From citibob at eecs.harvard.edu Mon Dec 1 03:37:51 2003
From: citibob at eecs.harvard.edu (Bob Fischer)
Date: Sun, 30 Nov 2003 11:37:51 -0500
Subject: Problems with port forwarding on Suse Linux 9.0
Message-ID: <1070210269.2338.4.camel@catfish.home>

Problem: I'm trying to forward a port (say, port 25) of a SuSE 9.0 Linux system to an external client system (in this case running RedHat 9.0). It doesn't work, and the problem seems to be on the SuSE side.

Details
=======

On the client system, I run (where "suse-server" is the IP address of my SuSE server system to which I'm trying to connect)

client> /usr/bin/ssh -f -L 5599:localhost:25 suse-server sleep 100
client> telnet localhost 5599
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
channel 2: open failed: connect failed: Connection refused
Connection closed by foreign host.

This is a problem with the port forwarding. When I connect to the same port from the suse-server computer, it works:

suse-server> telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 catfish.home ESMTP Postfix

I've pulled my hair out over this one, to no avail, nor have I found anyone else with the problem.

More details:

client> rpm --query openssh
openssh-3.6.1p2-19
client> rpm --query openssl
openssl-0.9.7a-23
suse-server> rpm --query openssh
openssh-3.7.1p2-18
suse-server> rpm --query openssl
openssl-0.9.7b-74

Thanks,
-- Bob

From citibob at eecs.harvard.edu Mon Dec 1 10:29:52 2003
From: citibob at eecs.harvard.edu (Bob Fischer)
Date: Sun, 30 Nov 2003 18:29:52 -0500
Subject: Problems with port forwarding on Suse Linux 9.0
In-Reply-To: <20031130224223.GA9867@thibs.menloschool.org>
References: <1070210269.2338.4.camel@catfish.home> <20031130224223.GA9867@thibs.menloschool.org>
Message-ID: <1070234992.2825.8.camel@catfish.home>

On Sun, 2003-11-30 at 17:42, Andrew Farmer wrote:
> On Sun, 30 Nov 2003 08:37:51 -0800, Bob Fischer muttered:
> > Problem: I'm trying to forward a port (say, port 25) of a SuSE 9.0 Linux
> > system to an external client system (in this case running RedHat 9.0).
> > It doesn't work, and the problem seems to be on the SuSE side.
>
> The problem is that only root can bind to "privileged" ports (<1024).
> You'll have to ssh in as root to create this forwarding.

Good thought, but I already tried it. Anyway, I get the same problem with unprivileged ports. Here's the log of the same problem, ssh-ing into the SuSE server as root:

client> /usr/bin/ssh -f -L 5599:localhost:25 root at suse-server sleep 100
Password:
client> telnet localhost 5599
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
channel 2: open failed: connect failed: Connection refused
Connection closed by foreign host.

-- Bob

From citibob at eecs.harvard.edu Mon Dec 1 10:32:36 2003
From: citibob at eecs.harvard.edu (Bob Fischer)
Date: Sun, 30 Nov 2003 18:32:36 -0500
Subject: Problems with port forwarding on Suse Linux 9.0
In-Reply-To: <20031130224223.GA9867@thibs.menloschool.org>
References: <1070210269.2338.4.camel@catfish.home> <20031130224223.GA9867@thibs.menloschool.org>
Message-ID: <1070235155.2825.10.camel@catfish.home>

It also fails on an even simpler example. I am logged on as root, and the ssh client and server are the same machine:

suse-server # /usr/bin/ssh -f -L 5600:localhost:25 localhost sleep 100
Password:
suse-server # telnet localhost 5600
Trying ::1...
channel 3: open failed: connect failed: Connection refused
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

-- Bob

From dtucker at zip.com.au Mon Dec 1 11:35:21 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 01 Dec 2003 11:35:21 +1100
Subject: Problems with port forwarding on Suse Linux 9.0
References: <1070210269.2338.4.camel@catfish.home>
Message-ID: <3FCA8CC9.31C510BC@zip.com.au>

Bob Fischer wrote:
[snip]
> On the client system, I run (where "suse-server" is the IP address of my
> SuSE server system to which I'm trying to connect)
>
> client> /usr/bin/ssh -f -L 5599:localhost:25 suse-server sleep 100
> client> telnet localhost 5599
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> channel 2: open failed: connect failed: Connection refused
> Connection closed by foreign host.
[snip]
> suse-server> telnet localhost 25
> Trying ::1...
> telnet: connect to address ::1: Connection refused

Try setting the forward to "-L 5599:127.0.0.1:25". I suspect sshd is trying to connect to the IPv6 address of "localhost", which is refused, and sshd doesn't try the IPv4 address.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From bheafey at comcast.net Mon Dec 1 15:13:41 2003
From: bheafey at comcast.net (Bill Heafey)
Date: Sun, 30 Nov 2003 23:13:41 -0500
Subject: Logging failed login attempts (version 3.7.1p2)
Message-ID:

Is it possible to configure sshd (version 3.7.1p2, in my case) to log all failed login attempts?

I've messed around with various syslog.conf settings and I've modified the sshd_config file to "UseLogin yes", assuming this may be required in order to leverage the /etc/default/login settings used by telnet. Nothing has worked, so far.

For auditing purposes, I've been asked to show that failed login attempts are logged.

Thank you
Bill

From dtucker at zip.com.au Mon Dec 1 16:25:13 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 01 Dec 2003 16:25:13 +1100
Subject: Logging failed login attempts (version 3.7.1p2)
References:
Message-ID: <3FCAD0B9.7B9F30E@zip.com.au>

Bill Heafey wrote:
>
> Is it possible to configure sshd (version 3.7.1p2, in my case) to log all
> failed login attempts?
>
> I've messed around with various syslog.conf settings and I've modified the
> sshd_config file to "UseLogin yes", assuming this may be required in order
> to leverage the /etc/default/login settings used by telnet. Nothing has
> worked, so far.
>
> For auditing purposes, I've been asked to show that failed login attempts
> are logged.

Try LogLevel VERBOSE in sshd_config.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From gert at greenie.muc.de Mon Dec 1 21:20:28 2003
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 1 Dec 2003 11:20:28 +0100
Subject: Problems with port forwarding on Suse Linux 9.0
In-Reply-To: <1070235155.2825.10.camel@catfish.home>; from citibob@eecs.harvard.edu on Sun, Nov 30, 2003 at 06:32:36PM -0500
References: <1070210269.2338.4.camel@catfish.home> <20031130224223.GA9867@thibs.menloschool.org> <1070235155.2825.10.camel@catfish.home>
Message-ID: <20031201112028.Q23021@greenie.muc.de>

Hi,

On Sun, Nov 30, 2003 at 06:32:36PM -0500, Bob Fischer wrote:
> It also fails on an even simpler example. I am logged on as root, and
> the ssh client and server are the same machine:
>
> suse-server # /usr/bin/ssh -f -L 5600:localhost:25 localhost sleep 100
> Password:
> suse-server # telnet localhost 5600
> Trying ::1...
> channel 3: open failed: connect failed: Connection refused
> Connected to localhost.
> Escape character is '^]'.
> Connection closed by foreign host.

I'd say the problem is IPv6 - if you do "-L" forwarding, the ssh daemon will use whatever transport is available (!) to connect to "localhost:25". So if you have "localhost = ::1" in /etc/hosts, and your SMTP server is not listening on IPv6, it will fail.

If you have a machine that runs IPv4 and IPv6, but your services don't do IPv6, specify the target host as IPv4 literal:

ssh ... -L 5600:127.0.0.1:25 ...

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    gert at greenie.muc.de
fax: +49-89-35655025              gert at net.informatik.tu-muenchen.de

From djm at mindrot.org Mon Dec 1 22:55:12 2003
From: djm at mindrot.org (Damien Miller)
Date: Mon, 01 Dec 2003 11:55:12 -0000
Subject: Problems with port forwarding on Suse Linux 9.0
In-Reply-To: <3FCA8CC9.31C510BC@zip.com.au>
References: <1070210269.2338.4.camel@catfish.home> <3FCA8CC9.31C510BC@zip.com.au>
Message-ID: <1070279613.19562.5.camel@sakura.mindrot.org>

On Mon, 2003-12-01 at 11:35, Darren Tucker wrote:
> > Trying ::1...
> > telnet: connect to address ::1: Connection refused
>
> Try setting the forward to "-L 5599:127.0.0.1:25". I suspect sshd is
> trying to connect to the IPv6 address of "localhost", which is refused,
> and sshd doesn't try the IPv4 address.

We should try addresses on all address families, see channels.c::connect_to()

> suse-server> telnet localhost 25
> Trying ::1...
> telnet: connect to address ::1: Connection refused

I think the problem is telnet here, not ssh. Try "telnet 127.0.0.1 25". Perhaps someone needs to update Linux telnet to try all addresses returned from getaddrinfo()

-d

From pekkas at netcore.fi Mon Dec 1 23:19:02 2003
From: pekkas at netcore.fi (Pekka Savola)
Date: Mon, 1 Dec 2003 14:19:02 +0200 (EET)
Subject: Problems with port forwarding on Suse Linux 9.0
In-Reply-To: <3FCA8CC9.31C510BC@zip.com.au>
Message-ID:

On Mon, 1 Dec 2003, Darren Tucker wrote:
> [snip]
> > On the client system, I run (where "suse-server" is the IP address of my
> > SuSE server system to which I'm trying to connect)
> >
> > client> /usr/bin/ssh -f -L 5599:localhost:25 suse-server sleep 100
> > client> telnet localhost 5599
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > channel 2: open failed: connect failed: Connection refused
> > Connection closed by foreign host.
> [snip]
> > suse-server> telnet localhost 25
> > Trying ::1...
> > telnet: connect to address ::1: Connection refused
>
> Try setting the forward to "-L 5599:127.0.0.1:25". I suspect sshd is
> trying to connect to the IPv6 address of "localhost", which is refused,
> and sshd doesn't try the IPv4 address.

Obviously, 'ssh' should do a getaddrinfo lookup on the host to be forwarded, and loop through all the addresses until a working one is found. That's what about every app which is supposed to be v4/v6-capable should be doing.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
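The address-family walk Pekka and Damien describe, written out as an added example in C; this is not OpenSSH's channels.c code. The IPv4-only listener standing in for the Postfix daemon is constructed for the demo, and connect_host(), start_ipv4_listener() and demo() are names chosen here.

```c
/* Added example (not OpenSSH's channels.c code): connect to host:port by
 * walking every address getaddrinfo() returns, so a refused IPv6 ::1 falls
 * through to 127.0.0.1. With try_all == 0 only the first address is used,
 * which is the failure mode this thread describes. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>

/* Resolve host:port (AF_UNSPEC, so both families) and connect. Returns a
 * connected fd, or -1 when the tried address(es) all failed. */
int connect_host(const char *host, const char *port, int try_all)
{
    struct addrinfo hints, *res, *ai;
    int fd = -1;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &res) != 0)
        return -1;

    for (ai = res; ai != NULL; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd >= 0 && connect(fd, ai->ai_addr, ai->ai_addrlen) == 0)
            break;                 /* connected on this address family */
        if (fd >= 0)
            close(fd);             /* e.g. ::1 refused: move to the next */
        fd = -1;
        if (!try_all)
            break;                 /* old behaviour: give up after the first */
    }
    freeaddrinfo(res);
    return fd;
}

/* Constructed stand-in for an IPv4-only SMTP daemon: listen on 127.0.0.1,
 * ephemeral port. Returns the listening fd and stores the port number. */
int start_ipv4_listener(unsigned short *port_out)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    int lfd = socket(AF_INET, SOCK_STREAM, 0);

    if (lfd < 0)
        return -1;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;                      /* kernel picks a free port */
    if (bind(lfd, (struct sockaddr *)&sin, sizeof(sin)) < 0 ||
        listen(lfd, 8) < 0 ||
        getsockname(lfd, (struct sockaddr *)&sin, &len) < 0) {
        close(lfd);
        return -1;
    }
    *port_out = ntohs(sin.sin_port);
    return lfd;
}

/* Reproduce the thread's scenario against the name "localhost": returns 1
 * when the all-addresses walk reached the IPv4-only listener, else 0. */
int demo(void)
{
    unsigned short port;
    char portstr[8];
    int lfd = start_ipv4_listener(&port), fd, ok = 0;

    if (lfd < 0)
        return 0;
    snprintf(portstr, sizeof(portstr), "%u", port);

    fd = connect_host("localhost", portstr, 0);
    printf("first address only: %s\n", fd >= 0 ? "connected" : "failed");
    if (fd >= 0)
        close(fd);

    fd = connect_host("localhost", portstr, 1);
    if (fd >= 0) {
        ok = 1;
        close(fd);
    }
    printf("all addresses:      %s\n", ok ? "connected" : "failed");
    close(lfd);
    return ok;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

Whether the "first address only" line reports a failure depends on whether /etc/hosts lists ::1 before 127.0.0.1 for localhost; the all-addresses walk connects either way.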
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 1 Dec 2003 15:08:02 +0100
Subject: Problems with port forwarding on Suse Linux 9.0
In-Reply-To:
References: <3FCA8CC9.31C510BC@zip.com.au>
Message-ID: <20031201140802.GB18139@folly>

On Mon, Dec 01, 2003 at 02:19:02PM +0200, Pekka Savola wrote:
> > Try setting the forward to "-L 5599:127.0.0.1:25". I suspect sshd is
> > trying to connect to the IPv6 address of "localhost", which is refused,
> > and sshd doesn't try the IPv4 address.
>
> Obviously, 'ssh' should do a getaddrinfo lookup on the host to be
> forwarded, and loop through all the addresses until a working one is
> found.

in this case, 'sshd' should. but that needs some work because the connect is async.

From robertLinux at gmx.de Tue Dec 2 03:07:11 2003
From: robertLinux at gmx.de (Robert)
Date: Mon, 1 Dec 2003 17:07:11 +0100
Subject: I am writing "HOW-TO install and integrate ssh on Mac OS X" ... (Where can I publish it?)
Message-ID: <6C0BE0DE-2418-11D8-9D21-0003936EF152@gmx.de>

Hello.

I am currently writing a HOW TO install a custom compiled OpenSSH on Mac OS X.2 and X.3 (Jaguar) and (Panther) and how to make this service controllable in "System Preferences" without breaking Apple's original OpenSSH implementation.

Can I publish this (for free) somewhere on the net? Maybe OpenSSH.org itself is interested?

Thank you for an address or link to get into contact with some official.

Greetings,

Robert Welz

From picasso at madflower.com Tue Dec 2 03:23:58 2003
From: picasso at madflower.com (Sean O'Malley)
Date: Mon, 1 Dec 2003 11:23:58 -0500 (EST)
Subject: I am writing "HOW-TO install and integrate ssh on Mac OS X" ... (Where can I publish it?)
In-Reply-To: <6C0BE0DE-2418-11D8-9D21-0003936EF152@gmx.de>
Message-ID:

I think it would be good in the included documentation. Also http://www.macosxhints.com/ might not be a bad place either.

You will want the ability to change it, because Apple has a nifty way of changing stuff between versions that breaks things on occasion.

On Mon, 1 Dec 2003, Robert wrote:
> Hello.
> I am currently writing a HOW TO install a custom compiled OpenSSH on
> Mac OS X.2 and X.3 (Jaguar) and (Panther) and how to make this service
> controllable in "System Preferences" without breaking Apple's original
> OpenSSH implementation.
>
> Can I publish this (for free) somewhere on the net? Maybe OpenSSH.org
> itself is interested?
>
> Thank you for an address or link to get into contact with some official.
>
> Greetings,
>
> Robert Welz
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From mouring at etoh.eviladmin.org Tue Dec 2 03:50:51 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 1 Dec 2003 10:50:51 -0600 (CST)
Subject: I am writing "HOW-TO install and integrate ssh on Mac OS X" ... (Where can I publish it?)
In-Reply-To:
Message-ID:

I doubt there will be any qualms about a link from the 'Press Coverage'. But I don't see documentation like this going into OpenSSH portable CVS tree itself.

- Ben

On Mon, 1 Dec 2003, Sean O'Malley wrote:
> I think it would be good in the included documentation. Also
> http://www.macosxhints.com/ might not be a bad place either.
>
> You will want the ability to change it, because Apple has a nifty way of
> changing stuff between versions that breaks things on occasion.
>
>
> On Mon, 1 Dec 2003, Robert wrote:
>
> > Hello.
> > I am currently writing a HOW TO install a custom compiled OpenSSH on
> > Mac OS X.2 and X.3 (Jaguar) and (Panther) and how to make this service
> > controllable in "System Preferences" without breaking Apple's original
> > OpenSSH implementation.
> >
> > Can I publish this (for free) somewhere on the net? Maybe OpenSSH.org
> > itself is interested?
> >
> > Thank you for an address or link to get into contact with some official.
> >
> > Greetings,
> >
> > Robert Welz
> >

From robertLinux at gmx.de Tue Dec 2 07:26:41 2003
From: robertLinux at gmx.de (Robert)
Date: Mon, 1 Dec 2003 21:26:41 +0100
Subject: I am writing "HOW-TO install and integrate ssh on Mac OS X" ... (Where can I publish it?)
In-Reply-To:
References:
Message-ID:

On 01.12.2003 at 17:23, Sean O'Malley wrote:
> You will want the ability to change it, because Apple has a nifty way
> of
> changing stuff between versions that breaks things on occasion.
>

I am planning to stay with my Mac, since I am perfectly happy with her. I have had DSL for two days now and I am intending to use OpenSSH, since it turned out to be a practical way to keep my doors into the system open.

I have read "SSH Secure Shell" from Barrett et al., O'REILLY and I belong to the kind of Mac enthusiast who knows about the need for security. I have used OS X since the early days of the Developer Preview (Release 4), but I didn't come to know about ssh until I saw the book on the shelf of our local bookshop some months ago, and I didn't have a real need for ssh either (well, at least I didn't know that I might have a need for it).

I installed ssh on Jaguar and Panther and noticed that there were differences in the invocation of the daemon, but the mechanism isn't too different in my eyes.

Planning to use Mac OS for at least as long as my G4/866 doesn't work fast enough with forthcoming OS revisions, I plan to maintain the HOWTO document and keep it up to date.

The document's content is not much about how to configure sshd.config (I only use public key authentication in my example). I expect the reader to know how to customize OpenSSH for their personal needs. But the manual pages are at least sufficient for that task. The book I was talking about at the top of this e-mail, on the other hand, is more than this; it is an excellent documentation IMHO. Do you agree?

I'm more focusing on integrating ssh(d) into Mac OS X without deleting Apple's implementation, so you can use your own OpenSSH compile and control its status (available or off) within System Preferences.
Either it is "Startup documents" or xinetd Apple uses, and if Apple decides to switch that later to something different, I will surely see and report how to use that in a revised edition of my HOWTO.

So you see I am interested in using OpenSSH on my Mac with the same ease as I use other programs on OS X. And the similarity (well, almost, but I mean that) of the OpenSSH software implementation on my SuSE Linux is a fine way for me to maintain the same authentication and encryption software with a minimum of hassle.

In addition to having something to play with on my desktop (SuSE and my Mac), I got an additional benefit by having a way to remotely control my computers over the internet when I am on holidays (well, my DSL doesn't work as it should yet, I have lots of problems, lost connection, access denials, but that's a different story. My DSL connection is only a few days old.) but I just switched my focus towards networking and client server interaction (Apache together with PHP and some cosmetic stuff (JavaScript, CSS) gives a fine interface for web based databases. There is more to come :)

One additional question do I have: Do I explicitly have to state that I will not pay any money if the reader and user of this HOWTO fails in installing OpenSSH and ruins his Mac? ((Or in the case that a vulnerability in ssh(d) will be exploited and used by criminals? We are all humans and mistakes simply can be made)) Or is this part of some open source license I can put the document under? Please suggest one; if appropriate I would suggest the same open source license OpenSSH is under.

I will close now in the spirit of this sentence: "Use my HOWTO, if you are sure it helps you. If you are not sure, please don't use it. At least ask someone who knows. Better ask more than one person. Ask in the appropriate newsgroup."

Thank you for your time and attention,

Yours, sincerely
Robert Welz

From ast at domdv.de Wed Dec 3 09:26:59 2003
From: ast at domdv.de (Andreas Steinmetz)
Date: Tue, 02 Dec 2003 23:26:59 +0100
Subject: ssh-agent (3.7.1p2) fails for more than 7 keys
Message-ID: <3FCD11B3.7070409@domdv.de>

(please CC me in replies, I'm not subscribed)

I do have the following problem:
When adding more than 7 keys to ssh-agent (openssh-3.7.1p2/Linux 2.4) only the first 7 keys work. All other keys fail when trying to set up a ssh connection with:

Received disconnect from *.*.*.*: 2: Too many authentication failures for *****

Note: *=censored

All keys work when added to ssh-agent as one of the first seven keys; none of the keys works when added as the 8th or any later key to ssh-agent.

All connections are V2, the keys are 1024 and 2048 bit RSA keys.
Please let me know if further information is required.
--
Andreas Steinmetz

From dtucker at zip.com.au Wed Dec 3 09:51:02 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 03 Dec 2003 09:51:02 +1100
Subject: ssh-agent (3.7.1p2) fails for more than 7 keys
References: <3FCD11B3.7070409@domdv.de>
Message-ID: <3FCD1756.B2E0E19B@zip.com.au>

Andreas Steinmetz wrote:
> I do have the following problem:
> When adding more than 7 keys to ssh-agent (openssh-3.7.1p2/Linux 2.4)
> only the first 7 keys work. All other keys fail when trying to set up a
> ssh connection with:
>
> Received disconnect from *.*.*.*: 2: Too many authentication failures
> for *****

sshd currently has a hard-coded limit of 6 authentication attempts before disconnecting. There is an open enhancement request (with patch) to make this user-settable (MaxAuthTries):

http://bugzilla.mindrot.org/show_bug.cgi?id=561

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From markus at openbsd.org Wed Dec 3 10:06:04 2003
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 3 Dec 2003 00:06:04 +0100
Subject: ssh-agent (3.7.1p2) fails for more than 7 keys
In-Reply-To: <3FCD11B3.7070409@domdv.de>
References: <3FCD11B3.7070409@domdv.de>
Message-ID: <20031202230604.GA31000@folly>

use IdentityFile in ssh_config. ssh will try these keys first.

On Tue, Dec 02, 2003 at 11:26:59PM +0100, Andreas Steinmetz wrote:
> (please CC me in replies, I'm not subscribed)
>
> I do have the following problem:
> When adding more than 7 keys to ssh-agent (openssh-3.7.1p2/Linux 2.4)
> only the first 7 keys work. All other keys fail when trying to set up a
> ssh connection with:
>
> Received disconnect from *.*.*.*: 2: Too many authentication failures
> for *****
>
> Note: *=censored
>
> All keys work when added to ssh-agent as one of the first seven keys,
> none of the key works when added as the 8th or any later key to ssh-agent.
>
> All connections are V2, the keys are 1024 and 2048 bit RSA keys.
> Please let me know if further information is required.
> --
> Andreas Steinmetz

From timothy.p.knox at usps.gov Wed Dec 3 10:37:20 2003
From: timothy.p.knox at usps.gov (Knox, Timothy P - Eagan, MN)
Date: Tue, 2 Dec 2003 17:37:20 -0600
Subject: Sun Kerberos Password Expiration Problems with OpenSSH 3.7.1p2
Message-ID: <66F4E11142D67849A78777BB9B5AD17004816C@EAGNMNSXM08>

I am running Solaris 8 with the Basic Security Module (BSM) loaded and Sun's Enterprise Authentication Mechanism (SEAM) installed. Our servers are using Sun One Directory Services (LDAP) for authorization and Sun's Kerberos 5 implementation for authentication. We have been using OpenSSH 3.4p1 with OpenSSL 0.9.6f and everything has been working fine.

We are updating our OpenSSH and OpenSSL versions to 3.7.1p2 and 0.9.7c, respectively.

Everything works fine except for having a Kerberos users' password expired, either through modprinc +needchange user or through an expiration date that has already passed.

When I connect to the 3.7.1p2 system from a 3.4p1 system, I log in and am prompted to change my Kerberos password (twice) and then allowed in.

When I connect to the 3.7.1p2 system from another 3.7.1p2 system, I log in without being prompted to change my Kerberos password. The next time I log in using a 3.4p1 system, I am then prompted.

When I connect to the 3.7.1p2 system from my Windows based workstation using PuTTY (0.53b was needed because of the ChallengeResponseAuthentication), I log in without being prompted to change my Kerberos password.

When I connect to a 3.4p1 system from my Windows based workstation using PuTTY (still using 0.53b), I log in and am prompted to change my Kerberos password (twice) and then allowed in.

This leads me to a couple of conclusions:
1) The problem is OpenSSH, not the new version of PuTTY.
2) The problem did not exist in the older version of OpenSSH.

Therefore, I am submitting this e-mail in search of assistance from anyone who has any solutions for me. I am attaching my sshd_config file in line for troubleshooting purposes.
Please let me know if you need any more information or have any ideas for me.

Thanks,
-Timothy P. Knox

#AFSTokenPassing no
AllowGroups *
AllowTcpForwarding yes
AllowUsers *
AuthorizedKeysFile .ssh/authorized_keys
Banner /etc/issue
ChallengeResponseAuthentication yes
Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
ClientAliveInterval 0
ClientAliveCountMax 3
Compression yes
#DenyGroups *
#DenyUsers *
GatewayPorts no
HostbasedAuthentication no
HostKey /etc/ssh/ssh_host_rsa_key
IgnoreRhosts yes
IgnoreUserKnownHosts no
KeepAlive yes
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTgtPassing no
#KerberosTicketCleanup yes
KeyRegenerationInterval 3600
Port 22
ListenAddress 0.0.0.0
LoginGraceTime 300
LogLevel INFO
MACs hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
MaxStartups 10
#PAMAuthenticationViaKbdInt no
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
PidFile /var/run/sshd.pid
PrintLastLog yes
PrintMotd no
Protocol 2
PubkeyAuthentication yes
#RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication no
ServerKeyBits 768
StrictModes yes
Subsystem sftp /usr/libexec/sftp-server
SyslogFacility AUTH
UseLogin no
UsePAM yes
UsePrivilegeSeparation no
#VerifyReverseMapping no
X11DisplayOffset 10
X11Forwarding yes
X11UseLocalhost yes
XAuthLocation /usr/openwin/bin/xauth

From dtucker at zip.com.au Wed Dec 3 10:55:28 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 03 Dec 2003 10:55:28 +1100
Subject: Sun Kerberos Password Expiration Problems with OpenSSH 3.7.1p2
References: <66F4E11142D67849A78777BB9B5AD17004816C@EAGNMNSXM08>
Message-ID: <3FCD2670.222AB4D6@zip.com.au>

"Knox, Timothy P - Eagan, MN" wrote:
>
> I am running Solaris 8 with the Basic Security Module (BSM) loaded and
> Sun's Enterprise Authentication Mechanism (SEAM) installed. Our servers
> are using Sun One Directory Services (LDAP) for authorization and Sun's
> Kerberos 5 implementation for authentication. We have been using OpenSSH
> 3.4p1 with OpenSSL 0.9.6f and everything has been working fine.
>
> We are updating our OpenSSH and OpenSSL versions to 3.7.1p2 and 0.9.7c,
> respectively.
>
> Everything works fine except for having a Kerberos users' password
> expired, either through modprinc +needchange user or through an
> expiration date that has already passed.

Try the password expiration patch (pwexp26) here:
http://www.zip.com.au/~dtucker/openssh/

It should work in your configuration.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From robertLinux at gmx.de Wed Dec 3 10:50:54 2003
From: robertLinux at gmx.de (Robert)
Date: Wed, 3 Dec 2003 00:50:54 +0100
Subject: I am writing "HOW-TO install and integrate ssh on Mac OS X" ... (Where can I publish it?)
In-Reply-To: <20031202003111.GA1306@thibs.menloschool.org>
References: <20031202003111.GA1306@thibs.menloschool.org>
Message-ID: <5E0DFFC2-2522-11D8-91CD-0003936EF152@gmx.de>

I want to install my own ./config(ured) version because I disabled everything I don't need.

If I install in /usr/bin, the next software upgrade will replace it (when a newer OpenSSH version comes out).

Any thoughts?

Greetings,
Robert

On 02.12.2003 at 01:31, Andrew Farmer wrote:
> On Mon, 01 Dec 2003 12:26:41 -0800, Robert muttered:
>> So you see I am interested to use OpenSSH on my Mac with the same ease
>> as I use other programs on OS X...
>
> Uh...
>
> OS X already comes with OpenSSH installed. It's not a proprietary Apple
> implementation.
>
> If you want to use your own config, replace the one in /etc.
>
> If you want to use a newer version, replace the one in /usr/bin.
>
> If you just want to install another copy of SSH on top of the one
> that's
> already there, WHY?
>
> --
> Andrew Farmer
> andfarm at thibs.menloschool.org

From nicklange at wi.rr.com Wed Dec 3 16:24:15 2003
From: nicklange at wi.rr.com (Nick Lange)
Date: Tue, 02 Dec 2003 23:24:15 -0600
Subject: LinuxPAM woes on the 3.6 series of openssh portable - strange behaviour
Message-ID: <3FCD737F.4020708@wi.rr.com>

All,

I hate to ask what's going to boil down to a configuration issue (I think)... and before I start poring through the code I'm hoping someone can just point out what's going on.

Essentially, on a particular "flavor" of our redhat linux 8 boxes PAM always seems to be called/fail before any real authentication takes place. On other boxes, this is not the case. Normally this would not be a problem; however, in a three-failed-passwords and you are locked out environment, this renders public keys almost useless. (Three successful authentications via public key will register three failed authentication attempts).

I am not convinced that it is sshd a priori, but I do need to resolve the issue. Can anyone familiar with this section of code offer any suggestions what could cause openssh to invoke PAM at this point before the user has even attempted to enter a password? See below for example output.

I have one other box in the three-strikes-and-you're-out environment (pam_smbauth) where this is not a problem; however, its configuration is different than the afflicted boxes. As I said this is apparently strange behaviour and I'm not quite sure what I'm looking for yet without poring through the code.

Any assistance is appreciated, on or off the list.
Cheers,
nick

debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: monitor_read: checking request 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug1: PAM password authentication failed for e341518: Authentication failure
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
Failed none for e341518 from XXX.XXX.XXX.XXX port 44847 ssh2
debug3: mm_request_receive entering
debug3: mm_auth_password: user not authenticated
Failed none for e341518 from XXX.XXX.XXX.XXX port 44847 ssh2

From flown2ski at yahoo.com Wed Dec 3 16:34:36 2003
From: flown2ski at yahoo.com (Anbu)
Date: Tue, 2 Dec 2003 21:34:36 -0800 (PST)
Subject: sshd files to start with "PRNG is not seeded" error
Message-ID: <20031203053436.17573.qmail@web12705.mail.yahoo.com>

Hello All,

This is regarding a sshd problem. In our system we use ocrandom (a random number generator) to fill in the device /dev/urandom from which sshd reads the randomness for seeding.

In a situation we stop the ocrandom and sshd. Now as usual we start the ocrandom first and then sshd. We get an error "PRNG is not seeded" while starting sshd. When we start the sshd for the second time the /dev/urandom gets populated immediately and it starts properly.

This problem is present in the version 3.6.1p2. We did not have the problem with the previous version 3.0.1p2 that we used.

Looking at the source code the error comes from a file entropy.c and the function is seed_rng(). When we add the function RAND_add() in the function seed_rng(), sshd starts properly.

A lot of code is executed only if the macro OPENSSL_PRNG_ONLY is not defined. If we define this macro in config.h as below

/* Define if you want to use OpenSSL's internally seeded PRNG only */
#define OPENSSL_PRNG_ONLY 1

then we get the above mentioned error "PRNG is not seeded" though for the second time it starts fine.

Please help us with your suggestions. Or is that a bug with OpenSSH

Thanks and Regards,
Anbu

From dtucker at zip.com.au Wed Dec 3 16:43:16 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 03 Dec 2003 16:43:16 +1100
Subject: LinuxPAM woes on the 3.6 series of openssh portable - strangebehaviour
References: <3FCD737F.4020708@wi.rr.com>
Message-ID: <3FCD77F4.F778643D@zip.com.au>

Nick Lange wrote:
> I hate to ask what's going to boil down to a configuration issue (I
> think)... and before I start pouring through the
> code I'm hoping someone can just point out what's going on.
>
> Essentially, on a particular "flavor" of our redhat linux 8 boxes PAM
> always seems to be called/fail before any real
> authentication takes place. On other boxes, this is not the case.
> Normally this would not be a problem; however, in a
> three-failed-passwords and you are locked out environment, this
> renders public key's almost useless. (Three successful
> authentications via public key will register three failed authentication
> attempts).

This is probably due to the "none" authentication attempted at the start of the SSH conversation. Previous versions would skip this test if PermitEmptyPasswords was "no", however the owl-always-auth changes introduced in 3.6.1p2 (?) meant that it would always be attempted.

For a better description, see (near the bottom):
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=99168

There's a patch against 3.6.1p2 there too:
http://bugs.debian.org/cgi-bin/bugreport.cgi/openssh-debian_login.patch?bug=99168&msg=20&att=1

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From info at 2mediaz.com Mon Dec 1 11:41:54 2003
From scott.burch at camberwind.com Thu Dec 4 04:26:05 2003
From: scott.burch at camberwind.com (Scott Burch)
Date: Wed, 03 Dec 2003 17:26:05 -0000
Subject: I am writing "HOW-TO install and integrate ssh on Mac OS X" ... (Where can I publish it?)
In-Reply-To: <5E0DFFC2-2522-11D8-91CD-0003936EF152@gmx.de>
References: <20031202003111.GA1306@thibs.menloschool.org> <5E0DFFC2-2522-11D8-91CD-0003936EF152@gmx.de>
Message-ID: <1070472409.8364.3.camel@localhost>

Robert,

As a matter of practice never intermingle your contributed binaries/code with system provided binaries. If you are installing binaries that already exist in the OS then you should place them in their own distinct directory tree (e.g. /opt/local, etc.). If you replace system binaries, then future OS updates will indeed overwrite your changes.

-Scott

On Tue, 2003-12-02 at 17:50, Robert wrote:
> I want to install my own ./config(ured) version because I disabled
> everything I don't need.
>
> If I install in /usr/bin, the next software upgrade will replace it
> (when a newer OpenSSH version comes out).
>
> Any thoughts?
>
> Greetings,
> Robert
>
>
>
> On 02.12.2003 at 01:31 Andrew Farmer wrote:
>
> > On Mon, 01 Dec 2003 12:26:41 -0800, Robert muttered:
> >> So you see I am interested to use OpenSSH on my Mac with the same ease
> >> as I use other programs on OS X...
> >
> > Uh...
> >
> > OS X already comes with OpenSSH installed. It's not a proprietary Apple
> > implementation.
> >
> > If you want to use your own config, replace the one in /etc.
> >
> > If you want to use a newer version, replace the one in /usr/bin.
> >
> > If you just want to install another copy of SSH on top of the one
> > that's
> > already there, WHY?
> >
> > --
> > Andrew Farmer
> > andfarm at thibs.menloschool.org
>
-- 
Scott Burch

From lmssust at iname.com Thu Dec 4 16:28:38 2003
From Sergio.Gelato at astro.su.se Thu Dec 4 20:33:11 2003
From: Sergio.Gelato at astro.su.se (Sergio Gelato) Date: Thu, 4 Dec 2003 10:33:11 +0100 Subject: I am writing "HOW-TO install and integrate ssh on Mac OS X" ... (Where can I publish it?) In-Reply-To: <1070472409.8364.3.camel@localhost> References: <20031202003111.GA1306@thibs.menloschool.org> <5E0DFFC2-2522-11D8-91CD-0003936EF152@gmx.de> <1070472409.8364.3.camel@localhost> Message-ID: <20031204093309.GC1119@hanuman.astro.su.se> * Scott Burch [2003-12-03 11:26:49 -0600]: > As a matter of practice never intermingle your contributed binaries/code > with system provided binaries. If you are installing binaries that > already exist in the OS then you should place them in their own distinct > directory tree (e.g. /opt/local, etc.). If you replace system binaries, > then future OS updates will indeed overwrite your changes. Seconded, except for /opt/local which should be /usr/local. Note that if you used a package management system like fink (http://fink.sourceforge.net/) you would end up having your ssh in /sw/bin (and sshd in /sw/sbin), or in whatever location (/opt/OBSDssh, /package/*/openssh, etc.) your package management system specifies. As for overriding /usr/sbin/sshd and other daemons: in MacOS 10.3, sshd is under xinetd control so you can edit the pathname in /etc/xinetd.d/ssh (or remove that file to take it out of xinetd control). It's a configuration file, and therefore likely to survive system software updates. More generally, MacOS X system startup scripts in /System/Library/StartupItems can be overridden by locally installed entries in /Library/StartupItems. Just give your custom script the same Provides parameter as the one you wish to override. In 10.2, for example, you could simply copy the StartupItems/SSH directory and edit /Library/StartupItems/SSH/SSH to use your sshd. From robertLinux at gmx.de Fri Dec 5 04:20:58 2003 
From: robertLinux at gmx.de (Robert)
Date: Thu, 4 Dec 2003 18:20:58 +0100
Subject: I am writing "HOW-TO install and integrate ssh on Mac OS X" ... (Where can I publish it?)
In-Reply-To: <1070472409.8364.3.camel@localhost>
References: <20031202003111.GA1306@thibs.menloschool.org> <5E0DFFC2-2522-11D8-91CD-0003936EF152@gmx.de> <1070472409.8364.3.camel@localhost>
Message-ID: <39E1F1E4-267E-11D8-86F4-0003936EF152@gmx.de>

On 03.12.2003 at 18:26 Scott Burch wrote:
> As a matter of practice never intermingle your contributed
> binaries/code
> with system provided binaries. If you are installing binaries that
> already exist in the OS then you should place them in their own
> distinct
> directory tree (e.g. /opt/local, etc.). If you replace system binaries,
> then future OS updates will indeed overwrite your changes.
>

/usr/local/openSSH_3_7_1_p2

Greetings,
Robert

From robertLinux at gmx.de Fri Dec 5 04:21:02 2003
From: robertLinux at gmx.de (Robert)
Date: Thu, 4 Dec 2003 18:21:02 +0100
Subject: I am writing "HOW-TO install and integrate ssh on Mac OS X" ... (Where can I publish it?)
In-Reply-To: <20031204093309.GC1119@hanuman.astro.su.se>
References: <20031202003111.GA1306@thibs.menloschool.org> <5E0DFFC2-2522-11D8-91CD-0003936EF152@gmx.de> <1070472409.8364.3.camel@localhost> <20031204093309.GC1119@hanuman.astro.su.se>
Message-ID: <3C6127A6-267E-11D8-86F4-0003936EF152@gmx.de>

On 04.12.2003 at 10:33 Sergio Gelato wrote:
> More generally, MacOS X system startup scripts in
> /System/Library/StartupItems
> can be overridden by locally installed entries in
> /Library/StartupItems. Just
> give your custom script the same Provides parameter as the one you
> wish to
> override. In 10.2, for example, you could simply copy the
> StartupItems/SSH
> directory and edit /Library/StartupItems/SSH/SSH to use your sshd.

Great.
I didn't know that.

Aehm, one question arises...
Why doesn't Apple give us power users a way to manually ./configure everything in the OS? I could imagine that it is not only me having a need for a customized ssh, cups, apache (I have a need especially for apache!!), well and I am sure there are other examples.

Since everyone can download darwin and dvd's getting cheaper and cheaper Apple should deliver that part of the OS which consist of open source, as source code and give (optionally) a way to see default ./configures and to change it. Well, optionally for power users.

Thanks for the feedback!
I will post the link to my document here on the list and you can tell me what you think. Mid-next-Week.

Greetings to all, I have a busy week... :)
Robert

From mouring at etoh.eviladmin.org Fri Dec 5 04:42:07 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 4 Dec 2003 11:42:07 -0600 (CST)
Subject: I am writing "HOW-TO install and integrate ssh on Mac OS X" ... (Where can I publish it?)
In-Reply-To: <3C6127A6-267E-11D8-86F4-0003936EF152@gmx.de>
Message-ID:

On Thu, 4 Dec 2003, Robert wrote:
>
> On 04.12.2003 at 10:33 Sergio Gelato wrote:
>
> > More generally, MacOS X system startup scripts in
> > /System/Library/StartupItems
> > can be overridden by locally installed entries in
> > /Library/StartupItems. Just
> > give your custom script the same Provides parameter as the one you
> > wish to
> > override. In 10.2, for example, you could simply copy the
> > StartupItems/SSH
> > directory and edit /Library/StartupItems/SSH/SSH to use your sshd.
>
> Great.
> I didn't know that.
>
> Aehm, one question arises...
> Why doesn't Apple give us power users a way to manually ./configure
> everything in the OS? I could imagine that it is not only me having a
> need for a customized ssh, cups, apache (I have a need especially for
> apache!!), well and I am sure there are other examples.
>

The more options you provide an end-user the worse your technical support gets. You end up with so many different variants you need to support to make everyone happy. It is so much easier for them to build a standard and stick to it even if they only cover 80% of the population.

- Ben

From tomd at csds.uidaho.edu Fri Dec 5 05:47:55 2003
From: tomd at csds.uidaho.edu (Thomas DuBuisson)
Date: Thu, 4 Dec 2003 10:47:55 -0800 (PST)
Subject: Compact SSH?
Message-ID:

I am looking for a micro ssh server/client implementation. This implementation would have to be small enough to run on microprocessors. e.g. systems with <512KB memory and ~20Mhz 8bit processors - like a Rabbit or a PIC.

I have looked around but have not found anything suitable. Does anyone have a recommendation?

Thanks in advance.
Thomas DuBuisson

From johnpell at mac.com Fri Dec 5 08:41:08 2003
From: johnpell at mac.com (John Davidorff Pell)
Date: Thu, 4 Dec 2003 13:41:08 -0800
Subject: Double quote scp?
Message-ID: <9273175A-26A2-11D8-ABA3-0003934F6406@mac.com>

I've noticed that I need to double quote file names in scp:

> scp gaelicWizard:"Desktop/Picture 1.pdf" .
> scp: Desktop/Picture: No such file or directory
> scp: 1.pdf: No such file or directory

Why is this necessary? Wouldn't it be much better to have scp communicate with its server-side counterpart with null-terminated strings, not to have the server interpret the strings separately?

Thanx,
JP

-- 
Every time you share on a P2P network, God kills a kitten.
Please think of the kittens.

From stuge-openssh-unix-dev at cdy.org Fri Dec 5 08:33:52 2003
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Thu, 4 Dec 2003 22:33:52 +0100
Subject: Compact SSH?
In-Reply-To:
References:
Message-ID: <20031204213352.GA19707@foo.birdnet.se>

On Thu, Dec 04, 2003 at 10:47:55AM -0800, Thomas DuBuisson wrote:
> I am looking for a micro ssh server/client implementation. This
> implementation would have to be small enough to run on microprocessors.
> e.g. systems with <512KB memory and ~20Mhz 8bit processors - like a
> Rabbit or a PIC.

You'll need lots of CPU time and/or a crypto helper.

> I have looked around but have not found anything suitable. Does anyone
> have a recommendation?

You could check out TGssh for PalmOS, written in C, which is a port of a very early SSLeay version along with OpenSSH 1.something.

Best of luck. Please open source and tell us (or me) when done. :)

//Peter

From mouring at etoh.eviladmin.org Fri Dec 5 09:24:24 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 4 Dec 2003 16:24:24 -0600 (CST)
Subject: Double quote scp?
In-Reply-To: <9273175A-26A2-11D8-ABA3-0003934F6406@mac.com>
Message-ID:

Historical reasons. Refer to how 'rcp' worked, and you'll find it does the same thing.

- Ben

On Thu, 4 Dec 2003, John Davidorff Pell wrote:
> I've noticed that I need to double quote file names in scp:
>
> > scp gaelicWizard:"Desktop/Picture 1.pdf" .
> > scp: Desktop/Picture: No such file or directory
> > scp: 1.pdf: No such file or directory
>
> Why is this necessary? Wouldn't it be much better to have scp
> communicate with its server-side counterpart with null-terminated
> strings, not to have the server interpret the strings separately?
>
> Thanx,
> JP
>
> --
> Every time you share on a P2P network, God kills a kitten.
> Please think of the kittens.
>

From dan at doxpara.com Fri Dec 5 09:57:30 2003
From: dan at doxpara.com (Dan Kaminsky) Date: Thu, 04 Dec 2003 14:57:30 -0800 Subject: Double quote scp? In-Reply-To: <9273175A-26A2-11D8-ABA3-0003934F6406@mac.com> References: <9273175A-26A2-11D8-ABA3-0003934F6406@mac.com> Message-ID: <3FCFBBDA.8090502@doxpara.com> Don't use SCP, it's pretty flaky. ssh.com prefers sftp, but I've been grumbling for a scp->tar wrapper. Just do this for now: tar cf - | ssh user at host "cd /path && tar xvf -" It's more awkward to type, but it's much more reliable. --Dan John Davidorff Pell wrote: > I've noticed that I need to double quote file names in scp: > >> scp gaelicWizard:"Desktop/Picture 1.pdf" . >> scp: Desktop/Picture: No such file or directory >> scp: 1.pdf: No such file or directory > > > Why is this necessary? Wouldn't it be much better to have scp > communicate with its server-side counterpart with null-terminated > strings, not to have the server interpret the strings separately? > > Thanx, > JP > > > > -- > Every time you share on a P2P network, God kills a kitten. > Please think of the kittens. > >------------------------------------------------------------------------ > >_______________________________________________ >openssh-unix-dev mailing list >openssh-unix-dev at mindrot.org >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > From jmknoble at pobox.com Fri Dec 5 10:26:36 2003 
From: jmknoble at pobox.com (Jim Knoble)
Date: Thu, 4 Dec 2003 18:26:36 -0500
Subject: Double quote scp?
In-Reply-To: <3FCFBBDA.8090502@doxpara.com>
References: <9273175A-26A2-11D8-ABA3-0003934F6406@mac.com> <3FCFBBDA.8090502@doxpara.com>
Message-ID: <20031204232636.GG21813@crawfish.ais.com>

Circa 2003-12-04 14:57:30 -0800 dixit Dan Kaminsky:

: Don't use SCP, it's pretty flaky.
:
: ssh.com prefers sftp, but I've been grumbling for a scp->tar wrapper.
: Just do this for now:
:
: tar cf - | ssh user at host "cd /path && tar xvf -"
:
: It's more awkward to type, but it's much more reliable.

As long as both the source and the target systems have a 'tar' command that understands symlinks. Older BSD tar doesn't, in which case you need to use something else, like pax, GNU tar, or Joerg Schilling's star[1].

Or use rsync[2]-over-SSH, which is reliable and is able to restart aborted transfers (rsync -e ssh -avP sourcefile user at target:/path/).

[1] http://www.fokus.gmd.de/research/cc/glone/employees/joerg.schilling/private/star.html
[2] http://rsync.samba.org/

-- 
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
"The methods now being used to merchandise the political candidate as though he were a deodorant positively guarantee the electorate against ever hearing the truth about anything." --Aldous Huxley

From dan at doxpara.com Fri Dec 5 10:54:05 2003
From: dan at doxpara.com (Dan Kaminsky) Date: Thu, 04 Dec 2003 15:54:05 -0800 Subject: Double quote scp? In-Reply-To: <20031204232636.GG21813@crawfish.ais.com> References: <9273175A-26A2-11D8-ABA3-0003934F6406@mac.com> <3FCFBBDA.8090502@doxpara.com> <20031204232636.GG21813@crawfish.ais.com> Message-ID: <3FCFC91D.5050508@doxpara.com> Indeed -- but on the flipside, tar is the _only_ approach (except for the excellent rsync, which sadly doesn't scale well to lots of small files) that even supports the concept of symlinks. star is quite nice; easily the fastest tar in the west. --Dan Jim Knoble wrote: >Circa 2003-12-04 14:57:30 -0800 dixit Dan Kaminsky: > >: Don't use SCP, it's pretty flaky. >: >: ssh.com prefers sftp, but I've been grumbling for a scp->tar wrapper. >: Just do this for now: >: >: tar cf - | ssh user at host "cd /path && tar xvf -" >: >: It's more awkward to type, but it's much more reliable. > >As long as both the source and the target systems have a 'tar' command >that understands symlinks. Older BSD tar doesn't, in which case you >need to use something else, like pax, GNU tar, or Joerg Schilling's >star[1]. > >Or use rsync[2]-over-SSH, which is reliable and is able to restart >aborted transfers (rsync -e ssh -avP sourcefile user at target:/path/). > >[1] http://www.fokus.gmd.de/research/cc/glone/employees/joerg.schilling/private/star.html >[2] http://rsync.samba.org/ > > > >------------------------------------------------------------------------ > >_______________________________________________ >openssh-unix-dev mailing list >openssh-unix-dev at mindrot.org >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > From tim at multitalents.net Fri Dec 5 12:30:54 2003 
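The thread's answer to "why double quote" is that scp (like rcp) hands the remote path to a shell on the far side, so spaces and shell metacharacters are parsed a second time there; the same applies to the `cd /path` inside Dan's tar pipeline. The helpers below are an added example, not code from the thread or from OpenSSH: shquote quotes a string once for that remote POSIX shell, and tar_push is the tar-over-ssh pipeline with the destination quoted and the file list passed to tar as separate arguments. The host name is a placeholder, and REMOTE_TRANSPORT is an assumed knob that lets the pipeline run in a local shell instead of over ssh.

```shell
#!/bin/sh
# Added example, not from the thread. Quote once for the remote shell, then
# move files with the tar pipeline from the thread. Host names are
# placeholders; REMOTE_TRANSPORT is an assumed switch for local testing.

# shquote STRING: wrap STRING in single quotes, turning each embedded
# single quote into '\'' so a remote POSIX shell sees exactly one word
# and performs no globbing, splitting or command substitution on it.
shquote() {
    printf "'%s'\n" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# run_remote HOST COMMAND: run COMMAND on HOST through ssh. With
# REMOTE_TRANSPORT=local the command runs in a local sh instead, which is
# only for exercising the pipeline without a second machine.
run_remote() {
    if [ "${REMOTE_TRANSPORT:-ssh}" = "local" ]; then
        sh -c "$2"
    else
        ssh "$1" "$2"
    fi
}

# scp_get HOST REMOTE_PATH LOCAL_DIR: fetch one file whose name may contain
# spaces. The remote side is quoted once so its shell keeps it whole.
scp_get() {
    scp "$1:$(shquote "$2")" "$3"
}

# tar_push HOST DEST_DIR FILE...: Dan's pipeline with the destination quoted.
# File names are given to the local tar as separate arguments, so they are
# never re-parsed by any shell.
tar_push() {
    host=$1; dest=$2; shift 2
    tar cf - "$@" | run_remote "$host" "cd $(shquote "$dest") && tar xf -"
}
```

Usage: `scp_get gaelicWizard "Desktop/Picture 1.pdf" .` reproduces the original command with the quoting done by the helper, and `tar_push user@host "/path with spaces" file1 "file 2"` pushes several files in one stream. Single quotes are used rather than double quotes because inside single quotes a POSIX shell expands nothing at all, which is the property you want when the string is a file name you did not choose.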
From: tim at multitalents.net (Tim Rice) Date: Thu, 4 Dec 2003 17:30:54 -0800 (PST) Subject: ssh not resolving host names on HP-UX 11i In-Reply-To: References: Message-ID: I can't remember if this was answered or not. (cleaning out old mail) This might help. http://bugzilla.mindrot.org/show_bug.cgi?id=748 On Tue, 28 Oct 2003, Tom Orban wrote: > > I posted a message about this problem late last week, never heard > anything back, so I have to assume other folks did get a working ssh > (3.7.1p2) binary built on HP-UX 11i. Just to refresh, my ssh package > that I built on HP-UX 11i works fine, except that the ssh binary doesn't > seem to go to DNS to resolve host names. So the only way I can ssh to > other machines is to put their host entries in my /etc/hosts file, or > type their IP address instead of the hostname on the command line. > Since that's a really unsustainable workaround, I've grabbed the 3.7.1p2 > ssh binary that I built on an hp-ux 11.00 box and use it with the rest > of the package that I build on 11i. Ugly, but it seems to work. [snip] -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From TORBAN at do.usbr.gov Fri Dec 5 13:02:48 2003 
From: TORBAN at do.usbr.gov (Tom Orban)
Date: Thu, 04 Dec 2003 19:02:48 -0700
Subject: ssh not resolving host names on HP-UX 11i
Message-ID:

Actually it really never was answered, but here's how I fixed (worked around) it.

At first I thought installing patch PHNE_27796 (libnss_dns DNS backend patch) had fixed it. It didn't. It just flip-flopped the problem. Prior to installing that patch, ssh would never go to DNS no matter what was in nsswitch.conf. It appeared to only look in /etc/hosts. After installing the patch, ssh would now only go to DNS, no matter what was in nsswitch.conf. So if you had a test box that was only in your local hosts file, you were SOL no matter what you had in nsswitch.conf. Having ssh only go to DNS was better than the converse, but it still was a problem.

The problem ultimately appears to be with the getaddrinfo that is supplied with HP-UX 11i. In the ssh configure, it tries to see if there's a getaddrinfo available. If so, it doesn't use the one in the openbsd-compat directory (file is fake-rfc2553.[ch]). (this is what 11.00 automatically uses). Since 11i does have a getaddrinfo, it tries to use that, but it appears to be broken. So I just added the following lines to configure (around line 3782)

cat >>confdefs.h <<\EOF
#define BROKEN_GETADDRINFO 1
EOF

There's a whole bunch of these constructs there, I just cut-n-pasted, ran the new configure, and presto, problem solved.

-Tom

>>> Tim Rice 12/04/03 06:30PM >>>
I can't remember if this was answered or not. (cleaning out old mail)

This might help.
http://bugzilla.mindrot.org/show_bug.cgi?id=748

On Tue, 28 Oct 2003, Tom Orban wrote:
>
> I posted a message about this problem late last week, never heard
> anything back, so I have to assume other folks did get a working ssh
> (3.7.1p2) binary built on HP-UX 11i. Just to refresh, my ssh package
> that I built on HP-UX 11i works fine, except that the ssh binary doesn't
> seem to go to DNS to resolve host names. So the only way I can ssh to
> other machines is to put their host entries in my /etc/hosts file, or
> type their IP address instead of the hostname on the command line.
> Since that's a really unsustainable workaround, I've grabbed the 3.7.1p2
> ssh binary that I built on an hp-ux 11.00 box and use it with the rest
> of the package that I build on 11i. Ugly, but it seems to work.
[snip]

-- 
Tim Rice Multitalents (707) 887-1469 tim at multitalents.net

From tim at multitalents.net Fri Dec 5 16:03:14 2003
From: tim at multitalents.net (Tim Rice)
Date: Thu, 4 Dec 2003 21:03:14 -0800 (PST)
Subject: ssh not resolving host names on HP-UX 11i
In-Reply-To:
References:
Message-ID:

On Thu, 4 Dec 2003, Tom Orban wrote:
[snip]
> The problem ultimately appears to be with the getaddrinfo that is
> supplied with HP-UX 11i. In the ssh configure, it tries to see if
> there's a getaddrinfo available. If so, it doesn't use the one in the
> openbsd-compat directory (file is fake-rfc2553.[ch]). (this is what
> 11.00 automatically uses). Since 11i does have a getaddrinfo, it tries
> to use that, but it appears to be broken. So I just added the following
> lines to configure (around line 3782)
>
> cat >>confdefs.h <<\EOF
> #define BROKEN_GETADDRINFO 1
> EOF
>

Is it safe to define BROKEN_GETADDRINFO on all HP-UX 11 machines? Ie. can we match *-*-hpux11* from config.guess? Or do some 11 machines work?

[snip]
>
> >>> Tim Rice 12/04/03 06:30PM >>>
>
> I can't remember if this was answered or not. (cleaning out old mail)
>
> This might help.
> http://bugzilla.mindrot.org/show_bug.cgi?id=748
>
[snip]

-- 
Tim Rice Multitalents (707) 887-1469 tim at multitalents.net

From johnpell at mac.com Fri Dec 5 18:04:18 2003
From: johnpell at mac.com (John Davidorff Pell)
Date: Thu, 4 Dec 2003 23:04:18 -0800
Subject: Double quote scp?
In-Reply-To:
References:
Message-ID: <3EE5655C-26F1-11D8-A644-0003934F6406@mac.com>

Good point, I had not thought about that. Ok, I guess I'll make do.

Thanx!
JP

On Dec 4, 2003, at 2:24 PM, Ben Lindstrom wrote:
>
> Historical reasons. Refer to how 'rcp' worked, and you'll find it does
> the same thing.
>
> - Ben
>
> On Thu, 4 Dec 2003, John Davidorff Pell wrote:
>
>> I've noticed that I need to double quote file names in scp:
>>
>>> scp gaelicWizard:"Desktop/Picture 1.pdf" .
>>> scp: Desktop/Picture: No such file or directory
>>> scp: 1.pdf: No such file or directory
>>
>> Why is this necessary? Wouldn't it be much better to have scp
>> communicate with its server-side counterpart with null-terminated
>> strings, not to have the server interpret the strings separately?
>>
>> Thanx,
>> JP
>>
>> --
>> Every time you share on a P2P network, God kills a kitten.
>> Please think of the kittens.
>>
>

-- 
". . . Through the cold and darkness we will look back on this day and fall into oblivion. Through a brilliance beyond twilight we will rise again, ready to face the dangers that befall on us . . ."

From B.Kohl at intershop.de Sat Dec 6 02:14:51 2003
From: B.Kohl at intershop.de (Burkhard Kohl)
Date: Fri, 5 Dec 2003 16:14:51 +0100
Subject: OpenSSH Contrib/solaris buildpkg.sh
Message-ID: <3131FF8CD6C9784C9E895BC1131223FB012BBBB3@jena01.net.j.ad.intershop.net>

Hi,

thanks for this great work. Just a minor point - maybe you should mention the

rm -rf $FAKE_ROOT

command within your README file:

It caught me unexpected and I was looking a couple of minutes for the package artifact before I actually read the last line.

Regards,

Burkhard Kohl
Lead Engineer Content Management
burkhard.kohl at intershop.de

INTERSHOP
http://www.intershop.de

INTERSHOP Communications AG
Dircksenstraße 42-44
D-10178 Berlin

Phone +49-30-2801-1254

From mouring at etoh.eviladmin.org Sat Dec 6 02:27:46 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 5 Dec 2003 09:27:46 -0600 (CST)
Subject: OpenSSH Contrib/solaris buildpkg.sh
In-Reply-To: <3131FF8CD6C9784C9E895BC1131223FB012BBBB3@jena01.net.j.ad.intershop.net>
Message-ID:

I'm not following.. you were looking for the fake root build directory and could not find it because we remove it at the end of a build?

- Ben

On Fri, 5 Dec 2003, Burkhard Kohl wrote:
> Hi,
>
> thanks for this great work. Just a minor point - maybe
> you should mention the
> rm -rf $FAKE_ROOT
> command within your README file:
>
> It caught me unexpected and I was looking a couple
> of minutes for the package artifact before I actually
> read the last line.
>
>
> Regards,
>
> Burkhard Kohl
> Lead Engineer Content Management
> burkhard.kohl at intershop.de
>
> INTERSHOP
> http://www.intershop.de
>
> INTERSHOP Communications AG
> Dircksenstraße 42-44
> D-10178 Berlin
>
> Phone +49-30-2801-1254
>

From bob at proulx.com Sat Dec 6 05:08:59 2003
From: bob at proulx.com (Bob Proulx)
Date: Fri, 5 Dec 2003 11:08:59 -0700
Subject: I am writing "HOW-TO install and integrate ssh on Mac OS X" ... (Where can I publish it?)
In-Reply-To: <20031204093309.GC1119@hanuman.astro.su.se>
References: <20031202003111.GA1306@thibs.menloschool.org> <5E0DFFC2-2522-11D8-91CD-0003936EF152@gmx.de> <1070472409.8364.3.camel@localhost> <20031204093309.GC1119@hanuman.astro.su.se>
Message-ID: <20031205180859.GA21624@misery.proulx.com>

Sergio Gelato wrote:
> * Scott Burch [2003-12-03 11:26:49 -0600]:
> > As a matter of practice never intermingle your contributed binaries/code
> > with system provided binaries. If you are installing binaries that
> > already exist in the OS then you should place them in their own distinct
> > directory tree (e.g. /opt/local, etc.). If you replace system binaries,
> > then future OS updates will indeed overwrite your changes.
>
> Seconded, except for /opt/local which should be /usr/local.

Let me vote for the reverse. I prefer /opt/local. Here is why.

What is the purpose of /usr/local? For locally installed software? Yes. But then if I am creating ssh to be installed on several thousand machines through my company and I put it in /usr/local where is the local user going to be able to put their version? You see, using /usr/local in that case creates a conflict. You need a third area.

I use /opt/local for binaries such as the GNU software which may or may not have the same name as commands in the vendor's system /usr/bin. I leave /usr/local empty for the local user to install their own local software.

Since my particular vendor does not ship any ssh version I package and distribute it in /usr/bin. But if my vendor already had a version there then I would fall back to /opt/local.

The rule I use is, are you installing on one machine? If yes then './configure && make && make install' which puts it in /usr/local. But if installing on N machines then package and install it in a system directory either /usr/bin or /opt/local as appropriate.

Bob

From TORBAN at do.usbr.gov Sat Dec 6 05:13:24 2003
From: TORBAN at do.usbr.gov (Tom Orban)
Date: Fri, 05 Dec 2003 11:13:24 -0700
Subject: ssh not resolving host names on HP-UX 11i
Message-ID:

Well, as I said below, on HP-UX 11.00, there isn't a getaddrinfo library call provided by HP. So when configure runs, it doesn't find getaddrinfo at all, and tells config.h to use the getaddrinfo that's provided in openbsd-compat/fake-rfc2553.c. To be more specific, in config.h on HP-UX 11.00, this is how the relevant symbols are defined (or undef'd, as the case may be):

/* #undef HAVE_GETADDRINFO */
/* #undef BROKEN_GETADDRINFO */

While on the HP-UX 11i (or HP-UX 11.11) build, config.h has those symbols defined like so:

#define HAVE_GETADDRINFO 1
#define BROKEN_GETADDRINFO 1

Actually, when I did a diff on the config.h's from the different OS builds, there's a bunch of related *INFO differences, where they're /* #undef'd */ in 11.00, and #define'd in the 11i config.h Some include FREEADDRINFO GETNAMEINFO, STRUCT_ADDRINFO, etc. If you want, I can send you a diff of them, or for that matter the config.h's from each build if that will help you.

NOTE: the only reason I got BROKEN_GETADDRINFO defined to 1 in 11i is because of the little modification to the configure script that I describe below (adding that stuff to confdefs.h around line 3782). If you don't do that, you won't get BROKEN_GETADDRINFO defined on 11i, and you'll end up using HP's one, which appears to be fudged up.

Hmmm... On the tie in from *-*-hpux11* to config.guess, I'm not following you. I don't find that symbol (hpux11) in config.guess at all. Perhaps you mean just to add the BROKEN_GETADDRINFO thing to configure for all hpux11 builds (like what I described below)? If so, I'd imagine that would work, since even though it would define BROKEN_GETADDRINFO to 1 for both 11.00 and 11i machines, it really wouldn't matter in 11.00, since I'm assuming that it would still end up with /* #undef HAVE_GETADDRINFO */. As long as HAVE_GETADDRINFO is NOT defined, I think everything should work, (since the getaddrinfo routines in openbsd-compat/fake-rfc2553.c will get built and linked. Is this what you were asking?

To answer your 2nd question (or do some 11 machines work?) -- let me summarize:

HP-UX 11.00: works with no modifications because it uses the getaddrinfo out of fake-rfc2553.c (because HP doesn't provide a getaddrinfo call)

HP-UX 11i (or 11.11): does NOT work if you allow it to use HP's getaddrinfo. My solution was to make sure BROKEN_GETADDRINFO was defined.

So is this what you were asking?

-Tom

>>> Tim Rice 12/04/03 10:03PM >>>
On Thu, 4 Dec 2003, Tom Orban wrote:
[snip]
> The problem ultimately appears to be with the getaddrinfo that is
> supplied with HP-UX 11i. In the ssh configure, it tries to see if
> there's a getaddrinfo available. If so, it doesn't use the one in the
> openbsd-compat directory (file is fake-rfc2553.[ch]). (this is what
> 11.00 automatically uses). Since 11i does have a getaddrinfo, it tries
> to use that, but it appears to be broken. So I just added the following
> lines to configure (around line 3782)
>
> cat >>confdefs.h <<\EOF
> #define BROKEN_GETADDRINFO 1
> EOF
>

Is it safe to define BROKEN_GETADDRINFO on all HP-UX 11 machines? Ie. can we match *-*-hpux11* from config.guess? Or do some 11 machines work?

[snip]
>
> >>> Tim Rice 12/04/03 06:30PM >>>
>
> I can't remember if this was answered or not. (cleaning out old mail)
>
> This might help.
> http://bugzilla.mindrot.org/show_bug.cgi?id=748
>
[snip]

-- 
Tim Rice Multitalents (707) 887-1469 tim at multitalents.net
From: tim at multitalents.net (Tim Rice)
Date: Fri, 5 Dec 2003 14:09:15 -0800 (PST)
Subject: ssh not resolving host names on HP-UX 11i

On Fri, 5 Dec 2003, Tom Orban wrote:
>
> Well, as I said below, on HP-UX 11.00, there isn't a getaddrinfo
> library call provided by HP. So when configure runs, it doesn't find

Sorry, missed that.

Is 11.11 the first version that has it?
What does ./config.guess say on the 2 machines?
What does uname -r say on the 2 machines?
What does uname -v say on the 2 machines?

I'd rather not AC_DEFINE(BROKEN_GETADDRINFO) on a machine that does not have getaddrinfo.

-- 
Tim Rice Multitalents (707) 887-1469 tim at multitalents.net
From: TORBAN at do.usbr.gov (Tom Orban)
Date: Fri, 05 Dec 2003 16:20:13 -0700
Subject: ssh not resolving host names on HP-UX 11i

>>> Tim Rice 12/05/03 03:09PM >>>
> Is 11.11 the first version that has it?

As far as I know, yes. (There are some oddball HP releases that I can't speak to -- I believe like VVOS (Virtual Vault), and perhaps some others.) As far as the "mainstream" production OS's, it went from 11.00 to 11.11 (or 11i). And yes, 11.11 is the first time getaddrinfo is included.

> What does ./config.guess say on the 2 machines?

On an 11.00 box: hppa2.0w-hp-hpux11.00
On the 11.11 box: hppa2.0w-hp-hpux11.11

> What does uname -r say on the 2 machines?

B.11.00
B.11.11

I'm assuming you can figure which is which :-)

> What does uname -v say on the 2 machines?

On the 11.00 box: A
On the 11.11 box: U

> I'd rather not AC_DEFINE(BROKEN_GETADDRINFO) on a machine
> that does not have getaddrinfo.

How much will it really matter? I believe the key symbol when compiling really is HAVE_GETADDRINFO. I think BROKEN_GETADDRINFO is only used to determine whether to undef HAVE_GETADDRINFO. (If I read what's going on in defines.h correctly.) In either case, that seems more like a developer's call than an SA type (like myself). I just have to get it running. :-)

-Tom
From: andfarm at thibs.menloschool.org (Andrew Farmer)
Date: Thu, 4 Dec 2003 11:16:18 -0800
Subject: Compact SSH?
Message-ID: <20031204191618.GA24824@thibs.menloschool.org>

On Thu, 04 Dec 2003 10:47:55 -0800, Thomas DuBuisson muttered:
> I am looking for a micro ssh server/client implementation. This
> implementation would have to be small enough to run on microprocessors.
> e.g. systems with <512KB memory and ~20Mhz 8bit processors - like a Rabbit
> or a PIC.

I don't think SSH's runtime data (let alone executables) will fit into 512 KB, and the encryption/authentication routines would be deathly slow at 20Mhz with 8-bit registers. I'm afraid you'll have to ditch SSH or use a higher-end architecture.

-- 
Andrew Farmer
andfarm at thibs.menloschool.org
From: andfarm at thibs.menloschool.org (Andrew Farmer)
Date: Tue, 2 Dec 2003 16:08:18 -0800
Subject: I am writing "HOW-TO install and integrate ssh on Mac OS X" ... (Where can I publish it?)
In-Reply-To: <5E0DFFC2-2522-11D8-91CD-0003936EF152@gmx.de>
References: <20031202003111.GA1306@thibs.menloschool.org> <5E0DFFC2-2522-11D8-91CD-0003936EF152@gmx.de>
Message-ID: <20031203000817.GA28470@thibs.menloschool.org>

On Tue, 02 Dec 2003 15:50:54 -0800, Robert muttered:
> I want to install my own ./config(ured) version because I disabled
> everything I don't need.

Well, there's no harm in having stuff ./configured in if you just disable it in /etc/ssh_config.

> If I install in /usr/bin, the next software upgrade will replace it
> (when a newer OpenSSH version comes out).

Correction: the next OpenSSH update will replace it. But you'll have to reinstall your own version anyway, since Apple only updates OpenSSH for major security issues or major system upgrades (10.2 -> 10.3, for example).

-- 
Andrew Farmer
andfarm at thibs.menloschool.org
From: andfarm at thibs.menloschool.org (Andrew Farmer)
Date: Mon, 1 Dec 2003 16:31:11 -0800
Subject: I am writing "HOW-TO install and integrate ssh on Mac OS X" ... (Where can I publish it?)
Message-ID: <20031202003111.GA1306@thibs.menloschool.org>

On Mon, 01 Dec 2003 12:26:41 -0800, Robert muttered:
> So you see I am interested to use OpenSSH on my Mac with the same ease
> as I use other programs on OS X...

Uh... OS X already comes with OpenSSH installed. It's not a proprietary Apple implementation. If you want to use your own config, replace the one in /etc. If you want to use a newer version, replace the one in /usr/bin. If you just want to install another copy of SSH on top of the one that's already there, WHY?

-- 
Andrew Farmer
andfarm at thibs.menloschool.org
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 06 Dec 2003 16:35:14 +1100
Subject: Compact SSH?
References: <20031204191618.GA24824@thibs.menloschool.org>
Message-ID: <3FD16A92.8DA31F80@zip.com.au>

On Thu, 04 Dec 2003 10:47:55 -0800, Thomas DuBuisson muttered:
> I am looking for a micro ssh server/client implementation. This
> implementation would have to be small enough to run on microprocessors.
> e.g. systems with <512KB memory and ~20Mhz 8bit processors - like a Rabbit
> or a PIC.

You might want to investigate dropbear for the server side. It's a server-only SSH2 implementation.

http://matt.ucc.asn.au/dropbear/

[quote]
Features

* A small memory footprint - Dropbear can compile to a 110kB statically linked binary with uClibc (and only minimal options selected).
[/quote]

Are you sure you have enough CPU for this? People have issues with speed on eg, older SPARCs, and they're faster and 32 bit...

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From: picasso at madflower.com (Sean O'Malley)
Date: Sat, 6 Dec 2003 01:25:52 -0500 (EST)
Subject: Compact SSH?
In-Reply-To: <3FD16A92.8DA31F80@zip.com.au>

On Sat, 6 Dec 2003, Darren Tucker wrote:
> Are you sure you have enough CPU for this? People have issues with speed
> on eg, older SPARCs, and they're faster and 32 bit...

I was kind of wondering the same thing. Does anyone have a Palm w/Linux they could get it compiled on? The dragonball is a nice 8-bit processor.
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Sat, 6 Dec 2003 08:47:55 +0100
Subject: Compact SSH?
References: <3FD16A92.8DA31F80@zip.com.au>
Message-ID: <20031206074755.GA21008@foo.birdnet.se>

On Sat, Dec 06, 2003 at 01:25:52AM -0500, Sean O'Malley wrote:
> I was kind of wondering the same thing. Does anyone have a Palm w/Linux
> they could get it compiled on? The dragonball is a nice 8-bit
> processor.

I wouldn't expect anything like Linux to run on a Palm. PalmOS <=4 bears more resemblance to DOS, but this is off topic.

TGssh runs, although it takes a good number of seconds to log in anywhere. I imagine this will take even longer if/when SSH2 is implemented. Session speed isn't all that bad though. I have a Palm m505. I guess the stylus/my hand is the bottleneck.

//Peter
From: tomd at csds.uidaho.edu (Thomas DuBuisson)
Date: Sat, 6 Dec 2003 11:34:36 -0800 (PST)
Subject: Compact SSH? (re: enough processing power)
In-Reply-To: <3FD16A92.8DA31F80@zip.com.au>
References: <20031204191618.GA24824@thibs.menloschool.org> <3FD16A92.8DA31F80@zip.com.au>

While this is hardly the project focus, the boards I am using can handle a slave Rabbit 2000 which could be added and dedicated to SSH. External memory is also an option - but again, this is not a focus so if it is added it would be down the road.

That said, I will update the list if/when an SSH program is implemented in the project. Thanks for the discussion and recommendations.

Thomas DuBuisson

On Sat, 6 Dec 2003, Darren Tucker wrote:
> On Thu, 04 Dec 2003 10:47:55 -0800, Thomas DuBuisson muttered:
> > I am looking for a micro ssh server/client implementation. This
> > implementation would have to be small enough to run on microprocessors.
> > e.g. systems with <512KB memory and ~20Mhz 8bit processors - like a Rabbit
> > or a PIC.
>
> You might want to investigate dropbear for the server side. It's a
> server-only SSH2 implementation.
>
> http://matt.ucc.asn.au/dropbear/
>
> [quote]
> Features
>
> * A small memory footprint - Dropbear can compile to a 110kB statically
> linked binary with uClibc (and only minimal options selected).
> [/quote]
>
> Are you sure you have enough CPU for this? People have issues with speed
> on eg, older SPARCs, and they're faster and 32 bit...
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 07 Dec 2003 21:10:56 +1100
Subject: ssh not resolving host names on HP-UX 11i
Message-ID: <3FD2FCB0.C2F537B3@zip.com.au>

Tom Orban wrote:
> How much will it really matter? I believe the key symbol when
> compiling really is HAVE_GETADDRINFO. I think BROKEN_GETADDRINFO is
> only used to determine whether to undef HAVE_GETADDRINFO.

Defining BROKEN_GETADDRINFO will disable IPv6 support. Do you know if OpenSSH works with IPv6 on HP-UX 11.11 (ignoring the name resolution issues)?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 08 Dec 2003 00:41:47 +1100
Subject: [PATCH] Do PAM chauthtok via keyboard-interactive.
Message-ID: <3FD32E1A.C0D7819@zip.com.au>

Hi All.

Attached is another patch that attempts to do pam_chauthtok() via SSH2 keyboard-interactive authentication. It now passes the results from the authentication thread back to the monitor (based on a suggestion from djm). Because of this, it doesn't call do_pam_account twice and consequently now works on AIX 5.2, which the previous version didn't.

I haven't tested it on any other platforms yet, but there were few other changes so it should still work (famous last words :-) I would be interested to know if it works with unusual PAM configurations or platforms other than those I can test on.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

Index: auth-pam.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v retrieving revision 1.84 diff -u -p -r1.84 auth-pam.c --- auth-pam.c 21 Nov 2003 12:56:47 -0000 1.84 +++ auth-pam.c 7 Dec 2003 13:23:38 -0000 @@ -53,6 +53,7 @@ RCSID("$Id: auth-pam.c,v 1.84 2003/11/21 extern ServerOptions options; extern Buffer loginmsg; +extern int compat20; #define __unused @@ -118,6 +119,7 @@ static int sshpam_authenticated = 0; static int sshpam_new_authtok_reqd = 0; static int sshpam_session_open = 0; static int sshpam_cred_established = 0; +static int sshpam_account_status = -1; static char **sshpam_env = NULL; struct pam_ctxt {
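Review bot: `sshpam_account_status` is introduced as `static int` with -1 as its "not yet checked" sentinel, but the function that caches into it, `do_pam_account()`, is declared `u_int` and returns the variable directly on its early-return path; either give the variable and the return type the same signedness, or add a comment at the declaration stating that -1 is only ever the sentinel and is never returned, so the next reader does not have to trace the filtering themselves.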
@@ -144,6 +146,21 @@ pam_getenvlist(pam_handle_t *pamh) } #endif +void +pam_password_change_required(int reqd) +{ + sshpam_new_authtok_reqd = reqd; + if (reqd) { + no_port_forwarding_flag |= 2; + no_agent_forwarding_flag |= 2; + no_x11_forwarding_flag |= 2; + } else { + no_port_forwarding_flag &= ~2; + no_agent_forwarding_flag &= ~2; + no_x11_forwarding_flag &= ~2; + + } +} /* Import regular and PAM environment from subprocess */ static void import_environments(Buffer *b) @@ -152,6 +169,13 @@ import_environments(Buffer *b) u_int i, num_env; int err; + /* Import variables set by do_pam_account */ + sshpam_account_status = buffer_get_int(b); + sshpam_new_authtok_reqd = buffer_get_int(b); + + if (sshpam_new_authtok_reqd == 1) + pam_password_change_required(1); + /* Import environment from subprocess */ num_env = buffer_get_int(b); sshpam_env = xmalloc((num_env + 1) * sizeof(*sshpam_env)); @@ -290,9 +314,28 @@ sshpam_thread(void *ctxtp) sshpam_err = pam_authenticate(sshpam_handle, 0); if (sshpam_err != PAM_SUCCESS) goto auth_fail; + + if (compat20) { + if (do_pam_account()) { + if (sshpam_new_authtok_reqd) { + sshpam_err = pam_chauthtok(sshpam_handle, + PAM_CHANGE_EXPIRED_AUTHTOK); + if (sshpam_err != PAM_SUCCESS) + goto auth_fail; + pam_password_change_required(0); + } + } else { + goto auth_fail; + } + } + buffer_put_cstring(&buffer, "OK"); #ifndef USE_POSIX_THREADS + /* Export variables set by do_pam_account */ + buffer_put_int(&buffer, sshpam_account_status); + buffer_put_int(&buffer, sshpam_new_authtok_reqd); + /* Export any environment strings set in child */ for(i = 0; environ[i] != NULL; i++) ; /* Count */ 
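Review bot: in the `@@ -144,6 +146,21 @@` hunk, `pam_password_change_required()` is defined with external linkage and a `pam_` prefix, while every other helper in this file uses `sshpam_` (`sshpam_thread`, `sshpam_err`, `sshpam_new_authtok_reqd`); the `pam_` namespace belongs to the PAM library, so rename it `sshpam_password_change_required()` and make it `static` unless a caller outside auth-pam.c needs it (none appears in this patch), and drop the stray blank line before the `else` branch's closing brace. In the `@@ -290,9 +314,28 @@` hunk, the two new `buffer_put_int()` calls exporting `sshpam_account_status` and `sshpam_new_authtok_reqd` sit under `#ifndef USE_POSIX_THREADS`, while the matching `buffer_get_int()` calls added to `import_environments()` in the `@@ -152,6 +169,13 @@` hunk are unconditional; that is only correct if `import_environments()` is never reached in a threaded build, so a one-line comment at the import site saying so would make the pairing explicit.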
@@ -611,22 +654,22 @@ finish_pam(void) u_int do_pam_account(void) { + if (sshpam_account_status != -1) + return (sshpam_account_status); + sshpam_err = pam_acct_mgmt(sshpam_handle, 0); debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err); - - if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) - return (0); - - if (sshpam_err == PAM_NEW_AUTHTOK_REQD) { - sshpam_new_authtok_reqd = 1; - - /* Prevent forwardings until password changed */ - no_port_forwarding_flag |= 2; - no_agent_forwarding_flag |= 2; - no_x11_forwarding_flag |= 2; + + if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) { + sshpam_account_status = 0; + return (sshpam_account_status); } - return (1); + if (sshpam_err == PAM_NEW_AUTHTOK_REQD) + pam_password_change_required(1); + + sshpam_account_status = 1; + return (sshpam_account_status); } void

From: sun at aineton.com (sun)
Date: Sun, 07 Dec 2003 17:02:03 +0800
Subject: Hi

Hello: Where can I find the ssh source for arm-linux? Thanks!

JJ.Mic
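Review bot: in the `@@ -611,22 +654,22 @@` hunk the comment "Prevent forwardings until password changed" is deleted together with the flag-setting code it explained, but it is not carried into `pam_password_change_required()` where that code now lives; restore it there, since without it the `|= 2` / `&= ~2` bit manipulation on the three `no_*_forwarding_flag` variables has no explanation anywhere in the file.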
From: mowen at gmx.net (Marc Owen)
Date: Sun, 7 Dec 2003 07:05:58 +0100
Subject: hostbased failing and can't derive reason of failure in debugging output
Message-ID: <20031207070558.0cbc1b91.mowen@gmx.net>

Hello,

I've troubles getting the hostbased method to work. I've given up on system-to-system for now (different versions), and I'm just trying to debug localhost. As far as I can see, the key is accepted, but then a sudden "Failed hostbased" is returned:

[...]
debug3: mm_answer_keyallowed: key 0x8099bc0 is disallowed
debug3: mm_append_debug: Appending debug messages for child
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug3: mm_send_debug: Sending debug: Accepted for hostname.domainname.tld [192.168.1.5] by /etc/ssh/shosts.equiv.
debug2: userauth_hostbased: authenticated 0
Failed hostbased for anna from 192.168.1.5 port 33148 ssh2
[...]

The full output is in the attachment, if I've been snipping too much (I hope it doesn't get stripped off by the mailing list software).

Some basic configuration info:

ssh_config (stripped):
Host hostname.domainname.tld
PreferredAuthentications hostbased,publickey,password
HostbasedAuthentication yes
GlobalKnownHostsFile /etc/ssh/ssh_known_hosts2
CheckHostIP yes
StrictHostKeyChecking ask
Protocol 2

sshd_config (stripped):
Protocol 2
HostbasedAuthentication yes
IgnoreRhosts no

shosts.equiv (stripped):
192.168.1.5
hostname.domainname.tld
+ +
(Last line just for testing, obviously.)

ls /etc/ssh/:
ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub ssh_host_rsa_key ssh_host_rsa_key.pub ssh_known_hosts@ ssh_known_hosts2
[...]

ssh-keysign is setuid root; ssh version is 3.4p1/3.6.1p2-10 (tried both).

Thanks for any help...
From: tim at multitalents.net (Tim Rice)
Date: Sun, 7 Dec 2003 17:23:53 -0800 (PST)
Subject: hostbased failing and can't derive reason of failure in debugging output
In-Reply-To: <20031207070558.0cbc1b91.mowen@gmx.net>
References: <20031207070558.0cbc1b91.mowen@gmx.net>

On Sun, 7 Dec 2003, Marc Owen wrote:
>
> Hello,
>
> I've troubles getting the hostbased method to work. I've given up on
> system-to-system for now (different versions), and I'm just trying to
> debug localhost. As far as I can see, the key is accepted, but then a
> sudden "Failed hostbased" is returned:
>
[snip]
> Some basic configuration info:
>
> ssh_config (stripped):
> Host hostname.domainname.tld
> PreferredAuthentications hostbased,publickey,password
> HostbasedAuthentication yes
> GlobalKnownHostsFile /etc/ssh/ssh_known_hosts2
> CheckHostIP yes
> StrictHostKeyChecking ask
> Protocol 2
[snip]

Add this to the end of your ssh_config

Host *
EnableSSHKeysign yes

-- 
Tim Rice Multitalents (707) 887-1469 tim at multitalents.net
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sun, 7 Dec 2003 20:10:46 -0600 (CST)
Subject: hostbased failing and can't derive reason of failure in debugging output

On Sun, 7 Dec 2003, Tim Rice wrote:
> On Sun, 7 Dec 2003, Marc Owen wrote:
> >
> > Hello,
> >
> > I've troubles getting the hostbased method to work. I've given up on
> > system-to-system for now (different versions), and I'm just trying to
> > debug localhost. As far as I can see, the key is accepted, but then a
> > sudden "Failed hostbased" is returned:
> >
> [snip]
> > Some basic configuration info:
> >
> > ssh_config (stripped):
> > Host hostname.domainname.tld
> > PreferredAuthentications hostbased,publickey,password
> > HostbasedAuthentication yes
> > GlobalKnownHostsFile /etc/ssh/ssh_known_hosts2
> > CheckHostIP yes
> > StrictHostKeyChecking ask
> > Protocol 2
> [snip]
>
> Add this to the end of your ssh_config
>
> Host *
> EnableSSHKeysign yes
>

Also ensure that ssh-keysign is setuid root.

- Ben
From: mowen at gmx.net (Marc Owen)
Date: Mon, 8 Dec 2003 06:31:30 +0100
Subject: hostbased failing and can't derive reason of failure in debugging output
References: <20031207070558.0cbc1b91.mowen@gmx.net>
Message-ID: <20031208063130.09ed29bb.mowen@gmx.net>

On Sun, 7 Dec 2003 17:23:53 -0800 (PST) Tim Rice wrote:
> Add this to the end of your ssh_config
>
> Host *
> EnableSSHKeysign yes
>

Doesn't help. It doesn't continue for some reason, even with localhost. I just made new hostkeys with ssh-keygen and appended the new DSA key to ssh_known_hosts2, just to be on the sure side that the keys were matching. They are: the current DSA key is the one in ssh_known_hosts2, and only SSH protocol 2 has been enabled in the configuration files.

`ssh -vvv hostname` output:

[...]
debug1: Next authentication method: hostbased
debug2: userauth_hostbased: chost hostname.domainname.tld.
debug2: ssh_keysign called
debug3: ssh_msg_send: type 2
debug3: ssh_msg_recv entering
debug2: we sent a hostbased packet, wait for reply
debug1: Remote: Accepted for hostname.domainname.tld \
  [::ffff:196.168.1.6] by /etc/ssh/shosts.equiv
debug1: Authentications that can continue: \
  publickey,password,keyboard-interactive,hostbased
debug2: userauth_hostbased: chost hostname.domainname.tld.
debug2: ssh_keysign called
debug3: ssh_msg_send: type 2
debug3: ssh_msg_recv entering
debug2: we sent a hostbased packet, wait for reply
debug1: Remote: Accepted for hostname.domainname.tld \
  [::ffff:196.168.1.6] by /etc/ssh/shosts.equiv
debug1: Authentications that can continue: \
  publickey,password,keyboard-interactive,hostbased
debug1: No more client hostkeys for hostbased authentication.
debug2: we did not send a packet, disable method
[...]

The server side is pretty much like mentioned in my previous mail. I don't know if the keys are not accepted or the client just ignores the 'Accepted for' bit (if that points out final hostbased access permission).

PS: ssh-keysign is setuid.
From: mowen at gmx.net (Marc Owen)
Date: Mon, 8 Dec 2003 06:32:31 +0100
Subject: hostbased failing and can't derive reason of failure in debugging output
Message-ID: <20031208063231.2af7a7bd.mowen@gmx.net>

On Sun, 7 Dec 2003 20:10:46 -0600 (CST) Ben Lindstrom wrote:
>
> Also ensure that ssh-keysign is setuid root.
>

It definitely is.

From: carson at taltos.org (Carson Gaspar)
Date: Mon, 08 Dec 2003 01:42:10 -0500
Subject: hostbased failing and can't derive reason of failure in debugging output
In-Reply-To: <20031208063130.09ed29bb.mowen@gmx.net>
References: <20031207070558.0cbc1b91.mowen@gmx.net> <20031208063130.09ed29bb.mowen@gmx.net>
Message-ID: <272005375.1070847730@[192.168.20.2]>

Does your hosts.equiv / shosts / known_hosts / whatever have entries of the form host.domain.tld. (with the trailing dot!)? If not, that is probably your problem. The current OpenSSH code doesn't strip off the trailing dot for hostbased. The developers have some reason for not fixing this, but I've never understood what it is.

-- 
Carson

From: markus at openbsd.org (Markus Friedl)
Date: Mon, 8 Dec 2003 10:18:47 +0100
Subject: hostbased failing and can't derive reason of failure in debugging output
In-Reply-To: <272005375.1070847730@[192.168.20.2]>
References: <20031207070558.0cbc1b91.mowen@gmx.net> <20031208063130.09ed29bb.mowen@gmx.net> <272005375.1070847730@[192.168.20.2]>
Message-ID: <20031208091847.GA15694@folly>

On Mon, Dec 08, 2003 at 01:42:10AM -0500, Carson Gaspar wrote:
> The current OpenSSH code doesn't strip off the trailing dot
> for hostbased.

wrong.
From: tim at multitalents.net (Tim Rice)
Date: Mon, 8 Dec 2003 08:46:19 -0800 (PST)
Subject: hostbased failing and can't derive reason of failure in debugging output
In-Reply-To: <272005375.1070847730@[192.168.20.2]>
References: <20031207070558.0cbc1b91.mowen@gmx.net> <20031208063130.09ed29bb.mowen@gmx.net> <272005375.1070847730@[192.168.20.2]>

On Mon, 8 Dec 2003, Carson Gaspar wrote:
> Does your hosts.equiv / shosts / known_hosts / whatever have entries of the
> form host.domain.tld. (with the trailing dot!)? If not, that is probably
> your problem. The current OpenSSH code doesn't strip off the trailing dot
> for hostbased. The developers have some reason for not fixing this, but
> I've never understood what it is.

I've seen some people say they need a trailing dot. Hostbased auth works just fine here without trailing dots in shosts.

-- 
Tim Rice Multitalents (707) 887-1469 tim at multitalents.net

From: TORBAN at do.usbr.gov (Tom Orban)
Date: Mon, 08 Dec 2003 11:44:38 -0700
Subject: ssh not resolving host names on HP-UX 11i

Geez, you bring up a good issue. No, I have only run ssh on IPv4.

-Tom

>>> Darren Tucker 12/07/03 03:10AM >>>
Tom Orban wrote:
> How much will it really matter? I believe the key symbol when
> compiling really is HAVE_GETADDRINFO. I think BROKEN_GETADDRINFO is
> only used to determine whether to undef HAVE_GETADDRINFO.

Defining BROKEN_GETADDRINFO will disable IPv6 support. Do you know if OpenSSH works with IPv6 on HP-UX 11.11 (ignoring the name resolution issues)?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
From: carson at taltos.org (Carson Gaspar)
Date: Mon, 08 Dec 2003 16:24:03 -0500
Subject: hostbased failing and can't derive reason of failure in debugging output
References: <20031207070558.0cbc1b91.mowen@gmx.net> <20031208063130.09ed29bb.mowen@gmx.net> <272005375.1070847730@[192.168.20.2]>
Message-ID: <324917953.1070900643@[192.168.20.2]>

--On Monday, December 08, 2003 8:46 AM -0800 Tim Rice wrote:
> I've seen some people say they need a trailing dot.
> Hostbased auth works just fine here without trailing dots in shosts.

Ah, right. It does, if you don't enable HostbasedUsesNameFromPacketOnly. If you do, it leaves the trailing dot on. Sorry for the confusion - I always run that way due to application proxy / NAT issues. And still have no idea why it isn't stripped.

--
Carson

From robertLinux at gmx.de Tue Dec 9 23:39:45 2003
From: robertLinux at gmx.de (Robert)
Date: Tue, 9 Dec 2003 13:39:45 +0100
Subject: How to compile SSH on Jaguar (Mac OS X), technical question

Thanks to all the help I got in writing my HOW TO, I am getting closer to issuing it.

I have just seen a file called:
/System/Library/Filesystems/AppleShare/sshHelper

I wonder what will break if I disable Apple's own OpenSSH implementation. Would FileSharing not work anymore? Any workarounds known?

Thanks for help,
Robert Welz

From robertLinux at gmx.de Tue Dec 9 23:46:28 2003
From: robertLinux at gmx.de (Robert)
Date: Tue, 9 Dec 2003 13:46:28 +0100
Subject: Addition: How to compile SSH on Jaguar (Mac OS X), technical question

Thanks to all the help I got in writing my HOW TO, I am getting closer to issuing it.

I have just seen a file called:
/System/Library/Filesystems/AppleShare/sshHelper

I wonder what will break if I disable Apple's own OpenSSH implementation. Would FileSharing not work anymore? Any workarounds known?

I mean, what will happen to AppleShare if I add a first line to both sshd.conf and ssh.conf to create a syntax error so that both programs do not start? I haven't used AppleShare yet and I don't know about it and ssh.

Thanks for help,
Robert Welz
From andfarm at thibs.menloschool.org Wed Dec 10 03:42:14 2003
From: andfarm at thibs.menloschool.org (Andrew Farmer)
Date: Tue, 9 Dec 2003 08:42:14 -0800
Subject: How to compile SSH on Jaguar (Mac OS X), technical question
Message-ID: <20031209164214.GA15631@thibs.menloschool.org>

On Tue, 09 Dec 2003 04:39:45 -0800, Robert muttered:
> Thanks to all the help I got in writing my HOW TO, I am getting closer
> to issuing it.
>
> I have just seen a file called:
> /System/Library/Filesystems/AppleShare/sshHelper
>
> I wonder what will break if I disable Apple's own OpenSSH
> implementation. Would FileSharing not work anymore? Any workarounds
> known?

Well, OS X doesn't depend on sshd being active -- all I think file sharing depends on is a working ssh client.

Again, though, what's wrong with the implementation that's already installed?

--
Andrew Farmer
andfarm at thibs.menloschool.org

From Alexander.Peuchert at deutsche-boerse.com Wed Dec 10 23:47:19 2003
From: Alexander.Peuchert at deutsche-boerse.com (Alexander Peuchert)
Date: Wed, 10 Dec 2003 13:47:19 +0100
Subject: problems with openssh 3.7.1p2 on AIX 4.3.3

Hi,

I already sent this mail to the secureshell at securityfocus.com mailing list, but that seems to be spammed... I searched the mailing lists and googled for this problem, but had no luck. So I hope that someone here knows a solution.

I have to change the sshd daemon on two AIX 4.3.3 machines from a ssh.com version to openssh 3.7.1p2. The openssh daemon runs fine and I can log in, but when I do a 'su' inside an openssh session I get an error. The error is below:

$ su
Password:
You entered an invalid login name or password.
3004-501 Cannot su to "root" : Authentication is denied.

I already had a look at the su account. It's neither expired nor locked. And if I reuse the ssh.com daemon, the 'su' works. Not being an AIX expert, I'm quite stuck here...

thanks for your help,
Alexander

--
The information contained in this message is confidential or protected by law. If you are not the intended recipient, please contact the sender and delete this message. Any unauthorised copying of this message or unauthorised distribution of the information contained herein is prohibited.

From robertLinux at gmx.de Wed Dec 10 23:54:25 2003
From: robertLinux at gmx.de (Robert)
Date: Wed, 10 Dec 2003 13:54:25 +0100
Subject: How to compile SSH on Jaguar (Mac OS X), technical question
In-Reply-To: <20031209164214.GA15631@thibs.menloschool.org>
References: <20031209164214.GA15631@thibs.menloschool.org>

Dear Mr. Farmer. Dear community.

On 09.12.2003 at 17:42 Andrew Farmer wrote:
> Well, OS X doesn't depend on sshd being active -- all I think file
> sharing depends on is a working ssh client.

Fine. Thank you.

> Again, though, what's wrong with the implementation that's already
> installed?

Well, there are many reasons to use a strict set of security rules in a company. Say you have several users permitted to log in as root. The admin may become ill, or you develop Mac products and share a whole Mac pool between a handful of programmers. Then you certainly want to have strict settings of what is allowed with ssh and what is not. When time becomes sparse you certainly don't want to open doors to your computer by config errors that you or your (maybe less experienced) colleagues don't want. You do some changes, do them fast and voilà, an error occurred -> a door is open.

There is another point I want you to think about: How do I find out which options Apple used during compile? Did they enable everything? I fear yes, for users' convenience.

Me, I only use public key auth and I am playing around with port forwarding Linux<->Mac. So I disable everything, rsh encryption, unencrypted transmissions, but I like to keep tcp wrappers because they make X forwarding more flexible, since they allow a third computer to use my forwarded ssh session on second computer to server computer one with the GatewayPorts keyword (or the -g option). That looks like:

Server (IMAP) --- ssh --- client --- ssh client in different room.

The latter could also use forwarded www pages which are hosted at the company but forbidden by proxy, so they would only be visible in the company's LAN. So I can watch the pages at home in my working room AND by a second ssh session from a second (and even more) computer standing elsewhere, if I allow it, even from a local coffee shop, assuming they have Linux installed (the easiest) or a Mac which has tcp wrappers compiled into OpenSSH. (Or from a laptop via WAP / telephone Internet connection, assuming you are on holidays and want to see the latest announcements.)

My HOWTO is nothing for Mac users in the consumer segment, more for professionals who already know OpenSSH and want to know how to easily integrate a customized OpenSSH into OS X. I won't advertise certain compile options, I just tell the ones I use and why. I will suggest reading the book "SSH Secure Shell" by Daniel J. Barrett (O'Reilly) and the man pages. For an everyday setup the man pages are sufficient, but then you almost certainly don't want to compile OpenSSH yourself.

I hope I clarified my standpoint and convinced you. I have used OpenSSH for about 8 months now and I am certainly not an expert. But I am a Mac expert; I have written software for Mac for several years now.

If you still are not convinced, answer this posting, please, so we can discuss. I love discussions and I love to learn.

Greetings,
Robert Welz

From andreas at conectiva.com.br Wed Dec 10 23:55:36 2003
From: andreas at conectiva.com.br (Andreas)
Date: Wed, 10 Dec 2003 10:55:36 -0200
Subject: GSSAPICleanupCredentials vs GSSAPICleanupCreds
Message-ID: <20031210125536.GA1818@conectiva.com.br>

In 3.7.1p2, the sshd_config manpage talks about GSSAPICleanupCredentials, while servconf.c uses GSSAPICleanupCreds. Here is a patch:

--- openssh-3.7.1p2/servconf.c.orig	2003-12-10 10:43:52.000000000 -0200
+++ openssh-3.7.1p2/servconf.c	2003-12-10 10:44:13.000000000 -0200
@@ -310,10 +310,10 @@
 	{ "afstokenpassing", sUnsupported },
 #ifdef GSSAPI
 	{ "gssapiauthentication", sGssAuthentication },
-	{ "gssapicleanupcreds", sGssCleanupCreds },
+	{ "gssapicleanupcredentials", sGssCleanupCreds },
 #else
 	{ "gssapiauthentication", sUnsupported },
-	{ "gssapicleanupcreds", sUnsupported },
+	{ "gssapicleanupcredentials", sUnsupported },
 #endif
 	{ "passwordauthentication", sPasswordAuthentication },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },

From sxw at inf.ed.ac.uk Thu Dec 11 00:22:22 2003
From: sxw at inf.ed.ac.uk (sxw at inf.ed.ac.uk)
Date: Wed, 10 Dec 2003 13:22:22 +0000 (GMT)
Subject: GSSAPICleanupCredentials vs GSSAPICleanupCreds
In-Reply-To: <20031210125536.GA1818@conectiva.com.br>

On Wed, 10 Dec 2003, Andreas wrote:
> In 3.7.1p2, the sshd_config manpage talks about GSSAPICleanupCredentials, while
> servconf.c uses GSSAPICleanupCreds. Here is a patch:

Looks like a change in the BSD tree didn't make it over to portable. This change was applied on Sept 29 to the OpenBSD CVS tree, but doesn't seem to have made it into the portable tree yet.

S.

From dtucker at zip.com.au Thu Dec 11 01:06:35 2003
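Review bot: Dropping the "gssapicleanupcreds" entries outright (the two `-` lines, one in the GSSAPI branch and one in the #else branch) means an existing sshd_config written against 3.7.1p2 with the old spelling no longer matches anything in this keyword table. If upgrading users matter, keep the old spelling as a second entry mapping to the same token, e.g. `{ "gssapicleanupcreds", sGssCleanupCreds },` beside the new line (and the sUnsupported counterpart in the #else branch), or at least call the rename out in the release notes. The token name sGssCleanupCreds keeping the old spelling is harmless, but a one-line comment would stop it being read as yet another typo.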
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 11 Dec 2003 01:06:35 +1100
Subject: GSSAPICleanupCredentials vs GSSAPICleanupCreds
Message-ID: <3FD7286B.9269AB1@zip.com.au>

sxw at inf.ed.ac.uk wrote:
> On Wed, 10 Dec 2003, Andreas wrote:
>
> > In 3.7.1p2, the sshd_config manpage talks about GSSAPICleanupCredentials, while
> > servconf.c uses GSSAPICleanupCreds. Here is a patch:
>
> Looks like a change in the BSD tree didn't make it over to portable. This
> change was applied on Sept 29 to the OpenBSD CVS tree, but doesn't seem to
> have made it into the portable tree yet.

No, it's in Portable too, at least in HEAD:

$ cvs log servconf.c
[snip]
revision 1.116
date: 2003/10/02 06:20:54;  author: dtucker;  state: Exp;  lines: +3 -3
   - markus at cvs.openbsd.org 2003/09/29 20:19:57
     [servconf.c sshd_config]
     GSSAPICleanupCreds -> GSSAPICleanupCredentials

3.7 was branched at rev 1.114, so it's not in the 3.7x releases.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From stuge-openssh-unix-dev at cdy.org Thu Dec 11 05:49:53 2003
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Wed, 10 Dec 2003 19:49:53 +0100
Subject: problems with openssh 3.7.1p2 on AIX 4.3.3
Message-ID: <20031210184952.GA32140@foo.birdnet.se>

Hello Alexander!

On Wed, Dec 10, 2003 at 01:47:19PM +0100, Alexander Peuchert wrote:
> The information contained in this message is confidential or protected by
> law. If you are not the intended recipient, please contact the sender and
> delete this message. Any unauthorised copying of this message or
> unauthorised distribution of the information contained herein is prohibited.

Please don't send confidential email to public mailing lists, it'll obviously only stop you from getting help. (Plus, it makes no sense.)

Please tell your systems administrator to disable any automatic addition of disclaimers in outgoing mail to open mailing lists, and particularly those dealing with open source software.

If you want real confidentiality I suggest you start using PGP.

Best regards,

//Peter

From plong at arsystemes.fr Wed Dec 10 00:39:18 2003
From: plong at arsystemes.fr (Peter Long)
Date: Tue, 09 Dec 2003 14:39:18 +0100
Subject: Bug with OpenSSH and Crontab under Solaris 8
Message-ID: <3FD5D086.6010706@arsystemes.fr>

Hi,

I have an issue with OpenSSH 3.7.1p2 and crontab (solaris 8). The crontab will not execute the commands correctly if I edit it using OpenSSH.

client (Solaris 8 / Openssh 3.7.1p2) ---> server (Solaris 8 / Openssh 3.7.1p2).

Next, I edit the crontab with "vi" using a console session and I save it without doing modification. The crontab works perfectly now ! ?

I have installed all Sun Recommended patches without success.

A Windows SSH client like Hummingbird works with OpenSSH server 3.7.1p2 and the crontab.

Could you help me, please? I have already looked for this bug and I have found that it is an "open bug".

Thanks.

--
Peter LONG
==========================================================
This message and/or any attachments are intended for the sole use of its addressee. If you are not the addressee, please immediately notify the sender and then destroy the message. As this message and/or any attachments may have been altered without our knowledge, its content is not legally binding. All rights reserved.
==========================================================

From dtucker at zip.com.au Thu Dec 11 13:12:06 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 11 Dec 2003 13:12:06 +1100
Subject: Bug with OpenSSH and Crontab under Solaris 8
In-Reply-To: <3FD5D086.6010706@arsystemes.fr>
References: <3FD5D086.6010706@arsystemes.fr>
Message-ID: <3FD7D276.5050906@zip.com.au>

Peter Long wrote:
> I have an issue with OpenSSH 3.7.1p2 and crontab (solaris 8). The crontab
> will not execute the commands correctly if I edit it using OpenSSH.
>
> client (Solaris 8 / Openssh 3.7.1p2) ---> server (Solaris 8 / Openssh
> 3.7.1p2).
>
> Next, I edit the crontab with "vi" using a console session and I save it
> without doing modification. The crontab works perfectly now ! ?

Sounds like the BSM auditing issue. You can try one of the patches in the bug:
http://bugzilla.mindrot.org/show_bug.cgi?id=125

Alternatively, you can use the option "UseLogin yes" in sshd_config (but be aware this will disable X11 forwarding).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From uwe.veiel at siemens.com Fri Dec 12 23:57:45 2003
From: uwe.veiel at siemens.com (Veiel Uwe)
Date: Fri, 12 Dec 2003 13:57:45 +0100
Subject: Remote-Port

Hello *,

for security logging purposes, I would like to record the actual remote port an ssh connection uses after the connection has been established. Could someone kindly point me to the part of the ssh client source code where such information is available?

kind regards,
Uwe Veiel
----------------------------------------------------------
Siemens Business Services GmbH & Co OHG
SBS ORS GD AHS CC32 Interne Tools

From chris at obelix.hedonism.cx Sat Dec 13 02:55:25 2003
From: chris at obelix.hedonism.cx (Christian Vogel)
Date: Fri, 12 Dec 2003 16:55:25 +0100
Subject: Remote-Port
In-Reply-To: ; from uwe.veiel@siemens.com on Fri, Dec 12, 2003 at 01:57:45PM +0100
Message-ID: <20031212165525.A4288@obelix.frop.org>

On Fri, Dec 12, 2003 at 01:57:45PM +0100, Veiel Uwe wrote:
> Hello *,
>
> for security logging purposes, I would like to record the actual
> remote port an ssh connection uses after the connection has been
> established. Could someone kindly point me to the part of the ssh
> client source code where such information is available?

Something like that?

## Which debug message are we interested in?
chris at pi2105:~/openssh-3.7p1$ ssh -v SOME_HOST_NAME
(...)
debug1: Connection established.
(...)

## Where is it generated?
chris at pi2105:~/openssh-3.7p1$ grep -n "\"Connection established" *.c
sshconnect.c:418:		debug("Connection established.");

Chris

--
Caution. Blade is sharp. Keep out of children.

From TORBAN at do.usbr.gov Sat Dec 13 16:04:07 2003
From: TORBAN at do.usbr.gov (Tom Orban)
Date: Fri, 12 Dec 2003 22:04:07 -0700
Subject: problem in uidswap?

Hello,

I've compiled openssh 3.7.1p2 on a DG/UX machine, using openssl 0.9.7c, zlib-1.1.4, and tcp_wrappers7.6. ssh itself seems to function ok, but sshd does not appear to be functioning properly for non-root users. After connecting and providing a password, the connection is closed, and we appear to get 3 messages in syslog like the following:

fatal: permanently_set_uid: was able to restore old [e]uid

It appears this may be coming out of uidswap.c

As I mentioned, this problem does *not* occur if I'm logging in as root. I don't know if this is relevant or not, but UsePrivilegeSeparation is set to no.

Any ideas/suggestions on this? FYI, this problem only came up since 3.7.1p2. We had 3.6.1p2 installed previously (using openssl 0.9.7b), and it worked just fine.

Thanks for any help/info you can provide.

-Tom

From dtucker at zip.com.au Sat Dec 13 17:04:20 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 13 Dec 2003 17:04:20 +1100
Subject: problem in uidswap?
Message-ID: <3FDAABE4.7090907@zip.com.au>

Tom Orban wrote:
> I've compiled openssh 3.7.1p2 on a DG/UX machine
[snip]
> fatal: permanently_set_uid: was able to restore old [e]uid

Add these to your config.h and recompile:

#define SETEUID_BREAKS_SETUID 1
#define BROKEN_SETREUID 1
#define BROKEN_SETREGID 1

If that works, let us know and we'll make configure do it automatically.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
From jeff_bronson at wixb.com Sun Dec 14 05:21:00 2003
From: jeff_bronson at wixb.com (J.D. Bronson)
Date: Sat, 13 Dec 2003 12:21:00 -0600
Subject: OpenSSH on Solaris -from SUN
Message-ID: <6.0.1.1.2.20031213121922.01b3f2e0@cheyenne.wixb.com>

I noticed this on DEBUG startup of Sun's SSH:

debug2: mac_init: found hmac-sha1
debug2: mac_init: found hmac-md5
debug1: sshd version Sun_SSH_1.0
debug1: Bad RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read SSH2 private key done: name rsa w/o comment success 1
debug1: load_private_key_autodetect: type 1 RSA
debug1: Bad RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read SSH2 private key done: name dsa w/o comment success 1
debug1: load_private_key_autodetect: type 2 DSA
debug1: Bind to port 22 on ::.

..I have tried to regenerate all the keys from scratch. No difference..

Odd thing is that it all works just fine. The only time I see this error is under DEBUG. I have posted to the Sun mailing lists and no one replied.

Any ideas?

--
J.D. Bronson - "The Cisco Kid"
Aurora Health Care // Information Services // Milwaukee, WI USA
Office: 414.978.8282 // Fax: 414.328.8282 // Pager: 414.314.8282

From dtucker at zip.com.au Sun Dec 14 10:07:12 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 14 Dec 2003 10:07:12 +1100
Subject: OpenSSH on Solaris -from SUN
In-Reply-To: <6.0.1.1.2.20031213121922.01b3f2e0@cheyenne.wixb.com>
References: <6.0.1.1.2.20031213121922.01b3f2e0@cheyenne.wixb.com>
Message-ID: <3FDB9BA0.1000902@zip.com.au>

J.D. Bronson wrote:
> I noticed this on DEBUG startup of Sun's SSH:
>
> debug2: mac_init: found hmac-sha1
> debug2: mac_init: found hmac-md5
> debug1: sshd version Sun_SSH_1.0
> debug1: Bad RSA1 key file /etc/ssh/ssh_host_rsa_key.
> debug1: read SSH2 private key done: name rsa w/o comment success 1

I assume you're referring to the "Bad RSA1 key file" message?

Current versions of OpenSSH say "Not a RSA1 key file" but it's just the way sshd detects if a keyfile is for SSH v1 or v2: it tries loading it as a v1 key first (which generates that warning if it's a v2 key), and if that fails it tries it as a v2 key. (See key_load_private() in authfile.c).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From coldfusi0n at hotmail.com Sun Dec 14 14:34:42 2003
From: coldfusi0n at hotmail.com (Jamaal Speights)
Date: Sat, 13 Dec 2003 22:34:42 -0500
Subject: fakepw auth.c question

this is at the bottom of auth.c. What is it?

struct passwd *
fakepw(void)
{
        static struct passwd fake;

        memset(&fake, 0, sizeof(fake));
        fake.pw_name = "NOUSER";
        fake.pw_passwd =
            "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
        fake.pw_gecos = "NOUSER";
        fake.pw_uid = -1;
        fake.pw_gid = -1;
        fake.pw_class = "";
        fake.pw_dir = "/nonexist";
        fake.pw_shell = "/nonexist";
        return (&fake);
}

Default branch: MAIN
Revision 1.51, Fri Nov 21 11:57:02 2003 UTC (3 weeks, 1 day ago) by djm
  http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth.c?rev=1.51&content-type=text/x-cvsweb-markup
Branch: MAIN
CVS Tags: HEAD
Changes since 1.50: +2 -2 lines
Diff to previous 1.50: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth.c.diff?r1=1.50&r2=1.51

From mouring at etoh.eviladmin.org Sun Dec 14 14:47:56 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sat, 13 Dec 2003 21:47:56 -0600 (CST)
Subject: fakepw auth.c question

It provides a way of creating a fake passwd entry if the authenticating user does not exist. The reason is wrapped around the fact that without doing this you can guess existing vs nonexisting user accounts based on how much time it takes to reply "bad password".

- Ben

On Sat, 13 Dec 2003, Jamaal Speights wrote:
> this is at the bottom of auth.c. What is it?
>
> struct passwd *
> fakepw(void)
> {
>         static struct passwd fake;
>
>         memset(&fake, 0, sizeof(fake));
>         fake.pw_name = "NOUSER";
>         fake.pw_passwd =
>             "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
>         fake.pw_gecos = "NOUSER";
>         fake.pw_uid = -1;
>         fake.pw_gid = -1;
>         fake.pw_class = "";
>         fake.pw_dir = "/nonexist";
>         fake.pw_shell = "/nonexist";
>         return (&fake);
> }
>
> Default branch: MAIN
> Revision 1.51, Fri Nov 21 11:57:02 2003 UTC (3 weeks, 1 day ago) by djm
> Branch: MAIN
> CVS Tags: HEAD
> Changes since 1.50: +2 -2 lines

From jeff.bronson at ktxg.com Mon Dec 15 03:22:20 2003
From: jeff.bronson at ktxg.com (J.D. Bronson)
Date: Sun, 14 Dec 2003 10:22:20 -0600
Subject: resolve on solaris 9 with snapshot 12/03
Message-ID: <6.0.1.1.2.20031214102108.01b3d318@cheyenne.wixb.com>

I have recently begun using OpenSSH portable for solaris and grabbed the latest snapshot. I noticed that my logs do not contain the hostname..only the IP of the connecting machine. Is this a known (or expected) issue and/or is there a work-around?

Thanks in advance.

--
J.D. Bronson - "The Cisco Kid"
Aurora Health Care // Information Services // Milwaukee, WI USA
Office: 414.978.8282 // Fax: 414.328.8282 // Pager: 414.314.8282
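Picking up Ben Lindstrom's explanation of fakepw() earlier in this thread, here is an added example (my code, not OpenSSH's) of the timing leak a fake passwd entry removes: a naive check that returns early for unknown users beside a hardened one that always runs the slow hash against a static fake entry. PBKDF2-HMAC-SHA256 stands in for bcrypt, and the user database, account names and helper names are constructed for the example.

```python
"""
Why auth.c has fakepw(): a user-enumeration timing oracle, and the fix.

Added example, not OpenSSH code. auth_naive() rejects an unknown user before
any hashing, so the reply comes back much faster than for a real account with
a wrong password. auth_hardened() substitutes a static fake entry (the role
fakepw() plays in sshd) so the expensive verification runs on every attempt
and the two cases take the same time. All names and data are assumptions.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

ITERATIONS = 50_000          # slow enough that skipping it is measurable


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    salt: bytes
    pw_hash: bytes


def make_entry(name: str, password: str) -> PasswdEntry:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return PasswdEntry(name, salt, digest)


# Constructed sample database with a single real account.
USERS = {"alice": make_entry("alice", "correct horse battery staple")}

# Counterpart of fakepw(): a static entry with a salt and a well-formed hash
# that no submitted password can match, because it was derived from random
# bytes and a throwaway salt that are discarded immediately.
FAKEPW = PasswdEntry(
    "NOUSER", os.urandom(16),
    hashlib.pbkdf2_hmac("sha256", os.urandom(32), os.urandom(16), ITERATIONS))

_hash_calls = [0]            # instrumentation: how often the slow hash ran


def hash_call_count() -> int:
    return _hash_calls[0]


def verify(entry: PasswdEntry, password: str) -> bool:
    """Recompute the hash with the entry's salt and compare in constant time."""
    _hash_calls[0] += 1
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), entry.salt, ITERATIONS)
    return hmac.compare_digest(digest, entry.pw_hash)


def auth_naive(user: str, password: str) -> bool:
    """Leaky: unknown users are rejected before any hashing happens."""
    entry = USERS.get(user)
    if entry is None:
        return False
    return verify(entry, password)


def auth_hardened(user: str, password: str) -> bool:
    """Same answer, same work: unknown users are checked against FAKEPW."""
    entry = USERS.get(user)
    exists = entry is not None
    if not exists:
        entry = FAKEPW
    ok = verify(entry, password)
    return ok and exists     # the fake entry must never authenticate


def timed(fn, user: str, password: str) -> float:
    """Wall-clock seconds one call takes; used only for the demonstration."""
    start = time.perf_counter()
    fn(user, password)
    return time.perf_counter() - start


if __name__ == "__main__":
    for fn in (auth_naive, auth_hardened):
        known = timed(fn, "alice", "wrong password")
        unknown = timed(fn, "mallory", "wrong password")
        print(f"{fn.__name__:14s} known user {known * 1000:7.1f} ms, "
              f"unknown user {unknown * 1000:7.1f} ms")
```

Run stand-alone, the naive check answers the unknown-user case in microseconds while the hardened check takes the same tens of milliseconds for both.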
From dtucker at zip.com.au Tue Dec 16 10:02:48 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 16 Dec 2003 10:02:48 +1100
Subject: Remote-Port
Message-ID: <3FDE3D98.4090109@zip.com.au>

Veiel Uwe wrote:
> for security logging purposes, I would like to record the
> actual remote port an ssh connection uses after the connection
> has been established. Could someone kindly point me to the part
> of the ssh client source code where such information is
> available?

You mean the other end of the TCP connection to the server's port 22? That is already logged to wherever syslog is configured to go to (see LogLevel and SysLogFacility in "man sshd_config"), eg:

Dec 13 00:18:52 gate sshd[12258]: Accepted password for dtucker from 192.168.1.1 port 54496 ssh2

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
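As an added example (not OpenSSH code) of turning that syslog line into the security log Uwe asked about: a parser for sshd's "Accepted"/"Failed" authentication lines that pulls out the remote port and groups it by source address, so a session can be matched against firewall or NAT records. Apart from Darren's sample line, the log lines and all function names are constructed for this example; the "invalid user" form follows sshd's usual wording and is an assumption here.

```python
"""
Recording the remote TCP port from sshd's syslog lines.

Added example, not OpenSSH code. parse_auth_line() recognises the
"Accepted <method> for <user> from <ip> port <port> ssh2" line shown in the
thread and the matching "Failed ..." line (with or without "invalid user"),
and the two grouping functions show what the recorded port is good for.
SAMPLE_LOG is constructed; only its first line comes from the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>[\w/-]+) for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<ip>\S+) "
    r"port (?P<port>\d+) (?P<proto>ssh\d?)"
)

# Constructed sample: one success, two failures (one for a non-existent
# account), one unrelated sshd line, one public-key login.
SAMPLE_LOG = """\
Dec 13 00:18:52 gate sshd[12258]: Accepted password for dtucker from 192.168.1.1 port 54496 ssh2
Dec 13 00:19:03 gate sshd[12271]: Failed password for dtucker from 192.168.1.1 port 54497 ssh2
Dec 13 00:19:10 gate sshd[12274]: Failed password for invalid user admin from 10.0.0.7 port 40112 ssh2
Dec 13 00:19:15 gate sshd[12274]: Connection closed by 10.0.0.7
Dec 13 00:20:01 gate sshd[12290]: Accepted publickey for root from 192.168.1.9 port 51022 ssh2
"""


@dataclass(frozen=True)
class AuthEvent:
    timestamp: str
    host: str
    pid: int
    accepted: bool
    method: str
    user: str
    invalid_user: bool
    ip: str
    port: int        # the client's ephemeral port, i.e. the remote port
    proto: str


def parse_auth_line(line: str) -> Optional[AuthEvent]:
    """Return an AuthEvent for an sshd auth line, None for anything else."""
    m = AUTH_RE.match(line.strip())
    if m is None:
        return None
    return AuthEvent(
        timestamp=m["ts"], host=m["host"], pid=int(m["pid"]),
        accepted=(m["result"] == "Accepted"), method=m["method"],
        user=m["user"], invalid_user=m["invalid"] is not None,
        ip=m["ip"], port=int(m["port"]), proto=m["proto"],
    )


def parse_log(text: str) -> List[AuthEvent]:
    events = []
    for line in text.splitlines():
        ev = parse_auth_line(line)
        if ev is not None:
            events.append(ev)
    return events


def remote_ports_by_source(events: List[AuthEvent]) -> Dict[str, List[int]]:
    """Remote ports seen per source IP, in log order.

    Together with the timestamp, source IP and server port this identifies
    the TCP 4-tuple, so the session can be matched to a firewall or NAT
    log entry even when many clients share one address."""
    ports: Dict[str, List[int]] = {}
    for ev in events:
        ports.setdefault(ev.ip, []).append(ev.port)
    return ports


def failures_by_source(events: List[AuthEvent]) -> Dict[str, int]:
    """Failed attempts per source IP; attempts on invalid users count too."""
    counts: Dict[str, int] = {}
    for ev in events:
        if not ev.accepted:
            counts[ev.ip] = counts.get(ev.ip, 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        state = "OK " if ev.accepted else "BAD"
        print(f"{ev.timestamp} {state} {ev.user:8s} from {ev.ip}:{ev.port} via {ev.method}")
    print("ports by source:", remote_ports_by_source(evs))
    print("failures by source:", failures_by_source(evs))
```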
From: my_office_2004 at yahoo.co.jp (my_office_2004 at yahoo.co.jp) Date: Wed, 17 Dec 2003 20:51:58 +0900 Subject: =?iso-2022-jp?b?SFAbJEIzK0BfNS1HMCEqGyhCQW50aXZpcnVzMjAwNA==?= =?iso-2022-jp?b?GyRCQTQwdyU1ITwlUyU5ISobKEI=?= Message-ID: <439701c3c494$2cfc9320$8d55c4d2@j17> http://ohyasuuri.europe.webmatrixhosting.net/index.htm ======$B%[!<%`%Z!<%83+ at _$7$^$7$?!*3+ at _5-G0$H$7$F9XF~o%=%U%H$O(B1$BK\(B5000$B1_$GBgJt;ECf$G$9"v(B $B!z!z(BStudioMX2004J with FlashMX Pro$BF~2Y!*!*FCJL2A3J(B\8000$B!*(B $B!|!|!|!|!|!|!|!|(BOffice2003Pro$BF|K\8lHG!*!|!|!|!|!|!|!|!|!|!|!|(B $B$7$+$b%\%j%e!<%`%i%$%;%s%9HG!*(B($BG'>ZITMW(B)$BFCJL2A3J(B\7000$B!*!*(B OneNOTE2003J Visio2003JPro Project2003JPro Frontpage2003 SharePoint2003 Publisher2003 $BB>!!!!!!!!!!!!(B $B:GBg#7KgAH$_$Ge$49XF~$$$?$@$/$H(B ADOBE$B$N(BPhotoShop 7J&Illustrator 10J$B$r(B $BL5NA$G%5!<%S%9$7$^$9!*!!$9$G$K;}$C$F$$$k(B $B$*5RMM$O%j%9%H$NCf$+$i(B1$BE@$r$4Jt;E!*(B Adobe Premiere Pro $B!u(B EncoreDVD$B:GB.F~2Y!*!*!J(BWinXP$B$N$_$NF0:n$G$9!K(B http://ohyasuuri.europe.webmatrixhosting.net/index.htm $B>&IJNc(B $BFC5^F~2Y!*(BNorton SystemWorks 2004J $B?7F~2Y!*(BSolidworks2004(3$BKgAH(B) ADOBE/Macromedia$B3FB??t!#(BMAC$B$b$*G$$;$/$@$5$$(B $BA4>&IJ%j%9%H$O(BHP$B$r$4Mw$/$@$5$$!#(B http://ohyasuuri.europe.webmatrixhosting.net/index.htm $B"(:#8e%a!<%k$NG[?.$r4uK>$5$l$J$$J}$O(B jushinkyohi at softhome.net$B!!$^$G$40lJs$/$@$5$$!#(B $B"("(?=$7Lu$4$6$$$^$;$s$,%a!<%kG[?.MQ$N%"%I%l%9(B my_office_2004 at yahoo.co.jp$B!!$K5$/$@$5$$!#(B From jason at devrandom.org Thu Dec 18 02:01:22 2003 
From: jason at devrandom.org (Jason McCormick)
Date: Wed, 17 Dec 2003 10:01:22 -0500
Subject: Fedora FC1 RPMs
Message-ID: <200312171001.22612.jason@devrandom.org>

I've spent the morning looking at making some RPMs for Fedora Core 1 and run into a problem with GSSAPI. Basically the default install of Fedora doesn't come with the necessary gssapi code to build the RPMs by default (i.e. you need to say %define kerberos5 0 in openssh.spec). Since Fedora is going to fork off from RedHat I was going to create a set of patches to make a contrib/fedora for RPM building on Fedora but wasn't sure if it'd be more appropriate to make it not build Kerberos5 by default or make the proper packages for gssapi required.

Thanks

--
Jason McCormick
jason at devrandom.org
GPG Key: http://www.devrandom.org/gpgkey.php
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 17 Dec 2003 09:15:43 -0600
Subject: Fedora FC1 RPMs
References: <200312171001.22612.jason@devrandom.org>
Message-ID: <3FE0731F.D2825090@anl.gov>

Jason McCormick wrote:
>
> I've spent the morning looking at making some RPMs for Fedora Core 1
> and run into a problem with GSSAPI. Basically the default install of
> Fedora doesn't come with the necessary gssapi code to build the RPMs by
> default (i.e. you need to say %define kerberos5 0 in openssh.spec).
> Since Fedora is going to fork off from RedHat I was going to create a
> set of patches to make a contrib/fedora for RPM building on Fedora but
> wasn't sure if it'd be more appropriate to make it not build Kerberos5
> by default or make the proper packages for gssapi required.

Please consider building it with Kerberos5 by default.

> Thanks
> --
> Jason McCormick
> jason at devrandom.org
> GPG Key: http://www.devrandom.org/gpgkey.php
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From: jason at devrandom.org (Jason McCormick)
Date: Wed, 17 Dec 2003 15:34:27 -0500
Subject: Fedora FC1 RPMs
In-Reply-To: <200312171001.22612.jason@devrandom.org>
References: <200312171001.22612.jason@devrandom.org>
Message-ID: <200312171534.27602.jason@devrandom.org>

Actually, after looking at this some more, it's not that the gssapi headers aren't present, it's that they're not where the spec file is telling autoconf to find them. This is easily changed in the .spec file.

--
Jason McCormick
jason at devrandom.org
GPG Key: http://www.devrandom.org/gpgkey.php
From: TORBAN at do.usbr.gov (Tom Orban)
Date: Wed, 17 Dec 2003 14:06:25 -0700
Subject: problem in uidswap?

Oops! Almost forgot to respond. BINGO! That fixed it. Thank you VERY MUCH!!!

FYI, here's a uname from that machine:

unix> uname -a
dgux hostname R4.11MU05 generic AViiON mc88110

Thanks again.

-Tom

>>> Darren Tucker 12/12/03 11:04PM >>>
Tom Orban wrote:
> I've compiled openssh 3.7.1p2 on a DG/UX machine
[snip]
> fatal: permanently_set_uid: was able to restore old [e]uid

Add these to your config.h and recompile:

#define SETEUID_BREAKS_SETUID 1
#define BROKEN_SETREUID 1
#define BROKEN_SETREGID 1

If that works, let us know and we'll make configure do it automatically.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 18 Dec 2003 19:03:00 +1100
Subject: PAM, chauthtok and keyboard-interactive
Message-ID: <3FE15F34.1000100@zip.com.au>

Hi All.

Today a patch was committed to OpenSSH that performs PAM password changes via SSH2 keyboard-interactive authentication. It should work fine with privsep, which some of the other solutions have problems with.

While the patch itself is relatively small, it's bigger than it should have been due to differences in PAM implementations.

I encourage anyone with an interest in this to try a snapshot [1] (20031219 or later) and report success or failure here.

Thanks,
-Daz.

[1] ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/ or one of its mirrors listed at http://www.openssh.com/portable.html

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
From: djm at mindrot.org (Damien Miller)
Date: Thu, 18 Dec 2003 08:44:03 -0000
Subject: PAM, chauthtok and keyboard-interactive
In-Reply-To: <3FE15F34.1000100@zip.com.au>
References: <3FE15F34.1000100@zip.com.au>
Message-ID: <1071736979.31141.1.camel@sakura.mindrot.org>

On Thu, 2003-12-18 at 19:03, Darren Tucker wrote:
> I encourage anyone with an interest in this to try a snapshot [1]
> (20031219 or later) and report success or failure here.

Actually, snapshots >=20031218 will have the PAM password change code.

-d
From: gss+ssh at cs.brown.edu (Gregory Seidman)
Date: Thu, 18 Dec 2003 08:34:26 -0500
Subject: known_hosts, IP, and port revisited
Message-ID: <20031218133426.GA18841@cs.brown.edu>

I dug through the list archives to see if this had come up before, and I see that a bug was submitted and subsequently closed (basically rejected) in 2002.

The basic issue, for those of you who don't feel like following the bug URL, is that when one has ssh servers behind a NAT, each of which responds to a different port on the NAT IP, they must all have the same host key to avoid the ssh man-in-the-middle warning about a changed host key. In short, because the known_hosts file is indexed only by name/IP and not port, there is no way to distinguish between servers by port.

The discussion in 2002, which led to the bug being closed without a fix, involved how different keys for the same name/IP would affect hostbased authentication.

It's been over a year now, and the first issue (different servers behind a NAT needing the same host key) keeps coming up. I have a proposal that I believe wouldn't break hostbased authentication (which includes opening a gaping security hole), but would allow different keys for servers on the same IP but different ports.

The last comment on the bug, from Ben Lindstrom, is this:

    You're missing his point about 'hostbased' authentication. By
    allowing host/ip:port you run into a problem when you go to
    do hostbased authentication. Instead of having a 1-to-1
    association you have a 1-to-many. And randomly pick from
    the many is opening yourself up to potential spoofing.

    if I have 10 keys all say 'etoh.eviladmin.org' but from 10
    different ports. Do you really want to trust that the
    right random key will be used for hostbased auth?

    No, I agree with Markus. Until one can show how
    host/ip:port format and hostbased auth can interact pinning
    it down to a 1-to-1 test then I doubt such a patch will be
    accepted. When I say 'show how'... I'm stating WITHOUT
    RFC modifications. Full interop with existing installs.

My first problem with this is that I can't find any RFC on SSH at all. I see http://www.ietf.org/html.charters/secsh-charter.html which doesn't seem to deal with the details of hostbased authentication policy (mechanism, yes, but not policy), but that's it.

My second problem with it is that it brings up a spurious security concern. If I have 10 keys from (different ports on) 'etoh.eviladmin.org' it is because I have made an ssh connection to each of those ssh servers and I have some knowledge of them. I know which ones I trust. If we can distinguish between different ports in known_hosts, we should also be able to distinguish between different ports in .shosts, and that allows me to specify which hosts I trust. Of course an incoming SSH connection from etoh.eviladmin.org isn't going to come from the port listed in known_hosts/.shosts, but an entry in .shosts doesn't specify that that hostname/IP is trusted but that the corresponding host key in known_hosts is trusted.

I propose that both .shosts and known_hosts identify servers as name[:port] where the default port is 22. When a connection comes in, hostbased authentication tries the given host key against entries in known_hosts that correspond to entries in .shosts (I'll give an example below). This means that nothing changes with the protocol, and all existing .shosts and known_hosts continue to work.

Here is an example known_hosts file:

    etoh.eviladmin.org 1024 37 ...
    etoh.eviladmin.org:23 1024 37 ...
    etoh.eviladmin.org:80 1024 37 ...

And an example .shosts file:

    etoh.eviladmin.org
    etoh.eviladmin.org:23

When a connection comes in from etoh.eviladmin.org, we look at .shosts and find that we trust two host keys. If the host key we are sent matches one of the trusted host keys, we use it for authentication. Otherwise, hostbased authentication fails.

Unless someone has a strong argument against it, I will reopen the bug with this proposed solution.

--Greg

From: gss+ssh at cs.brown.edu (Gregory Seidman)
Date: Thu, 18 Dec 2003 08:53:33 -0500
Subject: known_hosts, IP, and port revisited
In-Reply-To: <20031218133426.GA18841@cs.brown.edu>
References: <20031218133426.GA18841@cs.brown.edu>
Message-ID: <20031218135333.GA27447@cs.brown.edu>

Sorry to respond to my own message, but I wanted to point out bug 454, which seems to be a duplicate bug. A comment makes the point that : is used in IPv6 addresses, so @ might be a better separator between host and port.

--Greg
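The lookup Greg proposes in the two messages above, modelled as an added example (not code from the thread or from OpenSSH); the file contents, hostnames and keys are constructed, with the key material replaced by placeholders:

```python
"""Added example: a model of the name[:port] known_hosts/.shosts lookup
proposed above. Not OpenSSH code; file contents and keys are constructed."""

DEFAULT_PORT = 22


def parse_host_spec(spec):
    """Split 'name[:port]' into (name, port), port defaulting to 22.

    Caveat from the follow-up message: ':' also occurs in IPv6 literals, so
    this split is only unambiguous for hostnames and IPv4 addresses."""
    name, sep, port = spec.rpartition(":")
    if sep and port.isdigit():
        return name, int(port)
    return spec, DEFAULT_PORT


def parse_known_hosts(text):
    """Map (name, port) -> host key string for 'hostspec key...' lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        spec, _, key = line.partition(" ")
        entries[parse_host_spec(spec)] = " ".join(key.split())
    return entries


def parse_shosts(text):
    """List of (name, port) tuples the local user trusts for hostbased auth."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            specs.append(parse_host_spec(line))
    return specs


def trusted_host_keys(client_name, shosts, known_hosts):
    """Resolve each .shosts entry for client_name through known_hosts.

    The result is the explicit set of keys the proposal accepts, one per
    listed port, so there is no random pick among a 1-to-many mapping."""
    return {
        known_hosts[(name, port)]
        for name, port in shosts
        if name == client_name and (name, port) in known_hosts
    }


def hostbased_auth(client_name, presented_key, shosts, known_hosts):
    """True only if the key the client presents is one of its trusted keys."""
    presented = " ".join(presented_key.split())
    return presented in trusted_host_keys(client_name, shosts, known_hosts)


# Constructed sample files in the proposal's format (keys are placeholders,
# not real moduli).
SAMPLE_KNOWN_HOSTS = """\
etoh.eviladmin.org 1024 37 KEY_FOR_PORT_22
etoh.eviladmin.org:23 1024 37 KEY_FOR_PORT_23
etoh.eviladmin.org:80 1024 37 KEY_FOR_PORT_80
"""

SAMPLE_SHOSTS = """\
etoh.eviladmin.org
etoh.eviladmin.org:23
"""

if __name__ == "__main__":
    kh = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    sh = parse_shosts(SAMPLE_SHOSTS)
    for key in ("1024 37 KEY_FOR_PORT_22", "1024 37 KEY_FOR_PORT_80"):
        print(key, "->", hostbased_auth("etoh.eviladmin.org", key, sh, kh))
```

The port-80 key is present in known_hosts but not in .shosts, so it is rejected for hostbased auth even though the client would accept it when connecting out to that port.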
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 18 Dec 2003 08:37:11 -0600 (CST)
Subject: known_hosts, IP, and port revisited
In-Reply-To: <20031218133426.GA18841@cs.brown.edu>

Please discuss why:

    HostKeyAlias
        Specifies an alias that should be used instead of the real
        host name when looking up or saving the host key in the host
        key database files. This option is useful for tunneling ssh
        connections or for multiple servers running on a single
        host.

No one has yet explained why it does not work outside of.. "It is not what I expect"

- Ben

On Thu, 18 Dec 2003, Gregory Seidman wrote:

> I dug through the list archives to see if this had come up before, and I
> see that a bug was
> submitted and subsequently closed (basically rejected) in 2002.
>
> The basic issue, for those of you who don't feel like following the bug
> URL, is that when one has ssh servers behind a NAT, each of which responds
> to a different port on the NAT IP, they must all have the same host key to
> avoid the ssh man-in-the-middle warning about a changed host key. In short,
> because the known_hosts file is indexed only by name/IP and not port, there
> is no way to distinguish between servers by port.
>
> The discussion in 2002, which led to the bug being closed without a fix,
> involved how different keys for the same name/IP would affect hostbased
> authentication.
>
> It's been over a year now, and the first issue (different servers behind a
> NAT needing the same host key) keeps coming up. I have a proposal that I
> believe wouldn't break hostbased authentication (which includes opening a
> gaping security hole), but would allow different keys for servers on the
> same IP but different ports.
>
> The last comment on the bug, from Ben Lindstrom, is this:
>
>     You're missing his point about 'hostbased' authentication. By
>     allowing host/ip:port you run into a problem when you go to
>     do hostbased authentication. Instead of having a 1-to-1
>     association you have a 1-to-many. And randomly pick from
>     the many is opening yourself up to potential spoofing.
>
>     if I have 10 keys all say 'etoh.eviladmin.org' but from 10
>     different ports. Do you really want to trust that the
>     right random key will be used for hostbased auth?
>
>     No, I agree with Markus. Until one can show how
>     host/ip:port format and hostbased auth can interact pinning
>     it down to a 1-to-1 test then I doubt such a patch will be
>     accepted. When I say 'show how'... I'm stating WITHOUT
>     RFC modifications. Full interop with existing installs.
>
> My first problem with this is that I can't find any RFC on SSH at all. I
> see http://www.ietf.org/html.charters/secsh-charter.html which doesn't seem
> to deal with the details of hostbased authentication policy (mechanism,
> yes, but not policy), but that's it.
>
> My second problem with it is that it brings up a spurious security concern.
> If I have 10 keys from (different ports on) 'etoh.eviladmin.org' it is
> because I have made an ssh connection to each of those ssh servers and I
> have some knowledge of them. I know which ones I trust. If we can
> distinguish between different ports in known_hosts, we should also be able
> to distinguish between different ports in .shosts, and that allows me to
> specify which hosts I trust. Of course an incoming SSH connection from
> etoh.eviladmin.org isn't going to come from the port listed in
> known_hosts/.shosts, but an entry in .shosts doesn't specify that that
> hostname/IP is trusted but that the corresponding host key in known_hosts
> is trusted.
>
> I propose that both .shosts and known_hosts identify servers as name[:port]
> where the default port is 22. When a connection comes in, hostbased
> authentication tries the given host key against entries in known_hosts that
> correspond to entries in .shosts (I'll give an example below). This means
> that nothing changes with the protocol, and all existing .shosts and
> known_hosts continue to work.
>
> Here is an example known_hosts file:
>
>     etoh.eviladmin.org 1024 37 ...
>     etoh.eviladmin.org:23 1024 37 ...
>     etoh.eviladmin.org:80 1024 37 ...
>
> And an example .shosts file:
>
>     etoh.eviladmin.org
>     etoh.eviladmin.org:23
>
> When a connection comes in from etoh.eviladmin.org, we look at .shosts and
> find that we trust two host keys. If the host key we are sent matches one
> of the trusted host keys, we use it for authentication. Otherwise,
> hostbased authentication fails.
>
> Unless someone has a strong argument against it, I will reopen the bug with
> this proposed solution.
>
> --Greg
From: gss+ssh at cs.brown.edu (Gregory Seidman)
Date: Thu, 18 Dec 2003 10:18:43 -0500
Subject: known_hosts, IP, and port revisited
References: <20031218133426.GA18841@cs.brown.edu>
Message-ID: <20031218151843.GA6661@cs.brown.edu>

On Thu, Dec 18, 2003 at 08:37:11AM -0600, Ben Lindstrom wrote:
}
} Please discuss why:
}
}     HostKeyAlias
}         Specifies an alias that should be used instead of the real
}         host name when looking up or saving the host key in the host
}         key database files. This option is useful for tunneling ssh
}         connections or for multiple servers running on a single
}         host.
}
} No one has yet explained why it does not work outside of.. "It is not what
} I expect"

How about "it isn't user-friendly"? A user makes a connection to an ssh server by host and, optionally, IP address. Requiring that every time there is another server on a host a user has to add to his/her config file, then remember whatever alias s/he chose is user-hostile. It's even worse than that, because that config change has to be performed on every account from which the user might be ssh-ing. I'll grant you that the functionality is there, but a minor backward-compatible change can make it transparent to the user.

} - Ben

--Greg

From: sxw at inf.ed.ac.uk (sxw at inf.ed.ac.uk)
Date: Thu, 18 Dec 2003 17:37:05 +0000 (GMT)
Subject: Fedora FC1 RPMs
In-Reply-To: <200312171001.22612.jason@devrandom.org>

On Wed, 17 Dec 2003, Jason McCormick wrote:

> I've spent the morning looking at making some RPMs for Fedora Core 1
> and run into a problem with GSSAPI. Basically the default install of
> Fedora doesn't come with the necessary gssapi code to build the RPMs by
> default

Really? Does Fedora now no longer ship with the krb5-devel RPM?

S.
From: andreas at conectiva.com.br (Andreas)
Date: Thu, 18 Dec 2003 17:16:58 -0200
Subject: Fedora FC1 RPMs
References: <200312171001.22612.jason@devrandom.org>
Message-ID: <20031218191658.GA28891@conectiva.com.br>

On Thu, Dec 18, 2003 at 05:37:05PM +0000, sxw at inf.ed.ac.uk wrote:
> > and run into a problem with GSSAPI. Basically the default install of
> > Fedora doesn't come with the necessary gssapi code to build the RPMs by
> > default

A default install in my opinion shouldn't include files needed by developers.

From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 18 Dec 2003 13:37:39 -0600 (CST)
Subject: Fedora FC1 RPMs
In-Reply-To: <20031218191658.GA28891@conectiva.com.br>

On Thu, 18 Dec 2003, Andreas wrote:

> On Thu, Dec 18, 2003 at 05:37:05PM +0000, sxw at inf.ed.ac.uk wrote:
> > > and run into a problem with GSSAPI. Basically the default install of
> > > Fedora doesn't come with the necessary gssapi code to build the RPMs by
> > > default
>
> A default install in my opinion shouldn't include files needed by developers.
>

the issue more is do we treat Fedora as a different Linux release or assuming contrib/redhat/ means "Redhat Advanced Server". Or try to shoehorn the two RPM builds together.

Offline, I suggested that we treat them differently and just setup a contrib/fedora sometime in the future.

- Ben
From: jason at devrandom.org (Jason McCormick)
Date: Thu, 18 Dec 2003 14:45:12 -0500
Subject: Fedora FC1 RPMs
Message-ID: <200312181445.12833.jason@devrandom.org>

> the issue more is do we treat Fedora as a different Linux release or
> assuming contrib/redhat/ means "Redhat Advanced Server". Or try to
> shoehorn the two RPM builds together.
>
> Offline, I suggested that we treat them differently and just setup a
> contrib/fedora sometime in the future.

I'm almost done with a contrib/fedora and will submit it as soon as I can get AnonCVS to check out for me again (something up with anoncvs.be.openbsd.org?). My only gray area in the future is that Fedora is the "test bed" for RedHat Enterprise so it may be that in the future contrib/redhat and contrib/fedora will merge again. But probably not for awhile yet.

The only other solution I have is in the .spec file to just say --with-kerberos5 and not provide a path to any Kerberos library and just trust that autoconf will find the right include files. I'm not sure why /usr/kerberos was hard-coded in the .spec file but I'm assuming it was for a good reason. Anyone know?

As for -devel packages being installed in RPM-based systems, it's pretty much a given you're going to need them unless you're never going to do anything but install pre-made binary packages. Even if you're rebuilding a source RPM it's going to need stuff from -devel packages.

--
Jason McCormick
jason at devrandom.org
GPG Key: http://www.devrandom.org/gpgkey.php
From: andreas at conectiva.com.br (Andreas)
Date: Thu, 18 Dec 2003 17:49:46 -0200
Subject: Fedora FC1 RPMs
In-Reply-To: <200312181445.12833.jason@devrandom.org>
References: <200312181445.12833.jason@devrandom.org>
Message-ID: <20031218194946.GD28891@conectiva.com.br>

On Thu, Dec 18, 2003 at 02:45:12PM -0500, Jason McCormick wrote:
> As for -devel packages being installed in RPM-based systems, it's
> pretty much a given you're going to need them unless you're never going
> to do anything but install pre-made binary packages. Even if you're
> rebuilding a source RPM it's going to need stuff from -devel packages.

The point was that developers know this stuff and know how to get these devel packages when they need to. Ordinary users should not have to build packages in their systems, and not installing devel packages can save hundreds of MB.

That's my opinion, anyway, and it's way off-topic for ssh now :)
From: djm at mindrot.org (Damien Miller)
Date: Fri, 19 Dec 2003 09:32:37 +1100
Subject: Fedora FC1 RPMs
In-Reply-To: <20031218194946.GD28891@conectiva.com.br>
References: <200312181445.12833.jason@devrandom.org> <20031218194946.GD28891@conectiva.com.br>
Message-ID: <3FE22B05.1030106@mindrot.org>

Andreas wrote:
> On Thu, Dec 18, 2003 at 02:45:12PM -0500, Jason McCormick wrote:
>
>> As for -devel packages being installed in RPM-based systems, it's
>> pretty much a given you're going to need them unless you're never going
>> to do anything but install pre-made binary packages. Even if you're
>> rebuilding a source RPM it's going to need stuff from -devel packages.
>
> The point was that developers know this stuff and know how to get these
> devel packages when they need to. Ordinary users should not have to
> build packages in their systems, and not installing devel packages can
> save hundreds of MB.

That's all correct, but we should have appropriate BuildRequires in our spec file to ensure that developers know what they need.

-d

From: djm at mindrot.org (Damien Miller)
Date: Fri, 19 Dec 2003 09:34:22 +1100
Subject: Fedora FC1 RPMs
Message-ID: <3FE22B6E.70901@mindrot.org>

Ben Lindstrom wrote:
> the issue more is do we treat Fedora as a different Linux release or
> assuming contrib/redhat/ means "Redhat Advanced Server". Or try to shoe
> horn the two RPM builds together.
>
> Offline, I suggested that we treat them differently and just setup a
> contrib/fedora sometime in the future.

Given that Fedora is likely to be Redhat's crash test dummy for the commercial RedHat releases, changes happening in Fedora are likely to end up there too. I think we should keep one spec file for both.

-d
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 18 Dec 2003 16:45:31 -0600 (CST)
Subject: Fedora FC1 RPMs
In-Reply-To: <3FE22B6E.70901@mindrot.org>

On Fri, 19 Dec 2003, Damien Miller wrote:

> Ben Lindstrom wrote:
>
> > the issue more is do we treat Fedora as a different Linux release or
> > assuming contrib/redhat/ means "Redhat Advanced Server". Or try to shoe
> > horn the two RPM builds together.
> >
> > Offline, I suggested that we treat them differently and just setup a
> > contrib/fedora sometime in the future.
>
> Given that Fedora is likely to be Redhat's crash test dummy for the
> commercial RedHat releases, changes happening in Fedora are likely to
> end up there too. I think we should keep one spec file for both.
>

May and may not. If we can sanely keep them together that is fine. I just suspect since Redhat (or so they claimed) has handed Fedora off to mostly non-redhat employees that differences may crop up.

Again, if it can be done fine.

- Ben

From: andreas at conectiva.com.br (Andreas)
Date: Fri, 19 Dec 2003 09:42:38 -0200
Subject: Fedora FC1 RPMs
In-Reply-To: <3FE22B05.1030106@mindrot.org>
References: <200312181445.12833.jason@devrandom.org> <20031218194946.GD28891@conectiva.com.br> <3FE22B05.1030106@mindrot.org>
Message-ID: <20031219114238.GA21635@conectiva.com.br>

On Fri, Dec 19, 2003 at 09:32:37AM +1100, Damien Miller wrote:
> That's all correct, but we should have appropriate BuildRequires in our
> spec file to ensure that developers know what they need.

Definitely.
From: Daragh at UChicago.edu (Daragh Fitzpatrick)
Date: Fri, 19 Dec 2003 10:45:11 -0600
Subject: SSH for OS/390 (ODBC SSH-Tunneling to OS/390)
Message-ID: <200312191645.hBJGjBbp019376@relay00.uchicago.edu>

Hi Martin,

my name's Daragh, and I'm a renewal projects architect in the University of Chicago. I saw your name on a listserv - openssh-unix-dev. I was hoping you could lend some insight to a problem we're trying to solve.

We are trying to find a way for an Oracle database to connect securely to a mainframe (OS/390 running Model204 DB) through ODBC (Open Database Connection protocol), which is session-based.

The vendor that is providing the ODBC listener on the Mainframe side says they can provide SSL encryption as an alternative, but there are no SSL-enabled ODBC drivers on the distributed side that we can find.

We hoped we could use SSH-tunneling, but it appears the only 'obvious' implementation has EBCDIC-ASCII issues, and so can't handle binary (now, I don't know for sure that ODBC is binary, but I'm hedging my bets.)

I saw on a website that you have been looking at this, and I was wondering if you have implemented it to a level which we can try it out, or can point us in the right direction if we're going down the wrong path...

Many thanks in advance for any help you can give.

Happy Holidays!

Cheers,

:D

--------------------------------------------------------------------
Daragh Fitzpatrick   Daragh at UChicago.edu   (773) 702-8976
Solutions Architect   NSIT Administrative Systems
Renewal Projects and Architecture   University of Chicago
--------------------------------------------------------------------
Let contacts update themselves - http://www.Plaxo.com
From: florian at void.s.bawue.de (Florian Laws)
Date: Fri, 19 Dec 2003 18:00:54 +0100
Subject: SSH for OS/390 (ODBC SSH-Tunneling to OS/390)
In-Reply-To: <200312191645.hBJGjBbp019376@relay00.uchicago.edu>; from Daragh@UChicago.edu on Fri, Dec 19, 2003 at 10:45:11AM -0600
References: <200312191645.hBJGjBbp019376@relay00.uchicago.edu>
Message-ID: <20031219180054.B5919@helena.bawue.de>

On Fri, Dec 19, 2003 at 10:45:11AM -0600, Daragh Fitzpatrick wrote:
>
> The vendor that is providing the ODBC listener on the Mainframe side
> says they can provide SSL encryption as an alternative, but there are no
> SSL-enabled ODBC drivers on the distributed side that we can find.
>
> We hoped we could use SSH-tunneling, but it appears the only
> 'obvious' implementation has EBCDIC-ASCII issues, and so can't handle binary
> (now, I don't know for sure that ODBC is binary, but I'm hedging my bets.)

If the server side is in fact SSL-enabled, you could use stunnel on the clients for SSL tunneling. I don't know if it is interoperable between ASCII and EBCDIC platforms, though.

Also, if I remember correctly, somebody has ported SSH to BS/2000, which is also an EBCDIC platform. You might find something about this in the list archives.

Regards,

Florian
From: farr at MIT.EDU (Will M. Farr)
Date: Fri, 19 Dec 2003 12:56:46 -0500
Subject: Mac OS X Keychain Support

Hello,

I'm a Mac OS X user, and I got tired of typing my password every time I want to login, but didn't want to use ssh-agent and the like. So, I grabbed the code for OpenSSH 3.7p1, and made some modifications which allow passwords to be stored and recalled from the OS X Keychain. The reason I'm posting to this list is that I'd like to make these modifications available to others, and I'm curious whether you would be interested in including them in OpenSSH; I know that this is pretty operating-system specific (as far as I know, keychain is unique to OS X), but I changed configure.ac to test for keychain support when it detects a darwin operating system, so it shouldn't bother people who don't have mac os X. Should I diff my code against the standard 3.7p1 and give you guys a patch?

Thanks!

Will Farr
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 19 Dec 2003 12:10:33 -0600 (CST)
Subject: SSH for OS/390 (ODBC SSH-Tunneling to OS/390)
In-Reply-To: <200312191645.hBJGjBbp019376@relay00.uchicago.edu>

My knowledge of IBM hardware is weak at best. I know more about AIX/pSeries (which is not much). So regretfully I can't give you any direct help.

And yes, ODBC may have blob types so it could heavily depend on the encoding. However, if you have non-OS/390 clients and you can do the communications without SSH to secure it, then I would suspect the ODBC connection would do the translation for you and it may not be an issue.

Any direct issues feel free to post. We may be able to give you advice, but I doubt anyone on the project team has an OS/390 box in their basement (and heaven help us if we did =).

- Ben

On Fri, 19 Dec 2003, Daragh Fitzpatrick wrote:

>
> Hi Martin,
>
> my name's Daragh, and I'm a renewal projects architect in the
> University of Chicago. I saw your name on a listserv - openssh-unix-dev. I
> was hoping you could lend some insight to a problem we're trying to solve.
>
> We are trying to find a way for an Oracle database to connect
> securely to a mainframe (OS/390 running Model204 DB) through ODBC (Open
> Database Connection protocol), which is session-based.
>
> The vendor that is providing the ODBC listener on the Mainframe side
> says they can provide SSL encryption as an alternative, but there are no
> SSL-enabled ODBC drivers on the distributed side that we can find.
>
> We hoped we could use SSH-tunneling, but it appears the only
> 'obvious' implementation has EBCDIC-ASCII issues, and so can't handle binary
> (now, I don't know for sure that ODBC is binary, but I'm hedging my bets.)
>
> I saw on a website that you have been looking at this, and I was
> wondering if you have implemented it to a level which we can try it out, or
> can point us in the right direction if we're going down the wrong path...
>
> Many thanks in advance for any help you can give.
>
> Happy Holidays!
>
> Cheers,
>
> :D
>
> --------------------------------------------------------------------
> Daragh Fitzpatrick   Daragh at UChicago.edu   (773) 702-8976
> Solutions Architect   NSIT Administrative Systems
> Renewal Projects and Architecture   University of Chicago
> --------------------------------------------------------------------
> Let contacts update themselves - http://www.Plaxo.com
>

From: djm at mindrot.org (Damien Miller)
Date: Fri, 19 Dec 2003 20:41:36 -0000
Subject: Mac OS X Keychain Support
Message-ID: <1071866432.31141.10.camel@sakura.mindrot.org>

On Sat, 2003-12-20 at 04:56, Will M. Farr wrote:
> Hello,
>
> I'm a Mac OS X user, and I got tired of typing my password every time I
> want to login, but didn't want to use ssh-agent and the like. So, I
> grabbed the code for OpenSSH 3.7p1, and made some modifications which
> allow passwords to be stored and recalled from the OS X Keychain. The
> reason I'm posting to this list is that I'd like to make these
> modifications available to others, and I'm curious whether you would be
> interested in including them in OpenSSH; I know that this is pretty
> operating-system specific (as far as I know, keychain is unique to OS
> X), but I changed configure.ac to test for keychain support when it
> detects a darwin operating system, so it shouldn't bother people who
> don't have mac os X. Should I diff my code against the standard 3.7p1
> and give you guys a patch?

Is the OS X KeyChain free software? If so, then send a patch to this list.

-d
From: divbhim at excite.com (Martin) Date: Fri, 19 Dec 2003 17:18:01 -0800 Subject: You still look the same Message-ID: <7878251071883081@pD9E2138E.dip.t-dialin.net> [1]Great Stocking Stuffer! Click Here For A FREE Sample! [2][USEMAP:botoxred.jpg] IFRAME: [3]http://PlayAudioMessage.com/play.asp?m=31278&f=SJAVRL&ps=13&c=66CCF F&pm=1&h=25 ____________________________[-]___ You have received this notice by request or may have recently become a member of one of our network websites or simply signed up for this service. If you no longer wish to remain with this service, [4]Please Click Here. References 1. http://www.zcom.biz/mm/20minute/ 2. LYNXIMGMAP:file://localhost/tmp/@3588.7.html#FPMap0 3. http://PlayAudioMessage.com/play.asp?m=31278&f=SJAVRL&ps=13&c=66CCFF&pm=1&h=25 4. http://www.zcom.biz/mm/remove/remove.htm From supraexpress at globaleyes.net Sun Dec 21 03:23:10 2003 From: supraexpress at globaleyes.net (supraexpress at globaleyes.net) Date: Sat, 20 Dec 2003 10:23:10 -0600 (CST) Subject: README.Solaris9-X86 Message-ID: The "--disable-strip" configure option is required as the Solaris9-X86 linker/loader will not be able to load any of the executables and will display a "Killed" message. Similarly, 'ldd' will fail with a "file has insecure interpreter" error message. Performing a loader or ldd test from the OpenSSH installation directory on the compiled executables within the installation directory will succeed, verifying that the unstripped executables are what is needed. Note that the compilation will succeed even without the "--disable-strip" configure option, but the installed executables will then fail as noted above. From l.n.salazardg at globes.co.il Sun Dec 21 20:02:03 2003 
From: l.n.salazardg at globes.co.il (Leslie N. Salazar) Date: Sun, 21 Dec 2003 03:02:03 -0600 Subject: friday entertainment Message-ID: <20031220170412.696C527C187@shitei.mindrot.org> Sometimes people call it "Magic Lubricant". Sometimes - "Power Bottle". Why? An amazing erection WITHING SEVERAL SECONDS is guaranteed to you! Double-strengthed orgasm and full satisfaction... I guess this is excatly what are waiting from sex! Your easy-to-use solution is here: [1]http://www.ghkp.us/vpoil/?utopia ----- Link below is for that people who dislike adv..... [2]http://www.ghkp.us/vpoil/o.html References 1. http://www.ghkp.us/vpoil/?utopia 2. http://www.ghkp.us/vpoil/o.html From mouring at etoh.eviladmin.org Sun Dec 21 07:16:11 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Sat, 20 Dec 2003 14:16:11 -0600 (CST) Subject: README.Solaris9-X86 In-Reply-To: Message-ID: Erm? I don't have this problem. Are you using GNU's binutils? If so I suggest you upgrade them because older versions have a problem with their strip command. - Ben On Sat, 20 Dec 2003 supraexpress at globaleyes.net wrote: > The "--disable-strip" configure option is required as the Solaris9-X86 > linker/loader will not be able to load any of the executables and will > display a "Killed" message. Similarly, 'ldd' will fail with a "file has > insecure interpreter" error message. > > Performing a loader or ldd test from the OpenSSH installation directory on the > compiled executables within the installation directory will succeed, verifying > that the unstripped executables are what is needed. > > Note that the compilation will succeed even without the "--disable-strip" > configure option, but the installed executables will then fail as noted above. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From dtucker at zip.com.au Sun Dec 21 12:10:06 2003 
From: dtucker at zip.com.au (Darren Tucker) Date: Sun, 21 Dec 2003 12:10:06 +1100 Subject: README.Solaris9-X86 In-Reply-To: References: Message-ID: <3FE4F2EE.6080808@zip.com.au> supraexpress at globaleyes.net wrote: > The "--disable-strip" configure option is required as the Solaris9-X86 > linker/loader will not be able to load any of the executables and will > display a "Killed" message. Similarly, 'ldd' will fail with a "file has > insecure interpreter" error message. That's a bug with the "strip" from GNU binutils, specifically < 2.13 when stripping binaries linked with Solaris' own linker. Upgrade your binutils, put /usr/ccs/bin first on the path or delete the strip from binutils. See: http://sources.redhat.com/ml/bug-binutils/2002-q3/msg00034.html > Performing a loader or ldd test from the OpenSSH installation directory on the > compiled executables within the installation directory will succeed, verifying > that the unstripped executables are what is needed. Configure is complicated enough without having to second-guess buggy toolchains. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From MAILER-DAEMON at postoffice.telstra.net Sun Dec 21 18:32:49 2003 
From kumaresh_ind at gmx.net Mon Dec 22 16:09:10 2003
From: kumaresh_ind at gmx.net (Kumaresh)
Date: Mon, 22 Dec 2003 10:39:10 +0530
Subject: SCTP - Question
References: <3FE4F2EE.6080808@zip.com.au>
Message-ID: <01f201c3c849$c1851cc0$230110ac@kurco>

Hi All,

"Stream Control Transmission Protocol (SCTP) is a reliable, message-oriented, multi-homed transport protocol. Developed by the IETF SIGTRAN working group to transport SS7 over IP, it is now the third general-purpose transport developed by IETF. This version of Secure Shell has complete support for SSH connections over SCTP."

How to test this support in OpenSSH?

Advance thanks,
Kumaresh.

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.520 / Virus Database: 318 - Release Date: 9/18/2003

From aphor at speakeasy.net Mon Dec 22 16:43:45 2003
From: aphor at speakeasy.net (Jeremy McMillan)
Date: Sun, 21 Dec 2003 23:43:45 -0600
Subject: openssh-unix-dev Digest, Vol 8, Issue 15
In-Reply-To: <20031222051154.8D52D27C231@shitei.mindrot.org>
References: <20031222051154.8D52D27C231@shitei.mindrot.org>
Message-ID:

I think what Mr. Farr is referring to is keychain support. Keychain is provided as part of OS X. Apple published an API for it. An OS X compile would store and retrieve keys from Keychain in lieu/addition to the SSH Agent. Keychain is to OS-X what the ssh-agent is to ssh.

This makes perfect sense, and I haven't been sufficiently peeved to do this yet, but I have dreamt of this myself. It really should be up in the sysdep stuff. That way you can distribute a tarball. People can test that, and later it can get merged into the ssh tree.

For now, I, if not others, am interested in this code. Please do share: either diffs or tarball!

On Dec 21, 2003, at 11:11 PM, Damien Miller wrote:

> Is the OS X KeyChain free software? If so, then send a patch to this list.
>
> -d

---
Jeremy McMillan

From markus at openbsd.org Mon Dec 22 19:50:13 2003
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 22 Dec 2003 09:50:13 +0100
Subject: SCTP - Question
In-Reply-To: <01f201c3c849$c1851cc0$230110ac@kurco>
References: <3FE4F2EE.6080808@zip.com.au> <01f201c3c849$c1851cc0$230110ac@kurco>
Message-ID: <20031222085013.GA8887@folly>

openssh supports SCTP. how to test it depends on your OS.

On Mon, Dec 22, 2003 at 10:39:10AM +0530, Kumaresh wrote:
> How to test this support in OpenSSH?

From kumaresh_ind at gmx.net Mon Dec 22 19:58:52 2003
From: kumaresh_ind at gmx.net (Kumaresh)
Date: Mon, 22 Dec 2003 14:28:52 +0530
Subject: SCTP - Question
References: <3FE4F2EE.6080808@zip.com.au> <01f201c3c849$c1851cc0$230110ac@kurco> <20031222085013.GA8887@folly>
Message-ID: <14b501c3c869$d7a54640$230110ac@kurco>

Thanks for your reply.

Actually, I am using OpenSSH on HP-UX 11i. And the question basically was whether we need to test it with a service that uses SCTP, or what is the procedure for the test?

----- Original Message -----
From: "Markus Friedl"
To: "Kumaresh"
Cc:
Sent: Monday, December 22, 2003 2:20 PM
Subject: Re: SCTP - Question

> openssh supports SCTP. how to test it depends on your OS.

From markus at openbsd.org Mon Dec 22 20:29:36 2003
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 22 Dec 2003 10:29:36 +0100
Subject: SCTP - Question
In-Reply-To: <14b501c3c869$d7a54640$230110ac@kurco>
References: <3FE4F2EE.6080808@zip.com.au> <01f201c3c849$c1851cc0$230110ac@kurco> <20031222085013.GA8887@folly> <14b501c3c869$d7a54640$230110ac@kurco>
Message-ID: <20031222092936.GA12682@folly>

OpenSSH can run over SCTP just as it runs over TCP.

On Mon, Dec 22, 2003 at 02:28:52PM +0530, Kumaresh wrote:
> Actually, I am using OpenSSH on HP-UX 11i. And the question basically was whether we need to test it with a service that uses SCTP, or what is the procedure for the test?

From Daragh at UChicago.edu Tue Dec 23 02:13:10 2003
From: Daragh at UChicago.edu (Daragh Fitzpatrick)
Date: Mon, 22 Dec 2003 09:13:10 -0600
Subject: SSH for OS/390 (ODBC SSH-Tunneling to OS/390)
In-Reply-To:
Message-ID: <200312221513.hBMFDA8m000650@relay01.uchicago.edu>

Hi Ben,

Thanks for the response. We're looking at about 7 different ways to skin this cat, and will probably go with a Mainframe firewall if we can't get SSH to work..

Cheers,
:D

--------------------------------------------------------------------
Daragh Fitzpatrick                 Daragh at UChicago.edu   (773) 702-8976
Solutions Architect                NSIT Administrative Systems
Renewal Projects and Architecture  University of Chicago
--------------------------------------------------------------------
Let contacts update themselves - http://www.Plaxo.com

From Daragh at UChicago.edu Tue Dec 23 02:22:14 2003
From: Daragh at UChicago.edu (Daragh Fitzpatrick)
Date: Mon, 22 Dec 2003 09:22:14 -0600
Subject: SSH for OS/390 (ODBC SSH-Tunneling to OS/390)
In-Reply-To: <20031219180054.B5919@helena.bawue.de>
Message-ID: <200312221522.hBMFME8m001188@relay01.uchicago.edu>

Hi Florian,

We're currently looking at 7 different ways to approach this, now including Stunnel ;)

Cheers,
:D

--------------------------------------------------------------------
Daragh Fitzpatrick                 Daragh at UChicago.edu   (773) 702-8976
Solutions Architect                NSIT Administrative Systems
Renewal Projects and Architecture  University of Chicago
--------------------------------------------------------------------
Let contacts update themselves - http://www.Plaxo.com

-----Original Message-----
From: Florian Laws [mailto:florian at void.s.bawue.de]
Sent: Friday, December 19, 2003 11:01 AM
To: Daragh Fitzpatrick
Cc: openssh-unix-dev at mindrot.org
Subject: Re: SSH for OS/390 (ODBC SSH-Tunneling to OS/390)

On Fri, Dec 19, 2003 at 10:45:11AM -0600, Daragh Fitzpatrick wrote:
> The vendor that is providing the ODBC listener on the Mainframe side says they can provide SSL encryption as an alternative, but there are no SSL-enabled ODBC drivers on the distributed side that we can find.
>
> We hoped we could use SSH-tunneling, but it appears the only 'obvious' implementation has EBCDIC-ASCII issues, and so can't handle binary (now, I don't know for sure that ODBC is binary, but I'm hedging my bets.)

If the server side is in fact SSL-enabled, you could use stunnel on the clients for SSL tunneling. I don't know if it is interoperable between ASCII and EBCDIC platforms, though.

Also, if I remember correctly, somebody has ported SSH to BS/2000, which is also an EBCDIC platform. You might find something about this in the list archives.

Regards,

Florian

From mikulas at artax.karlin.mff.cuni.cz Tue Dec 23 06:26:28 2003
From: mikulas at artax.karlin.mff.cuni.cz (Mikulas Patocka)
Date: Mon, 22 Dec 2003 20:26:28 +0100 (CET)
Subject: possible sigchld bug
Message-ID:

Hi

What if you have sysv signals (i.e. signal is restored when handler is called) and child process exits here? Zombie will be left, because SIGCHLD is ignored at that point. Shouldn't signal be before waitpid?

Mikulas

    static void
    main_sigchld_handler(int sig)
    {
            int save_errno = errno;
            pid_t pid;
            int status;

            while ((pid = waitpid(-1, &status, WNOHANG)) > 0 ||
                (pid < 0 && errno == EINTR))
                    ;

    <----- HERE

            signal(SIGCHLD, main_sigchld_handler);
            errno = save_errno;
    }
From markus at openbsd.org Tue Dec 23 07:00:21 2003
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 22 Dec 2003 21:00:21 +0100
Subject: possible sigchld bug
In-Reply-To:
References:
Message-ID: <20031222200021.GA1664@folly>

signals are not blocked during execution of handlers?

On Mon, Dec 22, 2003 at 08:26:28PM +0100, Mikulas Patocka wrote:
> What if you have sysv signals (i.e. signal is restored when handler is called) and child process exits here? Zombie will be left, because SIGCHLD is ignored at that point. Shouldn't signal be before waitpid?

From pruiksma at freesurf.fr Tue Dec 23 07:06:15 2003
From: pruiksma at freesurf.fr (pruiksma at freesurf.fr)
Date: Mon, 22 Dec 2003 21:06:15 +0100 (CET)
Subject: ?? memory leak in 3des1
Message-ID: <50365.66.63.127.133.1072123575.squirrel@arlette.freesurf.fr>

Hello,

The quoted patch frees cipher_data malloc'd in calls to EVP_CipherInit() in ssh1_3des_init(), at least when linked with openssl >= 0.9.7. It does not appear to me (superficial scan) that there is any harm in calling the _cleanup routine with earlier openssl.

fwiw

:laird

--- openssh-3.7.1p2/cipher-3des1.c	Tue Sep 23 05:24:21 2003
+++ src37m/cipher-3des1.c	Mon Dec 15 08:26:30 2003
@@ -126,6 +126,11 @@
 	struct ssh1_3des_ctx *c;
 
 	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
+#ifndef SSH_OLD_EVP
+		EVP_CIPHER_CTX_cleanup(&c->k1);
+		EVP_CIPHER_CTX_cleanup(&c->k2);
+		EVP_CIPHER_CTX_cleanup(&c->k3);
+#endif
 		memset(c, 0, sizeof(*c));
 		xfree(c);
 		EVP_CIPHER_CTX_set_app_data(ctx, NULL);

OK, my reading of the code may be faulty, but is it that much worse than all the sex-aid messages that make it onto the list?

203.217.30.81 does not like recipient.
Remote host said: 450 Client host rejected: cannot find your hostname, [206.152.191.132]
Giving up on 203.217.30.81.
I'm not going to try again; this message has been in the queue too long.

From mikulas at artax.karlin.mff.cuni.cz Tue Dec 23 07:10:43 2003
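Review bot: The hunk discards the int return value of the three EVP_CIPHER_CTX_cleanup() calls and gates them on #ifndef SSH_OLD_EVP, while the cover letter does not say that ssh1_3des_init() sets up k1, k2 and k3 under the same condition; the cleanup should share one guard with the EVP_CipherInit() it undoes so that neither path can run without the other, and since the author reports no harm on earlier OpenSSL, the guard may be unnecessary altogether. The memset(c, 0, sizeof(*c)) that follows is still wanted to scrub the rest of the struct, and it would help reviewers to note in the description that this path runs only when the SSH1 3DES context is torn down.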
From: mikulas at artax.karlin.mff.cuni.cz (Mikulas Patocka)
Date: Mon, 22 Dec 2003 21:10:43 +0100 (CET)
Subject: possible sigchld bug
In-Reply-To: <20031222200021.GA1664@folly>
References: <20031222200021.GA1664@folly>
Message-ID:

> signals are not blocked during execution of handlers?

On BSD and Linux glibc-2, yes. On SysV or Linux libc-5, no (on these systems, the signal handler is restored to default before entering the handler function).

You should use sigaction() instead of signal() if you want consistent behaviour on all systems.

Mikulas

From markus at openbsd.org Tue Dec 23 07:18:22 2003
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 22 Dec 2003 21:18:22 +0100
Subject: possible sigchld bug
In-Reply-To:
References: <20031222200021.GA1664@folly>
Message-ID: <20031222201822.GA18328@folly>

i think this is what openssh's mysignal does...

On Mon, Dec 22, 2003 at 09:10:43PM +0100, Mikulas Patocka wrote:
> You should use sigaction() instead of signal() if you want consistent behaviour on all systems.

From mikulas at artax.karlin.mff.cuni.cz Tue Dec 23 07:24:33 2003
From: mikulas at artax.karlin.mff.cuni.cz (Mikulas Patocka)
Date: Mon, 22 Dec 2003 21:24:33 +0100 (CET)
Subject: possible sigchld bug
In-Reply-To: <20031222201822.GA18328@folly>
References: <20031222200021.GA1664@folly> <20031222201822.GA18328@folly>
Message-ID:

> i think this is what openssh's mysignal does...

Oh, I see. I didn't realize signal was a macro defined to mysignal.

Mikulas

From mouring at etoh.eviladmin.org Tue Dec 23 07:30:31 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 22 Dec 2003 14:30:31 -0600 (CST)
Subject: possible sigchld bug
In-Reply-To:
Message-ID:

On Mon, 22 Dec 2003, Mikulas Patocka wrote:

> > signals are not blocked during execution of handlers?
>
> On BSD and Linux glibc-2 yes. On SysV or Linux libc-5 no. (on these systems, signal handler is restored to default before entering handler function).
>
> You should use sigaction() instead of signal() if you want consistent behaviour on all systems.

Which we do. Please review openbsd-compat/bsd-misc.c. Look at 'mysignal()' and realize that we #define signal() to mysignal() in portable. There is still a fall back to the old signal() interface for older platforms like some SCO and NeXT.

So I think this is not really an issue.

- Ben

From markus at openbsd.org Tue Dec 23 07:29:14 2003
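The sigaction()-based signal() replacement that Mikulas recommends above and that Ben says portable OpenSSH's mysignal() provides, written here as an added example rather than OpenSSH's own bsd-misc.c code; the names portable_signal, sigchld_reaper and spawn_and_reap are ours, and the reaper keeps the waitpid() loop from the reported handler while needing no re-arming call after it.

```c
/*
 * Added example (not OpenSSH's code): a persistent SIGCHLD handler
 * installed with sigaction() instead of SysV-style signal().
 *
 * With sigaction() the disposition is not reset to SIG_DFL on entry
 * and SIGCHLD is blocked while the handler runs, so the window that
 * Mikulas describes (a child exiting between waitpid() and the
 * re-arming signal() call) does not exist: no zombie is left behind.
 */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <signal.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

typedef void (*sighandler_fn)(int);

/* Children reaped by the handler; sig_atomic_t so the main code can read it. */
static volatile sig_atomic_t reaped_children = 0;

/*
 * portable_signal(): signal()-like wrapper over sigaction(). The handler
 * stays installed across deliveries, the signal itself is masked while
 * the handler runs, and interrupted system calls are restarted.
 */
sighandler_fn portable_signal(int sig, sighandler_fn handler)
{
    struct sigaction sa, old;

    sa.sa_handler = handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    if (sig == SIGCHLD)
        sa.sa_flags |= SA_NOCLDSTOP;   /* report exits only, not stops */
    if (sigaction(sig, &sa, &old) == -1)
        return SIG_ERR;
    return old.sa_handler;
}

/* SIGCHLD handler: reap every exited child. Only async-signal-safe calls. */
static void sigchld_reaper(int sig)
{
    int save_errno = errno;   /* waitpid() may clobber errno */
    pid_t pid;
    int status;

    (void)sig;
    while ((pid = waitpid(-1, &status, WNOHANG)) > 0 ||
           (pid < 0 && errno == EINTR)) {
        if (pid > 0)
            reaped_children++;
    }
    /* No signal(SIGCHLD, ...) re-arm needed here: sigaction() is persistent. */
    errno = save_errno;
}

/*
 * Fork n children that exit immediately and return how many the handler
 * reaped. Returns -1 if the handler cannot be installed or fork() fails,
 * and -2 if a child was still unreaped after the wait (a leaked zombie).
 */
int spawn_and_reap(int n)
{
    int i, tries, status;
    struct timespec ts = { 0, 10 * 1000 * 1000 };   /* 10 ms poll interval */

    reaped_children = 0;
    if (portable_signal(SIGCHLD, sigchld_reaper) == SIG_ERR)
        return -1;

    for (i = 0; i < n; i++) {
        pid_t pid = fork();
        if (pid < 0)
            return -1;
        if (pid == 0)
            _exit(0);   /* child: exit at once, generating SIGCHLD in the parent */
    }

    /* The handler does the reaping; poll the counter with a bounded wait. */
    for (tries = 0; tries < 500 && reaped_children < n; tries++)
        nanosleep(&ts, NULL);

    /* Every child must already be gone: waitpid() should report ECHILD. */
    if (waitpid(-1, &status, WNOHANG) != -1 || errno != ECHILD)
        return -2;
    return (int)reaped_children;
}
```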
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 22 Dec 2003 21:29:14 +0100
Subject: ?? memory leak in 3des1
In-Reply-To: <50365.66.63.127.133.1072123575.squirrel@arlette.freesurf.fr>
References: <50365.66.63.127.133.1072123575.squirrel@arlette.freesurf.fr>
Message-ID: <20031222202914.GA15385@folly>

looks ok to me. but i don't see how this gets triggered, since 3des1.c is not used during rekeying...

On Mon, Dec 22, 2003 at 09:06:15PM +0100, pruiksma at freesurf.fr wrote:
> The quoted patch frees cipher_data malloc'd in calls to EVP_CipherInit() in ssh1_3des_init(), at least when linked with openssl >= 0.9.7. It does not appear to me (superficial scan) that there is any harm in calling the _cleanup routine with earlier openssl.

From Terry.Buckley at bbraun.com Tue Dec 23 07:37:35 2003
From: Terry.Buckley at bbraun.com (Terry.Buckley at bbraun.com)
Date: Mon, 22 Dec 2003 14:37:35 -0600
Subject: (no subject)
Message-ID:

On my system:

    HP-UX bbmusw1 B.11.00 A 9000/887 1485316281 two-user license

I installed the depot file "HP-UX 11.00 PA-RISC Downloads for openssh-3.7.1p2".

I am using /usr/local/sbin/sshd -d -d -d to get the debugging info. I get the following error after sshd accepts my password during the ssh session. This error happens when I use both putty and gnu ssh from my PC to the HPUX box.

    mm_receive_fd: expected type 1 got 2138968328

This is fatal and everything shuts down. What have I done wrong, and any clues how to fix this?

Thank you,

Terry Buckley
Software - Contractor
B. Braun Medical Inc.
HC-RD-US03
Phone: 972-245-2243 x485
FAX: 972-245-1612
MAIL: Terry.Buckley at bbraun.com

The information contained in this communication is confidential, may be attorney-client privileged, may constitute inside information, and is intended only for the use of the addressee. It is the property of B. Braun Medical Inc. or an affiliate thereof. Unauthorized use, disclosure, or copying of this communication or any part thereof is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by return e-mail and destroy this communication and all copies thereof, including all attachments.

From Terry.Buckley at bbraun.com Tue Dec 23 07:42:28 2003
From: Terry.Buckley at bbraun.com (Terry.Buckley at bbraun.com)
Date: Mon, 22 Dec 2003 14:42:28 -0600
Subject: subscribe

subscribe

Terry Buckley
Software - Contractor
B. Braun Medical Inc. HC-RD-US03
Phone: 972-245-2243 x485
FAX: 972-245-1612
MAIL: Terry.Buckley at bbraun.com
From: Terry.Buckley at bbraun.com (Terry.Buckley at bbraun.com)
Date: Mon, 22 Dec 2003 14:56:32 -0600
Subject: (no subject)

compiling ssh on HPUX get the following. any help or pointers please

$ make
(cd openbsd-compat && make)
/usr/local/bin/ar rv libopenbsd-compat.a bsd-arc4random.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o xmmap.o xcrypt.o base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o vis.o port-irix.o port-aix.o
/usr/lib/dld.sl: Can't open shared library: /usr/local/lib/libfl.sl
/usr/lib/dld.sl: No such file or directory
*** Termination signal 134
Stop.
*** Error exit code 1
Stop.

Terry Buckley
Software - Contractor
B. Braun Medical Inc. HC-RD-US03
Phone: 972-245-2243 x485
FAX: 972-245-1612
MAIL: Terry.Buckley at bbraun.com
From: SROYLANCE at PARTNERS.ORG (Roylance, Stephen D.)
Date: Mon, 22 Dec 2003 18:15:19 -0500
Subject: OpenSSH + PADL pam_ldap.so + password aging

First, my config:
Solaris 8
PADL pam_ldap v165 and pam_nss v211
OpenSSH 3.7.1.p2
All compiled with gcc 2.95.3 that ships with the Sun companion CD

LDAP PAM authentication is working well with OpenSSH, privsep is disabled,
challenge-response authentication is enabled. I would like to turn on
password aging, which seems to be well supported by pam_ldap. Logins going
through /bin/login correctly display warnings and run through the password
change when required. Password aging is not completely broken through
OpenSSH, but not perfect either. Warnings are not displayed at all.

Here is a transcript of an expired password session through login:

>SunOS 5.8
>
>login: sdr
>Password:
>You are required to change your LDAP password immediately.
>Choose a new password.
>Enter login(LDAP) password:
>LDAP Password incorrect: try again
>Enter login(LDAP) password:
>New password:
>Re-enter new password:
>LDAP password information changed for sdr
>No directory! Logging in with home=/
>Last login: Mon Dec 22 17:02:57 from someplace.somewhere
>bash-2.03$

and OpenSSH (Putty client) looks like this:

>login as: sdr
>Password:
>Enter login(LDAP) password:
>New password:
>Re-enter new password:
>LDAP password information changed for sdrLast login: Mon Dec 22 17:03:50 2003 from someplace.somewhere
>Could not chdir to home directory /export/home/sdr: No such file or directory
>bash-2.03$

So the password change is being forced, but some of the prompts from
pam_ldap are being lost. I'm not sure where to go from here, so any help
or guidance is appreciated. Please keep me on the CC list as I am not
subscribed to the list.

Thank You,
Steve Roylance
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 23 Dec 2003 10:41:24 +1100
Subject: OpenSSH + PADL pam_ldap.so + password aging
Message-ID: <3FE78124.9070902@zip.com.au>

Roylance, Stephen D. wrote:
> First, my config:
> Solaris 8
> PADL pam_ldap v165 and pam_nss v211
> OpenSSH 3.7.1.p2
> All compiled with gcc 2.95.3 that ships with the Sun companion CD
> I would like to turn on
> password aging, which seems to be well supported by pam_ldap.

Could you please try a snapshot[1]? There have been several PAM-related
changes, including some code that does the changes via SSH2
keyboard-interactive that works with privsep on.

[1] ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/ or one of
its mirrors listed at http://www.openssh.com/portable.html

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 23 Dec 2003 11:18:22 +1100
Subject: (no subject)
Message-ID: <3FE789CE.4010102@zip.com.au>

Terry.Buckley at bbraun.com wrote:
> On my system
> HP-UX bbmusw1 B.11.00 A 9000/887 1485316281 two-user license
>
> I installed the depot file
> HP-UX 11.00 PA-RISC
>
> Downloads for openssh-3.7.1p2
> I am using /usr/local/sbin/sshd -d -d -d to get the debugging info.
>
> I get the following error after sshd accepts my password during ssh
> session. This error happens when I use
> both putty and gnu ssh from my PC to the HPUX box.
>
> mm_receive_fd: expected type 1 got 2138968328
>
> This is a fatal and everything shuts down.
>
> What have I done wrong, and any clues how to fix this?

Apparently [1] some patch levels of HP-UX 11.00 have issues with
descriptor passing. You can install the Quality Pack for 11.00 or set
"UsePrivilegeSeparation no" in sshd_config (but be aware you'll forego
the protection it offers).

[1] http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=25616

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
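The descriptor passing that breaks here is the handoff between sshd's privilege-separation monitor and its unprivileged child. What follows is an added example, not OpenSSH's code: a minimal SCM_RIGHTS send and receive over an AF_UNIX socketpair, where the receiver makes the same validation the "expected type 1 got ..." line reflects (the control message must be SCM_RIGHTS, or the descriptor is refused). The function names (send_fd, receive_fd and the two self-tests) and the pipe-based round trip are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>

/* Ancillary-data buffer sized for one descriptor; the union keeps it aligned. */
union fdbuf {
	struct cmsghdr hdr;
	char buf[CMSG_SPACE(sizeof(int))];
};

/* Point msg at a one-byte payload (some systems drop empty messages) and at cb. */
static void setup_msg(struct msghdr *msg, struct iovec *vec, char *ch, union fdbuf *cb)
{
	memset(msg, 0, sizeof(*msg));
	memset(cb, 0, sizeof(*cb));
	vec->iov_base = ch;
	vec->iov_len = 1;
	msg->msg_iov = vec;
	msg->msg_iovlen = 1;
	msg->msg_control = cb->buf;
	msg->msg_controllen = sizeof(cb->buf);
}

/* Send fd over the AF_UNIX socket sock as an SCM_RIGHTS message. Returns 0 on success. */
int send_fd(int sock, int fd)
{
	struct msghdr msg; struct iovec vec; struct cmsghdr *cmsg;
	union fdbuf cb; char ch = '\0';
	setup_msg(&msg, &vec, &ch, &cb);
	cmsg = CMSG_FIRSTHDR(&msg);
	cmsg->cmsg_len = CMSG_LEN(sizeof(int));
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_RIGHTS;
	memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
	return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor from sock. Returns it, or -1 with a diagnostic in err when
 * the control message is missing or is not SCM_RIGHTS: the same validation that
 * produces "expected type 1 got ..." in the sshd debug output quoted above. */
int receive_fd(int sock, char *err, size_t errlen)
{
	struct msghdr msg; struct iovec vec; struct cmsghdr *cmsg;
	union fdbuf cb; char ch; ssize_t n; int fd;
	setup_msg(&msg, &vec, &ch, &cb);
	n = recvmsg(sock, &msg, 0);
	if (n != 1) {
		snprintf(err, errlen, "recvmsg: read %ld bytes, expected 1", (long)n);
		return -1;
	}
	cmsg = CMSG_FIRSTHDR(&msg);
	if (cmsg == NULL) {
		snprintf(err, errlen, "no control message received");
		return -1;
	}
	if (cmsg->cmsg_type != SCM_RIGHTS) {
		snprintf(err, errlen, "expected type %d got %d", SCM_RIGHTS, cmsg->cmsg_type);
		return -1;
	}
	memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
	return fd;
}

/* Self-test: pass a pipe's write end across a socketpair, write through the
 * received copy and read it back from the pipe. Returns 1 on success. */
int fdpass_roundtrip(void)
{
	int sv[2], p[2], fd, ok = 0;
	char buf[4], err[128];
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1 || pipe(p) == -1)
		return 0;
	if (send_fd(sv[0], p[1]) == 0 && (fd = receive_fd(sv[1], err, sizeof(err))) >= 0) {
		/* The received descriptor is a new number that refers to the same pipe. */
		if (fd != p[1] && write(fd, "ok", 2) == 2 && read(p[0], buf, sizeof(buf)) == 2)
			ok = memcmp(buf, "ok", 2) == 0;
		close(fd);
	}
	close(sv[0]); close(sv[1]); close(p[0]); close(p[1]);
	return ok;
}

/* Self-test of the failure path: a bare byte without ancillary data must be
 * refused rather than turned into a descriptor. Returns 1 when refused. */
int fdpass_rejects_missing_cmsg(void)
{
	int sv[2], refused = 0;
	char err[128] = "";
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
		return 0;
	if (write(sv[0], "x", 1) == 1)
		refused = receive_fd(sv[1], err, sizeof(err)) == -1 && err[0] != '\0';
	close(sv[0]); close(sv[1]);
	return refused;
}
```

Turning privilege separation off makes sshd stop exchanging descriptors this way, which is why it works around the HP-UX fault, at the cost Darren notes.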
From: farr at mit.edu (farr at mit.edu)
Date: Tue, 23 Dec 2003 04:30:09 -0500
Subject: Mac OS X Keychain Support
In-Reply-To: <20031222200257.1AC3527C230@shitei.mindrot.org>
References: <20031222200257.1AC3527C230@shitei.mindrot.org>
Message-ID: <1072171809.3fe80b21b3341@webmail.mit.edu>

Unfortunately, I'm at home for the holidays, and my laptop is having modem
problems which isolate it from the remainder of the world. I'll submit a
patch to this list as soon as I get these problems worked out.

The code is very simple; I just modified the readpass.{c,h} files to check
whether a keychain item with the same name as the password prompt exists,
and if so to use the password from the keychain, before calling the BSD
readpassphrase function. If the user types in a password at the prompt,
ssh asks whether that password should be stored on the keychain. Of
course, I also changed configure.ac to check whether a program using the
Keychain API compiles (this check only occurs if the system name includes
"darwin") before enabling the feature.

If I get some time, I'll add the following improvements:

1) allow the user to choose not to use the stored password in the keychain
   and proceed to the prompt
2) allow the user to designate certain passwords as non-saveable, so he or
   she isn't prompted and forced to say "no" every time he or she types a
   password.

Someone asked how the system knows it's running a GUI so it can display
the "unlock keychain" dialog. I don't know precisely how Apple does this,
but if you ask for a password from a locked keychain, the system
automatically calls the unlock function, which is able to display the
necessary window widgets. Since OS X always runs the GUI (except in single
user mode), I don't imagine that this is very complicated.

I'm not an expert on your policy about including code which uses
non-open-source APIs, but I'll post a patch to this list anyway as soon as
my computer's modem issue is resolved. Sorry to keep you waiting.
Will

> Message: 1
> Date: Sun, 21 Dec 2003 23:43:45 -0600
> From: Jeremy McMillan
> Subject: Re: openssh-unix-dev Digest, Vol 8, Issue 15
> To: openssh-unix-dev at mindrot.org
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> I think what Mr. Farr is referring to is keychain support. Keychain is
> provided as part of OS X. Apple published an API for it. An OS X
> compile would store and retrieve keys from Keychain in lieu/addition to
> the SSH Agent. Keychain is to OS-X what the ssh-agent is to ssh. This
> makes perfect sense, and I haven't been sufficiently peeved to do this
> yet, but I have dreamt of this myself.
>
> It really should be up in the sysdep stuff. That way you can distribute
> a tarball. People can test that, and later it can get merged into the
> ssh tree.
>
> For now, I, if not others, am interested in this code. Please do share:
> either diffs or tarball!
>
> On Dec 21, 2003, at 11:11 PM, Damien Miller wrote:
>
> > Date: 20 Dec 2003 07:40:32 +1100
> > From: Damien Miller
> > Subject: Re: Mac OS X Keychain Support
> > To: "Will M. Farr"
> > Cc: openssh-unix-dev at mindrot.org
> > Message-ID: <1071866432.31141.10.camel at sakura.mindrot.org>
> > Content-Type: text/plain
> >
> > On Sat, 2003-12-20 at 04:56, Will M. Farr wrote:
> >> Hello,
> >>
> >> I'm a Mac OS X user, and I got tired of typing my password every time I
> >> want to login, but didn't want to use ssh-agent and the like. So, I
> >> grabbed the code for OpenSSH 3.7p1, and made some modifications which
> >> allow passwords to be stored and recalled from the OS X Keychain. The
> >> reason I'm posting to this list is that I'd like to make these
> >> modifications available to others, and I'm curious whether you would be
> >> interested in including them in OpenSSH; I know that this is pretty
> >> operating-system specific (as far as I know, keychain is unique to OS
> >> X), but I changed configure.ac to test for keychain support when it
> >> detects a darwin operating system, so it shouldn't bother people who
> >> don't have mac os X. Should I diff my code against the standard 3.7p1
> >> and give you guys a patch?
> >
> > Is the OS X KeyChain free software? If so, then send a patch to this
> > list.
> >
> > -d
>
> ---
> Jeremy McMillan
From: pruiksma at freesurf.fr (pruiksma at freesurf.fr)
Date: Tue, 23 Dec 2003 12:13:59 +0100 (CET)
Subject: ?? memory leak in 3des1
In-Reply-To: <20031222202914.GA15385@folly>
References: <20031222202914.GA15385@folly>
Message-ID: <55377.66.63.127.133.1072178039.squirrel@arlette.freesurf.fr>

> looks ok to me.
>
> but i don't see how this gets triggered, since
> 3des1.c is not used during rekeying...
>

True. I'm under vxWorks, so the packet_close() at end of session that calls
this loses memory. Not an issue under any more advanced OS.

Thanks,

:laird

> On Mon, Dec 22, 2003 at 09:06:15PM +0100, pruiksma at freesurf.fr wrote:
>> Hello,
>>
>> quoted patch frees cipher_data malloc'd in calls to EVP_CipherInit()
>> in ssh1_3des_init(), at least linked with openssl >= 0.9.7. It does
>> not appear to me (superficial scan) that there is any harm in calling
>> the _cleanup routine with earlier openssl.
>>
>> fwiw
>>
>> :laird
>>
>>
>> --- openssh-3.7.1p2/cipher-3des1.c Tue Sep 23 05:24:21 2003
>> +++ src37m/cipher-3des1.c Mon Dec 15 08:26:30 2003
>> @@ -126,6 +126,11 @@
>> struct ssh1_3des_ctx *c;
>>
>> if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
>> +#ifndef SSH_OLD_EVP
>> + EVP_CIPHER_CTX_cleanup(&c->k1);
>> + EVP_CIPHER_CTX_cleanup(&c->k2);
>> + EVP_CIPHER_CTX_cleanup(&c->k3);
>> +#endif
>> memset(c, 0, sizeof(*c));
>> xfree(c);
>> EVP_CIPHER_CTX_set_app_data(ctx, NULL);
>>
>>
>> OK, my reading of the code may be faulty, but is it that much worse
>> than all the sex-aid messages that make it onto the list?
>>
>> :
>> 203.217.30.81 does not like recipient.
>> Remote host said: 450 Client host rejected: cannot find your hostname,
>> [206.152.191.132]
>> Giving up on 203.217.30.81.
>> I'm not going to try again; this message has been in the queue too
>> long.

From: kumaresh_ind at gmx.net (Kumaresh)
Date: Tue, 23 Dec 2003 18:17:13 +0530
Subject: SCTP - Question
References: <3FE4F2EE.6080808@zip.com.au> <01f201c3c849$c1851cc0$230110ac@kurco> <20031222085013.GA8887@folly> <14b501c3c869$d7a54640$230110ac@kurco> <20031222092936.GA12682@folly>
Message-ID: <032101c3c952$ed546c20$230110ac@kurco>

Thanks again.

Could you please notify the code segments [some samples], in the version
3.7.1p2 that has changed over the previous version to support SCTP.

This is to understand if there are source changes necessary to support
SCTP...

Regards,
Kumaresh

----- Original Message -----
From: "Markus Friedl"
To: "Kumaresh"
Cc:
Sent: Monday, December 22, 2003 2:59 PM
Subject: Re: SCTP - Question

> OpenSSH can run over SCTP just as it runs over TCP.
>
> On Mon, Dec 22, 2003 at 02:28:52PM +0530, Kumaresh wrote:
> >
> > Thanks for your reply.
> >
> > Actually, I am using OpenSSH on HP-UX 11i. And the question basically was,
> > whether we need to test it with a service that uses SCTP, or what is the
> > procedure for the test?
> >
> >
> > ----- Original Message -----
> > From: "Markus Friedl"
> > To: "Kumaresh"
> > Cc:
> > Sent: Monday, December 22, 2003 2:20 PM
> > Subject: Re: SCTP - Question
> >
> >
> > > openssh supports SCTP. how to test it
> > > depends on your OS.
> > >
> > > On Mon, Dec 22, 2003 at 10:39:10AM +0530, Kumaresh wrote:
> > > > Hi All,
> > > >
> > > > " Stream Control Transmission Protocol (SCTP) is a reliable,
> > > > message-oriented, multi-homed transport protocol. Developed by the IETF
> > > > SIGTRAN working group to transport SS7 over IP, it is now the third
> > > > general-purpose transport developed by IETF. This version of Secure Shell
> > > > has complete support for SSH connections over SCTP."
> > > >
> > > > How to test this support in OpenSSH?
> > > >
> > > > Advance thanks,
> > > > Kumaresh.
> > > >
> > > > ---
> > > > Outgoing mail is certified Virus Free.
> > > > Checked by AVG anti-virus system (http://www.grisoft.com).
> > > > Version: 6.0.520 / Virus Database: 318 - Release Date: 9/18/2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 24 Dec 2003 00:08:20 +1100
Subject: SCTP - Question
In-Reply-To: <032101c3c952$ed546c20$230110ac@kurco>
References: <3FE4F2EE.6080808@zip.com.au> <01f201c3c849$c1851cc0$230110ac@kurco> <20031222085013.GA8887@folly> <14b501c3c869$d7a54640$230110ac@kurco> <20031222092936.GA12682@folly> <032101c3c952$ed546c20$230110ac@kurco>
Message-ID: <3FE83E44.3030200@zip.com.au>

Kumaresh wrote:
> Could you please notify the code segments [some samples], in the version
> 3.7.1p2 that has changed over the previous version to support SCTP.
>
> This is to understand if there are source changes necessary to support
> SCTP...

Here's the patchset pulled from Portable's CVS:
http://www.zip.com.au/~dtucker/openssh/openssh-sctp.patch

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From: jakob at rfc.se (Jakob Schlyter)
Date: Tue, 23 Dec 2003 17:16:48 +0100 (CET)
Subject: Mac OS X Keychain Support
In-Reply-To: <1072171809.3fe80b21b3341@webmail.mit.edu>
References: <20031222200257.1AC3527C230@shitei.mindrot.org> <1072171809.3fe80b21b3341@webmail.mit.edu>

On Tue, 23 Dec 2003 farr at mit.edu wrote:

> Someone asked how the system knows it's running a GUI so it can display
> the "unlock keychain" dialog. I don't know precisely how Apple does
> this, but if you ask for a password from a locked keychain, the system
> automatically calls the unlock function, which is able to display the
> necessary window widgets. Since OS X always runs the GUI (except in
> single user mode), I don't imagine that this is very complicated.

osx does not always run the gui, as you can access the system remotely.
something like the mechanism used for X11 & SSH_ASKPASS is likely needed
here.

jakob
From: SROYLANCE at PARTNERS.ORG (Roylance, Stephen D.)
Date: Tue, 23 Dec 2003 13:46:50 -0500
Subject: OpenSSH + PADL pam_ldap.so + password aging

Both warnings and expiration messages work correctly with
openssh-SNAP-20031221 and no other changes in my configuration.

Will the next release have this code included? When is that planned?

Thanks for your help,

Stephen Roylance

-----Original Message-----
From: Darren Tucker [mailto:dtucker at zip.com.au]
Sent: Monday, December 22, 2003 6:41 PM
To: Roylance, Stephen D.
Cc: 'openssh-unix-dev at mindrot.org'
Subject: Re: OpenSSH + PADL pam_ldap.so + password aging

Roylance, Stephen D. wrote:
> First, my config:
> Solaris 8
> PADL pam_ldap v165 and pam_nss v211
> OpenSSH 3.7.1.p2
> All compiled with gcc 2.95.3 that ships with the Sun companion CD
> I would like to turn on
> password aging, which seems to be well supported by pam_ldap.

Could you please try a snapshot[1]? There have been several PAM-related
changes, including some code that does the changes via SSH2
keyboard-interactive that works with privsep on.

[1] ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/ or one of
its mirrors listed at http://www.openssh.com/portable.html

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 24 Dec 2003 10:18:54 +1100
Subject: OpenSSH + PADL pam_ldap.so + password aging
Message-ID: <3FE8CD5E.6060101@zip.com.au>

Roylance, Stephen D. wrote:
> Both warnings and expiration messages work correctly with openssh-SNAP-20031221
> and no other changes in my configuration.

Excellent.

> Will the next release have this code included?

Yes, the snapshots contain the code that will become the next major release.

> When is that planned?

Sorry, don't know.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
From: farr at mit.edu (farr at mit.edu)
Date: Wed, 24 Dec 2003 02:38:57 -0500
Subject: Mac OS X Keychain Support
References: <20031222200257.1AC3527C230@shitei.mindrot.org> <1072171809.3fe80b21b3341@webmail.mit.edu>
Message-ID: <1072251537.3fe9429179fc3@webmail.mit.edu>

You're right. I don't know what the system would do if it can't open the
dialog to unlock the keychain; probably the request for the password would
fail, and ssh would fall back on the standard readpassphrase method. I'll
have to test it, however.

Thanks,
Will

Quoting Jakob Schlyter :

> On Tue, 23 Dec 2003 farr at mit.edu wrote:
>
> > Someone asked how the system knows it's running a GUI so it can display
> > the "unlock keychain" dialog. I don't know precisely how Apple does
> > this, but if you ask for a password from a locked keychain, the system
> > automatically calls the unlock function, which is able to display the
> > necessary window widgets. Since OS X always runs the GUI (except in
> > single user mode), I don't imagine that this is very complicated.
>
> osx does not always run the gui, as you can access the system remotely.
> something like the mechanism used for X11 & SSH_ASKPASS is likely needed
> here.
>
> jakob
>
From: erikvcl at silcom.com (erikvcl at silcom.com)
Date: Mon, 29 Dec 2003 09:36:06 -0800 (PST)
Subject: Partial authentication
In-Reply-To: <004901c3a57b$8d1aa540$5bd90680@rutgers.edu>

Dmitry,

The original partial authentication patch for the pre-privilege-separation
version of SSH was written by Carson Gaspar. An improvement on this patch
was made by Maciej Bogucki.

As an employee of Cyclades, I ported this patch to the current version of
SSH with privilege separation since we needed this functionality.
The work that I did is quite a hack, but it works well enough. I do not
have the extensive knowledge of SSH that I should have to make this kind
of improvement in as elegant a way as the core SSH developers.

Although I have passed my work along (and the code is available in our
product's freely-available CDK), there seems to be little interest in
partial authentication among the OpenSSH community (I've brought up this
topic before).

I would like to see partial authentication in OpenSSH as I think that it
is a valuable feature. It would be great to see improvements to the work
that I've done to turn a strictly functional patch into one that is
elegant and verified to be free of security concerns.

Regards,

Erik.

On Fri, 7 Nov 2003, Dmitry Berezin wrote:

> Hello,
>
> I would like to bring up the topic of possibly including partial
> authentication functionality into OpenSSH again - it was discussed a few
> weeks ago. I believe that implementing auth vectors was suggested as a way
> to achieve this.
> The reasoning behind the need for partial auth is that there are cases when
> multiple methods of authentication are required for the user to be
> successfully authenticated (password and SecureID for example).
> I just want to find out if there are any active plans for building this, or
> if there is a decision not to include partial auth in OpenSSH.
>
> Thank you,
>
> -Dmitry.
>

-- 
Erik Lotspeich
Software Engineer, R&D
Cyclades Corporation
erik.lotspeich at cyclades.com
Phone: 510-771-6153
Fax: 510-771-6200
http://www.cyclades.com/
"Everywhere with Linux"

From: markus at openbsd.org (Markus Friedl)
Date: Mon, 29 Dec 2003 19:34:00 +0100
Subject: Partial authentication
References: <004901c3a57b$8d1aa540$5bd90680@rutgers.edu>
Message-ID: <20031229183400.GA15009@folly>

On Mon, Dec 29, 2003 at 09:36:06AM -0800, erikvcl at silcom.com wrote:
> The original partial authentication patch for the pre-privilege-separation
> version of SSH was written by Carson Gaspar. An improvement on this patch
> was made by Maciej Bogucki.

we would be interested in a simple version of partial authentication.

From: carson at taltos.org (Carson Gaspar)
Date: Mon, 29 Dec 2003 17:07:33 -0500
Subject: Partial authentication
In-Reply-To: <20031229183400.GA15009@folly>
References: <004901c3a57b$8d1aa540$5bd90680@rutgers.edu> <20031229183400.GA15009@folly>
Message-ID: <1847192704.1072735653@taltos.ny.ficc.gs.com>

--On Monday, December 29, 2003 19:34:00 +0100 Markus Friedl wrote:

> we would be interested in a simple version of partial authentication.

Please define "simple". If the auth types aren't ordered (e.g. pubkey
before password), then it's mostly useless.

-- 
Carson
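To make Carson's ordering point concrete, here is an added example that is not OpenSSH code and not any of the patches discussed in this thread: a small model of an ordered authentication chain in which a method is only evaluated when it is the next one required, and a method that passes yields a partial success rather than a login. The names (auth_chain, auth_chain_attempt, demo_ordered_chain) and the "publickey,password" list syntax are this example's own.

```c
#include <string.h>
#include <stdio.h>

/* Result of one attempt, mirroring RFC 4252: SUCCESS, or FAILURE with the
 * partial-success flag set when a method passed but more are still required. */
enum auth_result { AUTH_REJECT = 0, AUTH_PARTIAL = 1, AUTH_ACCEPT = 2 };

#define MAX_METHODS 4
#define SPEC_LEN 64

struct auth_chain {
	char spec[SPEC_LEN];               /* private copy of the method list, split in place */
	const char *required[MAX_METHODS]; /* ordered, e.g. "publickey" then "password" */
	int n;                             /* methods in the chain */
	int done;                          /* methods that have succeeded so far, in order */
	int failures;                      /* refused or failed attempts, for logging and lockout */
};

/* Parse an ordered, comma-separated method list such as "publickey,password".
 * Returns 0 on success, -1 if the list is empty, too long, has an empty entry
 * or more than MAX_METHODS entries. */
int auth_chain_init(struct auth_chain *c, const char *list)
{
	char *p, *comma;
	memset(c, 0, sizeof(*c));
	if (list == NULL || *list == '\0' || strlen(list) >= SPEC_LEN)
		return -1;
	strcpy(c->spec, list);
	for (p = c->spec; p != NULL; p = comma) {
		if ((comma = strchr(p, ',')) != NULL)
			*comma++ = '\0';
		if (*p == '\0' || c->n == MAX_METHODS)
			return -1;
		c->required[c->n++] = p;
	}
	return 0;
}

/* Method the server would advertise as able to continue, or NULL once done. */
const char *auth_chain_next(const struct auth_chain *c)
{
	return c->done < c->n ? c->required[c->done] : NULL;
}

/* Process one attempt. method_ok is the verdict of the real verifier (signature
 * check, PAM, token), but it is only consulted when method is the next one in
 * the chain: an out-of-order attempt is refused without being evaluated, so a
 * password guess never reaches the password verifier before pubkey has passed. */
enum auth_result auth_chain_attempt(struct auth_chain *c, const char *method, int method_ok)
{
	if (c->done >= c->n)
		return AUTH_ACCEPT;
	if (strcmp(method, c->required[c->done]) != 0 || !method_ok) {
		c->failures++;
		return AUTH_REJECT;
	}
	c->done++;
	return c->done == c->n ? AUTH_ACCEPT : AUTH_PARTIAL;
}

/* Returns 1 when auth_chain_init refuses list (input validation check). */
int chain_list_refused(const char *list)
{
	struct auth_chain c;
	return auth_chain_init(&c, list) != 0;
}

/* Walk a "publickey,password" chain through the interesting cases and return
 * the number of checks that behaved as expected (5 when everything is right). */
int demo_ordered_chain(void)
{
	struct auth_chain c;
	int passed = 0;
	if (auth_chain_init(&c, "publickey,password") != 0)
		return 0;
	/* A correct password offered first is refused: wrong position in the chain. */
	passed += auth_chain_attempt(&c, "password", 1) == AUTH_REJECT;
	/* A bad signature fails and leaves the cursor where it was. */
	passed += auth_chain_attempt(&c, "publickey", 0) == AUTH_REJECT && c.done == 0;
	/* A good key yields partial success and advertises "password" as the next step. */
	passed += auth_chain_attempt(&c, "publickey", 1) == AUTH_PARTIAL
	    && strcmp(auth_chain_next(&c), "password") == 0;
	/* Only now is the password verifier consulted, and it completes the chain. */
	passed += auth_chain_attempt(&c, "password", 1) == AUTH_ACCEPT && auth_chain_next(&c) == NULL;
	/* Both refusals were counted for the audit trail. */
	passed += c.failures == 2;
	return passed;
}
```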
From: dberezin at acs.rutgers.edu (Dmitry Berezin)
Date: Mon, 29 Dec 2003 17:56:52 -0500
Subject: Partial authentication
Message-ID: <000001c3ce5f$0ce9cdd0$5bd90680@rutgers.edu>

Erik,

I tried to download CDK from your site, but it requires valid serial number
for one of your products. Is there any other way you could share your work?
I'd be glad to spend some time working on this patch, but afraid that I too
do not have enough expertise in SSH development to bring it to the right
level.

-Dmitry.

> -----Original Message-----
> From: openssh-unix-dev-bounces+dberezin=acs.rutgers.edu at mindrot.org
> [mailto:openssh-unix-dev-bounces+dberezin=acs.rutgers.edu at mindrot.org] On
> Behalf Of erikvcl at silcom.com
> Sent: Monday, December 29, 2003 12:36 PM
> To: Dmitry Berezin
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: Partial authentication
>
> Dmitry,
>
> The original partial authentication patch for the pre-privilege-separation
> version of SSH was written by Carson Gaspar. An improvement on this patch
> was made by Maciej Bogucki.
>
> As an employee of Cyclades, I ported this patch to the current version of
> SSH with privilege separation since we needed this functionality.
> The work that I did is quite a hack, but it works well enough. I do not
> have the extensive knowledge of SSH that I should have to make this kind
> of improvement in as elegant a way as the core SSH developers.
>
> Although I have passed my work along (and the code is available in our
> product's freely-available CDK), there seems to be little interest in
> partial authentication among the OpenSSH community (I've brought up this
> topic before).
>
> I would like to see partial authentication in OpenSSH as I think that it
> is a valuable feature. It would be great to see improvements to the work
> that I've done to turn a strictly functional patch into one that is
> elegant and verified to be free of security concerns.
>
> Regards,
>
> Erik.
>
> On Fri, 7 Nov 2003, Dmitry Berezin wrote:
>
> > Hello,
> >
> > I would like to bring up the topic of possibly including partial
> > authentication functionality into OpenSSH again - it was discussed a few
> > weeks ago. I believe that implementing auth vectors was suggested as a way
> > to achieve this.
> > The reasoning behind the need for partial auth is that there are cases when
> > multiple methods of authentication are required for the user to be
> > successfully authenticated (password and SecureID for example).
> > I just want to find out if there are any active plans for building this, > or > > if there is a decision not to include partial auth in OpenSSH. > > > > Thank you, > > > > -Dmitry. > > > > _______________________________________________ > > openssh-unix-dev mailing list > > openssh-unix-dev at mindrot.org > > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > > > -- > Erik Lotspeich > Software Engineer, R&D > Cyclades Corporation > erik.lotspeich at cyclades.com > Phone: 510-771-6153 > Fax: 510-771-6200 > http://www.cyclades.com/ > "Everywhere with Linux" > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From erik.lotspeich at cyclades.com Tue Dec 30 10:29:12 2003 From: erik.lotspeich at cyclades.com (Erik Lotspeich) Date: Mon, 29 Dec 2003 15:29:12 -0800 (PST) Subject: Partial authentication In-Reply-To: <000001c3ce5f$0ce9cdd0$5bd90680@rutgers.edu> Message-ID: Dmitry, The version of the patch in the Cyclades CDK will not work for standard purposes -- it is only useful to those who have Cyclades products. I will make an effort to send you my version of the patch without all the Cyclades-specific stuff. Hope this helps, Erik. On Mon, 29 Dec 2003, Dmitry Berezin wrote: > Erik, > > I tried to download CDK from your site, but it requires valid serial number > for one of your products. Is there any other way you could share your work? > I'd be glad to spend some time working on this patch, but afraid that I too > do not have enough expertise in SSH development to bring it to the right > level. > > -Dmitry. > > > -----Original Message----- 
> > From: openssh-unix-dev-bounces+dberezin=acs.rutgers.edu at mindrot.org > > [mailto:openssh-unix-dev-bounces+dberezin=acs.rutgers.edu at mindrot.org] On > > Behalf Of erikvcl at silcom.com > > Sent: Monday, December 29, 2003 12:36 PM > > To: Dmitry Berezin > > Cc: openssh-unix-dev at mindrot.org > > Subject: Re: Partial authentication > > > > Dmitry, > > > > The original partial authentication patch for the pre-privilege-separation > > version of SSH was written by Carson Gaspar. An improvement on this patch > > was made by Maciej Bogucki. > > > > As an employee of Cyclades, I ported this patch to the current version of > > SSH with privilege separation since we needed this functionality. > > The work that I did is quite a hack, but it works well enough. I do not > > have the extensive knowledge of SSH that I should have to make this kind > > of improvement in as elegant a way as the core SSH developers. > > > > Although I have passed my work along (and the code is available in our > > product's freely-available CDK), there seems to be little interest in > > partial authentication among the OpenSSH community (I've brought up this > > topic before). > > > > I would like to see partial authentication in OpenSSH as I think that it > > is a valuable feature. It would be great to see improvements to the work > > that I've done to turn a strictly functional patch into one that is > > elegant and verified to be free of security concerns. > > > > Regards, > > > > Erik. > > > > On Fri, 7 Nov 2003, Dmitry Berezin wrote: > > > > > Hello, > > > > > > I would like to bring up the topic of possibly including partial > > > authentication functionality into OpneSSH again - it was discussed a few > > > weeks ago. I believe that implementing auth vectors was suggested as a > > way > > > to achieve this. 
> > > The reasoning behind the need for partial auth is that there are cases > > when > > > multiple methods of authentication are required for the user to be > > > successfully authenticated (password and SecureID for example). > > > I just want to find out if there are any active plans for building this, > > or > > > if there is a decision not to include partial auth in OpenSSH. > > > > > > Thank you, > > > > > > -Dmitry. > > > > > > _______________________________________________ > > > openssh-unix-dev mailing list > > > openssh-unix-dev at mindrot.org > > > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > > > > > > -- > > Erik Lotspeich > > Software Engineer, R&D > > Cyclades Corporation > > erik.lotspeich at cyclades.com > > Phone: 510-771-6153 > > Fax: 510-771-6200 > > http://www.cyclades.com/ > > "Everywhere with Linux" > > > > _______________________________________________ > > openssh-unix-dev mailing list > > openssh-unix-dev at mindrot.org > > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > -- Erik Lotspeich Software Engineer, R&D Cyclades Corporation erik.lotspeich at cyclades.com Phone: 510-771-6153 Fax: 510-771-6200 http://www.cyclades.com/ "Everywhere with Linux" From markus at openbsd.org Tue Dec 30 22:52:45 2003 
From: markus at openbsd.org (Markus Friedl) Date: Tue, 30 Dec 2003 12:52:45 +0100 Subject: Partial authentication In-Reply-To: <1847192704.1072735653@taltos.ny.ficc.gs.com> References: <004901c3a57b$8d1aa540$5bd90680@rutgers.edu> <20031229183400.GA15009@folly> <1847192704.1072735653@taltos.ny.ficc.gs.com> Message-ID: <20031230115245.GB12702@folly> On Mon, Dec 29, 2003 at 05:07:33PM -0500, Carson Gaspar wrote: > > > --On Monday, December 29, 2003 19:34:00 +0100 Markus Friedl > wrote: > > >we would be interested in a simple version of partial authentication. > > Please define "simple". < 200 lines :) From lists1 at sonous.com Wed Dec 31 12:30:45 2003 
From: lists1 at sonous.com (Lev Lvovsky) Date: Tue, 30 Dec 2003 17:30:45 -0800 Subject: chroot + ssh concerns Message-ID:

Hello,

I'm new to the list, but hopefully I've done enough digging around that I don't get yelled at too terribly ;)

We're looking to implement a chrooted environment for allowing users to scp files from servers. That's basically the only functionality that we need in this case. We're looking to chroot the user and/or remove any chance that the account can log in via ssh or locally to the machine and run any commands. Essentially the idea is to create a dump/pickup directory on the machines in question.

In looking around, it seems that chroot has come up on this list several times, and has been discussed ad nauseam on usenet. In looking at the archives, it seems that the patch for this has been removed from the contrib section of the ssh source.

While patches for chrooted ssh exist (chrootssh comes to mind), I've also read the discussion here:

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102163541912823&w=2

and am curious to get this group's take on possible solutions.

1. does anyone have recommendations/warnings about applying the securessh patch? The two main problems I see are code auditing (which, while I understand C, I don't know the ssh source well enough to understand the patch), as well as waiting on patches to newly announced vulnerabilities.

2. the other options that we have for this are "restricted bash" (rbash), and the "scponly" shell - does anyone have any comments on either of those two as more (or less) recommended than the chrootssh patch?

any other words of wisdom are very much appreciated!

thanks,
-lev

From mouring at etoh.eviladmin.org Wed Dec 31 12:43:50 2003 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 30 Dec 2003 19:43:50 -0600 (CST) Subject: chroot + ssh concerns In-Reply-To: Message-ID: You may want to consider: http://www.pizzashack.org/rssh/ - Ben On Tue, 30 Dec 2003, Lev Lvovsky wrote: > Hello, > > I'm new to the list, but hopefully I've done enough digging around that > I don't get yelled at too terribly ;) > > We're looking to implement a chrooted environment for allowing users to > scp files from servers. That's basically the only functionality that > we need in this case. We're looking to chroot the user and/or remove > any chance that the account can login via ssh or local to the machine > an run any commands. Essentially the idea is to create a dump/pickup > directory on the machines in question. > > In looking around, it seems that chroot has come up on this list > several times, and has been discussed ad nauseum on usenet. In looking > at the archives, it seems that the patch for this has been removed from > the contrib section of the ssh source. > > While patches for chrooted ssh exist (chrootssh comes to mind), I've > also read the discussion here: > > http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102163541912823&w=2 > > and am curious to get this groups take on possible solutions. > > 1. does anyone have recommendations/warnings about applying the > securessh patch? The two main problems I see are code auditting > (which, while I understand C, I don't know the ssh source well enough > to understand the patch), as well as waiting on patches to newly > announced vulnerabilities. > > 2. the other options that we have for this are "restricted bash" > (rbash), and the "scponly" shell - does anyone have any comments on > either of those two as more (or less) recommended than the chrootssh > patch? > > any other words of wisdom are very much appreciated! 
> > thanks, > -lev > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From lists1 at sonous.com Wed Dec 31 13:08:09 2003 
From: lists1 at sonous.com (Lev Lvovsky) Date: Tue, 30 Dec 2003 18:08:09 -0800 Subject: chroot + ssh concerns In-Reply-To: References: Message-ID: <2E549FC8-3B36-11D8-AEEC-000A959DCC8C@sonous.com> Ben, To be honest, I'm personally pushing for an unmodified-ssh way of doing things - it's the head of security here that would rather we patch ssh. Can you be more specific as to why this is a better idea over patches? the "scponly" shell seems to satisfy our needs as well, but the issue of code auditing stands for both that, and rssh, so I need to come back with some good reasons. thanks! -lev On Dec 30, 2003, at 5:43 PM, Ben Lindstrom wrote: > > You may want to consder: http://www.pizzashack.org/rssh/ > > - Ben > > On Tue, 30 Dec 2003, Lev Lvovsky wrote: > >> Hello, >> >> I'm new to the list, but hopefully I've done enough digging around >> that >> I don't get yelled at too terribly ;) >> >> We're looking to implement a chrooted environment for allowing users >> to >> scp files from servers. That's basically the only functionality that >> we need in this case. We're looking to chroot the user and/or remove >> any chance that the account can login via ssh or local to the machine >> an run any commands. Essentially the idea is to create a dump/pickup >> directory on the machines in question. >> >> In looking around, it seems that chroot has come up on this list >> several times, and has been discussed ad nauseum on usenet. In >> looking >> at the archives, it seems that the patch for this has been removed >> from >> the contrib section of the ssh source. >> >> While patches for chrooted ssh exist (chrootssh comes to mind), I've >> also read the discussion here: >> >> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102163541912823&w=2 >> >> and am curious to get this groups take on possible solutions. >> >> 1. does anyone have recommendations/warnings about applying the >> securessh patch? 
The two main problems I see are code auditting >> (which, while I understand C, I don't know the ssh source well enough >> to understand the patch), as well as waiting on patches to newly >> announced vulnerabilities. >> >> 2. the other options that we have for this are "restricted bash" >> (rbash), and the "scponly" shell - does anyone have any comments on >> either of those two as more (or less) recommended than the chrootssh >> patch? >> >> any other words of wisdom are very much appreciated! >> >> thanks, >> -lev >> >> _______________________________________________ >> openssh-unix-dev mailing list >> openssh-unix-dev at mindrot.org >> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev >> From mouring at etoh.eviladmin.org Wed Dec 31 13:21:55 2003 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 30 Dec 2003 20:21:55 -0600 (CST) Subject: chroot + ssh concerns In-Reply-To: <2E549FC8-3B36-11D8-AEEC-000A959DCC8C@sonous.com> Message-ID:

On Tue, 30 Dec 2003, Lev Lvovsky wrote:

> Ben,
>
> To be honest, I'm personally pushing for an unmodified-ssh way of doing
> things - it's the head of security here that would rather we patch ssh.
>
> Can you be more specific as to why this is a better idea over patches?
> the "scponly" shell seems to satisfy our needs as well, but the issue
> of code auditing stands for both that, and rssh, so I need to come back
> with some good reasons.
>

I can't justify anything not knowing your environment, but for me a custom OpenSSH (or any other package) is a PITA to maintain internally, and when you have problems people tend to shy away from helping or require you to prove it with clean code. That right there is a solid reason to avoid patching with unapproved patches.

Also, it is easier to verify small programs than patches to large code bases. This is very much the case when the people auditing the code have not spent enough time understanding the project, and OpenSSH is a lot of code to audit and understand what effects a patch may have on it.

- Ben

From iqbala at qwestip.net Wed Dec 31 16:09:01 2003 
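One concrete shape the "small program instead of a patch" approach can take, shown here as an added example that is neither rssh nor scponly code nor anything posted in this thread: a forced-command gate for an unmodified sshd. Each key in authorized_keys gets command="/usr/local/bin/scp-gate" plus no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding; sshd then runs the gate with whatever the client asked to execute in SSH_ORIGINAL_COMMAND, and the gate execs the real scp only when that request is a single-file transfer into or out of the drop directory. It does not chroot anything; the point is that the entire policy is a few dozen lines of sh that an auditor can read in one sitting. Assumptions: POSIX sh; the drop directory /srv/dropbox and the install path are hypothetical; clients must name an absolute path (scp file user@host:/srv/dropbox/file), and recursive or option-laden scp requests are refused rather than parsed.

```shell
#!/bin/sh
# Added example, not from the thread or from any of the tools it mentions:
# a forced-command gate that lets a key do nothing but scp one file into or
# out of a drop directory on an unmodified OpenSSH. Hypothetical install line:
#   command="/usr/local/bin/scp-gate",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa ...
# sshd puts the client's requested command into SSH_ORIGINAL_COMMAND; the
# scp client requests "scp -t <path>" (upload) or "scp -f <path>" (download).

DROPBOX=${DROPBOX:-/srv/dropbox}   # assumed drop/pickup directory

# allowed_scp REQUEST: succeed only for "scp -t PATH" / "scp -f PATH" where
# PATH is DROPBOX/NAME and NAME is a single, conservatively named component.
# On success SCP_MODE and SCP_PATH hold the validated arguments for scp.
allowed_scp() {
    case "$1" in
        "scp -t "*) SCP_MODE=-t ;;
        "scp -f "*) SCP_MODE=-f ;;
        *) return 1 ;;          # shells, sftp, "scp -r", extra options: refused
    esac
    path=${1#scp -? }

    # Must be an absolute path directly under the drop directory.
    case "$path" in
        "$DROPBOX"/*) ;;
        *) return 1 ;;
    esac
    name=${path#"$DROPBOX"/}

    # Exactly one component, no dotfiles (this also covers "." and ".."), and a
    # character set tight enough that nothing surprising reaches scp's argv.
    case "$name" in
        ""|*/*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac

    SCP_PATH=$DROPBOX/$name
    return 0
}

# Running under sshd: enforce the policy, then hand off to the real scp.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allowed_scp "$SSH_ORIGINAL_COMMAND"; then
        exec scp "$SCP_MODE" "$SCP_PATH"
    fi
    printf 'scp-gate: rejected request: %s\n' "$SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

Because the whole decision is a couple of case statements on one string, the audit question becomes "can any string that passes these patterns make scp touch something outside the drop directory", which is a far smaller question than auditing a chroot patch against the sshd source. The gate deliberately refuses scp's -r, -p and -d forms instead of parsing them; add them only after deciding what a directory tree under the drop box should be allowed to contain.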
From: iqbala at qwestip.net (Asif Iqbal) Date: Wed, 31 Dec 2003 00:09:01 -0500 Subject: chroot + ssh concerns In-Reply-To: References: Message-ID: <20031231050901.GE19576@qwestip.net> Lev Lvovsky wrote: > Hello, > > I'm new to the list, but hopefully I've done enough digging around that > I don't get yelled at too terribly ;) > > We're looking to implement a chrooted environment for allowing users to > scp files from servers. That's basically the only functionality that > we need in this case. We're looking to chroot the user and/or remove > any chance that the account can login via ssh or local to the machine > an run any commands. Essentially the idea is to create a dump/pickup > directory on the machines in question. > > In looking around, it seems that chroot has come up on this list > several times, and has been discussed ad nauseum on usenet. In looking > at the archives, it seems that the patch for this has been removed from > the contrib section of the ssh source. > > While patches for chrooted ssh exist (chrootssh comes to mind), I've > also read the discussion here: > > http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102163541912823&w=2 > > and am curious to get this groups take on possible solutions. > > 1. does anyone have recommendations/warnings about applying the > securessh patch? The two main problems I see are code auditting > (which, while I understand C, I don't know the ssh source well enough > to understand the patch), as well as waiting on patches to newly > announced vulnerabilities. > > 2. the other options that we have for this are "restricted bash" > (rbash), and the "scponly" shell - does anyone have any comments on > either of those two as more (or less) recommended than the chrootssh > patch? > > any other words of wisdom are very much appreciated! 
> > thanks, > -lev > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev Check this out http://cr.yp.to/publicfile.html Same guy who wrote qmail -- Asif Iqbal http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x8B686E08 There's no place like 127.0.0.1 From kumaresh_ind at gmx.net Wed Dec 31 22:50:58 2003 
From: kumaresh_ind at gmx.net (Kumaresh) Date: Wed, 31 Dec 2003 17:20:58 +0530 Subject: OpenSSH - forced command - no-pty issue References: <3FE78124.9070902@zip.com.au> Message-ID: <026801c3cf94$801a1bd0$230110ac@kurco>

Hello All,

I would like to get some input on the forced commands feature in the "no-pty" and "pty" situations. We have an issue where forced commands are left hanging on the sshd server whenever the ssh client disconnects.

My application uses a "forced command" to restrict the actions that a user can execute on the server. This is achieved with the help of a script, and this script is used as the forced command in the .ssh/authorized_keys2 file. The client is a PuTTY client, and we established an ssh-2 session to the server. The script is invoked and runs fine. However, if the user decides to forcefully terminate the client session by closing the PuTTY session, the script is left hanging on the server. The sshd process associated with the connection has closed, but the command or the script still hangs without knowing that sshd was killed.

Below are traces illustrating the above using a simple 'sleep' command as the forced command. We used the OpenSSH-3.6.1p2 client and server.

// in the .ssh/authorized_keys2 on the server
command="sleep 333",no-pty,no-port-forwarding ssh-rsa ....

// after the client has established an ssh-2 connection to the server
#ps -ef | grep 4434
root 4434 8441 0 1:20 ? 00:00:00 /usr/sbin/sshd
root 8409 4434 0 1:20 ? 00:00:00 sleep 333 <------- the forced command

// after the client forcefully terminated:
# ps -ef | grep sl
root 8409 1 0 1:20 ? 00:00:00 sleep 333 <-------- pid 4434 is gone, and pid 8409 (the forced command) has been adopted by the root process

When tried with rsh, this is not the case. The command [sleep] closed on the server immediately when the client session was closed.

Is there a way in which we can notify and kill the commands or child processes when sshd is terminated?
When "no-pty" is removed from the forced command, the command does not hang. But I want to prevent users from getting an interactive shell, so I need "no-pty".

Thanks in advance,
Kumar
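An added example, not from Kumar's post and not OpenSSH code, of the mechanism behind the hang and one way to work around it while keeping no-pty. With a pty, the kernel sends SIGHUP to the session when the pty master closes, which is why removing no-pty makes the problem go away. Without a pty the command gets no signal at all; the only thing it could notice is that its stdin pipe reaches end-of-file once the sshd session process exits, and a command like sleep never reads stdin, so it never notices. The wrapper below is meant to replace command="sleep 333" with command="/usr/local/bin/session-guard sleep 333": it watches that EOF on the command's behalf and terminates the command when the session ends, while still returning the command's own exit status if it finishes first. It is general over any forced command, not just sleep. Assumptions: POSIX sh; the wrapped command does not need the session's stdin (it is given /dev/null; a command that reads its stdin should simply exit on EOF itself); the install path is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post: a forced-command wrapper for
# no-pty sessions. Assumptions: POSIX sh; the wrapped command does not read
# the session's stdin. Hypothetical use in ~/.ssh/authorized_keys:
#   command="/usr/local/bin/session-guard sleep 333",no-pty,no-port-forwarding ssh-rsa ...
#
# With no-pty there is no SIGHUP when the client disconnects, so a command
# that never touches stdin never notices. What it could notice is EOF on
# stdin: sshd holds the write end of that pipe and closes it when the session
# process exits. We watch for that EOF on the command's behalf.

run_until_session_ends() {
    # Private copy of the session's stdin. A background job in a
    # non-interactive shell gets /dev/null as its stdin, so the watcher has
    # to be pointed at the session explicitly through this descriptor.
    exec 3<&0

    # The real command, detached from the session input.
    "$@" </dev/null &
    cmd_pid=$!

    # Watcher: block on the session input until EOF (sshd is gone), then
    # terminate the command. If the command finishes first, the wrapper
    # sends the watcher SIGTERM and its trap tears down the cat.
    (
        trap 'kill "$cat_pid" 2>/dev/null; exit 0' TERM
        cat <&3 >/dev/null 2>/dev/null &
        cat_pid=$!
        wait "$cat_pid" || :
        kill -TERM "$cmd_pid" 2>/dev/null
    ) &
    watcher_pid=$!

    # Wait for the command; its exit status is what sshd reports to the client.
    rc=0
    wait "$cmd_pid" || rc=$?

    # Command is done (on its own, or killed by the watcher): stop watching.
    kill -TERM "$watcher_pid" 2>/dev/null
    wait "$watcher_pid" 2>/dev/null || :
    exec 3<&-
    return "$rc"
}

# When run as a script, everything after the script name is the forced command.
[ "$#" -eq 0 ] || run_until_session_ends "$@"
```

The same EOF is why rsh did not show the problem in Kumar's test: rshd's command has its stdin on the connection socket directly, and most commands spawned by a script read it. Note that SIGTERM only reaches the immediate child; a forced command that itself forks long-lived children should either run them in the foreground or handle TERM and forward it.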