangar at nokia.com)
Date: Tue, 10 Dec 2002 02:07:25 -0800
Subject: Reducing RAM requirement of sshd
Message-ID:

Hi All,

I have ported OpenSSH on an embedded uClinux platform. My main concern is
that sshd takes 1 MB of RAM while it's in running state and for each
incoming connection it eats up 1 MB RAM again. I am looking for help in
reducing the RAM requirement for the ssh daemon. Any comments?

Thanks in advance,
Reema.

From markus at openbsd.org Tue Dec 10 22:02:27 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 10 Dec 2002 12:02:27 +0100
Subject: Building openssh-3.5p1 with new DES functions
In-Reply-To: <20021209.174547.93473640.levitte@stacken.kth.se>
References: <20021209122438.GB16737@folly> <20021209.174547.93473640.levitte@stacken.kth.se>
Message-ID: <20021210110227.GA10920@folly>

hm, i think this happens if kerberos is included before evp.h

From markus at openbsd.org Tue Dec 10 22:05:02 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 10 Dec 2002 12:05:02 +0100
Subject: Reducing RAM requirement of sshd
In-Reply-To:
References:
Message-ID: <20021210110502.GB10920@folly>

strip features from sshd.

On Tue, Dec 10, 2002 at 02:07:25AM -0800, Reema.Bangar at nokia.com wrote:
> Hi All,
>
> I have ported OpenSSH on an embedded uClinux platform. My main concern is that sshd takes 1 MB of RAM while it's in running state and for each incoming connection it eats up 1 MB RAM again. I am looking for help in reducing the RAM requirement for the ssh daemon. Any comments?
>
> Thanks in advance,
> Reema.
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From mmokrejs at natur.cuni.cz Tue Dec 10 22:54:32 2002
From: mmokrejs at natur.cuni.cz (Martin MOKREJŠ)
Date: Tue, 10 Dec 2002 12:54:32 +0100 (CET)
Subject: Building openssh-3.5p1 with new DES functions
In-Reply-To: <20021210085038.GA166@folly>
Message-ID:

On Tue, 10 Dec 2002, Markus Friedl wrote:

> On Mon, Dec 09, 2002 at 05:45:47PM +0100, Richard Levitte - VMS Whacker wrote:
> > In message <20021209122438.GB16737 at folly> on Mon, 9 Dec 2002 13:24:38 +0100, Markus Friedl said:
> >
> > markus> On Sun, Dec 08, 2002 at 12:39:04PM +0100, Martin MOKREJŠ wrote:
> > markus> > cc: Error: /usr/local/openssl/include/openssl/mdc2.h, line 79: Missing type specifier or type qualifier. (missingtype)
> > markus> > 	DES_cblock h,hh;
> > markus> > --------^
> > markus>
> > markus> i don't think openssl's evp.h should include mdc2.h
> >
> > It's including all those headers because it used to, and people will
> > complain if they don't get all those algorithms just by including
> > evp.h.
>
> evp.h is supposed to hide the details of the algorithms.
>
> you should either use the EVP_ or the DES_ interface, but not both.

You are the judge. Possibly requires some change in openssl, right? ;-)

> > However, that's not the problem here. Rather, it would seem that for
> > some reason, des.h isn't included, and it should, from mdc2.h for
> > example.
>
> it's probably not included because some other des.h is already included.

Let me describe once more the problem. I want to use krb4-1.2.1 with its
own libdes. If I understood right, symbols will no longer clash between
openssl-0.9.7 and the krb4 version of libdes. The openssh configure has
detected -lkrb -ldes, both from krb4, so it should take care of the rest.
Openssh should then make sure des.h from kerberos would be included too.

--- sshconnect1.c.ori	2002-12-10 12:38:38.000000000 +0100
+++ sshconnect1.c	2002-12-10 12:49:20.000000000 +0100
@@ -20,6 +20,15 @@ #ifdef KRB4 #include +/* Include from /usr/athena/include from krb4 installation in case + user has built krb4 without "support" for openssl. The "support" for openssl + means no /usr/athena/lib/libdes.* and no /usr/athena/include/des.h + will were installed. In case openssl*/configure has detected libdes + from /usr/athena/lib, include also /usr/athena/include/des.h. + The DES used in krb4 is from Eric Young. */ +#ifdef HAVE_LIBDES +#include +#endif #endif #ifdef KRB5 #include This still doesn't solve my problem with openssl/include/openssl/mdc2.h. Would it be possible to rename openssl/include/openssl/des.h to openssl-des.h as the functions in it aren't same as in openssl-0.9.6, so not Eric Young's DES compatible? -- Martin Mokrejs , PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs MIPS / Institute for Bioinformatics GSF - National Research Center for Environment and Health Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany tel.: +49-89-3187 3683 , fax:?+49-89-3187 3585 From markus at openbsd.org Tue Dec 10 23:03:30 2002 
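Review bot: The new block inside the KRB4 section guards the extra des.h include on HAVE_LIBDES, but nothing orders it relative to the OpenSSL headers that evp.h pulls in, so whichever des.h is seen first still wins and the mdc2.h failure the message itself says remains unsolved is untouched; the comment also needs fixing ("will were installed", and "openssl*/configure" where the OpenSSH configure script is meant) and should name the header being included, since the include target does not appear in the hunk as posted.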
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 10 Dec 2002 13:03:30 +0100
Subject: Reducing RAM requirement of sshd
In-Reply-To: <20021210110502.GB10920@folly>
References: <20021210110502.GB10920@folly>
Message-ID: <20021210120330.GA7843@folly>

i should note, that i sent a patch doing this some time ago to this list.

-m

On Tue, Dec 10, 2002 at 12:05:02PM +0100, Markus Friedl wrote:
> strip features from sshd.
>
> On Tue, Dec 10, 2002 at 02:07:25AM -0800, Reema.Bangar at nokia.com wrote:
> > Hi All,
> >
> > I have ported OpenSSH on an embedded uClinux platform. My main concern is that sshd takes 1 MB of RAM while it's in running state and for each incoming connection it eats up 1 MB RAM again. I am looking for help in reducing the RAM requirement for the ssh daemon. Any comments?
> >
> > Thanks in advance,
> > Reema.
> > _______________________________________________
> > openssh-unix-dev at mindrot.org mailing list
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From Reema.Bangar at nokia.com Tue Dec 10 23:15:27 2002
From: Reema.Bangar at nokia.com (Reema.Bangar at nokia.com)
Date: Tue, 10 Dec 2002 04:15:27 -0800
Subject: Reducing RAM requirement of sshd
Message-ID:

Hi,

I have joined this list recently. Could you please send the patch again or
direct me to where I can get it?

Thanks,
Reema.

-----Original Message-----
From: ext Markus Friedl [mailto:markus at openbsd.org]
Sent: 10 December, 2002 17:34
To: Bangar Reema (NIC/Hyderabad)
Cc: openssh-unix-dev at mindrot.org
Subject: Re: Reducing RAM requirement of sshd

i should note, that i sent a patch doing this some time ago to this list.

-m

On Tue, Dec 10, 2002 at 12:05:02PM +0100, Markus Friedl wrote:
> strip features from sshd.
>
> On Tue, Dec 10, 2002 at 02:07:25AM -0800, Reema.Bangar at nokia.com wrote:
> > Hi All,
> >
> > I have ported OpenSSH on an embedded uClinux platform. My main concern is that sshd takes 1 MB of RAM while it's in running state and for each incoming connection it eats up 1 MB RAM again. I am looking for help in reducing the RAM requirement for the ssh daemon. Any comments?
> >
> > Thanks in advance,
> > Reema.
> > _______________________________________________
> > openssh-unix-dev at mindrot.org mailing list
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From Reema.Bangar at nokia.com Tue Dec 10 23:17:32 2002
From: Reema.Bangar at nokia.com (Reema.Bangar at nokia.com)
Date: Tue, 10 Dec 2002 04:17:32 -0800
Subject: Reducing RAM requirement of sshd
Message-ID:

Hi,

Thanks for the prompt reply. I tried stripping features like kerberos
authentication, rhosts authentication etc. but this didn't help much.

Thanks,
Reema.

-----Original Message-----
From: ext Markus Friedl [mailto:markus at openbsd.org]
Sent: 10 December, 2002 16:35
To: Bangar Reema (NIC/Hyderabad)
Cc: openssh-unix-dev at mindrot.org
Subject: Re: Reducing RAM requirement of sshd

strip features from sshd.

On Tue, Dec 10, 2002 at 02:07:25AM -0800, Reema.Bangar at nokia.com wrote:
> Hi All,
>
> I have ported OpenSSH on an embedded uClinux platform. My main concern is that sshd takes 1 MB of RAM while it's in running state and for each incoming connection it eats up 1 MB RAM again. I am looking for help in reducing the RAM requirement for the ssh daemon. Any comments?
>
> Thanks in advance,
> Reema.
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From levitte at stacken.kth.se Tue Dec 10 23:38:03 2002
From: levitte at stacken.kth.se (Richard Levitte - VMS Whacker)
Date: Tue, 10 Dec 2002 13:38:03 +0100 (CET)
Subject: Building openssh-3.5p1 with new DES functions
In-Reply-To: <20021210110227.GA10920@folly>
References: <20021209122438.GB16737@folly> <20021209.174547.93473640.levitte@stacken.kth.se> <20021210110227.GA10920@folly>
Message-ID: <20021210.133803.41634433.levitte@stacken.kth.se>

In message <20021210110227.GA10920 at folly> on Tue, 10 Dec 2002 12:02:27 +0100, Markus Friedl said:

markus> hm, i think this happens if kerberos is included before evp.h

Interesting. That would mean one of two things:

1. Kerberos (was that with the KTH-KRB and Heimdal implementations?) was
   built with its own copy of libdes instead of OpenSSL's, and the header
   reinclusion protector is exactly the same (hindering the OpenSSL des.h
   being included). OpenSSH includes the kerberos headers, and thereby any
   des.h it happens to include.

2. Kerberos was built against an older version of OpenSSL, and again, we
   get an inclusion that excludes the new names.

I think the best way to solve this is to change the name of the protecting
macro in OpenSSL 0.9.7's des.h, and give its des_old.h the same protecting
macro name as older versions use (and presumably libdes as well).

Does that sound like a good idea?

--
Richard Levitte   \ Spannvägen 38, II \ LeViMS at stacken.kth.se
Redakteur at Stacken \ S-168 35 BROMMA  \ T: +46-8-26 52 47
                  \ SWEDEN            \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- poei at bofh.se
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See for more info.

From dtucker at zip.com.au Tue Dec 10 23:51:16 2002
From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 10 Dec 2002 23:51:16 +1100 Subject: [PATCH] Password expiry with Privsep and PAM Message-ID: <3DF5E344.E1CAE31D@zip.com.au> Hi All. Attached is a patch that implements password expiry with PAM and privsep. It works by passing a descriptor to the tty to the monitor, which sets up a child with that tty as stdin/stdout/stderr, then runs chauthtok(). No setuid helpers. I used some parts of Michael Steffens' patch (bugid #423) to make it work on HP-UX. It's still rough but it works. Tested on Solaris 8 and HPUX 11 (trusted configuration). Comments? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: auth-pam.c =================================================================== RCS file: /cvs/openssh/auth-pam.c,v retrieving revision 1.54 diff -u -u -r1.54 auth-pam.c --- auth-pam.c 28 Jul 2002 20:24:08 -0000 1.54 +++ auth-pam.c 10 Dec 2002 12:34:10 -0000 @@ -42,8 +42,6 @@ #define NEW_AUTHTOK_MSG \ "Warning: Your password has expired, please change it now." -#define NEW_AUTHTOK_MSG_PRIVSEP \ - "Your password has expired, the session cannot proceed." static int do_pam_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr); @@ -186,12 +184,15 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +/* HP-UX doesn't like credentials to be deleted. Skip and rely on pam_end() */ +#ifndef __hpux if (__pamh && creds_set) { pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED); if (pam_retval != PAM_SUCCESS) debug("Cannot delete credentials[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +#endif if (__pamh) { pam_retval = pam_end(__pamh, pam_retval); 
@@ -256,10 +257,8 @@ case PAM_SUCCESS: /* This is what we want */ break; -#if 0 case PAM_NEW_AUTHTOK_REQD: - message_cat(&__pam_msg, use_privsep ? - NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG); + message_cat(&__pam_msg, NEW_AUTHTOK_MSG); /* flag that password change is necessary */ password_change_required = 1; /* disallow other functionality for now */ @@ -267,7 +266,6 @@ no_agent_forwarding_flag |= 2; no_x11_forwarding_flag |= 2; break; -#endif default: log("PAM rejected by account configuration[%d]: " "%.200s", pam_retval, PAM_STRERROR(__pamh, @@ -301,6 +299,18 @@ session_opened = 1; } +/* Set the TTY after session is open */ +void do_pam_set_tty(const char *ttyname) { + int pam_retval; + if (ttyname != NULL) { + debug("PAM setting tty to \"%.200s\"", ttyname); + pam_retval = pam_set_item(__pamh, PAM_TTY, ttyname); + if (pam_retval != PAM_SUCCESS) + fatal("PAM set tty failed[%d]: %.200s", + pam_retval, PAM_STRERROR(__pamh, pam_retval)); + } +} + /* Set PAM credentials */ void do_pam_setcred(int init) { @@ -344,17 +354,15 @@ do_pam_set_conv(&conv); if (password_change_required) { - if (use_privsep) - fatal("Password changing is currently unsupported" - " with privilege separation"); pamstate = OTHER; pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK); if (pam_retval != PAM_SUCCESS) fatal("PAM pam_chauthtok failed[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); -#if 0 /* XXX: This would need to be done in the parent process, * but there's currently no way to pass such request. */ + password_change_required = 0; +#if 0 no_port_forwarding_flag &= ~2; no_agent_forwarding_flag &= ~2; no_x11_forwarding_flag &= ~2; Index: auth-pam.h =================================================================== RCS file: /cvs/openssh/auth-pam.h,v retrieving revision 1.16 diff -u -u -r1.16 auth-pam.h --- auth-pam.h 23 Jul 2002 00:44:07 -0000 1.16 +++ auth-pam.h 10 Dec 2002 12:34:10 -0000 
@@ -25,6 +25,8 @@ */ #include "includes.h" +#include "channels.h" +#include "session.h" #ifdef USE_PAM #if !defined(SSHD_PAM_SERVICE) Index: monitor.c =================================================================== RCS file: /cvs/openssh/monitor.c,v retrieving revision 1.33 diff -u -u -r1.33 monitor.c --- monitor.c 9 Nov 2002 15:47:49 -0000 1.33 +++ monitor.c 10 Dec 2002 12:34:11 -0000 @@ -118,6 +118,7 @@ #ifdef USE_PAM int mm_answer_pam_start(int, Buffer *); +int mm_answer_pam_chauthtok(int, Buffer *); #endif #ifdef KRB4 @@ -183,6 +184,9 @@ {MONITOR_REQ_PTY, 0, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, +#ifdef USE_PAM + {MONITOR_REQ_PAM_CHAUTHTOK, 0, mm_answer_pam_chauthtok}, +#endif {0, 0, NULL} }; @@ -219,6 +223,9 @@ {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, +#ifdef USE_PAM + {MONITOR_REQ_PAM_CHAUTHTOK, 0, mm_answer_pam_chauthtok}, +#endif {0, 0, NULL} }; @@ -328,6 +335,7 @@ if (!no_pty_flag) { monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_PAM_CHAUTHTOK, 1); } for (;;) 
@@ -746,6 +754,49 @@ xfree(user); return (0); +} + +int +mm_answer_pam_chauthtok(int socket, Buffer *m) +{ + pid_t pid; + int ttyfd, status; + mysig_t old_signal; + + old_signal = mysignal(SIGCHLD, SIG_DFL); + + ttyfd = mm_receive_fd(socket); + debug("%s: ttyfd=%d, ttyname=%s", __func__, ttyfd, ttyname(ttyfd)); + + if ((pid = fork()) == 0) { + close(socket); + if (dup2(ttyfd, 0) < 0) + error("dup2 stdin: %s", strerror(errno)); + if (dup2(ttyfd, 1) < 0) + error("dup2 stdout: %s", strerror(errno)); + if (dup2(ttyfd, 2) < 0) + error("dup2 stderr: %s", strerror(errno)); + close(ttyfd); + /* execl("/bin/sh", "sh", NULL); */ + do_pam_chauthtok(); + if(is_pam_password_change_required()) + exit(1); /* failed */ + else + exit(0); /* success */ + } + close(ttyfd); + + if (waitpid(pid, &status, 0) == -1) + fatal("Couldn't wait for child: %s", strerror(errno)); + + if (WEXITSTATUS(status)) + fatal("do_pam_chauthtok() failed, child returned %d", status); + + mysignal(SIGCHLD, old_signal); + + mm_request_send(socket, MONITOR_ANS_PAM_CHAUTHTOK, m); + + return 1; } #endif Index: monitor.h =================================================================== RCS file: /cvs/openssh/monitor.h,v retrieving revision 1.10 diff -u -u -r1.10 monitor.h --- monitor.h 27 Sep 2002 03:26:02 -0000 1.10 +++ monitor.h 10 Dec 2002 12:34:11 -0000 @@ -52,6 +52,7 @@ MONITOR_REQ_KRB4, MONITOR_ANS_KRB4, MONITOR_REQ_KRB5, MONITOR_ANS_KRB5, MONITOR_REQ_PAM_START, + MONITOR_REQ_PAM_CHAUTHTOK, MONITOR_ANS_PAM_CHAUTHTOK, MONITOR_REQ_TERM }; Index: monitor_wrap.c =================================================================== RCS file: /cvs/openssh/monitor_wrap.c,v retrieving revision 1.20 diff -u -u -r1.20 monitor_wrap.c --- monitor_wrap.c 27 Sep 2002 03:26:03 -0000 1.20 +++ monitor_wrap.c 10 Dec 2002 12:34:11 -0000 
@@ -663,6 +663,25 @@ buffer_free(&m); } + +void +mm_do_pam_chauthtok(void) +{ + Buffer m; + int ttyfd; + + buffer_init(&m); + + if ((ttyfd = open(_PATH_TTY, O_RDWR)) < 0) + fatal("%s: can't open %s", __func__, _PATH_TTY); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_CHAUTHTOK, &m); + mm_send_fd(pmonitor->m_recvfd, 0); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_CHAUTHTOK, &m); + close(ttyfd); + + buffer_free(&m); +} #endif /* USE_PAM */ /* Request process termination */ Index: monitor_wrap.h =================================================================== RCS file: /cvs/openssh/monitor_wrap.h,v retrieving revision 1.9 diff -u -u -r1.9 monitor_wrap.h --- monitor_wrap.h 27 Sep 2002 03:26:04 -0000 1.9 +++ monitor_wrap.h 10 Dec 2002 12:34:11 -0000 @@ -57,6 +57,7 @@ #ifdef USE_PAM void mm_start_pam(char *); +void mm_pam_chauthtok(void); #endif void mm_terminate(void); Index: session.c =================================================================== RCS file: /cvs/openssh/session.c,v retrieving revision 1.222 diff -u -u -r1.222 session.c --- session.c 26 Sep 2002 00:38:50 -0000 1.222 +++ session.c 10 Dec 2002 12:34:13 -0000 @@ -454,7 +454,6 @@ session_proctitle(s); #if defined(USE_PAM) - do_pam_session(s->pw->pw_name, NULL); do_pam_setcred(1); if (is_pam_password_change_required()) packet_disconnect("Password change required but no " @@ -581,7 +580,7 @@ ttyfd = s->ttyfd; #if defined(USE_PAM) - do_pam_session(s->pw->pw_name, s->tty); + do_pam_set_tty(s->tty); do_pam_setcred(1); #endif @@ -753,7 +752,7 @@ */ if (is_pam_password_change_required()) { print_pam_messages(); - do_pam_chauthtok(); + PRIVSEP(do_pam_chauthtok()); } #endif 
@@ -1238,6 +1237,12 @@ * Reestablish them here. */ do_pam_setcred(0); + + /* + * We need to open the session here because PAM on HP-UX does not + * work after the call to permanently_set_uid. + */ + do_pam_session(pw->pw_name,NULL); # endif /* USE_PAM */ # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) irix_setusercontext(pw); Index: openbsd-compat/readpassphrase.c =================================================================== RCS file: /cvs/openssh/openbsd-compat/readpassphrase.c,v retrieving revision 1.9 diff -u -u -r1.9 readpassphrase.c --- openbsd-compat/readpassphrase.c 11 Sep 2002 00:29:13 -0000 1.9 +++ openbsd-compat/readpassphrase.c 10 Dec 2002 12:34:13 -0000 @@ -86,6 +86,15 @@ } /* + * Odd case where stdin is a tty but /dev/tty is not + * available. Used for passed file descriptor during privsep. + */ + if (isatty(STDIN_FILENO)) { + input = dup(STDIN_FILENO); + output = dup(STDERR_FILENO); + } + + /* * Catch signals that would otherwise cause the user to end * up with echo turned off in the shell. Don't worry about * things like SIGXCPU and SIGVTALRM for now. From mmokrejs at natur.cuni.cz Tue Dec 10 23:57:13 2002 
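Review bot: the `#ifndef __hpux` around the PAM_DELETE_CRED call (auth-pam.c, hunk @@ -186,12) puts a compiler-predefined platform macro into otherwise generic code; the tree's other platform workarounds come from configure, so a configure-time define would keep this special case discoverable in one place. The comment also says HP-UX "doesn't like" credential deletion without saying what actually fails; recording the observed error would help whoever revisits this.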
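Review bot: do_pam_set_tty() (auth-pam.c, hunk @@ -301,6) calls pam_set_item(__pamh, PAM_TTY, ...) without the `if (__pamh && ...)` guard the cleanup code earlier in this file uses; add the NULL check so a call before pam_start() fails cleanly rather than inside libpam. Since this runs with the session already set up, also consider whether a failed PAM_TTY must be fatal() or can be logged and ignored as the PAM_DELETE_CRED failure is.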
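Review bot: after the auth-pam.c hunk @@ -344,17 the `/* XXX: This would need to be done in the parent process, ... */` comment sits directly above `password_change_required = 0;`, which is now live code, while the forwarding-flag resets it actually describes stay under `#if 0`. Move the comment below the new line or reword it, or a reader will think the flag reset is the thing that cannot be done. It is also worth stating in the commit message that a session that has just changed its password still runs with the `|= 2` forwarding restrictions set in the PAM_NEW_AUTHTOK_REQD case, because that clearing remains disabled.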
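Review bot: the MONITOR_REQ_PAM_CHAUTHTOK entry (monitor.c, hunk @@ -219,6 and likewise hunk @@ -183,6) is added with flags 0, whereas the neighbouring MONITOR_REQ_PTY and MONITOR_REQ_PTYCLEANUP entries in this table are MON_ONCE. A password change is a one-shot operation; `{MONITOR_REQ_PAM_CHAUTHTOK, MON_ONCE, mm_answer_pam_chauthtok},` stops the unprivileged process from making the monitor fork a root child and call pam_chauthtok() repeatedly.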
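Review bot: `monitor_permit(mon_dispatch, MONITOR_REQ_PAM_CHAUTHTOK, 1);` (monitor.c, hunk @@ -328,6) is granted whenever a pty is permitted, not only when PAM reported an expired password. The handler already consults is_pam_password_change_required() in its forked child; checking it in the monitor before fork() and refusing the request otherwise keeps a pty session from driving pam_chauthtok() when no change is due.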
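Review bot: mm_answer_pam_chauthtok() (monitor.c, hunk @@ -746,6) dup2()s a descriptor received from the unprivileged process onto stdin/stdout/stderr of a root child without checking what it is; before the fork(), verify isatty(ttyfd) and that it refers to the pty the monitor handed out in mm_answer_pty() (fstat() and compare st_rdev), and refuse the request otherwise. Related points in the same function: `ttyname(ttyfd)` in the debug() returns NULL for a non-tty and is passed to %s; `if ((pid = fork()) == 0)` never handles fork() == -1, so pid becomes -1 and `waitpid(pid, &status, 0)` waits for an arbitrary child; and the failure path logs the raw `status` rather than WEXITSTATUS(status) without first checking WIFEXITED(), so a signalled child is misreported.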
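Review bot: mm_do_pam_chauthtok() (monitor_wrap.c, hunk @@ -663,6) opens _PATH_TTY into ttyfd but then sends descriptor 0: `mm_send_fd(pmonitor->m_recvfd, 0);`. Presumably `mm_send_fd(pmonitor->m_recvfd, ttyfd);` was intended; as written the open()/close() pair is dead code and the monitor receives whatever stdin happens to be, which is also what the readpassphrase.c change ends up relying on.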
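Review bot: the prototype added in monitor_wrap.h (hunk @@ -57,6) is `void mm_pam_chauthtok(void);`, but the function the monitor_wrap.c hunk defines is mm_do_pam_chauthtok(), which is also the name `PRIVSEP(do_pam_chauthtok())` in session.c resolves to. The mismatch declares a function that does not exist and leaves the real one undeclared at its call site; rename the prototype to mm_do_pam_chauthtok.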
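Review bot: style in session.c, hunk @@ -1238,6: `do_pam_session(pw->pw_name,NULL);` lacks the space after the comma used elsewhere in the file. The comment justifies moving the session open into do_setusercontext() only for HP-UX, while the hunks at @@ -454,7 and @@ -581,7 remove it from both exec paths for every PAM platform; a sentence in the commit message on why the new ordering (pam_open_session after do_pam_setcred(0)) is fine for Solaris and Linux-PAM would help.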
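Review bot: the new block in openbsd-compat/readpassphrase.c (hunk @@ -86,6) does not implement its own comment. The comment describes the case where stdin is a tty but /dev/tty is unavailable, yet the test is only `if (isatty(STDIN_FILENO))`, so it also fires when the open of _PATH_TTY just above succeeded, replacing those descriptors with dup()s of stdin/stderr and leaking the originals. Guard it on the preceding open having failed as well, and check the dup() return values.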
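The descriptor hand-off Darren describes (the unprivileged child passes the tty to the monitor over their Unix socket), as an added example that is not part of the patch or of OpenSSH: the example_* names are hypothetical, and the monitor-side check on the received descriptor, which assumes the monitor still holds its own pty fd to compare against, is an addition the patch itself does not make.

```c
/* Added example, not OpenSSH code: the tty-descriptor hand-off the patch
 * above does with mm_send_fd()/mm_receive_fd(), plus the check the monitor
 * should make before a root process uses the received fd. example_* names
 * are hypothetical. */
#include <sys/socket.h>
#include <sys/stat.h>
#include <string.h>
#include <unistd.h>
/* Control-message buffer sized for exactly one descriptor. */
union example_cmsg { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Both sides: one payload byte (SCM_RIGHTS needs data) plus room for the fd. */
static void
example_init_msg(struct msghdr *msg, struct iovec *iov, char *ch,
    union example_cmsg *cm)
{
	memset(msg, 0, sizeof(*msg));
	memset(cm, 0, sizeof(*cm));
	iov->iov_base = ch;
	iov->iov_len = 1;
	msg->msg_iov = iov;
	msg->msg_iovlen = 1;
	msg->msg_control = cm->buf;
	msg->msg_controllen = sizeof(cm->buf);
}

/* Unprivileged side: send fd to the monitor over the Unix socket. */
int
example_send_fd(int sock, int fd)
{
	struct msghdr msg; struct iovec iov; char ch = '\0';
	union example_cmsg cm; struct cmsghdr *cmsg;

	example_init_msg(&msg, &iov, &ch, &cm);
	cmsg = CMSG_FIRSTHDR(&msg);
	cmsg->cmsg_len = CMSG_LEN(sizeof(int));
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_RIGHTS;
	memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
	return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Monitor side: return the descriptor attached to the message, or -1. */
int
example_recv_fd(int sock)
{
	struct msghdr msg; struct iovec iov; char ch; int fd;
	union example_cmsg cm; struct cmsghdr *cmsg;

	example_init_msg(&msg, &iov, &ch, &cm);
	if (recvmsg(sock, &msg, 0) != 1)
		return -1;
	cmsg = CMSG_FIRSTHDR(&msg);
	if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET ||
	    cmsg->cmsg_type != SCM_RIGHTS)
		return -1;
	memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
	return fd;
}

/* Monitor side: the fd came from the less privileged process, so accept it
 * only if it is a terminal on the character device the monitor allocated for
 * this session (expected_rdev: st_rdev of the monitor's own pty fd). The
 * patch dup2()s the received fd unchecked. Returns 0 if acceptable. */
int
example_check_tty_fd(int fd, dev_t expected_rdev)
{
	struct stat st;

	if (fd < 0 || !isatty(fd) || fstat(fd, &st) < 0)
		return -1;
	return (S_ISCHR(st.st_mode) && st.st_rdev == expected_rdev) ? 0 : -1;
}

/* Offline walk-through over a socketpair and a pipe (constructed, no pty
 * needed). Returns 0 on success, otherwise the number of the failed step. */
int
example_selftest(void)
{
	int sv[2], pfd[2], got = -1, rc = 0;
	struct stat a, b;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(pfd) < 0)
		return 1;
	if (example_send_fd(sv[0], pfd[1]) < 0)
		rc = 2;
	else if ((got = example_recv_fd(sv[1])) < 0)
		rc = 3;
	else if (fstat(got, &a) < 0 || fstat(pfd[1], &b) < 0 ||
	    a.st_dev != b.st_dev || a.st_ino != b.st_ino)
		rc = 4;		/* the receiver must hold the same open file */
	else if (example_check_tty_fd(got, b.st_rdev) != -1)
		rc = 5;		/* a pipe is not a terminal and must be refused */
	if (got >= 0)
		close(got);
	close(pfd[0]); close(pfd[1]); close(sv[0]); close(sv[1]);
	return rc;
}
```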
From: mmokrejs at natur.cuni.cz (Martin MOKREJŠ)
Date: Tue, 10 Dec 2002 13:57:13 +0100 (CET)
Subject: Building openssh-3.5p1 with new DES functions
In-Reply-To: <20021210.133803.41634433.levitte@stacken.kth.se>
Message-ID:

On Tue, 10 Dec 2002, Richard Levitte - VMS Whacker wrote:

> In message <20021210110227.GA10920 at folly> on Tue, 10 Dec 2002 12:02:27 +0100, Markus Friedl said:
>
> markus> hm, i think this happens if kerberos is included before evp.h
>
> Interesting. That would mean one of two things:
>
> 1. Kerberos (was that with the KTH-KRB and Heimdal implementations?)

krb4-1.2.1

> was built with its own copy of libdes instead of OpenSSL's, and

All older versions of krb4 before 1.1, or /usr/athena directories which were not cleaned up, have /usr/athena/lib/libdes.(a|so) lying there, same with the header file. The administrator has to delete them manually after installing a newer krb4 version with openssl "support".

> the header reinclusion protector is exactly the same (hindering the
> OpenSSL des.h being included). OpenSSH includes the kerberos
> headers, and thereby any des.h it happens to include.
> 2. Kerberos was built against an older version of OpenSSL, and again,
> we get an inclusion that excludes the new names.

KTH KRB4 supported openssl I think since the 1.1 release. Even with a newer version you can get libdes compiled and installed, you just say to configure --without-openssl ^H^H^H^H^H--disable-openssl. That's what I've done this time to test if this would be a solution to get rid of des originating from openssl. ;)

> I think the best way to solve this is to change the name of the
> protecting macro in OpenSSL 0.9.7's des.h, and give its des_old.h the
> same protecting macro name as older versions use (and presumably
> libdes as well).
>
> Does that sound like a good idea?

If you plan to rename des.h to des_old.h, fine for me, then only one des.h will be present. As I'm not a programmer, I can't comment on the rest.
-- 
Martin Mokrejs , PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585

From levitte at stacken.kth.se Tue Dec 10 23:58:28 2002
From: levitte at stacken.kth.se (Richard Levitte - VMS Whacker)
Date: Tue, 10 Dec 2002 13:58:28 +0100 (CET)
Subject: Building openssh-3.5p1 with new DES functions
In-Reply-To: <20021210085038.GA166@folly>
References: <20021209122438.GB16737@folly> <20021209.174547.93473640.levitte@stacken.kth.se> <20021210085038.GA166@folly>
Message-ID: <20021210.135828.72708681.levitte@stacken.kth.se>

In message <20021210085038.GA166 at folly> on Tue, 10 Dec 2002 09:50:38 +0100, Markus Friedl said:

markus> > It's including all those headers because it used to, and people will
markus> > complain if they don't get all those algorithms just by including
markus> > evp.h.
markus>
markus> evp.h is supposed to hide the details of the algorithms.

I totally agree with the sentiment. And we did remove those inclusions at one point in the 0.9.7 branch. At some point (after another storm with Theo), I did a test compile of an old OpenSSH against whatever was in the HEAD of OpenSSL development at that time. It went *KABOOM*, and the single cause for that *KABOOM* was that evp.h didn't include all those algorithm headers any more. After I placed them back, I got just a couple of warnings that were a piece of cake to deal with.

So, in light of a huge complaint from Theo that we're changing so damn much between versions and breaking compiles of old programs that used to work fine, I put those inclusions back.

I think that for 0.9.7, this part is staying as it is.

markus> you should either use the EVP_ or the DES_ interface, but not
markus> both.

Quite true.

-- 
Richard Levitte   \ Spannvägen 38, II \ LeViMS at stacken.kth.se
Redakteur at Stacken \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                   \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- poei at bofh.se
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See for more info.

From levitte at stacken.kth.se Wed Dec 11 00:03:32 2002
From: levitte at stacken.kth.se (Richard Levitte - VMS Whacker)
Date: Tue, 10 Dec 2002 14:03:32 +0100 (CET)
Subject: Building openssh-3.5p1 with new DES functions
In-Reply-To:
References: <20021210.133803.41634433.levitte@stacken.kth.se>
Message-ID: <20021210.140332.18579144.levitte@stacken.kth.se>

In message on Tue, 10 Dec 2002 13:57:13 +0100 (CET), Martin MOKREJŠ said:

mmokrejs> KTH KRB4 supported openssl I think since 1.1 release. Even with newer
mmokrejs> version you can get libdes compiled and installed, you just say to
mmokrejs> configure --without-openssl ^H^H^H^H^H--disable-openssl.

Hmm? I thought it was the other way around, that you had to configure with explicit use of OpenSSL, and the default being to use the bundled copy of libdes... Has that changed?

mmokrejs> That's what I've done this time to test, if this would be
mmokrejs> solution to get rid of des originating from openssl. ;)

I think that's a bad solution, because then you're explicitly asking for a mix of the two des.h, with the consequences that has.

mmokrejs> If you plan to rename des.h to des_old.h, fine for me, then only one
mmokrejs> des.h will be present. As I'm not a programmer, I can't comment the rest.

Not the files, but the macros in them that are protecting them from duplicate inclusion.

-- 
Richard Levitte   \ Spannvägen 38, II \ LeViMS at stacken.kth.se
Redakteur at Stacken \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                   \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- poei at bofh.se
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See for more info.

From dtucker at zip.com.au Wed Dec 11 00:09:27 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 11 Dec 2002 00:09:27 +1100
Subject: Password expiry related clarification in OpenSSH3.5p1
References: <20021208184128.GA1353@jenny.crlsca.adelphia.net>
Message-ID: <3DF5E787.B4BDF706@zip.com.au>

Kevin Steves wrote:
> fyi (i'm behind in following the password expire efforts).
> ----- Forwarded message from Logu -----
> Date: Sat, 7 Dec 2002 02:42:52 +0530
> From: "Logu"
[snip]
> We are using OpenSSH3.1p1 and now planned to shift to OpenSSH3.5p1. Among
> other changes, we would like to know specifically the reasons for the
> commented part of the PAM account expiration part in auth-pam.c.
> Why this part of the code is not used in 3.5p1? Is there any specific
> reasons for not using this part of the code?

That's because it doesn't work with privsep, no?

The bit I don't get is in auth-pam.c:

    #if 0
        /* XXX: This would need to be done in the parent process,
         * but there's currently no way to pass such request. */
        no_port_forwarding_flag &= ~2;
    [snip]
    #endif

I think that should read "child process", assuming chauthtok is run by the monitor.

I've done a fair amount of work on various expiry methods, but what I need is someone to say "do X and the results will be merged". The only thing I'm certain of is everybody wants something different.

Some of the patches are at http://www.zip.com.au/~dtucker/openssh/, the rest can be found in the list archives.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From mmokrejs at natur.cuni.cz Wed Dec 11 00:17:38 2002
From: mmokrejs at natur.cuni.cz (Martin MOKREJŠ)
Date: Tue, 10 Dec 2002 14:17:38 +0100 (CET)
Subject: Building openssh-3.5p1 with new DES functions
In-Reply-To: <20021210.140332.18579144.levitte@stacken.kth.se>
Message-ID:

On Tue, 10 Dec 2002, Richard Levitte - VMS Whacker wrote:

> In message on Tue, 10 Dec 2002 13:57:13 +0100 (CET), Martin MOKREJŠ said:
>
> mmokrejs> KTH KRB4 supported openssl I think since 1.1 release. Even with newer
> mmokrejs> version you can get libdes compiled and installed, you just say to
> mmokrejs> configure --without-openssl ^H^H^H^H^H--disable-openssl.
>
> Hmm? I thought it was the other way around, that you had to configure
> with explicit use of OpenSSL, and the default being to use the bundled
> copy of libdes... Has that changed?

Probably so. I can only say that --without-openssl doesn't help in my case; I've figured out --disable-openssl really disables that. The configure, if I remember right, anyway looked for openssl, checked the version etc. But in config.h openssl is disabled.

> mmokrejs> That's what I've done this time to test, if this would be
> mmokrejs> solution to get rid of des originating from openssl. ;)

-- 
Martin Mokrejs , PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585

From markus at openbsd.org Wed Dec 11 00:28:51 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 10 Dec 2002 14:28:51 +0100
Subject: Building openssh-3.5p1 with new DES functions
In-Reply-To: <20021210.135828.72708681.levitte@stacken.kth.se>
References: <20021209122438.GB16737@folly> <20021209.174547.93473640.levitte@stacken.kth.se> <20021210085038.GA166@folly> <20021210.135828.72708681.levitte@stacken.kth.se>
Message-ID: <20021210132850.GA31780@folly>

On Tue, Dec 10, 2002 at 01:58:28PM +0100, Richard Levitte - VMS Whacker wrote:
> In message <20021210085038.GA166 at folly> on Tue, 10 Dec 2002 09:50:38 +0100, Markus Friedl said:
>
> markus> > It's including all those headers because it used to, and people will
> markus> > complain if they don't get all those algorithms just by including
> markus> > evp.h.
> markus>
> markus> evp.h is supposed to hide the details of the algorithms.
>
> I totally agree with the sentiment. And we did remove those
> inclusions at one point in the 0.9.7 branch. At some point (after
> another storm with Theo), I did a test compile of an old OpenSSH
> against whatever was in the HEAD of OpenSSL development at that time.

no need to run old versions of OpenSSH. if i used the wrong interface then it's my fault.

> It went *KABOOM*, and the single cause for that *KABOOM* was that
> evp.h didn't include all those algorithm headers any more.

then this was:
1. a bug in the old openssh, misusing evp.h, my bad.
2. a bug in older openssl, sucking in all includes.

> After I
> placed them back, I got just a couple of warnings that were a piece of
> cake to deal with.
>
> So, in light of a huge complaint from Theo that we're changing so damn
> much between versions and breaking compiles of old programs that used
> to work fine, I put those inclusions back.

I've been asking Theo about this several times and he agrees with me, so i think this is some kind of miscommunication.

> I think that for 0.9.7, this part is staying as it is.
I don't think people should be encouraged to only include "evp.h" when they want "md5.h"

> markus> you should either use the EVP_ or the DES_ interface, but not
> markus> both.
>
> Quite true.

-m

From markus at openbsd.org Wed Dec 11 00:30:35 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 10 Dec 2002 14:30:35 +0100
Subject: Building openssh-3.5p1 with new DES functions
In-Reply-To: <20021210.133803.41634433.levitte@stacken.kth.se>
References: <20021209122438.GB16737@folly> <20021209.174547.93473640.levitte@stacken.kth.se> <20021210110227.GA10920@folly> <20021210.133803.41634433.levitte@stacken.kth.se>
Message-ID: <20021210133035.GC31780@folly>

On Tue, Dec 10, 2002 at 01:38:03PM +0100, Richard Levitte - VMS Whacker wrote:
> I think the best way to solve this is to change the name of the
> protecting macro in OpenSSL 0.9.7's des.h, and give its des_old.h the
> same protecting macro name as older versions use (and presumably
> libdes as well).
>
> Does that sound like a good idea?

yes, i think that des_old should use the same protecting macros as the old libdes/openssl, and the DES_ file something completely different.

-m

From mmokrejs at natur.cuni.cz Wed Dec 11 00:35:30 2002
From: mmokrejs at natur.cuni.cz (Martin MOKREJŠ)
Date: Tue, 10 Dec 2002 14:35:30 +0100 (CET)
Subject: [PATCH] Password expiry with Privsep and PAM
In-Reply-To: <3DF5E344.E1CAE31D@zip.com.au>
Message-ID:

On Tue, 10 Dec 2002, Darren Tucker wrote:

Hi Darren,

> Hi All.
> Attached is a patch that implements password expiry with PAM and
> privsep. It works by passing a descriptor to the tty to the monitor,
> which sets up a child with that tty as stdin/stdout/stderr, then runs
> chauthtok(). No setuid helpers.
>
> I used some parts of Michael Steffens' patch (bugid #423) to make it
> work on HP-UX.
>
> It's still rough but it works. Tested on Solaris 8 and HPUX 11 (trusted
> configuration).

Is this patch compatible with this patch from Jan Iven?
http://msgs.securepoint.com/cgi-bin/get/openssh-unix-dev-0210/42.html

Has that patch been fully integrated into cvs already? I guess PrivSep should already work if his patch is in place already... ;)

-- 
Martin Mokrejs , PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585

From up5a at stud.uni-karlsruhe.de Wed Dec 11 00:49:45 2002
From: up5a at stud.uni-karlsruhe.de (Tobias Ulbricht)
Date: Tue, 10 Dec 2002 14:49:45 +0100 (CET)
Subject: Problems with the tty's in openssh + AIX
Message-ID:

Hi everybody. I posted this also to comp.sec...ssh, so excuse me for multiple emails.

I downloaded openssh-3.5p1 and compiled under AIX. Now, if I run that program Sandor W. Sklar suggested in bugzilla #124 (see below), it works in linux, not in AIX 5.1. In AIX it produces the same "hang" as the original problems I have with the "tclsh" command. sshd hangs with this output:

debug1: channel 0: read<=0 rfd 11 len 0
debug1: channel 0: read failed
debug1: channel 0: close_read
debug1: channel 0: input open -> drain
debug1: channel 0: ibuf empty
debug1: channel 0: send eof
debug1: channel 0: input drain -> closed

Could it be related to "NON_BLOCKING" of fd=11? Or to "TCP_NODELAY" of fd=4? I seem to be the only one having such problems, thus it might be a config/compilation issue. Can anyone at least verify what evil thing this program does? telnet/rlogin/ssh-on-linux pass the sshd-test-program below. I used openssh3.5p1 with no patches.

thanks, tobias.

#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

int main(int argc, char* argv[])
{
    int tty_fd;
    int old_tty_fd;
    char str[100];

    if (argc != 2) {
        fprintf(stderr, "usage: sshd-test `tty`\n");
        return 1;
    }
    fprintf(stderr, "tty is: %s\n", argv[1]);

    /* Open the tty named on the command line, then work through a dup of it. */
    old_tty_fd = open(argv[1], O_RDWR);
    if (old_tty_fd < 0) {
        perror("open");
        return 1;
    }
    tty_fd = dup(old_tty_fd);   /* 1 will be /dev/tty */
    fprintf(stderr, "dup tty no. is: %d\n", tty_fd);
    close(old_tty_fd);

    /* A normal write to the tty. */
    strcpy(str, "this is the last thing you will see if sshd is broken.\n");
    fprintf(stderr, "len = %d str = %s", (int)strlen(str), str);
    write(tty_fd, str, strlen(str));

    /* A zero-length write to the tty: the poster reports the hang here on AIX. */
    strcpy(str, "");
    fprintf(stderr, "len = %d str = \"%s\"\n", (int)strlen(str), str);
    write(tty_fd, str, strlen(str));   /* we die here on 433 */

    fprintf(stderr, "if you can read this then all is good.\n");
    return 0;
}

From Daniel.D.Olsson at telia.se Wed Dec 11 00:53:31 2002
From: Daniel.D.Olsson at telia.se (Daniel.D.Olsson at telia.se)
Date: Tue, 10 Dec 2002 14:53:31 +0100
Subject: Problem with Openssh3.5
Message-ID: <03AD0B0B2573644A86F2C1F890691D8F013D37D7@TMS011MB.tcad.telia.se>

Hello

I have compiled Openssh3.5 on Solaris 2.6

It works well on 2.6, 2.7 and solaris 8 but on solaris 8 it tries to log in the /var/adm/wtmp file and it does not exist.

What can I do to fix this. Read something about "build sol" instead of "configure"....but where do I find information about this command (build sol).

Mail me on: daniel.d.olsson at telia.se

Thanks

From mouring at etoh.eviladmin.org Wed Dec 11 00:51:06 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 10 Dec 2002 07:51:06 -0600 (CST)
Subject: no configue.in in src distribution
In-Reply-To:
Message-ID:

Look for configure.ac. You need at least 2.5x version or better to regenerate the configure script for OpenSSH.

- Ben

On Tue, 10 Dec 2002, Kapileswar Rao .B wrote:

> Hi,
> I want to add some patches to openssh for my personal experiments. I
> can change it in Makefile. But, I would like to change it in configure so
> that I can have an optional compilation of my code. But I couldn't find
> configure.in file in the src distribution.
> I just learnt that we can get configure from configure.in.
> Is there any other way in which I can make changes to configure file
> without modifying configure file manually with the files available in src
> distribution.
>
> TIA
> --kapil
>
> On Tue, 10 Dec 2002, Markus Friedl wrote:
>
> > On Mon, Dec 09, 2002 at 05:45:47PM +0100, Richard Levitte - VMS Whacker wrote:
> > > In message <20021209122438.GB16737 at folly> on Mon, 9 Dec 2002 13:24:38 +0100, Markus Friedl said:
> > >
> > > markus> On Sun, Dec 08, 2002 at 12:39:04PM +0100, Martin MOKREJŠ wrote:
> > > markus> > cc: Error: /usr/local/openssl/include/openssl/mdc2.h, line 79: Missing type specifier or type qualifier. (missingtype)
> > > markus> > DES_cblock h,hh;
> > > markus> > --------^
> > > markus>
> > > markus> i don't think openssl's evp.h should include mdc2.h
> > >
> > > It's including all those headers because it used to, and people will
> > > complain if they don't get all those algorithms just by including
> > > evp.h.
> >
> > evp.h is supposed to hide the details of the algorithms.
> >
> > you should either use the EVP_ or the DES_ interface, but not both.
> >
> > > However, that's not the problem here. Rather, it would seem that for
> > > some reason, des.h isn't included, and it should, from mdc2.h for
> > > example.
> >
> > it's probably not included because some other des.h is already included.
From janfrode at parallab.no Wed Dec 11 02:01:42 2002
From: janfrode at parallab.no (Jan-Frode Myklebust)
Date: Tue, 10 Dec 2002 16:01:42 +0100
Subject: [PATCH] Password expiry with Privsep and PAM
In-Reply-To: <3DF5E344.E1CAE31D@zip.com.au>; from dtucker@zip.com.au on Tue, Dec 10, 2002 at 11:51:16PM +1100
References: <3DF5E344.E1CAE31D@zip.com.au>
Message-ID: <20021210160142.A6523@ii.uib.no>

On Tue, Dec 10, 2002 at 11:51:16PM +1100, Darren Tucker wrote:
> Attached is a patch that implements password expiry with PAM and
> privsep. It works by passing a descriptor to the tty to the monitor,
> which sets up a child with that tty as stdin/stdout/stderr, then runs
> chauthtok(). No setuid helpers.
>
> I used some parts of Michael Steffens' patch (bugid #423) to make it
> work on HP-UX.
>
> It's still rough but it works. Tested on Solaris 8 and HPUX 11 (trusted
> configuration).
>
> Comments?

Haven't tested this version, but a pretty recent one (openssh-3.5p1-passexpire8), and one thing that prevents me from using it is that it doesn't honor the password rules defined in /etc/security/user, i.e. minalpha, minother, minlen, mindiff, etc.

With your patch the users can choose zero length passwords. Not good.

Unfortunately I haven't found any AIX library calls that help here, so I think OpenSSH will have to implement these rules, or use the system's /bin/passwd which should do the right thing. BTW: why isn't the patch using /bin/passwd?

-jf

From levitte at stacken.kth.se Wed Dec 11 02:27:35 2002
From: levitte at stacken.kth.se (Richard Levitte - VMS Whacker)
Date: Tue, 10 Dec 2002 16:27:35 +0100 (CET)
Subject: Building openssh-3.5p1 with new DES functions
In-Reply-To: <20021210133035.GC31780@folly>
References: <20021210110227.GA10920@folly> <20021210.133803.41634433.levitte@stacken.kth.se> <20021210133035.GC31780@folly>
Message-ID: <20021210.162735.82356933.levitte@stacken.kth.se>

In message <20021210133035.GC31780 at folly> on Tue, 10 Dec 2002 14:30:35 +0100, Markus Friedl said:

markus> yes, i think that des_old should use the same protecting macros as
markus> the old libdes/openssl, and the DES_ file something completely
markus> different.

I'll commit that change as soon as I can.

-- 
Richard Levitte   \ Spannvägen 38, II \ LeViMS at stacken.kth.se
Redakteur at Stacken \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                   \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- poei at bofh.se
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See for more info.

From jan.iven at cern.ch Wed Dec 11 04:05:44 2002
From: jan.iven at cern.ch (Jan Iven)
Date: 10 Dec 2002 18:05:44 +0100
Subject: [PATCH] Password expiry with Privsep and PAM
In-Reply-To:
References:
Message-ID:

>>>>> "MM" == Martin MOKREJŠ writes:

MM> Is this patch compatible with this patch from Jan Iven?
MM> http://msgs.securepoint.com/cgi-bin/get/openssh-unix-dev-0210/42.html
MM> Has that patch been fully integrated into cvs already? I guess PrivSep
MM> should already work if his patch is in place already... ;)

Most of that had already been implemented at the time I wrote that patch, I just added it twice while looking at the wrong spot :-o

And it has nothing to do with the password expiry, it was only dealing with Kerberos4/AFS vs PrivSep thingies.

Regards
Jan

From djast at cs.toronto.edu Wed Dec 11 04:22:45 2002
From: djast at cs.toronto.edu (Dan Astoorian)
Date: Tue, 10 Dec 2002 12:22:45 -0500
Subject: Problem with Openssh3.5
In-Reply-To: Your message of "Tue, 10 Dec 2002 08:53:31 EST." <03AD0B0B2573644A86F2C1F890691D8F013D37D7@TMS011MB.tcad.telia.se>
Message-ID: <02Dec10.122249edt.453147-22900@jane.cs.toronto.edu>

On Tue, 10 Dec 2002 08:53:31 EST, Daniel.D.Olsson at telia.se writes:
> Hello
>
> I have compiled Openssh3.5 on Solaris 2.6
>
> It works well on 2.6, 2.7 and solaris 8 but on solaris 8 it tries to log
> in the /var/adm/wtmp file and it does not exist.
>
> What can I do to fix this.

Configure openssh with "--disable-wtmp".

-- 
Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all. It's
djast at cs.toronto.edu        not, it's better to have loved and won. All
www.cs.toronto.edu/~djast/  the other options really suck. --Dan Redican

From mouring at etoh.eviladmin.org Wed Dec 11 04:11:01 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 10 Dec 2002 11:11:01 -0600 (CST)
Subject: [PATCH] Password expiry with Privsep and PAM
In-Reply-To: <20021210160142.A6523@ii.uib.no>
Message-ID:

On Tue, 10 Dec 2002, Jan-Frode Myklebust wrote:

[..]
> Haven't tested this version, but a pretty recent one
> (openssh-3.5p1-passexpire8), and one thing that prevents me from using
> it is that it doesn't honor the password rules defined in /etc/security/user.
> ie. minalpha, minother, minlen, mindiff, etc..
>
> With your patch the users can choose zero length passwords. Not good.
>
> Unfortunately I haven't found any AIX library calls that help here, so I
> think OpenSSH will have to implement these rules, or use the system's
> /bin/passwd which should do the right thing. BTW: why isn't the patch
> using /bin/passwd ?
>

/bin/passwd can be used for v1, but if one is to honor v2 specs password change must be done before the interactive shell is started, so it makes it harder to handle password change via /bin/passwd unless you can come up with a clean silver bullet that passes all information back to the user no matter how badly written/formatted the /bin/passwd is.

I know Darren wrote one to use /bin/passwd but after we both looked at it we pretty much decided it was not something we wanted to handle, but the more I think about this.. the more I'm starting to agree with Markus. No matter the additional risks of changing passwords after the tty for v1 and v2 has been opened it should be done that way. This is just getting way too complex to even manage in my head.

Then we just block non-interactive sessions with 'must change password' commentary (Public keys?!?).

- Ben

From gjewell at cnnxn.com Wed Dec 11 04:39:18 2002
From: gjewell at cnnxn.com (Greg Jewell)
Date: Tue, 10 Dec 2002 10:39:18 -0700
Subject: X forwarding on OpenServer
Message-ID: <741C3B0BAF7B1F4F8FCC50AC4766CBF0050097@phoenix.ossconnexn.com>

Hi All,

I've been having issues getting X forwarding to work on OpenServer for OpenSSH versions 3.4p1 and 3.5p1. I have compiled OpenSSH on Redhat Linux 8.0, Solaris 8, and OpenServer 5.0.6, but the OpenServer box is the only one that exhibits the problem. I've detailed everything below.

I am using PuTTY for my ssh client under Windows. If I connect to the Linux or Solaris boxes, X forwarding works as it should. When I connect to the OpenServer boxes, I receive the following error:

Xlib: connection to "localhost:10.0" refused by server
Xlib: Authentication failed at PuTTY X11 proxy
Error: Can't open display localhost:10.0

I checked PuTTY's website, and it states that this error means there is a problem on the server side.

If I attempt to connect to the OpenServer box from another UNIX (Linux, Solaris, or OpenServer) box, I get the following error when I attempt to launch an X application:

X11 connection rejected because of wrong authentication.
X connection to localhost:10.0 broken (explicit kill or server shutdown).

Please note that I am not using "su" at any point in time. I have seen several messages where similar problems occur when people use this.

Has anybody else encountered this?

Thanks,
Greg Jewell

From tim at multitalents.net Wed Dec 11 05:37:03 2002
From: tim at multitalents.net (Tim Rice)
Date: Tue, 10 Dec 2002 10:37:03 -0800 (PST)
Subject: X forwarding on OpenServer
In-Reply-To: <741C3B0BAF7B1F4F8FCC50AC4766CBF0050097@phoenix.ossconnexn.com>
Message-ID:

On Tue, 10 Dec 2002, Greg Jewell wrote:

> Hi All,
>
> I've been having issues getting X forwarding to work on OpenServer for
> OpenSSH versions 3.4p1 and 3.5p1. I have compiled OpenSSH on Redhat Linux
> 8.0, Solaris 8, and OpenServer 5.0.6, but the OpenServer box is the only
> one that exhibits the problem. I've detailed everything below.
>
> I am using PuTTY for my ssh client under Windows. If I connect to the
> Linux or Solaris boxes, X forwarding works as it should. When I connect
> to the OpenServer boxes, I receive the following error:
> Xlib: connection to "localhost:10.0" refused by server
> Xlib: Authentication failed at PuTTY X11 proxy
> Error: Can't open display localhost:10.0

For OpenServer you need to have
X11UseLocalhost no
in sshd_config.

>
> Has anybody else encountered this?
>
> Thanks,
> Greg Jewell
>
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

--
Tim Rice                Multitalents    (707) 887-1469
tim at multitalents.net

From mouring at etoh.eviladmin.org Wed Dec 11 05:24:20 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 10 Dec 2002 12:24:20 -0600 (CST)
Subject: X forwarding on OpenServer
In-Reply-To: <741C3B0BAF7B1F4F8FCC50AC4766CBF0050097@phoenix.ossconnexn.com>
Message-ID:

You may want to consider uncommenting this and setting it to 'no' in your
sshd_config.

#X11UseLocalhost yes

On Tue, 10 Dec 2002, Greg Jewell wrote:

> Hi All,
>
> I've been having issues getting X forwarding to work on OpenServer for
> OpenSSH versions 3.4p1 and 3.5p1. I have compiled OpenSSH on Redhat Linux
> 8.0, Solaris 8, and OpenServer 5.0.6, but the OpenServer box is the only
> one that exhibits the problem. I've detailed everything below.
>
> I am using PuTTY for my ssh client under Windows. If I connect to the
> Linux or Solaris boxes, X forwarding works as it should. When I connect
> to the OpenServer boxes, I receive the following error:
> Xlib: connection to "localhost:10.0" refused by server
> Xlib: Authentication failed at PuTTY X11 proxy
> Error: Can't open display localhost:10.0
>
> I checked PuTTY's website, and it states that this error means there is
> a problem on the server side.
>
> If I attempt to connect to the OpenServer box from another UNIX (Linux,
> Solaris, or OpenServer) box, I get the following error when I attempt to
> launch an X application:
> X11 connection rejected because of wrong authentication.
> X connection to localhost:10.0 broken (explicit kill or server shutdown).
> Please note that I am not using "su" at any point in time. I have seen
> several messages where similar problems occur when people use this.
>
> Has anybody else encountered this?
>
> Thanks,
> Greg Jewell
>
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From gjewell at cnnxn.com Wed Dec 11 05:44:57 2002
From: gjewell at cnnxn.com (Greg Jewell)
Date: Tue, 10 Dec 2002 11:44:57 -0700
Subject: X forwarding on OpenServer
Message-ID: <741C3B0BAF7B1F4F8FCC50AC4766CBF0037F56@phoenix.ossconnexn.com>

>-----Original Message-----
>From: Tim Rice [mailto:tim at multitalents.net]
>Sent: Tuesday, December 10, 2002 11:37 AM
>To: Greg Jewell
>Cc: openssh-unix-dev at mindrot.org
>Subject: Re: X forwarding on OpenServer
>
>
>On Tue, 10 Dec 2002, Greg Jewell wrote:
>
>> Hi All,
>>
>> I've been having issues getting X forwarding to work on
>OpenServer for OpenSSH versions 3.4p1 and 3.5p1. I have
>compiled OpenSSH on Redhat Linux 8.0, Solaris 8, and
>OpenServer 5.0.6, but the OpenServer box is the only one that
>exhibits the problem. I've detailed everything below.
>>
>> I am using PuTTY for my ssh client under Windows. If I
>connect to the Linux or Solaris boxes, X forwarding works as
>it should. When I connect to the OpenServer boxes, I
>receive the following error:
>> Xlib: connection to "localhost:10.0" refused by server
>> Xlib: Authentication failed at PuTTY X11 proxy
>> Error: Can't open display localhost:10.0
>
>For OpenServer you need to have X11UseLocalhost no in sshd_config.
>

Bingo. Thank you!

>>
>> Has anybody else encountered this?
>>
>> Thanks,
>> Greg Jewell
>>
>>
>> _______________________________________________
>> openssh-unix-dev at mindrot.org mailing list
>> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
>
>--
>Tim Rice                Multitalents    (707) 887-1469
>tim at multitalents.net
>
>
>

From dtucker at zip.com.au Wed Dec 11 06:29:38 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 11 Dec 2002 06:29:38 +1100
Subject: [PATCH] Password expiry with Privsep and PAM
References: <3DF5E344.E1CAE31D@zip.com.au> <20021210160142.A6523@ii.uib.no>
Message-ID: <3DF640A2.C270450A@zip.com.au>

Jan-Frode Myklebust wrote:
> Haven't tested this version, but a pretty recent one
> (openssh-3.5p1-passexpire8), and one thing that prevents me from using
> it is that it doesn't honor the password rules defined in /etc/security/user.
> ie. minalpha, minother, minlen, mindiff, etc..
>
> With your patch the users can choose zero length passwords. Not good.

I hadn't considered that. This patch, however, is entirely separate from
the patches you're referring to (this is now the third series!) and deals
only with do_pam_chauthtok() and privsep.

> Unfortunately I haven't found any AIX library calls that help here, so I
> think OpenSSH will have to implement these rules, or use the system's
> /bin/passwd which should do the right thing. BTW: why isn't the patch
> using /bin/passwd ?

For an overview of the whole mess, see:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=103658633821391&w=2

In my other recent message on the subject, I said "the only thing I'm
certain of is everybody wants something different". In this case, the
objection was that the PAM "sshd" and "passwd" services could be entirely
different.
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=103666384931272&w=2

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Wed Dec 11 06:50:36 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 11 Dec 2002 06:50:36 +1100
Subject: [PATCH] Password expiry with Privsep and PAM
References:
Message-ID: <3DF6458C.41915B51@zip.com.au>

Ben Lindstrom wrote:
> On Tue, 10 Dec 2002, Jan-Frode Myklebust wrote:
[snip]
> > Unfortunately I haven't found any AIX library calls that help here, so I
> > think OpenSSH will have to implement these rules, or use the system's
> > /bin/passwd which should do the right thing. BTW: why isn't the patch
> > using /bin/passwd ?
>
> /bin/passwd can be used for v1, but if one is to honor v2 specs password
> change must be done before the interactive shell is started so it makes it
> harder to handle password change via /bin/passwd unless you can come up
> with a clean silver bullet that passes all information back to the user no
> matter how badly written/formatted the /bin/passwd is.

As Ben said, using /bin/passwd in v2's (pre-session) PASSWD_CHANGEREQ
requires writing expect-like functionality that would be very hard to
get right across all platforms.

> I know Darren wrote one to use /bin/passwd but after we both looked at it
> we pretty much decided it was not something we wanted to handle, but the
> more I think about this.. the more I'm starting to agree with Markus. No
> matter the additional risks of changing passwords after the tty for v1 and
> v2 has been open it should be done that way. This is just getting way too
> complex to even manage in my head.

Ironically, this is more or less where I started a couple of months ago
on AIX.

I posted a multi-platform patch along these lines a couple of weeks ago:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=103780221504047&w=2
If you want me to rework it, let me know what needs changing (eg the
port forward restrictions).

Do we do away with do_pam_chauthtok too? It does almost the same thing
as /bin/passwd.

> Then we just block non-interactive sessions with 'must change password'
> commentary (Public keys?!?).

Good point. Can you justify forcing a password change if the password
isn't used in the login? Maybe just a warning?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Wed Dec 11 06:53:33 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 11 Dec 2002 06:53:33 +1100
Subject: Problems with the tty's in openssh + AIX
References:
Message-ID: <3DF6463D.40623140@zip.com.au>

Tobias Ulbricht wrote:
> I downloaded openssh-3.5p1 and compiled under AIX.
> Now,
> if I run that program, Sandor W. Sklar in bugzilla #124 suggested (see
> below),
> it works in linux, not in AIX 5.1.

Which 5.1 maintenance level? (Use "oslevel" to find out). I have a 5.1
(ML2 I think) test box I can try it on.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From stuge-openssh-unix-dev at cdy.org Wed Dec 11 07:19:01 2002
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Tue, 10 Dec 2002 21:19:01 +0100
Subject: [PATCH] Password expiry with Privsep and PAM
In-Reply-To: <3DF6458C.41915B51@zip.com.au>
References: <3DF6458C.41915B51@zip.com.au>
Message-ID: <20021210201900.GA6600@foo.birdnet.se>

On Wed, Dec 11, 2002 at 06:50:36AM +1100, Darren Tucker wrote:
> As Ben said, using /bin/passwd in v2's (pre-session) PASSWD_CHANGEREQ
> requires writing expect-like functionality that would be very hard to
> get right across all platforms.

Would it really? Remember that this project has a lot of good people coming
from different platforms. Also keep in mind that the PASSWD_CHANGEREQ
protocol is the single smallest denominator, severely limiting what needs to
be supported. I'm thinking all that can be expected is for sshd to handle
cases where passwd wants either the old or the new password, sshd doesn't
have any other information at that time and no real way to get any either,
unless the protocol is extended, right?

Two scenarios become possible:

1. openssh implements all necessary local password changing stuff - PITA
overhead but when done a lot lower "instance" overhead, the PASSWD_CHANGEREQ
becomes more lightweight. However, openssh might have to deal with vendor
quux's broken system yet another time.

2. openssh uses passwd because of law of least resistance, this is the
simplest path to go. When vendor xyzzy ends up having a passwd that
requires more capabilities than sshd has while in PASSWD_CHANGEREQ they can
either fix their passwd or try to convince us that we should switch to (1).

Set up an easy scheme to add support for platforms with (2) and I think it'd
happen pretty quickly.

//Peter

From stuge-openssh-unix-dev at cdy.org Wed Dec 11 07:20:09 2002
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Tue, 10 Dec 2002 21:20:09 +0100
Subject: Building without perl
In-Reply-To: <20021208201642.GA27732@foo.birdnet.se>
References: <20021207131207.GA6325@foo.birdnet.se> <20021208201642.GA27732@foo.birdnet.se>
Message-ID: <20021210202009.GB6600@foo.birdnet.se>

On Sun, Dec 08, 2002 at 09:16:42PM +0100, Peter Stuge wrote:
> On Sat, Dec 07, 2002 at 09:47:21AM -0600, Ben Lindstrom wrote:
> > Of course I'll reserve judgement until I see it work on every platform
> > without adding 3rd party software.
>
> Ok, here we go. Attached is an awk version of mdoc2man.pl. Please test it
> everywhere you can. Runs fine here, using GNU awk with or without --posix.

So, is it working or not? And how about that documentation format?

//Peter

From wknox at mitre.org Wed Dec 11 07:45:36 2002
From: wknox at mitre.org (William R. Knox)
Date: Tue, 10 Dec 2002 15:45:36 -0500 (EST)
Subject: [PATCH] Password expiry with Privsep and PAM
In-Reply-To: <3DF6458C.41915B51@zip.com.au>
Message-ID:

I can certainly see the use in forcing a password change no matter what the
access method - it becomes the only way to enforce password aging if people
use keys (password aging being a requirement for some security audits). If I
reset a password and require that it be changed, I don't want the person to
be able to log in without changing it.

Bill Knox
Senior Operating Systems Programmer/Analyst
The MITRE Corporation

On Wed, 11 Dec 2002, Darren Tucker wrote:

> Date: Wed, 11 Dec 2002 06:50:36 +1100
> From: Darren Tucker
> To: Ben Lindstrom
> Cc: Jan-Frode Myklebust ,
>     OpenSSH Devel List
> Subject: Re: [PATCH] Password expiry with Privsep and PAM
>
> Ben Lindstrom wrote:
> > On Tue, 10 Dec 2002, Jan-Frode Myklebust wrote:
> [snip]
> > > Unfortunately I haven't found any AIX library calls that help here, so I
> > > think OpenSSH will have to implement these rules, or use the system's
> > > /bin/passwd which should do the right thing. BTW: why isn't the patch
> > > using /bin/passwd ?
> >
> > /bin/passwd can be used for v1, but if one is to honor v2 specs password
> > change must be done before the interactive shell is started so it makes it
> > harder to handle password change via /bin/passwd unless you can come up
> > with a clean silver bullet that passes all information back to the user no
> > matter how badly written/formatted the /bin/passwd is.
>
> As Ben said, using /bin/passwd in v2's (pre-session) PASSWD_CHANGEREQ
> requires writing expect-like functionality that would be very hard to
> get right across all platforms.
>
> > I know Darren wrote one to use /bin/passwd but after we both looked at it
> > we pretty much decided it was not something we wanted to handle, but the
> > more I think about this.. the more I'm starting to agree with Markus. No
> > matter the additional risks of changing passwords after the tty for v1 and
> > v2 has been open it should be done that way. This is just getting way too
> > complex to even manage in my head.
>
> Ironically, this is more or less where I started a couple of months ago
> on AIX.
>
> I posted a multi-platform patch along these lines a couple of weeks ago:
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=103780221504047&w=2
> If you want me to rework it, let me know what needs changing (eg the
> port forward restrictions).
>
> Do we do away with do_pam_chauthtok too? It does almost the same thing
> as /bin/passwd.
>
> > Then we just block non-interactive sessions with 'must change password'
> > commentary (Public keys?!?).
>
> Good point. Can you justify forcing a password change if the password
> isn't used in the login? Maybe just a warning?
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From Jeff.Koenig at experian.com Wed Dec 11 08:41:34 2002
From: Jeff.Koenig at experian.com (Jeff Koenig)
Date: Tue, 10 Dec 2002 15:41:34 -0600
Subject: OpenSSH 3.5p1 and BSM for Solaris
Message-ID:

Can someone help me get BSM working with Solaris 8 and OpenSSH 3.5p1? I saw
the patch here for OpenSSH 3.4p1, but do not know how to apply it to OpenSSH
3.4p1 nor do I feel comfortable modifying it to work with OpenSSH 3.5p1:

openssh-unix-dev at mindrot.org

Is this patch needed to fix the BSM crontab issue only, or is it required
for BSM auditing in general?

Jeff

From dtucker at zip.com.au Wed Dec 11 10:24:34 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 11 Dec 2002 10:24:34 +1100
Subject: [PATCH] Password expiry with Privsep and PAM
References: <3DF6458C.41915B51@zip.com.au> <20021210201900.GA6600@foo.birdnet.se>
Message-ID: <3DF677B2.6C94B3F7@zip.com.au>

Peter Stuge wrote:
> On Wed, Dec 11, 2002 at 06:50:36AM +1100, Darren Tucker wrote:
> > As Ben said, using /bin/passwd in v2's (pre-session) PASSWD_CHANGEREQ
> > requires writing expect-like functionality that would be very hard to
> > get right across all platforms.
>
> Would it really?

In my opinion, yes. Feel free to prove me wrong. You might want to
start with my crude implementation of it:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=103598314323495&w=2

> Remember that this project has a lot of good people coming
> from different platforms. Also keep in mind that the PASSWD_CHANGEREQ
> protocol is the single smallest denominator, severely limiting what needs to
> be supported. I'm thinking all that can be expected is for sshd to handle
> cases where passwd wants either the old or the new password, sshd doesn't
> have any other information at that time and no real way to get any either,
> unless the protocol is extended, right?

I think you're underestimating the amount of weirdness out there hiding
in /bin/passwd. Consider this example from HP-UX in a trusted
configuration:

trustedhpux# passwd testuser
Changing password for testuser
Last successful password change for testuser: NEVER
Last unsuccessful password change for testuser: Tue Dec 10 23:06:13 2002

Do you want (choose one letter only):
        pronounceable passwords generated for you (g)
        a string of letters generated (l) ?
        to pick your passwords (p) ?

Enter choice here: p
New password:
Password too short - must be at least 6 characters
New password:
Password must contain at least two alphabetic characters and
at least one numeric or special character.
New password:
Re-enter new password:
Passwd successfully changed

> Two scenarios become possible:
>
> 1. openssh implements all necessary local password changing stuff - PITA
> overhead but when done a lot lower "instance" overhead, the PASSWD_CHANGEREQ
> becomes more lightweight. However, openssh might have to deal with vendor
> quux's broken system yet another time.
>
> 2. openssh uses passwd because of law of least resistance, this is the
> simplest path to go. When vendor xyzzy ends up having a passwd that
> requires more capabilities than sshd has while in PASSWD_CHANGEREQ they can
> either fix their passwd or try to convince us that we should switch to (1).

Having had a go at implementing both, I think (2) will end up bigger,
uglier and flakier than the sum of (1).

> Set up an easy scheme to add support for platforms with (2) and I think it'd
> happen pretty quickly.

What you're talking about is implementing a subset of "expect". For
comparison the oldest, smallest expect I could find is still a couple of
hundred KB compressed.

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From up5a at stud.uni-karlsruhe.de Wed Dec 11 11:06:23 2002
From: up5a at stud.uni-karlsruhe.de (Tobias Ulbricht)
Date: Wed, 11 Dec 2002 01:06:23 +0100 (CET)
Subject: Problems with the tty's in openssh + AIX
In-Reply-To: <3DF6463D.40623140@zip.com.au>
Message-ID:

Hi, thanks for the reply.

$ oslevel
5.1.0.0

With the said test program I get "hangs" for
* self-compiled openssh-3.5p1
* and some pre-installed openssh-3.0.2p1 (might be from your site)

I didn't check your last patches yet, but except the "dlen=8096" patch for
3.4p1 they don't really seem to be related, or?

Cheers, tobias.

> Tobias Ulbricht wrote:
> > I downloaded openssh-3.5p1 and compiled under AIX.
> > Now,
> > if I run that program, Sandor W. Sklar in bugzilla #124 suggested (see
> > below),
> > it works in linux, not in AIX 5.1.
>
> Which 5.1 maintenance level? (Use "oslevel" to find out). I have a 5.1
> (ML2 I think) test box I can try it on.
>

From stuge-openssh-unix-dev at cdy.org Wed Dec 11 15:13:59 2002
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Wed, 11 Dec 2002 05:13:59 +0100
Subject: [PATCH] Password expiry with Privsep and PAM
In-Reply-To: <3DF677B2.6C94B3F7@zip.com.au>
References: <3DF6458C.41915B51@zip.com.au> <20021210201900.GA6600@foo.birdnet.se> <3DF677B2.6C94B3F7@zip.com.au>
Message-ID: <20021211041359.GA4131@foo.birdnet.se>

On Wed, Dec 11, 2002 at 10:24:34AM +1100, Darren Tucker wrote:
> > > As Ben said, using /bin/passwd in v2's (pre-session) PASSWD_CHANGEREQ
> > > requires writing expect-like functionality that would be very hard to
> > > get right across all platforms.
> >
> > Would it really?
>
> In my opinion, yes. Feel free to prove me wrong. You might want to
> start with my crude implementation of it:

I'll try to hack something up. Can I use regexec()? *grepping*.. No regex
mentioned. Just sscanf() or maybe even strcmp() then. :)

> > from different platforms. Also keep in mind that the PASSWD_CHANGEREQ
> > protocol is the single smallest denominator, severely limiting what needs
> > to be supported. I'm thinking all that can be expected is for sshd to
> > handle cases where passwd wants either the old or the new password, sshd
> > doesn't have any other information at that time and no real way to get
> > any either, unless the protocol is extended, right?
>
> I think you're underestimating the amount of weirdness out there hiding
> in /bin/passwd. Consider this example from HP-UX in a trusted
> configuration:
>
> trustedhpux# passwd testuser
> Changing password for testuser
> Last successful password change for testuser: NEVER
> Last unsuccessful password change for testuser: Tue Dec 10 23:06:13 2002
>
> Do you want (choose one letter only):
>         pronounceable passwords generated for you (g)
>         a string of letters generated (l) ?
>         to pick your passwords (p) ?
>
> Enter choice here: p
> New password:
> Password too short - must be at least 6 characters
> New password:
> Password must contain at least two alphabetic characters and
> at least one numeric or special character.
> New password:
> Re-enter new password:
> Passwd successfully changed

Well, yes, of course an expect like system is required. But the passwd chat
is very simple, either the password change succeeds or fails. And more
importantly the only unknown data ever to be sent to passwd is the old and
the new password, both received from the client.

This system could optionally be combined with uname information to make sure
similar systems never get mixed up, on the other hand without uname it might
magically work for new vendor xyzzy too if they're using the same labels as
someone else.

Handling the trusted HP-UX example above would go like this:

expect "to pick your passwords (p) ?"
send ""
expect "Enter choice here:"
send "p\n"
expect "New password:"
send new_password "\n"
expect "Re-enter new password:"
send new_password "\n"
expect "Passwd successfully changed"

And if anything fails along the way, tough luck, the SSH protocol has no way
to propagate messages such as "Password must contain..." back to the client.
sshd just sends back SSH_MSG_USERAUTH_CHANGEREQ* and starts over waiting for
another SSH_MSG_USERAUTH_REQUEST from the client.

I'm even tempted to use a fixed 256 char buffer for the expect function. :)

Note that the old password always needs to be verified first, before trying
to change it, if that fails a special error message is returned to the
client. But since this is done in other places I'm sure it'll be easy to add
within or outside the passwd chat system.

* This might be a typo in the draft, I guess it should be _USERAUTH_PASSWD_.

> > 1. openssh implements all necessary local password changing stuff
> > 2. openssh uses passwd because of law of least resistance, this is the
>
> Having had a go at implementing both, I think (2) will end up bigger,
> uglier and flakier than the sum of (1).

I will try to prove you wrong. :)

> > Set up an easy scheme to add support for platforms with (2) and I think
> > it'd happen pretty quickly.
>
> What you're talking about is implementing a subset of "expect". For
> comparison the oldest, smallest expect I could find is still a couple of
> hundred KB compressed.

Since we already have a powerful control language (C) I doubt the necessary
code would end up being more than a few KB even uncompressed.. Your very
expect_fd() only needs some buffering stuff to allocate memory until match
found or end of buffer.. Also we'll benefit from the fact that (sorry for
repeating myself) the user running the client isn't expected (mind the pun)
to see any of the conversation, much less interact.

I'll whip something up.

//Peter

From dtucker at zip.com.au Wed Dec 11 16:00:53 2002
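The expect/send chat Peter Stuge sketches above, written out in C as an added example; this is not code from the thread, from his later patch, or from OpenSSH. It keeps his fixed 256-byte window and uses plain strstr() matching, but adds the piece his sketch leaves implicit: a per-step "reject" pattern, so a "Password too short" or "Password must contain" line from passwd is recognised as a refusal and its text is retained for reporting to the client, instead of the chat scanning past it to a later prompt and reporting success. The two transcripts (HPUX_OK, HPUX_REJECT), the new passwords, and the function names (chat_expect, chat_send, run_chat, chat_on_transcript) are constructed for the demo; the transcripts are modelled on the trusted HP-UX session Darren quoted, and are fed through a pipe rather than a pty driving a real passwd.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum { CHAT_ERROR = -1, CHAT_EOF = 0, CHAT_MATCH = 1, CHAT_REJECT = 2 };
#define CHAT_BUF 256            /* fixed window over passwd's output */

struct chat {
    int in_fd, out_fd;          /* passwd's output arrives on in_fd, replies go to out_fd */
    char buf[CHAT_BUF];
    size_t used;
};

struct chat_step {
    const char *expect;         /* output we must see before replying */
    const char *reject;         /* optional: output that means passwd refused */
    const char *send;           /* literal reply; "" sends nothing; NULL sends the new password */
};

static void chat_consume(struct chat *c, size_t n)      /* drop the first n bytes of the window */
{
    memmove(c->buf, c->buf + n, c->used - n);
    c->used -= n;
    c->buf[c->used] = '\0';
}

/* Read until `ok` or `reject` appears. A match consumes through the end of the pattern;
 * a rejection leaves the window positioned at the rejection text for reporting. */
static int chat_expect(struct chat *c, const char *ok, const char *reject)
{
    size_t oklen = strlen(ok), rejlen = reject ? strlen(reject) : 0;
    size_t maxlen = oklen > rejlen ? oklen : rejlen;
    if (maxlen == 0 || maxlen >= sizeof(c->buf) - 1) return CHAT_ERROR;
    for (;;) {
        char *hit_ok = strstr(c->buf, ok);
        char *hit_rej = reject ? strstr(c->buf, reject) : NULL;
        ssize_t n;
        if (hit_rej != NULL && (hit_ok == NULL || hit_rej < hit_ok)) {
            chat_consume(c, (size_t)(hit_rej - c->buf));
            while (c->used > 0 && (c->buf[0] == '\n' || c->buf[0] == '\r'))
                chat_consume(c, 1);
            return CHAT_REJECT;
        }
        if (hit_ok != NULL) { chat_consume(c, (size_t)(hit_ok - c->buf) + oklen); return CHAT_MATCH; }
        if (c->used + 1 >= sizeof(c->buf))      /* window full, no match: keep a tail so a */
            chat_consume(c, c->used - (maxlen - 1));   /* pattern split across reads still matches */
        n = read(c->in_fd, c->buf + c->used, sizeof(c->buf) - c->used - 1);
        if (n < 0) { if (errno == EINTR) continue; return CHAT_ERROR; }
        if (n == 0) return CHAT_EOF;
        for (ssize_t i = 0; i < n; i++)         /* an embedded NUL would stop strstr() early */
            if (c->buf[c->used + (size_t)i] == '\0') c->buf[c->used + (size_t)i] = ' ';
        c->used += (size_t)n;
        c->buf[c->used] = '\0';
    }
}

static int chat_send(struct chat *c, const char *s)
{
    size_t len = strlen(s), off = 0;
    while (off < len) {
        ssize_t n = write(c->out_fd, s + off, len - off);
        if (n < 0) { if (errno == EINTR) continue; return CHAT_ERROR; }
        off += (size_t)n;
    }
    return 0;
}

static int run_chat(struct chat *c, const struct chat_step *steps, size_t nsteps, const char *newpw)
{
    for (size_t i = 0; i < nsteps; i++) {
        int r = chat_expect(c, steps[i].expect, steps[i].reject);
        if (r != CHAT_MATCH) return r;          /* CHAT_REJECT, CHAT_EOF or CHAT_ERROR */
        if (steps[i].send == NULL) {
            if (chat_send(c, newpw) < 0 || chat_send(c, "\n") < 0) return CHAT_ERROR;
        } else if (chat_send(c, steps[i].send) < 0) return CHAT_ERROR;
    }
    return CHAT_MATCH;
}

/* Peter's chat for trusted HP-UX; a line beginning "Password " after we typed the new one is a refusal. */
static const struct chat_step hpux_trusted[] = {
    { "to pick your passwords (p) ?", NULL,          "" },
    { "Enter choice here:",           NULL,          "p\n" },
    { "New password:",                NULL,          NULL },
    { "Re-enter new password:",       "\nPassword ", NULL },
    { "Passwd successfully changed",  NULL,          "" },
};
#define HPUX_NSTEPS (sizeof(hpux_trusted) / sizeof(hpux_trusted[0]))

/* Constructed transcripts (not real captures), shaped like the quoted HP-UX session. */
#define HPUX_HEAD "Changing password for testuser\n" \
    "Last successful password change for testuser: NEVER\n" \
    "Last unsuccessful password change for testuser: Tue Dec 10 23:06:13 2002\n" \
    "\nDo you want (choose one letter only):\n" \
    "        pronounceable passwords generated for you (g)\n" \
    "        a string of letters generated (l) ?\n" \
    "        to pick your passwords (p) ?\n" \
    "\nEnter choice here: New password: \n"
static const char HPUX_OK[] = HPUX_HEAD "Re-enter new password: \nPasswd successfully changed\n";
static const char HPUX_REJECT[] = HPUX_HEAD "Password too short - must be at least 6 characters\n";

static char last_msg[CHAT_BUF], last_sent[64];

/* Feed a pre-recorded transcript through a pipe (real use would drive passwd on a pty).
 * Leaves what we typed in last_sent and any rejection text in last_msg. */
static int chat_on_transcript(const char *transcript, const char *newpw)
{
    int in[2], out[2], r;
    struct chat c;
    ssize_t n;
    size_t off = 0;
    if (pipe(in) < 0 || pipe(out) < 0) return CHAT_ERROR;
    if (write(in[1], transcript, strlen(transcript)) < 0) return CHAT_ERROR;  /* fits the pipe buffer */
    close(in[1]);
    memset(&c, 0, sizeof c);
    c.in_fd = in[0]; c.out_fd = out[1];
    r = run_chat(&c, hpux_trusted, HPUX_NSTEPS, newpw);
    close(out[1]);
    while (off + 1 < sizeof last_sent && (n = read(out[0], last_sent + off, sizeof last_sent - off - 1)) > 0)
        off += (size_t)n;
    last_sent[off] = '\0';
    snprintf(last_msg, sizeof last_msg, "%s", c.buf);
    close(in[0]); close(out[0]);
    return r;
}

int main(void)
{
    int r = chat_on_transcript(HPUX_OK, "s3cret-9x");
    printf("accepting passwd: result %d, we typed:\n%s", r, last_sent);
    r = chat_on_transcript(HPUX_REJECT, "short");
    printf("rejecting passwd: result %d, text to return to the client: %s", r, last_msg);
    return 0;
}
```

The reject pattern is what keeps the chat honest: without it, the third step's "New password:" match followed by a scan for "Re-enter new password:" would skip straight over the rejection lines in Darren's transcript and report a change that never happened. On CHAT_REJECT the window holds the rejection line, which is the text a server would want to hand back to the client rather than a bare failure.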
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 11 Dec 2002 16:00:53 +1100
Subject: [PATCH] Password expiry with Privsep and PAM
References: <3DF6458C.41915B51@zip.com.au> <20021210201900.GA6600@foo.birdnet.se> <3DF677B2.6C94B3F7@zip.com.au> <20021211041359.GA4131@foo.birdnet.se>
Message-ID: <3DF6C685.9D5B2E55@zip.com.au>

Peter Stuge wrote:
[snip]
> And if anything fails along the way, tough luck, the SSH protocol has no way
> to propagate messages such as "Password must contain..." back to the client.

Sure it does. The "prompt" string.

      byte      SSH_MSG_USERAUTH_PASSWD_CHANGEREQ
      string    prompt (ISO-10646 UTF-8)
      string    language tag (as defined in [RFC1766])

[snip]
> > Having had a go at implementing both, I think (2) will end up bigger,
> > uglier and flakier than the sum of (1).
>
> I will try to prove you wrong. :)

I'll count the expect string library toward the size :-)

Have fun and good luck.

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Wed Dec 11 16:28:26 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 11 Dec 2002 16:28:26 +1100
Subject: Problems with the tty's in openssh + AIX
References:
Message-ID: <3DF6CCFA.A97ECD6A@zip.com.au>

Tobias Ulbricht wrote:
> $ oslevel
> 5.1.0.0

Sorry that should be "oslevel -r".

I can reproduce the problem on AIX 5.1 ML2 with openssh-3.5p1. I'm
downloading ML3 to try.

It looks like the problem identified by Sandor Sklar in bug #124: a zero
length write to the tty results in a zero-length read from it. I believe
this is a bug in AIX.

The attached patch works around it for me but I don't think this is a
correct fix.

From michael_steffens at hp.com Wed Dec 11 17:27:41 2002
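The SSH_MSG_USERAUTH_PASSWD_CHANGEREQ layout quoted in Darren Tucker's reply above, encoded and decoded in C as an added example; this is not code from the thread or from OpenSSH. It shows how a passwd rejection message travels in the "prompt" field, and on the receiving side it checks every length prefix against what is actually left in the packet, so a short or oversized field is refused rather than read past. The message number 60 is the value assigned to this message in the SSH userauth specification; the prompt text, the "en" language tag and the helper names (put_string, get_string, build_changereq, parse_changereq, the demo_* wrappers) are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSH_MSG_USERAUTH_PASSWD_CHANGEREQ 60   /* message number from the SSH userauth spec */

/* Append an SSH "string": uint32 big-endian length, then the bytes. */
static int put_string(unsigned char *out, size_t cap, size_t *off, const char *s)
{
    size_t len = strlen(s);
    if (len > UINT32_MAX || cap - *off < 4 + len) return -1;
    out[*off] = (unsigned char)(len >> 24); out[*off + 1] = (unsigned char)(len >> 16);
    out[*off + 2] = (unsigned char)(len >> 8); out[*off + 3] = (unsigned char)len;
    memcpy(out + *off + 4, s, len);
    *off += 4 + len;
    return 0;
}

/* Read an SSH "string" into a NUL-terminated buffer. The declared length is checked
 * against the bytes remaining in the packet and against the destination size. */
static int get_string(const unsigned char *in, size_t len, size_t *off, char *dst, size_t cap)
{
    uint32_t n;
    if (len - *off < 4) return -1;
    n = ((uint32_t)in[*off] << 24) | ((uint32_t)in[*off + 1] << 16) |
        ((uint32_t)in[*off + 2] << 8) | (uint32_t)in[*off + 3];
    *off += 4;
    if (n > len - *off || n >= cap) return -1;
    memcpy(dst, in + *off, n);
    dst[n] = '\0';
    *off += n;
    return 0;
}

/* byte type, string prompt, string language tag: the layout quoted above. */
static int build_changereq(unsigned char *out, size_t cap, size_t *outlen,
                           const char *prompt, const char *lang)
{
    size_t off = 1;
    if (cap < 1) return -1;
    out[0] = SSH_MSG_USERAUTH_PASSWD_CHANGEREQ;
    if (put_string(out, cap, &off, prompt) < 0 || put_string(out, cap, &off, lang) < 0) return -1;
    *outlen = off;
    return 0;
}

static int parse_changereq(const unsigned char *in, size_t len,
                           char *prompt, size_t pcap, char *lang, size_t lcap)
{
    size_t off = 1;
    if (len < 1 || in[0] != SSH_MSG_USERAUTH_PASSWD_CHANGEREQ) return -1;
    if (get_string(in, len, &off, prompt, pcap) < 0) return -1;
    if (get_string(in, len, &off, lang, lcap) < 0) return -1;
    return off == len ? 0 : -1;                 /* trailing bytes mean a malformed packet */
}

/* Demo state: the prompt carries the rejection text passwd printed in the HP-UX session above. */
static const char kPrompt[] = "Password too short - must be at least 6 characters";
static const char kLang[] = "en";
static unsigned char g_pkt[128];
static size_t g_pktlen;

static int demo_build(void)
{
    return build_changereq(g_pkt, sizeof g_pkt, &g_pktlen, kPrompt, kLang);
}

/* 1 if the packet decodes back to the fields it was built from. */
static int demo_parse_ok(void)
{
    char prompt[128], lang[16];
    if (demo_build() < 0) return 0;
    if (parse_changereq(g_pkt, g_pktlen, prompt, sizeof prompt, lang, sizeof lang) < 0) return 0;
    return strcmp(prompt, kPrompt) == 0 && strcmp(lang, kLang) == 0;
}

/* Parse result for the same packet cut short by one byte: -1, with no read past the end. */
static int demo_parse_truncated(void)
{
    char prompt[128], lang[16];
    if (demo_build() < 0) return 0;
    return parse_changereq(g_pkt, g_pktlen - 1, prompt, sizeof prompt, lang, sizeof lang);
}

int main(void)
{
    if (demo_build() < 0) return 1;
    printf("%zu-byte packet, first bytes:", g_pktlen);
    for (size_t i = 0; i < 8 && i < g_pktlen; i++) printf(" %02x", g_pkt[i]);
    printf("\nround trip ok: %d, truncated packet rejected: %d\n",
           demo_parse_ok(), demo_parse_truncated() == -1);
    return 0;
}
```

The check `n > len - *off` in get_string is the one that matters on the server and client alike: a length prefix is attacker-controlled data, and decoding must be bounded by the packet that actually arrived, not by the length the peer claims.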
From: michael_steffens at hp.com (Michael Steffens)
Date: Wed, 11 Dec 2002 07:27:41 +0100
Subject: [PATCH] Password expiry with Privsep and PAM
References: <3DF5E344.E1CAE31D@zip.com.au>
Message-ID: <3DF6DADD.9080604@hp.com>

Darren Tucker wrote:
> I used some parts of Michael Steffens' patch (bugid #423) to make it
> work on HP-UX.

Actually these parts are by Dan Wanek. He had posted them for 3.4p1 on this
list some time ago. I just incorporated them in my patches submitted to
bugzilla.

Michael

From azt at bom.gov.au Wed Dec 11 19:04:27 2002
From: azt at bom.gov.au (Aurelio Turco)
Date: Wed, 11 Dec 2002 08:04:27 +0000
Subject: Untrusted Cookies
Message-ID: <3DF6F18B.F38C1C3@bom.gov.au>

How can I get ssh to use "untrusted" cookies (see xauth(1),
X11-SECURITY-Extension) with forwarded X clients?

Cheers.
Aurelio.

From stuge-openssh-unix-dev at cdy.org Wed Dec 11 19:45:33 2002
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Wed, 11 Dec 2002 09:45:33 +0100
Subject: [PATCH] Password expiry with Privsep and PAM
In-Reply-To: <3DF6C685.9D5B2E55@zip.com.au>
References: <3DF6458C.41915B51@zip.com.au> <20021210201900.GA6600@foo.birdnet.se> <3DF677B2.6C94B3F7@zip.com.au> <20021211041359.GA4131@foo.birdnet.se> <3DF6C685.9D5B2E55@zip.com.au>
Message-ID: <20021211084533.GB4131@foo.birdnet.se>

On Wed, Dec 11, 2002 at 04:00:53PM +1100, Darren Tucker wrote:
> > And if anything fails along the way, tough luck, the SSH protocol has no
> > way to propagate messages such as "Password must contain..." back to the
> > client.
>
> Sure it does. The "prompt" string.

Doh, missed that one even while it was right under my nose. Well, either
just send back whatever unexpected data that aborted the chat, or if it
turns out necessary have a subchat, or a mark for where the suitable return
message starts.

> > I will try to prove you wrong. :)
>
> I'll count the expect string library toward the size :-)

Ok, but I still believe it won't go near 10 KB, especially with some sort of
compression.

> Have fun and good luck.

Thanks!

//Peter

From dtucker at zip.com.au Wed Dec 11 21:44:09 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 11 Dec 2002 21:44:09 +1100
Subject: [PATCH] Password expiry with Privsep and PAM
References: <3DF6458C.41915B51@zip.com.au> <20021210201900.GA6600@foo.birdnet.se> <3DF677B2.6C94B3F7@zip.com.au> <20021211041359.GA4131@foo.birdnet.se> <3DF6C685.9D5B2E55@zip.com.au> <20021211084533.GB4131@foo.birdnet.se>
Message-ID: <3DF716F9.99C574F@zip.com.au>

Peter Stuge wrote:
> > I'll count the expect string library toward the size :-)
>
> Ok, but I still believe it won't go near 10 KB, especially with some sort of
> compression.

I got criticism when the platform-specific part of my patch got to about
150 lines, I'm not sure what kind of reaction you're going to get embedding
a tiny expect-like interpreter into sshd.

You may be better off using keyboard-interactive (but that has its own set
of problems: you basically need to have a callback from privsep master to
slave).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From bugzilla-daemon at mindrot.org Thu Dec 12 09:49:39 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 12 Dec 2002 09:49:39 +1100 (EST)
Subject: [Bug 454] SSH doesn't consider distinguish ports for host-key verification
Message-ID: <20021211224939.4FF9564567@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=454

------- Additional Comments From foomzilla at fuhm.net 2002-12-12 09:49 -------
Sounds like a good solution, except that I'd use the host:port format
instead of host at port, because host:port is more universally
recognized/used, unless there is some reason that host:port cannot be used
for some reason.

I'd prefer that the option default to on (since otherwise I need to
instruct everyone connecting to set it on), but I can understand in the
name of backward compatibility if you decide to default it to off.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From Jeff.Koenig at experian.com Thu Dec 12 10:04:33 2002
From: Jeff.Koenig at experian.com (Jeff Koenig)
Date: Wed, 11 Dec 2002 17:04:33 -0600
Subject: OpenSSH 3.5p1 and BSM for Solaris
Message-ID:

I meant to add this link:

http://bugzilla.mindrot.org/show_bug.cgi?id=125

Can anyone tell me how to apply this patch? Also, has it been modified, or
does it work with OpenSSH 3.5p1? Can someone help me get BSM working with
Solaris8 and OpenSSH 3.5p1?

Jeff

>>> "Jeff Koenig" 12/10/02 03:41PM >>>
Can someone help me get BSM working with Solaris 8 and OpenSSH 3.5p1? I saw
the patch here for OpenSSH 3.4p1, but do not know how to apply it to OpenSSH
3.4p1 nor do I feel comfortable modifying it to work with OpenSSH 3.5p1:

openssh-unix-dev at mindrot.org

Is this patch needed to fix the BSM crontab issue only, or is it required
for BSM auditing in general?

Jeff

_______________________________________________
openssh-unix-dev at mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From jacob.schroeder at latitude.com Thu Dec 12 10:15:16 2002
From: jacob.schroeder at latitude.com (Jacob Schroeder)
Date: Wed, 11 Dec 2002 15:15:16 -0800
Subject: OpenSSH-3.5p1: sshd fails at run-time
Message-ID: <54546A7A37A84F4C8E2A11B6C5552961DDBF03@scproexc01.latitude.com>

Here's what I get:

bash-2.02# sshd -ddd -p 1234
debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper
debug1: sshd version OpenSSH_3.5p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 1234 on 0.0.0.0.
Server listening on 0.0.0.0 port 1234.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 172.20.1.13 port 1181
debug1: Client protocol version 2.0; client software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.5p1
mkstemp("/var/run/sshd.mm.XXXXXXXX"): File or directory doesn't exist
debug1: Calling cleanup 0x1a78c(0x0)
bash-2.02#

I have a few questions. First off, what is it that causes the following line, and is it serious?

debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.

Also, what is this one about (where it ultimately fails):

mkstemp("/var/run/sshd.mm.XXXXXXXX"): File or directory doesn't exist

I know that I don't have a /var/run directory on LynxOS, so what can I do to fix this?

Just so you know, I am using OpenSSH-3.5p1, with OpenSSL-0.9.6h. My OS is LynxOS 3.1.0a. Thanks in advance, I have already learned a lot about SSH from just lurking on the archives of this list for some time.

Jacob

From d_wllms at lanl.gov Thu Dec 12 10:34:23 2002
From: d_wllms at lanl.gov (David M. Williams)
Date: Wed, 11 Dec 2002 16:34:23 -0700
Subject: Building without perl
In-Reply-To: <3DEF24BC.1020805@mindrot.org>
References: <3DDD157B.7050705@unknown.nu> <3DEC9ED3.8030509@mindrot.org> <20021205091656.GA9983@foo.birdnet.se> <3DEF1D5D.5010701@mindrot.org> <3DEF24BC.1020805@mindrot.org>
Message-ID: <3DF7CB7F.7050402@lanl.gov>

Sorry to reply so late, but it breaks on vanilla Mac OS X. Details:

sed: illegal option -- D
usage: sed script [-an] [file ...]
       sed [-an] [-e script] ... [-f script_file] ... [file ...]

It looks like the -D in the sed line is being read as an option. It works with newer versions of sed, i.e. fink installed, just not with the installed version. I've tried requoting the expression to no avail.

Dave

Damien Miller wrote:
> Damien Miller wrote:
>
>>> here's a patch attached,
>>
>> Thanks - I'll try it out.
>
> Committed - it would be good if people test this with various grep and
> sed implementations.
>
> -d
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

--
David M. Williams, CISSP          Phone: 505-665-8062
Systems Engineer, CCN-2           Fax:   505-667-7428
Los Alamos National Laboratory    Email: d_wllms at lanl.gov

From d_wllms at lanl.gov Thu Dec 12 10:50:55 2002
From: d_wllms at lanl.gov (David M. Williams)
Date: Wed, 11 Dec 2002 16:50:55 -0700
Subject: OpenSSH-3.5p1: sshd fails at run-time
In-Reply-To: <54546A7A37A84F4C8E2A11B6C5552961DDBF03@scproexc01.latitude.com>
References: <54546A7A37A84F4C8E2A11B6C5552961DDBF03@scproexc01.latitude.com>
Message-ID: <3DF7CF5F.2010504@lanl.gov>

Jacob,
It looks like you didn't build this version of OpenSSH locally. Did you get it as a tarball? If so, you are missing a few directories like /var/run and I would expect /var/empty. Create the two directories, /var/empty should be 0600, and try to start sshd again.

Dave

Jacob Schroeder wrote:
> Here's what I get:
>
> bash-2.02# sshd -ddd -p 1234
> debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper
> debug1: sshd version OpenSSH_3.5p1
> debug1: private host key: #0 type 0 RSA1
> debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
> debug1: read PEM private key done: type RSA
> debug1: private host key: #1 type 1 RSA
> debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
> debug1: read PEM private key done: type DSA
> debug1: private host key: #2 type 2 DSA
> debug1: Bind to port 1234 on 0.0.0.0.
> Server listening on 0.0.0.0 port 1234.
> Generating 768 bit RSA key.
> RSA key generation complete.
> debug1: Server will not fork when running in debugging mode.
> Connection from 172.20.1.13 port 1181
> debug1: Client protocol version 2.0; client software version OpenSSH_3.5p1
> debug1: match: OpenSSH_3.5p1 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-1.99-OpenSSH_3.5p1
> mkstemp("/var/run/sshd.mm.XXXXXXXX"): File or directory doesn't exist
> debug1: Calling cleanup 0x1a78c(0x0)
> bash-2.02#
>
> I have a few questions, first off, what is it that causes the following line
> and is it serious?
> debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
>
> also, what is this one about (where it ultimately fails):
> mkstemp("/var/run/sshd.mm.XXXXXXXX"): File or directory doesn't exist
> I know that I don't have a /var/run directory on LynxOS, so what can I do to
> fix this?
>
> Just so you know, I am using OpenSSH-3.5p1, with OpenSSL-0.9.6h. My OS is
> LynxOS 3.1.0a. Thanks in advance, I have already learned a lot about SSH
> from just lurking on the archives of this list for some time.
>
> Jacob
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

--
David M. Williams, CISSP          Phone: 505-665-8062
Systems Engineer, CCN-2           Fax:   505-667-7428
Los Alamos National Laboratory    Email: d_wllms at lanl.gov

From jacob.schroeder at latitude.com Thu Dec 12 11:00:54 2002
From: jacob.schroeder at latitude.com (Jacob Schroeder)
Date: Wed, 11 Dec 2002 16:00:54 -0800
Subject: OpenSSH-3.5p1: sshd fails at run-time
Message-ID: <54546A7A37A84F4C8E2A11B6C5552961DDBF04@scproexc01.latitude.com>

Dave,

Thanks for your quick reply!

I did do this build locally. The directory /var/empty is there already.

I created the /var/run directory just now and tried again, here's the latest output...

bash-2.02# mkdir /var/run
bash-2.02# cd /usr/local/sbin
bash-2.02# sshd -ddd -p 1234
debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper
debug1: sshd version OpenSSH_3.5p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 1234 on 0.0.0.0.
Server listening on 0.0.0.0 port 1234.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 172.20.1.13 port 1186
debug1: Client protocol version 2.0; client software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.5p1
mmap(65536): Device doesn't exist
debug1: Calling cleanup 0x1a78c(0x0)
bash-2.02#

Looks like it's that mmap thing. I did see a few posts (arguments) about that function in the archives, but I didn't see a solution mentioned. Any ideas?

Thanks

Jacob

> -----Original Message-----
> From: David M. Williams [mailto:d_wllms at lanl.gov]
> Sent: Wednesday, December 11, 2002 3:51 PM
> To: Jacob Schroeder
> Cc: 'openssh-unix-dev at mindrot.org'
> Subject: Re: OpenSSH-3.5p1: sshd fails at run-time
>
> Jacob,
> It looks like you didn't build this version of OpenSSH locally. Did
> you get it as a tarball? If so, you are missing a few directories like
> /var/run and I would expect /var/empty. Create the two directories,
> /var/empty should be 0600, and try to start sshd again.
>
> Dave
>
> Jacob Schroeder wrote:
>> Here's what I get:
>>
>> bash-2.02# sshd -ddd -p 1234
>> debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper
>> debug1: sshd version OpenSSH_3.5p1
>> debug1: private host key: #0 type 0 RSA1
>> debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
>> debug1: read PEM private key done: type RSA
>> debug1: private host key: #1 type 1 RSA
>> debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
>> debug1: read PEM private key done: type DSA
>> debug1: private host key: #2 type 2 DSA
>> debug1: Bind to port 1234 on 0.0.0.0.
>> Server listening on 0.0.0.0 port 1234.
>> Generating 768 bit RSA key.
>> RSA key generation complete.
>> debug1: Server will not fork when running in debugging mode.
>> Connection from 172.20.1.13 port 1181
>> debug1: Client protocol version 2.0; client software version OpenSSH_3.5p1
>> debug1: match: OpenSSH_3.5p1 pat OpenSSH*
>> debug1: Enabling compatibility mode for protocol 2.0
>> debug1: Local version string SSH-1.99-OpenSSH_3.5p1
>> mkstemp("/var/run/sshd.mm.XXXXXXXX"): File or directory doesn't exist
>> debug1: Calling cleanup 0x1a78c(0x0)
>> bash-2.02#
>>
>> I have a few questions, first off, what is it that causes the following line
>> and is it serious?
>> debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
>>
>> also, what is this one about (where it ultimately fails):
>> mkstemp("/var/run/sshd.mm.XXXXXXXX"): File or directory doesn't exist
>> I know that I don't have a /var/run directory on LynxOS, so what can I do to
>> fix this?
>>
>> Just so you know, I am using OpenSSH-3.5p1, with OpenSSL-0.9.6h. My OS is
>> LynxOS 3.1.0a. Thanks in advance, I have already learned a lot about SSH
>> from just lurking on the archives of this list for some time.
>>
>> Jacob
>> _______________________________________________
>> openssh-unix-dev at mindrot.org mailing list
>> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
> --
> David M. Williams, CISSP          Phone: 505-665-8062
> Systems Engineer, CCN-2           Fax:   505-667-7428
> Los Alamos National Laboratory    Email: d_wllms at lanl.gov

From d_wllms at lanl.gov Thu Dec 12 11:11:24 2002
From: d_wllms at lanl.gov (David M. Williams)
Date: Wed, 11 Dec 2002 17:11:24 -0700
Subject: OpenSSH-3.5p1: sshd fails at run-time
In-Reply-To: <54546A7A37A84F4C8E2A11B6C5552961DDBF04@scproexc01.latitude.com>
References: <54546A7A37A84F4C8E2A11B6C5552961DDBF04@scproexc01.latitude.com>
Message-ID: <3DF7D42C.7070704@lanl.gov>

Turn off Compression and PrivSeparation in your sshd_config file and try again. From what the threads in June mention, it looks like your flavor of LynxOS has a broken mmap.

Can you send the build and system info from the config.log file created in your build directory? It will help to improve the configure tests for mmap.

Dave

Jacob Schroeder wrote:
> Dave,
>
> Thanks for your quick reply!
>
> I did do this build locally. The directory /var/empty is there already.
>
> I created the /var/run directory just now and tried again, here's the latest
> output...
>
> bash-2.02# mkdir /var/run
> bash-2.02# cd /usr/local/sbin
> bash-2.02# sshd -ddd -p 1234
> debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper
> debug1: sshd version OpenSSH_3.5p1
> debug1: private host key: #0 type 0 RSA1
> debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
> debug1: read PEM private key done: type RSA
> debug1: private host key: #1 type 1 RSA
> debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
> debug1: read PEM private key done: type DSA
> debug1: private host key: #2 type 2 DSA
> debug1: Bind to port 1234 on 0.0.0.0.
> Server listening on 0.0.0.0 port 1234.
> Generating 768 bit RSA key.
> RSA key generation complete.
> debug1: Server will not fork when running in debugging mode.
> Connection from 172.20.1.13 port 1186
> debug1: Client protocol version 2.0; client software version OpenSSH_3.5p1
> debug1: match: OpenSSH_3.5p1 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-1.99-OpenSSH_3.5p1
> mmap(65536): Device doesn't exist
> debug1: Calling cleanup 0x1a78c(0x0)
> bash-2.02#
>
> Looks like it's that mmap thing, I did see a few posts (arguments) about
> that function in the archives, but I didn't see a solution mentioned. Any
> ideas?
>
> Thanks
>
> Jacob
>
>> -----Original Message-----
>> From: David M. Williams [mailto:d_wllms at lanl.gov]
>> Sent: Wednesday, December 11, 2002 3:51 PM
>> To: Jacob Schroeder
>> Cc: 'openssh-unix-dev at mindrot.org'
>> Subject: Re: OpenSSH-3.5p1: sshd fails at run-time
>>
>> Jacob,
>> It looks like you didn't build this version of OpenSSH locally. Did
>> you get it as a tarball? If so, you are missing a few directories like
>> /var/run and I would expect /var/empty. Create the two directories,
>> /var/empty should be 0600, and try to start sshd again.
>>
>> Dave
>>
>> Jacob Schroeder wrote:
>>> Here's what I get:
>>>
>>> bash-2.02# sshd -ddd -p 1234
>>> debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper
>>> debug1: sshd version OpenSSH_3.5p1
>>> debug1: private host key: #0 type 0 RSA1
>>> debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
>>> debug1: read PEM private key done: type RSA
>>> debug1: private host key: #1 type 1 RSA
>>> debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
>>> debug1: read PEM private key done: type DSA
>>> debug1: private host key: #2 type 2 DSA
>>> debug1: Bind to port 1234 on 0.0.0.0.
>>> Server listening on 0.0.0.0 port 1234.
>>> Generating 768 bit RSA key.
>>> RSA key generation complete.
>>> debug1: Server will not fork when running in debugging mode.
>>> Connection from 172.20.1.13 port 1181
>>> debug1: Client protocol version 2.0; client software version OpenSSH_3.5p1
>>> debug1: match: OpenSSH_3.5p1 pat OpenSSH*
>>> debug1: Enabling compatibility mode for protocol 2.0
>>> debug1: Local version string SSH-1.99-OpenSSH_3.5p1
>>> mkstemp("/var/run/sshd.mm.XXXXXXXX"): File or directory doesn't exist
>>> debug1: Calling cleanup 0x1a78c(0x0)
>>> bash-2.02#
>>>
>>> I have a few questions, first off, what is it that causes the following line
>>> and is it serious?
>>> debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
>>>
>>> also, what is this one about (where it ultimately fails):
>>> mkstemp("/var/run/sshd.mm.XXXXXXXX"): File or directory doesn't exist
>>> I know that I don't have a /var/run directory on LynxOS, so what can I do to
>>> fix this?
>>>
>>> Just so you know, I am using OpenSSH-3.5p1, with OpenSSL-0.9.6h. My OS is
>>> LynxOS 3.1.0a. Thanks in advance, I have already learned a lot about SSH
>>> from just lurking on the archives of this list for some time.
>>>
>>> Jacob
>>> _______________________________________________
>>> openssh-unix-dev at mindrot.org mailing list
>>> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
>> --
>> David M. Williams, CISSP          Phone: 505-665-8062
>> Systems Engineer, CCN-2           Fax:   505-667-7428
>> Los Alamos National Laboratory    Email: d_wllms at lanl.gov

--
David M. Williams, CISSP          Phone: 505-665-8062
Systems Engineer, CCN-2           Fax:   505-667-7428
Los Alamos National Laboratory    Email: d_wllms at lanl.gov

From up5a at stud.uni-karlsruhe.de Thu Dec 12 11:13:41 2002
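The two fatal lines in Jacob's log (the mkstemp() failure and then "mmap(65536): Device doesn't exist") both come from the step where a privilege-separated sshd needs memory shared between the monitor and the unprivileged child. The following is an added example, not OpenSSH's own code, showing that fallback chain: an anonymous MAP_SHARED mapping first, then a temp file created with mkstemp() in a state directory (assumed to be /var/run, with the template name taken from the log) and mapped MAP_SHARED, plus a fork-based check that the mapping really is shared. The names map_via_tmpfile, shared_map and shared_map_is_shared are hypothetical.

```c
#define _GNU_SOURCE            /* MAP_ANON, mkstemp, ftruncate on glibc */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

/* Which fallback produced the shared mapping (hypothetical names). */
enum shm_backend { SHM_FAILED = 0, SHM_ANON = 1, SHM_TMPFILE = 2 };

/*
 * Fallback 2: back the mapping with a temp file in `dir`. The template
 * reuses the name from Jacob's log; a missing `dir` makes mkstemp()
 * fail with ENOENT, the first fatal error seen in the thread.
 */
void *map_via_tmpfile(const char *dir, size_t size)
{
    char path[256];
    int fd;
    void *p;

    if (snprintf(path, sizeof path, "%s/sshd.mm.XXXXXXXX", dir) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return NULL;
    }
    fd = mkstemp(path);
    if (fd == -1)
        return NULL;                  /* errno set by mkstemp, e.g. ENOENT */
    unlink(path);                     /* keep the file private: no name on disk */
    if (ftruncate(fd, (off_t)size) == -1) {
        close(fd);
        return NULL;
    }
    p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);                        /* the mapping keeps the file alive */
    return p == MAP_FAILED ? NULL : p;
}

/*
 * Try an anonymous shared mapping first, then the temp-file fallback.
 * Reports which backend worked so a configure-style probe can record it.
 */
enum shm_backend shared_map(const char *dir, size_t size, void **out)
{
    void *p = mmap(NULL, size, PROT_READ | PROT_WRITE,
                   MAP_ANON | MAP_SHARED, -1, 0);
    if (p != MAP_FAILED) {
        *out = p;
        return SHM_ANON;
    }
    p = map_via_tmpfile(dir, size);
    if (p != NULL) {
        *out = p;
        return SHM_TMPFILE;
    }
    *out = NULL;                      /* errno describes the last failure */
    return SHM_FAILED;
}

/*
 * The property privilege separation depends on: a write by a forked
 * child must be visible to the parent. Returns 1 if it is, 0 otherwise.
 */
int shared_map_is_shared(void *p)
{
    volatile int *slot = p;
    pid_t pid;
    int status;

    *slot = 0;
    pid = fork();
    if (pid == -1)
        return 0;
    if (pid == 0) {                   /* child: write a marker and exit */
        *slot = 0x5a5a;
        _exit(0);
    }
    if (waitpid(pid, &status, 0) != pid)
        return 0;
    return *slot == 0x5a5a;
}

int main(void)
{
    void *p;
    enum shm_backend b = shared_map("/var/run", 65536, &p);

    if (b == SHM_FAILED) {            /* the second fatal error in the thread */
        fprintf(stderr, "mmap(65536): %s\n", strerror(errno));
        return 1;
    }
    printf("backend=%d shared=%d\n", (int)b, shared_map_is_shared(p));
    munmap(p, 65536);
    return 0;
}
```

On a platform where the anonymous mapping is refused and the state directory is absent, shared_map() fails the same way the log does, which is why creating /var/run only moved Jacob's failure from mkstemp() to mmap().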
From: up5a at stud.uni-karlsruhe.de (Tobias Ulbricht)
Date: Thu, 12 Dec 2002 01:13:41 +0100 (CET)
Subject: Problems with the tty's in openssh + AIX
In-Reply-To: <3DF6CCFA.A97ECD6A@zip.com.au>
Message-ID:

Yes. That did it for me as well. I'll see if my problems with putty and secureCRT will be gone as well.

My first thoughts were: it might be related to a tty/terminal thing:

debug1: Ignoring unsupported tty mode opcode 13 (0xd)
debug1: Ignoring unsupported tty mode opcode 18 (0x12)

or it might be related to

debug1: fd 4 setting TCP_NODELAY

since the test program mostly duplicates the FD onto 4 (for whatever reason).

cheers, tobias.

> It looks like the problem identified by Sandor Sklar in bug #124: a zero
> length write to the tty results in a zero-length read from it.
>
> I believe this is a bug in AIX. The attached patch works around it for
> me but I don't think this is a correct fix.
>
> From AIX's man page for read():
> A value of 0 is returned when the end of the file has been reached. (For
> information about communication files, see the ioctl and termio files.)
>
> The read is returning zero for something other than EOF.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

From jacob.schroeder at latitude.com Thu Dec 12 11:39:42 2002
From: jacob.schroeder at latitude.com (Jacob Schroeder)
Date: Wed, 11 Dec 2002 16:39:42 -0800
Subject: OpenSSH-3.5p1: sshd fails at run-time
Message-ID: <54546A7A37A84F4C8E2A11B6C555296102E1E81E@scproexc01.latitude.com>

Dave,

Again, thanks for the quick reply!

I made the changes you suggested, and I still get the same thing. Below is the same output, and then I show the /etc/ssh/sshd_config file with #UsePrivilegeSeparation no and #Compression no.

Is there some other place where this is getting called? What I mean is, are there any other flags I should set/unset in the sshd_config file? Is there a build or make option where I can tell it not to use mmap?

Regarding the build and system info from the config.log file... what exactly do you want me to include from that, because it is a rather big file. Let me know and I'll be glad to post it.

Thanks,

Jacob

bash-2.02# sshd -ddd -p 1234
debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper
debug1: sshd version OpenSSH_3.5p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 1234 on 0.0.0.0.
Server listening on 0.0.0.0 port 1234.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 172.20.1.13 port 1196
debug1: Client protocol version 2.0; client software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.5p1
mmap(65536): Device doesn't exist
debug1: Calling cleanup 0x1a78c(0x0)

bash-2.02# cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 120
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt no

#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation no
#PermitUserEnvironment no
#Compression no

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem sftp /usr/local/libexec/sftp-server
bash-2.02#

> -----Original Message-----
> From: David M. Williams [mailto:d_wllms at lanl.gov]
> Sent: Wednesday, December 11, 2002 4:11 PM
> To: Jacob Schroeder
> Cc: 'openssh-unix-dev at mindrot.org'
> Subject: Re: OpenSSH-3.5p1: sshd fails at run-time
>
> turn off Compression and PrivSeparation in your sshd_config file and try
> again. From what the threads in June mention it looks like your
> flavor of LynxOS has a broken mmap.
>
> Can you send the build and system info from the config.log file created
> in your build directory? It will help to improve the configure tests
> for mmap.
>
> Dave
>
> Jacob Schroeder wrote:
>> Dave,
>>
>> Thanks for your quick reply!
>>
>> I did do this build locally. The directory /var/empty is there already.
>>
>> I created the /var/run directory just now and tried again, here's the latest
>> output...
>>
>> bash-2.02# mkdir /var/run
>> bash-2.02# cd /usr/local/sbin
>> bash-2.02# sshd -ddd -p 1234
>> debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper
>> debug1: sshd version OpenSSH_3.5p1
>> debug1: private host key: #0 type 0 RSA1
>> debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
>> debug1: read PEM private key done: type RSA
>> debug1: private host key: #1 type 1 RSA
>> debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
>> debug1: read PEM private key done: type DSA
>> debug1: private host key: #2 type 2 DSA
>> debug1: Bind to port 1234 on 0.0.0.0.
>> Server listening on 0.0.0.0 port 1234.
>> Generating 768 bit RSA key.
>> RSA key generation complete.
>> debug1: Server will not fork when running in debugging mode.
>> Connection from 172.20.1.13 port 1186
>> debug1: Client protocol version 2.0; client software version OpenSSH_3.5p1
>> debug1: match: OpenSSH_3.5p1 pat OpenSSH*
>> debug1: Enabling compatibility mode for protocol 2.0
>> debug1: Local version string SSH-1.99-OpenSSH_3.5p1
>> mmap(65536): Device doesn't exist
>> debug1: Calling cleanup 0x1a78c(0x0)
>> bash-2.02#
>>
>> Looks like it's that mmap thing, I did see a few posts (arguments) about
>> that function in the archives, but I didn't see a solution mentioned. Any
>> ideas?
>>
>> Thanks
>>
>> Jacob
>>
>>> -----Original Message-----
>>> From: David M. Williams [mailto:d_wllms at lanl.gov]
>>> Sent: Wednesday, December 11, 2002 3:51 PM
>>> To: Jacob Schroeder
>>> Cc: 'openssh-unix-dev at mindrot.org'
>>> Subject: Re: OpenSSH-3.5p1: sshd fails at run-time
>>>
>>> Jacob,
>>> It looks like you didn't build this version of OpenSSH locally. Did
>>> you get it as a tarball? If so, you are missing a few directories like
>>> /var/run and I would expect /var/empty. Create the two directories,
>>> /var/empty should be 0600, and try to start sshd again.
>>>
>>> Dave
>>>
>>> Jacob Schroeder wrote:
>>>> Here's what I get:
>>>>
>>>> bash-2.02# sshd -ddd -p 1234
>>>> debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper
>>>> debug1: sshd version OpenSSH_3.5p1
>>>> debug1: private host key: #0 type 0 RSA1
>>>> debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
>>>> debug1: read PEM private key done: type RSA
>>>> debug1: private host key: #1 type 1 RSA
>>>> debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
>>>> debug1: read PEM private key done: type DSA
>>>> debug1: private host key: #2 type 2 DSA
>>>> debug1: Bind to port 1234 on 0.0.0.0.
>>>> Server listening on 0.0.0.0 port 1234.
>>>> Generating 768 bit RSA key.
>>>> RSA key generation complete.
>>>> debug1: Server will not fork when running in debugging mode.
>>>> Connection from 172.20.1.13 port 1181
>>>> debug1: Client protocol version 2.0; client software version OpenSSH_3.5p1
>>>> debug1: match: OpenSSH_3.5p1 pat OpenSSH*
>>>> debug1: Enabling compatibility mode for protocol 2.0
>>>> debug1: Local version string SSH-1.99-OpenSSH_3.5p1
>>>> mkstemp("/var/run/sshd.mm.XXXXXXXX"): File or directory doesn't exist
>>>> debug1: Calling cleanup 0x1a78c(0x0)
>>>> bash-2.02#
>>>>
>>>> I have a few questions, first off, what is it that causes the following line
>>>> and is it serious?
>>>> debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
>>>>
>>>> also, what is this one about (where it ultimately fails):
>>>> mkstemp("/var/run/sshd.mm.XXXXXXXX"): File or directory doesn't exist
>>>> I know that I don't have a /var/run directory on LynxOS, so what can I do to
>>>> fix this?
>>>>
>>>> Just so you know, I am using OpenSSH-3.5p1, with OpenSSL-0.9.6h. My OS is
>>>> LynxOS 3.1.0a. Thanks in advance, I have already learned a lot about SSH
>>>> from just lurking on the archives of this list for some time.
>>>>
>>>> Jacob
>>>> _______________________________________________
>>>> openssh-unix-dev at mindrot.org mailing list
>>>> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>>>
>>> --
>>> David M. Williams, CISSP          Phone: 505-665-8062
>>> Systems Engineer, CCN-2           Fax:   505-667-7428
>>> Los Alamos National Laboratory    Email: d_wllms at lanl.gov
>
> --
> David M. Williams, CISSP          Phone: 505-665-8062
> Systems Engineer, CCN-2           Fax:   505-667-7428
> Los Alamos National Laboratory    Email: d_wllms at lanl.gov

From stuge-openssh-unix-dev at cdy.org Thu Dec 12 11:42:38 2002
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Thu, 12 Dec 2002 01:42:38 +0100
Subject: Building without perl
In-Reply-To: <3DF7CB7F.7050402@lanl.gov>
References: <3DDD157B.7050705@unknown.nu> <3DEC9ED3.8030509@mindrot.org> <20021205091656.GA9983@foo.birdnet.se> <3DEF1D5D.5010701@mindrot.org> <3DEF24BC.1020805@mindrot.org> <3DF7CB7F.7050402@lanl.gov>
Message-ID: <20021212004238.GA30452@foo.birdnet.se>

On Wed, Dec 11, 2002 at 04:34:23PM -0700, David M. Williams wrote:
> Sorry to reply so late but it breaks on vanilla Mac OS X.

Thanks for testing though! :)

I believe the decision has been made to skip the fixpaths script completely, in favor of using sed directly in configure.

Please do however test the awk script that I posted a while back. :)

E.g. like this:

First save mdoc2man.awk in openssh-3.5p1 somewhere; this is the file that I attached to my posting. Then:

$ cd openssh-3.5p1
$ perl mdoc2man.pl < sftp.1 > sftp.1.plver
$ awk -f mdoc2man.awk < sftp.1 > sftp.1.awkver
$ diff -U 2 sftp.1.plver sftp.1.awkver

The diff should only return a few lines with a list of authors, and hopefully the awk run shouldn't produce any error messages.

//Peter

From d_wllms at lanl.gov Thu Dec 12 12:09:05 2002
From: d_wllms at lanl.gov (David M. Williams) Date: Wed, 11 Dec 2002 18:09:05 -0700 Subject: OpenSSH-3.5p1: sshd fails at run-time In-Reply-To: <54546A7A37A84F4C8E2A11B6C555296102E1E81E@scproexc01.latitude.com> References: <54546A7A37A84F4C8E2A11B6C555296102E1E81E@scproexc01.latitude.com> Message-ID: <3DF7E1B1.10009@lanl.gov> remove the #'s before Compression and UsePriviledgeSeperation. The # symbol makes the line a comment. Dave Jacob Schroeder wrote: >Dave, > >Again, thanks for the quick reply! > >I made the changes you suggested, and I still get the same thing. Below is >the same output and then I show the /etc/ssh/sshd_config file with >#UsePrivilegeSeparation no and #Compression no. > >Is there some other place where this is getting called? What I mean is are >there any other flags I should set/unset in the sshd_config file? Is there >a build or make option where I can tell it not to use mmap? > >Regarding the build and system info from the config.log file... what exactly >do you want me to include from that, because it is a rather big file. Let >me know and I'll be glad to post it. > >Thanks, > >Jacob > > > >bash-2.02# sshd -ddd -p 1234 >debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper >debug1: sshd version OpenSSH_3.5p1 >debug1: private host key: #0 type 0 RSA1 >debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. >debug1: read PEM private key done: type RSA >debug1: private host key: #1 type 1 RSA >debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. >debug1: read PEM private key done: type DSA >debug1: private host key: #2 type 2 DSA >debug1: Bind to port 1234 on 0.0.0.0. >Server listening on 0.0.0.0 port 1234. >Generating 768 bit RSA key. >RSA key generation complete. >debug1: Server will not fork when running in debugging mode. 
>Connection from 172.20.1.13 port 1196 >debug1: Client protocol version 2.0; client software version OpenSSH_3.5p1 >debug1: match: OpenSSH_3.5p1 pat OpenSSH* >debug1: Enabling compatibility mode for protocol 2.0 >debug1: Local version string SSH-1.99-OpenSSH_3.5p1 >mmap(65536): Device doesn't exist >debug1: Calling cleanup 0x1a78c(0x0) > > >bash-2.02# cat /etc/ssh/sshd_config ># $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $ > ># This is the sshd server system-wide configuration file. See ># sshd_config(5) for more information. > ># This sshd was compiled with >PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin > ># The strategy used for options in the default sshd_config shipped with ># OpenSSH is to specify options with their default value where ># possible, but leave them commented. Uncommented options change a ># default value. > >#Port 22 >#Protocol 2,1 >#ListenAddress 0.0.0.0 >#ListenAddress :: > ># HostKey for protocol version 1 >#HostKey /etc/ssh/ssh_host_key ># HostKeys for protocol version 2 >#HostKey /etc/ssh/ssh_host_rsa_key >#HostKey /etc/ssh/ssh_host_dsa_key > ># Lifetime and size of ephemeral version 1 server key >#KeyRegenerationInterval 3600 >#ServerKeyBits 768 > ># Logging >#obsoletes QuietMode and FascistLogging >#SyslogFacility AUTH >#LogLevel INFO > ># Authentication: > >#LoginGraceTime 120 >#PermitRootLogin yes >#StrictModes yes > >#RSAAuthentication yes >#PubkeyAuthentication yes >#AuthorizedKeysFile .ssh/authorized_keys > ># rhosts authentication should not be used >#RhostsAuthentication no ># Don't read the user's ~/.rhosts and ~/.shosts files >#IgnoreRhosts yes ># For this to work you will also need host keys in /etc/ssh/ssh_known_hosts >#RhostsRSAAuthentication no ># similar for protocol version 2 >#HostbasedAuthentication no ># Change to yes if you don't trust ~/.ssh/known_hosts for ># RhostsRSAAuthentication and HostbasedAuthentication >#IgnoreUserKnownHosts no > ># To disable tunneled clear text passwords, change to no 
here! >#PasswordAuthentication yes >#PermitEmptyPasswords no > ># Change to no to disable s/key passwords >#ChallengeResponseAuthentication yes > ># Kerberos options >#KerberosAuthentication no >#KerberosOrLocalPasswd yes >#KerberosTicketCleanup yes > >#AFSTokenPassing no > ># Kerberos TGT Passing only works with the AFS kaserver >#KerberosTgtPassing no > ># Set this to 'yes' to enable PAM keyboard-interactive authentication ># Warning: enabling this may bypass the setting of 'PasswordAuthentication' >#PAMAuthenticationViaKbdInt no > >#X11Forwarding no >#X11DisplayOffset 10 >#X11UseLocalhost yes >#PrintMotd yes >#PrintLastLog yes >#KeepAlive yes >#UseLogin no >#UsePrivilegeSeparation no >#PermitUserEnvironment no >#Compression no > >#MaxStartups 10 ># no default banner path >#Banner /some/path >#VerifyReverseMapping no > ># override default of no subsystems >Subsystem sftp /usr/local/libexec/sftp-server >bash-2.02# > > > > > > > >>-----Original Message----- 
>>From: David M. Williams [mailto:d_wllms at lanl.gov] >>Sent: Wednesday, December 11, 2002 4:11 PM >>To: Jacob Schroeder >>Cc: 'openssh-unix-dev at mindrot.org' >>Subject: Re: OpenSSH-3.5p1: sshd fails at run-time >> >> >>turn off Compression and PrivSeparation in your sshd_config >>file and try >>again. From what the threads in June mention it looks like your >>flavor of LynxOS has a broken mmap. >> >>Can you send the build and system info from the config.log >>file created >>in your build directory? It will help to improve the configure tests >>for mmap. >> >>Dave >> >>Jacob Schroeder wrote: >> >> >> >>>Dave, >>> >>>Thanks for your quick reply! >>> >>>I did do this build locally. The directory /var/empty is >>> >>> >>there already. >> >> >>>I created the /var/run directory just now and tried again, >>> >>> >>here's the latest >> >> >>>output... >>> >>>bash-2.02# mkdir /var/run >>>bash-2.02# cd /usr/local/sbin >>>bash-2.02# sshd -ddd -p 1234 >>>debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper >>>debug1: sshd version OpenSSH_3.5p1 >>>debug1: private host key: #0 type 0 RSA1 >>>debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. >>>debug1: read PEM private key done: type RSA >>>debug1: private host key: #1 type 1 RSA >>>debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. >>>debug1: read PEM private key done: type DSA >>>debug1: private host key: #2 type 2 DSA >>>debug1: Bind to port 1234 on 0.0.0.0. >>>Server listening on 0.0.0.0 port 1234. >>>Generating 768 bit RSA key. >>>RSA key generation complete. >>>debug1: Server will not fork when running in debugging mode. 
>>>Connection from 172.20.1.13 port 1186 >>>debug1: Client protocol version 2.0; client software version >>> >>> >>OpenSSH_3.5p1 >> >> >>>debug1: match: OpenSSH_3.5p1 pat OpenSSH* >>>debug1: Enabling compatibility mode for protocol 2.0 >>>debug1: Local version string SSH-1.99-OpenSSH_3.5p1 >>>mmap(65536): Device doesn't exist >>>debug1: Calling cleanup 0x1a78c(0x0) >>>bash-2.02# >>> >>>Looks like it's that mmap thing, I did see a few posts >>> >>> >>(arguments) about >> >> >>>that function in the archives, but I didn't see a solution >>> >>> >>mentioned. Any >> >> >>>ideas? >>> >>>Thanks >>> >>>Jacob >>> >>> >>> >>> >>> >>> >>>>-----Original Message----- 
>>>>From: David M. Williams [mailto:d_wllms at lanl.gov] >>>>Sent: Wednesday, December 11, 2002 3:51 PM >>>>To: Jacob Schroeder >>>>Cc: 'openssh-unix-dev at mindrot.org' >>>>Subject: Re: OpenSSH-3.5p1: sshd fails at run-time >>>> >>>> >>>>Jacob, >>>> It looks like you didn't build this version of OpenSSH >>>>locally. Did >>>>you get it as a tarball? If so, you are missing a few >>>>directories like >>>>/var/run and I would expect /var/empty. Create the two directories, >>>>/var/empty should be 0600, and try to start sshd again. >>>> >>>>Dave >>>> >>>>Jacob Schroeder wrote: >>>> >>>> >>>> >>>> >>>> >>>>>Here's what I get: >>>>> >>>>>bash-2.02# sshd -ddd -p 1234 >>>>>debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper >>>>>debug1: sshd version OpenSSH_3.5p1 >>>>>debug1: private host key: #0 type 0 RSA1 >>>>>debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. >>>>>debug1: read PEM private key done: type RSA >>>>>debug1: private host key: #1 type 1 RSA >>>>>debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. >>>>>debug1: read PEM private key done: type DSA >>>>>debug1: private host key: #2 type 2 DSA >>>>>debug1: Bind to port 1234 on 0.0.0.0. >>>>>Server listening on 0.0.0.0 port 1234. >>>>>Generating 768 bit RSA key. >>>>>RSA key generation complete. >>>>>debug1: Server will not fork when running in debugging mode. >>>>>Connection from 172.20.1.13 port 1181 >>>>>debug1: Client protocol version 2.0; client software version >>>>> >>>>> >>>>> >>>>> >>>>OpenSSH_3.5p1 >>>> >>>> >>>> >>>> >>>>>debug1: match: OpenSSH_3.5p1 pat OpenSSH* >>>>>debug1: Enabling compatibility mode for protocol 2.0 >>>>>debug1: Local version string SSH-1.99-OpenSSH_3.5p1 >>>>>mkstemp("/var/run/sshd.mm.XXXXXXXX"): File or directory >>>>> >>>>> >>doesn't exist >> >> >>>>>debug1: Calling cleanup 0x1a78c(0x0) >>>>>bash-2.02# >>>>> >>>>>I have a few questions, first off, what is it that causes the >>>>> >>>>> >>>>> >>>>> >>>>following line >>>> >>>> >>>> >>>> >>>>>and is it serious? 
>>>>>debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. >>>>> >>>>>also, what is this one about (where it ultimately fails): >>>>>mkstemp("/var/run/sshd.mm.XXXXXXXX"): File or directory >>>>> >>>>> >>doesn't exist >> >> >>>>>I know that I don't have a /var/run directory on LynxOS, so >>>>> >>>>> >>>>> >>>>> >>>>what can I do to >>>> >>>> >>>> >>>> >>>>>fix this? >>>>> >>>>>Just so you know, I am using OpenSSH-3.5p1, with >>>>> >>>>> >>>>> >>>>> >>>>OpenSSL-0.9.6h. My OS is >>>> >>>> >>>> >>>> >>>>>LynxOS 3.1.0a. Thanks in advance, I have already learned a >>>>> >>>>> >>>>> >>>>> >>>>lot about SSH >>>>>from just lurking on the archives of this list for some time. >>>> >>>> >>>> >>>> >>>>>Jacob >>>>>_______________________________________________ >>>>>openssh-unix-dev at mindrot.org mailing list >>>>>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>-- >>>>David M. Williams, CISSP Phone: 505-665-8062 >>>>Systems Engineer, CCN-2 Fax: 505-667-7428 >>>>Los Alamos National Laboratory Email: d_wllms at lanl.gov >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>> >>> >>-- >>David M. Williams, CISSP Phone: 505-665-8062 >>Systems Engineer, CCN-2 Fax: 505-667-7428 >>Los Alamos National Laboratory Email: d_wllms at lanl.gov >> >> >> >> >> > > > > -- David M. Williams, CISSP Phone: 505-665-8062 Systems Engineer, CCN-2 Fax: 505-667-7428 Los Alamos National Laboratory Email: d_wllms at lanl.gov From d_wllms at lanl.gov Thu Dec 12 12:12:43 2002 
From: d_wllms at lanl.gov (David M. Williams) Date: Wed, 11 Dec 2002 18:12:43 -0700 Subject: Building without perl In-Reply-To: <20021212004238.GA30452@foo.birdnet.se> References: <3DDD157B.7050705@unknown.nu> <3DEC9ED3.8030509@mindrot.org> <20021205091656.GA9983@foo.birdnet.se> <3DEF1D5D.5010701@mindrot.org> <3DEF24BC.1020805@mindrot.org> <3DF7CB7F.7050402@lanl.gov> <20021212004238.GA30452@foo.birdnet.se> Message-ID: <3DF7E28B.10601@lanl.gov> I am working on the sed stuff right now. It doesn't work on OS X as the patch was originally submitted but I'm relatively close to having it working. OS X has a VERY old version of sed. Thanks for the tip on testing your awk stuff. That will be my next thing to test. Dave Peter Stuge wrote: >On Wed, Dec 11, 2002 at 04:34:23PM -0700, David M. Williams wrote: > > >>Sorry to reply so late but it breaks on vanilla Mac OS X. >> >> > >Thanks for testing though! :) >I believe the decision has been made to skip the fixpaths script completely, >in favor of using sed directly in configure. > >Please do however test the awk script that I posted a while back. :) > >E.g. like this: > >First save mdoc2man.awk in openssh-3.5p1 somewhere, this is the file that I >attached to my posting. Then: > >$ cd openssh-3.5p1 >$ perl mdoc2man.pl < sftp.1 > sftp.1.plver >$ awk -f mdoc2man.awk < sftp.1 > sftp.1.awkver >$ diff -U 2 sftp.1.plver sftp.1.awkver > >The diff should only return a few lines with a list of authors and hopefully >the awk run shouldn't produce any error messages. > > >//Peter > > > > -- David M. Williams, CISSP Phone: 505-665-8062 Systems Engineer, CCN-2 Fax: 505-667-7428 Los Alamos National Laboratory Email: d_wllms at lanl.gov From d_wllms at lanl.gov Thu Dec 12 12:30:47 2002 
From: d_wllms at lanl.gov (David M. Williams) Date: Wed, 11 Dec 2002 18:30:47 -0700 Subject: OpenSSH-3.5p1: sshd fails at run-time In-Reply-To: <54546A7A37A84F4C8E2A11B6C555296102E1E81E@scproexc01.latitude.com> References: <54546A7A37A84F4C8E2A11B6C555296102E1E81E@scproexc01.latitude.com> Message-ID: <3DF7E6C7.4020606@lanl.gov> This is an example of the system info: from config.log: ## ---------- ## ## Platform. ## ## ---------- ## hostname = somebox.domain.domain uname -m = Power Macintosh uname -r = 6.2 uname -s = Darwin uname -v = Darwin Kernel Version 6.2: Tue Nov 5 22:00:03 PST 2002; root:xnu/xnu-344.12.2.obj~1/RELEASE_PPC /usr/bin/uname -p = powerpc /bin/uname -X = unknown /bin/arch = unknown /usr/bin/arch -k = unknown /usr/convex/getsysinfo = unknown hostinfo = Mach kernel version: Darwin Kernel Version 6.2: Tue Nov 5 22:00:03 PST 2002; root:xnu/xnu-344.12.2.obj~1/RELEASE_PPC Jacob Schroeder wrote: >Dave, > >Again, thanks for the quick reply! > >I made the changes you suggested, and I still get the same thing. Below is >the same output and then I show the /etc/ssh/sshd_config file with >#UsePrivilegeSeparation no and #Compression no. > >Is there some other place where this is getting called? What I mean is are >there any other flags I should set/unset in the sshd_config file? Is there >a build or make option where I can tell it not to use mmap? > >Regarding the build and system info from the config.log file... what exactly >do you want me to include from that, because it is a rather big file. Let >me know and I'll be glad to post it. > >Thanks, > >Jacob > > > >bash-2.02# sshd -ddd -p 1234 >debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper >debug1: sshd version OpenSSH_3.5p1 >debug1: private host key: #0 type 0 RSA1 >debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. >debug1: read PEM private key done: type RSA >debug1: private host key: #1 type 1 RSA >debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. 
>debug1: read PEM private key done: type DSA >debug1: private host key: #2 type 2 DSA >debug1: Bind to port 1234 on 0.0.0.0. >Server listening on 0.0.0.0 port 1234. >Generating 768 bit RSA key. >RSA key generation complete. >debug1: Server will not fork when running in debugging mode. >Connection from 172.20.1.13 port 1196 >debug1: Client protocol version 2.0; client software version OpenSSH_3.5p1 >debug1: match: OpenSSH_3.5p1 pat OpenSSH* >debug1: Enabling compatibility mode for protocol 2.0 >debug1: Local version string SSH-1.99-OpenSSH_3.5p1 >mmap(65536): Device doesn't exist >debug1: Calling cleanup 0x1a78c(0x0) > > >bash-2.02# cat /etc/ssh/sshd_config ># $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $ > ># This is the sshd server system-wide configuration file. See ># sshd_config(5) for more information. > ># This sshd was compiled with >PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin > ># The strategy used for options in the default sshd_config shipped with ># OpenSSH is to specify options with their default value where ># possible, but leave them commented. Uncommented options change a ># default value. 
> >#Port 22 >#Protocol 2,1 >#ListenAddress 0.0.0.0 >#ListenAddress :: > ># HostKey for protocol version 1 >#HostKey /etc/ssh/ssh_host_key ># HostKeys for protocol version 2 >#HostKey /etc/ssh/ssh_host_rsa_key >#HostKey /etc/ssh/ssh_host_dsa_key > ># Lifetime and size of ephemeral version 1 server key >#KeyRegenerationInterval 3600 >#ServerKeyBits 768 > ># Logging >#obsoletes QuietMode and FascistLogging >#SyslogFacility AUTH >#LogLevel INFO > ># Authentication: > >#LoginGraceTime 120 >#PermitRootLogin yes >#StrictModes yes > >#RSAAuthentication yes >#PubkeyAuthentication yes >#AuthorizedKeysFile .ssh/authorized_keys > ># rhosts authentication should not be used >#RhostsAuthentication no ># Don't read the user's ~/.rhosts and ~/.shosts files >#IgnoreRhosts yes ># For this to work you will also need host keys in /etc/ssh/ssh_known_hosts >#RhostsRSAAuthentication no ># similar for protocol version 2 >#HostbasedAuthentication no ># Change to yes if you don't trust ~/.ssh/known_hosts for ># RhostsRSAAuthentication and HostbasedAuthentication >#IgnoreUserKnownHosts no > ># To disable tunneled clear text passwords, change to no here! 
>#PasswordAuthentication yes >#PermitEmptyPasswords no > ># Change to no to disable s/key passwords >#ChallengeResponseAuthentication yes > ># Kerberos options >#KerberosAuthentication no >#KerberosOrLocalPasswd yes >#KerberosTicketCleanup yes > >#AFSTokenPassing no > ># Kerberos TGT Passing only works with the AFS kaserver >#KerberosTgtPassing no > ># Set this to 'yes' to enable PAM keyboard-interactive authentication ># Warning: enabling this may bypass the setting of 'PasswordAuthentication' >#PAMAuthenticationViaKbdInt no > >#X11Forwarding no >#X11DisplayOffset 10 >#X11UseLocalhost yes >#PrintMotd yes >#PrintLastLog yes >#KeepAlive yes >#UseLogin no >#UsePrivilegeSeparation no >#PermitUserEnvironment no >#Compression no > >#MaxStartups 10 ># no default banner path >#Banner /some/path >#VerifyReverseMapping no > ># override default of no subsystems >Subsystem sftp /usr/local/libexec/sftp-server >bash-2.02# > > > > > > > >>-----Original Message----- 
>>From: David M. Williams [mailto:d_wllms at lanl.gov] >>Sent: Wednesday, December 11, 2002 4:11 PM >>To: Jacob Schroeder >>Cc: 'openssh-unix-dev at mindrot.org' >>Subject: Re: OpenSSH-3.5p1: sshd fails at run-time >> >> >>turn off Compression and PrivSeparation in your sshd_config >>file and try >>again. From what the threads in June mention it looks like your >>flavor of LynxOS has a broken mmap. >> >>Can you send the build and system info from the config.log >>file created >>in your build directory? It will help to improve the configure tests >>for mmap. >> >>Dave >> >>Jacob Schroeder wrote: >> >> >> >>>Dave, >>> >>>Thanks for your quick reply! >>> >>>I did do this build locally. The directory /var/empty is >>> >>> >>there already. >> >> >>>I created the /var/run directory just now and tried again, >>> >>> >>here's the latest >> >> >>>output... >>> >>>bash-2.02# mkdir /var/run >>>bash-2.02# cd /usr/local/sbin >>>bash-2.02# sshd -ddd -p 1234 >>>debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper >>>debug1: sshd version OpenSSH_3.5p1 >>>debug1: private host key: #0 type 0 RSA1 >>>debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. >>>debug1: read PEM private key done: type RSA >>>debug1: private host key: #1 type 1 RSA >>>debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. >>>debug1: read PEM private key done: type DSA >>>debug1: private host key: #2 type 2 DSA >>>debug1: Bind to port 1234 on 0.0.0.0. >>>Server listening on 0.0.0.0 port 1234. >>>Generating 768 bit RSA key. >>>RSA key generation complete. >>>debug1: Server will not fork when running in debugging mode. 
>>>Connection from 172.20.1.13 port 1186 >>>debug1: Client protocol version 2.0; client software version >>> >>> >>OpenSSH_3.5p1 >> >> >>>debug1: match: OpenSSH_3.5p1 pat OpenSSH* >>>debug1: Enabling compatibility mode for protocol 2.0 >>>debug1: Local version string SSH-1.99-OpenSSH_3.5p1 >>>mmap(65536): Device doesn't exist >>>debug1: Calling cleanup 0x1a78c(0x0) >>>bash-2.02# >>> >>>Looks like it's that mmap thing, I did see a few posts >>> >>> >>(arguments) about >> >> >>>that function in the archives, but I didn't see a solution >>> >>> >>mentioned. Any >> >> >>>ideas? >>> >>>Thanks >>> >>>Jacob >>> >>> >>> >>> >>> >>> >>>>-----Original Message----- 
>>>>From: David M. Williams [mailto:d_wllms at lanl.gov] >>>>Sent: Wednesday, December 11, 2002 3:51 PM >>>>To: Jacob Schroeder >>>>Cc: 'openssh-unix-dev at mindrot.org' >>>>Subject: Re: OpenSSH-3.5p1: sshd fails at run-time >>>> >>>> >>>>Jacob, >>>> It looks like you didn't build this version of OpenSSH >>>>locally. Did >>>>you get it as a tarball? If so, you are missing a few >>>>directories like >>>>/var/run and I would expect /var/empty. Create the two directories, >>>>/var/empty should be 0600, and try to start sshd again. >>>> >>>>Dave >>>> >>>>Jacob Schroeder wrote: >>>> >>>> >>>> >>>> >>>> >>>>>Here's what I get: >>>>> >>>>>bash-2.02# sshd -ddd -p 1234 >>>>>debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper >>>>>debug1: sshd version OpenSSH_3.5p1 >>>>>debug1: private host key: #0 type 0 RSA1 >>>>>debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. >>>>>debug1: read PEM private key done: type RSA >>>>>debug1: private host key: #1 type 1 RSA >>>>>debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. >>>>>debug1: read PEM private key done: type DSA >>>>>debug1: private host key: #2 type 2 DSA >>>>>debug1: Bind to port 1234 on 0.0.0.0. >>>>>Server listening on 0.0.0.0 port 1234. >>>>>Generating 768 bit RSA key. >>>>>RSA key generation complete. >>>>>debug1: Server will not fork when running in debugging mode. >>>>>Connection from 172.20.1.13 port 1181 >>>>>debug1: Client protocol version 2.0; client software version >>>>> >>>>> >>>>> >>>>> >>>>OpenSSH_3.5p1 >>>> >>>> >>>> >>>> >>>>>debug1: match: OpenSSH_3.5p1 pat OpenSSH* >>>>>debug1: Enabling compatibility mode for protocol 2.0 >>>>>debug1: Local version string SSH-1.99-OpenSSH_3.5p1 >>>>>mkstemp("/var/run/sshd.mm.XXXXXXXX"): File or directory >>>>> >>>>> >>doesn't exist >> >> >>>>>debug1: Calling cleanup 0x1a78c(0x0) >>>>>bash-2.02# >>>>> >>>>>I have a few questions, first off, what is it that causes the >>>>> >>>>> >>>>> >>>>> >>>>following line >>>> >>>> >>>> >>>> >>>>>and is it serious? 
>>>>>debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. >>>>> >>>>>also, what is this one about (where it ultimately fails): >>>>>mkstemp("/var/run/sshd.mm.XXXXXXXX"): File or directory >>>>> >>>>> >>doesn't exist >> >> >>>>>I know that I don't have a /var/run directory on LynxOS, so >>>>> >>>>> >>>>> >>>>> >>>>what can I do to >>>> >>>> >>>> >>>> >>>>>fix this? >>>>> >>>>>Just so you know, I am using OpenSSH-3.5p1, with >>>>> >>>>> >>>>> >>>>> >>>>OpenSSL-0.9.6h. My OS is >>>> >>>> >>>> >>>> >>>>>LynxOS 3.1.0a. Thanks in advance, I have already learned a >>>>> >>>>> >>>>> >>>>> >>>>lot about SSH >>>>>from just lurking on the archives of this list for some time. >>>> >>>> >>>> >>>> >>>>>Jacob >>>>>_______________________________________________ >>>>>openssh-unix-dev at mindrot.org mailing list >>>>>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>-- >>>>David M. Williams, CISSP Phone: 505-665-8062 >>>>Systems Engineer, CCN-2 Fax: 505-667-7428 >>>>Los Alamos National Laboratory Email: d_wllms at lanl.gov >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>> >>> >>-- >>David M. Williams, CISSP Phone: 505-665-8062 >>Systems Engineer, CCN-2 Fax: 505-667-7428 >>Los Alamos National Laboratory Email: d_wllms at lanl.gov >> >> >> >> >> > > > > -- David M. Williams, CISSP Phone: 505-665-8062 Systems Engineer, CCN-2 Fax: 505-667-7428 Los Alamos National Laboratory Email: d_wllms at lanl.gov From d_wllms at lanl.gov Thu Dec 12 13:08:25 2002 
From: d_wllms at lanl.gov (David M. Williams) Date: Wed, 11 Dec 2002 19:08:25 -0700 Subject: Building without perl In-Reply-To: References: Message-ID: <3DF7EF99.2080408@lanl.gov> Tested the referenced patch on Mac OS X. Works like a charm. Here's the updated patch, against -current. All credit to Mo DeJong. Dave Tim Rice wrote: >On Fri, 6 Dec 2002, Damien Miller wrote: > > > >>Tim Rice wrote: >> >> >>>On Thu, 5 Dec 2002, Damien Miller wrote: >>> >>> >>> >>> >>>>Damien Miller wrote: >>>> >>>>Committed - it would be good if people test this with various grep and >>>>sed implementations. >>>> >>>> >>>Breaks SCO. >>> >>> >>Can you be more specific? >> >> > >Peter and I have been working on it. I think he has a working version >now (works on SCO) but I want to test on my other platforms before commiting. > >I also checked the archives and found >http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=97590463728438&w=2 > >Seems like it may be more robust. > > > > > -- David M. Williams, CISSP Phone: 505-665-8062 Systems Engineer, CCN-2 Fax: 505-667-7428 Los Alamos National Laboratory Email: d_wllms at lanl.gov -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: perldep.patch Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20021211/f7772eea/attachment.ksh From d_wllms at lanl.gov Thu Dec 12 13:40:53 2002 
From: d_wllms at lanl.gov (David M. Williams) Date: Wed, 11 Dec 2002 19:40:53 -0700 Subject: Building without perl In-Reply-To: <20021212004238.GA30452@foo.birdnet.se> References: <3DDD157B.7050705@unknown.nu> <3DEC9ED3.8030509@mindrot.org> <20021205091656.GA9983@foo.birdnet.se> <3DEF1D5D.5010701@mindrot.org> <3DEF24BC.1020805@mindrot.org> <3DF7CB7F.7050402@lanl.gov> <20021212004238.GA30452@foo.birdnet.se> Message-ID: <3DF7F735.5030202@lanl.gov> OK, it fails on OS X. Here's what I got. me at somehost % awk -f mdoc2man.awk < sftp.1 > sftp.1.awkver awk: newline in character class [ ]$... source line number 47 context is gth(line)&&!match(line,"[\n >>> ]$") <<< ) the cmdline produced a zero length file, obviously. I'm not an awk expert so I can't offer much help I'm afraid. Dave Peter Stuge wrote: >On Wed, Dec 11, 2002 at 04:34:23PM -0700, David M. Williams wrote: > > >>Sorry to reply so late but it breaks on vanilla Mac OS X. >> >> > >Thanks for testing though! :) >I believe the decision has been made to skip the fixpaths script completely, >in favor of using sed directly in configure. > >Please do however test the awk script that I posted a while back. :) > >E.g. like this: > >First save mdoc2man.awk in openssh-3.5p1 somewhere, this is the file that I >attached to my posting. Then: > >$ cd openssh-3.5p1 >$ perl mdoc2man.pl < sftp.1 > sftp.1.plver >$ awk -f mdoc2man.awk < sftp.1 > sftp.1.awkver >$ diff -U 2 sftp.1.plver sftp.1.awkver > >The diff should only return a few lines with a list of authors and hopefully >the awk run shouldn't produce any error messages. > > >//Peter > > > > -- David M. Williams, CISSP Phone: 505-665-8062 Systems Engineer, CCN-2 Fax: 505-667-7428 Los Alamos National Laboratory Email: d_wllms at lanl.gov From mouring at etoh.eviladmin.org Thu Dec 12 13:55:15 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 11 Dec 2002 20:55:15 -0600 (CST) Subject: OpenSSH-3.5p1: sshd fails at run-time In-Reply-To: <3DF7D42C.7070704@lanl.gov> Message-ID: It is either Compression or PrivSep. You don't need to turn off both. Hmm.. LynxOS mmap() looks incomplete.. You can always take and uncomment HAVE_MMAP in your config.h and recompile. That should resolve to the last method of handling compression/privsep communications. It would be nice if we could get someone who knows something about LynxOS (Hey, Anyone from LynxOS developers group here?!) to give us a suggestion on the best fix. - Ben On Wed, 11 Dec 2002, David M. Williams wrote: > turn off Compression and PrivSeparation in your sshd_config file and try > again. From what the threads in June mention it looks like your > flavor of LynxOS has a broken mmap. > > Can you send the build and system info from the config.log file created > in your build directory? It will help to improve the configure tests > for mmap. > > Dave > > Jacob Schroeder wrote: > > >Dave, > > > >Thanks for your quick reply! > > > >I did do this build locally. The directory /var/empty is there already. > > > >I created the /var/run directory just now and tried again, here's the latest > >output... > > > >bash-2.02# mkdir /var/run > >bash-2.02# cd /usr/local/sbin > >bash-2.02# sshd -ddd -p 1234 > >debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper > >debug1: sshd version OpenSSH_3.5p1 > >debug1: private host key: #0 type 0 RSA1 > >debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. > >debug1: read PEM private key done: type RSA > >debug1: private host key: #1 type 1 RSA > >debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. > >debug1: read PEM private key done: type DSA > >debug1: private host key: #2 type 2 DSA > >debug1: Bind to port 1234 on 0.0.0.0. > >Server listening on 0.0.0.0 port 1234. > >Generating 768 bit RSA key. > >RSA key generation complete. 
> >debug1: Server will not fork when running in debugging mode. > >Connection from 172.20.1.13 port 1186 > >debug1: Client protocol version 2.0; client software version OpenSSH_3.5p1 > >debug1: match: OpenSSH_3.5p1 pat OpenSSH* > >debug1: Enabling compatibility mode for protocol 2.0 > >debug1: Local version string SSH-1.99-OpenSSH_3.5p1 > >mmap(65536): Device doesn't exist > >debug1: Calling cleanup 0x1a78c(0x0) > >bash-2.02# > > > >Looks like it's that mmap thing, I did see a few posts (arguments) about > >that function in the archives, but I didn't see a solution mentioned. Any > >ideas? > > > >Thanks > > > >Jacob > > > > > > > > > >>-----Original Message----- 
> >>From: David M. Williams [mailto:d_wllms at lanl.gov] > >>Sent: Wednesday, December 11, 2002 3:51 PM > >>To: Jacob Schroeder > >>Cc: 'openssh-unix-dev at mindrot.org' > >>Subject: Re: OpenSSH-3.5p1: sshd fails at run-time > >> > >> > >>Jacob, > >> It looks like you didn't build this version of OpenSSH > >>locally. Did > >>you get it as a tarball? If so, you are missing a few > >>directories like > >>/var/run and I would expect /var/empty. Create the two directories, > >>/var/empty should be 0600, and try to start sshd again. > >> > >>Dave > >> > >>Jacob Schroeder wrote: > >> > >> > >> > >>>Here's what I get: > >>> > >>>bash-2.02# sshd -ddd -p 1234 > >>>debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper > >>>debug1: sshd version OpenSSH_3.5p1 > >>>debug1: private host key: #0 type 0 RSA1 > >>>debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. > >>>debug1: read PEM private key done: type RSA > >>>debug1: private host key: #1 type 1 RSA > >>>debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. > >>>debug1: read PEM private key done: type DSA > >>>debug1: private host key: #2 type 2 DSA > >>>debug1: Bind to port 1234 on 0.0.0.0. > >>>Server listening on 0.0.0.0 port 1234. > >>>Generating 768 bit RSA key. > >>>RSA key generation complete. > >>>debug1: Server will not fork when running in debugging mode. > >>>Connection from 172.20.1.13 port 1181 > >>>debug1: Client protocol version 2.0; client software version > >>> > >>> > >>OpenSSH_3.5p1 > >> > >> > >>>debug1: match: OpenSSH_3.5p1 pat OpenSSH* > >>>debug1: Enabling compatibility mode for protocol 2.0 > >>>debug1: Local version string SSH-1.99-OpenSSH_3.5p1 > >>>mkstemp("/var/run/sshd.mm.XXXXXXXX"): File or directory doesn't exist > >>>debug1: Calling cleanup 0x1a78c(0x0) > >>>bash-2.02# > >>> > >>>I have a few questions, first off, what is it that causes the > >>> > >>> > >>following line > >> > >> > >>>and is it serious? > >>>debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. 
> >>> > >>>also, what is this one about (where it ultimately fails): > >>>mkstemp("/var/run/sshd.mm.XXXXXXXX"): File or directory doesn't exist > >>>I know that I don't have a /var/run directory on LynxOS, so > >>> > >>> > >>what can I do to > >> > >> > >>>fix this? > >>> > >>>Just so you know, I am using OpenSSH-3.5p1, with > >>> > >>> > >>OpenSSL-0.9.6h. My OS is > >> > >> > >>>LynxOS 3.1.0a. Thanks in advance, I have already learned a > >>> > >>> > >>lot about SSH > >>>from just lurking on the archives of this list for some time. > >> > >> > >>>Jacob > >>>_______________________________________________ > >>>openssh-unix-dev at mindrot.org mailing list > >>>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > >>> > >>> > >>> > >>> > >>> > >>> > >>-- > >>David M. Williams, CISSP Phone: 505-665-8062 > >>Systems Engineer, CCN-2 Fax: 505-667-7428 > >>Los Alamos National Laboratory Email: d_wllms at lanl.gov > >> > >> > >> > >> > >> > > > > > > > > > > -- > David M. Williams, CISSP Phone: 505-665-8062 > Systems Engineer, CCN-2 Fax: 505-667-7428 > Los Alamos National Laboratory Email: d_wllms at lanl.gov > > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From mouring at etoh.eviladmin.org Thu Dec 12 13:57:58 2002 
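A check for the configuration mistake being chased in this thread, added here as an example (it is not OpenSSH code and was not posted by anyone in the discussion). The shipped sshd_config says it lists every option commented out at its default value, so a line such as `#UsePrivilegeSeparation no` or `#Compression no` is inert and sshd keeps its compiled-in default. The script below parses the sshd_config line format (one `Keyword value` pair per line, `#` comments, keywords matched case-insensitively, first occurrence of a keyword wins) and reports which directives are actually active and which exist only as a commented default. The two config excerpts are constructed from the file posted above; `POSTED_CONFIG`, `FIXED_CONFIG`, the function names and the treatment of `=` as an extra separator are this example's own.

```python
"""Report which sshd_config directives are actually in force.

Added example for this thread; it is not OpenSSH code and was not posted
by anyone in the discussion.  The sample configs and all names are this
example's own.
"""
import re

# Constructed excerpt of the sshd_config posted in the thread.  Every
# option is still commented out at its default, so sshd ignores all of
# them and runs with its built-in settings.
POSTED_CONFIG = """\
# $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
#Port 22
#Protocol 2,1
#UsePrivilegeSeparation no
#Compression no
# override default of no subsystems
Subsystem sftp /usr/local/libexec/sftp-server
"""

# The same excerpt with the two directives uncommented, which is what it
# takes for "UsePrivilegeSeparation no" and "Compression no" to apply.
FIXED_CONFIG = (
    POSTED_CONFIG
    .replace("#UsePrivilegeSeparation no", "UsePrivilegeSeparation no")
    .replace("#Compression no", "Compression no")
)

_SEP = re.compile(r"[ \t=]+")   # keyword/value separator (whitespace or '=')


def parse_sshd_config(text):
    """Split a config into (active, commented_defaults).

    active:             {keyword: value} for lines sshd will honour; the
                        first occurrence of a keyword wins, as in sshd.
    commented_defaults: {keyword: value} for "#Keyword value" lines, the
                        convention the shipped file uses to show defaults.
                        sshd ignores these completely.
    Keywords are lower-cased because sshd matches them case-insensitively.
    """
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        target = active
        if line.startswith("#"):
            body = line[1:]
            # "#Keyword value" (no space after '#') is a commented default;
            # "# free text" is an ordinary comment and carries no keyword.
            if not body or not body[0].isalpha():
                continue
            target, line = commented, body
        parts = _SEP.split(line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        target.setdefault(key, value)   # first occurrence wins
    return active, commented


def effective_setting(text, keyword):
    """Value sshd will use for `keyword`, or None if the config never sets
    it on an uncommented line (sshd then falls back to its compiled-in
    default, whatever the comment says)."""
    active, _ = parse_sshd_config(text)
    return active.get(keyword.lower())


def inert_directives(text, keywords):
    """Keywords that appear only as a commented default and are therefore
    not doing anything.  This is the state of the posted file."""
    active, commented = parse_sshd_config(text)
    return [k for k in keywords
            if k.lower() in commented and k.lower() not in active]


if __name__ == "__main__":
    watched = ["UsePrivilegeSeparation", "Compression"]
    for name, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: active={sorted(parse_sshd_config(cfg)[0])} "
              f"inert={inert_directives(cfg, watched)}")
```

Run against the posted excerpt, `inert_directives` names both `UsePrivilegeSeparation` and `Compression`, while `effective_setting` returns `None` for each of them; against the fixed excerpt both come back as `no` and the inert list is empty. After editing the real file, `sshd -t` (present in this release) is the quick syntax check before restarting the daemon.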
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 11 Dec 2002 20:57:58 -0600 (CST) Subject: OpenSSH-3.5p1: sshd fails at run-time In-Reply-To: <54546A7A37A84F4C8E2A11B6C555296102E1E81E@scproexc01.latitude.com> Message-ID: You need to uncomment them for it to take effect. The commented versions show what the defaults are. - Ben On Wed, 11 Dec 2002, Jacob Schroeder wrote: > Dave, > > Again, thanks for the quick reply! > > I made the changes you suggested, and I still get the same thing. Below is > the same output and then I show the /etc/ssh/sshd_config file with > #UsePrivilegeSeparation no and #Compression no. > > Is there some other place where this is getting called? What I mean is are > there any other flags I should set/unset in the sshd_config file? Is there > a build or make option where I can tell it not to use mmap? > > Regarding the build and system info from the config.log file... what exactly > do you want me to include from that, because it is a rather big file. Let > me know and I'll be glad to post it. > > Thanks, > > Jacob > > > > bash-2.02# sshd -ddd -p 1234 > debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper > debug1: sshd version OpenSSH_3.5p1 > debug1: private host key: #0 type 0 RSA1 > debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. > debug1: read PEM private key done: type RSA > debug1: private host key: #1 type 1 RSA > debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. > debug1: read PEM private key done: type DSA > debug1: private host key: #2 type 2 DSA > debug1: Bind to port 1234 on 0.0.0.0. > Server listening on 0.0.0.0 port 1234. > Generating 768 bit RSA key. > RSA key generation complete. > debug1: Server will not fork when running in debugging mode. 
> Connection from 172.20.1.13 port 1196 > debug1: Client protocol version 2.0; client software version OpenSSH_3.5p1 > debug1: match: OpenSSH_3.5p1 pat OpenSSH* > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-1.99-OpenSSH_3.5p1 > mmap(65536): Device doesn't exist > debug1: Calling cleanup 0x1a78c(0x0) > > > bash-2.02# cat /etc/ssh/sshd_config > # $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $ > > # This is the sshd server system-wide configuration file. See > # sshd_config(5) for more information. > > # This sshd was compiled with > PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin > > # The strategy used for options in the default sshd_config shipped with > # OpenSSH is to specify options with their default value where > # possible, but leave them commented. Uncommented options change a > # default value. > > #Port 22 > #Protocol 2,1 > #ListenAddress 0.0.0.0 > #ListenAddress :: > > # HostKey for protocol version 1 > #HostKey /etc/ssh/ssh_host_key > # HostKeys for protocol version 2 > #HostKey /etc/ssh/ssh_host_rsa_key > #HostKey /etc/ssh/ssh_host_dsa_key > > # Lifetime and size of ephemeral version 1 server key > #KeyRegenerationInterval 3600 > #ServerKeyBits 768 > > # Logging > #obsoletes QuietMode and FascistLogging > #SyslogFacility AUTH > #LogLevel INFO > > # Authentication: > > #LoginGraceTime 120 > #PermitRootLogin yes > #StrictModes yes > > #RSAAuthentication yes > #PubkeyAuthentication yes > #AuthorizedKeysFile .ssh/authorized_keys > > # rhosts authentication should not be used > #RhostsAuthentication no > # Don't read the user's ~/.rhosts and ~/.shosts files > #IgnoreRhosts yes > # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts > #RhostsRSAAuthentication no > # similar for protocol version 2 > #HostbasedAuthentication no > # Change to yes if you don't trust ~/.ssh/known_hosts for > # RhostsRSAAuthentication and HostbasedAuthentication > #IgnoreUserKnownHosts no > > # To 
disable tunneled clear text passwords, change to no here! > #PasswordAuthentication yes > #PermitEmptyPasswords no > > # Change to no to disable s/key passwords > #ChallengeResponseAuthentication yes > > # Kerberos options > #KerberosAuthentication no > #KerberosOrLocalPasswd yes > #KerberosTicketCleanup yes > > #AFSTokenPassing no > > # Kerberos TGT Passing only works with the AFS kaserver > #KerberosTgtPassing no > > # Set this to 'yes' to enable PAM keyboard-interactive authentication > # Warning: enabling this may bypass the setting of 'PasswordAuthentication' > #PAMAuthenticationViaKbdInt no > > #X11Forwarding no > #X11DisplayOffset 10 > #X11UseLocalhost yes > #PrintMotd yes > #PrintLastLog yes > #KeepAlive yes > #UseLogin no > #UsePrivilegeSeparation no > #PermitUserEnvironment no > #Compression no > > #MaxStartups 10 > # no default banner path > #Banner /some/path > #VerifyReverseMapping no > > # override default of no subsystems > Subsystem sftp /usr/local/libexec/sftp-server > bash-2.02# > > > > > > >-----Original Message----- 
> >From: David M. Williams [mailto:d_wllms at lanl.gov] > >Sent: Wednesday, December 11, 2002 4:11 PM > >To: Jacob Schroeder > >Cc: 'openssh-unix-dev at mindrot.org' > >Subject: Re: OpenSSH-3.5p1: sshd fails at run-time > > > > > >turn off Compression and PrivSeperation in your sshd_config > >file and try > >again. From what the the threads in June mention it looks like your > >flavor of LynxOS has a broken mmap. > > > >Can you send the build and system info from the config.log > >file created > >in your build directory? It will help to improve the configure tests > >for mmap. > > > >Dave > > > >Jacob Schroeder wrote: > > > >>Dave, > >> > >>Thanks for your quick reply! > >> > >>I did do this build locally. The directory /var/empty is > >there already. > >> > >>I created the /var/run directory just now and tried again, > >here's the latest > >>output... > >> > >>bash-2.02# mkdir /var/run > >>bash-2.02# cd /usr/local/sbin > >>bash-2.02# sshd -ddd -p 1234 > >>debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper > >>debug1: sshd version OpenSSH_3.5p1 > >>debug1: private host key: #0 type 0 RSA1 > >>debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. > >>debug1: read PEM private key done: type RSA > >>debug1: private host key: #1 type 1 RSA > >>debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. > >>debug1: read PEM private key done: type DSA > >>debug1: private host key: #2 type 2 DSA > >>debug1: Bind to port 1234 on 0.0.0.0. > >>Server listening on 0.0.0.0 port 1234. > >>Generating 768 bit RSA key. > >>RSA key generation complete. > >>debug1: Server will not fork when running in debugging mode. 
> >>Connection from 172.20.1.13 port 1186 > >>debug1: Client protocol version 2.0; client software version > >OpenSSH_3.5p1 > >>debug1: match: OpenSSH_3.5p1 pat OpenSSH* > >>debug1: Enabling compatibility mode for protocol 2.0 > >>debug1: Local version string SSH-1.99-OpenSSH_3.5p1 > >>mmap(65536): Device doesn't exist > >>debug1: Calling cleanup 0x1a78c(0x0) > >>bash-2.02# > >> > >>Looks like it's that mmap thing, I did see a few posts > >(arguments) about > >>that function in the archives, but I didn't see a solution > >mentioned. Any > >>ideas? > >> > >>Thanks > >> > >>Jacob > >> > >> > >> > >> > >>>-----Original Message----- 
> >>>From: David M. Williams [mailto:d_wllms at lanl.gov] > >>>Sent: Wednesday, December 11, 2002 3:51 PM > >>>To: Jacob Schroeder > >>>Cc: 'openssh-unix-dev at mindrot.org' > >>>Subject: Re: OpenSSH-3.5p1: sshd fails at run-time > >>> > >>> > >>>Jacob, > >>> It looks like you didn't build this version of OpenSSH > >>>locally. Did > >>>you get it as a tarball? If so, you are missing a few > >>>directories like > >>>/var/run and I would expect /var/empty. Create the two directories, > >>>/var/empty should be 0600, and try to start sshd again. > >>> > >>>Dave > >>> > >>>Jacob Schroeder wrote: > >>> > >>> > >>> > >>>>Here's what I get: > >>>> > >>>>bash-2.02# sshd -ddd -p 1234 > >>>>debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper > >>>>debug1: sshd version OpenSSH_3.5p1 > >>>>debug1: private host key: #0 type 0 RSA1 > >>>>debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. > >>>>debug1: read PEM private key done: type RSA > >>>>debug1: private host key: #1 type 1 RSA > >>>>debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. > >>>>debug1: read PEM private key done: type DSA > >>>>debug1: private host key: #2 type 2 DSA > >>>>debug1: Bind to port 1234 on 0.0.0.0. > >>>>Server listening on 0.0.0.0 port 1234. > >>>>Generating 768 bit RSA key. > >>>>RSA key generation complete. > >>>>debug1: Server will not fork when running in debugging mode. > >>>>Connection from 172.20.1.13 port 1181 > >>>>debug1: Client protocol version 2.0; client software version > >>>> > >>>> > >>>OpenSSH_3.5p1 > >>> > >>> > >>>>debug1: match: OpenSSH_3.5p1 pat OpenSSH* > >>>>debug1: Enabling compatibility mode for protocol 2.0 > >>>>debug1: Local version string SSH-1.99-OpenSSH_3.5p1 > >>>>mkstemp("/var/run/sshd.mm.XXXXXXXX"): File or directory > >doesn't exist > >>>>debug1: Calling cleanup 0x1a78c(0x0) > >>>>bash-2.02# > >>>> > >>>>I have a few questions, first off, what is it that causes the > >>>> > >>>> > >>>following line > >>> > >>> > >>>>and is it serious? 
> >>>>debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. > >>>> > >>>>also, what is this one about (where it ultimately fails): > >>>>mkstemp("/var/run/sshd.mm.XXXXXXXX"): File or directory > >doesn't exist > >>>>I know that I don't have a /var/run directory on LynxOS, so > >>>> > >>>> > >>>what can I do to > >>> > >>> > >>>>fix this? > >>>> > >>>>Just so you know, I am using OpenSSH-3.5p1, with > >>>> > >>>> > >>>OpenSSL-0.9.6h. My OS is > >>> > >>> > >>>>LynxOS 3.1.0a. Thanks in advance, I have already learned a > >>>> > >>>> > >>>lot about SSH > >>>>from just lurking on the archives of this list for some time. > >>> > >>> > >>>>Jacob > >>>>_______________________________________________ > >>>>openssh-unix-dev at mindrot.org mailing list > >>>>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> > >>>-- > >>>David M. Williams, CISSP Phone: 505-665-8062 > >>>Systems Engineer, CCN-2 Fax: 505-667-7428 > >>>Los Alamos National Laboratory Email: d_wllms at lanl.gov > >>> > >>> > >>> > >>> > >>> > >> > >> > >> > >> > > > >-- > >David M. Williams, CISSP Phone: 505-665-8062 > >Systems Engineer, CCN-2 Fax: 505-667-7428 > >Los Alamos National Laboratory Email: d_wllms at lanl.gov > > > > > > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From mouring at etoh.eviladmin.org Thu Dec 12 14:02:11 2002 
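The `mkstemp("/var/run/sshd.mm.XXXXXXXX")` and `mmap(65536): Device doesn't exist` failures in the thread above come from the shared-memory region that a privilege-separated sshd sets up between its monitor and the unprivileged child. The C program below is an added example, not code from the thread or from OpenSSH: it tries the same three strategies, in the order OpenSSH's openbsd-compat xmmap() helper tries them (anonymous shared mapping, then /dev/zero, then a temporary file), and verifies each candidate mapping by writing from a forked child and reading the value back in the parent. The temp-file directory is a parameter (assumption: the caller passes a writable directory; sshd itself uses /var/run), so the probe can be run unprivileged before deciding whether UsePrivilegeSeparation can stay on. Note that ENODEV from mmap() of a regular file means the filesystem does not support file mappings at all, which is what the LynxOS log is reporting.

```c
/* Added example (not from the thread or from OpenSSH): probe the
 * shared-memory strategies a privilege-separated sshd needs, in the
 * order OpenSSH's openbsd-compat xmmap() tries them: anonymous shared
 * mapping, /dev/zero, and finally a temporary file (the
 * "sshd.mm.XXXXXXXX" seen in the log). Each mapping is checked by
 * writing from a forked child and reading the value back in the parent. */
#include <sys/mman.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PROBE_LEN 65536   /* the size sshd asked for in the failing mmap() */
#define SENTINEL  0x5a

/* Return 1 if a write by a child process is visible to the parent through
 * the mapping, 0 otherwise. Fails closed on any fork/wait error. */
int shared_mapping_works(unsigned char *map, size_t len)
{
    if (map == NULL || (void *)map == MAP_FAILED || len == 0)
        return 0;
    map[0] = 0;
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {            /* child: write through the mapping */
        map[0] = SENTINEL;
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return 0;
    return map[0] == SENTINEL; /* parent: did the write come through? */
}

/* Try the strategies in xmmap() order. Returns 0 for an anonymous shared
 * mapping, 1 for /dev/zero, 2 for a temp file under tmpdir, -1 if none
 * works. tmpdir is a parameter (assumption: a writable directory) instead
 * of sshd's hardcoded /var/run so the probe can run unprivileged. */
int probe_shared_mmap(const char *tmpdir, size_t len)
{
    void *p;
    int fd, ok;

#ifdef MAP_ANON
    p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_ANON | MAP_SHARED, -1, 0);
    if (p != MAP_FAILED) {
        ok = shared_mapping_works(p, len);
        munmap(p, len);
        if (ok)
            return 0;
    }
#endif
    fd = open("/dev/zero", O_RDWR);
    if (fd >= 0) {
        p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
        close(fd);
        if (p != MAP_FAILED) {
            ok = shared_mapping_works(p, len);
            munmap(p, len);
            if (ok)
                return 1;
        }
    }
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/sshd.mm.XXXXXXXX", tmpdir);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    fd = mkstemp(path);
    if (fd >= 0) {
        unlink(path);          /* leave no file behind; the fd stays valid */
        ok = 0;
        if (ftruncate(fd, (off_t)len) == 0) {
            p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
            if (p != MAP_FAILED) {
                ok = shared_mapping_works(p, len);
                munmap(p, len);
            }
        }
        close(fd);
        if (ok)
            return 2;
    }
    return -1;
}

int main(void)
{
    static const char *names[] = { "anonymous", "/dev/zero", "temp file" };
    int r = probe_shared_mmap("/tmp", PROBE_LEN);
    if (r < 0) {
        puts("no usable shared mapping: sshd privilege separation will fail here");
        return 1;
    }
    printf("shared mapping via %s works; privsep should be usable\n", names[r]);
    return 0;
}
```

A non-zero exit status is the signal to either fix the platform's mmap (or the configure test for it, as Dave asks above) or to fall back to UsePrivilegeSeparation no, with the understanding that the whole session then runs as root until the user's shell is started.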
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 11 Dec 2002 21:02:11 -0600 (CST) Subject: OpenSSH 3.5p1 and BSM for Solaris In-Reply-To: Message-ID: Last I heard it conflicts with PrivSeperation and no one has bothered to update it. - Ben On Wed, 11 Dec 2002, Jeff Koenig wrote: > I meant to add this link: > http://bugzilla.mindrot.org/show_bug.cgi?id=125 > > Can anyone tell me how to apply this patch? > > Also, has it been modified, or does it work with OpenSSH 3.5p1? > > Can someone help me get BSM working with Solaris8 and OpenSSH 3.5p1? > > Jeff > > >>> "Jeff Koenig" 12/10/02 03:41PM >>> > Can someone help me get BSM working with Solaris 8 and OpenSSH 3.5p1? > > I saw the patch here for OpenSSH 3.4p1, but do not know how to apply it to OpenSSH 3.4p1 nor do I feel comfortable modifying to work with OpenSSH 3.5p1: > openssh-unix-dev at mindrot.org > > Is this patch needed to fix the BSM crontab issue only, or is it required for BSM auditing in general? > > Jeff > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > From bugzilla-daemon at mindrot.org Thu Dec 12 21:23:39 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 12 Dec 2002 21:23:39 +1100 (EST) Subject: [Bug 454] SSH doesn't consider distinguish ports for host-key verification Message-ID: <20021212102339.E42F664514@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=454 ------- Additional Comments From markus at openbsd.org 2002-12-12 21:23 ------- : is used in IPv6 addresses and i like to use a name that does not conflict with hostnames (for hostbased and rhostsrsa authentication), so a @ is suggested. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From jacob.schroeder at latitude.com Fri Dec 13 05:17:07 2002 
From: jacob.schroeder at latitude.com (Jacob Schroeder) Date: Thu, 12 Dec 2002 10:17:07 -0800 Subject: OpenSSH-3.5p1: sshd fails at run-time Message-ID: <54546A7A37A84F4C8E2A11B6C555296102E1E820@scproexc01.latitude.com> Doh! haha, I can't believe I didn't even notice that. Cool, that helped, I am getting a little farther. I disabled the Compression, then I was still having problems where as soon as I would connect, I would get disconnected by the server as I've shown below (***Compression disabled). However, if I disabled just PrivilegeSeparation, then it worked as it should. I'd still like to find a way to enable PrivSep because that sounds important, but I realize LynxOS is quite limited, and the way I see it... any ssh w/o PrivSep is much better than telnet. Thanks a lot for your guys' help. I'll be sending the info from config.log so you guys can see what I've got here. It's down there... quite a few unknowns... I think I'm going to also try Ben Lindstrom's suggestion dealing with HAVE_MMAP in config.h to see if I get the same result (theoretically I should). I have to try to find a way to make the installation simple so I can get this spread across several of our LynxOS machines. Thanks for all your help! I may be emailing the list again here in a bit once I do some more experimenting, thanks a million! Jacob ***Compression disabled debug1: channel 1: new [auth socket] debug1: server_input_channel_req: channel 0 request pty-req reply 1 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req pty-req debug1: Allocating pty.
debug3: mm_request_send entering: type 25 debug3: mm_pty_adebug3: monitor_reald: checking requestl 25 debug3: mm_ansower_pty entering dcebug1: session_new:a init eebug1: sesstion_new: session 0 : waiting for MONITGetting tty modes fOor pty failed: TermRinal device require_d debug3: mm_requeAst_send entering: tNype 26 mm_send_fd:S sendmsg(4): Socket_ operation on non-sPocket debug1: CallTing cleanup 0x12964Y(0x40cda4) session_pty_cleanu p: session 0 releasde /dev/ttyp3 ebug3: mm_request_receive_expect entering: type 26 debug3: mm_request_receive entering mm_receive_fd: recvmsg: Socket operation on non-socket debug1: Calling cleanup 0xf940(0x41b510) debug1: temporarily_use_uid: 1113/11 (e=1113/11) debug1: restore_uid: (unprivileged) debug1: Calling cleanup 0x1f254(0x0) debug1: channel_free: channel 0: server-session, nchannels 2 debug3: channel_free: status: The following connections are open: #0 server-session (t10 r0 i0/0 o0/0 fd -1/-1) debug3: channel_close_fds: channel 0: r -1 w -1 e -1 debug1: channel_free: channel 1: auth socket, nchannels 1 debug3: channel_free: status: The following connections are open: debug3: channel_close_fds: channel 1: r 10 w 10 e -1 debug1: Calling clbash-2.02# eanup 0x1a78c(0x0) ## --------- ## ## Platform. ## ## --------- ## hostname = schmidts uname -m = i386 uname -r = 3.1.0 uname -s = LynxOS uname -v = 071000-F /usr/bin/uname -p = unknown /bin/uname -X = unknown /bin/arch = unknown /usr/bin/arch -k = unknown /usr/convex/getsysinfo = unknown hostinfo = unknown /bin/machine = unknown /usr/bin/oslevel = unknown /bin/universe = unknown PATH: /usr/users/jacob/bin PATH: /usr/local/bin PATH: /lat/bin PATH: /bin PATH: /lat/techbin PATH: . >-----Original Message----- 
>From: David M. Williams [mailto:d_wllms at lanl.gov] >Sent: Wednesday, December 11, 2002 5:09 PM >To: Jacob Schroeder >Cc: 'openssh-unix-dev at mindrot.org' >Subject: Re: OpenSSH-3.5p1: sshd fails at run-time > > >remove the #'s before Compression and UsePrivilegeSeparation. The # >symbol makes the line a comment. > >Dave > From stuge-openssh-unix-dev at cdy.org Fri Dec 13 08:48:30 2002 From: stuge-openssh-unix-dev at cdy.org (Peter Stuge) Date: Thu, 12 Dec 2002 22:48:30 +0100 Subject: Building without perl In-Reply-To: <3DF7E28B.10601@lanl.gov> References: <3DDD157B.7050705@unknown.nu> <3DEC9ED3.8030509@mindrot.org> <20021205091656.GA9983@foo.birdnet.se> <3DEF1D5D.5010701@mindrot.org> <3DEF24BC.1020805@mindrot.org> <3DF7CB7F.7050402@lanl.gov> <20021212004238.GA30452@foo.birdnet.se> <3DF7E28B.10601@lanl.gov> Message-ID: <20021212214830.GA31497@foo.birdnet.se> On Wed, Dec 11, 2002 at 06:12:43PM -0700, David M. Williams wrote: > I am working on the sed stuff right now. It doesn't work on OS X as the > patch was originally submitted but I'm relatively close to having it > working. OS X has a VERY old version of sed. Originally as in the very first patch to Makefile.in, very good that it's being tested! :) Sorry, I misunderstood that. > Thanks for the tip on testing your awk stuff. That will be my next > thing to test. Great, I'm looking forward to the results. //Peter From terry.d.masters at Cummins.com Fri Dec 13 09:39:19 2002
From: terry.d.masters at Cummins.com (terry.d.masters at Cummins.com) Date: Thu, 12 Dec 2002 17:39:19 -0500 Subject: Make error on OS/390 USS Message-ID: Hi, Have you had an opportunity to check out this error? Thanks! Terry Masters ---------------------- Forwarded by Terry D Masters/Contractors/Cummins on 12/12/2002 05:38 PM --------------------------- Terry D Masters 12/03/2002 10:23 AM To: openssh-unix-dev at mindrot.org cc: Subject: Hi, I am trying to "make" openssh (with GNU make) on an OS/390 V2R10 system (Unix System Services) and am getting the following error: /usr/include/nl_types.h: warning: 5 trigraph(s) encountered In file included from ../log.h:18, from bsd-arc4random.c:26: /usr/include/syslog.h: warning: 5 trigraph(s) encountered make.1.: *** .bsd-arc4random.o. Error 1 make: *** .openbsd-compat/libopenbsd-compat.a. Error 2 Any ideas? Configure ran OK.... Terry Masters _____________ This e-mail transmission and any attachments to it are intended solely for the use of the individual or entity to whom it is addressed and may contain confidential and privileged information. If you are not the intended recipient, your use, forwarding, printing, storing, disseminating, distribution, or copying of this communication is prohibited. If you received this communication in error, please notify the sender immediately by replying to this message and delete it from your computer. From stuge-openssh-unix-dev at cdy.org Fri Dec 13 10:58:04 2002 
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge) Date: Fri, 13 Dec 2002 00:58:04 +0100 Subject: Building without perl In-Reply-To: <3DF7F735.5030202@lanl.gov> References: <3DDD157B.7050705@unknown.nu> <3DEC9ED3.8030509@mindrot.org> <20021205091656.GA9983@foo.birdnet.se> <3DEF1D5D.5010701@mindrot.org> <3DEF24BC.1020805@mindrot.org> <3DF7CB7F.7050402@lanl.gov> <20021212004238.GA30452@foo.birdnet.se> <3DF7F735.5030202@lanl.gov> Message-ID: <20021212235804.GB355@foo.birdnet.se> On Wed, Dec 11, 2002 at 07:40:53PM -0700, David M. Williams wrote: > OK, it fails on OX X. Here's what I got. I realized I had access to an OS X system, made some changes to the script and tested there, I sent it to Mr. Williams off list as well and he verified that this version works for him too. It still works on my GNU awk with --posix. Please test further. I'll start using bugzilla RSN. //Peter -------------- next part -------------- #!/usr/bin/awk #v2, tested on GNU awk --posix and MacOS X BEGIN { optlist=0 oldoptlist=0 nospace=0 synopsis=0 reference=0 block=0 ext=0 extopt=0 literal=0 prenl=0 line="" } function wtail() { retval="" while(w0;i--) { add(refauthors[i]) if(i>1) add(", ") } if(nrefauthors>1) add(" and ") add(refauthors[0] ", \\fI" reftitle "\\fP") if(length(refissue)) add(", " refissue) if(length(refdate)) add(", " refdate) if(length(refopt)) add(", " refopt) add(".") reference=0 } else if(reference) { if(match(words[w],"^%A$")) { refauthors[nrefauthors++]=wtail() } if(match(words[w],"^%T$")) { reftitle=wtail() sub("^\"","",reftitle) sub("\"$","",reftitle) } if(match(words[w],"^%N$")) { refissue=wtail() } if(match(words[w],"^%D$")) { refdate=wtail() } if(match(words[w],"^%O$")) { refopt=wtail() } } else if(match(words[w],"^Nm$")) { if(synopsis) { add(".br") prenl++ } n=words[++w] if(!length(name)) name=n if(!length(n)) n=name add("\\fB" n "\\fP") if(!nospace&&match(words[w+1],"^[\\.,]")) nospace=1 } else if(match(words[w],"^Nd$")) { add("\\- " wtail()) } else 
if(match(words[w],"^Fl$")) { add("\\fB\\-" words[++w] "\\fP") if(!nospace&&match(words[w+1],"^[\\.,]")) nospace=1 } else if(match(words[w],"^Ar$")) { add("\\fI") if(w==nwords) add("file ...\\fP") else { add(words[++w] "\\fP") while(match(words[w+1],"^\\|$")) add(OFS words[++w] " \\fI" words[++w] "\\fP") } if(!nospace&&match(words[w+1],"^[\\.,]")) nospace=1 } else if(match(words[w],"^Cm$")) { add("\\fB" words[++w] "\\fP") while(w http://bugzilla.mindrot.org/show_bug.cgi?id=455 Summary: Krb5 ticket forwarding is tryied even if krb5 authentication failed Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: kouril at ics.muni.cz The client should forward krb5 ticket to the server only if krb5 authentication was done. Otherwise the krb5 session keys are not set properly and creating of the credentials to delegate fails. Likewise, the server should accept delegation of krb5 ticket only if the client has authenticated by means of krb5. Current code coredumps (both client and server) without this patch. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Fri Dec 13 20:33:38 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 13 Dec 2002 20:33:38 +1100 (EST) Subject: [Bug 456] New: Krb5 ticket forwarding is tried even if krb5 authentication failed Message-ID: <20021213093338.995556458D@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=456 Summary: Krb5 ticket forwarding is tried even if krb5 authentication failed Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: kouril at ics.muni.cz The client should forward the krb5 ticket to the server only if krb5 authentication was done. Otherwise the krb5 session keys are not set properly and creating the credentials to delegate fails. Likewise, the server should accept delegation of a krb5 ticket only if the client has authenticated by means of krb5. Current code coredumps (both client and server) without this patch. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Fri Dec 13 20:34:53 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 13 Dec 2002 20:34:53 +1100 (EST) Subject: [Bug 456] Krb5 ticket forwarding is tried even if krb5 authentication failed Message-ID: <20021213093453.81316645AF@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=456 ------- Additional Comments From kouril at ics.muni.cz 2002-12-13 20:34 ------- Created an attachment (id=185) --> (http://bugzilla.mindrot.org/attachment.cgi?id=185&action=view) Don't delegate/accept delegated ticket if krb5 authentication hasn't been done ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From rene at klootwijk.org Fri Dec 13 22:45:20 2002
From: rene at klootwijk.org (Rene Klootwijk) Date: Fri, 13 Dec 2002 12:45:20 +0100 Subject: Suggestion: Disable PrivilegeSeparation by default Message-ID: <003e01c2a29d$1d6e7aa0$0301a8c0@RENE> PrivilegeSeparation seems to be a valuable option, however at its current maturity level it is the cause of several problems. Just to name a few: - Incompatible with BSM auditing on Solaris - Incompatible with PAM password aging (for this reason??? the code to handle password expiration has been disabled without ANY notice) - Causes core dumps on HP-UX I think PrivilegeSeparation should be disabled by default, and not enabled by default as is the case right now. Even better is to make the PrivilegeSeparation support configurable at compile time; when you do not want it, it will not be in the binary. As soon as the PrivilegeSeparation code is mature and does not cause all these problems, it can be enabled by default again. Another thing, when features such as PAM password aging are no longer supported in new releases (e.g. because the code has been commented out), there should be a clear warning of this. In my case, disabling the PAM password expiry code resulted in users not being able to change their password and access the system anymore, some weeks after we upgraded from openssh-3.1p1 to openssh-3.4p1. Regards, Rene. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20021213/d86d796f/attachment.html From markus at openbsd.org Fri Dec 13 23:40:04 2002
From: markus at openbsd.org (Markus Friedl) Date: Fri, 13 Dec 2002 13:40:04 +0100 Subject: Suggestion: Disable PrivilegeSeparation by default In-Reply-To: <003e01c2a29d$1d6e7aa0$0301a8c0@RENE> References: <003e01c2a29d$1d6e7aa0$0301a8c0@RENE> Message-ID: <20021213124004.GA25586@folly> On Fri, Dec 13, 2002 at 12:45:20PM +0100, Rene Klootwijk wrote: > - Incompatible with BSM auditing on Solaris openssh has no BSM support. > - Incompatible with PAM password aging (for this reason??? the code to > handle password expiration has been disabled without ANY notice) it's not only related to PrivilegeSeparation > - Causes core dumps on HP-UX do you have patches? From rene at klootwijk.org Fri Dec 13 23:55:37 2002
From: rene at klootwijk.org (Rene Klootwijk) Date: Fri, 13 Dec 2002 13:55:37 +0100 Subject: Suggestion: Disable PrivilegeSeparation by default In-Reply-To: <20021213124004.GA25586@folly> Message-ID: <004a01c2a2a6$eeda9b10$0301a8c0@RENE> > > - Incompatible with BSM auditing on Solaris > > openssh has no BSM support. Taken from Bugzilla Bug 125 description: "Note that if BSM is enabled, the code disables (with a warning) the privilege separation feature. This is because the audit functions must be done as root, which is the parent of the two processes, and the data would not flow back down into the child. At least, I didn't see any easy way to do it (but I didn't look all that hard)." > > > - Incompatible with PAM password aging (for this reason??? > the code to > > handle password expiration has been disabled without ANY notice) > > it's not only related to PrivilegeSeparation What else plays a role? In version 3.1p1 password aging worked perfectly. And what about my other point that these kinds of changes should be noted very clearly with every new release in order to determine if any problems will occur after upgrading. > > > - Causes core dumps on HP-UX > > do you have patches? > No, I do not. I did not have the time to have a look at it. From bugzilla-daemon at mindrot.org Sat Dec 14 00:36:23 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 14 Dec 2002 00:36:23 +1100 (EST) Subject: [Bug 245] SSH can not log out under Solaris 2.6 Message-ID: <20021213133623.73CC86456A@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=245 ------- Additional Comments From dtucker at zip.com.au 2002-12-14 00:36 ------- Did some digging on this. Carson seems to be correct in that the problem is due to missing controlling terminal. I uncommented the setsid() in sshd.c and added some debugging log() calls to sshd, which generated the following: sshd[21690]: main: before setsid sid=21460 sshd[21690]: main: after setsid sid=21690 sshd[21690]: Accepted publickey for dtucker from 192.168.1.1 port 1665 ssh2 sshd[21694]: pty_make_controlling_tty called, ttyfd=7, cttyname=/dev/pts/2 sshd[21694]: pty_make_controlling_tty: file descriptor 7 is tty /dev/pts/2 sshd[21694]: pty_make_controlling_tty: before setsid, ppid=21690, sid=21690 sshd[21694]: pty_make_controlling_tty: after setsid, ppid=21690, sid=21694 sshd[21694]: error: open /dev/tty failed - could not set controlling tty: No such device or address # ps -l -p 21690,21694 F S UID PID PPID C PRI NI ADDR SZ WCHAN TTY TIME CMD c8 S 500 21694 21690 1 44 20 f62bd7a0 618 f66d18fe ? 0:00 bash c8 S 0 21690 21460 1 46 20 f65c17c0 650 f66a6d92 pts/2 0:01 sshd Note that sshd has picked up a controlling terminal. # ps -j -p 21690,21694 PID PGID SID TTY TIME CMD 21694 21694 21694 ? 0:00 bash 21690 21690 21690 pts/2 0:01 sshd So what seems to be happening is: 1) sshd daemon forks process to handle connection 2) sshd child calls setsid and becomes session leader 3) child allocates pty, and aquires new pty as controlling terminal 4) child forks again, calls setsid and attempts to make pty controlling terminal. This fails because the pty is already controlling terminal for another session. 
Looking at a truss -f of sshd for access to that pty shows: # grep /dev/pt /tmp/sshd.trace |grep 21690 21690: open64("/dev/ptmx", O_RDWR|O_NOCTTY) = 6 21690: access("/dev/pts/2", 0) = 0 21690: open64("/dev/pts/2", O_RDWR|O_NOCTTY) = 7 21690: stat64("/dev/pts/2", 0xEFFFF020) = 0 21690: chown("/dev/pts/2", 500, 7) = 0 My guess is that one of the accesses without the O_NOCTTY flag accidently picks up the newly allocated pty as the controlling terminal. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Dec 14 01:26:08 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 14 Dec 2002 01:26:08 +1100 (EST) Subject: [Bug 245] SSH can not log out under Solaris 2.6 Message-ID: <20021213142608.353F16457D@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=245 ------- Additional Comments From dtucker at zip.com.au 2002-12-14 01:26 ------- Update: splitting out the pty ops into a test program shows that pushing the STREAMS modules is what causes the controlling terminal to be acquired, ie sshpty.c:132 if (ioctl(*ttyfd, I_PUSH, "ptem") < 0) error("ioctl I_PUSH ptem: %.100s", strerror(errno)); ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From ume at FreeBSD.org Sat Dec 14 01:37:11 2002 
From: ume at FreeBSD.org (Hajimu UMEMOTO) Date: Fri, 13 Dec 2002 23:37:11 +0900 Subject: sshd doesn't log hostname into utmp correctly [resend] In-Reply-To: <20020820152020.GC28367@scott.crlsca.adelphia.net> References: <20020819211902.GA27268@scott.crlsca.adelphia.net> <20020820142757.GB28367@scott.crlsca.adelphia.net> <20020820152020.GC28367@scott.crlsca.adelphia.net> Message-ID: Hi, >>>>> On Tue, 20 Aug 2002 08:20:20 -0700 >>>>> Kevin Steves said: kevin> On Wed, Aug 21, 2002 at 12:05:45AM +0900, Hajimu UMEMOTO wrote: > Ah yes, FreeBSD has some hack to store utmp entry by calling > realhostname_sa(). Sorry for my lacking of consideration around > FreeBSD hack. > In anyway, it is a potential problem that record_login() copies addr > just sizeof(struct sockaddr) regardless of actual size. Please > consider to fix it by applying my previous patch. kevin> yes i agree, we should add your fix. thanks again. Thank you for merging the patch. However, I realized that unfortunately the merging is incomplete, and 3.5p1 still has the problem. Please apply the attached patch in your next release. Index: sshlogin.c diff -u sshlogin.c.orig sshlogin.c --- sshlogin.c.orig Wed Sep 4 15:45:11 2002 +++ sshlogin.c Fri Dec 13 16:42:17 2002 @@ -70,7 +70,7 @@ struct logininfo *li; li = login_alloc_entry(pid, user, host, ttyname); - login_set_addr(li, addr, sizeof(struct sockaddr)); + login_set_addr(li, addr, addrlen); login_login(li); login_free_entry(li); } Sincerely, -- Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan ume at mahoroba.org ume at bisd.hitachi.co.jp ume@{,jp.}FreeBSD.org http://www.imasy.org/~ume/ From dtucker at zip.com.au Sat Dec 14 01:41:06 2002 
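Review bot: the hunk passes addrlen to login_set_addr() but the three context lines do not show where addrlen comes from; confirm that record_login()'s parameter list, its prototype in sshlogin.h and every caller were updated to pass the real socket length, since the message itself says the earlier merge was incomplete and that is exactly where one of these is likely to have been missed, and a stale or missing parameter either breaks the build or copies the wrong size. The substitution is the right one: sizeof(struct sockaddr) is only 16 bytes, so a struct sockaddr_in6 was being truncated before it reached the utmp record, which is the misrecorded hostname the subject describes. Because the length is now caller-supplied, also check that login_set_addr() clamps the copy to the size of its hostaddr union rather than trusting addrlen.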
From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 14 Dec 2002 01:41:06 +1100 Subject: Suggestion: Disable PrivilegeSeparation by default References: <004a01c2a2a6$eeda9b10$0301a8c0@RENE> Message-ID: <3DF9F182.EBBF4C01@zip.com.au> Rene Klootwijk wrote: > Markus Friedl wrote: > > openssh has no BSM support. > Taken from Bugzilla Bug 125 description: [snip patch description] That comment refers to a proposed patch attached to the bug. It's not part of openssh. [PAM + privsep + password aging problems] > > it's not only related to PrivilegeSeparation > What else plays a role? In version 3.1p1 password aging worked > perfectly. For you maybe (and for me too for that matter) but there seem to be some configurations that don't work. See http://bugzilla.mindrot.org/show_bug.cgi?id=129#c2 "removing root credentials would break the rpc services that use secure rpc on this host! root may use keylogout -f to do this (at your own risk)!" -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From mouring at etoh.eviladmin.org Sat Dec 14 02:14:41 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Fri, 13 Dec 2002 09:14:41 -0600 (CST) Subject: Suggestion: Disable PrivilegeSeparation by default In-Reply-To: <003e01c2a29d$1d6e7aa0$0301a8c0@RENE> Message-ID: On Fri, 13 Dec 2002, Rene Klootwijk wrote: > PrivilegeSeparation seems to be a valuable option, however at its > current maturity level it is the cause of several problems. Just to name > a few: > - Incompatible with BSM auditing on Solaris Never was officially supported. Required 3rd party patch. > - Incompatible with PAM password aging (for this reason??? the code to > handle password expiration has been disabled without ANY notice) Never was complete. It was a partial implementation while a complete one was being written. > - Causes core dumps on HP-UX > Provide us information. That bug report does us zero good... > I think PrivilegeSeparation should be disabled by default, and not > enabled by default as is the case right now. Even better is to make the > PrivilegeSeparation support configurable at compile time, when you do > not want it it will not be in the binary. As soon as the > PrivilegeSeparation code it mature and does not cause all these > problems, it can be enabled by default again. > PrivSep is more mature than any of the above things you are discussing, which were broken. Personally.. I won't advocate turning it off. > Another thing, when features such as PAM password aging are no longer > supported in new releases (e.g. because the code has been commented > out), there should be a clear warning of this. In my case, disabling the > PAM password expiry code, resulted in users not being able to change > their password and access the system anymore, some weeks after we > upgraded from openssh-3.1p1 to openssh-3.4p1. > Never fully worked to start with. It was limited to a few PAM based OSes under the right configuration. Would be more helpful if you were to provide patches to fix this stuff. Instead of whining.
We know our todo list, and that list takes time. - Ben > Regards, > Rene. > From bugzilla-daemon at mindrot.org Sat Dec 14 10:21:15 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 14 Dec 2002 10:21:15 +1100 (EST) Subject: [Bug 245] SSH can not log out under Solaris 2.6 Message-ID: <20021213232115.0845364513@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=245 ------- Additional Comments From dtucker at zip.com.au 2002-12-14 10:21 ------- From bugzilla-daemon at mindrot.org Sat Dec 14 12:11:57 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 14 Dec 2002 12:11:57 +1100 (EST) Subject: [Bug 318] Install failure creating ssh_prng_cmds Message-ID: <20021214011157.09CAD64513@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=318 ------- Additional Comments From roth at feep.net 2002-12-14 12:11 ------- Created an attachment (id=186) --> (http://bugzilla.mindrot.org/attachment.cgi?id=186&action=view) Makefile patch This isn't specific to Solaris; I'm having the same problem under AIX. Yes, I am building in an NFS-mounted directory where root is mapped to nobody. However, this is something that the build system should handle. Please look at the attached patch and let me know what you think. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Dec 14 14:24:45 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 14 Dec 2002 14:24:45 +1100 (EST) Subject: [Bug 245] SSH can not log out under Solaris 2.6 Message-ID: <20021214032445.4E1E964513@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=245 ------- Additional Comments From dtucker at zip.com.au 2002-12-14 14:24 ------- The root cause appears to be an 8-year-old bug in Solaris (Sun bugid 1156877). The bug is marked "fixed" but the testcase fails on my Solaris 8 box (with recommended patches from a few weeks ago). [quote] The open routine of the master-side pty driver (ptm) sends an M_SETOPTS message to the stream head that, among other things, has the SO_ISTTY bit set. This action has the effect of expressing willingness to act as a controlling tty. However, it is nonsensical for the driver to do so, since it supports none of the other tty semantics. [snip] However, opening /dev/ptmx with O_NOCTTY only prevents the problem until the user pushes another module on the stream head. Note that this only happens if the process has no controlling terminal already. [snip] Work Around Open the master-side pty with the O_NOCTTY open flag. This works only if you don't push any streams modules - a rather special case. [/quote] ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Dec 14 15:08:23 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 14 Dec 2002 15:08:23 +1100 (EST) Subject: [Bug 245] SSH can not log out under Solaris 2.6 Message-ID: <20021214040823.097B164513@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=245 ------- Additional Comments From carson at taltos.org 2002-12-14 15:08 ------- A rather obnoxious work-around would be to close the tty in the parent (thus removing it as the controlling terminal for that process). Unfortunately, the child would have to be told somehow that the parent is done closing the tty, and that is annoying to do well. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Dec 14 16:22:40 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 14 Dec 2002 16:22:40 +1100 (EST) Subject: [Bug 245] SSH can not log out under Solaris 2.6 Message-ID: <20021214052240.5186B64513@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=245 ------- Additional Comments From dtucker at zip.com.au 2002-12-14 16:22 ------- Created an attachment (id=187) --> (http://bugzilla.mindrot.org/attachment.cgi?id=187&action=view) Don't call setsid() on Solaris only ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From boliset at cse.iitk.ac.in Tue Dec 17 00:37:45 2002 
From: boliset at cse.iitk.ac.in (Kapileswar Rao .B) Date: Mon, 16 Dec 2002 19:07:45 +0530 (IST) Subject: how to write pam modules for keyboard interactive method Message-ID: Hi, I want to write a pam module for challenge-response based authentication with the keyboard interactive authentication method on both the sshd (server) and ssh (client) side. How should I write the pam modules? What is the general protocol between pam functions and the calling functions? What information does sshd give to the pam module, and how can the pam module send information back to sshd? Are there any already implemented pam modules which work with the keyboard interactive authentication method? If so, please give me pointers to where I can get them. Anticipating quick replies, thanks! kapil From bugzilla-daemon at mindrot.org Tue Dec 17 11:15:01 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 17 Dec 2002 11:15:01 +1100 (EST) Subject: [Bug 457] New: SSHD doesn't start when using invalid port numbers Message-ID: <20021217001501.326B164519@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=457 Summary: SSHD doesn't start when using invalid port numbers Product: Portable OpenSSH Version: 3.5p1 Platform: ix86 OS/Version: Linux Status: NEW Severity: major Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: granularr at 7ucid.com When using invalid port numbers, SSHD doesn't want to start up. Imagine you made a typo and sshd_config lists port=601337 # /usr/sbin/sshd start /etc/ssh/sshd_config line 9: Badly formatted port number. If I start a piece of software, the software must assume that I want to use it. If SSHD encounters an invalid value, it should handle the error (maybe by binding to port 22 and logging the error). It should not just exit - software should be error-tolerant and this isn't. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Dec 17 11:51:08 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 17 Dec 2002 11:51:08 +1100 (EST) Subject: [Bug 457] SSHD doesn't start when using invalid port numbers Message-ID: <20021217005108.BF80864516@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=457 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |INVALID ------- Additional Comments From mouring at eviladmin.org 2002-12-17 11:51 ------- Starting a service when the configuration is incorrect? Mainly when something as important as a port is outright wrong. OpenSSH acts correctly. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From wendyp at cray.com Wed Dec 18 03:24:02 2002 
From: wendyp at cray.com (Wendy Palm) Date: Tue, 17 Dec 2002 10:24:02 -0600 Subject: [Bug 457] New: SSHD doesn't start when using invalid port numbers References: <20021217001501.326B164519@shitei.mindrot.org> Message-ID: <3DFF4FA2.2030904@cray.com> i completely disagree with this. i believe it IS handling the error exactly as it should, by refusing to run. i would rather find the error immediately and fix it than have the software try and guess what i really meant. wendy bugzilla-daemon at mindrot.org wrote: > http://bugzilla.mindrot.org/show_bug.cgi?id=457 > > Summary: SSHD doesn't start when using invalid port numbers > Product: Portable OpenSSH > Version: 3.5p1 > Platform: ix86 > OS/Version: Linux > Status: NEW > Severity: major > Priority: P2 > Component: sshd > AssignedTo: openssh-unix-dev at mindrot.org > ReportedBy: granularr at 7ucid.com > > > When using invalid port numbers, SSHD doesn't want to start up. Imagine you made > a typo and sshd_config lists > > port=601337 > > # /usr/sbin/sshd start > /etc/ssh/sshd_config line 9: Badly formatted port number. > > If I start a piece of software, the software must assume that I want to use it. > If SSHD encounters an invalid value, it should handle the error (maybe by > binding to port 22 and logging the error). It should not just exit - software > should be error-tolerant and this isn't. > > > > ------- You are receiving this mail because: ------- > You are the assignee for the bug, or are watching the assignee. > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > -- wendy palm Cray OS Sustaining Engineering, Cray Inc. wendyp at cray.com, 651-605-9154 From bugzilla-daemon at mindrot.org Wed Dec 18 04:39:22 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 18 Dec 2002 04:39:22 +1100 (EST) Subject: [Bug 452] sftp does not abort when commands given via -b fail Message-ID: <20021217173922.A9AD76451C@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=452 ------- Additional Comments From cjwatson at debian.org 2002-12-18 04:39 ------- This is also Debian bug #173456 (http://bugs.debian.org/173456). ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From darren at dazdaz.org Wed Dec 18 05:25:42 2002 From: darren at dazdaz.org (Darren) Date: Tue, 17 Dec 2002 18:25:42 +0000 Subject: Feature suggestion: Parallel ssh Message-ID: <8027342206.20021217182542@dazdaz.org> Hi, A feature I've been wondering about and I have no idea if it's possible is a parallel secure shell. So a command typed on 1 system (master) can be replicated through 100 sshd's. I realise a script could be used to achieve a similar situation, but it's not quite the same as a realtime scenario. Is this fantasy wishlist or achievable as it'd certainly be very useful? -- Best regards, Darren mailto:darren at dazdaz.org From jmknoble at pobox.com Wed Dec 18 10:10:25 2002 
From: jmknoble at pobox.com (Jim Knoble) Date: Tue, 17 Dec 2002 18:10:25 -0500 Subject: [Bug 457] New: SSHD doesn't start when using invalid port numbers In-Reply-To: <3DFF4FA2.2030904@cray.com> References: <20021217001501.326B164519@shitei.mindrot.org> <3DFF4FA2.2030904@cray.com> Message-ID: <20021217231025.GC19943@crawfish.ais.com> Circa 2002-12-17 10:24:02 -0600 dixit Wendy Palm: : i completely disagree with this. i believe it IS handling the error : exactly as it should, by refusing to run. : : i would rather find the error immediately and fix it than have the : software try and guess what i really meant. Agreed. And you can make sshd even more error-tolerant by editing the configuration file this way: vi sshd_config sshd -t This configuration-checking facility is more than most system-level daemons provide. I think it's quite friendly. :) -- jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/ (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491) "I am non-refutable." --Enik the Altrusian From bugzilla-daemon at mindrot.org Wed Dec 18 20:34:06 2002 
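The fail-closed behaviour defended in the messages above, as an added example that is not part of the thread and not OpenSSH code: a small C validator that applies the rule sshd applies to Port (an integer in 1..65535; anything else is fatal and reported by line number) to a constructed sshd_config text. The tokeniser, the function names and the sample configs are this example's own; sshd's real parser lives in servconf.c and is not reproduced here.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample configs. Line 4 of the first carries the typo from the bug report. */
const char SAMPLE_BAD_CONFIG[]  = "# constructed sample\nPort 22\nListenAddress 0.0.0.0\nport=601337\n";
const char SAMPLE_GOOD_CONFIG[] = "Port 22\nPort 2222\n";

/* Port token -> port number, or -1 on any defect: non-digits, trailing junk,
 * leading blanks or signs, or a value outside 1..65535. Nothing is guessed. */
int parse_port(const char *s)
{
    char *end;
    long v;
    if (s == NULL || *s == '\0' || isspace((unsigned char)*s) || *s == '+' || *s == '-')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 1 || v > 65535)
        return -1;
    return (int)v;
}

/* Split on blanks and '=' (sshd accepts "Port=22" as well as "Port 22").
 * Modifies the buffer in place; returns the token or NULL at end of line. */
static char *next_token(char **cur)
{
    char *p = *cur, *start;
    while (*p != '\0' && strchr(" \t\r\n=", *p) != NULL)
        p++;
    if (*p == '\0') { *cur = p; return NULL; }
    start = p;
    while (*p != '\0' && strchr(" \t\r\n=", *p) == NULL)
        p++;
    if (*p != '\0')
        *p++ = '\0';
    *cur = p;
    return start;
}

/* Keywords in sshd_config are case-insensitive. */
static int keyword_is(const char *tok, const char *kw)
{
    for (; *tok != '\0' && *kw != '\0'; tok++, kw++)
        if (tolower((unsigned char)*tok) != tolower((unsigned char)*kw))
            return 0;
    return *tok == '\0' && *kw == '\0';
}

/* One line: 1 = valid Port line (port stored), 0 = not a Port line,
 * -1 = malformed Port line (missing, extra or invalid argument). */
int check_port_line(const char *line, int *port)
{
    char buf[256], *cur = buf, *key, *val;
    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);
    key = next_token(&cur);
    if (key == NULL || key[0] == '#' || !keyword_is(key, "Port"))
        return 0;
    val = next_token(&cur);
    if (val == NULL || next_token(&cur) != NULL)
        return -1;
    *port = parse_port(val);
    return *port < 0 ? -1 : 1;
}

/* Whole config: returns the number of Port lines accepted, or minus the line
 * number of the first bad one, so the caller refuses to start and names the line. */
int validate_config(const char *config)
{
    int line_no = 0, accepted = 0, port, r;
    const char *p = config;
    char line[256];
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl != NULL ? (size_t)(nl - p) : strlen(p);
        line_no++;
        if (len >= sizeof line)
            return -line_no;
        memcpy(line, p, len);
        line[len] = '\0';
        r = check_port_line(line, &port);
        if (r < 0)
            return -line_no;
        if (r > 0)
            accepted++;
        p = nl != NULL ? nl + 1 : p + len;
    }
    return accepted;
}

int main(void)
{
    int r = validate_config(SAMPLE_BAD_CONFIG);
    if (r < 0)
        printf("sshd_config line %d: Badly formatted port number.\n", -r);
    printf("good config: %d Port line(s) accepted\n", validate_config(SAMPLE_GOOD_CONFIG));
    return r < 0 ? 1 : 0;
}
```

The same shape is what `sshd -t` gives you for free: a non-zero exit and the offending line, before anything binds a socket. Silently binding to 22 instead would hide the typo until the day the intended port mattered.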
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 18 Dec 2002 20:34:06 +1100 (EST) Subject: [Bug 369] Inconsistant exit status from scp Message-ID: <20021218093406.062CE6451A@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=369 emilsa at gcs.co.il changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|FIXED | Summary|Inconsistant exiit status |Inconsistant exit status |from scp |from scp Version|older versions |3.5p1 ------- Additional Comments From emilsa at gcs.co.il 2002-12-18 20:34 ------- Unfortunately this bug still exists in the 3.5p1 and 3.4p1 versions. I've checked it on Sun Solaris 2.6 and HP 11.00 platforms and both have this problem. If the failure is based on the scp function itself, like "file not found", I've got a correct (>0) exit status. If the failure is connection related, like "Connection refused" or "bad hostname", I've got exit status 0. It denies using scp (and ssh in general) in scripts. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Dec 18 22:32:46 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 18 Dec 2002 22:32:46 +1100 (EST) Subject: [Bug 369] Inconsistant exit status from scp Message-ID: <20021218113246.C4CC764514@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=369 binder at arago.de changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |RESOLVED Resolution| |FIXED ------- Additional Comments From binder at arago.de 2002-12-18 22:32 ------- The fix was applied after OpenSSH 3.5 was released, i.e. 3.5 does not yet contain the patch. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From up5a at stud.uni-karlsruhe.de Wed Dec 18 22:46:06 2002 From: up5a at stud.uni-karlsruhe.de (Tobias Ulbricht) Date: Wed, 18 Dec 2002 12:46:06 +0100 (CET) Subject: Problems with the tty's in openssh + AIX In-Reply-To: <3DF6CCFA.A97ECD6A@zip.com.au> Message-ID: > Sorry that should be "oslevel -r". Oops, well, did I now mention? 5100-02 > It looks like the problem identified by Sandor Sklar in bug #124: a zero > length write to the tty results in a zero-length read from it. > > I believe this is a bug in AIX. The attached patch works around it for > me but I don't think this is a correct fix. > > From AIX's man page for read(): > A value of 0 is returned when the end of the file has been reached. (For > information about communication files, see the ioctl and termio files.) > > The read is returning zero for something other than EOF. Should that go into a bug report? Well, I'm new to bug-reporting. How do I do this? Or would anyone file a bug report for me? Cheers, tobias. From bugzilla-daemon at mindrot.org Thu Dec 19 03:13:15 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 19 Dec 2002 03:13:15 +1100 (EST) Subject: [Bug 458] New: sshd crashes with "fatal: mm_malloc: size too big" Message-ID: <20021218161315.96ABE64514@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=458 Summary: sshd crashes with "fatal: mm_malloc: size too big" Product: Portable OpenSSH Version: 3.5p1 Platform: MIPS OS/Version: IRIX Status: NEW Severity: normal Priority: P3 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: us- at gmx.de When I build openssh-3.5p1 on a 32-bit workstation running irix 6.5.18 sshd will crash with the error message "fatal: mm_malloc: size too big" on each login attempt. When I build it on a 64-bit Origin200 with the same OS version it works fine. The problem seems to be the constant ULONG_MAX which is assigned to SIZE_T_MAX in defines.h. I played around with the code and it seems like ULONG_MAX evaluates to -1 even though it is defined as 4294967295U (by the way: what does the U mean?) in /usr/include/limits.h. I worked around this problem by replacing #define SIZE_T_MAX ULONG_MAX with #define SIZE_T_MAX 4294967295 in defines.h before running make. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Thu Dec 19 03:16:31 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 19 Dec 2002 03:16:31 +1100 (EST) Subject: [Bug 458] sshd crashes with "fatal: mm_malloc: size too big" Message-ID: <20021218161631.756FF64546@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=458 ------- Additional Comments From us- at gmx.de 2002-12-19 03:16 ------- Sorry, typo: The irix version is 6.5.17 not 6.5.18 ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From galt at fiberpimp.net Thu Dec 19 04:52:23 2002 
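An added example, not OpenSSH code, showing the integer-conversion trap behind a size guard of the kind the report above hits, and what the U suffix changes. It uses fixed-width types so that a 32-bit size and a wider signed limit behave the same on any host; the limit macro expanding to a signed -1 is an assumption made for illustration, not a statement about what IRIX's limits.h does.

```c
#include <stdint.h>
#include <stdio.h>

#define MM_MINSIZE 128   /* same role as an allocator's minimum chunk size */

/* Correct guard: the limit is unsigned and as wide as the size. */
int size_ok_unsigned(uint32_t size, uint32_t max)
{
    if (size == 0)
        return 0;
    if (size > max - MM_MINSIZE + 1)   /* both operands stay uint32_t */
        return 0;
    return 1;
}

/* Broken guard (assumed scenario): the limit is a signed value wider than
 * the size type, e.g. a macro that expands to -1 in a 64-bit signed type.
 * The usual arithmetic conversions promote size to int64_t, and every size
 * is greater than -128, so every request is reported as "too big". */
int size_ok_signed_limit(uint32_t size, int64_t max)
{
    if (size == 0)
        return 0;
    if (size > max - MM_MINSIZE + 1)   /* size promoted to int64_t here */
        return 0;
    return 1;
}

/* What the U suffix means: 4294967295U is an unsigned constant. When a
 * signed operand meets an unsigned one of the same rank, the signed value
 * is converted to unsigned first, so -1 compares greater than 0U. */
int minus_one_exceeds_unsigned_zero(void)
{
    return -1 > 0U;        /* 1: -1 becomes UINT_MAX before the comparison */
}

/* Casting -1 to a 32-bit unsigned type yields all ones, 4294967295. */
uint32_t all_ones_32(void)
{
    return (uint32_t)-1;
}

int main(void)
{
    printf("unsigned limit, 4096 bytes:   %s\n",
           size_ok_unsigned(4096, UINT32_MAX) ? "ok" : "size too big");
    printf("signed -1 limit, 4096 bytes:  %s\n",
           size_ok_signed_limit(4096, -1) ? "ok" : "size too big");
    printf("-1 > 0U is %d, (uint32_t)-1 is %u\n",
           minus_one_exceeds_unsigned_zero(), (unsigned)all_ones_32());
    return 0;
}
```

The practical rule: a limit used in `size > LIMIT - k` must have an unsigned type no narrower than `size_t`; a build-time `static` assertion on `sizeof` and signedness of the macro catches a bad platform header before it turns into a fatal on every login.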
From: galt at fiberpimp.net (galt at fiberpimp.net) Date: Wed, 18 Dec 2002 12:52:23 -0500 (EST) Subject: patch for openssh3.5p1 - adds logging option Message-ID: <20021218124236.V68179-200000@true.fiberpimp.net> this patch adds a LogFile option to sshd_config. it just logs messages directly to a file instead of stderr or syslog. the largest change is an additional argument to log_init() in log.c for the log file name (and then changes to the rest of the tools to add a NULL arg). galt -------------- next part -------------- diff -urN openssh-3.5p1-orig/log.c openssh-3.5p1/log.c --- openssh-3.5p1-orig/log.c 2002-12-18 10:10:13.000000000 -0500 +++ openssh-3.5p1/log.c 2002-12-18 11:51:24.000000000 -0500 @@ -40,6 +40,7 @@ #include "xmalloc.h" #include +#include static LogLevel log_level = SYSLOG_LEVEL_INFO; static int log_on_stderr = 1; @@ -48,6 +49,8 @@ extern char *__progname; +FILE *logf; + /* textual representation of log-facilities/levels */ static struct { @@ -261,7 +264,8 @@ */ void -log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr) +log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr, +char *logfile) { argv0 = av0; @@ -331,6 +335,16 @@ (int) facility); exit(1); } + if(logfile != NULL) { + logf = fopen(logfile,"a"); + if(logf == NULL) { + fprintf(stderr,"unable to open logfile \"%s\" for" + " writing\n",logfile); + exit(1); + } + } else { + logf = NULL; + } } #define MSGBUFSIZ 1024 @@ -342,6 +356,8 @@ char fmtbuf[MSGBUFSIZ]; char *txt = NULL; int pri = LOG_INFO; + time_t t; + char *tm; if (level > log_level) return; @@ -393,4 +409,11 @@ syslog(pri, "%.500s", msgbuf); closelog(); } + if(logf != NULL) { + time(&t); + tm = ctime(&t); + tm[strlen(tm)-1] = 0; + fprintf(logf,"%s: %s\r\n",tm,msgbuf); + fflush(logf); + } } diff -urN openssh-3.5p1-orig/log.h openssh-3.5p1/log.h --- openssh-3.5p1-orig/log.h 2002-12-18 10:10:13.000000000 -0500 +++ openssh-3.5p1/log.h 2002-12-18 10:38:48.000000000 -0500 
@@ -48,7 +48,7 @@ SYSLOG_LEVEL_NOT_SET = -1 } LogLevel; -void log_init(char *, LogLevel, SyslogFacility, int); +void log_init(char *, LogLevel, SyslogFacility, int, char *); SyslogFacility log_facility_number(char *); LogLevel log_level_number(char *); diff -urN openssh-3.5p1-orig/servconf.c openssh-3.5p1/servconf.c --- openssh-3.5p1-orig/servconf.c 2002-12-18 10:10:13.000000000 -0500 +++ openssh-3.5p1/servconf.c 2002-12-18 10:20:33.000000000 -0500 @@ -64,6 +64,7 @@ options->listen_addrs = NULL; options->num_host_key_files = 0; options->pid_file = NULL; + options->log_file = NULL; options->server_key_bits = -1; options->login_grace_time = -1; options->key_regeneration_time = -1; @@ -302,6 +303,7 @@ sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sUsePrivilegeSeparation, + sLogFile, sDeprecated } ServerOpCodes; @@ -380,6 +382,7 @@ { "authorizedkeysfile", sAuthorizedKeysFile }, { "authorizedkeysfile2", sAuthorizedKeysFile2 }, { "useprivilegeseparation", sUsePrivilegeSeparation}, + { "logfile", sLogFile}, { NULL, sBadOption } }; @@ -909,6 +912,10 @@ intptr = &options->client_alive_count_max; goto parse_int; + case sLogFile: + charptr = &options->log_file; + goto parse_filename; + case sDeprecated: log("%s line %d: Deprecated option %s", filename, linenum, arg); diff -urN openssh-3.5p1-orig/servconf.h openssh-3.5p1/servconf.h --- openssh-3.5p1-orig/servconf.h 2002-12-18 10:10:13.000000000 -0500 +++ openssh-3.5p1/servconf.h 2002-12-18 10:18:01.000000000 -0500 
@@ -42,6 +42,7 @@ char *host_key_files[MAX_HOSTKEYS]; /* Files containing host keys. */ int num_host_key_files; /* Number of files for host keys. */ char *pid_file; /* Where to put our pid */ + char *log_file; int server_key_bits;/* Size of the server key. */ int login_grace_time; /* Disconnect if no auth in this time * (sec). */ diff -urN openssh-3.5p1-orig/session.c openssh-3.5p1/session.c --- openssh-3.5p1-orig/session.c 2002-12-18 10:10:13.000000000 -0500 +++ openssh-3.5p1/session.c 2002-12-18 10:42:37.000000000 -0500 @@ -466,7 +466,7 @@ fatal_remove_all_cleanups(); /* Child. Reinitialize the log since the pid has changed. */ - log_init(__progname, options.log_level, options.log_facility, log_stderr); + log_init(__progname, options.log_level, options.log_facility, log_stderr,NULL); /* * Create a new session and process group since the 4.4BSD @@ -590,7 +590,7 @@ fatal_remove_all_cleanups(); /* Child. Reinitialize the log because the pid has changed. */ - log_init(__progname, options.log_level, options.log_facility, log_stderr); + log_init(__progname, options.log_level, options.log_facility, log_stderr,NULL); /* Close the master side of the pseudo tty. */ close(ptyfd); diff -urN openssh-3.5p1-orig/sftp-server.c openssh-3.5p1/sftp-server.c --- openssh-3.5p1-orig/sftp-server.c 2002-12-18 10:10:13.000000000 -0500 +++ openssh-3.5p1/sftp-server.c 2002-12-18 10:42:50.000000000 -0500 @@ -1021,7 +1021,7 @@ handle_init(); #ifdef DEBUG_SFTP_SERVER - log_init("sftp-server", SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 0); + log_init("sftp-server", SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 0,NULL); #endif in = dup(STDIN_FILENO); diff -urN openssh-3.5p1-orig/sftp.c openssh-3.5p1/sftp.c --- openssh-3.5p1-orig/sftp.c 2002-12-18 10:10:13.000000000 -0500 +++ openssh-3.5p1/sftp.c 2002-12-18 10:43:04.000000000 -0500 
@@ -183,7 +183,7 @@ } } - log_init(argv[0], ll, SYSLOG_FACILITY_USER, 1); + log_init(argv[0], ll, SYSLOG_FACILITY_USER, 1, NULL); if (sftp_direct == NULL) { if (optind == argc || argc > (optind + 2)) diff -urN openssh-3.5p1-orig/ssh-agent.c openssh-3.5p1/ssh-agent.c --- openssh-3.5p1-orig/ssh-agent.c 2002-12-18 10:10:13.000000000 -0500 +++ openssh-3.5p1/ssh-agent.c 2002-12-18 10:43:17.000000000 -0500 @@ -1074,7 +1074,7 @@ * the socket data. The child continues as the authentication agent. */ if (d_flag) { - log_init(__progname, SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 1); + log_init(__progname, SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 1, NULL); format = c_flag ? "setenv %s %s;\n" : "%s=%s; export %s;\n"; printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name, SSH_AUTHSOCKET_ENV_NAME); @@ -1108,7 +1108,7 @@ exit(1); } /* child */ - log_init(__progname, SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_AUTH, 0); + log_init(__progname, SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_AUTH, 0, NULL); if (setsid() == -1) { error("setsid: %s", strerror(errno)); diff -urN openssh-3.5p1-orig/ssh-keyscan.c openssh-3.5p1/ssh-keyscan.c --- openssh-3.5p1-orig/ssh-keyscan.c 2002-12-18 10:10:13.000000000 -0500 +++ openssh-3.5p1/ssh-keyscan.c 2002-12-18 10:43:29.000000000 -0500 @@ -773,7 +773,7 @@ if (optind == argc && !fopt_count) usage(); - log_init("ssh-keyscan", log_level, SYSLOG_FACILITY_USER, 1); + log_init("ssh-keyscan", log_level, SYSLOG_FACILITY_USER, 1, NULL); maxfd = fdlim_get(1); if (maxfd < 0) diff -urN openssh-3.5p1-orig/ssh-keysign.c openssh-3.5p1/ssh-keysign.c --- openssh-3.5p1-orig/ssh-keysign.c 2002-12-18 10:10:13.000000000 -0500 +++ openssh-3.5p1/ssh-keysign.c 2002-12-18 10:43:40.000000000 -0500 
@@ -160,7 +160,7 @@ arc4random_stir(); #ifdef DEBUG_SSH_KEYSIGN - log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0); + log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0, NULL); #endif /* verify that ssh-keysign is enabled by the admin */ diff -urN openssh-3.5p1-orig/ssh-rand-helper.c openssh-3.5p1/ssh-rand-helper.c --- openssh-3.5p1-orig/ssh-rand-helper.c 2002-12-18 10:10:13.000000000 -0500 +++ openssh-3.5p1/ssh-rand-helper.c 2002-12-18 10:44:28.000000000 -0500 @@ -768,7 +768,7 @@ LogLevel ll; __progname = get_progname(argv[0]); - log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); + log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1, NULL); ll = SYSLOG_LEVEL_INFO; debug_level = output_hex = 0; @@ -803,7 +803,7 @@ } } - log_init(argv[0], ll, SYSLOG_FACILITY_USER, 1); + log_init(argv[0], ll, SYSLOG_FACILITY_USER, 1, NULL); #ifdef USE_SEED_FILES prng_read_seedfile(); diff -urN openssh-3.5p1-orig/ssh.c openssh-3.5p1/ssh.c --- openssh-3.5p1-orig/ssh.c 2002-12-18 10:10:13.000000000 -0500 +++ openssh-3.5p1/ssh.c 2002-12-18 10:44:46.000000000 -0500 @@ -569,7 +569,7 @@ * actually goes to stderr. */ log_init(av[0], options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level, - SYSLOG_FACILITY_USER, 1); + SYSLOG_FACILITY_USER, 1, NULL); /* * Read per-user configuration file. Ignore the system wide config @@ -592,7 +592,7 @@ fill_default_options(&options); /* reinit */ - log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1); + log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1, NULL); seed_rng(); diff -urN openssh-3.5p1-orig/sshd.c openssh-3.5p1/sshd.c --- openssh-3.5p1-orig/sshd.c 2002-12-18 10:10:13.000000000 -0500 +++ openssh-3.5p1/sshd.c 2002-12-18 10:51:30.000000000 -0500 
@@ -944,7 +944,7 @@ SYSLOG_LEVEL_INFO : options.log_level, options.log_facility == SYSLOG_FACILITY_NOT_SET ? SYSLOG_FACILITY_AUTH : options.log_facility, - !inetd_flag); + !inetd_flag, options.log_file); #ifdef _UNICOS /* Cray can define user privs drop all prives now! @@ -1079,7 +1079,7 @@ /* Initialize the log (it is reinitialized below in case we forked). */ if (debug_flag && !inetd_flag) log_stderr = 1; - log_init(__progname, options.log_level, options.log_facility, log_stderr); + log_init(__progname, options.log_level, options.log_facility, log_stderr, options.log_file); /* * If not in debugging mode, and not started from inetd, disconnect @@ -1103,7 +1103,7 @@ #endif /* TIOCNOTTY */ } /* Reinitialize the log (because of the fork above). */ - log_init(__progname, options.log_level, options.log_facility, log_stderr); + log_init(__progname, options.log_level, options.log_facility, log_stderr, options.log_file); /* Initialize the random number generator. */ arc4random_stir(); @@ -1352,7 +1352,7 @@ close_listen_socks(); sock_in = newsock; sock_out = newsock; - log_init(__progname, options.log_level, options.log_facility, log_stderr); + log_init(__progname, options.log_level, options.log_facility, log_stderr, options.log_file); break; } } From galt at fiberpimp.net Thu Dec 19 05:10:26 2002 From: galt at fiberpimp.net (galt at fiberpimp.net) Date: Wed, 18 Dec 2002 13:10:26 -0500 (EST) Subject: log patch for openssh 3.5p1 nonstupid mime crap heh Message-ID: <20021218130334.D68335-100000@true.fiberpimp.net> arg, sorry about the stupid mime nonsense. http://www.fiberpimp.net/~galt/files/openssh-3.5p1.log.patch From fcusack at fcusack.com Thu Dec 19 14:58:53 2002 
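Review bot: in the log.c hunk at @@ -331,6 +335,16 @@, the new fopen() in log_init() never closes a previously opened logf, yet log_init() runs repeatedly in the same process (sshd.c hunks at @@ -1079, @@ -1103 and @@ -1352, plus the session.c calls), so the daemon and every connection child leak one descriptor per call; add `if (logf != NULL) fclose(logf);` before the fopen. The stream is also opened with fopen(logfile, "a"), which creates the file with 0666 masked by umask, follows a symlink at that path and leaves the descriptor open across exec; prefer open(logfile, O_WRONLY|O_APPEND|O_CREAT, 0600), then fcntl(fd, F_SETFD, FD_CLOEXEC) and fdopen(fd, "a"). Finally, the exit(1) on open failure also runs in the per-connection child created after accept() (hunk @@ -1352), so a log file that becomes unwritable while the daemon runs refuses every new connection; logging the error and continuing with syslog is the safer failure mode for a daemon.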
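Review bot: in the log.c hunk at @@ -393,4 +409,11 @@, the file branch writes msgbuf without the "%.500s" cap that the syslog branch just above it applies, and ends each record with "\r\n", which is the stderr-to-a-tty convention and leaves a stray CR in every line of a Unix log file; use fprintf(logf, "%s: %.500s\n", tm, msgbuf). ctime() is awkward here as well: the `tm[strlen(tm)-1] = 0;` line exists only to strip its trailing newline and the result differs from syslog's timestamp format; strftime(buf, sizeof buf, "%b %e %H:%M:%S", localtime(&t)) gives the syslog layout without the edit. Since several sshd processes append to one file, the fact that each record is a single fprintf followed by fflush is what keeps records from interleaving, and that deserves a comment so nobody later splits the write.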
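Review bot: the servconf.c hunks add the "logfile" keyword to the option table and parser but nothing documents it: sshd_config.5 and the shipped sshd_config template are not touched by the patch. Add a LogFile entry to the man page that states it is additive (the syslog/stderr branch in do_log() is left in place, so messages go to both destinations) and a commented `#LogFile /var/log/sshd.log` line to the template.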
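Review bot: in the session.c hunks at @@ -466,7 +466,7 @@ and @@ -590,7 +590,7 @@, passing NULL makes log_init() set logf = NULL in the child without calling fclose(), so the FILE the parent opened stays open in the child, and its descriptor is inherited by whatever the child later execs unless something else closes it. Either pass options.log_file so the session child keeps logging to the same file, or have log_init() fclose() the old stream whenever the file is switched off; the second is the safer default because this child is about to drop to the user's privileges and should not carry a root-opened log descriptor it could not reopen itself.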
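Review bot: the log.h hunk changes the public log_init() signature, which is why the patch then has to touch sftp-server.c, sftp.c, ssh-agent.c, ssh-keyscan.c, ssh-keysign.c, ssh-rand-helper.c and ssh.c only to pass NULL. A separate `void log_set_file(const char *);` called once from sshd.c after the config is read would leave every other tool untouched, make the server-only nature of the option visible in the API, and give the close-before-reopen logic a natural home.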
From: fcusack at fcusack.com (Frank Cusack) Date: Wed, 18 Dec 2002 19:58:53 -0800 Subject: how to write pam modules for keyboard interactive method In-Reply-To: ; from boliset@cse.iitk.ac.in on Mon, Dec 16, 2002 at 07:07:45PM +0530 References: Message-ID: <20021218195853.A15039@google.com> On Mon, Dec 16, 2002 at 07:07:45PM +0530, Kapileswar Rao .B wrote: > Hi, > > I want to write pam module for challenge response based authentication > with keyboard interactive authentication method on both sshd (server) and > ssh (client) side. How should I write the pam modules. The same as any other PAM modules. Refer to PAM documentation. > Are there any already implemented pam modules which work with keyboard > interactive authentication method. All currently implemented PAM modules work with keyboard-interactive. /fc From fcusack at fcusack.com Thu Dec 19 15:00:26 2002 From: fcusack at fcusack.com (Frank Cusack) Date: Wed, 18 Dec 2002 20:00:26 -0800 Subject: Feature suggestion: Parallel ssh In-Reply-To: <8027342206.20021217182542@dazdaz.org>; from darren@dazdaz.org on Tue, Dec 17, 2002 at 06:25:42PM +0000 References: <8027342206.20021217182542@dazdaz.org> Message-ID: <20021218200026.B15039@google.com> On Tue, Dec 17, 2002 at 06:25:42PM +0000, Darren wrote: > A feature i've been wondering about and I have no idea if it's possible > is a parallel secure shell. So a command typed on 1 system (master) can > be replicated through 100 sshd's. I realise a script could be used to > achieve a similiar situation, but it's not quite the same as a realtime > scenario. Is this fantasy wishlist or achievable as it'd certainly be > very useful? You can get the same level of "realtime" via a script as you can if done directly in ssh (well almost). Doing it via tools is the far superior method. /fc From stp_slove2 at hotmail.com Thu Dec 19 18:34:24 2002 
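An added example (not OpenSSH or Linux-PAM code) of the conversation protocol the question above asks about: a PAM module never talks to a terminal; it hands prompts to the application through a callback, and the application (sshd, for keyboard-interactive) relays them to the client and returns the answers. The PAM structures and constants are copied from the PAM API so the file builds without libpam; the challenge scheme, the conversation function and the two clients are constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* PAM API constants and structures (values as in Linux-PAM), copied here so
 * this file builds without libpam. */
#define PAM_SUCCESS          0
#define PAM_AUTH_ERR         7
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1   /* ask the user, do not echo the answer */

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int num_msg, const struct pam_message **msg,
                struct pam_response **resp, void *appdata_ptr);
    void *appdata_ptr;
};

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d != NULL) memcpy(d, s, n);
    return d;
}

static void reverse_into(char *dst, const char *src)
{
    size_t n = strlen(src), i;
    for (i = 0; i < n; i++) dst[i] = src[n - 1 - i];
    dst[n] = '\0';
}

/* ---- module side: what pam_sm_authenticate() in a module does ---- */

/* Constructed challenge: reply with the nonce's digits reversed. A real module
 * would derive the expected answer from a token seed or an OTP counter. */
static const char NONCE[] = "3141";

int module_authenticate(const struct pam_conv *pc)
{
    char prompt[64], expected[sizeof NONCE];
    struct pam_message m = { PAM_PROMPT_ECHO_OFF, prompt };
    const struct pam_message *mp = &m;
    struct pam_response *r = NULL;
    int rc;

    snprintf(prompt, sizeof prompt, "Challenge %s, reply with the digits reversed: ", NONCE);
    /* The prompt goes out through the application's callback and the answer
     * comes back the same way; the module owns nothing about the transport. */
    rc = pc->conv(1, &mp, &r, pc->appdata_ptr);
    if (rc != PAM_SUCCESS || r == NULL)
        return PAM_CONV_ERR;
    if (r[0].resp == NULL) { free(r); return PAM_CONV_ERR; }

    reverse_into(expected, NONCE);
    rc = strcmp(r[0].resp, expected) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
    /* Responses are allocated by the application and freed by the module. */
    memset(r[0].resp, 0, strlen(r[0].resp));
    free(r[0].resp);
    free(r);
    return rc;
}

/* ---- application side: the role sshd plays for keyboard-interactive ---- */

typedef const char *(*client_fn)(const char *prompt);  /* stand-in for the remote client */
struct app_ctx { client_fn client; };

/* Conversation function: forward each prompt to the client and hand the
 * answers back in a malloc'd pam_response array, one entry per message. */
static int sshd_like_conv(int num_msg, const struct pam_message **msg,
                          struct pam_response **resp, void *appdata_ptr)
{
    struct app_ctx *ctx = appdata_ptr;
    struct pam_response *out;
    int i;

    if (num_msg <= 0 || (out = calloc((size_t)num_msg, sizeof *out)) == NULL)
        return PAM_CONV_ERR;
    for (i = 0; i < num_msg; i++) {
        if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) {
            const char *a = ctx->client(msg[i]->msg);
            out[i].resp = dup_string(a != NULL ? a : "");
        }
        /* PAM_TEXT_INFO / PAM_ERROR_MSG would be displayed; no reply for them */
    }
    *resp = out;
    return PAM_SUCCESS;
}

int run_auth(client_fn client)
{
    struct app_ctx ctx = { client };
    struct pam_conv pc = { sshd_like_conv, &ctx };
    return module_authenticate(&pc);
}

/* Constructed clients: one computes the answer from the prompt, one guesses. */
const char *good_client(const char *prompt)
{
    static char answer[16];
    char digits[16];
    const char *p = strstr(prompt, "Challenge ");
    size_t n = 0;
    if (p == NULL) return NULL;
    for (p += 10; *p >= '0' && *p <= '9' && n < sizeof digits - 1; p++)
        digits[n++] = *p;
    digits[n] = '\0';
    reverse_into(answer, digits);
    return answer;
}

const char *bad_client(const char *prompt) { (void)prompt; return "0000"; }

int main(void)
{
    printf("correct answer -> %d (PAM_SUCCESS is 0)\n", run_auth(good_client));
    printf("wrong answer   -> %d (PAM_AUTH_ERR is 7)\n", run_auth(bad_client));
    return 0;
}
```

This is why every existing PAM module works with keyboard-interactive: the module only ever sees the conversation callback, and sshd's implementation of that callback is what turns PAM_PROMPT_* messages into SSH_MSG_USERAUTH_INFO_REQUEST prompts for the client. Nothing on the client side needs to know PAM exists.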
From: stp_slove2 at hotmail.com (=?ISO-2022-JP?B?GyRCJTklJiUjITwlSCVpJVYbKEIg?=) Date: Thu, 19 Dec 2002 16:34:24 +0900 Subject: =?ISO-2022-JP?B?GyRCTCQ+NUJ6OS05cCIoGyhC?= Message-ID: <20021219.0734240525@stp_slove2-hotmail.com> From Clarkin.Michael at ic.gc.ca Thu Dec 19 23:57:20 2002 
From: Clarkin.Michael at ic.gc.ca (Clarkin.Michael at ic.gc.ca) Date: Thu, 19 Dec 2002 07:57:20 -0500 Subject: OpenUsePrivilegeSeparation on Compaq V5.1A with C2/SIA Security Message-ID: <45C67756F7C0F942AD80AE35546F40C202B5511B@mb-bp-011.ic.gc.ca> I'm using OpenSSH_3.5p1 (server protocol 2.0 ) on a Compaq device V5.1A with C2 Security (SIA) configured. I must set UsePrivilegeSeparation to no to get this working. Does anyone have PrivilegeSeparation working on a Compaq device with C2 Security configured? Source device: ssh user at destination ( produces these errors) sshd: /var/tcb/files/__db_lock.share: Permission denied sshd: /var/tcb/files/__db_lock.share: Permission denied sshd: /var/tcb/files/__db_lock.share: Permission denied sshd: /var/tcb/files/__db_lock.share: Permission denied sshd: /var/tcb/files/__db_lock.share: Permission denied Cannot obtain database information on this terminal Connection to xxx closed. Destination device: auth log produces these errors: Dec 19 06:24:02 compaqC2 sshd[60103]: audgen(LOGIN): Permission denied Dec 19 06:24:02 compaqC2 sshd[60103]: fatal: Couldn't establish session for clarkinm from xxx Mike Clarkin mailto:clarkin.michael at ic.gc.ca Unix Server Support Telecommunications, Network Development & Operations (613)954-2837 From mouring at etoh.eviladmin.org Fri Dec 20 01:02:26 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Thu, 19 Dec 2002 08:02:26 -0600 (CST) Subject: OpenUsePrivilegeSeparation on Compaq V5.1A with C2/SIA Security In-Reply-To: <45C67756F7C0F942AD80AE35546F40C202B5511B@mb-bp-011.ic.gc.ca> Message-ID: No one has successfully show SIA + Privsep in any configuration. - Ben On Thu, 19 Dec 2002 Clarkin.Michael at ic.gc.ca wrote: > I'm using OpenSSH_3.5p1 (server protocol 2.0 ) on a Compaq device V5.1A with > C2 Security (SIA) > configured. > > I must set UsePrivilegeSeparation to no to get this working. > > Does anyone have PrivilegeSeparation working on a Compaq device with C2 > Security configured? > > Source device: > > ssh user at destination ( produces these errors) > > sshd: /var/tcb/files/__db_lock.share: Permission denied > sshd: /var/tcb/files/__db_lock.share: Permission denied > sshd: /var/tcb/files/__db_lock.share: Permission denied > sshd: /var/tcb/files/__db_lock.share: Permission denied > sshd: /var/tcb/files/__db_lock.share: Permission denied > Cannot obtain database information on this terminal > > Connection to xxx closed. > > Destination device: > > auth log produces these errors: > > Dec 19 06:24:02 compaqC2 sshd[60103]: audgen(LOGIN): Permission denied > Dec 19 06:24:02 compaqC2 sshd[60103]: fatal: Couldn't establish session for > clarkinm from xxx > > > Mike Clarkin > mailto:clarkin.michael at ic.gc.ca > Unix Server Support > Telecommunications, Network Development & Operations > (613)954-2837 > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From ajith at noida.hcltech.com Fri Dec 20 23:58:22 2002 
From: ajith at noida.hcltech.com (Ajit Yashwant Vaishampayan, Noida) Date: Fri, 20 Dec 2002 18:28:22 +0530 Subject: Bad packet length problem with "aes128-cbc" and openssh3.1p1 Message-ID: Hi, I am trying to run openssh 3.1p1. But it is giving a "Bad packet length" error when I run sshd with the default config file. On further investigation I found that the error is coming only for the cipher algorithm "aes128-cbc". Also the error comes only when I don't specify any protocol file (/usr/local/etc/ssh_host_[rd]sa_key) or specify only "protocol 2" files. I tried all other cipher algorithms with the "-c" option and it works fine with them. I also changed the sshd config file (/usr/local/etc/sshd_config in my case), and it again worked fine when "aes128-cbc" was not included and failed when it was included in the cipher list. Kindly tell me whether the problem with "aes128-cbc" is a known one or there is a problem with my compilation of openssh and related packages. Regards Ajit From markus at openbsd.org Sat Dec 21 00:24:22 2002 From: markus at openbsd.org (Markus Friedl) Date: Fri, 20 Dec 2002 14:24:22 +0100 Subject: Bad packet length problem with "aes128-cbc" and openssh3.1p1 In-Reply-To: References: Message-ID: <20021220132422.GA2908@folly> when does this happen? what platform? what versions of openssh? are other implementations of ssh involved? does this happen on the client or server? does this happen with newer releases? please provide more details. thx, -m From dtucker at zip.com.au Sat Dec 21 01:09:55 2002 
From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 21 Dec 2002 01:09:55 +1100 Subject: OpenUsePrivilegeSeparation on Compaq V5.1A with C2/SIA Security References: Message-ID: <3E0324B3.C52911D4@zip.com.au> Ben Lindstrom wrote: > No one has successfully show SIA + Privsep in any configuration. Toni Harbaugh-Blackford mentioned earlier that SIA requires root and wants to talk to the user on /dev/tty. I have a newer version of my previous PAM + privsep patch that fixes the controlling tty problem with the earlier patch. I'll post it shortly. The same mechanism might be usable for SIA. Basically it allocates the tty and passes a descriptor to the monitor before the slave makes it the controlling tty. This allows the monitor to fork a child to run do_pam_chauthtok() with the pty as the controlling tty. The chauthtok child then exits and the slave is free to acquire the controlling terminal and continue as normal. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From cmadams at hiwaay.net Sat Dec 21 02:51:40 2002 
From: cmadams at hiwaay.net (Chris Adams) Date: Fri, 20 Dec 2002 09:51:40 -0600 Subject: OpenUsePrivilegeSeparation on Compaq V5.1A with C2/SIA Security In-Reply-To: <3E0324B3.C52911D4@zip.com.au>; from dtucker@zip.com.au on Sat, Dec 21, 2002 at 01:09:55AM +1100 References: <3E0324B3.C52911D4@zip.com.au> Message-ID: <20021220095140.B507368@hiwaay.net> Once upon a time, Darren Tucker said: > Ben Lindstrom wrote: > > No one has successfully show SIA + Privsep in any configuration. > > Toni Harbaugh-Blackford mentioned earlier that SIA requires root and > wants to talk to the user on /dev/tty. > > I have a newer version of my previous PAM + privsep patch that fixes the > controlling tty problem with the earlier patch. I'll post it shortly. > The same mechanism might be usable for SIA. The problem is that SIA doesn't just want root and a TTY, it also wants to be in the user process. It does things like setting resource limits, setting the login user (immutable under enhanced security and IIRC audit modes), and (IIRC) logging stuff for audit (like the process ID). Pre-auth privsep works just fine on Tru64 (so it should be enabled), but post-auth won't work right in many/most cases. -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From dtucker at zip.com.au Sat Dec 21 22:49:31 2002 
From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 21 Dec 2002 22:49:31 +1100 Subject: OpenUsePrivilegeSeparation on Compaq V5.1A with C2/SIA Security References: <3E0324B3.C52911D4@zip.com.au> <20021220095140.B507368@hiwaay.net> Message-ID: <3E04554B.27ED8B2C@zip.com.au> Chris Adams wrote: > The problem is that SIA doesn't just want root and a TTY, it also wants > to be in the user process. It does things like setting resource limits, > setting the login user (immutable under enhanced security and IIRC audit > modes), and (IIRC) logging stuff for audit (like the process ID). Ah, OK. Obviously no amount of futzing around with another process running as root will help in that case. Forget I mentioned it. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Sat Dec 21 23:11:04 2002 
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 21 Dec 2002 23:11:04 +1100
Subject: [PATCH] PAM chauthtok + Privsep
Message-ID: <3E045A58.285069C2@zip.com.au>

Hello All.

Attached is an update to my previous patch to make do_pam_chauthtok and privsep play nicely together.

First, a question: does anybody care about these or the password expiration patches?

Anyway, the "PRIVSEP(do_pam_chauthtok())" has been moved to just after the pty has been allocated but before it's made the controlling tty. This allows the child running chauthtok to acquire a controlling tty so the PAM conversation function works without modification. The child then runs to completion so the slave can acquire its controlling tty and continue as normal.

Description from previous patch:

Attached is a patch that implements password expiry with PAM and privsep. It works by passing a descriptor to the tty to the monitor, which sets up a child with that tty as stdin/stdout/stderr, then runs chauthtok(). No setuid helpers.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

-------------- next part -------------- Index: auth-pam.c =================================================================== RCS file: /cvs/openssh/auth-pam.c,v retrieving revision 1.54 diff -u -r1.54 auth-pam.c --- auth-pam.c 28 Jul 2002 20:24:08 -0000 1.54 +++ auth-pam.c 21 Dec 2002 11:39:05 -0000 @@ -42,8 +42,6 @@ #define NEW_AUTHTOK_MSG \ "Warning: Your password has expired, please change it now." -#define NEW_AUTHTOK_MSG_PRIVSEP \ - "Your password has expired, the session cannot proceed." static int do_pam_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr);
@@ -186,12 +184,15 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +/* HP-UX doesn't like credentials to be deleted. Skip and rely on pam_end() */ +#ifndef __hpux if (__pamh && creds_set) { pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED); if (pam_retval != PAM_SUCCESS) debug("Cannot delete credentials[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +#endif if (__pamh) { pam_retval = pam_end(__pamh, pam_retval); @@ -256,10 +257,8 @@ case PAM_SUCCESS: /* This is what we want */ break; -#if 0 case PAM_NEW_AUTHTOK_REQD: - message_cat(&__pam_msg, use_privsep ? - NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG); + message_cat(&__pam_msg, NEW_AUTHTOK_MSG); /* flag that password change is necessary */ password_change_required = 1; /* disallow other functionality for now */ @@ -267,7 +266,6 @@ no_agent_forwarding_flag |= 2; no_x11_forwarding_flag |= 2; break; -#endif default: log("PAM rejected by account configuration[%d]: " "%.200s", pam_retval, PAM_STRERROR(__pamh, @@ -301,6 +299,18 @@ session_opened = 1; } +/* Set the TTY after session is open */ +void do_pam_set_tty(const char *ttyname) { + int pam_retval; + if (ttyname != NULL) { + debug("PAM setting tty to \"%.200s\"", ttyname); + pam_retval = pam_set_item(__pamh, PAM_TTY, ttyname); + if (pam_retval != PAM_SUCCESS) + fatal("PAM set tty failed[%d]: %.200s", + pam_retval, PAM_STRERROR(__pamh, pam_retval)); + } +} + /* Set PAM credentials */ void do_pam_setcred(int init) { 
@@ -344,17 +354,15 @@ do_pam_set_conv(&conv); if (password_change_required) { - if (use_privsep) - fatal("Password changing is currently unsupported" - " with privilege separation"); pamstate = OTHER; pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK); if (pam_retval != PAM_SUCCESS) fatal("PAM pam_chauthtok failed[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); -#if 0 /* XXX: This would need to be done in the parent process, * but there's currently no way to pass such request. */ + password_change_required = 0; +#if 0 no_port_forwarding_flag &= ~2; no_agent_forwarding_flag &= ~2; no_x11_forwarding_flag &= ~2; Index: auth-pam.h =================================================================== RCS file: /cvs/openssh/auth-pam.h,v retrieving revision 1.16 diff -u -r1.16 auth-pam.h --- auth-pam.h 23 Jul 2002 00:44:07 -0000 1.16 +++ auth-pam.h 21 Dec 2002 11:39:05 -0000 @@ -25,6 +25,8 @@ */ #include "includes.h" +#include "channels.h" +#include "session.h" #ifdef USE_PAM #if !defined(SSHD_PAM_SERVICE) Index: monitor.c =================================================================== RCS file: /cvs/openssh/monitor.c,v retrieving revision 1.33 diff -u -r1.33 monitor.c --- monitor.c 9 Nov 2002 15:47:49 -0000 1.33 +++ monitor.c 21 Dec 2002 11:39:06 -0000 @@ -118,6 +118,7 @@ #ifdef USE_PAM int mm_answer_pam_start(int, Buffer *); +int mm_answer_pam_chauthtok(int, Buffer *); #endif #ifdef KRB4 @@ -183,6 +184,9 @@ {MONITOR_REQ_PTY, 0, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, +#ifdef USE_PAM + {MONITOR_REQ_PAM_CHAUTHTOK, 0, mm_answer_pam_chauthtok}, +#endif {0, 0, NULL} }; @@ -219,6 +223,9 @@ {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, +#ifdef USE_PAM + {MONITOR_REQ_PAM_CHAUTHTOK, 0, mm_answer_pam_chauthtok}, +#endif {0, 0, NULL} }; 
@@ -328,6 +335,7 @@ if (!no_pty_flag) { monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_PAM_CHAUTHTOK, 1); } for (;;) @@ -746,6 +754,56 @@ xfree(user); return (0); +} + +int +mm_answer_pam_chauthtok(int socket, Buffer *m) +{ + pid_t pid; + int ttyfd, status; + mysig_t old_signal; + + old_signal = mysignal(SIGCHLD, SIG_DFL); + + ttyfd = mm_receive_fd(socket); + debug3("%s: ttyfd=%d, ttyname=%s", __func__, ttyfd, ttyname(ttyfd)); + + if ((pid = fork()) == 0) { + /* acquire controlling tty */ + pty_make_controlling_tty(ttyfd, ttyname(ttyfd)); + + /* set up stdin, stdout and stderr */ + if (dup2(ttyfd, 0) < 0) + error("dup2 stdin: %s", strerror(errno)); + if (dup2(ttyfd, 1) < 0) + error("dup2 stdout: %s", strerror(errno)); + if (dup2(ttyfd, 2) < 0) + error("dup2 stderr: %s", strerror(errno)); + + /* close extra descriptors */ + close(socket); + close(ttyfd); + + /* call PAM chauthtok and return status to parent */ + do_pam_chauthtok(); + if(is_pam_password_change_required()) + exit(1); /* failed */ + else + exit(0); /* success */ + } + close(ttyfd); + + if (waitpid(pid, &status, 0) == -1) + fatal("Couldn't wait for child: %s", strerror(errno)); + + if (WEXITSTATUS(status)) + fatal("do_pam_chauthtok() failed, child returned %d", status); + + mysignal(SIGCHLD, old_signal); + + mm_request_send(socket, MONITOR_ANS_PAM_CHAUTHTOK, m); + + return 1; } #endif Index: monitor.h =================================================================== RCS file: /cvs/openssh/monitor.h,v retrieving revision 1.10 diff -u -r1.10 monitor.h --- monitor.h 27 Sep 2002 03:26:02 -0000 1.10 +++ monitor.h 21 Dec 2002 11:39:06 -0000 
@@ -52,6 +52,7 @@ MONITOR_REQ_KRB4, MONITOR_ANS_KRB4, MONITOR_REQ_KRB5, MONITOR_ANS_KRB5, MONITOR_REQ_PAM_START, + MONITOR_REQ_PAM_CHAUTHTOK, MONITOR_ANS_PAM_CHAUTHTOK, MONITOR_REQ_TERM }; Index: monitor_wrap.c =================================================================== RCS file: /cvs/openssh/monitor_wrap.c,v retrieving revision 1.20 diff -u -r1.20 monitor_wrap.c --- monitor_wrap.c 27 Sep 2002 03:26:03 -0000 1.20 +++ monitor_wrap.c 21 Dec 2002 11:39:06 -0000 @@ -663,6 +663,31 @@ buffer_free(&m); } + +/* + * Privsep chauthtok works by passing a descriptor to the session's + * stdin/stdout to the monitor, which then sets up a child with this + * descriptor as stdin, stdout and controlling terminal, then calls + * chauthtok() + * + * This MUST be called before the session has acquired its controlling + * tty or the chauthtok child will not be able to acquire it and + * will fail. + */ + +void +mm_do_pam_chauthtok(void) +{ + int result; + Buffer m; + + buffer_init(&m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_CHAUTHTOK, &m); + mm_send_fd(pmonitor->m_recvfd, STDIN_FILENO); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_CHAUTHTOK, &m); + + buffer_free(&m); +} #endif /* USE_PAM */ /* Request process termination */ Index: monitor_wrap.h =================================================================== RCS file: /cvs/openssh/monitor_wrap.h,v retrieving revision 1.9 diff -u -r1.9 monitor_wrap.h --- monitor_wrap.h 27 Sep 2002 03:26:04 -0000 1.9 +++ monitor_wrap.h 21 Dec 2002 11:39:06 -0000 @@ -57,6 +57,7 @@ #ifdef USE_PAM void mm_start_pam(char *); +void mm_pam_chauthtok(void); #endif void mm_terminate(void); Index: session.c =================================================================== RCS file: /cvs/openssh/session.c,v retrieving revision 1.222 diff -u -r1.222 session.c --- session.c 26 Sep 2002 00:38:50 -0000 1.222 +++ session.c 21 Dec 2002 11:39:07 -0000 
@@ -454,7 +454,6 @@ session_proctitle(s); #if defined(USE_PAM) - do_pam_session(s->pw->pw_name, NULL); do_pam_setcred(1); if (is_pam_password_change_required()) packet_disconnect("Password change required but no " @@ -581,7 +580,7 @@ ttyfd = s->ttyfd; #if defined(USE_PAM) - do_pam_session(s->pw->pw_name, s->tty); + do_pam_set_tty(s->tty); do_pam_setcred(1); #endif @@ -594,9 +593,6 @@ /* Close the master side of the pseudo tty. */ close(ptyfd); - /* Make the pseudo tty our controlling tty. */ - pty_make_controlling_tty(&ttyfd, s->tty); - /* Redirect stdin/stdout/stderr from the pseudo tty. */ if (dup2(ttyfd, 0) < 0) error("dup2 stdin: %s", strerror(errno)); @@ -608,6 +604,24 @@ /* Close the extra descriptor for the pseudo tty. */ close(ttyfd); +#ifdef USE_PAM + /* + * If password change is needed, do it now. + * For privsep, this needs to occur before we acquire a + * controlling tty. + */ + print_pam_messages(); + if (use_privsep && is_pam_password_change_required()) + PRIVSEP(do_pam_chauthtok()); +#endif + /* Make the pseudo tty our controlling tty. */ + pty_make_controlling_tty(&ttyfd, s->tty); + + /* without privsep, chauthtok requires a controlling tty */ + if (!use_privsep) + do_pam_chauthtok(); + + /* record login, etc. similar to login(1) */ #ifndef HAVE_OSF_SIA if (!(options.use_login && command == NULL)) { @@ -746,16 +760,6 @@ options.verify_reverse_mapping), (struct sockaddr *)&from, fromlen); -#ifdef USE_PAM - /* - * If password change is needed, do it now. - * This needs to occur before the ~/.hushlogin check. - */ - if (is_pam_password_change_required()) { - print_pam_messages(); - do_pam_chauthtok(); - } -#endif if (check_quietlogin(s, command)) return; 
@@ -1238,6 +1242,12 @@ * Reestablish them here. */ do_pam_setcred(0); + + /* + * We need to open the session here because PAM on HP-UX does not + * work after the call to permanently_set_uid. + */ + do_pam_session(pw->pw_name,NULL); # endif /* USE_PAM */ # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) irix_setusercontext(pw); From cmadams at hiwaay.net Sun Dec 22 09:42:32 2002 
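Review bot: the `#ifndef __hpux` added around pam_setcred(PAM_DELETE_CRED) in the auth-pam.c @@ -186 hunk is unrelated to chauthtok and privsep and belongs in a separate change; the rest of this patch keys platform behaviour on configure-style defines (USE_PAM, HAVE_OSF_SIA, WITH_IRIX_*), so a detected define would fit the tree better than a compiler macro, and the comment should record which HP-UX PAM behaviour makes deleting credentials fail.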
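Review bot: in the auth-pam.c @@ -344 hunk the `/* XXX: This would need to be done in the parent process ... */` comment now sits above the new `password_change_required = 0;` line instead of the `#if 0` block it describes; move the comment below the `#if 0`. The comment also still holds: under privsep this assignment runs in the monitor's forked child, so the parent's copy of the flag is never cleared (the exit-status check in mm_answer_pam_chauthtok is what actually carries the result back), and the `|= 2` forwarding restrictions set in the @@ -256 hunk are therefore never lifted after a successful password change.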
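Review bot: the auth-pam.h hunk adds `#include "channels.h"` and `#include "session.h"` but no prototype for the new do_pam_set_tty(), which session.c @@ -581 calls; add `void do_pam_set_tty(const char *);` inside the `#ifdef USE_PAM` block. Nothing in the header itself uses the two new includes, so if auth-pam.c needs them they should go into that file rather than into everything that includes auth-pam.h.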
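Review bot: the MONITOR_REQ_PAM_CHAUTHTOK entries added to both dispatch tables in monitor.c (@@ -183 and @@ -219) use flags 0, while the neighbouring MONITOR_REQ_PTY and MONITOR_REQ_PTYCLEANUP entries in the second table are MON_ONCE; a password change happens at most once per session and the handler runs as root and acquires a controlling tty, so mark it `MON_ONCE` in both tables so the slave cannot issue the request repeatedly.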
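Review bot: `monitor_permit(mon_dispatch, MONITOR_REQ_PAM_CHAUTHTOK, 1);` in the monitor.c @@ -328 hunk sits outside `#ifdef USE_PAM`, whereas the table entries it permits are inside one; wrap it the same way so a non-PAM build does not try to permit a request type it has no handler for.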
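Review bot: mm_answer_pam_chauthtok() in the monitor.c @@ -746 hunk does not handle fork() failing: `if ((pid = fork()) == 0)` lets pid == -1 fall through to `waitpid(-1, ...)`, which reaps an arbitrary child and then interprets its status; test for `pid < 0` and fatal(). Three more points in the same function: `pty_make_controlling_tty(ttyfd, ttyname(ttyfd))` passes an int where session.c passes `&ttyfd`, so the argument type does not match the function; the fatal() reports the raw `status` rather than `WEXITSTATUS(status)`, and a child killed by a signal is treated as success because WEXITSTATUS is only meaningful when WIFEXITED is true; and the descriptor received from the slave is used as-is, so the root monitor should confirm (for example by fstat against the pty it handed out in mm_answer_pty) that it really is this session's tty before making it the controlling terminal of a root child that runs the PAM conversation.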
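Review bot: the prototype added in monitor_wrap.h @@ -57 is `void mm_pam_chauthtok(void);` but the function defined in monitor_wrap.c @@ -663 is `mm_do_pam_chauthtok()`, which is also what `PRIVSEP(do_pam_chauthtok())` in session.c expands to; rename the prototype to `void mm_do_pam_chauthtok(void);` so session.c sees a real declaration rather than relying on an implicit one.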
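Review bot: in session.c the @@ -594 hunk removes pty_make_controlling_tty() from before the dup2() calls and the @@ -608 hunk re-adds it after the unchanged `close(ttyfd);`, so the function now receives `&ttyfd` for a descriptor that has already been closed and whatever it does with *ttyfd will fail with EBADF; either hand it a descriptor that is still open (fd 0 after the dup2) or move the close after the call. In the same hunk `if (!use_privsep) do_pam_chauthtok();` is placed after the `#endif`, so it is compiled in non-PAM builds where do_pam_chauthtok() is not declared (auth-pam.h keeps its declarations under `#ifdef USE_PAM`); move it inside the `#ifdef USE_PAM` block.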
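Review bot: the session.c @@ -454 and @@ -581 hunks drop both do_pam_session() calls and the @@ -1238 hunk reopens the session from do_setusercontext() with a NULL tty, leaving do_pam_set_tty() in do_exec_pty as the only place PAM_TTY is set. Nothing in the diff orders those two calls: session modules that read PAM_TTY need pam_set_item(PAM_TTY) before pam_open_session(), and in the privsep post-auth child do_setusercontext() runs before any pty has been allocated, so on that path the session is opened with no tty item; that ordering should be checked, or PAM_TTY set from do_setusercontext once the pty is known. Minor: `do_pam_session(pw->pw_name,NULL);` wants a space after the comma, and the comment should say which HP-UX behaviour after permanently_set_uid() motivated the move.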
From: cmadams at hiwaay.net (Chris Adams) Date: Sat, 21 Dec 2002 16:42:32 -0600 Subject: OpenUsePrivilegeSeparation on Compaq V5.1A with C2/SIA Security In-Reply-To: <3E04554B.27ED8B2C@zip.com.au>; from dtucker@zip.com.au on Sat, Dec 21, 2002 at 10:49:31PM +1100 References: <3E0324B3.C52911D4@zip.com.au> <20021220095140.B507368@hiwaay.net> <3E04554B.27ED8B2C@zip.com.au> Message-ID: <20021221164232.A304045@hiwaay.net> Once upon a time, Darren Tucker said: > Chris Adams wrote: > > The problem is that SIA doesn't just want root and a TTY, it also wants > > to be in the user process. It does things like setting resource limits, > > setting the login user (immutable under enhanced security and IIRC audit > > modes), and (IIRC) logging stuff for audit (like the process ID). > > Ah, OK. Obviously no amount of futzing around with another process > running as root will help in that case. > > Forget I mentioned it. No problem. In theory, it would be possible to recreate the steps that the SIA calls do, but then you are tied to a particular SIA interface. SIA is sort of like PAM, an abstracted interface that loads modules to do the work. There are base (BSD) security, enhanced (C2) security, and audit modules included with the base OS, and LDAP is available as an add on, plus you can program your own. I was going to download the current snapshot to update my SIA minor cleanup patch (disables post-auth privsep for SIA so at least pre-auth privsep works, takes out a couple of unnecessary things, makes everything follow the coding guidelines that I didn't read before submitting), but the latest snapshot on the FTP site is from 1 Nov, and I was prompted for a password from the CVS tree. -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From bryanh at giraffe-data.com Mon Dec 23 11:49:50 2002 
From: bryanh at giraffe-data.com (Bryan Henderson)
Date: Mon, 23 Dec 2002 00:49:50 +0000
Subject: Inheriting environment - sshd server to shell child
Message-ID:

The sshd server normally builds the environment variables from scratch for a shell process it creates. Except when compiled for Cygwin, it simply adds settings to its own set of environment variable settings. A comment in the code says this special case is made because in Cygwin, some of sshd's environment is important for child processes too.

I don't run Cygwin (I run Linux), but on my system too, it is important that environment variable settings get inherited by all the processes. In fact, in normal operation on my system, all the environment variables that sshd inherits are also relevant to every shell it spawns.

Could preserving the environment be an option in sshd.config?

--
Bryan Henderson                                    Phone 408-621-2000
San Jose, California

From mouring at etoh.eviladmin.org Tue Dec 24 01:54:54 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 23 Dec 2002 08:54:54 -0600 (CST)
Subject: Inheriting environment - sshd server to shell child
In-Reply-To:
Message-ID:

I'm not sure why this should be important to you. All critical variables should be in your /etc/profile or your csh/tcsh equiv. Cygwin is an exception to the rule since it is really just a collection of UNIX utils and not a full-fledged OS.

- Ben

On Mon, 23 Dec 2002, Bryan Henderson wrote:

> The sshd server normally builds the environment variables from scratch
> for a shell process it creates. Except when compiled for Cygwin, it
> simply adds settings to its own set of environment variable settings.
> A comment in the code says this special case is made because in
> Cygwin, some of sshd's environment is important for child processes
> too.
>
> I don't run Cygwin (I run Linux), but on my system too, it is
> important that environment variable settings get inherited by all the
> processes. In fact, in normal operation on my system, all the
> environment variables that sshd inherits are also relevant to every
> shell it spawns.
>
> Could preserving the environment be an option in sshd.config?
>
> --
> Bryan Henderson                                    Phone 408-621-2000
> San Jose, California
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From vijay.somaya at orbitech.co.in Tue Dec 24 09:30:52 2002
From: vijay.somaya at orbitech.co.in (vijay.somaya at orbitech.co.in)
Date: Tue, 24 Dec 2002 04:00:52 +0530
Subject: Openssh-3.5, Kerberos 5
Message-ID:

Hello,

Why am I not able to enable kerberos5 in openssh-3.5? Is there any patch (gss-api like) for openssh-3.4? With Openssh-3.4 & gss-api, the same setup is working (kerberos authentication is working).

Plz. reply. Thankx in advance.

Vijay.

From bugzilla-daemon at mindrot.org Wed Dec 25 02:43:23 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 25 Dec 2002 02:43:23 +1100 (EST)
Subject: [Bug 450] sftp crashes when trying to upload a file which doesn't exist
Message-ID: <20021224154323.31F5264515@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=450

------- Additional Comments From trionon at mail.ru 2002-12-25 02:43 -------

> Is this compiled by you? Or are you using ports or FreeBSD in-tree OpenSSH version? I can't find anyone that can mimic this.

I had to upgrade from in-tree OpenSSH to newer OpenSSH. I updated ports using cvsup, compiled ssh from ports and deleted files from the old one using rm. Did I do something wrong?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From yamashita at xsp.udtech.co.jp Wed Dec 25 14:08:16 2002
From: yamashita at xsp.udtech.co.jp (Takaaki Yamashita)
Date: Wed, 25 Dec 2002 12:08:16 +0900
Subject: (no subject)
Message-ID: <20021225120810.1A93.YAMASHITA@xsp.udtech.co.jp>

From ajith at noida.hcltech.com Thu Dec 26 21:50:17 2002
From: ajith at noida.hcltech.com (Ajit Yashwant Vaishampayan, Noida) Date: Thu, 26 Dec 2002 16:20:17 +0530 Subject: Bad packet length problem with "aes128-cbc" and openssh3.1p1 Message-ID: Hi, Here is some information about the problem. > when does this happen? what plattform? When I try to connect to a 64-bit bigendian machine from a 32-bit little endian machine or even from a 64 bit big endian machine using ssh. Server (sshd) is running on SUPER-UX running on SX-6 and client (ssh) is running on P - II with Red Hat 7.1 or vice versa. > what versions of openssh? openssh-3.1p1 on both client and server, compiled and installed locally. > are other implementations of ssh involved? I am having the same ssh, ssl, zlib installed on both client and server. ssl: openssl-0.9.6b zlib: zlib-1.1.4 > does this happen on the client or server? When running in debug mode, the bad packet is recognized at the server side first and then the message is sent to client. The debug output is appended below. Server side: - ---------------------------------------------------------------------- # uname -a SUPER-UX unix 12.2 SX-6 # ./sshd -d -p 12020 -f /usr/local/etc/sshd_config debug1: sshd version OpenSSH_3.1p1 debug1: private host key: #0 type 0 RSA1 debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA debug1: Bind to port 12020 on 0.0.0.0. Server listening on 0.0.0.0 port 12020. Generating 768 bit RSA key. RSA key generation complete. debug1: Server will not fork when running in debugging mode. 
Connection from a.b.c.d port 3814 debug1: Client protocol version 2.0; client software version OpenSSH_3.1p1 debug1: match: OpenSSH_3.1p1 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_3.1p1 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: send2: outgoing packet before cipher_crypt: 0000 01e4 0914 e2a0 5798 041b 6d8a 8a4a 73d1 a66e 9da1 0000 003d 6469 6666 6965 ... debug1: send2: outgoing packet after cipher_crypt: 0000 01e4 0914 e2a0 5798 041b 6d8a 8a4a 73d1 a66e 9da1 0000 003d 6469 6666 6965 ... debug1: SSH2_MSG_KEXINIT sent debug1: poll2: incoming packet before cipher_crypt: 0000 0000 0000 0000 debug1: poll2: incoming packet after cipher_crypt: 0000 01dc 0b14 1296 debug1: SSH2_MSG_KEXINIT received debug1: kex: client->server aes128-cbc hmac-md5 none debug1: kex: server->client aes128-cbc hmac-md5 none debug1: poll2: incoming packet before cipher_crypt: 0000 01dc 0b14 1296 debug1: poll2: incoming packet after cipher_crypt: 0000 0014 0622 0000 debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug1: send2: outgoing packet before cipher_crypt: 0000 01a4 0a1f 0000 018f 669b a3ed 661f 226a 090b e564 4a2b b420 9371 b78f c3e6 ... debug1: send2: outgoing packet after cipher_crypt: 0000 01a4 0a1f 0000 018f 669b a3ed 661f 226a 090b e564 4a2b b420 9371 b78f c3e6 ... debug1: dh_gen_key: priv key bits set: 135/256 debug1: bits set: 1563/3191 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug1: poll2: incoming packet before cipher_crypt: 0000 0014 0622 0000 debug1: poll2: incoming packet after cipher_crypt: 0000 019c 0720 0000 debug1: bits set: 1602/3191 debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug1: send2: outgoing packet before cipher_crypt: 0000 02cc 0b21 0000 0095 0000 0007 7373 682d 7273 6100 0000 0123 0000 0081 00ba ... debug1: send2: outgoing packet after cipher_crypt: 0000 02cc 0b21 0000 0095 0000 0007 7373 682d 7273 6100 0000 0123 0000 0081 00ba ... 
debug1: kex_derive_keys debug1: send2: outgoing packet before cipher_crypt: 0000 000c 0a15 0000 0000 0000 0000 0000 debug1: send2: outgoing packet after cipher_crypt: 0000 000c 0a15 0000 0000 0000 0000 0000 debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: poll2: incoming packet before cipher_crypt: 0000 019c 0720 0000 debug1: poll2: incoming packet after cipher_crypt: 0000 000c 0a15 0000 debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: dispatch_run debug1: poll2: incoming packet before cipher_crypt: 0000 000c 0a15 0000 0000 0000 0000 0000 debug1: poll2: incoming packet after cipher_crypt: a95d 0c23 e308 4167 8849 9458 684e e068 a95d 0c23 e308 4167 8849 9458 684e e068 debug1: send2: outgoing packet before cipher_crypt: 0000 003c 0d01 0000 0002 0000 0021 706f 6c6c 3220 4261 6420 7061 636b 6574 206c 656e 6774 6820 6139 3564 3063 3233 2e00 0000 0028 9ff6 483e 1c57 d8d7 2379 4cb9 debug1: send2: outgoing packet after cipher_crypt: 0000 003c 0d01 0000 0002 0000 0021 706f 6c6c 3220 4261 6420 7061 636b 6574 206c 656e 6774 6820 6139 3564 3063 3233 2e00 0000 0028 9ff6 483e 1c57 d8d7 2379 4cb9 Disconnecting: poll2 Bad packet length a95d0c23. debug1: Calling cleanup 0x4000b3e98(0x0) ----------------------------------------------------------------- Client side: - ---------------------------------------------------------------------- $ uname -a SUPER-UX unix 12.2 SX-6 $ ./ssh -p 12020 -v -v -v -l ajith sx6i OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f debug1: Reading configuration data /usr/local/etc/ssh_config debug3: Seeing PRNG from /usr/local/libexec/ssh-rand-helper debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: restore_uid debug1: ssh_connect: getuid 106 geteuid 106 anon 1 debug1: Connecting to sx6i [a.b.c.d] port 12020. 
debug1: temporarily_use_uid: 106/102 (e=106) debug1: restore_uid debug1: temporarily_use_uid: 106/102 (e=106) debug1: restore_uid debug1: Connection established. debug1: identity file /home/ajith/.ssh/identity type -1 debug1: identity file /home/ajith/.ssh/id_rsa type -1 debug1: identity file /home/ajith/.ssh/id_dsa type -1 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1 debug1: match: OpenSSH_3.1p1 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.1p1 debug1: send2: outgoing packet before cipher_crypt: 0000 01dc 0b14 1296 3983 bf61 f319 7740 bd01 e53e d51a 0000 003d 6469 6666 6965 ... debug1: send2: outgoing packet after cipher_crypt: 0000 01dc 0b14 1296 3983 bf61 f319 7740 bd01 e53e d51a 0000 003d 6469 6666 6965 ... debug1: SSH2_MSG_KEXINIT sent debug1: poll2: incoming packet before cipher_crypt: 0000 0000 0000 0000 debug1: poll2: incoming packet after cipher_crypt: 0000 01e4 0914 e2a0 debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hm ac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hm ac-md5-96 debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: 
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hm ac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hm ac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: send2: outgoing packet before cipher_crypt: 0000 0014 0622 0000 0400 0000 0800 0000 2000 0000 0000 0000 debug1: send2: outgoing packet after cipher_crypt: 0000 0014 0622 0000 0400 0000 0800 0000 2000 0000 0000 0000 debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: poll2: incoming packet before cipher_crypt: 0000 01e4 0914 e2a0 debug1: poll2: incoming packet after cipher_crypt: 0000 01a4 0a1f 0000 debug1: dh_gen_key: priv key bits set: 118/256 debug1: bits set: 1602/3191 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: send2: outgoing packet before cipher_crypt: 0000 019c 0720 0000 018f 5a03 7ac0 e60e c2e0 2186 8ab9 522b c61f 5876 c887 db28 ... debug1: send2: outgoing packet after cipher_crypt: 0000 019c 0720 0000 018f 5a03 7ac0 e60e c2e0 2186 8ab9 522b c61f 5876 c887 db28 ... 
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: poll2: incoming packet before cipher_crypt: 0000 01a4 0a1f 0000 debug1: poll2: incoming packet after cipher_crypt: 0000 02cc 0b21 0000 debug3: check_host_in_hostfile: filename /home/ajith/.ssh/known_hosts debug3: check_host_in_hostfile: match line 2 debug3: check_host_in_hostfile: filename /home/ajith/.ssh/known_hosts debug3: check_host_in_hostfile: match line 2 debug1: Host 'sx6i' is known and matches the RSA host key. debug1: Found key in /home/ajith/.ssh/known_hosts:2 debug1: bits set: 1563/3191 debug1: ssh_rsa_verify: signature correct debug1: kex_derive_keys debug1: send2: outgoing packet before cipher_crypt: 0000 000c 0a15 0000 0000 0000 0000 0000 debug1: send2: outgoing packet after cipher_crypt: 0000 000c 0a15 0000 0000 0000 0000 0000 debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: poll2: incoming packet before cipher_crypt: 0000 02cc 0b21 0000 debug1: poll2: incoming packet after cipher_crypt: 0000 000c 0a15 0000 debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. debug1: send SSH2_MSG_SERVICE_REQUEST debug1: send2: outgoing packet before cipher_crypt: 0000 001c 0a05 0000 000c 7373 682d 7573 6572 6175 7468 af31 35ee ef1a 8e54 496a debug1: send2: outgoing packet after cipher_crypt: 0000 001c 0a05 0000 000c 7373 682d 7573 6572 6175 7468 af31 35ee ef1a 8e54 496a debug1: poll2: incoming packet before cipher_crypt: 0000 000c 0a15 0000 0000 0000 0000 0000 debug1: poll2: incoming packet after cipher_crypt: 0000 003c 0d01 0000 0002 0000 0021 706f Received disconnect from a.b.c.d: 2: poll2 Bad packet length a95d0c23. debug1: Calling cleanup 0x40009a198(0x0) ------------------------------------------------------------- > does this happen with newer releases? I have not tried with any other versions. > please provide more details. > > thx, -m > Thanks & Regards Ajit From stevesk at pobox.com Sat Dec 28 06:28:10 2002 
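An added example, not code from the thread or from OpenSSH, that decodes the plaintext ("before cipher_crypt") packet dumps in the debug output above: it applies the same packet_length bounds check that produces the "Bad packet length" disconnect, and parses the server's SSH_MSG_DISCONNECT and the client's DH GEX request byte for byte. The hex dumps are copied from the logs above; the message numbers and reason codes are the SSH transport protocol's (RFC 4253).

```python
import struct

# Bounds sshd applies to packet_length before trusting it: at least the
# padding_length byte plus four bytes of padding, at most 256 KiB.
PACKET_MIN_SIZE = 1 + 4
PACKET_MAX_SIZE = 256 * 1024

SSH_MSG_DISCONNECT = 1
SSH2_MSG_KEXINIT = 20
SSH2_MSG_KEX_DH_GEX_REQUEST = 34

# Disconnect reason codes (RFC 4253, section 11.1); the server above sent 2.
DISCONNECT_REASONS = {
    1: "HOST_NOT_ALLOWED_TO_CONNECT", 2: "PROTOCOL_ERROR", 3: "KEY_EXCHANGE_FAILED",
    5: "MAC_ERROR", 10: "CONNECTION_LOST", 11: "BY_APPLICATION",
}

# Dumps copied from the debug output above (server side unless noted).
DISCONNECT_DUMP = (
    "0000 003c 0d01 0000 0002 0000 0021 706f 6c6c 3220 4261 6420 7061 636b "
    "6574 206c 656e 6774 6820 6139 3564 3063 3233 2e00 0000 0028 9ff6 483e "
    "1c57 d8d7 2379 4cb9")
GEX_REQUEST_DUMP = "0000 0014 0622 0000 0400 0000 0800 0000 2000 0000 0000 0000"  # client
KEXINIT_HEAD = "0000 01dc 0b14 1296"  # first 8 bytes of the client's truncated KEXINIT
GARBAGE_DUMP = "a95d 0c23 e308 4167 8849 9458 684e e068"  # post-NEWKEYS, after cipher_crypt


class BadPacketLength(ValueError):
    """Raised where sshd calls packet_disconnect("Bad packet length ...")."""


def from_dump(dump):
    """Turn a 'poll2'/'send2' hex dump into bytes."""
    return bytes.fromhex("".join(dump.split()))


def packet_length(data):
    """Read the big-endian uint32 packet_length and bounds-check it.

    After a failed decryption the first block is effectively random, so this
    check is what turns a key or cipher mismatch into a clean disconnect.
    """
    if len(data) < 4:
        raise ValueError("need 4 bytes for packet_length, have %d" % len(data))
    (length,) = struct.unpack(">I", data[:4])
    if length < PACKET_MIN_SIZE or length > PACKET_MAX_SIZE:
        raise BadPacketLength("Bad packet length %08x." % length)
    return length


def parse_packet(data, block_size=8):
    """Split one complete plaintext packet into payload and padding.

    block_size is the cipher block size (8 for 'none' or 3des-cbc, 16 for
    aes128-cbc): the length field plus packet_length bytes must fill whole
    blocks, and there must be at least 4 bytes of padding.
    """
    length = packet_length(data)
    total = 4 + length
    if len(data) < total:
        raise ValueError("truncated: have %d bytes, need %d" % (len(data), total))
    if total % block_size:
        raise ValueError("%d bytes is not a multiple of block size %d" % (total, block_size))
    padding_length = data[4]
    if padding_length < 4 or 1 + padding_length >= length:
        raise ValueError("bad padding_length %d" % padding_length)
    payload = data[5:total - padding_length]
    return {"packet_length": length, "padding_length": padding_length,
            "msg_type": payload[0], "payload": payload,
            "padding": data[total - padding_length:total]}


def _uint32(buf, off):
    return struct.unpack(">I", buf[off:off + 4])[0], off + 4


def _string(buf, off):
    n, off = _uint32(buf, off)
    return buf[off:off + n], off + n


def decode_disconnect(payload):
    """SSH_MSG_DISCONNECT: byte type, uint32 reason, string description, string language."""
    if payload[0] != SSH_MSG_DISCONNECT:
        raise ValueError("not a disconnect message: type %d" % payload[0])
    reason, off = _uint32(payload, 1)
    description, off = _string(payload, off)
    language, off = _string(payload, off)
    return {"reason": reason, "reason_name": DISCONNECT_REASONS.get(reason, "UNKNOWN"),
            "description": description.decode("utf-8", "replace"),
            "language": language.decode("ascii", "replace")}


def decode_gex_request(payload):
    """SSH2_MSG_KEX_DH_GEX_REQUEST: uint32 min, uint32 n, uint32 max group bits."""
    if payload[0] != SSH2_MSG_KEX_DH_GEX_REQUEST:
        raise ValueError("not a GEX request: type %d" % payload[0])
    return struct.unpack(">III", payload[1:13])
```

Running `packet_length` on GARBAGE_DUMP reproduces the exact text the server logged, "Bad packet length a95d0c23.", while the same dump format parsed with block_size=16 yields the disconnect message and its PROTOCOL_ERROR reason.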
From: stevesk at pobox.com (Kevin Steves) Date: Fri, 27 Dec 2002 11:28:10 -0800 Subject: patch for openssh3.5p1 - adds logging option In-Reply-To: <20021218124236.V68179-200000@true.fiberpimp.net> References: <20021218124236.V68179-200000@true.fiberpimp.net> Message-ID: <20021227192810.GA7647@scott.crlsca.adelphia.net> On Wed, Dec 18, 2002 at 12:52:23PM -0500, galt at fiberpimp.net wrote: > this patch adds a LogFile option to sshd_config. it just logs messages > directly to a file instead of stderr or syslog. the largest change > is an additional argument to log_init() in log.c for the log file name > (and then changes to the rest of the tools to add a NULL arg). other than the timestamp, why is sshd -e 2>foo not sufficient? From stevesk at pobox.com Sat Dec 28 06:36:01 2002 From: stevesk at pobox.com (Kevin Steves) Date: Fri, 27 Dec 2002 11:36:01 -0800 Subject: snapshots In-Reply-To: <20021221164232.A304045@hiwaay.net> References: <3E0324B3.C52911D4@zip.com.au> <20021220095140.B507368@hiwaay.net> <3E04554B.27ED8B2C@zip.com.au> <20021221164232.A304045@hiwaay.net> Message-ID: <20021227193601.GB7647@scott.crlsca.adelphia.net> On Sat, Dec 21, 2002 at 04:42:32PM -0600, Chris Adams wrote: > I was going to download the current snapshot to update my SIA minor > cleanup patch (disables post-auth privsep for SIA so at least pre-auth > privsep works, takes out a couple of unnecessary things, makes > everything follow the coding guidelines that I didn't read before > submitting), but the latest snapshot on the FTP site is from 1 Nov, and > I was prompted for a password from the CVS tree. it does seem snaps are broken. damien, can you check this? From stevesk at pobox.com Sat Dec 28 06:55:28 2002 
From: stevesk at pobox.com (Kevin Steves) Date: Fri, 27 Dec 2002 11:55:28 -0800 Subject: Untrusted Cookies In-Reply-To: <3DF6F18B.F38C1C3@bom.gov.au> References: <3DF6F18B.F38C1C3@bom.gov.au> Message-ID: <20021227195528.GC7647@scott.crlsca.adelphia.net> On Wed, Dec 11, 2002 at 08:04:27AM +0000, Aurelio Turco wrote: > How can I get ssh to use > "untrusted" cookies (see xauth(1), X11-SECURITY-Extension) > with forwarded X clients? i'm not sure. for the most part we try to handle what 'xauth l $DISPLAY' has, but we don't use any X libraries. From stevesk at pobox.com Sat Dec 28 07:05:24 2002 From: stevesk at pobox.com (Kevin Steves) Date: Fri, 27 Dec 2002 12:05:24 -0800 Subject: X forwarding on OpenServer In-Reply-To: <741C3B0BAF7B1F4F8FCC50AC4766CBF0037F56@phoenix.ossconnexn.com> References: <741C3B0BAF7B1F4F8FCC50AC4766CBF0037F56@phoenix.ossconnexn.com> Message-ID: <20021227200524.GD7647@scott.crlsca.adelphia.net> On Tue, Dec 10, 2002 at 11:44:57AM -0700, Greg Jewell wrote: > >> Error: Can't open display localhost:10.0 > > > >For OpenServer you need to have X11UseLocalhost no in sshd_config. > > Bingo. Thank you! i think in general, any platform with X11 References: <20021217001501.326B164519@shitei.mindrot.org> <3DFF4FA2.2030904@cray.com> Message-ID: <20021227202154.GE7647@scott.crlsca.adelphia.net> On Tue, Dec 17, 2002 at 10:24:02AM -0600, Wendy Palm wrote: > i would rather find the error immediately and fix it than have the software > try and > guess what i really meant. and there's 'sshd -t' to help with this: -t Test mode. Only check the validity of the configura- tion file and sanity of the keys. This is useful for updating sshd reliably as configuration options may change. From stevesk at pobox.com Sat Dec 28 07:32:33 2002 
From: stevesk at pobox.com (Kevin Steves) Date: Fri, 27 Dec 2002 12:32:33 -0800 Subject: sshd doesn't log hostname into utmp correctly [resend] In-Reply-To: References: <20020819211902.GA27268@scott.crlsca.adelphia.net> <20020820142757.GB28367@scott.crlsca.adelphia.net> <20020820152020.GC28367@scott.crlsca.adelphia.net> Message-ID: <20021227203233.GF7647@scott.crlsca.adelphia.net> On Fri, Dec 13, 2002 at 11:37:11PM +0900, Hajimu UMEMOTO wrote: > kevin> yes i agree, we should add your fix. thanks again. > > Thank you for merging the patch. However, I realized that > unfortunately the merging is incomplete, and 3.5p1 still has the > problem. Please apply the attached patch in your next release. > > Index: sshlogin.c > diff -u sshlogin.c.orig sshlogin.c > --- sshlogin.c.orig Wed Sep 4 15:45:11 2002 > +++ sshlogin.c Fri Dec 13 16:42:17 2002 > @@ -70,7 +70,7 @@ > struct logininfo *li; > > li = login_alloc_entry(pid, user, host, ttyname); > - login_set_addr(li, addr, sizeof(struct sockaddr)); > + login_set_addr(li, addr, addrlen); > login_login(li); > login_free_entry(li); > } is that the only missing piece? i thought there was more? record_utmp_only()? - stevesk at cvs.openbsd.org 2002/08/29 15:57:25 [monitor.c session.c sshlogin.c sshlogin.h] pass addrlen with sockaddr *; from Hajimu UMEMOTO NOTE: there are also p-specific parts to this patch. ok markus@ From stevesk at pobox.com Sat Dec 28 07:46:01 2002 
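Review bot: the quoted sshlogin.c hunk is the right fix, but it only helps if `addrlen` really reaches `login_set_addr()`. `sizeof(struct sockaddr)` is 16 bytes while a `struct sockaddr_in6` is 28, so `login_set_addr(li, addr, sizeof(struct sockaddr))` hands loginrec.c a cut-off IPv6 address (family, port, flowinfo and only the first 8 address bytes). Before merging, confirm that `record_login()` in 3.5p1 actually takes an `addrlen` parameter and that its caller in session.c passes the length filled in by `getpeername()`; the 2002/08/29 commit quoted above lists monitor.c, session.c, sshlogin.c and sshlogin.h only, so the portable-only path (`record_utmp_only()`, as asked above) should be checked for a second `sizeof(struct sockaddr)`.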
From: stevesk at pobox.com (Kevin Steves) Date: Fri, 27 Dec 2002 12:46:01 -0800 Subject: 3DES key-length In-Reply-To: <0ccf01c29bc1$892b60b0$66fe10ac@axiowave.com> References: <0ccf01c29bc1$892b60b0$66fe10ac@axiowave.com> Message-ID: <20021227204601.GG7647@scott.crlsca.adelphia.net> On Wed, Dec 04, 2002 at 01:18:20PM -0500, Hari-Isoft wrote: > Hi, > > I would like to know the key-length used for 3DES data encryption in openssh. > I thought that it should be 192 (3 * 64) bits, but the sshd man page states 128 bit key used for 3DES. where in the man pages does it say 128-bit for 3DES? i think you were looking at a statement for AES. From galt at fiberpimp.net Sat Dec 28 07:46:41 2002 From: galt at fiberpimp.net (galt at fiberpimp.net) Date: Fri, 27 Dec 2002 15:46:41 -0500 (EST) Subject: patch for openssh3.5p1 - adds logging option In-Reply-To: <20021227192810.GA7647@scott.crlsca.adelphia.net> Message-ID: <20021227153535.F27831-100000@true.fiberpimp.net> On Fri, 27 Dec 2002, Kevin Steves wrote: > On Wed, Dec 18, 2002 at 12:52:23PM -0500, galt at fiberpimp.net wrote: > > this patch adds a LogFile option to sshd_config. it just logs messages > > directly to a file instead of stderr or syslog. the largest change > > is an additional argument to log_init() in log.c for the log file name > > (and then changes to the rest of the tools to add a NULL arg). > > other than the timestamp, why is sshd -e 2>foo not sufficient? > its more appealing to me to have a config file option than to redirect stderr. From stevesk at pobox.com Sat Dec 28 08:01:37 2002 
From: stevesk at pobox.com (Kevin Steves) Date: Fri, 27 Dec 2002 13:01:37 -0800 Subject: patch to add a PAMServiceName config option In-Reply-To: References: Message-ID: <20021227210137.GI7647@scott.crlsca.adelphia.net> On Thu, Dec 05, 2002 at 11:44:11AM +0000, pod wrote: > I append a patch against openssh-3.5p1.tar.gz which adds a config option > PAMServiceName. The option allows one to specify the PAM service at > runtime in the config file rather than using __progname or having it > hardwired to SSHD_PAM_SERVICE at compile time. I expect this to be useful > if one wants to run multiple instances of sshd using different PAM > configurations. > > With this patch SSHD_PAM_SERVICE is not used in auth-pam.c so I moved the > definition out of auth-pam.h into servconf.h. Effectively > SSHD_PAM_SERVICE now merely supplies the default service name. I'm not > convinced that servconf.h is the correct place for it. we don't need an option for this. use __progname. From stevesk at pobox.com Sat Dec 28 08:08:11 2002 
From: stevesk at pobox.com (Kevin Steves) Date: Fri, 27 Dec 2002 13:08:11 -0800 Subject: Untrusted Cookies In-Reply-To: <20021227195528.GC7647@scott.crlsca.adelphia.net> References: <3DF6F18B.F38C1C3@bom.gov.au> <20021227195528.GC7647@scott.crlsca.adelphia.net> Message-ID: <20021227210811.GJ7647@scott.crlsca.adelphia.net> On Fri, Dec 27, 2002 at 11:55:28AM -0800, Kevin Steves wrote: > On Wed, Dec 11, 2002 at 08:04:27AM +0000, Aurelio Turco wrote: > > How can I get ssh to use > > "untrusted" cookies (see xauth(1), X11-SECURITY-Extension) > > with forwarded X clients? > > i'm not sure. for the most part we try to handle what 'xauth l > $DISPLAY' has, but we don't use any X libraries. ssh.com has some support for this, but it requires X libs. * ssh2: Applied Roland Mainz's patch for X11 SECURITY extension. If the extension is found, ssh2 informs the Xserver that the client applications should be treated as untrusted by default. If you specify the "+X" command-line option, the X11 clients are treated as trusted, which is essentially the same behaviour as before. An exception; If the SECURITY extension is present but we fail to obtain a new cookie via SECURITY extension X11 forwarding gets disabled. Failing to obtain a cookie via the SECURITY extension is usually a restriction by the Xserver security policy and should be honored by ssh code. If this feature causes you problems, you can disable it by configuring with "--without-x11-security". Additional details are under option "TrustX11Applications" in ssh2_config(5). Note that pre-compiled binaries don't support the SECURITY extension, as it requires the X11 shared libraries. From stevesk at pobox.com Sat Dec 28 08:27:07 2002 
From: stevesk at pobox.com (Kevin Steves) Date: Fri, 27 Dec 2002 13:27:07 -0800 Subject: LOGIN_NEEDS_TERM Message-ID: <20021227212707.GK7647@scott.crlsca.adelphia.net> this became "broken" due to privsep several months ago. is it still needed for some solaris login programs? http://www.eviladmin.org/cgi-bin/cvsweb.cgi/session.c?rev=1.191&content-type=text/x-cvsweb-markup http://www.eviladmin.org/cgi-bin/cvsweb.cgi/session.c.diff?r1=1.190&r2=1.191 From hari at isofttechindia.com Sat Dec 28 09:09:51 2002 From: hari at isofttechindia.com (Hari-Isoft) Date: Fri, 27 Dec 2002 17:09:51 -0500 Subject: 3DES key-length References: <0ccf01c29bc1$892b60b0$66fe10ac@axiowave.com> <20021227204601.GG7647@scott.crlsca.adelphia.net> Message-ID: <019001c2adf4$b007c580$66fe10ac@axiowave.com> From stevesk at pobox.com Sat Dec 28 10:14:00 2002 
From: stevesk at pobox.com (Kevin Steves) Date: Fri, 27 Dec 2002 15:14:00 -0800 Subject: 3DES key-length In-Reply-To: <019001c2adf4$b007c580$66fe10ac@axiowave.com> References: <0ccf01c29bc1$892b60b0$66fe10ac@axiowave.com> <20021227204601.GG7647@scott.crlsca.adelphia.net> <019001c2adf4$b007c580$66fe10ac@axiowave.com> Message-ID: <20021227231400.GL7647@scott.crlsca.adelphia.net> On Fri, Dec 27, 2002 at 05:09:51PM -0500, Hari-Isoft wrote: > >From sshd manpage: > The rest of the session is encrypted using a symmetric cipher, > currently > 128 bit AES, Blowfish, 3DES, CAST128, Arcfour, 192 bit AES, or 256 bit > AES. The client selects the encryption algorithm to use from those of- > fered by the server. Additionally, session integrity is provided > through > a cryptographic message authentication code (hmac-sha1 or hmac-md5). > > is this 128 bit applicable only to AES? > if so, does 3DES use 192 bit keys. i suppose it could be clearer. i think the intention is to only bit-length-qualify ciphers with variable key-lengths. from draft-ietf-secsh-transport-14.txt: The "3des-cbc" cipher is three-key triple-DES (encrypt-decrypt- encrypt), where the first 8 bytes of the key are used for the first encryption, the next 8 bytes for the decryption, and the following 8 bytes for the final encryption. This requires 24 bytes of key data (of which 168 bits are actually used). To implement CBC mode, outer chaining MUST be used (i.e., there is only one initialization vector). This is a block cipher with 8 byte blocks. This algorithm is defined in [SCHNEIER] From stevesk at pobox.com Sat Dec 28 10:39:40 2002 
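The draft excerpt above gives the 3des-cbc key size (24 bytes, of which 168 bits are used) but not where those 24 bytes come from. As an added illustration, not OpenSSH's own code, the Python below implements the key expansion of draft-ietf-secsh-transport section 7.2 (K1 = HASH(K || H || X || session_id), Kn = HASH(K || H || K1 || ... || Kn-1), concatenated and truncated) with SHA-1, which is what both diffie-hellman-group-exchange-sha1 and diffie-hellman-group1-sha1 use. EXAMPLE_K, EXAMPLE_H and all function names are this example's own constructed values; the per-cipher key lengths are those of OpenSSH 3.5's cipher table. It shows that a 3des-cbc key is one full SHA-1 output plus 4 bytes of a second round, that aes128-cbc takes just the first 16 bytes of the same first round, and it makes the 168-bit point concrete by forcing DES odd parity and counting the bits the cipher actually consumes.

```python
import hashlib

# Key lengths in bytes per cipher name (OpenSSH 3.5 cipher table).
CIPHER_KEY_LEN = {
    "3des-cbc": 24, "blowfish-cbc": 16, "cast128-cbc": 16, "arcfour": 16,
    "aes128-cbc": 16, "aes192-cbc": 24, "aes256-cbc": 32,
}

# Single-letter labels from the transport draft: A/B IVs, C/D encryption keys,
# E/F integrity keys, each for client->server / server->client.
ENC_LETTER = {"c2s": b"C", "s2c": b"D"}
MAC_LETTER = {"c2s": b"E", "s2c": b"F"}

# Constructed stand-ins for the shared secret K and the exchange hash H (the
# first exchange hash doubles as the session id). Not from any real session.
EXAMPLE_K = int("d1ab0b3e5c7f1c0d0a5e2c4f6e8a9b7c3d5f1e0a2b4c6d8e9f0a1b2c3d4e5f67", 16)
EXAMPLE_H = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f001122334")


def ssh_mpint(k: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint: uint32 length, then the
    shortest big-endian two's complement (a leading 0x00 when the top bit is set)."""
    if k < 0:
        raise ValueError("negative mpint not needed here")
    body = b"" if k == 0 else k.to_bytes(k.bit_length() // 8 + 1, "big")
    return len(body).to_bytes(4, "big") + body


def derive_key(K: int, H: bytes, session_id: bytes, letter: bytes, need: int) -> bytes:
    """Key expansion of draft-ietf-secsh-transport 7.2 with SHA-1 as HASH:
    K1 = HASH(K || H || letter || session_id), K2 = HASH(K || H || K1), ...
    The result is K1 || K2 || ... truncated to `need` bytes."""
    k = ssh_mpint(K)
    out = hashlib.sha1(k + H + letter + session_id).digest()
    while len(out) < need:
        out += hashlib.sha1(k + H + out).digest()
    return out[:need]


def derive_cipher_key(cipher: str, K: int, H: bytes, session_id: bytes, direction: str = "c2s") -> bytes:
    """The encryption key the transport would hand to `cipher` in one direction."""
    return derive_key(K, H, session_id, ENC_LETTER[direction], CIPHER_KEY_LEN[cipher])


def sha1_rounds_needed(cipher: str) -> int:
    """How many SHA-1 outputs the expansion loop must produce for this cipher."""
    return -(-CIPHER_KEY_LEN[cipher] // 20)


def des_set_odd_parity(key: bytes) -> bytes:
    """Force odd parity on every DES key byte. DES ignores the low (parity) bit of
    each byte, so this never changes the effective key; it only exposes which bits
    are key material: 7 of 8 per byte, hence 168 of 192 for three-key 3DES."""
    out = bytearray()
    for b in key:
        seven = b & 0xFE
        out.append(seven | ((bin(seven).count("1") & 1) ^ 1))
    return bytes(out)


def effective_key_bits(des_key: bytes) -> int:
    """Bits of a DES/3DES key that the cipher actually uses (7 per byte)."""
    return len(des_key) * 7


def triple_des_subkeys(key24: bytes):
    """EDE keying as in the draft: bytes 0-7 encrypt, 8-15 decrypt, 16-23 encrypt."""
    if len(key24) != 24:
        raise ValueError("3des-cbc needs exactly 24 bytes of key material")
    return key24[:8], key24[8:16], key24[16:24]


if __name__ == "__main__":
    sid = EXAMPLE_H
    for name in ("aes128-cbc", "3des-cbc", "aes256-cbc"):
        key = derive_cipher_key(name, EXAMPLE_K, EXAMPLE_H, sid)
        print("%-10s %3d-bit key, %d SHA-1 round(s): %s"
              % (name, len(key) * 8, sha1_rounds_needed(name), key.hex()))
    k3 = derive_cipher_key("3des-cbc", EXAMPLE_K, EXAMPLE_H, sid)
    for i, sub in enumerate(triple_des_subkeys(des_set_odd_parity(k3))):
        print("3des subkey %d (parity-adjusted): %s" % (i + 1, sub.hex()))
    print("bits actually used by 3DES:", effective_key_bits(k3))
```

Because every key is a prefix of the same expansion stream for a given letter, the aes128-cbc key is literally the first 16 bytes of the 3des-cbc key for the same direction; the two directions differ only by the letter, which is why a key for "D" is unrelated to the one for "C".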
From: stevesk at pobox.com (Kevin Steves) Date: Fri, 27 Dec 2002 15:39:40 -0800 Subject: [PATCH] PAM chauthtok + Privsep In-Reply-To: <3E045A58.285069C2@zip.com.au> References: <3E045A58.285069C2@zip.com.au> Message-ID: <20021227233940.GA7934@scott.crlsca.adelphia.net> On Sat, Dec 21, 2002 at 11:11:04PM +1100, Darren Tucker wrote: > Attached is an update to my previous patch to make do_pam_chauthtok and > privsep play nicely together. > > First, a question: does anybody care about these or the password > expiration patches? yes, i feel it's the most important issue for portable right now. i'll try to catch up on history and progress. i'd like to get solar involved but i know he is busy also. From stevesk at pobox.com Sat Dec 28 10:48:58 2002 From: stevesk at pobox.com (Kevin Steves) Date: Fri, 27 Dec 2002 15:48:58 -0800 Subject: Problems with the tty's in openssh + AIX In-Reply-To: References: <3DF6CCFA.A97ECD6A@zip.com.au> Message-ID: <20021227234858.GB7934@scott.crlsca.adelphia.net> On Thu, Dec 12, 2002 at 01:13:41AM +0100, Tobias Ulbricht wrote: > Yes. That did it for me as well. > I'll see if my problems with putty and secureCRT will be gone as well. > > My first thoughts were: > it might be related to a tty/terminal thing: > debug1: Ignoring unsupported tty mode opcode 13 (0xd) > debug1: Ignoring unsupported tty mode opcode 18 (0x12) that just means the client sent a tty mode the server doesn't know about. 13 VWERASE Erases a word left of cursor. 18 VDISCARD Toggles the flushing of terminal output. > or it might be related to > debug1: fd 4 setting TCP_NODELAY > since the test program mostly duplicates the FD onto 4 (for whatever > reason). i'm not sure, but i don't think so. From stevesk at pobox.com Sat Dec 28 11:43:49 2002 
From: stevesk at pobox.com (Kevin Steves) Date: Fri, 27 Dec 2002 16:43:49 -0800 Subject: Suggestion: Disable PrivilegeSepartion by default In-Reply-To: <003e01c2a29d$1d6e7aa0$0301a8c0@RENE> References: <003e01c2a29d$1d6e7aa0$0301a8c0@RENE> Message-ID: <20021228004349.GC7934@scott.crlsca.adelphia.net> On Fri, Dec 13, 2002 at 12:45:20PM +0100, Rene Klootwijk wrote: > PrivilegeSeparation seems to be a valuable option, however at its > current maturity level it is the cause of several problems. Just to name > a few: > - Incompatible with BSM auditing on Solaris the Sun BSM patch hasn't been integrated due to lack of review, testing and interest. > - Incompatible with PAM password aging (for this reason??? the code to > handle password expiration has been disabled without ANY notice) it was in the ChangeLog, and was disabled due to issues with kerberos PAM modules. also, this is being worked on. > - Causes core dumps on HP-UX their pam_unix session module needs root in the trusted case. i don't think it was a core dump, just dumb code in that module. if you have HP support escalate to them, because they didn't seem interested in privsep or fixing this at all. > I think PrivilegeSeparation should be disabled by default, and not > enabled by default as is the case right now. Even better is to make the > PrivilegeSeparation support configurable at compile time, when you do > not want it it will not be in the binary. As soon as the > PrivilegeSeparation code is mature and does not cause all these > problems, it can be enabled by default again. > > Another thing, when features such as PAM password aging are no longer > supported in new releases (e.g. because the code has been commented > out), there should be a clear warning of this. In my case, disabling the > PAM password expiry code, resulted in users not being able to change > their password and access the system anymore, some weeks after we > upgraded from openssh-3.1p1 to openssh-3.4p1. 
you have mentioned two vendors that "support" an openssh, please talk to them. From stevesk at pobox.com Sat Dec 28 18:51:45 2002 From: stevesk at pobox.com (Kevin Steves) Date: Fri, 27 Dec 2002 23:51:45 -0800 Subject: patch for openssh3.5p1 - adds logging option In-Reply-To: <20021227153535.F27831-100000@true.fiberpimp.net> References: <20021227192810.GA7647@scott.crlsca.adelphia.net> <20021227153535.F27831-100000@true.fiberpimp.net> Message-ID: <20021228075145.GF464@scott.crlsca.adelphia.net> On Fri, Dec 27, 2002 at 03:46:41PM -0500, galt at fiberpimp.net wrote: > > other than the timestamp, why is sshd -e 2>foo not sufficient? > > its more appealing to me to have a config file option than to redirect > stderr. we try to avoid more options. i don't see a reason to add this. From flavien at lebarbe.net Sun Dec 29 00:32:59 2002 
From: flavien at lebarbe.net (Flavien Lebarbe) Date: Sat, 28 Dec 2002 14:32:59 +0100 Subject: patch to add a PAMServiceName config option In-Reply-To: <20021227210137.GI7647@scott.crlsca.adelphia.net> References: <20021227210137.GI7647@scott.crlsca.adelphia.net> Message-ID: <20021228133259.GA2931@diplo.flavsfarm> > > With this patch SSHD_PAM_SERVICE is not used in auth-pam.c so I > > moved the definition out of auth-pam.h into servconf.h. Effectively > > SSHD_PAM_SERVICE now merely supplies the default service name. I'm > > not convinced that servconf.h is the correct place for it. Kevin Steves wrote : > we don't need an option for this. use __progname. Yes. That's the answer. I posted a similar patch to this list a couple of weeks ago to achieve the same. It's not needed at all. The correct way to change the pamServiceName is to call sshd with a different name, using a link. I use this on a machine and it works like a charm : ln -s sshd /usr/sbin/sshd_remote Then I start sshd_remote -f /etc/ssh/sshd_remote_config (starts on another port than regular sshd), and am able to change /etc/pam.d/sshd_remote independently from /etc/pam.d/sshd. Flavien. -- Linux ext2fs has been stable for a long time, now it's time to break it -- Linuxkongreß '95 in Berlin From pod at herald.ox.ac.uk Sun Dec 29 01:44:17 2002 
From: pod at herald.ox.ac.uk (pod) Date: Sat, 28 Dec 2002 14:44:17 +0000 Subject: patch to add a PAMServiceName config option In-Reply-To: <20021227210137.GI7647@scott.crlsca.adelphia.net> (message from Kevin Steves on Fri, 27 Dec 2002 13:01:37 -0800) References: <20021227210137.GI7647@scott.crlsca.adelphia.net> Message-ID: >>>>> "KS" == Kevin Steves writes: KS> we don't need an option for this. use __progname. I quite accept that this patch won't be merged and that __progname is a way to achieve a similar effect. However, I make two points in favour of the patch. Firstly if sshd is compiled with, say, -DSSHD_PAM_SERVICE="ssh" then you can no longer use __progname to change the PAM service name. The service name is always "ssh". [Debian do this. It may be as a result of deliberate policy. It may be a packaging bug. I haven't pursued further. This was my original motivation for creating the patch.] Secondly forcing use of __progname comes close to mixing two different namespaces, namely the namespace of executables and the namespace of PAM services (or, alternatively, files in /etc/pam.d or wherever). [If Debian were to compile such that the PAM service name came from __progname they also have to arrange for the _daemon_ executable to be invoked with argv[0] "ssh". It all seems to become a little messy.] From gem at rellim.com Sun Dec 29 05:41:09 2002 
From: gem at rellim.com (Gary E. Miller) Date: Sat, 28 Dec 2002 10:41:09 -0800 (PST) Subject: patch for openssh3.5p1 - adds logging option In-Reply-To: <20021227153535.F27831-100000@true.fiberpimp.net> References: <20021227153535.F27831-100000@true.fiberpimp.net> Message-ID: Yo Galt! Application programs (on Unix) should refrain from duplicating shell functions. Each UNIX program should do one thing well. The shell handles redirection very well, and SSH should stick to its core thing. RGDS GARY --------------------------------------------------------------------------- Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701 gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676 On Fri, 27 Dec 2002 galt at fiberpimp.net wrote: > > other than the timestamp, why is sshd -e 2>foo not sufficient? > > > > its more appealing to me to have a config file option than to redirect > stderr. From galt at fiberpimp.net Sun Dec 29 06:06:29 2002 From: galt at fiberpimp.net (galt at fiberpimp.net) Date: Sat, 28 Dec 2002 14:06:29 -0500 (EST) Subject: patch for openssh3.5p1 - adds logging option In-Reply-To: <20021228075145.GF464@scott.crlsca.adelphia.net> Message-ID: <20021228140337.Y27889-100000@true.fiberpimp.net> On Fri, 27 Dec 2002, Kevin Steves wrote: > On Fri, Dec 27, 2002 at 03:46:41PM -0500, galt at fiberpimp.net wrote: > > > other than the timestamp, why is sshd -e 2>foo not sufficient? > > > > its more appealing to me to have a config file option than to redirect > > stderr. > > we try to avoid more options. > i don't see a reason to add this. what's your opinion on adding a timestamp to the regular stderr logging? From bugzilla-daemon at mindrot.org Mon Dec 30 08:11:30 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 30 Dec 2002 08:11:30 +1100 (EST) Subject: [Bug 459] New: ssh-keygen doesn't know how to export private keys Message-ID: <20021229211130.A4F4864508@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=459 Summary: ssh-keygen doesn't know how to export private keys Product: Portable OpenSSH Version: 3.5p1 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: ssh-keygen AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: cjwatson at debian.org The output from ssh-keygen is identical regardless of whether a public or private key is given using -f: [cjwatson at arborlon ~]$ ssh-keygen -e -f .ssh/id-imapd-flatline.pub ---- BEGIN SSH2 PUBLIC KEY ---- Comment: "1024-bit RSA, converted from OpenSSH by cjwatson at arborlon" AAAAB3NzaC1yc2EAAAABIwAAAIEAvpawnSFO7bg4CXQ2hNDyNE/ffPGOaPPzAugbx1/kqk yawwaOn86jEHA+Kk0kCE4iwYc+19g6oVS9xezzkn2QJlwLZ8tH7c/Vy+i0Y7USaTZ3sEe1 nhZljkVtMUJaG3D+lqi094qROztTJVPvWCTMxJ0oytQEzC1roMCZmTl5hrk= ---- END SSH2 PUBLIC KEY ---- [cjwatson at arborlon ~]$ ssh-keygen -e -f .ssh/id-imapd-flatline ---- BEGIN SSH2 PUBLIC KEY ---- Comment: "1024-bit RSA, converted from OpenSSH by cjwatson at arborlon" AAAAB3NzaC1yc2EAAAABIwAAAIEAvpawnSFO7bg4CXQ2hNDyNE/ffPGOaPPzAugbx1/kqk yawwaOn86jEHA+Kk0kCE4iwYc+19g6oVS9xezzkn2QJlwLZ8tH7c/Vy+i0Y7USaTZ3sEe1 nhZljkVtMUJaG3D+lqi094qROztTJVPvWCTMxJ0oytQEzC1roMCZmTl5hrk= ---- END SSH2 PUBLIC KEY ---- However, the man page says: .It Fl e This option will read a private or public OpenSSH key file and print the key in a .Sq SECSH Public Key File Format to stdout. This option allows exporting keys for use by several commercial SSH implementations. (This is Debian bug #174156.) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Mon Dec 30 08:46:52 2002 
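The export above is the SECSH public-key file format (later RFC 4716) wrapped around the same ssh-rsa wire blob that sits in an OpenSSH public-key line, which is why the two invocations print the same thing. As an added example, not ssh-keygen's code, the Python below parses that envelope and the blob, using the reporter's own output as its input, so a consumer of such a file can confirm it carries only public components (type, e, n for RSA) and nothing after them. The function names are this example's own; the check that the blob is fully consumed is what would flag anything beyond a bare public key.

```python
import base64
import struct

# Input for this example: the ssh-keygen -e output quoted in the bug report.
BUG_459_EXPORT = """\
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "1024-bit RSA, converted from OpenSSH by cjwatson at arborlon"
AAAAB3NzaC1yc2EAAAABIwAAAIEAvpawnSFO7bg4CXQ2hNDyNE/ffPGOaPPzAugbx1/kqk
yawwaOn86jEHA+Kk0kCE4iwYc+19g6oVS9xezzkn2QJlwLZ8tH7c/Vy+i0Y7USaTZ3sEe1
nhZljkVtMUJaG3D+lqi094qROztTJVPvWCTMxJ0oytQEzC1roMCZmTl5hrk=
---- END SSH2 PUBLIC KEY ----
"""

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

# Public components carried by each key type, in wire order.
PUBLIC_FIELDS = {"ssh-rsa": ("e", "n"), "ssh-dss": ("p", "q", "g", "y")}


def parse_secsh_public_key(text: str):
    """Split a SECSH public-key file into its headers and the decoded wire blob.
    Header lines are 'Name: value' (a trailing backslash continues the value);
    everything after the headers is base64 of the key blob."""
    lines = [l.rstrip("\r") for l in text.strip().splitlines()]
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing SECSH BEGIN/END lines")
    headers, b64, i = {}, [], 1
    while i < len(lines) - 1:
        line = lines[i]
        if ": " in line and not b64:
            name, value = line.split(": ", 1)
            while value.endswith("\\") and i + 1 < len(lines) - 1:
                i += 1
                value = value[:-1] + lines[i]
            headers[name] = value
        else:
            b64.append(line)
        i += 1
    return headers, base64.b64decode("".join(b64))


def read_string(blob: bytes, off: int):
    """SSH 'string': uint32 big-endian length followed by that many bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("string runs past end of blob")
    return blob[off + 4:off + 4 + n], off + 4 + n


def read_mpint(blob: bytes, off: int):
    """SSH 'mpint': a string holding a big-endian two's complement integer."""
    raw, off = read_string(blob, off)
    return int.from_bytes(raw, "big", signed=True), off


def decode_public_key(blob: bytes):
    """Decode the wire blob and insist that it holds exactly the public fields."""
    ktype, off = read_string(blob, 0)
    ktype = ktype.decode("ascii")
    if ktype not in PUBLIC_FIELDS:
        raise ValueError("unknown key type %r" % ktype)
    fields = {}
    for name in PUBLIC_FIELDS[ktype]:
        fields[name], off = read_mpint(blob, off)
    if off != len(blob):
        raise ValueError("%d trailing byte(s) after the public fields" % (len(blob) - off))
    return ktype, fields


def key_bits(ktype: str, fields: dict) -> int:
    """Modulus size for RSA, prime size for DSA."""
    return fields["n" if ktype == "ssh-rsa" else "p"].bit_length()


if __name__ == "__main__":
    headers, blob = parse_secsh_public_key(BUG_459_EXPORT)
    ktype, fields = decode_public_key(blob)
    print(headers.get("Comment"))
    print(ktype, key_bits(ktype, fields), "bits, e =", fields["e"],
          "blob =", len(blob), "bytes")
```

On the reporter's key this yields ssh-rsa, a 1024-bit modulus and e = 35, the public exponent OpenSSH's ssh-keygen used at the time; the 149-byte blob is consumed exactly, which is how you can tell that the private-key file was exported as nothing more than its public half.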
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 30 Dec 2002 08:46:52 +1100 (EST) Subject: [Bug 460] New: ut_addr_v6 not used Message-ID: <20021229214652.DD39D64519@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=460 Summary: ut_addr_v6 not used Product: Portable OpenSSH Version: 3.5p1 Platform: All URL: http://bugs.debian.org/167867 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: cjwatson at debian.org Miquel van Smoorenburg supplied this note and patch: [...] However, in IPv6 mode, sshd doesn't write the utmp 'ut_addr' field. This patch fixes that; for 4-in-6 connections, the IPv4 address is written to ut_addr, for IPv6 connections, the IPv6 address is written to ut_addr_v6. This basically is a security fix, though a minor one; Linux doesn't have the ut_addr / ut_addr_v6 field just to leave them empty ! The next sysvinit (2.85) will include a 'last' that knows how to read ut_addr_v6 from the wtmp file (I'm the maintainer). diff -ruN t/openssh-3.5p1/loginrec.c openssh-3.5p1/loginrec.c --- t/openssh-3.5p1/loginrec.c 2002-09-26 02:38:49.000000000 +0200 +++ openssh-3.5p1/loginrec.c 2002-11-05 13:14:33.000000000 +0100 @@ -609,6 +609,9 @@ construct_utmp(struct logininfo *li, struct utmp *ut) { +# ifdef HAVE_ADDR_V6_IN_UTMP + struct sockaddr_in6 *sa6; +# endif memset(ut, '\0', sizeof(*ut)); /* First fill out fields used for both logins and logouts */ 
@@ -661,6 +664,19 @@ if (li->hostaddr.sa.sa_family == AF_INET) ut->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr; # endif +# ifdef HAVE_ADDR_V6_IN_UTMP + /* this is just a 128-bit IPv6 address */ + if (li->hostaddr.sa.sa_family == AF_INET6) { + sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa); + memcpy(ut->ut_addr_v6, sa6->sin6_addr.s6_addr, 16); + if (IN6_IS_ADDR_V4MAPPED(&sa6->sin6_addr)) { + ut->ut_addr_v6[0] = ut->ut_addr_v6[3]; + ut->ut_addr_v6[1] = 0; + ut->ut_addr_v6[2] = 0; + ut->ut_addr_v6[3] = 0; + } + } +# endif } #endif /* USE_UTMP || USE_WTMP || USE_LOGIN */ @@ -689,6 +705,9 @@ void construct_utmpx(struct logininfo *li, struct utmpx *utx) { +# ifdef HAVE_ADDR_V6_IN_UTMP + struct sockaddr_in6 *sa6; +# endif memset(utx, '\0', sizeof(*utx)); # ifdef HAVE_ID_IN_UTMPX line_abbrevname(utx->ut_id, li->line, sizeof(utx->ut_id)); @@ -725,6 +744,19 @@ if (li->hostaddr.sa.sa_family == AF_INET) utx->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr; # endif +# ifdef HAVE_ADDR_V6_IN_UTMP + /* this is just a 128-bit IPv6 address */ + if (li->hostaddr.sa.sa_family == AF_INET6) { + sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa); + memcpy(ut->ut_addr_v6, sa6->sin6_addr.s6_addr, 16); + if (IN6_IS_ADDR_V4MAPPED(&sa6->sin6_addr)) { + ut->ut_addr_v6[0] = ut->ut_addr_v6[3]; + ut->ut_addr_v6[1] = 0; + ut->ut_addr_v6[2] = 0; + ut->ut_addr_v6[3] = 0; + } + } +# endif # ifdef HAVE_SYSLEN_IN_UTMPX /* ut_syslen is the length of the utx_host string */ utx->ut_syslen = MIN(strlen(li->hostname), sizeof(utx->ut_host)); diff -ruN t/openssh-3.5p1/session.c openssh-3.5p1/session.c --- t/openssh-3.5p1/session.c 2002-09-26 02:38:50.000000000 +0200 +++ openssh-3.5p1/session.c 2002-11-05 13:11:30.000000000 +0100 
@@ -730,8 +730,8 @@ * the address be 0.0.0.0. */ memset(&from, 0, sizeof(from)); + fromlen = sizeof(from); if (packet_connection_is_on_socket()) { - fromlen = sizeof(from); if (getpeername(packet_get_connection_in(), (struct sockaddr *) & from, &fromlen) < 0) { debug("getpeername: %.100s", strerror(errno)); diff -ruN t/openssh-3.5p1/sshlogin.c openssh-3.5p1/sshlogin.c --- t/openssh-3.5p1/sshlogin.c 2002-09-04 08:45:11.000000000 +0200 +++ openssh-3.5p1/sshlogin.c 2002-11-05 13:12:25.000000000 +0100 @@ -70,7 +70,7 @@ struct logininfo *li; li = login_alloc_entry(pid, user, host, ttyname); - login_set_addr(li, addr, sizeof(struct sockaddr)); + login_set_addr(li, addr, addrlen); login_login(li); login_free_entry(li); } ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Mon Dec 30 11:18:37 2002 
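Review bot: the construct_utmpx hunk (@@ -725,6 +744,19 @@) writes through `ut` (`memcpy(ut->ut_addr_v6, ...)`, `ut->ut_addr_v6[0] = ut->ut_addr_v6[3];` and the two zeroing lines) inside a function whose parameter is `utx`, so it will not compile whenever HAVE_ADDR_V6_IN_UTMP is defined and utmpx is in use; every `ut->` in that block should be `utx->`. The block is also guarded by HAVE_ADDR_V6_IN_UTMP, whereas the surrounding utmpx code tests utmpx-specific macros (HAVE_ID_IN_UTMPX, HAVE_SYSLEN_IN_UTMPX); add a matching HAVE_ADDR_V6_IN_UTMPX configure check rather than assuming the two structs agree. Since the same dozen lines are now duplicated in construct_utmp, a small static helper taking the `ut_addr_v6` array and the `sockaddr_in6` would have prevented exactly this copy-and-paste slip.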
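Review bot: the session.c and sshlogin.c hunks are a prerequisite for the loginrec.c change rather than part of it: with `login_set_addr(li, addr, sizeof(struct sockaddr))` only 16 bytes ever reached loginrec.c, so the new AF_INET6 branch could never see a full 28-byte `sockaddr_in6`. Hajimu UMEMOTO posted the identical sshlogin.c one-liner in the "sshd doesn't log hostname into utmp correctly" thread, so apply it once and keep the two patches from conflicting. Hoisting `fromlen = sizeof(from);` above the `packet_connection_is_on_socket()` test is fine, but in the non-socket case `from` is still all zeros and is now passed with a full length; the AF_INET/AF_INET6 tests in construct_utmp skip it, so check that nothing else downstream treats a non-zero length as "address present".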
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 30 Dec 2002 11:18:37 +1100 (EST) Subject: [Bug 452] sftp does not abort when commands given via -b fail Message-ID: <20021230001837.EAD2564508@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=452 ------- Additional Comments From cjwatson at debian.org 2002-12-30 11:18 ------- Robert Bihlmeyer added these comments and suggested the following patch: The following "-b" script should work if everything ran as documented: get the-remote-file rm the-remote-file In the status quo it can incur data loss (and did for me, aargh!) if the get fails for some reason (e.g. disk full). The appended patch fixes some cases, and should point people in the right direction. There are still more places where process_get will return -1 (which will not lead to abort). Either all these get changed to 1, or -- as it seems the intention is not to abort on every error -- the manpage documents exactly in which cases an abort will happen. The current situation is just bad. I'd be most satisfied with an "abort on every minuscule error" switch, akin to sh's -e. diff -u openssh-3.5p1/sftp-int.c~ openssh-3.5p1/sftp-int.c --- openssh-3.5p1/sftp-int.c~ 2002-12-30 01:13:29.000000000 +0100 +++ openssh-3.5p1/sftp-int.c 2002-12-30 01:13:29.000000000 +0100 @@ -426,7 +426,7 @@ goto out; } printf("Fetching %s to %s\n", g.gl_pathv[0], abs_dst); - err = do_download(conn, g.gl_pathv[0], abs_dst, pflag); + err = do_download(conn, g.gl_pathv[0], abs_dst, pflag) ? 1 : 0; goto out; } @@ -451,7 +451,7 @@ printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); if (do_download(conn, g.gl_pathv[i], abs_dst, pflag) == -1) - err = -1; + err = 1; xfree(abs_dst); abs_dst = NULL; } ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From stevesk at pobox.com Mon Dec 30 12:51:19 2002 
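Review bot: the two sftp-int.c hunks use different conventions for the same failure: the first maps any non-zero `do_download()` return to 1 via `? 1 : 0`, the second keeps the `== -1` test and assigns `err = 1`. Pick one (`err = do_download(...) == -1 ? 1 : 0`, or test `!= 0` in both) and, as the comment itself says, either convert the remaining `-1` returns in `process_get()` the same way or document in sftp(1) exactly which failures abort a `-b` batch; with a mix of 1 and -1 the `get` / `rm` sequence above can still delete a file that was never fetched. The `sftp-int.c~` in the header and the identical timestamps also suggest the diff was taken against an editor backup; regenerate it against a clean 3.5p1 tree so it applies cleanly.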
From: stevesk at pobox.com (Kevin Steves) Date: Sun, 29 Dec 2002 17:51:19 -0800 Subject: patch for openssh3.5p1 - adds logging option In-Reply-To: <20021228140337.Y27889-100000@true.fiberpimp.net> References: <20021228075145.GF464@scott.crlsca.adelphia.net> <20021228140337.Y27889-100000@true.fiberpimp.net> Message-ID: <20021230015119.GA2487@scott.crlsca.adelphia.net> On Sat, Dec 28, 2002 at 02:06:29PM -0500, galt at fiberpimp.net wrote: > > On Fri, Dec 27, 2002 at 03:46:41PM -0500, galt at fiberpimp.net wrote: > > > > other than the timestamp, why is sshd -e 2>foo not sufficient? > > > > > > its more appealing to me to have a config file option than to redirect > > > stderr. > > > > we try to avoid more options. > > i don't see a reason to add this. > > whats your opinion on adding a timestamp to the regular stderr logging? i don't have a problem adding timestamp for -e. From mks at noida.hcltech.com Mon Dec 30 23:49:53 2002 
From: mks at noida.hcltech.com (Manish Kumar Srivastava, Noida) Date: Mon, 30 Dec 2002 18:19:53 +0530 Subject: Problem while exiting sftp on SX-6... Message-ID: Hi, I am trying to run sftp on SX-6 and it is giving me a problem when I try to exit from sftp. On pressing ^D or entering "bye" on sftp prompt, sftp hangs. And I have to press ^C to quit. The versions are: - 1. openssh-3.1p1 on both client and server. 2. Both client (sftp) and server (sshd) are running on SX-6 It appears that the client and server are hanging on "select". I am appending the debug messages below. The same problem is repeated if I run server on SX-6 and client on P-II running on Red Hat 7.1 and openssh-3.1p1. --------------------------------------------------------------------- Server Side: - # ./sshd -d -p 12020 -f /usr/local/etc/sshd_config debug1: sshd version OpenSSH_3.1p1 debug1: private host key: #0 type 0 RSA1 debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA debug1: Bind to port 12020 on 0.0.0.0. Server listening on 0.0.0.0 port 12020. Generating 768 bit RSA key. RSA key generation complete. debug1: Server will not fork when running in debugging mode. 
Connection from 204.160.252.25 port 3892
debug1: Client protocol version 2.0; client software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.1p1
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server 3des-cbc hmac-md5 none
debug1: kex: server->client 3des-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 202/384
debug1: bits set: 1995/4095
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 2039/4095
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user perl service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for perl from 204.160.252.25 port 3892 ssh2
debug1: userauth-request for user perl service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=perl devs=
debug1: kbdint_alloc: devices ''
Failed keyboard-interactive for perl from 204.160.252.25 port 3892 ssh2
debug1: userauth-request for user perl service ssh-connection method password
debug1: attempt 2 failures 2
Accepted password for perl from 204.160.252.25 port 3892 ssh2
debug1: Entering interactive session for SSH2.
debug1: fd 3 setting O_NONBLOCK
debug1: fd 7 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: mks wait_until_can_do_something before select
debug1: mks wait_until_can_do_something after select
debug1: server_input_channel_open: ctype session rchan 0 win 131072 max 32768
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: mks wait_until_can_do_something before select
debug1: mks wait_until_can_do_something after select
debug1: mks wait_until_can_do_something before select
debug1: mks wait_until_can_do_something after select
debug1: server_input_channel_req: channel 0 request subsystem reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req subsystem
subsystem request for sftp
debug1: subsystem: exec() /usr/local/libexec/sftp-server
debug1: fd 9 setting O_NONBLOCK
debug1: mks wait_until_can_do_something before select
debug1: mks wait_until_can_do_something after select
debug1: mks wait_until_can_do_something before select
debug1: mks wait_until_can_do_something after select
debug1: mks wait_until_can_do_something before select
debug1: mks wait_until_can_do_something after select
debug1: mks wait_until_can_do_something before select
debug1: mks wait_until_can_do_something after select
debug1: mks wait_until_can_do_something before select
debug1: mks wait_until_can_do_something after select
debug1: mks wait_until_can_do_something before select
debug1: mks wait_until_can_do_something after select
debug1: mks wait_until_can_do_something before select
debug1: mks wait_until_can_do_something after select
debug1: mks wait_until_can_do_something before select
debug1: mks wait_until_can_do_something after select
debug1: mks wait_until_can_do_something before select
debug1: mks wait_until_can_do_something after select
debug1: mks wait_until_can_do_something before select
debug1: mks wait_until_can_do_something after select
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: obuf empty
debug1: channel 0: close_write
debug1: channel 0: output drain -> closed
debug1: mks wait_until_can_do_something before select
...[It hangs here, I pressed ^C on client side] <------------------------ hangs
debug1: mks wait_until_can_do_something after select
Connection closed by remote host.
debug1: channel_free: channel 0: server-session, nchannels 1
debug1: Received SIGCHLD.
debug1: session_close: session 0 pid 9679
Closing connection to 204.160.252.25
---------------------------------------------------------------------

Client side (I pressed ^C on client side): -

$ ./sftp -oPort=12020 -oLogLevel=DEBUG3 perl at sx6ihcl
Connecting to sx6ihcl...
debug1: Reading configuration data /usr/local/etc/ssh_config
debug3: Seeing PRNG from /usr/local/libexec/ssh-rand-helper
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 106 geteuid 106 anon 1
debug1: Connecting to sx6ihcl [204.160.252.25] port 12020.
debug1: temporarily_use_uid: 106/102 (e=106)
debug1: restore_uid
debug1: temporarily_use_uid: 106/102 (e=106)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/perl/.ssh/id_rsa type -1
debug1: identity file /home/perl/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client 3des-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server 3des-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 180/384
debug1: bits set: 2039/4095
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/perl/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug3: check_host_in_hostfile: filename /home/perl/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug1: Host 'sx6ihcl' is known and matches the RSA host key.
debug1: Found key in /home/perl/.ssh/known_hosts:2
debug1: bits set: 1995/4095
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: try privkey: /home/perl/.ssh/id_rsa
debug3: no such identity: /home/perl/.ssh/id_rsa
debug1: try privkey: /home/perl/.ssh/id_dsa
debug3: no such identity: /home/perl/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: next auth method to try is keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: next auth method to try is password
perl at sx6ihcl's password:
debug1: packet_send2: adding 64 (len 53 padlen 11 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: ssh-userauth2 successful: method password
debug1: fd 4 setting O_NONBLOCK
debug2: fd 5 is O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug1: send channel open 0
debug1: Entering interactive session.
debug1: mks client_wait_until_can_do_something before select statement
debug1: mks client_wait_until_can_do_something after select statement
debug1: mks client_wait_until_can_do_something before select statement
debug1: mks client_wait_until_can_do_something after select statement
debug2: callback start
debug1: ssh_session2_setup: id 0
debug1: Sending subsystem: sftp
debug1: channel request 0: subsystem
debug2: callback done
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug1: mks client_wait_until_can_do_something before select statement
debug1: mks client_wait_until_can_do_something after select statement
debug1: mks client_wait_until_can_do_something before select statement
debug1: mks client_wait_until_can_do_something after select statement
debug2: channel 0: rcvd adjust 131072
debug1: mks client_wait_until_can_do_something before select statement
debug1: mks client_wait_until_can_do_something after select statement
debug1: mks client_wait_until_can_do_something before select statement
debug1: mks client_wait_until_can_do_something after select statement
debug1: mks client_wait_until_can_do_something before select statement
debug1: mks client_wait_until_can_do_something after select statement
debug1: mks client_wait_until_can_do_something before select statement
debug1: mks client_wait_until_can_do_something after select statement
debug1: mks client_wait_until_can_do_something before select statement
debug1: mks client_wait_until_can_do_something after select statement
debug1: mks client_wait_until_can_do_something before select statement
debug1: mks client_wait_until_can_do_something after select statement
debug1: mks client_wait_until_can_do_something before select statement
debug1: mks client_wait_until_can_do_something after select statement
debug1: mks client_wait_until_can_do_something before select statement
debug1: mks client_wait_until_can_do_something after select statement
debug1: mks client_wait_until_can_do_something before select statement
sftp> bye
debug1: mks client_wait_until_can_do_something after select statement
debug1: channel 0: read<=0 rfd 4 len 0
debug1: channel 0: read failed
debug1: channel 0: close_read
debug1: mks channel 0: input open -> drain
debug1: channel 0: ibuf empty
debug1: channel 0: send eof
debug1: mks channel 0: input drain -> closed
debug1: mks client_wait_until_can_do_something before select statement
debug1: mks client_wait_until_can_do_something after select statement
debug1: mks client_wait_until_can_do_something before select statement
... [It hangs here, I pressed ^C] <---------------------------------------------hangs
debug1: mks client_wait_until_can_do_something inside if select statement
debug1: channel_free: channel 0: client-session, nchannels 1
debug3: channel_free: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o0/0 fd -1/5)
debug3: channel_close_fds: channel 0: r -1 w 5 e 6
debug1: fd 0 clearing O_NONBLOCK
debug2: fd 1 is not O_NONBLOCK
Killed by signal 2.
debug1: Calling cleanup 0x40004db98(0x0)
debug1: Calling cleanup 0x40009a218(0x0)
---------------------------------------------------------------------

Kindly suggest, what could be the problem?
I tried changing the timeval values for select at the client side (basically setting tv_sec to 1 and tv_usec to 0) but it's apparently of no use.

Thanks & Regards
Manish

From ume at FreeBSD.org Tue Dec 31 02:55:03 2002
From: ume at FreeBSD.org (Hajimu UMEMOTO)
Date: Tue, 31 Dec 2002 00:55:03 +0900
Subject: sshd doesn't log hostname into utmp correctly [resend]
In-Reply-To: <20021227203233.GF7647@scott.crlsca.adelphia.net>
References: <20020819211902.GA27268@scott.crlsca.adelphia.net> <20020820142757.GB28367@scott.crlsca.adelphia.net> <20020820152020.GC28367@scott.crlsca.adelphia.net> <20021227203233.GF7647@scott.crlsca.adelphia.net>

Hi,

>>>>> On Fri, 27 Dec 2002 12:32:33 -0800
>>>>> Kevin Steves said:

stevesk> is that the only missing piece? i thought there was more?
stevesk> record_utmp_only()?

Yup, it was the missing piece only for the utmp part. There is still a missing piece for the utmpx part. Since FreeBSD doesn't have utmpx yet, at least it was sufficient for FreeBSD. I attached the full missing piece in this mail.

Sincerely,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-3.5p1-loghost.diff
Type: text/x-patch
Size: 2071 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20021231/7461bd5b/attachment.bin
-------------- next part --------------
--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume at mahoroba.org  ume at bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/

From stuge-openssh-unix-dev at cdy.org Tue Dec 31 07:05:03 2002
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Mon, 30 Dec 2002 21:05:03 +0100
Subject: Problem while exiting sftp on SX-6...
Message-ID: <20021230200503.GB13776@foo.birdnet.se>

On Mon, Dec 30, 2002 at 06:19:53PM +0530, Manish Kumar Srivastava, Noida wrote:
> Hi,
>
> I am trying to run sftp on SX-6 and it is giving me a problem when
> I try to exit from sftp. On pressing ^D or entering "bye" on the
> sftp prompt, sftp hangs. And I have to press ^C to quit.
>
> The versions are: -
> 1. openssh-3.1p1 on both client and server.

If at all possible, please retry this with the latest version of openssh, currently 3.5p1, or even a recent snapshot or current CVS. The problem you are experiencing may already have been fixed in newer versions of the software; 3.1p1 is quite old.

On another note, I think it's very good that you are testing openssh on this SX-6 platform, which I didn't even know existed before your emails. :)

//Peter

From bugzilla-daemon at mindrot.org Tue Dec 31 08:57:37 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 31 Dec 2002 08:57:37 +1100 (EST)
Subject: [Bug 458] sshd crashes with "fatal: mm_malloc: size too big"
Message-ID: <20021230215737.7D1CF64518@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=458

groeskens at bluewin.ch changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |groeskens at bluewin.ch

------- Additional Comments From groeskens at bluewin.ch  2002-12-31 08:57 -------
Same problem on Solaris 8, 32-bit build, gcc 2.95-3.

It seems that line 170 in monitor_mm.c is the problem:

    if (size > SIZE_T_MAX - MM_MINSIZE + 1)
        fatal("mm_malloc: size too big");

size seems to be a different type (uint32) in defines.h:
---
#ifndef SIZE_T_MAX
#define SIZE_T_MAX ULONG_MAX
#endif /* SIZE_T_MAX */

#ifndef HAVE_SIZE_T
typedef unsigned int size_t;
# define HAVE_SIZE_T
#endif /* HAVE_SIZE_T */
---

The line
    #define SIZE_T_MAX ULONG_MAX
should be changed. I tried
    # define SIZE_T_MAX ((2 << (8 * sizeof(size_t)) - 1)
but got an error (also out of bounds :-(

The definition of SIZE_T_MAX has to be changed to be in the range of the type of size.

From the build log:
---
gcc -O3 -pipe -mcpu=ultrasparc -m32 -I. -I. -I/usr/local/include -I/usr/local/include -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/lib/ssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/lib/ssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/lib/ssh/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/lib/ssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c monitor_mm.c
monitor_mm.c: In function `mm_malloc':
monitor_mm.c:170: warning: integer overflow in expression
monitor_mm.c:170: warning: comparison is always true due to limited range of data type
---

--
Guido

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From djm at mindrot.org Tue Dec 31 19:00:34 2002
From: djm at mindrot.org (Damien Miller)
Date: Tue, 31 Dec 2002 19:00:34 +1100
Subject: [PATCH] PAM chauthtok + Privsep
In-Reply-To: <3E045A58.285069C2@zip.com.au>
References: <3E045A58.285069C2@zip.com.au>
Message-ID: <3E114EA2.2070803@mindrot.org>

Darren Tucker wrote:
> Hello All.
> Attached is an update to my previous patch to make do_pam_chauthtok and
> privsep play nicely together.
>
> First, a question: does anybody care about these or the password
> expiration patches?

Yes - I'll look at these later this week or early next week (once the NYE hangover wears off...)

-d

From htodd at twofifty.com Thu Dec 12 04:38:24 2002
From: htodd at twofifty.com (Hisashi T Fujinaka)
Date: Wed, 11 Dec 2002 09:38:24 -0800 (PST)
Subject: Has anyone been able to access the s/key sources lately?

Does anyone have an alternate source for the s/key sources? The one listed in "INSTALL" seems to be unreachable.

--
Hisashi T Fujinaka - htodd at twofifty.com
BSEE (6/86) + BSChem (3/95) + BAEnglish (8/95) + $2.50 = mocha latte
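Returning to the Bug 458 comment above: its point is that the guard quoted from monitor_mm.c line 170 only does its job if SIZE_T_MAX really is the maximum of the type that size has. A constant borrowed from a different-width type (ULONG_MAX on a platform where size_t is not unsigned long) makes the comparison happen in the wrong width. The following C program is an added example written for this page; it is not code from OpenSSH or from the bug reporter. It uses fixed-width types so the mismatch is reproducible on any host, and it does not try to reproduce the exact gcc 2.95 warnings in the report (there the guard fired for every size; the fixed-width variant below shows the mirror-image failure, a guard that can never fire). DEMO_MM_MINSIZE, DEMO_SIZE_T_MAX and the demo_* functions are names invented for the example, and 128 is assumed as the allocator's rounding granularity.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed rounding granularity for this example. monitor_mm.c has its own
 * MM_MINSIZE; the value used here is an assumption, not taken from the page. */
#define DEMO_MM_MINSIZE 128u

/* Portable maximum of size_t: converting -1 to an unsigned type yields that
 * type's maximum, so this tracks the real width of size_t and does not depend
 * on sizeof(long) the way ULONG_MAX does. It equals C99's SIZE_MAX. */
#define DEMO_SIZE_T_MAX ((size_t)-1)

/*
 * Guard in the shape of the one quoted from monitor_mm.c line 170: reject any
 * size whose round-up to a multiple of DEMO_MM_MINSIZE would wrap. 'limit'
 * stands in for SIZE_T_MAX. C's usual arithmetic conversions do the comparison
 * in the wider operand type, so a 64-bit limit compared against a 32-bit size
 * can never be exceeded and the guard silently never fires.
 */
static int demo_too_big_u32(uint32_t size, uint64_t limit)
{
    return size > limit - DEMO_MM_MINSIZE + 1;
}

/* The same guard with the limit derived from the type of 'size' itself,
 * which is what the bug comment asks for. */
static int demo_too_big_size_t(size_t size)
{
    return size > DEMO_SIZE_T_MAX - DEMO_MM_MINSIZE + 1;
}

/*
 * What the guard protects: the allocator's round-up of 'size' to a multiple of
 * DEMO_MM_MINSIZE, done here in 32-bit arithmetic. Returns 1 if the addition
 * wrapped, i.e. the rounded size came out smaller than the request.
 */
static int demo_round_wraps_u32(uint32_t size)
{
    uint32_t rounded = (size + DEMO_MM_MINSIZE - 1) & ~(DEMO_MM_MINSIZE - 1);
    return rounded < size;
}

int main(void)
{
    /* Constructed request sizes just below and above the last safe value. */
    const uint32_t sizes[] = { 0xFFFFFF80u, 0xFFFFFF81u, 0xFFFFFFF0u };
    size_t i;

    printf("size        limit=UINT32_MAX  limit=UINT64_MAX  round-wraps\n");
    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        printf("0x%08lx  %-16d  %-16d  %d\n", (unsigned long)sizes[i],
               demo_too_big_u32(sizes[i], UINT32_MAX),  /* limit matches size */
               demo_too_big_u32(sizes[i], UINT64_MAX),  /* limit too wide */
               demo_round_wraps_u32(sizes[i]));
    }
    printf("(size_t)-1 == SIZE_MAX: %d\n", DEMO_SIZE_T_MAX == SIZE_MAX);
    return 0;
}
```

With the 32-bit limit the guard rejects exactly the sizes for which the round-up wraps (0xFFFFFF81 and above); with the 64-bit limit it rejects none of them, and the wrapping round-up proceeds unchecked. Either mismatch, a guard that always fires as in the report or one that never fires as here, is the same root cause: the constant and the variable it bounds are not the same type.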