From dbertin at besancon.sema.slb.com Tue Jul 1 01:01:01 2003
From: dbertin at besancon.sema.slb.com (David BERTIN)
Date: Mon, 30 Jun 2003 17:01:01 +0200
Subject: problem with openssh
Message-ID: <3F0050AD.DB7D570@besancon.sema.slb.com>

Hello,

I installed an ssh server today on my computer, which runs Windows NT 4.0. When I try to connect to my computer with an ssh client, it answers:

"Permission denied (password, keyboard-interactive)"

Do you know where this comes from?

David.

From markus at openbsd.org Tue Jul 1 05:50:19 2003
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 30 Jun 2003 21:50:19 +0200
Subject: Kerberos Support in OpenSSH
In-Reply-To:
References:
Message-ID: <20030630195019.GA20704@folly>

On Thu, Jun 26, 2003 at 06:58:56PM -0700, Marshall Vale wrote:
> I'm writing to you on behalf of the MIT Kerberos team and several
> other parties interested in the availability of Kerberos
> authentication for the SSH protocol.

Please (re)read the mailing list archive; review, audit and shrink the GSS API patches. Then they might be integrated. GSS userauth could be integrated first, then GSS kex can be considered.

From djm at shitei.mindrot.org Tue Jul 1 15:18:32 2003
From: djm at shitei.mindrot.org (Damien Miller)
Date: Tue, 1 Jul 2003 15:18:32 +1000 (EST)
Subject: [Bug 609] empty password accounts can login with random password
In-Reply-To: <20030701042355.02BDF27C197@shitei.mindrot.org>
References: <20030701042355.02BDF27C197@shitei.mindrot.org>
Message-ID:

On Tue, 1 Jul 2003 bugzilla-daemon at mindrot.org wrote:

> http://bugzilla.mindrot.org/show_bug.cgi?id=609
>
> ------- Additional Comments From advax at triumf.ca 2003-07-01 14:23 -------
> OK, after messing around trying 3.6.1p2 I realize I had a "DenyUsers" line
> in sshd_config on the RedHat 8 system which I had forgotten about.
> The RedHat sshd.pam does not have nullok but it is chained to system-auth
> which does. I guess unchaining it might work but I don't want to depart
> too much from the stock distro, especially in things I don't really understand
> (like PAM).
>
> So the issue is that PermitEmptyPasswords is ignored if PAM is used.
> If PAM is really broken like this then maybe a note in the sshd_config manpage
> is in order.
>
> ------- You are receiving this mail because: -------
> You are the assignee for the bug, or are watching the assignee.
>
> _______________________________________________
> openssh-bugs mailing list
> openssh-bugs at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-bugs

From l.gautrot at free.fr Tue Jul 1 17:39:12 2003
From: l.gautrot at free.fr (l.gautrot at free.fr)
Date: Tue, 01 Jul 2003 09:39:12 +0200 (CEST)
Subject: French translation for the manpages -> possible inclusion ?
Message-ID: <1057045152.3f013aa0d53c5@laurent.gautrot.org>

I translated the OpenSSH manpages and the manpages for some related utilities (at least for the 3.4 release of OpenSSH).

Those manpages are hosted on Gérard Delafond's website (http://www.delafond.org/traducmanfr/index.php). Gérard then dispatches the manpages to some of the major Linux distributions (as far as I know Debian GNU/Linux, Mandrake GNU/Linux and RedHat, maybe others ...).

Recently, a user and developer for Debian asked me if I had contacted the OpenSSH dev team about a possible inclusion of the translated manpages in the OpenSSH distribution.

So what ? ;)

Below is the list of available translations :

scp.1
sftp.1
sftp-server.8
ssh.1
ssh-add.1
ssh-agent.1
ssh_config.5
sshd.8
sshd_config.5
ssh-keygen.1
ssh-keyscan.1
ssh-keysign.8
x11-ssh-askpass.1
scanssh.1
ssh-copy-id.1

-------------------

I translated the OpenSSH man pages and those of a few associated utilities (at least for version 3.4 of OpenSSH).

These man pages are currently hosted on Gérard Delafond's site (http://www.delafond.org/traducmanfr/index.php), who then sends them on to the various distributions (to my knowledge Debian GNU/Linux, Mandrake GNU/Linux and RedHat, but certainly others ...).

Recently, a Debian user and developer asked me whether I had contacted the OpenSSH team about a possible inclusion of the translations in the OpenSSH distribution.

So ? ;)

Below is the list of available translations :

scp.1
sftp.1
sftp-server.8
ssh.1
ssh-add.1
ssh-agent.1
ssh_config.5
sshd.8
sshd_config.5
ssh-keygen.1
ssh-keyscan.1
ssh-keysign.8
x11-ssh-askpass.1
scanssh.1
ssh-copy-id.1

From Andreas.Gidom at eu.Hummingbird.com Tue Jul 1 17:58:24 2003
From: Andreas.Gidom at eu.Hummingbird.com (Andreas Gidom)
Date: Tue, 1 Jul 2003 09:58:24 +0200
Subject: X11 forwarding when pw is aged
Message-ID: <5BCD8BBEDDD10744A4BA7D63B5CC9642C9DA51@munichx1>

Hi All,

1st Simple question: bug or feature ?

sshd version OpenSSH_3.6.1p2-pwexp20 on solaris sparc
X11 forwarding works fine
Set pw to aged (3rd entry in /etc/shadow to 0)

login as: steffenb
Sent username "steffenb"
steffenb at saturn's password:
Warning: Your password has expired, please change it now.
passwd: Changing password for steffenb
Enter login password:
New password:
Re-enter new password:
passwd (SYSTEM): passwd successfully changed for steffenb
Last login: Mon Jun 30 14:56:01 2003 from hclberagi.munic
Sun Microsystems Inc. SunOS 5.6 Generic August 1997
steffenb at saturn:~ > /usr/X11R6/bin/xterm
/usr/X11R6/bin/xterm Xt error: Can't open display:
steffenb at saturn:~ > set
BASH=/bin/bash
BASH_VERSINFO=([0]="2" [1]="02" [2]="0" [3]="1" [4]="release" [5]="sparc-sun-solaris2.6")
BASH_VERSION='2.02.0(1)-release'
COLUMNS=80
DIRSTACK=()
EUID=504
----- break ---

logfile:

2003-06-30 14:54:36 Looking up host "saturn"
2003-06-30 14:54:36 Connecting to 10.131.36.1 port 22
2003-06-30 14:54:36 Server version: SSH-1.99-OpenSSH_3.6.1p2-pwexp20
2003-06-30 14:54:36 We claim version: SSH-1.5-PuTTY-Release-0.53b
2003-06-30 14:54:36 Using SSH protocol version 1
2003-06-30 14:54:36 Received public keys
2003-06-30 14:54:36 Host key fingerprint is:
2003-06-30 14:54:36 1024 a1:b6:b3:ee:2b:3f:60:50:aa:f6:1b:87:ba:d9:09:51
2003-06-30 14:54:37 Encrypted session key
2003-06-30 14:54:37 AES not supported in SSH1, skipping
2003-06-30 14:54:37 Using Blowfish encryption
2003-06-30 14:54:37 Trying to enable encryption...
2003-06-30 14:54:37 Initialised Blowfish encryption
2003-06-30 14:54:37 Installing CRC compensation attack detector
2003-06-30 14:54:37 Successfully started encryption
2003-06-30 14:54:42 Sent username "steffenb"
2003-06-30 14:54:48 Sending password with camouflage packets
2003-06-30 14:54:48 Sent password
2003-06-30 14:54:48 Authentication successful
2003-06-30 14:54:48 Requesting X11 forwarding
2003-06-30 14:54:49 Remote dX11 forwarding disabled in user configuration file.
2003-06-30 14:54:49 X11 forwarding refused
2003-06-30 14:54:49 Allocated pty
2003-06-30 14:54:49 Started session

Normal session:

login as: steffenb
Sent username "steffenb"
steffenb at saturn's password:
Last login: Mon Jun 30 14:58:35 2003 from hclberagi.munic
Sun Microsystems Inc. SunOS 5.6 Generic August 1997
steffenb at saturn:~ > /usr/X11R6/bin/xterm
^Z
[1]+ Stopped /usr/X11R6/bin/xterm
steffenb at saturn:~ > bg
[1]+ /usr/X11R6/bin/xterm &
steffenb at saturn:~ > set
BASH=/bin/bash
BASH_VERSINFO=([0]="2" [1]="02" [2]="0" [3]="1" [4]="release" [5]="sparc-sun-solaris2.6")
BASH_VERSION='2.02.0(1)-release'
COLUMNS=80
DIRSTACK=()
DISPLAY=localhost:11.0
EUID=504
----break----

Logfile:

2003-06-30 14:55:42 Looking up host "saturn"
2003-06-30 14:55:42 Connecting to 10.131.36.1 port 22
2003-06-30 14:55:42 Server version: SSH-1.99-OpenSSH_3.6.1p2-pwexp20
2003-06-30 14:55:42 We claim version: SSH-1.5-PuTTY-Release-0.53b
2003-06-30 14:55:42 Using SSH protocol version 1
2003-06-30 14:55:42 Received public keys
2003-06-30 14:55:42 Host key fingerprint is:
2003-06-30 14:55:42 1024 a1:b6:b3:ee:2b:3f:60:50:aa:f6:1b:87:ba:d9:09:51
2003-06-30 14:55:42 Encrypted session key
2003-06-30 14:55:42 AES not supported in SSH1, skipping
2003-06-30 14:55:42 Using Blowfish encryption
2003-06-30 14:55:42 Trying to enable encryption...
2003-06-30 14:55:42 Initialised Blowfish encryption
2003-06-30 14:55:43 Installing CRC compensation attack detector
2003-06-30 14:55:43 Successfully started encryption
2003-06-30 14:55:51 Sent username "steffenb"
2003-06-30 14:55:56 Sending password with camouflage packets
2003-06-30 14:55:56 Sent password
2003-06-30 14:55:56 Authentication successful
2003-06-30 14:55:56 Requesting X11 forwarding
2003-06-30 14:55:56 X11 forwarding enabled
2003-06-30 14:55:57 Allocated pty
2003-06-30 14:55:57 Started session
2003-06-30 14:56:04 Received X11 connect request
2003-06-30 14:56:04 opening X11 forward connection succeeded
2003-06-30 14:56:04 Opened X11 forward channel
2003-06-30 15:11:58 Forwarded X11 connection terminated

Mit freundlichen Grüßen / Best Regards
Andreas Gidom

From dtucker at zip.com.au Tue Jul 1 18:34:36 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 01 Jul 2003 18:34:36 +1000
Subject: X11 forwarding when pw is aged
References: <5BCD8BBEDDD10744A4BA7D63B5CC9642C9DA51@munichx1>
Message-ID: <3F01479C.76039F7A@zip.com.au>

Andreas Gidom wrote:
> 1st Simple question: bug or feature ?

It's a Security Feature. All forwarding is disabled when the password is expired, otherwise you could request forwards with an expired password.

The problem with re-enabling it afterwards is that your password is changed in the process that becomes the shell, but the forwarding flags are checked in the ssh daemon (the slave if privsep is in use) and there's no easy way to report a successful change. At one point I tried using a signal to reset the flags but that wasn't popular.

It might be possible to make it work by checking if the password is still expired when a forwarding request arrives. I'm not sure how hard that is (it's likely to be difficult with PAM, for example).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From A.D.Elwell at dl.ac.uk Tue Jul 1 23:32:33 2003
From: A.D.Elwell at dl.ac.uk (Elwell, AD (Andrew))
Date: Tue, 1 Jul 2003 14:32:33 +0100
Subject: 2 poss improvements to 3.6.1p2/passexpire21
Message-ID:

Hi again folks,

The new passexpire21 patch works well (ta Darren) but...

1) is it possible to display the "your password has expired and needs changing" to the users *before* calling the password change routine? ie ssh shows...

$: ssh 193.62.122.26
ade45 at 193.62.122.26's password:
Changing password for "ade45"
ade45's Old password:
ade45's New password:
Re-enter ade45's new password:
3004-609 Your password has expired. Please choose a new password.Last unsuccessful login: Tue 1 Jul 09:21:49 2003 on /dev/dtlogin/_0
Last login: Tue 1 Jul 14:34:01 2003 on ssh from l1f01

whereas rlogin (yes I know.... it's a development box) shows

$: rlogin !$
rlogin 193.62.122.26
ade45's Password:
3004-609 Your password has expired. Please choose a new password.
ade45's New password:

2) when a password is *due* to expire soon (ie within the pwdwarntime range) the message could do with a carriage return...

ade45 at 193.62.122.26's password:
3004-328 Your password will expire: Tue 15 Jul 14:30:40 2003Last unsuccessful login: Tue 1 Jul 09:21:49 2003 on /dev/dtlogin/_0
Last login: Tue 1 Jul 14:30:31 2003 on ssh from l1f01

I'm pretty sure this is just a case of re-arranging some stuff* in the patch code, but not sure where...

Many thanks,

Andrew

*technical term for blood, sweat n tears

From Kelly.Lindsey at WMG.Com Tue Jul 1 23:41:36 2003
From: Kelly.Lindsey at WMG.Com (Lindsey, Kelly (WMG Corp))
Date: Tue, 1 Jul 2003 09:41:36 -0400
Subject: certificates breaking ssh?
Message-ID: <24E79CC035CDEC45B2019A60D11D727E019CFBB8@wmgex03>

Does anyone know why verisign certificates on an ldap-authenticating sun box are causing ssh to fail but telnet to continue working?

From dtucker at zip.com.au Tue Jul 1 23:59:01 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 01 Jul 2003 23:59:01 +1000
Subject: 2 poss improvements to 3.6.1p2/passexpire21
References:
Message-ID: <3F0193A5.4C239153@zip.com.au>

"Elwell, AD (Andrew)" wrote:
> The new passexpire21 patch works well (ta Darren) but...
>
> 1) is it possible to display the "your password has expired and needs
> changing"
> to the users *before* calling the password change routine?

It used to, last time I tried it on AIX. What configure options are you using if any?

There are actually 2 sets of messages: the "expire message" and the "login message". The former is supposed to hold "Your password will expire/has expired" messages, the latter "Last login was.." type messages. The expire messages are supposed to be displayed before the change (see session.c:764).

> 2) when a password is *due* to expire soon (ie within the pwdwarntime range)
>
> the message could do with a carriage return...

That one should be easy. ISTR that AIX's expiry messages had their own newlines, maybe that varies with the version? What version of AIX are we talking about?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From glemtp at yahoo.com Wed Jul 2 00:07:05 2003
From: glemtp at yahoo.com (Greg Lambert)
Date: Tue, 1 Jul 2003 07:07:05 -0700 (PDT)
Subject: Question about comment field for keys
Message-ID: <20030701140705.30442.qmail@web12203.mail.yahoo.com>

The manual page for ssh-keygen says:

"For RSA1 keys, there is also a comment field in the key file this is only for convenience to the user to help identify the key."

It seems though that RSA2 and DSA keys also have comment fields, not just RSA1. Is this just an error in the documentation?

Also the documentation says that only RSA1 key comments can be changed with ssh-keygen's -c option and this appears to be the case. Is there a reason for this?

I just want to verify my impression that all types of keys have comment fields (regardless of what the man page says) that can be initialized to different comments when the key is created, but that the comment can only be modified for RSA1 keys.

Greg Lambert

---------------------------------
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!

From glemtp at yahoo.com Wed Jul 2 00:50:20 2003
From: glemtp at yahoo.com (Greg Lambert)
Date: Tue, 1 Jul 2003 07:50:20 -0700 (PDT)
Subject: Generating DSA keys of different length
Message-ID: <20030701145020.84315.qmail@web12208.mail.yahoo.com>

When I try to create a dsa set of key files with -b 999, the key appears to be created with the default of 1024. This does not happen for type rsa or rsa1 keys. They get created with the number of bits I specified. I can't find this problem in the archives.

DSA key generation:

SY1 97 /SYSTEM/tmp> ssh-keygen -b 999 -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/tmp/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /tmp/.ssh/id_dsa.
Your public key has been saved in /tmp/.ssh/id_dsa.pub.
The key fingerprint is:
4b:24:3d:ed:a8:ef:20:d8:a3:da:80:4e:db:32:c9:d4 WELLIE at OMVSH
SY1 98 /SYSTEM/tmp> ssh-keygen -l -f .ssh/id_dsa
1024 4b:24:3d:ed:a8:ef:20:d8:a3:da:80:4e:db:32:c9:d4 .ssh/id_dsa.pub

RSA key generation:

SY1 93 /SYSTEM/tmp> ssh-keygen -b 999 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/tmp/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /tmp/.ssh/id_rsa.
Your public key has been saved in /tmp/.ssh/id_rsa.pub.
The key fingerprint is:
42:fc:14:2a:69:15:d9:99:b6:f5:96:a7:74:0c:a6:fd WELLIE at OMVSH
SY1 94 /SYSTEM/tmp> ssh-keygen -l -f .ssh/id_rsa
999 42:fc:14:2a:69:15:d9:99:b6:f5:96:a7:74:0c:a6:fd .ssh/id_rsa.pub

---------------------------------
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!

From markus at openbsd.org Wed Jul 2 01:47:43 2003
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 1 Jul 2003 17:47:43 +0200
Subject: Question about comment field for keys
In-Reply-To: <20030701140705.30442.qmail@web12203.mail.yahoo.com>
References: <20030701140705.30442.qmail@web12203.mail.yahoo.com>
Message-ID: <20030701154742.GA30577@folly>

ssh2 keys have no editable comment field.

On Tue, Jul 01, 2003 at 07:07:05AM -0700, Greg Lambert wrote:
> The manual page for ssh-keygen says:
>
> "For RSA1 keys, there is also a comment field in the key file this is only for convenience to the user to help identify the key."
>
> It seems though that RSA2 and DSA keys also have comment fields, not just RSA1. Is this just an error in the documentation?
>
> Also the documentation says that only RSA1 key comments can be changed with ssh-keygen's -c option and this appears to be the case. Is there a reason for this?
>
> I just want to verify my impression that all types of keys have comment fields (regardless of what the man page says) that can be initialized to different comments when the key is created but the comment can only be modified for RSA1 keys.
>
> Greg Lambert
>
> ---------------------------------
> Do you Yahoo!?
> SBC Yahoo! DSL - Now only $29.95 per month!
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From markus at openbsd.org Wed Jul 2 02:42:05 2003
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 1 Jul 2003 18:42:05 +0200
Subject: Generating DSA keys of different length
In-Reply-To: <20030701145020.84315.qmail@web12208.mail.yahoo.com>
References: <20030701145020.84315.qmail@web12208.mail.yahoo.com>
Message-ID: <20030701164205.GA26610@folly>

On Tue, Jul 01, 2003 at 07:50:20AM -0700, Greg Lambert wrote:
>
> When I try to create a dsa set of key files with -b 999, the key appears to be created with the default of 1024. This does not happen for type rsa or rsa1 keys. They get created with the number of bits I specified. I can't find this problem in the archives.
>

dsa is only defined for 1024

From smoogen at lanl.gov Wed Jul 2 03:03:14 2003
From: smoogen at lanl.gov (Stephen Smoogen)
Date: Tue, 01 Jul 2003 17:03:14 -0000
Subject: Kerberos Support in OpenSSH
In-Reply-To: <20030630195019.GA20704@folly>
References: <20030630195019.GA20704@folly>
Message-ID: <1057079010.25258.16.camel@smoogen1.lanl.gov>

I would like to add to the request for looking at the GSSAPI patch in the future. I have a couple of questions to get this going:

Who should review/audit the code? If I were to say I have reviewed and audited it.. it would mean jack.. I have no standing and haven't done much other than try to answer questions off-line every now and then.

Thanks for the clarification on what the breakdown should be. It wasn't clear in Theo's previous message nor when I read through 2 years of the list's archives before asking/answering questions here.

On Mon, 2003-06-30 at 13:50, Markus Friedl wrote:
> On Thu, Jun 26, 2003 at 06:58:56PM -0700, Marshall Vale wrote:
> > I'm writing to you on behalf of the MIT Kerberos team and several
> > other parties interested in the availability of Kerberos
> > authentication for the SSH protocol.
>
> Please (re)read the mailing list archive; review, audit and shrink
> the GSS API patches. Then they might be integrated. GSS userauth
> could be integrated first, then GSS kex can be considered.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Stephen John Smoogen smoogen at lanl.gov
Los Alamos National Labrador CCN-5 Sched 5/40 PH: 4-0645 (note new #)
Ta-03 SM-1498 MailStop B255 DP 10S Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --

From glemtp at yahoo.com Wed Jul 2 03:05:30 2003
From: glemtp at yahoo.com (Greg Lambert)
Date: Tue, 1 Jul 2003 10:05:30 -0700 (PDT)
Subject: Generating DSA keys of different length
In-Reply-To: <20030701164205.GA26610@folly>
Message-ID: <20030701170530.93391.qmail@web12205.mail.yahoo.com>

What do you mean by "defined"? ssh-keygen lets me specify values different than 1024 without complaining. In fact it created keys of different length, although I am having trouble verifying that the key length is equal to the number of bits I specified:

/home/greg/.ssh$ ssh-keygen -b 512 -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/greg/.ssh/id_dsa):
/home/greg/.ssh/id_dsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/greg/.ssh/id_dsa.
Your public key has been saved in /home/greg/.ssh/id_dsa.pub.
The key fingerprint is:
34:f8:02:39:2a:f8:67:3f:8a:e9:40:b5:a8:20:75:58 WELLIE at OMVSH
/home/greg/.ssh$ ssh-keygen -l -f /home/greg/.ssh/id_dsa
512 34:f8:02:39:2a:f8:67:3f:8a:e9:40:b5:a8:20:75:58 /home/greg/.ssh/id_dsa.pub
/home/greg/.ssh$

Markus Friedl wrote:
On Tue, Jul 01, 2003 at 07:50:20AM -0700, Greg Lambert wrote:
>
> When I try to create a dsa set of key files with -b 999, the key appears to be created with the default of 1024. This does not happen for type rsa or rsa1 keys. They get created with the number of bits I specified. I can't find this problem in the archives.
>

dsa is only defined for 1024

---------------------------------
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!

From A.D.Elwell at dl.ac.uk Wed Jul 2 03:11:19 2003
From: A.D.Elwell at dl.ac.uk (Elwell, AD (Andrew))
Date: Tue, 1 Jul 2003 18:11:19 +0100
Subject: 2 poss improvements to 3.6.1p2/passexpire21
Message-ID:

Yep, seems to have done the trick,

Many thanks

Andrew

From sfrost at snowman.net Wed Jul 2 04:06:20 2003
From: sfrost at snowman.net (Stephen Frost)
Date: Tue, 1 Jul 2003 14:06:20 -0400
Subject: Kerberos Support in OpenSSH
In-Reply-To: <1057079010.25258.16.camel@smoogen1.lanl.gov>
References: <20030630195019.GA20704@folly> <1057079010.25258.16.camel@smoogen1.lanl.gov>
Message-ID: <20030701180620.GR20969@ns.snowman.net>

* Stephen Smoogen (smoogen at lanl.gov) wrote:
> I would like to add to the request for looking at the GSSAPI patch in
> the future. I have a couple of questions to get this going:
>
> Who should review/audit the code? If I were to say I have reviewed and
> audit'd it.. it would mean jack.. I have no standing and havent done
> much other than try to answer questions off-line every now and then.

Just putting my 2 cents in- If you audit the code and do a good job then you'll probably produce some amount of output in the form of patches to fix potential problems and the like. The quality of these and possibly the quantity will affect what people think of your overall review/audit. It would probably make it easier for someone else to come through and review/audit if at least some of the problems have already been fixed.

If you don't find any problems then your claim would probably mean less but there's not really much help for it I'm afraid.

Stephen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030701/2cea0664/attachment.bin

From wendyp at cray.com Wed Jul 2 04:14:25 2003
From: wendyp at cray.com (Wendy Palm)
Date: Tue, 01 Jul 2003 13:14:25 -0500
Subject: Kerberos Support in OpenSSH
References: <20030630195019.GA20704@folly> <1057079010.25258.16.camel@smoogen1.lanl.gov> <20030701180620.GR20969@ns.snowman.net>
Message-ID: <3F01CF81.6020106@cray.com>

just to add to the chorus- i have several sites very interested in this. we're currently implementing simon's patches and would be extremely happy if it became more officially integrated. i guarantee we'll be able to test it out on the crays at least.

thanks for your consideration.

Stephen Frost wrote:
> * Stephen Smoogen (smoogen at lanl.gov) wrote:
>
>>I would like to add to the request for looking at the GSSAPI patch in
>>the future. I have a couple of questions to get this going:
>>
>>Who should review/audit the code? If I were to say I have reviewed and
>>audit'd it.. it would mean jack.. I have no standing and havent done
>>much other than try to answer questions off-line every now and then.
>>
>
> Just putting my 2 cents in- If you audit the code and do a good job then
> you'll probably produce some amount of output in the form of patches to
> fix potential problems and the like. The quality of these and possibly
> the quantity will affect what people think of your overall review/audit.
> It would probably make it easier for someone else to come through and
> review/audit if at least some of the problems have already been fixed.
>
> If you don't find any problems then your claim would probably mean less
> but there's not really much help for it I'm afraid.
>
> Stephen
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

--
wendy palm
Cray Open Software Development, Cray Inc.
wendyp at cray.com, 651-605-9154

From sth at hq.bsbg.net Thu Jul 3 04:18:04 2003
From: sth at hq.bsbg.net (Stefan Hadjistoytchev)
Date: Wed, 2 Jul 2003 21:18:04 +0300
Subject: Fw: Problem/bug report for "bad decrypted len" error in OpenSSH
Message-ID: <001801c340c6$49a8b000$0100a8c0@HOME>

Markus and Damien,

here is a more detailed explanation about the BUG report at "http://bugzilla.mindrot.org/show_bug.cgi?id=592" concerning the "bad decrypted len" error in OpenSSH:

If anyone wants to do a private key sign, and the key is located in a device or the Microsoft certificate store in which the private key cannot be accessed directly (you cannot access the private key directly for encryption or decryption), he must use the Microsoft Crypto API. That exact Microsoft Crypto API method always returns 36 bytes instead of the 35 bytes (OpenSSH standard).

A private key sign is the method which both SSL and SSH use to do authentication. What this really means is the host sends an authentication challenge to the host which is signed by the workstation (private key encrypt) and is then decrypted with the public key by the host. Since only the owner of the private key can encrypt data which can be decrypted by the public key held by the host, the host feels he can trust the connection.

The method used within the crypto API is:

(1) Obtain the context for the private key using the public key contained within the certificate.
(2) Create a hash of the challenge using the CALG_SSL3_SHAMD5 method.
(3) Sign the hash
(4) return to host

(Notes:
1. This all pertains only to SSH-2. SSH-1 uses another method, and in fact cannot be done using private keys that cannot be accessed directly;
2. This only pertains to certificate based private/public keys. If you use normal OpenSSH keys, then you do not have the problem since the private key can be accessed directly;
3. Those that use servers from SSH Data Communications do not have the problem.)

Best regards
Stefan

From openssh-dev at joelweber.com Wed Jul 2 04:42:59 2003
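A worked illustration of the length check Stefan's report runs into, added here as an example and not code from OpenSSH, Microsoft or anyone in this thread: a textbook RSA signer with a tiny constructed key, PKCS#1 v1.5 type-1 padding, and a verifier that, like sshd's ssh-rsa check, expects the recovered payload to be the 35-byte SHA-1 DigestInfo (15-byte DER prefix plus 20-byte hash). The raw 36-byte MD5||SHA-1 value that a CALG_SSL3_SHAMD5 hash yields carries no DER prefix, so it is rejected before any hash comparison. The Mersenne-prime demo key, the sample challenge and the function names are assumptions.

```python
import hashlib

# Standard DER prefix of a PKCS#1 v1.5 SHA-1 DigestInfo; 15 bytes.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")
# An ssh-rsa verifier expects exactly prefix + SHA-1 digest = 15 + 20 = 35 bytes.
EXPECTED_LEN = len(SHA1_DIGESTINFO_PREFIX) + hashlib.sha1().digest_size


def sha1_digestinfo(data: bytes) -> bytes:
    """Payload a well-formed ssh-rsa signature wraps: DigestInfo(SHA-1), 35 bytes."""
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(data).digest()


def ssl3_shamd5(data: bytes) -> bytes:
    """Raw MD5||SHA-1 with no DER header (36 bytes): the value a CALG_SSL3_SHAMD5
    hash object hands to the CryptoAPI signer, as the report describes."""
    return hashlib.md5(data).digest() + hashlib.sha1(data).digest()


def make_demo_key(e: int = 65537):
    """Constructed demo key built from the Mersenne primes 2^521-1 and 2^607-1
    (a well-known toy choice, never a real-world key). Returns ((n, e), (n, d))."""
    p, q = (1 << 521) - 1, (1 << 607) - 1
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def rsa_sign_payload(payload: bytes, priv) -> bytes:
    """Private-key operation over a PKCS#1 v1.5 type-1 block
    (00 01 FF..FF 00 || payload); the signer does not inspect the payload."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    ps_len = k - 3 - len(payload)
    if ps_len < 8:
        raise ValueError("payload too long for key")
    em = b"\x00\x01" + b"\xff" * ps_len + b"\x00" + payload
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def rsa_public_decrypt(sig: bytes, pub) -> bytes:
    """Public-key operation plus type-1 unpadding; returns the signed payload
    (the role RSA_public_decrypt plays in ssh-rsa verification)."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        raise ValueError("bad signature length")
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):  # >= 8 bytes of 0xFF required
        raise ValueError("bad padding")
    return em[sep + 1:]


def verify_ssh_rsa(sig: bytes, pub, data: bytes) -> str:
    """Sanity checks on the recovered payload; the first is the length check
    behind the "bad decrypted len" error in the bug report."""
    decrypted = rsa_public_decrypt(sig, pub)
    if len(decrypted) != EXPECTED_LEN:
        return "bad decrypted len: %d != %d" % (len(decrypted), EXPECTED_LEN)
    plen = len(SHA1_DIGESTINFO_PREFIX)
    if decrypted[:plen] != SHA1_DIGESTINFO_PREFIX:
        return "bad decrypted prefix"
    if decrypted[plen:] != hashlib.sha1(data).digest():
        return "hash mismatch"
    return "ok"


def demo(data: bytes = b"constructed SSH-2 userauth challenge") -> dict:
    """Sign the same challenge both ways and run each through the verifier."""
    pub, priv = make_demo_key()
    return {
        # Properly wrapped DigestInfo: accepted.
        "digestinfo": verify_ssh_rsa(rsa_sign_payload(sha1_digestinfo(data), priv), pub, data),
        # Raw 36-byte SSL3 hash: rejected by the length check alone.
        "ssl3_shamd5": verify_ssh_rsa(rsa_sign_payload(ssl3_shamd5(data), priv), pub, data),
    }
```

Calling `demo()` returns `"ok"` for the DigestInfo case and `"bad decrypted len: 36 != 35"` for the SSL3 case, which is the sanity check on input data that Gert's reply later alludes to.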
From: openssh-dev at joelweber.com (Joel N. Weber II)
Date: Tue, 01 Jul 2003 14:42:59 -0400
Subject: Kerberos Support in OpenSSH
In-Reply-To: <20030701180620.GR20969@ns.snowman.net> (message from Stephen Frost on Tue, 1 Jul 2003 14:06:20 -0400)
References: <20030630195019.GA20704@folly> <1057079010.25258.16.camel@smoogen1.lanl.gov> <20030701180620.GR20969@ns.snowman.net>
Message-ID:

> Just putting my 2 cents in- If you audit the code and do a good job then
> you'll probably produce some amount of output in the form of patches to
> fix potential problems and the like.

Given that for example Debian has been shipping packages with sxw's code for a while now (well over a year, I think), at least in unstable, I would really hope that we aren't going to see a significant volume of patches fixing critical flaws in the code.

I think what I've been hearing from the openssh developers is that since they have a hard time knowing that there aren't significant security bugs, they are reluctant to merge it. I don't think I've ever heard anyone else expressing such concern, nor do I think I've seen anyone claiming that there's reason to believe that there are actual security bugs in sxw's code.

> The quality of these and possibly
> the quantity will affect what people think of your overall review/audit.
> It would probably make it easier for someone else to come through and
> review/audit if at least some of the problems have already been fixed.
>
> If you don't find any problems then your claim would probably mean less
> but there's not really much help for it I'm afraid.

I don't think anyone is very interested in knowing that something has fewer fatal security bugs than it previously had. What people are interested in knowing is that there is a high degree of confidence that there aren't security bugs.

The things I could imagine being useful might be:

1) A claim by well-known people in the Kerberos community that they've looked at a particular version of the patch (with some known cryptographically secure checksum) and believe it to be free of security bugs. Though I suspect the openssh people will still feel like they will be partially to blame if they accept code on that basis and it turns out to have security bugs.

2) A patch with detailed annotations explaining why exactly each line doesn't introduce security vulnerabilities. What I've found in trying to write security considerations documents or portions thereof in an IETF context is that if you force yourself to be very explicit about such things, it seems to help to force you to think about all the issues more clearly than you might otherwise. It also increases the likelihood that someone who's not a guru can look at it and start to evaluate whether there's anything that hasn't yet been noticed, and given that understanding these things is apparently hard and few people can do it, lowering the bar in that fashion seems to be useful.

It sounds like there's also some desire to come up with a patch that removes the key exchange and removes the GSI support and just does GSSAPI/krb5 userauth, so as to limit the complexity of what is being tackled initially.

From smoogen at lanl.gov Wed Jul 2 05:16:20 2003
From: smoogen at lanl.gov (Stephen Smoogen)
Date: Tue, 01 Jul 2003 19:16:20 -0000
Subject: Kerberos Support in OpenSSH
In-Reply-To: <3F01DA96.7020709@columbia.edu>
References: <20030630195019.GA20704@folly> <1057079010.25258.16.camel@smoogen1.lanl.gov> <20030701180620.GR20969@ns.snowman.net> <3F01DA96.7020709@columbia.edu>
Message-ID: <1057086993.25258.19.camel@smoogen1.lanl.gov>

On Tue, 2003-07-01 at 13:01, Jeffrey Altman wrote:
> Joel N. Weber II wrote:
> Is the question only about the security of Stephen's patch?
>

s/Stephen/Simon/

My comment on saying I had audited was meant to show that I didn't think, if I HAD audited it, it would be 'valuable' for the openSSH core developers since I have zero standing in that community. [Nor would I trust my own auditing too much.]

--
Stephen John Smoogen smoogen at lanl.gov
Los Alamos National Labrador CCN-5 Sched 5/40 PH: 4-0645 (note new #)
Ta-03 SM-1498 MailStop B255 DP 10S Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --

From gert at greenie.muc.de Wed Jul 2 05:17:04 2003
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 1 Jul 2003 21:17:04 +0200
Subject: Fw: Problem/bug report for "bad decrypted len" error in OpenSSH
In-Reply-To: <001801c340c6$49a8b000$0100a8c0@HOME>; from sth@hq.bsbg.net on Wed, Jul 02, 2003 at 09:18:04PM +0300
References: <001801c340c6$49a8b000$0100a8c0@HOME>
Message-ID: <20030701211703.B10239@greenie.muc.de>

Hi,

On Wed, Jul 02, 2003 at 09:18:04PM +0300, Stefan Hadjistoytchev wrote:
> 3. Those that use servers from SSH Data Communications do not have the
> problem. )

Sounds as if they are just not doing sanity checking on their input data. No?

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de

From openssh-dev at joelweber.com Wed Jul 2 05:26:28 2003
From: openssh-dev at joelweber.com (Joel N. Weber II)
Date: Tue, 01 Jul 2003 15:26:28 -0400
Subject: Kerberos Support in OpenSSH
In-Reply-To: <3F01DA96.7020709@columbia.edu> (message from Jeffrey Altman on Tue, 01 Jul 2003 15:01:42 -0400)
References: <20030630195019.GA20704@folly> <1057079010.25258.16.camel@smoogen1.lanl.gov> <20030701180620.GR20969@ns.snowman.net> <3F01DA96.7020709@columbia.edu>
Message-ID:

> Is the question only about the security of Stephen's patch?
>
> Or is it also a question of OpenSSH relying on a GSSAPI and either a
> Kerberos or X.509 implementation which has not been audited by the
> OpenSSH/OpenBSD developers?

That's a good question, which has not been answered. However, www.openbsd.org/crypto.html indicates that OpenBSD already ships Heimdal, so a reasonable educated guess may be that Heimdal has already been sufficiently audited by the OpenBSD folks.

> I believe the offer from MIT was that the Kerberos Core Developers would
> audit Stephen's patches and ensure that the usage of the Kerberos API
> was not introducing any security bugs. The concern MIT and much of the
> rest of the Kerberos community has with the ssh.com and SSHv1 Kerberos
> solutions is that the improper use of the Kerberos protocols leave the
> door open for potential attacks. As we are all aware, secure code
> requires more than just making sure there are no buffer overrun errors.

Well, most of us are aware of this, anyway.

If the offer from MIT was *only* about the GSSAPI usage and not about verifying that there are no buffer overflows in parts of the code that aren't calls to GSSAPI, then it probably doesn't cover all of the concerns of the openssh developers.

> Of course, it is the GSSAPI-KerberosV Key Exchange which is of most
> interest to the Kerberos community.

Yes. (I'm a little unclear on why I might ever care about the ``gssapi'' userauth method, given the desire to use Kerberos to prevent man in the middle attacks.)

However, given that Markus has asked to start with just the gssapi userauth, it sounds like that's the thing to do; and once the openssh folks have a chance to start to familiarize themselves with GSSAPI, and everyone works out a process that works for integrating GSSAPI code into openssh after sufficient auditing etc, I bet the rest can go more smoothly.

I certainly do hope that all of the functionality of sxw's patch will end up in the openssh distribution eventually.

From markus at openbsd.org Wed Jul 2 05:36:28 2003
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 1 Jul 2003 21:36:28 +0200
Subject: Generating DSA keys of different length
In-Reply-To: <20030701170530.93391.qmail@web12205.mail.yahoo.com>
References: <20030701164205.GA26610@folly> <20030701170530.93391.qmail@web12205.mail.yahoo.com>
Message-ID: <20030701193628.GB16819@folly>

only 1024 bit dsa/dss keys will interoperate with other implementations.

if you want to use more bits, then use rsa, there's (almost) no reason to use dsa/dss.

On Tue, Jul 01, 2003 at 10:05:30AM -0700, Greg Lambert wrote:
> What do you mean by "defined"? ssh-keygen lets me specify values different than 1024 without complaining. In fact it created keys of different length, although I am having trouble verifying that the key length is equal to the number of bits I specified:
>
> /home/greg/.ssh$ ssh-keygen -b 512 -t dsa
> Generating public/private dsa key pair.
> Enter file in which to save the key (/home/greg/.ssh/id_dsa):
> /home/greg/.ssh/id_dsa already exists.
> Overwrite (y/n)? y
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Your identification has been saved in /home/greg/.ssh/id_dsa.
> Your public key has been saved in /home/greg/.ssh/id_dsa.pub.
> The key fingerprint is:
> 34:f8:02:39:2a:f8:67:3f:8a:e9:40:b5:a8:20:75:58 WELLIE at OMVSH
>
> /home/greg/.ssh$ ssh-keygen -l -f /home/greg/.ssh/id_dsa
> 512 34:f8:02:39:2a:f8:67:3f:8a:e9:40:b5:a8:20:75:58 /home/greg/.ssh/id_dsa.pub
> /home/greg/.ssh$
>
>
> Markus Friedl wrote:
> On Tue, Jul 01, 2003 at 07:50:20AM -0700, Greg Lambert wrote:
> > When I try to create a dsa set of key files with -b 999, the key appears to be created with the default of 1024. This does not happen for type rsa or rsa1 keys. They get created with the number of bits I specified. I can't find this problem in the archives.
>
> dsa is only defined for 1024
>
> ---------------------------------
> Do you Yahoo!?
> SBC Yahoo! DSL - Now only $29.95 per month!
From sth at hq.bsbg.net Wed Jul 2 16:34:48 2003
From: sth at hq.bsbg.net (Stefan Hadjistoytchev)
Date: Wed, 2 Jul 2003 09:34:48 +0300
Subject: Fw: Problem/bug report for "bad decrypted len" error in OpenSSH
References: <001801c340c6$49a8b000$0100a8c0@HOME> <3F022D82.1080307@doxpara.com>
Message-ID: <009101c34064$0953cce0$4102010a@dev.bnet>

The number 36 may not be correct but is a fact :(

----- Original Message -----
From: "Dan Kaminsky"
To: "Stefan Hadjistoytchev"
Cc: ; ; "Markus Friedl"
Sent: Wednesday, July 02, 2003 3:55 AM
Subject: Re: Fw: Problem/bug report for "bad decrypted len" error in OpenSSH

> >If anyone wants to do a private key sign, and the key is located in a device
> >or the Microsoft certificate store in which the private key cannot be
> >accessed directly ( you cannot access the private key directly for
> >encryption or decryption ) he must use Microsoft Crypto API. That exact
> >Microsoft Crypto API method always returns 36 bytes instead of the 35 bytes
> >(OpenSSH standard).
> >
> >
> This number cannot be correct; neither RSA nor DSA can (easily) provide
> digital signatures in 280/288 bits.
>
> > 1. This all pertains only to SSH-2. SSH-1 uses another method, and in
> >fact cannot be done using private keys that cannot be accessed directly;
> >
> SSHv2 uses sign-and-verify; SSHv1 uses encrypt-and-prove-decrypt. Both
> should be compatible with crypto tokens -- "here, decrypt this" is no
> different than "here, sign this".
>
> --Dan
>

From george at dcnut.com.au Wed Jul 2 18:47:56 2003
From: george at dcnut.com.au (George Okolicsanyi)
Date: Wed, 02 Jul 2003 08:47:56 -0000
Subject: (no subject)
Message-ID: <1057142346.401.1.camel@Ghost>

From dan at doxpara.com Wed Jul 2 09:16:58 2003
From: dan at doxpara.com (Dan Kaminsky)
Date: Tue, 01 Jul 2003 16:16:58 -0700
Subject: Generating DSA keys of different length
In-Reply-To: <20030701193628.GB16819@folly>
References: <20030701164205.GA26610@folly> <20030701170530.93391.qmail@web12205.mail.yahoo.com> <20030701193628.GB16819@folly>
Message-ID: <3F02166A.9020707@doxpara.com>

Markus Friedl wrote:
>only 1024 bit dsa/dss keys will interoperate with
>other implementations.
>
>if you want to use more bits, then use rsa, there's
>(almost) no reason to use dsa/dss.
>

That seems very strange. Even with the patent expired, SSH is a better product for being able to support both keying standards. I'm not sure I can agree with a policy that says "You don't need more bits than that."

See http://www.theinternet.cc/potatoware/PSKB-035.html . Of note is that the attacks they describe would require the breakage of RSA to be implemented.

--Dan

From dtucker at zip.com.au Wed Jul 2 09:21:11 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 02 Jul 2003 09:21:11 +1000
Subject: 2 poss improvements to 3.6.1p2/passexpire21
References:
Message-ID: <3F021767.F07C4FD6@zip.com.au>

"Elwell, AD (Andrew)" wrote:
> Yep,
>
> seems to have done the trick,

The patch was (rightly) bounced by mindrot as being too big. If anyone else wants it:

http://www.zip.com.au/~dtucker/openssh/openssh-3.6.1p2-passexpire22.patch

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From markus at openbsd.org Wed Jul 2 17:38:10 2003
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 2 Jul 2003 09:38:10 +0200
Subject: Generating DSA keys of different length
In-Reply-To: <3F02166A.9020707@doxpara.com>
References: <20030701164205.GA26610@folly> <20030701170530.93391.qmail@web12205.mail.yahoo.com> <20030701193628.GB16819@folly> <3F02166A.9020707@doxpara.com>
Message-ID: <20030702073809.GA14771@folly>

On Tue, Jul 01, 2003 at 04:16:58PM -0700, Dan Kaminsky wrote:
> Markus Friedl wrote:
>
> >only 1024 bit dsa/dss keys will interoperate with
> >other implementations.
> >
> >if you want to use more bits, then use rsa, there's
> >(almost) no reason to use dsa/dss.
> >
> >
> That seems very strange. Even with the patent expired, SSH is a better
> product for being able to support both keying standards. I'm not sure I
> can agree with a policy that says "You don't need more bits than that."

not a policy, a standard.

From larsch at trustcenter.de Wed Jul 2 19:11:07 2003
From: larsch at trustcenter.de (Nils Larsch)
Date: Wed, 02 Jul 2003 11:11:07 +0200
Subject: Fw: Problem/bug report for "bad decrypted len" error in OpenSSH
In-Reply-To: <001801c340c6$49a8b000$0100a8c0@HOME>
References: <001801c340c6$49a8b000$0100a8c0@HOME>
Message-ID: <3F02A1AB.6090205@trustcenter.de>

Stefan Hadjistoytchev wrote:
....
> If anyone wants to do a private key sign, and the key is located in a device
> or the Microsoft certificate store in which the private key cannot be
> accessed directly ( you cannot access the private key directly for
> encryption or decryption ) he must use Microsoft Crypto API. That exact
> Microsoft Crypto API method always returns 36 bytes instead of the 35 bytes

The length of the PKCS#1 DigestInfo should depend on the hash alg and if you select CALG_SHA it should be 35.

> (OpenSSH standard).

That's not an OpenSSH issue, the format of the signature is specified in PKCS#1.

>
> A private key sign is the method by which both SSL and SSH uses to do
> authentication. What this really means is the host sends an authentication
> challenge to the host which is signed by the workstation (private key
> encrypt) and is then decrypted with the public key by the host. Since only
> the owner of the private key can encrypt data which can be decrypted by the
> public key held by the host, the host feels he can trust the connection.
>
> The method used within the crypto API is:
>
> (1) Obtain the context for the private key using the public key contained
> within the certificate.
> (2) Create a hash of the challenge using the CALG_SSL3_SHAMD5 method.

As far as I know OpenSSH (v2) uses the CALG_SHA method (note: the length of the CALG_SSL3_SHAMD5 method is indeed 36, but that's not what we want here, but with this I don't really understand why it worked without the length check).

> (3) Sign the hash
> (4) return to host
>
> (Notes:
> 1. This all pertains only to SSH-2. SSH-1 uses another method, and in
> fact cannot be done using private keys that cannot be accessed directly;

Using OpenSC I can use smartcards and ssh-1 :-)

Nils

From sth at hq.bsbg.net Wed Jul 2 16:36:27 2003
From: sth at hq.bsbg.net (Stefan Hadjistoytchev)
Date: Wed, 2 Jul 2003 09:36:27 +0300
Subject: Fw: Problem/bug report for "bad decrypted len" error in OpenSSH
References: <001801c340c6$49a8b000$0100a8c0@HOME> <20030701211703.B10239@greenie.muc.de>
Message-ID: <009d01c34064$4428aed0$4102010a@dev.bnet>

They do not use Microsoft API, but have their own API to communicate with smart-cards. The problem with them is that your smart-card must be supported by them :(

----- Original Message -----
From: "Gert Doering"
To: "Stefan Hadjistoytchev"
Cc: ; ; "Markus Friedl"
Sent: Tuesday, July 01, 2003 10:17 PM
Subject: Re: Fw: Problem/bug report for "bad decrypted len" error in OpenSSH

> Hi,
>
> On Wed, Jul 02, 2003 at 09:18:04PM +0300, Stefan Hadjistoytchev wrote:
> > 3. Those that use servers from SSH Data Communications do not have the
> > problem. )
>
> Sounds as if they are just not doing sanity checking on their input data.
> No?
>
> gert
> -- 
> USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
> Gert Doering - Munich, Germany gert at greenie.muc.de
> fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de
>

From sxw at inf.ed.ac.uk Wed Jul 2 09:27:38 2003
From: sxw at inf.ed.ac.uk (Simon Wilkinson)
Date: Wed, 2 Jul 2003 00:27:38 +0100 (BST)
Subject: Kerberos Support in OpenSSH
In-Reply-To: <1057079010.25258.16.camel@smoogen1.lanl.gov>
Message-ID:

> > Please (re)read the mailing list archive; review, audit and shrink
> > the GSS API patches. Then they might be integrated. GSS userauth
> > could be integrated first

Markus, Jakob Schlyter and I were exchanging email about a cut down set of patches. There's a GSSAPI patch which does only userauth, is reformatted into KNF, and which was being reviewed by others. I haven't heard recently about the progress of this.

Cheers,

Simon.

From larsch at trustcenter.de Wed Jul 2 19:28:25 2003
From: larsch at trustcenter.de (Nils Larsch)
Date: Wed, 02 Jul 2003 11:28:25 +0200
Subject: Generating DSA keys of different length
In-Reply-To: <20030701145020.84315.qmail@web12208.mail.yahoo.com>
References: <20030701145020.84315.qmail@web12208.mail.yahoo.com>
Message-ID: <3F02A5B9.6070904@trustcenter.de>

Greg Lambert wrote:
> When I try to create a dsa set of key files with -b 999, the key appears
> to be created with the default of 1024. This does not happen for type
> rsa or rsa1 keys. They get created with the number of bits I
> specified. I can't find this problem in the archives.

OpenSSH uses the OpenSSL DSA_generate_parameters function to generate the DSA parameters. DSA_generate_parameters rounds the bit length off to a multiple of 64 bits (as specified in http://www.itl.nist.gov/fipspubs/fip186.htm ) => in your case 1024 bits.

Nils

From markus at openbsd.org Wed Jul 2 17:48:01 2003
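Greg's transcript above checks the generated size with ssh-keygen -l, which reads it from the key itself. As an added example (not OpenSSH or OpenSSL code), the following Python reads a public key line in the encoding the transport draft gives for key blobs (a string holding the type, then the mpints), reports the bit size that ssh-keygen -l prints for ssh-rsa and ssh-dss keys, and applies the FIPS 186 rounding to a multiple of 64 that Nils describes. The keys in it are constructed placeholders, not real moduli or primes, and the 512-bit floor in dsa_param_bits is this example's assumption.

```python
"""Added example (not OpenSSH code): parse the SSH public key blob format
(string type, then mpints), report the key size the way ssh-keygen -l does,
and show the FIPS 186 rounding that turns '-b 999' into 1024 for DSA.
All key material below is constructed, not real."""
import base64
import struct


def encode_string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def encode_mpint(value: int) -> bytes:
    """SSH 'mpint': two's-complement big-endian; a leading 0x00 is added
    when the top bit of a positive number is set."""
    if value == 0:
        return struct.pack(">I", 0)
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return encode_string(raw)


def read_string(buf: bytes, off: int):
    """Read one SSH string at offset off; refuse lengths past the end."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("string runs past end of blob")
    return buf[off:off + n], off + n


def read_mpint(buf: bytes, off: int):
    raw, off = read_string(buf, off)
    return int.from_bytes(raw, "big", signed=True), off


def make_pubkey_line(keytype: str, numbers, comment: str) -> str:
    """Build an authorized_keys-style line from constructed parameters."""
    blob = encode_string(keytype.encode()) + b"".join(encode_mpint(v) for v in numbers)
    return "%s %s %s" % (keytype, base64.b64encode(blob).decode(), comment)


def key_bits(line: str) -> int:
    """Size in bits of the RSA modulus n or the DSA prime p, as ssh-keygen -l reports."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared = fields[0]
    blob = base64.b64decode(fields[1])
    inner, off = read_string(blob, 0)
    if inner.decode() != declared:
        raise ValueError("type inside blob (%r) != declared %r" % (inner, declared))
    if declared == "ssh-rsa":          # string "ssh-rsa", mpint e, mpint n
        _e, off = read_mpint(blob, off)
        n, off = read_mpint(blob, off)
        size = n.bit_length()
    elif declared == "ssh-dss":        # string "ssh-dss", mpint p, q, g, y
        p, off = read_mpint(blob, off)
        _q, off = read_mpint(blob, off)
        _g, off = read_mpint(blob, off)
        _y, off = read_mpint(blob, off)
        size = p.bit_length()
    else:
        raise ValueError("unsupported key type %r" % declared)
    if off != len(blob):
        raise ValueError("%d trailing bytes after key blob" % (len(blob) - off))
    return size


def dsa_param_bits(requested: int) -> int:
    """Size the DSA parameter generation actually uses: FIPS 186 defines the
    prime length in steps of 64 bits, so the request is rounded up to the
    next multiple of 64 (999 -> 1024, as in the thread).  Raising requests
    below 512 to FIPS 186's minimum is this example's assumption."""
    if requested < 512:
        requested = 512
    return (requested + 63) // 64 * 64


# Constructed sample keys: numbers of the right size, not real moduli/primes.
SAMPLE_RSA = make_pubkey_line("ssh-rsa", [65537, (1 << 2047) | 1], "constructed-rsa")
SAMPLE_DSS_512 = make_pubkey_line(
    "ssh-dss", [(1 << 511) | 1, (1 << 159) | 1, 2, 3], "constructed-dss")

if __name__ == "__main__":
    print(key_bits(SAMPLE_RSA), "bit RSA")            # 2048
    print(key_bits(SAMPLE_DSS_512), "bit DSA")        # 512, like Greg's -b 512 run
    print("-b 999 for DSA gives", dsa_param_bits(999))  # 1024
```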
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 2 Jul 2003 09:48:01 +0200
Subject: Fw: Problem/bug report for "bad decrypted len" error in OpenSSH
In-Reply-To: <3F022D82.1080307@doxpara.com>
References: <001801c340c6$49a8b000$0100a8c0@HOME> <3F022D82.1080307@doxpara.com>
Message-ID: <20030702074801.GB14771@folly>

On Tue, Jul 01, 2003 at 05:55:30PM -0700, Dan Kaminsky wrote:
>
> >If anyone wants to do a private key sign, and the key is located in a device
> >or the Microsoft certificate store in which the private key cannot be
> >accessed directly ( you cannot access the private key directly for
> >encryption or decryption ) he must use Microsoft Crypto API. That exact
> >Microsoft Crypto API method always returns 36 bytes instead of the 35 bytes
> >(OpenSSH standard).
> >
> >
> This number cannot be correct; neither RSA nor DSA can (easily) provide
> digital signatures in 280/288 bits.

this is about something different. this is about pkcs#1

From markus at openbsd.org Wed Jul 2 18:04:00 2003
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 2 Jul 2003 10:04:00 +0200
Subject: Fw: Problem/bug report for "bad decrypted len" error in OpenSSH
In-Reply-To: <001801c340c6$49a8b000$0100a8c0@HOME>
References: <001801c340c6$49a8b000$0100a8c0@HOME>
Message-ID: <20030702080400.GC14771@folly>

On Wed, Jul 02, 2003 at 09:18:04PM +0300, Stefan Hadjistoytchev wrote:
> Markus and Damien,
>
> here is a more detailed explanation about BUG report at
> "http://bugzilla.mindrot.org/show_bug.cgi?id=592" concerning
> "bad decrypted len" error in OpenSSH:
>
> If anyone wants to do a private key sign, and the key is located in a device
> or the Microsoft certificate store in which the private key cannot be
> accessed directly ( you cannot access the private key directly for
> encryption or decryption ) he must use Microsoft Crypto API. That exact
> Microsoft Crypto API method always returns 36 bytes instead of the 35 bytes
> (OpenSSH standard).
>
> A private key sign is the method by which both SSL and SSH uses to do
> authentication. What this really means is the host sends an authentication
> challenge to the host which is signed by the workstation (private key
> encrypt) and is then decrypted with the public key by the host. Since only
> the owner of the private key can encrypt data which can be decrypted by the
> public key held by the host, the host feels he can trust the connection.
>
> The method used within the crypto API is:
>
> (1) Obtain the context for the private key using the public key contained
> within the certificate.
> (2) Create a hash of the challenge using the CALG_SSL3_SHAMD5 method.

hm, i think that's wrong. this is a 'ssl signature', not the signature used by ssh. openssl calls this:

	/* Size of an SSL signature: MD5+SHA1 */
	#define SSL_SIG_LENGTH 36

and it's used for NID_md5_sha1, while ssh uses NID_sha1 (or NID_md5 for older implementations).

> (3) Sign the hash
> (4) return to host
>
> (Notes:
> 1. This all pertains only to SSH-2. SSH-1 uses another method, and in
> fact cannot be done using private keys that cannot be accessed directly;
> 2. This only pertains to certificate based private/public keys. If you
> use normal OpenSSH keys, then you do not have the problem since the private
> key can be accessed directly
> 3. Those that use servers from SSH Data Communications do not have the
> problem. )
>
>
> Best regards
> Stefan
>

From gert at greenie.muc.de Wed Jul 2 18:21:01 2003
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 2 Jul 2003 10:21:01 +0200
Subject: Fw: Problem/bug report for "bad decrypted len" error in OpenSSH
In-Reply-To: <009d01c34064$4428aed0$4102010a@dev.bnet>; from sth@hq.bsbg.net on Wed, Jul 02, 2003 at 09:36:27AM +0300
References: <001801c340c6$49a8b000$0100a8c0@HOME> <20030701211703.B10239@greenie.muc.de> <009d01c34064$4428aed0$4102010a@dev.bnet>
Message-ID: <20030702102100.L10239@greenie.muc.de>

Hi,

On Wed, Jul 02, 2003 at 09:36:27AM +0300, Stefan Hadjistoytchev wrote:
> They do not use Microsoft API, but have their own API to communicate with
> smart-cards. The problem with them is that your smart-card must be supported
> by them :(

This makes no sense. The smart-card is on the client, not on the server - so if you change the *server*, it will not affect the way that the client talks to the smart-card, or what's being sent over the wire.

gert

[..]
> > On Wed, Jul 02, 2003 at 09:18:04PM +0300, Stefan Hadjistoytchev wrote:
> > > 3. Those that use servers from SSH Data Communications do not have the
> > > problem. )
> >
> > Sounds as if they are just not doing sanity checking on their input data.
> > No?
> >
> > gert
> > -- 
> > USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
> > Gert Doering - Munich, Germany gert at greenie.muc.de
> > fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de
> >

-- 
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de

From sth at hq.bsbg.net Wed Jul 2 20:45:12 2003
From: sth at hq.bsbg.net (Stefan Hadjistoytchev)
Date: Wed, 2 Jul 2003 13:45:12 +0300
Subject: Fw: Problem/bug report for "bad decrypted len" error in OpenSSH
References: <001801c340c6$49a8b000$0100a8c0@HOME> <20030701211703.B10239@greenie.muc.de> <009d01c34064$4428aed0$4102010a@dev.bnet> <20030702102100.L10239@greenie.muc.de>
Message-ID: <012501c34087$04b85de0$4102010a@dev.bnet>

But if You use Microsoft API you receive these 36 bytes.

----- Original Message -----
From: "Gert Doering"
To: "Stefan Hadjistoytchev"
Cc: "Gert Doering" ; ; ; "Markus Friedl"
Sent: Wednesday, July 02, 2003 11:21 AM
Subject: Re: Fw: Problem/bug report for "bad decrypted len" error in OpenSSH

> Hi,
>
> On Wed, Jul 02, 2003 at 09:36:27AM +0300, Stefan Hadjistoytchev wrote:
> > They do not use Microsoft API, but have their own API to communicate with
> > smart-cards. The problem with them is that your smart-card must be supported
> > by them :(
>
> This makes no sense. The smart-card is on the client, not on the server -
> so if you change the *server*, it will not affect the way that the client
> talks to the smart-card, or what's being sent over the wire.
>
> gert
>
> [..]
> > > On Wed, Jul 02, 2003 at 09:18:04PM +0300, Stefan Hadjistoytchev wrote:
> > > > 3. Those that use servers from SSH Data Communications do not have the
> > > > problem. )
> > >
> > > Sounds as if they are just not doing sanity checking on their input data.
> > > No?
> > >
> > > gert
> > > -- 
> > > USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
> > > Gert Doering - Munich, Germany gert at greenie.muc.de
> > > fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de
> > >
>
> -- 
> USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
> Gert Doering - Munich, Germany gert at greenie.muc.de
> fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de
>

From markus at openbsd.org Wed Jul 2 20:50:35 2003
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 2 Jul 2003 12:50:35 +0200
Subject: Fw: Problem/bug report for "bad decrypted len" error in OpenSSH
In-Reply-To: <3F02A1AB.6090205@trustcenter.de>
References: <001801c340c6$49a8b000$0100a8c0@HOME> <3F02A1AB.6090205@trustcenter.de>
Message-ID: <20030702105034.GA17197@folly>

On Wed, Jul 02, 2003 at 11:11:07AM +0200, Nils Larsch wrote:
> >(2) Create a hash of the challenge using the CALG_SSL3_SHAMD5 method.
>
> As far as I know OpenSSH (v2) uses the CALG_SHA method (note: the
> length of the CALG_SSL3_SHAMD5 method is indeed 36, but that's not
> what we want here, but with this I don't really understand why it
> worked without the length check).

yes, that's the problem. CALG_SHA should be used for ssh (instead of CALG_SSL3_SHAMD5). at least this is how i read draft-ietf-secsh-transport-15.txt:

   The "ssh-rsa" key format has the following specific encoding:

      string    "ssh-rsa"
      mpint     e
      mpint     n

   Here the e and n parameters form the signature key blob.

   Signing and verifying using this key format is done according to
   [SCHNEIER] and [PKCS1] using the SHA-1 hash.

From djm at mindrot.org Wed Jul 2 22:20:11 2003
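An added example, not code from OpenSSH, OpenSSL or the Microsoft Crypto API, of the two blocks this thread compares: the 35-byte SHA-1 DigestInfo (CALG_SHA / NID_sha1) that an ssh-rsa signature is computed over per PKCS#1, versus the 36-byte MD5||SHA-1 block (CALG_SSL3_SHAMD5 / NID_md5_sha1, OpenSSL's SSL_SIG_LENGTH) that an SSL signature uses, together with the verifier-side length check that rejects the latter. It works on the block that the raw RSA public operation yields, so no key material is involved; the padding helper, the sample message and the exact error string are constructed here.

```python
"""Added example (not OpenSSH/OpenSSL/CryptoAPI code): why a CALG_SSL3_SHAMD5
result is 36 bytes, a CALG_SHA result is 35, and how a PKCS#1 verifier
rejects the former with a 'bad decrypted len' style error."""
import hashlib

# DER prefix of DigestInfo { AlgorithmIdentifier sha1 + NULL, OCTET STRING(20) }
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")   # 15 bytes
# Same for MD5 (used by older ssh implementations): 18-byte prefix + 16-byte hash
MD5_DIGESTINFO_PREFIX = bytes.fromhex("3020300c06082a864886f70d020505000410")
SSL_SIG_LENGTH = 36  # MD5 || SHA-1 with no DigestInfo: what an SSL3/TLS1 RSA signature covers


def ssh_rsa_sign_input(message: bytes, use_md5: bool = False) -> bytes:
    """The block ssh-rsa hands to RSA: a PKCS#1 DigestInfo, 35 bytes for SHA-1
    (NID_sha1) or 34 for MD5 (NID_md5)."""
    if use_md5:
        return MD5_DIGESTINFO_PREFIX + hashlib.md5(message).digest()
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()


def ssl3_sign_input(message: bytes) -> bytes:
    """What CALG_SSL3_SHAMD5 / NID_md5_sha1 signs: raw MD5 || SHA-1, 36 bytes."""
    return hashlib.md5(message).digest() + hashlib.sha1(message).digest()


def pkcs1_v15_pad(t: bytes, modulus_len: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding 00 01 FF..FF 00 T: the block the signer
    exponentiates and the verifier gets back from the public operation."""
    ps_len = modulus_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too small for this DigestInfo")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def check_decrypted(decrypted: bytes, message: bytes, use_md5: bool = False) -> bool:
    """Verifier side, after the raw RSA public operation: strip the padding,
    insist the payload is exactly prefix + digest (the length check that
    yields the 'bad decrypted len' error in the thread), then compare digests."""
    if len(decrypted) < 11 or decrypted[0:2] != b"\x00\x01":
        raise ValueError("bad PKCS#1 block type")
    sep = decrypted.find(b"\x00", 2)
    if sep < 10 or any(b != 0xFF for b in decrypted[2:sep]):
        raise ValueError("bad PKCS#1 padding string")
    payload = decrypted[sep + 1:]
    prefix = MD5_DIGESTINFO_PREFIX if use_md5 else SHA1_DIGESTINFO_PREFIX
    hlen = 16 if use_md5 else 20
    if len(payload) != len(prefix) + hlen:
        raise ValueError("bad decrypted len: %d != %d + %d" % (len(payload), hlen, len(prefix)))
    if payload[:len(prefix)] != prefix:
        raise ValueError("DigestInfo prefix (hash OID) mismatch")
    expected = (hashlib.md5 if use_md5 else hashlib.sha1)(message).digest()
    return payload[len(prefix):] == expected


MODULUS_LEN = 128  # byte length of a 1024-bit modulus (constructed size)
MESSAGE = b"constructed ssh userauth signature input"


def demo() -> dict:
    """Run both inputs through the verifier: CALG_SHA passes, CALG_SSL3_SHAMD5
    trips the length check."""
    good = pkcs1_v15_pad(ssh_rsa_sign_input(MESSAGE), MODULUS_LEN)
    wrong = pkcs1_v15_pad(ssl3_sign_input(MESSAGE), MODULUS_LEN)
    results = {"sha1_ok": check_decrypted(good, MESSAGE)}
    try:
        check_decrypted(wrong, MESSAGE)
        results["ssl3_err"] = None
    except ValueError as err:
        results["ssl3_err"] = str(err)
    return results


if __name__ == "__main__":
    print(len(ssh_rsa_sign_input(MESSAGE)), "bytes for CALG_SHA")        # 35
    print(len(ssl3_sign_input(MESSAGE)), "bytes for CALG_SSL3_SHAMD5")   # 36
    print(demo())
```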
From: djm at mindrot.org (Damien Miller)
Date: Wed, 02 Jul 2003 22:20:11 +1000
Subject: Kerberos Support in OpenSSH
In-Reply-To:
References:
Message-ID: <3F02CDFB.4040605@mindrot.org>

Simon Wilkinson wrote:
>> > Please (re)read the mailing list archive; review, audit and shrink
>> > the GSS API patches. Then they might be integrated. GSS userauth
>> > could be integrated first
>
> Markus, Jakob Schlyter and I were exchanging email about a cut down set of
> patches. There's a GSSAPI patch which does only userauth, is reformatted
> into KNF, and which was being reviewed by others. I haven't heard recently
> about the progress of this.

Jakob has been working on it.

Please note that posting wordy position papers, "me too" messages and other "contributions" from non-developers will not make this happen any faster.

-d

From djm at mindrot.org Wed Jul 2 22:22:15 2003
From: djm at mindrot.org (Damien Miller)
Date: Wed, 02 Jul 2003 22:22:15 +1000
Subject: Fw: Problem/bug report for "bad decrypted len" error in OpenSSH
In-Reply-To: <012501c34087$04b85de0$4102010a@dev.bnet>
References: <001801c340c6$49a8b000$0100a8c0@HOME> <20030701211703.B10239@greenie.muc.de> <009d01c34064$4428aed0$4102010a@dev.bnet> <20030702102100.L10239@greenie.muc.de> <012501c34087$04b85de0$4102010a@dev.bnet>
Message-ID: <3F02CE77.8030500@mindrot.org>

Stefan Hadjistoytchev wrote:
> But if You use Microsoft API you receive these 36 bytes.

So what? If the API returns junk, the user either fixes the API or cleans up after it - before it ends up on the wire.

-d

>> Hi,
>>
>> On Wed, Jul 02, 2003 at 09:36:27AM +0300, Stefan Hadjistoytchev wrote:
>> > They do not use Microsoft API, but have their own API to communicate
> with
>> > smart-cards. The problem with them is that your smart-card must be
> supported
>> > by them :(
>>
>> This makes no sense. The smart-card is on the client, not on the server -
>> so if you change the *server*, it will not affect the way that the client
>> talks to the smart-card, or what's being sent over the wire.

From code at pizzashack.org Thu Jul 3 04:49:12 2003
From: code at pizzashack.org (Derek Martin)
Date: Wed, 2 Jul 2003 14:49:12 -0400
Subject: [semi-OT] rssh
Message-ID: <20030702184912.GA5617@sophic.org>

I released rssh v2.0.4 today. It fixes bugs in the parser which affect quoted arguments in the config file, as well as the code which builds the vector for the arguments to the exec call. In the latter case, arguments which contain a space were treated as two separate args.

The man page was also updated to include information about quoting values which contain spaces in the config file. This functionality was previously undocumented, so it should affect almost no one, but it does cause a segfault in rssh versions <= 2.0.3 if you try to quote values in the config file. For example, you might want to chroot to a directory which contains a space:

chrootpath="/usr/local/chroot home"

[Personally, I think including spaces in paths is generally a bad idea, but there may be times when it is desirable/necessary.]

Additionally, the default shell options were modified to allow only scp, in the event that no config file is present.

Learn more about rssh: http://www.pizzashack.org/rssh/
Downloads: http://www.pizashack.org/rssh/downloads.shtml

Enjoy!

-- 
Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0x81CFE75D

From x1iz6iegh4d at aol.com Thu Jul 3 06:11:31 2003
From: x1iz6iegh4d at aol.com (Kenneth Crow)
Date: Wed, 02 Jul 03 20:11:31 GMT
Subject: new...no more mosquito bites with this
Message-ID:

Say GoodBye to MOSQUITO/BLACK FLY Bites Forever!

The newest technology is a device that gives off a sound that only bugs can hear. Guess What? They hate it! This handy device works up to 25 feet so the bugs will stay clear of you and your family.

The Mosquito Repeller does the following:
* Keeps harmful flies away up to 25 feet
* Protects you and your loved ones in the process
* Protects against viruses carried by flies such as WEST NILE
* Great for Outdoor enthusiasts, hunters, fisherman, & everyday people!

This is a must have. We all encounter flies and they are a problem. We GUARANTEE it will work or your money back. Simple as that.

Special Internet offer of ONLY $29.95 !
http://www.2bdjuv.com/cart/customer/product.php?productid=16161&cl=2&partner=affil21

* As seen on the Discovery Channel, ABC News, & NBC's Dateline

To be removed click below:
http://www.2bdjuv.com/1/

From hayward at slothmud.org Thu Jul 3 09:22:13 2003
From: hayward at slothmud.org (hayward at slothmud.org)
Date: Wed, 2 Jul 2003 18:22:13 -0500 (CDT)
Subject: Password Expiry...
In-Reply-To: <3EFCEE5E.4AF71D2F@zip.com.au>
Message-ID:

Quite a while back, it was mentioned that for 3.7, password expiry would be addressed. Is this still the case? Will the password expiry patch that is commonly available be used? Or will some other mechanism be used to accomplish this well needed functionality?

Thanks,
Brian Hayward

>>I have put up a passexpire21 patch. This is the only change from

From dan at doxpara.com Wed Jul 2 10:55:30 2003
From: dan at doxpara.com (Dan Kaminsky)
Date: Tue, 01 Jul 2003 17:55:30 -0700
Subject: Fw: Problem/bug report for "bad decrypted len" error in OpenSSH
In-Reply-To: <001801c340c6$49a8b000$0100a8c0@HOME>
References: <001801c340c6$49a8b000$0100a8c0@HOME>
Message-ID: <3F022D82.1080307@doxpara.com>

>If anyone wants to do a private key sign, and the key is located in a device
>or the Microsoft certificate store in which the private key cannot be
>accessed directly ( you cannot access the private key directly for
>encryption or decryption ) he must use Microsoft Crypto API. That exact
>Microsoft Crypto API method always returns 36 bytes instead of the 35 bytes
>(OpenSSH standard).
>
>

This number cannot be correct; neither RSA nor DSA can (easily) provide digital signatures in 280/288 bits.

> 1. This all pertains only to SSH-2. SSH-1 uses another method, and in
>fact cannot be done using private keys that cannot be accessed directly;
>

SSHv2 uses sign-and-verify; SSHv1 uses encrypt-and-prove-decrypt. Both should be compatible with crypto tokens -- "here, decrypt this" is no different than "here, sign this".

--Dan

From dtucker at zip.com.au Thu Jul 3 11:24:07 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 03 Jul 2003 11:24:07 +1000
Subject: Password Expiry...
References:
Message-ID: <3F0385B7.7C4C71F9@zip.com.au>

hayward at slothmud.org wrote:
> Quite a while back, it was mentioned that for 3.7, password expiry would
> be addressed. Is this still the case?

That's the plan, yes.

> Will the password expiry patch that is commonly available be used?

For the non-PAM case (AIX, /etc/shadow, maybe HP-UX), probably. I haven't looked at PAM since it was changed.

At the moment I'm waiting for some infrastructure changes to either go into OpenBSD or not (a "get login messages" monitor call, see [1]). If that (or something like it) goes in, then the changes can be sync'ed to Portable and I can rework the patch. If not, I'll update the existing patch to -current and see what people think of it.

[1] http://bugzilla.mindrot.org/show_bug.cgi?id=463

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dtucker at zip.com.au Thu Jul 3 14:42:07 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 03 Jul 2003 14:42:07 +1000
Subject: AIX cleanups: includes and arguments
Message-ID: <3F03B41F.D8B474B0@zip.com.au>

Hi All.

First the questions: Is there anything objectionable in this patch? Is AUDIT_FAIL_AUTH appropriate for the "Reason" field?

Now the details: attached is a patch that changes some of the #includes for AIX. It moves the AIX-specific includes to port-aix.h and adds includes that contain the prototypes for many of the authentication functions. The idea is to fix some warnings.

Unfortunately this exposes a couple of problems:
* setpcred call does not match prototype
* loginfailed on AIX 5.2 takes an (optional?) extra argument: Reason

The patch changes the setpcred call to:
setpcred(pw->pw_name, (char **)NULL);

It also adds configure magic to detect a 4-arg loginfailed and #defines to use the appropriate call (hidden in port-aix.c, fortunately):
loginfailed((char *)user, hostname, (char *)ttyname, AUDIT_FAIL_AUTH);

There are still a couple of warnings left which I hope to address in other patches.

-Daz.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

-------------- next part --------------
Index: acconfig.h =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/acconfig.h,v retrieving revision 1.157 diff -u -r1.157 acconfig.h --- acconfig.h 11 Jun 2003 12:51:32 -0000 1.157 +++ acconfig.h 1 Jul 2003 12:22:40 -0000 
@@ -110,6 +110,9 @@ /* Define if you want to enable AIX4's authenticate function */ #undef WITH_AIXAUTHENTICATE +/* Define if your AIX loginfailed() function takes 4 arguments */ +#undef AIX_LOGINFAILED_4ARG + /* Define if you have/want arrays (cluster-wide session managment, not C arrays) */ #undef WITH_IRIX_ARRAY Index: auth-passwd.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-passwd.c,v retrieving revision 1.54 diff -u -r1.54 auth-passwd.c --- auth-passwd.c 3 Jun 2003 00:25:48 -0000 1.54 +++ auth-passwd.c 2 Jul 2003 04:57:12 -0000 @@ -42,15 +42,13 @@ #include "log.h" #include "servconf.h" #include "auth.h" +#include "canohost.h" #if !defined(HAVE_OSF_SIA) /* Don't need any of these headers for the SIA cases */ # ifdef HAVE_CRYPT_H # include # endif -# ifdef WITH_AIXAUTHENTICATE -# include -# endif # ifdef __hpux # include # include @@ -150,7 +148,7 @@ } # endif # ifdef WITH_AIXAUTHENTICATE - authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); + authsuccess = (authenticate((char *)pw->pw_name,password,&reenter,&authmsg) == 0); if (authsuccess) { /* We don't have a pty yet, so just label the line as "ssh" */ Index: configure.ac =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/configure.ac,v retrieving revision 1.130 diff -u -r1.130 configure.ac --- configure.ac 30 Jun 2003 09:21:36 -0000 1.130 +++ configure.ac 2 Jul 2003 03:57:23 -0000 
@@ -75,12 +75,25 @@ AC_MSG_RESULT($blibflags) fi LDFLAGS="$saved_LDFLAGS" - AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)], + dnl Check for authenticate. Might be in libs.a on older AIXes + AC_CHECK_FUNC(authenticate, [with_aixauthenticate=1], [AC_CHECK_LIB(s,authenticate, - [ AC_DEFINE(WITH_AIXAUTHENTICATE) + [ with_aixaixauthenticate=1 LIBS="$LIBS -ls" ]) ]) + dnl Check if loginfailed takes 4 arguments + if (test "x$with_aixauthenticate" = "x1" ); then + AC_DEFINE(WITH_AIXAUTHENTICATE) + AC_MSG_CHECKING(if loginfailed takes 4 arguments) + AC_TRY_COMPILE( + [#include ], + [(void)loginfailed("user","host","tty",0);], + [AC_MSG_RESULT(yes) + AC_DEFINE(AIX_LOGINFAILED_4ARG)], + [AC_MSG_RESULT(no)] + ) + fi AC_DEFINE(BROKEN_GETADDRINFO) AC_DEFINE(BROKEN_REALPATH) dnl AIX handles lastlog as part of its login message @@ -456,8 +469,8 @@ login_cap.h maillock.h netdb.h netgroup.h \ netinet/in_systm.h paths.h pty.h readpassphrase.h \ rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \ - strings.h sys/strtio.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h \ - sys/mman.h sys/pstat.h sys/select.h sys/stat.h \ + strings.h sys/strtio.h sys/audit.h sys/bitypes.h sys/bsdtty.h \ + sys/cdefs.h sys/mman.h sys/pstat.h sys/select.h sys/stat.h \ sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \ sys/un.h time.h tmpdir.h ttyent.h usersec.h \ util.h utime.h utmp.h utmpx.h) Index: session.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/session.c,v retrieving revision 1.238 diff -u -r1.238 session.c --- session.c 3 Jun 2003 00:25:48 -0000 1.238 +++ session.c 2 Jul 2003 04:37:09 -0000 
@@ -1215,7 +1215,7 @@ { #ifdef HAVE_SETPCRED - setpcred(pw->pw_name); + setpcred(pw->pw_name, (char **)NULL); #endif /* HAVE_SETPCRED */ #ifdef HAVE_LOGIN_CAP # ifdef __bsdi__ Index: openbsd-compat/port-aix.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/openbsd-compat/port-aix.c,v retrieving revision 1.10 diff -u -r1.10 port-aix.c --- openbsd-compat/port-aix.c 3 Jun 2003 02:45:27 -0000 1.10 +++ openbsd-compat/port-aix.c 2 Jul 2003 05:01:34 -0000 @@ -68,9 +68,13 @@ void record_failed_login(const char *user, const char *ttyname) { - char *hostname = get_canonical_hostname(options.use_dns); + char *hostname = (char *)get_canonical_hostname(options.use_dns); - loginfailed(user, hostname, ttyname); +# ifdef AIX_LOGINFAILED_4ARG + loginfailed((char *)user, hostname, (char *)ttyname, AUDIT_FAIL_AUTH); +# else + loginfailed((char *)user, hostname, (char *)ttyname); +# endif } # endif /* CUSTOM_FAILED_LOGIN */ #endif /* _AIX */ Index: openbsd-compat/port-aix.h =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/openbsd-compat/port-aix.h,v retrieving revision 1.8 diff -u -r1.8 port-aix.h --- openbsd-compat/port-aix.h 2 May 2003 13:42:25 -0000 1.8 +++ openbsd-compat/port-aix.h 2 Jul 2003 01:17:06 -0000 @@ -26,6 +26,15 @@ #ifdef _AIX +#ifdef WITH_AIXAUTHENTICATE +# include +# include +# include +# ifdef HAVE_SYS_AUDIT_H +# include +# endif +#endif + /* AIX 4.2.x doesn't have nanosleep but does have nsleep which is equivalent */ #if !defined(HAVE_NANOSLEEP) && defined(HAVE_NSLEEP) # define nanosleep(a,b) nsleep(a,b) From dtucker at zip.com.au Thu Jul 3 14:51:30 2003 
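Review bot: the AC_CHECK_LIB fallback in the configure.ac hunk sets `with_aixaixauthenticate=1` (doubled "aix"), so on an AIX where authenticate() is only found in libs.a the later test `if (test "x$with_aixauthenticate" = "x1" )` is false, WITH_AIXAUTHENTICATE is never defined and the loginfailed probe never runs; the build silently loses AIX authentication on exactly the older systems the comment says it is catering for. Change it to `with_aixauthenticate=1`.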
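Review bot: the AIX_LOGINFAILED_4ARG branch in the port-aix.c hunk passes AUDIT_FAIL_AUTH, but the port-aix.h hunk only pulls in the audit header under HAVE_SYS_AUDIT_H and the configure probe compiles `(void)loginfailed("user","host","tty",0);` with a literal 0, so configure can answer "yes" on a system where AUDIT_FAIL_AUTH is not declared and the build then breaks inside record_failed_login(). Either probe with AUDIT_FAIL_AUTH itself or make the 4-arg branch also depend on HAVE_SYS_AUDIT_H. The new (char *) casts on user, ttyname and the get_canonical_hostname() result discard const to fit the AIX prototypes; a one-line comment saying that is why they are there would stop a later cleanup from removing them again.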
From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 03 Jul 2003 14:51:30 +1000 Subject: [PATCH] Speed up dynamic-forward regression test Message-ID: <3F03B652.832588D9@zip.com.au> Hi All. The attached patch speeds up the dynamic forwarding regression test: * moves starting the test sshd to the outer loop. * kills the sleep when it's no longer required. -Daz. $ time PATH="`pwd`:$PATH" sh ../regress/test-exec.sh `pwd` \ ../regress/dynamic-forward.orig.sh ok dynamic forwarding real 0m54.585s user 0m5.760s sys 0m0.370s $ time PATH="`pwd`:$PATH" sh ../regress/test-exec.sh `pwd` \ ../regress/dynamic-forward.sh ok dynamic forwarding real 0m13.066s user 0m5.330s sys 0m0.400s -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: regress/dynamic-forward.sh =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/regress/dynamic-forward.sh,v retrieving revision 1.1 diff -u -r1.1 dynamic-forward.sh --- regress/dynamic-forward.sh 28 Jun 2003 02:42:09 -0000 1.1 +++ regress/dynamic-forward.sh 3 Jul 2003 04:46:53 -0000
@@ -19,19 +19,17 @@ start_sshd for p in 1 2; do + trace "start dynamic forwarding, fork to background" + ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q somehost \ + "echo \$\$ >$OBJ/remote_pid; exec sleep 10" for s in 4; do for h in 127.0.0.1 localhost; do trace "testing ssh protocol $p socks version $s host $h" - trace "start dynamic forwarding, fork to background" - ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT somehost sleep 10 - - trace "transfer over forwarded channel and check result" ${SSH} -F $OBJ/ssh_config -o "ProxyCommand ${proxycmd}${s} $h $PORT" \ somehost cat /bin/ls > $OBJ/ls.copy test -f $OBJ/ls.copy || fail "failed copy /bin/ls" cmp /bin/ls $OBJ/ls.copy || fail "corrupted copy of /bin/ls" - - sleep 10 done done + kill -HUP `cat $OBJ/remote_pid` done From dtucker at zip.com.au Sat Jul 5 13:08:00 2003 
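Review bot: with the forwarding ssh now started once per protocol and `exec sleep 10` bounding its lifetime, those 10 seconds are the time budget for every transfer in the inner loops (two per protocol here); on a slow or loaded host the remote sleep can exit before the last copy, the SOCKS forward vanishes and the test reports "failed copy /bin/ls" instead of anything that points at a timeout. Since the process is killed explicitly via remote_pid at the end of each iteration, a much longer sleep costs nothing and removes the race. $OBJ/remote_pid is also never removed between iterations, so if the second `${SSH} -f -D` fails to start, `kill -HUP \`cat $OBJ/remote_pid\`` acts on the previous iteration's pid rather than failing the test; rm the file before starting the forward and `test -f` it before the kill.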
From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 05 Jul 2003 13:08:00 +1000 Subject: [PATCH] Replace AIX loginmsg with generic Buffer loginmsg Message-ID: <3F064110.CC0A5B6E@zip.com.au> Hi All. I've decided to try to merge the -Portable parts of the password expiry patch (see bug #14) that do not depend on the OpenBSD change in bug #463. The attached patch is the first step in this process. It removes the AIX-specific "char *aixloginmsg" and replaces it with a platform-neutral "Buffer loginmsg". I think this is worth having in -Portable even if it does not make it to OpenBSD. Does anyone see any problems with or have any objections to this patch? -Daz. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: auth-passwd.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-passwd.c,v retrieving revision 1.54 diff -u -r1.54 auth-passwd.c --- auth-passwd.c 3 Jun 2003 00:25:48 -0000 1.54 +++ auth-passwd.c 5 Jul 2003 02:17:59 -0000 @@ -42,6 +42,9 @@ #include "log.h" #include "servconf.h" #include "auth.h" +#include "buffer.h" +#include "xmalloc.h" +#include "canohost.h" #if !defined(HAVE_OSF_SIA) /* Don't need any of these headers for the SIA cases */ @@ -81,9 +84,7 @@ #endif /* !HAVE_OSF_SIA */ extern ServerOptions options; -#ifdef WITH_AIXAUTHENTICATE -extern char *aixloginmsg; -#endif +extern Buffer loginmsg; /* * Tries to authenticate the user using password. Returns true if 
@@ -151,15 +152,28 @@ # endif # ifdef WITH_AIXAUTHENTICATE authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); + aix_remove_embedded_newlines(authmsg); if (authsuccess) { + char *msg; + + debug3("AIX/authenticate succeeded for user %s: %.100s", + pw->pw_name, authmsg); + /* We don't have a pty yet, so just label the line as "ssh" */ if (loginsuccess(authctxt->user, - get_canonical_hostname(options.use_dns), - "ssh", &aixloginmsg) < 0) { - aixloginmsg = NULL; + get_canonical_hostname(options.use_dns), "ssh", &msg) == 0){ + if (msg != NULL) { + buffer_append(&loginmsg, msg, strlen(msg)); + xfree(msg); + } } + } else { + debug3("AIX/authenticate failed for user %s: %.100s", + pw->pw_name, authmsg); } + if (authmsg != NULL) + xfree(authmsg); return (authsuccess); # endif Index: auth.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v retrieving revision 1.73 diff -u -r1.73 auth.c --- auth.c 3 Jun 2003 00:25:48 -0000 1.73 +++ auth.c 5 Jul 2003 01:30:52 -0000 
@@ -206,26 +206,23 @@ * PermitRootLogin to control logins via ssh), or if running as * non-root user (since loginrestrictions will always fail). */ - if ((pw->pw_uid != 0) && (geteuid() == 0) && - loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { - int loginrestrict_errno = errno; + if ((pw->pw_uid != 0) && (geteuid() == 0)) { + char *msg; - if (loginmsg && *loginmsg) { - /* Remove embedded newlines (if any) */ - char *p; - for (p = loginmsg; *p; p++) { - if (*p == '\n') - *p = ' '; + if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg) != 0) { + int loginrestrict_errno = errno; + + if (msg && *msg) { + buffer_append(&loginmsg, msg, strlen(msg)); + aix_remove_embedded_newlines(msg); + logit("Login restricted for %s: %.100s", + pw->pw_name, msg); } - /* Remove trailing newline */ - *--p = '\0'; - logit("Login restricted for %s: %.100s", pw->pw_name, - loginmsg); + /* Don't fail if /etc/nologin set */ + if (!(loginrestrict_errno == EPERM && + stat(_PATH_NOLOGIN, &st) == 0)) + return 0; } - /* Don't fail if /etc/nologin set */ - if (!(loginrestrict_errno == EPERM && - stat(_PATH_NOLOGIN, &st) == 0)) - return 0; } #endif /* WITH_AIXAUTHENTICATE */ Index: session.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/session.c,v retrieving revision 1.238 diff -u -r1.238 session.c --- session.c 3 Jun 2003 00:25:48 -0000 1.238 +++ session.c 5 Jul 2003 02:21:49 -0000 @@ -95,6 +95,7 @@ extern u_int utmp_len; extern int startup_pipe; extern void destroy_sensitive_data(void); +extern Buffer loginmsg; /* original command from peer. */ const char *original_command = NULL; @@ -103,10 +104,6 @@ #define MAX_SESSIONS 10 Session sessions[MAX_SESSIONS]; -#ifdef WITH_AIXAUTHENTICATE -char *aixloginmsg; -#endif /* WITH_AIXAUTHENTICATE */ - #ifdef HAVE_LOGIN_CAP login_cap_t *lc; #endif 
@@ -770,10 +767,13 @@ if (options.use_pam && !is_pam_password_change_required()) print_pam_messages(); #endif /* USE_PAM */ -#ifdef WITH_AIXAUTHENTICATE - if (aixloginmsg && *aixloginmsg) - printf("%s\n", aixloginmsg); -#endif /* WITH_AIXAUTHENTICATE */ + + /* display post-login message */ + if (buffer_len(&loginmsg) > 0) { + buffer_append(&loginmsg, "\0", 1); + printf("%s\n", (char *)buffer_ptr(&loginmsg)); + } + buffer_free(&loginmsg); #ifndef NO_SSH_LASTLOG if (options.print_lastlog && s->last_login_time != 0) { Index: sshd.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshd.c,v retrieving revision 1.252 diff -u -r1.252 sshd.c --- sshd.c 3 Jul 2003 03:46:57 -0000 1.252 +++ sshd.c 5 Jul 2003 01:57:47 -0000 @@ -201,6 +201,9 @@ int use_privsep; struct monitor *pmonitor; +/* message to be displayed after login */ +Buffer loginmsg; + /* Prototypes for various functions defined later in this file. */ void destroy_sensitive_data(void); void demote_sensitive_data(void); @@ -1500,6 +1503,9 @@ #endif /* AFS */ packet_set_nonblocking(); + + /* prepare buffers to collect authentication messages */ + buffer_init(&loginmsg); if (use_privsep) if ((authctxt = privsep_preauth()) != NULL) Index: openbsd-compat/port-aix.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/openbsd-compat/port-aix.c,v retrieving revision 1.10 diff -u -r1.10 port-aix.c --- openbsd-compat/port-aix.c 3 Jun 2003 02:45:27 -0000 1.10 +++ openbsd-compat/port-aix.c 5 Jul 2003 01:35:21 -0000 
@@ -61,6 +61,28 @@ xfree(cp); } +#ifdef WITH_AIXAUTHENTICATE +/* + * Remove embedded newlines in string (if any). + * Used before logging messages returned by AIX authentication functions + * so the message is logged on one line. + */ +void +aix_remove_embedded_newlines(char *p) +{ + if (p == NULL) + return; + + for (; *p; p++) { + if (*p == '\n') + *p = ' '; + } + /* Remove trailing whitespace */ + if (*--p == ' ') + *p = '\0'; +} +#endif /* WITH_AIXAUTHENTICATE */ + # ifdef CUSTOM_FAILED_LOGIN /* * record_failed_login: generic "login failed" interface function Index: openbsd-compat/port-aix.h =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/openbsd-compat/port-aix.h,v retrieving revision 1.8 diff -u -r1.8 port-aix.h --- openbsd-compat/port-aix.h 2 May 2003 13:42:25 -0000 1.8 +++ openbsd-compat/port-aix.h 5 Jul 2003 01:30:18 -0000 @@ -42,4 +42,5 @@ #endif void aix_usrinfo(struct passwd *pw); +void aix_remove_embedded_newlines(char *); #endif /* _AIX */ From chergriffin_he at btopenworld.com Sun Jul 6 14:05:57 2003 From: chergriffin_he at btopenworld.com (Cher Griffin) Date: Sun, 06 Jul 2003 04:05:57 +0000 Subject: Fwd: broken link Message-ID: <3F07A025.7E593DC3@btopenworld.com> From alex at peuchert.de Sun Jul 6 18:17:20 2003
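Review bot: in the auth-passwd.c hunk both new debug3() calls print authmsg with %.100s without checking it, while the `if (authmsg != NULL) xfree(authmsg);` a few lines later shows the patch expects it can be NULL; on the failure path that is a NULL dereference in the format arguments on libcs that do not print "(null)". Substitute "" when authmsg is NULL, consistently with the free. The message from loginsuccess() is appended to loginmsg without passing through aix_remove_embedded_newlines(), unlike authmsg; if keeping its line breaks for display is intended, a comment saying so would help.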
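Review bot: in the auth.c hunk the msg returned by loginrestrictions() is appended to loginmsg and then never freed, so every restricted login attempt leaks it; the old code had the same leak, but this rewrite is the place to add `xfree(msg)` after the logit(). Note also that `buffer_append(&loginmsg, msg, strlen(msg))` runs before `aix_remove_embedded_newlines(msg)`, so the user sees the multi-line text while the log gets the flattened form; the ordering looks deliberate and deserves a comment so it is not "fixed" later.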
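Review bot: the session.c hunk calls buffer_free(&loginmsg) at the end of do_login(), but do_login() runs once per session and the same connection can open up to MAX_SESSIONS sessions (the define is visible in the earlier session.c hunk); a second do_login() would buffer_append() to a freed buffer. Use buffer_clear() here, or buffer_init() again after the free, and leave the final free to the process exit path.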
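Review bot: aix_remove_embedded_newlines() in the port-aix.c hunk guards against p == NULL but not against an empty string: with *p == '\0' the for loop never executes and `*--p` then reads, and possibly writes, the byte before the buffer. Add `if (*p == '\0') return;` after the NULL check, or only back up when at least one character was seen. The comment "Remove trailing whitespace" also overstates what the code does: it strips exactly one trailing space, the one just substituted for a trailing newline.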
From: alex at peuchert.de (Alex Peuchert) Date: Sun, 6 Jul 2003 10:17:20 +0200 Subject: Difference between executing a command and calling a subsystem? In-Reply-To: <20030628065931.GA27170@folly> Message-ID: Hi everybody, just a short question: What is the difference between executing a command on a remote machine and starting a subsystem via '-s'? And what are the advantages? Thanks for your time, -alex From djm at mindrot.org Sun Jul 6 19:00:53 2003 From: djm at mindrot.org (Damien Miller) Date: Sun, 06 Jul 2003 19:00:53 +1000 Subject: Difference between executing a command and calling a subsystem? In-Reply-To: References: Message-ID: <3F07E545.7080008@mindrot.org> Alex Peuchert wrote: > Hi everybody, > just a short question: > > What is the difference between executing a command on a remote machine and > starting a subsystem via '-s'? And what are the advantages? Subsystems must be pre-defined in sshd_config. They are intended more as a sub-protocol extension mechanism (e.g. sftp) than as a user-visible way to execute commands. As far as execution of commands goes, there is very little difference in terms of code executed between a defined subsystem and "ssh somehost command" -d From dan at doxpara.com Sun Jul 6 19:07:56 2003
From: dan at doxpara.com (Dan Kaminsky) Date: Sun, 06 Jul 2003 02:07:56 -0700 Subject: Difference between executing a command and calling a subsystem? In-Reply-To: <3F07E545.7080008@mindrot.org> References: <3F07E545.7080008@mindrot.org> Message-ID: <3F07E6EC.40506@doxpara.com> >Subsystems must be pre-defined in sshd_config. They are intended more as >a sub-protocol extension mechanism (e.g. sftp) than as a user-visible >way to execute commands. > >As far as execution of commands go, there is very little difference in >terms of code executed between a defined subsystem and "ssh somehost >command" > > Isn't their execution environment much more strictly defined, i.e. pathing issues aren't a problem like with scp, and it's fair game to specify _protocols_ rather than _implementations_? Is the user's shell still invoked to execute subsystems? --Dan From djm at mindrot.org Sun Jul 6 19:15:12 2003 
From: djm at mindrot.org (Damien Miller) Date: Sun, 06 Jul 2003 19:15:12 +1000 Subject: Difference between executing a command and calling a subsystem? In-Reply-To: <3F07E6EC.40506@doxpara.com> References: <3F07E545.7080008@mindrot.org> <3F07E6EC.40506@doxpara.com> Message-ID: <3F07E8A0.5050300@mindrot.org> Dan Kaminsky wrote: >>Subsystems must be pre-defined in sshd_config. They are intended more as >>a sub-protocol extension mechanism (e.g. sftp) than as a user-visible >>way to execute commands. >> >>As far as execution of commands go, there is very little difference in >>terms of code executed between a defined subsystem and "ssh somehost >>command" >> >> > Isn't their execution environment much more strictly defined, i.e. stderr isn't available and ~/.ssh/rc isn't sourced, but IIRC those are the only differences. > pathing issues aren't a problem like with scp, Only in that the SubSystem definition specifies a full path. > and it's fair game to > specify _protocols_ rather than _implementations_? The intent of subsystems is for use by protocols. So far the only two are sftp (draft-ietf-secsh-filexfer) and F-Secure's pubkey management protocol. > Is the user's shell still invoked to execute subsystems? Yes. e.g. rssh -d From markus at openbsd.org Sun Jul 6 20:33:30 2003 
From: markus at openbsd.org (Markus Friedl) Date: Sun, 6 Jul 2003 12:33:30 +0200 Subject: Difference between executing a command and calling a subsystem? In-Reply-To: <3F07E6EC.40506@doxpara.com> References: <3F07E545.7080008@mindrot.org> <3F07E6EC.40506@doxpara.com> Message-ID: <20030706103329.GA12463@folly> On Sun, Jul 06, 2003 at 02:07:56AM -0700, Dan Kaminsky wrote: > > >Subsystems must be pre-defined in sshd_config. They are intended more as > >a sub-protocol extension mechanism (e.g. sftp) than as a user-visible > >way to execute commands. > > > >As far as execution of commands go, there is very little difference in > >terms of code executed between a defined subsystem and "ssh somehost > >command" > > > > > Isn't their execution environment much more strictly defined, i.e. > pathing issues aren't a problem like with scp, and it's fair game to > specify _protocols_ rather than _implementations_? > > Is the user's shell still invoked to execute subsystems? it's not different from remote command execution. there's only one additional indirection, so the client does not have to worry about pathnames. From matthew at bytemark.co.uk Mon Jul 7 01:05:07 2003 
From: matthew at bytemark.co.uk (Matthew Bloch) Date: Sun, 6 Jul 2003 16:05:07 +0100 Subject: OpenSSH_3.6.1p2 (Gentoo Linux build) hangs on SSH2_MSG_SERVICE_ACCEPT Message-ID: <20030706150506.GE18652@geri.office.bytemark.co.uk> Hi there, One of our customers is experiencing a strange hang on their ssh server which I updated last night for him and rebuilt from the Gentoo port (this happened before and after the update). I can trigger it from a fresh boot by logging in once or twice as root with an RSA key, then trying to log in as a regular user, getting the password wrong, and reconnecting with the maintenance key. What I see from my laptop after the problem is triggered is this: mattbee at geri:~$ ssh -vvv -i .ssh/maintenance-key root at udder.vm OpenSSH_3.5p1 Debian 1:3.5p1-5, SSH protocols 1.5/2.0, OpenSSL 0x0090701f debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Applying options for * debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: needpriv 0 debug1: Connecting to udder.vm [212.13.199.209] port 22. debug1: Connection established. debug3: Not a RSA1 key file .ssh/maintenance-key.
debug2: key_type_from_name: unknown key type '-----BEGIN' debug3: key_read: no key found debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug2: key_type_from_name: unknown key type '-----END' debug3: key_read: no key found debug1: identity file .ssh/maintenance-key type -1 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2 debug1: match: OpenSSH_3.6.1p2 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.5p1 Debian 1:3.5p1-5 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: 
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 130/256 debug1: bits set: 1600/3191 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: check_host_in_hostfile: filename /home/mattbee/.ssh/known_hosts2 debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts2 debug3: check_host_in_hostfile: filename /home/mattbee/.ssh/known_hosts2 debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts2 debug3: check_host_in_hostfile: filename /home/mattbee/.ssh/known_hosts debug3: check_host_in_hostfile: match line 250 debug3: check_host_in_hostfile: filename /home/mattbee/.ssh/known_hosts debug3: check_host_in_hostfile: match line 249 debug1: Host 'udder.vm' is known and matches the RSA host key. debug1: Found key in /home/mattbee/.ssh/known_hosts:250 debug1: bits set: 1613/3191 debug1: ssh_rsa_verify: signature correct debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. 
debug1: send SSH2_MSG_SERVICE_REQUEST debug1: service_accept: ssh-userauth debug1: got SSH2_MSG_SERVICE_ACCEPT Any ideas what's going wrong here, or are there any better diagnostics I could supply to the list to help track this down? thanks, -- Matthew Bloch Bytemark Hosting tel. +44 (0) 8707 455026 http://www.bytemark-hosting.co.uk/ Dedicated Linux hosts from 15ukp ($26) per month From hadmut at danisch.de Mon Jul 7 01:59:45 2003 From: hadmut at danisch.de (Hadmut Danisch) Date: Sun, 6 Jul 2003 17:59:45 +0200 Subject: Known hosts and dynamic IP addresses Message-ID: <20030706155945.GA11827@danisch.de> Hi, it becomes more and more common to have machines with dynamically assigned IP addresses online (e.g. DSL), which can be found through dynamic DNS entries. Unfortunately, the "Known Hosts" mechanism doesn't work for these machines: Since the entry is made for the IP address, there's a new entry every time the address changes. Therefore, an option should be invented which allows storing the host key under the DNS name only. regards Hadmut From dan at doxpara.com Mon Jul 7 02:08:49 2003 From: dan at doxpara.com (Dan Kaminsky) Date: Sun, 06 Jul 2003 09:08:49 -0700 Subject: Known hosts and dynamic IP addresses In-Reply-To: <20030706155945.GA11827@danisch.de> References: <20030706155945.GA11827@danisch.de> Message-ID: <3F084991.8060403@doxpara.com> >Therefore, an option should be invented which allows to >store the host key under the DNS name only. > > Why are we storing IP addresses in known_hosts files anyway? It doesn't appear to be universal -- SSH2 only, perhaps? -- and as Hadmut points out, it's plainly wrong (IP != Identity, thus HostKeyAlias and the whole existence of cryptographic authentication). --Dan From dan at doxpara.com Mon Jul 7 04:00:58 2003
From: dan at doxpara.com (Dan Kaminsky) Date: Sun, 06 Jul 2003 11:00:58 -0700 Subject: OpenSSH_3.6.1p2 (Gentoo Linux build) hangs on SSH2_MSG_SERVICE_ACCEPT In-Reply-To: <20030706150506.GE18652@geri.office.bytemark.co.uk> References: <20030706150506.GE18652@geri.office.bytemark.co.uk> Message-ID: <3F0863DA.2010007@doxpara.com> >debug3: Not a RSA1 key file .ssh/maintenance-key. >debug2: key_type_from_name: unknown key type '-----BEGIN' > Try loading maintenance-key.pub instead. Unsure why the server would be locking up...maybe there's a firewall script banning you for failing to log in correctly? --Dan www.doxpara.com From binder at arago.de Mon Jul 7 04:32:41 2003 From: binder at arago.de (Thomas Binder) Date: Sun, 6 Jul 2003 20:32:41 +0200 Subject: [Bug 604] ld: fatal: Symbol referencing errors. No output written to ssh-add In-Reply-To: <20030706135402.42ABC27C18A@shitei.mindrot.org> References: <20030706135402.42ABC27C18A@shitei.mindrot.org> Message-ID: <20030706183241.GA4940852@ohm.arago.de> Hi! On Sun, Jul 06, 2003 at 11:54:02PM +1000, bugzilla-daemon at mindrot.org wrote: > http://bugzilla.mindrot.org/show_bug.cgi?id=604 > > ------- Additional Comments From dtucker at zip.com.au 2003-07-06 23:54 ------- > Try --with-ssl-dir rather than --with-dir-ssl: > > $ ./configure --help |grep ssl > --with-ssl-dir=PATH Specify path to OpenSSL installation I think this is a duplicate of #603 anyway - same reporter, same mistake in the configure options. Ciao Thomas From binder at arago.de Mon Jul 7 04:38:54 2003 
From: binder at arago.de (Thomas Binder) Date: Sun, 6 Jul 2003 20:38:54 +0200 Subject: Known hosts and dynamic IP addresses In-Reply-To: <20030706155945.GA11827@danisch.de> References: <20030706155945.GA11827@danisch.de> Message-ID: <20030706183854.GB4940852@ohm.arago.de> Hi! On Sun, Jul 06, 2003 at 05:59:45PM +0200, Hadmut Danisch wrote: > Unfortunately, the "Known Hosts" mechanism doesn't work for > these machines: Since the entry is made for the IP address, > there's a new entry every time the address changes. Try setting CheckHostIP no in ssh_config. Ciao Thomas From hadmut at danisch.de Mon Jul 7 04:47:33 2003 From: hadmut at danisch.de (Hadmut Danisch) Date: Sun, 6 Jul 2003 20:47:33 +0200 Subject: Known hosts and dynamic IP addresses In-Reply-To: <20030706183854.GB4940852@ohm.arago.de> References: <20030706155945.GA11827@danisch.de> <20030706183854.GB4940852@ohm.arago.de> Message-ID: <20030706184733.GA14059@danisch.de> On Sun, Jul 06, 2003 at 08:38:54PM +0200, Thomas Binder wrote: > > Try setting > > CheckHostIP no > > in ssh_config. > I urgently need to have the check performed, just with the dns name. regards Hadmut From dan at doxpara.com Mon Jul 7 05:04:51 2003 From: dan at doxpara.com (Dan Kaminsky) Date: Sun, 06 Jul 2003 12:04:51 -0700 Subject: Known hosts and dynamic IP addresses In-Reply-To: <20030706184733.GA14059@danisch.de> References: <20030706155945.GA11827@danisch.de> <20030706183854.GB4940852@ohm.arago.de> <20030706184733.GA14059@danisch.de> Message-ID: <3F0872D3.2020804@doxpara.com> >I urgently need to have the check performed, just with >the dns name. > > And indeed it shall. Absent a HostKeyAlias, known_hosts will name a key after the DNS name. So for example, ssh user at foo.com -o HostKeyAlias bar.com would check site foo for bar.com's key. Without the HostKeyAlias, foo.com's key will be checked -- regardless of its IP, if CheckHostIP is set to no. --Dan From binder at arago.de Mon Jul 7 05:05:07 2003
From: binder at arago.de (Thomas Binder) Date: Sun, 6 Jul 2003 21:05:07 +0200 Subject: Known hosts and dynamic IP addresses In-Reply-To: <20030706184733.GA14059@danisch.de> References: <20030706155945.GA11827@danisch.de> <20030706183854.GB4940852@ohm.arago.de> <20030706184733.GA14059@danisch.de> Message-ID: <20030706190507.GA4936416@ohm.arago.de> Hi! On Sun, Jul 06, 2003 at 08:47:33PM +0200, Hadmut Danisch wrote: > > CheckHostIP no > > I urgently need to have the check performed, just with > the dns name. And that's exactly what CheckHostIP no will do. It will prevent OpenSSH from checking and inserting the IP address into the known_hosts file, but it will of course not prevent hostkey checking altogether. Ciao Thomas From sianna_millardmk at email.cz Mon Jul 7 06:12:42 2003 From: sianna_millardmk at email.cz (Sianna Millard) Date: Sun, 06 Jul 2003 20:12:42 +0000 Subject: hey Message-ID: <247501c343fa$6a87b8f8$6c916643@xym0io1> hi From dtucker at zip.com.au Mon Jul 7 07:36:47 2003
From: dtucker at zip.com.au (Darren Tucker) Date: Mon, 07 Jul 2003 07:36:47 +1000 Subject: Known hosts and dynamic IP addresses References: <20030706155945.GA11827@danisch.de> <20030706183854.GB4940852@ohm.arago.de> <20030706184733.GA14059@danisch.de> Message-ID: <3F08966F.EA89BF73@zip.com.au> Hadmut Danisch wrote: > On Sun, Jul 06, 2003 at 08:38:54PM +0200, Thomas Binder wrote: > > CheckHostIP no > > I urgently need to have the check performed, just with > the dns name. That's what "CheckHostIP no" does. What happened when you tried it? $ man ssh_config [snip] CheckHostIP If this flag is set to ``yes'', ssh will additionally check the host IP address in the known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing. If the option is set to ``no'', the check will not be executed. The default is ``yes''. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From markus at openbsd.org Mon Jul 7 18:19:31 2003 
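The CheckHostIP behaviour the thread is arguing about, modelled in Python as an added example (not OpenSSH's code and not from any poster): the lookup goes by hostname, or by HostKeyAlias when one is set, and with CheckHostIP yes the client also consults and records a separate entry for the address, which is why a dynamic-IP host collects one line per address. The known_hosts lines and the KEY-A/KEY-B values are constructed sample data.

```python
"""Model of the known_hosts lookups an OpenSSH client performs with
CheckHostIP yes/no and an optional HostKeyAlias.  Added illustration of
the behaviour discussed in the thread; it is not OpenSSH's own code.
Hashed (|1|...) entries and key types other than a plain 3-field line
are not modelled."""

# Constructed sample file: a dynamic-IP host already seen at three
# addresses (one hostname entry plus two IP-only entries), and a static host.
SAMPLE_KNOWN_HOSTS = """\
# constructed sample, not a real known_hosts file
dyn.example.org,192.0.2.10 ssh-rsa KEY-A
192.0.2.11 ssh-rsa KEY-A
192.0.2.12 ssh-rsa KEY-A
static.example.org,198.51.100.5 ssh-rsa KEY-B
"""


def parse_known_hosts(text):
    """Parse known_hosts text into [names, keytype, key] records.

    names is the set of comma-separated hostnames/addresses on the line;
    blank lines and comments are skipped, malformed lines ignored.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        if len(fields) < 3:
            continue
        names, keytype, key = fields
        entries.append([set(names.split(",")), keytype, key])
    return entries


def keys_for(entries, name):
    """All (keytype, key) pairs recorded under a hostname or address."""
    return [(keytype, key) for names, keytype, key in entries if name in names]


def check_host_key(entries, hostname, ip, presented, check_host_ip=True,
                   host_key_alias=None):
    """Decide how the client treats the (keytype, key) pair `presented`.

    Returns one of:
      "new"         nothing recorded under the name: ssh would ask to add it
      "changed"     name is known with a different key: hard failure
      "ip-changed"  name matches, but the entry for the address holds another
                    key: the warning CheckHostIP exists to produce
      "ok"          accepted; with CheckHostIP yes a newly seen address is
                    appended as its own line, which is how a dynamic-IP host
                    grows the file by one entry per address
    """
    name = host_key_alias or hostname
    known = keys_for(entries, name)
    if not known:
        return "new"
    if presented not in known:
        return "changed"
    if check_host_ip:
        ip_known = keys_for(entries, ip)
        if ip_known and presented not in ip_known:
            return "ip-changed"
        if not ip_known:
            entries.append([{ip}, presented[0], presented[1]])
    return "ok"


def simulate_dynamic_host(check_host_ip):
    """Connect to dyn.example.org from three never-seen addresses.

    Returns (verdicts, number_of_entries_added).
    """
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    before = len(entries)
    verdicts = []
    for ip in ("192.0.2.13", "192.0.2.14", "192.0.2.15"):
        verdicts.append(check_host_key(entries, "dyn.example.org", ip,
                                       ("ssh-rsa", "KEY-A"), check_host_ip))
    return verdicts, len(entries) - before


if __name__ == "__main__":
    print("CheckHostIP yes:", simulate_dynamic_host(True))   # 3 lines added
    print("CheckHostIP no: ", simulate_dynamic_host(False))  # 0 lines added
```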
From: markus at openbsd.org (Markus Friedl) Date: Mon, 7 Jul 2003 10:19:31 +0200 Subject: Known hosts and dynamic IP addresses In-Reply-To: <20030706155945.GA11827@danisch.de> References: <20030706155945.GA11827@danisch.de> Message-ID: <20030707081931.GC15053@folly> checkhostip no On Sun, Jul 06, 2003 at 05:59:45PM +0200, Hadmut Danisch wrote: > Hi, > > it becomes more and more common to have machines with > dynamically assigned IP addresses online (e.g. DSL), which > can be found through dynamic DNS entries. > > Unfortunately, the "Known Hosts" mechanism doesn't work for > these machines: Since the entry is made for the IP address, > there's a new entry every time the address changes. > > > Therefore, an option should be invented which allows to > store the host key under the DNS name only. > > > regards > Hadmut > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From binder at arago.de Mon Jul 7 19:51:53 2003 From: binder at arago.de (Thomas Binder) Date: Mon, 7 Jul 2003 11:51:53 +0200 Subject: [Bug 603] configure: error: OpenSSL version header not found In-Reply-To: <20030707093420.7C22227C19A@shitei.mindrot.org> References: <20030707093420.7C22227C19A@shitei.mindrot.org> Message-ID: <20030707095152.GA5007628@ohm.arago.de> Hi! On Mon, Jul 07, 2003 at 07:34:20PM +1000, bugzilla-daemon at mindrot.org wrote: > ------- Additional Comments From dtucker at zip.com.au 2003-07-07 19:34 ------- > Please re-open if you can reproduce with --with-dir-ssl. Errm, --with-ssl-dir :) Ciao Thomas From code at pizzashack.org Tue Jul 8 08:13:31 2003 
From: code at pizzashack.org (Derek Martin) Date: Mon, 7 Jul 2003 18:13:31 -0400 Subject: [semi-OT] rssh FINAL RELEASE! Well, hopefully. Message-ID: <20030707221331.GE22402@sophic.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm pleased to announce that rssh now has per-user configurations! Today I released rssh v2.1.0 with that last piece of functionality to be added, bringing active development of rssh to a close. Additionally, I spent several hours testing and debugging this release as thoroughly as I could think to, and I'm pleased to report (tongue in cheek) that there are no bugs in v2.1.0 either! Seriously, I removed several long-standing buglets in the parser dealing with skipping whitespace, quoting, and similar. Also, fail() now correctly reports what options are allowed to the user running it. And maybe one or two other little things were fixed, plus documentation updates. As you probably know, rssh is a small shell which can be used to restrict users' access to a system running sshd via either scp, sftp, or both. Or, new in 2.1, neither. It's overkill for the job, but you can now configure rssh to lock out users entirely. And, also as of 2.1.0, you can configure all that on a per-user basis. rssh is designed to work with OpenSSH on Linux platforms, but also works on other POSIX.2-compliant OSes (it requires wordexp(), which is defined by POSIX.2), and probably also works with other sshd's. You can download the latest release here: http://www.pizzashack.org/rssh/downloads.shtml - -- Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0x81CFE75D -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE/CfCLdjdlQoHP510RAmMnAJ9vVmZ4IX8qDH7s5Shzt2+C8wXq0ACfWwp5 Wk4IWQzTA62+mur+J54VlJc= =N+Cb -----END PGP SIGNATURE----- From dtucker at zip.com.au Wed Jul 9 13:24:10 2003 
From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 09 Jul 2003 13:24:10 +1000 Subject: [PATCH] Add expired password handling for AIX. Message-ID: <3F0B8ADA.11C88D1A@zip.com.au> Hi All. Attached is a patch which adds AIX native password expiry support to sshd. It will only apply to -current and is a subset of the patch I have been working on in the last few months (see bug #14 [1]). It contains code by Pablo Sor, Mark Pitt and Zdenek Tlusty and fixes for bugs reported by many others (see [2] for a full list). It adds a do_tty_change_password function that execs /bin/passwd and the logic to detect when an AIX password is expired. Unlike the previous patches, it does not contain: * /etc/shadow expiry support. This is next. * HP-UX native expiry support. This can probably be added if there is sufficient interest. * PAM support. I have not investigated expiry in the new PAM code, consequently this patch tries hard not to touch the PAM code paths. * Calling loginsuccess() and printing "Last login at..." messages for non-password authentications. This is waiting on some kind of "get_login_messages" monitor functionality (see bug #463 [3]). Please review. I am looking for any comments on style or substance. -Daz. [1] http://bugzilla.mindrot.org/show_bug.cgi?id=14 [2] http://www.zip.com.au/~dtucker/openssh/ [3] http://bugzilla.mindrot.org/show_bug.cgi?id=463 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: acconfig.h =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/acconfig.h,v retrieving revision 1.158 diff -u -r1.158 acconfig.h --- acconfig.h 8 Jul 2003 10:52:13 -0000 1.158 +++ acconfig.h 8 Jul 2003 13:19:33 -0000 
@@ -53,6 +53,9 @@ /* from environment and PATH */ #undef LOGIN_PROGRAM_FALLBACK +/* Path to passwd program */ +#undef PASSWD_PROGRAM_PATH + /* Define if your password has a pw_class field */ #undef HAVE_PW_CLASS_IN_PASSWD Index: auth-passwd.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-passwd.c,v retrieving revision 1.56 diff -u -r1.56 auth-passwd.c --- auth-passwd.c 8 Jul 2003 12:59:59 -0000 1.56 +++ auth-passwd.c 9 Jul 2003 02:14:18 -0000 @@ -45,6 +45,8 @@ #include "buffer.h" #include "xmalloc.h" #include "canohost.h" +#include "misc.h" +#include "auth-options.h" #if !defined(HAVE_OSF_SIA) /* Don't need any of these headers for the SIA cases */ @@ -82,6 +84,7 @@ extern ServerOptions options; extern Buffer loginmsg; +int password_change_required = 0; /* * Tries to authenticate the user using password. Returns true if 
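Review bot: the new `+int password_change_required = 0;` in the auth-passwd.c hunk is reached from session.c only through a bare `extern int password_change_required;`, and flag_password_change_required() and do_tty_change_password() are called from auth.c and session.c without any prototype being added by the patch; declare the variable and all three new functions (including flag_password_change_successful()) in auth.h so the call sites are type-checked instead of relying on implicit declarations, which also gives the new PASSWD_PROGRAM_PATH define a documented consumer.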
@@ -248,4 +251,81 @@ /* Authentication is accepted if the encrypted passwords are identical. */ return (strcmp(encrypted_password, pw_password) == 0); #endif /* !HAVE_OSF_SIA */ +} + +/* + * Perform generic password change via tty. Like do_pam_chauthtok(), + * it throws a fatal error if the password can't be changed. + */ +int +do_tty_change_password(struct passwd *pw) +{ + pid_t pid; + int status; + mysig_t old_signal; + + old_signal = mysignal(SIGCHLD, SIG_DFL); + + if ((pid = fork()) == -1) + fatal("Couldn't fork: %s", strerror(errno)); + + if (pid == 0) { + permanently_set_uid(pw); + if (geteuid() == 0) + execl(PASSWD_PROGRAM_PATH, PASSWD_PROGRAM_PATH, + pw->pw_name, (char *)NULL); + else + execl(PASSWD_PROGRAM_PATH, PASSWD_PROGRAM_PATH, + (char *)NULL); + + /* NOTREACHED: execl shouldn't return */ + fatal("Couldn't exec %s", PASSWD_PROGRAM_PATH); + exit(1); + } + + if (waitpid(pid, &status, 0) == -1) + fatal("Couldn't wait for child: %s", strerror(errno)); + mysignal(SIGCHLD, old_signal); + + if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { + debug("%s password changed sucessfully", __func__); + flag_password_change_successful(); + return 1; + } else { + fatal("Failed to change password for %s, passwd returned %d", + pw->pw_name, status); + return 0; /* NOTREACHED */ + } +} + +/* + * flag that password change is necessary and disable all forwarding + */ +void +flag_password_change_required(void) +{ + debug3("disabling forwarding"); + password_change_required = 1; + + /* disallow other functionality for now */ + no_port_forwarding_flag |= 2; + no_agent_forwarding_flag |= 2; + no_x11_forwarding_flag |= 2; +} + +/* + * Flags that password change was successful. + * XXX: the password change is performed in the process that becomes the + * shell, but the flags must be reset in its parent and currently there is no + * way to notify the parent that the change was successful. 
+ */ +void +flag_password_change_successful(void) +{ + debug3("reenabling forwarding"); + + password_change_required = 0; + no_port_forwarding_flag &= ~2; + no_agent_forwarding_flag &= ~2; + no_x11_forwarding_flag &= ~2; } Index: auth.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v retrieving revision 1.74 diff -u -r1.74 auth.c --- auth.c 8 Jul 2003 12:59:59 -0000 1.74 +++ auth.c 9 Jul 2003 02:07:01 -0000 @@ -55,6 +55,7 @@ /* import */ extern ServerOptions options; extern Buffer loginmsg; +extern Buffer expiremsg; /* Debugging messages */ Buffer auth_debug; @@ -86,9 +87,10 @@ if (!pw || !pw->pw_name) return 0; +#define DAY (24L * 60 * 60) /* 1 day in seconds */ +#define WEEK (DAY * 7) /* 1 week in seconds */ #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \ defined(HAS_SHADOW_EXPIRE) -#define DAY (24L * 60 * 60) /* 1 day in seconds */ if (!options.use_pam && (spw = getspnam(pw->pw_name)) != NULL) { today = time(NULL) / DAY; debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" 
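Review bot: in do_tty_change_password() the child calls fatal() when execl() fails, and sshd's fatal() runs the registered cleanup handlers, so a failed exec in the forked child tears down state (pty, auth socket) that belongs to the still-running parent; log the error and `_exit(1)` instead, and drop the `exit(1)` after fatal(), which is dead. The failure branch also reports the raw wait status ("passwd returned %d") rather than WEXITSTATUS(status) or the terminating signal. The `|= 2` / `&= ~2` manipulation of the three forwarding flags needs a comment saying that bit 1 is left to whatever else sets those flags, and the XXX above flag_password_change_successful() means that after a successful change the session keeps port, agent and X11 forwarding disabled until the user reconnects; that is acceptable for a first cut, but state it in the commit message or manual page rather than only in a source comment.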
@@ -221,6 +223,65 @@ stat(_PATH_NOLOGIN, &st) == 0)) return 0; } + } + + /* + * Check AIX password expiry. Only check when running as root. + * Unpriv'ed users can't access /etc/security/passwd or + * /etc/security/user so passwdexpired will always fail. + */ + if (geteuid() == 0) { + char *msg, *user = pw->pw_name; + int result, maxage, result2, maxexpired; + struct userpw *upw; + + /* + * Check if password has been expired too long. In this case, + * passwdexpired still returns 1 but /bin/passwd will fail + * while still returning a successiful status, allowing the + * login. So, we deny these login attempts here. + */ + upw = getuserpw(user); + result = getuserattr(user, S_MAXEXPIRED, &maxexpired, SEC_INT); + result2 = getuserattr(user, S_MAXAGE, &maxage, SEC_INT); + if (upw != NULL && result == 0 && result2 == 0) { + time_t now, lastup = upw->upw_lastupdate; + + now = time(NULL); + debug3("%s lastupdate %lu maxage %d wks maxexpired %d" + "wks time now %d", __func__, lastup, maxage, + maxexpired, now); + + if (maxexpired != -1 && maxage != 0 && + lastup + ((maxage + maxexpired) * WEEK) <= now ){ + logit("User %.100s password expired too long", + user); + return 0; + } + } + + result = passwdexpired(user, &msg); + if (msg && *msg) { + buffer_append(&expiremsg, msg, strlen(msg)); + aix_remove_embedded_newlines(msg); + } + debug3("AIX/passwdexpired returned %d msg %.100s", result, msg); + + switch (result) { + case 0: /* success, password not expired */ + break; + case 1: /* expired, password change required */ + flag_password_change_required(); + break; + default: /* user can't change(2) or other error (-1) */ + logit("Password can't be changed for user %s: " + "%.100s", user, msg); + if (msg) + xfree(msg); + return 0; + } + if (msg) + xfree(msg); } #endif /* WITH_AIXAUTHENTICATE */ Index: configure.ac =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/configure.ac,v retrieving revision 
1.132 diff -u -r1.132 configure.ac --- configure.ac 8 Jul 2003 10:52:13 -0000 1.132 +++ configure.ac 8 Jul 2003 13:32:36 -0000 @@ -41,6 +41,13 @@ fi fi +AC_PATH_PROG(PASSWD_PROGRAM_PATH, passwd) +if test ! -z "$PASSWD_PROGRAM_PATH" ; then + AC_DEFINE_UNQUOTED(PASSWD_PROGRAM_PATH, "$PASSWD_PROGRAM_PATH") +else + AC_MSG_ERROR([*** passwd command not found - check config.log ***]) +fi + if test -z "$LD" ; then LD=$CC fi Index: session.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/session.c,v retrieving revision 1.241 diff -u -r1.241 session.c --- session.c 8 Jul 2003 12:59:59 -0000 1.241 +++ session.c 9 Jul 2003 02:02:53 -0000 @@ -95,7 +95,9 @@ extern u_int utmp_len; extern int startup_pipe; extern void destroy_sensitive_data(void); +extern int password_change_required; extern Buffer loginmsg; +extern Buffer expiremsg; /* original command from peer. */ const char *original_command = NULL; @@ -461,6 +463,9 @@ "TTY available"); } #endif /* USE_PAM */ + if (password_change_required) + packet_disconnect("Password change required but no " + "TTY available"); /* Fork the child. */ if ((pid = fork()) == 0) { @@ -726,6 +731,7 @@ socklen_t fromlen; struct sockaddr_storage from; struct passwd * pw = s->pw; + int password_changed = 0; pid_t pid = getpid(); /* @@ -758,6 +764,13 @@ print_pam_messages(); do_pam_chauthtok(); } +#else + buffer_append(&expiremsg, "\0", 1); + if (password_change_required) { + printf("%s\n", (char *)buffer_ptr(&expiremsg)); + fflush(stdout); + password_changed = do_tty_change_password(pw); + } #endif if (check_quietlogin(s, command)) 
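Review bot: in the AIX expiry block added to allowed_user() in auth.c (the `if (geteuid() == 0)` section), `char *msg` is never initialised and passwdexpired() is the only thing that sets it, yet the code tests `if (msg && *msg)` afterwards and calls xfree(msg) in the error cases; initialise it to NULL so a passwdexpired() failure that leaves its argument untouched does not dereference or free a stack garbage pointer. The debug3() format in the same block runs "%d" straight into "wks" (there is no space before the second "wks") and passes time_t values to %lu and %d; cast them to long and use %ld.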
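Review bot: the configure.ac hunk turns a missing passwd binary into a hard AC_MSG_ERROR on every platform, although PASSWD_PROGRAM_PATH is only consumed by do_tty_change_password(), which session.c calls only when password_change_required is set and which only the AIX block in auth.c sets; AC_PATH_PROG also records whatever passwd is first in the builder's PATH at configure time. Make the error conditional on the AIX case (or fall back to a fixed path) and give packagers a --with-passwd=PATH override.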
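Review bot: the do_login() hunk in session.c carries out the forced change only in the `#else` branch of `#ifdef USE_PAM`, but the auth.c code that sets password_change_required runs whenever WITH_AIXAUTHENTICATE is defined and sshd is root, regardless of USE_PAM or the UsePAM setting. A build with both PAM and AIX authentication that runs with UsePAM no therefore flags the expired password and disables forwarding, yet never execs passwd; replace the compile-time split with a runtime one, `if (options.use_pam) { ... } else if (password_change_required) { ... }`, so the check and the enforcement agree.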
@@ -766,6 +779,9 @@ #ifdef USE_PAM if (options.use_pam && !is_pam_password_change_required()) print_pam_messages(); +#else + if (!password_changed) + printf("%s\n", (char *)buffer_ptr(&expiremsg)); #endif /* USE_PAM */ /* display post-login message */ Index: sshd.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshd.c,v retrieving revision 1.253 diff -u -r1.253 sshd.c --- sshd.c 8 Jul 2003 12:59:59 -0000 1.253 +++ sshd.c 8 Jul 2003 13:44:46 -0000 @@ -203,6 +203,7 @@ /* message to be displayed after login */ Buffer loginmsg; +Buffer expiremsg; /* Prototypes for various functions defined later in this file. */ void destroy_sensitive_data(void); @@ -1506,6 +1507,7 @@ /* prepare buffers to collect authentication messages */ buffer_init(&loginmsg); + buffer_init(&expiremsg); if (use_privsep) if ((authctxt = privsep_preauth()) != NULL) From matthew at bytemark.co.uk Wed Jul 9 17:51:38 2003 
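Review bot: the post-login hunk in session.c prints `"%s\n"` of expiremsg whenever password_changed is 0, which is the normal case on every non-PAM build, so every login on every platform now gets an extra empty line (expiremsg holds only the NUL appended in do_login() unless the AIX check put something in it). Guard the printf on `buffer_len(&expiremsg) > 1`, or on password_change_required having been set, and keep it under WITH_AIXAUTHENTICATE; the sshd.c hunks that declare and buffer_init() expiremsg are fine as they are.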
From: matthew at bytemark.co.uk (Matthew Bloch) Date: Wed, 9 Jul 2003 08:51:38 +0100 Subject: OpenSSH_3.6.1p2 (Gentoo Linux build) hangs on SSH2_MSG_SERVICE_ACCEPT In-Reply-To: <3F0863DA.2010007@doxpara.com> References: <20030706150506.GE18652@geri.office.bytemark.co.uk> <3F0863DA.2010007@doxpara.com> Message-ID: <20030709075138.GD17201@geri.office.bytemark.co.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sun, Jul 06, 2003 at 11:00:58AM -0700, Dan Kaminsky wrote: > > >debug3: Not a RSA1 key file .ssh/maintenance-key. > >debug2: key_type_from_name: unknown key type '-----BEGIN' > > > Try loading maintenance-key.pub instead. > > Unsure why the server would be locking up...maybe there's a firewall > script banning you for failing to log in correctly? I suspect the problem was that the syslog daemon had failed to start on the machine; after fixing this problem I've not been able to reproduce this behaviour, though also I've not got any conclusive proof that /was/ the problem :) cheers, - -- Matthew Bloch Bytemark Hosting tel. +44 (0) 8707 455026 http://www.bytemark-hosting.co.uk/ Dedicated Linux hosts from 15ukp ($26) per month -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE/C8mKT2rVDg8aLXQRAvM1AJ9UXN4yPjNwTxJx/GbO7mN+ZlukdgCff1F1 2O5uCYARNHlTe8IEPwd8FaA= =/1Tk -----END PGP SIGNATURE----- From VikashB at ComparexAfrica.co.za Wed Jul 9 18:12:10 2003 
From: VikashB at ComparexAfrica.co.za (Vikash Badal - PCS) Date: Wed, 9 Jul 2003 10:12:10 +0200 Subject: OpenSSH 3.6.1p2 ON SCO 3.2v4.2 + STRICTMODES -->yes Message-ID: <501BF453CDCFD111A6E40080C83DAC040269669C@PSICS001> Greetings, I have compiled OpenSSH-3.6.1p2 on SCO 3.2v4.2 and the following problem occurs: I am unable to log in as root when StrictModes is set to yes. output of debug: Failed none for root from 192.168.1.1 port 1199 ssh2 debug1: userauth-request for user root service ssh-connection method publickey debug1: attempt 1 failures 1 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug1: trying public key file //.ssh/authorized_keys debug3: secure_filename: checking '/.ssh' debug3: secure_filename: checking '' Authentication refused: bad ownership or modes for directory debug1: trying public key file //.ssh/authorized_keys2 debug3: secure_filename: checking '/.ssh' debug3: secure_filename: checking '' Authentication refused: bad ownership or modes for directory It seems that the final check is searching for a non-existent directory; with OpenSSH 3.5p1 this problem does not exist. Please advise. Vikash From alexk at demon.net Thu Jul 10 07:44:48 2003 
From: alexk at demon.net (Alex Kiernan) Date: Wed, 09 Jul 2003 21:44:48 -0000 Subject: OpenSSH 3.6.1p2 ON SCO 3.2v4.2 + STRICTMODES -->yes In-Reply-To: <501BF453CDCFD111A6E40080C83DAC040269669C@PSICS001> References: <501BF453CDCFD111A6E40080C83DAC040269669C@PSICS001> Message-ID: <723chf7lub.fsf@alexk.eng.demon.net> Vikash Badal - PCS writes: > Greetings, > > I have compiled OpenSSH-3.6.1p2 on SCO 3.2v4.2 and > the following problem occurs: > > I am unable to log in as root when StrictModes is set to yes. > > output of debug: > > Failed none for root from 192.168.1.1 port 1199 ssh2 > debug1: userauth-request for user root service ssh-connection method > publickey > debug1: attempt 1 failures 1 > debug2: input_userauth_request: try method publickey > debug1: test whether pkalg/pkblob are acceptable > debug1: trying public key file //.ssh/authorized_keys > debug3: sec ure_filename: checking '/.ssh' > debug3: secure_filename: checking '' > Authentication refused: bad ownership or modes for directory > debug1: trying public key file //.ssh/authorized_keys2 > debug3: secure_filename: checking '/.ssh' > debug3: secure_filename: checking '' > Authentication refused: bad ownership or modes for directory > > It seems that the final check is searching for a non-existent directory; > with OpenSSH 3.5p1 this problem does not exist. > It's not detecting broken dirname/basename. ISTR I put a ticket into bugzilla for it (Solaris 2.5.1 is similarly busted), but I can't seem to reach bugzilla.mindrot.org at the moment. This was my workaround - it worked for Solaris 2.5.1, no idea about others. I don't believe this is the right fix though: --- configure.ac 2003/04/29 09:12:08 1.1.1.10 +++ configure.ac 2003/05/09 12:43:25 1.10 
@@ -389,7 +389,7 @@ # Checks for header files. AC_CHECK_HEADERS(bstring.h crypt.h endian.h floatingpoint.h \ - getopt.h glob.h ia.h lastlog.h libgen.h limits.h login.h \ + getopt.h glob.h ia.h lastlog.h limits.h login.h \ login_cap.h maillock.h netdb.h netgroup.h \ netinet/in_systm.h paths.h pty.h readpassphrase.h \ rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \ @@ -410,9 +410,6 @@ fi fi -AC_CHECK_FUNC(getspnam, , - AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen")) - AC_ARG_WITH(rpath, [ --without-rpath Disable auto-added -R linker paths], [ @@ -622,7 +619,6 @@ ) AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP)) -AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) dnl Make sure strsep prototype is defined before defining HAVE_STRSEP AC_CHECK_DECL(strsep, [AC_CHECK_FUNCS(strsep)]) @@ -663,6 +659,10 @@ fi ]) ]) + +AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) +AC_CHECK_FUNC(getspnam, , + AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen")) dnl Checks for time functions AC_CHECK_FUNCS(gettimeofday time) -- Alex Kiernan, Principal Engineer, Development, THUS plc From VikashB at ComparexAfrica.co.za Thu Jul 10 14:24:22 2003 From: VikashB at ComparexAfrica.co.za (Vikash Badal - PCS) Date: Thu, 10 Jul 2003 06:24:22 +0200 Subject: OpenSSH 3.6.1p2 ON SCO 3.2v4.2 + STRICTMODES -->yes Message-ID: <501BF453CDCFD111A6E40080C83DAC04026966A1@PSICS001> > -----Original Message----- 
> From: Paul L. Allen [mailto:paul.l.allen at boeing.com] > Sent: 09 July 2003 07:11 > To: Vikash Badal - PCS > Subject: Re: OpenSSH 3.6.1p2 ON SCO 3.2v4.2 + STRICTMODES -->yes > > > Vikash Badal - PCS wrote: > > Greetings, > > > > I have compiled OpenSSH-3.6.1p2 on SCO 3.2v4.2 and > > the following problem occurs: > > > > I am unable to log in as root when StrictModes is set to yes. > > > > output of debug: > > > > Failed none for root from 192.168.1.1 port 1199 ssh2 > > debug1: userauth-request for user root service ssh-connection method > > publickey > > debug1: attempt 1 failures 1 > > debug2: input_userauth_request: try method publickey > > debug1: test whether pkalg/pkblob are acceptable > > debug1: trying public key file //.ssh/authorized_keys > > debug3: secure_filename: checking '/.ssh' > > debug3: secure_filename: checking '' > > Authentication refused: bad ownership or modes for directory > > debug1: trying public key file //.ssh/authorized_keys2 > > debug3: secure_filename: checking '/.ssh' > > debug3: secure_filename: checking '' > > Authentication refused: bad ownership or modes for directory > > > > It seems that the final check is searching for a > non-existent directory; > > with OpenSSH 3.5p1 this problem does not exist. > > > > Please advise. > > The error you're getting is "bad ownership or modes". For > completeness, > you should say what the permissions are on root's /.ssh directory and > on the authorized_keys and authorized_keys2 files inside it. > > Paul Allen The permissions are: [root at sco]: / # ls -ld / /.ssh /.ssh/auth* drwxr-xr-x 19 root bin 672 Jul 09 09:23 / drwxr-xr-x 2 root other 272 Jul 08 10:20 /.ssh -rw------- 1 root other 2670 Jul 08 10:20 /.ssh/authorized_keys -rw------- 1 root other 4243 Jul 08 10:20 /.ssh/authorized_keys2 [root at sco]: / # As you can see these perms are okay. From VikashB at ComparexAfrica.co.za Thu Jul 10 14:35:10 2003 
From: VikashB at ComparexAfrica.co.za (Vikash Badal - PCS) Date: Thu, 10 Jul 2003 06:35:10 +0200 Subject: OpenSSH 3.6.1p2 +UnixWare 7.1.1 +SSH2 + PasswordAuthentication no + PermitEmptyPasswords yes Message-ID: <501BF453CDCFD111A6E40080C83DAC04026966A3@PSICS001> Greetings, I recently discovered a problem with OpenSSH 3.6.1p2 and UnixWare 7.1.1 (as well as OpenServer 5.0.X and SCO 3.2v4.2). When I set up sshd_config as follows: PasswordAuthentication no PermitEmptyPasswords yes and try to connect to a passwordless account (I know it's a F*up, but that's the application ID10Ts ....) I can get in using the SSH2 version without a valid key; the SSH1 is okay. Below is a fix I used, but I am not sure if this is okay. uw7: /usr/udd1/dev # diff -c original/openssh-3.6.1p2/auth2.c openssh-3.6.1p2> *** original/openssh-3.6.1p2/auth2.c Mon Feb 24 02:59:27 2003 --- openssh-3.6.1p2/auth2.c Tue Jul 8 08:08:05 2003 *************** *** 187,192 **** --- 187,204 ---- if (m != NULL) { debug2("input_userauth_request: try method %s", method); authenticated = m->userauth(authctxt); + if (strcmp(method, "none") == 0 && authenticated == 1 ) { + /* + * I'm not sure if this is okay, + * PasswordAuthentication no && PermitEmptyPasswords yes + * Now work only with a valid host key + * This problem is only with SSH2 though on Unixware 7.1.1, + * OpenServer 5.0.X and SCO 3.2v4.2. + * Linux (RedHat 7.X) is fine + */ + + authenticated = 0; + } } userauth_finish(authctxt, authenticated, method); uw7: /usr/udd1/dev # I have also tried 3.5p1 and the same situation exists. 
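Review bot: this hunk overrides the result of m->userauth() for the "none" method after that method has already said yes, which hides the defect instead of locating it: the question is why the "none" method returns 1 with PasswordAuthentication no on these platforms, i.e. what its empty-password check does there, and that is where a fix belongs. Because the override runs unconditionally before userauth_finish(), it also makes PermitEmptyPasswords yes unreachable over SSH2 on every platform, not only the affected ones, so it cannot go in as is. Two smaller points: the comment says "valid host key" where a user key is meant, and the debugging comment about which platforms are affected belongs in the commit message, not in auth2.c.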
OpenSSH was compiled as follows: gcc --> 2.95.2 perl --> 5.004_04 ./configure --sysconf=/etc/ssh OpenSSH has been configured with the following options: User binaries: /usr/local/bin System binaries: /usr/local/sbin Configuration files: /etc/ssh Askpass program: /usr/local/libexec/ssh-askpass Manual pages: /usr/local/man/manX PID file: /etc/ssh Privilege separation chroot path: /var/empty sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin Manpage format: man PAM support: no KerberosIV support: no KerberosV support: no Smartcard support: no AFS support: no S/KEY support: no TCP Wrappers support: no MD5 password support: no IP address in $DISPLAY hack: no Use IPv4 by default hack: no Translate v4 in v6 hack: no BSD Auth support: no Random number source: ssh-rand-helper ssh-rand-helper collects from: Command hashing (timeout 200) Host: i586-unknown-sysv5UnixWare7.1.1 Compiler: gcc Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/include Linker flags: -L/usr/local/ssl/lib -L/usr/local/lib Libraries: -lz -lsocket -lnsl -lgen -lcrypto Please advise. Vikash From tim at multitalents.net Thu Jul 10 15:29:55 2003 
From: tim at multitalents.net (Tim Rice) Date: Wed, 9 Jul 2003 22:29:55 -0700 (PDT) Subject: OpenSSH 3.6.1p2 +UnixWare 7.1.1 +SSH2 + PasswordAuthentication no + PermitEmptyPasswords yes In-Reply-To: <501BF453CDCFD111A6E40080C83DAC04026966A3@PSICS001> References: <501BF453CDCFD111A6E40080C83DAC04026966A3@PSICS001> Message-ID: I cannot duplicate this problem on my 7.1.1 box. I'm using the native compiler here. The machine has maintenance pack 3 loaded. Does yours? On Thu, 10 Jul 2003, Vikash Badal - PCS wrote: > > Greetings, > > I recently discovered a problem with OpenSSH 3.6.1p2 and UnixWare 7.1.1 > (as well as OpenServer 5.0.X and SCO 3.2v4.2) > > When I set up sshd_config as follows: > PasswordAuthentication no > PermitEmptyPasswords yes > > and try to connect to a passwordless account (I know it's a F*up, but > that's the application ID10Ts ....) I can get in using the SSH2 version > without a valid key; the SSH1 is okay. > > Below is a fix I used, but I am not sure if this is okay. [snip] -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From VikashB at ComparexAfrica.co.za Thu Jul 10 16:00:52 2003 From: VikashB at ComparexAfrica.co.za (Vikash Badal - PCS) Date: Thu, 10 Jul 2003 08:00:52 +0200 Subject: OpenSSH 3.6.1p2 ON SCO 3.2v4.2 + STRICTMODES -->yes Message-ID: <501BF453CDCFD111A6E40080C83DAC04026966A7@PSICS001> Greetings, > -----Original Message----- > From: Paul L. Allen [mailto:paul.l.allen at boeing.com] > Sent: 10 July 2003 07:50 > To: Vikash Badal - PCS > Subject: Re: OpenSSH 3.6.1p2 ON SCO 3.2v4.2 + STRICTMODES -->yes > > > Vikash Badal - PCS wrote: > > > > > > > -----Original Message----- 
> > > From: Paul L. Allen [mailto:paul.l.allen at boeing.com] > > [...] > > > The error you're getting is "bad ownership or modes". For > > > completeness, > > > you should say what the permissions are on root's /.ssh > directory and > > > on the authorized_keys and authorized_keys2 files inside it. > > > > > > Paul Allen > > The permissions are : > > [root at sco]: / # ls -ld / /.ssh /.ssh/auth* > > drwxr-xr-x 19 root bin 672 Jul 09 09:23 / > > drwxr-xr-x 2 root other 272 Jul 08 10:20 /.ssh > > -rw------- 1 root other 2670 Jul 08 10:20 > /.ssh/authorized_keys > > -rw------- 1 root other 4243 Jul 08 10:20 > > /.ssh/authorized_keys2 > > [root at sco]: / # > > > > As you can see these perms are okay. > > I'm pretty sure it wants the directory to be secure as well. Try > setting /.ssh to 0700 and see if it helps. If it doesn't, you may > have a bug. > > Good luck! > > Paul Tried setting /.ssh to 700 still no success: debug1: trying public key file //.ssh/authorized_keys2 debug3: secure_filename: checking '/.ssh' debug3: secure_filename: checking '' Authentication refused: bad ownership or modes for directory debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss Failed publickey for root from 192.168.1.1 port 1119 ssh2 debug1: userauth-request for user root service ssh-connection method keyboard-interactive debug1: attempt 2 failures 2 debug2: input_userauth_request: try method keyboard-interactive debug1: keyboard-interactive devs debug1: auth2_challenge: user=root devs= debug1: kbdint_alloc: devices '' debug2: auth2_challenge_start: devices Failed keyboard-interactive for root from 192.168.1.1 port 1119 ssh2 Connection closed by 192.168.1.1 debug1: Calling cleanup 0x24104(0x0) [root at sco]: /usr/home/dev/openssh-3.6.1p2 # ls -ld / /.ssh /.ssh/auth* drwxr-xr-x 19 root bin 672 Jul 09 09:23 / drwx------ 2 root other 272 Jul 08 10:20 /.ssh -rw------- 1 root other 2670 Jul 08 10:20 /.ssh/authorized_keys -rw------- 1 root other 4243 Jul 08 10:20 /.ssh/authorized_keys2 
[root at sco]: /usr/home/dev/openssh-3.6.1p2 # The line "debug3: secure_filename: checking ''" seems to be the problem. It's checking for a non-existent file. On Unixware 7.1.1 and Openserver, that line is ==>debug3: secure_filename: checking '/'<== Vikash From VikashB at ComparexAfrica.co.za Thu Jul 10 19:41:08 2003 From: VikashB at ComparexAfrica.co.za (Vikash Badal - PCS) Date: Thu, 10 Jul 2003 11:41:08 +0200 Subject: OpenSSH 3.6.1p2 +UnixWare 7.1.1 +SSH2 + PasswordAuthentication no + PermitEmptyPasswords yes Message-ID: <501BF453CDCFD111A6E40080C83DAC04026966AE@PSICS001> Greetings, > -----Original Message----- > From: Vikash Badal - PCS > Sent: 10 July 2003 07:36 > To: 'Tim Rice' > Subject: RE: OpenSSH 3.6.1p2 +UnixWare 7.1.1 +SSH2 + > PasswordAuthentication no + PermitEmptyPasswords yes > > > Greetings, > > Using gcc (2.95.2) + maintenance pack 2 > > Will try maintenance pack 3 and recompile > > Thanks. > > > -----Original Message----- > > From: Tim Rice [mailto:tim at multitalents.net] > > Sent: 10 July 2003 07:30 > > To: Vikash Badal - PCS > > Cc: 'openssh-unix-dev at mindrot.org' > > Subject: Re: OpenSSH 3.6.1p2 +UnixWare 7.1.1 +SSH2 + > > PasswordAuthentication no + PermitEmptyPasswords yes > > > > > > > > I cannot duplicate this problem on my 7.1.1 box. > > I'm using the native compiler here. > > The machine has maintenance pack 3 loaded. Does yours? > > > > On Thu, 10 Jul 2003, Vikash Badal - PCS wrote: > > > Installed maintenance pack 3. Recompiled openssl (0.9.7b) and openssh using native compiler and gcc. Still the same problem. Please advise. From johnpc at xs4all.nl Thu Jul 10 20:20:18 2003 
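Added example for the StrictModes thread above (editor's code, not OpenSSH's): a model of the parent-directory walk behind the "secure_filename: checking ..." debug lines. The stat() results are constructed from the ls -ld output in the thread; the file and each directory up to the home directory must be owned by root or the user and must not be group- or world-writable, and the walk stops when it reaches the home directory or "/". It assumes, as the '' in the debug output suggests, that the broken libgen dirname() on these systems returns "" for "/.ssh" instead of "/", so the walk never reaches the stop condition and stat fails on an empty path.

```python
import posixpath

# Constructed stat() results keyed by path: (owner uid, mode). The root
# entries follow the ls -ld output in the thread (assumption: uid 0 owns
# them; group names do not enter into the check).
ROOT_FS = {
    "/": (0, 0o755),
    "/.ssh": (0, 0o700),
    "/.ssh/authorized_keys": (0, 0o600),
}

# A hypothetical non-root user whose ~/.ssh is group-writable.
USER_FS = {
    "/": (0, 0o755),
    "/home": (0, 0o755),
    "/home/vikash": (1001, 0o755),
    "/home/vikash/.ssh": (1001, 0o775),
    "/home/vikash/.ssh/authorized_keys": (1001, 0o600),
}


def broken_dirname(path):
    """Model of the dirname() the thread blames: it cuts from the last '/'
    onwards, so dirname("/.ssh") is "" instead of "/" (assumption inferred
    from the "checking ''" debug line)."""
    i = path.rfind("/")
    return path[:i] if i >= 0 else "."


def owner_and_mode_ok(st, uid):
    """sshd's rule: owned by root or the user, not group/world writable."""
    owner, mode = st
    return owner in (0, uid) and (mode & 0o022) == 0


def secure_filename(path, home, uid, fs, dirname=posixpath.dirname):
    """Walk as OpenSSH's secure_filename() does: check the file, then each
    parent directory up to the home directory (or "/"), stopping at the
    first failure. Returns (ok, message, directories checked in order)."""
    checked = []
    st = fs.get(path)
    if st is None or not owner_and_mode_ok(st, uid):
        return False, "bad ownership or modes for file %s" % path, checked
    buf = path
    while True:
        buf = dirname(buf)
        checked.append(buf)
        st = fs.get(buf)           # "" is never a real path, so stat fails on it
        if st is None or not owner_and_mode_ok(st, uid):
            return False, "bad ownership or modes for directory %s" % buf, checked
        if buf == home or buf in ("/", "."):
            return True, "", checked


if __name__ == "__main__":
    print(secure_filename("/.ssh/authorized_keys", "/", 0, ROOT_FS))
    print(secure_filename("/.ssh/authorized_keys", "/", 0, ROOT_FS,
                          dirname=broken_dirname))
```

With a correct dirname() the root case checks "/.ssh" and then "/", which is root's home directory, and succeeds with exactly the permissions shown in the thread; with the broken one the second step is "" and the refusal is the same message a genuinely bad directory would produce, which is why the permissions looked fine yet the login failed. The non-root case shows the check doing its real job: a 775 ~/.ssh is refused until it is tightened to 700.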
From: johnpc at xs4all.nl (Jan Pieter Cornet) Date: Thu, 10 Jul 2003 12:20:18 +0200 Subject: sshd also talking HTTP Message-ID: <20030710102018.GK81904@xs4all.nl> (I'm not subscribed to the list, please Cc me on replies). We have configured sshd to listen on port 80 for some of our users who are behind sufficiently paranoid firewalls. However, others are now confused since they're expecting a web server on port 80. So, I created a small patch (just as proof-of-concept so far), that determines the type of client connecting. A web client will start talking itself (GET, HEAD, etc...), while an ssh client will wait for the server to issue the greeting banner. So, the patch simply waits 1 second (should be configurable) when someone connects to port 80 (should also be configurable), and if any data is available by then, it decides it's an HTTP client, not an SSH client, and sends a proper redirect. The patch is attached (or in case the attachment gets stripped, also here: http://www.xs4all.nl/~johnpc/dirty-sshd-hack.txt ) Could a cleaned up version of this patch be useful for inclusion in future versions of Opensshd? Note that it is specifically _not_ the idea to put a full-blown HTTP server inside sshd, only enough to redirect to another URL (which should of course be configurable). Another way to solve the same problem would be to run sshd in "inetd" mode, behind a simple wrapper script that does the HTTP detection and redirection. However, that has the inherent disadvantages of the inetd mode (like wasting entropy). I'm willing to invest some time in making the patch suitable, if it is decided that it could be useful. 
-- #!perl -pl # This kenny-filter is virus-free as long as you don't copy it $p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+ $_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):('m',p,f)[map{((ord$&)%32-1)/$_%3}(9, 3,1)]),5,1)='`'lt$&;$f.eig; # Jan-Pieter Cornet -------------- next part -------------- --- sshd.c.orig Mon Mar 10 01:38:10 2003 +++ sshd.c Wed May 14 02:47:07 2003 @@ -52,6 +52,11 @@ #include #include #endif +#ifdef DOUBLE_AS_HTTPD +#include +#include +#include +#endif #include "ssh.h" #include "ssh1.h" 
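Review bot: the three `#include` lines added under DOUBLE_AS_HTTPD carry no header names in this copy of the patch, and nothing in the patch defines DOUBLE_AS_HTTPD, so as posted the block cannot be built; list the headers the new code needs (it uses select(), getsockname(), struct sockaddr_in, ntohs(), fdopen() and alarm()) and tie the feature to a configure option or an sshd_config setting rather than a bare compile-time macro, so the port it triggers on and the redirect target can be configured as the cover note already says they should be.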
@@ -483,6 +488,152 @@ } } +#ifdef DOUBLE_AS_HTTPD +static void sshd_act_like_an_httpd(int sock_in, int sock_out); +static void sshd_httpd_timeout(int sig); + +/* intercept httpd */ +static void +sshd_intercept_possible_httpd(int sock_in, int sock_out) +{ + struct sockaddr local; + int local_len; + fd_set readfds; + struct timeval onesec; + + local_len = sizeof(local); + if ( getsockname(sock_in, &local, &local_len) != 0 ) { + log("HTTPD HACK: getsockname failed: %.100s", + strerror(errno)); + return; + } + if ( local.sa_family != AF_INET ) { + log("HTTPD HACK: strange sock_in.sa_family: %d", + local.sa_family); + return; + } + if ( ntohs(((struct sockaddr_in*) &local)->sin_port) != 80 ) { + /* XXX this logging should be removed */ + log("HTTPD HACK: incoming port not 80 but %d", + ntohs(((struct sockaddr_in*) &local)->sin_port)); + return; + } + + /* wait 1 second for a valid http request coming in */ + FD_ZERO(&readfds); + FD_SET(sock_in, &readfds); + onesec.tv_sec = 1; + onesec.tv_usec = 0; + if ( ! select(sock_in + 1, &readfds, NULL, NULL, &onesec) ) { + log("HTTPD HACK: nothing incoming for 1 second"); + return; + } + if ( ! FD_ISSET(sock_in, &readfds) ) { + log("HTTPD HACK: hm, sock_in not readable"); + return; + } + + /* + * Something is in the buffer right now. This is not an ssh client. + * so from here on, we will never return to the real program, + * and assume it is an HTTP request. + */ + + sshd_act_like_an_httpd(sock_in, sock_out); + exit(0); +} + +static void +sshd_act_like_an_httpd(int sock_in, int sock_out) +{ + FILE* in; + char httpreq[1024]; + char hdrline[1024]; + char outbuf[4096]; + char* p; + char* url; + + /* setup an alarm call to abort playing HTTPD reasonably soon. */ + signal(SIGALRM, sshd_httpd_timeout); + if (!debug_flag) + alarm(60); + + if ( !(in = fdopen(sock_in, "r+")) ) { + log("HTTPD HACK: fdopen failed: %.100s", strerror(errno)); + return; + } + + /* read in the first line of the request */ + if ( ! 
fgets(httpreq, sizeof(httpreq), in) ) { + log("HTTPD HACK: fgets failed on first line: %.100s", + strerror(errno)); + return; + } + + /* must be a GET request... for NOW. Support more */ + if ( strncmp(httpreq, "GET ", 4) ) { + log("HTTPD HACK: no GET request, but a %.100s", httpreq); + return; + } + url = httpreq + 4; + + if ( !(p = strchr(url, ' ')) ) { + log("HTTPD HACK: HTTP/0.9 request: %.100s", httpreq); + return; + } + + *p++ = '\0'; + /* must be a HTTP/1.x request */ + if ( strncmp(p, "HTTP/1.", 7) ) { + log("HTTPD HACK: Not a HTTP/1.x request but %.100s", p); + return; + } + + log("HTTPD HACK: faking a request for GET %.100s", url); + + /* read (and ignore) the subsequent header */ + strcpy(hdrline, "foo"); + while ( strlen(hdrline) > 0 ) { + if ( ! fgets(hdrline, sizeof(hdrline), in) ) { + log("HTTPD HACK: fgets failed on header: %.100s", + strerror(errno)); + return; + } + /* strip CR+LF */ + if ( (p = strchr(hdrline, '\r')) != NULL ) + *p = '\0'; + if ( (p = strchr(hdrline, '\n')) != NULL ) + *p = '\0'; + log("HTTPD HACK: ignoring header %.100s", hdrline); + } + + /* output the redirect. To a fixed site for proof of concept. */ + snprintf(outbuf, sizeof(outbuf), "\ +HTTP/1.0 301 Don't be so lazy and type that www\r\n\ +Server: sshd %.100s\r\n\ +Location: http://www.xs4all.nl%s\r\n\ +Connection: close\r\n\ +Content-Type: text/plain\r\n\ +\r\n\ +Don't be so lazy, and simply type www.xs4all.nl instead of just xs4all.nl\r\n\ +", + SSH_VERSION, + url + ); + write(sock_out, &outbuf, strlen(outbuf)); + return; +} + +static void +sshd_httpd_timeout(int sig) +{ + /* Log error and exit. */ + fatal("Timeout in acting like HTTPD for connection from %s", + get_remote_ipaddr()); +} + +#endif + /* Destroy the host and server keys. They will no longer be needed. */ void destroy_sensitive_data(void) 
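Review bot: `sshd_intercept_possible_httpd` reads the local address into a plain `struct sockaddr` with an `int` length, which is too small for an IPv6 `sockaddr_in6`; on an IPv6 listener `getsockname` truncates and the `sa_family != AF_INET` branch silently disables the feature, so use `struct sockaddr_storage` and `socklen_t`. Three more points in the same function pair: `if ( ! select(...) )` treats only 0 as a timeout, so a -1 return (EINTR, for instance) falls through to `FD_ISSET` on an undefined set, and the error case should be tested with `< 0`; `sshd_httpd_timeout` calls `fatal()` (syslog plus cleanup) from a SIGALRM handler, none of which is async-signal-safe, so set a flag or `_exit()` there instead; and the client-supplied path is copied into `Location: http://www.xs4all.nl%s` unchecked, so anything the client puts between `GET ` and the first space, including a bare `\r` (which `fgets` does not stop at), lands in the response header, and the path should be required to start with `/` and be free of control characters before it is echoed. Also note that the one-second `select` wait is paid by every connection to the port-80 listener, real SSH clients included, and `write(sock_out, &outbuf, strlen(outbuf))` should pass `outbuf` and check its return value.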
@@ -1457,6 +1608,14 @@ /* Log the connection. */ verbose("Connection from %.500s port %d", remote_ip, remote_port); + +#ifdef DOUBLE_AS_HTTPD + /* + * Wait a few instants to see if an HTTP request comes in, + * then handle that. This is only done for port 80. + */ + sshd_intercept_possible_httpd(sock_in, sock_out); +#endif /* * We don\'t want to listen forever unless the other side

From VikashB at ComparexAfrica.co.za Thu Jul 10 21:09:11 2003
From: VikashB at ComparexAfrica.co.za (Vikash Badal - PCS)
Date: Thu, 10 Jul 2003 13:09:11 +0200
Subject: OpenSSH 3.6.1p2 +UnixWare 7.1.1 +SSH2 + PasswordAuthentication no + PermitEmptyPasswords yes (followup)
Message-ID: <501BF453CDCFD111A6E40080C83DAC04026966AF@PSICS001>

Greetings,

Problem : Openssh3.6.1p2 on UnixWare 7.1.1 allows access to passwordless
account without a valid key when sshd_config has PasswordAuthentication no
+ PermitEmptyPasswords yes

Attempts:
Installed maintenance pack3 and recompiled both OpenSSH and OpenSSL (0.9.7b)
with native c compiler.

Recompiled both OpenSSH and OpenSSL (0.9.7b) with gcc (2.95.2).

Still the same problem.

Looking at auth2.c line 185-190:
authenticated = m->userauth(authctxt);
sets authenticate to 1 when PermitEmptyPasswords ==> yes

I found only one reference to userauth()
in sshconnect2.c (line 279)

I do not understand the code m->userauth(authctxt);

Please assist.

Vikash

From djm at mindrot.org Thu Jul 10 22:24:11 2003
From: djm at mindrot.org (Damien Miller)
Date: Thu, 10 Jul 2003 22:24:11 +1000
Subject: sshd also talking HTTP
In-Reply-To: <20030710102018.GK81904@xs4all.nl>
References: <20030710102018.GK81904@xs4all.nl>
Message-ID: <3F0D5AEB.1090108@mindrot.org>

Jan Pieter Cornet wrote:
> (I'm not subscribed to the list, please Cc me on replies).
>
> We have configured sshd to listen on port 80 for some of our users who
> are behind sufficiently paranoid firewalls. However, others are now
> confused since they're expecting a web server on port 80.
>
> So, I created a small patch (just as proof-of-concept so far), that
> determines the type of client connecting. A web client will start talking
> itself (GET, HEAD, etc...), while an ssh client will wait for the server
> to issue the greeting banner.
>
> So, the patch simply waits 1 second (should be configurable) when someone
> connects to port 80 (should also be configurable), and if any data is
> available by then, it decides it's an HTTP client, not an SSH client,
> and sends a proper redirect.
>
> The patch is attached (or in case the attachment gets stripped, also here:
> http://www.xs4all.nl/~johnpc/dirty-sshd-hack.txt )
>
> Could a cleaned up version of this patch be useful for inclusion in future
> versions of Opensshd?

Never.

Apart from the fact that it could be trivially implemented using a
wrapper program outside ssh, it is an utterly terrible idea.

What next? Make sshd understand SMTP headers too?

-d

From war at lucidpixels.com Thu Jul 10 22:36:22 2003
From: war at lucidpixels.com (war)
Date: Thu, 10 Jul 2003 08:36:22 -0400 (EDT)
Subject: XTerm & OpenSSH question w/ freezing.
Message-ID:

Sometimes when I use openssh (latest) and do find . or ls -lR /dev or
similar, my xterm 'freezes up', there is no way to fix it but to kill the
xterm usually.

This NEVER occurs in telnet.
The error is completely reproducible when you come across it.
ie: one may just be browsing the filesystem and when you come across this
problem, you can launch another xterm and the EXACT same thing happens
when you try to do it again

Bug reports on similar issues seem to be sparse and people I know never
seem to have the problem, perhaps they use ssh from a windows machine.

I was wondering what causes this, and is there a way to fix it?

From dtucker at zip.com.au Thu Jul 10 23:19:28 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 10 Jul 2003 23:19:28 +1000
Subject: XTerm & OpenSSH question w/ freezing.
References:
Message-ID: <3F0D67E0.688BE267@zip.com.au>

war wrote:
> Sometimes when I use openssh (latest) and do find . or ls -lR /dev or
> similar, my xterm 'freezes up', there is no way to fix it but to kill the
> xterm usually.

Let me guess, you have firewalling/packet filter/NAT and the client and
server are on different subnets? It's most likely an MTU problem, see
[1].

Who looks after the OpenSSH FAQ? I submitted this but never heard
anything.

[1] http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102413585608801

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From war at lucidpixels.com Thu Jul 10 23:21:09 2003
From: war at lucidpixels.com (war)
Date: Thu, 10 Jul 2003 09:21:09 -0400 (EDT)
Subject: XTerm & OpenSSH question w/ freezing.
In-Reply-To: <3F0D67E0.688BE267@zip.com.au>
References: <3F0D67E0.688BE267@zip.com.au>
Message-ID:

> Let me guess, you have firewalling/packet filter/NAT and the client and
> server are on different subnets? It's most likely an MTU problem, see
> [1].

Usually yes, but this also occurs on a 100mbps switched lan with no packet
filtering in place.

On Thu, 10 Jul 2003, Darren Tucker wrote:

> war wrote:
> > Sometimes when I use openssh (latest) and do find . or ls -lR /dev or
> > similar, my xterm 'freezes up', there is no way to fix it but to kill the
> > xterm usually.
>
> Let me guess, you have firewalling/packet filter/NAT and the client and
> server are on different subnets? It's most likely an MTU problem, see
> [1].
>
> Who looks after the OpenSSH FAQ? I submitted this but never heard
> anything.
>
> [1] http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102413585608801
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>

From dtucker at zip.com.au Thu Jul 10 23:34:02 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 10 Jul 2003 23:34:02 +1000
Subject: XTerm & OpenSSH question w/ freezing.
References: <3F0D67E0.688BE267@zip.com.au>
Message-ID: <3F0D6B4A.3E109CA8@zip.com.au>

war wrote:
> > Let me guess, you have firewalling/packet filter/NAT and the client and
> > server are on different subnets? It's most likely an MTU problem, see
> > [1].
>
> Usually yes, but this also occurs on a 100mbps switched lan with no packet
> filtering in place.

Well, you're going to have to give us more info.

Server/client OS/version? Network topology? 802.1q? OpenSSH at both
ends?

Try running "netstat -n" at both ends when the connection has hung and
check the SendQ and RecvQ columns for the ssh connection.

(xfree removed from cc: list)

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From mouring at etoh.eviladmin.org Thu Jul 10 23:32:05 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 10 Jul 2003 08:32:05 -0500 (CDT)
Subject: OpenSSH 3.6.1p2 +UnixWare 7.1.1 +SSH2 + PasswordAuthentication no + PermitEmptyPasswords yes (followup)
In-Reply-To: <501BF453CDCFD111A6E40080C83DAC04026966AF@PSICS001>
Message-ID:

Would be nice for a complete sshd -d -d -d output. I've tracked back
through the code and I don't see how a single platform could have a
problem with it unless the problem is in auth_password(). Which is an
utter mess and nearly untrackable.

- Ben

On Thu, 10 Jul 2003, Vikash Badal - PCS wrote:

> Greetings,
>
> Problem : Openssh3.6.1p2 on UnixWare 7.1.1 allows access to passwordless
> account without a valid key when sshd_config has PasswordAuthentication no
> + PermitEmptyPasswords yes
>
> Attempts:
> Installed maintenance pack3 and recompiled both OpenSSH and OpenSSL (0.9.7b)
> with native c compiler.
>
> Recompiled both OpenSSH and OpenSSL (0.9.7b) with gcc (2.95.2).
>
> Still the same problem.
>
> Looking at auth2.c line 185-190:
> authenticated = m->userauth(authctxt);
> sets authenticate to 1 when PermitEmptyPasswords ==> yes
>
> I found only one reference to userauth()
> in sshconnect2.c (line 279)
>
> I do not understand the code m->userauth(authctxt);
>
> Please assist.
>
> Vikash
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From war at lucidpixels.com Thu Jul 10 23:36:56 2003
From: war at lucidpixels.com (war)
Date: Thu, 10 Jul 2003 09:36:56 -0400 (EDT)
Subject: XTerm & OpenSSH question w/ freezing.
In-Reply-To: <3F0D6B4A.3E109CA8@zip.com.au>
References: <3F0D67E0.688BE267@zip.com.au> <3F0D6B4A.3E109CA8@zip.com.au>
Message-ID:

XFree86 4.3.0 On Both Machines
Kernel 2.4.21 On Both Machines
Slackware Linux 8.0 On Both Machines (although occurs on other dists too)
OpenSSH 3.6p2 On Both Machines

eth0: negotiated 100baseTx-FD, link ok
eth0: negotiated 100baseTx-FD, link ok

on both machines

next time it freezes I will check with netstat.

On Thu, 10 Jul 2003, Darren Tucker wrote:

> war wrote:
> > > Let me guess, you have firewalling/packet filter/NAT and the client and
> > > server are on different subnets? It's most likely an MTU problem, see
> > > [1].
> >
> > Usually yes, but this also occurs on a 100mbps switched lan with no packet
> > filtering in place.
>
> Well, you're going to have to give us more info.
>
> Server/client OS/version? Network topology? 802.1q? OpenSSH at both
> ends?
>
> Try running "netstat -n" at both ends when the connection has hung and
> check the SendQ and RecvQ columns for the ssh connection.
>
> (xfree removed from cc: list)
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>

From dickey at herndon4.his.com Fri Jul 11 00:24:46 2003
From: dickey at herndon4.his.com (Thomas E. Dickey)
Date: Thu, 10 Jul 2003 10:24:46 -0400 (EDT)
Subject: XTerm & OpenSSH question w/ freezing.
In-Reply-To:
References:
Message-ID: <20030710102408.P82064@vhost101.his.com>

On Thu, 10 Jul 2003, war wrote:

> Sometimes when I use openssh (latest) and do find . or ls -lR /dev or
> similar, my xterm 'freezes up', there is no way to fix it but to kill the
> xterm usually.

what version of xterm?
The only issue that comes to mind is the fix for blinking cursor a few
months ago.

>
> This NEVER occurs in telnet.
> The error is completely reproducible when you come across it.
> ie: one may just be browsing the filesystem and when you come across this
> problem, you can launch another xterm and the EXACT same thing happens
> when you try to do it again
>
> Bug reports on similar issues seem to be sparse and people I know never
> seem to have the problem, perhaps they use ssh from a windows machine.
>
> I was wondering what causes this, and is there a way to fix it?
>

--
T.E.Dickey
http://invisible-island.net
ftp://invisible-island.net

From war at lucidpixels.com Fri Jul 11 00:25:39 2003
From: war at lucidpixels.com (war)
Date: Thu, 10 Jul 2003 10:25:39 -0400 (EDT)
Subject: XTerm & OpenSSH question w/ freezing.
In-Reply-To: <20030710102408.P82064@vhost101.his.com>
References: <20030710102408.P82064@vhost101.his.com>
Message-ID:

Any version, currently using the latest stable, xterm-179.

On Thu, 10 Jul 2003, Thomas E. Dickey wrote:

> On Thu, 10 Jul 2003, war wrote:
>
> > Sometimes when I use openssh (latest) and do find . or ls -lR /dev or
> > similar, my xterm 'freezes up', there is no way to fix it but to kill the
> > xterm usually.
>
> what version of xterm?
> The only issue that comes to mind is the fix for blinking cursor a few
> months ago.
>
> >
> > This NEVER occurs in telnet.
> > The error is completely reproducible when you come across it.
> > ie: one may just be browsing the filesystem and when you come across this
> > problem, you can launch another xterm and the EXACT same thing happens
> > when you try to do it again
> >
> > Bug reports on similar issues seem to be sparse and people I know never
> > seem to have the problem, perhaps they use ssh from a windows machine.
> >
> > I was wondering what causes this, and is there a way to fix it?
> >
>
> --
> T.E.Dickey
> http://invisible-island.net
> ftp://invisible-island.net
>

From dickey at herndon4.his.com Fri Jul 11 00:33:23 2003
From: dickey at herndon4.his.com (Thomas E. Dickey)
Date: Thu, 10 Jul 2003 10:33:23 -0400 (EDT)
Subject: XTerm & OpenSSH question w/ freezing.
In-Reply-To:
References: <20030710102408.P82064@vhost101.his.com>
Message-ID: <20030710103222.F82335@vhost101.his.com>

On Thu, 10 Jul 2003, war wrote:

> Any version, currently using the latest stable, xterm-179.

There was a Debian bug report last week in this area, but it turned out to
be a bug in bash (I don't know more than that).

>
> On Thu, 10 Jul 2003, Thomas E. Dickey wrote:
>
> > On Thu, 10 Jul 2003, war wrote:
> >
> > > Sometimes when I use openssh (latest) and do find . or ls -lR /dev or
> > > similar, my xterm 'freezes up', there is no way to fix it but to kill the
> > > xterm usually.
> >
> > what version of xterm?
> > The only issue that comes to mind is the fix for blinking cursor a few
> > months ago.
> >
> > >
> > > This NEVER occurs in telnet.
> > > The error is completely reproducible when you come across it.
> > > ie: one may just be browsing the filesystem and when you come across this
> > > problem, you can launch another xterm and the EXACT same thing happens
> > > when you try to do it again
> > >
> > > Bug reports on similar issues seem to be sparse and people I know never
> > > seem to have the problem, perhaps they use ssh from a windows machine.
> > >
> > > I was wondering what causes this, and is there a way to fix it?
> > >
> >
> > --
> > T.E.Dickey
> > http://invisible-island.net
> > ftp://invisible-island.net
> >
>

--
T.E.Dickey
http://invisible-island.net
ftp://invisible-island.net

From war at lucidpixels.com Fri Jul 11 00:35:57 2003
From: war at lucidpixels.com (war)
Date: Thu, 10 Jul 2003 10:35:57 -0400 (EDT)
Subject: XTerm & OpenSSH question w/ freezing.
In-Reply-To: <20030710103222.F82335@vhost101.his.com>
References: <20030710102408.P82064@vhost101.his.com> <20030710103222.F82335@vhost101.his.com>
Message-ID:

Ok, next time I can reproduce this problem I will try csh/ksh other shells
and see, thanks for the insight.

On Thu, 10 Jul 2003, Thomas E. Dickey wrote:

> On Thu, 10 Jul 2003, war wrote:
>
> > Any version, currently using the latest stable, xterm-179.
>
> There was a Debian bug report last week in this area, but it turned out to
> be a bug in bash (I don't know more than that).
>
> >
> > On Thu, 10 Jul 2003, Thomas E. Dickey wrote:
> >
> > > On Thu, 10 Jul 2003, war wrote:
> > >
> > > > Sometimes when I use openssh (latest) and do find . or ls -lR /dev or
> > > > similar, my xterm 'freezes up', there is no way to fix it but to kill the
> > > > xterm usually.
> > >
> > > what version of xterm?
> > > The only issue that comes to mind is the fix for blinking cursor a few
> > > months ago.
> > >
> > > >
> > > > This NEVER occurs in telnet.
> > > > The error is completely reproducible when you come across it.
> > > > ie: one may just be browsing the filesystem and when you come across this
> > > > problem, you can launch another xterm and the EXACT same thing happens
> > > > when you try to do it again
> > > >
> > > > Bug reports on similar issues seem to be sparse and people I know never
> > > > seem to have the problem, perhaps they use ssh from a windows machine.
> > > >
> > > > I was wondering what causes this, and is there a way to fix it?
> > > >
> > >
> > > --
> > > T.E.Dickey
> > > http://invisible-island.net
> > > ftp://invisible-island.net
> > >
> >
>
> --
> T.E.Dickey
> http://invisible-island.net
> ftp://invisible-island.net
>

From soltrain33 at glay.org Fri Jul 11 00:37:00 2003
From: soltrain33 at glay.org (noah li)
Date: Thu, 10 Jul 2003 22:37:00 +0800
Subject: Failed make of ssh3.6p1 : Error Code 1
Message-ID: <20030710143700.13159.qmail@glay.org>

I'm trying to upgrade my version of openSSH on a freeBSD box. Previously I
had version 3.4, which I removed before attempting installation of the new
version.

Upon running configure, I got the error "cannot guess build type; you must
specify one"

I ran configure again with the switch --build=i86 which completed
successfully. However, when I tried to build, it gave me the error:

"/auth-password.c(.text+0x5e):undefined reference to 'crypt'
** Error code 1"

I am not sure how to resolve this. Any ideas? Thanks.

--
_______________________________________________
Get your free email from http://www.glay.org

Powered by Outblaze

From dan at doxpara.com Fri Jul 11 00:37:51 2003
From: dan at doxpara.com (Dan Kaminsky) Date: Thu, 10 Jul 2003 07:37:51 -0700 Subject: sshd also talking HTTP In-Reply-To: <20030710102018.GK81904@xs4all.nl> References: <20030710102018.GK81904@xs4all.nl> Message-ID: <3F0D7A3F.4080006@doxpara.com> Jan-- Your hack is useful, but (being a bit more diplomatic than Damien *smiles*) indeed should be generalized into an external application. Rather than launching separate instances of SSHD, however, you may simply use the delay to select your port forward destination. So, your app listens on 80; if any bytes are read from the client(GET/HEAD/POST/TRACE/etc) you forward to a web server running elsewhere, and if no bytes are read, you forward to 22. Though trickier, you can actually fool the server into believing it had the original socket (thus getting the correct IP in your logs); see the stunnel source to see how this is done. It may be Linux specific, though. Anyway, this prevents loss of entropy. The described tactic should also work with SSL/443, which also gets through firewalls well. And, of course, there's httptunnel, which can be used as an ssh transport via ProxyCommand. C'mon, Damien :-) The very use of crypto is predicated on the fact that networks are imperfect. Some people have more horrifyingly imperfect network than others. And besides, how much scoffing at do we get from the IPSec boosters? --Dan www.doxpara.com Jan Pieter Cornet wrote: >(I'm not subscribed to the list, please Cc me on replies). > >We have configured sshd to listen on port 80 for some of our users who >are behind sufficiently paranoid firewalls. However, others are now >confused since they're expecting a web server on port 80. > >So, I created a small patch (just as proof-of-concept so far), that >determines the type of client connecting. A web client will start talking >itself (GET, HEAD, etc...), while an ssh client will wait for the server >to issue the greeting banner. 
> >So, the patch simply waits 1 second (should be configurable) when someone >connects to port 80 (should also be configurable), and if any data is >available by then, it decides it's an HTTP client, not an SSH client, >and sends a proper redirect. > >The patch is attached (or in case the attachment gets stripped, also here: >http://www.xs4all.nl/~johnpc/dirty-sshd-hack.txt ) > >Could a cleaned up version of this patch be useful for inclusion in future >versions of Opensshd? Note that it is specifically _not_ the idea to put >a full-blown HTTP server inside sshd, only enough to redirect to another >URL (which should of course be configurable). > >Another way to solve the same problem would be to run sshd in "inetd" >mode, behind a simple wrapper script that does the HTTP detection and >redirection. However, that has the inherent disadvantages of the inetd >mode (like wasting entropy). > >I'm willing to invest some time in making the patch suitable, if it is >decided that it could be useful. > > > >------------------------------------------------------------------------ > >--- sshd.c.orig Mon Mar 10 01:38:10 2003 >+++ sshd.c Wed May 14 02:47:07 2003 >@@ -52,6 +52,11 @@ > #include > #include > #endif >+#ifdef DOUBLE_AS_HTTPD >+#include >+#include >+#include >+#endif > > #include "ssh.h" > #include "ssh1.h" 
>@@ -483,6 +488,152 @@ > } > } > >+#ifdef DOUBLE_AS_HTTPD >+static void sshd_act_like_an_httpd(int sock_in, int sock_out); >+static void sshd_httpd_timeout(int sig); >+ >+/* intercept httpd */ >+static void >+sshd_intercept_possible_httpd(int sock_in, int sock_out) >+{ >+ struct sockaddr local; >+ int local_len; >+ fd_set readfds; >+ struct timeval onesec; >+ >+ local_len = sizeof(local); >+ if ( getsockname(sock_in, &local, &local_len) != 0 ) { >+ log("HTTPD HACK: getsockname failed: %.100s", >+ strerror(errno)); >+ return; >+ } >+ if ( local.sa_family != AF_INET ) { >+ log("HTTPD HACK: strange sock_in.sa_family: %d", >+ local.sa_family); >+ return; >+ } >+ if ( ntohs(((struct sockaddr_in*) &local)->sin_port) != 80 ) { >+ /* XXX this logging should be removed */ >+ log("HTTPD HACK: incoming port not 80 but %d", >+ ntohs(((struct sockaddr_in*) &local)->sin_port)); >+ return; >+ } >+ >+ /* wait 1 second for a valid http request coming in */ >+ FD_ZERO(&readfds); >+ FD_SET(sock_in, &readfds); >+ onesec.tv_sec = 1; >+ onesec.tv_usec = 0; >+ if ( ! select(sock_in + 1, &readfds, NULL, NULL, &onesec) ) { >+ log("HTTPD HACK: nothing incoming for 1 second"); >+ return; >+ } >+ if ( ! FD_ISSET(sock_in, &readfds) ) { >+ log("HTTPD HACK: hm, sock_in not readable"); >+ return; >+ } >+ >+ /* >+ * Something is in the buffer right now. This is not an ssh client. >+ * so from here on, we will never return to the real program, >+ * and assume it is an HTTP request. >+ */ >+ >+ sshd_act_like_an_httpd(sock_in, sock_out); >+ exit(0); >+} >+ >+static void >+sshd_act_like_an_httpd(int sock_in, int sock_out) >+{ >+ FILE* in; >+ char httpreq[1024]; >+ char hdrline[1024]; >+ char outbuf[4096]; >+ char* p; >+ char* url; >+ >+ /* setup an alarm call to abort playing HTTPD reasonably soon. 
*/ >+ signal(SIGALRM, sshd_httpd_timeout); >+ if (!debug_flag) >+ alarm(60); >+ >+ if ( !(in = fdopen(sock_in, "r+")) ) { >+ log("HTTPD HACK: fdopen failed: %.100s", strerror(errno)); >+ return; >+ } >+ >+ /* read in the first line of the request */ >+ if ( ! fgets(httpreq, sizeof(httpreq), in) ) { >+ log("HTTPD HACK: fgets failed on first line: %.100s", >+ strerror(errno)); >+ return; >+ } >+ >+ /* must be a GET request... for NOW. Support more */ >+ if ( strncmp(httpreq, "GET ", 4) ) { >+ log("HTTPD HACK: no GET request, but a %.100s", httpreq); >+ return; >+ } >+ url = httpreq + 4; >+ >+ if ( !(p = strchr(url, ' ')) ) { >+ log("HTTPD HACK: HTTP/0.9 request: %.100s", httpreq); >+ return; >+ } >+ >+ *p++ = '\0'; >+ /* must be a HTTP/1.x request */ >+ if ( strncmp(p, "HTTP/1.", 7) ) { >+ log("HTTPD HACK: Not a HTTP/1.x request but %.100s", p); >+ return; >+ } >+ >+ log("HTTPD HACK: faking a request for GET %.100s", url); >+ >+ /* read (and ignore) the subsequent header */ >+ strcpy(hdrline, "foo"); >+ while ( strlen(hdrline) > 0 ) { >+ if ( ! fgets(hdrline, sizeof(hdrline), in) ) { >+ log("HTTPD HACK: fgets failed on header: %.100s", >+ strerror(errno)); >+ return; >+ } >+ /* strip CR+LF */ >+ if ( (p = strchr(hdrline, '\r')) != NULL ) >+ *p = '\0'; >+ if ( (p = strchr(hdrline, '\n')) != NULL ) >+ *p = '\0'; >+ log("HTTPD HACK: ignoring header %.100s", hdrline); >+ } >+ >+ /* output the redirect. To a fixed site for proof of concept. */ >+ snprintf(outbuf, sizeof(outbuf), "\ >+HTTP/1.0 301 Don't be so lazy and type that www\r\n\ >+Server: sshd %.100s\r\n\ >+Location: http://www.xs4all.nl%s\r\n\ >+Connection: close\r\n\ >+Content-Type: text/plain\r\n\ >+\r\n\ >+Don't be so lazy, and simply type www.xs4all.nl instead of just xs4all.nl\r\n\ >+", >+ SSH_VERSION, >+ url >+ ); >+ write(sock_out, &outbuf, strlen(outbuf)); >+ return; >+} >+ >+static void >+sshd_httpd_timeout(int sig) >+{ >+ /* Log error and exit. 
*/ >+ fatal("Timeout in acting like HTTPD for connection from %s", >+ get_remote_ipaddr()); >+} >+ >+#endif >+ > /* Destroy the host and server keys. They will no longer be needed. */ > void > destroy_sensitive_data(void) >@@ -1457,6 +1608,14 @@ > > /* Log the connection. */ > verbose("Connection from %.500s port %d", remote_ip, remote_port); >+ >+#ifdef DOUBLE_AS_HTTPD >+ /* >+ * Wait a few instants to see if an HTTP request comes in, >+ * then handle that. This is only done for port 80. >+ */ >+ sshd_intercept_possible_httpd(sock_in, sock_out); >+#endif > > /* > * We don\'t want to listen forever unless the other side > > >------------------------------------------------------------------------ > >_______________________________________________ >openssh-unix-dev mailing list >openssh-unix-dev at mindrot.org >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > From dickey at herndon4.his.com Fri Jul 11 01:07:37 2003 
From: dickey at herndon4.his.com (Thomas E. Dickey)
Date: Thu, 10 Jul 2003 11:07:37 -0400 (EDT)
Subject: XTerm & OpenSSH question w/ freezing.
In-Reply-To:
References: <20030710102408.P82064@vhost101.his.com> <20030710103222.F82335@vhost101.his.com>
Message-ID: <20030710110631.M83701@vhost101.his.com>

On Thu, 10 Jul 2003, war wrote:

> Ok, next time I can reproduce this problem I will try csh/ksh other shells
> and see, thanks for the insight.

no problem (it may be the same problem, or one that I haven't read about).

> On Thu, 10 Jul 2003, Thomas E. Dickey wrote:
>
> > On Thu, 10 Jul 2003, war wrote:
> >
> > > Any version, currently using the latest stable, xterm-179.
> >
> > There was a Debian bug report last week in this area, but it turned out to
> > be a bug in bash (I don't know more than that).
> >
> > >
> > > On Thu, 10 Jul 2003, Thomas E. Dickey wrote:
> > >
> > > > On Thu, 10 Jul 2003, war wrote:
> > > >
> > > > > Sometimes when I use openssh (latest) and do find . or ls -lR /dev or
> > > > > similar, my xterm 'freezes up', there is no way to fix it but to kill the
> > > > > xterm usually.
> > > >
> > > > what version of xterm?
> > > > The only issue that comes to mind is the fix for blinking cursor a few
> > > > months ago.
> > > >
> > > > >
> > > > > This NEVER occurs in telnet.
> > > > > The error is completely reproducible when you come across it.
> > > > > ie: one may just be browsing the filesystem and when you come across this
> > > > > problem, you can launch another xterm and the EXACT same thing happens
> > > > > when you try to do it again
> > > > >
> > > > > Bug reports on similar issues seem to be sparse and people I know never
> > > > > seem to have the problem, perhaps they use ssh from a windows machine.
> > > > >
> > > > > I was wondering what causes this, and is there a way to fix it?
> > > > >
> > > >
> > > > --
> > > > T.E.Dickey
> > > > http://invisible-island.net
> > > > ftp://invisible-island.net
> > > >
> > >
> >
> > --
> > T.E.Dickey
> > http://invisible-island.net
> > ftp://invisible-island.net
> >
>

--
T.E.Dickey
http://invisible-island.net
ftp://invisible-island.net

From mouring at etoh.eviladmin.org Fri Jul 11 04:25:46 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 10 Jul 2003 13:25:46 -0500 (CDT)
Subject: sshd also talking HTTP
In-Reply-To: <3F0D7A3F.4080006@doxpara.com>
Message-ID:

On Thu, 10 Jul 2003, Dan Kaminsky wrote:

[..]
> C'mon, Damien :-) The very use of crypto is predicated on the fact
> that networks are imperfect. Some people have more horrifyingly
> imperfect network than others. And besides, how much scoffing at do we
> get from the IPSec boosters?
>

There is a reason ports are registered for services. =) Same reason you
name your public server sane names like "www.mydomain.com" and
"mail.mydomain.com". Because it is what people expect. Be it right or
wrong.

The whole "lets pig pile everything on port 80/443" has become extreme
lately.

As for IPSec people.. Not seen too much from them. besides.. IPSec is
much more complex and is not the end-all of all tools (nor should ssh be).

Personally my take is.. "UGH, yet another bloated feature. My god our code
base is already too big to understand when I'm drunk!" =)

But I agree as a separate project in a generic form it may be semi-useful,
but that is outside the scope of our focus.

- Ben

From pasacki at sandia.gov Fri Jul 11 05:33:51 2003
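As an added example of the external wrapper that Damien and Dan argue for above (this is not code from the patch, from the thread, or from OpenSSH): a small Python demultiplexer that listens on one port and applies Dan's rule, relaying a client that speaks first with an HTTP method to a web server and a client that stays silent (an SSH client waiting for the banner) to sshd. The backend addresses, the one-second wait and the traffic in `demo_verdicts` are constructed assumptions. It does not try to recover the original client address the way Dan says stunnel does, so the backends' logs will show the wrapper's address.

```python
import select
import socket
import threading

# Seconds to wait for the client to speak first (the thread's "1 second").
PEEK_TIMEOUT = 1.0
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"TRACE ", b"CONNECT ")
# Constructed assumptions: where the real services live behind the wrapper.
SSH_BACKEND = ("127.0.0.1", 22)
HTTP_BACKEND = ("127.0.0.1", 8080)


def classify_first_bytes(data: bytes) -> str:
    """Pick a backend from the client's first bytes.

    An SSH client classically waits for the server banner, so silence
    within the timeout means "ssh"; a client that sends its own
    "SSH-2.0-..." identification first is also "ssh". A known HTTP method
    means "http". Anything else is "unknown" and gets dropped rather than
    being handed to either backend.
    """
    if not data or data.startswith(b"SSH-"):
        return "ssh"
    if any(data.startswith(method) for method in HTTP_METHODS):
        return "http"
    return "unknown"


def peek_client(conn: socket.socket, timeout: float = PEEK_TIMEOUT) -> bytes:
    """Wait up to `timeout` seconds for client data without consuming it.

    MSG_PEEK leaves the bytes in the kernel buffer, so the chosen backend
    still sees the complete, unmodified request. Nothing is parsed here.
    """
    readable, _, _ = select.select([conn], [], [], timeout)
    if not readable:
        return b""
    return conn.recv(16, socket.MSG_PEEK)


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def dispatch(conn: socket.socket) -> str:
    """Classify one accepted connection, relay it, and return the verdict."""
    verdict = classify_first_bytes(peek_client(conn))
    backend = {"ssh": SSH_BACKEND, "http": HTTP_BACKEND}.get(verdict)
    if backend is None:
        conn.close()
        return verdict
    try:
        upstream = socket.create_connection(backend)
    except OSError:
        conn.close()
        return verdict
    # Two threads, one per direction; each half-closes when its side ends.
    threading.Thread(target=_pump, args=(conn, upstream), daemon=True).start()
    threading.Thread(target=_pump, args=(upstream, conn), daemon=True).start()
    return verdict


def serve(listen_addr=("0.0.0.0", 80)) -> None:
    """Accept loop: one dispatcher thread per connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(listen_addr)
        srv.listen(64)
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=dispatch, args=(conn,), daemon=True).start()


def demo_verdicts() -> dict:
    """Run the classifier over constructed traffic on local socketpairs."""
    http_a, http_b = socket.socketpair()
    http_b.sendall(b"GET / HTTP/1.0\r\nHost: example.org\r\n\r\n")
    http_verdict = classify_first_bytes(peek_client(http_a, 0.5))
    intact = http_a.recv(4) == b"GET "        # the peek consumed nothing
    ssh_a, ssh_b = socket.socketpair()        # a client that stays silent
    ssh_verdict = classify_first_bytes(peek_client(ssh_a, 0.2))
    for s in (http_a, http_b, ssh_a, ssh_b):
        s.close()
    return {"http": http_verdict, "peeked_intact": intact,
            "silent": ssh_verdict,
            "banner": classify_first_bytes(b"SSH-2.0-OpenSSH_3.6.1p2"),
            "tls": classify_first_bytes(b"\x16\x03\x01\x00")}


if __name__ == "__main__":
    print(demo_verdicts())
```

Because the decision is made on peeked bytes, the web server receives the request exactly as the browser sent it and does its own parsing; the wrapper never echoes client data into a response, which sidesteps the header-validation problem of answering HTTP inside sshd. Traffic that is neither an HTTP method nor an SSH banner is closed rather than guessed at, and a silent client costs sshd nothing beyond the one-second delay the patch also imposes.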
From: pasacki at sandia.gov (Phil Sackinger)
Date: Thu, 10 Jul 2003 19:33:51 -0000
Subject: XTerm & OpenSSH question w/ freezing.
In-Reply-To:
References: <20030710102408.P82064@vhost101.his.com> <20030710103222.F82335@vhost101.his.com>
Message-ID: <1057865647.22198.8.camel@sahp5069.sandia.gov>

Just making sure, here, but have you tried firing off your remote X
clients using either the "-n" or "-f" switch? I vaguely recall sometime
ago getting hung terminal sessions that were cured by using those
switches. Your problem may not be so simply solved, but it's always good
to check the obvious simple solution first, just in case.

On Thu, 2003-07-10 at 08:35, war wrote:
> Ok, next time I can reproduce this problem I will try csh/ksh other shells
> and see, thanks for the insight.
>
> On Thu, 10 Jul 2003, Thomas E. Dickey wrote:
>
> > On Thu, 10 Jul 2003, war wrote:
> >
> > > Any version, currently using the latest stable, xterm-179.
> >
> > There was a Debian bug report last week in this area, but it turned out to
> > be a bug in bash (I don't know more than that).
> >
> > >
> > > On Thu, 10 Jul 2003, Thomas E. Dickey wrote:
> > >
> > > > On Thu, 10 Jul 2003, war wrote:
> > > >
> > > > > Sometimes when I use openssh (latest) and do find . or ls -lR /dev or
> > > > > similar, my xterm 'freezes up', there is no way to fix it but to kill the
> > > > > xterm usually.
> > > >
> > > > what version of xterm?
> > > > The only issue that comes to mind is the fix for blinking cursor a few
> > > > months ago.
> > > >
> > > > >
> > > > > This NEVER occurs in telnet.
> > > > > The error is completely reproducible when you come across it.
> > > > > ie: one may just be browsing the filesystem and when you come across this
> > > > > problem, you can launch another xterm and the EXACT same thing happens
> > > > > when you try to do it again
> > > > >
> > > > > Bug reports on similar issues seem to be sparse and people I know never
> > > > > seem to have the problem, perhaps they use ssh from a windows machine.
> > > > >
> > > > > I was wondering what causes this, and is there a way to fix it?
> > > > >
> > > >
> > > > --
> > > > T.E.Dickey
> > > > http://invisible-island.net
> > > > ftp://invisible-island.net
> > > >
> > >
> >
> > --
> > T.E.Dickey
> > http://invisible-island.net
> > ftp://invisible-island.net
> >
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From jodo710 at hotmail.com Fri Jul 11 07:31:03 2003
From: jodo710 at hotmail.com (Joey Doughly)
Date: Thu, 10 Jul 2003 21:31:03 +0000
Subject: Question about porting SSH
Message-ID:

Hello everybody,
I am working on a project trying to port openSSH and have noticed that some
of the components rely on SSL which is a pretty big program as well. Is
there any way to just rip out certain modules from SSL to get openSSH to
work with out porting all of the SSL components, and if so what are the only
SSL modules I need to get SSH to work properly. Any help will be greatly
appreciated.

Thank you,
Joey

_________________________________________________________________
Add photos to your e-mail with MSN 8. Get 2 months FREE*.
http://join.msn.com/?page=features/featuredemail

From markus at openbsd.org Fri Jul 11 07:53:48 2003
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 10 Jul 2003 23:53:48 +0200
Subject: Question about porting SSH
In-Reply-To:
References:
Message-ID: <20030710215348.GA14158@folly>

On Thu, Jul 10, 2003 at 09:31:03PM +0000, Joey Doughly wrote:
> Hello everybody,
> I am working on a project trying to port OpenSSH and have noticed that some
> of the components rely on SSL which is a pretty big program as well. Is
> there any way to just rip out certain modules from SSL to get OpenSSH to
> work without porting all of the SSL components, and if so what are the
> only SSL modules I need to get SSH to work properly. Any help will be

you need bignum, rsa, dh and at least 3des from libcrypto. you don't need libssl at all.

From djm at mindrot.org Fri Jul 11 07:55:17 2003
From: djm at mindrot.org (Damien Miller)
Date: Fri, 11 Jul 2003 07:55:17 +1000
Subject: sshd also talking HTTP
In-Reply-To: <3F0D7A3F.4080006@doxpara.com>
References: <20030710102018.GK81904@xs4all.nl> <3F0D7A3F.4080006@doxpara.com>
Message-ID: <3F0DE0C5.1000608@mindrot.org>

Dan Kaminsky wrote:
> C'mon, Damien :-) The very use of crypto is predicated on the fact
> that networks are imperfect. Some people have more horrifyingly
> imperfect network than others.

Perhaps we should just implement rfc3093.

-d

From djm at mindrot.org Fri Jul 11 08:05:22 2003
From: djm at mindrot.org (Damien Miller)
Date: Fri, 11 Jul 2003 08:05:22 +1000
Subject: Question about porting SSH
In-Reply-To:
References:
Message-ID: <3F0DE322.8080209@mindrot.org>

Joey Doughly wrote:
> Hello everybody,
> I am working on a project trying to port OpenSSH and have noticed that some
> of the components rely on SSL which is a pretty big program as well. Is
> there any way to just rip out certain modules from SSL to get OpenSSH to
> work without porting all of the SSL components, and if so what are the only
> SSL modules I need to get SSH to work properly. Any help will be greatly
> appreciated.

OpenSSH depends on the libcrypto component of OpenSSL only and it certainly doesn't use all of the functionality it provides. You could start by not installing libssl and turning off unused ciphers in libcrypto.

Alternately, you could statically link the OpenSSH binaries. This would make them larger, but they would only include the object files from libcrypto that were used.

-d

From dan at doxpara.com Fri Jul 11 08:23:17 2003
From: dan at doxpara.com (Dan Kaminsky)
Date: Thu, 10 Jul 2003 15:23:17 -0700
Subject: sshd also talking HTTP
In-Reply-To:
References:
Message-ID: <3F0DE755.90402@doxpara.com>

>There is a reason ports are registered for services. =) Same reason you
>name your public server sane names like "www.mydomain.com" and
>"mail.mydomain.com". Because it is what people expect. Be it right or
>wrong. The whole "let's pig pile everything on port 80/443" has become
>extreme lately.
>
>

Yeah, welcome to the unplanned evolution of the net. *sighs*

You can't argue a server with 40 open ports is good, so what does that leave you?

>As for IPSec people.. Not seen too much from them. besides.. IPSec is
>much more complex and is not the end-all of all tools (nor should ssh be).
>
>

SSH seems very complex compared to telnet, which is _obviously_ secure over IPSec :-)

>Personally my take is.. "UGH, yet another bloated feature. My god our
>code base is already too big to understand when I'm drunk!" =)
>
>But I agree as a separate project in a generic form it may be semi-useful,
>but that is outside the scope of our focus.
>
>

We agree -- although, conceivably, we could accept some form of proxy notification from external proxies like the one I described. There's lots of precedent for this -- squid proxies notify over HTTP who they're requesting pages for, and mail servers add to the headers which IP address sent them the mail to be delivered. This could be much cleaner and more portable than the "transparent proxying" hack used by stunnel, and would involve little more than the proxy appending "ProxyFor=1.2.3.4" after the client banner (thus retaining compatibility with existing servers). We would have to be careful to only believe such proxies if they came from localhost...

--Dan
www.doxpara.com

From gem at rellim.com Fri Jul 11 08:23:24 2003
From: gem at rellim.com (Gary E. Miller)
Date: Thu, 10 Jul 2003 15:23:24 -0700 (PDT)
Subject: sshd also talking HTTP
In-Reply-To: <3F0DE0C5.1000608@mindrot.org>
References: <20030710102018.GK81904@xs4all.nl> <3F0D7A3F.4080006@doxpara.com> <3F0DE0C5.1000608@mindrot.org>
Message-ID:

Yo All!

Wrappers are the way to go. Make each tool do one thing well and leave the rest to others.

Someone just posted a cool http/https standalone tunnel for ssh on the pen-test mailing list. Smart enough to log in and pass packets through a firewall proxy. Check it out:

http://lists.netsys.com/pipermail/full-disclosure/2003-July/011101.html

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

From dan at doxpara.com Fri Jul 11 08:26:22 2003
From: dan at doxpara.com (Dan Kaminsky)
Date: Thu, 10 Jul 2003 15:26:22 -0700
Subject: Question about porting SSH
In-Reply-To:
References:
Message-ID: <3F0DE80E.6040802@doxpara.com>

Joey Doughly wrote:
> Hello everybody,
> I am working on a project trying to port OpenSSH and have noticed that
> some of the components rely on SSL which is a pretty big program as
> well. Is there any way to just rip out certain modules from SSL to
> get OpenSSH to work without porting all of the SSL components, and if
> so what are the only SSL modules I need to get SSH to work properly.
> Any help will be greatly appreciated.

Libtomcrypt provides an _extremely_ portable interface to everything you're looking for. I'd argue we should use it, but I think the benefit of access to OpenSSL acceleration exceeds the cost of slightly limited portability and vulnerability to OpenSSL exploits.

http://www.libtomcrypt.org

--Dan

From mouring at etoh.eviladmin.org Fri Jul 11 08:59:32 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 10 Jul 2003 17:59:32 -0500 (CDT)
Subject: sshd also talking HTTP
In-Reply-To: <3F0DE755.90402@doxpara.com>
Message-ID:

On Thu, 10 Jul 2003, Dan Kaminsky wrote:

>
> >There is a reason ports are registered for services. =) Same reason you
> >name your public server sane names like "www.mydomain.com" and
> >"mail.mydomain.com". Because it is what people expect. Be it right or
> >wrong. The whole "let's pig pile everything on port 80/443" has become
> >extreme lately.
> >
> >
>
> Yeah, welcome to the unplanned evolution of the net. *sighs*
>
> You can't argue a server with 40 open ports is good, so what does that
> leave you?
>

Nor could I argue that 1 port with 40 services on it is good either.

- Ben

From dan at doxpara.com Fri Jul 11 09:06:20 2003
From: dan at doxpara.com (Dan Kaminsky)
Date: Thu, 10 Jul 2003 16:06:20 -0700
Subject: sshd also talking HTTP
In-Reply-To:
References:
Message-ID: <3F0DF16C.40806@doxpara.com>

>Nor could I argue that 1 port with 40 services on it is good either.
>
>

Oh? What do you think port forwarding does?

--Dan

From VikashB at ComparexAfrica.co.za Fri Jul 11 14:59:49 2003
From: VikashB at ComparexAfrica.co.za (Vikash Badal - PCS)
Date: Fri, 11 Jul 2003 06:59:49 +0200
Subject: OpenSSH 3.6.1p2 +UnixWare 7.1.1 +SSH2 + PasswordAuthentication no + PermitEmptyPasswords yes (followup)
Message-ID: <501BF453CDCFD111A6E40080C83DAC04026966B3@PSICS001>

Greetings,

complete debug below

> -----Original Message-----
> From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org]
> Sent: 10 July 2003 03:32
> To: Vikash Badal - PCS
> Cc: 'openssh-unix-dev at mindrot.org'
> Subject: Re: OpenSSH 3.6.1p2 +UnixWare 7.1.1 +SSH2 +
> PasswordAuthentication no + PermitEmptyPasswords yes (followup)
>
>
>
> Would be nice for a complete sshd -d -d -d output. I've tracked back
> through the code and I don't see how a single platform could have a
> problem with it unless the problem is in auth_password(). Which is an
> utter mess and nearly untrackable.
>
> - Ben
>
> On Thu, 10 Jul 2003, Vikash Badal - PCS wrote:
>
> > Greetings,
> >
> > Problem : Openssh3.6.1p2 on UnixWare 7.1.1 allows access to
> passwordless
> > account without a valid key when sshd_config has
> PasswordAuthentication no
> > + PermitEmptyPasswords yes
> >
> > Attempts:
> > Installed maintenance pack3 and recompiled both OpenSSH and
> OpenSSL (0.9.7b)
> > with native c compiler.
> >
> > Recompiled both OpenSSH and OpenSSL (0.9.7b) with gcc (2.95.2).
> >
> > Still the same problem.
> >
> > Looking at auth2.c line 185-190:
> > authenticated = m->userauth(authctxt);
> > sets authenticate to 1 when PermitEmptyPasswords ==> yes
> >
> > I found only one reference to userauth()
> > in sshconnect2.c (line 279)
> >
> > I do not understand the code m->userauth(authctxt);
> >

uw7: /usr/udd1/dev/original/openssh-3.6.1p2 # ./sshd -p 5000 -d -d -d
debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper
debug2: read_server_config: filename /etc/ssh/sshd_config
debug1: sshd version OpenSSH_3.6.1p2
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: Bind to port 5000 on ::.
debug1: Bind to port 5000 on 0.0.0.0.
Server listening on 0.0.0.0 port 5000.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.1.1 port 1199
debug1: Client protocol version 2.0; client software version OpenSSH_3.5p1 FreeBSD-20030201
debug1: match: OpenSSH_3.5p1 FreeBSD-20030201 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.6.1p2
debug1: list_hostkey_types: ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug2: dh_gen_key: priv key bits set: 129/256
debug2: bits set: 1619/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 1601/3191
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user natis service ssh-connection method none
debug1: attempt 0 failures 0
debug3: allowed_user: today 12244 sp_expire -1 sp_lstchg 12240 sp_max -1
debug2: input_userauth_request: setting up authctxt for natis
debug2: input_userauth_request: try method none
Accepted none for natis from 192.168.1.1 port 1199 ssh2
debug1: Entering interactive session for SSH2.
debug1: fd 7 setting O_NONBLOCK
debug1: fd 8 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/2
debug3: tty_parse_modes: SSH2 n_bytes 251
debug3: tty_parse_modes: ospeed 9600
debug3: tty_parse_modes: ispeed 9600
debug3: tty_parse_modes: 1 3
debug3: tty_parse_modes: 2 28
debug3: tty_parse_modes: 3 127
debug3: tty_parse_modes: 4 21
debug3: tty_parse_modes: 5 4
debug3: tty_parse_modes: 6 255
debug3: tty_parse_modes: 7 255
debug3: tty_parse_modes: 8 17
debug3: tty_parse_modes: 9 19
debug3: tty_parse_modes: 10 26
debug3: tty_parse_modes: 11 25
debug3: tty_parse_modes: 12 18
debug3: tty_parse_modes: 13 23
debug3: tty_parse_modes: 14 22
debug1: Ignoring unsupported tty mode opcode 17 (0x11)
debug3: tty_parse_modes: 18 15
debug3: tty_parse_modes: 30 0
debug3: tty_parse_modes: 31 0
debug3: tty_parse_modes: 32 0
debug3: tty_parse_modes: 33 0
debug3: tty_parse_modes: 34 0
debug3: tty_parse_modes: 35 0
debug3: tty_parse_modes: 36 1
debug3: tty_parse_modes: 38 1
debug3: tty_parse_modes: 39 1
debug3: tty_parse_modes: 40 0
debug3: tty_parse_modes: 41 1
debug3: tty_parse_modes: 50 1
debug3: tty_parse_modes: 51 1
debug3: tty_parse_modes: 53 1
debug3: tty_parse_modes: 54 1
debug3: tty_parse_modes: 55 0
debug3: tty_parse_modes: 56 0
debug3: tty_parse_modes: 57 0
debug3: tty_parse_modes: 58 0
debug3: tty_parse_modes: 59 1
debug3: tty_parse_modes: 60 1
debug3: tty_parse_modes: 61 1
debug3: tty_parse_modes: 62 1
debug3: tty_parse_modes: 70 1
debug3: tty_parse_modes: 72 1
debug3: tty_parse_modes: 73 0
debug3: tty_parse_modes: 74 0
debug3: tty_parse_modes: 75 0
debug3: tty_parse_modes: 90 1
debug3: tty_parse_modes: 91 1
debug3: tty_parse_modes: 92 0
debug3: tty_parse_modes: 93 0
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: fd 10 setting O_NONBLOCK
debug2: fd 9 is O_NONBLOCK

From squrobertgonzalez4207 at wanadoo.es Fri Jul 11 19:37:08 2003
From: squrobertgonzalez4207 at wanadoo.es (Cuba / Presos Políticos)
Date: Fri, 11 Jul 2003 19:37:08 +1000 (EST)
Subject: Political prisoners: urgent humanitarian action
Message-ID: <20030711093708.81DDE27C188@shitei.mindrot.org>

bop

[1]InEnglish - [2]EnEspañol - [3]AufDeutsch - [4]InItaliano - [5]EnFrançais

Cuba: urgent humanitarian action!

The economist Martha Beatriz Roque and the physician Oscar Elías Biscet, Cuban political prisoners, are at serious risk of death, mistreated, ill and without medical care. See the link at the end to send an instant message to more than 100 world figures, asking them for urgent action on behalf of these political prisoners. Please use that link responsibly, writing in language that is firm but invariably polite.

To world leaders: urgent intervention requested on behalf of Cuban political prisoners

The state of health of the economist Martha Beatriz Roque and the physician Oscar Elías Biscet, held without medical care in the island's prisons, is delicate, says Unidad Cubana

MIAMI (HR) - "We urgently ask the democratic governments of the world, their parliamentarians, international humanitarian organizations and the media to intervene on behalf of the Cuban political prisoners Martha Beatriz Roque and Oscar Elías Biscet, imprisoned in deplorable health and sanitary conditions and denied medical attention by the communist regime," says the organization Unidad Cubana in a message to Latin American and European presidents and heads of government, to spiritual leaders, to the heads of humanitarian organizations and to media outlets around the world. The addressees include the Latin American presidents Lula, Kirchner and Lagos; all European heads of government; Cardinal Angelo Sodano, Vatican Secretary of State; the UN Secretary General, Kofi Annan; Danielle Mitterrand; humanitarian organizations and media outlets.
In the document, signed by Jesús Permuy, president of Unidad Cubana, and by its executive director, the journalist Armando Pérez Roura, freedom is also requested for all Cuban political prisoners (to receive the full text and contact telephone numbers, click here: [6]TextoCompleto-Contatos).

The economist Martha Beatriz Roque, 58 years old, awarded the Human Rights prize of the New York Academy of Sciences for her "tireless work in promoting democracy, human rights and free access to information in Cuba", has just been sentenced to twenty years in prison in the maximum-security penitentiary of Manto Negro. She is held in a strictly closed, incommunicado cell of 1 1/2 by 3 meters, without windows, in total isolation, where she has only a rag mattress, without sheets or pillows; and for her bodily needs, only a hole in the floor. Rats and insects swarm in her cell. Martha Beatriz suffers from stomach ulcers, has uncontrollable high blood pressure, has numbness down the left side of her body and suffers frequent fainting spells. Since April she has not received adequate medical care in prison, nor is she provided with the medicines she needs.

The physician Oscar Elías Biscet, 41 years old, black, married and a father, has been declared a prisoner of conscience by international humanitarian bodies. He was convicted in 1999 and served 3 years in prison for demanding the abolition of the death penalty in Cuba and the release of all the country's political prisoners. After his release on 31 October 2002, he was arrested again in December of that same year. While in preventive detention, he was subjected to a summary trial for alleged offences of attacking Cuba's sovereignty and sentenced this year to 25 years in prison.
He is held in the Kilo 5 1/2 prison, in a strictly closed, incommunicado punishment cell of 2 by 1 meters, without running water or a bed, so he has to sleep on the floor wearing only shorts, since his clothes were taken away by the prison administration. Biscet's state of health is also delicate; he suffers from high blood pressure and his dental health is in a deplorable state.

"The inhuman mistreatment to which Martha Beatriz Roque and Oscar Elías Biscet are subjected leads us to foresee that, unless there is an immediate worldwide reaction, these political prisoners - to mention only two of the most prominent - may lose their lives in a short time, given their precarious state of health, which appears to be the deliberate purpose of the Castro regime," say Permuy and Pérez Roura of Unidad Cubana.

"World leaders - in particular the Latin American ones, who have been more lenient with the communist dictatorship - have a moral debt to the enslaved Cuban people, abandoned to their fate for 44 years. The time has come for them to pay that debt by publicly calling on the communist regime to release all political prisoners," said the jurist Luis A. Figueroa, director of Unidad Cubana.

030708HR / Human Rights News Service

Directors of Unidad Cubana: Jesús Permuy and Armando Pérez Roura: tel. (1-305) 3796088 / 3796559; Dr. Luis A. Figueroa: tel. (1-305) 4420303

Urgent humanitarian action!
1) Sending messages
2) Personal contacts

1) Link to send an instant message to the Latin American presidents Lula, Kirchner and Lagos; to Cardinal Sodano, Vatican Secretary of State; to the Cuban Ministry of Foreign Affairs; to the press and to another 100 world figures, asking them for urgent action towards the immediate release of Cuban political prisoners who are at serious risk of death. Please use this link responsibly. If you wish, modify the text you will find in the link as you see fit.
The language must be firm but invariably respectful. Add your name and those of the family members who join you, as well as the city and country you are writing from. Thank you very much! Click on the following link to send an instant message to more than 100 world figures: [7]Cuba:LiberdadeParaPresosPoliticos

2) Personal contacts: if you are able to, contact political, social and religious leaders, as well as journalists in your city and country, asking them to take an interest in this humanitarian drama. It is also important to telephone or write to Cuban embassies and consulates. To receive a list of addresses and e-mails to which you can send your protest, click here: [8]ListaContatos

To send your message to Unidad Cubana, giving your valuable opinion, describing your approaches to the authorities and media in your country and/or sending suggestions, click on: [9]UnidadCubana:MinhaMensagem

To be removed from our Address Book, click here: [10]Unsubscribe (if you have already asked to be unsubscribed, we ask you to right-click on this message, check under Properties / Details exactly which e-mail address we wrote to, copy it and send it to us so that we can remove it immediately. We apologize for the inconvenience.)

References
1. mailto:lnk3214leaders at yahoo.es?subject=Cuba:InEnglish
2. mailto:lnk3214leaders at yahoo.es?subject=Cuba:EnEspa%F1ol
3. mailto:lnk3214leaders at yahoo.es?subject=Cuba:AufDeutsch
4. mailto:lnk3214leaders at yahoo.es?subject=Cuba:InItaliano
5. mailto:lnk3214leaders at yahoo.es?subject=Cuba:EnFran%E7ais
6. mailto:lnk3214leaders at yahoo.es?subject=TextoCompleto-Contatos
7. mailto:lnk3214leaders at yahoo.es;legalytecnica at presidencia.gov.ar;protocolo at planalto.gov.br;gestionypartes at presidencia.cl;kannan at un.org;sodano at segstat.va;obolo.sp at segstat.va;mission.cuba at ties.itu.ch;cuba at un.int;cubaminrex at minrex.gov.cu;embacuba at uol.com.br;imprensa at mre.gov.br?subject=Cuba:LiberdadeParaPresosPoliticos&body=Solicitamos urgente interven%E7%E3o diplomatica para salvar a vida dos prisoneiros de consci%EAncia Martha Roque e Oscar Biscet, e pela liberdade de todos os presos politicos de Cuba
8. mailto:lnk3214leaders at yahoo.es?subject=Cuba:ListaContatos
9. mailto:lnk3214leaders at yahoo.es?subject=UnidadCubana:MinhaMensagem
10. mailto:lnk3214leaders at yahoo.es?subject=Unsubscribe

From johnpc at xs4all.nl Fri Jul 11 20:53:21 2003
From: johnpc at xs4all.nl (Jan Pieter Cornet)
Date: Fri, 11 Jul 2003 12:53:21 +0200
Subject: sshd also talking HTTP
In-Reply-To: <3F0DE755.90402@doxpara.com> <3F0D7A3F.4080006@doxpara.com>
References: <3F0DE755.90402@doxpara.com> <20030710102018.GK81904@xs4all.nl> <3F0D7A3F.4080006@doxpara.com>
Message-ID: <20030711105320.GA90310@xs4all.nl>

On Thu, Jul 10, 2003 at 07:37:51AM -0700, Dan Kaminsky wrote:
> Your hack is useful, but (being a bit more diplomatic than Damien
> *smiles*) indeed should be generalized into an external application.

OK, fair enough. I'll hack up a wrapper instead.

> Rather than launching separate instances of SSHD, however, you may
> simply use the delay to select your port forward destination. So, your
> app listens on 80; if any bytes are read from the
> client(GET/HEAD/POST/TRACE/etc) you forward to a web server running
> elsewhere, and if no bytes are read, you forward to 22. Though
> trickier, you can actually fool the server into believing it had the
> original socket (thus getting the correct IP in your logs); see the
> stunnel source to see how this is done. It may be Linux specific,
> though. Anyway, this prevents loss of entropy.

Err... stunnel uses a really dirty trick that only works on recent linux kernels with a certain masquerading module present. Rather unportable. I'll just stomach the entropy hit and use sshd -i for now.

> The described tactic should also work with SSL/443, which also gets
> through firewalls well. And, of course, there's httptunnel, which can
> be used as an ssh transport via ProxyCommand.

Hm, httptunnel looks interesting too, but unfortunately it's by far not mature enough to consider as a "server" application.

> We agree -- although, conceivably, we could accept some form of proxy
> notification from external proxies like the one I described.
> There's
> lots of precedent for this -- squid proxies notify over HTTP who they're
> requesting pages for, and mail servers add to the headers which IP
> address sent them the mail to be delivered. This could be much cleaner
> and more portable than the "transparent proxying" hack used by stunnel,
> and would involve little more than the proxy appending
> "ProxyFor=1.2.3.4" after the client banner (thus retaining compatibility
> with existing servers).

That would be useful indeed, allowing me to forward to port 22 regardless. It also allows things like httptunnel to know the correct remote IP.

Another option I considered was to allow sshd to accept fd's via a unix domain socket. This is still hairy, but at least more portable than the stunnel "bind(socket, some-remote-IP-addr)".

> We would have to be careful to only believe such proxies if they came
> from localhost...

You can't even trust localhost, since any local user might connect from it. You'd either have to configure "trusted" proxies (eg. localhost, port <1024) or make sure a "ProxyFor=x.x.x.x" can only be used to lower the privilege (so for any checks against remote hosts, check both the proxy and the proxied client).

--
#!perl -pl # This kenny-filter is virus-free as long as you don't copy it
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):('m',p,f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig; # Jan-Pieter Cornet

From openssh_nospam_ at secrisk.de Fri Jul 11 21:22:44 2003
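The trust rule Jan Pieter lays out in the message above, worked through as an added example (my code, written for this page; it is not OpenSSH code and not the wrapper discussed in the thread). The server honours a ProxyFor= token only when the peer that sent it is a trusted proxy, and even then it runs its host checks against both the proxy's own address and the claimed client, so the token can narrow access but never widen it. The "ProxyFor=<addr>" syntax is Dan's proposal from the thread; the trusted-proxy table, the "loopback plus privileged source port" rule, the deny-list standing in for sshd's host-based checks, and every address used are assumptions constructed for the example.

```python
import ipaddress
import re

# Constructed for this example: dedicated proxy hosts allowed to assert a
# ProxyFor= address, keyed by the (host, port) sshd sees on the accepted socket.
TRUSTED_PROXIES = {("198.51.100.7", 8443)}   # assumed external HTTP demultiplexer

# Constructed stand-in for sshd's host-based access checks.
DENIED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# "ProxyFor=<addr>" appended to the client identification line, as proposed in
# the thread; the address may be IPv4 or IPv6.
_PROXYFOR = re.compile(rb"(?:^|[ \t])ProxyFor=([0-9A-Fa-f.:]+)")


def is_trusted_proxy(peer_addr):
    """Explicit allow-list, plus the rule suggested in the thread: a loopback
    peer whose *source* port is privileged (< 1024), which an unprivileged
    local user cannot obtain. Loopback by itself is not a trust anchor."""
    host, port = peer_addr[0], peer_addr[1]
    if (host, port) in TRUSTED_PROXIES:
        return True
    return ipaddress.ip_address(host).is_loopback and port < 1024


def parse_proxyfor(banner):
    """Split an identification line into (line without the token, claimed address).

    A malformed address is treated as absent, never as trusted."""
    line = banner.rstrip(b"\r\n")
    m = _PROXYFOR.search(line)
    if m is None:
        return line, None
    try:
        claimed = ipaddress.ip_address(m.group(1).decode("ascii"))
    except ValueError:
        return line, None
    return line[: m.start()], claimed


def effective_peers(peer_addr, banner):
    """Return (address to log, addresses every host check must pass for).

    peer_addr is the (host, port) of the socket sshd actually accepted."""
    _, claimed = parse_proxyfor(banner)
    peer_ip = ipaddress.ip_address(peer_addr[0])
    if claimed is None or not is_trusted_proxy(peer_addr):
        # No claim, or a claim from an untrusted peer: drop it, so it can
        # neither widen access nor plant a false address in the log.
        return peer_ip, [peer_ip]
    # Trusted proxy: log the real client, but check proxy AND client, so the
    # token can only ever lower the connection's privilege.
    return claimed, [peer_ip, claimed]


def is_allowed(peer_addr, banner):
    """Host check against every effective peer; a single denied one rejects."""
    _, peers = effective_peers(peer_addr, banner)
    return not any(ip in net for ip in peers for net in DENIED_NETWORKS)


if __name__ == "__main__":
    banner = b"SSH-2.0-OpenSSH_3.6.1p2 ProxyFor=192.0.2.10\r\n"   # constructed
    for peer in (("127.0.0.1", 1022), ("127.0.0.1", 40000), ("198.51.100.7", 8443)):
        print(peer, "->", effective_peers(peer, banner), is_allowed(peer, banner))
```

Dropping the token from an untrusted peer, rather than merely ignoring it for access checks, matters for the log as well: otherwise any local user could make sshd record an arbitrary address for their own session.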
From: openssh_nospam_ at secrisk.de (Mark Semmler)
Date: Fri, 11 Jul 2003 13:22:44 +0200
Subject: Hide version information -- patch attached
Message-ID: <3F0E9E04.7020802@secrisk.de>

Hello programmers, hello maintainers!

Like most of the old smtp servers (e.g. sendmail), ssh servers make it pretty easy for an attacker to get the name of the software and its version:

> badboy:~ > telnet niceboy 22
> Trying a.b.c.d...
> Connected to localhost.
> Escape character is '^]'.
> SSH-2.0-OpenSSH_3.6.1p2
> ^]
> telnet> close
> Connection closed.

I am not a friend of "security through obscurity", but I think each administrator should have the choice to decide whether this sensitive information should be freely available or not. So I wrote a small patch (see attached file).

The patch introduces the new parameter "WelcomeFile" to the configuration file. Only if this parameter points to a valid file, openssh reads a welcome message up to 128 characters out of it and displays it at the identification exchange, e.g.:

> badboy:~ > telnet niceboy 22
> Trying a.b.c.d...
> Connected to localhost.
> Escape character is '^]'.
> SSH-2.0-Why should I tell you?
> ^]
> telnet> close
> Connection closed.

If WelcomeFile is not set or if some error occurs while trying to read the file, the good old SSH_VERSION is printed out.

If you - dear maintainers - think this is worth completing, please let me know. I will then write some docu and/or change some things as you think is best.

Greetings
Mark

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch-mse
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030711/61e0aef2/attachment.ksh

From abartlet at samba.org Fri Jul 11 22:01:06 2003
From: abartlet at samba.org (Andrew Bartlett)
Date: Fri, 11 Jul 2003 12:01:06 +0000
Subject: Hide version information -- patch attached
In-Reply-To: <3F0E9E04.7020802@secrisk.de>; from openssh_nospam_@secrisk.de on Fri, Jul 11, 2003 at 01:22:44PM +0200
References: <3F0E9E04.7020802@secrisk.de>
Message-ID: <20030711120106.H24042@dp.samba.org>

On Fri, Jul 11, 2003 at 01:22:44PM +0200, Mark Semmler wrote:
>
> Hello programmers, hello maintainers!
>
> The patch introduces the new parameter "WelcomeFile" to the
> configuration file. Only if this parameter points to a valid file,
> openssh reads a welcome message up to 128 characters out of it and
> displays it at the identification exchange, e.g.:

> If you - dear maintainers - think this is worth to complete it, please
> let me know. I'll will write then some docu and/or change some things as
> you think it's best.

Is this dumb ideas week on openssh-unix-dev or am I just reading it for once?

This has been discussed to death, and is a *really* bad idea for interoperability, and adds no security advantage.

Andrew Bartlett

From dtucker at zip.com.au Fri Jul 11 22:31:00 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 11 Jul 2003 22:31:00 +1000
Subject: Hide version information -- patch attached
References: <3F0E9E04.7020802@secrisk.de>
Message-ID: <3F0EAE04.6B21F862@zip.com.au>

Mark Semmler wrote:
> I am not a friend of "security through obscurity", but I think each
> administrator should have the choice to decide, whether this sensitive
> information should be freely available or not. So I wrote a small patch
> (see attached file).

Good luck to you, but this has been done to death a couple of times before and the consensus is that this isn't going to happen.

You're not adding much if any security (an attacker can just try *all* the exploits they have) and increasing the chances of interoperability problems.

See http://bugzilla.mindrot.org/show_bug.cgi?id=94

> The patch introduces the new parameter "WelcomeFile" to the
> configuration file. Only if this parameter points to a valid file,
> openssh reads a welcome message up to 128 characters out of it and
> displays it at the identification exchange, e.g.:

Do you violate protocol if you have 2 newlines in those 128 characters? Why not just have your string in the config file? (It would be less code.)

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From markus at openbsd.org Sat Jul 12 01:29:19 2003
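Darren's question about two newlines in the welcome text is answered by the identification-string grammar in the SSH transport spec (RFC 4253 section 4.2): `SSH-protoversion-softwareversion SP comments CR LF`, at most 255 bytes including the CR LF, with protoversion and softwareversion limited to printable US-ASCII without whitespace or '-'. The checker below is an added example written for this page; it is neither OpenSSH code nor Mark's WelcomeFile patch, and `make_identification` is my own construction of how a replacement banner could be sanitised to stay protocol-legal. Notably, "SSH-2.0-Why should I tell you?" from Mark's message is legal (softwareversion "Why", the rest is the comments field), while any second CR LF is not: a conforming peer treats everything after the first CR LF as the beginning of the binary packet protocol.

```python
import re

MAX_IDENT = 255  # RFC 4253 section 4.2: whole line, CR LF included

# protoversion and softwareversion: printable US-ASCII without whitespace or '-'
_TOKEN = r"[\x21-\x2c\x2e-\x7e]+"
_IDENT = re.compile(rf"^SSH-({_TOKEN})-({_TOKEN})(?: ([\x20-\x7e]*))?$")


def check_identification(line: bytes) -> list:
    """List the protocol violations in a server identification line.

    An empty list means a conforming SSH-2 client will parse it."""
    problems = []
    if len(line) > MAX_IDENT:
        problems.append(f"{len(line)} bytes; limit is {MAX_IDENT} including CR LF")
    if line.endswith(b"\r\n"):
        body = line[:-2]
    else:
        problems.append("line must be terminated by CR LF")
        body = line
    if b"\r" in body or b"\n" in body:
        # Darren's case: the peer takes everything after the first CR LF as
        # the start of the binary packet protocol, so key exchange fails.
        problems.append("embedded line break inside the identification string")
        return problems
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        problems.append("non-ASCII byte in identification string")
        return problems
    m = _IDENT.match(text)
    if m is None:
        problems.append("not of the form SSH-protoversion-softwareversion [SP comments]")
    elif m.group(1) not in ("2.0", "1.99"):
        problems.append(f"protoversion {m.group(1)!r} does not announce SSH-2")
    return problems


def parse_identification(line: bytes) -> tuple:
    """Return (protoversion, softwareversion, comments); raise ValueError if illegal."""
    problems = check_identification(line)
    if problems:
        raise ValueError("; ".join(problems))
    m = _IDENT.match(line[:-2].decode("ascii"))
    return m.group(1), m.group(2), m.group(3) or ""


def make_identification(software: str, comments: str = "", proto: str = "2.0") -> bytes:
    """Turn operator-supplied text into a legal identification line (my
    construction, not Mark's patch): line breaks are dropped, whitespace and
    '-' inside softwareversion become '_', non-printable characters are
    removed, and the comments field is cut so the whole line fits MAX_IDENT."""
    head = f"SSH-{proto}-"
    sw = re.sub(r"[\s-]+", "_", software.strip())
    sw = "".join(c for c in sw if 0x21 <= ord(c) <= 0x7e) or "unknown"
    sw = sw[: MAX_IDENT - 2 - len(head)]
    cm = "".join(c for c in " ".join(comments.split()) if 0x20 <= ord(c) <= 0x7e)
    room = MAX_IDENT - 2 - len(head) - len(sw) - 1
    line = head + sw + (" " + cm[:room] if cm and room > 0 else "")
    return (line + "\r\n").encode("ascii")


if __name__ == "__main__":
    for sample in (b"SSH-2.0-OpenSSH_3.6.1p2\r\n",          # from the thread
                   b"SSH-2.0-Why should I tell you?\r\n",   # Mark's example
                   b"SSH-2.0-Why should\r\nI tell you?\r\n"):  # constructed: two CR LF
        print(sample, check_identification(sample) or "ok")
    print(make_identification("Why should\nI tell you?", "go away\r\nnow"))
```

Whether to hide the version at all is a separate question the thread answers; this only shows which replacement strings break the protocol and which do not.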
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 11 Jul 2003 17:29:19 +0200
Subject: sshd also talking HTTP
In-Reply-To: <20030711105320.GA90310@xs4all.nl>
References: <3F0DE755.90402@doxpara.com> <20030710102018.GK81904@xs4all.nl> <3F0D7A3F.4080006@doxpara.com> <20030711105320.GA90310@xs4all.nl>
Message-ID: <20030711152919.GC27291@folly>

On Fri, Jul 11, 2003 at 12:53:21PM +0200, Jan Pieter Cornet wrote:
> Another option I considered was to allow sshd to accept fd's via a unix
> domain socket. This is still hairy, but at least more portable than the
> stunnel "bind(socket, some-remote-IP-addr)".

early versions of openssh did, because getaddrinfo/nameinfo returned unix domain sockets on openbsd...

From markus at openbsd.org Sat Jul 12 01:28:16 2003
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 11 Jul 2003 17:28:16 +0200
Subject: sshd also talking HTTP
In-Reply-To: <20030711105320.GA90310@xs4all.nl>
References: <3F0DE755.90402@doxpara.com> <20030710102018.GK81904@xs4all.nl> <3F0D7A3F.4080006@doxpara.com> <20030711105320.GA90310@xs4all.nl>
Message-ID: <20030711152816.GB27291@folly>

On Fri, Jul 11, 2003 at 12:53:21PM +0200, Jan Pieter Cornet wrote:
> unportable. I'll just stomach the entropy hit and use sshd -i for now.

this does not matter if you only use protocol v2.

From openssh_nospam_ at secrisk.de Mon Jul 14 03:08:33 2003
From: openssh_nospam_ at secrisk.de (Mark)
Date: Sun, 13 Jul 2003 19:08:33 +0200
Subject: Hide version information -- patch attached
In-Reply-To: <3F0E9E04.7020802@secrisk.de>
References: <3F0E9E04.7020802@secrisk.de> <3F0EAE04.6B21F862@zip.com.au>
Message-ID: <3F119211.1010808@secrisk.de>

Hi Darren,

thank you very much for your answer! You have good reasons for not
implementing this feature, although I think a little bit different about
it -- but you are the maintainers. =)

Sorry that I didn't find this thread before I posted the patch.

Greetings
Mark

Darren Tucker wrote:
> Mark Semmler wrote:
>
> > I am not a friend of "security through obscurity", but I think each
> > administrator should have the choice to decide, whether this sensitive
> > information should be freely available or not. So I wrote a small patch
> > (see attached file).
>
> Good luck to you, but this has been done to death a couple of times before
> and the consensus is that this isn't going to happen.
>
> You're not adding much if any security (an attacker can just try *all* the
> exploits they have) and increasing the chances of interoperability
> problems.
>
> See http://bugzilla.mindrot.org/show_bug.cgi?id=94
>
> > The patch introduces the new parameter "WelcomeFile" to the
> > configuration file. Only if this parameter points to a valid file,
> > openssh reads a welcome message up to 128 characters out of it and
> > displays it at the identification exchange, e.g.:
>
> Do you violate protocol if you have 2 newlines in those 128 characters? Why
> not just have your string in the config file? (It would be less code.)

From info at cmax.nl Mon Jul 14 21:48:47 2003
From: info at cmax.nl (bART I Cmax-Europe BV)
Date: Mon, 14 Jul 2003 13:48:47 +0200
Subject: Design your own Linux-shoes
Message-ID: <000901c349fd$e2d8fa10$7100a8c0@laptop>

eu.CMAX.com Sending "Spam" to Linux-users.

How dumb can these guys be you must be thinking? This is like teaching Bill
Gates the word "open source" or like having sex with Mrs. Tyson. So, before
you bomb the hell out of us or instantly block all of our IP addresses,
please do listen up. We're not as stupid as you might think. We, like you,
are proud Linuxers ourselves, so how could we be? We got your address
searching on linux sites and we promise we will only use it once. What do
you say? Deal?

Here are two helpful tips to assist you in designing yourself the coolest
sneakers ever:

1. Take Your time, Don't Rush It. We'd rather see you returning to CMAX to
   buy your shoes again (because you were so pleased with your first design)
   than not coming back at all because you designed something hideous. Save
   your cool shoe designs in your personal CMAX portfolio until you're ready
   to buy. It's almost the same as asking the girl in the shop if she can
   stow them away on the top shelf until you return tomorrow.

2. Read How "it" Works. We clearly explain on our site (leftside always) how
   to design your ultimate puppies.

A Team of ex-adidas Shoe Dogs left the corporate world and started the
CMAX-brand in 1999. We've made sure that our Chinese employees would benefit
from our company. As a result we've been rewarded by having an ISO-9002
certificate, and believe us, you don't get one of these if you are not 110%
taking care of your fellow workers in addition to utilizing the best
possible materials. Also, as far as we know, we are the only retailer having
the phone number and address of the factory online. So whenever you're close
to Chenhzen, China, please do drop by and have a beer with us.

Your own logo next to TUX? Yep, we can also do that. But then we must call
it Promotional Footwear.
From a minimum of 30 pairs you can order shoes with your company logo, your
sports team logo, your whatever-logo. We deliver within 4 weeks to every
address within the US as well as Europe. Please pay us a visit on
www.promoshoes.com to find out more.

© 2003 eu.CMAX.com (CMAX Europe BV)

From jodo710 at hotmail.com Wed Jul 16 04:48:42 2003
From: jodo710 at hotmail.com (Joey Doughly)
Date: Tue, 15 Jul 2003 18:48:42 +0000
Subject: Question about Finding C Source Files...

Hello everyone,

I was just wondering if any of you knew where I could find the source code
to header files such as , , , ... thank you very much for your help.

Joey

_________________________________________________________________
Tired of spam? Get advanced junk mail protection with MSN 8.
http://join.msn.com/?page=features/junkmail

From djm at mindrot.org Wed Jul 16 07:56:40 2003
From: djm at mindrot.org (Damien Miller)
Date: Wed, 16 Jul 2003 07:56:40 +1000
Subject: Question about Finding C Source Files...
Message-ID: <3F147898.4060703@mindrot.org>

Joey Doughly wrote:
> Hello everyone,
> I was just wondering if any of you knew where I could find the source code
> to header files such as , , ,
> ...

This isn't really an OpenSSH question, but...

Your question is ambiguous: do you want to know where the header files are
located? (easy: /usr/include) or what the corresponding source files for a
given header are? (read on)

Some of these do not directly correspond to a C source file. E.g. endian.h,
paths.h exist purely to define types and preprocessor macros to be used in
other header files or in your programs.

The other headers define types and declare functions provided by the
operating system (libc and/or the kernel). One rarely needs to touch these
(unless one is, say, porting software).

If you are still curious, OpenBSD's libc is very well organised and
readable. http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/

-d

From VikashB at ComparexAfrica.co.za Thu Jul 17 14:53:58 2003
From: VikashB at ComparexAfrica.co.za (Vikash Badal - PCS)
Date: Thu, 17 Jul 2003 06:53:58 +0200
Subject: possible bug + patch : OpenSSH 3.6.1p2 +UnixWare 7.1.1 +SSH2 + PasswordAuthentication no + PermitEmptyPasswords yes
Message-ID: <501BF453CDCFD111A6E40080C83DAC04026966CB@PSICS001>

Greetings,

When PasswordAuthentication no + PermitEmptyPasswords yes SSH2 allows
access to a passwordless account without a valid key.

This is my patch:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
wormhole# diff -u auth2-none.c.old auth2-none.c
--- auth2-none.c.old Thu Jul 17 06:23:24 2003
+++ auth2-none.c Thu Jul 17 06:44:42 2003
@@ -100,7 +100,9 @@ if (check_nt_auth(1, authctxt->pw) == 0) return(0); #endif - return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid; + return PRIVSEP(auth_password(authctxt, "")) + && authctxt->valid + && options.password_authentication; } Authmethod method_none = { ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The authentication method "none" (which allows the user to log into an
account with an empty password) returns 1 only if PasswordAuthentication
is set to "yes".

complete debug of problem below:

uw7: /usr/udd1/dev/original/openssh-3.6.1p2 # ./sshd -p 5000 -d -d -d
debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper
debug2: read_server_config: filename /etc/ssh/sshd_config
debug1: sshd version OpenSSH_3.6.1p2
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: Bind to port 5000 on ::.
debug1: Bind to port 5000 on 0.0.0.0.
Server listening on 0.0.0.0 port 5000.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
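Review bot: the added `&& options.password_authentication` gates only the "none" method in auth2-none.c, while the empty password is actually accepted inside auth_password(), so the check sits one layer too high and any other caller of auth_password() (the PRIVSEP() wrapper shows this call also goes through the privsep monitor) still accepts the empty password when PasswordAuthentication is "no". Move the PasswordAuthentication test into auth_password() so every path that evaluates a password honours the option; Ben's follow-up below makes the same point. Also add a debug() line before the new return so a refused "none" attempt is explainable from `sshd -d` output, which otherwise only ever shows "Accepted none for ..." or a bare failure.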
Connection from 192.168.1.1 port 1199
debug1: Client protocol version 2.0; client software version OpenSSH_3.5p1 FreeBSD-20030201
debug1: match: OpenSSH_3.5p1 FreeBSD-20030201 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.6.1p2
debug1: list_hostkey_types: ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug2: dh_gen_key: priv key bits set: 129/256
debug2: bits set: 1619/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 1601/3191
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user natis service ssh-connection method none
debug1: attempt 0 failures 0
debug3: allowed_user: today 12244 sp_expire -1 sp_lstchg 12240 sp_max -1
debug2: input_userauth_request: setting up authctxt for natis
debug2: input_userauth_request: try method none
Accepted none for natis from 192.168.1.1 port 1199 ssh2
debug1: Entering interactive session for SSH2.
debug1: fd 7 setting O_NONBLOCK
debug1: fd 8 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/2
debug3: tty_parse_modes: SSH2 n_bytes 251
debug3: tty_parse_modes: ospeed 9600
debug3: tty_parse_modes: ispeed 9600
debug3: tty_parse_modes: 1 3
debug3: tty_parse_modes: 2 28
debug3: tty_parse_modes: 3 127
debug3: tty_parse_modes: 4 21
debug3: tty_parse_modes: 5 4
debug3: tty_parse_modes: 6 255
debug3: tty_parse_modes: 7 255
debug3: tty_parse_modes: 8 17
debug3: tty_parse_modes: 9 19
debug3: tty_parse_modes: 10 26
debug3: tty_parse_modes: 11 25
debug3: tty_parse_modes: 12 18
debug3: tty_parse_modes: 13 23
debug3: tty_parse_modes: 14 22
debug1: Ignoring unsupported tty mode opcode 17 (0x11)
debug3: tty_parse_modes: 18 15
debug3: tty_parse_modes: 30 0
debug3: tty_parse_modes: 31 0
debug3: tty_parse_modes: 32 0
debug3: tty_parse_modes: 33 0
debug3: tty_parse_modes: 34 0
debug3: tty_parse_modes: 35 0
debug3: tty_parse_modes: 36 1
debug3: tty_parse_modes: 38 1
debug3: tty_parse_modes: 39 1
debug3: tty_parse_modes: 40 0
debug3: tty_parse_modes: 41 1
debug3: tty_parse_modes: 50 1
debug3: tty_parse_modes: 51 1
debug3: tty_parse_modes: 53 1
debug3: tty_parse_modes: 54 1
debug3: tty_parse_modes: 55 0
debug3: tty_parse_modes: 56 0
debug3: tty_parse_modes: 57 0
debug3: tty_parse_modes: 58 0
debug3: tty_parse_modes: 59 1
debug3: tty_parse_modes: 60 1
debug3: tty_parse_modes: 61 1
debug3: tty_parse_modes: 62 1
debug3: tty_parse_modes: 70 1
debug3: tty_parse_modes: 72 1
debug3: tty_parse_modes: 73 0
debug3: tty_parse_modes: 74 0
debug3: tty_parse_modes: 75 0
debug3: tty_parse_modes: 90 1
debug3: tty_parse_modes: 91 1
debug3: tty_parse_modes: 92 0
debug3: tty_parse_modes: 93 0
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: fd 10 setting O_NONBLOCK
debug2: fd 9 is O_NONBLOCK

Thanks
Vikash

From mouring at etoh.eviladmin.org Thu Jul 17 15:58:09 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 17 Jul 2003 00:58:09 -0500 (CDT)
Subject: possible bug + patch : OpenSSH 3.6.1p2 +UnixWare 7.1.1 +SSH2 + PasswordAuthentication no + PermitEmptyPasswords yes
In-Reply-To: <501BF453CDCFD111A6E40080C83DAC04026966CB@PSICS001>

On Thu, 17 Jul 2003, Vikash Badal - PCS wrote:

[..]
> - return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid;
> + return PRIVSEP(auth_password(authctxt, ""))
> + && authctxt->valid
> + && options.password_authentication;
> }
>

If this fixes your problem then the bug is in auth_password() function
call. This will never go into the tree because this is just a bandaid.

I could have sworn I already pointed this out a few days ago.

- Ben

From djm at mindrot.org Fri Jul 18 10:25:05 2003
From: djm at mindrot.org (Damien Miller)
Date: Fri, 18 Jul 2003 10:25:05 +1000
Subject: Test message, please ignore
Message-ID: <3F173E61.4040708@mindrot.org>

This is a test of the mailing list.

Apologies for the inconvenience, but some scumbag has sent spam email,
forging my domains as the sender addresses. I must test that my mitigation
for the flood of bounce messages and complaints doesn't break the list.

-d

From Kieran.Broadfoot at gs.com Sat Jul 19 01:13:52 2003
From: Kieran.Broadfoot at gs.com (Broadfoot, Kieran J)
Date: Fri, 18 Jul 2003 16:13:52 +0100
Subject: PAM_RUSER never set under ssh2?

Everyone,

First my apologies if this has been discussed before on this list, I was
unable to find reference to it in the archives.

I have a pam module that requires PAM_RUSER to be set, however I've found
that if I connect to the remote server (where the pam module is installed)
via ssh the PAM_RUSER variable is never set.

The PAM_RUSER variable is set within auth-pam.c (line 239 in 3.6p1) as such:

int do_pam_account(char *username, char *remote_user)
{
	...
	if (remote_user) {
		debug("PAM setting ruser to \"%.200s\"", remote_user);
		pam_retval = pam_set_item(__pamh, PAM_RUSER, remote_user);

however do_pam_account() is called in only two locations (auth2.c and
monitor.c) and in both cases remote_user is passed as NULL. As such the
PAM_RUSER variable is never set.

Although auth1.c (i.e. SSH1) does indeed seem to pass something useful to
do_pam_account, unfortunately we need to be using SSH2 only on the server
due to other constraints.

Does anyone have any idea how this can be circumvented? Am I missing an
obvious config file option?

Thanks in advance for any help in this matter, I will of course pass back
any solutions.

Thanks
kieran

From john.sullivan at nexusmgmt.com Tue Jul 22 20:56:38 2003
From: john.sullivan at nexusmgmt.com (John A. Sullivan III)
Date: Tue, 22 Jul 2003 10:56:38 -0000
Subject: ssh-askpass keyboard grab problems
Message-ID: <1058836819.2969.6.camel@jasiiitosh.nexusmgmt.com>

We're developing a security application (http://iscs.sourceforge.net) that
uses SSH for out-of-band management. Sometimes we want to use rsa keys and
other times we want to use user ids and passwords. We noticed that there
was not an OpenSSH API that we could use to pass the user's password and
that we could not give it via stdin. We did notice that we could set
SSH_ASKPASS and launch gnome-ssh-askpass or ssh-askpass (or I suppose
anything else).

We tried this and were quite pleased with the result in that it allows us
to get on with the rest of the code and not worry about this for now.
However, every time we launch the application and it requests the ssh
password via either ssh-askpass or gnome-ssh-askpass or x11-ssh-askpass, we
receive errors about "could not grab keyboard" and hints that there might
be malice afoot.

What is causing this error and how do we go about eliminating it? Thanks -
John Sullivan

-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan at nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net

From jmknoble at pobox.com Wed Jul 23 05:42:40 2003
From: jmknoble at pobox.com (Jim Knoble)
Date: Tue, 22 Jul 2003 15:42:40 -0400
Subject: ssh-askpass keyboard grab problems
In-Reply-To: <1058836819.2969.6.camel@jasiiitosh.nexusmgmt.com>
References: <1058836819.2969.6.camel@jasiiitosh.nexusmgmt.com>
Message-ID: <20030722194240.GG9097@crawfish.ais.com>

Circa 2003-07-21 21:20:19 -0400 dixit John A. Sullivan III:

: [...] We did notice that we could set SSH_ASKPASS and launch
: gnome-ssh-askpass or ssh-askpass (or I suppose anything else).
:
: We tried this and were quite pleased with the result in that it
: allows us to get on with the rest of the code and not worry about
: this for now. However, every time we launch the application and it
: requests the ssh password via either ssh-askpass or
: gnome-ssh-askpass or x11-ssh-askpass, we receive errors about "could
: not grab keyboard" and hints that there might be malice afoot.
:
: What is causing this error and how to we go about eliminating it?

Does your application (or some other running application) grab the
keyboard---for example, by using XGrabKeyboard()? What version of
x11-ssh-askpass are you using? Could you send the exact text of the
error message(s) to the mailing list, please?

-- 
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
"We have guided missiles and misguided men." --Martin Luther King, Jr.

From john.sullivan at nexusmgmt.com Wed Jul 23 07:07:58 2003
From: john.sullivan at nexusmgmt.com (John A. Sullivan III)
Date: Tue, 22 Jul 2003 21:07:58 -0000
Subject: ssh-askpass keyboard grab problems
In-Reply-To: <20030722194240.GG9097@crawfish.ais.com>
References: <1058836819.2969.6.camel@jasiiitosh.nexusmgmt.com> <20030722194240.GG9097@crawfish.ais.com>
Message-ID: <1058908123.1899.121.camel@jasiiitosh.nexusmgmt.com>

Thanks for the reply. I'm not sure how to tell which version of
gnome-ssh-askpass we are using but we are using OpenSSH 3.5p1. I'm running
on fully patched (as of July 21, 2003) RedHat 9.0 with a KDE desktop.

I've attached a screen shot of the error (hopefully the list takes small
attachments). We receive similar errors with ssh-askpass only they show up
on stderr instead of in a widget.

I am not explicitly grabbing the keyboard but perhaps one of the Qt widgets
I'm using does so implicitly. Thanks again - John

On Tue, 2003-07-22 at 15:42, Jim Knoble wrote:
> Circa 2003-07-21 21:20:19 -0400 dixit John A. Sullivan III:
>
> : [...] We did notice that we could set SSH_ASKPASS and launch
> : gnome-ssh-askpass or ssh-askpass (or I suppose anything else).
> :
> : We tried this and were quite pleased with the result in that it
> : allows us to get on with the rest of the code and not worry about
> : this for now. However, every time we launch the application and it
> : requests the ssh password via either ssh-askpass or
> : gnome-ssh-askpass or x11-ssh-askpass, we receive errors about "could
> : not grab keyboard" and hints that there might be malice afoot.
> :
> : What is causing this error and how to we go about eliminating it?
>
> Does your application (or some other running application) grab the
> keyboard---for example, by using XGrabKeyboard()? What version of
> x11-ssh-askpass are you using? Could you send the exact text of the
> error message(s) to the mailing list, please?

-- 
John A.
Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan at nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net

From jmknoble at pobox.com Wed Jul 23 09:53:25 2003
From: jmknoble at pobox.com (Jim Knoble)
Date: Tue, 22 Jul 2003 19:53:25 -0400
Subject: ssh-askpass keyboard grab problems
In-Reply-To: <1058908123.1899.121.camel@jasiiitosh.nexusmgmt.com>
References: <1058836819.2969.6.camel@jasiiitosh.nexusmgmt.com> <20030722194240.GG9097@crawfish.ais.com> <1058908123.1899.121.camel@jasiiitosh.nexusmgmt.com>
Message-ID: <20030722235325.GH9097@crawfish.ais.com>

Circa 2003-07-22 17:08:43 -0400 dixit John A. Sullivan III:

: Thanks for the reply. I'm not sure how to tell which version of
: gnome-ssh-askpass we are using but we are using OpenSSH 3.5p1.

Unfortunately, i don't know anything about gnome-ssh-askpass. I'm the
author of x11-ssh-askpass, which is why i asked you about which version
of it you were running.

: I'm running on fully patched (as of July 21, 2003) RedHat 9.0 with a
: KDE desktop.

The version of x11-ssh-askpass used in Red Hat's packages is listed in
the specfile for the openssh source RPM package, available from Red
Hat's FTP site or from your source CDs.

: I've attached a screen shot of the error (hopefully the list takes
: small attachments). We receive similar errors with ssh-askpass only
: they show up on stderr instead of in a widget.

Unfortunately, the list-manager filters out such attachments. In the
future, please make the image available somewhere on the web or via
FTP.

The image appears to be a screenshot of a gnome-ssh-askpass message.
Can you reproduce this with x11-ssh-askpass? The error message would
probably appear in your session log (on Red Hat Linux, your session log
is usually in "${HOME}/.xsession-errors").

: I am not explicitly grabbing the keyboard but perhaps one of the Qt
: widgets I'm using does so implicitly. Thanks again - John

That's the sort of thing i'm expecting is the case. You might try
reproducing this with a minimal number of applications running ...
for example:

cd
if [ -f .xsession ]; then
  mv -f .xsession .xsession.backup
fi
cat <<'EOF' >.xsession
#!/bin/sh
xterm -geometry +1+1 &
exec twm
EOF
chmod +x .xsession

and then choose 'Default' from the '> Session' menu on Red Hat's
graphical login screen.

-- 
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
"We have guided missiles and misguided men." --Martin Luther King, Jr.

From john.sullivan at nexusmgmt.com Wed Jul 23 12:15:04 2003
From: john.sullivan at nexusmgmt.com (John A. Sullivan III)
Date: Wed, 23 Jul 2003 02:15:04 -0000
Subject: ssh-askpass keyboard grab problems
In-Reply-To: <20030722235325.GH9097@crawfish.ais.com>
References: <1058836819.2969.6.camel@jasiiitosh.nexusmgmt.com> <20030722194240.GG9097@crawfish.ais.com> <1058908123.1899.121.camel@jasiiitosh.nexusmgmt.com> <20030722235325.GH9097@crawfish.ais.com>
Message-ID: <1058926544.2004.19.camel@jasiiitosh.nexusmgmt.com>

Latin e-mail . . . interesting :-)

I changed SSH_ASKPASS to x11-ssh-askpass. I could not use a simple X
session as when I call the application from the command line, it prompts
for the password on the command line rather than calling SSH_ASKPASS.

I launched it from the KDE desktop running only my application. The
password prompt appears but it is immediately covered by an empty dialog
box. If I move the empty dialog box and login quickly, all is fine (except
that if I take the intuitive step of pressing to enter my password rather
than click on OK, it tells me that I used the wrong password - or at least
it appears to). If I do not move quickly enough, I receive the following
errors on stderr:

x11-ssh-askpass[1981]: Trying to grab keyboard ...
x11-ssh-askpass[1981]: Could not grab keyboard (someone else already has it)
Permission denied, please try again.
x11-ssh-askpass[1982]: Trying to grab keyboard ...
x11-ssh-askpass[1982]: Could not grab keyboard (someone else already has it)
Permission denied, please try again.

Pardon my ignorance of rpm but I wasn't quite sure how to find the version.
The nearest I could come was checking the change log through rpm and that
reflects version 1.2.4.1. Thanks - John

On Tue, 2003-07-22 at 19:53, Jim Knoble wrote:
> Circa 2003-07-22 17:08:43 -0400 dixit John A. Sullivan III:
>
> : Thanks for the reply. I'm not sure how to tell which version of
> : gnome-ssh-askpass we are using but we are using OpenSSH 3.5p1.
>
> Unfortunately, i don't know anything about gnome-ssh-askpass.
> I'm the
> author of x11-ssh-askpass, which is why i asked you about which version
> of it you were running.
>
> : I'm running on fully patched (as of July 21, 2003) RedHat 9.0 with a
> : KDE desktop.
>
> The version of x11-ssh-askpass used in Red Hat's packages is listed in
> the specfile for the openssh source RPM package, available from Red
> Hat's FTP site or from your source CDs.
>
> : I've attached a screen shot of the error (hopefully the list takes
> : small attachments). We receive similar errors with ssh-askpass only
> : they show up on stderr instead of in a widget.
>
> Unfortunately, the list-manager filters out such attachments. In the
> future, please make the image available somewhere on the web or via
> FTP.
>
> The image appears to be a screenshot of a gnome-ssh-askpass message.
> Can you reproduce this with x11-ssh-askpass? The error message would
> probably appear in your session log (on Red Hat Linux, your session log
> is usually in "${HOME}/.xsession-errors").
>
> : I am not explicitly grabbing the keyboard but perhaps one of the Qt
> : widgets I'm using does so implicitly. Thanks again - John
>
> That's the sort of thing i'm expecting is the case. You might try
> reproducing this with a minimal number of applications running ... for
> example:
>
> cd
> if [ -f .xsession ]; then
>   mv -f .xsession .xsession.backup
> fi
> cat <<'EOF' >.xsession
> #!/bin/sh
> xterm -geometry +1+1 &
> exec twm
> EOF
> chmod +x .xsession
>
> and then choose 'Default' from the '> Session' menu on Red Hat's
> graphical login screen.

-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan at nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net

From jmknoble at pobox.com Wed Jul 23 15:33:32 2003
From: jmknoble at pobox.com (Jim Knoble)
Date: Wed, 23 Jul 2003 01:33:32 -0400
Subject: ssh-askpass keyboard grab problems
In-Reply-To: <1058926544.2004.19.camel@jasiiitosh.nexusmgmt.com>
References: <1058836819.2969.6.camel@jasiiitosh.nexusmgmt.com> <20030722194240.GG9097@crawfish.ais.com> <1058908123.1899.121.camel@jasiiitosh.nexusmgmt.com> <20030722235325.GH9097@crawfish.ais.com> <1058926544.2004.19.camel@jasiiitosh.nexusmgmt.com>
Message-ID: <20030723053329.GJ9097@crawfish.ais.com>

Circa 2003-07-22 22:15:45 -0400 dixit John A. Sullivan III:

: I changed SSH_ASKPASS to x11-ssh-askpass. I could not use a simple X
: session as when I call the application from the command line, it prompts
: for the password on the command line rather than calling SSH_ASKPASS.

In order to convince ssh to use the SSH_ASKPASS program to prompt for a
password or passphrase, the following conditions must be met:

  (1) DISPLAY must be set (to a valid X display, obviously)

  (2) There must be no controlling terminal

See the list archives about this:

  http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=104706638008113&w=2

I really think you should try to reproduce this without any KDE or other
desktop environment in order to tell whether it's KDE or your application
that's grabbing the keyboard.

: I launched it from the KDE desktop running only my application. The
: password prompt appears but it is immediately covered by an empty
: dialog box. If I move the empty dialog box and login quickly, all i
: fine (except that if I take the intuitive step of pressing
: to enter my password rather than click on OK, it tells me that I
: used the wrong password - or at least it appears to). If I do not
: move quickly enough, I receive the following errors on stderr:
:
: x11-ssh-askpass[1981]: Trying to grab keyboard ...
: x11-ssh-askpass[1981]: Could not grab keyboard (someone else already has
: it)
: Permission denied, please try again.
: x11-ssh-askpass[1982]: Trying to grab keyboard ...
: x11-ssh-askpass[1982]: Could not grab keyboard (someone else already has
: it)
: Permission denied, please try again.

Some other application is definitely grabbing the keyboard before
x11-ssh-askpass can get it. It also looks as if somebody (your app?
ssh?) started two instances of x11-ssh-askpass (the number in square
brackets is the PID)---i can't tell whether it was sequentially or in
parallel.

By default, x11-ssh-askpass tries to grab once per second for 5
seconds. This may be changed in the source code. The "empty" dialog
appears because x11-ssh-askpass attempts to grab the keyboard before
allowing passphrase entry, to prevent eavesdropping.

: Pardon my ignorance of rpm but I wasn't quite sure how to find the
: version. The nearest I could come was checking the change log through
: rpm and that reflects version 1.2.4.1.

Good. That's the most recent version; no keyboard/mouse/server grabbing
bugs that i'm aware of in that version.

You might try fiddling with the following X resources (usually in your
"${HOME}/.Xdefaults" file; might need to use xrdb(1) to reload them) to
see what happens:

  SshAskpass*grabKeyboard: (true|false, defaults to true)
  SshAskpass*grabPointer: (true|false, defaults to false)
  SshAskpass*grabServer: (true|false, defaults to false)

For an explanation of the available resources, see the x11-ssh-askpass(1)
man page. If you didn't get such a man page in your openssh package,
complain to Red Hat, then download the x11-ssh-askpass source:

  http://www.pobox.com/~jmknoble/software/x11-ssh-askpass/

Also, the XGrabKeyboard(3) man page indicates the following:

  The X server automatically performs an UngrabKeyboard request if the
  event window for an active keyboard grab becomes not viewable.

You might try hiding (miniaturizing/iconifying, shading) your
application's window while x11-ssh-askpass is trying to grab the
keyboard to see if that lets things work....

Good luck.
-- 
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
"We have guided missiles and misguided men." --Martin Luther King, Jr.

From john.sullivan at nexusmgmt.com Wed Jul 23 22:03:54 2003
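An added example following Jim's message above (not code from the thread, from x11-ssh-askpass or from OpenSSH): a small POSIX sh wrapper that enforces the two conditions Jim lists before invoking ssh, detaching from the controlling terminal with setsid(1), and that refuses to start a second prompt while one is in progress, so two ssh invocations cannot launch two askpass instances that race for the keyboard grab as in John's stderr output. The function names, the lock path and the reliance on util-linux setsid are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread: make ssh prompt through SSH_ASKPASS
# by satisfying the two conditions Jim lists (DISPLAY set, no controlling
# terminal) and allow only one prompt at a time.  Function names, the lock
# path and the use of setsid(1) are this example's own assumptions.

# One lock per user; mkdir(1) is atomic, so it works as a portable lock.
PROMPT_LOCK="${TMPDIR:-/tmp}/ssh-askpass-wrapper.lock.$(id -u)"

# Condition (1): DISPLAY must point at an X display.  This wrapper also
# insists on an explicit, executable SSH_ASKPASS so a missing helper is
# reported here rather than surfacing as a puzzling prompt elsewhere.
askpass_preconditions() {
    if [ -z "${DISPLAY:-}" ]; then
        echo "askpass: DISPLAY is not set" >&2
        return 1
    fi
    if [ -z "${SSH_ASKPASS:-}" ] || [ ! -x "${SSH_ASKPASS}" ]; then
        echo "askpass: SSH_ASKPASS is unset or not executable" >&2
        return 1
    fi
    return 0
}

# Returns 0 if the lock was taken, 1 if another prompt already holds it.
acquire_prompt_lock() {
    mkdir "$PROMPT_LOCK" 2>/dev/null
}

release_prompt_lock() {
    rmdir "$PROMPT_LOCK" 2>/dev/null || true
}

# Condition (2): no controlling terminal.  setsid(1) starts ssh in a new
# session without a controlling tty, so ssh cannot open /dev/tty and falls
# back to the SSH_ASKPASS program; stdin is pointed at /dev/null so nothing
# is read from the caller's terminal either.  The lock ensures only one
# askpass instance is trying to grab the keyboard at any moment.
ssh_via_askpass() {
    askpass_preconditions || return 1
    if ! acquire_prompt_lock; then
        echo "askpass: another ssh prompt is already in progress" >&2
        return 1
    fi
    setsid sh -c 'exec ssh "$@" </dev/null' sh "$@"
    rc=$?
    release_prompt_lock
    return "$rc"
}
```

Source the file and call `ssh_via_askpass user@host` from a script; when the caller is an interactive shell, util-linux setsid forks and returns immediately, which would release the lock before ssh has finished prompting.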
From: john.sullivan at nexusmgmt.com (John A. Sullivan III)
Date: Wed, 23 Jul 2003 12:03:54 -0000
Subject: ssh-askpass keyboard grab problems
In-Reply-To: <20030723053329.GJ9097@crawfish.ais.com>
References: <1058836819.2969.6.camel@jasiiitosh.nexusmgmt.com> <20030722194240.GG9097@crawfish.ais.com> <1058908123.1899.121.camel@jasiiitosh.nexusmgmt.com> <20030722235325.GH9097@crawfish.ais.com> <1058926544.2004.19.camel@jasiiitosh.nexusmgmt.com> <20030723053329.GJ9097@crawfish.ais.com>
Message-ID: <1058961856.1925.46.camel@jasiiitosh.nexusmgmt.com>

Found it! Thanks for the direction and, as you rightly suspected, it was
application based. SSH was invoked when was pressed in the command field.
For some reason which I do not yet understand, pressing also activated a
push button that also invoked SSH (it appears that somehow the button
gained an errant focus). The two SSH sessions were competing with each
other for keyboard control. Thanks again - John

On Wed, 2003-07-23 at 01:33, Jim Knoble wrote:
> Circa 2003-07-22 22:15:45 -0400 dixit John A. Sullivan III:
>
> : move quickly enough, I receive the following errors on stderr:
> :
> : x11-ssh-askpass[1981]: Trying to grab keyboard ...
> : x11-ssh-askpass[1981]: Could not grab keyboard (someone else already has
> : it)
> : Permission denied, please try again.
> : x11-ssh-askpass[1982]: Trying to grab keyboard ...
> : x11-ssh-askpass[1982]: Could not grab keyboard (someone else already has
> : it)
> : Permission denied, please try again.
>
> Some other application is definitely grabbing the keyboard before
> x11-ssh-askpass can get it. It also looks as if somebody (your app?
> ssh?) started two instances of x11-ssh-askpass (the number in square
> brackets is the PID)---i can't tell whether it was sequentially or in
> parallel.
>
> By default, x11-ssh-askpass tries to grab once per second for 5
> seconds. This may be changed in the source code.
> The "empty" dialog
> appears because x11-ssh-askpass attempts to grab the keyboard before
> allowing passphrase entry, to prevent eavesdropping.
> --
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan at nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net

From carmen_wai at yahoo.com Thu Jul 24 01:44:06 2003
From: carmen_wai at yahoo.com (Carmen Wai)
Date: Wed, 23 Jul 2003 08:44:06 -0700 (PDT)
Subject: Passwordless login for root
Message-ID: <20030723154406.10894.qmail@web41901.mail.yahoo.com>

Hello:

Can anyone show me direction on how to config the sshd_config and
ssh_config files so that I can remotely login to another machine without
typing any password (for root user)? I am using the openssh as default in
Red Hat 7.3. I have set the machine IP/user name in the files:
/root/.shosts, /etc/ssh/shosts.equiv, /etc/hosts.equiv. But it still
fails!

Thanks a lot!

Carmen

From dwmw2 at infradead.org Thu Jul 24 02:05:28 2003
From: dwmw2 at infradead.org (David Woodhouse)
Date: Wed, 23 Jul 2003 12:05:28 -0400
Subject: ssh-askpass keyboard grab problems
In-Reply-To: <20030723053329.GJ9097@crawfish.ais.com>
References: <1058836819.2969.6.camel@jasiiitosh.nexusmgmt.com> <20030722194240.GG9097@crawfish.ais.com> <1058908123.1899.121.camel@jasiiitosh.nexusmgmt.com> <20030722235325.GH9097@crawfish.ais.com> <1058926544.2004.19.camel@jasiiitosh.nexusmgmt.com> <20030723053329.GJ9097@crawfish.ais.com>
Message-ID: <1058976326.4057.29.camel@lapdancer.baythorne.internal>

On Wed, 2003-07-23 at 01:33, Jim Knoble wrote:
> In order to convince ssh to use the SSH_ASKPASS program to prompt for a
> password or passphrase, the following conditions must be met:
>
> (1) DISPLAY must be set (to a valid X display, obviously)

There's a patch to fix this attached to Bug #69. In
<20030326215613.GA11953 at folly>, markus at openbsd.org said it can be
applied after the 3.6 release.

> (2) There must be no controlling terminal

I'd really like to fix this too -- if not for the existing $SSH_ASKPASS
then for _something_ -- I don't care too much if it's an environment
variable such as $SIMON_SAYS_SSH_ASKPASS or a new 'AskPass' option.

--
dwmw2

From hanghman at yahoo.co.kr Thu Jul 24 09:55:57 2003
From: hanghman at yahoo.co.kr (=?ks_c_5601-1987?B?wNPIo8HY?=)
Date: Thu, 24 Jul 2003 08:55:57 +0900
Subject: please append me in mailing-list
Message-ID: <001e01c35175$f76990a0$6401a8c0@griffon>

I am planning to develop a free ssh client on windows. And append me to
the mailing-list, please. ^^*

from Max

< E-mail >   hanghman at yahoo.co.kr (check at 13:00 01:00)
             hanghman at korea.com (check at 01:00)
< Mobile >   Republic of Korea : 016-309-1384
             Other country : 82-16-309-1384
< Homepage > http://my.netian.com/~hanghman

From KishoreBT at mascotsystems.com Fri Jul 25 16:55:31 2003
From: KishoreBT at mascotsystems.com (Kishore Babu T)
Date: Fri, 25 Jul 2003 12:25:31 +0530
Subject: SSH for communicating between different versions of Oracle Forms
Message-ID: <5575473D4532D411BE4C009027E8C8380E19840A@masblrexc02.mascotsystems.com>

Hi,

We are doing a migration project (migrating an application existing in
Oracle Forms version 3.0 to Oracle Forms version 6.0 (character mode)).
The customer requirement is "to communicate the forms which are migrated
to Forms 6.0 with the existing application (Forms 3.0)". We have got the
information from our client that it's possible to do the same (each
application residing on a different machine) by using the SSH (Secure
Shell) protocol. So we want information and your guidance about using SSH
to communicate between Forms 3.0 and Forms 6.0.

Have a nice day.

Thanks & Regards,
Kishore Babu T.
Mascot Systems Limited.
#1 Main Road, Jakkasandra, Koramangala Extension, Bangalore - 560034
Ph: +91-80-5521701 (Office) Ext: 3503
    +91-80-31839118 (Home)

From purple at lewiz.info Mon Jul 28 10:35:33 2003
From: purple at lewiz.info (Lewis Thompson)
Date: Mon, 28 Jul 2003 01:35:33 +0100
Subject: SSH2 GSSAPI/KerberosV.
Message-ID: <20030728003533.GC10147@lewiz.org>

Hi,

I've just set up OpenSSH to authenticate through Kerberos tickets. I
spent a whole while figuring out I couldn't use SSH2 before stumbling
across the information somewhere. First of all: is it possible this could
be made very noticeable in the sshd_config file?

Secondly, is there any chance that SSH2 /will/ become supported in the
future? There are already patches at
http://www.sxw.org.uk/computing/patches/openssh.html and as I understand,
this is where the SSH1 patches were held before they were
``officialised''. Sorry if this is the wrong list, but I figured you were
the people in the know!

Thanks very much,

-lewiz.

P.S. Can I be CCd in replies, as I am not subscribed to this list. Thanks!

--
Hanlon's Razor: Never attribute to malice that which is adequately
explained by stupidity.
------------------------------------------------------------------------
-| msn:purple at lewiz.net | jab:lewiz at jabber.org | url:http://lewiz.net |-

From littlejw at dspcom.de Mon Jul 28 15:26:03 2003
From djm at mindrot.org Mon Jul 28 18:56:23 2003
From: djm at mindrot.org (Damien Miller)
Date: Mon, 28 Jul 2003 18:56:23 +1000
Subject: SSH2 GSSAPI/KerberosV.
In-Reply-To: <20030728003533.GC10147@lewiz.org>
References: <20030728003533.GC10147@lewiz.org>
Message-ID: <3F24E537.5030006@mindrot.org>

Lewis Thompson wrote:
> Hi,
>
> I've just set up OpenSSH to authenticate through Kerberos tickets. I
> spent a whole while figuring out I couldn't use SSH2 before stumbling
> across the information somewhere. First of all: is it possible this
> could be made very noticeable in the sshd_config file?
>
> Secondly, is there any chance that SSH2 /will/ become supported in the
> future? There are already patches at
> http://www.sxw.org.uk/computing/patches/openssh.html and as I
> understand, this is where the SSH1 patches were held before they were
> ``officialised''. Sorry if this is the wrong list, but I figured you
> were the people in the know!

This has been discussed a couple of times on this list, so check the
archives for details. The patches are being worked on, but progress is
slow because of the lack of assistance (despite all the talk from people
asking for the patches to be merged).

-d

From bbense at SLAC.Stanford.EDU Tue Jul 29 11:32:04 2003
From: bbense at SLAC.Stanford.EDU (Booker Bense)
Date: Mon, 28 Jul 2003 18:32:04 -0700 (PDT)
Subject: SSH2 GSSAPI/KerberosV.
In-Reply-To: <3F24E537.5030006@mindrot.org>
References: <20030728003533.GC10147@lewiz.org> <3F24E537.5030006@mindrot.org>
Message-ID:

On Mon, 28 Jul 2003, Damien Miller wrote:

> Lewis Thompson wrote:
> > Hi,
> >
> > I've just set up OpenSSH to authenticate through Kerberos tickets. I
> > spent a whole while figuring out I couldn't use SSH2 before stumbling
> > across the information somewhere. First of all: is it possible this
> > could be made very noticeable in the sshd_config file?
> >
> > Secondly, is there any chance that SSH2 /will/ become supported in the
> > future? There are already patches at
> > http://www.sxw.org.uk/computing/patches/openssh.html and as I
> > understand, this is where the SSH1 patches were held before they were
> > ``officialised''. Sorry if this is the wrong list, but I figured you
> > were the people in the know!
>
> This has been discussed a couple of times on this list, so check the
> archives for details. The patches are being worked on, but progress is
> slow because of the lack of assistance (despite all the talk from people
> asking for the patches to be merged).
>

- What needs to be done? Last I read you were only going to implement
GSSAPI auth and not credential forwarding. This will produce something
that anybody using GSSAPI will find largely useless, but given that or
nothing I will hold my nose and do whatever I can to help.

- Booker C. Bense

From markus at openbsd.org Tue Jul 29 17:57:51 2003
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 29 Jul 2003 09:57:51 +0200
Subject: SSH2 GSSAPI/KerberosV.
In-Reply-To:
References: <20030728003533.GC10147@lewiz.org> <3F24E537.5030006@mindrot.org>
Message-ID: <20030729075751.GB4174@folly>

On Mon, Jul 28, 2003 at 06:32:04PM -0700, Booker Bense wrote:
> - What needs to be done? Last I read you were only going to
> implement GSSAPI auth and not credential forwarding. This will

so GSS API user authentication does not include credential forwarding?
too bad. then why does it need so much code?

I don't see a line by line audit of the patches or a stripped down
version. I just see long emails.

From matt at ucc.asn.au Tue Jul 29 19:51:58 2003
From: matt at ucc.asn.au (Matt Johnston)
Date: Tue, 29 Jul 2003 17:51:58 +0800
Subject: (In)valid RSA key?
Message-ID: <20030729095158.GK79052@morwong.ucc.gu.uwa.edu.au>

Hi.

In testing my SSH 2 server implementation (Dropbear), I've come across
certain RSA hostkeys which fail for use with PuTTY as a client.
Converting the keys for use with OpenSSH they also fail with PuTTY, which
leads me to wonder whether they are valid keys or not.

A sample key is attached; the important point to note is that the modulus
(n) value doesn't have a multiple-of-8 number of bits. Is there any
restriction on this? I haven't been able to find it specified anywhere.

The actual values are as follows:

n = 5886038905939931849793481926512875796836831719086734501519439860867912043790433262172630182697151131061148053854157155928712160937159068340118524813331816081025146309669009627549904578599602238492945297625461197628827141251138070043885227519045851919271348006113851652031006020294214266581123496032014041406270211

e = 65537

d = 2126220075060224706837525231979886500973727117775597793444485088822908429203270168739412041215990293677489342309585676937551790561458470541586675563892418233675380406419737033970559160285418583461017508368164937992703260549775879495018447997717953682981971642011940066077145681062355607163288549105412107221295137

p = 3428173739317616181988534253356424530886922795123777038960838820205861975510242373349759813680387393140772490491315664543565449716768374690346649042484853257

q = 1716960502448617995898088425791227141403238670199393648351700681159719711393276881945477576191000645095022170651697097981764516876134433284745878926818602923

Any advice would be appreciated.
Cheers,
Matt Johnston

-----BEGIN RSA PRIVATE KEY-----
MIICZAIBAAKBgn/mLaHA0qWRil1TBIlQ2bg/1WrUzYZR49WMSh3KG0tR1mJtdR4o
RHSzU0DkXMNgmpe+25ArNFpIdza5D1bfmyZwnL5KP8eWfakf/V0MgOh1k0d8EwJ2
ze6XS2SJJkdguwozffD6lHujmMFrkydk9MHSSxfUisW2Z9/yklmM5Rt4awMCAwEA
AQKBgi4zfeRifTVl/696n7bix+Mw2+09dgjBaCXqCZP9QCLTKzhfBeGg9imZ5ccZ
NxE0wmNyhGnt0XmTl8ziyNG+8JLPrJBNJwJG3GYqXxSJ9JHnJ9TlLMDAWKLeGmla
ivPOr1vCT0AGiDZkpBPMyOYZOW7UWgN0kWmbXeczeHNFq45nYCECQgD/r1QvxiZr
X/GRctAl648omRaPl0vNQG/DOc34BaI8ClHl3w8knQH/lh1JVB/wBREBStVib0QX
e+daTa3cOFH6CQJCAIAOiB4n6e7OauYpw9ZUKxt16tOc2uyTWbbuOteX3f6CFHjA
FcfAj3K2HvBoxsO5xdetOF+dWnbyHniHxYcECO+rAkIA4BNs6U1zwCheUcTYLFNr
q/22KvNCKEgval2PZ6ywSIQW0CkTYVgEN1T8p5YFQ1l9VK+boF+4wggBcj+ffd8R
4NkCQV837vjVXvoGHLC2H3uQLFmH7auZ96Nv0YbXT4Od1iD34ncDBW75fPCkAQ9s
KVfCHB1KHR/jpi/JyuR+uF6znl1vAkFKMBOoVqauIPZA9j95aL+YDEH4Irj2VlRY
IWHtL+flPDShHF3k1P2D+MrsmLq1S9My7RN/NQ0ZyHcbFEDK5D2ySw==
-----END RSA PRIVATE KEY-----

From deengert at anl.gov Wed Jul 30 04:44:36 2003
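The checks a key consumer would run on the key above, as an added example (not Dropbear or OpenSSH code, and not part of Matt's message): the integers N, E, D, P, Q are copied from his post; the helper names (`rsa_key_checks`, `ssh_mpint`, `is_probable_prime`) are this example's own. Beyond the single question asked, it also encodes the modulus the way RFC 4251 puts it into an ssh-rsa key blob, which shows that the wire format itself imposes no multiple-of-8 restriction on the bit count.

```python
# Added example, not Dropbear or OpenSSH code: sanity checks for the RSA key
# posted above. N, E, D, P, Q are copied from the message; the checks and the
# helper names are this example's own.
from math import gcd

N = int(
    "588603890593993184979348192651287579683683171908673450151943"
    "986086791204379043326217263018269715113106114805385415715592"
    "871216093715906834011852481333181608102514630966900962754990"
    "457859960223849294529762546119762882714125113807004388522751"
    "904585191927134800611385165203100602029421426658112349603201"
    "4041406270211"
)
E = 65537
D = int(
    "212622007506022470683752523197988650097372711777559779344448"
    "508882290842920327016873941204121599029367748934230958567693"
    "755179056145847054158667556389241823367538040641973703397055"
    "916028541858346101750836816493799270326054977587949501844799"
    "771795368298197164201194006607714568106235560716328854910541"
    "2107221295137"
)
P = int(
    "342817373931761618198853425335642453088692279512377703896083"
    "882020586197551024237334975981368038739314077249049131566454"
    "3565449716768374690346649042484853257"
)
Q = int(
    "171696050244861799589808842579122714140323867019939364835170"
    "068115971971139327688194547757619100064509502217065169709798"
    "1764516876134433284745878926818602923"
)


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases: deterministic below 3.3e24, a strong
    probabilistic test above that (enough for a sanity check, not a proof)."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def ssh_mpint(v):
    """Encode a non-negative integer as an RFC 4251 mpint body (without the
    4-byte length prefix): minimal big-endian bytes, plus a leading 0x00 when
    the top bit of the first byte is set, so the value is not read as negative."""
    if v == 0:
        return b""
    raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def rsa_key_checks(n, e, d, p, q):
    """Return the structural checks a consumer would run on (n, e, d, p, q)."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # Carmichael lambda(n)
    return {
        "n_bits": n.bit_length(),
        "n_bits_multiple_of_8": n.bit_length() % 8 == 0,
        "p_bits": p.bit_length(),
        "q_bits": q.bit_length(),
        "n_is_p_times_q": n == p * q,
        "p_probable_prime": is_probable_prime(p),
        "q_probable_prime": is_probable_prime(q),
        "ed_is_1_mod_lambda": (e * d) % lam == 1,
        # size of n inside an ssh-rsa key blob, length prefix excluded
        "n_mpint_bytes": len(ssh_mpint(n)),
    }


if __name__ == "__main__":
    for name, value in rsa_key_checks(N, E, D, P, Q).items():
        print(f"{name:>22}: {value}")
```

Two 520-bit primes give a 1039-bit modulus, so the bit count is not a multiple of 8; the mpint encoding is still 130 bytes with no padding byte, because the top bit of the leading byte is clear. Nothing in RFC 4251 or in RSA itself rejects such a modulus, so a client that refuses it is making an assumption the specification does not.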
From: deengert at anl.gov (Douglas E. Engert)
Date: Tue, 29 Jul 2003 13:44:36 -0500
Subject: SSH2 GSSAPI/KerberosV.
References: <20030728003533.GC10147@lewiz.org> <3F24E537.5030006@mindrot.org>
Message-ID: <3F26C094.41AED56F@anl.gov>

Damien Miller wrote:
>
> This has been discussed a couple of times on this list, so check the
> archives for details. The patches are being worked on, but progress is
> slow because of the lack of assistance (despite all the talk from people
> asking for the patches to be merged).
>

I am willing to help, but the process appears to be a closed process
within the OpenSSH developers, as inferred from your note of
Wed, 02 Jul 2003 22:20:11 +1000:

> Please note that posting wordy position papers, "me too" messages and
> other "contributions" from non-developers will not make this happen any
> faster.
>

The above note and the lack of a public response to the MIT note of
Thu, 26 Jun 2003 18:58:56 -0700 has led me and maybe others to believe
that we should back off any attempt to help, as you imply that it was
being handled in house.

I should point out that our site is running 3.6.1p1 with Simon's patches
on 3 versions of Solaris, 2 versions of HP, SGI, AIX and Linux, and using
a PC client with the GSSAPI. (They all delegate credentials to be used
with AFS too.) So if there is something to try, please let us know.

> -d
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From jmknoble at pobox.com Wed Jul 30 05:41:16 2003
From: jmknoble at pobox.com (Jim Knoble)
Date: Tue, 29 Jul 2003 15:41:16 -0400
Subject: SSH2 GSSAPI/KerberosV.
In-Reply-To: <3F26C094.41AED56F@anl.gov>
References: <20030728003533.GC10147@lewiz.org> <3F24E537.5030006@mindrot.org> <3F26C094.41AED56F@anl.gov>
Message-ID: <20030729194116.GH17138@crawfish.ais.com>

Circa 2003-07-29 13:44:36 -0500 dixit Douglas E. Engert:

: Damien Miller wrote:
: > This has been discussed a couple of times on this list, so check
: > the archives for details. The patches are being worked on, but
: > progress is slow because of the lack of assistance (despite all
: > the talk from people asking for the patches to be merged).
:
: I am willing to help, but the process appears to be a closed process
: within the OpenSSH developers, as inferred from your note of Wed, 02
: Jul 2003 22:20:11 +1000:
:
: > Please note that posting wordy position papers, "me too" messages
: > and other "contributions" from non-developers will not make this
: > happen any faster.
:
: The above note and the lack of a public response to the MIT note of
: Thu, 26 Jun 2003 18:58:56 -0700 has led me and maybe others to
: believe that we should back off any attempt to help, as you imply
: that it was being handled in house.

I think the intended message was that auditable patches, as well as
qualified auditing of existing patches, are welcome contributions,
whereas further discussion of the matter will only hinder the effort
rather than helping. That is to say, the OpenSSH team would welcome any
actual assistance, but has not yet received much except for Simon's
patch, which they have already said they are not able to effectively
audit....

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
"We have guided missiles and misguided men." --Martin Luther King, Jr.

From djm at mindrot.org Wed Jul 30 11:12:12 2003
From: djm at mindrot.org (Damien Miller)
Date: Wed, 30 Jul 2003 11:12:12 +1000
Subject: SSH2 GSSAPI/KerberosV.
In-Reply-To: <3F26C094.41AED56F@anl.gov>
References: <20030728003533.GC10147@lewiz.org> <3F24E537.5030006@mindrot.org> <3F26C094.41AED56F@anl.gov>
Message-ID: <3F271B6C.2060404@mindrot.org>

Douglas E. Engert wrote:
>
> Damien Miller wrote:
>
>>This has been discussed a couple of times on this list, so check the
>>archives for details. The patches are being worked on, but progress is
>>slow because of the lack of assistance (despite all the talk from people
>>asking for the patches to be merged).
>
>
> I am willing to help, but the process appears to be a closed process
> within the OpenSSH developers, as inferred from your note of
> Wed, 02 Jul 2003 22:20:11 +1000:
>
>>Please note that posting wordy position papers, "me too" messages and
>>other "contributions" from non-developers will not make this happen any
>>faster.

You must be joking. Apart from the fact that it is absolutely clear from
the above (and the context in which it appeared) that I was disparaging
non-code contributions (read the "non-developers" phrase a few times
until it sinks in), we have repeatedly stated our criteria for the
inclusion of the patches: they must be shrunk and audited.

> The above note and the lack of a public response to the MIT note
> of Thu, 26 Jun 2003 18:58:56 -0700 has led me and maybe others to believe
> that we should back off any attempt to help, as you imply that it was being
> handled in house.

What was in the MIT note that hadn't already been said and responded to?
It was a fluffy position paper, retreading on well-covered ground, which
did *zero* to help us merge the code.

Every time this issue comes up we get howls of righteous indignation from
the Kerberos community, but no assistance. It is a wonder that Markus and
Jakob bother at all.

-d

From dtucker at zip.com.au Wed Jul 30 14:58:30 2003
From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 30 Jul 2003 14:58:30 +1000 Subject: [PATCH] Password expiry merge (AIX parts) Message-ID: <3F275076.30A5589D@zip.com.au> Hi All. Attached is a patch introduces password expiry handling for AIX (other platforms to follow). It is more or less the same as the previous patch but has been updated to reflect recent changes to auth-passwd.c I'm wondering if the AIX parts of auth.c should be moved to port-aix.c and if the generic password change functions (currently at the end of auth-passwd.c) belong in a separate file (eg pwchange.c). Comments? Objections? Any volunteers to look this one over? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: acconfig.h =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/acconfig.h,v retrieving revision 1.159 diff -u -r1.159 acconfig.h --- acconfig.h 14 Jul 2003 06:21:44 -0000 1.159 +++ acconfig.h 16 Jul 2003 04:42:22 -0000 @@ -53,6 +53,9 @@ /* from environment and PATH */ #undef LOGIN_PROGRAM_FALLBACK +/* Path to passwd program */ +#undef PASSWD_PROGRAM_PATH + /* Define if your password has a pw_class field */ #undef HAVE_PW_CLASS_IN_PASSWD Index: auth-passwd.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-passwd.c,v retrieving revision 1.57 diff -u -r1.57 auth-passwd.c --- auth-passwd.c 24 Jul 2003 06:52:13 -0000 1.57 +++ auth-passwd.c 26 Jul 2003 14:53:20 -0000 
@@ -42,14 +42,18 @@ #include "log.h" #include "servconf.h" #include "auth.h" +#include "auth-options.h" +#include "misc.h" +#include "buffer.h" #include "openbsd-compat/xcrypt.h" #ifdef WITH_AIXAUTHENTICATE # include "buffer.h" # include "canohost.h" -extern Buffer loginmsg; #endif extern ServerOptions options; +extern Buffer loginmsg; +int password_change_required = 0; /* * Tries to authenticate the user using password. Returns true if 
@@ -168,4 +172,81 @@ } # endif #endif /* !HAVE_OSF_SIA */ +} + +/* + * Perform generic password change via tty. Like do_pam_chauthtok(), + * it throws a fatal error if the password can't be changed. + */ +int +do_tty_change_password(struct passwd *pw) +{ + pid_t pid; + int status; + mysig_t old_signal; + + old_signal = mysignal(SIGCHLD, SIG_DFL); + + if ((pid = fork()) == -1) + fatal("Couldn't fork: %s", strerror(errno)); + + if (pid == 0) { + permanently_set_uid(pw); + if (geteuid() == 0) + execl(PASSWD_PROGRAM_PATH, PASSWD_PROGRAM_PATH, + pw->pw_name, (char *)NULL); + else + execl(PASSWD_PROGRAM_PATH, PASSWD_PROGRAM_PATH, + (char *)NULL); + + /* NOTREACHED: execl shouldn't return */ + fatal("Couldn't exec %s", PASSWD_PROGRAM_PATH); + exit(1); + } + + if (waitpid(pid, &status, 0) == -1) + fatal("Couldn't wait for child: %s", strerror(errno)); + mysignal(SIGCHLD, old_signal); + + if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { + debug("%s password changed sucessfully", __func__); + flag_password_change_successful(); + return 1; + } else { + fatal("Failed to change password for %s, passwd returned %d", + pw->pw_name, status); + return 0; /* NOTREACHED */ + } +} + +/* + * flag that password change is necessary and disable all forwarding + */ +void +flag_password_change_required(void) +{ + debug3("disabling forwarding"); + password_change_required = 1; + + /* disallow other functionality for now */ + no_port_forwarding_flag |= 2; + no_agent_forwarding_flag |= 2; + no_x11_forwarding_flag |= 2; +} + +/* + * Flags that password change was successful. + * XXX: the password change is performed in the process that becomes the + * shell, but the flags must be reset in its parent and currently there is no + * way to notify the parent that the change was successful. 
+ */ +void +flag_password_change_successful(void) +{ + debug3("reenabling forwarding"); + + password_change_required = 0; + no_port_forwarding_flag &= ~2; + no_agent_forwarding_flag &= ~2; + no_x11_forwarding_flag &= ~2; } Index: auth.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v retrieving revision 1.74 diff -u -r1.74 auth.c --- auth.c 8 Jul 2003 12:59:59 -0000 1.74 +++ auth.c 9 Jul 2003 02:07:01 -0000 @@ -55,6 +55,7 @@ /* import */ extern ServerOptions options; extern Buffer loginmsg; +extern Buffer expiremsg; /* Debugging messages */ Buffer auth_debug; @@ -86,9 +87,10 @@ if (!pw || !pw->pw_name) return 0; +#define DAY (24L * 60 * 60) /* 1 day in seconds */ +#define WEEK (DAY * 7) /* 1 week in seconds */ #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \ defined(HAS_SHADOW_EXPIRE) -#define DAY (24L * 60 * 60) /* 1 day in seconds */ if (!options.use_pam && (spw = getspnam(pw->pw_name)) != NULL) { today = time(NULL) / DAY; debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" 
@@ -221,6 +223,65 @@ stat(_PATH_NOLOGIN, &st) == 0)) return 0; } + } + + /* + * Check AIX password expiry. Only check when running as root. + * Unpriv'ed users can't access /etc/security/passwd or + * /etc/security/user so passwdexpired will always fail. + */ + if (geteuid() == 0) { + char *msg, *user = pw->pw_name; + int result, maxage, result2, maxexpired; + struct userpw *upw; + + /* + * Check if password has been expired too long. In this case, + * passwdexpired still returns 1 but /bin/passwd will fail + * while still returning a successiful status, allowing the + * login. So, we deny these login attempts here. + */ + upw = getuserpw(user); + result = getuserattr(user, S_MAXEXPIRED, &maxexpired, SEC_INT); + result2 = getuserattr(user, S_MAXAGE, &maxage, SEC_INT); + if (upw != NULL && result == 0 && result2 == 0) { + time_t now, lastup = upw->upw_lastupdate; + + now = time(NULL); + debug3("%s lastupdate %lu maxage %d wks maxexpired %d" + "wks time now %d", __func__, lastup, maxage, + maxexpired, now); + + if (maxexpired != -1 && maxage != 0 && + lastup + ((maxage + maxexpired) * WEEK) <= now ){ + logit("User %.100s password expired too long", + user); + return 0; + } + } + + result = passwdexpired(user, &msg); + if (msg && *msg) { + buffer_append(&expiremsg, msg, strlen(msg)); + aix_remove_embedded_newlines(msg); + } + debug3("AIX/passwdexpired returned %d msg %.100s", result, msg); + + switch (result) { + case 0: /* success, password not expired */ + break; + case 1: /* expired, password change required */ + flag_password_change_required(); + break; + default: /* user can't change(2) or other error (-1) */ + logit("Password can't be changed for user %s: " + "%.100s", user, msg); + if (msg) + xfree(msg); + return 0; + } + if (msg) + xfree(msg); } #endif /* WITH_AIXAUTHENTICATE */ Index: configure.ac =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/configure.ac,v retrieving revision 
1.137 diff -u -r1.137 configure.ac --- configure.ac 23 Jul 2003 04:33:10 -0000 1.137 +++ configure.ac 26 Jul 2003 14:36:55 -0000 @@ -41,6 +41,13 @@ fi fi +AC_PATH_PROG(PASSWD_PROGRAM_PATH, passwd) +if test ! -z "$PASSWD_PROGRAM_PATH" ; then + AC_DEFINE_UNQUOTED(PASSWD_PROGRAM_PATH, "$PASSWD_PROGRAM_PATH") +else + AC_MSG_ERROR([*** passwd command not found - check config.log ***]) +fi + if test -z "$LD" ; then LD=$CC fi Index: session.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/session.c,v retrieving revision 1.241 diff -u -r1.241 session.c --- session.c 8 Jul 2003 12:59:59 -0000 1.241 +++ session.c 9 Jul 2003 02:02:53 -0000 @@ -95,7 +95,9 @@ extern u_int utmp_len; extern int startup_pipe; extern void destroy_sensitive_data(void); +extern int password_change_required; extern Buffer loginmsg; +extern Buffer expiremsg; /* original command from peer. */ const char *original_command = NULL; @@ -461,6 +463,9 @@ "TTY available"); } #endif /* USE_PAM */ + if (password_change_required) + packet_disconnect("Password change required but no " + "TTY available"); /* Fork the child. */ if ((pid = fork()) == 0) { @@ -726,6 +731,7 @@ socklen_t fromlen; struct sockaddr_storage from; struct passwd * pw = s->pw; + int password_changed = 0; pid_t pid = getpid(); /* @@ -758,6 +764,13 @@ print_pam_messages(); do_pam_chauthtok(); } +#else + buffer_append(&expiremsg, "\0", 1); + if (password_change_required) { + printf("%s\n", (char *)buffer_ptr(&expiremsg)); + fflush(stdout); + password_changed = do_tty_change_password(pw); + } #endif if (check_quietlogin(s, command)) 
@@ -766,6 +779,9 @@ #ifdef USE_PAM if (options.use_pam && !is_pam_password_change_required()) print_pam_messages(); +#else + if (!password_changed) + printf("%s\n", (char *)buffer_ptr(&expiremsg)); #endif /* USE_PAM */ /* display post-login message */ Index: sshd.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshd.c,v retrieving revision 1.255 diff -u -r1.255 sshd.c --- sshd.c 19 Jul 2003 09:54:31 -0000 1.255 +++ sshd.c 26 Jul 2003 14:36:56 -0000 @@ -203,6 +203,7 @@ /* message to be displayed after login */ Buffer loginmsg; +Buffer expiremsg; /* Prototypes for various functions defined later in this file. */ void destroy_sensitive_data(void); @@ -1495,6 +1496,7 @@ /* prepare buffers to collect authentication messages */ buffer_init(&loginmsg); + buffer_init(&expiremsg); if (use_privsep) if ((authctxt = privsep_preauth()) != NULL) From mouring at etoh.eviladmin.org Wed Jul 30 15:33:46 2003 
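Review bot: in the first auth-passwd.c hunk, `#include "buffer.h"` is added unconditionally while the old `# include "buffer.h"` inside `#ifdef WITH_AIXAUTHENTICATE` is left in place; drop the conditional copy. The same hunk moves `extern Buffer loginmsg;` out of the AIX block and adds a file-scope `int password_change_required = 0;`, so auth-passwd.c on every platform now depends on sshd.c defining loginmsg; a one-line comment next to the declarations saying the generic tty password-change path is the reason would save the next reader a search.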
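Review bot: in the do_tty_change_password() hunk, the child branch calls fatal() when execl() fails; fatal() runs the cleanup callbacks the parent sshd registered, now inside the forked child, so use error() followed by _exit(1) there. The failure path passes the raw waitpid() status as "passwd returned %d"; decode it with WEXITSTATUS()/WTERMSIG() or the number is misleading. flag_password_change_successful() runs in the process that becomes the shell, which the XXX comment already concedes never reaches the parent's no_*_forwarding_flag state, so the return value of do_tty_change_password() is the only signal that survives; either document that forwarding stays disabled for that session or leave the re-enabling function out until there is a channel back to the parent. The `|= 2` / `&= ~2` bit used on the forwarding flags should be a named constant so it cannot collide with the value authorized_keys options set, and "sucessfully" in the debug() string needs fixing.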
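Review bot: in the auth.c AIX expiry hunk, the debug3() format "maxexpired %d" "wks time now %d" lacks a space before "wks", and `lastup` and `now` are time_t values printed with %lu and %d; cast both to long and use %ld. `msg` can be NULL after passwdexpired() and is still passed to "%.100s" in the next debug3(); guard it with `msg ? msg : ""`. buffer_append(&expiremsg, msg, strlen(msg)) runs before aix_remove_embedded_newlines(msg), so the copy shown to the user keeps the raw newlines while only the logged copy is cleaned; if that ordering is intended, say so in a comment. Also "successiful" in the comment, and the moved DAY/WEEK defines now sit outside the shadow `#if`, which is fine but deserves a note in the commit message since they become visible to the AIX block.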
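Review bot: the configure.ac hunk turns a missing passwd binary on the build host into a hard AC_MSG_ERROR, which breaks configure on every platform, including those that never take the tty change path, and AC_PATH_PROG bakes the build host's path into the binary. Suggest a --with-passwd=PATH override plus a warning (with the feature disabled) rather than an error when nothing is found.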
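Review bot: in the session.c do_child hunks, buffer_append(&expiremsg, "\0", 1) followed by the unconditional printf("%s\n", ...) in the `#else` branch of the second hunk prints an empty line on every non-PAM login even when there is no expiry message; guard both printf calls with buffer_len(&expiremsg) > 1. The split also keys on the compile-time USE_PAM macro while auth.c sets password_change_required regardless of options.use_pam: on a USE_PAM build running with `UsePAM no`, the pty path never prompts for a change (the `#else` is not compiled) but the no-pty check added before the fork still disconnects the user, so that combination should be either handled or documented.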
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 30 Jul 2003 00:33:46 -0500 (CDT)
Subject: [PATCH] Password expiry merge (AIX parts)
In-Reply-To: <3F275076.30A5589D@zip.com.au>
Message-ID:

One comment, and one question on the patch itself.

auth-passwd.c change that needs to be fixed:

[..]
+#include "buffer.h"
#include "openbsd-compat/xcrypt.h"
#ifdef WITH_AIXAUTHENTICATE
# include "buffer.h"
[..]

Please remove the one inside the WITH_AIXAUTHENTICATE. And I assume you're
pulling them back out for the generalization for all platforms.

In auth.c you make the comment "if not running as root don't check because
the unpriv'd does not have rights to /etc/[..]".

Does that mean with PrivSep in place that code will never be run? If so
why? and is it not important?

On Wed, 30 Jul 2003, Darren Tucker wrote:

> Hi All.
> Attached is a patch that introduces password expiry handling for AIX (other
> platforms to follow). It is more or less the same as the previous patch
> but has been updated to reflect recent changes to auth-passwd.c
>
> I'm wondering if the AIX parts of auth.c should be moved to port-aix.c
> and if the generic password change functions (currently at the end of
> auth-passwd.c) belong in a separate file (eg pwchange.c).
>

If it makes sense and can clean up code please move the AIX code. =)

> Comments? Objections? Any volunteers to look this one over?
>

I'd like to see the change password code go upstream before it is
integrated in our tree.

- Ben

From dtucker at zip.com.au Wed Jul 30 18:25:06 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 30 Jul 2003 18:25:06 +1000
Subject: [PATCH] Password expiry merge (AIX parts)
References:
Message-ID: <3F2780E1.A770EAA6@zip.com.au>

Ben Lindstrom wrote:
> Please remove the one inside the WITH_AIXAUTHENTICATE. And I assume you're
> pulling them back out for the generalization for all platforms.

Whoops, missed that one while merging. Yes, it should be generic, will fix.

> In auth.c you make the comment "if not running as root don't check because
> the unpriv'd does not have rights to /etc/[..]".
>
> Does that mean with PrivSep in place that code will never be run? If so,
> why? And is it not important?

allowed_user is called by the monitor with privsep on, so the tests are done with or without it. The main reason for the uid==0 test is so the regression tests work, but someone might want to run sshd as a normal user for some other reason.

> On Wed, 30 Jul 2003, Darren Tucker wrote:
[snip]
> If it makes sense and can clean up code please move the AIX code. =)

OK, I'll try moving the AIX bits and see how it looks.

> I'd like to see the change password code go upstream before integrated in
> our tree.

I didn't realise it needed to go upstream. Should I be doing a patch for the OpenBSD tree? I got no response to my last OpenBSD-only expiry-related patch (see bug #463).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From Malick.IBIDAKPO at ifaedi.insa-lyon.fr Wed Jul 30 19:23:51 2003
From: Malick.IBIDAKPO at ifaedi.insa-lyon.fr (Malick.IBIDAKPO at ifaedi.insa-lyon.fr)
Date: Wed, 30 Jul 2003 11:23:51 +0200 (CEST)
Subject: Help on Customizing Openssh
Message-ID: <8828.194.154.194.68.1059557031.squirrel@webmail.if.insa-lyon.fr>

Hi folks,

I deeply need some help on openssh and I don't know where to find it.

I'm coding a software re-using openssh code. My software should allow the user to connect to several hosts simultaneously (ex: ./mysoft user1 at hostname1@port1 user2 at hostname2@port2) and it should behave exactly the same way as openssh except for 2 differences.

* Firstly, I'd like to modify the source code in order to make the ssh session run in another Xterm (or console or whatever) than the one that I used to start the program -> it means that my soft must launch a new Xterm window, in which the ssh session will run.

* Secondly, as I'll still have the hand and focus on the Xterm window from which I launched my soft, I'd like to redirect the output of this Term to the ssh-server running on my host. It means that each char typed on the keyboard should be transmitted through the socket and "interpreted" and executed by the server side (in order to use commands such as vi through the network).

How can I modify my source code and reuse functions that you implemented in openssh?

For info I'm working on Unix Solaris and coding in C.

If you know sites or forums where I can post a thread just tell me because I'm really getting mad, and I don't know where to search anymore.

thanks

From mgzinternacional_norepl at geocities.com Wed Jul 30 23:19:11 2003
From: mgzinternacional_norepl at geocities.com (Armando F. Valladares)
Date: Wed, 30 Jul 2003 23:19:11 +1000 (EST)
Subject: Lula-Cuba, "blockade", patrols"...
Message-ID: <20030730131911.38B5427C187@shitei.mindrot.org>

From: Fernández-López, Ambito Iberoamericano, Paseo de la Castellana 223, Madrid.
[1]InEnglish - [2]EnEspanol

Dear Luso-Brazilian friends,

One has to wonder whether the leftist "ideological patrols" are preventing the latest articles by the Cuban former political prisoner and writer Armando Valladares - which address delicate aspects of the relations between Cuba's communist regime and the current Brazilian government - from reaching the major newspapers. Just in case, and whatever the answer, we are sending you directly, by e-mail, the most recent of these articles, on a subject that is without doubt controversial. At the end you will find links to contact us directly and send us your valuable opinions, including on the possible problem of "patrolling".

Cordially, Fernández-López, Ambito Iberoamericano.

Jul. 24, 2003: Diario Las Américas, Miami. Jul. 22, 2003: Ambito Iberoamericano, Madrid; Jul. 22, 2003: Libertad Digital, Madrid

Cuba: Lula props up the internal Castroist "blockade"

If President Lula wants to deny with facts, and not with words, that he has become the greatest international supporter of Cuba's communist regime, let him adopt categorical diplomatic measures to contribute to the liberation of the Cuban people

By Armando F. Valladares

In the first half of July, the president of Brazil, Mr. Lula da Silva, his foreign minister, Celso Amorim, and his ambassador to Cuba, Tilden Santiago (a former priest, follower of liberation theology and close friend of Fidel Castro), made important pronouncements that favour, try to justify and help to sustain Cuba's bloody communist dictatorship, which for more than 40 years has oppressed 12 million of my Cuban brothers.

During his visit to London, Lula acidly blamed the Cuban exiles "who are in Miami" for the maintenance of what he called the United States' "blockade of Cuba"; in Madrid, his foreign minister, after stating generically that "we defend human rights and democracy", tried to justify Cuba's brutal socio-political situation, claiming that "we recognise advances in the social area" and "we think a good part of Cuba's problems are due to the American embargo"; in Brasília, ambassador Santiago cynically said that the recent barbaric executions and imprisonments of opponents were a valid recourse of the communist regime to defend itself against American attempts to "destabilise the Cuban state". Days earlier, the Brazilian head of state, in a symbolic gesture, had put on the cap of the pro-Castro Landless Workers' Movement (MST) during a visit by its leaders to the presidential palace; he received at a dinner two of the most important figures of the Cuban regime, vice-president Carlos Lage and foreign minister Felipe Pérez, who heard from the Brazilian government the commitment to continue collaborating economically and politically with the regime, and shortly afterwards his trip to Havana, for next September, was announced. The highest Brazilian civil authorities, while accepting and repeating communist Cuba's official argument that the American "blockade" is the cause of a good part of Cuba's problems, seem to pay little heed to the fact that the cause and origin of Cuba's problem is the internal "blockade" through which the communist regime suffocates, with blood and fire, an entire people, condemned to live on a prison-island from which one can only flee by putting one's life at serious risk. President Lula and foreign minister Amorim, following the Castro-communist "script" to the letter, turn the million Cuban exiles, most of whom live in Miami, into the main culprits for the current Cuban drama, and the victimiser, that international criminal and communist dictator named Fidel Castro, into a victim little short of innocent.

The inversion of roles, of criteria of analysis, of moral and logical principles, could not be greater. The famous American "blockade" or "embargo" is taken by the communist regime as a pretext to justify its economic failure and internal repression. The Franciscan priest Miguel Angel Loredo - who was a heroic Cuban political prisoner for many years - said as much when he accused the dictator Castro of demagogically blaming the American "embargo" from the rostrum of the FAO: "The real embargo is the internal one, the one Castro applies to the people of Cuba. He forbids entering or leaving the island, establishing relations, developing economic initiatives". This truth, as great as it is silenced, was also affirmed by the economist Martha Beatriz Roque, currently a political prisoner in the Manto Negro Women's Prison, Mariano Province, Cuba, where she is dying from mistreatment and lack of medical attention; and by the political prisoner Dr. Oscar Elías Biscet, who lies in a dungeon of the Kilo Cinco y Medio Prison, on the Luis Lazo road, Pinar del Rio province. The artificiality of the Castroist publicity farce about the external "blockade" was equally denounced by the island's Catholic bishops, Mons. Alfredo Petit and Héctor Luis Peña; by the economist, also in exile, Carmelo Mesa-Lago; and by the award-winning exiled writer Guillermo Cabrera Infante, who stated: "Cuba is not a poor country, it is a country impoverished by Castro's policies, which have destroyed the economy. To believe that the American embargo is responsible, besides being ridiculous, is a disgrace, because Cuba buys products in many countries of the world". The very recent "Manual do idiota útil latino-americano" (Manual of the Latin American Useful Idiot) demonstrated the foregoing, with figures and arguments.

And the dictator Castro himself acknowledged it when, in one of his fits of verbosity, he confessed to the American journalist María Schriver of NBC that he "circumvents" the ban on trade with the United States as many times as he wants. President Lula had already put on the cap of the pro-Castro MST; now, with these statements, he has put on that of the bloodthirsty Cuban dictator himself. Mr. Lula da Silva, as president of Brazil, has become the main political prop of the Castro regime, with all the moral responsibilities that this implies. As far as Cuba is concerned, everything said above confirms the apprehensions I expressed in my article of September 2002, over which Mr. Lula tried to disqualify me with the epithet "Miami swindler" during a well-known television programme of the journalist Boris Casoy (cf. A. Valladares, "Ironias do neo-Lula respondem e confirmam apreensões sobre aliança com Castro e Chávez", Diario Las Americas, Miami, Oct. 11, 2002). If President Lula wants to deny with facts, and not with words, that he has become the greatest international supporter of Cuba's communist regime - with all the grave responsibilities this implies before the Cuban people and before the generous, cordial and intuitive Brazilian people, but above all before God - let him adopt categorical diplomatic measures to contribute to the release of hundreds and perhaps thousands of Cuban political prisoners. Let him do something effective to save the lives of the political prisoners Martha Beatriz Roque and Oscar Biscet, who are dying in Cuban jails, thus answering the public appeal just made to him by the Miami organisation Unidad Cubana. Let him not stand idly by before the drama of the Cuban physicist Dr. López Linares, currently resident in Brazil, who wrote in vain to the Brazilian head of state requesting his intervention so that he could travel to Cuba to meet his little son Juan Paolo, 4 years old.

Let him not try to paper over Castro's crimes by pleading the external "blockade" and the supposed "advances in the social area", such as health and education, which in reality are two impeccable instruments of ideological, mental, political and police control over the unfortunate Cubans. Let him, in short, contribute, without euphemisms, to Cuba's urgent freedom. Meanwhile, we will continue to take literally, as true, the statement attributed to Mr. Lula in the media during his trip to Havana in December 2001 to take part, alongside the dictator Castro, in the 10th meeting of the São Paulo Forum (FSP), side by side with the Colombian narco-guerrilla chiefs Rodolfo González (FARC) and Ramiro Vargas (ELN) and more than 300 communist leaders of the continent: "Although your face is already marked by wrinkles, Fidel, your soul remains clean because you never betrayed the interests of your people"; "thank you, Fidel, thank you because you all continue to exist". In view of all this, it is at once telling and puzzling that the American ambassador in Brasília, Donna Hrinak, has just proposed that President Lula be the leader of Latin America.

Armando Valladares, former Cuban political prisoner, author of the book "Contra toda esperança" (Against All Hope), was ambassador to the UN Commission on Human Rights in Geneva during the Reagan and Bush administrations.

Links:

To receive the Notes and References for this article: [3]Valladares:Notas-Br

To send your valuable opinion, which will be passed on to ambassador Valladares: [4]Valladares:Concordo [5]Valladares:Francamente,Discordo [6]Valladares:EstouNaDuvida [7]Valladares:NaoConfioEnLula [8]Valladares:ConfioEmLula

To send your opinion on whether or not leftist "patrols" exist in the major press outlets of your country, please use the following links: [9]PatrulhasEsquerdistas:Existem [10]PatrulhasEsquerdistas:SoExistemNaSuaImaginacao

To subscribe friends, with their consent: [11]Subscrever (add the e-mail address or addresses to be included in our Address Book)

To be removed from our Address Book immediately: [12]Unsubscribe (if you have already submitted an unsubscribe request, we ask that you right-click this message and check under Properties / Details exactly which e-mail address we wrote to; copy it and send it so that we can remove it immediately; we apologise for the inconvenience caused).

Many thanks for your attention.

References
1. mailto:nv33135 at starline.ee?subject=InEnglish
2. mailto:nv33135 at starline.ee?subject=EnEspanol
3. mailto:nv33135 at starline.ee?subject=Valladares:Notas-Br
4. mailto:nv33135 at starline.ee?subject=Valladares:Concordo
5. mailto:nv33135 at starline.ee?subject=Valladares:Francamente,Discordo
6. mailto:nv33135 at starline.ee?subject=Valladares:EstouNaDuvida
7. mailto:nv33135 at starline.ee?subject=Valladares:NaoConfioEmLula
8. mailto:nv33135 at starline.ee?subject=Valladares:ConfioEmLula
9. mailto:nv33135 at starline.ee?subject=PatrulhasEsquerdistas:Existem
10. mailto:nv33135 at starline.ee?subject=PatrulhasEsquerdistas SoExistemNaSuaImaginacao
11. mailto:nv33135 at starline.ee?subject=Subscrever
12. mailto:nv33135 at starline.ee?subject=Unsubscribe

From bbense at SLAC.Stanford.EDU Thu Jul 31 03:20:11 2003
From: bbense at SLAC.Stanford.EDU (Booker Bense)
Date: Wed, 30 Jul 2003 10:20:11 -0700 (PDT)
Subject: SSH2 GSSAPI/KerberosV.
In-Reply-To: <3F271B6C.2060404@mindrot.org>
References: <20030728003533.GC10147@lewiz.org> <3F24E537.5030006@mindrot.org> <3F26C094.41AED56F@anl.gov> <3F271B6C.2060404@mindrot.org>
Message-ID:

On Wed, 30 Jul 2003, Damien Miller wrote:

> Douglas E. Engert wrote:
> >
> > Damien Miller wrote:
> >
> >>This has been discussed a couple of times on this list, so check the
> >>archives for details. The patches are being worked on, but progress is
> >>slow because of the lack of assistance (despite all the talk from people
> >>asking for the patches to be merged).
> >
> >
> > I am willing to help, but the process appears to be a closed process
> > within the OpenSSH developers, as inferred from your note of
> > Wed, 02 Jul 2003 22:20:11 +1000:
> >
> >>Please note that posting wordy position papers, "me too" messages and
> >>other "contributions" from non-developers will not make this happen any
> >>faster.
>
> You must be joking.
>
> Apart from the fact that it is absolutely clear from the above (and the
> context in which it appeared) that I was disparaging non-code
> contributions (read the "non-developers" phrase a few times until it
> sinks in), we have repeatedly stated our criteria for the inclusion of
> the patches: they must be shrunk and audited.

- They can't be shrunk and be useful. I will gladly audit them, IN FACT I have offered to do so several times on this list and have been told that Simon's patches would not be accepted no matter what I did.

> > The above note and the lack of a public response to the MIT note
> > of Thu, 26 Jun 2003 18:58:56 -0700 has led me and maybe others to believe
> > that we should back off any attempt to help, as you imply that it was being
> > handled in house.
>
> What was in the MIT note that hadn't already been said and responded to?
> It was a fluffy position paper, retreading on well-covered ground,
> which did *zero* to help us merge the code.
>
> Every time this issue comes up we get howls of righteous indignation
> from the Kerberos community, but no assistance. It is a wonder that
> Markus and Jakob bother at all.
>

- AGAIN, WHAT DO YOU WANT ME TO DO? You have never suggested a single concrete way for us to proceed in getting Simon's patches integrated other than to reimplement them without needed functionality.

_ Booker C. Bense

From bbense at SLAC.Stanford.EDU Thu Jul 31 03:26:20 2003
From: bbense at SLAC.Stanford.EDU (Booker Bense)
Date: Wed, 30 Jul 2003 10:26:20 -0700 (PDT)
Subject: SSH2 GSSAPI/KerberosV.
In-Reply-To: <20030729075751.GB4174@folly>
References: <20030728003533.GC10147@lewiz.org> <3F24E537.5030006@mindrot.org> <20030729075751.GB4174@folly>
Message-ID:

On Tue, 29 Jul 2003, Markus Friedl wrote:

> On Mon, Jul 28, 2003 at 06:32:04PM -0700, Booker Bense wrote:
> > - What needs to be done? Last I read you were only going to
> > implement GSSAPI auth and not credential forwarding. This will
>
> so GSS API user authentication does not include credential forwarding?
> too bad. then why does it need so much code?

- Simon's patches implement this. You've said time and time again that you won't accept them regardless of what I or anyone else does on this list. All you would accept would be a GSSAPI authentication only implementation.

> >
> I don't see a line by line audit of the patches or a stripped
> down version. I just see long emails.
>

- What do you want stripped out? What would be an acceptable audit? RATS? or what.... BTW, this is the first time I've ever seen you or anybody else in the SSH team request an audit of Simon's patches.

_ Booker C. Bense

From mouring at etoh.eviladmin.org Thu Jul 31 06:16:35 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 30 Jul 2003 15:16:35 -0500 (CDT)
Subject: SSH2 GSSAPI/KerberosV.
In-Reply-To:
Message-ID:

On Wed, 30 Jul 2003, Booker Bense wrote:

> On Tue, 29 Jul 2003, Markus Friedl wrote:
>
> > On Mon, Jul 28, 2003 at 06:32:04PM -0700, Booker Bense wrote:
> > > - What needs to be done? Last I read you were only going to
> > > implement GSSAPI auth and not credential forwarding. This will
> >
> > so GSS API user authentication does not include credential forwarding?
> > too bad. then why does it need so much code?
>
> - Simon's patches implement this. You've said time and time again
> that you won't accept them regardless of what I or anyone else
> does on this list. All you would accept would be a GSSAPI
> authentication only implementation.
>

Sounds like a damn good place to start if Markus says that is what will be accepted. Large multi-feature patches are harder to verify as being sanely coded and clean of all "edge cases". I have no doubts Simon's code is good, but it is the potential corner cases that bother us all.

> > I don't see a line by line audit of the patches or a stripped
> > down version. I just see long emails.
> >
>
> - What do you want stripped out? What would be an acceptable
> audit? RATS? or what.... BTW, this is the first time I've ever
> seen you or anybody else in the SSH team request an audit of
> Simon's patches.
>

If you are asking what is acceptable for auditing, then I suspect you are not a good person to do it. Automated tools don't catch corner cases. They surely don't find the "Protocol FOO expected XYZ, but we sent them XYZZY and thus it crashes." In fact 'RATS' spews more junk than valid warnings. Don't get me wrong.. some automated tools may be useful for catching some class of issues, but they tend to be in the minority of the warning messages.
As for the auditing request, Markus has said from *DAY ONE* that he would like to see someone else that understands KRB (be it the MIT group or qualified developers) audit it to ensure it is correct. This is *NOT* the first time. And claiming "oh we have run it, and it works" is not auditing.

Frankly, I think we have pretty well laid out on the table what people should do. And I'm tired of seeing people bitch, moan and whine. Either hunker down and produce the patch or expect the topic to be ignored in the future.

- Ben

From godot at ace.ulyssis.org Thu Jul 31 07:47:36 2003
From: godot at ace.ulyssis.org (Danny De Cock)
Date: Wed, 30 Jul 2003 23:47:36 +0200 (CEST)
Subject: (In)valid RSA key?
In-Reply-To: <20030729095158.GK79052@morwong.ucc.gu.uwa.edu.au>
Message-ID:

dear matt,

I just checked the values you mention below. they form a consistent set of rsa parameters: e * d = 1 mod ((p - 1) * (q - 1)), and n = p * q.

cu, danny.

On Tue, 29 Jul 2003, Matt Johnston wrote:

> Hi.
>
> In testing my SSH 2 server implementation (Dropbear), I've come across
> certain RSA hostkeys which fail for use with PuTTY as a client.
> Converting the keys for use with OpenSSH they also fail with PuTTY,
> which leads me to wonder whether they are valid keys or not.
>
> A sample key is attached, the important point to note is that the
> modulus (n) value doesn't have a multiple-of-8 number of bits. Is there
> any restriction on this? I haven't been able to find it specified
> anywhere.
>
> The actual values are as follows:
>
> n = 5886038905939931849793481926512875796836831719086734501519439860867912043790433262172630182697151131061148053854157155928712160937159068340118524813331816081025146309669009627549904578599602238492945297625461197628827141251138070043885227519045851919271348006113851652031006020294214266581123496032014041406270211
>
> e = 65537
>
> d = 2126220075060224706837525231979886500973727117775597793444485088822908429203270168739412041215990293677489342309585676937551790561458470541586675563892418233675380406419737033970559160285418583461017508368164937992703260549775879495018447997717953682981971642011940066077145681062355607163288549105412107221295137
>
> p = 3428173739317616181988534253356424530886922795123777038960838820205861975510242373349759813680387393140772490491315664543565449716768374690346649042484853257
>
> q = 1716960502448617995898088425791227141403238670199393648351700681159719711393276881945477576191000645095022170651697097981764516876134433284745878926818602923
>
> Any advice would be appreciated.
>
> Cheers,
> Matt Johnston
>

--
------------------------------------------------------------------------------
<>
------------------------------------------------------------------------------
Mail : Danny.DeCock at esat.kuleuven.ac.be
WWW : http://ace.ulyssis.org/~godot
godot at advalvas.be

From openssh-dev at joelweber.com Thu Jul 31 08:54:21 2003
From: openssh-dev at joelweber.com (Joel N. Weber II)
Date: Wed, 30 Jul 2003 18:54:21 -0400
Subject: new version of gpg patch for openssh
Message-ID:

I've made version 0.9 of the gpg host/user authentication patch available; this version changes the encodings of the key and signature, and hopefully now encodes them in a way that matches the IETF spec.

The code and some more details are at http://www.red-bean.com/~nemo/openssh-gpg

From MBrandsma at bunnings.com.au Thu Jul 31 17:56:22 2003
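Danny's check in the "(In)valid RSA key?" thread above, and Matt's question about a modulus whose bit length is not a multiple of 8, as an added example that is not part of the thread and is neither Dropbear's nor OpenSSH's code. The five integers are copied from Matt's message; the helpers are my own: `check_rsa_key` verifies the two relations Danny names plus the weaker Carmichael-lambda form, `roundtrip_ok` confirms the key actually works, and `ssh_mpint`/`parse_mpint` follow the secsh mpint wire encoding (RFC 4251 section 5) to show how a client sees such a modulus on the wire, which is where an implementation that assumes a byte-aligned key size would go wrong.

```python
"""Sanity-check the RSA parameters posted in the thread (added example; not
Dropbear or OpenSSH code). N, E, D, P, Q are copied verbatim from Matt's
message; everything else here is my own."""
from math import gcd

N = 5886038905939931849793481926512875796836831719086734501519439860867912043790433262172630182697151131061148053854157155928712160937159068340118524813331816081025146309669009627549904578599602238492945297625461197628827141251138070043885227519045851919271348006113851652031006020294214266581123496032014041406270211
E = 65537
D = 2126220075060224706837525231979886500973727117775597793444485088822908429203270168739412041215990293677489342309585676937551790561458470541586675563892418233675380406419737033970559160285418583461017508368164937992703260549775879495018447997717953682981971642011940066077145681062355607163288549105412107221295137
P = 3428173739317616181988534253356424530886922795123777038960838820205861975510242373349759813680387393140772490491315664543565449716768374690346649042484853257
Q = 1716960502448617995898088425791227141403238670199393648351700681159719711393276881945477576191000645095022170651697097981764516876134433284745878926818602923


def lcm(a: int, b: int) -> int:
    return a // gcd(a, b) * b


def check_rsa_key(n: int, e: int, d: int, p: int, q: int) -> dict:
    """Relations a consistent RSA key must satisfy; every value should be True."""
    phi = (p - 1) * (q - 1)      # Euler totient: the relation Danny verified
    lam = lcm(p - 1, q - 1)      # Carmichael function: the minimal requirement
    return {
        "n_is_p_times_q": n == p * q,
        "p_q_distinct": p != q,
        "p_q_odd": p % 2 == 1 and q % 2 == 1,
        "e_coprime_to_phi": gcd(e, phi) == 1,
        "e_d_inverse_mod_phi": (e * d) % phi == 1,
        "e_d_inverse_mod_lambda": (e * d) % lam == 1,
    }


def roundtrip_ok(n: int, e: int, d: int, m: int) -> bool:
    """Textbook RSA: (m^e)^d mod n must give m back for any 0 <= m < n."""
    return pow(pow(m, e, n), d, n) == m


def ssh_mpint(value: int) -> bytes:
    """SSH 'mpint' encoding (RFC 4251 s.5): 4-byte big-endian length, then the
    two's-complement big-endian magnitude with a 0x00 pad byte only when the
    top bit of the first byte would otherwise be set. Zero is the empty string."""
    if value < 0:
        raise ValueError("negative values are not handled in this example")
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body and body[0] & 0x80:
        body = b"\x00" + body
    return len(body).to_bytes(4, "big") + body


def parse_mpint(buf: bytes) -> tuple:
    """Decode one mpint from the front of buf; return (value, remaining bytes).
    Length checks come first so a truncated packet raises instead of misreading."""
    if len(buf) < 4:
        raise ValueError("truncated length field")
    length = int.from_bytes(buf[:4], "big")
    if len(buf) < 4 + length:
        raise ValueError("truncated mpint body")
    body = buf[4:4 + length]
    value = int.from_bytes(body, "big", signed=True) if body else 0
    return value, buf[4 + length:]


def modulus_layout(n: int) -> dict:
    """How a client sees this modulus on the wire: its bit length need not be a
    multiple of 8, and the pad byte appears only when it is."""
    enc = ssh_mpint(n)
    bits = n.bit_length()
    return {
        "bits": bits,
        "bits_multiple_of_8": bits % 8 == 0,
        "mpint_body_len": len(enc) - 4,
        "leading_zero_pad": enc[4] == 0x00,
    }


if __name__ == "__main__":
    for name, ok in check_rsa_key(N, E, D, P, Q).items():
        print(f"{name:24s} {ok}")
    print("round trip:", roundtrip_ok(N, E, D, 0x0123456789ABCDEF))
    print("modulus layout:", modulus_layout(N))
```

The layout report is the part worth keeping beside a key that one client rejects: the mpint rules do not require the modulus to be byte-aligned, so a key whose bit count is not a multiple of 8 is valid as far as the protocol is concerned, and a parser that derives the key size from the byte length of the encoded modulus, or that expects the pad byte to always be present, is the thing to look at.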
From: MBrandsma at bunnings.com.au (Mitchell Brandsma)
Date: Thu, 31 Jul 2003 15:56:22 +0800
Subject: conditional autoconf for AIX - LOGIN_NEEDS_UTMPX
Message-ID: <25E4CA13D679FF48BC30769420220971087ECB01@mail-wa.bbs.bunnings.com.au>

Hi,

Just reporting our findings from a little problem a colleague and I discovered with the autoconf rules.

Platform: AIX-4.3.3, any RML
OpenSSH versions: all from the latest release back to 3.4, identical symptoms for each version. This includes the Bull releases and building from the tarballs. I'm not sure exactly where between 3.0 and 3.4 it was introduced but the rest of the facts should speak for themselves.

Symptom: Connecting and logging in corrupted the wtmp file every time. This does not occur on AIX5L, and does not occur with OpenSSH versions 3.0 and earlier.

I tracked down the cause to the change made in June 2002, reported as a bug:

20020623 - (stevesk) [configure.ac] bug #255 LOGIN_NEEDS_UTMPX for AIX.

From this point, LOGIN_NEEDS_UTMPX has been defined for all AIX builds. This is obviously needed for AIX 5L, but breaks 4.3.3's implementation as above, hence this definition needs to be conditional within the AIX section of the autoconf rules. Sorry, I'm no autoconf expert. However, we ran the configure, turned the option off for our 4.3.3 boxes, and it compiles and runs as expected - without wtmp corruption.

I hope you find this useful!

Regards,
Mitchell Brandsma
Systems Administrator, Store Support
Bunnings Building Supplies WA

PS Apologies for the length of the blurb following this, it's automatically attached by our exchange server.

************************************************************************
Bunnings Legal Disclaimer:

1) This email is confidential and may contain legally privileged information. If you are not the intended recipient, you must not disclose or use the information contained in it. If you have received this email in error, please notify us immediately by return email and delete the document.
2) All emails sent to and sent from Bunnings Building Supplies are scanned for content. Any material deemed to contain inappropriate subject matter will be reported to the email administrator of all parties concerned.
************************************************************************

From markus at openbsd.org Thu Jul 31 18:04:56 2003
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 31 Jul 2003 10:04:56 +0200
Subject: SSH2 GSSAPI/KerberosV.
In-Reply-To:
References: <20030728003533.GC10147@lewiz.org> <3F24E537.5030006@mindrot.org> <20030729075751.GB4174@folly>
Message-ID: <20030731080456.GB17407@folly>

On Wed, Jul 30, 2003 at 10:26:20AM -0700, Booker Bense wrote:
> On Tue, 29 Jul 2003, Markus Friedl wrote:
>
> > On Mon, Jul 28, 2003 at 06:32:04PM -0700, Booker Bense wrote:
> > > - What needs to be done? Last I read you were only going to
> > > implement GSSAPI auth and not credential forwarding. This will
> >
> > so GSS API user authentication does not include credential forwarding?
> > too bad. then why does it need so much code?
>
> - Simon's patches implement this. You've said time and time again
> that you won't accept them regardless of what I or anyone else
> does on this list. All you would accept would be a GSSAPI
> authentication only implementation.

When did I say that? I said that we would implement userauth, but not KEX.

From markus at openbsd.org Thu Jul 31 18:23:24 2003
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 31 Jul 2003 10:23:24 +0200
Subject: new version of gpg patch for openssh
In-Reply-To:
References:
Message-ID: <20030731082324.GG17407@folly>

you really want to execute the gpg binary from within sshd?

On Wed, Jul 30, 2003 at 06:54:21PM -0400, Joel N. Weber II wrote:
> I've made version 0.9 of the gpg host/user authentication patch
> available; this version changes the encodings of the key and
> signature, and hopefully now encodes them in a way that matches the
> IETF spec.
>
> The code and some more details are at
> http://www.red-bean.com/~nemo/openssh-gpg
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From dtucker at zip.com.au Thu Jul 31 20:22:51 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 31 Jul 2003 20:22:51 +1000
Subject: conditional autoconf for AIX - LOGIN_NEEDS_UTMPX
References: <25E4CA13D679FF48BC30769420220971087ECB01@mail-wa.bbs.bunnings.com.au>
Message-ID: <3F28EDFB.BF601820@zip.com.au>

Mitchell Brandsma wrote:
[something about corrupted wtmp]

Could you please elaborate on "corrupted"? What problems does it cause and what symptoms do you see?

Removing LOGIN_NEEDS_UTMPX will probably break UseLogin on AIX 4.x. Are you using that?

> PS Apologies for the length of the blurb following this, it's automatically
> attached by our exchange server.
[snip]
> If you are not the intended recipient, you must not disclose or use the
> information contained in it

Interesting information. It's a shame the disclaimer prevents me from doing anything about it.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.