From bugzilla-daemon at mindrot.org Tue Oct 1 00:41:50 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 1 Oct 2002 00:41:50 +1000 (EST)
Subject: [Bug 405] getaddrinfo delays
Message-ID: <20020930144150.D3AA03D16E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=405

------- Additional Comments From dgp at nist.gov 2002-10-01 00:41 -------
Thanks for the additional information. Now I've verified use of
fake-getaddrinfo, and I see the delays are in the call to gethostbyname().

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From mouring at etoh.eviladmin.org Tue Oct 1 01:01:35 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 30 Sep 2002 10:01:35 -0500 (CDT)
Subject: FIPS 140-2 certification
In-Reply-To: <3C1E3607B37295439F7C409EFBA08E6803B95779@US-Columbia-CIST.mail.saic.com>
Message-ID:

As I said before.. Don't know about the OpenSSL group, but I believe the slogan
for the OpenSSH group is:

"Show me the patch."

Preferably one patch per logical fix/patch. So it is easier for us to
decide which ones we like or don't like.

No one has said.. "F*ck off" =) Just me asking how FIPS fits into things
so I know what to expect when Markus asks for comments on things.

- Ben

On Mon, 30 Sep 2002, Loomis, Rip wrote:

> > I'm surprised that you are using IRIX. I would not have thought IRIX
> > would have gotten FIPS rating. AIX or Solaris Trusted would not have
> > surprised me. Guess I'll have to have a chat with a buddy
> > over there. =)
>
> See http://niap.nist.gov/cc-scheme/CCEVS-CC-VID401-SGI_IRIX.html
> for details. (disclaimer: I work for SAIC and was involved in
> preparing the evidence for this evaluation. TRIX was evaluated
> at the same time.)
>
> I'd be very interested in following up on FIPS 140 [series] certification
> of OpenSSL/OpenSSH as well, but as others have noted it might be a
> difficult process even with a financial sponsor.
>
> --
> Rip Loomis Senior Systems Security Engineer
> SAIC Secure Business Solutions Group www.saic.com/securebiz
> Center for Information Security Technology www.cist-east.saic.com
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From markus at openbsd.org Tue Oct 1 01:27:31 2002
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 30 Sep 2002 17:27:31 +0200
Subject: FIPS 140-2 certification
In-Reply-To:
References: <3C1E3607B37295439F7C409EFBA08E6803B95779@US-Columbia-CIST.mail.saic.com>
Message-ID: <20020930152731.GB15087@faui02>

On Mon, Sep 30, 2002 at 10:01:35AM -0500, Ben Lindstrom wrote:
> As I said before.. Don't know about the OpenSSL group, but I believe the slogan
> for the OpenSSH group is:
>
> "Show me the patch."
>
> Preferably one patch per logical fix/patch. So it is easier for us to
> decide which ones we like or don't like.
>
> No one has said.. "F*ck off" =) Just me asking how FIPS fits into things
> so I know what to expect when Markus asks for comments on things.

well you can either send me patches or $$$

-m

From djast at cs.toronto.edu Tue Oct 1 02:59:05 2002
From: djast at cs.toronto.edu (Dan Astoorian)
Date: Mon, 30 Sep 2002 12:59:05 -0400
Subject: Question regarding patch for ProxyCommand setting
In-Reply-To: Your message of "Sat, 28 Sep 2002 17:23:26 EDT." <20020928212326.GA1955@jenny.crlsca.adelphia.net>
Message-ID: <02Sep30.125911edt.453158-21564@jane.cs.toronto.edu>

On Sat, 28 Sep 2002 17:23:26 EDT, Kevin Steves writes:
> On Fri, Sep 27, 2002 at 08:32:11PM -0500, Ben Lindstrom wrote:
> > Host localhost
> > ProxyCommand
>
> i can't think of a problem with just:
> ProxyCommand no

That syntax somewhat suggests that "ProxyCommand yes" should have a sane
meaning.

Darren Tucker's suggestion of the syntax "ProxyCommand none" seems more
natural than "no".

--
Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all. It's
djast at cs.toronto.edu     not, it's better to have loved and won. All
www.cs.toronto.edu/~djast/  the other options really suck. --Dan Redican

From binder at arago.de Tue Oct 1 04:28:17 2002
From: binder at arago.de (Thomas Binder)
Date: Mon, 30 Sep 2002 20:28:17 +0200
Subject: Question regarding patch for ProxyCommand setting
In-Reply-To: <02Sep30.125911edt.453158-21564@jane.cs.toronto.edu>; from djast@cs.toronto.edu on Mon, Sep 30, 2002 at 12:59:05PM -0400
References: <20020928212326.GA1955@jenny.crlsca.adelphia.net> <02Sep30.125911edt.453158-21564@jane.cs.toronto.edu>
Message-ID: <20020930202817.A18867988@ohm.arago.de>

Hi!

On Mon, Sep 30, 2002 at 12:59:05PM -0400, Dan Astoorian wrote:
> > i can't think of a problem with just:
> > ProxyCommand no
>
> That syntax somewhat suggests that "ProxyCommand yes" should
> have a sane meaning.
>
> Darren Tucker's suggestion of the syntax "ProxyCommand none"
> seems more natural than "no".

I'd actually also vote for "none". So, should I post the (rather
trivial) patch here?


Ciao

Thomas

--
Grelb's Reminder:
Eighty percent of all people consider themselves to be above
average drivers.

From mouring at etoh.eviladmin.org Tue Oct 1 04:41:02 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 30 Sep 2002 13:41:02 -0500 (CDT)
Subject: Question regarding patch for ProxyCommand setting
In-Reply-To: <20020930202817.A18867988@ohm.arago.de>
Message-ID:

post it

On Mon, 30 Sep 2002, Thomas Binder wrote:

> Hi!
>
> On Mon, Sep 30, 2002 at 12:59:05PM -0400, Dan Astoorian wrote:
> > > i can't think of a problem with just:
> > > ProxyCommand no
> >
> > That syntax somewhat suggests that "ProxyCommand yes" should
> > have a sane meaning.
> >
> > Darren Tucker's suggestion of the syntax "ProxyCommand none"
> > seems more natural than "no".
>
> I'd actually also vote for "none". So, should I post the (rather
> trivial) patch here?
>
>
> Ciao
>
> Thomas
>
>
> --
> Grelb's Reminder:
> Eighty percent of all people consider themselves to be above
> average drivers.
>

From binder at arago.de Tue Oct 1 05:01:38 2002
From: binder at arago.de (Thomas Binder)
Date: Mon, 30 Sep 2002 21:01:38 +0200
Subject: Question regarding patch for ProxyCommand setting
In-Reply-To: ; from mouring@etoh.eviladmin.org on Mon, Sep 30, 2002 at 01:41:02PM -0500
References: <20020930202817.A18867988@ohm.arago.de>
Message-ID: <20020930210137.A19338935@ohm.arago.de>

Hi!

On Mon, Sep 30, 2002 at 01:41:02PM -0500, Ben Lindstrom wrote:
> > I'd actually also vote for "none". So, should I post the (rather
> > trivial) patch here?
>
> post it

Done (in a separate message).


Ciao

Thomas

--
Zero Mostel: That's it baby! When you got it, flaunt it! Flaunt it!
-- Mel Brooks, "The Producers"

From binder at arago.de Tue Oct 1 05:05:21 2002
From: binder at arago.de (Thomas Binder) Date: Mon, 30 Sep 2002 21:05:21 +0200 Subject: [PATCH] Allow "ProxyCommand none" in ssh_config Message-ID: <20020930210521.B19338935@ohm.arago.de> Hi! As discussed in the thread "Question regarding patch for ProxyCommand setting". The patch is rather straight forward; maybe it would be a good idea to improve it in a way that it uses a list of string options that may have a "none" value to reset it to NULL. Ciao Thomas -------------- next part -------------- Index: readconf.c =================================================================== RCS file: /cvs/openssh/readconf.c,v retrieving revision 1.76 diff -u -r1.76 readconf.c --- readconf.c 9 Jul 2002 14:06:40 -0000 1.76 +++ readconf.c 30 Sep 2002 19:00:22 -0000 @@ -724,6 +724,19 @@ if (bad_options > 0) fatal("%s: terminating, %d bad configuration options", filename, bad_options); + + /* + * If proxy_command is set to 'none' (actually ' none' due to the way + * the code in process_config_line works), unset it. This allows for + * excluding certain hosts from using the proxy command while having it + * enabled by default (i.e. for 'Host *') + */ + if (options->proxy_command != NULL) { + if (strcmp(options->proxy_command, " none") == 0) { + xfree(options->proxy_command); + options->proxy_command = NULL; + } + } return 1; } From mouring at etoh.eviladmin.org Tue Oct 1 07:05:14 2002 
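Review bot: the new block at the end of the function compares against " none" with a leading space, which ties the reset to the whitespace that process_config_line happens to prepend; trim the value before comparing (or strip the space where the value is stored) so the check matches the documented spelling, and fold the two nested ifs into one: `if (options->proxy_command != NULL && strcmp(options->proxy_command, "none") == 0)`. The reset also runs only once, at this function's return, and leaves proxy_command NULL, so it is worth confirming that no ProxyCommand line parsed into the same options afterwards can pass the first-time-set guard and re-enable the proxy.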
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 30 Sep 2002 16:05:14 -0500 (CDT) Subject: [PATCH] Allow "ProxyCommand none" in ssh_config In-Reply-To: <20020930210521.B19338935@ohm.arago.de> Message-ID: On Mon, 30 Sep 2002, Thomas Binder wrote: > Hi! > > As discussed in the thread "Question regarding patch for > ProxyCommand setting". > > The patch is rather straight forward; maybe it would be a good > idea to improve it in a way that it uses a list of string options > that may have a "none" value to reset it to NULL. > Ugh..I was expecting something closer to where all the argument processing happens. Like below (don't 'whinge' I have not even compiled it. Just an example). - Ben Index: readconf.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/readconf.c,v retrieving revision 1.100 diff -u -r1.100 readconf.c --- readconf.c 19 Jun 2002 00:27:55 -0000 1.100 +++ readconf.c 30 Sep 2002 19:38:09 -0000 @@ -491,7 +491,11 @@ strcat(string, arg); } if (*activep && *charptr == NULL) - *charptr = string; + if (strcmp(arg, "none") == 0) { + *charptr == NULL + xfree(string); + } else + *charptr = string; else xfree(string); return 0; From marya at st.jip.co.jp Tue Oct 1 11:02:54 2002 From: marya at st.jip.co.jp (Shinichi Maruyama) Date: Tue, 01 Oct 2002 10:02:54 +0900 (JST) Subject: [PATCH] Allow "ProxyCommand none" in ssh_config In-Reply-To: References: <20020930210521.B19338935@ohm.arago.de> Message-ID: <20021001.100254.74755812.marya@st.jip.co.jp> mouring> Ugh..I was expecting something closer to where all the argument processing mouring> happens. I think it's no good. For example Cipher none I prefer '-', if you want to do that. -- MARUYAMA Shinichi From marya at st.jip.co.jp Tue Oct 1 11:12:24 2002 
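Review bot: `*charptr == NULL` in the added branch is a comparison, not an assignment, and the line has no terminating semicolon, so this does not compile as posted; it should read `*charptr = NULL;`. The test is also made against `arg`, the per-token variable that the loop building `string` (its closing `strcat(string, arg); }` is in the context above) has already run to its end, rather than against the accumulated `string`. More fundamentally, leaving `*charptr` NULL means a later `Host *` ProxyCommand still satisfies the `*charptr == NULL` guard and overrides the `none`, which is the ordering objection raised later in the thread; a sentinel value that survives parsing and is resolved afterwards or at use time avoids that.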
From: marya at st.jip.co.jp (Shinichi Maruyama)
Date: Tue, 01 Oct 2002 10:12:24 +0900 (JST)
Subject: [PATCH] Allow "ProxyCommand none" in ssh_config
In-Reply-To: <20020930210521.B19338935@ohm.arago.de>
References: <20020930210521.B19338935@ohm.arago.de>
Message-ID: <20021001.101224.41629238.marya@st.jip.co.jp>

binder> As discussed in the thread "Question regarding patch for
binder> ProxyCommand setting".
binder>
binder> The patch is rather straight forward; maybe it would be a good
binder> idea to improve it in a way that it uses a list of string options
binder> that may have a "none" value to reset it to NULL.

I think it's against the syntax of OpenSSH configuration.
In readconf.c

# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

Thus, the order of 'none' must be specified earlier and you can't reset it
to NULL at this timing.

Host foo
ProxyCommand none
Host *
ProxyCommand /some/command

--
MARUYAMA Shinichi

From mouring at etoh.eviladmin.org Tue Oct 1 11:15:01 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 30 Sep 2002 20:15:01 -0500 (CDT)
Subject: [PATCH] Allow "ProxyCommand none" in ssh_config
In-Reply-To: <20021001.100254.74755812.marya@st.jip.co.jp>
Message-ID:

Not following. strcmp() == 0 is an exact match. I dislike the use of '-'.
'-' implies 'stdout/stdin' and that is incorrect. Overloading common
UNIX concepts is asking to confuse newbies even more.

- Ben

On Tue, 1 Oct 2002, Shinichi Maruyama wrote:

>
> mouring> Ugh..I was expecting something closer to where all the argument processing
> mouring> happens.
>
> I think it's no good. For example
>
> Cipher none
>
> I prefer '-', if you want to do that.
>
> --
> MARUYAMA Shinichi
>

From marya at st.jip.co.jp Tue Oct 1 11:56:21 2002
From: marya at st.jip.co.jp (Shinichi Maruyama)
Date: Tue, 01 Oct 2002 10:56:21 +0900 (JST)
Subject: [PATCH] Allow "ProxyCommand none" in ssh_config
In-Reply-To:
References: <20021001.100254.74755812.marya@st.jip.co.jp>
Message-ID: <20021001.105621.71082163.marya@st.jip.co.jp>

I'm very sorry, I got confused following up to your article and the
article of 'Thomas Binder'.
Message-ID: <20020930210521.B19338935 at ohm.arago.de>

mouring> Not following. strcmp() == 0 is an exact match. I dislike the use of '-'.
mouring> '-' implies 'stdout/stdin' and that is incorrect. Overloading common
mouring> UNIX concepts is asking to confuse newbies even more.

I agree with this. But your patch is against the syntax of OpenSSH
configuration.
In readconf.c

# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

Thus, the order of 'none' must be specified earlier and you can't reset it
to NULL at this timing.

Host foo
ProxyCommand none
Host *
ProxyCommand /some/command

--
MARUYAMA Shinichi

From gotoh at taiyo.co.jp Tue Oct 1 12:45:45 2002
From: gotoh at taiyo.co.jp (Shun-ichi GOTO)
Date: Tue, 01 Oct 2002 11:45:45 +0900 (JST)
Subject: Question regarding patch for ProxyCommand setting
In-Reply-To:
References: <20020926181910.A18637996@ohm.arago.de>
Message-ID: <20021001.114545.132846940.gotoh@taiyo.co.jp>

>>>>> at Fri, 27 Sep 2002 20:32:11 -0500 (CDT)
>>>>> Ben Lindstrom said,
> > I'd almost want to suggest a 'DisableProxyCommand
> [yes|no]'. but 'DisableProxyCommand no' does not make sense.

I like this way by adding a new option 'DisableProxyCommand' or
'EnableProxyCommand' or 'UseProxyCommand' or 'WithProxyCommand' with
value (yes|no).

In most environments, ProxyCommand has the same string like:

"/some/proxy/command -opt %h %p"

If so, he doesn't need ProxyCommand on many host entries.
So ~/.ssh/config goes like this:

host foo
EnableProxyCommand yes

host bar
EnableProxyCommand no

Host *
ProxyCommand /some/proxy/command -opt %h %p

If multiple ProxyCommands are required, define ProxyCommand for those host
entries or override the 'host *' entry, and it works correctly like the
current version can do.

From another point of view, we can think of the current version as always
defining EnableProxyCommand as YES by default. And we are discussing the
way to set it to NO, aren't we?

--- Regards,
Shun-ichi Goto
R&D Group, TAIYO Corp., Tokyo, JAPAN

From binder at arago.de Tue Oct 1 20:39:12 2002
From: binder at arago.de (Thomas Binder)
Date: Tue, 1 Oct 2002 12:39:12 +0200
Subject: [PATCH] Allow "ProxyCommand none" in ssh_config
In-Reply-To: ; from mouring@etoh.eviladmin.org on Mon, Sep 30, 2002 at 04:05:14PM -0500
References: <20020930210521.B19338935@ohm.arago.de>
Message-ID: <20021001123912.A19636292@ohm.arago.de>

Hi!

On Mon, Sep 30, 2002 at 04:05:14PM -0500, Ben Lindstrom wrote:
> Ugh..I was expecting something closer to where all the argument processing
> happens.
>
> Like below (don't 'whinge' I have not even compiled it. Just an
> example).

This way it won't work - actually, that's what I tried first without
success :)

Following OpenSSH's way of option parsing, you would have to have the
following in your ssh_config (or ~/.ssh/config):

Host does-not-need-proxy
ProxyCommand none

Host *
ProxyCommand /some/command

Thus, checking for "none" directly when the option is processed wouldn't
help, as the last ProxyCommand in the config file "wins". You have to
check for "none" after parsing of the config file has finished.

Ciao

Thomas

From binder at arago.de Tue Oct 1 20:40:20 2002
From: binder at arago.de (Thomas Binder)
Date: Tue, 1 Oct 2002 12:40:20 +0200
Subject: [PATCH] Allow "ProxyCommand none" in ssh_config
In-Reply-To: <20021001.101224.41629238.marya@st.jip.co.jp>; from marya@st.jip.co.jp on Tue, Oct 01, 2002 at 10:12:24AM +0900
References: <20020930210521.B19338935@ohm.arago.de> <20021001.101224.41629238.marya@st.jip.co.jp>
Message-ID: <20021001124020.B19636292@ohm.arago.de>

Hi!

On Tue, Oct 01, 2002 at 10:12:24AM +0900, Shinichi Maruyama wrote:
> I think it's against the syntax of OpenSSH configuration.
> In readconf.c
>
> # Any configuration value is only changed the first time it is set.
> # Thus, host-specific definitions should be at the beginning of the
> # configuration file, and defaults at the end.
>
> Thus, the order of 'none' must be specified earlier and you can't reset it
> to NULL at this timing.

Sorry? My patch /does/ check /after/ all option processing is done,
thus it respects the comment you've quoted.

Ciao

Thomas

From markus at openbsd.org Tue Oct 1 20:47:15 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 1 Oct 2002 12:47:15 +0200
Subject: [PATCH] Allow "ProxyCommand none" in ssh_config
In-Reply-To: <20021001123912.A19636292@ohm.arago.de>
References: <20020930210521.B19338935@ohm.arago.de> <20021001123912.A19636292@ohm.arago.de>
Message-ID: <20021001104715.GF26798@faui02>

On Tue, Oct 01, 2002 at 12:39:12PM +0200, Thomas Binder wrote:
> You have to check for "none" after parsing of the config file has
> finished.

this is why I prefer a check in sshconnect.c

but this won't happen for the 3.5 release, sorry, too late.

From markus at openbsd.org Tue Oct 1 21:05:25 2002
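The ordering argument in the messages above (the first-time-set rule quoted from readconf.c, and why "none" must be resolved after parsing or at use time), as an added C model that is not OpenSSH code: it runs a constructed config through a first-match-wins parser once with "none" turned into NULL during parsing (the sketch posted earlier in the thread) and once with "none" kept literal and tested at use time as the sshconnect.c patches do. The parser, matcher and config text are simplifications of my own (single-pattern Host lines, case-sensitive keywords), not readconf.c.

```c
/* Added model of the ssh_config first-match-wins rule discussed in this
 * thread; illustration code, not OpenSSH's readconf.c. Only a single-pattern
 * "Host" line and "ProxyCommand" are understood (keywords case-sensitive). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal Host-pattern matcher: '*' matches any run, '?' one character. */
static int match_pattern(const char *s, const char *pattern)
{
	for (;; s++, pattern++) {
		if (*pattern == '\0')
			return *s == '\0';
		if (*pattern == '*') {
			while (*pattern == '*')
				pattern++;
			if (*pattern == '\0')
				return 1;
			for (; *s != '\0'; s++)
				if (match_pattern(s, pattern))
					return 1;
			return 0;
		}
		if (*s == '\0' || (*pattern != '?' && *pattern != *s))
			return 0;
	}
}

static char *xstrdup(const char *s)
{
	char *p = malloc(strlen(s) + 1);
	if (p == NULL)
		abort();
	return strcpy(p, s);
}

/* Parse config for host into *proxy_command (NULL = unset). With
 * none_at_parse_time, "none" becomes NULL while parsing (the sketch posted
 * earlier in the thread); otherwise the literal "none" is stored for later. */
static void read_config(char **proxy_command, const char *config,
    const char *host, int none_at_parse_time)
{
	char *copy = xstrdup(config), *line, *next, *kw, *arg;
	int active = 1;		/* lines before any Host block apply to all hosts */

	for (line = copy; line != NULL; line = next) {
		if ((next = strchr(line, '\n')) != NULL)
			*next++ = '\0';
		kw = line + strspn(line, " \t");
		if (*kw == '\0' || *kw == '#')
			continue;
		arg = kw + strcspn(kw, " \t=");
		if (*arg != '\0')
			*arg++ = '\0';
		arg += strspn(arg, " \t=");
		if (strcmp(kw, "Host") == 0) {
			active = match_pattern(host, arg);
		} else if (strcmp(kw, "ProxyCommand") == 0 && active &&
		    *proxy_command == NULL) {	/* first-match-wins guard */
			if (none_at_parse_time && strcmp(arg, "none") == 0)
				*proxy_command = NULL;	/* slot stays open for a later Host * */
			else
				*proxy_command = xstrdup(arg);
		}
	}
	free(copy);
}

/* Use-time test, as in the sshconnect.c patches: usable unless NULL or "none". */
static int use_proxy_command(const char *proxy_command)
{
	return proxy_command != NULL && strcmp(proxy_command, "none") != 0;
}

/* Effective proxy command for host under either strategy, or NULL for none. */
static const char *effective_proxy(const char *config, const char *host,
    int none_at_parse_time)
{
	static char *cmd;	/* kept until the next call */
	free(cmd);
	cmd = NULL;
	read_config(&cmd, config, host, none_at_parse_time);
	return use_proxy_command(cmd) ? cmd : NULL;
}

static const char *sample_config =	/* constructed sample config */
    "Host does-not-need-proxy\n"
    "    ProxyCommand none\n"
    "Host *\n"
    "    ProxyCommand /some/proxy/command -opt %h %p\n";

int main(void)
{
	const char *h = "does-not-need-proxy";
	printf("none at parse time: %s\n", effective_proxy(sample_config, h, 1) ? "proxy used" : "no proxy");
	printf("none after parsing: %s\n", effective_proxy(sample_config, h, 0) ? "proxy used" : "no proxy");
	return 0;
}
```

With the parse-time strategy the host that opted out still gets the `Host *` proxy, because the empty slot is filled by the later block; keeping the sentinel and testing it afterwards preserves the opt-out.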
From: markus at openbsd.org (Markus Friedl) Date: Tue, 1 Oct 2002 13:05:25 +0200 Subject: [PATCH] Allow "ProxyCommand none" in ssh_config In-Reply-To: <20021001123912.A19636292@ohm.arago.de> References: <20020930210521.B19338935@ohm.arago.de> <20021001123912.A19636292@ohm.arago.de> Message-ID: <20021001110525.GG26798@faui02> If this works and gets tested within 2 hours, then it could make into 3.5 Index: ssh_config.5 =================================================================== RCS file: /cvs/src/usr.bin/ssh/ssh_config.5,v retrieving revision 1.5 diff -u -r1.5 ssh_config.5 --- ssh_config.5 29 Aug 2002 22:54:10 -0000 1.5 +++ ssh_config.5 1 Oct 2002 11:03:56 -0000 @@ -477,6 +477,9 @@ Note that .Cm CheckHostIP is not available for connects with a proxy command. +Set the command to +.Dq none +to disable this option entirely. .Pp .It Cm PubkeyAuthentication Specifies whether to try public key authentication. Index: sshconnect.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/sshconnect.c,v retrieving revision 1.135 diff -u -r1.135 sshconnect.c --- sshconnect.c 19 Sep 2002 01:58:18 -0000 1.135 +++ sshconnect.c 1 Oct 2002 11:03:56 -0000 @@ -254,7 +254,7 @@ port = SSH_DEFAULT_PORT; } /* If a proxy command is given, connect using it. */ - if (proxy_command != NULL) + if (proxy_command != NULL && strcmp(proxy_command, "none") != 0) return ssh_proxy_connect(host, port, proxy_command); /* No proxy command. */ From binder at arago.de Tue Oct 1 22:11:58 2002 
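Review bot: in the sshconnect.c hunk, `strcmp(proxy_command, "none") != 0` tests the raw stored value, but the earlier readconf.c patch in this thread notes that the parser stores ProxyCommand with a leading space (" none"), so on that code this comparison never matches; either normalise the value in readconf.c or skip leading whitespace before comparing. The ssh_config.5 hunk documents `none` without the space, so the two should agree. The other places that test proxy_command against NULL (the CheckHostIP handling the man page hunk refers to) need the same treatment, otherwise they keep treating `none` as a proxy in use.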
From: binder at arago.de (Thomas Binder)
Date: Tue, 1 Oct 2002 14:11:58 +0200
Subject: [PATCH] Allow "ProxyCommand none" in ssh_config
In-Reply-To: <20021001104715.GF26798@faui02>; from markus@openbsd.org on Tue, Oct 01, 2002 at 12:47:15PM +0200
References: <20020930210521.B19338935@ohm.arago.de> <20021001123912.A19636292@ohm.arago.de> <20021001104715.GF26798@faui02>
Message-ID: <20021001141158.A19615514@ohm.arago.de>

Hi!

On Tue, Oct 01, 2002 at 12:47:15PM +0200, Markus Friedl wrote:
> > You have to check for "none" after parsing of the config file
> > has finished.
>
> this is why I prefer a check in sshconnect.c

I've attached a modified version of the patch. Of course, in that case,
you have to patch more than one occurrence of proxy_command, therefore
the new patch introduces a new static function that returns 1 if
proxy_command is usable (i.e. not NULL and not " none"), 0 otherwise.
All checks that compare proxy_command against NULL got replaced with a
call to that new function.

> but this won't happen for the 3.5 release, sorry, too late.

That's not really a problem for me :)

Ciao

Thomas

-------------- next part --------------
Index: sshconnect.c =================================================================== RCS file: /cvs/openssh/sshconnect.c,v retrieving revision 1.101 diff -u -r1.101 sshconnect.c --- sshconnect.c 19 Sep 2002 02:05:04 -0000 1.101 +++ sshconnect.c 1 Oct 2002 12:06:16 -0000
@@ -50,6 +50,24 @@ static int show_other_keys(const char *, Key *); /* + * Check whether the configured proxy command is to be used + */ +static int +ssh_use_proxy_command(const char *proxy_command) +{ + /* + * If proxy_command is NULL or points to " none", don't use it. + * Note that we have to compare against " none" (and not "none"), + * because the code that parses ProxyCommand in readconf.c always adds + * a space in front of the actual command. + */ + if (proxy_command == NULL || strcmp(proxy_command, " none") == 0) + return 0; + else + return 1; +} + +/* * Connect to the given ssh server using a proxy command. */ static int @@ -219,9 +237,9 @@ * a privileged port will be allocated to make the connection. * This requires super-user privileges if needpriv is true. * Connection_attempts specifies the maximum number of tries (one per - * second). If proxy_command is non-NULL, it specifies the command (with %h - * and %p substituted for host and port, respectively) to use to contact - * the daemon. + * second). If proxy_command is non-NULL and not "none", it specifies + * the command (with %h and %p substituted for host and port, + * respectively) to use to contact the daemon. * Return values: * 0 for OK * ECONNREFUSED if we got a "Connection Refused" by the peer on any address @@ -258,7 +276,7 @@ port = SSH_DEFAULT_PORT; } /* If a proxy command is given, connect using it. */ - if (proxy_command != NULL) + if (ssh_use_proxy_command(proxy_command) == 1) return ssh_proxy_connect(host, port, proxy_command); /* No proxy command. */ @@ -535,7 +553,7 @@ * We don't have the remote ip-address for connections * using a proxy command */ - if (options.proxy_command == NULL) { + if (ssh_use_proxy_command(options.proxy_command) == 0) { if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0) fatal("check_host_key: getnameinfo failed"); 
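Review bot: in the first hunk, ssh_use_proxy_command() hard-codes " none" with the leading space that its own comment attributes to readconf.c, so the use-time check depends on a parser artefact and differs from the documented spelling `ProxyCommand none`; strip the whitespace once where readconf.c stores the value, then compare against "none" here. The body also reduces to `return proxy_command != NULL && strcmp(proxy_command, " none") != 0;`, and the callers in the later hunks read better as `if (ssh_use_proxy_command(proxy_command))` and `if (!ssh_use_proxy_command(options.proxy_command))` than as `== 1` / `== 0` comparisons.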
@@ -548,7 +566,8 @@ * command or if we don't have a hostname to compare with */ if (options.check_host_ip && - (local || strcmp(host, ip) == 0 || options.proxy_command != NULL)) + (local || strcmp(host, ip) == 0 || + ssh_use_proxy_command(options.proxy_command) == 1)) options.check_host_ip = 0; /* From d_wllms at lanl.gov Tue Oct 1 22:37:18 2002 From: d_wllms at lanl.gov (David M. Williams) Date: Tue, 01 Oct 2002 06:37:18 -0600 Subject: Call for testing for 3.5 OpenSSH References: Message-ID: <3D9996FE.3000306@lanl.gov> > > >4. The kerb issue wandering around. > I haven't looked at -current or a snapshot recently so I don't know if this got in but we have tested Olaf Kirch's patch pretty thoroughly on Linux 7.x and Solaris 2.x and have found no problems with it for the cases we have tested. Dave -- David M. Williams, CISSP Phone: 505-665-5021 Systems Engineer, CCN-2 Fax: 505-667-7428 Los Alamos National Laboratory Email: d_wllms at lanl.gov From mouring at etoh.eviladmin.org Wed Oct 2 03:30:54 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 1 Oct 2002 12:30:54 -0500 (CDT) Subject: Call for testing for 3.5 OpenSSH In-Reply-To: <3D9996FE.3000306@lanl.gov> Message-ID: That really does not help now does it? - Ben On Tue, 1 Oct 2002, David M. Williams wrote: > > > > > >4. The kerb issue wandering around. > > > I haven't looked at -current or a snapshot recently so I don't know if > this got in but we have tested Olaf Kirch's patch pretty thoroughly on > Linux 7.x and Solaris 2.x and have found no problems with it for the > cases we have tested. > > Dave > > -- > David M. Williams, CISSP Phone: 505-665-5021 > Systems Engineer, CCN-2 Fax: 505-667-7428 > Los Alamos National Laboratory Email: d_wllms at lanl.gov > > > From mkhurana at andrew.cmu.edu Wed Oct 2 05:39:41 2002 
From: mkhurana at andrew.cmu.edu (Mohan Khurana) Date: Tue, 1 Oct 2002 15:39:41 -0400 (EDT) Subject: ssh with iptables and equalize Message-ID: Hi everyone, I have a configuration for a router that load-balances between two ISPs. What happens is that if a source-destination combination is looked up, one of the two gateways will be chosen, and further lookups will stay on that gateway until the chosen combination "stales" out. Web browsing works, ftp works, kazaa and other applications work. ssh on windows (using putty) works. I am having a problem with OpenSSH on Linux 2.4.19-ac4, Red Hat 7.3. When the gateway that is chosen is a gateway on ISP2, the router NATs out traffic. OpenSSH client *almost* works. Does anyone know what's going on here? The only other application that is having problems with this load-balancing router configuration is AOL AIM for windows. Here is debug information: $ /usr/sbin/traceroute unix1.andrew.cmu.edu traceroute to unix1.andrew.cmu.edu (128.2.11.201), 30 hops max, 38 byte packets ... 8 195.ATM7-0.GW3.PIT1.ALTER.NET (152.63.36.249) 26.216 ms 26.120 ms 26.088 ms 9 psc-gw2.customer.alter.net (65.194.72.114) 28.217 ms 27.871 ms 28.211 ms 10 bar-foo.psc.net (192.88.115.1) 27.594 ms 27.480 ms 26.089 ms 11 cmu-i1.psc.net (192.88.115.182) 25.469 ms 25.237 ms 25.841 ms 12 CORE255-VL501.GW.CMU.NET (128.2.33.227) 27.467 ms 28.731 ms 26.838 ms 13 CYH-A100-VL255.GW.CMU.NET (128.2.255.35) 26.844 ms 27.118 ms 26.839 ms 14 UNIX1.andrew.cmu.edu (128.2.11.201) 27.342 ms 27.106 ms 27.714 ms $ ssh -vvv -x -a -4 -l mkhurana unix1.andrew.cmu.edu OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: restore_uid debug1: ssh_connect: getuid 500 geteuid 0 anon 1 debug1: Connecting to unix1.andrew.cmu.edu [128.2.11.201] port 22. 
debug1: temporarily_use_uid: 500/100 (e=0) debug1: restore_uid debug1: temporarily_use_uid: 500/100 (e=0) debug1: restore_uid debug1: Connection established. debug1: read PEM private key done: type DSA debug1: read PEM private key done: type RSA debug1: identity file /home/mohan/.ssh/identity type -1 debug1: identity file /home/mohan/.ssh/id_rsa type -1 debug1: identity file /home/mohan/.ssh/id_dsa type -1 debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.2p2 debug1: match: OpenSSH_2.5.2p2 pat OpenSSH_2.5.0*,OpenSSH_2.5.1*,OpenSSH_2.5.2* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.1p1 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se 
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 140/256 debug1: bits set: 504/1024 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: check_host_in_hostfile: filename /home/mohan/.ssh/known_hosts debug3: check_host_in_hostfile: match line 14 debug3: check_host_in_hostfile: filename /home/mohan/.ssh/known_hosts debug3: check_host_in_hostfile: match line 14 debug1: Host 'unix1.andrew.cmu.edu' is known and matches the RSA host key. debug1: Found key in /home/mohan/.ssh/known_hosts:14 debug1: bits set: 519/1024 debug1: ssh_rsa_verify: signature correct debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. 
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: Remote: Kerberos V4 password authentication for mkhurana failed: Password incorrect
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: try privkey: /home/mohan/.ssh/identity
debug3: no such identity: /home/mohan/.ssh/identity
debug1: try privkey: /home/mohan/.ssh/id_rsa
debug3: no such identity: /home/mohan/.ssh/id_rsa
debug1: try privkey: /home/mohan/.ssh/id_dsa
debug3: no such identity: /home/mohan/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: next auth method to try is keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: next auth method to try is password
mkhurana at unix1.andrew.cmu.edu's password:
debug1: packet_send2: adding 48 (len 62 padlen 18 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: ssh-userauth2 successful: method password
debug3: clear hostkey 0
debug3: clear hostkey 1
debug3: clear hostkey 2
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug1: send channel open 0
debug1: Entering interactive session.
debug2: callback start
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug3: tty_make_modes: ospeed 38400
debug3: tty_make_modes: ispeed 38400
debug3: tty_make_modes: 1 3
debug3: tty_make_modes: 2 28
debug3: tty_make_modes: 3 127
debug3: tty_make_modes: 4 21
debug3: tty_make_modes: 5 4
debug3: tty_make_modes: 6 0
debug3: tty_make_modes: 7 0
debug3: tty_make_modes: 8 17
debug3: tty_make_modes: 9 19
debug3: tty_make_modes: 10 26
debug3: tty_make_modes: 12 18
debug3: tty_make_modes: 13 23
debug3: tty_make_modes: 14 22
debug3: tty_make_modes: 18 15
debug3: tty_make_modes: 30 0
debug3: tty_make_modes: 31 0
debug3: tty_make_modes: 32 0
debug3: tty_make_modes: 33 0
debug3: tty_make_modes: 34 0
debug3: tty_make_modes: 35 0
debug3: tty_make_modes: 36 1
debug3: tty_make_modes: 37 0
debug3: tty_make_modes: 38 1
debug3: tty_make_modes: 39 0
debug3: tty_make_modes: 40 0
debug3: tty_make_modes: 41 0
debug3: tty_make_modes: 50 1
debug3: tty_make_modes: 51 1
debug3: tty_make_modes: 52 0
debug3: tty_make_modes: 53 1
debug3: tty_make_modes: 54 1
debug3: tty_make_modes: 55 1
debug3: tty_make_modes: 56 0
debug3: tty_make_modes: 57 0
debug3: tty_make_modes: 58 0
debug3: tty_make_modes: 59 1
debug3: tty_make_modes: 60 1
debug3: tty_make_modes: 61 1
debug3: tty_make_modes: 62 0
debug3: tty_make_modes: 70 1
debug3: tty_make_modes: 71 0
debug3: tty_make_modes: 72 1
debug3: tty_make_modes: 73 0
debug3: tty_make_modes: 74 0
debug3: tty_make_modes: 75 0
debug3: tty_make_modes: 90 1
debug3: tty_make_modes: 91 1
debug3: tty_make_modes: 92 0
debug3: tty_make_modes: 93 0
debug1: channel request 0: shell
debug1: fd 3 setting TCP_NODELAY
debug2: callback done
debug1: channel 0: open confirm rwindow 0 rmax 16384

But look, when going out on the other link (no NAT here):

$ ssh -vvv -x -a -l mkhurana unix3.andrew.cmu.edu
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 500 geteuid 0 anon 1
debug1: Connecting to unix3.andrew.cmu.edu [128.2.11.203] port 22.
debug1: temporarily_use_uid: 500/100 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 500/100 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/mohan/.ssh/identity type -1
debug1: identity file /home/mohan/.ssh/id_rsa type -1
debug1: identity file /home/mohan/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.2p2
debug1: match: OpenSSH_2.5.2p2 pat OpenSSH_2.5.0*,OpenSSH_2.5.1*,OpenSSH_2.5.2*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 133/256
debug1: bits set: 496/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/mohan/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 12
debug3: check_host_in_hostfile: filename /home/mohan/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 12
debug1: Host 'unix3.andrew.cmu.edu' is known and matches the RSA host key.
debug1: Found key in /home/mohan/.ssh/known_hosts:12
debug1: bits set: 526/1024
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: Remote: Kerberos V4 password authentication for mkhurana failed: Password incorrect
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: try privkey: /home/mohan/.ssh/identity
debug3: no such identity: /home/mohan/.ssh/identity
debug1: try privkey: /home/mohan/.ssh/id_rsa
debug3: no such identity: /home/mohan/.ssh/id_rsa
debug1: try privkey: /home/mohan/.ssh/id_dsa
debug3: no such identity: /home/mohan/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: next auth method to try is keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: next auth method to try is password
mkhurana at unix3.andrew.cmu.edu's password:
debug1: packet_send2: adding 48 (len 62 padlen 18 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: ssh-userauth2 successful: method password
debug3: clear hostkey 0
debug3: clear hostkey 1
debug3: clear hostkey 2
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug1: send channel open 0
debug1: Entering interactive session.
debug2: callback start
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug3: tty_make_modes: ospeed 38400
debug3: tty_make_modes: ispeed 38400
debug3: tty_make_modes: 1 3
debug3: tty_make_modes: 2 28
debug3: tty_make_modes: 3 127
debug3: tty_make_modes: 4 21
debug3: tty_make_modes: 5 4
debug3: tty_make_modes: 6 0
debug3: tty_make_modes: 7 0
debug3: tty_make_modes: 8 17
debug3: tty_make_modes: 9 19
debug3: tty_make_modes: 10 26
debug3: tty_make_modes: 12 18
debug3: tty_make_modes: 13 23
debug3: tty_make_modes: 14 22
debug3: tty_make_modes: 18 15
debug3: tty_make_modes: 30 0
debug3: tty_make_modes: 31 0
debug3: tty_make_modes: 32 0
debug3: tty_make_modes: 33 0
debug3: tty_make_modes: 34 0
debug3: tty_make_modes: 35 0
debug3: tty_make_modes: 36 1
debug3: tty_make_modes: 37 0
debug3: tty_make_modes: 38 1
debug3: tty_make_modes: 39 0
debug3: tty_make_modes: 40 0
debug3: tty_make_modes: 41 0
debug3: tty_make_modes: 50 1
debug3: tty_make_modes: 51 1
debug3: tty_make_modes: 52 0
debug3: tty_make_modes: 53 1
debug3: tty_make_modes: 54 1
debug3: tty_make_modes: 55 1
debug3: tty_make_modes: 56 0
debug3: tty_make_modes: 57 0
debug3: tty_make_modes: 58 0
debug3: tty_make_modes: 59 1
debug3: tty_make_modes: 60 1
debug3: tty_make_modes: 61 1
debug3: tty_make_modes: 62 0
debug3: tty_make_modes: 70 1
debug3: tty_make_modes: 71 0
debug3: tty_make_modes: 72 1
debug3: tty_make_modes: 73 0
debug3: tty_make_modes: 74 0
debug3: tty_make_modes: 75 0
debug3: tty_make_modes: 90 1
debug3: tty_make_modes: 91 1
debug3: tty_make_modes: 92 0
debug3: tty_make_modes: 93 0
debug1: channel request 0: shell
debug1: fd 3 setting TCP_NODELAY
debug2: callback done
debug1: channel 0: open confirm rwindow 0 rmax 16384
debug2: channel 0: rcvd adjust 32768

Users are not permitted to simultaneously log on to multiple unix servers.
No game playing is allowed. These machines are a shared resource.
Please be considerate of other users.

For more information please see the web page on Andrew/UNIX Servers at
http://www.cmu.edu/computing/documentation/unix/Policies.html
%

thanks much for any ideas,
mohan

From dtucker at zip.com.au Wed Oct 2 07:09:15 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 02 Oct 2002 07:09:15 +1000
Subject: ssh with iptables and equalize
References:
Message-ID: <3D9A0EFB.45CF1610@zip.com.au>

Mohan Khurana wrote:
[snip]
> OpenSSH client *almost* works. Does anyone know
> what's going on here?
[snip]

It *might* be an MTU problem. Something late in the login might manage to generate a packet big enough to fragment.

See this for a previous answer and some advice:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102413585608801

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From bugzilla-daemon at mindrot.org Wed Oct 2 11:25:09 2002
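A way to confirm Darren Tucker's MTU hypothesis from the NAT'd client before touching sshd: probe the path with DF-marked pings of increasing size and, if the path MTU is below 1500, clamp the TCP MSS on the NAT box so the large post-login packets never need fragmenting. This is an added example, not code from the thread or from OpenSSH; it assumes the Linux iputils ping flags (-M do sets DF, -s sets the payload) and the iptables TCPMSS target. The probe is injectable so the search logic can be exercised without a network.

```python
import subprocess
import sys

# IPv4 header (20 bytes) + ICMP echo header (8 bytes): what ping adds on top of -s
IP_ICMP_OVERHEAD = 28


def ping_df_probe(host, payload, timeout=2):
    """Send one ICMP echo carrying `payload` data bytes with DF set.

    Linux iputils flags are assumed: -M do refuses local fragmentation and
    sets DF, -s sets the payload size.  True when a reply arrives; False
    when the probe is dropped or a router answers "fragmentation needed".
    """
    cmd = ["ping", "-c", "1", "-W", str(timeout), "-M", "do",
           "-s", str(payload), host]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL)
    return result.returncode == 0


def find_path_mtu(host, probe=ping_df_probe, lo=40, hi=8972):
    """Binary-search the largest DF-marked payload the path still carries.

    `probe(host, payload)` returns True for a delivered probe.  Returns the
    path MTU in bytes (payload + IP/ICMP overhead), or None when even the
    smallest probe is lost (host down, ICMP filtered, and so on).
    """
    if not probe(host, lo):
        return None
    best = lo
    lo += 1
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(host, mid):
            best = mid          # delivered: try something bigger
            lo = mid + 1
        else:
            hi = mid - 1        # dropped: the path MTU is smaller
    return best + IP_ICMP_OVERHEAD


def mss_clamp_rule(mtu):
    """iptables rule (as an argv list) clamping TCP MSS to fit `mtu`.

    MSS = MTU - 20 (IPv4 header) - 20 (TCP header).  Installed in the
    mangle table on the NAT box it keeps full-size SSH segments below the
    path MTU even where PMTU discovery is broken by a filtered ICMP path.
    """
    return ["iptables", "-t", "mangle", "-A", "FORWARD", "-p", "tcp",
            "--tcp-flags", "SYN,RST", "SYN",
            "-j", "TCPMSS", "--set-mss", str(mtu - 40)]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: %s <host>" % sys.argv[0])
    target = sys.argv[1]
    mtu = find_path_mtu(target)
    if mtu is None:
        print("no DF probe got through to %s" % target)
    else:
        print("path MTU to %s: %d bytes" % (target, mtu))
        print("suggested clamp: " + " ".join(mss_clamp_rule(mtu)))
```

If the probe tops out at 1500 on both links, the problem is not MTU and the iptables/equalize setup needs a closer look; if the NAT'd link stops short of 1500, the printed TCPMSS rule (or its --clamp-mss-to-pmtu form, when the NAT box itself sees the correct PMTU) is the usual fix.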
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 2 Oct 2002 11:25:09 +1000 (EST)
Subject: [Bug 406] New: Build openssh-3.4p1 fails, Mac OS X v1.2
Message-ID: <20021002012509.D9A893D0E6@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=406

Summary: Build openssh-3.4p1 fails, Mac OS X v1.2
Product: Portable OpenSSH
Version: -current
Platform: PPC
OS/Version: Mac OS X
Status: NEW
Severity: normal
Priority: P2
Component: Build system
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: sshears at world.std.com

Attempt to build openssh-3.4p1 on Mac OS X Server v1.2 (that's right, v1.2 circa 2000, also known as Rhapsody). make fails with this error:

cc -o ssh ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib -lssh -lopenbsd-compat -lz -lcrypto
/usr/bin/ld: multiple definitions of symbol _msg_send
./libssh.a(msg.o) definition of _msg_send in section (__TEXT,__text)
/System/Library/Frameworks/System.framework/System(msg.o) definition of _msg_send
make: *** [ssh] Error 1

3.3p1 fails in the same manner.

-- Sally

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Oct 2 11:36:09 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 2 Oct 2002 11:36:09 +1000 (EST)
Subject: [Bug 407] New: Build openssh-3.1p1 fails, Mac OS X v1.2
Message-ID: <20021002013609.7D6BE3D15D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=407

Summary: Build openssh-3.1p1 fails, Mac OS X v1.2
Product: Portable OpenSSH
Version: 3.1p1
Platform: PPC
OS/Version: Mac OS X
Status: NEW
Severity: normal
Priority: P2
Component: Build system
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: sshears at world.std.com

Build 3.1p1 fails on Mac OS X Server v 1.2 (a.k.a. "Rhapsody") with this error in make:

cc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -I/usr/local/ssl/include -DSSHDIR=\"/private/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_PIDDIR=\"/var/run\" -DSSH_RAND_HELPER=\"/usr/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c ssh-agent.c
ssh-agent.c:135: illegal statement, missing `;' after `)'
ssh-agent.c:162: illegal statement, missing `;' after `)'
make: *** [ssh-agent.o] Error 1

The code at ssh-agent.c line 135 is:

	TAILQ_FOREACH(id, &tab->idlist, next) {
		if (key_equal(key, id->key))
			return (id);
	}

This is with the virgin 3.1p1; same error in make if I apply the patch openssh-3.1p1-adv.token.patch

-- Sally

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Oct 2 13:13:35 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 2 Oct 2002 13:13:35 +1000 (EST)
Subject: [Bug 407] Build openssh-3.1p1 fails, Mac OS X v1.2
Message-ID: <20021002031335.3F54D3D0E6@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=407

------- Additional Comments From mouring at eviladmin.org 2002-10-02 13:13 -------
We are in release mode. Please check out a snapshot at:
http://www.openssh.com/portable.html

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Oct 2 13:14:45 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 2 Oct 2002 13:14:45 +1000 (EST)
Subject: [Bug 406] Build openssh-3.4p1 fails, Mac OS X v1.2
Message-ID: <20021002031445.D7A603D16C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=406

------- Additional Comments From mouring at eviladmin.org 2002-10-02 13:14 -------
We are in release mode. Please check out a snapshot at:
http://www.openssh.com/portable.html

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Oct 2 23:19:15 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 2 Oct 2002 23:19:15 +1000 (EST)
Subject: [Bug 406] Build openssh-3.4p1 fails, Mac OS X v1.2
Message-ID: <20021002131915.F060B3D0E6@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=406

------- Additional Comments From markus at openbsd.org 2002-10-02 23:19 -------
i think we need to
	s/msg_send/ssh_msg_send/g
	s/msg_recv/ssh_msg_recv/g
(i forgot about this..)

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Oct 3 06:37:07 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 3 Oct 2002 06:37:07 +1000 (EST)
Subject: [Bug 408] New: sshd[25790]: error: socket: Protocol not supported
Message-ID: <20021002203707.708683D0E6@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=408

Summary: sshd[25790]: error: socket: Protocol not supported
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: OpenBSD
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: quel at gnu.org

This problem just cropped up when I started to do:
	ssh -L 3100:localhost:3128 ip

(tunneling web through ssh)

openbsd 3.1 running openssh 3.4

The only real downside is the annoyance of the log files but seemingly no loss of functionality.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Oct 3 12:50:07 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 3 Oct 2002 12:50:07 +1000 (EST)
Subject: [Bug 406] Build openssh-3.4p1 fails, Mac OS X v1.2
Message-ID: <20021003025007.A986B3D163@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=406

------- Additional Comments From djm at mindrot.org 2002-10-03 12:49 -------
Created an attachment (id=153)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=153&action=view)
s/msg_send/ssh_msg_send/

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Oct 3 12:54:20 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 3 Oct 2002 12:54:20 +1000 (EST)
Subject: [Bug 406] Build openssh-3.4p1 fails, Mac OS X v1.2
Message-ID: <20021003025420.337513D15B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=406

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

------- Additional Comments From djm at mindrot.org 2002-10-03 12:54 -------
Attached patch does what Markus suggests.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From pekkas at netcore.fi Thu Oct 3 16:41:17 2002
From: pekkas at netcore.fi (Pekka Savola)
Date: Thu, 3 Oct 2002 09:41:17 +0300 (EEST)
Subject: [Bug 408] New: sshd[25790]: error: socket: Protocol not supported
In-Reply-To: <20021002203707.708683D0E6@shitei.mindrot.org>
Message-ID: 

FWIW, this is what happens if you run 'sshd -6' on Linux (allows IPv4 ssh connections through mapped addresses) and try to run IPv4 port forwardings.

But as OpenBSD does not support mapped addresses (the server is OpenBSD right?), this might not be the case here.

On Thu, 3 Oct 2002 bugzilla-daemon at mindrot.org wrote:

> http://bugzilla.mindrot.org/show_bug.cgi?id=408
>
> Summary: sshd[25790]: error: socket: Protocol not supported
> Product: Portable OpenSSH
> Version: -current
> Platform: All
> OS/Version: OpenBSD
> Status: NEW
> Severity: normal
> Priority: P2
> Component: sshd
> AssignedTo: openssh-unix-dev at mindrot.org
> ReportedBy: quel at gnu.org
>
>
> This problem just cropped up when i started to do:
> ssh -L 3100:localhost:3128 ip
>
> (tunneling web through ssh)
>
> openbsd 3.1 running openssh 3.4
>
> the only real downside is the annoyance of the log files but seemingly no loss
> of functionality.
>
>
>
> ------- You are receiving this mail because: -------
> You are the assignee for the bug, or are watching the assignee.
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

From bugzilla-daemon at mindrot.org Thu Oct 3 18:26:35 2002
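Why the bug 408 log line is noise rather than a failure, and why Pekka's 'sshd -6' scenario produces the same thing: a forwarding daemon resolves the target with getaddrinfo(), which can return several candidates (IPv6 and IPv4, or a family the running kernel or the daemon's command-line restriction cannot open), and then tries them in order, logging each socket() or connect() that fails and moving on. Only if every candidate fails does the forwarding break. The loop below is an added example written for this thread, not OpenSSH's own code; the bad candidate it is tested with is a constructed addrinfo tuple with a protocol number nothing implements, so socket() fails with "Protocol not supported" just as in the reporter's log.

```python
import errno
import socket


def connect_to(host, port, addrinfo=None):
    """Try each getaddrinfo() candidate in turn, as a forwarding daemon does.

    Returns (sock, failures): the first socket that connected (or None) and
    a list of (stage, family, errno, strerror) tuples, one per candidate
    that failed at socket() or connect().  A failure list is what turns into
    'error: socket: Protocol not supported' in a daemon's log; it matters
    only when `sock` is also None.

    `addrinfo` may be supplied to bypass DNS, e.g. a constructed list in a
    test; otherwise the host is resolved for both address families.
    """
    if addrinfo is None:
        addrinfo = socket.getaddrinfo(host, port, socket.AF_UNSPEC,
                                      socket.SOCK_STREAM)
    failures = []
    for family, socktype, proto, _canonname, sockaddr in addrinfo:
        try:
            sock = socket.socket(family, socktype, proto)
        except OSError as e:
            # The family/protocol is not available here (IPv6-only daemon
            # asked for IPv4, kernel without IPv6, bogus protocol number).
            failures.append(("socket", family, e.errno, e.strerror))
            continue
        try:
            sock.settimeout(2.0)
            sock.connect(sockaddr)
        except OSError as e:
            sock.close()
            failures.append(("connect", family, e.errno, e.strerror))
            continue
        sock.settimeout(None)
        return sock, failures
    return None, failures


def log_lines(failures):
    """Render failures the way sshd's error() would print them."""
    return ["error: %s: %s" % (stage, strerror)
            for stage, _family, _errno, strerror in failures]


if __name__ == "__main__":
    # Demo against a local listener; the first candidate uses protocol 255,
    # which no SOCK_STREAM implementation registers, so it fails at socket().
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    candidates = [
        (socket.AF_INET, socket.SOCK_STREAM, 255, "", ("127.0.0.1", port)),
        (socket.AF_INET, socket.SOCK_STREAM, 0, "", ("127.0.0.1", port)),
    ]
    sock, failures = connect_to("127.0.0.1", port, addrinfo=candidates)
    for line in log_lines(failures):
        print(line)
    print("connected" if sock else "all candidates failed")
    if sock:
        sock.close()
    listener.close()
```

The daemon-side fix for the log noise, when the extra family is genuinely unusable, is to restrict address resolution to the families the host can open (OpenSSH's -4/-6 and AddressFamily do this) rather than to stop logging socket() failures, since the same line is the only evidence when a forwarding really does fail.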
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 3 Oct 2002 18:26:35 +1000 (EST)
Subject: [Bug 409] New: Installation from cygwin doesn't configure sshd
Message-ID: <20021003082635.9562B3D0E6@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=409

Summary: Installation from cygwin doesn't configure sshd
Product: Portable OpenSSH
Version: -current
Platform: ix86
URL: ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/INSTALL
OS/Version: Cygwin on NT/2k
Status: NEW
Severity: normal
Priority: P2
Component: Documentation
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: marc.girod at nokia.com

I installed openSSH to a w2k Windows Terminal Server from the cygwin setup. The installation completed without errors. However, I cannot find anywhere configuration files for the daemon. How should I proceed?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Oct 4 06:35:52 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 4 Oct 2002 06:35:52 +1000 (EST)
Subject: [Bug 410] New: when -i or IdentityFile is specified, agent keys are still tried first
Message-ID: <20021003203552.A47773D163@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=410

Summary: when -i or IdentityFile is specified, agent keys are still tried first
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: minor
Priority: P2
Component: ssh-agent
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: bugzilla at home-safe.net

I noticed this because I have five keys in my ssh-add -l list and I often experience the behaviour when connecting to systems where I use password auth that if I don't get the password right on the first shot, it tells me "too many auth failures" and I don't get a second chance.

So I was looking at the -v output and wondering why all my ssh-agent identities are tried _before_ the identity explicitly configured in the .ssh/config file or supplied on the command line with -i.

It would be nice to have an option to suppress the ssh-agent auth attempts when I know they aren't applicable.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Oct 4 17:34:29 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 4 Oct 2002 17:34:29 +1000 (EST)
Subject: [Bug 410] when -i or IdentityFile is specified, agent keys are still tried first
Message-ID: <20021004073429.87E023D0E6@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=410

------- Additional Comments From markus at openbsd.org 2002-10-04 17:34 -------
it's not documented that -i or IdentityFile overwrite the agent and it's too late to even consider this change.

if you don't want to use the agent, unset SSH_AUTH_SOCK

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Oct 4 18:22:44 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 4 Oct 2002 18:22:44 +1000 (EST)
Subject: [Bug 411] New: Configuration problem with PAM header
Message-ID: <20021004082244.717243D0E6@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=411

Summary: Configuration problem with PAM header
Product: Portable OpenSSH
Version: -current
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Miscellaneous
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: jurrit.de.vries at 1eeurope.nl

Have PAM-devel installed on RedHat system. But with ./configure --with-pam I keep getting 'configure: error: PAM headers not found'

Tried the contrib/redhat/sshd.pam

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Oct 4 18:37:27 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 4 Oct 2002 18:37:27 +1000 (EST)
Subject: [Bug 411] Configuration problem with PAM header
Message-ID: <20021004083727.48A5D3D0E6@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=411

jurrit.de.vries at 1eeurope.nl changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From jurrit.de.vries at 1eeurope.nl 2002-10-04 18:37 -------
pam-devel was not installed correctly, sorry...

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Oct 4 19:15:42 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 4 Oct 2002 19:15:42 +1000 (EST)
Subject: [Bug 410] when -i or IdentityFile is specified, agent keys are still tried first
Message-ID: <20021004091542.8E10E3D0E6@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=410

markus at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

------- Additional Comments From markus at openbsd.org 2002-10-04 19:15 -------
we cannot change this.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat Oct 5 01:43:50 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 5 Oct 2002 01:43:50 +1000 (EST)
Subject: [Bug 403] scp generates sparse file when no space left
Message-ID: <20021004154350.D38B63D14E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=403

markus at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  BugsThisDependsOn|                            |85

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat Oct 5 01:43:51 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 5 Oct 2002 01:43:51 +1000 (EST)
Subject: [Bug 394] SSH 2 MAC Error Caused By OpenSSH?
Message-ID: <20021004154351.5A29E3D15D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=394

markus at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From markus at openbsd.org 2002-10-05 01:43 -------
i don't see how this is caused by openssh

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat Oct 5 03:47:35 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 5 Oct 2002 03:47:35 +1000 (EST)
Subject: [Bug 406] Build openssh-3.4p1 fails, Mac OS X v1.2
Message-ID: <20021004174735.825443D0E6@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=406

------- Additional Comments From sshears at world.std.com 2002-10-05 03:47 -------
FWIW, after s/msg_send/ssh_msg_send/g openssh-3.4p1 builds just fine in Rhapsody. Thanks again to all for openssh!

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From smoogen at lanl.gov Sat Oct 5 07:21:30 2002
From: smoogen at lanl.gov (Stephen Smoogen)
Date: 04 Oct 2002 15:21:30 -0600
Subject: Confirming kerberos for upcoming OpenSSH portable release.
Message-ID: <1033766490.13858.154.camel@smoogen1.lanl.gov>

O.K. I know it was too late to make changes for the next release, but thankfully there weren't any changes needed. Kerberos over ssh protocol 1 worked out of the box from CVS today (2002/10/04-14:30)

The krb5 patches we were using (I think from Olaf K) was all in the code. The only thing I had to patch to get things working was removing the scard-install from the Makefile.in

The compiled code then worked for us for our ssh1 krb connections. Now to just get the IETF GSSAPI group to approve things :), and we will be so happy here. Now to see if I can help Simon (well at least moral support).

Thank you for your work.
Stephen

-- 
Stephen John Smoogen                    smoogen at lanl.gov
Los Alamos National Laboratory CCN-2    PH: (505)-665-9408
Ta-03 SM-30 MailStop D445 DP 01U        Los Alamos, NM 87544

From smoogen at lanl.gov Sat Oct 5 07:46:08 2002
From: smoogen at lanl.gov (Stephen Smoogen)
Date: 04 Oct 2002 15:46:08 -0600
Subject: Confirming kerberos for upcoming OpenSSH portable release.
In-Reply-To: <1033766490.13858.154.camel@smoogen1.lanl.gov>
References: <1033766490.13858.154.camel@smoogen1.lanl.gov>
Message-ID: <1033767968.13858.160.camel@smoogen1.lanl.gov>

Dave Williams reminded me the following to make this useful.

OS: Red Hat Linux 7.3

Test
	kinit -f
	ssh -1 localhost
	klist -5afe
	ssh -1 Red Hat Linux 7.1 w/ openssh-3.4p1-server
	klist -5afe
	ssh -1 Solaris running ssh-1.2.27
	klist -5afe

All worked correctly. Forwarding worked on openssh w/ patches which surprised me. The only thing I can't test is going from 1 Kerberos realm to another.

On Fri, 2002-10-04 at 15:21, Stephen Smoogen wrote:
> O.K. I know it was too late to make changes for the next release, but
> thankfully there weren't any changes needed. Kerberos over ssh protocol 1
> worked out of the box from CVS today (2002/10/04-14:30)
>
> The krb5 patches we were using (I think from Olaf K) was all in the
> code. The only thing I had to patch to get things working was removing
> the scard-install from the Makefile.in
>
> The compiled code then worked for us for our ssh1 krb connections. Now
> to just get the IETF GSSAPI group to approve things :), and we will be
> so happy here. Now to see if I can help Simon (well at least moral
> support).
>
> Thank you for your work.
> Stephen
>
>
> --
> Stephen John Smoogen                    smoogen at lanl.gov
> Los Alamos National Laboratory CCN-2    PH: (505)-665-9408
> Ta-03 SM-30 MailStop D445 DP 01U        Los Alamos, NM 87544
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

-- 
Stephen John Smoogen                    smoogen at lanl.gov
Los Alamos National Laboratory CCN-2    PH: (505)-665-9408
Ta-03 SM-30 MailStop D445 DP 01U        Los Alamos, NM 87544

From return at trafficmagnet.com Sat Oct 5 15:28:10 2002
From: return at trafficmagnet.com (Sarah Williams)
Date: Sat, 5 Oct 2002 13:28:10 +0800
Subject: WWW.OPENSSH.ORG
Message-ID: <200210050521.g955Lbg19887@localhost.localdomain>

An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20021005/29c84e5f/attachment.html

From gintas at ki.ericsson.se Sat Oct 5 21:34:37 2002
From: gintas at ki.ericsson.se (Gintautas Grigelionis)
Date: Sat, 5 Oct 2002 13:34:37 +0200 (MEST)
Subject: a patch for 3.4, please
Message-ID: <200210051134.g95BYbZD006987@rizzo.eral.ericsson.se>

Hello all,

I'd greatly appreciate a patch that will stop PAM mucking around after I log in with a Kerberos 4 ticket and forward an AFS ticket (KTH Kerberos 1.1.1 used for libkrb/libkafs). The trouble is, I need pam_krb4, so that folks who log in without tickets using a tunnelled plaintext password would get Kerberos 4 tickets for the box.

I rebuilt sshd without PAM in order to verify that PAM destroys the tokens but I've not enough time to analyse the code in more detail. I guess

# ifdef USE_PAM
	do_pam_setcred(0);
# endif /* USE_PAM */

in session.c is the culprit.

By the way, I've had to disable privsep because otherwise /etc/srvtab cannot be read.

I hope I've provided enough information.

Thanks in advance,
Gintas

From gintas at ki.ericsson.se Mon Oct 7 15:51:11 2002
From: gintas at ki.ericsson.se (Gintautas Grigelionis) Date: Mon, 7 Oct 2002 07:51:11 +0200 (MEST) Subject: a patch for 3.4, please Message-ID: <200210070551.g975pBM1024789@rizzo.eral.ericsson.se> Hello, for the lack of a better, here's my own try at a "AFS token passing vs. Kerberos 4 PAM" problem. Gintas -------------- next part -------------- *** session.c.orig Wed Jun 26 15:51:06 2002 --- session.c Mon Oct 7 07:46:39 2002 *************** *** 86,91 **** --- 86,94 ---- static void do_authenticated2(Authctxt *); static int session_pty_req(Session *); + #ifdef AFS + static int afsfwd = 0; + #endif /* import */ extern ServerOptions options; *************** *** 394,399 **** --- 397,403 ---- verbose("AFS token refused for %.100s", s->authctxt->user); xfree(token); + afsfwd = success; } break; #endif /* AFS */ *************** *** 462,468 **** --- 466,479 ---- #if defined(USE_PAM) do_pam_session(s->pw->pw_name, NULL); + # ifdef AFS + debug ("AFS token passing: %d", afsfwd); + if (afsfwd == 0) { + # endif do_pam_setcred(1); + # ifdef AFS + } + # endif if (is_pam_password_change_required()) packet_disconnect("Password change required but no " "TTY available"); *************** *** 580,586 **** --- 591,604 ---- #if defined(USE_PAM) do_pam_session(s->pw->pw_name, s->tty); + # ifdef AFS + debug ("AFS token passing: %d", afsfwd); + if (afsfwd == 0) { + # endif do_pam_setcred(1); + # ifdef AFS + } + # endif #endif /* Fork the child. */ From phil at bolthole.com Tue Oct 8 06:22:30 2002 
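Review bot: in the first hunk (`*** 86,91 ****`), `static int afsfwd = 0;` is a file-scope global describing per-session state (whether this session's AFS token was accepted), and it is only declared under `#ifdef AFS`, so every later use has to be wrapped in its own `# ifdef AFS`. Carrying the flag in the Session (next to the `authctxt` already used in the AFS case) or declaring it unconditionally, with the AFS-less build simply never setting it, would let the later call sites read as a plain `if (!afsfwd) do_pam_setcred(1);` with no nested preprocessor guards.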
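Review bot: in the second hunk (`*** 394,399 ****`), `afsfwd = success;` is assigned after the `verbose("AFS token refused for %.100s", ...)` path as well, so the flag records "token accepted" rather than "token forwarded"; with the name as it is, the `if (afsfwd == 0)` checks later read as though they test whether forwarding was attempted. Either set it only on success (`if (success) afs_token_ok = 1;`) or rename it, and add a one-line comment saying why an accepted token must suppress PAM setcred (pam_krb4 replacing the forwarded credentials), since nothing in the hunk explains the coupling.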
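Review bot: in the third hunk (`*** 462,468 ****`), skipping `do_pam_setcred(1)` when an AFS token was accepted switches off credential setup for every module in the sshd PAM stack, not only pam_krb4, so anything else that does its work in setcred stops applying for exactly the users who logged in with tickets. A narrower fix keeps the call and stops pam_krb4 from replacing the forwarded token (its own options or stack ordering), or at least documents that PAM setcred is bypassed for ticket logins. Also, the `# ifdef AFS ... if (afsfwd == 0) { # endif ... # ifdef AFS } # endif` pattern opens a brace in one preprocessor block and closes it in another, which is easy to break in a later edit; `if (!afsfwd) do_pam_setcred(1);` with `afsfwd` defined (as 0) in non-AFS builds avoids that.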
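Review bot: the fourth hunk (`*** 580,586 ****`) repeats the third line for line, once for the pty path and once for the no-pty path, including the `debug("AFS token passing: %d", afsfwd)` message. Factor the guarded call into one small helper (for example `static void do_pam_setcred_unless_afs(void)`) so the two paths cannot drift apart and the AFS/PAM interaction is documented in a single place.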
From: phil at bolthole.com (Philip Brown)
Date: Mon, 7 Oct 2002 13:22:30 -0700
Subject: good news for solaris8 &3.4p1
Message-ID: <20021007132230.A92021@bolthole.com>

Thanks go to Darren Tucker who posted about "#if 0" on auth-pam.c. I saw his email in the archive, about solaris 7.

I removed the "#if 0", and finally, password expiration works.

A caveat or two:

If UseLogin=no (the default), if a user fails to use the correct password for a "change on first login" account, you get the following message:

sshd(SYSTEM): Sorry, wrong passwd
removing root credentials would break the rpc services that
use secure rpc on this host!
root may use keylogout -f to do this (at your own risk)!

On the other hand, if UseLogin=yes

telnet(SYSTEM): Sorry, wrong passwd
Connection to srvwfs01 closed.

I'm not exactly sure which is the preferred one to use here :-)
Any recommendations?

BTW: This was with making zero changes to the Solaris 8 /etc/pam.conf

From dtucker at zip.com.au Tue Oct 8 10:39:55 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 08 Oct 2002 10:39:55 +1000
Subject: good news for solaris8 &3.4p1
References: <20021007132230.A92021@bolthole.com>
Message-ID: <3DA2295B.753282B6@zip.com.au>

Philip Brown wrote:
> On the other hand, if UseLogin=yes
[snip]
> I'm not exactly sure which is the preferred one to use here :-)
> Any recommendations?

You can't use X11 Forwarding with UseLogin. This may or may not matter to you.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From phil at bolthole.com Tue Oct 8 11:00:34 2002
From: phil at bolthole.com (Philip Brown) Date: Mon, 7 Oct 2002 18:00:34 -0700 Subject: good news for solaris8 &3.4p1 In-Reply-To: <3DA2295B.753282B6@zip.com.au>; from dtucker@zip.com.au on Tue, Oct 08, 2002 at 10:39:55AM +1000 References: <20021007132230.A92021@bolthole.com> <3DA2295B.753282B6@zip.com.au> Message-ID: <20021007180034.A21662@bolthole.com> On Tue, Oct 08, 2002 at 10:39:55AM +1000, Darren Tucker wrote: > Philip Brown wrote: > > On the other hand, if UseLogin=yes > [snip] > > I'm not exactly sure which is the preferred one to use here :-) > > Any recommendations? > > You can't use X11 Forwarding with UseLogin. This may or may not matter > to you. Yes, it does matter. Thanks for pointing that out. Are there any underlying OS integration or security concerns I should be aware of though, when using PAM with UseLogin=no ? That whole "removing root credentials" warning seems to indicate a semi-good reason behind why that code was buried in #if 0 There seems to possibly be a bug in PAM initialization by sshd, maybe? But not knowing much about PAM myself, I dunno From mouring at etoh.eviladmin.org Tue Oct 8 13:20:09 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 7 Oct 2002 22:20:09 -0500 (CDT) Subject: good news for solaris8 &3.4p1 In-Reply-To: <20021007180034.A21662@bolthole.com> Message-ID: Not so much a bug as in how things are handled between Linux PAM and Solaris PAM. Sadly this won't be fixed in 3.5 release coming out in the near future. - Ben On Mon, 7 Oct 2002, Philip Brown wrote: > On Tue, Oct 08, 2002 at 10:39:55AM +1000, Darren Tucker wrote: > > Philip Brown wrote: > > > On the other hand, if UseLogin=yes > > [snip] > > > I'm not exactly sure which is the preferred one to use here :-) > > > Any recommendations? > > > > You can't use X11 Forwarding with UseLogin. This may or may not matter > > to you. > > Yes, it does matter. Thanks for pointing that out. > > Are there any underlying OS integration or security concerns I should be > aware of though, when using PAM with UseLogin=no ? > > That whole "removing root credentials" warning seems to indicate a semi-good > reason behind why that code was buried in #if 0 > There seems to possibly be a bug in PAM initialization by sshd, maybe? > > But not knowing much about PAM myself, I dunno > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From Eric.Ladner at ChevronTexaco.com Wed Oct 9 00:43:49 2002 
From: Eric.Ladner at ChevronTexaco.com (Ladner, Eric (Eric.Ladner)) Date: Tue, 8 Oct 2002 09:43:49 -0500 Subject: Memory fault on HP-UX 11.0, 3.4p1 Message-ID: <53D65D67C6AA694284F7584E25ADD35409D2CA@nor935nte2k1.nor935.chevrontexaco.net> Is this a known issue? (ignore the pervasive MS-outlook capitalization) Ssh-agent /bin/ksh Ssh-add /root/.ssh/id_rsa Blah blah Ssh -vvv some_server date ... debug1: ssh_rsa_verify: signature correct debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: Enabling compression at level 6. debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. debug1: send SSH2_MSG_SERVICE_REQUEST debug1: service_accept: ssh-userauth debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: authentications that can continue: publickey,password,keyboard-interactive debug3: start over, passed a different list publickey,password,keyboard-interactive debug3: preferred publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: next auth method to try is publickey debug1: userauth_pubkey_agent: testing agent key /root/.ssh/id_rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 400377a0 hint -1 debug2: input_userauth_pk_ok: fp 7a:44:be:6c:94:18:fb:0c:ff:e5:1a:9a:07:98:a5:27 debug3: sign_and_send_pubkey debug3: clear_auth_state: key_free 400377a0 debug1: ssh-userauth2 successful: method publickey debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug1: send channel open 0 Memory fault(coredump) # ssh -V OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f HP-UX 11.0 (March 2002 patches) Thanks, Eric From d_wllms at lanl.gov Wed Oct 9 01:05:29 2002 
From: d_wllms at lanl.gov (David M. Williams) Date: Tue, 08 Oct 2002 09:05:29 -0600 Subject: Memory fault on HP-UX 11.0, 3.4p1 References: <53D65D67C6AA694284F7584E25ADD35409D2CA@nor935nte2k1.nor935.chevrontexaco.net> Message-ID: <3DA2F439.3050505@lanl.gov> Eric, Can you run the ssh cmd via truss or strace (not sure which is supported on HP-UX)? Dave Ladner, Eric (Eric.Ladner) wrote: >Is this a known issue? (ignore the pervasive MS-outlook capitalization) > >Ssh-agent /bin/ksh >Ssh-add /root/.ssh/id_rsa >Blah blah > >Ssh -vvv some_server date >... >debug1: ssh_rsa_verify: signature correct >debug1: kex_derive_keys >debug1: newkeys: mode 1 >debug1: Enabling compression at level 6. >debug1: SSH2_MSG_NEWKEYS sent >debug1: waiting for SSH2_MSG_NEWKEYS >debug1: newkeys: mode 0 >debug1: SSH2_MSG_NEWKEYS received >debug1: done: ssh_kex2. >debug1: send SSH2_MSG_SERVICE_REQUEST >debug1: service_accept: ssh-userauth >debug1: got SSH2_MSG_SERVICE_ACCEPT >debug1: authentications that can continue: >publickey,password,keyboard-interactive >debug3: start over, passed a different list >publickey,password,keyboard-interactive >debug3: preferred publickey,keyboard-interactive,password >debug3: authmethod_lookup publickey >debug3: remaining preferred: keyboard-interactive,password >debug3: authmethod_is_enabled publickey >debug1: next auth method to try is publickey >debug1: userauth_pubkey_agent: testing agent key /root/.ssh/id_rsa >debug3: send_pubkey_test >debug2: we sent a publickey packet, wait for reply >debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 400377a0 hint >-1 >debug2: input_userauth_pk_ok: fp >7a:44:be:6c:94:18:fb:0c:ff:e5:1a:9a:07:98:a5:27 >debug3: sign_and_send_pubkey >debug3: clear_auth_state: key_free 400377a0 >debug1: ssh-userauth2 successful: method publickey >debug1: channel 0: new [client-session] >debug3: ssh_session2_open: channel_new: 0 >debug1: send channel open 0 >Memory fault(coredump) > ># ssh -V >OpenSSH_3.4p1, SSH protocols 1.5/2.0, 
OpenSSL 0x0090607f > >HP-UX 11.0 (March 2002 patches) > >Thanks, > >Eric > >_______________________________________________ >openssh-unix-dev at mindrot.org mailing list >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > > > -- David M. Williams, CISSP Phone: 505-665-5021 Systems Engineer, CCN-2 Fax: 505-667-7428 Los Alamos National Laboratory Email: d_wllms at lanl.gov From Eric.Ladner at ChevronTexaco.com Wed Oct 9 01:30:37 2002 
From: Eric.Ladner at ChevronTexaco.com (Ladner, Eric (Eric.Ladner)) Date: Tue, 8 Oct 2002 10:30:37 -0500 Subject: Memory fault on HP-UX 11.0, 3.4p1 Message-ID: <53D65D67C6AA694284F7584E25ADD354333405@nor935nte2k1.nor935.chevrontexaco.net> Here's the last page or two of a "truss ssh pappt date" Let me know if you need more. Eric read(5, "p a p p t , 1 4 6 . 2 5 . 1 4 . ".., 8192) = 3945 lseek(5, 4294963580, SEEK_CUR) = 229 close(5) = 0 open("/root/.ssh/known_hosts", O_RDONLY|O_LARGEFILE, 0666) = 5 ioctl(5, TCGETA, 0x7b043ce0) ERR#25 ENOTTY read(5, "p a p p t , 1 4 6 . 2 5 . 1 4 . ".., 8192) = 3945 lseek(5, 4294963580, SEEK_CUR) = 229 close(5) = 0 brk(0x40086000) = 0 brk(0x40096000) = 0 brk(0x400a6000) = 0 write(4, "\0\0\0\f\n15\0\0\0\0\0\0\0\0\0\0", 16) = 16 brk(0x400a9000) = 0 brk(0x400b1000) = 0 write(4, "P \a86051fS ae6 , aba7119d10fe06".., 48) = 48 select(5, 0x4002b8a8, NULL, NULL, NULL) = 1 read(4, "faa88 92s k c2X M N % _ K Z 1d81".., 8192) = 48 brk(0x400b2000) = 0 socket2(1, 1, 0) = 5 fcntl(5, F_SETFD, 1) = 0 connect(5, 0x7b040918, 94) = 0 write(4, "8d9ba2c6e49faceef510; I faN ccb5".., 64) = 64 select(5, 0x4002b8a8, NULL, NULL, NULL) = 1 read(4, "f5& \t7 9691\a6 \0e4A 9efdfdo I ".., 8192) = 80 brk(0x400b3000) = 0 write(5, "\0\0\001", 4) = 4 write(5, "\v", 1) = 1 read(5, "\0\0\0b3", 4) = 4 read(5, "\f\0\0\001\0\0\095\0\0\0\as s h ".., 179) = 179 write(4, "\ H \f\r\bb5Z 1f945 eeb9L # 90R ".., 208) = 208 select(5, 0x4002ba18, NULL, NULL, NULL) = 1 read(4, "e087\ae8ba( b3c6Z 1696a0e86 ea: ".., 8192) = 192 brk(0x400b4000) = 0 write(5, "\0\00187", 4) = 4 write(5, "\r\0\0\095\0\0\0\as s h - r s a ".., 391) = 391 read(5, "\0\0\094", 4) = 4 read(5, "0e\0\0\08f\0\0\0\as s h - r s a ".., 148) = 148 write(4, "c J 15178bb6b710d fcG E edb3y w ".., 176) = 176 select(5, 0x4002ba18, NULL, NULL, NULL) = 1 read(4, "8d1e, H j e3a4ac9bff3 e9b1e0P 17".., 8192) = 32 close(5) = 0 dup(0) = 5 dup(1) = 6 dup(2) = 7 ioctl(5, TCGETA, 0x7b0408a0) = 0 ioctl(6, TCGETA, 0x7b0408a0) = 0 
ioctl(7, TCGETA, 0x7b0408a0) = 0 brk(0x400b5000) = 0 Received signal 11, SIGSEGV, in user mode, [SIG_DFL], partial siginfo Siginfo: si_code: I_NONEXIST, faulting address: 0xf5fe38bc, si_errno: 0 PC: 0xc0bd6c1f, instruction: 0x48350ee8 exit(11) [implicit] WIFSIGNALED(SIGSEGV)|WCOREDUMP -----Original Message----- 
From: David M. Williams [mailto:d_wllms at lanl.gov] Sent: Tuesday, October 08, 2002 10:05 AM To: Ladner, Eric (Eric.Ladner) Cc: openssh-unix-dev at mindrot.org Subject: Re: Memory fault on HP-UX 11.0, 3.4p1 Eric, Can you run the ssh cmd via truss or strace (not sure which is supported on HP-UX)? Dave Ladner, Eric (Eric.Ladner) wrote: >Is this a known issue? (ignore the pervasive MS-outlook >capitalization) > >Ssh-agent /bin/ksh >Ssh-add /root/.ssh/id_rsa >Blah blah > >Ssh -vvv some_server date >... >debug1: ssh_rsa_verify: signature correct >debug1: kex_derive_keys >debug1: newkeys: mode 1 >debug1: Enabling compression at level 6. >debug1: SSH2_MSG_NEWKEYS sent >debug1: waiting for SSH2_MSG_NEWKEYS >debug1: newkeys: mode 0 >debug1: SSH2_MSG_NEWKEYS received >debug1: done: ssh_kex2. >debug1: send SSH2_MSG_SERVICE_REQUEST >debug1: service_accept: ssh-userauth >debug1: got SSH2_MSG_SERVICE_ACCEPT >debug1: authentications that can continue: >publickey,password,keyboard-interactive >debug3: start over, passed a different list >publickey,password,keyboard-interactive >debug3: preferred publickey,keyboard-interactive,password >debug3: authmethod_lookup publickey >debug3: remaining preferred: keyboard-interactive,password >debug3: authmethod_is_enabled publickey >debug1: next auth method to try is publickey >debug1: userauth_pubkey_agent: testing agent key /root/.ssh/id_rsa >debug3: send_pubkey_test >debug2: we sent a publickey packet, wait for reply >debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 400377a0 >hint -1 >debug2: input_userauth_pk_ok: fp >7a:44:be:6c:94:18:fb:0c:ff:e5:1a:9a:07:98:a5:27 >debug3: sign_and_send_pubkey >debug3: clear_auth_state: key_free 400377a0 >debug1: ssh-userauth2 successful: method publickey >debug1: channel 0: new [client-session] >debug3: ssh_session2_open: channel_new: 0 >debug1: send channel open 0 >Memory fault(coredump) > ># ssh -V >OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f > >HP-UX 11.0 (March 2002 patches) 
> >Thanks, > >Eric > >_______________________________________________ >openssh-unix-dev at mindrot.org mailing list >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > > > -- David M. Williams, CISSP Phone: 505-665-5021 Systems Engineer, CCN-2 Fax: 505-667-7428 Los Alamos National Laboratory Email: d_wllms at lanl.gov From ahirsch at slb.com Wed Oct 9 02:28:55 2002 
From: ahirsch at slb.com (Aaron M. Hirsch) Date: Tue, 08 Oct 2002 11:28:55 -0500 Subject: openssh-3.4p1 install problems on Solaris 6 with openssl-0.9.6g Message-ID: <3DA307C7.6060007@slb.com> All, I have successfully compiled and installed openssl 0.9.6g and am attempting to install openssh-3.4p1. I am using the following configure command for openssh: ./configure --prefix=/opt/local --sysconfdir=/opt/local/etc/ssh --with-tcp-wrappers --with-ssl-dir=/opt/local --with-rand-helper The configuration appears to work flawlessly. However, when I try to make the package I get the following error: root at stupidbox# make (cd openbsd-compat && make) gcc -o sshd sshd.o auth.o auth1.o auth2.o auth2-hostbased.o auth2-none.o auth2-passwd.o auth2-pubkey.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o monitor_mm.o monitor.o -L. -Lopenbsd-compat/ -L/opt/local/lib -R/opt/local/lib -ldl -L/usr/local/lib -R/usr/local/lib -lssh -lopenbsd-compat -lwrap -lz -lsocket -lnsl -lcrypto Undefined first referenced symbol in file method_kbdint auth2.o getipnodebyname ./libwrap.a(misc.o) inet_pton ./libwrap.a(hosts_access.o) inet_ntop ./libwrap.a(socket.o) freehostent ./libwrap.a(misc.o) ld: fatal: Symbol referencing errors. No output written to sshd collect2: ld returned 1 exit status *** Error code 1 make: Fatal error: Command failed for target `sshd' I am attempting to get the installation working on a Solaris 6 box. (Ultra 10) The gcc compiler is: root at stupidbox# gcc -v Reading specs from /usr/local/lib/gcc-lib/sparc-sun-solaris2.6/2.95.2/specs gcc version 2.95.2 19991024 (release) I have been able to successfully install the same configuration on our Solaris 8 boxes. I've been scouring the web for references to this issue, but to no avail. 
Does anyone have any ideas on what is going on or where I should be looking? Note: I have also tried using LDFLAGS="-ldl" ./configure --prefix=/opt/local --sysconfdir=/opt/local/etc/ssh --with-tcp-wrappers --with-ssl-dir=/opt/local --with-rand-helper . No dice. Any suggestions/ideas would be greatly appreciated! Thanks! -- Aaron M. Hirsch UNIX Systems Administrator SchlumbergerSema 11146 Thompson Ave. Lenexa, KS 66219 Phone: (913) 312-4717 Mobile: (913) 284-9094 Fax: (913) 312-4701 "With great power comes great responsibility." Uncle Ben From binder at arago.de Wed Oct 9 02:48:03 2002 
From: binder at arago.de (Thomas Binder) Date: Tue, 8 Oct 2002 18:48:03 +0200 Subject: openssh-3.4p1 install problems on Solaris 6 with openssl-0.9.6g In-Reply-To: <3DA307C7.6060007@slb.com>; from ahirsch@slb.com on Tue, Oct 08, 2002 at 11:28:55AM -0500 References: <3DA307C7.6060007@slb.com> Message-ID: <20021008184803.A20843475@ohm.arago.de> Hi! On Tue, Oct 08, 2002 at 11:28:55AM -0500, Aaron M. Hirsch wrote: > The configuration appears to work flawlessly. However, when I > try to make the package I get the following error: > [...] > > root at stupidbox# make > [...] > Undefined first referenced > symbol in file > method_kbdint auth2.o > getipnodebyname ./libwrap.a(misc.o) > inet_pton ./libwrap.a(hosts_access.o) > inet_ntop ./libwrap.a(socket.o) > freehostent ./libwrap.a(misc.o) > ld: fatal: Symbol referencing errors. No output written to sshd > collect2: ld returned 1 exit status > *** Error code 1 > make: Fatal error: Command failed for target `sshd' > > I am attempting to get the installation working on a Solaris 6 > box. Are you sure the libwrap.a you use for the build process was also built on Solaris 2.6? For me, it seems to have been built on Solaris 8 - both Solaris 2.6 and Solaris 7 do not have any of the functions the linker is missing. Note that you can use libraries and binaries built on an older Solaris version on newer ones without problems, but not necessarily the other way around. Ciao Thomas From Roumen.Petrov at skalasoft.com Wed Oct 9 02:55:40 2002 
From: Roumen.Petrov at skalasoft.com (Roumen.Petrov at skalasoft.com) Date: Tue, 08 Oct 2002 19:55:40 +0300 Subject: patch for some messages in current Message-ID: <3DA30E0C.5030903@skalasoft.com> patches in attached file: - correct message in key_demote() - new error message when cannot create pid file -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: moremsg.patch Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20021008/2ece6e84/attachment.ksh From miller at al.noaa.gov Wed Oct 9 03:09:31 2002 
From: miller at al.noaa.gov (Henry LeRoy Miller, Jr.) Date: Tue, 8 Oct 2002 11:09:31 -0600 Subject: tru64 unix openssh-3.4p1 problems Message-ID: Hi, I'm attempting to get openssh-3.4p1 up and running on our DEC/Compaq Alpha workstations. They are running Tru64 Unix 5.1A. I compile the package myself. Openssh-3.1 worked perfectly, with the default sshd_config file. Openssh-3.4p1 works, if I set UsePrivilegeSeparation to "no" in the sshd_config file. NOTE: I have a secondary issue with the ListenAddress default setting (0.0.0.0); I must either explicitly set it the server machine IP address, or must set the address 0.0.0.0 as allowed for sshd in my tcp-wrappers hosts.allow file. I only mention this in case it is relevant - I don't believe it is related to privsep problems. When I have UsePrivilegeSeparation at the default setting ("yes"), I am able to initiate an ssh connection (subject to the NOTE info above), but the connection ultimately fails with the following log entries: Accepted password for uther from 140.172.241.43 port 2762 ssh2 cannot set login uid 8970: error Not owner. audgen(LOGIN): Permission denied fatal: Couldn't establish session for uther from gawain I have the following in my /etc/passwd file: sshd:Nologin:22:22:sshd privsep:/var/empty:/bin/false and the following in my /etc/group file: sshd:*:22: and the following directory exists: drwx------ 2 root system 8192 Oct 2 09:30 empty I've also tried the following in my /etc/passwd file: sshd:*:22:22:sshd privsep:/var/empty:/bin/false Is this one of the few issues with some operating systems that is still being worked on? Any suggestions? Many thanks, Henry Miller -- Dr. Henry LeRoy Miller, Jr. NOAA Aeronomy Laboratory DSRC 3A115 325 Broadway - RAL8 Boulder, CO 80305-3328 USA phone: 303-497-7209 fax: 303-497-5686 email: miller at al.noaa.gov From stevev at darkwing.uoregon.edu Wed Oct 9 03:55:03 2002 
From: stevev at darkwing.uoregon.edu (Steve VanDevender) Date: Tue, 8 Oct 2002 10:55:03 -0700 Subject: tru64 unix openssh-3.4p1 problems In-Reply-To: References: Message-ID: <15779.7159.814014.964581@darkwing.uoregon.edu> Henry LeRoy Miller, Jr. writes: > Openssh-3.4p1 works, if I set UsePrivilegeSeparation to "no" in the > sshd_config file. Yes, this is true. Privilege separation and OSF SIA have not yet been made to play well together. > Is this one of the few issues with some operating systems that is > still being worked on? Yes. Some progress has been made since the release of 3.4p1, although I gather there are still some issues left. > Any suggestions? You might try a current development snapshot. From ahirsch at slb.com Wed Oct 9 04:05:20 2002 
From: ahirsch at slb.com (Aaron M. Hirsch) Date: Tue, 08 Oct 2002 13:05:20 -0500 Subject: openssh-3.4p1 install problems on Solaris 6 with openssl-0.9.6g In-Reply-To: <20021008184803.A20843475@ohm.arago.de> References: <3DA307C7.6060007@slb.com> <20021008184803.A20843475@ohm.arago.de> Message-ID: <1034100321.1243.95.camel@kclnx13> Thanks for the input, I did double check, uninstall and re-install the tcp_wrappers...it is specifically for solaris 6. Thanks for the heads up on it, back to the grindstone! :( > Hi! > > On Tue, Oct 08, 2002 at 11:28:55AM -0500, Aaron M. Hirsch wrote: > > The configuration appears to work flawlessly. However, when I > > try to make the package I get the following error: > > [...] > > > > root at stupidbox# make > > [...] > > Undefined first referenced > > symbol in file > > method_kbdint auth2.o > > getipnodebyname ./libwrap.a(misc.o) > > inet_pton ./libwrap.a(hosts_access.o) > > inet_ntop ./libwrap.a(socket.o) > > freehostent ./libwrap.a(misc.o) > > ld: fatal: Symbol referencing errors. No output written to sshd > > collect2: ld returned 1 exit status > > *** Error code 1 > > make: Fatal error: Command failed for target `sshd' > > > > I am attempting to get the installation working on a Solaris 6 > > box. > > Are you sure the libwrap.a you use for the build process was also > built on Solaris 2.6? For me, it seems to have been built on > Solaris 8 - both Solaris 2.6 and Solaris 7 do not have any of the > functions the linker is missing. > > Note that you can use libraries and binaries built on an older > Solaris version on newer ones without problems, but not > necessarily the other way around. > > > Ciao > > Thomas > -- Aaron M. Hirsch UNIX Systems Administrator SchlumbergerSema 11146 Thompson Ave. Lenexa, KS 66219 Phone: (913) 312-4717 Mobile: (913) 284-9094 Fax: (913) 312-4701 "With great power comes great responsibility." Uncle Ben From mouring at etoh.eviladmin.org Wed Oct 9 04:05:29 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 8 Oct 2002 13:05:29 -0500 (CDT) Subject: tru64 unix openssh-3.4p1 problems In-Reply-To: <15779.7159.814014.964581@darkwing.uoregon.edu> Message-ID: The current development snapshots set DISABLE_FD_PASSING. No tru64 work has gone into the tree since I left it into the hands of the tru64 users to figure out what is wrong. What does this mean? Tru64 with privsep to yes will not use privilege separation after all the authentication has occured. - Ben On Tue, 8 Oct 2002, Steve VanDevender wrote: > Henry LeRoy Miller, Jr. writes: > > Openssh-3.4p1 works, if I set UsePrivilegeSeparation to "no" in the > > sshd_config file. > > Yes, this is true. Privilege separation and OSF SIA have not yet been > made to play well together. > > > Is this one of the few issues with some operating systems that is > > still being worked on? > > Yes. Some progress has been made since the release of 3.4p1, although I > gather there are still some issues left. > > > Any suggestions? > > You might try a current development snapshot. > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From markus at openbsd.org Wed Oct 9 04:22:37 2002 From: markus at openbsd.org (Markus Friedl) Date: Tue, 8 Oct 2002 20:22:37 +0200 Subject: good news for solaris8 &3.4p1 In-Reply-To: <20021007132230.A92021@bolthole.com> References: <20021007132230.A92021@bolthole.com> Message-ID: <20021008182237.GC31981@folly> On Mon, Oct 07, 2002 at 01:22:30PM -0700, Philip Brown wrote: > I'm not exactly sure which is the preferred one to use here :-) > Any recommendations? don't use UseLogin. From ericv at cruzio.com Wed Oct 9 05:52:00 2002 
From: ericv at cruzio.com (Eric N. Valor) Date: Tue, 08 Oct 2002 12:52:00 -0700 Subject: Fwd: SSHD logging on Solaris 8? Message-ID: <5.1.0.14.2.20021008124704.00aa2658@mail.cruzio.com> Sorry to send this to the wrong list. But it appears that the general list is mostly utilized as a SPAM vector and/or is absentee moderated (the message has yet to make it to the archives, despite being dated days earlier than messages which are there). In any event, I'd like to know if anyone could provide me with some more information than is available in the manpages, FAQ, and other on-line guides. >Howdy. > >I've parsed the archives and found nothing speaking to my issue. I'm >using OpenSSH on Solaris 8, from the package available from >SunFreeware. Yes, I plan to go back and roll my own from scratch but I'm >in a hurry right now. > >Anyway, while debugging a login problem I was frustrated by the lack of >logging in /var/*. The only "logging" I was able to see was by executing >"ssh -v" -- nowhere on the remote system (running the daemon) did I find >*ANY* logging whatsoever. The sshd_config manpage has nothing about >specifying a logfile, and none of the logging settings I tried did anything. > >Is this a problem specific with Solaris (I'm a Linux guy in normal >circumstances), with the package from SunFreeware, or with OpenSSH itself? > >Any input would be appreciated. > >Thanks in advance. -- Eric N. Valor ericv at cruzio.com : This Space Intentionally Left Blank : From phil at bolthole.com Wed Oct 9 07:01:30 2002 
From: phil at bolthole.com (Philip Brown) Date: Tue, 8 Oct 2002 14:01:30 -0700 Subject: good news for solaris8 &3.4p1 In-Reply-To: <20021008182237.GC31981@folly>; from markus@openbsd.org on Tue, Oct 08, 2002 at 08:22:37PM +0200 References: <20021007132230.A92021@bolthole.com> <20021008182237.GC31981@folly> Message-ID: <20021008140130.A52822@bolthole.com> On Tue, Oct 08, 2002 at 08:22:37PM +0200, Markus Friedl wrote: > On Mon, Oct 07, 2002 at 01:22:30PM -0700, Philip Brown wrote: > > I'm not exactly sure which is the preferred one to use here :-) > > Any recommendations? > > don't use UseLogin. err... thanks. i guess :-) I was hoping for some technical reasoning behind WHY, so I could feel good about the decision, and also know enough to reevaluate it, if the landscape changes in the future. From mouring at etoh.eviladmin.org Wed Oct 9 07:10:27 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 8 Oct 2002 16:10:27 -0500 (CDT) Subject: good news for solaris8 &3.4p1 In-Reply-To: <20021008140130.A52822@bolthole.com> Message-ID: When the landscape changes in the future.. It will be to remove UseLogin from OpenSSH. So I suggest chatting with your vendors and encourage them to ensure their OS security works with OpenSSH. =) - Ben On Tue, 8 Oct 2002, Philip Brown wrote: > On Tue, Oct 08, 2002 at 08:22:37PM +0200, Markus Friedl wrote: > > On Mon, Oct 07, 2002 at 01:22:30PM -0700, Philip Brown wrote: > > > I'm not exactly sure which is the preferred one to use here :-) > > > Any recommendations? > > > > don't use UseLogin. > > err... thanks. i guess :-) > I was hoping for some technical reasoning behind WHY, so I could feel good > about the decision, and also know enough to reevaluate it, if the landscape > changes in the future. > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From jmknoble at pobox.com Wed Oct 9 08:24:53 2002 
From: jmknoble at pobox.com (Jim Knoble) Date: Tue, 8 Oct 2002 18:24:53 -0400 Subject: Fwd: SSHD logging on Solaris 8? In-Reply-To: <5.1.0.14.2.20021008124704.00aa2658@mail.cruzio.com>; from ericv@cruzio.com on Tue, Oct 08, 2002 at 12:52:00PM -0700 References: <5.1.0.14.2.20021008124704.00aa2658@mail.cruzio.com> Message-ID: <20021008182453.R26318@zax.half.pint-stowp.cx> Circa 2002-10-08 12:52:00 -0700 dixit Eric N. Valor: : Sorry to send this to the wrong list. But it appears that the : general list is mostly utilized as a SPAM vector and/or is absentee : moderated (the message has yet to make it to the archives, despite : being dated days earlier than messages which are there). General list? What general list? I didn't know there was one for OpenSSH.... [...] : >I've parsed the archives and found nothing speaking to my issue. : >I'm using OpenSSH on Solaris 8, from the package available from : >SunFreeware. Yes, I plan to go back and roll my own from scratch : >but I'm in a hurry right now. : > : >Anyway, while debugging a login problem I was frustrated by the : >lack of logging in /var/*. The only "logging" I was able to see : >was by executing "ssh -v" -- nowhere on the remote system (running : >the daemon) did I find *ANY* logging whatsoever. The sshd_config : >manpage has nothing about specifying a logfile, and none of the : >logging settings I tried did anything. I was never really able to get sshd to log anything via Solaris 8's syslogd either, and i did my own OpenSSH build. I prefer running sshd with djb's daemontools (http://cr.yp.to/daemontools.html) anyway, so i simply have sshd log to stderr using '-e' and log via multilog. : >Is this a problem specific with Solaris (I'm a Linux guy in normal : >circumstances), with the package from SunFreeware, or with OpenSSH : >itself? No idea. 
My knowledge of Solaris 8 quirks is pretty much limited to having recently done a fairly stock install, reading man pages, and the fine book by Æleen Frisch with the armadillo on the front.... -- jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/ (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491) "I am non-refutable." --Enik the Altrusian -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 262 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20021008/629fcf3c/attachment.bin From b.courtin at t-online.net Wed Oct 9 16:46:31 2002 From: b.courtin at t-online.net (Courtin Bert) Date: Wed, 9 Oct 2002 08:46:31 +0200 Subject: SSHD logging on Solaris 8? Message-ID: <60F1F87A64834D45A1EBAE9618305FB86ECDE0@qeo00200> Hi Eric, logging is configured in sshd_config with - # Logging # obsoletes QuietMode and FascistLogging SyslogFacility AUTH LogLevel INFO - where 'SyslogFacility' specifies which "facility" (sorry;-), i.e. e.g. 'auth', 'daemon', 'mail' etc should be used and with 'LogLevel' you can specify how verbosely sshd should be. Of course the syslog-daemon (syslogd) must be running and configured in the right way, e.g.: In /etc/syslog.conf add something like - # added for ssh-daemon # 20020619 Bert Courtin auth.info;auth.debug /var/log/authlog - After configuring your syslogd, you'll have to stop and start it again or send a kill -HUP PID to the process to let your changes take effect. Please also refer to the manual pages for sshd as well as syslogd. Kind regards, Bert Courtin > -----Original Message----- 
> From: Eric N. Valor [mailto:ericv at cruzio.com] > Sent: Tuesday, October 08, 2002 9:52 PM > To: openssh-unix-dev at mindrot.org > Subject: Fwd: SSHD logging on Solaris 8? > > > > Sorry to send this to the wrong list. But it appears that > the general list > is mostly utilized as a SPAM vector and/or is absentee moderated (the > message has yet to make it to the archives, despite being dated days > earlier than messages which are there). In any event, I'd > like to know if > anyone could provide me with some more information than is > available in the > manpages, FAQ, and other on-line guides. > > > >Howdy. > > > >I've parsed the archives and found nothing speaking to my > issue. I'm > >using OpenSSH on Solaris 8, from the package available from > >SunFreeware. Yes, I plan to go back and roll my own from > scratch but I'm > >in a hurry right now. > > > >Anyway, while debugging a login problem I was frustrated by > the lack of > >logging in /var/*. The only "logging" I was able to see was > by executing > >"ssh -v" -- nowhere on the remote system (running the > daemon) did I find > >*ANY* logging whatsoever. The sshd_config manpage has nothing about > >specifying a logfile, and none of the logging settings I > tried did anything. > > > >Is this a problem specific with Solaris (I'm a Linux guy in normal > >circumstances), with the package from SunFreeware, or with > OpenSSH itself? > > > >Any input would be appreciated. > > > >Thanks in advance. > > -- > Eric N. Valor > ericv at cruzio.com > > : This Space Intentionally Left Blank : > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From csoler at nextel.es Wed Oct 9 19:11:05 2002 
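Bert Courtin's message above splits the problem in two: sshd's SyslogFacility and LogLevel choose the facility and priority, and syslogd needs a rule that actually routes that facility at that priority to a file. The Python below is an added example, not OpenSSH or Solaris code and not from the thread: it parses both files (constructed fragments, including a syslog.conf shaped like a stock Solaris 8 one, which routes `auth` only at `notice` and above) and reports where sshd's messages would end up. The LogLevel-to-priority mapping is my reading of OpenSSH's log.c and should be checked against the version in use; the tab-separator check reflects the Solaris syslog.conf requirement that selector and action be separated by tabs.

```python
"""Check that the syslog facility sshd logs to is actually written somewhere.

Added example (not OpenSSH or Solaris code). sshd_config supplies the
facility and LogLevel; a syslog.conf with Solaris/BSD 'facility.level'
selectors is evaluated to find the actions that would receive sshd's
ordinary messages. All configuration text below is constructed.
"""
import re

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LEVEL_NUM = {name: n for n, name in enumerate(LEVELS)}
LEVEL_NUM.update({"panic": 0, "error": 3, "warn": 4})   # deprecated spellings

# syslog priority of sshd's ordinary (non-error) messages at each LogLevel;
# assumption based on OpenSSH log.c (INFO/VERBOSE -> LOG_INFO, DEBUG* -> LOG_DEBUG)
SSHD_PRIORITY = {"QUIET": None, "FATAL": "crit", "ERROR": "err", "INFO": "info",
                 "VERBOSE": "info", "DEBUG": "debug", "DEBUG1": "debug",
                 "DEBUG2": "debug", "DEBUG3": "debug"}


def sshd_logging_settings(sshd_conf):
    """(facility, loglevel) from sshd_config text: sshd keeps the first value
    it sees for a keyword and defaults to AUTH / INFO."""
    found = {}
    for raw in sshd_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s*=?\s*(\S.*)$", line)   # 'Key value' or 'Key=value'
        if m:
            found.setdefault(m.group(1).lower(), m.group(2).strip())
    return (found.get("syslogfacility", "AUTH").lower(),
            found.get("loglevel", "INFO").upper())


def parse_syslog_conf(text):
    """Rules as dicts: selectors [(facility, level)], action, tab_separated."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = re.match(r"(\S+)(\s+)(\S.*)$", line)
        if not m:
            continue
        selectors = []
        for sel in m.group(1).split(";"):
            facilities, _, level = sel.partition(".")
            for fac in facilities.split(","):
                selectors.append((fac.strip().lower(), level.strip().lower()))
        rules.append({"selectors": selectors, "action": m.group(3),
                      # Solaris syslogd requires TABs between selector and action
                      "tab_separated": "\t" in m.group(2)})
    return rules


def rule_matches(rule, facility, priority):
    """Later selectors override earlier ones for the same facility, 'none'
    drops the facility, and 'fac.level' takes that level and anything more
    severe (a lower number)."""
    effective = None
    for fac, level in rule["selectors"]:
        if fac in ("*", facility):
            effective = level
    if effective in (None, "none"):
        return False
    return LEVEL_NUM[priority] <= LEVEL_NUM.get(effective, -1)


def check_sshd_logging(sshd_conf, syslog_conf):
    """Where sshd's messages at its configured LogLevel would be delivered."""
    facility, loglevel = sshd_logging_settings(sshd_conf)
    rules = parse_syslog_conf(syslog_conf)
    priority = SSHD_PRIORITY.get(loglevel)
    dests = [r["action"] for r in rules
             if priority and rule_matches(r, facility, priority)]
    return {"facility": facility, "loglevel": loglevel, "priority": priority,
            "destinations": dests,
            "space_separated": [r["action"] for r in rules if not r["tab_separated"]]}


# Constructed fragments: a syslog.conf shaped like a stock Solaris 8 one
# (auth only at 'notice' and above) and the same file with the line from
# the thread added.
SSHD_CONF = "Port 22\nSyslogFacility AUTH\nLogLevel INFO\n"
SOLARIS_DEFAULT = (
    "*.err;kern.notice;auth.notice\t\t\t/dev/sysmsg\n"
    "*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages\n"
    "*.alert;kern.err;daemon.err\t\t\toperator\n"
    "*.alert\t\t\t\t\troot\n"
    "*.emerg\t\t\t\t\t*\n"
)
FIXED = SOLARIS_DEFAULT + "auth.info;auth.debug\t\t\t\t/var/log/authlog\n"

if __name__ == "__main__":
    for name, conf in (("default", SOLARIS_DEFAULT), ("fixed", FIXED)):
        print(name, check_sshd_logging(SSHD_CONF, conf))
```

Run against the default-shaped file the check returns no destination at all for `auth.info`, which is the symptom in the thread (errors at `auth.err` would still reach `/dev/sysmsg` and `/var/adm/messages`); with the `auth.info;auth.debug` line added, `/var/log/authlog` shows up. Remember that syslogd only rereads the file after a restart or `kill -HUP`, as the message says.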
From: csoler at nextel.es (César Soler) Date: Wed, 9 Oct 2002 11:11:05 +0200 Subject: enable sftp subsystem for each authorized key Message-ID: <1276981609.20021009111105@nextel.es> Hi, I have been looking for info in the mail archive, but I haven't found anything about this: is there any way to select which keys are authorized to use the sftp subsystem and which ones not? It means, if I include the sftp-server subsystem in the sshd configuration file, it is available to everyone, isn't it? Thanks in advance for your time! -- Best regards, César mailto:csoler at nextel.es From markus at openbsd.org Wed Oct 9 19:13:52 2002 From: markus at openbsd.org (Markus Friedl) Date: Wed, 9 Oct 2002 11:13:52 +0200 Subject: enable sftp subsystem for each authorized key In-Reply-To: <1276981609.20021009111105@nextel.es> References: <1276981609.20021009111105@nextel.es> Message-ID: <20021009091352.GA10284@faui02> On Wed, Oct 09, 2002 at 11:11:05AM +0200, César Soler wrote: > I have been looking for info in the mail archive, but I haven't found > anything about this: is there any way to select which keys are > authorized to use the sftp subsystem and which ones not? > It means, if I include the sftp-server subsystem in the sshd > configuration file, it is available to everyone, isn't it? it's just possible to restrict a key to the sftp-server e.g. command="/path/to/sftp-server" key data... From markus at openbsd.org Wed Oct 9 19:21:26 2002 
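Markus's answer above points at the `command=` option in authorized_keys as the way to pin a key to sftp-server. The following is an added example, not OpenSSH code and not from the thread: a small Python parser for the authorized_keys options field (comma-separated options, values in double quotes that may contain commas and backslash-escaped quotes, as the file format defines them) that lists which keys of a constructed sample file are restricted to a forced command and which still get a full shell. The sample keys, comments and the `/usr/local/libexec/sftp-server` path are made up.

```python
"""Report which authorized_keys entries are pinned to a forced command.

Added example (not OpenSSH code). Parses the options field of
authorized_keys lines and lists the keys that are NOT restricted to a
command such as sftp-server.
"""

# Key-type tokens start with one of these prefixes; everything before the
# key type on a line is the options field.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _options_end(line):
    """Index of the first whitespace outside double quotes (end of options)."""
    in_quote = False
    i = 0
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\" and i + 1 < len(line):
            i += 2          # escaped character inside a quoted value
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            return i
        i += 1
    return len(line)


def _split_options(text):
    """Split 'a=1,b="x,y",c' into ['a=1', 'b=x,y', 'c'], honouring quotes."""
    opts, cur, in_quote = [], [], False
    i = 0
    while i < len(text):
        c = text[i]
        if in_quote:
            if c == "\\" and i + 1 < len(text):
                cur.append(text[i + 1])   # keep the escaped character
                i += 2
                continue
            if c == '"':
                in_quote = False
            else:
                cur.append(c)
        elif c == '"':
            in_quote = True
        elif c == ",":
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        opts.append("".join(cur))
    return opts


def parse_line(line):
    """Return a dict for one key line, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = {}
    if not line.split(None, 1)[0].startswith(KEY_TYPE_PREFIXES):
        end = _options_end(line)
        for opt in _split_options(line[:end]):
            name, has_value, value = opt.partition("=")
            options[name] = value if has_value else True   # flag options -> True
        line = line[end:].strip()
    parts = line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPE_PREFIXES):
        raise ValueError("malformed authorized_keys line: %r" % line)
    return {
        "key_type": parts[0],
        "comment": parts[2] if len(parts) == 3 else "",
        "options": options,
        "forced_command": options.get("command"),
    }


def unrestricted_keys(text):
    """Comments of keys that carry no command= restriction (full shell access)."""
    entries = (parse_line(l) for l in text.splitlines())
    return [e["comment"] for e in entries if e and e["forced_command"] is None]


# Constructed sample file; the base64 blobs are placeholders, not real keys.
SAMPLE = """\
# backup host: sftp only, no pty or forwarding
command="/usr/local/libexec/sftp-server",no-pty,no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAAexample1 backup@example.net
ssh-rsa AAAAB3NzaC1yc2EAAAAexample2 admin@example.net
from="10.0.0.0/8,192.168.1.*",command="/bin/echo \\"no shell\\"" ssh-dss AAAAB3NzaC1kc3MAAAAexample3 monitor@example.net
"""

if __name__ == "__main__":
    for entry in filter(None, map(parse_line, SAMPLE.splitlines())):
        print("%-22s command=%r" % (entry["comment"], entry["forced_command"]))
    print("unrestricted:", unrestricted_keys(SAMPLE))
```

A `command=` option only replaces what the key may execute; unless `no-pty`, `no-port-forwarding` and `no-X11-forwarding` are added alongside it, as on the first sample line, the key still gets a pty and forwarding, so an sftp-only key should normally carry all of them.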
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 9 Oct 2002 11:21:26 +0200
Subject: good news for solaris8 &3.4p1
In-Reply-To: <20021008140130.A52822@bolthole.com>
References: <20021007132230.A92021@bolthole.com> <20021008182237.GC31981@folly> <20021008140130.A52822@bolthole.com>
Message-ID: <20021009092126.GA4789@folly>

On Tue, Oct 08, 2002 at 02:01:30PM -0700, Philip Brown wrote:
> On Tue, Oct 08, 2002 at 08:22:37PM +0200, Markus Friedl wrote:
> > On Mon, Oct 07, 2002 at 01:22:30PM -0700, Philip Brown wrote:
> > > I'm not exactly sure which is the preferred one to use here :-)
> > > Any recommendations?
> >
> > don't use UseLogin.
>
> err... thanks. i guess :-)
> I was hoping for some technical reasoning behind WHY, so I could feel good
> about the decision, and also know enough to reevaluate it, if the landscape
> changes in the future.

UseLogin is an ugly workaround, breaks a lot of things, will not be used for remote command execution and might be removed in the future.

From strube at physik3.gwdg.de Wed Oct 9 20:10:31 2002
From: strube at physik3.gwdg.de (Hans Werner Strube) Date: Wed, 9 Oct 2002 12:10:31 +0200 (MET DST) Subject: Again: Cannot delete credentials Message-ID: <200210091010.MAA23289@r2d2.physik3.gwdg.de> As has often been mentioned, Solaris (at least 7 and 8) gives a debug1 message on logout: Cannot delete credentials. This occurs when in auth-pam.c, function do_pam_cleanup_proc(), pam_setcred(__pamh, PAM_DELETE_CRED) is called under UID 0. I suggested a patch for this on Nov 22, 2001, based on openssh 2.9.9p2 through 3.0.1p1. [The attempt in my patch to reset to UID 0 by "if (!flag) setuid(0);" does not actually work but seems not to be required.] Now in 3.4p1 with privilege separation, I found this patch was no more necessary, whereas without privilege separation, behavior was as before. For an ssh root login, the message always occurred, even with privilege separation. Experimenting, I found that do_pam_cleanup_proc() runs as the logged-in user with privilege separation but as root without privilege separation. Also I found that pam_setcred(__pamh, PAM_DELETE_CRED) works for any nonzero UID (strange!) Thus the whole patch can be simplified to the following: *** auth-pam.c.ORI Wed May 8 04:27:56 2002 --- auth-pam.c Wed Oct 2 18:11:39 2002 *************** *** 185,190 **** --- 185,192 ---- } if (__pamh && creds_set) { + if (getuid() == 0) + setuid(1); pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED); if (pam_retval != PAM_SUCCESS) debug("Cannot delete credentials[%d]: %.200s", From csoler at nextel.es Wed Oct 9 21:28:38 2002 
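Review bot: the auth-pam.c hunk drops privilege with a hardcoded, unchecked and one-way `setuid(1)`. UID 1 is merely whichever account owns that number on the host (traditionally daemon), and once the call succeeds nothing later in do_pam_cleanup_proc() can regain root. Since the only requirement stated above is that pam_setcred(__pamh, PAM_DELETE_CRED) not run as UID 0, prefer the UID of the user whose credentials are being deleted (the passwd entry sshd already holds), check the return value of the call, and use a reversible seteuid() switch if anything after the call still needs root. A one-line comment above the two added lines saying that Solaris' pam_setcred refuses the delete under UID 0 would spare the next reader a trip to this thread.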
From: csoler at nextel.es (César Soler)
Date: Wed, 9 Oct 2002 13:28:38 +0200
Subject: enable sftp subsystem for each authorized key
In-Reply-To: <20021009091352.GA10284@faui02>
References: <1276981609.20021009111105@nextel.es> <20021009091352.GA10284@faui02>
Message-ID: <2515234826.20021009132838@nextel.es>

Hi Markus,

MF> it's just possible to restrict a key to the sftp-server

I need to disable the sftp service for specific keys, but they must be able to open sessions. In the end I have added a new option in the authorized_keys file: "no-sftp", which disables the sftp service (little patches in auth-options.c, auth-options.h and session.c). In case somebody is interested, don't hesitate to ask me! :-)

thanks for your help!

Best regards,
César                            mailto:csoler at nextel.es

From markus at openbsd.org Wed Oct 9 22:06:09 2002
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 9 Oct 2002 14:06:09 +0200
Subject: enable sftp subsystem for each authorized key
In-Reply-To: <2515234826.20021009132838@nextel.es>
References: <1276981609.20021009111105@nextel.es> <20021009091352.GA10284@faui02> <2515234826.20021009132838@nextel.es>
Message-ID: <20021009120609.GA25174@faui02>

but if i'm able to execute commands then i can use sftp.

e.g.
	ssh host /usr/libexec/sftp-server

From binder at arago.de Wed Oct 9 22:16:55 2002
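The exchange above shows why a per-key "no-sftp" option cannot hold: a key that may run commands can start sftp-server by hand. The restriction that does hold is the one Markus gave in the other direction, pinning the key to sftp-server, and it is only tight if the other per-key capabilities are switched off too. An added authorized_keys fragment illustrating that (not from the thread; the sftp-server path and the key material are placeholders, and the option names are the ones sshd(8) documented for authorized_keys at the time):

```text
# Placeholder key: this entry may only ever run sftp-server, with no tty,
# no TCP/X11/agent forwarding, and only from the named network.
from="10.0.0.0/8",command="/usr/libexec/sftp-server",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...PLACEHOLDER-KEY... sftp-only-example
```

The `from=` restriction is optional; the rest is what keeps the key from being turned into an interactive session or a tunnel endpoint while still letting sftp work.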
From: binder at arago.de (Thomas Binder) Date: Wed, 9 Oct 2002 14:16:55 +0200 Subject: openssh-3.4p1 install problems on Solaris 6 with openssl-0.9.6g In-Reply-To: <1034100321.1243.95.camel@kclnx13>; from ahirsch@slb.com on Tue, Oct 08, 2002 at 01:05:20PM -0500 References: <3DA307C7.6060007@slb.com> <20021008184803.A20843475@ohm.arago.de> <1034100321.1243.95.camel@kclnx13> Message-ID: <20021009141655.A20672211@ohm.arago.de> Hi! On Tue, Oct 08, 2002 at 01:05:20PM -0500, Aaron M. Hirsch wrote: > > Are you sure the libwrap.a you use for the build process was > > also built on Solaris 2.6? For me, it seems to have been built > > on Solaris 8 - both Solaris 2.6 and Solaris 7 do not have any > > of the functions the linker is missing. > > Thanks for the input, I did double check, uninstall and > re-install the tcp_wrappers...it is for specifically for solaris > 6. And I've just compiled OpenSSH 3.4p1 successfully on a Solaris 2.6 machine, using my own build of libwrap.a - if you want to give the latter a try, I can send you a PKG that installs into /opt/libwrap Besides, there's no Solaris 6, just 2.6. > Thanks for the heads up on it, back to the grindstone! :( What options did you give to OpenSSH's configure, and where does your libwrap.a install to? Did you give that path to --with-tcp-wrappers? Ciao Thomas From wadedl at gat.com Thu Oct 10 03:13:15 2002 
From: wadedl at gat.com (wadedl at gat.com)
Date: Wed, 09 Oct 2002 10:13:15 -0700 (PDT)
Subject: openssh-3.4p1 built on Tru64 Unix 5.1a - bug with sftpd
Message-ID: <0H3Q08403563O8@gat.com>

Dear openssh-unix-dev;

I recently downloaded the tarball openssh-3.4p1 and built it for my Tru64 Unix ( OSF/1 ) 5.1a system. My configure statement is:

./configure --prefix=/usr/local/security/tools/openssh-3.4p1 \
    --exec-prefix=/usr/local/security/tools/openssh-3.4p1 \
    -with-ssl-dir=/usr/local/security/tools/openssl-0.9.6g \
    -with-zlib-dir=/usr/local/compress/tools/zlib-1.1.3 \
    -with-xauth=/usr/bin/X11/xauth \
    -with-random=/usr/local/security/tools/openssh-3.4p1/etc/ssh_prng_cmds

I am using GCC 3.2 to build. The OpenSSH compiles and installs and is working, mostly. However I have two problems for which I cannot find help on the web.

The most serious is with the sftp system. When I connect to the installed sftp-server from a client using sftp I cannot list the remote directory using either ls or dir without the resulting list looping endlessly. This occurs only when the directory on the server is an auto-mounted dir ( and therefore a linked NFS mount). When the directory is a locally mounted filesystem, ls works just fine. Again, my user dirs on the alphaserver are automounted from a filer. When I sftp to the alpha and do an ls (for my automounted home) the list loops endlessly. When I cd to an alphaserver local filesystem, ls works fine.

The second problem involves the loader library path to the shared GNU c library libgcc_s.so.1. I set LD_LIBRARY_PATH to the location of my GNU distribution:

setenv LD_LIBRARY_PATH /usr/local/gnu/lib

I set path to include /usr/local/gnu/bin. configure finds gcc and the libraries and builds executables just fine, but the resultant executables must have LD_LIBRARY_PATH set to work - i.e. I must setenv LD_LIBRARY_PATH /usr/local/gnu/lib to get sshd to boot, and to use each executable ( ssh, scp, sftp, etc. ) I must set the LIBRARY PATH.
Also, since sftp is started from SSHD through the subsystem process, it cannot start, since it is relying also on LD_LIBRARY_PATH which is not necessarily set in the environment from which it starts. I got around this by wrapping sftpd in a csh script which I then reference in the sshd_config as the startup for the sftp subsystem.

I tried using --with-ldflags and modifying the Makefile to find /usr/local/gnu/lib but without luck. I would really like to know how to build openssh for my alpha system to produce binaries that have the libgcc_s.so.1 reference built in. I tried to build without using gcc at all - but when I run configure it always complains and quits because it says it cannot map libgcc_s.so.1. Even when I am compiling with cc and do not have any globals or paths set for GNU.

I trust it is useful information to the community that openssh-3.4p1 can be built and run and be (somewhat) useful on an Alpha. Would someone guide me in helping make this port better?

Thank You.

David L. Wade

**********************************************************************
David L. Wade                          EMail: David.Wade at gat.com
Senior Systems Programmer Analyst      Ph. 858-455-3342
General Atomics                        Fx. 858-455-2692
3550 General Atomics Court
San Diego, California 92121
**********************************************************************
opinions, conclusions, or recommendations expressed above are my own and do not necessarily represent the views of my employer.

From pekkas at netcore.fi Thu Oct 10 03:45:50 2002
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 9 Oct 2002 20:45:50 +0300 (EEST)
Subject: openssh-3.5p1 snap ok on RHL73
Message-ID:

Hello,

I rebuilt the latest snap (Oct 7?? at least on ftp.se.openbsd.org) on RHL73. Works quite nicely so far.

I noticed a few compile warnings, though:

cipher.c:73: warning: initialization from incompatible pointer type
cipher.c: In function `cipher_get_keycontext':
cipher.c:721: warning: comparison of distinct pointer types lacks a cast
cipher.c: In function `cipher_set_keycontext':
cipher.c:736: warning: comparison of distinct pointer types lacks a cast
mac.c:42: warning: initialization from incompatible pointer type
mac.c:43: warning: initialization from incompatible pointer type
mac.c:44: warning: initialization from incompatible pointer type
mac.c:45: warning: initialization from incompatible pointer type
mac.c:46: warning: initialization from incompatible pointer type
mac.c:47: warning: initialization from incompatible pointer type
sshconnect1.c: In function `try_krb5_authentication':
sshconnect1.c:566: warning: passing arg 5 of `krb5_mk_req' discards qualifiers from pointer target type
sshconnect1.c: In function `send_krb5_tgt':
sshconnect1.c:693: warning: passing arg 3 of `krb5_fwd_tgt_creds' discards qualifiers from pointer target type

$ rpm -q gcc glibc openssl
gcc-2.96-112
glibc-2.2.5-40
openssl-0.9.6b-28

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

From POTTERVELD at ANLMEP.PHY.ANL.GOV Thu Oct 10 05:13:39 2002
From: POTTERVELD at ANLMEP.PHY.ANL.GOV (David Potterveld)
Date: Wed, 9 Oct 2002 14:13:39 -0500
Subject: openssh-3.4p1 built on Tru64 Unix 5.1a - bug with sftpd
Message-ID: <021009141339.20205182@ANLMEP.PHY.ANL.GOV>

David L. Wade wrote:
> I recently downloaded the tarball openssh-3.4p1 and built it for my
> Tru64 Unix ( OSF/1 ) 5.1a system. My configure statement is:
[snip]
> I am using GCC 3.2 to build. The OpenSSH compiles and installs and is
> working, mostly.
[snip]
> The second problem involves the loader library path to the shared
> GNU c library libgcc_s.so.1. I set LD_LIBRARY_PATH to the location of
> my GNU distribution:
>
> setenv LD_LIBRARY_PATH /usr/local/gnu/lib

David,

I have GCC 3.1.1, and the shared libraries were installed in /usr/local/lib, which is one of the default places for the loader to look. Did things change for 3.2? As a workaround, you could create a softlink (ln -s) from the files in /usr/local/gnu/lib to /usr/local/lib. However, I strongly recommend that you use the native cc compiler instead. My experience with GCC on the Alpha architecture is that it does a bad job of optimizing code and runs much slower, and tends to be buggy.

Also, don't forget that privsep doesn't work for Tru64 in this release.

David Potterveld
Argonne National Laboratory

From csoler at nextel.es Thu Oct 10 18:10:49 2002
From: csoler at nextel.es (César Soler)
Date: Thu, 10 Oct 2002 10:10:49 +0200
Subject: log uploads/downloads
Message-ID: <17489765385.20021010101049@nextel.es>

Hi,

I would like to log any transfer from/to a server done by sftp or scp. How could I do this? Could anybody tell me which files should be modified (in such case)?

thanks a lot for your time,

--
Best regards,
César                            mailto:csoler at nextel.es

From jan.iven at cern.ch Thu Oct 10 19:25:01 2002
From: jan.iven at cern.ch (Jan Iven)
Date: 10 Oct 2002 11:25:01 +0200
Subject: Patch: Kerberos auth + PrivSep (against 3.5p1-CVS)
In-Reply-To: <20020924135825.GA4771@faui02>
References: <20020924145702.K29920@cygbert.vinschen.de> <20020924135825.GA4771@faui02>
Message-ID:

Dear list,

this patch implements the missing (vs. CVS, as of 08.10.02) functionality to have privsep+Kerberos authentication working together. There seems to be some effort into that direction already (?), some bits of the previous patch for 3.4 are no longer necessary. Could somebody from the developers confirm this (since I'd be happy to drop my version if something better is supposed to appear anyway). Compiles fine for me, have not tested on all our platforms yet. The previous version of this patch (against 3.4) runs on Solaris, Linux, HPUX, Digital and IRIX.

Thanks
Jan

diff -uwr openssh-cvs/monitor.c openssh-new/monitor.c --- openssh-cvs/monitor.c 2002-10-03 10:31:11.000000000 +0200 +++ openssh-new/monitor.c 2002-10-08 22:57:08.000000000 +0200 @@ -101,6 +101,14 @@ int mm_answer_auth2_read_banner(int, Buffer *); int mm_answer_authserv(int, Buffer *); int mm_answer_authpassword(int, Buffer *); + +#ifdef KRB4 +int mm_answer_authkrb4(int, Buffer *); +#endif +#ifdef KRB5 +int mm_answer_authkrb5(int, Buffer *); +#endif + int mm_answer_bsdauthquery(int, Buffer *); int mm_answer_bsdauthrespond(int, Buffer *); int mm_answer_skeyquery(int, Buffer *); @@ -195,6 +205,12 @@ {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed}, {MONITOR_REQ_RSACHALLENGE, MON_ONCE, mm_answer_rsa_challenge}, {MONITOR_REQ_RSARESPONSE, MON_ONCE|MON_AUTHDECIDE, mm_answer_rsa_response}, +#ifdef KRB4 + {MONITOR_REQ_AUTHKRB4, MON_AUTH, mm_answer_authkrb4}, +#endif +#ifdef KRB5 + {MONITOR_REQ_AUTHKRB5, MON_AUTH, mm_answer_authkrb5}, +#endif #ifdef BSD_AUTH {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH,mm_answer_bsdauthrespond}, 
@@ -733,6 +755,93 @@ } #endif +#ifdef KRB4 +int +mm_answer_authkrb4(int socket, Buffer *m) +{ + KTEXT_ST auth; + KTEXT_ST reply; + char *localuser, *auth_tmp; + int authenticated, authlen; + + reply.length = auth.length = 0; + + auth_tmp = buffer_get_string(m, &authlen); + if (authlen >= MAX_KTXT_LEN) + fatal("%s: received too large KRB4 auth from privsep", __func__); + memcpy(auth.dat, auth_tmp, authlen); + auth.length = authlen; + memset(auth_tmp,0, authlen); + xfree(auth_tmp); + /* Only authenticate if the context is valid */ + authenticated = options.kerberos_authentication && + authctxt->valid && + auth_krb4(authctxt, &auth, &localuser, &reply); + + memset(auth.dat, 0, authlen); + + buffer_clear(m); + buffer_put_int(m, authenticated); + if(authenticated) { + buffer_put_cstring(m, localuser); + buffer_put_string(m, reply.dat, reply.length); + } + + if (reply.length) + memset(reply.dat, 0, reply.length); + + debug3("%s: sending result %d", __func__, authenticated); + mm_request_send(socket, MONITOR_ANS_AUTHKRB4, m); + + auth_method = "KRB4.klogin"; + + /* Causes monitor loop to terminate if authenticated */ + return (authenticated); +} +#endif /* KRB4 */ + +#ifdef KRB5 +int +mm_answer_authkrb5(int socket, Buffer *m) +{ + krb5_data auth; + krb5_data reply; + char *localuser; + int authenticated; + + reply.length = 0; + reply.data = NULL; + + auth.data = buffer_get_string(m, &auth.length); + + /* Only authenticate if the context is valid */ + authenticated = options.kerberos_authentication && + authctxt->valid && + auth_krb5(authctxt, &auth, &localuser, &reply); + + memset(auth.data, 0, auth.length); + xfree(auth.data); + + buffer_clear(m); + buffer_put_int(m, authenticated); + if(authenticated) { + buffer_put_cstring(m, localuser); + buffer_put_string(m, reply.data, reply.length); + } + + memset(reply.data, 0, reply.length); + xfree(reply.data); + + debug3("%s: sending result %d", __func__, authenticated); + mm_request_send(socket, MONITOR_ANS_AUTHKRB5, m); + + 
auth_method = "KRB5.klogin"; + + /* Causes monitor loop to terminate if authenticated */ + return (authenticated); +} +#endif /* KRB5 */ + #ifdef USE_PAM int mm_answer_pam_start(int socket, Buffer *m) diff -uwr openssh-cvs/monitor.h openssh-new/monitor.h --- openssh-cvs/monitor.h 2002-10-03 10:31:11.000000000 +0200 +++ openssh-new/monitor.h 2002-10-08 22:51:00.000000000 +0200 @@ -33,6 +33,12 @@ MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, +#ifdef KRB4 + MONITOR_REQ_AUTHKRB4, MONITOR_ANS_AUTHKRB4, +#endif +#ifdef KRB5 + MONITOR_REQ_AUTHKRB5, MONITOR_ANS_AUTHKRB5, +#endif MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD, MONITOR_REQ_BSDAUTHQUERY, MONITOR_ANS_BSDAUTHQUERY, diff -uwr openssh-cvs/monitor_wrap.c openssh-new/monitor_wrap.c --- openssh-cvs/monitor_wrap.c 2002-10-03 10:31:11.000000000 +0200 +++ openssh-new/monitor_wrap.c 2002-10-08 22:51:52.000000000 +0200 
@@ -268,6 +268,75 @@ return (authenticated); } +/* do Kerberos4 .klogin authentication */ +#ifdef KRB4 +int +mm_auth_krb4(Authctxt *authctxt, KTEXT auth, char **client, KTEXT reply) +{ + Buffer m; + int rlen; + int authenticated = 0; + char* reply_tmp; + + debug3("%s entering", __func__); + + buffer_init(&m); + buffer_put_string(&m, auth->dat, auth->length); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHKRB4, &m); + + debug3("%s: waiting for MONITOR_ANS_AUTHKRB4", __func__); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTHKRB4, &m); + + authenticated = buffer_get_int(&m); + if(authenticated) { + *client = buffer_get_string(&m, NULL); + reply_tmp = buffer_get_string(&m, &rlen); + /* have to get the string back into the fixed char field */ + if(rlen >= MAX_KTXT_LEN) + fatal("%s: received too large KRB4 reply from monitor", __func__); + memcpy(reply->dat, reply_tmp, rlen); + reply->length = rlen; + memset(reply_tmp,0, rlen); + xfree(reply_tmp); + } + buffer_free(&m); + + debug3("%s: user %s %sauthenticated", + __func__, *client, authenticated ? "" : "not "); + return (authenticated); +} +#endif /* KRB4 */ + +/* do Kerberos5 .klogin authentication */ +#ifdef KRB5 +int +mm_auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply) +{ + Buffer m; + int authenticated = 0; + + debug3("%s entering", __func__); + + buffer_init(&m); + buffer_put_string(&m, auth->data, auth->length); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHKRB5, &m); + + debug3("%s: waiting for MONITOR_ANS_AUTHKRB5", __func__); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTHKRB5, &m); + + authenticated = buffer_get_int(&m); + if(authenticated) { + *client = buffer_get_string(&m, NULL); + reply->data = buffer_get_string(&m, &(reply->length)); + } + buffer_free(&m); + + debug3("%s: user %s %sauthenticated", + __func__, *client, authenticated ? 
"" : "not "); + return (authenticated); +} +#endif /* KRB5 */ + int mm_user_key_allowed(struct passwd *pw, Key *key) { diff -uwr openssh-cvs/monitor_wrap.h openssh-new/monitor_wrap.h --- openssh-cvs/monitor_wrap.h 2002-10-03 10:31:11.000000000 +0200 +++ openssh-new/monitor_wrap.h 2002-10-08 22:59:39.000000000 +0200 @@ -30,6 +30,14 @@ #include "key.h" #include "buffer.h" +#ifdef KRB4 +#include +#endif + +#ifdef KRB5 +#include +#endif + extern int use_privsep; #define PRIVSEP(x) (use_privsep ? mm_##x : x) @@ -59,6 +67,14 @@ void mm_start_pam(char *); #endif +#ifdef KRB4 +int mm_auth_krb4(struct Authctxt *, KTEXT , char **, KTEXT ); +#endif + +#ifdef KRB5 +int mm_auth_krb5(struct Authctxt *, krb5_data *, char **, krb5_data *); +#endif + void mm_terminate(void); int mm_pty_allocate(int *, int *, char *, int); void mm_session_pty_cleanup2(void *); From markus at openbsd.org Thu Oct 10 19:34:39 2002 From: markus at openbsd.org (Markus Friedl) Date: Thu, 10 Oct 2002 11:34:39 +0200 Subject: Patch: Kerberos auth + PrivSep (against 3.5p1-CVS) In-Reply-To: References: <20020924145702.K29920@cygbert.vinschen.de> <20020924135825.GA4771@faui02> Message-ID: <20021010093439.GB5335@faui02> On Thu, Oct 10, 2002 at 11:25:01AM +0200, Jan Iven wrote: > Dear list, but there is a #ifdef KRB4 int mm_answer_krb4(int, Buffer *); #endif #ifdef KRB5 int mm_answer_krb5(int, Buffer *); #endif From jan.iven at cern.ch Thu Oct 10 20:31:53 2002 
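Review bot: in the mm_answer_authkrb5() hunk of monitor.c, the trailing `memset(reply.data, 0, reply.length); xfree(reply.data);` runs on every path, but reply.data is initialised to NULL and is only filled in when auth_krb5() succeeds; OpenSSH's xfree() calls fatal() on a NULL pointer, so a failed Kerberos 5 attempt would take the monitor down. Guard the release the way the KRB4 counterpart guards its memset with `if (reply.length)`, e.g. `if (reply.data != NULL) { memset(reply.data, 0, reply.length); xfree(reply.data); }`.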
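Review bot: in the mm_answer_authkrb4() hunk of monitor.c, `authlen` is declared int but its address is passed to buffer_get_string(), which stores a u_int; declare it u_int so the `authlen >= MAX_KTXT_LEN` comparison is not a mixed signed/unsigned test. The bound check itself is the right thing to have before the memcpy() into the fixed-size auth.dat, and the memset() of auth_tmp before xfree() is good practice for authenticator material.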
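Review bot: in both mm_auth_krb4() and mm_auth_krb5() in the monitor_wrap.c hunk, the closing `debug3("%s: user %s %sauthenticated", __func__, *client, ...)` prints *client, which is only assigned inside the `if(authenticated)` branch; on a failed attempt it formats whatever pointer the caller passed in, normally uninitialised. Log authctxt->user instead (the Authctxt argument is otherwise unused in both wrappers) or move the debug line into the authenticated branch. In mm_auth_krb4(), `rlen` has the same int versus u_int mismatch with buffer_get_string() noted for authlen on the monitor side.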
From: jan.iven at cern.ch (Jan Iven) Date: 10 Oct 2002 12:31:53 +0200 Subject: Patch: Kerberos auth + PrivSep (against 3.5p1-CVS) In-Reply-To: <20021010093439.GB5335@faui02> References: <20020924145702.K29920@cygbert.vinschen.de> <20020924135825.GA4771@faui02> <20021010093439.GB5335@faui02> Message-ID: >>>>> "MF" == Markus Friedl writes: MF> On Thu, Oct 10, 2002 at 11:25:01AM +0200, Jan Iven wrote: >> Dear list, MF> but there is a MF> #ifdef KRB4 MF> int mm_answer_krb4(int, Buffer *); MF> #endif MF> #ifdef KRB5 MF> int mm_answer_krb5(int, Buffer *); MF> #endif Sorry for the wasted bandwidth -- I was looking for mm_answer_authkrb4 etc.. Thanks for having integrated this into 3.5. Jan From vdanen at mandrakesoft.com Fri Oct 11 04:44:43 2002 
From: vdanen at mandrakesoft.com (Vincent Danen)
Date: Thu, 10 Oct 2002 12:44:43 -0600
Subject: pks for openssh
Message-ID: <578E2744-DC80-11D6-AE48-00039344D6A2@mandrakesoft.com>

I was directed to the following site by one of our customers regarding a keyserver built into openssh. There's a patch for 3.4p1 on their site, but the license isn't very clear, nor is it clear if they have approached the openssh team regarding the inclusion of this subsystem into openssh proper.

I've been asked to patch Mandrake's openssh with this feature, but I'm hesitant until I know what others think and, primarily, whether or not they have even contacted people like Markus or Theo about this. The RFC is written by them, and it looks like they sell some commercial software around this idea as well.

Here are links to more info:

http://www.vandyke.com/download/os/pks_ossh.html
http://www.vandyke.com/technology/draft-ietf-secsh-publickey-subsystem.txt

The idea of it sounds interesting, but I would really like to know if they have approached anyone regarding having it included in openssh proper.

Thanks.

--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx - source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD: 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}

From markus at openbsd.org Fri Oct 11 05:53:53 2002
From: markus at openbsd.org (Markus Friedl) Date: Thu, 10 Oct 2002 21:53:53 +0200 Subject: pks for openssh In-Reply-To: <578E2744-DC80-11D6-AE48-00039344D6A2@mandrakesoft.com> References: <578E2744-DC80-11D6-AE48-00039344D6A2@mandrakesoft.com> Message-ID: <20021010195353.GB4805@faui02> hm, at least i don't remember. On Thu, Oct 10, 2002 at 12:44:43PM -0600, Vincent Danen wrote: > I was directed to the following site by one of our customers regarding > a keyserver built into openssh. There's a patch for 3.4p1 on their > site, but the license isn't very clear, nor is it clear if they have > approached the openssh team regarding the inclusion of this subsystem > into openssh proper. > > I've been asked to patch Mandrake's openssh with this feature, but I'm > hesitant until I know what others think and, primarily, whether or not > they have even contacted people like Markus or Theo about this. The > RFC is written by them, and it looks like they sell some commercial > software around this idea as well. > > Here is links to more info: > > http://www.vandyke.com/download/os/pks_ossh.html > http://www.vandyke.com/technology/draft-ietf-secsh-publickey- > subsystem.txt > > The idea of it sounds interesting, but I would really like to know if > they have approached anyone regarding having it included in openssh > proper. > > Thanks. > > -- > MandrakeSoft Security; http://www.mandrakesecure.net/ > "lynx - source http://linsec.ca/vdanen.asc | gpg --import" > {FE6F2AFD: 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD} From mouring at etoh.eviladmin.org Fri Oct 11 05:45:19 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 10 Oct 2002 14:45:19 -0500 (CDT)
Subject: pks for openssh
In-Reply-To: <578E2744-DC80-11D6-AE48-00039344D6A2@mandrakesoft.com>
Message-ID:

It is a subsystem. It is not modifying the OpenSSH code at all, and the licensing in publickey-server.c is BSD two clause licence. Which is what we encourage.

However this bugs me:

RCSID("$OpenBSD: publickey-server.c,v 1.33 2002/06/30 00:00:00 markus Exp $");

This is not a valid RCSID for OpenBSD. Which IMNSHO is very poor manners. Leave the RCSID alone or remove them. Don't randomly change them.

Looks like it is based on sftp-server.c

In general if I follow the code and RFC it is just a way of managing 'authorized_keys'. It even is wrong since we no longer support authorized_keys2.

I've never seen it submitted for inclusion. I'd have to look closer at it to make any good or bad comments.

- Ben

On Thu, 10 Oct 2002, Vincent Danen wrote:

> I was directed to the following site by one of our customers regarding
> a keyserver built into openssh. There's a patch for 3.4p1 on their
> site, but the license isn't very clear, nor is it clear if they have
> approached the openssh team regarding the inclusion of this subsystem
> into openssh proper.
>
> I've been asked to patch Mandrake's openssh with this feature, but I'm
> hesitant until I know what others think and, primarily, whether or not
> they have even contacted people like Markus or Theo about this. The
> RFC is written by them, and it looks like they sell some commercial
> software around this idea as well.
>
> Here are links to more info:
>
> http://www.vandyke.com/download/os/pks_ossh.html
> http://www.vandyke.com/technology/draft-ietf-secsh-publickey-
> subsystem.txt
>
> The idea of it sounds interesting, but I would really like to know if
> they have approached anyone regarding having it included in openssh
> proper.
>
> Thanks.
>
> --
> MandrakeSoft Security; http://www.mandrakesecure.net/
> "lynx - source http://linsec.ca/vdanen.asc | gpg --import"
> {FE6F2AFD: 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
>

From bugzilla-daemon at mindrot.org Fri Oct 11 06:10:32 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 11 Oct 2002 06:10:32 +1000 (EST)
Subject: [Bug 412] New: AuthorizedKeysFile assumes home directory access upon authentication
Message-ID: <20021010201032.0F1483D0E6@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=412

Summary: AuthorizedKeysFile assumes home directory access upon authentication
Product: Portable OpenSSH
Version: 3.1p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: barrows at email.arc.nasa.gov

I'm attempting to get RSA authentication to work with OpenAFS. This requires placing the RSA key outside of AFS, and thus outside the user's home directory. I used the line

AuthorizedKeysFile /home/%u/.ssh/authorized_keys

to move the file out of the AFS home directory and into an "ssh only" directory such that it can be accessed by sshd without AFS tokens. This ends up failing however, with this debug output (from sshd -d):

debug1: userauth-request for user (username) service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 1359/10 (e=0)
debug1: trying public key file /home/(username)/.ssh/authorized_keys
Authentication refused: realpath /afs/ic-afs.arc.nasa.gov/admin/(username) failed: Permission denied

Apparently OpenSSH is stat'ing the home directory, despite the fact that the files it should need are in another directory. When using AFS, the home directory will not be accessible until the login has gone through PAM and obtained a token. Is this not possible for a reason e.g. security, or is there the potential to change this?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From Darren.Moffat at Sun.COM Fri Oct 11 06:34:32 2002
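The "realpath ... failed" refusal in the bug report comes from the permission check sshd applies to the keys file when StrictModes is on: both the keys file and the user's home directory are canonicalised with realpath(), the file's ownership and mode are checked, and then every directory from the file upwards is checked until the home directory is reached. The home directory is resolved so the walk knows where to stop, which is why it is touched even when AuthorizedKeysFile points elsewhere, and that realpath() call is the one an unreachable AFS home defeats. An added C sketch of that check, not sshd's own code (keyfile_is_safe and keyfile_selftest are names chosen here); the self-test builds a constructed directory tree under /tmp so it runs offline:

```c
/*
 * Added example, not sshd's own code: a sketch of the StrictModes check
 * sshd runs on an authorized_keys file.  Keys file and home directory are
 * canonicalised with realpath(), the file is checked, then each directory
 * upwards is checked until the home directory (or "/") is reached.
 * keyfile_is_safe() and keyfile_selftest() are names chosen for this example.
 */
#define _XOPEN_SOURCE 700
#include <sys/stat.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Rule for the file and every directory on the way up: owned by the user
 * or by root, and not writable by group or others. */
static int owned_and_tight(const char *path, uid_t uid)
{
    struct stat st;

    if (stat(path, &st) < 0)
        return 0;
    if (st.st_uid != 0 && st.st_uid != uid)
        return 0;
    return (st.st_mode & 022) == 0;
}

/* Returns 0 when the keys file is acceptable, -1 otherwise (reason in err). */
int keyfile_is_safe(const char *file, uid_t uid, const char *homedir,
                    char *err, size_t errlen)
{
    char buf[PATH_MAX], home[PATH_MAX], *slash;

    if (realpath(file, buf) == NULL) {
        snprintf(err, errlen, "realpath %s failed: %s", file, strerror(errno));
        return -1;
    }
    /* The home directory must be resolvable even though the keys file
     * lives elsewhere; with an AFS home and no token this is what fails. */
    if (realpath(homedir, home) == NULL) {
        snprintf(err, errlen, "realpath %s failed: %s", homedir, strerror(errno));
        return -1;
    }
    if (!owned_and_tight(buf, uid)) {
        snprintf(err, errlen, "bad ownership or modes for file %s", buf);
        return -1;
    }
    /* Walk upwards one path component at a time. */
    while ((slash = strrchr(buf, '/')) != NULL) {
        if (slash == buf)
            strcpy(buf, "/");
        else
            *slash = '\0';
        if (!owned_and_tight(buf, uid)) {
            snprintf(err, errlen, "bad ownership or modes for directory %s", buf);
            return -1;
        }
        if (strcmp(buf, home) == 0 || strcmp(buf, "/") == 0)
            break;
    }
    return 0;
}

/* Constructed tree under /tmp standing in for a home directory.  Returns 0
 * when all three cases behave as described, a nonzero bit mask otherwise. */
int keyfile_selftest(void)
{
    char home[PATH_MAX], keysdir[PATH_MAX], keyfile[PATH_MAX], err[512];
    uid_t me = getuid();
    int rc = 1;
    FILE *f;

    snprintf(home, sizeof home, "/tmp/keychk-%ld", (long)getpid());
    snprintf(keysdir, sizeof keysdir, "%s/.ssh", home);
    snprintf(keyfile, sizeof keyfile, "%s/authorized_keys", keysdir);
    if (mkdir(home, 0700) == 0 && mkdir(keysdir, 0700) == 0 &&
        (f = fopen(keyfile, "w")) != NULL) {
        fclose(f);
        chmod(keyfile, 0600);
        rc = 0;
        /* 1. a sane layout is accepted */
        if (keyfile_is_safe(keyfile, me, home, err, sizeof err) != 0)
            rc |= 2;
        /* 2. an unresolvable home is refused before any mode is looked at */
        if (keyfile_is_safe(keyfile, me, "/nonexistent-home-for-test", err,
                            sizeof err) != -1 || strstr(err, "realpath") == NULL)
            rc |= 4;
        /* 3. a group-writable .ssh directory is refused */
        chmod(keysdir, 0770);
        if (keyfile_is_safe(keyfile, me, home, err, sizeof err) != -1 ||
            strstr(err, "directory") == NULL)
            rc |= 8;
        unlink(keyfile);
    }
    rmdir(keysdir);
    rmdir(home);
    return rc;
}

int main(void)
{
    int rc = keyfile_selftest();
    printf("keyfile checks %s (%d)\n", rc == 0 ? "behave as described" : "FAILED", rc);
    return rc;
}
```

Case 2 of the self-test is the bug's situation in miniature: the keys file itself is fine, but the check never gets as far as looking at it because the home directory cannot be resolved first.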
From: Darren.Moffat at Sun.COM (Darren J Moffat)
Date: Thu, 10 Oct 2002 13:34:32 -0700 (PDT)
Subject: pks for openssh
In-Reply-To: <20021010195353.GB4805@faui02>
Message-ID:

On Thu, 10 Oct 2002, Markus Friedl wrote:

> hm, at least i don't remember.

Nor has it shown up on the SECSH-WG alias yet. I don't remember any traffic about this draft. Note that the date is October 2002 so it is very new.

I think at this stage naming it draft-ietf-secsh- is premature. I've checked with the working group chair and he has yet to approve this as a working group submission - it is in his queue. It will probably appear as an "individual" submission and may be discussed as a potential working group draft if SECSH-WG meets at the next IETF. If it does become a working group draft the @vandyke.com qualifier would be removed from the subsystem name.

In general it looks like a good idea though I have some concerns about some of the SHOULDs that I think are MAYs.

> On Thu, Oct 10, 2002 at 12:44:43PM -0600, Vincent Danen wrote:
> > I was directed to the following site by one of our customers regarding
> > a keyserver built into openssh. There's a patch for 3.4p1 on their
> > site, but the license isn't very clear, nor is it clear if they have
> > approached the openssh team regarding the inclusion of this subsystem
> > into openssh proper.
> >
> > I've been asked to patch Mandrake's openssh with this feature, but I'm
> > hesitant until I know what others think and, primarily, whether or not
> > they have even contacted people like Markus or Theo about this. The
> > RFC is written by them, and it looks like they sell some commercial
> > software around this idea as well.
> >
> > Here are links to more info:
> >
> > http://www.vandyke.com/download/os/pks_ossh.html
> > http://www.vandyke.com/technology/draft-ietf-secsh-publickey-
> > subsystem.txt
> >
> > The idea of it sounds interesting, but I would really like to know if
> > they have approached anyone regarding having it included in openssh
> > proper.

At this time they haven't got approval for it being a product of the SECSH-WG at IETF. That doesn't stop OpenSSH from including it though.

--
Darren J Moffat

From vdanen at mandrakesoft.com Fri Oct 11 06:48:03 2002
From: vdanen at mandrakesoft.com (Vincent Danen)
Date: Thu, 10 Oct 2002 14:48:03 -0600
Subject: pks for openssh
In-Reply-To:
Message-ID: <920F3DBA-DC91-11D6-AE48-00039344D6A2@mandrakesoft.com>

On Thursday, October 10, 2002, at 01:45 PM, Ben Lindstrom wrote:

> It is a subsystem. It is not modifying the OpenSSH code at all, and
> the
> licensing in publickey-server.c is BSD two clause licence. Which is
> what
> we encourage.

Fair enough.

> However this bugs me:
>
> RCSID("$OpenBSD: publickey-server.c,v 1.33 2002/06/30 00:00:00 markus
> Exp $");
>
> This is not a valid RCSID for OpenBSD. Which IMNSHO is very poor
> manners.
> Leave the RCSID alone or remove them. Don't randomly change them.
>
> Looks like it is based on sftp-server.c

That was the impression I was under as well, for the basis. I hadn't even noticed the RCSID.

> In general if I follow the code and RFC it is just a way of
> managing 'authorized_keys'. It even is wrong since we no longer support
> authorized_keys2.

=)

> I've never seen it submitted for inclusion. I'd have to look closer at
> it
> to make any good or bad comments.

Ok. Thanks for the preliminary observations. I'll play around with it and see how it works with the CVS snapshots since that's what I'm interested in testing shortly (as time permits).

Thanks, Ben.

--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx - source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD: 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}

From bugzilla-daemon at mindrot.org Fri Oct 11 17:59:31 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 11 Oct 2002 17:59:31 +1000 (EST)
Subject: [Bug 413] New: Port forwarding: [localhost:]localport:remotehost:remoteport
Message-ID: <20021011075931.5468E3D149@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=413

           Summary: Port forwarding: [localhost:]localport:remotehost:remoteport
           Product: Portable OpenSSH
           Version: older versions
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: rafal.mantiuk at bellstream.pl

At the moment ssh port forwarding can open a socket for listening only on localhost or on all interfaces (-g option). In the case of multi-IP servers it would be useful if there was a way to specify exactly which interfaces/IPs ssh forwarding should bind to. The command line could be like:

ssh -L [localhost:]localport:remotehost:remoteport login at host

where [] indicates an optional parameter. localhost is the interface to be used for opening a socket (i.e. it should be passed as the 'node' parameter to getaddrinfo() in channel.c:channel_setup_fwd_listener). The other parameters are the same as in the current ssh implementation.

For example:

ssh -N -L 192.168.0.2:139:somehost:139

could be used to forward Samba packets only on the interface 192.168.0.2. Another interface on the same server - e.g. 192.168.0.1 - could be used to host a local Samba server.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From postadal at suse.cz Fri Oct 11 20:44:46 2002
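A worked version of the proposal in this bug report, added here as an example (it is not code from channel.c or from the reporter): it parses the "[bind_address:]localport:remotehost:remoteport" form and opens the listener by handing the bind address to getaddrinfo() as its 'node' argument. The struct and function names are the example's own, the loopback default is simplified to 127.0.0.1, and an explicit address is taken literally so no DNS answer decides which interface gets exposed.

```c
/* Added example, not channel.c: parse "[bind_address:]port:host:hostport"
 * and open the listener with bind_address as getaddrinfo()'s 'node'. */
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct fwd_spec {
	char bind_addr[64];	/* "" = loopback only, "*" = all interfaces */
	int listen_port;
	char remote_host[256];
	int remote_port;
};

/* Strict port parse: digits only, 1..65535. */
static int parse_port(const char *s, int *out)
{
	char *end;
	long v;
	errno = 0;
	v = strtol(s, &end, 10);
	if (*s == '\0' || errno != 0 || *end != '\0' || v < 1 || v > 65535)
		return -1;
	*out = (int)v;
	return 0;
}

/* Split from the right so an unbracketed IPv6 bind address ("::1") stays
 * whole; the remote host itself must not contain ':'. Returns 0 or -1. */
int parse_fwd_spec(const char *spec, struct fwd_spec *f)
{
	char buf[512], *p, *rport, *rhost, *lport;
	memset(f, 0, sizeof(*f));
	if (strlen(spec) >= sizeof(buf))
		return -1;
	strcpy(buf, spec);
	if ((p = strrchr(buf, ':')) == NULL)
		return -1;
	*p++ = '\0'; rport = p;
	if ((p = strrchr(buf, ':')) == NULL)
		return -1;
	*p++ = '\0'; rhost = p;
	if ((p = strrchr(buf, ':')) != NULL) {	/* optional bind address */
		*p++ = '\0'; lport = p;
		if (strlen(buf) >= sizeof(f->bind_addr))
			return -1;
		strcpy(f->bind_addr, buf);
	} else
		lport = buf;
	if (*rhost == '\0' || strlen(rhost) >= sizeof(f->remote_host) ||
	    parse_port(lport, &f->listen_port) < 0 ||
	    parse_port(rport, &f->remote_port) < 0)
		return -1;
	strcpy(f->remote_host, rhost);
	return 0;
}

/* Listening socket bound where the spec says. An explicit address is used
 * literally (AI_NUMERICHOST: no DNS lookup decides what gets exposed);
 * "*" or gateway_ports binds every interface like -g; otherwise only IPv4
 * loopback (the default, simplified to one address here). Returns fd or -1. */
int open_fwd_listener(const struct fwd_spec *f, int gateway_ports)
{
	struct addrinfo hints, *res, *ai;
	char portstr[8];
	const char *node;
	int fd = -1, one = 1;
	memset(&hints, 0, sizeof(hints));
	hints.ai_family = AF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	if (strcmp(f->bind_addr, "*") == 0 ||
	    (gateway_ports && f->bind_addr[0] == '\0')) {
		node = NULL;			/* wildcard address */
		hints.ai_flags = AI_PASSIVE;
	} else {
		node = f->bind_addr[0] != '\0' ? f->bind_addr : "127.0.0.1";
		hints.ai_flags = AI_NUMERICHOST;
	}
	snprintf(portstr, sizeof(portstr), "%d", f->listen_port);
	if (getaddrinfo(node, portstr, &hints, &res) != 0)
		return -1;
	for (ai = res; ai != NULL; ai = ai->ai_next) {
		fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
		if (fd < 0)
			continue;
		setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
		if (bind(fd, ai->ai_addr, ai->ai_addrlen) == 0 && listen(fd, 16) == 0)
			break;
		close(fd);
		fd = -1;
	}
	freeaddrinfo(res);
	return fd;
}
```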
From: postadal at suse.cz (Petr Ostadal)
Date: Fri, 11 Oct 2002 12:44:46 +0200 (CEST)
Subject: Why openssh newer than 2.9.9 doesn't send SIGTERM and SIGHUP to child process?
Message-ID:

Hi,

I searched the list archive for any reason why the sending of the SIGTERM and SIGHUP signals to the child, as it was in the 2.9.9 version, was removed from the function 'void session_close_by_channel(int id, void *arg)' in openssh newer than 2.9.9. See the following snipped code from the 2.9.9 sources:

---- openssh-2.9.9/session.c ----------------------------------------
void
session_close_by_channel(int id, void *arg)
...
	debug("session_close_by_channel: channel %d kill %d", id, s->pid);
	if (s->pid == 0) {
		/* close session immediately */
		session_close(s);
	} else {
		/* notify child, delay session cleanup */
		if (kill(s->pid, (s->ttyfd == -1) ? SIGTERM : SIGHUP) < 0)
		    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
			error("session_close_by_channel: kill %d: %s",
			    s->pid, strerror(errno));
	}
...
----------------------------------------------------------------------------

This change in the new version causes some processes (which don't need a terminal) to hang after the termination of ssh by e.g. SIGINT, because the hung process doesn't receive any signal from the ssh process.

basilisk:~> ssh basilisk 'sleep 1000'
23022: Killed by signal 2.
basilisk:~> ps -ef |grep sleep
postadal 23026     1  1 12:30 ?        00:00:00 sleep 100

The problem above can be resolved by forcing pseudo-tty allocation (option -t), but it is not an ideal solution.

Please, could anyone tell me why the new openssh doesn't send SIGHUP to the child process if ssh was terminated?

Thnx in advance
Petr

--
Best Regards / S pozdravem,

Petr Ostadal
developer
---------------------------------------------------------------------
SuSE CR, s.r.o.              e-mail: postadal at suse.cz
Drahobejlova 27              tel: +420 2 9654 2382
190 00 Praha 9               fax: +420 2 9654 2374
Czech Republic               http://www.suse.cz

From markus at openbsd.org Fri Oct 11 21:08:49 2002
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 11 Oct 2002 13:08:49 +0200
Subject: Why openssh newer than 2.9.9 doesn't send SIGTERM and SIGHUP to child process?
In-Reply-To:
References:
Message-ID: <20021011110849.GC4673@faui02>

because it was wrong (telnetd, rlogind don't do it) and dangerous
(sending signals as root to other processes).

the login shells should die if their stdin/out is closed.

did you check the cvs log for this change?

On Fri, Oct 11, 2002 at 12:44:46PM +0200, Petr Ostadal wrote:
> Hi,
>
> I searched the list archive for any reason why the sending of the SIGTERM and
> SIGHUP signals to the child, as it was in the 2.9.9 version, was removed from
> the function 'void session_close_by_channel(int id, void *arg)' in openssh
> newer than 2.9.9. See the following snipped code from the 2.9.9 sources:
>
> ---- openssh-2.9.9/session.c ----------------------------------------
> void
> session_close_by_channel(int id, void *arg)
> ...
> 	debug("session_close_by_channel: channel %d kill %d", id, s->pid);
> 	if (s->pid == 0) {
> 		/* close session immediately */
> 		session_close(s);
> 	} else {
> 		/* notify child, delay session cleanup */
> 		if (kill(s->pid, (s->ttyfd == -1) ? SIGTERM : SIGHUP) < 0)
> 		    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 			error("session_close_by_channel: kill %d: %s",
> 			    s->pid, strerror(errno));
> 	}
> ...
>
> ----------------------------------------------------------------------------
>
> This change in the new version causes some processes (which don't need a
> terminal) to hang after the termination of ssh by e.g. SIGINT, because the hung
> process doesn't receive any signal from the ssh process.
>
> basilisk:~> ssh basilisk 'sleep 1000'
> 23022: Killed by signal 2.
> basilisk:~> ps -ef |grep sleep
> postadal 23026     1  1 12:30 ?        00:00:00 sleep 100
>
> The problem above can be resolved by forcing pseudo-tty allocation (option -t), but
> it is not an ideal solution.
>
> Please, could anyone tell me why the new openssh doesn't send SIGHUP to the
> child process if ssh was terminated?
>
> Thnx in advance
>
> Petr
>
> --
> Best Regards / S pozdravem,
>
> Petr Ostadal
> developer
> ---------------------------------------------------------------------
> SuSE CR, s.r.o.              e-mail: postadal at suse.cz
> Drahobejlova 27              tel: +420 2 9654 2382
> 190 00 Praha 9               fax: +420 2 9654 2374
> Czech Republic               http://www.suse.cz
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From dtucker at zip.com.au Fri Oct 11 21:36:21 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 11 Oct 2002 21:36:21 +1000
Subject: Why openssh newer than 2.9.9 doesn't send SIGTERM and SIGHUP to child process?
References:
Message-ID: <3DA6B7B5.65C3F8F6@zip.com.au>

Petr Ostadal wrote:
> The problem above can be resolved by forcing pseudo-tty allocation (option -t), but
> it is not an ideal solution.
>
> Please, could anyone tell me why the new openssh doesn't send SIGHUP to the
> child process if ssh was terminated?

I don't know why it was removed (in fact, I didn't know about it at all until I read your message) but I've got an open bug on a similar issue:
http://bugzilla.mindrot.org/show_bug.cgi?id=396

The line you're referring to was removed from session.c between 2.9.9p2 and 3.0 in an OpenBSD sync:

revision 1.153
date: 2001/10/12 01:35:06;  author: djm;  state: Exp;  lines: +11 -18
 - (djm) OpenBSD CVS Sync
   - markus at cvs.openbsd.org 2001/10/10 22:18:47
     [channels.c channels.h clientloop.c nchan.c serverloop.c]
     [session.c session.h]
     try to keep channels open until an exit-status message is sent.
     don't kill the login shells if the shells stdin/out/err is closed.
     this should now work:
     ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From bugzilla-daemon at mindrot.org Sat Oct 12 00:59:43 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 12 Oct 2002 00:59:43 +1000 (EST)
Subject: [Bug 412] AuthorizedKeysFile assumes home directory access upon authentication
Message-ID: <20021011145943.186103D156@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=412

markus at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

------- Additional Comments From markus at openbsd.org 2002-10-12 00:59 -------
AuthorizedKeysFile /etc/ssh/keys/%u does not access $HOME for me.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat Oct 12 01:11:40 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 12 Oct 2002 01:11:40 +1000 (EST)
Subject: [Bug 412] AuthorizedKeysFile assumes home directory access upon authentication
Message-ID: <20021011151140.A0EDA3D189@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=412

markus at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WORKSFORME                  |

------- Additional Comments From markus at openbsd.org 2002-10-12 01:11 -------
oh, i see, auth.c uses realpath(pw->pw_dir) to compare it against the configured path.
perhaps drop the check against homedir if realpath(pw->pw_dir) fails?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat Oct 12 04:20:14 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 12 Oct 2002 04:20:14 +1000 (EST) Subject: [Bug 412] AuthorizedKeysFile assumes home directory access upon authentication Message-ID: <20021011182014.F0C723D15F@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=412 ------- Additional Comments From barrows at email.arc.nasa.gov 2002-10-12 04:20 ------- I actually commented the test out and re-built OpenSSH last night. Although not an ideal fix, it seemed to work. Getting AFS to auth after that is another (unrelated) story, but this does solve the ssh part of the problem. Thanks! ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From jpv at vandyke.com Sat Oct 12 06:29:30 2002 
From: jpv at vandyke.com (Jeff P. Van Dyke)
Date: Fri, 11 Oct 2002 14:29:30 -0600
Subject: pks for openssh
Message-ID: <006401c27164$ea1db940$2700a8c0@xp1>

> Nor has it shown up on the SECSH-WG alias yet. I don't remember any traffic
> about this draft. Note that the date is October 2002 so it is very new.

It was initially proposed as a channel to the IETF working group as an individual draft in November of 2000. At that time, there was quite a bit of discussion on the public key channel. The consensus was that it should be a subsystem. A new draft has been submitted. It isn't yet clear whether it will be a working group draft or an individual draft. I've contacted the chairman of the WG, but haven't heard back.

> However this bugs me:
>
> RCSID("$OpenBSD: publickey-server.c,v 1.33 2002/06/30 00:00:00 markus Exp $");
>
> This is not a valid RCSID for OpenBSD. Which IMNSHO is very poor manners.
> Leave the RCSID alone or remove them. Don't randomly change them.

The RCSID was an oversight. We don't use RCS, it was leftover from something... My apologies to Markus.

> In general if I follow the code and RFC it is just a way of
> managing 'authorized_keys'. It even is wrong since we no longer support
> authorized_keys2.

This is clearly a mistake. We will work on getting an update to the distribution that addresses this.

With regards to including it in the OpenSSH distribution, we'd like to see that happen. We were hoping by releasing it as a patch, we could assess the interest and if there was sufficient interest, it would be included. The early interest seems promising. Markus, please let us know if there is anything we can do to make this happen sooner rather than later :-)

Jeff P. Van Dyke
jpv at vandyke.com

From jmillet at kc.rr.com Sat Oct 12 20:39:33 2002
From: jmillet at kc.rr.com (John Millet)
Date: Sat, 12 Oct 2002 05:39:33 -0500
Subject: (no subject)
Message-ID: <02b001c271db$a7efc3c0$7401a8c0@JMILLET>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20021012/89054eb2/attachment.html

From doug at endai.com Sun Oct 13 06:51:44 2002
From: doug at endai.com (Douglas Boldt)
Date: Sat, 12 Oct 2002 16:51:44 -0400
Subject: scp
Message-ID: <004201c27231$2d76ce80$342da8c0@hal>

I would absolutely love a flag in scp to ignore sym-links.

Douglas Boldt
Endai WorldWide, NYC
Technical Operations Manager
212-430-0808 x118

From mozilla at attbi.com Sun Oct 13 08:40:23 2002
From: mozilla at attbi.com (Donnie Cranford)
Date: Sat, 12 Oct 2002 17:40:23 -0500
Subject: AIX remote root logins
Message-ID: <3DA8A4D7.5070708@attbi.com>

I am in the process of introducing OpenSSH into our corporate environment.
This environment includes Solaris / HP-UX / AIX and Linux.

We have had audit tell us we need to disable root logins through telnet... we can do this through the use of OpenSSH on all platforms except AIX. Apparently bug # 383 was supposed to take care of this and I have downloaded the -current snapshot and tested, but remote root logins through SSH still do not work.

I have also tested the commercial version of SSH and it works there, so what are you guys doing different in your authentication code??

Thanks
Donnie Cranford
Sr Unix Systems Admin
ING Americas

From fcusack at fcusack.com Sun Oct 13 12:21:34 2002
From: fcusack at fcusack.com (Frank Cusack) Date: Sat, 12 Oct 2002 19:21:34 -0700 Subject: AIX remote root logins In-Reply-To: <3DA8A4D7.5070708@attbi.com>; from mozilla@attbi.com on Sat, Oct 12, 2002 at 05:40:23PM -0500 References: <3DA8A4D7.5070708@attbi.com> Message-ID: <20021012192134.A2957@google.com> On Sat, Oct 12, 2002 at 05:40:23PM -0500, Donnie Cranford wrote: > and tested but remote root logins through SSH still does not work. > > I have also tested the Commercial version of SSH and it works on there, > so what are you guys doing different in your authenticate code?? grep -i permitrootlogin /etc/ssh/sshd_config /fc From fcusack at fcusack.com Sun Oct 13 12:25:07 2002 From: fcusack at fcusack.com (Frank Cusack) Date: Sat, 12 Oct 2002 19:25:07 -0700 Subject: AIX remote root logins In-Reply-To: <3DA8A4D7.5070708@attbi.com>; from mozilla@attbi.com on Sat, Oct 12, 2002 at 05:40:23PM -0500 References: <3DA8A4D7.5070708@attbi.com> Message-ID: <20021012192507.B2957@google.com> Sorry, ignore my previous comment ... after looking at the bug it's obviously more complex. From maniac at maniac.nl Sun Oct 13 12:48:05 2002 
From: maniac at maniac.nl (Mark Janssen)
Date: 13 Oct 2002 04:48:05 +0200
Subject: AIX remote root logins
In-Reply-To: <3DA8A4D7.5070708@attbi.com>
References: <3DA8A4D7.5070708@attbi.com>
Message-ID: <1034477285.3755.4.camel@shuttle>

On Sun, 2002-10-13 at 00:40, Donnie Cranford wrote:
> I am in the process of introducing OpenSSH into our corporate environment.
> This environment includes Solaris / HP-UX / AIX and Linux
>
> We have had audit tell us we need to disable root logins through telnet...
> we can do this through the use of OpenSSH on all platforms except AIX
> apparently bug # 383 was supposed to take care of this and I have
> downloaded -current snapshot
> and tested but remote root logins through SSH still does not work.

I'm running it at a multinational I work for, on AIX and HP, with allow-root logins on 'without-password' (keyfiles only). It works perfectly... but you need to configure SSH without USE_AIX_AUTHENTICATION, otherwise it won't work...

If needed, contact me on Monday and I'll provide you with my install instructions and packages if you want..

--
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl

From mouring at etoh.eviladmin.org Sun Oct 13 13:07:06 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sat, 12 Oct 2002 22:07:06 -0500 (CDT)
Subject: AIX remote root logins
In-Reply-To: <1034477285.3755.4.camel@shuttle>
Message-ID:

You're better off using the patch by Dr Jorg Petersen on:

http://bugzilla.mindrot.org/show_bug.cgi?id=383

The more I think about it..The more I agree with it, but I've not had the time to look into it.

On 13 Oct 2002, Mark Janssen wrote:

> On Sun, 2002-10-13 at 00:40, Donnie Cranford wrote:
> > I am in the process of introducing OpenSSH into our corporate environment.
> > This environment includes Solaris / HP-UX / AIX and Linux
> >
> > We have had audit tell us we need to disable root logins through telnet...
> > we can do this through the use of OpenSSH on all platforms except AIX
> > apparently bug # 383 was supposed to take care of this and I have
> > downloaded -current snapshot
> > and tested but remote root logins through SSH still does not work.
>
> I'm running it at a multinational I work for, on AIX and HP, with
> allow-root logins on 'without-password' (keyfiles only). It works
> perfectly... but you need to configure SSH without
> USE_AIX_AUTHENTICATION, otherwise it won't work...
>
> If needed, contact me on Monday and I'll provide you with my install
> instructions and packages if you want..
>
> --
> Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
> Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
> Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From dtucker at zip.com.au Sun Oct 13 13:30:21 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 13 Oct 2002 13:30:21 +1000
Subject: AIX remote root logins
References: <3DA8A4D7.5070708@attbi.com> <1034477285.3755.4.camel@shuttle>
Message-ID: <3DA8E8CD.B5C3FDA9@zip.com.au>

Mark Janssen wrote:
> On Sun, 2002-10-13 at 00:40, Donnie Cranford wrote:
> > I am in the process of introducing OpenSSH into our corporate environment.
> > This environment includes Solaris / HP-UX / AIX and Linux
> >
> > We have had audit tell us we need to disable root logins through telnet...
> > we can do this through the use of OpenSSH on all platforms except AIX
> > apparently bug # 383 was supposed to take care of this and I have
> > downloaded -current snapshot
> > and tested but remote root logins through SSH still does not work.

Most platforms have special login controls for root (eg /etc/securetty or /etc/default/login). Sshd has its own (PermitRootLogin).

AIX has generic login control for all accounts (through the function "loginrestrictions") which sshd checks (if WITH_AIXAUTHENTICATE is defined).

The bug has a patch by Dr. Jörg Petersen which doesn't call loginrestrictions for root. This makes sense to me as you can still disable root logins with "PermitRootLogin no" which is consistent with most other platforms. Without this patch it's not possible to disable root logins via telnet but permit them via ssh, it's both or neither. With it, they're independent.

I'm not sure if there's a philosophical objection to the patch or it's just not been looked at.

> I'm running it at a multinational I work for, on AIX and HP, with
> allow-root logins on 'without-password' (keyfiles only). It works
> perfectly... but you need to configure SSH without
> USE_AIX_AUTHENTICATION, otherwise it won't work...

Be aware that removing WITH_AIXAUTHENTICATE from config.h also disables some of AIX's security features (eg lockout on bad logins and expired accounts) so ssh can be used for password-guessing attacks.
-- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From mozilla at attbi.com Sun Oct 13 13:42:38 2002 
From: mozilla at attbi.com (Donnie Cranford)
Date: Sat, 12 Oct 2002 22:42:38 -0500
Subject: AIX remote root logins
References: <3DA8A4D7.5070708@attbi.com> <1034477285.3755.4.camel@shuttle> <3DA8E8CD.B5C3FDA9@zip.com.au>
Message-ID: <3DA8EBAE.2080303@attbi.com>

Isn't this patch included in the current 3.5p1 cvs?? I looked at the src code in the snapshot I pulled and I could swear it's the same exact code.

Darren Tucker wrote:

>Mark Janssen wrote:
>
>>On Sun, 2002-10-13 at 00:40, Donnie Cranford wrote:
>>
>>>I am in the process of introducing OpenSSH into our corporate environment.
>>>This environment includes Solaris / HP-UX / AIX and Linux
>>>
>>>We have had audit tell us we need to disable root logins through telnet...
>>>we can do this through the use of OpenSSH on all platforms except AIX
>>>apparently bug # 383 was supposed to take care of this and I have
>>>downloaded -current snapshot
>>>and tested but remote root logins through SSH still does not work.
>
>Most platforms have special login controls for root (eg /etc/securetty
>or /etc/default/login). Sshd has its own (PermitRootLogin).
>
>AIX has generic login control for all accounts (through the function
>"loginrestrictions") which sshd checks (if WITH_AIXAUTHENTICATE is
>defined).
>
>The bug has a patch by Dr. Jörg Petersen which doesn't call
>loginrestrictions for root. This makes sense to me as you can still
>disable root logins with "PermitRootLogin no" which is consistent with
>most other platforms. Without this patch it's not possible to disable
>root logins via telnet but permit them via ssh, it's both or neither.
>With it, they're independent.
>
>I'm not sure if there's a philosophical objection to the patch or
>it's just not been looked at.
>
>>I'm running it at a multinational I work for, on AIX and HP, with
>>allow-root logins on 'without-password' (keyfiles only). It works
>>perfectly... but you need to configure SSH without
>>USE_AIX_AUTHENTICATION, otherwise it won't work...
>
>Be aware that removing WITH_AIXAUTHENTICATE from config.h also disables
>some of AIX's security features (eg lockout on bad logins and expired
>accounts) so ssh can be used for password-guessing attacks.

From dtucker at zip.com.au Sun Oct 13 13:44:48 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 13 Oct 2002 13:44:48 +1000
Subject: AIX remote root logins
References:
Message-ID: <3DA8EC30.CD98F1AB@zip.com.au>

Ben Lindstrom wrote:
> You're better off using the patch by Dr Jorg Petersen on:
>
> http://bugzilla.mindrot.org/show_bug.cgi?id=383
>
> The more I think about it..The more I agree with it, but I've not had the
> time to look into it.

On the subject of that line of code: loginrestrictions will always fail when run as a non-root user (unless the user is a member of group "security"). This also means the regression tests won't work without sudo.

If I post a patch that does something like

    if (pw->pw_uid != 0) && (geteuid() == 0) && loginrestrictions....

is it likely to be accepted?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Sun Oct 13 13:50:32 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 13 Oct 2002 13:50:32 +1000
Subject: AIX remote root logins
References: <3DA8A4D7.5070708@attbi.com> <1034477285.3755.4.camel@shuttle> <3DA8E8CD.B5C3FDA9@zip.com.au> <3DA8EBAE.2080303@attbi.com>
Message-ID: <3DA8ED88.1D001538@zip.com.au>

Donnie Cranford wrote:
> Isn't this patch included in the current 3.5p1 cvs??

No, as far as I know the patch is in bugzilla only.

The patch has:
    if ((pw->pw_uid != 0) && (loginrestrictions(pw->pw_name,...

CVS has:
    if (loginrestrictions(pw->pw_name,...

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From mouring at etoh.eviladmin.org Sun Oct 13 14:03:47 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sat, 12 Oct 2002 23:03:47 -0500 (CDT)
Subject: AIX remote root logins
In-Reply-To: <3DA8EC30.CD98F1AB@zip.com.au>
Message-ID:

On Sun, 13 Oct 2002, Darren Tucker wrote:

> Ben Lindstrom wrote:
> > You're better off using the patch by Dr Jorg Petersen on:
> >
> > http://bugzilla.mindrot.org/show_bug.cgi?id=383
> >
> > The more I think about it..The more I agree with it, but I've not had the
> > time to look into it.
>
> On the subject of that line of code: loginrestrictions will always fail
> when run as a non-root user (unless the user is a member of group
> "security"). This also means the regression tests won't work without
> sudo.
>

This kinda touches on another question that was brought up for AIX and a few other platforms. Is it valid to allow sshd to run as a non-root user?

I'm skimming around in the code, and there is precedence for this type of change. Is this the only thing tripping OpenSSH from running as non-root for AIX for regression?

- Ben

From mozilla at attbi.com Sun Oct 13 14:28:51 2002
From: mozilla at attbi.com (Donnie Cranford)
Date: Sat, 12 Oct 2002 23:28:51 -0500
Subject: AIX remote root logins
References: <3DA8A4D7.5070708@attbi.com> <1034477285.3755.4.camel@shuttle> <3DA8E8CD.B5C3FDA9@zip.com.au> <3DA8EBAE.2080303@attbi.com> <3DA8ED88.1D001538@zip.com.au>
Message-ID: <3DA8F683.1010308@attbi.com>

yep, just noticed this and sure enough you are right

I implemented the patch and sure enough I am able to ssh in as root with remote login as root disabled... I am happy / Audit is happy / and my company will be happy that we saved 125,000 + in license fees

I think this code needs to be put into the default codebase, AIX admins like myself would die for this code

Thanks
Donnie Cranford
Sr Unix Systems Admin
ING Americas

Darren Tucker wrote:

>Donnie Cranford wrote:
>
>>Isn't this patch included in the current 3.5p1 cvs??
>
>No, as far as I know the patch is in bugzilla only.
>
>The patch has:
>    if ((pw->pw_uid != 0) && (loginrestrictions(pw->pw_name,...
>
>CVS has:
>    if (loginrestrictions(pw->pw_name,...

From dtucker at zip.com.au Sun Oct 13 14:58:35 2002
From: dtucker at zip.com.au (Darren Tucker) Date: Sun, 13 Oct 2002 14:58:35 +1000 Subject: AIX remote root logins References: Message-ID: <3DA8FD7B.2A943159@zip.com.au> Ben Lindstrom wrote: > On Sun, 13 Oct 2002, Darren Tucker wrote: > This kinda touches on another question that was brough up for AIX and a > few other platforms. Is is valid to allow sshd to run as a non-root > user? Well it's potentially useful... eg could run a non-root sshd in a chroot to permit key-authenticated portforwards only (ok, this is a contrived example, but you get the idea). In accordance with the Unix philosophy I don't think you should stop people doing dumb things if it also stops them doing useful things. If it bugs someone they can "chmod 500 sshd". > I'm skimming around in the code, and there is presidence for this type of > change. Is this the only thing tripping OpenSSH from running the as > non-root for AIX for regression? Yes. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From mouring at etoh.eviladmin.org Sun Oct 13 15:10:11 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sun, 13 Oct 2002 00:10:11 -0500 (CDT)
Subject: AIX remote root logins
In-Reply-To: <3DA8FD7B.2A943159@zip.com.au>
Message-ID:

Send a patch.. I'll add it to the AIX queue.

On Sun, 13 Oct 2002, Darren Tucker wrote:

> Ben Lindstrom wrote:
> > On Sun, 13 Oct 2002, Darren Tucker wrote:
> > This kinda touches on another question that was brought up for AIX and a
> > few other platforms. Is it valid to allow sshd to run as a non-root
> > user?
>
> Well it's potentially useful... eg could run a non-root sshd in a chroot
> to permit key-authenticated portforwards only (ok, this is a contrived
> example, but you get the idea).
>
> In accordance with the Unix philosophy I don't think you should stop
> people doing dumb things if it also stops them doing useful things.
>
> If it bugs someone they can "chmod 500 sshd".
>
> > I'm skimming around in the code, and there is precedence for this type of
> > change. Is this the only thing tripping OpenSSH from running as
> > non-root for AIX for regression?
>
> Yes.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

From dtucker at zip.com.au Sun Oct 13 18:10:42 2002
From: dtucker at zip.com.au (Darren Tucker) Date: Sun, 13 Oct 2002 18:10:42 +1000 Subject: AIX remote root logins References: Message-ID: <3DA92A82.895F7BF5@zip.com.au> Ben Lindstrom wrote: > Send a patch.. I'll add it to the AIX queue. OK... this patch only calls loginrestricted on AIX if: a) the user logging in isn't root (so root logins can be disabled via telnet but permitted or denied via PermitRootLogin). b) sshd *is* running as root since loginrestricted will fail if sshd isn't (or isn't a member of group "security"). See: http://bugzilla.mindrot.org/show_bug.cgi?id=383 for details. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: auth.c =================================================================== RCS file: /cvs/openssh/auth.c,v retrieving revision 1.58 diff -u -r1.58 auth.c --- auth.c 21 Sep 2002 15:26:53 -0000 1.58 +++ auth.c 13 Oct 2002 06:28:23 -0000 @@ -202,7 +202,13 @@ } #ifdef WITH_AIXAUTHENTICATE - if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { + /* + * Don't check loginrestrictions() for root account (use + * PermitRootLogin to control logins via ssh), or if running as + * non-root user (since loginrestrictions will always fail). + */ + if ( (pw->pw_uid != 0) && (geteuid() == 0) && + loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { if (loginmsg && *loginmsg) { /* Remove embedded newlines (if any) */ char *p; From dtucker at zip.com.au Sun Oct 13 21:37:18 2002 
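Review bot: the new `(geteuid() == 0)` guard skips loginrestrictions() silently when sshd is not running as root, so a non-root sshd drops AIX's account restrictions (locked accounts, login-time limits) with nothing in the log to show that the check was bypassed rather than passed; add a debug() in that case, e.g. `debug("loginrestrictions check skipped for %s: sshd not running as root", pw->pw_name)`, so an operator can tell the two apart. Minor: the extra space in `if ( (pw->pw_uid` does not match the surrounding style.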
From: dtucker at zip.com.au (Darren Tucker) Date: Sun, 13 Oct 2002 21:37:18 +1000 Subject: [PATCH] AIX password expiration Message-ID: <3DA95AEE.FA1FB622@zip.com.au> Hi All. With one eye on the do_pam_chauthtok() stuff I've merged contributions by Pablo Sor and Mark Pitt into a patch against -current. I'm interested in testers and suggestions for improvements. The patch extends the loginrestrictions test to include expired accounts (but unlike Mark's patch, doesn't log accounts with expired passwords unless they're locked) and adds PAM-like password expiry and forced change (based on Pablo's patch). Tested on AIX 4.3.3 with and without privsep, including regression tests. -Daz. Threads: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=99962930031063 http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100497021226430 Examples: $ ssh -l testuser locahost testuser at localhost's password: Your password will expire: Sun Oct 20 20:14:49 2002 [snip] $ ssh -l testuser localhost testuser at dlocalhost's password: You are required to change your password. Please choose a new one. Changing password for "testuser" testuser's Old password: testuser's New password: Enter the new password again: [snip] -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: auth.c =================================================================== RCS file: /cvs/openssh/auth.c,v retrieving revision 1.58 diff -u -r1.58 auth.c --- auth.c 21 Sep 2002 15:26:53 -0000 1.58 +++ auth.c 13 Oct 2002 11:06:27 -0000 
@@ -59,6 +59,12 @@ Buffer auth_debug; int auth_debug_init; +#ifdef WITH_AIXAUTHENTICATE +void aix_remove_embedded_newlines(char *); +extern char *aixexpiremsg; +extern int aix_password_change_required; +#endif + /* * Check if the user is allowed to log in via ssh. If user is listed * in DenyUsers or one of user's groups is listed in DenyGroups, false 
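Review bot: the prototype for aix_remove_embedded_newlines() and the two externs in this hunk are hand-declared at the top of auth.c, and the session.c hunk later in this patch declares is_aix_password_change_required() and do_aix_change_password() the same way, so the new port-aix.c interface ends up declared piecemeal in two callers. Put all of them in one header under openbsd-compat/ that auth.c and session.c both include, so a later signature change cannot leave one caller compiling against a stale declaration.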
@@ -202,19 +208,39 @@ } #ifdef WITH_AIXAUTHENTICATE - if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { - if (loginmsg && *loginmsg) { - /* Remove embedded newlines (if any) */ - char *p; - for (p = loginmsg; *p; p++) { - if (*p == '\n') - *p = ' '; + /* + * Don't check loginrestrictions or expiry for root account (use + * PermitRootLogin to control logins via ssh), or if running as + * non-root user (since loginrestrictions will always fail). + */ + if ( (pw->pw_uid != 0) && (geteuid() == 0) ) { + int passexpcode; + + /* check for AIX account restrictions */ + if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { + if (loginmsg && *loginmsg) { + aix_remove_embedded_newlines(loginmsg); + log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); } - /* Remove trailing newline */ - *--p = '\0'; - log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); + return 0; } - return 0; + + /* check for AIX expired account */ + passexpcode = passwdexpired(pw->pw_name, &aixexpiremsg); + if ( passexpcode > 0 ) { + if (aixexpiremsg && *aixexpiremsg) { + aix_remove_embedded_newlines(aixexpiremsg); + + if ( passexpcode == 1 ) { + aix_password_change_required = 1; + } else { + /* expired too long, account locked */ + log("Password expired too long or system failure %s: %.100s", + pw->pw_name, aixexpiremsg); + return 0; + } + } + } } #endif /* WITH_AIXAUTHENTICATE */ Index: session.c =================================================================== RCS file: /cvs/openssh/session.c,v retrieving revision 1.222 diff -u -r1.222 session.c --- session.c 26 Sep 2002 00:38:50 -0000 1.222 +++ session.c 13 Oct 2002 11:06:28 -0000 @@ -104,7 +104,10 @@ Session sessions[MAX_SESSIONS]; #ifdef WITH_AIXAUTHENTICATE +int is_aix_password_change_required(void); +void do_aix_change_password(struct passwd *); char *aixloginmsg; +char *aixexpiremsg; #endif /* WITH_AIXAUTHENTICATE */ #ifdef HAVE_LOGIN_CAP 
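Review bot: in the passwdexpired() branch of the auth.c hunk the lock case only denies when a message came back: `if (aixexpiremsg && *aixexpiremsg)` wraps both the `passexpcode == 1` arm and the `else ... return 0` arm, so a code of 2 or more with an empty message falls through and the login is allowed. Move the message test inside the arms (strip newlines and include the text in the log line only when there is text) and make the `return 0` for `passexpcode > 1` unconditional. A negative return from passwdexpired() is not handled at all, which sits oddly with the log text "Password expired too long or system failure": that line is only reached for a positive code, so either treat `passexpcode < 0` as a failure (deny, or at least log it) or drop "system failure" from the message.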
@@ -461,6 +464,12 @@ "TTY available"); #endif /* USE_PAM */ +#ifdef WITH_AIXAUTHENTICATE + if (is_aix_password_change_required()) + packet_disconnect("Password change required but no " + "TTY available"); +#endif /* WITH_AIXAUTHENTICATE */ + /* Fork the child. */ if ((pid = fork()) == 0) { fatal_remove_all_cleanups(); @@ -757,6 +766,13 @@ } #endif +#ifdef WITH_AIXAUTHENTICATE + if (is_aix_password_change_required()) { + printf("%s\n", aixexpiremsg); + do_aix_change_password(pw); + } +#endif + if (check_quietlogin(s, command)) return; @@ -764,7 +780,10 @@ if (!is_pam_password_change_required()) print_pam_messages(); #endif /* USE_PAM */ + #ifdef WITH_AIXAUTHENTICATE + if (!is_aix_password_change_required() && aixexpiremsg && *aixexpiremsg) + printf("%s\n", aixexpiremsg); if (aixloginmsg && *aixloginmsg) printf("%s\n", aixloginmsg); #endif /* WITH_AIXAUTHENTICATE */ Index: openbsd-compat/port-aix.c =================================================================== RCS file: /cvs/openssh/openbsd-compat/port-aix.c,v retrieving revision 1.6 diff -u -r1.6 port-aix.c --- openbsd-compat/port-aix.c 7 Jul 2002 02:17:36 -0000 1.6 +++ openbsd-compat/port-aix.c 13 Oct 2002 11:06:28 -0000 @@ -27,6 +27,11 @@ #ifdef _AIX +#ifdef WITH_AIXAUTHENTICATE +#include "misc.h" +int aix_password_change_required=0; +#endif /* WITH_AIX_AUTHENTICATE */ + #include #include <../xmalloc.h> 
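Review bot: the closing comment `#endif /* WITH_AIX_AUTHENTICATE */` in the port-aix.c hunk does not match its `#ifdef WITH_AIXAUTHENTICATE` (extra underscore); fix the comment so the pair can be found by grep. In the second session.c hunk (`@@ -757,6 +766,13 @@`) the expiry message and the forced change run before check_quietlogin(), which is the right order (a hushlogin should not suppress a forced password change), but it differs from print_pam_messages(), which the next hunk shows after check_quietlogin(); a one-line comment saying the placement is deliberate would stop someone "fixing" it later.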
@@ -52,5 +57,53 @@ xfree(cp); } -#endif /* _AIX */ +#ifdef WITH_AIXAUTHENTICATE +/* Remove embedded newlines (if any) */ +void +aix_remove_embedded_newlines(char *p) +{ + for (; *p; p++) { + if (*p == '\n') + *p = ' '; + } + /* Remove trailing newline */ + *--p = '\0'; +} + +int +is_aix_password_change_required(void) +{ + return aix_password_change_required; +} + +void +do_aix_change_password(struct passwd *pw) +{ + pid_t pid; + int status; + mysig_t old_signal; + + old_signal = mysignal(SIGCHLD, SIG_DFL); + + if ((pid = fork()) == -1) + fatal("Couldn't fork: %s", strerror(errno)); + + if (pid == 0) { + setuid(pw->pw_uid); + execl("/usr/bin/passwd","passwd",pw->pw_name, + (char *)NULL); + } + + if (waitpid(pid, &status, 0) == -1) + fatal("Couldn't wait for child: %s", strerror(errno)); + /* Passwd exited abnormally */ + + if (WEXITSTATUS(status)) + exit(1); + + mysignal(SIGCHLD, old_signal); +} +#endif /* WITH_AIXAUTHENTICATE */ + +#endif /* _AIX */ From djm at mindrot.org Mon Oct 14 10:15:07 2002 From: djm at mindrot.org (Damien Miller) Date: 14 Oct 2002 10:15:07 +1000 Subject: AIX remote root logins In-Reply-To: References: Message-ID: <1034554508.1083.9.camel@xenon> On Sun, 2002-10-13 at 14:03, Ben Lindstrom wrote: > This kinda touches on another question that was brough up for AIX and a > few other platforms. Is is valid to allow sshd to run as a non-root > user? Yes - this can be done. It is quite useful for regress tests: ssh -o ProxyCommand="sshd -i" blah This doesn't work for PAM enabled builds. -d From dtucker at zip.com.au Mon Oct 14 21:26:04 2002 
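Review bot: do_aix_change_password() in the port-aix.c hunk needs four fixes before it is safe to ship. The return value of `setuid(pw->pw_uid)` is unchecked, so if it fails the child goes on to execl /usr/bin/passwd with sshd's uid; test it and `_exit(1)` on failure. Nothing follows the execl() in the child, so a failed exec lets the child fall into the parent's code path (waitpid on itself, then exit) instead of `_exit(1)`. Only the uid is changed, with no setgid()/initgroups(), so passwd runs with sshd's group list; use the same privilege-drop sequence the rest of session setup uses. And `WEXITSTATUS(status)` is only meaningful when WIFEXITED(status) is true, so a passwd killed by a signal counts as success; check `!WIFEXITED(status) || WEXITSTATUS(status) != 0`. Separately, aix_remove_embedded_newlines() always does `*--p = '\0'`, which drops the last character whether or not it was a newline (the loop has already turned a trailing '\n' into ' ') and writes before the buffer on an empty string; strip only when the final character was a newline and guard the empty case, since the function is now called from more than one place.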
From: dtucker at zip.com.au (Darren Tucker) Date: Mon, 14 Oct 2002 21:26:04 +1000 Subject: Why openssh newer than 2.9.9 doesn't send SIGTERM and SIGHUP to child process? References: <20021011110849.GC4673@faui02> Message-ID: <3DAAA9CC.B28C2F61@zip.com.au> Markus Friedl wrote: [about sending HUP to sshd's child process] I've found that using connect rather than nc solves my problem (connect shuts down cleanly when stdin closes), but I'm still trying to understand the reasoning here, so please bear with me. > because it was wrong (telnetd, rlogind don't do it) telnetd and rlogind assign a pty. rshd doesn't and has the same problem as sshd w/o a pty. > and dangerous (sending signals as root to other processes). Is your objection because the pid may have been reused by an unrelated process or something else? > the login shells should die if their stdin/out is closed. In my case it isn't a login shell, it's a sh -c and on Solaris, at least, /bin/sh doesn't die. If the shell is bash, it execs the command and no longer even exists. > did you check the cvs log for this change? revision 1.153 date: 2001/10/12 01:35:06; author: djm; state: Exp; lines: +11 -18 - (djm) OpenBSD CVS Sync - markus at cvs.openbsd.org 2001/10/10 22:18:47 [channels.c channels.h clientloop.c nchan.c serverloop.c] [session.c session.h] try to keep channels open until an exit-status message is sent. don't kill the login shells if the shells stdin/out/err is closed. this should now work: ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From adulau at foo.be Mon Oct 14 21:42:59 2002 
From: adulau at foo.be (Alexandre Dulaunoy) Date: Mon, 14 Oct 2002 13:42:59 +0200 (CEST) Subject: OpenPGP key as authentication Message-ID: Dear all, I was wondering if there is any plan to add authentication with OpenPGP key in addition to the DSA/RSA authentication. In the ssh.com version, you got something like that (I don't really remember the correct directive): PgpSecreKeyfile, PgpKeyID and so on. Is it a planned feature? Thanks. adulau -- Alexandre Dulaunoy -- http://www.foo.be/ 3B12 DCC2 82FA 2931 2F5B 709A 09E2 CD49 44E6 CBCD --- AD993-6BONE "People who fight may lose. People who do not fight have already lost." Bertolt Brecht From markus at openbsd.org Tue Oct 15 01:40:52 2002 From: markus at openbsd.org (Markus Friedl) Date: Mon, 14 Oct 2002 17:40:52 +0200 Subject: OpenPGP key as authentication In-Reply-To: References: Message-ID: <20021014154052.GA8769@folly> On Mon, Oct 14, 2002 at 01:42:59PM +0200, Alexandre Dulaunoy wrote: > I was wondering if there is any plan to add authentication with > OpenPGP key in addition to the DSA/RSA authentication. i've seen this link http://www.red-bean.com/~nemo/openssh-gpg/ but i have not checked the code. From dan at doxpara.com Tue Oct 15 02:26:06 2002
From: dan at doxpara.com (Dan Kaminsky) Date: Mon, 14 Oct 2002 09:26:06 -0700 Subject: AIX remote root logins References: Message-ID: <3DAAF01E.3000709@doxpara.com> > > >This kinda touches on another question that was brought up for AIX and a >few other platforms. Is it valid to allow sshd to run as a non-root >user? > > It is massively valid to allow sshd to run as nonroot. The truly paranoid jailed service never, ever touches root -- not even when one starts to administer it. There's all sorts of interesting uses of non-root sshd -- please don't suppress them. [warning to oldtimers: su rant returns!] As for remote root logins -- you absolutely don't want them through telnet, but you absolutely *do* want them through ssh. As I've been mentioning for a while, su is terribly insecure, as you're trusting a user shell to, well, actually execute su instead of sniff the root password and save it off to some dot file. su is mainly nice for accounting who went to root; if I remember right, the following command was actually a safe way to transit straight from root-controlled sshd to su for root password entry: ssh user at host -t "/bin/su -l root" There may be issues with quirky environment files and maybe .sshrc, though. I had a patch wayyy back in the day to allow ssh user+root at host to do an ssh-driven su completely outside of user code; I have no idea where that code went though...i'll find it someday. --Dan From Eric.Ladner at ChevronTexaco.com Tue Oct 15 05:25:22 2002 From: Eric.Ladner at ChevronTexaco.com (Ladner, Eric (Eric.Ladner)) Date: Mon, 14 Oct 2002 14:25:22 -0500 Subject: scp Message-ID: <53D65D67C6AA694284F7584E25ADD354333491@nor935nte2k1.nor935.chevrontexaco.net> Or to copy sym links as sym links and not the file they point to. -----Original Message-----
From: Douglas Boldt [mailto:doug at endai.com] Sent: Saturday, October 12, 2002 3:52 PM To: openssh-unix-dev at mindrot.org Subject: scp I would absolutely love a flag in scp to ignore sym-links. Douglas Boldt Endai WorldWide, NYC Technical Operations Manager 212-430-0808 x118 _______________________________________________ openssh-unix-dev at mindrot.org mailing list http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From jmknoble at pobox.com Tue Oct 15 06:25:47 2002 From: jmknoble at pobox.com (Jim Knoble) Date: Mon, 14 Oct 2002 16:25:47 -0400 Subject: scp In-Reply-To: <53D65D67C6AA694284F7584E25ADD354333491@nor935nte2k1.nor935.chevrontexaco.net>; from Eric.Ladner@ChevronTexaco.com on Mon, Oct 14, 2002 at 02:25:22PM -0500 References: <53D65D67C6AA694284F7584E25ADD354333491@nor935nte2k1.nor935.chevrontexaco.net> Message-ID: <20021014162547.D1274@zax.half.pint-stowp.cx> Circa 2002-10-14 14:25:22 -0500 dixit Ladner, Eric (Eric.Ladner): : Or to copy sym links as sym links and not the file they point to. You must mean rsync ( http://rsync.samba.org/ ). 'rsync -l' copies symlinks as symlinks, while 'rsync -a' copies device files, owners, permissions, and datestamps in addition. : -----Original Message----- : 
From: Douglas Boldt [mailto:doug at endai.com] : Sent: Saturday, October 12, 2002 3:52 PM : To: openssh-unix-dev at mindrot.org : Subject: scp : : I would absolutely love a flag in scp to ignore sym-links. Douglas, you'll probably get more mileage out of rsync than scp for doing this. If you merely don't want to copy symlinks because they take too much time to copy, then 'rsync -a' will handle that automatically; it doesn't copy something it doesn't have to. If, instead, you wish to exclude symlinks that point outside of the directory tree you're copying, use rsync's '--safe-links' option. If you really don't want to copy any symlinks, you'll need to wrap some scripting around 'find -type l' together with 'rsync -a --exclude-from='. Good luck to both of you. -- jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/ (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491) "I am non-refutable." --Enik the Altrusian -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 262 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20021014/4a4b8948/attachment.bin From P.C.M.Chiu at rl.ac.uk Tue Oct 15 20:26:26 2002 
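The find/rsync wrapper Jim describes, written out as an added example (not code from the thread): symlink_exclude_list turns every symlink under a source tree into an anchored rsync exclude pattern, and sync_without_symlinks feeds that list to rsync -a. The function names and the escaping of rsync wildcard characters are my additions; paths are assumed to contain no newlines.

```shell
#!/bin/sh
# Copy a tree with rsync -a while leaving every symlink behind, by building
# an --exclude-from list from "find -type l".  Added example, not from the
# thread; function names are assumptions.

# Print one anchored rsync exclude pattern per symlink found under $1.
# find's "./x/y" becomes "/x/y": the leading "/" anchors the pattern to the
# transfer root, so "/bin" excludes only the top-level link named bin and
# not every "bin" anywhere in the tree.  rsync treats * ? [ ] as wildcards,
# so those characters are backslash-escaped to match the name literally.
symlink_exclude_list() {
    src=$1
    ( cd "$src" && find . -type l -print ) |
        sed -e 's/^\.//' -e 's/[][*?]/\\&/g'
}

# Copy $1 to $2 with rsync -a, skipping every symlink found in $1
# (rsync -a alone would recreate the links as links, rsync -L would copy
# their targets; neither is what "ignore sym-links" asks for).
sync_without_symlinks() {
    src=$1
    dest=$2
    list=$(mktemp) || return 1
    symlink_exclude_list "$src" > "$list"
    rsync -a --exclude-from="$list" "$src/" "$dest/"
    status=$?
    rm -f "$list"
    return $status
}
```

Run the list function on its own first (`symlink_exclude_list /srv/tree`) to see exactly what will be skipped before letting rsync loose.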
From: P.C.M.Chiu at rl.ac.uk (Chiu, PCM (Peter) ) Date: Tue, 15 Oct 2002 11:26:26 +0100 Subject: 3.4p1 Error on Tru64 Unix - cannot set login uid Message-ID: <49F73BEED865D3119F8700902773C9F901489068@exchange09.rl.ac.uk> Hi, I have recently loaded Openssh 3.4p1 on a Tru64 Unix 5.1A system. I followed the installation instructions described in INSTALL, essentially using all default settings, and it went through without any obvious errors. I can then use the root account to initiate outbound and inbound ssh calls, and can log on without any problems. The trouble is that when I try to use ssh to log in (from a remote host or locally as a loopback test) using an account other than root, then I will get: ssh -l user localhost user at localhost's password: xxxxxxx Connection to localhost closed by remote host. Conneciton to localhost closed. In the auth.log under /var/adm/syslog.date/current, I found the cannot set login uid errors - details attached below. I also tried turning on the debugging mode to compare the two, but failed to spot anything obvious there either. I checked the mails in the mailing list from the past three months, and don't think it has been mentioned or reported. Any idea what went wrong? Regards, Peter PS. /dev/pts/1 has a protection: 0 crw--w---- 2 root terminal 6, 1 Oct 15 11:13 /dev/pts/1 ============================================================================ ===== Oct 15 09:50:29 hail sshd[198695]: Accepted password for root from ::ffff:10.nnn.nnn.128 port 2162 ssh2 Oct 15 09:50:29 hail sshd[198691]: ROOT login on /dev/pts/1 Oct 15 09:58:23 hail sshd[198776]: Accepted password for pcmc from ::ffff:10.nnn.nnn.132 port 2519 ssh2 Oct 15 09:58:23 hail sshd[198785]: subsystem request for sftp Oct 15 09:58:23 hail sshd[198782]: cannot set login uid 25010: error Not owner.
Oct 15 09:58:23 hail sshd[198782]: audgen(LOGIN): Permission denied Oct 15 09:58:23 hail sshd[198782]: fatal: Couldn't establish session for pcmc from hail.xxxx.xx.xx.uk Oct 15 09:59:21 hail sshd[198793]: Accepted password for pcmc from ::ffff:10.nnn.nnn.132 port 2520 ssh2 Oct 15 09:59:21 hail sshd[198794]: cannot set login uid 25010: error Not owner. Oct 15 09:59:21 hail sshd[198794]: audgen(LOGIN): Permission denied Oct 15 09:59:21 hail sshd[198794]: fatal: Couldn't establish session for pcmc from hail.xxxx.xx.xx.uk Oct 15 09:59:21 hail sshd[198793]: error: chown /dev/pts/1 0 0 failed: Bad file number Oct 15 09:59:21 hail sshd[198793]: error: chmod /dev/pts/1 0666 failed: Bad file number Oct 15 10:07:20 hail sshd[198842]: Accepted password for pcmc from ::ffff:10.nnn.nnn.132 port 2524 ssh2 Oct 15 10:07:20 hail sshd[198847]: cannot set login uid 25010: error Not owner. Oct 15 10:07:20 hail sshd[198847]: audgen(LOGIN): Permission denied Oct 15 10:07:20 hail sshd[198847]: fatal: Couldn't establish session for pcmc from hail.xxxx.xx.xx.uk Oct 15 10:10:52 hail sshd[198870]: Accepted password for pcmc from ::ffff:10.nnn.nnn.132 port 2527 ssh2 Oct 15 10:10:52 hail sshd[198875]: cannot set login uid 25010: error Not owner. Oct 15 10:10:52 hail sshd[198875]: audgen(LOGIN): Permission denied Oct 15 10:10:52 hail sshd[198875]: fatal: Couldn't establish session for pcmc from hail.xxxx.xx.xx.uk Oct 15 10:14:28 hail sshd[23967]: Received SIGHUP; restarting. From P.C.M.Chiu at rl.ac.uk Tue Oct 15 21:44:13 2002 
From: P.C.M.Chiu at rl.ac.uk (Chiu, PCM (Peter) ) Date: Tue, 15 Oct 2002 12:44:13 +0100 Subject: 3.4p1 Error on Tru64 Unix - cannot set login uid Message-ID: <49F73BEED865D3119F8700902773C9F901489069@exchange09.rl.ac.uk> Further input to this. By explicitly setting UsePrivilegeSeparation no (default is #UsePrivilegeSeparation yes, assuming no as well), I can now log on using ordinary user accounts. In a way, I have managed to get round this problem, although I am not sure if this means I am not running ssh-server in a more secure way. Peter From paul at csumb.edu Wed Oct 16 04:16:33 2002
From: paul at csumb.edu (Paul Swinderman) Date: Tue, 15 Oct 2002 11:16:33 -0700 Subject: ssh output Message-ID: Both systems are running RH 7.3 with a compiled copy of 3.4p1 with pam support enabled via configure root at vlan root]# ssh -v -v -v root at 207.62.147.3 OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f debug1: Reading configuration data /usr/local/etc/ssh_config debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: needpriv 0 debug1: Connecting to 207.62.147.3 [207.62.147.3] port 22. debug1: Connection established. debug1: identity file /root/.ssh/identity type -1 debug1: identity file /root/.ssh/id_rsa type -1 debug3: Not a RSA1 key file /root/.ssh/id_dsa. debug2: key_type_from_name: unknown key type '-----BEGIN' debug3: key_read: no key found debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug2: key_type_from_name: unknown key type '-----END' debug3: key_read: no key found debug1: identity file /root/.ssh/id_dsa type 2 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1 debug1: match: OpenSSH_3.4p1 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.4p1 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at 
openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 111/256 debug1: bits set: 1642/3191 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts debug3: check_host_in_hostfile: match line 6 debug1: Host '207.62.147.3' is known and matches the RSA host key. 
debug1: Found key in /root/.ssh/known_hosts:6 debug1: bits set: 1605/3191 debug1: ssh_rsa_verify: signature correct debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. debug1: send SSH2_MSG_SERVICE_REQUEST debug1: service_accept: ssh-userauth debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: authentications that can continue: publickey,password,keyboard-interactive debug3: start over, passed a different list publickey,password,keyboard-interactive debug3: preferred publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: next auth method to try is publickey debug1: try privkey: /root/.ssh/identity debug3: no such identity: /root/.ssh/identity debug1: try privkey: /root/.ssh/id_rsa debug3: no such identity: /root/.ssh/id_rsa debug1: try pubkey: /root/.ssh/id_dsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply Connection closed by 207.62.147.3 debug1: Calling cleanup 0x8062930(0x0) Output from ssh server [root at reznet2 root]# sshd -d -d -d debug1: sshd version OpenSSH_3.4p1 debug1: private host key: #0 type 0 RSA1 debug3: Not a RSA1 key file /usr/local/etc/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug3: Not a RSA1 key file /usr/local/etc/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA socket: Address family not supported by protocol debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. Generating 768 bit RSA key. RSA key generation complete. debug1: Server will not fork when running in debugging mode. 
Connection from 198.189.237.6 port 59658 debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1 debug1: match: OpenSSH_3.4p1 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_3.4p1 debug2: Network child is on pid 7735 debug3: preauth child monitor started debug3: mm_request_receive entering debug3: privsep user:group 503:503 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: 
kex_parse_kexinit: none debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug3: mm_request_send entering: type 0 debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI debug3: mm_request_receive_expect entering: type 1 debug3: mm_request_receive entering debug3: monitor_read: checking request 0 debug3: mm_answer_moduli: got parameters: 1024 2048 8192 debug3: mm_request_send entering: type 1 debug2: monitor_read: 0 used once, disabling now debug3: mm_request_receive entering debug3: mm_choose_dh: remaining 0 debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug1: dh_gen_key: priv key bits set: 117/256 debug1: bits set: 1599/3191 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug1: bits set: 1570/3191 debug3: mm_key_sign entering debug3: mm_request_send entering: type 4 debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN debug3: mm_request_receive_expect entering: type 5 debug3: mm_request_receive entering debug3: monitor_read: checking request 4 debug3: mm_answer_sign debug3: mm_answer_sign: signature 0x8091c48(143) debug3: mm_request_send entering: type 5 debug2: monitor_read: 4 used once, disabling now debug3: mm_request_receive entering debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user root service ssh-connection method none debug1: attempt 0 failures 0 debug3: mm_getpwnamallow entering debug3: mm_request_send entering: type 6 debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM debug3: mm_request_receive_expect entering: type 7 
debug3: mm_request_receive entering debug3: monitor_read: checking request 6 debug3: mm_answer_pwnamallow debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 debug3: mm_request_send entering: type 7 debug2: monitor_read: 6 used once, disabling now debug3: mm_request_receive entering debug2: input_userauth_request: setting up authctxt for root debug3: mm_start_pam entering debug3: mm_request_send entering: type 37 debug3: monitor_read: checking request 37 debug1: Starting up PAM with username "root" debug3: Trying to reverse map address 198.189.237.6. debug3: mm_inform_authserv entering debug3: mm_request_send entering: type 3 debug2: input_userauth_request: try method none debug3: mm_auth_password entering debug3: mm_request_send entering: type 10 debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD debug3: mm_request_receive_expect entering: type 11 debug3: mm_request_receive entering debug1: PAM setting rhost to "mb237-6.csumb.edu" debug2: monitor_read: 37 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 3 debug3: mm_answer_authserv: service=ssh-connection, style= debug2: monitor_read: 3 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 10 debug3: mm_answer_authpassword: sending result 0 debug3: mm_request_send entering: type 11 Failed none for root from 198.189.237.6 port 59658 ssh2 debug3: mm_request_receive entering debug3: mm_auth_password: user not authenticated Failed none for root from 198.189.237.6 port 59658 ssh2 debug1: userauth-request for user root service ssh-connection method publickey debug1: attempt 1 failures 1 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug3: mm_key_allowed entering debug3: mm_request_send entering: type 20 debug3: monitor_read: checking request 20 debug3: mm_answer_keyallowed entering debug3: mm_answer_keyallowed: key_from_blob: 0x809ae28 debug1: 
temporarily_use_uid: 0/0 (e=0) debug1: trying public key file /root/.ssh/authorized_keys debug3: secure_filename: checking '/root/.ssh' debug3: secure_filename: checking '/root' debug3: secure_filename: terminating check at '/root' debug2: key_type_from_name: unknown key type '-----BEGIN' debug3: key_read: no key found debug2: user_key_allowed: check options: '-----BEGIN RSA PRIVATE KEY----- ' debug2: key_type_from_name: unknown key type 'RSA' debug3: key_read: no key found debug2: user_key_allowed: advance: 'RSA PRIVATE KEY----- ' debug3: key_read: no space [snip] debug2: key_type_from_name: unknown key type '-----END' debug3: key_read: no key found debug2: user_key_allowed: check options: '-----END RSA PRIVATE KEY----- ' debug2: key_type_from_name: unknown key type 'RSA' debug3: key_read: no key found debug2: user_key_allowed: advance: 'RSA PRIVATE KEY----- ' debug1: restore_uid debug2: key not found debug1: temporarily_use_uid: 0/0 (e=0) debug1: trying public key file /root/.ssh/authorized_keys2 debug3: secure_filename: checking '/root/.ssh' debug3: secure_filename: checking '/root' debug3: secure_filename: terminating check at '/root' buffer_get: trying to get more bytes 129 than in buffer 39 debug1: Calling cleanup 0x805238c(0x0) debug1: Calling cleanup 0x806a744(0x0) debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED debug3: mm_request_receive_expect entering: type 21 debug3: mm_request_receive entering
debug1: Calling cleanup 0x806a744(0x0) From Markus_Friedl at genua.de Wed Oct 16 04:58:19 2002 
From: Markus_Friedl at genua.de (Markus Friedl)
Date: Tue, 15 Oct 2002 20:58:19 +0200
Subject: OpenSSH 3.5 released
Message-ID: <20021015185819.GA4054@skaidan>

OpenSSH 3.5 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued support and encouragement.

Changes since OpenSSH 3.4:
============================

* Improved support for Privilege Separation (Portability, Kerberos, PermitRootLogin handling).
* ssh(1) prints out all known host keys for a host if it receives an unknown host key of a different type.
* Fixed AES/Rijndael EVP integration for OpenSSL < 0.9.7 (caused problems with bounds checking patches for gcc).
* ssh-keysign(8) is disabled by default and only enabled if the HostbasedAuthentication option is enabled in the global ssh_config(5) file.
* ssh-keysign(8) uses RSA blinding in order to avoid timing attacks against the RSA host key.
* A use-after-free bug was fixed in ssh-keysign(8). This bug broke hostbased authentication on several platforms.
* ssh-agent(1) is now installed setgid in order to avoid ptrace(2) attacks.
* ssh-agent(1) now restricts the access with getpeereid(2) (or equivalent, where available).
* sshd(8) no longer uses the ASN.1 parsing code from libcrypto when verifying RSA signatures.
* sshd(8) now sets the SSH_CONNECTION environment variable.
* Enhanced "ls" support for the sftp(1) client, including globbing and detailed listings.
* ssh(1) now always falls back to uncompressed sessions, if the server does not support compression.
* The default behavior of sshd(8) with regard to user settable environ variables has changed: the new option PermitUserEnvironment is disabled by default, see sshd_config(5).
* The default value for LoginGraceTime has been changed from 600 to 120 seconds, see sshd_config(5).
* Removed erroneous SO_LINGER handling.

Checksums:
==========

- MD5 (openssh-3.5p1.tar.gz) = 42bd78508d208b55843c84dd54dea848
- MD5 (openssh-3.5.tgz) = 79fc225dbe0fe71ebb6910f449101d23

Reporting Bugs:
===============

- please read http://www.openssh.com/report.html and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller and Ben Lindstrom.

From mouring at etoh.eviladmin.org Wed Oct 16 05:10:38 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 15 Oct 2002 14:10:38 -0500 (CDT)
Subject: ssh output
In-Reply-To:
Message-ID:

[..]
> debug1: attempt 1 failures 1
> debug2: input_userauth_request: try method publickey
> debug1: test whether pkalg/pkblob are acceptable
> debug3: mm_key_allowed entering
> debug3: mm_request_send entering: type 20
> debug3: monitor_read: checking request 20
> debug3: mm_answer_keyallowed entering
> debug3: mm_answer_keyallowed: key_from_blob: 0x809ae28
> debug1: temporarily_use_uid: 0/0 (e=0)
> debug1: trying public key file /root/.ssh/authorized_keys
> debug3: secure_filename: checking '/root/.ssh'
> debug3: secure_filename: checking '/root'
> debug3: secure_filename: terminating check at '/root'
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug3: key_read: no key found
> debug2: user_key_allowed: check options: '-----BEGIN RSA PRIVATE KEY-----
> '
> debug2: key_type_from_name: unknown key type 'RSA'
> debug3: key_read: no key found
> debug2: user_key_allowed: advance: 'RSA PRIVATE KEY-----
> '

Umm.. I think you put your private key in your .ssh/authorized_keys file.. you should have put the *.pub key.

But I have to say that is an odd error message. =)

- Ben

From bugzilla-daemon at mindrot.org Wed Oct 16 06:27:41 2002
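Ben's diagnosis above (a PEM private key pasted into authorized_keys, which sshd reports as "key_read: no key found" and "key_read: no space") can be caught before the file is ever installed. The checker below is an added example, not code from this thread or from OpenSSH; it mirrors sshd's line format (optional options field, key type, base64 blob, comment) and verifies that the blob really encodes the named key type. The key types, the sample file and the key blob in it are constructed for the example.

```python
"""Flag authorized_keys lines that sshd would never accept, such as private-key material."""
import base64
import binascii
import re
import struct

# Protocol 2 key types sshd accepted in the OpenSSH 3.x era; extend for modern types.
KEY_TYPES = ("ssh-rsa", "ssh-dss")
PEM_HEADER = re.compile(r"^-----(BEGIN|END) [A-Z0-9 ]*PRIVATE KEY-----$")
BASE64_ONLY = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def split_options(line):
    """Return (options, rest): the options field ends at the first space that is
    outside double quotes (backslash escapes a quote), as in sshd's auth-options parser."""
    quoted, i = False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and quoted:
            i += 1                      # skip the escaped character
        elif ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            return line[:i], line[i + 1:].lstrip()
        i += 1
    return line, ""


def blob_key_type(b64):
    """Decode the base64 blob and return the key type string embedded in it
    (SSH wire format: uint32 length + name), or None if the blob is malformed."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 4:
        return None
    (n,) = struct.unpack(">I", raw[:4])
    if n == 0 or len(raw) < 4 + n:
        return None
    return raw[4:4 + n].decode("ascii", "replace")


def classify_line(line):
    """Classify one authorized_keys line as skip / ok / private-key / invalid."""
    s = line.rstrip("\n").strip()
    if not s or s.startswith("#"):
        return "skip", "blank or comment"
    if PEM_HEADER.match(s):
        return "private-key", "PEM private-key header: install the .pub file, not the private key"
    fields = s.split(None, 1)
    if len(fields) == 1:
        # Exactly the shape sshd logs as "key_read: no space": one token, no key
        # type and no comment, which is what each line of a pasted PEM body looks like.
        if BASE64_ONLY.match(fields[0]):
            return "private-key", "bare base64 line with no key type; looks like a PEM body"
        return "invalid", "single token, no key type"
    options, rest = ("", s) if fields[0] in KEY_TYPES else split_options(s)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return "invalid", "unknown key type %r" % (parts[0] if parts else "")
    ktype, b64 = parts[0], parts[1]
    if blob_key_type(b64) != ktype:
        return "invalid", "blob does not decode to a %s public key" % ktype
    comment = parts[2] if len(parts) == 3 else ""
    return "ok", "%s key, options=%r, comment=%r" % (ktype, options, comment)


def check_authorized_keys(text):
    """Return [(line_number, status, detail), ...] for every line of the file."""
    return [(n,) + classify_line(l) for n, l in enumerate(text.splitlines(), 1)]


def _wire(b):
    return struct.pack(">I", len(b)) + b


# Constructed blob, not a real key: correct wire framing around a dummy exponent and modulus.
SAMPLE_BLOB = base64.b64encode(
    _wire(b"ssh-rsa") + _wire(b"\x01\x00\x01") + _wire(b"\x00" + b"\x5a" * 32)).decode()

# Constructed sample file: two good lines, a pasted private key, and a corrupt blob.
SAMPLE_FILE = "\n".join([
    "# constructed sample authorized_keys",
    "ssh-rsa %s alice@example" % SAMPLE_BLOB,
    'from="10.0.0.0/8,!10.0.0.5",no-pty ssh-rsa %s backup job' % SAMPLE_BLOB,
    "-----BEGIN RSA PRIVATE KEY-----",
    "MIICWgIBAAKBgQDconstructedNotARealKey0000000000000000000000000000",
    "-----END RSA PRIVATE KEY-----",
    "ssh-rsa notbase64!! bad",
])

if __name__ == "__main__":
    for lineno, status, detail in check_authorized_keys(SAMPLE_FILE):
        print("%2d %-12s %s" % (lineno, status, detail))
```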
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 16 Oct 2002 06:27:41 +1000 (EST)
Subject: [Bug 414] New: sshd initially ignores -e (log_stderr) if -i (inetd_flag) is given
Message-ID: <20021015202741.29B093D16D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=414

           Summary: sshd initially ignores -e (log_stderr) if -i (inetd_flag) is given
           Product: Portable OpenSSH
           Version: -current
          Platform: All
               URL: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102469253706346&w=2
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: prj at po.cwru.edu

I reported this bug (to openssh-unix-dev, sorry) on 2002-06-21. It's still unfixed in 3.5p1.

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102469253706346&w=2

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From smoogen at lanl.gov Wed Oct 16 08:57:34 2002
From: smoogen at lanl.gov (Stephen Smoogen)
Date: 15 Oct 2002 16:57:34 -0600
Subject: 3.4p1 Error on Tru64 Unix - cannot set login uid
In-Reply-To: <49F73BEED865D3119F8700902773C9F901489069@exchange09.rl.ac.uk>
References: <49F73BEED865D3119F8700902773C9F901489069@exchange09.rl.ac.uk>
Message-ID: <1034722654.20212.215.camel@smoogen1.lanl.gov>

The True64 port does not support Privilege Separation at ALL. This seems to be due to some of the complexities of True64's own security mechanisms. From the emails I have read, there is no fix for this for some time because of those limitations.

On Tue, 2002-10-15 at 05:44, Chiu, PCM (Peter) wrote:
> Further input to this.
>
> By explicitly setting UsePriviledgeSeparation no
> (default is #UsePrivilegeSeparate yes, assuming no as well),
> I can now log on using ordinary user accounts.
>
> In a way, I have managed to get round this problem, although
> I am not sure if this meant I am not running ssh-server in a more
> secure way.
>
> Peter
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
--
Stephen John Smoogen smoogen at lanl.gov
Los Alamos National Labrador CCN-2 B-Schedule PH: Ta-03 SM-261
MailStop P208 DP 17U Los Alamos, NM 87545

From mozilla at attbi.com Wed Oct 16 09:52:58 2002
From: mozilla at attbi.com (Donnie Cranford)
Date: Tue, 15 Oct 2002 18:52:58 -0500
Subject: AIX remote root logins
References: <3DA8A4D7.5070708@attbi.com> <1034477285.3755.4.camel@shuttle> <3DA8E8CD.B5C3FDA9@zip.com.au> <3DA8EBAE.2080303@attbi.com> <3DA8ED88.1D001538@zip.com.au>
Message-ID: <3DACAA5A.6000804@attbi.com>

With all this talk about how BADLY this is needed, is there a reason this didn't go into OpenSSH 3.5? If it's possible...since we are about to roll this out could we get something that includes this patch? Maybe an early release of 3.6 or a 3.5.1 to include the AIX root login support??

Please...Pretty Please

Thanks

Donnie Cranford
Sr. Unix Systems Admin
ING Americas

Darren Tucker wrote:
>Donnie Cranford wrote:
>
>>Isn't this patch included in the current 3.5p1 cvs??
>>
>
>No, as far as I know the patch is in bugzilla only.
>
>The patch has:
> if ((pw->pw_uid != 0) && (loginrestrictions(pw->pw_name,...
>
>CVS has:
> if (loginrestrictions(pw->pw_name,...
>

From bugzilla-daemon at mindrot.org Wed Oct 16 10:14:25 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 16 Oct 2002 10:14:25 +1000 (EST)
Subject: [Bug 301] In openssh 3.3 and 3.4 pam session seems be called from non-root
Message-ID: <20021016001425.BB4E63D175@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=301

------- Additional Comments From misiek at pld.org.pl 2002-10-16 10:14 -------
Of course this bug is not fixed even in latest 3.5 release :-(

PAM really _needs_ root privileges. Any comments?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From mouring at etoh.eviladmin.org Wed Oct 16 10:05:57 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 15 Oct 2002 19:05:57 -0500 (CDT)
Subject: AIX remote root logins
In-Reply-To: <3DA92A82.895F7BF5@zip.com.au>
Message-ID:

Committed, Thanks.

As for the question about a new release. No. But I did commit it to the V4_5_0 branch along with the --head.

- Ben

On Sun, 13 Oct 2002, Darren Tucker wrote:
> Ben Lindstrom wrote:
> > Send a patch.. I'll add it to the AIX queue.
>
> OK... this patch only calls loginrestricted on AIX if:
>
> a) the user logging in isn't root (so root logins can be disabled via
> telnet but permitted or denied via PermitRootLogin).
>
> b) sshd *is* running as root since loginrestricted will fail if sshd
> isn't (or isn't a member of group "security").
>
> See: http://bugzilla.mindrot.org/show_bug.cgi?id=383 for details.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

From bugzilla-daemon at mindrot.org Wed Oct 16 10:19:46 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 16 Oct 2002 10:19:46 +1000 (EST)
Subject: [Bug 383] PublicKeyAuthentication failure when rlogin set to false
Message-ID: <20021016001946.C967E3D180@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=383

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From mouring at eviladmin.org 2002-10-16 10:19 -------
committed

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From mouring at etoh.eviladmin.org Wed Oct 16 10:14:32 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 15 Oct 2002 19:14:32 -0500 (CDT)
Subject: Call for testing for 3.5 OpenSSH
In-Reply-To: <3D92FC2D.32B8D520@zip.com.au>
Message-ID:

Applied Thanks.

On Thu, 26 Sep 2002, Darren Tucker wrote:
> Darren Tucker wrote:
> > Gert Doering wrote:
> > > On Tue, Sep 24, 2002 at 08:57:22AM -0500, Ben Lindstrom wrote:
> > > > > 2) http://bugzilla.mindrot.org/show_bug.cgi?id=397
> > > > > strsep() is in libc but isn't defined in the headers unless
> > > > > _LINUX_SOURCE_COMPAT is defined. This doesn't affect GCC, only the
> > > > > native compiler. Apart from the patch, another option could be to have
> > > > > configure define _LINUX_SOURCE_COMPAT for AIX.
> > >
> > > I want to vote *against* doing special-casing for AIX here - let them
> > > get their headers right. strsep() isn't *that* big, just compile it in.
>
> How about the following patch to configure.ac? It doesn't special case
> AIX but it does check for the strsep prototype before checking for the
> library function and defining HAVE_STRSEP.
>
> I tested on AIX 4.3.3 with xlc (which didn't define HAVE_STRSEP) and
> Linux (which did).
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

From mouring at etoh.eviladmin.org Wed Oct 16 10:45:43 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 15 Oct 2002 19:45:43 -0500 (CDT)
Subject: AIX remote root logins
In-Reply-To:
Message-ID:

On Tue, 15 Oct 2002, Ben Lindstrom wrote:
>
> Committed, Thanks.
>
> As for the question about a new release. No. But I did commit it to the
> V4_5_0 branch along with the --head.
>

Umm..of course I do mean V_3_5 =)

- ben

From mozilla at attbi.com Wed Oct 16 11:08:52 2002
From: mozilla at attbi.com (Donnie Cranford)
Date: Tue, 15 Oct 2002 20:08:52 -0500
Subject: AIX remote root logins
References: <3DA8A4D7.5070708@attbi.com> <1034477285.3755.4.camel@shuttle> <3DA8E8CD.B5C3FDA9@zip.com.au> <3DA8EBAE.2080303@attbi.com> <3DA8ED88.1D001538@zip.com.au>
Message-ID: <3DACBC24.7030603@attbi.com>

>Committed, Thanks.
>
>As for the question about a new release. No. But I did commit it to the
>V4_5_0 branch along with the --head.
>
>- Ben

Ok, so it's not in 3.5p1 but what is the V4_5_0 branch and is there a branch that I can pull from that will include this patch and be deployable to all systems until it is released in 3.6???

Thanks

Donnie Cranford
Sr Unix Systems Admin
ING Americas

Darren Tucker wrote:
>Donnie Cranford wrote:
>
>>Isn't this patch included in the current 3.5p1 cvs??
>>
>
>No, as far as I know the patch is in bugzilla only.
>
>The patch has:
> if ((pw->pw_uid != 0) && (loginrestrictions(pw->pw_name,...
>
>CVS has:
> if (loginrestrictions(pw->pw_name,...
>

From mouring at etoh.eviladmin.org Wed Oct 16 12:12:26 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 15 Oct 2002 21:12:26 -0500 (CDT)
Subject: AIX remote root logins
In-Reply-To: <3DACBC24.7030603@attbi.com>
Message-ID:

On Tue, 15 Oct 2002, Donnie Cranford wrote:
> >Committed, Thanks.
> >
> >As for the question about a new release. No. But I did commit it to the
> >V4_5_0 branch along with the --head.
> >
> >- Ben
>
> Ok, so it's not in 3.5p1 but what is the V4_5_0 branch and is there a
> branch that I can pull from that will include this patch and be
> deployable to all systems until it is released in 3.6???
>

Mean V_3_5 and it is also in --head. Which means it will end up in 3.6 and if we do a 3.5p2 release it will end up in that release.

- Ben

From bugzilla-daemon at mindrot.org Wed Oct 16 13:08:54 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 16 Oct 2002 13:08:54 +1000 (EST)
Subject: [Bug 301] In openssh 3.3 and 3.4 pam session seems be called from non-root
Message-ID: <20021016030854.72ADD3D193@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=301

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

------- Additional Comments From djm at mindrot.org 2002-10-16 13:08 -------
*** This bug has been marked as a duplicate of 84 ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Oct 16 13:09:08 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 16 Oct 2002 13:09:08 +1000 (EST)
Subject: [Bug 84] last command provides incorrect information on Solaris 8
Message-ID: <20021016030908.A54D63D193@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=84

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |misiek at pld.org.pl

------- Additional Comments From djm at mindrot.org 2002-10-16 13:08 -------
*** Bug 301 has been marked as a duplicate of this bug. ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Oct 16 13:09:40 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 16 Oct 2002 13:09:40 +1000 (EST)
Subject: [Bug 301] In openssh 3.3 and 3.4 pam session seems be called from non-root
Message-ID: <20021016030940.5C0B53D1A5@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=301

------- Additional Comments From djm at mindrot.org 2002-10-16 13:09 -------
*** This bug has been marked as a duplicate of 83 ***
*** This bug has been marked as a duplicate of 83 ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Oct 16 13:13:44 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 16 Oct 2002 13:13:44 +1000 (EST)
Subject: [Bug 83] PAM limits applied incorrectly (pam_session being called as non-root)
Message-ID: <20021016031344.020D33D1B2@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=83

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |misiek at pld.org.pl
            Summary|PAM limits applied          |PAM limits applied
                   |incorrectly                 |incorrectly (pam_session
                   |                            |being called as non-root)

------- Additional Comments From djm at mindrot.org 2002-10-16 13:09 -------
*** Bug 301 has been marked as a duplicate of this bug. ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From dtucker at zip.com.au Wed Oct 16 13:41:10 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 16 Oct 2002 13:41:10 +1000
Subject: AIX remote root logins
References: <3DA8A4D7.5070708@attbi.com> <1034477285.3755.4.camel@shuttle> <3DA8E8CD.B5C3FDA9@zip.com.au> <3DA8EBAE.2080303@attbi.com> <3DA8ED88.1D001538@zip.com.au> <3DACAA5A.6000804@attbi.com>
Message-ID: <3DACDFD6.954C9BF1@zip.com.au>

Donnie Cranford wrote:
> With all this talk about how BADLY this is needed, is there a reason
> this didn't go into OpenSSH 3.5?

I think 3.5p1 had already been tagged before we started discussing the patch.

> If it's possible...since we are about to
> roll this out could we get something that includes this patch? Maybe an
> early release of 3.6 or a 3.5.1 to include the AIX root login support??

If this is such a big deal for you, why not apply the patch to 3.5p1 before rolling it out? Ben has already indicated that future versions will include it.

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From mozilla at attbi.com Wed Oct 16 17:09:24 2002
From: mozilla at attbi.com (mozilla at attbi.com)
Date: Wed, 16 Oct 2002 07:09:24 +0000
Subject: AIX remote root logins
Message-ID: <20021016070924.NURF4193.rwcrmhc51.attbi.com@rwcrwbc70>

Ok, I'm now pulling the V3_5_0 branch via CVS but now that I have it down I need further instructions...do I need to install autoconf?

Thanks

Donnie

> Donnie Cranford wrote:
> > With all this talk about how BADLY this is needed, is there a reason
> > this didn't go into OpenSSH 3.5?
>
> I think 3.5p1 had already been tagged before we started discussing the
> patch.
>
> > If it's possible...since we are about to
> > roll this out could we get something that includes this patch? Maybe an
> > early release of 3.6 or a 3.5.1 to include the AIX root login support??
>
> If this is such a big deal for you, why not apply the patch to 3.5p1
> before rolling it out? Ben has already indicated that future versions
> will include it.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

From dtucker at zip.com.au Wed Oct 16 18:29:04 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 16 Oct 2002 18:29:04 +1000
Subject: AIX remote root logins
References: <20021016070924.NURF4193.rwcrmhc51.attbi.com@rwcrwbc70>
Message-ID: <3DAD2350.D40B15DB@zip.com.au>

mozilla at attbi.com wrote:
> Ok, I'm now pulling the V3_5_0 branch via CVS but now that
> I have it down I need further instructions...do I need to
> install autoconf?

Yes, you need autoconf and GNU m4. Run "make -f Makefile.in distprep" or "autoreconf". You can safely do this on a system other than the one you're going to compile on.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From mmokrejs at natur.cuni.cz Wed Oct 16 20:09:21 2002
From: mmokrejs at natur.cuni.cz (Martin MOKREJŠ)
Date: Wed, 16 Oct 2002 12:09:21 +0200 (CEST)
Subject: ssh-3.5p1 core dumps on Solaris 2.6
Message-ID:

Hi,
I've reported this problem a month ago on this list, and probably no-one is interested? Binaries were configured with krb4 and afs enabled. However, only the second crash seems to be related to krb4. Any thoughts?

I had to add one line to includes.h:

#include
#include
#include
+#include
#include

$ ./ssh -v pf-i400
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x00906080
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to pf-i400 [195.113.59.251] port 22.
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /.ssh/identity type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: identity file /.ssh/id_rsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.5p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 123/256
debug1: bits set: 1529/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
Segmentation Fault (core dumped)

$ gdb ./ssh ./core
GNU gdb 4.17
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.6"...
Core was generated by `./ssh -v pf-i400'.
Program terminated with signal 11, Segmentation Fault.
Reading symbols from /usr/athena/lib/libkafs.so.0...done.
Reading symbols from /usr/lib/libresolv.so.2...done.
Reading symbols from /usr/athena/lib/libdes.so.1...done.
Reading symbols from /usr/athena/lib/libkrb.so.1...done.
Reading symbols from /software/@sys/usr/lib/libz.so...done.
Reading symbols from /usr/lib/libsocket.so.1...done.
Reading symbols from /usr/lib/libnsl.so.1...done.
Reading symbols from /usr/lib/libc.so.1...done.
Reading symbols from /usr/athena/lib/libroken.so.16...done.
Reading symbols from /usr/lib/libdl.so.1...done.
Reading symbols from /usr/lib/libmp.so.2...done.
Reading symbols from /software/@sys/usr/lib/libdb-4.0.so...done.
Reading symbols from /usr/platform/SUNW,Ultra-30/lib/libc_psr.so.1...done.
Reading symbols from /usr/lib/nss_files.so.1...done.
#0  0xef4a5400 in strlen ()
(gdb) where
#0  0xef4a5400 in strlen ()
#1  0xef4dc7e4 in _doprnt ()
#2  0xef4e5c88 in vsnprintf ()
#3  0x42bfc in do_log (level=SYSLOG_LEVEL_DEBUG1, fmt=0xb9e28 "using hostkeyalias: %s", args=0xefffe510) at log.c:385
#4  0x42574 in debug (fmt=0xb9e28 "using hostkeyalias: %s") at log.c:159
#5  0x20c04 in check_host_key (host=0x5a "", hostaddr=0xf3560, host_key=0xffaa8, readonly=0, user_hostfile=0x81 "", system_hostfile=0x69 " -v pf-i400") at sshconnect.c:561
#6  0x21634 in verify_host_key (host=0xfa790 "pf-i400", hostaddr=0xf3560, host_key=0xffaa8) at sshconnect.c:810
#7  0x2446c in verify_host_key_callback (hostkey=0xffaa8) at sshconnect2.c:71
#8  0x4182c in kexgex_client (kex=0x105d90) at kexgex.c:184
#9  0x422c4 in kexgex (kex=0x105d90) at kexgex.c:413
#10 0x3fbe0 in kex_kexinit_finish (kex=0x105d90) at kex.c:243
#11 0x3fac4 in kex_input_kexinit (type=20, seq=0, ctxt=0x105d90) at kex.c:209
#12 0x3ba64 in dispatch_run (mode=0, done=0x105dd4, ctxt=0x105d90) at dispatch.c:93
#13 0x24698 in ssh_kex2 (host=0xfa790 "pf-i400", hostaddr=0xf3560) at sshconnect2.c:119
#14 0x21778 in ssh_login (sensitive=0xf433c, orighost=0xeffffab1 "pf-i400", hostaddr=0xf3560, pw=0xf4d28) at sshconnect.c:846
#15 0x1dd4c in main (ac=0, av=0xeffff9c8) at ssh.c:701
(gdb)

$ ./ssh -v pf-i400 -1
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x00906080
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to pf-i400 [195.113.59.251] port 22.
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /.ssh/identity type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: identity file /.ssh/id_rsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.5p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'pf-i400' is known and matches the RSA1 host key.
debug1: Found key in /.ssh/known_hosts:1
No valid SSH1 cipher, using 3des instead.
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying Kerberos v4 authentication.
debug1: Kerberos v4 authentication failed.
Segmentation Fault (core dumped)

$ gdb ./ssh ./core
GNU gdb 4.17
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.6"...
Core was generated by `./ssh -v pf-i400 -1'.
Program terminated with signal 11, Segmentation Fault.
Reading symbols from /usr/athena/lib/libkafs.so.0...done.
Reading symbols from /usr/lib/libresolv.so.2...done.
Reading symbols from /usr/athena/lib/libdes.so.1...done.
Reading symbols from /usr/athena/lib/libkrb.so.1...done.
Reading symbols from /software/@sys/usr/lib/libz.so...done.
Reading symbols from /usr/lib/libsocket.so.1...done.
Reading symbols from /usr/lib/libnsl.so.1...done.
Reading symbols from /usr/lib/libc.so.1...done.
Reading symbols from /usr/athena/lib/libroken.so.16...done.
Reading symbols from /usr/lib/libdl.so.1...done.
Reading symbols from /usr/lib/libmp.so.2...done.
Reading symbols from /software/@sys/usr/lib/libdb-4.0.so...done.
Reading symbols from /usr/platform/SUNW,Ultra-30/lib/libc_psr.so.1...done.
Reading symbols from /usr/lib/nss_files.so.1...done.
Reading symbols from /usr/lib/nss_dns.so.1...done.
#0  0x24210 in ssh_userauth1 (local_user=0xf7b30 "root", server_user=0xf79e0 "root", host=0xfa790 "pf-i400", sensitive=0xf433c) at sshconnect1.c:1248
1248            if (options.identity_keys[i] != NULL &&
(gdb) where
#0  0x24210 in ssh_userauth1 (local_user=0xf7b30 "root", server_user=0xf79e0 "root", host=0xfa790 "pf-i400", sensitive=0xf433c) at sshconnect1.c:1248
#1  0x217c0 in ssh_login (sensitive=0xf433c, orighost=0xeffffaad "pf-i400", hostaddr=0xf3560, pw=0xf4d28) at sshconnect.c:850
#2  0x1dd4c in main (ac=0, av=0xeffff9c4) at ssh.c:701
(gdb)

--
Martin Mokrejs , PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585

From mmokrejs at natur.cuni.cz Wed Oct 16 20:24:31 2002
From: mmokrejs at natur.cuni.cz (Martin MOKREJŠ)
Date: Wed, 16 Oct 2002 12:24:31 +0200 (CEST)
Subject: ssh-keygen opens NULL filename
Message-ID:

Hi,
it's impossible to use -f option with ssh-keygen with version 3.5p1:

$ ./ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
Generating public/private dsa key pair.
open failed: No such file or directory.
Saving the key failed: .
$

--
Martin Mokrejs , PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585

From soltes at intrak.sk Wed Oct 16 20:47:39 2002
From: soltes at intrak.sk (Lubos Soltes)
Date: Wed, 16 Oct 2002 12:47:39 +0200
Subject: problem with sshd
Message-ID: <20021016104739.GA25832@intrak.sk>

hi

Sorry for using this way to get help, but I can't solve it myself.

I get the following error:

fatal: daemon() failed: Success

in syslog. Looks like forking into background does not work. I've tried different kernels (2.2.19, 2.4.18, 2.4.19), versions of openssh (3.3p1, 3.4p1, 3.5p1). 3.3p1 was working, then I got off network, didn't use sshd. I made some changes in the system, but can't track the relevant one.

sshd -d or -D works fine.

if u need more info, just mail me.

thanks

Lubos Soltes
soltes at intrak.sk

From dtucker at zip.com.au Wed Oct 16 21:08:39 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 16 Oct 2002 21:08:39 +1000
Subject: ssh-keygen opens NULL filename
References:
Message-ID: <3DAD48B6.D32385B0@zip.com.au>

Martin MOKREJŠ wrote:
> it's impossible to use -f option with ssh-keygen with version 3.5p1:
>
> $ ./ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
> Generating public/private dsa key pair.
> open failed: No such file or directory.
> Saving the key failed: .

Can you provide some more details? (eg: OS & version, compiler & version, configure options).

I just tested 3.5p1 on Linux, which worked.

$ ./ssh-keygen -t dsa -f /tmp/ssh_host_dsa_key -N ""
Generating public/private dsa key pair.
Your identification has been saved in /tmp/ssh_host_dsa_key.
Your public key has been saved in /tmp/ssh_host_dsa_key.pub.
The key fingerprint is:
8b:34:74:72:e4:ba:68:b3:69:dd:18:71:c1:4c:c5:02 dtucker at gate

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From maniac at maniac.nl Wed Oct 16 21:38:58 2002
From: maniac at maniac.nl (Mark Janssen)
Date: 16 Oct 2002 13:38:58 +0200
Subject: ssh-keygen opens NULL filename
In-Reply-To: <3DAD48B6.D32385B0@zip.com.au>
References: <3DAD48B6.D32385B0@zip.com.au>
Message-ID: <1034768338.714.9.camel@shuttle>

On Wed, 2002-10-16 at 13:08, Darren Tucker wrote:
> Martin MOKREJŠ wrote:
> > it's impossible to use -f option with ssh-keygen with version 3.5p1:
> >
> > $ ./ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
> > Generating public/private dsa key pair.
> > open failed: No such file or directory.
> > Saving the key failed: .

Maybe a stupid suggestion, maybe it's already been said (I didn't check the entire discussion).

But, were you root (since I'm seeing a $ prompt), or otherwise possible to write in /etc/ssh ???

--
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl

From mmokrejs at natur.cuni.cz Wed Oct 16 22:22:45 2002
From: mmokrejs at natur.cuni.cz (Martin MOKREJŠ)
Date: Wed, 16 Oct 2002 14:22:45 +0200 (CEST)
Subject: ssh-keygen opens NULL filename
In-Reply-To: <1034768338.714.9.camel@shuttle>
Message-ID:

On 16 Oct 2002, Mark Janssen wrote:
> On Wed, 2002-10-16 at 13:08, Darren Tucker wrote:
> > Martin MOKREJŠ wrote:
> > > it's impossible to use -f option with ssh-keygen with version 3.5p1:
> > >
> > > $ ./ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
> > > Generating public/private dsa key pair.
> > > open failed: No such file or directory.
> > > Saving the key failed: .
>
> Maybe a stupid suggestion, maybe it's already been said (I didn't check
> the entire discussion).
>
> But, were you root (since I'm seeing a $ prompt), or otherwise possible
> to write in /etc/ssh ???

Well, actually I was a root, but replaced my $PS1 in the list post for `$' sign. Sorry for confusion, but perms really weren't a problem.

--
Martin Mokrejs , PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585

From dtucker at zip.com.au Wed Oct 16 22:45:29 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 16 Oct 2002 22:45:29 +1000
Subject: ssh-3.5p1 core dumps on Solaris 2.6
References: 
Message-ID: <3DAD5F69.AE8435E@zip.com.au>

Martin MOKREJŠ wrote:
> I've reported this problem a month ago on this list, and probably no-one
> is interested? Binaries were configured with krb4 and afs enabled.
> However, only the second crash seems to be related to krb4.
> Any thoughts?

I use neither kerberos or afs but I do have a guess:

> #3  0x42bfc in do_log (level=SYSLOG_LEVEL_DEBUG1, fmt=0xb9e28 "using hostkeyalias: %s",
>     args=0xefffe510) at log.c:385
> #4  0x42574 in debug (fmt=0xb9e28 "using hostkeyalias: %s") at log.c:159
> #5  0x20c04 in check_host_key (host=0x5a "", hostaddr=0xf3560, host_key=0xffaa8, readonly=0,
                                 ^^^^^^^^^
>     user_hostfile=0x81 "", system_hostfile=0x69 " -v pf-i400") at sshconnect.c:561

It looks like the hostkeyalias ended up being an invalid pointer
somehow, which was copied into "host" and passed to debug().

Does your config file have spaces or control characters on the
HostKeyAlias line(s)? Can you post the relevant parts (ie the global
part and the host-specific part) of the config files (both user and
system)?

If that doesn't help, please do the following and post the results:
$ gdb ./ssh
(gdb) set args [your args to ssh here]
(gdb) break readconf.c:471
(gdb) run
[wait for break]
(gdb) print *options
(gdb) quit

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From markus at openbsd.org Wed Oct 16 23:07:28 2002
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 16 Oct 2002 15:07:28 +0200
Subject: [openssh-unix-announce] OpenSSH 3.5 released
In-Reply-To: <20021016125710.GA22712@rzdspc5.informatik.uni-hamburg.de>
References: <20021015185814.GA4044@skaidan> <20021016125710.GA22712@rzdspc5.informatik.uni-hamburg.de>
Message-ID: <20021016130728.GA22935@faui02>

that's a bug in 3.5. i'm not sure how to fix this.
ssh-keysign(8) does not know about the remote hostname.

On Wed, Oct 16, 2002 at 02:57:10PM +0200, Reinhard Zierke wrote:
> Markus,
>
> I've got a problem with OpenSSH 3.5p1:
>
> > Changes since OpenSSH 3.4:
> > ============================
> > ...
> > * ssh-keysign(8) is disabled by default and only enabled if the
> >   HostbasedAuthentication option is enabled in the global ssh_config(5)
> >   file.
>
> and the new ssh says:
>
> zierke at rzdspc81% ssh rzdspc5
> Hostbased authentication not enabled in /etc/ssh/ssh_config
> ssh_msg_send: write
> zierke at rzdspc81%
>
> My /etc/ssh/ssh_config basically is
>
> Host rz?spc? rz?spc??
> ...
> HostbasedAuthentication yes
> ...
>
> Host *
> ...
> HostbasedAuthentication no
> ...
>
> If I change the default entry to "HostbasedAuthentication yes" too, then ssh
> works fine. But I want HostbasedAuthentication for local hosts only as it
> does work up to version 3.4p1. How can I do this with 3.5p1?
>
> Regards,
> Reinhard
>
> --
> Reinhard Zierke                        Universität Hamburg, FB Informatik
> zierke at informatik.uni-hamburg.de      Vogt-Kölln-Straße 30, D-22527 Hamburg
> postmaster at informatik.uni-hamburg.de  Tel.: (040) 42883-2295/2276 Fax: -2241

From markus at openbsd.org Wed Oct 16 23:21:01 2002
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 16 Oct 2002 15:21:01 +0200
Subject: [openssh-unix-announce] OpenSSH 3.5 released
In-Reply-To: <20021016130728.GA22935@faui02>
References: <20021015185814.GA4044@skaidan> <20021016125710.GA22712@rzdspc5.informatik.uni-hamburg.de> <20021016130728.GA22935@faui02>
Message-ID: <20021016132100.GA9169@faui02>

On Wed, Oct 16, 2002 at 02:57:10PM +0200, Reinhard Zierke wrote:
> My /etc/ssh/ssh_config basically is
>
> Host rz?spc? rz?spc??
> ...
> HostbasedAuthentication yes
> ...
>
> Host *
> ...
> HostbasedAuthentication no
> ...
>
> If I change the default entry to "HostbasedAuthentication yes" too, then ssh
> works fine. But I want HostbasedAuthentication for local hosts only as it
> does work up to version 3.4p1. How can I do this with 3.5p1?

since HostbasedAuthentication defaults to no, you can just use:

Host rz?spc? rz?spc??
	HostbasedAuthentication yes

Host *
	dont-mention-HostbasedAuthentication

From Frank.Beckmann at vodafone.com Wed Oct 16 23:20:01 2002
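The exchange above turns on two ssh_config rules: a "Host" block applies only to hostnames matching one of its patterns, and the first value obtained for an option wins, with unset options falling back to their defaults. The script below is an added example (not OpenSSH code and not from anyone in the thread) that models those two rules for the ssh(1) client and checks that Reinhard's original file and Markus's variant give the client the same answer for every host. The two config fragments are constructed from Reinhard's description (his "..." lines are omitted); the glob matcher and the resolver are this example's own simplifications of readconf.c. ssh-keysign(8) in 3.5 reads the file without a remote hostname, as Markus notes, so only the client's view is modelled here.

```python
"""Model of how ssh(1) resolves a per-host option from ssh_config.

Added example, not OpenSSH code: a "Host" block applies to matching
hostnames only, the first obtained value for an option wins, and
options nobody set fall back to their defaults.
"""

# Constructed from Reinhard's mail (his "..." lines left out).
ORIGINAL_CONFIG = """\
Host rz?spc? rz?spc??
    HostbasedAuthentication yes

Host *
    HostbasedAuthentication no
"""

# Markus's variant: the option is simply not mentioned under "Host *".
FIXED_CONFIG = """\
Host rz?spc? rz?spc??
    HostbasedAuthentication yes

Host *
"""

# Defaults applied to options no block has set (fill_default_options()).
# Only the option under discussion is listed; this is an assumption of
# the example, not a full table of ssh defaults.
DEFAULTS = {"hostbasedauthentication": "no"}


def match_pattern(name, pattern):
    """ssh-style glob: '*' matches any run, '?' exactly one character."""
    if not pattern:
        return name == ""
    if pattern[0] == "*":
        return any(match_pattern(name[i:], pattern[1:])
                   for i in range(len(name) + 1))
    if name and (pattern[0] == "?" or pattern[0] == name[0]):
        return match_pattern(name[1:], pattern[1:])
    return False


def resolve(config_text, hostname):
    """Return {keyword: value} as the client would see it for hostname.

    Keywords are compared case-insensitively; lines before any Host
    block are global; the first obtained value for a keyword wins.
    """
    options = {}
    active = True
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        args = parts[1].split() if len(parts) > 1 else []
        if key == "host":
            # A Host line selects whether the following lines apply.
            active = any(match_pattern(hostname, p) for p in args)
            continue
        if active and args and key not in options:
            options[key] = args[0].lower()
    for key, value in DEFAULTS.items():
        options.setdefault(key, value)
    return options


def hostbased_enabled(config_text, hostname):
    """True when ssh would attempt hostbased authentication to hostname."""
    return resolve(config_text, hostname)["hostbasedauthentication"] == "yes"


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        for host in ("rzdspc5", "rzdspc81", "www.example.org"):
            print(f"{label:8s} {host:16s} hostbased={hostbased_enabled(cfg, host)}")
```

Running it shows that, from the client's point of view, the explicit "HostbasedAuthentication no" under "Host *" is redundant: both files enable hostbased authentication for the rz?spc? hosts and leave it at the default "no" for everything else.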
From: Frank.Beckmann at vodafone.com (Frank Beckmann)
Date: Wed, 16 Oct 2002 15:20:01 +0200
Subject: SSH Bug 3.5p1 Expired Passwords
Message-ID: <3DAD6781.40808@vodafone.com>

Hello

in the new Openssh 3.5p1 is the same bug as in the 3.4p1 :-(
When a user tries to login with an expired password, SSH denies access to the system

fbeckman at zvadmxz:/home/fbeckman # ssh -v fbeckman at xy
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090605f
debug1: Reading configuration data /etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 0 geteuid 0 anon 1
debug1: Connecting to webmann [129.8.140.69] port 22.
debug1: temporarily_use_uid: 0/1 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 0/1 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /.ssh/identity type 0
debug1: identity file /.ssh/id_rsa type 1
debug1: identity file /.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.1p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'xy' is known and matches the RSA1 host key.
debug1: Found key in /etc/ssh_known_hosts:1662
debug1: Encryption type: blowfish
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: RSA authentication using agent refused.
debug1: Trying RSA authentication with key '/.ssh/identity'
debug1: Server refused our key.
debug1: Doing challenge response authentication.
debug1: No challenge.
debug1: Doing password authentication.
fbeckman at xy's password:
Permission denied, please try again.
fbeckman at xy's password:
Permission denied, please try again.
fbeckman at xy's password:
Permission denied.
debug1: Calling cleanup 0x43804(0x0)

--------------------------------------------------------------------------------

The old 3.1p1 was better, look here:

fbeckman at zvadmxy:/home/fbeckman # ssh -v fbeckman at xyz
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090605f
debug1: Reading configuration data /etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 0 geteuid 0 anon 1
debug1: Connecting to webmann [139.7.180.69] port 22.
debug1: temporarily_use_uid: 0/1 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 0/1 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /.ssh/identity type 0
debug1: identity file /.ssh/id_rsa type 1
debug1: identity file /.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.1p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'xyz' is known and matches the RSA1 host key.
debug1: Found key in /etc/ssh_known_hosts:1662
debug1: Encryption type: blowfish
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: RSA authentication using agent refused.
debug1: Trying RSA authentication with key '/.ssh/identity'
debug1: Server refused our key.
debug1: Doing challenge response authentication.
debug1: No challenge.
debug1: Doing password authentication.
fbeckman at xyz's password:
debug1: Requesting pty.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: fd 4 setting TCP_NODELAY
debug1: Requesting shell.
debug1: Entering interactive session.
Warning: Your password has expired, please change it now
Enter login password:
New password:
Re-enter new password:
sshd (SYSTEM): passwd successfully changed for fbeckman
Last login: Wed Oct 16 15:12:13 2002 from xvy

Greetings from Germany

Frank Beckmann

-- 
Frank Beckmann
Abt. TOIU
Tel: 0211 533-5758
Fax: 0211 533-1451
Mail Frank.Beckmann at vodafone.com

From tim at multitalents.net Wed Oct 16 23:29:57 2002
From: tim at multitalents.net (Tim Rice)
Date: Wed, 16 Oct 2002 06:29:57 -0700 (PDT)
Subject: AIX remote root logins
In-Reply-To: <3DAD2350.D40B15DB@zip.com.au>
Message-ID: 

On Wed, 16 Oct 2002, Darren Tucker wrote:

> mozilla at attbi.com wrote:
> > Ok, I'm now pulling the V3_5_0 branch via CVS but now that
> > I have it down I need further instructions...do I need to
> > install autoconf?

You will need autoconf 2.52 or later.

> Yes, you need autoconf and GNU m4. Run "make -f Makefile.in distprep" or
> "autoreconf".
>
> You can safely do this on a system other than the one you're going to
> compile on.
>
> --

-- 
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From mmokrejs at natur.cuni.cz Wed Oct 16 23:31:13 2002
From: mmokrejs at natur.cuni.cz (=?iso-8859-2?Q?Martin_MOKREJ=A9?=)
Date: Wed, 16 Oct 2002 15:31:13 +0200 (CEST)
Subject: ssh-3.5p1 core dumps on Solaris 2.6
In-Reply-To: <3DAD5F69.AE8435E@zip.com.au>
Message-ID: 

On Wed, 16 Oct 2002, Darren Tucker wrote:

Hi,
  sorry for the delay in communication, but we had a router failure:

I used the following for configuring openssh-3.5p1:

./configure --prefix=/usr/local --with-kerberos4=/usr/athena --with-afs=/usr/afsws --with-tcp-wrappers --with-ssl-dir=/software/@sys/usr/openssl --without-rsh --disable-suid-ssh --with-privsep --with-zlib --with-pam

kth-krb-1.2 and have OpenSSL 0.9.6h-dev xx XXX xxxx.

bash-2.05b# uname -a
SunOS pf-i400 5.6 Generic_105181-33 sun4u sparc SUNW,Ultra-30
bash-2.05b#

> Martin MOKREJŠ wrote:
> > I've reported this problem a month ago on this list, and probably no-one
> > is interested? Binaries were configured with krb4 and afs enabled.
> > However, only the second crash seems to be related to krb4.
> > Any thoughts?
>
> I use neither kerberos or afs but I do have a guess:
>
> > #3  0x42bfc in do_log (level=SYSLOG_LEVEL_DEBUG1, fmt=0xb9e28 "using hostkeyalias: %s",
> >     args=0xefffe510) at log.c:385
> > #4  0x42574 in debug (fmt=0xb9e28 "using hostkeyalias: %s") at log.c:159
> > #5  0x20c04 in check_host_key (host=0x5a "", hostaddr=0xf3560, host_key=0xffaa8, readonly=0,
>                                  ^^^^^^^^^
> >     user_hostfile=0x81 "", system_hostfile=0x69 " -v pf-i400") at sshconnect.c:561
>
> It looks like the hostkeyalias ended up being an invalid pointer
> somehow, which was copied into "host" and passed to debug().
>
> Does your config file have spaces or control characters on the
> HostKeyAlias line(s)? Can you post the relevant parts (ie the global

I don't see such a line at all. ;( Maybe I should upgrade my config files
as well.

> part and the host-specific part) of the config files (both user and
> system)?

Both files attached.

> If that doesn't help, please do the following and post the results:
> $ gdb ./ssh
> (gdb) set args [your args to ssh here]
> (gdb) break readconf.c:471
> (gdb) run
> [wait for break]
> (gdb) print *options
> (gdb) quit

bash-2.05b# gdb ./ssh
GNU gdb 4.17
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.6"...
(gdb) set args -l mmokrejs pf-i400
(gdb) break readconf.c:471
Breakpoint 1 at 0x281fc: file readconf.c, line 471.
(gdb) run
Starting program: /scratch/openssh-3.5p1/./ssh -l mmokrejs pf-i400

Program received signal SIGSEGV, Segmentation fault.
0xef4dca78 in _doprnt ()
(gdb) print *options
Structure has no component named operator*.
(gdb) where
#0  0xef4dca78 in _doprnt ()
#1  0xef4e5c88 in vsnprintf ()
#2  0x42c1c in do_log (level=SYSLOG_LEVEL_INFO, fmt=0xba0c0 "Failed to add the host to the list of known hosts (%.500s).", args=0xefffe4d8) at log.c:387
#3  0x424f4 in log (fmt=0xba0c0 "Failed to add the host to the list of known hosts (%.500s).") at log.c:135
#4  0x21064 in check_host_key (host=0xb1 <Address 0xb1 out of bounds>, hostaddr=0xf3560, host_key=0xffaa8, readonly=0, user_hostfile=0x2c <Address 0x2c out of bounds>, system_hostfile=0x56 <Address 0x56 out of bounds>) at sshconnect.c:671
#5  0x21634 in verify_host_key (host=0xf7b40 "pf-i400", hostaddr=0xf3560, host_key=0xffaa8) at sshconnect.c:810
#6  0x2446c in verify_host_key_callback (hostkey=0xffaa8) at sshconnect2.c:71
#7  0x4182c in kexgex_client (kex=0xfaa20) at kexgex.c:184
#8  0x422c4 in kexgex (kex=0xfaa20) at kexgex.c:413
#9  0x3fbe0 in kex_kexinit_finish (kex=0xfaa20) at kex.c:243
#10 0x3fac4 in kex_input_kexinit (type=20, seq=0, ctxt=0xfaa20) at kex.c:209
#11 0x3ba64 in dispatch_run (mode=0, done=0xfaa64, ctxt=0xfaa20) at dispatch.c:93
#12 0x24698 in ssh_kex2 (host=0xf7b40 "pf-i400", hostaddr=0xf3560) at sshconnect2.c:119
---Type <return> to continue, or q to quit---
#13 0x21778 in ssh_login (sensitive=0xf433c, orighost=0xeffffa99 "pf-i400", hostaddr=0xf3560, pw=0xf4d28) at sshconnect.c:846
#14 0x1dd4c in main (ac=0, av=0xeffff994) at ssh.c:701
(gdb) where
#0  0xef4dca78 in _doprnt ()
#1  0xef4e5c88 in vsnprintf ()
#2  0x42c1c in do_log (level=SYSLOG_LEVEL_INFO, fmt=0xba0c0 "Failed to add the host to the list of known hosts (%.500s).", args=0xefffe4d8) at log.c:387
#3  0x424f4 in log (fmt=0xba0c0 "Failed to add the host to the list of known hosts (%.500s).") at log.c:135
#4  0x21064 in check_host_key (host=0xb1 <Address 0xb1 out of bounds>, hostaddr=0xf3560, host_key=0xffaa8, readonly=0, user_hostfile=0x2c <Address 0x2c out of bounds>, system_hostfile=0x56 <Address 0x56 out of bounds>) at sshconnect.c:671
#5  0x21634 in verify_host_key (host=0xf7b40 "pf-i400", hostaddr=0xf3560, host_key=0xffaa8) at sshconnect.c:810
#6  0x2446c in verify_host_key_callback (hostkey=0xffaa8) at sshconnect2.c:71
#7  0x4182c in kexgex_client (kex=0xfaa20) at kexgex.c:184
#8  0x422c4 in kexgex (kex=0xfaa20) at kexgex.c:413
#9  0x3fbe0 in kex_kexinit_finish (kex=0xfaa20) at kex.c:243
#10 0x3fac4 in kex_input_kexinit (type=20, seq=0, ctxt=0xfaa20) at kex.c:209
#11 0x3ba64 in dispatch_run (mode=0, done=0xfaa64, ctxt=0xfaa20) at dispatch.c:93
#12 0x24698 in ssh_kex2 (host=0xf7b40 "pf-i400", hostaddr=0xf3560) at sshconnect2.c:119
---Type <return> to continue, or q to quit---
#13 0x21778 in ssh_login (sensitive=0xf433c, orighost=0xeffffa99 "pf-i400", hostaddr=0xf3560, pw=0xf4d28) at sshconnect.c:846
#14 0x1dd4c in main (ac=0, av=0xeffff994) at ssh.c:701
(gdb) l
216             u_short fwd_port, fwd_host_port;
217             char sfwd_port[6], sfwd_host_port[6];
218             char *p, *cp, buf[256];
219             struct stat st;
220             struct passwd *pw;
221             int dummy;
222             extern int optind, optreset;
223             extern char *optarg;
224
225             __progname = get_progname(av[0]);
(gdb) print options
$1 = {forward_agent = 163, forward_x11 = 4, xauth_location = 0x79 <Address 0x79 out of bounds>, gateway_ports = 15, use_privileged_port = 43, rhosts_authentication = 63, rhosts_rsa_authentication = 208, rsa_authentication = 111, pubkey_authentication = 156, hostbased_authentication = 230, challenge_response_authentication = 35, kerberos_authentication = 219, kerberos_tgt_passing = 66, afs_token_passing = 212, password_authentication = 157, kbd_interactive_authentication = 141, kbd_interactive_devices = 0xdc <Address 0xdc out of bounds>, batch_mode = 89, check_host_ip = 0, strict_host_key_checking = 254, compression = 62, compression_level = 73, keepalives = 5, log_level = 201, port = 223, connection_attempts = 57, number_of_password_prompts = 124, cipher = 243, ciphers = 0x1c <Address 0x1c out of bounds>, macs = 0xe8 <Address 0xe8 out of bounds>, hostkeyalgorithms = 0xbd <Address 0xbd out of bounds>, protocol = 55, hostname = 0x24 <Address 0x24 out of bounds>, host_key_alias = 0xb1 <Address 0xb1 out of bounds>, proxy_command = 0xf9 <Address 0xf9 out of bounds>, user = 0x44 <Address 0x44 out of bounds>, escape_char = 39, system_hostfile = 0x56 <Address 0x56 out of bounds>, user_hostfile = 0x2c <Address 0x2c out of bounds>, system_hostfile2 = 0x26 <Address 0x26 out of bounds>, user_hostfile2 = 0xde <Address 0xde out of bounds>,
---Type <return> to continue, or q to quit---
preferred_authentications = 0x17 <Address 0x17 out of bounds>, bind_address = 0x6d <Address 0x6d out of bounds>, smartcard_device = 0xaf <Address 0xaf out of bounds>, num_identity_files = 247, identity_files = {0xc <Address 0xc out of bounds>, 0x46 <Address 0x46 out of bounds>, 0xf8 <Address 0xf8 out of bounds>, 0xe7 <Address 0xe7 out of bounds>, 0xa <Address 0xa out of bounds>, 0x89 <Address 0x89 out of bounds>, 0x72 <Address 0x72 out of bounds>, 0xfb <Address 0xfb out of bounds>, 0x1 <Address 0x1 out of bounds>, 0x20 <Address 0x20 out of bounds>, 0xbb <Address 0xbb out of bounds>, 0xe5 <Address 0xe5 out of bounds>, 0xa5 <Address 0xa5 out of bounds>, 0xdd <Address 0xdd out of bounds>, 0x92 <Address 0x92 out of bounds>, 0x58585858 <Address 0x58585858 out of bounds> }, identity_keys = {0x0, 0x0, 0x0, 0x58585858 }, num_local_forwards = 0, local_forwards = {{port = 22616, host = 0x58585858 <Address 0x58585858 out of bounds>, host_port = 22616} }, num_remote_forwards = 0, remote_forwards = {{port = 22616, host = 0x58585858 <Address 0x58585858 out of bounds>, host_port = 22616} }, clear_forwardings = -1, no_host_authentication_for_localhost = 0}
(gdb)

-- 
Martin Mokrejs , PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssh_config.gz
Type: application/octet-stream
Size: 535 bytes
Desc: 
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20021016/26aa2441/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sshd_config.gz
Type: application/octet-stream
Size: 936 bytes
Desc: 
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20021016/26aa2441/attachment-0001.obj

From mmokrejs at natur.cuni.cz Wed Oct 16 23:35:39 2002
From: mmokrejs at natur.cuni.cz (=?iso-8859-2?Q?Martin_MOKREJ=A9?=)
Date: Wed, 16 Oct 2002 15:35:39 +0200 (CEST)
Subject: ssh-3.5p1 core dumps on Solaris 2.6
In-Reply-To: <3DAD5F69.AE8435E@zip.com.au>
Message-ID: 

I used gcc version 3.0.4

-- 
Martin Mokrejs , PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585

From mmokrejs at natur.cuni.cz Wed Oct 16 23:44:42 2002
From: mmokrejs at natur.cuni.cz (=?iso-8859-2?Q?Martin_MOKREJ=A9?=)
Date: Wed, 16 Oct 2002 15:44:42 +0200 (CEST)
Subject: ssh-keygen opens NULL filename
In-Reply-To: <3DAD48B6.D32385B0@zip.com.au>
Message-ID: 

On Wed, 16 Oct 2002, Darren Tucker wrote:

> Martin MOKREJŠ wrote:
> > it's impossible to use -f option with ssh-keygen with version 3.5p1:
> >
> > $ ./ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
> > Generating public/private dsa key pair.
> > open failed: No such file or directory.
> > Saving the key failed: .
>
> Can you provide some more details? (eg: OS & version, compiler &
> version, configure options). I just tested 3.5p1 on Linux, which worked.

SunOS pf-i400 5.6 Generic_105181-33 sun4u sparc SUNW,Ultra-30
gcc version 3.0.4
./configure --prefix=/usr/local --with-kerberos4=/usr/athena --with-afs=/usr/afsws --with-tcp-wrappers --with-ssl-dir=/software/@sys/usr/openssl --without-rsh --disable-suid-ssh --with-privsep --with-zlib --with-pam

> $ ./ssh-keygen -t dsa -f /tmp/ssh_host_dsa_key -N ""
> Generating public/private dsa key pair.
> Your identification has been saved in /tmp/ssh_host_dsa_key.
> Your public key has been saved in /tmp/ssh_host_dsa_key.pub.
> The key fingerprint is:
> 8b:34:74:72:e4:ba:68:b3:69:dd:18:71:c1:4c:c5:02 dtucker at gate

bash-2.05b# ./ssh-keygen -t dsa -f /tmp/ssh_host_dsa_key -N ""
Generating public/private dsa key pair.
open failed: No such file or directory.
Saving the key failed: .

bash-2.05b# truss ./ssh-keygen -t dsa -f /tmp/ssh_host_dsa_key -N ""
execve("./ssh-keygen", 0xEFFFF988, 0xEFFFF9A8)  argc = 7
resolvepath("/usr/lib/ld.so.1", "/usr/lib/ld.so.1", 1023) = 16
open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT
open("/dev/zero", O_RDONLY) = 3
mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xEF7B0000
open("/usr/athena/lib/libkafs.so.0", O_RDONLY) = 4
fstat(4, 0xEFFFF05C) = 0
mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF7A0000
mmap(0x00000000, 204800, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF760000
mmap(0xEF78E000, 8696, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 122880) = 0xEF78E000
munmap(0xEF780000, 57344) = 0
memcntl(0xEF760000, 32184, MC_ADVISE, 0x0003, 0, 0) = 0
close(4) = 0
open("/usr/athena/lib/libresolv.so.2", O_RDONLY) Err#2 ENOENT
open("/usr/local/lib/libresolv.so.2", O_RDONLY) Err#2 ENOENT
open("/usr/lib/security/libresolv.so.2", O_RDONLY) Err#2 ENOENT
open("/software/@sys/usr/lib/libresolv.so.2", O_RDONLY) Err#2 ENOENT
open("/usr/ccs/lib/libresolv.so.2", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libresolv.so.2", O_RDONLY) = 4
fstat(4, 0xEFFFF05C) = 0
mmap(0xEF7A0000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xEF7A0000
mmap(0x00000000, 139264, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF730000
mmap(0xEF74C000, 10075, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 49152) = 0xEF74C000
mmap(0xEF750000, 6588, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xEF750000
munmap(0xEF73E000, 57344) = 0
memcntl(0xEF730000, 11548, MC_ADVISE, 0x0003, 0, 0) = 0
close(4) = 0
open("/usr/athena/lib/libdes.so.1", O_RDONLY) = 4
fstat(4, 0xEFFFF05C) = 0
mmap(0xEF7A0000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xEF7A0000
mmap(0x00000000, 172032, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF700000
mmap(0xEF722000, 7144, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 73728) = 0xEF722000
mmap(0xEF724000, 24252, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xEF724000
munmap(0xEF714000, 57344) = 0
memcntl(0xEF700000, 8864, MC_ADVISE, 0x0003, 0, 0) = 0
close(4) = 0
open("/usr/athena/lib/libkrb.so.1", O_RDONLY) = 4
fstat(4, 0xEFFFF05C) = 0
mmap(0xEF7A0000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xEF7A0000
mmap(0x00000000, 344064, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF6A0000
mmap(0xEF6EA000, 15656, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 237568) = 0xEF6EA000
mmap(0xEF6EE000, 16528, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xEF6EE000
munmap(0xEF6DC000, 57344) = 0
memcntl(0xEF6A0000, 38444, MC_ADVISE, 0x0003, 0, 0) = 0
close(4) = 0
open("/usr/athena/lib/libz.so", O_RDONLY) Err#2 ENOENT
open("/usr/local/lib/libz.so", O_RDONLY) Err#2 ENOENT
open("/usr/lib/security/libz.so", O_RDONLY) Err#2 ENOENT
open("/software/@sys/usr/lib/libz.so", O_RDONLY) = 4
fstat(4, 0xEFFFF05C) = 0
mmap(0xEF7A0000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xEF7A0000
mmap(0x00000000, 163840, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF670000
mmap(0xEF696000, 7120, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 90112) = 0xEF696000
munmap(0xEF688000, 57344) = 0
memcntl(0xEF670000, 6124, MC_ADVISE, 0x0003, 0, 0) = 0
close(4) = 0
open("/usr/athena/lib/libsocket.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/local/lib/libsocket.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/lib/security/libsocket.so.1", O_RDONLY) Err#2 ENOENT
open("/software/@sys/usr/lib/libsocket.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/ccs/lib/libsocket.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libsocket.so.1", O_RDONLY) = 4
fstat(4, 0xEFFFF05C) = 0
mmap(0xEF7A0000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xEF7A0000
mmap(0x00000000, 106496, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF650000
mmap(0xEF666000, 8185, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 24576) = 0xEF666000
mmap(0xEF668000, 388, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xEF668000
munmap(0xEF658000, 57344) = 0
memcntl(0xEF650000, 12072, MC_ADVISE, 0x0003, 0, 0) = 0
close(4) = 0
open("/usr/athena/lib/libnsl.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/local/lib/libnsl.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/lib/security/libnsl.so.1", O_RDONLY) Err#2 ENOENT
open("/software/@sys/usr/lib/libnsl.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/ccs/lib/libnsl.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libnsl.so.1", O_RDONLY) = 4
fstat(4, 0xEFFFF05C) = 0
mmap(0xEF7A0000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xEF7A0000
mmap(0x00000000, 614400, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF580000
mmap(0xEF606000, 36348, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 483328) = 0xEF606000
mmap(0xEF610000, 19416, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xEF610000
munmap(0xEF5F8000, 57344) = 0
memcntl(0xEF580000, 70384, MC_ADVISE, 0x0003, 0, 0) = 0
close(4) = 0
open("/usr/athena/lib/libc.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/local/lib/libc.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/lib/security/libc.so.1", O_RDONLY) Err#2 ENOENT
open("/software/@sys/usr/lib/libc.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/ccs/lib/libc.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libc.so.1", O_RDONLY) = 4
fstat(4, 0xEFFFF05C) = 0
mmap(0xEF7A0000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xEF7A0000
mmap(0x00000000, 712704, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF480000
mmap(0xEF524000, 30396, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 606208) = 0xEF524000
mmap(0xEF52C000, 4304, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xEF52C000
munmap(0xEF516000, 57344) = 0
memcntl(0xEF480000, 101964, MC_ADVISE, 0x0003, 0, 0) = 0
close(4) = 0
open("/usr/athena/lib/libroken.so.16", O_RDONLY) = 4
fstat(4, 0xEFFFF05C) = 0
mmap(0xEF7A0000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xEF7A0000
mmap(0x00000000, 196608, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF540000
mmap(0xEF56C000, 9748, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 114688) = 0xEF56C000
munmap(0xEF55E000, 57344) = 0
memcntl(0xEF540000, 19000, MC_ADVISE, 0x0003, 0, 0) = 0
close(4) = 0
mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xEF640000
open("/usr/athena/lib/libdl.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/local/lib/libdl.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/lib/security/libdl.so.1", O_RDONLY) Err#2 ENOENT
open("/software/@sys/usr/lib/libdl.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/ccs/lib/libdl.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libdl.so.1", O_RDONLY) = 4
fstat(4, 0xEFFFF05C) = 0
mmap(0xEF7A0000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xEF7A0000
close(4) = 0
open("/usr/athena/lib/libmp.so.2", O_RDONLY) Err#2 ENOENT
open("/usr/local/lib/libmp.so.2", O_RDONLY) Err#2 ENOENT
open("/usr/lib/security/libmp.so.2", O_RDONLY) Err#2 ENOENT
open("/software/@sys/usr/lib/libmp.so.2", O_RDONLY) Err#2 ENOENT
open("/usr/ccs/lib/libmp.so.2", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libmp.so.2", O_RDONLY) = 4
fstat(4, 0xEFFFF05C) = 0
mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF630000
mmap(0x00000000, 81920, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF460000
mmap(0xEF472000, 3581, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 8192) = 0xEF472000
munmap(0xEF464000, 57344) = 0
memcntl(0xEF460000, 3020, MC_ADVISE, 0x0003, 0, 0) = 0
close(4) = 0
open("/usr/athena/lib/libdb-4.0.so", O_RDONLY) Err#2 ENOENT
open("/usr/local/lib/libdb-4.0.so", O_RDONLY) Err#2 ENOENT
open("/usr/lib/security/libdb-4.0.so", O_RDONLY) Err#2 ENOENT
open("/software/@sys/usr/lib/libdb-4.0.so", O_RDONLY) = 4
fstat(4, 0xEFFFF05C) = 0
mmap(0xEF630000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xEF630000
mmap(0x00000000, 1081344, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF300000
mmap(0xEF404000, 14512, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 999424) = 0xEF404000
munmap(0xEF3F6000, 57344) = 0
memcntl(0xEF300000, 63540, MC_ADVISE, 0x0003, 0, 0) = 0
close(4) = 0
open("/usr/platform/SUNW,Ultra-30/lib/libc_psr.so.1", O_RDONLY) = 4
fstat(4, 0xEFFFEEBC) = 0
mmap(0xEF630000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xEF630000
mmap(0x00000000, 16384, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF620000
close(4) = 0
mprotect(0xEF760000, 125912, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mprotect(0xEF760000, 125912, PROT_READ|PROT_EXEC) = 0
close(3) = 0
munmap(0xEF630000, 8192) = 0
brk(0x000B4280) = 0
brk(0x000B6280) = 0
brk(0x000B6280) = 0
brk(0x000B8280) = 0
getpid() = 10655 [10654]
getpid() = 10655 [10654]
open("/dev/urandom", O_RDONLY) = 3
read(3, "BD", 1) = 1
read(3, " p", 1) = 1
read(3, "\v", 1) = 1
read(3, "F3", 1) = 1
[...]
time() = 1034775742
getpid() = 10655 [10654]
getpid() = 10655 [10654]
time() = 1034775743
getpid() = 10655 [10654]
getpid() = 10655 [10654]
stat64("", 0xEFFFF070) Err#2 ENOENT
open64("", O_WRONLY|O_CREAT|O_TRUNC, 0600) Err#2 ENOENT
open failed: No such file or directory.write(2, " o p e n f a i l e d".., 40) = 40
write(2, "\r\n", 2) = 2
Saving the key failed: .
write(1, " S a v i n g t h e k".., 25) = 25
llseek(0, 0, SEEK_CUR) = 40167
_exit(1)
bash-2.05b#

-- 
Martin Mokrejs , PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585

From dtucker at zip.com.au Wed Oct 16 23:57:01 2002
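Most of the trace Martin posted is the runtime linker probing library directories; the two lines that explain "open failed: No such file or directory" are the stat64("") and open64("") near the end, where an empty string reached the kernel as the key file name even though -f was given. The script below is an added example (not from the thread and not OpenSSH code) of the triage a practitioner does by hand on such a trace: it parses truss(1) lines into syscall, arguments and result, flags path-taking calls whose path argument is empty, and separates the loader's expected ENOENTs from the ones that matter. The sample trace is a constructed excerpt of nine lines copied from Martin's output; the set of path-taking syscalls and the rule for recognising the library search are this example's own assumptions.

```python
"""Find where an empty filename reached the kernel in a truss(1) trace.

Added example, not from the thread. Parses Solaris truss output lines,
flags path-taking syscalls that received "" as their path, and lists
failed calls with the runtime linker's library search filtered out.
"""
import re

# Constructed sample: nine lines copied from Martin's truss output.
SAMPLE_TRACE = """\
execve("./ssh-keygen", 0xEFFFF988, 0xEFFFF9A8)  argc = 7
open("/var/ld/ld.config", O_RDONLY)             Err#2 ENOENT
open("/usr/athena/lib/libresolv.so.2", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libresolv.so.2", O_RDONLY)       = 4
open("/dev/urandom", O_RDONLY)                  = 3
stat64("", 0xEFFFF070)                          Err#2 ENOENT
open64("", O_WRONLY|O_CREAT|O_TRUNC, 0600)      Err#2 ENOENT
write(2, " o p e n   f a i l e d".., 40)        = 40
_exit(1)
"""

# Syscalls whose first argument is a path (assumption of this example;
# extend as needed for other traces).
PATH_SYSCALLS = {"open", "open64", "stat", "stat64", "lstat", "lstat64",
                 "access", "creat", "unlink", "rename", "execve",
                 "resolvepath"}

# name(args) followed by "= value", "Err#N NAME", or nothing at all.
LINE_RE = re.compile(r'^(\w+)\((.*)\)\s*(.*)$')
# A double-quoted first argument, with backslash escapes.
STR_RE = re.compile(r'^\s*"((?:[^"\\]|\\.)*)"')


def parse_line(line):
    """Return (syscall, argstr, result, errno_name) or None for non-syscall lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    name, argstr, rest = m.group(1), m.group(2), m.group(3).strip()
    result = errno_name = None
    if rest.startswith("Err#"):
        errno_name = rest.split()[-1]          # e.g. "ENOENT"
    elif "=" in rest:
        result = rest.split("=", 1)[1].strip()  # e.g. "4", "7"
    return name, argstr, result, errno_name


def first_string_arg(argstr):
    """The first argument if it is a quoted string (possibly ""), else None."""
    m = STR_RE.match(argstr)
    return m.group(1) if m else None


def find_empty_path_calls(trace):
    """(line number, syscall) for every path-taking call that got "" as path."""
    hits = []
    for lineno, line in enumerate(trace.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        name, argstr, _, _ = parsed
        if name in PATH_SYSCALLS and first_string_arg(argstr) == "":
            hits.append((lineno, name))
    return hits


def failed_calls(trace, ignore_loader_search=True):
    """(syscall, path, errno) for failed calls.

    With ignore_loader_search the probes of ld.so.1 (its config file and
    the ".so" lookups across the library path) are dropped, since those
    ENOENTs are normal and drown the real failure.
    """
    out = []
    for line in trace.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        name, argstr, _, errno_name = parsed
        if errno_name is None:
            continue
        path = first_string_arg(argstr)
        if ignore_loader_search and path and (
                ".so" in path or path == "/var/ld/ld.config"):
            continue
        out.append((name, path, errno_name))
    return out


if __name__ == "__main__":
    for lineno, name in find_empty_path_calls(SAMPLE_TRACE):
        print(f"line {lineno}: {name}() called with an empty path")
    for name, path, err in failed_calls(SAMPLE_TRACE):
        print(f"{name}({path!r}) failed with {err}")
```

On the sample this reports the stat64 and open64 calls on line 6 and 7 and nothing else, which is exactly the pair that points at the -f argument being lost somewhere between getopt and the key-saving code rather than at permissions or a missing directory.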
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 16 Oct 2002 23:57:01 +1000
Subject: ssh-keygen opens NULL filename
References: 
Message-ID: <3DAD702D.F47BB49E@zip.com.au>

Martin MOKREJŠ wrote:
> On Wed, 16 Oct 2002, Darren Tucker wrote:
> > Can you provide some more details? (eg: OS & version, compiler &
> > version, configure options). I just tested 3.5p1 on Linux, which worked.
>
> SunOS pf-i400 5.6 Generic_105181-33 sun4u sparc SUNW,Ultra-30
> gcc version 3.0.4
> ./configure --prefix=/usr/local --with-kerberos4=/usr/athena
> --with-afs=/usr/afsws --with-tcp-wrappers
> --with-ssl-dir=/software/@sys/usr/openssl --without-rsh --disable-suid-ssh
> --with-privsep --with-zlib --with-pam

I just tried it on Solaris 2.6 (vanilla configure, gcc 3.2) and it
worked OK. You can try it with no configure options and see if it works,
and if it does, add the options until you find out which one breaks it.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From unix_chin at indiatimes.com Wed Oct 16 23:55:21 2002
From: unix_chin at indiatimes.com (unix_chin)
Date: Wed, 16 Oct 2002 19:25:21 +0530
Subject: OPenSSH version 3.4 --sshd hangs for some time at startup
Message-ID: <200210161342.TAA24279@WS0005.indiatimes.com>

I am trying to run sftp-server from openssh on solaris 2.8.

When I start the sshd, and try to see if it has bound to port 22 (using
netstat -a), I see that it binds only after approx 9 minutes. During that
time a SFTP client can't connect.

When I do a 'truss' on this, I see that it is hung on a 'read' system call
and is sleeping on that.

Is this a bug or is there something in the configuration I am missing !!

BR/
Chinmaya

Get Your Private, Free E-mail from Indiatimes at http://email.indiatimes.com
Buy Music, Video, CD-ROM, Audio-Books and Music Accessories from http://www.planetm.co.in
Change the way you talk. Indiatimes presents Valufon, Your PC to Phone service with clear voice at rates far less than the normal ISD rates. Go to http://www.valufon.indiatimes.com. Choose your plan. BUY NOW.

From dtucker at zip.com.au Thu Oct 17 00:08:34 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 17 Oct 2002 00:08:34 +1000
Subject: SSH Bug 3.5p1 Expired Passwords
References: <3DAD6781.40808@vodafone.com>
Message-ID: <3DAD72E2.A237A41F@zip.com.au>

Frank Beckmann wrote:
> in the new Openssh 3.5p1 is the same bug as in the 3.4p1 :-(
> When a user tries to login with an expired password, SSH denies access to the system

In pam-auth.c, change

#if 0
	case PAM_NEW_AUTHTOK_REQD:

to

#if 1
	case PAM_NEW_AUTHTOK_REQD:

and set "UsePrivilegeSeparation no" in sshd_config.

People have reported mixed success, so your mileage may vary. Let the list
know how it goes; one of the reasons this isn't enabled in 3.5p1 is lack
of testing.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From mmokrejs at natur.cuni.cz Thu Oct 17 00:08:32 2002
From: mmokrejs at natur.cuni.cz (Martin MOKREJŠ) Date: Wed, 16 Oct 2002 16:08:32 +0200 (CEST) Subject: ssh-keygen opens NULL filename In-Reply-To: <3DAD702D.F47BB49E@zip.com.au> Message-ID: On Wed, 16 Oct 2002, Darren Tucker wrote: > Martin MOKREJŠ wrote: > > On Wed, 16 Oct 2002, Darren Tucker wrote: > > > Can you provide some more details? (eg: OS & version, compiler & > > > version, configure options). I just tested 3.5p1 on Linux, which worked. > > > > SunOS pf-i400 5.6 Generic_105181-33 sun4u sparc SUNW,Ultra-30 > > gcc version 3.0.4 > > ./configure --prefix=/usr/local --with-kerberos4=/usr/athena > > --with-afs=/usr/afsws --with-tcp-wrappers > > --with-ssl-dir=/software/@sys/usr/openssl --without-rsh --disable-suid-ssh > > --with-privsep --with-zlib --with-pam > > I just tried it on Solaris 2.6 (vanilla configure, gcc 3.2) and it > worked OK. You can try it with no configure options and see if it works, > and if it does, add the options until you find out which one breaks it. OK, I'll try. Can you please try in the meantime: http://www.natur.cuni.cz/~mmokrejs/config.status.gz ? I guess you tried with kerberos and AFS, right? ;) -- Martin Mokrejs , PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs MIPS / Institute for Bioinformatics GSF - National Research Center for Environment and Health Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany tel.: +49-89-3187 3683 , fax: +49-89-3187 3585 From mmokrejs at natur.cuni.cz Thu Oct 17 00:22:54 2002 
From: mmokrejs at natur.cuni.cz (Martin MOKREJŠ) Date: Wed, 16 Oct 2002 16:22:54 +0200 (CEST) Subject: ssh-keygen opens NULL filename In-Reply-To: <3DAD702D.F47BB49E@zip.com.au> Message-ID: On Wed, 16 Oct 2002, Darren Tucker wrote: > Martin MOKREJŠ wrote: > > On Wed, 16 Oct 2002, Darren Tucker wrote: > > > Can you provide some more details? (eg: OS & version, compiler & > > > version, configure options). I just tested 3.5p1 on Linux, which worked. > > > > SunOS pf-i400 5.6 Generic_105181-33 sun4u sparc SUNW,Ultra-30 > > gcc version 3.0.4 > > ./configure --prefix=/usr/local --with-kerberos4=/usr/athena > > --with-afs=/usr/afsws --with-tcp-wrappers > > --with-ssl-dir=/software/@sys/usr/openssl --without-rsh --disable-suid-ssh > > --with-privsep --with-zlib --with-pam > > I just tried it on Solaris 2.6 (vanilla configure, gcc 3.2) and it > worked OK. You can try it with no configure options and see if it works, > and if it does, add the options until you find out which one breaks it. So, omitting --with-kerberos4=/usr/athena and --with-afs=/usr/afsws cures my problem. Strangely enough, disabling kerberos in kerberos-enabled binaries does NOT help, i.e. "/usr/local/bin/ssh -k -v -o 'HostKeyAlias mmokrejs' -l mmokrejs pf-i400" still dumps core. So, what should I do now? I want kerberos. ;) -- Martin Mokrejs , PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs MIPS / Institute for Bioinformatics GSF - National Research Center for Environment and Health Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany tel.: +49-89-3187 3683 , fax: +49-89-3187 3585 From dtucker at zip.com.au Thu Oct 17 00:31:27 2002 
From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 17 Oct 2002 00:31:27 +1000 Subject: ssh-keygen (+kerberos +afs) opens NULL filename References: Message-ID: <3DAD783F.8DB00008@zip.com.au> Martin MOKREJŠ wrote: > So, omitting --with-kerberos4=/usr/athena and --with-afs=/usr/afsws cures > my problem. > > Strangely enough, disabling kerberos in kerberos-enabled binaries does NOT > help, i.e. > "/usr/local/bin/ssh -k -v -o 'HostKeyAlias mmokrejs' -l mmokrejs pf-i400" > still dumps core. > > So, what should I do now? I want kerberos. ;) Try kerberos without AFS or vice versa. Does anyone with kerberos and/or AFS want to take a look at this? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From mmokrejs at natur.cuni.cz Thu Oct 17 00:42:33 2002 
From: mmokrejs at natur.cuni.cz (Martin MOKREJŠ) Date: Wed, 16 Oct 2002 16:42:33 +0200 (CEST) Subject: ssh-keygen (+kerberos +afs) opens NULL filename In-Reply-To: <3DAD783F.8DB00008@zip.com.au> Message-ID: On Thu, 17 Oct 2002, Darren Tucker wrote: > Martin MOKREJŠ wrote: > > So, omitting --with-kerberos4=/usr/athena and --with-afs=/usr/afsws cures > > my problem. > > > > Strangely enough, disabling kerberos in kerberos-enabled binaries does NOT > > help, i.e. > > "/usr/local/bin/ssh -k -v -o 'HostKeyAlias mmokrejs' -l mmokrejs pf-i400" > > still dumps core. > > > > So, what should I do now? I want kerberos. ;) > > Try kerberos without AFS or vice versa. Just tried kerberos without AFS and it still crashes. So, --with-kerberos4 is the cause. Once more - KTH KRB4-1.2 from ftp://ftp.pdc.kth.se/pub/krb4/src I'm pasting compiler output at http://www.natur.cuni.cz/~mmokrejs/openssh-3.5p1/compile.txt (if someone would like to inspect warnings). Thanks! -- Martin Mokrejs , PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs MIPS / Institute for Bioinformatics GSF - National Research Center for Environment and Health Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany tel.: +49-89-3187 3683 , fax: +49-89-3187 3585 From mmokrejs at natur.cuni.cz Thu Oct 17 01:34:02 2002 
From: mmokrejs at natur.cuni.cz (Martin MOKREJŠ) Date: Wed, 16 Oct 2002 17:34:02 +0200 (CEST) Subject: ssh-keygen opens NULL filename In-Reply-To: <3DAD48B6.D32385B0@zip.com.au> Message-ID: Hi, I did a few checks and, as I'm not a C programmer at all, have just a few points regarding ssh-keygen.c: 905 if (strstr(identity_file, dotsshdir) != NULL && isn't the above line missing a closing bracket? Could someone just have a look at the gdb output at: http://www.natur.cuni.cz/~mmokrejs/openssh-3.5p1/ ? Thanks. In one of them, I also pointed out: 956 snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname); -----------------------------------------------^ sizeof(comment) instead? The identity_file variable contents somehow change over time, isn't that my problem? Same with hostname, for example. -- Martin Mokrejs , PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs MIPS / Institute for Bioinformatics GSF - National Research Center for Environment and Health Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany tel.: +49-89-3187 3683 , fax: +49-89-3187 3585 From luc at suryo.com Thu Oct 17 02:11:40 2002 
From: luc at suryo.com (Luc I. Suryo) Date: Wed, 16 Oct 2002 11:11:40 -0500 Subject: ssh-keygen opens NULL filename In-Reply-To: References: <3DAD48B6.D32385B0@zip.com.au> Message-ID: <20021016161140.GA24989@nc1701.suryo.com> Hello, I have no answer, but it works on my system, using Forte C: 11:07 nc1701[10005] ./ssh-keygen -t dsa -f /tmp/ssh_host_dsa_key -N "" Generating public/private dsa key pair. Your identification has been saved in /tmp/ssh_host_dsa_key. Your public key has been saved in /tmp/ssh_host_dsa_key.pub. The key fingerprint is: 64:11:a7:80:a3:ca:dd:06:a6:fe:b0:3b:b9:c3:53:c2 root at nc1701 11:07 nc1701[10006] uname -a SunOS nc1701 5.8 Generic_108528-16 sun4u sparc SUNW,Ultra-30 Some differences are the OS (I use Solaris 8 and Martin's is Solaris 2.6) and the compiler we use, gcc vs Sun Forte C. > On Wed, 16 Oct 2002, Darren Tucker wrote: > > > Martin MOKREJŠ wrote: > > > it's impossible to use -f option with ssh-keygen with version 3.5p1: > > > > > > $ ./ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N "" > > > Generating public/private dsa key pair. > > > open failed: No such file or directory. > > > Saving the key failed: . > > > > Can you provide some more details? (eg: OS & version, compiler & > > version, configure options). I just tested 3.5p1 on Linux, which worked. > > > SunOS pf-i400 5.6 Generic_105181-33 sun4u sparc SUNW,Ultra-30 > gcc version 3.0.4 > ./configure --prefix=/usr/local --with-kerberos4=/usr/athena > --with-afs=/usr/afsws --with-tcp-wrappers > --with-ssl-dir=/software/@sys/usr/openssl --without-rsh --disable-suid-ssh > --with-privsep --with-zlib --with-pam > > > > $ ./ssh-keygen -t dsa -f /tmp/ssh_host_dsa_key -N "" > > Generating public/private dsa key pair. > > Your identification has been saved in /tmp/ssh_host_dsa_key. > > Your public key has been saved in /tmp/ssh_host_dsa_key.pub. 
> > The key fingerprint is: > > 8b:34:74:72:e4:ba:68:b3:69:dd:18:71:c1:4c:c5:02 dtucker at gate > > bash-2.05b# ./ssh-keygen -t dsa -f /tmp/ssh_host_dsa_key -N "" > Generating public/private dsa key pair. > open failed: No such file or directory. > Saving the key failed: . > bash-2.05b# truss ./ssh-keygen -t dsa -f /tmp/ssh_host_dsa_key -N "" > execve("./ssh-keygen", 0xEFFFF988, 0xEFFFF9A8) argc = 7 > resolvepath("/usr/lib/ld.so.1", "/usr/lib/ld.so.1", 1023) = 16 > open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT > open("/dev/zero", O_RDONLY) = 3 > mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xEF7B0000 > open("/usr/athena/lib/libkafs.so.0", O_RDONLY) = 4 > fstat(4, 0xEFFFF05C) = 0 > mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF7A0000 > mmap(0x00000000, 204800, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF760000 > mmap(0xEF78E000, 8696, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 122880) = 0xEF78E000 > munmap(0xEF780000, 57344) = 0 > memcntl(0xEF760000, 32184, MC_ADVISE, 0x0003, 0, 0) = 0 > close(4) = 0 > open("/usr/athena/lib/libresolv.so.2", O_RDONLY) Err#2 ENOENT > open("/usr/local/lib/libresolv.so.2", O_RDONLY) Err#2 ENOENT > open("/usr/lib/security/libresolv.so.2", O_RDONLY) Err#2 ENOENT > open("/software/@sys/usr/lib/libresolv.so.2", O_RDONLY) Err#2 ENOENT > open("/usr/ccs/lib/libresolv.so.2", O_RDONLY) Err#2 ENOENT > open("/usr/lib/libresolv.so.2", O_RDONLY) = 4 > fstat(4, 0xEFFFF05C) = 0 > mmap(0xEF7A0000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xEF7A0000 > mmap(0x00000000, 139264, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF730000 > mmap(0xEF74C000, 10075, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 49152) = 0xEF74C000 > mmap(0xEF750000, 6588, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xEF750000 > munmap(0xEF73E000, 57344) = 0 > memcntl(0xEF730000, 11548, MC_ADVISE, 0x0003, 0, 0) = 0 > close(4) = 0 > 
open("/usr/athena/lib/libdes.so.1", O_RDONLY) = 4 > fstat(4, 0xEFFFF05C) = 0 > mmap(0xEF7A0000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xEF7A0000 > mmap(0x00000000, 172032, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF700000 > mmap(0xEF722000, 7144, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 73728) = 0xEF722000 > mmap(0xEF724000, 24252, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xEF724000 > munmap(0xEF714000, 57344) = 0 > memcntl(0xEF700000, 8864, MC_ADVISE, 0x0003, 0, 0) = 0 > close(4) = 0 > open("/usr/athena/lib/libkrb.so.1", O_RDONLY) = 4 > fstat(4, 0xEFFFF05C) = 0 > mmap(0xEF7A0000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xEF7A0000 > mmap(0x00000000, 344064, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF6A0000 > mmap(0xEF6EA000, 15656, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 237568) = 0xEF6EA000 > mmap(0xEF6EE000, 16528, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xEF6EE000 > munmap(0xEF6DC000, 57344) = 0 > memcntl(0xEF6A0000, 38444, MC_ADVISE, 0x0003, 0, 0) = 0 > close(4) = 0 > open("/usr/athena/lib/libz.so", O_RDONLY) Err#2 ENOENT > open("/usr/local/lib/libz.so", O_RDONLY) Err#2 ENOENT > open("/usr/lib/security/libz.so", O_RDONLY) Err#2 ENOENT > open("/software/@sys/usr/lib/libz.so", O_RDONLY) = 4 > fstat(4, 0xEFFFF05C) = 0 > mmap(0xEF7A0000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xEF7A0000 > mmap(0x00000000, 163840, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF670000 > mmap(0xEF696000, 7120, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 90112) = 0xEF696000 > munmap(0xEF688000, 57344) = 0 > memcntl(0xEF670000, 6124, MC_ADVISE, 0x0003, 0, 0) = 0 > close(4) = 0 > open("/usr/athena/lib/libsocket.so.1", O_RDONLY) Err#2 ENOENT > open("/usr/local/lib/libsocket.so.1", O_RDONLY) Err#2 ENOENT > open("/usr/lib/security/libsocket.so.1", O_RDONLY) Err#2 ENOENT > open("/software/@sys/usr/lib/libsocket.so.1", O_RDONLY) Err#2 
ENOENT > open("/usr/ccs/lib/libsocket.so.1", O_RDONLY) Err#2 ENOENT > open("/usr/lib/libsocket.so.1", O_RDONLY) = 4 > fstat(4, 0xEFFFF05C) = 0 > mmap(0xEF7A0000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xEF7A0000 > mmap(0x00000000, 106496, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF650000 > mmap(0xEF666000, 8185, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 24576) = 0xEF666000 > mmap(0xEF668000, 388, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xEF668000 > munmap(0xEF658000, 57344) = 0 > memcntl(0xEF650000, 12072, MC_ADVISE, 0x0003, 0, 0) = 0 > close(4) = 0 > open("/usr/athena/lib/libnsl.so.1", O_RDONLY) Err#2 ENOENT > open("/usr/local/lib/libnsl.so.1", O_RDONLY) Err#2 ENOENT > open("/usr/lib/security/libnsl.so.1", O_RDONLY) Err#2 ENOENT > open("/software/@sys/usr/lib/libnsl.so.1", O_RDONLY) Err#2 ENOENT > open("/usr/ccs/lib/libnsl.so.1", O_RDONLY) Err#2 ENOENT > open("/usr/lib/libnsl.so.1", O_RDONLY) = 4 > fstat(4, 0xEFFFF05C) = 0 > mmap(0xEF7A0000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xEF7A0000 > mmap(0x00000000, 614400, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF580000 > mmap(0xEF606000, 36348, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 483328) = 0xEF606000 > mmap(0xEF610000, 19416, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xEF610000 > munmap(0xEF5F8000, 57344) = 0 > memcntl(0xEF580000, 70384, MC_ADVISE, 0x0003, 0, 0) = 0 > close(4) = 0 > open("/usr/athena/lib/libc.so.1", O_RDONLY) Err#2 ENOENT > open("/usr/local/lib/libc.so.1", O_RDONLY) Err#2 ENOENT > open("/usr/lib/security/libc.so.1", O_RDONLY) Err#2 ENOENT > open("/software/@sys/usr/lib/libc.so.1", O_RDONLY) Err#2 ENOENT > open("/usr/ccs/lib/libc.so.1", O_RDONLY) Err#2 ENOENT > open("/usr/lib/libc.so.1", O_RDONLY) = 4 > fstat(4, 0xEFFFF05C) = 0 > mmap(0xEF7A0000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xEF7A0000 > mmap(0x00000000, 712704, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 
0) = 0xEF480000 > mmap(0xEF524000, 30396, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 606208) = 0xEF524000 > mmap(0xEF52C000, 4304, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xEF52C000 > munmap(0xEF516000, 57344) = 0 > memcntl(0xEF480000, 101964, MC_ADVISE, 0x0003, 0, 0) = 0 > close(4) = 0 > open("/usr/athena/lib/libroken.so.16", O_RDONLY) = 4 > fstat(4, 0xEFFFF05C) = 0 > mmap(0xEF7A0000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xEF7A0000 > mmap(0x00000000, 196608, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF540000 > mmap(0xEF56C000, 9748, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 114688) = 0xEF56C000 > munmap(0xEF55E000, 57344) = 0 > memcntl(0xEF540000, 19000, MC_ADVISE, 0x0003, 0, 0) = 0 > close(4) = 0 > mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xEF640000 > open("/usr/athena/lib/libdl.so.1", O_RDONLY) Err#2 ENOENT > open("/usr/local/lib/libdl.so.1", O_RDONLY) Err#2 ENOENT > open("/usr/lib/security/libdl.so.1", O_RDONLY) Err#2 ENOENT > open("/software/@sys/usr/lib/libdl.so.1", O_RDONLY) Err#2 ENOENT > open("/usr/ccs/lib/libdl.so.1", O_RDONLY) Err#2 ENOENT > open("/usr/lib/libdl.so.1", O_RDONLY) = 4 > fstat(4, 0xEFFFF05C) = 0 > mmap(0xEF7A0000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xEF7A0000 > close(4) = 0 > open("/usr/athena/lib/libmp.so.2", O_RDONLY) Err#2 ENOENT > open("/usr/local/lib/libmp.so.2", O_RDONLY) Err#2 ENOENT > open("/usr/lib/security/libmp.so.2", O_RDONLY) Err#2 ENOENT > open("/software/@sys/usr/lib/libmp.so.2", O_RDONLY) Err#2 ENOENT > open("/usr/ccs/lib/libmp.so.2", O_RDONLY) Err#2 ENOENT > open("/usr/lib/libmp.so.2", O_RDONLY) = 4 > fstat(4, 0xEFFFF05C) = 0 > mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF630000 > mmap(0x00000000, 81920, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF460000 > mmap(0xEF472000, 3581, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 8192) = 0xEF472000 > 
munmap(0xEF464000, 57344) = 0 > memcntl(0xEF460000, 3020, MC_ADVISE, 0x0003, 0, 0) = 0 > close(4) = 0 > open("/usr/athena/lib/libdb-4.0.so", O_RDONLY) Err#2 ENOENT > open("/usr/local/lib/libdb-4.0.so", O_RDONLY) Err#2 ENOENT > open("/usr/lib/security/libdb-4.0.so", O_RDONLY) Err#2 ENOENT > open("/software/@sys/usr/lib/libdb-4.0.so", O_RDONLY) = 4 > fstat(4, 0xEFFFF05C) = 0 > mmap(0xEF630000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xEF630000 > mmap(0x00000000, 1081344, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF300000 > mmap(0xEF404000, 14512, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 999424) = 0xEF404000 > munmap(0xEF3F6000, 57344) = 0 > memcntl(0xEF300000, 63540, MC_ADVISE, 0x0003, 0, 0) = 0 > close(4) = 0 > open("/usr/platform/SUNW,Ultra-30/lib/libc_psr.so.1", O_RDONLY) = 4 > fstat(4, 0xEFFFEEBC) = 0 > mmap(0xEF630000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0xEF630000 > mmap(0x00000000, 16384, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF620000 > close(4) = 0 > mprotect(0xEF760000, 125912, PROT_READ|PROT_WRITE|PROT_EXEC) = 0 > mprotect(0xEF760000, 125912, PROT_READ|PROT_EXEC) = 0 > close(3) = 0 > munmap(0xEF630000, 8192) = 0 > brk(0x000B4280) = 0 > brk(0x000B6280) = 0 > brk(0x000B6280) = 0 > brk(0x000B8280) = 0 > getpid() = 10655 [10654] > getpid() = 10655 [10654] > open("/dev/urandom", O_RDONLY) = 3 > read(3, "BD", 1) = 1 > read(3, " p", 1) = 1 > read(3, "\v", 1) = 1 > read(3, "F3", 1) = 1 > [...] > time() = 1034775742 > getpid() = 10655 [10654] > getpid() = 10655 [10654] > time() = 1034775743 > getpid() = 10655 [10654] > getpid() = 10655 [10654] > stat64("", 0xEFFFF070) Err#2 ENOENT > open64("", O_WRONLY|O_CREAT|O_TRUNC, 0600) Err#2 ENOENT > open failed: No such file or directory.write(2, " o p e n f a i l e d".., 40) = 40 > > write(2, "\r\n", 2) = 2 > Saving the key failed: . 
> write(1, " S a v i n g t h e k".., 25) = 25 > llseek(0, 0, SEEK_CUR) = 40167 > _exit(1) > bash-2.05b# > > > -- > Martin Mokrejs , > PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs > MIPS / Institute for Bioinformatics > GSF - National Research Center for Environment and Health > Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany > tel.: +49-89-3187 3683 , fax: +49-89-3187 3585 --- End of mmokrejs at natur.cuni.cz's quote --- -- Kind regards, Luc Suryo From mmokrejs at natur.cuni.cz Thu Oct 17 02:46:30 2002 
From: mmokrejs at natur.cuni.cz (=?iso-8859-2?Q?Martin_MOKREJ=A9?=) Date: Wed, 16 Oct 2002 18:46:30 +0200 (CEST) Subject: ssh-keygen opens NULL filename In-Reply-To: <20021016161140.GA24989@nc1701.suryo.com> Message-ID: On Wed, 16 Oct 2002, Luc I. Suryo wrote: > > Hello, > > > I have no answer but it works on my system, used Forte C > > 11:07 nc1701[10005] ./ssh-keygen -t dsa -f /tmp/ssh_host_dsa_key -N "" > Generating public/private dsa key pair. > Your identification has been saved in /tmp/ssh_host_dsa_key. > Your public key has been saved in /tmp/ssh_host_dsa_key.pub. > The key fingerprint is: > 64:11:a7:80:a3:ca:dd:06:a6:fe:b0:3b:b9:c3:53:c2 root at nc1701 Hi, it also works for me, if I omit --with-kerberos4=/usr/athena configure option. Or do you use kerberos4 as well? Which version? bash-2.05b# ./ssh-keygen -t rsa -f /tmp/ssh_host_dsa_key -N "" Generating public/private rsa key pair. Your identification has been saved in /tmp/ssh_host_dsa_key. Your public key has been saved in /tmp/ssh_host_dsa_key.pub. The key fingerprint is: a4:33:2b:d6:7d:3a:db:98:96:58:d3:c4:98:6c:0f:f5 root at pf-i400 bash-2.05b# [...] time() = 1034786736 getpid() = 1062 [1061] getpid() = 1062 [1061] stat64("/tmp/ssh_host_dsa_key", 0xEFFFF068) Err#2 ENOENT open64("/tmp/ssh_host_dsa_key", O_WRONLY|O_CREAT|O_TRUNC, 0600) = 3 fstat64(3, 0xEFFFD5A0) = 0 ioctl(3, TCGETA, 0xEFFFD52C) Err#25 ENOTTY brk(0x000D6068) = 0 brk(0x000D8068) = 0 write(3, " - - - - - B E G I N R".., 887) = 887 close(3) = 0 getpid() = 1062 [1061] getpid() = 1062 [1061] Your identification has been saved in /tmp/ssh_host_dsa_key. write(1, " Y o u r i d e n t i f".., 61) = 61 open64("/tmp/ssh_host_dsa_key.pub", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 3 fstat64(3, 0xEFFFE108) = 0 ioctl(3, TCGETA, 0xEFFFE094) Err#25 ENOTTY write(3, " s s h - r s a A A A A".., 222) = 222 close(3) = 0 Your public key has been saved in /tmp/ssh_host_dsa_key.pub. 
write(1, " Y o u r p u b l i c ".., 61) = 61 The key fingerprint is: write(1, " T h e k e y f i n g".., 24) = 24 b9:b1:42:da:30:5b:06:27:0d:43:f9:a9:c2:30:6e:1c root at pf-i400 write(1, " b 9 : b 1 : 4 2 : d a :".., 61) = 61 llseek(0, 0, SEEK_CUR) = 714032 _exit(0) bash-2.05b# > > 11:07 nc1701[10006] uname -a > SunOS nc1701 5.8 Generic_108528-16 sun4u sparc SUNW,Ultra-30 > > Some differences are the OS (I use Solaris 8 and Martin's is Solaris 2.6) > > and the compiler we use, gcc vs Sun Forte C From markus at openbsd.org Thu Oct 17 03:24:02 2002 From: markus at openbsd.org (Markus Friedl) Date: Wed, 16 Oct 2002 19:24:02 +0200 Subject: [openssh-unix-announce] OpenSSH 3.5 released In-Reply-To: <20021016132100.GA9169@faui02> References: <20021015185814.GA4044@skaidan> <20021016125710.GA22712@rzdspc5.informatik.uni-hamburg.de> <20021016130728.GA22935@faui02> <20021016132100.GA9169@faui02> Message-ID: <20021016172402.GB2592@faui02> On Wed, Oct 16, 2002 at 03:21:01PM +0200, Markus Friedl wrote: > On Wed, Oct 16, 2002 at 02:57:10PM +0200, Reinhard Zierke wrote: > > My /etc/ssh/ssh_config basically is > > > > Host rz?spc? rz?spc?? > > ... > > HostbasedAuthentication yes > > ... > > > > Host * > > ... > > HostbasedAuthentication no > > ... > > I'm very wrong, it's a bug. This patch (a little bit ugly) should fix this problem: Index: ssh.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/ssh.c,v retrieving revision 1.186 diff -u -r1.186 ssh.c --- ssh.c 19 Sep 2002 01:58:18 -0000 1.186 +++ ssh.c 16 Oct 2002 17:02:46 -0000 @@ -118,6 +118,7 @@ * configuration file. */ char *host; +char *orighost; /* socket address the host resolves to */ struct sockaddr_storage hostaddr; 
@@ -503,6 +504,7 @@ /* Check that we got a host name. */ if (!host) usage(); + orighost = host; SSLeay_add_all_algorithms(); ERR_load_crypto_strings(); Index: sshconnect2.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/sshconnect2.c,v retrieving revision 1.107 diff -u -r1.107 sshconnect2.c --- sshconnect2.c 1 Jul 2002 19:48:46 -0000 1.107 +++ sshconnect2.c 16 Oct 2002 17:18:19 -0000 @@ -51,6 +51,7 @@ /* import */ extern char *client_version_string; extern char *server_version_string; +extern char *orighost; /* XXX */ extern Options options; /* @@ -904,10 +905,12 @@ Buffer b; struct stat st; pid_t pid; - int to[2], from[2], status, version = 2; + int to[2], from[2], status, version = 3; debug("ssh_keysign called"); + if (orighost == NULL) + return -1; if (stat(_PATH_SSH_KEY_SIGN, &st) < 0) { error("ssh_keysign: no installed: %s", strerror(errno)); return -1; @@ -945,6 +948,7 @@ close(to[0]); buffer_init(&b); + buffer_put_cstring(&b, orighost); buffer_put_int(&b, packet_get_connection_in()); /* send # of socket */ buffer_put_string(&b, data, datalen); msg_send(to[1], version, &b); Index: ssh-keysign.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/ssh-keysign.c,v retrieving revision 1.7 diff -u -r1.7 ssh-keysign.c --- ssh-keysign.c 3 Jul 2002 14:21:05 -0000 1.7 +++ ssh-keysign.c 16 Oct 2002 17:18:28 -0000 @@ -137,9 +137,9 @@ Options options; Key *keys[2], *key; struct passwd *pw; - int key_fd[2], i, found, version = 2, fd; + int key_fd[2], i, found, version = 3, fd; u_char *signature, *data; - char *host; + char *host, *remotehost; u_int slen, dlen; u_int32_t rnd[256]; 
@@ -153,15 +153,6 @@ log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0); #endif - /* verify that ssh-keysign is enabled by the admin */ - original_real_uid = getuid(); /* XXX readconf.c needs this */ - initialize_options(&options); - (void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options); - fill_default_options(&options); - if (options.hostbased_authentication != 1) - fatal("Hostbased authentication not enabled in %s", - _PATH_HOST_CONFIG_FILE); - if (key_fd[0] == -1 && key_fd[1] == -1) fatal("could not open any host key"); @@ -200,6 +191,18 @@ fatal("msg_recv failed"); if (buffer_get_char(&b) != version) fatal("bad version"); + + /* verify that ssh-keysign is enabled by the admin */ + remotehost = buffer_get_string(&b, NULL); + original_real_uid = getuid(); /* XXX readconf.c needs this */ + initialize_options(&options); + (void)read_config_file(_PATH_HOST_CONFIG_FILE, remotehost, &options); + fill_default_options(&options); + xfree(remotehost); + if (options.hostbased_authentication != 1) + fatal("Hostbased authentication not enabled in %s", + _PATH_HOST_CONFIG_FILE); + fd = buffer_get_int(&b); if ((fd == STDIN_FILENO) || (fd == STDOUT_FILENO)) fatal("bad fd"); From luc at suryo.com Thu Oct 17 03:27:06 2002 
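Review bot: in the ssh.c @@ -118 hunk, "char *orighost;" is the only declaration in this block without a comment, while the neighbouring host and hostaddr lines each carry one. Add a one-line comment stating that orighost is the host name as given on the command line, before any canonicalisation, so a reader of sshconnect2.c knows which form of the name ssh_keysign() will be sending.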
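Review bot: "orighost = host;" in the ssh.c @@ -503 hunk aliases the pointer rather than copying the string, so if host is later rewritten in place or reassigned before ssh_keysign() runs, orighost no longer holds what the user typed and the name in the variable is not "original" at all. "orighost = xstrdup(host);" makes the value independent of whatever happens to host afterwards.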
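Review bot: the "extern char *orighost; /* XXX */" in the sshconnect2.c @@ -51 hunk adds a second cross-file global for a single call site, and the XXX admits it. Passing the name down the ssh_keysign() call chain instead of reaching into ssh.c removes the hidden requirement that ssh.c must have set the global before any hostbased attempt, which is also what the "orighost == NULL" guard added later in this file is working around.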
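Review bot: in the sshconnect2.c @@ -904 hunk, "if (orighost == NULL) return -1;" fails silently, whereas the stat() failure two lines below logs error("ssh_keysign: no installed: ..."). Add a debug() or error() on that path so a failed hostbased attempt is diagnosable with -v. The same hunk bumps version from 2 to 3, which means a new ssh talking to an already installed older ssh-keysign dies with "bad version"; the commit message should say that both binaries have to be upgraded together.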
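Review bot: "buffer_put_cstring(&b, orighost);" in the sshconnect2.c @@ -945 hunk changes the request sent to ssh-keysign to version, host name, socket number, data, and ssh-keysign.c must read those fields in exactly that order. Put a comment next to msg_send() spelling out the field order; the two sides live in different files and nothing else ties them together.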
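Review bot: the ssh-keysign.c @@ -137 hunk hardcodes "version = 3" a second time (the first literal is in sshconnect2.c). Define the ssh/ssh-keysign protocol version once in a shared header and use it on both sides, so the two literals cannot drift apart on a later bump.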
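Review bot: the ssh-keysign.c @@ -153 hunk deletes the "verify that ssh-keysign is enabled by the admin" check from before key loading, so a setuid-root ssh-keysign that the admin has not enabled now opens the host keys, calls msg_recv() and parses the caller's message before it finds out that it should not be signing anything. Keep a cheap early exit here (for example, still refuse when no HostbasedAuthentication yes appears anywhere in the config) and do the per-host check later; that preserves the previous "disabled means exit before touching caller input" behaviour.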
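Review bot: in the ssh-keysign.c @@ -200 hunk, "remotehost = buffer_get_string(&b, NULL);" is supplied by the unprivileged caller and is then handed to read_config_file() to decide whether signing is permitted. A local user with a modified ssh client can send a name that matches the admin's Host pattern carrying HostbasedAuthentication yes while actually connecting elsewhere, so the per-host restriction does not hold against a hostile caller. Either derive the name from the connected socket (the fd arrives a few lines later) or document in the manual page that the Host-block restriction guards against misconfiguration, not against a malicious local user.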
From: luc at suryo.com (Luc I. Suryo) Date: Wed, 16 Oct 2002 12:27:06 -0500 Subject: ssh-keygen opens NULL filename In-Reply-To: References: <20021016161140.GA24989@nc1701.suryo.com> Message-ID: <20021016172706.GA25445@nc1701.suryo.com> > > I have no answer, but it works on my system, using Forte C: > > > > 11:07 nc1701[10005] ./ssh-keygen -t dsa -f /tmp/ssh_host_dsa_key -N "" > > Generating public/private dsa key pair. > > Your identification has been saved in /tmp/ssh_host_dsa_key. > > Your public key has been saved in /tmp/ssh_host_dsa_key.pub. > > The key fingerprint is: > > 64:11:a7:80:a3:ca:dd:06:a6:fe:b0:3b:b9:c3:53:c2 root at nc1701 > > Hi, > it also works for me if I omit the --with-kerberos4=/usr/athena configure > option. Or do you use kerberos4 as well? Which version? Oops, sorry, I do not use kerberos. :-) > > > bash-2.05b# ./ssh-keygen -t rsa -f /tmp/ssh_host_dsa_key -N "" > Generating public/private rsa key pair. > Your identification has been saved in /tmp/ssh_host_dsa_key. > Your public key has been saved in /tmp/ssh_host_dsa_key.pub. > The key fingerprint is: > a4:33:2b:d6:7d:3a:db:98:96:58:d3:c4:98:6c:0f:f5 root at pf-i400 > bash-2.05b# > > > [...] > time() = 1034786736 > getpid() = 1062 [1061] > getpid() = 1062 [1061] > stat64("/tmp/ssh_host_dsa_key", 0xEFFFF068) Err#2 ENOENT > open64("/tmp/ssh_host_dsa_key", O_WRONLY|O_CREAT|O_TRUNC, 0600) = 3 > fstat64(3, 0xEFFFD5A0) = 0 > ioctl(3, TCGETA, 0xEFFFD52C) Err#25 ENOTTY > brk(0x000D6068) = 0 > brk(0x000D8068) = 0 > write(3, " - - - - - B E G I N R".., 887) = 887 > close(3) = 0 > getpid() = 1062 [1061] > getpid() = 1062 [1061] > Your identification has been saved in /tmp/ssh_host_dsa_key. > write(1, " Y o u r i d e n t i f".., 61) = 61 > open64("/tmp/ssh_host_dsa_key.pub", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 3 > fstat64(3, 0xEFFFE108) = 0 > ioctl(3, TCGETA, 0xEFFFE094) Err#25 ENOTTY > write(3, " s s h - r s a A A A A".., 222) = 222 > close(3) = 0 > Your public key has been saved in /tmp/ssh_host_dsa_key.pub. 
> write(1, " Y o u r p u b l i c ".., 61) = 61 > The key fingerprint is: > write(1, " T h e k e y f i n g".., 24) = 24 > b9:b1:42:da:30:5b:06:27:0d:43:f9:a9:c2:30:6e:1c root at pf-i400 > write(1, " b 9 : b 1 : 4 2 : d a :".., 61) = 61 > llseek(0, 0, SEEK_CUR) = 714032 > _exit(0) > bash-2.05b# > > > > > 11:07 nc1701[10006] uname -a > > SunOS nc1701 5.8 Generic_108528-16 sun4u sparc SUNW,Ultra-30 > > > > Some differences are the OS (I use Solaris 8 and Martin's is Solaris 2.6) > > and the compiler we use, gcc vs Sun Forte C > --- End of mmokrejs at natur.cuni.cz's quote --- -- Kind regards, Luc Suryo From mmokrejs at natur.cuni.cz Thu Oct 17 03:35:40 2002 
From: mmokrejs at natur.cuni.cz (Martin MOKREJŠ) Date: Wed, 16 Oct 2002 19:35:40 +0200 (CEST) Subject: ssh-keygen opens NULL filename In-Reply-To: <20021016172706.GA25445@nc1701.suryo.com> Message-ID: On Wed, 16 Oct 2002, Luc I. Suryo wrote: > > > > I have no answer, but it works on my system, using Forte C: > > > > > > 11:07 nc1701[10005] ./ssh-keygen -t dsa -f /tmp/ssh_host_dsa_key -N "" > > > Generating public/private dsa key pair. > > > Your identification has been saved in /tmp/ssh_host_dsa_key. > > > Your public key has been saved in /tmp/ssh_host_dsa_key.pub. > > > The key fingerprint is: > > > 64:11:a7:80:a3:ca:dd:06:a6:fe:b0:3b:b9:c3:53:c2 root at nc1701 > > > > Hi, > > it also works for me if I omit the --with-kerberos4=/usr/athena configure > > option. Or do you use kerberos4 as well? Which version? > > Oops, sorry, I do not use kerberos. :-) But can you just download it, install the tree into /usr/athena (default) and compile with it? You can safely delete it later on. Thanks: wget ftp://ftp.pdc.kth.se/pub/krb/src/krb4-1.2.tar.gz gzip -dc krb4-1.2.tar.gz | tar xf - cd krb4-1.2 ./configure --with-readline --with-x \ --with-openssl=/usr/local/openssl --enable-rxkad --enable-shared make install cd ../openssh-3.5p1 ./configure --prefix=/usr/local --with-kerberos4=/usr/athena \ --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl --without-rsh \ --disable-suid-ssh --with-privsep --with-zlib --with-pam make ./ssh-keygen -t dsa -f /tmp/ssh_host_dsa_key -N "" cleanup: rm -rf /usr/athena Thanks. -- Martin Mokrejs , PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs MIPS / Institute for Bioinformatics GSF - National Research Center for Environment and Health Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany tel.: +49-89-3187 3683 , fax: +49-89-3187 3585 From Eric.Ladner at ChevronTexaco.com Thu Oct 17 04:20:32 2002 
From: Eric.Ladner at ChevronTexaco.com (Ladner, Eric (Eric.Ladner)) Date: Wed, 16 Oct 2002 13:20:32 -0500 Subject: scp Message-ID: <53D65D67C6AA694284F7584E25ADD3543334ED@nor935nte2k1.nor935.chevrontexaco.net> True, true, but that's another piece of software I have to install and maintain just to have that functionality enabled for the infrequent times that I do need to copy a tree from one server to another. Actually, my current workaround is like this to copy a tree: cd /some/tree; tar -cf - . | ssh remote_host "cd /some/other/tree; tar -xvf -" It works like a champ, but scp with link copy would be cleaner: scp -rp /some/tree/* remote_host:/some/other/tree Which is more intuitive? E -----Original Message----- From: Jim Knoble [mailto:jmknoble at pobox.com] Sent: Monday, October 14, 2002 3:26 PM To: openssh-unix-dev at mindrot.org Subject: Re: scp Circa 2002-10-14 14:25:22 -0500 dixit Ladner, Eric (Eric.Ladner): : Or to copy sym links as sym links and not the file they point to. You must mean rsync ( http://rsync.samba.org/ ). 'rsync -l' copies symlinks as symlinks, while 'rsync -a' copies device files, owners, permissions, and datestamps in addition. : -----Original Message----- : 
From: Douglas Boldt [mailto:doug at endai.com] : Sent: Saturday, October 12, 2002 3:52 PM : To: openssh-unix-dev at mindrot.org : Subject: scp : : I would absolutely love a flag in scp to ignore sym-links. Douglas, you'll probably get more mileage out of rsync than scp for doing this. If you merely don't want to copy symlinks because they take too much time to copy, then 'rsync -a' will handle that automatically; it doesn't copy something it doesn't have to. If, instead, you wish to exclude symlinks that point outside of the directory tree you're copying, use rsync's '--safe-links' option. If you really don't want to copy any symlinks, you'll need to wrap some scripting around 'find -type l' together with 'rsync -a --exclude-from='. Good luck to both of you. -- jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/ (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491) "I am non-refutable." --Enik the Altrusian From mouring at etoh.eviladmin.org Thu Oct 17 04:37:50 2002 
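The thread above contrasts scp (which copies the file a symlink points to) with rsync's -l and --safe-links. The security-relevant caveat is the one Jim hints at: a tree that contains a link to something outside it, such as a secret elsewhere on the box, is silently copied as a real file by scp -r. The following is an added example, not code from OpenSSH, rsync or any poster. It re-implements the rule that --safe-links is documented to apply (absolute targets are unsafe, and so are relative targets whose ".." components climb above the tree root) so that it can be run over the output of "find tree -type l" before copying. The sample link list is constructed for the example; the depth-counting walk is my reading of the rule, not rsync's code.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Classify a symlink found inside a tree that is about to be copied.
 *
 * link_path : path of the symlink relative to the tree root, e.g. "a/b/lnk"
 * target    : what readlink() returned for it
 *
 * Rule (same as rsync's --safe-links, re-implemented here, not its code):
 *  - an absolute target always leaves the tree;
 *  - a relative target leaves the tree if, walking its components from the
 *    link's own directory, a ".." ever steps above the tree root.
 */

/* Depth of the directory the link lives in: "a/b/lnk" -> 2, "lnk" -> 0.
 * A leading "./" component is ignored. */
static int link_depth(const char *link_path)
{
    int depth = 0;
    const char *p = link_path;
    while (*p) {
        const char *end = strchr(p, '/');
        if (!end)
            break;                          /* last component is the link itself */
        size_t len = (size_t)(end - p);
        if (len > 0 && !(len == 1 && p[0] == '.'))
            depth++;
        p = end + 1;
    }
    return depth;
}

bool symlink_is_safe(const char *link_path, const char *target)
{
    if (target[0] == '/')
        return false;                       /* absolute: always outside the tree */

    int depth = link_depth(link_path);
    const char *p = target;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return false;               /* climbed above the tree root */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                        /* ordinary component goes one level down */
        }
        if (!end)
            break;
        p = end + 1;
    }
    return true;
}

struct link_entry { const char *path; const char *target; };

/* Constructed sample, as "find tree -type l" plus readlink might report it. */
const struct link_entry sample_links[] = {
    { "bin/sh",          "bash" },
    { "etc/motd",        "../share/motd" },
    { "etc/shadow",      "/etc/shadow" },                  /* scp -r would copy the real file */
    { "home/u/.ssh/cfg", "../../../../root/.ssh/config" }, /* climbs out of the tree */
};

/* Number of links in the list that escape the tree. */
size_t count_unsafe(const struct link_entry *e, size_t n)
{
    size_t unsafe = 0;
    for (size_t i = 0; i < n; i++)
        if (!symlink_is_safe(e[i].path, e[i].target))
            unsafe++;
    return unsafe;
}

int main(void)
{
    size_t n = sizeof sample_links / sizeof sample_links[0];
    for (size_t i = 0; i < n; i++)
        printf("%-18s -> %-32s %s\n", sample_links[i].path, sample_links[i].target,
               symlink_is_safe(sample_links[i].path, sample_links[i].target)
               ? "safe" : "UNSAFE (points outside the tree)");
    return 0;
}
```

Links reported as UNSAFE are the ones to drop from the copy (or to pass to an exclude list); the check only looks at the link text, so a link to a path that is itself a symlink elsewhere is not resolved, which is the same limitation --safe-links has.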
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 16 Oct 2002 13:37:50 -0500 (CDT) Subject: ssh-keygen opens NULL filename In-Reply-To: Message-ID: On Wed, 16 Oct 2002, [iso-8859-2] Martin MOKREJŠ wrote: > Hi, > I did a few checks and as I'm not a C programmer at all, have just a few > points regarding ssh-keygen.c: > > 905 if (strstr(identity_file, dotsshdir) != NULL && > > isn't the above line missing a closing bracket? It does: if (strstr(identity_file, dotsshdir) != NULL && stat(dotsshdir, &st) < 0) { C does not require it to be on the same line. > Could someone just have a look at the gdb output at: > http://www.natur.cuni.cz/~mmokrejs/openssh-3.5p1/ ? Thanks. > In one of them, I also pointed out: > > 956 snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname); > > -----------------------------------------------^ sizeof(comment) instead? > There is nothing wrong with snprintf(xx, sizeof xx, "..", ..). If there was then 60% of the world's code would fail.=) > The identity_file variable contents somehow change over time, isn't that > my problem? Same with hostname for example. > Looks like something is corrupting the stack according to your traces with gdb. What would be helpful is if you could check more often between your first 'p identity_file' and the one that shows the corrupted version. So it can narrow down the code. - Ben From smoogen at lanl.gov Thu Oct 17 05:03:31 2002 
From: smoogen at lanl.gov (Stephen Smoogen) Date: 16 Oct 2002 13:03:31 -0600 Subject: ssh-3.5p1 core dumps on Solaris 2.6 In-Reply-To: References: Message-ID: <1034795011.19786.279.camel@smoogen1.lanl.gov> You may want to upgrade to later versions. I have seen several problems with the 3.0 compilers that were fixed in the 3.2 series. On Wed, 2002-10-16 at 07:35, Martin MOKREJŠ wrote: > I used gcc version 3.0.4 > > > -- > Martin Mokrejs , > PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs > MIPS / Institute for Bioinformatics > GSF - National Research Center for Environment and Health > Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany > tel.: +49-89-3187 3683 , fax: +49-89-3187 3585 > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > -- Stephen John Smoogen smoogen at lanl.gov Los Alamos National Labrador CCN-2 B-Schedule PH: Ta-03 SM-261 MailStop P208 DP 17U Los Alamos, NM 87545 From mmokrejs at natur.cuni.cz Thu Oct 17 05:06:10 2002 From: mmokrejs at natur.cuni.cz (=?iso-8859-2?Q?Martin_MOKREJ=A9?=) Date: Wed, 16 Oct 2002 21:06:10 +0200 (CEST) Subject: ssh-3.5p1 core dumps on Solaris 2.6 In-Reply-To: <1034795011.19786.279.camel@smoogen1.lanl.gov> Message-ID: On 16 Oct 2002, Stephen Smoogen wrote: Unfortunately, I'm not able to compile gcc-3.2 because of some compile errors. I've filed bug reports, but no responses. But apps work when compiled with 3.0.4. Why do you think it is a gcc error? > You may want to upgrade to later versions. I have seen several problems > with the 3.0 compilers that were fixed in the 3.2 series. -- Martin Mokrejs , PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs MIPS / Institute for Bioinformatics GSF - National Research Center for Environment and Health Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany tel.: +49-89-3187 3683 , fax: +49-89-3187 3585 From tim at multitalents.net Thu Oct 17 05:45:57 2002 
From: tim at multitalents.net (Tim Rice) Date: Wed, 16 Oct 2002 12:45:57 -0700 (PDT) Subject: ssh-keygen opens NULL filename In-Reply-To: Message-ID: On Wed, 16 Oct 2002, [iso-8859-2] Martin MOKREJŠ wrote: > Hi, > I did a few checks and as I'm not a C programmer at all, have just a few > points regarding ssh-keygen.c: > > 905 if (strstr(identity_file, dotsshdir) != NULL && > > isn't the above line missing a closing bracket? The closing bracket is on the next line if (strstr(identity_file, dotsshdir) != NULL && stat(dotsshdir, &st) < 0) { ^-- here it is. > > 956 snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname); > > -----------------------------------------------^ sizeof(comment) instead? According to "C A Reference Manual" third edition, sizeof-expression: sizeof ( type-name ) sizeof unary-expression The sizeof expression has two forms: the operator sizeof followed by a parenthesized type name, or the operator sizeof followed by an operand expression. The compiler is probably able to figure it out. Seems like we would want to be consistent though. It looks like there are 772 other lines spread through 33 files that use sizeof without parens. > > > The identity_file variable contents somehow change over time, isn't that > my problem? Same with hostname for example. > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From mmokrejs at natur.cuni.cz Thu Oct 17 06:05:40 2002 
From: mmokrejs at natur.cuni.cz (=?iso-8859-2?Q?Martin_MOKREJ=A9?=) Date: Wed, 16 Oct 2002 22:05:40 +0200 (CEST) Subject: ssh-keygen opens NULL filename In-Reply-To: Message-ID: On Wed, 16 Oct 2002, Tim Rice wrote: > On Wed, 16 Oct 2002, [iso-8859-2] Martin MOKREJŠ wrote: > > > Hi, > > I did a few checks and as I'm not a C programmer at all, have just a few > > points regarding ssh-keygen.c: > > > > 905 if (strstr(identity_file, dotsshdir) != NULL && > > > > isn't the above line missing a closing bracket? > > The closing bracket is on the next line > if (strstr(identity_file, dotsshdir) != NULL && > stat(dotsshdir, &st) < 0) { > ^-- here it is. Ah, fine, I was just fooled by the gdb output. ;( > > > > > 956 snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname); > > > > -----------------------------------------------^ sizeof(comment) instead? > > According to "C A Reference Manual" third edition, > sizeof-expression: > sizeof ( type-name ) > sizeof unary-expression > The sizeof expression has two forms: the operator sizeof followed by a > parenthesized type name, or the operator sizeof followed by an > operand expression. > > The compiler is probably able to figure it out. > Seems like we would want to be consistent though. > It looks like there are 772 other lines spread through 33 files that > use sizeof without parens. Well, I did not say it doesn't work. If you think it's fine, then it's fine. I'm really not a programmer. Thanks for the explanation! -- Martin Mokrejs , PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs MIPS / Institute for Bioinformatics GSF - National Research Center for Environment and Health Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany tel.: +49-89-3187 3683 , fax: +49-89-3187 3585 From Frank.Beckmann at vodafone.com Thu Oct 17 06:36:21 2002 
From: Frank.Beckmann at vodafone.com (Frank Beckmann) Date: Wed, 16 Oct 2002 22:36:21 +0200 Subject: SSH Bug 3.5p1 Expired Passwords References: <3DAD6781.40808@vodafone.com> <3DAD72E2.A237A41F@zip.com.au> Message-ID: <3DADCDC5.8080202@vodafone.com> Hello, thank you for your fast answer. I have changed auth-pam.c. Now SSH accepts expired users, and in the following login procedure the user can change the password :-) OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090605f debug1: Reading configuration data /home/fbeckman/.ssh/config debug1: Reading configuration data /etc/ssh_config debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: restore_uid debug1: ssh_connect: getuid 34771 geteuid 0 anon 1 debug1: Connecting to webmann [139.7.180.69] port 22. debug1: temporarily_use_uid: 34771/13000 (e=0) debug1: restore_uid debug1: temporarily_use_uid: 34771/13000 (e=0) debug1: restore_uid debug1: Connection established. debug1: identity file /home/fbeckman/.ssh/identity type 0 debug1: identity file /home/fbeckman/.ssh/id_rsa type 1 debug1: identity file /home/fbeckman/.ssh/id_dsa type -1 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1 debug1: match: OpenSSH_3.5p1 pat OpenSSH* debug1: Local version string SSH-1.5-OpenSSH_3.1p1 debug1: Waiting for server public key. debug1: Received server public key (768 bits) and host key (1024 bits). debug1: Host 'webmann' is known and matches the RSA1 host key. debug1: Found key in /home/fbeckman/.ssh/known_hosts:8 debug1: Encryption type: blowfish debug1: Sent encrypted session key. debug1: Installing crc compensation attack detector. debug1: Received encrypted confirmation. debug1: Trying RSA authentication with key '/home/fbeckman/.ssh/identity' debug1: Received RSA challenge from server. debug1: Sending response to host key RSA challenge. debug1: Remote: RSA authentication accepted. debug1: RSA authentication accepted by server. debug1: Requesting pty. 
debug1: fd 4 setting TCP_NODELAY debug1: Requesting shell. debug1: Entering interactive session. Warning: Your password has expired, please change it now. Enter login password: New password: Re-enter new password: sshd (SYSTEM): passwd successfully changed for fbeckman ----------------------------------------------------------------------- Another thing: we changed the source of session.c, because ssh is identified by PAM (Solaris) as telnet. Org session.c -----snip------
/* Launch login(1). */
execl(LOGIN_PROGRAM, "login", "-h", hostname,
#ifdef xxxLOGIN_NEEDS_TERM
    (s->term ? s->term : "unknown"),
#endif /* LOGIN_NEEDS_TERM */
#ifdef LOGIN_NO_ENDOPT
    "-p", "-f", pw->pw_name, (char *)NULL);
#else
    "-p", "-f", "--", pw->pw_name, (char *)NULL);
#endif
/* Login couldn't be executed, die. */
perror("login");
exit(1);
}
-------snip------ New session.c ----snip ---
/* Launch login(1). */
execl(LOGIN_PROGRAM, "login",
#ifdef LOGIN_NO_ENDOPT
    "-p", "-f", pw->pw_name, (char *)NULL);
#else
    "-p", "-f", "--", pw->pw_name, (char *)NULL);
#endif
/* Login couldn't be executed, die. */
perror("login");
exit(1);
}
-----snip----- Now ssh is identified correctly in our PAM application (shared lib). Greetings Frank Darren Tucker wrote: > Frank Beckmann wrote: > >>in the new OpenSSH 3.5p1 is the same bug as in 3.4p1 :-( >>When a user tries to log in with an expired password, SSH denies access to the system > > > In pam-auth.c, change > > #if 0 > case PAM_NEW_AUTHTOK_REQD: > > to > > #if 1 > case PAM_NEW_AUTHTOK_REQD: > > and set "UsePrivilegeSeparation no" in sshd_config. > > People have reported mixed success, so your mileage may vary. > > Let the list know how it goes; one of the reasons this isn't enabled in > 3.5p1 is lack of testing. > -- Frank Beckmann Abt. TOIU Tel: 0211 533-5758 Fax: 0211 533-1451 Mail Frank.Beckmann at vodafone.com From mho at mho.nu Thu Oct 17 09:19:26 2002 
From: mho at mho.nu (mho) Date: Thu, 17 Oct 2002 01:19:26 +0200 Subject: ssh-keygen (+kerberos +afs) opens NULL filename In-Reply-To: Message from Martin MOKREJŠ of "Wed, 16 Oct 2002 16:42:33 +0200." Message-ID: <200210162322.g9GNMLX09848@mho.nu> In message , Martin MOKREJŠ writes: >Just tried kerberos without afs and it still crashes. So, --with-kerberos4 >is the cause. Once more - KTH KRB4-1.2 from >ftp://ftp.pdc.kth.se/pub/krb4/src What OpenSSL version are you using, and how is it compiled? (I think I saw similar things a while ago when I had tried to compile a 64-bit OpenSSL). Is the OpenSSL compiled with the same compiler you are using for OpenSSH? Is your krb4-1.2 linked against OpenSSL? - mho (Who is currently at the stage (on sun4x_58) where ssh protocol 1 seems to work OK with krb5 tickets but proto 2 does strange things with KRB5CCNAME and requires password/key to log in:-)) From bugzilla-daemon at mindrot.org Thu Oct 17 12:23:35 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 17 Oct 2002 12:23:35 +1000 (EST) Subject: [Bug 415] New: Result Codes ala FTP Message-ID: <20021017022335.D091C3D1BB@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=415 Summary: Result Codes ala FTP Product: Portable OpenSSH Version: -current Platform: All OS/Version: Linux Status: NEW Severity: enhancement Priority: P2 Component: sftp AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: jnerad at bellsouth.net If there is no reason for not returning result codes like ftp does, could sftp return similar codes? e.g. sftp now returns simply the results. sftp> pwd /home/tshandy could it be made to behave like ftp: ftp> pwd 257 "/home/tshandy" is current directory. ? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From mmokrejs at natur.cuni.cz Thu Oct 17 18:05:15 2002 
From: mmokrejs at natur.cuni.cz (=?iso-8859-2?Q?Martin_MOKREJ=A9?=) Date: Thu, 17 Oct 2002 10:05:15 +0200 (CEST) Subject: ssh-keygen (+kerberos +afs) opens NULL filename In-Reply-To: <200210162322.g9GNMLX09848@mho.nu> Message-ID: On Thu, 17 Oct 2002, mho wrote: > In message , Martin MOKREJŠ writes: > > >Just tried kerberos without afs and it still crashes. So, --with-kerberos4 > >is the cause. Once more - KTH KRB4-1.2 from > >ftp://ftp.pdc.kth.se/pub/krb4/src > > What OpenSSL version are you using, and how is it compiled? The binary was installed on Sep 25, I think it is actually openssl-0.9.6-stable-SNAP-20020914.tar.gz. I know that some snapshots failed in the "make test" step. I posted an email to some openssl devel/bugs list, but no replies so far. The version which I installed is the one which passed the tests. And I think it is the openssl-0.9.6-stable-SNAP-20020914.tar.gz file. When running configure for openssh-3.5p1 I get: checking OpenSSL header version... 906080 (OpenSSL 0.9.6h-dev xx XXX xxxx) checking OpenSSL library version... 906080 (OpenSSL 0.9.6h-dev xx XXX xxxx) checking whether OpenSSL's headers match the library... yes checking whether OpenSSL's PRNG is internally seeded... 
yes OpenSSH has been configured with the following options: User binaries: /usr/local/bin System binaries: /usr/local/sbin Configuration files: /usr/local/etc Askpass program: /usr/local/libexec/ssh-askpass Manual pages: /usr/local/man/manX PID file: /var/run Privilege separation chroot path: /var/empty sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin Manpage format: man PAM support: yes KerberosIV support: yes KerberosV support: no Smartcard support: no AFS support: yes S/KEY support: no TCP Wrappers support: yes MD5 password support: no IP address in $DISPLAY hack: no Use IPv4 by default hack: no Translate v4 in v6 hack: no BSD Auth support: no Random number source: OpenSSL internal ONLY Host: sparc-sun-solaris2.6 Compiler: gcc Compiler flags: -I/software/@sys/usr/include -I/software/@sys/usr/include/ncurses -I/software/@sys/usr/openssl/include -Wall -Wpointer-arith -Wno-uninitialized Preprocessor flags: -I/software/@sys/usr/openssl/include -Iyes -I/software/@sys/usr/include -I/software/@sys/usr/include/ncurses -I/software/@sys/usr/openssl/include -I/usr/local/include -I/usr/athena/include -I/usr/afsws/include Linker flags: -L/software/@sys/usr/openssl/lib -R/software/@sys/usr/openssl/lib -Lyes -Ryes -L/usr/local/lib -R/usr/local/lib -L/usr/athena/lib -R/usr/athena/lib -L/usr/afsws/lib Libraries: -lwrap -lpam -ldl -lkafs -lresolv -ldes -lkrb -lz -lsocket -lnsl -L/usr/local/lib -L/software/@sys/usr/lib -L/software/@sys/usr/openssl/lib -L/usr/lib -lcrypto -ldes PAM is enabled. You may need to install a PAM control file for sshd, otherwise password authentication may fail. Example PAM control files can be found in the contrib/ subdirectory > (I think I saw similar things a while ago when I had tried to > compile a 64-bit OpenSSL). > > Is the OpenSSL compiled with the same compiler you are using for > OpenSSH? Yes, as I reinstalled /usr/local (actually moved most of the stuff to /afs/@sys tree). I use gcc-3.0.4, self compiled on this machine. 
> > Is your krb4-1.2 linked against OpenSSL? Yes, and against exactly the same one. > (Who is currently at the stage (on sun4x_58) where ssh protocol 1 > seems to work OK with krb5 tickets but proto 2 does strange things > with KRB5CCNAME and requires password/key to log in:-)) Ask Jan Iven, who wrote some patches for openssh. ;) > -- Martin Mokrejs , PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs MIPS / Institute for Bioinformatics GSF - National Research Center for Environment and Health Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany tel.: +49-89-3187 3683 , fax: +49-89-3187 3585 From b.courtin at t-online.net Thu Oct 17 18:06:08 2002 From: b.courtin at t-online.net (Courtin Bert) Date: Thu, 17 Oct 2002 10:06:08 +0200 Subject: [Bug 413] New: Port forwarding: [localhost:]localport:remotehost:remoteport Message-ID: <60F1F87A64834D45A1EBAE9618305FB86ECDF4@qeo00200> Hi, I would be glad if a feature/enhancement like this were available. More than once it would have saved me lots of time and headaches. E.g. the following scenario: On a web server with 2 external IPs where both VHs are listening on port 80 (and this could not be changed), the requests for one of them should be temporarily routed to another server. With port forwarding for port 80 this is not possible, as PF on port 80 is done for both/all IPs on port 80. This is just one scenario and I think a feature as requested would not only be an enhancement regarding security issues. Kind regards, B. Courtin P.S.: As far as I understand PF, port forwarding is always done for/on all local IPs; the option "-g" only allows remote hosts to connect to these forwarded ports. -- -g Allows remote hosts to connect to local forwarded ports. -- > -----Original Message----- 
> From: bugzilla-daemon at mindrot.org [mailto:bugzilla-daemon at mindrot.org] > Sent: Friday, October 11, 2002 10:00 AM > To: openssh-unix-dev at mindrot.org > Subject: [Bug 413] New: Port forwarding: > [localhost:]localport:remotehost:remoteport > > > http://bugzilla.mindrot.org/show_bug.cgi?id=413 > > Summary: Port forwarding: > [localhost:]localport:remotehost:remoteport > Product: Portable OpenSSH > Version: older versions > Platform: All > OS/Version: All > Status: NEW > Severity: enhancement > Priority: P2 > Component: ssh > AssignedTo: openssh-unix-dev at mindrot.org > ReportedBy: rafal.mantiuk at bellstream.pl > > > At the moment ssh port forwarding can open a socket for > listening only on > localhost or all interfaces (-g option). In case of multi-IP > servers it would > be useful if there was a way to specify exactly what > interfaces/IPs ssh > forwarding should bind to. The command line could be like: > > ssh -L [localhost:]localport:remotehost:remoteport login at host > > where [] - indicates optional parameter. localhost is the > interface to be used > for opening a socket (i.e. should be passed as a > 'node' parameter > to getaddrinfo() in channel.c:channel_setup_fwd_listener). > The other parameters > are the same as in the current ssh implementation. > > For example: > ssh -N -L 192.168.0.2:139:somehost:139 > could be used to forward Samba packets only on the interface > 192.168.0.2. > Another interface on the same server - e.g. 192.168.0.1 - > could be used to host > a local samba server. > > > > ------- You are receiving this mail because: ------- > You are the assignee for the bug, or are watching the assignee. > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From bugzilla-daemon at mindrot.org Thu Oct 17 18:36:48 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 17 Oct 2002 18:36:48 +1000 (EST) Subject: [Bug 207] Connect timeout patch Message-ID: <20021017083648.B45643D200@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=207 ------- Additional Comments From jclonguet at free.fr 2002-10-17 18:36 ------- Created an attachment (id=154) --> (http://bugzilla.mindrot.org/attachment.cgi?id=154&action=view) Patch for OpenSSH-3.5p1 ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From jclonguet at free.fr Thu Oct 17 20:44:27 2002 From: jclonguet at free.fr (Jean-Charles Longuet) Date: Thu, 17 Oct 2002 12:44:27 +0200 Subject: [PATCH] connect() timeout for OpenSSH-3.5p1 Message-ID: <3DAE948B.8F5304A9@free.fr> Here is the version of this patch for the latest portable version of OpenSSH (3.5p1), as it is not included in the main tree. The patch avoids waiting too long when using ssh() or scp() on a down host; it is useful when you have to update many hosts via rsync or rdist, which themselves rely upon ssh(). It enables a new option 'ConnectTimeout' to control the exact timeout value, so that it can be used even on slow links. These patches can also be found on http://charts.free.fr/ If you think this patch is worth including in the main tree, then you can vote for it on http://bugzilla.mindrot.org/showvotes.cgi?voteon=207 but this requires a login. You can also just browse the case at http://bugzilla.mindrot.org/show_bug.cgi?id=207 Hope this patch helps you. -- Jean-Charles -------------- next part -------------- --- openssh-3.5p1/readconf.c.ORIG Tue Jul 9 16:06:40 2002 +++ openssh-3.5p1/readconf.c Wed Oct 16 14:59:12 2002 
@@ -114,7 +114,7 @@ oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, oHostKeyAlgorithms, oBindAddress, oSmartcardDevice, oClearAllForwardings, oNoHostAuthenticationForLocalhost, - oDeprecated + oConnectTimeout, oDeprecated } OpCodes; /* Textual representations of the tokens. */ @@ -186,6 +186,7 @@ { "smartcarddevice", oSmartcardDevice }, { "clearallforwardings", oClearAllForwardings }, { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost }, + { "connecttimeout", oConnectTimeout }, { NULL, oBadOption } }; @@ -293,6 +294,18 @@ /* don't panic, but count bad options */ return -1; /* NOTREACHED */ + case oConnectTimeout: + intptr = &options->connection_timeout; +parse_time: + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing time argument.", filename, linenum); + if ((value = convtime(arg)) == -1) + fatal("%.200s line %d: Invalid time argument.", filename, linenum); + if (*intptr == -1) + *intptr = value; + break; + case oForwardAgent: intptr = &options->forward_agent; parse_flag: @@ -769,6 +782,7 @@ options->compression_level = -1; options->port = -1; options->connection_attempts = -1; + options->connection_timeout = -1; options->number_of_password_prompts = -1; options->cipher = -1; options->ciphers = NULL; --- openssh-3.5p1/readconf.h.ORIG Sun Jun 9 22:04:03 2002 +++ openssh-3.5p1/readconf.h Wed Oct 16 14:59:12 2002 @@ -66,6 +66,8 @@ int port; /* Port to connect. */ int connection_attempts; /* Max attempts (seconds) before * giving up */ + int connection_timeout; /* Max time (seconds) before + * aborting connection attempt */ int number_of_password_prompts; /* Max number of password * prompts. */ int cipher; /* Cipher to use. */ --- openssh-3.5p1/ssh.c.ORIG Thu Sep 19 04:05:04 2002 +++ openssh-3.5p1/ssh.c Wed Oct 16 14:59:12 2002 
@@ -616,7 +616,7 @@ /* Open a connection to the remote host. */ if (ssh_connect(host, &hostaddr, options.port, IPv4or6, - options.connection_attempts, + options.connection_attempts, options.connection_timeout, #ifdef HAVE_CYGWIN options.use_privileged_port, #else --- openssh-3.5p1/ssh_config.0.ORIG Fri Oct 4 03:31:47 2002 +++ openssh-3.5p1/ssh_config.0 Wed Oct 16 14:59:12 2002 @@ -112,6 +112,13 @@ exiting. The argument must be an integer. This may be useful in scripts if the connection sometimes fails. The default is 1. + ConnectTimeout + Specifies the timeout used when connecting to the ssh server, + instead of using default system values. This value is used only + when the target is down or really unreachable, not when it refuses + the connection. This may be usefull for tools using ssh for + communication, as it avoid long TCP timeouts. + DynamicForward Specifies that a TCP/IP port on the local machine be forwarded over the secure channel, and the application protocol is then --- openssh-3.5p1/ssh_config.5.ORIG Wed Sep 4 08:51:05 2002 +++ openssh-3.5p1/ssh_config.5 Wed Oct 16 14:59:12 2002 @@ -226,6 +226,12 @@ The argument must be an integer. This may be useful in scripts if the connection sometimes fails. The default is 1. +.It Cm ConnectTimeout +Specifies the timeout used when connecting to the ssh +server, instead of using default system values. This value is used +only when the target is down or really unreachable, not when it +refuses the connection. This may be usefull for tools using ssh +for communication, as it avoid long TCP timeouts. .It Cm DynamicForward Specifies that a TCP/IP port on the local machine be forwarded over the secure channel, and the application --- openssh-3.5p1/sshconnect.c.ORIG Thu Sep 19 04:05:04 2002 +++ openssh-3.5p1/sshconnect.c Wed Oct 16 14:59:12 2002 
@@ -212,6 +212,61 @@ return sock; } +int +timeout_connect(int sockfd, const struct sockaddr *serv_addr, + socklen_t addrlen, int timeout) +{ + fd_set *fdset; + struct timeval tv; + socklen_t optlen; + int fdsetsz, optval, rc; + + if (timeout <= 0) + return(connect(sockfd, serv_addr, addrlen)); + + if (fcntl(sockfd, F_SETFL, O_NONBLOCK) < 0) + return -1; + + rc = connect(sockfd, serv_addr, addrlen); + if (rc == 0) + return 0; + if (errno != EINPROGRESS) + return -1; + + fdsetsz = howmany(sockfd+1, NFDBITS) * sizeof(fd_mask); + fdset = (fd_set *)xmalloc(fdsetsz); + memset(fdset, 0, fdsetsz); + FD_SET(sockfd, fdset); + tv.tv_sec = timeout; + tv.tv_usec = 0; + rc=select(sockfd+1, NULL, fdset, NULL, &tv); + + switch(rc) { + case 0: + errno = ETIMEDOUT; + case -1: + return -1; + break; + case 1: + optval = 0; + optlen = sizeof(optval); + if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval, &optlen) == -1) + return -1; + if (optval != 0) + { + errno = optval; + return -1; + } + return 0; + + default: + /* Should not occur */ + return -1; + break; + } + return -1; +} + /* * Opens a TCP/IP connection to the remote server on the given host. * The address of the remote host will be returned in hostaddr. @@ -231,7 +286,7 @@ */ int ssh_connect(const char *host, struct sockaddr_storage * hostaddr, - u_short port, int family, int connection_attempts, + u_short port, int family, int connection_attempts, int connection_timeout, int needpriv, const char *proxy_command) { int gaierr; @@ -300,7 +355,8 @@ /* Any error is already output */ continue; - if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) { + if (timeout_connect(sock, ai->ai_addr, ai->ai_addrlen, + connection_timeout) >= 0) { /* Successful connection. */ memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen); break; --- openssh-3.5p1/sshconnect.h.ORIG Fri Jun 21 02:41:53 2002 +++ openssh-3.5p1/sshconnect.h Wed Oct 16 14:59:12 2002 
@@ -35,7 +35,7 @@ int ssh_connect(const char *, struct sockaddr_storage *, u_short, int, int, - int, const char *); + int, int, const char *); void ssh_login(Sensitive *, const char *, struct sockaddr *, struct passwd *); From jan.iven at cern.ch Thu Oct 17 20:50:09 2002 From: jan.iven at cern.ch (Jan Iven) Date: 17 Oct 2002 12:50:09 +0200 Subject: ssh-keygen (+kerberos +afs) opens NULL filename In-Reply-To: References: Message-ID: >>>>> "MM" == Martin MOKREJ? writes: >> (Who is currently at the stage (on sun4x_58) where ssh protocol 1 >> seems to work OK with krb5 tickets but proto 2 does strange things >> with KRB5CCNAME and requires password/key to log in:-)) MM> Ask Jan Iven, who wrote some patches for openssh. ;) Not for Kerberos5 in SSH-2, not me.. I think Simon Wilkinson did work on this, see http://www.sxw.org.uk/computing/patches/openssh.html Regards Jan From bugzilla-daemon at mindrot.org Thu Oct 17 23:46:52 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 17 Oct 2002 23:46:52 +1000 (EST) Subject: [Bug 415] Result Codes ala FTP Message-ID: <20021017134652.324393D165@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=415 markus at openbsd.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WONTFIX ------- Additional Comments From markus at openbsd.org 2002-10-17 23:46 ------- i don't think the ftp response codes should be dragged into sftp. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From petronio at agro.uba.ar Fri Oct 18 01:40:00 2002 
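Review bot: in the readconf.c hunk, the `parse_time:` label inside the new `case oConnectTimeout:` has no `goto` that targets it, so as written it only earns an unused-label warning; drop it until a second time-valued option actually jumps there. The `if (*intptr == -1) *intptr = value;` guard is right (first setting wins, like the other options), but nothing records that a value of 0 disables the timeout, which is what timeout_connect() does with `timeout <= 0`; a one-line comment here would save the next reader a trip through sshconnect.c.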
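Review bot: the ssh_config.0 hunk edits a generated file: the .0 catman pages in the portable tree are produced from the .5 sources, so a hand edit here will be overwritten or will conflict the next time they are regenerated. Keep the ssh_config.5 change and drop this hunk (or regenerate the .0 from the patched .5).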
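Review bot: the ssh_config.5 text has two typos ('usefull' and 'it avoid' should read 'useful' and 'it avoids') and leaves out what a reader needs most: the unit and the default. The value goes through convtime(), so it is a time in seconds (the usual s/m/h suffixes also work), and since connection_timeout is initialised to -1 and never given a default, the effective default is the system's own TCP connect timeout. Suggest closing the paragraph with: 'The argument is a time in seconds. The default is to use the system TCP timeout.'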
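Review bot: timeout_connect() in the sshconnect.c hunk never restores the descriptor's flags: `fcntl(sockfd, F_SETFL, O_NONBLOCK)` both throws away whatever flags the socket had and leaves it non-blocking on every return path, the successful one included, so the socket handed back to ssh_connect() stays non-blocking for everything done on it afterwards, which nothing else in this patch accounts for. Save `flags = fcntl(sockfd, F_GETFL, 0)`, set `flags | O_NONBLOCK`, and restore `flags` before each return, preserving errno across that restore. Three smaller points in the same function: the xmalloc()'d fdset is never freed on any path; `case 0: errno = ETIMEDOUT;` falling into `case -1:` is intended but deserves a `/* FALLTHROUGH */` comment (and the `break` after `return -1` is dead code); and select() is not retried on EINTR, so a signal during the wait is reported as a connect failure. The function is only called from this file, so it should be `static` as well.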
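Bug 413 above asks for a forwarded-port listener bound to one chosen interface instead of loopback-or-everything, and the ConnectTimeout patch above wraps connect() in a timeout; both come down to a handful of socket calls that are easy to get subtly wrong. The C below is an added example written for this page, not code from OpenSSH or from either submitter: fwd_listen() binds a local-forward listener with the semantics bug 413 proposes (NULL keeps today's loopback/-g behaviour, "*" means every interface, anything else is that address only), and timeout_connect() is a connect-with-timeout that fixes the points raised in the review notes on the patch (flags saved and restored, SO_ERROR consulted, EINTR retried, nothing leaked). It is IPv4-only to keep it short, every function name is this example's own, and bound_port() and dial_loopback() exist so the pair can be exercised against a loopback listener with no network at all.

```c
/* Added example for this page, not OpenSSH code. IPv4 only; all names here
 * are the example's own. */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <poll.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <string.h>
#include <unistd.h>

/* Listener for a local forward with the bind-address semantics of bug 413:
 * NULL = loopback, or every interface if gateway_ports (the -g behaviour);
 * "*" = every interface; anything else = that address only. In ssh this
 * string would be the node argument to getaddrinfo(). Port 0 lets the
 * kernel choose. Returns the listening fd, or -1 with errno set. */
int fwd_listen(const char *bind_addr, unsigned short port, int gateway_ports)
{
	struct sockaddr_in sin;
	int fd, saved;

	memset(&sin, 0, sizeof sin);
	sin.sin_family = AF_INET;
	sin.sin_port = htons(port);
	if (bind_addr == NULL)
		bind_addr = gateway_ports ? "*" : "127.0.0.1";
	if (strcmp(bind_addr, "*") == 0)
		sin.sin_addr.s_addr = htonl(INADDR_ANY);
	else if (inet_pton(AF_INET, bind_addr, &sin.sin_addr) != 1) {
		errno = EINVAL;	/* not a dotted quad: refuse, don't guess */
		return -1;
	}
	if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
		return -1;
	if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 16) < 0) {
		saved = errno;	/* close() must not hide why bind failed */
		close(fd);
		errno = saved;
		return -1;
	}
	return fd;
}

/* The port a listener actually got (needed after asking for port 0). */
int bound_port(int fd)
{
	struct sockaddr_in sin;
	socklen_t len = sizeof sin;

	if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0)
		return -1;
	return ntohs(sin.sin_port);
}

/* connect() that gives up after `timeout` seconds (timeout <= 0 is a plain
 * blocking connect, as in the patch). The descriptor's flags are saved and
 * restored, so the caller always gets its socket back in blocking mode, and
 * errno explains any -1 (ETIMEDOUT, ECONNREFUSED, ...). */
int timeout_connect(int fd, const struct sockaddr *sa, socklen_t salen, int timeout)
{
	struct pollfd pfd = { fd, POLLOUT, 0 };
	socklen_t errlen = sizeof(int);
	int flags, rc, err = 0, ms;

	if (timeout <= 0)
		return connect(fd, sa, salen);
	if ((flags = fcntl(fd, F_GETFL, 0)) < 0 ||
	    fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0)
		return -1;
	rc = connect(fd, sa, salen);
	if (rc < 0 && errno == EINPROGRESS) {
		ms = timeout > INT_MAX / 1000 ? INT_MAX : timeout * 1000;
		do	/* a signal during the wait is not a connect failure */
			rc = poll(&pfd, 1, ms);
		while (rc < 0 && errno == EINTR);
		if (rc == 0)
			err = ETIMEDOUT;
		else if (rc < 0)
			err = errno;
		/* writable means finished, not succeeded: ask for the real result */
		else if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &errlen) < 0)
			err = errno;
		rc = err == 0 ? 0 : -1;
	} else if (rc < 0)
		err = errno;
	(void)fcntl(fd, F_SETFL, flags);	/* hand back a blocking socket */
	errno = err;
	return rc;
}

/* Dial 127.0.0.1:port on a fresh socket: 0 on success, -1 on failure with
 * errno copied to *err_out, -2 if the socket came back non-blocking (the
 * slip that the flag save/restore in timeout_connect() prevents). */
int dial_loopback(int port, int timeout, int *err_out)
{
	struct sockaddr_in sin;
	int fd, rc, fl;

	memset(&sin, 0, sizeof sin);
	sin.sin_family = AF_INET;
	sin.sin_port = htons((unsigned short)port);
	sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
		return -1;
	rc = timeout_connect(fd, (struct sockaddr *)&sin, sizeof sin, timeout);
	*err_out = rc == 0 ? 0 : errno;
	fl = fcntl(fd, F_GETFL, 0);
	close(fd);
	return (rc == 0 && (fl & O_NONBLOCK)) ? -2 : rc;
}
```

The loopback round trip is the check worth keeping beside any reimplementation: listen on 127.0.0.1 with port 0, dial it and expect 0 with a blocking socket back, close the listener, dial again and expect -1 with ECONNREFUSED rather than a hang or a silent non-blocking descriptor. The timeout path itself needs a black-holed address and is best exercised by hand.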
From: petronio at agro.uba.ar (Federico Petronio) Date: Thu, 17 Oct 2002 12:40:00 -0300 Subject: New feature for sftp Message-ID: <3DAED9D0.4010908@agro.uba.ar> I am new to OpenSSH (I used SSH before). One thing that I miss from SSH is the "auto-complete". In the sftp from SSH you could complete paths just like in Bash, but OpenSSH sftp does not do that. Is there any plan to add that feature? If not, could it be added? ;-) Thanks... -- Federico Petronio petronio at agro.uba.ar Linux User #129974 --- Unix IS user friendly. It's just selective about who its friends are. From djast at cs.toronto.edu Fri Oct 18 02:23:31 2002 
From: djast at cs.toronto.edu (Dan Astoorian) Date: Thu, 17 Oct 2002 12:23:31 -0400 Subject: [Bug 413] New: Port forwarding: [localhost:]localport:remotehost:remoteport In-Reply-To: Your message of "Thu, 17 Oct 2002 04:06:08 EDT." <60F1F87A64834D45A1EBAE9618305FB86ECDF4@qeo00200> Message-ID: <02Oct17.122333edt.453160-26493@jane.cs.toronto.edu> On Thu, 17 Oct 2002 04:06:08 EDT, "Courtin Bert" writes: > Hi, > > I would be glad if a feature/enhancement like this would be available. > For more than one time it would have saved me lots of time and headache. FWIW, I wrote a patch that did this a while ago (the last update I made to it applied to a snapshot from early February), but there was never a good opportunity to get it integrated. Enough code has changed since then that updating my patch may not be completely straightforward, but I'll try to find some time to take another look at it. Unfortunately, my plate is still rather full, so I can't make any promises; if someone else is particularly keen to implement this feature, I'd be willing to share my obsolete patch for them to work from. -- Dan Astoorian People shouldn't think that it's better to have Sysadmin, CSLab loved and lost than never loved at all. It's djast at cs.toronto.edu not, it's better to have loved and won. All www.cs.toronto.edu/~djast/ the other options really suck. --Dan Redican From mouring at etoh.eviladmin.org Fri Oct 18 02:25:42 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Thu, 17 Oct 2002 11:25:42 -0500 (CDT) Subject: New feature for sftp In-Reply-To: <3DAED9D0.4010908@agro.uba.ar> Message-ID: I have a readline patch for file completion, command-line history, etc.. I've been waiting to commit it until we sort out libedit's readline emulation in the OpenBSD tree. http://www.eviladmin.org/openssh.php has a patch for it, but it is targeted at OpenBSD (and may not apply cleanly since it has not been updated for the 3.5 release). But it could easily be made to compile. - Ben On Thu, 17 Oct 2002, Federico Petronio wrote: > I am new to OpenSSH (I used SSH before). One thing that I miss from SSH > is the "auto-complete". In the sftp from SSH you could complete paths > just like in Bash, but OpenSSH sftp does not do that. Is > there any plan to add that feature? If not, could it be added? ;-) > > Thanks... > -- > Federico Petronio > petronio at agro.uba.ar > Linux User #129974 > > --- > Unix IS user friendly. It's just selective about who its friends are. > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From b.courtin at t-online.net Fri Oct 18 02:55:47 2002 
From: b.courtin at t-online.net (Courtin Bert) Date: Thu, 17 Oct 2002 18:55:47 +0200 Subject: [Bug 413] New: Port forwarding: [localhost:]localport:remotehost:remoteport Message-ID: <60F1F87A64834D45A1EBAE9618305FB80120C1A3@qeo00200> Hi Dan, first of all thank you for picking up this thread :-) Secondly, I would probably have helped get this working/integrated into the current code, but unfortunately, while I do speak some programming languages, C/C++ is not among them. So, I would greatly appreciate it if someone has the time & ability to implement a feature as described. As one can imagine, it would be - from my point of view - last but not least a contribution regarding security when using port forwarding. Kind regards, B. Courtin > -----Original Message----- 
> From: Dan Astoorian [mailto:djast at cs.toronto.edu]
> Sent: Thursday, October 17, 2002 6:24 PM
> To: openssh-unix-dev at mindrot.org
> Subject: Re: [Bug 413] New: Port forwarding:
> [localhost:]localport:remotehost:remoteport
>
>
> On Thu, 17 Oct 2002 04:06:08 EDT, "Courtin Bert" writes:
> > Hi,
> >
> > I would be glad if a feature/enhancement like this would be available.
> > For more than one time it would have saved me lots of time and headache.
>
> FWIW, I wrote a patch that did this a while ago (the last update I made
> to it applied to a snapshot from early February), but there was never a
> good opportunity to get it integrated. Enough code has changed since
> then that updating my patch may not be completely straightforward, but
> I'll try to find some time to take another look at it.
>
> Unfortunately, my plate is still rather full, so I can't make any
> promises; if someone else is particularly keen to implement this
> feature, I'd be willing to share my obsolete patch for them to work
> from.
>
> --
> Dan Astoorian               People shouldn't think that it's better to have
> Sysadmin, CSLab             loved and lost than never loved at all.  It's
> djast at cs.toronto.edu        not, it's better to have loved and won.  All
> www.cs.toronto.edu/~djast/  the other options really suck.
>                                                              --Dan Redican
>

From andreas at conectiva.com.br Fri Oct 18 04:07:52 2002
From: andreas at conectiva.com.br (Andreas Hasenack)
Date: Thu, 17 Oct 2002 15:07:52 -0300
Subject: playing with smartcard: rsa key upload?
Message-ID: <20021017180751.GA8840@conectiva.com.br>

I began playing with smartcard support and enabled this in openssh-3.5p1 on linux. The -U (upload) option unfortunately doesn't work yet with ssh-keygen:

$ ssh-keygen -U 0
Enter file in which the key is (/home/user/.ssh/id_rsa):
key uploading not yet supported

Is there a tool to upload an openssh rsa key to a smart card so that I can use it with ssh -I later on? Should I just upload it as a regular file? Any pointers to some documentation explaining how to do this with openssh?

From aet at cc.hut.fi Fri Oct 18 04:53:50 2002
From: aet at cc.hut.fi (Antti Tapaninen)
Date: Thu, 17 Oct 2002 21:53:50 +0300 (EET DST)
Subject: playing with smartcard: rsa key upload?
In-Reply-To: <20021017180751.GA8840@conectiva.com.br>
Message-ID:

On Thu, 17 Oct 2002, Andreas Hasenack wrote:

> Is there a tool to upload an openssh rsa key to a smart card so that I can
> use it with ssh -I later on? Should I just upload it as a regular file?
> Any pointers to some documentation explaining how to do this with openssh?

The current SC-related code in openssh is a bit absurd anyway. I'm currently rewriting the code into something more generic, like PKCS#11 support. After this you can use opensc-pkcs11.so to upload your keys. Hopefully Theo and the rest of the OpenSSH guys are willing to ditch the current code base, the ugly sectok and the less ugly opensc support, entirely.

-Antti

From bugzilla-daemon at mindrot.org Fri Oct 18 05:34:23 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 18 Oct 2002 05:34:23 +1000 (EST)
Subject: [Bug 416] New: problems with sshd starting up and hostkeys
Message-ID: <20021017193423.81EB53D1C3@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=416

Summary: problems with sshd starting up and hostkeys
Product: Portable OpenSSH
Version: -current
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: major
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: slauren at igpp.ucllnl.org

Hi, I've just installed 3.5p1 of the openssh package on a RedHat linux pentium machine. I have a number of problems. First, the sshd does not start up automatically when I boot. When I try to start it from the root account, I get the error:

Privilege separation user sshd does not exist

When I try to start it up from my (usual) user account, I get the following error:

Could not load host key: /usr/local/etc/ssh_host_key
Could not load host key: /usr/local/etc/ssh_host_rsa_key
Could not load host key: /usr/local/etc/ssh_host_dsa_key
Disabling protocol version 1. Could not load host key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.

I have tried running make host-key several times, as well as running the commands separately.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Oct 18 06:48:27 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 18 Oct 2002 06:48:27 +1000 (EST)
Subject: [Bug 416] problems with sshd starting up and hostkeys
Message-ID: <20021017204827.237DF3D1E4@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=416

markus at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

------- Additional Comments From markus at openbsd.org 2002-10-18 06:48 -------
You have to read the READMEs from the distribution and create the 'sshd' user.

From mouring at etoh.eviladmin.org Fri Oct 18 08:47:35 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 17 Oct 2002 17:47:35 -0500 (CDT)
Subject: Upgraded to latest cygwin this morning, and ssh refuses to enter binmode. Help! (fwd)
Message-ID:

Could someone running Cygwin or involved in Cygwin help this person please?

- Ben

---------- Forwarded message ----------
Date: Thu, 17 Oct 2002 17:58:45 -0400
From: Andrew Greene
To: openssh at openssh.com
Subject: Upgraded to latest cygwin this morning, and ssh refuses to enter binmode. Help!

I upgraded to the latest cygwin this morning (not sure when I last did) and ssh is suddenly replacing LF with CRLF. (I also started running sshd as a service; I don't know if that's relevant.) This replacement prevents Unison from working, along with who knows what else (I'm afraid to try CVS!) I tried explicitly setting CYGWIN to binmode but that doesn't seem to help.

Thanks in advance for your help and explanation!

======================================================================
Version info: OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f
======================================================================

Here is an example. On my Unix box I ran "unison -version >/tmp/univer". If I use ssh to cat the file remotely, you can see that it looks reasonable at first blush:

c:\amg>ssh -i /home/agreene/.ssh/a-identity -1 -l a zamir.dns2go.com cat /tmp/univer
unison version 2.9.1

======================================================================

But notice this subtle difference: if I od the file on the Unix box, the line ending is a LF; if I od the file on my Cygwin box, the line ending is CRLF.

c:\amg>ssh -i /home/agreene/.ssh/a-identity -1 -l a zamir.dns2go.com od -tx1 /tmp/univer
0000000 75 6e 69 73 6f 6e 20 76 65 72 73 69 6f 6e 20 32
0000020 2e 39 2e 31 0a
0000025

c:\amg>ssh -i /home/agreene/.ssh/a-identity -1 -l a zamir.dns2go.com cat /tmp/univer | od -tx1
0000000 75 6e 69 73 6f 6e 20 76 65 72 73 69 6f 6e 20 32
0000020 2e 39 2e 31 0d 0a
0000026

======================================================================

Here's what cygcheck tells me.
From jmknoble at pobox.com Fri Oct 18 10:34:48 2002
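The LF-to-CRLF symptom Andrew shows with od above can be isolated from the Cygwin mount table and environment by pushing every byte value through the suspect command and diffing what comes back. This is an added example, not code from the thread; the transport command string (for example `ssh -1 -l a zamir.dns2go.com cat`, from the message) is an assumption about how the check is invoked.

```shell
#!/bin/sh
# Added example: probe whether a command that copies stdin to stdout
# (e.g. "ssh host cat") alters any byte, such as turning LF into CRLF.
# The transport is an arbitrary shell command string; it is assumed to read
# stdin and write stdout with no tty in between.

# transport_is_8bit_clean 'COMMAND'
# Returns 0 if bytes 0x01..0xff come back unchanged, 1 if any byte was
# altered (cmp reports the first differing byte on stderr), 2 on setup error.
transport_is_8bit_clean() {
    transport="$1"
    tmp=$(mktemp -d) || return 2

    # Build the probe: every byte value 1..255 exactly once. NUL is skipped
    # because not every printf can emit it; LF (0x0a) and CR (0x0d) are included.
    i=1
    while [ "$i" -le 255 ]; do
        printf "\\$(printf '%03o' "$i")"
        i=$((i + 1))
    done > "$tmp/probe"

    # Push the probe through the transport and capture what comes out.
    sh -c "$transport" < "$tmp/probe" > "$tmp/echoed"

    if cmp -s "$tmp/probe" "$tmp/echoed"; then
        rm -rf "$tmp"
        return 0
    fi
    # With LF->CRLF translation the echoed copy is longer and cmp names the
    # byte where 0x0a was replaced by 0x0d, which pins the fault on the transport.
    cmp "$tmp/probe" "$tmp/echoed" >&2 || true
    rm -rf "$tmp"
    return 1
}

# Against the thread's setup (from the Cygwin side, no pty):
#   transport_is_8bit_clean 'ssh -1 -l a zamir.dns2go.com cat'
```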
From: jmknoble at pobox.com (Jim Knoble)
Date: Thu, 17 Oct 2002 17:34:48 -0700
Subject: scp
In-Reply-To: <53D65D67C6AA694284F7584E25ADD3543334ED@nor935nte2k1.nor935.chevrontexaco.net>; from Eric.Ladner@ChevronTexaco.com on Wed, Oct 16, 2002 at 01:20:32PM -0500
References: <53D65D67C6AA694284F7584E25ADD3543334ED@nor935nte2k1.nor935.chevrontexaco.net> <20021017172336.A4156@zax.half.pint-stowp.cx> <53D65D67C6AA694284F7584E25ADD3543334ED@nor935nte2k1.nor935.chevrontexaco.net>
Message-ID: <20021017173448.B4156@zax.half.pint-stowp.cx>

Circa 2002-10-16 13:20:32 -0500 dixit Ladner, Eric (Eric.Ladner):

: True, true, but that's another piece of software I have to install
: and maintain just to have that functionality enabled for the
: infrequent times that I do need to copy a tree from one server to
: another.
:
: Actually, my current workaround is like this to copy a tree:
:
: cd /some/tree; tar -cf - . | ssh remote_host "cd /some/other/tree; tar -xvf -"
:
: It works like a champ, but scp with link copy would be cleaner:
:
: scp -rp /some/tree/* remote_host:/some/other/tree
:
: Which is more intuitive?

Actually, to many folks at all used to the Unix environment, the tar pipe is significantly more obvious and "intuitive" (i.e., conforming to their prior experience). It used to be that the tar pipe was necessary to copy or move directory trees even on a local system while preserving symlinks and whatnot. It's only recently that folks seem to have forgotten how to do that.

By the way, what you probably want on the extracting end is:

tar -xvpf -

in order to preserve permissions. If using GNU tar, you may also want '--same-owner' and '--sparse'.

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
"I am non-refutable." --Enik the Altrusian
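The tar pipe quoted above has one trap worth closing: with `cd /some/other/tree; tar -xvf -`, a failed cd leaves tar unpacking into the login directory. This added example (not code from the thread) wraps the pipe with `&&` on the receiving side and the `-p` Jim recommends; the transport command is a parameter, and the test drives it with a local `sh -c` in place of `ssh remote_host`.

```shell
#!/bin/sh
# Added example: copy a directory tree through a tar pipe, as in the thread,
# with two changes a reviewer would ask for: "cd DIR && tar" on the receiving
# side (a failed cd must not unpack into $HOME) and -p to keep permissions.
# TRANSPORT is the command that runs the receiving shell, e.g. "ssh remote_host";
# that it takes a single command string as its last argument is an assumption.

# copy_tree SRC DST TRANSPORT
# Returns 0 on success, 1 if SRC is not a directory or the receiving side fails.
copy_tree() {
    src="$1"; dst="$2"; transport="$3"
    [ -d "$src" ] || { echo "copy_tree: $src is not a directory" >&2; return 1; }

    # Single-quote DST for the remote shell, escaping any embedded quote, so a
    # path with spaces or shell metacharacters cannot alter the remote command.
    qdst=$(printf '%s' "$dst" | sed "s/'/'\\\\''/g")

    # -C replaces the "cd /some/tree;" prefix locally. Remotely, && stops the
    # extraction when the target directory does not exist; -p preserves modes
    # (symlinks are preserved by tar either way, which is the point of the pipe).
    tar -cf - -C "$src" . | $transport "cd '$qdst' && tar -xpf -"
}
```

The pipeline's status is the receiving side's, so a failure of the local tar shows up only as a short archive on the far end; run it under `set -o pipefail` where the shell supports that.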
From Jeff.Koenig at experian.com Fri Oct 18 09:39:18 2002
From: Jeff.Koenig at experian.com (Jeff Koenig)
Date: Thu, 17 Oct 2002 18:39:18 -0500
Subject: OpenSSH 3.5p1, Solaris 8, BSM, cron issue
Message-ID:

We have started using BSM and have hit the BSM issue where cron is messed up if you SSH into a Solaris 8 box and try to issue a cron job.

I noticed the bug here:
http://bugzilla.mindrot.org/show_bug.cgi?id=125

Is this patch applied to the OpenSSH 3.5p1 release?

I tried installing OpenSSH 3.5p1 and turned off Privileged Separation in the sshd_config file, but I am still getting the cron issues when running BSM on the Solaris 8 server.

Any suggestions would be appreciated, including patches and methods of applying a patch to get OpenSSH, BSM, and cron working together on Solaris 8.

Jeff

From donny.cornelius at myrealbox.com Fri Oct 18 19:38:46 2002
From: donny.cornelius at myrealbox.com (Donny Cornelius)
Date: Fri, 18 Oct 2002 17:38:46 +0800
Subject: Host Key Verification failed - ssh via cgi
Message-ID: <1034933926.230ae6e0donny.cornelius@myrealbox.com>

hi,

my scenario is this: i have a cgi (on host1) that executes ssh (as userxyz) to a remote server (host2), executes a command to retrieve some data and outputs them to the local browser.

on host1:

#!/usr/bin/perl -w
...
$output = `/usr/local/bin/ssh -l userxyz -x host2 ls -l`;
...

but i get "Host Key Verification failed" on my apache's error_log. i can do it on the command line, it only fails when i run it via the cgi.

has somebody had this problem before?

/don

From dtucker at zip.com.au Fri Oct 18 21:16:26 2002
From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 18 Oct 2002 21:16:26 +1000 Subject: OpenSSH 3.5p1 AIX packages available. Message-ID: <3DAFED8A.6FD1928A@zip.com.au> Hi All. AIX native installp/SMIT installable packages of openssh-3.5p1 are now available. There are 2 packages: openssh-3.5p1-1 which contains the PermitRootLogin patch and openssh-3.5p1-1x which also contains the (experimental) password expiration patch. I'm still interested in feedback on the password expiration patch, so if you choose to download the package with it, please let me know how it goes. The usual caveats apply, see page. Downloads and further info: http://www.zip.com.au/~dtucker/openssh/. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Fri Oct 18 21:56:44 2002 
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 18 Oct 2002 21:56:44 +1000
Subject: Host Key Verification failed - ssh via cgi
References: <1034933926.230ae6e0donny.cornelius@myrealbox.com>
Message-ID: <3DAFF6FC.C99E069B@zip.com.au>

Donny Cornelius wrote:
> i have a cgi (on host1) that executes ssh (as userxyz) to a remote server (host2), executes a command to retrieve some data and outputs them to the local browser.
>
> on host1:
>
> #!/usr/bin/perl -w
> ...
> $output = `/usr/local/bin/ssh -l userxyz -x host2 ls -l`
> ...
>
> but i get "Host Key Verification failed" on my apache's error_log. i can do it on the command line, it only fails when i run it via the cgi.

Is the CGI running as "nobody" or are you using suEXEC?

Can you add "-v -v -v" to the ssh command line to get some debugging info?

Maybe $HOME isn't set?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From mouring at etoh.eviladmin.org Fri Oct 18 22:58:59 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 18 Oct 2002 07:58:59 -0500 (CDT)
Subject: OpenSSH 3.5p1, Solaris 8, BSM, cron issue
In-Reply-To:
Message-ID:

On Thu, 17 Oct 2002, Jeff Koenig wrote:

> We have started using BSM and have hit the BSM issue where cron is messed up if you SSH into a Solaris 8 box and try to issue a cron job.
>
> I noticed the bug here:
> http://bugzilla.mindrot.org/show_bug.cgi?id=125
>
> Is this patch applied to the OpenSSH 3.5p1 release?
>

No, this patch has not. There was talk that it conflicted with privsep, and that someone was going to look at it and see how to solve the conflict.

- Ben

From Darren.Moffat at Sun.COM Sat Oct 19 00:12:25 2002
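For the CGI case Donny describes and Darren's three questions about it (which user, what does -v show, is $HOME set), the robust fix is to stop depending on the web user's home directory at all: name the known_hosts file and identity on the command line and refuse to connect unless the host is already pinned. This is an added example rather than code from the thread; the /var/www/ssh paths and the known_hosts contents used in the test are assumptions, while `userxyz` and `host2` are the names from the question.

```shell
#!/bin/sh
# Added example: run a fixed ssh command from a CGI without relying on $HOME,
# ~/.ssh or an interactive host-key prompt. Paths under /var/www/ssh are
# assumptions; userxyz and host2 are the names used in the question.

# known_hosts_has_host FILE HOST
# Returns 0 if FILE contains a plaintext entry naming HOST (or [HOST]:22),
# 1 otherwise. Lines with @ markers (@revoked, @cert-authority) and hashed
# entries (|1|...) are not matched; use ssh-keygen -F for those where available.
known_hosts_has_host() {
    kh="$1"; host="$2"
    [ -r "$kh" ] || return 1
    awk -v h="$host" '
        /^[[:space:]]*(#|$)/ { next }   # comments and blank lines
        $1 ~ /^[@|]/ { next }           # marker or hashed lines: not a plain pin
        {
            n = split($1, names, ",")   # e.g. "host2,192.0.2.10 ssh-rsa AAAA..."
            for (i = 1; i <= n; i++)
                if (names[i] == h || names[i] == "[" h "]:22") { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$kh"
}

# cgi_ssh KNOWN_HOSTS IDENTITY USER HOST COMMAND...
# Refuses to connect unless HOST is pinned in KNOWN_HOSTS, then runs ssh
# non-interactively with every file it needs named explicitly.
cgi_ssh() {
    kh="$1"; ident="$2"; user="$3"; host="$4"; shift 4
    known_hosts_has_host "$kh" "$host" || {
        echo "cgi_ssh: no known_hosts entry for $host in $kh (add it from a verified fingerprint)" >&2
        return 1
    }
    [ -r "$ident" ] || { echo "cgi_ssh: cannot read identity $ident" >&2; return 1; }
    # -F /dev/null: ignore per-user and system ssh_config, so the web user's
    #   (possibly absent) home directory plays no part.
    # BatchMode=yes: never prompt. StrictHostKeyChecking=yes: an unknown or
    #   changed key is a hard failure instead of a silent "yes" or a hang.
    # -x -a: no X11 or agent forwarding from a web server process.
    ssh -F /dev/null -x -a \
        -o BatchMode=yes \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$kh" \
        -o GlobalKnownHostsFile=/dev/null \
        -i "$ident" -l "$user" "$host" "$@"
}

# The CGI then calls, for example:
#   cgi_ssh /var/www/ssh/known_hosts /var/www/ssh/id_rsa userxyz host2 ls -l
```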
From: Darren.Moffat at Sun.COM (Darren J Moffat)
Date: Fri, 18 Oct 2002 07:12:25 -0700 (PDT)
Subject: OpenSSH 3.5p1, Solaris 8, BSM, cron issue
In-Reply-To:
Message-ID:

On Fri, 18 Oct 2002, Ben Lindstrom wrote:

> On Thu, 17 Oct 2002, Jeff Koenig wrote:
>
> > We have started using BSM and have hit the BSM issue where cron is messed up if you SSH into a Solaris 8 box and try to issue a cron job.
> >
> > I noticed the bug here:
> > http://bugzilla.mindrot.org/show_bug.cgi?id=125
> >
> > Is this patch applied to the OpenSSH 3.5p1 release?
> >
>
> No this patch has not. There was talk that is conflicted with privsep.
> And that someone was going to look at it and see how to solve the
> conflict.

BSM and privsep are pretty much in the same category as PAM and privsep.

The BSM patch does two things, only one of which impacts the cron job problem. The first and most important thing it does is set up the user's audit mask. The second is to write login/logout audit records to the BSM audit log. Both of these things need uid 0 to work on Solaris.

I believe that if you aren't running privsep and you apply the patch it should work - but I haven't had time to test this theory. The patch probably also needs some rework for 3.5p1 anyway (again haven't had time).

A co-worker in Sun is working on an alternate solution for the audit mask issue. What he is trying to do is have it set in a PAM module. This should work fine for OpenSSH even in the case of the authentication not being via PAM since it will be done in pam_setcred(). At this time I'm not sure if this will be available as a patch for Solaris 8 or not. However, if you take the current BSM audit patch for OpenSSH and look for the bits that do the audit mask setup you could make that PAM module yourself.

--
Darren J Moffat

From Jeff.Koenig at experian.com Sat Oct 19 02:22:51 2002
From: Jeff.Koenig at experian.com (Jeff Koenig)
Date: Fri, 18 Oct 2002 11:22:51 -0500
Subject: SSH Bug 3.5p1 Expired Passwords
Message-ID:

This method ONLY works for me if I am forcing the use of SSH protocol 1.

It does NOT work for SSH protocol 2.

For protocol 2, I get the following:

login as: jdoe
jdoe at pop's password:
Warning: Your password has expired, please change it now.
Enter login password:

I enter the login password again and then I get "Connection closed by remote host".

Any suggestions to get this working with protocol 2?

Jeff

>>> Darren Tucker 10/16/02 09:08AM >>>
Frank Beckmann wrote:
> in the new Openssh 3.5p1 is the same bug as in the 3.4p1 :-(
> When a user tries to login with an expired password, SSH denies access to the system

In pam-auth.c, change

#if 0
case PAM_NEW_AUTHTOK_REQD:

to

#if 1
case PAM_NEW_AUTHTOK_REQD:

and set "UsePrivilegeSeparation no" in sshd_config.

People have reported mixed success, so your mileage may vary.

Let the list know how it goes; one of the reasons this isn't enabled in 3.5p1 is lack of testing.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From mouring at etoh.eviladmin.org Sat Oct 19 02:42:22 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 18 Oct 2002 11:42:22 -0500 (CDT)
Subject: SSH Bug 3.5p1 Expired Passwords
In-Reply-To:
Message-ID:

For it to work correctly with protocol 2 we should be using REQ_PASS_CHANGE or something like that (not at a place where I can look at the RFC). I looked at it and became utterly confused as to how it works on the server side. The client side code is in place.

- Ben

On Fri, 18 Oct 2002, Jeff Koenig wrote:

> This method ONLY works for me if I am forcing the use of SSH protocol 1.
>
> It does NOT work for SSH protocol 2.
>
> For protocol 2, I get the following:
> login as: jdoe
> jdoe at pop's password:
> Warning: Your password has expired, please change it now.
> Enter login password:
>
> I enter the login password again and then I get "Connection closed by remote host".
>
> Any suggestions to get this working with protocol 2?
>
> Jeff
>
> >>> Darren Tucker 10/16/02 09:08AM >>>
> Frank Beckmann wrote:
> > in the new Openssh 3.5p1 is the sam Bug as in the 3.4p1 :-(
> > When a User try to login with a expired Passwort, SSH denys the Acces to the System
>
> In pam-auth.c, change
>
> #if 0
> case PAM_NEW_AUTHTOK_REQD:
>
> to
>
> #if 1
> case PAM_NEW_AUTHTOK_REQD:
>
> and set "UsePrivilegeSeparation no" in sshd_config.
>
> People have reported mixed success, so your milage may vary.
>
> Let the list know how it goes; one of the reasons this isn't enabled in
> 3.5p1 is lack of testing.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
From calcheng at cisco.com Sat Oct 19 06:44:00 2002
From: calcheng at cisco.com (Calvin Cheng) Date: Fri, 18 Oct 2002 16:44:00 -0400 Subject: Patch: sftp client support of "ls [flags] [path [localfile]]" feature Message-ID: <00e601c276e7$1648fc00$4d502ca1@amer.cisco.com> Hello, I just downloaded OpenSSH 3.5p1. This version has some great improvement in sftp client. But I still miss the FTP's "ls [flags] remote-path [localpath]" feature to redirect the output of ls/dir to a local file. The following are the diff outputs against 3.5p1 to enable this feature. *** sftp-int.c.orig Wed Sep 11 20:34:15 2002 --- sftp-int.c Fri Oct 18 13:39:46 2002 *************** *** 555,567 **** /* sftp ls.1 replacement for directories */ static int ! do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) { int n; SFTP_DIRENT **d; if ((n = do_readdir(conn, path, &d)) != 0) return (n); /* Count entries for sort */ for (n = 0; d[n] != NULL; n++) --- 555,587 ---- /* sftp ls.1 replacement for directories */ static int ! do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag, ! char *localpath) { int n; SFTP_DIRENT **d; + FILE *fp = NULL; + FILE *fp1 = NULL; + + if (localpath) { + fp = fopen(localpath, "w"); + if (!fp) + { + error("Can't write to file %s", localpath); + return -1; + } + } + + if (fp) + fp1 = fp; + else + fp1 = stdout; if ((n = do_readdir(conn, path, &d)) != 0) + { + if (fp) fclose(fp); return (n); + } /* Count entries for sort */ for (n = 0; d[n] != NULL; n++) *************** *** 583,598 **** memset(&sb, 0, sizeof(sb)); attrib_to_stat(&d[n]->a, &sb); lname = ls_file(fname, &sb, 1); ! printf("%s\n", lname); xfree(lname); } else { /* XXX - multicolumn display would be nice here */ ! printf("%s\n", fname); } xfree(fname); } free_sftp_dirents(d); return (0); } --- 603,619 ---- memset(&sb, 0, sizeof(sb)); attrib_to_stat(&d[n]->a, &sb); lname = ls_file(fname, &sb, 1); ! fprintf(fp1, "%s\n", lname); xfree(lname); } else { /* XXX - multicolumn display would be nice here */ ! 
fprintf(fp1, "%s\n", fname); } xfree(fname); } + if (fp) fclose(fp); free_sftp_dirents(d); return (0); } *************** *** 600,611 **** /* sftp ls.1 replacement which handles path globs */ static int do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path, ! int lflag) { glob_t g; int i; Attrib *a; struct stat sb; memset(&g, 0, sizeof(g)); --- 621,634 ---- /* sftp ls.1 replacement which handles path globs */ static int do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path, ! int lflag, char* localpath) { glob_t g; int i; Attrib *a; struct stat sb; + FILE *fp = NULL; + FILE *fp1 = NULL; memset(&g, 0, sizeof(g)); *************** *** 628,637 **** if ((a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) && S_ISDIR(a->perm)) { globfree(&g); ! return (do_ls_dir(conn, path, strip_path, lflag)); } } for (i = 0; g.gl_pathv[i]; i++) { char *fname, *lname; --- 651,675 ---- if ((a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) && S_ISDIR(a->perm)) { globfree(&g); ! return (do_ls_dir(conn, path, strip_path, lflag, localpath)); } } + if (localpath) + { + fp = fopen(localpath, "w"); + if (!fp) + { + error("Can't write to file %s", localpath); + return -1; + } + } + + if (fp) + fp1 = fp; + else + fp1 = stdout; + for (i = 0; g.gl_pathv[i]; i++) { char *fname, *lname; *************** *** 650,666 **** if (a != NULL) attrib_to_stat(a, &sb); lname = ls_file(fname, &sb, 1); ! printf("%s\n", lname); xfree(lname); } else { /* XXX - multicolumn display would be nice here */ ! printf("%s\n", fname); } xfree(fname); } if (g.gl_pathc) globfree(&g); return (0); } --- 688,706 ---- if (a != NULL) attrib_to_stat(a, &sb); lname = ls_file(fname, &sb, 1); ! fprintf(fp1, "%s\n", lname); xfree(lname); } else { /* XXX - multicolumn display would be nice here */ ! 
fprintf(fp1, "%s\n", fname); } xfree(fname); } if (g.gl_pathc) globfree(&g); + if (fp) + fclose(fp); return (0); } *************** *** 759,764 **** --- 799,806 ---- /* Path is optional */ if (get_pathname(&cp, path1)) return(-1); + if (get_pathname(&cp, path2)) + return(-1); break; case I_LLS: case I_SHELL: *************** *** 897,903 **** break; case I_LS: if (!path1) { ! do_globbed_ls(conn, *pwd, *pwd, lflag); break; } --- 939,945 ---- break; case I_LS: if (!path1) { ! do_globbed_ls(conn, *pwd, *pwd, lflag, NULL); break; } *************** *** 908,914 **** path1 = make_absolute(path1, *pwd); ! do_globbed_ls(conn, path1, tmp, lflag); break; case I_LCHDIR: if (chdir(path1) == -1) { --- 950,956 ---- path1 = make_absolute(path1, *pwd); ! do_globbed_ls(conn, path1, tmp, lflag, path2); break; case I_LCHDIR: if (chdir(path1) == -1) { *** sftp.1.orig Wed Sep 11 19:54:27 2002 --- sftp.1 Fri Oct 18 16:39:56 2002 *************** *** 205,211 **** Print local working directory. .It Xo Ic ls .Op Ar flags ! .Op Ar path .Xc Display remote directory listing of either .Ar path --- 205,211 ---- Print local working directory. .It Xo Ic ls .Op Ar flags ! .Op Ar path Op Ar local-path .Xc Display remote directory listing of either .Ar path *************** *** 214,220 **** is not specified. If the .Fl l flag is specified, then display additional details including permissions ! and ownership information. .It Ic lumask Ar umask Set local umask to .Ar umask . --- 214,225 ---- is not specified. If the .Fl l flag is specified, then display additional details including permissions ! and ownership information. If ! .Ar local-path ! is not specified, display the output on the terminal. If ! .Ar local-path ! is specified, then redirect the output to ! .Ar local-path . .It Ic lumask Ar umask Set local umask to .Ar umask . From iainmcaleer at security.asn.au Sat Oct 19 14:31:23 2002 
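Review bot: in the do_ls_dir hunk (--- 555,587 ----) the fp/fp1 pair is redundant, since fp1 is always either fp or stdout; a single `FILE *out = localpath ? fopen(localpath, "w") : stdout;` with `if (out != stdout) fclose(out);` on each exit path reads cleaner, and the same open-or-stdout block is then repeated verbatim in do_globbed_ls (--- 651,675 ----). Opening the file once in the I_LS dispatch case and passing the FILE * down would remove the duplication and the double open path, and the brace placement `if (!fp)\n{` and `char* localpath` do not match the KNF style of the surrounding sftp-int.c code.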
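Review bot: the fclose(fp) calls added at the end of do_ls_dir (--- 603,619 ----) and do_globbed_ls (--- 688,706 ----) ignore their return value, and none of the fprintf(fp1, ...) calls are checked, so a listing redirected to a full or read-only filesystem is reported as success (return 0); check `if (fclose(fp) != 0) { error("write %s: %s", localpath, strerror(errno)); return -1; }` or test ferror(fp) before closing. Note also that fopen(localpath, "w") silently truncates an existing local file, which the new sftp.1 sentence about local-path should say.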
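Review bot: the parse_args hunk (--- 799,806 ----) reads path2 for ls unconditionally after path1, and the dispatch hunk (--- 950,956 ----) passes it to do_globbed_ls without make_absolute; that is correct because it is a local file, but nothing in the code says so, and every other two-path command treats path2 as remote-or-local explicitly. A one-line comment that path2 is a local filename (relative to the lcd directory) would save the next reader from assuming it is a remote path like path1. The path1 == NULL branch (--- 939,945 ----) passing NULL matches the `[path [local-path]]` nesting in the sftp.1 hunk.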
From: iainmcaleer at security.asn.au (Iain McAleer)
Date: Sat, 19 Oct 2002 12:31:23 +0800
Subject: SSH Documentation
Message-ID:

Hello,

I'm trying to find very in-depth documentation of OpenSSH, so far I have found nothing of much use, if anyone could direct me to some advanced texts on openssh it would be greatly appreciated.

From dan at doxpara.com Sat Oct 19 15:15:15 2002
From: dan at doxpara.com (Dan Kaminsky)
Date: Fri, 18 Oct 2002 22:15:15 -0700
Subject: SSH Documentation
In-Reply-To:
References:
Message-ID: <3DB0EA63.3030808@doxpara.com>

Iain McAleer wrote:

> Hello,
>
> I'm trying to find very in-depth documentation of OpenSSH, so far I have
> found nothing of much use, if anyone could direct me to some advanced texts
> on openssh it would be greatly appreciated.

The definitive guide to SSH is probably O'Reilly's "SSH: The Secure Shell", as found here. It's nice -- straightforward, comprehensive, good stuff!

http://www.amazon.com/exec/obidos/ASIN/0596000111

Personally, I can recommend Hack Proofing Your Network: Second Edition, which contains an OpenSSH chapter on advanced tunnel design and deployment using all sorts of third party hosts and "pseudo-VPN" constructs. But that's mostly because I wrote the damn chapter, and a bit of the code too :-) That book can be found here:

http://www.amazon.com/exec/obidos/ASIN/1928994709/

The book is an in-depth look at what I talked about at Black Hat last year; here are the slides from that talk:

http://www.blackhat.com/presentations/bh-usa-01/DanKaminsky/bh-usa-01-Kaminsky.ppt

Hope this helps!

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

From dtucker at zip.com.au Sat Oct 19 17:10:44 2002
From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 19 Oct 2002 17:10:44 +1000 Subject: [PATCH] AIX password expiration References: <3DA95AEE.FA1FB622@zip.com.au> Message-ID: <3DB10574.E0F54804@zip.com.au> Darren Tucker wrote: > The patch extends the loginrestrictions test to include expired > accounts and adds PAM-like password expiry and forced change. I've updated the patch. The diff is against 3.5p1. There should be no functional differences between the original and this patch. I'm still interested in feedback from anyone who tried either or has comments on the patch itself. The changes relative to the previous patch are: * cleaned up somewhat. * added some debugs * now frees memory allocated by library functions * added some comments -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- diff -ru openssh-3.5p1.orig/auth-passwd.c openssh-3.5p1/auth-passwd.c --- openssh-3.5p1.orig/auth-passwd.c Thu Sep 26 09:14:16 2002 +++ openssh-3.5p1/auth-passwd.c Sat Oct 19 14:59:26 2002 @@ -82,6 +82,7 @@ extern ServerOptions options; #ifdef WITH_AIXAUTHENTICATE +void aix_remove_embedded_newlines(char *); extern char *aixloginmsg; #endif 
@@ -149,13 +150,20 @@ #endif #ifdef WITH_AIXAUTHENTICATE authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); + aix_remove_embedded_newlines(authmsg); - if (authsuccess) + if (authsuccess) { + debug("authenticate() succeeded for user %s: %.100s", pw->pw_name, authmsg); /* We don't have a pty yet, so just label the line as "ssh" */ if (loginsuccess(authctxt->user, get_canonical_hostname(options.verify_reverse_mapping), "ssh", &aixloginmsg) < 0) aixloginmsg = NULL; + } else { + debug("authenticate() failed for user %s: %.100s", pw->pw_name, authmsg); + } + if (authmsg) + xfree(authmsg); return(authsuccess); #endif diff -ru openssh-3.5p1.orig/auth.c openssh-3.5p1/auth.c --- openssh-3.5p1.orig/auth.c Sun Sep 22 01:26:53 2002 +++ openssh-3.5p1/auth.c Sat Oct 19 15:49:22 2002 @@ -59,6 +59,12 @@ Buffer auth_debug; int auth_debug_init; +#ifdef WITH_AIXAUTHENTICATE +void aix_remove_embedded_newlines(char *); +extern char *aixexpiremsg; +extern int aix_password_change_required; +#endif + /* * Check if the user is allowed to log in via ssh. If user is listed * in DenyUsers or one of user's groups is listed in DenyGroups, false @@ -75,9 +81,6 @@ const char *hostname = NULL, *ipaddr = NULL; char *shell; int i; -#ifdef WITH_AIXAUTHENTICATE - char *loginmsg; -#endif /* WITH_AIXAUTHENTICATE */ #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) struct spwd *spw; 
@@ -202,19 +205,47 @@ } #ifdef WITH_AIXAUTHENTICATE - if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { - if (loginmsg && *loginmsg) { - /* Remove embedded newlines (if any) */ - char *p; - for (p = loginmsg; *p; p++) { - if (*p == '\n') - *p = ' '; + /* + * Don't check loginrestrictions or expiry for root account (use + * PermitRootLogin to control logins via ssh), or if running as + * non-root user (since loginrestrictions will always fail). + */ + if ( (pw->pw_uid != 0) && (geteuid() == 0) ) { + char *restrictmsg, *expiremsg; + int passexpcode; + + /* check for AIX account restrictions */ + if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &restrictmsg) != 0) { + if (restrictmsg && *restrictmsg) { + aix_remove_embedded_newlines(restrictmsg); + log("Login restricted for %s: %.100s", pw->pw_name, restrictmsg); + xfree(restrictmsg); } - /* Remove trailing newline */ - *--p = '\0'; - log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); + return 0; + } + + /* check for AIX expired account */ + passexpcode = passwdexpired(pw->pw_name, &aixexpiremsg); + + switch (passexpcode) { + case 0: /* success, password not expired */ + break; + case 1: /* expired, password change required */ + aix_password_change_required = 1; + break; + default: /* expired too long (2) or other error (-1) */ + /* make local copy of message and remove newlines for logging */ + if (aixexpiremsg && *aixexpiremsg) { + expiremsg = xstrdup(aixexpiremsg); + aix_remove_embedded_newlines(expiremsg); + } + debug("passwdexpired() returned %d", passexpcode); + log("Password expired too long or system failure for user %s: %.100s", + pw->pw_name, expiremsg); + if (expiremsg) + xfree(expiremsg); + return 0; } - return 0; } #endif /* WITH_AIXAUTHENTICATE */ diff -ru openssh-3.5p1.orig/openbsd-compat/port-aix.c openssh-3.5p1/openbsd-compat/port-aix.c --- openssh-3.5p1.orig/openbsd-compat/port-aix.c Sun Jul 7 12:17:36 2002 +++ openssh-3.5p1/openbsd-compat/port-aix.c Sat Oct 19 
15:02:26 2002 @@ -24,6 +24,7 @@ * */ #include "includes.h" +#include "misc.h" #ifdef _AIX @@ -52,5 +53,60 @@ xfree(cp); } -#endif /* _AIX */ +#ifdef WITH_AIXAUTHENTICATE + +/* + * Remove embedded newlines in string (if any). + * Used before logging messages returned by AIX authentication functions + * so the message is logged on one line. + */ +void +aix_remove_embedded_newlines(char *p) +{ + if (p == NULL) + return; + + for (; *p; p++) { + if (*p == '\n') + *p = ' '; + } + /* Remove trailing newline */ + *--p = '\0'; +} + +/* + * Perform password change on AIX + * Like do_pam_chauthtok(), it throws a fatal error if the password can't be changed. + */ +void +do_aix_change_password(struct passwd *pw) +{ + pid_t pid; + int status; + mysig_t old_signal; + + old_signal = mysignal(SIGCHLD, SIG_DFL); + + if ((pid = fork()) == -1) + fatal("Couldn't fork: %s", strerror(errno)); + + if (pid == 0) { + setuid(pw->pw_uid); + execl("/usr/bin/passwd","passwd",pw->pw_name, + (char *)NULL); + /* execl shouldn't return */ + fatal("Couldn't exec /usr/bin/passwd"); + exit(1); + } + + if (waitpid(pid, &status, 0) == -1) + fatal("Couldn't wait for child: %s", strerror(errno)); + if (WEXITSTATUS(status)) /* Passwd exited abnormally */ + fatal("Failed to change password for %s, passwd returned %d", pw->pw_name, status); + + mysignal(SIGCHLD, old_signal); +} +#endif /* WITH_AIXAUTHENTICATE */ + +#endif /* _AIX */ diff -ru openssh-3.5p1.orig/session.c openssh-3.5p1/session.c --- openssh-3.5p1.orig/session.c Thu Sep 26 10:38:50 2002 +++ openssh-3.5p1/session.c Sat Oct 19 15:11:06 2002 @@ -104,7 +104,10 @@ Session sessions[MAX_SESSIONS]; #ifdef WITH_AIXAUTHENTICATE +void do_aix_change_password(struct passwd *); char *aixloginmsg; +char *aixexpiremsg; +int aix_password_change_required = 0; #endif /* WITH_AIXAUTHENTICATE */ #ifdef HAVE_LOGIN_CAP 
@@ -461,6 +464,12 @@ "TTY available"); #endif /* USE_PAM */ +#ifdef WITH_AIXAUTHENTICATE + if (aix_password_change_required) + packet_disconnect("Password change required but no " + "TTY available"); +#endif /* WITH_AIXAUTHENTICATE */ + /* Fork the child. */ if ((pid = fork()) == 0) { fatal_remove_all_cleanups(); @@ -757,6 +766,13 @@ } #endif +#ifdef WITH_AIXAUTHENTICATE + if (aix_password_change_required) { + printf("%s\n", aixexpiremsg); + do_aix_change_password(pw); + } +#endif + if (check_quietlogin(s, command)) return; @@ -764,9 +780,17 @@ if (!is_pam_password_change_required()) print_pam_messages(); #endif /* USE_PAM */ + #ifdef WITH_AIXAUTHENTICATE - if (aixloginmsg && *aixloginmsg) + if (aixexpiremsg && *aixexpiremsg) { + if (!aix_password_change_required) + printf("%s\n", aixexpiremsg); + xfree(aixexpiremsg); + } + if (aixloginmsg && *aixloginmsg) { printf("%s\n", aixloginmsg); + xfree(aixloginmsg); + } #endif /* WITH_AIXAUTHENTICATE */ #ifndef NO_SSH_LASTLOG From dontrango at myrealbox.com Sat Oct 19 18:26:59 2002 From: dontrango at myrealbox.com (dontrango) Date: Sat, 19 Oct 2002 16:26:59 +0800 Subject: Host Key Verification failed - ssh via cgi Message-ID: <1035016019.3613ba80dontrango@myrealbox.com> Thanks for your suggestions. I put nobody as a sudoer to exec ssh; for testing purposes I give it a shell, but for the live environment I give no login shell to nobody. on comparing the debug output for a successful session and a failed one, the latter gives this: debug3: check_host_in_hostfile: match line 38 Host key verification failed. the sucessful one continues with the login. what is the $HOME you're referring to? -----Original Message----- 
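Review bot: in the auth-passwd.c hunk, authmsg is passed straight to `%.100s` in both new debug() calls, yet the pointer comes back from authenticate() and the code right below still tests `if (authmsg)` before freeing it, so it can be NULL; %s on a NULL pointer is undefined and crashes on some libcs. Guard the debug() calls the same way or substitute an empty string. The `aix_remove_embedded_newlines(authmsg)` call on the line above is also made without the `*authmsg` check the old inline code had (see the port-aix.c note).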
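Review bot: in the auth.c hunk's `default:` case, expiremsg is only assigned inside `if (aixexpiremsg && *aixexpiremsg)`, but the following log() formats it with `%.100s` and `if (expiremsg) xfree(expiremsg)` tests it; when passwdexpired() returns -1 with no message, both read an uninitialised pointer. Initialise `expiremsg = NULL` at its declaration and pass a placeholder string to log() when it stays NULL. Note also that aixexpiremsg itself is not freed on this early-return path, whereas the session.c hunk frees it on the success path.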
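Review bot: in the port-aix.c hunk, aix_remove_embedded_newlines() executes `*--p = '\0'` unconditionally after the loop, so for an empty string it writes one byte before the buffer, and for any non-empty string it drops the last character whether or not it is a newline (the old inline code had the same `*--p` but was only reached under `if (loginmsg && *loginmsg)`). Return early on `*p == '\0'` and clear the final character only when it is '\n'. In do_aix_change_password(), the `setuid(pw->pw_uid)` return value is unchecked, so if it fails /usr/bin/passwd is exec'd with the daemon's privileges; there is also no setgid()/initgroups() before it, so the child keeps sshd's group membership. The `fatal()` after waitpid() prints the raw `status` and tests only `WEXITSTATUS(status)`, which is meaningless if the child was killed by a signal; check `WIFEXITED()`/`WIFSIGNALED()` first and report `WEXITSTATUS(status)`.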
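Review bot: in the session.c hunk that runs the password change, `printf("%s\n", aixexpiremsg)` is unconditional, whereas the later hunk guards the same pointer with `if (aixexpiremsg && *aixexpiremsg)`; passwdexpired() returning 1 without a message would pass NULL to %s, so add the same guard. The change also runs before `if (check_quietlogin(s, command)) return;`, which matches the PAM flow above it but means the expiry message and the passwd prompt appear even for sessions that would otherwise be quiet; worth stating in the commit text.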
From: Darren Tucker
To: dontrango at myrealbox.com
Date: Fri, 18 Oct 2002 21:56:44 +1000
Subject: Re: Host Key Verification failed - ssh via cgi

Donny Cornelius wrote:
> i have a cgi (on host1) that executes ssh (as userxyz) to a remote server (host2), executes a command to retrieve some data and outputs them to the local browser.
>
> on host1:
>
> #!/usr/bin/perl -w
> ...
> $output = `/usr/local/bin/ssh -l userxyz -x host2 ls -l`
> ...
>
> but i get "Host Key Verification failed" on my apache's error_log. i can do it on the command line, it only fails when i run it via the cgi.

Is the CGI running as "nobody" or are you using suEXEC? Can you add "-v -v -v" to the ssh commandline to get some debugging info? Maybe $HOME isn't set?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

(",) dontrango
--------------- hasta la vista ---------------

From bugzilla-daemon at mindrot.org Sat Oct 19 18:38:08 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 19 Oct 2002 18:38:08 +1000 (EST)
Subject: [Bug 397] Openssh build failure AIX 4.3.3
Message-ID: <20021019083808.F1A513D153@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=397

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From dtucker at zip.com.au 2002-10-19 18:38 -------
Ben committed the attachment id=151, should be fixed now in -current (but not, unfortunately, in 3.5p1).

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From dontrango at myrealbox.com Sat Oct 19 19:11:42 2002
From: dontrango at myrealbox.com (dontrango)
Date: Sat, 19 Oct 2002 17:11:42 +0800
Subject: Host Key Verification failed - ssh via cgi
Message-ID: <1035018702.3613ba80dontrango@myrealbox.com>

the problem lies with the way the file known_hosts stores the data. 'ssh -l userid $HOST' and $HOST in the file must match. if one is in the fqdn format the other must be in the same format.

-----Original Message-----
From: Darren Tucker
To: dontrango at myrealbox.com
Date: Fri, 18 Oct 2002 21:56:44 +1000
Subject: Re: Host Key Verification failed - ssh via cgi

Donny Cornelius wrote:
> i have a cgi (on host1) that executes ssh (as userxyz) to a remote server (host2), executes a command to retrieve some data and outputs them to the local browser.
>
> on host1:
>
> #!/usr/bin/perl -w
> ...
> $output = `/usr/local/bin/ssh -l userxyz -x host2 ls -l`
> ...
>
> but i get "Host Key Verification failed" on my apache's error_log. i can do it on the command line, it only fails when i run it via the cgi.

Is the CGI running as "nobody" or are you using suEXEC? Can you add "-v -v -v" to the ssh commandline to get some debugging info? Maybe $HOME isn't set?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

(",) dontrango
--------------- hasta la vista ---------------

From bob at proulx.com Sun Oct 20 03:59:25 2002
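The matching rule dontrango arrived at above (the name given to ssh and the name stored in known_hosts must be the same string, FQDN or not) follows from how ssh looks a host up in that file. The following is an added example, not OpenSSH's own code: it reimplements the lookup over a constructed known_hosts sample. The first field of each line is a comma-separated list of host patterns (with `*` and `?` wildcards and a leading `!` negating a pattern), and a line covers a host only if one of those patterns matches. The case-insensitive compare stands in for ssh lowercasing the host name before the lookup; the key blobs are placeholders, and `find_known_host` and `sample_known_hosts` are names chosen here.

```c
/*
 * Added example (not OpenSSH code): how a known_hosts line is matched
 * against the host name given to ssh. "host2" and "host2.example.com"
 * are different strings, so an entry written with one form does not
 * cover the other unless both are listed in the first field.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample known_hosts contents; the key blobs are placeholders. */
static const char *sample_known_hosts[] = {
    "host2.example.com ssh-rsa AAAAB3NzaC1yc2EAAAA...placeholder",
    "host3,host3.example.com,10.0.0.3 ssh-dss AAAAB3NzaC1kc3MAAAA...placeholder",
    "!bad.example.com,*.example.com ssh-rsa AAAAB3NzaC1yc2EAAAA...placeholder",
    NULL
};

/* Glob-style match: '*' matches any run, '?' one character; case-insensitive. */
static int pattern_match(const char *s, const char *pattern)
{
    for (;;) {
        if (*pattern == '\0')
            return *s == '\0';
        if (*pattern == '*') {
            while (*pattern == '*')
                pattern++;
            if (*pattern == '\0')
                return 1;
            for (; *s; s++)
                if (pattern_match(s, pattern))
                    return 1;
            return 0;
        }
        if (*s == '\0')
            return 0;
        if (*pattern != '?' &&
            tolower((unsigned char)*pattern) != tolower((unsigned char)*s))
            return 0;
        s++;
        pattern++;
    }
}

/*
 * Match host against a comma-separated pattern list.
 * Returns 1 on match, 0 on no match, -1 if a negated (!) pattern matched.
 */
static int match_host_list(const char *host, const char *list)
{
    char pat[256];
    int matched = 0;
    const char *p = list;

    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len >= sizeof(pat))
            return 0;                   /* over-long pattern: treat as no match */
        memcpy(pat, p, len);
        pat[len] = '\0';
        if (pat[0] == '!') {
            if (pattern_match(host, pat + 1))
                return -1;
        } else if (pattern_match(host, pat)) {
            matched = 1;
        }
        p = end ? end + 1 : p + len;
    }
    return matched;
}

/* Return the index of the first known_hosts line covering host, or -1. */
int find_known_host(const char *host, const char **lines)
{
    char hosts[512];
    int i;

    for (i = 0; lines[i]; i++) {
        const char *sp = strchr(lines[i], ' ');
        size_t len = sp ? (size_t)(sp - lines[i]) : strlen(lines[i]);

        if (len == 0 || len >= sizeof(hosts) || lines[i][0] == '#')
            continue;                   /* blank, comment or malformed line */
        memcpy(hosts, lines[i], len);
        hosts[len] = '\0';
        if (match_host_list(host, hosts) == 1)
            return i;
    }
    return -1;
}

int main(void)
{
    const char *tests[] = { "host2", "host2.example.com", "host3",
                            "bad.example.com", "other.example.com", NULL };
    int i;

    for (i = 0; tests[i]; i++)
        printf("%-20s -> known_hosts line %d\n", tests[i],
               find_known_host(tests[i], sample_known_hosts));
    return 0;
}
```

Running it shows `host2` resolving to no line while `host2.example.com` resolves to the first one, which is the situation in the thread: the CGI's `ssh -l userxyz -x host2` was compared against an entry recorded under a different spelling of the same host, and the fix is to record both spellings (comma-separated in one entry) or to use the same name in both places.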
From: bob at proulx.com (Bob Proulx)
Date: Sat, 19 Oct 2002 11:59:25 -0600
Subject: scp
In-Reply-To: <20021017173448.B4156@zax.half.pint-stowp.cx>
References: <53D65D67C6AA694284F7584E25ADD3543334ED@nor935nte2k1.nor935.chevrontexaco.net> <20021017172336.A4156@zax.half.pint-stowp.cx> <53D65D67C6AA694284F7584E25ADD3543334ED@nor935nte2k1.nor935.chevrontexaco.net> <20021017173448.B4156@zax.half.pint-stowp.cx>
Message-ID: <20021019175925.GE23282@misery.proulx.com>

Jim Knoble [2002-10-17 17:34:48 -0700]:
> Circa 2002-10-16 13:20:32 -0500 dixit Ladner, Eric (Eric.Ladner):
> : Actually, my current workaround is like this to copy a tree:
> : cd /some/tree; tar -cf - . | ssh remote_host "cd /some/other/tree; tar -xvf -"
>
> By the way, what you probably want on the extracting end is:
>
> tar -xvpf -
>
> in order to preserve permissions. If using GNU tar, you may also
> want '--same-owner' and '--sparse'.

Actually I think the options specified were fine. IIRC if you are root then the permission restoration is the default for tar. If you are not root then modern OS configuration won't allow a non-root user to chown a file to another user and this would fail anyway. Therefore the default behavior without the 'p' option is the usual desired behavior.

On older operating systems especially those based upon SysV you could chown files to other users. But that is a less desirable configuration IMNHO. (Even though some still preserve that capability for their legacy. But I always turn that off on hpux and get a modern behavior.)

Bob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20021019/8fb271c3/attachment.bin

From stuge-openssh-unix-dev at cdy.org Sun Oct 20 14:32:49 2002
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Sun, 20 Oct 2002 06:32:49 +0200
Subject: SSH Documentation
In-Reply-To: ; from iainmcaleer@security.asn.au on Sat, Oct 19, 2002 at 12:31:23PM +0800
References:
Message-ID: <20021020063249.A14739@foo.birdnet.se>

On Sat, Oct 19, 2002 at 12:31:23PM +0800, Iain McAleer wrote:
> I'm trying to find very in-depth documentation of OpenSSH, so far I have
> found nothing of much use, if anyone could direct me to some advanced texts
> on openssh it would be greatly appreciated.

For SSH documentation, read the IETF SECSH drafts.

For OpenSSH documentation, use the source.

//Peter

From bugzilla-daemon at mindrot.org Sun Oct 20 16:19:45 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 20 Oct 2002 16:19:45 +1000 (EST)
Subject: [Bug 178] Content of /etc/nologin isn't shown to users, fix triggers probably AIX bug
Message-ID: <20021020061945.4B00B3D1A3@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=178

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #51 is|0                           |1
           obsolete|                            |

------- Additional Comments From dtucker at zip.com.au 2002-10-20 16:19 -------
Created an attachment (id=155)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=155&action=view)
Have sshd child fflush stdout and stderr before exiting.

I can reproduce this on AIX 4.3.3.0 and 4.3.3.10 but not reliably. The attached patch seems to work around it without sleeps (or changes the timing enough that it doesn't happen during testing, anyway :-).

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sun Oct 20 20:42:16 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 20 Oct 2002 20:42:16 +1000 (EST)
Subject: [Bug 400] ssh-keygen hangs
Message-ID: <20021020104216.A362B3D194@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=400

------- Additional Comments From dtucker at zip.com.au 2002-10-20 20:42 -------
Created an attachment (id=156)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=156&action=view)
Send SIGINT to ssh-rand-helper child in case of timeout.

You can reproduce this easily on Linux and Solaris (and probably others too) by adding this to the top of ssh_prng_cmds:

"sleep 1000" /bin/sleep 0.02

then running ssh-rand-helper -vvv.

It appears to happen because closing the descriptor either doesn't produce a SIGPIPE or the command ignores it. The patch sends a SIGINT to the child if the command times out. This should be safe even if the command has already exited because we haven't yet wait()ed for it.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From djm at mindrot.org Sat Oct 19 17:42:15 2002
From: djm at mindrot.org (Damien Miller)
Date: 19 Oct 2002 17:42:15 +1000
Subject: SSH Documentation
In-Reply-To:
References:
Message-ID: <1035013335.1732.3.camel@xenon>

On Sat, 2002-10-19 at 14:31, Iain McAleer wrote:
> Hello,
>
> I'm trying to find very in-depth documentation of OpenSSH, so far I have
> found nothing of much use, if anyone could direct me to some advanced texts
> on openssh it would be greatly appreciated.

There are some good tutorials online, easily found linked off the OpenSSH website or via google.

I have some notes from my Australian Unix Users Group 2002 tutorial at http://www.mindrot.org/~djm/auug2002/

They may not make as much sense without all the arm-waving that went with them.

-d

From bugzilla-daemon at mindrot.org Mon Oct 21 10:13:44 2002
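The Bug 400 comment above describes the mechanism behind the attached fix: a helper command that ignores (or never receives) SIGPIPE keeps running after the reader gives up, so the reader must signal it explicitly, and doing so before wait() is safe because an exited-but-unreaped child keeps its pid. The block below is an added example, not ssh-rand-helper's or any other OpenSSH code: it runs a command through `/bin/sh -c` with an idle timeout on its stdout pipe, sends SIGINT on timeout, and only then reaps the child. `run_with_timeout` and the `RUN_*` codes are names chosen here, and the commands passed to it in `main` are constructed.

```c
/*
 * Added example (not OpenSSH code): run a child command with a read
 * timeout. The parent reads the child's stdout through a pipe; if no
 * output arrives within timeout_ms it sends SIGINT to the child. Sending
 * the signal before waitpid() is safe even if the child already exited:
 * until it is reaped the pid is a zombie and cannot be reused.
 */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

#define RUN_OK        0
#define RUN_TIMEOUT   1
#define RUN_ERROR    -1

/*
 * Run "/bin/sh -c cmd", collecting up to outlen-1 bytes of its stdout.
 * Returns RUN_OK, RUN_TIMEOUT (child was sent SIGINT) or RUN_ERROR.
 */
int run_with_timeout(const char *cmd, int timeout_ms, char *out, size_t outlen)
{
    int pfd[2], status, result = RUN_OK;
    pid_t pid;
    size_t used = 0;

    if (pipe(pfd) == -1)
        return RUN_ERROR;
    if ((pid = fork()) == -1) {
        close(pfd[0]);
        close(pfd[1]);
        return RUN_ERROR;
    }
    if (pid == 0) {
        /* child: connect stdout to the pipe, then exec the command */
        close(pfd[0]);
        dup2(pfd[1], STDOUT_FILENO);
        close(pfd[1]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(pfd[1]);

    for (;;) {
        fd_set rfds;
        struct timeval tv;
        ssize_t n;
        int rc;

        FD_ZERO(&rfds);
        FD_SET(pfd[0], &rfds);
        tv.tv_sec = timeout_ms / 1000;
        tv.tv_usec = (timeout_ms % 1000) * 1000;
        rc = select(pfd[0] + 1, &rfds, NULL, NULL, &tv);
        if (rc == -1 && errno == EINTR)
            continue;
        if (rc == 0) {
            /* timed out: closing our end is not enough if the child ignores SIGPIPE */
            kill(pid, SIGINT);
            result = RUN_TIMEOUT;
            break;
        }
        if (rc == -1) {
            result = RUN_ERROR;
            break;
        }
        n = read(pfd[0], out + used, outlen - 1 - used);
        if (n <= 0)
            break;                      /* EOF or error: child closed its stdout */
        used += (size_t)n;
        if (used >= outlen - 1)
            break;                      /* buffer full */
    }
    out[used] = '\0';
    close(pfd[0]);

    /* reap the child; the pid stays valid (a zombie at worst) until this call */
    while (waitpid(pid, &status, 0) == -1 && errno == EINTR)
        ;
    return result;
}

int main(void)
{
    char buf[128];
    int rc;

    rc = run_with_timeout("echo hello", 2000, buf, sizeof(buf));
    printf("fast command: rc=%d output=%s", rc, buf);
    rc = run_with_timeout("sleep 5", 100, buf, sizeof(buf));
    printf("slow command: rc=%d (1 means timed out and interrupted)\n", rc);
    return 0;
}
```

The order of operations is the point: close the read end, signal, then waitpid(). Reaping first would free the pid and make a later kill() a race against pid reuse, which is exactly the window the comment says the patch avoids.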
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 21 Oct 2002 10:13:44 +1000 (EST) Subject: [Bug 400] ssh-keygen hangs Message-ID: <20021021001344.BD11F3D14C@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=400 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From djm at mindrot.org 2002-10-21 10:13 ------- Applied - thanks. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Mon Oct 21 10:21:22 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 21 Oct 2002 10:21:22 +1000 (EST) Subject: [Bug 405] getaddrinfo delays Message-ID: <20021021002122.1C2153D14E@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=405 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |INVALID ------- Additional Comments From djm at mindrot.org 2002-10-21 10:21 ------- notabug ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Mon Oct 21 10:25:00 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 21 Oct 2002 10:25:00 +1000 (EST) Subject: [Bug 194] still problems with libutil Message-ID: <20021021002500.722F53D16A@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=194 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |INVALID ------- Additional Comments From djm at mindrot.org 2002-10-21 10:24 ------- broken libc = notabug ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Mon Oct 21 10:40:32 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 21 Oct 2002 10:40:32 +1000 (EST) Subject: [Bug 314] switch to READPASSPHRASE_H to avoid conflicts with exiisting headers Message-ID: <20021021004032.AFB3D3D15C@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=314 ------- Additional Comments From djm at mindrot.org 2002-10-21 10:40 ------- What existing headers? If the system provides its own readpassphrase() we should need the local copy. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Mon Oct 21 10:41:45 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 21 Oct 2002 10:41:45 +1000 (EST) Subject: [Bug 315] add miissing includes and defines for FREEBSD Message-ID: <20021021004145.266AA3D15C@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=315 ------- Additional Comments From djm at mindrot.org 2002-10-21 10:41 ------- Why are these needed? time.h is already pulled in via includes.h ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Mon Oct 21 10:50:52 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 21 Oct 2002 10:50:52 +1000 (EST) Subject: [Bug 317] add header so ptty functions are found Message-ID: <20021021005052.043483D15C@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=317 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From djm at mindrot.org 2002-10-21 10:50 ------- added to includes.h ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Mon Oct 21 10:53:18 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 21 Oct 2002 10:53:18 +1000 (EST) Subject: [Bug 404] getnameinfo failed Message-ID: <20021021005318.4AE563D15C@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=404 ------- Additional Comments From djm at mindrot.org 2002-10-21 10:53 ------- Try uncommenting "ListenAddress 0.0.0.0" in sshd_config ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Mon Oct 21 14:32:31 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 21 Oct 2002 14:32:31 +1000 (EST) Subject: [Bug 314] switch to READPASSPHRASE_H to avoid conflicts with exiisting headers Message-ID: <20021021043231.7FA0A3D157@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=314 dirk.meyer at dinoex.sub.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED Version|-current |3.1p1 ------- Additional Comments From dirk.meyer at dinoex.sub.org 2002-10-21 14:32 ------- Original report: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/34362 readpassphrase.h is detected better in openssh-3.2.3p1 so the problem is indeed fixed now. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Mon Oct 21 14:34:29 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 21 Oct 2002 14:34:29 +1000 (EST) Subject: [Bug 417] New: please update version field in Bugzilla! Message-ID: <20021021043429.78D813D180@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=417 Summary: please update version field in Bugzilla! Product: Portable OpenSSH Version: 3.1p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: Miscellaneous AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: dirk.meyer at dinoex.sub.org Version: 3.1p is the lastes Version someone can apply. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Mon Oct 21 14:57:48 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 21 Oct 2002 14:57:48 +1000 (EST) Subject: [Bug 315] add missing includes and defines for FREEBSD Message-ID: <20021021045748.0F0493D1A8@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=315 dirk.meyer at dinoex.sub.org changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|add miissing includes and |add missing includes and |defines for FREEBSD |defines for FREEBSD ------- Additional Comments From dirk.meyer at dinoex.sub.org 2002-10-21 14:57 ------- used for calls to: int openpty __P((int *_amaster, int *_aslave, char *_name, struct termios *_termp, struct winsize *_winp)); In openssh.3.5 this funtions have beenn moved to: sshpty.c --- sshpty.c.orig Wed Jun 26 01:21:42 2002 +++ sshpty.c Fri Jun 28 07:09:38 2002 @@ -30,6 +30,9 @@ #ifdef HAVE_PTY_H # include #endif +#ifdef HAVE_LIBUTIL_H +#include +#endif #if defined(HAVE_DEV_PTMX) && defined(HAVE_SYS_STROPTS_H) # include #endif ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Mon Oct 21 15:33:15 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 21 Oct 2002 15:33:15 +1000 (EST) Subject: [Bug 418] New: Allow to build on systems without IPV6 Message-ID: <20021021053315.2208B3D138@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=418 Summary: Allow to build on systems without IPV6 Product: Portable OpenSSH Version: -current Platform: All OS/Version: FreeBSD Status: NEW Severity: minor Priority: P2 Component: Miscellaneous AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: dirk.meyer at dinoex.sub.org openssh 3.5p1: AF_INET6 is not included on FreeBSD 2.2.8 so skip it when not detected: --- sshconnect.c.orig Wed Aug 8 00:29:09 2001 +++ sshconnect.c Wed Oct 3 14:28:15 2001 
@@ -577,11 +577,13 @@ sin_addr.s_addr) >> 24) == IN_LOOPBACKNET; salen = sizeof(struct sockaddr_in); break; +#ifdef HAVE_STRUCT_SOCKADDR_IN6 case AF_INET6: local = IN6_IS_ADDR_LOOPBACK( &(((struct sockaddr_in6 *)hostaddr)->sin6_addr)); salen = sizeof(struct sockaddr_in6); break; +#endif default: local = 0; salen = sizeof(struct sockaddr_storage); ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Mon Oct 21 15:34:52 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 21 Oct 2002 15:34:52 +1000 (EST) Subject: [Bug 418] Allow to build on systems without IPV6 Message-ID: <20021021053452.0B5603D138@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=418 dirk.meyer at dinoex.sub.org changed: What |Removed |Added ---------------------------------------------------------------------------- Component|Miscellaneous |Build system ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Mon Oct 21 17:45:36 2002 
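Review bot: as rendered in this archive, the two `#include` lines in the Bug 315 sshpty.c hunk (`# include` under HAVE_PTY_H and the added `+#include` under HAVE_LIBUTIL_H) have lost their header names, presumably angle-bracketed names stripped as markup, so the hunk cannot be applied from this text. On FreeBSD the openpty() prototype quoted in the comment is declared in libutil.h, so guarding on HAVE_LIBUTIL_H is the right shape, but the configure test that defines it has to exist as well; the Bug 317 resolution ("added to includes.h") may already cover this.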
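Review bot: the Bug 418 sshconnect.c hunk is generated against a 2001 copy of the file (the headers are dated Wed Aug 8 2001 and Wed Oct 3 2001) although the report targets 3.5p1, so the `@@ -577,11 +577,13 @@` offsets are unlikely to apply; regenerate it against 3.5p1. Wrapping `case AF_INET6:` in `#ifdef HAVE_STRUCT_SOCKADDR_IN6` leaves the `default:` branch to handle that family on such builds, which sets `local = 0` and `salen = sizeof(struct sockaddr_storage)`; that is harmless if no AF_INET6 address can be produced on the platform, which is worth stating in the change description.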
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 21 Oct 2002 17:45:36 +1000 (EST)
Subject: [Bug 419] New: HP-UX PAM problems with 3.5p1
Message-ID: <20021021074536.37E5F3D1A5@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=419

           Summary: HP-UX PAM problems with 3.5p1
           Product: Portable OpenSSH
           Version: -current
          Platform: HPPA
        OS/Version: HP-UX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: michael_steffens at hp.com

Hello,

thanks very much for releasing OpenSSH 3.5p1!

Unfortunately there are still problems with HP-UX PAM. The attached patch addresses a known one, and one that I haven't found any HP-UX related postings for.

1) pam_open_session() failure with privilege separation and HP-UX running in trusted mode.

This is known and Dan Wanek has posted a patch for 3.4p1 fixing it on July 16:

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102682619813556&w=2

It has got quite good comments and works fine here, but hasn't made it into 3.5p1. Why?

I merged it into 3.5p1 (which exhibits the same problem) manually, and it still does fine, tested on 11.00 and 11.11. (If you decide to merge it into official source trees please remember to give credits to Dan rather than me for this portion :)

2) Failed deletion of credentials in do_pam_cleanup_proc()

This issue seems to be old (observed with 3.1p1, 3.4p1, and 3.5p1 in both trusted and non-trusted mode, both with or without privilege separation). I'm not sure how critical this is, as 3.1p1 seems to run happily for many months without a visible impact, but error messages still look quite odd.

On session termination sshd reports

debug1: Cannot delete credentials[9]: Authentication failed

in debug mode. ("Authentication failed" is reported with privsep. Without, the reason given is "Permission denied".)
When turning on debug logging in syslog, the messages corresponding to session termination are PAM: pam_close_session() PAM: load_function: successful load of pam_sm_close_session PAM: pam_setcred: error Authentication failed PAM: pam_end(): status = Authentication failed Strange enough that pam_end() is reported to have failed too, despite the sshd apparently got PAM_SUCCESS returned! I tried the system native login program to see how it is scheduling PAM session cleanup. Not at all, neither pam_close_session() nor pam_setcred() are being called. Only pam_end(), which is reported to be successful in syslog debug log. When omitting credentials deletion in sshd, and relying on pam_end() to do that implicitly, errors triggered by the daemon vanish, both with and without privsep: PAM: pam_close_session() PAM: load_function: successful load of pam_sm_close_session PAM: pam_end(): status = Success So it seems to be preferrable to skip credentials deletion on HP-UX... Cheers! Michael diff -u -r openssh-3.5p1/auth-pam.c openssh-3.5p1a/auth-pam.c --- openssh-3.5p1/auth-pam.c Sun Jul 28 22:24:08 2002 +++ openssh-3.5p1a/auth-pam.c Wed Oct 16 15:00:01 2002 @@ -186,12 +186,14 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +#ifndef __hpux if (__pamh && creds_set) { pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED); if (pam_retval != PAM_SUCCESS) debug("Cannot delete credentials[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +#endif if (__pamh) { pam_retval = pam_end(__pamh, pam_retval); 
@@ -299,6 +301,18 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval)); session_opened = 1; +} + +/* Set the TTY after session is open */ +void do_pam_set_tty(const char *ttyname) { + int pam_retval; + if (ttyname != NULL) { + debug("PAM setting tty to \"%.200s\"", ttyname); + pam_retval = pam_set_item(__pamh, PAM_TTY, ttyname); + if (pam_retval != PAM_SUCCESS) + fatal("PAM set tty failed[%d]: %.200s", + pam_retval, PAM_STRERROR(__pamh, pam_retval)); + } } /* Set PAM credentials */ diff -u -r openssh-3.5p1/auth-pam.h openssh-3.5p1a/auth-pam.h --- openssh-3.5p1/auth-pam.h Tue Jul 23 02:44:07 2002 +++ openssh-3.5p1a/auth-pam.h Wed Oct 16 10:00:40 2002 @@ -39,6 +39,7 @@ int do_pam_authenticate(int flags); int do_pam_account(char *username, char *remote_user); void do_pam_session(char *username, const char *ttyname); +void do_pam_set_tty(const char *ttyname); void do_pam_setcred(int init); void print_pam_messages(void); int is_pam_password_change_required(void); diff -u -r openssh-3.5p1/session.c openssh-3.5p1a/session.c --- openssh-3.5p1/session.c Thu Sep 26 02:38:50 2002 +++ openssh-3.5p1a/session.c Wed Oct 16 15:01:40 2002 @@ -454,7 +454,6 @@ session_proctitle(s); #if defined(USE_PAM) - do_pam_session(s->pw->pw_name, NULL); do_pam_setcred(1); if (is_pam_password_change_required()) packet_disconnect("Password change required but no " @@ -581,7 +580,7 @@ ttyfd = s->ttyfd; #if defined(USE_PAM) - do_pam_session(s->pw->pw_name, s->tty); + do_pam_set_tty(s->tty); do_pam_setcred(1); #endif 
@@ -1238,6 +1237,13 @@ * Reestablish them here. */ do_pam_setcred(0); + + /* + * We need to open the session here because PAM on HP-UX does not + * work after the call to permanently_set_uid. + */ + do_pam_session(pw->pw_name,NULL); + # endif /* USE_PAM */ # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) irix_setusercontext(pw);

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Mon Oct 21 17:54:26 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 21 Oct 2002 17:54:26 +1000 (EST)
Subject: [Bug 419] HP-UX PAM problems with 3.5p1
Message-ID: <20021021075426.DDDD63D1FE@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=419

------- Additional Comments From michael_steffens at hp.com 2002-10-21 17:54 -------
Created an attachment (id=157)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=157&action=view)
Patches for making privsep run with HP-UX trusted mode and avoid credentials deletion errors

Sorry, being new to bugzilla I didn't know that attachments will be asked for in the next form. Please excuse the duplication in the description!

!! The majority of this patch is actually by Dan Wanek !! :
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102682619813556&w=2

From Stephan.Hendl at lds.brandenburg.de Mon Oct 21 19:13:20 2002
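Review bot: the `#ifndef __hpux` in the auth-pam.c @@ -186 hunk hides the symptom but the unchanged line `pam_retval = pam_end(__pamh, pam_retval);` is what makes pam_end() appear to fail in the log above: whatever status the previous call returned is handed to pam_end() and reported again, so a failed pam_setcred(PAM_DELETE_CRED) shows up twice. Consider passing PAM_SUCCESS to pam_end() unless the close itself failed, and gating the skipped credential deletion on a configure-detected feature macro rather than a hard-coded `__hpux` test in generic code, so that other PAM implementations with the same behaviour can opt in.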
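Review bot: do_pam_set_tty() in the auth-pam.c @@ -299 hunk calls `pam_set_item(__pamh, PAM_TTY, ttyname)` without checking that `__pamh` is non-NULL, while every other call in this file is guarded with `if (__pamh ...)`; add the same guard (or return early) so a session without an initialised handle cannot fault here. The brace placement in `void do_pam_set_tty(const char *ttyname) {` also departs from the file's style of putting the opening brace of a function on its own line.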
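Review bot: in the session.c @@ -581 hunk `do_pam_set_tty(s->tty);` replaces the do_pam_session() call at a point where the session is no longer open, because the session is now opened later in do_setusercontext() (the @@ -1238 hunk), yet the new function carries the comment "Set the TTY after session is open". Either the comment or the call order is wrong; if PAM_TTY has to be set before pam_open_session() for HP-UX modules to see it, say so in the comment, and note that do_pam_session() is now always called with a NULL ttyname.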
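Review bot: the session.c @@ -1238 hunk moves pam_open_session() into do_setusercontext() for every USE_PAM build, but the comment justifies it only for HP-UX and the companion change in auth-pam.c is guarded with `#ifndef __hpux`; either guard this hunk the same way or explain in the comment why opening the session after fork is correct on all platforms. Style: `do_pam_session(pw->pw_name,NULL);` is missing the space after the comma.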
From: Stephan.Hendl at lds.brandenburg.de (Stephan Hendl)
Date: Mon, 21 Oct 2002 11:13:20 +0200
Subject: howto - chroot environment
Message-ID:

Hi,

is there a howto for implementing a chroot environment with openssh? We have several webusers who are updating their sites and they shouldn't see the files from the others. In the list there are some messages but not a complete one to do this, esp. on a hpux box with openssh-3.5p1.

Thanks
Stephan

From markus at openbsd.org Mon Oct 21 19:31:50 2002
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 21 Oct 2002 11:31:50 +0200
Subject: howto - chroot environment
In-Reply-To:
References:
Message-ID: <20021021093150.GA8984@faui02>

On Mon, Oct 21, 2002 at 11:13:20AM +0200, Stephan Hendl wrote:
> is there a howto for implementing a chroot environment with openssh? We have several webusers who are updating their sites and they shouldn't see the files from the others.

you could use unix groups, too.

From bugzilla-daemon at mindrot.org Mon Oct 21 20:23:47 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 21 Oct 2002 20:23:47 +1000 (EST)
Subject: [Bug 417] please update version field in Bugzilla!
Message-ID: <20021021102347.50DF73D202@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=417

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From djm at mindrot.org 2002-10-21 20:23 -------
Fixed - lazy me

From bugzilla-daemon at mindrot.org Mon Oct 21 20:25:35 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 21 Oct 2002 20:25:35 +1000 (EST)
Subject: [Bug 315] add missing includes and defines for FREEBSD
Message-ID: <20021021102535.65E373D217@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=315

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From djm at mindrot.org 2002-10-21 20:25 -------
This should be fixed as part of bug 317 - libutil.h was added to includes.h if it is present.

From bugzilla-daemon at mindrot.org Mon Oct 21 20:28:50 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 21 Oct 2002 20:28:50 +1000 (EST)
Subject: [Bug 418] Allow to build on systems without IPV6
Message-ID: <20021021102850.3ACFD3D21E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=418

------- Additional Comments From djm at mindrot.org 2002-10-21 20:28 -------
This should already be taken care of by the openbsd-compat/fake-socket.h header. What is the error that you get during compilation?

From nicklange at wi.rr.com Tue Oct 22 00:56:05 2002
From: nicklange at wi.rr.com (Nick Lange)
Date: Mon, 21 Oct 2002 09:56:05 -0500
Subject: Developers word on SFTP/SCP chroot'ing?
Message-ID: <3DB41585.3000207@wi.rr.com>

Hello all,

I've taken a brief skim of the archives available on theaimsgroup and talked to some others regarding the ideas on chroot SSH/SFTP/SCP functionality. I've also investigated a few of the various patches out for chroot sftp|scp|ssh and am a bit at a loss at finding 'an elegant solution' to the problem. Bearing in mind the excellent starting ground of John Furman's chroot ssh patch.

Long story short I see three options:

1. Remove the "stupidity" of scp/sftp and make them smart [i.e. read configuration files, determine acl etc]. I've looked at this approach and it's not pretty. I don't like it from a "getting it done" perspective. The amount of code etc to allow these applications to chroot themselves just doesn't seem pretty. But it might be the right way to go, hence why I ask.

2. Keep multiple copies of the sftp/scp binaries in each user's jail to be executed after the chroot by sshd. On massive user bases I see this as a minor diskspace issue [~50K extra per jailed user], not to mention scripting all the appropriate updates; furthermore, in my specific case at least, in the event of allowing a user into a valid [but jailed, stripped down] shell, scp needs to be neutered to prevent it from copying remote to remote or local to remote. This requires creating a custom version of scp, nothing too terrible. But a more complex setup nonetheless.

3. Finally, there is locking down around ssh, i.e. chroot /chroot/sshdserver and have all users hit that copy. I don't like keeping separate authorization etc, which is why I'm less inclined to see this as an option.

My case against the last option is that users are allowed to know more information than I care to give them :) While they may not have permission to go into another user's homedir, they can still *see it*, which I don't think *needs* to be if there is an elegant way to integrate chroot into the SFTP/SCP/SSH codebase.

While I will be coding for our specific needs here, if I can offer the code after the fact to the masses in a useful fashion I'd like to do so, and for that reason I ask the programmers what, if any, approach would prove more beneficial to everyone else.

Have a good day all,
Nick Lange

From mouring at etoh.eviladmin.org Tue Oct 22 01:59:50 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 21 Oct 2002 10:59:50 -0500 (CDT)
Subject: Developers word on SFTP/SCP chroot'ing?
In-Reply-To: <3DB41585.3000207@wi.rr.com>
Message-ID:

You missed option 4 for which most of the developers agree is the correct one.

Write a shell to handle whatever customized features you need. I've seen one or two sftp/scp only shells floating around. I'm sure they can be modified for your needs.

- Ben

On Mon, 21 Oct 2002, Nick Lange wrote:

> Hello all,
> I've taken a brief skim of the archives available on theaimsgroup and talked
> to some others regarding the ideas on chroot SSH/SFTP/SCP functionality. I've
> also investigated a few of the various patches out for chroot sftp|scp|ssh and
> am a bit at a loss at finding 'an elegant solution' to the problem.
> Bearing in mind the excellent starting ground of John Furman's chroot ssh patch.
> Long story short I see three options:
> 1. Remove the "stupidity" of scp/sftp and make them smart [i.e. read
> configuration files, determine acl etc]. I've looked at this approach and it's
> not pretty. I don't like it from a "getting it done" perspective. The amount of
> code etc to allow these applications to chroot themselves just doesn't seem
> pretty. But it might be the right way to go, hence why I ask.
> 2. Keep multiple copies of the sftp/scp binaries in each user's jail to be
> executed after the chroot by sshd. On massive user bases I see this as a minor
> diskspace issue [~50K extra per jailed user], not to mention scripting all the
> appropriate updates; furthermore, in my specific case at least, in the event
> of allowing a user into a valid [but jailed, stripped down] shell, scp needs to
> be neutered to prevent it from copying remote to remote or local to remote. This
> requires creating a custom version of scp, nothing too terrible. But a more
> complex setup nonetheless.
> 3. Finally, there is locking down around ssh, i.e. chroot /chroot/sshdserver
> and have all users hit that copy. I don't like keeping separate authorization
> etc, which is why I'm less inclined to see this as an option.
>
> My case against the last option is that users are allowed to know more
> information than I care to give them :) While they may not have permission to go
> into another user's homedir, they can still *see it*, which I don't think *needs*
> to be if there is an elegant way to integrate chroot into the SFTP/SCP/SSH codebase.
> While I will be coding for our specific needs here, if I can offer the code
> after the fact to the masses in a useful fashion I'd like to do so, and for that
> reason I ask the programmers what, if any, approach would prove more beneficial
> to everyone else.
> Have a good day all,
> Nick Lange
>
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From mmokrejs at natur.cuni.cz Tue Oct 22 02:21:46 2002
From: mmokrejs at natur.cuni.cz (Martin MOKREJŠ)
Date: Mon, 21 Oct 2002 18:21:46 +0200 (CEST)
Subject: ssh-keygen opens NULL filename
In-Reply-To: <20021017202513.GB1319@nc1701.suryo.com>
Message-ID:

On Thu, 17 Oct 2002, Luc I. Suryo wrote:

Hi,

so finally I can conclude that the problem is caused by including -ldes at the linking step while creating ssh-keygen. The library is picked up from /usr/athena/lib and I just guess that it clashes with libcrypto. Could someone take care of the configure script to make the build require kerberos libraries only in cases when they are really needed.

Yes, my solution will be to delete the libdes from /usr/athena/lib, which is there from older versions of krb4. Newer versions do not have this library anymore, as they know about libcrypto. However, the build should (I think) resist such conditions. I'm willing to test patches. ;)

> > wget ftp://ftp.pdc.kth.se/pub/krb/src/krb4-1.2.tar.gz
> > gzip -dc krb4-1.2.tar.gz | tar xf -
> > cd krb4-1.2
> > ./configure --with-readline --with-x \
> > --with-openssl=/usr/local/openssl --enable-rxkad --enable-shared
> > make install
> > cd ../openssh-3.5p1
> > ./configure --prefix=/usr/local --with-kerberos4=/usr/athena \
> > --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl --without-rsh \
> > --disable-suid-ssh --with-privsep --with-zlib --with-pam
> > make
> > ./ssh-keygen -t dsa -f /tmp/ssh_host_dsa_key -N ""
> >
> > cleanup:
> > rm -rf /usr/athena

# rm ssh-keygen
# gcc -o ssh-keygen ssh-keygen.o -L. -Lopenbsd-compat/ -L/software/@sys/usr/openssl/lib -R/software/@sys/usr/openssl/lib -Lyes -Ryes -L/usr/local/lib -R/usr/local/lib -L/usr/athena/lib -R/usr/athena/lib -lssh -lopenbsd-compat -lresolv -lz -lsocket -lnsl -L/usr/local/lib -L/software/@sys/usr/lib -L/software/@sys/usr/openssl/lib -L/usr/lib -lkrb -ldes -lcrypto
# ./ssh-keygen -t rsa -f /tmp/ssh_host_dsa_key -N ""
Generating public/private rsa key pair.
Key will be saved (private=, identity_file=, passphrase1=, comment=root@)
open failed: No such file or directory.
Saving the key failed: .
# ldd ./ssh-keygen
        libresolv.so.2 =>        /usr/lib/libresolv.so.2
        libz.so =>       /software/@sys/usr/lib/libz.so
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libnsl.so.1 =>   /usr/lib/libnsl.so.1
        libkrb.so.1 =>   /usr/athena/lib/libkrb.so.1
        libdes.so.1 =>   /usr/athena/lib/libdes.so.1
        libc.so.1 =>     /usr/lib/libc.so.1
        libdl.so.1 =>    /usr/lib/libdl.so.1
        libmp.so.2 =>    /usr/lib/libmp.so.2
        /usr/platform/SUNW,Ultra-30/lib/libc_psr.so.1
# rm ssh-keygen
# gcc -o ssh-keygen ssh-keygen.o -L. -Lopenbsd-compat/ -L/software/@sys/usr/openssl/lib -R/software/@sys/usr/openssl/lib -Lyes -Ryes -L/usr/local/lib -R/usr/local/lib -L/usr/athena/lib -R/usr/athena/lib -lssh -lopenbsd-compat -lresolv -lz -lsocket -lnsl -L/usr/local/lib -L/software/@sys/usr/lib -L/software/@sys/usr/openssl/lib -L/usr/lib -lkrb -lcrypto
# ./ssh-keygen -t rsa -f /tmp/ssh_host_dsa_key -N ""
Generating public/private rsa key pair.
/tmp/ssh_host_dsa_key already exists.
Overwrite (y/n)? y
Key will be saved (private=, identity_file=/tmp/ssh_host_dsa_key, passphrase1=, comment=)
Your identification has been saved in /tmp/ssh_host_dsa_key.
Your public key has been saved in /tmp/ssh_host_dsa_key.pub.
The key fingerprint is:
08:c9:e2:bd:72:c6:4f:86:bc:98:c2:d4:9c:54:f4:e0
# ldd ./ssh-keygen
        libresolv.so.2 =>        /usr/lib/libresolv.so.2
        libz.so =>       /software/@sys/usr/lib/libz.so
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libnsl.so.1 =>   /usr/lib/libnsl.so.1
        libkrb.so.1 =>   /usr/athena/lib/libkrb.so.1
        libc.so.1 =>     /usr/lib/libc.so.1
        libdl.so.1 =>    /usr/lib/libdl.so.1
        libmp.so.2 =>    /usr/lib/libmp.so.2
        /usr/platform/SUNW,Ultra-30/lib/libc_psr.so.1
# ls -la /usr/athena/lib/libkrb.*
-rw-r--r--   1 root     other    3451586 Sep 20 12:54 /usr/athena/lib/libkrb.a
-rwxr-xr-x   1 root     other        753 Sep 20 12:54 /usr/athena/lib/libkrb.la
lrwxrwxrwx   1 root     other         15 Sep 20 10:03 /usr/athena/lib/libkrb.so -> libkrb.so.1.1.1
lrwxrwxrwx   1 root     other         15 Sep 20 10:03 /usr/athena/lib/libkrb.so.1 -> libkrb.so.1.1.1
-rw-r--r--   1 root     other     126076 Sep 13 11:18 /usr/athena/lib/libkrb.so.1.0.9
-rwxr-xr-x   1 root     other     309546 Sep 20 10:03 /usr/athena/lib/libkrb.so.1.1.1
# ls -la /usr/athena/lib/libdes.*
lrwxrwxrwx   1 root     other         15 Sep 13 11:18 /usr/athena/lib/libdes.so -> libdes.so.1.0.9
lrwxrwxrwx   1 root     other         15 Sep 13 11:18 /usr/athena/lib/libdes.so.1 -> libdes.so.1.0.9
-rw-r--r--   1 root     other     108124 Sep 13 11:18 /usr/athena/lib/libdes.so.1.0.9
#

--
Martin Mokrejs , PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585

From bugzilla-daemon at mindrot.org Tue Oct 22 05:43:57 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 22 Oct 2002 05:43:57 +1000 (EST)
Subject: [Bug 418] Allow to build on systems without IPV6
Message-ID: <20021021194357.E443F3D155@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=418

dirk.meyer at dinoex.sub.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
            Version|-current                    |older versions

------- Additional Comments From dirk.meyer at dinoex.sub.org 2002-10-22 05:43 -------
sshconnect.c: In function `ssh_create_socket':
sshconnect.c:174: warning: implicit declaration of function `rresvport_af'
sshconnect.c: In function `ssh_exchange_identification':
sshconnect.c:369: warning: comparison between signed and unsigned
sshconnect.c:448: warning: comparison between signed and unsigned
sshconnect.c: In function `check_host_key':
sshconnect.c:516: warning: implicit declaration of function `IN6_IS_ADDR_LOOPBACK'
sshconnect.c:517: dereferencing pointer to incomplete type
sshconnect.c:779: warning: implicit declaration of function `strlcat'
sshconnect.c: In function `ssh_put_password':
sshconnect.c:865: warning: implicit declaration of function `strlcpy'
*** Error code 1

Looking closer, I mixed this up: it's in openssh-3.5, not in openssh-3.5p1! Testing again, my fix is not needed in the portable version.

From djm at mindrot.org Mon Oct 21 20:33:16 2002
From: djm at mindrot.org (Damien Miller)
Date: 21 Oct 2002 20:33:16 +1000
Subject: Patch: sftp client support of "ls [flags] [path [localfile]]" feature
In-Reply-To: <00e601c276e7$1648fc00$4d502ca1@amer.cisco.com>
References: <00e601c276e7$1648fc00$4d502ca1@amer.cisco.com>
Message-ID: <1035196396.1237.2.camel@xenon>

On Sat, 2002-10-19 at 06:44, Calvin Cheng wrote:
> Hello,
>
> I just downloaded OpenSSH 3.5p1. This version has some great improvements in
> sftp client.

Glad you like it.

> But I still miss FTP's "ls [flags] remote-path [localpath]" feature to
> redirect the output of ls/dir to a local file.
>
> The following are the diff outputs against 3.5p1 to enable this feature.

A couple of things:

1. Patches should be in unified "diff -u" format - these are much easier to read.

2. Patches should go to http://bugzilla.mindrot.org/ so they don't rot in our unread mailboxes :)

Thanks,
Damien Miller

From dknodel at csc.com.au Tue Oct 22 11:39:48 2002
From: dknodel at csc.com.au (dknodel at csc.com.au)
Date: Tue, 22 Oct 2002 09:39:48 +0800
Subject: Limiting an authorized key to scp access
Message-ID:

Hi.

I've attempted to restrict a certain authorized key to running scp (using the command=... prefix), but without much luck; has anyone set this up before? I'm not sure if it's because scp on the server end gets command line parameters, or for some other reason.

I've fallen back to using sftp instead, which I have been able to restrict an authorized key to, but the transfer rates I get through sftp are vastly slower than through scp (which didn't make sense to me either; if anyone had an idea why that might be, or has done some comparisons and found them not to be as different as I have, I'd appreciate the information).

I'll also soon be trying to set up a key restricted to rsync over ssh, but I may run into a command-line parameter issue in the command=... prefix (I'm not sure if the rsync server process gets invoked with any arguments or not).

Thanks for any information...

David Knodel

From mike at enoch.org Tue Oct 22 14:28:18 2002
From: mike at enoch.org (Mike Johnson)
Date: Tue, 22 Oct 2002 00:28:18 -0400
Subject: Developers word on SFTP/SCP chroot'ing?
In-Reply-To:
References: <3DB41585.3000207@wi.rr.com>
Message-ID: <20021022042818.GF18702@enoch.org>

Ben Lindstrom [mouring at etoh.eviladmin.org] wrote:
>
>
> You missed option 4 for which most of the developers agree is the correct
> one.
>
> Write a shell to handle whatever customized features you need. I've seen
> one or two sftp/scp only shells floating around. I'm sure they can be
> modified for your needs.

Here's one: http://www.pizzashack.org/rssh/

I've been pretty pleased with it. Patched it to allow the user to run sudo, and then let sudo take care of access.

My opinion is just one from the peanut gallery, but I speak from experience. I started with a patched sshd that did the chroot, but this became unmaintainable (it was based on an older patch) as new versions of openssh were released. Doing it in the shell is -much- easier from a maintainability perspective. It didn't really take much effort to make rssh do what I wanted.

Mike
--
"Would you like to take advantage of wiretap Wednesdays?"
  -- Fed on Sealab 2021
GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc

From xdavid at lib.natur.cuni.cz Tue Oct 22 16:46:28 2002
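Along the lines of the sftp/scp-only shells Ben and Mike mention, and of the command= restriction David Knodel asked about, here is an added example (not rssh and not OpenSSH code) of a minimal POSIX sh script that works either as a login shell or as a forced command: it permits only the server-side scp -t/-f invocations and the sftp subsystem, and rejects every other option (such as -S, which would let the client name a program for the server to run). The install name scponly-sh, the sftp-server binary name and the use of $HOME as the working directory are assumptions.

```shell
#!/bin/sh
# scponly-sh: restricted login shell / forced command that only lets the
# server-side halves of scp and the sftp subsystem run.  Added example for
# this thread; not rssh, not part of OpenSSH.  Assumptions (hypothetical):
#   - the sftp subsystem binary is called sftp-server (any directory)
#   - installed as scponly-sh and used either as the user's login shell
#     (sshd then runs "scponly-sh -c CMD") or via command="scponly-sh" in
#     authorized_keys, where sshd passes CMD in SSH_ORIGINAL_COMMAND

# is_safe_path ARG: 0 if ARG is a plain path with no option prefix, no shell
# metacharacters and no ".." component.  Paths with whitespace are refused,
# a known limitation of splitting the command line on blanks below.
is_safe_path() {
    case "$1" in
        ""|-*|*/../*|../*|*/..|..) return 1 ;;
        *[!A-Za-z0-9_./-]*)        return 1 ;;
    esac
    return 0
}

# check_command CMDLINE: 0 if CMDLINE is an "scp -t DIR" / "scp -f FILE"
# request or a bare sftp-server invocation, 1 otherwise.  Refusing every
# option not on the allow list is what keeps "-S program" or "-o ..."
# out, since scp would otherwise run whatever the client names.
check_command() {
    set -f               # no globbing while the command line is split
    set -- $1            # split CMDLINE on whitespace into $1, $2, ...
    set +f
    [ $# -gt 0 ] || return 1
    case "$1" in
        sftp-server|*/sftp-server)
            [ $# -eq 1 ] || return 1      # the subsystem takes no arguments
            return 0 ;;
        scp) ;;
        *)   return 1 ;;
    esac
    shift
    mode=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -t|-f)                        # exactly one direction flag
                [ -z "$mode" ] || return 1
                mode=$1 ;;
            -r|-p|-d|-v) ;;               # harmless scp flags
            -*) return 1 ;;               # anything else, e.g. -S or -o
            *)  break ;;
        esac
        shift
    done
    [ -n "$mode" ] || return 1
    [ $# -eq 1 ] || return 1              # exactly one path operand
    is_safe_path "$1"
}

# restricted_main ARGS: entry point.  As a login shell we are invoked as
# "scponly-sh -c CMD"; as a forced command the client's request arrives in
# SSH_ORIGINAL_COMMAND.  Interactive logins (no command) are refused.
restricted_main() {
    if [ "$1" = "-c" ]; then
        cmd=$2
    else
        cmd=${SSH_ORIGINAL_COMMAND:-}
    fi
    if check_command "$cmd"; then
        cd "${HOME:-/}" || exit 1
        set -f; set -- $cmd; set +f
        exec "$@"
    fi
    echo "scponly-sh: command not permitted: $cmd" >&2
    exit 1
}

# Only dispatch when running under the installed name, so the functions can
# also be sourced and exercised on their own.
case "${0##*/}" in
    scponly-sh) restricted_main "$@" ;;
esac
```

This only constrains what sshd will exec for the account; it does not hide other users' directories, so it complements filesystem permissions or a chroot rather than replacing them.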
From: xdavid at lib.natur.cuni.cz (David Komanek)
Date: Tue, 22 Oct 2002 08:46:28 +0200 (CEST)
Subject: PrivSep on Tru64Unix boxes [was Re: OpenSSH 3.5p1, Solaris 8, BSM, cron issue]
In-Reply-To:
Message-ID:

> BSM and privsep is pretty much in the same category as PAM and privsep.
> The BSM patch does two things only one of which impacts the cron job
> problem. The first and most important thing it does is setup the users
> audit mask. The second is to write login/logout audit records to the BSM
> audit log. Both of these things need uid 0 to work on Solaris.

I can confirm the same problem for Tru64Unix 5.1A with the enhanced security option enabled. The OpenSSH login procedure with PrivSep enabled ends up with an error on audit subsystem calls. I think it is a common issue in any system with password security better than shadowed passwords and no real PAMs. In this case, PrivSep appears pretty unusable for me, I think. Or do I miss something basic?

David Komanek

From delerabo at lycos.com Wed Oct 23 05:39:28 2002
From: delerabo at lycos.com (delerabo at lycos.com)
Date: Tue, 22 Oct 2002 20:39:28 +0100
Subject: BUSINESS PROPOSITION
Message-ID: <20021022193913.C665A3D165@shitei.mindrot.org>

Dear Sir,

We are a group of African Nationals who intend to extend our investment to countries that have a favourable business climate. Our preferences are America, Europe and Asia; we would need a reputable individual or firm with an idea of the African business environment and also a firm of high net fold capital influx able to manage and invest in moderate capital ventures.

For further discussions contact us on this address.

yours faithfully

Engr Dele Rabo

From pasacki at sandia.gov Wed Oct 23 07:31:20 2002
From: pasacki at sandia.gov (Phil)
Date: Tue, 22 Oct 2002 15:31:20 -0600
Subject: 3.5p1, krb5 ssh -X-> sshd (F-Secure 3.0.1)?
Message-ID: <200210222131.g9MLVKP14918@sahp4671.sandia.gov>

I built openssh 3.5p1 with (--with-kerberos5=DIR) krb5-1.2.6 and openssl 0.9.6g on RedHat 7.2 and have been trying to get it to talk with a commercial ssh, identified in the ssh -v output snippet below:

.
.
.
debug1: Remote protocol version 1.99, remote software version 3.0.1 F-SECURE SSH SNL1.0
debug1: match: 3.0.1 F-SECURE SSH SNL1.0 pat 3.0.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.5p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
.
.
.

but it fails near the end like this:

.
.
.
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: kerberos-tgt-2 at ssh.com,kerberos-1 at ssh.com,password,hostbased
debug1: no more auth methods to try
Permission denied (kerberos-tgt-2 at ssh.com,kerberos-1 at ssh.com,password,hostbased).
debug1: Calling cleanup 0x80641a4(0x0)

I've put

KerberosAuthentication yes

into ssh_config.

I'm not an expert, so any advice about what I'm missing would be greatly appreciated.

TIA.

From smoogen at lanl.gov Wed Oct 23 08:27:34 2002
From: smoogen at lanl.gov (Stephen Smoogen)
Date: 22 Oct 2002 16:27:34 -0600
Subject: 3.5p1, krb5 ssh -X-> sshd (F-Secure 3.0.1)?
In-Reply-To: <200210222131.g9MLVKP14918@sahp4671.sandia.gov>
References: <200210222131.g9MLVKP14918@sahp4671.sandia.gov>
Message-ID: <1035325654.2216.12.camel@smoogen1.lanl.gov>

Ok here is my limited understanding of the issues.

OpenSSH only supports KRB5 using protocol 1 out of the box. The support for protocol 2 is via the GSS-API protocol that is still in IETF until March of next year. Simon Wilkinson from England does the code port for this (but his site seems to have died today for some reason).

Now here is the other problem: the commercial version of the SSH uses its own mechanism to authenticate via SSH in the early 3.0 series. This work was done by a fellow at Sandia by the name of Glen Machin(sp). I have heard this uses a completely different method that isn't ported to OpenSSH at all. I have also heard that it isn't included in the latest SSH.com code either, but I do not know much beyond that.

So for your case at Sandia, I think you will have to try ssh -1 to your server to see if kerberos will work.

On Tue, 2002-10-22 at 15:31, Phil wrote:
>
> I built openssh 3.5p1 with (--with-kerberos5=DIR) krb5-1.2.6 and
> openssl 0.9.6g on RedHat 7.2 and have been trying to get it to talk with a
> commercial ssh, identified in the ssh -v output snippet below:
>
> .
> .
> .
> debug1: Remote protocol version 1.99, remote software version 3.0.1 F-SECURE SSH SNL1.0
> debug1: match: 3.0.1 F-SECURE SSH SNL1.0 pat 3.0.*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.5p1
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> .
> .
> .
> but it fails near the end like this:
>
> .
> .
> .
> debug1: newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: waiting for SSH2_MSG_NEWKEYS
> debug1: newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: done: ssh_kex2.
> debug1: send SSH2_MSG_SERVICE_REQUEST
> debug1: service_accept: ssh-userauth
> debug1: got SSH2_MSG_SERVICE_ACCEPT
> debug1: authentications that can continue: kerberos-tgt-2 at ssh.com,kerberos-1 at ssh.com,password,hostbased
> debug1: no more auth methods to try
> Permission denied (kerberos-tgt-2 at ssh.com,kerberos-1 at ssh.com,password,hostbased).
> debug1: Calling cleanup 0x80641a4(0x0)
>
>
> I've put
>
> KerberosAuthentication yes
>
> into ssh_config.
>
> I'm not an expert, so any advice about what I'm missing would be
> greatly appreciated.
>
> TIA.
>
--
Stephen John Smoogen            smoogen at lanl.gov
Los Alamos National Labrador    CCN-2 B-Schedule PH: Ta-03 SM-261 MailStop P208 DP 17U
Los Alamos, NM 87545

From Stephan.Hendl at lds.brandenburg.de Wed Oct 23 15:32:48 2002
From: Stephan.Hendl at lds.brandenburg.de (Stephan Hendl)
Date: Wed, 23 Oct 2002 07:32:48 +0200
Subject: testmail - please ignore
Message-ID:

From markus at openbsd.org Wed Oct 23 21:56:13 2002
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 23 Oct 2002 13:56:13 +0200
Subject: 3.5p1, krb5 ssh -X-> sshd (F-Secure 3.0.1)?
In-Reply-To: <200210222131.g9MLVKP14918@sahp4671.sandia.gov>
References: <200210222131.g9MLVKP14918@sahp4671.sandia.gov>
Message-ID: <20021023115613.GB36@folly>

On Tue, Oct 22, 2002 at 03:31:20PM -0600, Phil wrote:
> debug1: Remote protocol version 1.99, remote software version 3.0.1 F-SECURE SSH SNL1.0

this f-secure version has some kind of undocumented Kerberos authentication, so setting this:

> KerberosAuthentication yes

in openssh won't help.

-m

From riek at de.alcove.com Thu Oct 24 01:07:05 2002
From: riek at de.alcove.com (Daniel Riek)
Date: Wed, 23 Oct 2002 17:07:05 +0200
Subject: Partial auth patch with priv. sep.?
Message-ID: <20021023150705.GD10932@de.alcove.com>

Hi,

some time ago there was a patch introducing partial authentication for openssh. That feature allows one to, e.g., have a user identified by password AND key.

We have an application where we used that patch. But after the introduction of priv. separation, it seems not to be a trivial task to port the patch.

I did not find anything on that topic since, so I am wondering if anybody is working on porting it? Or are there any current plans to bring partial auth to the main tree?

Regards,
Daniel

--
Daniel Riek - http://www.alcove.com/de/
* Technical Manager - Tel.: +49 (0)2 28 / 9 08 69 85
* ALCOVE Deutschland GmbH - Fax: +49 (0)2 28 / 9 08 69 84
* Liberating Software - Mobil: +49 (0)1 71 / 2 80 08 79

From cawlfiel at austin.ibm.com Thu Oct 24 04:10:52 2002
From: cawlfiel at austin.ibm.com (cawlfiel)
Date: Wed, 23 Oct 2002 13:10:52 -0500
Subject: [PATCH] AIX password expiration
References: <3DA95AEE.FA1FB622@zip.com.au> <3DB10574.E0F54804@zip.com.au>
Message-ID: <3DB6E62C.B67991EF@austin.ibm.com>

Darren, I tested your patch on AIX 5.1 and it works perfectly. Excellent work!

Darren Tucker wrote:
>
> Darren Tucker wrote:
> > The patch extends the loginrestrictions test to include expired
> > accounts and adds PAM-like password expiry and forced change.
>
> I've updated the patch. The diff is against 3.5p1. There should be no
> functional differences between the original and this patch.
>
> I'm still interested in feedback from anyone who tried either or has
> comments on the patch itself.
>
> The changes relative to the previous patch are:
>
> * cleaned up somewhat.
> * added some debugs
> * now frees memory allocated by library functions
> * added some comments

-----------------------
Kevin Cawlfield
AIX IP Security
cawlfiel at austin.ibm.com
-----------------------

From dan at doxpara.com Thu Oct 24 05:41:10 2002
From: dan at doxpara.com (Dan Kaminsky)
Date: Wed, 23 Oct 2002 12:41:10 -0700
Subject: Java Interface to SSH2
Message-ID: <3DB6FB56.1000903@doxpara.com>

http://www.jcraft.com/jsch/

I swear, I almost did a little jig right in front of my keyboard when this web page opened up. Basically, programmatic access to network resources on the other side of an SSH daemon, written by the guys who did WeirdX (x server for java). So for example, you could expose SSHD on your server, then route all your funky java traffic through jsch and poke through firewalls w/ full cryptography and authentication enabled.

Excellent. They still need to implement pubkey authentication and compression, but still -- cracklin' good stuff.

--Dan
www.doxpara.com

From nandagopalnair at netscape.net Thu Oct 24 08:33:50 2002
From: nandagopalnair at netscape.net (Nandu Nair)
Date: Wed, 23 Oct 2002 14:33:50 -0800
Subject: (no subject)
Message-ID: <3DB723CE.3080104@netscape.net>

From mouring at etoh.eviladmin.org Thu Oct 24 15:06:30 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 24 Oct 2002 00:06:30 -0500 (CDT)
Subject: [PATCH] AIX password expiration
In-Reply-To: <3DB6E62C.B67991EF@austin.ibm.com>
Message-ID:

This still needs to be limited to v1. Because it is not correct for v2.

- Ben

On Wed, 23 Oct 2002, cawlfiel wrote:

> Darren, I tested your patch on AIX 5.1 and it works perfectly.
> Excellent work!
>
> Darren Tucker wrote:
> >
> > Darren Tucker wrote:
> > > The patch extends the loginrestrictions test to include expired
> > > accounts and adds PAM-like password expiry and forced change.
> >
> > I've updated the patch. The diff is against 3.5p1. There should be no
> > functional differences between the original and this patch.
> >
> > I'm still interested in feedback from anyone who tried either or has
> > comments on the patch itself.
> >
> > The changes relative to the previous patch are:
> >
> > * cleaned up somewhat.
> > * added some debugs
> > * now frees memory allocated by library functions
> > * added some comments
>
> -----------------------
>
> Kevin Cawlfield
> AIX IP Security
> cawlfiel at austin.ibm.com
>
> -----------------------
>

From dtucker at zip.com.au Thu Oct 24 19:36:04 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 24 Oct 2002 19:36:04 +1000
Subject: [PATCH] AIX password expiration
References:
Message-ID: <3DB7BF04.83FB815D@zip.com.au>

Ben Lindstrom wrote:
> This still needs to be limited to v1. Because it is not correct for v2.

You mean it should use SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ? If so I had a look at auth2.c and I've got no idea where to even start. Any clues or pointers (other than RTFRFC, which I'm about to do)?

I guess any code that handles it should also handle do_pam_chauthtok too?

> On Wed, 23 Oct 2002, cawlfiel wrote:
> > Darren, I tested your patch on AIX 5.1 and it works perfectly.
> > Excellent work!

Thanks, but the credit belongs to Pablo Sor and Mark Pitt. All I did was combine their patches.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From xiwang17 at yahoo.com Fri Oct 25 00:37:27 2002
From: xiwang17 at yahoo.com (Roger Wang)
Date: Thu, 24 Oct 2002 07:37:27 -0700 (PDT)
Subject: A question about OpenSSH_3.4p1 on Solaris 8
Message-ID: <20021024143727.39809.qmail@web13307.mail.yahoo.com>

Hi, I'm doing tests with OpenSSH. The question I have is when I issue "ssh -l test1 localhost", there are two additional "sshd" daemons spawned - there should be only one. I don't know why. Appreciate if anybody can give me some clue. Please make sure to include my address since I'm not in the list yet. Thanks in advance.

Below is the procedure:

$ ps -ef | grep sshd
    root  4953     1  0 10:04:32 ?      0:00 /usr/local/sbin/sshd
  wroger  5088  4751  0 10:29:21 pts/2  0:00 grep sshd
$
$
$ ssh -l test1 192.168.182.184
test1 at 192.168.182.184's password:
Last login: Thu Oct 24 10:32:32 2002 from unknown
Sun Microsystems Inc.   SunOS 5.8   Generic Patch   October 2001
$ ps -ef | grep sshd
   test1  5198  5196  0 10:32:47 ?      0:00 /usr/local/sbin/sshd
    root  4953     1  0 10:04:32 ?      0:00 /usr/local/sbin/sshd
    root  5196  4953  1 10:32:43 ?      0:00 /usr/local/sbin/sshd
$
$ ps -ef | grep ssh
   test1  5198  5196  0 10:32:47 ?      0:00 /usr/local/sbin/sshd
    root  4953     1  0 10:04:32 ?      0:00 /usr/local/sbin/sshd
  wroger  5166  4751  0 10:32:42 pts/2  0:01 ssh -l test1 192.168.182.184
    root  5196  4953  0 10:32:43 ?      0:00 /usr/local/sbin/sshd
$

From mouring at etoh.eviladmin.org Fri Oct 25 02:02:58 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 24 Oct 2002 11:02:58 -0500 (CDT)
Subject: A question about OpenSSH_3.4p1 on Solaris 8
In-Reply-To: <20021024143727.39809.qmail@web13307.mail.yahoo.com>
Message-ID:

This is the correct behavior. This is what privilege separation does.

After you login it splits into two sections.. the 'user owned' part which drops all root privs and which does 99% of the work, and a root privs part that only does SELECTIVE things that require root to do them.

- Ben

On Thu, 24 Oct 2002, Roger Wang wrote:

> Hi, I'm doing tests with OpenSSH. The question I have
> is when I issue "ssh -l test1 localhost", there are
> two additional "sshd" daemons spawned - there should
> be only one. I don't know why. Appreciate if anybody
> can give me some clue. Please make sure to include my
> address since I'm not in the list yet. Thanks in
> advance.
>
> Below is the procedure:
>
> $ ps -ef | grep sshd
>     root  4953     1  0 10:04:32 ?      0:00 /usr/local/sbin/sshd
>   wroger  5088  4751  0 10:29:21 pts/2  0:00 grep sshd
> $
> $
> $ ssh -l test1 192.168.182.184
> test1 at 192.168.182.184's password:
> Last login: Thu Oct 24 10:32:32 2002 from unknown
> Sun Microsystems Inc.   SunOS 5.8   Generic Patch   October 2001
> $ ps -ef | grep sshd
>    test1  5198  5196  0 10:32:47 ?      0:00 /usr/local/sbin/sshd
>     root  4953     1  0 10:04:32 ?      0:00 /usr/local/sbin/sshd
>     root  5196  4953  1 10:32:43 ?      0:00 /usr/local/sbin/sshd
> $
> $ ps -ef | grep ssh
>    test1  5198  5196  0 10:32:47 ?      0:00 /usr/local/sbin/sshd
>     root  4953     1  0 10:04:32 ?      0:00 /usr/local/sbin/sshd
>   wroger  5166  4751  0 10:32:42 pts/2  0:01 ssh -l test1 192.168.182.184
>     root  5196  4953  0 10:32:43 ?      0:00 /usr/local/sbin/sshd
> $
>
From mouring at etoh.eviladmin.org Fri Oct 25 02:10:46 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 24 Oct 2002 11:10:46 -0500 (CDT)
Subject: [PATCH] AIX password expiration
In-Reply-To: <3DB7BF04.83FB815D@zip.com.au>
Message-ID:

On Thu, 24 Oct 2002, Darren Tucker wrote:

> Ben Lindstrom wrote:
> > This still needs to be limited to v1. Because it is not correct for v2.
>
> You mean it should use SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ? If so I had a
> look at auth2.c and I've got no idea where to even start. Any clues or
> pointers (other than RTFRFC, which I'm about to do).
>

Yes it should. I agree with it being confusing. I only spent an hour or so looking at it before I was distracted with other issues.

> I guess any code that handles it should also handle do_pam_chauthtok
> too?
>

The patch really should be generic enough that I can split it and get the password change functional upstream to OpenBSD and allow the rest of the patch to be in portable tree.

- Ben

From foster at dim.ucsd.edu Fri Oct 25 08:39:11 2002
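For anyone, like Darren above, trying to work out what handling SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ in the protocol 2 code actually involves, here is an added example (not OpenSSH code, not part of the patch) of the two messages on the wire as the secsh userauth draft (later RFC 4252) specifies them: the server sends message 60 with a prompt and language tag, and the client replies with a USERAUTH_REQUEST for the "password" method whose boolean is TRUE and which carries both the old and the new password. The encoder/decoder below uses its own small cursor type and fixed buffer sizes; those, and the function names, are assumptions for this illustration, and the decoder is bounds-checked so a hostile length field cannot read past the message.

```c
/*
 * Added example: SSH2 password-change messages (RFC 4252 sections 5.1/8).
 * Not OpenSSH's packet code; cursor type, buffer sizes and names are
 * assumptions made for this illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SSH2_MSG_USERAUTH_REQUEST          50
#define SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ 60

/* Bounds-checked cursor over a message buffer (off <= len always). */
struct cursor { uint8_t *buf; size_t len; size_t off; };

static int put_u8(struct cursor *c, uint8_t v)
{
    if (c->len - c->off < 1) return -1;
    c->buf[c->off++] = v;
    return 0;
}

/* SSH "string": uint32 big-endian length followed by the bytes. */
static int put_string(struct cursor *c, const char *s)
{
    size_t n = strlen(s);
    if (n > 0xffffffffu || c->len - c->off < 4 + n) return -1;
    c->buf[c->off++] = (uint8_t)(n >> 24);
    c->buf[c->off++] = (uint8_t)(n >> 16);
    c->buf[c->off++] = (uint8_t)(n >> 8);
    c->buf[c->off++] = (uint8_t)n;
    memcpy(c->buf + c->off, s, n);
    c->off += n;
    return 0;
}

static int get_u8(struct cursor *c, uint8_t *v)
{
    if (c->len - c->off < 1) return -1;
    *v = c->buf[c->off++];
    return 0;
}

/* Copies a string out NUL-terminated; rejects a length that runs past
 * the message or would not fit, so a malformed length is harmless. */
static int get_string(struct cursor *c, char *out, size_t outsz)
{
    if (c->len - c->off < 4) return -1;
    uint32_t n = ((uint32_t)c->buf[c->off] << 24) | ((uint32_t)c->buf[c->off + 1] << 16) |
                 ((uint32_t)c->buf[c->off + 2] << 8) | (uint32_t)c->buf[c->off + 3];
    c->off += 4;
    if (n > c->len - c->off || n >= outsz) return -1;
    memcpy(out, c->buf + c->off, n);
    out[n] = '\0';
    c->off += n;
    return 0;
}

/* Server -> client: SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ. Returns length or -1. */
long build_passwd_changereq(uint8_t *out, size_t outsz, const char *prompt, const char *lang)
{
    struct cursor c = { out, outsz, 0 };
    if (put_u8(&c, SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ) ||
        put_string(&c, prompt) || put_string(&c, lang))
        return -1;
    return (long)c.off;
}

/* Client -> server: "password" method. new_pw == NULL gives the ordinary
 * request (boolean FALSE, one password); otherwise the change form. */
long build_password_request(uint8_t *out, size_t outsz, const char *user,
                            const char *service, const char *pw, const char *new_pw)
{
    struct cursor c = { out, outsz, 0 };
    if (put_u8(&c, SSH2_MSG_USERAUTH_REQUEST) || put_string(&c, user) ||
        put_string(&c, service) || put_string(&c, "password") ||
        put_u8(&c, new_pw != NULL ? 1 : 0) || put_string(&c, pw))
        return -1;
    if (new_pw != NULL && put_string(&c, new_pw))
        return -1;
    return (long)c.off;
}

struct password_request {
    char user[64], service[64], password[128], new_password[128];
    int change;   /* 1 when the client is answering a PASSWD_CHANGEREQ */
};

/* Server side: parse a USERAUTH_REQUEST for the password method.
 * Returns 0 on success, -1 on any malformed message or trailing data. */
int parse_password_request(const uint8_t *in, size_t len, struct password_request *r)
{
    struct cursor c = { (uint8_t *)in, len, 0 };
    uint8_t type, change;
    char method[16];
    memset(r, 0, sizeof *r);
    if (get_u8(&c, &type) || type != SSH2_MSG_USERAUTH_REQUEST) return -1;
    if (get_string(&c, r->user, sizeof r->user) ||
        get_string(&c, r->service, sizeof r->service) ||
        get_string(&c, method, sizeof method) || strcmp(method, "password") != 0)
        return -1;
    if (get_u8(&c, &change) || get_string(&c, r->password, sizeof r->password)) return -1;
    r->change = change != 0;
    if (r->change && get_string(&c, r->new_password, sizeof r->new_password)) return -1;
    return c.off == c.len ? 0 : -1;   /* no trailing bytes allowed */
}

int main(void)
{
    uint8_t buf[512];
    struct password_request r;
    long n = build_password_request(buf, sizeof buf, "testuser", "ssh-connection", "old", "new");
    if (n < 0 || parse_password_request(buf, (size_t)n, &r) != 0) return 1;
    printf("user=%s change=%d\n", r.user, r.change);
    return 0;
}
```

The point for the server side is the boolean: the same "password" method name arrives in both the ordinary and the change-request form, so the parser must read the flag before deciding how many passwords follow, and must reject a message whose declared string lengths do not add up to the packet length.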
From: foster at dim.ucsd.edu (David Foster)
Date: Thu, 24 Oct 2002 15:39:11 -0700 (PDT)
Subject: [SUMMARY] Problems with 'last' (when OpenSSH compiled 64-bit)
Message-ID: <200210242239.g9OMdBi29766@dim.ucsd.edu>

Problem:

'last' output is incorrect, /var/adm/wtmpx is corrupted. Example:

foster    pts/1                 Wed Dec 31 16:00   still logged in
foster    pts/3        dim      Thu Aug  1 14:34   still logged in

Solution: (workaround)

This turned out to be an OpenSSH problem! If OpenSSH (only tested versions 3.4p1 and 3.5p1) is compiled 64-bit it corrupts the /var/adm/wtmpx file upon first connection, possibly due to an inappropriate data-type (length) being used for one of the records of the structure written to this file (my guess). This problem occurs when compiling with gcc 3.2 or Sun Workshop 5.0.

Compiling 32-bit (gcc 3.2 or Workshop 5.0) solved the problem.

If anyone has time to peruse the code to determine what is doing the Wrong Thing please post your findings!

Casper Dik referred to a more general problem with OpenSSH corrupting wtmpx:

"There's a known problem with some versions of OpenSSH that corrupt utmpx/wtmpx. [...] I think it was caused by OpenSSH updating both utmp and utmpx; that has always been wrong (either update one or the other and the routines will make sure that the files are shadowed; with Solaris 8 utmp was removed and some of the code may have broken in those particular circumstances."

Thanks to:
Luc Suryo
Casper Dik

>
> Is anyone else having problems with 'last'? We just upgraded many of our
> boxes from Solaris 8 (07/01) to (10/01), and we are getting incorrect
> results from 'last'. We are at kernel patch level 108528-15.
>
> 59 last | more
> foster    pts/1                 Wed Dec 31 16:00   still logged in
> foster    pts/3        dim      Thu Aug  1 14:34   still logged in
> skchow    console      :0       Wed Jul 31 09:36 - 17:00  (07:24)
>
> The latest date to appear is always "Wed Dec 31 16:00", nothing after
> Aug 1 appears. I've tried initializing /var/adm/[u,w]tmpx with
> 'cat /dev/null >! ..."
> but the problem persists. Looked on SunSolve,
> didn't see any patches specific to 'last'.
>
> Dave Foster

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 David Foster              National Center for Microscopy and Imaging Research
 Programmer/Analyst        University of California, San Diego
 dfoster at ucsd.edu         Department of Neuroscience, Mail 0608
 (858) 534-7968            http://ncmir.ucsd.edu/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 "The reasonable man adapts himself to the world; the unreasonable one
  persists in trying to adapt the world to himself. Therefore, all
  progress depends on the unreasonable." -- George Bernard Shaw

From bugzilla-daemon at mindrot.org Fri Oct 25 13:21:39 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 25 Oct 2002 13:21:39 +1000 (EST)
Subject: [Bug 421] New: compile error on Debian slink
Message-ID: <20021025032139.5AC5F3D162@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=421

           Summary: compile error on Debian slink
           Product: Portable OpenSSH
           Version: 3.5p1
          Platform: ix86
               URL: http://pigtail.net/compile/error.txt
        OS/Version: Linux
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Build system
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: fong at pigtail.net

Platform to compile is a Debian Slink with openssl 0.9.6g installed.

Platform compiles 100% successfully with openssh 3.4p1

Using identical platform, compile error when trying to compile 3.5p1 Openssh, see http://pigtail.net/compile/error.txt for more details.

Thanks
Nicholas Fong

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Oct 25 14:04:03 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 25 Oct 2002 14:04:03 +1000 (EST)
Subject: [Bug 421] compile error on Debian slink
Message-ID: <20021025040403.E3AAA3D1A0@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=421

------- Additional Comments From mouring at eviladmin.org 2002-10-25 14:03 -------

[.. Important part from URL..]

gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -I/usr/local/ssl/include -DHAVE_CONFIG_H -c bsd-getpeereid.c
bsd-getpeereid.c: In function `getpeereid':
bsd-getpeereid.c:35: storage size of `cred' isn't known
bsd-getpeereid.c:35: warning: unused variable `cred'
make[1]: *** [bsd-getpeereid.o] Error 1

I dealt with this recently on an old Redhat 6.2 Alpha box. Your glibc is out of date. You more than likely have 2.0. Which does not include the correct headers from kernel space (back when /usr/includes/linux/ was linked to /usr/src/linux/include/).

The hack is to just do a #undef SO_PEERCRED at the top of the bsd-getpeereid.c file.

As for a better solution. I'm not sure. I don't want to include stuff. That I think is the wrong solution.

From bugzilla-daemon at mindrot.org Fri Oct 25 16:06:36 2002
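To show what the failing compile above is about, here is an added example (not OpenSSH's bsd-getpeereid.c, not the fix discussed in the bug) of a getpeereid() replacement: the Linux path needs struct ucred together with SO_PEERCRED from matching glibc/kernel headers, which is exactly the type the old glibc on slink does not know about, and the fallback when no peer-credential mechanism is available fails closed rather than returning made-up ids. The function names and the trust rule in peer_is_trusted() are assumptions for this illustration; the self-check uses a socketpair so it runs without a real client.

```c
/*
 * Added example: peer credentials on a unix-domain socket. Not the
 * project's bsd-getpeereid.c; names and the trust rule are assumptions.
 */
#define _GNU_SOURCE                    /* struct ucred needs this on glibc */
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <errno.h>
#include <stdio.h>

int my_getpeereid(int s, uid_t *euid, gid_t *egid)
{
#if defined(SO_PEERCRED)
    struct ucred cred;                 /* the type the old glibc lacks */
    socklen_t len = sizeof cred;
    if (getsockopt(s, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0)
        return -1;
    if (len != sizeof cred) { errno = EINVAL; return -1; }
    *euid = cred.uid;
    *egid = cred.gid;
    return 0;
#elif defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__)
    return getpeereid(s, euid, egid);  /* native implementation on the BSDs */
#else
    (void)s; (void)euid; (void)egid;
    errno = ENOSYS;                    /* no peer credentials available: do not guess */
    return -1;
#endif
}

/* The kind of check an agent or monitor makes on a unix-socket client:
 * accept the socket owner or root, and fail closed when the peer's
 * identity cannot be established at all. */
int peer_is_trusted(int s, uid_t owner)
{
    uid_t euid;
    gid_t egid;
    if (my_getpeereid(s, &euid, &egid) != 0)
        return 0;
    return euid == owner || euid == 0;
}

/* Self-check: both ends of a socketpair belong to this process, so the
 * peer credentials must equal our own. Returns 0 on success. */
int demo_socketpair_check(void)
{
    int sv[2], rc = -1;
    uid_t euid;
    gid_t egid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    if (my_getpeereid(sv[0], &euid, &egid) == 0 &&
        euid == geteuid() && egid == getegid() &&
        peer_is_trusted(sv[0], geteuid()))
        rc = 0;
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    int rc = demo_socketpair_check();
    printf("peer credential check: %s\n", rc == 0 ? "ok" : "unavailable or mismatch");
    return rc == 0 ? 0 : 1;
}
```

The "#undef SO_PEERCRED" workaround from the comment above makes a real build take the last branch: it compiles, but anything that relies on getpeereid() for an authorisation decision then sees every peer as unknown, which is the safe direction to fail in and a reason to treat the workaround as a build fix rather than a functional one.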
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 25 Oct 2002 16:06:36 +1000 (EST)
Subject: [Bug 421] compile error on Debian slink
Message-ID: <20021025060636.11E933D15B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=421

fong at pigtail.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From fong at pigtail.net 2002-10-25 16:06 -------

Due to old glibc in Debian slink.

Work around tips from anonymous guru: add #undef SO_PEERCRED at the top of the bsd-getpeereid.c

From numerical.simulation at web.de Fri Oct 25 19:48:01 2002
From: numerical.simulation at web.de (Markus Werle)
Date: Fri, 25 Oct 2002 11:48:01 +0200
Subject: hpux 11.i and HAVE_GETADDRINFO
Message-ID: <3DB91350.3132D11C@web.de>

Hi,

After digging through google search results I found the well known hpux 11.i bug occurring after installing the March 2002 patch bundle which breaks DNS lookup for openssh.

After setting HAVE_GETADDRINFO to 0 in config.h and another recompile, ssh works fine and I am happy again.

No more "host nor service provided" error messages.

Q1: Maybe hp has a fix for this already, but I am unsure since I found contradicting messages about this and I dislike polluting my system with unnecessary patches just to try out.

Therefore: If hp has a patch for this and you know about it, please let me know.

Q2: Why not change the configure script to check whether hpux has a broken getaddrinfo and _at_ _least_ emit a warning about this, or stop with an error and point to the patch. Or minimum: Add this info to the INSTALL file or the INSTALL.hpux

In config.h I also found

/* getaddrinfo is broken (if present) */
/* #undef BROKEN_GETADDRINFO */

so maybe the test is there but the result is wrong?

best regards,

Markus

From bugzilla-daemon at mindrot.org Fri Oct 25 23:15:37 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 25 Oct 2002 23:15:37 +1000 (EST)
Subject: [Bug 421] compile error on Debian slink
Message-ID: <20021025131537.2F23D3D16C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=421

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

------- Additional Comments From mouring at eviladmin.org 2002-10-25 23:15 -------

This bug still exists in the source. Don't close it until a final decision is made about how it will be handled in the CVS tree.

From xiwang17 at yahoo.com Sat Oct 26 01:51:29 2002
From: xiwang17 at yahoo.com (Roger Wang)
Date: Fri, 25 Oct 2002 08:51:29 -0700 (PDT)
Subject: A question about OpenSSH_3.4p1 on Solaris 8
In-Reply-To:
Message-ID: <20021025155129.40840.qmail@web13308.mail.yahoo.com>

Ben, thanks for the reply.

What made me curious is there is only one "sshd" daemon generated for commercial SSH - I'm testing both commercial SSH and OpenSSH.

Appreciate if you can give more input on this. I have concern about the performance impact of "sshd". Thanks.

--- Ben Lindstrom wrote:
>
> This is the correct behavior. This is what privilege separation does
>
> After you login it splits into two sections.. the 'user owned' part which
> drops all root privs and which does 99% of the work, and a root privs part
> that only does SELECTIVE things that require root to do them.
>
> - Ben
>
> On Thu, 24 Oct 2002, Roger Wang wrote:
>
> > Hi, I'm doing tests with OpenSSH. The question I have
> > is when I issue "ssh -l test1 localhost", there are
> > two additional "sshd" daemons spawned - there should
> > be only one. I don't know why. Appreciate if anybody
> > can give me some clue. Please make sure to include my
> > address since I'm not in the list yet. Thanks in
> > advance.
> >
> > Below is the procedure:
> >
> > $ ps -ef | grep sshd
> >     root  4953     1  0 10:04:32 ?      0:00 /usr/local/sbin/sshd
> >   wroger  5088  4751  0 10:29:21 pts/2  0:00 grep sshd
> > $
> > $
> > $ ssh -l test1 192.168.182.184
> > test1 at 192.168.182.184's password:
> > Last login: Thu Oct 24 10:32:32 2002 from unknown
> > Sun Microsystems Inc.   SunOS 5.8   Generic Patch   October 2001
> > $ ps -ef | grep sshd
> >    test1  5198  5196  0 10:32:47 ?      0:00 /usr/local/sbin/sshd
> >     root  4953     1  0 10:04:32 ?      0:00 /usr/local/sbin/sshd
> >     root  5196  4953  1 10:32:43 ?      0:00 /usr/local/sbin/sshd
> > $
> > $ ps -ef | grep ssh
> >    test1  5198  5196  0 10:32:47 ?      0:00 /usr/local/sbin/sshd
> >     root  4953     1  0 10:04:32 ?
> >     0:00 /usr/local/sbin/sshd
> >   wroger  5166  4751  0 10:32:42 pts/2  0:01 ssh -l test1 192.168.182.184
> >     root  5196  4953  0 10:32:43 ?      0:00 /usr/local/sbin/sshd
> > $
> >

From mouring at etoh.eviladmin.org Sat Oct 26 01:53:38 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 25 Oct 2002 10:53:38 -0500 (CDT)
Subject: A question about OpenSSH_3.4p1 on Solaris 8
In-Reply-To: <20021025155129.40840.qmail@web13308.mail.yahoo.com>
Message-ID:

On Fri, 25 Oct 2002, Roger Wang wrote:

> Ben, thanks for the reply.
>
> What made me curious is there is only one "sshd"
> daemon generated for commercial SSH - I'm testing both
> commercial SSH and OpenSSH.
>

The reason is the commercial version of ssh lumps all root critical and non root critical code into one process. They step up or down the security as they need it. In the past such designs have proven that any slightest buffer overflow or bad coding can/will cause a compromised server.

> Appreciate if you can give more input on this. I have
> concern about the performance impact of "sshd".
>

Never benchmarked it.. But I see one BSD server I connect to has 33 people on it and who knows what else is running on it. It seems to be doing very well (0.33 load or less). Not dead sure what hardware, but I know it is intel and not multiple processors.

- Ben

From wknox at mitre.org Sat Oct 26 03:50:11 2002
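As an added illustration of the design Ben contrasts above (this is example code, not OpenSSH's monitor.c or anything from the thread), here is the privilege-separation pattern in miniature: a root-owned monitor keeps a short, fixed allowlist of operations that need root, forks a child that permanently drops to an unprivileged uid, and answers that child's requests over a socketpair. Anything outside the allowlist is refused, which is what limits the damage when the bulk of the code, which now runs unprivileged, has the "slightest buffer overflow". The request codes, the verification after dropping privileges, and the use of the "nobody" account as the fallback identity when run as root are assumptions made for this example.

```c
/*
 * Added example, not OpenSSH's monitor code: a root monitor with an
 * allowlist, an unprivileged child, and a socketpair between them.
 * Request codes and the "nobody" fallback are assumptions.
 */
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>

/* Requests the child may make. Anything else is refused, so a compromised
 * child cannot turn the monitor into a general-purpose root proxy. */
enum privsep_req { PRIVSEP_REQ_PTY = 1, PRIVSEP_REQ_LOG = 2 };
enum privsep_reply { PRIVSEP_OK = 0, PRIVSEP_DENIED = 1 };

/* Monitor side: fixed dispatch, no interpretation of child-supplied data. */
int privsep_monitor_dispatch(int req)
{
    switch (req) {
    case PRIVSEP_REQ_PTY:      /* a real monitor would allocate the pty here */
    case PRIVSEP_REQ_LOG:      /* or write the log record here */
        return PRIVSEP_OK;
    default:
        return PRIVSEP_DENIED;
    }
}

/* Child side: give up root for good and verify it cannot be regained.
 * Returns 0 when the process is verifiably unprivileged, -1 otherwise.
 * Harmless when the caller was never root. */
int privsep_drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        if (setgroups(0, NULL) != 0) return -1;  /* supplementary groups first */
        if (setgid(gid) != 0) return -1;         /* gid before uid, or setgid fails */
        if (setuid(uid) != 0) return -1;
    }
    if (geteuid() == 0) return -1;               /* still root: target uid was 0 */
    if (setuid(0) == 0) return -1;               /* privileges must not come back */
    return 0;
}

/* Pick a real unprivileged identity: ourselves if not root, else nobody. */
static void pick_unprivileged_ids(uid_t *uid, gid_t *gid)
{
    if (geteuid() != 0) { *uid = getuid(); *gid = getgid(); return; }
    struct passwd *pw = getpwnam("nobody");     /* assumption: account exists */
    *uid = pw ? pw->pw_uid : (uid_t)65534;
    *gid = pw ? pw->pw_gid : (gid_t)65534;
}

/* Full round trip: fork, drop privileges in the child, send one allowed
 * and one bogus request, report the child's verdict (0 = as expected). */
int privsep_run_demo(void)
{
    int sv[2], status, req;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                              /* unprivileged child */
        uid_t uid; gid_t gid;
        close(sv[0]);
        pick_unprivileged_ids(&uid, &gid);
        if (privsep_drop_privileges(uid, gid) != 0) _exit(2);
        int reqs[2] = { PRIVSEP_REQ_PTY, 99 }, replies[2];
        for (int i = 0; i < 2; i++) {
            if (write(sv[1], &reqs[i], sizeof reqs[i]) != (ssize_t)sizeof reqs[i]) _exit(3);
            if (read(sv[1], &replies[i], sizeof replies[i]) != (ssize_t)sizeof replies[i]) _exit(3);
        }
        _exit(replies[0] == PRIVSEP_OK && replies[1] == PRIVSEP_DENIED ? 0 : 1);
    }
    close(sv[1]);                                /* monitor: serve until the child exits */
    while (read(sv[0], &req, sizeof req) == (ssize_t)sizeof req) {
        int reply = privsep_monitor_dispatch(req);
        if (write(sv[0], &reply, sizeof reply) != (ssize_t)sizeof reply) break;
    }
    close(sv[0]);
    if (waitpid(pid, &status, 0) != pid) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    int rc = privsep_run_demo();
    printf("privsep demo: %s (%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc == 0 ? 0 : 1;
}
```

Two details carry the security argument. First, the order in privsep_drop_privileges(): supplementary groups, then gid, then uid, followed by a check that setuid(0) now fails, since a drop that can be undone is not a drop. Second, the monitor never executes anything the child describes; it only recognises a handful of numbered requests, which is why the extra process costs little beyond a process-table slot, as the replies further down in this thread say.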
From: wknox at mitre.org (William R. Knox)
Date: Fri, 25 Oct 2002 13:50:11 -0400 (EDT)
Subject: A question about OpenSSH_3.4p1 on Solaris 8
In-Reply-To:
Message-ID:

I assume that the CPU overhead of splitting the processing into the two separate processes involves only the communication between the processes, given that the root process only handled things that have to be handled by root and the user-owned process takes care of everything else - therefore, there should be VERY little increased load as a result of privilege separation (which you can turn off as well, if you like) and only a limited additional memory use (for the additional process). Worth it for the protection, I think.

Bill Knox
Senior Operating Systems Programmer/Analyst
The MITRE Corporation

On Fri, 25 Oct 2002, Ben Lindstrom wrote:

> Date: Fri, 25 Oct 2002 10:53:38 -0500 (CDT)
> From: Ben Lindstrom
> To: Roger Wang
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: A question about OpenSSH_3.4p1 on Solaris 8
>
>
>
> On Fri, 25 Oct 2002, Roger Wang wrote:
>
> > Ben, thanks for the reply.
> >
> > What made me curious is there is only one "sshd"
> > daemon generated for commercial SSH - I'm testing both
> > commercial SSH and OpenSSH.
> >
>
> The reason is the commercial version of ssh lumps all root critical and
> non root critical code into one process. They step up or down the
> security as they need it. In the past such designs have proven that any
> slightest buffer overflow or bad coding can/will cause a compromised server.
>
> > Appreciate if you can give more input on this. I have
> > concern about the performance impact of "sshd".
> >
>
> Never benchmarked it.. But I see one BSD server I connect to has 33 people
> on it and who knows what else is running on it. It seems to be doing
> very well (0.33 load or less). Not dead sure what hardware, but I know it
> is intel and not multiple processors.
>
> - Ben
>

From bugzilla-daemon at mindrot.org Sat Oct 26 03:59:59 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 26 Oct 2002 03:59:59 +1000 (EST)
Subject: [Bug 422] New: /bin/sh: ./ssh-keygen: file or directory not found
Message-ID: <20021025175959.72D603D1AF@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=422

           Summary: /bin/sh: ./ssh-keygen: file or directory not found
           Product: Portable OpenSSH
           Version: 3.5p1
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Build system
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: dh at onclick.org

Hi,

the compilation seems to work fine (compilation just ends without any positive or negative message) but installation makes trouble. See below for how far it works:

/bin/install -c -m 4711 -s ssh-keysign /usr/libexec/ssh-keysign
/bin/install -c -m 0755 -s sftp /usr/bin/sftp
/bin/install -c -m 0755 -s sftp-server /usr/libexec/sftp-server
/bin/install -c -m 644 ssh.1.out /usr/man/cat1/ssh.1
/bin/install -c -m 644 scp.1.out /usr/man/cat1/scp.1
/bin/install -c -m 644 ssh-add.1.out /usr/man/cat1/ssh-add.1
/bin/install -c -m 644 ssh-agent.1.out /usr/man/cat1/ssh-agent.1
/bin/install -c -m 644 ssh-keygen.1.out /usr/man/cat1/ssh-keygen.1
/bin/install -c -m 644 ssh-keyscan.1.out /usr/man/cat1/ssh-keyscan.1
/bin/install -c -m 644 sshd_config.5.out /usr/man/cat5/sshd_config.5
/bin/install -c -m 644 ssh_config.5.out /usr/man/cat5/ssh_config.5
/bin/install -c -m 644 sshd.8.out /usr/man/cat8/sshd.8
if [ ! -z "" ]; then \
	/bin/install -c -m 644 ssh-rand-helper.8.out /usr/man/cat8/ssh-rand-helper.8 ; \
fi
/bin/install -c -m 644 sftp.1.out /usr/man/cat1/sftp.1
/bin/install -c -m 644 sftp-server.8.out /usr/man/cat8/sftp-server.8
/bin/install -c -m 644 ssh-keysign.8.out /usr/man/cat8/ssh-keysign.8
rm -f /usr/bin/slogin
ln -s ./ssh /usr/bin/slogin
rm -f /usr/man/cat1/slogin.1
ln -s ./ssh.1 /usr/man/cat1/slogin.1
if [ !
-d /usr/etc ]; then \
	./mkinstalldirs /usr/etc; \
fi
/usr/etc/ssh_config already exists, install will not overwrite
/usr/etc/sshd_config already exists, install will not overwrite
/usr/etc/moduli already exists, install will not overwrite

Here the error appears:

/bin/sh: ./ssh-keygen: file or directory not found

give me a hint!

From Jason.Lacoss-Arnold at AGEDWARDS.com Sat Oct 26 05:47:05 2002
From: Jason.Lacoss-Arnold at AGEDWARDS.com (Lacoss-Arnold, Jason)
Date: Fri, 25 Oct 2002 14:47:05 -0500
Subject: A question about OpenSSH_3.4p1 on Solaris 8
Message-ID: <6808DCE827EBD5119DFB0002A58EF4DA03240AC1@hqempn06.agedwards.com>

The only time that I think a person should be concerned is if you have a very constrained process table and a lot of users. It will take up extra process table entries, but that should be about it.

-----Original Message-----
From: William R. Knox
To: Roger Wang
Cc: openssh-unix-dev at mindrot.org
Sent: 10/25/02 12:50 PM
Subject: Re: A question about OpenSSH_3.4p1 on Solaris 8

I assume that the CPU overhead of splitting the processing into the two separate processes involves only the communication between the processes, given that the root process only handled things that have to be handled by root and the user-owned process takes care of everything else - therefore, there should be VERY little increased load as a result of privilege separation (which you can turn off as well, if you like) and only a limited additional memory use (for the additional process). Worth it for the protection, I think.

Bill Knox
Senior Operating Systems Programmer/Analyst
The MITRE Corporation

On Fri, 25 Oct 2002, Ben Lindstrom wrote:

> Date: Fri, 25 Oct 2002 10:53:38 -0500 (CDT)
> From: Ben Lindstrom
> To: Roger Wang
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: A question about OpenSSH_3.4p1 on Solaris 8
>
>
>
> On Fri, 25 Oct 2002, Roger Wang wrote:
>
> > Ben, thanks for the reply.
> >
> > What made me curious is there is only one "sshd"
> > daemon generated for commercial SSH - I'm testing both
> > commercial SSH and OpenSSH.
> >
>
> The reason is the commercial version of ssh lumps all root critical and
> non root critical code into one process. They step up or down the
> security as they need it. In the past such designs have proven that any
> slightest buffer overflow or bad coding can/will cause a compromised server.
>
> > Appreciate if you can give more input on this. I have
> > concern about the performance impact of "sshd".
> >
>
> Never benchmarked it.. But I see one BSD server I connect to has 33 people
> on it and who knows what else is running on it. It seems to be doing
> very well (0.33 load or less). Not dead sure what hardware, but I know it
> is intel and not multiple processors.
>
> - Ben
>
From mouring at etoh.eviladmin.org Sat Oct 26 09:43:05 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 25 Oct 2002 18:43:05 -0500 (CDT)
Subject: NeXT Community
Message-ID:

I need someone in the NeXT community to apply this to 3.5 and tell me if it solves the mmap issue where it misdetects a working mmap(). My NeXT box is packed up.

If you know anyone in Minnesota that wants a 68k-25mhz Slab w/ 2 B&W monitors, 2 keyboards, 2 mice, NeXT printer and OS. Have them email me. I won't ship it, but I have no more time to be handling an OS this old. =) I have no more tolerance to wait 20 minutes for test compiles.

- Ben

Index: configure.ac =================================================================== RCS file: /var/cvs/openssh/configure.ac,v retrieving revision 1.89.2.2 diff -u -r1.89.2.2 configure.ac --- configure.ac 16 Oct 2002 00:25:40 -0000 1.89.2.2 +++ configure.ac 25 Oct 2002 14:08:43 -0000 @@ -601,12 +601,15 @@ getaddrinfo getcwd getgrouplist getnameinfo getopt getpeereid\ getrlimit getrusage getttyent glob inet_aton inet_ntoa \ inet_ntop innetgr login_getcapbool md5_crypt memmove \ - mkdtemp mmap ngetaddrinfo openpty ogetaddrinfo readpassphrase \ + mkdtemp ngetaddrinfo openpty ogetaddrinfo readpassphrase \ realpath recvmsg rresvport_af sendmsg setdtablesize setegid \ setenv seteuid setgroups setlogin setproctitle setresgid setreuid \ setrlimit setsid setpcred setvbuf sigaction sigvec snprintf \ socketpair strerror strlcat strlcpy strmode sysconf tcgetpgrp \ truncate utimes vhangup vsnprintf waitpid __b64_ntop _getpty) + +dnl Make sure that mmap prototype is defined before defining HAVE_MMAP +AC_CHECK_DECL(mmap, [AC_CHECK_FUNCS(mmap)]) dnl Make sure strsep prototype is defined before defining HAVE_STRSEP AC_CHECK_DECL(strsep, [AC_CHECK_FUNCS(strsep)])

From bgowrish at riverstonenet.com Sat Oct 26 10:28:44 2002
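Review bot: the added AC_CHECK_DECL(mmap, [AC_CHECK_FUNCS(mmap)]) tests for the declaration with autoconf's default include set, which does not contain <sys/mman.h>; on any host where mmap is declared only there, the declaration test fails, AC_CHECK_FUNCS(mmap) never runs, and HAVE_MMAP silently disappears from config.h even though mmap works. Pass the header as the fourth argument, `AC_CHECK_DECL(mmap, [AC_CHECK_FUNCS(mmap)], , [#include <sys/mman.h>])`, and confirm on a known-good Linux or BSD build that HAVE_MMAP is still defined before committing; otherwise the NeXT misdetection fix regresses every platform that currently detects mmap correctly. The strsep check it is modelled on does not have this problem because <string.h> is in the default includes.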
From: bgowrish at riverstonenet.com (M.B. Gowrishankar)
Date: Fri, 25 Oct 2002 17:28:44 -0700
Subject: Question regarding encryption
Message-ID:

Hi,

According to IETF draft draft-ietf-secsh-transport-14.txt, different ciphers(encryption), MAC and compression can be used for one direction say server-to-client and a completely different cipher, MAC and compression for the other direction client-to-server of the same connection.

Is this supported today in OpenSSH, and if not, are there plans to support it in any future releases of the code? If so, in which release is it planned?

thanks
Gowrishankar

From behnam at riverstonenet.com Sat Oct 26 10:45:06 2002
From: behnam at riverstonenet.com (Behnam Behzadi)
Date: Fri, 25 Oct 2002 17:45:06 -0700
Subject: Different ciphers, MAC, compression for inbound and outbound .
Message-ID: <80CC8579BE94854FB8AA48856AA8B33619C3DB@rs-sc-exc4.rs.riverstonenet.com>

Hi,

According to IETF draft draft-ietf-secsh-transport-14.txt, different ciphers(encryption), MAC and compression can be used for one direction say server-to-client and a completely different cipher, MAC and compression for the other direction client-to-server of the same connection.

Is this supported today in OpenSSH, and if not, are there plans to support it in any future releases of the code? If so, in which release is it planned?

Thanks
------
Behnam Behzadi
408-878-6551
http://www.riverstonenet.com

From djm at mindrot.org Sat Oct 26 14:26:33 2002
From: djm at mindrot.org (Damien Miller)
Date: 26 Oct 2002 14:26:33 +1000
Subject: Different ciphers, MAC, compression for inbound and outbound .
In-Reply-To: <80CC8579BE94854FB8AA48856AA8B33619C3DB@rs-sc-exc4.rs.riverstonenet.com>
References: <80CC8579BE94854FB8AA48856AA8B33619C3DB@rs-sc-exc4.rs.riverstonenet.com>
Message-ID: <1035606394.29623.5.camel@localhost.localdomain>

On Sat, 2002-10-26 at 10:45, Behnam Behzadi wrote:
> Hi,
>
> According to IETF draft draft-ietf-secsh-transport-14.txt, different
> ciphers(encryption), MAC and compression can be used for one direction say
> server-to-client and a completely different cipher, MAC and compression for
> the other direction client-to-server of the same connection.
>
> Is this supported today in OpenSSH, and if not, are there plans to support
> it in any future releases of the code? If so, in which release is it
> planned?

This is supported at the protocol level, but there is no way to configure sshd to force different client->server and server->client ciphers.

Why do you want to do this?

-d

From djm at mindrot.org Sat Oct 26 14:29:46 2002
From: djm at mindrot.org (Damien Miller)
Date: 26 Oct 2002 14:29:46 +1000
Subject: A question about OpenSSH_3.4p1 on Solaris 8
In-Reply-To:
References:
Message-ID: <1035606586.29645.7.camel@localhost.localdomain>

On Sat, 2002-10-26 at 03:50, William R. Knox wrote:
> I assume that the CPU overhead of splitting the processing into the two
> separate processes involves only the communication between the processes,
> given that the root process only handled things that have to be handled by
> root and the user-owned process takes care of everything else - therefore,
> there should be VERY little increased load as a result of privilege
> separation (which you can turn off as well, if you like) and only a
> limited additional memory use (for the additional process). Worth it for
> the protection, I think.

Yes, the root-owned process is only called upon for things which require root privileges (e.g. pty allocation). Most of the time the only overhead is a process slot.

-d

From djm at mindrot.org Sat Oct 26 14:30:58 2002
From: djm at mindrot.org (Damien Miller)
Date: 26 Oct 2002 14:30:58 +1000
Subject: [SUMMARY] Problems with 'last' (when OpenSSH compiled 64-bit)
In-Reply-To: <200210242239.g9OMdBi29766@dim.ucsd.edu>
References: <200210242239.g9OMdBi29766@dim.ucsd.edu>
Message-ID: <1035606658.29623.9.camel@localhost.localdomain>

On Fri, 2002-10-25 at 08:39, David Foster wrote:
>
> Problem:
>
> 'last' output is incorrect, /var/adm/wtmpx is corrupted. Example:
>
> foster    pts/1                 Wed Dec 31 16:00   still logged in
> foster    pts/3        dim      Thu Aug  1 14:34   still logged in

Can you track it down to which structure is getting messed up by 64-bit compilation?

-d

From stevesk at pobox.com Sat Oct 26 16:29:56 2002
From: stevesk at pobox.com (Kevin Steves)
Date: Fri, 25 Oct 2002 23:29:56 -0700
Subject: [SUMMARY] Problems with 'last' (when OpenSSH compiled 64-bit)
In-Reply-To: <1035606658.29623.9.camel@localhost.localdomain>
References: <200210242239.g9OMdBi29766@dim.ucsd.edu> <1035606658.29623.9.camel@localhost.localdomain>
Message-ID: <20021026062956.GB2358@jenny.crlsca.adelphia.net>

On Sat, Oct 26, 2002 at 02:30:58PM +1000, Damien Miller wrote:
> Can you track it down to which structure is getting messed up by 64-bit
> compilation?

HP-UX has issues too as discussed in (read the thread):

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=101061376903897&w=2

From stevesk at pobox.com Sat Oct 26 16:52:16 2002
From: stevesk at pobox.com (Kevin Steves)
Date: Fri, 25 Oct 2002 23:52:16 -0700
Subject: hpux 11.i and HAVE_GETADDRINFO
In-Reply-To: <3DB91350.3132D11C@web.de>
References: <3DB91350.3132D11C@web.de>
Message-ID: <20021026065216.GC2358@jenny.crlsca.adelphia.net>

On Fri, Oct 25, 2002 at 11:48:01AM +0200, Markus Werle wrote:
> After digging through google search results I found
> the well known hpux 11.i bug occurring after installing
> the March 2002 patch bundle which breaks DNS lookup
> for openssh.
>
> After setting HAVE_GETADDRINFO to 0 in config.h
> and another recompile, ssh works fine and I am happy again.
>
> No more "host nor service provided" error messages.
>
> Q1: Maybe hp has a fix for this already, but I am unsure
> since I found contradicting messages about this and I dislike
> polluting my system with unnecessary patches just to try out.
>
> Therefore: If hp has a patch for this and you know about it,
> please let me know.

I complained to Mike Huey and others at HP about this issue perhaps 6 or more months ago. I don't know if they have fixed it yet.

> Q2: Why not change the configure script to check whether
> hpux has a broken getaddrinfo and _at_ _least_ emit a warning
> about this, or stop with an error and point to the patch.
> Or minimum: Add this info to the INSTALL file
> or the INSTALL.hpux

A diff to http://www.openssh.com/faq.html would be a start.

> In config.h I also found
> /* getaddrinfo is broken (if present) */
> /* #undef BROKEN_GETADDRINFO */
> so maybe the test is there but the result is wrong?

As I recall that's not a run-time test but per os-spec. I am against labeling HP-UX as broken getaddrinfo--they just need to fix it.

From dtucker at zip.com.au Sat Oct 26 17:33:53 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 26 Oct 2002 17:33:53 +1000
Subject: [PATCH] AIX password expiration
References:
Message-ID: <3DBA4561.776600AF@zip.com.au>

Ben Lindstrom wrote:
> > You mean it should use SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ? If so I had a
> > look at auth2.c and I've got no idea where to even start. Any clues or
> > pointers (other than RTFRFC, which I'm about to do).
> Yes it should. I agree with it being confusing. I only spent an
> hour or so looking at it before I was distracted with other issues.
> The patch really should be generic enough that I can split it and get the
> password change functional upstream to OpenBSD and allow the rest of the
> patch to be in portable tree.

It's still rough but PASSWD_CHANGEREQ in protocol 2 now pretty much works
on AIX. (Without privsep, that is. I've learnt enough to understand why it
doesn't work with privsep, but not how to fix it. Help getting it to work
would be appreciated.)

See attached patch against 3.5p1. Changes:
* password_change_required flag is global (not just #ifdef WITH_PAM)
* the "exec /usr/bin/passwd" changer runs only for protocol 1
* there's an AIX-specific password change routine for protocol 2
* the password auth routines return 2 to indicate password expiry

exec'ing /bin/passwd may be usable for other platforms for protocol 1.
Probably should have configure find passwd.

do_pam_chauthtok() looks like it needs a tty.

Comments?

-Daz.

Example (protocol 2):
$ ssh -p 2022 -l testuser localhost
testuser at localhost's password:
You are required to change your password. Please choose a new one.
Enter testuser at localhost's old password: Enter testuser at localhost's new password: Retype testuser at localhost's new password: Last unsuccessful login: Sat Oct 26 17:01:39 2002 on ssh from localhost Last login: Sat Oct 26 17:02:00 2002 on ssh from localhost [snip] -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- diff -ru openssh-3.5p1.orig/auth-pam.c openssh-3.5p1-aixpassexpire/auth-pam.c --- openssh-3.5p1.orig/auth-pam.c Mon Jul 29 06:24:08 2002 +++ openssh-3.5p1-aixpassexpire/auth-pam.c Sat Oct 26 10:24:59 2002 @@ -59,8 +59,6 @@ /* states for do_pam_conversation() */ enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN; -/* remember whether pam_acct_mgmt() returned PAM_NEW_AUTHTOK_REQD */ -static int password_change_required = 0; /* remember whether the last pam_authenticate() succeeded or not */ static int was_authenticated = 0; diff -ru openssh-3.5p1.orig/auth-passwd.c openssh-3.5p1-aixpassexpire/auth-passwd.c --- openssh-3.5p1.orig/auth-passwd.c Thu Sep 26 09:14:16 2002 +++ openssh-3.5p1-aixpassexpire/auth-passwd.c Sat Oct 26 16:35:19 2002 @@ -42,6 +42,7 @@ #include "log.h" #include "servconf.h" #include "auth.h" +#include "misc.h" #if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) /* Don't need any of these headers for the PAM or SIA cases */ @@ -81,13 +82,15 @@ #endif /* !USE_PAM && !HAVE_OSF_SIA */ extern ServerOptions options; +extern int password_change_required; #ifdef WITH_AIXAUTHENTICATE extern char *aixloginmsg; #endif /* - * Tries to authenticate the user using password. Returns true if - * authentication succeeds. + * Tries to authenticate the user using password. Returns true (1) if + * authentication succeeds, (2) if authentication succeeds but password + * change required. */ int auth_password(Authctxt *authctxt, const char *password) 
@@ -149,14 +152,25 @@ #endif #ifdef WITH_AIXAUTHENTICATE authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); + aix_remove_embedded_newlines(authmsg); - if (authsuccess) + if (authsuccess) { + debug("authenticate() succeeded for user %s: %.100s", pw->pw_name, authmsg); /* We don't have a pty yet, so just label the line as "ssh" */ if (loginsuccess(authctxt->user, get_canonical_hostname(options.verify_reverse_mapping), "ssh", &aixloginmsg) < 0) aixloginmsg = NULL; + } else { + debug("authenticate() failed for user %s: %.100s", pw->pw_name, authmsg); + } + if (authmsg) + xfree(authmsg); + debug("auth_password: authsuccess = %d", authsuccess); + if (authsuccess && password_change_required) { + return 2; + } return(authsuccess); #endif #ifdef KRB4 
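Review bot: in the auth-passwd.c authenticate() hunk, `authmsg` is handed to `debug("... %.100s", pw->pw_name, authmsg)` on both the success and the failure branch, yet the same hunk guards the free with `if (authmsg) xfree(authmsg)` and aix_remove_embedded_newlines() is written to tolerate NULL, so a NULL message is expected; printing NULL through %s is undefined, so use `authmsg ? authmsg : ""` or skip the debug when it is NULL. The hunk also makes `2` a third return value of auth_password() while the existing callers (protocol 1 password auth, the monitor handler) test it as a boolean or with `== 1`; a named constant or a separate out-flag would make those call sites easier to audit.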
@@ -232,4 +246,39 @@ /* Authentication is accepted if the encrypted passwords are identical. */ return (strcmp(encrypted_password, pw_password) == 0); #endif /* !USE_PAM && !HAVE_OSF_SIA */ +} + +/* + * generic password change routine. requires session established and tty alloced + * Like do_pam_chauthtok(), it throws a fatal error if the password can't be changed. + */ + +void +do_tty_change_password(struct passwd *pw) +{ + pid_t pid; + int status; + mysig_t old_signal; + + old_signal = mysignal(SIGCHLD, SIG_DFL); + + if ((pid = fork()) == -1) + fatal("Couldn't fork: %s", strerror(errno)); + + if (pid == 0) { + setuid(pw->pw_uid); + execl("/usr/bin/passwd","passwd",pw->pw_name, + (char *)NULL); + /* execl shouldn't return */ + fatal("Couldn't exec /usr/bin/passwd"); + exit(1); + } + + if (waitpid(pid, &status, 0) == -1) + fatal("Couldn't wait for child: %s", strerror(errno)); + + if (WEXITSTATUS(status)) /* Passwd exited abnormally */ + fatal("Failed to change password for %s, passwd returned %d", pw->pw_name, status); + + mysignal(SIGCHLD, old_signal); } diff -ru openssh-3.5p1.orig/auth.c openssh-3.5p1-aixpassexpire/auth.c --- openssh-3.5p1.orig/auth.c Sun Sep 22 01:26:53 2002 +++ openssh-3.5p1-aixpassexpire/auth.c Sat Oct 26 16:35:59 2002 @@ -59,6 +59,14 @@ Buffer auth_debug; int auth_debug_init; +/* Password change flag */ +int password_change_required = 0; +char *password_change_prompt = NULL; + +#ifdef WITH_AIXAUTHENTICATE +extern char *aixexpiremsg; +#endif + /* * Check if the user is allowed to log in via ssh. If user is listed * in DenyUsers or one of user's groups is listed in DenyGroups, false @@ -75,9 +83,6 @@ const char *hostname = NULL, *ipaddr = NULL; char *shell; int i; -#ifdef WITH_AIXAUTHENTICATE - char *loginmsg; -#endif /* WITH_AIXAUTHENTICATE */ #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) struct spwd *spw; 
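Review bot: in do_tty_change_password() the result of `setuid(pw->pw_uid)` is not checked before `execl("/usr/bin/passwd", ...)`, and the child never changes its group IDs; if setuid() fails, passwd(1) runs for the user with root's credentials, and root is not asked for the old password. Check the return (`if (setuid(pw->pw_uid) == -1) fatal(...)`), set the gid and supplementary groups first, or reuse do_setusercontext(). Smaller points in the same hunk: `fatal()` after a failed execl() makes the following `exit(1)` unreachable, and "passwd returned %d" prints the raw wait status rather than `WEXITSTATUS(status)`.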
@@ -202,19 +207,49 @@ } #ifdef WITH_AIXAUTHENTICATE - if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { - if (loginmsg && *loginmsg) { - /* Remove embedded newlines (if any) */ - char *p; - for (p = loginmsg; *p; p++) { - if (*p == '\n') - *p = ' '; + /* + * Don't check loginrestrictions or expiry for root account (use + * PermitRootLogin to control logins via ssh), or if running as + * non-root user (since loginrestrictions will always fail). + */ + if ( (pw->pw_uid != 0) && (geteuid() == 0) ) { + char *restrictmsg, *expiremsg; + int passexpcode; + + /* check for AIX account restrictions */ + if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &restrictmsg) != 0) { + if (restrictmsg && *restrictmsg) { + aix_remove_embedded_newlines(restrictmsg); + log("Login restricted for %s: %.100s", pw->pw_name, restrictmsg); + xfree(restrictmsg); } - /* Remove trailing newline */ - *--p = '\0'; - log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); + return 0; + } + + /* check for AIX expired account */ + passexpcode = passwdexpired(pw->pw_name, &aixexpiremsg); + debug("passwdexpired() returned %d", passexpcode); + + switch (passexpcode) { + case 0: /* success, password not expired */ + break; + case 1: /* expired, password change required */ + password_change_required = 1; + password_change_prompt = aixexpiremsg; + break; + default: /* expired too long (2) or other error (-1) */ + /* make local copy of message and remove newlines for logging */ + if (aixexpiremsg && *aixexpiremsg) { + expiremsg = xstrdup(aixexpiremsg); + aix_remove_embedded_newlines(expiremsg); + } + debug("passwdexpired() returned %d", passexpcode); + log("Password expired too long or system failure for user %s: %.100s", + pw->pw_name, expiremsg); + if (expiremsg) + xfree(expiremsg); + return 0; } - return 0; } #endif /* WITH_AIXAUTHENTICATE */ diff -ru openssh-3.5p1.orig/auth2-passwd.c openssh-3.5p1-aixpassexpire/auth2-passwd.c --- openssh-3.5p1.orig/auth2-passwd.c Fri Jun 7 
06:27:56 2002 +++ openssh-3.5p1-aixpassexpire/auth2-passwd.c Sat Oct 26 16:36:33 2002 
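Review bot: in the auth.c allowed_user() hunk above (the passwdexpired() switch), `expiremsg` is assigned only inside `if (aixexpiremsg && *aixexpiremsg)`, but the `default:` case then passes it to log() and to `if (expiremsg) xfree(expiremsg)` unconditionally, so when passwdexpired() returns 2 or -1 without a message an uninitialised pointer is printed and freed; initialise `expiremsg = NULL` and only log it when set. The same hunk also stops calling loginrestrictions() for uid 0 and whenever sshd is not running as root, a behaviour change from the code it removes that the commit message should spell out, and `password_change_prompt = aixexpiremsg` aliases a buffer that session.c later frees.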
@@ -31,31 +31,60 @@ #include "auth.h" #include "monitor_wrap.h" #include "servconf.h" +#include "ssh2.h" /* import */ extern ServerOptions options; +extern int password_change_required; static int userauth_passwd(Authctxt *authctxt) { - char *password; - int authenticated = 0; - int change; - u_int len; - change = packet_get_char(); - if (change) - log("password change not supported"); + char *password, *npassword; + int authenticated = 0, change_requested; + u_int len, nlen; + + change_requested = packet_get_char(); password = packet_get_string(&len); + if (change_requested) { + debug("userauth_passwd: password change requested by client"); + npassword = packet_get_string(&nlen); + } packet_check_eom(); + if (authctxt->valid && #ifdef HAVE_CYGWIN check_nt_auth(1, authctxt->pw) && #endif - PRIVSEP(auth_password(authctxt, password)) == 1) - authenticated = 1; + (authenticated = (PRIVSEP(auth_password(authctxt, password))))) { + debug("auth_password returned %d, pid=%d ppid=%d", + authenticated, getpid(), getppid()); + + /* now that the password has been checked, change password + * if requested by client and revalidate new password */ + if (change_requested) { + if (userauth_change_password(authctxt, password, npassword)) { + debug("userauth_passwd: password changed successfully"); + authenticated = 1; + } else { + debug("userauth_passwd: password change failed"); + } + memset(npassword, 0, nlen); + xfree(npassword); + } + } memset(password, 0, len); xfree(password); return authenticated; +} + +/* password change for protocol 2 */ +int +userauth_change_password(Authctxt *authctxt, char *oldpasswd, char *newpasswd) +{ +#ifdef WITH_AIXAUTHENTICATE + return aix_change_password(authctxt->pw, oldpasswd, newpasswd); +#endif } Authmethod method_passwd = { diff -ru openssh-3.5p1.orig/auth2.c openssh-3.5p1-aixpassexpire/auth2.c --- openssh-3.5p1.orig/auth2.c Thu Sep 26 10:38:49 2002 +++ openssh-3.5p1-aixpassexpire/auth2.c Sat Oct 26 16:22:40 2002 
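Review bot: in the auth2-passwd.c hunk, userauth_change_password() is called from userauth_passwd() before it is defined and has no prototype, and when WITH_AIXAUTHENTICATE is not defined its body is empty so it falls off the end without returning a value; declare it in auth.h and add an unconditional `return 0;` after the #ifdef block. The comment "change password if requested by client and revalidate new password" also promises a revalidation the code does not perform: on success `authenticated` is simply set to 1.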
@@ -40,6 +40,7 @@ extern ServerOptions options; extern u_char *session_id2; extern int session_id2_len; +extern char *password_change_prompt; Authctxt *x_authctxt = NULL; @@ -199,6 +200,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) { char *methods; + static const char default_prompt[] = "You must change your password now."; if (!authctxt->valid && authenticated) fatal("INTERNAL ERROR: authenticated invalid user %s", @@ -238,6 +240,15 @@ packet_write_wait(); /* now we can break out */ authctxt->success = 1; + } else if (authenticated == 2 ) { /* password change required */ + if (password_change_prompt == NULL) + password_change_prompt = (char *)default_prompt; + debug("sending SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ"); + packet_start(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ); + packet_put_cstring(password_change_prompt); + packet_put_cstring(""); /* language */ + packet_send(); + packet_write_wait(); } else { if (authctxt->failures++ > AUTH_FAIL_MAX) { packet_disconnect(AUTH_FAIL_MSG, authctxt->user); diff -ru openssh-3.5p1.orig/monitor.c openssh-3.5p1-aixpassexpire/monitor.c --- openssh-3.5p1.orig/monitor.c Fri Sep 27 13:26:02 2002 +++ openssh-3.5p1-aixpassexpire/monitor.c Sat Oct 26 14:55:29 2002 @@ -600,13 +600,14 @@ { static int call_count; char *passwd; - int authenticated; + int authenticated = 0; u_int plen; passwd = buffer_get_string(m, &plen); /* Only authenticate if the context is valid */ - authenticated = options.password_authentication && - authctxt->valid && auth_password(authctxt, passwd); + if ( options.password_authentication && authctxt->valid ) + authenticated = auth_password(authctxt, passwd); + memset(passwd, 0, strlen(passwd)); xfree(passwd); diff -ru openssh-3.5p1.orig/openbsd-compat/port-aix.c openssh-3.5p1-aixpassexpire/openbsd-compat/port-aix.c --- openssh-3.5p1.orig/openbsd-compat/port-aix.c Sun Jul 7 12:17:36 2002 +++ openssh-3.5p1-aixpassexpire/openbsd-compat/port-aix.c Sat Oct 26 13:20:21 2002 
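Review bot: in the monitor.c mm_answer_authpassword() hunk, `authenticated` now carries auth_password()'s new value 2 straight out through the handler's return, and that return is what the monitor's pre-auth loop uses to decide that authentication is finished; with privsep the monitor therefore leaves the loop on an expired password before any change has happened, which matches the "without privsep" caveat in the cover mail. Either map 2 to 0 for the loop's purposes here or make the loop test for exactly 1. In the auth2.c hunk, `password_change_prompt = (char *)default_prompt` casts away const; declaring the variable `const char *` avoids the cast.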
@@ -24,12 +24,19 @@ * */ #include "includes.h" +#include "misc.h" +#include "log.h" #ifdef _AIX #include #include <../xmalloc.h> +#ifdef WITH_AIXAUTHENTICATE +#include +#include +#endif + /* * AIX has a "usrinfo" area where logname and other stuff is stored - * a few applications actually use this and die if it's not set 
@@ -52,5 +59,67 @@ xfree(cp); } -#endif /* _AIX */ +#ifdef WITH_AIXAUTHENTICATE + +/* + * Remove embedded newlines in string (if any). + * Used before logging messages returned by AIX authentication functions + * so the message is logged on one line. + */ +void +aix_remove_embedded_newlines(char *p) +{ + if (p == NULL) + return; + for (; *p; p++) { + if (*p == '\n') + *p = ' '; + } + /* Remove trailing newline */ + *--p = '\0'; +} + +/* + * aix_change_password: AIX password change routine + */ +int +aix_change_password(struct passwd *pw, char *oldpassword, char *newpassword) +{ + struct userpw *upw; + + debug("userauth_change_password: changing password for %s", pw->pw_name); + + if (setpwdb(S_READ|S_WRITE) == -1) { + debug("Couldn't open authentication database: %s", strerror(errno)); + return 0; + } + + if ((upw = getuserpw(pw->pw_name)) == NULL) { + debug("Couldn't get user details for %s: %s", + pw->pw_name, strerror(errno)); + enduserdb(); + return 0; + } + + upw->upw_passwd = crypt(newpassword, upw->upw_passwd); + pw->pw_passwd = upw->upw_passwd; + upw->upw_flags &= ~PW_ADMCHG; /* clear password change flag */ + if (putuserpw(upw) == -1) { + debug("Couldn't update user details for %s: %s", + pw->pw_name, strerror(errno)); + enduserdb(); + return 0; + } + if(enduserdb() == -1) { + debug("Error closing authentication database: %s", + strerror(errno)); + return 0; + } + + return 1; +} + +#endif /* WITH_AIXAUTHENTICATE */ + +#endif /* _AIX */ diff -ru openssh-3.5p1.orig/openbsd-compat/port-aix.h openssh-3.5p1-aixpassexpire/openbsd-compat/port-aix.h --- openssh-3.5p1.orig/openbsd-compat/port-aix.h Sun Jul 7 12:17:36 2002 +++ openssh-3.5p1-aixpassexpire/openbsd-compat/port-aix.h Sat Oct 26 16:33:48 2002 
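Review bot: in aix_change_password(), `crypt(newpassword, upw->upw_passwd)` uses the old hash as the salt for the new one, so the salt never changes across password changes; generate a fresh random salt for each change. The routine also never reads its `oldpassword` argument, so every caller is trusted to have verified the old password, and it stores the hash with putuserpw() without touching the last-update time or applying the password rules in /etc/security/user that passwd(1) enforces, so AIX may still treat the password as expired afterwards. In aix_remove_embedded_newlines(), the trailing `*--p = '\0'` removes the last character whether or not it is a newline and writes one byte before the buffer when the string is empty; test `*p == '\0'` on entry and `p[-1] == '\n'` before truncating.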
@@ -26,4 +26,8 @@ #ifdef _AIX void aix_usrinfo(struct passwd *pw); +#ifdef WITH_AIXAUTHENTICATE +void aix_remove_embedded_newlines(char *); +int aix_change_password(struct passwd *, char *, char *); +#endif #endif /* _AIX */ diff -ru openssh-3.5p1.orig/session.c openssh-3.5p1-aixpassexpire/session.c --- openssh-3.5p1.orig/session.c Thu Sep 26 10:38:50 2002 +++ openssh-3.5p1-aixpassexpire/session.c Sat Oct 26 11:22:40 2002 @@ -103,8 +103,12 @@ #define MAX_SESSIONS 10 Session sessions[MAX_SESSIONS]; +void do_tty_change_password(struct passwd *); +extern int password_change_required; + #ifdef WITH_AIXAUTHENTICATE -char *aixloginmsg; +char *aixloginmsg; /* message returned by loginsuccess() */ +char *aixexpiremsg; /* message returned by passwdexpire() */ #endif /* WITH_AIXAUTHENTICATE */ #ifdef HAVE_LOGIN_CAP @@ -461,6 +465,12 @@ "TTY available"); #endif /* USE_PAM */ +#ifdef WITH_AIXAUTHENTICATE + if (!compat20 && password_change_required) + packet_disconnect("Password change required but no " + "TTY available"); +#endif /* WITH_AIXAUTHENTICATE */ + /* Fork the child. */ if ((pid = fork()) == 0) { fatal_remove_all_cleanups(); @@ -757,6 +767,13 @@ } #endif +#ifdef WITH_AIXAUTHENTICATE + if (!compat20 && password_change_required) { + printf("%s\n", aixexpiremsg); + do_tty_change_password(pw); + } +#endif + if (check_quietlogin(s, command)) return; @@ -764,9 +781,17 @@ if (!is_pam_password_change_required()) print_pam_messages(); #endif /* USE_PAM */ + #ifdef WITH_AIXAUTHENTICATE - if (aixloginmsg && *aixloginmsg) + if (aixexpiremsg && *aixexpiremsg) { + if (!compat20 && !password_change_required) + printf("%s\n", aixexpiremsg); + xfree(aixexpiremsg); + } + if (aixloginmsg && *aixloginmsg) { printf("%s\n", aixloginmsg); + xfree(aixloginmsg); + } #endif /* WITH_AIXAUTHENTICATE */ #ifndef NO_SSH_LASTLOG From bugzilla-daemon at mindrot.org Sun Oct 27 00:17:04 2002 
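Review bot: in the session.c do_login() hunk, `printf("%s\n", aixexpiremsg)` runs with no NULL check while the block a few lines further down tests `aixexpiremsg && *aixexpiremsg` before printing; guard both the same way. The later hunk then `xfree()`s `aixexpiremsg`, the buffer that auth.c stores in `password_change_prompt`, which leaves that pointer dangling; it is not used after authentication today, but reset it to NULL when the buffer is freed.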
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 27 Oct 2002 00:17:04 +1000 (EST)
Subject: [Bug 164] X-forwarding when connecting to an IPv6-enabled host doesn't work.
Message-ID: <20021026141704.76E1B3D152@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=164

------- Additional Comments From cjwatson at debian.org 2002-10-27 00:16 -------
Marco d'Itri suggested in http://bugs.debian.org/153154 that ssh should only
bind to AF_INET addresses in x11_create_display_inet(), since at least the
xtrans code in XFree86 doesn't support IPv6. Is this a valid approach?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sun Oct 27 00:19:30 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 27 Oct 2002 00:19:30 +1000 (EST)
Subject: [Bug 164] X-forwarding when connecting to an IPv6-enabled host doesn't work.
Message-ID: <20021026141930.7906B3D178@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=164

------- Additional Comments From cjwatson at debian.org 2002-10-27 00:19 -------
Created an attachment (id=160)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=160&action=view)
Patch from Marco d'Itri to bind X11 sockets only on AF_INET

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sun Oct 27 00:21:50 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 27 Oct 2002 00:21:50 +1000 (EST)
Subject: [Bug 164] X-forwarding when connecting to an IPv6-enabled host doesn't work.
Message-ID: <20021026142150.D7A783D1AE@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=164

cjwatson at debian.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |cjwatson at debian.org

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From dtucker at zip.com.au Sun Oct 27 18:26:23 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 27 Oct 2002 18:26:23 +1100
Subject: [PATCH] AIX password expiration
References: <3DBA4561.776600AF@zip.com.au>
Message-ID: <3DBB951F.89DACCC9@zip.com.au>

Thanks to Ben for the example, this works with privsep now! It sports a
brand-new mm_auth_change_password function. I had trouble with monitor
dropping out of its initial loop too early, hopefully I've got that right
now.

Currently expiry and change works on AIX with and without privsep:
Protocol 1 execs /usr/bin/passwd on session startup.
Protocol 2 uses USERAUTH_PASSWD_CHANGEREQ during authentication.

If someone writes a pam_change_password function (or modifies
pam_chauthtok, I looked but couldn't figure it out) and plugs it in to
auth_change_password, pam password changes will probably work with privsep
and protocol 2 too.

Any other comments?

-Daz.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
diff -ru openssh-3.5p1.orig/auth-pam.c openssh-3.5p1-passexpire/auth-pam.c --- openssh-3.5p1.orig/auth-pam.c Mon Jul 29 06:24:08 2002 +++ openssh-3.5p1-passexpire/auth-pam.c Sun Oct 27 14:34:59 2002
@@ -60,7 +60,7 @@ /* states for do_pam_conversation() */ enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN; /* remember whether pam_acct_mgmt() returned PAM_NEW_AUTHTOK_REQD */ -static int password_change_required = 0; +extern int password_change_required; /* remember whether the last pam_authenticate() succeeded or not */ static int was_authenticated = 0; diff -ru openssh-3.5p1.orig/auth-passwd.c openssh-3.5p1-passexpire/auth-passwd.c --- openssh-3.5p1.orig/auth-passwd.c Thu Sep 26 09:14:16 2002 +++ openssh-3.5p1-passexpire/auth-passwd.c Sun Oct 27 16:02:34 2002 @@ -42,6 +42,7 @@ #include "log.h" #include "servconf.h" #include "auth.h" +#include "misc.h" #if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) /* Don't need any of these headers for the PAM or SIA cases */ @@ -81,13 +82,15 @@ #endif /* !USE_PAM && !HAVE_OSF_SIA */ extern ServerOptions options; +extern int password_change_required; #ifdef WITH_AIXAUTHENTICATE extern char *aixloginmsg; #endif /* - * Tries to authenticate the user using password. Returns true if - * authentication succeeds. + * Tries to authenticate the user using password. Returns true (1) if + * authentication succeeds, (2) if authentication succeeds but password + * change required. */ int auth_password(Authctxt *authctxt, const char *password) 
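Review bot: the auth-pam.c hunk keeps the comment "remember whether pam_acct_mgmt() returned PAM_NEW_AUTHTOK_REQD" above what is now an `extern` for a flag defined in auth.c and also set by the AIX passwdexpired() check; reword it to say the flag is shared. Note too that the PAM code still sets the flag but nothing in this revision returns 2 from the PAM path of auth_password() (the `return 2` sits inside #ifdef WITH_AIXAUTHENTICATE), so a PAM user with an expired password keeps the previous behaviour.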
@@ -149,14 +152,25 @@ #endif #ifdef WITH_AIXAUTHENTICATE authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); + aix_remove_embedded_newlines(authmsg); - if (authsuccess) + if (authsuccess) { + debug("authenticate() succeeded for user %s: %.100s", pw->pw_name, authmsg); /* We don't have a pty yet, so just label the line as "ssh" */ if (loginsuccess(authctxt->user, get_canonical_hostname(options.verify_reverse_mapping), "ssh", &aixloginmsg) < 0) aixloginmsg = NULL; + } else { + debug("authenticate() failed for user %s: %.100s", pw->pw_name, authmsg); + } + if (authmsg) + xfree(authmsg); + debug("auth_password: authsuccess = %d", authsuccess); + if (authsuccess && password_change_required) { + return 2; + } return(authsuccess); #endif #ifdef KRB4 
@@ -232,4 +246,49 @@ /* Authentication is accepted if the encrypted passwords are identical. */ return (strcmp(encrypted_password, pw_password) == 0); #endif /* !USE_PAM && !HAVE_OSF_SIA */ +} + +/* password change for protocol 2 */ +int +auth_change_password(Authctxt *authctxt, const char *oldpasswd, const char *newpasswd) +{ +#ifdef WITH_AIXAUTHENTICATE + return aix_change_password(authctxt->pw, oldpasswd, newpasswd); +#endif +} + + +/* + * generic password change routine. requires session established and tty alloced + * Like do_pam_chauthtok(), it throws a fatal error if the password can't be changed. + */ + +void +do_tty_change_password(struct passwd *pw) +{ + pid_t pid; + int status; + mysig_t old_signal; + + old_signal = mysignal(SIGCHLD, SIG_DFL); + + if ((pid = fork()) == -1) + fatal("Couldn't fork: %s", strerror(errno)); + + if (pid == 0) { + setuid(pw->pw_uid); + execl("/usr/bin/passwd","passwd",pw->pw_name, + (char *)NULL); + /* execl shouldn't return */ + fatal("Couldn't exec /usr/bin/passwd"); + exit(1); + } + + if (waitpid(pid, &status, 0) == -1) + fatal("Couldn't wait for child: %s", strerror(errno)); + + if (WEXITSTATUS(status)) /* Passwd exited abnormally */ + fatal("Failed to change password for %s, passwd returned %d", pw->pw_name, status); + + mysignal(SIGCHLD, old_signal); } diff -ru openssh-3.5p1.orig/auth.c openssh-3.5p1-passexpire/auth.c --- openssh-3.5p1.orig/auth.c Sun Sep 22 01:26:53 2002 +++ openssh-3.5p1-passexpire/auth.c Sat Oct 26 16:35:59 2002 @@ -59,6 +59,14 @@ Buffer auth_debug; int auth_debug_init; +/* Password change flag */ +int password_change_required = 0; +char *password_change_prompt = NULL; + +#ifdef WITH_AIXAUTHENTICATE +extern char *aixexpiremsg; +#endif + /* * Check if the user is allowed to log in via ssh. If user is listed * in DenyUsers or one of user's groups is listed in DenyGroups, false 
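Review bot: auth_change_password() in this revision still has no return statement when WITH_AIXAUTHENTICATE is undefined, so on every non-AIX build (including the PAM one the cover mail hopes to support) a client that sets the change flag gets an indeterminate result; add `return 0;` after the #ifdef block, or fail the request explicitly with a log() line. It also passes its `const char *` arguments to aix_change_password(), declared in the first revision's port-aix.h with plain `char *`, which discards the qualifier; make the two prototypes agree.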
@@ -75,9 +83,6 @@ const char *hostname = NULL, *ipaddr = NULL; char *shell; int i; -#ifdef WITH_AIXAUTHENTICATE - char *loginmsg; -#endif /* WITH_AIXAUTHENTICATE */ #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) struct spwd *spw; 
@@ -202,19 +207,49 @@ } #ifdef WITH_AIXAUTHENTICATE - if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { - if (loginmsg && *loginmsg) { - /* Remove embedded newlines (if any) */ - char *p; - for (p = loginmsg; *p; p++) { - if (*p == '\n') - *p = ' '; + /* + * Don't check loginrestrictions or expiry for root account (use + * PermitRootLogin to control logins via ssh), or if running as + * non-root user (since loginrestrictions will always fail). + */ + if ( (pw->pw_uid != 0) && (geteuid() == 0) ) { + char *restrictmsg, *expiremsg; + int passexpcode; + + /* check for AIX account restrictions */ + if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &restrictmsg) != 0) { + if (restrictmsg && *restrictmsg) { + aix_remove_embedded_newlines(restrictmsg); + log("Login restricted for %s: %.100s", pw->pw_name, restrictmsg); + xfree(restrictmsg); } - /* Remove trailing newline */ - *--p = '\0'; - log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); + return 0; + } + + /* check for AIX expired account */ + passexpcode = passwdexpired(pw->pw_name, &aixexpiremsg); + debug("passwdexpired() returned %d", passexpcode); + + switch (passexpcode) { + case 0: /* success, password not expired */ + break; + case 1: /* expired, password change required */ + password_change_required = 1; + password_change_prompt = aixexpiremsg; + break; + default: /* expired too long (2) or other error (-1) */ + /* make local copy of message and remove newlines for logging */ + if (aixexpiremsg && *aixexpiremsg) { + expiremsg = xstrdup(aixexpiremsg); + aix_remove_embedded_newlines(expiremsg); + } + debug("passwdexpired() returned %d", passexpcode); + log("Password expired too long or system failure for user %s: %.100s", + pw->pw_name, expiremsg); + if (expiremsg) + xfree(expiremsg); + return 0; } - return 0; } #endif /* WITH_AIXAUTHENTICATE */ diff -ru openssh-3.5p1.orig/auth.h openssh-3.5p1-passexpire/auth.h --- openssh-3.5p1.orig/auth.h Fri Sep 27 13:26:01 2002 +++ 
openssh-3.5p1-passexpire/auth.h Sun Oct 27 16:01:44 2002 @@ -101,6 +101,7 @@ int auth_rhosts_rsa(struct passwd *, char *, Key *); int auth_password(Authctxt *, const char *); +int auth_change_password(Authctxt *, const char *, const char *); int auth_rsa(struct passwd *, BIGNUM *); int auth_rsa_challenge_dialog(Key *); BIGNUM *auth_rsa_generate_challenge(Key *); diff -ru openssh-3.5p1.orig/auth2-passwd.c openssh-3.5p1-passexpire/auth2-passwd.c --- openssh-3.5p1.orig/auth2-passwd.c Fri Jun 7 06:27:56 2002 +++ openssh-3.5p1-passexpire/auth2-passwd.c Sun Oct 27 16:06:02 2002 
@@ -31,28 +31,48 @@ #include "auth.h" #include "monitor_wrap.h" #include "servconf.h" +#include "ssh2.h" /* import */ extern ServerOptions options; +extern int password_change_required; static int userauth_passwd(Authctxt *authctxt) { - char *password; - int authenticated = 0; - int change; - u_int len; - change = packet_get_char(); - if (change) - log("password change not supported"); + char *password, *npassword; + int authenticated = 0, change_requested; + u_int len, nlen; + + change_requested = packet_get_char(); password = packet_get_string(&len); + if (change_requested) { + debug("userauth_passwd: password change requested by client"); + npassword = packet_get_string(&nlen); + } packet_check_eom(); + if (authctxt->valid && #ifdef HAVE_CYGWIN check_nt_auth(1, authctxt->pw) && #endif - PRIVSEP(auth_password(authctxt, password)) == 1) - authenticated = 1; + (authenticated = (PRIVSEP(auth_password(authctxt, password))))) { + debug("auth_password returned %d, pid=%d ppid=%d", + authenticated, getpid(), getppid()); + + /* now that the password has been checked, change password + * if requested by client and revalidate new password */ + if (change_requested) { + if (PRIVSEP(auth_change_password(authctxt, password, npassword))) { + debug("userauth_passwd: password changed successfully"); + authenticated = 1; + } else { + debug("userauth_passwd: password change failed"); + } + memset(npassword, 0, nlen); + xfree(npassword); + } + } memset(password, 0, len); xfree(password); return authenticated; diff -ru openssh-3.5p1.orig/auth2.c openssh-3.5p1-passexpire/auth2.c --- openssh-3.5p1.orig/auth2.c Thu Sep 26 10:38:49 2002 +++ openssh-3.5p1-passexpire/auth2.c Sat Oct 26 16:22:40 2002 @@ -40,6 +40,7 @@ extern ServerOptions options; extern u_char *session_id2; extern int session_id2_len; +extern char *password_change_prompt; Authctxt *x_authctxt = NULL; 
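Review bot: in the auth2-passwd.c hunk, when auth_password() returns 1 (valid, not expired) and the client-requested change then fails, the `else` branch only emits a debug() and `authenticated` stays 1, so the client receives USERAUTH_SUCCESS even though its change was rejected; clear `authenticated` there (re-prompting is only right when the value was 2). The comment "change password if requested by client and revalidate new password" also does not match the code, which never checks the new password after the change; either call auth_password() again with `npassword` or fix the comment.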
@@ -199,6 +200,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) { char *methods; + static const char default_prompt[] = "You must change your password now."; if (!authctxt->valid && authenticated) fatal("INTERNAL ERROR: authenticated invalid user %s", @@ -238,6 +240,15 @@ packet_write_wait(); /* now we can break out */ authctxt->success = 1; + } else if (authenticated == 2 ) { /* password change required */ + if (password_change_prompt == NULL) + password_change_prompt = (char *)default_prompt; + debug("sending SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ"); + packet_start(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ); + packet_put_cstring(password_change_prompt); + packet_put_cstring(""); /* language */ + packet_send(); + packet_write_wait(); } else { if (authctxt->failures++ > AUTH_FAIL_MAX) { packet_disconnect(AUTH_FAIL_MSG, authctxt->user); diff -ru openssh-3.5p1.orig/monitor.c openssh-3.5p1-passexpire/monitor.c --- openssh-3.5p1.orig/monitor.c Fri Sep 27 13:26:02 2002 +++ openssh-3.5p1-passexpire/monitor.c Sun Oct 27 17:24:33 2002 @@ -101,6 +101,7 @@ int mm_answer_auth2_read_banner(int, Buffer *); int mm_answer_authserv(int, Buffer *); int mm_answer_authpassword(int, Buffer *); +int mm_answer_auth_change_password(int, Buffer *); int mm_answer_bsdauthquery(int, Buffer *); int mm_answer_bsdauthrespond(int, Buffer *); int mm_answer_skeyquery(int, Buffer *); @@ -161,6 +162,7 @@ {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, + {MONITOR_REQ_CHPASS, MON_AUTH, mm_answer_auth_change_password}, #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, #endif 
@@ -267,6 +269,7 @@ /* Permit requests for moduli and signatures */ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_CHPASS, 1); } else { mon_dispatch = mon_dispatch_proto15; @@ -276,7 +279,7 @@ authctxt = authctxt_new(); /* The first few requests do not require asynchronous access */ - while (!authenticated) { + while (authenticated != 1) { authenticated = monitor_read(pmonitor, mon_dispatch, &ent); if (authenticated) { if (!(ent->flags & MON_AUTHDECIDE)) @@ -600,13 +603,14 @@ { static int call_count; char *passwd; - int authenticated; + int authenticated = 0; u_int plen; passwd = buffer_get_string(m, &plen); /* Only authenticate if the context is valid */ - authenticated = options.password_authentication && - authctxt->valid && auth_password(authctxt, passwd); + if ( options.password_authentication && authctxt->valid ) + authenticated = auth_password(authctxt, passwd); + memset(passwd, 0, strlen(passwd)); xfree(passwd); @@ -624,6 +628,32 @@ /* Causes monitor loop to terminate if authenticated */ return (authenticated); +} + +int +mm_answer_auth_change_password(int socket, Buffer *m) +{ + char *oldpass, *newpass; + int changed; + + oldpass = buffer_get_string(m, NULL); + newpass = buffer_get_string(m, NULL); + + /* Only attempt if the context is valid */ + if ( options.password_authentication && authctxt->valid ) + changed = auth_change_password(authctxt, oldpass, newpass); + + buffer_clear(m); + buffer_put_int(m, changed); + + mm_request_send(socket, MONITOR_ANS_CHPASS, m); + + memset(oldpass, 0, strlen(oldpass)); + xfree(oldpass); + memset(newpass, 0, strlen(newpass)); + xfree(newpass); + + return changed; } #ifdef BSD_AUTH diff -ru openssh-3.5p1.orig/monitor.h openssh-3.5p1-passexpire/monitor.h --- openssh-3.5p1.orig/monitor.h Fri Sep 27 13:26:02 2002 +++ openssh-3.5p1-passexpire/monitor.h Sun Oct 27 15:36:25 2002 
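Review bot: mm_answer_auth_change_password() changes the password without the monitor ever verifying the old one: it calls auth_change_password() directly (whose AIX implementation in the first revision never reads `oldpassword`), it is registered with MON_AUTH and enabled unconditionally by the new monitor_permit() line, and its nonzero return is taken by the loop as an authentication decision. A compromised unprivileged child can therefore ask the monitor to set any valid user's password and be treated as authenticated, which defeats the point of privsep; the monitor should call auth_password(authctxt, oldpass) itself and refuse the change (returning 0) unless that succeeds. Also, `changed` is uninitialised when `options.password_authentication && authctxt->valid` is false but is still sent with buffer_put_int() and returned; initialise it to 0. The `while (authenticated != 1)` change fixes the early exit for value 2, but the `if (authenticated)` block beneath it still runs for 2, so the root-login check and the accepted-login logging happen before the change has been made.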
@@ -35,6 +35,7 @@ MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD, + MONITOR_REQ_CHPASS, MONITOR_ANS_CHPASS, MONITOR_REQ_BSDAUTHQUERY, MONITOR_ANS_BSDAUTHQUERY, MONITOR_REQ_BSDAUTHRESPOND, MONITOR_ANS_BSDAUTHRESPOND, MONITOR_REQ_SKEYQUERY, MONITOR_ANS_SKEYQUERY, diff -ru openssh-3.5p1.orig/monitor_wrap.c openssh-3.5p1-passexpire/monitor_wrap.c --- openssh-3.5p1.orig/monitor_wrap.c Fri Sep 27 13:26:03 2002 +++ openssh-3.5p1-passexpire/monitor_wrap.c Sun Oct 27 17:05:03 2002 @@ -256,7 +256,7 @@ buffer_put_cstring(&m, password); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHPASSWORD, &m); - debug3("%s: waiting for MONITOR_ANS_AUTHPASSWORD", __func__); + debug3("%s: waiting for MONITOR_ANS_AUTHPASSWORD (type %d)", __func__, MONITOR_ANS_AUTHPASSWORD); mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTHPASSWORD, &m); authenticated = buffer_get_int(&m); @@ -266,6 +266,32 @@ debug3("%s: user %sauthenticated", __func__, authenticated ? "" : "not "); return (authenticated); +} + +int +mm_auth_change_password(Authctxt *authctxt, char *oldpass, char *newpass) +{ + Buffer m; + int changed = 0; + + debug3("%s entering", __func__); + + buffer_init(&m); + buffer_put_cstring(&m, oldpass); + buffer_put_cstring(&m, newpass); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_CHPASS, &m); + + debug3("%s: waiting for MONITOR_ANS_CHPASS (type %d)", __func__, MONITOR_ANS_CHPASS); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_CHPASS, &m); + + changed = buffer_get_int(&m); + + debug3("%s: password %schanged", + __func__, changed ? "" : "not "); + + buffer_free(&m); + return changed; } int diff -ru openssh-3.5p1.orig/monitor_wrap.h openssh-3.5p1-passexpire/monitor_wrap.h --- openssh-3.5p1.orig/monitor_wrap.h Fri Sep 27 13:26:04 2002 +++ openssh-3.5p1-passexpire/monitor_wrap.h Sun Oct 27 16:07:18 2002 
@@ -46,6 +46,7 @@ struct passwd *mm_getpwnamallow(const char *); char *mm_auth2_read_banner(void); int mm_auth_password(struct Authctxt *, char *); +int mm_auth_change_password(struct Authctxt *, char *, char *); int mm_key_allowed(enum mm_keytype, char *, char *, Key *); int mm_user_key_allowed(struct passwd *, Key *); int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *); diff -ru openssh-3.5p1.orig/openbsd-compat/port-aix.c openssh-3.5p1-passexpire/openbsd-compat/port-aix.c --- openssh-3.5p1.orig/openbsd-compat/port-aix.c Sun Jul 7 12:17:36 2002 +++ openssh-3.5p1-passexpire/openbsd-compat/port-aix.c Sun Oct 27 18:05:49 2002 @@ -24,11 +24,15 @@ * */ #include "includes.h" +#include "misc.h" +#include "log.h" #ifdef _AIX #include #include <../xmalloc.h> +#include +#include /* * AIX has a "usrinfo" area where logname and other stuff is stored - 
@@ -52,5 +56,67 @@ xfree(cp); } -#endif /* _AIX */ +#ifdef WITH_AIXAUTHENTICATE + +/* + * Remove embedded newlines in string (if any). + * Used before logging messages returned by AIX authentication functions + * so the message is logged on one line. + */ +void +aix_remove_embedded_newlines(char *p) +{ + if (p == NULL) + return; + + for (; *p; p++) { + if (*p == '\n') + *p = ' '; + } + /* Remove trailing newline */ + *--p = '\0'; +} + +/* + * aix_change_password: AIX password change routine + */ +int +aix_change_password(struct passwd *pw, const char *oldpassword, const char *newpassword) +{ + struct userpw *upw; + + debug("userauth_change_password: changing password for %s", pw->pw_name); + + if (setpwdb(S_READ|S_WRITE) == -1) { + debug("Couldn't open authentication database: %s", strerror(errno)); + return 0; + } + + if ((upw = getuserpw(pw->pw_name)) == NULL) { + debug("Couldn't get user details for %s: %s", + pw->pw_name, strerror(errno)); + enduserdb(); + return 0; + } + + upw->upw_passwd = crypt(newpassword, upw->upw_passwd); + pw->pw_passwd = upw->upw_passwd; + upw->upw_flags &= ~PW_ADMCHG; /* clear password change flag */ + if (putuserpw(upw) == -1) { + debug("Couldn't update user details for %s: %s", + pw->pw_name, strerror(errno)); + enduserdb(); + return 0; + } + if(enduserdb() == -1) { + debug("Error closing authentication database: %s", + strerror(errno)); + return 0; + } + return 1; +} + +#endif /* WITH_AIXAUTHENTICATE */ + +#endif /* _AIX */ diff -ru openssh-3.5p1.orig/openbsd-compat/port-aix.h openssh-3.5p1-passexpire/openbsd-compat/port-aix.h --- openssh-3.5p1.orig/openbsd-compat/port-aix.h Sun Jul 7 12:17:36 2002 +++ openssh-3.5p1-passexpire/openbsd-compat/port-aix.h Sun Oct 27 18:06:14 2002 
@@ -25,5 +25,12 @@ */ #ifdef _AIX + void aix_usrinfo(struct passwd *pw); + +#ifdef WITH_AIXAUTHENTICATE +void aix_remove_embedded_newlines(char *); +int aix_change_password(struct passwd *, const char *, const char *); +#endif + #endif /* _AIX */ diff -ru openssh-3.5p1.orig/session.c openssh-3.5p1-passexpire/session.c --- openssh-3.5p1.orig/session.c Thu Sep 26 10:38:50 2002 +++ openssh-3.5p1-passexpire/session.c Sat Oct 26 19:18:42 2002 @@ -103,8 +103,12 @@ #define MAX_SESSIONS 10 Session sessions[MAX_SESSIONS]; +void do_tty_change_password(struct passwd *); +extern int password_change_required; + #ifdef WITH_AIXAUTHENTICATE -char *aixloginmsg; +char *aixloginmsg; /* message returned by loginsuccess() */ +char *aixexpiremsg; /* message returned by passwdexpire() */ #endif /* WITH_AIXAUTHENTICATE */ #ifdef HAVE_LOGIN_CAP @@ -461,6 +465,12 @@ "TTY available"); #endif /* USE_PAM */ +#ifdef WITH_AIXAUTHENTICATE + if (!compat20 && password_change_required) + packet_disconnect("Password change required but no " + "TTY available"); +#endif /* WITH_AIXAUTHENTICATE */ + /* Fork the child. */ if ((pid = fork()) == 0) { fatal_remove_all_cleanups(); @@ -757,6 +767,13 @@ } #endif +#ifdef WITH_AIXAUTHENTICATE + if (!compat20 && password_change_required) { + printf("%s\n", aixexpiremsg); + do_tty_change_password(pw); + } +#endif + if (check_quietlogin(s, command)) return; @@ -764,9 +781,17 @@ if (!is_pam_password_change_required()) print_pam_messages(); #endif /* USE_PAM */ + #ifdef WITH_AIXAUTHENTICATE - if (aixloginmsg && *aixloginmsg) + if (aixexpiremsg && *aixexpiremsg) { + if (!password_change_required) + printf("%s\n", aixexpiremsg); + xfree(aixexpiremsg); + } + if (aixloginmsg && *aixloginmsg) { printf("%s\n", aixloginmsg); + xfree(aixloginmsg); + } #endif /* WITH_AIXAUTHENTICATE */ #ifndef NO_SSH_LASTLOG From mouring at etoh.eviladmin.org Sun Oct 27 18:35:10 2002 
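Review bot: in the monitor.c hunk adding mm_answer_auth_change_password(), `int changed;` is never initialised, so when the `options.password_authentication && authctxt->valid` guard is false an indeterminate value is put into the MONITOR_ANS_CHPASS reply and also returned into the monitor's authentication loop. Initialise it (`int changed = 0;`), exactly as the preceding hunk now does for `authenticated` in mm_answer_authpassword().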
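Review bot: in the port-aix.c hunk, aix_remove_embedded_newlines() ends with `*--p = '\0';`, which writes one byte before the buffer when the string is empty and otherwise drops the last character whether or not it was a newline (the loop above has already turned any trailing '\n' into a space); test for an empty string and only truncate when the final character really was '\n'. In aix_change_password(), `crypt(newpassword, upw->upw_passwd)` uses the existing hash as the salt, so the stored salt is never rotated, and both `upw->upw_passwd` and `pw->pw_passwd` are left pointing at crypt()'s static buffer, which the next crypt() call overwrites; generate a fresh salt and xstrdup() the result before putuserpw(). The database is opened with setpwdb() but every path closes it with enduserdb(); check whether endpwdb() is the matching call. Nothing in this version verifies the old password before the hash is replaced.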
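Review bot: in the session.c hunk at do_login, `printf("%s\n", aixexpiremsg)` is guarded only by `password_change_required`, not by `aixexpiremsg != NULL`, unlike the `aixloginmsg && *aixloginmsg` test a few lines further down; passing a NULL pointer for `%s` is undefined behaviour. Guard it the same way, and print the message only when it is non-empty.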
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sun, 27 Oct 2002 01:35:10 -0600 (CST)
Subject: [PATCH] AIX password expiration
In-Reply-To: <3DBB951F.89DACCC9@zip.com.au>
Message-ID:

Only complaint off hand:

+/* password change for protocol 2 */
+int
+auth_change_password(Authctxt *authctxt, const char *oldpasswd, const char *newpasswd)
+{
+#ifdef WITH_AIXAUTHENTICATE
+	return aix_change_password(authctxt->pw, oldpasswd, newpasswd);
+#endif
+}

If you are not using aixauth and you get into this state, you need to have it return a default 'failure/unsupported'.

- Ben

From dtucker at zip.com.au Sun Oct 27 18:54:40 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 27 Oct 2002 18:54:40 +1100
Subject: [PATCH] AIX password expiration
References:
Message-ID: <3DBB9BC0.5E9B2AC3@zip.com.au>

Ben Lindstrom wrote:
>
> Only complaint off hand:
>
> +/* password change for protocol 2 */
> +int
> +auth_change_password(Authctxt *authctxt, const char *oldpasswd, const char *newpasswd)
> +{
> +#ifdef WITH_AIXAUTHENTICATE
> +	return aix_change_password(authctxt->pw, oldpasswd, newpasswd);
> +#endif
> +}
>
> If you are not using aixauth and you get into this state, you need to
> have it return a default 'failure/unsupported'.

Add "return 0;" at the end of the function?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Sun Oct 27 23:04:42 2002
From: dtucker at zip.com.au (Darren Tucker) Date: Sun, 27 Oct 2002 23:04:42 +1100 Subject: [PATCH #6] AIX password expiration References: <3DBA4561.776600AF@zip.com.au> <3DBB951F.89DACCC9@zip.com.au> Message-ID: <3DBBD65A.1AD9F636@zip.com.au> Darren Tucker wrote: > I had trouble with monitor dropping out of its initial loop too early, > hopefully I've got that right now. I didn't. I broke protocol 1. Fixed in this patch. (Really!) I also added code to set the expire flag from the shadow although this won't work yet. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- diff -ru openssh-3.5p1.orig/auth-pam.c openssh-3.5p1-passexpire/auth-pam.c --- openssh-3.5p1.orig/auth-pam.c Mon Jul 29 06:24:08 2002 +++ openssh-3.5p1-passexpire/auth-pam.c Sun Oct 27 14:34:59 2002 @@ -60,7 +60,7 @@ /* states for do_pam_conversation() */ enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN; /* remember whether pam_acct_mgmt() returned PAM_NEW_AUTHTOK_REQD */ -static int password_change_required = 0; +extern int password_change_required; /* remember whether the last pam_authenticate() succeeded or not */ static int was_authenticated = 0; diff -ru openssh-3.5p1.orig/auth-passwd.c openssh-3.5p1-passexpire/auth-passwd.c --- openssh-3.5p1.orig/auth-passwd.c Thu Sep 26 09:14:16 2002 +++ openssh-3.5p1-passexpire/auth-passwd.c Sun Oct 27 21:47:34 2002 @@ -42,6 +42,8 @@ #include "log.h" #include "servconf.h" #include "auth.h" +#include "misc.h" +#include "xmalloc.h" #if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) /* Don't need any of these headers for the PAM or SIA cases */ 
@@ -81,13 +83,15 @@ #endif /* !USE_PAM && !HAVE_OSF_SIA */ extern ServerOptions options; +extern int password_change_required; #ifdef WITH_AIXAUTHENTICATE extern char *aixloginmsg; #endif /* - * Tries to authenticate the user using password. Returns true if - * authentication succeeds. + * Tries to authenticate the user using password. Returns true (1) if + * authentication succeeds, (2) if authentication succeeds but password + * change required. */ int auth_password(Authctxt *authctxt, const char *password) @@ -149,14 +153,25 @@ #endif #ifdef WITH_AIXAUTHENTICATE authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); + aix_remove_embedded_newlines(authmsg); - if (authsuccess) + if (authsuccess) { + debug("authenticate() succeeded for user %s: %.100s", pw->pw_name, authmsg); /* We don't have a pty yet, so just label the line as "ssh" */ if (loginsuccess(authctxt->user, get_canonical_hostname(options.verify_reverse_mapping), "ssh", &aixloginmsg) < 0) aixloginmsg = NULL; + } else { + debug("authenticate() failed for user %s: %.100s", pw->pw_name, authmsg); + } + if (authmsg) + xfree(authmsg); + debug("auth_password: authsuccess = %d", authsuccess); + if (authsuccess && password_change_required) { + return 2; + } return(authsuccess); #endif #ifdef KRB4 
@@ -232,4 +247,50 @@ /* Authentication is accepted if the encrypted passwords are identical. */ return (strcmp(encrypted_password, pw_password) == 0); #endif /* !USE_PAM && !HAVE_OSF_SIA */ +} + +/* password change for protocol 2 */ +int +auth_change_password(Authctxt *authctxt, const char *oldpasswd, const char *newpasswd) +{ +#ifdef WITH_AIXAUTHENTICATE + return aix_change_password(authctxt->pw, oldpasswd, newpasswd); +#endif + return 0; +} + + +/* + * generic password change routine. requires session established and tty alloced + * Like do_pam_chauthtok(), it throws a fatal error if the password can't be changed. + */ + +void +do_tty_change_password(struct passwd *pw) +{ + pid_t pid; + int status; + mysig_t old_signal; + + old_signal = mysignal(SIGCHLD, SIG_DFL); + + if ((pid = fork()) == -1) + fatal("Couldn't fork: %s", strerror(errno)); + + if (pid == 0) { + setuid(pw->pw_uid); + execl("/usr/bin/passwd","passwd",pw->pw_name, + (char *)NULL); + /* execl shouldn't return */ + fatal("Couldn't exec /usr/bin/passwd"); + exit(1); + } + + if (waitpid(pid, &status, 0) == -1) + fatal("Couldn't wait for child: %s", strerror(errno)); + + if (WEXITSTATUS(status)) /* Passwd exited abnormally */ + fatal("Failed to change password for %s, passwd returned %d", pw->pw_name, status); + + mysignal(SIGCHLD, old_signal); } diff -ru openssh-3.5p1.orig/auth.c openssh-3.5p1-passexpire/auth.c --- openssh-3.5p1.orig/auth.c Sun Sep 22 01:26:53 2002 +++ openssh-3.5p1-passexpire/auth.c Sun Oct 27 21:30:46 2002 @@ -59,6 +59,10 @@ Buffer auth_debug; int auth_debug_init; +/* Password change flag */ +int password_change_required = 0; +char *password_expire_message = NULL; + /* * Check if the user is allowed to log in via ssh. If user is listed * in DenyUsers or one of user's groups is listed in DenyGroups, false 
@@ -75,9 +79,6 @@ const char *hostname = NULL, *ipaddr = NULL; char *shell; int i; -#ifdef WITH_AIXAUTHENTICATE - char *loginmsg; -#endif /* WITH_AIXAUTHENTICATE */ #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) struct spwd *spw; @@ -106,14 +107,18 @@ if (spw->sp_lstchg == 0) { log("User %.100s password has expired (root forced)", pw->pw_name); - return 0; + password_change_required = 1; + password_expire_message = + xstrdup("Your password has expired (root forced)"); } if (spw->sp_max != -1 && today > spw->sp_lstchg + spw->sp_max) { log("User %.100s password has expired (password aged)", pw->pw_name); - return 0; + password_change_required = 1; + password_expire_message = + xstrdup("Your password has expired"); } } #else 
@@ -202,19 +207,48 @@ } #ifdef WITH_AIXAUTHENTICATE - if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { - if (loginmsg && *loginmsg) { - /* Remove embedded newlines (if any) */ - char *p; - for (p = loginmsg; *p; p++) { - if (*p == '\n') - *p = ' '; + /* + * Don't check loginrestrictions or expiry for root account (use + * PermitRootLogin to control logins via ssh), or if running as + * non-root user (since loginrestrictions will always fail). + */ + if ( (pw->pw_uid != 0) && (geteuid() == 0) ) { + char *restrictmsg, *expiremsg; + int passexpcode; + + /* check for AIX account restrictions */ + if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &restrictmsg) != 0) { + if (restrictmsg && *restrictmsg) { + aix_remove_embedded_newlines(restrictmsg); + log("Login restricted for %s: %.100s", pw->pw_name, restrictmsg); + xfree(restrictmsg); } - /* Remove trailing newline */ - *--p = '\0'; - log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); + return 0; + } + + /* check for AIX expired account */ + passexpcode = passwdexpired(pw->pw_name, &password_expire_message); + debug("passwdexpired() returned %d", passexpcode); + + switch (passexpcode) { + case 0: /* success, password not expired */ + break; + case 1: /* expired, password change required */ + password_change_required = 1; + break; + default: /* expired too long (2) or other error (-1) */ + /* make local copy of message and remove newlines for logging */ + if (password_expire_message && *password_expire_message) { + expiremsg = xstrdup(password_expire_message); + aix_remove_embedded_newlines(expiremsg); + } + debug("passwdexpired() returned %d", passexpcode); + log("Password expired too long or system failure for user %s: %.100s", + pw->pw_name, expiremsg); + if (expiremsg) + xfree(expiremsg); + return 0; } - return 0; } #endif /* WITH_AIXAUTHENTICATE */ diff -ru openssh-3.5p1.orig/auth.h openssh-3.5p1-passexpire/auth.h --- openssh-3.5p1.orig/auth.h Fri Sep 27 13:26:01 2002 +++ 
openssh-3.5p1-passexpire/auth.h Sun Oct 27 16:01:44 2002 @@ -101,6 +101,7 @@ int auth_rhosts_rsa(struct passwd *, char *, Key *); int auth_password(Authctxt *, const char *); +int auth_change_password(Authctxt *, const char *, const char *); int auth_rsa(struct passwd *, BIGNUM *); int auth_rsa_challenge_dialog(Key *); BIGNUM *auth_rsa_generate_challenge(Key *); diff -ru openssh-3.5p1.orig/auth2-passwd.c openssh-3.5p1-passexpire/auth2-passwd.c --- openssh-3.5p1.orig/auth2-passwd.c Fri Jun 7 06:27:56 2002 +++ openssh-3.5p1-passexpire/auth2-passwd.c Sun Oct 27 16:06:02 2002 
@@ -31,28 +31,48 @@ #include "auth.h" #include "monitor_wrap.h" #include "servconf.h" +#include "ssh2.h" /* import */ extern ServerOptions options; +extern int password_change_required; static int userauth_passwd(Authctxt *authctxt) { - char *password; - int authenticated = 0; - int change; - u_int len; - change = packet_get_char(); - if (change) - log("password change not supported"); + char *password, *npassword; + int authenticated = 0, change_requested; + u_int len, nlen; + + change_requested = packet_get_char(); password = packet_get_string(&len); + if (change_requested) { + debug("userauth_passwd: password change requested by client"); + npassword = packet_get_string(&nlen); + } packet_check_eom(); + if (authctxt->valid && #ifdef HAVE_CYGWIN check_nt_auth(1, authctxt->pw) && #endif - PRIVSEP(auth_password(authctxt, password)) == 1) - authenticated = 1; + (authenticated = (PRIVSEP(auth_password(authctxt, password))))) { + debug("auth_password returned %d, pid=%d ppid=%d", + authenticated, getpid(), getppid()); + + /* now that the password has been checked, change password + * if requested by client and revalidate new password */ + if (change_requested) { + if (PRIVSEP(auth_change_password(authctxt, password, npassword))) { + debug("userauth_passwd: password changed successfully"); + authenticated = 1; + } else { + debug("userauth_passwd: password change failed"); + } + memset(npassword, 0, nlen); + xfree(npassword); + } + } memset(password, 0, len); xfree(password); return authenticated; diff -ru openssh-3.5p1.orig/auth2.c openssh-3.5p1-passexpire/auth2.c --- openssh-3.5p1.orig/auth2.c Thu Sep 26 10:38:49 2002 +++ openssh-3.5p1-passexpire/auth2.c Sun Oct 27 21:29:30 2002 @@ -40,6 +40,7 @@ extern ServerOptions options; extern u_char *session_id2; extern int session_id2_len; +extern char *password_expire_message; Authctxt *x_authctxt = NULL; 
@@ -199,6 +200,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) { char *methods; + static const char default_prompt[] = "You must change your password now."; if (!authctxt->valid && authenticated) fatal("INTERNAL ERROR: authenticated invalid user %s", @@ -238,6 +240,15 @@ packet_write_wait(); /* now we can break out */ authctxt->success = 1; + } else if (authenticated == 2 ) { /* password change required */ + if (password_expire_message == NULL) + password_expire_message = (char *)default_prompt; + debug("sending SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ"); + packet_start(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ); + packet_put_cstring(password_expire_message); + packet_put_cstring(""); /* language */ + packet_send(); + packet_write_wait(); } else { if (authctxt->failures++ > AUTH_FAIL_MAX) { packet_disconnect(AUTH_FAIL_MSG, authctxt->user); diff -ru openssh-3.5p1.orig/monitor.c openssh-3.5p1-passexpire/monitor.c --- openssh-3.5p1.orig/monitor.c Fri Sep 27 13:26:02 2002 +++ openssh-3.5p1-passexpire/monitor.c Sun Oct 27 21:49:43 2002 @@ -101,6 +101,7 @@ int mm_answer_auth2_read_banner(int, Buffer *); int mm_answer_authserv(int, Buffer *); int mm_answer_authpassword(int, Buffer *); +int mm_answer_auth_change_password(int, Buffer *); int mm_answer_bsdauthquery(int, Buffer *); int mm_answer_bsdauthrespond(int, Buffer *); int mm_answer_skeyquery(int, Buffer *); @@ -161,6 +162,7 @@ {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, + {MONITOR_REQ_CHPASS, MON_AUTH, mm_answer_auth_change_password}, #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, #endif 
@@ -267,6 +269,7 @@ /* Permit requests for moduli and signatures */ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_CHPASS, 1); } else { mon_dispatch = mon_dispatch_proto15; @@ -275,8 +278,11 @@ authctxt = authctxt_new(); - /* The first few requests do not require asynchronous access */ - while (!authenticated) { + /* The first few requests do not require asynchronous access + * exit loop if authenticated and password change no required (proto 2) + * or if password correct (proto 1) + */ + while ((compat20 && authenticated != 1) || (!compat20 && !authenticated)) { authenticated = monitor_read(pmonitor, mon_dispatch, &ent); if (authenticated) { if (!(ent->flags & MON_AUTHDECIDE)) @@ -600,13 +606,14 @@ { static int call_count; char *passwd; - int authenticated; + int authenticated = 0; u_int plen; passwd = buffer_get_string(m, &plen); /* Only authenticate if the context is valid */ - authenticated = options.password_authentication && - authctxt->valid && auth_password(authctxt, passwd); + if ( options.password_authentication && authctxt->valid ) + authenticated = auth_password(authctxt, passwd); + memset(passwd, 0, strlen(passwd)); xfree(passwd); 
@@ -624,6 +631,32 @@ /* Causes monitor loop to terminate if authenticated */ return (authenticated); +} + +int +mm_answer_auth_change_password(int socket, Buffer *m) +{ + char *oldpass, *newpass; + int changed; + + oldpass = buffer_get_string(m, NULL); + newpass = buffer_get_string(m, NULL); + + /* Only attempt if the context is valid */ + if ( options.password_authentication && authctxt->valid ) + changed = auth_change_password(authctxt, oldpass, newpass); + + buffer_clear(m); + buffer_put_int(m, changed); + + mm_request_send(socket, MONITOR_ANS_CHPASS, m); + + memset(oldpass, 0, strlen(oldpass)); + xfree(oldpass); + memset(newpass, 0, strlen(newpass)); + xfree(newpass); + + return changed; } #ifdef BSD_AUTH diff -ru openssh-3.5p1.orig/monitor.h openssh-3.5p1-passexpire/monitor.h --- openssh-3.5p1.orig/monitor.h Fri Sep 27 13:26:02 2002 +++ openssh-3.5p1-passexpire/monitor.h Sun Oct 27 15:36:25 2002 @@ -35,6 +35,7 @@ MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD, + MONITOR_REQ_CHPASS, MONITOR_ANS_CHPASS, MONITOR_REQ_BSDAUTHQUERY, MONITOR_ANS_BSDAUTHQUERY, MONITOR_REQ_BSDAUTHRESPOND, MONITOR_ANS_BSDAUTHRESPOND, MONITOR_REQ_SKEYQUERY, MONITOR_ANS_SKEYQUERY, diff -ru openssh-3.5p1.orig/monitor_wrap.c openssh-3.5p1-passexpire/monitor_wrap.c --- openssh-3.5p1.orig/monitor_wrap.c Fri Sep 27 13:26:03 2002 +++ openssh-3.5p1-passexpire/monitor_wrap.c Sun Oct 27 17:05:03 2002 @@ -256,7 +256,7 @@ buffer_put_cstring(&m, password); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHPASSWORD, &m); - debug3("%s: waiting for MONITOR_ANS_AUTHPASSWORD", __func__); + debug3("%s: waiting for MONITOR_ANS_AUTHPASSWORD (type %d)", __func__, MONITOR_ANS_AUTHPASSWORD); mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTHPASSWORD, &m); authenticated = buffer_get_int(&m); 
@@ -266,6 +266,32 @@ debug3("%s: user %sauthenticated", __func__, authenticated ? "" : "not "); return (authenticated); +} + +int +mm_auth_change_password(Authctxt *authctxt, char *oldpass, char *newpass) +{ + Buffer m; + int changed = 0; + + debug3("%s entering", __func__); + + buffer_init(&m); + buffer_put_cstring(&m, oldpass); + buffer_put_cstring(&m, newpass); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_CHPASS, &m); + + debug3("%s: waiting for MONITOR_ANS_CHPASS (type %d)", __func__, MONITOR_ANS_CHPASS); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_CHPASS, &m); + + changed = buffer_get_int(&m); + + debug3("%s: password %schanged", + __func__, changed ? "" : "not "); + + buffer_free(&m); + return changed; } int diff -ru openssh-3.5p1.orig/monitor_wrap.h openssh-3.5p1-passexpire/monitor_wrap.h --- openssh-3.5p1.orig/monitor_wrap.h Fri Sep 27 13:26:04 2002 +++ openssh-3.5p1-passexpire/monitor_wrap.h Sun Oct 27 16:07:18 2002 @@ -46,6 +46,7 @@ struct passwd *mm_getpwnamallow(const char *); char *mm_auth2_read_banner(void); int mm_auth_password(struct Authctxt *, char *); +int mm_auth_change_password(struct Authctxt *, char *, char *); int mm_key_allowed(enum mm_keytype, char *, char *, Key *); int mm_user_key_allowed(struct passwd *, Key *); int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *); diff -ru openssh-3.5p1.orig/openbsd-compat/port-aix.c openssh-3.5p1-passexpire/openbsd-compat/port-aix.c --- openssh-3.5p1.orig/openbsd-compat/port-aix.c Sun Jul 7 12:17:36 2002 +++ openssh-3.5p1-passexpire/openbsd-compat/port-aix.c Sun Oct 27 19:20:33 2002 @@ -24,11 +24,15 @@ * */ #include "includes.h" +#include "misc.h" +#include "log.h" #ifdef _AIX #include #include <../xmalloc.h> +#include +#include /* * AIX has a "usrinfo" area where logname and other stuff is stored - 
@@ -52,5 +56,74 @@ xfree(cp); } -#endif /* _AIX */ +#ifdef WITH_AIXAUTHENTICATE + +/* + * Remove embedded newlines in string (if any). + * Used before logging messages returned by AIX authentication functions + * so the message is logged on one line. + */ +void +aix_remove_embedded_newlines(char *p) +{ + if (p == NULL) + return; + + for (; *p; p++) { + if (*p == '\n') + *p = ' '; + } + /* Remove trailing newline */ + *--p = '\0'; +} + +/* + * aix_change_password: AIX password change routine + */ +int +aix_change_password(struct passwd *pw, const char *oldpassword, const char *newpassword) +{ + struct userpw *upw; + + debug("userauth_change_password: changing password for %s", pw->pw_name); + + if (setpwdb(S_READ|S_WRITE) == -1) { + debug("Couldn't open authentication database: %s", strerror(errno)); + return 0; + } + + if ((upw = getuserpw(pw->pw_name)) == NULL) { + debug("Couldn't get user details for %s: %s", + pw->pw_name, strerror(errno)); + enduserdb(); + return 0; + } + + /* + * Validate current password. 
Because we should never be called before the user + * has been successfully authenticated, failure here is fatal + */ + if (strcmp(upw->upw_passwd, crypt(oldpassword, upw->upw_passwd)) != 0) + fatal("aix_change_password: old password does not match database"); + + upw->upw_passwd = crypt(newpassword, upw->upw_passwd); + pw->pw_passwd = upw->upw_passwd; + upw->upw_flags &= ~PW_ADMCHG; /* clear password change flag */ + if (putuserpw(upw) == -1) { + debug("Couldn't update user details for %s: %s", + pw->pw_name, strerror(errno)); + enduserdb(); + return 0; + } + if(enduserdb() == -1) { + debug("Error closing authentication database: %s", + strerror(errno)); + return 0; + } + return 1; +} + +#endif /* WITH_AIXAUTHENTICATE */ + +#endif /* _AIX */ diff -ru openssh-3.5p1.orig/openbsd-compat/port-aix.h openssh-3.5p1-passexpire/openbsd-compat/port-aix.h --- openssh-3.5p1.orig/openbsd-compat/port-aix.h Sun Jul 7 12:17:36 2002 +++ openssh-3.5p1-passexpire/openbsd-compat/port-aix.h Sun Oct 27 18:06:14 2002 @@ -25,5 +25,12 @@ */ #ifdef _AIX + void aix_usrinfo(struct passwd *pw); + +#ifdef WITH_AIXAUTHENTICATE +void aix_remove_embedded_newlines(char *); +int aix_change_password(struct passwd *, const char *, const char *); +#endif + #endif /* _AIX */ diff -ru openssh-3.5p1.orig/session.c openssh-3.5p1-passexpire/session.c --- openssh-3.5p1.orig/session.c Thu Sep 26 10:38:50 2002 +++ openssh-3.5p1-passexpire/session.c Sun Oct 27 21:31:31 2002 @@ -103,8 +103,12 @@ #define MAX_SESSIONS 10 Session sessions[MAX_SESSIONS]; +void do_tty_change_password(struct passwd *); +extern int password_change_required; +extern char *password_expire_message; + #ifdef WITH_AIXAUTHENTICATE -char *aixloginmsg; +char *aixloginmsg; /* message returned by loginsuccess() */ #endif /* WITH_AIXAUTHENTICATE */ #ifdef HAVE_LOGIN_CAP 
@@ -461,6 +465,12 @@ "TTY available"); #endif /* USE_PAM */ +#ifdef WITH_AIXAUTHENTICATE + if (!compat20 && password_change_required) + packet_disconnect("Password change required but no " + "TTY available"); +#endif /* WITH_AIXAUTHENTICATE */ + /* Fork the child. */ if ((pid = fork()) == 0) { fatal_remove_all_cleanups(); @@ -757,6 +767,11 @@ } #endif + if (!compat20 && password_change_required) { + printf("%s\n", password_expire_message); + do_tty_change_password(pw); + } + if (check_quietlogin(s, command)) return; @@ -764,9 +779,18 @@ if (!is_pam_password_change_required()) print_pam_messages(); #endif /* USE_PAM */ + + if (password_expire_message && *password_expire_message) { + if (!password_change_required) + printf("%s\n", password_expire_message); + xfree(password_expire_message); + } + #ifdef WITH_AIXAUTHENTICATE - if (aixloginmsg && *aixloginmsg) + if (aixloginmsg && *aixloginmsg) { printf("%s\n", aixloginmsg); + xfree(aixloginmsg); + } #endif /* WITH_AIXAUTHENTICATE */ #ifndef NO_SSH_LASTLOG From markus at openbsd.org Sun Oct 27 23:20:04 2002 
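Review bot: in the auth-passwd.c hunk adding do_tty_change_password(), the child ignores the return value of `setuid(pw->pw_uid)`; if that call fails, /usr/bin/passwd is exec'd with the caller's privileges, so a failed setuid() should be fatal (and the gid and supplementary groups should be dropped as well). The parent then tests `WEXITSTATUS(status)` without first checking `WIFEXITED(status)`: a passwd killed by a signal yields WEXITSTATUS 0, so the login proceeds although the password was never changed. Use `if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)`, and log WEXITSTATUS(status) rather than the raw `status` in the message; the comment "Passwd exited abnormally" also does not match a test that fires on any non-zero exit.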
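Review bot: in the auth.c shadow-expiry hunk, replacing the two `return 0;` with `password_change_required = 1` changes the outcome on non-AIX builds: only the WITH_AIXAUTHENTICATE branch of auth_password() returns 2, and session.c runs do_tty_change_password() only when `!compat20`, so with shadow expiry an expired account is now admitted over protocol 2 (and the message is not even printed, because `!password_change_required` is false) where the old code refused it. Until the generic auth_password() path returns 2 and the protocol-2 change is wired up for it, keep `return 0;` for the non-AIX case. Also, `sp_lstchg == 0` makes the aged-password test true as well, so both xstrdup() calls run and the first string leaks; make the second test an `else if`.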
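Review bot: in the auth.c WITH_AIXAUTHENTICATE hunk, `expiremsg` is declared without an initialiser and in the `default:` case is only assigned when `password_expire_message` is non-empty; otherwise an indeterminate pointer reaches both log() and `if (expiremsg) xfree(expiremsg)`. Declare it as `char *expiremsg = NULL;`. The `debug("passwdexpired() returned %d", passexpcode)` line appears twice, and on the `return 0` paths `password_expire_message` itself is never freed. The new `pw->pw_uid != 0` test also means loginrestrictions() is no longer consulted for root at all; the comment gives the rationale, but that behaviour change belongs in the commit message too.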
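Review bot: in the auth2-passwd.c hunk, the `memset(npassword, 0, nlen); xfree(npassword);` cleanup sits inside the `if (authctxt->valid && ... auth_password(...))` block, so when the old password is wrong or the user is invalid the client's new password is neither zeroed nor freed; move that cleanup next to the existing `memset(password, 0, len)`. Separately, when auth_password() returns 1 and the client-requested change then fails, `authenticated` stays 1 and the login succeeds even though the requested change did not happen; setting it to 2 (so userauth_finish() re-sends SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ) or to 0 would be the conservative choice, and note that neither outcome counts toward AUTH_FAIL_MAX, since userauth_finish() only increments `failures` in its final else branch. Nothing in this path validates the new password against any policy before auth_change_password() stores it.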
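Review bot: in the auth2.c userauth_finish() hunk, `password_expire_message = (char *)default_prompt;` makes the global alias a static const array, and the session.c hunk at do_login later runs `xfree(password_expire_message)` whenever the message is non-empty, so a protocol-2 login whose only expiry message was the default prompt ends with free() on a non-heap pointer. Use `xstrdup(default_prompt)` there, or never free the default. In the same session.c region, `printf("%s\n", password_expire_message)` in the `!compat20 && password_change_required` branch is not NULL-checked, and the no-TTY `packet_disconnect()` is still under `#ifdef WITH_AIXAUTHENTICATE` although the flag is now defined in auth.c and set by the shadow code as well, while the do_tty_change_password() call beside it is unconditional; the two guards should match.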
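Review bot: the monitor.c hunk adding mm_answer_auth_change_password() still declares `int changed;` without an initialiser, as in the previous version of the patch, so a request that fails the `options.password_authentication && authctxt->valid` guard sends an indeterminate value back as MONITOR_ANS_CHPASS; initialise it to 0. The port-aix.c hunk likewise keeps the `*--p = '\0';` underflow on an empty string in aix_remove_embedded_newlines() and, in aix_change_password(), the reuse of the old hash as the salt for `crypt(newpassword, upw->upw_passwd)` together with leaving `upw->upw_passwd` and `pw->pw_passwd` pointing at crypt()'s static buffer. The new old-password check is the right addition, but if authenticate() was backed by a registry other than the local one, `upw_passwd` may not hold the hash that was actually checked, so a mismatch there might better be a logged failure than fatal().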
From: markus at openbsd.org (Markus Friedl)
Date: Sun, 27 Oct 2002 13:20:04 +0100
Subject: Question regarding encryption
In-Reply-To:
References:
Message-ID: <20021027122004.GC4141@folly>

it's supported, but the client requests the same methods for both directions.

On Fri, Oct 25, 2002 at 05:28:44PM -0700, M.B. Gowrishankar wrote:
> Hi,
>
> According to IETF draft draft-ietf-secsh-transport-14.txt, different
> ciphers (encryption), MAC and compression can be used for one direction, say
> server-to-client, and a completely different cipher, MAC and compression for
> the other direction, client-to-server, of the same connection.
>
> Is this supported today in OpenSSH, and if not, are there plans to support
> it in any future releases of the code? If so, in which release is it
> planned?
>
> thanks
> Gowrishankar

From mouring at etoh.eviladmin.org Mon Oct 28 15:53:43 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sun, 27 Oct 2002 22:53:43 -0600 (CST)
Subject: [PATCH #6] AIX password expiration
In-Reply-To: <3DBBD65A.1AD9F636@zip.com.au>
Message-ID:

Ok.. I've spent some time converting this to OpenBSD (still mucking with
bsd_auth. It is not being friendly to me. =).

A few things.

1. How many UNIXes actually say 'expired' vs 'force changed'? Solaris does
not. I'd prefer to drop it (in the ported code I have) unless there is a
good reason.

2. For userauth_passwd() can we simplify the code down to:

[..]
	packet_check_eom();

-	if (authctxt->valid &&
-	    PRIVSEP(auth_password(authctxt, password)) == 1)
-		authenticated = 1;
+	if (authctxt->valid) {
+		authenticated = PRIVSEP(auth_password(authctxt, password));
+		if (change) {
[..]

Note: I'm using the original 'change' variable and this is the OpenBSD code,
so the Cygwin bit would be in there.

What I'm doing is this. I'm splitting the patch into v2 (against OpenBSD),
v1 (against OpenBSD) and AIX only. I'm done with the v2 part except to get
bsd_auth to tell me expired vs invalid/locked account. Really need to find
a tutorial on bsd_auth.

- Ben

On Sun, 27 Oct 2002, Darren Tucker wrote:

> Darren Tucker wrote:
> > I had trouble with monitor dropping out of its initial loop too early,
> > hopefully I've got that right now.
>
> I didn't. I broke protocol 1. Fixed in this patch. (Really!) I also
> added code to set the expire flag from the shadow although this won't
> work yet.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

From bugzilla-daemon at mindrot.org Mon Oct 28 20:53:37 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 28 Oct 2002 20:53:37 +1100 (EST)
Subject: [Bug 164] X-forwarding when connecting to an IPv6-enabled host doesn't work.
Message-ID: <20021028095337.4F9213D15B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=164

------- Additional Comments From markus at openbsd.org 2002-10-28 20:53 -------
i think itojun said that there are X11 over IPv6 implementations.

From markus at openbsd.org Mon Oct 28 20:53:53 2002
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 28 Oct 2002 10:53:53 +0100
Subject: [PATCH #6] AIX password expiration
In-Reply-To: <3DBBD65A.1AD9F636@zip.com.au>
References: <3DBA4561.776600AF@zip.com.au> <3DBB951F.89DACCC9@zip.com.au> <3DBBD65A.1AD9F636@zip.com.au>
Message-ID: <20021028095353.GB32215@folly>

i don't think there is a portable way for setting passwords, so making sure
/usr/bin/passwd is executed (no shells involved) and disallowing all other
channels is the only portable thing we could do.

-m

From pekkas at netcore.fi Mon Oct 28 21:03:26 2002
From: pekkas at netcore.fi (Pekka Savola) Date: Mon, 28 Oct 2002 12:03:26 +0200 (EET) Subject: [Bug 164] X-forwarding when connecting to an IPv6-enabled host doesn't work. In-Reply-To: <20021028095337.4F9213D15B@shitei.mindrot.org> Message-ID: In any case, I'd like to see demonstrated failures. SSH over IPv6 + X-forwarding works just fine for me... On Mon, 28 Oct 2002 bugzilla-daemon at mindrot.org wrote: > http://bugzilla.mindrot.org/show_bug.cgi?id=164 > > > > > > ------- Additional Comments From markus at openbsd.org 2002-10-28 20:53 ------- > i think itojun said that there are X11 over IPv6 implementations. > > > > ------- You are receiving this mail because: ------- > You are the assignee for the bug, or are watching the assignee. > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From dtucker at zip.com.au Mon Oct 28 21:21:04 2002 
From: dtucker at zip.com.au (Darren Tucker) Date: Mon, 28 Oct 2002 21:21:04 +1100 Subject: [PATCH #6] AIX password expiration References: <3DBA4561.776600AF@zip.com.au> <3DBB951F.89DACCC9@zip.com.au> <3DBBD65A.1AD9F636@zip.com.au> <20021028095353.GB32215@folly> Message-ID: <3DBD0F90.76CF0D14@zip.com.au> Markus Friedl wrote: > i don't think there is a portable way for setting > passwords So I've been discovering... > so making sure /usr/bin/passwd is executed > (no shells involved) and disallowing all other > channels is the only portable thing we could do. Protocol 2 requires the password to be changed before the session is established, and using /usr/bin/passwd would need a tty. Are you talking about implementing a subset of "expect" or changing the password in the session for protocol 2 too? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From cjwatson at debian.org Mon Oct 28 22:54:35 2002 
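The protocol 2 constraint Darren describes above (the password has to be changed inside the userauth exchange, before any session exists) is easiest to see on the wire. The following is an added example, not code from the thread or from OpenSSH: it encodes and parses the SSH2 "password" request with and without the change flag, and the server's PASSWD_CHANGEREQ reply, as RFC 4252 section 8 lays them out. The message numbers match OpenSSH's ssh2.h; the buffer type, struct and helper names are this example's own.

```c
/* Added example (not OpenSSH code): the SSH2 password exchange with and
 * without the change flag, plus the server's PASSWD_CHANGEREQ, laid out as in
 * RFC 4252 section 8. Message numbers match OpenSSH's ssh2.h; the buffer type
 * and helper names are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSH2_MSG_USERAUTH_REQUEST          50
#define SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ 60

struct sshbuf { unsigned char data[1024]; size_t len, off; };

static int put_byte(struct sshbuf *b, unsigned char c)
{
    if (b->len + 1 > sizeof(b->data)) return -1;
    b->data[b->len++] = c;
    return 0;
}

/* SSH "string": uint32 big-endian length, then the raw bytes (no NUL). */
static int put_string(struct sshbuf *b, const char *s)
{
    size_t n = strlen(s);
    if (b->len + 4 + n > sizeof(b->data)) return -1;
    b->data[b->len++] = (unsigned char)(n >> 24);
    b->data[b->len++] = (unsigned char)(n >> 16);
    b->data[b->len++] = (unsigned char)(n >> 8);
    b->data[b->len++] = (unsigned char)n;
    memcpy(b->data + b->len, s, n);
    b->len += n;
    return 0;
}

static int get_byte(struct sshbuf *b, unsigned char *c)
{
    if (b->off >= b->len) return -1;
    *c = b->data[b->off++];
    return 0;
}

/* Bounds-checked read: a length running past the packet or past the
 * destination is an error, never a partial copy. */
static int get_string(struct sshbuf *b, char *out, size_t outsz)
{
    uint32_t n;
    if (b->len - b->off < 4) return -1;
    n = ((uint32_t)b->data[b->off] << 24) | ((uint32_t)b->data[b->off + 1] << 16) |
        ((uint32_t)b->data[b->off + 2] << 8) | (uint32_t)b->data[b->off + 3];
    b->off += 4;
    if (n > b->len - b->off || n >= outsz) return -1;
    memcpy(out, b->data + b->off, n);
    out[n] = '\0';
    b->off += n;
    return 0;
}

struct password_request {
    char user[64];
    int change;            /* client set the change flag */
    char password[128];    /* the current (old) password */
    char newpassword[128]; /* meaningful only when change == 1 */
};

/* Client side. newpw == NULL: plain password auth (boolean FALSE, one
 * string). Otherwise the change form (boolean TRUE, old then new password). */
int build_password_request(struct sshbuf *b, const char *user,
    const char *oldpw, const char *newpw)
{
    memset(b, 0, sizeof(*b));
    if (put_byte(b, SSH2_MSG_USERAUTH_REQUEST) || put_string(b, user) ||
        put_string(b, "ssh-connection") || put_string(b, "password") ||
        put_byte(b, newpw != NULL) || put_string(b, oldpw))
        return -1;
    return newpw != NULL ? put_string(b, newpw) : 0;
}

/* Server side, the shape sshd's userauth_passwd() has to follow: read the
 * flag first, read the second string only if it is set, then insist that
 * nothing is left over (what packet_check_eom() does in sshd). */
int parse_password_request(struct sshbuf *b, struct password_request *r)
{
    unsigned char type, flag;
    char service[32], method[32];

    memset(r, 0, sizeof(*r));
    b->off = 0;
    if (get_byte(b, &type) || type != SSH2_MSG_USERAUTH_REQUEST ||
        get_string(b, r->user, sizeof(r->user)) ||
        get_string(b, service, sizeof(service)) ||
        get_string(b, method, sizeof(method)) || strcmp(method, "password") ||
        get_byte(b, &flag) || get_string(b, r->password, sizeof(r->password)))
        return -1;
    r->change = flag != 0;
    if (r->change && get_string(b, r->newpassword, sizeof(r->newpassword)))
        return -1;
    return b->off == b->len ? 0 : -1;
}

/* Server side: what sshd sends instead of SUCCESS when the password has
 * expired. The empty language tag is what the auth2.c hunk in the thread sends. */
int build_changereq(struct sshbuf *b, const char *prompt)
{
    memset(b, 0, sizeof(*b));
    if (put_byte(b, SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ) ||
        put_string(b, prompt) || put_string(b, ""))
        return -1;
    return 0;
}
```

The parser reads the boolean before deciding whether a second string follows and rejects trailing bytes, which is the property a server implementation needs so that a client cannot smuggle an extra string past the flag.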
From: cjwatson at debian.org (Colin Watson) Date: Mon, 28 Oct 2002 11:54:35 +0000 Subject: [Bug 164] X-forwarding when connecting to an IPv6-enabled host doesn't work. In-Reply-To: Message-ID: In article on openssh-unix-dev, Pekka Savola wrote: >In any case, I'd like to see demonstrated failures. > >SSH over IPv6 + X-forwarding works just fine for me... The two we've had reported (and which I can reproduce here) are: http://bugs.debian.org/152545 http://bugs.debian.org/153154 In brief, $DISPLAY is set to 'localhost:10.0' but ssh binds to ::1:6010; ::1 is ip6-localhost here, not localhost. Even if I did have an X11 over IPv6 implementation, the incorrect $DISPLAY would prevent it being used. Perhaps it could be configurable whether X11 forwarding uses IPv6. $ uname -a Linux eurydice 2.4.20-pre10 #1 Fri Oct 11 19:25:05 BST 2002 i686 AMD Duron(tm) Processor AuthenticAMD GNU/Linux $ ssh -6 -X ::1 colinw@::1's password: [...] $ ping6 localhost unknown host $ ping6 ip6-localhost PING ip6-localhost(ip6-localhost) 56 data bytes 64 bytes from ip6-localhost: icmp_seq=1 ttl=64 time=0.056 ms [...] $ netstat -an | grep 6010 tcp 0 0 ::1:6010 :::* LISTEN $ xterm xterm Xt error: Can't open display: localhost:10.0 $ DISPLAY=ip6-localhost:10.0 xterm _X11TransSocketINETConnect: Can't get address for ip6-localhost xterm Xt error: Can't open display: ip6-localhost:10.0 Thanks, -- Colin Watson [cjwatson at flatline.org.uk] From dtucker at zip.com.au Mon Oct 28 22:57:46 2002 
From: dtucker at zip.com.au (Darren Tucker) Date: Mon, 28 Oct 2002 22:57:46 +1100 Subject: [PATCH #7] AIX password expiration References: Message-ID: <3DBD263A.CF581242@zip.com.au> Ben Lindstrom wrote: > What I'm doing is this. I'm splitting the patch into v2 (against > OpenBSD), v1 (against OpenBSD) and AIX only. I'm done with the v2 part > except to get bsd_auth to tell me expired vs invalid/locked account. > Really need to find a tutorial on bsd_auth. I haven't merged the changes mentioned yet, but here's something else: this patch adds /etc/shadow-style password expiration without PAM. Tested on Solaris 8 and Redhat 8. May work on other platforms using shadow passwords. -Daz. $ ssh -p 2022 localhost -l testuser testuser at localhost's password: You must change your password now. Enter testuser at localhost's old password: Enter testuser at localhost's new password: Retype testuser at localhost's new password: [snip] $ uname -sr SunOS 5.8 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- diff -ru openssh-3.5p1.orig/auth-pam.c openssh-3.5p1-passexpire/auth-pam.c --- openssh-3.5p1.orig/auth-pam.c Mon Jul 29 06:24:08 2002 +++ openssh-3.5p1-passexpire/auth-pam.c Mon Oct 28 13:09:15 2002 @@ -60,7 +60,7 @@ /* states for do_pam_conversation() */ enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN; /* remember whether pam_acct_mgmt() returned PAM_NEW_AUTHTOK_REQD */ -static int password_change_required = 0; +extern int password_change_required; /* remember whether the last pam_authenticate() succeeded or not */ static int was_authenticated = 0; diff -ru openssh-3.5p1.orig/auth-passwd.c openssh-3.5p1-passexpire/auth-passwd.c --- openssh-3.5p1.orig/auth-passwd.c Thu Sep 26 09:14:16 2002 +++ openssh-3.5p1-passexpire/auth-passwd.c Mon Oct 28 22:36:04 2002 
@@ -42,6 +42,8 @@ #include "log.h" #include "servconf.h" #include "auth.h" +#include "misc.h" +#include "xmalloc.h" #if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) /* Don't need any of these headers for the PAM or SIA cases */ @@ -81,13 +83,15 @@ #endif /* !USE_PAM && !HAVE_OSF_SIA */ extern ServerOptions options; +extern int password_change_required; #ifdef WITH_AIXAUTHENTICATE extern char *aixloginmsg; #endif /* - * Tries to authenticate the user using password. Returns true if - * authentication succeeds. + * Tries to authenticate the user using password. Returns true (1) if + * authentication succeeds, (2) if authentication succeeds but password + * change required. */ int auth_password(Authctxt *authctxt, const char *password) @@ -149,14 +153,25 @@ #endif #ifdef WITH_AIXAUTHENTICATE authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); + aix_remove_embedded_newlines(authmsg); - if (authsuccess) + if (authsuccess) { + debug("authenticate() succeeded for user %s: %.100s", pw->pw_name, authmsg); /* We don't have a pty yet, so just label the line as "ssh" */ if (loginsuccess(authctxt->user, get_canonical_hostname(options.verify_reverse_mapping), "ssh", &aixloginmsg) < 0) aixloginmsg = NULL; + } else { + debug("authenticate() failed for user %s: %.100s", pw->pw_name, authmsg); + } + if (authmsg) + xfree(authmsg); + debug("auth_password: authsuccess = %d", authsuccess); + if (authsuccess && password_change_required) { + return 2; + } return(authsuccess); #endif #ifdef KRB4 
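Review bot: in the WITH_AIXAUTHENTICATE branch of auth_password(), `authmsg` is passed to `debug("... %.100s", pw->pw_name, authmsg)` on both the success and the failure path without a NULL check, even though the code immediately below only frees it under `if (authmsg)`; passing NULL to %s is undefined behaviour and crashes on some libcs. Use `authmsg ? authmsg : ""` in both debug calls or move them inside the `if (authmsg)` block. The rewritten comment above auth_password() ("Returns true (1) if ... (2) if ...") should spell out the three possible results, 0, 1 and 2, since callers that still compare `== 1` will silently treat the expired case as a failure.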
@@ -230,6 +245,188 @@ #endif /* HAVE_MD5_PASSWORDS */ /* Authentication is accepted if the encrypted passwords are identical. */ - return (strcmp(encrypted_password, pw_password) == 0); + if (strcmp(encrypted_password, pw_password) == 0) { + if (password_change_required) { + debug("auth_password: password expired"); + return 2; + } else { + debug("auth_password: not expired"); + return 1; + } + } + return 0; #endif /* !USE_PAM && !HAVE_OSF_SIA */ } + +/* password change for protocol 2 */ +int +auth_change_password(Authctxt *authctxt, const char *oldpasswd, const char *newpasswd) +{ +#ifdef WITH_AIXAUTHENTICATE + return aix_change_password(authctxt->pw, oldpasswd, newpasswd); +#endif +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) + return shadow_change_password(authctxt->pw, oldpasswd, newpasswd); +#endif + return 0; +} + + +/* + * generic password change routine. requires session established and tty alloced + * Like do_pam_chauthtok(), it throws a fatal error if the password can't be changed. 
+ */ + +void +do_tty_change_password(struct passwd *pw) +{ + pid_t pid; + int status; + mysig_t old_signal; + + old_signal = mysignal(SIGCHLD, SIG_DFL); + + if ((pid = fork()) == -1) + fatal("Couldn't fork: %s", strerror(errno)); + + if (pid == 0) { + setuid(pw->pw_uid); + execl("/usr/bin/passwd","passwd",pw->pw_name, + (char *)NULL); + /* execl shouldn't return */ + fatal("Couldn't exec /usr/bin/passwd"); + exit(1); + } + + if (waitpid(pid, &status, 0) == -1) + fatal("Couldn't wait for child: %s", strerror(errno)); + + if (WEXITSTATUS(status)) /* Passwd exited abnormally */ + fatal("Failed to change password for %s, passwd returned %d", pw->pw_name, status); + + mysignal(SIGCHLD, old_signal); +} + +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) + +#define SHADOW_TEMPFILE SHADOW ".tmp" +#ifdef OSHADOW +# define SHADOW_OLDPASSFILE OSHADOW +#else +# define SHADOW_OLDPASSFILE SHADOW "-" +#endif + +/* + * shadow_change_password: change a password stored in a shadow password file. + * returns 1 if change successful, 0 otherwise. + * always attempts to back out its changes in case of failure. 
+ */ + +int +shadow_change_password(struct passwd *pw, const char *oldpass, const char *newpass) +{ + int changed, replaced; + FILE *oldshadow, *newshadow; + struct spwd *spw; + struct stat statbuf; + mode_t saved_umask; + + saved_umask = umask(0077); + + if (lckpwdf() == -1) { + debug("%s: could not lock password file: %s", __func__, + strerror(errno)); + return 0; + } + + if ((newshadow=fopen(SHADOW_TEMPFILE, "w")) == NULL) { + debug("%s: could not open shadow temp file %s: %s", __func__, + SHADOW_TEMPFILE, strerror(errno)); + goto shadow_cleanup; + } + + if (chmod(SHADOW_TEMPFILE, 0400) == -1 ) { + debug("%s: could not change permissions on %s: %s", __func__, + SHADOW_TEMPFILE, strerror(errno)); + goto shadow_cleanup; + } + + if ((oldshadow=fopen(SHADOW, "r")) == NULL) { + debug("%s: could not open shadow file %s: %s", __func__, + SHADOW, strerror(errno)); + goto shadow_cleanup; + } + + while ((spw=fgetspent(oldshadow)) != NULL) { + if (strcmp(spw->sp_namp, pw->pw_name) == 0) { + if (strcmp(spw->sp_pwdp, crypt(oldpass, spw->sp_pwdp)) != 0) + fatal("%s: Old password doesn't match.", __func__); + spw->sp_pwdp = crypt(newpass, spw->sp_pwdp); + spw->sp_lstchg = time(0) / (24*60*60); + changed = 1; + } + if (putspent(spw, newshadow) < 0) { + debug("%s: error writing shadow file %s: %s", __func__, + SHADOW_TEMPFILE, strerror(errno)); + goto shadow_cleanup; + } + } + + /* check that password was changed, otherwise skip file swapping */ + if (!changed) { + debug("%s: user %s not found in shadow file", __func__, pw->pw_name); + goto shadow_cleanup; + } + + /* + * Swap in new file. Current shadow file becomes oshadow. 
+ */ + + if (unlink(SHADOW_OLDPASSFILE) == -1) { + debug("%s: error unlinking old shadow file %s: %s", __func__, + SHADOW_OLDPASSFILE, strerror(errno)); + } + + if (link(SHADOW, SHADOW_OLDPASSFILE) == -1) { + debug("%s: error linking current shadow file %s to old %s: %s", + __func__, SHADOW, SHADOW_OLDPASSFILE, strerror(errno)); + goto shadow_cleanup; + } + + if (rename(SHADOW_TEMPFILE, SHADOW) == -1) { + debug("%s: error renaming new shadow file %s to old %s: %s", + __func__, SHADOW_TEMPFILE, SHADOW, strerror(errno)); + goto shadow_cleanup; + } else { + replaced = 1; + } + +shadow_cleanup: + if (stat(SHADOW_TEMPFILE, &statbuf) == 0) + if (unlink(SHADOW_TEMPFILE) == -1) + debug("%s: error unlinking shadow temp file %s: %s", + __func__, SHADOW_TEMPFILE, strerror(errno)); + + if (stat(SHADOW, &statbuf) == -1) + if (link(SHADOW_OLDPASSFILE, SHADOW) == -1) + debug("%s: restoring shadow password file %s", + __func__, SHADOW); + + if (oldshadow != NULL && fclose(oldshadow) == EOF) + debug("%s: error closing original shadow file %s: %s", + __func__, SHADOW_TEMPFILE, strerror(errno)); + + if (newshadow != NULL && fclose(newshadow) == EOF) + debug("%s: error closing shadow temp file %s: %s", + __func__, SHADOW_TEMPFILE, strerror(errno)); + + if (ulckpwdf() == -1) { + debug("%s: could not unlock password file", __func__); + } + + umask(saved_umask); + + return (changed && replaced); +} +#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ + diff -ru openssh-3.5p1.orig/auth.c openssh-3.5p1-passexpire/auth.c --- openssh-3.5p1.orig/auth.c Sun Sep 22 01:26:53 2002 +++ openssh-3.5p1-passexpire/auth.c Mon Oct 28 13:09:15 2002 @@ -59,6 +59,10 @@ Buffer auth_debug; int auth_debug_init; +/* Password change flag */ +int password_change_required = 0; +char *password_expire_message = NULL; + /* * Check if the user is allowed to log in via ssh. If user is listed * in DenyUsers or one of user's groups is listed in DenyGroups, false 
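Review bot: in the auth-passwd.c hunk at @@ -230,6 +245,188 @@, shadow_change_password() uses `changed`, `replaced`, `oldshadow` and `newshadow` before they are assigned: any `goto shadow_cleanup` taken before the fopen() calls reaches `if (oldshadow != NULL && fclose(oldshadow))` and `return (changed && replaced)` with uninitialized values, and `changed` is never zeroed on the "user not found" path. Initialize all four at declaration (`int changed = 0, replaced = 0; FILE *oldshadow = NULL, *newshadow = NULL;`). Three more points in the same hunk: `crypt(newpass, spw->sp_pwdp)` reuses the old hash as the salt, so the new password keeps the old salt and should get a freshly generated one; `fatal("%s: Old password doesn't match.")` runs inside the privileged monitor, where returning 0 (already treated as failure by the caller) is preferable to exiting; and in do_tty_change_password() the `setuid()` return value is unchecked with no setgid()/initgroups() before it, while `WEXITSTATUS(status)` is evaluated without `WIFEXITED(status)`, so a passwd killed by a signal yields exit status 0 and is reported as success. Check `!WIFEXITED(status) || WEXITSTATUS(status) != 0`, and log WEXITSTATUS rather than the raw status. The cleanup's "error closing original shadow file %s" also prints SHADOW_TEMPFILE instead of SHADOW.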
@@ -75,9 +79,6 @@ const char *hostname = NULL, *ipaddr = NULL; char *shell; int i; -#ifdef WITH_AIXAUTHENTICATE - char *loginmsg; -#endif /* WITH_AIXAUTHENTICATE */ #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) struct spwd *spw; @@ -106,14 +107,18 @@ if (spw->sp_lstchg == 0) { log("User %.100s password has expired (root forced)", pw->pw_name); - return 0; + password_change_required = 1; + password_expire_message = + xstrdup("Your password has expired (root forced)"); } if (spw->sp_max != -1 && today > spw->sp_lstchg + spw->sp_max) { log("User %.100s password has expired (password aged)", pw->pw_name); - return 0; + password_change_required = 1; + password_expire_message = + xstrdup("Your password has expired"); } } #else 
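Review bot: in the auth.c hunk at @@ -106,14 +107,18 @@, the two expiry tests are no longer mutually exclusive now that neither returns: with `sp_lstchg == 0` and any site-typical sp_max (60 or 90 days), `today > 0 + sp_max` is also true, so password_expire_message is xstrdup()'d twice, the first copy leaks, and two log lines are written for one event. Make the second test an `else if`, or skip to the end of the block once the flag is set. It is also worth a comment that sp_inact and sp_expire are still not consulted, so an account that is past its inactivity window or its absolute expiry date is offered a password change rather than refused.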
@@ -202,19 +207,48 @@ } #ifdef WITH_AIXAUTHENTICATE - if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { - if (loginmsg && *loginmsg) { - /* Remove embedded newlines (if any) */ - char *p; - for (p = loginmsg; *p; p++) { - if (*p == '\n') - *p = ' '; + /* + * Don't check loginrestrictions or expiry for root account (use + * PermitRootLogin to control logins via ssh), or if running as + * non-root user (since loginrestrictions will always fail). + */ + if ( (pw->pw_uid != 0) && (geteuid() == 0) ) { + char *restrictmsg, *expiremsg; + int passexpcode; + + /* check for AIX account restrictions */ + if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &restrictmsg) != 0) { + if (restrictmsg && *restrictmsg) { + aix_remove_embedded_newlines(restrictmsg); + log("Login restricted for %s: %.100s", pw->pw_name, restrictmsg); + xfree(restrictmsg); } - /* Remove trailing newline */ - *--p = '\0'; - log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); + return 0; + } + + /* check for AIX expired account */ + passexpcode = passwdexpired(pw->pw_name, &password_expire_message); + debug("passwdexpired() returned %d", passexpcode); + + switch (passexpcode) { + case 0: /* success, password not expired */ + break; + case 1: /* expired, password change required */ + password_change_required = 1; + break; + default: /* expired too long (2) or other error (-1) */ + /* make local copy of message and remove newlines for logging */ + if (password_expire_message && *password_expire_message) { + expiremsg = xstrdup(password_expire_message); + aix_remove_embedded_newlines(expiremsg); + } + debug("passwdexpired() returned %d", passexpcode); + log("Password expired too long or system failure for user %s: %.100s", + pw->pw_name, expiremsg); + if (expiremsg) + xfree(expiremsg); + return 0; } - return 0; } #endif /* WITH_AIXAUTHENTICATE */ diff -ru openssh-3.5p1.orig/auth.h openssh-3.5p1-passexpire/auth.h --- openssh-3.5p1.orig/auth.h Fri Sep 27 13:26:01 2002 +++ 
openssh-3.5p1-passexpire/auth.h Mon Oct 28 13:10:19 2002 @@ -101,6 +101,10 @@ int auth_rhosts_rsa(struct passwd *, char *, Key *); int auth_password(Authctxt *, const char *); +int auth_change_password(Authctxt *, const char *, const char *); +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) +int shadow_change_password(struct passwd *, const char *, const char *); +#endif int auth_rsa(struct passwd *, BIGNUM *); int auth_rsa_challenge_dialog(Key *); BIGNUM *auth_rsa_generate_challenge(Key *); diff -ru openssh-3.5p1.orig/auth2-passwd.c openssh-3.5p1-passexpire/auth2-passwd.c --- openssh-3.5p1.orig/auth2-passwd.c Fri Jun 7 06:27:56 2002 +++ openssh-3.5p1-passexpire/auth2-passwd.c Mon Oct 28 13:09:15 2002 
@@ -31,28 +31,48 @@ #include "auth.h" #include "monitor_wrap.h" #include "servconf.h" +#include "ssh2.h" /* import */ extern ServerOptions options; +extern int password_change_required; static int userauth_passwd(Authctxt *authctxt) { - char *password; - int authenticated = 0; - int change; - u_int len; - change = packet_get_char(); - if (change) - log("password change not supported"); + char *password, *npassword; + int authenticated = 0, change_requested; + u_int len, nlen; + + change_requested = packet_get_char(); password = packet_get_string(&len); + if (change_requested) { + debug("userauth_passwd: password change requested by client"); + npassword = packet_get_string(&nlen); + } packet_check_eom(); + if (authctxt->valid && #ifdef HAVE_CYGWIN check_nt_auth(1, authctxt->pw) && #endif - PRIVSEP(auth_password(authctxt, password)) == 1) - authenticated = 1; + (authenticated = (PRIVSEP(auth_password(authctxt, password))))) { + debug("auth_password returned %d, pid=%d ppid=%d", + authenticated, getpid(), getppid()); + + /* now that the password has been checked, change password + * if requested by client and revalidate new password */ + if (change_requested) { + if (PRIVSEP(auth_change_password(authctxt, password, npassword))) { + debug("userauth_passwd: password changed successfully"); + authenticated = 1; + } else { + debug("userauth_passwd: password change failed"); + } + memset(npassword, 0, nlen); + xfree(npassword); + } + } memset(password, 0, len); xfree(password); return authenticated; diff -ru openssh-3.5p1.orig/auth2.c openssh-3.5p1-passexpire/auth2.c --- openssh-3.5p1.orig/auth2.c Thu Sep 26 10:38:49 2002 +++ openssh-3.5p1-passexpire/auth2.c Mon Oct 28 13:09:15 2002 @@ -40,6 +40,7 @@ extern ServerOptions options; extern u_char *session_id2; extern int session_id2_len; +extern char *password_expire_message; Authctxt *x_authctxt = NULL; 
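Review bot: in the auth2-passwd.c hunk, `npassword` is only wiped and freed inside the branch where auth_password() succeeded, so when the client sets the change flag and the old password is wrong the new password stays in memory and is leaked; initialize `npassword = NULL`, and move `memset(npassword, 0, nlen); xfree(npassword);` next to the existing cleanup of `password`, guarded by `change_requested`. The comment says the new password is "revalidated" after the change, but nothing re-checks it; either drop that wording or call auth_password() again with `npassword`. Finally, the assignment buried in the `if` condition (`(authenticated = (PRIVSEP(auth_password(...))))`) between the Cygwin `#ifdef` lines is hard to read; assign first, then test.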
@@ -199,6 +200,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) { char *methods; + static const char default_prompt[] = "You must change your password now."; if (!authctxt->valid && authenticated) fatal("INTERNAL ERROR: authenticated invalid user %s", @@ -238,6 +240,15 @@ packet_write_wait(); /* now we can break out */ authctxt->success = 1; + } else if (authenticated == 2 ) { /* password change required */ + if (password_expire_message == NULL) + password_expire_message = (char *)default_prompt; + debug("sending SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ"); + packet_start(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ); + packet_put_cstring(password_expire_message); + packet_put_cstring(""); /* language */ + packet_send(); + packet_write_wait(); } else { if (authctxt->failures++ > AUTH_FAIL_MAX) { packet_disconnect(AUTH_FAIL_MSG, authctxt->user); diff -ru openssh-3.5p1.orig/monitor.c openssh-3.5p1-passexpire/monitor.c --- openssh-3.5p1.orig/monitor.c Fri Sep 27 13:26:02 2002 +++ openssh-3.5p1-passexpire/monitor.c Sun Oct 27 21:49:43 2002 @@ -101,6 +101,7 @@ int mm_answer_auth2_read_banner(int, Buffer *); int mm_answer_authserv(int, Buffer *); int mm_answer_authpassword(int, Buffer *); +int mm_answer_auth_change_password(int, Buffer *); int mm_answer_bsdauthquery(int, Buffer *); int mm_answer_bsdauthrespond(int, Buffer *); int mm_answer_skeyquery(int, Buffer *); @@ -161,6 +162,7 @@ {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, + {MONITOR_REQ_CHPASS, MON_AUTH, mm_answer_auth_change_password}, #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, #endif 
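Review bot: in the auth2.c hunk, `password_expire_message = (char *)default_prompt;` stores a pointer to a static string in a variable that the session.c hunk later passes to xfree(), which will abort or corrupt the heap the first time a shadow-less system takes the default; use `xstrdup(default_prompt)` so every value of password_expire_message is heap-allocated. Also, the `authenticated == 2` branch neither increments `authctxt->failures` nor touches AUTH_FAIL_MAX, so a client that keeps answering SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ with a failing change request is never disconnected; count each CHANGEREQ round as an attempt.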
@@ -267,6 +269,7 @@ /* Permit requests for moduli and signatures */ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_CHPASS, 1); } else { mon_dispatch = mon_dispatch_proto15; @@ -275,8 +278,11 @@ authctxt = authctxt_new(); - /* The first few requests do not require asynchronous access */ - while (!authenticated) { + /* The first few requests do not require asynchronous access + * exit loop if authenticated and password change no required (proto 2) + * or if password correct (proto 1) + */ + while ((compat20 && authenticated != 1) || (!compat20 && !authenticated)) { authenticated = monitor_read(pmonitor, mon_dispatch, &ent); if (authenticated) { if (!(ent->flags & MON_AUTHDECIDE)) @@ -600,13 +606,14 @@ { static int call_count; char *passwd; - int authenticated; + int authenticated = 0; u_int plen; passwd = buffer_get_string(m, &plen); /* Only authenticate if the context is valid */ - authenticated = options.password_authentication && - authctxt->valid && auth_password(authctxt, passwd); + if ( options.password_authentication && authctxt->valid ) + authenticated = auth_password(authctxt, passwd); + memset(passwd, 0, strlen(passwd)); xfree(passwd); 
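Review bot: in the monitor.c hunk at @@ -267,6 +269,7 @@, `monitor_permit(mon_dispatch, MONITOR_REQ_CHPASS, 1)` is granted unconditionally at monitor start for protocol 2, next to the moduli and signature requests, rather than only when `options.password_authentication` is set and a preceding MONITOR_REQ_AUTHPASSWORD answered 2. Since the new table entry is flagged MON_AUTH, the unprivileged child can drive the privileged shadow/AIX password-rewrite path at any point before authentication; permit CHPASS only after the monitor itself has recorded an expired-password result. In the loop hunk at @@ -275,8 +278,11 @@, the condition `(compat20 && authenticated != 1)` keeps looping on a result of 2, but the unchanged `if (authenticated)` block right below still treats 2 like a full success (root and MON_AUTHDECIDE handling), so log and account for the expired case separately.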
@@ -624,6 +631,32 @@ /* Causes monitor loop to terminate if authenticated */ return (authenticated); +} + +int +mm_answer_auth_change_password(int socket, Buffer *m) +{ + char *oldpass, *newpass; + int changed; + + oldpass = buffer_get_string(m, NULL); + newpass = buffer_get_string(m, NULL); + + /* Only attempt if the context is valid */ + if ( options.password_authentication && authctxt->valid ) + changed = auth_change_password(authctxt, oldpass, newpass); + + buffer_clear(m); + buffer_put_int(m, changed); + + mm_request_send(socket, MONITOR_ANS_CHPASS, m); + + memset(oldpass, 0, strlen(oldpass)); + xfree(oldpass); + memset(newpass, 0, strlen(newpass)); + xfree(newpass); + + return changed; } #ifdef BSD_AUTH diff -ru openssh-3.5p1.orig/monitor.h openssh-3.5p1-passexpire/monitor.h --- openssh-3.5p1.orig/monitor.h Fri Sep 27 13:26:02 2002 +++ openssh-3.5p1-passexpire/monitor.h Sun Oct 27 15:36:25 2002 @@ -35,6 +35,7 @@ MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD, + MONITOR_REQ_CHPASS, MONITOR_ANS_CHPASS, MONITOR_REQ_BSDAUTHQUERY, MONITOR_ANS_BSDAUTHQUERY, MONITOR_REQ_BSDAUTHRESPOND, MONITOR_ANS_BSDAUTHRESPOND, MONITOR_REQ_SKEYQUERY, MONITOR_ANS_SKEYQUERY, diff -ru openssh-3.5p1.orig/monitor_wrap.c openssh-3.5p1-passexpire/monitor_wrap.c --- openssh-3.5p1.orig/monitor_wrap.c Fri Sep 27 13:26:03 2002 +++ openssh-3.5p1-passexpire/monitor_wrap.c Sun Oct 27 17:05:03 2002 @@ -256,7 +256,7 @@ buffer_put_cstring(&m, password); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHPASSWORD, &m); - debug3("%s: waiting for MONITOR_ANS_AUTHPASSWORD", __func__); + debug3("%s: waiting for MONITOR_ANS_AUTHPASSWORD (type %d)", __func__, MONITOR_ANS_AUTHPASSWORD); mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTHPASSWORD, &m); authenticated = buffer_get_int(&m); 
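Review bot: in mm_answer_auth_change_password(), `changed` is uninitialized when `options.password_authentication && authctxt->valid` is false, and that garbage is both sent back in MONITOR_ANS_CHPASS and returned as the monitor's authentication decision; declare `int changed = 0;`. The `memset(oldpass, 0, strlen(oldpass))` calls stop at the first NUL byte; pass length pointers to buffer_get_string() (`buffer_get_string(m, &olen)`) and wipe `olen` bytes, as the `plen` variable in mm_answer_authpassword() already makes possible.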
@@ -266,6 +266,32 @@ debug3("%s: user %sauthenticated", __func__, authenticated ? "" : "not "); return (authenticated); +} + +int +mm_auth_change_password(Authctxt *authctxt, char *oldpass, char *newpass) +{ + Buffer m; + int changed = 0; + + debug3("%s entering", __func__); + + buffer_init(&m); + buffer_put_cstring(&m, oldpass); + buffer_put_cstring(&m, newpass); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_CHPASS, &m); + + debug3("%s: waiting for MONITOR_ANS_CHPASS (type %d)", __func__, MONITOR_ANS_CHPASS); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_CHPASS, &m); + + changed = buffer_get_int(&m); + + debug3("%s: password %schanged", + __func__, changed ? "" : "not "); + + buffer_free(&m); + return changed; } int diff -ru openssh-3.5p1.orig/monitor_wrap.h openssh-3.5p1-passexpire/monitor_wrap.h --- openssh-3.5p1.orig/monitor_wrap.h Fri Sep 27 13:26:04 2002 +++ openssh-3.5p1-passexpire/monitor_wrap.h Sun Oct 27 16:07:18 2002 @@ -46,6 +46,7 @@ struct passwd *mm_getpwnamallow(const char *); char *mm_auth2_read_banner(void); int mm_auth_password(struct Authctxt *, char *); +int mm_auth_change_password(struct Authctxt *, char *, char *); int mm_key_allowed(enum mm_keytype, char *, char *, Key *); int mm_user_key_allowed(struct passwd *, Key *); int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *); diff -ru openssh-3.5p1.orig/openbsd-compat/port-aix.c openssh-3.5p1-passexpire/openbsd-compat/port-aix.c --- openssh-3.5p1.orig/openbsd-compat/port-aix.c Sun Jul 7 12:17:36 2002 +++ openssh-3.5p1-passexpire/openbsd-compat/port-aix.c Sun Oct 27 19:20:33 2002 @@ -24,11 +24,15 @@ * */ #include "includes.h" +#include "misc.h" +#include "log.h" #ifdef _AIX #include #include <../xmalloc.h> +#include +#include /* * AIX has a "usrinfo" area where logname and other stuff is stored - 
@@ -52,5 +56,74 @@ xfree(cp); } -#endif /* _AIX */ +#ifdef WITH_AIXAUTHENTICATE + +/* + * Remove embedded newlines in string (if any). + * Used before logging messages returned by AIX authentication functions + * so the message is logged on one line. + */ +void +aix_remove_embedded_newlines(char *p) +{ + if (p == NULL) + return; + + for (; *p; p++) { + if (*p == '\n') + *p = ' '; + } + /* Remove trailing newline */ + *--p = '\0'; +} + +/* + * aix_change_password: AIX password change routine + */ +int +aix_change_password(struct passwd *pw, const char *oldpassword, const char *newpassword) +{ + struct userpw *upw; + + debug("userauth_change_password: changing password for %s", pw->pw_name); + + if (setpwdb(S_READ|S_WRITE) == -1) { + debug("Couldn't open authentication database: %s", strerror(errno)); + return 0; + } + + if ((upw = getuserpw(pw->pw_name)) == NULL) { + debug("Couldn't get user details for %s: %s", + pw->pw_name, strerror(errno)); + enduserdb(); + return 0; + } + + /* + * Validate current password. 
Because we should never be called before the user + * has been successfully authenticated, failure here is fatal + */ + if (strcmp(upw->upw_passwd, crypt(oldpassword, upw->upw_passwd)) != 0) + fatal("aix_change_password: old password does not match database"); + + upw->upw_passwd = crypt(newpassword, upw->upw_passwd); + pw->pw_passwd = upw->upw_passwd; + upw->upw_flags &= ~PW_ADMCHG; /* clear password change flag */ + if (putuserpw(upw) == -1) { + debug("Couldn't update user details for %s: %s", + pw->pw_name, strerror(errno)); + enduserdb(); + return 0; + } + if(enduserdb() == -1) { + debug("Error closing authentication database: %s", + strerror(errno)); + return 0; + } + return 1; +} + +#endif /* WITH_AIXAUTHENTICATE */ + +#endif /* _AIX */ diff -ru openssh-3.5p1.orig/openbsd-compat/port-aix.h openssh-3.5p1-passexpire/openbsd-compat/port-aix.h --- openssh-3.5p1.orig/openbsd-compat/port-aix.h Sun Jul 7 12:17:36 2002 +++ openssh-3.5p1-passexpire/openbsd-compat/port-aix.h Sun Oct 27 18:06:14 2002 @@ -25,5 +25,12 @@ */ #ifdef _AIX + void aix_usrinfo(struct passwd *pw); + +#ifdef WITH_AIXAUTHENTICATE +void aix_remove_embedded_newlines(char *); +int aix_change_password(struct passwd *, const char *, const char *); +#endif + #endif /* _AIX */ diff -ru openssh-3.5p1.orig/session.c openssh-3.5p1-passexpire/session.c --- openssh-3.5p1.orig/session.c Thu Sep 26 10:38:50 2002 +++ openssh-3.5p1-passexpire/session.c Sun Oct 27 21:31:31 2002 @@ -103,8 +103,12 @@ #define MAX_SESSIONS 10 Session sessions[MAX_SESSIONS]; +void do_tty_change_password(struct passwd *); +extern int password_change_required; +extern char *password_expire_message; + #ifdef WITH_AIXAUTHENTICATE -char *aixloginmsg; +char *aixloginmsg; /* message returned by loginsuccess() */ #endif /* WITH_AIXAUTHENTICATE */ #ifdef HAVE_LOGIN_CAP 
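Review bot: in the port-aix.c hunk at @@ -52,5 +56,74 @@, aix_remove_embedded_newlines() ends with `*--p = '\0'`, which chops the last character whether or not it is a newline and, for an empty string, writes one byte before the buffer; strip only when `p > start && p[-1] == '\n'` (the function is now called on every authenticate() message, so the empty case is reachable). In aix_change_password(), `crypt(newpassword, upw->upw_passwd)` reuses the old salt, `pw->pw_passwd = upw->upw_passwd` leaves pw pointing at crypt()'s static buffer that the next crypt() call overwrites, and the debug message names `userauth_change_password` rather than this function; use `__func__`.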
@@ -461,6 +465,12 @@ "TTY available"); #endif /* USE_PAM */ +#ifdef WITH_AIXAUTHENTICATE + if (!compat20 && password_change_required) + packet_disconnect("Password change required but no " + "TTY available"); +#endif /* WITH_AIXAUTHENTICATE */ + /* Fork the child. */ if ((pid = fork()) == 0) { fatal_remove_all_cleanups(); @@ -757,6 +767,11 @@ } #endif + if (!compat20 && password_change_required) { + printf("%s\n", password_expire_message); + do_tty_change_password(pw); + } + if (check_quietlogin(s, command)) return; @@ -764,9 +779,18 @@ if (!is_pam_password_change_required()) print_pam_messages(); #endif /* USE_PAM */ + + if (password_expire_message && *password_expire_message) { + if (!password_change_required) + printf("%s\n", password_expire_message); + xfree(password_expire_message); + } + #ifdef WITH_AIXAUTHENTICATE - if (aixloginmsg && *aixloginmsg) + if (aixloginmsg && *aixloginmsg) { printf("%s\n", aixloginmsg); + xfree(aixloginmsg); + } #endif /* WITH_AIXAUTHENTICATE */ #ifndef NO_SSH_LASTLOG From pekkas at netcore.fi Mon Oct 28 23:16:09 2002 
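Review bot: in the auth.c hunk at @@ -202,19 +207,48 @@, `expiremsg` is only assigned when password_expire_message is non-empty, but the `default:` case then passes it to log() and `if (expiremsg) xfree(expiremsg)` unconditionally, so a NULL or empty message from passwdexpired() reads and frees an uninitialized pointer; initialize `expiremsg = NULL` and print a placeholder when it is NULL. The `debug("passwdexpired() returned %d", passexpcode)` line is emitted twice on that path. Note also that the whole block is skipped for uid 0, as the comment says, so with PermitRootLogin yes an expired root password logs in without any change prompt.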
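Review bot: in the session.c hunks, the "Password change required but no TTY available" disconnect at @@ -461,6 +465,12 @@ is wrapped in `#ifdef WITH_AIXAUTHENTICATE`, but password_change_required is now also set by the shadow code in auth.c, so on a shadow-only system a protocol 1 client that requests no pty gets a session without ever running passwd; drop the ifdef or tie it to the same condition as the auth.c code. At @@ -757,6 +767,11 @@, `printf("%s\n", password_expire_message)` runs before the `password_expire_message && *password_expire_message` check that the following hunk applies, so a NULL message (passwdexpired() returning 1 without text) goes through %s; reuse the same guard. The prototype `void do_tty_change_password(struct passwd *);` belongs in auth.h next to auth_change_password() rather than as a local declaration here.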
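Darren's message above describes the patch as adding /etc/shadow-style password expiration, and the aging arithmetic is the part most easily got wrong. The following is an added example, not code from the patch or from OpenSSH: the shadow aging rules as one pure function over the struct spwd fields (in days, with -1 meaning "not set" as getspnam(3) returns them). The struct, enum and function names are this example's own, and it deliberately goes further than the auth.c hunk by also applying sp_inact and sp_expire, so an account whose password has been expired for too long, or whose absolute expiry date has passed, is refused rather than prompted.

```c
/* Added example (not from the patch): the /etc/shadow password-aging rules
 * as a single pure function. Fields mirror struct spwd, in days, with -1 for
 * "not set" as getspnam(3) returns them; names and the enum are this
 * example's own. Unlike the auth.c hunk it also applies sp_inact and
 * sp_expire. */
#include <time.h>

enum pw_state {
    PW_OK = 0,              /* log in normally */
    PW_CHANGE_REQUIRED = 1, /* log in, but force a password change first */
    PW_LOCKED = 2           /* refuse the login outright */
};

struct shadow_aging {
    long lstchg; /* day of last change; 0 = change on next login (passwd -e) */
    long max;    /* max days a password stays valid; -1 = no limit */
    long inact;  /* grace days after max during which a change is still allowed */
    long expire; /* absolute account expiry day; -1 = never */
};

/* Same unit the shadow file uses: days since the epoch. */
long today_in_days(void)
{
    return (long)(time(NULL) / (24 * 60 * 60));
}

enum pw_state check_password_aging(const struct shadow_aging *a, long today)
{
    /* Account-level expiry wins over everything else: no change is offered. */
    if (a->expire != -1 && today >= a->expire)
        return PW_LOCKED;
    /* An empty sp_lstchg means aging is disabled for this entry. */
    if (a->lstchg == -1)
        return PW_OK;
    /* The administrator forced a change (chage -d 0 / passwd -e). */
    if (a->lstchg == 0)
        return PW_CHANGE_REQUIRED;
    /* Still inside sp_max, or no maximum at all. */
    if (a->max == -1 || today <= a->lstchg + a->max)
        return PW_OK;
    /* Past sp_max: a change is only allowed inside the inactivity window. */
    if (a->inact != -1 && today > a->lstchg + a->max + a->inact)
        return PW_LOCKED;
    return PW_CHANGE_REQUIRED;
}

/* Scalar wrapper for callers (and tests) that do not want to build the struct. */
enum pw_state pw_state_for(long lstchg, long max, long inact, long expire,
    long today)
{
    struct shadow_aging a = { lstchg, max, inact, expire };
    return check_password_aging(&a, today);
}

/* Text a server would put in SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ or print on
 * the tty. Returned as a constant so nobody is tempted to free it. */
const char *pw_state_message(enum pw_state s)
{
    switch (s) {
    case PW_CHANGE_REQUIRED:
        return "Your password has expired; you must change it now.";
    case PW_LOCKED:
        return "Your account or password has expired; contact the administrator.";
    default:
        return "";
    }
}
```

The "today > lstchg + max" comparison matches the patch's test in auth.c; the inactivity and account-expiry checks are the ones passwd(1) itself applies and which a server that forces a change on every expired password would otherwise bypass.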
From: pekkas at netcore.fi (Pekka Savola) Date: Mon, 28 Oct 2002 14:16:09 +0200 (EET) Subject: [Bug 164] X-forwarding when connecting to an IPv6-enabled host doesn't work. In-Reply-To: Message-ID: On Mon, 28 Oct 2002, Colin Watson wrote: > In article > on openssh-unix-dev, Pekka Savola wrote: > >In any case, I'd like to see demonstrated failures. > > > >SSH over IPv6 + X-forwarding works just fine for me... > > The two we've had reported (and which I can reproduce here) are: > > http://bugs.debian.org/152545 > http://bugs.debian.org/153154 Clarification: do these happen also if you run plain sshd, not 'sshd -6'? The latter has some problems.. > In brief, $DISPLAY is set to 'localhost:10.0' but ssh binds to ::1:6010; > ::1 is ip6-localhost here, not localhost. Even if I did have an X11 over > IPv6 implementation, the incorrect $DISPLAY would prevent it being used. > > Perhaps it could be configurable whether X11 forwarding uses IPv6. > > $ uname -a > Linux eurydice 2.4.20-pre10 #1 Fri Oct 11 19:25:05 BST 2002 i686 AMD Duron(tm) Processor AuthenticAMD GNU/Linux > $ ssh -6 -X ::1 > colinw@::1's password: Does this problem also occur if you don't use '-6'? Probably not. > $ ping6 localhost > unknown host > $ ping6 ip6-localhost > PING ip6-localhost(ip6-localhost) 56 data bytes > 64 bytes from ip6-localhost: icmp_seq=1 ttl=64 time=0.056 ms > > [...] > > $ netstat -an | grep 6010 > tcp 0 0 ::1:6010 :::* LISTEN > $ xterm > xterm Xt error: Can't open display: localhost:10.0 > $ DISPLAY=ip6-localhost:10.0 xterm > _X11TransSocketINETConnect: Can't get address for ip6-localhost > xterm Xt error: Can't open display: ip6-localhost:10.0 I can't reproduce your problem on RHL73: --8<-- [psavola at haukka psavola]$ ssh sampo.ipv6 Last login: Mon Oct 28 14:06:22 2002 from haukka.ipv6.csc.fi msgs: Command not found. 
Terminal type is xterm sampo2 ~> echo $DISPLAY localhost:13.0 sampo2 ~> grep ::1 /etc/hosts ::1 ip6-localhost.localdomain ip6-localhost sampo2 ~> xterm sampo2 ~> --8<-- Note: by default, there is no entry for ::1 in hosts, I added one to try to test the problem. In conclusion, I believe there are some variables (possibly ones mentioned above) which make this problematic for some but not others. -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From mouring at etoh.eviladmin.org Tue Oct 29 00:57:03 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 28 Oct 2002 07:57:03 -0600 (CST) Subject: [PATCH #6] AIX password expiration In-Reply-To: <20021028095353.GB32215@folly> Message-ID: I was debating the same thing. Forking off a connection to /usr/bin/passwd and writing a C script to automate changing password. I just think it will be a pain. - Ben On Mon, 28 Oct 2002, Markus Friedl wrote: > i don't think there is a portable way for setting > passwords, so making sure /usr/bin/passwd is executed > (no shells involved) and disallowing all other > channels is the only portable thing we could do. > > -m > From mdegrati at fceia.unr.edu.ar Tue Oct 29 01:27:36 2002 
From: mdegrati at fceia.unr.edu.ar (Martin P. Degrati) Date: Mon, 28 Oct 2002 11:27:36 -0300 Subject: Port to SCO Openserver with PAM enabled Message-ID: <003b01c27e8e$29d9ca70$4702a8c0@pm.rosario.gov.ar> Hi all, I'm writing to you because I have compiled PAM in SCO (now Caldera) Openserver 5.0.x, and when I tried to use SSH with PAM enabled, I realized that OpenSSH depends on the user existing in the /etc/passwd and /etc/shadow databases, or equivalent ones (it uses getpw...() functions to determine validity of the user). In Linux, the simple solution is to use nsswitch, but it seems too hard (and not strictly necessary) to make a port of it for Openserver too. I'm administering security in a network with more than 20 servers, and I'm trying to implement LDAP as a directory service (I do not want to use NIS) to simplify my task. That's why I reached this point. It doesn't matter to me if I have to use UIDs instead of usernames to identify users, so that's why I think it is not necessary to make a port of nsswitch. I would like to know your opinions about this situation, and whether you consider it strictly necessary to have nsswitch capabilities to make it work correctly. I was first tempted to adapt the SSH code to handle my situation, but I don't want to be tied to a particular SSH version, so I prefer to consult your opinion first. I hope for your answer. Thanks in advance, Martin.- -------------------------------------------------------- Lic. Martin P. Degrati Universidad Nacional de Rosario Rosario, Santa Fe, Argentina mdegrati at fceia.unr.edu.ar -------------------------------------------------------- From markus at openbsd.org Tue Oct 29 01:49:29 2002
From: markus at openbsd.org (Markus Friedl) Date: Mon, 28 Oct 2002 15:49:29 +0100 Subject: [PATCH #6] AIX password expiration In-Reply-To: <3DBD0F90.76CF0D14@zip.com.au> References: <3DBA4561.776600AF@zip.com.au> <3DBB951F.89DACCC9@zip.com.au> <3DBBD65A.1AD9F636@zip.com.au> <20021028095353.GB32215@folly> <3DBD0F90.76CF0D14@zip.com.au> Message-ID: <20021028144929.GA3602@folly> On Mon, Oct 28, 2002 at 09:21:04PM +1100, Darren Tucker wrote: > Markus Friedl wrote: > > i don't think there is a portable way for setting > > passwords > > So I've been discovering... > > > so making sure /usr/bin/passwd is executed > > (no shells involved) and disallowing all other > > channels is the only portable thing we could do. > > Protocol 2 requires the password to be changed before the session is > established, and using /usr/bin/passwd would need a tty. ok, so expired passwords will fail if a tty is not allocated. > Are you talking about implementing a subset of "expect" or changing the > password in the session for protocol 2 too? i think for protocol 2 i'd rather violate the specs and allow login with /usr/bin/passwd (and other restrictions) than to add the source for every system's /usr/bin/passwd into sshd. especially given the size of your patch. -m From mouring at etoh.eviladmin.org Tue Oct 29 02:00:05 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 28 Oct 2002 09:00:05 -0600 (CST) Subject: [PATCH #6] AIX password expiration In-Reply-To: <20021028144929.GA3602@folly> Message-ID: On Mon, 28 Oct 2002, Markus Friedl wrote: [..] > > Are you talking about implementing a subset of "expect" or changing the > > password in the session for protocol 2 too? > > i think for protocol 2 i'd rather violate the specs and allow login > with /usr/bin/passwd (and other restrictions) than to add the source > for every system's /usr/bin/passwd into sshd. > > especially given the size of your patch. > Remember we still will have to check for expiring on every platform on earth. So the portable version of the patch will be large at the onset. Not sure about violating the specs. The only valid reason for supporting the specs in this case is to lessen the chance of timing attacks which people are now so keen on exploring with the SSH v2 protocol. Not sure if that outweighs implementation details or not, but I'd like to see if there is a way to support the specs before we go off on our own. - Ben From behnam at riverstonenet.com Tue Oct 29 05:43:52 2002 From: behnam at riverstonenet.com (Behnam Behzadi) Date: Mon, 28 Oct 2002 10:43:52 -0800 Subject: Different ciphers, MAC, compression for inbound and outbound . Message-ID: <80CC8579BE94854FB8AA48856AA8B33608B7B3@rs-sc-exc4.rs.riverstonenet.com> > -----Original Message-----
> From: Damien Miller [mailto:djm at mindrot.org] > Sent: Friday, October 25, 2002 9:27 PM > To: Behnam Behzadi > Cc: openssh-unix-dev at mindrot.org; secureshell at securityfocus.com > Subject: Re: Different ciphers, MAC, compression for inbound and > outbound . > > > On Sat, 2002-10-26 at 10:45, Behnam Behzadi wrote: > > Hi, > > > > According to IETF draft draft-ietf-secsh-transport-14.txt, different > > ciphers(encryption), MAC and compression can be used for > one direction say > > server-to-client and a completely different cipher, MAC and > compression for > > the other direction client-to-server of the same connection. > > > > Is this supported today in OpenSSH, and if not, are there > plans to support > > it in any future releases of the code? If so, in which > release is it > > planned? > > This is supported at the protocol level, but there is no way to > configure sshd to force different client->server and server->client > ciphers. > > Why do you want to do this? > > -d Hi Damien, This question is not coming from actual users. This was raised from the Marketing to Engineering to research the possibilities if some future customer makes it a requirement. Thanks for your response. ------ Behnam Behzadi 408-878-6551 http://www.riverstonenet.com From gert at greenie.muc.de Tue Oct 29 06:54:18 2002 
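What "supported at the protocol level" means in Damien's answer is visible in the KEXINIT packet: encryption, MAC and compression each appear twice, client-to-server and then server-to-client, and the draft's rule (the first algorithm on the client's list that the server also offers) is applied to each direction on its own. The following is an added example, not OpenSSH's code and not from the thread: it builds and parses a KEXINIT payload and runs that rule over constructed name-lists. It shows that the two directions end on different ciphers when the lists differ, and why an implementation whose Ciphers/MACs knobs fill both lists with the same names never does. The all-zero cookie is used only so the result is reproducible; the name-lists and the `same_both_ways` helper are constructed for illustration.

```python
"""SSH2 KEXINIT: per-direction algorithm negotiation.  Added example, not
OpenSSH code; the name-lists used below are constructed for illustration."""
import os
import struct
from typing import Dict, List, Optional

SSH_MSG_KEXINIT = 20
# Name-list order after the 16-byte cookie (draft-ietf-secsh-transport).
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
# The fields that are negotiated independently for each direction.
DIRECTIONAL = ["enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
               "comp_c2s", "comp_s2c"]
ZERO_COOKIE = b"\x00" * 16   # fixed cookie for reproducible output only


def _namelist(names: List[str]) -> bytes:
    """SSH 'name-list' wire form: uint32 length + comma-separated US-ASCII."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists: Dict[str, List[str]],
                  cookie: Optional[bytes] = None) -> bytes:
    """Serialise a KEXINIT payload; fields not given become empty name-lists."""
    cookie = os.urandom(16) if cookie is None else cookie
    if len(cookie) != 16:
        raise ValueError("cookie must be 16 bytes")
    body = b"".join(_namelist(lists.get(f, [])) for f in FIELDS)
    # trailer: boolean first_kex_packet_follows, uint32 reserved (0)
    return bytes([SSH_MSG_KEXINIT]) + cookie + body + b"\x00" + b"\x00\x00\x00\x00"


def parse_kexinit(payload: bytes) -> Dict[str, List[str]]:
    """Inverse of build_kexinit, with a bounds check on every length field."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 1 + 16
    out: Dict[str, List[str]] = {}
    for field in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated at %s length" % field)
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + n]
        if len(raw) != n:
            raise ValueError("truncated inside %s" % field)
        off += n
        out[field] = raw.decode("ascii").split(",") if raw else []
    if off + 5 > len(payload):
        raise ValueError("truncated trailer")
    return out


def choose(client: List[str], server: List[str]) -> str:
    """Draft rule: first name on the client's list that the server also lists."""
    for name in client:
        if name in server:
            return name
    raise ValueError("no common algorithm: %r vs %r" % (client, server))


def negotiate(client_payload: bytes, server_payload: bytes) -> Dict[str, str]:
    """Apply the rule to each directional field of two KEXINIT payloads."""
    c, s = parse_kexinit(client_payload), parse_kexinit(server_payload)
    return {f: choose(c[f], s[f]) for f in DIRECTIONAL}


def same_both_ways(ciphers: List[str]) -> Dict[str, List[str]]:
    """Constructed offer as a single Ciphers/MACs knob produces it: the
    c2s and s2c lists are identical."""
    return {"enc_c2s": ciphers, "enc_s2c": ciphers,
            "mac_c2s": ["hmac-sha1"], "mac_s2c": ["hmac-sha1"],
            "comp_c2s": ["none"], "comp_s2c": ["none"]}


if __name__ == "__main__":
    # Constructed client that prefers AES-128 for what it sends and AES-256
    # for what it receives; the server lists both, so the directions differ.
    client = build_kexinit({"enc_c2s": ["aes128-cbc", "3des-cbc"],
                            "enc_s2c": ["aes256-cbc", "3des-cbc"],
                            "mac_c2s": ["hmac-sha1"],
                            "mac_s2c": ["hmac-md5", "hmac-sha1"],
                            "comp_c2s": ["none"],
                            "comp_s2c": ["zlib", "none"]}, ZERO_COOKIE)
    server = build_kexinit(
        same_both_ways(["3des-cbc", "aes128-cbc", "aes256-cbc"]), ZERO_COOKIE)
    print(negotiate(client, server))
```

Running it prints `aes128-cbc` for `enc_c2s` and `aes256-cbc` for `enc_s2c` from the same server offer; swap the client for one built with `same_both_ways` and both directions collapse to a single cipher, which is the situation Damien describes for sshd.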
From: gert at greenie.muc.de (Gert Doering) Date: Mon, 28 Oct 2002 20:54:18 +0100 Subject: [Bug 164] X-forwarding when connecting to an IPv6-enabled host doesn't work. In-Reply-To: ; from pekkas@netcore.fi on Mon, Oct 28, 2002 at 12:03:26PM +0200 References: <20021028095337.4F9213D15B@shitei.mindrot.org> Message-ID: <20021028205418.Y26069@greenie.muc.de> Hi, On Mon, Oct 28, 2002 at 12:03:26PM +0200, Pekka Savola wrote: > In any case, I'd like to see demonstrated failures. > > SSH over IPv6 + X-forwarding works just fine for me... But in that case, it's still likely that X11 would actually speak IPv4 on both ends - v4 over v6 and vice versa, and even "client via v6 into ssh, sshd via v4 to server" works fine, as the forwarded L3/L4 protocols are completely decoupled from the ssh session. gert -- Gert Doering Mobile communications ... right now writing from * Sardinia, Italy * From pekkas at netcore.fi Tue Oct 29 07:29:18 2002 
From: pekkas at netcore.fi (Pekka Savola) Date: Mon, 28 Oct 2002 22:29:18 +0200 (EET) Subject: [Bug 164] X-forwarding when connecting to an IPv6-enabled host doesn't work. In-Reply-To: <20021028205418.Y26069@greenie.muc.de> Message-ID: On Mon, 28 Oct 2002, Gert Doering wrote: > On Mon, Oct 28, 2002 at 12:03:26PM +0200, Pekka Savola wrote: > > In any case, I'd like to see demonstrated failures. > > > > SSH over IPv6 + X-forwarding works just fine for me... > > But in that case, it's still likely that X11 would actually speak IPv4 > on both ends - v4 over v6 and vice versa, and even "client via v6 > into ssh, sshd via v4 to server" works fine, as the forwarded L3/L4 > protocols are completely decoupled from the ssh session. Indeed. The problem is likely caused by ssh/sshd forced with -6: this forces X11 forwarding to use IPv6 for X or fail. Without -6, X uses either IPv4 or IPv6 just fine. This was just my quick guess, possibly wrong though... -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From Maria.Wiese at McKesson.com Tue Oct 29 07:39:54 2002 
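The failure Colin quotes earlier in this thread (sshd listening on ::1:6010 while the session gets DISPLAY=localhost:10.0, and "localhost" resolving only to 127.0.0.1) is a name-resolution mismatch that can be checked before blaming the X libraries. The following is an added example, not OpenSSH code and not from the thread: it turns a DISPLAY string into the host and TCP port an X client would dial, resolves the host, and compares the result with the forwarded listeners netstat showed. The hosts table is constructed to mirror Colin's /etc/hosts, and the resolver is injectable so the check runs offline. A matching address is necessary, not sufficient: as Colin notes, the X client library must also be able to open an IPv6 socket.

```python
"""Check whether the DISPLAY sshd hands out can reach the X11 listener it
bound.  Added example for the bug 164 thread, not OpenSSH code."""
import socket
from typing import Callable, Dict, Iterable, List, Tuple

Addr = Tuple[str, int]                 # (ip address, tcp port) as netstat shows it
Resolver = Callable[[str], List[str]]  # hostname -> addresses

# Constructed stand-in for Colin's /etc/hosts: "localhost" is IPv4 only and
# the ::1 entry is called ip6-localhost.
EXAMPLE_HOSTS: Dict[str, List[str]] = {
    "localhost": ["127.0.0.1"],
    "ip6-localhost": ["::1"],
}


def parse_display(display: str) -> Tuple[str, int]:
    """Map 'host:N.S' to (host, 6000 + N), the TCP port X uses for display N.

    rpartition keeps IPv6 literals such as '::1:10.0' intact.
    """
    host, sep, rest = display.rpartition(":")
    if not sep or not rest:
        raise ValueError("malformed DISPLAY: %r" % display)
    number = rest.split(".", 1)[0]
    if not number.isdigit():
        raise ValueError("malformed DISPLAY: %r" % display)
    return host, 6000 + int(number)


def table_resolver(hosts: Dict[str, List[str]]) -> Resolver:
    """Resolver backed by a fixed name->addresses table (works offline)."""
    return lambda name: list(hosts.get(name, []))


def system_resolver(name: str) -> List[str]:
    """Resolver backed by getaddrinfo(), both address families."""
    try:
        infos = socket.getaddrinfo(name, None, 0, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def reachable_listeners(display: str, listeners: Iterable[Addr],
                        resolve: Resolver) -> List[Addr]:
    """Listeners an X client honouring DISPLAY could actually connect to:
    same port as the display and an address the DISPLAY host resolves to."""
    host, port = parse_display(display)
    addrs = set(resolve(host))
    return [(ip, p) for ip, p in listeners if p == port and ip in addrs]


def diagnose(display: str, listeners: Iterable[Addr],
             resolve: Resolver = system_resolver) -> str:
    """One-line verdict for a DISPLAY value and the sshd listener set."""
    listeners = list(listeners)
    host, port = parse_display(display)
    hits = reachable_listeners(display, listeners, resolve)
    if hits:
        return "ok: %s -> %s" % (display, ", ".join("%s:%d" % h for h in hits))
    return "mismatch: %s resolves to %s, sshd listens on %s" % (
        host, resolve(host) or "nothing",
        ", ".join("%s:%d" % l for l in listeners) or "nothing")


if __name__ == "__main__":
    # The exact pair from Colin's report, then the DISPLAY that would match it.
    netstat = [("::1", 6010)]
    for d in ("localhost:10.0", "ip6-localhost:10.0"):
        print(diagnose(d, netstat, table_resolver(EXAMPLE_HOSTS)))
```

With the default `system_resolver` the same check can be run on the affected host against the output of `netstat -an | grep 60`; Pekka's working case (DISPLAY localhost:13.0 with a listener on 127.0.0.1 as well as ::1) comes out as "ok" because one of the listeners carries the address localhost resolves to.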
From: Maria.Wiese at McKesson.com (Wiese, Maria) Date: Mon, 28 Oct 2002 12:39:54 -0800 Subject: Retract sftp/scp connections. Message-ID: <23ED36D4661BD51199E000D0B782508D02F8093D@ddce0051.mckesson.com> I need some help: I currently have userids set up under the existing false-rooted ftp account setups without shells. I would like to convert them to use OpenSSH sftp. Can I give them restricted shells so they can't cd to other users' directories and only allow them to sftp, and how do I accomplish this? Also, can I use the "force" option on the authorized_keys2 file user's key to restrict them to only sftp to a specific userid's directory? Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. From grimes at cs.washington.edu Tue Oct 29 17:10:49 2002 From: grimes at cs.washington.edu (David Grimes) Date: Mon, 28 Oct 2002 22:10:49 -0800 Subject: Selective blocking of password authentication Message-ID: <200210290610.g9T6Ao2p031046@fiat.cs.washington.edu> I'm running OpenSSH 3.4 and have the situation that some users want to allow password authentication into their accounts and some explicitly want to disallow password authentication. Is this possible? I wasn't able to come up with a way looking through ssh_config and sshd_config, as well as some FAQs. It seems the problem is that there is no scoping of directives in sshd_config, thus PasswordAuthentication is global for all users. Alternatively it seems like sshd should be able to check some file ~/.ssh/sshd_config for such an option. Any help would be greatly appreciated. Thanks, -David Grimes From fcusack at fcusack.com Tue Oct 29 19:47:46 2002
From: fcusack at fcusack.com (Frank Cusack) Date: Tue, 29 Oct 2002 00:47:46 -0800 Subject: Selective blocking of password authentication In-Reply-To: <200210290610.g9T6Ao2p031046@fiat.cs.washington.edu>; from grimes@cs.washington.edu on Mon, Oct 28, 2002 at 10:10:49PM -0800 References: <200210290610.g9T6Ao2p031046@fiat.cs.washington.edu> Message-ID: <20021029004746.A32659@google.com> On Mon, Oct 28, 2002 at 10:10:49PM -0800, David Grimes wrote: > I'm running OpenSSH 3.4 and have the situation that some users want to > allow password authentication into their accounts and some explicitly > want to disallow password authentication. Is this possible? I wasn't > able to come up with a way looking through ssh_config and sshd_config, > as well as some FAQs. > > It seems the problem is that there is no scoping of directives in sshd_config, > thus PasswordAuthentication is global for all users. Alternatively it seems > like sshd should be able to check some file ~/.ssh/sshd_config for such an > option. If you're using PAM, and you are willing to do some admin for each user (rather than self-admin), you can use a PAM module which reads a file containing a list of users that cannot login. The overhead is you have to add users to that list, although you could script this easily (for user in /home/*; do cd $user; if -f .ssh_nopwlogin; then addtolist; fi; done). I think Linux-PAM ships with pam_listfile.so to do this. Users doing pubkey auth will still be able to login. If you're not willing to do the admin piece, then you can just lock those users accounts, this typically prefaces their crypted passwd entry with '!' thereby disabling password auth. However, this will break as PAM modules are fixed to check this in the account module. (Since the pubkey path correctly still does a PAM 'account' check.) I think Solaris 9 has this fixed, for one. The first solution is the better of the two, IMHO. Other solutions (non-PAM) will depend on your OS. 
/fc From grimes at cs.washington.edu Tue Oct 29 21:00:21 2002 
From: grimes at cs.washington.edu (David Grimes) Date: Tue, 29 Oct 2002 02:00:21 -0800 Subject: Selective blocking of password authentication In-Reply-To: Your message of "Tue, 29 Oct 2002 00:47:46 PST." <20021029004746.A32659@google.com> Message-ID: <200210291000.g9TA0L7H031380@fiat.cs.washington.edu> >On Mon, Oct 28, 2002 at 10:10:49PM -0800, David Grimes wrote: >> I'm running OpenSSH 3.4 and have the situation that some users want to >> allow password authentication into their accounts and some explicitly >> want to disallow password authentication. Is this possible? I wasn't >> able to come up with a way looking through ssh_config and sshd_config, >> as well as some FAQs. >> >> It seems the problem is that there is no scoping of directives in sshd_config, >> thus PasswordAuthentication is global for all users. Alternatively it seems >> like sshd should be able to check some file ~/.ssh/sshd_config for such an >> option. > >If you're using PAM, and you are willing to do some admin for each user >(rather than self-admin), you can use a PAM module which reads a file >containing a list of users that cannot login. The overhead is you >have to add users to that list, although you could script this easily >(for user in /home/*; do cd $user; if -f .ssh_nopwlogin; then addtolist; > fi; done). I think Linux-PAM ships with pam_listfile.so to do this. > >Users doing pubkey auth will still be able to login. > >If you're not willing to do the admin piece, then you can just lock >those users accounts, this typically prefaces their crypted passwd >entry with '!' thereby disabling password auth. However, this will >break as PAM modules are fixed to check this in the account module. >(Since the pubkey path correctly still does a PAM 'account' check.) > >I think Solaris 9 has this fixed, for one. > >The first solution is the better of the two, IMHO. Other solutions >(non-PAM) will depend on your OS. > >/fc Thanks, that sounds like it might be do-able with PAM. 
The only problem is that some users would like to be able to physically log into the machines as well. I'm not sure if PAM would be able to differentiate between login and sshd. I'll look into this though... Sorry I really should have mentioned that I'm also running Debian Linux (sid-2.4.19). -David From markus at openbsd.org Tue Oct 29 21:24:56 2002 From: markus at openbsd.org (Markus Friedl) Date: Tue, 29 Oct 2002 11:24:56 +0100 Subject: Different ciphers, MAC, compression for inbound and outbound . In-Reply-To: <80CC8579BE94854FB8AA48856AA8B33608B7B3@rs-sc-exc4.rs.riverstonenet.com> References: <80CC8579BE94854FB8AA48856AA8B33608B7B3@rs-sc-exc4.rs.riverstonenet.com> Message-ID: <20021029102456.GA29252@folly> On Mon, Oct 28, 2002 at 10:43:52AM -0800, Behnam Behzadi wrote: > This question is not coming from actual users. This was raised from the Marketing to Engineering to research the possibilities if some future customer makes it a requirement. it's possible, it's simple to implement, but i don't see a reason for this. it might be very confusing for users. From markus at openbsd.org Tue Oct 29 22:21:21 2002 
From: markus at openbsd.org (Markus Friedl) Date: Tue, 29 Oct 2002 12:21:21 +0100 Subject: Selective blocking of password authentication In-Reply-To: <200210290610.g9T6Ao2p031046@fiat.cs.washington.edu> References: <200210290610.g9T6Ao2p031046@fiat.cs.washington.edu> Message-ID: <20021029112121.GA6332@folly> On Mon, Oct 28, 2002 at 10:10:49PM -0800, David Grimes wrote: > I'm running OpenSSH 3.4 and have the situation that some users want to > allow password authentication into their accounts and some explicitly > want to disallow password authentication. Is this possible? I wasn't > able to come up with a way looking through ssh_config and sshd_config, > as well as some FAQs. > > It seems the problem is that there is no scoping of directives in sshd_config, > thus PasswordAuthentication is global for all users. Alternatively it seems > like sshd should be able to check some file ~/.ssh/sshd_config for such an > option. > > Any help would be greatly appreciated. this depends on your operating system support for these kinds of things and should be possible with BSD_AUTH on OpenBSD or BSD/OS, but i you are not using BSD_AUTH. perhaps PAM can do the same. From Jason.Lacoss-Arnold at AGEDWARDS.com Wed Oct 30 00:01:41 2002 From: Jason.Lacoss-Arnold at AGEDWARDS.com (Lacoss-Arnold, Jason) Date: Tue, 29 Oct 2002 07:01:41 -0600 Subject: Different ciphers, MAC, compression for inbound and outbound . Message-ID: <6808DCE827EBD5119DFB0002A58EF4DA03240ADA@hqempn06.agedwards.com> I could see an organization choosing to only encrypt client to server communications if the only sensitive data they were concerned about is passwords. This would lower resource utilization, esp. if the clients usually consume data instead of send it. -----Original Message-----
From: Markus Friedl [mailto:markus at openbsd.org] Sent: Tuesday, October 29, 2002 4:25 AM To: Behnam Behzadi Cc: Damien Miller; openssh-unix-dev at mindrot.org; secureshell at securityfocus.com Subject: Re: Different ciphers, MAC, compression for inbound and outbound . On Mon, Oct 28, 2002 at 10:43:52AM -0800, Behnam Behzadi wrote: > This question is not coming from actual users. This was raised from the Marketing to Engineering to research the possibilities if some future customer makes it a requirement. it's possible, it's simple to implement, but i don't see a reason for this. it might be very confusing for users. _______________________________________________ openssh-unix-dev at mindrot.org mailing list http://www.mindrot.org/mailman/listinfo/openssh-unix-dev *********************************************************************************** WARNING: All e-mail sent to and from this address will be received or otherwise recorded by the A.G. Edwards corporate e-mail system and is subject to archival, monitoring or review by, and/or disclosure to, someone other than the recipient. ************************************************************************************ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20021029/41446498/attachment.html From behnam at riverstonenet.com Wed Oct 30 04:57:19 2002 
From: behnam at riverstonenet.com (Behnam Behzadi) Date: Tue, 29 Oct 2002 09:57:19 -0800 Subject: Different ciphers, MAC, compression for inbound and outbound . Message-ID: <80CC8579BE94854FB8AA48856AA8B33608B7B8@rs-sc-exc4.rs.riverstonenet.com> Hi Jason, This is the only valid argument I have heard on this issue. But then again one would assume that the server side data protected by that very password would be considered just as protection-worthy. Otherwise, why would they ask for password to begin with. Thanks for your reply. ------ Behnam Behzadi 408-878-6551 http://www.riverstonenet.com -----Original Message----- From: Lacoss-Arnold, Jason [mailto:Jason.Lacoss-Arnold at agedwards.com] Sent: Tuesday, October 29, 2002 5:02 AM To: Behnam Behzadi Cc: openssh-unix-dev at mindrot.org; secureshell at securityfocus.com Subject: RE: Different ciphers, MAC, compression for inbound and outbound . I could see an organization choosing to only encrypt client to server communications if they only sensitive data they were concerned about is passwords. This would lower resource utilization, esp. if the clients usually consume data instead of send it. -----Original Message----- 
From: Markus Friedl [ mailto:markus at openbsd.org] Sent: Tuesday, October 29, 2002 4:25 AM To: Behnam Behzadi Cc: Damien Miller; openssh-unix-dev at mindrot.org; secureshell at securityfocus.com Subject: Re: Different ciphers, MAC, compression for inbound and outbound . On Mon, Oct 28, 2002 at 10:43:52AM -0800, Behnam Behzadi wrote: > This question is not coming from actual users. This was raised from the Marketing to Engineering to research the possibilities if some future customer makes it a requirement. it's possible, it's simple to implement, but i don't see a reason for this. it might be very confusing for users. From fcusack at fcusack.com Wed Oct 30 10:18:36 2002
From: fcusack at fcusack.com (Frank Cusack) Date: Tue, 29 Oct 2002 15:18:36 -0800 Subject: Selective blocking of password authentication In-Reply-To: <200210291000.g9TA0L7H031380@fiat.cs.washington.edu>; from grimes@cs.washington.edu on Tue, Oct 29, 2002 at 02:00:21AM -0800 References: <20021029004746.A32659@google.com> <200210291000.g9TA0L7H031380@fiat.cs.washington.edu> Message-ID: <20021029151836.A2558@google.com> On Tue, Oct 29, 2002 at 02:00:21AM -0800, David Grimes wrote: > Thanks, that sounds like it might be do-able with PAM. The only problem > is that some users would like to be able to physically log into the machines > as well. I'm not sure if PAM would be able to differentiate between login > and sshd. I'll look into this though... That's absolutely doable with PAM, that's one of the things it's good at/for. > Sorry I really should have mentioned that I'm also running > Debian Linux (sid-2.4.19). Then you should already have the pam_listfile.so module (or whatever it's called) and not have to go through the hassle of finding/building it. /fc From andrew-ssh at andrew.net.au Wed Oct 30 12:07:01 2002 
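Frank's two replies above describe the PAM route: a marker file per home directory, an admin script that turns the markers into a list, pam_listfile reading that list from sshd's own PAM service (so console login keeps its own policy), and public-key logins unaffected because they never run the "auth" stack. The following is an added example, not code from the thread or from OpenSSH: a Python version of the collection script together with the pam_listfile line it feeds. The marker name .ssh_nopwlogin is taken from Frank's sketch; the deny-file path, the placement in /etc/pam.d/ssh (Debian's service name for sshd) and treating the home directory's basename as the username are assumptions made for the example. The ownership and regular-file checks are there so that one user cannot opt another out by dropping a marker into a writable home, and the atomic replace keeps pam_listfile from ever reading a half-written list.

```python
"""Build a pam_listfile deny list from per-user marker files.  Added
example, not from the thread or from OpenSSH; paths are assumptions."""
import os
import stat
import tempfile
from typing import Iterable, List

MARKER = ".ssh_nopwlogin"                    # marker name from Frank's sketch
DENY_FILE = "/etc/ssh/deny_password_users"   # assumed location of the list

# Assumed placement: the first 'auth' line of /etc/pam.d/ssh, ahead of the
# pam_unix / @include common-auth line.  item=user sense=deny rejects the
# listed users at the password 'auth' step; onerr=fail makes a missing or
# unreadable list refuse password auth instead of quietly allowing it.
# Console 'login' has its own service file and is untouched, and public-key
# logins never enter the auth stack, so they keep working for listed users.
PAM_LINE = ("auth\trequired\tpam_listfile.so item=user sense=deny "
            "file=%s onerr=fail" % DENY_FILE)


def collect_optouts(home_root: str, marker: str = MARKER) -> List[str]:
    """Usernames (assumed to equal the home directory basename) that opted out.

    A marker counts only if it is a regular file, not a symlink or directory,
    and is owned by the same uid as the home directory itself.
    """
    users: List[str] = []
    for name in sorted(os.listdir(home_root)):
        home = os.path.join(home_root, name)
        try:
            home_st = os.lstat(home)
            mark_st = os.lstat(os.path.join(home, marker))
        except OSError:            # no marker, or home not readable
            continue
        if not stat.S_ISDIR(home_st.st_mode):
            continue
        if not stat.S_ISREG(mark_st.st_mode):
            continue
        if mark_st.st_uid != home_st.st_uid:
            continue
        users.append(name)
    return users


def write_deny_list(users: Iterable[str], path: str = DENY_FILE) -> str:
    """Write one username per line, world-readable, and rename into place
    so pam_listfile sees either the old list or the complete new one."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        for user in sorted(set(users)):
            fh.write(user + "\n")
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)
    return path


def read_deny_list(path: str = DENY_FILE) -> List[str]:
    """Read the list back the way pam_listfile does: one name per line."""
    with open(path) as fh:
        return [line.strip() for line in fh if line.strip()]


def make_example_homes() -> str:
    """Constructed sample data: a throwaway home tree with three users.
    alice opted out, bob did not, and carol has a *directory* named like
    the marker, which must not count."""
    root = tempfile.mkdtemp(prefix="homes-")
    os.makedirs(os.path.join(root, "alice"))
    open(os.path.join(root, "alice", MARKER), "w").close()
    os.makedirs(os.path.join(root, "bob"))
    os.makedirs(os.path.join(root, "carol", MARKER))
    return root


if __name__ == "__main__":
    print(PAM_LINE)
    root = make_example_homes()
    print(collect_optouts(root))     # ['alice']
    write_deny_list(collect_optouts("/home"))
```

Run from cron as root; users who want password logins back simply remove the marker and wait for the next run. Because pam_listfile is consulted only in the "auth" phase, the deny list does not interfere with the "account" checks Frank mentions for the public-key path.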
From: andrew-ssh at andrew.net.au (Andrew Pollock) Date: Wed, 30 Oct 2002 11:07:01 +1000 Subject: scp removing the file after successful copy? Message-ID: <20021030010701.GC8149@daedalus.andrew.net.au> G'day, Sorry for the intrusion, just wondering if there are any plans to add a -u type option to scp like the commercial SSH's scp has, which removes the file after a successful copy? (particularly when copying a remote file to local) I was involved recently with a replacement of the commercial SSH with OpenSSH, and the lack of a -u option to scp caused some pain. I did a quick search of this list's archives, and I can see some comments relating to this sort of functionality in the past, including some patches, but it never seems to have made it into the mainstream release. Can I make this a feature request? regards Andrew From djm at mindrot.org Wed Oct 30 13:16:07 2002
From: djm at mindrot.org (Damien Miller) Date: Wed, 30 Oct 2002 13:16:07 +1100 Subject: scp removing the file after successful copy? In-Reply-To: <20021030010701.GC8149@daedalus.andrew.net.au> References: <20021030010701.GC8149@daedalus.andrew.net.au> Message-ID: <3DBF40E7.9060903@mindrot.org> Andrew Pollock wrote: > G'day, > > Sorry for the intrusion, just wondering if there are any plans to add a -u > type option to scp like the commercial SSH's scp has, which removes > the file after a successful copy? (particularly when copying a remote file > to local) [snip] > I did a quick search of this lists' archives, and I can see some comments > relating to this sort of functionality in the past, including some > patches, but it never seems to have made it into the mainstream release. scp is officially in maintenance mode, i.e. no new features. It is based on a 20+ year old protocol and codebase which we don't want to extend further. wrt your request, it may be possible to script this using scp exit status (though I saw some emails that this may be unreliable). sftp's exit status should be reliable for this sort of thing (if not file a bug), so "sftp blah remote: && rm -f blah" should work. -d From root at sunadmin1.us.americas.intranet Wed Oct 30 14:36:12 2002 From: root at sunadmin1.us.americas.intranet (Super-User) Date: Tue, 29 Oct 2002 21:36:12 -0600 (CST) Subject: CVS Tags Message-ID: <200210300336.g9U3aCa03549@sunadmin1.us.americas.intranet> I am trying to bring down the latest CVS of the V3.5 branch, could someone please tell me what branch to use, and please update the website as to what you use for branches in the ports tree. From root at msp21713.us.americas.intranet Wed Oct 30 14:30:08 2002 
From: root at msp21713.us.americas.intranet (Super-User) Date: Tue, 29 Oct 2002 22:30:08 -0500 (EST) Subject: CVS Tags Message-ID: <200210300330.g9U3U8k00348@msp21713.us.americas.intranet> I am trying to bring down the latest CVS of the V3.5 branch, could someone please tell me what branch to use, and please update the website as to what you use for branches in the ports tree. From andrew-ssh at andrew.net.au Wed Oct 30 14:53:53 2002 
From: andrew-ssh at andrew.net.au (Andrew Pollock) Date: Wed, 30 Oct 2002 13:53:53 +1000 Subject: scp removing the file after successful copy? In-Reply-To: <3DBF40E7.9060903@mindrot.org> References: <20021030010701.GC8149@daedalus.andrew.net.au> <3DBF40E7.9060903@mindrot.org> Message-ID: <20021030035353.GD8149@daedalus.andrew.net.au> On Wed, Oct 30, 2002 at 01:16:07PM +1100, Damien Miller wrote: > Andrew Pollock wrote: > >G'day, > > > >Sorry for the intrusion, just wondering if there are any plans to add a -u > >type option to scp like the commercial SSH's scp has, which removes > >the file after a successful copy? (particularly when copying a remote file > >to local) > [snip] > >I did a quick search of this list's archives, and I can see some comments > >relating to this sort of functionality in the past, including some > >patches, but it never seems to have made it into the mainstream release. > > scp is officially in maintenance mode, i.e. no new features. It is based > on a 20+ year old protocol and codebase which we don't want to extend > further. Bugger :-( > wrt your request, it may be possible to script this using scp exit > status (though I saw some emails that this may be unreliable). > > sftp's exit status should be reliable for this sort of thing (if not > file a bug), so "sftp blah remote: && rm -f blah" should work. That works for local to remote file transfers, however for remote to local transfers and unlinking the remote file, it's somewhat more difficult. Particularly in a restricted environment where you can't run arbitrary commands via SSH on the remote host. Or where /bin/rm isn't available but unlink() is. Basically, everything I've seen to work around this limitation has been decidedly kludgey. Might have to look at rsync instead. Andrew From mouring at etoh.eviladmin.org Wed Oct 30 15:16:47 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 29 Oct 2002 22:16:47 -0600 (CST) Subject: scp removing the file after successful copy? In-Reply-To: <20021030035353.GD8149@daedalus.andrew.net.au> Message-ID: On Wed, 30 Oct 2002, Andrew Pollock wrote: > On Wed, Oct 30, 2002 at 01:16:07PM +1100, Damien Miller wrote: [..] > > sftp's exit status should be reliable for this sort of thing (if not > > file a bug), so "sftp blah remote: && rm -f blah" should work. > > That works for local to remote file transfers, however for remote to local > transfers and unlinking the remote file, it's somewhat more difficult. > Particularly in a restricted environment where you can't run arbitrary > commands via SSH on the remote host. Or where /bin/rm isn't available but > unlink() is. > sftp has batch mode, where if any command being run fails to complete correctly the script is aborted. So you can put something like:

get file
rm file

in a file and do: sftp -b script site

If the get fails to succeed the script should automatically bail out so the rm is never run. > Basically, everything I've seen to work around this limitation has been > decidedly kludgey. > > Might have to look at rsync instead. > In general I think rsync is better. - Ben From dtucker at zip.com.au Wed Oct 30 23:34:39 2002
From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 30 Oct 2002 23:34:39 +1100 Subject: [PATCH] AIX password expiration (via passwd) References: Message-ID: <3DBFD1DF.9FAF0DE3@zip.com.au> Ben Lindstrom wrote: > Forking off a connection to /usr/bin/passwd and writing a C script to > automate changing password. I just think it will be a pain. I'm not sure how this should be done, but I didn't let that stop me :-). This patch is an experiment with allocating a pty, forking off /usr/bin/passwd and changing the password via it for protocol 2. It's stupidly simplistic. It currently works on AIX without privsep. It core dumps with privsep and I don't know why. Is it worth pursuing this or should I cut my losses and go back to spawning passwd in the session for protocol 2? Incidentally, the shadow password changing in patch #7 has been reported to work on UnixWare 2.1.3 as-is (in addition to Solaris and Redhat previously tested). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- diff -ru ../openssh-3.5p1.orig/auth-pam.c openssh-3.5p1-passexpire_pty/auth-pam.c --- ../openssh-3.5p1.orig/auth-pam.c Mon Jul 29 06:24:08 2002 +++ openssh-3.5p1-passexpire_pty/auth-pam.c Tue Oct 29 23:10:35 2002 @@ -60,7 +60,7 @@ /* states for do_pam_conversation() */ enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN; /* remember whether pam_acct_mgmt() returned PAM_NEW_AUTHTOK_REQD */ -static int password_change_required = 0; +extern int password_change_required; /* remember whether the last pam_authenticate() succeeded or not */ static int was_authenticated = 0; diff -ru ../openssh-3.5p1.orig/auth-passwd.c openssh-3.5p1-passexpire_pty/auth-passwd.c --- ../openssh-3.5p1.orig/auth-passwd.c Thu Sep 26 09:14:16 2002 +++ openssh-3.5p1-passexpire_pty/auth-passwd.c Wed Oct 30 10:06:03 2002
@@ -42,6 +42,10 @@ #include "log.h" #include "servconf.h" #include "auth.h" +#include "misc.h" +#include "xmalloc.h" +#include "monitor_wrap.h" +#include "sshpty.h" #if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) /* Don't need any of these headers for the PAM or SIA cases */ @@ -81,13 +85,15 @@ #endif /* !USE_PAM && !HAVE_OSF_SIA */ extern ServerOptions options; +extern int password_change_required; #ifdef WITH_AIXAUTHENTICATE extern char *aixloginmsg; #endif /* - * Tries to authenticate the user using password. Returns true if - * authentication succeeds. + * Tries to authenticate the user using password. Returns true (1) if + * authentication succeeds, (2) if authentication succeeds but password + * change required. */ int auth_password(Authctxt *authctxt, const char *password) @@ -149,14 +155,25 @@ #endif #ifdef WITH_AIXAUTHENTICATE authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); + aix_remove_embedded_newlines(authmsg); - if (authsuccess) + if (authsuccess) { + debug("authenticate() succeeded for user %s: %.100s", pw->pw_name, authmsg); /* We don't have a pty yet, so just label the line as "ssh" */ if (loginsuccess(authctxt->user, get_canonical_hostname(options.verify_reverse_mapping), "ssh", &aixloginmsg) < 0) aixloginmsg = NULL; + } else { + debug("authenticate() failed for user %s: %.100s", pw->pw_name, authmsg); + } + if (authmsg) + xfree(authmsg); + debug("auth_password: authsuccess = %d", authsuccess); + if (authsuccess && password_change_required) { + return 2; + } return(authsuccess); #endif #ifdef KRB4 
@@ -230,6 +247,136 @@ #endif /* HAVE_MD5_PASSWORDS */ /* Authentication is accepted if the encrypted passwords are identical. */ - return (strcmp(encrypted_password, pw_password) == 0); + if (strcmp(encrypted_password, pw_password) == 0) { + if (password_change_required) { + debug("auth_password: password expired"); + return 2; + } else { + debug("auth_password: not expired"); + return 1; + } + } + return 0; #endif /* !USE_PAM && !HAVE_OSF_SIA */ +} + +void +expect_fd(int fd, char expected) +{ + char c = '\0', buf[1024]; + int p = 0; + + debug("%s: entering, looking for '%c'", __func__, expected); + while (c != expected && p < 1024) { + read(fd, &c, 1); + buf[p++] = c; + } + buf[p] = '\0'; + debug("%s, received: %s", __func__, buf); +} + +void +send_fd(int fd, const char *string) +{ + char cr = '\r'; + + debug("%s: sending string.", __func__); + write(fd, string, strlen(string)); + write(fd, &cr, 1); +} + +/* password change for protocol 2 */ +int +auth_change_password(Authctxt *authctxt, const char *opass, const char *npass) +{ + pid_t pid; + int ptyfd, ttyfd, status; + char tty[64]; + mysig_t old_signal; + + if (pty_allocate(&ptyfd, &ttyfd, tty, 64)) + fatal("%s: couldn't allocate pty", __func__); + + if ((pid = fork()) == 0) { + pty_make_controlling_tty(&ttyfd, tty); + setuid(authctxt->pw->pw_uid); + close(ptyfd); + + if (dup2(ttyfd, 0) < 0) + error("dup2 stdin: %s", strerror(errno)); + if (dup2(ttyfd, 1) < 0) + error("dup2 stdout: %s", strerror(errno)); + if (dup2(ttyfd, 2) < 0) + error("dup2 stderr: %s", strerror(errno)); + + /* Close the extra descriptor for the pseudo tty. 
*/ + close(ttyfd); + signal(SIGPIPE, SIG_DFL); + + execl("/usr/bin/passwd","passwd", (char *)NULL); + /* execl shouldn't return */ + fatal("Couldn't exec /usr/bin/passwd"); + exit(1); + } + + expect_fd(ptyfd, ':'); + send_fd(ptyfd, opass); + expect_fd(ptyfd, ':'); + send_fd(ptyfd, npass); + expect_fd(ptyfd, ':'); + send_fd(ptyfd, npass); + expect_fd(ptyfd, '\n'); + + if (waitpid(pid, &status, 0) == -1) + fatal("Couldn't wait for child: %s", strerror(errno)); + debug("%s: passwd returned %d", __func__, status); + + close(ttyfd); + close(ptyfd); + pty_release(tty); + + mysignal(SIGCHLD, old_signal); + + if (WEXITSTATUS(status)) /* Passwd exited abnormally */ + return 0; + else + return 1; +} + + +/* + * generic password change routine. requires session established and tty + * alloced. Like do_pam_chauthtok(), it throws a fatal error if the password + * can't be changed. + */ + +void +do_tty_change_password(struct passwd *pw) +{ + pid_t pid; + int status; + mysig_t old_signal; + + old_signal = mysignal(SIGCHLD, SIG_DFL); + + if ((pid = fork()) == -1) + fatal("Couldn't fork: %s", strerror(errno)); + + if (pid == 0) { + setuid(pw->pw_uid); + execl("/usr/bin/passwd","passwd",pw->pw_name, + (char *)NULL); + /* execl shouldn't return */ + fatal("Couldn't exec /usr/bin/passwd"); + exit(1); + } + + if (waitpid(pid, &status, 0) == -1) + fatal("Couldn't wait for child: %s", strerror(errno)); + + if (WEXITSTATUS(status)) /* Passwd exited abnormally */ + fatal("Failed to change password for %s, passwd returned %d", + pw->pw_name, status); + + mysignal(SIGCHLD, old_signal); } diff -ru ../openssh-3.5p1.orig/auth.c openssh-3.5p1-passexpire_pty/auth.c --- ../openssh-3.5p1.orig/auth.c Sun Sep 22 01:26:53 2002 +++ openssh-3.5p1-passexpire_pty/auth.c Tue Oct 29 23:10:36 2002 
@@ -59,6 +59,10 @@ Buffer auth_debug; int auth_debug_init; +/* Password change flag */ +int password_change_required = 0; +char *password_expire_message = NULL; + /* * Check if the user is allowed to log in via ssh. If user is listed * in DenyUsers or one of user's groups is listed in DenyGroups, false @@ -75,9 +79,6 @@ const char *hostname = NULL, *ipaddr = NULL; char *shell; int i; -#ifdef WITH_AIXAUTHENTICATE - char *loginmsg; -#endif /* WITH_AIXAUTHENTICATE */ #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) struct spwd *spw; @@ -106,14 +107,18 @@ if (spw->sp_lstchg == 0) { log("User %.100s password has expired (root forced)", pw->pw_name); - return 0; + password_change_required = 1; + password_expire_message = + xstrdup("Your password has expired (root forced)"); } if (spw->sp_max != -1 && today > spw->sp_lstchg + spw->sp_max) { log("User %.100s password has expired (password aged)", pw->pw_name); - return 0; + password_change_required = 1; + password_expire_message = + xstrdup("Your password has expired"); } } #else 
@@ -202,19 +207,48 @@ } #ifdef WITH_AIXAUTHENTICATE - if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { - if (loginmsg && *loginmsg) { - /* Remove embedded newlines (if any) */ - char *p; - for (p = loginmsg; *p; p++) { - if (*p == '\n') - *p = ' '; + /* + * Don't check loginrestrictions or expiry for root account (use + * PermitRootLogin to control logins via ssh), or if running as + * non-root user (since loginrestrictions will always fail). + */ + if ( (pw->pw_uid != 0) && (geteuid() == 0) ) { + char *restrictmsg, *expiremsg; + int passexpcode; + + /* check for AIX account restrictions */ + if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &restrictmsg) != 0) { + if (restrictmsg && *restrictmsg) { + aix_remove_embedded_newlines(restrictmsg); + log("Login restricted for %s: %.100s", pw->pw_name, restrictmsg); + xfree(restrictmsg); } - /* Remove trailing newline */ - *--p = '\0'; - log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); + return 0; + } + + /* check for AIX expired account */ + passexpcode = passwdexpired(pw->pw_name, &password_expire_message); + debug("passwdexpired() returned %d", passexpcode); + + switch (passexpcode) { + case 0: /* success, password not expired */ + break; + case 1: /* expired, password change required */ + password_change_required = 1; + break; + default: /* expired too long (2) or other error (-1) */ + /* make local copy of message and remove newlines for logging */ + if (password_expire_message && *password_expire_message) { + expiremsg = xstrdup(password_expire_message); + aix_remove_embedded_newlines(expiremsg); + } + debug("passwdexpired() returned %d", passexpcode); + log("Password expired too long or system failure for user %s: %.100s", + pw->pw_name, expiremsg); + if (expiremsg) + xfree(expiremsg); + return 0; } - return 0; } #endif /* WITH_AIXAUTHENTICATE */ diff -ru ../openssh-3.5p1.orig/auth.h openssh-3.5p1-passexpire_pty/auth.h --- ../openssh-3.5p1.orig/auth.h Fri Sep 27 13:26:01 2002 
+++ openssh-3.5p1-passexpire_pty/auth.h Tue Oct 29 23:10:36 2002 @@ -101,6 +101,10 @@ int auth_rhosts_rsa(struct passwd *, char *, Key *); int auth_password(Authctxt *, const char *); +int auth_change_password(Authctxt *, const char *, const char *); +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) +int shadow_change_password(struct passwd *, const char *, const char *); +#endif int auth_rsa(struct passwd *, BIGNUM *); int auth_rsa_challenge_dialog(Key *); BIGNUM *auth_rsa_generate_challenge(Key *); diff -ru ../openssh-3.5p1.orig/auth2-passwd.c openssh-3.5p1-passexpire_pty/auth2-passwd.c --- ../openssh-3.5p1.orig/auth2-passwd.c Fri Jun 7 06:27:56 2002 +++ openssh-3.5p1-passexpire_pty/auth2-passwd.c Tue Oct 29 23:10:37 2002 
@@ -31,28 +31,50 @@ #include "auth.h" #include "monitor_wrap.h" #include "servconf.h" +#include "ssh2.h" /* import */ extern ServerOptions options; +extern int password_change_required; static int userauth_passwd(Authctxt *authctxt) { - char *password; + char *password, *npassword; int authenticated = 0; int change; - u_int len; - change = packet_get_char(); - if (change) - log("password change not supported"); + u_int len, nlen; + + change_requested = packet_get_char(); password = packet_get_string(&len); + if (change_requested) { + debug("%s: password change requested by client", __func__); + npassword = packet_get_string(&nlen); + } packet_check_eom(); + if (authctxt->valid && #ifdef HAVE_CYGWIN - check_nt_auth(1, authctxt->pw) && + check_nt_auth(1, authctxt->pw) #endif - PRIVSEP(auth_password(authctxt, password)) == 1) - authenticated = 1; + ) + authenticated = PRIVSEP(auth_password(authctxt, password)); + + /* now that the password has been checked, change password + * if requested by client and revalidate new password */ + if (change) { + if (PRIVSEP(auth_change_password(authctxt, password, + npassword))) { + debug("%s: password changed successfully", + __func__); + authenticated = 1; + } else { + debug("%s: password change failed", __func__); + } + memset(npassword, 0, nlen); + xfree(npassword); + } + } memset(password, 0, len); xfree(password); return authenticated; diff -ru ../openssh-3.5p1.orig/auth2.c openssh-3.5p1-passexpire_pty/auth2.c --- ../openssh-3.5p1.orig/auth2.c Thu Sep 26 10:38:49 2002 +++ openssh-3.5p1-passexpire_pty/auth2.c Tue Oct 29 23:10:37 2002 @@ -40,6 +40,7 @@ extern ServerOptions options; extern u_char *session_id2; extern int session_id2_len; +extern char *password_expire_message; Authctxt *x_authctxt = NULL; 
@@ -199,6 +200,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) { char *methods; + static const char default_prompt[] = "You must change your password now."; if (!authctxt->valid && authenticated) fatal("INTERNAL ERROR: authenticated invalid user %s", @@ -238,6 +240,15 @@ packet_write_wait(); /* now we can break out */ authctxt->success = 1; + } else if (authenticated == 2 ) { /* password change required */ + if (password_expire_message == NULL) + password_expire_message = (char *)default_prompt; + debug("sending SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ"); + packet_start(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ); + packet_put_cstring(password_expire_message); + packet_put_cstring(""); /* language */ + packet_send(); + packet_write_wait(); } else { if (authctxt->failures++ > AUTH_FAIL_MAX) { packet_disconnect(AUTH_FAIL_MSG, authctxt->user); diff -ru ../openssh-3.5p1.orig/monitor.c openssh-3.5p1-passexpire_pty/monitor.c --- ../openssh-3.5p1.orig/monitor.c Fri Sep 27 13:26:02 2002 +++ openssh-3.5p1-passexpire_pty/monitor.c Tue Oct 29 23:10:40 2002 @@ -101,6 +101,7 @@ int mm_answer_auth2_read_banner(int, Buffer *); int mm_answer_authserv(int, Buffer *); int mm_answer_authpassword(int, Buffer *); +int mm_answer_auth_change_password(int, Buffer *); int mm_answer_bsdauthquery(int, Buffer *); int mm_answer_bsdauthrespond(int, Buffer *); int mm_answer_skeyquery(int, Buffer *); @@ -161,6 +162,7 @@ {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, + {MONITOR_REQ_CHPASS, MON_AUTH, mm_answer_auth_change_password}, #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, #endif 
@@ -267,6 +269,7 @@ /* Permit requests for moduli and signatures */ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_CHPASS, 1); } else { mon_dispatch = mon_dispatch_proto15; @@ -275,8 +278,13 @@ authctxt = authctxt_new(); - /* The first few requests do not require asynchronous access */ - while (!authenticated) { + /* + * The first few requests do not require asynchronous access + * exit loop if authenticated and password change no required (proto 2) + * or if password correct (proto 1) + */ + while ((compat20 && authenticated != 1) || + (!compat20 && !authenticated)) { authenticated = monitor_read(pmonitor, mon_dispatch, &ent); if (authenticated) { if (!(ent->flags & MON_AUTHDECIDE)) @@ -600,13 +608,14 @@ { static int call_count; char *passwd; - int authenticated; + int authenticated = 0; u_int plen; passwd = buffer_get_string(m, &plen); /* Only authenticate if the context is valid */ - authenticated = options.password_authentication && - authctxt->valid && auth_password(authctxt, passwd); + if ( options.password_authentication && authctxt->valid ) + authenticated = auth_password(authctxt, passwd); + memset(passwd, 0, strlen(passwd)); xfree(passwd); 
@@ -624,6 +633,32 @@ /* Causes monitor loop to terminate if authenticated */ return (authenticated); +} + +int +mm_answer_auth_change_password(int socket, Buffer *m) +{ + char *oldpass, *newpass; + int changed; + + oldpass = buffer_get_string(m, NULL); + newpass = buffer_get_string(m, NULL); + + /* Only attempt if the context is valid */ + if ( options.password_authentication && authctxt->valid ) + changed = auth_change_password(authctxt, oldpass, newpass); + + buffer_clear(m); + buffer_put_int(m, changed); + + mm_request_send(socket, MONITOR_ANS_CHPASS, m); + + memset(oldpass, 0, strlen(oldpass)); + xfree(oldpass); + memset(newpass, 0, strlen(newpass)); + xfree(newpass); + + return changed; } #ifdef BSD_AUTH diff -ru ../openssh-3.5p1.orig/monitor.h openssh-3.5p1-passexpire_pty/monitor.h --- ../openssh-3.5p1.orig/monitor.h Fri Sep 27 13:26:02 2002 +++ openssh-3.5p1-passexpire_pty/monitor.h Tue Oct 29 23:10:41 2002 @@ -35,6 +35,7 @@ MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD, + MONITOR_REQ_CHPASS, MONITOR_ANS_CHPASS, MONITOR_REQ_BSDAUTHQUERY, MONITOR_ANS_BSDAUTHQUERY, MONITOR_REQ_BSDAUTHRESPOND, MONITOR_ANS_BSDAUTHRESPOND, MONITOR_REQ_SKEYQUERY, MONITOR_ANS_SKEYQUERY, diff -ru ../openssh-3.5p1.orig/monitor_wrap.c openssh-3.5p1-passexpire_pty/monitor_wrap.c --- ../openssh-3.5p1.orig/monitor_wrap.c Fri Sep 27 13:26:03 2002 +++ openssh-3.5p1-passexpire_pty/monitor_wrap.c Tue Oct 29 23:10:41 2002 @@ -256,7 +256,7 @@ buffer_put_cstring(&m, password); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHPASSWORD, &m); - debug3("%s: waiting for MONITOR_ANS_AUTHPASSWORD", __func__); + debug3("%s: waiting for MONITOR_ANS_AUTHPASSWORD (type %d)", __func__, MONITOR_ANS_AUTHPASSWORD); mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTHPASSWORD, &m); authenticated = buffer_get_int(&m); 
@@ -266,6 +266,32 @@ debug3("%s: user %sauthenticated", __func__, authenticated ? "" : "not "); return (authenticated); +} + +int +mm_auth_change_password(Authctxt *authctxt, char *oldpass, char *newpass) +{ + Buffer m; + int changed = 0; + + debug3("%s entering", __func__); + + buffer_init(&m); + buffer_put_cstring(&m, oldpass); + buffer_put_cstring(&m, newpass); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_CHPASS, &m); + + debug3("%s: waiting for MONITOR_ANS_CHPASS (type %d)", __func__, MONITOR_ANS_CHPASS); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_CHPASS, &m); + + changed = buffer_get_int(&m); + + debug3("%s: password %schanged", + __func__, changed ? "" : "not "); + + buffer_free(&m); + return changed; } int diff -ru ../openssh-3.5p1.orig/monitor_wrap.h openssh-3.5p1-passexpire_pty/monitor_wrap.h --- ../openssh-3.5p1.orig/monitor_wrap.h Fri Sep 27 13:26:04 2002 +++ openssh-3.5p1-passexpire_pty/monitor_wrap.h Tue Oct 29 23:10:41 2002 @@ -46,6 +46,7 @@ struct passwd *mm_getpwnamallow(const char *); char *mm_auth2_read_banner(void); int mm_auth_password(struct Authctxt *, char *); +int mm_auth_change_password(struct Authctxt *, char *, char *); int mm_key_allowed(enum mm_keytype, char *, char *, Key *); int mm_user_key_allowed(struct passwd *, Key *); int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *); diff -ru ../openssh-3.5p1.orig/openbsd-compat/port-aix.c openssh-3.5p1-passexpire_pty/openbsd-compat/port-aix.c --- ../openssh-3.5p1.orig/openbsd-compat/port-aix.c Sun Jul 7 12:17:36 2002 +++ openssh-3.5p1-passexpire_pty/openbsd-compat/port-aix.c Wed Oct 30 01:46:52 2002 @@ -24,11 +24,15 @@ * */ #include "includes.h" +#include "misc.h" +#include "log.h" #ifdef _AIX #include #include <../xmalloc.h> +#include +#include /* * AIX has a "usrinfo" area where logname and other stuff is stored - 
@@ -52,5 +56,26 @@ xfree(cp); } -#endif /* _AIX */ +#ifdef WITH_AIXAUTHENTICATE +/* + * Remove embedded newlines in string (if any). + * Used before logging messages returned by AIX authentication functions + * so the message is logged on one line. + */ +void +aix_remove_embedded_newlines(char *p) +{ + if (p == NULL) + return; + + for (; *p; p++) { + if (*p == '\n') + *p = ' '; + } + /* Remove trailing newline */ + *--p = '\0'; +} +#endif /* WITH_AIXAUTHENTICATE */ + +#endif /* _AIX */ diff -ru ../openssh-3.5p1.orig/openbsd-compat/port-aix.h openssh-3.5p1-passexpire_pty/openbsd-compat/port-aix.h --- ../openssh-3.5p1.orig/openbsd-compat/port-aix.h Sun Jul 7 12:17:36 2002 +++ openssh-3.5p1-passexpire_pty/openbsd-compat/port-aix.h Wed Oct 30 01:46:35 2002 @@ -25,5 +25,11 @@ */ #ifdef _AIX + void aix_usrinfo(struct passwd *pw); + +#ifdef WITH_AIXAUTHENTICATE +void aix_remove_embedded_newlines(char *); +#endif + #endif /* _AIX */ diff -ru ../openssh-3.5p1.orig/session.c openssh-3.5p1-passexpire_pty/session.c --- ../openssh-3.5p1.orig/session.c Thu Sep 26 10:38:50 2002 +++ openssh-3.5p1-passexpire_pty/session.c Tue Oct 29 23:10:42 2002 @@ -103,8 +103,12 @@ #define MAX_SESSIONS 10 Session sessions[MAX_SESSIONS]; +void do_tty_change_password(struct passwd *); +extern int password_change_required; +extern char *password_expire_message; + #ifdef WITH_AIXAUTHENTICATE -char *aixloginmsg; +char *aixloginmsg; /* message returned by loginsuccess() */ #endif /* WITH_AIXAUTHENTICATE */ #ifdef HAVE_LOGIN_CAP @@ -461,6 +465,12 @@ "TTY available"); #endif /* USE_PAM */ +#ifdef WITH_AIXAUTHENTICATE + if (!compat20 && password_change_required) + packet_disconnect("Password change required but no " + "TTY available"); +#endif /* WITH_AIXAUTHENTICATE */ + /* Fork the child. */ if ((pid = fork()) == 0) { fatal_remove_all_cleanups(); 
@@ -757,6 +767,11 @@ } #endif + if (!compat20 && password_change_required) { + printf("%s\n", password_expire_message); + do_tty_change_password(pw); + } + if (check_quietlogin(s, command)) return; @@ -764,9 +779,18 @@ if (!is_pam_password_change_required()) print_pam_messages(); #endif /* USE_PAM */ + + if (password_expire_message && *password_expire_message) { + if (!password_change_required) + printf("%s\n", password_expire_message); + xfree(password_expire_message); + } + #ifdef WITH_AIXAUTHENTICATE - if (aixloginmsg && *aixloginmsg) + if (aixloginmsg && *aixloginmsg) { printf("%s\n", aixloginmsg); + xfree(aixloginmsg); + } #endif /* WITH_AIXAUTHENTICATE */ #ifndef NO_SSH_LASTLOG From godot at ulyssis.org Thu Oct 31 00:19:39 2002 
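Review bot: in the auth-passwd.c @@ -149 hunk both new debug() calls print authmsg with %.100s, but the `if (authmsg) xfree(authmsg);` just below shows the pointer can be NULL, so the format may receive a null pointer; print a placeholder such as "(none)" when authmsg is NULL.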
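Review bot: in the auth-passwd.c @@ -230 hunk expect_fd() ignores the return value of read(), so on EOF or error c keeps its old value and the loop spins until p reaches 1024, after which `buf[p] = '\0'` writes buf[1024], one past the end of the 1024-byte buffer; bound the loop with `p < sizeof(buf) - 1`, break when read() does not return 1, and check write() in send_fd() the same way. In auth_change_password() in the same hunk, old_signal is restored with `mysignal(SIGCHLD, old_signal);` but is never saved (do_tty_change_password() below does `old_signal = mysignal(SIGCHLD, SIG_DFL);` first); the four expect_fd()/send_fd() pairs assume passwd always prints exactly three ':' prompts and then a newline, so if it rejects the new password and re-prompts, the parent blocks in read() with no timeout; `WEXITSTATUS(status)` is evaluated without `WIFEXITED(status)`, so a child killed by a signal can look like success; and the `debug("%s, received: %s", ...)` of everything read from the pty will log whatever passwd echoes if the prompts ever get out of step.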
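Review bot: in the auth.c @@ -106 hunk both shadow tests can be true for the same account (sp_lstchg == 0 also satisfies `today > spw->sp_lstchg + spw->sp_max`), so the second xstrdup() overwrites and leaks the first password_expire_message and replaces the more specific "(root forced)" text; make the second test an `else if`, or xfree() the old message before reassigning.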
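Review bot: in the auth.c @@ -202 hunk expiremsg is only assigned inside `if (password_expire_message && *password_expire_message)`, so in the default case with a NULL or empty message both the log() call and `if (expiremsg) xfree(expiremsg);` use an uninitialised pointer; declare `char *restrictmsg = NULL, *expiremsg = NULL;` and log a placeholder when no message came back. The `debug("passwdexpired() returned %d", passexpcode);` line also appears twice in this hunk.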
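Review bot: the auth2-passwd.c hunk will not compile as posted: `change_requested = packet_get_char();` uses a variable that is never declared while the declared `int change;` is never assigned yet is what the later `if (change)` tests; with HAVE_CYGWIN undefined the condition collapses to `if (authctxt->valid && )`; and there is one closing brace too many (`+ }` appears twice before `memset(password, 0, len);`). Once it builds, gate the change branch on the old password having been accepted (`authenticated == 2`) rather than on the client flag alone, otherwise every rejected password sent with the change flag forks a passwd process under the user's uid; the comment promises to revalidate the new password but nothing does so, and npassword is used without any check on nlen.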
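Review bot: the auth2.c @@ -238 hunk assigns the static `default_prompt` to password_expire_message, but the session.c @@ -764 hunk later calls `xfree(password_expire_message);` whenever the string is non-empty, which frees a static array; xstrdup() the default text instead, or only free pointers that came from xstrdup() and set the variable to NULL afterwards.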
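Review bot: the monitor.c @@ -267 hunk permits MONITOR_REQ_CHPASS unconditionally at startup, so the unprivileged child (the part privsep assumes may be compromised) can make the privileged monitor fork /usr/bin/passwd for the user at any point before authentication; enable the request from mm_answer_authpassword() only after auth_password() has returned 2, so the privileged side accepts no more than the protocol state requires.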
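Review bot: in the monitor.c @@ -624 hunk `int changed;` is never initialised, so when options.password_authentication or authctxt->valid is false an indeterminate value is sent back as MONITOR_ANS_CHPASS and returned as the monitor loop's authentication result; initialise it to 0, as the @@ -600 hunk now does for `authenticated`.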
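Review bot: aix_remove_embedded_newlines() in the port-aix.c @@ -52 hunk always executes `*--p = '\0';`, which drops the last character even when it was not a newline (the loop has already turned any newline into a space, so it cannot be checked afterwards) and, for an empty string, writes one byte before the buffer; the inline code it replaces was only reached for a non-empty loginmsg, and the new callers in auth-passwd.c pass whatever authenticate() returned. Return early when `*p == '\0'` and strip a trailing '\n' before the loop, by testing the original last character.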
From: godot at ulyssis.org (Danny De Cock)
Date: Wed, 30 Oct 2002 14:19:39 +0100 (CET)
Subject: playing with smartcard: rsa key upload?
Message-ID:

hi,

my subscription to this list is still in progress, i.e., could you include my email address when replying to this email.

I am using the opensc-cvs-snapshot of october 29th, in combination with openssh 3.5p1 on a woody debian machine with pcsclite-1.1.2, and have been trying to get a gemplus gpk16000 smartcard working with openssh.

the problem I am faced with is a segmentation fault of a command such as `ssh -I 0 server`

the commands I have been using are these:

pkcs15-init -dddddd -E -C
pkcs15-init -dddddd -P -a 45 -i 45
pkcs15-init -dddddd -S privkey.pem -a 45 -i 45
pkcs15-init -dddddd -X cert.pem
ssh -I 0 192.168.1.2 -v

the log file /var/log/auth.log of the other machine indicates this after the ssh-client has failed:
Oct 30 13:00:13 g sshd[24750]: Did not receive identification string from 192.168.1.11

fyi: the led of the smartcard reader starts to blink just before the segmentation fault.

does any of you have any idea how to solve this problem?

many thanks, danny.

---------------------------

the first four of these commands have accomplished their tasks successfully:

Connecting to card in reader Towitoko Chipdrive Reader 0 0...
Using card driver: Gemplus GPK driver
Trying to find a PKCS#15 compatible card...
Found OpenSC Card!
Card has 1 certificate(s).

X.509 Certificate [Certificate]
    Flags    : 2
    Authority: no
    Path     : 3F0050159000
    ID       : 45

Card has 1 private key(s).

Private RSA Key [Private Key]
    Com. Flags  : 1D
    Usage       : [0x4], sign
    Access Flags: [0x0]
    ModLength   : 1024
    Key ref     : 0
    Native      : yes
    Path        : 3F0050150006
    Auth ID     : 45
    ID          : 45

Card has 2 PIN code(s).

PIN [Security Officer PIN]
    Com. Flags: 0x3
    Auth ID   : FF
    Flags     : [0xB2], local, initialized, needs-padding, soPin
    Length    : 6..8
    Pad char  : 0x00
    Reference : 8
    Type      : 1
    Path      : 3F005015

PIN []
    Com. Flags: 0x3
    Auth ID   : 45
    Flags     : [0x32], local, initialized, needs-padding
    Length    : 4..8
    Pad char  : 0x00
    Reference : 12
    Type      : 1
    Path      : 3F005015

but the fifth command fails badly:

ssh -I 0 192.168.1.2 -v
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to lien [192.168.1.2] port 22.
debug1: Connection established.
debug1: sc_get_keys called: id = 0
debug1: sc_read_pubkey() with cert id 45
Segmentation fault

> On Thu, 17 Oct 2002, Andreas Hasenack wrote:
>
> > Is there a tool to upload an openssh rsa key to a smart card so that I
> > can use it with ssh -I later on? Should I just upload it as a regular
> > file? Any pointers to some documentation explaining how to do this with
> > openssh?
>
> The current SC related code in openssh is a bit absurd anyway.
> I'm currently rewriting the code into something more generic,
> like pkcs#11 support. After this you can use opensc-pkcs11.so
> to upload your keys.
>
> Hopefully Theo and the rest of OpenSSH guys are willing to
> ditch the current code base, ugly sectok and less ugly opensc
> support entirely.
>
> -Antti
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From lwc at vapid.ath.cx Thu Oct 31 02:21:01 2002
From: lwc at vapid.ath.cx (Larry W. Cashdollar)
Date: Wed, 30 Oct 2002 10:21:01 -0500 (EST)
Subject: connect() timeout patch.
Message-ID: <20021030100813.F33063-200000@vapid.ath.cx>

Hello all,

I am wondering where one would submit a patch to the OpenSSH cvs version? I have written a patch that allows the user to set a timeout for the ssh client's connection attempt. I added this because many of us use ssh in automated scripts and in some cases machines may no longer be reachable; rather than wait, you can set the timeout to, say, 3 seconds (-z switch).

-- Larry Cashdollar

-------------- next part --------------
--- readconf.h Sun Jun 9 16:04:03 2002 +++ ../openssh-3.5p1.modlwc/readconf.h Wed Oct 30 08:50:52 2002 @@ -100,6 +100,7 @@ Forward remote_forwards[SSH_MAX_FORWARDS_PER_DIRECTION]; int clear_forwardings; int no_host_authentication_for_localhost; + int time_out; } Options; --- readconf.c Tue Jul 9 10:06:40 2002 +++ ../openssh-3.5p1.modlwc/readconf.c Wed Oct 30 09:32:51 2002 @@ -793,6 +793,7 @@ options->bind_address = NULL; options->smartcard_device = NULL; options->no_host_authentication_for_localhost = - 1; + options->time_out = 0; } /* --- ssh.c Wed Sep 18 22:05:04 2002 +++ ../openssh-3.5p1.modlwc/ssh.c Wed Oct 30 09:47:44 2002 @@ -275,7 +275,7 @@ again: while ((opt = getopt(ac, av, - "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:NPR:TVX")) != -1) { + "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:NPR:TVX:z:")) != -1) { switch (opt) { case '1': options.protocol = SSH_PROTO_1; @@ -421,6 +421,9 @@ exit(1); } break; + case 'z': + options.time_out = atoi(optarg); + break; case 'l': options.user = optarg; break; --- sshconnect.c Wed Sep 18 22:05:04 2002 +++ ../openssh-3.5p1.modlwc/sshconnect.c Wed Oct 30 09:50:37 2002
@@ -236,10 +236,12 @@ { int gaierr; int on = 1; - int sock = -1, attempt; + int sock = -1, attempt, sigfunc; + void timeout(void); /* Function to handle socket timeout */ char ntop[NI_MAXHOST], strport[NI_MAXSERV]; struct addrinfo hints, *ai, *aitop; struct servent *sp; + /* * Did we get only other errors than "Connection refused" (which * should block fallback to rsh and similar), or did we get at least @@ -299,9 +301,11 @@ if (sock < 0) /* Any error is already output */ continue; - + sigfunc = (int)signal(SIGALRM,(void *) timeout); + alarm(options.time_out); if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) { /* Successful connection. */ + alarm(0); memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen); break; } else { @@ -924,3 +928,18 @@ } return (found); } + +void +timeout(void) +{ + /* Return to here if we get a time out after so many seconds.*/ + + fprintf(stderr,"Connect() timeout after %d ",options.time_out); + + if (options.time_out == 1) + fprintf(stderr,"second.\n"); + else + fprintf(stderr,"seconds.\n"); + +exit(0); +} From markus at openbsd.org Thu Oct 31 03:08:00 2002 From: markus at openbsd.org (Markus Friedl) Date: Wed, 30 Oct 2002 17:08:00 +0100 Subject: connect() timeout patch. In-Reply-To: <20021030100813.F33063-200000@vapid.ath.cx> References: <20021030100813.F33063-200000@vapid.ath.cx> Message-ID: <20021030160800.GC4607@folly> On Wed, Oct 30, 2002 at 10:21:01AM -0500, Larry W. Cashdollar wrote: > Hello all, > I am wondering where one would submit a patch to OpenSSH cvs check bugzilla, there is a patch using select (preferred). -m From godot at ulyssis.org Thu Oct 31 07:11:22 2002 
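Review bot: the ssh.c @@ -275 hunk changes the getopt string from "...NPR:TVX" to "...NPR:TVX:z:", so -X now takes an argument and a plain `ssh -X host` stops working; it should read "...NPR:TVXz:". The readconf.c hunk only initialises options->time_out, so the timeout can be set with -z but not from ssh_config; a keyword in readconf.c's option table would match how the other options are handled.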
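Review bot: in the sshconnect.c @@ -299 hunk alarm(0) is only called on the successful path, so after a failed connect() the alarm stays armed across the next address in the loop and everything that follows; `sigfunc = (int)signal(SIGALRM,(void *) timeout)` casts a function pointer to int, and the saved disposition is never restored. Cancel the alarm on both paths and restore the previous handler, or, as Markus suggests, use a non-blocking connect() with select() and drop the signal entirely.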
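Review bot: timeout() in the sshconnect.c @@ -924 hunk runs as a signal handler yet calls fprintf() and exit(0), which are not async-signal-safe; it also exits with status 0, so the automated scripts the patch is meant for cannot tell a timed-out connection from success, and its `void timeout(void)` prototype (declared inside the function at @@ -236) does not match the `void (*)(int)` signature a handler needs. Exit non-zero, and keep the handler to setting a flag at most.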
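Markus points at a select()-based patch as the preferred approach. As an added example (not Larry's patch and not OpenSSH code), this is what that looks like in C: a non-blocking connect() with a select() deadline that hands the failure back to the caller instead of calling exit() from a SIGALRM handler; connect_with_timeout() and loopback_probe() are names chosen here, and the loopback probe is a constructed self-test.

```c
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>

/* Restore the socket's saved file flags, then fail with the given errno. */
static int fail_with(int sock, int flags, int err)
{
    fcntl(sock, F_SETFL, flags);
    errno = err;
    return -1;
}

/*
 * connect() with a deadline the select() way: non-blocking connect, a
 * bounded select() for writability, then SO_ERROR for the real outcome.
 * Returns 0 on success (blocking mode restored) or -1 with errno set;
 * an expired deadline is reported as ETIMEDOUT, so the caller decides
 * how to fail instead of a signal handler calling exit().
 */
int connect_with_timeout(int sock, const struct sockaddr *sa,
                         socklen_t salen, int timeout_secs)
{
    int flags, rc, err = 0;
    socklen_t errlen = sizeof(err);
    fd_set wfds;
    struct timeval tv;

    if (timeout_secs <= 0)                  /* no deadline requested */
        return connect(sock, sa, salen);
    if ((flags = fcntl(sock, F_GETFL, 0)) < 0 ||
        fcntl(sock, F_SETFL, flags | O_NONBLOCK) < 0)
        return -1;

    rc = connect(sock, sa, salen);
    if (rc < 0 && errno != EINPROGRESS)     /* e.g. ECONNREFUSED */
        return fail_with(sock, flags, errno);
    if (rc < 0) {
        /* In progress: wait until writable or until the deadline passes. */
        FD_ZERO(&wfds); FD_SET(sock, &wfds);
        tv.tv_sec = timeout_secs; tv.tv_usec = 0;
        rc = select(sock + 1, NULL, &wfds, NULL, &tv);
        if (rc == 0)
            return fail_with(sock, flags, ETIMEDOUT);
        if (rc < 0)                         /* EINTR is treated as failure */
            return fail_with(sock, flags, errno);
        /* Writable means finished, not succeeded: fetch the result. */
        if (getsockopt(sock, SOL_SOCKET, SO_ERROR, &err, &errlen) < 0)
            err = errno;
        if (err != 0)
            return fail_with(sock, flags, err);
    }
    fcntl(sock, F_SETFL, flags);            /* back to blocking mode */
    return 0;
}

/*
 * Constructed self-test helper: bind a loopback socket on an ephemeral
 * port and connect to it with a deadline. With listen_first clear the
 * port is released first, so the kernel refuses the connect.
 * Returns 0 on a successful connect, -1 otherwise.
 */
int loopback_probe(int listen_first, int timeout_secs)
{
    int srv, cli, rc;
    struct sockaddr_in addr;
    socklen_t alen = sizeof(addr);

    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                      /* kernel picks a free port */
    if ((srv = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -1;
    if (bind(srv, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        getsockname(srv, (struct sockaddr *)&addr, &alen) < 0 ||
        (listen_first && listen(srv, 1) < 0)) {
        close(srv);
        return -1;
    }
    if (!listen_first) {
        close(srv);                         /* nobody listens there now */
        srv = -1;
    }
    if ((cli = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        if (srv >= 0) close(srv);
        return -1;
    }
    rc = connect_with_timeout(cli, (struct sockaddr *)&addr, sizeof(addr),
                              timeout_secs);
    close(cli);
    if (srv >= 0) close(srv);
    return rc;
}
```

A caller that wants a precise deadline across an EINTR would recompute the remaining time and retry select(); the version above simply reports the interruption.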
From: godot at ulyssis.org (Danny De Cock)
Date: Wed, 30 Oct 2002 21:11:22 +0100 (CET)
Subject: playing with smartcard: rsa key upload?
In-Reply-To:
Message-ID:

hi,

some additional information after some straightforward debugging tells me this: the segmentation fault occurs in the openssl-package source file crypto/engine/engine_lib.c. more precisely, it happens the second time ENGINE_init(...) is called when trying to accomplish the assignment:

    if((e->funct_ref == 0) && e->init){
        /* This is the first functional reference and the engine
         * requires initialisation so we do it now. */
        to_return = e->init();
    }

so the first time ENGINE_init(...) is executed, there is no problem, and the second time is triggered by sc_read_pubkey(), which calls RSA_set_method. it is this RSA_set_method that triggers the segmentation fault.

for the record: I am using the binaries produced by opensc-snap-20021029, openssl-engine-0.9.6g.tar.gz and openssh-3.5p1.tar.gz.

cu, danny.

On Wed, 30 Oct 2002, Danny De Cock wrote:

> hi,
>
> my subscription to this list is still in progress, i.e., could you
> include my email address when replying to this email.
>
> I am using the opensc-cvs-snapshot of october 29th, in combination
> with openssh 3.5p1 on a woody debian machine with pcsclite-1.1.2, and
> have been trying to get a gemplus gpk16000 smartcard working with
> openssh.
>
> the problem I am faced with is a segmentation fault of a command such
> as `ssh -I 0 server`
>
> the commands I have been using are these:
>
> pkcs15-init -dddddd -E -C
> pkcs15-init -dddddd -P -a 45 -i 45
> pkcs15-init -dddddd -S privkey.pem -a 45 -i 45
> pkcs15-init -dddddd -X cert.pem
> ssh -I 0 192.168.1.2 -v
>
> the log file /var/log/auth.log of the other machine indicates this after
> the ssh-client has failed:
> Oct 30 13:00:13 g sshd[24750]: Did not receive identification string from 192.168.1.11
>
> fyi: the led of the smartcard reader starts to blink just before the
> segmentation fault.
>
> does any of you have any idea how to solve this problem?
>
> many thanks, danny.
>
> ---------------------------
>
> the first four of these commands have accomplished their tasks
> successfully:
>
>
> Connecting to card in reader Towitoko Chipdrive Reader 0 0...
> Using card driver: Gemplus GPK driver
> Trying to find a PKCS#15 compatible card...
> Found OpenSC Card!
> Card has 1 certificate(s).
>
> X.509 Certificate [Certificate]
>     Flags    : 2
>     Authority: no
>     Path     : 3F0050159000
>     ID       : 45
>
> Card has 1 private key(s).
>
> Private RSA Key [Private Key]
>     Com. Flags  : 1D
>     Usage       : [0x4], sign
>     Access Flags: [0x0]
>     ModLength   : 1024
>     Key ref     : 0
>     Native      : yes
>     Path        : 3F0050150006
>     Auth ID     : 45
>     ID          : 45
>
> Card has 2 PIN code(s).
>
> PIN [Security Officer PIN]
>     Com. Flags: 0x3
>     Auth ID   : FF
>     Flags     : [0xB2], local, initialized, needs-padding, soPin
>     Length    : 6..8
>     Pad char  : 0x00
>     Reference : 8
>     Type      : 1
>     Path      : 3F005015
>
> PIN []
>     Com. Flags: 0x3
>     Auth ID   : 45
>     Flags     : [0x32], local, initialized, needs-padding
>     Length    : 4..8
>     Pad char  : 0x00
>     Reference : 12
>     Type      : 1
>     Path      : 3F005015
>
> but the fifth command fails badly:
>
> ssh -I 0 192.168.1.2 -v
> OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f
> debug1: Reading configuration data /usr/local/etc/ssh_config
> debug1: Rhosts Authentication disabled, originating port will not be trusted.
> debug1: ssh_connect: needpriv 0
> debug1: Connecting to lien [192.168.1.2] port 22.
> debug1: Connection established.
> debug1: sc_get_keys called: id = 0
> debug1: sc_read_pubkey() with cert id 45
> Segmentation fault
>
>
> > On Thu, 17 Oct 2002, Andreas Hasenack wrote:
> >
> > > Is there a tool to upload an openssh rsa key to a smart card so that I
> > > can use it with ssh -I later on? Should I just upload it as a regular
> > > file? Any pointers to some documentation explaining how to do this with
> > > openssh?
> >
> > The current SC related code in openssh is a bit absurd anyway.
> > I'm currently rewriting the code into something more generic,
> > like pkcs#11 support. After this you can use opensc-pkcs11.so
> > to upload your keys.
> >
> > Hopefully Theo and the rest of OpenSSH guys are willing to
> > ditch the current code base, ugly sectok and less ugly opensc
> > support entirely.
> >
> > -Antti
>

--
-----------------------------------------------------------------------------
Don't kid yourself. Little is relevant, and nothing lasts forever.
-----------------------------------------------------------------------------
Mail : Danny.DeCock at esat.kuleuven.ac.be   daniel.decock at postbox.be
WWW  : http://ace.ulyssis.org/~godot        godot at advalvas.be

From zagar at arlut.utexas.edu Thu Oct 31 08:37:12 2002
From: zagar at arlut.utexas.edu (Randy Zagar)
Date: Wed, 30 Oct 2002 15:37:12 -0600
Subject: Rhosts Authentication broken in 3.4.p1???
Message-ID: <3DC05108.5070007@arlut.utexas.edu>

Has ANYONE been able to verify that Rhosts authentication works with 3.4.p1? Does it work with other SSHv2 implementations? Anybody tried it on a RedHat 7.3 system?

Also, I'm curious about this code I found in sshd.c:

    /*
     * Check that the connection comes from a privileged port.
     * Rhosts-Authentication only makes sense from priviledged
     * programs. Of course, if the intruder has root access on his
     * local machine, he can connect from any port. So do not use these
     * authentication methods from machines that you do not trust.
     */
    if (options.rhosts_authentication &&
        (remote_port >= IPPORT_RESERVED ||
        remote_port < IPPORT_RESERVED / 2)) {
            debug("Rhosts Authentication disabled, "
                "originating port %d not trusted.", remote_port);
            options.rhosts_authentication = 0;
    }

It looks to me like this overrides the config file without offering any way to override this policy. Also, I think this would cause compatibility problems with the non-commercial F-Secure SSH-2.4.x client as it does not use privileged ports for root client connections.

As a general rule I like to see security and authentication policy determined by config file and not by hard-coding it into the source. This code doesn't follow that paradigm.

-Randy

From djm at mindrot.org Thu Oct 31 11:51:15 2002
From: djm at mindrot.org (Damien Miller)
Date: Thu, 31 Oct 2002 11:51:15 +1100
Subject: Rhosts Authentication broken in 3.4.p1???
In-Reply-To: <3DC05108.5070007@arlut.utexas.edu>
References: <3DC05108.5070007@arlut.utexas.edu>
Message-ID: <3DC07E83.8010806@mindrot.org>

Randy Zagar wrote:
>
> Has ANYONE been able to verify that Rhosts authentication works with
> 3.4.p1? Does it work with other SSHv2 implementations? Anybody tried
> it on a RedHat 7.3 system?

Don't use rhosts authentication, use hostbased instead.

> Also, I'm curious about this code I found in sshd.c:
>
>
> /*
> * Check that the connection comes from a privileged port.
> * Rhosts-Authentication only makes sense from priviledged
> * programs. Of course, if the intruder has root access on his
> * local machine, he can connect from any port. So do not use these
> * authentication methods from machines that you do not trust.
> */
> if (options.rhosts_authentication &&
> (remote_port >= IPPORT_RESERVED ||
> remote_port < IPPORT_RESERVED / 2)) {
> debug("Rhosts Authentication disabled, "
> "originating port %d not trusted.", remote_port);
> options.rhosts_authentication = 0;
> }
>
> It looks to me like this overrides the config file without offering any
> way to override this policy. Also, I think this would cause
> compatibility problems with the non-commercial F-Secure SSH-2.4.x client
> as it does not use privileged ports for root client connections.
>
> As a general rule I like to see security and authentication policy
> determined by config file and not by hard-coding it into the source.
> This code doesn't follow that paradigm.

You clearly don't understand rhosts "authentication".

-d

From mouring at etoh.eviladmin.org Thu Oct 31 12:07:09 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 30 Oct 2002 19:07:09 -0600 (CST)
Subject: [PATCH] AIX password expiration (via passwd)
In-Reply-To: <3DBFD1DF.9FAF0DE3@zip.com.au>
Message-ID:

Looks like what I was working on. The only thing that one may need to worry about is if you are on systems like OpenBSD or PAM w/ cracklib it may return comments like:

"Please enter a longer password."
"Please don't use all-digit passwords.\nUnusual capitalization, control characters or digits are suggested."

or the evil one from VAX that goes like:

"You are not allowed to reuse old passwords for XX days."

or

"Password too close to an old password. Must be at least two characters different."

Would be nice to return that to the end user. Just not sure how practical. It is already black magic depending on /usr/bin/passwd.

- Ben

On Wed, 30 Oct 2002, Darren Tucker wrote:

> Ben Lindstrom wrote:
> > Forking off a connection to /usr/bin/passwd and writing a C script to
> > automate changing password. I just think it will be a pain.
>
> I'm not sure how this should be done, but I didn't let that stop me :-).
>
> This patch is an experiment with allocating a pty, forking off
> /usr/bin/passwd and changing the password via it for protocol 2. It's
> stupidly simplistic.
>
> It currently works on AIX without privsep. It core dumps with privsep
> and I don't know why.
>
> Is it worth pursuing this or should I cut my losses and go back to
> spawning passwd in the session for protocol 2?
>
> Incidentally, the shadow password changing in patch #7 has been reported
> to work on UnixWare 2.1.3 as-is (in addition to Solaris and Redhat
> previously tested).
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

From dtucker at zip.com.au Thu Oct 31 13:11:51 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 31 Oct 2002 13:11:51 +1100
Subject: [PATCH] AIX password expiration (via passwd)
References:
Message-ID: <3DC09166.3A2D0A22@zip.com.au>

Ben Lindstrom wrote:
> Looks like what I was working on.  The only thing that one may need to
> worry about is if you are on systems like OpenBSD or PAM w/ cracklib it
> may return comments like:
[snip]
> Would be nice to return that to the end user.  Just not sure how
> practical.  It is already black magic depending on /usr/bin/passwd.

And once it tries to handle all of those things, timing problems and
other system-dependent weirdness all in one change_password function,
what are the odds of it ending up bigger, uglier and flakier than the
sum of [aix|shadow|pam]_change_password?

FWIW, my preference is currently:
1) *_change_password via PASSWD_CHANGEREQ for proto 2, passwd in session
for proto 1
2) exec passwd in session for both
3) passwd in pty via PASSWD_CHANGEREQ for proto 2, passwd in session for
proto 1

Apart from AIX, /etc/shadow and PAM based systems, what other password
expiry schemes are there?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From tim at multitalents.net Thu Oct 31 13:24:27 2002
From: tim at multitalents.net (Tim Rice)
Date: Wed, 30 Oct 2002 18:24:27 -0800 (PST)
Subject: [PATCH] AIX password expiration (via passwd)
In-Reply-To:
Message-ID:

And then there is the problem that on some systems it's /bin/passwd
on others /usr/bin/passwd

On Wed, 30 Oct 2002, Ben Lindstrom wrote:

>
> Looks like what I was working on.  The only thing that one may need to
> worry about is if you are on systems like OpenBSD or PAM w/ cracklib it
> may return comments like:
>
> "Please enter a longer password."
> "Please don't use all-digit passwords.\nUnusual capitalization, control
> characters or digits are suggested."
>
> or the evil one from VAX that goes like:
>
> "You are not allowed to reuse old passwords for XX days."
>
> or
>
> "Password too close to an old password.  Must be at least two characters
> different."
>
> Would be nice to return that to the end user.  Just not sure how
> practical.  It is already black magic depending on /usr/bin/passwd.
>
> - Ben
>
>
> On Wed, 30 Oct 2002, Darren Tucker wrote:
>
> > Ben Lindstrom wrote:
> > > Forking off a connection to /usr/bin/passwd and writing a C script to
> > > automate changing password.  I just think it will be a pain.
> >
> > I'm not sure how this should be done, but I didn't let that stop me :-).
> >
> > This patch is an experiment with allocating a pty, forking off
> > /usr/bin/passwd and changing the password via it for protocol 2.  It's
> > stupidly simplistic.
> >
> > It currently works on AIX without privsep.  It core dumps with privsep
> > and I don't know why.
> >
> > Is it worth pursuing this or should I cut my losses and go back to
> > spawning passwd in the session for protocol 2?
> >
> > Incidentally, the shadow password changing in patch #7 has been reported
> > to work on UnixWare 2.1.3 as-is (in addition to Solaris and Redhat
> > previously tested).
> >
> > --
> > Darren Tucker (dtucker at zip.com.au)
> > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> >     Good judgement comes with experience. Unfortunately, the experience
> > usually comes from bad judgement.
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

--
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From mouring at etoh.eviladmin.org Thu Oct 31 13:16:36 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 30 Oct 2002 20:16:36 -0600 (CST)
Subject: [PATCH] AIX password expiration (via passwd)
In-Reply-To: <3DC09166.3A2D0A22@zip.com.au>
Message-ID:

On Thu, 31 Oct 2002, Darren Tucker wrote:

> Ben Lindstrom wrote:
> > Looks like what I was working on.  The only thing that one may need to
> > worry about is if you are on systems like OpenBSD or PAM w/ cracklib it
> > may return comments like:
> [snip]
> > Would be nice to return that to the end user.  Just not sure how
> > practical.  It is already black magic depending on /usr/bin/passwd.
>
> And once it tries to handle all of those things, timing problems and
> other system-dependent weirdness all in one change_password function,
> what are the odds of it ending up bigger, uglier and flakier than the
> sum of [aix|shadow|pam]_change_password?

Ya I know )

>
> FWIW, my preference is currently:
> 1) *_change_password via PASSWD_CHANGEREQ for proto 2, passwd in session
> for proto 1
> 2) exec passwd in session for both
> 3) passwd in pty via PASSWD_CHANGEREQ for proto 2, passwd in session for
> proto 1
>
> Apart from AIX, /etc/shadow and PAM based systems, what other password
> expiry schemes are there?
>

BSD_AUTH

Maybe SIA has its own stuff.

MacOSX/NeXT have NetInfo which has its own weird way.

Cygwin on NT (won't make sense for win98).. assuming they want to that
challenge

- Ben

From dtucker at zip.com.au Thu Oct 31 13:38:19 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 31 Oct 2002 13:38:19 +1100
Subject: [PATCH] AIX password expiration (via passwd)
References:
Message-ID: <3DC0979B.3FBCCDB1@zip.com.au>

Tim Rice wrote:
> And then there is the problem that on some systems it's /bin/passwd
> on others /usr/bin/passwd

I mentioned it in an earlier message but if it ends up being used we
should have configure find it, same as login.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From bugzilla-daemon at mindrot.org Thu Oct 31 19:33:32 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 31 Oct 2002 19:33:32 +1100 (EST)
Subject: [Bug 409] Installation from cygwin doesn't configure sshd
Message-ID: <20021031083332.615C63D15F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=409

marc.girod at nokia.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

------- Additional Comments From marc.girod at nokia.com  2002-10-31 19:33 -------
I now found the ssh-host-config tool, as well as the cygrunsrv package
depended upon.

Using them was easy and efficient.

I still believe I missed something in some documentation.
At least I didn't find it.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From markus at openbsd.org Thu Oct 31 21:07:49 2002
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 31 Oct 2002 11:07:49 +0100
Subject: Rhosts Authentication broken in 3.4.p1???
In-Reply-To: <3DC05108.5070007@arlut.utexas.edu>
References: <3DC05108.5070007@arlut.utexas.edu>
Message-ID: <20021031100749.GC1871@folly>

On Wed, Oct 30, 2002 at 03:37:12PM -0600, Randy Zagar wrote:
>         if (options.rhosts_authentication &&
>             (remote_port >= IPPORT_RESERVED ||
>             remote_port < IPPORT_RESERVED / 2)) {
>                 debug("Rhosts Authentication disabled, "
>                     "originating port %d not trusted.", remote_port);
>                 options.rhosts_authentication = 0;
>         }

well sshd should not set options.rhosts_authentication to 0,
but sshd should make sure rhosts_authentication fails, so
setting options.rhosts_authentication = 0 works just fine.
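Damien's and Markus's replies both come down to the same point: the privileged source port is the only thing rhosts "authentication" actually rests on, so the check cannot be a config-file matter. The following is an added example, not OpenSSH code: it reimplements the quoted sshd rule as standalone C, with the `rhosts_authentication` flag, the message buffer and the list of peer ports all constructed here for illustration.

```c
#include <stdio.h>
#include <netinet/in.h>   /* IPPORT_RESERVED (1024) */

/*
 * The quoted sshd check trusts only [IPPORT_RESERVED/2, IPPORT_RESERVED), i.e.
 * 512..1023: the window rresvport(3) allocates for rsh/rlogin-style clients,
 * and binding anywhere below 1024 needs root on the client host.  A port
 * >= 1024 can be bound by any local user and so proves nothing about who is
 * connecting; ports < 512 are well-known service ports no rhosts client uses.
 */
int rhosts_port_trusted(int remote_port)
{
    return remote_port >= IPPORT_RESERVED / 2 && remote_port < IPPORT_RESERVED;
}

/*
 * Apply the rule as sshd does: *rhosts_authentication stands in for the
 * sshd_config option; if it is on but the peer port is untrusted, switch it
 * off for this connection, record the debug text in msg and return 1.
 */
int check_rhosts_source_port(int *rhosts_authentication, int remote_port,
                             char *msg, size_t msglen)
{
    msg[0] = '\0';
    if (*rhosts_authentication && !rhosts_port_trusted(remote_port)) {
        snprintf(msg, msglen, "Rhosts Authentication disabled, "
                 "originating port %d not trusted.", remote_port);
        *rhosts_authentication = 0;
        return 1;
    }
    return 0;
}

/* Net effect of the rule for a given sshd_config value and peer port. */
int rhosts_effective(int configured, int remote_port)
{
    char msg[96];
    check_rhosts_source_port(&configured, remote_port, msg, sizeof msg);
    return configured;
}

int main(void)
{
    /* Constructed peer ports: root-owned rresvport client first, then user-level. */
    int ports[] = { 1023, 512, 511, 1024, 45000 };
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++)
        printf("port %5d: rhosts %s\n", ports[i],
               rhosts_effective(1, ports[i]) ? "allowed" : "disabled");
    return 0;
}
```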