From magnus at mandarin.nu Wed Oct 1 01:43:37 2003 From: magnus at mandarin.nu (magnus at mandarin.nu) Date: Tue, 30 Sep 2003 17:43:37 +0200 Subject: [PATCH] sftp-server (secure) chroot patch, 3.7.1p2 update Message-ID: <200309301543.h8UFhbd3029364@jedi.ath.cx> Hello all, Here is an updated patch. I published the original patch published on august 16. --- openssh-3.7.1p2/sftp-server.c.org 2003-08-22 01:34:41.000000000 +0200 +++ openssh-3.7.1p2/sftp-server.c 2003-09-30 17:22:43.730402000 +0200 @@ -24,6 +24,7 @@ #include \"includes.h\" RCSID(\"$OpenBSD: sftp-server.c,v 1.43 2003/06/25 22:39:36 miod Exp $\"); +#define CHROOT #include \"buffer.h\" #include \"bufaux.h\" #include \"getput.h\" @@ -33,6 +34,15 @@ #include \"sftp.h\" #include \"sftp-common.h\" +#ifdef CHROOT +#include \"uidswap.h\" +#include +#include +#include +#include +#include +#endif /* CHROOT */ + /* helper */ #define get_int64() buffer_get_int64(&iqueue); #define get_int() buffer_get_int(&iqueue); 
@@ -62,6 +72,49 @@ Attrib attrib; }; +#ifdef CHROOT +static void +chroot_init(void) +{ + struct passwd *pw; + struct stat st; + + /* Sanity checking before chroot */ + if ((pw = getpwuid(getuid())) == NULL) + fatal(\"getpwuid failed for %u\", (u_int)pw->pw_uid ); + + /* Sets passwd pointer to null */ + memset(pw->pw_passwd, 0, strlen(pw->pw_passwd)); + endpwent(); + + if (geteuid() != 0) + fatal(\"must be SUID root to use chroot feature\"); + + if ((stat(pw->pw_dir, &st)) == -1) + fatal(\"cannot stat chroot directory %s: %s\", pw->pw_dir, strerror(errno)); + + if (!S_ISDIR(st.st_mode)) + fatal(\"%s is not a directory: %s\", pw->pw_dir, strerror(errno)); + + /* Drop our privileges */ + debug3(\"chroot user:group %u:%u\", (u_int)pw->pw_uid, (u_int)pw->pw_gid); + + /* Change our root directory */ + if (chroot(pw->pw_dir) == -1) + fatal(\"chroot(\\\"%s\\\"): %s\", pw->pw_dir, strerror(errno)); + + /* Change dir to prevent chroot break */ + if (chdir(\"/\") == -1) + fatal(\"chdir(\\\"/\\\"): %s\", strerror(errno)); + + if (setgid(pw->pw_gid) < 0) + fatal(\"setgid failed for %u\", (u_int)pw->pw_gid ); + + permanently_set_uid(pw); + +} +#endif /* CHROOT */ + static int errno_to_portable(int unixerrno) { 
@@ -1028,15 +1081,19 @@ int in, out, max; ssize_t len, olen, set_size; +#ifdef DEBUG_SFTP_SERVER + log_init(\"sftp-server\", SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 0); +#endif + +#ifdef CHROOT + chroot_init(); +#endif + /* XXX should use getopt */ __progname = ssh_get_progname(av[0]); handle_init(); -#ifdef DEBUG_SFTP_SERVER - log_init(\"sftp-server\", SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 0); -#endif - in = dup(STDIN_FILENO); out = dup(STDOUT_FILENO); To apply this patch on OpenSSH 3.7.1p2: - patch -p0 < sftp-server.patch - edit Makefile and include uidswap.o in sftp-server - make sftp-server - copy sftp-server into your chroot and set u+s Any problems with it, please share, works ok for me on Solaris 8. Regards Magnus From mouring at etoh.eviladmin.org Wed Oct 1 01:57:08 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 30 Sep 2003 10:57:08 -0500 (CDT) Subject: [PATCH] sftp-server (secure) chroot patch, 3.7.1p2 update In-Reply-To: <200309301543.h8UFhbd3029364@jedi.ath.cx> Message-ID: On Tue, 30 Sep 2003 magnus at mandarin.nu wrote: > Hello all, > > Here is an updated patch. I published the original patch published on > august 16. > > --- openssh-3.7.1p2/sftp-server.c.org 2003-08-22 01:34:41.000000000 > +0200 > +++ openssh-3.7.1p2/sftp-server.c 2003-09-30 17:22:43.730402000 +0200 > @@ -24,6 +24,7 @@ > #include \"includes.h\" ^^^^^^^^^^^^^ Your patch is corrupted. - Ben From michael.steffens at hp.com Wed Oct 1 02:20:24 2003 
From: michael.steffens at hp.com (Michael Steffens)
Date: Tue, 30 Sep 2003 18:20:24 +0200
Subject: SSHD 3.7.1p2 on HP-UX
In-Reply-To: <3F797A7B.8070909@whoi.edu>
References: <3F789626.4040904@whoi.edu> <3F796091.9060209@hp.com> <3F797A7B.8070909@whoi.edu>
Message-ID: <3F79AD48.3080701@hp.com>

Eric Cunningham wrote:
>> Could you please check what sshd in debugging mode "sshd -ddd" reports
>> about aging?
>
> debug3: allowed_user: today 12325 sp_expire -1 sp_lstchg -1 sp_max 0
> User eric password has expired (password aged)
>
>> Could you please also check what
>>
>> /usr/lbin/getprpw
>>
>> reports about the account being rejected?
>
> root:#-> /usr/lbin/getprpw eric
> uid=5928, bootpw=NO, audid=10, audflg=1, mintm=-1, maxpwln=-1, exptm=-1,
> lftm=-1, spwchg=-1, upwchg=Fri Mar 31 15:18:43 2000, acctexp=-1,
> llog=-1, expwarn=-1, usrpick=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=DFT,
> admnum=-1, syschpw=DFT, sysltpw=DFT, timeod=-1, slogint=Tue Sep 30
> 08:26:48 2003, ulogint=Thu Sep 25 14:03:12 2003, sloginy=pts/ta,
> culogin=-1, uloginy=-1, umaxlntr=-1, alock=NO, lockout=0000000
>
> For kicks, after this, I reset my password and tried again. It worked.
> I hadn't thought my password was expired... I had no trouble logging in
> via non-ssh methods (i.e., @console, telnet). Thanks very much for the
> clues!
>
> I'm a little embarrassed but grateful...

Not so fast :)

I would predict that login will fail again tomorrow, as it does for
Jan, and with your info I probably learnt why :)

sshd got "sp_max 0" from getspnam. This happens if aging policies for
the user are set to *disable* aging!

Now let's look at what auth.c does:

	if (spw->sp_max != -1 && today > spw->sp_lstchg + spw->sp_max) {
		logit("User %.100s password has expired (password aged)",
		    pw->pw_name);
		return 0;
	}

It expects the value -1 for disabled aging. If sp_max happens to be zero
instead, the aging calculation will come out as non-expired only on the
day the password was last changed.

Manual page getspent(3C) states

	If the fields corresponding to sp_min, sp_max, sp_lstchg, sp_warn,
	sp_inact, sp_expire, or sp_flag are not specified in the entry,
	they default to -1.

Ooops! Should getspnam have returned -1 instead?

The field corresponding to sp_max in the /tcb database is u_exp, and for
a user with aging disabled the record reads like

dummy:u_name=dummy:u_id#104:\
	:u_pwd=*************:\
	:u_auditid#445:\
	:u_auditflag#1:\
	:u_minchg#0:u_exp#0:u_life#0:u_succhg#1064822018:\
	:u_pw_expire_warning#0:u_pswduser=dummy:u_pwchanger=roottmp:u_suclog#1064819726:\
	:u_lock@:chkent:

So far getspnam does what it is supposed to do, because u_exp does exist
with value 0. Does it need to? modprpw(1M) claims

	No aging is present if the following 4 database parameters are
	all zero: u_minchg, u_exp, u_life, u_pw_expire_warning.

and disabling a user's aging (for example via SAM) does exactly that.

Now, how to detect this properly with struct spwd data? All of the fields
above besides u_life do have corresponding spwd fields. (u_life is the
password lifetime, similar to expiration time, but admin intervention is
required to unlock if the lifetime is exceeded.)

So what I would propose for HP-UX trusted systems is to consider aging
disabled

- either when sp_min, sp_max, and sp_warn are all zero
- or when getprpwnam returns u_minchg, u_exp, u_life, u_pw_expire_warning
  to be all zero.

The first looks like a less intrusive modification, but would not detect
u_life being non-zero. The second looks like password aging for trusted
systems should not be done using shadow data at all.

But please do not eliminate shadow for HP-UX entirely, because there is
native /etc/shadow shadowing available on 11.11 :)

Cheers!
Michael

From picasso at madflower.com Wed Oct 1 02:21:40 2003
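The auth.c check quoted above, placed beside Michael's two proposed detection rules, as an added example that is not part of this thread or of OpenSSH: the two structs are constructed stand-ins for struct spwd and the /tcb record, the function names are assumptions, and the sample values are Eric's debug output plus one constructed 90-day policy.

```c
#include <stdio.h>

/*
 * Constructed stand-in for the struct spwd fields auth.c consults
 * (not the real <shadow.h>). Day counts are days since the epoch, as in
 * the "today 12325" debug line; -1 means "not set", per getspent(3C).
 */
struct shadow_aging {
	long sp_lstchg;	/* day the password was last changed */
	long sp_min;	/* minimum days between changes */
	long sp_max;	/* maximum days the password stays valid */
	long sp_warn;	/* days of warning before expiry */
};

/* Constructed stand-in for the four /tcb aging fields modprpw(1M) names. */
struct tcb_aging {
	long u_minchg;
	long u_exp;
	long u_life;
	long u_pw_expire_warning;
};

/*
 * The check as auth.c has it today (quoted in the thread): only
 * sp_max == -1 means "aging disabled". Returns 1 when expired.
 */
int password_aged_current(const struct shadow_aging *spw, long today)
{
	if (spw->sp_max != -1 && today > spw->sp_lstchg + spw->sp_max)
		return 1;
	return 0;
}

/*
 * First proposal: on an HP-UX trusted system, sp_min, sp_max and sp_warn
 * all zero is how a disabled aging policy shows up through getspnam().
 */
int shadow_aging_disabled(const struct shadow_aging *spw)
{
	if (spw->sp_max == -1)
		return 1;
	return spw->sp_min == 0 && spw->sp_max == 0 && spw->sp_warn == 0;
}

/*
 * Second proposal: modprpw(1M) says no aging is present when u_minchg,
 * u_exp, u_life and u_pw_expire_warning are all zero.
 */
int tcb_aging_disabled(const struct tcb_aging *pr)
{
	return pr->u_minchg == 0 && pr->u_exp == 0 && pr->u_life == 0 &&
	    pr->u_pw_expire_warning == 0;
}

/* The aging check with the all-zero case recognised. Returns 1 when expired. */
int password_aged_proposed(const struct shadow_aging *spw, long today)
{
	if (shadow_aging_disabled(spw))
		return 0;
	return today > spw->sp_lstchg + spw->sp_max;
}

int main(void)
{
	long today = 12325;
	/* Eric's values from "sshd -ddd": sp_lstchg -1, sp_max 0; sp_min and
	 * sp_warn are 0 because u_minchg and u_pw_expire_warning are 0. */
	struct shadow_aging eric = { -1, 0, 0, 0 };
	/* Eric after resetting his password today: lstchg moves to today. */
	struct shadow_aging reset = { today, 0, 0, 0 };
	/* Constructed: a user on a real 90-day policy whose password is old. */
	struct shadow_aging aged = { 12200, 7, 90, 14 };

	printf("eric   today:    current=%d proposed=%d\n",
	    password_aged_current(&eric, today),
	    password_aged_proposed(&eric, today));
	printf("reset  today:    current=%d proposed=%d\n",
	    password_aged_current(&reset, today),
	    password_aged_proposed(&reset, today));
	printf("reset  tomorrow: current=%d proposed=%d\n",
	    password_aged_current(&reset, today + 1),
	    password_aged_proposed(&reset, today + 1));
	printf("90-day today:    current=%d proposed=%d\n",
	    password_aged_current(&aged, today),
	    password_aged_proposed(&aged, today));
	return 0;
}
```

The "reset" rows reproduce Michael's prediction: with the current check the reset password passes today and fails again tomorrow, while the proposed check treats the all-zero record as aging disabled.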
From: picasso at madflower.com (Sean O'Malley)
Date: Tue, 30 Sep 2003 12:21:40 -0400 (EDT)
Subject: openssh 3.7.1p2 afs/pam issues
In-Reply-To: <3F78D0F1.3020803@mindrot.org>
Message-ID:

Sep 2003, Damien Miller wrote:
> Please try the patch at http://bugzilla.mindrot.org/show_bug.cgi?id=717

Thanks!! This works!

I'm not sure if this is a bug or just normal, but to get this to work
_correctly_ you have to set:

PasswordAuthentication no

Otherwise it is prompting me 3x for a password and failing, and then the
fourth time it is letting me in with an account using an afs password.
For a local account it works just fine. I guess I don't understand why it
is failing 3 times with a tunneled password, and the 4th time it is
magically working. Is it disabling tunneling after the 3rd attempt?

In my pam.conf file I have:

sshd auth sufficient /usr/lib/security/pam_unix.so
sshd auth sufficient /usr/lib/security/$ISA/pam_afs.so.1 try_first_pass ignore_root setenv_password_expires
sshd account required /usr/lib/security/pam_unix.so
sshd session required /usr/lib/security/pam_unix.so

Is this just a case of blatant Operator Error, lack of understanding, or
the pam_afs module doesn't support tunneling and the pam_unix one does?

Sean

From hayward at slothmud.org Wed Oct 1 03:06:30 2003
From: hayward at slothmud.org (hayward at slothmud.org)
Date: Tue, 30 Sep 2003 12:06:30 -0500 (CDT)
Subject: OpenSSL vulnerability...
In-Reply-To: <58109.183988-26465-632434844-1064593949@seznam.cz>
Message-ID:

Does OpenSSH use OpenSSL in a way in which it would be vulnerable to the
OpenSSL vulnerabilities announced today? Namely the ASN.1 parsing
problem and the malformed key bugs?

Thanks,
Brian

From picasso at madflower.com Wed Oct 1 03:19:07 2003
From: picasso at madflower.com (Sean O'Malley) Date: Tue, 30 Sep 2003 13:19:07 -0400 (EDT) Subject: openssh 3.7.1p2 afs/pam issues In-Reply-To: Message-ID: On Tue, 30 Sep 2003, Sean O'Malley wrote: > > Sep 2003, Damien Miller wrote: > > Please try the patch at http://bugzilla.mindrot.org/show_bug.cgi?id=717 > > Thanks!! this works! > I spoke a little to soon. It works just fine _except_ it is not setting the afs tokens. So when people get to their home directories in afs space they can't read/write anything. From magnus at mandarin.nu Wed Oct 1 04:00:19 2003 From: magnus at mandarin.nu (Magnus F) Date: Tue, 30 Sep 2003 20:00:19 +0200 Subject: [PATCH] sftp-server (secure) chroot patch, 3.7.1p2 update References: Message-ID: <001f01c3877c$b8669190$0201a8c0@black> Is it ok now? Must've been my webmail that added those slashes. --- openssh-3.7.1p2/sftp-server.c.org 2003-08-22 01:34:41.000000000 +0200 +++ openssh-3.7.1p2/sftp-server.c 2003-09-30 17:22:43.730402000 +0200 @@ -24,6 +24,7 @@ #include "includes.h" RCSID("$OpenBSD: sftp-server.c,v 1.43 2003/06/25 22:39:36 miod Exp $"); +#define CHROOT #include "buffer.h" #include "bufaux.h" #include "getput.h" @@ -33,6 +34,15 @@ #include "sftp.h" #include "sftp-common.h" +#ifdef CHROOT +#include "uidswap.h" +#include +#include +#include +#include +#include +#endif /* CHROOT */ + /* helper */ #define get_int64() buffer_get_int64(&iqueue); #define get_int() buffer_get_int(&iqueue); 
@@ -62,6 +72,49 @@ Attrib attrib; }; +#ifdef CHROOT +static void +chroot_init(void) +{ + struct passwd *pw; + struct stat st; + + /* Sanity checking before chroot */ + if ((pw = getpwuid(getuid())) == NULL) + fatal("getpwuid failed for %u", (u_int)pw->pw_uid ); + + /* Sets passwd pointer to null */ + memset(pw->pw_passwd, 0, strlen(pw->pw_passwd)); + endpwent(); + + if (geteuid() != 0) + fatal("must be SUID root to use chroot feature"); + + if ((stat(pw->pw_dir, &st)) == -1) + fatal("cannot stat chroot directory %s: %s", pw->pw_dir, strerror(errno)); + + if (!S_ISDIR(st.st_mode)) + fatal("%s is not a directory: %s", pw->pw_dir, strerror(errno)); + + /* Drop our privileges */ + debug3("chroot user:group %u:%u", (u_int)pw->pw_uid, (u_int)pw->pw_gid); + + /* Change our root directory */ + if (chroot(pw->pw_dir) == -1) + fatal("chroot(\"%s\"): %s", pw->pw_dir, strerror(errno)); + + /* Change dir to prevent chroot break */ + if (chdir("/") == -1) + fatal("chdir(\"/\"): %s", strerror(errno)); + + if (setgid(pw->pw_gid) < 0) + fatal("setgid failed for %u", (u_int)pw->pw_gid ); + + permanently_set_uid(pw); + +} +#endif /* CHROOT */ + static int errno_to_portable(int unixerrno) { @@ -1028,15 +1081,19 @@ int in, out, max; ssize_t len, olen, set_size; +#ifdef DEBUG_SFTP_SERVER + log_init("sftp-server", SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 0); +#endif + +#ifdef CHROOT + chroot_init(); +#endif + /* XXX should use getopt */ __progname = ssh_get_progname(av[0]); handle_init(); -#ifdef DEBUG_SFTP_SERVER - log_init("sftp-server", SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 0); -#endif - in = dup(STDIN_FILENO); out = dup(STDOUT_FILENO); EOF ----- Original Message ----- 
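Review bot: the `+#define CHROOT` in the first hunk (@@ -24,6 +24,7 @@) switches the feature on unconditionally for every build of sftp-server, and because chroot_init() calls fatal() when geteuid() != 0, an sftp-server that is not installed setuid root will refuse every session; make CHROOT a build option (for example -DCHROOT in CFLAGS from configure) instead of hardcoding it in the source, so the ordinary non-chroot subsystem keeps working.

Review bot: in the second hunk (@@ -33,6 +34,15 @@) the five `+#include` lines carry no header name, so the patch as posted neither applies cleanly nor compiles; please repost with the angle-bracket includes intact (the same lines were already empty in the earlier backslash-mangled copy, which suggests the mailer strips them as markup).

Review bot: chroot_init() in the third hunk (@@ -62,6 +72,49 @@) dereferences a NULL pointer on its first error path: `fatal("getpwuid failed for %u", (u_int)pw->pw_uid)` runs exactly when pw == NULL, so log `(u_int)getuid()` there instead. Smaller points in the same function: `fatal("%s is not a directory: %s", pw->pw_dir, strerror(errno))` follows a successful stat(), so errno is stale and the suffix is misleading (drop the strerror); the comment "Sets passwd pointer to null" describes a memset() that zeroes the string, not the pointer; and the "Drop our privileges" comment sits above a debug3() while the actual drop (setgid, permanently_set_uid) happens after chroot(). Finally, the chroot target is pw->pw_dir, which the user owns and can write to; a user-writable chroot root is the weak spot of this design, so refuse the directory unless st.st_uid == 0 and it is not group- or world-writable, and document that requirement for administrators.

Review bot: in the last hunk (@@ -1028,15 +1081,19 @@) chroot_init() is called before any log_init() in a normal build (the log_init() is compiled only under DEBUG_SFTP_SERVER), so a refused session (missing home directory, failed chroot() or privilege drop) is reported by fatal() on stderr and never reaches syslog; call log_init("sftp-server", ...) unconditionally before chroot_init() so that refused chroot sessions are recorded. Moving the DEBUG_SFTP_SERVER block ahead of the chroot call is the right idea; it just needs to apply to non-debug builds too.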
From: "Ben Lindstrom" To: Cc: Sent: Tuesday, September 30, 2003 5:57 PM Subject: Re: [PATCH] sftp-server (secure) chroot patch, 3.7.1p2 update > > > On Tue, 30 Sep 2003 magnus at mandarin.nu wrote: > > > Hello all, > > > > Here is an updated patch. I published the original patch published on > > august 16. > > > > --- openssh-3.7.1p2/sftp-server.c.org 2003-08-22 01:34:41.000000000 > > +0200 > > +++ openssh-3.7.1p2/sftp-server.c 2003-09-30 17:22:43.730402000 +0200 > > @@ -24,6 +24,7 @@ > > #include \"includes.h\" > ^^^^^^^^^^^^^ > > Your patch is corrupted. > > - Ben > > From markus at openbsd.org Wed Oct 1 06:41:27 2003 From: markus at openbsd.org (Markus Friedl) Date: Tue, 30 Sep 2003 22:41:27 +0200 Subject: OpenSSL vulnerability... In-Reply-To: References: <58109.183988-26465-632434844-1064593949@seznam.cz> Message-ID: <20030930204127.GA27487@folly> On Tue, Sep 30, 2003 at 12:06:30PM -0500, hayward at slothmud.org wrote: > Does OpenSSH use OpenSSL in a way in which it would be vulnerable to the > OpenSSL vulnerabilities announced today? Namely the ASN.1 parsing > problem and the malformed key bugs? no, we avoid the OpenSSL ASN.1 code for signature verification and we don't support x509. only reading of _private_ keys triggers the ASN.1 code in OpenSSH. From djm at mindrot.org Wed Oct 1 11:19:04 2003 
From: djm at mindrot.org (Damien Miller)
Date: Wed, 01 Oct 2003 11:19:04 +1000
Subject: auth-pam.c, USE_POSIX_THREADS
In-Reply-To: <200309300813.KAA00846@r2d2.physik3.gwdg.de>
References: <200309300813.KAA00846@r2d2.physik3.gwdg.de>
Message-ID: <3F7A2B88.7020302@mindrot.org>

Hans Werner Strube wrote:
> OpenSSH 3.7.1p2 contains an #ifdef USE_POSIX_THREADS and simulates threads
> by processes if this is not defined. However, configure and config.h do not
> provide any means to define this. Is this already included for future
> releases but does not function properly if defined? Or could it be set
> manually in config.h and would work in Solaris?

I don't think we will be enabling USE_POSIX_THREADS in the PAM code
anytime soon. Threads are a can of worms that I don't really want to open.

I'd prefer to get the auth-pam.c authentication subprocess properly
exporting any state that it creates back to the parent. E.g. see:

http://bugzilla.mindrot.org/show_bug.cgi?id=717

-d

From djm at mindrot.org Wed Oct 1 11:21:14 2003
From: djm at mindrot.org (Damien Miller)
Date: Wed, 01 Oct 2003 11:21:14 +1000
Subject: openssh 3.7.1p2 afs/pam issues
In-Reply-To:
References:
Message-ID: <3F7A2C0A.4000403@mindrot.org>

Sean O'Malley wrote:
> On Tue, 30 Sep 2003, Sean O'Malley wrote:
>
>> Sep 2003, Damien Miller wrote:
>>
>>> Please try the patch at http://bugzilla.mindrot.org/show_bug.cgi?id=717
>>
>> Thanks!! this works!
>
> I spoke a little too soon. It works just fine _except_ it is not setting
> the afs tokens. So when people get to their home directories in afs space
> they can't read/write anything.

Could you attach a "sshd -d -d -d" debug trace to the above bug report.
I'd like to see it in operation.

-d

From griswld at cio.sc.gov Wed Oct 1 11:44:52 2003
From: griswld at cio.sc.gov (Doug Griswold)
Date: Tue, 30 Sep 2003 21:44:52 -0400
Subject: Build fails on AIX 5.2
Message-ID:

I'm trying to build openssh-3.7.1p2 on aix and am currently failing with
the build errors below. This is a default build, no special config
options. I was able to build 3.6.1p2 with the patches but haven't been
able to build any version of 3.7. I saw some changes were made to aix
files in the changelog.

/usr/include/sys/audit.h:284: warning: `\' followed by white space at end of line
/usr/include/sys/audit.h:287: warning: `\' followed by white space at end of line
In file included from ../includes.h:34,
                 from bsd-arc4random.c:25:
/usr/include/time.h:230: warning: `struct sigevent' declared inside parameter list
/usr/include/time.h:230: warning: its scope is only this definition or declaration, which is probably not what you want.
In file included from ../openbsd-compat/port-aix.h:34,
                 from ../openbsd-compat/openbsd-compat.h:166,
                 from ../includes.h:173,
                 from bsd-arc4random.c:25:
/usr/include/sys/audit.h:285: parse error before `0200'
/usr/include/sys/audit.h:300: parse error before `}'
make: 1254-004 The error code from the last command is 1.
Stop.
make: 1254-004 The error code from the last command is 2.
Stop.
#

From dtucker at zip.com.au Wed Oct 1 11:57:10 2003
From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 01 Oct 2003 11:57:10 +1000 Subject: Build fails on AIX 5.2 References: Message-ID: <3F7A3476.6A1180CE@zip.com.au> Doug Griswold wrote: > I'm trying to build openssh-3.7.1p2 on aix and am currently failing with > the build errors below. This is a > default build no special config options. I was able to build 3.6.1p2 > with the patches but havn't been able to build any version of 3.7. I > saw some changes were made to aix files in the changelog. > > /usr/include/sys/audit.h:284: warning: `\' followed by white space at > end of line > /usr/include/sys/audit.h:287: warning: `\' followed by white space at > end of line We now include some more system headers. Unfortunately, 2 have problems that trip up earlier gcc's (you're using the gcc-2.9x that came on the toolbox CD, right)? You can either upgrade your gcc version or edit the system headers. Details are here: http://bugzilla.mindrot.org/show_bug.cgi?id=640 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From openssh-unix-dev at thewrittenword.com Wed Oct 1 12:01:19 2003 From: openssh-unix-dev at thewrittenword.com (Albert Chin) Date: Tue, 30 Sep 2003 21:01:19 -0500 Subject: Recent OpenSSL vulnerability require rebuild of OpenSSH Message-ID: <20031001020119.GA79428@spuckler.il.thewrittenword.com> We have OpenSSH built against a static version of the OpenSSL library. Do the recent OpenSSL vulnerabilities necessitate a rebuild of OpenSSH? http://www.openssl.org/news/secadv_20030930.txt >From the description of the four bugs, I'm inclined to think not. -- albert chin (china at thewrittenword.com) From musunuru at hotmail.com Wed Oct 1 12:52:04 2003 
From: musunuru at hotmail.com (Srinivasa Rao Musunuru)
Date: Wed, 01 Oct 2003 02:52:04 +0000
Subject: Hep for creating a package
Message-ID:

Hi,

I created a package for OpenSSH 3.7.1p2 in UNIX (OS: Sun Solaris); the
newly created package includes binaries, man pages, libraries and
configuration files. I am planning to install this package on all of my
Sun servers (approximately 200 servers). We have older versions of
SSH/OpenSSH already installed and running on all of the Sun boxes. I want
to install OpenSSH 3.7.1p2 without deleting the old SSH/OpenSSH packages.
The installed versions of SSH/OpenSSH are in different directories like

/usr/local/bin
/usr/local/sbin
/usr/local/libexec
/usr/local/man
/usr/local/etc

Is there any way I can make the package replace the binaries and man
pages, and also have it check the /usr/local/etc directory while doing
the package add (pkgadd): if the configuration files and key files exist
in the /usr/local/etc directory it shouldn't replace the files. It should
only copy the files if any files are missing from the /usr/local/etc
directory while doing pkgadd.

After doing the pkgadd I want to append a few things to my configuration
file (sshd_config) if the information doesn't exist. For example:

UserPrivilegeSeperation NO
RhostAuthetication no

Also I want to check for the file /.ssh/id_rsa.pub; if this file exists
then append /.ssh/id_rsa.pub to authorizationkeys.

Could you pls help me with creating the package (pkgmk/pkgadd) which will
satisfy the above conditions.

If you need any information pls let me know.

Thanks,
Srinivas

From tim at multitalents.net Wed Oct 1 13:08:39 2003
From: tim at multitalents.net (Tim Rice) Date: Tue, 30 Sep 2003 20:08:39 -0700 (PDT) Subject: Hep for creating a package In-Reply-To: References: Message-ID: You can do any customization you want by building custom preinstall and postinstall scripts. On Wed, 1 Oct 2003, Srinivasa Rao Musunuru wrote: [snip] > Could you pls help me for creating the package(pkgmk/pkgadd) which > will satisfy the above conditions. > > If you need any information pls let me know. > > Thanks, > Srinivas > _________________________________________________________________ -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From dtucker at zip.com.au Wed Oct 1 13:09:20 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 01 Oct 2003 13:09:20 +1000 Subject: Hep for creating a package References: Message-ID: <3F7A4560.1931DBD@zip.com.au> Srinivasa Rao Musunuru wrote: > I created a package for OpenSSH 3.7.1p2 in UNIX (OS: Sun Solaris), the [snip] > Is there anyway i can make package replacing the binaries, man pages > and also it has to check in the /usr/local/etc directory while doing > the pacakage add (pkgadd), if the configuration files and key files > exists in /usr/local/etc directory it shouldn't replace the files. > Only it should copy the files if there is any files missing in > /usr/local/etc directory while doing pkgadd. Have a look at contrib/solaris/buildpkg.sh in your OpenSSH source directory, it does much of what you describe. Apart from that, you have a Solaris packaging question not an OpenSSH question. I suggest you check out some Solaris resources. I'd start with www.sunhelp.org and www.sunfreeware.com/pkgadd.html. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From jjy2+ at pitt.edu Wed Oct 1 16:05:18 2003 
From: jjy2+ at pitt.edu (Jared Yanovich) Date: Wed, 01 Oct 2003 01:05:18 -0500 Subject: 3.7.1p2 sftp recurse patch Message-ID: <20031001010518.7c28edda.jjy2@pitt.edu> This patch is against OpenSSH 3.7.1p2 sources. It adds recursive (directory) downloading and uploading. Criticism/suggestions welcome. I would imagine the time official support is added, recursive operations will be handled on a per-command basis as a flag as opposed to a global toggle command (such as get -r)? diff -ru openssh-3.7.1p2/sftp-int.c openssh-3.7.1p2-patched/sftp-int.c --- openssh-3.7.1p2/sftp-int.c Tue Sep 23 05:24:21 2003 +++ openssh-3.7.1p2-patched/sftp-int.c Thu Sep 25 16:56:13 2003 @@ -50,6 +50,9 @@ /* This is set to 0 if the progressmeter is not desired. */ int showprogress = 1; +/* Recursive operations */ +int recursion = 0; + /* Seperators for interactive commands */ #define WHITESPACE " \t\r\n" @@ -81,6 +84,7 @@ #define I_SYMLINK 21 #define I_VERSION 22 #define I_PROGRESS 23 +#define I_RECURSE 24 struct CMD { const char *c; @@ -113,6 +117,7 @@ { "mput", I_PUT }, { "pwd", I_PWD }, { "quit", I_QUIT }, + { "recurse", I_RECURSE }, { "rename", I_RENAME }, { "rm", I_RM }, { "rmdir", I_RMDIR }, @@ -147,6 +152,7 @@ printf("exit Quit sftp\n"); printf("quit Quit sftp\n"); printf("rename oldpath newpath Rename remote file\n"); + printf("recurse Toggle recursive operations\n"); printf("rmdir path Remove remote directory\n"); printf("rm path Delete remote file\n"); printf("symlink oldpath newpath Symlink remote file\n"); 
@@ -430,6 +436,106 @@ } static int +do_recursive_download(struct sftp_conn *conn, char *remote_path, + char *local_path, int pflag) +{ + char *remote_tmp, *local_tmp; + int err, n; + SFTP_DIRENT **d; + extern int errno; + + if (recursion && remote_is_dir(conn, remote_path)) { + if (!is_dir(local_path)) { + /* Create local directory */ + err = mkdir(local_path, 0777); + if (err == -1) { + error("Couldn't create local directory \"%s\": " + "%s", local_path, strerror(errno)); + goto END; + } + } + + err = do_readdir(conn, remote_path, &d); + if (err == -1) { + error("Couldn't gather list of remote files"); + goto END; + } + + for (n = 0; d[n] != NULL; n++) { + /* Skip '.' and '..' */ + if ((strcmp(d[n]->filename, ".") == 0) || + (strcmp(d[n]->filename, "..") == 0)) + continue; + remote_tmp = path_append(remote_path, d[n]->filename); + local_tmp = path_append(local_path, d[n]->filename); + err = do_recursive_download(conn, remote_tmp, + local_tmp, pflag); + xfree(remote_tmp); + xfree(local_tmp); + if (err == -1) + break; + } + free_sftp_dirents(d); + } else + err = do_download(conn, remote_path, local_path, pflag); +END: + return err; +} + +static int +do_recursive_upload(struct sftp_conn *conn, char *local_path, + char *remote_path, int pflag) +{ + int err; + DIR *d; + struct dirent *f; + char *local_tmp, *remote_tmp; + Attrib a; + extern int errno; + + if (recursion && is_dir(local_path)) { + if (!remote_is_dir(conn, remote_path)) { + /* Create remote directory */ + attrib_clear(&a); + a.flags |= SSH2_FILEXFER_ATTR_PERMISSIONS; + a.perm = 0777; + err = do_mkdir(conn, remote_path, &a); + if (err == -1) { + error("Couldn't create remote directory \"%s\"", + remote_path); + goto END; + } + } + + d = opendir(local_path); + if (d == NULL) { + error("Unable to read local directory \"%s\": %s", + local_path, strerror(errno)); + err = -1; + goto END; + } + while ((f = readdir(d)) != NULL) { + /* Skip '.' and '..' 
*/ + if ((strcmp(f->d_name, ".") == 0) || + (strcmp(f->d_name, "..") == 0)) + continue; + local_tmp = path_append(local_path, f->d_name); + remote_tmp = path_append(remote_path, f->d_name); + err = do_recursive_upload(conn, local_tmp, remote_tmp, + pflag); + xfree(remote_tmp); + xfree(local_tmp); + if (err == -1) + break; + } + closedir(d); + } else + err = do_upload(conn, local_path, remote_path, pflag); +END: + return err; +} + +static int process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, int pflag) { char *abs_src = NULL; @@ -482,7 +588,7 @@ abs_dst = tmp; printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); - if (do_download(conn, g.gl_pathv[i], abs_dst, pflag) == -1) + if (do_recursive_download(conn, g.gl_pathv[i], abs_dst, pflag) == -1) err = -1; xfree(abs_dst); abs_dst = NULL; @@ -528,7 +634,7 @@ } for (i = 0; g.gl_pathv[i]; i++) { - if (!is_reg(g.gl_pathv[i])) { + if (!is_reg(g.gl_pathv[i]) && !(recursion && is_dir(g.gl_pathv[i]))) { error("skipping non-regular file %s", g.gl_pathv[i]); continue; @@ -557,7 +663,8 @@ abs_dst = make_absolute(tmp, pwd); printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst); - if (do_upload(conn, g.gl_pathv[i], abs_dst, pflag) == -1) + if (do_recursive_upload(conn, g.gl_pathv[i], abs_dst, + pflag) == -1) err = -1; } @@ -881,6 +988,7 @@ case I_HELP: case I_VERSION: case I_PROGRESS: + case I_RECURSE: break; default: fatal("Command not implemented"); @@ -1093,6 +1201,13 @@ else printf("Progress meter disabled\n"); break; + case I_RECURSE: + recursion = !recursion; + if (recursion) + printf("Recursive operations enabled\n"); + else + printf("Recursive operations disabled\n"); + break; default: fatal("%d is not implemented", cmdnum); } diff -ru openssh-3.7.1p2/sftp.1 openssh-3.7.1p2-patched/sftp.1 --- openssh-3.7.1p2/sftp.1 Tue Sep 2 22:13:30 2003 +++ openssh-3.7.1p2-patched/sftp.1 Thu Sep 25 17:00:30 2003 
@@ -256,6 +256,8 @@ .Ar path . .It Ic progress Toggle display of progress meter. +.It Ic recurse +Toggle recursive operations. .It Xo Ic put .Op Ar flags .Ar local-path - Jared From mouring at etoh.eviladmin.org Wed Oct 1 15:44:25 2003 
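Review bot: the `recursion` global added in the first hunk (@@ -50,6 +50,9 @@) makes recursion a session-wide mode toggle, which you already expect upstream will not want; process_get() and process_put() already carry a per-command pflag for -P, so parse an rflag the same way and the feature can become `get -r` / `put -r` without a second rewrite, dropping I_RECURSE, the cmds[] entry and the toggle case.

Review bot: do_recursive_download() in the large hunk (@@ -430,6 +436,106 @@) trusts the file names the server returns from do_readdir(): the only names rejected are "." and "..", so an entry whose filename contains a '/' is appended by path_append() and used as-is in mkdir() and do_download(), which lets a misbehaving server place files outside local_path; check `strchr(d[n]->filename, '/') != NULL` and skip the entry with an error() before building remote_tmp and local_tmp. The same hunk recurses without a depth limit, and because remote_is_dir() and is_dir() follow symlinks a directory link pointing at an ancestor loops until memory or the stack runs out (Ben's point); look each entry up with do_lstat()/lstat(), skip links, and cap the depth. Both new functions declare `extern int errno;`, which does not compile where errno is a macro; includes.h already pulls in <errno.h>, so drop the declarations. Lastly, `mkdir(local_path, 0777)` and `a.perm = 0777` ignore pflag, so with -P files keep their remote mode but directories do not; when pflag is set, create the directory with the attributes returned by do_stat()/stat() on the source directory.

Review bot: the sftp.1 hunk (@@ -256,6 +256,8 @@) inserts `recurse` between `progress` and `put`, which breaks the alphabetical order of the command list (it belongs after `quit`), and the help text hunk in sftp-int.c (@@ -147,6 +152,7 @@) prints "recurse" after "rename" while the cmds[] table (@@ -113,6 +117,7 @@) lists it before "rename"; put it in the same place in all three.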
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 1 Oct 2003 00:44:25 -0500 (CDT) Subject: 3.7.1p2 sftp recurse patch In-Reply-To: <20031001010518.7c28edda.jjy2@pitt.edu> Message-ID: A few comments before wandering off to bed for the night. [..] > > static int > +do_recursive_download(struct sftp_conn *conn, char *remote_path, > + char *local_path, int pflag) > +{ > + char *remote_tmp, *local_tmp; > + int err, n; > + SFTP_DIRENT **d; > + extern int errno; > + > + if (recursion && remote_is_dir(conn, remote_path)) { > + if (!is_dir(local_path)) { > + /* Create local directory */ > + err = mkdir(local_path, 0777); > + if (err == -1) { > + error("Couldn't create local directory \"%s\": " > + "%s", local_path, strerror(errno)); > + goto END; > + } > + } > + > + err = do_readdir(conn, remote_path, &d); > + if (err == -1) { > + error("Couldn't gather list of remote files"); > + goto END; > + } > + > + for (n = 0; d[n] != NULL; n++) { > + /* Skip '.' and '..' */ > + if ((strcmp(d[n]->filename, ".") == 0) || > + (strcmp(d[n]->filename, "..") == 0)) > + continue; > + remote_tmp = path_append(remote_path, d[n]->filename); > + local_tmp = path_append(local_path, d[n]->filename); > + err = do_recursive_download(conn, remote_tmp, > + local_tmp, pflag); ^^^^^^^^^^^^ Ditch the recursive concept. On long directory runs you will kill your memory usage; if not crash the client (even worse looping due to symlinks). [..] > +static int > +do_recursive_upload(struct sftp_conn *conn, char *local_path, > + char *remote_path, int pflag) > +{ > + int err; > + DIR *d; > + struct dirent *f; > + char *local_tmp, *remote_tmp; > + Attrib a; > + extern int errno; > + Use fts(). That is why it was created. Too bad fts() does not support call backs like glob() or it would be useful for download. I've toyed with importing OpenBSD's fts() and modifying it to work for downloads, but didn't get too far since I was working on local caching. Yes, it should be 'get -r' and 'put -r'. 
- Ben

From Antonino.Iannella at santos.com Wed Oct 1 17:00:33 2003
From: Antonino.Iannella at santos.com (Iannella, Antonino)
Date: Wed, 1 Oct 2003 16:30:33 +0930
Subject: documentation update?
Message-ID: <8AF4C5903AF3C94DBC8B48CAD155B3297CB40A@ademail01.santos.com>

The INSTALL file in the current distribution has the passphrase request
at

http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html

maybe this should be changed to

http://www.liquidmeme.net/software/x11-ssh-askpass ??

-- 
Antonino Iannella
Santos Ltd, 91 King William St, ADELAIDE SA 5000
Ph +618 8224 7712  Fax +618 8224 7577  Mobile +61408 800007
Email antonino.iannella at santos.com
Santos Ltd A.B.N. 80 007 550 923

From dtucker at zip.com.au Wed Oct 1 19:02:25 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 01 Oct 2003 19:02:25 +1000
Subject: documentation update?
References: <8AF4C5903AF3C94DBC8B48CAD155B3297CB40A@ademail01.santos.com>
Message-ID: <3F7A9821.C1573F8E@zip.com.au>

"Iannella, Antonino" wrote:
>
> The INSTALL file in the current distribution has the passphrase request
> at
>
> http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html

This has already been fixed in -current:

$ cvs annotate INSTALL |grep x11-ssh-askpass
1.58 (djm 19-Sep-03): http://www.jmknoble.net/software/x11-ssh-askpass/

-- 
Darren Tucker (dtucker at zip.com.au)

From markus at openbsd.org Wed Oct 1 19:24:50 2003
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 1 Oct 2003 11:24:50 +0200
Subject: Recent OpenSSL vulnerability require rebuild of OpenSSH
In-Reply-To: <20031001020119.GA79428@spuckler.il.thewrittenword.com>
References: <20031001020119.GA79428@spuckler.il.thewrittenword.com>
Message-ID: <20031001092450.GA10974@folly>

recent openssh versions avoid the ASN.1 code
from openssl. only reading of private
keys uses this code, so openssh is not affected.

On Tue, Sep 30, 2003 at 09:01:19PM -0500, Albert Chin wrote:
> We have OpenSSH built against a static version of the OpenSSL library.
> Do the recent OpenSSL vulnerabilities necessitate a rebuild of
> OpenSSH?
> http://www.openssl.org/news/secadv_20030930.txt
>
> From the description of the four bugs, I'm inclined to think not.
>
> --
> albert chin (china at thewrittenword.com)

From jason at dour.org Wed Oct 1 21:42:08 2003
From: jason at dour.org (Jason A. Dour)
Date: Wed, 1 Oct 2003 07:42:08 -0400
Subject: Recent OpenSSL vulnerability require rebuild of OpenSSH
In-Reply-To: <20031001092450.GA10974@folly>
References: <20031001020119.GA79428@spuckler.il.thewrittenword.com> <20031001092450.GA10974@folly>
Message-ID: <20031001114208.GW24227@dour.org>

On Wed, Oct 01, 2003 at 11:24:50AM +0200, Markus Friedl wrote:
> recent openssh versions avoid the ASN.1 code
> from openssl. only reading of private
> keys uses this code, so openssh is not affected.

I don't want to beat a dead horse, but as we rely completely on
OpenSSH for our corporation, I have to ask.

Could someone PLEASE make a definitive statement here or on the
OpenSSH website regarding what, if any, versions of OpenSSH ARE
vulnerable? If none are vulnerable, could that be stated?

All statements made thus far are not clear. Without specifics, we
are left wondering, and wondering is not a Good Thing when it comes
to security...

Markus says "recent versions" are safe, but that is not a specific
answer, and is thus open to (mis)interpretation.

Thanks,
Jason

# "Jason A. Dour" http://dour.org/

From markus at openbsd.org Wed Oct 1 22:09:19 2003
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 1 Oct 2003 14:09:19 +0200
Subject: Recent OpenSSL vulnerability require rebuild of OpenSSH
In-Reply-To: <20031001114208.GW24227@dour.org>
References: <20031001020119.GA79428@spuckler.il.thewrittenword.com> <20031001092450.GA10974@folly> <20031001114208.GW24227@dour.org>
Message-ID: <20031001120919.GA13357@folly>

if someone pays me, then i can check all versions.
right now i really don't have time.

On Wed, Oct 01, 2003 at 07:42:08AM -0400, Jason A. Dour wrote:
> On Wed, Oct 01, 2003 at 11:24:50AM +0200, Markus Friedl wrote:
> > recent openssh versions avoid the ASN.1 code
> > from openssl. only reading of private
> > keys uses this code, so openssh is not affected.
>
> I don't want to beat a dead horse, but as we rely completely on
> OpenSSH for our corporation, I have to ask.
>
> Could someone PLEASE make a definitive statement here or on the
> OpenSSH website regarding what, if any, versions of OpenSSH ARE
> vulnerable? If none are vulnerable, could that be stated?
>
> All statements made thus far are not clear. Without specifics, we
> are left wondering, and wondering is not a Good Thing when it comes
> to security...
>
> Markus says "recent versions" are safe, but that is not a specific
> answer, and is thus open to (mis)interpretation.
>
> Thanks,
> Jason
>
> # "Jason A. Dour" http://dour.org/

From markus at openbsd.org Wed Oct 1 22:53:40 2003
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 1 Oct 2003 14:53:40 +0200
Subject: Recent OpenSSL vulnerability require rebuild of OpenSSH
In-Reply-To: <20031001092450.GA10974@folly>
References: <20031001020119.GA79428@spuckler.il.thewrittenword.com> <20031001092450.GA10974@folly>
Message-ID: <20031001125340.GA19232@folly>

On Wed, Oct 01, 2003 at 11:24:50AM +0200, Markus Friedl wrote:
> recent openssh versions avoid the ASN.1 code

1.25         (mouring  20-Aug-02): openssh_RSA_verify(int type, u_char *hash, u_int hashlen,

so it's versions after 20-Aug-02.

> from openssl. only reading of private
> keys uses this code, so openssh is not affected.

From jbourne at hardrock.org Wed Oct 1 23:55:47 2003
From: jbourne at hardrock.org (James Bourne)
Date: Wed, 1 Oct 2003 07:55:47 -0600 (MDT)
Subject: OpenSSH 3.7.1 compatibility problems on Linux
In-Reply-To:
Message-ID:

On Fri, 19 Sep 2003, Dag-Erling Smørgrav wrote:
> James Bourne writes:
> > A little difficult when the only way to get LDAP support into ssh is by
> > using pam, and besides, *why* would anyone even contemplate using different
> > auth implementations for the various services on a server when you can use a
> > single framework to auth with?
>
> Sorry, but PAM and ssh1 just don't go along very well. One more
> reason to use ssh2 instead.

I'd love to, unfortunately our window to upgrade clients at this point is December and therein lies the problem.

Would it be feasible for sshv1 and, only if pam is configured and UsePAM is yes, to do simple password authentication, but instead of passing to the glibc functions, pass to the pam functions? I'm not sure if I have the general idea of the code layout, but from my understanding if you use pam, you have to use a challenge-response method of authentication. If that part is dropped, only with sshv1 *and* if you are using pam. Otherwise, fall back to other methods.

Thanks and regards
James

> DES

--
James Bourne              | Email: jbourne at hardrock.org
Unix Systems Administrator | WWW: http://www.hardrock.org
Custom Unix Programming    | Linux: The choice of a GNU generation
----------------------------------------------------------------------
"All you need's an occasional kick in the philosophy." Frank Herbert

From ecunningham at whoi.edu Thu Oct 2 00:04:30 2003
From: ecunningham at whoi.edu (Eric Cunningham)
Date: Wed, 01 Oct 2003 10:04:30 -0400
Subject: SSHD 3.7.1p2 on HP-UX
References: <3F789626.4040904@whoi.edu> <3F796091.9060209@hp.com> <3F797A7B.8070909@whoi.edu> <3F79AD48.3080701@hp.com>
Message-ID: <3F7ADEEE.7080609@whoi.edu>

> I would predict that login will fail again tomorrow, as it does for Jan,
> and with your info I probably learnt why :)

You're correct. Today, sshd is reporting in syslog that my password has expired and I can't login again.

Is there a way around this when password aging needs to be in effect, the system needs to remain Trusted and upgrading to 11.11 isn't a viable option (for the time being)?

-Eric

From Martin.Rottler at nuernberger.de Thu Oct 2 00:12:58 2003
From: Martin.Rottler at nuernberger.de (Martin.Rottler at nuernberger.de)
Date: Wed, 1 Oct 2003 16:12:58 +0200
Subject: openssh-3-7-1p2 compiling problems on Reliant UNIX
Message-ID: <0C93F14B44CBD711910E0010E3B97A6A020BEC5B@N999EXK0>

Martin.Rottler at nuernberger.de wrote:
> I have problems compiling openssh-3-7-1p2 on Reliant UNIX.
> (same problem with 3-7-1p1)
>
> first error was:
> ../defines.h 144: [error] CFE1101 "int8_t" has already been declared in the
> current scope
> typedef char int8_t;

The configure test tests for int8_t, int16_t and int32_t before defining HAVE_INTXX_T. Does your system define all three (possibly in /usr/include/sys/types.h)?

--> solution: delete compiler test lines in defines.h for int8_t, int16_t, int32_t and int64_t

> cc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o
> sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib
> -L/usr/local/lib -lssh -lopenbsd-compat -lz -lsocket -lnsl -lgen -lcrypto
> Undefined                       first referenced
>  symbol                             in file
> gmtime_r                            /usr/local/ssl/lib/libcrypto.a(o_time.o)
> cma_sigaction                       /usr/local/ssl/lib/libcrypto.a(ui_openssl.o)
> ld: ssh: fatal error: Symbol referencing errors. No output written to ssh
> make: *** Error code 1

That looks like your libcrypto is compiled with the re-entrant (threaded) C library. Try adding "-lc_r" to your LDFLAGS or recompile OpenSSL with the same flags you're using with OpenSSH. Alternatively you could compile OpenSSH with -lc_r, however you might need to invoke your compiler as "cc_r" or something for that to work properly.

--> solution: recompile OpenSSL with option "no-threads" (parameter to config)

--
Darren Tucker (dtucker at zip.com.au)

From dtucker at zip.com.au Thu Oct 2 00:16:58 2003
From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 02 Oct 2003 00:16:58 +1000 Subject: SSHD 3.7.1p2 on HP-UX References: <3F789626.4040904@whoi.edu> <3F796091.9060209@hp.com> <3F797A7B.8070909@whoi.edu> <3F79AD48.3080701@hp.com> <3F7ADEEE.7080609@whoi.edu> Message-ID: <3F7AE1DA.6682ACF9@zip.com.au> Eric Cunningham wrote: > > > I would predict that login will fail again tomorrow, as it does for Jan, > > and with your info I probably learnt why :) > > You're correct. Today, sshd is reporting in syslog that my password has > expired and I can't login again. > > Is there a way around this when password aging needs to be in effect, > the system needs to remain Trusted and upgrading to 11.11 isn't a viable > option (for the time being)? Try this patch, it should get you going again. It's not ideal and a better solution (that won't affect platforms other than HP-UX) is needed. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: auth.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v retrieving revision 1.77 diff -u -p -r1.77 auth.c --- auth.c 2 Sep 2003 21:32:46 -0000 1.77 +++ auth.c 1 Oct 2003 03:45:17 -0000 @@ -112,7 +112,7 @@ allowed_user(struct passwd * pw) return 0; } - if (spw->sp_max != -1 && + if (spw->sp_max != -1 && spw->sp_max != 0 && today > spw->sp_lstchg + spw->sp_max) { logit("User %.100s password has expired (password aged)", pw->pw_name); From markus at openbsd.org Thu Oct 2 02:55:50 2003 
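Review bot: the added `spw->sp_max != 0` condition exempts every account whose sp_max field is 0 from the aged-password check on every shadow-password platform this code is compiled on, not only on the HP-UX Trusted-mode system the patch is meant to help; since the message itself says a solution that won't affect other platforms is still needed, the extra condition belongs under an HP-UX specific #ifdef or in the place where the HP-UX value is read, not in the generic `allowed_user()` test, so that a genuine sp_max of 0 elsewhere is still reported as "password has expired (password aged)".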
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 1 Oct 2003 18:55:50 +0200
Subject: Recent OpenSSL vulnerability require rebuild of OpenSSH
In-Reply-To: <20031001092450.GA10974@folly>
References: <20031001020119.GA79428@spuckler.il.thewrittenword.com> <20031001092450.GA10974@folly>
Message-ID: <20031001165550.GA7702@folly>

On Wed, Oct 01, 2003 at 11:24:50AM +0200, Markus Friedl wrote:
> recent openssh versions avoid the ASN.1 code
> from openssl. only reading of private
> keys uses this code, so openssh is not affected.

s/recent openssh versions/OpenSSH >= 3.5/

From michael.leelun at citigroup.com Thu Oct 2 03:37:56 2003
From: michael.leelun at citigroup.com (Lee-Lun, Michael [IT])
Date: Wed, 1 Oct 2003 13:37:56 -0400
Subject: openssh-3-7-1p2: scp issue from Cygwin Build
Message-ID:

I downloaded and compiled openssh-3.7.1p2 under Cygwin 1.5.5-1. SSH and SFTP work fine. However, when I try to use SCP I get the following error. Any ideas?

xmalloc: out of memory (allocating 1065029632 bytes)

But the file successfully makes it across?

Mike

From jason at dour.org Thu Oct 2 03:46:22 2003
From: jason at dour.org (Jason A. Dour)
Date: Wed, 1 Oct 2003 13:46:22 -0400
Subject: Recent OpenSSL vulnerability require rebuild of OpenSSH
In-Reply-To: <20031001165550.GA7702@folly>
References: <20031001020119.GA79428@spuckler.il.thewrittenword.com> <20031001092450.GA10974@folly> <20031001165550.GA7702@folly>
Message-ID: <20031001174622.GX24227@dour.org>

On Wed, Oct 01, 2003 at 06:55:50PM +0200, Markus Friedl wrote:
> On Wed, Oct 01, 2003 at 11:24:50AM +0200, Markus Friedl wrote:
> > recent openssh versions avoid the ASN.1 code
> > from openssl. only reading of private
> > keys uses this code, so openssh is not affected.
>
> s/recent openssh versions/OpenSSH >= 3.5/

Thank you. 8)

Cheers,
Jason

From michael.leelun at citigroup.com Thu Oct 2 03:53:31 2003
From: michael.leelun at citigroup.com (Lee-Lun, Michael [IT])
Date: Wed, 1 Oct 2003 13:53:31 -0400
Subject: openssh-3-7-1p2: scp issue from Cygwin Build
Message-ID:

Correction to this... The file does not make it over. It created the file but it is 0 bytes long.

Any help would be greatly appreciated!

Mike

-----Original Message-----
From: Lee-Lun, Michael [IT]
Sent: Wednesday, October 01, 2003 1:38 PM
To: openssh-unix-dev at mindrot.org
Subject: openssh-3-7-1p2: scp issue from Cygwin Build

I downloaded and compiled openssh-3.7.1p2 under Cygwin 1.5.5-1. SSH and SFTP work fine. However, when I try to use SCP I get the following error. Any ideas?

xmalloc: out of memory (allocating 1065029632 bytes)

But the file successfully makes it across?

Mike

From ecunningham at whoi.edu Thu Oct 2 05:12:10 2003
From: ecunningham at whoi.edu (Eric Cunningham) Date: Wed, 01 Oct 2003 15:12:10 -0400 Subject: SSHD 3.7.1p2 on HP-UX References: <3F789626.4040904@whoi.edu> <3F796091.9060209@hp.com> <3F797A7B.8070909@whoi.edu> <3F79AD48.3080701@hp.com> <3F7ADEEE.7080609@whoi.edu> <3F7AE1DA.6682ACF9@zip.com.au> Message-ID: <3F7B270A.9000902@whoi.edu> I tried the auth.c patch provided with the following results: - without http://bugzilla.mindrot.org/attachment.cgi?id=386&action=view applied, I'm back to getting "password has expired (password aged)" msgs from sshd. - with http://bugzilla.mindrot.org/attachment.cgi?id=386&action=view applied, I'm back to getting "account is locked" msgs from sshd. I tried resetting my password but still get "account is locked" msgs from sshd. -Eric > Try this patch, it should get you going again. It's not ideal and a > better solution (that won't affect platforms other than HP-UX) is needed. > > > > ------------------------------------------------------------------------ > > Index: auth.c > =================================================================== > RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v > retrieving revision 1.77 > diff -u -p -r1.77 auth.c > --- auth.c 2 Sep 2003 21:32:46 -0000 1.77 > +++ auth.c 1 Oct 2003 03:45:17 -0000 > @@ -112,7 +112,7 @@ allowed_user(struct passwd * pw) > return 0; > } > > - if (spw->sp_max != -1 && > + if (spw->sp_max != -1 && spw->sp_max != 0 && > today > spw->sp_lstchg + spw->sp_max) { > logit("User %.100s password has expired (password aged)", > pw->pw_name); From mstone at cs.loyola.edu Thu Oct 2 07:32:17 2003 
From: mstone at cs.loyola.edu (Michael Stone)
Date: Wed, 1 Oct 2003 17:32:17 -0400
Subject: Recent OpenSSL vulnerability require rebuild of OpenSSH
In-Reply-To: <20031001092450.GA10974@folly>
References: <20031001020119.GA79428@spuckler.il.thewrittenword.com> <20031001092450.GA10974@folly>
Message-ID: <20031001213217.GA2012@mathom.us>

A DoS attack in the ASN.1 code would only affect the child process anyway, would it not?

Mike Stone

From weingart at tepid.org Thu Oct 2 07:54:56 2003
From: weingart at tepid.org (Tobias Weingartner)
Date: Wed, 01 Oct 2003 15:54:56 -0600
Subject: OpenSSH idea...
Message-ID: <13963.1065045296@natasha.tepid.org>

I'm working at the UofA, and we use openssh all over the place (actually it's the only remote connection tool we use within our group's domain of influence. Save pop I suppose...).

Anyways, for various reasons we have UseDNS set to ``yes''. This however is about 50% of our connection problems that our users have. Cable and even the DSL ISP's around here suck when it comes to managing and actually keeping their DNS up-to-date.

Now, if the ssh client had a cookie of sorts (public key?) that it always sent (generated on first startup) when it connected to the server, I could envision a scenario where you would cache the tuple . The portion would be a "hard key", where both would need to match in the database. The portion should be configurable, in our case we would want at least one to match, and upon a mismatch in either the DNS or IP (DHCP client, or DNS fuckup), to add that entry into the database as well. Each entry in the database would have a lifetime, and this lifetime would be updated each time you hit the entry in the database.

If your tuple does not exist in the database, I could see sshd spitting back "Sorry, you're coming from a host/etc that you don't usually come from, please connect to https://foo.org/blahonga to authenticate further." and then closes the connection. Then on that web-site (or whatever the admin makes it spit back), you have a means to administer the cache entries. "So, you're coming in from a web cafe? Ok, set timeout to 1 day.", etc...

Is this sort of thing doable? Is it desirable? Was the above clear?

--Toby.

From dtucker at zip.com.au Thu Oct 2 10:02:42 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 02 Oct 2003 10:02:42 +1000
Subject: SSHD 3.7.1p2 on HP-UX
References: <3F789626.4040904@whoi.edu> <3F796091.9060209@hp.com> <3F797A7B.8070909@whoi.edu> <3F79AD48.3080701@hp.com> <3F7ADEEE.7080609@whoi.edu> <3F7AE1DA.6682ACF9@zip.com.au> <3F7B270A.9000902@whoi.edu>
Message-ID: <3F7B6B22.7B98C2A3@zip.com.au>

Eric Cunningham wrote:
>
> I tried the auth.c patch provided with the following results:
>
> - without
> http://bugzilla.mindrot.org/attachment.cgi?id=386&action=view applied,
> I'm back to getting "password has expired (password aged)" msgs from sshd.
>
> - with http://bugzilla.mindrot.org/attachment.cgi?id=386&action=view
> applied, I'm back to getting "account is locked" msgs from sshd. I tried
> resetting my password but still get "account is locked" msgs from sshd.

You need to run "autoreconf" to rebuild configure after applying that patch, then configure && make.

Alternatively you can run configure then comment out "#define DISABLE_SHADOW 1" from config.h before compiling.

--
Darren Tucker (dtucker at zip.com.au)

From majewski at cs.ubc.ca Thu Oct 2 10:21:45 2003
From: majewski at cs.ubc.ca (Chris Majewski)
Date: Thu, 02 Oct 2003 00:21:45 -0000
Subject: openssh-3.7.1p2: no pam_close_session() invocation
In-Reply-To:
References:
Message-ID:

Somebody posted about this on September 26th but I don't see a follow-up to the list: pam_close_session() doesn't seem to get called when PrivilegeSeparation is turned off. (Turning it on breaks other things, those details available on request).

Can one of the developers confirm that the original poster's patch is correct, and this will be fixed next time around? (Yes, I could try half-blindly hacking my source, but that seems pointless since a new version comes out every n days..)

-chris

From legrosd at yahoo.com Thu Oct 2 20:57:57 2003
From: legrosd at yahoo.com (David Legros)
Date: Thu, 2 Oct 2003 03:57:57 -0700 (PDT)
Subject: bug in configure script openssh 3.7.1p2
Message-ID: <20031002105757.24765.qmail@web11202.mail.yahoo.com>

Hi,

I recently downloaded openssh 3.7.1p2 to install it on a Linux RedHat, and I noticed that it was linked with libcrypt.so.1

It wasn't the case with previous versions, so I thought that was strange.

So I checked the configure script and noticed this strange "esac" on :

"configure" line 4021 of 17200 --23%-- col 2-9

I'm a security engineer and definitely not a script specialist, so maybe I'm wrong.

Could you please check and tell me ?

Best regards,
David LEGROS

From dtucker at zip.com.au Thu Oct 2 21:53:28 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 02 Oct 2003 21:53:28 +1000
Subject: bug in configure script openssh 3.7.1p2
References: <20031002105757.24765.qmail@web11202.mail.yahoo.com>
Message-ID: <3F7C11B8.C2E79A3C@zip.com.au>

David Legros wrote:
> I recently downloaded openssh 3.7.1p2 to install it on a Linux RedHat, and I noticed that it was
> linked with libcrypt.so.1
> It wasn't the case with previous versions, so I thought that was strange.

Since PAM is now a run-time option, all of the regular crypt() code is now linked in even when configured --with-pam.

> So I checked the configure script and noticed this strange "esac" on :
> "configure" line 4021 of 17200 --23%-- col 2-9

"esac" is the opposite of "case" and it's supposed to be there. It's from this fragment of configure.ac:

	case `uname -r` in
	1.*|2.0.*)
		AC_DEFINE(BROKEN_CMSG_TYPE)
		;;
	esac

That just defines BROKEN_CMSG_TYPE on Linux 1.x and 2.0 kernels, which is required for privsep to work.

--
Darren Tucker (dtucker at zip.com.au)

From dmanton at emea.att.com Thu Oct 2 22:10:58 2003
From: dmanton at emea.att.com (Manton, Doug)
Date: Thu, 2 Oct 2003 13:10:58 +0100
Subject: User unable to log into Solaris when password has been expired by root
Message-ID:

I have a question.

Our process for creating a new user account on our Solaris systems is to force expire (passwd -f) the user's password so they have to choose their own when they log in. However, since building OpenSSH 3.7.1p2 I find that new users are unable to log in with the following syslog messages:

Oct 2 12:37:42 hostname sshd[1754]: User tester password has expired (root forced)
Oct 2 12:37:42 hostname sshd[1754]: Failed none for illegal user tester from 10.10.67.135 port 33595 ssh2
Oct 2 12:37:45 hostname sshd[1754]: Failed password for illegal user tester from 10.10.67.135 port 33595 ssh2

What is the rationale behind this behaviour? It's not like I have locked the account -- how can I ensure my new users get access? Can I simply modify the test in auth.c or is there a 'proper' way to achieve the desired behaviour?

Many thanks,

---
Doug Manton, Managed Security Services
AT&T Business, Building 6000 Langstone Technology Park, Havant, United Kingdom

From dtucker at zip.com.au Thu Oct 2 22:22:18 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 02 Oct 2003 22:22:18 +1000
Subject: User unable to log into Solaris when password has been expired by root
References:
Message-ID: <3F7C187A.DF7C7225@zip.com.au>

"Manton, Doug" wrote:
>
> I have a question.
>
> Our process for creating a new user account on our Solaris systems is to
> force expire (passwd -f) the user's password so they have to choose their own
> when they log in. However, since building OpenSSH 3.7.1p2 I find that new
> users are unable to log in with the following syslog messages:
>
> Oct 2 12:37:42 hostname sshd[1754]: User tester password has expired
> (root forced)
> Oct 2 12:37:42 hostname sshd[1754]: Failed none for illegal user tester
> from 10.10.67.135 port 33595 ssh2
> Oct 2 12:37:45 hostname sshd[1754]: Failed password for illegal user
> tester from 10.10.67.135 port 33595 ssh2
>
> What is the rationale behind this behaviour? It's not like I have locked
> the account -- how can I ensure my new users get access? Can I simply
> modify the test in auth.c or is there a 'proper' way to achieve the desired
> behaviour?

Strictly speaking, it's because sshd supports password expiry (ie it knows that the password is expired), but doesn't (yet) support forcing changes of expired passwords.

Supporting that has been a work-in-progress for, oh, about a year now :-) It should be fixed soon. Really. I mean it this time.

Until then, you can apply the password expiry patch here:
http://www.zip.com.au/~dtucker/openssh/

--
Darren Tucker (dtucker at zip.com.au)

From markus at openbsd.org Fri Oct 3 00:29:50 2003
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 2 Oct 2003 16:29:50 +0200
Subject: Recent OpenSSL vulnerability require rebuild of OpenSSH
In-Reply-To: <20031001213217.GA2012@mathom.us>
References: <20031001020119.GA79428@spuckler.il.thewrittenword.com> <20031001092450.GA10974@folly> <20031001213217.GA2012@mathom.us>
Message-ID: <20031002142950.GA2255@folly>

On Wed, Oct 01, 2003 at 05:32:17PM -0400, Michael Stone wrote:
> A DoS attack in the ASN.1 code would only affect the child process
> anyway, would it not?

yes, it would not affect the listening process.

From aagnello at us.ibm.com Fri Oct 3 03:28:37 2003
From: aagnello at us.ibm.com (Anthony Agnello)
Date: Thu, 2 Oct 2003 13:28:37 -0400
Subject: Connection drops after entering password.
Message-ID:

Has anyone seen the error that I'm getting below? After you ssh to the box and enter the password the connection just closes.

SSH Version
{ root at xxxxxxxx} # ssh -V
OpenSSH_3.7p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003

OS Version
{ root at xxxxxxxx } # oslevel -r
AIX 4330-09

SSH Connect Failure
{ root at xxxxxxxxx } # ssh -l xxxxxxxxx -v localhost
OpenSSH_3.7p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /.ssh/identity type -1
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.7p1
debug1: match: OpenSSH_3.7p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'localhost' is known and matches the DSA host key.
debug1: Found key in /.ssh/known_hosts:2
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/identity
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
aagnello at localhost's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: channel 0: free: client-session, nchannels 1
Connection to localhost closed by remote host.
Connection to localhost closed.
debug1: Transferred: stdin 0, stdout 0, stderr 81 bytes in 0.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 3480.0
debug1: Exit status -1

/var/adm/messages
Oct 2 13:05:29 xxxxxxxxx sshd[18860]: Accepted password for xxxxxxxxx xxx.xxx.xxx port 1775 ssh2
Oct 2 13:05:29 xxxxxxxxx sshd[21276]: fatal: Failed to set process credentials

Thanks,

Tony Agnello
UNIX Technical Services
IBM Global Services - SDC Northeast
1701 North St, Endicott, NY 13760

From Steve.Belt at motorola.com Fri Oct 3 03:53:28 2003
From: Steve.Belt at motorola.com (Steve Belt (rgpg70))
Date: Thu, 02 Oct 2003 12:53:28 -0500
Subject: Permission denied (publickey,password,keyboard-interactive)
Message-ID: <3F7C6618.7CBDCA4F@motorola.com>

Hello,

I have recently downloaded and compiled openssh-3.7.1p2 on both HP-UX 10.20 and HP-UX 11.00. The compile went fine. Logging in on the system used for the build works fine. However, logging in on a different system (where the newly compiled openssh is installed) results in the following error:

Permission denied (publickey,password,keyboard-interactive).

I have tried several things I found in some other threads:

ChallengeResponseAuthentication to "no"
UsePam no

then I get the following:

Permission denied (publickey,password).

Why would it work for one system and not another with the same OS? I did not use the PAM option for the 10.20 compile (could not find the pam headers), but did for the 11.00 compile.

Thanks in advance,
Steve

--
Steve "Wheat" Belt
Motorola, Inc.
Steve.Belt at motorola.com
6501 William Cannon Dr. West, MD OE341
512-895-2268
Austin, TX 78735

From iqbala at qwestip.net Fri Oct 3 06:32:56 2003
From: iqbala at qwestip.net (Asif Iqbal)
Date: Thu, 2 Oct 2003 16:32:56 -0400 (EDT)
Subject: OpenSSL vulnerability...
In-Reply-To: <20030930204127.GA27487@folly>
Message-ID:

On Tue, 30 Sep 2003, Markus Friedl wrote:
> On Tue, Sep 30, 2003 at 12:06:30PM -0500, hayward at slothmud.org wrote:
> > Does OpenSSH use OpenSSL in a way in which it would be vulnerable to the
> > OpenSSL vulnerabilities announced today? Namely the ASN.1 parsing
> > problem and the malformed key bugs?
>
> no, we avoid the OpenSSL ASN.1 code for signature verification
> and we don't support x509.
>
> only reading of _private_ keys triggers the ASN.1 code
> in OpenSSH.

Does this statement encompass login with RSA keys ?

--
Asif Iqbal
http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x8B686E08
There's no place like 127.0.0.1

From quellyn at lanl.gov Fri Oct 3 09:39:47 2003
From: quellyn at lanl.gov (Quellyn Snead)
Date: Thu, 02 Oct 2003 23:39:47 -0000
Subject: pam_krb5 errors on OpenSSH3.6.1p2
Message-ID: <1065138176.1665.18.camel@gallifrey.lanl.gov>

A few weeks ago, we upgraded our Red Hat 7.3 and 9 machines to OpenSSH 3.6.1p2 w/ the corresponding version of Simon's GSSAPI patch. All the expected functionality seems to be there: I can ssh/scp/sftp via Kerberos tickets or local password. However, I seem to be getting a new error message in my logs:

For Red Hat 7.3:

Message from syslogd at gallifrey at Thu Oct 2 17:24:12 2003 ...
gallifrey sshd[1758]: pam_krb5: authenticate error: Input/output error (5)

And On Red Hat 9:

Message from syslogd at k9 at Thu Oct 2 13:13:17 2003 ...
k9 sshd[25855]: pam_krb5: authenticate error: Preauthentication failed (-1765328360)

This occurs whether I am using a Kerberos ticket to get in or simply trying local password. It seems to be a spurious (?) message, as I am always authenticated each time, but it sure is fattening up my logs. Anybody else see this problem, perchance?

--
Quellyn L. Snead
UNIX Effort Team ( unixeffort at lanl.gov )
CCN-2 Enterprise Software Management Team
Los Alamos National Laboratory
(505) 667-4185 Schedule B

From dtucker at zip.com.au Fri Oct 3 12:57:17 2003
From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 03 Oct 2003 12:57:17 +1000 Subject: Connection drops after entering password. References: Message-ID: <3F7CE58D.254DF034@zip.com.au> Anthony Agnello wrote: > > Has anyone seen the error that I'm getting below? After you ssh to the box > and enter the password the connection just closes. > > SSH Version > { root at xxxxxxxx} # ssh -V > OpenSSH_3.7p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003 > > OS Version > { root at xxxxxxxx } # oslevel -r > AIX 4330-09 [snip] > /var/adm/messages > Oct 2 13:05:29 xxxxxxxxx sshd[18860]: Accepted password for xxxxxxxxx > xxx.xxx.xxx port 1775 ssh2 > Oct 2 13:05:29 xxxxxxxxx sshd[21276]: fatal: Failed to set process > credentials The call to setpcred() is failing for some reason. Does it happen for all accounts or only some? Do those accounts work OK with telnet? You can try the attached patch which will make the error non-fatal and log the errno returned, which might help figure out what's going on. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: session.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/session.c,v retrieving revision 1.257 diff -u -p -r1.257 session.c --- session.c 2 Oct 2003 10:07:09 -0000 1.257 +++ session.c 3 Oct 2003 02:53:35 -0000 @@ -1229,7 +1229,8 @@ do_setusercontext(struct passwd *pw) #ifdef HAVE_SETPCRED if (setpcred(pw->pw_name, (char **)NULL) == -1) - fatal("Failed to set process credentials"); + error("Failed to set process credentials: %s", + strerror(errno)); #endif /* HAVE_SETPCRED */ #ifdef HAVE_LOGIN_CAP # ifdef __bsdi__ From dtucker at zip.com.au Fri Oct 3 13:33:40 2003 
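Review bot: replacing fatal() with error() lets the session continue after setpcred() has failed, i.e. with the user's process credentials (and whatever limits and environment setpcred would have applied) not set, which is acceptable for the diagnostic run this was sent for but should not be committed as-is; for the permanent change keep the abort and only add the detail, e.g. `fatal("Failed to set process credentials: %s", strerror(errno));`. The strerror(errno) call is adjacent to the failing setpcred() in the hunk, so errno is still meaningful there.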
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 03 Oct 2003 13:33:40 +1000
Subject: Permission denied (publickey,password,keyboard-interactive)
References: <3F7C6618.7CBDCA4F@motorola.com>
Message-ID: <3F7CEE14.7A92965A@zip.com.au>

"Steve Belt (rgpg70)" wrote:
> I have recently downloaded and compiled openssh-3.7.1p2 on both HP-UX
> 10.20 and HP-UX 11.00. The compile went fine. Logging in on the system
> used for the build works fine. However, logging in on a different
> system (where the newly compiled openssh is installed) results in the
> following error:
[snip]
> Why would it work for one system and not another with the same OS?

Probably because one system uses normal /etc/passwd and the other uses trusted mode or shadow passwords. Try this patch.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

-------------- next part --------------
Index: auth.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v retrieving revision 1.77 diff -u -p -r1.77 auth.c --- auth.c 2 Sep 2003 21:32:46 -0000 1.77 +++ auth.c 3 Oct 2003 03:31:46 -0000 @@ -112,7 +112,7 @@ allowed_user(struct passwd * pw) return 0; } - if (spw->sp_max != -1 && + if (spw->sp_max != -1 && spw->sp_max != 0 && today > spw->sp_lstchg + spw->sp_max) { logit("User %.100s password has expired (password aged)", pw->pw_name);

From iqbala at qwestip.net Fri Oct 3 16:06:51 2003
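Review bot: the added `spw->sp_max != 0` clause only makes sense together with the unchanged second line of the condition, `today > spw->sp_lstchg + spw->sp_max`: when aging was never configured and sp_max (and usually sp_lstchg) read as 0, that comparison is true for every account, which is exactly the spurious "password has expired (password aged)" rejection this thread is about. The hunk should say so in a short comment next to the new clause, since a zero sp_max meaning "aging not set" is not obvious from shadow(5) alone, and the change should be checked against a record where aging really is configured so that a genuine expiry is still caught.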
From: iqbala at qwestip.net (Asif Iqbal)
Date: Fri, 3 Oct 2003 02:06:51 -0400 (EDT)
Subject: OpenSSL vulnerability...
In-Reply-To:
Message-ID:

On Thu, 2 Oct 2003, Asif Iqbal wrote:

> On Tue, 30 Sep 2003, Markus Friedl wrote:
>
> > On Tue, Sep 30, 2003 at 12:06:30PM -0500, hayward at slothmud.org wrote:
> > > Does OpenSSH use OpenSSL in a way in which it would be vulnerable to the
> > > OpenSSL vulnerabilities announced today? Namely the ASN.1 parsing
> > > problem and the malformed key bugs?
> >
> > no, we avoid the OpenSSL ASN.1 code for signature verification
> > and we don't support x509.
> >
> > only reading of _private_ keys triggers the ASN.1 code
> > in OpenSSH.
>
> Does this statement encompass login with RSA keys ?

In other words, does this vulnerability of OpenSSL make RSA Key Authentication in OpenSSH vulnerable as well?

Thanks

-- 
Asif Iqbal
http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x8B686E08
There's no place like 127.0.0.1

From dtucker at zip.com.au Fri Oct 3 16:54:22 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 03 Oct 2003 16:54:22 +1000
Subject: pam_krb5 errors on OpenSSH3.6.1p2
References: <1065138176.1665.18.camel@gallifrey.lanl.gov>
Message-ID: <3F7D1D1E.18D99432@zip.com.au>

Quellyn Snead wrote:
>
> A few weeks ago, we upgraded our Red Hat 7.3 and 9 machines to OpenSSH
> 3.6.1p2 w/ the corresponding version of Simon's GSSAPI patch.
>
> All the expected functionality seems to be there: I can ssh/scp/sftp via
> Kerberos tickets or local password. However, I seem to be getting a new
> error message in my logs:
>
> For Red Hat 7.3:
>
> Message from syslogd at gallifrey at Thu Oct 2 17:24:12 2003 ...
> gallifrey sshd[1758]: pam_krb5: authenticate error: Input/output error
[snip]

This sounds like the owl-always-auth change. There's a discussion and patch for 3.6.1p2 in this Debian bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=192207

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From Nick_Chi at manulife.com Fri Oct 3 19:00:51 2003
From: Nick_Chi at manulife.com (Nick_Chi at manulife.com)
Date: Fri, 3 Oct 2003 17:00:51 +0800
Subject: OpenSSH 3.7.1p2 with OpenSSL 0.9.7c installation on HP-UX 11.0 enquiry?
Message-ID:

Dear All,

I can install OpenSSH 3.7.1p2 with OpenSSL 0.9.7c on HP-UX 11.0 without problem. However, I find that all valid accounts are treated as "locked" (even when specifying "AllowUsers USER1" in sshd_config) and can't make an SSH connection to the server.

Here is the message shown in syslog.log.

Oct 3 16:49:17 SERVER_NAME sshd[12994]: User USER1 not allowed because account is locked
Oct 3 16:49:21 SERVER_NAME sshd[12993]: Connection closed by CLIENT_IP_ADDRESS
Oct 3 16:49:22 SERVER_NAME sshd[12994]: Failed password for illegal user USER1 from CLIENT_IP_ADDRESS port CLIENT_PORT

Any idea? Thanks.

Best Regards,
Nick CHI
Regional Technology Team, Regional I.T., I.T. Asia, Manulife International Limited
Tel: (852) 2510 3273 Fax: (852) 2510 0244
Email: Nick_Chi at manulife.com

==========================================================
This message is confidential and may also be privileged. If you are not the intended recipient, please notify me by return e-mail and delete this message from your system. If you are not the intended recipient, any use by you of this message is strictly prohibited.

From dtucker at zip.com.au Fri Oct 3 19:19:46 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 03 Oct 2003 19:19:46 +1000
Subject: OpenSSH 3.7.1p2 with OpenSSL 0.9.7c installation on HP-UX 11.0 enquiry?
References:
Message-ID: <3F7D3F32.174E7B0A@zip.com.au>

Nick_Chi at manulife.com wrote:
> I can install OpenSSH 3.7.1p2 with OpenSSL 0.9.7c on HP-UX 11.0 without
> problem.
> However, I find that all valid accounts are treated as "locked" (even
> specify "AllowUsers USER1" in sshd_config) and can't make SSH connection to
> the server.
>
> Here is the message shown in syslog.log.
>
> Oct 3 16:49:17 SERVER_NAME sshd[12994]: User USER1 not allowed because
> account is locked
> Oct 3 16:49:21 SERVER_NAME sshd[12993]: Connection closed by
> CLIENT_IP_ADDRESS
> Oct 3 16:49:22 SERVER_NAME sshd[12994]: Failed password for illegal user
> USER1 from CLIENT_IP_ADDRESS port CLIENT_PORT

Try a snapshot (but avoid 20031002 as PAM is broken), as this has been fixed.

You may also have a problem with sshd claiming that the password is expired; you can apply this patch for that.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

-------------- next part --------------
Index: auth.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v retrieving revision 1.77 diff -u -p -r1.77 auth.c --- auth.c 2 Sep 2003 21:32:46 -0000 1.77 +++ auth.c 3 Oct 2003 03:31:46 -0000 @@ -112,7 +112,7 @@ allowed_user(struct passwd * pw) return 0; } - if (spw->sp_max != -1 && + if (spw->sp_max != -1 && spw->sp_max != 0 && today > spw->sp_lstchg + spw->sp_max) { logit("User %.100s password has expired (password aged)", pw->pw_name);

From libove at felines.org Fri Oct 3 21:36:12 2003
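Review bot: this is the same allowed_user() hunk already posted in the "Permission denied" thread, and it changes only the password-aging branch (the `password has expired (password aged)` path); the `not allowed because account is locked` message in the quoted syslog comes from a different check that this hunk does not touch, so the patch description should state that it addresses only the expiry false positive and that the locked-account symptom needs the snapshot mentioned in the reply, otherwise someone applying just this diff will expect both messages to go away.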
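The two auth.c patches in this thread (the one posted for the HP-UX 10.20/11.00 "Permission denied" report and the identical one attached here) change a single condition in allowed_user(). The program below is an added illustration written for this page, not OpenSSH code: it models that expiry check before and after the patch over a few constructed shadow records. The field names mirror struct spwd (sp_lstchg, sp_max) but the struct, the sample records and the constant TODAY are defined locally and are the example's own, so it builds without shadow(5) support.

```c
#include <stdio.h>

/*
 * Local stand-in for the two struct spwd fields the auth.c check reads.
 * Defined here instead of including <shadow.h> so the example builds on
 * systems without shadow passwords. Both fields are in days since
 * 1970-01-01, as in shadow(5); sp_max == -1 means "no aging".
 */
struct shadow_rec {
    const char *name;
    long sp_lstchg;   /* day the password was last changed */
    long sp_max;      /* maximum days the password stays valid */
};

/* allowed_user() expiry test as it read before the patch. */
static int expired_before_patch(const struct shadow_rec *spw, long today)
{
    return spw->sp_max != -1 &&
        today > spw->sp_lstchg + spw->sp_max;
}

/* The same test with the patch applied: a zero sp_max now also means
 * "aging not configured", which is how an unset field reads on the
 * HP-UX hosts described in the thread. */
static int expired_after_patch(const struct shadow_rec *spw, long today)
{
    return spw->sp_max != -1 && spw->sp_max != 0 &&
        today > spw->sp_lstchg + spw->sp_max;
}

/* Constructed sample records; 12328 is 2003-10-03 as days since the epoch. */
static const long TODAY = 12328;
static const struct shadow_rec SAMPLES[] = {
    { "unset_fields", 0,     0  },  /* aging never configured: both 0   */
    { "no_aging",     12000, -1 },  /* aging explicitly disabled        */
    { "fresh",        12300, 90 },  /* changed 28 days ago, 90-day max  */
    { "aged",         12000, 90 },  /* changed 328 days ago, 90-day max */
};
#define NSAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

/* Records the old check rejects as expired but the patched one accepts:
 * the false positives the patch removes. */
static int false_expiries(long today)
{
    int n = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        if (expired_before_patch(&SAMPLES[i], today) &&
            !expired_after_patch(&SAMPLES[i], today))
            n++;
    return n;
}

int main(void)
{
    printf("%-14s %8s %7s  %-8s %-8s\n",
        "account", "lstchg", "max", "before", "after");
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("%-14s %8ld %7ld  %-8s %-8s\n", SAMPLES[i].name,
            SAMPLES[i].sp_lstchg, SAMPLES[i].sp_max,
            expired_before_patch(&SAMPLES[i], TODAY) ? "EXPIRED" : "ok",
            expired_after_patch(&SAMPLES[i], TODAY) ? "EXPIRED" : "ok");
    printf("false expiries removed by the patch: %d\n", false_expiries(TODAY));
    return 0;
}
```

The "unset_fields" record is the interesting one: with sp_lstchg and sp_max both 0, `today > 0 + 0` holds for every account, so the unpatched check reports every login as expired, while a record that has genuinely aged out ("aged") is still rejected by both versions.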
From: libove at felines.org (Jay Libove)
Date: Fri, 3 Oct 2003 07:36:12 -0400
Subject: 3.6.1p2 plus buffer overflow vulnerabilities patch, sufficient?
Message-ID:

Because of the high volume of discussion of various minor or somewhat serious problems and incompatibilities introduced in the 3.7x series, I prefer to stay with 3.6.1p2 plus the buffer overflow vulnerabilities patch for a while.

Are there any other security changes introduced in the 3.7x series from 3.6.1p2 other than the back-ported patch for the buffer overflow vulnerabilities announced a few weeks ago?

Thanks
-Jay

From ekcheu at uncg.edu Fri Oct 3 23:14:23 2003
From: ekcheu at uncg.edu (ERIC K. CHEU)
Date: Fri, 3 Oct 2003 09:14:23 -0400 (EDT)
Subject: openssh 3.7.1p2 afs/pam issues
In-Reply-To:
Message-ID:

This is what happens when I put only this in the /etc/pam.conf file:

sshd auth optional /usr/lib/security/pam_afs.krb.so.1 ignore_root

(mind you, this line works okay with AFS accounts on the previous version of openssh):

debug1: Allocating pty.
debug1: session_new: init
debug1: session_new: session 0
debug1: session_pty_req: session 0 alloc /dev/pts/0
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: PAM: setting PAM_TTY to "/dev/pts/0"
debug1: here 2
debug1: PAM: establishing credentials
PAM: pam_setcred(): Authentication failed
debug1: Calling cleanup 0x3a3dc(0x1279e4)
debug1: Calling cleanup 0x476d8(0x0)
debug1: session_by_tty: session 0 tty /dev/pts/0
debug1: channel 0: free: server-session, nchannels 1
debug1: session_pty_cleanup: session 0 release /dev/pts/0
debug1: Calling cleanup 0x4f5e0(0x0)
debug1: Calling cleanup 0x44404(0x0)
debug1: PAM: cleanup
debug1: Calling cleanup 0x44404(0x0)
debug1: PAM: cleanup

client:
AFS Password:
Connection to waterfall closed by remote host.
Connection to waterfall closed.
--------------

So credentials are not being set somehow (maybe an incompatible ticket or something?). I put the line "here 2" to see where it was failing. Looks like the second instance where do_pam_setcred(1) is being called after the tty is being set (around line 528 of session.c).

From tom at umsl.edu Sat Oct 4 01:25:27 2003
From: tom at umsl.edu (Tom Schaefer)
Date: Fri, 3 Oct 2003 10:25:27 -0500
Subject: 3.7.1p1 and PAM
Message-ID: <20031003102527.3ea5f91c.tom@umsl.edu>

>Any chance of using putty or some such thing, instead?? It doesn't seem
>to be b0rk3n.

Well yes, that's what I ended up doing this week, converting all those MS Windows clients. But not to Putty, to Openssh! There is actually a MS Windows binary distribution of Openssh, complete with an installer, available at http://lexa.mckenna.edu/sshwindows/

Tom Schaefer

From ekcheu at uncg.edu Sat Oct 4 01:35:39 2003
From: ekcheu at uncg.edu (ERIC K. CHEU)
Date: Fri, 3 Oct 2003 11:35:39 -0400 (EDT)
Subject: openssh 3.7.1p2 afs/pam issues
In-Reply-To:
References:
Message-ID:

When I put set_token in my /etc/pam.conf file, I do manage to get tickets, but it is always owned by root and not by my uid. Is this why I am not able to get tokens? Having the ticket owned by root also causes other problems if not so (like using imsh with pine to automatically log into the imap server).

From alex at 3fn.net Sun Oct 5 00:18:09 2003
From: alex at 3fn.net (alex)
Date: Sat, 4 Oct 2003 17:18:09 +0300
Subject: pam problem in openssh-3.7.1p2
Message-ID: <200310041718.09503.alex@3fn.net>

ok, here the log

+root at alex ~/ssh+ ls -al
total 1604
drwxr-xr-x 2 root wheel 512 Oct 4 17:03 .
drwxr-xr-x 16 root wheel 1024 Oct 4 17:02 ..
-rw------- 1 root wheel 791161 Sep 22 15:06 openssh-3.7.1p1.tar.gz
-rw------- 1 root wheel 792280 Sep 25 15:00 openssh-3.7.1p2.tar.gz
+root at alex ~/ssh+ tar xzf openssh-3.7.1p2.tar.gz
+root at alex ~/ssh+ cd openssh-3.7.1p2
+root at alex ~/ssh/openssh-3.7.1p2+ ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam | grep PAM
configure: WARNING: Make sure the path to scp is in /etc/login.conf
PAM support: yes
PAM is enabled. You may need to install a PAM control file
Example PAM control files can be found in the contrib/
+root at alex ~/ssh/openssh-3.7.1p2+ make > /dev/null
uuencode.c: In function `uuencode':
uuencode.c:35: warning: implicit declaration of function `__b64_ntop'
uuencode.c: In function `uudecode':
uuencode.c:53: warning: implicit declaration of function `__b64_pton'
session.c: In function `do_setup_env':
session.c:975: warning: unused variable `path'
auth-pam.c:56:1: warning: "__unused" redefined
In file included from /usr/include/stdio.h:43,
                 from includes.h:24,
                 from auth-pam.c:33:
/usr/include/sys/cdefs.h:139:1: warning: this is the location of the previous definition
+root at alex ~/ssh/openssh-3.7.1p2+ killall sshd
+root at alex ~/ssh/openssh-3.7.1p2+ ./sshd -Ddddddddddddd
... bla bla bla ...

in another terminal: ssh 127.0.0.1

debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: mm_sshpam_init_ctx
debug3: mm_request_send entering: type 46
debug3: monitor_read: checking request 46
debug3: mm_answer_pam_init_ctx
debug3: mm_request_send entering: type 47
debug3: mm_request_receive entering
debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX
debug3: mm_request_receive_expect entering: type 47
debug3: mm_request_receive entering
debug3: mm_sshpam_init_ctx: pam_init_ctx failed
Failed keyboard-interactive for root from 127.0.0.1 port 50684 ssh2
...

so pam doesn't work
but !!!
do absolutely the same with openssh-3.7.1p1 and it works wonderfully, why ?

+root at alex ~+ uname -a
FreeBSD alex.3fn.net 5.1-RELEASE FreeBSD 5.1-RELEASE #0: Wed Sep 17 22:20:52 EEST 2003 root at alex.ukr.net:/usr/src/sys/i386/compile/TEST i386

use same config & pam.d/sshd with both test openssh-3.7.1p1 & openssh-3.7.1p2

+root at alex ~/ssh/openssh-3.7.1p2+ grep Chall /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
+root at alex ~+ cat /etc/pam.d/sshd
...
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
...

we need pam, pls help
best regards
Alex

From markus at openbsd.org Sun Oct 5 00:57:59 2003
From: markus at openbsd.org (Markus Friedl)
Date: Sat, 4 Oct 2003 16:57:59 +0200
Subject: OpenSSL vulnerability...
In-Reply-To:
References:
Message-ID: <20031004145759.GB28638@folly>

On Fri, Oct 03, 2003 at 02:06:51AM -0400, Asif Iqbal wrote:
> On Thu, 2 Oct 2003, Asif Iqbal wrote:
>
> > On Tue, 30 Sep 2003, Markus Friedl wrote:
> >
> > > On Tue, Sep 30, 2003 at 12:06:30PM -0500, hayward at slothmud.org wrote:
> > > > Does OpenSSH use OpenSSL in a way in which it would be vulnerable to the
> > > > OpenSSL vulnerabilities announced today? Namely the ASN.1 parsing
> > > > problem and the malformed key bugs?
> > >
> > > no, we avoid the OpenSSL ASN.1 code for signature verification
> > > and we don't support x509.
> > >
> > > only reading of _private_ keys triggers the ASN.1 code
> > > in OpenSSH.
> >
> > Does this statement encompass login with RSA keys ?
>
> In other words, does this vulnerability of OpenSSL make RSA Key Authentication
> in OpenSSH vulnerable as well?

no. i wrote: we avoid the OpenSSL ASN.1 code for signature verification

From markus at openbsd.org Sun Oct 5 01:00:35 2003
From: markus at openbsd.org (Markus Friedl)
Date: Sat, 4 Oct 2003 17:00:35 +0200
Subject: OpenSSL vulnerability...
In-Reply-To:
References: <20030930204127.GA27487@folly>
Message-ID: <20031004150035.GC28638@folly>

On Thu, Oct 02, 2003 at 04:32:56PM -0400, Asif Iqbal wrote:
> On Tue, 30 Sep 2003, Markus Friedl wrote:
>
> > On Tue, Sep 30, 2003 at 12:06:30PM -0500, hayward at slothmud.org wrote:
> > > Does OpenSSH use OpenSSL in a way in which it would be vulnerable to the
> > > OpenSSL vulnerabilities announced today? Namely the ASN.1 parsing
> > > problem and the malformed key bugs?
> >
> > no, we avoid the OpenSSL ASN.1 code for signature verification
> > and we don't support x509.
> >
> > only reading of _private_ keys triggers the ASN.1 code
> > in OpenSSH.
>
> Does this statement encompass login with RSA keys ?

the 1st: yes

2nd: sshd reads _private_ keys only when reading the hostkey.

From mouring at etoh.eviladmin.org Sun Oct 5 05:23:25 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sat, 4 Oct 2003 14:23:25 -0500 (CDT)
Subject: pam problem in openssh-3.7.1p2
In-Reply-To: <200310041718.09503.alex@3fn.net>
Message-ID:

Set 'UsePAM yes' in your sshd_config. The default is now 'UsePAM no'.

- Ben

On Sat, 4 Oct 2003, alex wrote:

> ok, here the log
> +root at alex ~/ssh+ ls -al
> total 1604
> drwxr-xr-x 2 root wheel 512 Oct 4 17:03 .
> drwxr-xr-x 16 root wheel 1024 Oct 4 17:02 ..
> -rw------- 1 root wheel 791161 Sep 22 15:06 openssh-3.7.1p1.tar.gz
> -rw------- 1 root wheel 792280 Sep 25 15:00 openssh-3.7.1p2.tar.gz
> +root at alex ~/ssh+ tar xzf openssh-3.7.1p2.tar.gz
> +root at alex ~/ssh+ cd openssh-3.7.1p2
> +root at alex ~/ssh/openssh-3.7.1p2+ ./configure --prefix=/usr
> --sysconfdir=/etc/ssh --with-pam | grep PAM
> configure: WARNING: Make sure the path to scp is in /etc/login.conf
> PAM support: yes
> PAM is enabled. You may need to install a PAM control file
> Example PAM control files can be found in the contrib/
> +root at alex ~/ssh/openssh-3.7.1p2+ make > /dev/null
> uuencode.c: In function `uuencode':
> uuencode.c:35: warning: implicit declaration of function `__b64_ntop'
> uuencode.c: In function `uudecode':
> uuencode.c:53: warning: implicit declaration of function `__b64_pton'
> session.c: In function `do_setup_env':
> session.c:975: warning: unused variable `path'
> auth-pam.c:56:1: warning: "__unused" redefined
> In file included from /usr/include/stdio.h:43,
> from includes.h:24,
> from auth-pam.c:33:
> /usr/include/sys/cdefs.h:139:1: warning: this is the location of the previous
> definition
> +root at alex ~/ssh/openssh-3.7.1p2+ killall sshd
> +root at alex ~/ssh/openssh-3.7.1p2+ ./sshd -Ddddddddddddd
> ... bla bla bla ...
> in another terminal: ssh 127.0.0.1
> debug1: auth2_challenge_start: trying authentication method 'pam'
> debug3: mm_sshpam_init_ctx
> debug3: mm_request_send entering: type 46
> debug3: monitor_read: checking request 46
> debug3: mm_answer_pam_init_ctx
> debug3: mm_request_send entering: type 47
> debug3: mm_request_receive entering
> debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX
> debug3: mm_request_receive_expect entering: type 47
> debug3: mm_request_receive entering
> debug3: mm_sshpam_init_ctx: pam_init_ctx failed
> Failed keyboard-interactive for root from 127.0.0.1 port 50684 ssh2
> ...
> so pam don't work
> but !!!
> do absolutily the same with openssh-3.7.1p1 and it work wonderfull,
> why ?
> +root at alex ~+ uname -a
> FreeBSD alex.3fn.net 5.1-RELEASE FreeBSD 5.1-RELEASE #0: Wed Sep 17 22:20:52
> EEST 2003 root at alex.ukr.net:/usr/src/sys/i386/compile/TEST i386
>
> use same config & pam.d/sshd with both test openssh-3.7.1p1 & openssh-3.7.1p2
> +root at alex ~/ssh/openssh-3.7.1p2+ grep Chall /etc/ssh/sshd_config
> ChallengeResponseAuthentication yes
> +root at alex ~+ cat /etc/pam.d/sshd
> ...
> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
> ...
>
> whe need pam, pls help
> best regards
> Alex
>

From pauli.borodulin at uta.fi Sun Oct 5 05:29:36 2003
From: pauli.borodulin at uta.fi (Pauli Borodulin)
Date: Sat, 04 Oct 2003 22:29:36 +0300
Subject: Problem with OpenSSH =>3.7p1 on Linux \w Linux-PAM 0.77
Message-ID: <3F7F1FA0.6060401@uta.fi>

Hello,

I'm currently running OpenSSH 3.6.1p2 successfully on older Slackware Linux. Glibc in use is 2.2.2 and Linux-PAM 0.77. I have been compiling OpenSSH for a couple of years until now with options

--sysconfdir=/etc/ssh --with-ipv4-default --with-pam \
--without-shadow --disable-suid-ssh

Unfortunately, upgrading to =>3.7p1 makes PAM-authentication fail. Authentication simply fails every time I try to log in. Even running "sshd -ddd" it only prints line "Failed password..." or similar on failure so debugging is hard. Sure, I remembered to add "UsePAM yes" to my sshd_config.

I tried removing PAM-file for sshd to see if PAM is even called at all. It seems that it is not. I have "other"-file which logs PAM-warn in syslog, but I didn't get it at all. 3.6.1p2 logs warning correctly from PAM this way.

I wondered if anyone would know what change in code would cause this problem. I tried running diff across 3.6.1p2 and 3.7p1 but there are way too many changes for me to be able to go thru' them.

Best regards,
-- 
Pauli Borodulin

From dan at doxpara.com Sun Oct 5 07:55:49 2003
From: dan at doxpara.com (Dan Kaminsky)
Date: Sat, 04 Oct 2003 17:55:49 -0400
Subject: OpenSSL vulnerability...
In-Reply-To: <20031004150035.GC28638@folly>
References: <20030930204127.GA27487@folly> <20031004150035.GC28638@folly>
Message-ID: <3F7F41E5.2030104@doxpara.com>

>2nd: sshd reads _private_ keys only when reading the hostkey.
>
>

So basically, an attacker can exploit the bug if they can modify a root-owned file. Of course, if they can modify a root owned file, you've already been owned.

--Dan

From dtucker at zip.com.au Sun Oct 5 10:11:22 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 05 Oct 2003 10:11:22 +1000
Subject: Problem with OpenSSH =>3.7p1 on Linux \w Linux-PAM 0.77
References: <3F7F1FA0.6060401@uta.fi>
Message-ID: <3F7F61AA.E2B3AA9B@zip.com.au>

Pauli Borodulin wrote:
> Unfortunately, upgrading to =>3.7p1 makes PAM-authentication fail.
> Authentication simply fails every time I try to log in. Even running
> "sshd -ddd" it only prints line "Failed password..." or similar on
> failure so debugging is hard.

Do you have ChallengeResponseAuthentication enabled on the server, and keyboard-interactive on the client?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From pauli.borodulin at uta.fi Mon Oct 6 00:17:18 2003
From: pauli.borodulin at uta.fi (Pauli Borodulin)
Date: Sun, 05 Oct 2003 17:17:18 +0300
Subject: Problem with OpenSSH =>3.7p1 on Linux \w Linux-PAM 0.77
In-Reply-To: <3F7F61AA.E2B3AA9B@zip.com.au>
References: <3F7F1FA0.6060401@uta.fi> <3F7F61AA.E2B3AA9B@zip.com.au>
Message-ID: <3F8027EE.9050903@uta.fi>

> Pauli Borodulin wrote:
>>Unfortunately, upgrading to =>3.7p1 makes PAM-authentication fail.
>>Authentication simply fails every time I try to log in. Even running
>>"sshd -ddd" it only prints line "Failed password..." or similar on
>>failure so debugging is hard.

Darren Tucker wrote:
> Do you have ChallengeResponseAuthentication enabled on the server, and
> keyboard-interactive on the client?

I have no ChallengeResponseAuthentication set in sshd_config so it should be the default (yes). Client I've been using is PuTTY with default settings which means that the setting 'Attempt "keyboard-interactive" authentication' is enabled. PuTTY has worked with every other OpenSSH so far so I guess it should work with current too.

Regards,
-- 
Pauli Borodulin

From dtucker at zip.com.au Mon Oct 6 00:43:21 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 06 Oct 2003 00:43:21 +1000
Subject: Problem with OpenSSH =>3.7p1 on Linux \w Linux-PAM 0.77
References: <3F7F1FA0.6060401@uta.fi> <3F7F61AA.E2B3AA9B@zip.com.au> <3F8027EE.9050903@uta.fi>
Message-ID: <3F802E09.A70635D1@zip.com.au>

Pauli Borodulin wrote:
> I have no ChallengeResponseAuthentication set in sshd_config so it
> should be the default (yes). Client I've been using is PuTTY with
> default settings which means that the setting 'Attempt
> "keyboard-interactive" authentication' is enabled. PuTTY has worked with
> every other OpenSSH so far so I guess it should work with current too.

PAM works differently in 3.7. Try setting "PasswordAuthentication no".

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From pauli.borodulin at uta.fi Mon Oct 6 01:03:54 2003
From: pauli.borodulin at uta.fi (Pauli Borodulin)
Date: Sun, 05 Oct 2003 18:03:54 +0300
Subject: Problem with OpenSSH =>3.7p1 on Linux \w Linux-PAM 0.77
In-Reply-To: <3F802E09.A70635D1@zip.com.au>
References: <3F7F1FA0.6060401@uta.fi> <3F7F61AA.E2B3AA9B@zip.com.au> <3F8027EE.9050903@uta.fi> <3F802E09.A70635D1@zip.com.au>
Message-ID: <3F8032DA.5050108@uta.fi>

> Pauli Borodulin wrote:
>>I have no ChallengeResponseAuthentication set in sshd_config so it
>>should be the default (yes). Client I've been using is PuTTY with
>>default settings which means that the setting 'Attempt
>>"keyboard-interactive" authentication' is enabled. PuTTY has worked with
>>every other OpenSSH so far so I guess it should work with current too.

Darren Tucker wrote:
> PAM works differently in 3.7. Try setting "PasswordAuthentication no".

Hmm, I'm pretty sure I tried that already. Lemme see -- yes, didn't help. 3.6.1p2 seems to require PasswordAuthentication to be enabled, otherwise I'm not able to log in (even using PAM).

-- 
Pauli Borodulin

From dtucker at zip.com.au Mon Oct 6 01:13:36 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 06 Oct 2003 01:13:36 +1000
Subject: Problem with OpenSSH =>3.7p1 on Linux \w Linux-PAM 0.77
References: <3F7F1FA0.6060401@uta.fi> <3F7F61AA.E2B3AA9B@zip.com.au> <3F8027EE.9050903@uta.fi> <3F802E09.A70635D1@zip.com.au> <3F8032DA.5050108@uta.fi>
Message-ID: <3F803520.1247C0D3@zip.com.au>

Pauli Borodulin wrote:
> Hmm, I'm pretty sure I tried that already. Lemme see -- yes, didn't
> help. 3.6.1p2 seems to require PasswordAuthentication to be enabled,
> otherwise I'm not able to log in (even using PAM).

I assume that version was a typo since your original message had "=>3.7p1"?

For 3.7x you should have:

UsePAM no
PasswordAuthentication yes
ChallengeResponseAuthentication no

or

UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication yes

Check the server-side debug in either of those configs.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From ziselman at mail.csi.cuny.edu Mon Oct 6 06:12:17 2003
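The two working 3.7x combinations Darren gives above can be checked mechanically against an sshd_config. The C program below is an added example written for this page, not an OpenSSH tool: it pulls UsePAM, PasswordAuthentication and ChallengeResponseAuthentication out of a config held in memory (case-insensitive keywords, comments stripped, first occurrence of a keyword wins as in sshd_config(5)), fills in the 3.7 defaults stated in this thread (UsePAM no; the other two yes) and reports whether the result is one of the two recommended combinations or the mixed state Pauli describes. The sample configs, the type and function names, and the verdict labels are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum tri { UNSET = -1, NO = 0, YES = 1 };

/* The three sshd_config keywords the thread turns on. */
struct pam_opts {
    enum tri use_pam;
    enum tri password_auth;
    enum tri challenge_resp;
};

/* Which of the two 3.7 combinations from the thread a config matches. */
enum verdict {
    PAM_OFF_PASSWORD,   /* UsePAM no,  PasswordAuthentication yes, ChallengeResponseAuthentication no  */
    PAM_ON_KBDINT,      /* UsePAM yes, PasswordAuthentication no,  ChallengeResponseAuthentication yes */
    INCONSISTENT        /* anything else: expect PAM logins to fail as reported */
};

static enum tri parse_yesno(const char *v)
{
    if (strcasecmp(v, "yes") == 0) return YES;
    if (strcasecmp(v, "no") == 0) return NO;
    return UNSET;   /* unknown value: leave the option at its default */
}

/* Extract the three keywords. Keywords are case-insensitive, '#' starts a
 * comment, and the first occurrence of a keyword wins (sshd_config(5)). */
static struct pam_opts parse_opts(const char *text)
{
    struct pam_opts o = { UNSET, UNSET, UNSET };
    char line[512];

    while (*text) {
        size_t n = strcspn(text, "\n");
        if (n >= sizeof line)
            n = sizeof line - 1;            /* overlong line: truncate */
        memcpy(line, text, n);
        line[n] = '\0';
        text += n;
        if (*text == '\n')
            text++;

        char *hash = strchr(line, '#');
        if (hash)
            *hash = '\0';
        char *key = strtok(line, " \t\r");
        char *val = key ? strtok(NULL, " \t\r") : NULL;
        if (!key || !val)
            continue;

        enum tri v = parse_yesno(val);
        if (strcasecmp(key, "UsePAM") == 0 && o.use_pam == UNSET)
            o.use_pam = v;
        else if (strcasecmp(key, "PasswordAuthentication") == 0 && o.password_auth == UNSET)
            o.password_auth = v;
        else if (strcasecmp(key, "ChallengeResponseAuthentication") == 0 && o.challenge_resp == UNSET)
            o.challenge_resp = v;
    }
    return o;
}

static enum verdict check_37_pam(const char *text)
{
    struct pam_opts o = parse_opts(text);
    /* 3.7 defaults as given in the thread: UsePAM no, the other two yes. */
    if (o.use_pam == UNSET) o.use_pam = NO;
    if (o.password_auth == UNSET) o.password_auth = YES;
    if (o.challenge_resp == UNSET) o.challenge_resp = YES;

    if (o.use_pam == NO && o.password_auth == YES && o.challenge_resp == NO)
        return PAM_OFF_PASSWORD;
    if (o.use_pam == YES && o.password_auth == NO && o.challenge_resp == YES)
        return PAM_ON_KBDINT;
    return INCONSISTENT;
}

/* Constructed configs. CFG_AS_REPORTED mirrors the reported setup: UsePAM
 * added after the upgrade, the other two options left at their defaults. */
static const char CFG_AS_REPORTED[] = "Port 22\nUsePAM yes    # added after the 3.7 upgrade\n";
static const char CFG_PAM_OFF[] =
    "UsePAM no\nPasswordAuthentication yes\nChallengeResponseAuthentication no\n";
static const char CFG_PAM_ON[] =
    "usepam yes\r\npasswordauthentication no\r\nchallengeresponseauthentication yes\r\n";
static const char CFG_FIRST_WINS[] =
    "UsePAM yes\nUsePAM no\nPasswordAuthentication no\nChallengeResponseAuthentication yes\n";

int main(void)
{
    static const char *const names[] = { "PAM off, password", "PAM on, kbd-interactive", "INCONSISTENT" };
    printf("as reported: %s\n", names[check_37_pam(CFG_AS_REPORTED)]);
    printf("pam off:     %s\n", names[check_37_pam(CFG_PAM_OFF)]);
    printf("pam on:      %s\n", names[check_37_pam(CFG_PAM_ON)]);
    printf("first wins:  %s\n", names[check_37_pam(CFG_FIRST_WINS)]);
    return 0;
}
```

The first-occurrence rule matters in practice: a stray early `UsePAM yes` silently overrides a later `UsePAM no`, which is one reason to run a check like this rather than read the file by eye.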
From: ziselman at mail.csi.cuny.edu (Michael Ziselman)
Date: Sun, 5 Oct 2003 16:12:17 -0400
Subject: OpenSSH Authentication on Solaris w/ NIS+ Problem
Message-ID: <200310051612.AA46465226@mail.csi.cuny.edu>

Hello,

I am having a very aggravating problem, and I will try and provide all of the necessary information. I have openssh-3.7.1p2 with openssl-0.9.6k installed on Solaris 8.

Here is what I've been able to determine so far:

1. Local account authentication works fine (non-NIS+).
1a. NIS+ is running at security level 2
2. Telnet authentication works fine.
2a. When I use the SSH client, from another UNIX machine, it works fine -- only windows SSH clients (I've tried SecureCRT and SSH.com's SSH client) have problems connecting.
3. nscd is not running (I stopped it for now, but I don't think it matters)
3a. PAM is enabled in my sshd_config (see below)
4. When I log in via telnet (for example), it works; and then when I try that same ID that wouldn't work originally via SSH, it then works!
5. When I log in to the master server via SSH it works fine (it only doesn't work when I try to log into client servers).
6. When I try keyboard interactive authentication (instead of Password), it works, but it asks me TWICE for the login info (the first time fails, the second time succeeds).

TO SUMMARIZE: I have problems WHEN: I log in via SSH to the non-master NIS+ server with a non-local account (NIS+ account) with a Windows client via 'Password' authentication.

I'd love to see someone figure THIS ONE out...
Here's my ./configure for openssh:
----------------------------------------------------------------------
configured by ./configure, generated by GNU Autoconf 2.52,
  with options "--prefix=/usr/openssh --with-pam --without-rsh --with-pid-dir=/var/run --with-md5-passwords --with-ssl-dir=/usr/local/ssl --with-mantype=man"
----------------------------------------------------------------------

Here is my sshd.conf file:
----------------------------------------------------------------------
Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
HostKey /usr/openssh/etc/ssh_host_key
# HostKeys for protocol version 2
HostKey /usr/openssh/etc/ssh_host_rsa_key
HostKey /usr/openssh/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /usr/openssh/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd yes
#PrintLastLog yes
KeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/openssh/libexec/sftp-server
----------------------------------------------------------------------

Here is what it looks like when I use a Windows SSH client (with IP addresses changed to protect the innocent):

bash-2.03# /usr/openssh/sbin/sshd -d -d -d
debug3: Seeding PRNG from /usr/openssh/libexec/ssh-rand-helper
debug2: read_server_config: filename /usr/openssh/etc/sshd_config
debug1: sshd version OpenSSH_3.7.1p2
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /usr/openssh/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /usr/openssh/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 10.0.0.1 port 1583
debug1: Client protocol version 2.0; client software version 3.4.5 SecureCRT
debug1: no match: 3.4.5 SecureCRT
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2
debug3: privsep user:group 1002:1002
debug1: permanently_set_uid: 1002/1002
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
debug2: kex_parse_kexinit: aes128-cbc,aes192-cbc,aes256-cbc,twofish-cbc,blowfish-cbc,3des-cbc,arcfour
debug2: kex_parse_kexinit: aes128-cbc,aes192-cbc,aes256-cbc,twofish-cbc,blowfish-cbc,3des-cbc,arcfour
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: Network child is on pid 801
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 2046 2046
debug3: mm_request_send entering: type 1
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug2: dh_gen_key: priv key bits set: 133/256
debug2: bits set: 786/1535
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 780/1535
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 4
debug3: monitor_read: checking request 4
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 12b3c0(55)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 5
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user student service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for student
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 43
debug3: monitor_read: checking request 43
debug1: PAM: initializing for "student"
debug3: mm_inform_authserv entering
debug3: Trying to reverse map address 10.0.0.1.
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug1: PAM: setting PAM_RHOST to "10.0.0.1-my.host.com"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 43 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
Failed none for student from 10.0.0.1 port 1583 ssh2
debug3: mm_request_receive entering
debug3: mm_auth_password: user not authenticated
Failed none for student from 10.0.0.1 port 1583 ssh2
debug1: userauth-request for user student service ssh-connection method password
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method password
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: monitor_read: checking request 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
Failed password for
student from 10.0.0.1 port 1583 ssh2 debug3: mm_request_receive entering debug3: mm_request_receive_expect entering: type 11 debug3: mm_request_receive entering debug3: mm_auth_password: user not authenticated Failed password for student from 10.0.0.1 port 1583 ssh2 Thanks. From mouring at etoh.eviladmin.org Mon Oct 6 06:35:07 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Sun, 5 Oct 2003 15:35:07 -0500 (CDT) Subject: OpenSSH Authentication on Solaris w/ NIS+ Problem In-Reply-To: <200310051612.AA46465226@mail.csi.cuny.edu> Message-ID: [..] > > # To disable tunneled clear text passwords, change to no here! > PasswordAuthentication yes If I'm not mistaken you need to set this to "no" to drop the second login prompt. Since Password authentication is being handled by 'ChallengeResponseAuthentication' below. > #PermitEmptyPasswords no > > # Change to no to disable s/key passwords > ChallengeResponseAuthentication yes > - Ben From pauli.borodulin at uta.fi Mon Oct 6 07:32:24 2003 
From: pauli.borodulin at uta.fi (Pauli Borodulin)
Date: Mon, 06 Oct 2003 00:32:24 +0300
Subject: Problem with OpenSSH =>3.7p1 on Linux \w Linux-PAM 0.77
In-Reply-To: <3F803520.1247C0D3@zip.com.au>
References: <3F7F1FA0.6060401@uta.fi> <3F7F61AA.E2B3AA9B@zip.com.au> <3F8027EE.9050903@uta.fi> <3F802E09.A70635D1@zip.com.au> <3F8032DA.5050108@uta.fi> <3F803520.1247C0D3@zip.com.au>
Message-ID: <3F808DE8.8040901@uta.fi>

> Pauli Borodulin wrote:
>> Hmm, I'm pretty sure I tried that already. Lemme see -- yes, didn't
>> help. 3.6.1p2 seems to require PasswordAuthentication to be
>> enabled, otherwise I'm not able to log in (even using PAM).

Darren Tucker wrote:
> I assume that version was a typo since your original message had
> "=>3.7p1"?

Nope. 3.6.1p2 is working ok. I just tried what happens if I try disabling PasswordAuthentication in it. Didn't do any good, as I told, I wasn't able to log in anymore after disabling it. :-)

Okay, after checking PuTTY's default settings I found out that (for some odd reason) the version I was using had default setting of trying to prefer SSH1 over SSH2, so all connections were done in SSH1. I chose SSH2 as preferred protocol version and tested it with 3.6.1p2 and it seems to work ok but not with =>3.7p1.

I made some logs of sshd -d and put them on the web.

OpenSSH 3.6.1p2:
http://boro.fixel.org/openssh/output_of_sshd_-d_3.6.1p2.txt

OpenSSH 3.7p1 (disconnected right after I had given my account):
http://boro.fixel.org/openssh/output_of_sshd_-d_3.7p1.txt

OpenSSH 3.7.1p2 (disconnected right after I had given my account):
http://boro.fixel.org/openssh/output_of_sshd_-d_3.7.1p2.txt

I used settings you gave for 3.7p1 and 3.7.1p2:
> UsePAM yes
> PasswordAuthentication no
> ChallengeResponseAuthentication yes

I found something interesting, but couldn't understand what's really happening.
Seems that 3.6.1p2 outputs:

debug1: kbdint_alloc: devices ''
Failed keyboard-interactive for foobar from x.y.z.z port 1838 ssh2
debug1: userauth-request for user foobar service ssh-connection method password
debug1: attempt 2 failures 2
debug1: PAM password authentication accepted for foobar
Accepted password for foobar from x.y.z.z port 1838 ssh2

but =>3.7p1 outputs:

debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
PAM: Authentication failure
Failed keyboard-interactive for foobar from x.y.z.z port 1855 ssh2
Received disconnect from x.y.z.z: 11: No supported authentication methods available

I tried also OpenSSH's client, and it fails just like PuTTY so it has to be something on the server-side.

--
Pauli Borodulin

From dtucker at zip.com.au Mon Oct 6 14:37:13 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 06 Oct 2003 14:37:13 +1000
Subject: Problem with OpenSSH =>3.7p1 on Linux \w Linux-PAM 0.77
References: <3F7F1FA0.6060401@uta.fi> <3F7F61AA.E2B3AA9B@zip.com.au> <3F8027EE.9050903@uta.fi> <3F802E09.A70635D1@zip.com.au> <3F8032DA.5050108@uta.fi> <3F803520.1247C0D3@zip.com.au> <3F808DE8.8040901@uta.fi>
Message-ID: <3F80F179.811B7D96@zip.com.au>

Pauli Borodulin wrote:
> Nope. 3.6.1p2 is working ok. I just tried what happens if I try
> disabling PasswordAuthentication in it. Didn't do any good, as I told, I
> wasn't able to log in anymore after disabling it. :-)

For 3.6x, PAM = PasswordAuthentication
For 3.7x, PAM = ChallengeResponseAuthentication

> Okay, after checking PuTTY's default settings I found out that (for some
> odd reason) the version I was using had default setting of trying to
> prefer SSH1 over SSH2, so all connections were done in SSH1.

For PuTTY + SSHv1 you need to enable "TIS or CryptoCard Authentication".

[snip]
> but =>3.7p1 outputs:
>
> debug1: kbdint_alloc: devices 'pam'
> debug1: auth2_challenge_start: trying authentication method 'pam'
> PAM: Authentication failure

Does the system log (eg /var/log/messages or /var/log/authlog) say anything about the PAM authentication at this point?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From kuenne at rentec.com Mon Oct 6 16:09:24 2003
From: kuenne at rentec.com (Karsten Künne)
Date: Mon, 6 Oct 2003 02:09:24 -0400
Subject: OpenSSH Authentication on Solaris w/ NIS+ Problem
In-Reply-To: <200310051612.AA46465226@mail.csi.cuny.edu>
References: <200310051612.AA46465226@mail.csi.cuny.edu>
Message-ID: <200310060209.26277.kuenne@rentec.com>

On Sunday 05 October 2003 16:12, Michael Ziselman wrote:
> Hello,
>
> I am having a very aggravating problem, and I will try and provide all
> of the necessary information. I have openssh-3.7.1p2 with openssl-0.9.6k
> installed on Solaris 8. Here is what I've been able to determine so far:
>
> 1. Local account authentication works fine (non-NIS+).
> 1a. NIS+ is running at security level 2
> 2. Telnet authentication works fine.
> 2a. When I use the SSH client, from another UNIX machine, it works fine --
> only windows SSH clients (I've tried SecureCRT and SSH.com's SSH client)
> have problems connecting.
> 3. nscd is not running (I stopped it for now, but I don't think it matters)
> 3a. PAM is enabled in my sshd_config (see below)
> 4. When I log in via telnet (for example), it works; and then I try that
> same ID that wouldn't work originally via SSH, it then works!
> 5. When I log in to master server via SSH it works fine (it only doesn't
> work when I try to log into client servers).
> 6. When I try keyboard interactive authentication (instead of Password),
> it works, but it asks me TWICE for the login info (the first time fails,
> the second time succeeds).
>
> TO SUMMARIZE: I have problems WHEN: I log in via SSH to the non-master NIS+
> server with a non-local account (NIS+ account) with a Windows client via
> 'Password' authentication. I'd love to see someone figure THIS ONE out...
>

Your Windows clients are using password authentication. That doesn't work with ssh 3.7.1p2 on Solaris because the sshd has to be able to read the encrypted password out of NIS+.
But if you run NIS+ at security level 2 the user needs to authenticate to NIS+ first via an explicit or implicit keylogin in order to be able to read his/her own encrypted password. Other users are not able to read it and that includes the root user on NIS+ clients. One exception is the root user (or machine principal) of the NIS+ master, that's why it works there. If you succeed to login via telnet then the telnetd does a keylogin and then stores your key with the keyserver, that's why subsequent ssh logins work until you reboot the machine (or restart the keyserver). You should use PAM authentication via keyboard-interactive with your Windows clients. I don't know anything about the 2 clients you tried but I know that Putty works with protocol version 2 and keyboard-interactive (tried it myself).

> Here's my ./configure for openssh:
>
> ----------------------------------------------------------------------
> configured by ./configure, generated by GNU Autoconf 2.52,
> with options "--prefix=/usr/openssh --with-pam --without-rsh
> --with-pid-dir=/var/run --with-md5-passwords --with-ssl-dir=/usr/local/ssl
> --with-mantype=man"
> ----------------------------------------------------------------------
>
> Here is my sshd.conf file:
>
> ----------------------------------------------------------------------
> Port 22
> Protocol 2
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> # HostKey for protocol version 1
> HostKey /usr/openssh/etc/ssh_host_key
> # HostKeys for protocol version 2
> HostKey /usr/openssh/etc/ssh_host_rsa_key
> HostKey /usr/openssh/etc/ssh_host_dsa_key
>
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 1h
> ServerKeyBits 768
>
> # Logging
> #obsoletes QuietMode and FascistLogging
> SyslogFacility AUTH
> LogLevel INFO
>
> # Authentication:
>
> LoginGraceTime 2m
> PermitRootLogin no
> #StrictModes yes
>
> #RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile .ssh/authorized_keys
>
> # For this to work you will also need host keys in /usr/openssh/etc/ssh_known_hosts
> #RhostsRSAAuthentication no
> # similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
>
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication yes
> #PermitEmptyPasswords no
>
> # Change to no to disable s/key passwords
> ChallengeResponseAuthentication yes
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
>
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCreds yes
>
> # Set this to 'yes' to enable PAM authentication (via challenge-response)
> # and session processing. Depending on your PAM configuration, this may
> # bypass the setting of 'PasswordAuthentication'
> UsePAM yes
>
> #AllowTcpForwarding yes
> #GatewayPorts no
> X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> PrintMotd yes
> #PrintLastLog yes
> KeepAlive yes
> #UseLogin no
> UsePrivilegeSeparation yes
> #PermitUserEnvironment no
> #Compression yes
> #ClientAliveInterval 0
> #ClientAliveCountMax 3
> #UseDNS yes
> PidFile /var/run/sshd.pid
> #MaxStartups 10
> # no default banner path
> #Banner /some/path
> # override default of no subsystems
> Subsystem sftp /usr/openssh/libexec/sftp-server
> ----------------------------------------------------------------------
>
> Here is what it looks like when I use a Windows SSH client (with IP
> addresses changed to protect the innocent):
>
> bash-2.03# /usr/openssh/sbin/sshd -d -d -d
> debug3: Seeding PRNG from /usr/openssh/libexec/ssh-rand-helper
> debug2: read_server_config: filename /usr/openssh/etc/sshd_config
> debug1: sshd version OpenSSH_3.7.1p2
> debug1: private host key: #0 type 0 RSA1
> debug3: Not a RSA1 key file /usr/openssh/etc/ssh_host_rsa_key.
> debug1: read PEM private key done: type RSA
> debug1: private host key: #1 type 1 RSA
> debug3: Not a RSA1 key file /usr/openssh/etc/ssh_host_dsa_key.
> debug1: read PEM private key done: type DSA
> debug1: private host key: #2 type 2 DSA
> debug1: Bind to port 22 on ::.
> Server listening on :: port 22.
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> debug1: Server will not fork when running in debugging mode.
> Connection from 10.0.0.1 port 1583
> debug1: Client protocol version 2.0; client software version 3.4.5 SecureCRT
> debug1: no match: 3.4.5 SecureCRT
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2
> debug3: privsep user:group 1002:1002
> debug1: permanently_set_uid: 1002/1002
> debug1: list_hostkey_types: ssh-rsa,ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
> debug2: kex_parse_kexinit: aes128-cbc,aes192-cbc,aes256-cbc,twofish-cbc,blowfish-cbc,3des-cbc,arcfour
> debug2: kex_parse_kexinit: aes128-cbc,aes192-cbc,aes256-cbc,twofish-cbc,blowfish-cbc,3des-cbc,arcfour
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none
> debug2: kex_parse_kexinit: none
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: Network child is on pid 801
> debug3: preauth child monitor started
> debug3: mm_request_receive entering
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> debug3: mm_request_send entering: type 0
> debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
> debug3: mm_request_receive_expect entering: type 1
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 0
> debug3: mm_answer_moduli: got parameters: 1024 2046 2046
> debug3: mm_request_send entering: type 1
> debug3: mm_choose_dh: remaining 0
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> debug2: monitor_read: 0 used once, disabling now
> debug3: mm_request_receive entering
> debug2: dh_gen_key: priv key bits set: 133/256
> debug2: bits set: 786/1535
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> debug2: bits set: 780/1535
> debug3: mm_key_sign entering
> debug3: mm_request_send entering: type 4
> debug3: monitor_read: checking request 4
> debug3: mm_answer_sign
> debug3: mm_answer_sign: signature 12b3c0(55)
> debug3: mm_request_send entering: type 5
> debug2: monitor_read: 4 used once, disabling now
> debug3: mm_request_receive entering
> debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
> debug3: mm_request_receive_expect entering: type 5
> debug3: mm_request_receive entering
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug1: userauth-request for user student service ssh-connection method none
> debug1: attempt 0 failures 0
> debug3: mm_getpwnamallow entering
> debug3: mm_request_send entering: type 6
> debug3: monitor_read: checking request 6
> debug3: mm_answer_pwnamallow
> debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
> debug3: mm_request_receive_expect entering: type 7
> debug3: mm_request_receive entering
> debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
> debug3: mm_request_send entering: type 7
> debug2: monitor_read: 6 used once, disabling now
> debug3: mm_request_receive entering
> debug2: input_userauth_request: setting up authctxt for student
> debug3: mm_start_pam entering
> debug3: mm_request_send entering: type 43
> debug3: monitor_read: checking request 43
> debug1: PAM: initializing for "student"
> debug3: mm_inform_authserv entering
> debug3: Trying to reverse map address 10.0.0.1.
> debug3: mm_request_send entering: type 3
> debug2: input_userauth_request: try method none
> debug3: mm_auth_password entering
> debug3: mm_request_send entering: type 10
> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> debug3: mm_request_receive_expect entering: type 11
> debug3: mm_request_receive entering
> debug1: PAM: setting PAM_RHOST to "10.0.0.1-my.host.com"
> debug1: PAM: setting PAM_TTY to "ssh"
> debug2: monitor_read: 43 used once, disabling now
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 3
> debug3: mm_answer_authserv: service=ssh-connection, style=
> debug2: monitor_read: 3 used once, disabling now
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 10
> debug3: mm_answer_authpassword: sending result 0
> debug3: mm_request_send entering: type 11
> Failed none for student from 10.0.0.1 port 1583 ssh2
> debug3: mm_request_receive entering
> debug3: mm_auth_password: user not authenticated
> Failed none for student from 10.0.0.1 port 1583 ssh2
> debug1: userauth-request for user student service ssh-connection method password
> debug1: attempt 1 failures 1
> debug2: input_userauth_request: try method password
> debug3: mm_auth_password entering
> debug3: mm_request_send entering: type 10
> debug3: monitor_read: checking request 10
> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> debug3: mm_answer_authpassword: sending result 0
> debug3: mm_request_send entering: type 11
> Failed password for student from 10.0.0.1 port 1583 ssh2
> debug3: mm_request_receive entering
> debug3: mm_request_receive_expect entering: type 11
> debug3: mm_request_receive entering
> debug3: mm_auth_password: user not authenticated
> Failed password for student from 10.0.0.1 port 1583 ssh2
>
> Thanks.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Subtlety is the art of saying what you think and getting out of the way before it is understood.

From manish.k at db.com Mon Oct 6 21:16:29 2003
From: manish.k at db.com (Manish K)
Date: Mon, 6 Oct 2003 19:16:29 +0800
Subject: seeking help in using openssh to communicate b/w unix & windows. URGENT!!!
Message-ID:

Hi I got the email-id from the web site.
Kindly let me know whether we can use ssh to communicate b/w unix & windows (the initiation has to be from unix only), if yes then how & where can I find the related information.
If it's not possible using ssh then what's the other way to pull or push a file from Unix using an encrypted way where the password is not hacked on the network.
Kindly let us know in detail as soon as possible. It will be a great help if you all can do for me.

----------------------------------------------------------------
Thanks & Regards,
Manish k
GTO/GBD-ITO/ Banking Systems Asia - IDMS
Deutsche Bank
Singapore
Tel : 6423 6731
Fax : 62241029

--

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

From josv at osp.nl Mon Oct 6 21:26:21 2003
From: josv at osp.nl (Jos Visser)
Date: Mon, 6 Oct 2003 13:26:21 +0200
Subject: seeking help in using openssh to communicate b/w unix & windows. URGENT!!!
In-Reply-To:
References:
Message-ID: <20031006112621.GG14778@jadzia.test.uzorg>

And while we are at it, should we come over and redecorate your apartment?

Please read: "How to ask questions the smart way"
http://www.catb.org/~esr/faqs/smart-questions.html

++Jos.nl

On Mon, Oct 06, 2003 at 07:16:29PM +0800 it came to pass that Manish K wrote:
> Hi I got the email-id from the web site.
> Kindly let me know whether we can use ssh to communicate b/w unix & windows (the initiation has to be from unix only), if yes then how & where can I find the related information.
> If it's not possible using ssh then what's the other way to pull or push a file from Unix using an encrypted way where the password is not hacked on the network.
> Kindly let us know in detail as soon as possible. It will be a great help if you all can do for me.
>
> ----------------------------------------------------------------
> Thanks & Regards,
> Manish k
> GTO/GBD-ITO/ Banking Systems Asia - IDMS
> Deutsche Bank
> Singapore
> Tel : 6423 6731
> Fax : 62241029
>
>
> --
>
> This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

--
i am so air
you fly through me
without you i am without pattern
"Breyten Breytenbach"

From jason at devrandom.org Tue Oct 7 01:29:24 2003
From: jason at devrandom.org (Jason McCormick)
Date: Mon, 6 Oct 2003 11:29:24 -0400
Subject: seeking help in using openssh to communicate b/w unix & windows. URGENT!!!
In-Reply-To:
References:
Message-ID: <200310061129.24522.jason@devrandom.org>

> Kindly let me know whether we can use ssh to communicate b/w unix &
> windows (the initiation has to be from unix only),

Yes. OpenSSH works on most flavors/derivatives of unix. The most notable Windows client is PuTTY. Search on Google for 'PuTTY' and it's the first hit.

> if yes then how &
> where can I find the related information

Look at http://www.openssh.com for information on OpenSSH and how to use it properly. There are also many HowTo documents that a quick Google search will provide.

--
Jason

From iqbala at qwestip.net Tue Oct 7 02:24:01 2003
From: iqbala at qwestip.net (Asif Iqbal)
Date: Mon, 6 Oct 2003 12:24:01 -0400 (EDT)
Subject: SecurID patch for OpenSSH 3.7.1p2
In-Reply-To: <58109.183988-26465-632434844-1064593949@seznam.cz>
Message-ID:

Should I be able to use Darren Tucker's Password Expire patch with this?

On Fri, 26 Sep 2003, Václav Tomec wrote:
> Hello all,
>
> new version of SecurID patch is available on
> http://sweb.cz/v_t_m/
>
> The new version of the patch is extended with "shared logins" possibility.
> It means that SecurID token can be used to login to an account shared
> by several persons.
> This cannot be solved using ACE server standard means.
>
> This patch depends on the AuthSelection patch (http://sweb.cz/v_t_m).
> After applying AuthSelection patch, you can specify
> server-supported authentication methods per user to authenticate with
> OpenSSH server.
>
>
> Vaclav
> ____________________________________________________________
> Try out Oskar's MMS for free!
> http://ad2.seznam.cz/redir.cgi?instance=60950%26url=http://www.oskarmobil.cz/services/whatsnew.php#moje
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

--
Asif Iqbal
http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x8B686E08
There's no place like 127.0.0.1

From ptrout at usa.net Tue Oct 7 02:48:27 2003
From: ptrout at usa.net (PAUL TROUT)
Date: Mon, 06 Oct 2003 10:48:27 -0600
Subject: [seeking help in using openssh to communicate b/w unix & windows. URGENT!!!]
Message-ID: <795HJFqWb0832S08.1065458907@uwdvg008.cms.usa.net>

You might try the free SSH client, putty (from: http://www.chiark.greenend.org.uk/~sgtatham/putty/). It has a command line SCP client (pscp) that will allow you to securely copy the file from Unix box, under windows. I've used it and had excellent results.

Good luck,
Paul

"Manish K" wrote:

Hi I got the email-id from the web site.
Kindly let me know whether we can use ssh to communicate b/w unix & windows (the initiation has to be from unix only), if yes then how & where can I find the related information.
If it's not possible using ssh then what's the other way to pull or push a file from Unix using an encrypted way where the password is not hacked on the network.
Kindly let us know in detail as soon as possible. It will be a great help if you all can do for me.

----------------------------------------------------------------
Thanks & Regards,
Manish k
GTO/GBD-ITO/ Banking Systems Asia - IDMS
Deutsche Bank
Singapore
Tel : 6423 6731
Fax : 62241029

--

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

From iqbala at qwestip.net Tue Oct 7 03:04:39 2003
From: iqbala at qwestip.net (Asif Iqbal)
Date: Mon, 6 Oct 2003 13:04:39 -0400 (EDT)
Subject: OpenSSL vulnerability...
In-Reply-To: <20031004150035.GC28638@folly>
Message-ID:

We login with RSA key sometimes as root. So should we be concerned?

On Sat, 4 Oct 2003, Markus Friedl wrote:
> On Thu, Oct 02, 2003 at 04:32:56PM -0400, Asif Iqbal wrote:
> > On Tue, 30 Sep 2003, Markus Friedl wrote:
> >
> > > On Tue, Sep 30, 2003 at 12:06:30PM -0500, hayward at slothmud.org wrote:
> > > > Does OpenSSH use OpenSSL in a way in which it would be vulnerable to the
> > > > OpenSSL vulnerabilities announced today? Namely the ASN.1 parsing
> > > > problem and the malformed key bugs?
> > >
> > > no, we avoid the OpenSSL ASN.1 code for signature verification
> > > and we don't support x509.
> > >
> > > only reading of _private_ keys triggers the ASN.1 code
> > > in OpenSSH.
> >
> > Does this statement encompass login with RSA keys ?
>
> the 1st: yes
>
> 2nd: sshd reads _private_ keys only when reading the hostkey.
>

--
Asif Iqbal
http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x8B686E08
There's no place like 127.0.0.1

From Siegmar.Gross at informatik.fh-fulda.de Tue Oct 7 03:24:42 2003
From: Siegmar.Gross at informatik.fh-fulda.de (Siegmar Gross)
Date: Mon, 6 Oct 2003 19:24:42 +0200 (CEST)
Subject: unexpected behaviour in OpenSSH_3.7.1
Message-ID: <200310061724.h96HOgEv008160@tyr.informatik.fh-fulda.de>

Hi,

we have installed OpenSSH_3.7.1 in /usr/local. In our environment all machines mount /usr/local via NFS and automounter from a server. Because every machine should use its own keys (otherwise we had to export the directory with root privileges so that every machine could read the private keys from /usr/local/etc/ssh), we created the keys in /etc/ssh and modified the configuration files appropriately. We wanted to use hostbased authentication.

tyr fd1026 62 ssh -v
OpenSSH_3.7.1p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003

tyr fd1026 63 ps -aef | grep ssh
    root  4924     1  0 17:53:10 ?        0:00 /usr/local/sbin/sshd -f /usr/local/etc/ssh/sshd_config -p 22

tyr fd1026 64 alias ssh
ssh -q -F /usr/local/etc/ssh/ssh_config

tyr fd1026 65 cd /usr/local/etc/ssh
tyr ssh 66 grep ssh_host *config
sshd_config:HostKey /etc/ssh/ssh_host_key
sshd_config:HostKey /etc/ssh/ssh_host_rsa_key
sshd_config:HostKey /etc/ssh/ssh_host_dsa_key

tyr ssh 67 grep ssh_known *config
ssh_config:GlobalKnownHostsFile2 /usr/local/etc/ssh/ssh_known_hosts2
sshd_config:# /usr/local/etc/ssh/ssh_known_hosts

Now we created ~/.shosts and tried a connection. Unfortunately we always had to present a password. Debugging ssh and sshd didn't solve the problem. At least we tried to insert some links into /usr/local/etc/ssh

ssh_host_dsa_key -> /etc/ssh/ssh_host_dsa_key
ssh_host_dsa_key.pub -> /etc/ssh/ssh_host_dsa_key.pub
ssh_host_key -> /etc/ssh/ssh_host_key
ssh_host_key.pub -> /etc/ssh/ssh_host_key.pub
ssh_host_rsa_key -> /etc/ssh/ssh_host_rsa_key
ssh_host_rsa_key.pub -> /etc/ssh/ssh_host_rsa_key.pub

With these links OpenSSH behaves as expected. We don't understand why these links are necessary. Doesn't OpenSSH interpret the configuration files as expected or have we made a mistake?
Please let me know if you are interested in the configuration files or any
other information. I would be grateful if somebody can give us a hint which
solves our confusion.

Kind regards

Siegmar

Prof. Dr. Siegmar Gross
Fachhochschule Fulda / University of Applied Sciences
FB Angewandte Informatik / Department of Applied Computer Sciences
Marquardstr. 35, D-36039 Fulda
Tel.: +49 (661) 9640 - 333    Fax: +49 (661) 9640 - 349
WWW: http://www.fh-fulda.de/~gross
E-Mail: siegmar.gross at informatik.fh-fulda.de, sgross at acm.org

From wendyp at cray.com Tue Oct 7 03:39:45 2003
From: wendyp at cray.com (Wendy Palm)
Date: Mon, 06 Oct 2003 12:39:45 -0500
Subject: unexpected behaviour in OpenSSH_3.7.1
References: <200310061724.h96HOgEv008160@tyr.informatik.fh-fulda.de>
Message-ID: <3F81A8E1.7040601@cray.com>

we tried using links to the keys as well and it failed. i didn't get into
the code to see why, i just know that when we took out the links and copied
the files instead, it worked fine for our particular configuration.

take that part out of the equation and see where you are then.

Siegmar Gross wrote:
> Hi,
>
> we have installed OpenSSH_3.7.1 in /usr/local. In our environment all
> machines mount /usr/local via NFS and automounter from a server. Because
> every machine should use its own keys (otherwise we had to export the
> directory with root privileges so that every machine could read the
> private keys from /usr/local/etc/ssh), we created the keys in /etc/ssh
> and modified the configuration files appropriately. We wanted to use
> hostbased authentication.
>
>
> tyr fd1026 62 ssh -v
> OpenSSH_3.7.1p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003
>
> tyr fd1026 63 ps -aef | grep ssh
>     root  4924     1  0 17:53:10 ?        0:00 /usr/local/sbin/sshd -f
> /usr/local/etc/ssh/sshd_config -p 22
>
>
> tyr fd1026 64 alias ssh
> ssh -q -F /usr/local/etc/ssh/ssh_config
>
>
> tyr fd1026 65 cd /usr/local/etc/ssh
> tyr ssh 66 grep ssh_host *config
> sshd_config:HostKey /etc/ssh/ssh_host_key
> sshd_config:HostKey /etc/ssh/ssh_host_rsa_key
> sshd_config:HostKey /etc/ssh/ssh_host_dsa_key
>
> tyr ssh 67 grep ssh_known *config
> ssh_config:GlobalKnownHostsFile2 /usr/local/etc/ssh/ssh_known_hosts2
> sshd_config:# /usr/local/etc/ssh/ssh_known_hosts
>
>
> Now we created ~/.shosts and tried a connection. Unfortunately we always
> had to present a password. Debugging ssh and sshd didn't solve the problem.
> At least we tried to insert some links into /usr/local/etc/ssh
>
> ssh_host_dsa_key -> /etc/ssh/ssh_host_dsa_key
> ssh_host_dsa_key.pub -> /etc/ssh/ssh_host_dsa_key.pub
> ssh_host_key -> /etc/ssh/ssh_host_key
> ssh_host_key.pub -> /etc/ssh/ssh_host_key.pub
> ssh_host_rsa_key -> /etc/ssh/ssh_host_rsa_key
> ssh_host_rsa_key.pub -> /etc/ssh/ssh_host_rsa_key.pub
>
> With these links OpenSSH behaves as expected. We don't understand why these
> links are necessary. Doesn't OpenSSH interpret the configuration files as
> expected or have we made a mistake? Please let me know if you are interested
> in the configuration files or any other information. I would be grateful if
> somebody can give us a hint which solves our confusion.
>
>
> Kind regards
>
> Siegmar
>
> Prof. Dr. Siegmar Gross
> Fachhochschule Fulda / University of Applied Sciences
> FB Angewandte Informatik / Department of Applied Computer Sciences
> Marquardstr. 35, D-36039 Fulda
> Tel.: +49 (661) 9640 - 333    Fax: +49 (661) 9640 - 349
> WWW: http://www.fh-fulda.de/~gross
> E-Mail: siegmar.gross at informatik.fh-fulda.de, sgross at acm.org
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

-- 
wendy palm
Cray Open Software Development, Cray Inc.
wendyp at cray.com, 651-605-9154

From scott.burch at camberwind.com Tue Oct 7 04:24:21 2003
From: scott.burch at camberwind.com (Scott Burch)
Date: Mon, 06 Oct 2003 18:24:21 -0000
Subject: SecurID patch for OpenSSH 3.7.1p2
Message-ID: <1065464896.7567.1.camel@localhost>

Asif,

With 3.6.1p2 you were able to use Darren's patch in combination with
this patch. I haven't tried with 3.7.1p2, but I will be building a
version this week to see.

-Scott

On Mon, 2003-10-06 at 11:24, Asif Iqbal wrote:
> Should I be able to use Darren Tucker's Password Expire patch with this?
>
> On Fri, 26 Sep 2003, Václav Tomec wrote:
>
> > Hello all,
> >
> > new version of SecurID patch is available on
> > http://sweb.cz/v_t_m/
> >
> > The new version of the patch is extended with "shared logins" possibility.
> > It means that SecurID token can be used to login to an account shared
> > by several persons.
> > This cannot be solved using ACE server standard means.
> >
> > This patch depends on the AuthSelection patch (http://sweb.cz/v_t_m).
> > After applying AuthSelection patch, you can specify
> > server-supported authentication methods per user to authenticate with
> > OpenSSH server.
> >
> >
> > Vaclav
>
-- 
Scott Burch

From markus at openbsd.org Tue Oct 7 05:28:42 2003
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 6 Oct 2003 21:28:42 +0200
Subject: OpenSSL vulnerability...
References: <20031004150035.GC28638@folly>
Message-ID: <20031006192842.GA31543@folly>

yes, if random people can modify root's private key.

On Mon, Oct 06, 2003 at 01:04:39PM -0400, Asif Iqbal wrote:
>
> We log in with RSA keys sometimes as root. So should we be concerned?
>
> On Sat, 4 Oct 2003, Markus Friedl wrote:
>
> > On Thu, Oct 02, 2003 at 04:32:56PM -0400, Asif Iqbal wrote:
> > > On Tue, 30 Sep 2003, Markus Friedl wrote:
> > >
> > > > On Tue, Sep 30, 2003 at 12:06:30PM -0500, hayward at slothmud.org wrote:
> > > > > Does OpenSSH use OpenSSL in a way in which it would be vulnerable to the
> > > > > OpenSSL vulnerabilities announced today? Namely the ASN.1 parsing
> > > > > problem and the malformed key bugs?
> > > >
> > > > no, we avoid the OpenSSL ASN.1 code for signature verification
> > > > and we don't support x509.
> > > >
> > > > only reading of _private_ keys triggers the ASN.1 code
> > > > in OpenSSH.
> > >
> > > Does this statement encompass login with RSA keys?
> >
> > the 1st: yes
> >
> > 2nd: sshd reads _private_ keys only when reading the hostkey.
> >
>
> --
> Asif Iqbal
> http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x8B686E08
> There's no place like 127.0.0.1
>

From iqbala at qwestip.net Tue Oct 7 05:31:38 2003
From: iqbala at qwestip.net (Asif Iqbal)
Date: Mon, 6 Oct 2003 15:31:38 -0400 (EDT)
Subject: SecurID patch for OpenSSH 3.7.1p2
In-Reply-To: <1065464896.7567.1.camel@localhost>

Let me know if it works for you with 3.7.1p2 and in what order you patched it?

It failed during configure for me.

On 6 Oct 2003, Scott Burch wrote:

> Asif,
>
> With 3.6.1p2 you were able to use Darren's patch in combination with
> this patch. I haven't tried with 3.7.1p2, but I will be building a
> version this week to see.
>
> -Scott
>
> On Mon, 2003-10-06 at 11:24, Asif Iqbal wrote:
> > Should I be able to use Darren Tucker's Password Expire patch with this?
> >
> > On Fri, 26 Sep 2003, Václav Tomec wrote:
> >
> > > Hello all,
> > >
> > > new version of SecurID patch is available on
> > > http://sweb.cz/v_t_m/
> > >
> > > The new version of the patch is extended with "shared logins" possibility.
> > > It means that SecurID token can be used to login to an account shared
> > > by several persons.
> > > This cannot be solved using ACE server standard means.
> > >
> > > This patch depends on the AuthSelection patch (http://sweb.cz/v_t_m).
> > > After applying AuthSelection patch, you can specify
> > > server-supported authentication methods per user to authenticate with
> > > OpenSSH server.
> > >
> > >
> > > Vaclav
> >
>

-- 
Asif Iqbal
http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x8B686E08
There's no place like 127.0.0.1

From scott.burch at camberwind.com Tue Oct 7 06:08:32 2003
From: scott.burch at camberwind.com (Scott Burch)
Date: Mon, 06 Oct 2003 20:08:32 -0000
Subject: SecurID patch for OpenSSH 3.7.1p2
Message-ID: <1065471147.7569.4.camel@localhost>

Asif,

I just got through testing, and by default the patches do not work
together with 3.7.1p2..it doesn't matter on the order...I think you could
make them work, but I don't have time to look into this further. I only
have one system where I need the securid support, so I will just build two
different packages.

-Scott

On Mon, 2003-10-06 at 14:31, Asif Iqbal wrote:
> Let me know if it works for you with 3.7.1p2 and in what order you patched it?
>
> It failed during configure for me.
>
>
> On 6 Oct 2003, Scott Burch wrote:
>
> > Asif,
> >
> > With 3.6.1p2 you were able to use Darren's patch in combination with
> > this patch. I haven't tried with 3.7.1p2, but I will be building a
> > version this week to see.
> >
> > -Scott
> >
> > On Mon, 2003-10-06 at 11:24, Asif Iqbal wrote:
> > > Should I be able to use Darren Tucker's Password Expire patch with this?
> > >
> > > On Fri, 26 Sep 2003, Václav Tomec wrote:
> > >
> > > > Hello all,
> > > >
> > > > new version of SecurID patch is available on
> > > > http://sweb.cz/v_t_m/
> > > >
> > > > The new version of the patch is extended with "shared logins" possibility.
> > > > It means that SecurID token can be used to login to an account shared
> > > > by several persons.
> > > > This cannot be solved using ACE server standard means.
> > > >
> > > > This patch depends on the AuthSelection patch (http://sweb.cz/v_t_m).
> > > > After applying AuthSelection patch, you can specify
> > > > server-supported authentication methods per user to authenticate with
> > > > OpenSSH server.
> > > >
> > > >
> > > > Vaclav
> > >
>
-- 
Scott Burch

From dtucker at zip.com.au Tue Oct 7 09:33:46 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 07 Oct 2003 09:33:46 +1000
Subject: OpenSSH_3.6.1p2: key authentication on HP-UX.
Message-ID: <3F81FBDA.741732A3@zip.com.au>

The address you sent this to is not the appropriate place for general
problem reports regarding Portable OpenSSH. Unless you're reporting a
security exposure you should use openssh-unix-dev.

Gina Demars wrote:
>
> We currently upgraded one of our HP-UX systems to version 3.6.1p2.

With the appropriate security patch, I hope?

> I have
> RSA keys from other Unix systems that are still working fine after the
> upgrade but I have a problem with a key created on a NT machine that no
> longer works. The key was created w/ F-Secure keygen and then converted w/
> OpenSSH keygen on the Unix side. I have tried creating new keypairs and it
> still doesn't work.

This is just a hunch but try adding "#define BROKEN_REALPATH 1" to
config.h (ie, run configure, edit config.h, then run make).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From James.Roberts-Thomson at NBNZ.CO.NZ Tue Oct 7 10:14:31 2003
From: James.Roberts-Thomson at NBNZ.CO.NZ (Roberts-Thomson, James)
Date: Tue, 7 Oct 2003 13:14:31 +1300
Subject: FW: Environment passing in Solaris 8 with later versions of SSH and UseLogin=yes

Hi,

I'm still hoping that someone can offer a solution to this issue.... Anyone?

> I've got the following issue, which I'm unable to resolve by
> myself. Hopefully, someone on the list will be able to guide
> me, or provide more information towards resolving this.
>
> We've compiled OpenSSH v3.7.1p1 (which I know is not the most
> recent version) on Solaris 8 SPARC, and have noticed that
> when the "UseLogin=yes" parameter is set in the sshd_config
> file, the environment which SSH builds for the child shell
> isn't making it into the shell. When running both client and
> server in debug mode, I can see the following when the client
> attempts to login: (the JRT lines are my attempting to trace
> the program execution flow)
>
> debug1: Authentication succeeded (publickey).
> debug1: channel 0: new [client-session]
> debug1: Entering interactive session.
> debug1: JRT-03: do_pre_login
> debug1: JRT-04: do_child
> Environment:
>   TZ=NZ
>   SSH_CLIENT=xxx.xx.xx.xxx 34811 2222
>   SSH_CONNECTION=xxx.xx.xx.xxx 34811 xxx.xx.xx.xx 2222
>   SSH_TTY=/dev/pts/6
>   TERM=xterm
> debug1: JRT-05: launch_login
>
> However, if I then query the environment of the logged in
> process, none of the variables have been set properly, thus:
>
> user at host:~$ echo $SSH_CLIENT
>
> user at host:~$ echo $SSH_TTY
>
> user at host:~$ echo $TERM
> sun
>
> I don't mind the loss of SSH_CLIENT and SSH_TTY; but the fact
> that my TERM is not being set correctly is causing all sorts
> of problems.
>
> This DOES work in OpenSSH 3.0p1, with the same configuration
> file. Turning UseLogin OFF in OpenSSH 3.7.1p1 also works;
> but causes other issues with Solaris password aging, so isn't
> an option (mandated by our Information Security people).
> This
> has been tested on the SAME machine in the SAME interactive
> session, so I know it isn't an issue with different OS /
> build / runtime factors.
>
> As far as I can tell, the environment etc is all done in
> "session.c". I've looked at the code to the best of my
> ability (I'm not a C guru, but can do basic things), and the
> two versions of code are doing much the same stuff:
>
> 1. Define char **env
> 2. Define "extern char **environ", which I assume will reach
>    the environment setup by the C RTL.
> 3. Populate "env" by various calls to child_set_env (which
>    in OpenSSH 3.7.1p1 is called in another routine, by env =
>    do_setup_env - is this the problem??)
> 4. "environ = env", which I assume will set the external
>    environment to the newly defined environment stored in "env".
> 5. Call "execl(LOGIN_PROGRAM, "login", "-h", hostname, "-p" ,"-f", "--", pw-
>    process. The "-p" flag is supposed to get login to read the
>    current environment.
>
> Hints / Help / Suggestions all welcome. Solutions are
> preferred.
>
> Please ensure any responses are cc'ed to myself directly as
> well as the list, as I'm not a subscriber to the list
> currently (too many viruses on the list!)
>
> Thanks in advance,
>
> James Roberts-Thomson
> Senior Systems Engineer                    DDI +64 4 494 4436
> Infrastructure Projects                    Tel +64 4 494 4000
> The National Bank of New Zealand Limited   Fax +64 4 802 8509

This communication is confidential and may contain privileged material. If
you are not the intended recipient you must not use, disclose, copy or
retain it. If you have received it in error please immediately notify me by
return email and delete the emails. Thank you.
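The five session.c steps listed in the message above, carried through in a stand-alone program so the environment hand-off can be observed; this is an added example, not OpenSSH's session.c. child_set_env() here is a hypothetical reimplementation of the helper the message names, the variable values are constructed from the debug output quoted there, and env(1) stands in for login(1) at the exec step.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;	/* step 2: the C runtime's environment pointer */

/*
 * Step 3 helper (hypothetical reimplementation, not OpenSSH's): set
 * NAME=VALUE in the NULL-terminated array *envp, replacing an existing
 * NAME or appending a new entry; *envsizep tracks the allocated slots.
 */
static void
child_set_env(char ***envp, unsigned int *envsizep, const char *name,
    const char *value)
{
	char **env = *envp;
	unsigned int i, namelen = strlen(name);
	size_t len = namelen + strlen(value) + 2;	/* '=' and NUL */
	char *entry;

	for (i = 0; env != NULL && env[i] != NULL; i++)
		if (strncmp(env[i], name, namelen) == 0 && env[i][namelen] == '=')
			break;
	if (env == NULL || env[i] == NULL) {
		/* not present: room for the new entry plus the terminator */
		if (i + 2 > *envsizep) {
			*envsizep = i + 2;
			env = realloc(env, *envsizep * sizeof(*env));
			if (env == NULL) {
				perror("realloc");
				exit(1);
			}
			*envp = env;
		}
		env[i + 1] = NULL;
	} else
		free(env[i]);	/* present: replace the old NAME=VALUE */
	if ((entry = malloc(len)) == NULL) {
		perror("malloc");
		exit(1);
	}
	snprintf(entry, len, "%s=%s", name, value);
	env[i] = entry;
}

/* Look NAME up in a NAME=VALUE array; returns the value or NULL. */
const char *
child_get_env(char **env, const char *name)
{
	unsigned int i, namelen = strlen(name);

	for (i = 0; env != NULL && env[i] != NULL; i++)
		if (strncmp(env[i], name, namelen) == 0 && env[i][namelen] == '=')
			return env[i] + namelen + 1;
	return NULL;
}

/*
 * Steps 1 and 3: build the environment the debug output shows. The values
 * are constructed; "xxx" stands in for the addresses redacted in the mail.
 */
char **
build_session_env(void)
{
	char **env = NULL;
	unsigned int envsize = 0;

	child_set_env(&env, &envsize, "TZ", "NZ");
	child_set_env(&env, &envsize, "SSH_CLIENT", "xxx.xx.xx.xxx 34811 2222");
	child_set_env(&env, &envsize, "SSH_CONNECTION",
	    "xxx.xx.xx.xxx 34811 xxx.xx.xx.xx 2222");
	child_set_env(&env, &envsize, "SSH_TTY", "/dev/pts/6");
	child_set_env(&env, &envsize, "TERM", "sun");
	child_set_env(&env, &envsize, "TERM", "xterm");	/* replaces "sun" */
	return env;
}

/* Step 4: hand the array to the C runtime; getenv() now reads from it. */
const char *
adopt_env_and_lookup(char **env, const char *name)
{
	environ = env;
	return getenv(name);
}

int
main(void)
{
	char **env = build_session_env();

	/*
	 * Step 5 stand-in: exec a program that just prints its environment
	 * instead of login(1). Whatever is exec'd here inherits exactly the
	 * array environ points to, so the five variables should be listed.
	 */
	environ = env;
	execl("/usr/bin/env", "env", (char *)NULL);
	perror("execl");
	return 1;
}
```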
From: iqbala at qwestip.net (Asif Iqbal)
Date: Mon, 6 Oct 2003 23:09:29 -0400 (EDT)
Subject: SecurID patch for OpenSSH 3.7.1p2
In-Reply-To: <58109.183988-26465-632434844-1064593949@seznam.cz>

Hi Vaclav

I'd like to put the securid_users file in the /etc directory instead of the
default /usr/local/etc/

Would you help me point out the location in your patch where I can modify to
change that?

Thanks

On Fri, 26 Sep 2003, Václav Tomec wrote:

> Hello all,
>
> new version of SecurID patch is available on
> http://sweb.cz/v_t_m/
>
> The new version of the patch is extended with "shared logins" possibility.
> It means that SecurID token can be used to login to an account shared
> by several persons.
> This cannot be solved using ACE server standard means.
>
> This patch depends on the AuthSelection patch (http://sweb.cz/v_t_m).
> After applying AuthSelection patch, you can specify
> server-supported authentication methods per user to authenticate with
> OpenSSH server.
>
>
> Vaclav
>

-- 
Asif Iqbal
http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x8B686E08
There's no place like 127.0.0.1

From iqbala at qwestip.net Tue Oct 7 13:29:32 2003
From: iqbala at qwestip.net (Asif Iqbal)
Date: Mon, 6 Oct 2003 23:29:32 -0400 (EDT)
Subject: SecurID patch for OpenSSH 3.7.1p2

On Mon, 6 Oct 2003, Asif Iqbal wrote:

> Hi Vaclav
>
> I'd like to put the securid_users file in the /etc directory instead of the
> default /usr/local/etc/
>
> Would you help me point out the location in your patch where I can modify to
> change that?

Never mind, I found it.

Replaced this:

#define SECURID_USERS_FILE SSHDIR "/securid_users"

With this:

#define SECURID_USERS_FILE "/etc/securid.users"

(line 30 of auth2-securid.h)

>
> Thanks
>
> On Fri, 26 Sep 2003, Václav Tomec wrote:
>
> > Hello all,
> >
> > new version of SecurID patch is available on
> > http://sweb.cz/v_t_m/
> >
> > The new version of the patch is extended with "shared logins" possibility.
> > It means that SecurID token can be used to login to an account shared
> > by several persons.
> > This cannot be solved using ACE server standard means.
> >
> > This patch depends on the AuthSelection patch (http://sweb.cz/v_t_m).
> > After applying AuthSelection patch, you can specify
> > server-supported authentication methods per user to authenticate with
> > OpenSSH server.
> >
> >
> > Vaclav
> >
>

-- 
Asif Iqbal
http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x8B686E08
There's no place like 127.0.0.1

From tim at multitalents.net Tue Oct 7 14:59:26 2003
From: tim at multitalents.net (Tim Rice)
Date: Mon, 6 Oct 2003 21:59:26 -0700 (PDT)
Subject: EnableSSHKeysign

It looks like host based authentication will not work if you
attempt to set EnableSSHKeysign on a per host basis.

Ie. This does not work.
-------
Host ou8
	HostName ou8.somedomain.com
	HostbasedAuthentication yes
	EnableSSHKeysign yes
	NoHostAuthenticationForLocalhost yes
-------

Unless you also add
-----
Host *
	EnableSSHKeysign yes
-----

Is this the intended behavior?

-- 
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From dtucker at zip.com.au Tue Oct 7 15:53:54 2003
From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 07 Oct 2003 15:53:54 +1000 Subject: SSHD 3.7.1p2 on HP-UX References: <3F718A10.6AFD97DB@zip.com.au> <3F71924A.30501@hp.com> <3F7197CF.6040907@hp.com> <3F72EE01.1020507@hp.com> <3F741E4D.5090600@hp.com> <3F742425.80109@hp.com> <3F78CEB7.C6D7AE4A@zip.com.au> <3F7A4EBC.999AA92C@zip.com.au> <3F7A76C8.EDEE0715@zip.com.au> <3F7BCFEF.1020605@hp.com> <3F7C1EFC.7AAE846B@zip.com.au> <3F7C38CF.5050308@hp.com> Message-ID: <3F8254F2.8296B6A8@zip.com.au> Hi All. Attached is a smallish patch against -current to prevent the expires-every-day behaviour on Trusted HP-UX systems. Credit goes to Micheal for figuring this one out. That section of code will need to be tidied up when the password expiry patches go in anyway, currently I'm interested in making the snapshots work for people using HP-UX. Is this patch OK until then? For those of you using 3.7.1p2 on HP-UX, I have a patch that contains only HP-UX fixes against 3.7.1p2. It patches configure too so you don't need autoconf, just apply it to 3.7.1p2 and you should be good to go. http://www.zip.com.au/~dtucker/openssh/openssh-3.7.1p2-hpux.patch -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: auth.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v retrieving revision 1.78 diff -u -p -r1.78 auth.c --- auth.c 2 Oct 2003 06:12:36 -0000 1.78 +++ auth.c 7 Oct 2003 05:42:42 -0000 @@ -90,6 +90,7 @@ allowed_user(struct passwd * pw) #ifdef HAS_SHADOW_EXPIRE #define DAY (24L * 60 * 60) /* 1 day in seconds */ if (!options.use_pam && spw != NULL) { + int disabled = 0; time_t today; today = time(NULL) / DAY; 
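Review bot: the new `int disabled = 0;` in this hunk is only ever set under the `#if defined(__hpux) && !defined(HAVE_SECUREWARE)` block of the following hunk, so on every other platform it stays a constant 0 and the `!disabled &&` guards it feeds are always true; a short comment on the declaration (for example `int disabled = 0;	/* HP-UX Trusted Mode: expiry checks off */`) would tell the next reader why a platform-specific flag lives in the generic shadow-expiry path.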
@@ -106,13 +107,19 @@ allowed_user(struct passwd * pw) return 0; } - if (spw->sp_lstchg == 0) { +#if defined(__hpux) && !defined(HAVE_SECUREWARE) + if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 && + spw->sp_warn == 0) + disabled = 1; /* Trusted Mode: expiry disabled */ +#endif + + if (!disabled && spw->sp_lstchg == 0) { logit("User %.100s password has expired (root forced)", pw->pw_name); return 0; } - if (spw->sp_max != -1 && + if (!disabled && spw->sp_max != -1 && spw->sp_max != 0 && today > spw->sp_lstchg + spw->sp_max) { logit("User %.100s password has expired (password aged)", pw->pw_name); From michael.steffens at hp.com Tue Oct 7 16:26:24 2003 
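Review bot: the rewritten aging test `if (!disabled && spw->sp_max != -1 && spw->sp_max != 0 &&` adds a `sp_max != 0` term that changes behaviour for every shadow setup, not only HP-UX Trusted Mode: an entry with `sp_max == 0` used to be reported as "(password aged)" once `today > sp_lstchg`, and now never is. The Trusted Mode case is already covered by `disabled` (which requires `sp_max == 0`), so the term should be dropped and the line left as `if (!disabled && spw->sp_max != -1 &&`. Also make sure the header declaring `iscomsec()` is included under the same `#if`, so the call is not an implicit declaration on HP-UX.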
From: michael.steffens at hp.com (Michael Steffens) Date: Tue, 07 Oct 2003 08:26:24 +0200 Subject: SSHD 3.7.1p2 on HP-UX In-Reply-To: <3F8254F2.8296B6A8@zip.com.au> References: <3F718A10.6AFD97DB@zip.com.au> <3F71924A.30501@hp.com> <3F7197CF.6040907@hp.com> <3F72EE01.1020507@hp.com> <3F741E4D.5090600@hp.com> <3F742425.80109@hp.com> <3F78CEB7.C6D7AE4A@zip.com.au> <3F7A4EBC.999AA92C@zip.com.au> <3F7A76C8.EDEE0715@zip.com.au> <3F7BCFEF.1020605@hp.com> <3F7C1EFC.7AAE846B@zip.com.au> <3F7C38CF.5050308@hp.com> <3F8254F2.8296B6A8@zip.com.au> Message-ID: <3F825C90.80509@hp.com> Hi Darren, looks fine besides one little detail, see below Darren Tucker wrote: > Hi All. > Attached is a smallish patch against -current to prevent the > expires-every-day behaviour on Trusted HP-UX systems. Credit goes to > Micheal for figuring this one out. > > That section of code will need to be tidied up when the password expiry > patches go in anyway, currently I'm interested in making the snapshots > work for people using HP-UX. Is this patch OK until then? > > For those of you using 3.7.1p2 on HP-UX, I have a patch that contains > only HP-UX fixes against 3.7.1p2. It patches configure too so you don't > need autoconf, just apply it to 3.7.1p2 and you should be good to go. > > http://www.zip.com.au/~dtucker/openssh/openssh-3.7.1p2-hpux.patch > > > > ------------------------------------------------------------------------ > > Index: auth.c > =================================================================== > RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v > retrieving revision 1.78 > diff -u -p -r1.78 auth.c > --- auth.c 2 Oct 2003 06:12:36 -0000 1.78 > +++ auth.c 7 Oct 2003 05:42:42 -0000 > @@ -90,6 +90,7 @@ allowed_user(struct passwd * pw) > #ifdef HAS_SHADOW_EXPIRE > #define DAY (24L * 60 * 60) /* 1 day in seconds */ > if (!options.use_pam && spw != NULL) { > + int disabled = 0; > time_t today; > > today = time(NULL) / DAY; 
> @@ -106,13 +107,19 @@ allowed_user(struct passwd * pw) > return 0; > } > > - if (spw->sp_lstchg == 0) { > +#if defined(__hpux) && !defined(HAVE_SECUREWARE) > + if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 && > + spw->sp_warn == 0) > + disabled = 1; /* Trusted Mode: expiry disabled */ > +#endif > + > + if (!disabled && spw->sp_lstchg == 0) { > logit("User %.100s password has expired (root forced)", > pw->pw_name); > return 0; > } > > - if (spw->sp_max != -1 && > + if (!disabled && spw->sp_max != -1 && spw->sp_max != 0 && The test sp_max != 0 is not required here for trusted systems any more, as the "disabled" flag already catches it. But it changes behaviour for other shadow setups. I would suggest to remove it. > today > spw->sp_lstchg + spw->sp_max) { > logit("User %.100s password has expired (password aged)", > pw->pw_name); From dtucker at zip.com.au Tue Oct 7 16:32:49 2003 
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 07 Oct 2003 16:32:49 +1000
Subject: SSHD 3.7.1p2 on HP-UX
References: <3F718A10.6AFD97DB@zip.com.au> <3F71924A.30501@hp.com> <3F7197CF.6040907@hp.com> <3F72EE01.1020507@hp.com> <3F741E4D.5090600@hp.com> <3F742425.80109@hp.com> <3F78CEB7.C6D7AE4A@zip.com.au> <3F7A4EBC.999AA92C@zip.com.au> <3F7A76C8.EDEE0715@zip.com.au> <3F7BCFEF.1020605@hp.com> <3F7C1EFC.7AAE846B@zip.com.au> <3F7C38CF.5050308@hp.com> <3F8254F2.8296B6A8@zip.com.au> <3F825C90.80509@hp.com>
Message-ID: <3F825E11.9AF85A14@zip.com.au>

Michael Steffens wrote:
> looks fine besides one little detail, see below
[snip]
> > -		if (spw->sp_max != -1 &&
> > +		if (!disabled && spw->sp_max != -1 && spw->sp_max != 0 &&
>
> The test sp_max != 0 is not required here for trusted systems
> any more, as the "disabled" flag already catches it. But it changes
> behaviour for other shadow setups. I would suggest to remove it.

Good point, I thought I'd removed that.... yeah I removed it from the
3.7.1p2 working tree but not the -current one. Thanks!

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From openssh at roumenpetrov.info Tue Oct 7 16:52:29 2003
From: openssh at roumenpetrov.info (Roumen Petrov)
Date: Tue, 07 Oct 2003 09:52:29 +0300
Subject: EnableSSHKeysign
Message-ID: <3F8262AD.6040302@roumenpetrov.info>

ssh-keysign doesn't know the host => only
...
Host *
	EnableSSHKeysign yes
...
in "host_config_file (.../ssh_config)" is valid.

Tim Rice wrote:

>It looks like host based authentication will not work if you
>attempt to set EnableSSHKeysign on a per host basis.
>
>Ie. This does not work.
>-------
>Host ou8
>	HostName ou8.somedomain.com
>	HostbasedAuthentication yes
>	EnableSSHKeysign yes
>	NoHostAuthenticationForLocalhost yes
>-------
>
>Unless you also add
>-----
>Host *
>	EnableSSHKeysign yes
>-----
>
>Is this the intended behavior?
>
Yes.
>
>
>

From markus at openbsd.org Tue Oct 7 17:51:09 2003
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 7 Oct 2003 09:51:09 +0200
Subject: EnableSSHKeysign
Message-ID: <20031007075109.GA17866@folly>

yes, it's intentional. ssh-keysign does not know the target host.
EnableSSHKeysign is intended to protect the private host key.

perhaps this should be better documented...

On Mon, Oct 06, 2003 at 09:59:26PM -0700, Tim Rice wrote:
>
> It looks like host based authentication will not work if you
> attempt to set EnableSSHKeysign on a per host basis.
>
> Ie. This does not work.
> -------
> Host ou8
> 	HostName ou8.somedomain.com
> 	HostbasedAuthentication yes
> 	EnableSSHKeysign yes
> 	NoHostAuthenticationForLocalhost yes
> -------
>
> Unless you also add
> -----
> Host *
> 	EnableSSHKeysign yes
> -----
>
> Is this the intended behavior?
>
> --
> Tim Rice				Multitalents	(707) 887-1469
> tim at multitalents.net
>

From Pierre.Michaud at ec.gc.ca Wed Oct 8 03:27:57 2003
From: Pierre.Michaud at ec.gc.ca (Michaud,Pierre [CMC])
Date: Tue, 7 Oct 2003 13:27:57 -0400
Subject: Installing openssh-3.7.1p2 on HP-UX 10.20
Message-ID: <928233E3D896D311822900805F3198E9014960DE@Eccmc4.cmc.ec.gc.ca>

> Hi,
>
> I'm trying to install openssh-3.7.1p2 on a HP-UX 10.20 machine.
> Everything goes well until the "make install" command hangs on "Generating
> public/private rsa1 key pair". Even the ssh-keygen command hangs on (I've
> tried it after aborting the make install). The problem remains the same
> using or not the configure option "--with-prngd-socket". Any idea what
> could be the source of the problem?
>
> Thanks!
>
> Pierre Michaud
>

From wendyp at cray.com Wed Oct 8 03:35:07 2003
From: wendyp at cray.com (Wendy Palm)
Date: Tue, 07 Oct 2003 12:35:07 -0500
Subject: Installing openssh-3.7.1p2 on HP-UX 10.20
References: <928233E3D896D311822900805F3198E9014960DE@Eccmc4.cmc.ec.gc.ca>
Message-ID: <3F82F94B.1020506@cray.com>

i've had that happen when my openssl wasn't installed properly.
what version do you have installed? did it pass the rsa self tests?

Michaud,Pierre [CMC] wrote:
>>Hi,
>>
>>I'm trying to install openssh-3.7.1p2 on a HP-UX 10.20 machine.
>>Everything goes well until the "make install" command hangs on "Generating
>>public/private rsa1 key pair". Even the ssh-keygen command hangs on (I've
>>tried it after aborting the make install). The problem remains the same
>>using or not the configure option "--with-prngd-socket". Any idea what
>>could be the source of the problem?
>>
>>Thanks!
>>
>>Pierre Michaud
>>
>>
>

-- 
wendy palm
Cray Open Software Development, Cray Inc.
wendyp at cray.com, 651-605-9154

From lindysandiego at yahoo.com Wed Oct 8 09:58:12 2003
From: lindysandiego at yahoo.com (Thomas Baden) Date: Tue, 7 Oct 2003 16:58:12 -0700 (PDT) Subject: Fwd: Re: Bus Error with OpenSSH 3.7.1p2 on Solaris 8, SPARC 64-bit, YASSP Message-ID: <20031007235812.47792.qmail@web20712.mail.yahoo.com> The following patch appears to fix the BUS error received on Solaris 8. This problem manifests as an immediate disconnect with no apparent cause immediately after authentication with the host. --- Darren Tucker wrote: > Date: Tue, 30 Sep 2003 09:35:26 +1000 > From: Darren Tucker > Subject: Re: Bus Error with OpenSSH 3.7.1p2 on > Solaris 8, SPARC 64-bit, YASSP > To: Thomas Baden > > Thomas Baden wrote: > > > I can do Solaris 8, 64-bit testing. > > > > I don't think that that will fix it, as you are > > casting mask to its own type. > > Yeah, it didn't look right even when I wrote it. > > > I think that a fix > > along the lines of what Matthias send makes the > most > > sense, as you're asking sscanf to return a long > value. > > Could you please test this patch? It's similar to > your hand-done patch. > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 > C982 80C7 8FF4 FA69 > Good judgement comes with experience. > Unfortunately, the experience > usually comes from bad judgement. > > Index: session.c > =================================================================== > RCS file: > /usr/local/src/security/openssh/cvs/openssh_cvs/session.c,v > retrieving revision 1.255 > diff -u -p -r1.255 session.c > --- session.c 22 Sep 2003 11:04:23 -0000 1.255 > +++ session.c 29 Sep 2003 23:34:10 -0000 > @@ -915,7 +915,7 @@ read_etc_default_login(char > ***env, u_in > { > char **tmpenv = NULL, *var; > u_int i, tmpenvsize = 0; > - mode_t mask; > + u_long mask; > > /* > * We don't want to copy the whole file to the > child's environment, 
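Review bot: the `mode_t mask;` to `u_long mask;` change in this hunk is the right fix for the `sscanf(var, "%5lo", &mask)` call in the next hunk, which stores an `unsigned long` through the pointer and overruns a `mode_t` wherever that type is narrower than `long` (the 64-bit SPARC bus error reported above); a comment on the declaration saying that `mask` must match the `%lo` conversion would keep someone from tidying it back to `mode_t` later.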
> @@ -936,7 +936,7 @@ read_etc_default_login(char > ***env, u_in > > if ((var = child_get_env(tmpenv, "UMASK")) != > NULL) > if (sscanf(var, "%5lo", &mask) == 1) > - umask(mask); > + umask((mode_t)mask); > > for (i = 0; tmpenv[i] != NULL; i++) > xfree(tmpenv[i]); > __________________________________ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com From mouring at etoh.eviladmin.org Wed Oct 8 11:01:47 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 7 Oct 2003 20:01:47 -0500 (CDT) Subject: Fwd: Re: Bus Error with OpenSSH 3.7.1p2 on Solaris 8, SPARC 64-bit, YASSP In-Reply-To: <20031007235812.47792.qmail@web20712.mail.yahoo.com> Message-ID: sshd -ddd would be a useful start. - Ben On Tue, 7 Oct 2003, Thomas Baden wrote: > The following patch appears to fix the BUS error > received on Solaris 8. This problem manifests as an > immediate disconnect with no apparent cause > immediately after authentication with the host. > > --- Darren Tucker wrote: > > Date: Tue, 30 Sep 2003 09:35:26 +1000 
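Review bot: in the second hunk, umask((mode_t)mask) casts the value read from /etc/default/login but never checks it: "%5lo" accepts anything up to 077777, so a mistyped UMASK entry is applied silently instead of being reported. Suggest testing the range before using it, e.g. if (sscanf(var, "%5lo", &mask) == 1 && mask <= 0777) umask((mode_t)mask); and logging the entry otherwise, so that only permission bits ever reach umask().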
> > From: Darren Tucker > > Subject: Re: Bus Error with OpenSSH 3.7.1p2 on > > Solaris 8, SPARC 64-bit, YASSP > > To: Thomas Baden > > > > Thomas Baden wrote: > > > > > I can do Solaris 8, 64-bit testing. > > > > > > I don't think that that will fix it, as you are > > > casting mask to its own type. > > > > Yeah, it didn't look right even when I wrote it. > > > > > I think that a fix > > > along the lines of what Matthias send makes the > > most > > > sense, as you're asking sscanf to return a long > > value. > > > > Could you please test this patch? It's similar to > > your hand-done patch. > > > > -- > > Darren Tucker (dtucker at zip.com.au) > > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 > > C982 80C7 8FF4 FA69 > > Good judgement comes with experience. > > Unfortunately, the experience > > usually comes from bad judgement. > > > Index: session.c > > > =================================================================== > > RCS file: > > > /usr/local/src/security/openssh/cvs/openssh_cvs/session.c,v > > retrieving revision 1.255 > > diff -u -p -r1.255 session.c > > --- session.c 22 Sep 2003 11:04:23 -0000 1.255 > > +++ session.c 29 Sep 2003 23:34:10 -0000 > > @@ -915,7 +915,7 @@ read_etc_default_login(char > > ***env, u_in > > { > > char **tmpenv = NULL, *var; > > u_int i, tmpenvsize = 0; > > - mode_t mask; > > + u_long mask; > > > > /* > > * We don't want to copy the whole file to the > > child's environment, 
> > @@ -936,7 +936,7 @@ read_etc_default_login(char > > ***env, u_in > > > > if ((var = child_get_env(tmpenv, "UMASK")) != > > NULL) > > if (sscanf(var, "%5lo", &mask) == 1) > > - umask(mask); > > + umask((mode_t)mask); > > > > for (i = 0; tmpenv[i] != NULL; i++) > > xfree(tmpenv[i]); > > > > > __________________________________ > Do you Yahoo!? > The New Yahoo! Shopping - with improved product search > http://shopping.yahoo.com > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From dtucker at zip.com.au Wed Oct 8 12:17:55 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 08 Oct 2003 12:17:55 +1000 Subject: Fwd: Re: Bus Error with OpenSSH 3.7.1p2 on Solaris 8, SPARC 64-bit,YASSP References: <20031007235812.47792.qmail@web20712.mail.yahoo.com> Message-ID: <3F8373D3.3133F639@zip.com.au> Thomas Baden wrote: > > The following patch appears to fix the BUS error > received on Solaris 8. Thanks for confirming that, the patch has been applied to the main tree. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Wed Oct 8 12:39:30 2003 
From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 08 Oct 2003 12:39:30 +1000 Subject: Installing openssh-3.7.1p2 on HP-UX 10.20 References: <928233E3D896D311822900805F3198E9014960DE@Eccmc4.cmc.ec.gc.ca> Message-ID: <3F8378E2.BDCAC68E@zip.com.au> "Michaud,Pierre [CMC]" wrote: > > I'm trying to install openssh-3.7.1p2 on a HP-UX 10.20 machine. > > Everything goes well until the "make install" command hangs on "Generating > > public/private rsa1 key pair". Even the ssh-keygen command hangs on (I've > > tried it after aborting the make install). The problem remains the same > > using or not the configure option "--with-prngd-socket". Any idea what > > could be the source of the problem? Try running "ssh-rand-helper -vvv" on its own and see where it hangs. If it's just a single command, you can comment it out of ssh_prng_cmds. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From Martin.Kraemer at Fujitsu-Siemens.com Wed Oct 8 19:47:48 2003 
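Darren's advice above, turned into a small script. This is an added example, not code from this thread or from OpenSSH: it walks an ssh_prng_cmds-style file and runs every entry under a time limit, printing the entries that hang or whose program is not executable, so the offending line can be commented out. The entry format ("command" path rate), the paths and the sample entries in the usage note are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: walk an ssh_prng_cmds-style file and run
# each entry under a time limit, so a command that hangs (the likely reason for
# ssh-keygen stalling while ssh-rand-helper gathers entropy) is named directly.
#
# Assumed format, one entry per line, as in the ssh_prng_cmds file shipped with
# portable OpenSSH:
#   "command and arguments"   /path/to/program   rate
# Blank lines and lines starting with '#' are ignored.

# run_limited SECONDS 'command string'
# Runs the command in a subshell and terminates it after SECONDS.
# Returns 0 if it finished on its own, 1 if it had to be killed.
run_limited() {
    _lim=$1
    _cmd=$2
    sh -c "$_cmd" >/dev/null 2>&1 </dev/null &
    _pid=$!
    # Watchdog: after the limit, terminate the command if it is still running.
    ( sleep "$_lim"; kill "$_pid" 2>/dev/null ) >/dev/null 2>&1 &
    _wd=$!
    _rc=0
    wait "$_pid" || _rc=$?
    kill "$_wd" 2>/dev/null || true
    # A process terminated by SIGTERM reports 128 + 15 = 143.
    [ "$_rc" -ne 143 ]
}

# find_hanging_cmds FILE SECONDS
# Prints one line per problem entry:
#   HANG <command>       the command did not finish within SECONDS
#   MISSING <path>       the listed program is not executable
#   MALFORMED <line>     the line does not follow the expected format
# Entries that finish in time print nothing.
find_hanging_cmds() {
    _file=$1
    _lim=$2
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in
            ''|\#*) continue ;;
        esac
        # The command is the text between the first pair of double quotes;
        # the program path is the first word after the closing quote.
        _c=${_line#\"}
        _c=${_c%%\"*}
        _rest=${_line#*\"*\"}
        set -- $_rest
        _path=$1
        if [ -z "$_path" ] || [ "$_c" = "$_line" ]; then
            printf 'MALFORMED %s\n' "$_line"
            continue
        fi
        if [ ! -x "$_path" ]; then
            printf 'MISSING %s\n' "$_path"
            continue
        fi
        if ! run_limited "$_lim" "$_c"; then
            printf 'HANG %s\n' "$_c"
        fi
    done < "$_file"
}

# Usage (paths are assumptions):
#   find_hanging_cmds /usr/local/etc/ssh_prng_cmds 5
```

Each command is run the way the file lists it, with stdin and stdout detached, so a command that blocks waiting for a terminal or for a device (a common cause on older HP-UX, where some of the default entries reference things that do not exist) shows up as HANG rather than stalling the script.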
From: Martin.Kraemer at Fujitsu-Siemens.com (Martin Kraemer) Date: Wed, 8 Oct 2003 11:47:48 +0200 Subject: OS/390 openssh Message-ID: <20031008094747.GA10143@deejai2.mch.fsc.net> Hello Steve, Hello OpenSSH-portable developers, I am building OpenSSH for our (EBCDIC-based) BS2000 mainframe operating system, and I noticed you do the same for OS/390. Because my initial ssh port was based on IBM's OSS port (ssh-1.2.2 or some such), I thought it was fair enough to help with a little co-operation; we might come up with a unified EBCDIC patch which could be contributed to the maintainers of the OpenSSH-portable version. Please find appended the latest diff which we apply to the openssh portable tree (in this case, 3.7.1p2), and which makes ssh, sshd, scp, ssh-agent & co work successfully on our BS2000. At least some of it may be useful to you, although the sftp problems you mention have not been addressed by us yet either. OpenSSH-portable developers: do you think this could be added as a new platform to the portable version? What should be changed to allow its addition? I *tried* to make it not-too-ugly, at least... ;-) Cheers, Martin Kraemer -- | Fujitsu Siemens Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730 Munich, Germany -------------- next part -------------- diff -bur openssh-3.7.1p2.orig/auth.c openssh-3.7.1p2/auth.c --- openssh-3.7.1p2.orig/auth.c Tue Sep 2 23:32:46 2003 +++ openssh-3.7.1p2/auth.c Tue Oct 7 10:58:33 2003 @@ -300,8 +300,17 @@ #ifdef CUSTOM_FAILED_LOGIN if (authenticated == 0 && strcmp(method, "password") == 0) + { +#if #system(bs2000) + record_failed_login_attempt(authctxt->user, + "FAILED LOGIN ATTEMPT FOR USER", + get_remote_ipaddr(), + get_remote_port()); +#else record_failed_login(authctxt->user, "ssh"); #endif + } +#endif } /* 
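Review bot: in the auth.c CUSTOM_FAILED_LOGIN hunk, "#if #system(bs2000)" is the preprocessor assertion extension, which GCC documents as deprecated and which other preprocessors need not accept; portable OpenSSH takes its platform knowledge from configure, so this (and every other #system(bs2000) test in the patch, including the "!#system(bs2000)" in includes.h) should become a macro detected in configure.ac and defined in config.h. Also, record_failed_login_attempt() is called here but only defined at the end of auth.c, in the @@ -610 hunk, without a prototype, so this call site sees an implicit int declaration that conflicts with the later void definition; add a prototype, for instance in auth.h.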
@@ -524,8 +533,12 @@ logit("Illegal user %.100s from %.100s", user, get_remote_ipaddr()); #ifdef CUSTOM_FAILED_LOGIN +#if #system(bs2000) + record_failed_login_attempt(user, "ILLEGAL USER", get_remote_ipaddr(), get_remote_port()); +#else record_failed_login(user, "ssh"); #endif +#endif return (NULL); } if (!allowed_user(pw)) @@ -610,3 +623,23 @@ return (&fake); } + +#if #system(bs2000) && defined(CUSTOM_FAILED_LOGIN) +#include +/* + * record_failed_login_attempt: "attempted login failed" interface function + */ +void +record_failed_login_attempt(const char *user, const char *reason, const char *ipaddr, int port) +{ + char buf[1024]; + char cmd[1024]; + bs2cmd_rc rc; + int flags = BS2CMD_FLAG_STRIP; + + snprintf(buf, sizeof buf, "/TYPE %% OPENSSH %s '%s' FROM '[%s]:%d'", + reason, user, ipaddr, port); + strnvis(cmd, buf, sizeof(buf), VIS_SAFE|VIS_OCTAL); + (void) bs2cmd(cmd, &rc, BS2CMD_DEFAULT, flags); +} +#endif diff -bur openssh-3.7.1p2.orig/auth-passwd.c openssh-3.7.1p2/auth-passwd.c --- openssh-3.7.1p2.orig/auth-passwd.c Thu Sep 18 10:26:48 2003 +++ openssh-3.7.1p2/auth-passwd.c Tue Oct 7 08:21:59 2003 @@ -50,6 +50,18 @@ extern ServerOptions options; +#if #system(bs2000) +static void str_pad(char *dest, size_t size, char ch) +{ + int i = strlen(dest); /* Leave space for trailing '\0' */ + + while (i < size-1) + dest[i++] = ch; + + dest[size-1] = '\0'; /* Guarantee for trailing '\0' */ +} +#endif /*system(bs2000)*/ + /* * Tries to authenticate the user using password. Returns true if * authentication succeeds. 
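Review bot: in record_failed_login_attempt() (auth.c, @@ -610 hunk) the user argument is attacker-chosen, since the "ILLEGAL USER" call site runs before any authentication, and it is spliced between single quotes into a BS2000 command line that is handed to bs2cmd() with sshd's privileges. strnvis() with VIS_SAFE|VIS_OCTAL escapes control and non-printable bytes but leaves the quote character and other command syntax alone, so a user name containing a quote can close the string and extend the command. Restrict the name to a safe character class (or escape quotes) before formatting it, truncate with %.100s as the surrounding logit() calls do, and pass sizeof(cmd) rather than sizeof(buf) as the destination size of strnvis() so the two buffers cannot drift apart silently.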
@@ -72,6 +84,55 @@ #if defined(HAVE_OSF_SIA) return auth_sia_password(authctxt, password) && ok; +#elif defined(__MVS__) + { + int rc; + rc = __passwd(pw->pw_name, password, NULL); + if(rc) + debug("__passwd: %.100s", strerror(errno)); + return ok && rc == 0; + } +#elif #system(bs2000) + { + typedef struct { + char *username; + char *password; + char *pw_expdate; + char *logon_expdate; + char *account; + } _checkuser_struct; + extern int _checkuser(_checkuser_struct *); + _checkuser_struct auth_user; + char logon[9]; + char passw[9]; + char passw_expdate[11]; + char logon_expdate[11]; + char account_buffer[9]; + int ok_pw; + + /* in: */ + strncpy(logon, pw->pw_name, sizeof logon); + strupper(logon, NULL); + str_pad(logon, sizeof logon, ' '); + auth_user.username = logon; + strncpy(passw, password, sizeof passw); + strupper(passw, NULL); + str_pad(passw, sizeof passw, ' '); + auth_user.password = passw; + /* out: */ + auth_user.pw_expdate = passw_expdate; + auth_user.logon_expdate = logon_expdate; + auth_user.account = account_buffer; + + ok_pw = (_checkuser (&auth_user) == 0); + + if (!ok_pw) + debug("Password authentication of user %.100s " + "using BS2000 _checkuser() failed: %.100s", + logon, strerror(errno)); + return ok && ok_pw; + } + /*end #system(bs2000) */ #else # ifdef KRB5 if (options.kerberos_authentication == 1) { diff -bur openssh-3.7.1p2.orig/authfd.c openssh-3.7.1p2/authfd.c --- openssh-3.7.1p2.orig/authfd.c Thu Jul 3 05:46:56 2003 +++ openssh-3.7.1p2/authfd.c Tue Oct 7 08:21:59 2003 @@ -336,7 +336,7 @@ BN_num_bits(key->rsa->n), bits); break; case 2: - blob = buffer_get_string(&auth->identities, &blen); + blob = buffer_get_binary(&auth->identities, &blen); *comment = buffer_get_string(&auth->identities, NULL); key = key_from_blob(blob, blen); xfree(blob); 
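Review bot: in the "#elif #system(bs2000)" block of auth_password(), strncpy(logon, pw->pw_name, sizeof logon) and strncpy(passw, password, sizeof passw) leave the arrays unterminated when the source is 9 or more bytes, and strupper() and str_pad() then run strlen() over an unterminated 9-byte stack array. password comes straight from the client, so any password of 9 or more characters reads past passw. Copy at most sizeof passw - 1 bytes and terminate explicitly before padding, e.g. strncpy(passw, password, sizeof passw - 1); passw[sizeof passw - 1] = '\0'; and the same for logon. Two further points: passw holds the cleartext password and should be zeroed with memset() once _checkuser() returns, and the silent truncation means only the first 8 upper-cased characters are ever checked; if that is the platform's own password length limit, say so in a comment, otherwise reject longer passwords rather than truncating them.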
@@ -430,8 +430,8 @@ buffer_init(&msg); buffer_put_char(&msg, SSH2_AGENTC_SIGN_REQUEST); - buffer_put_string(&msg, blob, blen); - buffer_put_string(&msg, data, datalen); + buffer_put_binary(&msg, blob, blen); + buffer_put_binary(&msg, data, datalen); buffer_put_int(&msg, flags); xfree(blob); @@ -446,7 +446,7 @@ fatal("Bad authentication response: %d", type); } else { ret = 0; - *sigp = buffer_get_string(&msg, lenp); + *sigp = buffer_get_binary(&msg, lenp); } buffer_free(&msg); return ret; @@ -573,7 +573,7 @@ } else if (key->type == KEY_DSA || key->type == KEY_RSA) { key_to_blob(key, &blob, &blen); buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY); - buffer_put_string(&msg, blob, blen); + buffer_put_binary(&msg, blob, blen); xfree(blob); } else { buffer_free(&msg); diff -bur openssh-3.7.1p2.orig/auth2-hostbased.c openssh-3.7.1p2/auth2-hostbased.c --- openssh-3.7.1p2.orig/auth2-hostbased.c Sat Jun 28 04:38:02 2003 +++ openssh-3.7.1p2/auth2-hostbased.c Tue Oct 7 08:21:59 2003 @@ -60,10 +60,10 @@ return 0; } pkalg = packet_get_string(&alen); - pkblob = packet_get_string(&blen); + pkblob = packet_get_binary(&blen); chost = packet_get_string(NULL); cuser = packet_get_string(NULL); - sig = packet_get_string(&slen); + sig = packet_get_binary(&slen); debug("userauth_hostbased: cuser %s chost %s pkalg %s slen %d", cuser, chost, pkalg, slen); @@ -101,7 +101,7 @@ buffer_put_cstring(&b, service); buffer_put_cstring(&b, "hostbased"); buffer_put_string(&b, pkalg, alen); - buffer_put_string(&b, pkblob, blen); + buffer_put_binary(&b, pkblob, blen); buffer_put_cstring(&b, chost); buffer_put_cstring(&b, cuser); #ifdef DEBUG_PK diff -bur openssh-3.7.1p2.orig/auth2-pubkey.c openssh-3.7.1p2/auth2-pubkey.c --- openssh-3.7.1p2.orig/auth2-pubkey.c Sat Jun 28 04:38:02 2003 +++ openssh-3.7.1p2/auth2-pubkey.c Tue Oct 7 08:21:59 2003 
@@ -65,7 +65,7 @@ if (datafellows & SSH_BUG_PKAUTH) { debug2("userauth_pubkey: SSH_BUG_PKAUTH"); /* no explicit pkalg given */ - pkblob = packet_get_string(&blen); + pkblob = packet_get_binary(&blen); buffer_init(&b); buffer_append(&b, pkblob, blen); /* so we have to extract the pkalg from the pkblob */ @@ -73,7 +73,7 @@ buffer_free(&b); } else { pkalg = packet_get_string(&alen); - pkblob = packet_get_string(&blen); + pkblob = packet_get_binary(&blen); } pktype = key_type_from_name(pkalg); if (pktype == KEY_UNSPEC) { @@ -93,13 +93,13 @@ goto done; } if (have_sig) { - sig = packet_get_string(&slen); + sig = packet_get_binary(&slen); packet_check_eom(); buffer_init(&b); if (datafellows & SSH_OLD_SESSIONID) { buffer_append(&b, session_id2, session_id2_len); } else { - buffer_put_string(&b, session_id2, session_id2_len); + buffer_put_binary(&b, session_id2, session_id2_len); } /* reconstruct packet */ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); @@ -115,7 +115,7 @@ buffer_put_char(&b, have_sig); buffer_put_cstring(&b, pkalg); } - buffer_put_string(&b, pkblob, blen); + buffer_put_binary(&b, pkblob, blen); #ifdef DEBUG_PK buffer_dump(&b); #endif @@ -142,7 +142,7 @@ if (PRIVSEP(user_key_allowed(authctxt->pw, key))) { packet_start(SSH2_MSG_USERAUTH_PK_OK); packet_put_string(pkalg, alen); - packet_put_string(pkblob, blen); + packet_put_binary(pkblob, blen); packet_send(); packet_write_wait(); authctxt->postponed = 1; diff -bur openssh-3.7.1p2.orig/bufaux.c openssh-3.7.1p2/bufaux.c --- openssh-3.7.1p2.orig/bufaux.c Wed May 14 05:40:07 2003 +++ openssh-3.7.1p2/bufaux.c Tue Oct 7 08:22:00 2003 @@ -126,7 +126,7 @@ carry = !++uc[i]; } } - buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh); + buffer_put_binary(buffer, buf+hasnohigh, bytes-hasnohigh); memset(buf, 0, bytes); xfree(buf); } 
@@ -136,7 +136,7 @@ buffer_get_bignum2(Buffer *buffer, BIGNUM *value) { u_int len; - u_char *bin = buffer_get_string(buffer, &len); + u_char *bin = buffer_get_binary(buffer, &len); if (len > 8 * 1024) fatal("buffer_get_bignum2: cannot handle BN of size %d", len); @@ -212,6 +212,36 @@ * will be stored there. A null character will be automatically appended * to the returned string, and is not counted in length. */ +#ifdef CHARSET_EBCDIC +void * +buffer_get_binary(Buffer *buffer, u_int *length_ptr) +{ + u_char *value; + u_int len; + + /* Get the length. */ + len = buffer_get_int(buffer); + if (len > 256 * 1024) + fatal("buffer_get_binary: bad length %d", len); + /* Allocate space for the object. Add one byte for a null character. */ + value = xmalloc(len + 1); + /* Get the string. */ + buffer_get(buffer, value, len); + /* Append a null character to make processing easier. */ + value[len] = 0; + /* Optionally return the length of the string. */ + if (length_ptr) + *length_ptr = len; + return value; +} +void +buffer_put_binary(Buffer *buffer, const void *buf, u_int len) +{ + buffer_put_int(buffer, len); + buffer_append(buffer, buf, len); +} +#endif + void * buffer_get_string(Buffer *buffer, u_int *length_ptr) { @@ -228,6 +258,9 @@ buffer_get(buffer, value, len); /* Append a null character to make processing easier. */ value[len] = 0; +#ifdef CHARSET_EBCDIC + __atoe_l(value,len); +#endif /* Optionally return the length of the string. */ if (length_ptr) *length_ptr = len; 
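Review bot: in the bufaux.c buffer_get_string() hunk, making the default accessor translate every string with __atoe_l() and requiring each binary consumer to be switched to buffer_get_binary() by hand is fragile: any caller this patch missed, or any future one, silently mangles keys, signatures or IVs, and only on EBCDIC hosts where nobody else tests. The safer direction is the reverse: keep buffer_get_string()/buffer_put_string() byte-transparent (the protocol's string type is an octet string) and add buffer_get_text()/buffer_put_text() for the few fields that carry text (user names, algorithm lists, comments), so that a missed conversion shows up as garbled text rather than as a failed signature. As written, buffer_get_binary() is also a verbatim copy of buffer_get_string(); have one call the other so the 256 kB length check lives in one place.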
@@ -241,6 +274,17 @@ buffer_put_string(Buffer *buffer, const void *buf, u_int len) { buffer_put_int(buffer, len); +#ifdef CHARSET_EBCDIC + if (len > 0) + { + char *cp = xmalloc(len); + memcpy (cp, buf, len); + __etoa_l(cp, len); + buffer_append(buffer, cp, len); + xfree(cp); + } + else +#endif buffer_append(buffer, buf, len); } void diff -bur openssh-3.7.1p2.orig/bufaux.h openssh-3.7.1p2/bufaux.h --- openssh-3.7.1p2.orig/bufaux.h Sun Apr 27 20:01:37 2003 +++ openssh-3.7.1p2/bufaux.h Tue Oct 7 08:22:00 2003 @@ -35,6 +35,13 @@ int buffer_get_char(Buffer *); void buffer_put_char(Buffer *, int); +#ifdef CHARSET_EBCDIC +void *buffer_get_binary(Buffer *, u_int *); +void buffer_put_binary(Buffer *, const void *, u_int); +#else +#define buffer_get_binary(_buf,_len) buffer_get_string(_buf,_len) +#define buffer_put_binary(_buf,_data,_len) buffer_put_string(_buf,_data,_len) +#endif void *buffer_get_string(Buffer *, u_int *); void buffer_put_string(Buffer *, const void *, u_int); void buffer_put_cstring(Buffer *, const char *); diff -bur openssh-3.7.1p2.orig/buffer.c openssh-3.7.1p2/buffer.c --- openssh-3.7.1p2.orig/buffer.c Tue Sep 23 10:55:43 2003 +++ openssh-3.7.1p2/buffer.c Tue Oct 7 08:22:00 2003 @@ -170,7 +170,15 @@ buffer_dump(Buffer *buffer) { int i; +#ifdef CHARSET_EBCDIC + unsigned char *ucp; + + ucp = xmalloc(buffer->alloc); + memcpy(ucp, buffer->buf, buffer->alloc); + __atoe_l(&ucp[buffer->offset], buffer->end - buffer->offset); +#else u_char *ucp = buffer->buf; +#endif for (i = buffer->offset; i < buffer->end; i++) { fprintf(stderr, "%02x", ucp[i]); @@ -180,4 +188,7 @@ fprintf(stderr, " "); } fprintf(stderr, "\r\n"); +#ifdef CHARSET_EBCDIC + xfree(ucp); +#endif } diff -bur openssh-3.7.1p2.orig/channels.c openssh-3.7.1p2/channels.c --- openssh-3.7.1p2.orig/channels.c Tue Sep 16 23:34:12 2003 +++ openssh-3.7.1p2/channels.c Tue Oct 7 08:22:00 2003 
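Review bot: in the bufaux.c buffer_put_string() hunk, the temporary cp is freed with xfree() without being cleared. buffer_put_cstring() routes through this function and is what carries the password in the client's password-authentication request, so the converted copy of a cleartext password is left behind in freed heap memory; add memset(cp, 0, len) before xfree(cp), matching the memset(buf, 0, bytes) that buffer_put_bignum2() already does a few lines up. The "if (len > 0)" special case exists only to avoid xmalloc(0); wrapping just the copy in it would keep a single code path.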
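Review bot: in the buffer.c buffer_dump() hunk, the data is converted with __atoe_l() before the "%02x" hex dump, so on EBCDIC hosts the dump shows translated byte values instead of the bytes actually on the wire, which is what one needs when comparing against an ASCII peer's trace; drop the conversion for the hex output and, if readable text is the goal, add a separate character column. The copy is also larger than needed: memcpy(ucp, buffer->buf, buffer->alloc) copies the whole allocation, including bytes past end, when only end - offset bytes are dumped.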
@@ -1752,7 +1752,11 @@ packet_start(compat20 ? SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA); packet_put_int(c->remote_id); + /*if (strcmp(c->ctype, "session") == 0)*/ + if (c->ctype[0] == 's') packet_put_string(buffer_ptr(&c->input), len); + else + packet_put_binary(buffer_ptr(&c->input), len); packet_send(); buffer_consume(&c->input, len); c->remote_window -= len; @@ -1787,7 +1791,11 @@ packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA); packet_put_int(c->remote_id); packet_put_int(SSH2_EXTENDED_DATA_STDERR); + /*if (strcmp(c->ctype, "session") == 0)*/ + if (c->ctype[0] == 's') packet_put_string(buffer_ptr(&c->extended), len); + else + packet_put_binary(buffer_ptr(&c->extended), len); packet_send(); buffer_consume(&c->extended, len); c->remote_window -= len; @@ -1823,7 +1831,11 @@ return; /* Get the data. */ + /*if (strcmp(c->ctype, "session") == 0)*/ + if (c->ctype[0] == 's') data = packet_get_string(&data_len); + else + data = packet_get_binary(&data_len); if (compat20) { if (data_len > c->local_maxpacket) { @@ -1875,7 +1887,11 @@ logit("channel %d: bad ext data", c->self); return; } + /*if (strcmp(c->ctype, "session") == 0)*/ + if (c->ctype[0] == 's') data = packet_get_string(&data_len); + else + data = packet_get_binary(&data_len); packet_check_eom(); if (data_len > c->local_window) { logit("channel %d: rcvd too much extended_data %d, win %d", diff -bur openssh-3.7.1p2.orig/clientloop.c openssh-3.7.1p2/clientloop.c --- openssh-3.7.1p2.orig/clientloop.c Thu Jul 3 05:46:56 2003 +++ openssh-3.7.1p2/clientloop.c Tue Oct 7 08:22:00 2003 
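Review bot: in the four channels.c hunks, "if (c->ctype[0] == 's')" stands in for the commented-out strcmp(c->ctype, "session"); matching a single character is fragile (any future type starting with 's' would be translated) and strcmp() costs nothing here, so keep it, ideally in one helper used by all four sites so they cannot drift apart. The bigger issue is that channel type is the wrong criterion: subsystems such as sftp run over a "session" channel too, so their binary protocol is pushed through the ASCII/EBCDIC conversion, which is a plausible cause of the sftp problems the cover mail refers to. Decide per channel instead, for instance a flag set when a pty/shell is requested and left clear for exec and subsystem requests, and consult that flag in these four places.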
@@ -562,7 +562,11 @@ quit_pending = 1; return -1; +#ifdef CHARSET_EBCDIC + case '\x3F': /* os_toebcdic[^Z] */ +#else case 'Z' - 64: +#endif /* Suspend the program. */ /* Print a message to that effect to the user. */ snprintf(string, sizeof string, "%c^Z [suspend ssh]\r\n", escape_char); diff -bur openssh-3.7.1p2.orig/contrib/solaris/opensshd.in openssh-3.7.1p2/contrib/solaris/opensshd.in --- openssh-3.7.1p2.orig/contrib/solaris/opensshd.in Thu Nov 14 00:50:07 2002 +++ openssh-3.7.1p2/contrib/solaris/opensshd.in Tue Oct 7 08:22:00 2003 @@ -51,7 +51,23 @@ checkkeys # Start SSHD - echo "starting $SSHD... \c" ; $SSHD + echo "starting $SSHD... \c" ; + JOBFILE="\$SYSROOT.TMP.ENTER.OPENSSH-POSIX.$$" + LOGFILE="\$SYSROOT.TMP.ENTER.OPENSSH-POSIX.LOG" + ftyp text + bs2cp - bs2:${JOBFILE} <<. +/.SSHLOGIN LOGON "SYSROOT",TIME=NTL,PRIORITY=(,EXPRESS) +/SYSFILE SYSOUT=${LOGFILE} +/START-POSIX-SHELL +# Use sh (even if SYSROOT has a different shell) +sh -c "$SSHD 2>&1 | tee /var/adm/opensshd_startup.log | cat" +exit +/SYSFILE SYSOUT=(PRIMARY) +/ERASE ${LOGFILE} +/STEP +/LOGOFF NOSPOOL +. + ${prefix}/sbin/start-sshd-as-sysroot "/ENTER-JOB FROM-FILE=${JOBFILE},DELETE=YES,USER-ID=SYSROOT,ACCOUNT=SYSACC,CPU-LIMIT=NO,START=IMMED" sshd_rc=$? if [ $sshd_rc -ne 0 ]; then diff -bur openssh-3.7.1p2.orig/defines.h openssh-3.7.1p2/defines.h --- openssh-3.7.1p2.orig/defines.h Tue Sep 16 03:52:19 2003 +++ openssh-3.7.1p2/defines.h Tue Oct 7 08:22:00 2003 
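Review bot: in the clientloop.c escape-handling hunk, "case '\x3F':" needs a comment that says what the value is: 0x3F is the EBCDIC SUB control, the byte an EBCDIC terminal delivers for ^Z, and it is hard-coded because 'Z' - 64 only yields ^Z in ASCII and the patch's CHR() table lookup cannot appear in a case label. "os_toebcdic[^Z]" tells the next reader none of that.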
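Review bot: the contrib/solaris/opensshd.in hunk edits the Solaris init script rather than adding a BS2000 one: after this change the Solaris script submits a BS2000 ENTER-JOB and calls a start-sshd-as-sysroot helper that is not part of this patch, so it no longer starts sshd on Solaris. Put this in its own contrib/bs2000 script. Note also that sshd_rc=$? now records the result of submitting the job, not of starting sshd, so the error branch below it will not fire when sshd itself fails to start.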
@@ -522,7 +522,13 @@ #if !defined(HAVE___func__) && defined(HAVE___FUNCTION__) # define __func__ __FUNCTION__ #elif !defined(HAVE___func__) -# define __func__ "" +# ifdef __STDC__ +# define __stringize_internal(a) #a +# define __stringize(a) __stringize_internal(a) +# define __func__ __FILE__ ## ":" ## __stringize(__LINE__) +# else +# define __func__ "openssh" +# endif #endif #if defined(KRB5) && !defined(HEIMDAL) diff -bur openssh-3.7.1p2.orig/dh.c openssh-3.7.1p2/dh.c --- openssh-3.7.1p2.orig/dh.c Wed May 14 05:40:07 2003 +++ openssh-3.7.1p2/dh.c Tue Oct 7 08:22:00 2003 @@ -210,7 +210,7 @@ if (!BN_rand(dh->priv_key, 2*need, 0, 0)) fatal("dh_gen_key: BN_rand failed"); if (DH_generate_key(dh) == 0) - fatal("DH_generate_key"); + fatal("dh_gen_key: DH_generate_key failed"); for (i = 0; i <= BN_num_bits(dh->priv_key); i++) if (BN_is_bit_set(dh->priv_key, i)) bits_set++; diff -bur openssh-3.7.1p2.orig/includes.h openssh-3.7.1p2/includes.h --- openssh-3.7.1p2.orig/includes.h Sun Jun 29 13:23:37 2003 +++ openssh-3.7.1p2/includes.h Tue Oct 7 08:22:00 2003 @@ -110,6 +110,9 @@ # include #endif #include /* For MAXPATHLEN and roundup() */ +#ifndef MAXHOSTNAMELEN +# define MAXHOSTNAMELEN 64 +#endif #ifdef HAVE_SYS_UN_H # include /* For sockaddr_un */ #endif @@ -135,10 +138,14 @@ #include /* for TIOCCBRK on HP-UX */ #endif +#if !defined(__MVS__) && !#system(bs2000) #include /* For typedefs */ #include /* For IPv6 macros */ #include /* For IPTOS macros */ #include +#else +#include /* For IPv6 macros */ +#endif #include #if defined(HAVE_NETDB_H) # include 
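Review bot: in the defines.h __func__ hunk, __FILE__ ## ":" ## __stringize(__LINE__) pastes string literals with ##, which is not a valid token paste (GCC rejects it with "pasting ... does not give a valid preprocessing token"); adjacent string literals concatenate on their own, so write __FILE__ ":" __stringize(__LINE__). Because the macro expands at each use, __LINE__ gives the line of the logging call rather than the function name, which is acceptable for the debug() and fatal() messages that use __func__ but worth stating in a comment.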
@@ -174,5 +181,32 @@ #include "openbsd-compat/bsd-nextstep.h" #include "entropy.h" + +#if 'Z' == '\xE9' /* This test is true for all EBCDIC character dialects */ +#define CHARSET_EBCDIC +#if #system(bs2000) +#include +/* # define IPTOS_THROUGHPUT 0x08 No: setsockopt IPTOS_THROUGHPUT: Option not supported by protocol */ +/* # define IPTOS_LOWDELAY 0x10 No: setsockopt IPTOS_LOWDELAY: Option not supported by protocol */ +#ifndef MAXHOSTNAMELEN +# ifdef NI_MAXHOST /*1025*/ +# define MAXHOSTNAMELEN NI_MAXHOST +# else +# define MAXHOSTNAMELEN 256 +# endif +#endif +#define __atoe(_str) _a2e(_str) +#define __etoa(_str) _e2a(_str) +#define __etoa_l(_str, _len) _e2a_n(_str, _len) +#define __atoe_l(_str, _len) _a2e_n(_str, _len) +#define ASC(ch) _e2a_tab[(unsigned char)ch] +#define CHR(ch) _a2e_tab[(unsigned char)ch] +#else /* _OSD_POSIX */ +#error Please define an appropriate CHR() / ASC() macro +#endif /* _OSD_POSIX */ +#else +#define ASC(ch) (ch) +#define CHR(ch) (ch) +#endif #endif /* INCLUDES_H */ diff -bur openssh-3.7.1p2.orig/kex.c openssh-3.7.1p2/kex.c --- openssh-3.7.1p2.orig/kex.c Tue Apr 1 13:44:37 2003 +++ openssh-3.7.1p2/kex.c Tue Oct 7 08:22:00 2003 @@ -456,7 +456,7 @@ int i, mode, ctos; for (i = 0; i < NKEYS; i++) - keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, shared_secret); + keys[i] = derive_key(kex, /*ASCII 'A'*/'\x41'+i, kex->we_need, hash, shared_secret); debug2("kex_derive_keys"); for (mode = 0; mode < MODE_MAX; mode++) { diff -bur openssh-3.7.1p2.orig/kexdh.c openssh-3.7.1p2/kexdh.c --- openssh-3.7.1p2.orig/kexdh.c Mon Feb 24 02:03:03 2003 +++ openssh-3.7.1p2/kexdh.c Tue Oct 7 08:22:00 2003 
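Review bot: in the includes.h @@ -174 hunk, the "#ifndef MAXHOSTNAMELEN" block inside "#if #system(bs2000)" is dead code: the earlier hunk in the same file (@@ -110) has already defined MAXHOSTNAMELEN as 64 unconditionally before this point is reached, so BS2000 ends up with 64 rather than NI_MAXHOST. Keep one of the two definitions (this one, if 64 is too small for the host names sshd logs), and fix the "/* _OSD_POSIX */" comments on the #else and #endif, which do not match the #system(bs2000) condition they close.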
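Review bot: in the kex.c kex_derive_keys() hunk, '\x41'+i with its comment is correct (the key-derivation letters A..F are defined by their ASCII values), but the patch's own helper expresses the intent better: ASC('A') + i is the identity on ASCII hosts and a table lookup on EBCDIC ones, and it reads as "the ASCII value of A" without a comment. The same applies to any other place where a character literal reaches the wire or a hash.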
@@ -60,7 +60,7 @@ buffer_put_char(&b, SSH2_MSG_KEXINIT); buffer_append(&b, skexinit, skexinitlen); - buffer_put_string(&b, serverhostkeyblob, sbloblen); + buffer_put_binary(&b, serverhostkeyblob, sbloblen); buffer_put_bignum2(&b, client_dh_pub); buffer_put_bignum2(&b, server_dh_pub); buffer_put_bignum2(&b, shared_secret); diff -bur openssh-3.7.1p2.orig/kexdhc.c openssh-3.7.1p2/kexdhc.c --- openssh-3.7.1p2.orig/kexdhc.c Mon Feb 24 02:06:32 2003 +++ openssh-3.7.1p2/kexdhc.c Tue Oct 7 08:22:00 2003 @@ -62,7 +62,7 @@ packet_read_expect(SSH2_MSG_KEXDH_REPLY); /* key, cert */ - server_host_key_blob = packet_get_string(&sbloblen); + server_host_key_blob = packet_get_binary(&sbloblen); server_host_key = key_from_blob(server_host_key_blob, sbloblen); if (server_host_key == NULL) fatal("cannot decode server_host_key_blob"); @@ -86,7 +86,7 @@ #endif /* signed H */ - signature = packet_get_string(&slen); + signature = packet_get_binary(&slen); packet_check_eom(); if (!dh_pub_is_valid(dh, dh_server_pub)) diff -bur openssh-3.7.1p2.orig/kexdhs.c openssh-3.7.1p2/kexdhs.c --- openssh-3.7.1p2.orig/kexdhs.c Mon Feb 24 02:06:32 2003 +++ openssh-3.7.1p2/kexdhs.c Tue Oct 7 08:22:00 2003 @@ -122,9 +122,9 @@ /* send server hostkey, DH pubkey 'f' and singed H */ packet_start(SSH2_MSG_KEXDH_REPLY); - packet_put_string(server_host_key_blob, sbloblen); + packet_put_binary(server_host_key_blob, sbloblen); packet_put_bignum2(dh->pub_key); /* f */ - packet_put_string(signature, slen); + packet_put_binary(signature, slen); packet_send(); xfree(signature); diff -bur openssh-3.7.1p2.orig/kexgex.c openssh-3.7.1p2/kexgex.c --- openssh-3.7.1p2.orig/kexgex.c Mon Feb 24 02:03:03 2003 +++ openssh-3.7.1p2/kexgex.c Tue Oct 7 08:22:01 2003 
@@ -62,7 +62,7 @@ buffer_put_char(&b, SSH2_MSG_KEXINIT); buffer_append(&b, skexinit, skexinitlen); - buffer_put_string(&b, serverhostkeyblob, sbloblen); + buffer_put_binary(&b, serverhostkeyblob, sbloblen); if (min == -1 || max == -1) buffer_put_int(&b, wantbits); else { diff -bur openssh-3.7.1p2.orig/kexgexc.c openssh-3.7.1p2/kexgexc.c --- openssh-3.7.1p2.orig/kexgexc.c Mon Feb 24 02:06:32 2003 +++ openssh-3.7.1p2/kexgexc.c Tue Oct 7 08:22:01 2003 @@ -108,7 +108,7 @@ packet_read_expect(SSH2_MSG_KEX_DH_GEX_REPLY); /* key, cert */ - server_host_key_blob = packet_get_string(&sbloblen); + server_host_key_blob = packet_get_binary(&sbloblen); server_host_key = key_from_blob(server_host_key_blob, sbloblen); if (server_host_key == NULL) fatal("cannot decode server_host_key_blob"); @@ -132,7 +132,7 @@ #endif /* signed H */ - signature = packet_get_string(&slen); + signature = packet_get_binary(&slen); packet_check_eom(); if (!dh_pub_is_valid(dh, dh_server_pub)) diff -bur openssh-3.7.1p2.orig/kexgexs.c openssh-3.7.1p2/kexgexs.c --- openssh-3.7.1p2.orig/kexgexs.c Mon Feb 24 02:06:32 2003 +++ openssh-3.7.1p2/kexgexs.c Tue Oct 7 08:22:01 2003 @@ -169,9 +169,9 @@ /* send server hostkey, DH pubkey 'f' and singed H */ debug("SSH2_MSG_KEX_DH_GEX_REPLY sent"); packet_start(SSH2_MSG_KEX_DH_GEX_REPLY); - packet_put_string(server_host_key_blob, sbloblen); + packet_put_binary(server_host_key_blob, sbloblen); packet_put_bignum2(dh->pub_key); /* f */ - packet_put_string(signature, slen); + packet_put_binary(signature, slen); packet_send(); xfree(signature); diff -bur openssh-3.7.1p2.orig/loginrec.c openssh-3.7.1p2/loginrec.c --- openssh-3.7.1p2.orig/loginrec.c Sun Jul 6 07:20:46 2003 +++ openssh-3.7.1p2/loginrec.c Tue Oct 7 08:22:01 2003 
@@ -168,6 +168,16 @@ # include #endif +#if #system(bs2000) && !defined(_LASTLOG_H) +/* Define the structure from the missing in OSD/POSIX */ +#define _LASTLOG_H +struct lastlog { + time_t ll_time; + char ll_line[16]; + char ll_host[16]; /* same layout as in utmp */ +}; +#endif + /** ** prototypes for helper functions in this file **/ diff -bur openssh-3.7.1p2.orig/misc.c openssh-3.7.1p2/misc.c --- openssh-3.7.1p2.orig/misc.c Tue Sep 23 10:59:08 2003 +++ openssh-3.7.1p2/misc.c Tue Oct 7 08:22:01 2003 @@ -148,6 +148,11 @@ memset(copy, 0, sizeof(*copy)); copy->pw_name = xstrdup(pw->pw_name); +#if #system(bs2000) + /* Convert the UPPERCASE USER into all lowercase to ease connectivity with unix. */ + /* IMO that is legitimate, as BS2000's user names are case insensitive */ + strlower(copy->pw_name, NULL); +#endif copy->pw_passwd = xstrdup(pw->pw_passwd); copy->pw_gecos = xstrdup(pw->pw_gecos); copy->pw_uid = pw->pw_uid; diff -bur openssh-3.7.1p2.orig/monitor.c openssh-3.7.1p2/monitor.c --- openssh-3.7.1p2.orig/monitor.c Tue Sep 2 23:32:46 2003 +++ openssh-3.7.1p2/monitor.c Tue Oct 7 08:22:01 2003 @@ -507,7 +507,7 @@ debug3("%s", __func__); keyid = buffer_get_int(m); - p = buffer_get_string(m, &datlen); + p = buffer_get_binary(m, &datlen); if (datlen != 20) fatal("%s: data length incorrect: %u", __func__, datlen); @@ -527,7 +527,7 @@ debug3("%s: signature %p(%u)", __func__, signature, siglen); buffer_clear(m); - buffer_put_string(m, signature, siglen); + buffer_put_binary(m, signature, siglen); xfree(p); xfree(signature); @@ -574,7 +574,7 @@ authctxt->valid = 1; buffer_put_char(m, 1); - buffer_put_string(m, pwent, sizeof(struct passwd)); + buffer_put_binary(m, pwent, sizeof(struct passwd)); buffer_put_cstring(m, pwent->pw_name); buffer_put_cstring(m, "*"); buffer_put_cstring(m, pwent->pw_gecos); 
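Review bot: in the misc.c pwcopy() hunk, lowercasing pw_name in the copy leaves sshd working with two spellings of the same account: allowed_user() in getpwnamallow(), with its AllowUsers/DenyUsers patterns, runs on the struct returned by getpwnam() before the copy is made and so sees the uppercase name, while everything after the copy, including %u expansion and the names written to logs and utmp, sees the lowercase one. Either normalise once, in getpwnamallow() before any checks, or document that AllowUsers/DenyUsers patterns on BS2000 must be written in uppercase.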
@@ -937,7 +937,7 @@ type = buffer_get_int(m); cuser = buffer_get_string(m, NULL); chost = buffer_get_string(m, NULL); - blob = buffer_get_string(m, &bloblen); + blob = buffer_get_binary(m, &bloblen); key = key_from_blob(blob, bloblen); @@ -1021,7 +1021,7 @@ fail++; buffer_consume(&b, session_id2_len); } else { - p = buffer_get_string(&b, &len); + p = buffer_get_binary(&b, &len); if ((session_id2 == NULL) || (len != session_id2_len) || (memcmp(p, session_id2, session_id2_len) != 0)) @@ -1069,7 +1069,7 @@ buffer_init(&b); buffer_append(&b, data, datalen); - p = buffer_get_string(&b, &len); + p = buffer_get_binary(&b, &len); if ((session_id2 == NULL) || (len != session_id2_len) || (memcmp(p, session_id2, session_id2_len) != 0)) @@ -1122,9 +1122,9 @@ int verified = 0; int valid_data = 0; - blob = buffer_get_string(m, &bloblen); - signature = buffer_get_string(m, &signaturelen); - data = buffer_get_string(m, &datalen); + blob = buffer_get_binary(m, &bloblen); + signature = buffer_get_binary(m, &signaturelen); + data = buffer_get_binary(m, &datalen); if (hostbased_cuser == NULL || hostbased_chost == NULL || !monitor_allowed_key(blob, bloblen)) @@ -1361,7 +1361,7 @@ key->type = KEY_RSA; /* cheat for key_to_blob */ if (key_to_blob(key, &blob, &blen) == 0) fatal("%s: key_to_blob failed", __func__); - buffer_put_string(m, blob, blen); + buffer_put_binary(m, blob, blen); /* Save temporarily for comparison in verify */ key_blob = blob; @@ -1391,7 +1391,7 @@ if (!authctxt->valid) fatal("%s: authctxt not valid", __func__); - blob = buffer_get_string(m, &blen); + blob = buffer_get_binary(m, &blen); if (!monitor_allowed_key(blob, blen)) fatal("%s: bad key, not previously allowed", __func__); if (key_blobtype != MM_RSAUSERKEY && key_blobtype != MM_RSAHOSTKEY) 
@@ -1431,14 +1431,14 @@ if (ssh1_challenge == NULL) fatal("%s: no ssh1_challenge", __func__); - blob = buffer_get_string(m, &blen); + blob = buffer_get_binary(m, &blen); if (!monitor_allowed_key(blob, blen)) fatal("%s: bad key, not previously allowed", __func__); if (key_blobtype != MM_RSAUSERKEY && key_blobtype != MM_RSAHOSTKEY) fatal("%s: key type mismatch: %d", __func__, key_blobtype); if ((key = key_from_blob(blob, blen)) == NULL) fatal("%s: received bad key", __func__); - response = buffer_get_string(m, &len); + response = buffer_get_binary(m, &len); if (len != 16) fatal("%s: received bad response to challenge", __func__); success = auth_rsa_verify_response(key, ssh1_challenge, response); @@ -1550,11 +1550,11 @@ kex->server = 1; kex->hostkey_type = buffer_get_int(m); kex->kex_type = buffer_get_int(m); - blob = buffer_get_string(m, &bloblen); + blob = buffer_get_binary(m, &bloblen); buffer_init(&kex->my); buffer_append(&kex->my, blob, bloblen); xfree(blob); - blob = buffer_get_string(m, &bloblen); + blob = buffer_get_binary(m, &bloblen); buffer_init(&kex->peer); buffer_append(&kex->peer, blob, bloblen); xfree(blob); 
@@ -1586,23 +1586,23 @@ if (!compat20) { child_state.ssh1protoflags = buffer_get_int(&m); child_state.ssh1cipher = buffer_get_int(&m); - child_state.ssh1key = buffer_get_string(&m, + child_state.ssh1key = buffer_get_binary(&m, &child_state.ssh1keylen); - child_state.ivout = buffer_get_string(&m, + child_state.ivout = buffer_get_binary(&m, &child_state.ivoutlen); - child_state.ivin = buffer_get_string(&m, &child_state.ivinlen); + child_state.ivin = buffer_get_binary(&m, &child_state.ivinlen); goto skip; } else { /* Get the Kex for rekeying */ *pmonitor->m_pkex = mm_get_kex(&m); } - blob = buffer_get_string(&m, &bloblen); + blob = buffer_get_binary(&m, &bloblen); current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen); xfree(blob); debug3("%s: Waiting for second key", __func__); - blob = buffer_get_string(&m, &bloblen); + blob = buffer_get_binary(&m, &bloblen); current_keys[MODE_IN] = mm_newkeys_from_blob(blob, bloblen); xfree(blob); @@ -1618,18 +1618,18 @@ skip: /* Get the key context */ - child_state.keyout = buffer_get_string(&m, &child_state.keyoutlen); - child_state.keyin = buffer_get_string(&m, &child_state.keyinlen); + child_state.keyout = buffer_get_binary(&m, &child_state.keyoutlen); + child_state.keyin = buffer_get_binary(&m, &child_state.keyinlen); debug3("%s: Getting compression state", __func__); /* Get compression state */ - p = buffer_get_string(&m, &plen); + p = buffer_get_binary(&m, &plen); if (plen != sizeof(child_state.outgoing)) fatal("%s: bad request size", __func__); memcpy(&child_state.outgoing, p, sizeof(child_state.outgoing)); xfree(p); - p = buffer_get_string(&m, &plen); + p = buffer_get_binary(&m, &plen); if (plen != sizeof(child_state.incoming)) fatal("%s: bad request size", __func__); memcpy(&child_state.incoming, p, sizeof(child_state.incoming)); 
@@ -1637,8 +1637,8 @@ /* Network I/O buffers */ debug3("%s: Getting Network I/O buffers", __func__); - child_state.input = buffer_get_string(&m, &child_state.ilen); - child_state.output = buffer_get_string(&m, &child_state.olen); + child_state.input = buffer_get_binary(&m, &child_state.ilen); + child_state.output = buffer_get_binary(&m, &child_state.olen); buffer_free(&m); } @@ -1699,6 +1699,10 @@ } #define MM_MEMSIZE 65536 +#if #system(bs2000) +#undef MM_MEMSIZE +#define MM_MEMSIZE 16384 /* 16 kB */ +#endif struct monitor * monitor_init(void) diff -bur openssh-3.7.1p2.orig/monitor_wrap.c openssh-3.7.1p2/monitor_wrap.c --- openssh-3.7.1p2.orig/monitor_wrap.c Tue Sep 2 14:51:17 2003 +++ openssh-3.7.1p2/monitor_wrap.c Tue Oct 7 08:22:01 2003 @@ -165,13 +165,13 @@ buffer_init(&m); buffer_put_int(&m, kex->host_key_index(key)); - buffer_put_string(&m, data, datalen); + buffer_put_binary(&m, data, datalen); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SIGN, &m); debug3("%s: waiting for MONITOR_ANS_SIGN", __func__); mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SIGN, &m); - *sigp = buffer_get_string(&m, lenp); + *sigp = buffer_get_binary(&m, lenp); buffer_free(&m); return (0); @@ -198,7 +198,7 @@ buffer_free(&m); return (NULL); } - pw = buffer_get_string(&m, &pwlen); + pw = buffer_get_binary(&m, &pwlen); if (pwlen != sizeof(struct passwd)) fatal("%s: struct passwd size mismatch", __func__); pw->pw_name = buffer_get_string(&m, NULL); @@ -331,7 +331,7 @@ buffer_put_int(&m, type); buffer_put_cstring(&m, user ? user : ""); buffer_put_cstring(&m, host ? host : ""); - buffer_put_string(&m, blob, len); + buffer_put_binary(&m, blob, len); xfree(blob); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m); 
@@ -375,9 +375,9 @@ return (0); buffer_init(&m); - buffer_put_string(&m, blob, len); - buffer_put_string(&m, sig, siglen); - buffer_put_string(&m, data, datalen); + buffer_put_binary(&m, blob, len); + buffer_put_binary(&m, sig, siglen); + buffer_put_binary(&m, data, datalen); xfree(blob); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m); @@ -420,8 +420,8 @@ buffer_get(&b, &enc->cipher, sizeof(enc->cipher)); enc->enabled = buffer_get_int(&b); enc->block_size = buffer_get_int(&b); - enc->key = buffer_get_string(&b, &enc->key_len); - enc->iv = buffer_get_string(&b, &len); + enc->key = buffer_get_binary(&b, &enc->key_len); + enc->iv = buffer_get_binary(&b, &len); if (len != enc->block_size) fatal("%s: bad ivlen: expected %u != %u", __func__, enc->block_size, len); @@ -435,7 +435,7 @@ if (mac->name == NULL || mac_init(mac, mac->name) == -1) fatal("%s: can not init mac %s", __func__, mac->name); mac->enabled = buffer_get_int(&b); - mac->key = buffer_get_string(&b, &len); + mac->key = buffer_get_binary(&b, &len); if (len > mac->key_len) fatal("%s: bad mac key length: %u > %d", __func__, len, mac->key_len); @@ -480,14 +480,14 @@ buffer_append(&b, &enc->cipher, sizeof(enc->cipher)); buffer_put_int(&b, enc->enabled); buffer_put_int(&b, enc->block_size); - buffer_put_string(&b, enc->key, enc->key_len); + buffer_put_binary(&b, enc->key, enc->key_len); packet_get_keyiv(mode, enc->iv, enc->block_size); - buffer_put_string(&b, enc->iv, enc->block_size); + buffer_put_binary(&b, enc->iv, enc->block_size); /* Mac structure */ buffer_put_cstring(&b, mac->name); buffer_put_int(&b, mac->enabled); - buffer_put_string(&b, mac->key, mac->key_len); + buffer_put_binary(&b, mac->key, mac->key_len); /* Comp structure */ buffer_put_int(&b, comp->type); 
@@ -544,16 +544,16 @@ keylen = packet_get_encryption_key(NULL); key = xmalloc(keylen+1); /* add 1 if keylen == 0 */ keylen = packet_get_encryption_key(key); - buffer_put_string(&m, key, keylen); + buffer_put_binary(&m, key, keylen); memset(key, 0, keylen); xfree(key); ivlen = packet_get_keyiv_len(MODE_OUT); packet_get_keyiv(MODE_OUT, iv, ivlen); - buffer_put_string(&m, iv, ivlen); + buffer_put_binary(&m, iv, ivlen); ivlen = packet_get_keyiv_len(MODE_OUT); packet_get_keyiv(MODE_IN, iv, ivlen); - buffer_put_string(&m, iv, ivlen); + buffer_put_binary(&m, iv, ivlen); goto skip; } else { /* Kex for rekeying */ @@ -567,13 +567,13 @@ if (!mm_newkeys_to_blob(MODE_OUT, &blob, &bloblen)) fatal("%s: conversion of newkeys failed", __func__); - buffer_put_string(&m, blob, bloblen); + buffer_put_binary(&m, blob, bloblen); xfree(blob); if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen)) fatal("%s: conversion of newkeys failed", __func__); - buffer_put_string(&m, blob, bloblen); + buffer_put_binary(&m, blob, bloblen); xfree(blob); packet_get_state(MODE_OUT, &seqnr, &blocks, &packets); 
@@ -591,23 +591,23 @@ plen = packet_get_keycontext(MODE_OUT, NULL); p = xmalloc(plen+1); packet_get_keycontext(MODE_OUT, p); - buffer_put_string(&m, p, plen); + buffer_put_binary(&m, p, plen); xfree(p); plen = packet_get_keycontext(MODE_IN, NULL); p = xmalloc(plen+1); packet_get_keycontext(MODE_IN, p); - buffer_put_string(&m, p, plen); + buffer_put_binary(&m, p, plen); xfree(p); /* Compression state */ debug3("%s: Sending compression state", __func__); - buffer_put_string(&m, &outgoing_stream, sizeof(outgoing_stream)); - buffer_put_string(&m, &incoming_stream, sizeof(incoming_stream)); + buffer_put_binary(&m, &outgoing_stream, sizeof(outgoing_stream)); + buffer_put_binary(&m, &incoming_stream, sizeof(incoming_stream)); /* Network I/O buffers */ - buffer_put_string(&m, buffer_ptr(&input), buffer_len(&input)); - buffer_put_string(&m, buffer_ptr(&output), buffer_len(&output)); + buffer_put_binary(&m, buffer_ptr(&input), buffer_len(&input)); + buffer_put_binary(&m, buffer_ptr(&output), buffer_len(&output)); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYEXPORT, &m); debug3("%s: Finished sending state", __func__); @@ -999,7 +999,7 @@ forced_command = have_forced ? xstrdup("true") : NULL; if (allowed && rkey != NULL) { - blob = buffer_get_string(&m, &blen); + blob = buffer_get_binary(&m, &blen); if ((key = key_from_blob(blob, blen)) == NULL) fatal("%s: key_from_blob failed", __func__); *rkey = key; @@ -1030,7 +1030,7 @@ key->type = KEY_RSA1; buffer_init(&m); - buffer_put_string(&m, blob, blen); + buffer_put_binary(&m, blob, blen); xfree(blob); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSACHALLENGE, &m); 
@@ -1058,8 +1058,8 @@ key->type = KEY_RSA1; buffer_init(&m); - buffer_put_string(&m, blob, blen); - buffer_put_string(&m, response, 16); + buffer_put_binary(&m, blob, blen); + buffer_put_binary(&m, response, 16); xfree(blob); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSARESPONSE, &m); diff -bur openssh-3.7.1p2.orig/openbsd-compat/mktemp.c openssh-3.7.1p2/openbsd-compat/mktemp.c --- openssh-3.7.1p2.orig/openbsd-compat/mktemp.c Tue Jun 3 04:12:51 2003 +++ openssh-3.7.1p2/openbsd-compat/mktemp.c Tue Oct 7 08:22:01 2003 @@ -106,10 +106,26 @@ char c; pid = (arc4random() & 0xffff) % (26+26); +#if 'Z' == '\xE9' /* CHARSET_EBCDIC */ + /* EBCDIC problem: A-I J-R S-Z are contiguous, but there's a gap between the three subranges: +00c0 c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf .ABCDEFGHI...... +00d0 d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df .JKLMNOPQR...... +00e0 e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef ..STUVWXYZ...... +*/ + if (pid < 26) + c = pid + 'A' + + (pid >= ('I'-'A'+1))*('J'-'I'-1) /* add 7 for >= 'J' */ + + (pid >= ('I'-'A'+1+'R'-'J'+1))*('S'-'R'-1); /* add another 8 for >= 'S' */ + else + c = (pid - 26) + 'a' + + ((pid - 26) >= ('i'-'a'+1))*('j'-'i'-1) + + ((pid - 26) >= ('i'-'a'+1+'r'-'j'+1))*('s'-'r'-1); +#else if (pid < 26) c = pid + 'A'; else c = (pid - 26) + 'a'; +#endif *trv-- = c; } start = trv + 1; 
@@ -165,6 +181,16 @@ *trv = 'a'; else if (*trv == 'z') /* inc from z to A */ *trv = 'A'; +#if 'Z' == '\xE9' /* CHARSET_EBCDIC */ + /* EBCDIC problem: A-I J-R S-Z are contiguous, + * but there's a gap between the three subranges. + * (similar to the ASCII 'Z'..'a' gap) + */ + else if (*trv == 'I' || *trv == 'i') + *trv += ('J'-'I'); /* advance to 'j' (or 'J') */ + else if (*trv == 'R' || *trv == 'r') + *trv += ('S'-'R'); /* advance to 's' (or 'S') */ +#endif else { if (trv == suffp) return (0); diff -bur openssh-3.7.1p2.orig/openbsd-compat/vis.c openssh-3.7.1p2/openbsd-compat/vis.c --- openssh-3.7.1p2.orig/openbsd-compat/vis.c Fri Aug 29 18:59:52 2003 +++ openssh-3.7.1p2/openbsd-compat/vis.c Tue Oct 7 08:22:01 2003 @@ -38,6 +38,10 @@ #include "vis.h" +#if 'Z' == '\xE9' /* This test is true for all EBCDIC character dialects */ +#include "includes.h" +#endif + #define isoctal(c) (((u_char)(c)) >= '0' && ((u_char)(c)) <= '7') #define isvisible(c) (((u_int)(c) <= UCHAR_MAX && isascii((u_char)(c)) && \ isgraph((u_char)(c))) || \ @@ -109,7 +113,7 @@ goto done; } } - if (((c & 0177) == ' ') || (flag & VIS_OCTAL)) { + if (((ASC(c) & 0177) == ASC(' ')) || (flag & VIS_OCTAL)) { *dst++ = '\\'; *dst++ = ((u_char)c >> 6 & 07) + '0'; *dst++ = ((u_char)c >> 3 & 07) + '0'; @@ -118,16 +122,20 @@ } if ((flag & VIS_NOSLASH) == 0) *dst++ = '\\'; - if (c & 0200) { + if (ASC(c) & 0200) { +#ifdef CHARSET_EBCDIC + c = CHR(ASC(c) & 0177); +#else c &= 0177; +#endif *dst++ = 'M'; } if (iscntrl(c)) { *dst++ = '^'; - if (c == 0177) + if (ASC(c) == 0177) *dst++ = '?'; else - *dst++ = c + '@'; + *dst++ = CHR(ASC(c) + ASC('@')); } else { *dst++ = '-'; *dst++ = c; diff -bur openssh-3.7.1p2.orig/packet.c openssh-3.7.1p2/packet.c --- openssh-3.7.1p2.orig/packet.c Tue Sep 23 11:00:41 2003 +++ openssh-3.7.1p2/packet.c Tue Oct 7 08:22:01 2003 
@@ -473,6 +473,18 @@ { buffer_put_int(&outgoing_packet, value); } +#ifdef CHARSET_EBCDIC +void +packet_put_binary(const void *buf, u_int len) +{ + buffer_put_binary(&outgoing_packet, buf, len); +} +void * +packet_get_binary(u_int *length_ptr) +{ + return buffer_get_binary(&incoming_packet, length_ptr); +} +#endif void packet_put_string(const void *buf, u_int len) { @@ -1417,8 +1429,12 @@ return; if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, &tos, sizeof(tos)) < 0) +#if !#system(bs2000) error("setsockopt IP_TOS %d: %.100s:", tos, strerror(errno)); +#else + ; /* ignore the error -- no Type Of Service support on BS2000 yet */ +#endif } #endif diff -bur openssh-3.7.1p2.orig/packet.h openssh-3.7.1p2/packet.h --- openssh-3.7.1p2.orig/packet.h Sat Jun 28 04:38:02 2003 +++ openssh-3.7.1p2/packet.h Tue Oct 7 08:22:01 2003 @@ -31,6 +31,13 @@ void packet_set_interactive(int); int packet_is_interactive(void); +#ifdef CHARSET_EBCDIC +void packet_put_binary(const void *buf, u_int len); +void *packet_get_binary(u_int *length_ptr); +#else +#define packet_put_binary(_buf,_len) packet_put_string(_buf,_len) +#define packet_get_binary(_lenp) packet_get_string(_lenp) +#endif void packet_start(u_char); void packet_put_char(int ch); void packet_put_int(u_int value); diff -bur openssh-3.7.1p2.orig/scp.c openssh-3.7.1p2/scp.c --- openssh-3.7.1p2.orig/scp.c Fri Aug 22 01:34:41 2003 +++ openssh-3.7.1p2/scp.c Tue Oct 7 08:22:02 2003 @@ -201,6 +201,9 @@ uid_t userid; int errs, remin, remout; int pflag, iamremote, iamrecursive, targetshouldbedirectory; +#ifdef CHARSET_EBCDIC +int binary=0; +#endif #define CMDNEEDS 64 char cmd[CMDNEEDS]; /* must hold "rcp -r -p -d\0" */ 
@@ -231,7 +234,11 @@ addargs(&args, "-oClearAllForwardings yes"); fflag = tflag = 0; - while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q1246S:o:F:")) != -1) + while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q1246S:o:F:" +#ifdef CHARSET_EBCDIC + "b" /* binary */ +#endif + )) != -1) switch (ch) { /* User-visible flags. */ case '1': @@ -275,6 +282,11 @@ case 'q': showprogress = 0; break; +#ifdef CHARSET_EBCDIC + case 'b': + binary = 1; + break; +#endif /* Server options. */ case 'd': @@ -579,6 +591,13 @@ if (result != amt) haderr = result >= 0 ? EIO : errno; } +#ifdef CHARSET_EBCDIC + if (binary) { + /* Convert to EBCDIC */ + /* ssh will convert back to ASCII */ + __atoe_l(bp->buf,amt); + } +#endif if (haderr) (void) atomicio(vwrite, remout, bp->buf, amt); else { @@ -908,7 +927,13 @@ if (limitbw) bwlimit(4096); - +#ifdef CHARSET_EBCDIC + if (binary) { + /* Convert back to ASCII */ + /* ssh has converted to EBCDIC */ + __etoa_l(bp->buf,count); + } +#endif if (count == bp->cnt) { /* Keep reading so we stay sync'd up. */ if (wrerr == NO) { @@ -1072,7 +1097,7 @@ cp = cp0; do { c = (int)*cp; - if (c & 0200) + if (ASC(c) & 0200) goto bad; if (!isalpha(c) && !isdigit(c)) { switch (c) { diff -bur openssh-3.7.1p2.orig/serverloop.c openssh-3.7.1p2/serverloop.c --- openssh-3.7.1p2.orig/serverloop.c Sat Jun 28 04:38:02 2003 +++ openssh-3.7.1p2/serverloop.c Tue Oct 7 08:22:02 2003 @@ -926,9 +926,9 @@ ctype, rchan, rwindow, rmaxpack); if (strcmp(ctype, "session") == 0) { - c = server_request_session(ctype); + c = server_request_session("session"); } else if (strcmp(ctype, "direct-tcpip") == 0) { - c = server_request_direct_tcpip(ctype); + c = server_request_direct_tcpip("direct-tcpip"); } if (c != NULL) { debug("server_input_channel_open: confirm %s", ctype); diff -bur openssh-3.7.1p2.orig/session.c openssh-3.7.1p2/session.c --- openssh-3.7.1p2.orig/session.c Tue Sep 23 10:59:08 2003 +++ openssh-3.7.1p2/session.c Tue Oct 7 08:22:02 2003 
@@ -404,7 +404,22 @@ #endif /* USE_PAM */ /* Fork the child. */ +#if #system(bs2000) + { + char *upper; + /* BS2000(PSD/POSIX) ufork needs the user name in UPPER case */ + upper = xstrdup(s->pw->pw_name); + strupper(upper, NULL); + if ((pid = ufork(upper)) == -1 && errno == EPERM) { + log("Hint: Is the POSIX-RLOGIN-DEFAULT set for user %s ?", + s->pw->pw_name); + } + free(upper); + } + if (pid == 0) { +#else if ((pid = fork()) == 0) { +#endif fatal_remove_all_cleanups(); /* Child. Reinitialize the log since the pid has changed. */ @@ -530,7 +545,22 @@ #endif /* Fork the child. */ +#if #system(bs2000) + { + char *upper; + /* BS2000(PSD/POSIX) ufork needs the user name in UPPER case */ + upper = xstrdup(s->pw->pw_name); + strupper(upper, NULL); + if ((pid = ufork(upper)) == -1 && errno == EPERM) { + log("Hint: Is the POSIX-RLOGIN-DEFAULT set for user %s ?", + s->pw->pw_name); + } + free(upper); + } + if (pid == 0) { +#else if ((pid = fork()) == 0) { +#endif fatal_remove_all_cleanups(); /* Child. Reinitialize the log because the pid has changed. */ diff -bur openssh-3.7.1p2.orig/ssh-agent.c openssh-3.7.1p2/ssh-agent.c --- openssh-3.7.1p2.orig/ssh-agent.c Tue Sep 23 10:59:08 2003 +++ openssh-3.7.1p2/ssh-agent.c Tue Oct 7 08:22:02 2003 @@ -210,7 +210,7 @@ u_char *blob; u_int blen; key_to_blob(id->key, &blob, &blen); - buffer_put_string(&msg, blob, blen); + buffer_put_binary(&msg, blob, blen); xfree(blob); } buffer_put_cstring(&msg, id->comment); @@ -302,8 +302,8 @@ datafellows = 0; - blob = buffer_get_string(&e->request, &blen); - data = buffer_get_string(&e->request, &dlen); + blob = buffer_get_binary(&e->request, &blen); + data = buffer_get_binary(&e->request, &dlen); flags = buffer_get_int(&e->request); if (flags & SSH_AGENT_OLD_SIGNATURE) 
@@ -319,7 +319,7 @@ buffer_init(&msg); if (ok == 0) { buffer_put_char(&msg, SSH2_AGENT_SIGN_RESPONSE); - buffer_put_string(&msg, signature, slen); + buffer_put_binary(&msg, signature, slen); } else { buffer_put_char(&msg, SSH_AGENT_FAILURE); } @@ -354,7 +354,7 @@ key_size(key), bits); break; case 2: - blob = buffer_get_string(&e->request, &blen); + blob = buffer_get_binary(&e->request, &blen); key = key_from_blob(blob, blen); xfree(blob); break; diff -bur openssh-3.7.1p2.orig/ssh-dss.c openssh-3.7.1p2/ssh-dss.c --- openssh-3.7.1p2.orig/ssh-dss.c Mon Feb 24 02:01:41 2003 +++ openssh-3.7.1p2/ssh-dss.c Tue Oct 7 08:22:02 2003 @@ -88,7 +88,7 @@ /* ietf-drafts */ buffer_init(&b); buffer_put_cstring(&b, "ssh-dss"); - buffer_put_string(&b, sigblob, SIGBLOB_LEN); + buffer_put_binary(&b, sigblob, SIGBLOB_LEN); len = buffer_len(&b); if (lenp != NULL) *lenp = len; @@ -134,7 +134,7 @@ return -1; } xfree(ktype); - sigblob = buffer_get_string(&b, &len); + sigblob = buffer_get_binary(&b, &len); rlen = buffer_len(&b); buffer_free(&b); if (rlen != 0) { diff -bur openssh-3.7.1p2.orig/ssh-keysign.c openssh-3.7.1p2/ssh-keysign.c --- openssh-3.7.1p2.orig/ssh-keysign.c Thu Jul 3 12:37:47 2003 +++ openssh-3.7.1p2/ssh-keysign.c Tue Oct 7 08:22:02 2003 @@ -68,7 +68,7 @@ buffer_append(&b, data, datalen); /* session id, currently limited to SHA1 (20 bytes) */ - p = buffer_get_string(&b, &len); + p = buffer_get_binary(&b, &len); if (len != 20) fail++; xfree(p); @@ -93,7 +93,7 @@ /* pubkey */ pkalg = buffer_get_string(&b, NULL); - pkblob = buffer_get_string(&b, &blen); + pkblob = buffer_get_binary(&b, &blen); pktype = key_type_from_name(pkalg); if (pktype == KEY_UNSPEC) @@ -210,7 +210,7 @@ if ((host = get_local_name(fd)) == NULL) fatal("cannot get sockname for fd"); - data = buffer_get_string(&b, &dlen); + data = buffer_get_binary(&b, &dlen); if (valid_request(pw, host, &key, data, dlen) < 0) fatal("not a valid request"); xfree(host); 
@@ -232,7 +232,7 @@ /* send reply */ buffer_clear(&b); - buffer_put_string(&b, signature, slen); + buffer_put_binary(&b, signature, slen); ssh_msg_send(STDOUT_FILENO, version, &b); return (0); diff -bur openssh-3.7.1p2.orig/ssh-rsa.c openssh-3.7.1p2/ssh-rsa.c --- openssh-3.7.1p2.orig/ssh-rsa.c Sun Jun 22 12:45:15 2003 +++ openssh-3.7.1p2/ssh-rsa.c Tue Oct 7 08:22:02 2003 @@ -80,7 +80,7 @@ /* encode signature */ buffer_init(&b); buffer_put_cstring(&b, "ssh-rsa"); - buffer_put_string(&b, sig, slen); + buffer_put_binary(&b, sig, slen); len = buffer_len(&b); if (lenp != NULL) *lenp = len; @@ -126,7 +126,7 @@ return -1; } xfree(ktype); - sigblob = buffer_get_string(&b, &len); + sigblob = buffer_get_binary(&b, &len); rlen = buffer_len(&b); buffer_free(&b); if (rlen != 0) { diff -bur openssh-3.7.1p2.orig/sshconnect.c openssh-3.7.1p2/sshconnect.c --- openssh-3.7.1p2.orig/sshconnect.c Tue Sep 23 10:49:29 2003 +++ openssh-3.7.1p2/sshconnect.c Tue Oct 7 08:22:02 2003 @@ -451,17 +451,20 @@ fatal("ssh_exchange_identification: read: %.100s", strerror(errno)); if (len != 1) fatal("ssh_exchange_identification: Connection closed by remote host"); - if (buf[i] == '\r') { - buf[i] = '\n'; + if (buf[i] == ASC('\r')) { + buf[i] = ASC('\n'); buf[i + 1] = 0; continue; /**XXX wait for \n */ } - if (buf[i] == '\n') { + if (buf[i] == ASC('\n')) { buf[i + 1] = 0; break; } } buf[sizeof(buf) - 1] = 0; +#ifdef CHARSET_EBCDIC + __atoe_l (buf, sizeof(buf)); +#endif if (strncmp(buf, "SSH-", 4) == 0) break; debug("ssh_exchange_identification: %s", buf); @@ -524,8 +527,14 @@ compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, compat20 ? PROTOCOL_MINOR_2 : minor1, SSH_VERSION); +#ifdef CHARSET_EBCDIC + __etoa(buf); +#endif if (atomicio(vwrite, connection_out, buf, strlen(buf)) != strlen(buf)) fatal("write: %.100s", strerror(errno)); +#ifdef CHARSET_EBCDIC + __atoe(buf); +#endif client_version_string = xstrdup(buf); chop(client_version_string); chop(server_version_string); 
@@ -955,6 +964,11 @@ char *server_user, *local_user; local_user = xstrdup(pw->pw_name); +#if #system(bs2000) + /* Convert the UPPERCASE USER into all lowercase to ease connectivity with unix. */ + /* IMO that is legitimate, as BS2000's user names are case insensitive */ + strlower(local_user, NULL); +#endif server_user = options.user ? options.user : local_user; /* Convert the user-supplied hostname into all lowercase. */ diff -bur openssh-3.7.1p2.orig/sshconnect2.c openssh-3.7.1p2/sshconnect2.c --- openssh-3.7.1p2.orig/sshconnect2.c Tue Aug 26 04:14:05 2003 +++ openssh-3.7.1p2/sshconnect2.c Tue Oct 7 08:22:02 2003 @@ -416,14 +416,14 @@ if (datafellows & SSH_BUG_PKOK) { /* this is similar to SSH_BUG_PKAUTH */ debug2("input_userauth_pk_ok: SSH_BUG_PKOK"); - pkblob = packet_get_string(&blen); + pkblob = packet_get_binary(&blen); buffer_init(&b); buffer_append(&b, pkblob, blen); pkalg = buffer_get_string(&b, &alen); buffer_free(&b); } else { pkalg = packet_get_string(&alen); - pkblob = packet_get_string(&blen); + pkblob = packet_get_binary(&blen); } packet_check_eom(); @@ -847,7 +847,7 @@ buffer_append(&b, session_id2, session_id2_len); skip = session_id2_len; } else { - buffer_put_string(&b, session_id2, session_id2_len); + buffer_put_binary(&b, session_id2, session_id2_len); skip = buffer_len(&b); } buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); @@ -863,7 +863,7 @@ buffer_put_char(&b, have_sig); buffer_put_cstring(&b, key_ssh_name(id->key)); } - buffer_put_string(&b, blob, bloblen); + buffer_put_binary(&b, blob, bloblen); /* generate signature */ ret = identity_sign(id, &signature, &slen, 
@@ -887,12 +887,12 @@ buffer_put_char(&b, have_sig); if (!(datafellows & SSH_BUG_PKAUTH)) buffer_put_cstring(&b, key_ssh_name(id->key)); - buffer_put_string(&b, blob, bloblen); + buffer_put_binary(&b, blob, bloblen); } xfree(blob); /* append signature */ - buffer_put_string(&b, signature, slen); + buffer_put_binary(&b, signature, slen); xfree(signature); /* skip session id and packet type */ @@ -932,7 +932,7 @@ packet_put_char(have_sig); if (!(datafellows & SSH_BUG_PKAUTH)) packet_put_cstring(key_ssh_name(id->key)); - packet_put_string(blob, bloblen); + packet_put_binary(blob, bloblen); xfree(blob); packet_send(); return 1; @@ -1243,7 +1243,7 @@ buffer_init(&b); buffer_put_int(&b, packet_get_connection_in()); /* send # of socket */ - buffer_put_string(&b, data, datalen); + buffer_put_binary(&b, data, datalen); ssh_msg_send(to[1], version, &b); if (ssh_msg_recv(from[0], &b) < 0) { @@ -1263,7 +1263,7 @@ buffer_clear(&b); return -1; } - *sigp = buffer_get_string(&b, lenp); + *sigp = buffer_get_binary(&b, lenp); buffer_clear(&b); return 0; @@ -1318,13 +1318,13 @@ pkalg = xstrdup(key_ssh_name(private)); buffer_init(&b); /* construct data */ - buffer_put_string(&b, session_id2, session_id2_len); + buffer_put_binary(&b, session_id2, session_id2_len); buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); buffer_put_cstring(&b, authctxt->server_user); buffer_put_cstring(&b, service); buffer_put_cstring(&b, authctxt->method->name); buffer_put_cstring(&b, pkalg); - buffer_put_string(&b, blob, blen); + buffer_put_binary(&b, blob, blen); buffer_put_cstring(&b, chost); buffer_put_cstring(&b, authctxt->local_user); #ifdef DEBUG_PK 
@@ -1349,10 +1349,10 @@ packet_put_cstring(authctxt->service); packet_put_cstring(authctxt->method->name); packet_put_cstring(pkalg); - packet_put_string(blob, blen); + packet_put_binary(blob, blen); packet_put_cstring(chost); packet_put_cstring(authctxt->local_user); - packet_put_string(signature, slen); + packet_put_binary(signature, slen); memset(signature, 's', slen); xfree(signature); xfree(chost); diff -bur openssh-3.7.1p2.orig/sshd.c openssh-3.7.1p2/sshd.c --- openssh-3.7.1p2.orig/sshd.c Tue Sep 2 14:51:17 2003 +++ openssh-3.7.1p2/sshd.c Tue Oct 7 08:22:02 2003 @@ -152,6 +152,7 @@ */ char *client_version_string = NULL; char *server_version_string = NULL; +/* Note CHARSET_EBCDIC: these strings are kept in EBCDIC, and are converted for transmission */ /* for rekeying XXX fixme */ Kex *xxx_kex; @@ -370,6 +371,9 @@ snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION); server_version_string = xstrdup(buf); +#ifdef CHARSET_EBCDIC + __etoa(server_version_string); +#endif /* Send our protocol version identification. */ if (atomicio(vwrite, sock_out, server_version_string, strlen(server_version_string)) @@ -377,6 +381,9 @@ logit("Could not write ident string to %s", get_remote_ipaddr()); fatal_cleanup(); } +#ifdef CHARSET_EBCDIC + __atoe(server_version_string); /* undo the conversion, server_version_string is used below */ +#endif /* Read other sides version identification. */ memset(buf, 0, sizeof(buf)); 
@@ -386,21 +393,30 @@ get_remote_ipaddr()); fatal_cleanup(); } - if (buf[i] == '\r') { + if (buf[i] == ASC('\r')) { +#ifdef CHARSET_EBCDIC + char *FSecureMacintosh = strcpy(alloca(sizeof("SSH-1.5-W1.0")), "SSH-1.5-W1.0"); + __etoa(FSecureMacintosh); /* need it in ASCII */ +#else +#define FSecureMacintosh "SSH-1.5-W1.0" +#endif buf[i] = 0; /* Kludge for F-Secure Macintosh < 1.0.2 */ if (i == 12 && - strncmp(buf, "SSH-1.5-W1.0", 12) == 0) + strncmp(buf, FSecureMacintosh, 12) == 0) break; continue; } - if (buf[i] == '\n') { + if (buf[i] == ASC('\n')) { buf[i] = 0; break; } } buf[sizeof(buf) - 1] = 0; client_version_string = xstrdup(buf); +#ifdef CHARSET_EBCDIC + __atoe(client_version_string); +#endif /* * Check that the versions match. In future this might accept @@ -409,7 +425,14 @@ if (sscanf(client_version_string, "SSH-%d.%d-%[^\n]\n", &remote_major, &remote_minor, remote_version) != 3) { s = "Protocol mismatch.\n"; +#ifdef CHARSET_EBCDIC + s = xstrdup(s); + __etoa(s); + (void) atomicio(vwrite, sock_out, s, strlen(s)); + free(s); +#else (void) atomicio(vwrite, sock_out, s, strlen(s)); +#endif close(sock_in); close(sock_out); logit("Bad protocol version identification '%.100s' from %s", @@ -470,7 +493,14 @@ if (mismatch) { s = "Protocol major versions differ.\n"; +#ifdef CHARSET_EBCDIC + s = xstrdup(s); + __etoa(s); + (void) atomicio(vwrite, sock_out, s, strlen(s)); + free(s); +#else (void) atomicio(vwrite, sock_out, s, strlen(s)); +#endif close(sock_in); close(sock_out); logit("Protocol major versions differ for %s: %.200s vs. %.200s", 
@@ -583,7 +613,25 @@ /* Store a pointer to the kex for later rekeying */ pmonitor->m_pkex = &xxx_kex; +#if #system(bs2000) + { + char *upper; + /* BS2000(PSD/POSIX) ufork needs the user name in UPPER case */ + upper = xstrdup(SSH_PRIVSEP_USER); + strupper(upper, NULL); + if ((pid = ufork(upper)) == -1 && errno == EPERM) { + if (getpwnam(SSH_PRIVSEP_USER) == NULL) + fatal("Privilege separation user %s does not exist", + SSH_PRIVSEP_USER); + else + log("Hint: Is the POSIX-RLOGIN-DEFAULT set for user %s ?", + SSH_PRIVSEP_USER); + } + free(upper); + } +#else pid = fork(); +#endif if (pid == -1) { fatal("fork of unprivileged child failed"); } else if (pid != 0) { @@ -649,7 +697,21 @@ /* New socket pair */ monitor_reinit(pmonitor); +#if #system(bs2000) + { + char *upper; + /* BS2000(PSD/POSIX) ufork needs the user name in UPPER case */ + upper = xstrdup(authctxt->pw->pw_name); + strupper(upper, NULL); + if ((pmonitor->m_pid = ufork(upper)) == -1 && errno == EPERM) { + log("Hint: Is the POSIX-RLOGIN-DEFAULT set for user %s ?", + authctxt->pw->pw_name); + } + free(upper); + } +#else pmonitor->m_pid = fork(); +#endif if (pmonitor->m_pid == -1) fatal("fork of unprivileged child failed"); else if (pmonitor->m_pid != 0) { @@ -1287,6 +1349,11 @@ newsock = accept(listen_socks[i], (struct sockaddr *)&from, &fromlen); if (newsock < 0) { +#if #system(bs2000) + /* There is not much use in looping after the network layer has been brought down... Die gracefully. */ + if (errno == ENETDOWN) + fatal("accept: %.100s", strerror(errno)); +#endif if (errno != EINTR && errno != EWOULDBLOCK) error("accept: %.100s", strerror(errno)); continue; diff -bur openssh-3.7.1p2.orig/ttymodes.c openssh-3.7.1p2/ttymodes.c --- openssh-3.7.1p2.orig/ttymodes.c Wed May 14 05:40:07 2003 +++ openssh-3.7.1p2/ttymodes.c Tue Oct 7 08:22:02 2003 
@@ -287,7 +287,7 @@ #define TTYCHAR(NAME, OP) \ debug3("tty_make_modes: %d %d", OP, tio.c_cc[NAME]); \ buffer_put_char(&buf, OP); \ - put_arg(&buf, tio.c_cc[NAME]); + put_arg(&buf, ASC(tio.c_cc[NAME])); #define TTYMODE(NAME, FIELD, OP) \ debug3("tty_make_modes: %d %d", OP, ((tio.FIELD & NAME) != 0)); \ @@ -303,7 +303,7 @@ /* Mark end of mode data. */ buffer_put_char(&buf, TTY_OP_END); if (compat20) - packet_put_string(buffer_ptr(&buf), buffer_len(&buf)); + packet_put_binary(buffer_ptr(&buf), buffer_len(&buf)); else packet_put_raw(buffer_ptr(&buf), buffer_len(&buf)); buffer_free(&buf); @@ -375,7 +375,7 @@ #define TTYCHAR(NAME, OP) \ case OP: \ n_bytes += arg_size; \ - tio.c_cc[NAME] = get_arg(); \ + tio.c_cc[NAME] = CHR(get_arg()); \ debug3("tty_parse_modes: %d %d", OP, tio.c_cc[NAME]); \ break; #define TTYMODE(NAME, FIELD, OP) \ diff -bur openssh-3.7.1p2.orig/uidswap.c openssh-3.7.1p2/uidswap.c --- openssh-3.7.1p2.orig/uidswap.c Mon Sep 22 04:55:21 2003 +++ openssh-3.7.1p2/uidswap.c Tue Oct 7 08:22:02 2003 @@ -143,6 +143,10 @@ void permanently_set_uid(struct passwd *pw) { +#if #system(bs2000) +#undef __func__ + static const char __func__[] = { "permanently_set_uid()" }; +#endif uid_t old_uid = getuid(); gid_t old_gid = getgid(); From Martin.Kraemer at fujitsu-siemens.com Wed Oct 8 22:06:31 2003 
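Review bot: the buffer_get_string() to buffer_get_binary() rewrites in monitor.c (@@ -1431, -1550, -1586, -1618, -1637) and monitor_wrap.c (@@ -165 through @@ -1058) rely on every blob, key, IV, MAC key, compression-state and I/O-buffer site having been found by hand; a site that is missed keeps going through the text-translating path and silently corrupts key material, and the existing length checks (`pwlen != sizeof(struct passwd)`, `len != enc->block_size`, `plen != sizeof(child_state.outgoing)`) cannot catch a byte-translated buffer of the right length. As raised further down in this thread, making buffer_put_string()/buffer_get_string() binary and translating only in buffer_put_cstring() (plus a matching text getter) would make a missed site fail toward leaving bytes untouched, and would shrink this diff considerably.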
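Review bot: `#if #system(bs2000)` (monitor.c @@ -1699, and again in packet.c @@ -1417, session.c @@ -404 and @@ -530, sshconnect.c @@ -955, sshd.c @@ -583, @@ -649 and @@ -1287, uidswap.c @@ -143) is a GCC-only preprocessor assertion; other preprocessors reject the `#system(...)` syntax, so each of these blocks is a build error on a non-GCC compiler even where the feature is off. Have configure define an ordinary macro for the platform (a name such as HAVE_BS2000 is my suggestion, not something in the patch) and test it with `#ifdef`, as the rest of the tree does.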
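Review bot: `#if 'Z' == '\xE9'` (mktemp.c @@ -106 and @@ -165, vis.c @@ -38) detects EBCDIC by comparing character constants inside a preprocessor expression, but C leaves it implementation-defined whether character constants in `#if` have the same value as in ordinary code (a cross-compiler is the obvious case where they differ), and the same patch uses `#ifdef CHARSET_EBCDIC` for the same decision in vis.c @@ -118, packet.c, scp.c, sshconnect.c and sshd.c. Pick one mechanism: set CHARSET_EBCDIC from configure and test that everywhere; the `/* CHARSET_EBCDIC */` comment next to these lines already says that is the intent. On the mktemp.c @@ -165 hunk itself, check that after `*trv += ('J'-'I')` control takes the same path as the `else` arm (an ordinary increment that should stop the carry): as placed, the new arms share the fall-through of the 'Z'→'a' and 'z'→'A' wrap arms and skip the `trv == suffp` check.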
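Review bot: vis.c @@ -38 pulls in includes.h only under the EBCDIC test, yet the ASC() and CHR() macros are used unconditionally in vis.c @@ -109 and @@ -118 (`ASC(c) & 0177`, `CHR(ASC(c) + ASC('@'))`), in scp.c @@ -1072, sshconnect.c @@ -451, sshd.c @@ -386 and ttymodes.c @@ -287 and @@ -375, and no hunk in this diff defines them. The non-EBCDIC build needs identity definitions (`#define ASC(c) (c)` and `#define CHR(c) (c)`) in a header every one of those files already includes, otherwise the patch does not compile on the platforms it is meant to leave untouched. While on ttymodes.c: confirm that ASC()/CHR() map _POSIX_VDISABLE to itself, since every `tio.c_cc[NAME]` value goes through ASC() and a disabled control character is not a character.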
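Review bot: packet.c @@ -1417 leaves the `if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, ...) < 0)` with an empty statement `;` under `#else`, so on BS2000 the call is still made and its failure silently dropped; wrapping the setsockopt() call itself in the platform conditional (or returning early, as the `return;` two lines above already does for another case) reads better than a dangling `if` whose body is a bare semicolon.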
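Review bot: scp.c @@ -231 and @@ -275 add a `-b` (binary) option but the diff carries no scp.1 change, and no hunk adds the flag to the remote command in `cmd`, so a user cannot tell when it is needed or that it acts on the local side only. Document it, stating that the `__atoe_l(bp->buf, amt)` before the write in @@ -579 and the `__etoa_l(bp->buf, count)` after the read in @@ -908 exist to undo the text translation ssh applies to the session stream, and that without `-b` a non-text file arrives altered.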
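Review bot: serverloop.c @@ -926 replaces `ctype` with the literals "session" and "direct-tcpip" in calls that are guarded by `strcmp(ctype, "session") == 0` and `strcmp(ctype, "direct-tcpip") == 0`, so the argument is byte-for-byte the same string either way and the change is a no-op; it enlarges the diff against OpenBSD for no effect and should be dropped unless there is a reason the submission should state.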
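Review bot: the four ufork() blocks (session.c @@ -404 and @@ -530, sshd.c @@ -583 and @@ -649) call `log("Hint: ...")`, but in 3.7.1p2 that function is `logit()` (see the unchanged `logit("Could not write ident string to %s", ...)` in sshd.c @@ -377), so these blocks do not compile as written. The block is also pasted four times with only the user name varying; one helper in port-bs2000.c that takes the name (the `#define fork() bs2000_fork()` approach suggested later in the thread) removes the duplication, and memory from xstrdup() should be released with xfree(), as the surrounding code does, rather than free().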
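Review bot: in sshd.c @@ -386 the EBCDIC branch declares `FSecureMacintosh` with `alloca()` inside the `for` loop that reads the version string one byte at a time, so a new stack allocation is made on every '\r' seen and none is released until the function returns; convert the constant once before the loop (or keep a static pre-converted copy). The `#define FSecureMacintosh "SSH-1.5-W1.0"` in the `#else` branch stays defined after the loop; `#undef` it or move it next to the other definitions at the top of the file.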
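Review bot: sshd.c @@ -409 and @@ -470 duplicate the `(void) atomicio(vwrite, sock_out, s, strlen(s));` line under both preprocessor branches; a small helper that writes an EBCDIC string as ASCII (convert a copy, write, xfree) would leave one call site and would also serve the version-string round trip in @@ -370 and @@ -377, where `server_version_string` is converted in place, written, and converted back. Here too, `free(s)` on memory from xstrdup() should be `xfree(s)`.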
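Review bot: uidswap.c @@ -143 `#undef`s `__func__` and shadows it with a per-function static array, which only helps this one function; every other `fatal("%s: ...", __func__)` in the tree (the monitor.c and monitor_wrap.c hunks above are full of them) still needs `__func__`. If the BS2000 compiler lacks C99 `__func__`, the existing configure check and the fallback definition in defines.h are the place to handle it, once for all files.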
From: Martin.Kraemer at fujitsu-siemens.com (Martin Kraemer)
Date: Wed, 8 Oct 2003 14:06:31 +0200
Subject: OS/390 openssh
In-Reply-To: <20031008112800.GB9165@folly>
References: <20031008094747.GA10143@deejai2.mch.fsc.net> <20031008112800.GB9165@folly>
Message-ID: <20031008120631.GE7211@deejai2.mch.fsc.net>

On Wed, Oct 08, 2003 at 01:28:00PM +0200, Markus Friedl wrote:
> > -	buffer_put_string(&msg, blob, blen);
> > -	buffer_put_string(&msg, data, datalen);
> > +	buffer_put_binary(&msg, blob, blen);
> > +	buffer_put_binary(&msg, data, datalen);
>
> wouldn't it be easier to treat all
> 	buffer_put_string
> as binary and do conversion only in
> 	buffer_put_cstring
> ?

Then again it would be necessary to check all buffer_put_string()'s
whether they should actually be buffer_put_cstring()'s....

When the patch was first written, IIRC there was no buffer_put_cstring()
yet, and I do not remember why it was added in the first place. But yes,
it would be much better to have only two functions, not three.

   Martin
-- 
| Fujitsu Siemens    Fon: +49-89-636-46021, FAX: +49-89-636-47655
| 81730 Munich, Germany

From dtucker at zip.com.au Wed Oct 8 22:26:31 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 08 Oct 2003 22:26:31 +1000
Subject: OS/390 openssh
References: <20031008094747.GA10143@deejai2.mch.fsc.net>
Message-ID: <3F840277.388BCF23@zip.com.au>

Martin Kraemer wrote:
> OpenSSH-portable developers: do you think this could be added as
> a new platform to the portable version? What should be changed to
> allow its addition?
> I *tried* to make it not-too-ugly, at least... ;-)

Bearing in mind this is just my own opinion...

Guiding principle: keep diffs with OpenBSD's SSH to a minimum as far as
reasonable. Secondary principle: keep the rest of the changes as generic
as possible.

In openbsd-compat, add a port-bs2000.c (or maybe a port-ebcdic.c or maybe
both) and put your platform-specific functions in there.

Instead of doing this:
> #ifdef CUSTOM_FAILED_LOGIN
> 	if (authenticated == 0 && strcmp(method, "password") == 0)
> +	{
> +#if #system(bs2000)
> +		record_failed_login_attempt(authctxt->user,
[snip]
> #else
> 		record_failed_login(authctxt->user, "ssh");
> #endif
> +	}
> +#endif

Add another argument to record_failed_login() (eg "reason", maybe make it
an enum), put your own record_failed_login() into port-bs2000.c and lose
the #ifdefs.

> diff -bur openssh-3.7.1p2.orig/contrib/solaris/opensshd.in

Why are you modifying Solaris files?

> 	/* Fork the child. */
> +#if #system(bs2000)
[snip]
> +		if ((pid = ufork(upper)) == -1 && errno == EPERM) {

Could you achieve the same thing by creating a replacement fork() function
in port-bs2000.c?

> +	/* EBCDIC problem: A-I J-R S-Z are contiguous, but there's a gap between
> the three subranges:

What kind of drugs were involved in creating a character set where the
alphabet is non-contiguous :-?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From Martin.Kraemer at fujitsu-siemens.com Wed Oct 8 22:43:45 2003
From: Martin.Kraemer at fujitsu-siemens.com (Martin Kraemer)
Date: Wed, 8 Oct 2003 14:43:45 +0200
Subject: OS/390 openssh
In-Reply-To: <3F840277.388BCF23@zip.com.au>
References: <20031008094747.GA10143@deejai2.mch.fsc.net> <3F840277.388BCF23@zip.com.au>
Message-ID: <20031008124345.GG7211@deejai2.mch.fsc.net>

On Wed, Oct 08, 2003 at 10:26:31PM +1000, Darren Tucker wrote:
> In openbsd-compat, add a port-bs2000.c (or maybe a port-ebcdic.c or maybe
> both) and put your platform-specific functions in there.

Excellent idea. Will do, alongside port-irix.c et al.

> Instead of doing this:
> > #ifdef CUSTOM_FAILED_LOGIN
> > 	if (authenticated == 0 && strcmp(method, "password") == 0)
> > +#if #system(bs2000)
> > +		record_failed_login_attempt(authctxt->user,
> [snip]
> > #else
> > 		record_failed_login(authctxt->user, "ssh");
> > #endif
> Add another argument to record_failed_login() (eg "reason", maybe make it
> an enum), put your own record_failed_login() into port-bs2000.c and lose
> the #ifdefs.

Granted. This was a recent hack because the old API did not supply the
remote IP information. You are right that it is better to change the API
(and ignore the new arguments in the other OS's). Will do.

> > diff -bur openssh-3.7.1p2.orig/contrib/solaris/opensshd.in
>
> Why are you modifying Solaris files?

Oops - my bad. This was not meant to be submitted; it is what we use
internally because we use a mostly-identical rc script. The mods should
not be in openssh-portable, of course, sorry.

> > 	/* Fork the child. */
> > +#if #system(bs2000)
> [snip]
> > +		if ((pid = ufork(upper)) == -1 && errno == EPERM) {
>
> Could you achieve the same thing by creating a replacement fork() function
> in port-bs2000.c?

Alas, impossible: there *is* a real fork() in BS2000, but it cannot
be used in combination with changed user identities. When changing the
user, the respective fork() must already pre-initialize for the new
user-to-be which it need not if the user identity is not changed.
It is unclean, but I see no portable solution to this one. > > + /* EBCDIC problem: A-I J-R S-Z are contiguous, but there's a gap between > > the three subranges: > > What kind of drugs were involved in creating a character set where the > alphabet is non-contiguous :-? ;-) Not by me... Ask IBM. The reason in found in the Hollerith card punching scheme. OTOH: My *real* machine is FreeBSD. Martin -- | Fujitsu Siemens Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730 Munich, Germany From markus at openbsd.org Wed Oct 8 21:28:00 2003 From: markus at openbsd.org (Markus Friedl) Date: Wed, 8 Oct 2003 13:28:00 +0200 Subject: OS/390 openssh In-Reply-To: <20031008094747.GA10143@deejai2.mch.fsc.net> References: <20031008094747.GA10143@deejai2.mch.fsc.net> Message-ID: <20031008112800.GB9165@folly> > - buffer_put_string(&msg, blob, blen); > - buffer_put_string(&msg, data, datalen); > + buffer_put_binary(&msg, blob, blen); > + buffer_put_binary(&msg, data, datalen); wouldn't it be easier to treat all buffer_put_string as binary and do conversion only in buffer_put_cstring ? From dtucker at zip.com.au Wed Oct 8 23:58:27 2003 
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 08 Oct 2003 23:58:27 +1000
Subject: OS/390 openssh
References: <20031008094747.GA10143@deejai2.mch.fsc.net> <3F840277.388BCF23@zip.com.au> <20031008124345.GG7211@deejai2.mch.fsc.net>
Message-ID: <3F841803.6302B21E@zip.com.au>

Martin Kraemer wrote:
> > Could you achieve the same thing by creating a replacement fork() function
> > in port-bs2000.c?
>
> Alas, impossible: there *is* a real fork() in BS2000, but it cannot
> be used in combination with changed user identities. When changing the
> user, the respective fork() must already pre-initialize for the new
> user-to-be which it need not if the user identity is not changed.
> It is unclean, but I see no portable solution to this one.

The preprocessor is your friend! Put "#define fork() bs2000_fork()" into port-bs2000.h, then add your magic bs2000_fork function in port-bs2000.c. We do something similar with signal/mysignal in bsd-misc.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dtucker at zip.com.au Thu Oct 9 01:32:18 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 09 Oct 2003 01:32:18 +1000
Subject: OS/390 openssh
References: <20031008094747.GA10143@deejai2.mch.fsc.net> <3F840277.388BCF23@zip.com.au> <20031008124345.GG7211@deejai2.mch.fsc.net> <3F841803.6302B21E@zip.com.au>
Message-ID: <3F842E02.8EA72293@zip.com.au>

Darren Tucker wrote:
>
> Martin Kraemer wrote:
> > > Could you achieve the same thing by creating a replacement fork() function
> > > in port-bs2000.c?
> >
> > Alas, impossible: there *is* a real fork() in BS2000, but it cannot
> > be used in combination with changed user identities. When changing the
> > user, the respective fork() must already pre-initialize for the new
> > user-to-be which it need not if the user identity is not changed.
> > It is unclean, but I see no portable solution to this one.
>
> The preprocessor is your friend!
[snip]

Forget I said that. I missed the bit about fork() needing to know the user. While it might be possible with preprocessor hackery it's probably not something you'd want to think about.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From mouring at etoh.eviladmin.org Thu Oct 9 03:19:17 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 8 Oct 2003 12:19:17 -0500 (CDT)
Subject: OS/390 openssh
In-Reply-To: <3F840277.388BCF23@zip.com.au>
Message-ID:

On Wed, 8 Oct 2003, Darren Tucker wrote:

[..]
> Instead of doing this:
> > #ifdef CUSTOM_FAILED_LOGIN
> > if (authenticated == 0 && strcmp(method, "password") == 0)
> > + {
> > +#if #system(bs2000)
> > + record_failed_login_attempt(authctxt->user,
> [snip]
> > #else
> > record_failed_login(authctxt->user, "ssh");
> > #endif
> > + }
> > +#endif
>
> Add another argument to record_failed_login() (eg "reason", maybe make it
> an enum), put your own record_failed_login() into port-bs2000.c and lose
> the #ifdefs.
>

Unless there is an extreme need for this change (IE, system fails) they should be submitted as separate patches. Please provide a patch that *ONLY* gets the platform to work. Otherwise it will be ignored since we will not separate out "required" vs "nice" changes.

- Ben

From michael.leelun at citigroup.com Thu Oct 9 05:27:24 2003
From: michael.leelun at citigroup.com (Lee-Lun, Michael [IT])
Date: Wed, 8 Oct 2003 15:27:24 -0400
Subject: openssh-3-7-1p2: sftp issue from Cygwin Build
Message-ID:

Anyone have any problems with sftp-server on 3.7.1p2? When I sftp to the server I get this when I do an ls -l:

sftp> ls -l
?-w-rwxrwx 0 1 16832 3 Oct 26 1993

Mike

From tim at multitalents.net Thu Oct 9 08:04:46 2003
From: tim at multitalents.net (Tim Rice)
Date: Wed, 8 Oct 2003 15:04:46 -0700 (PDT)
Subject: openssh-3-7-1p2: sftp issue from Cygwin Build
In-Reply-To:
References:
Message-ID:

On Wed, 8 Oct 2003, Lee-Lun, Michael [IT] wrote:

> Anyone have any problems with sftp-server on 3.7.1p2? When I sftp to the
> server I get this when I do an ls -l:
>
> sftp> ls -l
> ?-w-rwxrwx 0 1 16832 3 Oct 26 1993

What does the BROKEN_ONE_BYTE_DIRENT_D_NAME line in your config.h say?

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From girardet at nz1.ibm.com Thu Oct 9 11:12:35 2003
From: girardet at nz1.ibm.com (Andreas Girardet)
Date: Thu, 9 Oct 2003 14:12:35 +1300
Subject: kerberos + gssapi password change
Message-ID:

Hello

I am not a developer, but since this is a more advanced issue I rather post to this list than to the users list, I hope this is OK.

We are currently running openssh with simon's gssapi patch and want to move towards the new integrated solution with openssh-3.7.1p2. A problem we experienced in both versions of openssh is that we are not able to change the kerberos password when it expires. I used James' patch but it seemed to not work well with simon's gssapi patch and as such we decided not to integrate it. James told me that he believes password change is now working with the changes, but I am unable to get it working and am wondering if this is a known limitation still and if you are planning to work on this issue in the future if it is still an issue.

Another oddness I experience

Cheers

IBM Global Services - New Zealand Linux Team
Linux Infrastructure project
Office: +64-9-359-8761
email: girardet at nz1.ibm.com
13-17 Dundonald Street, Newton, Auckland, New Zealand

###########################################
from sshd -ddd

ebug3: ssh_msg_recv entering
debug3: ssh_msg_send: type 7
PAM: Authentication token is no longer valid; new one required.
debug3: mm_request_send entering: type 49
debug3: mm_request_receive entering
debug3: mm_sshpam_query: pam_query returned -1
debug2: auth2_challenge_start: devices
debug3: mm_sshpam_free_ctx
debug3: mm_request_send entering: type 52
debug3: mm_sshpam_free_ctx: waiting for MONITOR_ANS_PAM_FREE_CTX
debug3: mm_request_receive_expect entering: type 53
debug3: mm_request_receive entering
debug3: monitor_read: checking request 52
debug3: mm_answer_pam_free_ctx
debug3: mm_request_send entering: type 53
debug2: monitor_read: 52 used once, disabling now
Failed keyboard-interactive/pam for agirardet from 10.65.59.54 port 43168 ssh2
debug3: mm_request_receive entering
Failed keyboard-interactive/pam for agirardet from 10.65.59.54 port 43168 ssh2
debug1: userauth-request for user agirardet service ssh-connection method keyboard-interactive
debug1: attempt 5 failures 4
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=agirardet devs=
debug1: kbdint_alloc: devices 'pam'
debug2: auth2_challenge_start: devices pam
debug2: kbdint_next_device: devices
debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: mm_sshpam_init_ctx
debug3: mm_request_send entering: type 46
debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX
debug3: mm_request_receive_expect entering: type 47
debug3: mm_request_receive entering
debug3: monitor_read: checking request 46
debug3: mm_answer_pam_init_ctx
debug3: mm_request_send entering: type 47
debug3: mm_request_receive entering
debug3: mm_sshpam_query
debug3: mm_request_send entering: type 48
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY
debug3: mm_request_receive_expect entering: type 49
debug3: mm_request_receive entering
debug3: monitor_read: checking request 48
debug3: mm_answer_pam_query
debug3: ssh_msg_recv entering
debug3: ssh_msg_send: type 1
debug3: mm_request_send entering: type 49
debug3: mm_request_receive entering
debug3: mm_sshpam_query: pam_query returned 0
Postponed keyboard-interactive for agirardet from 10.65.59.54 port 43168 ssh2
debug3: ssh_msg_recv entering
debug3: mm_sshpam_respond
debug3: mm_request_send entering: type 50
debug3: mm_sshpam_respond: waiting for MONITOR_ANS_PAM_RESPOND
debug3: mm_request_receive_expect entering: type 51
debug3: mm_request_receive entering
debug3: monitor_read: checking request 50
debug3: mm_answer_pam_respond
debug2: PAM: sshpam_respond
debug3: ssh_msg_send: type 6
debug3: mm_request_send entering: type 51
debug3: mm_request_receive entering
debug3: mm_sshpam_respond: pam_respond returned 1
debug3: mm_sshpam_query
debug3: mm_request_send entering: type 48
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY
debug3: mm_request_receive_expect entering: type 49
debug3: mm_request_receive entering
debug3: monitor_read: checking request 48
debug3: mm_answer_pam_query
debug3: ssh_msg_recv entering
debug3: ssh_msg_send: type 7
PAM: Authentication token is no longer valid; new one required.
debug3: mm_request_send entering: type 49
debug3: mm_request_receive entering
debug3: mm_sshpam_query: pam_query returned -1
debug2: auth2_challenge_start: devices
debug3: mm_sshpam_free_ctx
debug3: mm_request_send entering: type 52
debug3: mm_sshpam_free_ctx: waiting for MONITOR_ANS_PAM_FREE_CTX
debug3: mm_request_receive_expect entering: type 53
debug3: mm_request_receive entering
debug3: monitor_read: checking request 52
debug3: mm_answer_pam_free_ctx
debug3: mm_request_send entering: type 53
##############################################

From dtucker at zip.com.au Thu Oct 9 11:58:24 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 09 Oct 2003 11:58:24 +1000
Subject: kerberos + gssapi password change
References:
Message-ID: <3F84C0C0.92C71177@zip.com.au>

Andreas Girardet wrote:
> I am not a developer, but since this is a more advanced issue I rather
> post to this list than to the users list, I hope this is OK.

That's OK.

> We are currently running openssh with simon's gssapi patch and want to
> move towards the new integrated solution with openssh-3.7.1p2. A problem
> we experienced in both versions of openssh is that we are not able to
> change the kerberos password, when it expires. I used James' patch but it
> seemed to not work well with simon's gssapi patch and as such we decided
> not to integrate it. James told me that he believes password change is now
> working with the changes, but I am unable to get it working and am
> wondering if this is a known limitation still and if you are planning to
> work on this issue in the future if it is still an issue.

I don't speak Kerberos myself but someone once reported [0] that an earlier version of my password expiry patch [1] worked with Kerberos on an earlier version of OpenSSH when PATH_PASSWD_PROGRAM was set to "kinit".

> Another oddness I experience

... is truncated email messages? :-)

[0] http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=10485986783267
[1] http://www.zip.com.au/~dtucker/openssh/

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From jfh at cise.ufl.edu Thu Oct 9 12:29:15 2003
From: jfh at cise.ufl.edu (James F.Hranicky)
Date: Wed, 8 Oct 2003 22:29:15 -0400
Subject: kerberos + gssapi password change
In-Reply-To: <3F84C0C0.92C71177@zip.com.au>
References: <3F84C0C0.92C71177@zip.com.au>
Message-ID: <20031008222915.5e69a321.jfh@cise.ufl.edu>

On Thu, 09 Oct 2003 11:58:24 +1000
Darren Tucker wrote:

> I don't speak Kerberos myself but someone once reported [0] that an
> earlier version of my password expiry patch [1] worked with Kerberos on an
> earlier version of OpenSSH when PATH_PASSWD_PROGRAM was set to "kinit".

I was able to get password expiry to work with the new PAM code and pam_krb-1.0.3 under the following:

OpenSSH 3.7.1p2
Solaris 8

I haven't thoroughly tested it, though.

Jim

From girardet at nz1.ibm.com Thu Oct 9 12:40:05 2003
From: girardet at nz1.ibm.com (Andreas Girardet)
Date: Thu, 9 Oct 2003 03:40:05 +0100
Subject: kerberos + gssapi password change
Message-ID:

>I don't speak Kerberos myself but someone once reported [0] that an
>earlier version of my password expiry patch [1] worked with Kerberos on an
>earlier version of OpenSSH when PATH_PASSWD_PROGRAM was set to "kinit".

I have tried this and I still get the same behaviour. keyboard interactive fails and I wonder if ssh actually understands at all what PAM is getting back from kerberos.

>> Another oddness I experience
>... is truncated email messages? :-)

Sure .. press escape in Lotus puts your message into the outbox and sends message (!!)

Andreas

From dtucker at zip.com.au Thu Oct 9 12:53:26 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 09 Oct 2003 12:53:26 +1000
Subject: kerberos + gssapi password change
References:
Message-ID: <3F84CDA6.9C70EE00@zip.com.au>

Andreas Girardet wrote:
>
> >I don't speak Kerberos myself but someone once reported [0] that an
> >earlier version of my password expiry patch [1] worked with Kerberos on
> an
> >earlier version of OpenSSH when PATH_PASSWD_PROGRAM was set to "kinit".
>
> I have tried this and I still get the same behaviour. keyboard
> interactive fails and I wonder if ssh actually understands at all what
> PAM is getting back from kerberos.

The debug you posted earlier shows this:

debug3: ssh_msg_send: type 7
PAM: Authentication token is no longer valid; new one required.
debug3: mm_request_send entering: type 49
debug3: mm_request_receive entering
debug3: mm_sshpam_query: pam_query returned -1
debug2: auth2_challenge_start: devices

Maybe sshpam_query needs to understand PAM_NEW_AUTHTOK_REQD?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dtucker at zip.com.au Thu Oct 9 13:23:13 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 09 Oct 2003 13:23:13 +1000
Subject: kerberos + gssapi password change
References: <3F84CDA6.9C70EE00@zip.com.au>
Message-ID: <3F84D4A1.E705025D@zip.com.au>

Darren Tucker wrote:
> Maybe sshpam_query needs to understand PAM_NEW_AUTHTOK_REQD?

Please try this patch (it will apply on top of pwexp24). I have no idea if this is right or not (but it compiles :-)

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

-------------- next part --------------
--- auth-pam.c.pwexp24	2003-10-09 12:53:53.000000000 +1000
+++ auth-pam.c	2003-10-09 13:18:04.000000000 +1000
@@ -422,6 +422,7 @@
 		break;
 	case PAM_SUCCESS:
 	case PAM_AUTH_ERR:
+	case PAM_NEW_AUTHTOK_REQD:
 		if (**prompts != NULL) {
 			/* drain any accumulated messages */
 #if 0 /* XXX - not compatible with privsep */
@@ -434,7 +435,12 @@
 			xfree(**prompts);
 			**prompts = NULL;
 		}
-		if (type == PAM_SUCCESS) {
+
+		if (sshpam_err == PAM_NEW_AUTHTOK_REQD)
+			flag_password_change_required();
+
+		if (type == PAM_SUCCESS ||
+		    type == PAM_NEW_AUTHTOK_REQD) {
 			*num = 0;
 			**echo_on = 0;
 			ctxt->pam_done = 1;

From girardet at nz1.ibm.com Thu Oct 9 13:57:06 2003
From: girardet at nz1.ibm.com (Andreas Girardet)
Date: Thu, 9 Oct 2003 04:57:06 +0100
Subject: kerberos + gssapi password change
Message-ID:

Darren

Thanks so much for looking into this. Unfortunately your patch did not work. I had to actually apply it manually. In the meantime I also tried to switch privsep off, but this did not help either. Any special debugging I can send you?

Andreas

From dtucker at zip.com.au Thu Oct 9 14:10:29 2003
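Review bot: the second hunk of the auth-pam.c patch promotes PAM_NEW_AUTHTOK_REQD to a successful keyboard-interactive result (`*num = 0; ctxt->pam_done = 1;` now runs for `type == PAM_NEW_AUTHTOK_REQD` as well as for PAM_SUCCESS), so a user whose authentication token has expired is marked authenticated on the strength of `flag_password_change_required()` alone; before accepting this, confirm that the flag is actually enforced later (forced password change, no ordinary shell) before a session is opened, otherwise token expiry stops being enforced at all. The two new tests also key off different variables, `sshpam_err == PAM_NEW_AUTHTOK_REQD` for setting the flag and `type == PAM_NEW_AUTHTOK_REQD` for the success path; if the two can differ at this point the login could complete without the flag being set, so test one variable in both places.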
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 09 Oct 2003 14:10:29 +1000
Subject: kerberos + gssapi password change
References:
Message-ID: <3F84DFB5.376A503A@zip.com.au>

Andreas Girardet wrote:
> Thanks so much for looking into this. Unfortunately your patch did not
> work. I had to actually apply it manually. In the meantime I also tried to
> switch privsep off, but this did not help either. Any special debugging I
> can send you?

As far as I can tell, your PAM module is failing to authenticate even though it should (it should then return PAM_NEW_AUTHTOK_REQD in the session module).

What's the PAM config look like?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From michael.leelun at citigroup.com Thu Oct 9 23:20:36 2003
From: michael.leelun at citigroup.com (Lee-Lun, Michael [IT])
Date: Thu, 9 Oct 2003 09:20:36 -0400
Subject: openssh-3-7-1p2: sftp issue from Cygwin Build
Message-ID:

It's commented out.

Mike

/* Define in your struct dirent expects you to allocate extra space for d_name */
/* #undef BROKEN_ONE_BYTE_DIRENT_D_NAME */

-----Original Message-----
From: Tim Rice [mailto:tim at multitalents.net]
Sent: Wednesday, October 08, 2003 6:05 PM
To: Lee-Lun, Michael [IT]
Cc: openssh-unix-dev at mindrot.org
Subject: RE: openssh-3-7-1p2: sftp issue from Cygwin Build

On Wed, 8 Oct 2003, Lee-Lun, Michael [IT] wrote:

> Anyone have any problems with sftp-server on 3.7.1p2? When I sftp to the
> server I get this when I do an ls -l:
>
> sftp> ls -l
> ?-w-rwxrwx 0 1 16832 3 Oct 26 1993

What does the BROKEN_ONE_BYTE_DIRENT_D_NAME line in your config.h say?

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From hayward at slothmud.org Fri Oct 10 01:17:27 2003
From: hayward at slothmud.org (hayward at slothmud.org)
Date: Thu, 9 Oct 2003 10:17:27 -0500 (CDT)
Subject: Key-based auth fails - OpenSSH 3.7.1p2 (cygwin)
Message-ID:

Hey all, Maybe someone has seen my problem before with OpenSSH under cygwin. I'm trying to use key-based authentication and it's failing.

Configuration, permissions and -ddd information is provided in this email.

Thanks,
Brian Hayward

---------- Forwarded message ----------
Date: Thu, 9 Oct 2003 10:12:47 -0500 (CDT)
From: hayward at slothmud.org
To: cygwin at cygwin.com
Subject: Re: Key-based auth fails - OpenSSH 3.7.1p2

More information on file permissions:
ls -ld /
drwxrwxrwt+ 9 Administ ???????? 4096 Oct 9 08:57 /

ls -ld /home
drwxr-xr-x+ 5 Administ SYSTEM 0 Oct 9 10:07 /home

ls -ld /home/hayward
drwx------+ 3 hayward Administ 0 Oct 9 10:07 /home/hayward

ls -altr /home/hayward/.ssh
total 4
-rw------- 1 hayward Administ 618 Oct 9 09:40 authorized_keys
-rw-r--r-- 1 hayward Administ 1228 Oct 9 09:40 known_hosts
drwx------+ 2 hayward Administ 4096 Oct 9 09:41 .
-rw------- 1 hayward Administ 618 Oct 9 09:41 authorized_keys2
drwx------+ 3 hayward Administ 0 Oct 9 10:07 ..

Here are the sshd_config params not commented out:
Port 22
StrictModes no
Subsystem sftp /usr/sbin/sftp-server

*** No matter what I do with filesystem permissions, I can't get ssh key-based authentication to work. I have tried both with StrictModes no and yes.

Here is the output of sshd -ddd pertaining to key-based authentication:
debug1: userauth-request for user hayward service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x100f4158
debug1: temporarily_use_uid: 132690/513 (e=18/544)
debug1: trying public key file /home/hayward/.ssh/authorized_keys
debug1: restore_uid: (unprivileged)
debug1: temporarily_use_uid: 132690/513 (e=18/544)
debug1: trying public key file /home/hayward/.ssh/authorized_keys
debug1: restore_uid: (unprivileged)
debug3: mm_answer_keyallowed: key 0x100f4158 is disallowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for hayward from 10.10.10.10 port 57461 ssh2

Any suggestions?

Thanks,
Brian Hayward

From vinschen at redhat.com Fri Oct 10 02:42:17 2003
From: vinschen at redhat.com (Corinna Vinschen)
Date: Thu, 9 Oct 2003 18:42:17 +0200
Subject: Key-based auth fails - OpenSSH 3.7.1p2 (cygwin)
In-Reply-To:
References:
Message-ID: <20031009164217.GC14344@cygbert.vinschen.de>

On Thu, Oct 09, 2003 at 10:17:27AM -0500, hayward at slothmud.org wrote:
> Hey all, Maybe someone has seen my problem before with OpenSSH under
> cygwin. I'm trying to use key-based authentication and it's failing.
>
> Configuration, permissions and -ddd information is provided in this email.
>
> Thanks,
> Brian Hayward
>
> ---------- Forwarded message ----------
> Date: Thu, 9 Oct 2003 10:12:47 -0500 (CDT)
> From: hayward at slothmud.org
> To: cygwin at cygwin.com
> Subject: Re: Key-based auth fails - OpenSSH 3.7.1p2
>
>
> More information on file permissions:
> ls -ld /
> drwxrwxrwt+ 9 Administ ???????? 4096 Oct 9 08:57 /
>
> ls -ld /home
> drwxr-xr-x+ 5 Administ SYSTEM 0 Oct 9 10:07 /home
>
> ls -ld /home/hayward
> drwx------+ 3 hayward Administ 0 Oct 9 10:07 /home/hayward
>
> ls -altr /home/hayward/.ssh
> total 4
> -rw------- 1 hayward Administ 618 Oct 9 09:40 authorized_keys
> -rw-r--r-- 1 hayward Administ 1228 Oct 9 09:40 known_hosts
> drwx------+ 2 hayward Administ 4096 Oct 9 09:41 .
> -rw------- 1 hayward Administ 618 Oct 9 09:41 authorized_keys2
> drwx------+ 3 hayward Administ 0 Oct 9 10:07 ..

SYSTEM needs read access to your authorized_keys file. Try

setfacl -m u:system:r-- ~ ~/.ssh ~/.ssh/authorized_keys

Corinna

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.

From hayward at slothmud.org Fri Oct 10 03:08:32 2003
From: hayward at slothmud.org (hayward at slothmud.org)
Date: Thu, 9 Oct 2003 12:08:32 -0500 (CDT)
Subject: Key-based auth fails - OpenSSH 3.7.1p2 (cygwin)
In-Reply-To: <20031009164217.GC14344@cygbert.vinschen.de>
Message-ID:

Wonderful, that fixed it for me.

Thanks!
Brian Hayward

>On Thu, Oct 09, 2003 at 10:17:27AM -0500, hayward at slothmud.org wrote:
>> Hey all, Maybe someone has seen my problem before with OpenSSH under
>> cygwin. I'm trying to use key-based authentication and it's failing.
>>
>> Configuration, permissions and -ddd information is provided in this email.
>>
>> Thanks,
>> Brian Hayward
>>
>> ---------- Forwarded message ----------
>> Date: Thu, 9 Oct 2003 10:12:47 -0500 (CDT)
>> From: hayward at slothmud.org
>> To: cygwin at cygwin.com
>> Subject: Re: Key-based auth fails - OpenSSH 3.7.1p2
>>
>>
>> More information on file permissions:
>> ls -ld /
>> drwxrwxrwt+ 9 Administ ???????? 4096 Oct 9 08:57 /
>>
>> ls -ld /home
>> drwxr-xr-x+ 5 Administ SYSTEM 0 Oct 9 10:07 /home
>>
>> ls -ld /home/hayward
>> drwx------+ 3 hayward Administ 0 Oct 9 10:07 /home/hayward
>>
>> ls -altr /home/hayward/.ssh
>> total 4
>> -rw------- 1 hayward Administ 618 Oct 9 09:40 authorized_keys
>> -rw-r--r-- 1 hayward Administ 1228 Oct 9 09:40 known_hosts
>> drwx------+ 2 hayward Administ 4096 Oct 9 09:41 .
>> -rw------- 1 hayward Administ 618 Oct 9 09:41 authorized_keys2
>> drwx------+ 3 hayward Administ 0 Oct 9 10:07 ..
>
>SYSTEM needs read access to your authorized_keys file. Try
>
> setfacl -m u:system:r-- ~ ~/.ssh ~/.ssh/authorized_keys
>
>Corinna
>
>

From girardet at nz1.ibm.com Fri Oct 10 05:28:07 2003
From: girardet at nz1.ibm.com (Andreas Girardet)
Date: Thu, 9 Oct 2003 20:28:07 +0100
Subject: kerberos + gssapi password change
Message-ID:

PAM config looks like this for sshd

#################################################
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_limits.so
session optional /lib/security/pam_console.so
password required /lib/security/pam_cracklib.so retry=3 type=

system auth:
######################################################
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth
auth sufficient /lib/security/pam_krb5.so use_first_pass
auth required /lib/security/pam_deny.so

account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore authinfo_unavail=ignore] /lib/security/pam_ldap.so
account [default=bad success=done user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_krb5.so

password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so use_authtok md5 shadow remember=5
password sufficient /lib/security/pam_krb5.so use_authtok
password required /lib/security/pam_deny.so

session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_krb5.so
########################################

Andreas

From girardet at nz1.ibm.com Fri Oct 10 07:41:45 2003
From: girardet at nz1.ibm.com (Andreas Girardet)
Date: Thu, 9 Oct 2003 22:41:45 +0100
Subject: kerberos + gssapi password change
Message-ID:

Darren

I have narrowed the issue down to be very likely a pam_krb5 issue with the version running on RH ES2.1 and will do some more work on that side. I think I am getting closer .......

Thanks for the help

Andreas

IBM Global Services - New Zealand Linux Team
Linux Infrastructure project
Office: +64-9-359-8761
email: girardet at nz1.ibm.com
13-17 Dundonald Street, Newton, Auckland, New Zealand

From tim at multitalents.net Fri Oct 10 08:01:47 2003
From: tim at multitalents.net (Tim Rice)
Date: Thu, 9 Oct 2003 15:01:47 -0700 (PDT)
Subject: openssh-3-7-1p2: sftp issue from Cygwin Build
In-Reply-To:
References:
Message-ID:

On Thu, 9 Oct 2003, Lee-Lun, Michael [IT] wrote:

> It's commented out.
>
> Mike
>
> /* Define in your struct dirent expects you to allocate extra space for
> d_name */
> /* #undef BROKEN_ONE_BYTE_DIRENT_D_NAME */

Try
#define BROKEN_ONE_BYTE_DIRENT_D_NAME 1

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From jmknoble at pobox.com Fri Oct 10 08:06:39 2003
From: jmknoble at pobox.com (Jim Knoble)
Date: Thu, 9 Oct 2003 18:06:39 -0400
Subject: documentation update?
In-Reply-To: <8AF4C5903AF3C94DBC8B48CAD155B3297CB40A@ademail01.santos.com>
References: <8AF4C5903AF3C94DBC8B48CAD155B3297CB40A@ademail01.santos.com>
Message-ID: <20031009220639.GB24188@crawfish.ais.com>

Circa 2003-10-01 16:30:33 +0930 dixit Iannella, Antonino:

: The INSTALL file in the current distribution has the passphrase request
: at
:
: http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html
:
: maybe this should be changed to
:
: http://www.liquidmeme.net/software/x11-ssh-askpass

No. The correct link to x11-ssh-askpass is:

http://www.pobox.com/~jmknoble/software/x11-ssh-askpass/

and has been since the current release of x11-ssh-askpass about two years ago ( http://www.pobox.com/~jmknoble/software/x11-ssh-askpass/ ). An alternate link is:

http://www.jmknoble.net/software/x11-ssh-askpass/

No other links are guaranteed to exist.

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
"We have guided missiles and misguided men." --Martin Luther King, Jr.

From tim at multitalents.net Fri Oct 10 09:06:07 2003
From: tim at multitalents.net (Tim Rice) Date: Thu, 9 Oct 2003 16:06:07 -0700 (PDT) Subject: Trouble building 3.7.1 In-Reply-To: References: Message-ID: The proper place to ask about OpenSSH on any platform other then OpenBSD is openssh-unix-dev at mindrot.org On Thu, 9 Oct 2003, Neal Vail wrote: > On Irix 6.5.17 with gcc and gnu make > > inet_ntoa.c compilation failed with "inet_ntoa.h" not found error. > Examination > of 'configure' results indicated "inet_ntoa.h" was available. > > Where is it? Suggestions? Use 3.7.1p2. The #include "inet_ntoa.h" line in inet_ntoa.c is bogus, remove it. (fixed in 3.7.1p2) -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From michael.leelun at citigroup.com Fri Oct 10 10:48:30 2003 From: michael.leelun at citigroup.com (Lee-Lun, Michael [IT]) Date: Thu, 9 Oct 2003 20:48:30 -0400 Subject: openssh-3-7-1p2: sftp issue from Cygwin Build Message-ID: I get the same results after recompile. Mike -----Original Message----- From: Tim Rice To: Lee-Lun, Michael [IT] Cc: openssh-unix-dev at mindrot.org Sent: Oct 9, 2003 6:01p Subject: RE: openssh-3-7-1p2: sftp issue from Cygwin Build On Thu, 9 Oct 2003, Lee-Lun, Michael [IT] wrote: > It's commented out. > > Mike > > /* Define in your struct dirent expects you to allocate extra space for > d_name */ > /* #undef BROKEN_ONE_BYTE_DIRENT_D_NAME */ Try #define BROKEN_ONE_BYTE_DIRENT_D_NAME 1 -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From tim at multitalents.net Fri Oct 10 12:17:01 2003 From: tim at multitalents.net (Tim Rice) Date: Thu, 9 Oct 2003 19:17:01 -0700 (PDT) Subject: openssh-3-7-1p2: sftp issue from Cygwin Build In-Reply-To: References: Message-ID: On Thu, 9 Oct 2003, Lee-Lun, Michael [IT] wrote: > I get the same results after recompile. I didn't really expect it to work but it was worth a try. Is your Cygwin up to date? > > Mike > > -----Original Message----- 
> From: Tim Rice
> To: Lee-Lun, Michael [IT]
> Cc: openssh-unix-dev at mindrot.org
> Sent: Oct 9, 2003 6:01p
> Subject: RE: openssh-3-7-1p2: sftp issue from Cygwin Build
>
> On Thu, 9 Oct 2003, Lee-Lun, Michael [IT] wrote:
>
> > It's commented out.
> >
> > Mike
> >
> > /* Define in your struct dirent expects you to allocate extra space for
> > d_name */
> > /* #undef BROKEN_ONE_BYTE_DIRENT_D_NAME */
>
> Try
> #define BROKEN_ONE_BYTE_DIRENT_D_NAME 1

-- 
Tim Rice Multitalents (707) 887-1469 tim at multitalents.net

From vinschen at redhat.com Fri Oct 10 18:45:45 2003
From: vinschen at redhat.com (Corinna Vinschen)
Date: Fri, 10 Oct 2003 10:45:45 +0200
Subject: openssh-3-7-1p2: sftp issue from Cygwin Build
In-Reply-To:
References:
Message-ID: <20031010084545.GI14344@cygbert.vinschen.de>

On Thu, Oct 09, 2003 at 07:17:01PM -0700, Tim Rice wrote:
> On Thu, 9 Oct 2003, Lee-Lun, Michael [IT] wrote:
>
> > I get the same results after recompile.
>
> I didn't really expect it to work but it was worth a try.
>
> Is your Cygwin up to date?

Good question. I don't see that problem with sftp-server. The
BROKEN_ONE_BYTE_DIRENT_D_NAME stuff is not broken on Cygwin. It would
be more interesting to see what a local ls -l of the same file shows.

Corinna

-- 
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.

From Martin.Kraemer at Fujitsu-Siemens.com Fri Oct 10 20:28:23 2003
From: Martin.Kraemer at Fujitsu-Siemens.com (Martin Kraemer)
Date: Fri, 10 Oct 2003 12:28:23 +0200
Subject: slogin -n
Message-ID: <20031010102823.GB38360@deejai2.mch.fsc.net>

slogin "deadlocks" if you invoke it with the (useless, but legal) switch
"-n". stdin is not passed to it (and the local ssh process ignores stdin),
so it is not possible to kill it using <<~.>>

Should the "-n" switch be disallowed for an interactive invocation?

Martin
-- 
| Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730 Munich, Germany

From kumar_ind at HotPOP.com Fri Oct 10 21:52:44 2003
From: kumar_ind at HotPOP.com (Kumaresh)
Date: Fri, 10 Oct 2003 17:22:44 +0530
Subject: slogin -n
References: <20031010102823.GB38360@deejai2.mch.fsc.net>
Message-ID: <013c01c38f25$0a5991f0$230110ac@kurco>

Hi All,

I have a doubt. I am using OpenSSH-3.6.1p2. I have patched the source with
simon's GSSAPI patch. My configuration in the ssh_config has a line
"GssApiAuthentication no"

Now, even though I am NOT using the GSSAPI authentication, when I run the
ssh in my machine to a sshd server, I am getting "Couldn't import
hostname", and the client connection aborts.

When I browse the code, this is from kexgssc.c line #69 in function
"kexgss_client". This is basically when the ssh_gssapi_import_name( ) is
called. But I could not capture this in gdb.

Could anyone shed some light on when the kexgss_client will be called and
what could be the reason for this error [mentioned above]?

Advance thanks
Kumaresh.

----- Original Message -----
From: "Martin Kraemer"
To: "OpenSSH Devel List"
Sent: Friday, October 10, 2003 3:58 PM
Subject: slogin -n

> slogin "deadlocks" if you invoke it with the (useless, but legal)
> switch "-n". stdin is not passed to it (and the local ssh process
> ignores stdin), so it is not possible to kill it using <<~.>>
>
> Should the "-n" switch be disallowed for an interactive invocation?
>
> Martin
> --
> | Fujitsu Siemens
> Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730 Munich, Germany
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.520 / Virus Database: 318 - Release Date: 9/18/2003

From kumar_ind at HotPOP.com Fri Oct 10 21:55:31 2003
From: kumar_ind at HotPOP.com (Kumaresh)
Date: Fri, 10 Oct 2003 17:25:31 +0530
Subject: couldnot import hostname error with ssh - NO Gssapiauthentication
References: <20031010102823.GB38360@deejai2.mch.fsc.net>
Message-ID: <013f01c38f25$6a8970e0$230110ac@kurco>

****************************************************************************
Sorry for the previous mail with wrong subject. That was mistakenly sent.
****************************************************************************

Hi All,

I have a doubt. I am using OpenSSH-3.6.1p2. I have patched the source with
simon's GSSAPI patch. My configuration in the ssh_config has a line
"GssApiAuthentication no"

Now, even though I am NOT using the GSSAPI authentication, when I run the
ssh in my machine to a sshd server, I am getting "Couldn't import
hostname", and the client connection aborts.

When I browse the code, this is from kexgssc.c line #69 in function
"kexgss_client". This is basically when the ssh_gssapi_import_name( ) is
called. But I could not capture this in gdb.

Could anyone shed some light on when the kexgss_client will be called and
what could be the reason for this error [mentioned above]?

Advance thanks
Kumaresh.

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.520 / Virus Database: 318 - Release Date: 9/18/2003

From djm at mindrot.org Sat Oct 11 18:49:35 2003
From: djm at mindrot.org (Damien Miller)
Date: Sat, 11 Oct 2003 08:49:35 -0000
Subject: test, please ignore
Message-ID: <1065862047.19683.0.camel@sakura.mindrot.org>

Just testing the list's spam filter. Nothing to see here, please move
along...

From dtucker at zip.com.au Sat Oct 11 19:44:54 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 11 Oct 2003 19:44:54 +1000
Subject: PAM sessions and conversation functions
References: <20030923225629.GB27077@riva.ucam.org>
Message-ID: <3F87D116.A9FD1BDA@zip.com.au>

Colin Watson wrote:
>
> In OpenSSH 3.6.1p2, pam_open_session() ran with a conversation function,
> do_pam_conversation(), that fed text to the client. In OpenSSH 3.7.1p2,
> this is no longer the case: session modules run with a conversation
> function that just returns PAM_CONV_ERR. This means that simple session
> modules whose job involves printing text on the user's terminal no
> longer work: pam_lastlog, pam_mail, and pam_motd.
>
> Can somebody explain to me why this change was made (as part of the
> FreeBSD PAM merge, apparently), or if it was a mistake? I realize that
> session modules are now run as root, but I'd have thought that modules
> should be trusted code and don't need to have their output sanitized.

It appears to be an oversight.

Attached are 2 PAM-related patches. The first appends newlines to the PAM
messages from pam_chauthtok_conv(), and the second uses pam_chauthtok_conv()
as the session conversation function.

The reason for the first is trivial: the conversation function is supposed
to supply newlines if necessary, but currently doesn't.

The second has two purposes: first is that pam_chauthtok_conv will spit the
messages from the session modules onto stdout. The second is that it
appears sometimes (only some patchlevels?) Solaris tries to do a password
change in the session module if the password is expired.

Comments on either?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part -------------- Index: auth-pam.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v retrieving revision 1.76 diff -u -p -r1.76 auth-pam.c --- auth-pam.c 9 Oct 2003 04:20:15 -0000 1.76 +++ auth-pam.c 11 Oct 2003 07:34:58 -0000 @@ -636,14 +636,14 @@ pam_chauthtok_conv(int n, const struct p reply[i].resp_retcode = PAM_SUCCESS; break; case PAM_PROMPT_ECHO_ON: - fputs(PAM_MSG_MEMBER(msg, i, msg), stderr); + fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, i, msg)); fgets(input, sizeof input, stdin); reply[i].resp = xstrdup(input); reply[i].resp_retcode = PAM_SUCCESS; break; case PAM_ERROR_MSG: case PAM_TEXT_INFO: - fputs(PAM_MSG_MEMBER(msg, i, msg), stderr); + fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, i, msg)); reply[i].resp_retcode = PAM_SUCCESS; break; default: -------------- next part -------------- Index: auth-pam.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v retrieving revision 1.76 diff -u -p -r1.76 auth-pam.c --- auth-pam.c 9 Oct 2003 04:20:15 -0000 1.76 +++ auth-pam.c 11 Oct 2003 07:36:04 -0000 @@ -551,21 +551,6 @@ do_pam_account(void) } void -do_pam_session(void) -{ - sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, - (const void *)&null_conv); - if (sshpam_err != PAM_SUCCESS) - fatal("PAM: failed to set PAM_CONV: %s", - pam_strerror(sshpam_handle, sshpam_err)); - sshpam_err = pam_open_session(sshpam_handle, 0); - if (sshpam_err != PAM_SUCCESS) - fatal("PAM: pam_open_session(): %s", - pam_strerror(sshpam_handle, sshpam_err)); - sshpam_session_open = 1; -} - -void do_pam_set_tty(const char *tty) { if (tty != NULL) { 
@@ -662,6 +647,8 @@ pam_chauthtok_conv(int n, const struct p return (PAM_CONV_ERR); } +static struct pam_conv chauthtok_conv = { pam_chauthtok_conv, NULL }; + /* * XXX this should be done in the authentication phase, but ssh1 doesn't * support that @@ -669,15 +656,10 @@ pam_chauthtok_conv(int n, const struct p void do_pam_chauthtok(void) { - struct pam_conv pam_conv; - - pam_conv.conv = pam_chauthtok_conv; - pam_conv.appdata_ptr = NULL; - if (use_privsep) fatal("Password expired (unable to change with privsep)"); sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, - (const void *)&pam_conv); + (const void *)&chauthtok_conv); if (sshpam_err != PAM_SUCCESS) fatal("PAM: failed to set PAM_CONV: %s", pam_strerror(sshpam_handle, sshpam_err)); @@ -686,6 +668,21 @@ do_pam_chauthtok(void) if (sshpam_err != PAM_SUCCESS) fatal("PAM: pam_chauthtok(): %s", pam_strerror(sshpam_handle, sshpam_err)); +} + +void +do_pam_session(void) +{ + sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, + (const void *)&chauthtok_conv); + if (sshpam_err != PAM_SUCCESS) + fatal("PAM: failed to set PAM_CONV: %s", + pam_strerror(sshpam_handle, sshpam_err)); + sshpam_err = pam_open_session(sshpam_handle, 0); + if (sshpam_err != PAM_SUCCESS) + fatal("PAM: pam_open_session(): %s", + pam_strerror(sshpam_handle, sshpam_err)); + sshpam_session_open = 1; } /* From doctor at doctor.nl2k.ab.ca Sun Oct 12 00:59:56 2003 
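Review bot: In the first patch, the PAM_PROMPT_ECHO_ON case now ends the prompt with a newline (`fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, i, msg));`), so the answer the user types into the following `fgets(input, sizeof input, stdin);` lands on the line below the prompt instead of after it; the newline is right for PAM_ERROR_MSG and PAM_TEXT_INFO, but consider leaving the ECHO_ON prompt unterminated. The unchanged `fgets` also keeps the trailing newline in `input`, so `reply[i].resp = xstrdup(input);` hands the module an answer ending in '\n'; stripping it before the xstrdup would make the two halves consistent.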
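Review bot: The second patch moves the whole of `do_pam_session()` below `do_pam_chauthtok()` only so that the new `static struct pam_conv chauthtok_conv = { pam_chauthtok_conv, NULL };` is in scope where it is used; declaring `chauthtok_conv` (with a prototype for `pam_chauthtok_conv`) above the original `do_pam_session` would keep the function order and turn the 15-line move into a two-line change. It is also worth stating in the change description that session modules now run with a conversation whose PAM_PROMPT_ECHO_ON branch reads the answer from sshd's stdin via `fgets`, so a session module that prompts will block there rather than return PAM_CONV_ERR as before.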
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Sat, 11 Oct 2003 08:59:56 -0600
Subject: test, please ignore
In-Reply-To: <1065862047.19683.0.camel@sakura.mindrot.org>
References: <1065862047.19683.0.camel@sakura.mindrot.org>
Message-ID: <20031011145956.GA12843@doctor.nl2k.ab.ca>

On Sat, Oct 11, 2003 at 06:47:28PM +1000, Damien Miller wrote:
> Just testing the list's spam filter. Nothing to see here, please move
> along...
>

Need help. Some of us might be able to assist.

> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
Member - Liberal International On 11 Sept 2001 the WORLD was violated.
This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
Society MUST be saved! Extremists must dissolve.
Newfoundland on 21 Oct 2003, VOTE LIBERAL!!

From dtucker at zip.com.au Mon Oct 13 00:28:03 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 13 Oct 2003 00:28:03 +1000
Subject: [PATCH]: Call pam_chauthtok from keyboard-interactive.
Message-ID: <3F8964F3.C7466157@zip.com.au>

Hi All.
This patch calls pam_chauthtok() to change an expired password via PAM
during keyboard-interactive authentication (SSHv2 only). It is tested on
Redhat 8 and Solaris 8.

In theory, it should have simply been a matter of calling pam_chauthtok
with the PAM_CHANGE_EXPIRED_AUTHTOK flag, it'd only change the password
if it's expired, right? From the Solaris pam_chauthtok man page:

[quote]
PAM_CHANGE_EXPIRED_AUTHTOK
    The password service should only update those passwords that have
    aged. If this flag is not passed, all password services should
    update their passwords.
[/quote]

Imagine my complete lack of surprise when this turns out to not be the
case. Even with that flag, Solaris attempts to change the password
regardless of whether or not it's expired. To work around this, I call
do_pam_account early and cache the result to prevent pam_account_mgmt
being called twice.

It works on Redhat. Kind of. The prompts don't have newlines where they
should, and although the password is updated successfully, the
last-changed time isn't, so you'll have to change it at each login.
Annoying, and I don't know why it does that.

Still to do: add newlines to prompt messages as appropriate. Figure out
Linux last-changed problem.

I'm interested in how this breaks on other platforms. Comments?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part -------------- Index: auth-pam.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v retrieving revision 1.76 diff -u -p -r1.76 auth-pam.c --- auth-pam.c 9 Oct 2003 04:20:15 -0000 1.76 +++ auth-pam.c 12 Oct 2003 14:01:45 -0000 @@ -52,6 +52,8 @@ RCSID("$Id: auth-pam.c,v 1.76 2003/10/09 #include "auth-options.h" extern ServerOptions options; +extern Buffer loginmsg; +extern int compat20; #define __unused @@ -117,6 +119,7 @@ static int sshpam_authenticated = 0; static int sshpam_new_authtok_reqd = 0; static int sshpam_session_open = 0; static int sshpam_cred_established = 0; +static int sshpam_account_status = -1; struct pam_ctxt { sp_pthread_t pam_thread; @@ -231,6 +234,15 @@ sshpam_thread(void *ctxtp) sshpam_err = pam_authenticate(sshpam_handle, 0); if (sshpam_err != PAM_SUCCESS) goto auth_fail; + if (compat20) { + if (do_pam_account() && sshpam_new_authtok_reqd) { + sshpam_err = pam_chauthtok(sshpam_handle, + PAM_CHANGE_EXPIRED_AUTHTOK); + if (sshpam_err != PAM_SUCCESS) + goto auth_fail; + sshpam_new_authtok_reqd = 0; /* XXX: reset fwd flags */ + } + } buffer_put_cstring(&buffer, "OK"); ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer); buffer_free(&buffer); @@ -532,11 +544,16 @@ finish_pam(void) u_int do_pam_account(void) { + if (sshpam_account_status != -1) + return (sshpam_account_status); + sshpam_err = pam_acct_mgmt(sshpam_handle, 0); debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err); - if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) - return (0); + if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) { + sshpam_account_status = 0; + return (sshpam_account_status); + } if (sshpam_err == PAM_NEW_AUTHTOK_REQD) { sshpam_new_authtok_reqd = 1; 
@@ -547,7 +564,8 @@ do_pam_account(void) no_x11_forwarding_flag |= 2; } - return (1); + sshpam_account_status = 1; + return (sshpam_account_status); } void From nick at cleaton.net Mon Oct 13 03:32:55 2003 
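Review bot: `extern Buffer loginmsg;` is added in the first hunk but nothing else in this patch references it (the neighbouring `extern int compat20;` is used in the sshpam_thread hunk); drop the declaration or add the use it was meant for, otherwise it is dead code that will confuse the next reader.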
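Review bot: In the sshpam_thread hunk, the success path of pam_chauthtok() clears `sshpam_new_authtok_reqd` but, as the `/* XXX: reset fwd flags */` admits, not the side effects do_pam_account() had already produced when it returned PAM_NEW_AUTHTOK_REQD, including the `no_x11_forwarding_flag |= 2;` visible in the last hunk. After a successful password change the user is no longer in the "must change password" state, so either undo those flag bits here as well or, better, set them only once the change has been found to be still required; leaving them set denies X11 forwarding for the rest of a session whose password is now current.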
From: nick at cleaton.net (Nick Cleaton)
Date: Sun, 12 Oct 2003 18:32:55 +0100
Subject: idea (and patch): connection cookies
Message-ID: <20031012173255.GB27873@lt1.cleaton.net>

I have an idea for a protocol extension to limit the exposure of the
complex crypto code in ssh servers. It's like tcp-wrappers, but based on
a secret token rather than IP address.

Patch against openssh-3.7.1p2:

http://nick.cleaton.net/openssh-cc-0.03.patch

Details
=======

The "Connection Cookies" mechanism is an unofficial ssh protocol extension
designed to prevent attackers who are unable to packet sniff legitimate
sessions from exploiting future ssh server vulnerabilities.

The connection cookie is a shared secret, which the client sends to the
server very early in the conversation. Unless a valid cookie is received
the server drops the connection.

Since the connection cookie mechanism is simple, there is very little
server side code that can be exercised by an attacker without a valid
connection cookie.

Since the connection cookie is transmitted unencrypted, this extension
offers no extra protection against attackers who are able to packet sniff
legitimate sessions.

(very rough) Specification
==========================

An ssh server configured to require a connection cookie must prefix the
28-byte string "RequireSSHConnectionCookie\r\n" to its ident string.

An ssh client configured to send connection cookies must do so only if it
sees this extra line from the server. The client should then prepend the
3-byte string "CC:" followed by the 32-byte connection cookie to its own
version string.

All 32 bytes of the connection cookie must be non-whitespace printable
US-ASCII characters other than doublequote (0x22). This restriction is
intended to simplify the handling of connection cookie values in
configuration files.

If a digest of a passphrase is used as a connection cookie then the
passphrase should be both very hard to guess and uncorrelated with any
other passphrase, password or other sensitive information. Ssh clients
that accept such a connection passphrase and perform the digest internally
must use the MD5 digest algorithm and transmit the cookie as a 32-byte
lowercase hexadecimal string.

Disadvantages
=============

There are a few ways in which an ssh server that requires connection
cookies may be less secure than one that does not:

There may be a vulnerability of some sort in the server side code that
checks the connection cookie. However, that code is very simple so
vulnerabilities are unlikely. The same applies to the client side code
that sends the connection cookie.

If each user has a different connection cookie, then a packet sniffing
attacker will be able to match up connection cookies to determine whether
or not any given pair of sessions belong to the same user. This may make
traffic analysis easier.

If each user is given a different connection cookie, then a packet
sniffing attacker will be able to identify the first connection attempt
that a new user makes. The attacker may choose to attempt to impersonate
the server in these cases, hoping that the new client doesn't yet have
the server's public host key. The ability to confine such attacks to the
first connection attempts of new users may significantly reduce the risk
of detection.

Anyone see any more disadvantages ?

-- 
Nick Cleaton
nick at cleaton.net

From dtucker at zip.com.au Mon Oct 13 10:13:01 2003
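The exchange in the rough specification above, written out as an added example that is not part of Nick's patch: the server's ident prefix, the client's "CC:" + cookie reply sent only when the prefix was seen, and a server check that enforces the 32-byte printable character set, fails closed if its own configured cookie is malformed, and compares in constant time so a wrong cookie is not confirmed one byte at a time. The ident and version strings, the buffer sizes and the sample cookie are constructed for the demo; the MD5-of-passphrase option is not implemented here.

```c
#include <stdio.h>
#include <string.h>

#define CC_SERVER_PREFIX "RequireSSHConnectionCookie\r\n"	/* 28 bytes */
#define CC_CLIENT_PREFIX "CC:"				/* 3 bytes */
#define CC_COOKIE_LEN    32

/* A cookie is exactly 32 printable, non-whitespace US-ASCII bytes, no '"'. */
int cc_valid_cookie(const char *cookie)
{
	size_t i;

	if (cookie == NULL || strlen(cookie) != CC_COOKIE_LEN)
		return 0;
	for (i = 0; i < CC_COOKIE_LEN; i++) {
		unsigned char c = (unsigned char)cookie[i];
		if (c <= 0x20 || c >= 0x7f || c == '"')
			return 0;
	}
	return 1;
}

/* Constant-time comparison: no early exit, so a mismatch in byte 0 costs
 * the same as a mismatch in byte 31. */
static int cc_ct_eq(const char *a, const char *b, size_t n)
{
	unsigned char diff = 0;
	size_t i;

	for (i = 0; i < n; i++)
		diff |= (unsigned char)(a[i] ^ b[i]);
	return diff == 0;
}

/* Server: the ident string a cookie-requiring server sends. */
int cc_server_ident(char *out, size_t outlen, const char *ident)
{
	int n = snprintf(out, outlen, "%s%s", CC_SERVER_PREFIX, ident);

	return n >= 0 && (size_t)n < outlen;
}

/* Client: prepend "CC:" + cookie to its version string only if the server's
 * ident starts with the request line. Returns 1 if a cookie was sent. */
int cc_client_version(char *out, size_t outlen, const char *server_ident,
    const char *version, const char *cookie)
{
	if (strncmp(server_ident, CC_SERVER_PREFIX,
	    strlen(CC_SERVER_PREFIX)) == 0 && cc_valid_cookie(cookie)) {
		snprintf(out, outlen, "%s%s%s", CC_CLIENT_PREFIX, cookie, version);
		return 1;
	}
	snprintf(out, outlen, "%s", version);
	return 0;
}

/* Server: keep the connection only if "CC:" plus a cookie equal to the
 * configured one leads the client's version string; *rest then points at
 * the real version string. A malformed configured cookie fails closed. */
int cc_server_accept(const char *client_version, const char *expected,
    const char **rest)
{
	const char *p;

	if (!cc_valid_cookie(expected))
		return 0;
	if (strncmp(client_version, CC_CLIENT_PREFIX, strlen(CC_CLIENT_PREFIX)) != 0)
		return 0;
	p = client_version + strlen(CC_CLIENT_PREFIX);
	if (strlen(p) < CC_COOKIE_LEN)
		return 0;
	if (!cc_ct_eq(p, expected, CC_COOKIE_LEN))
		return 0;
	if (rest != NULL)
		*rest = p + CC_COOKIE_LEN;
	return 1;
}

/* Whole exchange: server announces, client answers, server decides.
 * Returns 1 if the server would keep the connection. */
int cc_exchange(const char *server_cookie, const char *client_cookie)
{
	char ident[128], version[128];
	const char *rest = NULL;

	if (!cc_server_ident(ident, sizeof ident, "SSH-2.0-OpenSSH_3.7.1p2\r\n"))
		return 0;
	cc_client_version(version, sizeof version, ident,
	    "SSH-2.0-OpenSSH_3.7.1p2\r\n", client_cookie);
	if (!cc_server_accept(version, server_cookie, &rest))
		return 0;
	return strncmp(rest, "SSH-", 4) == 0;
}

int main(void)
{
	/* Constructed 32-byte cookie; a real one is random, not a pattern. */
	const char *good = "0123456789abcdef0123456789abcdef";
	const char *bad = "ffffffffffffffffffffffffffffffff";

	printf("matching cookie accepted: %d\n", cc_exchange(good, good));
	printf("wrong cookie accepted:    %d\n", cc_exchange(good, bad));
	printf("no cookie accepted:       %d\n", cc_exchange(good, "none"));
	return 0;
}
```

The validation runs before the comparison on both the configured and the received value, which is what keeps the code path an unauthenticated peer can reach down to a length check, a character-class scan and a fixed 32-byte compare.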
From: dtucker at zip.com.au (Darren Tucker) Date: Mon, 13 Oct 2003 10:13:01 +1000 Subject: [PATCH]: Call pam_chauthtok from keyboard-interactive. References: <3F8964F3.C7466157@zip.com.au> Message-ID: <3F89EE0D.9351A91A@zip.com.au> Darren Tucker wrote: > This patch calls pam_chauthtok() to change an expired password via PAM > during keyboard-interactive authentication (SSHv2 only). It is tested on > Redhat 8 and Solaris 8. [snip] > Still to do: add newlines to prompt messages as appropriate. Figure out > Linux last-changed problem. This version seems to fix those problems. I suspect that Redhat needed the call to pam_account_mgmt to the last-changed shadow entry ? I'm still interested in feedback about other platforms. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: auth-pam.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v retrieving revision 1.76 diff -u -p -r1.76 auth-pam.c --- auth-pam.c 9 Oct 2003 04:20:15 -0000 1.76 +++ auth-pam.c 13 Oct 2003 00:05:25 -0000 @@ -52,6 +52,8 @@ RCSID("$Id: auth-pam.c,v 1.76 2003/10/09 #include "auth-options.h" extern ServerOptions options; +extern Buffer loginmsg; +extern int compat20; #define __unused @@ -117,6 +119,7 @@ static int sshpam_authenticated = 0; static int sshpam_new_authtok_reqd = 0; static int sshpam_session_open = 0; static int sshpam_cred_established = 0; +static int sshpam_account_status = -1; struct pam_ctxt { sp_pthread_t pam_thread; 
@@ -231,6 +234,15 @@ sshpam_thread(void *ctxtp) sshpam_err = pam_authenticate(sshpam_handle, 0); if (sshpam_err != PAM_SUCCESS) goto auth_fail; + if (compat20) { + if (do_pam_account() && sshpam_new_authtok_reqd) { + sshpam_err = pam_chauthtok(sshpam_handle, + PAM_CHANGE_EXPIRED_AUTHTOK); + if (sshpam_err != PAM_SUCCESS) + goto auth_fail; + sshpam_new_authtok_reqd = 0; /* XXX: reset fwd flags */ + } + } buffer_put_cstring(&buffer, "OK"); ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer); buffer_free(&buffer); @@ -412,9 +424,9 @@ sshpam_query(void *ctx, char **name, cha case PAM_ERROR_MSG: case PAM_TEXT_INFO: /* accumulate messages */ - len = plen + strlen(msg) + 1; + len = plen + strlen(msg) + 2; **prompts = xrealloc(**prompts, len); - plen += snprintf(**prompts + plen, len, "%s", msg); + plen += snprintf(**prompts + plen, len, "%s\n", msg); xfree(msg); break; case PAM_SUCCESS: @@ -532,11 +544,16 @@ finish_pam(void) u_int do_pam_account(void) { + if (sshpam_account_status != -1) + return (sshpam_account_status); + sshpam_err = pam_acct_mgmt(sshpam_handle, 0); debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err); - if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) - return (0); + if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) { + sshpam_account_status = 0; + return (sshpam_account_status); + } if (sshpam_err == PAM_NEW_AUTHTOK_REQD) { sshpam_new_authtok_reqd = 1; @@ -547,7 +564,8 @@ do_pam_account(void) no_x11_forwarding_flag |= 2; } - return (1); + sshpam_account_status = 1; + return (sshpam_account_status); } void From girardet at nz1.ibm.com Mon Oct 13 12:48:09 2003 
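Review bot: In the sshpam_query hunk, `plen += snprintf(**prompts + plen, len, "%s\n", msg);` passes the whole buffer length `len` as the bound while writing at offset `plen`, so the space actually available is `len - plen`; it fits today only because `len = plen + strlen(msg) + 2;` is exact (message, '\n', NUL). Passing `len - plen` as the bound makes the call safe if the size arithmetic ever drifts and documents what the `+ 2` is for.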
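Review bot: The sshpam_thread hunk caches the account result (`sshpam_account_status`) and clears `sshpam_new_authtok_reqd` inside whatever context runs sshpam_thread. If that context is a forked child rather than a real thread (struct pam_ctxt holds an `sp_pthread_t`, which this abstraction allows to be either), neither the cached status nor the cleared flag is visible to the parent, whose own later do_pam_account() will call pam_acct_mgmt() a second time, which is exactly what the cache was added to avoid, and on Solaris may report PAM_NEW_AUTHTOK_REQD again after the password was just changed. Resetting both in the parent when the "OK" reply is received would cover both execution models.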
From: girardet at nz1.ibm.com (Andreas Girardet)
Date: Mon, 13 Oct 2003 03:48:09 +0100
Subject: [PATCH]: Call pam_chauthtok from keyboard-interactive.
Message-ID:

Unfortunately I tried this out on RH ES2.1 and RH 9.0 without success.
The same issue still persists. I am unable to get any pw change prompt.
As a sidenote. I had to apply the patch manually as the diff file did not
patch cleanly on openssh-3.7.1p2.

Cheers

Andreas

IBM Global Services - New Zealand
Linux Team
Linux Infrastructure project
Office: +64-9-359-8761
email: girardet at nz1.ibm.com
13-17 Dundonald Street, Newton, Auckland, New Zealand

From dtucker at zip.com.au Mon Oct 13 12:56:57 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 13 Oct 2003 12:56:57 +1000
Subject: [PATCH]: Call pam_chauthtok from keyboard-interactive.
References:
Message-ID: <3F8A1479.9AB8BE6F@zip.com.au>

Andreas Girardet wrote:
>
> Unfortunately I tried this out on RH ES2.1 and RH 9.0 without success.
> The same issue still persists. I am unable to get any pw change prompt.
> As a sidenote. I had to apply the patch manually as the diff file did
> not patch cleanly on openssh-3.7.1p2.

The patch is against -current, not 3.7.1p2.

This will only work if you authenticate via keyboard-interactive
authentication and PAM.

./configure --with-pam

In sshd_config:
UsePAM yes
ChallengeResponseAuthentication yes

In ssh_config:
PreferredAuthentications=keyboard-interactive.

(BTW, please don't CC: the bounce address).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From Eduard.Itkin at CIBC.com Tue Oct 14 04:38:36 2003
From: Eduard.Itkin at CIBC.com (Itkin, Eduard)
Date: Mon, 13 Oct 2003 14:38:36 -0400
Subject: OpenSSH_3.7.1p2, Solaris 8: non-interactive authentication method prompts for a password
Message-ID: <5142EC56E68BD411AD0B009027E7772B0C682274@gemmrd-scc011eu.gem.cibc.com>

Hi,

The OpenSSH_3.7.1p2, Solaris 8 case: non-interactive authentication method
(publickey) works for root only
-------------------------------------------------------------------------------------

We installed OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7c

We need to copy a file by SFTP from App server to a DB server with
passwordless method.

[cbfe-dev-app01 (client), user cbfesit] -----> [cbfe-dev-db01 (server), user ora817]

The public key was generated on App Server (Client Side):

1. ssh-keygen -t rsa -n 1024 - N ""
2. the file ~cbfesit/.ssh/id_rsa.pub was copied to DB server to
   ~ora817/.ssh/authorized_keys

We should not be prompted for the password from that point, however we
do ...

We were not able to configure to allow passwordless logins for ordinary
users, but it works fine for the user root !!!

The /usr/local/etc/ssh_config and /usr/local/etc/sshd_config files from DB
server are attached to that e-mail. The files have not been touched since
the OpenSSH package has been installed.

-----------------------------------------------------------------
non-interactive authentication method for user root works fine (see below)
------------------------------------------------------------

=> su -
Password:
Sun Microsystems Inc. SunOS 5.8 Generic February 2000
Unauthorized access and use strictly prohibited.
# sftp -v root at cbfe-dev-db01
Connecting to cbfe-dev-db01...
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Connecting to cbfe-dev-db01 [10.2.194.23] port 22.
debug1: Connection established.
debug1: identity file /.ssh/id_rsa type 1
debug1: identity file /.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.7.1p2
debug1: match: OpenSSH_3.7.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'cbfe-dev-db01' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending subsystem: sftp

-----------------------------------------------------------------
non-interactive authentication method for an ordinary user fails, and
prompts for the password (see below)
------------------------------------------------------------

sftp -v ora817 at cbfe-dev-db01
Connecting to cbfe-dev-db01...
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Connecting to cbfe-dev-db01 [10.2.194.23] port 22.
debug1: Connection established.
debug1: identity file /appdata/wls/cbfe/config/cbfesit/.ssh/id_rsa type 1
debug1: identity file /appdata/wls/cbfe/config/cbfesit/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.7.1p2
debug1: match: OpenSSH_3.7.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'cbfe-dev-db01' is known and matches the RSA host key.
debug1: Found key in /appdata/wls/cbfe/config/cbfesit/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /appdata/wls/cbfe/config/cbfesit/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /appdata/wls/cbfe/config/cbfesit/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
ora817 at cbfe-dev-db01's password:

Your input to the case will be appreciated.

Thanks,
Eduard.Itkin at cibc.com
Bus:416.784.8619
Environment Lead, CIBC Front End (CBFE)
Canadian Imperial Bank of Commerce
750 Lawrence Ave W. E5, Toronto, ON, M6A 1B8
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssh_config
Type: application/octet-stream
Size: 1159 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20031013/9dce152b/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sshd_config
Type: application/octet-stream
Size: 2496 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20031013/9dce152b/attachment-0001.obj

From Mark_A_Khan at raytheon.com Tue Oct 14 07:14:31 2003
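A check to go with this report, added here and not from the thread: in the second trace the server neither accepts the offered key nor errors out, the client simply moves on to keyboard-interactive. One common cause of exactly that pattern is sshd's StrictModes test (on by default): the remote account's home directory, ~/.ssh or authorized_keys is group- or world-writable or not owned by the user, sshd refuses the key with "bad ownership or modes" in the server log, and the client falls through to the next method. Root's home typically passes that test while an application account's does not. The program below applies the same ownership and mode rules to a constructed throwaway home tree (the directory names and the placeholder key file are made up for the demo); pointing ak_check_home() at the real home directory on the DB server shows what sshd would reject.

```c
#include <sys/stat.h>
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Result codes for one checked path. */
enum { AK_OK = 0, AK_MISSING = 1, AK_BAD_OWNER = 2, AK_WRITABLE = 3 };

/* One path, checked the way sshd's StrictModes does: it must exist, be
 * owned by the user (root is tolerated, as sshd does), and must not be
 * writable by group or others. */
int ak_check_one(const char *path, uid_t uid)
{
	struct stat st;

	if (stat(path, &st) == -1)
		return AK_MISSING;
	if (st.st_uid != uid && st.st_uid != 0)
		return AK_BAD_OWNER;
	if (st.st_mode & (S_IWGRP | S_IWOTH))
		return AK_WRITABLE;
	return AK_OK;
}

/* Check home, home/.ssh and home/.ssh/authorized_keys in that order and
 * stop at the first failure; 'which' (optional) receives the failing path. */
int ak_check_home(const char *home, uid_t uid, char *which, size_t whichlen)
{
	static const char *suffix[] = { "", "/.ssh", "/.ssh/authorized_keys" };
	char path[1024];
	size_t i;
	int rc;

	for (i = 0; i < 3; i++) {
		snprintf(path, sizeof path, "%s%s", home, suffix[i]);
		rc = ak_check_one(path, uid);
		if (rc != AK_OK) {
			if (which != NULL)
				snprintf(which, whichlen, "%s", path);
			return rc;
		}
	}
	return AK_OK;
}

/* Demo only: build a throwaway home tree under $TMPDIR (or /tmp). With
 * break_it set, .ssh is made group-writable, the classic misconfiguration.
 * Returns a malloc'd path; this is constructed input, not a real account. */
char *ak_demo_home(int break_it)
{
	static int counter = 0;
	const char *tmp = getenv("TMPDIR");
	char *home = malloc(1024);
	char path[1024];
	FILE *f;

	if (home == NULL)
		abort();
	snprintf(home, 1024, "%s/akdemo-%ld-%d", tmp != NULL ? tmp : "/tmp",
	    (long)getpid(), counter++);
	if (mkdir(home, 0700) == -1)
		abort();
	chmod(home, 0755);
	snprintf(path, sizeof path, "%s/.ssh", home);
	mkdir(path, 0700);
	if (break_it)
		chmod(path, 0770);
	snprintf(path, sizeof path, "%s/.ssh/authorized_keys", home);
	if ((f = fopen(path, "w")) != NULL) {
		fputs("# constructed placeholder, no real key\n", f);
		fclose(f);
	}
	chmod(path, 0600);
	return home;
}

int main(void)
{
	const char *why[] = { "ok", "missing", "not owned by user or root",
	    "writable by group or others" };
	char which[1024];
	int i;

	for (i = 0; i < 2; i++) {
		char *home = ak_demo_home(i);
		int rc = ak_check_home(home, getuid(), which, sizeof which);

		printf("%s: %s (%s)\n", home, why[rc], rc ? which : "-");
		free(home);
	}
	return 0;
}
```

The order of the checks matters: sshd walks from the home directory down, so a world-writable home directory is reported before anything under ~/.ssh is even looked at.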
From: Mark_A_Khan at raytheon.com (Mark_A_Khan at raytheon.com)
Date: Mon, 13 Oct 2003 17:14:31 -0400
Subject: OpenSSH 3.4p1 and OpenSSL
Message-ID:

Ladies and Gentlemen;

I have multiple systems where all I can find is the OpenSSH 3.4p1 installed
without the OpenSSL libraries. I have other systems that have OpenSSH 3.4p1
with OpenSSL 0.9.6e and other systems with OpenSSH 3.6.1p1 and OpenSSL
0.9.7b installed.

I am trying to respond to the following IAVA CERT Advisory CA-2003-26
Multiple Vulnerabilities in SSL/TLS Implementations
Original issue date: October 1, 2003
* OpenSSL versions prior to 0.9.7c and 0.9.6k
* Multiple SSL/TLS implementations
* SSLeay library

If someone could please take the time to answer the following questions, I
would greatly appreciate it.

1. Does OpenSSH 3.4p1 need the OpenSSL libraries to encrypt the data so
   that it can't be seen?

2. If OpenSSH 3.4p1 does not need the OpenSSL libraries to encrypt the
   data so that it can't be seen, then what are the OpenSSL libraries used
   for?

3. I installed the OpenSSH 3.4p1 on a Solaris 8 system without the OpenSSL
   libraries. Once installed I was able to do the following:
   1. Started snoop in a window:
      snoop port 22
   2. I then executed the following command from another window:
      /usr/local/bin/ssh localhost -l mak
   3. I logged in.
   4. When I checked the snoop output there was nothing!

What am I missing here? Should snoop have reported output even if it WAS
or was NOT encrypted? How can I find out what version of the OpenSSL
libraries are being used by the OpenSSH? How do I test OpenSSH to make
sure it is using the OpenSSL libraries? What are the OpenSSL libraries
used for?

I have theorized (guessed) the following:

OpenSSH provides a somewhat generic encrypted secure "tunnel or
connection" between systems.

OpenSSL provides a higher level or grade of encryption of the data being
passed thru the "tunnel or connection" between the systems.

I am planning on updating the libraries on those systems that had previous
version of OpenSSL mentioned above with the openssl 0.9.7c that is supposed
to address the IAVA. Does this mean I will have to recompile the SSH
software on those systems?

Any and all help would be greatly appreciated!

Respectfully;
Mark Khan

From bonnetain at acm.org Tue Oct 14 07:51:04 2003
From: bonnetain at acm.org (Pierre-Yves Bonnetain)
Date: Mon, 13 Oct 2003 23:51:04 +0200
Subject: Problem in sftp 'ls' command output
Message-ID: <3F8B1E48.8010000@acm.org>

Hello,

I have recently moved from OpenSSH 3.6 to 3.7 (portable version) :

[pyb at nihao tmp]$ ssh -v
OpenSSH_3.7p1, SSH protocols 1.5/2.0, OpenSSL 0.9.6h 5 Dec 2002

(okay, the SSL release is a little old but that's not the subject).
I am also using scripts to perform automated sftp transfers between some systems. The 3.7 release of OpenSSH broke my scripts, which made me sad and my customers angry :-(

The main problem I met is in processing 'ls' output. The format changed dramatically WRT my scripts' expectations. Where I got ls-like output previously, now I get :

sftp> ls send
send/.            send/..
send/000000676.lotsend/000000677.lotsend/000000678.lot
send/000000679.lotsend/000000680.lotsend/000000681.lotsend/000000682.lotsend/endfile

[my shitty wrapping email client could make the problem not obvious. Here it is : the file names are concatenated, without spaces in-between]

Known problem ? If so, my apologies. If not, I did a little homework and found that the sftp-int.c/do_ls_dir function seems to be the culprit. We have first :

--------
	if (!(lflag & SHORT_VIEW)) {
		int m = 0, width = 80;
		struct winsize ws;

		/* Count entries for sort and find longest filename */
		for (n = 0; d[n] != NULL; n++)
			m = MAX(m, strlen(d[n]->filename));

		if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1)
			width = ws.ws_col;

		columns = width / (m + 2);
		columns = MAX(columns, 1);
		colspace = width / columns;
	}
--------

which aims to compute the column width and column spacing.
But when printing, a few lines below, we perform :

--------
		tmp = path_append(path, d[n]->filename);
		fname = path_strip(tmp, strip_path);
		xfree(tmp);

		if (lflag & LONG_VIEW) {
			/* irrelevant code */
		} else {
			printf("%-*s", colspace, fname);
			if (c >= columns) {
				printf("\n");
				c = 1;
			} else
				c++;
		}
--------

What it boils down to is that column width and spacing are computed on filenames, but we print path + filename. So the column width is wrong in almost all cases.

Here is a short patch. Warning : I assumed path and strip_path are never NULL and that strip_path is never "bigger" than path. So I did NO control. This may be a little rough... I bet there are some better ways out, if this is really an error and not a misunderstanding on my part.

Hth,
-- 
Pierre-Yves Bonnetain
B&A Consultants - Networks and Computers Security
Phone : +33 (0) 563 277 241 - Fax : +33 (0) 563 277 245

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-diff
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20031013/bb412f6a/attachment.ksh

From Darren.Moffat at Sun.COM Tue Oct 14 08:44:55 2003
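The column computation the report above walks through, as an added example that is neither from the original post nor OpenSSH's own code: a stand-alone C program that sizes the columns the way do_ls_dir() does, once from the bare filenames (the 3.7 behaviour) and once counting the printed "dir/" prefix as well, and reports when the padded entries collide. strip_prefix() is a simplified stand-in for sftp's path_strip(), and the names, path and 80-column width are constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX(a, b) ((a) > (b) ? (a) : (b))

/* Constructed sample: roughly what "sftp> ls send" sees with cwd /home/pyb. */
static const char *sample_names[] = {
	".", "..", "000000676.lot", "000000677.lot", "000000678.lot", "endfile"
};
#define SAMPLE_COUNT (sizeof(sample_names) / sizeof(sample_names[0]))
static const char *sample_path = "/home/pyb/send";	/* do_ls_dir's path */
static const char *sample_strip = "/home/pyb";		/* its strip_path */
static const int sample_width = 80;			/* ws.ws_col */

/* Simplified stand-in for sftp's path_strip(): drop the strip_path prefix
 * (and the '/' after it) from path. Assumes strip_path is a prefix of path. */
static const char *strip_prefix(const char *path, const char *strip_path)
{
	size_t sl = strlen(strip_path);
	if (sl > 0 && strncmp(path, strip_path, sl) == 0) {
		path += sl;
		if (*path == '/')
			path++;
	}
	return path;
}

struct layout {
	int columns;	/* entries per row */
	int colspace;	/* field width passed to printf("%-*s", ...) */
	int longest;	/* longest entry as actually printed: "dir/name" */
};

/* Size the columns the way do_ls_dir() does. fixed == 0 measures only the
 * bare filenames (the 3.7 behaviour); fixed == 1 also counts the directory
 * prefix and the '/' that are printed in front of every name. */
struct layout ls_layout(const char **names, size_t n, const char *path,
    const char *strip_path, int width, int fixed)
{
	struct layout l;
	const char *dir = strip_prefix(path, strip_path);
	size_t i, m = 0, prefix = strlen(dir) + (*dir != '\0');
	for (i = 0; i < n; i++)
		m = MAX(m, strlen(names[i]));
	l.longest = (int)(prefix + m);
	if (fixed)
		m += prefix;
	l.columns = width / (int)(m + 2);
	l.columns = MAX(l.columns, 1);
	l.colspace = width / l.columns;
	return l;
}

/* "%-*s" pads to colspace but never truncates, so once the longest entry is
 * at least colspace wide the next one follows with no space in between:
 * the "send/000000676.lotsend/000000677.lot" output in the report. */
int entries_run_together(const struct layout *l)
{
	return l->longest >= l->colspace;
}

/* Wrappers over the constructed sample, used by main() and the checks. */
struct layout sample_layout(int fixed)
{
	return ls_layout(sample_names, SAMPLE_COUNT, sample_path, sample_strip,
	    sample_width, fixed);
}
int sample_columns(int fixed) { return sample_layout(fixed).columns; }
int sample_colspace(int fixed) { return sample_layout(fixed).colspace; }
int sample_runs_together(int fixed)
{
	struct layout l = sample_layout(fixed);
	return entries_run_together(&l);
}

/* Reproduce do_ls_dir()'s print loop for the sample, both ways. */
static void print_listing(int fixed)
{
	struct layout l = sample_layout(fixed);
	const char *dir = strip_prefix(sample_path, sample_strip);
	char fname[256];
	size_t i;
	int c = 1;
	printf("%s: columns=%d colspace=%d\n", fixed ? "fixed" : "3.7", l.columns, l.colspace);
	for (i = 0; i < SAMPLE_COUNT; i++) {
		snprintf(fname, sizeof(fname), "%s%s%s", dir,
		    *dir != '\0' ? "/" : "", sample_names[i]);
		printf("%-*s", l.colspace, fname);
		if (c >= l.columns) {
			printf("\n");
			c = 1;
		} else
			c++;
	}
	if (c != 1)
		printf("\n");
}

int main(void) { print_listing(0); print_listing(1); return 0; }
```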
From: Darren.Moffat at Sun.COM (Darren J Moffat)
Date: Mon, 13 Oct 2003 15:44:55 -0700 (PDT)
Subject: PAM sessions and conversation functions
In-Reply-To: <3F87D116.A9FD1BDA@zip.com.au>
References: <20030923225629.GB27077@riva.ucam.org> <3F87D116.A9FD1BDA@zip.com.au>
Message-ID:

On Sat, 11 Oct 2003, Darren Tucker wrote:
> The second has two purposes: first is that pam_chauthtok_conv will spit
> the messages from the session modules onto stdout. The second is that it
> appears sometimes (only some patchlevels?) Solaris tries to do a password
> change in the session module if the password is expired.

There is no Sun supplied PAM module (bundled or unbundled) that ever tries to do a password change in pam_sm_open_session or pam_sm_close_session; and there never has been.

-- 
Darren J Moffat

From Darren.Moffat at Sun.COM Tue Oct 14 08:46:32 2003
From: Darren.Moffat at Sun.COM (Darren J Moffat)
Date: Mon, 13 Oct 2003 15:46:32 -0700 (PDT)
Subject: [PATCH]: Call pam_chauthtok from keyboard-interactive.
In-Reply-To: <3F8964F3.C7466157@zip.com.au>
References: <3F8964F3.C7466157@zip.com.au>
Message-ID:

On Mon, 13 Oct 2003, Darren Tucker wrote:
> Hi All.
> This patch calls pam_chauthtok() to change an expired password via PAM
> during keyboard-interactive authentication (SSHv2 only). It is tested on
> Redhat 8 and Solaris 8.

Which release of Solaris 8 and what additional patches do you have installed ? What does your pam.conf file look like ? If it has pam_unix.so entries then it is an older Solaris 8; if it has entries that look like pam_unix_auth.so and pam_authtokstore.so then it is a newer Solaris 8.

-- 
Darren J Moffat

From mouring at etoh.eviladmin.org Tue Oct 14 11:47:08 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 13 Oct 2003 20:47:08 -0500 (CDT) Subject: Problem in sftp 'ls' command output In-Reply-To: <3F8B1E48.8010000@acm.org> Message-ID: On Mon, 13 Oct 2003, Pierre-Yves Bonnetain wrote: > Hello, > > I have recently moved from OpenSSH 3.6 to 3.7 (portable version) : > > [pyb at nihao tmp]$ ssh -v > OpenSSH_3.7p1, SSH protocols 1.5/2.0, OpenSSL 0.9.6h 5 Dec 2002 > > (okay, the SSL release is a little old but that's not the subject). > I am also using scripts to perform automated sftp transfers between some > systems. The 3.7 release of OpenSSH broke my scripts, which made me sad > and my customers angry :-( > The main problem I met is in processing 'ls' output. The format changed > dramatically WRT my scripts' expectations. Where I got ls-like output > previously, now I get : > > sftp> ls send > send/. send/.. > send/000000676.lotsend/000000677.lotsend/000000678.lot > send/000000679.lotsend/000000680.lotsend/000000681.lotsend/000000682.lotsend/endfile > Your patch didn't go through, but does this one work? Index: sftp-int.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/sftp-int.c,v retrieving revision 1.63 diff -u -r1.63 sftp-int.c --- sftp-int.c 7 Oct 2003 07:04:16 -0000 1.63 +++ sftp-int.c 14 Oct 2003 01:39:38 -0000 @@ -594,17 +594,24 @@ if (!(lflag & SHORT_VIEW)) { int m = 0, width = 80; struct winsize ws; + char *tmp; /* Count entries for sort and find longest filename */ for (n = 0; d[n] != NULL; n++) m = MAX(m, strlen(d[n]->filename)); + /* Add any subpath that also needs to be counted */ + tmp = path_strip(path, strip_path); + m += strlen(tmp); + xfree(tmp); + if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1) width = ws.ws_col; columns = width / (m + 2); columns = MAX(columns, 1); colspace = width / columns; + colspace = MIN(colspace, width); } qsort(d, n, sizeof(*d), sdirent_comp); From laurent at math.berkeley.edu Tue Oct 14 11:56:07 2003 
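Review bot: the new `m += strlen(tmp);` counts the stripped directory prefix but not the '/' that separates it from the filename once the entry is built with path_append() and printed (the reported output shows entries like "send/000000676.lot"), so the longest printed entry can still be one character wider than m and the two-character gap intended by `columns = width / (m + 2)` shrinks to a single space in the worst case; `m += strlen(tmp) + 1;` (adding the separator only when tmp is non-empty) keeps the intended spacing. The added `colspace = MIN(colspace, width);` is a no-op: columns is already forced to at least 1 by the preceding MAX, so `width / columns` can never exceed width; either drop it or add a comment saying what it guards against.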
From: laurent at math.berkeley.edu (Laurent Bartholdi)
Date: Mon, 13 Oct 2003 18:56:07 -0700 (PDT)
Subject: strange behaviour with ssh / stdin
Message-ID:

hi,
i noted the following strange behaviour using ssh and linux. this is probably a low-priority bug:

# ssh -V
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
# uname -a
Linux funnyfarm 2.4.21-20.1.2024.2.1.nptl #1 Fri Jul 11 06:04:52 EDT 2003 i686 i686 i386 GNU/Linux

# echo Hello | ssh frodo 'cat'
Hello
# echo Hello | ssh frodo 'cat /proc/self/fd/0'
cat: /proc/self/fd/0: No such device or address
# ssh frodo 'ls -l /proc/self/fd/0'
lrwx------    1 root     root           64 Oct 13 18:51 /proc/self/fd/0 -> socket:[27105]

this is a bit surprising: some applications require a file as input, and usually specifying /proc/self/fd/0 allows the standard input to be treated as a file; e.g. some arguments to tar(1) that require a file list. the command above, with 'cat /proc/self/fd/0' as argument, could then be entered as

# echo Hello | ssh frodo 'cat | cat /proc/self/fd/0'
Hello

best, laurent
-- 
Laurent Bartholdi \ laurent at math.berkeley.E-D-U
1073 Evans Hall, Dept of Mathematics \ Phone: +1 (510) 6423529
U.C. Berkeley, CA 94720-3840, U.S.A. \ Fax: +1 (510) 6428204

From dtucker at zip.com.au Tue Oct 14 12:53:56 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 14 Oct 2003 12:53:56 +1000
Subject: PAM sessions and conversation functions
References: <20030923225629.GB27077@riva.ucam.org> <3F87D116.A9FD1BDA@zip.com.au>
Message-ID: <3F8B6544.293B3025@zip.com.au>

Darren J Moffat wrote:
> There is no Sun supplied PAM module (bundled or unbundled) that ever tries
> to do a password change in pam_sm_open_session or pam_sm_close_session; and
> there never has been.

Interesting. I no longer have access to the machine where I saw that behaviour so I can't check its config. I'll mark it up to something odd on that machine. Thanks.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dtucker at zip.com.au Tue Oct 14 13:02:06 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 14 Oct 2003 13:02:06 +1000
Subject: [PATCH]: Call pam_chauthtok from keyboard-interactive.
References: <3F8964F3.C7466157@zip.com.au>
Message-ID: <3F8B672E.BDF8D5E4@zip.com.au>

Darren J Moffat wrote:
> On Mon, 13 Oct 2003, Darren Tucker wrote:
> > Hi All.
> > This patch calls pam_chauthtok() to change an expired password via PAM
> > during keyboard-interactive authentication (SSHv2 only). It is tested on
> > Redhat 8 and Solaris 8.
>
> Which release of Solaris 8 and what additional patches do you have installed ?

2/02 with the recommended patch cluster from 5 Aug 2003.

> What does your pam.conf file look like ? If it has pam_unix.so entries then
> it is an older Solaris 8 if it has entries that look like pam_unix_auth.so
> and pam_authtokstore.so then it is a newer Solaris 8.

$ grep other /etc/pam.conf
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_auth.so.1
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1
other   session required        pam_unix_session.so.1
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dtucker at zip.com.au Tue Oct 14 13:36:35 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 14 Oct 2003 13:36:35 +1000
Subject: PAM sessions and conversation functions
References: <20030923225629.GB27077@riva.ucam.org> <3F87D116.A9FD1BDA@zip.com.au> <3F8B6544.293B3025@zip.com.au>
Message-ID: <3F8B6F43.F6C63FE9@zip.com.au>

Darren Tucker wrote:
> Darren J Moffat wrote:
> > There is no Sun supplied PAM module (bundled or unbundled) that ever tries
> > to do a password change in pam_sm_open_session or pam_sm_close_session; and
> > there never has been.
>
> Interesting. I no longer have access to the machine where I saw that
> behaviour so I can't check its config. I'll mark it up to something odd
> on that machine. Thanks.

The more I think about it the more I think I was wrong. A while back someone reported a problem with one of my earlier password expiry patches. It was a bug in the patch, but the surprising thing was that expiry still worked on some systems. The password was changed at about the point where the session module was invoked and I assumed that it was the session module doing it, because it wasn't my code.

Anyway, details are hazy, but if I ever figure out what was going on I'll post it. Thanks again.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dtucker at zip.com.au Tue Oct 14 14:08:27 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 14 Oct 2003 14:08:27 +1000
Subject: OpenSSH_3.7.1p2, Solaris 8: non-interactive authentication method prompts for a password
References: <5142EC56E68BD411AD0B009027E7772B0C682274@gemmrd-scc011eu.gem.cibc.com>
Message-ID: <3F8B76BB.3F75DE1F@zip.com.au>

"Itkin, Eduard" wrote:
> We were not able to configure to allow
> passwordless logins for an ordinary users, but it works fine for the user
> root !!!

Check the permissions on /home and /home/[user], I suspect you'll find one is group writable.

Also, run the server in debug mode (eg "sshd -ddd -p 2022" then connect with "ssh -p 2022 [options]") as the server will tell you why the authentication was denied.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dtucker at zip.com.au Tue Oct 14 14:19:31 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 14 Oct 2003 14:19:31 +1000
Subject: OpenSSH 3.4p1 and OpenSSL
References:
Message-ID: <3F8B7953.979147AA@zip.com.au>

Mark_A_Khan at raytheon.com wrote:
> I have multiple systems where all I
> can find is the OpenSSH 3.4p1
[snip]
> Implementations Original issue date: October 1, 2003
> * OpenSSL versions prior to 0.9.7c and 0.9.6k
> * Multiple SSL/TLS implementations
> * SSLeay library

You should also upgrade OpenSSH or apply the security patch:
http://www.openssh.com/txt/buffer.adv

> If someone could please take the time to answer the following questions, I
> would greatly appreciate it.
> 1. Does OpenSSH 3.4p1 need the OpenSSL libraries to encrypt the data so
> that it can't been seen?

Yes, but just libcrypto.

> 2. If OpenSSH 3.4p1 does not need the OpenSSL libraries to encrypt the
> data so that it can't been seen, then what is the OpenSSL libraries used
> for?
> 3. I installed the OpenSSH3.4p1 on a Solaris 8 system without the OpenSSL
> libraries. Once installed I was able to do the following:
> 1. Started snoop in a window. snoop port 22
> 1. I then executed the following command from another window :
> /usr/local/bin/ssh localhost -l mak
> 2. I logged in.
> 3. When I checked the snoop output there was nothing!
> What am I missing here?

Solaris can't sniff its loopback interface. Try it between 2 boxes.

> Should snoop have reported output even if it WAS or was NOT encrypted?

You'll see the traffic either way but if it's encrypted you won't (shouldn't!) be able to make sense out of it.

> How can I find out what version of the OpenSSL libraries are being used by
> the OpenSSH?

ssh -V

> How do I test OpenSSH to make sure it is using the OpenSSL libraries?

It won't build without them.

> What are the OpenSSL libraries used for?
> I have theorized (guessed) the following:
> OpenSSH provides a somewhat generic encrypted secure "tunnel or
> connection" between systems.
> OpenSSL provides a higher level or grade of encryption of the data being
> passed thru the "tunnel or connection" between the systems.

OpenSSL is used only for its crypto functions.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From bonnetain at acm.org Tue Oct 14 16:12:33 2003
From: bonnetain at acm.org (Pierre-Yves Bonnetain)
Date: Tue, 14 Oct 2003 08:12:33 +0200
Subject: Problem in sftp 'ls' command output
References:
Message-ID: <3F8B93D1.4070703@acm.org>

Hi Ben,

> Your patch didn't go through, but does this one work?
> Index: sftp-int.c

Yes indeed, as far as I'm concerned it does work (and looks cleaner than my own dirty patch).

Thanks a lot,
-- 
Pierre-Yves Bonnetain
B&A Consultants - Networks and Computers Security
Phone : +33 (0) 563 277 241 - Fax : +33 (0) 563 277 245

From djm at mindrot.org Tue Oct 14 21:04:43 2003
From: djm at mindrot.org (Damien Miller)
Date: Tue, 14 Oct 2003 11:04:43 -0000
Subject: strange behaviour with ssh / stdin
In-Reply-To:
References:
Message-ID: <1066129335.13596.1.camel@sakura.mindrot.org>

On Mon, 2003-10-13 at 19:56, Laurent Bartholdi wrote:
> hi,
> i noted the following strange behaviour using ssh and linux. this is
> probably a low-priority bug:
>
> # ssh -V
> OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
> # uname -a
> Linux funnyfarm 2.4.21-20.1.2024.2.1.nptl #1 Fri Jul 11 06:04:52 EDT 2003 i686 i686 i386 GNU/Linux
>
> # echo Hello | ssh frodo 'cat'
> Hello
> # echo Hello | ssh frodo 'cat /proc/self/fd/0'
> cat: /proc/self/fd/0: No such device or address
> # ssh frodo 'ls -l /proc/self/fd/0'
> lrwx------ 1 root root 64 Oct 13 18:51 /proc/self/fd/0 -> socket:[27105]

This is probably some weird Linux race condition. I can't imagine anything that ssh could do that would cause this.

Does /dev/stdin or /dev/fd/0 work? These are often aliases for the same purpose.

-d

From dtucker at zip.com.au Tue Oct 14 22:24:39 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 14 Oct 2003 22:24:39 +1000
Subject: strange behaviour with ssh / stdin
References: <1066129335.13596.1.camel@sakura.mindrot.org>
Message-ID: <3F8BEB07.CE66E8BB@zip.com.au>

Damien Miller wrote:
> On Mon, 2003-10-13 at 19:56, Laurent Bartholdi wrote:
> > hi,
> > i noted the following strange behaviour using ssh and linux. this is
> > probably a low-priority bug:
> >
> > # ssh -V
> > OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
> > # uname -a
> > Linux funnyfarm 2.4.21-20.1.2024.2.1.nptl #1 Fri Jul 11 06:04:52 EDT 2003 i686 i686 i386 GNU/Linux
> >
> > # echo Hello | ssh frodo 'cat'
> > Hello
> > # echo Hello | ssh frodo 'cat /proc/self/fd/0'
> > cat: /proc/self/fd/0: No such device or address
> > # ssh frodo 'ls -l /proc/self/fd/0'
> > lrwx------ 1 root root 64 Oct 13 18:51 /proc/self/fd/0 -> socket:[27105]
>
> This is probably some weird Linux race condition. I can't imagine
> anything that ssh could do that would cause this.
>
> Does /dev/stdin or /dev/fd/0 work? These are often aliases for the same
> purpose.

On my RH8 box they're all symlinks to the controlling tty if it has one or to some kind of socket descriptor if not (as you noted). The problem appears to be Linux-specific.

$ uname -sr; ls -l /dev/stdin /dev/fd/0 /proc/self/fd/0
Linux 2.4.20-20.8
lrwx------    1 dtucker  dtucker        64 Oct 14 22:06 /dev/fd/0 -> /dev/pts/2
lrwxrwxrwx    1 root     root           17 Mar 31  2003 /dev/stdin -> ../proc/self/fd/0
lrwx------    1 dtucker  dtucker        64 Oct 14 22:06 /proc/self/fd/0 -> /dev/pts/2

In contrast, on Solaris, /dev/fd/0 is a character special device, and your example works as expected:

$ uname -sr; ls -l /dev/fd/0 /dev/stdin
SunOS 5.8
crw-rw-rw-   1 root     root     247,  0 Oct 14 22:09 /dev/fd/0
lrwxrwxrwx   1 root     root           6 Apr  2  2002 /dev/stdin -> ./fd/0
$ echo Hello | ssh localhost "cat /dev/fd/0"
Hello

I remember reading an explanation about this someplace but I don't remember the details and I've been unable to locate it again.
-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From swhatley at hal-pc.org Wed Oct 15 03:02:05 2003
From: swhatley at hal-pc.org (swhatley at hal-pc.org)
Date: Tue, 14 Oct 2003 12:02:05 -0500
Subject: 3.7.1p2: HP-UX 11.00 & NIS+ problems
Message-ID:

Hi all,

When we installed OpenSSH 3.7.1p2, we could no longer ssh into the root account. The following message would appear in the syslog.log:

Oct 8 19:20:38 myhost sshd[22179]: User root not allowed because account is locked

We use NIS+ under HP-UX 11.00. We have very recently changed the root password. To change the root password under NIS+ we do the following:

# passwd
# chkey -p
# keylogin -r

The last command generates a /etc/.rootkey file. Doing the command '/usr/lbin/getprpw root' says the account is *not* locked.

We did not have any problems using ssh to login as root with OpenSSH 3.7.1p1. Is this a bug or am I missing something? Any info will be appreciated.

Thanks,
Steven
-- 
Steven Whatley
swhatley at hal-pc.org
Don't get rattled by what I say. It's just my opinion.

From Satishmohan.Gudipalli at GTECH.com Wed Oct 15 07:01:59 2003
From: Satishmohan.Gudipalli at GTECH.com (Gudipalli, Satishmohan (Consultant))
Date: Tue, 14 Oct 2003 17:01:59 -0400
Subject: Question on AIX5.2 compilation..
Message-ID: <25AD1A83BEB76B47B85E473AAC911744022AA468@indiamail02>

Hello all,

We migrated recently from AIX 5.0 to AIX 5.2. I am getting the following warnings/errors during compilation. The following are some:

/usr/include/time.h:236: warning: `struct sigevent' declared inside parameter list
/usr/include/time.h:236: warning: its scope is only this definition or declaration, which is probably not what you want.
/usr/include/time.h:236: warning: `struct sigevent' declared inside parameter list
/usr/include/time.h:236: warning: its scope is only this definition or declaration, which is probably not what you want.
In file included from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:52,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:52,
                 from /usr/include/pthread.h:44,

and some more...

Regards,
Satish Mohan.

From dtucker at zip.com.au Wed Oct 15 08:20:45 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 15 Oct 2003 08:20:45 +1000
Subject: Question on AIX5.2 compilation..
References: <25AD1A83BEB76B47B85E473AAC911744022AA468@indiamail02>
Message-ID: <3F8C76BD.F1F23E1B@zip.com.au>

"Gudipalli, Satishmohan (Consultant)" wrote:
> We migrated recently from AIX5.0 to AIX 5.2. I am getting the following
> warnings/errors during compilation:

OpenSSH now includes some more system headers. Unfortunately 2 have errors (trailing spaces after a line-continuation "\") which choke earlier gcc's, including the one on the Toolbox CD.

You can either use a newer gcc, or edit the system headers as described here:
http://bugzilla.mindrot.org/show_bug.cgi?id=640

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dtucker at zip.com.au Wed Oct 15 08:34:05 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 15 Oct 2003 08:34:05 +1000
Subject: 3.7.1p2: HP-UX 11.00 & NIS+ problems
References:
Message-ID: <3F8C79DD.66E50C12@zip.com.au>

swhatley at hal-pc.org wrote:
> When we installed OpenSSH 3.7.1p2, we could no longer ssh into the root
> account. The following message would appear in the syslog.log:
>
> Oct 8 19:20:38 myhost sshd[22179]: User root not allowed because account is
> locked

3.7.1p2 had a couple of bugs on HP-UX in some configurations (trusted mode and shadow passwords are the ones I know of, and it looks like NIS+ too). Most have been fixed in the recent snapshots, but I've also got a patch that accumulates just the HP-UX fixes:
http://www.zip.com.au/~dtucker/openssh/openssh-3.7.1p2-hpux.patch

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From henryg at optimation.com.au Wed Oct 15 11:30:35 2003
From: henryg at optimation.com.au (Henry Grebler)
Date: Wed, 15 Oct 2003 11:30:35 +1000
Subject: OpenSSH package
Message-ID: <10310150130.AA16268@optimation.com.au>

A non-text attachment was scrubbed...
Name: not available
Type: text
Size: 7366 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20031015/02b75f40/attachment.ksh

From dtucker at zip.com.au Wed Oct 15 12:05:13 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 15 Oct 2003 12:05:13 +1000
Subject: OpenSSH package
References: <10310150130.AA16268@optimation.com.au>
Message-ID: <3F8CAB59.38431F7A@zip.com.au>

Henry Grebler wrote:
> I saw that you have a variable TEST_DIR and a way of building a
> package using that, but I had hoped to test the package and then
> install it, not test one package and install another. I don't think it
> would have got around the chroot problems.

Apparently SCO Unixes have pkgadd which doesn't support -R, which is why TEST_DIR is there.

> Anyway, I was able to achieve all my goals, and your package made it a
> lot easier than doing it manually. So, thanks again.

I wrote a wrapper for testing such configurations, see:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102698517600349

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From swhatley at hal-pc.org Wed Oct 15 13:07:38 2003
From: swhatley at hal-pc.org (Steven Whatley)
Date: Tue, 14 Oct 2003 22:07:38 -0500 (CDT)
Subject: [openssh] Re: 3.7.1p2: HP-UX 11.00 & NIS+ problems
In-Reply-To: <3F8C79DD.66E50C12@zip.com.au>
References: <3F8C79DD.66E50C12@zip.com.au>
Message-ID:

On Wed, 15 Oct 2003, Darren Tucker wrote:
> swhatley at hal-pc.org wrote:
> > When we installed OpenSSH 3.7.1p2, we could no longer ssh into the root
> > account. The following message would appear in the syslog.log:
> >
> > Oct 8 19:20:38 myhost sshd[22179]: User root not allowed because account is
> > locked
>
> 3.7.1p2 had a couple of bugs on HP-UX in some configurations (trusted mode
> and shadow passwords are the ones I know of, and it looks like NIS+ too).
> Most have been fixed in the recent snapshots, but I've also got a patch
> that accumulates just the HP-UX fixes:

OK, yes, we are running in trusted mode. That explains it. Thanks for the info and patch.

Thanks,
Steven

From tim at multitalents.net Wed Oct 15 13:12:46 2003
From: tim at multitalents.net (Tim Rice)
Date: Tue, 14 Oct 2003 20:12:46 -0700 (PDT)
Subject: OpenSSH package
In-Reply-To: <10310150130.AA16268@optimation.com.au>
References: <10310150130.AA16268@optimation.com.au>
Message-ID:

On Wed, 15 Oct 2003, Henry Grebler wrote:
> I saw that you have a variable TEST_DIR and a way of building a
> package using that, but I had hoped to test the package and then
> install it, not test one package and install another. I don't think it
> would have got around the chroot problems.

I put TEST_DIR in to address the very problems you report. As Darren said, the -R option to pkgadd is not available on all the platforms the buildpkg.sh script supports.

-- 
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From mouring at etoh.eviladmin.org Wed Oct 15 13:32:17 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 14 Oct 2003 22:32:17 -0500 (CDT)
Subject: OpenSSH package
In-Reply-To: <10310150130.AA16268@optimation.com.au>
Message-ID:

> First of all, thank you for your contribution of the OpenSSH package
> for Solaris. It is very useful.

Darren and Tim added most of the nicer features after I gutted the existing build script to make it FAKE ROOT based.

[..]
> I am building a Solaris 9 server. Solaris 9 comes with ssh, so I want
> to test my recent build of OpenSSH before replacing Sun's native ssh.
> I tried to install into /tmp/hmg.
>
> It seems that the package makes some assumptions: that root_path will
> be used as a chroot newroot; that certain directories in
> $root_path/etc already exist.

Looking below I question the use of -R. -R is really designed for jumpstart and other installs where the -R points to a complete OS install.

"All files, including package system information files, are relocated to a directory tree starting in the specified root_path."

[..]
> I saw that you have a variable TEST_DIR and a way of building a
> package using that, but I had hoped to test the package and then
> install it, not test one package and install another. I don't think it
> would have got around the chroot problems.

Actually it would. TEST_DIR disables the "chroot" enabled by -R.

As for your original idea. It's too bad pkgadd does not support the -n option from pkg_add in *BSD.

  -n    Don't actually install a package, just report the steps that would be taken if it was.

Or the idea like -vVAR=VALUE ala awk.

However, I guess I do business differently than you do. I tend to give a box over to testing that is non-critical. So I can test the package in multiple different modes. So I can't really give you much advice.

- Ben

From ma at kievonline.org Wed Oct 15 18:02:52 2003
From: ma at kievonline.org (Moshe A) Date: Wed, 15 Oct 2003 10:02:52 +0200 Subject: change of address Message-ID: <000801c392f2$bc4e39d0$0200a8c0@MOHA> Thank you for writing me I have changed my address to ma at kievonline.org thank you for your time Moshe A From openssh at roumenpetrov.info Wed Oct 15 19:12:50 2003 
From: openssh at roumenpetrov.info (Roumen Petrov)
Date: Wed, 15 Oct 2003 12:12:50 +0300
Subject: strange behaviour with ssh / stdin
References: <1066129335.13596.1.camel@sakura.mindrot.org> <3F8BEB07.CE66E8BB@zip.com.au>
Message-ID: <3F8D0F92.7010901@roumenpetrov.info>

Might be a Linux kernel(?), not ssh(!) problem.
As Laurent shows ".../fd/0 -> socket:[27105]", i.e. on Linux we have a broken symbolic link - cat ".../fd/0" cannot find the ".../fd/socket:[27105]" file.
It is strange that cat without arguments works on Linux.

Darren Tucker wrote:
>Damien Miller wrote:
>>On Mon, 2003-10-13 at 19:56, Laurent Bartholdi wrote:
>>>hi,
>>>i noted the following strange behaviour using ssh and linux. this is
>>>probably a low-priority bug:
>>>
>>># ssh -V
>>>OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
>>># uname -a
>>>Linux funnyfarm 2.4.21-20.1.2024.2.1.nptl #1 Fri Jul 11 06:04:52 EDT 2003 i686 i686 i386 GNU/Linux
>>>
>>># echo Hello | ssh frodo 'cat'
>>>Hello
>>># echo Hello | ssh frodo 'cat /proc/self/fd/0'
>>>cat: /proc/self/fd/0: No such device or address
>>># ssh frodo 'ls -l /proc/self/fd/0'
>>>lrwx------ 1 root root 64 Oct 13 18:51 /proc/self/fd/0 -> socket:[27105]
>>
>>This is probably some weird Linux race condition. I can't imagine
>>anything that ssh could do that would cause this.
>>
>>Does /dev/stdin or /dev/fd/0 work? These are often aliases for the same
>>purpose.
>
>On my RH8 box they're all symlinks to the controlling tty if it has one or
>to some kind of socket descriptor if not (as you noted). The problem
>appears to be Linux-specific.
>
>$ uname -sr; ls -l /dev/stdin /dev/fd/0 /proc/self/fd/0
>Linux 2.4.20-20.8
>lrwx------    1 dtucker  dtucker        64 Oct 14 22:06 /dev/fd/0 -> /dev/pts/2
>lrwxrwxrwx    1 root     root           17 Mar 31  2003 /dev/stdin -> ../proc/self/fd/0
>lrwx------    1 dtucker  dtucker        64 Oct 14 22:06 /proc/self/fd/0 -> /dev/pts/2
>
>In contrast, on Solaris, /dev/fd/0 is a character special device, and your
>example works as expected:
>$ uname -sr; ls -l /dev/fd/0 /dev/stdin
>SunOS 5.8
>crw-rw-rw-   1 root     root     247,  0 Oct 14 22:09 /dev/fd/0
>lrwxrwxrwx   1 root     root           6 Apr  2  2002 /dev/stdin -> ./fd/0
>$ echo Hello | ssh localhost "cat /dev/fd/0"
>Hello
>
>I remember reading an explanation about this someplace but I don't
>remember the details and I've been unable to locate it again.

From dtucker at zip.com.au Wed Oct 15 19:48:47 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 15 Oct 2003 19:48:47 +1000
Subject: strange behaviour with ssh / stdin
References: <1066129335.13596.1.camel@sakura.mindrot.org> <3F8BEB07.CE66E8BB@zip.com.au> <3F8D0F92.7010901@roumenpetrov.info>
Message-ID: <3F8D17FF.AF034B0D@zip.com.au>

Roumen Petrov wrote:
>
> Might is linux kernel(?), not ssh(!) problem.

Quite possibly. Laurent has opened a kernel Bugzilla bug:
http://bugzilla.kernel.org/show_bug.cgi?id=1357

> As Laurent show ".../fd/0 -> socket:[27105]", i.e. on linux we have
> broken symbolic link - cat ".../fd/0" cannot found
> ".../fd/socket:[27105]" file.
> It is strange that cat without arguments work on linux.

Some food for thought: according to lsof (what did I do without lsof!)
there's a difference in the descriptors:

$ ssh localhost "lsof" | grep lsof |egrep '[012][rwu]'
lsof 4101 dtucker 0u unix 0xc2d2c9e0 2530902 socket
lsof 4101 dtucker 1u unix 0xc2d2c9e0 2530902 socket
lsof 4101 dtucker 2u unix 0xcc975090 2530904 socket

stdin/out are both read-write sockets

$ ssh localhost "cat | lsof | cat" | grep lsof |egrep '[012][rwu]'
lsof 4216 dtucker 0r FIFO 0,5 2533038 pipe
lsof 4216 dtucker 1w FIFO 0,5 2533039 pipe
lsof 4216 dtucker 2u unix 0xcad775a0 2533006 socket

stdin/out are unidirectional pipes.

What does this mean? No idea.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Wed Oct 15 21:53:05 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 15 Oct 2003 21:53:05 +1000
Subject: strange behaviour with ssh / stdin
References: <1066129335.13596.1.camel@sakura.mindrot.org> <3F8BEB07.CE66E8BB@zip.com.au> <3F8D0F92.7010901@roumenpetrov.info> <3F8D17FF.AF034B0D@zip.com.au>
Message-ID: <3F8D3521.8951F7F@zip.com.au>

Darren Tucker wrote:
>
> Roumen Petrov wrote:
> >
> > Might is linux kernel(?), not ssh(!) problem.
>
> Quite possibly. Laurent has opened a kernel Bugzilla bug:
> http://bugzilla.kernel.org/show_bug.cgi?id=1357

Hmm, they closed it because it was a vendor kernel. I've reproduced it
with 2.6.0-test7, made a tiny test case and opened a new bug (can't
reopen old ones):
http://bugzilla.kernel.org/show_bug.cgi?id=1360

Looking at the code in session.c, since it seems to work when the
descriptors are pipes, try adding "#define USE_PIPES 1" to config.h,
recompile and retest.

--
Darren Tucker (dtucker at zip.com.au)

From openssh at roumenpetrov.info Thu Oct 16 01:46:28 2003
From: openssh at roumenpetrov.info (Roumen Petrov)
Date: Wed, 15 Oct 2003 18:46:28 +0300
Subject: strange behaviour with ssh / stdin
References: <1066129335.13596.1.camel@sakura.mindrot.org> <3F8BEB07.CE66E8BB@zip.com.au> <3F8D0F92.7010901@roumenpetrov.info> <3F8D17FF.AF034B0D@zip.com.au> <3F8D3521.8951F7F@zip.com.au>
Message-ID: <3F8D6BD4.5000408@roumenpetrov.info>

USE_PIPES is not the solution ;-)

===========================================================
echo hello | ssh localhost 'ls -l /dev/fd/; cat /dev/fd/0; zsh -c "ls -l /dev/fd/"'
total 0
lr-x------ 1 rumen2 rumen 64 Oct 15 18:07 0 -> pipe:[12554]
l-wx------ 1 rumen2 rumen 64 Oct 15 18:07 1 -> pipe:[12555]
l-wx------ 1 rumen2 rumen 64 Oct 15 18:07 2 -> pipe:[12556]
lr-x------ 1 rumen2 rumen 64 Oct 15 18:07 3 -> /proc/1616/fd
cat: /dev/fd/0: Permission denied
total 0
lr-x------ 1 rumen2 rumen 64 Oct 15 18:07 0 -> pipe:[12554]
l-wx------ 1 rumen2 rumen 64 Oct 15 18:07 1 -> pipe:[12555]
l-wx------ 1 rumen2 rumen 64 Oct 15 18:07 2 -> pipe:[12556]
lr-x------ 1 rumen2 rumen 64 Oct 15 18:07 3 -> /proc/1618/fd
===========================================================

Because "cat" (without a file) works, "cat | cat /dev/fd/0" works too.
For the second cat, "/dev/fd/0" should be the pipe to the stdout of the
first cat.

Darren Tucker wrote:
>Darren Tucker wrote:
>
>>Roumen Petrov wrote:
>>
>>>Might is linux kernel(?), not ssh(!) problem.
>>>
>>Quite possibly. Laurent has opened a kernel Bugzilla bug:
>>http://bugzilla.kernel.org/show_bug.cgi?id=1357
>>
>Hmm, they closed it because it was a vendor kernel. I've reproduced it
>with 2.6.0-test7, made a tiny test case and opened a new bug (can't
>reopen old ones):
>http://bugzilla.kernel.org/show_bug.cgi?id=1360
>
>Looking at the code in session.c, since it seems to work with the
>descriptors are pipe, try adding "#define USE_PIPES 1" to config.h,
>recompile and retest.
>
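The distinction the thread turns on, as an added example in C that is not from the thread or from OpenSSH: fstat(2) on the inherited descriptor tells you what fd 0 really is, reading that descriptor directly is what `cat` with no arguments does, and re-opening it by path through /proc/self/fd/N is what `cat /proc/self/fd/0` does. A socketpair or pipe created locally stands in for what sshd hands the remote command, and the "Hello" message is constructed sample input.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* Classify a descriptor with fstat(2). This looks at the inherited
 * descriptor itself, so the answer is right whether sshd handed the
 * command a socket (the default) or a pipe (USE_PIPES). */
const char *fd_kind(int fd)
{
    struct stat st;

    if (fstat(fd, &st) == -1)
        return "invalid";
    if (S_ISSOCK(st.st_mode))
        return "socket";
    if (S_ISFIFO(st.st_mode))
        return "pipe";
    if (S_ISCHR(st.st_mode))
        return isatty(fd) ? "tty" : "chardev";
    return S_ISREG(st.st_mode) ? "file" : "other";
}

/* Read the inherited descriptor to EOF, as `cat` with no arguments does.
 * Returns the byte count (NUL-terminated into buf) or -1 on error. */
ssize_t read_inherited(int fd, char *buf, size_t len)
{
    size_t got = 0;
    ssize_t n = 0;

    while (got < len - 1 && (n = read(fd, buf + got, len - 1 - got)) > 0)
        got += (size_t)n;
    buf[got] = '\0';
    return n < 0 ? -1 : (ssize_t)got;
}

/* Re-open the same object by path through /proc/self/fd/N, as
 * `cat /proc/self/fd/0` does. Returns a new fd, or -1 with errno set;
 * on Linux a socket cannot be opened this way (ENXIO, which cat prints
 * as "No such device or address"). */
int reopen_via_proc(int fd)
{
    char path[64];

    snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
    return open(path, O_RDONLY);
}

/* A connected pair standing in for what sshd gives the remote command:
 * a UNIX socketpair, or a pipe when use_socket is 0. */
static int make_pair(int use_socket, int fds[2])
{
    return use_socket ? socketpair(AF_UNIX, SOCK_STREAM, 0, fds) : pipe(fds);
}

/* Kind of the reading side of a fresh pair. If proc_err is non-NULL it
 * receives errno from re-opening that side through /proc (0 on success). */
const char *probe(int use_socket, int *proc_err)
{
    int fds[2], pfd;
    const char *kind;

    if (make_pair(use_socket, fds) == -1)
        return "error";
    kind = fd_kind(fds[0]);
    if (proc_err != NULL) {
        pfd = reopen_via_proc(fds[0]);
        *proc_err = pfd == -1 ? errno : 0;
        if (pfd != -1)
            close(pfd);
    }
    close(fds[0]);
    close(fds[1]);
    return kind;
}

/* Push a constructed message through a fresh pair and read it back from
 * the inherited descriptor. Returns 1 when it comes back intact. */
int roundtrip(int use_socket)
{
    const char msg[] = "Hello\n";   /* constructed sample input */
    int fds[2], ok;
    char buf[64];

    if (make_pair(use_socket, fds) == -1)
        return 0;
    ok = write(fds[1], msg, sizeof msg - 1) == (ssize_t)(sizeof msg - 1);
    close(fds[1]);                  /* writer gone: the reader sees EOF */
    ok = ok && read_inherited(fds[0], buf, sizeof buf) == (ssize_t)(sizeof msg - 1)
        && strcmp(buf, msg) == 0;
    close(fds[0]);
    return ok;
}
```

Calling probe(1, &err) on Linux reports ENXIO for the socket case and usually 0 for the pipe case, while roundtrip() succeeds for both because it never goes through /proc.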
From Trevor.Strickland at ed.gov Thu Oct 16 09:00:44 2003
From: Trevor.Strickland at ed.gov (Strickland, Trevor (Contractor))
Date: Wed, 15 Oct 2003 19:00:44 -0400
Subject: Compile of OpenSSH 3.7.1p2 failing - TRU64 5.1A
Message-ID: <092F005EA8A1B74FBA6A8AB192537A06C359E0@wdcrobexc04>

All,

I'm getting the following error message when trying to 'make' OpenSSH
3.7.1p2:

cc: Severe: compress.c, line 19: Cannot find file "zlib.h" specified in
#include directive. (noinclfilef)
#include "zlib.h"
-^
*** Exit 1
Stop.

What can I do to get this to compile correctly?

Thanks in advance,

Trevor Strickland
trevor.strickland at ed.gov

From dtucker at zip.com.au Thu Oct 16 10:11:22 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 16 Oct 2003 10:11:22 +1000
Subject: Compile of OpenSSH 3.7.1p2 failing - TRU64 5.1A
References: <092F005EA8A1B74FBA6A8AB192537A06C359E0@wdcrobexc04>
Message-ID: <3F8DE22A.28993C26@zip.com.au>

"Strickland, Trevor (Contractor)" wrote:
>
> All,
>
> I'm getting the following error message when trying to 'make' OpenSSH
> 3.7.1p2:
>
> cc: Severe: compress.c, line 19: Cannot find file "zlib.h" specified in
> #include directive. (noinclfilef)
> #include "zlib.h"
> -^
> *** Exit 1
> Stop.
>
> What can I do to get this to compile correctly?

That file is part of the zlib package, perhaps it's not installed
correctly. Try reinstalling it (you can get it from www.zlib.org). You
may have to specify the path to it to OpenSSH's configure
(--with-zlib=PATH).

--
Darren Tucker (dtucker at zip.com.au)

From celinn at mtu.edu Thu Oct 16 12:25:09 2003
From: celinn at mtu.edu (Christopher Linn)
Date: Wed, 15 Oct 2003 22:25:09 -0400
Subject: Compile of OpenSSH 3.7.1p2 failing - TRU64 5.1A
In-Reply-To: <3F8DE22A.28993C26@zip.com.au>
References: <092F005EA8A1B74FBA6A8AB192537A06C359E0@wdcrobexc04> <3F8DE22A.28993C26@zip.com.au>
Message-ID: <20031016022509.GA1315@mtu.edu>

On Thu, Oct 16, 2003 at 10:11:22AM +1000, Darren Tucker wrote:
> "Strickland, Trevor (Contractor)" wrote:
> >
> > All,
> >
> > I'm getting the following error message when trying to 'make' OpenSSH
> > 3.7.1p2:
> >
> > cc: Severe: compress.c, line 19: Cannot find file "zlib.h" specified in
> > #include directive. (noinclfilef)
> > #include "zlib.h"
> > -^
> > *** Exit 1
> > Stop.
> >
> > What can I do to get this to compile correctly?
>
> That file is part of the zlib package, perhaps it's not installed
> correctly. Try reinstalling it (you can get it from www.zlib.org). You
> may have to specify the path to it to OpenSSH's configure
> (--with-zlib=PATH).

i have a machine which was pre-installed with Compaq Tru64 UNIX V5.1A
(Rev. 1885); this has a /usr/lib/libz.a but no corresponding zlib.h file
installed. not sure if this came in the base system or as an optional
package. what i did was to leave the system file alone, and in a
non-standard location install zlib.h, zconf.h and libz.a from the
zlib-1.1.4 release. then use --with-zlib=PATH to get the OpenSSH
configure script to find it.

chris

--
Christopher Linn, (celinn at mtu.edu)      | By no means shall either the
CEC Staff System Administrator          | or MTU be held in any way liable
Center for Experimental Computation     | for any opinions or conjecture I
Michigan Technological University       | hold to or imply to hold herein.

From Trevor.Strickland at ed.gov Thu Oct 16 23:17:50 2003
From: Trevor.Strickland at ed.gov (Strickland, Trevor (Contractor))
Date: Thu, 16 Oct 2003 09:17:50 -0400
Subject: Compile of OpenSSH 3.7.1p2 failing - TRU64 5.1A
Message-ID: <092F005EA8A1B74FBA6A8AB192537A06C359E4@wdcrobexc04>

THANK YOU - Chris Linn, Darren Tucker

Strangely enough, when I simply added the --with-zlib=PATH, it compiled.
I didn't have to re-install zlib or place it into a different location.
It looks as if it just didn't know where to find it.

Trevor
From dtucker at zip.com.au Thu Oct 16 23:35:03 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 16 Oct 2003 23:35:03 +1000
Subject: Compile of OpenSSH 3.7.1p2 failing - TRU64 5.1A
References: <092F005EA8A1B74FBA6A8AB192537A06C359E4@wdcrobexc04>
Message-ID: <3F8E9E87.79C971A1@zip.com.au>

"Strickland, Trevor (Contractor)" wrote:
> Strangely enough, when I simply added the --with-zlib=PATH, it compiled. I
> didn't have to re-install zlib or place it into a different location. It
> looks as if it just didn't know where to find it.

Configure searches for the library. If configure doesn't find it in the
system library path, the next place it looks is /usr/local/. You have a
zlib.[a|so] in your normal system library path?

--
Darren Tucker (dtucker at zip.com.au)

From steev at detritus.net Fri Oct 17 02:32:09 2003
From: steev at detritus.net (steev hise)
Date: Thu, 16 Oct 2003 09:32:09 -0700
Subject: problem with INSTALL file
Message-ID: <3F8EC809.7080508@detritus.net>

I'm reporting a problem with documentation for openssh 3.7 portable.

In the INSTALL file it says in the configure section:

--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords without using PAM.

The above verbiage implies that if you use PAM there's no need to use the
--with-md5-passwords option.
This, I have discovered, is not true, at least on Redhat linux systems.
When using PAM and MD5 passwords, you must use the above configure option
AND the --with-pam option. If you don't, you won't be able to login using
password authentication....

so, this wording should be changed to avoid further confusion and pain....

thanx,
Steev Hise
steev at detritus.net

From arun.mahajan at att.net Fri Oct 17 03:45:53 2003
From: arun.mahajan at att.net (arun.mahajan at att.net)
Date: Thu, 16 Oct 2003 17:45:53 +0000
Subject: Buffer management bug-fix for 2.5.1p2
Message-ID: <101620031745.2271.3baf@att.net>

All,

I got the patch for this bug from the OPENSSH site and as I was applying
the same to my version of 'buffer.c' I noticed that this patch, which was
in Appendix-A (ver 3.6 and earlier), was not directly applicable to my
version of buffer.c, specifically the lines of code that have changed for
the function buffer_append_space(). For one, my version of this function
has 3 arguments whereas the patch is to the same function which only takes
in 2 arguments. The patched lines are also different, i.e. the patch
applies to lines that may not even exist in my version of this file.

In short, would someone point me to a patch that fixes this problem for
Version 2.5.1p2? (I suppose I could still apply the patch but I do not
know if there are other implications....)

I would certainly prefer to upgrade to the latest OPENSSH version but that
will be inconvenient at this time.

Any help or suggestions are appreciated!

Thank you.

Sincerely,
Arun Mahajan

From Trevor.Strickland at ed.gov Fri Oct 17 05:38:10 2003
From: Trevor.Strickland at ed.gov (Strickland, Trevor (Contractor))
Date: Thu, 16 Oct 2003 15:38:10 -0400
Subject: Compile of OpenSSH 3.7.1p2 failing - TRU64 5.1A
Message-ID: <092F005EA8A1B74FBA6A8AB192537A06C359EA@wdcrobexc04>

Darren,

I looked and no, I do not have zlib.[a|so] in my library path. After
looking in the /usr/local/include directory, where I believe the compiler
was looking, I have the following files:

drwxr-xr-x   2 root system  8192 Oct 15 18:51 .
drwxr-xr-x  13 root system  8192 Feb  3  2003 ..
-rw-r--r--   1 root system  7810 Jan  4  2003 zconf.h
-rw-r--r--   1 root system 40900 Oct 15 18:49 zlib.h

I hope this was the information that you were looking for. If it isn't,
let me know.

Thanks again,

Trevor Strickland
From dtucker at zip.com.au Fri Oct 17 16:31:47 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 17 Oct 2003 16:31:47 +1000
Subject: problem with INSTALL file
References: <3F8EC809.7080508@detritus.net>
Message-ID: <3F8F8CD3.9EE9FF34@zip.com.au>

steev hise wrote:
>
> I'm reporting a problem with documentation for openssh 3.7 portable.
>
> In the INSTALL file it says in the configure section:
>
> --with-md5-passwords will enable the use of MD5 passwords. Enable this
> if your operating system uses MD5 passwords without using PAM.
>
> The above verbiage implies that if you use PAM there's no need to use the
> --with-md5-passwords option.
> This, I have discovered, is not true, at least on Redhat linux systems.

Good point. It used to be true when PAM was only a compile-time option,
but as you've discovered it isn't any more.

I will change that paragraph to read:

--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords. The resulting binary will
support both MD5 and traditional crypt type passwords.

Thanks,
-Daz.

--
Darren Tucker (dtucker at zip.com.au)

From dtucker at zip.com.au Fri Oct 17 16:39:41 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 17 Oct 2003 16:39:41 +1000
Subject: Compile of OpenSSH 3.7.1p2 failing - TRU64 5.1A
References: <092F005EA8A1B74FBA6A8AB192537A06C359EA@wdcrobexc04>
Message-ID: <3F8F8EAD.5D564396@zip.com.au>

> "Strickland, Trevor (Contractor)" wrote:
> I looked and no, I do not have zlib.[a|so] in my library path.
> After looking in the /usr/local/include directory, where I believe the
> compiler was looking, I have the following files:

Err, make that "libz.[a|so]".

--
Darren Tucker (dtucker at zip.com.au)

From carin.andersson at ericsson.com Sat Oct 18 00:30:50 2003
From: carin.andersson at ericsson.com (Carin Andersson (HF/EAB))
Date: Fri, 17 Oct 2003 16:30:50 +0200
Subject: Bugs in openssh
Message-ID: <4DA6EA82906FD511BE2F00508BCF05380747E7F6@Esealnt861.al.sw.ericsson.se>

Hi,

We are using your product openssh 2.3.0p1 and we should upgrade to
openssh 3.7.1p1 mainly for better SSH2 support but also for the bug
reported on

Is this problem located on the server side or on the client side, or both?

Regards,
Carin Andersson
Software Developer
Ericsson AB

From joeydoughly2000 at yahoo.com Sat Oct 18 03:04:21 2003
From: joeydoughly2000 at yahoo.com (joey doughly)
Date: Fri, 17 Oct 2003 10:04:21 -0700 (PDT)
Subject: SSH/SSL Help...
Message-ID: <20031017170421.86932.qmail@web20006.mail.yahoo.com>

Hello Everybody,

I am porting SSH to the AS400 and am having some problems in the linking
stage. There are some SSL components that have function prototypes defined
but no function definitions for the prototypes. Functions like
PBEPARAM_free from the file p5_pbe.c and DSA_SIG_free from the file
dsa_asn1.c. I have noticed that these functions are both prototyped and
defined in the 0.9.6k version release of SSL but I am working with the
0.9.7b release where they are not defined. Can anyone help me out?

Thank you,
Joey

From openssh at holotech.net Sat Oct 18 04:12:37 2003
From: openssh at holotech.net (Alan Little)
Date: Fri, 17 Oct 2003 14:12:37 -0400
Subject: Script Control of sftp
Message-ID: <16427382183.20031017141237@holotech.net>

I am trying to conduct a full sftp session using the proc_open()
function of PHP:

http://www.php.net/manual/en/function.proc-open.php

Once I get past the authentication stage, everything works fine: the
script is able to write to sftp's stdin and capture its stdout.
However, during the auth stage, these are apparently bypassed somehow,
and IO takes place directly with the terminal. That is, the password
prompt appears on the screen, and the password is accepted directly
from the keyboard, while the password submitted by the script is
ignored. Any ideas why, and/or how I can control the IO through the
auth stage?

Here is my code:

#!/usr/www/users/holotech/cgi-bin/php4.cgi
<?php
// Descriptor table for the child: we write to its stdin, read its stdout,
// and append its stderr to a file.
$descriptorspec = array(
    0 => array("pipe", "r"),
    1 => array("pipe", "w"),
    2 => array("file", "/tmp/error-output.txt", "a")
);

$Server = "myserver.pair.com";
$User = "holotech";
$Pass = "########";
$sftp = "/usr/bin/sftp";

$process = proc_open("$sftp $User@$Server", $descriptorspec, $pipes);

if (is_resource($process)) {
    // Send the password on the child's stdin ($Pass; the original wrote
    // $Password, which is never defined). sftp still prompts on the tty.
    fwrite($pipes[0], $Pass."\n");
    fclose($pipes[0]);

    while (!feof($pipes[1])) {
        echo fgets($pipes[1], 1024);
    }
    fclose($pipes[1]);

    $return_value = proc_close($process);
    echo "\ncommand returned $return_value\n";
}
?>

--
Alan Little
Holotech Enterprises

From stephen.walton at csun.edu Sat Oct 18 08:24:17 2003
From: stephen.walton at csun.edu (Stephen Walton)
Date: Fri, 17 Oct 2003 15:24:17 -0700
Subject: ssh-agent and rdist
Message-ID: <1066429457.7207.5.camel@hector.sfo.csun.edu>

Hi,

I'm having a real difficulty here, and I'll keep this very short; ask
for needed details. I've got two nearly identically configured RedHat 8
systems, call them A and B. I've generated keys with passphrases on
both, added the public key for B to ~/.ssh/authorized_hosts on A and
vice versa.

On either machine, I can use ssh-agent with no problems. In particular,
if I run 'rdist -P /usr/bin/ssh -c testdir myname at B' on A, no passphrase
is requested. But the similar command issued on B to try to connect to
rdistd on A always asks for a passphrase. This breaks parallel rdist
updates. Oddly, if I manually do 'ssh -l myname A rdistd -S' on B,
rdistd starts fine.

ssh_config and sshd_config are identical on A and B.

--
Stephen Walton
Dept. of Physics & Astronomy, Cal State Northridge

From jmknoble at pobox.com Sat Oct 18 08:51:36 2003
From: jmknoble at pobox.com (Jim Knoble)
Date: Fri, 17 Oct 2003 18:51:36 -0400
Subject: ssh-agent and rdist
In-Reply-To: <1066429457.7207.5.camel@hector.sfo.csun.edu>
References: <1066429457.7207.5.camel@hector.sfo.csun.edu>
Message-ID: <20031017225136.GH10684@crawfish.ais.com>

Circa 2003-10-17 15:24:17 -0700 dixit Stephen Walton:

: Hi,
:
: I'm having a real difficulty here, and I'll keep this very short; ask
: for needed details. I've got two nearly identically configured RedHat 8
: systems, call them A and B. I've generated keys with passphrases on
: both, added the public key for B to ~/.ssh/authorized_hosts on A and
: vice versa.
:
: On either machine, I can use ssh-agent with no problems. In particular,
: if I run 'rdist -P /usr/bin/ssh -c testdir myname at B' on A, no passphrase
: is requested. But the similar command issued on B to try to connect to
: rdistd on A always asks for a passphrase. This breaks parallel rdist
: updates. Oddly, if I manually do 'ssh -l myname A rdistd -S' on B,
: rdistd starts fine.
:
: ssh_config and sshd_config are identical on A and B.

Check permissions on home directory, ${HOME}/.ssh directory, and/or
private key files in ${HOME}/.ssh to make certain they're not readable
or writable by anyone but their user.

Try running an sshd with debugging (-d) on A, then connecting to
it with ssh -v on B. If nothing helpful appears, you might try
increasing the diagnostic level (-ddd and -vvv respectively).

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
"We have guided missiles and misguided men." --Martin Luther King, Jr.
From stephen.walton at csun.edu Sat Oct 18 09:05:32 2003
From: stephen.walton at csun.edu (Stephen Walton)
Date: Fri, 17 Oct 2003 16:05:32 -0700
Subject: ssh-agent and rdist
In-Reply-To: <20031017225136.GH10684@crawfish.ais.com>
References: <1066429457.7207.5.camel@hector.sfo.csun.edu> <20031017225136.GH10684@crawfish.ais.com>
Message-ID: <1066431932.7900.10.camel@hector.sfo.csun.edu>

On Fri, 2003-10-17 at 15:51, Jim Knoble wrote:
> Circa 2003-10-17 15:24:17 -0700 dixit Stephen Walton:
>
> : On either machine, I can use ssh-agent with no problems. In particular,
> : if I run 'rdist -P /usr/bin/ssh -c testdir myname at B' on A, no passphrase
> : is requested. But the similar command issued on B to try to connect to
> : rdistd on A always asks for a passphrase.
> :
> : ssh_config and sshd_config are identical on A and B.

> Try running an sshd with debugging (-d) on A, then connecting to
> it with ssh -v on B. If nothing helpful appears, you might try
> increasing the diagnostic level (-ddd and -vvv respectively).

I haven't done the debugging yet, but I seem to have found the actual
problem. Examining /etc/X11/xdm/Xsession on RedHat shows that if
/usr/bin/ssh-agent is executable, it is started along with the X desktop
by default. So, if I execute an ssh-agent in an xterm window, it becomes
the second one. Knowing ssh-agent is already running, if I just use
ssh-add the problem described above goes away.

I suppose this kind of inconsistency is the result of inadvertently
running 'nested' ssh-agent sessions. If this shouldn't happen, then I'd
be happy to generate and share the debugging output.

--
Stephen Walton
Dept. of Physics & Astronomy, Cal State Northridge

From dtucker at zip.com.au Sat Oct 18 11:35:03 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 18 Oct 2003 11:35:03 +1000
Subject: Bugs in openssh
References: <4DA6EA82906FD511BE2F00508BCF05380747E7F6@Esealnt861.al.sw.ericsson.se>
Message-ID: <3F9098C7.5BA06A8C@zip.com.au>

"Carin Andersson (HF/EAB)" wrote:
> We are using your product openssh 2.3.0p1 and we should upgrade to openssh 3.7.1p1 mainly for
> better SSH2 support but also for the bug reported on
>
> Is this problem located on the server side or on the client side, or both?

That particular bug is on the server side. There are other security
bugs that have been fixed between 2.3.0p1 and 3.7.1p2 (which is the
latest release, not 3.7.1p1).

--
Darren Tucker (dtucker at zip.com.au)
From james at firstaidmusic.com Sat Oct 18 04:43:34 2003
From: james at firstaidmusic.com (James Dennis)
Date: Fri, 17 Oct 2003 14:43:34 -0400
Subject: *lock* considered empty?
Message-ID:

Is *lock* considered empty in regard to passwords? I have an account
that was locked using *lock* as the password (not my system) and after
upgrading to 3.7.1 we found that that account could not log in. After
giving that account a password, it could login fine. We were using
public key auth so passwords aren't even necessary for that account.

-James

From dtucker at zip.com.au Sat Oct 18 14:02:07 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 18 Oct 2003 14:02:07 +1000
Subject: *lock* considered empty?
References:
Message-ID: <3F90BB3F.392965F0@zip.com.au>

James Dennis wrote:
>
> Is *lock* considered empty in regard to passwords? I have an account
> that was locked using *lock* as the password (not my system) and after
> upgrading to 3.7.1 we found that that account could not log in. After
> giving that account a password, it could login fine. We were using
> public key auth so passwords aren't even necessary for that account.

Not exactly. sshd now tests for locked accounts, but what constitutes
locked varies from platform to platform.

Currently, a literal "*lock*" isn't considered. The following strings
are:
    Literal "*"            Darwin, HP-UX
    Literal "*LK*"         IRIX, Solaris
    Substring "Nologin"    Tru64
    Leading "!!"           Linux

What platform are you using?

--
Darren Tucker (dtucker at zip.com.au)

From v_t_m at seznam.cz Sat Oct 18 21:07:40 2003
From: v_t_m at seznam.cz (Václav Tomec)
Date: Sat, 18 Oct 2003 13:07:40 +0200 (CEST)
Subject: SecurID patch for OpenSSH 3.7.1p2
In-Reply-To: <1065471147.7569.4.camel@localhost>
Message-ID: <69325.194413-26471-984659825-1066475260@seznam.cz>

Hello all,

I use these two (three) patches together - AuthSelect + SecurID + pwexpire
- and so far without problems. Next week I can make these patches public
on my site (in one package) if you want.

Vaclav

> Asif,
>
> I just got through testing, and by default the patches do not work
> together with 3.7.1p2..it doesn't matter on the order...I think you
> could make them work, but I don't have time to look into this further. I
> only have one system where I need the securid support, so I will just
> build two different packages.
>
> -Scott
>
> On Mon, 2003-10-06 at 14:31, Asif Iqbal wrote:
> > Let me know if it works for you with 3.7.1p2 and in what order you patched it ?
> >
> > It failed during configure for me
> >
> > On 6 Oct 2003, Scott Burch wrote:
> >
> > > Asif,
> > >
> > > With 3.6.1p2 you were able to use Darren's patch in combination with
> > > this patch. I haven't tried with 3.7.1p2, but I will be building a
> > > version this week to see.
> > >
> > > -Scott
> > >
> > > On Mon, 2003-10-06 at 11:24, Asif Iqbal wrote:
> > > > Should I be able to use Darren Tucker's Password Expire patch with this ?
> > > >
> > > > On Fri, 26 Sep 2003, [iso-8859-2] Václav Tomec wrote:
> > > >
> > > > > Hello all,
> > > > >
> > > > > new version of SecurID patch is available on
> > > > > http://sweb.cz/v_t_m/
> > > > >
> > > > > The new version of the patch is extended with "shared logins" possibility.
> > > > > It means that SecurID token can be used to login to an account shared
> > > > > by several persons.
> > > > > This cannot be solved using ACE server standard means.
> > > > >
> > > > > This patch depends on the AuthSelection patch (http://sweb.cz/v_t_m).
> > > > > After applying AuthSelection patch, you can specify
> > > > > server-supported authentication methods per user to authenticate with
> > > > > OpenSSH server.
> > > > >
> > > > > Vaclav
> > > > >
> > > > > _______________________________________________
> > > > > openssh-unix-dev mailing list
> > > > > openssh-unix-dev at mindrot.org
> > > > > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> > > > >
> --
> Scott Burch
>

From jaearick at colby.edu Sat Oct 18 22:15:36 2003
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Sat, 18 Oct 2003 08:15:36 -0400 (EDT)
Subject: *lock* considered empty?
In-Reply-To: <3F90BB3F.392965F0@zip.com.au>
References: <3F90BB3F.392965F0@zip.com.au>
Message-ID:

Hi,

This logic seems really fragile. For crypt() based passwords, I would
think that "anything not 13 chars long is locked". Isn't MD5 also a
fixed length too, with the same idea?

---
Jeff Earickson
Colby College

On Sat, 18 Oct 2003, Darren Tucker wrote:

> Date: Sat, 18 Oct 2003 14:02:07 +1000
> From: Darren Tucker > To: James Dennis > Cc: openssh-unix-dev at mindrot.org > Subject: Re: *lock* considered empty? > > James Dennis wrote: > > > > Is *lock* considered empty in regard to passwords? I have an account > > that was locked using *lock* as the password (not my system) and after > > upgrading to 3.7.1 we found that that account could not log in. After > > giving that account a password, it could login fine. We were using > > public key auth so passwords aren't even necessary for that account. > > Not exactly. sshd now tests for locked accounts, but what constitutes > locked varies from platform to platform. > > Currently, a literal "*lock*" isn't considered. The following strings > are: > Literal "*" Darwin, HP-UX > Literal "*LK*" IRIX, Solaris > Substring "Nologin" Tru64 > Leading "!!" Linux > > What platform are you using? > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From markus at openbsd.org Sat Oct 18 22:38:45 2003 
From: markus at openbsd.org (Markus Friedl)
Date: Sat, 18 Oct 2003 14:38:45 +0200
Subject: Script Control of sftp
In-Reply-To: <16427382183.20031017141237@holotech.net>
References: <16427382183.20031017141237@holotech.net>
Message-ID: <20031018123844.GB11808@folly>

You have to abuse the SSH_ASKPASS mechanism. Works fine for me, but it's
not recommended to have passwords in scripts.

On Fri, Oct 17, 2003 at 02:12:37PM -0400, Alan Little wrote:
> I am trying to conduct a full sftp session using the proc_open()
> function of PHP:
>
> http://www.php.net/manual/en/function.proc-open.php
>
> Once I get past the authentication stage, everything works fine: the
> script is able to write to sftp's stdin and capture its stdout.
> However, during the auth stage, these are apparently bypassed somehow,
> and IO takes place directly with the terminal. That is, the password
> prompt appears on the screen, and the password is accepted directly
> from the keyboard, while the password submitted by the script is
> ignored. Any ideas why, and/or how I can control the IO through the
> auth stage?
>
> Here is my code:
>
> #!/usr/www/users/holotech/cgi-bin/php4.cgi
> <?php
> $descriptorspec = array(
>     0 => array("pipe", "r"),
>     1 => array("pipe", "w"),
>     2 => array("file", "/tmp/error-output.txt", "a")
> );
>
> $Server = "myserver.pair.com";
> $User = "holotech";
> $Password = "########";
>
> $sftp = "/usr/bin/sftp";
>
> $process = proc_open(
>     "$sftp $User@$Server",
>     $descriptorspec,
>     $pipes
> );
>
> if (is_resource($process)) {
>     fwrite($pipes[0], $Password."\n");
>     fclose($pipes[0]);
>
>     while(!feof($pipes[1])) {
>         echo fgets($pipes[1], 1024);
>     }
>     fclose($pipes[1]);
>     $return_value = proc_close($process);
>
>     echo "\ncommand returned $return_value\n";
> }
> ?>
>
> --
> Alan Little
> Holotech Enterprises

From openssh at holotech.net Sat Oct 18 23:09:20 2003
From: openssh at holotech.net (Alan Little)
Date: Sat, 18 Oct 2003 09:09:20 -0400
Subject: Script Control of sftp
In-Reply-To: <20031018123844.GB11808@folly>
References: <16427382183.20031017141237@holotech.net> <20031018123844.GB11808@folly>
Message-ID: <398000584.20031018090920@holotech.net>

> You have to abuse the SSH_ASKPASS mechanism.

Could you give me a quick rundown of how to do that and/or where I could
find more information?

> Works fine for me, but it's not recommended
> to have passwords in scripts.

The password won't be stored in the script or anywhere else for that
matter; the user will be entering it over a secure connection.

--
Alan Little
Holotech Enterprises

From dtucker at zip.com.au Sat Oct 18 23:13:16 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 18 Oct 2003 23:13:16 +1000
Subject: *lock* considered empty?
References: <3F90BB3F.392965F0@zip.com.au>
Message-ID: <3F913C6C.16BABD1E@zip.com.au>

"Jeff A. Earickson" wrote:
> This logic seems really fragile. For crypt() based passwords,
> I would think that "anything not 13 chars long is locked". Isn't
> MD5 also a fixed length too, with the same idea?

No, I don't think we should do that. I think it was even discussed
previously. We're specifically after accounts locked by the admin with
"passwd -l" or equivalent. There are other password strings (eg a literal
"NP" on Solaris, which means "No Password authentication") which do not
mean the account is locked.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From openssh-unix-dev at mindrot.org Sun Oct 19 02:41:07 2003
From jmknoble at pobox.com Sun Oct 19 02:44:30 2003
From: jmknoble at pobox.com (Jim Knoble) Date: Sat, 18 Oct 2003 12:44:30 -0400 Subject: Script Control of sftp In-Reply-To: <398000584.20031018090920@holotech.net> References: <16427382183.20031017141237@holotech.net> <20031018123844.GB11808@folly> <398000584.20031018090920@holotech.net> Message-ID: <20031018164430.GI10684@crawfish.ais.com> Circa 2003-10-18 09:09:20 -0400 dixit Alan Little: : > You have to abuse the SSH_ASKPASS mechanism. : Could you give me a quick rundown of how to do that and/or where I : could find more information? http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=104706638008113&w=2 -- jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/ (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491) "We have guided missiles and misguided men." --Martin Luther King, Jr. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 256 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20031018/00f2eac8/attachment.bin From stephen.walton at csun.edu Tue Oct 21 04:51:12 2003 
From: stephen.walton at csun.edu (Stephen Walton) Date: Mon, 20 Oct 2003 11:51:12 -0700 Subject: ssh-agent and rdist SOLVED! In-Reply-To: <1066431932.7900.10.camel@hector.sfo.csun.edu> References: <1066429457.7207.5.camel@hector.sfo.csun.edu> <20031017225136.GH10684@crawfish.ais.com> <1066431932.7900.10.camel@hector.sfo.csun.edu> Message-ID: <1066675872.987.14.camel@sunspot.csun.edu> On Fri, 2003-10-17 at 16:05, Stephen Walton wrote about rdist -P ssh failing to heed ssh-agent/ssh-add: > I haven't done the debugging yet, but I seem to have found the actual > problem. Except I didn't. The real problem, which took me several days to track down, is actually a bug in rdist 6.1.5. For some reason, it only passes the first 40 environment variables to the rsh-equivalent command. Since I have a rather long environment, the variables set by "eval `ssh-agent`" weren't getting passed to ssh by rdist. Hence my bug. This is apparently well known; I found a patch http://ftp.rge.com/pub/systems/aix/aixtoolbox/PATCHES/rdist-6.1.5-environ.patch which was posted to bugs at linux-mandrake.com in 2000. Now to try to apply and distribute it to my 10+ systems. I thought this might help someone else out there. -- Stephen Walton Dept. of Physics & Astronomy, Cal State Northridge From Darren.Moffat at Sun.COM Tue Oct 21 06:50:54 2003 
From: Darren.Moffat at Sun.COM (Darren J Moffat)
Date: Mon, 20 Oct 2003 13:50:54 -0700 (PDT)
Subject: *lock* considered empty?
In-Reply-To:
References: <3F90BB3F.392965F0@zip.com.au>
Message-ID:

On Sat, 18 Oct 2003, Jeff A. Earickson wrote:
> This logic seems really fragile. For crypt() based passwords,

What is fragile is the method of overloading the password field with
account status information. Ideally locked should have been a separate
boolean altogether. In some systems it could be implemented that way (eg
if using things like PAM or BSD-Auth) but history means that at least for
the foreseeable future there is that overloading.

> I would think that "anything not 13 chars long is locked". Isn't
> MD5 also a fixed length too, with the same idea?

An equally fragile assumption. For example on Solaris 9 update 2 there is
the following:

NP       - Not Participating in UNIX authentication - Used to allow an
           account to run cron jobs or login with SSH public-key but not
           with a UNIX password.
*LK*     - Locked. Can not be authenticated to with UNIX and should not be
           used for running any processes. It is really *LK* as a prefix
           that we check not just "*LK*".
*NP*     - No permission to read the password field (NIS+ or LDAP)
$1$....  - BSD MD5 crypt passwords
$2a$...  - BSD Blowfish crypt passwords
$md5$..  - Sun (Alec Muffett) MD5 crypt passwords

The crypt(3c) [ and crypt_gensalt(3c) ] interface is extensible (without
requiring access to the source) via crypt.conf(4).

--
Darren J Moffat

From henryg at optimation.com.au Tue Oct 21 09:10:21 2003
From: henryg at optimation.com.au (Henry Grebler)
Date: Tue, 21 Oct 2003 09:10:21 +1000
Subject: /dev/random
Message-ID: <10310202310.AA23217@optimation.com.au>

A non-text attachment was scrubbed...
Name: not available
Type: text
Size: 2881 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20031021/4aebd962/attachment.ksh

From djm at mindrot.org Tue Oct 21 10:32:35 2003
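The platform strings from the *lock* thread above, as an added example (not OpenSSH's own auth code): a per-platform locked-field check next to the 13-character shortcut Jeff proposed, run over constructed sample fields. It assumes only the strings quoted by Darren Tucker and Darren Moffat; the hash-shape test is a loose check of my own, and the hash-looking samples are constructed, not real hashes.

```c
/*
 * Added example, not OpenSSH's own auth code: classify a passwd/shadow
 * password field per platform as the thread describes, and show where
 * "anything not 13 chars long is locked" misfires. The tables come from the
 * strings quoted in the thread (Darren Tucker's per-platform list and Darren
 * Moffat's Solaris 9 list); the hash-shape test is a loose check of my own.
 */
#include <stdio.h>
#include <string.h>

enum platform { PLAT_DARWIN, PLAT_HPUX, PLAT_IRIX, PLAT_SOLARIS, PLAT_TRU64, PLAT_LINUX };

enum pw_kind {
	PW_LOCKED,        /* admin locked the account (passwd -l or equivalent) */
	PW_NO_UNIX_AUTH,  /* Solaris "NP": no UNIX password, but not locked */
	PW_UNREADABLE,    /* Solaris "*NP*": field hidden from this process */
	PW_HASH,          /* looks like crypt(3) output of some scheme */
	PW_OTHER          /* anything else, e.g. "*lock*" from the original report */
};

/* Locked-account test as described for each platform in the thread. */
int field_is_locked(enum platform p, const char *field)
{
	switch (p) {
	case PLAT_DARWIN:
	case PLAT_HPUX:
		return strcmp(field, "*") == 0;            /* literal "*" */
	case PLAT_IRIX:
	case PLAT_SOLARIS:
		return strncmp(field, "*LK*", 4) == 0;     /* "*LK*" as a prefix */
	case PLAT_TRU64:
		return strstr(field, "Nologin") != NULL;   /* substring */
	case PLAT_LINUX:
		return strncmp(field, "!!", 2) == 0;       /* leading "!!" */
	}
	return 0;
}

/* Loose shape check: 13-char DES output, or a "$id$" scheme such as
 * $1$ (MD5), $2a$ (Blowfish), $md5$ (Sun). Not a validator of the hash body. */
int field_is_crypt_hash(const char *field)
{
	size_t i, n = strlen(field);

	if (field[0] == '$') {
		const char *end = strchr(field + 1, '$');
		return end != NULL && end > field + 1 && end[1] != '\0';
	}
	if (n != 13)
		return 0;
	for (i = 0; i < n; i++) {
		char c = field[i];
		if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
		      (c >= '0' && c <= '9') || c == '.' || c == '/'))
			return 0;
	}
	return 1;
}

/* Full classification for Solaris, where the field carries the most states. */
enum pw_kind classify_solaris_field(const char *field)
{
	if (field_is_locked(PLAT_SOLARIS, field))
		return PW_LOCKED;
	if (strcmp(field, "NP") == 0)
		return PW_NO_UNIX_AUTH;
	if (strcmp(field, "*NP*") == 0)
		return PW_UNREADABLE;
	if (field_is_crypt_hash(field))
		return PW_HASH;
	return PW_OTHER;
}

/* The length heuristic proposed in the thread, kept only for comparison. */
int length_heuristic_locked(const char *field)
{
	return strlen(field) != 13;
}

int main(void)
{
	/* constructed sample fields; the hash-looking strings are not real hashes */
	const char *samples[] = { "NP", "*LK*abc", "$1$saltsalt$0123456789abcdefghijkl",
	                          "*lock*", "aBcDeFgHiJkLm", "*NP*" };
	size_t i;

	for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
		printf("%-36s solaris-locked=%d heuristic-locked=%d kind=%d\n",
		       samples[i], field_is_locked(PLAT_SOLARIS, samples[i]),
		       length_heuristic_locked(samples[i]),
		       (int)classify_solaris_field(samples[i]));
	return 0;
}
```

The "NP" and "$1$" rows are the ones the length heuristic gets wrong: both are reported as locked although neither is.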
From: djm at mindrot.org (Damien Miller)
Date: Tue, 21 Oct 2003 10:32:35 +1000
Subject: /dev/random
In-Reply-To: <10310202310.AA23217@optimation.com.au>
References: <10310202310.AA23217@optimation.com.au>
Message-ID: <3F947EA3.5030200@mindrot.org>

Henry Grebler wrote:
> I can't tell if I have a problem with OpenSSH, OpenSSL or with Sun's
> /dev/random (or some combination).

OpenSSL - we rely on the random pool routines there for randomness (unless
you compile with EGD or builtin randomness support).

I don't know whether Sun saves a persistent seed for /dev/random across
boots. They should IMO - there are so many commonalities in the boot process
that the entropy collected there may be compromised.

You could add a "dd if=/dev/urandom of=/var/state/host.random bs=8192 count=1"
to a shutdown script and a symmetrical one to an early startup script.

If Sun had followed the original design considerations for the Linux/BSD
/dev/?random devices this wouldn't work. Manually adding randomness with dd
would (by design) not increase the amount available from /dev/random. If one
wanted added entropy to be debited to that available from /dev/random, then
one had to add it using a special ioctl. The objective here was to make it
easy to "stir" in semi-random data, without compromising the pool's counters.

-d

From rmb at miranda.jpl.nasa.gov Tue Oct 21 15:40:36 2003
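The seed save/restore Damien sketches with dd, as an added example (not from the post) written in C with the file-handling checks a boot script needs. The RNG device and seed file are parameters so it can be exercised against regular files; on a host they would be /dev/urandom and something like /var/state/host.random.

```c
/*
 * Added example, not code from the post: the seed save/restore behind
 * Damien's dd one-liners, with the details a shutdown/startup script needs
 * (0600 permissions, full-length check, atomic replace, and an immediate
 * re-save after restore so one seed is never fed in twice). Device and file
 * paths are parameters so the functions can run against regular files.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

#define SEED_BYTES 8192   /* bs=8192 count=1 in the post */

/* Read exactly n bytes or fail; a device returning short never yields a partial seed. */
static int read_full(int fd, unsigned char *buf, size_t n)
{
	size_t got = 0;
	while (got < n) {
		ssize_t r = read(fd, buf + got, n - got);
		if (r < 0 && errno == EINTR) continue;
		if (r <= 0) return -1;
		got += (size_t)r;
	}
	return 0;
}

static int write_full(int fd, const unsigned char *buf, size_t n)
{
	size_t done = 0;
	while (done < n) {
		ssize_t w = write(fd, buf + done, n - done);
		if (w < 0 && errno == EINTR) continue;
		if (w <= 0) return -1;
		done += (size_t)w;
	}
	return 0;
}

/* Copy SEED_BYTES from rng_dev to seed_file (mode 0600) via a temp file and
 * rename, so a crash mid-write cannot leave a truncated seed. 0 on success. */
int save_seed(const char *rng_dev, const char *seed_file)
{
	unsigned char buf[SEED_BYTES];
	char tmp[4096];
	int fd;

	if (snprintf(tmp, sizeof tmp, "%s.tmp", seed_file) >= (int)sizeof tmp)
		return -1;
	if ((fd = open(rng_dev, O_RDONLY)) < 0)
		return -1;
	if (read_full(fd, buf, sizeof buf) < 0) { close(fd); return -1; }
	close(fd);
	if ((fd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, 0600)) < 0)
		return -1;
	if (write_full(fd, buf, sizeof buf) < 0 || fsync(fd) < 0 || close(fd) < 0 ||
	    rename(tmp, seed_file) < 0) { unlink(tmp); return -1; }
	return 0;
}

/* Feed the saved seed into the pool, then replace the file with fresh output.
 * Writing to /dev/random or /dev/urandom mixes the bytes in but, as the post
 * says, does not raise the entropy estimate; crediting takes the kernel's own
 * ioctl (RNDADDENTROPY on Linux) and root, which a boot script rarely needs.
 * Returns 0 on success, -1 if there is no seed of exactly SEED_BYTES. */
int restore_seed(const char *seed_file, const char *rng_dev)
{
	unsigned char buf[SEED_BYTES];
	struct stat st;
	int fd;

	if (stat(seed_file, &st) < 0 || !S_ISREG(st.st_mode) || st.st_size != SEED_BYTES)
		return -1;
	if ((fd = open(seed_file, O_RDONLY)) < 0)
		return -1;
	if (read_full(fd, buf, sizeof buf) < 0) { close(fd); return -1; }
	close(fd);
	if ((fd = open(rng_dev, O_WRONLY)) < 0)
		return -1;
	if (write_full(fd, buf, sizeof buf) < 0) { close(fd); return -1; }
	close(fd);
	return save_seed(rng_dev, seed_file);   /* never replay this seed */
}

int main(int argc, char **argv)
{
	if (argc == 4 && strcmp(argv[1], "save") == 0)
		return save_seed(argv[2], argv[3]) == 0 ? 0 : 1;
	if (argc == 4 && strcmp(argv[1], "restore") == 0)
		return restore_seed(argv[2], argv[3]) == 0 ? 0 : 1;
	fprintf(stderr, "usage: %s save RNGDEV SEEDFILE | restore SEEDFILE RNGDEV\n", argv[0]);
	return 2;
}
```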
From: rmb at miranda.jpl.nasa.gov (Robert M. Beswick)
Date: Mon, 20 Oct 2003 22:40:36 PDT
Subject: HP-UX 10.20 assistance
Message-ID: <200310210540.WAA28822@miranda.jpl.nasa.gov>

To Whomever can assist,

I am looking for anyone who has gotten OpenSsh 3.7.1p2 to build under
HP-UX 10.20. I am working with the latest gcc (v. 3.3.1), gmake (v. 3.80),
and Openssl (0.9.7c) and I still can not get OpenSsh to build properly.

It errors out on the build process with a:

loginrec.c:1405: dereferencing pointer to incomplete type
cing pointer to incomplete type
loginrec.c:1514: dereferencing pointer to incomplete type
loginrec.c: In function `lastlog_get_entry':
loginrec.c:1520: storage size of `last' isn't known
loginrec.c:1520: warning: unused variable `last'
gmake: *** [loginrec.o] Error 1

I use a configure line of:
(although just a blank ./configure doesn't work either)

$ ./configure --with-ssl-dir=/adm --with-rsh=/usr/bin/remsh --with-tcp-wrappers --bindir=/adm/sbin --libexecdir=/adm/sbin --prefix=/adm --with-prngd-socket=/var/run/egd-pool --with-default-path=/adm/sbin:/usr/sbin:/usr/lbin:/usr/bin --with-xauth=/usr/bin/X11/xauth --with-pid-dir=/var/run

and config.log records:

uname -m = 9000/782
uname -r = B.10.20
uname -s = HP-UX
uname -v = A

Are there some sort of special flags or libraries I need to add to the mix?
Does anyone have configs or Makefiles that could point me the way to
getting this to work? Perhaps a logfile or two?

I will be happy to send gobs of info to anyone who is interested.

Any assistance would be greatly appreciated.

-Robert Beswick

-----------------------------------------------------------------------
Robert Beswick, Jet Propulsion Laboratory/NASA
Multi-Mission Navigation Operations, M/S: 230-205, 4800 Oak Grove Dr.
System and Network Administration.
Pasadena, CA 91109-8099
-----------------------------------------------------------------------
Office: 1-818-393-0539 (230-201GA)
Pager: 1-800-759-8888, pin #: 1365304, option 1#
E-Mail: rmb at miranda.jpl.nasa.gov
-----------------------------------------------------------------------

From Lutz.Jaenicke at aet.TU-Cottbus.DE Tue Oct 21 16:43:04 2003
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Tue, 21 Oct 2003 08:43:04 +0200 Subject: HP-UX 10.20 assistance In-Reply-To: <200310210540.WAA28822@miranda.jpl.nasa.gov> References: <200310210540.WAA28822@miranda.jpl.nasa.gov> Message-ID: <20031021064303.GA16885@serv01.aet.tu-cottbus.de> On Mon, Oct 20, 2003 at 10:40:36PM -0700, Robert M. Beswick wrote: > To Whomever can assist, > > I am looking for anyone who has gotten OpenSsh 3.7.1p2 to build under > HP-UX 10.20. I am working with the latest gcc (v. 3.3.1), gmake (v. 3.80), > and Openssl (0.9.7c) and I still can not get OpenSsh to build properly. > > It errors out on the build process with a: > > loginrec.c:1405: dereferencing pointer to incomplete type > cing pointer to incomplete type > loginrec.c:1514: dereferencing pointer to incomplete type > loginrec.c: In function `lastlog_get_entry': > loginrec.c:1520: storage size of `last' isn't known > loginrec.c:1520: warning: unused variable `last' > gmake: *** [loginrec.o] Error 1 Do you have HP's ANSI C compiler available as well? It is known to work for me :-) Anyway: I only have a much outdated version of gcc installed. As gcc tends to have its own "rewritten" header files available this might well be a compiler specific issue. Therefore I would only start thinking if you don't have HP's compiler around... Best regards, Lutz PS. My configure options (I do keep my own remsh copy locally, YMMV): CC=cc CFLAGS="+O4 +Oall +Onolimit +Olibcalls" ./configure --with-cflags="+DAportable" --with-zlib=/usr/local --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-rsh=/usr/local/lib/rsh/remsh --with-tcp-wrappers --with-default-path="/usr/local/openssh/bin:/usr/bin:/usr/local/bin" --with-pid-dir=/var/run -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus From larsch at trustcenter.de Tue Oct 21 18:26:23 2003 
From: larsch at trustcenter.de (Nils Larsch) Date: Tue, 21 Oct 2003 10:26:23 +0200 Subject: SSH/SSL Help... In-Reply-To: <20031017170421.86932.qmail@web20006.mail.yahoo.com> References: <20031017170421.86932.qmail@web20006.mail.yahoo.com> Message-ID: <3F94EDAF.1040009@trustcenter.de> joey doughly wrote: > Hello Everybody, > I am porting SSH to the AS400 and am having some > problems in the linking stage. There are some SSL > components that have function prototypes defined but > no function definitions for the prototypes. Functions > like PBEPARAM_free from the file p5_pbe.c and > DSA_SIG_free from the file dsa_asn1.c. I have noticed > that these functions are both prototyped and defined > in the 0.9.6k version release of SSL but I am working > with the 0.9.7b release where they are not defined. > Can anyone help me out? DSA_SIG_free is defined in crypto/dsa_asn1.c via the IMPLEMENT_ASN1_FUNCTIONS_const macro (see crypto/asn1/asn1t.h). The same is true for PBEPARAM_free. Nils From aphor at speakeasy.net Wed Oct 22 02:01:09 2003 
From: aphor at speakeasy.net (aphor at speakeasy.net)
Date: Tue, 21 Oct 2003 16:01:09 +0000
Subject: Fwd: Re: Bus Error with OpenSSH 3.7.1p2 on Solaris 8, SPARC 64-bit
Message-ID:

The story of this problem, AFAIK, is that Solaris 8 YASSP and JASS and
vigilant/paranoid sysadmins have been known to set a restrictive umask in
/etc/default/login. OpenSSH compatibility for Solaris 8 has been spotty at
times for sparcv9 targets. This time, when a sparcv9 binary tries to
sscanf(3C) the numeric umask as a long octal and put it in a mode_t, SIGBUS
happens.

What this looks like in real life is: You are running a 64 bit
OpenSSH_3.7.1p2 sshd on Solaris 8, and you have enforced UMASK in
/etc/default/login. You try to log into this sshd, but after all the
authentication and channel setup, just before you get your shell/command
executed *POOF*. The daemon is getting a SIGBUS trying to handle the UMASK
from /etc/default/login with sscanf(3C);

It just so happens that I'm using gcc-3.3.1, and I can't say this is
definitely an OS or libC or compiler issue. However, the 32 bit binary
works, and the 64 bit binary SIGBUSes. Here is a demo that will work whether
you are YASSP/JASS hardened or whatever (because the umask is hard-coded
instead of read from /etc/default/login).

---cut---
#include <stdio.h>      /* the header names did not survive the archive; these cover printf/sscanf and mode_t */
#include <sys/types.h>
#include <sys/stat.h>

int main (){
    char var[4] = "777\0";
    mode_t mask;
    printf("Test case: UMASK=%s in /etc/default/login.\n",var);
    printf("Reading var for a regular octal value: \n");
    sscanf(var, "%5o", &mask);
    printf("\tUMASK=%o\n",mask);
    printf("Reading var for a long octal value: \n");
    /*** expect a SIGBUS here ***/
    sscanf(var, "%5lo", &mask);
    printf("\tUMASK=%o\n",mask);
}
---cut---

This bug is in session.c. It is only exposed AFAIK on 64 bit binaries running
on hardened (default umask is set) Solaris boxes. I'm not sure why session.c
needs to sscanf a long octal. Can someone try this with Forte compilers? Can
we get by with sscanf(var, "%5o", &mask)? What is the *right* thing to do
here?
--- Jeremy From dtucker at zip.com.au Wed Oct 22 02:20:40 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 22 Oct 2003 02:20:40 +1000 Subject: Fwd: Re: Bus Error with OpenSSH 3.7.1p2 on Solaris 8, SPARC 64-bit References: Message-ID: <3F955CD8.7F19F3CE@zip.com.au> aphor at speakeasy.net wrote: > This time, when a sparcv9 binary tries to sscanf(3C) the numeric umask > as a long octal and put it in a mode_t, SIGBUS happens. Yep, it's a bug. Attached is the patch that went into the tree a while back. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: openssh_cvs/ChangeLog diff -u openssh_cvs/ChangeLog:1.3052 openssh_cvs/ChangeLog:1.3053 --- openssh_cvs/ChangeLog:1.3052 Thu Oct 2 17:32:30 2003 +++ openssh_cvs/ChangeLog Thu Oct 2 20:07:09 2003 @@ -31,6 +31,8 @@ - (dtucker) [configure.ac] Don't set DISABLE_SHADOW when configuring --with-pam. ok djm@ - (dtucker) [ssh-gss.h] Prototype change missed in sync. + - (dtucker) [session.c] Fix bus errors on some 64-bit Solaris configurations. + Based on patches by Matthias Koeppe and Thomas Baden. ok djm@ 20030930 - (bal) Fix issues in openbsd-compat/realpath.c @@ -1266,4 +1268,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple at murple.net, diagnosis from dtucker at zip.com.au -$Id: ChangeLog,v 1.3052 2003/10/02 07:32:30 dtucker Exp $ +$Id: ChangeLog,v 1.3053 2003/10/02 10:07:09 dtucker Exp $ Index: openssh_cvs/session.c diff -u openssh_cvs/session.c:1.256 openssh_cvs/session.c:1.257 --- openssh_cvs/session.c:1.256 Thu Oct 2 16:12:37 2003 +++ openssh_cvs/session.c Thu Oct 2 20:07:09 2003 @@ -906,7 +906,7 @@ { char **tmpenv = NULL, *var; u_int i, tmpenvsize = 0; - mode_t mask; + u_long mask; /* * We don't want to copy the whole file to the child's environment, 
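Review bot: the `- mode_t mask;` / `+ u_long mask;` change fixes the crash for the right reason, but that reason is recorded nowhere near the declaration: `sscanf(var, "%5lo", &mask)` stores sizeof(long) bytes, and on LP64 Solaris mode_t is narrower, which is exactly the SIGBUS this thread reports. A one-line comment such as `u_long mask; /* target for "%5lo"; mode_t is narrower on LP64 */` would keep the next cleanup from turning it back into mode_t. The ChangeLog entry "Fix bus errors on some 64-bit Solaris configurations" could likewise name the cause (long vs mode_t width) rather than only the symptom.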
@@ -927,7 +927,7 @@ if ((var = child_get_env(tmpenv, "UMASK")) != NULL) if (sscanf(var, "%5lo", &mask) == 1) - umask(mask); + umask((mode_t)mask); for (i = 0; tmpenv[i] != NULL; i++) xfree(tmpenv[i]); From lindysandiego at yahoo.com Wed Oct 22 03:41:57 2003 
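Review bot: `umask((mode_t)mask)` casts without any bounds check, and `%5lo` accepts up to five octal digits, so a UMASK of, say, 77777 in /etc/default/login is silently truncated to whatever fits in mode_t and then applied. Suggest skipping the `umask()` call and logging the value when `mask > 0777`, since an out-of-range entry is a misconfiguration the admin would rather see than a surprising umask.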
From: lindysandiego at yahoo.com (Thomas Baden) Date: Tue, 21 Oct 2003 10:41:57 -0700 (PDT) Subject: Bus Error with OpenSSH 3.7.1p2 on Solaris 8, SPARC 64-bit In-Reply-To: Message-ID: <20031021174157.58428.qmail@web20709.mail.yahoo.com> I do my compilations with the Forte C compiler on Solaris 8 hardened with YASSP. The best I can determine is that when compiling 64-bit Sparcv9 code, a LONG is 64-bits. On the other hand, Mode_T appears to be a 32-bit value. So when doing a scanf of a long, the code was assuming that a mode_t and a long are the same size. The patch which Darren sent steps around this issue by letting session.c read a long, and then casts that to mode_t when the value is referenced. Cheers, -Thomas --- aphor at speakeasy.net wrote: > The story of this problem, AFAIK, is that Solaris 8 > YASSP and JASS and vigilant/paranoid sysadmins have > been known to set a restricitve umask in > /etc/default/login. OpenSSH compatibility for > Solaris 8 has been spotty at times for sparcv9 > targets. This time, when a sparcv9 binary tries to > sscanf(3C) the numeric umask as a long octal and put > it in a mode_t, SIGBUS happens. > > What this looks like in real life is: You are > running a 64 bit OpenSSH_3.7.1p2 > sshd on Solaris 8, and you have enforced UMASK in > /etc/default/login. You try to log into this sshd, > but after all the authentication and channel setup, > just before you get your shell/command executed > *POOF*. The daemon is getting a SIGBUS trying to > handle the UMASK from /etc/default/login with > sscanf(3C); > > It just so happens that I'm using gcc-3.3.1, and I > can't say this is definitely an OS or libC or > compiler issue. However, the 32 bit binary works, > and the 64 bit binary SIGBUSes. Here is a demo that > will work whether you are YASSP/JASS hardenened or > whatever (because the umask is hard-coded instead of > read from /etc/default/login). 
> > ---cut--- > #include > #include > #include > > int main (){ > char var[4] = "777\0"; > mode_t mask; > printf("Test case: UMASK=%s in > /etc/default/login.\n",var); > printf("Reading var for a regular octal value: > \n"); > sscanf(var, "%5o", &mask); > printf("\tUMASK=%o\n",mask); > printf("Reading var for a long octal value: \n"); > /*** expect a SIGBUS here ***/ > sscanf(var, "%5lo", &mask); > printf("\tUMASK=%o\n",mask); > } > ---cut--- > > This bug is in session.c. It is only exposed AKAIK > on 64 bit binaries running on hardened (default > umask is set) Solaris boxes. I'm not sure why > session.c needs to sscanf a long octal. Can someone > try this with Forte compilers? Can we get by with > sscanf(var, "%5o", &mask)? What is the *right* thing > to do here? > > --- > Jeremy __________________________________ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com From v_t_m at seznam.cz Wed Oct 22 05:12:12 2003 
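An added example, not OpenSSH's session.c, of the approach the committed fix takes (scan into an unsigned long, then cast to mode_t) plus the range check a practitioner would add; the /etc/default/login text is constructed and the line-lookup helper is mine, standing in for session.c's child_get_env().

```c
/*
 * Added example, not OpenSSH's session.c: parse a UMASK value the way the fix
 * in the thread does (scan into an unsigned long, cast to mode_t), with a
 * range check. The /etc/default/login content is constructed; find_umask_var()
 * is my own stand-in for the child_get_env() lookup in session.c.
 */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Why the original crashed on sparcv9: "%lo" stores sizeof(long) bytes,
 * but mode_t is narrower than long on LP64 targets. */
int umask_target_widths_differ(void)
{
	return sizeof(long) != sizeof(mode_t);
}

/* Returns 1 and stores the mask on success, 0 if the value is missing,
 * not octal, has trailing junk, or exceeds the three umask digits. */
int parse_umask_value(const char *var, mode_t *out)
{
	unsigned long mask;   /* long-sized target, as in the committed fix */
	char junk;

	if (var == NULL)
		return 0;
	/* "%5lo" as in session.c; the "%c" catches anything after the digits */
	if (sscanf(var, "%5lo%c", &mask, &junk) != 1)
		return 0;
	/* five octal digits allow 077777, far more than a umask can use */
	if (mask > 0777)
		return 0;
	*out = (mode_t)mask;
	return 1;
}

/* Helper for callers that only want the value: the mask, or -1 when rejected. */
long parse_umask_or_minus1(const char *var)
{
	mode_t m;
	return parse_umask_value(var, &m) ? (long)m : -1;
}

/* Find "UMASK=value" at the start of a line in file-style text and copy the
 * value into buf. Returns buf, or NULL when absent or too long for buf. */
const char *find_umask_var(const char *text, char *buf, size_t buflen)
{
	const char *line = text;

	while (*line != '\0') {
		const char *eol = strchr(line, '\n');
		size_t len = eol ? (size_t)(eol - line) : strlen(line);

		if (len > 6 && strncmp(line, "UMASK=", 6) == 0) {
			size_t vlen = len - 6;
			if (vlen >= buflen)
				return NULL;
			memcpy(buf, line + 6, vlen);
			buf[vlen] = '\0';
			return buf;
		}
		if (eol == NULL)
			break;
		line = eol + 1;
	}
	return NULL;
}

/* Apply the umask from default/login-style text. Returns the mask applied,
 * or -1 when nothing valid was found (the process umask is then left alone). */
long apply_umask_from_text(const char *text)
{
	char buf[16];
	mode_t mask;

	if (find_umask_var(text, buf, sizeof buf) == NULL || !parse_umask_value(buf, &mask))
		return -1;
	umask(mask);
	return (long)mask;
}

int main(void)
{
	/* constructed sample; hardened Solaris images set UMASK here */
	const char *login_defaults = "# /etc/default/login (sample)\nTIMEOUT=300\nUMASK=027\nSYSLOG=YES\n";
	long applied = apply_umask_from_text(login_defaults);

	printf("long and mode_t differ in width: %d\n", umask_target_widths_differ());
	printf("umask applied: %lo\n", applied);
	return 0;
}
```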
From: v_t_m at seznam.cz (Václav Tomec)
Date: Tue, 21 Oct 2003 21:12:12 +0200 (CEST)
Subject: Challenge response auth & more devices
Message-ID: <110932.405599-7570-1716167282-1066763532@seznam.cz>

Hello all,

during tests of my SecurID patch I found a small mistake (maybe) in the
initialization of kbd-int devices. When kbdintctxt->device->init_ctx(authctxt)
returns NULL, the whole challenge response authentication is stopped regardless
of the availability of the next devices. A small patch solving this situation
is attached.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: auth2-chall.patch
Type: application/octet-stream
Size: 818 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20031021/020633bb/attachment.obj

From dcole at keysoftsys.com Wed Oct 22 05:25:48 2003
From: dcole at keysoftsys.com (Darren Cole)
Date: Tue, 21 Oct 2003 12:25:48 -0700
Subject: HP-UX 10.20 assistance
In-Reply-To: <200310210540.WAA28822@miranda.jpl.nasa.gov>
Message-ID: <5FDABE0C-03FC-11D8-B045-000A95E310BA@keysoftsys.com>

Robert,

I have gotten it to compile on hp-ux 10.26 with gcc 3.3.1. and gmake 3.74.
I don't know what version of openssl I used, but I think it was the latest
as of a few weeks ago. Once compiled only the client works correctly. sshd
doesn't work (at least not built straight from openssh's source). So I'm
not seeing the compile problems you describe (maybe 10.26 is enough
different not to have that set of problems). Of course once you get it
compiling you're more likely to have a working sshd as 10.26 sshd problems
have generally been because of the Trusted CMW features.

I suppose you could try setting DISABLE_LASTLOG in your config.h, but since
I'm not having the problem I am only guessing. The comments say that will
disable ever trying to get lastlog info. Looking at the loginrec.c I am
guessing that lastlog structs are giving you problems. Might get you
compiling even if ultimately it isn't the final solution.

--
Darren Cole
email: dcole at keysoftsys.com
alternate email: virr at virr.net

From Steve.Belt at motorola.com Wed Oct 22 06:17:55 2003
From: Steve.Belt at motorola.com (Steve Belt (rgpg70))
Date: Tue, 21 Oct 2003 15:17:55 -0500
Subject: issue with 3.7.1p2
Message-ID: <3F959473.BD882B9@motorola.com>

Hello,

I have recently downloaded and compiled version 3.7.1p2 of openssh, but am
having authentication issues with it. I have been using 3.6.1p1 with no
problems. Both versions were compiled on the same Solaris 8 host. That host
uses ldap for its name service. Both were compiled using the same openssh
config options:

--prefix=/opt/openssh --with-pam --with-zlib=/opt/openssh/lib

However, the 3.7.1p2 version will not let me (as a regular user) login. I
get the all-too-familiar error:

Permission denied (publickey,password,keyboard-interactive)

I did the compiles the exact same way. Why would one compile work, but not
the other? I would like to migrate to the newer version, since it has some
security fixes. Is there something I need to do during compile, or is this
a runtime configuration thing?

Thanks in advance,
Steve

--
Steve "Wheat" Belt          Motorola, Inc.
Steve.Belt at motorola.com  6501 William Cannon Dr. West, MD OE341
512-895-2268                Austin, TX 78735

From mouring at etoh.eviladmin.org Wed Oct 22 06:30:44 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 21 Oct 2003 15:30:44 -0500 (CDT)
Subject: issue with 3.7.1p2
In-Reply-To: <3F959473.BD882B9@motorola.com>
Message-ID:

If you are using pam please go into your sshd_config and put in:

UsePam yes

- Ben

On Tue, 21 Oct 2003, Steve Belt (rgpg70) wrote:

> Hello,
>
> I have recently downloaded and compiled version 3.7.1p2 of openssh, but am
> having authentication issues with it. I have been using 3.6.1p1 with no
> problems. Both versions were compiled on the same Solaris 8 host. That
> host uses ldap for its name service. Both were compiled using the same
> openssh config options:
>
> --prefix=/opt/openssh --with-pam --with-zlib=/opt/openssh/lib
>
> However, the 3.7.1p2 version will not let me (as a regular user) login.
> I get the all-too-familiar error:
>
> Permission denied (publickey,password,keyboard-interactive)
>
> I did the compiles the exact same way. Why would one compile work, but
> not the other? I would like to migrate to the newer version, since it
> has some security fixes. Is there something I need to do during
> compile, or is this a runtime configuration thing?
>
> Thanks in advance,
> Steve

From Steve.Belt at motorola.com Wed Oct 22 06:46:12 2003
From: Steve.Belt at motorola.com (Steve Belt (rgpg70))
Date: Tue, 21 Oct 2003 15:46:12 -0500
Subject: issue with 3.7.1p2
References:
Message-ID: <3F959B14.FD30A797@motorola.com>

Hi Ben,

Thanks for the reply. I assumed that since the defaults (according to the header in the sshd_config file) were commented out, UsePAM was already being utilized, since the file contained the line "#UsePAM yes." I went ahead and uncommented the line anyway and it now works. I wonder if the other "defaults" are incorrect as well? Anyway, thanks for the info. Saved a lot of headaches!

Cheers,
Steve

Ben Lindstrom wrote:

> If you are using pam please go into your sshd_config and put in:
>
> UsePam yes
>
> - Ben
>
> On Tue, 21 Oct 2003, Steve Belt (rgpg70) wrote:
>
> > Hello,
> >
> > I have recently downloaded and compiled version 3.7.1p2 of openssh, but am
> > having authentication issues with it. I have been using 3.6.1p1 with no
> > problems. Both versions were compiled on the same Solaris 8 host. That
> > host uses ldap for its name service. Both were compiled using the same
> > openssh config options:
> >
> > --prefix=/opt/openssh --with-pam --with-zlib=/opt/openssh/lib
> >
> > However, the 3.7.1p2 version will not let me (as a regular user) login.
> > I get the all-too-familiar error:
> >
> > Permission denied (publickey,password,keyboard-interactive)
> >
> > I did the compiles the exact same way. Why would one compile work, but
> > not the other? I would like to migrate to the newer version, since it
> > has some security fixes. Is there something I need to do during
> > compile, or is this a runtime configuration thing?
> >
> > Thanks in advance,
> > Steve

From mouring at etoh.eviladmin.org Wed Oct 22 07:01:21 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 21 Oct 2003 16:01:21 -0500 (CDT)
Subject: issue with 3.7.1p2
In-Reply-To: <3F959B14.FD30A797@motorola.com>
Message-ID:

No, that is the only incorrect default. It was missed in a last minute change before p2 release where we decided PAM (like Kerb, etc) are not to be enabled by default.

The sshd_config has been corrected in the current CVS tree.

- Ben

On Tue, 21 Oct 2003, Steve Belt (rgpg70) wrote:

> Hi Ben,
>
> Thanks for the reply. I assumed that since the defaults (according to the
> header in the sshd_config file) were commented out, UsePAM was already
> being utilized, since the file contained the line "#UsePAM yes." I went
> ahead and uncommented the line anyway and it now works. I wonder if the
> other "defaults" are incorrect as well? Anyway, thanks for the info.
> Saved a lot of headaches!
>
> Cheers,
> Steve
>
> Ben Lindstrom wrote:
>
> > If you are using pam please go into your sshd_config and put in:
> >
> > UsePam yes
> >
> > - Ben
> >
> > On Tue, 21 Oct 2003, Steve Belt (rgpg70) wrote:
> >
> > > Hello,
> > >
> > > I have recently downloaded and compiled version 3.7.1p2 of openssh, but am
> > > having authentication issues with it. I have been using 3.6.1p1 with no
> > > problems. Both versions were compiled on the same Solaris 8 host. That
> > > host uses ldap for its name service. Both were compiled using the same
> > > openssh config options:
> > >
> > > --prefix=/opt/openssh --with-pam --with-zlib=/opt/openssh/lib
> > >
> > > However, the 3.7.1p2 version will not let me (as a regular user) login.
> > > I get the all-too-familiar error:
> > >
> > > Permission denied (publickey,password,keyboard-interactive)
> > >
> > > I did the compiles the exact same way. Why would one compile work, but
> > > not the other? I would like to migrate to the newer version, since it
> > > has some security fixes. Is there something I need to do during
> > > compile, or is this a runtime configuration thing?
> > >
> > > Thanks in advance,
> > > Steve

From Steve.Belt at motorola.com Wed Oct 22 07:49:45 2003
From: Steve.Belt at motorola.com (Steve Belt (rgpg70))
Date: Tue, 21 Oct 2003 16:49:45 -0500
Subject: issue with 3.7.1p2
References:
Message-ID: <3F95A9F9.D0B6343D@motorola.com>

Ben,

Now that I have set "UsePAM yes" I am seeing another issue. When a user types in the wrong password, there is a long delay and then the message "Connection closed" appears. With 3.6.1p1, a wrong password would result in an immediate message "Permission denied, please try again" and the user would be asked to re-enter the password. I can reduce the delay by setting "LoginGraceTime" to some smaller number, but why does the connection close instead of asking for another password?

Cheers,
Steve

Ben Lindstrom wrote:

> No, that is the only incorrect default. It was missed in a last minute
> change before p2 release where we decided PAM (like Kerb, etc) are not to
> be enabled by default.
>
> The sshd_config has been corrected in the current CVS tree.
>
> - Ben
>
> On Tue, 21 Oct 2003, Steve Belt (rgpg70) wrote:
>
> > Hi Ben,
> >
> > Thanks for the reply. I assumed that since the defaults (according to the
> > header in the sshd_config file) were commented out, UsePAM was already
> > being utilized, since the file contained the line "#UsePAM yes." I went
> > ahead and uncommented the line anyway and it now works. I wonder if the
> > other "defaults" are incorrect as well? Anyway, thanks for the info.
> > Saved a lot of headaches!
> >
> > Cheers,
> > Steve
> >
> > Ben Lindstrom wrote:
> >
> > > If you are using pam please go into your sshd_config and put in:
> > >
> > > UsePam yes
> > >
> > > - Ben
> > >
> > > On Tue, 21 Oct 2003, Steve Belt (rgpg70) wrote:
> > >
> > > > Hello,
> > > >
> > > > I have recently downloaded and compiled version 3.7.1p2 of openssh, but am
> > > > having authentication issues with it. I have been using 3.6.1p1 with no
> > > > problems. Both versions were compiled on the same Solaris 8 host. That
> > > > host uses ldap for its name service. Both were compiled using the same
> > > > openssh config options:
> > > >
> > > > --prefix=/opt/openssh --with-pam --with-zlib=/opt/openssh/lib
> > > >
> > > > However, the 3.7.1p2 version will not let me (as a regular user) login.
> > > > I get the all-too-familiar error:
> > > >
> > > > Permission denied (publickey,password,keyboard-interactive)
> > > >
> > > > I did the compiles the exact same way. Why would one compile work, but
> > > > not the other? I would like to migrate to the newer version, since it
> > > > has some security fixes. Is there something I need to do during
> > > > compile, or is this a runtime configuration thing?
> > > >
> > > > Thanks in advance,
> > > > Steve

From ashok at visolve.com Wed Oct 22 20:20:22 2003
From: ashok at visolve.com (Ashok)
Date: Wed, 22 Oct 2003 15:50:22 +0530
Subject: (no subject)
Message-ID: <020f01c39886$1f947b10$240110ac@aslco>

From kutek at cybercomm.net Wed Oct 22 21:56:04 2003
From: kutek at cybercomm.net (kutek at cybercomm.net)
Date: Wed, 22 Oct 2003 07:56:04 -0400
Subject: sshd 3.7.1p1 and 3.7.1p2 on 2.0.39 linux kernel crashes
Message-ID: <20031022115604.GC30662@cybercomm.net>

since 3.7.1 sshd from openssh refuses to run on Linux 2.0.X kernels.

debug log output shows the following:

localhost sshd[182]: fatal: setresgid 105: Function not implemented

an examination of the linux programmers man pages reveals that this function was not implemented until kernel 2.1.44 and is thus not available to 2.0.X systems.

there were no compile problems, probably due to the glibc/linux header weirdness, and the rest of the package seems to function... though i suspect that the sftp server may have the same problem (i haven't tested it).

prior openssh versions did not display this problem.

thanks for your assistance,
fractoid

From dtucker at zip.com.au Wed Oct 22 22:07:48 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 22 Oct 2003 22:07:48 +1000
Subject: sshd 3.7.1p1 and 3.7.1p2 on 2.0.39 linux kernel crashes
References: <20031022115604.GC30662@cybercomm.net>
Message-ID: <3F967314.92E1D532@zip.com.au>

kutek at cybercomm.net wrote:
>
> since 3.7.1 sshd from openssh refuses to run on Linux 2.0.X kernels.
>
> debug log output shows the following:
>
> localhost sshd[182]: fatal: setresgid 105: Function not implemented

Comment out HAVE_SETRESUID and HAVE_SETRESGID from config.h after running configure, re-run make.

Read all about it here: http://bugzilla.mindrot.org/show_bug.cgi?id=645

--
Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

From mqing at csee.wvu.edu Fri Oct 24 01:05:26 2003
From: mqing at csee.wvu.edu (mqing at csee.wvu.edu)
Date: Thu, 23 Oct 2003 11:05:26 -0400 (EDT)
Subject: Help on pam authentication with Openssh3.7.1p2
Message-ID: <33658.157.182.195.139.1066921526.squirrel@www.csee.wvu.edu>

Hi all:

I have recently updated to openssh3.7.1p2, then my pam authentication broke. I have followed the advice to modify my configuration file sshd_conf and set

UsePAM yes
PasswordAutentication no
ChallengeResponseAuthentication yes

but it still doesn't work. I have modified pam.conf to this.

sshd auth requiste pam_authtok_get.so.1
sshd auth required pam_dhkeys.so.1
sshd auth sufficient pam_unix_auth.so.1
sshd auth required pam_ldap.so.1 try_first_pass
sshd account required pam_unix_account.so.1

No improvement either. Do I need to use solarisLDAP instead of OpenLdap? Any other suggestion?

Thanks so much!
Mei Qing

From Sankar.Subburathinam at three.co.uk Fri Oct 24 03:17:26 2003
From: Sankar.Subburathinam at three.co.uk (Sankar Subburathinam)
Date: Thu, 23 Oct 2003 18:17:26 +0100
Subject: (no subject)
Message-ID: <188DC86F099ABD47A6A3D89FE420E38507279B1C@libra.corpuk.net>

Regards,
Sankar
Hutchison 3G UK Ltd
Work: 1628 765780
Mobile: 07970768423

From Darren.Moffat at Sun.COM Fri Oct 24 10:40:15 2003
From: Darren.Moffat at Sun.COM (Darren J Moffat)
Date: Thu, 23 Oct 2003 17:40:15 -0700 (PDT)
Subject: Help on pam authentication with Openssh3.7.1p2
In-Reply-To: <33658.157.182.195.139.1066921526.squirrel@www.csee.wvu.edu>
References: <33658.157.182.195.139.1066921526.squirrel@www.csee.wvu.edu>
Message-ID:

On Thu, 23 Oct 2003 mqing at csee.wvu.edu wrote:

> Hi all:
> I have recently updated to openssh3.7.1p2, then my pam authentication
> broke. I have followed the advice to modify my configuration file
> sshd_conf and set UsePAM yes PasswordAutentication no
> ChallengeResponseAuthentication yes
>
> but it still doesn't work. I have modified pam.conf to this.

Please define "doesn't work".

Also, which Solaris release is this and which patches do you have installed?

> No improvement either. Do I need to use solarisLDAP instead of OpenLdap?

Does the same configuration of pam.conf "work for you" when telnet is used? [ie do you have a PAM or LDAP problem or an OpenSSH problem].

--
Darren J Moffat

From c.bird_ph at 12move.nl Sat Oct 25 01:58:20 2003
From: c.bird_ph at 12move.nl (Cheryl A. Bird)
Date: Fri, 24 Oct 2003 15:58:20 +0000
Subject: hi
Message-ID: <3F994C1C.13430A82@12move.nl>

From rjwill at cis.upenn.edu Sat Oct 25 03:03:18 2003
From: rjwill at cis.upenn.edu (Robert Williams)
Date: Fri, 24 Oct 2003 13:03:18 -0400
Subject: openssh3.7.1p2 + krb5 round-robin dns issue
Message-ID: <20031024170318.GE23057@ididntdoit.cis.upenn.edu>

Hello All,

I've encountered a problem with OpenSSH_3.7.1p2 and krb5 authentication that I did not have using previous OpenSSH versions and krb5. I have a group of machines that are all listed as addresses for hostname.domain.blah via round-robin dns. When attempting to ssh to hostname.here.blah using krb5 auth, I get the following error:

(client side)
debug1: Authentications that can continue: publickey,gssapi,password,hostbased
debug1: Next authentication method: gssapi
debug1: Miscellaneous failure
Generic error (see e-text)

I don't see anything useful in the daemon logs. ssh w/krb5 works fine if ssh'ing to all of these machines using their FQDN, but does not work using the round-robin dns hostname.

Has anyone else experienced a similar problem?

Thanks,
~ Bob

From bankygxer at t-online.de Fri Oct 24 17:02:22 2003
From: bankygxer at t-online.de (Bank)
Date: Fri, 24 Oct 2003 17:02:22 +1000
Subject: Please call back urgently
Message-ID: <71a501c399fc$c5a0e490$7f921858@qebkpndj>

From orban at comcast.net Sat Oct 25 12:55:33 2003
From: orban at comcast.net (Tom Orban)
Date: Fri, 24 Oct 2003 20:55:33 -0600
Subject: HP-UX 11i not using DNS
Message-ID: <3F99E625.EB03F99A@comcast.net>

Hello,

I've compiled openssh 3.7.1p2 on HP-UX 11i. Everything generally seems to work except that ssh does not seem to use DNS to resolve names. If I ssh to a machine, it only works if that machine is listed in my local hosts file. I've absolutely checked /etc/nsswitch.conf, to no avail. (I've verified the changes I've made in nsswitch.conf by using telnet. If I put "files" only on the hosts line in nsswitch, telnet says "Unknown host". Then if I put "files dns" telnet works, but obviously ssh still doesn't work. I've also just put "dns" on the hosts line in nsswitch, but still have the same problem.) Oh yeah, giving the fully qualified name makes no difference.

Here's the only thing I get when ssh'ing to a machine not in /etc/hosts:

thor> ssh merlin
ssh: merlin: host nor service provided, or not known

I checked the ssh source; the "host nor service provided, or not known" message isn't from there. It appears to be a message out of /usr/lib/libc.2

It appears to be limited to 11i, as I've got the same version of ssh (3.7.1p2) compiled on 11.00 working with no problems at all.

Has anyone else run across this, or something similar?

Thanks for any info you can provide.
-Tom

From shashank at mia.ece.uic.edu Sun Oct 26 05:36:59 2003
From: shashank at mia.ece.uic.edu (Shashank Khanvilkar)
Date: Sat, 25 Oct 2003 13:36:59 -0500 (CDT)
Subject: How to contribute code
In-Reply-To: <3F994C1C.13430A82@12move.nl>
Message-ID:

Hi,

Is there any How-to/tutorial which I can use to integrate my own crypto code into the openssl library (for my use only)?

Or

Is hacking into the OpenSSL source code the only way to start?

Any help appreciated.
Shank

From mouring at etoh.eviladmin.org Sun Oct 26 06:15:09 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sat, 25 Oct 2003 14:15:09 -0500 (CDT)
Subject: How to contribute code
In-Reply-To:
Message-ID:

Please contact the OpenSSL group and not the OpenSSH group. We are not the same.

http://www.openssl.org/support/

- Ben

On Sat, 25 Oct 2003, Shashank Khanvilkar wrote:

> Hi,
>
> Is there any How-to/tutorial which I can use to integrate my own
> crypto code into the openssl library (for my use only)?
>
> Or
>
> Is hacking into the OpenSSL source code the only way to start?
>
> Any help appreciated.
> Shank

From ccochran_cm at btclick.com Sun Oct 26 11:55:49 2003
From: ccochran_cm at btclick.com (Cedric Cochran)
Date: Sun, 26 Oct 2003 00:55:49 +0000
Subject: hi
Message-ID: <3F9B1B95.79B72AFC@btclick.com>

From dwmw2 at infradead.org Sun Oct 26 21:50:27 2003
From: dwmw2 at infradead.org (David Woodhouse)
Date: Sun, 26 Oct 2003 10:50:27 +0000
Subject: getsockopt TCP_NODELAY: Socket operation on non-socket
Message-ID: <1067165427.888.32.camel@imladris.demon.co.uk>

We get the warning above whenever we use a ProxyCommand. We _know_ it's a pipe, so we can't use sockopts on it. So we shouldn't bitch about it.

This breaks all kinds of things which use SSH transparently; including pine, which really wants the first thing it receives from an IMAP server to be a valid imap greeting... which $subject is not.

$ ssh -o "proxycommand sh -c '( echo CONNECT %h:%p HTTP/1.0; echo; cat ) | nc 192.168.0.1 3128'" pentafluge.infradead.org exec bin/courier-imap.sh
getsockopt TCP_NODELAY: Socket operation on non-socket
* PREAUTH Ready.

In fact, it's probably never necessary to bitch about it, so let's make it a debug message only...

Index: misc.c =================================================================== RCS file: /cvs/openssh/misc.c,v retrieving revision 1.37 diff -u -p -r1.37 misc.c --- misc.c 22 Sep 2003 11:04:23 -0000 1.37 +++ misc.c 26 Oct 2003 10:48:35 -0000 @@ -97,7 +97,7 @@ set_nodelay(int fd) optlen = sizeof opt; if (getsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt, &optlen) == -1) { - error("getsockopt TCP_NODELAY: %.100s", strerror(errno)); + debug("getsockopt TCP_NODELAY: %.100s", strerror(errno)); return; } if (opt == 1) {

--
dwmw2

From emh at hvidevold.cjb.net Mon Oct 27 04:56:50 2003
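Review bot: changing error() to debug() unconditionally in the `if (getsockopt(...) == -1)` branch hides every getsockopt() failure, not only the ProxyCommand pipe case the message describes. Test the expected errno and stay loud for the rest, e.g. `if (errno == ENOTSOCK) { debug(...); return; }` followed by the existing `error(...)`, or check the descriptor with fstat() and S_ISSOCK() before calling getsockopt() at all. A one-line comment saying that a ProxyCommand hands set_nodelay() a pipe would also record why the call is allowed to fail.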
From: emh at hvidevold.cjb.net (Eivind Magnus Hvidevold)
Date: Sun, 26 Oct 2003 18:56:50 +0100
Subject: setlogin failed: Function not implemented
Message-ID: <20031026175649.GA7708@giediprime>

I'm using openssh-3.7.1p2 on Linux.

I keep getting setlogin errors in /var/log/messages:
Oct 26 18:44:22 giediprime sshd[7774]: Accepted publickey for root from 127.0.0.1 port 39310 ssh2
Oct 26 18:44:22 giediprime sshd[7776]: error: setlogin failed: Function not implemented

Running LFS 4.0. Happens both on 2.6.0-test8 and 2.4.22-ac1.

When configuring openssh I get this in config.log:
configure:6557: checking for setlogin
configure:6594: gcc -o conftest -g -O2 -Wall -Wpointer-arith -Wno-uninitialized conftest.c -lutil -lz -lnsl >&5
/tmp/cc4nGZCj.o: In function `main':
/tmp/build/openssh-3.7.1p2/configure:6585: warning: setlogin is not implemented and will always fail
configure:6597: $? = 0
configure:6600: test -s conftest
configure:6603: $? = 0
configure:6613: result: yes

Also noting that there is no #if defined(HAVE_SETLOGIN) or similar surrounding the offending call at session.c:1259;

if (setlogin(pw->pw_name) < 0)
	error("setlogin failed: %s", strerror(errno));

Please CC me on replies..

EMH

From dtucker at zip.com.au Mon Oct 27 08:39:37 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 27 Oct 2003 08:39:37 +1100
Subject: setlogin failed: Function not implemented
References: <20031026175649.GA7708@giediprime>
Message-ID: <3F9C3F19.3225C07E@zip.com.au>

Eivind Magnus Hvidevold wrote:
>
> I'm using openssh-3.7.1p2 on Linux.
>
> I keep getting setlogin errors in /var/log/messages:
> Oct 26 18:44:22 giediprime sshd[7774]: Accepted publickey for root from 127.0.0.1 port 39310 ssh2
> Oct 26 18:44:22 giediprime sshd[7776]: error: setlogin failed: Function not implemented

Your C library has a setlogin function so sshd uses it. It doesn't work and ssh reports this as an error because, well, it's an error. Remove HAVE_SETLOGIN from config.h or complain to whoever wrote the C library.

> Running LFS 4.0. Happens both on 2.6.0-test8 and 2.4.22-ac1.

The kernel version is probably irrelevant, it's the version of the C library that matters.

> Also noting that there is no #if defined(HAVE_SETLOGIN) or similar
> surrounding the offending call at session.c:1259

On platforms without their own setlogin() the replacement in openbsd-compat/bsd-misc.c (an empty stub) is used, since libopenbsd-compat is ahead of libc in the link order.

--
Darren Tucker (dtucker at zip.com.au)

From dtucker at zip.com.au Mon Oct 27 08:48:57 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 27 Oct 2003 08:48:57 +1100
Subject: setlogin failed: Function not implemented
References: <20031026175649.GA7708@giediprime>
Message-ID: <3F9C4149.60EEF25B@zip.com.au>

Eivind Magnus Hvidevold wrote:
> When configuring openssh I get this in config.log:
> configure:6557: checking for setlogin
> configure:6594: gcc -o conftest -g -O2 -Wall -Wpointer-arith -Wno-uninitialized conftest.c -lutil -lz -lnsl >&5
> /tmp/cc4nGZCj.o: In function `main':
> /tmp/build/openssh-3.7.1p2/configure:6585: warning: setlogin is not implemented and will always fail

One other thing: maybe configure could test for errno == ENOSYS when checking for setlogin?

--
Darren Tucker (dtucker at zip.com.au)

From mouring at etoh.eviladmin.org Mon Oct 27 09:17:51 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sun, 26 Oct 2003 16:17:51 -0600 (CST)
Subject: setlogin failed: Function not implemented
In-Reply-To: <3F9C4149.60EEF25B@zip.com.au>
Message-ID:

On Mon, 27 Oct 2003, Darren Tucker wrote:

> Eivind Magnus Hvidevold wrote:
> > When configuring openssh I get this in config.log:
> > configure:6557: checking for setlogin
> > configure:6594: gcc -o conftest -g -O2 -Wall -Wpointer-arith -Wno-uninitialized conftest.c -lutil -lz -lnsl >&5
> > /tmp/cc4nGZCj.o: In function `main':
> > /tmp/build/openssh-3.7.1p2/configure:6585: warning: setlogin is not implemented and will always fail
>
> One other thing: maybe configure could test for errno == ENOSYS when
> checking for setlogin?
>

If it detects more stupid groups that don't have enough common sense to not implement an API instead of doing a stub, then I say go for it.

- Ben

From dtucker at zip.com.au Mon Oct 27 10:10:11 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 27 Oct 2003 10:10:11 +1100
Subject: setlogin failed: Function not implemented
References:
Message-ID: <3F9C5453.38F75197@zip.com.au>

Ben Lindstrom wrote:
>
> On Mon, 27 Oct 2003, Darren Tucker wrote:
>
> > Eivind Magnus Hvidevold wrote:
> > > When configuring openssh I get this in config.log:
> > > configure:6557: checking for setlogin
> > > configure:6594: gcc -o conftest -g -O2 -Wall -Wpointer-arith -Wno-uninitialized conftest.c -lutil -lz -lnsl >&5
> > > /tmp/cc4nGZCj.o: In function `main':
> > > /tmp/build/openssh-3.7.1p2/configure:6585: warning: setlogin is not implemented and will always fail
> >
> > One other thing: maybe configure could test for errno == ENOSYS when
> > checking for setlogin?
>
> If it detects more stupid groups that don't have enough common sense to
> not implement an API instead of doing a stub, then I say go for it.

Eivind, please try this patch. You'll need to run "autoreconf" after applying it, then run "./configure && make".

If this works out I might look at doing the same thing for setresuid and setresgid since they have the same problem on some Linuxes.

--
Darren Tucker (dtucker at zip.com.au)

-------------- next part --------------
Index: configure.ac =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/configure.ac,v retrieving revision 1.173 diff -u -p -r1.173 configure.ac --- configure.ac 15 Oct 2003 06:57:57 -0000 1.173 +++ configure.ac 26 Oct 2003 22:58:18 -0000
@@ -740,7 +740,7 @@ AC_CHECK_FUNCS(\ inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \ mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openlog_r openpty \ pstat readpassphrase realpath recvmsg rresvport_af sendmsg \ - setdtablesize setegid setenv seteuid setgroups setlogin setpcred \ + setdtablesize setegid setenv seteuid setgroups setpcred \ setproctitle setregid setresgid setresuid setreuid setrlimit \ setsid setvbuf sigaction sigvec snprintf socketpair strerror \ strlcat strlcpy strmode strnvis strtoul sysconf tcgetpgrp \ @@ -773,6 +773,19 @@ AC_CHECK_DECL(tcsendbreak, [AC_DEFINE(HAVE_TCSENDBREAK)], [AC_CHECK_FUNCS(tcsendbreak)], [#include ] +) + +dnl Some platorms have setlogin that isn't implemented +AC_CHECK_FUNC(setlogin, + [AC_MSG_CHECKING(if setlogin seems to work) + AC_TRY_RUN([ +#include +int main(){setlogin("sshtest"); if (errno==ENOSYS) exit 1; else exit 0;} + ], + [AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_SETLOGIN)], + AC_MSG_RESULT(not implemented) + )] ) dnl Checks for time functions

From emh at hvidevold.cjb.net Mon Oct 27 11:27:15 2003
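Review bot: the test program inside the new AC_TRY_RUN block is not valid C and does not check quite what it intends. `exit 1` and `exit 0` need parentheses, and errno is only defined after a failed call, so the body should read `if (setlogin("sshtest") == -1 && errno == ENOSYS) exit(1); exit(0);` with `errno = 0;` before the call; a real setlogin() that refuses an unprivileged caller with EPERM is then still counted as present, which is the right outcome. The two `#include` lines in the hunk carry no header name as shown; the program needs errno.h and unistd.h, plus stdlib.h for exit(). AC_TRY_RUN is also given no third action for the cross-compiling case, so autoconf will abort a cross build at this check; a fallback to the plain AC_CHECK_FUNC result would avoid that. Minor: "platorms" in the dnl comment.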
From: emh at hvidevold.cjb.net (Eivind Magnus Hvidevold)
Date: Mon, 27 Oct 2003 01:27:15 +0100
Subject: setlogin failed: Function not implemented
In-Reply-To: <3F9C5453.38F75197@zip.com.au>
References: <3F9C5453.38F75197@zip.com.au>
Message-ID: <20031027002715.GA27953@giediprime>

On Mon, Oct 27, 2003 at 10:10:11AM +1100, Darren Tucker wrote:
> Ben Lindstrom wrote:
> >
> > On Mon, 27 Oct 2003, Darren Tucker wrote:
> >
> > > Eivind Magnus Hvidevold wrote:
> > > > When configuring openssh I get this in config.log:
> > > > configure:6557: checking for setlogin
> > > > configure:6594: gcc -o conftest -g -O2 -Wall -Wpointer-arith -Wno-uninitialized conftest.c -lutil -lz -lnsl >&5
> > > > /tmp/cc4nGZCj.o: In function `main':
> > > > /tmp/build/openssh-3.7.1p2/configure:6585: warning: setlogin is not implemented and will always fail
> > >
> > > One other thing: maybe configure could test for errno == ENOSYS when
> > > checking for setlogin?
> >
> > If it detects more stupid groups that don't have enough common sense to
> > not implement an API instead of doing a stub, then I say go for it.
>
> Eivind, please try this patch. You'll need to run "autoreconf" after
> applying it, then run "./configure && make".
>
> If this works out I might look at doing the same thing for setresuid and
> setresgid since they have the same problem on some Linuxes.

Your patch works perfectly. Thanks!

But I think something may have gone wrong when I compiled glibc, because /usr/include/gnu/stubs.h was empty. I tried replacing it with one from Mandrake (9.2rc1) and then setlogin was detected as non-implemented even without your patch. I'm using glibc-2.3.1, btw.

EMH

From dtucker at zip.com.au Mon Oct 27 13:21:48 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 27 Oct 2003 13:21:48 +1100
Subject: setlogin failed: Function not implemented
References: <3F9C5453.38F75197@zip.com.au> <20031027002715.GA27953@giediprime>
Message-ID: <3F9C813C.C563646D@zip.com.au>

Eivind Magnus Hvidevold wrote:
>
> On Mon, Oct 27, 2003 at 10:10:11AM +1100, Darren Tucker wrote:
> > Eivind, please try this patch. You'll need to run "autoreconf" after
> > applying it, then run "./configure && make".
> >
> > If this works out I might look at doing the same thing for setresuid and
> > setresgid since they have the same problem on some Linuxes.
>
> Your patch works perfectly. Thanks!
> But I think something may have gone wrong when I compiled glibc, because
> /usr/include/gnu/stubs.h was empty. I tried replacing it with one from
> Mandrake (9.2rc1) and then setlogin was detected as non-implemented even
> without your patch. I'm using glibc-2.3.1, btw.

Hmm, so are we talking about a problem that occurs in some configurations of glibc, or something specific to your installation (or possibly just that particular build)?

In the former case, I think it's still worth fixing; in the latter cases, probably not.

--
Darren Tucker (dtucker at zip.com.au)

From ashok at visolve.com Mon Oct 27 15:31:15 2003
From: ashok at visolve.com (Ashok)
Date: Mon, 27 Oct 2003 10:01:15 +0530
Subject: (no subject)
Message-ID: <013901c39c43$812abef0$240110ac@aslco>

From damien at sf.firstpr.com.au Mon Oct 27 20:08:43 2003
From: damien at sf.firstpr.com.au (damien at sf.firstpr.com.au)
Date: Mon, 27 Oct 2003 01:08:43 -0800
Subject: Testing spam filter
Message-ID: <20031027090843.GD10636@sf.firstpr.com.au>

Testing yet more spam controls. The perils of an open list. Please ignore.

From rwett at mailcity.com Tue Oct 28 03:48:32 2003
From: rwett at mailcity.com (Simmy)
Date: Mon, 27 Oct 2003 08:48:32 -0800
Subject: Jenifer sent you a greeting
Message-ID: <4225741067273312@h00a0c9b8fff0.ne.client2.attbi.com>

From carin.andersson at ericsson.com Tue Oct 28 03:49:58 2003
From: carin.andersson at ericsson.com (Carin Andersson (HF/EAB))
Date: Mon, 27 Oct 2003 17:49:58 +0100
Subject: SSH2 question
Message-ID: <2EFFD98DEBD6FD42AA1B21153E7359753E0537@esealnt803.al.sw.ericsson.se>

Hi,

Can I run an openssh 3.7.1p2 client against an openssh 2.3.0 server and vice versa when using SSH2?

Regards,
Carin Andersson
Software Developer
Ericsson AB

From dwmw2 at infradead.org Tue Oct 28 07:57:24 2003
From: dwmw2 at infradead.org (David Woodhouse) Date: Mon, 27 Oct 2003 20:57:24 +0000 Subject: [PATCH] Resend: getsockopt TCP_NODELAY: Socket operation on non-socket In-Reply-To: <1067165427.888.32.camel@imladris.demon.co.uk> References: <1067165427.888.32.camel@imladris.demon.co.uk> Message-ID: <1067288244.16391.7.camel@imladris.demon.co.uk> On Sun, 2003-10-26 at 10:50 +0000, David Woodhouse wrote: > We get the warning above whenever we use a ProxyCommand. We _know_ it's > a pipe, so we can't use sockopts on it. So we shouldn't bitch about it. > > This breaks all kinds of things which use SSH transparently; including > pine, which really wants the first thing it receives from an IMAP server > to be a valid imap greeting... which $subject is not. > > $ ssh -o "proxycommand sh -c '( echo CONNECT %h:%p HTTP/1.0; echo; cat ) | nc 192.168.0.1 3128'" pentafluge.infradead.org exec bin/courier-imap.sh > getsockopt TCP_NODELAY: Socket operation on non-socket > * PREAUTH Ready. > > In fact, it's probably never necessary to bitch about it, so let's make > it a debug message only... Index: misc.c =================================================================== RCS file: /cvs/openssh/misc.c,v retrieving revision 1.37 diff -u -p -r1.37 misc.c --- misc.c 22 Sep 2003 11:04:23 -0000 1.37 +++ misc.c 26 Oct 2003 10:48:35 -0000 @@ -97,7 +97,7 @@ set_nodelay(int fd) optlen = sizeof opt; if (getsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt, &optlen) == -1) { - error("getsockopt TCP_NODELAY: %.100s", strerror(errno)); + debug("getsockopt TCP_NODELAY: %.100s", strerror(errno)); return; } if (opt == 1) { -- dwmw2 From stuge-openssh-unix-dev at cdy.org Tue Oct 28 11:43:13 2003 
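Review bot: Downgrading error() to debug() in the set_nodelay() hunk of misc.c silences every getsockopt() failure, not only the ENOTSOCK case that a ProxyCommand pipe produces, so a genuine failure on a real TCP connection would no longer be reported. A narrower fix keeps the error() and drops to debug() only when errno == ENOTSOCK, or tests the descriptor with fstat()/S_ISSOCK before calling getsockopt() at all.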
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Tue, 28 Oct 2003 01:43:13 +0100
Subject: SSH2 question
In-Reply-To: <2EFFD98DEBD6FD42AA1B21153E7359753E0537@esealnt803.al.sw.ericsson.se>
References: <2EFFD98DEBD6FD42AA1B21153E7359753E0537@esealnt803.al.sw.ericsson.se>
Message-ID: <20031028004313.GB17443@foo.birdnet.se>

On Mon, Oct 27, 2003 at 05:49:58PM +0100, Carin Andersson (HF/EAB) wrote:
> Can I run an openssh 3.7.1p2 client against an openssh 2.3.0 server and
> vice versa when using SSH2?

Just try it out, empirical evidence is always the best. Can be done on a
high port by a regular user to not interfere with any SSH packages already
in place.

Spontaneous guess: Yes, it'll work. But please try to upgrade the 2.3.0
installation anyway.

//Peter

From dmiller at netstarnetworks.com Tue Oct 28 11:49:03 2003
From: dmiller at netstarnetworks.com (Damien Miller)
Date: Tue, 28 Oct 2003 11:49:03 +1100
Subject: Another test, apologies
Message-ID: <3F9DBCFF.8030808@netstarnetworks.com>

Testing a new version of SpamAssassin. Please ignore.

-d

From joyhancockson at yahoo.com Tue Oct 28 19:45:56 2003
From: joyhancockson at yahoo.com (Joy Hancockson)
Date: Tue, 28 Oct 2003 00:45:56 -0800 (PST)
Subject: sshd does not start
Message-ID: <20031028084556.14660.qmail@web41812.mail.yahoo.com>

My God why does the pentagon have a moronic idiot like you working for
them !?!?!?!?!? Friggin amateur hour or what!

__________________________________
Do you Yahoo!?
Exclusive Video Premiere - Britney Spears
http://launch.yahoo.com/promos/britneyspears/

From matter at sover.net Wed Oct 29 01:48:15 2003
From: matter at sover.net (Matt Richards) Date: Tue, 28 Oct 2003 09:48:15 -0500 (EST) Subject: AIX patch for openssh-3.7.1p2 Message-ID: There are a couple of bugs in the openssh-3.7.1p2. The aix_setauthdb function does not work with other types of authentication such as AFS/DFS. The loginfailed test in configure is not correct. Also, AIX can use the wtmp logging which I added in configure. Attached is the patch. Thanks, Matt Richards -------------- next part -------------- *** openssh-3.7.1p2/openbsd-compat/port-aix.c Mon Jul 14 02:41:55 2003 --- openssh-3.7.1p2.patched/openbsd-compat/port-aix.c Mon Sep 22 12:42:00 2003 *************** *** 96,102 **** --- 96,104 ---- if (geteuid() != 0) return; + #if 0 aix_setauthdb(user); + #endif # ifdef AIX_LOGINFAILED_4ARG loginfailed((char *)user, hostname, (char *)ttyname, AUDIT_FAIL_AUTH); # else *** openssh-3.7.1p2/auth-passwd.c Fri Sep 12 20:41:56 2003 --- openssh-3.7.1p2.patched/auth-passwd.c Mon Sep 22 12:24:15 2003 *************** *** 110,116 **** --- 110,118 ---- pw->pw_name, authmsg); /* No pty yet, so just label the line as "ssh" */ + #if 0 aix_setauthdb(authctxt->user); + #endif if (loginsuccess(authctxt->user, host, "ssh", &msg) == 0) { if (msg != NULL) { *** openssh-3.7.1p2/configure Tue Sep 23 05:55:43 2003 --- openssh-3.7.1p2.patched/configure Tue Oct 28 08:24:57 2003 *************** *** 3100,3105 **** --- 3100,3106 ---- # Check for some target-specific stuff case "$host" in *-*-aix*) + conf_wtmp_location=/var/adm/wtmp CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" echo "$as_me:3105: checking how to specify blibpath for linker ($LD)" >&5 *************** *** 3284,3326 **** echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF - #line 3287 "configure" #include "confdefs.h" ! #include int main () { - #ifndef loginfailed - char *p = (char *) loginfailed; - #endif ! ; ! return 0; } _ACEOF ! rm -f conftest.$ac_objext ! 
if { (eval echo "$as_me:3303: \"$ac_compile\"") >&5 ! (eval $ac_compile) 2>&5 ! ac_status=$? ! echo "$as_me:3306: \$? = $ac_status" >&5 ! (exit $ac_status); } && ! { ac_try='test -s conftest.$ac_objext' ! { (eval echo "$as_me:3309: \"$ac_try\"") >&5 ! (eval $ac_try) 2>&5 ! ac_status=$? ! echo "$as_me:3312: \$? = $ac_status" >&5 ! (exit $ac_status); }; }; then ! ac_cv_have_decl_loginfailed=yes ! else echo "$as_me: failed program was:" >&5 ! cat conftest.$ac_ext >&5 ! ac_cv_have_decl_loginfailed=no ! fi ! rm -f conftest.$ac_objext conftest.$ac_ext ! fi ! echo "$as_me:3322: result: $ac_cv_have_decl_loginfailed" >&5 ! echo "${ECHO_T}$ac_cv_have_decl_loginfailed" >&6 if test $ac_cv_have_decl_loginfailed = yes; then echo "$as_me:3325: checking if loginfailed takes 4 arguments" >&5 echo $ECHO_N "checking if loginfailed takes 4 arguments... $ECHO_C" >&6 --- 3285,3329 ---- echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF #include "confdefs.h" ! #ifdef __cplusplus ! extern "C" ! #endif + int loginfailed (); + int (*f) (); + int main () { ! f=loginfailed ! ; ! return 0; } _ACEOF ! rm -f conftest.$ac_objext conftest$ac_exeext ! if { (eval echo "$as_me:3193: \"$ac_link\"") >&5 ! (eval $ac_link) 2>&5 ! ac_status=$? ! echo "$as_me:3196: \$? = $ac_status" >&5 ! (exit $ac_status); } && ! { ac_try='test -s conftest$ac_exeext' ! { (eval echo "$as_me:3199: \"$ac_try\"") >&5 ! (eval $ac_try) 2>&5 ! ac_status=$? ! echo "$as_me:3202: \$? = $ac_status" >&5 ! (exit $ac_status); }; }; then ! ac_cv_have_decl_loginfailed=yes ! else echo "$as_me: failed program was:" >&5 ! cat conftest.$ac_ext >&5 ! ac_cv_have_decl_loginfailed=no ! fi ! rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext ! fi ! echo "$as_me:3212: result: $ac_cv_have_decl_loginfailed" >&5 ! 
echo "${ECHO_T}$ac_cv_have_decl_loginfailed" >&6 if test $ac_cv_have_decl_loginfailed = yes; then echo "$as_me:3325: checking if loginfailed takes 4 arguments" >&5 echo $ECHO_N "checking if loginfailed takes 4 arguments... $ECHO_C" >&6 From dan at D00M.integrate.com.ru Wed Oct 29 03:59:47 2003 From: dan at D00M.integrate.com.ru (Dan Yefimov) Date: Tue, 28 Oct 2003 19:59:47 +0300 (MSK) Subject: Privilege separation Message-ID: Hello! Please consider including the attached patch in the next release. It allows one to drop privilege separation code while building openssh by using '--disable-privsep' switch of configure script. If one doesn't use privilege separation at all, why don't simply allow him to drop privilege separation support completely? -- Sincerely Your, Dan. -------------- next part -------------- diff -adurN openssh-3.7.1p2.privsep/Makefile.in openssh-3.7.1p2/Makefile.in --- openssh-3.7.1p2.privsep/Makefile.in Mon Sep 22 05:00:12 2003 +++ openssh-3.7.1p2/Makefile.in Sat Oct 4 22:38:24 2003 @@ -80,8 +80,7 @@ auth-chall.o auth2-chall.o groupaccess.o \ auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o \ - monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \ - kexdhs.o kexgexs.o \ + @PRIVSEP_OBJS@ kexdhs.o kexgexs.o \ auth-krb5.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-sia.o md5crypt.o diff -adurN openssh-3.7.1p2.privsep/acconfig.h openssh-3.7.1p2/acconfig.h --- openssh-3.7.1p2.privsep/acconfig.h Tue Sep 16 05:52:19 2003 +++ openssh-3.7.1p2/acconfig.h Sat Oct 4 22:22:14 2003 
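Review bot: In the port-aix.c hunk of Matt Richards' AIX patch above, wrapping aix_setauthdb(user) in #if 0 removes the call for every authentication registry, not just the AFS/DFS case the message describes, so failed-login accounting for registries that need setauthdb() (the reply in this thread names LDAP) is lost as well. Guard the call on the registry in use, or make it a configure-time option, rather than deleting it outright.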
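Review bot: The auth-passwd.c hunk of the AIX patch has the same problem on the loginsuccess() path: #if 0 around aix_setauthdb(authctxt->user) drops the call unconditionally and leaves no comment saying why, so a later reader cannot tell deliberate dead code from an abandoned experiment. If the call must be skipped for some registries, do it with a runtime check and a comment naming them.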
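Review bot: The two configure hunks of the AIX patch modify a generated file; the conf_wtmp_location=/var/adm/wtmp default and the rewritten loginfailed test belong in configure.ac so they survive the next autoreconf. The new loginfailed test also changes its nature: the old one was a compile test that includes the header and takes the address of loginfailed (the AC_CHECK_DECL shape), the new one declares "int loginfailed ();" itself and runs $ac_link, which succeeds whenever the symbol is in a library even if no header declares it. Say which of the two the build actually needs, because the "checking if loginfailed takes 4 arguments" test that follows relies on the header prototype.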
@@ -202,6 +202,9 @@ /* Define if you don't want to use wtmpx */ #undef DISABLE_WTMPX +/* Define if you don't want to use privilege separation */ +#undef DISABLE_PRIVSEP + /* Some systems need a utmpx entry for /bin/login to work */ #undef LOGIN_NEEDS_UTMPX diff -adurN openssh-3.7.1p2.privsep/auth-bsdauth.c openssh-3.7.1p2/auth-bsdauth.c --- openssh-3.7.1p2.privsep/auth-bsdauth.c Thu Jul 4 04:14:18 2002 +++ openssh-3.7.1p2/auth-bsdauth.c Sat Oct 4 23:52:37 2003 @@ -115,6 +115,7 @@ bsdauth_free_ctx }; +#ifndef DISABLE_PRIVSEP KbdintDevice mm_bsdauth_device = { "bsdauth", bsdauth_init_ctx, @@ -122,4 +123,5 @@ mm_bsdauth_respond, bsdauth_free_ctx }; +#endif /* DISABLE_PRIVSEP */ #endif diff -adurN openssh-3.7.1p2.privsep/auth-options.c openssh-3.7.1p2/auth-options.c --- openssh-3.7.1p2.privsep/auth-options.c Tue Jun 3 04:25:48 2003 +++ openssh-3.7.1p2/auth-options.c Sat Oct 4 22:54:42 2003 @@ -280,7 +280,9 @@ /* Process the next option. */ } +#ifndef DISABLE_PRIVSEP if (!use_privsep) +#endif /* DISABLE_PRIVSEP */ auth_debug_send(); /* grant access */ @@ -292,7 +294,9 @@ auth_debug_add("Bad options in %.100s file, line %lu: %.50s", file, linenum, opts); +#ifndef DISABLE_PRIVSEP if (!use_privsep) +#endif /* DISABLE_PRIVSEP */ auth_debug_send(); /* deny access */ diff -adurN openssh-3.7.1p2.privsep/auth-pam.c openssh-3.7.1p2/auth-pam.c --- openssh-3.7.1p2.privsep/auth-pam.c Tue Sep 23 13:24:21 2003 +++ openssh-3.7.1p2/auth-pam.c Sat Oct 4 23:54:05 2003 @@ -419,7 +419,7 @@ case PAM_AUTH_ERR: if (**prompts != NULL) { /* drain any accumulated messages */ -#if 0 /* XXX - not compatible with privsep */ +#ifdef DISABLE_PRIVSEP /* XXX - not compatible with privsep */ packet_start(SSH2_MSG_USERAUTH_BANNER); packet_put_cstring(**prompts); packet_put_cstring(""); @@ -500,6 +500,7 @@ sshpam_free_ctx }; +#ifndef DISABLE_PRIVSEP KbdintDevice mm_sshpam_device = { "pam", mm_sshpam_init_ctx, 
@@ -507,6 +508,7 @@ mm_sshpam_respond, mm_sshpam_free_ctx }; +#endif /* DISABLE_PRIVSEP */ /* * This replaces auth-pam.c @@ -673,8 +675,10 @@ pam_conv.conv = pam_chauthtok_conv; pam_conv.appdata_ptr = NULL; +#ifndef DISABLE_PRIVSEP if (use_privsep) fatal("Password expired (unable to change with privsep)"); +#endif /* DISABLE_PRIVSEP */ sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, (const void *)&pam_conv); if (sshpam_err != PAM_SUCCESS) diff -adurN openssh-3.7.1p2.privsep/auth-rhosts.c openssh-3.7.1p2/auth-rhosts.c --- openssh-3.7.1p2.privsep/auth-rhosts.c Tue Jun 3 04:25:48 2003 +++ openssh-3.7.1p2/auth-rhosts.c Sat Oct 4 23:02:16 2003 @@ -26,7 +26,9 @@ /* import */ extern ServerOptions options; +#ifndef DISABLE_PRIVSEP extern int use_privsep; +#endif /* DISABLE_PRIVSEP */ /* * This function processes an rhosts-style file (.rhosts, .shosts, or @@ -293,7 +295,9 @@ auth_debug_reset(); ret = auth_rhosts2_raw(pw, client_user, hostname, ipaddr); +#ifndef DISABLE_PRIVSEP if (!use_privsep) +#endif /* DISABLE_PRIVSEP */ auth_debug_send(); return ret; } diff -adurN openssh-3.7.1p2.privsep/auth-skey.c openssh-3.7.1p2/auth-skey.c --- openssh-3.7.1p2.privsep/auth-skey.c Thu Jul 4 04:14:18 2002 +++ openssh-3.7.1p2/auth-skey.c Sat Oct 4 23:53:15 2003 @@ -93,6 +93,7 @@ skey_free_ctx }; +#ifndef DISABLE_PRIVSEP KbdintDevice mm_skey_device = { "skey", skey_init_ctx, @@ -100,4 +101,5 @@ mm_skey_respond, skey_free_ctx }; +#endif /* DISABLE_PRIVSEP */ #endif /* SKEY */ diff -adurN openssh-3.7.1p2.privsep/auth.h openssh-3.7.1p2/auth.h --- openssh-3.7.1p2.privsep/auth.h Wed Sep 3 06:11:30 2003 +++ openssh-3.7.1p2/auth.h Sat Oct 4 22:49:24 2003 
@@ -133,7 +133,9 @@ char *auth2_read_banner(void); +#ifndef DISABLE_PRIVSEP void privsep_challenge_enable(void); +#endif /* DISABLE_PRIVSEP */ int auth2_challenge(Authctxt *, char *); void auth2_challenge_stop(Authctxt *); diff -adurN openssh-3.7.1p2.privsep/auth1.c openssh-3.7.1p2/auth1.c --- openssh-3.7.1p2.privsep/auth1.c Wed Sep 3 01:32:46 2003 +++ openssh-3.7.1p2/auth1.c Sat Oct 4 23:08:43 2003 @@ -304,8 +304,12 @@ authctxt->pw = fakepw(); } +#ifndef DISABLE_PRIVSEP setproctitle("%s%s", authctxt->pw ? user : "unknown", use_privsep ? " [net]" : ""); +#else + setproctitle("%s", authctxt->pw ? user : "unknown"); +#endif /* DISABLE_PRIVSEP */ #ifdef USE_PAM if (options.use_pam) @@ -317,7 +321,11 @@ * the server. (Unless you are running Windows) */ #ifndef HAVE_CYGWIN +#ifndef DISABLE_PRIVSEP if (!use_privsep && getuid() != 0 && authctxt->pw && +#else + if (getuid() != 0 && authctxt->pw && +#endif /* DISABLE_PRIVSEP */ authctxt->pw->pw_uid != getuid()) packet_disconnect("Cannot change user when server not running as root."); #endif diff -adurN openssh-3.7.1p2.privsep/auth2-chall.c openssh-3.7.1p2/auth2-chall.c --- openssh-3.7.1p2.privsep/auth2-chall.c Mon May 26 15:36:13 2003 +++ openssh-3.7.1p2/auth2-chall.c Sat Oct 4 23:49:13 2003 @@ -323,6 +323,7 @@ xfree(method); } +#ifndef DISABLE_PRIVSEP void privsep_challenge_enable(void) { @@ -350,3 +351,4 @@ #endif #endif } +#endif /* DISABLE_PRIVSEP */ diff -adurN openssh-3.7.1p2.privsep/auth2-gss.c openssh-3.7.1p2/auth2-gss.c --- openssh-3.7.1p2.privsep/auth2-gss.c Tue Sep 2 16:59:01 2003 +++ openssh-3.7.1p2/auth2-gss.c Sat Oct 4 23:17:47 2003 @@ -130,7 +130,11 @@ OM_uint32 maj_status, min_status; u_int len; +#ifndef DISABLE_PRIVSEP if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) +#else + if (authctxt == NULL || authctxt->methoddata == NULL) +#endif /* DISABLE_PRIVSEP */ fatal("No authentication or GSSAPI context"); gssctxt = authctxt->methoddata; 
@@ -179,7 +183,11 @@ OM_uint32 maj_status; u_int len; +#ifndef DISABLE_PRIVSEP if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) +#else + if (authctxt == NULL || authctxt->methoddata == NULL) +#endif /* DISABLE_PRIVSEP */ fatal("No authentication or GSSAPI context"); gssctxt = authctxt->methoddata; @@ -216,7 +224,11 @@ Gssctxt *gssctxt; int authenticated; +#ifndef DISABLE_PRIVSEP if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) +#else + if (authctxt == NULL || authctxt->methoddata == NULL) +#endif /* DISABLE_PRIVSEP */ fatal("No authentication or GSSAPI context"); gssctxt = authctxt->methoddata; diff -adurN openssh-3.7.1p2.privsep/auth2.c openssh-3.7.1p2/auth2.c --- openssh-3.7.1p2.privsep/auth2.c Wed Sep 3 01:32:46 2003 +++ openssh-3.7.1p2/auth2.c Sat Oct 4 23:21:44 2003 @@ -174,13 +174,19 @@ PRIVSEP(start_pam(user)); #endif } +#ifndef DISABLE_PRIVSEP setproctitle("%s%s", authctxt->pw ? user : "unknown", use_privsep ? " [net]" : ""); +#else + setproctitle("%s", authctxt->pw ? user : "unknown"); +#endif /* DISABLE_PRIVSEP */ authctxt->user = xstrdup(user); authctxt->service = xstrdup(service); authctxt->style = style ? xstrdup(style) : NULL; +#ifndef DISABLE_PRIVSEP if (use_privsep) mm_inform_authserv(service, style); +#endif /* DISABLE_PRIVSEP */ } else if (strcmp(user, authctxt->user) != 0 || strcmp(service, authctxt->service) != 0) { packet_disconnect("Change of username or service not allowed: " diff -adurN openssh-3.7.1p2.privsep/configure.ac openssh-3.7.1p2/configure.ac --- openssh-3.7.1p2.privsep/configure.ac Tue Sep 23 13:24:21 2003 +++ openssh-3.7.1p2/configure.ac Sat Oct 4 22:24:32 2003 
@@ -2455,6 +2455,12 @@ fi ] ) +AC_ARG_ENABLE(privsep, + [ --disable-privsep disable use of privilege separation. [no]], + [ AC_DEFINE(DISABLE_PRIVSEP, 1, [Define if you don't want to use privilege separation]) ], + [ PRIVSEP_OBJS="monitor.o monitor_mm.o monitor_wrap.o monitor_fdpass.o" ] +) +AC_SUBST(PRIVSEP_OBJS) AC_ARG_WITH(lastlog, [ --with-lastlog=FILE|DIR specify lastlog location [common locations]], [ diff -adurN openssh-3.7.1p2.privsep/monitor.h openssh-3.7.1p2/monitor.h --- openssh-3.7.1p2.privsep/monitor.h Tue Sep 2 16:51:17 2003 +++ openssh-3.7.1p2/monitor.h Sat Oct 4 22:42:59 2003 @@ -28,6 +28,7 @@ #ifndef _MONITOR_H_ #define _MONITOR_H_ +#ifndef DISABLE_PRIVSEP enum monitor_reqtype { MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, @@ -87,4 +88,5 @@ void mm_request_receive(int, Buffer *); void mm_request_receive_expect(int, enum monitor_reqtype, Buffer *); +#endif /* DISABLE_PRIVSEP */ #endif /* _MONITOR_H_ */ diff -adurN openssh-3.7.1p2.privsep/monitor_fdpass.h openssh-3.7.1p2/monitor_fdpass.h --- openssh-3.7.1p2.privsep/monitor_fdpass.h Wed Jun 26 03:04:11 2002 +++ openssh-3.7.1p2/monitor_fdpass.h Sat Oct 4 22:44:24 2003 @@ -28,7 +28,9 @@ #ifndef _MM_FDPASS_H_ #define _MM_FDPASS_H_ +#ifndef DISABLE_PRIVSEP void mm_send_fd(int, int); int mm_receive_fd(int); +#endif /* DISABLE_PRIVSEP */ #endif /* _MM_FDPASS_H_ */ diff -adurN openssh-3.7.1p2.privsep/monitor_mm.h openssh-3.7.1p2/monitor_mm.h --- openssh-3.7.1p2.privsep/monitor_mm.h Thu Sep 12 04:43:31 2002 +++ openssh-3.7.1p2/monitor_mm.h Sat Oct 4 22:45:11 2003 @@ -29,6 +29,7 @@ #define _MM_H_ #include "openbsd-compat/sys-tree.h" +#ifndef DISABLE_PRIVSEP struct mm_share { RB_ENTRY(mm_share) next; void *address; 
@@ -63,4 +64,5 @@ void mm_free(struct mm_master *, void *); void mm_memvalid(struct mm_master *, void *, size_t); +#endif /* DISABLE_PRIVSEP */ #endif /* _MM_H_ */ diff -adurN openssh-3.7.1p2.privsep/monitor_wrap.h openssh-3.7.1p2/monitor_wrap.h --- openssh-3.7.1p2.privsep/monitor_wrap.h Tue Sep 2 16:51:17 2003 +++ openssh-3.7.1p2/monitor_wrap.h Sat Oct 4 22:46:55 2003 @@ -30,6 +30,7 @@ #include "key.h" #include "buffer.h" +#ifndef DISABLE_PRIVSEP extern int use_privsep; #define PRIVSEP(x) (use_privsep ? mm_##x : x) @@ -102,4 +103,7 @@ void mm_zfree(struct mm_master *, void *); void mm_init_compression(struct mm_master *); +#else /* DISABLE_PRIVSEP */ +#define PRIVSEP(x) x +#endif /* DISABLE_PRIVSEP */ #endif /* _MM_H_ */ diff -adurN openssh-3.7.1p2.privsep/servconf.c openssh-3.7.1p2/servconf.c --- openssh-3.7.1p2.privsep/servconf.c Tue Sep 23 13:24:21 2003 +++ openssh-3.7.1p2/servconf.c Sun Oct 5 00:44:06 2003 @@ -29,8 +29,10 @@ /* AF_UNSPEC or AF_INET or AF_INET6 */ extern int IPv4or6; +#ifndef DISABLE_PRIVSEP /* Use of privilege separation or not */ extern int use_privsep; +#endif /* DISABLE_PRIVSEP */ /* Initializes the server options to their default values. */ @@ -101,8 +103,10 @@ options->authorized_keys_file = NULL; options->authorized_keys_file2 = NULL; +#ifndef DISABLE_PRIVSEP /* Needs to be accessable in many places */ use_privsep = -1; +#endif /* DISABLE_PRIVSEP */ } void @@ -225,6 +229,7 @@ if (options->authorized_keys_file == NULL) options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; +#ifndef DISABLE_PRIVSEP /* Turn privilege separation on by default */ if (use_privsep == -1) use_privsep = 1; @@ -237,6 +242,7 @@ options->compression = 0; } #endif +#endif /* DISABLE_PRIVSEP */ } 
@@ -732,8 +738,13 @@ goto parse_flag; case sUsePrivilegeSeparation: +#ifndef DISABLE_PRIVSEP intptr = &use_privsep; goto parse_flag; +#else + /* Ignore the whole line */ + return 0; +#endif /* DISABLE_PRIVSEP */ case sAllowUsers: while ((arg = strdelim(&cp)) && *arg != '\0') { diff -adurN openssh-3.7.1p2.privsep/session.c openssh-3.7.1p2/session.c --- openssh-3.7.1p2.privsep/session.c Tue Sep 23 12:59:08 2003 +++ openssh-3.7.1p2/session.c Sat Oct 4 23:36:50 2003 @@ -692,7 +692,9 @@ } /* Record that there was a login on that tty from the remote host. */ +#ifndef DISABLE_PRIVSEP if (!use_privsep) +#endif /* DISABLE_PRIVSEP */ record_login(pid, s->tty, pw->pw_name, pw->pw_uid, get_remote_name_or_ip(utmp_len, options.use_dns), @@ -1668,7 +1670,9 @@ * time in case we call fatal() (e.g., the connection gets closed). */ fatal_add_cleanup(session_pty_cleanup, (void *)s); +#ifndef DISABLE_PRIVSEP if (!use_privsep) +#endif /* DISABLE_PRIVSEP */ pty_setowner(s->pw, s->tty); /* Set window size from the packet. */ diff -adurN openssh-3.7.1p2.privsep/sshd.c openssh-3.7.1p2/sshd.c --- openssh-3.7.1p2.privsep/sshd.c Tue Sep 2 16:51:17 2003 +++ openssh-3.7.1p2/sshd.c Sat Oct 4 23:44:14 2003 @@ -197,9 +197,11 @@ int *startup_pipes = NULL; int startup_pipe; /* in child */ +#ifndef DISABLE_PRIVSEP /* variables used for privilege separation */ int use_privsep; struct monitor *pmonitor; +#endif /* DISABLE_PRIVSEP */ /* message to be displayed after login */ Buffer loginmsg; @@ -526,6 +528,7 @@ /* We do not clear ssh1_host key and cookie. XXX - Okay Niels? */ } +#ifndef DISABLE_PRIVSEP static void privsep_preauth_child(void) { @@ -674,6 +677,7 @@ /* It is safe now to apply the key state */ monitor_apply_keystate(pmonitor); } +#endif /* DISABLE_PRIVSEP */ static char * list_hostkey_types(void) @@ -1034,6 +1038,7 @@ } } +#ifndef DISABLE_PRIVSEP if (use_privsep) { struct passwd *pw; struct stat st; 
@@ -1056,6 +1061,7 @@ fatal("%s must be owned by root and not group or " "world-writable.", _PATH_PRIVSEP_CHROOT_DIR); } +#endif /* DISABLE_PRIVSEP */ /* Configuration looks good, so exit if in test mode. */ if (test_flag) @@ -1468,9 +1474,11 @@ /* prepare buffers to collect authentication messages */ buffer_init(&loginmsg); +#ifndef DISABLE_PRIVSEP if (use_privsep) if ((authctxt = privsep_preauth()) != NULL) goto authenticated; +#endif /* DISABLE_PRIVSEP */ /* perform the key exchange */ /* authenticate user and start session */ @@ -1481,6 +1489,7 @@ do_ssh1_kex(); authctxt = do_authentication(); } +#ifndef DISABLE_PRIVSEP /* * If we use privilege separation, the unprivileged child transfers * the current keystate and exits @@ -1501,6 +1510,7 @@ if (!compat20) destroy_sensitive_data(); } +#endif /* DISABLE_PRIVSEP */ /* Perform session preparation. */ do_authenticated(authctxt); @@ -1515,8 +1525,10 @@ packet_close(); +#ifndef DISABLE_PRIVSEP if (use_privsep) mm_terminate(); +#endif /* DISABLE_PRIVSEP */ exit(0); } @@ -1722,8 +1734,10 @@ /* Destroy the private and public keys. No longer. */ destroy_sensitive_data(); +#ifndef DISABLE_PRIVSEP if (use_privsep) mm_ssh1_session_id(session_id); +#endif /* DISABLE_PRIVSEP */ /* Destroy the decrypted integer. It is no longer needed. */ BN_clear_free(session_key_int); From TORBAN at do.usbr.gov Wed Oct 29 05:09:49 2003 
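Review bot: In the configure.ac hunk of the --disable-privsep patch above, AC_ARG_ENABLE's third argument runs whenever --enable-privsep or --disable-privsep is given, regardless of the value, so an explicit --enable-privsep would AC_DEFINE(DISABLE_PRIVSEP) and leave PRIVSEP_OBJS empty, producing an sshd without privilege separation from a flag that asks for it. Test $enableval in that branch, e.g. `if test "x$enableval" = "xno"; then AC_DEFINE(DISABLE_PRIVSEP, 1, [...]); else PRIVSEP_OBJS="monitor.o monitor_mm.o monitor_wrap.o monitor_fdpass.o"; fi`, keeping the fourth argument as the default.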
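Review bot: In the servconf.c hunk, `case sUsePrivilegeSeparation: return 0;` silently accepts "UsePrivilegeSeparation yes" in sshd_config on a build that has no privilege separation at all, so an administrator reading the config believes the hardening is active when it is not. At minimum log a warning naming the directive, or treat it as a fatal configuration error so that sshd -t exposes the mismatch, rather than ignoring the whole line.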
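Review bot: The auth-pam.c hunk turns `#if 0 /* XXX - not compatible with privsep */` into `#ifdef DISABLE_PRIVSEP`, which re-enables the SSH2_MSG_USERAUTH_BANNER code on the PAM_AUTH_ERR path in the new build; that is a behaviour change rather than a pure compile-out, and nothing in the hunk shows the code was exercised even without privsep. Leave it at `#if 0` in this patch and propose the re-enable separately with its own justification.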
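Review bot: The auth-options.c hunk (and the identical pattern in auth-rhosts.c and session.c) leaves a bare `if (!use_privsep)` whose condition compiles only under #ifndef DISABLE_PRIVSEP, a brittle shape where any statement later added between the `#endif` and the call changes meaning. Since the submitter describes the patch as behaving as if use_privsep were a constant zero, a single `#define use_privsep 0` under DISABLE_PRIVSEP next to the `#define PRIVSEP(x) x` already added to monitor_wrap.h would let the compiler drop the same code and make most of these per-call-site hunks unnecessary.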
From: TORBAN at do.usbr.gov (Tom Orban)
Date: Tue, 28 Oct 2003 11:09:49 -0700
Subject: ssh not resolving host names on HP-UX 11i
Message-ID:

I posted a message about this problem late last week, never heard anything
back, so I have to assume other folks did get a working ssh (3.7.1p2) binary
built on HP-UX 11i.

Just to refresh, my ssh package that I built on HP-UX 11i works fine, except
that the ssh binary doesn't seem to go to DNS to resolve host names. So the
only way I can ssh to other machines is to put their host entries in my
/etc/hosts file, or type their IP address instead of the hostname on the
command line. Since that's a really unsustainable workaround, I've grabbed
the 3.7.1p2 ssh binary that I built on an hp-ux 11.00 box and use it with
the rest of the package that I build on 11i. Ugly, but it seems to work.

In the meantime, I tried to boil down the build of the ssh package to the
bare essentials. I stripped out the tcp_wrappers, and built with
zlib-1.1.4, and openssl 0.9.7c. My "configure" lines look like this for ssh:

CFLAGS="+O2 -Ae -I/usr/local/include"
export CFLAGS
./configure --with-pam

on openssl, I use the following (since config seems to want me to use
Configure and declare what type of HP-UX build to use):

./Configure zlib no-shared -I/usr/local/include hpux-parisc-cc

Stripping down didn't make any difference, I still get the "ssh: hostname:
host nor service provided, or not known" error message. FYI, I'm using the
HP KRNG* package for /dev/*random, and build everything with the HP Ansi C
compiler.

Can anyone who has built ssh (3.7.1p2) on an 11i box, and found it to work
properly, share what config parameters they used?

Thanks.
-Tom

From markus at openbsd.org Wed Oct 29 06:34:06 2003
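An added diagnostic for the failure Tom Orban describes above, not part of his message or of OpenSSH: it calls getaddrinfo() the way ssh does (AF_UNSPEC, SOCK_STREAM, service "22") and returns the EAI_* code, whose gai_strerror() text is what ssh prints after "ssh: hostname:". Walking a literal address, an /etc/hosts name and a DNS-only name in turn shows at which stage resolution first fails, which separates a broken ssh build from a broken system resolver. The function names and the probe host names are constructions of this example; pass the failing hostname as the first argument.

```c
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/*
 * Resolve "host" as ssh does and write the first address as text into buf.
 * Returns 0 on success or the EAI_* code; on failure buf holds the
 * gai_strerror() text for that code, i.e. exactly what ssh would print.
 * (Function name and "flags" parameter are this example's own.)
 */
int probe_resolve(const char *host, int flags, char *buf, size_t buflen)
{
	struct addrinfo hints, *res;
	int gai;

	memset(&hints, 0, sizeof hints);
	hints.ai_family = AF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = flags;

	gai = getaddrinfo(host, "22", &hints, &res);	/* "22": ssh's default port */
	if (gai != 0) {
		snprintf(buf, buflen, "%s", gai_strerror(gai));
		return gai;
	}
	if (getnameinfo(res->ai_addr, res->ai_addrlen, buf, (socklen_t)buflen,
	    NULL, 0, NI_NUMERICHOST) != 0)
		snprintf(buf, buflen, "(address not printable)");
	freeaddrinfo(res);
	return 0;
}

/* Status code only, for quick checks and tests. */
int resolve_status(const char *host, int flags)
{
	char buf[128];

	return probe_resolve(host, flags, buf, sizeof buf);
}

/*
 * Three stages: a literal address needs no lookup, "localhost" needs only
 * /etc/hosts, and the name given on the command line (constructed default
 * "localhost") needs the full resolver. The first stage that fails points
 * at the faulty layer.
 */
int main(int argc, char **argv)
{
	const char *names[3];
	char buf[128];
	size_t i;

	names[0] = "127.0.0.1";
	names[1] = "localhost";
	names[2] = argc > 1 ? argv[1] : "localhost";

	for (i = 0; i < sizeof names / sizeof names[0]; i++) {
		int rc = probe_resolve(names[i], 0, buf, sizeof buf);
		printf("%-24s -> %s%s\n", names[i], buf,
		    rc == 0 ? "" : rc == EAI_NONAME ? "  [EAI_NONAME]" : "  [other EAI_* code]");
	}
	return 0;
}
```

If the literal address resolves but a name that nslookup finds does not, the ssh binary's resolver linkage or the resolver configuration it sees is suspect; if even the literal fails, the problem sits below ssh entirely.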
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 28 Oct 2003 20:34:06 +0100
Subject: Privilege separation
In-Reply-To:
References:
Message-ID: <20031028193406.GB24594@folly>

On Tue, Oct 28, 2003 at 07:59:47PM +0300, Dan Yefimov wrote:
> Hello!
> Please consider including the attached patch in the next release. It
> allows one to drop privilege separation code while building openssh by using
> '--disable-privsep' switch of configure script. If one doesn't use privilege
> separation at all, why don't simply allow him to drop privilege separation
> support completely?

no, this won't happen. you could do this for every runtime option.

From dan at D00M.integrate.com.ru Wed Oct 29 07:00:07 2003
From: dan at D00M.integrate.com.ru (Dan Yefimov)
Date: Tue, 28 Oct 2003 23:00:07 +0300 (MSK)
Subject: Privilege separation
In-Reply-To: <20031028193406.GB24594@folly>
Message-ID:

On Tue, 28 Oct 2003, Markus Friedl wrote:
> On Tue, Oct 28, 2003 at 07:59:47PM +0300, Dan Yefimov wrote:
> > Hello!
> > Please consider including the attached patch in the next release. It
> > allows one to drop privilege separation code while building openssh by using
> > '--disable-privsep' switch of configure script. If one doesn't use privilege
> > separation at all, why don't simply allow him to drop privilege separation
> > support completely?
>
> no, this won't happen. you could do this for every runtime option.
>
Please forgive me my importunity, but your answer seems unclear to me. What
exactly could I do for every runtime option? And what's the exact reason for
rejecting the patch? It simply introduces yet one configuration option allowing
one to not compile code he doesn't want to use anyway and hence reduce the
resulting executable size.

-- 
Sincerely Your,
Dan.

From mouring at etoh.eviladmin.org Wed Oct 29 07:22:44 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 28 Oct 2003 14:22:44 -0600 (CST)
Subject: Privilege separation
In-Reply-To:
Message-ID:

On Tue, 28 Oct 2003, Dan Yefimov wrote:
> On Tue, 28 Oct 2003, Markus Friedl wrote:
>
> > On Tue, Oct 28, 2003 at 07:59:47PM +0300, Dan Yefimov wrote:
> > > Hello!
> > > Please consider including the attached patch in the next release. It
> > > allows one to drop privilege separation code while building openssh by using
> > > '--disable-privsep' switch of configure script. If one doesn't use privilege
> > > separation at all, why don't simply allow him to drop privilege separation
> > > support completely?
> >
> > no, this won't happen. you could do this for every runtime option.
> >
> Please forgive me my importunity, but your answer seems unclear to me. What
> exactly could I do for every runtime option? And what's the exact reason for
> rejecting the patch? It simply introduces yet one configuration option allowing
> one to not compile code he doesn't want to use anyway and hence reduce the
> resulting executable size.

Introduces harder to read code when there was once clean and simple
pathways.

Introduces yet another set of #ifdef that need to be cared for.

Introduces yet another switch for someone to screw up and not realize
they have.

Introduces yet more complexity in a system that is already complex.

Introduces yet more pathways and configurations to test when testing the
software.

In general it introduces more headaches and does not "solve" any real
problems.

Just because one can make another switch does not mean it is a good thing.

- Ben

From dan at D00M.integrate.com.ru Wed Oct 29 09:09:29 2003
From: dan at D00M.integrate.com.ru (Dan Yefimov)
Date: Wed, 29 Oct 2003 01:09:29 +0300 (MSK)
Subject: Privilege separation
In-Reply-To:
Message-ID:

On Tue, 28 Oct 2003, Ben Lindstrom wrote:
> > > > Please consider including the attached patch in the next release. It
> > > > allows one to drop privilege separation code while building openssh by using
> > > > '--disable-privsep' switch of configure script. If one doesn't use privilege
> > > > separation at all, why don't simply allow him to drop privilege separation
> > > > support completely?
> > >
> > > no, this won't happen. you could do this for every runtime option.
> > >
> > Please forgive me my importunity, but your answer seems unclear to me. What
> > exactly could I do for every runtime option? And what's the exact reason for
> > rejecting the patch? It simply introduces yet one configuration option allowing
> > one to not compile code he doesn't want to use anyway and hence reduce the
> > resulting executable size.
>
> Introduces harder to read code when there was once clean and simple
> pathways.

The resulting code is no more hard to read than current one, and execution
pathways remain as clean and simple as currently.

> Introduces yet another set of #ifdef that need to be cared for.

Sure. Any other introduced optional feature would do that.

> Introduces yet another switch for someone to screw up and not realize
> they have.

If one doesn't understand any of existing configuration switches, he has two
options: either not use that switch (leaving the default value), or try to
learn about what is it for. The help text for switch I'm trying to introduce
is IMHO quite clear. If one knows nothing about privilege separation at all
he just won't use that switch, which will enable privilege separation code by
default.

> Introduces yet more complexity in a system that is already complex.
> Introduces yet more pathways and configurations to test when testing the
> software.
>
Looks like you haven't even looked at the patch. In fact, the patch acts as
if 'use_privsep' variable were replaced with a constant zero in the case of
configuring out privilege separation. What additional pathways, increased
complexity and additional configurations to test can be talked about in such
case?! As for configurations to test, if you test configuration where
'UsePrivsep no' line is present in the sshd_config file, you also test the
case where privilege separation is configured out. Please note also that
every 'if (!use_privsep)' statement is surrounded with '#ifndef
DISABLE_PRIVSEP', and likewise every 'if (use_privsep) { ... }' is surrounded
with '#ifndef DISABLE_PRIVSEP', so code maintenance is not greatly
complexified.

> In general it introduces more headaches and does not "solve" any real
> problems.
>
It's vain that you have taken 'solve' in quotes and believe that the patch
doesn't solve any problems. Imagine a little router that is booted from
diskette or ZIP drive. Every excessive byte of storage taken by an executable
is important. Using privilege separation in that system doesn't make much
sense. So the ability to configure out 'dead' code and reduce executable size
is important in such case. Also many people may believe this feature to be
useful.

> Just because one can make another switch does not mean it is a good thing.
>
Absolutely true.

-- 
Sincerely Your,
Dan.

From dtucker at zip.com.au Wed Oct 29 09:37:29 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 29 Oct 2003 09:37:29 +1100
Subject: AIX patch for openssh-3.7.1p2
References:
Message-ID: <3F9EEFA9.6BD79B2@zip.com.au>

Matt Richards wrote:
> 
> There are a couple of bugs in the openssh-3.7.1p2. The aix_setauthdb
> function does not work with other types of authentication such as AFS/DFS.

I take it your issue is that your failed logins aren't being recorded for
AFS/DFS?

The call to setauthdb is needed for correct recording of successful and
failed logins for some authentication types (eg LDAP).

I can see two possibilities:
1) Call loginfailed (and loginsuccess) twice when the authentication DB
isn't FILES, once with setauthdb(FILES) and once with setauthdb(whatever).
2) Keep a list of authentication types for which setauthdb is not called.

> The loginfailed test in configure is not correct. Also, AIX can use the
> wtmp logging which I added in configure. Attached is the patch.

I can't follow the changes to configure (which is a machine-generated file).
What is the issue with the loginfailed test? Could you post a patch against
configure.ac, which is what autoconf uses to generate configure?
(preferably "diff -u").

Any particular reason you added wtmp?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From kamisama at otsuge.jp Tue Oct 28 18:01:57 2003
From: kamisama at otsuge.jp (=?ISO-2022-JP?B?GyRCP0BNTRsoQg==?=)
Date: Tue, 28 Oct 2003 16:01:57 +0900
Subject: =?iso-2022-jp?b?GyRCTCQ+NUJ6OS05cCIoISE6IyRKJGlMNU5BISMbKEI=?=
Message-ID: <20031029051126.6583F27C18A@shitei.mindrot.org>

kamisama at otsuge.jp
http://otuge.jp

From stuge-openssh-unix-dev at cdy.org Wed Oct 29 17:58:14 2003
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Wed, 29 Oct 2003 07:58:14 +0100
Subject: Privilege separation
In-Reply-To:
References:
Message-ID: <20031029065814.GA2682@foo.birdnet.se>

SCNR commenting. I appreciate the decision not to allow disabling of privsep.

On Wed, Oct 29, 2003 at 01:09:29AM +0300, Dan Yefimov wrote:
> It's vain that you have taken 'solve' in quotes and believe that the patch
> doesn't solve any problems. Imagine a little router that is booted from
> diskette or ZIP drive. Every excessive byte of storage taken by an
> executable is important. Using privilege separation in that system doesn't
> make much sense.

The router not getting rooted because of some bug in OpenSSH or elsewhere is more important to me when I build routers. Floppy disks are (finally!) a dying breed. ZIP disks have hundreds of megabytes of storage space, as do CDs. If security isn't useful, you could just use utelnetd.

//Peter

From logsnaath at gmx.net Wed Oct 29 20:30:36 2003
From: logsnaath at gmx.net (Logu)
Date: Wed, 29 Oct 2003 15:00:36 +0530
Subject: Privilege separation
References:
Message-ID: <00b801c39dff$a9dd74b0$5f0110ac@lorco>

> > In general it introduces more headaches and does not "solve" any real
> > problems.
> >
> It's vain that you have taken 'solve' in quotes and believe that the patch
> doesn't solve any problems. Imagine a little router that is booted from
> diskette or ZIP drive. Every excessive byte of storage taken by an executable is
> important. Using privilege separation in that system doesn't make much sense. So
> the ability to configure out 'dead' code and reduce executable size is important
> in such case. Also many people may believe this feature to be useful.
>
If code size is your main issue rather than security, a better option will be rsh.

I do not understand why there is a runtime option not to use privilege separation. What if privilege separation is made compulsory?

-Logu

From markus at openbsd.org Wed Oct 29 21:00:02 2003
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 29 Oct 2003 11:00:02 +0100
Subject: Privilege separation
In-Reply-To:
References: <20031028193406.GB24594@folly>
Message-ID: <20031029100002.GB24504@folly>

On Tue, Oct 28, 2003 at 11:00:07PM +0300, Dan Yefimov wrote:
> Please forgive me my importunity, but your answer seems unclear to me. What
> exactly could I do for every runtime option? And what's the exact reason for
> rejecting the patch? It simply introduces yet one configuration option allowing
> one to not compile code he doesn't want to use anyway and hence reduce the
> resulting executable size.

if code size is the issue, then you could strip out ssh1, compression or other things.

From dtucker at zip.com.au Wed Oct 29 21:01:14 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 29 Oct 2003 21:01:14 +1100
Subject: Privilege separation
References: <00b801c39dff$a9dd74b0$5f0110ac@lorco>
Message-ID: <3F9F8FEA.C4204D7B@zip.com.au>

Logu wrote:
> I do not understand why there is a runtime option not to use privilege
> separation. What if privilege separation is made compulsory?

Not all platforms and configurations work with privsep. (Example: *really* early Linuxes have a broken mmap(), so Compression isn't usable with privilege separation.)

It also increases the memory footprint (2 sshd's per connection rather than 1); this may make a difference on heavily-loaded or memory-starved machines.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From markus at openbsd.org Wed Oct 29 22:50:45 2003
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 29 Oct 2003 12:50:45 +0100
Subject: Privilege separation
In-Reply-To: <3F9F8FEA.C4204D7B@zip.com.au>
References: <00b801c39dff$a9dd74b0$5f0110ac@lorco> <3F9F8FEA.C4204D7B@zip.com.au>
Message-ID: <20031029115045.GA9314@folly>

On Wed, Oct 29, 2003 at 09:01:14PM +1100, Darren Tucker wrote:
> Logu wrote:
> > I do not understand why there is a runtime option not to use privilege
> > separation. What if privilege separation is made compulsory?
>
> Not all platforms and configurations work with privsep. (Example:
> *really* early Linuxes have a broken mmap(), so Compression isn't usable
> with privilege separation.)
>
> It also increases the memory footprint (2 sshd's per connection rather
> than 1), this may make a difference on heavily-loaded or memory-starved
> machines.

I'd rather make compression a compile time option. That's trivial...

From jose.rodriguez at ac.upc.es Wed Oct 29 23:16:23 2003
From: jose.rodriguez at ac.upc.es (Jose A. Rodriguez)
Date: Wed, 29 Oct 2003 13:16:23 +0100
Subject: Environment set on PAM module is not visible to user
Message-ID: <20031029121623.GD10415@ac.upc.es>

We're using an internal PAM module (Linux) that sets a few environment variables using pam_putenv (on pam_sm_authenticate). In version 3.6.1p1i such variables are visible to the user (as expected), but since 3.7p1 they are not... Is this the expected behaviour?

Thanks in advance,
Jose

____________________________________________________________________________
Jose A. Rodriguez      OOO  Universitat Politecnica de Catalunya (UPC)
josear at ac.upc.es       OOO  Departament d'Arquitectura de Computadors
Tel. 16990             OOO  -*- LCAC -*- UPC

From dan at D00M.integrate.com.ru Thu Oct 30 01:04:23 2003
From: dan at D00M.integrate.com.ru (Dan Yefimov)
Date: Wed, 29 Oct 2003 17:04:23 +0300 (MSK)
Subject: Privilege separation
In-Reply-To: <00b801c39dff$a9dd74b0$5f0110ac@lorco>
Message-ID:

On Wed, 29 Oct 2003, Logu wrote:

> > > In general it introduces more headaches and does not "solve" any real
> > > problems.
> > >
> > It's vain that you have taken 'solve' in quotes and believe that the patch
> > doesn't solve any problems. Imagine a little router that is booted from
> > diskette or ZIP drive. Every excessive byte of storage taken by an executable is
> > important. Using privilege separation in that system doesn't make much sense. So
> > the ability to configure out 'dead' code and reduce executable size is important
> > in such case. Also many people may believe this feature to be useful.
> >
> If code size is your main issue rather than security, a better option will be
> rsh.
>
Wanna joke? This is a nice one. :-/

> I do not understand why there is a runtime option not to use privilege
> separation. What if privilege separation is made compulsory?
>
Nothing must be imposed on anybody. This is the main principle of most countries' Constitutions all over the world. Having at least a runtime option is better than having no option at all. And yet better would be having a compile-time option to completely remove a feature anyone dislikes.

--
Sincerely Your, Dan.

From greinert at rz.uni-leipzig.de Thu Oct 30 00:38:30 2003
From: greinert at rz.uni-leipzig.de (Wolfram Greinert)
Date: Wed, 29 Oct 2003 14:38:30 +0100 (MET)
Subject: OpenSSH 3.7.1p2 and HP-UX11i
Message-ID: <20031029133830.98FD81F@server1.rz.uni-leipzig.de>

Hello,

We have a problem with OpenSSH and HP-UX 11i. With OpenSSH_3.6.1p1 we can use the public keys (~/.ssh/id_rsa). With the same .ssh dir and config files in /etc/openssh, OpenSSH_3.7.1p2 will not use the public keys and prompts for a password :-( We have tried this with OpenSSL 0.9.7b and OpenSSL 0.9.7c! Why does OpenSSH_3.7.1p2 not use my public key files?

The OpenSSH_3.7.1p2 server (sshd) has no problems with public keys from other clients, but the OpenSSH_3.7.1p2 clients (ssh, scp) will not use our public keys :-(

Here is the debug output from OpenSSH_3.6.1p1 and OpenSSH_3.7.1p2:

-------------------------------------------------------------------
OpenSSH_3.6.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
...
debug1: Host 'XXXX' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:13
debug2: bits set: 1609/3191
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
...
-------------------------------------------------------------------

---------------------------------------------------------------------
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
...
debug1: Host 'XXXX' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:13
debug2: bits set: 1568/3191
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
...
---------------------------------------------------------------------

Greetings
Wolfram Greinert

--
###########################################
# Wolfram Greinert                        #
# URZ der Uni Leipzig, Abteilung Netze    #
# 04109 Leipzig, Augustusplatz 10/11      #
# Tel.: +(0341) 97-33325                  #
# email: greinert at rz.uni-leipzig.de     #
###########################################

From dan at D00M.integrate.com.ru Thu Oct 30 01:28:45 2003
From: dan at D00M.integrate.com.ru (Dan Yefimov)
Date: Wed, 29 Oct 2003 17:28:45 +0300 (MSK)
Subject: Privilege separation
In-Reply-To: <20031029115045.GA9314@folly>
Message-ID:

On Wed, 29 Oct 2003, Markus Friedl wrote:

> On Wed, Oct 29, 2003 at 09:01:14PM +1100, Darren Tucker wrote:
> > Logu wrote:
> > > I do not understand why there is a runtime option not to use privilege
> > > separation. What if privilege separation is made compulsory?
> >
> > Not all platforms and configurations work with privsep. (Example:
> > *really* early Linuxes have a broken mmap(), so Compression isn't usable
> > with privilege separation.)
> >
> > It also increases the memory footprint (2 sshd's per connection rather
> > than 1), this may make a difference on heavily-loaded or memory-starved
> > machines.
>
> I'd rather make compression a compile time option. That's trivial...
>
And what about privilege separation? ;-) My patch proves that making it a compile time option is trivial too. And I completely agree with Darren's viewpoint. Again, everyone must have an option.

--
Sincerely Your, Dan.

From markus at openbsd.org Thu Oct 30 01:33:54 2003
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 29 Oct 2003 15:33:54 +0100
Subject: Privilege separation
In-Reply-To:
References: <20031029115045.GA9314@folly>
Message-ID: <20031029143354.GA11131@folly>

On Wed, Oct 29, 2003 at 05:28:45PM +0300, Dan Yefimov wrote:
> > I'd rather make compression a compile time option. That's trivial...
> >
> And what about privilege separation? ;-) My patch proves that making it a
> compile time option is trivial too. And I completely agree with Darren's view
> point. Again, everyone must have an option.

privilege separation as a compile time option requires far more changes. i'd like to see no compile time options at all, but that requires some rewrite.

From Steve.Belt at motorola.com Thu Oct 30 01:54:37 2003
From: Steve.Belt at motorola.com (Steve Belt (rgpg70))
Date: Wed, 29 Oct 2003 08:54:37 -0600
Subject: issue with 3.7.1p2
Message-ID: <3F9FD4AD.79D19B71@motorola.com>

Hello,

I sent this a couple of weeks ago, but got no response. I can only assume that nobody has experienced this problem. Anyway, I thought I would try again just in case.

As a preface, this was compiled and is running on a Solaris 8 system that uses ldap as its name service. The "--with-pam" switch was used during config and "UsePam yes" is in the sshd_config file.

Here is the issue: When a user types in the wrong password, there is a long delay and then the message "Connection closed" appears. With 3.6.1p1, a wrong password would result in an immediate message "Permission denied, please try again" and the user would be asked to re-enter the password. I can reduce the delay by setting "LoginGraceTime" to some smaller number, but why does the connection close instead of asking for another password?

BTW, this does not happen on a Solaris 8 system that uses nis as its name service. The behavior is as expected, with the user being asked to re-enter the password.

Any help would be appreciated.

Thanks,
Steve

--
Steve "Wheat" Belt                         Motorola, Inc.
Steve.Belt at motorola.com                    6501 William Cannon Dr. West, MD OE341
512-895-2268                               Austin, TX 78735

From jose.rodriguez at ac.upc.es Thu Oct 30 02:22:56 2003
From: jose.rodriguez at ac.upc.es (Jose A. Rodriguez)
Date: Wed, 29 Oct 2003 16:22:56 +0100
Subject: Environment set on PAM module is not visible to user
Message-ID: <20031029152256.GF10415@ac.upc.es>

> We're using an internal PAM module (Linux) that sets a few environment
> variables using pam_putenv (on pam_sm_authenticate). In version 3.6.1p1i
> such variables are visible to the user (as expected), but since 3.7p1
> they are not...

I found the cause for this behaviour: since 3.7.1p2 the PAM authentication is done using a thread. If not compiled with POSIX thread support, then OpenSSH emulates threads using processes. This emulation is not perfect and, as I reported, the environment updated by the PAM module is lost (there is no code to copy the environment from the child/emulated thread). Using POSIX threads everything works as expected.

I consider this behaviour a bug, but that's only an opinion. :-)

Jose

____________________________________________________________________________
Jose A. Rodriguez      OOO  Universitat Politecnica de Catalunya (UPC)
josear at ac.upc.es       OOO  Departament d'Arquitectura de Computadors
Tel. 16990             OOO  -*- LCAC -*- UPC

From dan at D00M.integrate.com.ru Thu Oct 30 02:54:29 2003
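An added illustration of the step Jose describes as missing from the fork-based thread emulation; this is not OpenSSH code and not any patch from the thread. A forked child stands in for the PAM module and hands the variables it set back to the parent over a pipe; the parent reads them under hard bounds and validates each entry before accepting it. The function names, the length-prefixed framing and the sample variables are all constructed for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Move exactly n bytes through fd, surviving short transfers and EINTR. */
static int xfer_full(int fd, void *buf, size_t n, int writing)
{
    unsigned char *p = buf;
    while (n > 0) {
        ssize_t r = writing ? write(fd, p, n) : read(fd, p, n);
        if (r < 0 && errno == EINTR)
            continue;
        if (r <= 0)
            return -1;  /* error, or EOF before the frame was complete */
        p += r, n -= (size_t)r;
    }
    return 0;
}

/* Child side: a 4-byte count, then each "NAME=VALUE" as a 4-byte length
 * plus bytes. Length prefixes rather than newline separators, so any
 * byte a module puts into a value survives the trip through the pipe. */
int env_send(int fd, char *const *entries, uint32_t count)
{
    uint32_t i, len;
    if (xfer_full(fd, &count, sizeof count, 1) < 0)
        return -1;
    for (i = 0; i < count; i++) {
        len = (uint32_t)strlen(entries[i]);
        if (xfer_full(fd, &len, sizeof len, 1) < 0 ||
            xfer_full(fd, entries[i], len, 1) < 0)
            return -1;
    }
    return 0;
}

/* Parent side: read the frames back under hard bounds (constructed: at most
 * 64 entries of 4096 bytes), drop entries without '=', with an empty name or
 * an embedded NUL, and return the rest as malloc'd strings in out[] (caller
 * frees). Returns the accepted count, or -1 on a protocol error. */
int env_recv(int fd, char **out, uint32_t max_out)
{
    uint32_t count, len, i, n = 0;
    char *s, *eq;
    if (xfer_full(fd, &count, sizeof count, 0) < 0 ||
        count > 64 || count > max_out)
        return -1;
    for (i = 0; i < count; i++) {
        if (xfer_full(fd, &len, sizeof len, 0) < 0 ||
            len == 0 || len > 4096 || (s = malloc(len + 1)) == NULL)
            goto fail;
        if (xfer_full(fd, s, len, 0) < 0) {
            free(s);
            goto fail;
        }
        s[len] = '\0';
        eq = strchr(s, '=');
        if (strlen(s) != len || eq == NULL || eq == s)
            free(s);    /* malformed entry: drop it, keep reading */
        else
            out[n++] = s;
    }
    return (int)n;
fail:
    while (n > 0)
        free(out[--n]);
    return -1;
}

/* The emulated-thread path end to end: the child stands in for the PAM module
 * calling pam_putenv(), and the parent collects what it set once the child
 * exits, the step the fork emulation lacks. In sshd the result belongs to the
 * user's session, not to the privileged parent's own environment. */
int forked_auth_env_demo(char **out, uint32_t max_out)
{
    char *const child_env[] = {     /* constructed sample of module output */
        "PAM_EXAMPLE_VAR=from-child", "KRB5CCNAME=/tmp/krb5cc_example",
        "BOGUS-NO-EQUALS" };        /* the parent must drop this one */
    int fds[2], n;
    pid_t pid;
    if (pipe(fds) < 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {                 /* child: play the PAM module */
        close(fds[0]);
        _exit(env_send(fds[1], child_env, 3) == 0 ? 0 : 1);
    }
    close(fds[1]);
    n = env_recv(fds[0], out, max_out); /* a failed send surfaces here as a short frame */
    close(fds[0]);
    waitpid(pid, NULL, 0);              /* just reap; the data path already reported errors */
    return n;
}

int main(void)
{
    char *got[8];
    return forked_auth_env_demo(got, 8) == 2 ? 0 : 1;
}
```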
From: dan at D00M.integrate.com.ru (Dan Yefimov)
Date: Wed, 29 Oct 2003 18:54:29 +0300 (MSK)
Subject: Privilege separation
In-Reply-To: <20031029143354.GA11131@folly>
Message-ID:

On Wed, 29 Oct 2003, Markus Friedl wrote:

> On Wed, Oct 29, 2003 at 05:28:45PM +0300, Dan Yefimov wrote:
> > > I'd rather make compression a compile time option. That's trivial...
> > >
> > And what about privilege separation? ;-) My patch proves that making it a
> > compile time option is trivial too. And I completely agree with Darren's view
> > point. Again, everyone must have an option.
>
> privilege separation as a compile time option requires far more
> changes. i'd like to see no compile time options at all,
> but that requires some rewrite.
>
OK, hence what exactly is wrong/missing in my patch (please don't only tell me you dislike the idea itself of it - I've already got that)?

--
Sincerely Your, Dan.

From djast at cs.toronto.edu Thu Oct 30 03:42:40 2003
From: djast at cs.toronto.edu (Dan Astoorian)
Date: Wed, 29 Oct 2003 11:42:40 -0500
Subject: Privilege separation
In-Reply-To: Your message of "Wed, 29 Oct 2003 09:28:45 EST."
Message-ID: <03Oct29.114241edt.453187-21070@jane.cs.toronto.edu>

On Wed, 29 Oct 2003 09:28:45 EST, Dan Yefimov writes:
> And what about privilege separation? ;-) My patch proves that making it a
> compile time option is trivial too. And I completely agree with Darren's view
> point. Again, everyone must have an option.

A 500-line patch which requires future maintainers to add more #ifdefs every time they test the "use_privsep" variable is hardly "trivial."

A simpler approach might have been to define use_privsep as a preprocessor constant (removing any code that sets its value), and letting your compiler's optimizer remove the resulting dead code.

--
Dan Astoorian                People shouldn't think that it's better to have
Sysadmin, CSLab              loved and lost than never loved at all. It's
djast at cs.toronto.edu        not, it's better to have loved and won. All
www.cs.toronto.edu/~djast/   the other options really suck. --Dan Redican

From dan at D00M.integrate.com.ru Thu Oct 30 04:13:24 2003
From: dan at D00M.integrate.com.ru (Dan Yefimov)
Date: Wed, 29 Oct 2003 20:13:24 +0300 (MSK)
Subject: Privilege separation
In-Reply-To: <20031029160259.GA17889@folly>
Message-ID:

On Wed, 29 Oct 2003, Markus Friedl wrote:

> > > privilege separation as a compile time option requires far more
> > > changes. i'd like to see no compile time options at all,
> > > but that requires some rewrite.
> > >
> > OK, hence what exactly is wrong/missing in my patch (please don't only tell me
> > you dislike the idea itself of it - I've already got that)?
>
> it's too big

The patch introducing privilege separation was much bigger. In general I see no constructive dialogue turning out between me and you - there will always be millions of thought-up justifications for not wishing to do something.

> and i dislike the idea.
>
No comments...

> Privilege separation would be made optional last.
>
2all: Is there at least one maintainer around in the list that would simply apply that simple patch without such unreasonable resistance? Up to this moment I have heard no proven criticism against that patch.

--
Sincerely Your, Dan.

From markus at openbsd.org Thu Oct 30 04:27:50 2003
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 29 Oct 2003 18:27:50 +0100
Subject: Privilege separation
In-Reply-To:
References: <20031029160259.GA17889@folly>
Message-ID: <20031029172750.GB18456@folly>

On Wed, Oct 29, 2003 at 08:13:24PM +0300, Dan Yefimov wrote:
> On Wed, 29 Oct 2003, Markus Friedl wrote:
>
> > > > privilege separation as a compile time option requires far more
> > > > changes. i'd like to see no compile time options at all,
> > > > but that requires some rewrite.
> > > >
> > > OK, hence what exactly is wrong/missing in my patch (please don't only tell me
> > > you dislike the idea itself of it - I've already got that)?
> >
> > it's too big
>
> The patch introducing privilege separation was much bigger. In general I see
> no constructive dialogue turning out between me and you - there will always
> be millions of thought-up justifications for not wishing to do something.

but the privilege separation did not include #ifdef

#ifdef is generally considered bad, because it introduces more codepaths. there should be no optional code.

> > Privilege separation would be made optional last.
> >
> 2all: Is there at least one maintainer around in the list that would simply
> apply that simple patch without such unreasonable resistance? Up to this moment I

it's not a simple patch, it touches many files and introduces #ifdef.

From celinn at mtu.edu Thu Oct 30 04:28:22 2003
From: celinn at mtu.edu (Christopher Linn)
Date: Wed, 29 Oct 2003 12:28:22 -0500
Subject: Privilege separation
In-Reply-To:
References: <20031029160259.GA17889@folly>
Message-ID: <20031029172822.GC2563@mtu.edu>

On Wed, Oct 29, 2003 at 08:13:24PM +0300, Dan Yefimov wrote:
[...]
> 2all: Is there at least one maintainer around in the list that would simply
> apply that simple patch without such unreasonable resistance? Up to this moment I
> have heard no proven criticism against that patch.

with all due respect, i believe the resistance is not "unreasonable," but rather your insistence is unreasonable. a patch should prove itself worthy, rather than be applied unless proved unworthy. personally i think you have failed to prove that. (but then, i'm no developer.)

chris

--
Christopher Linn, (celinn at mtu.edu)   | By no means shall either the CEC
Staff System Administrator            | or MTU be held in any way liable
Center for Experimental Computation   | for any opinions or conjecture I
Michigan Technological University     | hold to or imply to hold herein.

From markus at openbsd.org Thu Oct 30 04:30:28 2003
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 29 Oct 2003 18:30:28 +0100
Subject: Privilege separation
In-Reply-To:
References: <20031029115045.GA9314@folly>
Message-ID: <20031029173028.GA23739@folly>

On Wed, Oct 29, 2003 at 05:28:45PM +0300, Dan Yefimov wrote:
> point. Again, everyone must have an option.

I don't agree. Options are bad, they cause bugs. Compile time options are options as well, and cause more bugs. More options, less tests, more bugs.

From nospam at magestower.net Thu Oct 30 05:35:15 2003
From: nospam at magestower.net (The Alchemist)
Date: Wed, 29 Oct 2003 12:35:15 -0600
Subject: question on assorted patches
Message-ID: <3FA00863.10903@magestower.net>

I'm trying to put together a starting list of patches required to get 3.7.1p2 working in our environment. I'm pretty sure I need the following at minimum but would like guidance about a couple of them and direction on a couple of unanswered questions. I've spent most of the morning trolling the archives, but I feel that I've still got gaps in my understanding. I would greatly appreciate additional clarification. My questions are linked as footnotes with numbers in brackets.

Our environment:
- Solaris (2.6, 8) with:
  PAM [1]
  password forced change (both for new accounts and inactivity) [2]
  BSM for some hosts [3]
  Some sparcv9 (64-bit) [4]
- HP-UX (mostly 11.x)
  PAM both trusted and untrusted [5]
  password forced change like Solaris [6]
- We're also working on some Linux, but it's probably too early to worry about it now

So here are my questions/observations:
- [1] Should work fine w/ --use-pam & UsePam=yes except for [2]
- [2] I found a patch from Darren, but according to a later post it doesn't apply against stock 3.7.1p2. Does anyone have a version that does? Use of -current disturbs me since I'm trying to write up a standards doc that will be normative until a new vulnerability arises or enough other changes take place to warrant an upgrade on several hundred servers.
- [3] We are currently using 3.4p1 with the BSM patch along with UseLogin=yes for hosts that are BSM enabled. According to one email with no reply, that patch is MIA for 3.7.1p2. Does anyone have a replacement?
- [4] I found a patch for this that I plan on using. No worries here.
- [5/6] I've found disturbing comments about issues with trusted. Are there any good or trial patches to resolve this? Can anyone fully elaborate what the limitations are?
- General concerns: I understand we'll want to use keyboard-interactive & publickey for our only auth types. Is this correct? Anyone have really strong recommendations on openssl/zlib versions?

Thanks all for a great product,
--Jason

From dan at D00M.integrate.com.ru Thu Oct 30 05:04:08 2003
From: dan at D00M.integrate.com.ru (Dan Yefimov)
Date: Wed, 29 Oct 2003 21:04:08 +0300 (MSK)
Subject: Privilege separation
In-Reply-To: <20031029172822.GC2563@mtu.edu>
Message-ID:

On Wed, 29 Oct 2003, Christopher Linn wrote:

> > 2all: Is there at least one maintainer around in the list that would simply
> > apply that simple patch without such unreasonable resistance? Up to this moment I
> > have heard no proven criticism against that patch.
>
> with all due respect, i believe the resistance is not "unreasonable,"
> but rather your insistence is unreasonable. a patch should prove
> itself worthy, rather than be applied unless proved unworthy.
> personally i think you have failed to prove that. (but then,
> i'm no developer.)
>
IOW, you believe the freedom of choice isn't worth anything, don't you?

--
Sincerely Your, Dan.

From mouring at etoh.eviladmin.org Thu Oct 30 05:40:50 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 29 Oct 2003 12:40:50 -0600 (CST)
Subject: Privilege separation
In-Reply-To:
Message-ID:

On Wed, 29 Oct 2003, Dan Yefimov wrote:

> On Wed, 29 Oct 2003, Christopher Linn wrote:
>
> > > 2all: Is there at least one maintainer around in the list that would simply
> > > apply that simple patch without such unreasonable resistance? Up to this moment I
> > > have heard no proven criticism against that patch.
> >
> > with all due respect, i believe the resistance is not "unreasonable,"
> > but rather your insistence is unreasonable. a patch should prove
> > itself worthy, rather than be applied unless proved unworthy.
> > personally i think you have failed to prove that. (but then,
> > i'm no developer.)
> >
> IOW, you believe the freedom of choice isn't worth anything, don't you?

You do have a freedom of choice. Your patch was declined, but you are free to set up a sourceforge project or some other place to praise and glorify your patch. If not outright create a fork.

By us not accepting it does not limit *YOUR* choice.

We have to code around this crap daily. You don't. So I don't see why you are getting upset that we refuse to dirty our code just to make you happy with a "feature" that is in our minds a bad thing.

I think we are at the end of this thread. If Markus says no.. and a few others of the core/portable team say no.. the answer is a resounding no.

- Ben

From jason at devrandom.org Thu Oct 30 05:53:58 2003
From: jason at devrandom.org (Jason McCormick)
Date: Wed, 29 Oct 2003 13:53:58 -0500
Subject: OpenSSH and Redhat 8
In-Reply-To: <31EF3A450BCED5119D080002A5CE4D91045C9686@ga25exb01.wepd.mot.com>
References: <31EF3A450BCED5119D080002A5CE4D91045C9686@ga25exb01.wepd.mot.com>
Message-ID: <200310291353.58507.jason@devrandom.org>

John,

The following steps should work for you (or anyone building on a RedHat box):

1) Get the official OpenSSH source RPM from ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/SRPMS/openssh-3.7.1p2-1.src.rpm

2) Do 'rpmbuild --rebuild ./openssh-3.7.1p2-1.src.rpm' from where you saved the file.

3) This should create the following files in /usr/src/redhat/RPMS/i386:
   openssh-server-3.7.1p2-1.i386.rpm
   openssh-clients-3.7.1p2-1.i386.rpm
   openssh-askpass-gnome-3.7.1p2-1.i386.rpm
   openssh-askpass-3.7.1p2-1.i386.rpm
   openssh-3.7.1p2-1.i386.rpm

4) Invoke 'rpm -Uvh openssh-*.rpm' to install them.

5) Assuming you're using a standard RedHat setup, make sure you edit /etc/ssh/sshd_config to change 'UsePAM' to yes so OpenSSH will look at PAM for user authentication. Note this is a change in behavior from previous OpenSSH installs where PAM was enabled by default.

6) Restart - '/etc/init.d/openssh restart'

That should be all you need with Redhat 8.0. Let me know if you run into more problems. I've CCed this to the mailing list for future reference for all.

--
Jason McCormick
jason at devrandom.org
GPG Key: http://www.devrandom.org/gpgkey.php
GPG Fingerprint: 66C5 2B15 3E34 2B5E 5321 6147 303A DCE6 0A74 A19C

From djm at mindrot.org Thu Oct 30 08:09:28 2003
From: djm at mindrot.org (Damien Miller)
Date: Wed, 29 Oct 2003 21:09:28 -0000
Subject: Environment set on PAM module is not visible to user
In-Reply-To: <20031029152256.GF10415@ac.upc.es>
References: <20031029152256.GF10415@ac.upc.es>
Message-ID: <1067465640.2853.3.camel@sakura.mindrot.org>

Try the patch at: http://bugzilla.mindrot.org/show_bug.cgi?id=717

On Thu, 2003-10-30 at 02:22, Jose A. Rodriguez wrote:
> > We're using an internal PAM module (Linux) that sets a few environment
> > variables using pam_putenv (on pam_sm_authenticate). In version 3.6.1p1i
> > such variables are visible to the user (as expected), but since 3.7p1
> > they are not...

From djm at mindrot.org Thu Oct 30 08:19:29 2003
From: djm at mindrot.org (Damien Miller)
Date: Wed, 29 Oct 2003 21:19:29 -0000
Subject: Privilege separation
In-Reply-To:
References:
Message-ID: <1067466149.2853.11.camel@sakura.mindrot.org>

On Thu, 2003-10-30 at 05:04, Dan Yefimov wrote:
> On Wed, 29 Oct 2003, Christopher Linn wrote:
>
> > > 2all: Is there at least one maintainer around in the list that would simply
> > > apply that simple patch without such unreasonable resistance? Up to this moment I
> > > have heard no proven criticism against that patch.
> >
> > with all due respect, i believe the resistance is not "unreasonable,"
> > but rather your insistence is unreasonable. a patch should prove
> > itself worthy, rather than be applied unless proved unworthy.
> > personally i think you have failed to prove that. (but then,
> > i'm no developer.)
> >
> IOW, you believe the freedom of choice isn't worth anything, don't you?

Yes, and you have the freedom of choice to maintain your patch in your own tree or fork your own version of OpenSSH if you don't like our choice.

Please don't demand that we review your patches for bugs when we don't agree with your intent.

-d

From smichaud* at pobox.com Thu Oct 30 08:32:14 2003
From: smichaud* at pobox.com (Steven Michaud)
Date: Wed, 29 Oct 2003 15:32:14 -0600 (CST)
Subject: Fix for USE_POSIX_THREADS in auth-pam.c
Message-ID:

As many of you know, OpenSSH 3.7.X, unlike previous versions, makes PAM authentication take place in a separate process or thread (launched from sshpam_init_ctx() in auth-pam.c). By default (if you don't define USE_POSIX_THREADS) the code "fork"s a separate process. Or if you define USE_POSIX_THREADS it will create a new thread (a second one, in addition to the primary thread).

The default option (authenticating in a child process) has a serious problem -- authentication changes PAM's state, but the new state won't get transferred from the child to the parent unless you add new hacks to explicitly transfer each bit and piece that you want. For example, Christian Pfaffel posted a patch to this list on 9-17 with hacks to force Kerberos credentials to disk and to use ssh_msg_send() to send the PAM environment from the child process to the parent. (His patch was in an attachment and got dropped. But fortunately he re-posted his message to the MIT Kerberos newsgroup a few days later, and this time the attachment came through -- http://diswww.mit.edu:8008/menelaus.mit.edu/kerberos/19973.)

Christian's patch works. But it's difficult to know exactly what state needs to be transferred. A simpler and more elegant solution is to create a new thread -- as long as both the "parent" and the "child" thread use the same PAM handle, state-changes in each thread "automatically" become visible in the other.

In fact this solution works just fine (as long as your OS has support for POSIX threads). But a small change was required to the "thread" code in auth-pam.c: The man pages for Linux PAM (also used on Darwin/OS X) and Solaris PAM say that PAM isn't thread safe unless each thread uses a different PAM handle. But that's useless for us -- we need both threads to share a single PAM handle.
Instead we should use a mutex to prevent the single handle from being used by more than a single thread at a time. That's what the following patch does. It also re-initializes the mutex when (after the authentication has succeeded) a user-owned child process gets forked (in do_exec_no_pty() and do_exec_pty() in session.c) that still needs access to the PAM handle.

Since I know that the OpenSSH folks prefer to get patches against the most recent versions, this patch is meant to be applied to openssh-SNAP-20031028. It's been tested (separately) on Solaris 8 and (together with other patches) on Darwin/OS X. On some OSs (notably Solaris) you will need to add -lpthread to LDFLAGS (besides defining USE_POSIX_THREADS in CPPFLAGS).

Please let me know if you have problems with it. Beware of broken lines (I don't dare include it as a separate attachment).

diff -u -r src.old/auth-pam.c src/auth-pam.c
--- src.old/auth-pam.c Wed Oct 29 12:37:08 2003
+++ src/auth-pam.c Wed Oct 29 12:37:07 2003
@@ -128,6 +128,69 @@ static void sshpam_free_ctx(void *); static struct pam_ctxt *cleanup_ctxt; +#ifdef USE_POSIX_THREADS + +static pthread_mutexattr_t lock_attr; +static pthread_mutex_t sshpam_handle_lock; +static int sshpam_handle_lock_ready = 0; +static int sshpam_handle_lock_count = 0; +static pid_t process_id = 0; + +/* On Solaris, Linux and Darwin, PAM routines are said to only be + * thread-safe if each thread has a different PAM handle (which really + * means they're NOT thread-safe, but anyway). For our purposes, all + * threads must use the same handle (otherwise it will be difficult for + * them to share PAM state), so we need to protect access to + * sshpam_handle with a mutex. + * + * Auth-pam.c has many other global variables, which might in principle + * also need to be protected by mutexes. But none of the others is a + * handle into an external black box (like PAM). And in the current state + * of the code, none of these global variables (even sshpam_handle) is + * ever changed from more than one thread. + */ +static pam_handle_t *grab_pamh(int set, pam_handle_t *value) +{ + pid_t pid_holder; + /* It's not safe to use pthread structures created for our parent + * (if we've been forked our pid will have changed). Reinitialize + * everything if this has happened (we know beforehand that these + * structures can't yet be in use in our process). 
+ */ + if (process_id != (pid_holder = getpid())) { + sshpam_handle_lock_ready = 0; + process_id = pid_holder; + sshpam_handle_lock_count = 0; + pthread_mutexattr_init(&lock_attr); + pthread_mutexattr_settype(&lock_attr, PTHREAD_MUTEX_RECURSIVE); + pthread_mutex_init(&sshpam_handle_lock, &lock_attr); + sshpam_handle_lock_ready = 1; + } + if (!sshpam_handle_lock_ready) { + if (set) + sshpam_handle = value; + return sshpam_handle; + } + ++sshpam_handle_lock_count; + pthread_mutex_lock(&sshpam_handle_lock); + if (set) + sshpam_handle = value; + pthread_mutex_unlock(&sshpam_handle_lock); + --sshpam_handle_lock_count; + return sshpam_handle; +} + +#else /* #ifdef USE_POSIX_THREADS */ + +static pam_handle_t *grab_pamh(int set, pam_handle_t *value) +{ + if (set) + sshpam_handle = value; + return sshpam_handle; +} + +#endif /* #ifdef USE_POSIX_THREADS */ + /* * Conversation function for authentication thread. */ @@ -216,7 +279,7 @@ #ifndef USE_POSIX_THREADS const char *pam_user; - pam_get_item(sshpam_handle, PAM_USER, (const void **)&pam_user); + pam_get_item(grab_pamh(0, NULL), PAM_USER, (const void **)&pam_user); setproctitle("%s [pam]", pam_user); #endif @@ -224,11 +287,11 @@ sshpam_conv.appdata_ptr = ctxt; buffer_init(&buffer); - sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, + sshpam_err = pam_set_item(grab_pamh(0, NULL), PAM_CONV, (const void *)&sshpam_conv); if (sshpam_err != PAM_SUCCESS) goto auth_fail; - sshpam_err = pam_authenticate(sshpam_handle, 0); + sshpam_err = pam_authenticate(grab_pamh(0, NULL), 0); if (sshpam_err != PAM_SUCCESS) goto auth_fail; buffer_put_cstring(&buffer, "OK"); @@ -238,7 +301,7 @@ auth_fail: buffer_put_cstring(&buffer, - pam_strerror(sshpam_handle, sshpam_err)); + pam_strerror(grab_pamh(0, NULL), sshpam_err)); ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer); buffer_free(&buffer); pthread_exit(NULL); 
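Review bot: in the grab_pamh() hunk the mutex is unlocked before the handle is returned, so pthread_mutex_lock()/pthread_mutex_unlock() only bracket the read or write of the sshpam_handle pointer, and every PAM call made with the result (pam_authenticate(grab_pamh(0, NULL), 0), pam_set_item(grab_pamh(0, NULL), PAM_CONV, ...), pam_get_item(...)) runs on the shared handle with no lock held; two threads can still be inside libpam on the same pam_handle_t at the same time, which is exactly what the comment above the function says the PAM man pages forbid. If the goal is to serialise use of the one handle, the lock has to be held across the pam_*() call itself, for example a pair such as sshpam_lock()/sshpam_unlock() on the recursive mutex around each PAM call, with grab_pamh() reduced to the pointer accessor. Three smaller points in the same hunk: sshpam_handle_lock_count is a plain int incremented and decremented outside the mutex, so another thread cannot rely on it as an "in use" indicator; the return values of pthread_mutexattr_init(), pthread_mutexattr_settype() and pthread_mutex_init() are ignored, so a failed init still sets sshpam_handle_lock_ready = 1; and calling pthread_mutex_init() on a mutex inherited from the parent that was never destroyed (the process_id != getpid() branch) is undefined behaviour under POSIX, where pthread_atfork() child handlers are the usual way to reset a lock after fork.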
@@ -274,20 +337,31 @@ sshpam_cleanup(void) { debug("PAM: cleanup"); - if (sshpam_handle == NULL) - return; - pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv); - if (sshpam_cred_established) { - pam_setcred(sshpam_handle, PAM_DELETE_CRED); - sshpam_cred_established = 0; - } - if (sshpam_session_open) { - pam_close_session(sshpam_handle, PAM_SILENT); - sshpam_session_open = 0; - } - sshpam_authenticated = sshpam_new_authtok_reqd = 0; - pam_end(sshpam_handle, sshpam_err); - sshpam_handle = NULL; + if (grab_pamh(0, NULL) != NULL) { + pam_set_item(grab_pamh(0, NULL), PAM_CONV, (const void *)&null_conv); + if (sshpam_cred_established) { + pam_setcred(grab_pamh(0, NULL), PAM_DELETE_CRED); + sshpam_cred_established = 0; + } + if (sshpam_session_open) { + pam_close_session(grab_pamh(0, NULL), PAM_SILENT); + sshpam_session_open = 0; + } + sshpam_authenticated = sshpam_new_authtok_reqd = 0; + pam_end(grab_pamh(0, NULL), sshpam_err); + grab_pamh(1, NULL); + } +#ifdef USE_POSIX_THREADS + /* Free our pthread structures if it's safe to do so (if they were + * previously initialized and aren't currently in use in our process). + */ + grab_pamh(0, NULL); /* Bleed off traffic (possibly) and update state */ + if (!sshpam_handle_lock_count && sshpam_handle_lock_ready) { + sshpam_handle_lock_ready = 0; + pthread_mutexattr_destroy(&lock_attr); + pthread_mutex_destroy(&sshpam_handle_lock); + } +#endif } static int 
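Review bot: in the sshpam_cleanup() hunk the decision to pthread_mutex_destroy() the lock rests on `if (!sshpam_handle_lock_count && sshpam_handle_lock_ready)`, but sshpam_handle_lock_count is read here without the mutex and is modified by other threads outside it, so a thread can enter grab_pamh() between this check and the destroy and then lock a mutex that no longer exists. The preceding `grab_pamh(0, NULL); /* Bleed off traffic (possibly) and update state */` does not help: it acquires and immediately releases the lock and gives no ordering guarantee against later callers. Destroy the lock only from a point where no other thread can still reach PAM (after the authentication thread has been joined, or at process exit) and drop the counter rather than reading it unsynchronised.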
@@ -296,30 +370,53 @@ extern u_int utmp_len; extern char *__progname; const char *pam_rhost, *pam_user; + pam_handle_t *sshpam_handle_holder; + +#ifdef USE_POSIX_THREADS + /* (Re)initialize our pthread structures if it's safe to do so. Only + * free them if they were previously initialized and they aren't + * currently in use. + */ + if (!process_id) + process_id = getpid(); + grab_pamh(0, NULL); /* Bleed off traffic (possibly) and update state */ + if (!sshpam_handle_lock_count) { + if (sshpam_handle_lock_ready) { + sshpam_handle_lock_ready = 0; + pthread_mutexattr_destroy(&lock_attr); + pthread_mutex_destroy(&sshpam_handle_lock); + } + pthread_mutexattr_init(&lock_attr); + pthread_mutexattr_settype(&lock_attr, PTHREAD_MUTEX_RECURSIVE); + pthread_mutex_init(&sshpam_handle_lock, &lock_attr); + sshpam_handle_lock_ready = 1; + } +#endif - if (sshpam_handle != NULL) { + if (grab_pamh(0, NULL) != NULL) { /* We already have a PAM context; check if the user matches */ - sshpam_err = pam_get_item(sshpam_handle, + sshpam_err = pam_get_item(grab_pamh(0, NULL), PAM_USER, (const void **)&pam_user); if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0) return (0); - pam_end(sshpam_handle, sshpam_err); - sshpam_handle = NULL; + pam_end(grab_pamh(0, NULL), sshpam_err); + grab_pamh(1, NULL); } debug("PAM: initializing for \"%s\"", user); sshpam_err = - pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle); + pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle_holder); + grab_pamh(1, sshpam_handle_holder); if (sshpam_err != PAM_SUCCESS) { - pam_end(sshpam_handle, sshpam_err); - sshpam_handle = NULL; + pam_end(grab_pamh(0, NULL), sshpam_err); + grab_pamh(1, NULL); return (-1); } pam_rhost = get_remote_name_or_ip(utmp_len, options.use_dns); debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost); - sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost); + sshpam_err = pam_set_item(grab_pamh(0, NULL), PAM_RHOST, pam_rhost); if (sshpam_err != PAM_SUCCESS) 
{ - pam_end(sshpam_handle, sshpam_err); - sshpam_handle = NULL; + pam_end(grab_pamh(0, NULL), sshpam_err); + grab_pamh(1, NULL); return (-1); } #ifdef PAM_TTY_KLUDGE @@ -329,10 +426,10 @@ * may not even set one (for tty-less connections) */ debug("PAM: setting PAM_TTY to \"ssh\""); - sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, "ssh"); + sshpam_err = pam_set_item(grab_pamh(0, NULL), PAM_TTY, "ssh"); if (sshpam_err != PAM_SUCCESS) { - pam_end(sshpam_handle, sshpam_err); - sshpam_handle = NULL; + pam_end(grab_pamh(0, NULL), sshpam_err); + grab_pamh(1, NULL); return (-1); } #endif @@ -532,7 +629,7 @@ u_int do_pam_account(void) { - sshpam_err = pam_acct_mgmt(sshpam_handle, 0); + sshpam_err = pam_acct_mgmt(grab_pamh(0, NULL), 0); debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err); if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) @@ -553,15 +650,15 @@ void do_pam_session(void) { - sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, + sshpam_err = pam_set_item(grab_pamh(0, NULL), PAM_CONV, (const void *)&null_conv); if (sshpam_err != PAM_SUCCESS) fatal("PAM: failed to set PAM_CONV: %s", - pam_strerror(sshpam_handle, sshpam_err)); - sshpam_err = pam_open_session(sshpam_handle, 0); + pam_strerror(grab_pamh(0, NULL), sshpam_err)); + sshpam_err = pam_open_session(grab_pamh(0, NULL), 0); if (sshpam_err != PAM_SUCCESS) fatal("PAM: pam_open_session(): %s", - pam_strerror(sshpam_handle, sshpam_err)); + pam_strerror(grab_pamh(0, NULL), sshpam_err)); sshpam_session_open = 1; } 
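Review bot: in the sshpam_init() hunk (@@ -296,30 +370,53 @@) the lock is initialised on two paths: `if (!process_id) process_id = getpid();` followed by `grab_pamh(0, NULL)` already (re)initialises the attr and mutex when the pid has changed, and the block after it destroys and initialises them again whenever sshpam_handle_lock_count is 0, so the same objects are initialised twice on first use. Move the destroy/init sequence into one static helper called from both grab_pamh() and sshpam_init(), which also gives a single place to check the pthread_* return values. Separately, the requirement stated in the cover note that Solaris needs -lpthread in LDFLAGS when USE_POSIX_THREADS is defined should go into the build documentation rather than living only in this message.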
@@ -570,27 +667,27 @@ { if (tty != NULL) { debug("PAM: setting PAM_TTY to \"%s\"", tty); - sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, tty); + sshpam_err = pam_set_item(grab_pamh(0, NULL), PAM_TTY, tty); if (sshpam_err != PAM_SUCCESS) fatal("PAM: failed to set PAM_TTY: %s", - pam_strerror(sshpam_handle, sshpam_err)); + pam_strerror(grab_pamh(0, NULL), sshpam_err)); } } void do_pam_setcred(int init) { - sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, + sshpam_err = pam_set_item(grab_pamh(0, NULL), PAM_CONV, (const void *)&null_conv); if (sshpam_err != PAM_SUCCESS) fatal("PAM: failed to set PAM_CONV: %s", - pam_strerror(sshpam_handle, sshpam_err)); + pam_strerror(grab_pamh(0, NULL), sshpam_err)); if (init) { debug("PAM: establishing credentials"); - sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED); + sshpam_err = pam_setcred(grab_pamh(0, NULL), PAM_ESTABLISH_CRED); } else { debug("PAM: reinitializing credentials"); - sshpam_err = pam_setcred(sshpam_handle, PAM_REINITIALIZE_CRED); + sshpam_err = pam_setcred(grab_pamh(0, NULL), PAM_REINITIALIZE_CRED); } if (sshpam_err == PAM_SUCCESS) { sshpam_cred_established = 1; @@ -598,10 +695,10 @@ } if (sshpam_authenticated) fatal("PAM: pam_setcred(): %s", - pam_strerror(sshpam_handle, sshpam_err)); + pam_strerror(grab_pamh(0, NULL), sshpam_err)); else debug("PAM: pam_setcred(): %s", - pam_strerror(sshpam_handle, sshpam_err)); + pam_strerror(grab_pamh(0, NULL), sshpam_err)); } int 
@@ -676,16 +773,16 @@ if (use_privsep) fatal("Password expired (unable to change with privsep)"); - sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, + sshpam_err = pam_set_item(grab_pamh(0, NULL), PAM_CONV, (const void *)&pam_conv); if (sshpam_err != PAM_SUCCESS) fatal("PAM: failed to set PAM_CONV: %s", - pam_strerror(sshpam_handle, sshpam_err)); + pam_strerror(grab_pamh(0, NULL), sshpam_err)); debug("PAM: changing password"); - sshpam_err = pam_chauthtok(sshpam_handle, PAM_CHANGE_EXPIRED_AUTHTOK); + sshpam_err = pam_chauthtok(grab_pamh(0, NULL), PAM_CHANGE_EXPIRED_AUTHTOK); if (sshpam_err != PAM_SUCCESS) fatal("PAM: pam_chauthtok(): %s", - pam_strerror(sshpam_handle, sshpam_err)); + pam_strerror(grab_pamh(0, NULL), sshpam_err)); } /* @@ -706,7 +803,7 @@ compound = xmalloc(len); snprintf(compound, len, "%s=%s", name, value); - ret = pam_putenv(sshpam_handle, compound); + ret = pam_putenv(grab_pamh(0, NULL), compound); xfree(compound); #endif @@ -724,7 +821,7 @@ { #ifdef HAVE_PAM_GETENVLIST debug("PAM: retrieving environment"); - return (pam_getenvlist(sshpam_handle)); + return (pam_getenvlist(grab_pamh(0, NULL))); #else return (NULL); #endif From John.Armsby at motorola.com Thu Oct 30 08:37:47 2003 
From: John.Armsby at motorola.com (Armsby John-G16665)
Date: Wed, 29 Oct 2003 16:37:47 -0500
Subject: OpenSSH and Redhat 8
Message-ID: <31EF3A450BCED5119D080002A5CE4D91045C9689@ga25exb01.wepd.mot.com>

Jason,

Ran into a little problem. The compiler is complaining about gnome-ssh-askpass2.c errors.

Problems are listed below. Absolutely no output to RPMS/i386 directory.

I am not sure what errors here are relevant. I apologize if the errors are too lengthy.

I did a quick check on my redhat box. Absolutely no default Gnome software development installed.

Is that the answer?

John

+ make gnome-ssh-askpass2 cc `pkg-config --cflags gtk+-2.0` \ gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \ `pkg-config --libs gtk+-2.0` Package gtk+-2.0 was not found in the pkg-config search path. Perhaps you should add the directory containing `gtk+-2.0.pc' to the PKG_CONFIG_PATH environment variable No package 'gtk+-2.0' found Package gtk+-2.0 was not found in the pkg-config search path. Perhaps you should add the directory containing `gtk+-2.0.pc' to the PKG_CONFIG_PATH environment variable No package 'gtk+-2.0' found gnome-ssh-askpass2.c:56:21: gtk/gtk.h: No such file or directory gnome-ssh-askpass2.c:57:22: gdk/gdkx.h: No such file or directory gnome-ssh-askpass2.c: In function `report_failed_grab': gnome-ssh-askpass2.c:62: `GtkWidget' undeclared (first use in this function) gnome-ssh-askpass2.c:62: (Each undeclared identifier is reported only once gnome-ssh-askpass2.c:62: for each function it appears in.)
gnome-ssh-askpass2.c:62: `err' undeclared (first use in this function) gnome-ssh-askpass2.c:65: `GTK_MESSAGE_ERROR' undeclared (first use in this function) gnome-ssh-askpass2.c:66: `GTK_BUTTONS_CLOSE' undeclared (first use in this function) gnome-ssh-askpass2.c:70: `GTK_WIN_POS_CENTER' undeclared (first use in this function) gnome-ssh-askpass2.c:71: invalid type argument of `->' gnome-ssh-askpass2.c:72: `TRUE' undeclared (first use in this function) gnome-ssh-askpass2.c: At top level: gnome-ssh-askpass2.c:80: parse error before '*' token gnome-ssh-askpass2.c: In function `ok_dialog': gnome-ssh-askpass2.c:82: `dialog' undeclared (first use in this function) gnome-ssh-askpass2.c:83: `GTK_RESPONSE_OK' undeclared (first use in this function) gnome-ssh-askpass2.c: In function `passphrase_dialog': gnome-ssh-askpass2.c:92: `GtkWidget' undeclared (first use in this function) gnome-ssh-askpass2.c:92: `dialog' undeclared (first use in this function) gnome-ssh-askpass2.c:92: `entry' undeclared (first use in this function) gnome-ssh-askpass2.c:93: `GdkGrabStatus' undeclared (first use in this function) gnome-ssh-askpass2.c:93: parse error before "status" gnome-ssh-askpass2.c:100: `GTK_MESSAGE_QUESTION' undeclared (first use in this function) gnome-ssh-askpass2.c:101: `GTK_BUTTONS_OK_CANCEL' undeclared (first use in this function) gnome-ssh-askpass2.c:106: invalid type argument of `->' gnome-ssh-askpass2.c:106: `FALSE' undeclared (first use in this function) gnome-ssh-askpass2.c:113: `GTK_WIN_POS_CENTER' undeclared (first use in this function) gnome-ssh-askpass2.c:114: invalid type argument of `->' gnome-ssh-askpass2.c:115: `TRUE' undeclared (first use in this function) gnome-ssh-askpass2.c:118: `GTK_RESPONSE_OK' undeclared (first use in this function) gnome-ssh-askpass2.c:126: `status' undeclared (first use in this function) gnome-ssh-askpass2.c:127: invalid type argument of `->' gnome-ssh-askpass2.c:128: `GDK_CURRENT_TIME' undeclared (first use in this function) 
gnome-ssh-askpass2.c:129: `GDK_GRAB_SUCCESS' undeclared (first use in this function) gnome-ssh-askpass2.c:139: invalid type argument of `->' gnome-ssh-askpass2.c:157: warning: passing arg 1 of `XUngrabServer' makes pointer from integer without a cast gnome-ssh-askpass2.c:164: warning: assignment makes pointer from integer without a cast gnome-ssh-askpass2.c:167: warning: assignment makes pointer from integer without a cast gnome-ssh-askpass2.c:193: warning: passing arg 1 of `XUngrabServer' makes pointer from integer without a cast gnome-ssh-askpass2.c: In function `main': gnome-ssh-askpass2.c:210: warning: assignment makes pointer from integer without a cast gnome-ssh-askpass2.c:212: warning: assignment makes pointer from integer without a cast make: *** [gnome-ssh-askpass2] Error 1 error: Bad exit status from /var/tmp/rpm-tmp.39289 (%build) RPM build errors: user djm does not exist - using root group djm does not exist - using root user djm does not exist - using root group djm does not exist - using root user djm does not exist - using root group djm does not exist - using root Bad exit status from /var/tmp/rpm-tmp.39289 (%build) [root at xena2 src]# -----Original Message----- 
From: Jason McCormick [mailto:jason at devrandom.org]
Sent: Wednesday, October 29, 2003 1:54 PM
To: Armsby John-G16665
Cc: openssh-unix-dev at mindrot.org
Subject: Re: OpenSSH and Redhat 8

John,

The following steps should work for you (or anyone building on a RedHat box):

1) Get the official OpenSSH source RPM from ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/SRPMS/openssh-3.7.1p2-1.src.rpm

2) Do 'rpmbuild --rebuild ./openssh-3.7.1p2-1.src.rpm' from where you saved the file.

3) This should create the following files in /usr/src/redhat/RPMS/i386:
openssh-server-3.7.1p2-1.i386.rpm
openssh-clients-3.7.1p2-1.i386.rpm
openssh-askpass-gnome-3.7.1p2-1.i386.rpm
openssh-askpass-3.7.1p2-1.i386.rpm
openssh-3.7.1p2-1.i386.rpm

4) Invoke 'rpm -Uvh openssh-*.rpm' to install them.

5) Assuming you're using a standard RedHat setup, make sure you edit /etc/ssh/sshd_config to change 'UsePAM' to yes so OpenSSH will look at PAM for user authentication. Note this is a change in behavior from previous OpenSSH installs where PAM was enabled by default.

6) Restart - '/etc/init.d/openssh restart'

That should be all you need with Redhat 8.0. Let me know if you run into more problems. I've CCed this to the mailing list for future reference for all.

--
Jason McCormick
jason at devrandom.org
GPG Key: http://www.devrandom.org/gpgkey.php
GPG Fingerprint: 66C5 2B15 3E34 2B5E 5321 6147 303A DCE6 0A74 A19C

From dtucker at zip.com.au Thu Oct 30 09:10:09 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 30 Oct 2003 09:10:09 +1100
Subject: question on assorted patches
References: <3FA00863.10903@magestower.net>
Message-ID: <3FA03AC1.FCB1EF44@zip.com.au>

The Alchemist wrote:
> I'm trying to put together a starting list of patches required to get
> 3.7.1p2 working in our environment. I'm pretty sure I need the following
> at minimum but would like guidance about a couple of them and direction
> on a couple unanswered questions. I've spent most of the morning
> trolling the archives, but I feel that I've still got gaps in my
> understanding. I would greatly appreciate additional clarification.
>
> My questions are linked as footnotes with numbers in brackets
>
> Our environment:
> - Solaris (2.6, 8) with:
> PAM [1]
> password forced change (both for new accounts and inactivity) [2]

http://www.zip.com.au/~dtucker/openssh/openssh-3.7.1p2-pwexp24.patch

The only issue is currently you won't get warnings (eg "your password will expire in x days") but the expiry should work OK.

> BSM for some hosts [3]

http://bugzilla.mindrot.org/show_bug.cgi?id=125

> Some sparcv9 (64-bit) [4]
> - HP-UX (mostly 11.x)
> PAM
> both trusted and untrusted [5]

http://www.zip.com.au/~dtucker/openssh/openssh-3.7.1p2-hpux.patch

> password forces change like Solaris [6]

Same expiry patch as Solaris above.

> - We're also working on some Linux, but its probably too early to worry
> about it now
>
> So here are my questions/observations:
> - [1] Should work fine w/ --use-pam & UsePam=yes except for [2]
> - [2] I found a patch from Darren, but according to a later post it
> doesn't apply against stock 3.7.1p2.

There's an updated patch now, see link above.

> - [5/6] I've found disturbing comments about issues with trusted. Are
> there any good or trial patches to resolve this? Can anyone fully
> elaborate what the limitations are?

a) sshd didn't correctly handle password authentication for Trusted systems.

We changed it so HP-UX used the normal shadow interface, which caused:

b) sshd thinks the accounts are locked when they're not
c) sshd thinks the passwords expire 1 day after they're changed

Those are fixed in the current development versions and the HP-UX patch above.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From mouring at etoh.eviladmin.org Thu Oct 30 09:26:41 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 29 Oct 2003 16:26:41 -0600 (CST)
Subject: OpenSSH and Redhat 8
In-Reply-To: <31EF3A450BCED5119D080002A5CE4D91045C9689@ga25exb01.wepd.mot.com>
Message-ID:

Extract the package and check the openssh.spec file for:

# Do we want to disable building of gnome-askpass? (1=yes 0=no)
%define no_gnome_askpass 0

If you don't plan on using gnome you should set that to 1, and you can do an rpm -ba openssh.spec on the package.

- Ben

On Wed, 29 Oct 2003, Armsby John-G16665 wrote:

> Jason, > > Ran into a little problem. The compiler is complaining about gnome-ssh-askpass2.c errors. > > Problems are listed below. Absolutely no output to RPMS/i386 directory. > > I am not sure what errors here are relevant. I appologize if the errors are too lengthy. > > I did a quick check on my redhat box. Absolutely no default Gnome software development installed. > > Is that the answer? > > > > John > > + make gnome-ssh-askpass2 > cc `pkg-config --cflags gtk+-2.0` \ > gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \ > `pkg-config --libs gtk+-2.0` > Package gtk+-2.0 was not found in the pkg-config search path. > Perhaps you should add the directory containing `gtk+-2.0.pc' > to the PKG_CONFIG_PATH environment variable > No package 'gtk+-2.0' found > Package gtk+-2.0 was not found in the pkg-config search path. > Perhaps you should add the directory containing `gtk+-2.0.pc' > to the PKG_CONFIG_PATH environment variable > No package 'gtk+-2.0' found > gnome-ssh-askpass2.c:56:21: gtk/gtk.h: No such file or directory > gnome-ssh-askpass2.c:57:22: gdk/gdkx.h: No such file or directory > gnome-ssh-askpass2.c: In function `report_failed_grab': > gnome-ssh-askpass2.c:62: `GtkWidget' undeclared (first use in this function) > gnome-ssh-askpass2.c:62: (Each undeclared identifier is reported only once > gnome-ssh-askpass2.c:62: for each function it appears in.)
> gnome-ssh-askpass2.c:62: `err' undeclared (first use in this function) > gnome-ssh-askpass2.c:65: `GTK_MESSAGE_ERROR' undeclared (first use in this function) > gnome-ssh-askpass2.c:66: `GTK_BUTTONS_CLOSE' undeclared (first use in this function) > gnome-ssh-askpass2.c:70: `GTK_WIN_POS_CENTER' undeclared (first use in this function) > gnome-ssh-askpass2.c:71: invalid type argument of `->' > gnome-ssh-askpass2.c:72: `TRUE' undeclared (first use in this function) > gnome-ssh-askpass2.c: At top level: > gnome-ssh-askpass2.c:80: parse error before '*' token > gnome-ssh-askpass2.c: In function `ok_dialog': > gnome-ssh-askpass2.c:82: `dialog' undeclared (first use in this function) > gnome-ssh-askpass2.c:83: `GTK_RESPONSE_OK' undeclared (first use in this function) > gnome-ssh-askpass2.c: In function `passphrase_dialog': > gnome-ssh-askpass2.c:92: `GtkWidget' undeclared (first use in this function) > gnome-ssh-askpass2.c:92: `dialog' undeclared (first use in this function) > gnome-ssh-askpass2.c:92: `entry' undeclared (first use in this function) > gnome-ssh-askpass2.c:93: `GdkGrabStatus' undeclared (first use in this function) > gnome-ssh-askpass2.c:93: parse error before "status" > gnome-ssh-askpass2.c:100: `GTK_MESSAGE_QUESTION' undeclared (first use in this function) > gnome-ssh-askpass2.c:101: `GTK_BUTTONS_OK_CANCEL' undeclared (first use in this function) > gnome-ssh-askpass2.c:106: invalid type argument of `->' > gnome-ssh-askpass2.c:106: `FALSE' undeclared (first use in this function) > gnome-ssh-askpass2.c:113: `GTK_WIN_POS_CENTER' undeclared (first use in this function) > gnome-ssh-askpass2.c:114: invalid type argument of `->' > gnome-ssh-askpass2.c:115: `TRUE' undeclared (first use in this function) > gnome-ssh-askpass2.c:118: `GTK_RESPONSE_OK' undeclared (first use in this function) > gnome-ssh-askpass2.c:126: `status' undeclared (first use in this function) > gnome-ssh-askpass2.c:127: invalid type argument of `->' > gnome-ssh-askpass2.c:128: 
`GDK_CURRENT_TIME' undeclared (first use in this function) > gnome-ssh-askpass2.c:129: `GDK_GRAB_SUCCESS' undeclared (first use in this function) > gnome-ssh-askpass2.c:139: invalid type argument of `->' > gnome-ssh-askpass2.c:157: warning: passing arg 1 of `XUngrabServer' makes pointer from integer without a cast > gnome-ssh-askpass2.c:164: warning: assignment makes pointer from integer without a cast > gnome-ssh-askpass2.c:167: warning: assignment makes pointer from integer without a cast > gnome-ssh-askpass2.c:193: warning: passing arg 1 of `XUngrabServer' makes pointer from integer without a cast > gnome-ssh-askpass2.c: In function `main': > gnome-ssh-askpass2.c:210: warning: assignment makes pointer from integer without a cast > gnome-ssh-askpass2.c:212: warning: assignment makes pointer from integer without a cast > make: *** [gnome-ssh-askpass2] Error 1 > error: Bad exit status from /var/tmp/rpm-tmp.39289 (%build) > > > RPM build errors: > user djm does not exist - using root > group djm does not exist - using root > user djm does not exist - using root > group djm does not exist - using root > user djm does not exist - using root > group djm does not exist - using root > Bad exit status from /var/tmp/rpm-tmp.39289 (%build) > [root at xena2 src]# > > > -----Original Message----- 
> From: Jason McCormick [mailto:jason at devrandom.org] > Sent: Wednesday, October 29, 2003 1:54 PM > To: Armsby John-G16665 > Cc: openssh-unix-dev at mindrot.org > Subject: Re: OpenSSH and Redhat 8 > > > John, > > The following steps should work for you (or anyone buildling on a > RedHat box): > > 1) Get the official OpenSSH source RPM from > ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/SRPMS/openssh-3.7.1p2-1.src.rpm > > 2) Do 'rpmbuild --rebuild ./openssh-3.7.1p2-1.src.rpm' from where you > saved the file. > > 3) This should create the following files in /usr/src/redhat/RPMS/i386: > openssh-server-3.7.1p2-1.i386.rpm > openssh-clients-3.7.1p2-1.i386.rpm > openssh-askpass-gnome-3.7.1p2-1.i386.rpm > openssh-askpass-3.7.1p2-1.i386.rpm > openssh-3.7.1p2-1.i386.rpm > > 4) Invoke 'rpm -Uvh openssh-*.rpm' to install them. > > 5) Assuming you're using a standard RedHat setup, make sure you edit > /etc/ssh/sshd_config to change 'UsePAM' to yes so OpenSSH will look at > PAM for user authentication. Note this is a change in behavior from > previous OpenSSH installs where PAM was enabled by default. > > 6) Restart - '/etc/init.d/openssh restart' > > That should be all you need with Redhat 8.0. Let me know if you run > into more problems. I've CCed this to the mailing list for future > reference for all. > > -- > Jason McCormick > jason at devrandom.org > GPG Key: http://www.devrandom.org/gpgkey.php > GPG Fingerprint: 66C5 2B15 3E34 2B5E 5321 6147 303A DCE6 0A74 A19C > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From dtucker at zip.com.au Thu Oct 30 09:39:55 2003 
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 30 Oct 2003 09:39:55 +1100
Subject: OpenSSH and Redhat 8
References: <31EF3A450BCED5119D080002A5CE4D91045C9689@ga25exb01.wepd.mot.com>
Message-ID: <3FA041BB.4E6C6ECC@zip.com.au>

Armsby John-G16665 wrote:
> Ran into a little problem. The compiler is complaining about
> gnome-ssh-askpass2.c errors.
[snip]
>
> I did a quick check on my redhat box. Absolutely no default Gnome software
> development installed. Is that the answer?

Probably.

> No package 'gtk+-2.0' found
> gnome-ssh-askpass2.c:56:21: gtk/gtk.h: No such file or directory
> gnome-ssh-askpass2.c:57:22: gdk/gdkx.h: No such file or directory

This is the root cause. You need to install the gtk*-devel-2.*.rpm packages.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From jason at devrandom.org Thu Oct 30 10:05:00 2003
From: jason at devrandom.org (Jason McCormick)
Date: Wed, 29 Oct 2003 18:05:00 -0500
Subject: OpenSSH and Redhat 8
In-Reply-To: <31EF3A450BCED5119D080002A5CE4D91045C9689@ga25exb01.wepd.mot.com>
References: <31EF3A450BCED5119D080002A5CE4D91045C9689@ga25exb01.wepd.mot.com>
Message-ID: <200310291805.00471.jason@devrandom.org>

> Ran into a little problem. The compiler is complaining about
> gnome-ssh-askpass2.c errors.

You don't have GTK/GTK2 so you need to build w/o askpass. Call rpmbuild like so:

% rpmbuild --rebuild --define 'skip_gnome_askpass 1'

Similarly if you have GTK but not GTK2 you can just say

% rpmbuild --rebuild --define 'no_gtk2 1'

(I think that option won't be there until 3.8 though)

--
Jason McCormick
jason at devrandom.org
GPG Key: http://www.devrandom.org/gpgkey.php
GPG Fingerprint: 66C5 2B15 3E34 2B5E 5321 6147 303A DCE6 0A74 A19C

From djm at mindrot.org Thu Oct 30 11:09:14 2003
From: djm at mindrot.org (Damien Miller)
Date: Thu, 30 Oct 2003 11:09:14 +1100
Subject: Fix for USE_POSIX_THREADS in auth-pam.c
In-Reply-To:
References:
Message-ID: <3FA056AA.9060106@mindrot.org>

Steven Michaud wrote:
> For example, Christian Pfaffel posted a patch to this list on 9-17
> with hacks to force Kerberos credentials to disk and to use
> ssh_msg_send() to send the PAM environment from the child process to
> the parent. (His patch was in an attachment and got dropped. But
> fortunately he re-posted his message to the MIT Kerberos newsgroup a
> few days later, and this time the attachment came through --
> http://diswww.mit.edu:8008/menelaus.mit.edu/kerberos/19973.)

Please try the one at http://bugzilla.mindrot.org/show_bug.cgi?id=717

It has been sitting there with little feedback for a while.

> In fact this solution works just fine (as long as your OS has support
> for POSIX threads). But a small change was required to the "thread"
> code in auth-pam.c: The man pages for Linux PAM (also used on
> Darwin/OS X) and Solaris PAM say that PAM isn't thread safe unless
> each thread uses a different PAM handle. But that's useless for us --
> we need both threads to share a single PAM handle. Instead we should
> use a mutex to prevent the single handle from being used by more than
> a single thread at a time.

We won't be supporting threads, they add way more complexity than they solve. The code is still there because some people may want to use it, at their own risk.

I'd prefer to explicitly export state from the PAM child back to the parent (hidden state is a bad idea, especially in a security API). Getting the above patch reviewed would be a start in this direction.

-d

From picasso at madflower.com Thu Oct 30 17:09:28 2003
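An added example in C, written for this thread and not code from OpenSSH or from the bugzilla 717 patch, showing the explicit child-to-parent state export that Damien Miller's reply above prefers over sharing a PAM handle between threads: the forked authentication child serialises its PAM environment into a length-prefixed body, writes it over a socketpair, and the parent checks every length before accepting a single entry. The environment list, the size limits and the function names are assumptions made for this example; libpam is not used, the list is a constructed stand-in for what pam_getenvlist() would return.

```c
/* Added example (not OpenSSH code): return the PAM environment a forked auth child
 * built to the parent explicitly, as a length-prefixed body like the ones
 * ssh_msg_send()/ssh_msg_recv() carry. The child's environment is a constructed
 * char ** standing in for pam_getenvlist(); libpam is not linked. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

#define MAX_MSG     65536          /* both limits are choices made for this example */
#define MAX_ENTRIES 1024

static void put_u32(unsigned char *p, uint32_t v)
{ p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = (unsigned char)v; }
static uint32_t get_u32(const unsigned char *p)
{ return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

void pam_env_free(char **env)
{
    for (size_t i = 0; env != NULL && env[i] != NULL; i++) free(env[i]);
    free(env);
}

/* Body: [u32 count] then per entry [u32 len][len bytes of "NAME=VALUE"].
 * Returns bytes written, or -1 if the list does not fit in buf. */
ssize_t pam_env_pack(char **env, unsigned char *buf, size_t buflen)
{
    size_t off = 4, l; uint32_t n = 0;
    if (buflen < 4) return -1;
    for (; env != NULL && env[n] != NULL; n++, off += 4 + l) {
        if ((l = strlen(env[n])) > UINT32_MAX || buflen - off < 4 || buflen - off - 4 < l) return -1;
        put_u32(buf + off, (uint32_t)l);
        memcpy(buf + off + 4, env[n], l);
    }
    put_u32(buf, n);
    return (ssize_t)off;
}

/* Each length is checked against the bytes that remain and each entry must look
 * like NAME=VALUE, so a malformed or truncated body yields NULL, never an
 * over-read; bytes left over after the last entry are rejected as well. */
char **pam_env_unpack(const unsigned char *buf, size_t len)
{
    uint32_t n, l, i; size_t off = 4; char **env;
    if (len < 4 || (n = get_u32(buf)) > MAX_ENTRIES) return NULL;
    if ((env = calloc((size_t)n + 1, sizeof *env)) == NULL) return NULL;
    for (i = 0; i < n; i++, off += l) {
        if (len - off < 4) goto bad;
        l = get_u32(buf + off); off += 4;
        if (l == 0 || l > len - off || buf[off] == '=' ||
            memchr(buf + off, '=', l) == NULL || memchr(buf + off, '\0', l) != NULL) goto bad;
        if ((env[i] = malloc((size_t)l + 1)) == NULL) goto bad;
        memcpy(env[i], buf + off, l); env[i][l] = '\0';
    }
    if (off == len) return env;
bad:
    pam_env_free(env);
    return NULL;
}

/* Parent side. The child is where pam_authenticate() would run; here it only packs
 * child_env, writes it to its end of the socketpair and exits; the parent reads
 * until EOF. Returns the parent's own copy of the list, or NULL if it was bad. */
char **pam_env_via_fork(char **child_env)
{
    int sv[2], status; pid_t pid; ssize_t r;
    unsigned char *buf; size_t got = 0; char **env = NULL;
    if ((buf = malloc(MAX_MSG)) == NULL) return NULL;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1 || (pid = fork()) == -1) { free(buf); return NULL; }
    if (pid == 0) {                                 /* child */
        ssize_t n = pam_env_pack(child_env, buf, MAX_MSG);
        close(sv[0]);
        for (unsigned char *p = buf; n > 0; p += r, n -= r)
            if ((r = write(sv[1], p, (size_t)n)) <= 0) _exit(1);
        _exit(n == 0 ? 0 : 1);
    }
    close(sv[1]);                                   /* parent */
    while ((r = read(sv[0], buf + got, MAX_MSG - got)) > 0) got += (size_t)r;
    if (r == 0) env = pam_env_unpack(buf, got);
    close(sv[0]);
    free(buf);
    waitpid(pid, &status, 0);
    return env;
}

/* Constructed sample of what the child might have established. */
static char *sample_env[] = { "KRB5CCNAME=FILE:/tmp/krb5cc_example", "MAIL=/var/mail/example", NULL };

/* Round trip through fork: number of entries received, or -1 if anything differs. */
int pam_env_roundtrip_demo(void)
{
    char **got = pam_env_via_fork(sample_env);
    int i = 0, ok = got != NULL;
    for (; ok && sample_env[i] != NULL; i++)
        ok = got[i] != NULL && strcmp(got[i], sample_env[i]) == 0;
    ok = ok && got[i] == NULL;
    pam_env_free(got);
    return ok ? i : -1;
}
```

The length checks in pam_env_unpack() are the point: the parent treats the child's message as untrusted input even though both run with the same credentials, so a PAM module that misbehaves in the child can at worst make the parent drop the environment, never overrun a buffer. Other state the thread mentions (a Kerberos credential cache name, for instance) fits the same body by adding a type field per entry.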
From: picasso at madflower.com (Sean O'Malley) Date: Thu, 30 Oct 2003 01:09:28 -0500 (EST) Subject: Fix for USE_POSIX_THREADS in auth-pam.c In-Reply-To: <3FA056AA.9060106@mindrot.org> Message-ID: On Thu, 30 Oct 2003, Damien Miller wrote: > Steven Michaud wrote: > > > For example, Christian Pfaffel posted a patch to this list on 9-17 > > with hacks to force Kerberos credentials to disk and to use > > ssh_msg_send() to send the PAM environment from the child process to > > the parent. (His patch was in an attachment and got dropped. But > > fortunately he re-posted his message to the MIT Kerberos newsgroup a > > few days later, and this time the attachment came through -- > > http://diswww.mit.edu:8008/menelaus.mit.edu/kerberos/19973.) > > Please try the one at http://bugzilla.mindrot.org/show_bug.cgi?id=717 > > It has been sitting there with little feedback for a while. I tried this a while ago and it still didn't work. > > In fact this solution works just fine (as long as your OS has support > > for POSIX threads). But a small change was required to the "thread" > > code in auth-pam.c: The man pages for Linux PAM (also used on > > Darwin/OS X) and Solaris PAM say that PAM isn't thread safe unless > > each thread uses a different PAM handle. But that's useless for us -- > > we need both threads to share a single PAM handle. Instead we should > > use a mutex to prevent the single handle from being used by more than > > a single thread at a time. > > We won't be supporting threads, they add way more complexity then they > solve. The code is still ethere because some people may want to use it, > at their own risk. It doesn't sound like this patch is supporting threads in PAM persay. I mean literally from the sounds of the patch. It is not threaded. Thus doesn't break.. > I'd prefer to explicitly export state from the PAM child back to the > parent (hidden state is a bad idea, especially in a security API). 
> Getting the above patch reviewed would be a start in this direction.

Is this even going to work with things like AFS and Kerberos? I am not
seeing how this is going to work at all since copying the state goes
against what AFS does with pags (I assume kerberos works extremely
similarly). Kudos to you if you do, but in the meantime we need something
that works. We can ill afford to have release versions of OpenSSH just
not work especially when the newer versions cover vulnerabilities.

I really am also not seeing the vulnerability as to why you _need_ to
copy the child to the parent. I mean literally if a pam module is
allowing certain illegal behavior. It isn't the fault of SSH. If someone
gains root access to change the pam modules you are fried anyway. What am
I missing besides an out of the box release of OpenSSH that actually
works with PAM the way it is supposed to?

From vinschen at redhat.com Thu Oct 30 21:20:02 2003
From: vinschen at redhat.com (Corinna Vinschen)
Date: Thu, 30 Oct 2003 11:20:02 +0100
Subject: [PATCH] contrib/cygwin/ssh-host-config: Fix a CRLF/LF issue
Message-ID: <20031030102002.GA3205@cygbert.vinschen.de>

Hi,

could somebody apply the below patch to contrib/cygwin/ssh-host-config?

The patch solves a problem with the way the Windows pendant of the
/etc/services file is used. This file has (obviously) CRLF line endings.
The ssh-host-config file tries to accommodate that when adding the ssh
service entries but I never reviewed this functionality in the light of
some major changes in the Cygwin DLL. The result is that on recent Cygwin
releases (with "recent" probably around a year or so), the script fails
under specific conditions to create CRLF line endings, just adding these
entries with LFs.

Funny enough, the related Winsock functions getservbyname and
getservbyport have no problems reading these entries on all versions of
Windows... except on the good old Windows 95, which tends to SEGV when
trying to read these entries. Oh boy...

Anyway, the below patch to ssh-host-config accomplishes CRLFs again under
all conditions.

Thanks in advance,
Corinna

Index: contrib/cygwin/ssh-host-config
===================================================================
RCS file: /cvs/openssh_cvs/contrib/cygwin/ssh-host-config,v
retrieving revision 1.11
diff -p -u -r1.11 ssh-host-config
--- contrib/cygwin/ssh-host-config	22 Sep 2003 02:32:01 -0000	1.11
+++ contrib/cygwin/ssh-host-config	30 Oct 2003 10:18:22 -0000
@@ -468,19 +468,21 @@ then fi # Care for services file +_my_etcdir="/ssh-host-config.$$" if [ $_nt -gt 0 ] then - _wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services" - _wserv_tmp="${SYSTEMROOT}\\system32\\drivers\\etc\\srv.out.$$" + _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" + _services="${_my_etcdir}/services" else - _wservices="${WINDIR}\\SERVICES" - _wserv_tmp="${WINDIR}\\SERV.$$" + _win_etcdir="${WINDIR}" + _services="${_my_etcdir}/SERVICES" fi -_services=`cygpath -u "${_wservices}"` -_serv_tmp=`cygpath -u "${_wserv_tmp}"` +_serv_tmp="${_my_etcdir}/srv.out.$$" -mount -t -f "${_wservices}" "${_services}" -mount -t -f "${_wserv_tmp}" "${_serv_tmp}" +mount -t -f "${_win_etcdir}" "${_my_etcdir}" + +# Depends on the above mount +_wservices=`cygpath -w "${_services}"` # Remove sshd 22/port from services if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] @@ -490,13 +492,13 @@ then then if mv "${_serv_tmp}" "${_services}" then - echo "Removing sshd from ${_services}" + echo "Removing sshd from ${_wservices}" else - echo "Removing sshd from ${_services} failed\!" + echo "Removing sshd from ${_wservices} failed\!" fi rm -f "${_serv_tmp}" else - echo "Removing sshd from ${_services} failed\!" + echo "Removing sshd from ${_wservices} failed\!" fi fi @@ -508,18 +510,17 @@ then then if mv "${_serv_tmp}" "${_services}" then - echo "Added ssh to ${_services}" + echo "Added ssh to ${_wservices}" else - echo "Adding ssh to ${_services} failed\!" + echo "Adding ssh to ${_wservices} failed\!" fi rm -f "${_serv_tmp}" else - echo "Adding ssh to ${_services} failed\!" + echo "Adding ssh to ${_wservices} failed\!" fi fi -umount "${_services}" -umount "${_serv_tmp}" +umount "${_my_etcdir}" # Care for inetd.conf file _inetcnf="${SYSCONFDIR}/inetd.conf" -- Corinna Vinschen Cygwin Developer Red Hat, Inc. From matter at sover.net Fri Oct 31 00:15:48 2003 
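Review bot: the `mount -t -f "${_win_etcdir}" "${_my_etcdir}"` in the first hunk is only undone by the `umount "${_my_etcdir}"` in the last hunk, so any exit between the two (a failed `mv`, an interrupted run) leaves a text-mode mount of the Windows etc directory in the Cygwin mount table under a `/ssh-host-config.$$` name that no later run will clean up. Register the cleanup right after the mount, for instance `trap 'umount "${_my_etcdir}"' 0`, or add the umount to the failure branches as well.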
From: matter at sover.net (Matt Richards)
Date: Thu, 30 Oct 2003 08:15:48 -0500 (EST)
Subject: AIX patch for openssh-3.7.1p2

> I take it your issue is that your failed logins aren't being recorded
> for AFS/DFS?
>
> The call to setauthdb is needed for correct recording of successful and
> failed logins for some authentication types (eg LDAP).
>
> I can see two possibilities:
> 1) Call loginfailed (and loginsuccess) twice when the authentication DB
> isn't FILES, once with setauthdb(FILES) and once with
> setauthdb(whatever).

I misspoke. The problem actually is privilege separation and setauthdb.
setauthdb requires root, sshd is not running as root during privilege
separation, so the authentication fails.

> I can't follow the changes to configure (which is a machine-generated
> file). What is the issue with the loginfailed test? Could you post a
> patch against configure.ac, which is what autoconf uses to generate
> configure? (preferably "diff -u").

The problem here is the configure test of:

#ifndef loginfailed
char *p = (char *) loginfailed;
#endif

loginfailed is not defined by the compiler and is picked up during the
linking phase. The patch that I put in tests the linking phase rather
than the compiling phase. The code above will always fail on AIX.

> Any particular reason you added wtmp?

AIX has an odd setup for wtmp. I originally patched the 1.2.27 version
of ssh to use AIX's loginsuccess and loginfailed which will take care of
wtmp and lastlog. It seems that openssh-3.7.1 changed it and put it under
CUSTOM_FAILED_LOGIN define. Defining CUSTOM_FAILED_LOGIN, works for this
version.

From ghayes at usi.net Fri Oct 31 01:49:37 2003
From: ghayes at usi.net (Greg.Hayes)
Date: Thu, 30 Oct 2003 09:49:37 -0500 (EST)
Subject: sftp client reget reput

we have implemented this function for 3.1p1, and have been using it in
production since May 2002. The patch has been ported to 3.7.1p2, we have
been using it in 3.7.1p2 for a while, if anyone is interested, here it is.

This is the same patch David Bradford talked about on 2002-06-05

Regards,

Greg Hayes

diff -u -r openssh-3.7.1p2/sftp-client.c openssh-3.7.1p2_sftp/sftp-client.c --- openssh-3.7.1p2/sftp-client.c 2003-07-02 22:46:57.000000000 -0500 +++ openssh-3.7.1p2_sftp/sftp-client.c 2003-10-16 10:09:51.000000000 -0500 @@ -735,8 +735,13 @@ } int +#ifdef REGET +do_download(struct sftp_conn *conn, char *remote_path, char *local_path, + int pflag, int rflag) +#else do_download(struct sftp_conn *conn, char *remote_path, char *local_path, int pflag) +#endif { Attrib junk, *a; Buffer msg; @@ -798,8 +803,17 @@ return(-1); } - local_fd = open(local_path, O_WRONLY | O_CREAT | O_TRUNC, - mode | S_IWRITE); +#ifdef REGET + if (rflag) + local_fd = open(local_path, O_WRONLY, mode | S_IWRITE); + else { + local_fd = open(local_path, O_WRONLY | O_CREAT | O_TRUNC, + mode | S_IWRITE); + } +#else + local_fd = open(local_path, O_WRONLY | O_CREAT | O_TRUNC, + mode | S_IWRITE); +#endif if (local_fd == -1) { error("Couldn't open local file \"%s\" for writing: %s", local_path, strerror(errno)); @@ -810,6 +821,16 @@ /* Read from remote and write to local */ write_error = read_error = write_errno = num_req = offset = 0; + +#ifdef REGET + if (rflag) { + long posn; + posn = lseek(local_fd, 0L, SEEK_END); + debug3("reget: restarting at file position %ld\n", posn); + offset = (u_int64_t)posn; + } +#endif + max_req = 1; progress_counter = 0;
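Review bot: the reget block in the third do_download() hunk keeps the lseek() result in a `long` and casts it to u_int64_t without checking for failure, so a failed seek (-1) becomes a restart offset of 2^64-1 and, on a 32-bit build, a local file beyond LONG_MAX is misreported. Declare `posn` as `off_t`, test `if (posn == (off_t)-1)` and return an error before assigning `offset`, as the reput path in do_upload() already does for its own lseek(). Dropping O_CREAT for `rflag` also means a missing local file fails instead of starting from zero, which is probably intended but deserves a clearer error than "Couldn't open local file".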
@@ -969,8 +990,13 @@ } int +#ifdef REGET +do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, + int pflag, int rflag) +#else do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, int pflag) +#endif { int local_fd, status; u_int handle_len, id, type; @@ -1023,6 +1049,13 @@ buffer_put_char(&msg, SSH2_FXP_OPEN); buffer_put_int(&msg, id); buffer_put_cstring(&msg, remote_path); + +#ifdef REGET + if(rflag) + buffer_put_int(&msg, SSH2_FXF_WRITE); + else +#endif + buffer_put_int(&msg, SSH2_FXF_WRITE|SSH2_FXF_CREAT|SSH2_FXF_TRUNC); encode_attrib(&msg, &a); send_msg(conn->fd_out, &msg); @@ -1041,7 +1074,44 @@ data = xmalloc(conn->transfer_buflen); /* Read from local and write to remote */ +#ifdef REGET + if(rflag) { + Attrib *attrs; + if (!(attrs = do_fstat(conn, handle, handle_len, 0))) { + error("read size of \"%s\": %s", + local_path, strerror(errno)); + close(local_fd); + buffer_free(&msg); + return(-1); + } + if (!(attrs->flags & SSH2_FILEXFER_ATTR_SIZE)) { + error("read size of %s: size was not given\n", local_path); + close(local_fd); + buffer_free(&msg); + return(-1); + } + offset = attrs->size; + debug3("reput: restarting at file position %d\n", (int)offset); + if (offset > LONG_MAX) { + error("reput: remote file is larger than we can deal with\n"); + close(local_fd); + buffer_free(&msg); + return(-1); + } + if(lseek(local_fd, offset, SEEK_SET) == -1) { + error("seek on local file %s failed: %s\n", local_path, strerror(errno)); + close(local_fd); + buffer_free(&msg); + return(-1); + } + /* if (lseek(local_fd, offset, SEEK_SET) != 0) + lseek(local_fd, 0, SEEK_END); */ + } else { + offset = 0; + } +#else offset = 0; +#endif if (showprogress) start_progress_meter(local_path, sb.st_size, &offset); else diff -u -r openssh-3.7.1p2/sftp-client.h openssh-3.7.1p2_sftp/sftp-client.h --- openssh-3.7.1p2/sftp-client.h 2002-09-11 18:54:26.000000000 -0500 +++ openssh-3.7.1p2_sftp/sftp-client.h 2003-10-16 10:11:34.000000000 -0500 
@@ -96,12 +96,24 @@ * Download 'remote_path' to 'local_path'. Preserve permissions and times * if 'pflag' is set */ + +/* undef this to completely remove the reget functionality */ +#define REGET + +#ifdef REGET +int do_download(struct sftp_conn *, char *, char *, int, int); +#else int do_download(struct sftp_conn *, char *, char *, int); +#endif /* * Upload 'local_path' to 'remote_path'. Preserve permissions and times * if 'pflag' is set */ +#ifdef REGET +int do_upload(struct sftp_conn *, char *, char *, int, int); +#else int do_upload(struct sftp_conn *, char *, char *, int); +#endif #endif diff -u -r openssh-3.7.1p2/sftp-int.c openssh-3.7.1p2_sftp/sftp-int.c --- openssh-3.7.1p2/sftp-int.c 2003-09-23 04:24:21.000000000 -0500 +++ openssh-3.7.1p2_sftp/sftp-int.c 2003-10-16 10:52:02.000000000 -0500 @@ -82,6 +82,11 @@ #define I_VERSION 22 #define I_PROGRESS 23 +#ifdef REGET +# define I_REGET 24 +# define I_REPUT 25 +#endif + struct CMD { const char *c; const int n; @@ -118,6 +123,10 @@ { "rmdir", I_RMDIR }, { "symlink", I_SYMLINK }, { "version", I_VERSION }, +#ifdef REGET + { "reget", I_REGET }, + { "reput", I_REPUT }, +#endif { "!", I_SHELL }, { "?", I_HELP }, { NULL, -1} @@ -134,6 +143,9 @@ printf("chown own path Change owner of file 'path' to 'own'\n"); printf("help Display this help text\n"); printf("get remote-path [local-path] Download file\n"); +#ifdef REGET + printf("reget remote-path [local-path] Resume an interupted download\n"); +#endif printf("lls [ls-options [path]] Display local directory listing\n"); printf("ln oldpath newpath Symlink remote file\n"); printf("lmkdir path Create local directory\n"); 
@@ -143,6 +155,9 @@ printf("mkdir path Create remote directory\n"); printf("progress Toggle display of progress meter\n"); printf("put local-path [remote-path] Upload file\n"); +#ifdef USI_MODS + printf("reput local-path [remote-path] Resume an interupted upload\n"); +#endif printf("pwd Display remote working directory\n"); printf("exit Quit sftp\n"); printf("quit Quit sftp\n"); @@ -430,7 +445,11 @@ } static int +#ifdef REGET +process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, int pflag, int rflag) +#else process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, int pflag) +#endif { char *abs_src = NULL; char *abs_dst = NULL; @@ -482,7 +501,11 @@ abs_dst = tmp; printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); +#ifdef REGET + if (do_download(conn, g.gl_pathv[i], abs_dst, pflag, rflag) == -1) +#else if (do_download(conn, g.gl_pathv[i], abs_dst, pflag) == -1) +#endif err = -1; xfree(abs_dst); abs_dst = NULL; @@ -497,7 +520,11 @@ } static int +#ifdef REGET +process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, int pflag, int rflag) +#else process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, int pflag) +#endif { char *tmp_dst = NULL; char *abs_dst = NULL; @@ -557,7 +584,11 @@ abs_dst = make_absolute(tmp, pwd); printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst); +#ifdef REGET + if (do_upload(conn, g.gl_pathv[i], abs_dst, pflag, rflag) == -1) +#else if (do_upload(conn, g.gl_pathv[i], abs_dst, pflag) == -1) +#endif err = -1; } @@ -789,6 +820,10 @@ switch (cmdnum) { case I_GET: case I_PUT: +#ifdef REGET + case I_REGET: + case I_REPUT: +#endif if (parse_getput_flags(&cp, pflag)) return(-1); /* Get first pathname (mandatory) */ 
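Review bot: the help line for reput in the second help-text hunk is guarded by `#ifdef USI_MODS` while every other part of the patch uses `#ifdef REGET`, so `reput` is registered in the command table and works but is never listed by `help`; change the guard to `REGET`. Both new help lines also misspell "interrupted".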
@@ -921,10 +956,24 @@ err = -1; break; case I_GET: +#ifdef REGET + err = process_get(conn, path1, path2, *pwd, pflag, 0); +#else err = process_get(conn, path1, path2, *pwd, pflag); +#endif break; case I_PUT: +#ifdef REGET + err = process_put(conn, path1, path2, *pwd, pflag, 0); + break; + case I_REGET: + err = process_get(conn, path1, path2, *pwd, pflag, 1); + break; + case I_REPUT: + err = process_put(conn, path1, path2, *pwd, pflag, 1); +#else err = process_put(conn, path1, path2, *pwd, pflag); +#endif break; case I_RENAME: path1 = make_absolute(path1, *pwd); From smichaud at pobox.com Fri Oct 31 03:31:46 2003 
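Review bot: the reput block in do_upload() takes the remote file's size as the restart offset without comparing it with the local size (`sb.st_size`, already passed to start_progress_meter() a few lines below); if the remote copy is larger than the local one the lseek() past end-of-file succeeds, the read loop ends immediately and the command reports success without having verified anything. Refuse to resume when `offset > (u_int64_t)sb.st_size`, drop the commented-out lseek() fallback, and remove the `(int)offset` cast in the debug3() call, which truncates the value it is meant to report.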
From: smichaud at pobox.com (Steven Michaud)
Date: Thu, 30 Oct 2003 10:31:46 -0600 (CST)
Subject: Fix for USE_POSIX_THREADS in auth-pam.c

> Please try the one at http://bugzilla.mindrot.org/show_bug.cgi?id=717

I've just done so. Like others who posted comments to the same URI, I
found that it "doesn't work". (I'll explain how below, and suggest a
fix.)

Your patch is functionally equivalent to part of Christian Pfaffel's
patch to auth-pam.c -- the part that copies the PAM environment from the
child process to the parent process. But you don't do anything to force
the export of user credentials while still in the child ... which
explains why your patch "doesn't work" for users of pam_krb5:

Pam_krb5's pam_sm_setcred() function recovers and exports to disk the
Kerberos credentials that were created in pam_sm_authenticate() (and
stored to PAM's internal state by a call to pam_set_data()), then sets
the KRB5CCNAME variable (in the PAM environment) to point to the cache
file. You can trigger this by a call to do_pam_setcred() in OpenSSH.
But it must be done while still in the child process where PAM
authentication took place -- the internal state where the Kerberos
credentials were stored (by pam_set_data()) is only present in the
child, not in the parent.

Your patch can be fixed (for users of pam_krb5) by adding a call to
do_pam_setcred(0) at line 288 of auth-pam.c (as patched by you).

By the way, I performed my tests of your patch on Solaris 8. I kept the
tests as simple as possible -- my "configure" options were
"--with-ssl-dir=/usr/local/ssl --with-pam" (so I didn't compile in
GSSAPI support).
The three lines in my pam.conf that governed OpenSSH were as follows:

sshd auth requisite pam_authtok_get.so.1
sshd auth sufficient pam_krb5.so.1 use_first_pass
sshd auth sufficient pam_unix_auth.so.1

When using your patch without the call to do_pam_setcred(0), I could
connect using my "Kerberos password", but no credentials file was
created and the KRB5CCNAME variable wasn't set. Adding the call to
do_pam_setcred(0) fixed both of these problems.

> We won't be supporting threads, they add way more complexity than
> they solve.

I actually think the PAM-state problem is a textbook example of what
threads are good for -- allowing multiple lines of execution to easily
share the same process state.

It's true that multi-threaded programming is tricky, and has a steep
learning curve. But I don't believe it's any harder than programming
multiple processes. It's just a question of what you're used to (in my
case I got into multiple threads before I got into multiple processes).

That said, OpenSSH would need quite a few changes before multiple
threads could be used everywhere -- in particular, you'd need to get rid
of a lot of your global variables. And using multiple threads in just
one small part of OpenSSH increases the possibility that someone will
inadvertently tie them in knots :-)

So I can understand your reluctance to start using threads.

> The code is still there because some people may want to use it, at
> their own risk.

Like I said, I understand why this code isn't turned on by default. But
in its current state anyone who tries to use it will shoot themselves in
the foot. Couldn't you include my patch for the sake of those who are
willing to experiment?

> I'd prefer to explicitly export state from the PAM child back to the
> parent (hidden state is a bad idea, especially in a security API).

A PAM implementation is (in effect) a security program. Like OpenSSH,
you can use it without fully understanding what it does ...
as long as you trust the programmers sufficiently. Calling it a black
box isn't a valid criticism -- so is everything you're not currently
paying attention to.

It's true that PAM is insufficiently specified, and that its
configuration "language" is both too complex and not powerful enough.
But there are some things that are very difficult to do without it --
like using several different authentication methods simultaneously, or
translating credentials from one type to another.

Damien Miller wrote:

> Steven Michaud wrote:
>
> > For example, Christian Pfaffel posted a patch to this list on 9-17
> > with hacks to force Kerberos credentials to disk and to use
> > ssh_msg_send() to send the PAM environment from the child process
> > to the parent. (His patch was in an attachment and got dropped.
> > But fortunately he re-posted his message to the MIT Kerberos
> > newsgroup a few days later, and this time the attachment came
> > through --
> > http://diswww.mit.edu:8008/menelaus.mit.edu/kerberos/19973.)
>
> Please try the one at http://bugzilla.mindrot.org/show_bug.cgi?id=717
>
> It has been sitting there with little feedback for a while.
>
> > In fact this solution works just fine (as long as your OS has
> > support for POSIX threads). But a small change was required to
> > the "thread" code in auth-pam.c: The man pages for Linux PAM (also
> > used on Darwin/OS X) and Solaris PAM say that PAM isn't thread
> > safe unless each thread uses a different PAM handle. But that's
> > useless for us -- we need both threads to share a single PAM
> > handle. Instead we should use a mutex to prevent the single
> > handle from being used by more than a single thread at a time.
>
> We won't be supporting threads, they add way more complexity than
> they solve. The code is still there because some people may want to
> use it, at their own risk.
>
> I'd prefer to explicitly export state from the PAM child back to the
> parent (hidden state is a bad idea, especially in a security API).
> Getting the above patch reviewed would be a start in this direction.
>
> -d

From smichaud at pobox.com Fri Oct 31 04:05:31 2003
From: smichaud at pobox.com (Steven Michaud)
Date: Thu, 30 Oct 2003 11:05:31 -0600 (CST)
Subject: Fix for USE_POSIX_THREADS in auth-pam.c

> It doesn't sound like this patch is supporting threads in PAM
> per se. I mean literally from the sounds of the patch. It is not
> threaded. Thus doesn't break..

You've completely missed the boat :-) But I'm not sure why (you don't
know threads?, you haven't read the patch carefully?, you tried it and
it "didn't work"?), so I don't know what to say next.

Let's assume that my patch "didn't work": One thing to remember is that
you need to define USE_POSIX_THREADS, and that you may also need to add
libpthread.so to the list of libraries that sshd links to. The way I
did this was to add the following to my "configure" parameters:

"CPPFLAGS=-DUSE_POSIX_THREADS LDFLAGS=-lpthread"

Sean O'Malley wrote:

> On Thu, 30 Oct 2003, Damien Miller wrote:
>
> > Steven Michaud wrote:
> >
> > > For example, Christian Pfaffel posted a patch to this list on
> > > 9-17 with hacks to force Kerberos credentials to disk and to use
> > > ssh_msg_send() to send the PAM environment from the child
> > > process to the parent. (His patch was in an attachment and got
> > > dropped. But fortunately he re-posted his message to the MIT
> > > Kerberos newsgroup a few days later, and this time the
> > > attachment came through --
> > > http://diswww.mit.edu:8008/menelaus.mit.edu/kerberos/19973.)
> >
> > Please try the one at http://bugzilla.mindrot.org/show_bug.cgi?id=717
> >
> > It has been sitting there with little feedback for a while.
>
> I tried this a while ago and it still didn't work.
>
> > > In fact this solution works just fine (as long as your OS has
> > > support for POSIX threads). But a small change was required to
> > > the "thread" code in auth-pam.c: The man pages for Linux PAM
> > > (also used on Darwin/OS X) and Solaris PAM say that PAM isn't
> > > thread safe unless each thread uses a different PAM handle.
> > > But that's useless for us -- we need both threads to share a single
> > > PAM handle. Instead we should use a mutex to prevent the single
> > > handle from being used by more than a single thread at a time.
> >
> > We won't be supporting threads, they add way more complexity than
> > they solve. The code is still there because some people may want
> > to use it, at their own risk.
>
> It doesn't sound like this patch is supporting threads in PAM
> per se. I mean literally from the sounds of the patch. It is not
> threaded. Thus doesn't break..
>
> > I'd prefer to explicitly export state from the PAM child back to
> > the parent (hidden state is a bad idea, especially in a security
> > API). Getting the above patch reviewed would be a start in this
> > direction.
>
> Is this even going to work with things like AFS and Kerberos? I am not
> seeing how this is going to work at all since copying the state goes
> against what AFS does with pags (I assume kerberos works extremely
> similarly). Kudos to you if you do, but in the meantime we need
> something that works. We can ill afford to have release versions of
> OpenSSH just not work especially when the newer versions cover
> vulnerabilities.
>
> I really am also not seeing the vulnerability as to why you _need_
> to copy the child to the parent. I mean literally if a pam module is
> allowing certain illegal behavior. It isn't the fault of SSH. If
> someone gains root access to change the pam modules you are fried
> anyway. What am I missing besides an out of the box release of
> OpenSSH that actually works with PAM the way it is supposed to?

From mouring at etoh.eviladmin.org Fri Oct 31 04:41:43 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 30 Oct 2003 11:41:43 -0600 (CST)
Subject: sftp client reget reput

The problem is in some cases the data being sent to you may be out of
order (thankfully no sftp server does this yet). So reget/reput without
RFC clarifications can lead to bad file transfers.

I'm trying to drag up in my mind which one was the problem... I believe
reput is fine since the client has control over the ordering. reget is
the troublesome one without RFC clarifications stating out of order
transfers are denied.

if the RFC gets clarified to disallow out of order transfers then a
cleaned up version of this patch may not have a problem getting in.

- Ben

On Thu, 30 Oct 2003, Greg.Hayes wrote:

>
> we have implemented this function for 3.1p1, and have been using it in
> production since May 2002. The patch has been ported to 3.7.1p2, we have
> been using it in 3.7.1p2 for a while, if anyone is interested, here it is.
>
> This is the same patch David Bradford talked about on 2002-06-05
>
> Regards,
>
> Greg Hayes

[..]

- Ben

From nospam at magestower.net Fri Oct 31 05:28:10 2003
From: nospam at magestower.net (The Alchemist)
Date: Thu, 30 Oct 2003 12:28:10 -0600
Subject: question on assorted patches
In-Reply-To: <3FA03AC1.FCB1EF44@zip.com.au>
References: <3FA00863.10903@magestower.net> <3FA03AC1.FCB1EF44@zip.com.au>
Message-ID: <3FA1583A.60207@magestower.net>

One last question: if I apply both *pwexp24.patch and *hpux.patch, then
whichever is applied last gets grouchy. Some of the patches appear to be
dups (patch suggests that -R may be appropriate anyway), so I'm not real
concerned about them. However patching configure completely fails in 625
places. Would an autoreconf fix this?

Darren Tucker wrote:

From dtucker at zip.com.au Fri Oct 31 07:29:49 2003
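Ben Lindstrom's concern above (restarting from the local file's size is only sound if replies never arrive out of order) as an added example, not code from OpenSSH or from either poster: a constructed in-memory model of a download with several read requests in flight, comparing a restart at the local file length, as reget does, with a restart at the first byte known to have arrived.

```c
#include <stdio.h>
#include <string.h>

#define FILE_SIZE 64u
#define CHUNK     16u
#define NCHUNKS   (FILE_SIZE / CHUNK)

/* Constructed model of the local side of a download with several read
 * requests in flight. 'written' records which bytes actually arrived;
 * 'length' is what lseek(fd, 0, SEEK_END) reports: the highest offset ever
 * written, whether or not everything before it is present. */
struct local_file {
	unsigned char data[FILE_SIZE];
	unsigned char written[FILE_SIZE];
	size_t length;
};

/* The "remote" content: a fixed pattern so results can be verified. */
static unsigned char remote_byte(size_t i)
{
	return (unsigned char)(i * 7 + 3);
}

/* One reply lands at its own offset, as a reordering server delivers it. */
static void receive_chunk(struct local_file *f, size_t chunk)
{
	size_t off = chunk * CHUNK;
	for (size_t i = 0; i < CHUNK; i++) {
		f->data[off + i] = remote_byte(off + i);
		f->written[off + i] = 1;
	}
	if (off + CHUNK > f->length)
		f->length = off + CHUNK;
}

/* A transfer whose replies arrive in 'order', cut off after 'n' chunks. */
static void interrupted_transfer(struct local_file *f, const size_t *order, size_t n)
{
	memset(f, 0, sizeof(*f));
	for (size_t i = 0; i < n; i++)
		receive_chunk(f, order[i]);
}

/* Bytes that still differ from the remote file (holes or stale data). */
static size_t missing_bytes(const struct local_file *f)
{
	size_t n = 0;
	for (size_t i = 0; i < FILE_SIZE; i++)
		if (!f->written[i] || f->data[i] != remote_byte(i))
			n++;
	return n;
}

/* Fetch everything from 'start' (a chunk boundary here) to the end. */
static void fetch_from(struct local_file *f, size_t start)
{
	for (size_t c = start / CHUNK; c < NCHUNKS; c++)
		receive_chunk(f, c);
}

/* reget strategy: restart at the local file length. Returns the number of
 * bytes still wrong afterwards; non-zero means a silently corrupt file. */
static size_t resume_from_length(struct local_file *f)
{
	fetch_from(f, f->length);
	return missing_bytes(f);
}

/* Safer: restart at the first byte not known to have arrived. Needs arrival
 * bookkeeping on the client, or a server that never reorders replies. */
static size_t resume_from_prefix(struct local_file *f)
{
	size_t n = 0;
	while (n < FILE_SIZE && f->written[n])
		n++;
	fetch_from(f, n);
	return missing_bytes(f);
}

/* Scenario: two of four chunks arrive, then the connection drops, then the
 * transfer is resumed. With reordered delivery (chunks 0 and 2 first) the
 * file length is 48 although bytes 16..31 were never received. */
static size_t bytes_wrong_after_resume(int out_of_order, int use_prefix)
{
	static const size_t in_order[NCHUNKS] = { 0, 1, 2, 3 };
	static const size_t reordered[NCHUNKS] = { 0, 2, 1, 3 };
	struct local_file f;

	interrupted_transfer(&f, out_of_order ? reordered : in_order, 2);
	return use_prefix ? resume_from_prefix(&f) : resume_from_length(&f);
}

int main(void)
{
	printf("in-order reget:             %zu bytes wrong\n", bytes_wrong_after_resume(0, 0));
	printf("out-of-order reget:         %zu bytes wrong\n", bytes_wrong_after_resume(1, 0));
	printf("out-of-order prefix resume: %zu bytes wrong\n", bytes_wrong_after_resume(1, 1));
	return 0;
}
```

The in-order case is why reget appears to work against today's servers; the reordered case is the silent 16-byte hole a length-based restart cannot detect, which is what a protocol-level ordering guarantee or client-side arrival tracking would close.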
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 31 Oct 2003 07:29:49 +1100
Subject: question on assorted patches
References: <3FA00863.10903@magestower.net> <3FA03AC1.FCB1EF44@zip.com.au> <3FA1583A.60207@magestower.net>
Message-ID: <3FA174BD.E55E7779@zip.com.au>

The Alchemist wrote:
> One last question: if I apply both *pwexp24.patch and *hpux.patch, then
> whichever is applied last gets grouchy. Some of the patches appear to
> be dups (patch suggests that -R may be appropriate anyway), so I'm not
> real concerned about them.

I'm not sure how much of the patches are dupes, but they touch the same
code, so conflicts are likely. I recommend applying pwexp25 first, then
apply the HPUX patch by hand (it's fairly small).

> However patching configure completely fails
> in 625 places. Would an autoreconf fix this?

Yes, you may safely delete configure and rebuild it with autoreconf.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Fri Oct 31 08:13:56 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 31 Oct 2003 08:13:56 +1100
Subject: AIX patch for openssh-3.7.1p2
Message-ID: <3FA17F14.7AF5DF4B@zip.com.au>

Matt Richards wrote:
[setauthdb]
> I misspoke. The problem actually is privilege separation and setauthdb.
> setauthdb requires root, sshd is not running as root during privilege
> separation, so the authentication fails.

When running with Privilege Separation, there are 2 sshd's[1], one
running as root and one not. aix_setauthdb() should always be called
from the privileged sshd process. If it's not, can you please post a
debug (sshd -ddd) where it's failing? (Also, which AIX version,
maintenance level and compiler are you using?)

> > I can't follow the changes to configure (which is a machine-generated
> > file). What is the issue with the loginfailed test? Could you post a
> > patch against configure.ac, which is what autoconf uses to generate
> > configure? (preferably "diff -u").
>
> The problem here is the configure test of:
>
> #ifndef loginfailed
> char *p = (char *) loginfailed;
> #endif
>
> loginfailed is not defined by the compiler and is picked up during the
> linking phase. The patch that I put in tests the linking phase rather
> than the compiling phase. The code above will always fail on AIX.

That's the output of AC_CHECK_FUNC and it's an #ifndef and not #ifdef.
Can you please post the fragment of config.log where it's failing?

> AIX has an odd setup for wtmp. I originally patched the 1.2.27 version of
> ssh to use AIX's loginsuccess and loginfailed which will take care of
> wtmp and lastlog. It seems that openssh-3.7.1 changed it and put it under
> CUSTOM_FAILED_LOGIN define. Defining CUSTOM_FAILED_LOGIN, works for this
> version.

CUSTOM_FAILED_LOGIN should be defined automatically by configure. Again,
if it's not please post the fragment from config.log where it fails.
[1] Actually for privsep, there are 4 sshds handling a given connection
at various times (not counting the master daemon), but there's normally
only 2 at any given time.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From djm at mindrot.org Fri Oct 31 08:14:53 2003
From: djm at mindrot.org (Damien Miller)
Date: Thu, 30 Oct 2003 21:14:53 -0000
Subject: Fix for USE_POSIX_THREADS in auth-pam.c
Message-ID: <1067552368.2853.45.camel@sakura.mindrot.org>

On Fri, 2003-10-31 at 03:31, Steven Michaud wrote:

> Pam_krb5's pam_sm_setcred() function recovers and exports to disk the
> Kerberos credentials that were created in pam_sm_authenticate() (and
> stored to PAM's internal state by a call to pam_set_data()), then sets
> the KRB5CCNAME variable (in the PAM environment) to point to the cache
> file. You can trigger this by a call to do_pam_setcred() in OpenSSH.
> But it must be done while still in the child process where PAM
> authentication took place -- the internal state where the Kerberos
> credentials were stored (by pam_set_data()) is only present in the
> child, not in the parent.

What is to stop us from exporting state set by pam_set_data from the
child to the parent?

-d

From smichaud at pobox.com Fri Oct 31 08:25:00 2003
From: smichaud at pobox.com (Steven Michaud)
Date: Thu, 30 Oct 2003 15:25:00 -0600 (CST)
Subject: Patch to make sshd work on multihomed systems

As far as I know this patch has no security implications -- I don't
believe that allowing sshd to use get_local_name() (in canohost.c) on a
connected socket to determine its own fqdn will allow a malicious client
(or router or dns server) to make it come to the wrong conclusion. But
please let me know if you think I'm wrong. Please also let me know if
you're just not interested :-)

This patch is against openssh-SNAP-20031030, and was tested on Solaris 8.

Watch for broken lines.

diff -u -r src.old/auth-krb5.c src/auth-krb5.c --- src.old/auth-krb5.c Thu Oct 30 15:02:45 2003 +++ src/auth-krb5.c Thu Oct 30 15:02:44 2003 @@ -34,6 +34,7 @@ #include "ssh1.h" #include "packet.h" #include "xmalloc.h" +#include "canohost.h" #include "log.h" #include "servconf.h" #include "uidswap.h" @@ -71,12 +72,23 @@ #endif krb5_error_code problem; krb5_ccache ccache = NULL; + char localname[MAXHOSTNAMELEN]; + char *socketname; if (authctxt->pw == NULL) return (0); temporarily_use_uid(authctxt->pw); + socketname = get_local_name(packet_get_connection_in()); + if (socketname) { + strlcpy(localname, socketname, MAXHOSTNAMELEN); + xfree(socketname); + } else if (gethostname(localname, MAXHOSTNAMELEN)) { + problem = -1; + goto out; + } + problem = krb5_init(authctxt); if (problem) goto out; @@ -123,7 +135,7 @@ if (problem) goto out; - problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL, + problem = krb5_sname_to_principal(authctxt->krb5_ctx, localname, NULL, KRB5_NT_SRV_HST, &server); if (problem) goto out; diff -u -r src.old/gss-genr.c src/gss-genr.c --- src.old/gss-genr.c Thu Oct 30 15:02:46 2003 +++ src/gss-genr.c Thu Oct 30 15:02:44 2003 @@ -30,6 +30,7 @@ #include "xmalloc.h" #include "bufaux.h" +#include "canohost.h" #include "compat.h" #include "log.h" #include "monitor_wrap.h"
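Review bot: in the second auth-krb5.c hunk the gethostname() failure path sets `problem = -1` and jumps to `out`, pushing a non-Kerberos error through the krb5_error_code handling after the label; log the gethostname() failure with strerror(errno) where it happens rather than leaving the generic path to explain -1. The service principal handed to krb5_sname_to_principal() also now depends on whatever get_local_name() resolves for the connected socket's local address instead of the local host name that NULL selected, so a missing or wrong reverse entry for that address becomes a Kerberos authentication failure on hosts where the old behaviour worked; that trade-off belongs in the commit message, and a server option to keep the old behaviour would let administrators opt in.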
@@ -226,9 +227,18 @@ OM_uint32 status; char lname[MAXHOSTNAMELEN]; gss_OID_set oidset; + char *pname; gss_create_empty_oid_set(&status, &oidset); gss_add_oid_set_member(&status, ctx->oid, &oidset); + + pname = get_local_name(packet_get_connection_in()); + if (pname) { + strlcpy(lname, pname, MAXHOSTNAMELEN); + xfree(pname); + } else if (gethostname(lname, MAXHOSTNAMELEN)) { + return (-1); + } if (gethostname(lname, MAXHOSTNAMELEN)) return (-1); diff -u -r src.old/session.c src/session.c --- src.old/session.c Thu Oct 30 15:02:46 2003 +++ src/session.c Thu Oct 30 15:02:44 2003 @@ -2060,6 +2060,7 @@ struct stat st; char display[512], auth_display[512]; char hostname[MAXHOSTNAMELEN]; + char *pname; if (no_x11_forwarding_flag) { packet_send_debug("X11 forwarding disabled in user configuration file."); @@ -2091,8 +2092,13 @@ } /* Set up a suitable value for the DISPLAY variable. */ - if (gethostname(hostname, sizeof(hostname)) < 0) + pname = get_local_name(packet_get_connection_in()); + if (pname) { + strlcpy(hostname, pname, sizeof(hostname)); + xfree(pname); + } else if (gethostname(hostname, sizeof(hostname))) { fatal("gethostname: %.100s", strerror(errno)); + } /* * auth_display must be used as the displayname when the * authorization entry is added with xauth(1). This will be From smichaud at pobox.com Fri Oct 31 08:56:00 2003 
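Review bot: the gss-genr.c hunk adds the get_local_name() lookup but leaves the original `if (gethostname(lname, MAXHOSTNAMELEN)) return (-1);` directly after it, so lname is overwritten with the plain host name and the new code has no effect (and the fallback runs gethostname() twice). Those two lines should be on the removed (`-`) side of the hunk, as the session.c hunk does for its gethostname() call.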
From: smichaud at pobox.com (Steven Michaud) Date: Thu, 30 Oct 2003 15:56:00 -0600 (CST) Subject: Fix for USE_POSIX_THREADS in auth-pam.c In-Reply-To: <1067552368.2853.45.camel@sakura.mindrot.org> References: <1067552368.2853.45.camel@sakura.mindrot.org> Message-ID: > What is to stop us from exporting state set by pam_set_data from the > child to the parent? Well, perhaps you could ... but I think the code would be _very_ fragile. I don't know that you can call pam_set_data() (and pam_get_data()) outside any PAM module, or that you can call one from inside a PAM module and the other from a different PAM module (or from outside any PAM module). But let's assume that you can. Pam_set_data() has a module_data_name parameter that's supposed to be used to store the data (a pointer to void) in a unique "location". If you know the module_data_name (and the data is present in PAM's "state"), you can use pam_get_data() to get it back. Problem is, how do you know which data a given PAM module stored, and what name it was stored under? Of course you could look at the source code for some version of pam_krb5 (say) and see for yourself. But the name that's used to store the data isn't part of any protocol, nor should it be -- the authors of PAM modules don't (as far as I know) expect pam_get_data() to be called from "outside". So not only would you have to look at every possible (or important) PAM module to see what kind of data it used pam_set_data() to store, but you'd also have to look at every _version_ of every PAM module to see what names might have been used to store it under. I suppose there are better ways to torture yourself ... 
but it's hard to think of one off-hand :-) On Thu, 31 Oct 2003, Damien Miller wrote: > On Fri, 2003-10-31 at 03:31, Steven Michaud wrote: > > > Pam_krb5's pam_sm_setcred() function recovers and exports to disk the > > Kerberos credentials that were created in pam_sm_authenticate() (and > > stored to PAM's internal state by a call to pam_set_data()), then sets > > the KRB5CCNAME variable (in the PAM environment) to point to the cache > > file. You can trigger this by a call to do_pam_setcred() in OpenSSH. > > But it must be done while still in the child process where PAM > > authentication took place -- the internal state where the Kerberos > > credentials were stored (by pam_set_data()) is only present in the > > child, not in the parent. > > What is to stop us from exporting state set by pam_set_data from the > child to the parent? > > -d > > > > From smichaud at pobox.com Fri Oct 31 09:14:13 2003 From: smichaud at pobox.com (Steven Michaud) Date: Thu, 30 Oct 2003 16:14:13 -0600 (CST) Subject: Patch to make sshd work on multihomed systems Message-ID: Someone pointed out (thanks!) that I made a careless mistake in my patch. Here's a corrected version. And sorry for the confusion! diff -u -r src.old/auth-krb5.c src/auth-krb5.c --- src.old/auth-krb5.c Thu Oct 30 16:05:59 2003 +++ src/auth-krb5.c Thu Oct 30 16:05:57 2003 @@ -34,6 +34,7 @@ #include "ssh1.h" #include "packet.h" #include "xmalloc.h" +#include "canohost.h" #include "log.h" #include "servconf.h" #include "uidswap.h" @@ -71,12 +72,23 @@ #endif krb5_error_code problem; krb5_ccache ccache = NULL; + char localname[MAXHOSTNAMELEN]; + char *socketname; if (authctxt->pw == NULL) return (0); temporarily_use_uid(authctxt->pw); + socketname = get_local_name(packet_get_connection_in()); + if (socketname) { + strlcpy(localname, socketname, MAXHOSTNAMELEN); + xfree(socketname); + } else if (gethostname(localname, MAXHOSTNAMELEN)) { + problem = -1; + goto out; + } + problem = krb5_init(authctxt); if (problem) goto out; 
@@ -123,7 +135,7 @@ if (problem) goto out; - problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL, + problem = krb5_sname_to_principal(authctxt->krb5_ctx, localname, NULL, KRB5_NT_SRV_HST, &server); if (problem) goto out; diff -u -r src.old/gss-genr.c src/gss-genr.c --- src.old/gss-genr.c Thu Oct 30 16:05:59 2003 +++ src/gss-genr.c Thu Oct 30 16:05:58 2003 @@ -30,6 +30,7 @@ #include "xmalloc.h" #include "bufaux.h" +#include "canohost.h" #include "compat.h" #include "log.h" #include "monitor_wrap.h" @@ -226,12 +227,18 @@ OM_uint32 status; char lname[MAXHOSTNAMELEN]; gss_OID_set oidset; + char *pname; gss_create_empty_oid_set(&status, &oidset); gss_add_oid_set_member(&status, ctx->oid, &oidset); - if (gethostname(lname, MAXHOSTNAMELEN)) + pname = get_local_name(packet_get_connection_in()); + if (pname) { + strlcpy(lname, pname, MAXHOSTNAMELEN); + xfree(pname); + } else if (gethostname(lname, MAXHOSTNAMELEN)) { return (-1); + } if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) return (ctx->major); diff -u -r src.old/session.c src/session.c --- src.old/session.c Thu Oct 30 16:06:00 2003 +++ src/session.c Thu Oct 30 16:05:58 2003 @@ -2060,6 +2060,7 @@ struct stat st; char display[512], auth_display[512]; char hostname[MAXHOSTNAMELEN]; + char *pname; if (no_x11_forwarding_flag) { packet_send_debug("X11 forwarding disabled in user configuration file."); @@ -2091,8 +2092,13 @@ } /* Set up a suitable value for the DISPLAY variable. */ - if (gethostname(hostname, sizeof(hostname)) < 0) + pname = get_local_name(packet_get_connection_in()); + if (pname) { + strlcpy(hostname, pname, sizeof(hostname)); + xfree(pname); + } else if (gethostname(hostname, sizeof(hostname))) { fatal("gethostname: %.100s", strerror(errno)); + } /* * auth_display must be used as the displayname when the * authorization entry is added with xauth(1). This will be From John.Armsby at motorola.com Fri Oct 31 11:33:34 2003 
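Review bot: in the auth-krb5.c hunk, `problem = -1; goto out;` on gethostname() failure stores a value that is not a krb5_error_code, so whatever the `out:` path does with `problem` (formatting it through the library's error-text routine, for instance) will report a meaningless code; log the failure with strerror(errno) and return 0 directly instead. The change from NULL to localname in krb5_sname_to_principal() also deserves a comment in the code: the host principal looked up in the keytab is now chosen by how get_local_name() names the local address, which (as the covering mail says, DNS servers included) can differ from gethostname(), so every address sshd listens on must resolve to a name that has a matching keytab entry.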
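Review bot: the session.c hunk is the third copy of the same get_local_name()/gethostname() fallback (auth-krb5.c and gss-genr.c carry the other two, each with slightly different error handling); put it in one helper in canohost.c so the three call sites cannot drift apart. Also, `strlcpy(hostname, pname, sizeof(hostname));` silently truncates a name longer than the buffer and the truncated string then goes into DISPLAY; check `strlcpy(...) >= sizeof(hostname)` and fail, as the existing `fatal("gethostname: ...")` branch does for the fallback. The same truncation check applies to localname and lname in the other two hunks.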
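What the patch relies on, as an added illustration rather than OpenSSH's own canohost.c code: naming the server from the local end of the connected socket (getsockname() plus getnameinfo()) and falling back to gethostname() when that fails. The names local_sockname(), pick_server_name() and loopback_pair() are invented for this example, and the loopback socket pair is a constructed fixture so it runs offline. The numeric/resolved switch makes the caveat visible: with a reverse lookup the result is whatever the PTR record says, which is the part a hostile resolver could influence.

```c
/* Added example, not OpenSSH code: name the server from the local end of
 * the connected socket, with gethostname() as the fallback.  The function
 * names are invented for this illustration. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN 256
#endif

/* Name of the address the local end of `sock` is bound to.
 * numeric != 0 returns the address literal and involves no DNS;
 * numeric == 0 demands a reverse lookup (NI_NAMEREQD), so the answer is
 * whatever the PTR record says.  Returns 0 on success, -1 on failure. */
int local_sockname(int sock, int numeric, char *buf, size_t buflen)
{
    struct sockaddr_storage ss;
    socklen_t slen = sizeof(ss);
    int flags = numeric ? NI_NUMERICHOST : NI_NAMEREQD;

    memset(&ss, 0, sizeof(ss));
    if (getsockname(sock, (struct sockaddr *)&ss, &slen) == -1)
        return -1;
    if (ss.ss_family != AF_INET && ss.ss_family != AF_INET6)
        return -1;                 /* e.g. AF_UNIX: nothing to resolve */
    if (getnameinfo((struct sockaddr *)&ss, slen, buf, buflen,
                    NULL, 0, flags) != 0)
        return -1;
    return 0;
}

/* The patch's decision in one place: socket-derived name first,
 * gethostname() second.  Returns which source was used, or NULL if both
 * failed (buf is then unspecified). */
const char *pick_server_name(int sock, int numeric, char *buf, size_t buflen)
{
    if (buflen == 0)
        return NULL;
    if (local_sockname(sock, numeric, buf, buflen) == 0)
        return "socket";
    if (gethostname(buf, buflen) == 0) {
        buf[buflen - 1] = '\0';    /* gethostname() need not terminate on truncation */
        return "gethostname";
    }
    return NULL;
}

/* Constructed fixture: a connected TCP pair over 127.0.0.1 so the server
 * side has a real local address.  fds[0] is the accepted (server) socket,
 * fds[1] the client.  Returns 0 on success, -1 on failure. */
int loopback_pair(int fds[2])
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    int lsock, csock, asock;

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;                          /* kernel picks a free port */

    if ((lsock = socket(AF_INET, SOCK_STREAM, 0)) == -1)
        return -1;
    if (bind(lsock, (struct sockaddr *)&sin, sizeof(sin)) == -1 ||
        listen(lsock, 1) == -1 ||
        getsockname(lsock, (struct sockaddr *)&sin, &len) == -1 ||
        (csock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        close(lsock);
        return -1;
    }
    if (connect(csock, (struct sockaddr *)&sin, sizeof(sin)) == -1 ||
        (asock = accept(lsock, NULL, NULL)) == -1) {
        close(csock);
        close(lsock);
        return -1;
    }
    close(lsock);
    fds[0] = asock;
    fds[1] = csock;
    return 0;
}

int main(void)
{
    int fds[2];
    char name[MAXHOSTNAMELEN];
    const char *how;

    if (loopback_pair(fds) == -1) {
        perror("loopback_pair");
        return 1;
    }
    how = pick_server_name(fds[0], 1, name, sizeof(name));
    printf("numeric:  %s (from %s)\n", name, how ? how : "nothing");
    how = pick_server_name(fds[0], 0, name, sizeof(name));
    printf("resolved: %s (from %s)\n", name, how ? how : "nothing");
    close(fds[0]);
    close(fds[1]);
    return 0;
}
```

On a multihomed host the "numeric" line changes with the interface the client connected to, which is the property the patch wants; the "resolved" line shows the fallback taking over whenever the reverse lookup is refused, so a missing or wrong PTR record quietly turns the patched behaviour back into plain gethostname().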
From: John.Armsby at motorola.com (Armsby John-G16665) Date: Thu, 30 Oct 2003 19:33:34 -0500 Subject: OpenSSH and Redhat 8 Message-ID: <31EF3A450BCED5119D080002A5CE4D91045C96AB@ga25exb01.wepd.mot.com>

Jason,

I think I got it up and running. After Red Hat complained about failed dependencies, I removed the offending gnome package. I followed your advice to the letter. Got appropriate messages from rpm -Uvh. I can telnet to port 22 and see the appropriate version of OpenSSH. I will get one of the corporate guys to perform a scan on the test box, which is what prompted this whole OpenSSH thing in the first place. If all goes well, I will update my identical Red Hat system on the production side. Many many thanks to you and your associates.

John

-----Original Message-----
From: Jason McCormick [mailto:jason at devrandom.org]
Sent: Wednesday, October 29, 2003 6:05 PM
To: Armsby John-G16665
Cc: openssh-unix-dev at mindrot.org
Subject: Re: OpenSSH and Redhat 8

> Ran into a little problem. The compiler is complaining about
> gnome-ssh-askpass2.c errors.

You don't have GTK/GTK2 so you need to build w/o askpass. Call rpmbuild like so:

% rpmbuild --rebuild --define 'skip_gnome_askpass 1'

Similarly, if you have GTK but not GTK2 you can just say

% rpmbuild --rebuild --define 'no_gtk2 1'

(I think that option won't be there until 3.8 though)

-- Jason McCormick jason at devrandom.org GPG Key: http://www.devrandom.org/gpgkey.php GPG Fingerprint: 66C5 2B15 3E34 2B5E 5321 6147 303A DCE6 0A74 A19C

From sq at oganer.net Fri Oct 31 12:53:05 2003
From: sq at oganer.net (Dmitry Lohansky) Date: Fri, 31 Oct 2003 08:53:05 +0700 Subject: sftp client reget reput In-Reply-To: References: Message-ID: <1342397331.20031031085305@oganer.net>

Hello Greg.Hayes,

Thursday, October 30, 2003, 9:49:37 PM, you wrote:

GH> we have implemented this function for 3.1p1, and have been using it in
GH> production since May 2002. The patch has been ported to 3.7.1p2, we have
GH> been using it in 3.7.1p2 for a while, if anyone is interested, here it is.
GH> This is the same patch David Bradford talked about on 2002-06-05
GH> Regards,
GH> Greg Hayes

I have also written a similar patch :) Read this http://www.monkey.org/openbsd/archive/tech/0309/msg00106.html

Now I want to rewrite it with an md5-based "poor man's rsync" :)

-- Best regards, Dmitry Lohansky

From Nick_Chi at manulife.com Fri Oct 31 12:56:40 2003
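The md5-based "poor man's rsync" idea mentioned above, as an added example that is not part of either poster's patch: a reget that trusts the partial local file only after its blocks have been verified against the source, instead of blindly appending to whatever is on disk. FNV-1a stands in for MD5 to keep the example self-contained (an assumption for this illustration only), the sample data is constructed, and digest_blocks(), resume_offset() and reget() are names invented here.

```c
/* Added example, not code from the page or from OpenSSH: "verify the
 * prefix, then resume".  Each full block of the local partial file is
 * digested; the digests are compared with the source's digests of the
 * same blocks, and the transfer resumes after the last matching one.
 * FNV-1a stands in for MD5; the function names are invented. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BLOCKS 64

/* 64-bit FNV-1a; an MD5 of the block would take its place in a real tool. */
static uint64_t fnv1a64(const unsigned char *p, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Digest of every full block of buf.  A trailing partial block is left
 * out on purpose and is simply re-fetched.  Each side computes this over
 * its own copy; only the digest list would cross the wire. */
size_t digest_blocks(const unsigned char *buf, size_t len, size_t block,
                     uint64_t *out, size_t cap)
{
    size_t n = 0;
    if (block == 0)
        return 0;
    for (size_t off = 0; off + block <= len && n < cap; off += block)
        out[n++] = fnv1a64(buf + off, block);
    return n;
}

/* Length in bytes of the leading run of blocks whose digests agree: that
 * is where the resumed transfer starts.  0 means the local file is useless. */
size_t resume_offset(const uint64_t *local_d, size_t nl,
                     const uint64_t *src_d, size_t ns, size_t block)
{
    size_t n = nl < ns ? nl : ns, i;
    for (i = 0; i < n && local_d[i] == src_d[i]; i++)
        ;
    return i * block;
}

/* Rebuild the source into out (cap bytes): keep the verified local prefix
 * and "transfer" the rest from src.  Returns the number of bytes that did
 * not have to be transferred, or (size_t)-1 if out is too small. */
size_t reget(const unsigned char *local, size_t llen,
             const unsigned char *src, size_t slen, size_t block,
             unsigned char *out, size_t cap)
{
    uint64_t ld[MAX_BLOCKS], sd[MAX_BLOCKS];
    size_t nl = digest_blocks(local, llen, block, ld, MAX_BLOCKS);
    size_t ns = digest_blocks(src, slen, block, sd, MAX_BLOCKS);
    size_t off = resume_offset(ld, nl, sd, ns, block);

    if (slen > cap)
        return (size_t)-1;
    memcpy(out, local, off);               /* verified prefix, off <= llen */
    memcpy(out + off, src + off, slen - off);
    return off;
}

int main(void)
{
    /* constructed sample: a 40-byte "remote" file and a 32-byte partial
     * local copy whose second block was damaged */
    const unsigned char src[] = "0123456789abcdef0123456789abcdef01234567";
    unsigned char local[32], out[64];
    memcpy(local, src, sizeof(local));
    local[10] = 'X';
    size_t kept = reget(local, sizeof(local), src, 40, 8, out, sizeof(out));
    printf("resumed at byte %zu; result %s the source\n", kept,
           memcmp(out, src, 40) == 0 ? "matches" : "differs from");
    return 0;
}
```

A plain reget would have appended bytes 32..39 to the damaged local copy and reported success; with the digest check the damaged block and everything after it are re-fetched, and a source that changed completely restarts from offset 0.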
From: Nick_Chi at manulife.com (Nick_Chi at manulife.com) Date: Fri, 31 Oct 2003 09:56:40 +0800 Subject: Problem found in OpenSSH 3.7.1p2 with OpenSSL 0.9.7c installation on HP-UX11.0 Message-ID:

Resent!

Rgds, Nick CHI
Regional Technology Team, Regional I.T., I.T. Asia, Manulife International Limited
Tel: (852) 2510 3273 Fax: (852) 2510 0244 Email: Nick_Chi at manulife.com

----- Forwarded by Nick Chi/Asia Division/Manulife on 10/31/2003 09:56 AM -----
From: Nick Chi, 10/28/2003 02:33 PM
To: openssh-unix-dev at mindrot.org
cc:
Subject: Problem found in OpenSSH 3.7.1p2 with OpenSSL 0.9.7c installation on HP-UX11.0

Hi all,

I found that OpenSSL 3.7.1p2 has a problem with the PAM (HP-UX) system (configured to deactivate an account after 3 invalid login attempts). If a user enters the wrong password more than twice through SSH, his/her account will not be deactivated. If a user enters the wrong password more than twice through FTP, his/her account will be deactivated. However, only further FTP sessions are blocked; an SSH session can be established even though the account is deactivated. Besides, if I deactivate an account through SAM, both new FTP and SSH sessions will be blocked. I checked that there is no such problem in OpenSSH 3.4p1.

Any comments / suggestions? Thanks.

Best Regards, Nick CHI
Regional Technology Team, Regional I.T., I.T. Asia, Manulife International Limited
Tel: (852) 2510 3273 Fax: (852) 2510 0244 Email: Nick_Chi at manulife.com

==========================================================
This message is confidential and may also be privileged. If you are not the intended recipient, please notify me by return e-mail and delete this message from your system. If you are not the intended recipient, any use by you of this message is strictly prohibited.
==========================================================